    [request] reaver for n900 - wps pin brute force hack

    Page 5 of 15 | Prev |   3     4   5   6     7   | Next | Last
    StefanL | # 41 | 2012-01-07, 09:45

    I ran some tests on my router last night (Netgear WNDR 3400) in the standard mode
    Code:
    sudo ./reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv
    and ended up with a rate of 320ish seconds/attempt. There were loads of timeouts reported by reaver and every time it hit a pin the WPS button on top flashes (like when you are performing a normal WPS connection). I used airmon-ng to turn on the mon0 interface and ran other internet activities (downloads on gpodder on the N900 and my computer connected via LAN) during the test. Noticed that the downloads on the N900 were interrupted when reaver reported testing of a pin, but continued when reaver reported the time-outs. A few times the N900 reset its wireless connection and reconnected automatically.

    The number of successful pins tried was variable, sometimes 1, sometimes 7 in a row before getting the time-out messages.

    The log file (mac_to_crack.wpc) created by reaver has a total of 11003 lines and starts off with the number 135, a zero each on the next 2 lines (this seems to correspond with actual progress, first half and second half found pin values) and then a whole bunch of 4 digit numbers (the first half of the pins to be tried) on a line each for the next 10000 lines and then a bunch of 3 digit numbers (the second half of the pins to be tried) for the next 1000 lines. This attack has a maximum number of 11000 (10000 + 1000) tries to succeed (readme for reaver).

    For my router at least, this standard attack is pretty useless, after 12 hrs I got 1.09% of the pins and the flashing light lets you know that something is going on. WPSCrack is supposed to be faster, but I have not yet been able to run it successfully on the N900.

    Edit/Update:
    Best command line options for my router thus far is the following:
    Code:
    sudo ./reaver -i mon0 -b XX:XX:XX:XX:XX:XX --dh-small -t 1 -vv -d 0 --eap-terminate
    Still getting plenty of time-outs, but speed is now down to less than 100 secs/attempt and I got to 1.22% within a few hours and at a rate of 56 secs/attempt. Still not anywhere near the '4-8 hrs to crack' advertised elsewhere on the web. Interesting exploit, but not all that useful on my set-up.

    When running the -p option with the correct pin, the program cracked the key in 64 seconds, displays the correct pin, the correct WPA PSK key and lists the correct AP SSID. It does not update the log file when running it with a specific pin.

    A list of affected routers can be found here.


    Last edited by StefanL; 2012-01-09 at 07:34. Reason: More info added
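    The pin arithmetic behind the 11003-line session file and the 11000-attempt bound in the post above, as an added example (not code from the reaver project or from StefanL): it enumerates the 10000 first-half and 1000 second-half candidates, appends the WPS checksum digit that turns a 4+3 digit pair into an 8-digit PIN, and parses a session file laid out the way the post describes it (three counter lines, then the 10000 first halves, then the 1000 second halves). That the first two counters are the first-half and second-half indices, that the third is a key count, and that the reported percentage is (p1_index + p2_index) / 11000 are this example's assumptions; they reproduce the 135 header and the roughly 1.22% the post reports. The sample session text is constructed inline.

```python
"""Added example (not from reaver): WPS PIN halves, the checksum digit, and a
parser for a session file laid out as the post above describes it.  The
counter order and the percentage formula are assumptions of this example."""

WPS_P1_SPACE = 10_000            # first half: 4 free digits
WPS_P2_SPACE = 1_000             # second half: 3 free digits, 8th digit is a checksum
MAX_ATTEMPTS = WPS_P1_SPACE + WPS_P2_SPACE   # the 11000 from the reaver readme
HEADER_LINES = 3                 # the three counter lines at the top of the .wpc file


def wps_checksum(seven_digits: str) -> int:
    """Checksum digit of a WPS PIN: weights 3,1,3,1,3,1,3 over the first seven digits."""
    if len(seven_digits) != 7 or not seven_digits.isdigit():
        raise ValueError("need exactly seven decimal digits")
    acc = sum((3 if i % 2 == 0 else 1) * int(ch) for i, ch in enumerate(seven_digits))
    return (10 - acc % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


def full_pin(p1: int, p2: int) -> str:
    """Assemble the 8-digit PIN sent for first half p1 and second half p2."""
    body = f"{p1:04d}{p2:03d}"
    return body + str(wps_checksum(body))


def candidate_halves():
    """The 10000 first-half and 1000 second-half candidates in plain ascending order."""
    return ([f"{i:04d}" for i in range(WPS_P1_SPACE)],
            [f"{i:03d}" for i in range(WPS_P2_SPACE)])


def write_session(p1_index: int, p2_index: int, key_count: int, p1, p2) -> str:
    """Serialise a session in the layout the post describes (assumed counter order)."""
    return "\n".join([str(p1_index), str(p2_index), str(key_count), *p1, *p2]) + "\n"


def parse_session(text: str) -> dict:
    """Parse a .wpc-style session and derive progress; raises on a malformed file."""
    lines = text.splitlines()
    if len(lines) != HEADER_LINES + MAX_ATTEMPTS:
        raise ValueError(f"expected {HEADER_LINES + MAX_ATTEMPTS} lines, got {len(lines)}")
    p1_index, p2_index, key_count = (int(x) for x in lines[:HEADER_LINES])
    if not (0 <= p1_index <= WPS_P1_SPACE and 0 <= p2_index <= WPS_P2_SPACE):
        raise ValueError("index out of range")
    p1 = lines[HEADER_LINES:HEADER_LINES + WPS_P1_SPACE]
    p2 = lines[HEADER_LINES + WPS_P1_SPACE:]
    if any(len(x) != 4 or not x.isdigit() for x in p1) or \
       any(len(x) != 3 or not x.isdigit() for x in p2):
        raise ValueError("malformed candidate list")
    attempts = p1_index + p2_index               # assumption: how the percentage is derived
    return {
        "p1_index": p1_index,
        "p2_index": p2_index,
        "key_count": key_count,
        "attempts": attempts,
        "percent": 100.0 * attempts / MAX_ATTEMPTS,
        "next_p1": p1[p1_index] if p1_index < WPS_P1_SPACE else None,
        "next_p2": p2[p2_index] if p2_index < WPS_P2_SPACE else None,
    }


def worst_case_hours(seconds_per_attempt: float) -> float:
    """Upper bound on run time: all 11000 attempts at the observed rate."""
    return MAX_ATTEMPTS * seconds_per_attempt / 3600.0


if __name__ == "__main__":
    p1, p2 = candidate_halves()
    session = write_session(135, 0, 0, p1, p2)   # constructed: the post's 135 / 0 / 0 header
    info = parse_session(session)
    print(f"{len(session.splitlines())} lines, {info['percent']:.2f}% done, "
          f"next pin {full_pin(int(info['next_p1']), 0)}")
    for rate in (320, 100, 56):
        print(f"{rate:>4} s/attempt -> worst case {worst_case_hours(rate):.0f} h")
```

    Running it with the rates from the post shows why the "4-8 hrs" figure is out of reach at 320 s/attempt: the worst case is close to a thousand hours, and even at 56 s/attempt it is about 171 hours.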

     
    StefanL | # 42 | 2012-01-07, 10:21

    Originally Posted by tonypower88:
    I tried walsh but it keeps showing the help menu even though I loaded monitor mode and injection mode on wlan0, then I tested with

    walsh -i wlan0
    walsh -interface wlan0
    walsh -i wlan0 -c 6
    walsh -i mon0 ---- created mon0 using airmon-ng
    and
    walsh -f mycapfile.cap ---- mycapfile.cap is an existing cap file
    Yeah same here. Check posts #31 / #32 above, this is the only thing it does.
    Update: Check in #49 / #60 below for a proper working version.


    Last edited by StefanL; 2012-01-08 at 14:42.

     
    meShell | # 43 | 2012-01-07, 13:20

    walsh = wpsmon.c,
    they forgot to change the line

    char c = 0;

    to

    int c = 0;

    It is fixed now again (latest from svn), maybe now it should work, I can't compile it right now, but maybe somebody wants to try.
    http://code.google.com/p/reaver-wps/.../detail?id=100

    In my other Linux-VM walsh is working.


     
    StefanL | # 44 | 2012-01-07, 13:41

    Originally Posted by meShell:
    It is fixed now again (latest from svn), maybe now it should work, I can't compile it right now, but maybe somebody wants to try.
    Please post the compiled file as soon as you can, my development environment is still cactus.


    Last edited by StefanL; 2012-01-07 at 13:56.

     
    meShell | # 45 | 2012-01-07, 13:52

    Originally Posted by StefanL:
    Please post compiled as soon as you can, my development environment is still cactus.
    Walsh is only a little tool to display a list of the networks that support WPS,
    but you can get the same information by using your normal n900 to connect to the internet and in the list you will see something like

    "compatible to Wi-Fi Protected Setup".


     
    karam | # 46 | 2012-01-07, 13:53

    for people who are interested with hacks...

    i'm thinking to make a package called : hack-pack and get it into repos

    it will include those binaries :
    1- hydra6 with gui
    2- mdk3
    3- dsniff and its friends (msgsnarf, urlsnarf ....)
    4- arpspoof (i was able to fix it on N900)
    5- driftnet
    6- reaver (when it gets stable enough)
    7- charon2.0 gui for mdk3
    8- cowpatty , genpmk

    PS: i already have them all compiled and ready

    as DEPENDS
    1- ettercap (already in repos) will only add it as a depend
    2- sslstrip (same as ettercap) depend only
    3- grimwepa
    4- wireshark


    so what do you think guys. should i do this ?
    and any other suggestions ?


     
    StefanL | # 47 | 2012-01-07, 14:00

    Originally Posted by karam:
    i'm thinking to make a package called : hack-pack and get it into repos
    Call it WPT (wireless penetration testing) or something similar and you will get more responses. But anyway, what's in a name? Sign me up, Karam.

    Maybe you should open up a separate thread for that one though.


     
    stevomanu | # 48 | 2012-01-07, 14:01

    Yes dude, that would be an awesome idea...

    Originally Posted by karam:
    for people who are interested with hacks...

    i'm thinking to make a package called : hack-pack and get it into repos
    [...]


     
    mr_pingu | # 49 | 2012-01-07, 14:40

    Compiled walsh binary =) Reaver not included..
    I can upload reaver if you want

    had to run it with option -C, else I got the bad FCS packet error

    edit: walsh -i mon0
    Scanning for supported APs...

    [!] Found packet with bad FCS, skipping...
    [!] Found packet with bad FCS, skipping...
    [!] Found packet with bad FCS, skipping...

    walsh -i mon0 -C

    Scanning for supported APs...
    00:11:22:33:44:55 example
    11:22:33:44:55:66 SSID

    Attached file: walsh.zip (234.6 KB)

    Last edited by mr_pingu; 2012-01-07 at 15:10.

     
    mr_pingu | # 50 | 2012-01-07, 15:06

    Originally Posted by karam:
    for people who are interested with hacks...

    i'm thinking to make a package called : hack-pack and get it into repos
    [...]
    Better you upload package one by one, not 1 all in one deb.
    Just make sure the dependencies are right. It's cleaner this way.

    So you can only download mdk3 if you don't want others by just typing apt-get install mdk3. When all is in one, you can't choose what to install and what not. So in the end we would have in the repos:
    • mdk 3
    • hydra6.0 (did you fix the gui? I used to crash on N900)
    • dsniff
    • arpspoof
    • driftnet
    • wireshark (already in repo)
    • tshark (already in repo)
    • aircrack-ng (already in repo)
    • reaver (including walsh)
    • charon (separate package, just like tshark and wireshark )
    • cowpatty, genpmk
    • YAMAS (already in repo)
    • Ettercap-gtk (includes GUI) (already in repo)

    I don't like all-in-one packages as you might already have some tools installed, like me. Love to see them in the repos as separate packages.


     