There is no support for atheros chipsets and all the versions of this access point have a chipset manufactured by atheros...
TP-LINK TL-WR740N v4.x
This method works on Windows with D-Link routers that use RTL8671.
1) Install jumpstart https://onedrive.live.com/download?r...2809d85%214754
2) Open Jumpstart, click "Configure a wireless network" and click Next.
3) Enter WPS PIN 12345670, untick "Select network automatically" and click Next.
4) Select the AP with the D-Link router and continue.
Jumpstart will connect to the AP. Next, right-click the connected AP and select "Properties". Go to the Security tab and click "Show characters".
From here you should be able to see the AP's passphrase.
Does this PIN work for all D-Link routers with RTL8671 hardware?
You might want to be careful installing that, even if it works as advertised.
http://www.securityweek.com/d-link-a...te-keys-online
I am overly paranoid about these things though; it's probably fine.
Not all D-Link routers use RTL8671. From what I have tested, on the DSL 2750U pixiewps outputs 12345670 as the PIN but reaver is unable to retrieve the passphrase using this PIN. However, Jumpstart is able to retrieve the passphrase using that PIN on Windows. I can confirm that this PIN doesn't work on DIR devices but is confirmed working on the DSL 2730U and DSL 2750U. I have not tested it on other D-Link DSL routers.
Jumpstart doesn't do anything special.
Try adding -n to your reaver line; you should recover the WPA key.
Otherwise use wpa_cli to connect "normally" through WPS.
That's the normal way to use WPS in Linux.
Hi..
First, thank you everyone for the resources available and the effort put in to understand security protocols with regard to WPS.
I've been a long-time believer in convenience with technology, and believed WPS helps us achieve just that. However, my secure bubble just burst when I stumbled upon this thread.
For the longest time, I've been using, and encouraging everyone to use, WPS, claiming PSK is so 19th century.. not any more, as I've managed to hack my own as well as the wifi setups of my friends and family.
Second:
I'm unable to post the log of pixiewps / reaver..
I'm stuck on this every time I attempt to post something:
Quote:
Sucuri WebSite Firewall - CloudProxy - Access Denied
What is going on?
You are not allowed to access the requested page. If you are the site owner, please open a ticket in our support page if you think it was caused by an error: https://support.sucuri.net. If you are not the owner of the web site, you can contact us at soc@sucuri.net. Also make sure to include the block details (displayed below), so we can better troubleshoot the error.
Block details
Your IP: 2.49.9.75
URL: forums.kali.org/newreply.php?do=postreply&t=25018
Your Browser: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Block ID: EXPVP5
Block reason: Not identified.
Time: Fri, 30 Oct 2015 08:23:07 -0400
Server ID: cp13012
Sucuri CloudProxy
CloudProxy is a WebSite Firewall from Sucuri. It stands between your site and the rest of the world and protects against attacks, malware infections, DDOS, brute force attempts and mostly anything that can harm it.
Not only that, but your sites get cached, speeding it up quite a bit. Interested? Visit http://cloudproxy.sucuri.net
So following that post..
I have a question..
Does the PKR value of the same AP change?
My work network is a Cisco Linksys E900 v1, FW: 1.0.0.0.
On bruting it, it locks up for 60 seconds after every 9 successful incorrect PINs and then for 10 seconds or so after every 3 incorrect PINs.. and the cycle continues.
It's non-exponential.
However, the strange bit is: its PKR value has changed two times.
First time it was some huge BE:3f:4c.......
Second time it was something else.. can't remember.
Now it's 00:00:00:00:00:00:...............:00:00:00:02 (all zeroes and last digit 2).
I'm using -vvv with reaver.. and trying to manually input values in PD, so this caught my attention.
Again, I'm unable to post the log(s).. as the Sucuri website firewall doesn't allow me to.
The specification may seem backwards, but upon understanding how the whole thing works, the registrar is the entity looking to join the network (YOU) and the enrollee is the AP.
That being said, you as the attacker (or device looking to join) are generating the PKR. If you use -S in Reaver (small DH Keys), then Reaver will generate a PKR with a value of 00:00:00:00.....:00:00:00:02. I generally try to avoid using -S when pixie dusting now (and it WILL NOT even work with Realtek access points) so unless you are running a standard Reaver attack, there is no need for it. Otherwise, Reaver will select a random private number and will generate a random PKR value like the first time you tried.
Also note that your router, Linksys E900, uses a Broadcom BCM5357C0 wireless chip which is not currently vulnerable to pixiewps: https://wikidevi.com/wiki/Linksys_E900
The following comments are more clerical than technical:
If you are doing a brute force reaver attack testing all 11,000 PINs and NOT using -S in the command line (CL) and then wish to either:
1. Add -S (--dh-small) to the command line
or
2. Test a specific PIN by adding --pin= to the reaver CL,
we suggest you also add --session=?filename? to the reaver CL.
This will keep these different attack types separated. If either the -S or --pin= test does not work you can return to your brute force without losing the PIN count collected during the brute force sessions.
To return to testing all 11,000 PINs just remove the --session= entry from the CL and reaver will continue the brute force attack from where you stopped.
MTeams
Oh, ok.. lol
Got mixed up with the PKR and PKE.
Thank you for clearing it up.
@ Mteam,
will try that next.
Hi,
I'm currently testing some features I've introduced in pixiewps; however, I still have some trouble with some of them.
I wanted to ask if some of you have a Ralink device and can get me some data. I'd need data from at least 2 consecutive WPS transactions/sessions.
The data should include PKe, PKr, Enrollee nonce, Registrar nonce, AuthKey, Enrollee BSSID and the two hashes. If you don't want to include the MAC address that's fine. It's not strictly necessary for what I'm doing.
Anyone interested can send me an email with the data. Just be sure to include each AuthKey if you want to send the .cap.
Thank you in advance.
To Wire
Confirm you wish data from the following two(2) vendor mac addresses
00:17:a5
00:0c:43
Is there any chance of a solution for RTL8761?
MTeams
When will we get your next new release with more features to bypass RTL8671?
@mmusket
Thank you for offering your help. I already got the data I needed and forgot to check back on the forum. Hopefully it won't be too long until the final release.
About RTL867x, I (and others) haven't looked into it anymore.
So guys, did you look into RTL8671 for cracking?
I'm trying to crack a router and the log is:
WPS Manufacturer: Realtek Semiconductor Corp.
WPS Model Name: RTL8671
WPS Model Number: EV-2006-07-27
So can it get cracked, or what should I do?
It seems like RTL8671 is one unique chipset. This is an old thread from reaver days https://code.google.com/p/reaver-wps.../detail?id=541
To kiarashmm:
In our areas of operation this chipset is in over half the available targets. In every case the network locks after ten (10) PIN requests and does not respond to pixiedust.
The router can, though, be cracked with reaver, as occasionally one of these networks resets its PIN to 12345670 and reaver then easily extracts the WPA key.
If the network does not lock and responds to reaver PIN requests then just use reaver from a command line.
If the PIN count climbs to 99.99% and spins, the router may have reset its PIN to 12345670 during the attack, so just add --pin=12345670 to your command line or start a new brute force attack.
If the router's WPS system locks then an automated process like that found in varmacscan2.8 is the tool of choice in this case. There may be other tools; we are just not aware of them.
MTeams
I get this from the 1st post I think. I'm a total noob in Linux; please, someone teach me how to do this from the command window.
Dependencies: PLEASE make sure you are up to date with these or your install WILL fail!
Code:
apt-get install libpcap-dev
apt-get install libsqlite3-dev
DONE
Tools:
-Pixiewps by Wiire, used to brute force the WPS pin offline https://github.com/wiire/pixiewps https://github.com/wiire/pixiewps.git
-Original thread
Code:
cd /path/to/pixiewps/src <<< this part i do not understand i downloaded it and it's in my Download folder, what do I type in command line? and where to move i'm totally blank pls help
make
make install
-t6_x's modified version of Reaver to automate the process https://github.com/t6x/reaver-wps-fork-t6x https://github.com/t6x/reaver-wps-fork-t6x.git
-Original thread
Code:
cd /path/to/reaver-wps-fork-t6x/src <<< this part i do not understand i downloaded it and it's in my Download folder, what do I type in command line? and where to move i'm totally blank pls help
chmod 777 ./configure
./configure
make
make install
Firstly you will need to extract the archives; it should be a simple right click, "Extract here".
Just open the folder in whatever file manager, right-click in a blank space in the file manager, and there should be an "Open terminal here" option (or something to that nature).
Then type that stuff in.
Thank you for your reply aanarchyy,
"Firstly you will need to extract the archives, should be a simple right click, extract here." The downloaded pixiewps is in the Downloads folder. Do you mean I extract it in the Downloads folder, or do I have to move it to another folder and then extract it?
Thanks in advance
soxrok2212, I'm sorry, maybe I'm in the wrong room, but I want to learn this kind of stuff. I'm a total noob in Linux with the command line, so can you please tell me which thread or forum I should start my journey in learning Kali Linux? Btw, I have read all the docs in Kali; some I understand and some I don't because they don't explain step by step.
thanks
It is a good idea to start your journey by installing a "normal" Linux distribution before you jump into the world of pentesting with Kali Linux.
I recommend Xubuntu/Ubuntu or Linux Mint; they're also based on Debian, like Kali Linux.
They are well documented and you will find answers to every beginner question.
Quote:
Originally Posted by motionindo
About "cd" and directories:
http://askubuntu.com/questions/23244...es-in-terminal
It doesn't matter where you extract it; what matters is to have the terminal opened in the correct directory to launch the installation: the src directory that you obtain after decompressing the package.
start by using linux and everything will flow naturally ;)
I think I managed to install the modified reaver. Can anyone take a look to see if I did it correctly?
root@kali:~/Downloads/reaver-wps-fork-t6x-master/src# chmod 777 ./configure
root@kali:~/Downloads/reaver-wps-fork-t6x-master/src# ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for pcap_open_live in -lpcap... yes
checking for sqlite3_open in -lsqlite3... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for stdlib.h... (cached) yes
checking for stdint.h... (cached) yes
checking for string.h... (cached) yes
checking pcap.h usability... yes
checking pcap.h presence... yes
checking for pcap.h... yes
checking sqlite3.h usability... yes
checking sqlite3.h presence... yes
checking for sqlite3.h... yes
configure: creating ./config.status
config.status: creating Makefile
I released version 1.2.2 of pixiewps.
Most of the work was done to clean up the code, support more platforms, remove the OpenSSL dependency (finally!) and add more options. This version has been successfully tested under Linux (Debian, Ubuntu), Mac OS X 10.11, Windows (using MinGW), FreeBSD, OpenWrt and Android (as a .bin file).
Version 1.2.2 has an important bugfix for FreeBSD users (found in 1.2.1).
I also included two more PRNGs/algorithms for eCos devices (through --mode 4,5). I don't know if they are even used, but there is the concrete possibility.
Thank you wiire for this nice surprise to start the new year!
I am pretty sure that the Realtek brute force option goes much faster than before, at least on my PC.
Great job!
I have some problems with the new options... I was unable to use them correctly :p
That was my idea: I have a router with factory settings from August 2012 and that is the seed used.
So I wanted to make a "reverse" brute force from August 2012 to a date in 2015.
I tried many syntaxes and got something like:
Code:
[!] Bad starting point --
Code:
[!] Bad ending point --
Code:
[!] unknown options
This is the kind of syntax I used:
Code:
(strings --force)* --mode 3 --start [08/]2012 --end [12/]2015
Code:
(strings --force)* --mode 3 --start 082012 --end 122015
* The basic command is correct as I can recover the PIN with the "normal brute force" (3 minutes to go back to August 2012; for me it is definitely faster now than with pixiedust 1.1 ;)).
English is not my first language so I can easily get lost on stupid "details" and obvious stuff, so sorry if my question is "stupid" but... I don't get it :D
From December 2015 to August 2012 would be (it's not correct, please continue reading): --start 12/2015 --end 08/2012
In CLI programs square parenthesis usually denote some optional parameters/arguments '[...]'. When I write [mm/]yyyy I mean you can write directly a year in the yyyy form, say 2015, or specify year and month, mm/yyyy (for January would be 01/2015). See the image on my post.
Now a slight problem. If you notice I wrote '--start 12/2015 --end 08/2012', instead of '--end 12/2015 --start 08/2012'. The first would be the correct way of doing things because of how I implemented things. The program executes the bruteforce backwards (yes I could've considered --start as the end and --end as start internally). Instead I've decided to make it so that those two arguments can be swapped. So '--start 12/2015 --end 08/2012' and '--end 12/2015 --start 08/2012' are identical.
In any case, the program will always assign the 1st day for the month specified (or the 1st day of the 1st year if month is not specified). This means that if you use 12/2015, it will do the bruteforce (assuming going backwards) from the 1st of December 2015. If you want to bruteforce the month of december as well you will need to specify 2016 or 01/2016 (both equivalent).
Now that I think about it, maybe it's a bit counter-intuitive and misleading. I should probably change it so that the greater date would be done from the last day of the month. For example --start 12/2015 --end 01/1970 would be:
31/12/2015 to 01/01/1970
What do you think?
Also, for how I did things, the program will complain if you specify a date in the future say --start 2017. I don't remember if it was intentional or not. However if you specify only one date (or start or end, not both) the current machine time will be used for the other:
- only --start 1970 will do from today (including seconds, minutes ...) to Epoch (0).
- only --end 1970 will do from today (including seconds, minutes ...) to Epoch (0).
Because remember, you can swap them. See --help.
[!] Unknown extra argument(s)! means you put one or more extra (unknown) argument(s) somewhere, some example would be:
- pixiewps ... -f 3 (-f doesn't accept arguments, yes I should've used -F, my bad)
- pixiewps ... --start 08 2012 (extra space, 2012 is seen as an extra argument)
- pixiewps ... random_string_that_doesnt_start_with_the_dash
Yes the latest versions on github are faster (maybe even 2x, 3x) than the ones packaged in Kali. The difference is made by some compiling optimization options I didn't add when I first released version 1.1.
Also now the choice of modes (auto, when --mode is not specified) is made by looking at the PKe (which is static for Realtek devices) and the nonce.
If you want to see what's going on under the hood compile using 'make debug', although it may break compatibility with Reaver, Bully or some 3rd party scripts so be aware.
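As an added illustration of the --start/--end window semantics wiire describes above (optional month, swappable arguments, first day of the month, one missing bound defaulting to the machine time, future dates rejected, stray tokens reported as unknown extra arguments), here is a small Python model; it is example code written for this thread, not pixiewps's own parser, and the "now" timestamp and argument lists used with it are constructed.

```python
import re
import time
from datetime import datetime, timezone

# '[mm/]yyyy': an optional 1-2 digit month followed by a 4-digit year.
_POINT_RE = re.compile(r"^(?:(\d{1,2})/)?(\d{4})$")


def parse_point(text):
    """Turn '[mm/]yyyy' into a UTC timestamp for the 1st of that month at 00:00:00.
    A bare year means January, so '2015' and '01/2015' are the same point."""
    m = _POINT_RE.match(text)
    if not m:
        raise ValueError("not in [mm/]yyyy form: %r" % text)
    month = int(m.group(1)) if m.group(1) else 1
    year = int(m.group(2))
    if not 1 <= month <= 12:
        raise ValueError("month out of range: %r" % text)
    return int(datetime(year, month, 1, tzinfo=timezone.utc).timestamp())


def seed_window(start=None, end=None, now=None):
    """Return (newest, oldest) seed bounds for a search that runs backwards.
    The two options are interchangeable; a single option is paired with the
    machine time; neither option means 'today back to Epoch (0)'."""
    now = int(time.time()) if now is None else now   # 'now' is injectable for tests
    points = []
    for label, value in (("starting", start), ("ending", end)):
        if value is None:
            continue
        try:
            ts = parse_point(value)
        except ValueError as exc:
            raise ValueError("[!] Bad %s point -- %s" % (label, exc))
        if ts > now:  # the thread notes a future date is refused
            raise ValueError("[!] Bad %s point -- %s is in the future" % (label, value))
        points.append(ts)
    if not points:
        return now, 0
    if len(points) == 1:
        points.append(now)
    return max(points), min(points)


def seed_to_utc(seed):
    """Render a PRNG seed the way the thread's log shows it, e.g. 1344584425."""
    return datetime.fromtimestamp(seed, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def parse_argv(argv):
    """Minimal model of the option handling discussed: --start/--end/--mode take one
    value, -f/--force takes none, anything left over is an unknown extra argument."""
    opts = {"start": None, "end": None, "mode": None, "force": False}
    extra = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("--start", "--end", "--mode"):
            if i + 1 >= len(argv):
                raise ValueError("[!] %s needs a value" % arg)
            opts[arg[2:]] = argv[i + 1]
            i += 2
        elif arg in ("-f", "--force"):
            opts["force"] = True
            i += 1
        else:
            extra.append(arg)  # e.g. the '2012' in '--start 08 2012', or the '3' in '-f 3'
            i += 1
    if extra:
        raise ValueError("[!] Unknown extra argument(s)! %s" % " ".join(extra))
    return opts
```

Running parse_argv on the "--start 08 2012" and "-f 3" forms from the post reproduces the unknown-extra-argument error, while "--start 12/2015 --end 08/2012" and its swapped form yield the same window.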
Thanks for this very complete and detailed explanation :)
Tricky question.
Quote:
Now that I think about it, maybe it's a bit counter-intuitive and misleading. I should probably change it so that the greater date would be done from the last day of the month. For example --start 12/2015 --end 01/1970 would be:
31/12/2015 to 01/01/1970
What do you think?
My first idea when I hear "start in January 2015" would be that it means the first of January 2010 at 00:00 am.
But if I consider that the brute force goes only backward, then it makes sense to think that the start point is actually the 31st of January 2015 at 23:59 :D
I guess that the most relevant system is the one that sticks best to the program's process, regardless of the representations that everyone has about what a "start point" is.
So I think that this modification is a good idea.
We could do it like that:
Code:
--start 01/2015 --end 01/2015
to brute force the month of January, which makes sense and is straightforward.
And if I put
Code:
--start 022015 --end 012015
I will naturally expect to brute force months 01 and 02 with this command, not just one.
Okay :D
Quote:
Yes the latest versions on github are faster (maybe even 2x, 3x) than the ones packaged in Kali. The difference is made by some compiling optimization options I didn't add when I first released version 1.1.
That's what I noticed, but the difference was so huge that I was not sure if I wasn't freaking out.
With the "old" one I brute forced one year in about 6 minutes.
With the newest version it took me a bit less than 3 minutes to make the full brute force back to 2012.
3 times faster! :cool:
Code:
Pixiewps 1.2
[*] PRNG Seed: 1344584425 (Fri Aug 10 07:40:25 2012 UTC)
(...)
[*] Time taken: 3 s 499 ms
thanks again for this very nice improvement and for your answer.
Thank you for this new release :D I have a question about the new --start 05/2015 --end 04/2015 arguments; I didn't understand them :confused: What is their purpose... and what about the -f argument, is it replaced with -v?
What don't you understand?
https://github.com/wiire/pixiewps
Sorry, my knowledge about these things is limited! I want to know how this date range works: is it necessary to get the PIN or what, LoL! I don't know what its purpose is, thank you.
Everything is explained in the "bible" :D
WPS Pixie Dust Attack (Offline WPS Attack)
Quote:
Originally Posted by soxrok2212
Thank you, I understand a bit now LoL! I still don't know how to use it and when, but I will find out by trying it :D
I'll give you an example and switch on my router for testing.
The default SSID is in use (like 90% of the networks I can reach from my room) and gives us the model...
Code:
CH 11 ][ Elapsed: 6 s ][ 2016-01-21 00:35
BSSID              PWR RXQ  Beacons #Data, #/s  CH  MB   ENC  CIPHER AUTH WPS      ESSID           MANUFACTURER
B8:55:10:02:F0:A1  -23  92       57     0    0  11  54e  WPA2 CCMP   PSK  1.0 DISP,PBC TOTOLINK N301RT Zioncom Electronics (Shenzhen) Ltd.
BSSID              STATION            PWR   Rate   Lost   Frames  Probe
root@pr0fesoraBubbleVanAppletrudell:/home/kcdtv# sudo airmon-ng stop wlan0mon
A quick check on the web and I learn that the device is kind of old, with no new firmware for a long time, and that it has a Realtek chipset (I could see the Realtek chipset in its probes, but anyway reaver or bully will do it for me in full verbose mode).
As I read the bible from soxrok2212 I know that Realtek chipsets can be "pixiedusted", so I launched reaver or bully to get the strings for pixiewps and executed pixiewps.
http://pix.toile-libre.org/upload/or...1453334051.png
Now, as I am a good hacker, I checked a little on the web and saw that this router is from 2012, and as I am a master in "social engineering" :p I know that 79.67% of people never ever update their firmware.
And I see in the download list that the original firmware is from August 2012.
So I decided to make a brute force on the month of August 2012 instead of brute forcing from today to 1970 (which is what the option --force used alone will do).
http://pix.toile-libre.org/upload/or...1453334541.png
It would have taken me around 4 or 5 minutes if I had used the option --force without adding a start point and end point.
Cheers