Member
WPS Pin crack latest techniques
Hi
As i was out for a long time ago from Wireless penetration testing can anyone point me to the latest WPS Pin cracking methods?
Somewhere i was read that it is possible to do an offline pin cracking and that's great as you will avoid router locking but does it works and in general always works?
What are the 2-3 best methods you use?
Thank you !
Last edited by pamamolf; 2015-08-15 at 22:39.
Junior Member
I generally use still reaver. You can also use bully
Member
I was left on the way that you had to brute force the pin and the most times the router locks
Now i can see that we can get some keys and copy paste them to another software and crack more easy the pin but i need some more help/links about it please.....
I don;t know if a better way exits either....
Member
Hello pamamolf,
The Pixie Dust attack is the bee's knees, it might calculate the correct PIN in just seconds, even working successfully on some wps routers that do "one and done" rate limiting:
github.com/wiire/pixiewps
Make sure you install any needed dependencies. And it only works with the new Reaver fork, here you go:
github.com/t6x/reaver-wps-fork-t6x
WPSPIN.sh and WPSpin.py ~might~ guess the default pin, based on chip and BSSID/ESSID info, but I haven't ever run into a compatible wifi router yet. Besides, the new aircrack-ng suite (Included in Kali now) can try to guess a default pin... if you'd like to try, add the -W argument to reaver.
Member
@ John_Doe
Thank you so much
Do i have to overwrite the default reaver with the new fork or do anything else?
Any instructions?
Member
HI, best method I have found is to download this tool https://github.com/aanarchyy/wifite-mod-pixiewps
Thats all.
Very easy , It should not take more than 4 minutes. Specially if the router is vulnerable.
Member
It is my favorite tool also but if i am not wrong i was read that every time fails :
Post #92
Member
Hello again pamamolf,
I am new to Kali [THANK YOU, KALI, YOU'RE AWESOME!] and out of the box the Pixie Dust attack did
not work properly. I installed the new Reaver fork, which overwrote the old version. Make sure you
install all needed dependencies first; for Kali 1.1.0 I needed to add:
libpcap-dev
and
libsqlite3-dev
And then install pixiewps per:
github.com/wiire/pixiewps
And then install reaver according to:
github.com/t6x/reaver-wps-fork-t6x
Does your Kali open a monitor as mon0 instead of wlan0mon? If so, you have the OLD version of
aircrack-ng, which works great for FrankenScript, but for this you'll want the new aircrack suite:
sudo apt-get -y install aircrack-ng
Here is a sample Pixie Dust syntax, just put in the BSSID in place of the xx's and add a channel number:
sudo reaver -i wlan0mon -b xx:xx:xx:xx:xx:xx -c (PUT CHANNEL HERE) -vvv -K 1 -f
If unsuccessful it should soon reply:
Pixie-Dust] [-] WPS pin not found!
Or it might reply:
[+] Pin not found, trying -f (full PRNG brute force), this may take around 30 minutes
NOTE: Not all models of wifi routers are vulnerable, so you'll see quite a few "WPS Pin not found"
messages. But when it works, it's awesome!
Now, there ARE some problems with going to the new aircrack suite and the new Reaver fork, mostly due to the changed syntax from "mon0" to "wlan0mon", but it's a small price to pay.
Member
I am on Kali 2
Member
Kali 2 includes pixiewps and the latest reaver fork needed to run the attack. Not all routers are susceptible to the pixie attack, but when they are it takes max like 5 minutes to get the WPS pin and password (assuming no rate limiting timeouts).Originally Posted by pamamolf
I am on Kali 2
You can simply put your card into monitor mod, use the wash command to try to find a system and then
and it will attempt to get the needed hashes and pass them to pixiewps.Code:Example: reaver -i wlan0mon -b 00:AA:BB:11:22:33 -vvv -K 1
There is also a python script similar to wifite that you need to modify a few lines in to make it work now since the author hasn't maintained it:
https://github.com/nxxxu/AutoPixieWps
Also a modified version of wifite that incorporates pixiewps (not sure if included in Kali 2):
https://github.com/aanarchyy/wifite-mod-pixiewps
If pixiewps fails, then it's back to bully or reaver pretty much.
Member
Well said, deadlyhabit.
I just tried a default pin calculator called WPS-PIN-6, which only runs on Windows Vista and newer (I tried it on Windows 7). You need to install all the .NET versions up to at least 4 (I also installed .NET 4.5.1). There's also a Linux version but I couldn't get it to work, as I'm not all that smart.
Anyhow, after a little wardriving I found it only goes green for a supposedly correct hit when it sees one of a just a very few models of wifi routers. Basically, it was a waste of time. But if you really have nothing else to do, you might try it.
CAVEAT: The gui is all in Spanish.
Member
But John_Doe told me that i must install them and they are not included..... or not?Kali 2 includes pixiewps and the latest reaver fork needed to run the attack.
Member
MAC Spoofing
In some cases you may want/need to spoof your MAC address. Reaver supports MAC spoofing with the --mac option, but you must ensure that you have spoofed your MAC correctly in order for it to work.
Changing the MAC address of the virtual monitor mode interface (typically named mon0) WILL NOT WORK. You must change the MAC address of your wireless card's physical interface. For example:
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69
------------------------------------------------------------------------------------
How do we do it?
Kali linux 2.0 --- wlan0mon
mac address changer and reaver? kali linux 2.0 how to do?
-------WARNING: Failed to associate with------
Member
They're both included and wifite even has a pixiewps option which I saw yesterday since I rarely use it.
Member
Is there a parameter or a way if i know the WPS pin to pass it to the script manually and get the wpa password?
Member
There is that outdated AutoPixieWPS python script I linked earlier I believe that does it (like I said a few lines in the script need a tweak due to the reaver fork command changing). If you mean in wifite, dunno as I rarely touch it.
Basically what I do for a WPS attack is:
1.) put my card into monitor mode
2.) run a wash scan
3.) ensure the target has WPS enabled
4.) ensure the target is not in rate limit mode/locked currently
5.) stop wash and copy the bssid and make note of the channel
6.) plug that info into the reaver fork command (-c is the optional argument for channel)
reaver -i wlan0mon -b 00:AA:BB:11:22:33 -vvv -K 1
7.) if compatible with the pixie attack you get the WPS pin
8.) usually at this point the target AP is in lockout mode from anywhere from 6-20 minutes
9.) run reaver or bully starting with that pin when the AP isn't in lockout mode and voila password
I realize it's easier to just use a script, but if scripts aren't updated then knowing the actual commands and what they do is almost as quick and very useful for when they don't keep up to date, or there are changes in the commands they issue.
Member
mac address changer and reaver? kali linux 2.0 how to do?
-------WARNING: Failed to associate with------
Posting Permissions
