soxrok2212

2015-01-28, 20:46

WPS Pixie Dust

Disclaimer: I am not responsible for what you do with these tools or this information. The use of anything on this thread should only be attempted on networks you own or have permission to test. Links at the bottom, I want you to understand everything before you ask questions that can be easily answered :)*

I've been looking into the new WPS security flaw found by Dominique Bongard. All of the information I am providing here is not mine, all credit goes to Bongard and the other wonderful sources listed at the bottom. This thread assumes you have some basic knowledge of the WPS exchange. If not, have a look at the "Complete WPS Specification" link posted at the bottom.

Dominique Bongard discovered that some APs have weak ways of generating nonces (known as E-S1 and E-S2) that are supposed to be secret. If we are able to figure out what these nonces are, we can easily find the WPS PIN of an AP since the AP must give it to us in a hash in order to prove that it also knows the PIN, and the client is not connecting to a rogue AP. These E-S1 and E-S2 are essentially the "keys to unlock the lock box" containing the WPS pin. You can kind of think of the whole thing as an algebra problem, if we know all but 1 variable in an equation, we just have to solve for x. X in this case is the WPS pin (this is not a perfect example but for beginners it should help).

Important parts of a WPS exchange: M1, M2, M3, other

Enrollee Nonce

PKE Public Key (Enrollee Public Key)

Registrar Nonce

PKR Public Key (Registrar Public Key)

E-Hash1 = HMAC-SHA-256(authkey) (E-S1 | PSK1 | PKE | PKR)

E-Hash2 = HMAC-SHA-256(authkey) (E-S2 | PSK2 | PKE | PKR)

Authkey [derived from the KDK (Key Derivation Key)]

Components

E-Hash1 is a hash in which we brute force the first half of the PIN.

E-Hash2 is a hash in which we brute force the second half of the PIN.

HMAC is a function that hashes all the data. The function is HMAC-SHA-256.

PSK1 is the first half of the router's PIN (10,000 possibilities)

PSK2 is the second half of the router's PIN (10,000 possibilities)

PKE is the Public Key of the Enrollee (used to verify the legitimacy of a WPS exchange and prevent replays.)

PKR is the Public Key of the Registrar (used to verify the legitimacy of a WPS exchange and prevent replays.)

Vendor Implementations

In Broadcom eCos, these two nonces are generated right after the enrollee nonce (the public nonce generated by the AP.) We also know the function that gives us this data, so if we substitute in seeds, we will eventually find matching nonces, and from there we can find the E-S1 and E-S2 nonces.

> E-S1 + E-S2 are generated from the same PRNG that generates the N1 Enrollee Nonce

In Realtek, the PRNG is a function that uses the time in seconds from January 1st, 1970 until whenever the data is generated (basically when the WPS exchange starts.) The vulnerable part is that the chip uses the same generator to make the Enrollee nonce as it does to make E-S1 and E-S2. So if the whole entire exchange occurs in that same second, E-S1 = E-S2 = Enrollee Nonce. If it occurs over the course of a few seconds, then all we have to do is find the seed that gave us the Enrollee Nonce, and then increment it and take the output as E-S1 and E-S2. It's a multivariable brute force, so it may take a little bit more time but not more than a few minutes on a modern PC.

> E-S1 = E-S2 = N1 Enrollee Nonce or generated with seed = time

In Ralink, E-S1 and E-S2 are never generated. They are always 0. Therefore, we just have to brute force the PIN and we're done.

> E-S1 = E-S2 = 0

In MediaTek, the same problem that Ralink has exists. E-S1 and E-S2 are never generated.

> E-S1 = E-S2 = 0

In Celeno, the same problem that Ralink has exists as these chips are just rebranded Ralink chips. E-S1 and E-S2 are never generated.

> E-S1 = E-S2 = 0

Conclusion

Assuming we already know the PKE, PKR, Authkey, E-Hash1 and E-Hash2 since the router gives us these values (and vice versa) and we have figured out E-S1 and E-S2 by brute forcing them or knowing that they are equal to 0, we can run all the data through the hash function and try every pin until we have a matching hash (E-Hash1 and E-Hash2) that the AP gave us. When we are returned with a match, we can say "Ok, that last pin we used matched the hash from the M3 message. That must be the pin." Now we can take the pin we just brute forced and toss it into Reaver or Bully and the AP will say "Ok, you have the right pin, here are all my credentials," including the SSID, WPS Pin, and the WPA key.

Preventing the attack

Look up your device on Wikidevi. (https://wikidevi.com/wiki/Main_Page) If your device contains one of the chipsets as listed above, disable WPS now. If your device does NOT contain one of the chipsets as listed above, disable WPS now.

If you find anything new or wish to correct me, please do and post it in the comments! I will try to respond and keep you updated as frequently as possible!

Resources

1. Slide Presentation (http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf)

2. Video Presentation (http://video.adm.ntnu.no/pres/549931214e18d)

3. Hack Forums (http://www.hackforums.net/showthread.php?tid=4425809&page=1)

4. Diffie-Hellman Key Exchange (https://www.khanacademy.org/computing/computer-science/cryptography/modern-crypt/v/diffie-hellman-key-exchange-part-2)

5. Pseudo Random Number Generators (https://www.khanacademy.org/computing/computer-science/cryptography/crypt/v/random-vs-pseudorandom-number-generators)

6. WPS Background (https://briolidz.wordpress.com/2012/01/10/wi-fi-protected-setup-wps/)

7. Complete WPS Specification (PDF Download) (http://cfile28.uf.tistory.com/attach/16132E3C50FCFFCB3EC74E)

8. Broadcom PRNG Source (https://github.com/RMerl/asuswrt-merlin/blob/master/release/src-rt/bcmcrypto/random.c)

9. Realtek PRNG Source (https://github.com/skristiansson/uClibc-or1k/blob/master/libc/stdlib/random_r.c)

10. Top Hat Sec (http://forum.top-hat-sec.com/index.php?topic=4968.0)

11. First Tweet (https://twitter.com/Reversity/status/490978005859454978)

12. Database with affected/non affected models (https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?usp=sharing)

Tools

Pixiewps 1.4.2: http://www.github.com/wiire-a/pixiewps

Written by wiire

Original Thread: https://forums.kali.org/showthread.php?25018-Pixiewps-wps-pixie-dust-attack-tool

Reaver 1.6.5: https://github.com/t6x/reaver-wps-fork-t6x

Modified by t6_x, rofl0r and datahead

Original Thread: https://forums.kali.org/showthread.php?25123-Reaver-modfication-for-Pixie-Dust-Attack

Bully 1.1: https://github.com/aanarchyy/bully

Modified by AAnarchYY

Original Thread: https://forums.kali.org/showthread.php?29017-Bully-modified-to-implement-pixiewps-attack

And I would like to give a special thanks to DataHead, Wiire, t6_x, aanarchyy, FrostyHacks and of course Dominique Bongard for all their help! Thank You!
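For firmware developers, the root cause described under "Vendor Implementations" (secret nonces drawn from the same clock-seeded generator as the public Enrollee Nonce) can be shown next to its fix. This is an added example, not code from the original post or from any vendor: the LCG is a stand-in generator, the timestamp is constructed, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define NONCE_LEN 16

struct wps_nonces {
    uint8_t n1[NONCE_LEN];   /* Enrollee Nonce: public, sent in M1 */
    uint8_t e_s1[NONCE_LEN]; /* must stay secret */
    uint8_t e_s2[NONCE_LEN]; /* must stay secret */
};

/* Stand-in generator (assumption): a textbook LCG, not any vendor's PRNG. */
static void lcg_fill(uint32_t seed, uint8_t *out) {
    for (int i = 0; i < NONCE_LEN; i++) {
        seed = seed * 1103515245u + 12345u;
        out[i] = (uint8_t)(seed >> 16);
    }
}

/* Weak pattern: every value comes from the same generator, reseeded with
 * the wall clock in seconds. The clock is a parameter so the run repeats. */
void weak_nonces(struct wps_nonces *n, time_t t_n1, time_t t_es1, time_t t_es2) {
    lcg_fill((uint32_t)t_n1, n->n1);
    lcg_fill((uint32_t)t_es1, n->e_s1);
    lcg_fill((uint32_t)t_es2, n->e_s2);
}

/* Hardened pattern: all three values come from the kernel CSPRNG. */
int strong_nonces(struct wps_nonces *n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(n, 1, sizeof *n, f);
    fclose(f);
    return got == sizeof *n ? 0 : -1;
}

/* Returns 1 when both secret nonces merely repeat the public nonce. */
int secrets_repeat_public(const struct wps_nonces *n) {
    return memcmp(n->n1, n->e_s1, NONCE_LEN) == 0 &&
           memcmp(n->n1, n->e_s2, NONCE_LEN) == 0;
}

int main(void) {
    struct wps_nonces w, s;
    time_t now = 1422478000; /* constructed timestamp */
    weak_nonces(&w, now, now, now);
    printf("clock-seeded, same second: secrets repeat N1 = %d\n", secrets_repeat_public(&w));
    if (strong_nonces(&s) == 0)
        printf("CSPRNG: secrets repeat N1 = %d\n", secrets_repeat_public(&s));
    return 0;
}
```

Even when the three values are generated in different seconds, the weak version is fully determined by the clock, so the only robust fix is an independent CSPRNG draw for each secret.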
