Musket Teams have ONLY come acrossW

Musket Teams have ONLY come across
Wifi Routers that lock up after 10 pin request
regardless of the mac address requesting
the pins. We began aggressively locking the
WPS systems of all Wifi Routers in range by
requesting pins till the router locked every time these routers showed an open state. To
our surprise one of the routers' key
completion jumped to 91% after a few pin
request cycles(ie 10 pins per cycle). This of
course would allow even WPS Locked
Routers to be hacked given time and patience. The rule then is to request pins
anytime they are available. We do not wish
to note the first six digits of this routers mac
address for fear software engineers who
might read this will quickly correct the flaw.
We have had reports but have never seen Wifi Routers whose WPS locking is related
to the MAC code addresses requesting the
pins. In other words, if the same mac code
address requests X number of pins the
router locks. However random mac
addesses requesting pins do not lock the router. Anyone finding a router reacting like
this should download Musket Team’s
varmacreaver.sh. You can find the link to
the varmacreaver.sh download in these
forums. This tool was originally designed for
exactly this WPS locking feature however we could never find a router that locked due
to repeated pin requests from a single mac
address only while ignoring request from
random mac addresses. Varmacreaver.sh
can be set up to constantly change the mac
address after every pin request. We have cracked WPS locked routers the
traditional way or by brute forcing the
handshake. Anytime we do this we expend
some effort trying to break the routers'
username-password with hydra or brutus.
We have had equal success by doing a man in the middle attack with Cain/XP or
ettercap. We use Netcut/XP to shut down
the ability of the user-client to access the
internet. Invariably the user logs onto the
router while the MITM is in progress and we
get their password and username thru Cain. Just have patience. You can also
intermittently disrupt their system with mdk3
or again Netcut anything that might cause
the user to turn to the router and access it.
Using Ettercap you can try and automate
this with http://forum.aircrack-ng.org/ index.php/topic,401.0.html .
Once you have access to the router go into
the firmware pages and obtain the WPS key
by reading the firmware page. Like in magic
you now have their secret name. Users
rarely change the WPS Key just the WPA password. And even a temporarily open
WPS locked Router can be cracked in less
then 10 pin requests if you have their WPS
Key. So even if they change the WPA key
you are back in within a few days as you
have their secret name. Reseting the router is not covered here as it
is being explored in a blog led by