
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    517

    WPS Pixie Dust Attack (Offline WPS Attack)

    WPS Pixie Dust

    Disclaimer: I am not responsible for what you do with these tools or this information. The use of anything on this thread should only be attempted on networks you own or have permission to test. Links are at the bottom; I want you to understand everything before you ask questions that can be easily answered *

    A more detailed writeup is available on our Division0 site! http://www.division0.net (we are still actively developing our site, it is not yet completed). Here is the link to the writeup!

    I've been looking into the new WPS security flaw found by Dominique Bongard. All of the information I am providing here is not mine, all credit goes to Bongard and the other wonderful sources listed at the bottom. This thread assumes you have some basic knowledge of the WPS exchange. If not, have a look at the "Complete WPS Specification" link posted at the bottom.

    Dominique Bongard discovered that some APs have weak ways of generating nonces (known as E-S1 and E-S2) that are supposed to be secret. If we are able to figure out what these nonces are, we can easily find the WPS PIN of an AP, since the AP must give it to us in a hash in order to prove that it also knows the PIN and that the client is not connecting to a rogue AP. These E-S1 and E-S2 are essentially the "keys to unlock the lock box" containing the WPS pin. You can kind of think of the whole thing as an algebra problem: if we know all but 1 variable in an equation, we just have to solve for x. X in this case is the WPS pin (this is not a perfect example, but for beginners it should help).



    Important parts of a WPS exchange: M1, M2, M3, other

    M1:
    Enrollee Nonce
    PKE Public Key (Enrollee Public Key)

    M2:
    Registrar Nonce
    PKR Public Key (Registrar Public Key)

    M3:
    E-Hash1 = HMAC-SHA-256(authkey) (E-S1 | PSK1 | PKE | PKR)
    E-Hash2 = HMAC-SHA-256(authkey) (E-S2 | PSK2 | PKE | PKR)

    Other:
    Authkey [derived from the KDK (Key Derivation Key)]



    Components


    E-Hash1 is a hash in which we brute force the first half of the PIN.
    E-Hash2 is a hash in which we brute force the second half of the PIN.
    HMAC is a function that hashes all the data. The function is HMAC-SHA-256.
    PSK1 is the first half of the router's PIN (10,000 possibilities)
    PSK2 is the second half of the router's PIN (10,000 possibilities)
    PKE is the Public Key of the Enrollee (used to verify the legitimacy of a WPS exchange and prevent replays.)
    PKR is the Public Key of the Registrar (used to verify the legitimacy of a WPS exchange and prevent replays.)



    Vendor Implementations


    In Broadcom eCos, these two nonces are generated right after the enrollee nonce (the public nonce generated by the AP). We also know the function that gives us this data, so if we substitute in seeds, we will eventually find matching nonces, and from there we can find the E-S1 and E-S2 nonces.

    E-S1 + E-S2 are generated from the same PRNG that generates the N1 Enrollee Nonce

    In Realtek,
    the PRNG is a function that uses the time in seconds from January 1st, 1970 until whenever the data is generated (basically when the WPS exchange starts). The vulnerable part is that the chip uses the same generator to make the Enrollee nonce as it does to make E-S1 and E-S2. So if the whole entire exchange occurs in that same second, E-S1 = E-S2 = Enrollee Nonce. If it occurs over the course of a few seconds, then all we have to do is find the seed that gave us the Enrollee Nonce, and then increment it, taking the output as E-S1 and E-S2. It's a multivariable brute force, so it may take a little bit more time, but not more than a few minutes on a modern PC.

    E-S1 = E-S2 = N1 Enrollee Nonce or generated with seed = time

    In Ralink,
    E-S1 and E-S2 are never generated. They are always 0. Therefore, we just have to brute force the PIN and we're done.

    E-S1 = E-S2 = 0


    In MediaTek,
    the same problem that Ralink has exists. E-S1 and E-S2 are never generated.

    E-S1 = E-S2 = 0


    In Celeno, the same problem that Ralink has exists as these chips are just rebranded Ralink chips. E-S1 and E-S2 are never generated.

    E-S1 = E-S2 = 0




    Conclusion


    Assuming we already know the PKE, PKR, Authkey, E-Hash1 and E-Hash2 since the router gives us these values (and vice versa) and we have figured out E-S1 and E-S2 by brute forcing them or knowing that they are equal to 0, we can run all the data through the hash function and try every pin until we have a matching hash (E-Hash1 and E-Hash2) that the AP gave us. When we are returned with a match, we can say "Ok, that last pin we used matched the hash from the M3 message. That must be the pin." Now we can take the pin we just brute forced and toss it into Reaver or Bully and the AP will say "Ok, you have the right pin, here are all my credentials," including the SSID, WPS Pin, and the WPA key.



    Preventing the attack


    Look up your device on Wikidevi. If your device contains one of the chipsets as listed above, disable WPS now. If your device does NOT contain one of the chipsets as listed above, disable WPS now.

    If you find anything new or wish to correct me, please do and post it in the comments! I will try to respond and keep you updated as frequently as possible!



    Resources


    1. Slide Presentation
    2. Video Presentation
    3. Hack Forums
    4. Diffie-Hellman Key Exchange
    5. Pseudo Random Number Generators
    6. WPS Background
    7. Complete WPS Specification (PDF Download)
    8. Broadcom PRNG Source
    9. Realtek PRNG Source
    10. Top Hat Sec
    11. First Tweet
    12. Database with affected/non affected models



    Tools


    Pixiewps 1.2.2: http://www.github.com/wiire/pixiewps
    Written by wiire
    Original Thread: https://forums.kali.org/showthread.p...st-attack-tool

    Reaver 1.5.3: https://github.com/t6x/reaver-wps-fork-t6x
    Modified by t6_x and datahead
    Original Thread: https://forums.kali.org/showthread.p...ie-Dust-Attack

    Bully 1.1: https://github.com/aanarchyy/bully
    Modified by AAnarchYY
    Original Thread: https://forums.kali.org/showthread.p...ixiewps-attack



    And I would like to give a special thanks to DataHead, Wiire, t6_x, aanarchyy, FrostyHacks and of course Dominique Bongard for all their help! Thank You!
    Last edited by soxrok2212; 2017-04-23 at 09:29 PM. Reason: reaver 1.5.3
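    The following simulation is an added example and is not code from this thread or from pixiewps, Reaver or Bully. It models the E-Hash1/E-Hash2 commitment from M3 exactly as written in the post (HMAC-SHA-256 over E-S | PSK | PKE | PKR, with PSK1/PSK2 taken from the WPS specification as the first 128 bits of HMAC(AuthKey, ASCII PIN half)), with an enrollee whose nonce generator is pluggable. The AuthKey, PKE, PKR and PIN are constructed values, not anything captured from a device. The point for a defender is in the two runs at the bottom: with the all-zero nonces described for Ralink/MediaTek/Celeno, each PIN half is confirmable offline in at most 10,000 HMACs, whereas with two fresh 128-bit nonces from a CSPRNG the same check finds nothing, which is the only property the nonces exist to provide.

```python
import hashlib
import hmac
import os

# Constructed inputs (not captured from any device): in a real exchange PKE/PKR are
# the 192-byte Diffie-Hellman public keys from M1/M2 and AuthKey comes from the KDK.
AUTHKEY = hashlib.sha256(b"constructed AuthKey for the demo").digest()
PKE = bytes([0x11]) * 192
PKR = bytes([0x22]) * 192
PIN = "12345670"  # 8-digit WPS PIN; the halves are "1234" and "5670"


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_half(authkey: bytes, pin_half: str) -> bytes:
    """PSK1 / PSK2 per the WPS spec: first 128 bits of HMAC(AuthKey, ASCII digits of that half)."""
    return hmac_sha256(authkey, pin_half.encode("ascii"))[:16]


def e_hash(authkey: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash = HMAC-SHA-256(AuthKey, E-S | PSK | PKE | PKR), the formula from the post."""
    return hmac_sha256(authkey, e_s + psk + pke + pkr)


def zero_nonces():
    """Weak generator: E-S1 = E-S2 = 0, the Ralink/MediaTek/Celeno behaviour described above."""
    return bytes(16), bytes(16)


def random_nonces():
    """Correct generator: two fresh 128-bit secrets from the OS CSPRNG."""
    return os.urandom(16), os.urandom(16)


def enrollee_m3(authkey, pke, pkr, pin, nonce_fn):
    """The AP's M3 commitment to the two PIN halves; E-S1/E-S2 never leave the AP."""
    e_s1, e_s2 = nonce_fn()
    e_hash1 = e_hash(authkey, e_s1, psk_half(authkey, pin[:4]), pke, pkr)
    e_hash2 = e_hash(authkey, e_s2, psk_half(authkey, pin[4:]), pke, pkr)
    return e_hash1, e_hash2


def offline_check_half(authkey, e_hash_target, e_s_assumed, pke, pkr):
    """Test every 4-digit half against one commitment under an assumed E-S value.

    With a predictable E-S this is at most 10,000 HMACs and returns the half;
    with an unknown 128-bit E-S the assumption is wrong and nothing matches.
    """
    for candidate in range(10_000):
        half = f"{candidate:04d}"
        trial = e_hash(authkey, e_s_assumed, psk_half(authkey, half), pke, pkr)
        if hmac.compare_digest(trial, e_hash_target):
            return half
    return None


def recover_with_assumed_zero_nonces(nonce_fn):
    """Run one simulated exchange and report which PIN halves were confirmable offline."""
    e_hash1, e_hash2 = enrollee_m3(AUTHKEY, PKE, PKR, PIN, nonce_fn)
    assumed = bytes(16)  # the E-S value an observer would assume for a zero-nonce chipset
    return (offline_check_half(AUTHKEY, e_hash1, assumed, PKE, PKR),
            offline_check_half(AUTHKEY, e_hash2, assumed, PKE, PKR))


if __name__ == "__main__":
    print("zero nonces   ->", recover_with_assumed_zero_nonces(zero_nonces))    # ('1234', '5670')
    print("random nonces ->", recover_with_assumed_zero_nonces(random_nonces))  # (None, None)
```

    Nothing in the commitment itself changes between the two runs; only the entropy of E-S1/E-S2 does. That is why the fix on the firmware side is a proper CSPRNG for the nonces, and why, for an owner who cannot verify what their chipset does, the post's advice to disable WPS removes the exposure altogether.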

  2. #2
    Senior Member
    Join Date
    Aug 2013
    Location
    lost in space
    Posts
    580
    Thanks soxrok2212 !

    Might as well post that in the Howtos.

    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  3. #3
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    517
    Quote Originally Posted by Quest:
        Thanks soxrok2212 !

        Might as well post that in the Howtos.

    Once I have a working solution, I will be sure to!

  4. #4
    Senior Member
    Join Date
    Aug 2013
    Location
    lost in space
    Posts
    580
    Cool, but the thing is it might get shut down, as it is not a 'Kali Linux General Use'. Moreover, it is a howto that just needs some R&D. Just saying.

    Keep it up =]
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  5. #5
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    517
    Quote Originally Posted by Quest:
        Cool, but the thing is it might get shut down, as it is not a 'Kali Linux General Use'. Moreover, it is a howto that just needs some R&D. Just saying.

        Keep it up =]

    I have it posted on hack forums too... getting some replies there.

  6. #6
    Member
    Join Date
    Mar 2013
    Posts
    95
    Is this the code you displayed starting around line 148?
    Please delete link if not allowed, thanks.
    http://trac.umnaem.webfactional.com/...and.cxx?rev=39

  7. #7
    Member
    Join Date
    Mar 2013
    Posts
    95
    Ignore above, I never noticed, oops.

  8. #8
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    517
    Quote Originally Posted by skycrazy:
        Is this the code you displayed starting around line 148?
        Please delete link if not allowed, thanks.
        http://trac.umnaem.webfactional.com/...and.cxx?rev=39

    Yes it is, but the code has since changed. Bongard made this presentation back in November 2014, so it's a bit different now.

  9. #9
    Junior Member
    Join Date
    Feb 2015
    Posts
    6
    You are on the right track
    I do have a complete and working PoC program that I use. While it says few routers, I've found a lot more are vulnerable than one would think. All through trial and error of testing which router has which chipset (Broadcom, Ralink, Atheros, etc.), around 12 of the 20 I've tested on have been vulnerable.

  10. #10
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    517
    Quote Originally Posted by datahead:
        You are on the right track
        I do have a complete and working PoC program that I use. While it says few routers, I've found a lot more are vulnerable than one would think. All through trial and error of testing which router has which chipset (Broadcom, Ralink, Atheros, etc.), around 12 of the 20 I've tested on have been vulnerable.

    Would you mind sharing? I can give you an email address... Thanks!
