WPS Pixie Dust Attack (Offline WPS Attack)




kcdtv
2016-02-04, 18:27
though I'm assuming hostapd and some magic could make it work.
Exactly.
For all the rest (traffic redirection, fake pages, exploits or whatever), it is possible to use the tools designed for that.
About the WPS, koala explains in his tutorial how to activate it in a loop (using hostapd) with a dirty but efficient single line:

while : ; do sudo hostapd_cli wps_pbc ; sleep 120 ; done &
That does the job: your WPS PBC is activated in a loop, ready to grab the clients.

mmusket33
2016-02-05, 02:35
MTeams has been working with RogueAP setups and WPA Phishing for over five years, starting with techdynamics' WPA phishing programs.

Any client that has a WPA key already loaded into the wifi management software for a specific ESSID cannot associate to an open RogueAP of the same name unless the client removes the WPA key from the setup.

To defeat this when WPA Phishing, the help files of MTeams' Pwnstar9.0 version, which is designed for WPA Phishing, suggest you enter an ESSID that looks the same to the human eye BUT is not the same to the computer. One way to do this is to add five to eight spaces and then a period to the ESSID, hence:

"HOMEWIFI" would be "HOMEWIFI five spaces and a period ."

If you just use spaces, some wifi management software ignores the spaces unless the spaces are between characters.

If you add too many spaces you can get strange effects in both client and RogueAP software.

Next, DDOS the targetAP and hope the client tries to associate to the RogueAP of almost the same name.

The type of DDOS may require a separate wifi device. The only DDOS that allows the device supporting the RogueAP to also perform the DDOS is mdk3 d (Deauthentication / Disassociation Amok Mode).

If you use mdk3 g or aireplay-ng -0 you need to separate the RogueAP channel by at least three channel numbers from the targetAP, and you will require a separate wifi device or you will end up DDOSing the RogueAP due to the proximity of the wifi devices.

Do not use mdk3 t (Probe) as it can crash airodump-ng and scanners.

Association: If you use a name similar to the targetAP's, the name is different to the computer, and the client's computer then associates easily as the system is open. But the client must choose to do so.

However, when the client associates and tries to call up an https address, this normally sets off a certificate warning.

To beat that, MTeams wrote an HTTPS trap feature into Pwnstar9.0. When the client requests an https address the web page is passed on without a certificate warning. When the client requests an http address the fake webpage is displayed on the client's screen.

As soxrok2212 notes, this is not as straightforward as it appears. Only a new client which has yet to input a WPA key into the wifi management software will associate easily, and even then there are problems. In the end there is a high degree of social engineering skill required to make this work. MTeams has had equal success with just leaving a RogueAP running and walking away. The next morning we find all sorts of passwords, including WPA keys, loaded in the RogueAP.

Musket Teams
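The defensive counterpart of the lookalike-ESSID trick described in the post above, added here as an example (not code from the thread or from Pwnstar): a small detector that normalizes ESSIDs from a scan list and flags open networks whose name collapses to the same string as a protected network. The scan rows and function names are constructed for the illustration.

```python
import re
import unicodedata

# Constructed scan rows (not from the thread): (essid, bssid, security).
# Row 2 is the "name plus spaces plus a period" variant described above;
# row 6 uses a non-breaking space, another way to look identical on screen.
SCAN = [
    ("HOMEWIFI",        "AA:BB:CC:00:00:01", "WPA2"),
    ("HOMEWIFI      .", "AA:BB:CC:00:00:02", "OPEN"),
    ("CoffeeShop",      "AA:BB:CC:00:00:03", "OPEN"),
    ("OfficeNet",       "AA:BB:CC:00:00:04", "WPA2"),
    ("OfficeNet",       "AA:BB:CC:00:00:05", "WPA2"),  # second legit AP / repeater
    ("Office\u00a0Net", "AA:BB:CC:00:00:06", "OPEN"),
]

# Characters that are invisible or easily overlooked in a network picker.
_JUNK = re.compile(r"[\s.\-_]+")


def normalize_essid(essid: str) -> str:
    """Collapse the tricks that make two names look alike to a human:
    Unicode lookalike forms, any whitespace (including non-breaking),
    trailing or embedded dots, dashes and underscores, and letter case."""
    s = unicodedata.normalize("NFKC", essid)
    s = _JUNK.sub("", s)
    return s.casefold()


def is_lookalike(a: str, b: str) -> bool:
    """True when two different raw ESSIDs normalize to the same string."""
    return a != b and normalize_essid(a) == normalize_essid(b)


def find_lookalikes(scan):
    """Return (protected_essid, suspect_essid, suspect_bssid) for every OPEN
    AP whose normalized name collides with a WPA/WPA2-protected network.
    A legitimate second AP with the identical protected name is not a hit."""
    protected = {}
    for essid, _bssid, sec in scan:
        if sec != "OPEN":
            names = protected.setdefault(normalize_essid(essid), [])
            if essid not in names:
                names.append(essid)
    hits = []
    for essid, bssid, sec in scan:
        if sec == "OPEN":
            for legit in protected.get(normalize_essid(essid), []):
                hits.append((legit, essid, bssid))
    return hits


if __name__ == "__main__":
    for legit, suspect, bssid in find_lookalikes(SCAN):
        print(f"open AP {bssid} named {suspect!r} looks like protected {legit!r}")
```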

scila1996
2016-02-06, 12:59
Reaver is not working with a ZTE router model. It cannot get E-HASH1 and E-HASH2. What is a way to get E-HASH1 and E-HASH2 from a ZTE router???

bob79
2016-02-06, 14:07
When I tried wifiphisher on my wireless, I noticed that my laptop won't feel any difference. My mobile phone keeps disconnecting, but always reconnects to the WPA connection, not the fake one, no matter if I use mdk3 or aireplay. It only connects to the fake one if I manually disconnect from my router, so it's unlikely that someone does that. I didn't try to come from outside though, and maybe the phone will connect first to the fake one if the signal is stronger. mmusket33 is right: maybe leaving it by itself, walking away and hoping that someone will get tricked. Lately I tried my luck with nmap since my USB antenna is almost ruined because of overusing mdk3. Reaver and bully are of no use as well since I have all new routers near, so.. (speaking the truth, I have had more success and speed retrieving the PIN with bully pixiedust and connecting through jumpstart). Until a new method, I'll stay put. Thanks for the explaining, mmusket.

eddie
2016-02-06, 14:52
If you use mdk3 g or aireplay-ng -0 you need to separate the RogueAP channel by at least three channel numbers from the targetAP, and you will require a separate wifi device or you will end up DDOSing the RogueAP due to the proximity of the wifi devices.

Do not use mdk3 t (Probe) as it can crash airodump-ng and scanners.

Thanks. What is the best tool for a deauth attack against clients in the network? Between mdk3 and aireplay-ng, which one is better and works in any situation??

helen2016
2016-02-09, 18:22
I am ok with Pixie Dust.
I have a question about consecutive cracks of the same AP within minutes resulting in different hex 64 character answers.
The game is afoot !

soxrok2212
2016-02-15, 16:37
Thanks. What is the best tool for a deauth attack against clients in the network? Between mdk3 and aireplay-ng, which one is better and works in any situation??

They're both the same.


I am ok with Pixie Dust.
I have a question about consecutive cracks of the same AP within minutes resulting in different hex 64 character answers.
The game is afoot !

Try using AAnarchYY's bully: https://github.com/aanarchyy/bully

Quest
2016-02-16, 14:38
and it's @ version 1.1 https://github.com/aanarchyy/bully not 1.0-24



*geez good thing I'm around here to check on everything, all the time*

yvette
2016-02-19, 10:13
Hi,

I have a raspberry pi B and TP-LINK WN722N usb card.

I tried reaver but I am getting pin not found.
Tried pixieWPS with all the arguments and again pin not found.

I googled to find a solution but found nothing.
Please help.

All apps are updated. I tried Kali but had issues so I decided to make my distro from Debian. Everything works fine except pixieWPS.

The router i am trying is next to the usb card and it is a TP-LINK TL-WR741ND.

kcdtv
2016-02-19, 12:19
You have to check the wifi chipset of your device. I did it for you:
http://pix.toile-libre.org/upload/original/1455884182.png
Atheros, no doubt about it.
So now you know why it doesn't work...
(A good place to have a look to get information about your device is https://wikidevi.com/wiki/TP-LINK_TL-WR741ND_v4.3)

yvette
2016-02-19, 16:08
Hi,

Thank you for the reply.
I was reading about it at the time you were posting.

1) Is it possible to find in this router the password?

2) I have another router in my house which is a ZTE Speedport Entry 2i. I opened it and inside it has this chip:
- Broadcom BCM6338
I searched for this one and didn't find anything. Does it mean that I can't use pixieWPS?

soxrok2212
2016-02-20, 00:45
Why don't you just try it and see what happens?

kcdtv
2016-02-23, 19:39
1) Is it possible to find in this router the password?

If the default password is still in use and is weak then yes, otherwise no.
But that's totally another subject than " WPS Pixie Dust Attack (Offline WPS Attack)", isn't it?

soxrok2212
2016-02-24, 22:11
Well, it's been over a year since I made this thread. 265,000 views and 13 months later, manufacturers STILL have yet to resolve this problem. Actually, the initial disclosure of the attack was published in August of 2014, meaning it has been about 18 months! This is pathetic. 18 months and this HUGE vulnerability STILL exists!

First and foremost, a big :P to all of those who said this would be a waste and it would be patched quickly.

Second, I hope I didn't say all this too soon, I just read that ASUS was sued due to some extreme vulnerabilities they had in the past few years: http://www.smallnetbuilder.com/wireless/wireless-news/32952-ftc-brings-asus-to-heel-over-router-security-flaws I guess they are dedicating a team to finding and fixing these vulnerabilities. I'm not sure what exactly they will be doing but I'm sure it will be interesting to see how it turns out!

Thanks for all the support guys and as always, if you find any vulnerable and or NOT vulnerable devices, please report them here!

kiarashmm
2016-02-26, 10:22
To Saydamination:
Did you successfully get the Realtek RTL8671's pin?

cengizz
2016-02-27, 18:15
Is pixiedust gonna support ZyXEL modems?

soxrok2212
2016-02-27, 22:10
Pixiewps is for wireless systems, not modems. And it depends on the chipset as you can read on the first page of this thread.

cengizz
2016-03-01, 19:04
Pixiewps is for wireless systems, not modems. And it depends on the chipset as you can read on the first page of this thread.

I understood. Actually I just want to ask about ZyXEL's modem chipsets. Like D-Link, Broadcom, what else. I don't know which chipset is used in ZyXEL modems.

soxrok2212
2016-03-02, 02:42
D-Link is not a chipset, it is a manufacturer. ZyXEL probably uses every chipset on the market for different applications. There is no 1 chipset for a specific manufacturer.

mmusket33
2016-03-03, 06:48
To soxrok2212:

MTeams received a report that surprised us in that it appears the WPS Pin was also the WPA Key

Barring the user entering the WPS Pin as a WPA key in the wifi management software we are wondering if the DDOS process that VMR-MDK subjects the router to has caused this or there is a glitch in the firmware turning the WPS Pin into the WPA Key.

Obviously anyone trying to crack this router with brute force should run an eight-character numeric string pass-through with crunch first:


Comment was

Got working on Kali Rolling with Locked AP TL-WR842ND. Not too much to wait though
Pin and Key were the same: 45576072


http://forum.aircrack-ng.org/index.php/topic,868.45.html

MTeams

We did find this:

http://gizmodo.com/a-simple-security-flaw-puts-millions-of-wi-fi-routers-i-1705980884

soxrok2212
2016-03-03, 16:14
TP-Link is known to use the same 8 char WPS PIN as the WPA key. Also happened on a TL-WDR4300.

aanarchyy
2016-03-03, 17:50
I have a TP-Link router right next door to me that has the PIN and PSK the same 8 digit numeric.

kcdtv
2016-03-04, 15:07
Some models indeed have this "fantastic" :p configuration for default PIN and WPA passphrase.
You can check default settings for quite a lot of models if you sneak around the web interface emulators that TP-Link provides: tp-link emulators (http://www.tp-link.com/en/emulators.html) ;)

soxrok2212
2016-03-04, 22:06
I made a detailed writeup of the vulnerability available here: http://division0.net/wps-pixie-dust.html

If you are looking for more technical details, check out that post!

kcdtv
2016-03-06, 11:32
Just to say that your site has a problem my friend...
I can ping it but i get error 404 if i try to browse it.
If you didn't know what to do this sunday, i found you some activities :p
take care :)

bob79
2016-03-06, 15:30
yesterday was working. today.. The requested URL /wps-pixie-dust.html was not found on this server. Happy html'ing :)

soxrok2212
2016-03-06, 17:45
Just to say that your site has a problem my friend...
I can ping it but i get error 404 if i try to browse it.
If you didn't know what to do this sunday, i found you some activities :p
take care :)

Hahahahaha


yesterday was working. today.. The requested URL /wps-pixie-dust.html was not found on this server. Happy html'ing :)

Working on it now :)

UPDATE: Should be fixed now :)

mmusket33
2016-03-06, 23:44
To

You may find this interesting

We received the following report from devilsadvocate

Also, I would like to report some behavior that I have witnessed on some Netgear APs. It seems that some Netgear APs are aware that Reaver always starts with the code, "12345670". The result of this is that those routers will WPS lock right away. I haven't found a workaround yet (if there even is one). I realize that a mod to Reaver may be necessary. Is there a version of Reaver that doesn't use "12345670" right from the start?

MTeams answer

There is a reaver program called ryreaver-reverse. There is no installation; you run the program with ./ryreaver-reverse from root. You must use the --session=<> option to save the work or the program starts the attack all over again. It also does not support pixiedust, but you can test for pixiedust data sequences with the normal reaver program by setting --pin= to some pin other than 12345670. Then use PDDSA-06.sh to test for the pin. If no pin is found you can restart ryreaver-reverse.


See
http://forum.aircrack-ng.org/index.php/topic,868.45.html


Musket Teams

soxrok2212
2016-03-07, 01:31
You could also try bully: https://github.com/aanarchyy/bully It starts on a random pin.

Quest
2016-03-16, 12:24
Howdy,

Do we have a WPS known pin database anywhere? I would like a simple .txt file with MAC | Known PIN.

In other words, in some cases there seems to be a direct relation between vendors/MAC and the first few pin numbers. Like for example, E8:39:DF: = 18XXXXXX [insert 'NO WAY!!' emoticon here]

Please answer with a positive and link, or I will be in a bad mood for the rest of the day. Thank you.

kcdtv
2016-03-16, 14:09
UPDATE: Should be fixed now
The site works perfectly now :)
Very nice web, good job!

ParanoiA609
2016-03-22, 19:59
Amped Wireless SR10000 is vulnerable. BCM8xxx. 121 seconds creds dumped. I don't see it listed in the database.

soxrok2212
2016-03-22, 22:41
Can you post Reaver/Bully output? Would like to confirm, wikidevi says it's Realtek: https://wikidevi.com/wiki/Amped_Wireless_SR10000

ParanoiA609
2016-03-23, 12:27
Sure will do

I stand corrected. It is the same as listed on the site you linked. The RTL8196C is already listed in the db under other brands anyway.


soxrok2212
2016-03-24, 00:14
I figured :) Thanks for the confirmation.

invader
2016-04-15, 21:04
First success today with pixie dust attack! :cool:
It took about 7 seconds only!

X999
2016-04-27, 12:12
Nice tools, especially with K 1, K 2 and K 3.
But it doesn't work with my TP-Link router.. when I put in the correct pin, reaver works awesome.

Any idea to make reaver use a pin list created with crunch?

Example: reaver -i wlan0mon -b 11:22:33:44:55:66 -c 11 -p /root/pins.txt

If the router doesn't have WPS lock active... reaver will be a famous tool for hacking WPA/WPS.

Thanks, just an idea.. ☺

soxrok2212
2016-04-27, 22:10
What would the benefit be? Reaver follows a set sequence and Bully just chooses PINs at random. There will always be 11,000 possibilities no matter what.

kcdtv
2016-04-28, 19:33
Any idea to make reaver use a pin list created with crunch?
Reaver doesn't have such an option... but it is not very hard to do though ;) :
Create your PIN dictionary following the pattern used for the *.wpc file:
- Put 0 for the 3 numbers used as headers (index p1, index p2, boolean for whether the first half was found or not)
- Put your 10000 first halves
- Put your 1000 second halves (the last digit is a checksum, reaver generates it live)
Call your file whatever.wpc and when you launch reaver just use the -s option with the full path to your *.wpc file:

-s, --session=<file> Restore a previous session file
Have a look at some *.wpc file and you will understand how it works...

By the way: why didn't you ask this question in the thread about reaver instead of here :confused:
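Added illustration (not code from the thread, reaver or pixiewps) of two things the posts above keep referring to: the checksum arithmetic behind the last PIN digit that the .wpc layout leaves out, which is why the thread's figure is 11,000 candidates rather than 10^8, and an audit check for the TP-Link reports earlier on this page where the WPA passphrase was itself the 8-digit WPS PIN. The checksum algorithm is the one in the WPS specification; the function names are assumptions for this example.

```python
def wps_pin_checksum(first7: int) -> int:
    """Checksum digit for a WPS PIN, computed from its 7 leading digits.
    This is the WPS 1.0 specification arithmetic (weights 3,1,3,1,...)."""
    if not 0 <= first7 <= 9_999_999:
        raise ValueError("expected the 7 leading digits as an integer")
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when pin is exactly 8 digits and its last digit is the checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def split_pin(pin: str):
    """Split a checksum-valid PIN the way the .wpc description above does:
    4-digit first half, 3-digit second half, and the derived checksum digit."""
    if not is_valid_wps_pin(pin):
        raise ValueError("not a checksum-valid WPS PIN")
    return pin[:4], pin[4:7], pin[7]


def effective_keyspace() -> int:
    """Why the thread quotes 11,000: the AP's answer to M4 already reveals
    whether the 4-digit first half was right, and the checksum fixes the last
    digit, so at most 10**4 + 10**3 candidates ever need confirming.
    This is the reason to turn the WPS PIN method off on an access point."""
    return 10**4 + 10**3


def passphrase_is_wps_pin(passphrase: str) -> bool:
    """Audit check for the TP-Link behaviour reported earlier in the thread:
    a WPA passphrase that is itself a checksum-valid 8-digit WPS PIN."""
    return is_valid_wps_pin(passphrase)


if __name__ == "__main__":
    # 12345670 is the well-known default PIN; 45576072 is the PIN/key pair
    # quoted in the thread above.
    for candidate in ("12345670", "45576072", "12345671", "password"):
        print(candidate, "valid PIN:", is_valid_wps_pin(candidate),
              "weak as passphrase:", passphrase_is_wps_pin(candidate))
```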

audiorulz4u
2016-04-30, 16:07
BSSID: 38:3B:C8:2D:D5:EA
ESSID: ATT982mxZ9
MANUFACTURER: Pace
MODEL: Pace
MODEL NUMBER: 123456

Trying to post the WPS data but it gives me a firewall error... this AP is not vulnerable.

soxrok2212
2016-05-05, 04:20
BSSID: 38:3B:C8:2D:D5:EA
ESSID: ATT982mxZ9
MANUFACTURER: Pace
MODEL: Pace
MODEL NUMBER: 123456

Trying to post the WPS data but it gives me a firewall error... this AP is not vulnerable.

Thanks, added to the database.

Btw, 500th post! :cool:

Ramzes
2016-05-07, 19:36
Thanks, added to the database.

Btw, 500th post! :cool:
Any update to PixieWPS? I'd like to know if you're planning to add some possibilities with Cisco routers.

kcdtv
2016-05-08, 14:13
Cisco hasn't made routers for several years: their "router" division was bought by Belkin.
If you read the first post carefully you will understand that your question is not relevant.
The pixie dust attack is first and above all a question of wifi chipset.
So if your device has a vulnerable chipset then it can be vulnerable, whichever the access point manufacturer is.

ParanoiA609
2016-05-16, 12:41
Netgear WN3000RP_V2
MediaTek MT7620A - (Already documented under different manufacturers)

Linksys WRT110
Ralink RT2780/RT2720

soxrok2212
2016-05-16, 23:37
Netgear WN3000RP_V2
MediaTek MT7620A - (Already documented under different manufacturers)

Linksys WRT110
Ralink RT2780/RT2720

Thanks, added both.

Also to everyone, if you find some that are not vulnerable please list them here as well as those are are vulnerable.

ParanoiA609
2016-05-19, 22:03
Netgear C3700-100nas modem / router
Broadcom BCM43227 / BCM43228
Not vulnerable

Paulnewman
2016-06-05, 21:40
Hi, I've tried to hack the wifi WLAN of a Fritz 7390, but it keeps trying the same PIN and always gets an error.
Does it mean it is not possible to hack it?
Does someone have experience against the Fritz 7390 WLAN?
Thanks.

Laserman75
2016-06-09, 17:15
Manufacturer AVM Fritz Box is not vulnerable to pixie dust or the normal WPS attack with reaver or bully ;)

With both the WPS-PBC and the WPS PIN method, a secure wireless connection to the FRITZ!Box can only be made within 2 minutes of powering up.
After 2 minutes or after a successful connection, the WPS method of the FRITZ!Box will be automatically deactivated.

Paulnewman
2016-06-09, 20:08
Thank you Laserman75.
So in general, there is nothing to do to hack the wifi of an AVM Fritz box 7390?
Could it work to use Fluxion and try my luck while someone is connected?
Any suggestion or advice would be helpful.
Thanks in advance.

Paulnewman
2016-06-09, 22:12
Yes.
How can I hack the password then?
There is no possibility to violate the FRITZ!Box?



Manufacturer AVM Fritz Box is not vulnerable to pixie dust or the normal WPS attack with reaver or bully ;)

With both the WPS-PBC and the WPS PIN method, a secure wireless connection to the FRITZ!Box can only be made within 2 minutes of powering up.
After 2 minutes or after a successful connection, the WPS method of the FRITZ!Box will be automatically deactivated.

mmusket33
2016-06-10, 02:01
To Paulnewman

Outside of brute forcing a handshake or WPA phishing there are three (3) possibilities. Chances of success are SMALL, may not be immediate, and these attacks may not work at all!

Method One

Some routers when subject to small amounts of DDOS release WPS pins even though the WPS system is locked. You can test this vulnerability by using one of the VMR-MDK variants.

Method Two

Some routers reset their WPS pins to 12345670 and become open to WPS pin collection for short periods of time. You can run reaver or bully with the pin 12345670 in the command line and constantly attack the router for a long period of time (i.e. weeks). Better, just run varmacscan when your computer is idle and you may get lucky.

Method Three

Some routers reset after being subjected to heavy DDOSing. Mteams has not had much success with Method Three.

Paulnewman
2016-06-12, 12:21
I tried using the suggested script VMR-MDK with standard parameters but I always get the same errors.
On a first router:
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Entering recurring delay of 15 seconds
On a second router:
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.

In both cases the wash command shows that WPS is not locked, but the system always tries the same PIN 12345670 and doesn't go forward....

mmusket33
2016-06-13, 02:43
To Paulnewman

If the wps system is OPEN then VMR-MDK is not the tool of choice.

MTeams suggests you use the command line first in most cases where the WPS system is open. Try both reaver and bully.

There are many reasons why you cannot get reaver to collect pins. You might put the --wps option in airodump-ng, point it at your target by adding -c channel and --bssid, and see what information airodump-ng supplies.

In the end you may have to resort to brute force by collecting a handshake. Remember approx 50% of the WPA keys are simple numeric strings 8 to 10 in length. Back when reaver was king MTeams collected hundreds of WPA keys and the 50% rule was obtained. In fact over half of these numeric strings were mobile telephone numbers and a small number were landline numbers with and without the area code.

MTeams

tomodachimo
2016-06-20, 07:36
Hi, I know it's a little off topic to pixie's,
but is there any possible way to force the router to reset to its default factory setup? With a router that has WPS disabled, or forcing WPS to enable?

Tried cracking the AP with a dictionary attack but no luck..

thanks in advance!

machx
2016-06-21, 16:30
To mmusket33

I have a TP-Link router TL-WR740N, seems like it is impossible to crack the WPS PIN

First I tried the Wifite, Pixie dust attack- within seconds it says WPS PIN not found

Tried reaver with a delay of 10-15 seconds - doesn't help, as the router still locks after a few wrong WPS PIN attempts.

I tried the VMR-MDK script; for the first few seconds I get the M1 to M4 messages and then it says "WPS transaction failed, code 0x04".

I tried Varmacscan, no luck there either.

So I want to know, is there a way to crack the pin of locked WPS routers? Usually the routers lock automatically after a few failed pin attempts.

WPA handshake and cracking with a wordlist is about luck, only if the passphrase is in the wordlist.

Note: I did crack the D-Link routers with Wifite (pixie-dust) within seconds, works perfectly.

It's just the new routers which are hard to crack.

Running Kali 2.0 Sana all tools updated to the latest.

Please help. Thanks in advance

squash
2016-06-21, 16:53
To machx: I have the same problem with newer routers as well; almost all of those I have in range are pretty new and updated Technicolor routers, so not much luck there.
But I have recently started to play with wifiphisher instead and have a lot of success with that tool.
Before, I found it hard to believe that people are so naive and easy to trick, so I never bothered to test this way, but now I have changed my mind. :)
Give it a try^^

machx
2016-06-21, 17:03
To squash,

I'll give it a try, thanks a lot. Running out of luck; will keep it updated here after the test.

TheMantis
2016-06-23, 18:35
To mmusket33

WPA handshake and cracking with wordlist is about luck, if only the passphrase is in the wordlist.



You can crack WPA with crunch.

machx
2016-06-24, 08:54
I had my luck yesterday and was able to crack it with a dictionary attack with rockyou.txt.
Others were cracked with pixie dust using Wifite.
The rest are still in progress.
VMR-MDK, Revd3k-r3 and Varmacscan don't work, no hope there.

I'm also using the default WPS PIN of the router manufacturer and model. It sometimes works
with the default PIN (-p on reaver).

Still testing, will keep updated

vinneth
2016-09-08, 03:05
Just so you know, -K 1,2,3... Each number is for a different chipset. You have to look up which chipset the router uses and then use the corresponding -K 1,2,3 argument.

I only started looking into all things wireless 2 weeks ago, and have been using -K 1 for all attacks because that is the only thing mentioned, if you put number next to the chipset in the menu that would be more intuitive for those who haven't read the full history of this post. I am going through it because I want to see the development from day dot to current but most people I know don't want to do that amount of research before using tools.

Awesome work, as a non-coder (hopefully I develop past script kiddie soon) I am in awe of you

Apologies on posting halfway through reading the entire thread, I jumped the gun a bit.

vinneth
2016-09-09, 08:06
True, but I know that trying to create an accurate wordlist with crunch for Bigpond/Telstra modems (Australian provider) requires 10 digits, upper-case and numeric; the output for that in crunch is 25 petabytes. Not sure I can get that kind of storage, or wait the time for it to be created :confused:

John_Doe
2016-09-11, 22:20
Great thread, THANK YOU KALI FORUMS!
wifiphisher looks neat but since I have to provide the target's internet connection for a period of time I don't think I'll ever use it. Or do I not understand how it works?
RE: Technicolor modems: The ones I've seen use 15 or 16 characters and apparently no "trick" exists to help guess the pass.

And now I have my main question: Is the old pixiewps PRNG brute force ever successful? as in:
[+] Pin not found, trying -f (full PRNG brute force), this may take around 30 minutes
It never succeeded for me, but my new installation of Kali never runs the PRNG brute force, as the -f option now denotes "force disable channel hopping" instead of "brute force PRNG". If it's a hopeful attack, I'd like to get it back, but how?

mordax
2016-09-17, 05:12
My router is not listed, so how do I know if it's vulnerable or not? Obviously reaver with the -K option finds nothing, because it's not programmed into pixiedust.
It's a Broadcom:
WPS Model Name: Broadcom
WPS Model Number: 123456
AP Serial Number: 1234

It shows the r-nonce, PKR, authkey, hash1, hash2 ..etc, but it finds nothing, obviously because the router has never been tested, so how can I find out if my router is vulnerable to the pixiedust attack?
Does someone ever update the list?
I also noticed lots of other routers that are not listed. Routers used in Sweden are not listed, some routers used in the UK are not listed and most routers used in Finland are not listed either. Is this some USA-based thing or something?

squash
2016-09-20, 08:45
My router is not listed, so how do I know if it's vulnerable or not? Obviously reaver with the -K option finds nothing, because it's not programmed into pixiedust.
It's a Broadcom:
WPS Model Name: Broadcom
WPS Model Number: 123456
AP Serial Number: 1234

It shows the r-nonce, PKR, authkey, hash1, hash2 ..etc, but it finds nothing, obviously because the router has never been tested, so how can I find out if my router is vulnerable to the pixiedust attack?
Does someone ever update the list?
I also noticed lots of other routers that are not listed. Routers used in Sweden are not listed, some routers used in the UK are not listed and most routers used in Finland are not listed either. Is this some USA-based thing or something?

I think it's mostly USA routers listed because most users in this forum live there.
But I know pixie works on a lot of routers even in Sweden where I live.

mordax
2016-09-22, 07:49
I think it's mostly USA routers listed because most users in this forum live there.
But I know pixie works on a lot of routers even in Sweden where I live.

I don't fully understand pixie dust yet. Is there any type of "calculator" which can be used to test new routers against pixie dust?

John_Doe
2016-09-23, 09:18
lol mordax, pixiewps is a calculator. If it succeeds, then the router is vulnerable.
Type this:
reaver --help
and read through the options. I seem to recall that there is a -W switch that MIGHT calculate the default PIN for you, if it's a D-Link or Belkin.

dek0der
2016-09-24, 07:39
I have tested a couple of d-link routers and never succeeded.
I used -K option but failed and -W to generate the default pin but supplying that pin to reaver never seems to work.
I guessed those routers were not vulnerable, but then I tested them with an Android app "WPA WPS Tester" and I was able to authenticate successfully..!
I tried to disassemble the app but couldn't get anything as I don't know Android or Java much.
If anyone can look at the app, which is available in the Google Play store, maybe it will help in WPS attacks in the future.

Note: The app generated the same pin as -W switch but reaver or bully couldn't get the passphrase whereas the app succeeded.

Any help will be appreciated.

Thanks

mordax
2016-10-03, 02:56
lol mordax, pixiewps is a calculator. If it succeeds, then the router is vulnerable.
Type this:
reaver --help
and read through the options. I seem to recall that there is a -W switch that MIGHT calculate the default PIN for you, if it's a D-Link or Belkin.

Nah, you didn't get my question. Pixie dust can only calculate the WPS pin if the algorithm (the one used by the router) is programmed into pixie dust, but what if the router I tested uses a different algorithm? So what I'm saying is: how can pixie dust know about the router if it hasn't been programmed into pixie dust?
I know for a fact that there are different algorithms out there being used by different routers. That's what I meant by a calculator: something that constantly gets updated with the latest algorithms being used.


@dek0der if reaver can't get the passphrase from the WPS pin, have you tried connecting to the router using the WPS pin? For example Windows 10 allows you to connect by using the WPS PIN, and so do some Android phones. NOTE that connecting to the router using the WPS pin as the passphrase will not work; you have to first select the special option to use the WPS PIN, otherwise your OS simply tries the pin as the passphrase and fails.
If the router accepts the WPS, but reaver won't find the pass, then you have a weak signal. If the router doesn't accept WPS, then it means that your router does have a default WPS PIN, but it's disabled by default. I have run across some routers that have it disabled by default; I've checked the settings and WPS is set to "push to activate" mode, so you have to physically push the button on your router and only then does it become active for about 1 minute.

dek0der
2016-10-04, 07:53
@mordax I'm fully aware of all the facts that you stated... what I'm saying is that the Android app 'WPS WPA Tester' is able to authenticate with the AP but reaver fails. I tried it with a rooted phone and saw the password in the wpa_supplicant.conf file was NULL... what does that mean..? And how is the app able to authenticate with the AP while reaver does not produce any results? The AP signal is also strong.

balder0777
2016-10-10, 20:51
Hi everybody, why do I get the message Rx(Beacon) = 'Timeout' Next pin xxxxxxxx

squiddymute
2016-10-14, 12:11
No matter what router I scan I can't seem to get e-hash1 and e-hash2 from reaver or wireshark. My reaver is the default reaver that comes with the latest Kali Linux. Any ideas how to get those? I can get all the rest (Auth key, PKE, PKR etc).

undersc0re
2016-10-15, 01:02
No matter what router I scan I can't seem to get e-hash1 and e-hash2 from reaver or wireshark. My reaver is the default reaver that comes with the latest Kali Linux. Any ideas how to get those? I can get all the rest (Auth key, PKE, PKR etc).

If you include more information you might get good responses, such as the exact command lines you are trying, and the environment you're running Kali in.

squiddymute
2016-10-17, 11:35
If you include more information you might get good responses, such as the exact command lines you are trying, and the environment you're running Kali in.


not doing anything exotic

wifi card: RT2501/RT2573 Wireless Adapter
Reaver version: v1.5.2
command: reaver -i wlan0mon -b <mac> -c1 -S -vv
kali version:
Linux version 4.7.0-kali1-amd64 (devel@kali.org) (gcc version 5.4.1 20160803 (Debian 5.4.1-1) ) #1 SMP Debian 4.7.5-1kali3 (2016-09-29)

Tried several different routers, I'm not getting e-hash1 or e-hash2. I have also tried with wireshark as well, but still I see nothing related to e-hash1 and e-hash2 in the packets.

John_Doe
2016-10-30, 22:53
Hello squiddy, what happens if you add another v:
reaver -i wlan0mon -b <mac> -c 1 -vvv
or, what happens if you do:
reaver -i wlan0mon -b <mac> -c 1 -K -vvv

mokba
2016-10-31, 05:30
Did not work with Speedport W724V Type Ci, ZTE ZXDSL 931VII v4 or Zyxel VMG5313-B30.

Speedport and Zyxel lock WPS after a few tries and ZTE turned it off completely. All devices' WPS resets after a power cycle.

slmafiq
2017-01-11, 17:24
Is it possible to make a script which could use a PIN LIST for the half pin1 or for the whole pin with 11 000 possibilities, to imitate the original brute-force?
Because there are some routers which start from 1234| and only change the second half of the PIN:
p2_index set to 1
[+] Pin count advanced: 10001. Max pin attempts: 11000
[+] Trying pin 12340002.

[P] WPS Manufacturer: ZTE Corporation
[P] WPS Model Name: ZXHN H118N
[P] WPS Model Number: ZXHN H118N
[P] Access Point Serial Number: 123456789012347


ex:
kcdtv: Acknowledging the first M5 is enough to create the fake positive for the first half. Problem here is that this M5 should not exist and totally disable the concept of two stages brute force.

RAZERZDAHACKER
2017-01-23, 08:33
Got the WPS pin using "reaver -i wlan0mon -b (insert bssid here) -vvv -W 2 (it is a Belkin router) -a -c (insert channel number here)", tried to get the passwd using the --pin= option in reaver and it gives me a hash-looking thing for the passwd. I still couldn't use that "hash" to connect to the network. I tried to disconnect all APs from the client as well as changing my MAC address to one of the APs connected on the network, still no success. However, I couldn't help but notice that each time I tried with the passwd I got from pixie, it got NACS errors, but every time I tried with a different WPS pin than the correct one, it tests it and reports that it didn't work. Kinda stuck here. Some information: WPA and WPS (no WPA2), Belkin chipset, WPS is not locked and is, according to the command "wash -i wlan0mon", at version 1.0, and it does send out beacons frequently. I'm not very far away from the router, according to the wash command: -59. I just want to learn why this is happening and explore. Since it has WPA enabled as well, I tried to capture a handshake by running aireplay-ng with the 3 and 1 options, as well as aircrack-ng, and still got the same WPS pin. Tried to de-hash that using an online hash cracker but no use. Tried to connect to the AP using the WPS pin (someone mentioned a link that led to the Ubuntu forums) and no use.

mordax
2017-01-26, 17:38
Has anyone checked into Broadcom routers? I think it's vulnerable, but I need to know for sure, can someone test if i send the info? I already posted in this topic before, but didn't get much replies regarding this.

ETCG_FlareCat
2017-01-30, 02:16
Look up your device on Wikidevi. If your device contains one of the chipsets as listed above, disable WPS now. If your device does NOT contain one of the chipsets as listed above, disable WPS now.


This is really good ****

Mr Wolf
2017-09-08, 19:34
What I would be curious to know is why the attack works even if WPS pin is disabled while only push button to connect is enabled.

Well, I guess that's why WPS should be completely disabled.

wiire
2017-11-09, 19:35
We started a new thread for collecting data: https://forums.kali.org/showthread.php?38127-Data-gathering-for-pixiewps-(pixie-dust-attack)&p=75368&viewfull=1#post75368

bigbiz
2017-12-13, 13:17
We started a new thread for collecting data: https://forums.kali.org/showthread.php?38127-Data-gathering-for-pixiewps-(pixie-dust-attack)&p=75368&viewfull=1#post75368

Reaver stores the tried combinations on your hard drive under /etc/reaver. Delete them to save room.

slmafiq
2018-01-07, 11:58
Could someone write me an application for bcmon with the new version of reaver 1.6.3 and pixiewps? tnx