Page 4 of 5 FirstFirst 12345 LastLast
Results 151 to 200 of 244

Thread: Pixiewps: wps pixie dust attack tool

  1. #151
    I have confirmed the t6x_reaver port does work, little bit of segault action going on, but it has about a %70 success rate for me, but that may be hardware related... TESTERS APPRECIATED!!!!
    I have agreed with the developers to not release an APK.

    Prerequisites:
    Install both linked binaries(reaver and pixiewps) in the path(eg copy to /system/xbin)
    Have a working copy of bcmon on device.

    How I got it working:
    Enable monitor mode though the bcmon app.
    Open shell in a terminal emulator on device.
    Obtian root in shell.
    Load the bcmon wrapper
    Code:
    LD_PRELOAD=/data/data/com.bcmon.bcmon/files/libs/libfake_driver.so sh
    Then run reaver as normal...
    Code:
    reaver -i wlan0 -b <target> -K1 -P -vvv
    Last edited by aanarchyy; 2015-08-28 at 00:39.

  2. #152
    Join Date
    2015-Sep
    Posts
    5
    Hello Guys,

    I have tried pixiewps 1.1 on Kali 2.0. I have found Pxiewps does not work with Realtek RTL8671 chipset. i have tried with -V 3 -f 4 option but no luck.

    Has anyone faced the issue for chipset Realtek RTL8671?

    Thanks in advance.

  3. #153
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Yes, it is a known problem. RTL8671 is a SoC (System on Chip) and its seems that their number generation is a bit different than their other chips.

  4. #154
    Join Date
    2015-Sep
    Posts
    5
    Thank you for the information.

  5. #155
    Join Date
    2015-Sep
    Posts
    5
    Hi soxrok2212 !

    Today, i have found the tool created by SlientGhost. https://github.com/SilentGhostX/HT-WPS-Breaker. It does working for RTL8671 with Model number 2010 as per given screen shot in the URL. When i tried with RTL8671 model number 2006. it seems to be not working with model 2006.
    Last edited by blackdream; 2015-10-02 at 17:44. Reason: to be more specific on the scenario

  6. #156
    Join Date
    2015-Feb
    Posts
    4

    Pixiewps not getting Hash File

    Quote Originally Posted by wiire View Post
    3 hours...?

    I can give it a go if you want. It takes at most 20 minutes on my PC. Send me your data via email or post it here. Of course I assume the router you're testing is yours.
    Dear Wiire,
    i am not getting error : Pixiewps not getting Hash File

    I only get E-Nounce PKE R-Nounce PKR and AUthkey only no hash

    please guide me further guidance so that i can crack pins and passphrase

    Thanks in advance
    jenisbob

  7. #157
    Join Date
    2015-Feb
    Posts
    4

    Pixiewps not getting Hash File

    Quote Originally Posted by blackdream View Post
    Hi soxrok2212 !

    Today, i have found the tool created by SlientGhost. https://github.com/SilentGhostX/HT-WPS-Breaker. It does working for RTL8671 with Model number 2010 as per given screen shot in the URL. When i tried with RTL8671 model number 2006. it seems to be not working with model 2006.
    I am not getting hash code .......please check my attached picture and please guide me further details ...Screenshot from 2015-10-03 11:05:13.jpg

  8. #158
    Join Date
    2015-Feb
    Posts
    4
    I am using HT-WPS Breaker By Silent Ghost X

    Chipset : Realtek RTL8671


    WPS Manufacturer: Wireless Router

    WPSModel Name: RTL8671
    WPS Model Number: EV-2006-07-27

    Access Point Serial Number: 123456789012347
    Needed Information as below:
    Trying pin 12345670.
    I m waiting for 3 hours and getting Sorry pin not found , good luck next time...


    Veterans please guide further guidance...
    Thanks in advance

    jenisbob

    NS-Wifi.jpg
    NS-Wifi1.jpg
    Last edited by jenisbob; 2015-10-07 at 10:01.

  9. #159
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by jenisbob View Post
    I am using HT-WPS Breaker By Silent Ghost X

    Chipset : Realtek RTL8671


    WPS Manufacturer: Wireless Router

    WPSModel Name: RTL8671
    WPS Model Number: EV-2006-07-27

    Access Point Serial Number: 123456789012347
    Needed Information as below:
    Trying pin 12345670.
    I m waiting for 3 hours and getting Sorry pin not found , good luck next time...


    Veterans please guide further guidance...
    Thanks in advance

    jenisbob

    NS-Wifi.jpg
    NS-Wifi1.jpg
    RTL8671 is currently not vulnerable. Sorry.

  10. #160
    Join Date
    2015-Feb
    Posts
    4
    Quote Originally Posted by soxrok2212 View Post
    RTL8671 is currently not vulnerable. Sorry.
    Dear soxrok2212 ,
    thanks for quick response..
    Again i am not getting wps pin on TP-link Router ..please check attached picture.dipa wifi1.jpg

  11. #161
    There is no support for atheros chipsets and all the versions of this access point have a chipset manufactured by atheros...
    TP-LINK TL-WR740N v4.x

  12. #162
    Join Date
    2015-Apr
    Posts
    12
    This method works on Windows with D-LINK routers that uses RTL8671.
    1) Install jumpstart https://onedrive.live.com/download?r...2809d85%214754
    2) Open jumpstart and click "configure a wireless network" click next
    3) Enter wps pin 12345670 and unclick "select network automatically" , click next
    4) Select the AP with the dlink router and continue.
    Jumpstart will connect to the AP. Next you can right click on the connected AP and right click and select "properties". Go to the security tab and click "show characters"
    From here you should be able to see the AP's passphrase.

  13. #163
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by DetmL View Post
    This method works on Windows with D-LINK routers that uses RTL8671.
    1) Install jumpstart https://onedrive.live.com/download?r...2809d85%214754
    2) Open jumpstart and click "configure a wireless network" click next
    3) Enter wps pin 12345670 and unclick "select network automatically" , click next
    4) Select the AP with the dlink router and continue.
    Jumpstart will connect to the AP. Next you can right click on the connected AP and right click and select "properties". Go to the security tab and click "show characters"
    From here you should be able to see the AP's passphrase.
    So basically D-Link devices just use 12345670?

  14. #164
    Is this pin works for all dlink router with RTL8671 hardware??

  15. #165
    You might want to be carefull installing that, even if it works as advertised.
    http://www.securityweek.com/d-link-a...te-keys-online
    I am overly paronoid of these things though, its probably fine.
    Last edited by undersc0re; 2015-10-11 at 23:27.

  16. #166
    Join Date
    2015-Apr
    Posts
    12
    Quote Originally Posted by soxrok2212 View Post
    So basically D-Link devices just use 12345670?
    Not all Dlink uses RTL8671. From what I have tested, DSL 2750U pixiewps outputs 12345670 as PIN but reaver is unable to retrieve the passphrase using this pin. However jumpstart is able to retrieve the passphrase using that PIN in Windows. I can confirm that this PIN doesn't work on DIR devices but confirmed working on DSL 2730U & DSL 2750U. I have not tested it on other Dlink DSL routers.
    Last edited by DetmL; 2015-10-12 at 00:41. Reason: Spelling error

  17. #167
    jumpstat doesn't do anything special.
    Try to add -n to yor reaver line, you should recover the wpa key.
    Otherwise use wpa_cli to connect "normaly" through WPS,
    That the normal way to use WPS in Linux.

  18. #168
    Join Date
    2015-Oct
    Posts
    8
    Hi..
    Fiirst, Thankyou everyone for the resources available & efforts put up to understand security protocols wrt WPS

    Ive been a long time believer of convenience with technology, and Believed WPS helps us achieve just that. However, my secure bubble just burst, when i stumbled upon this thread.
    For the longest time, Ive been using, and encouraged everyone to use WPS claiming PSK is so 19th century.. not any more, as ive managed to hack my own as well as wifi setups of my friends and family.

    Second :
    Im unable to post the log of PixieWps / rever..
    im stuck on this everytime I attempt posting something
    Sucuri WebSite Firewall - CloudProxy - Access Denied
    What is going on?
    You are not allowed to access the requested page. If you are the site owner, please open a ticket in our support page if you think it was caused by an error: https://support.sucuri.net. If you are not the owner of the web site, you can contact us at [email protected]. Also make sure to include the block details (displayed below), so we can better troubleshoot the error.
    Block details
    Your IP: 2.49.9.75
    URL: forums.kali.org/newreply.php?do=postreply&t=25018
    Your Browser: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
    Block ID: EXPVP5
    Block reason: Not identified.
    Time: Fri, 30 Oct 2015 08:23:07 -0400
    Server ID: cp13012
    Sucuri CloudProxy
    CloudProxy is a WebSite Firewall from Sucuri. It stands between your site and the rest of the world and protects against attacks, malware infections, DDOS, brute force attempts and mostly anything that can harm it.

    Not only that, but your sites get cached, speeding it up quite a bit. Interested? Visit http://cloudproxy.sucuri.net

  19. #169
    Join Date
    2015-Oct
    Posts
    8
    So following that post..
    I have a question..

    Does the PKR value of the same AP change ?

    My work network is Cisco Linksys E900 v1 FW: 1.0.0.0
    on bruting it, it locks up on every 9 successful incorrect pins for 60 seconds and then for 10 seconds or so for every 3 incorrect pins.. and the cycle continues.
    Its non-exponential.

    Howwver, the strange bit is : its PKR value has changed two times.
    First time it was some huge BE:3f:4c.......
    Second time it was something else.. cant rem:
    Now its 00:00:00:00:00:00:...............:00:00:00:02 (all zeroes and last digit 2)

    Im using the -vvv with reaver.. and trying to manually input values in PD. so this caught my attention.
    Again im unable to post the log(s).. as sucuri website firewall doesnt allow me to.

  20. #170
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by rho View Post
    So following that post..
    I have a question..

    Does the PKR value of the same AP change ?

    My work network is Cisco Linksys E900 v1 FW: 1.0.0.0
    on bruting it, it locks up on every 9 successful incorrect pins for 60 seconds and then for 10 seconds or so for every 3 incorrect pins.. and the cycle continues.
    Its non-exponential.

    Howwver, the strange bit is : its PKR value has changed two times.
    First time it was some huge BE:3f:4c.......
    Second time it was something else.. cant rem:
    Now its 00:00:00:00:00:00:...............:00:00:00:02 (all zeroes and last digit 2)

    Im using the -vvv with reaver.. and trying to manually input values in PD. so this caught my attention.
    Again im unable to post the log(s).. as sucuri website firewall doesnt allow me to.
    The specification may seem backwards, but upon understanding how the whole thing works, the registrar is the entity looking to join the network (YOU) and the enrollee is the AP.

    That being said, you as the attacker (or device looking to join) are generating the PKR. If you use -S in Reaver (small DH Keys), then Reaver will generate a PKR with a value of 00:00:00:00.....:00:00:00:02. I generally try to avoid using -S when pixie dusting now (and it WILL NOT even work with Realtek access points) so unless you are running a standard Reaver attack, there is no need for it. Otherwise, Reaver will select a random private number and will generate a random PKR value like the first time you tried.

    Also note that your router, Linksys E900, uses a Broadcom BCM5357C0 wireless chip which is not currently vulnerable to pixiewps: https://wikidevi.com/wiki/Linksys_E900
    Last edited by soxrok2212; 2015-10-31 at 15:53.

  21. #171
    Join Date
    2013-Jul
    Posts
    844
    The following comments are more clerical then technical:

    If you are doing a brute force reaver attack testing all 11,000 pins and NOT using -S in the command line(CL) and then wish to either:

    1. Add the -S --dh-small to the command line
    or
    2. Wish to test a specific pin by adding --pin= to the reaver CL.

    Suggest you also add the --session=?filename? to the reaver CL.

    This will keep these different attack types separated. If either the -S or --pin= test does not work you can return to your brute force without loosing your pin count collected during the brute force sessions.

    To return to testing all 11,000 pins just remove the --session= entry in the CL and reaver will continue the brute force attack from where you stopped.

    MTeams

  22. #172
    Join Date
    2015-Oct
    Posts
    8
    Oh, ok.. lol
    Got mixed up with the PKR and PKE.
    Thankyou for clearing it.

    @ Mteam,
    will try that next.

  23. #173
    Hi,
    I'm currently testing some features I've introduced in pixiewps however I still have some troubles with some.

    I wanted to ask if some of you has a Ralink device and can get me some data. I'd need data from at least 2 consecutive WPS transactions/sessions.

    The data should include PKe, PKr, Enrollee nonce, Registrar nonce, Authkey, Enrollee BSSID and the two hashes. If you don't want to include the MAC address is fine. It's not strictly necessary for what I'm doing.

    If someone is interested can send me an email with the data. Just be sure to include each Authkey if want to send the .cap.

    Thank you in advance.

  24. #174
    Join Date
    2013-Jul
    Posts
    844
    To Wire

    Confirm you wish data from the following two(2) vendor mac addresses

    00:17:a5

    00:0c:43

    Is there any chances to a solution for RTL8761

    MTeams
    Last edited by mmusket33; 2015-11-23 at 09:38.

  25. #175
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by mmusket33 View Post
    To Wire

    Confirm you wish data from the following two(2) vendor mac addresses

    00:17:a5

    00:0c:43

    Is there any chances to a solution for RTL8761

    MTeams
    Any Ralink device will work.

    As for RTL8671, not right now. There are still things that need to be figured out but we haven't got there yet.

  26. #176
    When we will get your next new release with more features to bypaas rtl8671??

  27. #177
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Kaushalrocks View Post
    When we will get your next new release with more features to bypaas rtl8671??
    Nobody said anything about an RTL8671 crack. Nobody knows if it can even be done.

  28. #178
    @mmusket

    Thank you offering your help. I already got the data I needed and forgot to check back on the forum. Hopefully won't be too long for the final release.

    About RTL867x I (and others) haven't looked anymore into it.

  29. #179
    Join Date
    2015-Dec
    Posts
    3
    so guys did you look into RTL8671 for cracking?
    I'm trying to crack a router and the log is:
    WPS Manufacturer: Realtek Semiconductor Corp.
    WPS Model Name: RTL8671
    WPS Model Number: EV-2006-07-27
    so can it get cracked or what should I do?!!?

  30. #180
    Join Date
    2015-Apr
    Posts
    12
    It seems like RTL8671 is one unique chipset. This is an old thread from reaver days https://code.google.com/p/reaver-wps.../detail?id=541

  31. #181
    Join Date
    2013-Jul
    Posts
    844
    To kiarashmm:

    In our areas of operation this chipset is in over half the available targets. And in every case the network locks after ten(10) pin requests and does not respond to pixiedust.

    The router can though be cracked with reaver as occasionally one of these networks resets its pin to 12345670 and reaver then easily extracts the WPA key.

    If the network does not lock and responds to reaver pin requests then just use reaver in a command line.

    If the pins climb to 99,99% and spin the router may have reset its pin to 12345670 during the attack so just add --pin=12345670 to your command line or start a new brute force attack.

    If the routers WPS system locks then a automated process like that found in varmacscan2.8 is the tool of choice in this case. There may be other tools we are just not aware of them

    MTeams

  32. #182
    Join Date
    2015-Dec
    Posts
    3
    Quote Originally Posted by mmusket33 View Post
    To kiarashmm:

    In our areas of operation this chipset is in over half the available targets. And in every case the network locks after ten(10) pin requests and does not respond to pixiedust.

    The router can though be cracked with reaver as occasionally one of these networks resets its pin to 12345670 and reaver then easily extracts the WPA key.

    If the network does not lock and responds to reaver pin requests then just use reaver in a command line.

    If the pins climb to 99,99% and spin the router may have reset its pin to 12345670 during the attack so just add --pin=12345670 to your command line or start a new brute force attack.

    If the routers WPS system locks then a automated process like that found in varmacscan2.8 is the tool of choice in this case. There may be other tools we are just not aware of them

    MTeams
    Thanks for replying dude. I did what you said... I started a normal wps attack it started from 90% and stucked at 99.99...after that i tried --pin=12345670 and failure again.
    so what should I do now?
    give up?
    Thanks for repliying dud

  33. #183
    Join Date
    2015-Dec
    Posts
    4
    i get this from the 1st post i think, I'm a total noob in Linux please someone teach me how to do this from the command windows.
    Dependencies: PLEASE make sure you are up to date with these or your install WILL fail!
    Code:
    apt-get install libpcap-dev
    apt-get install libsqlite3-dev
    DONE

    Tools:
    -Pixiewps by Wiire, used to brute force the WPS pin offline https://github.com/wiire/pixiewps https://github.com/wiire/pixiewps.git
    -Original thread
    Code:
    cd /path/to/pixiewps/src <<< this part i do not understand i downloaded it and it's in my Download folder, what do I type in command line? and where to move i'm totally blank pls help
    make
    make install

    -t6_x's modified version of Reaver to automate the process https://github.com/t6x/reaver-wps-fork-t6x https://github.com/t6x/reaver-wps-fork-t6x.git
    -Original thread
    Code:
    cd /path/to/reaver-wps-fork-t6x/src <<< this part i do not understand i downloaded it and it's in my Download folder, what do I type in command line? and where to move i'm totally blank pls help
    chmod 777 ./configure
    ./configure
    make
    make install

  34. #184
    Firstly you will need to extract the archives, should be a simple right click, extract here.

    Just open the folder in whatever file manager, right click in a blank space in the file manager, and there should be a "Open terminal here" option(or something to that nature).
    then type that stuff in.

  35. #185
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by motionindo View Post
    i get this from the 1st post i think, I'm a total noob in Linux please someone teach me how to do this from the command windows.
    Dependencies: PLEASE make sure you are up to date with these or your install WILL fail!
    Code:
    apt-get install libpcap-dev
    apt-get install libsqlite3-dev
    DONE

    Tools:
    -Pixiewps by Wiire, used to brute force the WPS pin offline https://github.com/wiire/pixiewps https://github.com/wiire/pixiewps.git
    -Original thread
    Code:
    cd /path/to/pixiewps/src <<< this part i do not understand i downloaded it and it's in my Download folder, what do I type in command line? and where to move i'm totally blank pls help
    make
    make install

    -t6_x's modified version of Reaver to automate the process https://github.com/t6x/reaver-wps-fork-t6x https://github.com/t6x/reaver-wps-fork-t6x.git
    -Original thread
    Code:
    cd /path/to/reaver-wps-fork-t6x/src <<< this part i do not understand i downloaded it and it's in my Download folder, what do I type in command line? and where to move i'm totally blank pls help
    chmod 777 ./configure
    ./configure
    make
    make install
    Sorry to say this bud, but if you can't figure that out then you definitely should NOT be screwing with wireless networks. That's how you get in trouble.

  36. #186
    Join Date
    2015-Dec
    Posts
    4
    Quote Originally Posted by aanarchyy View Post
    Firstly you will need to extract the archives, should be a simple right click, extract here.

    Just open the folder in whatever file manager, right click in a blank space in the file manager, and there should be a "Open terminal here" option(or something to that nature).
    then type that stuff in.
    Thank you for your reply aanarchyy,
    "Firstly you will need to extract the archives, should be a simple right click, extract here." the downloaded pixiewps is in the Download folder do you mean I extract it in the download folder? or do I have to move it to other folder then extract it?

    Thanks in advance

  37. #187
    Join Date
    2015-Dec
    Posts
    4
    Quote Originally Posted by soxrok2212 View Post
    Sorry to say this bud, but if you can't figure that out then you definitely should NOT be screwing with wireless networks. That's how you get in trouble.
    soxrok2212, I'm sorry maybe i'm in the wrong room but I want to learn this kind of stuff, but I'm a total noob in linux with the command line, so can you please tell me which thread or forum I should start my journey in learning Kali Linux? Btw i have read all the docs in kali some i understand and some don't because they don't explain step by step.

    thanks

  38. #188
    It is a good idea to start your journey by installing a "normal" linux distribution before you jump in the world of pentesting with Kali linux
    I recommend you Xubuntu/Ubuntu or linux mint, there also based on debian, like kali linux
    They are well documented and you will find answers to every beginner questions.
    Quote Originally Posted by motionindo
    cd /path/to/pixiewps/src <<< this part i do not understand i downloaded it and it's in my Download folder, what do I type in command line? and where to move i'm totally blank pls help
    Quote Originally Posted by =motionindo
    do you mean I extract it in the download folder? or do I have to move it to other folder then extract it?
    About "cd" and directories
    http://askubuntu.com/questions/23244...es-in-terminal
    It doesn't mater where you extract it, what matters is to have the terminal opened in the correct directory to launch installation : the directory src that you obtain after decompressing the package.

    start by using linux and everything will flow naturally
    Last edited by kcdtv; 2015-12-30 at 14:17.

  39. #189
    Join Date
    2015-Dec
    Posts
    4
    I think I managed to install the modified reaver can anyone take a look if I do it correctly?
    root@kali:~/Downloads/reaver-wps-fork-t6x-master/src# chmod 777 ./configure
    root@kali:~/Downloads/reaver-wps-fork-t6x-master/src# ./configure
    checking for gcc... gcc
    checking whether the C compiler works... yes
    checking for C compiler default output file name... a.out
    checking for suffix of executables...
    checking whether we are cross compiling... no
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether gcc accepts -g... yes
    checking for gcc option to accept ISO C89... none needed
    checking for pcap_open_live in -lpcap... yes
    checking for sqlite3_open in -lsqlite3... yes
    checking how to run the C preprocessor... gcc -E
    checking for grep that handles long lines and -e... /bin/grep
    checking for egrep... /bin/grep -E
    checking for ANSI C header files... yes
    checking for sys/types.h... yes
    checking for sys/stat.h... yes
    checking for stdlib.h... yes
    checking for string.h... yes
    checking for memory.h... yes
    checking for strings.h... yes
    checking for inttypes.h... yes
    checking for stdint.h... yes
    checking for unistd.h... yes
    checking for stdlib.h... (cached) yes
    checking for stdint.h... (cached) yes
    checking for string.h... (cached) yes
    checking pcap.h usability... yes
    checking pcap.h presence... yes
    checking for pcap.h... yes
    checking sqlite3.h usability... yes
    checking sqlite3.h presence... yes
    checking for sqlite3.h... yes
    configure: creating ./config.status
    config.status: creating Makefile

  40. #190
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by motionindo View Post
    I think I managed to install the modified reaver can anyone take a look if I do it correctly?
    root@kali:~/Downloads/reaver-wps-fork-t6x-master/src# chmod 777 ./configure
    root@kali:~/Downloads/reaver-wps-fork-t6x-master/src# ./configure
    checking for gcc... gcc
    checking whether the C compiler works... yes
    checking for C compiler default output file name... a.out
    checking for suffix of executables...
    checking whether we are cross compiling... no
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether gcc accepts -g... yes
    checking for gcc option to accept ISO C89... none needed
    checking for pcap_open_live in -lpcap... yes
    checking for sqlite3_open in -lsqlite3... yes
    checking how to run the C preprocessor... gcc -E
    checking for grep that handles long lines and -e... /bin/grep
    checking for egrep... /bin/grep -E
    checking for ANSI C header files... yes
    checking for sys/types.h... yes
    checking for sys/stat.h... yes
    checking for stdlib.h... yes
    checking for string.h... yes
    checking for memory.h... yes
    checking for strings.h... yes
    checking for inttypes.h... yes
    checking for stdint.h... yes
    checking for unistd.h... yes
    checking for stdlib.h... (cached) yes
    checking for stdint.h... (cached) yes
    checking for string.h... (cached) yes
    checking pcap.h usability... yes
    checking pcap.h presence... yes
    checking for pcap.h... yes
    checking sqlite3.h usability... yes
    checking sqlite3.h presence... yes
    checking for sqlite3.h... yes
    configure: creating ./config.status
    config.status: creating Makefile
    Then
    Code:
    sudo make
    sudo make install

  41. #191
    I released version 1.2.2 of pixiewps.

    Most of the work was done to clean up the code, support more platforms, remove OpenSSL dependency (finally!) and add more options. This version has been successfully tested under Linux(Debian, Ubuntu), Mac OS X 10.11, Windows (using MinGW), FreeBSD, OpenWrt and Android (as a .bin file).

    Version 1.2.2 has an important bugfix for FreeBSD users (found in 1.2.1).

    I also include two more PRNG/algorithms for eCos devices (through --mode 4,5). I don't know if they are even used, but there is the concrete possibility.

  42. #192
    Thank you wiire for this nice surprise to start the new year!
    I am pretty sure that the Realteck brute froce option goes much faster than before , at least with my PC.
    Great job!
    I have some problem with the new options... i was unable to use them correctly
    That was my idea : I have a router with factory settings from august 2012 and that is the seed used
    So I wanted to make a "reverse" brute force from august 2012 to a date in 2015
    I tried many sintaxis and got something like
    Code:
    [!] Bad starting point --
    Code:
    [!] Bad ending point --
    Code:
    [!] unknown options
    This is the kind of sintaxis i used
    Code:
    (strings --force)* --mode 3 --start [08/]2012 --end [12/]2015
    Code:
    (strings --force)* --mode 3 --start 082012 --end 122015
    * The basic command is correct as i can recover the PIN with the "normal brute force" ( 3minute to go back to august 2012, for me it is definitely faster now than with pixiedust 1.1 )
    English is not my first language so I can be easly lost for stupid "details" and obvious stuff so sorry if my question is "stupid" but... i don't get it
    Last edited by kcdtv; 2016-01-13 at 17:49.

  43. #193
    From December 2015 to August 2012 would be (it's not correct, please continue reading): --start 12/2015 --end 08/2012

    In CLI programs square parenthesis usually denote some optional parameters/arguments '[...]'. When I write [mm/]yyyy I mean you can write directly a year in the yyyy form, say 2015, or specify year and month, mm/yyyy (for January would be 01/2015). See the image on my post.

    Now a slightly problem. If you notice I wrote '--start 12/2015 --end 08/2012', instead of '--end 12/2015 --start 08/2012'. The first would be the correct way of doing things because of how I implemented things. The program executes the bruteforce backwards (yes I could've considered --start as the end and --end as start internally). Instead I've decided to make so that those two arguments can be swapped. So '--start 12/2015 --end 08/2012' and '--end 12/2015 --start 08/2012' are identical.

    In any case, the program will always assign the 1st day for the month specified (or the 1st day of the 1st year if month is not specified). This means that if you use 12/2015, it will do the bruteforce (assuming going backwards) from the 1st of December 2015. If you want to bruteforce the month of december as well you will need to specify 2016 or 01/2016 (both equivalent).

    Now that I think about it, maybe it's a bit counter-intuitive and misleading. I should probably change it so that the greater date would be done from the last day of the month. For example --start 12/2015 --end 01/1970 would be:

    31/12/2015 to 01/01/1970

    What do you think?

    Also, for how I did things, the program will complain if you specify a date in the future say --start 2017. I don't remember if it was intentional or not. However if you specify only one date (or start or end, not both) the current machine time will be used for the other:
    • only --start 1970 will do from today (including seconds, minutes ...) to Epoch (0).
    • only --end 1970 will do from today (including seconds, minutes ...) to Epoch (0).

    Because remeber you can swap them. See --help.

    [!] Unknown extra argument(s)! means you put one or more extra (unknown) argument(s) somewhere, some example would be:
    • pixiewps ... -f 3 (-f doesn't accept arguments, yes I should've used -F, my bad)
    • pixiewps ... --start 08 2012 (extra space, 2012 is seen as an extra argument)
    • pixiewps ... random_string_that_doesnt_start_with_the_dash


    Yes the latest versions on github are faster (maybe even 2x, 3x) than the ones packaged in Kali. The difference is made by some compiling optimization options I didn't add when I first released version 1.1.

    Also now the choice of modes (auto, when --mode is not specified) is made by looking at the PKe (which is static for Realtek devices) and the nonce.

    If you want to see what's going on under the hood compile using 'make debug', although it may break compatibility with Reaver, Bully or some 3rd party scripts so be aware.
    Last edited by wiire; 2016-01-14 at 11:29. Reason: Fixedtypo, added extra info

  44. #194
    Thanks for this very complete and detailed explanation

    Now that I think about it, maybe it's a bit counter-intuitive and misleading. I should probably change it so that the greater date would be done from the last day of the month. For example --start 12/2015 --end 01/1970 would be:

    31/12/2015 to 01/01/1970

    What do you think?
    Tricky question
    My first idea when i hear "start in january 2015" would be that it means the first of january 2010 at 00:00 am
    But if i consider that the brute force goes only backward, than it makes sense to think that start point is actually 31st of january 2015 at 23:59
    I guess that the most relevant system is the one that stick better to the program process , regardless to the representations that everyone have about what is a "start point".
    So I think that this modification is a good idea.
    We could do like that :
    Code:
    --start 01/2015 --end 01/2015
    to brute force the month of January.
    Which make sense and is straightforward
    And if i put
    Code:
    --start 022015 --end 012015
    I will naturally expect to brute force the month 01 and 02 by this command,
    Not just one.


    Yes the latest versions on github are faster (maybe even 2x, 3x) than the ones packaged in Kali. The difference is made by some compiling optimization options I didn't add when I first released version 1.1.
    Okay
    That what i noticed but the difference was so huge that i was not sure if i was not freaking out
    with the "old" one I brute forced one year in about 6 minutes.
    with the newest version it tok me a bit less than 3 minutes to make the full brute force untill 2012
    Code:
     Pixiewps 1.2
    [*] PRNG Seed:  1344584425 (Fri Aug 10 07:40:25 2012 UTC)
    (...)[*] Time taken: 3 s 499 ms
    3 time faster!

    thanks again for this very nice improvement and for your answer.

  45. #195
    Join Date
    2015-Mar
    Location
    Morocco
    Posts
    8
    Thank you for this new release i have a question about the new --start 05/2015 --end 04/2015 argument i didn't understand it what is the purpose from it... and what about the -f argument is it replaced with -v?!

  46. #196
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by mugiwara303 View Post
    i have a question about the new --start 05/2015 --end 04/2015 argument i didn't understand it
    What don't you understand?

    Quote Originally Posted by mugiwara303 View Post
    and what about the -f argument is it replaced with -v?!
    https://github.com/wiire/pixiewps

  47. #197
    Join Date
    2015-Mar
    Location
    Morocco
    Posts
    8
    Sorry, my knowledge about this things is limited! I want to know how this date range works, is it necessary to get the pin or what LoL! I don't know what is the purpose from it, thank you

  48. #198
    Everything is explained in the "bible"
    Quote Originally Posted by soxrok2212
    In Realtek, the PRNG is a function that uses the time in seconds from January 1st, 1970 until whenever the data in generated (basically when the WPS exchange starts.) The vulnerable part is that the chip uses the same generator to make the Enrollee nonce as it does to make E-S1 and E-S2. So if the whole entire exchange occurs in that same second, E-S1 = E-S2 = Enrollee Nonce. If it occurs over the course of a few seconds, then all we have to do is find the seed that gave us the Enrolle Nonce, and then increment it and taking the output as E-S1 and E-S2. Its a multivariable brute force, so it may take a little bit more time but not more than a few minutes on a modern PC.

    E-S1 = E-S2 = N1 Enrollee Nonce or generated with seed = time
    WPS Pixie Dust Attack (Offline WPS Attack)

  49. #199
    Join Date
    2015-Mar
    Location
    Morocco
    Posts
    8
    thank you, i understand a bit now LoL! i still don't know how to use it and when but i will find out by trying it

  50. #200
    I give you an example and switch on my routeur for testing.
    Code:
     CH 11 ][ Elapsed: 6 s ][ 2016-01-21 00:35                                         
                                                                                                                                                                                                   
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH WPS           ESSID            MANUFACTURER
                                                                                                                                                                                                   
     B8:55:10:02:F0:A1  -23  92       57        0    0  11  54e  WPA2 CCMP   PSK  1.0 DISP,PBC  TOTOLINK N301RT  Zioncom Electronics (Shenzhen) Ltd.                                               
                                                                                                                                                                                                   
     BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                                                                     
                                                                                                                                                                                                   
    
    root@pr0fesoraBubbleVanAppletrudell:/home/kcdtv# sudo airmon-ng stop wlan0mon
    default SSID is in use (like 90% of the network i can reach from my room) and gives us the model...
    quick check on the web and i learn that the device is kind of old, no new firmware for a long time and that it has a realtek chipset (i could see the realteck chipset in its probes but anyway reaver or bully will do it for me in full verbose mode )
    As i rode the bible form soxrok2212 i know that realteck chipset can be "pixiedusted" so i launched reaver or bully to get the strings for pixiewps and execute pixewps

    Now, as i am a good hacker i checked a little on the web and saw that this router is from 2012, and as i am a master in "social engenering" i know that 79,67% of the people never ever update their firmware.
    And i see in the download list that the original firmware is from august 2012.
    So i decide to make a brute force on the month of august 2012 instead of brute forcing from today to 1970 (what wil do the option --force used alone )

    It would have taken me around 4 minutes or 5 if i had used the option -force without adding a start point and end point.
    Cheers

Similar Threads

  1. Data gathering for pixiewps (pixie dust attack)
    By wiire in forum Project Archive
    Replies: 16
    Last Post: 2018-07-24, 01:42
  2. WPS Pixie Dust Attack (Offline WPS Attack)
    By soxrok2212 in forum General Archive
    Replies: 353
    Last Post: 2015-05-05, 08:32
  3. Pixiewps: wps pixie dust attack tool
    By wiire in forum General Archive
    Replies: 89
    Last Post: 2015-05-04, 19:32

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •