Pixie Dust Attack (WPS Enabled Routers)


Postby Furqan Hanif » Thu Mar 19, 2015 11:51 am

Is there any tool available for the Pixie Dust attack? I want to check this Pixie Dust thingy on my own router (my router is from Fiberhome, which has a Broadcom chipset inside). So is there any tool available yet, or is this attack just a fairy tale or some kind of story?

Re: Pixie Dust Attack (WPS Enabled Routers)

Postby XaneXXXX » Thu Mar 19, 2015 4:36 pm

I found this: https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-%28Offline-WPS-Attack%29


Some info about the Pixie Dust attack. Personally I have never heard about it before, so I can't provide you any more info atm. Seems really interesting tho, so I might read about it! :)

Re: Pixie Dust Attack (WPS Enabled Routers)

Postby Sethioz » Sat Mar 21, 2015 12:10 pm

Never heard of this before, but it seems interesting. I wonder if they'll add it into Kali.

Re: Pixie Dust Attack (WPS Enabled Routers)

Postby XaneXXXX » Sat Mar 21, 2015 2:20 pm

I added two interesting documents that you should look at! :)
Attachments
Documents.zip
(6.94 MiB) Downloaded 531 times

Re: Pixie Dust Attack (WPS Enabled Routers)

Postby Sethioz » Sun Mar 22, 2015 9:59 am

I took a quick look into this and I see why there's no working concept yet: it is highly based on chipsets, so there's no generic way of doing this, but I understand the concept.
Basically nothing in a computer is "random"; if you get hold of the source, you can always replicate the so-called "random" result. Whatever algorithm they use, once you get to know how it works, you will be able to guess what it will do next, and based on that you can re-generate the WPS PIN, so basically it is not "cracking", it's just replicating the PIN, or cloning.
At least that's my understanding of this.

However, it says you have to go as far as the M3 message, but with a wrong PIN I never get further than M2, or was it up to M4? I'm quite sure I only get up to M2 if I enter a wrong PIN.

Re: Pixie Dust Attack (WPS Enabled Routers)

Postby 7Ds » Mon Apr 06, 2015 8:08 pm

Update2: More PixieWPS Tools.

https://github.com/nxxxu/AutoPixieWps (Tested On Kali Linux 1.1.0)

https://github.com/aanarchyy/wifite-mod-pixiewps (Tested On Kali Linux 1.1.0)

Update1: Since more options continue to occur, figured it would be best to simply attach the link of where to look for updates.

https://github.com/t6x/reaver-wps-fork-t6x

Delete/replace the old 'reaver-wps-fork-t6x-master' folder and simply re-run 'modifiedreaver+pixiewps-install.sh'


Update0: No more copying and pasting. Install this Modified Reaver, needed dependencies, & pixiewps.

Newly Attached: ModifiedReaver&PixieWPS1.zip

First Order of Business: Place all folders/files on /root/

Secondly: chmod +x modifiedreaver+pixiewps-install.sh, then execute it.
It simply contains a bunch of shell commands, so you don't have to run them manually.

Launch this modified reaver against the AP, it prints the needed values for pixiewps.
Afterwards, pixiewps is launched automatically.

New Arguments for reaver:

-K (run ./reaver and have a look!)

reaver example: ./reaver -i mon0 -b APBSSID -vv -d 15 -c 1 -T .20 -K 3


Credit to whomever it's due:

Dominique Bongard
wiire
soxrok2212
DataHead
Espresso_Boy
t6x
dudux
etc.


Original:

Offline WPS Vulnerability Assessment Tool (pixiewps)

Supports: Ralink & Broadcom Routers

Attached: Modified Reaver, pixiewps, needed dependencies & a bash script to install everything in one fell swoop! (Tested on Kali Linux 1.1.0)

First Order of Business: Place all folders/files on /root/

Secondly: chmod +x modifiedreaver+pixiewps-install.sh, then execute it. (It simply contains a bunch of shell commands, so you don't have to run them manually.)

Reaver has been modified to print the below needed values for pixiewps. (Run reaver & let it complete one pin transaction attempt.)

PKE
E-Hash1
E-Hash2
AuthKey
E-Nonce

Reaver Example In A New Terminal: reaver -i mon0 -b APBSSID -vv -d 15 -S -c 6 -T .20

Pixiewps Command Arguments:

-e PKE
-s E-Hash1
-z E-Hash2
-a AuthKey
-S dh-small
-n E-Nonce (Try to use this on Bcm3xxx/Bcm6xxx chip routers if pin not found.)

Pixiewps Example In A New Terminal:

pixiewps -e PastePKEFromModifiedReaver -s PasteE-Hash1FromModifiedReaver -z PasteE-Hash2FromModifiedReaver -a PasteAuthKeyFromModifiedReaver -S -n PasteE-NonceFromModifiedReaver


PS:

I'm just a messenger & taking no credit to whomever it's due.

Dominique Bongard
wiire
soxrok2212
dudux
etc.
Attachments
ModifiedReaver&PixieWPS.zip
(1.73 MiB) Downloaded 475 times
ModifiedReaver&Pixiewps1.zip
(2.99 MiB) Downloaded 489 times
Last edited by 7Ds on Wed Apr 22, 2015 12:50 am, edited 4 times in total.

Re: Pixie Dust Attack (WPS Enabled Routers)

Postby Sethioz » Tue Apr 07, 2015 7:12 pm

I gotta test this out. Any idea if this is available on the latest Kali? I gotta wipe my old BT5 and put Kali on my netbook and test it out, looks nice. I'm trying to ask Elcomsoft to make a tool for this.

Re: Pixie Dust Attack (WPS Enabled Routers)

Postby Sethioz » Mon Sep 14, 2015 5:55 am

I tried something called AutoPixie, which automatically gathers the info and then should crack the network, but it gets stuck for no reason.

Grab it here or google for it (for an updated version)
autopixie.rar
(4.14 KiB) Downloaded 94 times


I like including stuff in my posts, so that people don't have to search, but the downside is that you can get an outdated version.

Anyway, I tried the thing and it seems to be going, but it gets stuck in either "Sending WSC NACK" or "Sending M4 Message".
I doubt it's because of the network, because reaver works great on the network.
Also I didn't even know that the latest reaver shows the E-Hash info and such.

Pixie Dust is based on the fact that most routers don't actually randomize the WPS, right? But in computing, or well in the universe, there is no such thing as random at all, there is just the illusion of randomness. Isn't that correct? Every algorithm is made to do something and choose things somehow, so wouldn't it be possible to reverse engineer every "random" event in computing? Just a thought tho.
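Added example (not part of any post in this thread, and not code from reaver, pixiewps or any router firmware): the point raised in the Mar 22 and Sep 14 posts about replicable "random" values, shown as a weak nonce generator beside a hardened one. The LCG, the seed value and all function names are hypothetical, and /dev/urandom is assumed to be available.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 16 /* 128-bit nonce */

/* Hypothetical weak firmware RNG: textbook LCG, only 32 bits of state. */
static void lcg_fill(uint32_t *state, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        *state = *state * 1103515245u + 12345u;
        out[i] = (uint8_t)(*state >> 16);
    }
}

/* Weak: public nonce and secret nonce are consecutive outputs of one
 * seeded stream, so the secret is a pure function of the seed. */
void weak_nonces(uint32_t seed, uint8_t *pub, uint8_t *secret) {
    uint32_t state = seed;
    lcg_fill(&state, pub, NONCE_LEN);
    lcg_fill(&state, secret, NONCE_LEN);
}

/* Hardened: read each nonce from the kernel CSPRNG. Returns 0 on success. */
int strong_nonce(uint8_t *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(out, 1, NONCE_LEN, f);
    fclose(f);
    return got == NONCE_LEN ? 0 : -1;
}

/* 1 if re-running the weak generator with the same seed yields the same secret. */
int weak_secret_reproducible(uint32_t seed) {
    uint8_t p1[NONCE_LEN], s1[NONCE_LEN], p2[NONCE_LEN], s2[NONCE_LEN];
    weak_nonces(seed, p1, s1);
    weak_nonces(seed, p2, s2);
    return memcmp(s1, s2, NONCE_LEN) == 0 && memcmp(p1, p2, NONCE_LEN) == 0;
}

/* 1 if two CSPRNG nonces differ, -1 on read failure. */
int strong_nonces_differ(void) {
    uint8_t a[NONCE_LEN], b[NONCE_LEN];
    if (strong_nonce(a) != 0 || strong_nonce(b) != 0) return -1;
    return memcmp(a, b, NONCE_LEN) != 0;
}

int main(void) {
    printf("weak secret reproducible from seed: %d\n", weak_secret_reproducible(0x5eed1234u));
    printf("two CSPRNG nonces differ: %d\n", strong_nonces_differ());
    return 0;
}
```

For firmware authors the takeaway is the hardened path: secret values used in a WPS exchange need an OS-level CSPRNG, not a seeded generator shared with values sent in the clear.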

