Having no luck with the pixie-dust attack on UK routers :(


jiM0r (joined Thu, 27 Aug 2015; posts: 8; reputation: 0)
Sat, 05 Sep 2015 @ 08:15:35

Hi everyone, I'm fairly new to pentesting. I have been trying the Pixie-Dust attack on several routers with my new WiFi adapter.

I've tried it on these routers:

A couple of BTHub3 & 5 routers
A few Sky routers
A Plusnet Wireless router
A mac-wifi router/hotspot (not sure if default or custom ESSID)
And some others which I think are custom ESSIDs

Most routers seem to be using Broadcom chipsets, and I've seen a couple with BTeros chipsets, but no Ralink chipsets as of yet. There are some other chipsets as well; let me know if you want more details on which routers use which chipsets.

But I'm wondering if it is just me typing the wrong arguments in the terminal or if it's my hardware. I've tried both the manual method and the -K 1 argument for the Pixie-Dust attack.

I really don't want to resort to dictionary attacks, since my hardware would be inefficient and I have little to no storage for big wordlists.

Thanks in advance to any helpful replies.


ExKage (joined Tue, 28 Jul 2015; posts: 153; reputation: 88)
Sat, 05 Sep 2015 @ 11:17:20

BTHub3/4/5
New Sky routers
New Plusnet routers

ARE NOT VULNERABLE TO WPS ATTACKS anymore.

The only ones that I know are vulnerable are:
TalkTalk (even new ones)
Old Plusnet routers
BTHub1/2 (I'm not sure)
Old Sky routers (yes)

Technicolor routers are not vulnerable either. BTeros chipsets are the ones in BT routers, but they are still not vulnerable.
If you have a rooted Android phone, there is an app that could give you possible PINs for routers around you.


Bitcoin - 16LwMPgzwuAuvYx2HzFPsDEb6b7T94bvi

ExKage (joined Tue, 28 Jul 2015; posts: 153; reputation: 88)
Sat, 05 Sep 2015 @ 11:20:02

If you can upload a handshake of the custom ESSIDs, then I could give it a go through my custom wordlist and see if I get any hits.



jiM0r (joined Thu, 27 Aug 2015; posts: 8; reputation: 0)
Sat, 05 Sep 2015 @ 12:10:46

Yes ExKage, I thought that could be a possibility, that most or even all could not be vulnerable to the pixie-dust attack. But is there an explanation? Is it something involving reaver, or have the companies changed their algorithms? I would like to know.

I will try and see if I can provide you with a handshake later on; as of now there are no stations on either of the two APs.

Thanks for the informative reply.


ExKage (joined Tue, 28 Jul 2015; posts: 153; reputation: 88)
Sat, 05 Sep 2015 @ 13:03:38

jiM0r said:

Yes ExKage, I thought that could be a possibility, that most or even all could not be vulnerable to the pixie-dust attack. But is there an explanation? Is it something involving reaver, or have the companies changed their algorithms? I would like to know.

I will try and see if I can provide you with a handshake later on; as of now there are no stations on either of the two APs.

Thanks for the informative reply.

They've improved the security in the router, and they've put in a different algo. Even if you try to bruteforce it with reaver or bully or any WPS attack, once it gets 1-3 tries wrong it locks itself for 5 minutes; then when you try with 10 tries it locks itself for 20 minutes, and then it just keeps getting longer, and some routers even lock themselves forever. So be careful what you do. You're better off doing a WPA handshake bruteforce using a wordlist, or piping it through John the Ripper.

If you have the handshake, post it in the WPA Handshake thread. Then I'll try and see if I can get the password for you.



jiM0r (joined Thu, 27 Aug 2015; posts: 8; reputation: 0)
Sat, 05 Sep 2015 @ 13:35:31

ExKage said:

jiM0r said:

Yes ExKage, I thought that could be a possibility, that most or even all could not be vulnerable to the pixie-dust attack. But is there an explanation? Is it something involving reaver, or have the companies changed their algorithms? I would like to know.

I will try and see if I can provide you with a handshake later on; as of now there are no stations on either of the two APs.

Thanks for the informative reply.

They've improved the security in the router, and they've put in a different algo. Even if you try to bruteforce it with reaver or bully or any WPS attack, once it gets 1-3 tries wrong it locks itself for 5 minutes; then when you try with 10 tries it locks itself for 20 minutes, and then it just keeps getting longer, and some routers even lock themselves forever. So be careful what you do. You're better off doing a WPA handshake bruteforce using a wordlist, or piping it through John the Ripper.

If you have the handshake, post it in the WPA Handshake thread. Then I'll try and see if I can get the password for you.

Ah yes, I saw posts on here about how after a number of incorrect attempts it locks itself and there is a cooldown. I'm not sure if I have come across this before, but a couple of times it fails on the M4 message; I can't remember what the failure was, something like WSC NACK or WPS Transaction.

I will try and see if I can get back to you with a handshake, or make a thread in the WPA Handshake sub-forum, but like I said before, no stations as of yet. I will be checking every 30-60 minutes. And thanks again for the informative reply. You've helped increase my knowledge of the situation.


ExKage (joined Tue, 28 Jul 2015; posts: 153; reputation: 88)
Sat, 05 Sep 2015 @ 13:37:04

jiM0r said:

Ah yes, I saw posts on here about how after a number of incorrect attempts it locks itself and there is a cooldown. I'm not sure if I have come across this before, but a couple of times it fails on the M4 message; I can't remember what the failure was, something like WSC NACK or WPS Transaction.

I will try and see if I can get back to you with a handshake, or make a thread in the WPA Handshake sub-forum, but like I said before, no stations as of yet. I will be checking every 30-60 minutes. And thanks again for the informative reply. You've helped increase my knowledge of the situation.

No worries, I'll be waiting for the handshake.



jiM0r (joined Thu, 27 Aug 2015; posts: 8; reputation: 0)
Mon, 07 Sep 2015 @ 14:53:42

The ESSID I pick up called macwifi must, I think, be a BTHub5 router with a BTeros chipset. So this leaves just one custom ESSID as of now. But no stations as of yet, ExKage.

But you mentioned rooting an Android phone and an app. I've been wanting to root my phone but I'm not sure which tutorial to follow. Are you able to help me out with that?


bsub (joined Sun, 19 Jul 2015; posts: 9; reputation: 0)
Tue, 13 Dec 2016 @ 20:06:55

ExKage, how can we tell the difference between old and new Sky routers? By chipset?

