Thread: Pixiewps: wps pixie dust attack tool

  1. #1
    Join Date
    2015-Jun
    Posts
    6

    WPS Model Number: EV-2006-07-27 is RTL8671 chipset, too

    Quote Originally Posted by DetmL
    Yes, always in that format. A Google search on EV-2006-07-27 shows that it's a Realtek 8186 chipset. However, I'm not 100% sure that it is the correct chipset as the router is not in the WikiDevi database.
    Hi, @DetmL, @soxrok2212,
    I recently came to know about the vulnerabilities of Realtek and other chipsets and thought to check if my router was vulnerable, and ran reaver with pixie dust mode -K 1,
    where I got to know that the model number EV-2006-07-27 belongs to the RTL8671 chipset (D-link router).

    However I'm getting that

    "WPS pin not found"

    The output is given below:

    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 7b:37:51:7f:6c:c7:a8:0b:27:e9:a1:f8:5b:88:b5:40
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Name: RTL8671
    [P] WPS Model Number: EV-2006-07-27
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] R-Nonce: c2:ed:e2:d6:80:81:48:fd:7e:13:7b:d2:3e:6c:a0:98
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
    [P] AuthKey: ef:eb:93:91:fc:f0:16:3a:3e:b4:fe:dd:8f:b6:a8:fe:a6 :6a:7e:70:55:e5:20:78:c4:3a:c5:55:66:60:be:d0
    [+] Sending M2 message
    [P] E-Hash1: be:74:91:eb:c3:38:e0:59:7c:e1:de:5c:07:d5:1b:d3:d7 :e6:15:9e:06:09:96:f9:7c:08:4a:84:cc:df:35:0e
    [P] E-Hash2: 90:bf:2e:36:f0:65:0e:f6:41:e7:97:f8:71:02:8b:11:92 :c1:89:f1:99:63:2b:fa:01:12:6c:c5:04:b6:ec:cc
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 3 s
    [Pixie-Dust]
    [Pixie-Dust] [!] The AP /might be/ vulnerable to mode 4. Try again with --force or with another (newer) set of data.
    [Pixie-Dust]


    So I ran pixiewps separately instead of reaver and it is giving me a strange error:

    [!] Bad enrollee public key -- d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:

    I don't know what it means.
    I hope you'd shed some light on that and help....

  2. #2
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by phoenix!
    Hi, @DetmL, @soxrok2212,
    I recently came to know about the vulnerabilities of Realtek and other chipsets and thought to check if my router was vulnerable, and ran reaver with pixie dust mode -K 1,
    where I got to know that the model number EV-2006-07-27 belongs to the RTL8671 chipset (D-link router).

    However I'm getting that

    "WPS pin not found"

    The output is given below:

    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 7b:37:51:7f:6c:c7:a8:0b:27:e9:a1:f8:5b:88:b5:40
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Name: RTL8671
    [P] WPS Model Number: EV-2006-07-27
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] R-Nonce: c2:ed:e2:d6:80:81:48:fd:7e:13:7b:d2:3e:6c:a0:98
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
    [P] AuthKey: ef:eb:93:91:fc:f0:16:3a:3e:b4:fe:dd:8f:b6:a8:fe:a6 :6a:7e:70:55:e5:20:78:c4:3a:c5:55:66:60:be:d0
    [+] Sending M2 message
    [P] E-Hash1: be:74:91:eb:c3:38:e0:59:7c:e1:de:5c:07:d5:1b:d3:d7 :e6:15:9e:06:09:96:f9:7c:08:4a:84:cc:df:35:0e
    [P] E-Hash2: 90:bf:2e:36:f0:65:0e:f6:41:e7:97:f8:71:02:8b:11:92 :c1:89:f1:99:63:2b:fa:01:12:6c:c5:04:b6:ec:cc
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 3 s
    [Pixie-Dust]
    [Pixie-Dust] [!] The AP /might be/ vulnerable to mode 4. Try again with --force or with another (newer) set of data.
    [Pixie-Dust]


    So I ran pixiewps separately instead of reaver and it is giving me a strange error:

    [!] Bad enrollee public key -- d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:

    I don't know what it means.
    I hope you'd shed some light on that and help....
    First, you can not use -S in your reaver command for Realtek devices. Nobody really knows why but somehow it stops pixiewps from recovering the pin.

    Second, the RTL8671 chip is strange. It seems to use a different RNG or something. I know a few people are looking into it though.

    --I've also noticed that your nonce doesn't follow the 00:00:XX:XX:00:00:XX:XX pattern seen in other RTL8671 chips... hmmm. Would you be able to send me a cap containing a few WPS exchanges?

    As for the Bad enrollee key, it's probably just a space somewhere in your syntax that is screwing it up. Actually I just found it:
    Code:
    d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63
    Try this instead (you'll probably have to do this for every piece of data):
    Code:
    d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63
    Welcome to the forums by the way
    Last edited by soxrok2212; 2015-06-18 at 14:07.
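
Added example (not part of the original posts, and not pixiewps or reaver code): a Python check for the problem diagnosed in post #2, where whitespace inserted into a pasted hex string makes the value unusable. It strips whitespace from each [P] field of a reaver-style log and compares the octet count with that field's size in the WPS protocol; the names check_fields and normalize_hex and the sample PKE line are constructed for illustration.

```python
import re

# Field sizes in bytes from the WPS registration protocol: 128-bit nonces,
# 1536-bit Diffie-Hellman public keys, HMAC-SHA-256 outputs.
EXPECTED_LEN = {"E-Nonce": 16, "R-Nonce": 16, "PKE": 192, "PKR": 192,
                "AuthKey": 32, "E-Hash1": 32, "E-Hash2": 32}
FIELD_RE = re.compile(r"^\s*\[P\]\s+([A-Za-z0-9-]+):\s*(.+?)\s*$")

# Sample input: the E-Nonce and E-Hash1 lines are copied from the log in
# post #1 (stray space included); the PKE line is constructed and is
# deliberately cut short at 74 octets.
SAMPLE = "\n".join([
    "[P] E-Nonce: 7b:37:51:7f:6c:c7:a8:0b:27:e9:a1:f8:5b:88:b5:40",
    "[P] E-Hash1: be:74:91:eb:c3:38:e0:59:7c:e1:de:5c:07:d5:1b:d3:d7 "
    ":e6:15:9e:06:09:96:f9:7c:08:4a:84:cc:df:35:0e",
    "[P] WPS Model Name: RTL8671",
    "[P] PKE: " + "ab:" * 40 + " " + "cd:" * 34,
])


def normalize_hex(value):
    """Remove all whitespace, then require colon-separated hex octets."""
    compact = re.sub(r"\s+", "", value).rstrip(":").lower()
    octets = compact.split(":")
    if not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError("not colon-separated hex octets")
    return ":".join(octets)


def check_fields(log_text):
    """Map each known field to (clean value or None, problem or None)."""
    report = {}
    for line in log_text.splitlines():
        m = FIELD_RE.match(line)
        if not m or m.group(1) not in EXPECTED_LEN:
            continue  # descriptive fields such as the model name are skipped
        name, raw = m.groups()
        try:
            clean = normalize_hex(raw)
        except ValueError as exc:
            report[name] = (None, str(exc))
            continue
        got, want = clean.count(":") + 1, EXPECTED_LEN[name]
        problem = None if got == want else f"{got} bytes, expected {want}"
        report[name] = (clean, problem)
    return report


if __name__ == "__main__":
    for field, (clean, problem) in check_fields(SAMPLE).items():
        print(f"{field:8} {problem or 'ok'}")
```

A value that passes the whitespace cleanup can still be rejected for its length, so a copy that was cut off while pasting is reported separately from one that only picked up spaces.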

  3. #3
    Join Date
    2015-Apr
    Posts
    12
    Is it a DSL-2730U/DSL-2750U?

  4. #4
    Hi DetmL
    For the two models you speak about we could gather a generic PIN (cf. WPSPIN > Générateur PIN WPS par défaut routeurs Huawei, Belkin ...)

    DSL-2730U > 20172527
    DSL-2750U > 21464065

    If there is a common PIN we already know that we deal with a "weak" WPS implementation and so there is hope... it could be "pixie dusted" somehow...
    If you have one of these models, could you please send to soxrok2212 / wiire (or you can send it to me and I will share with them) a *.cap file with the reaver 1.5.2 stdout?
    Maybe, if that is not asking too much, you can add some screenshot/copy-paste from the administration interface with the Wifi-WPS security parameters and information about the device?
    Thanks in advance
    Last edited by kcdtv; 2015-06-19 at 14:53.

  5. #5
    Join Date
    2015-Jun
    Posts
    6
    Quote Originally Posted by kcdtv
    Hi DetmL
    For the two models you speak about we could gather a generic PIN (cf. WPSPIN > Générateur PIN WPS par défaut routeurs Huawei, Belkin ...)

    DSL-2730U > 20172527
    DSL-2750U > 21464065

    If there is a common PIN we already know that we deal with a "weak" WPS implementation and so there is hope... it could be "pixie dusted" somehow...
    If you have one of these models, could you please send to soxrok2212 / wiire (or you can send it to me and I will share with them) a *.cap file with the reaver 1.5.2 stdout?
    Maybe, if that is not asking too much, you can add some screenshot/copy-paste from the administration interface with the Wifi-WPS security parameters and information about the device?
    Thanks in advance
    Hi kcdtv,
    I can send you the pcap files to your email, if you wish.
    Cannot upload pcap files in here.
