maemo.org - Talk
Page 1 of 15 1 2311 Last »
Show 40 post(s) from this thread on one page

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Applications (https://talk.maemo.org/forumdisplay.php?f=41)
-   -   [request] reaver for n900 - wps pin brute force hack (https://talk.maemo.org/showthread.php?t=81219)

-miniME- 2011-12-30 18:36
[request] reaver for n900 - wps pin brute force hack
 
hi

does anyone have the mood to port it to maemo ?

google has the code

http://code.google.com/p/reaver-wps/downloads/list

ciao

meShell 2011-12-30 20:28
Re: [request] reaver for n900 - wps pin brute force hack
 
Funny, the first thing I did when I first read news about it was to google for "n900 reaver wps" ;)

Now I did it again and found your post.

I would like to try against my different APs, too.
N900 was my first thought, would be nice ...


EDIT 03.01.2012:

Reaver v1.3 is working on n900 - Requirements:


Latest changes to code:

http://code.google.com/p/reaver-wps/source/list


Known Problems:

http://code.google.com/p/reaver-wps/issues/list








Maemo SDK


In Maemo SDK start a terminal, download the sources:

Code:

cd /scratchbox/users/maemo/home/maemo/workspace/

wget http://reaver-wps.googlecode.com/files/reaver-1.3.tar.gz

tar xzvf reaver-1.3.tar.gz

Optional - get latest source code using svn

Code:
svn checkout http://reaver-wps.googlecode.com/svn/trunk/ reaver-wps-read-only



Edit Makefiles, change crT to cr (removing the T):

http://www.imgbox.de/users/public/images/UprwojHt8q.png

Code:
nano reaver-1.3/src/crypto/Makefile
nano reaver-1.3/src/tls/Makefile
nano reaver-1.3/src/utils/Makefile

Compile sourcecode

Code:
/scratchbox/login

sb-conf select FREMANTLE_ARMEL

apt-get update

apt-get install libpcap0.8-dev libpcap0.8

cd reaver-1.3/src

./configure

make

ls

Now you should see 2 compiled binaries:

http://www.imgbox.de/users/public/images/yzF9WiGkt1.png








Text from reaver README

Code:
OVERVIEW

        Reaver performs a brute force attack against an access point's WiFi Protected Setup pin number.
        Once the WPS pin is found, the WPA PSK can be recovered and alternately the AP's wireless settings can be
        reconfigured.

        While Reaver does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once
        the WPS pin is known.

DESCRIPTION

        Reaver targets the external registrar functionality mandated by the WiFi Protected Setup specification.
        Access points will provide authenticated registrars with their current wireless configuration (including
        the WPA PSK), and also accept a new configuration from the registrar.

        In order to authenticate as a registrar, the registrar must prove its knowledge of the AP's 8-digit pin
        number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because
        the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not
        need any prior knowledge of the wireless encryption or configuration.

        Reaver performs a brute force attack against the AP, attempting every possible combination in order to
        guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000)
        possible values for any given pin number. However, because the last digit of the pin is a checksum value
        which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000)
        possible values.

        The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in
        half and validates each half individually. That means that there are 10^4 (10,000) possible values for the
        first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit
        of the pin being a checksum.
       
        Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire
        key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test
        pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough
        that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically,
        it will only take half of that time in order to guess the correct pin number.
       

INSTALLATION

        Reaver is only supported on the Linux platform, requires the libpcap library, and can be built and
        installed by running:

                $ ./configure
                $ make
                # make install

        To remove everything installed/created by Reaver:

                # make distclean

USAGE

        Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:

                # reaver -i mon0 -b 00:01:02:03:04:05

        The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically
        identified by Reaver, unless explicitly specified on the command line:

                # reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys

        Since version 1.3, Reaver implements the small DH key optimization as suggested by Stefan which can
        speed up the attack speed:

                # reaver -i mon0 -b 00:01:02:03:04:05 --dh-small

        By default, if the AP switches channels, Reaver will also change its channel accordingly. However,
        this feature may be disabled by fixing the interface's channel:

                # reaver -i mon0 -b 00:01:02:03:04:05 --fixed

        The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary
        (minimum timeout period is 1 second):

                # reaver -i mon0 -b 00:01:02:03:04:05 -t 2

        The default delay period between pin attempts is 1 second. This value can be increased or decreased
        to any non-negative integer value. A value of zero means no delay:

                # reaver -i mon0 -b 00:01:02:03:04:05 -d 0

        Some APs will temporarily lock their WPS state, typically for five minutes or less, when "suspicious"
        activity is detected. By default when a locked state is detected, Reaver will check the state every
        315 seconds (5 minutes and 15 seconds) and not continue brute forcing pins until the WPS state is unlocked.
        This check can be increased or decreased to any non-negative integer value:

                # reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250
       
        For additional output, the verbose option may be provided. Providing the verbose option twice will
        increase verbosity and display each pin number as it is attempted:

                # reaver -i mon0 -b 00:01:02:03:04:05 -vv

        The default timeout period for receiving the M5 and M7 WPS response messages is .1 seconds. This
        timeout period can be set manually if necessary (max timeout period is 1 second):

                # reaver -i mon0 -b 00:01:02:03:04:05 -T .5

        Some poor WPS implementations will drop a connection on the floor when an invalid pin is supplied
        instead of responding with a NACK message as the specs dictate. To account for this, if an M5/M7 timeout
        is reached, it is treated the same as a NACK by default. However, if it is known that the target AP sends
        NACKS (most do), this feature can be disabled to ensure better reliability. This option is largely useless
        as Reaver will auto-detect if an AP properly responds with NACKs or not:

                # reaver -i mon0 -b 00:01:02:03:04:05 --nack

        While most APs don't care, sending an EAP FAIL message to close out a WPS session is sometimes necessary.
        By default this feature is disabled, but can be enabled for those APs that need it:

                # reaver -i mon0 -b 00:01:02:03:04:05 --eap-terminate

        When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this
        may be a sign that the AP is rate limiting pin attempts or simply being overloaded, a sleep can be put in
        place that will occur whenever these warning messages appear:

                # reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360

FILES

        The following are Reaver source files:

                o 80211.c        Functions for reading, sending, and parsing 802.11 management frames
                o builder.c        Functions for building packets and packet headers
                o config.h        Generated by the configure script
                o cracker.c        Core cracking functions for Reaver.
                o defs.h        Common header with most required definitions and declarations
                o exchange.c        Functions for initiating and processing a WPS exchange
                o globule.c        Wrapper functions for accessing global settings
                o iface.c        Network interface functions
                o init.c        Initialization functions
                o keys.c        Contains tables of all possible pins
                o misc.c        Mac address conversion, debug print functions, etc
                o pins.c        Pin generation and randomization functions
                o send.c        Functions for sending WPS response messages
                o sigalrm.c        Functions for handling SIGALRM interrupts
                o sigint.c        Functions for handling SIGINT interrupts
                o wpscrack.c        Main Reaver source file
                o wps.h                Includes for wps wpa_supplicant functions
                o libwps/*        Generic library code for parsing WPS information elements

        The following files have been taken from wpa_supplicant. Some have been modified from their original sources:

                o common/*
                o crypto/*
                o tls/*
                o utils/*
                o wps/*

        The lwe directory contains Wireless Tools version 29, used for interfacing with Linux Wireless Extensions.

-miniME- 2011-12-30 20:37
Re: [request] reaver for n900 - wps pin brute force hack
 
there is a python port somewhere on google (independend coded from another guy) and it starts on n900 but fails on forking the sniffer. google for wpscrack python.

ciao

mr_pingu 2011-12-30 22:47
Re: [request] reaver for n900 - wps pin brute force hack
 
I am updating catalogues of my N900 while writing this didn't test yet, but do you have scapy and PyCrypto(dunno if its in maemo repo) installed?

Edit: Installing
python-crypto
python-scapy
ettercap
libpcap0,8

Think that dependencies are needed...
Besides that, can't someone compile reaver? Only dependency seems to be libpcap.

[Offtopic: The N900 is my only linux machine and I would love to know how to compile things just for N900. Can someone point me in the right direction? PM me if you are willing to help]

Meanwhile, I will keep me busy getting that python version working. Going to sleep now...


Regarding driver, I think loading the bleeding edge driver, (WL1251) is enough to let this program work

meShell 2011-12-30 23:51
Re: [request] reaver for n900 - wps pin brute force hack
 
Quote:
Originally Posted by mr_pingu (Post 1143648)

[Offtopic: The N900 is my only linux machine and I would love to know how to compile things just for N900. Can someone point me in the right direction? PM me if you are willing to help]

Maemo SDK Development


Start here:

http://maemo.org/development/

If you know VMware Player you can use this:

http://wiki.maemo.org/Documentation/...Virtual_Images

User: maemo
pass: maemo
sudo-pass: maemo


More useful tutorial:

http://www.nokiausers.net/forum/noki...r-running.html

http://www.developer.nokia.com/Commu...K_installation


Needed DNS-Fix for Vmware Image (/scratchbox/etc/resolv.conf)

Change VM-Network to whatever you need (maybe NAT)
run:
ifconfig (note the eth-Number)
dhclient eth5 (replace 5 with whatever it is for you)

http://iloapp.mikek.dk/blog/developer?Home&post=49

Then do a reboot.

meShell 2011-12-31 20:03
Re: [request] reaver for n900 - wps pin brute force hack
 
Setup n900 and run compiled reaver binary


You need to be root for most actions, installations and running the applications airmon-ng and reaver.


You need to install this package on your n900:

Libpcap0.8 0.9.8-5+0m5

http://maemo.org/packages/package_in...8/0.9.8-5+0m5/

Direct Download:

http://repository.maemo.org/pool/mae...+0m5_armel.deb


on n900 shell (as root):

Code:
sudo gainroot

wget http://repository.maemo.org/pool/maemo5.0/free/libp/libpcap/libpcap0.8_0.9.8-5+0m5_armel.deb

dpkg -i libpcap0.8_0.9.8-5+0m5_armel.deb

Then transfer Reaver-Binaries and database to your n900, copy reaver to the right location and do a testrun:

/opt/reaver/etc/reaver.db
/opt/reaver/bin/reaver
/opt/reaver/bin/walsh

symlinc to:
/usr/local/bin
/usr/local/etc/reaver

Setup:

Code:
mkdir -p /usr/local/etc/reaver
mkdir /opt/reaver
mkdir /opt/reaver/bin
mkdir /opt/reaver/etc

# copy the files as mentioned above !

ln -s /opt/reaver/etc/reaver.db /usr/local/etc/reaver/reaver.db
ln -s /opt/reaver/bin/reaver /usr/bin/reaver
ln -s /opt/reaver/bin/walsh /usr/bin/walsh

chmod -R a+rw /opt/reaver/etc/reaver.db
chmod +x /usr/local/bin/reaver
chmod +x /usr/local/bin/walsh

OPTIONAL - change MAC so xou can easily identify your actions in your AccessPoints Logs

Code:

ifconfig wlan0 down
macchanger wlan0 --mac=00:11:22:33:44:55
ifconfig wlan0 up


reaver -i mon0 -b 00:01:02:03:04:05 -vv


From the README-file:

Code:
USAGE

        Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:

                # reaver -i mon0 -b 00:01:02:03:04:05

        The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically
        identified by Reaver, unless explicitly specified on the command line:

                # reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys


Bleeding-edge wl1251 driver for Maemo Fremantle

Monitor mode on all channels: yes

http://david.gnedt.eu/blog/wl1251/

README:
http://david.gnedt.eu/wl1251/README



Aircrack-ng

Install Aircrack-ng on your n900.

Run airmon-ng to create a monitoring interface:

If you want to cahneg your MAC-Address you need to change it BEFORE creating the mon0 interface!

Code:
ifconfig wlan0 down
macchanger wlan0 --mac=00:11:22:33:44:55
ifconfig wlan0 up


airmon-ng start wlan0

ifconfig

Now you should have an entry with "mon0".


Airodump-ng

To verify if it is working as expected run:

Code:
airodump-ng mon0
It should go through wifi channels and after some time display a list of BSSIDs.

Stop it by pressing ctrl + c.

Now you can run reaver (change example mac with bssid from you AP):

Code:
reaver -i mon0 -b 00:01:02:03:04:05 -vv



It should look like this:

http://www.imgbox.de/users/public/images/GjZiBWZZ7G.png


OPTIONAL - Set WLAN0 to Monitoring-Mode

Code:
ifconfig wlan0 down

iwconfig wlan0 mode Monitor

ifconfig wlan0 up

iwconfig

there you should see

wlan0 IEEE 802.11bg Mode:Monitor

-miniME- 2011-12-31 23:21
Re: [request] reaver for n900 - wps pin brute force hack
 
just tried and reaver seems to work but does not work - strace does not show any activity and airodump also not. using '-c' for channel switching on reaver shows a bit more activity regarding switching frequency.

seems there is more than just compiling.

tx for the port to n900 anyway.

ciao and happy new year

psychologe 2011-12-31 23:30
Re: [request] reaver for n900 - wps pin brute force hack
 
very interest .hope it can fine work on N900.

meShell 2011-12-31 23:37
Re: [request] reaver for n900 - wps pin brute force hack
 
you need at least a wlan driver that supports monitoring mode!

it will not work with stock n900 kernel and driver!

but the bleeding edge driver should support full monitoring support and i hope somebody get it to work with it.

see comparison chart:

http://www.imgbox.de/users/public/images/W13WJLeK03.png


and have a look at how it would work with pc linux (mon0 interface):

http://www.youtube.com/watch?v=5_gELLGJSY8

-miniME- 2012-01-01 05:40
Re: [request] reaver for n900 - wps pin brute force hack
 
hi

i tried both drivers (stock and b.edge - both in monitor mode) - same result.

same result i had with one wlan adapter i use with linux.

seems reaver supports only certain wlan drivers.

ciao


All times are GMT. The time now is 16:44.
Page 1 of 15 1 2311 Last »
Show 40 post(s) from this thread on one page

vBulletin® Version 3.8.8