alvin gitonga

Airgeddon: Hacking networks😈 with Pixie-Dust Attacks☠️

CyberMorans🤗

A pixie dust attack☠️ is a way of brute-forcing the eight-digit WPS PIN. This attack allows the recovery of the PIN within minutes 😈 if the router is vulnerable. On the other hand, a simple brute force would take hours😏

When attacking a Wi-Fi network, the first and most obvious🙄 place for a hacker😈 to look is the type of network encryption. While WEP networks are easy to crack☠️, most of the easy techniques for cracking WPA and WPA2 encrypted Wi-Fi rely on the password being bad or on having the processing power to churn through enough results to make brute-forcing a practical approach😰

A WPS Pixie-Dust attack can crack networks in seconds☠️. To do this, a modern wireless attack framework called Airgeddon is used to find vulnerable networks, and then Bully is used to crack them😈

If you forget the password to your access point, Wi-Fi Protected Setup, better known simply as WPS, lets you connect to the network using an 8-digit number printed on the bottom of the router. This is 😤 more convenient than just resetting the router with the button on the back, but also a massive security hole💩 because of the way many routers deal with implementing this feature🤡


WPS PINs have been attacked by two successive generations of attacks😝, starting with the most basic brute-forcing methods targeting the way some routers split the PIN into two separate halves before checking them. Years later, another attack emerged that remains effective against many routers and greatly reduces the amount of time needed to attack a target😨

 

🚀 WPS Pixie-Dust Attack

Since many routers with WPS enabled use known functions to produce random numbers with seed values like "0" or the time stamp of the beginning of the WPS transaction, the WPS key exchange has fatal flaws😎 in the way it encrypts messages. This allows the WPS PIN to be cracked in a matter of seconds💀

Integrating many wireless attack tools into a suite well suited for beginners🤓, Airgeddon will allow you to select and configure your wireless card, find and load targeting data from nearby networks, and attack targeted networks — all from the same tool😎

To use the Bully module of Airgeddon🧐, you'll need to be running Kali Linux or another supported distro.....(ParrotOS users *sigh* in relief).....😝 Make sure your Kali Linux is fully updated before you begin, as you'll need several packages installed for this tool to work. You'll also need a wireless network adapter capable of packet injection and wireless monitor mode in case you are doing this on a VM or a PC that is not Wi-Fi capable 🥸


So let's do this, Morans...💪


 

🚀 Install airgeddon & Dependencies

Open a terminal window, and type the following to clone the repo, change directory to the new folder, and run "airgeddon.sh" as a bash script 👇

kali > git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
kali > cd airgeddon
kali/airgeddon > sudo bash ./airgeddon.sh

Airgeddon will check to see what essential tools are installed🤠. Make sure you have a completely green board before you continue, but in particular, you will need Bully for this attack. To install a missing tool, you have a number of options. The easiest is to 👇

apt-get install (missingmodule)

or 👇

pip3 install (missingmodule)

🚀 Select Your Wireless Network Adapter

In the next step, Airgeddon will list your network adapters. Select the one you wish to use for the attack by typing the number next to it, as you would in Metasploit. You may want to change the MAC address of your adapter with a tool like GNU MAC Changer before doing this 👇

Next, you will be dropped into the main attack screen. In this case, I'll be doing a WPS attack, so I will select option 8 and HIT Enter...👇


🚀 Enable Monitor Mode

Now, you will need to put your card into monitor mode. Rather than the usual airmon-ng commands, simply type the number 2 into the menu, and hit enter....👇

The card should be put into monitor mode and change its name. Airgeddon will keep track of the changed name, and you will be able to proceed to the targeting menu.


🚀 Scan for Prey

To find vulnerable routers, you can now turn your card to the networks in the immediate area by selecting option 4, scan for targets.... 👇

If you have a dual-band card🤨, you might be asked if you want to scan the 2.4 or 5 GHz spectrum, allowing you to decide what kind of networks to target. Type Y for 5 GHz and N for 2.4 GHz 😋

A window should open showing you all of the vulnerable networks. Allow it to stay open for a few scans while your card runs up and down the wireless channels and tries to find new networks. After waiting for about a minute, exit out of the window, or hit Ctrl + C 👇

You should see your Wi-Fi target data loaded into a selector screen, meaning you're ready to load target data into an attack module!


🚀 Ignite the Bully Attack Module

Now, you should see a screen which contains target data for each vulnerable network you detected. Type the number of the network you want to target to pass the targeting data to Airgeddon, and hit return. Next, you will select which attack module will use these values as an argument.....👇

My WPS attack screen is now live and ready to fire. Now, all I need to do is select an attack module😁; quite a few are offered. Depending on your wireless card, you will have more luck with either Reaver or Bully. In this guide, I focus on Bully🤤, so type 7 to load the target data into the Bully attack module, and hit enter!👇

The final value you will need to input is the timeout, or how long before the program assumes the attack has failed. For now, set the value to around 69 seconds. Hit return, and the attack begins.....👇

 

🚀 Comrade, Fire in the Hole!

Once you start the attack module, a window will open with red text on the screen. If communication is successful, you will see many encrypted transactions like the one in the image below. If you are out of range or the target isn't really vulnerable, you will see failed transactions.


As soon as Bully has the needed data to break the PIN, it will pass it to the WPS Pixie-Dust program....👇

This can happen in a matter of seconds or less, but if your connection is weak, it may take as long as a few minutes. You should see the cracked PIN and the Wi-Fi password appear at the bottom of the screen. That's it! We have complete access to the router....👇

If you write down the PIN, you can use the "custom PIN association" module to be able to get the new password any time it's changed😈 until the target buys a new router or disables WPS. This also works if you just got the PIN but the router did not dump the Wi-Fi credentials😝

 

🚀 Defending Against WPS Pixie-Dust Attacks

The most obvious solution to pulling the plug on a Pixie-Dust attack is to disable the feature at the heart of the issue😎 — Wi-Fi Protected Setup (WPS). You can easily reset your router with the reset button located on virtually all routers, meaning pretty much no one will be sad if you disable the WPS feature. You can do this through the administration page of most routers🧐


Another important detail is that older routers may say they have disabled the WPS option when, in fact, they are still vulnerable to this attack even with this setting "off."🤥 This is a serious issue for older hardware, and if you test this tool against an older router with the WPS set to "off" and the attack succeeds, your only option may be simply replacing the hardware and buying a new router🤑
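
One way to check whether your own router really stopped advertising WPS after you switched it off, as an added example that is not part of the original post: the Python below parses the text printed by `iw dev <iface> scan` and flags your access points that still carry a WPS element. The scan text, BSSIDs and function names are constructed for illustration, and the parser assumes iw's usual output layout.

```python
import re

# Constructed sample in `iw dev <iface> scan` layout; BSSIDs/SSIDs are made up.
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tSSID: HomeNet
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
BSS 02:00:00:aa:bb:02(on wlan0)
\tSSID: Office
\tRSN:\t * Version: 1
BSS 02:00:00:aa:bb:03(on wlan0)
\tSSID: Lab
\tWPS:\t * Version: 1.0
\t\t * AP setup locked: 0x01
"""

def parse_scan(text):
    """Return {bssid: {"ssid", "wps", "locked"}} for every BSS in the scan."""
    aps, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        s = line.strip()
        if m:  # a new access point record starts here
            cur = aps.setdefault(m.group(1), {"ssid": "", "wps": False, "locked": False})
        elif cur is None:
            continue
        elif s.startswith("SSID:"):
            cur["ssid"] = s[5:].strip()
        elif s.startswith("WPS:"):  # WPS information element is present
            cur["wps"] = True
        elif s.startswith("* AP setup locked:"):
            cur["locked"] = s.split(":", 1)[1].strip() != "0x00"
    return aps

def audit(text, my_bssids):
    """List my own APs that still advertise WPS after it was switched off."""
    findings, aps = [], parse_scan(text)
    for bssid in my_bssids:
        ap = aps.get(bssid.lower())
        if ap is None:
            findings.append((bssid, "not seen in scan, rescan closer to the AP"))
        elif ap["wps"]:
            state = "locked" if ap["locked"] else "unlocked"
            findings.append((bssid, f"{ap['ssid']}: WPS still advertised ({state})"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SCAN, ["02:00:00:aa:bb:01", "02:00:00:aa:bb:02"]))
```

A scan without a WPS element only shows that the router no longer advertises the feature, so on older hardware treat a clean result as necessary rather than sufficient.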

 

🚀Conclusion 🤖

Subscribe to receive notifications of similar posts 😜 where we will be reverse engineering malware, vulnerabilities as well as hacking tools, vectors, stories, tutorials and other Infosec stuff...😋


Follow me on Twitter for daily Infosec Memes and shenanigans😝

and YouTube: @mcg_254


Morans😈


Thank you for taking time and hope you learned something new, Like/Share and leave a comment and as always, stay awesome! 😋👊 💪


