View Full Version : New experimental WPS attack tool

2015-09-07, 23:15
Hello there, some weeks ago, after reading about the pixiedust attack and tried it myself.
Worked better than expected, I thought that it will be hard to find a vulnerable router, but there is plenty of them around :D
With a high powered wifi adapter and directional antenna it is pain to find which one is vulnerable, because you have to run reaver manually on all of them.. Ain't nobody got time for that

So, I decided to make this, it can perform a scan for WPS enabled APs and then automatically try pixiedust on all of them.
If some APs are on the same channel, it can even attack them at once (It is buggy on one of my wifi adapters, so there is a cmd option to disable this and do it one by one)
Also if you want, standard pin bruteforce on multiple APs at once is supported too.
I have also tested attacking single AP from two different MACs from single adapter - Didn't work, if you want to try it too, change this line:


The third parameter is number of threads to attack the APs you specified with -b parameter

Back to reality - Code is ***, needs to get memory leaks fixed and some heavy refactoring.
WPS exchange code prorably needs to get fixed too, some APs that work on reaver probably wont work here, because it uses my own WPS implementation = probably buggy.

So I need your help - test it yourself on your AP and report please, if it works with good old reaver but doesn't work with this, capture some WPS exchanges and send me .cap file - thanks.

Download: penetrator.tar.gz (http://stalin.jecool.net/penetrator.tar.gz)

tar xfv penetrator.tar.gz
cd penetrator

Command line options:

-h Display help
-i <dev> Set monitor mode device to use
-s Scan for WPS enabled APs
-c <channel> Set channel(s)
-e <essid> Set ESSID for next target specified with -b
-b <bssid> Set target(s)
-A Scan for WPS APs and try pixiedust on all of them;
-M Disable attacking multiple APs at once (only -A)
-P Disable pixiewps after M3 is received
-D Disable loading sessions - starts new
-W Wait after every PIN attempt
-v verbose - print info about WPS messages etc
-vv verbose level 2 - print pixiewps data
-t <seconds>Set time limit for scanning (default 10)
-T <ms> Set timeout - when it occurs, resend last packet (default 1)
-R <max> Set maximum resends (default 5)\n");
-S <seconds> Sleep after 10 failures in a row (default 60)
-N Ignore NACKs (debug)

This tool is in very early development stage (assuming that stuff i am doing can be called development lol)
So please report if some AP that works with reaver doesnt work with this and send me .cap files.
Also, command line options are not verified, if you enter ***, you will get segmentation fault. Or a bug.
Session saving/loading doesn't work good, if you get segmentation fault for no reason, delete "~/.penetrator" folder.
Any suggestions? Speak


new version


2015-09-11, 13:30
fixed serious bug that caused crash while scanning, if someone tested it and it didn't work, try again please

2015-09-12, 00:17
will test it today

2015-09-12, 02:07
Mteams tried to install to a -i368 persistent usb flashdrive of kali2.0

The following error occurred

fatal error: pcap.h: No such file or directory


2015-09-12, 02:16
You need packages libpcap-dev and libssl-dev, use apt-get to install them

However, there is a new bug with channel switching now, working on it

2015-09-12, 12:24
@Dadas (https://forums.kali.org/member.php?35672-Dadas) can you tell me what is your username on youtube?

2015-09-12, 17:23
Last version of Wifite does it automatically, PixieScript too.
It's a good job what you've made, but unfortunately useless, due to fact that there are two programms that do it automaticaly!

2015-09-13, 00:52
Wifite can only attack APs in a row, not at the same time, as far as i know...
This tool can attack more at once, in real time, if you have 5 APs at the same channel, it will attack them all, without switching

New version: Added parameter -e <ESSID> (for networks that don't beacon SSID)
It is used like this:
penetrator -i mon0 -c 1 -b 11:22:33:44:55:66 -e example -b 66:55:44:33:22:11
This means, that AP with BSSID 66:55:44:33:22:11 has ESSID "example"
-e parameter is applied to the next specified bssid (-b)

Also, fixed some bugs with quitting (ctrl+c), changing channels and obtaining source mac address