Dadas
2015-09-07, 23:15
Hello there, some weeks ago, after reading about the pixiedust attack and tried it myself.
Worked better than expected, I thought that it will be hard to find a vulnerable router, but there is plenty of them around :D
With a high powered wifi adapter and directional antenna it is pain to find which one is vulnerable, because you have to run reaver manually on all of them.. Ain't nobody got time for that
So, I decided to make this, it can perform a scan for WPS enabled APs and then automatically try pixiedust on all of them.
If some APs are on the same channel, it can even attack them at once (It is buggy on one of my wifi adapters, so there is a cmd option to disable this and do it one by one)
Also if you want, standard pin bruteforce on multiple APs at once is supported too.
I have also tested attacking single AP from two different MACs from single adapter - Didn't work, if you want to try it too, change this line:
for(i=0;i<ttt;i++)addattackex(src_mac,targets[i],1,0);
to
for(i=0;i<ttt;i++)addattackex(src_mac,targets[i],2,0);
The third parameter is number of threads to attack the APs you specified with -b parameter
Back to reality - Code is ***, needs to get memory leaks fixed and some heavy refactoring.
WPS exchange code prorably needs to get fixed too, some APs that work on reaver probably wont work here, because it uses my own WPS implementation = probably buggy.
So I need your help - test it yourself on your AP and report please, if it works with good old reaver but doesn't work with this, capture some WPS exchanges and send me .cap file - thanks.
Download: penetrator.tar.gz (http://stalin.jecool.net/penetrator.tar.gz)
Installation:
tar xfv penetrator.tar.gz
cd penetrator
./install.sh
Command line options:
-h Display help
-i <dev> Set monitor mode device to use
-s Scan for WPS enabled APs
-c <channel> Set channel(s)
-e <essid> Set ESSID for next target specified with -b
-b <bssid> Set target(s)
-A Scan for WPS APs and try pixiedust on all of them;
-M Disable attacking multiple APs at once (only -A)
-P Disable pixiewps after M3 is received
-D Disable loading sessions - starts new
-W Wait after every PIN attempt
-v verbose - print info about WPS messages etc
-vv verbose level 2 - print pixiewps data
-t <seconds>Set time limit for scanning (default 10)
-T <ms> Set timeout - when it occurs, resend last packet (default 1)
-R <max> Set maximum resends (default 5)\n");
-S <seconds> Sleep after 10 failures in a row (default 60)
-N Ignore NACKs (debug)
Summary:
This tool is in very early development stage (assuming that stuff i am doing can be called development lol)
So please report if some AP that works with reaver doesnt work with this and send me .cap files.
Also, command line options are not verified, if you enter ***, you will get segmentation fault. Or a bug.
Session saving/loading doesn't work good, if you get segmentation fault for no reason, delete "~/.penetrator" folder.
Any suggestions? Speak
Enjoy
Edit:
new version
Edit:
Swearing
Worked better than expected, I thought that it will be hard to find a vulnerable router, but there is plenty of them around :D
With a high powered wifi adapter and directional antenna it is pain to find which one is vulnerable, because you have to run reaver manually on all of them.. Ain't nobody got time for that
So, I decided to make this, it can perform a scan for WPS enabled APs and then automatically try pixiedust on all of them.
If some APs are on the same channel, it can even attack them at once (It is buggy on one of my wifi adapters, so there is a cmd option to disable this and do it one by one)
Also if you want, standard pin bruteforce on multiple APs at once is supported too.
I have also tested attacking single AP from two different MACs from single adapter - Didn't work, if you want to try it too, change this line:
for(i=0;i<ttt;i++)addattackex(src_mac,targets[i],1,0);
to
for(i=0;i<ttt;i++)addattackex(src_mac,targets[i],2,0);
The third parameter is number of threads to attack the APs you specified with -b parameter
Back to reality - Code is ***, needs to get memory leaks fixed and some heavy refactoring.
WPS exchange code prorably needs to get fixed too, some APs that work on reaver probably wont work here, because it uses my own WPS implementation = probably buggy.
So I need your help - test it yourself on your AP and report please, if it works with good old reaver but doesn't work with this, capture some WPS exchanges and send me .cap file - thanks.
Download: penetrator.tar.gz (http://stalin.jecool.net/penetrator.tar.gz)
Installation:
tar xfv penetrator.tar.gz
cd penetrator
./install.sh
Command line options:
-h Display help
-i <dev> Set monitor mode device to use
-s Scan for WPS enabled APs
-c <channel> Set channel(s)
-e <essid> Set ESSID for next target specified with -b
-b <bssid> Set target(s)
-A Scan for WPS APs and try pixiedust on all of them;
-M Disable attacking multiple APs at once (only -A)
-P Disable pixiewps after M3 is received
-D Disable loading sessions - starts new
-W Wait after every PIN attempt
-v verbose - print info about WPS messages etc
-vv verbose level 2 - print pixiewps data
-t <seconds>Set time limit for scanning (default 10)
-T <ms> Set timeout - when it occurs, resend last packet (default 1)
-R <max> Set maximum resends (default 5)\n");
-S <seconds> Sleep after 10 failures in a row (default 60)
-N Ignore NACKs (debug)
Summary:
This tool is in very early development stage (assuming that stuff i am doing can be called development lol)
So please report if some AP that works with reaver doesnt work with this and send me .cap files.
Also, command line options are not verified, if you enter ***, you will get segmentation fault. Or a bug.
Session saving/loading doesn't work good, if you get segmentation fault for no reason, delete "~/.penetrator" folder.
Any suggestions? Speak
Enjoy
Edit:
new version
Edit:
Swearing