
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    Join Date: 2013-Jul | Location: United States | Posts: 520
    Quote Originally Posted by nuroo View Post
    What fixes, improvements will pixiewps 1.1 bring?
    Full Realtek PRNG brute force, AuthKey computation if you don't want to use the modified Reaver, and it's a bit more user-friendly

  2. #2
    Join Date: 2015-Mar | Posts: 127
    Sounds good. Great work everybody involved.

    Got my first Belkin today. First PIN generated was the correct one.

  3. #3
    Join Date: 2013-Jul | Location: United States | Posts: 520
    With pixie dust or the PIN generator? Model number?

  4. #4
    Join Date: 2015-Mar | Posts: 127
    With the -W1 option.

  5. #5
    Join Date: 2015-Mar | Posts: 127
    When it's ready. I was told very soon. Kept checking back here. Or you could follow the GitHub.

  6. #6
    Join Date: 2013-Jul | Location: United States | Posts: 520
    Quote Originally Posted by unsuns06 View Post
    IT'S THE 3RD TIME I'VE TRIED TO POST A REPLY, I hope this ONE WILL BE PUBLISHED.

    How did you get this PIN?

    I'll try it later this week, because I'm travelling right now.

    When will the new update of pixie be released?

    Many thanks.
    Beta tool

  7. #7
    Quote Originally Posted by soxrok2212 View Post
    Beta tool
    Will said beta tool ever be released? I wanna play too
    Or maybe even an email?

  8. #8
    Join Date: 2013-Jul | Location: United States | Posts: 520
    Quote Originally Posted by aanarchyy View Post
    Will said beta tool ever be released? I wanna play too
    Or maybe even an email?
    Yeah probably this week. We're just testing to make sure it works and ironing out bugs if we find any. Kudos to Wiire!!! He's an awesome dev

  9. #9
    Join Date: 2015-Mar | Posts: 127
    I can beta also

  10. #10
    WoW
    Thank you SO MUCH someone else (I mean you, not someone else)
    It is much more "readable" than what I got.
    I am not used to MIPS either (my poor skills in disassembling speak for themselves :P )
    I will try with the tool you used, I am curious about LOAD:0040C8C0 / and checking sub_404128 / sub_403F60
    The very last line you underline is definitely like a simple "printf" that writes the value of the PIN to "stdout"

    SO GREAT!
    First, thanks to you, we know 100% sure that build time is the string used with some randomization.
    The startup.sh script was giving a strong clue: time was "generated" just before the PIN....
    Another clue: we already know that time is used as a seed for the Diffie-Hellman key exchange.
    Now we know: time is definitely and surely used to generate the default PIN,
    and it is the first build time.

    That's kind of an issue if we look for a way to generate the exact default PIN, depending on the randomization, but it looks like this with the devices I saw; we might be able to guess the first digits correctly by relating them to the year of production, then the PIN respects the checksum so the seconds start on 7 digits.
    One hour is 3600 seconds and we would need to be at most about 15 minutes more or less from the exact build time to get the first half of the PIN... sorry for my English, but I guess you see what I mean...
    But a little pixie flying around told me that this kind of "unsupported Realtek" would, maybe, who knows?, not be unsupported anymore for so long....
    Thanks so much for the information, it is helping a lot.
    Last edited by kcdtv; 2015-04-28 at 21:46.

  11. #11
    DOH! How did I forget about fmk, but the last time I used it was when I was taking part in "jailbreaking" the NeoTV 300b. Looks like I've got some playing to do :-D

  12. #12
    WoW && WoW
    Like someone else, you are amazing too.
    That's actually one of the most exciting threads, full of amazing people, you guys rule!
    - you can issue commands over telnet 192.168.2.1 23 login as root and 5up as pass
    YES!
    You don't know how much I was looking for that!
    'cause I noticed telnet is enabled even though there is no way to enable / disable / configure it (from the web interface with the proposed option)
    But I couldn't log in.
    Now I can, thank you SO MUCH, that's awesome.
    By the way, did you notice this permanent "super" backdoor?
    With credentials super:super you can log in with administrator privileges (but not in telnet).

    - you can issue commands over web on a hidden page http://192.168.2.1/syscmd.asp
    I get a 404 error when I try to access this web page or if I try to execute a command through a POST request (but I am not used at all to this, so maybe I do something wrong)
    I also use version v3.2.0.2.6, different from yours. I should downgrade to check all these very interesting and fundamental elements that you bring to us.
    Thanks for showing us and explaining to us all this system around PIN management (and so much more, this is tremendous information)

  13. #13
    Join Date: 2015-Apr | Posts: 15
    @kcdtv
    I'm glad that I could help and I'm with you: great thread!

    And a little update :

    VULNERABLE:

    Edimax
    Fonera Fon 2.0n (FON 2303B)
    Ralink RT 3052


    Code:
    [P] E-Nonce: 72:a5:2f:83:81:21:32:85:04:2c:30:60:d8:cf:ab:9e
    [P] PKE: 6a:b2:23:7b:37:81:58:2c:f6:a1:0c:f9:a8:ec:4c:14:70:dc:0b:70:a1:cb:1e:dc:0a:22:17:2d:b0:83:c4:bc:3a:47:b7:39:a9:63:ea:57:ff:38:ba:61:6d:2f:f7:45:96:45:80:70:1d:cf:27:1f:8a:84:52:77:e0:5c:e9:c1:72:9d:e7:8a:20:70:aa:29:e3:3d:ea:01:c5:34:c9:70:64:e3:72:c7:9a:08:b5:86:61:32:a0:7d:80:b6:e1:9c:5c:57:ab:90:4b:f5:24:50:cb:3e:31:e3:6e:d0:f9:a2:67:ab:69:71:07:9d:35:fc:97:0d:25:fa:2f:a3:d2:be:ae:eb:a2:34:9e:e5:f6:92:27:80:88:0b:fc:24:ee:b3:47:e9:35:17:a1:f5:c2:72:58:44:e6:cd:49:05:4a:2a:23:26:a3:99:8d:ae:54:bd:a7:c0:7c:3a:52:28:fc:58:a6:2b:aa:dc:b5:88:4d:b9:4f:04:41:98:82:25:2a:0a
    [P] PKR: 5d:8e:b8:d7:5d:71:79:d3:c1:d5:b1:72:b4:d0:8d:85:f0:5c:13:5f:1e:8c:35:fb:83:2e:15:9a:c9:ed:0f:bf:45:48:93:77:38:2f:90:4a:4c:53:ae:4b:ee:18:4d:cc:d8:98:d8:6c:98:b2:3f:45:fe:0c:52:1b:69:75:b4:85:d0:44:1e:ca:ad:8c:57:b6:a5:13:72:5a:8b:0d:38:1a:50:21:24:71:14:7d:13:72:65:92:53:1c:de:f3:a9:03:c5:ba:65:ff:64:c8:ac:84:00:7b:c9:8b:03:61:6c:9b:39:56:4d:3a:27:a8:66:de:79:99:a2:ab:82:9c:e2:98:53:61:ba:8d:d3:9b:47:4e:d3:ff:f1:8d:e0:61:39:f6:9f:35:a2:2f:23:c4:ed:af:da:a0:77:bc:b2:db:36:21:8c:9d:14:27:96:61:22:89:37:33:09:fa:2b:1f:f0:99:9e:ea:e8:59:ad:bc:8d:d9:75:0a:db:c9:f9:43:ba:83
    [P] AuthKey: 54:76:bd:c3:63:02:b2:fe:02:dd:fb:2e:db:e5:3d:2f:0f:4e:a9:e2:bc:cb:fb:d6:58:a9:47:c8:ea:56:99:34
    [P] E-Hash1: 08:80:1e:79:8c:5f:27:fb:09:d3:35:cb:e3:59:67:c2:c6:48:4b:d3:0f:5a:cc:42:05:c9:80:e9:83:36:ea:c2
    [P] E-Hash2: 6c:b5:bb:78:81:8d:c1:41:af:c0:32:91:8a:b6:13:64:fe:39:26:b6:76:85:ad:e7:37:d9:cc:7e:d2:c1:db:41

  14. #14
    Join Date: 2013-Jul | Location: United States | Posts: 520
    @kcdtv pointed out a newly documented "flaw", I guess I would call it: http://w1.fi/security/2015-1/wpa_sup...d-overflow.txt
    It was something I was actually considering a few days ago, but I guess people beat me to it :P
    Anyways, it looks like this may be a gateway into a bunch more information... potentially information dumps, router reboots, memory leaks, the list goes on and on. I personally don't know how to implement it. There is an option in mdk3 that does something similar, but it doesn't work for these purposes... maybe it can be modified? If you run mdk3 --fullhelp I think the command is p, but I don't recall.

    If you don't want to click the link, it is just a text document:
    Code:
    wpa_supplicant P2P SSID processing vulnerability
    
    Published: April 22, 2015
    Identifier: CVE-2015-1863
    Latest version available from: http://w1.fi/security/2015-1/
    
    
    Vulnerability
    
    A vulnerability was found in how wpa_supplicant uses SSID information
    parsed from management frames that create or update P2P peer entries
    (e.g., Probe Response frame or number of P2P Public Action frames). SSID
    field has valid length range of 0-32 octets. However, it is transmitted
    in an element that has a 8-bit length field and potential maximum
    payload length of 255 octets. wpa_supplicant was not sufficiently
    verifying the payload length on one of the code paths using the SSID
    received from a peer device.
    
    This can result in copying arbitrary data from an attacker to a fixed
    length buffer of 32 bytes (i.e., a possible overflow of up to 223
    bytes). The SSID buffer is within struct p2p_device that is allocated
    from heap. The overflow can override couple of variables in the struct,
    including a pointer that gets freed. In addition about 150 bytes (the
    exact length depending on architecture) can be written beyond the end of
    the heap allocation.
    
    This could result in corrupted state in heap, unexpected program
    behavior due to corrupted P2P peer device information, denial of service
    due to wpa_supplicant process crash, exposure of memory contents during
    GO Negotiation, and potentially arbitrary code execution.
    
    Vulnerable versions/configurations
    
    wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled
    
    Attacker (or a system controlled by the attacker) needs to be within
    radio range of the vulnerable system to send a suitably constructed
    management frame that triggers a P2P peer device information to be
    created or updated.
    
    The vulnerability is easiest to exploit while the device has started an
    active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
    interface command in progress). However, it may be possible, though
    significantly more difficult, to trigger this even without any active
    P2P operation in progress.
    
    
    Acknowledgments
    
    Thanks to Google security team for reporting this issue and smart
    hardware research group of Alibaba security team for discovering it.
    
    
    Possible mitigation steps
    
    - Merge the following commits to wpa_supplicant and rebuild it:
    
      P2P: Validate SSID element length before copying it (CVE-2015-1863)
    
      This patch is available from http://w1.fi/security/2015-1/
    
    - Update to wpa_supplicant v2.5 or newer, once available
    
    - Disable P2P (control interface command "P2P_SET disabled 1" or
      "p2p_disabled=1" in (each, if multiple interfaces used) wpa_supplicant
      configuration file)
    
    - Disable P2P from the build (remove CONFIG_P2P=y)
    That text is not mine, it comes verbatim from the link I posted above. I take no credit and do not mean to infringe any copyrights or screw with any legal stuff that I don't know about.

    Anyways, I guess SSID information comes from management frames, which are unencrypted packets.... check it out here: http://www.wi-fiplanet.com/tutorials...le.php/1447501 They can't be encrypted because they "establish and maintain connections" (quoted from Wi-Fi Planet), making it a whole lot easier for attackers. There is no encryption to break, so it should be a fairly straightforward process.

    If you are worried about this, I suggest you get an AP that supports 802.11w. Read about it here: http://www.cisco.com/c/en/us/td/docs...apter_0100.pdf

    Let me know what you think about this!
    Last edited by soxrok2212; 2015-04-30 at 00:40.
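    The advisory quoted above comes down to one missing bounds check: an SSID element carries an 8-bit length (up to 255) but the destination buffer holds 32 octets. As an added illustration that is not from this thread or from the wpa_supplicant code base (struct peer_dev, peer_set_ssid_from_ie and the helper names are hypothetical stand-ins), this C snippet shows the hardened parse path: an element whose length exceeds 32 octets, or the bytes actually present in the frame, is rejected before anything is copied, so the fields that follow the buffer cannot be clobbered.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSID_MAX_LEN  32   /* valid SSID length range is 0-32 octets */
#define WLAN_EID_SSID 0    /* element ID of the SSID information element */

/* Return codes of peer_set_ssid_from_ie(). */
enum {
    SSID_OK           =  0,
    SSID_ERR_TRUNC    = -1,  /* element runs past the end of the frame body */
    SSID_ERR_NOT_SSID = -2,  /* element ID is not SSID */
    SSID_ERR_TOO_LONG = -3   /* length field claims more than 32 octets */
};

/* Hypothetical stand-in for the heap-allocated peer record: a fixed 32-byte
 * SSID buffer followed by fields an unchecked copy would clobber. */
struct peer_dev {
    uint8_t ssid[SSID_MAX_LEN];
    size_t  ssid_len;
    void   *owned_ptr;   /* stands in for the pointer the advisory says gets freed */
};

/* Parse one information element (1 byte ID, 1 byte length, payload) from a
 * management-frame body and copy the SSID into dev. The 8-bit length field
 * can claim up to 255 octets; the hardened path refuses anything above 32
 * (and anything longer than the bytes actually present) before memcpy. */
int peer_set_ssid_from_ie(struct peer_dev *dev, const uint8_t *ie, size_t ie_len)
{
    if (ie_len < 2)
        return SSID_ERR_TRUNC;
    uint8_t id  = ie[0];
    size_t  len = ie[1];
    if (id != WLAN_EID_SSID)
        return SSID_ERR_NOT_SSID;
    if (len > ie_len - 2)
        return SSID_ERR_TRUNC;
    if (len > SSID_MAX_LEN)
        return SSID_ERR_TOO_LONG;   /* the missing check behind CVE-2015-1863 */
    memcpy(dev->ssid, ie + 2, len);
    dev->ssid_len = len;
    return SSID_OK;
}

/* Build a constructed SSID element with the given payload length (test input). */
size_t build_ssid_ie(uint8_t *out, size_t out_cap, uint8_t len, uint8_t fill)
{
    if (out_cap < (size_t)len + 2)
        return 0;
    out[0] = WLAN_EID_SSID;
    out[1] = len;
    memset(out + 2, fill, len);
    return (size_t)len + 2;
}

/* Feed a constructed element of the given length and report the result code. */
int parse_result_for_len(unsigned len)
{
    struct peer_dev dev = {0};
    uint8_t frame[2 + 255];
    size_t n = build_ssid_ie(frame, sizeof frame, (uint8_t)len, 'A');
    return peer_set_ssid_from_ie(&dev, frame, n);
}

/* End-to-end check: a 255-octet element is rejected and leaves the record
 * (ssid contents, ssid_len, owned_ptr) exactly as a prior valid element set it. */
int demo(void)
{
    struct peer_dev dev = {0};
    uint8_t frame[2 + 255];
    dev.owned_ptr = &dev;
    size_t n = build_ssid_ie(frame, sizeof frame, 8, 'A');
    if (peer_set_ssid_from_ie(&dev, frame, n) != SSID_OK || dev.ssid_len != 8)
        return 1;
    n = build_ssid_ie(frame, sizeof frame, 255, 'B');
    if (peer_set_ssid_from_ie(&dev, frame, n) != SSID_ERR_TOO_LONG)
        return 2;
    if (dev.ssid_len != 8 || dev.owned_ptr != (void *)&dev || dev.ssid[0] != 'A')
        return 3;
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("SSID length check demo: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```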

  15. #15
    Where can I get a copy of this firmware everyone is picking apart right now? I've tried to find some Arris firmwares (as some seem to be invulnerable to pixie) but they are apparently very tightly guarded and I do not own one or I would dump it myself. Definitely no downloads for them, but if I get my hands on one physically... different story :-D
    email username @ gmail

  16. #16
    Join Date: 2013-Jul | Location: United States | Posts: 520
    Quote Originally Posted by aanarchyy View Post
    Where can I get a copy of this firmware everyone is picking apart right now? I've tried to find some Arris firmwares (as some seem to be invulnerable to pixie) but they are apparently very tightly guarded and I do not own one or I would dump it myself. Definitely no downloads for them, but if I get my hands on one physically... different story :-D
    email username @ gmail
    http://sourceforge.net/projects/alfa...iles/Firmware/

    Alfa AIP-W525H I believe.... not sure if it is v1 or v2 though.

  17. #17
    Join Date: 2015-Mar | Posts: 127
    Manufacturer: Greenwave
    Device Name: GreenWave BHR4
    Model Number: 4

    000000000:6F4| 1|-61|1.0|No |FiO00000000| GreenWave| 4|


    Greenwave Systems, no wikidevi, fccid

    NOT Vulnerable
    Last edited by nuroo; 2015-04-30 at 15:47.

  18. #18
    Join Date: 2013-Jul | Location: United States | Posts: 520
    Quote Originally Posted by nuroo View Post
    Manufacturer: Greenwave
    Device Name: GreenWave BHR4
    Model Number: 4

    000000000:6F4| 1|-61|1.0|No |FiO00000000| GreenWave| 4|


    Greenwave Systems, no wikidevi, fccid

    NOT Vulnerable
    Send me the cap I'd like to look into it.

  19. #19
    Join Date: 2015-Apr | Posts: 5
    Does not work on Technicolor TD5130 V1 and Thomson AP.

  20. #20
    Join Date: 2013-Jul | Location: United States | Posts: 520
    Worked fine for me when I tested. You need to wait for the whole Realtek tool to be released. It is almost done.

  21. #21
    Join Date: 2015-Mar | Posts: 127
    Big teaser!

  22. #22
    Join Date: 2015-Apr | Posts: 5
    soxrok2212, I have tried many times on my network but no result.

    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    mod by t6_x <[email protected]> & DataHead & Soxrok2212

    [+] Switching mon0 to channel 1
    [+] Waiting for beacon from 18:17:25:xx:xx:xx
    [+] Associated with 18:17:25:2C:0B:7A (ESSID: WIFI 14)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 5e:86:d7:2d:5a:11:c1:36:51:97:d7:16:54:c3:de:7f
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Technicolor
    [P] WPS Model Name: Technicolor TD5
    [P] WPS Model Number: Technicolor TD5
    [P] Access Point Serial Number: 1343A1D22901
    [+] Received M1 message
    [P] R-Nonce: c0:68:f8:86:c5:14:c2:aa:d8:5f:56:29:51:0c:fd:d4
    [P] PKR: 58:f7:89:a6:11:fc:9e:ad:b1:a5:e5:e8:97:5b:4c:e3:f9 :a2:3c:d0:81:70:cf:4f:59:fd:bd:d1:7f:fe:fc:a0:28:6 4:46:fc:da:31:61:88:65:09:86:66:4b:9f:37:af:68:3b: 9e:1f:fd:bd:aa:09:f6:5b:b2:8d:da:e2:cf:cd:c5:5b:8c :87:82:e8:d4:8f:b8:9c:22:8e:ca:c2:ad:c3:43:01:4e:d 9:39:0b:ec:a9:12:bd:ba:02:a9:69:30:de:61:6d:da:cd: 47:80:9c:d9:39:4d:e3:40:c4:38:13:6d:15:f2:b1:68:9e :e4:45:0b:e9:0b:ba:bb:2e:7b:96:d4:c6:c2:8e:e6:07:8 c:fe:35:6d:7a:fd:8c:ca:24:d7:87:b7:b5:fd:8d:32:e7: e6:fa:5d:01:eb:d6:8a:aa:16:89:7a:63:ec:db:e1:60:01 :0f:0b:92:90:ba:e0:33:35:57:f5:01:63:36:0e:b1:46:6 a:70:99:cf:5c:49:6e:40:3c
    [P] AuthKey: f4:8d:63:52:60:ad:82:9e:7e:72:b4:84:82:bb:df:5d:0d :29:76:55:a4:07:57:9f:5a:92:07:17:19:53:42:ac
    [+] Sending M2 message
    [P] E-Hash1: 99:9f:06:06:d4:39:af:ba:43:40:bc:f3:42:db:04:64:e5 :cf:b3:ed:a7:f6:40:a9:f0:d0:eb:df:5c:91:67:79
    [P] E-Hash2: 9c:94:a1:72:b8:36:02:47:cd:50:44:d2:2f:fe:49:d8:68 :62:b7:de:84:ac:4a:a8:9e:75:a2:24:bf:37:ba:91
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 1 s
    [Pixie-Dust]

  24. #24
    Join Date: 2013-Jul | Location: United States | Posts: 520
    Try this PIN and let me know if it works: 76734052
    I really hope this is your own AP... by using that PIN you agree that I am not responsible for any trouble you may get into.

  25. #25
    @aboulatif
    Hey just a curiosity of mine... Is the WAN MAC of that router 18:17:25:2C:0B:75?

  26. #26
    Join Date: 2013-Aug | Location: lost in space | Posts: 580
    He forgot to blank out a line, so no, wiire.


    "[+] Associated with 18:17:25:2C:0B:7A (ESSID: WIFI 14)"

  27. #27
    Quote Originally Posted by Quest View Post
    he forgot to blank out a line, so no wiire.


    "[+] Associated with 18:17:25:2C:0B:7A (ESSID: WIFI 14)"
    That's the WLAN MAC.

    I was asking for the WAN MAC = 18:17:25:2C:0B:7A - 5 = 18:17:25:2C:0B:75

  28. #28
    Model name = model number ...

    Example..

    RTL8187 >>>> RTL ( Model name) 8187 ( Model number) ...

    Other values about modem manufacturer, not wps manufacturer ( 1.0.1.1 , 1 , 1234 )



    Old version or invulnerable chipsets are different. They should be well analyzed on Wireshark
    Last edited by Saydamination; 2015-04-30 at 22:31. Reason: Ok.

  29. #29
    Quote Originally Posted by Saydamination View Post
    Model name = model number ...

    Example..

    RTL8187 >>>> RTL ( Model name) 8187 ( Model number) ...

    Other values about modem manufacturer, not wps manufacturer ( 1.0.1.1 , 1 , 1234 )



    Old version or invulnerable chipsets are different. They should be well analyzed on Wireshark
    You shouldn't look too much into this. Manufacturers put what they want in those fields. Sometimes they put the valid model number, name, serial or whatever, sometimes they put something else, for example '123456' (or '1234' or whatever) which is like a blank field (I guess they can't put zeroes).

    Reaver prints that information only to give you a (sometimes vague) idea of what the chipset brand/model could be. The cracking is performed by pixiewps, which doesn't use this information.

  30. #30
    @soxrok2212 here is a cap of the same router type, if you can get me a pin and/or tell me how that would rok ;-)


    http://d-h.st/9dE1
    Last edited by aanarchyy; 2015-05-01 at 16:35.

  31. #31
    Pixiewps 1.1 is out!

    See the original thread.

  32. #32
    Hey guys, I am a little bit confused as to the usage of -f in the new pixiewps. It refers to mode4??? anyone kind enough to clarify?

  33. #33
    Join Date: 2015-Apr | Posts: 9
    just add -f 4

  34. #34
    And would you add this argument always?

  35. #35
    Join Date: 2015-Apr | Posts: 9
    At first I tried it without that option on a router with a Realtek chipset and it didn't find the PIN, then I tried it with -f 4 and it took about 600s, then BOOM, PIN found.

  36. #36
    Quote Originally Posted by psicomantis View Post
    Hey guys, I am a little bit confused as to the usage of -f in the new pixiewps. It refers to mode4??? anyone kind enough to clarify?

    Yes sorry, I should've clarified. The --force option is used only for what I call mode 4, which is Realtek's PRNG seed bruteforce. I was planning on adding mode selection but I didn't, and I left those modes on the usage screen and I didn't want to explicitly refer to vendors in the program.

    The best practice is to run the program without -f, and if you get a warning saying that the router might be vulnerable to mode 4 it means that you may want to try again with -f or with another set of data that could lead you to (mode 2) secret nonces = enrollee nonce. I also refer to modes because that's how the program runs internally: it tries for every possible vulnerability. When it bruteforces the new PRNG though (that is mode 4) it normally tests only a small window of time (approximately 10 days) because the new bruteforce is more power-consuming.

    So --force is basically used only if the router has set its time to the past (more than 10 days ago). To exhaust it probably takes 20 - 30 mins. Also -f doesn't take any argument. The program just doesn't complain if you pass it some extra arguments. I gotta fix that.

    Also would you mind replying on the pixiewps thread for program related questions? Thanks.

  37. #37
    Join Date: 2015-May | Posts: 1
    Hi wiire, can you tell me which command I should use against Realtek chipsets?

  38. #38
    Hello hanada and welcome to the forum
    mmm... Did you read the line just before your message?
    Quote Originally Posted by wiire
    Also would you mind replying on the pixiewps thread for program related questions? Thanks.
    Maybe you are not used to forums but you have to locate your question in the correct thread.
    Your question is strictly about pixiewps usage and this thread is about the pixie dust breach
    You should have asked your question in this thread
    By the way...
    ..., if you read a little you will find the answer to your question... read before asking; like this the forum is not full of duplicated content.

  39. #39
    Join Date: 2013-Jul | Location: United States | Posts: 520
    @nuroo @aanarchyy I looked for more info in the data you sent me (caps and reaver output). Upon looking at the beacon frames in the cap that aanarchyy sent me, I see that the Greenwave G1100 uses a Broadcom 802.11N/AC chip; more specifically I believe that it may be the BCM4360: https://wikidevi.com/wiki/Broadcom... AFAIK the G1100 is 3x3:3 on 2.4GHz and 3x3:3 on 5GHz. Assuming so, that leads me to the conclusion above. With the lack of documentation, the only way to find out for sure would be to order one and open it up, but FiOS is not available in my area and I don't have $200-$300 to spend on it... I don't even see their firmware available anywhere online...

  40. #40
    If I can get my hands on one, I will gladly dump it and share. As of recently, I've been poking around a dump I did the other day of a Belkin F9K1001 v1 ( https://wikidevi.com/wiki/Belkin_F9K1001_v1 ) to see what I can find. Found it at the swap shed of the dump in my town, so I had no issues pulling the flash chip off and dumping it. I pick up all kinds of random embedded devices to tinker with. I've got somewhere over a dozen or so assorted routers/repeaters (old Comcast, old Verizon, Belkin, D-Link, Buffalo, Netgear, Linksys, and some random weird ones) I'd be glad to dump/decompress/decompile/share if anyone would find it useful :-) I'm kinda sucky at reading assembly but I'm learning...

  41. #41
    Join Date: 2013-Jul | Location: United States | Posts: 520
    Any Comcast /Cisco DPC3939?

  42. #42
    Join Date: 2015-Mar | Posts: 127
    G1100 firmware is not available for public download.

    As per the folks @ dslreports who have the router, new firmware is made available to customers internally through their network.

  43. #43
    Join Date: 2015-Mar | Posts: 127
    @soxrok2212
    I gave you a full dump, no filters. Beacons should be in the .cap.
    No FiOS at my location either. At least you were able to deduce it's a Broadcom chip; never heard of Greenwave before this. Was gonna be impressed if a new company came out of the woodwork with a new chipset all on their own.

    @aanarchy
    I will try to find out if G1100 can be updated, if firmware is available.

  44. #44
    Join Date: 2013-Jul | Location: United States | Posts: 520
    Quote Originally Posted by nuroo View Post
    @soxrok2212
    I gave you a full dump, no filters. Beacons should be in the .cap.
    No FiOS at my location either. At least you were able to deduce it's a Broadcom chip; never heard of Greenwave before this. Was gonna be impressed if a new company came out of the woodwork with a new chipset all on their own.

    @aanarchy
    I will try to find out if G1100 can be updated, if firmware is available.
    Hey, the cap I got from you only has the WPS exchange in it, I didn't see any beacons...
    Last edited by soxrok2212; 2015-05-04 at 21:30.

  45. #45
    Not sure, I'll check as soon as I get home. I think the only two Comcast ones I have are the old Actiontec ones, not sure of the chipsets but I'll look.

  46. #46
    @nuroo already checked, completely unavailable; the only way to get it is to dump a live device. Same with the Xfinity Arris routers; found on a website that the firmware is "closely guarded".

  47. #47
    I am trying my best to figure this out. I have been testing on a Broadcom and a ZyXEL router; it never spits out the 2 hashes for them, am I missing something simple here? Of course you need the 2 hashes to get the PIN. It spits out the other necessary keys/info. My Kali was updated this evening. Edit: I figure it's because the router is not supported.
    Last edited by undersc0re; 2015-05-05 at 15:49.

  48. #48
    Wps Pixie Dust Attack is VULNERABLE for all ZTE modems...

  49. #49
    Join Date: 2013-Aug | Location: lost in space | Posts: 580
    ... and according to my Jedi skills there are no "gals" here. If there are, please someone introduce me!

    Welcome some1, to the new Kali Kitchen (thanks g0tmilk), where strange things are cooked and weird things happen. Cheers!!!

  50. #50
    Join Date: 2013-Jul | Location: United States | Posts: 520
    Quote Originally Posted by Quest View Post
    ... and according to my Jedi skills there are no "gals" here. If there are, please someone introduce me!

    Welcome some1, to the new Kali Kitchen (thanks g0tmilk), where strange things are cooked and weird things happen. Cheers!!!
    Haha I love that ^^ Anyways, I need some help from some of you really smart, experienced guys out there. I still have a lot of homework to do on the topic, but I was looking into tkiptun-ng... more specifically injecting "arbitrary packets." Does anyone know what kind of stuff we can inject? I'm wondering if we can somehow, maybe magically with a little bit of "pixie dust", initialize PBC or something similar? I'm really not sure, just thinking
