VMR-MDK-K2-2017R-012x2.sh was pointed at a RealtekS (14:4D:67) network showing WPS 2.0 installed and a locked state in residence.

Initial setup was a 120-second reaver WPS collection time, then a 15-second type 4 mdk3 attack and a 120-second pause recovery period. After the 15-second mdk3 type 4 burst (see the VMR-MDK menu, which outlines the type 4 choice), the router showed an unlocked state and continued to allow pin harvesting.

MTeams extended the reaver live time but found that the router would stop producing pins after approx. ten (10) were collected. To obtain more pins, another burst of type 4 mdk3 was required.

MTeams spoofed the MAC of a connected client, set the reaver live time to 200 sec, and used a regenerative aireplay-ng fake auth running in the background during the reaver stages. These are basic selections in the VMR-MDK menu. The network began giving up pins at various rates. Later the pause recovery time was lowered to 90 seconds, but MTeams have learned from experience to be cautious here and not lock up the router.

The router gave occasional locked state status but continued to provide pins at approx. ten (10) per attack cycle.

The firmware in this router appears vulnerable to the VMR-MDK process. Cracking will take some time to complete, however. Unfortunately, the router was not vulnerable to pixiedust.

Musket Teams