
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    The author knows he was wrong, right at the top of the page it says:

    Erratum : I thought the Enrollee was the client, and the Registrar the AP (see spec :

    Enrollee: A Device seeking to join a WLAN Domain. Once an Enrollee obtains a valid credential, it becomes a Member.
    Registrar: An entity with the authority to issue and revoke Domain Credentials. A Registrar may be integrated into an AP, or it may be separate from the AP. A Registrar may not have WLAN capability. A given Domain may have multiple Registrars.

    , but I was wrong. Thus, what I wrote below contains errors. Correction and implementation are left as an exercise to the reader.

    Love that we have our own little "kitchen" now

  2. #2
    So anyways, is anyone familiar with tkiptun-ng and packetforge-ng?

  3. #3
    Like send it malformed packets and make it trigger a PBC? That's an interesting idea. I remember a while ago I was doing some packet manipulation scripting and I found scapy to be VERY useful for the project I was doing. Probably be a good tool to use for that.

  4. #4
    Quote Originally Posted by aanarchyy View Post
    Like send it malformed packets and make it trigger a PBC? That's an interesting idea. I remember a while ago I was doing some packet manipulation scripting and I found scapy to be VERY useful for the project I was doing. Probably be a good tool to use for that.
    You took the words right out of my mouth, that's exactly what I was thinking. I actually had 3 ideas.

    1: Trigger PBC
    2: Trigger AP to accept a client's WPS pin
    3: Send an M8 packet to attempt to reconfigure the AP

    I'm not so sure that any of these ideas will work since I'm no super hacker or programmer, but it is just something I see as possible

    Also, there have been updates to tkiptun-ng: http://download.aircrack-ng.org/wiki...kip_master.pdf
    Last edited by soxrok2212; 2015-05-05 at 21:10.

  5. #5
    Hrm, that gave me an idea. I can hook up to a router (UART, SPI sniffing, or whatever) and see what goes on inside the router during a WPS transaction. See if there is anything exploitable.

  6. #6
    Quote Originally Posted by aanarchyy View Post
    Hrm, that gave me an idea. I can hook up to a router (UART, SPI sniffing, or whatever) and see what goes on inside the router during a WPS transaction. See if there is anything exploitable.
    Do it! Lemme know if you find anything.

    --If we find something, I'll start a new thread since it's not really Pixie Dust related.
    Last edited by soxrok2212; 2015-05-05 at 21:20.

  7. #7
    Quote Originally Posted by soxrok2212 View Post
    Do it! Lemme know if you find anything.

    --If we find something, I'll start a new thread since it's not really Pixie Dust related.
    I'll see what I can get done tonight; even if I can find a way to freeze/reset/DoS the router it would be useful for resetting WPS locks

  8. #8
    Quote Originally Posted by aanarchyy View Post
    I'll see what I can get done tonight; even if I can find a way to freeze/reset/DoS the router it would be useful for resetting WPS locks
    Yeah, a reset would be excellent. I've been trying a bunch of ways but haven't been successful. I've been thinking about probing an AP hundreds of times per second with invalid characters in order to reset it... haven't been able to try that yet (MDK3 doesn't support this operation... yet )

  9. #9
    never a dull moment..

  10. #10
    If the knoppix-std forum was still up, I could direct you to the script I wrote that used scapy. Wasn't much, it just watched an AP and dynamically disassoc/deauthed any clients that tried to connect to the AP that weren't on the "whitelist", sort of an active AP protection. Wish I still had a copy of it so I could see how I did it :-/
    Oh well, off to do my favorite thing, hardware hacking!
    If I come up with anything useful, I'll start a new thread to hopefully get some R&D into it :-D

  11. #11
    Quote Originally Posted by aanarchyy View Post
    If the knoppix-std forum was still up, I could direct you to the script I wrote that used scapy. Wasn't much, it just watched an AP and dynamically disassoc/deauthed any clients that tried to connect to the AP that weren't on the "whitelist", sort of an active AP protection. Wish I still had a copy of it so I could see how I did it :-/
    Oh well, off to do my favorite thing, hardware hacking!
    If I come up with anything useful, I'll start a new thread to hopefully get some R&D into it :-D
    So it's like MDK3's WPA downgrade mode?? That's essentially the same thing it does... just deauth until the owner reboots/downgrades to WEP/tries no security at all.

  12. #12
    Nope, it was a straight up DoS; it could be set up to protect an AP from any unknown clients, or set up to deny a specified client(s) from assoc/auth to any AP I could see.

    More or less it was just used to either protect an AP, or just troll someone ;-)
    Last edited by aanarchyy; 2015-05-05 at 23:50.

  13. #13
    Quote Originally Posted by aanarchyy View Post
    Nope, it was a straight up DoS; it could be set up to protect an AP from any unknown clients, or set up to deny a specified client(s) from assoc/auth to any AP I could see.
    Ah interesting. Well there's really 3 things on my mind right now.

    1: Have t6_x's Reaver print PKE, PKR, all that stuff with -vvv (as well as sending M1, M2, etc). I've already contacted him about that; hopefully we will see it soon
    2: Get someone who knows C (or who can modify MDK3) and try to probe an AP with invalid SSID characters to try to reset/reboot the AP.
    3: Figure out how to forge a packet that could possibly open up an opportunity for one (or more) of the 3 things I listed earlier on APs configured with WPA+TKIP or WPA+WPA2 TKIP+CCMP

    That's basically my agenda... if anyone wants to assist me that would be great
    Last edited by soxrok2212; 2015-05-06 at 02:49.

  14. #14
    Quote Originally Posted by soxrok2212 View Post
    Ah interesting. Well there's really 3 things on my mind right now.

    1: Have t6_x's Reaver print PKE, PKR, all that **** with -vvv (as well as sending M1, M2, etc). I've already contacted him about that; hopefully we will see it soon
    2: Get someone who knows C (or who can modify MDK3) and try to probe an AP with invalid SSID characters to try to reset/reboot the AP.
    3: Figure out how to forge a packet that could possibly open up an opportunity for one (or more) of the 3 things I listed earlier on APs configured with WPA+TKIP or WPA+WPA2 TKIP+CCMP

    That's basically my agenda... if anyone wants to assist me that would be great
    As said earlier, probably best to open a new thread about this, as it is not really pixie related. Put all your ideas in the OP and everyone can collectively (hopefully) make something of it.

    But for now, I'm still poking at this effin router to make it do something interesting D-:<
    Last edited by aanarchyy; 2015-05-06 at 00:04.

  15. #15
    Quote Originally Posted by aanarchyy View Post
    As said earlier, probably best to open a new thread about this, as it is not really pixie related. Put all your ideas in the OP and everyone can collectively (hopefully) make something of it.
    If I can find a little more open time I will... I'll do a big writeup about it.

  16. #16
    Just a quick note on the original post: DH keys are not calculated with a PRNG, it's modular arithmetic with the function described below... I updated that. Sorry for the confusion.

  17. #17
    I also forgot to note, MediaTek is vulnerable too! Same problem as Ralink (since MediaTek took over Ralink a few years ago.)

  18. #18
    Hey #soxrok2212.. Thanks for pixiewps 1.1.. it works on TD5130 V1 but TD5130 V3 does not work, why?

  19. #19
    Quote Originally Posted by iliass View Post
    Hey #soxrok2212.. Thanks for pixiewps 1.1.. it works on TD5130 V1 but TD5130 V3 does not work, why?
    Pixiewps is vulnerable if ES1=ES2... if not, invulnerable.. You can look at all the results...

    Some manufacturers use a really easy way to create the PIN... serial numbers, ad-hoc or other..

    They can create new -K options like -K 4, -K 5, -K 6 or -W 3, -W 4...

    Pixiewps is a great project.. user friendly, customer friendly.....

  20. #20
    Quote Originally Posted by iliass View Post
    Hey #soxrok2212.. Thanks for pixiewps 1.1.. it works on TD5130 V1 but TD5130 V3 does not work, why?
    I don't know I don't have one to try.

  21. #21
    Give me your Gmail please

  22. #22
    Ok, I will send you a handshake for TD5130 V3.. ok, for adding this Realtek in pixiewps and reaver

  23. #23
    [attached image: lol.jpg]

    it keeps looping :S

  24. #24
    I just checked the database and no Broadcom units are vulnerable. I was sure someone posted that only some Broadcoms are. Have there been any such cases?

  25. #25
    Quote Originally Posted by scorpius View Post
    I just checked the database and no Broadcom units are vulnerable. I was sure someone posted that only some Broadcoms are. Have there been any such cases?
    I think someone reported success but they didn't list any specifics.

  26. #26
    #Saydamination, yes but I have a handshake.cap.. I will send it to #soxrok2212.. just give me your email please

  27. #27
    TRENDnet TEW-691GR - VULNERABLE

    Pixie:
    [+] Manufacturer: TRENDnet Technology, Corp.
    [+] Model Name: TRENDnet Router
    [+] Model Number: TEW-691GR
    [+] Serial: 12345678

    Chipset: Ralink RT3883

    wikidevi

  28. #28
    Quote Originally Posted by nuroo View Post
    TRENDnet TEW-691GR - VULNERABLE

    Pixie:
    [+] Manufacturer: TRENDnet Technology, Corp.
    [+] Model Name: TRENDnet Router
    [+] Model Number: TEW-691GR
    [+] Serial: 12345678

    Chipset: Ralink RT3883

    wikidevi
    Thanks I'll add it later

  29. #29
    I added some thoughts about Atheros. Potentially the same thing goes for Broadcom... anyone have any ideas or comments?

  30. #30
    Quote Originally Posted by soxrok2212 View Post
    I added some thoughts about Atheros. Potentially the same thing goes for Broadcom... anyone have any ideas or comments?
    where?
    ......

  31. #31
    Quote Originally Posted by wn722 View Post
    where?
    ......
    Vendor implementations.

  32. #32
    @wn722
    I'm glad you asked. I had the same question. Didn't realize the main page was updated.

    @soxrok2212
    I'll help test if you guys come up with something.

  33. #33
    Quote Originally Posted by nuroo View Post
    @wn722
    I'm glad you asked. I had the same question. Didn't realize the main page was updated.

    @soxrok2212
    I'll help test if you guys come up with something.
    I usually update the main page regularly.... depends on what I find. It's usually just errors or something stupid, but yeah, it should say on the bottom when the last update was.

  34. #34
    cheers. good on Atheros for keeping it safe.

  35. #35
    Bruteforce Seed idea?

    Why not use untwister to bruteforce the original seed and find the PIN?
    It's available on GitHub; it's a seed "recovery" tool

  36. #36
    Quote Originally Posted by dragood View Post
    why not use untwister to bruteforce the original seed and find the pin?
    its available on github, its a seed "recovery" tool
    The reason is because the not-supported routers use /dev/urandom to generate the random numbers.

    Untwister only supports the basic PRNGs of certain libraries (glibc's, Mersenne Twister, PHP's MT variant, Ruby's). These are simple and easy-to-crack PRNGs.

    But the not-supported routers use /dev/urandom, which is safer and makes it complicated to find the seed.

  37. #37
    Quote Originally Posted by t6_x View Post
    The reason is because the not-supported routers use /dev/urandom to generate the random numbers.

    Untwister only supports the basic PRNGs of certain libraries (glibc's, Mersenne Twister, PHP's MT variant, Ruby's). These are simple and easy-to-crack PRNGs.

    But the not-supported routers use /dev/urandom, which is safer and makes it complicated to find the seed.
    As far as I can tell, only Atheros uses /dev/random. Also Dominique Bongard clearly stated that these seeds could be found in seconds with a decent computer. Which algorithm the PRNG uses is stated anywhere as far as I have read.
    Also Dominique pointed out that the seed was very low entropy, only 32 bits!! It's nothing impossible to crack in minutes with any home computer. The only reason we can't is because someone hasn't figured out how to write the code yet. Everything is literally written down for us in Bongard's presentation.... literally.... the only reason we're able to get the PIN now is because we assume ES-1 = ES-2 = 0, which is really not much of "hacking". The only problem we are facing now is that someone needs to know how to write code to find the state of the PRNG; once that's found we generate random numbers, hash the result with HMAC-SHA-256, and then simply compare the results to what the router gave us. Once we see they are the same, we know we have the correct seed; from that we can find ES-1 and ES-2 (I'm using Broadcom as an example since it generates both nonces right after the M1 message). This is by far the simplest thing; I'm honestly very surprised Broadcom hasn't been cracked yet. It's really not that complicated. Let's not forget Dominique Bongard was able to pwn every router out there, even Atheros with their "hard to crack" /dev/random PRNG.

  38. #38
    Quote Originally Posted by dragood View Post
    As far as I can tell, only Atheros uses /dev/random. Also Dominique Bongard clearly stated that these seeds could be found in seconds with a decent computer. Which algorithm the PRNG uses is stated anywhere as far as I have read.
    Also Dominique pointed out that the seed was very low entropy, only 32 bits!! It's nothing impossible to crack in minutes with any home computer. The only reason we can't is because someone hasn't figured out how to write the code yet. Everything is literally written down for us in Bongard's presentation.... literally.... the only reason we're able to get the PIN now is because we assume ES-1 = ES-2 = 0, which is really not much of "hacking". The only problem we are facing now is that someone needs to know how to write code to find the state of the PRNG; once that's found we generate random numbers, hash the result with HMAC-SHA-256, and then simply compare the results to what the router gave us. Once we see they are the same, we know we have the correct seed; from that we can find ES-1 and ES-2 (I'm using Broadcom as an example since it generates both nonces right after the M1 message). This is by far the simplest thing; I'm honestly very surprised Broadcom hasn't been cracked yet. It's really not that complicated. Let's not forget Dominique Bongard was able to pwn every router out there, even Atheros with their "hard to crack" /dev/random PRNG.
    Where did you hear he could crack any router? I've been talking a lot with him and he has said that Atheros looked pretty secure. The thing with /dev/random is that it has external sources of entropy that get increasingly more difficult to crack. It's not just find the seed and we're done; it's a whole lot more complicated than that.

  39. #39
    Interesting reading on this thread.....

    Here's another router
    Linksys WRT110

    Vulnerable

    [P] WPS Manufacturer: Linksys Inc.
    [P] WPS Model Name: Linksys Wireless Router
    [P] WPS Model Number: WRT110
    [P] Access Point Serial Number: 12345678

    CPU1: Ralink RT2780

    wikidevi

  40. #40
    Quote Originally Posted by nuroo View Post
    Interesting reading on this thread.....

    Here's another router
    Linksys WRT110

    Vulnerable

    [P] WPS Manufacturer: Linksys Inc.
    [P] WPS Model Name: Linksys Wireless Router
    [P] WPS Model Number: WRT110
    [P] Access Point Serial Number: 12345678

    CPU1: Ralink RT2780

    wikidevi
    Ahh thanks, I was waiting for someone to confirm it.

  41. #41
    Hello and thanks for the info.

    The following router is vulnerable

    Code:
    [P] WPS Manufacturer: BUFFALO INC.
    [P] WPS Model Name: WBMR-HP-GN
    [P] WPS Model Number: RT2860
    [P] Access Point Serial Number: 12345678
    https://wikidevi.com/wiki/Buffalo_WBMR-HP-GN

  42. #42
    Quote Originally Posted by emsef View Post
    Hello and thanks for the info.

    The following router is vulnerable

    Code:
    [P] WPS Manufacturer: BUFFALO INC.
    [P] WPS Model Name: WBMR-HP-GN
    [P] WPS Model Number: RT2860
    [P] Access Point Serial Number: 12345678
    https://wikidevi.com/wiki/Buffalo_WBMR-HP-GN
    Thanks buddy, added to the database. Keep up the testing and paste any vulnerable/non-vulnerable devices with all the requested info if possible. A big thanks to the community! Wouldn't have been inspired without you!

  43. #43
    Quote Originally Posted by dragood
    the only reason we're able to get the PIN now is because we assume ES-1 = ES-2 = 0, which is really not much of "hacking". The only problem we are facing now is that someone needs to know how to write code to find the state of the PRNG,
    Hi there!
    You missed some points.
    In his presentation Dominique spoke about 2 flaws:
    1) ES-1=ES-2=0, and that is just for the Ralink chipset and was indeed the first stuff that was coded (because, indeed, it doesn't require extra brute force of the seed)
    2) Then wiire found the way to code the second breach revealed by Dominique: some Broadcom devices for which we know the "interval" used to define the seed (cracked immediately)
    In the meantime soxrok2212 sent Dominique data from Realtek chipsets because we saw that the same PKE was used in his two routers and in my two routers with Realtek... all four routers from different manufacturers with different firmwares (but all coming from the SDK for the rtl819x project that developers use to build their firmware)
    And Dominique found out a third breach
    3) for these Realtek chipsets the exact time in seconds is used as a seed in the DH key exchange process, or it is the time of the last build (brute force required from the exact time (in seconds) back to 1970 < don't ask me why; for some routers it was found that 1970 was used as the seed)
    wiire coded everything and we have all the stuff in hand to "pixie-dust" and also to create a custom code to try a different interval.
    cheers

  44. #44
    Invulnerable
    Code:
    [P] E-Nonce: aa:90:80:28:ea:8e:89:cc:03:4a:ad:df:8e:87:02:26
    [P] PKE: d9:c5:a6:9e:3a:c2:34:e8:15:85:5e:b6:c4:56:76:54:cd:3f:52:0e:f4:c2:14:5a:7c:08:9d:57:f6:f6:16:dd:e3:bf:30:ed:8a:45:77:73:14:84:10:a6:43:04:9f:0c:ad:d3:6d:6b:6d:2e:fb:a1:10:a9:14:16:c8:88:68:73:2f:96:ec:83:12:19:f4:7d:ab:79:3a:f9:1d:c8:ad:03:e0:c9:08:33:78:98:fb:b0:5b:81:1f:0f:e3:1e:2e:7e:40:01:b4:e6:fd:73:2b:16:12:3d:f1:b8:8a:f6:d5:f1:19:1e:67:78:b0:4e:6f:b5:f0:d8:14:b2:90:70:b3:a9:4f:49:dc:c0:ef:9c:07:0d:c7:7d:9b:59:24:4b:02:67:67:50:42:66:8e:4c:4e:b0:7d:92:4f:42:9b:da:cb:d6:08:53:5b:fa:74:49:54:14:6d:58:6e:71:b3:8c:9e:55:c9:21:5a:7a:9d:23:07:eb:8e:c1:39:0a:d8:2f:c9:72
    [P] WPS Manufacturer: ASUSTeK Computer Inc.
    [P] WPS Model Name: Wi-Fi Protected Setup Router
    [P] WPS Model Number: RT-AC56U
    [P] Access Point Serial Number: d8:50:e6:da:0f:08
    [P] R-Nonce: 0a:e6:39:ba:f9:44:27:bb:cb:94:8a:47:4c:8e:7b:78
    [P] PKR: d8:fd:8c:86:72:8b:a8:ce:4d:e9:3d:a4:f9:9f:4c:3d:7b:62:c1:77:b2:63:52:99:c9:8b:7b:03:fb:0f:84:62:49:af:35:72:db:da:7b:a1:d8:31:3e:bb:88:a8:64:a6:83:58:80:66:fe:12:00:79:c7:42:a6:44:82:be:72:77:3e:ec:db:53:54:77:3b:be:67:3c:53:f6:c6:d9:96:e3:0a:69:99:af:3e:28:c9:a0:fb:16:12:f5:c7:4d:94:b2:99:bf:53:3b:49:53:9b:23:1e:ca:0a:8b:b1:14:50:34:ef:cc:1c:6a:d5:cb:7b:52:b5:4e:5d:b6:97:f2:de:9e:2f:ba:2e:69:30:6f:02:a2:dd:7c:29:6e:b5:f5:0b:d6:8e:41:18:2e:38:85:82:38:d7:f4:3a:67:c3:27:a1:d6:e9:e4:17:be:c7:12:71:59:66:31:63:4d:cb:b8:0c:8a:80:04:40:56:80:69:df:90:ab:37:3a:8b:cc:43:5b:3e
    [P] AuthKey: 27:e7:e4:5f:b8:60:6a:50:e5:78:a6:13:44:c4:81:40:58:7c:70:29:b0:66:0f:26:ac:83:91:9d:bd:a2:f9:8a
    [P] E-Hash1: bb:dc:4e:7e:ae:28:9a:07:84:c3:df:fd:92:96:41:62:89:f0:47:cd:6e:3e:c0:a9:21:ad:f7:ed:0a:3c:09:92
    [P] E-Hash2: 70:76:13:b9:e9:84:a2:49:dc:93:70:df:19:30:9b:b8:4e:c5:68:16:8f:5f:b5:1c:6a:87:b0:e0:a7:b6:c7:ad
    Invulnerable
    Code:
    [P] E-Nonce: 5b:e0:19:5c:4c:76:2e:08:3f:1b:b5:f1:13:ae:29:36
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: 
    [P] WPS Model Name: Wireless N Router
    [P] WPS Model Number: DIR-501
    [P] Access Point Serial Number: 20070413-0001
    [P] R-Nonce: 03:e9:eb:c1:80:d9:63:10:d8:16:77:cf:fa:41:d4:5b
    [P] PKR: 3f:2b:3b:b8:ba:89:4f:85:02:31:77:2c:71:3c:75:05:74:ca:69:da:99:f7:b8:c3:72:9c:2b:c3:9b:00:d0:f2:d3:56:7a:da:ab:65:da:99:22:cb:00:77:33:80:d0:6e:59:17:3f:3f:38:b5:8c:66:48:c9:60:03:da:5d:28:ef:7e:60:5c:7d:bd:bb:dd:7b:f4:d2:44:f0:62:74:b0:d1:3e:c2:c8:f7:7b:e8:d7:76:f5:53:84:97:9b:1b:85:83:28:fc:4b:45:ca:93:a5:5a:cd:03:0d:f4:bb:bf:c0:93:15:92:5a:43:e6:0d:ef:2c:d2:5f:5b:da:b0:ab:62:dd:76:74:03:cd:e7:ae:c8:b4:e9:ff:61:53:90:e3:70:c0:58:c7:25:99:0d:02:5c:03:96:07:5f:35:e9:ba:4a:db:67:3e:07:76:50:6f:b0:d5:0e:e1:56:e8:86:32:fd:52:68:7c:6f:83:56:ec:e5:a0:8c:80:80:25:74:ae:a6:40
    [P] AuthKey: b0:82:36:0d:19:6a:7a:00:0c:16:73:1d:fc:0b:16:62:7f:ea:f1:0f:af:31:38:90:b0:14:59:5a:08:93:a8:13
    [P] E-Hash1: d4:b3:36:3f:0e:c9:57:4f:1f:c5:44:4a:93:e2:e3:33:1f:6e:1e:1f:76:4f:6f:f6:26:4e:21:2a:86:68:ab:0b
    [P] E-Hash2: 6c:ac:17:51:5f:89:5d:00:dc:43:93:45:fc:ab:61:ff:a7:e5:f4:f0:52:97:a3:3b:4a:8d:0d:86:65:ee:aa:4d

  45. #45
    Quote Originally Posted by WaLkZ View Post
    Invulnerable
    Code:
    [P] E-Nonce: aa:90:80:28:ea:8e:89:cc:03:4a:ad:df:8e:87:02:26
    [P] PKE: d9:c5:a6:9e:3a:c2:34:e8:15:85:5e:b6:c4:56:76:54:cd:3f:52:0e:f4:c2:14:5a:7c:08:9d:57:f6:f6:16:dd:e3:bf:30:ed:8a:45:77:73:14:84:10:a6:43:04:9f:0c:ad:d3:6d:6b:6d:2e:fb:a1:10:a9:14:16:c8:88:68:73:2f:96:ec:83:12:19:f4:7d:ab:79:3a:f9:1d:c8:ad:03:e0:c9:08:33:78:98:fb:b0:5b:81:1f:0f:e3:1e:2e:7e:40:01:b4:e6:fd:73:2b:16:12:3d:f1:b8:8a:f6:d5:f1:19:1e:67:78:b0:4e:6f:b5:f0:d8:14:b2:90:70:b3:a9:4f:49:dc:c0:ef:9c:07:0d:c7:7d:9b:59:24:4b:02:67:67:50:42:66:8e:4c:4e:b0:7d:92:4f:42:9b:da:cb:d6:08:53:5b:fa:74:49:54:14:6d:58:6e:71:b3:8c:9e:55:c9:21:5a:7a:9d:23:07:eb:8e:c1:39:0a:d8:2f:c9:72
    [P] WPS Manufacturer: ASUSTeK Computer Inc.
    [P] WPS Model Name: Wi-Fi Protected Setup Router
    [P] WPS Model Number: RT-AC56U
    [P] Access Point Serial Number: d8:50:e6:da:0f:08
    [P] R-Nonce: 0a:e6:39:ba:f9:44:27:bb:cb:94:8a:47:4c:8e:7b:78
    [P] PKR: d8:fd:8c:86:72:8b:a8:ce:4d:e9:3d:a4:f9:9f:4c:3d:7b:62:c1:77:b2:63:52:99:c9:8b:7b:03:fb:0f:84:62:49:af:35:72:db:da:7b:a1:d8:31:3e:bb:88:a8:64:a6:83:58:80:66:fe:12:00:79:c7:42:a6:44:82:be:72:77:3e:ec:db:53:54:77:3b:be:67:3c:53:f6:c6:d9:96:e3:0a:69:99:af:3e:28:c9:a0:fb:16:12:f5:c7:4d:94:b2:99:bf:53:3b:49:53:9b:23:1e:ca:0a:8b:b1:14:50:34:ef:cc:1c:6a:d5:cb:7b:52:b5:4e:5d:b6:97:f2:de:9e:2f:ba:2e:69:30:6f:02:a2:dd:7c:29:6e:b5:f5:0b:d6:8e:41:18:2e:38:85:82:38:d7:f4:3a:67:c3:27:a1:d6:e9:e4:17:be:c7:12:71:59:66:31:63:4d:cb:b8:0c:8a:80:04:40:56:80:69:df:90:ab:37:3a:8b:cc:43:5b:3e
    [P] AuthKey: 27:e7:e4:5f:b8:60:6a:50:e5:78:a6:13:44:c4:81:40:58:7c:70:29:b0:66:0f:26:ac:83:91:9d:bd:a2:f9:8a
    [P] E-Hash1: bb:dc:4e:7e:ae:28:9a:07:84:c3:df:fd:92:96:41:62:89:f0:47:cd:6e:3e:c0:a9:21:ad:f7:ed:0a:3c:09:92
    [P] E-Hash2: 70:76:13:b9:e9:84:a2:49:dc:93:70:df:19:30:9b:b8:4e:c5:68:16:8f:5f:b5:1c:6a:87:b0:e0:a7:b6:c7:ad
    Invulnerable
    Code:
    [P] E-Nonce: 5b:e0:19:5c:4c:76:2e:08:3f:1b:b5:f1:13:ae:29:36
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: 
    [P] WPS Model Name: Wireless N Router
    [P] WPS Model Number: DIR-501
    [P] Access Point Serial Number: 20070413-0001
    [P] R-Nonce: 03:e9:eb:c1:80:d9:63:10:d8:16:77:cf:fa:41:d4:5b
    [P] PKR: 3f:2b:3b:b8:ba:89:4f:85:02:31:77:2c:71:3c:75:05:74:ca:69:da:99:f7:b8:c3:72:9c:2b:c3:9b:00:d0:f2:d3:56:7a:da:ab:65:da:99:22:cb:00:77:33:80:d0:6e:59:17:3f:3f:38:b5:8c:66:48:c9:60:03:da:5d:28:ef:7e:60:5c:7d:bd:bb:dd:7b:f4:d2:44:f0:62:74:b0:d1:3e:c2:c8:f7:7b:e8:d7:76:f5:53:84:97:9b:1b:85:83:28:fc:4b:45:ca:93:a5:5a:cd:03:0d:f4:bb:bf:c0:93:15:92:5a:43:e6:0d:ef:2c:d2:5f:5b:da:b0:ab:62:dd:76:74:03:cd:e7:ae:c8:b4:e9:ff:61:53:90:e3:70:c0:58:c7:25:99:0d:02:5c:03:96:07:5f:35:e9:ba:4a:db:67:3e:07:76:50:6f:b0:d5:0e:e1:56:e8:86:32:fd:52:68:7c:6f:83:56:ec:e5:a0:8c:80:80:25:74:ae:a6:40
    [P] AuthKey: b0:82:36:0d:19:6a:7a:00:0c:16:73:1d:fc:0b:16:62:7f:ea:f1:0f:af:31:38:90:b0:14:59:5a:08:93:a8:13
    [P] E-Hash1: d4:b3:36:3f:0e:c9:57:4f:1f:c5:44:4a:93:e2:e3:33:1f:6e:1e:1f:76:4f:6f:f6:26:4e:21:2a:86:68:ab:0b
    [P] E-Hash2: 6c:ac:17:51:5f:89:5d:00:dc:43:93:45:fc:ab:61:ff:a7:e5:f4:f0:52:97:a3:3b:4a:8d:0d:86:65:ee:aa:4d
    Hey buddy, the DIR-501 should've worked, I've had someone else report that it worked. Did you try a full brute force with pixiewps?

  46. #46
    Quote Originally Posted by soxrok2212 View Post
    Hey buddy, the DIR-501 should've worked, I've had someone else report that it worked. Did you try a full brute force with pixiewps?
    Hello

    For me the DIR-501 is also not working.
    [P] E-Nonce: 51:a5:44:af:03:06:4e:0f:3e:c0:0b:b9:09:1b:c3:2c
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer:
    [P] WPS Model Name: Wireless N Router
    [P] WPS Model Number: DIR-501
    [P] Access Point Serial Number: 20070413-0001
    [+] Received M1 message
    [P] R-Nonce: 4f:2b:f6:b7:08:bc:59:51:d7:b0:11:cb:0f:dd:8c:db
    [P] PKR: 86:de:bf:e6:4a:ff:74:40:45:0f:91:5d:ff:a6:34:69:9e:1c:97:93:2e:48:c5:14:94:66:bd:f9:8b:59:44:4d:cc:97:bb:8e:41:f2:9f:47:f2:e1:f0:ad:2b:01:f7:1b:cb:04:60:bd:d5:42:87:4d:75:dd:58:6c:6a:74:b5:c8:65:1d:09:32:20:0b:e2:39:e9:49:1c:29:8a:d1:9f:18:bc:4b:7e:4d:bd:db:e4:b9:9d:65:59:dd:51:c3:9d:9b:3e:5f:26:a1:76:85:bd:4e:fc:de:ac:78:0d:57:f5:72:22:f7:16:9f:b8:a7:f4:2c:4b:37:c8:3f:5f:9c:58:45:61:de:7b:17:ae:0a:c8:e1:c3:30:a0:3c:7a:0d:e2:d8:9f:fe:04:a7:c3:7a:42:c4:22:6a:32:02:2d:e5:ea:12:47:7c:06:1f:f4:62:11:94:e4:09:3f:a3:8a:76:44:88:ed:fb:a4:ff:8b:0f:2a:0c:b6:06:e0:0b:ca:05:ff:07
    [P] AuthKey: 41:64:d3:91:09:11:8b:d1:f7:ec:21:6f:29:69:48:ba:0e:1e:9b:3e:26:c5:60:41:27:a9:69:da:12:7f:59:6e
    [+] Sending M2 message
    [P] E-Hash1: f6:63:0a:dd:2a:0c:e6:e3:e0:0d:76:98:35:6a:c9:14:89:a8:3d:67:3b:5d:d2:08:ac:62:24:15:f7:e8:3d:8d
    [P] E-Hash2: 76:29:da:24:1a:d8:d4:1b:b9:b4:c9:5f:3b:1c:19:28:81:96:7a:40:f9:ac:d0:95:43:96:96:85:3c:18:49:d0
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 2 s
    [Pixie-Dust]
    [Pixie-Dust] [!] The AP /might be/ vulnerable to mode 4. Try again with --force or with another (newer) set of data.


    Tried also with pixiewps --force. If you need some more testing please feel free to contact me.

  47. #47
    Hey community, someone has recently brought to my and Wiire's attention an Atheros device that produces a strange E-Nonce, it follows this pattern:
    Code:
    xx:xx:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    where x is a hex character obviously (0-9, a-f).

    It has occurred many times over different exchanges. It has happened in AR9130/AR9102 devices.

    If E-S1 and E-S2 follow the same pattern, it would be a relatively fast crack for those chips, faster than the full Realtek bruteforce. It is not yet known if this is the case, but if anyone would like to contribute some data it couldn't hurt!

    On the other hand, another Realtek chip was discovered to not use the time since Epoch PRNG, but it still follows the static PKE AND the E-Nonce follows a pattern like this:
    Code:
    xx:xx:00:00:xx:xx:00:00:xx:xx:00:00:xx:xx:00:00
    It is a SoC, the RTL8671. Being a SoC, it might use a different PRNG but it may be just as vulnerable, if not even more vulnerable. There are a few people including me that are actively looking into it. I hope we find something soon!
    Last edited by soxrok2212; 2015-06-03 at 16:53.
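    As an added example, not code from this thread or from reaver/pixiewps: a small Python checker that pulls the E-Nonce out of reaver's `[P] E-Nonce:` lines and flags the two weak-looking shapes described in the post above, so someone auditing their own AP can see whether its WPS nonce generation looks suspect. The sample lines are constructed to match the patterns in this post, and the labels are this example's own names, not anything reaver or pixiewps prints.

```python
import re
from typing import Optional

# Parse "[P] E-Nonce: aa:bb:..." lines from reaver output ("[P]" optional, forum copies may lose it).
NONCE_RE = re.compile(
    r"(?:\[P\]\s*)?E-Nonce:\s*([0-9a-fA-F]{2}(?:\s*:\s*[0-9a-fA-F]{2}){15})"
)

def parse_e_nonce(line: str) -> Optional[bytes]:
    """Return the 16-byte E-Nonce from a reaver E-Nonce line, or None."""
    m = NONCE_RE.search(line)
    if not m:
        return None
    # Forum line-wrapping inserts stray spaces around the colons; drop them.
    return bytes.fromhex(re.sub(r"[\s:]", "", m.group(1)))

def classify_nonce(nonce: bytes) -> str:
    """Label a 16-byte E-Nonce by the weak shapes reported in this thread:
    'atheros-like'  = xx:xx followed by fourteen 00 bytes (AR9130/AR9102),
    'rtl8671-like'  = xx:xx:00:00 repeated four times (RTL8671),
    'all-zero'      = degenerate nonce,
    'no-known-pattern' = nothing matched (says nothing about strength alone).
    """
    if len(nonce) != 16:
        raise ValueError("E-Nonce must be 16 bytes")
    if nonce == bytes(16):
        return "all-zero"
    if nonce[2:] == bytes(14):
        return "atheros-like"
    if all(nonce[i] == 0 and nonce[i + 1] == 0 for i in range(2, 16, 4)):
        return "rtl8671-like"
    return "no-known-pattern"

def audit(lines):
    """Classify every E-Nonce found in an iterable of reaver output lines."""
    nonces = (parse_e_nonce(line) for line in lines)
    return [(n.hex(":"), classify_nonce(n)) for n in nonces if n is not None]

# Constructed sample lines shaped like the patterns described in the post above.
SAMPLE_OUTPUT = """\
[P] E-Nonce: 3f:a2:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[P] E-Nonce: 1c:9e:00:00:7b:04:00:00:e2:51:00:00:a9:0f:00:00
[P] E-Nonce: 50:37:4c:db:7a:3c:16:90:4b:57:6a:43:61:c2:85:01
[P] R-Nonce: ae:9b:f2:26:29:23:38:17:0f:d3:7f:bd:92:fb:2d:3b
""".splitlines()

if __name__ == "__main__":
    for hexstr, label in audit(SAMPLE_OUTPUT):
        print(hexstr, "->", label)
```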

  48. #48
    Join Date
    2015-Apr
    Posts
    15
    Here's a D-Link 501 (Version B) which works with --force :

    Code:
    [P] E-Nonce: 50:37:4c:db:7a:3c:16:90:4b:57:6a:43:61:c2:85:01
    [P] R-Nonce: ae:9b:f2:26:29:23:38:17:0f:d3:7f:bd:92:fb:2d:3b
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] PKR: b5:4a:f2:45:95:44:27:92:f4:8b:65:05:6f:88:83:ff:d3:20:fe:d9:ed:d8:e1:f0:52:3d:a9:95:2a:97:33:53:f4:72:66:30:83:90:8c:3c:58:81:ce:9f:7d:31:1b:04:a2:d2:ca:a6:7b:06:ca:15:97:f4:a5:e9:f5:ef:2e:2b:b7:fc:33:1c:f7:44:01:80:20:a2:49:f4:54:5e:9d:11:49:e3:39:16:0e:45:e9:08:4d:7a:75:47:a0:a6:d1:4d:9e:ee:4a:d0:69:e4:23:ef:5d:9f:d1:4b:34:19:ed:b4:77:95:81:3d:8a:6c:64:a3:f8:5d:d4:b1:89:00:da:65:9b:11:2b:20:5d:36:49:79:a9:25:b2:b6:26:0e:51:45:eb:4c:4a:f3:f1:b3:ac:e9:67:0a:fe:9a:b6:c8:60:75:a6:1f:2a:9b:51:1f:e2:34:b0:78:64:f5:55:25:93:8b:37:d5:cf:74:fd:25:bd:43:cb:e4:e0:c7:a7:71:cf:8c
    [P] AuthKey: 8e:7d:72:ef:1d:c3:ee:c5:4a:68:56:10:d5:60:d0:0b:62:9c:d9:b1:2d:a0:a7:5c:da:81:38:fe:a4:b9:6b:4a
    [P] E-Hash1: 90:b1:29:cf:44:fd:09:3a:74:7e:e1:fb:17:51:52:85:1a:41:26:30:bb:23:44:5d:53:b5:46:c4:5c:fa:1c:19
    [P] E-Hash2: 43:d8:2a:15:c0:85:82:dc:32:1b:bf:04:47:15:73:56:fa:4a:f1:1c:13:6b:db:7a:0d:2e:fd:aa:37:96:44:7b

  49. #49
    Join Date
    2015-May
    Posts
    3
    Netgear R3600v2 Broadcom BCM4360, doesn't seem to be working

    Code:
    E-Nonce: 5b:44:ac:16:26:6f:78:42:7a:9b:b7:91:60:c5:62:87
    [P] PKE: 01:fb:e7:b0:80:43:cc:24:6d:f6:9d:b8:9a:89:0e:d0:bb:0e:57:10:c9:d3:bc:c1:e8:a0:df:e6:61:3e:e9:4a:9f:70:cb:ac:0b:71:7a:0e:bd:10:2d:83:c2:a8:b4:c4:3c:53:04:7e:a7:17:13:43:81:9a:6b:f6:b7:d6:0e:32:bb:bf:33:ce:2e:ca:b6:1f:c3:48:39:77:69:63:80:99:11:78:0d:f7:0c:39:3d:4c:87:fa:c7:22:9d:97:41:11:f7:c9:b5:20:09:01:0b:4b:12:2c:88:cb:99:53:11:69:2f:48:3a:2d:f9:8b:d6:20:7c:84:a5:b0:ad:71:12:4d:46:29:74:66:58:7c:f7:fe:52:92:6c:e7:86:41:b5:20:e4:e6:b9:64:95:c6:08:f5:c4:e1:5c:7e:bf:51:a3:e2:da:17:d9:d7:b5:38:be:a5:4f:30:e8:bb:10:51:f6:78:27:0d:51:1d:49:c3:38:2a:3a:a8:2b:05:6c:72:80:49
    [P] WPS Manufacturer: NETGEAR, Inc.
    [P] WPS Model Name: R6300v2
    [P] WPS Model Number: R6300v2
    [P] Access Point Serial Number: 679
    [+] Received M1 message
    [P] R-Nonce: 2c:2a:4b:27:57:1d:b5:5f:6a:90:f0:9d:26:b7:10:28
    [P] PKR: 43:4b:29:6c:ff:cb:c9:6f:5c:f6:6e:2c:35:25:8b:e8:a4:1b:bc:b2:df:a8:10:8b:72:c6:b8:a2:0b:97:76:e4:47:66:6a:11:7a:b0:fd:75:3f:cd:17:8f:16:c6:7e:44:cd:aa:f8:fb:0f:91:80:e6:2c:31:91:a9:a5:84:4a:4a:de:31:c1:65:1e:a6:57:28:41:91:3d:11:dc:81:2c:af:b9:2f:8b:ee:41:1c:3b:05:61:03:0b:07:b0:10:b6:90:25:09:fd:e9:4e:ec:bb:f5:49:8f:5c:e1:7f:43:b8:e8:70:2c:cc:db:bd:6d:a4:12:3b:b6:1a:f5:dc:43:11:68:11:9e:eb:d2:67:b5:ea:58:7f:f9:6a:63:f2:a6:f6:21:ed:06:9f:2e:42:41:e9:18:d6:a2:7d:b5:3e:1b:04:12:eb:de:c6:05:5b:40:a5:02:b1:1a:54:6d:a6:b2:3f:71:5e:8a:b3:77:f4:b4:66:f7:f5:75:3c:a2:31:8e:dd:b3
    [P] AuthKey: 52:fd:cb:ad:ec:b8:a5:a5:5b:79:38:ca:c6:c5:8c:ef:5f:8b:be:6a:61:4c:b5:e0:19:a1:39:bf:84:fd:a4:18
    [+] Sending M2 message
    [P] E-Hash1: f3:27:0d:b1:97:6d:ba:83:18:25:44:d8:0f:34:64:09:da:ce:7c:19:b9:89:87:62:98:41:17:45:3d:e4:db:63
    [P] E-Hash2: d7:5b:14:f3:a1:43:d2:0b:3c:59:07:ae:ee:c4:dc:2a:32:a2:a4:fa:18:e5:b5:20:52:c5:85:dc:27:a6:84:6b

  50. #50
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Most Broadcom chipsets are not vulnerable because they run Linux, which uses a cryptographically secure method of generating random keys with good sources of entropy... it's pretty much completely unpredictable as of right now. In the future, something could certainly be found, but not right now. The only Broadcom devices that will work are devices that run eCos, which are typically found in DSL/Wireless gateway modems or Cable modem/Gateways.
