Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by emsef
    Hello and thanks for the info.

    The following router is vulnerable

    Code:
    [P] WPS Manufacturer: BUFFALO INC.
    [P] WPS Model Name: WBMR-HP-GN
    [P] WPS Model Number: RT2860
    [P] Access Point Serial Number: 12345678
    https://wikidevi.com/wiki/Buffalo_WBMR-HP-GN
    Thanks buddy, added to the database. Keep up the testing and paste any vulnerable/non-vulnerable devices with all the requested info if possible. A big thanks to the community! Wouldn't have been inspired without you!
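The `[P] WPS Manufacturer:` / `Model Name` / `Model Number` / `Serial Number` lines quoted above are text attributes that an access point broadcasts in the WPS information element of its beacons. The following Python is an added example, not code from this thread or from the reaver/pixiewps tools: it parses that element so an AP owner can inventory what their own equipment advertises and match it against the vulnerable-device list being collected here. The attribute IDs are the real Wi-Fi Simple Configuration ones; the beacon bytes are constructed from the device quoted in the post; and the `wps_exposed` check is an assumption about policy, namely that an AP which still advertises WPS and is not AP-Setup-Locked has not had the basic mitigation (disabling WPS in the AP's settings) applied.

```python
import struct

# WPS attribute IDs from the Wi-Fi Simple Configuration spec (real values).
WPS_ATTR_NAMES = {
    0x104A: "Version",
    0x1044: "WPS State",          # 1 = not configured, 2 = configured
    0x1057: "AP Setup Locked",    # 1 = AP refuses external registrar PIN attempts
    0x1021: "Manufacturer",
    0x1023: "Model Name",
    0x1024: "Model Number",
    0x1042: "Serial Number",
    0x1011: "Device Name",
    0x1012: "Device Password ID",
    0x1008: "Config Methods",
}
# Attributes whose value is an ASCII string rather than a number.
TEXT_ATTRS = {0x1021, 0x1023, 0x1024, 0x1042, 0x1011}


def parse_wps_ie(ie: bytes) -> dict:
    """Parse one 802.11 vendor-specific IE (tag 0xDD, OUI 00:50:F2, type 4)
    into a dict of WPS attributes. Returns {} when the IE is not a WPS IE."""
    if len(ie) < 6 or ie[0] != 0xDD:
        return {}
    body = ie[2:2 + ie[1]]
    if body[:4] != b"\x00\x50\xF2\x04":
        return {}
    attrs = {}
    pos = 4
    while pos + 4 <= len(body):
        # Each attribute is a big-endian TLV: 2-byte ID, 2-byte length, value.
        attr_id, attr_len = struct.unpack(">HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            break  # truncated attribute: stop rather than misread the tail
        pos += 4 + attr_len
        name = WPS_ATTR_NAMES.get(attr_id, f"0x{attr_id:04X}")
        if attr_id in TEXT_ATTRS:
            attrs[name] = value.decode("ascii", "replace").rstrip("\x00")
        elif attr_len == 1:
            attrs[name] = value[0]
        elif attr_len == 2:
            attrs[name] = struct.unpack(">H", value)[0]
        else:
            attrs[name] = value.hex()
    return attrs


def wps_exposed(attrs: dict) -> bool:
    """Assumed policy check: WPS advertised and not AP-Setup-Locked means the
    AP still accepts external registrar PIN exchanges, so WPS should be turned off."""
    return bool(attrs) and attrs.get("AP Setup Locked", 0) == 0


def _tlv(attr_id: int, value: bytes) -> bytes:
    """Encode one WPS attribute (used only to build the constructed sample below)."""
    return struct.pack(">HH", attr_id, len(value)) + value


# Constructed sample: a beacon WPS IE carrying the fields quoted in the post.
SAMPLE_WPS_BODY = (
    b"\x00\x50\xF2\x04"
    + _tlv(0x104A, b"\x10")          # Version 1.0
    + _tlv(0x1044, b"\x02")          # WPS State: configured
    + _tlv(0x1057, b"\x00")          # AP Setup Locked: no
    + _tlv(0x1021, b"BUFFALO INC.")
    + _tlv(0x1023, b"WBMR-HP-GN")
    + _tlv(0x1024, b"RT2860")
    + _tlv(0x1042, b"12345678")
)
SAMPLE_IE = bytes([0xDD, len(SAMPLE_WPS_BODY)]) + SAMPLE_WPS_BODY


if __name__ == "__main__":
    info = parse_wps_ie(SAMPLE_IE)
    for key in ("Manufacturer", "Model Name", "Model Number", "Serial Number"):
        print(f"[P] WPS {key}: {info.get(key, '?')}")
    print("WPS still exposed:", wps_exposed(info))
```

On a live system the `ie` bytes would come from the beacon's tagged-parameter section (for example via a packet capture library); the parser stops at the first truncated attribute instead of raising, so a malformed beacon from a flaky AP cannot crash an inventory sweep.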

  2. #2
    Quote Originally Posted by dragood
    The only reason we're able to get the PIN now is because we assume ES-1 = ES-2 = 0, which is really not much of "hacking". The only problem we are facing now is that someone needs to know how to write code to find the state of the PRNG.
    Hi there!
    You missed some points.
    In his presentation Dominique spoke about 2 flows:
    1) ES-1=ES-2=0, and that is just for the Ralink chipset and was indeed the first stuff that was coded (because, indeed, it doesn't require extra brute force of the seed)
    2) Then wiire found the way to code the second breach revealed by Dominique: some Broadcom devices for which we know the "interval" used to define the seed (cracked immediately)
    In the meantime soxrok2212 sent Dominique data from Realtek chipsets because we saw that the same PKE was used in his two routers and in my two routers with Realtek... all four routers from different manufacturers with different firmwares (but all is coming from the SDK for the rtl819x project that developers use to build their firmware)
    And Dominique found out a third breach
    3) for these Realtek chipsets the exact time in seconds is used as a seed in the DH key exchange process - or it is the time of the last build (brute force required from the exact time (in seconds) back to 1970 < don't ask me why for some routers it was found that 1970 was used as seed)
    wiire coded everything and we have all the stuff in hand to "pixie-dust" and also to create a custom code to try a different interval.
    cheers
