Thread: Pixiewps: wps pixie dust attack tool

  1. #1
    Quote Originally Posted by soxrok2212
    I doubt it... As far as I remember, TL-WR740n uses an Atheros chipset -- runs Linux -- not feasible with the PRNG keyspace
    Finally able to create my account in this forum.

    I already emailed wiire about the tests I've done.

    First of all, I made a modified version of reaver to facilitate the tests; this modification already does a pixie test when a pin is tested with reaver:

    [P] E-Nonce: 41:f2:8c:82:53:3b:df:........
    [P] PKE: 6b:0e:22:cb:cd:21:........
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Number: RT2860
    [+] Received message M1
    [P] AuthKey: f7:fb:bc:21:ab:3b:99:70:36:8e:f1:a0:........
    [+] Sending message M2
    [P] E-Hash1: 1e:d6:12:27:8f:12:28:21:9a:54:.........
    [P] E-Hash2: d:f:34:e:ac:55:a4:9e:b3:95:31:7a:61:b0:........
    [Pixie-Dust]
    [Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] PSK1: 76:46:96:c7:5d:e4:8a:86:.......
    [Pixie-Dust][*] PSK2: 1b:5e:3e:6b:19:89:4b:5c:.......
    [Pixie-Dust] [+] WPS pin: 41368541
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    [+] Received message M3
    [+] Sending message M4

    If someone wants this version, tell me.

    Now with relation to the TP-Link.

    I believe it may be vulnerable to another type of problem.

    I have a TP-Link 740N v1; it is a very old router, I think from 2004-2005.

    It has the Atheros chipset, runs Linux and uses hostap together with /dev/random.

    But this firmware version, for example, has a problem in the generation of random numbers; it may be that this firmware version is the one with this problem.

    The seed for generating the random number is based on the router's date (date, time, seconds).

    Every time I restart the modem, the seed used to generate the random number is the same. So it is possible to brute-force all dates, hours and seconds to find the current state of the seed. This makes it possible to generate future seeds to brute-force the pin.

    It may be that this problem is only in this firmware version; I do not have other routers to test or compare, and without having them in hand it is difficult to make the tests.

    But this problem certainly is present in many other models of routers.

    Today I came across a router where E-Hash1 and E-Hash2 were identical, and I needed to make a modification in pixie for it to do the brute-force correctly.

    I will continue to develop, and when I have more news I will come back to post.

    Sorry for the English, I used a translator.
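The two weak-randomness symptoms this post describes, all-zero E-S1/E-S2 nonces and an E-Hash1 that equals E-Hash2, are both visible in a reaver-style exchange log like the one quoted above. The following is an added example, not code from the post or from reaver/pixiewps: it parses that log format and reports those indicators, so that someone auditing their own access point can tell from the M1-M3 exchange whether the enrollee's WPS implementation is drawing its secrets from a working RNG. The sample logs are constructed with placeholder bytes (the `HYPOTHETICAL-AP` model name is made up); the field names follow the post's output.

```python
import re

# Constructed sample logs in the reaver-style format shown in the thread.
# The byte values are made-up placeholders, not the bytes from the post.
WEAK_NONCE_LOG = """\
[P] E-Nonce: 41:f2:8c:82:53:3b:df:10:22:33:44:55:66:77:88:99
[P] PKE: 6b:0e:22:cb:cd:21:........
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[+] Received message M1
[P] E-Hash1: 1e:d6:12:27:8f:12:28:21
[P] E-Hash2: 0d:0f:34:0e:ac:55:a4:9e
[Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
"""

# Second constructed sample: nonces look fine, but both E-Hash values are equal.
EQUAL_HASH_LOG = """\
[P] E-Nonce: 9a:01:77:c3:4d:e2:0b:58:13:6f:a9:30:c7:84:2e:d5
[P] WPS Model Number: HYPOTHETICAL-AP
[P] E-Hash1: 5c:a1:0e:33:7b:9d:42:f0
[P] E-Hash2: 5c:a1:0e:33:7b:9d:42:f0
[Pixie-Dust][*] ES-1: 3e:19:b7:c2:5a:08:d4:61:f9:27:8c:e0:4b:93:a6:15
[Pixie-Dust][*] ES-2: 72:c8:0d:5f:b1:e6:39:a4:1c:8e:57:d0:2b:f3:64:98
"""

# "[P] key: value" and "[Pixie-Dust][*] key: value" lines; "[+]" progress lines are ignored.
FIELD_RE = re.compile(
    r"^\[(?:P|Pixie-Dust)\]\s*(?:\[[*+]\])?\s*(?P<key>[^:]+?):\s*(?P<val>.*)$"
)
HEX_FIELDS = {"E-Nonce", "R-Nonce", "PKE", "PKR", "AuthKey",
              "E-Hash1", "E-Hash2", "ES-1", "ES-2", "PSK1", "PSK2"}


def parse_hex_bytes(val):
    """Turn '41: f2: 8c: ........' into (bytes, truncated); a run of dots marks a cut-off dump."""
    parts = [p.strip() for p in val.split(":")]
    truncated = any(p and set(p) <= {"."} for p in parts)
    data = bytes(int(p, 16) for p in parts if p and not set(p) <= {"."})
    return data, truncated


def parse_log(text):
    """Return {field: value}; hex fields become (bytes, truncated) tuples, others stay strings."""
    fields = {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        fields[key] = parse_hex_bytes(val) if key in HEX_FIELDS else val
    return fields


def audit(fields):
    """Report the weak-randomness indicators described in the thread."""
    findings = []
    # E-Nonce and the secret nonces E-S1/E-S2 must be unpredictable; a single repeated
    # byte (the all-zero case from the post) means they are not coming from a working RNG.
    # Truncated dumps are skipped so a "........" tail cannot cause a false positive.
    for name in ("E-Nonce", "ES-1", "ES-2"):
        if name in fields:
            data, truncated = fields[name]
            if data and not truncated and len(set(data)) == 1:
                findings.append(f"{name} is a constant byte pattern ({data[0]:02x} repeated)")
    # E-Hash1 and E-Hash2 are HMACs over different secret halves (E-S1||PSK1 vs E-S2||PSK2).
    # Equal digests mean both halves were derived from identical inputs, which a sound
    # implementation does not produce.
    if "E-Hash1" in fields and "E-Hash2" in fields:
        h1, t1 = fields["E-Hash1"]
        h2, t2 = fields["E-Hash2"]
        if h1 == h2 and not (t1 or t2):
            findings.append("E-Hash1 == E-Hash2: both halves derived from identical inputs")
    return findings


def audit_log(text):
    """Parse a captured log and return the list of findings (empty when nothing is flagged)."""
    return audit(parse_log(text))


if __name__ == "__main__":
    for label, log in (("weak nonces", WEAK_NONCE_LOG), ("equal hashes", EQUAL_HASH_LOG)):
        print(label, "->", audit_log(log) or "no findings")
```

Run it against a log captured from an AP you administer; a clean implementation yields an empty list, while either finding is a reason to disable WPS on that device or update its firmware. The parser deliberately tolerates the spacing and trailing-dot truncation seen in the quoted output, but it only evaluates the zero-pattern and equality checks on complete values.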

  2. #2
    Join Date: 2014-Nov, Location: Bulgaria, Posts: 9
    Quote Originally Posted by t6_x
    Now with relation to the TP-Link.

    I believe it may be vulnerable to another type of problem.

    I have a TP-Link 740N v1; it is a very old router, I think from 2004-2005.

    It has the Atheros chipset, runs Linux and uses hostap together with /dev/random.

    But this firmware version, for example, has a problem in the generation of random numbers; it may be that this firmware version is the one with this problem.

    The seed for generating the random number is based on the router's date (date, time, seconds).

    Every time I restart the modem, the seed used to generate the random number is the same. So it is possible to brute-force all dates, hours and seconds to find the current state of the seed. This makes it possible to generate future seeds to brute-force the pin.

    It may be that this problem is only in this firmware version; I do not have other routers to test or compare, and without having them in hand it is difficult to make the tests.

    But this problem certainly is present in many other models of routers.

    Today I came across a router where E-Hash1 and E-Hash2 were identical, and I needed to make a modification in pixie for it to do the brute-force correctly.

    I will continue to develop, and when I have more news I will come back to post.
    If you can make this brute-force attack work on the tp-link 740n in the future it will be awesome, because 95% of networks around me are tp-link 740n with WPS turned on.

  3. #3
    Join Date: 2015-Apr, Location: cosmoland, Posts: 18
    Quote Originally Posted by WaLkZ
    If you can make this brute-force attack work on the tp-link 740n in the future it will be awesome, because 95% of networks around me are tp-link 740n with WPS turned on.
    I have the same problem!
    http://www44.zippyshare.com/v/aEY5Jq61/file.html

  4. #4
    Join Date: 2013-Jul, Location: United States, Posts: 520
    Quote Originally Posted by t6_x
    Today I came across a router where E-Hash1 and E-Hash2 were identical, and I needed to make a modification in pixie for it to do the brute-force correctly.
    Someone I am working with has also found an AP where E-Hash1 = E-Hash2. I speak a little Spanish and the other guy speaks it fluently... I guess you do too? Anyway, if you could e-mail me that would be great. My e-mail is my user name @gmail.com

    Thanks!

  5. #5
    Join Date: 2016-Apr, Posts: 10

    Hello. RT2860

    Hi,

    Please, I'm trying to test a Ralink RT2860 but it constantly gives me an error "wps transaction failed (0x04)" and I can't get the M3 or M4 messages.

    How can I get e-hashes out of this?

  6. #6
    Join Date: 2016-Apr, Posts: 10
    Quote Originally Posted by t6_x
    Finally able to create my account in this forum.

    I already emailed wiire about the tests I've done.

    First of all, I made a modified version of reaver to facilitate the tests; this modification already does a pixie test when a pin is tested with reaver:

    [P] E-Nonce: 41:f2:8c:82:53:3b:df:........
    [P] PKE: 6b:0e:22:cb:cd:21:........
    [P] WPS Manufacturer: Ralink Technology, Corp.
    [P] WPS Model Number: RT2860
    [+] Received message M1
    [P] AuthKey: f7:fb:bc:21:ab:3b:99:70:36:8e:f1:a0:........
    [+] Sending message M2
    [P] E-Hash1: 1e:d6:12:27:8f:12:28:21:9a:54:.........
    [P] E-Hash2: d:f:34:e:ac:55:a4:9e:b3:95:31:7a:61:b0:........
    [Pixie-Dust]
    [Pixie-Dust][*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] PSK1: 76:46:96:c7:5d:e4:8a:86:.......
    [Pixie-Dust][*] PSK2: 1b:5e:3e:6b:19:89:4b:5c:.......
    [Pixie-Dust] [+] WPS pin: 41368541
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    [+] Received message M3
    [+] Sending message M4

    If someone wants this version, tell me.

    Now with relation to the TP-Link.

    I believe it may be vulnerable to another type of problem.

    I have a TP-Link 740N v1; it is a very old router, I think from 2004-2005.

    It has the Atheros chipset, runs Linux and uses hostap together with /dev/random.

    But this firmware version, for example, has a problem in the generation of random numbers; it may be that this firmware version is the one with this problem.

    The seed for generating the random number is based on the router's date (date, time, seconds).

    Every time I restart the modem, the seed used to generate the random number is the same. So it is possible to brute-force all dates, hours and seconds to find the current state of the seed. This makes it possible to generate future seeds to brute-force the pin.

    It may be that this problem is only in this firmware version; I do not have other routers to test or compare, and without having them in hand it is difficult to make the tests.

    But this problem certainly is present in many other models of routers.

    Today I came across a router where E-Hash1 and E-Hash2 were identical, and I needed to make a modification in pixie for it to do the brute-force correctly.

    I will continue to develop, and when I have more news I will come back to post.

    Sorry for the English, I used a translator.
    Hello,

    I'm trying to test a Ralink RT2860 (exactly the same as the example above) but it constantly gives me an error "WPS transaction failed (0x04)" and I can't get any M3, M4 messages or E-Hashes. Please, any solutions?
    Last edited by whitetsagan; 2016-04-13 at 08:55.
