Thread: Pixiewps: wps pixie dust attack tool

  1. #1
    @kcdtv
    Fixed the dependency issue. Should compile fine now on Ubuntu and derivatives.
    Sweet! I can confirm that a friend had the same issue yesterday with Ubuntu and that the modification solved the issue. On behalf of Canonical addicts (no one is perfect), thanks!
    As I was using reaver_mod and pixiewps.c I was wondering about these two options in the reaver mod and how to "play" with them "smartly" with pixiewps.
    Code:
    	-1, --p1-index                  Set initial array index for the first half of the pin [False]
    	-2, --p2-index                  Set initial array index for the second half of the pin [False]
    So if I understand well, we could use them to try with pixiewps different seed values than the ones predefined for Ralink and Broadcom.
    Could you tell us a bit more about this?
    Another thing that I was curious about: if I get the same nonce repeated in two different sessions, wouldn't it mean that the entropy is very low also on this particular AP?
    cheers

  2. #2
    Quote Originally Posted by kcdtv View Post
    As I was using reaver_mod and pixiewps.c I was wondering about these two options in the reaver mod and how to "play" with them "smartly" with pixiewps.
    Code:
    	-1, --p1-index                  Set initial array index for the first half of the pin [False]
    	-2, --p2-index                  Set initial array index for the second half of the pin [False]
    So if I understand well, we could use them to try with pixiewps different seed values than the ones predefined for Ralink and Broadcom.
    I don't understand what you're trying to say here. Ralink doesn't have a seed. It doesn't use a pseudo-random number for ES-1 and ES-2. It uses a constant (ES-1 = ES-2 = 0).

    Broadcom has a pseudo-random number generator. Its seed (for ES-1 and ES-2) can be bruteforced using the nonce as a reference: when, using a certain number (initial seed), we get the same sequence as the nonce, we know that we can find the ES-1 and ES-2 sequences because they're calculated right after the nonce.

    The PIN is provided by the Registrar (the attacker) on M4 and it's not relevant (for the pixie dust attack's purposes). Quoting Bongard: the right PIN is provided by the Enrollee (AP) with M3 in two "safes". The first one contains the first half of the PIN and its lock combination is ES-1. The second one contains the second half of the PIN and its lock combination is ES-2. The attack consists of bruteforcing the seed of Broadcom's PRNG to get the two combinations (ES-1 and ES-2).

    Quote Originally Posted by kcdtv View Post
    Another thing that I was curious about: if I get the same nonce repeated in two different sessions, wouldn't it mean that the entropy is very low also on this particular AP?
    If you look at page 55 of Bongard's slides:
    - "do not generate new random enrollee nonce in case of we have prebuild enrollee nonce"
    - "It should not generate new key pair if we have prebuild enrollee nonce"

    So on some implementations the nonce and the keys don't change in different sessions. This is not about entropy, it's about vendor/manufacturer implementations.

  3. #3
    This attack worked on Arris models TG1672 and DG1670.
    Modified reaver spits out the info needed for pixiewps. WPS PIN in secs.
