
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    Join Date
    2016-Feb
    Posts
    2
    Hi,

    Thank you for the reply.
    I was reading about it the time you were posting.

    1) Is it possible to find the password in this router?

    2) I have another router in my house which is a ZTE Speedport Entry 2i. I opened it and inside it has this chip:
    - Broadcom BCM6338
    I searched for this one and didn't find anything. Does that mean I can't use pixieWPS?

  2. #2
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Why don't you just try it and see what happens?

  3. #3
    Quote Originally Posted by Yvette
    1) Is it possible to find in this router the password?
    If the default password is still in use and is weak, then yes, otherwise no.
    But that's a totally different subject from "WPS Pixie Dust Attack (Offline WPS Attack)", isn't it?

  4. #4
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Well, it's been over a year since I made this thread. 265,000 views and 13 months later, manufacturers STILL have yet to resolve this problem. Actually, the initial disclosure of the attack was published in August of 2014, meaning it has been about 18 months! This is pathetic. 18 months and this HUGE vulnerability STILL exists!

    First and foremost, a big :P to all of those who said this would be a waste and it would be patched quickly.

    Second, I hope I didn't say all this too soon, I just read that ASUS was sued due to some extreme vulnerabilities they had in the past few years: http://www.smallnetbuilder.com/wirel...security-flaws I guess they are dedicating a team to finding and fixing these vulnerabilities. I'm not sure what exactly they will be doing but I'm sure it will be interesting to see how it turns out!

    Thanks for all the support guys and as always, if you find any vulnerable and or NOT vulnerable devices, please report them here!

  5. #5
    Join Date
    2015-Dec
    Posts
    3
    To Saydamination:
    Did you successfully get the Realtek RTL8671's pin?

  6. #6
    Join Date
    2015-Oct
    Posts
    2
    is pixiedust gonna support ZyXEL modems ?

  7. #7
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Pixiewps is for wireless systems, not modems. And it depends on the chipset as you can read on the first page of this thread.

  8. #8
    Join Date
    2015-Oct
    Posts
    2
    Quote Originally Posted by soxrok2212 View Post
    Pixiewps is for wireless systems, not modems. And it depends on the chipset as you can read on the first page of this thread.
    I understood. Actually I just want to ask about ZyXEL's modem chipsets, like D-Link, Broadcom, what else. I don't know which chipsets are used in ZyXEL modems.

  9. #9
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    D-Link is not a chipset, it is a manufacturer. ZyXEL probably uses every chipset on the market for different applications. There is no 1 chipset for a specific manufacturer.

  10. #10
    Join Date
    2013-Jul
    Posts
    844
    To soxrok2212:

    MTeams received a report that surprised us in that it appears the WPS PIN was also the WPA key.

    Barring the user entering the WPS PIN as a WPA key in the wifi management software, we are wondering if the DDOS process that VMR-MDK subjects the router to has caused this, or if there is a glitch in the firmware turning the WPS PIN into the WPA key.

    Obviously anyone trying to crack this router with brute force should run an eight-character numeric string pass-through with crunch first:


    Comment was

    Got working on Kali Rolling with Locked AP TL-WR842ND. Not too much to wait though
    Pin and Key were the same: 45576072


    http://forum.aircrack-ng.org/index.p...ic,868.45.html

    MTeams

    We did find this:

    http://gizmodo.com/a-simple-security...s-i-1705980884
    Last edited by mmusket33; 2016-03-03 at 07:49.

  11. #11
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    TP-Link is known to use the same 8 char WPS PIN as the WPA key. Also happened on a TL-WDR4300.

  12. #12
    I have a TP-Link router right next door to me that has the PIN and PSK the same 8 digit numeric.

  13. #13
    Some models do indeed have this "fantastic" configuration for default PIN and WPA passphrase.
    You can check the default settings for quite a lot of models if you poke around the web interface emulators that TP-Link provides: tp-link emulators

  14. #14
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I made a detailed writeup of the vulnerability available here: http://division0.net/wps-pixie-dust.html

    If you are looking for more technical details, check out that post!
    Last edited by soxrok2212; 2016-03-04 at 22:09.

  15. #15
    Just to say that your site has a problem my friend...
    I can ping it but I get a 404 error if I try to browse it.
    If you didn't know what to do this Sunday, I found you some activities
    take care

  16. #16
    yesterday was working. today.. The requested URL /wps-pixie-dust.html was not found on this server. Happy html'ing

  17. #17
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by kcdtv View Post
    Just to say that your site has a problem my friend...
    I can ping it but I get a 404 error if I try to browse it.
    If you didn't know what to do this Sunday, I found you some activities
    take care
    Hahahahaha

    Quote Originally Posted by bob79 View Post
    yesterday was working. today.. The requested URL /wps-pixie-dust.html was not found on this server. Happy html'ing
    Working on it now

    UPDATE: Should be fixed now
    Last edited by soxrok2212; 2016-03-06 at 18:24.

  18. #18
    Join Date
    2013-Jul
    Posts
    844
    To

    You may find this interesting

    We received the following report from devilsadvocate

    Also, I would like to report some behavior that I have witnessed on some Netgear APs. It seems that some Netgear APs are aware that Reaver always starts with the code, "12345670". The result of this is that those routers will WPS lock right away. I haven't found a workaround yet (if there even is one). I realize that a mod to Reaver may be necessary. Is there a version of Reaver that doesn't use "12345670" right from the start?

    MTeams answer

    There is a reaver program called ryreaver-reverse. There is no installation; you run the program with ./ryreaver-reverse as root. You must use the --session=<> option to save the work or the program starts the attack all over again. It also does not support pixiedust, but you can test for pixiedust data sequences with the normal reaver program by setting --pin= to some pin other than 12345670. Then use PDDSA-06.sh to test for the pin. If no pin is found you can restart ryreaver-reverse.


    See
    http://forum.aircrack-ng.org/index.p...ic,868.45.html


    Musket Teams

  19. #19
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    You could also try bully: https://github.com/aanarchyy/bully starts on a random pin.

  20. #20
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Howdy,

    Do we have a WPS known PIN database anywhere? I would like a simple .txt file with MAC | Known PIN.

    In other words, in some cases there seems to be a direct relation between vendors/MAC and the first few PIN numbers. Like for example, E8:39F: = 18XXXXXX [insert 'NO WAY!!' emoticon here]

    Please answer with a positive and a link, or I will be in a bad mood for the rest of the day. Thank you.
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  21. #21
    Quote Originally Posted by soxrok2212
    UPDATE: Should be fixed now
    The site works perfectly now
    Very nice web, good job!

  22. #22
    Join Date
    2016-Mar
    Posts
    5
    Amped Wireless SR10000 is vulnerable. BCM8xxx. 121 seconds creds dumped. I don't see it listed in the database.

  23. #23
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Can you post Reaver/Bully output? Would like to confirm, wikidevi says it's Realtek: https://wikidevi.com/wiki/Amped_Wireless_SR10000

  24. #24
    Join Date
    2016-Mar
    Posts
    5
    Sure will do

    I stand corrected. It is the same as listed on the site you linked. The RTL8196C is already listed in the db under other brands anyway.

    AmpedSR10000.jpg
    Last edited by ParanoiA609; 2016-03-23 at 23:52.

  25. #25
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I figured. Thanks for the confirmation.

  26. #26
    Join Date
    2015-Aug
    Posts
    3
    First success today with pixie dust attack!
    It took about 7 seconds only!

  27. #27
    Join Date
    2016-Apr
    Posts
    3
    Nice tool, especially with K1, K2 and K3.
    But it does not work with my TP-Link router.. when I put in the correct PIN.. reaver works awesome.

    Any idea how to make reaver able to use a PIN list created with crunch?

    Example: reaver -i wlan0mon -b 11:22:33:44:55:66 -c 11 -p /root/pins.txt

    If the router does not activate the WPS lock... reaver will be a famous tool for hacking WPA/WPS.

    Thanks, just an idea.. ☺

  28. #28
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    What would the benefit be? Reaver follows a set sequence and Bully just chooses PINs at random. There will always be 11,000 possibilities no matter what.

  29. #29
    Quote Originally Posted by wgonzalez
    Any idea how to make reaver able to use a PIN list created with crunch?
    Reaver doesn't have such an option... but it is not very hard to do though:
    Create your PIN dictionary following the pattern used for *.wpc files:
    - You put 0 for the 3 numbers used as headers (index p1 - index p2 - boolean number for getting or not the first half)
    - You put your 10000 first halves
    - You put your 1000 second halves (the last digit is a checksum, reaver generates it live)
    Call your file whatever.wpc and when you launch reaver just use the -s option with the full path to your *.wpc file
    Code:
    -s, --session=<file>            Restore a previous session file
    Have a look at some *.wpc file and you will understand how it works...

    By the way: why didn't you ask this question in the thread about reaver instead of here?
    Last edited by kcdtv; 2016-04-29 at 11:51.
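The "11,000 possibilities" figure in post #28 and the "10000 first halves / 1000 second halves, last digit is a checksum" layout of the .wpc file in post #29 both follow from the same piece of WPS PIN arithmetic. The block below is an added example written for this page; it is not code from the forum, from reaver or from pixiewps. It implements the WPS specification's mod-10 checksum, validates the two PINs quoted earlier in the thread (45576072 from the TP-Link report, and reaver's default 12345670), counts the split keyspace, and, as a defender-side audit, flags a WPA passphrase that is itself a well-formed WPS PIN (the TP-Link default behaviour reported in posts #10 to #13). Function names are my own.

```python
"""Added example (not the forum's, reaver's or pixiewps' code): the WPS PIN
checksum and the first-half / second-half split behind the ".wpc" layout and
the "11,000 possibilities" remark, plus a passphrase audit for the case where a
vendor ships the WPS PIN as the WPA key."""
from __future__ import annotations


def wps_pin_checksum(first_seven: int) -> int:
    """Return the 8th (checksum) digit for the first seven PIN digits.

    WPS uses a weighted mod-10 check: digits 1, 3, 5 and 7 of the PIN are
    weighted 3, digits 2, 4 and 6 are weighted 1, and the checksum digit makes
    the weighted sum a multiple of 10.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("first_seven must fit in 7 decimal digits")
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)   # odd position (counted from the right of the 7 digits)
        pin //= 10
        accum += pin % 10         # even position
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is exactly 8 ASCII digits whose last digit is the checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def split_halves(pin: str) -> tuple[str, str]:
    """Return the (first half, second half) an AP confirms separately.

    The registrar exchange acknowledges the first four digits before the last
    three are checked, and the checksum digit is derived rather than guessed,
    which is why the second half has only 1,000 values.
    """
    if not is_valid_wps_pin(pin):
        raise ValueError("not a well-formed WPS PIN")
    return pin[:4], pin[4:7]


def wps_pin_keyspace() -> dict[str, int]:
    """How many guesses each stage of an online PIN attack can need, worst case."""
    first_half = 10 ** 4            # digits 1-4, confirmed on their own
    second_half = 10 ** 3           # digits 5-7; digit 8 is the checksum
    return {
        "first_half": first_half,
        "second_half": second_half,
        "total": first_half + second_half,        # the 11,000 from post #28
        "without_split": 10 ** 7,                 # if halves were not confirmed separately
    }


def passphrase_looks_like_wps_pin(passphrase: str) -> bool:
    """Defender-side audit: flag a WPA passphrase that is a well-formed WPS PIN.

    Such a key (the TP-Link default reported above) falls to an all-numeric
    guess even with WPS disabled, so it should be replaced.
    """
    return is_valid_wps_pin(passphrase)


if __name__ == "__main__":
    # Constructed demo inputs; the first two PINs are the ones quoted in the thread.
    for candidate in ("45576072", "12345670", "45576073", "Tr0ub4dor&3"):
        print(f"{candidate!r:14} valid WPS PIN: {is_valid_wps_pin(candidate)}")
    print("halves of 45576072:", split_halves("45576072"))
    print("keyspace:", wps_pin_keyspace())
```

For an audit of a fleet of access points, `passphrase_looks_like_wps_pin` is the check to run over the stored PSKs; a hit means the passphrase was never more than the device's printed PIN.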

  30. #30
    Join Date
    2016-Apr
    Posts
    1
    BSSID: 38:3B:C8:2D5:EA
    ESSID: ATT982mxZ9
    MANUFACTURER: Pace
    MODEL: Pace
    MODEL NUMBER: 123456

    trying to post WPS data up but gives me a firewall error ... this AP is not vulnerable
    Last edited by audiorulz4u; 2016-05-02 at 13:36.

  31. #31
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by audiorulz4u View Post
    BSSID: 38:3B:C8:2D5:EA
    ESSID: ATT982mxZ9
    MANUFACTURER: Pace
    MODEL: Pace
    MODEL NUMBER: 123456

    trying to post WPS data up but gives me a firewall error ... this AP is not vulnerable
    Thanks, added to the database.

    Btw, 500th post!

  32. #32
    Join Date
    2016-Mar
    Posts
    2
    Quote Originally Posted by soxrok2212 View Post
    Thanks, added to the database.

    Btw, 500th post!
    Any update to PixieWPS? I'd like to know if you're planning to add some possibilities with Cisco routers.

  33. #33
    Cisco hasn't made routers for several years: their "router" division was bought by Belkin.
    If you read the first post carefully you will understand that your question is not relevant.
    The pixie dust attack is first and above all a question of the wifi chipset.
    So if your device has a vulnerable chipset then it can be vulnerable, whichever the access point manufacturer is.

  34. #34
    Join Date
    2016-Mar
    Posts
    5
    Netgear WN3000RP_V2
    MediaTek MT7620A - (Already documented under different manufacturers)
    Netger_WN3000RP_V2.jpg

    Linksys WRT110
    Ralink RT2780/RT2720
    Linksys_WRT110.jpg

  35. #35
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by ParanoiA609 View Post
    Netgear WN3000RP_V2
    MediaTek MT7620A - (Already documented under different manufacturers)
    Netger_WN3000RP_V2.jpg

    Linksys WRT110
    Ralink RT2780/RT2720
    Linksys_WRT110.jpg
    Thanks, added both.

    Also to everyone, if you find some that are not vulnerable please list them here as well as those that are vulnerable.

  36. #36
    Join Date
    2016-Mar
    Posts
    5
    Netgear C3700-100nas modem / router
    Broadcom BCM43227 / BCM43228
    Not vulnerable
    netgear_c7000-100nas.jpg

  37. #37
    Join Date
    2016-Jun
    Posts
    4
    Hi, I've tried to hack the Wi-Fi WLAN of a Fritz 7390, but it keeps trying the same PIN and always gets an error.
    Does that mean it is not possible to hack it?
    Does anyone have experience against the Fritz 7390 WLAN?
    Thanks.

  38. #38
    Join Date
    2015-Apr
    Posts
    29
    Manufacturer AVM Fritz!Box is not vulnerable to pixie dust or the normal WPS attack with reaver or bully.

    With both the WPS-PBC and the WPS PIN method, a secure wireless connection to the FRITZ!Box can only be made within 2 minutes of powering up.
    After 2 minutes or after a successful connection, the WPS method of the FRITZ!Box will be automatically deactivated.

  39. #39
    Join Date
    2016-Jun
    Posts
    4
    Thank you Laserman 75.
    So in general, there is nothing to do to hack the Wi-Fi of an AVM Fritz box 7390?
    Could it work to use Fluxion and try to get lucky while someone is connected?
    Any suggestion or advice would be helpful.
    Thanks in advance.

  40. #40
    Join Date
    2016-Jun
    Posts
    4
    Yes.
    How can I hack the password then?
    There is no possibility to violate the FRITZ! box?


    Quote Originally Posted by Laserman75 View Post
    Manufacturer AVM Fritz!Box is not vulnerable to pixie dust or the normal WPS attack with reaver or bully.

    With both the WPS-PBC and the WPS PIN method, a secure wireless connection to the FRITZ!Box can only be made within 2 minutes of powering up.
    After 2 minutes or after a successful connection, the WPS method of the FRITZ!Box will be automatically deactivated.

  41. #41
    Join Date
    2013-Jul
    Posts
    844
    To Paulnewman

    Outside of brute forcing a handshake or WPA phishing there are three (3) possibilities. Chances of success are SMALL, may not be immediate, and these attacks may not work at all!

    Method One

    Some routers when subject to small amounts of DDOS release WPS pins even though the WPS system is locked. You can test this vulnerability by using one of the VMR-MDK variants.

    Method Two

    Some routers reset their WPS pins to 12345670 and become open to WPS pin collection for short periods of time. You can run reaver or bully with the pin 12345670 in the command line and constantly attack the router for a long period of time (i.e. weeks). Better just run up varmacscan when your computer is idle and you may get lucky.

    Method Three

    Some routers reset after being subjected to heavy DDOSing. Mteams has not had much success with Method Three.

  42. #42
    Join Date
    2016-Jun
    Posts
    4
    I tried using the suggested script VMR-MDK with standard parameters but I always get the same errors.
    On a first router:
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Entering recurring delay of 15 seconds
    On a second router:
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670.

    In both cases the command wash shows that WPS is not locked, but the system always tries the same PIN 12345670 and doesn't go forward....
    Last edited by Paulnewman; 2016-06-12 at 13:31.

  43. #43
    Join Date
    2013-Jul
    Posts
    844
    To Paulnewman

    If the wps system is OPEN then VMR-MDK is not the tool of choice.

    MTeams suggests you use the command line first in most cases where the WPS system is open. Try both reaver and bully.

    There are many reasons why you cannot get reaver to collect pins. You might put the --wps option in airodump-ng, point it at your target by adding the -c channel and --bssid, and see what information airodump-ng supplies.

    In the end you may have to resort to brute force by collecting a handshake. Remember approx. 50% of the WPA keys are simple numeric strings 8 to 10 in length. Back when reaver was king MTeams collected hundreds of WPA keys and the 50% rule was obtained. In fact over half of these numeric strings were mobile telephone numbers and a small number were landline numbers with and without the area code.

    MTeams

  44. #44
    Join Date
    2016-Jun
    Posts
    1
    Hi, I know it's a little off topic to pixie's,
    is there any possible way to force the router to reset to its default factory setup, with a WPS-disabled router, or to force WPS to enable?

    tried cracking AP with dictionary attack but no luck..

    thanks in advance!
    Last edited by tomodachimo; 2016-06-20 at 08:18.

  45. #45
    Join Date
    2015-May
    Posts
    25
    To mmusket33

    I have a TP-Link router TL-WR740N, seems like it is impossible to crack the WPS PIN

    First I tried the Wifite, Pixie dust attack- within seconds it says WPS PIN not found

    tried reaver with delay of 10-15 seconds - doesn't help as the router still locks after few wrong WPS PIN attempts

    I tried VM-MDK script, for the first few seconds I get the M1 till M4 messages and then it says " WPS transaction failed, code 0x04"

    I tried the Varmacscan, no luck there either.

    So I want to know, is there a way to crack the pin of locked WPS routers? Usually the router locks automatically after a few failed pin attempts.

    WPA handshake and cracking with a wordlist is about luck; it works only if the passphrase is in the wordlist.

    Note: I did crack the Dlink routers with Wifite(pixie-dust) within seconds, works perfectly.

    It's just the new routers which are hard to crack.

    Running Kali 2.0 Sana all tools updated to the latest.

    Please help. Thanks in advance

  46. #46
    Join Date
    2015-May
    Posts
    18
    To machx: I have the same problem with newer routers as well; almost all of those I have in range are pretty new and updated Technicolor routers so not much luck there.
    But I have recently started to play with wifiphisher instead and have a lot of success with that tool.
    Before, I found it hard to believe that people are so naive and easy to trick, so I never bothered to test this way before, but now I have changed my mind.
    Give it a try^^

  47. #47
    Join Date
    2015-May
    Posts
    25
    To squash,

    I'll give it a try, thanks a lot, running out of luck, will keep it updated here after the test.

  48. #48
    Join Date
    2015-Apr
    Posts
    29
    Quote Originally Posted by machx View Post
    To mmusket33

    WPA handshake and cracking with a wordlist is about luck; it works only if the passphrase is in the wordlist.
    You can crack WPA with crunch.

  49. #49
    Join Date
    2015-May
    Posts
    25
    I had my luck yesterday and I was able to crack with dictionary attack with rockyou.txt
    Others were cracked pixie dust using Wifite
    Rest are still in progress.
    VMR-MDK and Revd3k-r3 and Varmascan don't work and there are no hopes.

    I'm also using default WPS PIN of the router manufacturer and model. It works sometimes
    with default PIN (-p on reaver)

    Still testing, will keep updated

  50. #50
    Join Date
    2016-Sep
    Posts
    8
    True, but I know that trying to create an accurate wordlist with crunch for Bigpond/Telstra modems (Australian provider) requires 10 digits, upper case and numerical; the output for that in crunch is 25 petabytes. Not sure I can get that kind of storage, or wait the time for it to be created.
