|
[request] reaver for n900 - wps pin brute force hack
hi
does anyone have the mood to port it to maemo ? google has the code http://code.google.com/p/reaver-wps/downloads/list ciao |
Re: [request] reaver for n900 - wps pin brute force hack
Funny, the first thing I did when I first read news about it was to google for "n900 reaver wps" ;)
Now I did it again and found your post. I would like to try against my different APs, too. N900 was my first thought, would be nice ... EDIT 03.01.2012: Reaver v1.3 is working on n900 - Requirements:
Latest changes to code: http://code.google.com/p/reaver-wps/source/list Known Problems: http://code.google.com/p/reaver-wps/issues/list Maemo SDK In Maemo SDK start a terminal, download the sources: Code:
Optional - get latest source code using svn Code:
svn checkout http://reaver-wps.googlecode.com/svn/trunk/ reaver-wps-read-onlyEdit Makefiles, change crT to cr (removing the T): http://www.imgbox.de/users/public/images/UprwojHt8q.png Code:
nano reaver-1.3/src/crypto/MakefileCompile sourcecode Code:
/scratchbox/loginNow you should see 2 compiled binaries: http://www.imgbox.de/users/public/images/yzF9WiGkt1.png Text from reaver README Code:
OVERVIEW |
Re: [request] reaver for n900 - wps pin brute force hack
there is a python port somewhere on google (independend coded from another guy) and it starts on n900 but fails on forking the sniffer. google for wpscrack python.
ciao |
Re: [request] reaver for n900 - wps pin brute force hack
I am updating catalogues of my N900 while writing this didn't test yet, but do you have scapy and PyCrypto(dunno if its in maemo repo) installed?
Edit: Installing python-crypto python-scapy ettercap libpcap0,8 Think that dependencies are needed... Besides that, can't someone compile reaver? Only dependency seems to be libpcap. [Offtopic: The N900 is my only linux machine and I would love to know how to compile things just for N900. Can someone point me in the right direction? PM me if you are willing to help] Meanwhile, I will keep me busy getting that python version working. Going to sleep now... Regarding driver, I think loading the bleeding edge driver, (WL1251) is enough to let this program work |
Re: [request] reaver for n900 - wps pin brute force hack
Quote:
Maemo SDK Development Start here: http://maemo.org/development/ If you know VMware Player you can use this: http://wiki.maemo.org/Documentation/...Virtual_Images User: maemo pass: maemo sudo-pass: maemo More useful tutorial: http://www.nokiausers.net/forum/noki...r-running.html http://www.developer.nokia.com/Commu...K_installation Needed DNS-Fix for Vmware Image (/scratchbox/etc/resolv.conf) Change VM-Network to whatever you need (maybe NAT) run: ifconfig (note the eth-Number) dhclient eth5 (replace 5 with whatever it is for you) http://iloapp.mikek.dk/blog/developer?Home&post=49 Then do a reboot. |
Re: [request] reaver for n900 - wps pin brute force hack
Setup n900 and run compiled reaver binary
You need to be root for most actions, installations and running the applications airmon-ng and reaver. You need to install this package on your n900: Libpcap0.8 0.9.8-5+0m5 http://maemo.org/packages/package_in...8/0.9.8-5+0m5/ Direct Download: http://repository.maemo.org/pool/mae...+0m5_armel.deb on n900 shell (as root): Code:
sudo gainrootThen transfer Reaver-Binaries and database to your n900, copy reaver to the right location and do a testrun: /opt/reaver/etc/reaver.db /opt/reaver/bin/reaver /opt/reaver/bin/walsh symlinc to: /usr/local/bin /usr/local/etc/reaver Setup: Code:
mkdir -p /usr/local/etc/reaverOPTIONAL - change MAC so xou can easily identify your actions in your AccessPoints Logs Code:
From the README-file: Code:
USAGEBleeding-edge wl1251 driver for Maemo Fremantle Monitor mode on all channels: yes http://david.gnedt.eu/blog/wl1251/ README: http://david.gnedt.eu/wl1251/README Aircrack-ng Install Aircrack-ng on your n900. Run airmon-ng to create a monitoring interface: If you want to cahneg your MAC-Address you need to change it BEFORE creating the mon0 interface! Code:
ifconfig wlan0 downNow you should have an entry with "mon0". Airodump-ng To verify if it is working as expected run: Code:
airodump-ng mon0Stop it by pressing ctrl + c. Now you can run reaver (change example mac with bssid from you AP): Code:
reaver -i mon0 -b 00:01:02:03:04:05 -vvIt should look like this: http://www.imgbox.de/users/public/images/GjZiBWZZ7G.png OPTIONAL - Set WLAN0 to Monitoring-Mode Code:
ifconfig wlan0 downthere you should see wlan0 IEEE 802.11bg Mode:Monitor |
Re: [request] reaver for n900 - wps pin brute force hack
just tried and reaver seems to work but does not work - strace does not show any activity and airodump also not. using '-c' for channel switching on reaver shows a bit more activity regarding switching frequency.
seems there is more than just compiling. tx for the port to n900 anyway. ciao and happy new year |
Re: [request] reaver for n900 - wps pin brute force hack
very interest .hope it can fine work on N900.
|
Re: [request] reaver for n900 - wps pin brute force hack
you need at least a wlan driver that supports monitoring mode!
it will not work with stock n900 kernel and driver! but the bleeding edge driver should support full monitoring support and i hope somebody get it to work with it. see comparison chart: http://www.imgbox.de/users/public/images/W13WJLeK03.png and have a look at how it would work with pc linux (mon0 interface): http://www.youtube.com/watch?v=5_gELLGJSY8 |
Re: [request] reaver for n900 - wps pin brute force hack
hi
i tried both drivers (stock and b.edge - both in monitor mode) - same result. same result i had with one wlan adapter i use with linux. seems reaver supports only certain wlan drivers. ciao |
Re: [request] reaver for n900 - wps pin brute force hack
On my N900 reaver freezes:
https://dl.dropbox.com/u/1722763/Scr...101-142728.png And use full power of N900 CPU: https://dl.dropbox.com/u/1722763/Scr...101-142750.png |
Re: [request] reaver for n900 - wps pin brute force hack
I recompiled after make distclean, and even tried to compile v1.0, but still the same.
Someone needs to have a look into thesources at where it stops and why I think. I will attach the two bins. |
Re: [request] reaver for n900 - wps pin brute force hack
for me compiling it there was only problem with 'ar crT' where T is not supported by maemo ar (neither busybox or gnu). It does seem to hang with no activity whatsoever(except cpu) whether in monitor/bleeding/stock after compiling without this flag (also without providing target which tells immediately its buggy). WPSCrack seems to send 00000000 packets endlessly, which maybe result of two errors (scapy/python-crypto got many packages suggested, some not available for maemo, and most non-optified it would seem:() that pop up. Considering multitude of bugs being reported from standard distro users we might have better chances once the main probs are addressed by the authors. Looking forward to it anyway
EDIT: the above is my experience with 1.2, 1.0 from above posts is just as borked, maybe initial release will be luckier though that's doubtful at best lack of T is probably not the cause of problem. From only man page around I found for ar that contained this flag (MacOS ouch): -T Select and/or name archive members using only the first fifteen characters of the archive mem-ber member ber or command line file name. The historic archive format had sixteen bytes for the name, but some historic archiver and loader implementations were unable to handle names that used the entire space. This means that file names that are not unique in their first fifteen characters can subsequently be confused. A warning message is printed to the standard error output if any file names are truncated. (See ar(5) for more information.) Doesn't look as if it would make difference (as if binary compiling wouldn't be enough of an indicator), maybe pcap 0.8 is too old (pcap-dev 1.0 conflicts though for me) |
Re: [request] reaver for n900 - wps pin brute force hack
thank you for your detailed report!
yes I removed only those unsupported T,too. I have not much time for deeper inspection now. |
Re: [request] reaver for n900 - wps pin brute force hack
Thanks for trying anyway, guys - I hope it will be fixable, as it would be nice to have this little bastard on our device. Maybe contacting original developer is good idea? It seems, that interest in this show by our community is = or even > than amongst mainstream desktop ;)
/Estel |
Re: [request] reaver for n900 - wps pin brute force hack
Yeah, though 5-10 hrs seems to bit harsh at first, when you consider this or never (without a farm doing your wpa cracking for days) it is a great vector of an attack. Also 3-5 seconds per try make this not CPU intensive (from my understanding) making it an awesome tool (also considering how many routers now ship with WPS set as default lol)
|
Re: [request] reaver for n900 - wps pin brute force hack
I tried compile this alone via Debian chroot, but it's still not working.
|
Re: [request] reaver for n900 - wps pin brute force hack
|
Re: [request] reaver for n900 - wps pin brute force hack
reaver trunk with fixes from issue 41 seems to work a bit better ;)
don't forget to >chmod +x reaver edit: trunk removed, as v1.3 is working. |
Re: [request] reaver for n900 - wps pin brute force hack
What fixes did you apply? Revision 42 (the one using sqlite3 as yours) gives me same hanging as before. Your version fails to initialize interface (bit better I guess)
|
Re: [request] reaver for n900 - wps pin brute force hack
Reaver v1.3 (working)
Code:
Description: Release of full command-line commercial Reaver code.Working on my n900: Code:
Reaver v1.3 WiFi Protected Setup Attack ToolEdit: Added the new utility "WALSH". New utility, walsh, to scan for WPS enabled APs. ... but it seems this one needs some time again until it is working, for me it does nothing, it always displays the help. |
Re: [request] reaver for n900 - wps pin brute force hack
What 'a bit better' means, in case of program that isn't working (on N900) at all? More details, please?
|
Re: [request] reaver for n900 - wps pin brute force hack
Quote:
http://code.google.com/p/reaver-wps/issues/detail?id=41 I changed as mentioned char -> int. Now I compiled latest 1.3 stable again and there it is already fixed in sources. I am running v1.3 right now and it is working. Quote:
Code:
reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv |
Re: [request] reaver for n900 - wps pin brute force hack
Alright, 1.3 (revision 48 currently in trunk at least) works, though superuser privileges required. Sudo that and got some movement
|
Re: [request] reaver for n900 - wps pin brute force hack
Quote:
I forgot to mention it on first page, I tried to sum up in short (the text in green). and fixed wrong libpcap-Version in shell commands: wrong: wget http://repository.maemo.org/extras-t...emo4_armel.deb correct: wget http://repository.maemo.org/pool/mae...+0m5_armel.deb I will try to clean up the first page threads the next days. |
Re: [request] reaver for n900 - wps pin brute force hack
Just compiled my first software ever, I think I done it all right as I got a binary and I copied it to /usr/bin and chmod +x it. Reaver starts fine but it doesn't change PINs. It keeps trying te samen PIN over and over again, everytime I start reaver with these parameters another PIN is tried. However it does not change during run ;o
Is it my compiling noobnes or is it reaver thats buggin me? Installed SDK on VM and compiled it from there with the instructions found on page 1. I even compiled mdk3 but didn't test it yet. Now I can compile I hope I will bring reaver or mdk3 to the repos once, no promises tho. This feels already like a huge step, the N900 is my only and first linux device ;p Can we compile on the N900 itself? |
Re: [request] reaver for n900 - wps pin brute force hack
Is the AP you are trying it on with WPS/QSS/... enabled? Sounds like it works (if you got injection/monitor mode enabled) but the router is not responding. Maybe the signal is too weak? Does the AP show up in normal connection wizard (from status menu-bar) as WiFi-Protected Setup Compliant?
If you will be packaging it remember to just place symbolic link in /usr/bin and the binary (stripped) on opt |
Re: [request] reaver for n900 - wps pin brute force hack
Quote:
gcc, make, etc. are all available from the repos for compiling c programs, you may have to activate some extra repos though. I also had ftoc working on my system and managed to compile some old Fortran77 programs that I wrote back in the DOS days of computing :p. |
Re: [request] reaver for n900 - wps pin brute force hack
Quote:
|
Re: [request] reaver for n900 - wps pin brute force hack
2 Attachment(s)
Quote:
|
Re: [request] reaver for n900 - wps pin brute force hack
Quote:
|
Re: [request] reaver for n900 - wps pin brute force hack
Yup, just as meShell said, but since tony requested it...
|
Re: [request] reaver for n900 - wps pin brute force hack
wow very nice! would like to try it but at the moment i have to little time / am to lazy to set up the environment for compiling - is it possible anyone upload the compiled reaver binary?
thanks in advance :D EDIT: ...just saw that it's now part of Cleven http://talk.maemo.org/showpost.php?p...&postcount=327 AWESOME! :D |
Re: [request] reaver for n900 - wps pin brute force hack
today, I've tested it with 10+ WPS-compliant AP in work, and the results were quite interesting.
It seems, that WPS-compliant device can mean virtually anything. First router was accepting *every* pin as correct, so reaver reported WPS pin cracked after 2-5 seconds, every time, no matter of PIN tested. Of course, it wasn't giving any WPA passphrase (unfortunately or fortunately, depending on point of view ;) ). when I tried to connect to this AP "godly way", it wasn't using any pre-defined PIN - N900 dialog was asking me to use on-AP button. I was able to choose "PIN method", but that was even more ridiculous - instead of asking me to input PIN on N900, it actually *gave* me PIN via N900 dialog, and requested to input this PIN to AP. every attempt resulted in different PIN created. So, this Access Point was protected against this attack vector, but, according to WPS standard, it wasn't compliant with *any* obligatory method of establishing WPS connection... Another router - some kind of damn Livebox - after 4-5 pin attempts just locked further WPS connecting. Using any delay (instead of default 315) haven't helped. Interesting thing is that, when I checked it after 10 hours, it was still in WPS locked state :eek: I wonder, if it's going to allow WPS tommorow - maybe, after lockout, it require restart to work properly? That would mean Reaver is performing WPS DoS on this model, as during lockup, no client is able to connect via WPS. Few other machines were working with Reaver "normally". Yet, the time between effective PIN attempts wasn't particularly awesome - Reaver measured it as average of 27 seconds per PIN. Despite having strong signal, I was getting "response timeouts" many times. This require further investigation, as some times, I was able to check 7 PIN per 10 seconds, and for other situations, same router allowed 1 PIN per minute. Finally, one router 'seemed' to work, but wasn't responding to PIN attempts at all - Reaver just tried one and only PIN whole testing period. I though it's related to MAC filtering, so I used allowed MAC for 2nd attempt, but results were same. by the way, I also tried allowed MAC for first router (this one that was giving PIN, instead of requesting one), also with no new results. The bright side, is that it isn't power demanding. Using N900 with 800 mAh (out of 3070 mAh total), I was expecting quick need for charge. Instead, after ~8h, I was still @ ~500 mAh. Power usage resembled regular one with WiFi connected to AP, staying idle (GSM was disabled totally during tests). Overall, on router working best, 8h30min resulted in 1.45% of 11000 PIN's checked. Far from 'promised' 10-13H to 50%, but it probably depends highly on AP - I haven't noticed anything, that could indicate problems with fast PIN checking on N900 or Reaver side. Probably, never routers, that most strictly follow WPS standards, are - ironically - more prone to quick WPS cracking. /Estel // Edit During actively trying to crack one AP, N900 reported 7-13% of processor usage @ 500mhz - including Conky itself, and of course, other N900 processes. So, Reaver itself was using about 3-9% @ 500 mhz. It never resulted in on-demand jump to higher frequency. |
Re: [request] reaver for n900 - wps pin brute force hack
Estel,
What options exactly did you use? Did you try the --eap-terminate? I noticed that for my friend's router that dropped connection after a few tries it helped. |
Re: [request] reaver for n900 - wps pin brute force hack
Yea, I've tried -E (same as --eap-terminate, according to reaver --help) on every router. in case of models I was dealing with, it wasn't making any difference.
Every router was also tested with -S and -a (independently and together) - I haven't noticed any improvement. Same goes for -w option (though, that for some routers mimic'ing win7 behavior may help against dropping connection\). So, generally, I've tried them in all possible combination. Of course it doesn't mean -E is useless - as You have noted, it works on some APs. I'm pretty sure, that implementation of WPS in existing routers is one big of a mess. WPScrack developer state, that 95% of newly produced router have WPS enabled by default - I hope, that it's more standardized in new batches (routers I've tested wasn't models from last month or two). /Estel // Edit Saturn, while testing it on your friends router, what amount of average second per pin attempt reaver reported (it reports total% and average seconds once a few minutes)? |
Re: [request] reaver for n900 - wps pin brute force hack
Quote:
Yes it does showed up =) Anyway tried a bit older router(sitecom 300N) I had lying around, and it worked fantastically, didn't finish the job. But output gave me the impression it worked like it should.Probably that particular router wasn't "hackable". This confirms Estels experience with different routers. I think I succesfully compiled my first software of my life. :D |
Re: [request] reaver for n900 - wps pin brute force hack
Quote:
did you use "-i mon0" or "-i wlan0"? The rate varied and I could test for almost 6 hours while also finding out stuff. We have rebooted the router maybe 30 times! (that's why I've put the warning) In a rebooted router it could be 10-15 seconds per attempt going up to 60-70 seconds/attempt after some time. It eventually locked and if you left it running it would eventually reconnect. By creating some symlinks (they are included in cleven-experimental) I was able to store and recover the session and continue from were it is left. We will try to leave it running over several nights and see if it will manage to find the pass-phrase. In that way his wife will not be that upset with us :) In any case, a few bugs have been reported and in future reaver is expected to have less errors - the wait and retry delays are not working properly. |
Re: [request] reaver for n900 - wps pin brute force hack
Quote:
walsh -i wlan0 walsh -interface wlan0 walsh -i wlan0 -c 6 walsh -i mon0 ---- created mon0 using airmon-ng and walsh -f mycapfile.cap ---- mycapfile is already have cap file |
Re: [request] reaver for n900 - wps pin brute force hack
Of course I was using -vv.. Also, I was enabling monitor mode via fAircrack (just for convenience), so only -i wlan0 was present, and I used it.
I wonder why router You've tested was becoming slower and slower during test. Proper way of "blocking" too many pin attempts would be Rate lock, which reaver detects properly and use longer wait time (315 by default) - that happened with Livebox I've tested (and it's still locked, lol. Just as a curiosity, I'm going to leave it as is and check if it's ever going to unlock without reset). response timeout are - at least AFAIUI - more likely due to router inability to cope with so many PIN attempts/associations etc. I think that 'Your' router logs/cache/whatever PIN attempts, and slowly, it's (not so high) internal memory become stuffed after some time, to the point of DoS. Of course it's purely an assumption, but I don't see any other reason, why it should become slower and slower, then deny next PIN request and normal working for already connected clients altogether. On the other hand, some Linksys routers with 16 MB and 32 MB of RAM, seem like "un-Dos-able'' - either they're not logging WPS attempts, or their RAM/NVRAM is big enough to cope with that. /Estel |
| All times are GMT. The time now is 21:27. |
vBulletin® Version 3.8.8