This is experimental tool that is capable of attacking multiple WPS-enabled wireless access points in real time.
It utilizes the pixie-dust attack every time it receives M3 message, unless it is disabled with -P
pixie-dust requires pixiewps to be installed.
First, you need packages libpcap-dev and libssl-dev, install them with apt-get or whatever your distro uses.
If you want the pixie-dust attack to work, you have to install pixiewps too.
Then, just run ./install.sh and run 'penetrator'
-h Display help
-i Set monitor mode device to use
-s Scan for WPS enabled APs
-c Set channel(s)
-e Set ESSID for next target specified with -b
-b Set target(s)
-A Scan for WPS APs and try pixiedust on all of them;
-M Disable attacking multiple APs at once (only -A)
-P Disable pixiewps after M3 is received
-D Disable loading sessions - starts new
-W Wait after every PIN attempt
-v verbose - print info about WPS messages etc
-vv verbose level 2 - print pixiewps data
-t Set time limit for scanning (default 10)
-T Set timeout - when it occurs, resend last packet (default 1)
-R Set maximum resends (default 5)\n");
-S Sleep after 10 failures in a row (default 60)
-N Ignore NACKs (debug)
1. Adding targets manually<
This command will attack two APs on channel 1 at the same time, one has BSSID 11:22:33:44:55:66 and second has ESSID "example" and BSSID66:55:44:33:22:11
penetrator -i mon0 -c 1 -b 11:22:33:44:55:66 -e example -b 66:55:44:33:22:11
2. Attacking entire channel
This will scan for APs on channel 1 and attack them all at the same time
penetrator -i mon0 -c 1
3. Attacking all APs in range with pixiewps
This will scan all specified channels (or range 1-13 if nothing is specified) and will try pixie-dust attack on all of them.
There is a timeout of 1 minute for every channel, so if it fails to capture M3 message from some APs, it will just skip them.
By default, all APs on the same channel will be attacked at the same time, this can be disabled with -M
penetrator -i mon0 -A