http://sourceforge.net/projects/alfa...iles/Firmware/
Alfa AIP-W525H I believe.... not sure if it is v1 or v2 though.
Manufacturer: Greenwave
Device Name: GreenWave BHR4
Model Number: 4
000000000:6F:D4| 1|-61|1.0|No |FiO00000000| GreenWave| 4|
Greenwave Systems, no wikidevi, fccid
NOT Vulnerable
Does not work on Technicolor TD5130 V1 and THOMSON AP.
Worked fine for me when I tested. You need to wait for the whole realtek tool to be released. It is almost done.
Big Teaser !
soxrok2212, I have tried many times on my network but no result :confused:
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
[+] Switching mon0 to channel 1
[+] Waiting for beacon from 18:17:25:xx:xx:xx
[+] Associated with 18:17:25:2C:0B:7A (ESSID: WIFI 14)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 5e:86:d7:2d:5a:11:c1:36:51:97:d7:16:54:c3:de:7f
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Technicolor
[P] WPS Model Name: Technicolor TD5
[P] WPS Model Number: Technicolor TD5
[P] Access Point Serial Number: 1343A1D22901
[+] Received M1 message
[P] R-Nonce: c0:68:f8:86:c5:14:c2:aa:d8:5f:56:29:51:0c:fd:d4
[P] PKR: 58:f7:89:a6:11:fc:9e:ad:b1:a5:e5:e8:97:5b:4c:e3:f9:a2:3c:d0:81:70:cf:4f:59:fd:bd:d1:7f:fe:fc:a0:28:64:46:fc:da:31:61:88:65:09:86:66:4b:9f:37:af:68:3b:9e:1f:fd:bd:aa:09:f6:5b:b2:8d:da:e2:cf:cd:c5:5b:8c:87:82:e8:d4:8f:b8:9c:22:8e:ca:c2:ad:c3:43:01:4e:d9:39:0b:ec:a9:12:bd:ba:02:a9:69:30:de:61:6d:da:cd:47:80:9c:d9:39:4d:e3:40:c4:38:13:6d:15:f2:b1:68:9e:e4:45:0b:e9:0b:ba:bb:2e:7b:96:d4:c6:c2:8e:e6:07:8c:fe:35:6d:7a:fd:8c:ca:24:d7:87:b7:b5:fd:8d:32:e7:e6:fa:5d:01:eb:d6:8a:aa:16:89:7a:63:ec:db:e1:60:01:0f:0b:92:90:ba:e0:33:35:57:f5:01:63:36:0e:b1:46:6a:70:99:cf:5c:49:6e:40:3c
[P] AuthKey: f4:8d:63:52:60:ad:82:9e:7e:72:b4:84:82:bb:df:5d:0d:29:76:55:a4:07:57:9f:5a:92:07:17:19:53:42:ac
[+] Sending M2 message
[P] E-Hash1: 99:9f:06:06:d4:39:af:ba:43:40:bc:f3:42:db:04:64:e5:cf:b3:ed:a7:f6:40:a9:f0:d0:eb:df:5c:91:67:79
[P] E-Hash2: 9c:94:a1:72:b8:36:02:47:cd:50:44:d2:2f:fe:49:d8:68:62:b7:de:84:ac:4a:a8:9e:75:a2:24:bf:37:ba:91
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 1 s
[Pixie-Dust]
Try this PIN and let me know if it works: 76734052
I really hope this is your own AP... by using that PIN you agree that I am not responsible for any trouble you may get into.
@aboulatif
Hey just a curiosity of mine... Is the WAN MAC of that router 18:17:25:2C:0B:75?
He forgot to blank out a line, so no, wiire.
"[+] Associated with 18:17:25:2C:0B:7A (ESSID: WIFI 14)"
Model name = model number ...
Example..
RTL8187 >>>> RTL (Model name) 8187 (Model number) ...
Other values are about the modem manufacturer, not the WPS manufacturer (1.0.1.1, 1, 1234)
:)
Old version or invulnerable chipsets are different. They should be well analyzed on Wireshark
You shouldn't look too much into this. Manufacturers put what they want in those fields. Sometimes they put the valid model number, name, serial or whatever, sometimes they put something else, for example '123456' (or '1234' or whatever) which is like a blank field (I guess they can't put zeroes).
Reaver prints that information only to give you a (sometimes vague) idea of what the chipset brand/model could be. The cracking is performed by pixiewps, which doesn't use this information.
@soxrok2212 here is a cap of the same router type, if you can get me a pin and/or tell me how that would rok ;-)
http://d-h.st/9dE1
Pixiewps 1.1 is out! :)
See the original thread.
Hey guys, I am a little bit confused as to the usage of -f in the new pixiewps. It refers to mode4??? anyone kind enough to clarify?
just add -f 4
And would you add this argument always?
At first I tried it without that option on a router with a Realtek chipset and it didn't find the pin, then I tried it with -f 4 and it took about 600s then BOOM pin found
Quote:
Originally Posted by psicomantis
Hey guys, I am a little bit confused as to the usage of -f in the new pixiewps. It refers to mode4??? anyone kind enough to clarify?
Yes sorry, I should've clarified. The --force option is used only for what I call mode 4, which is Realtek's PRNG seed bruteforce. I was planning on adding mode selection but I didn't, and I left those modes on the usage screen; I didn't want to explicitly refer to vendors in the program.
The best practice is to run the program without -f, and if you get a warning saying that the router might be vulnerable to mode 4 it means that you may want to try again with -f or with another set of data that could lead you to (mode 2) secret nonces = enrollee nonce. I also refer to modes because that's how the program runs internally: it tries every possible vulnerability. When it bruteforces the new PRNG though (that is mode 4) it normally tests only a small window of time (approximately 10 days) because the new bruteforce is more power consuming.
So --force is basically used only if the router has set its time to the past (more than 10 days ago). To exhaust it probably takes 20 - 30 mins. Also -f doesn't take any argument. The program just doesn't complain if you pass it some extra arguments. I gotta fix that. :)
Also would you mind replying on the pixiewps thread for program related questions? Thanks.
Hi wiire, can you tell me which command I should use against a Realtek chipset?
Hello hanada and welcome to the forum
mmm... Did you read the line just before your message?
Maybe you are not used to forums but you have to locate your question in the correct thread.
Quote:
Originally Posted by wiire
Your question is strictly about pixiewps usage and this thread is about the pixie dust breach
You should have asked your question in this thread
By the way...
..., if you read a little you will find the answer to your question... read before asking, like this the forum is not full of duplicated content :)
@nuroo @aanarchyy I looked for more info on the data you sent me (caps and reaver output). Upon looking at the beacon frames in the cap that aanarchyy sent me, I see that the Greenwave G1100 uses a Broadcom 802.11N/AC chip, more specifically I believe that it may be the BCM4360: https://wikidevi.com/wiki/Broadcom... AFAIK the G1100 is 3x3:3 on 2.4GHz and 3x3:3 on 5GHz. Assuming so, that leads me to the conclusion above. With the lack of documentation, the only way to find out for sure would be to order one and open it up, but FiOS is not available in my area and I don't have $200-$300 to spend on it... I don't even see their firmware available anywhere online...
If I can get my hands on one, I will gladly dump it and share. As of recently, I've been poking around a dump I did the other day of a Belkin F9K1001 v1 ( https://wikidevi.com/wiki/Belkin_F9K1001_v1 ) to see what I can find. Found it at the swap shed of the dump in my town so I had no issues pulling the flash chip off and dumping it. I pick up all kinds of random embedded devices to tinker with. I've got somewhere over a dozen or so assorted routers/repeaters (old Comcast, old Verizon, Belkin, D-Link, Buffalo, Netgear, Linksys, and some random weird ones) I'd be glad to dump/decompress/decompile/share if anyone would find it useful :-) I'm kinda sucky at reading assembly but I'm learning...
Any Comcast /Cisco DPC3939?
@soxrok2212
gave u full dump, no filters. beacons should be in the .cap
No FiOS at my location either. At least you were able to deduce it's a Broadcom chip; never heard of Greenwave before this. Was gonna be impressed if a new company came out of the woodwork with a new chipset all on their own.
@aanarchy
I will try to find out if G1100 can be updated, if firmware is available.
Not sure, I'll check as soon as I get home. I think the only two Comcast ones I have are the old Actiontec ones, not sure of the chipsets but I'll look.
G1100 firmware is not available for public download.
As per the folks @ dslreports, who have the router, new firmware is made available to customers internally through their network.
@nuroo already checked, completely unavailable, only way to get it is dump a live device. Same with the xfinity arris routers, found on a website that the firmware is "closely guarded".
I am trying my best to figure this out. I have been testing on a Broadcom and a ZyXEL router; it never spits out the 2 hashes for them, am I missing something simple here? Of course you need the 2 hashes to get the pin. It spits out the other necessary keys/info. My Kali was updated this evening. Edit: I figure it's because the router is not supported.
so then guys & gals....
WPS blackjack attack next?
http://xn--mric-bpa.fr/blog/blackjack.html
:) :) :)
Wps Pixie Dust Attack is VULNERABLE for all ZTE modems...
The person who prepared this attack (blackjack) is a bit confused about how things work.
First, RS-1 is a random value generated by the Registrar, and it is different from ES-1.
ES-1 remains unknown.
The generation of the registrar R-Hash1 has always been known.
What the author is confused about is this PSK1 and the data traveling on the WPS protocol: the ES-1 and ES-2 are never sent to the registrar.
The R-Hash1 is generated by the registrar with its PSK1, using an RS-1 random number generated by the registrar.
A check of R-Hash1 is made by the Enrollee but using the Enrollee PSK1; the Enrollee PSK1 is correct.
Then the Enrollee R-Hash1 will be different from the registrar R-Hash1 because PSK1 is different, and if you have to check all 11,000 possibilities, then you are doing what reaver does, which is to test all known pins.
It is not possible to repeat the message M4 indefinitely because there is a protocol to be followed; it is necessary to go through M1 M2 M3 to then send the M4, so it is the same thing as reaver, which is to test all pins.
Apparently the author was confused about where the keys go and who checks them.
The author's error is here:
"The Enrollee sends the first secret nonce, E-S1. The Register knows if the Enrollee knows the first half of the PIN."
This is done the other way around: the Register sends the R-S1 and the enrollee knows if the registrar knows the first half of the pin.
Another error in the functioning of things:
"Pixie Dust attack blah blah, we have to pretend that the Register creates predictable random numbers."
The random number is generated in the registrar, and the registrar in this case is Kali Linux. How will you generate a random number that you already know? This article has much wrong in it.
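To make the M4/R-Hash1 check the post describes concrete, here is an added Python model of that single step; it is not code from this thread, from reaver or from pixiewps. It follows the WPS 1.0 hash definitions (PSK1 = first 128 bits of HMAC-SHA256(AuthKey, first four PIN digits as ASCII); R-Hash1 = HMAC-SHA256(AuthKey, R-S1 || PSK1 || PKE || PKR)); AuthKey, PKE and PKR are constructed constants standing in for values a real Diffie-Hellman exchange would produce.

```python
import hashlib
import hmac
import os

# Constructed stand-ins (assumption): in a real session AuthKey is derived from the
# DH shared secret and PKE/PKR are the 1536-bit public keys carried in M1/M2.
AUTH_KEY = hashlib.sha256(b"constructed-authkey").digest()  # 256-bit AuthKey
PKE = bytes(range(192))                                      # enrollee DH public key
PKR = bytes(range(192, 0, -1))                               # registrar DH public key


def psk_halves(pin, auth_key):
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, half of the PIN as ASCII)."""
    psk1 = hmac.new(auth_key, pin[:4].encode(), hashlib.sha256).digest()[:16]
    psk2 = hmac.new(auth_key, pin[4:].encode(), hashlib.sha256).digest()[:16]
    return psk1, psk2


def commitment(auth_key, secret_nonce, psk, pke, pkr):
    """E-Hash / R-Hash = HMAC-SHA256(AuthKey, S || PSK || PKE || PKR)."""
    return hmac.new(auth_key, secret_nonce + psk + pke + pkr, hashlib.sha256).digest()


def registrar_m4(registrar_pin, auth_key=AUTH_KEY):
    """Registrar side of M4: draw a fresh R-S1 and commit to its own PSK1 with R-Hash1.
    (R-S1 is really sent encrypted under KeyWrapKey; that wrapping is omitted here.)"""
    r_s1 = os.urandom(16)
    psk1, _ = psk_halves(registrar_pin, auth_key)
    return r_s1, commitment(auth_key, r_s1, psk1, PKE, PKR)


def enrollee_checks_rhash1(enrollee_pin, r_s1, r_hash1, auth_key=AUTH_KEY):
    """Enrollee check after M4: recompute R-Hash1 with *its* PSK1 and compare.
    A mismatch means the registrar does not know the first half of the PIN (NACK)."""
    psk1, _ = psk_halves(enrollee_pin, auth_key)
    expected = commitment(auth_key, r_s1, psk1, PKE, PKR)
    return hmac.compare_digest(expected, r_hash1)


def run_m4_check(ap_pin, registrar_pin):
    """One M1..M4 round as the post describes: True only if PSK1 on both sides agrees."""
    r_s1, r_hash1 = registrar_m4(registrar_pin)
    return enrollee_checks_rhash1(ap_pin, r_s1, r_hash1)


if __name__ == "__main__":
    print(run_m4_check("12345670", "12345670"))  # same PIN: check passes
    print(run_m4_check("12345670", "98765432"))  # different first half: NACK
```

Note that the check passes whenever only the first four digits agree, which is exactly why the PIN splits into two independently verifiable halves and why the thread talks about 11,000 rather than 10^8 attempts; the mitigation on the AP side is to disable external-registrar PIN mode entirely.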
... and according to my Jedi skills there are no "gals" here. If there are, please someone introduce me!
Welcome some1, to the new Kali Kitchen (thanks g0tmilk), where strange things are cooked and weird things happen. Cheers!!!
Haha I love that ^^ Anyways, I need some help from some of you really smart experienced guys out there. I still have a lot of homework to do with the topic but I was looking into tkiptun-ng... more specifically injecting "arbitrary packets." Does anyone know what kind of stuff we can inject? I'm wondering if we can somehow maybe magically with a little bit of "pixie dust" ;) initialize PBC or something similar? I'm really not sure, just thinking :)
The author knows he was wrong, right at the top of the page it says:
Erratum : I thought the Enrollee was the client, and the Registrar the AP (see spec :
Enrollee: A Device seeking to join a WLAN Domain. Once an Enrollee obtains a valid credential, it becomes a Member.
Registrar: An entity with the authority to issue and revoke Domain Credentials. A Registrar may be integrated into an AP, or it may be separate from the AP. A Registrar may not have WLAN capability. A given Domain may have multiple Registrars.
, but I was wrong. Thus, what I wrote below contains errors. Correction and implementation are left as an exercise to the reader.
Love that we have our own little "kitchen" now :D