Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #501
    though I'm assuming hostapd and some magic could make it work.
    exactly
    For all the side traffic redirection, fake pages, exploits or whatever, it is possible to use the tools designed for that.
    About the WPS, koala explains in his tutorial how to activate it in a loop (using hostapd) with a dirty but efficient single line
    Code:
    while : ; do sudo hostapd_cli wps_pbc ; sleep 120 ; done &
    That does the job of having your WPS PBC activated in a loop, ready to grab the clients.

  2. #502
    MTeams has been working with RogueAP setups and WPA phishing for over five years, starting with techdynamics' WPA phishing programs.

    Any client that has a WPA key already loaded into the wifi management software for a specific ESSID cannot associate to an open RogueAP of the same name unless the client removes the WPA key from the setup.

    To defeat this when WPA phishing, the help files of MTeams' Pwnstar9.0, which is designed for WPA phishing, suggest you enter an ESSID that looks the same to the human eye BUT is not the same to the computer. One way to do this is to add five to eight spaces and then a period to the ESSID, hence:

    "HOMEWIFI" would be "HOMEWIFI five spaces and a period ."

    If you just use spaces, some wifi management software ignores the spaces unless the spaces are between characters.

    If you add too many spaces you can get strange effects in both client and RogueAP software.

    Next DDOS the targetAP and hope the client tries to associate to the RogueAP of almost the same name.

    The type of DDOS may require a separate wifi device. The only DDOS that allows the device supporting the RogueAP to also perform the DDOS is mdk3 d Deauthentication / Disassociation Amok Mode.

    If you use mdk3 g or aireplay-ng -0 you need to separate the RogueAP channel at least three or more channel numbers from the targetAP, and you will require a separate wifi device or you will end up DDOSing the RogueAP due to the proximity of the wifi devices.

    Do not use mdk3 t Probe as it can crash airodump-ng and scanners.

    Association: If you use a name similar to the targetAP's, the name is different to the computer, and the client's computer then associates easily as the system is open. But the client must choose to do so.

    However, when the client associates and tries to call up an https address, this normally sets off a certificate warning.

    To beat that MTeams wrote an HTTPS trap feature into Pwnstar9.0. When the client requests an https address the web page is passed on without a certificate warning. When the client requests an http address the fake webpage is expressed on the client's screen.

    As soxrok2212 notes, this is not so straightforward as it appears. Only a new client which has yet to input a WPA key into the wifi management software will associate easily, and even then there are problems. In the end there is a high degree of social engineering skill required to make this work. MTeams has had equal success with just leaving a RogueAP running and walking away. The next morning we find all sorts of passwords, including WPA keys, loaded in the RogueAP.

    Musket Teams
    Last edited by mmusket33; 2016-02-05 at 02:40.
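The lookalike-ESSID trick described in this post (trailing spaces plus a period, an open network with a name that matches yours to the eye) is easy to spot from the defender's side in a scan list. The following is an added example, not from the post or from Pwnstar; the scan rows, BSSIDs and function names are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample: the networks we own (ESSID -> known BSSIDs, lowercase).
KNOWN_APS = {"HOMEWIFI": {"aa:bb:cc:dd:ee:01"}}

# Constructed scan rows as a scanner such as airodump-ng would list them:
# (ESSID, BSSID, privacy). Only the first row is our real access point.
OBSERVED = [
    ("HOMEWIFI", "aa:bb:cc:dd:ee:01", "WPA2"),        # legitimate AP
    ("HOMEWIFI      .", "02:11:22:33:44:55", "OPN"),  # spaces + period trick
    ("HOMEWIFI", "02:66:77:88:99:aa", "WPA2"),        # same name, unknown BSSID
    ("HOMEWlFI", "02:de:ad:be:ef:00", "OPN"),         # lowercase L in place of I
    ("CoffeeShop", "02:ca:fe:00:00:01", "OPN"),       # unrelated network
]

# A few characters commonly swapped to fool the eye; extend as needed.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "0": "o", "|": "i"})


def normalize(essid: str) -> str:
    """Collapse the tricks the post describes: Unicode variants, repeated or
    trailing whitespace, trailing periods, letter case and look-alike glyphs."""
    s = unicodedata.normalize("NFKC", essid)
    s = re.sub(r"\s+", " ", s).strip()
    s = s.rstrip(" .")
    return s.casefold().translate(HOMOGLYPHS)


def find_lookalikes(observed, known):
    """Return (essid, bssid, reason) for each scanned AP that imitates one of
    our ESSIDs but is not one of its known BSSIDs."""
    norm_known = {normalize(k): k for k in known}
    findings = []
    for essid, bssid, privacy in observed:
        target = norm_known.get(normalize(essid))
        if target is None:
            continue                      # not pretending to be one of ours
        if bssid.lower() in known[target]:
            continue                      # one of our own radios
        if essid != target:
            reason = f"lookalike ESSID of {target!r}"
        else:
            reason = f"unknown BSSID broadcasting {target!r}"
        if privacy == "OPN":
            reason += ", open network"    # the rogue AP in the post is open
        findings.append((essid, bssid, reason))
    return findings


if __name__ == "__main__":
    for essid, bssid, reason in find_lookalikes(OBSERVED, KNOWN_APS):
        print(f"{bssid}  {essid!r:20}  {reason}")
```

Feed it the ESSID/BSSID/privacy columns of a periodic scan and alert on any row returned.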

  3. #503
    Reaver is not working with a ZTE router. It cannot get E-HASH1 and E-HASH2. What is a way to get E-HASH1 and E-HASH2 from a ZTE router?

  4. #504
    When I tried wifiphisher on my wireless, I noticed that my laptop didn't feel any difference. My mobile phone keeps disconnecting, but always reconnects to the WPA connection, not the fake one, no matter if I use mdk3 or aireplay. It only connects to the fake one if I manually disconnect from my router, so it's hard that someone does that. I didn't try coming from outside though, and maybe the phone will connect first to the fake one if the signal is stronger. mmusket33 is right: maybe leave it by itself, walk away and hope that someone will get tricked. Lately I tried my luck with nmap since my USB antenna is almost ruined because of overusing mdk3. Reaver and bully are of no use as well since I have all new routers near, so... (speaking the truth, I have had more success and speed retrieving the pin with bully pixiedust and connecting through jumpstart.) Until a new method, I'll stay put. Thanks for the explaining, mmusket.

  5. #505
    If you use mdk3 g or aireplay-ng -0 you need to separate the RogueAP channel at least three or more channel numbers from the targetAP and you will require a separate wifi device or you will end up DDOSing the RogueAP due to the proximity of the wifi devices.

    Do not use mdk3 t Probe as it can crash airodump-ng and scanners
    Thanks. What is the best tool for a deauth attack against clients in the network? Between mdk3 and aireplay-ng, which one is better and works in any situation?
    Last edited by eddie; 2016-02-06 at 15:14.

  6. #506
    I am ok with Pixie Dust.
    I have a question about consecutive cracks of the same AP within minutes resulting in different hex 64 character answers.
    The game is afoot !

  7. #507
    Quote Originally Posted by eddie View Post
    Thanks. What is the best tool for a deauth attack against clients in the network? Between mdk3 and aireplay-ng, which one is better and works in any situation?
    They're both the same.

    Quote Originally Posted by helen2016 View Post
    I am ok with Pixie Dust.
    I have a question about consecutive cracks of the same AP within minutes resulting in different hex 64 character answers.
    The game is afoot !
    Try using AAnarchYY's bully: https://github.com/aanarchyy/bully

  8. #508
    and it's @ version 1.1 https://github.com/aanarchyy/bully not 1.0-24



    *geez good thing I'm around here to check on everything, all the time*

  9. #509
    Hi,

    I have a raspberry pi B and TP-LINK WN722N usb card.

    I tried reaver but i am getting pin not found.
    Tried pixieWPS with all the arguments and again pin not found.

    I googled to find a solution but found nothing.
    Please help.

    All apps are updated. I tried Kali but had issues, so I decided to make my distro from Debian. All are working fine except pixieWPS.

    The router i am trying is next to the usb card and it is a TP-LINK TL-WR741ND.

  10. #510
    You have to check the wifi chipset of your device. I did it for you:

    Atheros, no doubt about it.
    So now you know why it doesn't work...
    (A good place to have a look to get information for your device is https://wikidevi.com/wiki/TP-LINK_TL-WR741ND_v4.3)

  11. #511
    Hi,

    Thank you for the reply.
    I was reading about it at the time you were posting.

    1) Is it possible to find the password in this router?

    2) I have another router in my house which is a ZTE Speedport Entry 2i. I opened it and inside it has this chip:
    - Broadcom BCM6338
    I searched for this one and didn't find anything. Does it mean that I can't use pixieWPS?

  12. #512
    Why don't you just try it and see what happens?

  13. #513
    Quote Originally Posted by Yvette
    1) Is it possible to find in this router the password?
    If the default password is still in use and is weak then yes, otherwise no.
    But that's totally another subject than "WPS Pixie Dust Attack (Offline WPS Attack)", isn't it?

  14. #514
    Well, it's been over a year since I made this thread. 265,000 views and 13 months later, manufacturers STILL have yet to resolve this problem. Actually, the initial disclosure of the attack was published in August of 2014, meaning it has been about 18 months! This is pathetic. 18 months and this HUGE vulnerability STILL exists!

    First and foremost, a big :P to all of those who said this would be a waste and it would be patched quickly.

    Second, I hope I didn't say all this too soon, I just read that ASUS was sued due to some extreme vulnerabilities they had in the past few years: http://www.smallnetbuilder.com/wirel...security-flaws I guess they are dedicating a team to finding and fixing these vulnerabilities. I'm not sure what exactly they will be doing but I'm sure it will be interesting to see how it turns out!

    Thanks for all the support guys and as always, if you find any vulnerable and/or NOT vulnerable devices, please report them here!

  15. #515
    To Saydamination:
    Did you successfully get the Realtek RTL8671's pin?

  16. #516
    Is pixiedust going to support ZyXEL modems?

  17. #517
    Pixiewps is for wireless systems, not modems. And it depends on the chipset as you can read on the first page of this thread.

  18. #518
    Quote Originally Posted by soxrok2212 View Post
    Pixiewps is for wireless systems, not modems. And it depends on the chipset as you can read on the first page of this thread.
    I understood. Actually I just want to ask about ZyXEL's modem chipsets. Like D-Link, Broadcom, what else. I don't know which chipset is used in ZyXEL modems.

  19. #519
    D-Link is not a chipset, it is a manufacturer. ZyXEL probably uses every chipset on the market for different applications. There is no 1 chipset for a specific manufacturer.

  20. #520
    To soxrok2212:

    MTeams received a report that surprised us, in that it appears the WPS PIN was also the WPA key.

    Barring the user entering the WPS PIN as a WPA key in the wifi management software, we are wondering if the DDOS process that VMR-MDK subjects the router to has caused this, or there is a glitch in the firmware turning the WPS PIN into the WPA key.

    Obviously anyone trying to crack this router with brute force should run an eight character numeric string passthru with crunch first:


    Comment was

    Got working on Kali Rolling with Locked AP TL-WR842ND. Not too much to wait though
    Pin and Key were the same: 45576072


    http://forum.aircrack-ng.org/index.p...ic,868.45.html

    MTeams

    We did find this:

    http://gizmodo.com/a-simple-security...s-i-1705980884
    Last edited by mmusket33; 2016-03-03 at 07:49.

  21. #521
    TP-Link is known to use the same 8 char WPS PIN as the WPA key. Also happened on a TL-WDR4300.

  22. #522
    I have a TP-Link router right next door to me that has the PIN and PSK the same 8 digit numeric.

  23. #523
    Some models indeed have this "fantastic" configuration for the default PIN and WPA passphrase.
    You can check default settings for quite a lot of models if you sneak around the web interface emulators that TP-Link provides: tp-link emulators

  24. #524
    I made a detailed writeup of the vulnerability available here: http://division0.net/wps-pixie-dust.html

    If you are looking for more technical details, check out that post!
    Last edited by soxrok2212; 2016-03-04 at 22:09.

  25. #525
    Just to say that your site has a problem, my friend...
    I can ping it but I get error 404 if I try to browse it.
    If you didn't know what to do this Sunday, I found you some activities.
    Take care

  26. #526
    Yesterday it was working. Today... The requested URL /wps-pixie-dust.html was not found on this server. Happy html'ing

  27. #527
    Quote Originally Posted by kcdtv View Post
    Just to say that your site has a problem, my friend...
    I can ping it but I get error 404 if I try to browse it.
    If you didn't know what to do this Sunday, I found you some activities.
    Take care
    Hahahahaha

    Quote Originally Posted by bob79 View Post
    Yesterday it was working. Today... The requested URL /wps-pixie-dust.html was not found on this server. Happy html'ing
    Working on it now

    UPDATE: Should be fixed now
    Last edited by soxrok2212; 2016-03-06 at 18:24.

  28. #528
    To

    You may find this interesting

    We received the following report from devilsadvocate

    Also, I would like to report some behavior that I have witnessed on some Netgear APs. It seems that some Netgear APs are aware that Reaver always starts with the code, "12345670". The result of this is that those routers will WPS lock right away. I haven't found a workaround yet (if there even is one). I realize that a mod to Reaver may be necessary. Is there a version of Reaver that doesn't use "12345670" right from the start?

    MTeams answer

    There is a reaver program called ryreaver-reverse. There is no installation; you run the program with ./ryreaver-reverse from root. You must use the --session=<> command to save the work or the program starts the attack all over again. It also does not support pixiedust, but you can test for pixiedust data sequences with the normal reaver program by setting --pin= to some pin other than 12345670. Then use PDDSA-06.sh to test for the pin. If no pin is found you can restart ryreaver-reverse.

    See
    http://forum.aircrack-ng.org/index.p...ic,868.45.html

    Musket Teams

  29. #529
    You could also try bully: https://github.com/aanarchyy/bully It starts on a random pin.

  30. #530
    Howdy,

    Do we have a WPS known pin database anywhere? I would like a simple .txt file with MAC | Known PIN.

    In other words, in some cases there seems to be a direct relation between vendors/MAC and the first few pin numbers. Like for example, E8:39F: = 18XXXXXX [insert 'NO WAY!!' emoticon here]

    Please answer with a positive and link, or I will be in a bad mood for the rest of the day. Thank you.

  31. #531
    Quote Originally Posted by soxrok2212
    UPDATE: Should be fixed now
    The site works perfectly now
    Very nice web, good job!

  32. #532
    Amped Wireless SR10000 is vulnerable. BCM8xxx. 121 seconds creds dumped. I don't see it listed in the database.

  33. #533
    Can you post Reaver/Bully output? Would like to confirm, wikidevi says it's Realtek: https://wikidevi.com/wiki/Amped_Wireless_SR10000

  34. #534
    Sure will do

    I stand corrected. It is the same as listed on the site you linked. The RTL8196C is already listed in the db under other brands anyway.

    AmpedSR10000.jpg
    Last edited by ParanoiA609; 2016-03-23 at 23:52.

  35. #535
    I figured. Thanks for the confirmation.

  36. #536
    First success today with pixie dust attack!
    It took about 7 seconds only!

  37. #537
    Nice tool, especially with K1, K2 and K3.
    But it does not work with my TP-Link router... when I put in the correct pin, reaver works awesome.

    Any idea to make reaver use a pin list created with crunch?

    Example: reaver -i wlan0mon -b 11:22:33:44:55:66 -c 11 -p /root/pins.txt

    If the router does not have WPS locked... reaver will be a famous tool for hacking wpa/wps.

    Thanks, just an idea.. ☺

  38. #538
    What would the benefit be? Reaver follows a set sequence and Bully just chooses PINs at random. There will always be 11,000 possibilities no matter what.

  39. #539
    Any idea to make reaver use a pin list created with crunch?
    Reaver doesn't have such an option... but it is not very hard to do though:
    Create your PIN dictionary following the pattern used for *.wpc files:
    - Put 0 for the 3 numbers used as headers (index p1, index p2, boolean for getting or not the first half)
    - Put your 10000 first halves
    - Put your 1000 second halves (the last digit is a checksum, reaver generates it live)
    Call your file whatever.wpc and when you launch reaver just use the -s option with the full path to your *.wpc file
    Code:
    -s, --session=<file>            Restore a previous session file
    Have a look at some *.wpc file and you will understand how it works...

    By the way: why didn't you ask this question in the thread about reaver instead of here?
    Last edited by kcdtv; 2016-04-29 at 11:51.
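The check digit kcdtv mentions (the 8th PIN digit that reaver generates live) is the standard WPS PIN checksum, and it also explains why the 10000/1000 split exists. The following is an added example, not from the thread or from reaver, bully or the MTeams scripts: it implements that checksum and uses it to audit a WPA passphrase for the TP-Link "PIN equals key" pattern reported in #520 and #521, so a defender can check their own router's default key; the function names are my own.

```python
def wps_checksum(first_seven: str) -> int:
    """WPS PIN check digit: weights 3,1,3,1,3,1,3 over the first seven digits,
    then the complement of the sum modulo 10."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven digits")
    accum = 0
    for i, ch in enumerate(first_seven):
        weight = 3 if i % 2 == 0 else 1
        accum += weight * int(ch)
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct check digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def split_pin(pin: str) -> tuple:
    """(first half, second half) as the .wpc layout stores them: 4 digits
    (10000 candidates) and 3 digits (1000 candidates); the check digit is not
    stored because it is derived, which is why the search space is 11000."""
    if not is_valid_wps_pin(pin):
        raise ValueError("not a valid WPS PIN")
    return pin[:4], pin[4:7]


def audit_passphrase(psk: str) -> list:
    """Defender-side findings for a WPA passphrase (router default or chosen).
    An 8-digit numeric key is weak on its own; one that is also a well-formed
    WPS PIN is the pattern the TP-Link report in this thread describes."""
    findings = []
    if psk.isdigit() and len(psk) == 8:
        findings.append("8-digit numeric passphrase: trivially brute-forced")
        if is_valid_wps_pin(psk):
            findings.append("passphrase is a well-formed WPS PIN; "
                            "verify it is not also the device's WPS PIN")
    return findings


if __name__ == "__main__":
    # 12345670 is reaver's first PIN; 45576072 is the key from the report above.
    for candidate in ("12345670", "45576072", "12345678", "correct horse"):
        print(candidate, is_valid_wps_pin(candidate), audit_passphrase(candidate))
```

If the audit flags your own key, change the WPA passphrase to something unrelated to the PIN and disable WPS, since the PIN itself remains brute-forceable.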

  40. #540
    BSSID: 38:3B:C8:2D5:EA
    ESSID: ATT982mxZ9
    MANUFACTURER: Pace
    MODEL: Pace
    MODEL NUMBER: 123456

    trying to post WPS data up but gives me a firewall error ... this AP is not vulnerable
    Last edited by audiorulz4u; 2016-05-02 at 13:36.

  41. #541
    Quote Originally Posted by audiorulz4u View Post
    BSSID: 38:3B:C8:2D5:EA
    ESSID: ATT982mxZ9
    MANUFACTURER: Pace
    MODEL: Pace
    MODEL NUMBER: 123456

    trying to post WPS data up but gives me a firewall error ... this AP is not vulnerable
    Thanks, added to the database.

    Btw, 500th post!

  42. #542
    Quote Originally Posted by soxrok2212 View Post
    Thanks, added to the database.

    Btw, 500th post!
    Any update to PixieWPS? I'd like to know if you're planning to add some possibilities with Cisco routers.

  43. #543
    Cisco hasn't made routers for several years: their "router" division was bought by Belkin.
    If you read the first post carefully you will understand that your question is not relevant.
    The pixie dust attack is first and above all a question of wifi chipset.
    So if your device has a vulnerable chipset then it can be vulnerable, whichever the access point manufacturer is.

  44. #544
    Netgear WN3000RP_V2
    MediaTek MT7620A - (Already documented under different manufacturers)
    Netger_WN3000RP_V2.jpg

    Linksys WRT110
    Ralink RT2780/RT2720
    Linksys_WRT110.jpg

  45. #545
    Quote Originally Posted by ParanoiA609 View Post
    Netgear WN3000RP_V2
    MediaTek MT7620A - (Already documented under different manufacturers)
    Netger_WN3000RP_V2.jpg

    Linksys WRT110
    Ralink RT2780/RT2720
    Linksys_WRT110.jpg
    Thanks, added both.

    Also to everyone, if you find some that are not vulnerable please list them here as well as those that are vulnerable.

  46. #546
    Netgear C3700-100nas modem / router
    Broadcom BCM43227 / BCM43228
    Not vulnerable
    netgear_c7000-100nas.jpg

  47. #547
    Hi, I've tried to hack the WLAN of a Fritz 7390, but it keeps trying the same PIN and always getting an error.
    Does it mean it is not possible to hack it?
    Does someone have experience against the Fritz 7390 WLAN?
    Thanks.

  48. #548
    Manufacturer AVM Fritz!Box is not vulnerable to pixie dust or the normal WPS attack with reaver or bully.

    Both the WPS-PBC and the WPS PIN method can only be used to set up a secure wireless connection to the FRITZ! Box within 2 minutes of powering up.
    After 2 minutes or after a successful connection, the WPS method on the FRITZ! Box is automatically deactivated.

  49. #549
    Thank you Laserman 75.
    So in general, there is nothing to do to hack the wifi of an AVM Fritz box 7390?
    Could it work to use Fluxion and try to get lucky while someone is connected?
    Any suggestion or advice would be helpful.
    Thanks in advance.

  50. #550
    Yes.
    How can I hack the password then?
    Is there no possibility to violate the FRITZ! box?

    Quote Originally Posted by Laserman75 View Post
    Manufacturer AVM Fritz!Box is not vulnerable to pixie dust or the normal WPS attack with reaver or bully.

    Both the WPS-PBC and the WPS PIN method can only be used to set up a secure wireless connection to the FRITZ! Box within 2 minutes of powering up.
    After 2 minutes or after a successful connection, the WPS method on the FRITZ! Box is automatically deactivated.
