
Looking for information on a network named NETGEAR


taco

Status: Member
Joined: Sat, 25 Feb 2017
Posts: 205
Team:
Reputation: 92 Reputation
Offline
Sat, 08 Apr 2017 @ 18:56:44

I have a cap of a network named NETGEAR with nothing following. I am familiar with networks named NETGEARXX where XX is some number. These use the adjective + noun + number keyspace. I have tried that on this cap with no luck. I also tried all 10 digits and all 8 hex. Finally I tried an 80G dictionary I typically have good luck with, but no luck there either. I am thinking either (1) this is an older router with a different keyspace or (2) this is a changed pw that I just don't have in my dictionary. Has anyone seen this router name before, and what was the keyspace? Also, I have read about rainbow tables, and since NETGEAR is very common I imagine they would exist for this; is that something to look into?

Thanks for the advice.

If anyone is interested in the cap it is posted here - https://forum.hashkiller.co.uk/topic-view.aspx?t=18476&m=128338#128338

I raised the price to 25USD in BTC for a valid password



_____________________________
CPU 1 - Celeron - 8G RAM - 4 x 1070 , 1 x 1080ti
CPU 2 - i7 4770k - 2 x 1080ti
CPU 3 - i3 6300 - 8G RAM - 5 x 1070 , 1 x 1060


Just doing it for fun and to learn...
If I helped feel free to +rep me

1Lo3q3YefT6J5yanirjKfXL2pxu15Q2uUj

shonash

Status: Member
Joined: Fri, 17 Mar 2017
Posts: 126
Team:
Reputation: 300 Reputation
Offline
Sat, 08 Apr 2017 @ 19:33:23

Your router is Netgear WNR1000 V2

Default SSID is NETGEAR (obviously not changed)
There is no default encryption or passphrase. Box ships open.

Someone has set WPA2-PSK encryption.
Passphrase could be anything.
Trying dictionary as you have is probably the best approach.

Have you tried WPS attack?
Trace shows WPS configured.
Worst thing is you will get WPS lockout, but maybe nothing to lose?


taco

Sat, 08 Apr 2017 @ 19:54:07


Locked out after about a minute :P

Thanks for the heads up, I'll keep plugging away at it then.



shonash

Sat, 08 Apr 2017 @ 20:06:11

Netgear WPS brute force protection may depend on timeout

https://kb.netgear.com/app/answers/detail/a_id/19824
(Netgear certificate error on this link, probably need to click through if browser allows)

With timeout defense, it may be possible to chip away at it over time?
The final advice from Netgear is to disable WPS PIN, but it still looks enabled on your router.

Try again after some time and see if it accepts a few more PINs.
If so, then set up something to plug away at it, ideally low power like Raspberry Pi?


taco

Sun, 09 Apr 2017 @ 06:40:28


It seems to allow about 100 attempts then lock for at least a couple weeks maybe more. I will pay more attention to it and see. Hopefully I can get the pw figured out with a dictionary and rules or something before then though!



frenchy1

Status: Cracker
Joined: Tue, 28 Jul 2015
Posts: 647
Team:
Reputation: 396 Reputation
Offline
Sun, 09 Apr 2017 @ 07:12:44

I have chipped away at these using a setting to wait for five minutes every, say, 80 PINs or so. Every router is different. Once you feel out the settings you will know. Changing your MAC address may also help.



Just a hobbyist
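
A defender-side view of the pattern this thread describes (paced WPS PIN attempts, changing source MAC addresses), as an added example that is not part of any post here: it counts failed WPS PIN attempts for the whole AP over a sliding window instead of per station. The log format, the `WPS-PIN-FAIL` tag, the thresholds and the sample data are all constructed assumptions, not any vendor's real output.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Assumed, made-up log format: "<ISO timestamp> WPS-PIN-FAIL sta=<MAC>"
LINE = re.compile(r"^(\S+) WPS-PIN-FAIL sta=([0-9a-f:]{17})$")

def parse(lines):
    """Yield (timestamp, station MAC) for each failed-PIN record."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def detect(lines, window=timedelta(hours=1), threshold=20):
    """Return (time of first AP-wide alert or None, worst per-MAC failure count)."""
    recent = deque()      # timestamps of failures inside the sliding window
    per_mac = Counter()   # what a naive per-station counter would see
    alert = None
    for ts, mac in parse(lines):
        per_mac[mac] += 1
        recent.append(ts)
        while recent[0] < ts - window:
            recent.popleft()
        if alert is None and len(recent) >= threshold:
            alert = ts
    return alert, max(per_mac.values(), default=0)

def constructed_sample():
    """Constructed data: two bursts of 80 failures, 4 s apart, with a
    5-minute pause between bursts and a new source MAC every 10 attempts."""
    t = datetime(2017, 4, 9, 7, 0, 0)
    out = []
    for burst in range(2):
        for i in range(80):
            mac = "02:00:00:00:%02x:%02x" % (burst, i // 10)
            out.append(f"{t.isoformat()} WPS-PIN-FAIL sta={mac}")
            t += timedelta(seconds=4)
        t += timedelta(minutes=5)
    return out

if __name__ == "__main__":
    alert, worst = detect(constructed_sample())
    print("AP-wide alert at", alert, "| most failures from one MAC:", worst)
```

On this sample a per-station threshold of 20 never fires, because no single MAC exceeds 10 failures, while the AP-wide count alerts within the first burst. Disabling WPS PIN, as the Netgear advice cited earlier in the thread recommends, removes the exposure altogether.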

shonash

Sun, 09 Apr 2017 @ 09:45:30

Another thing to bear in mind is that the AP has to do a big number modular exponentiation
to compute a Diffie-Hellman at every WPS attempt.

Some routers can cope with this quite easily, but others have poor implementations and
were not designed to handle repeated attempts. Those crappy routers can freeze, run
out of memory, or even crash if you pump them too hard. Once that happens, you
may have to wait for the router to be reset for some other reason.

You may need to observe the router carefully as the attack progresses for
any sign that it is unable to keep up (like times stretching out for responses to
requests).

Some routers even struggle to get beacons out if processing is overloaded.
That is a definite red flag that you need to back off.


taco

Sun, 09 Apr 2017 @ 15:58:49

It's definitely locked now, but I will try this again every couple of days to check when it unlocks. Once it is unlocked I will try it again with different parameters, like slowing down the attack speed, etc... I am already using -vv for verbose mode; are there any other parameters I should be using?




frenchy1

Sun, 09 Apr 2017 @ 23:20:46

reaver -i wlan1mon (or adapter you're using) -c 1 (channel) --recurring-delay=360:80 (or as high as you can go without locking it up) --dh-small (improves speed sometimes) -vv

Reaver's an old beast now, but I have used it against a network extender (Netgear) with luck before.



taco

Mon, 10 Apr 2017 @ 13:41:04


Check! I will try this as soon as it unlocks, as of this morning still locked... I aim to try every couple of days though to see when it unlocks, then we will try your parameters.



frenchy1

Tue, 11 Apr 2017 @ 00:23:29


If you get impatient, try mdk3

http://www.kalilinuxworld.tk/2016/03/reset-wps-lockouts-using-mdk3.html



taco

Tue, 11 Apr 2017 @ 02:03:41


Tried, but I think it failed; I hit it a lot too :/ In fact it is now still appearing in airodump, but I've noticed nothing is connected to it and no data is going through it. Normally there are several connections and lots of data all the time; not really sure what that means.


