Pixiewps: wps pixie dust attack tool

**DetmL** · 2015-10-12

Originally Posted by soxrok2212

So basically D-Link devices just use 12345670?

Not all Dlink uses RTL8671. From what I have tested, DSL 2750U pixiewps outputs 12345670 as PIN but reaver is unable to retrieve the passphrase using this pin. However jumpstart is able to retrieve the passphrase using that PIN in Windows. I can confirm that this PIN doesn't work on DIR devices but confirmed working on DSL 2730U & DSL 2750U. I have not tested it on other Dlink DSL routers.

**kcdtv** · 2015-10-12

jumpstat doesn't do anything special.
Try to add -n to yor reaver line, you should recover the wpa key.
Otherwise use wpa_cli to connect "normaly" through WPS,
That the normal way to use WPS in Linux.

**rho** · 2015-10-30

So following that post..
I have a question..

Does the PKR value of the same AP change ?

My work network is Cisco Linksys E900 v1 FW: 1.0.0.0
on bruting it, it locks up on every 9 successful incorrect pins for 60 seconds and then for 10 seconds or so for every 3 incorrect pins.. and the cycle continues.
Its non-exponential.

Howwver, the strange bit is : its PKR value has changed two times.
First time it was some huge BE:3f:4c.......
Second time it was something else.. cant rem:
Now its 00:00:00:00:00:00:...............:00:00:00:02 (all zeroes and last digit 2)

Im using the -vvv with reaver.. and trying to manually input values in PD. so this caught my attention.
Again im unable to post the log(s).. as sucuri website firewall doesnt allow me to.

**soxrok2212** · 2015-10-31

Originally Posted by rho

So following that post..
I have a question..

Does the PKR value of the same AP change ?

My work network is Cisco Linksys E900 v1 FW: 1.0.0.0
on bruting it, it locks up on every 9 successful incorrect pins for 60 seconds and then for 10 seconds or so for every 3 incorrect pins.. and the cycle continues.
Its non-exponential.

Howwver, the strange bit is : its PKR value has changed two times.
First time it was some huge BE:3f:4c.......
Second time it was something else.. cant rem:
Now its 00:00:00:00:00:00:...............:00:00:00:02 (all zeroes and last digit 2)

Im using the -vvv with reaver.. and trying to manually input values in PD. so this caught my attention.
Again im unable to post the log(s).. as sucuri website firewall doesnt allow me to.

The specification may seem backwards, but upon understanding how the whole thing works, the registrar is the entity looking to join the network (YOU) and the enrollee is the AP.

That being said, you as the attacker (or device looking to join) are generating the PKR. If you use -S in Reaver (small DH Keys), then Reaver will generate a PKR with a value of 00:00:00:00.....:00:00:00:02. I generally try to avoid using -S when pixie dusting now (and it WILL NOT even work with Realtek access points) so unless you are running a standard Reaver attack, there is no need for it. Otherwise, Reaver will select a random private number and will generate a random PKR value like the first time you tried.

Also note that your router, Linksys E900, uses a Broadcom BCM5357C0 wireless chip which is not currently vulnerable to pixiewps: https://wikidevi.com/wiki/Linksys_E900

**rho** · 2015-11-01

Oh, ok.. lol
Got mixed up with the PKR and PKE.
Thankyou for clearing it.

@ Mteam,
will try that next.

Thread: Pixiewps: wps pixie dust attack tool

Thread Tools

Search Thread

Display

Hybrid View

Similar Threads

Data gathering for pixiewps (pixie dust attack)

WPS Pixie Dust Attack (Offline WPS Attack)

Pixiewps: wps pixie dust attack tool

Posting Permissions