Menu
What's new
By:
Filters Better Search

RT-AC87U vulnerability 380.65

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

F

farmacevt55

New Around Here
Hi, guys! I found vulnerability in RT-AC87U router insertion. WPS is disconnected. But when using wifislax and the Wifite2 program I see that wps is disconnected only at 2.4 GHz. WPS of 5 GHz works and this vulnerability is successfully operated. I received the password of wpa2 in open form. I apply screenshots and the part of the log. If necessary, provide a full log for the current day.
In attempt of a deatuntefikation of clients and receipts of the file of handshake of wi-fi the network in general became open. Wpa2 was transformed to open network.


Feb 27 10:11:33 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:11:33 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:11:34 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) b0:e2:35:7d:f7:2d
Feb 27 10:11:34 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:11:34 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:11:34 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.195 b0:e2:35:7d:f7:2d RedmiNote3-Redmi
Feb 27 10:11:50 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:11:50 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:11:51 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:11:51 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:11:59 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) b0:e2:35:7d:f7:2d
Feb 27 10:11:59 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:11:59 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:11:59 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.195 b0:e2:35:7d:f7:2d RedmiNote3-Redmi
Feb 27 10:12:02 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:12:02 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) b0:e2:35:7d:f7:2d
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.195 b0:e2:35:7d:f7:2d RedmiNote3-Redmi
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) 64:cc:2e:ea:07:ad
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.26 64:cc:2e:ea:07:ad
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.26 64:cc:2e:ea:07:ad
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.26 64:cc:2e:ea:07:ad RedmiNote3-Redmi
Feb 27 10:12:17 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:12:17 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:12:18 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:12:18 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.195 b0:e2:35:7d:f7:2d RedmiNote3-Redmi
Feb 27 10:12:28 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) 64:cc:2e:ea:07:ad
Feb 27 10:12:28 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.26 64:cc:2e:ea:07:ad
Feb 27 10:12:28 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.26 64:cc:2e:ea:07:ad
Feb 27 10:12:28 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.26 64:cc:2e:ea:07:ad RedmiNote3-Redmi
Feb 27 10:12:28 rc_service: httpd 448:notify_rc restart_wireless
Feb 27 10:12:30 kernel: UFFP entry not found
Feb 27 10:12:30 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:12:30 kernel: device eth1 left promiscuous mode
Feb 27 10:12:30 kernel: br0: port 2(eth1) entering disabled state
Feb 27 10:12:30 kernel: Hooks already unregistered
Feb 27 10:12:30 kernel: Hooks already unregistered
Feb 27 10:12:30 snooper: terminated with signal 15
Feb 27 10:12:32 kernel: wl_module_init: passivemode set to 0x0
Feb 27 10:12:32 kernel: wl_module_init: igs set to 0x0
Feb 27 10:12:32 kernel: wl_module_init: txworkq set to 0x1
Feb 27 10:12:32 kernel: eth1: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)
Feb 27 10:12:39 kernel: device eth1 entered promiscuous mode
Feb 27 10:12:39 kernel: br0: topology change detected, propagating
Feb 27 10:12:39 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:12:39 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:12:45 kernel: Interface wifi0 doesn't exist
Feb 27 10:12:45 snooper: started on vlan1@br0
Feb 27 10:12:57 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:12:57 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:13:13 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) b0:e2:35:7d:f7:2d
Feb 27 10:13:13 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:13:13 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:13:13 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.195 b0:e2:35:7d:f7:2d RedmiNote3-Redmi
Feb 27 10:13:33 rc_service: httpd 448:notify_rc reset_wps
Feb 27 10:13:34 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:13:34 kernel: device eth1 left promiscuous mode
Feb 27 10:13:34 kernel: br0: port 2(eth1) entering disabled state
Feb 27 10:13:34 kernel: Hooks already unregistered
Feb 27 10:13:34 snooper: terminated with signal 15
Feb 27 10:13:34 kernel: Hooks already unregistered
Feb 27 10:13:36 kernel: wl_module_init: passivemode set to 0x0
Feb 27 10:13:36 kernel: wl_module_init: igs set to 0x0
Feb 27 10:13:36 kernel: wl_module_init: txworkq set to 0x1
Feb 27 10:13:36 kernel: eth1: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)
Feb 27 10:13:36 start_ap: No security in use
Feb 27 10:13:39 rc_service: httpd 448:notify_rc restart_wireless
Feb 27 10:13:39 rc_service: waitting "reset_wps" via httpd ...
Feb 27 10:13:40 kernel: device eth1 entered promiscuous mode
Feb 27 10:13:40 kernel: br0: topology change detected, propagating
Feb 27 10:13:40 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:13:40 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:13:40 start_ap: No security in use
Feb 27 10:13:43 kernel: Interface wifi0 doesn't exist
Feb 27 10:13:43 snooper: started on vlan1@br0
Feb 27 10:13:49 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:13:49 kernel: device eth1 left promiscuous mode
Feb 27 10:13:49 kernel: br0: port 2(eth1) entering disabled state
Feb 27 10:13:50 kernel: Hooks already unregistered
Feb 27 10:13:50 snooper: terminated with signal 15
Feb 27 10:13:50 kernel: Hooks already unregistered
Feb 27 10:13:52 kernel: wl_module_init: passivemode set to 0x0
Feb 27 10:13:52 kernel: wl_module_init: igs set to 0x0
Feb 27 10:13:52 kernel: wl_module_init: txworkq set to 0x1
Feb 27 10:13:52 kernel: eth1: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)
Feb 27 10:13:52 start_ap: No security in use
Feb 27 10:13:55 kernel: device eth1 entered promiscuous mode
Feb 27 10:13:55 kernel: br0: topology change detected, propagating
Feb 27 10:13:55 kernel: br0: port 2(eth1) entering forwarding state
 
One thing I noticed when testing this out is if you go in and enable the WPS and click the Reset button beside Configured that it resets the Wireless settings back to factory defaults (at least on my AC87U).
 
[QUOTE = "Zirescu, должность: 310786, член: 21668"] Одна вещь, которую я заметил при тестировании на это, если вы идете в и включите WPS и нажмите кнопку сброса рядом Сконфигурирован, что он сбрасывает настройки беспроводной сети обратно к заводским установкам по умолчанию ( по крайней мере, на моем AC87U). [/ QUOTE]
Yes, perhaps I pressed this button when I configured the WPS settings.
Clicking of this button, really leads to reset of all wireless network setups ((
 
farmacevt55 said:
Hi, guys! I found vulnerability in RT-AC87U router insertion. WPS is disconnected. But when using wifislax and the Wifite2 program I see that wps is disconnected only at 2.4 GHz. WPS of 5 GHz works and this vulnerability is successfully operated. I received the password of wpa2 in open form. I apply screenshots and the part of the log. If necessary, provide a full log for the current day.
In attempt of a deatuntefikation of clients and receipts of the file of handshake of wi-fi the network in general became open. Wpa2 was transformed to open network.


Feb 27 10:11:33 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:11:33 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:11:34 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) b0:e2:35:7d:f7:2d
Feb 27 10:11:34 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:11:34 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:11:34 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.195 b0:e2:35:7d:f7:2d RedmiNote3-Redmi
Feb 27 10:11:50 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:11:50 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:11:51 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:11:51 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:11:59 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) b0:e2:35:7d:f7:2d
Feb 27 10:11:59 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:11:59 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:11:59 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.195 b0:e2:35:7d:f7:2d RedmiNote3-Redmi
Feb 27 10:12:02 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:12:02 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) b0:e2:35:7d:f7:2d
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.195 b0:e2:35:7d:f7:2d RedmiNote3-Redmi
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) 64:cc:2e:ea:07:ad
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.26 64:cc:2e:ea:07:ad
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.26 64:cc:2e:ea:07:ad
Feb 27 10:12:13 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.26 64:cc:2e:ea:07:ad RedmiNote3-Redmi
Feb 27 10:12:17 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:12:17 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:12:18 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:12:18 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.195 b0:e2:35:7d:f7:2d RedmiNote3-Redmi
Feb 27 10:12:28 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) 64:cc:2e:ea:07:ad
Feb 27 10:12:28 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.26 64:cc:2e:ea:07:ad
Feb 27 10:12:28 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.26 64:cc:2e:ea:07:ad
Feb 27 10:12:28 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.26 64:cc:2e:ea:07:ad RedmiNote3-Redmi
Feb 27 10:12:28 rc_service: httpd 448:notify_rc restart_wireless
Feb 27 10:12:30 kernel: UFFP entry not found
Feb 27 10:12:30 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:12:30 kernel: device eth1 left promiscuous mode
Feb 27 10:12:30 kernel: br0: port 2(eth1) entering disabled state
Feb 27 10:12:30 kernel: Hooks already unregistered
Feb 27 10:12:30 kernel: Hooks already unregistered
Feb 27 10:12:30 snooper: terminated with signal 15
Feb 27 10:12:32 kernel: wl_module_init: passivemode set to 0x0
Feb 27 10:12:32 kernel: wl_module_init: igs set to 0x0
Feb 27 10:12:32 kernel: wl_module_init: txworkq set to 0x1
Feb 27 10:12:32 kernel: eth1: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)
Feb 27 10:12:39 kernel: device eth1 entered promiscuous mode
Feb 27 10:12:39 kernel: br0: topology change detected, propagating
Feb 27 10:12:39 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:12:39 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:12:45 kernel: Interface wifi0 doesn't exist
Feb 27 10:12:45 snooper: started on vlan1@br0
Feb 27 10:12:57 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.166 b0:e2:35:33:f4:2c
Feb 27 10:12:57 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.166 b0:e2:35:33:f4:2c Redmi3-Redmi
Feb 27 10:13:13 dnsmasq-dhcp[441]: DHCPDISCOVER(br0) b0:e2:35:7d:f7:2d
Feb 27 10:13:13 dnsmasq-dhcp[441]: DHCPOFFER(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:13:13 dnsmasq-dhcp[441]: DHCPREQUEST(br0) 192.168.2.195 b0:e2:35:7d:f7:2d
Feb 27 10:13:13 dnsmasq-dhcp[441]: DHCPACK(br0) 192.168.2.195 b0:e2:35:7d:f7:2d RedmiNote3-Redmi
Feb 27 10:13:33 rc_service: httpd 448:notify_rc reset_wps
Feb 27 10:13:34 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:13:34 kernel: device eth1 left promiscuous mode
Feb 27 10:13:34 kernel: br0: port 2(eth1) entering disabled state
Feb 27 10:13:34 kernel: Hooks already unregistered
Feb 27 10:13:34 snooper: terminated with signal 15
Feb 27 10:13:34 kernel: Hooks already unregistered
Feb 27 10:13:36 kernel: wl_module_init: passivemode set to 0x0
Feb 27 10:13:36 kernel: wl_module_init: igs set to 0x0
Feb 27 10:13:36 kernel: wl_module_init: txworkq set to 0x1
Feb 27 10:13:36 kernel: eth1: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)
Feb 27 10:13:36 start_ap: No security in use
Feb 27 10:13:39 rc_service: httpd 448:notify_rc restart_wireless
Feb 27 10:13:39 rc_service: waitting "reset_wps" via httpd ...
Feb 27 10:13:40 kernel: device eth1 entered promiscuous mode
Feb 27 10:13:40 kernel: br0: topology change detected, propagating
Feb 27 10:13:40 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:13:40 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:13:40 start_ap: No security in use
Feb 27 10:13:43 kernel: Interface wifi0 doesn't exist
Feb 27 10:13:43 snooper: started on vlan1@br0
Feb 27 10:13:49 kernel: br0: port 2(eth1) entering forwarding state
Feb 27 10:13:49 kernel: device eth1 left promiscuous mode
Feb 27 10:13:49 kernel: br0: port 2(eth1) entering disabled state
Feb 27 10:13:50 kernel: Hooks already unregistered
Feb 27 10:13:50 snooper: terminated with signal 15
Feb 27 10:13:50 kernel: Hooks already unregistered
Feb 27 10:13:52 kernel: wl_module_init: passivemode set to 0x0
Feb 27 10:13:52 kernel: wl_module_init: igs set to 0x0
Feb 27 10:13:52 kernel: wl_module_init: txworkq set to 0x1
Feb 27 10:13:52 kernel: eth1: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)
Feb 27 10:13:52 start_ap: No security in use
Feb 27 10:13:55 kernel: device eth1 entered promiscuous mode
Feb 27 10:13:55 kernel: br0: topology change detected, propagating
Feb 27 10:13:55 kernel: br0: port 2(eth1) entering forwarding state
Click to expand...
It's an already known issue that is also present in the official firmware.
Enable and then disable WPS and it will turn off for 5Ghz too.
Each time you reboot/restart the router you'll have to enable & then disable it again to turn off WPS

It's probably something related to Quantenna's SoC

Sent from SM-G935FD w/Tapatalk
 
sentinelvdx said:
It's an already known issue that is also present in the official firmware.
Enable and then disable WPS and it will turn off for 5Ghz too.
Each time you reboot/restart the router you'll have to enable & then disable it again to turn off WPS

It's probably something related to Quantenna's SoC

Sent from SM-G935FD w/Tapatalk
Click to expand...
Thanks! Now I dealt with WPS. I achieved complete switching off of WPS on both ranges.
 
That issue was already addressed now by ASUS, it will be merged on future versions together with other issues specific on RT-AC87U model like Guest Networking and others.
 
RMerlin said:
This is Asus's problem to solve, not mine. I don't have access to Quantenna's engineers to figure out what's going on.
Click to expand...
well your the closes we got to asus so my thought was to forward the message up the chain but as hggomes said they are aware and its gonna get fixed.
 
You must log in or register to reply here.

Similar threads

S
Question about security protocol used by RT-ACU86U
Replies
1
Views
318
ColinTaylor
C
bland.life
Solved RT-AC68U: no WAN, no Wifi
Replies
2
Views
565
bland.life
bland.life
M
RT-AC86U -> RT-AX86U Pro Review
Replies
17
Views
1K
Rossmon
R
A
Ting-fire device can't get DHCP addr direct from Asus router wifi...can get address from Asus router via TP-Link extender
Replies
14
Views
692
anastrophe
A
J
Compiling a extreamly basic Asus firmware stripped of every single add-on made
Replies
4
Views
1K
Hawk
Hawk
Similar threads
Thread starter Title Forum Replies Date
G Asus RT-AC87U VPN cipher AES-256-GCM Asuswrt-Merlin 10
B Static VPN route in ASUS RT-AC87u with firmware 384.13_10 Asuswrt-Merlin 0
M Missing ethctl on 380.70 Asuswrt-Merlin 3

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 888 (members: 13, guests: 875)
Top