Results 1 to 50 of 583

Thread: WPS Pixie Dust Attack (Offline WPS Attack)

Threaded View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Join Date
    United States

    WPS Pixie Dust Attack (Offline WPS Attack)

    WPS Pixie Dust

    Disclaimer: I am not responsible for what you do with these tools or this information. The use of anything on this thread should only be attempted on networks you own or have permission to test. Links at the bottom, I want you to understand everything before you ask questions that can be easily answered *

    I've been looking into the new WPS security flaw found by Dominique Bongard. All of the information I am providing here is not mine, all credit goes to Bongard and the other wonderful sources listed at the bottom. This thread assumes you have some basic knowledge of the WPS exchange. If not, have a look at the "Complete WPS Specification" link posted at the bottom.

    Dominique Bongard discovered that some APs have weak ways of generating nonces (known as E-S1 and E-S2) that are supposed to be secret. If we are able to figure out what these nonces are, we can easily find the WPS PIN of an AP since the AP must give it to us in a hash in order to prove that it also knowns the PIN, and the client is not connecting to a rouge AP. These E-S1 and E-S2 are essentially the "keys to unlock the lock box" containing the WPS pin. You can kind of think of the whole thing as an algebra problem, if we know all but 1 variable in an equation, we just have to solve for x. X in this case is the WPS pin (this is not a perfect example but for beginners it should help

    Important parts of a WPS exchange: M1, M2, M3, other

    Enrollee Nonce
    PKE Public Key (Enrollee Public Key)

    Registrar Nonce
    PKR Public Key (Registrar Public Key)

    E-Hash1 = HMAC-SHA-256(authkey) (E-S1 | PSK1 | PKE | PKR)
    E-Hash2 = HMAC-SHA-256(authkey) (E-S2 | PSK2 | PKE | PKR)

    Authkey [derived from the KDK (Key Derivation Key)]


    E-Hash1 is a hash in which we brute force the first half of the PIN.
    E-Hash2 is a hash in which we brute force the second half of the PIN.
    HMAC is a function that hashes all the data. The function is HMAC-SHA-256.
    PSK1 is the first half of the router's PIN (10,000 possibilities)
    PSK2 is the second half of the router's PIN (10,000 possibilities)
    PKE is the Public Key of the Enrollee (used to verify the legitimacy of a WPS exchange and prevent replays.)
    PKR is the Public Key of the Registrar (used to verify the legitimacy of a WPS exchange and prevent replays.)

    Vendor Implementations

    In Broadcom eCos,
    these two nonces are generated right after the enrollee nonce (the public nonce generated by the AP.) We also know the function that gives us this data, so if we substitute in seeds, we will eventually find matching nonces, and from there we can find the E-S1 and E-S2 nonces.
    > E-S1 + E-S2 are generated from the same PRNG that generates the N1 Enrollee Nonce

    In Realtek,
    the PRNG is a function that uses the time in seconds from January 1st, 1970 until whenever the data in generated (basically when the WPS exchange starts.) The vulnerable part is that the chip uses the same generator to make the Enrollee nonce as it does to make E-S1 and E-S2. So if the whole entire exchange occurs in that same second, E-S1 = E-S2 = Enrollee Nonce. If it occurs over the course of a few seconds, then all we have to do is find the seed that gave us the Enrolle Nonce, and then increment it and taking the output as E-S1 and E-S2. Its a multivariable brute force, so it may take a little bit more time but not more than a few minutes on a modern PC.
    > E-S1 = E-S2 = N1 Enrollee Nonce or generated with seed = time

    In Ralink,
    E-S1 and E-S2 are never generated. They are always 0. Therefore, we just have to brute force the PIN and we're done.
    > E-S1 = E-S1 = 0

    In MediaTek,
    the same problem that Ralink has exists. E-S1 and E-S2 are never generated.
    > E-S1 = E-S2 = 0

    In Celeno, the same problem that Ralink has exists as these chips are just rebranded Ralink chips. E-S1 and E-S2 are never generated.
    > E-S1 = E-S2 = 0

    Assuming we already know the PKE, PKR, Authkey, E-Hash1 and E-Hash2 since the router gives us these values (and vice versa) and we have figured out E-S1 and E-S2 by brute forcing them or knowing that they are equal to 0, we can run all the data through the hash function and try every pin until we have a matching hash (E-Hash1 and E-Hash2) that the AP gave us. When we are returned with a match, we can say "Ok, that last pin we used matched the hash from the M3 message. That must be the pin." Now we can take the pin we just brute forced and toss it into Reaver or Bully and the AP will say "Ok, you have the right pin, here are all my credentials," including the SSID, WPS Pin, and the WPA key.

    Preventing the attack
    Look up your device on Wikidevi. If your device contains one of the chipsets as listed above, disable WPS now. If your device does NOT contain one of the chipsets as listed above, disable WPS now.

    If you find anything new or wish to correct me, please do and post it in the comments! I will try to respond and keep you updated as frequently as possible!


    1. Slide Presentation
    2. Video Presentation
    3. Hack Forums
    4. Diffie-Hellman Key Exchange
    5. Pseudo Random Number Generators
    6. WPS Background
    7. Complete WPS Specification (PDF Download)
    8. Broadcom PRNG Source
    9. Realtek PRNG Source
    10. Top Hat Sec
    11. First Tweet
    12. Database with affected/non affected models


    Pixiewps 1.4.2:
    Written by wiire
    Original Thread:

    Reaver 1.6.5:
    Modified by t6_x, rofl0r and datahead
    Original Thread:

    Bully 1.1:
    Modified by AAnarchYY
    Original Thread:

    And I would like to give a special thanks to DataHead, Wiire, t6_x, aanarchyy, FrostyHacks and of course Dominique Bongard for all their help! Thank You!
    Last edited by soxrok2212; 2018-10-16 at 17:48. Reason: pixiewps 1.4.2, reaver 1.6.4

Similar Threads

  1. WPS Pixie Dust Attack (Offline WPS Attack)
    By soxrok2212 in forum General Archive
    Replies: 353
    Last Post: 2015-05-05, 08:32
  2. Reaver modfication for Pixie Dust Attack
    By t6_x in forum General Archive
    Replies: 81
    Last Post: 2015-05-05, 00:55
  3. Pixiewps: wps pixie dust attack tool
    By wiire in forum General Archive
    Replies: 89
    Last Post: 2015-05-04, 19:32

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts