If you want, add it. I'll test it... may help in certain cases.
My pleasure, thanks for the acknowledgement.
Ideas are easy, coding is harder.
-cracked+ outputs more data about victims from the attack:
Passphrase
Pin
Clients mac's
Manufacturer
Model
Channel
Highest signal strength
Just so this info is available for later, for spoofing etc. or known router vulnerabilities etc. Output to a text file.
****************
-pixieR -P <bssid> <X>
Loop for 5 to X loops on target, without passing the WPS protocol to or past the M4 message, to hopefully avoid lockouts.
Output to a text file for analysis.
For those wondering what reaver's -P option is intended for:
Option (-P) in reaver puts reaver into a loop mode that does not do the WPS protocol to or past the M4 message to hopefully avoid lockouts. This is to ONLY be used for PixieHash collecting to use with pixiewps, NOT to 'online' bruteforce pins.
This option was made with intent of:
----Collecting repetitive hashes for further comparison and/or analysis / discovery of new vulnerable chipsets, routers etc.
----Time sensitive attacks where the hash collecting continues repetitively until your time frame is met.
----For scripting purposes, for those who want to use a possible lockout-preventable way of PixieHash gathering for their use case.
datahead
Works with the new airmon-ng monitor naming... confirmed.
Hi aanarchyy!
What is your wifite base for this improvement, r85 or r86?
AFAIK r85, whichever one is installed by default on the Kali live boot CD.
To be honest, I never really planned on making this a project. I was going to make a few minor modifications to a pre-existing tool, like I do to many tools to better fit my needs (as I have done with wifite a while ago along with a few other tools: aircrack, reaver, snort, dsniff stuff, etc.), and was never planning on releasing anything, especially since I don't really know python.
But as of recently, I've been having a really good time playing with this, very good learning opportunity. And once it worked kinda the way I wanted, I figured I would share it with anyone that might find it useful. Never expected this to be a "main project" for me, but I am very much enjoying this. :D
Had I known this was actually going to be even mildly popular, I would have used a more up-to-date version (like the derv82 version), which I still may do, but I'm going to finish adding in things before I move it to a different revision, cuz patching a new revision isn't exactly going to be a copy/paste kinda thing.
But either way, I'm gonna keep doing what I'm doing, cuz I'm having a lot of fun with this :D
:D I was asking because I'm a fan of wifite and according to that ticket https://bugs.kali.org/view.php?id=2225 there seems to be improvement with r86, so naturally I thought that any further improvement should be based on that version. Thank you and keep up the good work!
I am a HUGE fan of wifite, which is why I've chosen it to add pixiewps to.
If the devs of wifite want/ask me to be a contributor, I would be more than happy.
If not, I'm perfectly fine creating my own fork that works the way I want it to.
UPDATES!
fixed -mac not really anonymizing the mac address
added -endless flag to loop through targets until stopped
made cracked.txt human readable
fixed issue with -paddto not working
May be more, but I can't remember right now.
Still testing, with the -mac option:
./wifite -mac -ponly -pto 45 -paddto 30 -showb
--- -------------------- ----------------- -- ---- ----- ---- ------
1 NE00000 00000000:DE:D7 6 WPA2 28db wps
2 TG000000 00000000:FB:00 6 WPA2 27db wps
3 DG000000 00000000:D5:F0 11 WPA2 26db wps client
[0:00:00] initializing PixieWPS attack on DG0000000 (000000000:D5:F0)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found
[+] Authkey found
[+] E-Hash1 found
[+] E-Hash2 found
[+] Cracking using pixiewps...
[+] PIN found: 10896785
[+] Handing pin to reaver
[0:00:00] initializing WPS PIN attack on DG00000 (0000000:D5:F0)
^C0:02:59] WPS attack, 0/2 success/ttl,
(^C) WPS brute-force attack interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] quitting
Found:
After exiting the WPS PIN attack from the pixie attack, mon0 is left alive and the mac remains spoofed.
Also, for troubleshooting purposes, could you echo to the screen the 2nd reaver command used to find the pin, and the results from the access point during the attack?
Actually, could you echo both reaver commands to the screen during the attack:
the whole initial attack command string used by the script
the whole 2nd command string used to obtain the pin
Thank you, aanarchyy, for the awesome script. Very fast wifi testing.
Hello.
I'm getting "attack failed" on almost every AP. Is it normal?
Of 17 APs, pixie works on only one. Ironically the weakest.
@g0tmi1k Renamed the binary to wifite-ng
I got errors when running ./wifite -update
[+] downloading update...
Archive: /tmp/wifite05IK1h/wifite-mod-pixiewps-master.zip
32da7b0d69d5cae24e5a2736b77aec56e5a64b7c
creating: /tmp/wifite05IK1h/wifite-mod-pixiewps-master/
inflating: /tmp/wifite05IK1h/wifite-mod-pixiewps-master/LICENSE
inflating: /tmp/wifite05IK1h/wifite-mod-pixiewps-master/README.md
inflating: /tmp/wifite05IK1h/wifite-mod-pixiewps-master/wifite-ng
cp: cannot stat `/tmp/wifite05IK1h/wifite-mod-pixiewps-master/wifite': No such file or directory
chmod: cannot access `wifite': No such file or directory
chmod: cannot access `wifite-ng': No such file or directory
[!] upgrade script returned unexpected code: 1
[+] quitting
Oops, changed the binary name because of clashes with the original wifite, should be fixed now :-)
;)
TNX for the super-fast fix!!! && thanks for your work!!
http://postimg.org/image/9c1btalqh/
Nice job aanarchyy! It would have been a shame not to have pixie dust in wifite, wouldn't it?
By the way, it works perfectly in xubuntu 15.04 too (not a surprise, but nice).
I see in the "Mightdo list" that you might consider including default known PINs and algorithms.
I can give you a hand with that when it is time.
Cheers
You're a rock star, aanarchyy...
Hey aanarchyy, now that the new pixiewps prints out a warning saying that the router might be vulnerable to mode 4 (PRNG bruteforce), what do you think about having wifite print this info and then re-run the attack using -f?
Hello aanarchyy !
I have the same problem with the latest wifite-ng.
wifite v2(r108)
pixiewps v1.1
reaver v1.5.2
But reaver with pixie shows all info:
http://imageshack.com/a/img910/4162/f3CIbc.jpg
It might be the same problem we had with Reaver, due to me adding 3 extra spaces on the pixiewps pin print line.
I think on line 3111 you have to change:
WPSpin=WPSpin[WPSpin.find("WPS pin")+9:WPSpin.find("\n")]
to:
WPSpin=WPSpin[WPSpin.find("WPS pin")+12:WPSpin.find("\n")]
wiire, unfortunately did not help.
Sorry about that, I was actually using the previous version, which also had the same problem of not finding the PIN, and that was due to extra characters in the E-Nonce. I am now using the new version and it seems to have the same issue. I just changed the following on line 3065 (there might be a better way to fix it):
ENonce=ENonce[ENonce.find("E-Nonce:")+9:ENonce.find("\n")]
PKE=PKE[PKE.find("PKE:")+5:PKE.find("\n")]
PKR=PKR[PKR.find("PKR:")+5:PKR.find("\n")]
EHash1=EHash1[EHash1.find("EHash1:")+14:EHash1.find("\n")]
EHash2=EHash2[EHash2.find("EHash2:")+14:EHash2.find("\n")]
AuthKey=AuthKey[AuthKey.find("AuthKey:")+9:AuthKey.find("\n")]
to:
ENonce= ENonce.split(':',1)[1].rstrip()
PKE=PKE.split(':',1)[1].rstrip()
PKR=PKR.split(':',1)[1].rstrip()
EHash1=EHash1.split(':',1)[1].rstrip()
EHash2=EHash2.split(':',1)[1].rstrip()
AuthKey=AuthKey.split(':',1)[1].rstrip()
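The two parsers quoted in the post above differ only in how they react when reaver changes the spacing after a label. The following is an added illustration, not code from wifite-ng or from the post: it runs both approaches over constructed sample lines (assumed to mirror reaver's "[P] Label: value" format) once as originally spaced and once with three extra spaces, the change described earlier in the thread.

```python
# Constructed sample of the label/value lines wifite reads from reaver's
# pixie-dust output. SAMPLE_PADDED widens the separator by three spaces,
# mimicking the formatting change that broke the fixed-offset slicing.
SAMPLE_TIGHT = (
    "[P] E-Nonce: 11:22:33:44\n"
    "[P] PKE: aa:bb:cc\n"
    "[P] PKR: dd:ee:ff\n"
    "[P] AuthKey: de:ad:be:ef\n"
    "[+] WPS pin: 12345670\n"
)
SAMPLE_PADDED = SAMPLE_TIGHT.replace(": ", ":    ")

# Labels wifite looks for, with the offsets the original slicing code used
# (label length plus ": "). These labels are assumptions for the example.
FIELDS = {"E-Nonce": 9, "PKE": 5, "PKR": 5, "AuthKey": 9, "WPS pin": 9}


def _line_with(output, label):
    """Return the first output line containing the label, or None."""
    for line in output.splitlines():
        if label in line:
            return line
    return None


def parse_fixed_offset(output):
    """Original approach: slice a fixed number of characters past the label.
    Any change in the tool's spacing shifts the slice and corrupts the value."""
    result = {}
    for label, offset in FIELDS.items():
        line = _line_with(output, label)
        if line is not None:
            result[label] = line[line.find(label) + offset:]
    return result


def parse_split(output):
    """Replacement approach from the post: take everything after the first
    ':' on the matching line and trim whitespace. Survives padding changes."""
    result = {}
    for label in FIELDS:
        line = _line_with(output, label)
        if line is not None and ":" in line:
            result[label] = line.split(":", 1)[1].strip()
    return result


def values_are_clean(parsed):
    """True when no field is empty or carries stray leading/trailing whitespace."""
    return all(v and v == v.strip() for v in parsed.values())
```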
Extra whitespaces were added that borked out wifite, should be fixed now. :-)
1. Confirmed fixed in r109... I mentioned this too, on GitHub.
2. I also like the idea of wifite-ng printing out additional pixiewps info.
3. Until reaver implements all the new attacks in pixiewps 1.1 automatically, can wifite-ng carry them out?
Yes, finding a router vulnerable to this is my issue too. Also, the attack is new for me. Until I find one, I can't refine my technique.
Thought I'd share my current wifite-ng command line usage and thoughts, user asked on github.
./wifite-ng -ponly -pto 50 -paddto 20 -wpst 60 -wpsretry 5 -c<x> -pow 50
1st, know which routers are at this point broken: check soxrok2212's database (the 1st set of hashes will let you know).
-ponly ---------> quick and dirty, low-hanging fruit... key cracked offline even.
-pto 50 --------> if the router doesn't respond in 50 secs, I'm too far away or need to spoof the mac.
-paddto 20 -----> if hashes start flowing, add more time.
-wpst 60 -------> if the pin is found and I'm close enough, reaver will find the passphrase quickly... if not, I need advanced options from the command line;
don't hang the script. Move on to the next target. Script default is 660 secs.
-wpsretry 5 ----> try the pin 5 times only. If I'm close enough, that's enough retry times. Else spoof or move closer. Possibly -t20, -T20 in reaver.
-c -------------> try routers on specific channels, optional. Just less clutter in crowded locations.
-pow 50 --------> only try routers 50dB and above; if below, you're chasing other problems, but distance is the main problem.
After the router scans and WPS compatibility check, use wifite-ng's signal strength colors as an indicator of possible success: green targets in range, yellow maybe, red don't even try.
Let wifite-ng do its thing...
If wifite-ng isn't able to crack any targets, consider your distance mostly, and whether any of the target routers are vulnerable.
Then use the command line to verify with reaver output:
Failed association:
- Use airodump-ng to find clients of router ***
- Use reaver -m (mac of client) and -A (aireplay-ng does associations)
- Move closer **
Rate Limiting Detected:
- send fewer pin requests and use the lockout timer
- use mdk3, try reset router **
Use airodump to see connected clients and or if router resets with mdk3.
@aanarchyy
By chance my friend had a realtek router. I was able to get several hashes for pixiewps.
It didn't work for me, but at least pixiewps gives the "may be vulnerable to -f ......." response.
You could at least use it to show wifite what to look for?
As I said before, it's really hard for me to code that when I don't have anything in range that will give me the "may be vulnerable" output, so it's kinda hard to write something reliable. If I had a shell on something that had access to such a router, then chances are much better it can happen. But right now, I have no way to try/test it.
Sucks, but I had a version of wifite that actively spoofed connected clients while trying any of the wps/wpa stuff, but my comp crashed and I lost it :-/
Gotta remember how I did it, all my best coding is done after three blue moons (scientific proof lol, look up the Ballmer peak).
Nuroo, why don't you send aanarchyy your router so he can test it? Then he can write reliable code for the realtek router. Just an idea.
How to install wifite-ng and where to place it?
./wifite.py gives an error too.