ZaraByte Posted April 4, 2015

Download: http://github.com/wiire/pixiewps

Description: Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some APs (pixie dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.

Sample image: i.imgur.com/J43CM9i.png

License: GNU GPLv3

Features:
- Checksum optimization: it'll try first for valid PINs (11'000).
- Reduced entropy of the seed from 32 to 25 bits for the C LCG pseudo-random function.
- Small Diffie-Hellman keys: don't need to specify the Public Registrar Key if the same option is used with Reaver.

The program will also try first with E-S0 = E-S1 = 0, then it'll try to bruteforce the seed of the PRNG if the --e-nonce option is specified.

Also thanks to soxrok2212 who made a very nice tutorial: youtu.be/_sbdQMH8cQ8. In the description there's a link to the modified version of reaver-forked to display all the useful information (except PKR).

Thing is freaking awesome. It requires
sudo apt-get install libpcap-dev
sudo apt-get install libsqlite3-dev
for it to work, but works good on Kali Linux.
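The "Checksum optimization" feature above rests on the WPS PIN format: the eighth digit of a PIN is a checksum of the first seven, so only one in ten 8-digit strings is a well-formed PIN, and because the protocol confirms each half of the PIN separately, a registrar that checks halves independently faces 10^4 + 10^3 = 11,000 candidates rather than 10^7. The checksum routine below is an added example written for this thread (it is not pixiewps or Reaver code); it follows the public WPS specification's checksum and is the same check a defender uses to validate the PIN printed on a router label. The PIN values in it are constructed for illustration.

```python
# Added example: WPS PIN checksum digit and why the effective search space is
# 11,000 when the two halves of the PIN are confirmed separately.
# Not code from the pixiewps project; sample PINs below are constructed.

def wps_checksum(first7: int) -> int:
    """Return the check digit (8th digit) for the first seven digits of a WPS PIN.

    Digits are weighted 3,1,3,1,... starting from the right-most of the seven,
    and the check digit brings the weighted sum to a multiple of 10.
    """
    accum = 0
    n = first7
    while n:
        accum += 3 * (n % 10)   # weight 3
        n //= 10
        accum += n % 10         # weight 1
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is an 8-digit string whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def search_space(split_verification: bool) -> int:
    """Number of candidate PINs an attacker must try at most.

    Every 7-digit prefix has exactly one valid check digit, so there are 10**7
    well-formed PINs. If the AP confirms the first 4 digits and the last 4 digits
    independently (the WPS design flaw), the halves are searched one after the
    other: 10**4 for the first half, then 10**3 for the three free digits of
    the second half, the check digit being determined.
    """
    if split_verification:
        return 10**4 + 10**3
    return 10**7


if __name__ == "__main__":
    # Constructed examples: "12345670" is the well-known sample PIN from the
    # WPS specification; "12345678" has the wrong check digit.
    for pin in ("12345670", "12345678", "00000000", "1234567"):
        print(pin, "valid" if is_valid_wps_pin(pin) else "invalid")
    print("candidates, full PIN verified at once:", search_space(False))
    print("candidates, halves verified separately:", search_space(True))
```

Run it as a script to see which constructed PINs pass the checksum and the two candidate counts side by side; the 11,000 figure in the feature list is exactly `search_space(True)`.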
ZaraByte Posted April 4, 2015 (Author)

Also needs libssl-dev for the old Kali Linux, possibly. For Kali Linux 1.1.0 I only needed to install just those two. This attack fails just as much as a normal WPS attack fails; it's still a good alternative.
DataHead Posted April 4, 2015

Well, being that I had a big hand in the code here, it doesn't fail if you attack against the right vulnerable sources. I've had success with over 100 routers.
ZaraByte Posted April 5, 2015 (Author)

> Well, being that I had a big hand in the code here, it doesn't fail if you attack against the right vulnerable sources. I've had success with over 100 routers.

My problem is people are renting their modems from their ISP and most of those rented routers are not vulnerable, which is good. I'm not saying that it's good to target random networks, obviously, because it's unethical, but what I choose to do is my business. I like that this was finally made public. It might have been cooler to see this being released at DEF CON; I bet anyone who was planning to bring this up again at DEF CON is possibly ticked because they were gonna do something like this, lol.
gravityzero Posted April 6, 2015

From what I've experienced so far, this attack is extremely limited in scope. The claim is that the attack should work against both Ralink and Broadcom. It appears that maybe the Ralink portion is true, but I've yet to find one to test it on. I have been able to locate numerous Broadcom routers and none of them are vulnerable. I was able to obtain a spreadsheet from the software release noting vulnerable routers and, by their own admission, no Broadcom router was verified. I'm not saying that it does not work against a Broadcom router, but I personally have not verified it, nor have I seen one specifically listed as being vulnerable. I think this tool will perhaps become more useful over time. I also appreciate all those that work so hard on the code. It is greatly appreciated.

I am also not sure that I'm using the tool correctly, especially on the Broadcom units. I will list my parameters below and maybe someone can verify.

I'm running a "reaver -i mon0 -c x -b xx:xx:xx:xx:xx:xx -vv" command against Broadcom APs. I think the -S option is only used on Ralink APs.

I'm running a "pixiewps -e PKE -r PKR -s E-Hash1 -z E-Hash2 -a AuthKey -n E-Nonce" command in PixieWPS. I am of course using the key values provided by modified Reaver in the appropriate fields. I've obtained the PKR value from the M2 message in Wireshark, using Edit -> Copy -> Value, then pasted it into the PixieWPS command.

I would be happy to post the AP information for the ones I've already tested. So far I've checked over 10 APs, including 4 different Broadcoms. None have worked.
ZaraByte Posted April 6, 2015 (Author)

If the AP is not vulnerable it will likely say something like "Key not found"; at least it did for me. I did a demo video of me using it. Right now I don't have an AP I can test on; my router is bricked due to a firmware update now. https://www.youtube.com/watch?v=4UaGeXytkVg

Also, you might give AutoPixieWPS a try: http://matthewhknight.com/autopixiewps/
WPA3 Posted April 10, 2015

> If the AP is not vulnerable it will likely say something like "Key not found"; at least it did for me. I did a demo video of me using it. Right now I don't have an AP I can test on; my router is bricked due to a firmware update now. https://www.youtube.com/watch?v=4UaGeXytkVg Also, you might give AutoPixieWPS a try: http://matthewhknight.com/autopixiewps/

Just wondering if you have tried this on the WiFi Pineapple itself.
ZaraByte Posted April 10, 2015 (Author)

> Just wondering if you have tried this on the WiFi Pineapple itself.

To be honest, I hardly use my Mark 5 since I got it. I've run this on my Nexus 7 tablet with NetHunter installed and it works good.