
Pixie Dust Attack (WPS Enabled Routers)

PostPosted: Thu Mar 19, 2015 11:51 am
by Furqan Hanif
Is there any tool available for the Pixie Dust attack? I want to check this Pixie Dust thingy on my own router (my router is a Fiberhome, which has a Broadcom chipset inside). So is there any tool available yet, or is this attack just a fairy tale or some kind of story?
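Before worrying about any tool, the first check on your own network is whether the router advertises WPS at all; turning WPS off in the admin UI is the mitigation, and this confirms it took. The script below is an added example, not from this thread: it filters `iw dev <ifname> scan` output for the WPS information element and lists the access points that carry it. The scan dump inside it is constructed to mimic iw's layout (the iw output format is assumed); on a real system pipe the live scan into the function instead.

```shell
#!/bin/sh
# Added example (not from the thread): list access points in an
# `iw dev <ifname> scan` dump that advertise WPS, so you can confirm
# WPS is really disabled on your own router.
# Real use:  iw dev wlan0 scan | wps_enabled_aps

# Prints "BSSID SSID WPS-state" for every BSS that carries a WPS IE.
wps_enabled_aps() {
    awk '
        # A new BSS starts: flush the previous one if it had WPS.
        /^BSS / { if (wps) print bss, ssid, state
                  bss = $2; sub(/\(.*/, "", bss)   # strip "(on wlan0)"
                  ssid = ""; state = ""; wps = 0 }
        /^[[:space:]]*SSID:/ { sub(/^[[:space:]]*SSID: */, ""); ssid = $0 }
        /^[[:space:]]*WPS:/  { wps = 1 }
        /Wi-Fi Protected Setup State:/ { sub(/.*State: */, ""); state = $0 }
        END { if (wps) print bss, ssid, state }
    '
}

# Constructed sample scan: two APs, only the first advertises WPS.
SAMPLE_SCAN='BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    SSID: HomeNet
    WPS:     * Version: 1.0
             * Wi-Fi Protected Setup State: 2 (Configured)
             * Response Type: 3 (AP)
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2412
    SSID: Neighbour
    RSN:     * Version: 1'

# Expected: only HomeNet is reported, with its WPS state.
printf "%s\n" "$SAMPLE_SCAN" | wps_enabled_aps
```

An AP that prints here still has WPS switched on; "2 (Configured)" is the state iw reports for a fully set-up WPS registrar.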

Re: Pixie Dust Attack (WPS Enabled Routers)

PostPosted: Thu Mar 19, 2015 4:36 pm
by XaneXXXX
I found this: https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-%28Offline-WPS-Attack%29

Some info about the Pixie Dust attack. Personally I have never heard about it before, so I can't provide you any more info atm. Seems really interesting though, so I might read about it! :)

Re: Pixie Dust Attack (WPS Enabled Routers)

PostPosted: Sat Mar 21, 2015 12:10 pm
by Sethioz
Never heard of this before, but it seems interesting. Wonder if they'll add it to Kali.

Re: Pixie Dust Attack (WPS Enabled Routers)

PostPosted: Sat Mar 21, 2015 2:20 pm
by XaneXXXX
I added two interesting documents that you should look at! :)

Re: Pixie Dust Attack (WPS Enabled Routers)

PostPosted: Sun Mar 22, 2015 9:59 am
by Sethioz
I took a quick look into this, and I see why there's no working concept yet: it is highly based on chipsets, so there's no generic way of doing this, but I understand the concept.
Basically nothing in a computer is "random"; if you get hold of the source, you can always replicate the so-called "random" result. Whatever algorithm they use, once you get to know how it works, you will be able to guess what it will do next, and based on that you can regenerate the WPS pin. So basically it is not "cracking", it's just replicating the pin, or cloning.
At least that's my understanding of this.

However, it says you have to go as far as the M3 message, but with a wrong pin I never get further than M2, or was it up to M4? I'm quite sure I only get up to M2 if I enter a wrong pin.

Re: Pixie Dust Attack (WPS Enabled Routers)

PostPosted: Mon Apr 06, 2015 8:08 pm
by 7Ds
Update2: More PixieWPS Tools.

https://github.com/nxxxu/AutoPixieWps (Tested On Kali Linux 1.1.0)

https://github.com/aanarchyy/wifite-mod-pixiewps (Tested On Kali Linux 1.1.0)

Update1: Since more options continue to occur, figured it would be best to simply attach the link of where to look for updates.

https://github.com/t6x/reaver-wps-fork-t6x

Delete/replace the old 'reaver-wps-fork-t6x-master' folder & simply re-run 'modifiedreaver+pixiewps-install.sh'


Update0: No more copying and pasting. Install this Modified Reaver, needed dependencies, & pixiewps.

Newly Attached: ModifiedReaver&PixieWPS1.zip

First Order of Business: Place all folders/files in /root/

Secondly: chmod +x modifiedreaver+pixiewps-install.sh & execute it.
It simply contains a bunch of shell commands so you don't have to do it manually.

Launch this modified reaver against the AP, it prints the needed values for pixiewps.
Afterwards, pixiewps is launched automatically.

New Arguments for reaver:

-K (run ./reaver and have a look!)

reaver example: ./reaver -i mon0 -b APBSSID -vv -d 15 -c 1 -T .20 -K 3


Credit to whomever it's due:

Dominique Bongard
wiire
soxrok2212
DataHead
Espresso_Boy
t6x
dudux
etc.


Original:

Offline WPS Vulnerability Assessment Tool (pixiewps)

Supports: Ralink & Broadcom Routers

Attached: Modified Reaver, pixiewps, needed dependencies & a bash script to install everything in one fell swoop! (Tested on Kali Linux 1.1.0)

First Order of Business: Place all folders/files in /root/

Secondly: chmod +x modifiedreaver+pixiewps-install.sh & execute it. (It simply contains a bunch of shell commands so you don't have to do it manually.)

Reaver has been modified to print the below needed values for pixiewps. (Run reaver & let it complete one pin transaction attempt.)

PKE
E-Hash1
E-Hash2
AuthKey
E-Nonce

Reaver Example In A New Terminal: reaver -i mon0 -b APBSSID -vv -d 15 -S -c 6 -T .20

Pixiewps Command Arguments:

-e PKE
-s E-Hash1
-z E-Hash2
-a AuthKey
-S dh-small
-n E-Nonce (Try to use this on Bcm3xxx/Bcm6xxx chip routers if pin not found.)

Pixiewps Example In A New Terminal:

pixiewps -e PastePKEFromModifiedReaver -s PasteE-Hash1FromModifiedReaver -z PasteE-Hash2FromModifiedReaver -a PasteAuthKeyFromModifiedReaver -S -n PasteE-NonceFromModifiedReaver


PS:

I'm just a messenger & taking no credit to whomever it's due.

Dominique Bongard
wiire
soxrok2212
dudux
etc.

Re: Pixie Dust Attack (WPS Enabled Routers)

PostPosted: Tue Apr 07, 2015 7:12 pm
by Sethioz
I gotta test this out. Any idea if this is available on the latest Kali? I gotta wipe my old BT5, put Kali on the netbook and test it out, looks nice. I'm trying to ask Elcomsoft to make a tool for this.

Re: Pixie Dust Attack (WPS Enabled Routers)

PostPosted: Mon Sep 14, 2015 5:55 am
by Sethioz
I tried something called AutoPixie, which automatically gathers the info and then should crack the network, but it gets stuck for no reason.

Grab it here or google for it (for an updated version):
autopixie.rar


I like including stuff in my posts so that people don't have to search, but the downside is that you can get an outdated version.

Anyway, I tried the thing and it seems to be going, but it gets stuck at either "Sending WSC NACK" or "Sending M4 Message".
I doubt it's because of the network, because reaver works great on the network.
Also I didn't even know that the latest reaver shows the E-Hash info and such.

Pixie Dust is based on the fact that most routers don't actually randomize the WPS, right? But in computing, or well, in the universe, there is no such thing as random at all; there is just the illusion of randomness. Isn't that correct? Every algorithm is made to do something and choose things somehow, so wouldn't it be possible to reverse engineer every "random" event in computing? Just a thought though.