aanarchyy / wifite-mod-pixiewps

GNU General Public License v3.0

Pixie attack finds Pin, reaver cant find passphase, no save found pin #10

Closed nuroo closed 8 years ago

nuroo commented 9 years ago

Against 2 access points I've come across, the pixie attack succeeds, but reaver is able to get the passphrase. I've waited 10 mins or more sometimes, and end up Ctrl-C'ing.

The script will keep trying the pin for the 660 sec timeout, but the pin is not written to the cracked file.

Could be router locks; unsure of the cause.

nuroo commented 9 years ago

Or maybe the user just Ctrl-C's before reaver finds the passphrase. The script should still save the pin.

aanarchyy commented 9 years ago

I will add that to the may-do part of the human-readable cracked.txt. The reason the script may keep trying the pin is perhaps a false positive on the pin, or WPS is locked. I have reaver using the -L flag (you would be surprised at how many routers report locked but still accept pin attempts). I've found that even with the -P flag enabled on reaver, some routers do still lock. Is wifite showing successful attempts? If so, I will see about adding false positive detection. Maybe add support for a locked notification while running the WPS brute-force, and ask the user if they want to ignore, wait, or skip.

nuroo commented 9 years ago

I like the idea for pin WPS attacks: locked notifications while brute-forcing.

The only issue with always using -L is for pixie hash collection and some aggressive firmwares that corrupt hashes if locked. As per soxrok2212, the hashes need to be produced while the router is not in a locked state.

aanarchyy commented 9 years ago

My thoughts on this are: whether the AP is producing invalid pin hashes or not responding at all, the attack will fail. But sometimes the router responds properly even when reporting a lockout. So from my point of view, for the hash collection stage, ignoring lockouts will either help or do nothing. It will not hurt.

nuroo commented 9 years ago

Wondering if you changed anything in the script from r104 to r106 that could be affecting the hand-off to reaver's 2nd stage, or how reaver tries to use the pin to obtain the passphrase. I thought it could be related to distance to the targets on my part, or other processes interfering.
But now I'm in a familiar place, with the access point variables known in this location.

Getting a lot more familiar with known targets where the script only gets pins but not the passphrase.

d8tahead commented 9 years ago

https://github.com/d8tahead/AutoPixieWps/blob/master/autopixie.py

A few days ago I added hash collection to this script, so that you can look at it and see if you would like to go about it in a similar way for my -P mode logging / collecting purpose.

It logs the hashes collected in loop mode. It doesn't log stale attempted collections (no multiple logging in one attempt) and does it for each successful attempt, so we can see if any changes in hashes occur. It saves the make, model and serial of the target, and it also outputs the logs as a bash script, so it can just be run to see if pixiewps cracks the pin with all the gathered hashes.

Option 5 must be selected for the mode to work as such.

A side note from this: in my personal / private collection of work being done, I need to gather lots of data from the hashes, as I am trying to write an AI neural network to find, discover, and create (as of current) unknown algorithms for pixiedust attacks, which will help to discover more vulnerable firmware revisions across the board. Whether this will be a success or not, I will try and make my in-dev project incorporate it if you implement a detailed logging feature like this in your wifite revision. :-)

aanarchyy commented 9 years ago

Not entirely following: are you saying to collect multiple successful hash collections to compare results? Unless what you are looking for is a larger-scale data collection compatible with your project.
Which would be cool :D I can add an option to log all successful hash collections into files ($AP_MAC.pixie), outputting all hashes/manuf/model files correspondingly in CSV format, or whichever way you think would be easiest to parse. Totally up for collaboration. email username @ gmail dot com

@nuroo I'm not sure why r106 isn't working for you; I just tried it several times and it seemed to work fine.