Page 12 of 12 FirstFirst 123456789101112
Results 551 to 583 of 583

Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #551
    Join Date
    2013-Jul
    Posts
    844
    To Paulnewman

    Outside of brute forcing a handshake or wpa phishing there are three(3) possibilities. Chances of success are SMALL, may not be immediate and these attacks may not work at all!

    Method One

    Some routers when subject to small amounts of DDOS release WPS pins even though the WPS system is locked. You can test this vulnerability by using one of the VMR-MDK variants.

    Method Two

    Some routers reset their WPS pins to 12345670 and become open to WPS pin collection for short periods of time. You can run reaver or bully with the pin 12345670 in the command line and constantly attack the router a for long period of time(ie weeks). Better just run up varmacscan when your computer is idle and you may get lucky.

    Method Three

    Some routers reset after being subjected to heavy DDOSing. Mteams has not had much success with Method Three.

  2. #552
    Join Date
    2016-Jun
    Posts
    4
    i try use the suggested script VMR-MDK with standard parameters but I always get same errors.
    On a first router:
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Entering recurring delay of 15 seconds
    On a second router:
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670.

    In both case the command wash shows that wps is not locked but the system try always the same PIN 12345670 and don't go forward....
    Last edited by Paulnewman; 2016-06-12 at 13:31.

  3. #553
    Join Date
    2013-Jul
    Posts
    844
    To Paulnewman

    If the wps system is OPEN then VMR-MDK is not the tool of choice.

    MTeams suggests you use the command line first in most cases where the WPS system is open. Try both reaver and bully.

    There are many reasons why you cannot get reaver to collect pins. You might put the --wps command in aerodump-ng, point it at your target by adding the -c channel and --bssid see what information aerodump-ng supplies.

    In the end you may have to resort to brute force by collecting a handshake. Remember approx 50% of the WPA keys are simple numeric strings 8 to 10 in length. Back when reaver was king MTeams collected 100's of WPA keys and the 50% rule was obtained. In fact over half of these numeric strings were mobile telephone numbers and a small number of landline numbers with and without the area code.

    MTeams

  4. #554
    Join Date
    2016-Jun
    Posts
    1
    hi, i know it's a little off topic to pixie's,
    is there any possible way to force the router to reset to it's default factory setup? with wps disable router or forcing wps to enable?

    tried cracking AP with dictionary attack but no luck..

    thanks in advance!
    Last edited by tomodachimo; 2016-06-20 at 08:18.

  5. #555
    Join Date
    2015-May
    Posts
    25
    To mmusket33

    I have a TP-Link router TL-WR740N, seems like it is impossible to crack the WPS PIN

    First I tried the Wifite, Pixie dust attack- within seconds it says WPS PIN not found

    tried reaver with delay of 10-15 seconds - doesn't help as the router still locks after few wrong WPS PIN attempts

    I tried VM-MDK script, for the first few seconds I get the M1 till M4 messages and then it says " WPS transaction failed, code 0x04"

    I tried the Varmacscan, no luck there either.

    So I want to know, is there a way to crack the pin of locked WPS routers? Usually the routers locks automatically after few failed pin attempts?

    WPA handshake and cracking with wordlist is about luck, if only the passphrase is in the wordlist.

    Note: I did crack the Dlink routers with Wifite(pixie-dust) within seconds, works perfectly.

    It's just the new routers which are hard to crack.

    Running Kali 2.0 Sana all tools updated to the latest.

    Please help. Thanks in advance

  6. #556
    Join Date
    2015-May
    Posts
    18
    To machx: I have same problem with newer routers as well, almost any of those i have in range are pretty new and updated technicolor-routers so not much luck there.
    But i have recently start to play with wifiphisher instead and have a lot of sucess with that tool.
    Before i had hard to belive that people are so naiv and easy to trick so never bother before to test this way, but now i have change my mind.
    Give it a try^^

  7. #557
    Join Date
    2015-May
    Posts
    25
    To squash,

    I'll give it a try, thanks a lot, running out of luck,will keep it updated here after the test.

  8. #558
    Join Date
    2015-Apr
    Posts
    29
    Quote Originally Posted by machx View Post
    To mmusket33

    WPA handshake and cracking with wordlist is about luck, if only the passphrase is in the wordlist.
    You can crack WPA with crunch.

  9. #559
    Join Date
    2015-May
    Posts
    25
    I had my luck yesterday and I was able to crack with dictionary attack with rockyou.txt
    Others were cracked pixie dust using Wifite
    Rest are still in progress.
    VMR-MDK and Revd3k-r3 and Varmascan doesn't work and no hopes.

    I'm also using default WPS PIN of the router manufacturer and model. It works sometimes
    with default PIN (-p on reaver)

    Still testing, will keep updated

  10. #560
    Join Date
    2016-Sep
    Posts
    8

    having the k 1,2,3 arguments explained like this in the menu would be helpful

    Quote Originally Posted by soxrok2212 View Post
    Just so you know, -K 1,2,3... Each number is for a different chipset. You have to look up which chipset the router uses and then us the corresponding -K 1,2,3 argument.
    I only started looking into all things wireless 2 weeks ago, and have been using -K 1 for all attacks because that is the only thing mentioned, if you put number next to the chipset in the menu that would be more intuitive for those who haven't read the full history of this post. I am going through it because I want to see the development from day dot to current but most people I know don't want to do that amount of research before using tools.

    Awesome work, as a non-coder (hopefully I develop past script kiddie soon) I am in awe of you

    Apologies on posting halfway through reading the entire thread, I jumped the gun a bit.
    Last edited by vinneth; 2016-09-09 at 08:07. Reason: failed to read properly :-)

  11. #561
    Join Date
    2016-Sep
    Posts
    8
    true, but I know that trying to create an accurate wordlist with crunch for bigpond/teltra modems (Australian provider) requires 10 digits, and upper and numerical, the output for that in crunch is 25 petabytes. Not sure I can get that kind of storage, or wait the time for it to be created

  12. #562
    Join Date
    2015-Aug
    Location
    The Pits
    Posts
    87
    Great thread, THANK YOU KALI FORUMS!
    wifiphisher looks neat but since I have to provide the target's internet connection for a period of time I don't think I'll ever use it. Or do I not understand how it works?
    RE: Technicolor modems: The ones I've seen use 15 or 16 characters and apparently no "trick" exists to help guess the pass.

    And now I have my main question: Is the old pixiewps PRNG brute force ever successful? as in:
    [+] Pin not found, trying -f (full PRNG brute force), this may take around 30 minutes
    It never succeeded for me, but my new installation of Kali never runs the PRNG brute force, as the -f option now denotes "force disable channel hopping" instead of "brute force PRNG". If it's a hopeful attack, I'd like to get it back, but how?

  13. #563
    Join Date
    2013-Jul
    Posts
    9
    my router is not listed, so how do i know if it's vulnerable or not? Obviously reaver with -K option finds nothing, because it's not programmed into pixiedust.
    it's a Broadcom
    WPS Model Name: Broadcom
    WPS Model Number: 123456
    AP Serial Number: 1234

    It shows the r-nonce, PKR, authkey, hash1, hash2 ..etc, but it finds nothing, obviously because router is never been tested, so how can i find out if my router is vulnerable to pixiedust attack?
    does someone ever like update the list?
    I also noticed lot of other routers that are not listed. Routers used in Sweden are not listed, some routers used in UK are not listed and most routers used in Finland are not listed either, is this some USA based thing or something?

  14. #564
    Join Date
    2015-May
    Posts
    18
    Quote Originally Posted by mordax View Post
    my router is not listed, so how do i know if it's vulnerable or not? Obviously reaver with -K option finds nothing, because it's not programmed into pixiedust.
    it's a Broadcom
    WPS Model Name: Broadcom
    WPS Model Number: 123456
    AP Serial Number: 1234

    It shows the r-nonce, PKR, authkey, hash1, hash2 ..etc, but it finds nothing, obviously because router is never been tested, so how can i find out if my router is vulnerable to pixiedust attack?
    does someone ever like update the list?
    I also noticed lot of other routers that are not listed. Routers used in Sweden are not listed, some routers used in UK are not listed and most routers used in Finland are not listed either, is this some USA based thing or something?
    I think its most USA router listed cuz most users in this forum lives there.
    But i know pixie works on a lot of routers even in Sweden where i live.

  15. #565
    Join Date
    2013-Jul
    Posts
    9
    Quote Originally Posted by squash View Post
    I think its most USA router listed cuz most users in this forum lives there.
    But i know pixie works on a lot of routers even in Sweden where i live.
    I dont fully understand pixie dust yet. is there any type of "calculator" which can be used to test new routers against pixie dust?

  16. #566
    Join Date
    2015-Aug
    Location
    The Pits
    Posts
    87
    lol mordax, pixiewps is a calculator. If it succeeds, then the router is vulnerable.
    Type this:
    reaver --help
    and read through the options. I seem to recall that there is a -W switch that MIGHT calculate the default PIN for you, if it's a D-Link or Belkin.

  17. #567
    Join Date
    2016-Sep
    Posts
    2
    I have tested a couple of d-link routers and never succeeded.
    I used -K option but failed and -W to generate the default pin but supplying that pin to reaver never seems to work.
    I guessed those routers were not vulnerable but then I tested them with an android app "WPA WPS Tester"and i was able to authenticate successfully..!
    I tried to disassemble the app but coudn't get anything as I dont know andriod or java much.
    If anyone can look at the app, which is available in google play store, may be it will help in wps attacks in future.

    Note: The app generated the same pin as -W switch but reaver or bully couldn't get the passphrase whereas the app succeeded.

    Any help will be appreciated.

    Thanks

  18. #568
    Join Date
    2013-Jul
    Posts
    9
    Quote Originally Posted by John_Doe View Post
    lol mordax, pixiewps is a calculator. If it succeeds, then the router is vulnerable.
    Type this:
    reaver --help
    and read through the options. I seem to recall that there is a -W switch that MIGHT calculate the default PIN for you, if it's a D-Link or Belkin.
    nah you didn't get my question. Pixie dust can only calculate the WPS pin if the algorithm is programmed into the pixie dust (algorithm used by router), but what if the router I tested uses a different algorithm? so what i'm saying, is that how can pixie dust know about the router, if it hasn't been programmed into pixie dust?
    I know for a fact, that there are different algorithms out there that are being used by different routers. That's what i meant under a calculator, something that constantly gets updated with the latest algorithms being used.


    @dek0der if reaver can't get the passphrase from WPS pin, have you tried connecting into the router using WPS pin? For example Windows 10 allows you to connect by using WPS Pin, so do some Android phones. NOTE that connecting to router using WPS pin as passphrase will not work, you have to first select the special option to use WPS Pin, otherwise your OS simply tries the pin as passphrase and fails.
    If router accepts the WPS, but reaver won't find the pass, then you have weak signal. If router doesn't accept WPS, then it means that your router does have default WPS, but it's disabled by default. I have ran across some routers that have it disabled by default, i've checked the settings and WPS is set to "push to activate" mode, so you have to push the button physically on your router and only then it becomes active for about 1 minute.

  19. #569
    Join Date
    2016-Sep
    Posts
    2
    @mordax i m fully aware of all the facts that you u stated...what i m saying is that android app 'WPS WPA Tester' is able to authenticate with AP but reaver fails. I tried it with a rooted phone and saw the password in wpa_supplicant.conf file was NULL...what does that mean..? And how is app able to authenticate with AP while reaver does not produce any results. AP signal is also strong.

  20. #570
    Join Date
    2016-Oct
    Posts
    3
    Hi everybody, Why i get the mesaje Rx(Beacon) = 'Timeout' Next pin xxxxxxxx

  21. #571
    Join Date
    2016-Oct
    Posts
    2
    no matter what router i scan i can't seem to get e-hash1 and e-hash2 from reaver or wireshark. My reaver is the default reaver that comes with the latest kali linux. Any ideas how to get those ? I can get all the rest (Auth key, PKE,PKR etc)

  22. #572
    Quote Originally Posted by squiddymute View Post
    no matter what router i scan i can't seem to get e-hash1 and e-hash2 from reaver or wireshark. My reaver is the default reaver that comes with the latest kali linux. Any ideas how to get those ? I can get all the rest (Auth key, PKE,PKR etc)
    If you include more information you might get good responses, such as the exact command lines you are trying, and the environment your running kali in.

  23. #573
    Join Date
    2016-Oct
    Posts
    2
    Quote Originally Posted by undersc0re View Post
    If you include more information you might get good responses, such as the exact command lines you are trying, and the environment your running kali in.

    not doing anything exotic

    wifi card: RT2501/RT2573 Wireless Adapter
    Reaver version: v1.5.2
    command: reaver -i wlan0mon -b <mac> -c1 -S -vv
    kali version:
    Linux version 4.7.0-kali1-amd64 ([email protected]) (gcc version 5.4.1 20160803 (Debian 5.4.1-1) ) #1 SMP Debian 4.7.5-1kali3 (2016-09-29)

    tried several different routers i'm not getting e-hash1 or e-hash2. I have also tried with wireshark as well but still i see nothing related to e-hash1 and e-hash2 in packets

  24. #574
    Join Date
    2015-Aug
    Location
    The Pits
    Posts
    87
    Hello squiddy, what happens if you add another v:
    reaver -i wlan0mon -b <mac> -c 1 -vvv
    or, what happens if you do:
    reaver -i wlan0mon -b <mac> -c 1 -K -vvv
    Last edited by John_Doe; 2016-10-30 at 22:57.

  25. #575
    did not work with Speedport W724V Type Ci, ZTE ZXDSL 931VII v4 or Zyxel VMG5313-B30

    speedport and zyxel lock wps after few tries and zte turned it off completely. all devices wps reset after power cycle.

  26. #576
    Join Date
    2015-Apr
    Location
    cosmoland
    Posts
    18
    Is it possible to be made script which could use PIN LIST for the half pin1 or for the whole pin with 11 000 possibilitie to imitate original brute-force?
    Because there are some routers which start from 1234| and they only change the second half of the PIN
    p2_index set to 1
    [+] Pin count advanced: 10001. Max pin attempts: 11000
    [+] Trying pin 12340002.

    [P] WPS Manufacturer: ZTE Corporation
    [P] WPS Model Name: ZXHN H118N
    [P] WPS Model Number: ZXHN H118N
    [P] Access Point Serial Number: 123456789012347


    ex:
    kcdtv: Acknowledging the first M5 is enough to create the fake positive for the first half. Problem here is that this M5 should not exist and totally disable the concept of two stages brute force.

  27. #577
    Got the wps pin using "reaver -i wlan0mon -b (insert bssid here) -vvv -W 2 (it is a belkin router) -a -c (insert channel number here), tried to get the passwd using the --pin= option in reaver and it gives me a hash looking thing for the passwd. I still couldn't use that "hash" to connect to the network. I tried to disconnect all AP's from the client as well as changing my mac address to one of the AP's connected on the network, still no success. However, I couldn't help but notice that each time I tried with the passwd I got from pixie, it got NACS errors but every time I tried with a different wps pin than the correct one, it tests it and reports that it didn't work. Kinda stuck here. Some information: WPA and WPS (no WPA2), Belkin chipset, WPS is not locked and is, according to the command "wash -i wlan0mon" at a version 1.0 and it does send out beacons frequently. I'm not very far away from the router, according to the wash command, -59. I just want to learn why this is happening and explore. Since it has WPA enabled as well, I tried to capture a handshake by running aireplay-ng with the 3 and 1 option, as well as aircrack-ng, still got the same wps pin. Tried to de-hash that using an online hash cracker but no use. Tried to connect to the AP using the wps pin (someone mentioned a link that led to the ubuntu forums) and no use.

  28. #578
    Join Date
    2013-Jul
    Posts
    9
    Has anyone checked into Broadcom routers? I think it's vulnerable, but I need to know for sure, can someone test if i send the info? I already posted in this topic before, but didn't get much replies regarding this.

  29. #579
    Join Date
    2015-Nov
    Location
    USA
    Posts
    3
    Look up your device on Wikidevi. If your device contains one of the chipsets as listed above, disable WPS now. If your device does NOT contain one of the chipsets as listed above, disable WPS now.
    This is really good ****

  30. #580
    Join Date
    2013-Apr
    Posts
    4
    What I would be curious to know is why the attack works even if WPS pin is disabled while only push button to connect is enabled.

    Well, I guess that's why WPS should be completely disabled.
    I'm Winston Wolf. I solve problems.

  31. #581
    We started a new thread for collecting data: https://forums.kali.org/showthread.p...ll=1#post75368

  32. #582
    Join Date
    2016-Dec
    Location
    Canada
    Posts
    326
    Quote Originally Posted by wiire View Post
    We started a new thread for collecting data: https://forums.kali.org/showthread.p...ll=1#post75368
    Reaver stores tried # combinations on ur harddrive under cd /etc/reaver. Delete to save room

  33. #583
    Join Date
    2015-Apr
    Location
    cosmoland
    Posts
    18
    Could someone write me an application for bcmon with the new version of reaver 1.6.3 and pixiewps ? tnx

Similar Threads

  1. WPS Pixie Dust Attack (Offline WPS Attack)
    By soxrok2212 in forum General Archive
    Replies: 353
    Last Post: 2015-05-05, 08:32
  2. Reaver modfication for Pixie Dust Attack
    By t6_x in forum General Archive
    Replies: 81
    Last Post: 2015-05-05, 00:55
  3. Pixiewps: wps pixie dust attack tool
    By wiire in forum General Archive
    Replies: 89
    Last Post: 2015-05-04, 19:32

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •