WPS Pixie Dust
Disclaimer: I am not responsible for what you do with these tools or this information. The use of anything on this thread should only be attempted on networks you own or have permission to test.
Links at the bottom, I want you to understand everything before you ask questions that can be easily answered
*
A more detailed writeup is available on our Division0 site! http://www.division0.net (we are still actively developing our site, it is not yet completed). Here is the link to the writeup!
I've been looking into the new
WPS security flaw found by Dominique Bongard. All of the information I am providing here is not mine, all credit goes to Bongard and the other wonderful sources listed at the bottom. This thread assumes you have some basic knowledge of the WPS exchange. If not, have a look at the "Complete WPS Specification" link posted at the bottom.
Dominique Bongard discovered that some APs have weak ways of generating
nonces (known as
E-S1 and
E-S2) that are supposed to be secret. If we are able to figure out what these nonces are, we can easily find the WPS PIN of an AP since the AP must give it to us in a hash in order to prove that it also knowns the PIN, and the client is not connecting to a rouge AP. These E-S1 and E-S2 are essentially the "keys to unlock the lock box" containing the WPS pin. You can kind of think of the whole thing as an algebra problem, if we know all but 1 variable in an equation, we just have to solve for x. X in this case is the WPS pin (this is not a perfect example but for beginners it should help.)
Important parts of a WPS exchange: M1,
M2, M3, other
Enrollee Nonce
PKE Public Key (Enrollee Public Key)
Registrar Nonce
PKR Public Key (Registrar Public Key)
E-Hash1 = HMAC-SHA-256(authkey) (E-S1 | PSK1 | PKE | PKR)
E-Hash2 = HMAC-SHA-256(authkey) (E-S2 | PSK2 | PKE | PKR)
Authkey [derived from the KDK (Key Derivation Key)]
Components
E-Hash1 is a hash in which we brute force the first half of the PIN.
E-Hash2 is a hash in which we brute force the second half of the PIN.
HMAC is a function that hashes all the data. The function is HMAC-SHA-256.
PSK1 is the first half of the router's PIN (10,000 possibilities)
PSK2 is the second half of the router's PIN (10,000 possibilities)
PKE is the Public Key of the Enrollee (used to verify the legitimacy of a WPS exchange and prevent replays.)
PKR is the Public Key of the Registrar (used to verify the legitimacy of a WPS exchange and prevent replays.)
Vendor Implementations
In Broadcom eCos, these two nonces are generated right after the enrollee nonce (the public nonce generated by the AP.) We also know the function that gives us this data, so if we substitute in seeds, we will eventually find matching nonces, and from there we can find the E-S1 and E-S2 nonces.
E-S1 + E-S2 are generated from the same PRNG that generates the N1 Enrollee Nonce
In Realtek, the PRNG is a function that uses the time in seconds from January 1st, 1970 until whenever the data in generated (basically when the WPS exchange starts.) The vulnerable part is that the chip uses the same generator to make the Enrollee nonce as it does to make E-S1 and E-S2.
So if the whole entire exchange occurs in that same second, E-S1 = E-S2 = Enrollee Nonce. If it occurs over the course of a few seconds, then all we have to do is find the seed that gave us the Enrolle Nonce, and then increment it and taking the output as E-S1 and E-S2. Its a multivariable brute force, so it may take a little bit more time but not more than a few minutes on a modern PC.
E-S1 = E-S2 = N1 Enrollee Nonce or generated with seed = time
In Ralink, E-S1 and E-S2 are never generated. They are always 0. Therefore, we just have to brute force the PIN and we're done.
E-S1 = E-S1 = 0
In MediaTek, the same problem that Ralink has exists. E-S1 and E-S2 are never generated.
E-S1 = E-S2 = 0
In Celeno, the same problem that Ralink has exists as these chips are just rebranded Ralink chips. E-S1 and E-S2 are never generated.
E-S1 = E-S2 = 0
Conclusion
Assuming we already know the PKE, PKR, Authkey, E-Hash1 and E-Hash2 since the router gives us these values (and vice versa) and we have figured out E-S1 and E-S2 by brute forcing them or knowing that they are equal to 0, we can run all the data through the hash function and try every pin until we have a matching hash (E-Hash1 and E-Hash2) that the AP gave us. When we are returned with a match, we can say "Ok, that last pin we used matched the hash from the M3 message. That must be the pin." Now we can take the pin we just brute forced and toss it into Reaver or Bully and the AP will say "Ok, you have the right pin, here are all my credentials," including the SSID, WPS Pin, and the WPA key.
Preventing the attack
Look up your device on
Wikidevi. If your device contains one of the chipsets as listed above,
disable WPS now. If your device does NOT contain one of the chipsets as listed above,
disable WPS now.
If you find anything new or wish to correct me, please do and post it in the comments! I will try to respond and keep you updated as frequently as possible!
Resources
1.
Slide Presentation
2.
Video Presentation
3.
Hack Forums
4.
Diffie-Hellman Key Exchange
5.
Pseudo Random Number Generators
6.
WPS Background
7.
Complete WPS Specification (PDF Download)
8.
Broadcom PRNG Source
9.
Realtek PRNG Source
10.
Top Hat Sec
11.
First Tweet
12.
Database with affected/non affected models
Tools
Pixiewps 1.2.2: http://www.github.com/wiire/pixiewps
Written by wiire
Original Thread: https://forums.kali.org/showthread.p...st-attack-tool
Reaver 1.5.2: https://github.com/t6x/reaver-wps-fork-t6x
Modified by t6_x and datahead
Original Thread: https://forums.kali.org/showthread.p...ie-Dust-Attack
Bully 1.1: https://github.com/aanarchyy/bully
Modified by AAnarchYY
Original Thread: https://forums.kali.org/showthread.p...ixiewps-attack
And I would like to give a special thanks to DataHead, Wiire, t6_x, aanarchyy, FrostyHacks and of course Dominique Bongard for all their help! Thank You!