WPS Tick Tock Attack



soxrok2212
2015-06-08, 03:24
Hello Kali community!

T6_x has requested that I write this thread since English is not his first language and it would be better if a native explained it. That being said, I do not take any credit for the research that went into this theory!

*Use all this information at your own risk. Nobody is to be held responsible for what you do with anything that comes out of this thread*

Now, here's the point of this thread. T6_x has been looking into Hostapd recently, and what he found is that in versions 0.5.9 to 2.0, it uses a poor way of checking hashes. What happens is when a WPS exchange is initiated and we send our 2 hashes to the AP in the M4 message, R-Hash1 and R-Hash2, the AP checks our hashes byte by byte. This can be exploited, though in a very difficult way.

Assuming the AP does not lock out and is rather active, we as an attacker can count the time it takes for the router to either respond with a WSC Nack or the M5 message. Whoop-Dee-Coo right? Wrong! Since Hostapd checks our hashes byte by byte, we can estimate how much of the hash it has checked based on how quickly it has responded with one of the two possibilities! The longer the time it takes to get a response, the more of our hash we know was correct! Through statistical analysis and with an estimated 1000-4000 tested pins, we can make a very educated guess as to what parts of our hash were correct and guess a PIN based off of the response times.

We are still looking for ideas to make this approach better. Therefore, we are supplying download links for all versions of Hostapd. (https://w1.fi/releases/) There are probably fresh and better ideas that you guys can come up with, ways that will reduce the amount of PINs needed to be tested before we can guess. Right now, we are beta testing this idea and analyzing data in Excel based on a graph. T6_x has reported success with this approach, but it could have just been luck so we want to open the idea to the community. After all, we did make the Pixie Dust attack a reality!

Any questions or comments of any kind are welcome!

Warm regards,
soxrok2212, t6_x, wiire, and datahead :)

t6_x
2015-06-08, 03:51
In versions v0.5.9 to v2.0.0, Hostapd uses the following function for comparison:

int os_memcmp(const void *s1, const void *s2, size_t n)

The function is described below:

int os_memcmp(const void *s1, const void *s2, size_t n)
{
    const unsigned char *p1 = s1, *p2 = s2;

    if (n == 0)
        return 0;

    /* advance while the bytes match; the loop ends at the first difference */
    while (*p1 == *p2) {
        p1++;
        p2++;
        n--;
        if (n == 0)
            return 0;
    }

    return *p1 - *p2;
}


This function is vulnerable by checking the execution time.

Therefore, with a sufficient amount of data, it is possible to find out the first byte of each hash tested.

The newer versions past v2.0.0 do not have this flaw, since they check the hashes in a different way in order to correct this problem, but most routers use older versions of Hostapd.

Basically, what occurs:

The M4 message is sent to the router with R-Hash1 and the R-S1.

After the M4 message is sent, the router will take R-S1 and the correct pin, and will generate a hash. Then it will compare the hash it generates with R-Hash1 and will do the same process for R-Hash2.

The check is done by the function as described above.

The function attempts to verify byte by byte if the generated hash is equal to R-Hash1, so if the first byte is equal, the function tests the second and thus spends more time in processing.

In this specific case, we don’t need to find all the hash bytes, we only need to find the necessary amount so the Pixie Dust attack can find an equal hash.

The reason for this is that we are sending the R-S1 in the M4 message, so we know which R-S1 it will be using.

Therefore it is possible to use the Pixie Dust attack to find an equivalent hash.

We are creating this post to find people who can help in these tests.

For now the attack is theoretical; we are performing tests and we need help to get more results.


*Excuse my English, soxrok2212 is helping me with the post
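
The data-dependent running time described in this post, and the constant-time alternative, as an added example that is not part of the original post or of the Hostapd source. The names `leaky_memcmp`, `ct_memcmp` and `steps_for_prefix`, the step counter and the sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define HASH_LEN 32 /* HMAC-SHA-256 output size, as for R-Hash1/R-Hash2 */

/* Early-exit compare, same logic as the quoted function; *steps counts byte pairs examined. */
static int leaky_memcmp(const void *s1, const void *s2, size_t n, size_t *steps)
{
    const unsigned char *p1 = s1, *p2 = s2;
    for (*steps = 0; n > 0; p1++, p2++, n--) {
        (*steps)++;
        if (*p1 != *p2)
            return *p1 - *p2; /* stops at the first differing byte */
    }
    return 0;
}

/* Constant-time compare: XOR-accumulate all n bytes with no
 * data-dependent branch, so the work is identical for every input. */
static int ct_memcmp(const void *a, const void *b, size_t n, size_t *steps)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= pa[i] ^ pb[i];
    *steps = i;
    return diff; /* 0 only if every byte matched */
}

/* Byte pairs examined for a guess sharing `prefix` leading bytes (constructed data). */
size_t steps_for_prefix(size_t prefix, int constant_time)
{
    unsigned char ref[HASH_LEN], guess[HASH_LEN];
    size_t i, steps;
    for (i = 0; i < HASH_LEN; i++) {
        ref[i] = (unsigned char)(i * 7 + 1); /* constructed sample hash */
        guess[i] = i < prefix ? ref[i] : (unsigned char)~ref[i];
    }
    (void)(constant_time ? ct_memcmp(ref, guess, HASH_LEN, &steps)
                         : leaky_memcmp(ref, guess, HASH_LEN, &steps));
    return steps;
}

int main(void)
{
    for (size_t p = 0; p <= HASH_LEN; p += 8)
        printf("%2zu matching bytes: early-exit %2zu steps, constant-time %2zu steps\n",
               p, steps_for_prefix(p, 0), steps_for_prefix(p, 1));
}
```

The early-exit version does work proportional to the matching prefix, which is the signal a response-time measurement picks up; the constant-time version does the same work for every input, so a secret hash check should use that form.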

Quest
2015-06-08, 14:14
you know that it's going to be good when a thread starts with "*Use all this information at your own risk. Nobody is to be held responsible for what you do with anything that comes out of this thread*" :)

I'm not doing anything Kali related until 1.1.1 comes out, but there are plenty others who will test this idea. Cheers! :cool::cool:

kcdtv
2015-06-08, 23:28
i will not be able to make any testing before next week but it looks very interesting and it is a funny approach. I like it :D
i guess we would need very good conditions and not a lot of traffic on the AP to be able to measure well the time spent in this byte by byte comparison
congrats and thanks for your work and innovations, it is like something fresh for the summer (so hot right now!) < i don't know if that makes sense in english but... who cares?

aanarchyy
2015-06-09, 18:44
This sounds like you're bruteforcing the hash itself instead of the pin, unless i am completely misinterpreting it.

soxrok2212
2015-06-09, 20:19
Kinda, it's more of comparing and analyzing.

kcdtv
2015-06-11, 16:15
is it possible to send truncated M4 to the AP?
Will the AP answer?
example : we send a M4 just with RS1 and with one digit of first half, only one.
And then we send a second one, also with RS1 and a different number as first.
Like this
1) we are lucky and we have in one of our two attempts the good first digit of the first half, i guess there will be a slight difference between immediate fail with NACK and a strange fail for a non complete string, so then we will pass to second digit
2) both are bad and we know the time it takes to get a NACK due to bad first digit. we try the other possible values on our first half until we get a slightly longer answer < that the good first digit

that would be 10 + 10 +10 +10 +10 +10 +10 attempts (last is checksum) = max 70 attempts and we would have on average 35 tries for brute force instead of 11000 (or 1000-4000 as suggested by soxrok2212 )

stupid idea?

cheers

soxrok2212
2015-06-15, 15:27
We are working on optimization now :D With a quick recent test, we were able to narrow down the first half of my pin to 50 possibilities, and the data was not very good at all. Still making progress :)

kcdtv
2015-06-15, 15:39
> With a quick recent test, we were able to narrow down the first half of my pin to 50 possibilities
Awesome :cool:

> and the data was not very good at all
i don't really get this concept of "not very good at all" :D
Anyway, happy to learn that t6_x ( and you ) made this fantastic progress
"¡Adiosito!" :o :D (i'll be back home tomorrow night - €uro time - and if you need anything for testing or whatever... )

frafri
2015-08-10, 03:12
I am willing to test it. and contribute but I don't really know much

Quest
2015-08-10, 14:02
that's ok and welcome to the club frafri. Our mottos are: "hmm what??" and "make it work". Creativity being the main ingredient here with a touch of technical know-how.

soxrok2212
2015-08-10, 14:24
It isn't really known yet if this approach works, we've been pretty distracted with pixie dust, but in one (probably not the greatest, and we didn't try to repeat it) test, we were able to narrow down the possible PINs A LOT with a USB connection and crappy signal quality.

More testing still needs to be done with a PCI network card so the timing isn't off.

theoctavist
2015-08-31, 05:53
I'm willing to help in any way. i installed hostapd, now just need to know what to do

nopex
2015-09-07, 19:00
In order to not reduplicate efforts, what fields are you using in your Excel stats currently? I don't mind helping out, but it would be useful to know what variables are currently being analyzed (and how), as well as which are currently not (and possibly should be). :D

Also, more direct-code links of interest (such as other functions reliant on the one provided in https://forums.kali.org/showthread.php?25779-WPS-Tick-Tock-Attack&p=46032&viewfull=1#post46032) would help folks from bogging down in possibly irrelevant code review.

Laserman75
2015-11-16, 22:31
Hello someone here?
Any news on this topic?

Runescape
2015-12-09, 23:44
> Assuming the AP does not lock out and is rather active...
Interesting idea...but I feel like if the AP doesn't lock out and is rather active, this isn't all that useful. Maybe I'm not fully comprehending this concept, but it seems like this would theoretically just decrease the time it takes reaver to crack the pin of an AP that reaver would inevitably crack.

Also, how would you deal w/ timeouts?

You have to avoid false negatives and such when attacking AP's w/ low signal strength...

Laserman75
2016-01-15, 15:22
Hello someone here?
Any news on this topic?

Laserman75
2016-03-09, 20:01
@soxrok2212

Is this project still alive?

soxrok2212
2016-03-09, 21:10
Not as of right now unfortunately.

vlan
2016-03-27, 11:08
I have time, and am willing to do tests,
also I send (reply to soxrok) some data related to
[P] WPS Manufacturer: Realtek Semiconductor Corp.
[P] WPS Model Name: RTL8671
[P] WPS Model Number: EV-2006-07-27
[P] Access Point Serial Number: 123456789012347
[+] Received M1 message

cannot open this thing, trying almost 3 weeks now, with data from internet, it does not respond to MDK3 attacks,
pixie does not work, router locks itself after 8-10 pins and unlocks only with power off button,
there is an AP connected to it with same name essid, no wps enabled, I assume just a repeater, changing my mac to that AP and attacking main AP they exchange beacons a long time after MDK3 attack finishes, ( i can see it with airodump )
also bully gives me this



[+] Rx( Auth ) = 'Timeout' Next pin '65533147'
[+] Rx( Auth ) = 'Timeout' Next pin '65533147'
[+] Rx( Auth ) = 'Timeout' Next pin '65533147'
[!] Unexpected packet received when waiting for EAP Req Id
[+] Rx( ID ) = 'EAPFail' Next pin '65533147'
[!] Unexpected packet received when waiting for EAP Req Id
[+] Rx( ID ) = 'EAPFail' Next pin '65533147'
[+] Rx( Auth ) = 'Timeout' Next pin '65533147'
[+] Rx( M1 ) = 'Timeout' Next pin '65533147'
[+] Rx( M1 ) = 'Timeout' Next pin '65533147'
[+] Rx( ID ) = 'Timeout' Next pin '65533147'
[+] Rx( M1 ) = 'Timeout' Next pin '65533147'
[+] Rx( M1 ) = 'Timeout' Next pin '65533147'
[+] Rx( Auth ) = 'Timeout' Next pin '65533147'
[!] Unexpected packet received when waiting for EAP Req Id

resending some data
as you can see short packet and long packet



[+] Rx( ID ) = 'EAPFail' Next pin '21907593'
[+] Rx( Assn ) = 'Timeout' Next pin '21907593'
[+] Rx( M1 ) = 'Timeout' Next pin '21907593'
[+] Rx( ID ) = 'EAPFail' Next pin '21907593'
[!] Unexpected packet received when waiting for WPS Message
[!] >000012002e480000000c6c09c000cf0100000802360000eeb d905e4a64517e23695764517e236957001baaaa03000000080 046000020e47c000001029eb0c0a80101e0000001940400001 164ee9b00000000<
[+] Rx( M1 ) = 'WPSFail' Next pin '21907593'
[!] Unexpected packet received when waiting for EAP Req Id