PDA

View Full Version : Wifite including new pixiewps attack



aanarchyy
2015-04-19, 20:44
Figured i would just make it it's own thread so it doesn't get lost in everything else.
Let me know if there are any problems or ideas, still kinda playing around with this and a few other ideas i kinda want to add.

REQUIRES: Need to have pixiewps and t6x modified reaver installed

ADDED: Support for new pixiewps attack, attempts a pixiewps attack and if successful passes the key to reaver to test. If fails, continues 11,000 key brute force with reaver.
Now reports if wps is locked in scanning window(annoyed the excriment out of me that this wasn't shown.)

ToDo: Maybe add some default pin calculations and checking.
Make attacks a little more chipset specific(like attemting pin 42000648 on known vulnerable routers, etc...)
Add option to mdk3 the poopies out of AP in hopes of reseting it.(can't hurt)
Add a dummy-check to not bork out if modified-reaver or pixiewps isn't installed... :-/

Changelog:
04202015 - added timeout to script to avoid hanging if ap doesn't respond
added flag -pixiet <sec> #adjust timeout of pixie attack
added flag -ponly #only use pixiewps attack on selected wps networks,
fixed ctrl^c issue, will now ask to continue or exit completely
04212015 - added option to skip psk retreaval upon successful pixiewps attack, now runs reaver by default
04222015 - added updater just run ./wifite -update to update to this fork instead of original wifite
fixed timer
fixed issue with new airmon-ng not creating monitor interface
04232015 - fixed -mac not really anonymizing mac address
added -endless flag to loop through targets
made cracked.txt human readable(tab delimited instead of chr(0))
fixed issue with -paddto not working
can now anonymize iface already in monitor mode(via macchanger)

Download:

https://github.com/aanarchyy/wifite-mod-pixiewps

nuroo
2015-04-19, 21:18
Nice, glad you added new pixie attacks. Wifite is great program. Used it exclusively until pixiewps, and new reavers came out. Then I had to use the command line more.

Wifite is also one the the few programs that handles new airmon-ng, well.
new airmon-ng example:
airmon-ng wlan3 = wlan3mon (not mon0)

Im out at the moment, but wifite definitely worked when new airmon-ng already created new monitor interface, then run wifite. Cant remember if could create and use monitor interface of new airmon-ng from beginning. I'll report back

I'll test this new version for both cases when I get home

aanarchyy
2015-04-20, 00:07
Nice, glad you added new pixie attacks. Wifite is great program. Used it exclusively until pixiewps, and new reavers came out. Then I had to use the command line more.

Wifite is also one the the few programs that handles new airmon-ng, well.
new airmon-ng example:
airmon-ng wlan3 = wlan3mon (not mon0)

Im out at the moment, but wifite definitely worked when new airmon-ng already created new monitor interface, then run wifite. Cant remember if could create and use monitor interface of new airmon-ng from beginning. I'll report back

I'll test this new version for both cases when I get home

Let me know how it works, if it doesn't, then i should be able to fix it. I havent updated aircrack to test it yet but if it worked in wifite before, it should now also. I am obviously not the author nor even a contributor to wifite, this is just my own little 'fork' that i have found very usefull for myself, and i am releasing it incase it is usefull for anyone else.

nuroo
2015-04-20, 01:11
Can confirm modified script works if monitor already running. Script picks up wlan3mon right away, and does its thing. If monitor interface is not running, scripts creates it. But since airmon-ng no longer produces mon0, it gets suck in a loop.

This is only a problem for those that upgraded aircrack-ng suite. Im sure its flawless for everyone else.

aanarchyy
2015-04-20, 01:25
Can confirm modified script works if monitor already running. Script picks up wlan3mon right away, and does its thing. If monitor interface is not running, scripts creates it. But since airmon-ng no longer produces mon0, it gets suck in a loop.

This is only a problem for those that upgraded aircrack-ng suite. Im sure its flawless for everyone else.

Will see if i can fix the monitor creation part of it, like i said, not the origional creator of wifite ;-)
Can you confirm the pixiewps portion i added works?

nuroo
2015-04-20, 01:45
I had a hard times running it at first. The orginal wifite gets run, even if u run from downloaded directory. I renamed original and went back to download directory and yours ran.

I can confirm pixiewps portion does work.

ctrl c, doesn't function like old script however. for instance if attacking 10 targets. If I ctrl c, on 3rd target script ends. Doesn't target 4th. Or option to continue.

I would like some timeouts for pixie attack. Needed. reaver will wait for long time for beacons, whole script hangs.

aanarchyy
2015-04-20, 02:00
I had a hard times running it at first. The orginal wifite gets run, even if u run from downloaded directory. I renamed original and went back to download directory and yours ran.

I can confirm pixiewps portion does work.

ctrl c, doesn't function like old script however. for instance if attacking 10 targets. If I ctrl c, on 3rd target script ends. Doesn't target 4th. Or option to continue.

I would like some timeouts for pixie attack. Needed. reaver will wait for long time for beacons, whole script hangs.

Yeah the ctrl c part i have already noticed also and is on my list, still trying to figure out how the whole script meshes together.
And yeah, i also noticed the hang while waiting for beacon, yeah a timeout is a good idea, ill look for a way to put that in.

Thanks for helping me test this :D

EDIT: Updated wifite to now timeout after 60 seconds(may make this configurable in the future) if pixiepws is not successful and move on to a regular reaver brute force. Though chances are that if the pixiewps attack fails, more than likely it's a reception/lockout issue in which a regular reaver brute-force attack would also fail.

Bear with me, kinda learning python as i do this :D

tuongnv3
2015-04-20, 05:26
Will see if i can fix the monitor creation part of it, like i said, not the origional creator of wifite ;-)
Can you confirm the pixiewps portion i added works?
You have fixed it yet?

nuroo
2015-04-20, 09:32
Good news aanarchyy. Im happy to help. Awesome job so far. I wanna learn scripting too, for now help test.

Will try new version, report back.

nuroo
2015-04-20, 13:12
Just so I can run original and your wifite, I renamed yours wifitemod:

Heres output with new version with pixiewps timeout:

~/wifite-mod-pixiewps-master# ./wifitemod -wps

.;' `;,
.;' ,;' `;, `;, WiFite v2 (r85)
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: automated wireless auditor
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for Linux
':. /_____\ ,:'
/ \

modified by aanarchyy(aanarchyy@gmail.com)
Credits to wiire,DataHead,soxrok2212,nxxxu

[+] targeting WPS-enabled networks

[+] scanning for wireless devices...
[+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
[0:00:04] scanning wireless networks. 0 targets and 0 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 DG167**** 1 WPA2 36db Locked
2 FiOS-S**** 1 WPA2 23db wps
3 SprintGatew**** 1 WPA2 21db wps

[0:00:32] scanning wireless networks. 3 targets and 2 clients found
[+] checking for WPS compatibility... done
[+] removed 47 non-WPS-enabled targets

NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 DG167**** 1 WPA2 36db Locked
2 TG167**** 11 WPA2 25db wps
3 FiOS-S**** 1 WPA2 24db wps
4 TDS 6 WPA2 22db wps
5 TG167**** 1 WPA2 21db wps
6 MiamiHEAT 11 WPA2 20db wps
7 U10C0**** 1 WPA 18db wps
8 SprintGate**** 1 WPA2 18db wps
9 DIRECT-pm-BR**** 1 WPA2 18db wps
10 DG167**** 1 WPA2 15db wps

[+] select target numbers (1-10) separated by commas, or 'all': all

[+] 10 targets selected.

[0:00:00] initializing PixieWPS attack on DG167**** (...........:73:90)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found

[!] unable to complete successful try in 60 seconds
[+] skipping pixiewps on DG167****

[+] Pixiewps attack failed!

[0:00:00] initializing WPS PIN attack on DG167**** (...........:73:90)
^C0:00:18] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted

[+] 9 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): c

[0:00:00] initializing PixieWPS attack on TG167**** (...........:EC:10)

[!] unable to complete successful try in 60 seconds
[+] skipping pixiewps on TG167****

[+] Pixiewps attack failed!

[0:00:00] initializing WPS PIN attack on TG167**** (...........:EC:10)
^C0:00:22] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted

[+] 8 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): c

[0:00:00] initializing PixieWPS attack on FiOS-S**** (...........:EC:C2)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found
[+] E-Hash1 found
[+] E-Hash2 found
Traceback (most recent call last):
File "./wifitemod", line 3124, in <module>
main()
File "./wifitemod", line 321, in main
need_handshake = not wps_attack(iface, t)
File "./wifitemod", line 2912, in wps_attack
line = f.readline()
UnboundLocalError: local variable 'f' referenced before assignment

Timeout for pixie worked. but another error above.
Please make pixie timeout configureable.
also option if pixewps fail, no brutefructe, move to next target.
Please consider because failed attempt locked router

For those wondering what reavers -P option is intended for:

Option (-P) in reaver puts reaver into a loop mode that does not do the WPS protocol to or past the M4 message to hopefully avoid lockouts. This is to ONLY be used for PixieHash collecting to use with pixiewps, NOT to 'online' bruteforce pins.
This option was made with intent of:

----Collecting repetitive hashes for further comparison and or analysis / discovery of new vulnerable chipsets , routers etc..

----Time sensistive attacks where the hash collecting continues repetitively until your time frame is met.

----For scripting purposes of whom want to use a possible lockout preventable way of PixieHash gathering for your Use case.
by datahead

aanarchyy
2015-04-20, 14:27
@noruu fixed typo and added added pixie-loop, will be adding a configureable timeout option for pixie attack and will also add option to only attempt pixie attacks(good idea, i like that)

nuroo
2015-04-20, 21:01
Test parameters:
Internal wifi card only, quick and dirty.
Time limited. Netbook with internal wifi card, so all but one targets where to far away.
The one that was close enough for pixie/reaver attack, the script errored during pixie attack.

Observations:
The script handled configurable timeout well. (targets to far anyway)

When crtl C pressed the script moved on to next target well.

Need the timer for pixie attack, like timer for wps pin attack.
(cursor just hangs during pixie. countdown if possible)

Todo:
I will test script for fails, against more targets and with a stronger external usb wifi card and then post later.



root***:~/wifite-mod-pixiewps-master# ./wifitemod -wps -pixiet 90

.;' `;,
.;' ,;' `;, `;, WiFite v2 (r85)
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: automated wireless auditor
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for Linux
':. /_____\ ,:'
/ \

modified by aanarchyy(aanarchyy@gmail.com)
Credits to wiire,DataHead,soxrok2212,nxxxu

[+] targeting WPS-enabled networks
[+] pixiewps attack timeout set to 90 seconds

[+] scanning for wireless devices...
[+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
[0:00:04] scanning wireless networks. 0 targets and 0 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 DG167**** 1 WPA2 33db Locked
2 TDS 6 WPA2 17db wps

[0:00:25] scanning wireless networks. 2 targets and 2 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 DG167**** 1 WPA2 34db Locked
2 TDS 6 WPA2 24db wps
3 TG167**** 1 WPA2 21db wps
4 FiOS-S**** 1 WPA2 19db wps
5 HAL9000 6 WPA2 15db wps

[0:00:48] scanning wireless networks. 5 targets and 9 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 DG167**** 1 WPA2 34db Locked
2 TDS 6 WPA2 23db wps
3 TG167**** 1 WPA2 21db wps
4 FiOS-S**** 1 WPA2 16db wps
5 HAL9000 6 WPA2 15db wps

[0:01:11] scanning wireless networks. 5 targets and 13 clients found
[+] checking for WPS compatibility... done
[+] removed 49 non-WPS-enabled targets

NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 DG167**** 1 WPA2 34db Locked
2 TDS 6 WPA2 24db wps
3 TG167**** 1 WPA2 20db wps
4 DG167**** 1 WPA2 19db wps
5 FiOS-S**** 1 WPA2 17db wps
6 HAL9000 6 WPA2 15db wps

[+] select target numbers (1-6) separated by commas, or 'all': all

[+] 6 targets selected.

[0:00:00] initializing PixieWPS attack on DG16**** (00:00:00:00:73:90)

[!] unable to complete successful try in 90 seconds
[+] skipping pixiewps on DG167****

[+] Pixiewps attack failed!

[0:00:00] initializing WPS PIN attack on DG167**** (00:00:00:00:73:90)
^C0:00:12] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted

[+] 5 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): c

[0:00:00] initializing PixieWPS attack on TDS (00:00:00:00:1B:C6)

[!] unable to complete successful try in 90 seconds
[+] skipping pixiewps on TDS

[+] Pixiewps attack failed!

[0:00:00] initializing WPS PIN attack on TDS (00:00:00:00:1B:C6)
^C0:00:25] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted

[+] 4 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): c

[0:00:00] initializing PixieWPS attack on TG167**** (00:00:00:00:8F:20)

[!] unable to complete successful try in 90 seconds
[+] skipping pixiewps on TG167****

[+] Pixiewps attack failed!

[0:00:00] initializing WPS PIN attack on TG167**** (00:00:00:00:8F:20)
^C0:00:22] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted

[+] 3 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): c

[0:00:00] initializing PixieWPS attack on DG167**** (00:00:00:00:C4:60)

[!] unable to complete successful try in 90 seconds
[+] skipping pixiewps on DG167****

[+] Pixiewps attack failed!

[0:00:00] initializing WPS PIN attack on DG167**** (00:00:00:00:C4:60)
^C0:00:08] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted

[+] 2 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): c

[0:00:00] initializing PixieWPS attack on FiOS-S**** (00:00:00:00:EC:C2)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found
[+] E-Hash1 found
[+] E-Hash2 found
Traceback (most recent call last):
File "./wifitemod", line 3134, in <module>
main()
File "./wifitemod", line 321, in main
need_handshake = not wps_attack(iface, t)
File "./wifitemod", line 2931, in wps_attack
os.remove(temp + "reaver_err.out")
OSError: [Errno 2] No such file or directory: '/tmp/wifite0jkPaB/reaver_err.out'
root@****:~/wifite-mod-pixiewps-master#

Great progress !!

nuroo
2015-04-20, 21:10
Also on little netbook that I havent upgraded aircrack-ng suite, interface creation/usage perfect.

aanarchyy
2015-04-21, 00:49
Updated!
Added -pixiet <sec> to configure pixiewps timeout
Added -ponly to set to only attack using pixiewps
Fixed ctrl^c issue

nuroo
2015-04-21, 01:30
root@kali:~/wifite-mod-pixiewps-master# ./wifitemod -ponly -pixiet 45

.;' `;,
.;' ,;' `;, `;, WiFite v2 (r86)
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: automated wireless auditor
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for Linux
':. /_____\ ,:'
/ \

modified by aanarchyy(aanarchyy@gmail.com)
Credits to wiire,DataHead,soxrok2212,nxxxu

[+] Pixiewps attack only enabled
[+] pixie attack timeout set to 45 seconds

[+] scanning for wireless devices...
[+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
[0:00:04] scanning wireless networks. 0 targets and 0 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 \x00\x00\x001000 6 WPA2 65db wps
2 b0c554a1000 1 WPA2 64db wps
3 DVW32011000 1 WPA2 56db wps
4 atlantis201000 10 WPA2 53db wps
5 WileyR1000 10 WPA2 52db wps
6 DVW321000 1 WPA2 51db wps
7 133 1000 1000 6 WPA2 51db Locked
8 Onyx1100023 1 WPA2 50db wps
9 TommyA1000 6 WPA2 50db wps
10 Kirin1000 1 WPA2 49db wps
11 DG16701000 11 WPA2 48db wps
12 We hear y1000 6 WPA2 48db wps
13 \x00\x00\1000 11 WPA2 47db wps
14 DG11000 11 WPA2 46db wps
15 DG11000 1 WPA2 45db Locked
16 Tuppy Gl1000 6 WPA2 45db Locked
17 lind1000 11 WPA2 44db wps
18 DG11000 1 WPA2 40db Locked

[0:00:06] scanning wireless networks. 18 targets and 3 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 \x00\x00\x001000 6 WPA2 65db wps
2 b0c554a1000 1 WPA2 64db wps
3 DVW32011000 1 WPA2 56db wps
4 atlantis201000 10 WPA2 53db wps
5 WileyR1000 10 WPA2 52db wps
6 DVW321000 1 WPA2 51db wps
7 133 1000 1000 6 WPA2 51db Locked
8 Onyx1100023 1 WPA2 50db wps
9 TommyA1000 6 WPA2 50db wps
10 Kirin1000 1 WPA2 49db wps
11 DG16701000 11 WPA2 48db wps
12 We hear y1000 6 WPA2 48db wps
13 \x00\x00\1000 11 WPA2 47db wps
14 DG11000 11 WPA2 46db wps
15 DG11000 1 WPA2 45db Locked
16 Tuppy Gl1000 6 WPA2 45db Locked
17 lind1000 11 WPA2 44db wps
18 DG11000 1 WPA2 40db Locked

[0:00:21] scanning wireless networks. 18 targets and 3 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 \x00\x00\x001000 6 WPA2 65db wps
2 b0c554a1000 1 WPA2 64db wps
3 DVW32011000 1 WPA2 56db wps
4 atlantis201000 10 WPA2 53db wps
5 WileyR1000 10 WPA2 52db wps
6 DVW321000 1 WPA2 51db wps
7 133 1000 1000 6 WPA2 51db Locked
8 Onyx1100023 1 WPA2 50db wps
9 TommyA1000 6 WPA2 50db wps
10 Kirin1000 1 WPA2 49db wps
11 DG16701000 11 WPA2 48db wps
12 We hear y1000 6 WPA2 48db wps
13 \x00\x00\1000 11 WPA2 47db wps
14 DG11000 11 WPA2 46db wps
15 DG11000 1 WPA2 45db Locked
16 Tuppy Gl1000 6 WPA2 45db Locked
17 lind1000 11 WPA2 44db wps
18 DG11000 1 WPA2 40db Locked
19 linda1000 11 WPA2 45db wps
20 \x00\x00\x00\x00\... 11 WPA2 45db wps
21 ZOOM 6 WPA2 44db wps
22 DG1671000 1 WPA2 41db Locked
23 McPo1000 6 WPA2 40db wps
24 DG1671000 1 WPA2 40db Locked

[0:00:29] scanning wireless networks. 24 targets and 14 clients found
[+] checking for WPS compatibility... done
[+] removed 35 non-WPS-enabled target


NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 \x00\x00\x001000 6 WPA2 65db wps
2 b0c554a1000 1 WPA2 64db wps
3 DVW32011000 1 WPA2 56db wps
4 atlantis201000 10 WPA2 53db wps
5 WileyR1000 10 WPA2 52db wps
6 DVW321000 1 WPA2 51db wps
7 133 1000 1000 6 WPA2 51db Locked
8 Onyx1100023 1 WPA2 50db wps
9 TommyA1000 6 WPA2 50db wps
10 Kirin1000 1 WPA2 49db wps
11 DG16701000 11 WPA2 48db wps
12 We hear y1000 6 WPA2 48db wps
13 \x00\x00\1000 11 WPA2 47db wps
14 DG11000 11 WPA2 46db wps
15 DG11000 1 WPA2 45db Locked
16 Tuppy Gl1000 6 WPA2 45db Locked
17 lind1000 11 WPA2 44db wps
18 DG11000 1 WPA2 40db Locked
19 linda1000 11 WPA2 45db wps
20 \x00\x00\x00\x00\... 11 WPA2 45db wps
21 ZOOM 6 WPA2 44db wps
22 DG1671000 1 WPA2 41db Locked
23 McPo1000 6 WPA2 40db wps
24 DG1671000 1 WPA2 40db Locked
25 McP1000 6 WPA2 42db wps client
26 DG1671000 1 WPA2 42db Locked
27 DG1671000 1 WPA2 41db Locked
28 TG1671000 6 WPA2 40db wps
29 THWL9 1 WPA2 38db wps

[+] select target numbers (1-29) separated by commas, or 'all': all

[+] 29 targets selected.

[0:00:00] initializing PixieWPS attack on \x00\x00\x00\x00\x00\x 1000:79:0F)

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on \x00\x00\x00\x00\x00\x

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on \x00\x00\x00\x00\x00\x

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on \x00\x00\x00\x00\x00\x

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on \x00\x00\x00\x00\x00\x

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on \x00\x00\x00\x00\x00\x

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on \x00\x00\x00\x00\x00\x

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on \x00\x00\x00\x00\x00\x

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on \x00\x00\x00\x00\x00\x
^C
(^C) WPS brute-force attack interrupted

[+] 28 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): c


(^C) WPS brute-force attack interrupted

[+] 27 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): c

[+] Pixiewps attack failed!

[0:00:00] initializing PixieWPS attack on b0c554a1000 (1000:A7:86)

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on b0c554a1000

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on b0c554a1000

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on b0c554a1000

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on b0c554a1000

[!] unable to complete successful try in 45 seconds
[+] skipping pixiewps on b0c554a1000
^C
(^C) WPS brute-force attack interrupted

[+] 26 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): ^C
(^C) WPS brute-force attack interrupted

[+] 26 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): ^CTraceback (most recent call last):
File "./wifitemod", line 3150, in <module>
if attack_interrupted_prompt():
File "./wifitemod", line 1801, in attack_interrupted_prompt
ri = raw_input(GR+' [+]'+W+' please make a selection (%s): ' % options)
KeyboardInterrupt



Stuck in loop after pixie attack fails

nuroo
2015-04-21, 01:39
if ./wifite -pixiet (no time given)

script handles ./wifite -pixiet<null> nicely.

Also in previous version -ponly had no acknolegdement of being set to active, this version says its active.

aanarchyy
2015-04-21, 01:56
[CODE]

Stuck in loop after pixie attack fails
Yeah, just noticed that also, gimme a min to fix, just had it fixed then testbed crashed so i gotta remember what i did... :-/

Edit: Should be fixed now. I want to thank you again for helping me test this :D

nuroo
2015-04-21, 02:17
./wifite -ponly -pixiet 75 -pow 35

Worked no errors. 8 targets. Ctrl'C on a few I knew wouldn't crack, no crash. -NICE

No successful pixie attack though. Gonna increase timeout test pixie attack portion.

nuroo
2015-04-21, 03:05
When given enough info for successful attack against known vulnerable AP:
[0:00:00] initializing PixieWPS attack on DG167000 (0000000:27:80)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found
[+] Authkey found
[+] E-Hash1 found
[+] E-Hash2 found
script seems to stand still, no error but no output

Is that because -P option used in reaver? If -P option loop used, so no M4, so no wps lockout?

If so Then do you feed successful results to offline pixie attack to obtain pin? the new reaver to test pin?

soxrok2212
2015-04-21, 03:36
When given enough info for successful attack against known vulnerable AP:
[0:00:00] initializing PixieWPS attack on DG167000 (0000000:27:80)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found
[+] Authkey found
[+] E-Hash1 found
[+] E-Hash2 found
script seems to stand still, no error but no output

Is that because -P option used in reaver? If -P option loop used, so no M4, so no wps lockout?

If so Then do you feed successful results to offline pixie attack to obtain pin? the new reaver to test pin?

Yeah, the -P switch will stop M4 from being sent at all. Just run reaver after and supply the correct pin.

aanarchyy
2015-04-21, 05:05
Yeah, didn't exit the loop properly, oops! O.o
Should be all fixed now :D

SubZero5
2015-04-21, 07:14
@aanarchyy,
Is your Wifite based on derv82 's code?
As I recall bwall, drone and brianpow consecutively modified the Wifite code to r95.
Latest Wifite was on https://github.com/brianpow/wifite afaik...

nuroo
2015-04-21, 12:33
Posted two new issues to your git, aanarchyy.

Question - if wifite finds a client, does it spoof the mac of client?
Question - if mon0 is already started a fake mac address, does wifite pass the fake/spoofed mac address when using reaver (ex. reaver -i mon0 -b 11:22:33:44:55:66 --mac=00:11:00:11:00:11 -vv -S -K1)

nuroo
2015-04-21, 12:40
deleted double post

nuroo
2015-04-21, 12:47
@aanarchyy,
Is your Wifite based on derv82 's code?
As I recall bwall, drone and brianpow consecutively modified the Wifite code to r95.
Latest Wifite was on https://github.com/brianpow/wifite afaik...

just checked out that version SubZero. Nice. alots of cool improvements. But it came out b4 pixiewps and modded reaver, so lacking that functionality.

aanarchyy
2015-04-21, 13:00
@Subzero5
The one i am working with is the one that came on Kali. I may update it and add my patches in soon. Any specific features in that one?

@nuroo
1) No, but that was an idea i had been thinking of adding in.
2) If it's already spoofed, there is no reason to use the --mac flag as it is already spoofed.
3) Check the first issue you posted on github and confirm it's fixed for me please :-)

Updated to now run reaver automatically unless explicitly told to skip psk retrevial vai -pixienopsk flag

Still trying to figure out the whole updating timer thing, picking up python as i go along here

nuroo
2015-04-21, 16:36
Im pretty sure reaver doesnt use spoofed mac address for monitor unless --mac option is given.


i'll test for same issue now. but maybe results later, quick lunch

nuroo
2015-04-21, 16:48
airmon-ng also does not copy spoofed mac address to monitor. after airmon-ng creates monitor, i still take it down and run macchanger and assign same spoofed mac address to monitor. that is the reason I always create monitor before running wifite........i believe thats the reason for --mac in reaver.

nuroo
2015-04-21, 19:01
Consider a version or revision number.....for us track changes/fixes. and to know if im reporting on current revision.

aanarchyy
2015-04-21, 20:08
What behavior were you thinking for the spoofing part?

Specify address to spoof at command line?
Wait until client found then start attack with spoofed address?
Start attacking unspoofed and watch at same time, and when client found, restart attack with spoofed address?
If multiple clients found, rotate addresses so often?

nuroo
2015-04-21, 20:11
aanarchyy only because you asked, other wifite -h output.........no pressure.

.;' `;,
.;' ,;' `;, `;, WiFite v2 (r95)
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: automated wireless auditor
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for Linux
':. /_____\ ,:'
/ \

usage: wifite92.py [-h] [--check [file]] [--cracked] [--recrack] [-i [wlanN]]
[--mac] [-m [monN]] [--tx [N]] [-l [file]] [-v [file]]
[-s [filters]] [-t [criteria]] [-c [N]] [--power [N]]
[--all] [-r [N]] [--showb] [-2] [-q] [-a [filters]]
[-e [SSID]] [-b [BSSID]] [--wpa] [--wpat [secs]] [--nowpa]
[--wpadt [secs]] [--strip] [--crack CRACK] [--dict [file]]
[--hash [file]] [--recapture] [--aircrack] [--pyrit]
[--tshark] [--cowpatty] [--wep] [--pps [N]] [--wept [secs]]
[--chopchop] [--arpreplay] [--fragment] [--caffelatte]
[--p0841] [--hirte] [--nofakeauth] [--wepca [N]]
[--wepnosave] [--wepsaveiv] [--wps] [--nowps]
[--wpst [secs]] [--wpsratio [ratio]] [--wpsretry [N]]
[--wpssave] [--update] [--debug]

optional arguments:
-h, --help show this help message and exit

COMMAND:
--check [file] Check capfile [file] for handshakes.
--cracked Display previously cracked access points.
--recrack Include already cracked networks in targets.

INTERFACE:
-i [wlanN] Wireless interface for capturing.
--mac Anonymize MAC address.
-m [monN], --mon-iface [monN]
Interface already in monitor mode.
--tx [N] Set adapter TX power level.

TARGET:
-l [file], --load [file]
Load airodump file instead of scanning.
-v [file], --save [file]
Save airodump file.
-s [filters], --show [filters]
Filter targets in scanning state.Syntax: numbers,
range (e.g. "1-4"), power level (e.g.
"p[>,>=,=,<=,<][POWER]"), channel (e.g.
"c[CHANNEL,range])", wps disabled or enabled (e.g.
"wps0", "wps1"), Cipher (e.g. "wep" or "wpa", "wep[NUM
OF CLIENT]" or "wpa[NUM OF CLIENT]", "wep+" or "wpa+"
for network with clients), ESSID (e.g. "e[ESSID]") or
BSSID (e.g. "b[11:22:33]"). Multiple filters separated
by comma supported. Add "-" or "=" before to remove
targets.
-t [criteria], --timeout [criteria]
Criteria to stop scanning state. Numbers = seconds,
e[ESSID][+] or b[BSSID][+]= timeout when target is
found, add "+" at the end means "with clients",
n[>,>=,=,<=,<][num of targets] = timeout when total
targets more/equal/less than certain numbers. Multiple
criteria separated by comma supported.
-c [N], --channel [N]
Filter targets with specific channel in scanning state
(equivalent to "--show c[N]").
--power [N] Filter targets with signal strength > [N] in scanning
state (equivalent to "--show p\>[N]").
--all Attack all targets (equivalent to "--show all --attack
all --timeout 10").
-r [N], --row [N] Max numbers of row to show in scanning state.
--showb Show target BSSIDs in scanning state.
-2, --two Show scanning result in two columns.
-q, --quiet Do not list found networks during scan.
-a [filters], --attack [filters]
Automatically select targets after scanning state,
same syntas as "--show".
-e [SSID], --essid [SSID]
Attack target immediately once ssid (name) is found in
scanning state.
-b [BSSID], --bssid [BSSID]
Attack target immediately once bssid (mac) is found in
scanning state.

WPA:
--wpa Only show WPA networks in scanning state (works with
--wps --wep, equivalent to "--show wpa --nowps").
--wpat [secs] Time to wait for WPA attack to complete (seconds).
--nowpa Disable WPA handshake attack.
--wpadt [secs] Time to wait between sending deauth packets (seconds).
--strip Strip handshake using tshark or pyrit.
--crack CRACK Crack WPA handshakes using dict/hash file. (0 =
disable , 1 = aircrack, 2 = pyrit, 3 = cowpatty)
--dict [file] Specify dictionary to be used when cracking WPA.
--hash [file] Specify precomputed hash to be used when cracking WPA.
--recapture Recapture handshake even if the cap file exists.
--aircrack Verify handshake using aircrack.
--pyrit Verify handshake using pyrit.
--tshark Verify handshake using tshark.
--cowpatty Verify handshake using cowpatty.

WEP:
--wep Only show WEP networks in scanning state (equivalent
to "--show wep").
--pps [N] Set the number of packets per second to inject.
--wept [secs] Max time for each attack, 0 implies endless.
--chopchop Use chopchop attack.
--arpreplay Use arpreplay attack.
--fragment Use fragmentation attack.
--caffelatte Use caffe-latte attack.
--p0841 Use P0842 attack.
--hirte Use hirte attack.
--nofakeauth Stop attack if fake authentication fails.
--wepca [N] Start cracking when number of IVs surpass [n].
--wepnosave Dont save the captured IVs to "wep" folder in current
working directory.
--wepsaveiv Save the captured IVs in form of .ivs to "wep" folder
in current working directory. (.ivs is smaller than
.cap but NOT compatible with old aircrack-ng)

WPS:
--wps Only show WPS networks in scanning state (equivalent
to "--show wps --nowpa").
--nowps Disable WPS PIN Attack.
--wpst [secs] Max wait for new retry before giving up (0: never).
--wpsratio [ratio] Min ratio of successful PIN attempts/total retries.
--wpsretry [N] Max number of retries for same PIN before giving up.
--wpssave Save progress of WPS PIN attack to "wps" subfolder in
current folder.

OTHERS:
--update Check and update Wifite.
--debug Print lots of debug information.

Some cool featuers:
--update Check and update Wifite.
--mac Anonymize MAC address.
--wpsretry [N] Max number of retries for same PIN before giving up.
--wpssave Save progress of WPS PIN attack to "wps" subfolder in
current folder.
--debug Print lots of debug information
Lots for filters

nuroo
2015-04-21, 20:24
What behavior were you thinking for the spoofing part?


Specify address to spoof at command line?
Wait until client found then start attack with spoofed address?
Start attacking unspoofed and watch at same time, and when client found, restart attack with spoofed address?
If multiple clients found, rotate addresses so often?

For now
wifite -mac
Check mon0 is actually spoofed or random. airmon-ng doesn't carry spoofed mac to monitor. macchanger needs to also be carried out on mon0.
macchanger on wlan only, not sufficient.
also
reaver use --mac option, spoofed/random mac
aireplay-ng use -h option spoofed/random mac

Down the road:
wifite -clients (only attack access points with connected clients, spoof client b4 any attacks)

any deauths use connected clients mac

nuroo
2015-04-21, 21:21
I just saw you added -mac to wifite....... I like....Cheers. Worked great.

Back to testing

nuroo
2015-04-21, 22:18
./wifitemod -mac -ponly -pixiet 70

[+] 25 attacks completed:

[+] 3/25 WPA attacks succeeded
found Tomm000000 WPA key: "char00000", WPS PIN: 3700000

found Wile000000 WPA key: "Steph00000", WPS PIN: 12080000
./wifitemod -mac -ponly -pixiet 70
found DG1600000 WPA key: "DG167000000", WPS PIN: 7670000


[+] disabling monitor mode on mon0... done
[+] changing wlan1's mac back to 00000000:20:5b... done
[+] quitting

Nice !!!

aanarchyy
2015-04-22, 03:31
Well, it's got a live timer(count up), not as pretty, but functional.
Trying to fix some of the other stuff that was in the origional code, but more interested in the pixiewps/wps part of this to be honest.

nuroo
2015-04-22, 11:10
Ok cool. Pixiewps and wepcrack are first methods used anyway. Low hanging fruit so to speak. Quick and dirty, first. Routers that take longer saved for last.

I only started beta testing WPA capture part of the script because u fixed all the pixie section errors found to date. :)

Glad u implementated timer for pixiewps attack. Will try it soon.

nuroo
2015-04-22, 13:19
-pixiet <secs>

sets a max time for pixiewps attack.
I have been using 90 secs. If access point doesn't bite at all in 90 secs im pretty much convinced its not gonna bite at all. script moves on to next target. if I want I could set a higher time later maybe 180 secs.

What I have been running into though are cases were the access point partially bites in the set time frame.

[0:00:00] initializing PixieWPS attack on Lu0000000 (00000003:5C)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found
[+] Authkey found

[!] unable to complete in 90 seconds
[+] skipping pixiewps on Luc0000000

I'm thinking the script can
wait another 60 secs to try and catch rest of info
or
prompt user if he wants to wait another 60 secs or so. if no response in 20secs, automatically move next target.

nuroo
2015-04-22, 13:45
nvm
doesn't seem to be time related. When I run attacks in command line against those same access points, some pixie cracks right away, others timeout, other are locked, or fail to associate.

could be mac filtering, I know some had vulnerable chipsets

aanarchyy
2015-04-22, 14:52
Added updater
just run ./wifite -update
downloads and replaces itself with latest revision automatically

Fixed timer, should look much better now

Fixed issue with new airmon-ng not creating monitor interface.


I'm thinking the script can
wait another 60 secs to try and catch rest of info
or
prompt user if he waits to wait another 60 secs or so. if no response in 20secs, automatically move next target.

That's actually a pretty good idea, maybe add 30 seconds to the countout on each hash found.

EDIT: BLAH! just noticed the interface part is still a little screwed up, ill get to fixing it later tonight.

nuroo
2015-04-22, 21:16
Timer success, ;)
Guess im impatient and want to know script is working as opposed to stuck.Two quick test with pixie attack, timer was good.

-update also worked as advertised, :D

nuroo
2015-04-22, 21:19
Added updater
just run ./wifite -update
downloads and replaces itself with latest revision automatically

Fixed timer, should look much better now

Fixed issue with new airmon-ng not creating monitor interface.



That's actually a pretty good idea, maybe add 30 seconds to the countout on each hash found.

EDIT: BLAH! just noticed the interface part is still a little screwed up, ill get to fixing it later tonight.

If you want add it. ill test it...may help in certain cases

aanarchyy
2015-04-22, 21:23
If you want add it. ill test it...may help in certain cases

May make it a setting with a default value and set to 0 to disable.

PS. Added you to the credits, you have been invaluable with your testing my code and some really great ideas :D

nuroo
2015-04-22, 22:34
My pleasure, thanks for the acknowledgement.

Ideas easy, coding is harder

-cracked+
outputs more data about victims from attack:
Passphrase
Pin
Clients mac's
Manufacturer
Model
Channel
Highest signal strength


Just so this info is available for later. For spoofing etc or known router vulnerabilities etc............output to text file
****************

-pixieR -P <bssid> <X>

loop for 5 to X loops on target, without passing WPS protocol to or past the M4 message to hopefully avoid lockouts

For those wondering what reavers -P option is intended for:

Option (-P) in reaver puts reaver into a loop mode that does not do the WPS protocol to or past the M4 message to hopefully avoid lockouts. This is to ONLY be used for PixieHash collecting to use with pixiewps, NOT to 'online' bruteforce pins.
This option was made with intent of:

----Collecting repetitive hashes for further comparison and or analysis / discovery of new vulnerable chipsets , routers etc..

----Time sensistive attacks where the hash collecting continues repetitively until your time frame is met.

----For scripting purposes of whom want to use a possible lockout preventable way of PixieHash gathering for your Use case.
datahead

output to text file for analysis.

nuroo
2015-04-22, 22:59
Works with new airmon-ng monitor naming......confirmed

Quest
2015-04-23, 01:38
Hi aanarchyy!

What is your wifite base for this improvement, r85 or r86?

aanarchyy
2015-04-23, 02:13
Hi aanarchyy!

What is your wifite base for this improvement, r85 or r86?
AFAIK, r85, whichever one is default installed in kali liveboot cd.

To be honest, i never really planned on making this a project, I was going to make a few minor modifications to a pre-existing tool, like i do to many tools to more fit my needs( as i have done with wifite a while ago along with a few other tools, aircrack, reaver, snort, dsniff stuff, etc), and was never planning on releasing anything, especially since i dont really know python.

But as of recently, ive been having a really good time playing with this, very good learning oportunity. And once it worked kinda the way i wanted, i figured i would share it with anyone that might find it useful. Never expected for this to be a "main project" for me, but i am very much enjoying this.:D

Had i known this was actually going to be even mildly popular, i would have used a more up-to-date version(like the derv82 version), which i still may do, but i'm going to finish adding in things before i move it to a different revision cuz patching a new revision isn't exactly going to be a copy/paste kinda thing.

But either way, im gonna keep doing what im doing, cuz im having a lot of fun with this :D

Quest
2015-04-23, 02:40
:D I was asking because I'm a fan of wifite and according to that ticket https://bugs.kali.org/view.php?id=2225 there seems to be improvement with r86, so naturally I thought that any further improvement should be based on that version. Thank you and keep up the good work!

aanarchyy
2015-04-23, 04:07
I am a HUGE fan of wifite, which is why ive chosen it to add pixiewps to.
If the devs of wifite want/ask me to be a contributor, i would be more than happy.
If not, im perfectly fine creating my own fork that works the way i want it to.

aanarchyy
2015-04-24, 02:07
UPDATES!

fixed -mac not really anonymizing mac address
added -endless flag to loop through targets untill stopped
make cracked.txt human readable
fixed issue with -paddto not working

May be more, but i can't remember right now.

nuroo
2015-04-24, 18:39
./wifite -mac -ponly -pto 45 -paddto 30 -showb

--- -------------------- ----------------- -- ---- ----- ---- ------
1 NE00000 00000000:DE:D7 6 WPA2 28db wps
2 TG000000 00000000:FB:00 6 WPA2 27db wps
3 DG000000 00000000:D5:F0 11 WPA2 26db wps client

[0:00:00] initializing PixieWPS attack on DG0000000 (000000000:D5:F0)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found
[+] Authkey found
[+] E-Hash1 found
[+] E-Hash2 found
[+] Cracking using pixiewps...

[+] PIN found: 10896785
[+] Handing pin to reaver

[0:00:00] initializing WPS PIN attack on DG00000 (0000000:D5:F0)
^C0:02:59] WPS attack, 0/2 success/ttl,
(^C) WPS brute-force attack interrupted

[+] 2 attacks completed:

[+] 0/2 WPA attacks succeeded

[+] quitting

Still testing, with -mac option

found:

after exiting wps pin attack from pixie attack - mon0 left alive, mac remains spoofed

Also for troubleshooting purpose's could you echo to the screen the 2nd reaver command used to find pin, and results from access point during the attack

Actually could u echo both reaver commands to screen during attack.
whole initial attack command string used by script
whole 2nd command string used to obtain pin

TheMantis
2015-04-27, 15:27
Thank you, aanarchyy, for the awesome script. very fast wifi testing.

fastlane
2015-04-30, 18:38
hello.

Im getting attack failed on almost every AP, Is it normal ?

of 17 APs, pixie works in only one. Ironically the weakest.

nuroo
2015-04-30, 21:50
hello.

Im getting attack failed on almost every AP, Is it normal ?

of 17 APs, pixie works in only one. Ironically the weakest.

Are u able to tell why attacks are failing?
What happens when u attack individual AP's through command line?
What versions of reaver, wifite, pixiewps?
have u updated any of them recently?

fastlane
2015-04-30, 22:12
Are u able to tell why attacks are failing?
What happens when u attack individual AP's through command line?
What versions of reaver, wifite, pixiewps?
have u updated any of them recently?

everything goes normal. it shows "pkr found" "E-Hash1 found" etc...
and when it going to show the pin, it shows the message "Pixiewps attack failed!"

didnt try indivitual reaver attack yet

got it yesterday from github so i thinks it is the newest
-

thepoor
2015-05-01, 14:49
everything goes normal. it shows "pkr found" "E-Hash1 found" etc...
and when it going to show the pin, it shows the message "Pixiewps attack failed!"

didnt try indivitual reaver attack yet

got it yesterday from github so i thinks it is the newest
-

I got the same issue with fastlane now, it found all the keys but pixiewps attack failed.

aanarchyy
2015-05-01, 17:11
@g0tmi1k Renamed the binary to wifite-ng

thepoor
2015-05-01, 18:40
@g0tmi1k Renamed the binary to wifite-ng

I got errors when run ./wifite -update

[+] downloading update...
Archive: /tmp/wifite05IK1h/wifite-mod-pixiewps-master.zip
32da7b0d69d5cae24e5a2736b77aec56e5a64b7c
creating: /tmp/wifite05IK1h/wifite-mod-pixiewps-master/
inflating: /tmp/wifite05IK1h/wifite-mod-pixiewps-master/LICENSE
inflating: /tmp/wifite05IK1h/wifite-mod-pixiewps-master/README.md
inflating: /tmp/wifite05IK1h/wifite-mod-pixiewps-master/wifite-ng
cp: cannot stat `/tmp/wifite05IK1h/wifite-mod-pixiewps-master/wifite': No such file or directory
chmod: cannot access `wifite': No such file or directory
chmod: cannot access `wifite-ng': No such file or directory
[!] upgrade script returned unexpected code: 1
[+] quitting

aanarchyy
2015-05-01, 19:07
oops changed the binary name because of clashes with the original wifite, should be fixed now :-)

zimmaro
2015-05-01, 19:25
oops changed the binary name because of clashes with the original wifite, should be fixed now :-)
;)
TNX for super-fast-fix!!!&& thanks for your work!!

http://postimg.org/image/9c1btalqh/

kcdtv
2015-05-01, 20:01
nice job aanarchy! It would have been a shame to don't have pxie dust in wifite, isn't it?
By the way it works perfectly in xubuntu 15.04 too (not a surprise but nice)
I see in the "Mightdo list" that you might consider including defaults known PIN and algorithm
I can give you a hand for that when it is time
cheers

thepoor
2015-05-01, 23:23
You're a rock star, aanarchyy...

psicomantis
2015-05-02, 13:56
Hey aanarchy, now that the new pixiewps prints out a warning saying that the router might be vulnerable to mode 4 (PRNG bruteforce), what do you think abut having wifite print this info and then re-run the attack using -f ?

fbs-16
2015-05-02, 18:57
everything goes normal. it shows "pkr found" "E-Hash1 found" etc...
and when it going to show the pin, it shows the message "Pixiewps attack failed!"

didnt try indivitual reaver attack yet

got it yesterday from github so i thinks it is the newest
-

Hello aanarchyy !

I have the same problem with last wifite-ng.
wifite v2(r108)
pixiewps v1.1
reaver v1.5.2

But reaver with pixie shows all info:

http://imageshack.com/a/img910/4162/f3CIbc.jpg

wiire
2015-05-02, 20:17
Hello aanarchyy !

I have the same problem with last wifite-ng.
wifite v2(r108)
pixiewps v1.1
reaver v1.5.2

But reaver with pixie shows all info:

http://imageshack.com/a/img910/4162/f3CIbc.jpg

It might be the same problem we had on Reaver due to me adding some extra 3 more spaces on the pixiewps pin print line.

I think on line 3111 you have to change:

WPSpin=WPSpin[WPSpin.find("WPS pin")+9:WPSpin.find("\n")]

to:

WPSpin=WPSpin[WPSpin.find("WPS pin")+12:WPSpin.find("\n")]

fbs-16
2015-05-02, 21:00
wiire, unfortunately did not help.

psicomantis
2015-05-02, 23:54
wiire, unfortunately did not help.

changed


ENonce=ENonce[ENonce.find("E-Nonce:")+5:ENonce.find("\n")]

to


ENonce=ENonce[ENonce.find("E-Nonce:")+9:ENonce.find("\n")]

working fine now.

thepoor
2015-05-03, 00:28
changed



to



working fine now.

what number line of code? I looked through the entire code but did not find ENonce=ENonce[ENonce.find("E-Nonce:")+9:ENonce.find("\n")]

psicomantis
2015-05-03, 01:08
sorry about that I was actually using the previous version which also had the same problem or not finding the PIN and was due to extra characters in the Enonce. I am using the new version new and seems to have the same issue, I just changed the following (there might be a better way to fix it)

"line 3065"


ENonce= ENonce.split(':',1)[1].rstrip()
PKE=PKE.split(':',1)[1].rstrip()
PKR=PKR.split(':',1)[1].rstrip()
EHash1=EHash1.split(':',1)[1].rstrip()
EHash2=EHash2.split(':',1)[1].rstrip()
AuthKey=AuthKey.split(':',1)[1].rstrip()


to




ENonce=ENonce[ENonce.find("E-Nonce:")+9:ENonce.find("\n")]
PKE=PKE[PKE.find("PKE:")+5:PKE.find("\n")]
PKR=PKR[PKR.find("PKR:")+5:PKR.find("\n")]
EHash1=EHash1[EHash1.find("EHash1:")+14:EHash1.find("\n")]
EHash2=EHash2[EHash2.find("EHash2:")+14:EHash2.find("\n")]
AuthKey=AuthKey[AuthKey.find("AuthKey:")+9:AuthKey.find("\n")]

fbs-16
2015-05-03, 07:23
sorry about that I was actually using the previous version which also had the same problem or not finding the PIN and was due to extra characters in the Enonce. I am using the new version new and seems to have the same issue, I just changed the following (there might be a better way to fix it)
to
Still the same. Wifite says attack failed, but Reaver+pixie finds all.

thepoor
2015-05-03, 12:51
Still the same. Wifite says attack failed, but Reaver+pixie finds all.

I think it does not work on the router you're try to test. I tested on my it worked in less than 1 minute. very fast, and it some that all the keys are found but pixiewps failed to crack.

aanarchyy
2015-05-03, 17:20
Extra whitespaces were added that borked out wifite, should be fixed now. :-)

fbs-16
2015-05-03, 17:46
Extra whitespaces were added that borked out wifite, should be fixed now. :-)

Cool ! Thank's for fixing. Now i got all info from my target router.

nuroo
2015-05-04, 11:11
1.
Confirmed fixed r109....... I mentioned this too, on github.

2. I also like the idea of wifite-ng printing out additional pixiewps info.

3. Until reaver implements all the new attacks in pixiewps 1.1 automatically can wifite-ng carry them out?

aanarchyy
2015-05-04, 12:21
1.
Confirmed fixed r109....... I mentioned this too, on github.

2. I also like the idea of wifite-ng printing out additional pixiewps info.

3. Until reaver implements all the new attacks in pixiewps 1.1 automatically can wifite-ng carry them out?


Once i can find a router that actually tells me the "might be vulnerable" part i can do that, but for now, i can dig through the pixiewps code to see what the output looks like and try to put it in untested.

nuroo
2015-05-04, 13:36
Yes finding a router vulnerable to this is my issue too. Also, attack is new for me. Until I find one, I can't refine my technique.

nuroo
2015-05-04, 23:16
Thought I'd share my current wifite-ng command line usage and thoughts, user asked on github.

./wifite-ng -ponly -pto 50 -paddto 20 -wpst 60 -wpsretry 5 -c<x> -pow 50

-ponly ---------> quick and dirty, low hanging fruit.......key cracked offline even.
-pto 50 --------> if router doesn't respond in 50 secs, I'm too far away or need to spoof mac
-paddto 20 -----> if hashes start flowing add more time
-wspt 60 -------> if pin found, and I'm close enough - reaver will find passphrase quickly.....if not, need advanced options from command line,
don't hang script. Move on to next target. script default is 660 secs
-wpsretry 5 ----> try pin 5 times only. If I'm close enough, thats enough retry times. Else spoof or move closer. possibly -t20, -T20 in reaver.
-c -------------> try routers on specific channels, optional. just less clutter in crowded locations
-pow 50 --------> only try routers 50dB and above, if below your chasing other problems but distance is the main problem

1st know which routers are at this point broken - check soxrok2212's (https://forums.kali.org/member.php?17496-soxrok2212) database (https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?usp=sharing) (1st set of hashes will let u know)
After router scans and wps compatibility check use wifite-ng signal strength colors as indicator of possible success - green targets in range, yellow maybe, red don't even try
Let wifite-ng do its thing...........

If wifite-ng isn't able to crack any targets, consider your distance mostly and if any of the targets routers are vulnerable.

Then use command line to verify with reaver output:
Failed association:

Use airodump-ng to find clients of router ***
Use reaver -m (mac of client) and -A (aireplay-ng does associations)
Move closer **

Rate Limiting Detected:

send less pin request and use lock out timer
use mdk3, try reset router **

Use airodump to see connected clients and or if router resets with mdk3.

nuroo
2015-05-05, 23:07
@aanarchy
By chance my friend had a realtek router. I was able to get a several hashes for pixiewps.
It didnt work for me, but at least pixiewps gives the "may be vulnerable to -f ......." response.
You could at least use it to show wifite what to look for?

aanarchyy
2015-05-05, 23:24
@aanarchy
By chance my friend had a realtek router. I was able to get a several hashes for pixiewps.
It didnt work for me, but at least pixiewps gives the "may be vulnerable to -f ......." response.
You could at least use it to show wifite what to look for?

As i said before, it's really hard for me to code that when i don't have anything in range that will give me the the "may be vulnerable" output so it's kinda hard to write something reliable. If i had a shell on something that had access to such a router, then chances are much better it can happen. But right now, i have no way to try/test it.

Sucks, but i had a version of wifite that actively spoofed connected clients while trying any of the wps/wpa stuff, but comp crashed and i lost it :-/
Gotta remember how i did it, all my best coding is done after three blue moons( scientic proof lol. look up the ballmer peak)

thepoor
2015-05-09, 14:08
Nuroo, why don't you send aanarchyy your router so he can test it? Then he can write a liable codes for the realtek router. just an idea.

atari
2015-05-11, 19:03
how to install wifite-ng and where to place it?

./wifite.py givs error to

thepoor
2015-05-13, 11:17
how to install wifite-ng and where to place it?

./wifite.py givs error to

you can put anywhere, Desktop, Home folder,etc...
you would cd to the folder then ./wifite-ng to run it.
./wifite-ng -update to update

aanarchyy
2015-05-23, 20:19
Fixed issue with new version of wash wasn't working.

It was caused by the changing of the -C flag in wash.

nuroo
2015-05-24, 00:45
Best news of the day, thanks !!

nahci13
2015-06-05, 18:49
Hello!

Thank you, aanarchyy!

what do you think about this error?



root@o:~# wifite-ng

.;' `;,
.;' ,;' `;, `;, WiFite v2 (r110)
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: automated wireless auditor
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for Linux
':. /_____\ ,:'
/ \

modified by aanarchyy(aanarchyy@gmail.com)
Credits to wiire,DataHead,soxrok2212,nxxxu,nuroo


[+] scanning for wireless devices...
[+] initializing scan (wlan1mon), updates at 5 sec intervals, CTRL+C when ready.
Traceback (most recent call last):rks. 0 targets and 0 clients found
File "/usr/bin/wifite-ng", line 3281, in <module>
main()
File "/usr/bin/wifite-ng", line 269, in main
(targets, clients) = scan(iface=iface, channel=TARGET_CHANNEL)
File "/usr/bin/wifite-ng", line 1189, in scan
wps_check_targets(targets, temp + 'wifite-01.cap', verbose=False)
File "/usr/bin/wifite-ng", line 1445, in wps_check_targets
locked = line.split(' ')[42]
IndexError: list index out of range
root@o:~#

I try to active mon mode before run wifite-ng, but same error!
Good luck

undersc0re
2015-06-05, 22:44
Hello!

Thank you, aanarchyy!

what do you think about this error?



root@o:~# wifite-ng

.;' `;,
.;' ,;' `;, `;, WiFite v2 (r110)
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: automated wireless auditor
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for Linux
':. /_____\ ,:'
/ \

modified by aanarchyy(aanarchyy@gmail.com)
Credits to wiire,DataHead,soxrok2212,nxxxu,nuroo


[+] scanning for wireless devices...
[+] initializing scan (wlan1mon), updates at 5 sec intervals, CTRL+C when ready.
Traceback (most recent call last):rks. 0 targets and 0 clients found
File "/usr/bin/wifite-ng", line 3281, in <module>
main()
File "/usr/bin/wifite-ng", line 269, in main
(targets, clients) = scan(iface=iface, channel=TARGET_CHANNEL)
File "/usr/bin/wifite-ng", line 1189, in scan
wps_check_targets(targets, temp + 'wifite-01.cap', verbose=False)
File "/usr/bin/wifite-ng", line 1445, in wps_check_targets
locked = line.split(' ')[42]
IndexError: list index out of range
root@o:~#

I try to active mon mode before run wifite-ng, but same error!
Good luck


Is your wireless device supported? Does it work good in other environments?

nahci13
2015-06-06, 08:27
Is your wireless device supported? Does it work good in other environments?

Yes, for example with wifite complete work!

mcscruff
2015-06-08, 14:54
Hello!

Thank you, aanarchyy!

what do you think about this error?



root@o:~# wifite-ng

.;' `;,
.;' ,;' `;, `;, WiFite v2 (r110)
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: automated wireless auditor
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for Linux
':. /_____\ ,:'
/ \

modified by aanarchyy(aanarchyy@gmail.com)
Credits to wiire,DataHead,soxrok2212,nxxxu,nuroo


[+] scanning for wireless devices...
[+] initializing scan (wlan1mon), updates at 5 sec intervals, CTRL+C when ready.
Traceback (most recent call last):rks. 0 targets and 0 clients found
File "/usr/bin/wifite-ng", line 3281, in <module>
main()
File "/usr/bin/wifite-ng", line 269, in main
(targets, clients) = scan(iface=iface, channel=TARGET_CHANNEL)
File "/usr/bin/wifite-ng", line 1189, in scan
wps_check_targets(targets, temp + 'wifite-01.cap', verbose=False)
File "/usr/bin/wifite-ng", line 1445, in wps_check_targets
locked = line.split(' ')[42]
IndexError: list index out of range
root@o:~#

I try to active mon mode before run wifite-ng, but same error!
Good luck

Ihave the same error on my laptop and on my nexus 5.

Wifite works fine and the patched reaver works fine too

aanarchyy
2015-06-10, 18:01
Sorry, didn't even notice this until yesterday, it's all fixed in newest version :-)

nahci13
2015-06-20, 20:51
Sorry, didn't even notice this until yesterday, it's all fixed in newest version :-)

Thank you for update, Now is working!

fbs-16
2015-06-22, 10:13
Please check, looks like PixieWPS attack commands in wifite are no more working.

aanarchyy
2015-06-28, 17:16
Should be fixed now, they added an extra v in reaver -vvv
Sorry just gotta keep up with all the changes they keep making with the helper apps :-)

Osric
2015-06-29, 10:26
First off, I've enjoyed following this thread and watching this project grow! I've been testing out your mod but pixie seems to auto fail with every attempt.

[+] E-Nonce found
[+] PKE hash found
[+] Manufacturer: Belkin International
[+] Model Name: N150 Wireless Router
[+] Model Number: F9K1001
[+] Serial: 201224GB110012
[+] PKR hash found
[+] Authkey found
[+] E-Hash1 found
[+] E-Hash2 found
[+] Cracking using pixiewps...

[+] Pixiewps attack failed!

This occurs every time.

NotieBoie
2015-08-06, 15:11
ditto with NETGEAR AP i tested it on

NORDLANDVOLK
2015-08-09, 18:10
@aanarchyy ,can you add a option to show ip of the acces point ,ex:
(https://forums.kali.org/member.php?30694-aanarchyy) NUM ESSID CH ENCR POWER WPS? CLIENT IP
--- ------------------ -- ---- ----- ---- ------ --
1 A***** 1 WPA2 46db Locked 79.xx.xx.xx
2 B***** 1 WPA2 43db wps 71.xx.xx.xx
3 C**** 1 WPA2 31db wps 49.xx.xx.xx

soxrok2212
2015-08-09, 19:48
@aanarchyy ,can you add a option to show ip of the acces point ,ex:
(https://forums.kali.org/member.php?30694-aanarchyy) NUM ESSID CH ENCR POWER WPS? CLIENT IP
--- ------------------ -- ---- ----- ---- ------ --
1 A***** 1 WPA2 46db Locked 79.xx.xx.xx
2 B***** 1 WPA2 43db wps 71.xx.xx.xx
3 C**** 1 WPA2 31db wps 49.xx.xx.xx

You need to be connected in order to see the IP.

chrisonline909
2015-08-17, 03:09
heres a few tests ive ran

[+] E-Nonce found
[+] PKE hash found
[+] Manufacturer: Belkin Corporation
[+] Model Name: F9K1002v5
[+] Model Number: 5.03.19
[+] Serial: 12334GC2542065
[+] PKR hash found
[+] Authkey found
[+] E-Hash1 found
[+] E-Hash2 found
[+] Cracking using pixiewps...

[+] Pixiewps attack failed!


[+] E-Nonce found
[+] PKE hash found
[+] Manufacturer: Belkin International
[+] Model Name: Belkin N600DB Wireless Router
[+] Model Number: F9K1102 v2
[+] Serial: 20422GF2204541
[+] PKR hash found
[+] Authkey found
[+] E-Hash1 found
[+] E-Hash2 found
[+] Cracking using pixiewps...

[+] PIN found: 14987236

good work guys ! i really appreciate everyones work

DinoS
2015-08-17, 09:56
Hi aanarchy,

sorry to bother you with this but I am just hoping you could help me out :rolleyes:

I am trying to compile https://github.com/t6x/reaver-wps-fork-t6x on Kali 2.0 and get an error, I didn't have this problem on Kali 1.09

Here is what I did:

1. Clean hd-install of Kali 2.0 light 64bit
2. Installed metapackage kali-all
3. cloned and compiled https://github.com/wiire/pixiewps - no problems
4. cloned and tried to compile https://github.com/t6x/reaver-wps-fork-t6x - and I get the following error:

error.txt attached

Although this error error doesn't concern you directly, would you please be so kind to have a look at it?

Thank you in advance for your time.


Sorry aanarchy, sorry to everyone else too.
Seems I was a bit tired from long hours.
Googled it and found this: https://code.google.com/p/reaver-wps/issues/detail?id=190

It seems: "You can just ignore the error and do,
"sudo reaver" or "sudo -i reaver"
And the program is runnnig and working well.
Enjoy! "

I hadn't even noticed the compiled files. :confused: :rolleyes:
Thank you all anyway.

fruchttiger00x0
2015-08-17, 12:15
Hey,

did you build a config before compiling?


./configure
make && make install

and by the way, this fork of reaver is already part of KALI 2.0 (Full Image) If you just install a minimal OS then its a good idea to try this metapackage

apt-get update && apt-get install kali-linux-wireless

http://tools.kali.org/kali-metapackages

soxrok2212
2015-08-17, 13:23
Hi aanarchy,

sorry to bother you with this but I am just hoping you could help me out :rolleyes:

I am trying to compile https://github.com/t6x/reaver-wps-fork-t6x on Kali 2.0 and get an error, I didn't have this problem on Kali 1.09

Here is what I did:

1. Clean hd-install of Kali 2.0 light 64bit
2. Installed metapackage kali-all
3. cloned and compiled https://github.com/wiire/pixiewps - no problems
4. cloned and tried to compile https://github.com/t6x/reaver-wps-fork-t6x - and I get the following error:

error.txt attached

Although this error error doesn't concern you directly, would you please be so kind to have a look at it?

Thank you in advance for your time.


Sorry aanarchy, sorry to everyone else too.
Seems I was a bit tired from long hours.
Googled it and found this: https://code.google.com/p/reaver-wps/issues/detail?id=190

It seems: "You can just ignore the error and do,
"sudo reaver" or "sudo -i reaver"
And the program is runnnig and working well.
Enjoy! "

I hadn't even noticed the compiled files. :confused: :rolleyes:
Thank you all anyway.

Keep in mind, reaver and pixiewps are included by default in Kali 2.0. There is a version of wifite included as well that I believe supports the pixie dust attack, but it is not aanarchyy's version.

DinoS
2015-08-18, 06:57
Hey,

did you build a config before compiling?



and by the way, this fork of reaver is already part of KALI 2.0 (Full Image) If you just install a minimal OS then its a good idea to try this metapackage

apt-get update && apt-get install kali-linux-wireless

http://tools.kali.org/kali-metapackages

Hi fruchttiger00x0,
thank you for your reply.

As I already mentioned in my edit, I was just too tired to search and find out that it was just an error to ignore.

Yes, of course I did a ./configure.

I not only did an apt-get install kali-linux-wireless, I did an apt-get install kali-linux-all.

DinoS
2015-08-18, 07:07
Hi soxrok2212,
thank you for you reply.


Keep in mind, reaver and pixiewps are included by default in Kali 2.0. There is a version of wifite included as well that I believe supports the pixie dust attack, but it is not aanarchyy's version.

Yes, I know, but I think these versions are different.
They not only accept different command parameters but they also run differently. At least as far as I can say, after testing them on the same system with the same hardware, on two separate installs.
One with original Kali 2.0 files exclusively and one with Kali 2.0 after installing and applying modifications like aanarchyy's version and so on.

fruchttiger00x0
2015-08-18, 11:28
Forget what i said about that "./configure" thing, was also a bit tired i guess^^ after a little research i would point to problems within the newer version of libpcap but i guess you already figure that out

Hmm, yes

there are 2 versions if we talk about usable packages. The original which is still build in kali and the fork from aanarchyy (better known as wifite-ng)


wifite https://github.com/derv82/wifite
wifite-ng https://github.com/aanarchyy/wifite-mod-pixiewps

Is that the point?

DinoS
2015-08-19, 07:54
Hi fruchttiger00x0,
I suppose you oversaw my edit in my original post:



Sorry aanarchy, sorry to everyone else too.
Seems I was a bit tired from long hours.
Googled it and found this: https://code.google.com/p/reaver-wps.../detail?id=190

It seems: "You can just ignore the error and do,
"sudo reaver" or "sudo -i reaver"
And the program is runnnig and working well.
Enjoy! "

I hadn't even noticed the compiled files.
Thank you all anyway.

After half an hour of coffee brake, I found the above mentioned posting and realized I was blind enough to oversee the compiled files.
So, problem solved, my question answered.
Thank you anyway for your interest and time.

aanarchyy
2015-08-21, 03:45
Sorry I have been slacking on this, was busy porting pixiewps to android and soon t6x-reaver :-) I will look into this shortly. Too many projects...

fruchttiger00x0
2015-08-21, 13:31
take your time boy, coming when its done. the mod is my first choice, especially to run some checks after doing wifi modifications. really sweet dude! :)
but btw, can you tell me if there is some verbose mode or that i at least can see what reaver is gonna do. For many APs i just wait forever because it is still trying to get Hash 1 & 2. I could run reaver or other scripts but this is surely inconvenient and wont show me options, parameters you might trigger.so anyway.. would be nice to know o :)

yhi
2015-11-15, 13:11
i am having some problem while using wifite
i am trying to attack on my AP

my router is dlink DSL-2730U
i am getting 0x02 error

i am also getting error while i am trying pixie attack on some other AP
i am not sure about this error
its show something with PSK ...
& then stop attack & switch to another AP


i am using wifite with kali 2.0 (live using usb)
my wifi adapters TP link WN722N

soxrok2212
2015-11-15, 19:50
i am having some problem while using wifite
i am trying to attack on my AP

my router is dlink DSL-2730U
i am getting 0x02 error

i am also getting error while i am trying pixie attack on some other AP
i am not sure about this error
its show something with PSK ...
& then stop attack & switch to another AP


i am using wifite with kali 2.0 (live using usb)
my wifi adapters TP link WN722N

The networks probably aren't vulnerable. From the looks of it, that D-Link uses a Broadcom chipset which is not vulnerable to the pixie dust attack, though it may be vulnerable to devttys0's d-link pingen.

kalifornia
2016-01-27, 06:11
Nice mod with only 1 thing wrong. It does not capture handshakes at all. if it captured handshakes it would be perfect. Thx again for this aanarchyy.

kcdtv
2016-01-27, 10:23
though it may be vulnerable to devttys0's d-link pingen.
Not this one: A common default PIN ( 20172527 ) has been found on several DSL-2730U
The algorithm from craig heffner (devttys0's) affects devices with model name like this "DIR-(....)" or DAP-(....).
If you see "DIR" or "DAP" you would have approximately 50% of probability to be in front of a vulnerable device.

Quest
2016-01-27, 11:36
Nice mod with only 1 thing wrong. It does not capture handshakes at all. if it captured handshakes it would be perfect. Thx again for this aanarchyy.

and why not start a new project? I like Wifite, but I can see the use for an 'assistant'. A program that will assist the User spoof, scan, launch attacks, with a spectrum of options. Less automation and more options.

aanarchyy
2016-01-27, 15:31
Haven't looked at this in months, but last i remember it does capture handshakes just fine, it creates a directory named "hs" and saves the caps of the handshakes in it.
And if you do not supply a word list, all it does is capture the handshake and move on.

kalifornia
2016-01-27, 20:08
I have a modified wifite the sends 5 deauths then waits 10 secs and send 5 more again. Anything with 26db or greater with a client connected gets a handshake within a minute. Wifite-ng i dont know whats wrong bro but it wont capture any. I cant be the only one.

Not complaining at all bro just pointing it out to you. The wifite-ng script rocks. If it captured hs it would be perfect. The wps wash locked or open and connected clients works great and pixiewps attack n printing.

I have a awus036nh whichs hasnt cracked anything yet although my bros routers is 100% vulnerable the pix attack always says failed and i get failed to associate messages lots. Ive ordered a awus036nha as ive read the rt3070 on the 036nh dont work good with reaver.

Thx again aanarchyy!

Voluntarist for life.

aanarchyy
2016-01-28, 00:34
I have a modified wifite the sends 5 deauths then waits 10 secs and send 5 more again. Anything with 26db or greater with a client connected gets a handshake within a minute. Wifite-ng i dont know whats wrong bro but it wont capture any. I cant be the only one.

Not complaining at all bro just pointing it out to you. The wifite-ng script rocks. If it captured hs it would be perfect. The wps wash locked or open and connected clients works great and pixiewps attack n printing.

I have a awus036nh whichs hasnt cracked anything yet although my bros routers is 100% vulnerable the pix attack always says failed and i get failed to associate messages lots. Ive ordered a awus036nha as ive read the rt3070 on the 036nh dont work good with reaver.

Thx again aanarchyy!

Voluntarist for life.

I have issue with how some of reaver(and therefore also wifite as reaver is a "helper" program) is written and poor cross-compilation , and i have since backed away from reaver.

I have a modified version of bully that seems to work much better for me though, give it a shot.
https://github.com/aanarchyy

kalifornia
2016-01-28, 04:29
My 036nha came in tmail today. Its a very fast card and blows the 036nh away. Im in the process of popping my bros asus router 2 blocks away in an hour with wps pin attack 41/146 suucess/ttl 20db is the signal level in wifite-ng lol this card is awesome with low signal. Im using nethunter on my note 3 on touchwiz. I think i will put the 036nh up on kijiji.

Aanarchyy i tried your modded bully with the 036nha and got a lockout within 10 secs which tells me its working. With the 036nh i could not do anything except capture handshakes. the 036nh seems more responsive with bully though. in reaver it sucks imho.

I love the automation with wifite because i use a galaxy note 3 to pentest. It would be great to see bully implimented into wifite. Wink wink

Cheers from BC canada.

kalifornia
2016-01-29, 00:18
This awus036nha is a great card. I Never seen this model dlink router in the pixiedust database and i can confirm it works.

Chazzy1656
2016-07-09, 03:18
Hi guys i dong know if the crack works or not im using the new kali 2016.1 iso live on usb chipset 5100agn with everything configured wlan0mon and injecting packet as well im trying to connect to a AP close to me -41dB but reaver doesnt work wont get pass M2 send nack error time out occured then i tryed wifite the pixie dust doest work wont receive the eHashes eHash1 and eHashes2 so my guess its that the wps doesnt work but wash -i wlan0mon shows me that is not protected and wifite told me that its supporting wps also i tried capturing handshake aireplay lets me so it and also injecting and also deauth and fakeauth but everything else just wont receive the M3 m4 and so the only thing that seems to maybe work..its the wifite WPS pin attack im able to go 0/8900 success/ttl but no percentage and its been like 15h now i really dont know what to do by now

bob79
2016-07-13, 17:25
try with airodump-ng wlan0mon -c 1 --wps and if the output is PBC, forget about it :)

akromos
2016-07-28, 03:12
Just so I can run original and your wifite, I renamed yours wifitemod:

Heres output with new version with pixiewps timeout:

~/wifite-mod-pixiewps-master# ./wifitemod -wps

.;' `;,
.;' ,;' `;, `;, WiFite v2 (r85)
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: automated wireless auditor
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for Linux
':. /_____\ ,:'
/ \

modified by aanarchyy(aanarchyy@gmail.com)
Credits to wiire,DataHead,soxrok2212,nxxxu

[+] targeting WPS-enabled networks

[+] scanning for wireless devices...
[+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
[0:00:04] scanning wireless networks. 0 targets and 0 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 DG167**** 1 WPA2 36db Locked
2 FiOS-S**** 1 WPA2 23db wps
3 SprintGatew**** 1 WPA2 21db wps

[0:00:32] scanning wireless networks. 3 targets and 2 clients found
[+] checking for WPS compatibility... done
[+] removed 47 non-WPS-enabled targets

NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 DG167**** 1 WPA2 36db Locked
2 TG167**** 11 WPA2 25db wps
3 FiOS-S**** 1 WPA2 24db wps
4 TDS 6 WPA2 22db wps
5 TG167**** 1 WPA2 21db wps
6 MiamiHEAT 11 WPA2 20db wps
7 U10C0**** 1 WPA 18db wps
8 SprintGate**** 1 WPA2 18db wps
9 DIRECT-pm-BR**** 1 WPA2 18db wps
10 DG167**** 1 WPA2 15db wps

[+] select target numbers (1-10) separated by commas, or 'all': all

[+] 10 targets selected.

[0:00:00] initializing PixieWPS attack on DG167**** (...........:73:90)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found

[!] unable to complete successful try in 60 seconds
[+] skipping pixiewps on DG167****

[+] Pixiewps attack failed!

[0:00:00] initializing WPS PIN attack on DG167**** (...........:73:90)
^C0:00:18] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted

[+] 9 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): c

[0:00:00] initializing PixieWPS attack on TG167**** (...........:EC:10)

[!] unable to complete successful try in 60 seconds
[+] skipping pixiewps on TG167****

[+] Pixiewps attack failed!

[0:00:00] initializing WPS PIN attack on TG167**** (...........:EC:10)
^C0:00:22] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted

[+] 8 targets remain
[+] what do you want to do?
[c]ontinue attacking targets
[e]xit completely
[+] please make a selection (c, or e): c

[0:00:00] initializing PixieWPS attack on FiOS-S**** (...........:EC:C2)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found
[+] E-Hash1 found
[+] E-Hash2 found
Traceback (most recent call last):
File "./wifitemod", line 3124, in <module>
main()
File "./wifitemod", line 321, in main
need_handshake = not wps_attack(iface, t)
File "./wifitemod", line 2912, in wps_attack
line = f.readline()
UnboundLocalError: local variable 'f' referenced before assignment

Timeout for pixie worked. but another error above.
Please make pixie timeout configureable.
also option if pixewps fail, no brutefructe, move to next target.
Please consider because failed attempt locked router

For those wondering what reavers -P option is intended for:

Option (-P) in reaver puts reaver into a loop mode that does not do the WPS protocol to or past the M4 message to hopefully avoid lockouts. This is to ONLY be used for PixieHash collecting to use with pixiewps, NOT to 'online' bruteforce pins.
This option was made with intent of:

----Collecting repetitive hashes for further comparison and or analysis / discovery of new vulnerable chipsets , routers etc..

----Time sensistive attacks where the hash collecting continues repetitively until your time frame is met.

----For scripting purposes of whom want to use a possible lockout preventable way of PixieHash gathering for your Use case.
by datahead




try : ./wifite-ng ......on the directory that you have the files.... ( sorry for the bad english) :D...:

if it doesnt let you use it... use

chmod +x ./wifite-ng
and after that ./wifite-ng
^^

psicomantis
2016-08-12, 10:42
Hey guys I am having an issue with PixieDust not working on confirmed routers like the " D-Link DIR-501 A1" I get a message that it might be vulnerable to try --force but the force command doesnt seem to work. also, while WPS is enabled, and I can see the AP, if I run wifite --pixie, the AP does not show in the list, if I just run wifite, then I am able to see it, but it defaults to all attacks but WPS. Any suggestions?

0camxuc
2016-08-19, 08:22
Also in previous version -ponly had no acknolegdement of being set to active, this version says its active.
Sorry just gotta keep up with all the changes they keep making with the helper apps

hedbert
2016-08-27, 12:41
(i have a awful english, sorry) i have a problem, the wifite create subinterfaces one after another without me asking if I want to create another. i downloaded the last version of "aanarchyy" but i can't use script

root@BigFalcon:~/Descargas/wifite-mod-pixiewps-master# ./wifite-ng -wps

.;' `;,
.;' ,;' `;, `;, WiFite v2 (r112)
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: automated wireless auditor
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for Linux
':. /_____\ ,:'
/ \

modified by aanarchyy(aanarchyy@gmail.com)
Credits to wiire,DataHead,soxrok2212,nxxxu,nuroo

[+] targeting WPS-enabled networks

[+] scanning for wireless devices...
[+] available wireless devices:
1. phy0 wlan2 rtl8187 Ovislink Corp. AirLive WL-1600USB 802.11g Adapter [Realtek RTL8187L]
2. phy1 wlan7 rt2800pci Ralink corp. RT3290 Wireless 802.11n 1T/1R PCIe
[+] select number of device to put into monitor mode (1-2): 2
[+] enabling monitor mode on wlan7... done
[+] available wireless devices:
1. phy0 wlan2 rtl8187 Ovislink Corp. AirLive WL-1600USB 802.11g Adapter [Realtek RTL8187L]
2. phy1 wlan7mon rt2800pci Ralink corp. RT3290 Wireless 802.11n 1T/1R PCIe
[+] select number of device to put into monitor mode (1-2): 2
[+] enabling monitor mode on wlan7mon... done
[+] available wireless devices:
1. phy0 wlan2 rtl8187 Ovislink Corp. AirLive WL-1600USB 802.11g Adapter [Realtek RTL8187L]
2. phy1 wlan7monmon rt2800pci Ralink corp. RT3290 Wireless 802.11n 1T/1R PCIe
[+] select number of device to put into monitor mode (1-2): 2
[+] enabling monitor mode on wlan7monmon... done
[+] available wireless devices:
1. phy0 wlan2 rtl8187 Ovislink Corp. AirLive WL-1600USB 802.11g Adapter [Realtek RTL8187L]
2. phy1 wlan7monmonmon rt2800pci Ralink corp. RT3290 Wireless 802.11n 1T/1R PCIe
[+] select number of device to put into monitor mode (1-2):

Laurentiu
2016-11-06, 21:23
(i have a awful english, sorry) i have a problem, ...

airmon-ng check kill worked for me

Roatandave
2016-12-19, 22:41
Same issue as hedbert, I added this to the latest nethunter and I am unable to find a solution anywhere.
Anyone have the same problem or find a solution, check kill did not work.