Free thought for a free internet


#1 Re: Ethical wireless hacking: Alternative methods » Hostbase-1.4 is here » 26-02-2022 01:02:32

Koala wrote:

I don't know very well how Python works, but Ruby is pretty easy to learn too.

From Google:

Is it better to learn Ruby or Python?

Ruby is known for its elegant syntax. It uses simple English words that are easy to understand. But Python is just as simple and uses language that is even more natural. ... Python, Python is easier to learn than Ruby due to its syntax.

But whatever, wifiphisher, the most common evil twin tool, is written in Python though.

#2 Re: Ethical wireless hacking: Alternative methods » Hostbase-1.4 is here » 22-02-2022 01:16:21

Hmm, then why not Python?

The same about bash applies to Python.

There are tons of Python wifi hacking scripts on GitHub whose code we can read and learn from.

Ruby is a weird choice for a wifi hacking script whose whole point is just automation.

#3 Re: Ethical wireless hacking: Alternative methods » Hostbase-1.4 is here » 19-02-2022 21:28:38

Koala wrote:

And I will never use the same code (or slightly changed) as the other tools. The reason is that if other tools use my code or my ideas about wps_pbc without mentioning or linking the original hostbase project, I will not appreciate that.

I understand, then you can mention a link or whatever.... It's written in bash mostly and it's pretty generic code, so changing it a little bit would make it totally different code.

Second: hostbase is made in Ruby while the other scripts are made in bash or Python. That means I have to create entirely new code including your suggestions without borrowing code from the other scripts.

Hmm, but why did you make it in Ruby while all the needed code was already done in bash? There was no need for reinventing the wheel. And I thought that you could run bash files from within the Ruby script, just like the WPS loop, and then you could link the output of both tools somehow.

Automatically uploading the new page to GitHub isn't possible, but making a pull request maybe is.

It won't matter much. Even FTP ------> then GitHub
would do the job.


Now, to respect this forum, I suggest that the following messages be in Spanish, because maybe not all users understand English and can't participate in this thread.

Hmm, but the translator will probably break the meaning of the text, but whatever : )

#4 Re: Ethical wireless hacking: Alternative methods » Hostbase-1.4 is here » 19-02-2022 02:39:13

Koala wrote:

For some reason the problem was in the loop itself: "while true" can't work if there is another loop also using "while true" in the same script file. In our case we have 2 loops, one to check if the WPS button has been pressed and another one to send the wps_pbc request to the target AP. So I created a new bash script called "wash.sh" and used it from the main Ruby script as a background "Ruby thread". Like that we can use the bash code with the loop to check if the WPS button has been pressed, without stopping the second loop when it begins sending wps_pbc requests to the target AP once the button has been pushed.

Oh, that's great.

I have to create an English version of hostbase too, but the problem is I don't know which router is used to make a good phishing page... If you live in England or the US, any help identifying which phishing page to make will be appreciated.

No, unfortunately I don't live there, even though an English version would be really great, since English is the most popular language in the world.

But before that, you need to make the script/tool user friendly, as it's lacking:
1. listing the available cards and allowing the user to select from them, just like fluxion
2. scanning the networks and listing them with a star beside their name to indicate that the network has targets connected to it, and allowing the user to select from the list by just typing a number, just like fluxion
3. removing the need to move the script folder to the /tmp/ folder

These are basic features that are included in all evil twin scripts. I know that you may not be able to do these features, but you can borrow code from the other scripts; they are open source after all.

After that, then maybe your tool becomes known and popular; otherwise, you know that most users won't like the usability of the script, because it's a little bit hard.

With these things left aside:

For the UK/US phishing page we can find out the most popular routers from their Amazon page or from Shodan.
And the customer support phishing is a bit too much... I think the WPS phishing is enough,
as users like to just leave the evil twin attack on while they do something else... and that's not the case for the "customer support phishing" page.

I have a couple of suggestions for the phishing pages problem.

But first, the network scan should show the router models that we get from wash,
so they know which networks to target; in other words, we should use wash for scanning networks instead.

1. A generic page asking users to push the WPS button, with pictures of the logo, which will mostly work with no problem.

2. We collect one for each vendor (router manufacturer), not model, or let the user supply the page used for the attack themselves.

3. We do it using an advanced way (my usual "crazy ideas"):
if the attacking device has network access, we simply grab the router model from the WPS probes
and google it with the inurl filter and filetype:pdf,
using a list of official router vendors' documentation pages.

And using the Python rindex() function
we can search for "wps" in the returned file
and return the matching pages,

and we present them to the user to choose which one fits,
and then simply merge it with the HTML page with a big-ass header saying "Press the button... etc."

Or, if we can detect whether a PDF page has an image or not,
it can then be done 100% automatically in a very advanced way that works for all devices.
Then we make the script automatically submit the page to GitHub, so the more users use the tool, the more ready-made pages we have in our collection, and normally we would get the common router models' pages in no time, since they are common, and then users will be happy haha

But this is totally not necessary; points 1 or 2 are more than enough.


This is how it looks for most routers when searching for the PDF manual:


That's all I have in mind about this, and if the tool gets popular enough, then maybe users start submitting pages and then we would have a lot of them.

I will be posting a really crazy method in the next couple of days that will maybe change the wifi hacking game : ]

Regards

#5 Re: Ethical wireless hacking: Alternative methods » Hostbase-1.4 is here » 18-02-2022 19:43:14

Koala wrote:

Here I am... I try to give the best I can with my little experience in programming and the updates that sometimes screw everything up...

I know the struggle, mate, I too have little experience in programming and am unable to implement really great ideas.
Your work is much appreciated : )

At the moment I removed the option to check if the real AP is shut down or not.

Oh, it's not that important, no worries.

I have some problems including it and I have to work on that... stay tuned for the next update.

Wish you luck, I am always tuned for updates : )

I have changed the code because after the update of Kali (2022.1) the loop that serves to detect the support of the WPS button did not work,

What was the problem?

#6 Re: Ethical wireless hacking: Alternative methods » Hostbase-1.4 is here » 17-02-2022 00:40:39

Koala wrote:

Hi

Thanks for getting the open fake network option back

What did you use for the "PBC loop option"?


I use wash for the loop, but since yesterday, when I updated my Kali Linux computer to Kali 2022.1, I have some problems and the loop doesn't work any more; some options are not working fine, I have to work on them and fix them.

I don't know if the Ruby version has been changed or whatever... maybe I have to enforce some things in the code. At this moment I don't recommend testing the tool until I solve the problem.


I will update the tool when fixed.

Great, np : )

#7 Re: Ethical wireless hacking: Alternative methods » Hostbase-1.4 is here » 16-02-2022 21:38:43

Whoa, thanks a lot mate, this is a really, really great work.


Thanks for getting the open fake network option back

What did you use for the "PBC loop option"?

#8 Re: Ethical wireless hacking: Alternative methods » A possible improvement to the WPS PBC hack » 16-02-2022 21:24:48

Koala wrote:

Hi


So I have good news: apparently it is possible to stop the deauth only when the WPS button has been pushed. Before, I was stopping the deauth only when a victim joined the fake AP, to let the router wake up, to be sure we can launch the wps_pbc request efficiently after that. Now, from what I have tested on my router, it seems to be possible to stop the deauth only when the WPS button has been pushed. I made a sample Ruby script to test this new option using a loop with wash.


https://zupimages.net/up/22/05/d665.png

Whoa, that's hella great!



As you can see, I consider any of your proposals to make the hostbase project better, and I hope you will enjoy the next version if I can include this new test in the whole script.

@++

Sure : )

#9 Re: Ethical wireless hacking: Alternative methods » A possible improvement to the WPS PBC hack » 16-02-2022 21:18:53

Koala wrote:

Hi

I am working on a new version of hostbase, but I can't say now when I will release it. As I see, the wps_pbc attack is becoming attractive; the first time I did this attack was in 2015 and I will continue as long as WPS exists, and I hope it will exist for a long time lol

haha yeah :D

#10 Re: Ethical wireless hacking: Alternative methods » A possible improvement to the WPS PBC hack » 28-01-2022 18:24:15

wifiyeah wrote:

Reaver issue number 107??

That's a bit old, isn't it?
I think it's at around 700.
It's supposed to detect that now, isn't it?

I also tried the command

wash -i mon0 -b xxxxxxxxxx -c 8 | grep -q "wps_device_password_id" && echo Pushed || echo NotPushed

and nothing at all happens;
also, -j as mooooon put it doesn't work, it gives an error,
and what's the timeout for??

regards


First, you forgot the -j option!!
And you forgot to change the channel number!!
It should be like this:

wash -j -i mon0 -b xxxxxxxxxx -c 8 | grep -q "wps_device_password_id" && echo Pushed || echo NotPushed

Second, update Reaver to the latest version first!

I think it's at around 700.

That's because you are discussing the issue on Pixiewps.

The timeout option is because wash would never exit if you don't kill it, which means that grep would never echo anything!

You can do it using a .sh file if you want:

#!/bin/bash
wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 > file.txt &
PIDOFWASH=$!
until grep -q '"wps_device_password_id" : "0004"' file.txt; do
    sleep 1
done
echo found
kill "${PIDOFWASH}"

#11 Re: Ethical wireless hacking: Alternative methods » A possible improvement to the WPS PBC hack » 28-01-2022 18:19:33

kcdtv wrote:

Reaver is also based on wpa_supplicant; Craig Heffner (creator of the first versions) modified some libraries so that it would better suit the tool's purpose.

Oh, even Reaver, which works in monitor mode, is based on wpa_supplicant!! That's just insane.

It is not possible with a single adapter, because the virtual interfaces are tied to the physical interface.
To have one interface on a fixed channel and another doing channel hopping, you need two WiFi adapters, no way around it.

I meant using some method like monitoring for channel change using the airodump-ng -c option
and killing everything in case the AP is not found on the current channel, to grab the new channel, then restart.

But someone told me that they tried it and airodump just messes things up and that it's inconsistent.

Also, what do you think about this?

Hacking Wi-Fi with cached JavaScript Via Browsers Cache Poisoning: https://rhaidiz.net/2018/10/25/dribble-stealing-wifi-password-via-browsers-cache-poisoning/

Are you interested in doing something like it but with a captive portal instead?

Getting the model is easy with 3wifi and Fing and WPS

Well done!

Thanks for your help so far.

#12 Re: Ethical wireless hacking: Alternative methods » A possible improvement to the WPS PBC hack » 27-01-2022 21:02:48

Koala wrote:

For this reason we have to stop mdk3/4 before making a PBC request on the AP when a client connects to the fake AP. Like I said before, if you stop mdk3/4 just when the PBC is alive on the AP, you will get some trouble getting the WPS access, because not all APs act the same way, and the deauth with mdk3/4 is very powerful and can crash an AP for a while.

Hmm, I didn't experience any AP crashing because of mdk3/4... and let's say that it would crash... would the crash last for the whole 120 seconds?

Even if that's the case... checking whether the PBC button was pushed or not using wpa_cli is troublesome, as we are already in monitor mode while wpa_cli works in managed mode.
And then if we try channel hopping, it would be much, much more complicated for no reason, because wpa_cli would be running in the background checking for the push of the button,
making mdk3 not possible.
Also, this way we leave a window for the target client to reconnect back to their network.
That way the attack becomes less effective.

Anyway, if you don't go with wpa_cli I think it is a big mistake, and like kcdtv said, "wpa_cli is the way"

haha maybe, but I am looking for a new way to do it using monitor mode




-1 The version of hostbase for wifislax is completely outdated. Since that time I made a lot of changes to improve channel hopping and it works fine now.
-2 You are confused here. wps_pbc works only when the fake AP with WPA encryption is launched to let the victim connect to us; then, when a client connects to the fake AP, the deauth stops and wps_pbc against the target AP begins.

Hmm, so... can I use the latest version of hostbase that's not for wifislax on wifislax or not?
Also, how did you get the channel hopping to work using only two adapters... can you explain the logic you used?

Also, again about "the fake AP with WPA encryption": if we go this road, then using

Hacking Wi-Fi with cached JavaScript Via Browsers Cache Poisoning

is much, much more effective.

So..... the deauth stops when the client connects to us... right?
Then what if the client disconnects?
Or what if the channel changes while he is connected to us?
How will mdk3 start again after the 10 minutes have passed?



-1 The hostbase WPS phishing attack can be done with one adapter only if the target AP is on the 2.4GHz frequency. Now in 2022 a lot of APs have two frequencies, one in 2.4GHz and one in 5GHz. We can't do a good deauth on both frequencies with the same adapter, so we need 2 adapters at least. In my personal experience I use 3 adapters: one for the fake AP, a second for the deauth on the 2.4GHz frequency and a third for the deauth on the 5GHz frequency.


-2 In my own experience (I like to spend my time testing things) you can't launch the fake AP on the same channel as the real AP, because if you want to do an efficient deauth, the channel of the fake AP, which is the same channel as the real AP, will be saturated at the same time and the victim can't join the fake AP.


-3 The best for testing channel hopping is wash; I was using airodump-ng before, but finally I use wash. Also, we don't need to restart the fake AP at all; trust me, in the majority of cases users don't shut down their APs.

1. So.... if the network is 2.4GHz only... can the hostbase WPS phishing attack be done with one adapter + channel hopping?

2. Why? Every single evil twin tool/script out there launches the fake AP on the same channel as the real AP with no problem whatsoever.
Check airgeddon/Fluxion/Wifiphisher.

3. How is wash better? And I didn't say shut down but restart.... when they restart their AP they expect the network to disappear from the networks list for a while, then appear again... but when
they see that the network is still there, they will know that something is wrong and the wifi isn't coming from their router!


In your previous post you mentioned that:


The problem with this is that not all networks have Win10 devices connected to them,
which means we have to set the network to open,
which means that any device would connect to it,
not just the target devices;
that way we can't count on the connection of the device to our fake AP to determine if we should stop the deauth or not.

Also, mdk4 has a client whitelist option, if that helps.


I'm working on the next version of hostbase, but I have little time to maintain my project... I agree with you, but making the networks open means we have to take care of who is connected to it. For this reason I made MAC filters directly through hostapd, and if two clients are connected, the deauth stops and we send wps_pbc to the target AP.


https://zupimages.net/up/22/04/buaw.png

That would have been useful before 2018, before Android and iOS added MAC address randomization by default, and Windows too... now it's pretty useless, so....


To sum up, from what I see you have good ideas, but you need to test yourself in a terminal all the things you want to do before going with hostbase or wifiphisher....

Haha, thanks.

And you haven't even seen this list, where I mentioned the most crazy wifi hacking ideas in existence I could think of.
The one I like most of them is the WiFi manager phishing page,
where we create a wifi manager captive portal
based on the user agent of the connected device.

This way they get fooled and think that they are still in the password entry screen, even though they are in the captive portal.
Ex. for Samsung:

Also, me and a friend were planning on creating a full-blown
evil twin project that exploits the routers of the targets instead,
by making them disconnect as soon as the captive portal page loads... so this way they connect back to their network with the page still open, which in turn logs in to the router and sends us the password back.

And we were designing it to work in a general way on most of the routers, using iframes and the Google autofill input bars trick, unlike dribble, which works for certain routers only and needs the user to visit an HTTP page.
But we stopped, since we needed help working on it.



Also, about the last part of my last post:

You can get the exact router model from WPS, or using the Fing wifi scanner app, or the 3wifi model detection option,

or even make the attack in two parts: one for grabbing the page and sending it back to us for the purpose of detecting which model it is,

and the second to make a new page with a JS payload that fits the router model, to exploit it using some bug or default login!

The one I like most of them is the WiFi manager phishing page,
where we create a wifi manager captive portal
based on the user agent of the connected device.

This way they get fooled and think that they are still in the password entry screen, even though they are in the captive portal.
Ex. for Samsung:


Wifiphisher already has one for Windows

And another for iOS


And another for macOS



But none for Android!

That would have been useful before 2018, before Android and iOS added MAC address randomization by default, and Windows too... now it's pretty useless, so....


This problem could be fixed if you were able to apply

some of these anti-MAC-address-randomization methods,

but it's too complicated.

https://petsymposium.org/2021/files/pap … 1-0042.pdf

#13 Re: Ethical wireless hacking: Alternative methods » A possible improvement to the WPS PBC hack » 27-01-2022 19:38:58

kcdtv wrote:

Nah, wpa_cli is troublesome; I recommend using the OneShot Python script, it's easier to use and prints the password automatically.

Nah, you
oneshot.py (an original creation of our colleague, and member of our forum, rofl0r) is a "wrapper" for wpa_supplicant and its interactive command line (cli) wpa_cli.

https://www.wifi-libre.com/img/members/3/oneshot_1.jpg

Oh boy! Looks like I missed a lot haha

But to be honest, the original from rofl0r doesn't have nor support PBC;

only the one from drygdryg does.

And still, oneshot is quicker than doing it the manual way.

I would have used kcdtv/PBC, but the problem is that... it does it on all channels,

while I want it to only scan on a single channel and proceed to try to connect only if the PBC press has been detected in monitor mode, without NetworkManager. This way it can be used beside other attacks like hostbase.

So this would be a better method; it's better than the method hostbase uses! That's why I came here and made this post.
The hostbase method would make it troublesome to have mdk3 and a rogue AP using only two adapters
while supporting channel hopping for mdk3,
as how will wpa_cli wps_pbc detect if the button was pushed or not without stopping mdk3?
We have to be able to have an indicator that tells if the button was pushed or not by just monitoring passively. This way we can do the whole attack
with only two or one adapters, without needing to stop mdk3 for more than 5 seconds,
and this is the exact opposite of what hostbase does.

#!/bin/bash
wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 > file.txt &
PIDOFWASH=$!
until grep -q '"wps_device_password_id" : "0004"' file.txt; do
    sleep 1
done
echo found
kill "${PIDOFWASH}"
sleep 2
sudo python3 /root/OneShot-master/oneshot.py -i wlan0mon --pbc

I am looking for a way to join the script above
with mdk3 with channel hopping + fake AP,
only using two adapters.

Do you know how?


Looks like I came late into the scene.

Also, is there a way to do wpa_cli wps_pbc in monitor mode?

I suggested to rofl0r to add it to Reaver, issue number 107; before I opened that issue, wash wasn't able to detect if the button had been pushed or not. They just added showing wps_device_password_id in the JSON mode of wash.


I am the one who suggested PBC phishing to wifiphisher years ago, but it doesn't actually work haha

I am currently looking for a way to pull off an evil twin with channel hopping + PBC using only a single adapter.

Also, how does wpa_cli wps_pbc work? Does it work the same way as

timeout 10s wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 | grep -q "wps_device_password_id" && echo Pushed || echo NotPushed

or... ?

#14 Re: Ethical wireless hacking: Alternative methods » A possible improvement to the WPS PBC hack » 26-01-2022 19:31:38

kcdtv wrote:

Two different things here:
  - The while loop (Python) is to send (through wpa_cli) a PBC connection request

But that isn't a good idea when mdk3 is deauthing the target network!

- The if condition (bash) is to scan the devices (through wash)

This option is better. That way we can send a connection request only if the PBC is activated! So mdk3 won't be an issue when checking; we kill it after we detect the button push in the probe requests.

The "method" is to send the PBC request through wpa_cli in both cases.


Nah, wpa_cli is troublesome; I recommend using the OneShot Python script, it's easier to use and prints the password automatically.

Start WPS push button connection:

sudo python3 oneshot.py -i wlan0mon --pbc

So we use it like this:

#!/usr/bin/env python3
# Usage: washwrapper.py -j -i wlan0mon -c 6 -b XX:XX:XX:XX:XX:XX
import os
import subprocess
import sys

# Forward our own arguments to wash, replacing argv[0] with the wash binary
argv = list(sys.argv)
argv[0] = 'wash'
proc = subprocess.Popen(argv, stdout=subprocess.PIPE, text=True)
while True:
    line = proc.stdout.readline()
    if line == '':  # EOF: wash has exited
        break
    print(line, end='')
    # Device Password ID 0x0004 in wash's JSON output means the AP advertises PBC mode
    if '"wps_device_password_id" : "0004"' in line:
        proc.terminate()
        os.system("sudo python3 /root/OneShot-master/oneshot.py -i wlan0mon --pbc")
        break

Koala wrote:

More details about the Ruby code used in hostbase; I commented it for you:


wpacli = Thread.new do # here we create a new thread called "wpacli"; we can run it in the background, which is more efficient than having a lot of windows on the same screen
  while true  # the beginning of the loop
    system "xterm -e wpa_cli wps_pbc #{$apmac}"  # the command executed by the thread: the wpa_cli command to launch every 120 seconds
    sleep(120)  # the time before the loop repeats
  end  # the end of the loop
end  # the end of the thread block

Oh, thanks a lot for commenting it for me. But again, the same as I replied to kcdtv: it's not efficient to use wpa_cli wps_pbc with mdk3, as we would have to use only one of them at a time but not
both! And the fact that wpa_cli wps_pbc would result in a fixed channel error, while we can easily use mdk3 + wash, because wash wouldn't have to try to connect to check if the button was pushed or not, but monitors the traffic passively, and we can specify the channel in wash; that way we won't get the fixed channel error.


In my oldest version of hostbase the bash code is the following:


while : ; do
    xterm -e wpa_cli wps_pbc ${BSSID} ; sleep 120
done &
echo $! >/tmp/wpacliactu.pid

The bash code above does exactly the same thing as the Ruby code I explained. Don't forget to kill the PID generated by wpa_cli.


Before going to test some tools, I strongly recommend you understand how wpa_cli works.


Also, wpa_cli has an interactive command line to do everything you want to do

I still don't understand why you would use wpa_cli to check if the button was pushed or not, while it's stated in the Wi-Fi Protected Setup Specification (@Patcher linked me to it, and told me that he uses that method with the waircut PBC option):

The AP informs Enrollees that the Selected Registrar is in PBC mode using Probe Response messages

The Enrollee performs this scan by sending out probe requests with a Device Password ID indicating that the Enrollee is in PBC mode and receiving probe responses indicating a Selected Registrar with a PBC Device Password ID.

When an AP receives a Selected Registrar and Device Password ID indicating PBC mode from a Registrar, it MUST automatically remove this information and no longer include it in probe responses after an interval of Walk Time has elapsed. Before the Registrar’s button is pushed, the AP shall not advertise any active PBC state.

And from another WPS document, titled "Wireless LAN PCI Card User Manual V1.1":

Device Password ID: Indicates the method or identifies the specific password that the selected Registrar intends to use. An AP in PBC mode must indicate 0x0004 within the two-minute Walk Time.

That way, using

timeout 10s wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 | grep -q "wps_device_password_id" && echo Pushed || echo NotPushed

is more than enough to check if the button was pushed or not.



I also tested the latest hostbase wifislax version,

and the channel hopping wasn't working at all!

How is it supposed to be able to check the channel change while it's running wpa_cli wps_pbc whenever it's not deauthing using mdk3!

Also, the fact that the latest version would only work if the target network has a laptop connected to it... is so annoying.... Like, most of the networks have mobile phones only connected to them and rarely is there any laptop!


Also, if the target network had a laptop on it, it would be super easy to hack the network with no phishing at all!
Using this method:

Hacking Wi-Fi with cached JavaScript Via Browsers Cache Poisoning

I would also like to add that the whole hostbase WPS phishing attack can be done using only a single adapter!

  • We launch the fake AP on the same channel as the original network

  • We run mdk4 -b target mac -c channel

  • We run wash | grep -q "wps_device_password_id"; if the button was pushed, then we kill everything and use oneshot to connect

  • Run something like airodump-ng on the target AP with the channel it already found, to monitor for channel change

  • Then, if airodump-ng can no longer detect/find the AP on that channel, it kills mdk4 and the fake AP & wash and then starts looking for the AP on other channels

  • And after finding the new channel, it restarts mdk4 & fake AP & wash with the new channel provided to it as an argument

  • Then airodump-ng starts monitoring the target on that channel again, to look for a possible channel change

As a bonus, now the fake AP is stealthy and won't get the user suspicious when he shuts down the router and still sees the fake AP network not disappearing.

What do you think?
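As an added example (not code from the thread, from hostbase or from wash), here is the passive check discussed above written out with the Device Password ID values from the WPS spec: only 0x0004 marks the push-button Walk Time, while a record with wps_selected_registrar set but a PIN-type Device Password ID is exactly what a grep on wps_selected_registrar alone mistakes for a button push. The wash field names are assumed from the lines quoted in the thread and the sample output is constructed.

```python
import json

# WPS Device Password ID values from the Wi-Fi Simple Configuration spec.
# Only 0x0004 means the AP is advertising push-button (PBC) mode.
DEVICE_PASSWORD_IDS = {
    0x0000: "Default (PIN)",
    0x0001: "User-specified",
    0x0002: "Machine-specified",
    0x0003: "Rekey",
    0x0004: "PushButton",
    0x0005: "Registrar-specified",
}
PBC = 0x0004


def device_password_id(record):
    """Return the Device Password ID of one wash record as an int, or None.

    Assumption: wash -j emits the attribute as a hex string such as "0004",
    which is the form the grep pattern in the thread matches on.
    """
    raw = record.get("wps_device_password_id")
    if raw is None:
        return None
    try:
        return int(str(raw), 16)
    except ValueError:
        return None


def classify(record):
    """Classify what one AP record advertises about its WPS registrar.

    'pbc'            Device Password ID 0x0004: the button was pushed and the
                     Walk Time window is open.
    'registrar-pin'  Selected Registrar set, but with a PIN-type Device
                     Password ID; matching on wps_selected_registrar alone
                     reports this as a push (the false positive in the thread).
    'idle'           No active registrar advertised.
    """
    selected = str(record.get("wps_selected_registrar", "")).lower() in ("true", "1", "yes")
    pw_id = device_password_id(record)
    if pw_id == PBC:
        return "pbc"
    if selected:
        return "registrar-pin"
    return "idle"


def watch_bssid(json_lines, bssid):
    """Walk wash -j output lines and return the latest state seen for one
    BSSID ('pbc', 'registrar-pin', 'idle') or 'not-seen'.

    Lines that are not JSON (banners, warnings) are skipped, which a plain
    grep over the output file does not do.
    """
    state = "not-seen"
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if str(record.get("bssid", "")).lower() != bssid.lower():
            continue
        state = classify(record)
    return state


# Constructed sample in the shape of wash -j output (field names taken from
# the thread, values invented): one AP seen idle, then with a PIN registrar
# selected, then inside the push-button Walk Time; plus an unrelated AP.
SAMPLE_WASH_OUTPUT = [
    '{"bssid" : "AA:BB:CC:DD:EE:01", "essid" : "Home-1", "channel" : 8, '
    '"wps_selected_registrar" : "False", "wps_device_password_id" : "0000"}',
    '{"bssid" : "AA:BB:CC:DD:EE:01", "essid" : "Home-1", "channel" : 8, '
    '"wps_selected_registrar" : "True", "wps_device_password_id" : "0000"}',
    '[!] constructed non-JSON status line, must be skipped',
    '{"bssid" : "AA:BB:CC:DD:EE:01", "essid" : "Home-1", "channel" : 8, '
    '"wps_selected_registrar" : "True", "wps_device_password_id" : "0004"}',
    '{"bssid" : "AA:BB:CC:DD:EE:02", "essid" : "Other", "channel" : 1, '
    '"wps_selected_registrar" : "True", "wps_device_password_id" : "0000"}',
]

if __name__ == "__main__":
    for target in ("AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02", "00:11:22:33:44:55"):
        print(target, "->", watch_bssid(SAMPLE_WASH_OUTPUT, target))
    # -> pbc, registrar-pin, not-seen
```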

#15 Re: Ethical wireless hacking: Alternative methods » A possible improvement to the WPS PBC hack » 25-01-2022 18:17:54

Hello kcdtv,

Actually there is,
by using the loop:

wpacli = Thread.new do
  while true
    system "xterm -e wpa_cli wps_pbc #{$apmac}"
    sleep(120)
  end
end

Also, what method does hostbase use?

I tried to use this, but it results in false positives:

#!/bin/bash
if timeout 10s wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 | grep -q "wps_selected_registrar"; then
   echo Pushed
else
   echo NotPushed
fi

Thanks

#16 Re: Tools for WPS » Wireless Air Cut, auditing the WPS protocol on Windows » 25-01-2022 18:04:58

Patcher wrote:

I don't remember exactly, but it is described in the documents I pointed you to.

I looked at the Wi-Fi Protected Setup Specification and found that it's

Device Password ID = 0x0004

I have no idea... Signal level perhaps, or maybe you have to wait a while before starting a new connection. The pixieDust attack interrupts the protocol after receiving the M3 packet, and perhaps that interruption of the communication doesn't sit well with the AP.

Oh.

Also, can we get an "ignore WPS lock" option?

What about that?

#17 Re: Tools for WPS » Wireless Air Cut, auditing the WPS protocol on Windows » 24-01-2022 00:41:04

Patcher wrote:

The probes carry additional information indicating this state, and that is how waircut detects it. This is documented in the "Wi-Fi Protected Setup Specification".



Oh, thanks a lot, but what are the names of the elements

that indicate that the button has been pushed?


How is it able to find these probes without monitor mode?

Also, why does it fail on this AP, even though it has already found the PIN using pixie dust?



Also, can we get an "ignore WPS lock" option?

Do you know whether using a wrong WPS PIN to connect while the PBC button is pressed will succeed in connecting or not?

Like, does pressing the PBC button make the router accept any PIN?

Also, does the WPS PBC connection work even if the WPS locked status is true?

I tested it on mine and it worked. Is it normal for the WPS lock to not apply during a WPS PBC connection?

#18 Re: Tools for WPS » Wireless Air Cut, auditing the WPS protocol on Windows » 22-01-2022 23:24:32

Patcher wrote:

Perhaps the same thing is happening to you that was discussed in this other thread:
https://www.wifi-libre.com/topic-1321-w … l-pin.html

Hello @Patcher,


May I know how this works?



As it would really improve
hostbase.


Does it try to connect to all networks to see if the button is pressed, or how does it detect whether the button is pressed or not, using monitoring or... ?

Thanks

#19 Re: Ethical wireless hacking: Alternative methods » A possible improvement to the WPS PBC hack » 22-01-2022 18:56:11

Koala escribió:

I saw that wps_pbc method is becoming a real interess, i enjoy it smile

Glad that you do wink


You take my old code in ruby but you don't specify wich code mentioned above is

The code is from here

https://www.wifi-libre.com/topic-596-vu … html#p9291

For all to avoid misunderstanding : this code it's not a ruby code like the first but a python code from wifiphisher.

That way we won't need to stop the AP deauth at all

You have to take care because sometimes, if the router has been deauthed for a while, the wps_pbc connect will not work. For this reason I stop the deauth only when a client is coming to the fake AP; like that the original router has time to wake up while the victim sees the fake page, and there is more chance to get the wps_pbc connect.

The problem with this is that not all networks have Win10 devices connected to them, which means we have to set the network to open, which means that any device would connect to it, not just the target devices. That way we can't count on the connection of the device to our fake AP to determine whether we should stop the deauth or not.

Also, mdk4 has a client whitelist option, if that helps.

Instead of disconnecting all the clients, we disconnect all the clients except one (ours), so we no longer need to stop the DoS attack when the user connects to the fake AP.

Check my last reply, the one before this, about pixiewps too!

Hey, I tested the tool once again, but the deauth doesn't support channel hopping, which means it doesn't follow a channel change, so the deauth is useless!

Thanks

I think maybe it can be done using the waircut method


mooooon wrote:

We use the wifiphisher method that checks whether the PBC button is being pressed or not, without trying to connect

Thanks


or using this

wps2key.py

https://github.com/Tourountzis/wifi-pwn … wps2key.py


#20 Ethical wireless hacking: alternative methods » A possible improvement to the WPS PBC hack » 22-01-2022 02:31:26

mooooon
Replies: 19

Instead of

wpacli = Thread.new do
  while true
    # ask wpa_supplicant (via wpa_cli) to attempt a push-button connection to the target BSSID
    system "xterm -e wpa_cli wps_pbc #{$apmac}"
    sleep(120)   # wait two minutes before the next attempt
  end
end

We use the wifiphisher method that checks whether the PBC button is being pressed or not, without trying to connect

while isinstance(elt_section, dot11.Dot11Elt):
    # check if the WPS IE exists: vendor-specific IE (ID 221) whose payload starts with
    # the Microsoft OUI 00:50:F2 followed by type 4 (WPS); "\x00P\xf2\x04" is that prefix
    # as a Python 2 str (on Python 3 the scapy info field is bytes, so use b"\x00P\xf2\x04")
    if elt_section.ID == 221 and \
            elt_section.info.startswith("\x00P\xf2\x04"):

That way we won't need to stop the AP deauth at all

@Kcdtv what do you think?

Also

There is no need for this

Kcdtv wrote:

He gets up to reach the router and activate WPS PBC.
Then he returns to his chair to press the button on the dongle that plays the victim.
When he sits down again it is too late: the "attacker" computer is already connected and pressing the button from the victim is useless.


and this too

Kcdtv wrote:

The important thing is to arrive first: if the intruder's connection request is received before the legitimate client's, the intruder connects to our network and obtains the WPA key.
The vulnerability is based on the time interval a human needs to press a button.
It is at once very simple and relentless: a machine sending requests in a loop will always be faster than a human.

As pixiewps supports the -7 option:

This option requires the attribute encrypted settings found in M7 when the Registrar proved knowledge of the PIN, and the Access Point, the Enrollee, sends its current network configuration.
This feature can be used to crack the WPA-PSK (and WPS PIN) from a passive packet capture (e.g. sniffing a PBC session).

Source :

there's currently no code in wash or similar tools to know whether the button was pushed.
you just got to be lucky and have a packet capture running while someone submits M1-M7 with the AP, so you can extract all parameters needed for https://camo.githubusercontent.com/18d3 … 672e706e67 from wireshark.


which means it can extract the password by just running airodump-ng on a network while someone connects to it using the PBC method.

That way, there is no need to be the first or anything.

What do you think, is it worth a post update?

Thanks
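As an added example (not code from wifiphisher, waircut or hostbase), here is a stand-alone parser for the WPS information element that answers the "which elements indicate the button was pushed?" question from the Wireless Air Cut thread and mirrors the wifiphisher check above: it decodes the TLV attributes the Wi-Fi Protected Setup Specification defines inside the vendor-specific IE 221 and reports whether an AP is advertising an open push-button session (Selected Registrar set and Device Password ID = PushButton) and whether it reports AP Setup Locked. The attribute IDs are from the specification; the sample IE bytes are constructed, not captured.

```python
import struct

# Vendor-specific IE (ID 221) payload prefix: Microsoft OUI 00:50:F2, type 4 = WPS.
# This is the same prefix wifiphisher matches as "\x00P\xf2\x04".
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"

# Attribute IDs from the Wi-Fi Protected Setup Specification (big-endian TLVs)
ATTR_WPS_STATE = 0x1044            # 1 = not configured, 2 = configured
ATTR_SELECTED_REGISTRAR = 0x1041   # 1 while a registrar session (e.g. PBC) is open
ATTR_DEVICE_PASSWORD_ID = 0x1012   # 0x0000 = default PIN, 0x0004 = PushButton
ATTR_AP_SETUP_LOCKED = 0x1057      # 1 when the AP refuses external-registrar PIN attempts
DEVICE_PASSWORD_PBC = 0x0004


def parse_wps_ie(info: bytes) -> dict:
    """Split the info field of IE 221 into {attribute_id: value}; {} if not a WPS IE."""
    if not info.startswith(WPS_OUI_TYPE):
        return {}
    attrs, pos = {}, len(WPS_OUI_TYPE)
    while pos < len(info):
        if pos + 4 > len(info):
            raise ValueError("truncated WPS attribute header")
        attr_id, length = struct.unpack(">HH", info[pos:pos + 4])
        pos += 4
        if pos + length > len(info):
            raise ValueError("WPS attribute runs past the end of the IE")
        attrs[attr_id] = info[pos:pos + length]
        pos += length
    return attrs


def pbc_state(info: bytes) -> dict:
    """Summarise what a beacon/probe response says about WPS push-button state."""
    attrs = parse_wps_ie(info)
    if not attrs:
        return {"wps": False}
    selected = attrs.get(ATTR_SELECTED_REGISTRAR) == b"\x01"
    pw_id = attrs.get(ATTR_DEVICE_PASSWORD_ID)
    pw_id = struct.unpack(">H", pw_id)[0] if pw_id and len(pw_id) == 2 else None
    return {
        "wps": True,
        "pbc_active": selected and pw_id == DEVICE_PASSWORD_PBC,
        "setup_locked": attrs.get(ATTR_AP_SETUP_LOCKED) == b"\x01",
    }


# Constructed sample IE payloads (not captured from a real AP): an AP whose button was
# just pushed, and an idle AP that reports AP Setup Locked.
SAMPLE_PBC_IE = (WPS_OUI_TYPE + b"\x10\x4a\x00\x01\x10" + b"\x10\x44\x00\x01\x02"
                 + b"\x10\x41\x00\x01\x01" + b"\x10\x12\x00\x02\x00\x04"
                 + b"\x10\x57\x00\x01\x00")
SAMPLE_IDLE_IE = (WPS_OUI_TYPE + b"\x10\x4a\x00\x01\x10" + b"\x10\x44\x00\x01\x02"
                  + b"\x10\x57\x00\x01\x01")
```

Feeding the `info` field of each `Dot11Elt` with `ID == 221` from a beacon or probe response into `pbc_state()` gives the same passive view of the AP's state that the thread attributes to waircut, without any connection attempt.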

#21 Re: General questions and comparisons » which one of these wireless adapters is the best in terms of range ? » 06-06-2019 23:52:44

usuariodewifilibre wrote:

This TOTOLINK A2000UA is compatible for audits and has removable antennas; it is compatible with dual band.
If you have problems with the drivers in Kali, try this:

There will be a window in console

sudo apt install realtek-rtl88xxau-dkms

So you are recommending the A2000UA?
In terms of range and speed? And injection, of course.

#24 Re: Ethical wireless hacking: alternative methods » How can I do DNS rebinding using the evil twin? » 28-05-2019 08:39:17

Betis-Jesus wrote:

Hi, sorry for the delay, I hadn't seen the message.

CORS headers are normally handled by the browser, and if the origin server has CORS implemented, it expects CORS headers in order to download the requested object.

In your case I don't think the remote host needs those CORS headers, but since you are using curl there is no browser involved; in that case you have to send the CORS headers yourself from curl.

To clear up the doubt, you can send a request with curl to the remote host to see if it sends you CORS information, and look at the remote host's response to see what kind of CORS headers you should send it.

Regards


Hi, I changed the web page provider and now I no longer get this ... but now the page does not finish loading.
If you could take a look at this  https://www.reddit.com/r/HowToHack/comm … ocking_to/   I would appreciate it.
"To clear up the doubt, you can send a request with curl to the remote host to see if it sends you CORS information, and look at the remote host's response to see what kind of CORS headers you should send it."
The problem is that the server, or the destination, is the router, so I don't know how the CORS requests will work.

#25 Re: Ethical wireless hacking: alternative methods » How can I do DNS rebinding using the evil twin? » 24-05-2019 22:04:42

Betis-Jesus wrote:

Why don't you post the code of login4.php here, and on the other hand read a little about the subject of CORS.

Regards


So, how can I use the CORS headers? Is the problem with login4.php and the mooooon.epizy.com domain?

Does this require the CORS headers to also be on the requested host?
