Пропускане към основното съдържание

Offensive-security-wireless-attacks & Attack WPS WiFi protected WPA WPA2_script



WARNING! THIS IS A COMPUTER CRIME

This is a brute force attack against an access point’s WiFi Protected Setup pin number. Once the WPS pin is found, the WPA PSK can be recovered and alternately the AP’s wireless settings can be reconfigured. Reaver-WPS targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar. In order to authenticate as a registrar, the registrar must prove its knowledge of the AP’s 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration. Reaver-WPS performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that keyspace is reduced to 10^7 (10,000,000) possible values. The keyspace is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum. Reaver-wps brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number.

WARNING! THIS IS A COMPUTER CRIME. YOU CAN DO THIS AT YOUR OWN RISK! THIS IS ONLY FOR EDUCATION!!!!!!

Need to install:

Kali Linux
Download script

STRONGLY RECOMMENDED:

Download from:
git clone https://github.com/nu11secur1ty/wifitick.git

IMPORTANT: YOU HAVE TO USE POWERFUL WIFI ANTENNA!

RECOMMENDED: Check for update every week!

NOTE! You need about 10 or 15 hours to complete the process. If you see "warning detected ap rate-limiting waiting 60 seconds before re-checking" Need to Know! Some routers will just block the mac address after a few failed WPS attempts. So you can bash your way with macchanger -r to some success. However anything new as you said tend to lock completely. You have to get fancy with trying to reset it using MDK3 to carry on. But do not worry. Reset the program and try another.


Upgrade 2019

Коментари

Popular Posts

CVE-2021-44228

REPRODUCE OF THE VULNERABILITY =): Collaboration: silentsignal

CVE-2022-21907

Donate if you are not shame!

DVWA - Brute Force (High Level) - Anti-CSRF Tokens

This is the final "how to" guide which brute focuses Damn Vulnerable Web Application (DVWA), this time on the high security level. It is an expansion from the "low" level (which is a straightforward HTTP GET form attack). The main login screen shares similar issues (brute force-able and with anti-CSRF tokens). The only other posting is the "medium" security level post (which deals with timing issues). For the final time, let's pretend we do not know any credentials for DVWA.... Let's play dumb and brute force DVWA... once and for all! TL;DR: Quick copy/paste 1: CSRF=$(curl -s -c dvwa.cookie "192.168.1.44/DVWA/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2) 2: SESSIONID=$(grep PHPSESSID dvwa.cookie | cut -d $'\t' -f7) 3: curl -s -b dvwa.cookie -d "username=admin&password=password&user_token=${CSRF}&Login=Login" "192.168.1...