
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #571
    Junior Member
    Join Date
    Oct 2016
    Posts
    2
    No matter what router I scan, I can't seem to get E-Hash1 and E-Hash2 from reaver or Wireshark. My reaver is the default reaver that comes with the latest Kali Linux. Any ideas how to get those? I can get all the rest (AuthKey, PKE, PKR etc.).

  2. #572
    Member
    Join Date
    Jun 2013
    Posts
    56
    Quote Originally Posted by squiddymute View Post
    No matter what router I scan, I can't seem to get E-Hash1 and E-Hash2 from reaver or Wireshark. My reaver is the default reaver that comes with the latest Kali Linux. Any ideas how to get those? I can get all the rest (AuthKey, PKE, PKR etc.).
    If you include more information you might get good responses, such as the exact command lines you are trying and the environment you're running Kali in.

  3. #573
    Junior Member
    Join Date
    Oct 2016
    Posts
    2
    Quote Originally Posted by undersc0re View Post
    If you include more information you might get good responses, such as the exact command lines you are trying and the environment you're running Kali in.

    Not doing anything exotic.

    wifi card: RT2501/RT2573 Wireless Adapter
    Reaver version: v1.5.2
    command: reaver -i wlan0mon -b <mac> -c1 -S -vv
    kali version:
    Linux version 4.7.0-kali1-amd64 (devel@kali.org) (gcc version 5.4.1 20160803 (Debian 5.4.1-1) ) #1 SMP Debian 4.7.5-1kali3 (2016-09-29)

    Tried several different routers; I'm not getting E-Hash1 or E-Hash2. I have also tried with Wireshark, but still I see nothing related to E-Hash1 and E-Hash2 in the packets.

  4. #574
    Member
    Join Date
    Aug 2015
    Location
    The Pits
    Posts
    86
    Hello squiddy, what happens if you add another v:
    reaver -i wlan0mon -b <mac> -c 1 -vvv
    or, what happens if you do:
    reaver -i wlan0mon -b <mac> -c 1 -K -vvv
    Last edited by John_Doe; 2016-10-30 at 10:57 PM.

  5. #575
    Member
    Join Date
    Dec 2015
    Posts
    36
    Did not work with Speedport W724V Type Ci, ZTE ZXDSL 931VII v4 or Zyxel VMG5313-B30.

    Speedport and Zyxel lock WPS after a few tries, and ZTE turned it off completely. On all devices WPS reset after a power cycle.

  6. #576
    Junior Member
    Join Date
    Apr 2015
    Location
    cosmoland
    Posts
    17
    Is it possible to make a script which could use a PIN list for the half PIN1, or for the whole PIN with 11 000 possibilities, to imitate the original brute force?
    Because there are some routers which start from 1234| and they only change the second half of the PIN:
    p2_index set to 1
    [+] Pin count advanced: 10001. Max pin attempts: 11000
    [+] Trying pin 12340002.

    [P] WPS Manufacturer: ZTE Corporation
    [P] WPS Model Name: ZXHN H118N
    [P] WPS Model Number: ZXHN H118N
    [P] Access Point Serial Number: 123456789012347

    Example:
    kcdtv: Acknowledging the first M5 is enough to create the false positive for the first half. The problem here is that this M5 should not exist, and it totally disables the concept of two-stage brute force.

  7. #577
    Junior Member
    Join Date
    Sep 2016
    Posts
    8
    Got the WPS PIN using "reaver -i wlan0mon -b (insert bssid here) -vvv -W 2 (it is a Belkin router) -a -c (insert channel number here)". Tried to get the passwd using the --pin= option in reaver, and it gives me a hash-looking thing for the passwd. I still couldn't use that "hash" to connect to the network. I tried to disconnect all clients from the AP, as well as changing my MAC address to one of the clients connected to the network, still no success. However, I couldn't help but notice that each time I tried with the passwd I got from pixie, it got NACK errors, but every time I tried with a different WPS PIN than the correct one, it tests it and reports that it didn't work. Kinda stuck here.

    Some information: WPA and WPS (no WPA2), Belkin chipset, WPS is not locked and is, according to the command "wash -i wlan0mon", at version 1.0, and it does send out beacons frequently. I'm not very far away from the router; according to the wash command, -59. I just want to learn why this is happening and explore. Since it has WPA enabled as well, I tried to capture a handshake by running aireplay-ng with the 3 and 1 options, as well as aircrack-ng, and still got the same WPS PIN. Tried to de-hash that using an online hash cracker, but no use. Tried to connect to the AP using the WPS PIN (someone mentioned a link that led to the Ubuntu forums), and no use.

  8. #578
    Junior Member
    Join Date
    Jul 2013
    Posts
    8
    Has anyone checked into Broadcom routers? I think they're vulnerable, but I need to know for sure; can someone test if I send the info? I already posted in this topic before, but didn't get many replies regarding this.

  9. #579
    Junior Member
    Join Date
    Nov 2015
    Location
    USA
    Posts
    3
    Look up your device on Wikidevi. If your device contains one of the chipsets as listed above, disable WPS now. If your device does NOT contain one of the chipsets as listed above, disable WPS now.
    This is really good lmao
