Junior Member
i dont want to bother with to much questions and help.
i got this target, when i vmr-mdk it, i noticed that after 3 pins, it locks (ap rate limit).
i also noticed its not changing the channel (stays on 11).
so i need 2 things:
1_ best way to jam it (using kali or bt5.r3).
2_ best ways (you know of) to reveal the pin (since vmr-mdk wont force it to reboot).
thank you.
p.s.
its a Netgear router.
could it be that its not breakable without anyone actually touching the router?
Senior Member
MDK3 has a deauth mode that may work for you. If you're mounting a WPS pin attack, I would think you would want to lock the channel to whatever the router is using. However, I've not used the vmr-mdk tool, so I can't speak to that specifically.
There are some databases scattered around the internet which have several manufacturer pins; I'd check there first. You can also try the pixie dust attack using reaver.
Junior Member
thank you for your reply.Originally Posted by grid
i found only 6-7 pins, thats it.
if any of the friends knows a good pool of pins it would be great.
this is what i found:
Senior Member
Some AP firmwares are protected to most of the attacks that mdk tool does .
If i were you , i would approach the situation differently .
I only tested vmr-mdk 1 or 2 times sometime ago .
You should user reaver with a delay time between pin attempts , brute force will only block the AP again .
You should start with a delay of 180s for each pin and see where it goes , if it blocks then you should increase that value .
Some APS block pin try after 3 wrong attempts during a specific time frame .
Eventually when AP blocks the pin access , it will give access again after a period of time , that could be 3 minutes , 1 hour or 1 day or only give access to pin access again when the user press the wps button again on the router .
If you already waited much time and router does not give access to wps anymore , then you should try to jam that specific AP with aireplay-ng or wifijammer , this way the owner of the AP eventually will be forced to reboot the AP because he can not establish an wifi connection to it , he will thing that there is a problem with the device , and he will reboot it .
In alternative mode , you can make an identical AP with that name and use aireplay-ng to De-authenticate the client from original router and force him to connect to yours .
i think that vmr-mdk does that , but i am not sure .
Fluxion tool creates a rogue AP with target name and forces the client to connect to his AP and then prompt client to post his wifi password on a webpage . However Fluxion needs first the handshake to be captured by you , then Fluxion compares the client input wifi password on the web page with the handshake you have to make sure you got the right password .
Just in case you want to try :
http://www.kitploit.com/2016/10/flux...d-without.html
You should check if pixiewps can grab the pin .
Senior Member
To Pedropt
Your suggestion to count the length of time a WPS is locked can produce results. Set the -l command to 600 ie 10 minutes and run reaver and count the number of AP locked lines between pin collection.
VMR-MDK was not designed to reset the router. MTeams found that is some cases a small amount of DDOS usually 15 to 20 seconds caused the router to leak more pins even though locked. WE cover this in detail in the help file.
VMR-MDK does not support rogueAP and WPA Phishing.
Setting up a RogueAP with the same name etc and then deauthing the clients will not work in the majority of cases. This is because any associated client already has a WPA key loaded into the Wifi Management software. If you bump them off then the client cannot connect to the RogueAP because the RogueAP is either Open or is exhibiting a WPA State thru airbase-ng setups but there is no actual WPA key as airbase-ng doesnot actually support WPA encryption.
The only way the client can connect to a Open RogueAP of same name is to remove the WPA Setup and then manually select to connect to the open RogueAP. We think this is a highly unlikely event However there is an alternative method covered in both musket versions of linset and pwnstar9 as outlined in the help files. This method does not require the client to remove the WPA wifi Setup to connect to the rogue.
Fluxion requires a handshake so the program can test any WPA Phished thru the Rogue.
MTeams
Senior Member
Interesting point , never have try it .VMR-MDK was not designed to reset the router. MTeams found that is some cases a small amount of DDOS usually 15 to 20 seconds caused the router to leak more pins even though locked. WE cover this in detail in the help file.
Another interesting point that i was not fully aware , thanks for the explanation .Setting up a RogueAP with the same name etc and then deauthing the clients will not work in the majority of cases. This is because any associated client already has a WPA key loaded into the Wifi Management software. If you bump them off then the client cannot connect to the RogueAP because the RogueAP is either Open or is exhibiting a WPA State thru airbase-ng setups but there is no actual WPA key as airbase-ng doesnot actually support WPA encryption.
mmusket33 :did you guys try this ? :
-Check if client is connected to AP
-Change mac address of the wifi card to same mac as client connected
-start wps attack .
what is the response of the router ?
Last edited by pedropt; 2016-10-09 at 21:47.
Senior Member
To pedropt
Thanks for the idea we will run some tests over the next few weeks and see what occurs. If anything interesting we will inform you.
Musket Teams
Junior Member
wow thats a lot of info.
one logic step i thought of was the delay between the pins.
yes, my AP is locking after 3 pins.
can you guys write the delay command please?
if it helps its a neatgear router.
WPS Model: VEGN2610
WPS Model Num' : VEGN2610
Access Point Serial num' 3700
-----------------------
i will try today to change my mac to be the same as the AP.
QUESTION:
can i use "wifite" as a reliable tool for checking if the AP connected to Internet?
thank you guys.. you are the best!
and thanks for your patience
Senior Member
To 1stcowgirl
MTeam is unsure what you mean in your delay between pins question. You can set the attempt to collect pins thru the -r command in reaver.
If you spoof your mac address thru macchanger then make sure you add that spoofed mac address to the reaver command line thru the --pin= command. Otherwise reaver may only extract the WPS pin not the WPA key.
We have no experience with wifite and cannot comment.
MTeams
Last edited by mmusket33; 2016-10-15 at 09:13.
Junior Member
mmusket33 :
did you guys try this ? :
-Check if client is connected to AP
-Change mac address of the wifi card to same mac as client connected
-start wps attack .
what is the response of the router ?
changing my mac to target mac resault in the same lock.
OOPS SORRY.
THE CLIENT WAS NOT CONNECTED!!!!
(im guessing its very important for this test for him to be connected... hum, will try again and update.)
So the above is when client is not connected.
Last edited by 1stcowgirl; 2016-10-26 at 16:57.
Senior Member
When i meant this :
I was speaking to change the mac address of your wifi card to the same mac address of someone already connected to that network , and not changing the mac address to the victim router mac .did you guys try this ? :
-Check if client is connected to AP
-Change mac address of the wifi card to same mac as client connected
-start wps attack .
Anyway , it does not mean that may work in any circumstance .
Posting Permissions
