Pixiewps: wps pixie dust attack tool

We started a new thread for collecting data: https://forums.kali.org/showthread.p...ll=1#post75368

Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some Access Points, the so-called "pixie dust attack" discovered by Dominique Bongard in summer 2014. It is meant for educational purposes only.

As opposed to the traditional online bruteforce attack, implemented in tools like Reaver or Bully which aim to recover the pin in a few hours, this method can get the pin in only a matter of milliseconds to minutes, depending on the target, if vulnerable.

Recovering PIN:
https://i.imgur.com/tPKgbpB.png

Recovering WPA-PSK (experimental):
https://i.imgur.com/2krBm2Q.png

Brief description: Offline WPS bruteforce utility
Repository: GitHub
License: GNU GPLv3+
Latest release: v1.3.x

To work properly it requires a modified version of Reaver or Bully (neither versions are maintained by me):
Modded Reaver mantained by rofl0r and included in Kali: GitHub (active development)
Modded Bully by aanarchyy: GitHub (stale)

A non-exhaustive list of vulnerable devices (not maintained by me): here

Thread where it all started: WPS Pixie Dust Attack (Offline WPS Attack)

References:

1. Video presentation
2. Slide presentation

Only One Question. is this work with Broadcom Chipset Too or still it only works with ralink Chipset Only ?? :confused:

Ralink and some broadcom, not all

Problem .....
Modified Reaver Not Showing Publick Key (pke).. :confused:

Quote:

---

Trying pin 00005678.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
> N1 Enrollee Nonce: f8:49:5a:df:00:b7:0b:9b:6c:cc:64:2d:11:c8:89:52
[+] Received M1 message
> AuthKey: ce:cc:a5:98:fb:a8:5c:c7:7b:5f:1a:a2:be:ca:1b:b5:40 :27:72:a3:3e:d7:4b:db:dd:78:bf:3c:02:bc:51:aa
[+] Sending M2 message
> E-Hash1: 75:26:1a:d3:bd:73:ed:8e:3e:15:3b:aa:33:b0:dd:92:03 :0b:93:7e:93:cb:c0:ec:34:64:9b:06:ea:61:71:8b
> E-Hash2: 01:d6:8f:f1:9d:3d:da:52:3c:45:42:2f:5f:55:f2:3a:0c :00:3f:f2:ae:bf:9c:7b:12:6e:ee:56:89:2c:52:d3
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p1_index set to 2
[+] Pin count advanced: 2. Max pin attempts: 11000
[+] Trying pin 01235678.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
> N1 Enrollee Nonce: 27:2b:38:0d:fc:3a:17:06:d4:7d:d3:09:4d:86:87:95
[+] Received M1 message
> AuthKey: 51:29:84:ca:f5:96:d2:b8:f3:90:9f:81:1f:3e:48:57:2e :5c:b1:81:13:83:84:66:86:82:d3:5b:1b:9b:75:ab
[+] Sending M2 message
> E-Hash1: 87:0f:45:30:2f:61:61:53:88:cb:b6:23:e9:ea:d5:22:9a :c4:c3:62:ff:2a:02:b7:99:a1:9d:99:d9:45:f7:82
> E-Hash2: f9:51:2a:a4:3f:79:e7:67:28:f7:37:f4:31:a7:17:ca:75 :e8:b8:3b:31:25:4a:13:60:c5:82:f5:ef:a7:cc:8f
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p1_index set to 3

---

@ FurqanHanif
you can get it out M1,M2 messages in wireshark.
there's also tshark.sh script that can grab it for you. I forgot where I got it, I think it was part of wpsoffline tool download.
but make sure it's all part of one conversation (pin attempt). I just make the reaver to test one pin at a time and capture.

Did you install the new reaver? Check out the YouTube video. You don't need wire shark at all.

@soxrok2212 i already Mentioned that it's Modified Reaver.. and i also i downloaded it from You Tube Link. i Tried this on Five Routers but it don't giving me Same Output For All (No PKE ) ...
@wn722 Which one is Pke exactly from This ??

Quote:

---

M1 wps.enrollee_nonce : e1123ae1a03001165f243ba7a2a19475
M2 wps.enrollee_nonce : e1123ae1a03001165f243ba7a2a19475
M2 wps.registrar_nonce : 5180afc40d4ca3e31d25affd14e78d1e
M2 wps.authenticator : 72da6b2102198192
M3 wps.registrar_nonce : 5180afc40d4ca3e31d25affd14e78d1e
M3 wps.authenticator : 80c4d98ffd706201
M3 wps.e_hash1 : 6e2cc52a5a22c84e19f701dc8153eb805fc0b247e06178ec3b 01b7b8202ab69a
M3 wps.e_hash2 : 51f0f1b6c9b828345094b535a3c1e120bad0c94f03bc5790b9 de5ae40037224d
M4 wps.enrollee_nonce : e1123ae1a03001165f243ba7a2a19475
M4 wps.authenticator : 8824706540ab0f4d
M4 wps.encrypted_settings : 20bfe3939b2872273204fc93dd52d4ec25b68a23e596630712 b3404cdb1eb125fb3f4e96a8db05a754d5eeb98940728ea243 e8925b0d968fac70fc5bf71b8a36
M4 wps.r_hash1 : b1eea2314f81f2e3d40afbe5af5c19b61bcb7f955d57f61630 6a696da347f0e5
M4 wps.r_hash2 : eaf1b41b28edb43b6feeafdad792500a34482ec1b2b6ad8e97 4288230648e38c

---

Did you move reaver to bin after you compiled?

Before trying the tool i really want to say to you " thank you so much wiire!"
For all your great work and above all all your explanations all the way long (and for releasing a GPL v3 code)

Quote:

---

- to work on a modified version of Reaver/Bully

---

:D We can see that it comes form the heart and that it must have been a "pain in th-censurde-ss" at some points.

Thank you so much wiire! :)

Quote:

---

Originally Posted by soxrok2212

Did you move reaver to bin after you compiled?

---

./configure
make
make install


i think it overwrite the existing Reaver ( because existing reaver not showing the enrolle/E-HASH stuff but installing modified reaver showing enrolle/E-Hash stuff but not showing PKE).. :/ So i think their is no need to copy reaver in Bin.. :confused:

Quote:

---

Originally Posted by FurqanHanif

./configure
make
make install


i think it overwrite the existing Reaver ( because existing reaver not showing the enrolle/E-HASH stuff but installing modified reaver showing enrolle/E-Hash stuff but not showing PKE).. :/ So i think their is no need to copy reaver in Bin.. :confused:

---

See if it compiles and creates the executable. Then try to run it from that folder (no make install).

chmod +x configure
./configure
make distclean && ./configure
make
./reaver -i mon0 etc.

Minor issue: It doesn't compile under Ubuntu's gcc 4.8.2 unless I edit the makefile as follows:
$(CC) pixiewps.c $(CCFLAGS) -o $(TARGET)

Same Output Getting... :confused:

Quote:

---

Originally Posted by soxrok2212

Did you install the new reaver? Check out the YouTube video. You don't need wire shark at all.

---

please if u can reupload links for download...youtube link is deleted

Can you go into some detail as there is a lot of censored information in the OP? Does this run similar to reaver? Does this automate the extraction of the required information from wireshark? Maybe a usage example would be helpful, as I did not see one.

ie: pixiewps -b <bssid> or similar...

Amazing work, nonetheless!

It's really not that hard to install. We told you exactly what to do. If you can't copy the executable reaver to bin, you shouldn't be using Linux.

i Copy that Reaver file to bin Getting Same Output , Started reaver from That Compiled Directory still Getting Same Output , tried tshark it also not Showing Public key like thing. Now What ??

hey just wanted to say thanks again for releasing this seems to work pretty good for me...one thing i noticed is on some routers the model# shows up as 123456 kinda curious as to why that is...also i just noticed the vid soxrok2212 put up last night has been taken down was that ya'll or youtube?

It works perfectly.
Just that I didn't updated my kali for a while and i tryed to install it without updating first and I got a fail.
After updating i could compile and install pixiewps.c
before updating i installed

Code:

---

libsqlite3-dev

---

, I don't know if it was usefull.
cheers & thanks

Quick question, do you have to specify small dh in reaver to use the S flag in pixiewps?

Quick answer
I don't know if it is necessary but i did like this and it worked
That's actually a question that i had in mind too :D

Quote:

---

Originally Posted by kcdtv

Quick answer
I don't know if it is necessary but i did like this and it worked
That's actually a question that i had in mind too :D

---

Hah! That was quick! I'll see if I can test this later on. Awesome work wiire, so far this seems to work great.

Yes. Then you don't need to dig for the PKR in wireshark

Since the help vid is down MTeams provides the following:

This assumes you have a working reaver modded for pixie-dust
This assumes you can run reaver and wash
This will only show you how to quickly find the five(5) variables required.

The modified reaver obtains three(3) of the five(5) variables. The only other problem is finding the corresponding or paired --pke and --pkr in wireshark.

After you have put your wifi device in monitor mode.

1. Start wireshark
2. Select Capture
3. Select Interface and choose your capture interfaces.
4. Start the capture
5. Click capture filters
6. Type or/select wps.public_key[Enter]

When you hit enter the wireshark screen may go blank as it filters the output.

7. Start reaver
8. As reaver obtains M1 and M2 data only these lines will appear in wireshark.
9. When you have collected enough data stop reaver and wireshark.
10. Copy your reaver output from the terminal window and save it to a text file. You will need it latter.

The N1 Enrollee Nonce links the output in reaver to the correct M1 and M2 packets in wireshark.

11. Go to wireshark, Click on the top screen showing No. Time Source......Info WPS M1

The --pke is located in the WPS M1 packets.


12 Select Ctrl-f. A drop down menu will appear = Wireshark Find Packet

Select String

Select Packet Details

In the Filter Block type public key then select find


13 Your cursor should now be over Public Key in the middle wireshark window and you should be in a WPS M1 packet(top screen info),

14. Scroll up in the middle wireshark block and find the Enrollee Nonce Go to your reaver text file you saved and find the same N1 Enrollee Nonce. If it is followed by a:

1. Authkey
2. E-Hash1
3. E-Hash2

You can use this packet in wireshark.

15 Scroll down in the same middle block in wireshark and find Public Key: hex string

16 Click on the Pubic key, then right click, select copy, follow the > to the right, select value. The --pke value is now on the clipboard. Copy it to a text file.

17 Go to wireshark, click on the top screen showing No. Time Source......Info WPS M2

18 Again make sure the Enrollee Nonce is the same and copy the Public Key from the M2 packet. Do not confuse the Registrar Nonce with the Enrollee Nonce in the M2 packet. You now have the paired --pkr hex string.


As long as the enrollee nonce is the same in both reaver output and wireshark M1 and M2 you have picked the right packets in wireshark.

Put the five(5) variables in your pixie dust program and try your luck.

Currently we type in leafpad the following at the bottom of our reaver output file we made in item 10 above and then just paste in the hex strings. When completed we paste the entire text string into a terminal window and type [Enter]

pixiewps --e-nonce --pke --pkr --authkey --e-hash1 --e-hash 2

After a few runs you can do this is less then three(3) minutes.,

Video is back up in full HD :D just search "WPS Pixie Dust" on youtube and you'll find it.

Quote:

---

Originally Posted by soxrok2212

Video is back up in full HD :D just search "WPS Pixie Dust" on youtube and you'll find it.

---

Awesome work soxrok2212! I have been playing with this for some time now, unfortunately I only have BCM* based chipsets available for testing, and have had 0% success. Models range from D-Link DSL2 series, Netgear WDNR series, and Linksys E series. Very awesome work just the same though, and a whole new era for WPS auditing. Let me know if you would like any of the results I have capture for analysis.

My command for all tests was:

Code:

---

#~: pixiewps -e <pke> -s <ehash-1> -z <ehash-2> -a <auth-key> -S -n <e-nonce>

---

@mmusket33, FurqanHanif
I don't know which version of the modded Reaver you are using. The description of the youtube video contains the latest (download). It prints all the info needed (see the '[P]' tag) apart PKR which can be gathered in the M2 message (under Public Key), or can be avoided if the -S option is specified in both Reaver and Pixiewps. This option is used only to "ease the burden of a 10 seconds copy and paste work".

While I was still working on the program I made a tutorial on another forum to print some information not all (Authkey, E-Hash1, E-Hash2) with the ' > ' tag at the beginning of every print. So maybe you guys are using the 'old version'?


Changing topic, Bongard tweeted my tool. :o

in Wireshark Public key in Both M2 Message is

Quote:

---

000000000000000............

---

. So is This Normal . Should i continue with This ?? Router Chipset is BroadCom..

Quote:

---

Originally Posted by wiire

Changing topic, Bongard tweeted my tool. :o

---

Very nice ! :) :cool:

Quote:

---

if the -S option is specified in both Reaver and Pixiewps

---

That's answers the previous question of aanarchyy and that i was not so sure about :p

Quote:

---

Originally Posted by FurqanHanif

in Wireshark Public key in Both M2 Message is . So is This Normal . Should i continue with This ?? Router Chipset is BroadCom..

---

You get PKR = 00:00 ... 00:02 when using the '-S' ('--dh-small') option on Reaver. You can use the same option on Pixiewps so you don't need to specify the PKR.

@kcdtv
Fixed the dependency issue. Should compile fine now on Ubuntu and derivatives.

thank you for making this tool, it's not working on Technicolor APs i hope it will, because in my country (Morocco) 75% of the APs are Technicolor LoL!

Nice work wiire and all involved !

Will be sure to test this and gather some information on UK ISP based routers. I have a few lying around I can test

Quote:

---

@kcdtv
Fixed the dependency issue. Should compile fine now on Ubuntu and derivatives.

---

Sweet! I can confirm you that a friend had the same issue yesterday with ubuntu and that the modification solved the issue. In the name of canonial addicted (no one is perfect) thanks!
as i was using reaver_mod and pixiewps.c i was wondering about this two options in the reaver mod and how to "play " with them "smartly" with pxiewps.

Code:

---

        -1, --p1-index                  Set initial array index for the first half of the pin [False]
        -2, --p2-index                  Set initial array index for the second half of the pin [False]

---

So if i understand well we could use them to try with pixiewps different seeds values then the one predefined for ralink and brodacom.
Could you tel us know a bit more about this?
Other thing that i was curious about. If i get in two different sessions the same nounce repeated, wouldn't it mean taht the entropy is very low also on this particular AP?
cheers

what is this, no stars for this topic yet? Geeeeeeeeez

Tested with UK Sky router Sagecom SR101 - WPS pin not found!

I have a feeling this is a Broadcom chip, however I can't find any more information on this. If anyone does, information would be appreciated :)

Off to find some more to test!

@Calamita
use the pcap file and run it through tshark.sh script = that'll extract the HW info.
or go to fccid tool and use FCC ID number, it's usually on the sticker
http://fccid.net/

This worked so well for me...WOW. So WPS has been broken completely.

I did a couple of captures, and noticed in WireShark that when you have a successful attempt, the relevant part of the M2 packet will be marked with light blue. I think that's what it was, anyway... I was thinking it signified a successful capture of what it needed, as it listed an ",,,R,F,C" on the good one, and only an ",,,F,C" on the fails.

It took 0 seconds to crack, by the way. You're brilliant.

Hi all!
Can u help me pls
Where is the problem? Thanks!

screenshot
http://www36.zippyshare.com/v/WF6nh9cU/file.html

Where can I find a link to tshark.sh?

Quote:

---

Originally Posted by kcdtv

as i was using reaver_mod and pixiewps.c i was wondering about this two options in the reaver mod and how to "play " with them "smartly" with pxiewps.

Code:

---

        -1, --p1-index                  Set initial array index for the first half of the pin [False]
        -2, --p2-index                  Set initial array index for the second half of the pin [False]

---

So if i understand well we could use them to try with pixiewps different seeds values then the one predefined for ralink and brodacom.

---

I don't undertand what you're trying to say here. Ralink doesn't have a seed. It doesn't use a pseudo-random number for ES-1 and ES-2. It uses a constant (ES-1 = ES-2 = 0).

Broadcom has a pseudo-number generator. Its seed (for ES-1 and ES-2) can be bruteforced using the nonce as a reference: when using a certain number (initial seed) we get the same sequence of the nonce we know that we can find the ES-1 and ES-2 sequences because they're calculated right after the nonce.

The PIN is provided by the Registrar (the attacker) on M4 and it's not relevant (for the pixie dust attack purposes). Quoting Bongard: the right PIN is provided by the Enrollee (AP) with M3 in two "Safes". The first one contains the first half of the PIN and it's lock combination is ES-1. The second one contains the second half of the PIN and it's lock combination is ES-2. The attack consists in bruteforcing the seed of the Broadcom's PRNG to get the two combinations (ES-1 and ES-2).

Quote:

---

Originally Posted by kcdtv

Other thing that i was curious about. If i get in two different sessions the same nounce repeated, wouldn't it mean taht the entropy is very low also on this particular AP?

---

If you look on page 55 on Bongard's slides.
- "do not generate new random enrollee nonce in case of we have prebuild enrollee nonce"
- "It should not generate new key pair if we have prebuild enrollee nonce"

So on some implementations the nonce and the the keys don't change in different sessions. This is not about entropy, it's about vendor/manufacturer's implementations.