Random pin on reboot ?

Discussion in 'Community Services' started by boosak, 1 Feb 2017.

  1. boosak

    boosak Member

    Joined:
    14 Jan 2017
    Messages:
    7
    Likes Received:
    1
    Hi,


    I'm new here and I don't know if this is the right forum. Anyway.

    Has anyone faced a network that keeps changing the PIN after a reboot?
    I have a new STC (Saudi Telecom Company) ADSL modem. It is actually an HG658 V2, and I noticed that there is no default PIN for it, not even on the back of the modem. There is only the SSID and password, but no PIN. The only way to check the PIN is from the settings, and the PIN keeps changing after a reboot, and it locks out after 3 attempts. I tried to slow down the attack by adding "-r 2:60". At first I thought it was okay and I could keep it like this, but after 9 attempts the 10th locks out, even if I leave it for 2 days. I think the limit is 10 wrong PINs, after which it locks out.
    I can make the modem reboot if I attack it with the MDK3 WIDS attack, but if it reboots then the PIN will change.

    So reaver + bully + pixie dust + empty string check... all useless.

    Changing the MAC won't help. Any ideas?

    EDIT: I forgot to mention that when I attack it with reaver 1.3 it says PIN cracked even if I put in any PIN. It will say the PIN is cracked but the password won't appear.
    --- Double Post Merged, 16 Feb 2017, Original Post Date: 1 Feb 2017 ---
    UP...
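    A registrar-side view of the behaviour boosak describes (random AP PIN on every boot, a temporary lock after a few wrong PINs, a longer lock after about ten), as an added example that is not part of this thread and not the HG658 firmware. The thresholds, the length of the temporary lock and the rule that a reboot clears the counters are assumptions taken from the posts; the checksum routine is the public WSC PIN checksum as implemented in hostapd's wps_pin_checksum().

```python
import secrets

# Added example (not from this thread): a small simulation of the registrar-side
# WPS PIN behaviour boosak reports on the HG658 V2. The lockout thresholds and
# the "reboot regenerates the PIN" rule are assumptions taken from the thread,
# not values read out of the firmware.


def wps_checksum_digit(seven_digits: int) -> int:
    """Checksum (8th) digit for a 7-digit WPS PIN body, per the WSC spec.

    Same algorithm as hostapd's wps_pin_checksum(): weight the digits 3,1,3,1,...
    from the right and pick the digit that brings the sum to a multiple of 10.
    """
    accum = 0
    n = seven_digits
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def pin_with_checksum(seven_digits: int) -> str:
    """Format a 7-digit body plus its checksum as the 8-character PIN string."""
    return f"{seven_digits:07d}{wps_checksum_digit(seven_digits)}"


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum.

    This is the check behind a "please choose a valid PIN" style rejection:
    a field of eight asterisks is simply not a PIN.
    """
    if len(pin) != 8 or not pin.isdigit():
        return False
    return pin_with_checksum(int(pin[:7])) == pin


def generate_ap_pin() -> str:
    """Fresh random AP PIN with a valid checksum (what a reboot is assumed to do)."""
    return pin_with_checksum(secrets.randbelow(10_000_000))


class WpsRegistrarSim:
    """Registrar state machine: random PIN per boot, soft and hard lockouts."""

    def __init__(self, soft_lock_after=3, soft_lock_seconds=60, hard_lock_after=10):
        self.soft_lock_after = soft_lock_after      # consecutive failures -> temporary lock
        self.soft_lock_seconds = soft_lock_seconds  # assumed length of the temporary lock
        self.hard_lock_after = hard_lock_after      # total failures -> locked until reboot
        self.reboot()

    def reboot(self) -> None:
        """Regenerate the AP PIN and clear all counters (assumed reboot behaviour)."""
        self.pin = generate_ap_pin()
        self.consecutive_failures = 0
        self.total_failures = 0
        self.locked_until = 0.0
        self.hard_locked = False

    def try_pin(self, candidate: str, now: float) -> str:
        """Register one enrollee attempt at time `now` (seconds) and report the outcome."""
        if self.hard_locked:
            return "hard-locked"
        if now < self.locked_until:
            return "locked"          # attempts during a soft lock are ignored, not counted
        if not is_valid_pin(candidate):
            return "malformed"       # wrong length / bad checksum; not counted as a guess
        if candidate == self.pin:
            self.consecutive_failures = 0
            return "success"
        self.consecutive_failures += 1
        self.total_failures += 1
        if self.total_failures >= self.hard_lock_after:
            self.hard_locked = True
            return "hard-locked"
        if self.consecutive_failures >= self.soft_lock_after:
            self.consecutive_failures = 0
            self.locked_until = now + self.soft_lock_seconds
            return "locked"
        return "fail"


def run_guesses(sim: WpsRegistrarSim, guesses, start: float = 0.0, gap: float = 1.0):
    """Feed guesses one per `gap` seconds; return the list of outcomes."""
    return [sim.try_pin(g, start + i * gap) for i, g in enumerate(guesses)]


if __name__ == "__main__":
    sim = WpsRegistrarSim()
    print("AP PIN this boot:", sim.pin)
    # Ten well-formed wrong guesses at one-second spacing: the third trips the
    # soft lock and the rest are swallowed by it, so only three count.
    wrong = [pin_with_checksum(i) for i in range(10)]
    print(run_guesses(sim, wrong))
    sim.reboot()
    print("AP PIN after reboot:", sim.pin)
```

    Running it shows why the counters matter more than the PIN space: with a ten-failure hard lock and a fresh PIN after every reboot, each boot gives an online guesser at most ten tries against ten million candidates, and forcing a reboot resets the target rather than the counter. On a real device the only setting that removes the exposure entirely is turning the WPS PIN method off and leaving PBC only, which is the mode this modem ships in.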
     
  2. meknb

    meknb Mod
    Moderator Dev Team VIP

    Joined:
    2 Jun 2012
    Messages:
    702
    Likes Received:
    178
    Is the router set to use AP-PIN in the WPS settings? Have you tried logging in using the WPS PIN with Linux? Or I use WPS Connect for Android; if it connects to the router it will reveal the password.
     
  3. boosak

    boosak Member

    Joined:
    14 Jan 2017
    Messages:
    7
    Likes Received:
    1

    It's set to PBC. I tried to set it to AP-PIN; then it shows 8 stars like this (********), and two buttons appear: one says PIN and the other says default PIN. I tried both default and PIN. When I take that PIN and try it, it works, but the problem is when I reboot the router, it will automatically change the PIN to other random numbers, so when trying the old PIN, it won't work.

    See the picture...

    Is there any way that could make reaver use ******** as the PIN? I remember someone has created a patch .diff

    He makes reaver use an empty PIN to crack the HG658b/c.
     

  4. meknb

    meknb Mod
    Moderator Dev Team VIP

    Joined:
    2 Jun 2012
    Messages:
    702
    Likes Received:
    178
    The 8 stars are just random numbers or 12345670; it's just encrypted by your browser. I think the diff is the emptystringpin.diff here, which affects a few Broadcom routers.
    If rebooted, is WPS enabled in PBC mode? I've tried a few routers which return to PBC mode on reboot, so mdk is useless for rebooting the router.
     
    #4 meknb, 18 Feb 2017
    Last edited: 18 Feb 2017
  5. lomas047

    lomas047 Active Member

    Joined:
    12 Feb 2017
    Messages:
    10
    Likes Received:
    4
    Log in to your router using SSH, then chmod the .diff file to read-only.
     
  6. meknb

    meknb Mod
    Moderator Dev Team VIP

    Joined:
    2 Jun 2012
    Messages:
    702
    Likes Received:
    178
    ???????
    The .diff is for building/patching reaver.
     
  7. lomas047

    lomas047 Active Member

    Joined:
    12 Feb 2017
    Messages:
    10
    Likes Received:
    4
    Okay, sorry, but the method I use is the same. For my pentest router, an old Thomson router (now called Technicolor), I block the user file from rewriting itself when it reboots.
     
  8. boosak

    boosak Member

    Joined:
    14 Jan 2017
    Messages:
    7
    Likes Received:
    1

    Hmm... Yes, that is the diff file. And no, I don't think it's encrypted. When I click save while the PIN field is ******** it says wrong PIN, please choose a valid PIN... and it doesn't change to PBC, still AP-PIN. It seems it's highly protected against this attack :)

    Oh, I forgot: the chipset is RTL871.
    --- Double Post Merged, 18 Feb 2017, Original Post Date: 18 Feb 2017 ---

    I'm sorry but I think you misunderstood me. The .diff file is not in the router. Anyway, STC does not allow me to connect via telnet or SSH; they closed it in their firmware.
     
  9. lomas047

    lomas047 Active Member

    Joined:
    12 Feb 2017
    Messages:
    10
    Likes Received:
    4
    Your router model is not supported by OpenWrt, which could solve this problem.
     
  10. meknb

    meknb Mod
    Moderator Dev Team VIP

    Joined:
    2 Jun 2012
    Messages:
    702
    Likes Received:
    178
  11. boosak

    boosak Member

    Joined:
    14 Jan 2017
    Messages:
    7
    Likes Received:
    1

    I'm sorry but I don't know how my router being supported by OpenWrt will solve this problem?
    --- Double Post Merged, 19 Feb 2017, Original Post Date: 19 Feb 2017 ---

    Nope. My router is out of the box.
     