Results 1 to 4 of 4

Thread: WPS Exploits - D-Link routers with the first six hexidecimal digits = C0:A0:BB:XX:XX

Threaded View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Join Date

    WPS Exploits - D-Link routers with the first six hexidecimal digits = C0:A0:BB:XX:XX

    D-Link International routers having the first six hexidecimal digits = C0:A0:BB:XX:XX:XX appear to have a mac blocking feature embedded in the router firmware and other tricks.

    This feature doesnot lock the WPS system, it simply doesnot allow reaver obtain data after repeated requests by reaver for WPS pins if the request are made from the same mac address. It then masks this by giving long EAPOL hangs or no association warning and no harvesting of WPS pins. This will lead you to think it is a signal strength problem or a sticky router which will eventually clear. However the minute you change the mac code normal WPS pin harvesting with reaver is restored for a short time, only to be shut down again.

    We have tested this router extensively with two computer running on one computer and reaver thru a command line in a terminal window on the second . We ran variable mac code requests then ran a series of single mac requests. The variable requests, changing the mac code every three minutes harvested keys. The fixed mac address test always ran normally for a period and then stopped responding and no further results thru reaver were obtained.

    Next we ran two computers requesting pins at the same time. The variable mac requests harvested pins continuously while the fixed mac code approach stopped after a short time when the router refused association with reaver at the same time that the second computer that was changing its mac address every 3 minutes continued to process key requests normally. We then changed the mac address on the computer that was obtaining no real results and both computers harvested pins again normally.

    Further considerations

    1. If you request pins with no -r x:y considerations to slow the process while using the same mac code - the following always occured.

    1. Pins are received at a fast rate for a short period of time
    2. Pin completion then suddenly jumps to 90% and then the router gave
    constant EAPOL hangs for many cycles then incomplete rsponses.
    3. The router refuses to associate or just responds in a random manner until
    you change the mac code.
    4. If you employ a mac changing routine you can get the last 1000 pins out
    of the router ie 90% to 99.99 % but it will simply hang at 99.99% and go
    no further.

    Therefore when approaching this router, should you experience similar problems try the following:

    1. Use or any other mac changing reaver program
    2. Set it to random mac change every 180 sec
    3. Set the -r x:y at -r 2:15

    If the key completion jumps right at the beginning of the attack to 90 you are being sent down a dead end rabbit hole. Restart the attack at zero and slowly harvest the pins - do not try and force speed here.

    This is leading us to consider bully as a possible alternative.
    We have only introductory knowledge concerning bully especially best settings and the brute force option so any help or suggestions from readers would be appreciated.
    Last edited by mmusket33; 2014-04-19 at 10:32.

Similar Threads

  1. Replies: 2
    Last Post: 2014-12-03, 01:08

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts