81301b7e71
The variable 'i' was of type uint_fast8_t which most compiler typedef as unsigned char or uint8_t which both (in C99) can hold a number between 0 and 255. This could cause an integer overflow when seed was found in mode 3 but the the program was unsuccessful to recover the PIN within the first 255 tries of the first time window set in the future. This bug was introduced when the constant MODE3_TRIES was increased to 10 minutes (60 * 10 = 600 which is > 255) in commit (d3e4aab).
Overview 
Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some Access Points, the so-called "pixie dust attack" discovered by Dominique Bongard in summer 2014. It is meant for educational purposes only.
As opposed to the traditional online bruteforce attack, implemented in tools like Reaver or Bully which aim to recover the pin in a few hours, this method can get the pin in only a matter of milliseconds to minutes, depending on the target, if vulnerable.
More details can be found here:
- https://forums.kali.org/showthread.php?25018-Pixiewps-wps-pixie-dust-attack-tool
- https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)
A non-exhaustive list of vulnerable devices (not maintained by me):
Requirements
apt-get -y install build-essential
Prior versions of 1.2 require libssl-dev.
Setup
Download
git clone https://github.com/wiire/pixiewps
or
wget https://github.com/wiire/pixiewps/archive/master.zip && unzip master.zip
Build
cd pixiewps*/
cd src/
make
Install
sudo make install
Usage
Usage: pixiewps <arguments>
Required arguments:
-e, --pke : Enrollee public key
-r, --pkr : Registrar public key
-s, --e-hash1 : Enrollee hash 1
-z, --e-hash2 : Enrollee hash 2
-a, --authkey : Authentication session key
-n, --e-nonce : Enrollee nonce
Optional arguments:
-m, --r-nonce : Registrar nonce
-b, --e-bssid : Enrollee BSSID
-S, --dh-small : Small Diffie-Hellman keys (PKr not needed) [No]
-f, --force : Brute-force timestamp seed
-l, --length : Brute-force entire pin length (experimental)
-v, --verbosity : Verbosity level 1-3, 1 is quietest [3]
-o, --output : Write output to file
-j, --jobs : Number of parallel threads to use [Auto]
-h : Display this usage screen
--help : Verbose help and more usage examples
-V, --version : Display version
--mode N[,... N] : Mode selection, comma separated [Auto]
--start [mm/]yyyy : Starting date (only mode 3) [+1 day]
--end [mm/]yyyy : Ending date (only mode 3) [-1 day]
Miscellaneous arguments:
-7, --m7-enc : Recover encrypted settings from M7 (only mode 3)
Usage example
A common usage example is:
pixiewps --pke <pke> --pkr <pkr> --e-hash1 <e-hash1> --e-hash2 <e-hash2> --authkey <authkey> --e-nonce <e-nonce>
which requires a modified version of Reaver or Bully which prints the Authentication Session key (--authkey, -a). The recommended version is reaver-wps-fork-t6x.
Supported OS
Pixiewps can be compiled and installed on a wide variety of platforms including OpenWrt and Android.
Acknowledgements
- Part of the code was inspired by Bully and its WPS functionality written by Jouni Malinen
- The crypto libraries were taken from mbed TLS
- Special thanks to:
soxrok2212,datahead,t6_x,aanarchyy,kcdtvand the Kali Linux community
References
Pixiewps is based on the work of Dominique Bongard: