Attacking WPS Offline with PixieWPS


ZaraByte
Download: http://github.com/wiire/pixiewps
Description: Pixiewps is a tool written in C used to brute-force the WPS PIN offline, exploiting the low or non-existent entropy of some APs (pixie dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.
Sample image: i.imgur.com/J43CM9i.png
License: GNU GPLv3

Features:
- Checksum optimization: it will first try valid PINs (11,000).
- Reduced entropy of the seed from 32 to 25 bits for the C LCG pseudo-random function.
- Small Diffie-Hellman keys: you don't need to specify the Public Registrar Key if the same option is used with Reaver.

The program will also try first with E-S0 = E-S1 = 0, then it will try to brute-force the seed of the PRNG if the --e-nonce option is specified.

Also thanks to soxrok2212, who made a very nice tutorial: youtu.be/_sbdQMH8cQ8. In the description there's a link to the modified (forked) version of Reaver that displays all the useful information (except PKR).

The thing is freaking awesome.

It requires

sudo apt-get install libpcap-dev
sudo apt-get install libsqlite3-dev

for it to work, but it works well on Kali Linux.
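To show why the checksum feature above narrows the candidate set to 11,000 PINs (and why WPS PIN is such a small space to defend), here is an added example that is not pixiewps code or anything posted in this thread: it implements the WPS PIN check-digit rule from the WPS specification and counts the candidates of the two-half verification that WPS performs.

```c
#include <stdio.h>
#include <stdbool.h>
/* WPS PIN check digit (8th digit) over the first seven digits, as defined
 * by the WPS specification: weighted digit sum, weights 3 and 1 alternating
 * from the right. Added example, not pixiewps code. */
unsigned int wps_pin_checksum(unsigned int pin7)
{
    unsigned int accum = 0;
    while (pin7) {
        accum += 3 * (pin7 % 10);
        pin7 /= 10;
        accum += pin7 % 10;
        pin7 /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* True if an 8-digit PIN carries a correct check digit. */
bool wps_pin_valid(unsigned int pin8)
{
    return pin8 < 100000000u && wps_pin_checksum(pin8 / 10) == pin8 % 10;
}

/* WPS verifies the PIN in two halves (first four digits, then last four).
 * For a fixed first half, count second halves whose check digit is right:
 * three free digits plus one determined digit gives 1,000 of 10,000. */
unsigned int count_valid_second_halves(unsigned int first_half)
{
    unsigned int n = 0;
    for (unsigned int second = 0; second < 10000; second++)
        if (wps_pin_valid(first_half * 10000 + second))
            n++;
    return n;
}

/* Total candidates a split search must try: 10,000 first halves plus the
 * valid second halves, i.e. the 11,000 the feature list refers to. */
unsigned int split_search_space(void)
{
    return 10000 + count_valid_second_halves(0);
}

int main(void)
{
    printf("check digit for 1234567: %u\n", wps_pin_checksum(1234567));
    printf("12345670 valid: %s\n", wps_pin_valid(12345670) ? "yes" : "no");
    printf("split search space: %u PINs\n", split_search_space());
    return 0;
}
```

The 12345670 value is the well-known default/test WPS PIN; its check digit comes out as 0, which is why it passes.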


It also needs libssl-dev.

On the old Kali Linux, possibly Kali Linux 1.1.0, I only needed to install those two.

This attack fails just as much as a normal WPS attack fails, but it is still a good alternative.


Well, given that I had a big hand in the code here, it doesn't fail if you run it against the right vulnerable sources. I've had success with over 100 routers.

My problem is that people are renting their modems from their ISP, and most of those rented routers are not vulnerable, which is good.

I'm not saying that it's good to target random networks, obviously, because it's unethical, but what I choose to do is my business. I like that this was finally made public. It might have been cooler to see this released at DEF CON; I bet anyone who was planning to bring this up again at DEF CON is possibly ticked off, because they were going to do something like this, lol.


From what I've experienced so far, this attack is extremely limited in scope. The claim is that the attack should work against both Ralink and Broadcom.

It appears that maybe the Ralink portion is true, but I've yet to find one to test it on. I have been able to locate numerous Broadcom routers, and none of them are vulnerable. I was able to get a spreadsheet from the software release noting vulnerable routers, and by their own admission, no Broadcom router was verified.

I'm not saying that it does not work against a Broadcom router, but I personally have not verified it, nor have I seen one specifically listed as being vulnerable.

I think this tool will perhaps become more useful over time. I also appreciate all those that work so hard on the code. It is greatly appreciated.

I am also not sure that I'm using the tool correctly, especially on the Broadcom units. I will list my parameters below and maybe someone can verify.

I'm running a "reaver -i mon0 -c x -b xx:xx:xx:xx:xx:xx -vv" command against Broadcom APs. I think the -S option is only used on Ralink APs.

I'm running a "pixiewps -e PKE -r PKR -s E-Hash1 -z E-Hash2 -a AuthKey -n E-Nonce" command in PixieWPS.

I am of course using the key values provided by modified Reaver in the appropriate fields.

I've obtained the PKR value from the M2 message in Wireshark, using Edit -> Copy -> Value, then pasted it into the PixieWPS command.

I would be happy to post the AP information for the ones I've already tested. So far I've checked over 10 APs, including 4 different Broadcoms. None have worked.


If the AP is not vulnerable it will likely say something like "Key not found"; at least it did for me.

I did a demo video of me using it. Right now I don't have an AP I can test on; my router is bricked due to a firmware update.

https://www.youtube.com/watch?v=4UaGeXytkVg

You might also give AutoPixieWPS a try: http://matthewhknight.com/autopixiewps/


Just wondering if you have tried this on the WiFi Pineapple itself.

To be honest, I hardly use my Mark 5 since I got it. I've run this on my Nexus 7 tablet with NetHunter installed, and it works well.
