Thanks soxrok2212 !
Might as well post that in the Howtos.
WPS Pixie Dust
Disclaimer: I am not responsible for what you do with these tools or this information. The use of anything on this thread should only be attempted on networks you own or have permission to test. Links at the bottom, I want you to understand everything before you ask questions that can be easily answered *
I've been looking into the new WPS security flaw found by Dominique Bongard. All of the information I am providing here is not mine, all credit goes to Bongard and the other wonderful sources listed at the bottom. This thread assumes you have some basic knowledge of the WPS exchange. If not, have a look at the "Complete WPS Specification" link posted at the bottom.
Dominique Bongard discovered that some APs have weak ways of generating nonces (known as E-S1 and E-S2) that are supposed to be secret. If we are able to figure out what these nonces are, we can easily find the WPS PIN of an AP since the AP must give it to us in a hash in order to prove that it also knowns the PIN, and the client is not connecting to a rouge AP. These E-S1 and E-S2 are essentially the "keys to unlock the lock box" containing the WPS pin. You can kind of think of the whole thing as an algebra problem, if we know all but 1 variable in an equation, we just have to solve for x. X in this case is the WPS pin (this is not a perfect example but for beginners it should help.)
Important parts of a WPS exchange: M1, M2, M3, other
Enrollee Nonce
PKE Public Key (Enrollee Public Key)
Registrar Nonce
PKR Public Key (Registrar Public Key)
E-Hash1 = HMAC-SHA-256(authkey) (E-S1 | PSK1 | PKE | PKR)
E-Hash2 = HMAC-SHA-256(authkey) (E-S2 | PSK2 | PKE | PKR)
Authkey [derived from the KDK (Key Derivation Key)]
Components
E-Hash1 is a hash in which we brute force the first half of the PIN.
E-Hash2 is a hash in which we brute force the second half of the PIN.
HMAC is a function that hashes all the data. The function is HMAC-SHA-256.
PSK1 is the first half of the router's PIN (10,000 possibilities)
PSK2 is the second half of the router's PIN (10,000 possibilities)
PKE is the Public Key of the Enrollee (used to verify the legitimacy of a WPS exchange and prevent replays.)
PKR is the Public Key of the Registrar (used to verify the legitimacy of a WPS exchange and prevent replays.)
Vendor Implementations
In Broadcom eCos, these two nonces are generated right after the enrollee nonce (the public nonce generated by the AP.) We also know the function that gives us this data, so if we substitute in seeds, we will eventually find matching nonces, and from there we can find the E-S1 and E-S2 nonces.
E-S1 + E-S2 are generated from the same PRNG that generates the N1 Enrollee Nonce
In Realtek, the PRNG is a function that uses the time in seconds from January 1st, 1970 until whenever the data in generated (basically when the WPS exchange starts.) The vulnerable part is that the chip uses the same generator to make the Enrollee nonce as it does to make E-S1 and E-S2. So if the whole entire exchange occurs in that same second, E-S1 = E-S2 = Enrollee Nonce. If it occurs over the course of a few seconds, then all we have to do is find the seed that gave us the Enrolle Nonce, and then increment it and taking the output as E-S1 and E-S2. Its a multivariable brute force, so it may take a little bit more time but not more than a few minutes on a modern PC.
E-S1 = E-S2 = N1 Enrollee Nonce or generated with seed = time
In Ralink, E-S1 and E-S2 are never generated. They are always 0. Therefore, we just have to brute force the PIN and we're done.
E-S1 = E-S1 = 0
In MediaTek, the same problem that Ralink has exists. E-S1 and E-S2 are never generated.
E-S1 = E-S2 = 0
In Celeno, the same problem that Ralink has exists as these chips are just rebranded Ralink chips. E-S1 and E-S2 are never generated.
E-S1 = E-S2 = 0
Conclusion
Assuming we already know the PKE, PKR, Authkey, E-Hash1 and E-Hash2 since the router gives us these values (and vice versa) and we have figured out E-S1 and E-S2 by brute forcing them or knowing that they are equal to 0, we can run all the data through the hash function and try every pin until we have a matching hash (E-Hash1 and E-Hash2) that the AP gave us. When we are returned with a match, we can say "Ok, that last pin we used matched the hash from the M3 message. That must be the pin." Now we can take the pin we just brute forced and toss it into Reaver or Bully and the AP will say "Ok, you have the right pin, here are all my credentials," including the SSID, WPS Pin, and the WPA key.
Preventing the attack
Look up your device on Wikidevi. If your device contains one of the chipsets as listed above, disable WPS now. If your device does NOT contain one of the chipsets as listed above, disable WPS now.
If you find anything new or wish to correct me, please do and post it in the comments! I will try to respond and keep you updated as frequently as possible!
Resources
1. Slide Presentation
2. Video Presentation
3. Hack Forums
4. Diffie-Hellman Key Exchange
5. Pseudo Random Number Generators
6. WPS Background
7. Complete WPS Specification (PDF Download)
8. Broadcom PRNG Source
9. Realtek PRNG Source
10. Top Hat Sec
11. First Tweet
12. Database with affected/non affected models
Tools
Pixiewps 1.4.2: http://www.github.com/wiire-a/pixiewps
Written by wiire
Original Thread: https://forums.kali.org/showthread.p...st-attack-tool
Reaver 1.6.4: https://github.com/t6x/reaver-wps-fork-t6x
Modified by t6_x, rofl0r and datahead
Original Thread: https://forums.kali.org/showthread.p...ie-Dust-Attack
Bully 1.1: https://github.com/aanarchyy/bully
Modified by AAnarchYY
Original Thread: https://forums.kali.org/showthread.p...ixiewps-attack
And I would like to give a special thanks to DataHead, Wiire, t6_x, aanarchyy, FrostyHacks and of course Dominique Bongard for all their help! Thank You!
Last edited by soxrok2212; 2 Weeks Ago at 21:23. Reason: pixiewps 1.4.2, reaver 1.6.4
Thanks soxrok2212 !
Might as well post that in the Howtos.
Kali Linux USB Installation using LinuxLive USB Creator
Howto Install HDD Kali on a USB Key
Clean your laptop fan | basic knowledge
cool, but the thing is it might get shut down, as it not a 'Kali Linux General Use'. Moreover it is a howto that just needs some R&D. Just saying.
Keep it up =]
Kali Linux USB Installation using LinuxLive USB Creator
Howto Install HDD Kali on a USB Key
Clean your laptop fan | basic knowledge
Is this the code you displayed starting around line 148?
Please delete link if not allowed, thanks.
http://trac.umnaem.webfactional.com/...and.cxx?rev=39
Ignore above, i never noticed ooops
You are on the right track
I do have a complete and working PoC program that I use. while it says few routers, I've found a lot more are vulnerable than one would think. All through trial and error of testing which router has which chipset, broadcom, ralink, atheros etc. around 12 of the 20 I've tested on, have been vulnerable.
Yea share the knowledge if you know something we do not. Thanks
I have emailed Bongard I don't think that he's gunna release any tool... Sti waiting for a response from you datahead
Hello guys I am new to Kali Linux, reaver , aircrack and such. I was able to audit my Linksys E1000 with Reaver.
But I wanted to know if you guys knew about wpispin . Its a software for windows but it contains a database with WPS pin. I am going to attach some screenshoots
http://postimg.org/image/l7af4yy15/ , http://postimg.org/image/o0se9ux99/
The name of it its WPS-PIN I think the source is www.inforprograma.net , the software is in spanish. It is very interesting
wpspin, yes it help me found some key in a 3 second
the window version is WPSPIN Betis-Jesus
the other one works on Kali
wpspin v1.5
What do you usually do when the AP limiting error comes.
Check this out
https://forums.kali.org/showthread.p...highlight=mdk3
New piece of information I am trying to understand. So in the M1 message, we receive a nonce, aka the PKE (DH Key from the enrollee). According to this document, the formula for generating these DH Keys is g^AB mod p, aka PKR result^PKE private number mod p. (G is the public number from the registrar, AB is the enrollee's private number used to generate its own public number, and p is the prime modulus. Now, both the enrollee and the registrar each know the shared secret, which I am led to believe is the seed of the PRNG, (I may be wrong here but it all make sense... for now.)
For more information about Diffle-Hellman Keys, (DH Keys), do a quick youtube search for dh key exchange (can't post youtube links).
You can read more about modular arithmetic here.
I'll be looking more into DH Keys and their integration with PRNGs over the next few days/weeks. If you find anything, leave a comment.
the time taken decrypt the private keys (Private Random number) sent during the Diffie-Helman process depends on the prime modulus used (mod p in our case)...the biggger the prime modulus..the longer it will take, also take into consideration the magntitude of the generator in this case "g"....here is another good link which explains the "Alice and Bob" theory..the mathematics might be a little messed up for some...
http://www.academia.edu/1958665/Eucl...urity_Protocol
GRAPHICAL PATTERNS in Exponential functions that inlcude the modulus of private random prime numbers might be a breakthorugh in the future...
Yes soxrok2212.I caught up focusing on the modulas equation you posted for the Diffie-Helman process...As a result I was commenting on the probability of decrypting Diffie-Helman process using a man in the middle attack......Sticking to this thread Now, i am thinking along codes to bruteforcet Pseudo random Generators in order to compute E-S1 and E-S2 ( I am of the opinion that this might include algorithmic codes that guess statiscal patterns in PRNGs-maths,maths,maths.)..However when this attack was proposed by Mr. Bongard,I was looking for books on PRNGS..I noticed amazon had a couple...I might see if there are torrent ebooks out there....all for now....
Last edited by repzeroworld; 2015-03-03 at 22:44.
Last edited by soxrok2212; 2015-03-04 at 11:43.
So for those of you having trouble understanding the video of the DH Key exchange I posted, here is how 3^15 mod 17 = 6. First, calculate 3^15, which is our "generator" times the private number of in our applied case, the enrollee... = 14,348,907. Now, we take 14,348,907 and divide it by our prime modulus (known by both the enrollee and registrar, (17) and get 844,053.3529. Now, we remove the remainder from that number, .3529, so we are left with only 844,053 and multiply it by our prime modulus... 844,053 * 17=14,348901. Now, take our initial value (3^15) which is 14,348,907 and subtract the value we just calculated, 14,348,901... 14,348,907 - 14,348,901 = 6!
Therefore:
3^15 mod 17 = 6
Now that the enrollee has generated a public number from its private number, it sends that to the registrar. Now it is the registrars turn to come up with its own private number (13) and make a public number.
3^13 mod 17 = 12
3^13 = 1,594,323
Now, divide by our prime modulus (17)... 1,594,323 / 17 = 93,783.70588. Remove the decimal and get 93,783. Now multiply that number by 17... 93,783 * 17 = 1,594,311. Now, take our initial value and subtract the value we just created to get the registrar's public number... 1,594,323 - 1,594,311 = 12! The registrar then sends this publicly to the enrollee.
Enrolee public number: 6
Enrolee private number: 15
Registrar public number: 12
Registrar private number: 13
Now, the registrar and the enrollee both know each others public numbers, 6 and 12. So what they do now is they take their public number from the other, and raise it to the power of their own private number.
So for the enrollee to calculate the shared secret, it would do 12^15 mod 17 = 10
And for the registrar to calculate the shared secret, it would do 6^13 mod 17 = 10
Now they both know the shared secret, which I THINK may also be the seed that the PRNG uses (as stated before) but I'm not sure yet, or maybe this shared secret in conjunction with something else is the seed.
Last edited by soxrok2212; 2015-03-04 at 11:44.
Updated with all the latest information!!!! Just need someone who knows C now...
Nice explanation of modulus arithematic aspect...sorry dude i don't know C..hope someone with C experience and pentesting can contribute to this thread,,,I noticed in the Pixie Dust attack documentation there is a lack of certainty whether the PNRG state can be bruteforced..if this can be done then we can compute E-S1 and E-S2 and then bruteforce the first half and second half of the pin offline.....I tihnk we need to get Mr. Bongard and lock him down until he successfully complete his thesis (haha...just kidding)..
It can be done, we just have to throw in seeds until we get a match. Very simple. The generator will make a long string of numbers/letters and only part of it in the PKE (Enrollee nonce), and then directly after it are the E-S1 and the E-S2
If anyone knows C, please leave a comment. Looking to find someone to build a tool with.
Or if there is anyone who knows python let me know please. I would like to get a project going.
Last edited by g0tmi1k; 2015-03-09 at 21:49. Reason: *merged*
WoW
thank you guys for this excellent theme
@ soxrok2212
i am not a programmer and seeding is a problem with bash which is the only thing i know very few about. I gues it can be done from the sacrtach but i am not sure baout the efficiency of the code,
I know to who ask for help, he should be interested in helping you.
If not i can help you to start something in python and we can see how to get support on the way. C is above my mind
I send a MP to this person right now and tell you as soon as possible.
thanks for all your sharing and explanations in this theme . See you
Yes, i guess it was me.... my first language is not spanish but i am definitely more fluent in spanish than in english,(i understand everything but my grammar and my syntaxes are horrible)
I write you a mail (in spanish)
I didn't receive an answer from my friend yet... But it is still a bit early for him
we keep in touch- i write you a mail right now and like this you have mine
cee you there
I am interested in documentation about vendor-specific implementations of PRNGs.
kcdtv : libpcap is quite broken, i had to lose time reading .cap manually and playing with colors.
awesome, keep it up guys. I am hoping to become a tester for the script
@soxrok2212
First of all, thank you for your time and effort.
I have been looking by myself about all 'this' but there's something I can't seem to undestand just yet.
On the pdf slides (pag. 24) there's written:
- Upon reception of M1 the Registrar generates PKR and N2
- The Registrar can then compute the DHKey: DHKey= SHA-256 (zeropad(g^{AB} mod p, 192))
DHKey is needed in order to get AuthKey which is used as key of the HMAC-SHA-256 (for both E-Hash1 and E-Hash2).
How is the DHKey actually calculated? Could you make an example? How do we know A?
Sorry if I am missing something.
I know a little C, not enough to develop a modified version of reaver but hopefully enough to help testing or making some PoC kinda code.
I also have a capture of a TP-LINK router which is apparently Ralink, so ES1 = ES2 = 0, right?
Thank you again.
The math behind calculating the DH Keys is not important, only the actual PKE, PKR and Public keys are. I will explain though.
So we have the formula g^AB mod p right? In here, both g and p are "variables" (the generator and prime modulus). These two variables are agreed upon by the Registrar (Access Point) and Enrollee (Client) before the WPS transaction starts. However, A and B are different. They are secret numbers known only by the Enrollee and Registrar respectively (PKE knows A, PKR knows B, they don't know each other's secret numbers). Now, both the Enrollee and the Registrar will will run their secret numbers through the generator (PKE > g^A mod p, PKR > g^b mod p).
Now that that each side has generated a new "public" number with their secret number, they exchange and run a new function (in this case we'll call Ca the PKE public number and Cb the PRK public number). The Enrollee runs: g^ACb mod p, and the Registrar runs: g&BCa mod p.
There is a full version of the video on youtube, just google Diffle-Hellman Key Exchange and click the youtube link... its by Art of the Problem. I'd post it but we can't post youtube links. Hopefully that makes sense.
The TP-Link router may be vulnerable, but I can't say for sure. I've never done testing. It is likely that it is but until there is a tool I can't say for sure. You could try looking in the source but you may not find a certain answer there. Good luck!
@ qolund
Hello
Last edited by kcdtv; 2015-03-18 at 18:49.
@soxrok2212
Thank you for the explaination. I'll be sure to study the subject thoroughly when I'll have a bit more time. I'm a bit busy at them moment
Anyway, while we're waiting for someone able to modifiy reaver/bully, I've made a little program.
For now it just tries to bruteforce the PIN going throught all 20'000 combination (it doesn't use the checksum for now), assuming ES1 = ES2 = 0. Just feed it all the things needed:
- PKe
- PKr
- AuthKey
- E-Hash1
- E-Hash2
Tried on a TP-LINK (Ralink) and it just works. Bongard was right.
<link removed>
Here's a sample image:
EDIT: added the image properly. Removed link.
Last edited by wiire; 2015-03-21 at 11:24.
So is their any Tool Available for Pixie Dust Attack or Not???
Well my tool /works/ assuming that the AP (enrollee) does not generate the 2 random nonces ES1 and ES2. For non wps-technical users this means that'll work only with a few APs (probably Ralink, as described by Bongard).
When I'll undestand, hopefully with the help of someone, how the Broadcom PNRG seed bruteforce works, I'll be sure to add it to the tool (and post it online on GitHub or similar).
I made the tool while waiting for someone else to make an automatic tool such as a modification of reaver or bully.
Anyway, if someone is interested I'll make a post in the HowTos section how to use it. It requires a little modification in the source code of bully/reaver (tried bully for now) but it's easy. It was my yesterday one-day solution.
EDIT: fixed some typos.
Last edited by wiire; 2015-03-19 at 11:09.
Wonderful! Unfortunately I don't have any ralink devices to test :[ but I will certainly test with some broadcom routers which have low entropy after boot. If you could contact me via email (my username@gmail.com) or Skype (click that little symbol under my name) that would be great! I'm working with a few other people and I'm hoping we can use your knowledge and ralink PoC and incorporate it into a complete project. Thanks again wiire!!
Last edited by soxrok2212; 2015-03-19 at 13:24.
WoW
I am so glad to see this screenshot
The first "public" pixie dust attack... "sometimes dreams comes true"
Great job wiire ....
For the cheksum maybe the fastest will be to have a full pin diccionnary and just "grep" (grab) from the file the second half for PSK2 brute force instead of genrating the cheksum live.
I do not want to make you loose your time, i am very bad at maths and with number.
i get the process but i have difficulties to "see concretly the element involved"
I will try and have a look at your code to try to understand but i do not know C
Would you mind to tell me (us) in this example which part of "auth key" is used for genrating the HMAC256 (e-hash) ?
i guess it is the same lenght that is used to create the string for PKE and PKR and that the process is the same... could you confirm that to me?
Could you tel us also which tp-link model is it concretly and the wifi chipset that it uses?
Could you pass me a probe response from your routeur? i would like to start a kind of data base for everybody where we list affceted devices.
Thank you for sharing with us your work and congratulation
Last edited by kcdtv; 2015-03-19 at 14:52.
Awesome ! I can't wait to see the source and to have this published !!
Hey Kcdtv ! toujours sur la breche hein ?
Thank you guys.
@soxrok2212
Ok, added on Skype. I'll be busy for the next 4 - 5 days, so I'll "pause myself". Looking forward to work with the 'crew', though.
@kcdtv
Yeah, I know what you mean referring to the checksum digit: computing it everytime or having an array of already pre-computed digits. Could be an option.
In any case bruteforcing 11'000 digits or 20'000 doesn't make any difference on modern processors (after the PRNG seed is bruteforced). Also, if the PIN is chosen by the user, then it's most likely that the checksum won't match (odds are 1/10).
I'm not sure about your question on the AuthKey. It is the key used in the HMAC_SHA-256 hash function and it's 32 bytes (256 bits) long (it's not truncated).
To make an example: E-Hash1 = HMAC_SHA-256{AuthKey [32 bytes]}(ES-1 [16 bytes] || PSK1 [16 bytes] || PKE [192 bytes] || PKR [192 bytes]).
PSK1 it the first half of the PIN converted into an array of characters without termination ('\0'), hashed (HMAC_SHA-256) with AuthKey as a key considering the first 16 bytes (half of the hash digest). Just noticed I made the array twice as big...
PKE, PKR, E-Hash1 and E-Hash2 can be all gathered from a wireshark capture. To get AuthKey I have modified the source code of bully. The data is fed to the program as arrays of characters and then parsed and converted into byte arrays.
I'll re-organize the code soon and add some comments. I forgot to release some memory before the program's exit...
I will do more testing later on and send you some data. Just wait a few days...
If you have any other question send me a PM with your Skype ID or email or just reply here if not too long... I'll contact/reply you.
@wiire..great attempt!...I did a capture with wireshark and extracted the following details for my target
7d:3f:c7:17:20:ec:52:05:84:69:76:e6:60:9e:aa:0e:8c :e3:ea:a1:ed:36:4f:54:96:c4:86:b2:72:91:86:d6 # E hash 1
55:ca:83:c9:49:05:79:f8:3b:09:57:78:e1:4d:db:bb:21 :ee:f2:72:5a:02:7e:31:5f:02:ee:b3:72:f0:fc:a3 #E-hash 2
cb:b9:a9:6d:eb:35:94:f7:da:c0:55:be:0d:04:5e:ed:52 :7d:f5:a1:c2:83:68:d2:3d:50:5e:83:ee:3c:d4:20:e6:6 c:07:d8:6b:c9:ea:52:ad:59:34:59:ff:9c:23:d2:d5:2a: 5a:74:a6:c5:fe:8b:0b:8e:c6:09:43:be:c5:df:92:93:77 :6f:12:57:85:ef:bb:a0:b6:58:b8:d2:97:7a:6f:70:f4:2 5:35:36:61:d2:c2:ef:be:38:82:a4:1d:3d:cf:03:3c:c5: d3:a6:52:b0:97:12:5b:a9:f3:0f:83:d0:c9:17:0e:97:cf :e5:9e:67:8c:64:55:30:90:47:25:c4:2c:34:11:49:32:a 2:4e:72:15:93:55:b4:64:87:1c:76:63:cd:b9:dd:57:48: c4:a0:74:e4:0b:f7:10:97:4b:11:07:98:ee:98:6c:a5:71 :f3:85:f4:36:dd:cd:35:4c:e3:3d:ef:43:09:f2:52:ef:d 1:db:a6:c1:f9:ae:b5:7f:61 #pkr
3b:4c:d9:d5:17:e6:db:19:bc:b8:da:d7:f8:91:5d:a5:3b :4a:c8:ec:f2:17:a7:11:a4:3a:9b:d5:5e:d9:a2:b8:78:3 1:70:ae:57:be:be:0c:b2:5e:03:5f:34:28:a4:16:47:b4: 36:e7:24:71:69:54:de:0d:aa:f1:56:08:7a:d0:22:47:1f :0a:5e:2d:32:6c:0e:18:16:db:b5:89:cf:39:cb:3d:a1:f 3:05:cc:b3:a3:59:92:45:aa:45:35:1e:d8:8e:05:54:45: 74:b1:dd:8d:64:b7:6d:5e:37:c6:9c:e9:18:3d:e7:af:6b :73:c1:66:c9:ce:1a:3c:b5:f7:f3:65:be:3a:1b:29:8c:4 1:09:16:4c:b9:f1:df:41:66:99:81:91:82:a1:80:bc:7b: 1e:c9:4d:f2:62:ca:c0:50:3a:c5:5f:cd:17:dd:97:cc:b4 :82:06:15:b2:4d:1c:67:7f:fb:06:9a:c5:19:5c:ce:b0:a 2:90:d6:af:0a:a8:bc:08:d6 # pke
These values are from a tp-link router too...the only difficulty i am having is calculating the Authkey..any suggesstions? ( I haven't seen anything tags like authkey in the wps message 2 in wireshark)
so for dummies
how did you extract these again?
- PKe
- PKr
- AuthKey
- E-Hash1
- E-Hash2
PKE, PKR, E-Hash1, and E-Hash2 can be found in wireshark. Authkey is a bit harder, you need to understand KDK. Look here and scroll until you see Key Derivation. Its tough to understand however, tool isn't ready for prime time but we will soon have everything be automated.
I see.
Is it cleat text or you need to push the cap through some utility?
did you challenge the AP with reaver to get the data?
Last edited by wn722; 2015-03-20 at 14:53.