Is this the code you displayed starting around line 148?
Please delete link if not allowed, thanks.
http://trac.umnaem.webfactional.com/...and.cxx?rev=39
You are on the right track
I do have a complete and working PoC program that I use. While it says "few routers", I've found a lot more are vulnerable than one would think. All through trial and error of testing which router has which chipset (Broadcom, Ralink, Atheros, etc.), around 12 of the 20 I've tested on have been vulnerable.
Yeah, share the knowledge if you know something we do not. Thanks
So then, guys & gals....
WPS blackjack attack next?
http://xn--mric-bpa.fr/blog/blackjack.html
The person who prepared this attack (blackjack) is a bit confused about how things work.
First, R-S1 is a random value generated by the Registrar, and it is different from E-S1.
E-S1 remains unknown.
The generation of the Registrar's R-Hash1 has always been known.
What the author is confused about is PSK1: in the data traveling over the WPS protocol, E-S1 and E-S2 are never sent to the Registrar.
R-Hash1 is generated by the Registrar with PSK1, using an R-S1 random number generated by the Registrar.
A check of R-Hash1 is made by the Enrollee, but using the Enrollee's PSK1, and the Enrollee's PSK1 is correct.
Then the Enrollee's R-Hash1 will be different from the Registrar's R-Hash1 because PSK1 is different, and if you have to check all 11,000 possibilities, then you are doing what reaver does, which is to test all known pins.
It is not possible to repeat the message M4 indefinitely because there is a protocol to be followed: it is necessary to go through M1, M2, M3 to then send M4, so it is the same thing as reaver, which is to test all pins.
Apparently the author was confused about where the keys go and who checks them.
The author's error is here:
"The Enrollee sends the first secret nonce, E-S1. The Register knows if the Enrollee knows the first half of the PIN."
This is done the other way around: the Registrar sends R-S1, and the Enrollee knows if the Registrar knows the first half of the PIN.
Another error in the functioning of things:
"Pixie Dust attack blah blah, we have to pretend that the Register creates predictable random number."
The random number is generated in the Registrar, and the Registrar in this case is Kali Linux. How will you generate a random number which you already know? This article has a lot wrong.
Last edited by t6_x; 2015-05-05 at 15:54.
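To make the point of the post above concrete (who commits to which nonce, and who can verify which hash), here is a small model of the M3/M4/M5 commitment exchange. This is an added illustration, not code from the thread, from pixiewps or from the blackjack article. The AuthKey, the Diffie-Hellman public keys PKE/PKR and the PINs are constructed sample values, and the hash layout (secret nonce || PSK half || PKE || PKR) follows the WSC specification as I recall it, so treat that field order as an assumption.

```python
import hmac
import hashlib
import os

# Constructed sample material: not captured traffic, not real keys.
AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # assumed 256-bit AuthKey
PKE = b"\x01" * 192  # stand-in for the Enrollee's DH public key
PKR = b"\x02" * 192  # stand-in for the Registrar's DH public key


def derive_psk_half(auth_key: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, half of the PIN as ASCII).
    Each side derives this from the PIN digits IT holds."""
    return hmac.new(auth_key, pin_half.encode("ascii"), hashlib.sha256).digest()[:16]


def commitment(auth_key: bytes, secret_nonce: bytes, psk_half: bytes) -> bytes:
    """E-Hash1 / R-Hash1: HMAC-SHA256(AuthKey, S || PSK1 || PKE || PKR).
    Field order assumed from the WSC spec for this illustration."""
    return hmac.new(auth_key, secret_nonce + psk_half + PKE + PKR, hashlib.sha256).digest()


def check_commitment(auth_key: bytes, revealed_nonce: bytes,
                     my_psk_half: bytes, received_hash: bytes) -> bool:
    """The verifier recomputes the hash with its OWN PSK half. It can only do so
    once the peer has revealed the nonce, and a mismatch just means the peer
    does not know the same PIN half."""
    expected = commitment(auth_key, revealed_nonce, my_psk_half)
    return hmac.compare_digest(expected, received_hash)


def run_exchange(enrollee_pin_half: str, registrar_pin_half: str) -> tuple:
    """Model M3 -> M4 -> M5 for the first PIN half.
    Returns (enrollee_accepted_registrar, registrar_verified_enrollee)."""
    e_psk1 = derive_psk_half(AUTH_KEY, enrollee_pin_half)
    r_psk1 = derive_psk_half(AUTH_KEY, registrar_pin_half)

    # M3: the Enrollee commits to E-S1 but keeps E-S1 secret.
    e_s1 = os.urandom(16)
    e_hash1 = commitment(AUTH_KEY, e_s1, e_psk1)

    # M4: the Registrar commits to R-S1 and reveals R-S1 (in the encrypted settings).
    r_s1 = os.urandom(16)
    r_hash1 = commitment(AUTH_KEY, r_s1, r_psk1)

    # The Enrollee checks R-Hash1 with ITS OWN PSK1: does the Registrar know
    # the first half of the Enrollee's PIN?
    enrollee_accepts = check_commitment(AUTH_KEY, r_s1, e_psk1, r_hash1)
    if not enrollee_accepts:
        # Enrollee answers with a NACK; M5 is never sent, so E-S1 never leaves
        # the Enrollee and the Registrar has nothing to check E-Hash1 against.
        return False, False

    # M5: only now does E-S1 reach the Registrar, which can finally verify E-Hash1.
    registrar_verified = check_commitment(AUTH_KEY, e_s1, r_psk1, e_hash1)
    return True, registrar_verified


if __name__ == "__main__":
    print("matching first half :", run_exchange("1234", "1234"))   # (True, True)
    print("registrar guesses wrong:", run_exchange("1234", "1235"))  # (False, False)
```

The model shows why the Registrar cannot validate its PSK1 guess against M4 alone: the Enrollee is the party that checks R-Hash1, and E-S1 is only disclosed after that check succeeds. A wrong half therefore yields nothing but a NACK per full M1-M4 round, which is exactly the reaver-style online test described above.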
I have emailed Bongard. I don't think that he's gonna release any tool... Still waiting for a response from you, datahead.