{"id":48,"date":"2018-03-04T19:23:16","date_gmt":"2018-03-04T18:23:16","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=48"},"modified":"2018-03-04T19:31:41","modified_gmt":"2018-03-04T18:31:41","slug":"build-a-hacking-gadget-reaverpro-p2","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=48","title":{"rendered":"Build a Hacking Gadget \u2013 ReaverPro P2"},"content":{"rendered":"<p>Once we have successfully flashed the OpenWRT firmware, we can continue by flashing the ReaverPro firmware onto the device.<\/p>\n<p>Table of Contents:<\/p>\n<ul>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=17\" target=\"_blank\" rel=\"noopener\">Build a Hacking Gadget \u2013 ReaverPro P1<\/a><\/li>\n<li>Build a Hacking Gadget \u2013 ReaverPro P2<\/li>\n<\/ul>\n<p>Let&#8217;s start:<\/p>\n<p>Extract the <a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/staging_firmware.zip\" target=\"_blank\" rel=\"noopener\">ReaverPro Firmware<\/a> to the TFTP directory. The IP address and configuration are the same as in Part 1.<\/p>\n<p>The zip file contains 3 files: ReaverPro-14.0.49.bin, staging-firmware.bin and latest.bin. We will start with ReaverPro-14.0.49.bin. 
We need staging-firmware.bin as an intermediate step so that we can successfully upgrade to the latest version.<\/p>\n<pre class=\"code\">Please choose the operation:\r\n   1: Entr boot command line interface.\r\n   2: Load system code then write to Flash via TFTP.\r\n   3: Boot system code via Flash (default).\r\n\r\nYou choosed 1\r\n\r\n 0\r\n\r\nar7240&gt; <strong>setenv serverip 192.168.1.254; setenv ipaddr 192.168.1.1\r\n\r\n<\/strong><\/pre>\n<hr \/>\n<pre class=\"code\">Verify connection to TFTP Server:\r\n\r\nar7240&gt; <strong>ping 192.168.1.254\r\n\r\n<\/strong><\/pre>\n<hr \/>\n<pre class=\"code\">ar7240&gt; <strong>tftp 0xa0800000 ReaverPro-14.049-beta.bin\r\n\r\n<\/strong><\/pre>\n<hr \/>\n<pre class=\"code\">ar7240&gt; <strong>erase 0x9f050000 +0xf60000\r\n\r\n<\/strong><\/pre>\n<hr \/>\n<pre class=\"code\">ar7240&gt; <strong>cp.b 0xa0800000 0x9f050000 0xf60000\r\n\r\n<\/strong><\/pre>\n<hr \/>\n<pre class=\"code\">Reboot Device and we should see something like this:\r\n\r\n<\/pre>\n<pre class=\"code\">[\u00a0\u00a0 19.150000] device eth0 entered promiscuous mode\r\n[\u00a0\u00a0 19.160000] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready\r\n[\u00a0\u00a0 19.170000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready\r\n[\u00a0\u00a0 22.070000] eth1: link up (100Mbps\/Full duplex)\r\n[\u00a0\u00a0 22.070000] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready\r\n[\u00a0\u00a0 33.910000] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0\r\n[\u00a0\u00a0 33.910000] jffs2_build_filesystem(): unlocking the mtd device... done.\r\n[\u00a0\u00a0 33.920000] jffs2_build_filesystem(): erasing all blocks after the end marker... 
done.\r\n[\u00a0\u00a0 75.900000] jffs2: notice: (974) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.\r\nprocd: - init complete -\r\n\r\n\r\n\r\nBusyBox v1.19.4 (2014-02-18 14:26:37 EST) built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n\r\n\r\n\r\n\u00a0(\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (\r\n\u00a0)\\ )\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 )\\ )\r\n(()\/(\u00a0\u00a0 (\u00a0\u00a0\u00a0\u00a0 )\u00a0\u00a0 )\u00a0\u00a0\u00a0\u00a0\u00a0 (\u00a0\u00a0 (\u00a0\u00a0\u00a0 (()\/( (\r\n\u00a0\/(_)) ))\\ ( \/(\u00a0 \/((\u00a0\u00a0\u00a0 ))\\\u00a0 )(\u00a0\u00a0\u00a0 \/(_)))(\u00a0\u00a0\u00a0 (\r\n(_))\u00a0 \/((_))(_))(_))\\\u00a0 \/((_)(()\\\u00a0 (_)) (()\\\u00a0\u00a0 )\\\r\n| _ \\(_)) ((_)_ _)((_)(_))\u00a0\u00a0 ((_) | _ \\ ((_) ((_)\r\n|\u00a0\u00a0 \/\/ -_)\/ _` |\\ V \/ \/ -_) | '_| |\u00a0 _\/| '_|\/ _ \\\r\n|_|_\\\\___|\\__,_| \\_\/\u00a0 \\___| |_|\u00a0\u00a0 |_|\u00a0 |_|\u00a0 \\___\/\r\n\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 reaversystems.com\r\n\r\nroot@OpenWrt:\/#\r\n\r\n<\/pre>\n<hr \/>\n<p>Connect Ethernetcable to the PoE Port. 
Open a browser and go to http:\/\/10.9.8.1<\/p>\n<p>default login: raever \/ foo<\/p>\n<p><strong><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/reaver1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-49\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/reaver1-1024x550.png\" alt=\"\" width=\"1024\" height=\"550\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/reaver1-1024x550.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/reaver1-300x161.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/reaver1-768x412.png 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/strong><\/p>\n<p>The attack web interface has a green\/black design. Under configure we can upload <strong>staging-firmware.bin<\/strong>, which is needed before we can move on to the latest firmware (otherwise it won\u2019t work). This step took some patience. 
After the reboot we can go back and upload the newest firmware <strong>latest.bin.<\/strong><\/p>\n<p>I just set up a WLAN AP with SSID: Swiss_Emmentaler<\/p>\n<p>I set WPA2 encryption with a strong password and enabled WPS<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/REaverPro1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-50\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/REaverPro1-1024x624.png\" alt=\"\" width=\"1024\" height=\"624\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/REaverPro1-1024x624.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/REaverPro1-300x183.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/REaverPro1-768x468.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/REaverPro1.png 1936w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>After 9 hours the WPS PIN was cracked \ud83d\ude42<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/Reaver_Crack.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-51\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/Reaver_Crack-1024x665.png\" alt=\"\" width=\"1024\" height=\"665\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/Reaver_Crack-1024x665.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/Reaver_Crack-300x195.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/Reaver_Crack-768x499.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/Reaver_Crack.png 1706w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>Once we have successfully flashed the OpenWRT firmware, we can continue by flashing the ReaverPro firmware onto the device. 
Table of Contents: Build a Hacking <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=48\" title=\"Build a Hacking Gadget \u2013 ReaverPro P2\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":53,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,2,3],"tags":[6,5,7],"class_list":["post-48","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-hardware","category-wi-fi","tag-openwrt","tag-reaverpro","tag-wps-cracking"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/48","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=48"}],"version-history":[{"count":1,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/48\/revisions"}],"predecessor-version":[{"id":52,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/48\/revisions\/52"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/53"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=48"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=48"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=48"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}"
,"templated":true}]}}