
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    hey soxrok, will the new Bully and t6_x Reaver have to be updated for the new Pixie 1.2.2? Or are they completely independent?
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  2. #2
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    They should work fine

  3. #3
    Bully works just fine ;-)

  4. #4
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    well... I knew the answer to that, AH! Was just checking if you guys were paying attention and what your response time was. 2:15 is kinda slow.

    *hides under the desk, pretends that I'm offline*
    Last edited by Quest; 2016-01-06 at 02:21.

  5. #5
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Maybe someone here knows the answer to this, somewhere on the internets I came across a guy that claimed he found 2 vulnerable Broadcom devices.. anyone know what I'm talking about and have a link?

  6. #6
    How to install this new bully pixiewps on Kali 2.0?
    Please send the code to install it and also how to use it?
    Is there any benefit over reaver, or more vulnerability to other routers?
    Please reply asap.

  7. #7
    Join Date
    2015-Apr
    Posts
    29
    Quote Originally Posted by Kaushalrocks View Post
    How to install this new bully pixiewps on Kali 2.0?
    Please send the code to install it and also how to use it?
    Is there any benefit over reaver, or more vulnerability to other routers?
    Please reply asap.
    wget https://github.com/aanarchyy/bully/archive/master.zip && unzip master.zip
    cd '/root/bully-master/src'
    make
    sudo make install

  8. #8
    Join Date
    2015-Apr
    Location
    cosmoland
    Posts
    18
    why can't BULLY be installed?

    *youtube*
    Last edited by g0tmi1k; 2016-01-07 at 17:42. Reason: Youtube link

  9. #9
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by slmafiq View Post
    why can't BULLY be installed?

    *removed*
    Code:
    apt-get install libpcap-dev
    Edit: @Quest was that quick enough for you?
    Last edited by g0tmi1k; 2016-01-07 at 17:42. Reason: Youtube

  10. #10
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    5 mins... Not bad not bad.

    ****

  11. #11
    Is there any benefit over reaver
    Without any doubt, if you use a Ralink USB (RT3070, RT3072, RT3570, RT3572), as they work very badly with reaver.
    For the rest of the chipsets it is more or less the same; try and you will see which you like more.
    or more vulnerability to other routers??
    Both use pixiewps and will exploit exactly the same vulnerabilities

  12. #12
    Join Date
    2015-Apr
    Location
    cosmoland
    Posts
    18
    soxrok2212 tnx for reply
    but this is the result
    ERROR
    I use kali 2.

    apt-get install libpcap-dev
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
    libpcap0.8-dev......

    .................................................. ...........
    cd bully/src
    make
    compilation terminated.
    Makefile:19: recipe for target 'bully' failed
    make: *** [bully] Error 1
    Last edited by slmafiq; 2016-01-08 at 10:51.

  13. #13
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    download again > decompress in /root so you have a bully-master folder. Then

    Code:
    cd /root/bully-master/src
    make
    make install

  14. #14
    Join Date
    2015-Apr
    Location
    cosmoland
    Posts
    18
    Quote Originally Posted by Quest View Post
    download again > decompress in /root so you have a bully-master folder. Then

    Code:
    cd /root/bully-master/src
    make
    make install
    I made it this way
    wget https://github.com/aanarchyy/bully/archive/master.zip && unzip master.zip
    cd '/root/bully-master/src'
    make
    sudo make install
    But have error

  15. #15
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by slmafiq View Post
    I made it this way
    wget https://github.com/aanarchyy/bully/archive/master.zip && unzip master.zip
    cd '/root/bully-master/src'
    make
    sudo make install
    But have error
    what "type of error"??
    post here!!
    if this is "RELATED to dependencies" try first:

    apt-get -y install build-essential libpcap-dev libssl-dev aircrack-ng pixiewps

    after

    cd '/root/bully-master/src'
    make
    sudo make install
    I'm a g0at

  16. #16
    Join Date
    2015-Apr
    Location
    cosmoland
    Posts
    18
    Thanks zimmaro!
    I installed bully successfully!

    apt-get update
    apt-get -y install build-essential
    apt-get install libpcap-dev
    apt-get install libssl-dev

  17. #17
    Crazy thing...
    I am testing a ZTE device (ZTE H218N) that is used by the ISP jazztel (spain)
    The device had PIN 12345670 enabled by default. A couple of years ago jazztel made an update to "disable" WPS
    My guess is that they "unconfigured" the PIN or voluntarily broke the protocol at some point.
    The router appears in wash....
    Most of the time i get a continuous fail with our tools...

    But at some point... i get an M1, send an M2, receive an M3 and pixiewps is launched
    Look at that :
    Incredible....
    The PKE is exactly the same as for the Realtek devices that are supported by pixiewps
    and
    E-HASH 1 = E-HASH2

    The fact to see again this PKE is pure madness
    This PKE repeated all the time was the starting point of the discovery of the breach for Realtek....
    And we see it again on a Broadcom chipset ...

    And what about this inconceivable same value for Ehash1 and Ehash2?
    It would mean that ES1 = ES2 and PSK1=PSK2....
    ES1 and ES2 are not equal to 0 as for the Ralink, otherwise i would have got the results.
    PSK1=PSK2 would be only possible if the PIN is 00000000
    I tried to launch with 0000000 and didn't get anything.

    It is also strange to be able to send an M2 sometimes, and that may be something to dig into for other purposes (check https://forums.kali.org/showthread.p...ight=reboot+ap)

    This unsupported broadcom device with PIN mode broken has a very strange behavior....

    According to wikidevi, the chipset is:
    SoC: Broadcom BCM5357 | RAM: 64MiB | Flash: 16MiB | Network: 5 GbE | USB: Yes, 2x v2.0 | Serial: ? | JTag: ?
    Last edited by kcdtv; 2016-01-17 at 19:10.

  18. #18
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    If you supply PIN 12345670 does it still recover the PSK? I think we briefly discussed this a LOOOOOONG time ago in a chat... The only reason I can think of off the top of my head is that the PIN is not configured and the router is just sending random data... but then again the static PKe is too... provoking to ignore. Do you have any more ZTE H218N's you can test this on?

    UPDATE: I wonder if the network is using another device as the enrollee. Perhaps something like this is going on? Or try deauthing all the clients and see if you get the same result.
    Last edited by soxrok2212; 2016-01-17 at 21:14.

  19. #19
    The new pixiewps, when modes are not specified, uses the PKE to try to determine the target. This means it's trying only for Realtek. You should try manually specifying all the modes: --mode 1,2,3,4,5.

    Also in case of Ralink devices with push button active, the 2 hashes are identical because of pin and secret hashes equal to 0.

    In the beacon frame there could be the chipset vendor. It's under 'Tag vendor specific'.

    UPDATE: seems aanarchyy's Bully doesn't run with --force. The nonce generated seems to be compatible with a Realtek device. I recommend again to test it manually and check in the beacon frame if the vendor information is present.
    Last edited by wiire; 2016-01-17 at 23:12.
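The vendor-specific beacon tag wiire points to is the quickest way to tell which chipset an AP you operate is running, and therefore whether the PKE and E-Hash behaviour discussed in this thread is expected for it. The Python below is an added example, not code from this thread or from pixiewps, reaver or bully: it parses the tagged-parameter part of a beacon frame, pulls the manufacturer and model out of the WPS information element, and maps any other vendor-specific tag's OUI to a chipset vendor. The beacon bytes are constructed for the demonstration, and the OUI table and WPS attribute ids are assumptions taken from the IEEE OUI registry and the WPS specification; extend the table for your own inventory.

```python
import struct

# Chipset-vendor OUIs (IEEE registry) that commonly appear in a beacon's
# vendor-specific tag (tag id 221). Assumption: the vendors named in this thread.
CHIPSET_OUIS = {
    "00:e0:4c": "Realtek",
    "00:0c:43": "Ralink",
    "00:10:18": "Broadcom",
    "00:03:7f": "Atheros",
}
WFA_OUI = bytes.fromhex("0050f2")   # Wi-Fi Alliance OUI; OUI type 0x04 marks the WPS IE
WPS_ATTRS = {                        # WPS attribute ids (16-bit type / 16-bit length TLVs)
    0x1021: "manufacturer",
    0x1023: "model_name",
    0x1024: "model_number",
    0x1011: "device_name",
    0x1044: "wps_state",             # 0x01 = not configured, 0x02 = configured
}


def parse_ies(data: bytes):
    """Split 802.11 tagged parameters into (tag_id, payload) pairs.

    A tag whose declared length runs past the end of the buffer is dropped and
    parsing stops there, so a truncated capture cannot produce a bogus tag.
    """
    ies = []
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) < length:
            break
        ies.append((tag, body))
        i += 2 + length
    return ies


def parse_wps_attrs(payload: bytes):
    """Parse the WPS IE body (after OUI and type byte) into {attr_id: value}."""
    attrs = {}
    i = 0
    while i + 4 <= len(payload):
        atype, alen = struct.unpack(">HH", payload[i:i + 4])
        value = payload[i + 4:i + 4 + alen]
        if len(value) < alen:
            break
        attrs[atype] = value
        i += 4 + alen
    return attrs


def fingerprint_beacon(tagged_params: bytes) -> dict:
    """Return SSID, WPS device attributes and the first recognised chipset OUI."""
    info = {"ssid": None, "chipset_oui": None, "chipset": None, "wps": {}}
    for tag, body in parse_ies(tagged_params):
        if tag == 0:
            info["ssid"] = body.decode("utf-8", "replace")
        elif tag == 221 and len(body) >= 4:
            oui = ":".join(f"{b:02x}" for b in body[:3])
            if body[:3] == WFA_OUI and body[3] == 0x04:
                for atype, value in parse_wps_attrs(body[4:]).items():
                    name = WPS_ATTRS.get(atype)
                    if name == "wps_state":
                        info["wps"][name] = value.hex()
                    elif name:
                        info["wps"][name] = value.decode("utf-8", "replace")
            elif oui in CHIPSET_OUIS and info["chipset"] is None:
                info["chipset_oui"] = oui
                info["chipset"] = CHIPSET_OUIS[oui]
    return info


# --- constructed sample: the tagged-parameter part of one beacon frame ---
def _ie(tag, body):
    return bytes([tag, len(body)]) + body


def _wps_attr(atype, value):
    return struct.pack(">HH", atype, len(value)) + value


SAMPLE_BEACON = (
    _ie(0, b"lab-ap-example")                               # SSID (constructed)
    + _ie(1, bytes.fromhex("82848b960c121824"))            # supported rates
    + _ie(3, bytes([6]))                                   # DS parameter set: channel 6
    + _ie(221, WFA_OUI + b"\x04"                           # WPS IE
          + _wps_attr(0x104A, b"\x10")                     # WPS version 1.0
          + _wps_attr(0x1044, b"\x02")                     # WPS state: configured
          + _wps_attr(0x1021, b"ExampleVendor")
          + _wps_attr(0x1023, b"ExampleModel"))
    + _ie(221, bytes.fromhex("00e04c") + b"\x02\x01\x70\x00\x00\x00")  # Realtek OUI, constructed body
)

if __name__ == "__main__":
    print(fingerprint_beacon(SAMPLE_BEACON))
```

To use it on real traffic, feed it the bytes that follow the fixed 12-byte beacon header (timestamp, interval, capabilities) of a captured frame. Note that the WPS IE tells you what the firmware claims to be, while the chipset OUI in a separate vendor tag is what the driver emits, which is why the two can disagree, as in the wikidevi case above.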

  20. #20
    Hi soxrok2212, Hi wiire

    first of all it seems that the "wikidevi" is wrong or there may be several versions of the device... The point is that the chipset appears to be a Realtek one instead of a BCM:

    thanks for the trick wiire : i always looked in the WPS tags and didn't notice that information could be gathered there.
    That would explain the presence of our "provocative PKE" in the M' messages.
    It doesn't explain why pixiewps didn't launch a long bruteforce (i tried with --force or mode 3 --force / and i tried every mode separately)
    This case is definitely less weird/interesting than what i thought first as i thought it was a Broadcom device.
    i managed to repeat once this "fake" pixie dust and i got the Realtek PKE (as expected) and two identical ehash again. (like the first time, not the same ehash as the first time but the same ehash1 and ehash2 )
    i get a strange error if i put the stdout here (with or without code-quote)... If somebody wants it ask me by PM and i will PM it to you. (or you can get it from here : https://www.wifi-libre.com/topic-335...ado.html#p1776)
    Quote Originally Posted by soxrok2212
    If you supply PIN 12345670 does it still recover the PSK?
    Never ever since the firmware update (around 2014)
    Just from time to time you would get enough for a pixiedust... nothing else (never get a M5 or more)
    Quote Originally Posted by soxrok2212
    discussed this a LOOOOOONG time ago in a chat... The only reason I can think of off the top of my head is that the PIN is not configured and the router is just sending random data
    Yes indeed.
    By seeing this Realtek PKE in what was supposed to be a Broadcom router i got emotional and thought that this data may lead to discovering another weakness in some unsupported Broadcom.
    But this ZTE router definitely has a Realtek chipset...
    Thanks for your "lights" about this.

  21. #21
    That's what I suspected. It's Realtek without a doubt.

    What do you mean pixiewps didn't launch the full bruteforce? I'm pretty confident it found the seed but couldn't recover the pin if it stopped right away.

    Try compiling with 'make debug' and see if at some point it says 'Seed found' or something similar.

    The two hashes should be identical only in case of the PBC pin as you pointed out (in case es1 and es2 are the same as well).

    When testing the program I did test it against PBC so I'm sure it works properly.

  22. #22
    that's what i get in stdout with adding --force -v 3
    Code:
     Pixiewps 1.2
    
     [-] WPS pin not found!
    [*] Time taken: 1 s 908 ms
    pixiewps seems to work properly as it is suggested to use "force" when i don't use it :
    Code:
     Pixiewps 1.2
    
     [-] WPS pin not found!
    [*] Time taken: 1 s 903 ms
    
     [!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.
    It doesn't explicitly stdout that seed is found so i am gonna install in debug mode...
    see you in 5 minutes...

    ... You are absolutely right
    I didn't doubt it but I just wanted to see the debug mode in action... And I will leave it in debug mode, i prefer like this
    - edit : well, I won't because that would break the compatibility in automated pixie dust mode with reaver 1.5.2 or bully revisited by aanarchyy. I mention this in case people would compile in debug mode

    It is not as interesting as i thought first but it is still useful to know: as every manufacturer does what they want with PROBES and there is no way to distinguish between routers with WPS PIN correctly enabled and the others... well, this seems to be the way!
    If our ehash-1 and ehash2 are equals in our M3 message it means that only PBC is fully enabled and that PIN mode will not lead to anything.
    I don't have broadcom device or atheros device to check it out but at least that is the case for realtek and ralink.
    That's pretty cool, we still learned something somehow
    Last edited by kcdtv; 2016-01-19 at 16:32.

  23. #23
    Quote Originally Posted by kcdtv View Post
    If our ehash-1 and ehash2 are equals in our M3 message it means that only PBC is fully enabled and that PIN mode will not lead to anything.
    Just to clarify, the PBC method is - protocol-wise - identical to the PIN method. The only difference is the method of activation (a button) and that the PIN is already known, being '00000000'.

    I successfully recovered the WPA of my router after pressing the button, using Reaver and Pixiewps some time ago.

    If you want you can pass me the data and I can try to experiment a bit. But maybe the two equal hashes are part of the 'patching work' of the devs. We know for sure Realtek devices are weird.
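kcdtv's reasoning in #17 and wiire's clarification in #23 both come down to the M3 hash formulas of the WPS registration protocol: E-Hash1 and E-Hash2 can only be equal when the secret nonces E-S1 and E-S2 are equal and PSK1 equals PSK2, and PSK1 equals PSK2 when the two PIN halves are identical, which is the PBC PIN 00000000. The Python below is an added example, not code from this thread or from pixiewps; it implements those formulas (PSKn = first 128 bits of HMAC-SHA256(AuthKey, PIN half), E-HashN = HMAC-SHA256(AuthKey, E-SN || PSKn || PKE || PKR)) over constructed AuthKey, nonce and public-key values, labelled as such, and goes slightly beyond the thread by showing that any PIN whose halves match, not only 00000000, gives PSK1 == PSK2.

```python
import hmac
import hashlib


def wps_psk_halves(authkey: bytes, pin: str):
    """PSK1/PSK2 as in the WPS registration protocol: the first 128 bits of
    HMAC-SHA256 keyed with AuthKey over the ASCII digits of each PIN half."""
    if len(pin) != 8 or not pin.isdigit():
        raise ValueError("WPS PIN must be 8 ASCII digits")
    psk1 = hmac.new(authkey, pin[:4].encode("ascii"), hashlib.sha256).digest()[:16]
    psk2 = hmac.new(authkey, pin[4:].encode("ascii"), hashlib.sha256).digest()[:16]
    return psk1, psk2


def wps_ehashes(authkey, pin, es1, es2, pke, pkr):
    """E-Hash1/E-Hash2 as sent by the enrollee in M3:
    E-HashN = HMAC-SHA256(AuthKey, E-SN || PSKN || PKE || PKR)."""
    if len(es1) != 16 or len(es2) != 16:
        raise ValueError("E-S1 and E-S2 are 128-bit secret nonces")
    psk1, psk2 = wps_psk_halves(authkey, pin)
    ehash1 = hmac.new(authkey, es1 + psk1 + pke + pkr, hashlib.sha256).digest()
    ehash2 = hmac.new(authkey, es2 + psk2 + pke + pkr, hashlib.sha256).digest()
    return ehash1, ehash2


def ehashes_collide(authkey, pin, es1, es2, pke, pkr) -> bool:
    """True when M3 would carry E-Hash1 == E-Hash2 for these inputs."""
    ehash1, ehash2 = wps_ehashes(authkey, pin, es1, es2, pke, pkr)
    return ehash1 == ehash2


def pin_halves_match(pin: str) -> bool:
    """PSK1 == PSK2 exactly when both PIN halves are the same digits; the PBC
    PIN 00000000 is the case that occurs in practice."""
    return pin[:4] == pin[4:]


# --- constructed inputs (not captured from any device) ---
AUTHKEY = hashlib.sha256(b"constructed AuthKey").digest()      # 256-bit AuthKey
PKE = hashlib.sha256(b"constructed PKE").digest() * 6         # 1536-bit DH public keys
PKR = hashlib.sha256(b"constructed PKR").digest() * 6
ZERO_NONCE = bytes(16)                                        # the all-zero E-S seen on Ralink
NONCE_A = hashlib.sha256(b"constructed E-S1").digest()[:16]
NONCE_B = hashlib.sha256(b"constructed E-S2").digest()[:16]


def scenarios() -> dict:
    """Which PIN / secret-nonce combinations reproduce the equal-hash observation."""
    return {
        "pbc_pin_zero_nonces": ehashes_collide(AUTHKEY, "00000000", ZERO_NONCE, ZERO_NONCE, PKE, PKR),
        "pbc_pin_random_nonces": ehashes_collide(AUTHKEY, "00000000", NONCE_A, NONCE_B, PKE, PKR),
        "default_pin_zero_nonces": ehashes_collide(AUTHKEY, "12345670", ZERO_NONCE, ZERO_NONCE, PKE, PKR),
        "mirrored_pin_zero_nonces": ehashes_collide(AUTHKEY, "12341234", ZERO_NONCE, ZERO_NONCE, PKE, PKR),
    }


if __name__ == "__main__":
    for name, collides in scenarios().items():
        print(f"{name:26s} E-Hash1 == E-Hash2: {collides}")
```

The HMAC arithmetic does not check the PIN's checksum digit, so the mirrored-PIN case is only a mathematical illustration. For a defender the practical reading is the one kcdtv reaches: if an AP you manage answers with identical E-Hash1 and E-Hash2, its firmware is running the PBC PIN with a fixed secret nonce, so the PIN method is not really enabled and the WPS setting in its admin UI should be checked against what it actually advertises.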

  24. #24
    Just to clarify, the PBC method is - protocol-wise - identical to the PIN method. The only difference is the method of activation (a button) and that the PIN is already known, being '00000000'.
    ok
    If you want you can pass me the data and I can try to experiment a bit. But maybe the two equal hashes are part of the 'patching work' of the devs. We know for sure Realtek devices are weird.
    And it is a .... ZTE ... low cost and low security.... with above all a touch from jazztel, for whom it took more than one year to understand that all their devices had PIN 12345670 enabled.
    So weirdness is expected...
    here is the data : http://www78.zippyshare.com/v/y3wuTRzz/file.html
    if you need something more, just ask
    also added the ESSID and BSSID to the final output per request of soxrok2212
    The same guy that requested a tool for pixiedust one day ... i think i remember now... be careful with him, you never know where it can stop!

  25. #25
    @kcdtv debug mode works just fine with bully, i had pixie with debug mode on for quite a while, just extra printing,

    oh and i added --force to the pixiewps command, i wasn't aware that was still in as wiire had removed it from the help.
    also added the ESSID and BSSID to the final output per request of soxrok2212
    Last edited by aanarchyy; 2016-01-19 at 17:14.

  26. #26
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Glad to see it's all sorted out!

  27. #27
    Join Date
    2016-Feb
    Posts
    7
    hi to all
    I'm studying WiFi vulnerabilities and especially WPS. I found this article on the web

    Can it be a new attack or not?! it claims that:

    even by completely disabling the WPS on the routers, all vulnerabilities are not covered
    Last edited by eddie; 2016-03-28 at 13:51.

  28. #28
    Join Date
    2015-Apr
    Posts
    29
    Quote Originally Posted by eddie View Post
    hi to all
    I'm studying WiFi vulnerabilities and especially WPS. I found this article on the web

    Can it be a new attack or not?! it claims that:
    In the article, nothing new is described

  29. #29
    Join Date
    2016-Feb
    Posts
    7
    Quote Originally Posted by Laserman75 View Post
    In the article, nothing new is described
    Really?? So the name should be "repetitive attacks on WPS"!!.....
    i think the first scenario is not possible ... But about the second, are there any tools for performing that scenario in Kali?

    Where can I find documents for the original source of these attacks??

  30. #30
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    "But if the attacker could somehow change his role in this exchange and could be the enrollee, he can use two arbitrary values instead of E-Hash1 and E- Hash2 and sends it as M3 message."

    First off, the author doesn't sound very informed on the topic in general. A little "somehow" magic and it should work, right? Unfortunately, that's not how the protocol works. Reminds me of the "Blackjack Attack" that was quickly deemed unsuccessful, http://méric.fr/blog/blackjack.html though they are using a rogue AP. I don't think it is possible.

    As for the second attack, well, I don't really understand what they are trying to say. It is written in pretty poor English, though I can't point them out on this because it's just a language barrier.

    The author should have done a practical analysis of the suggested ideas instead of documenting a theoretical analysis. It would've made a much more interesting document if they had found proof for any of the suggested ideas.

  31. #31
    The fake AP attack to get the first half of the pin is nothing new. The procedure is described in the specification (2.02) as well as in Bongard's slides. The problem with it is that usually one is never prompted to insert a WPS pin when trying to connect to a WPS AP.

    The "second attack" is more interesting. Instead of setting up a fake AP with the Pin method, set up one with the PBC method (same name, same encryption) with a greater power level in an attempt to cover the legitimate AP and disconnect the client (same procedure as an evil twin). Then when the user tries to connect, make the fake AP start a PBC session. The Windows victim computer should automatically start a PBC WPS session, grab the new configuration and eventually automatically connect to the fake AP.

    Now the attacker could potentially set up dns spoofing, sslstrip, redirection etc.

    I honestly never tried, but this would be a flaw in Windows security rather than WPS.

  32. #32
    About this second "PBC" attack (4.2) "evil twin"
    It is one of the "PBC Rogue attacks" described by koala some time ago and it doesn't work as "smoothly" as they affirm.
    Because Windows offers the possibility of a PBC connection only the first time when you connect to an AP, just when you create a new profile.
    So you have to create a fake AP where the essid is slightly changed, otherwise Windows will never activate the PBC connection : it has to be a new profile.
    Then it works, as it is a different name-AP, Windows proposes that you press the PBC on the router side and you could get the client connected to your fake AP
    That's how it would look like from the victim side :

    As you can see the legitimate profile Livebox-XXXX appears with a red cross ( effects of mdk3 + airbase used for deauth ) and the fake network reachable is livebox-XXXX (lower case instead of upper)
    If the victim clicks on "livebox (fake)" then it would be connected

    So it is not as simple and straight as they described and depends on the user's active intervention to fall in the trap.
    Complete and documented tutorial here : [Tuto] Rogue AP discrète en full WPA avec hostapd
    It is in french, sorry, but you have snapshots with kali linux every two lines and code blocks, so you will follow the story.
    Last edited by kcdtv; 2016-02-02 at 13:48.

  33. #33
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Also in the event of using a Rogue AP, the best option would just be to redirect to a fake page requesting the WPA key, not the WPS pin. Both of the author's ideas are pretty useless to me; if a router supports WPS then 99.99% of the time it is running WPA2-CCMP and it would just be easier to grab the PSK and then from there just grab the WPS pin from the router config.

  34. #34
    Join Date
    2016-Feb
    Posts
    7
    I think poor English in that article makes this misunderstanding. The goal in both ideas is not requesting the WPS pin instead of the WPA key! I think wiire is completely right.

  35. #35
    I think whenever PBC support is announced in beacons, Windows offers the possibility of a PBC connection. I tried it at home with my router.
    Maybe you use Windows 8.1? Anyway i doubt that it changes anything.
    Koala did his tests with Windows 7 and i did the test with Windows 10
    PBC connection is just proposed the first time you connect to the network.
    Once you have a profile created Windows just tries the PMK and will not propose PBC again.
    Even if you push the button on the router side...
    I connect through PBC to a router that i use for the test; once i am successfully connected I change the WPA passphrase (simulating a fake AP with same bssid and essid) and i try to connect to my AP again
    Windows network manager stops trying after a certain time and that's it.
    That's all you get... No PBC is proposed (as the profile is already created)
    I think wiire is completely right.
    No one said he is not
    Both ideas are not new... the authors of the paper present them as new vulnerabilities and it has been demonstrated that it is not the case.

  36. #36
    Join Date
    2016-Feb
    Posts
    7
    @soxrok2212

    thanks. I read that hypothetical "Blackjack" attack, but it's different. I think theoretically the first attack has no problem, but as @wiire said, practically it's not possible.

    @wiire

    thanks. Really helped me. I want to implement second attack to try it. Do you think this is worth trying?

  37. #37
    Join Date
    2016-Feb
    Posts
    2
    i tried cracking a D-Link router's pin with the --force option but the pin was not found. Does that mean the router is not vulnerable? (Pixie version 1.2, Kali 2.0)

  38. #38
    Join Date
    2016-Feb
    Posts
    7
    Because Windows offers the possibility of a PBC connection only the first time when you connect to an AP, just when you create a new profile.
    I don't agree! I think whenever PBC support is announced in beacons, Windows offers the possibility of a PBC connection. I tried it at home with my router.
    Also there is no need to create a fake AP with a slightly changed ESSID; it's possible to have two access points (or more, maybe!) with the same ESSID and same encryption.

  39. #39
    Join Date
    2016-Feb
    Posts
    7
    Maybe you use Windows 8.1? Anyway i doubt that it changes anything.
    Koala did his tests with Windows 7 and i did the test with Windows 10
    PBC connection is just proposed the first time you connect to the network.
    Once you have a profile created Windows just tries the PMK and will not propose PBC again.
    Even if you push the button on the router side...
    I connect through PBC to a router that i use for the test; once i am successfully connected I change the WPA passphrase (simulating a fake AP with same bssid and essid) and i try to connect to my AP again
    Windows network manager stops trying after a certain time and that's it.
    That's all you get... No PBC is proposed (as the profile is already created)
    I found my mistake! you are completely right as well

    Both ideas are not new... the authors of the paper present them as new vulnerabilities and it has been demonstrated that it is not the case.
    exactly! So is there any tool to test this attack using Kali or another Linux OS?

    I have another question : How can I get a router's firmware source code?

  40. #40
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by eddie View Post
    exactly! So is there any tool to test this attack using Kali or another Linux OS?
    Either way, both are not vulnerabilities in WPS, I would just consider it a workaround. No there are no designated tools for this, though I'm assuming hostapd and some magic could make it work.

    Quote Originally Posted by eddie View Post
    I have another question : How can I get a router's firmware source code?
    Either google the model number followed by "source code" or you could try extracting the compiled firmware with binwalk and look at the binaries.
    Last edited by soxrok2212; 2016-02-04 at 20:38.

  41. #41
    though I'm assuming hostapd and some magic could make it work.
    exactly
    For all the side traffic redirection, fake pages, exploits or whatever, it is possible to use the tools designed for that.
    About the WPS, koala explains in his tutorial how to activate it in a loop (using hostapd) with a dirty but efficient single line
    Code:
    while : ; do sudo hostapd_cli wps_pbc ; sleep 120 ; done &
    That does the job to have your WPS PBC activated in loop ready to grab the clients.

  42. #42
    Join Date
    2013-Jul
    Posts
    844
    MTeams has been working with RogueAP setups and WPA Phishing for over five years starting with techdynamics wpa phishing programs.

    Any client that has a WPA key already loaded into the wifi management software for a specific ESSID cannot associate to a Open RogueAP of the same name unless the client removes the WPA key from the setup.

    To defeat this when WPA phishing, the help files of MTeams' Pwnstar9.0 version, which is designed for WPA phishing, suggest you enter an ESSID that looks the same to the human eye BUT is not the same to the computer. One way to do this is to add five to eight spaces and then a period to the ESSID, hence:

    "HOMEWIFI" would be "HOMEWIFI five spaces and a period ."

    If you just use spaces, some management software ignores the spaces unless the spaces are between characters.

    If you add too many spaces you can get strange effects in both client and RogueAP software.


    Next DDOS the targetAP and hope the client tries to associate to the RogueAP of almost the same name.

    The type of DDOS may require a separate wifi device. The only DDOS that allows the device supporting the RogueAP to also perform the DDOS is mdk3 d Deauthentication / Disassociation Amok Mode

    If you use mdk3 g or aireplay-ng -0 you need to separate the RogueAP channel at least three or more channel numbers from the targetAP and you will require a separate wifi device or you will end up DDOSing the RogueAP due to the proximity of the wifi devices.

    Do not use mdk3 t Probe as it can crash airodump-ng and scanners

    Association: If you use a name similar to the targetAP, the name is different to the computer, the clients' computer then associates easily as the system is open. But the client must choose to do so.

    However, when the client associates and tries to call up an https address, this normally sets off a certificate warning.

    To beat that MTeams wrote a HTTPS trap feature into Pwnstar9.0. When the client requests a https address the web page is passed on without a certificate warning. When the client request a http address the fake webpage is expressed on the clients' screen.

    As soxrok2212 notes this is not so straightforward as it appears. Only a new client which has yet to input a WPA key into the wifi management software will associate easily, and even then there are problems. In the end there is a high degree of social engineering skill required to make this work. MTeams has had equal success with just leaving a rogueAP running and walking away. The next morning we find all sorts of passwords, including WPA keys, loaded in the RogueAP.

    Musket Teams
    Last edited by mmusket33; 2016-02-05 at 02:40.

  43. #43
    when i tried wifiphisher on my wireless, i noticed that my laptop didn't feel any difference. my mobile phone keeps disconnecting, but always reconnects to the wpa connection, not the fake one, no matter if i use mdk3 or aireplay. it only connects to the fake one if i manually disconnect from my router, so it's unlikely that someone does that. i didn't try to come from outside though, and maybe the phone would connect first to the fake one if the signal is stronger. mmusket33 is right: maybe leaving it by itself, walking away and hoping that someone gets tricked.

    lately i tried my luck with nmap since my usb antenna is almost ruined because of overusing mdk3. reaver and bully are of no use as well since i have all new routers near, so.. (speaking the truth, i have had more success and speed retrieving the pin with bully pixiedust and connecting through jumpstart). until a new method, i'll stay put. thanks for the explanation, mmusket

  44. #44
    Join Date
    2016-Feb
    Posts
    3
    Reaver is not working with a ZTE router model. It cannot get E-HASH 1 and E-HASH 2. What is a way to get E-HASH 1 and E-HASH 2 from a ZTE router???

  45. #45
    Join Date
    2016-Feb
    Posts
    7
    If you use mdk3 g or aireplay-ng -0 you need to separate the RogueAP channel at least three or more channel numbers from the targetAP and you will require a separate wifi device or you will end up DDOSing the RogueAP due to the proximity of the wifi devices.

    Do not use mdk3 t Probe as it can crash airodump-ng and scanners
    Thanks. What is the best tool for a deauth attack against clients in the network? Between mdk3 and aireplay-ng, which one is better and works in any situation??
    Last edited by eddie; 2016-02-06 at 15:14.

  46. #46
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by eddie View Post
    Thanks. What is the best tool for a deauth attack against clients in the network? Between mdk3 and aireplay-ng, which one is better and works in any situation??
    They're both the same.

    Quote Originally Posted by helen2016 View Post
    I am ok with Pixie Dust.
    I have a question about consecutive cracks of the same AP within minutes resulting in different hex 64 character answers.
    The game is afoot !
    Try using AAnarchYY's bully: https://github.com/aanarchyy/bully

  47. #47
    Join Date
    2016-Feb
    Posts
    4
    I am ok with Pixie Dust.
    I have a question about consecutive cracks of the same AP within minutes resulting in different hex 64 character answers.
    The game is afoot !

  48. #48
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    and it's @ version 1.1 https://github.com/aanarchyy/bully not 1.0-24



    *geez good thing I'm around here to check on everything, all the time*

  49. #49
    Join Date
    2016-Feb
    Posts
    2
    Hi,

    I have a raspberry pi B and TP-LINK WN722N usb card.

    I tried reaver but i am getting pin not found.
    Tried pixieWPS with all the arguments and again pin not found.

    I google to find a solution but nothing.
    Please help.

    All apps are updated. I tried Kali but had issues, so i decided to make my distro from Debian. All are working fine except pixieWPS.

    The router i am trying is next to the usb card and it is a TP-LINK TL-WR741ND.

  50. #50
    You have to check the wifi chipset of your device. I did it for you :

    Atheros, no doubt about it
    So now you know why it doesn't work...
    ( a good place to have a look for information on your device is https://wikidevi.com/wiki/TP-LINK_TL-WR741ND_v4.3 )
