My hardware looks like this: a Lenovo laptop running RHEL, and Virtual Machine Manager launches a virtual machine with Kali Linux. I tried these network cards:
- TL-WN722N
- AWUS051NH
- AWUS036NH
I boot the virtual machine in live mode (I don't need persistent storage) and pass through one of these network cards at a time. With all of them I get exactly the same results.
First I run these two lines to get access via ssh, for a better terminal experience and so on.
$ sed -i -e 's/prohibit-password/yes/g' /etc/ssh/sshd_config
$ service ssh start
Diving into the network interface configuration:
root@kali:~# airmon-ng start wlan0
Found 3 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!
PID Name
963 NetworkManager
1087 dhclient
1534 wpa_supplicant
PHY Interface Driver Chipset
phy0 wlan0 rt2800usb Ralink Technology, Corp. RT3572
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
root@kali:~# iwconfig
eth0 no wireless extensions.
wlan0mon IEEE 802.11abgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
lo no wireless extensions.
root@kali:~# ifconfig wlan0mon down
root@kali:~# iwconfig wlan0mon mode monitor
root@kali:~# ifconfig wlan0mon up
root@kali:~# iwconfig
eth0 no wireless extensions.
wlan0mon IEEE 802.11abgn Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
lo no wireless extensions.
And after that, discovery:
root@kali:~# airodump-ng wlan0mon
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
XX:XX:XX:XX -80 2 0 0 1 54e WPA2 CCMP MGT NumA
XX:XX:XX:XX -28 2 0 0 6 54e WPA2 CCMP PSK NumB
XX:XX:XX:XX -81 2 0 0 11 54e WPA2 CCMP MGT NumC
root@kali:~# wash -i wlan0mon
Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212
BSSID Channel RSSI WPS Version WPS Locked ESSID
---------------------------------------------------------------------------------------------------------------
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
root@kali:~# wash -i wlan0mon -C
Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212
BSSID Channel RSSI WPS Version WPS Locked ESSID
---------------------------------------------------------------------------------------------------------------
XX:XX 1 -73 1.0 No WiA
XX:XX 6 -27 1.0 No WiB
XX:XX 11 -77 1.0 No WiC
And now the attack part:
root@kali:~# reaver -i wlan0mon -b XX:XX:XX:XX -vv
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212
[+] Waiting for beacon from XX:XX:XX:XX
[+] Switching wlan0mon to channel 1
[+] Switching wlan0mon to channel 2
[+] Switching wlan0mon to channel 3
[+] Switching wlan0mon to channel 4
[+] Switching wlan0mon to channel 5
[+] Switching wlan0mon to channel 6
[+] Switching wlan0mon to channel 7
[+] Switching wlan0mon to channel 8
[+] Switching wlan0mon to channel 11
[!] WARNING: Failed to associate with XX:XX:XX:XX (ESSID: ESSIDA)
[!] WARNING: Failed to associate with XX:XX:XX:XX (ESSID: ESSIDA)
[!] WARNING: Failed to associate with XX:XX:XX:XX (ESSID: ESSIDA)
And also using bully:
root@kali:~# bully -b XX:XX:XX wlan0mon -c 11
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'wlan0mon' to channel '11'
[!] Using 'XX:XX:XX' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from 'XX:XX:XX' on channel '11'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'TargetA' (XX:XX:XX)
[!] Creating new randomized pin file '/root/.bully/pins'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '36490264'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '36490264'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '36490264'
I know that at least 2 of my playground access points are vulnerable to the MAC-address-based attack (pixie dust, I think it's called). I've managed to crack them using a no-name Android phone. And this attack doesn't work with any combination of my network cards / any of the target access points.
There must be some setting I'm missing, or some hardware compatibility that I don't have.
I know these network cards are designed for monitor mode, and I assume they should also support WPS, but I still haven't managed it. Do I need a specific one to be able to carry out WPS attacks?