Results 1 to 17 of 17

Thread: WPS Pin crack latest techniques

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Join Date
    2013-Mar
    Posts
    77

    Question WPS Pin crack latest techniques

    Hi

    As i was out for a long time ago from Wireless penetration testing can anyone point me to the latest WPS Pin cracking methods?

    Somewhere i was read that it is possible to do an offline pin cracking and that's great as you will avoid router locking but does it works and in general always works?

    What are the 2-3 best methods you use?

    Thank you !
    Last edited by pamamolf; 2015-08-15 at 22:39.

  2. #2
    Join Date
    2015-Aug
    Posts
    20
    I generally use still reaver. You can also use bully

  3. #3
    Join Date
    2013-Mar
    Posts
    77
    I was left on the way that you had to brute force the pin and the most times the router locks

    Now i can see that we can get some keys and copy paste them to another software and crack more easy the pin but i need some more help/links about it please.....

    I don;t know if a better way exits either....

  4. #4
    Join Date
    2015-Aug
    Location
    The Pits
    Posts
    86
    Hello pamamolf,
    The Pixie Dust attack is the bee's knees, it might calculate the correct PIN in just seconds, even working successfully on some wps routers that do "one and done" rate limiting:
    github.com/wiire/pixiewps
    Make sure you install any needed dependencies. And it only works with the new Reaver fork, here you go:
    github.com/t6x/reaver-wps-fork-t6x

    WPSPIN.sh and WPSpin.py ~might~ guess the default pin, based on chip and BSSID/ESSID info, but I haven't ever run into a compatible wifi router yet. Besides, the new aircrack-ng suite (Included in Kali now) can try to guess a default pin... if you'd like to try, add the -W argument to reaver.

  5. #5
    Join Date
    2013-Mar
    Posts
    77
    It is my favorite tool also but if i am not wrong i was read that every time fails :

    Post #92

  6. #6
    Join Date
    2013-Mar
    Posts
    77
    @ John_Doe

    Thank you so much

    Do i have to overwrite the default reaver with the new fork or do anything else?

    Any instructions?

  7. #7
    Join Date
    2014-Jun
    Posts
    71
    HI, best method I have found is to download this tool https://github.com/aanarchyy/wifite-mod-pixiewps
    Thats all.
    Very easy , It should not take more than 4 minutes. Specially if the router is vulnerable.

  8. #8
    Join Date
    2015-Aug
    Location
    The Pits
    Posts
    86
    Hello again pamamolf,
    I am new to Kali [THANK YOU, KALI, YOU'RE AWESOME!] and out of the box the Pixie Dust attack did
    not work properly. I installed the new Reaver fork, which overwrote the old version. Make sure you
    install all needed dependencies first; for Kali 1.1.0 I needed to add:
    libpcap-dev
    and
    libsqlite3-dev
    And then install pixiewps per:
    github.com/wiire/pixiewps
    And then install reaver according to:
    github.com/t6x/reaver-wps-fork-t6x

    Does your Kali open a monitor as mon0 instead of wlan0mon? If so, you have the OLD version of
    aircrack-ng, which works great for FrankenScript, but for this you'll want the new aircrack suite:
    sudo apt-get -y install aircrack-ng

    Here is a sample Pixie Dust syntax, just put in the BSSID in place of the xx's and add a channel number:
    sudo reaver -i wlan0mon -b xx:xx:xx:xx:xx:xx -c (PUT CHANNEL HERE) -vvv -K 1 -f

    If unsuccessful it should soon reply:
    Pixie-Dust] [-] WPS pin not found!
    Or it might reply:
    [+] Pin not found, trying -f (full PRNG brute force), this may take around 30 minutes

    NOTE: Not all models of wifi routers are vulnerable, so you'll see quite a few "WPS Pin not found"
    messages. But when it works, it's awesome!

    Now, there ARE some problems with going to the new aircrack suite and the new Reaver fork, mostly due to the changed syntax from "mon0" to "wlan0mon", but it's a small price to pay.

  9. #9
    Join Date
    2013-Mar
    Posts
    77
    I am on Kali 2

  10. #10
    Join Date
    2015-Jun
    Posts
    48
    Quote Originally Posted by pamamolf View Post
    I am on Kali 2
    Kali 2 includes pixiewps and the latest reaver fork needed to run the attack. Not all routers are susceptible to the pixie attack, but when they are it takes max like 5 minutes to get the WPS pin and password (assuming no rate limiting timeouts).

    You can simply put your card into monitor mod, use the wash command to try to find a system and then
    Code:
    Example:
            reaver -i wlan0mon -b 00:AA:BB:11:22:33 -vvv -K 1
    and it will attempt to get the needed hashes and pass them to pixiewps.

    There is also a python script similar to wifite that you need to modify a few lines in to make it work now since the author hasn't maintained it:
    https://github.com/nxxxu/AutoPixieWps

    Also a modified version of wifite that incorporates pixiewps (not sure if included in Kali 2):
    https://github.com/aanarchyy/wifite-mod-pixiewps

    If pixiewps fails, then it's back to bully or reaver pretty much.

  11. #11
    Join Date
    2015-Aug
    Location
    The Pits
    Posts
    86
    Well said, deadlyhabit.
    I just tried a default pin calculator called WPS-PIN-6, which only runs on Windows Vista and newer (I tried it on Windows 7). You need to install all the .NET versions up to at least 4 (I also installed .NET 4.5.1). There's also a Linux version but I couldn't get it to work, as I'm not all that smart.
    Anyhow, after a little wardriving I found it only goes green for a supposedly correct hit when it sees one of a just a very few models of wifi routers. Basically, it was a waste of time. But if you really have nothing else to do, you might try it.
    CAVEAT: The gui is all in Spanish.

  12. #12
    Join Date
    2013-Mar
    Posts
    77
    Kali 2 includes pixiewps and the latest reaver fork needed to run the attack.
    But John_Doe told me that i must install them and they are not included..... or not?

  13. #13
    Join Date
    2015-Jun
    Posts
    48
    Quote Originally Posted by pamamolf View Post
    But John_Doe told me that i must install them and they are not included..... or not?
    They're both included and wifite even has a pixiewps option which I saw yesterday since I rarely use it.

  14. #14
    Join Date
    2014-May
    Location
    Valencia
    Posts
    48
    MAC Spoofing

    In some cases you may want/need to spoof your MAC address. Reaver supports MAC spoofing with the --mac option, but you must ensure that you have spoofed your MAC correctly in order for it to work.

    Changing the MAC address of the virtual monitor mode interface (typically named mon0) WILL NOT WORK. You must change the MAC address of your wireless card's physical interface. For example:

    # ifconfig wlan0 down
    # ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
    # ifconfig wlan0 up
    # airmon-ng start wlan0
    # reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69

    ------------------------------------------------------------------------------------

    How do we do it?
    Kali linux 2.0 --- wlan0mon
    mac address changer and reaver? kali linux 2.0 how to do?


    -------WARNING: Failed to associate with------

  15. #15
    Join Date
    2013-Mar
    Posts
    77
    Is there a parameter or a way if i know the WPS pin to pass it to the script manually and get the wpa password?

  16. #16
    Join Date
    2015-Jun
    Posts
    48
    There is that outdated AutoPixieWPS python script I linked earlier I believe that does it (like I said a few lines in the script need a tweak due to the reaver fork command changing). If you mean in wifite, dunno as I rarely touch it.
    Basically what I do for a WPS attack is:
    1.) put my card into monitor mode
    2.) run a wash scan
    3.) ensure the target has WPS enabled
    4.) ensure the target is not in rate limit mode/locked currently
    5.) stop wash and copy the bssid and make note of the channel
    6.) plug that info into the reaver fork command (-c is the optional argument for channel)
    reaver -i wlan0mon -b 00:AA:BB:11:22:33 -vvv -K 1
    7.) if compatible with the pixie attack you get the WPS pin
    8.) usually at this point the target AP is in lockout mode from anywhere from 6-20 minutes
    9.) run reaver or bully starting with that pin when the AP isn't in lockout mode and voila password

    I realize it's easier to just use a script, but if scripts aren't updated then knowing the actual commands and what they do is almost as quick and very useful for when they don't keep up to date, or there are changes in the commands they issue.

  17. #17
    Join Date
    2014-May
    Location
    Valencia
    Posts
    48
    mac address changer and reaver? kali linux 2.0 how to do?

    -------WARNING: Failed to associate with------

Similar Threads

  1. Crack PDF password?
    By Jayden_Blade in forum General Archive
    Replies: 0
    Last Post: 2015-01-30, 04:08
  2. Replies: 3
    Last Post: 2014-09-25, 03:21
  3. Possible to crack WPA with message 1 and 2 of 4?
    By soxrok2212 in forum General Archive
    Replies: 0
    Last Post: 2013-11-01, 22:42
  4. SET AV Bypass Techniques
    By seag33k in forum General Archive
    Replies: 1
    Last Post: 2013-06-26, 17:21

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •