
Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    Join Date
    2015-May
    Posts
    3
    I have a Netgear R3600v2 router, Broadcom chipset BCM4360. Doesn't seem to be working. I can send the .cap if you want/need. Doing brute force now.

  2. #2
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Okay so 3 new things have been brought to my attention, some of which I've already pointed out but I just want to clear things up.
    1- Someone recently e-mailed me about an Atheros device, specifically a D-Link DIR-600 rev A1. This device has an AR9285. A few months ago, the static PKE in Realtek devices made me question their implementation. Many of you know that PKE:
    Code:
    d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    Well, it turns out that this device also has a static PKE!
    Code:
    91:72:d8:6a:3d:bc:4c:5b:89:c8:b9:86:ff:31:ee:96:b9:bc:ab:ac:cc:1d:42:77:1d:46:09:a3:91:e3:b9:b2:c2:80:a3:2e:b4:01:58:36:f9:90:02:be:ab:94:69:31:38:4e:84:d2:7a:06:7e:bb:f6:15:9b:08:a6:55:67:48:29:c1:b0:69:fb:79:51:a8:d0:d5:bf:8d:65:58:71:4e:be:0d:33:68:30:87:04:7e:71:99:d1:26:e7:fa:8a:55:2a:b6:be:c5:23:f6:87:c8:f8:bd:6c:77:0c:09:3f:40:83:64:90:35:47:0f:b8:1b:6d:31:d5:3e:2f:35:7a:27:16:57:d8:1e:0c:8b:41:f5:1c:3b:b0:31:f5:b0:d7:23:40:26:7b:ce:b5:fd:07:c6:58:64:06:1a:45:55:4b:c4:ca:3b:50:57:bd:a0:fc:7c:69:7f:06:79:52:4e:30:1a:6d:f8:16:6e:1b:9f:51:97:e8:40:2f:9b:97:d1:7e:7e
    I wasn't able to find source code for this specific model and unfortunately I can't find a firmware link either. Here is a list with all devices that use the AR9285 chip so the community can look to see if their devices follow the same pattern.

    2- Another strange thing is happening with Atheros, specifically in the Linksys WRT160NL. This is one of Linksys's devices that is completely open source, meaning it runs Linux. This WRT160NL has an AR9130/AR9102 chipset. The strange thing here is that the Enrollee Nonce follows a strange pattern:

    Code:
    XX:XX:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    Usually, E-S1 and E-S2 are generated right after the Enrollee Nonce, so I'd bet there is some sort of issue here. Here is a download link for the open source firmware and a list of AR9130/AR9102 devices for comparison against other devices.

    3- Finally, another user pointed out a different Realtek chipset, the RTL8671 (as well as other SoC DSL/Wireless modems). I assume that since this chip is a SoC, it may use a different PRNG. The nonces follow another strange pattern that as of right now we haven't been able to determine. Here is the pattern:

    Code:
    00:00:XX:XX:00:00:XX:XX:00:00:XX:XX:00:00:XX:XX
    There is a device that has been confirmed to follow this pattern, a DIGISOL DG-BG4100NU. The firmware can be downloaded and extracted with binwalk here, and the source code for the RTL8186 chip can be found here.

    --I already know that Wiire, Datahead and I are looking into these but they are both very busy and I don't know enough C to read code and understand it completely. T6_x is also looking into some interesting stuff as well. I'm coming back to the community looking for help! Maybe we can do this one without Bongard! That is my goal this time, and it probably doesn't help to make this public but that's alright! Leave a reply if you have any questions or comments and thanks in advance!
    Last edited by soxrok2212; 2015-06-10 at 04:26.

  3. #3
    Join Date
    2015-Apr
    Posts
    12
    Quote Originally Posted by soxrok2212 View Post
    Okay so 3 new things have been brought to my attention, some of which I've already pointed out but I just want to clear things up.
    1- Someone recently e-mailed me about an Atheros device, specifically a D-Link DIR-600 rev A1. This device has an AR9285. A few months ago, the static PKE in Realtek devices made me question their implementation. Many of you know that PKE:
    Code:
    d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
    Well, it turns out that this device also has a static PKE!
    Code:
    91:72:d8:6a:3d:bc:4c:5b:89:c8:b9:86:ff:31:ee:96:b9:bc:ab:ac:cc:1d:42:77:1d:46:09:a3:91:e3:b9:b2:c2:80:a3:2e:b4:01:58:36:f9:90:02:be:ab:94:69:31:38:4e:84:d2:7a:06:7e:bb:f6:15:9b:08:a6:55:67:48:29:c1:b0:69:fb:79:51:a8:d0:d5:bf:8d:65:58:71:4e:be:0d:33:68:30:87:04:7e:71:99:d1:26:e7:fa:8a:55:2a:b6:be:c5:23:f6:87:c8:f8:bd:6c:77:0c:09:3f:40:83:64:90:35:47:0f:b8:1b:6d:31:d5:3e:2f:35:7a:27:16:57:d8:1e:0c:8b:41:f5:1c:3b:b0:31:f5:b0:d7:23:40:26:7b:ce:b5:fd:07:c6:58:64:06:1a:45:55:4b:c4:ca:3b:50:57:bd:a0:fc:7c:69:7f:06:79:52:4e:30:1a:6d:f8:16:6e:1b:9f:51:97:e8:40:2f:9b:97:d1:7e:7e
    I wasn't able to find source code for this specific model and unfortunately I can't find a firmware link either.
    Perhaps this will help. ftp://ftp2.dlink.com/PRODUCTS/DIR-60...WARE_1.0.1.ZIP Or you can try Craig's D-Link wps pin generator?

  4. #4
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by DetmL View Post
    Perhaps this will help. ftp://ftp2.dlink.com/PRODUCTS/DIR-60...WARE_1.0.1.ZIP Or you can try Craig's D-Link wps pin generator?
    You had a device with a strange E-Nonce that followed the XX:XX:00:00:XX:XX:00:00... pattern right? If so, can you grab like 5-10 sets of data? (Use PixieLoop mode in Reaver so you don't get locked out)

  5. #5
    Join Date
    2015-Apr
    Posts
    12
    Quote Originally Posted by soxrok2212 View Post
    You had a device with a strange E-Nonce that followed the XX:XX:00:00:XX:XX:00:00... pattern right? If so, can you grab like 5-10 sets of data? (Use PixieLoop mode in Reaver so you don't get locked out)
    http://www.mediafire.com/download/l8b3gb98k474c3l/Pixie

  6. #6
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Awesome thanks!

  7. #7
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by DetmL View Post
    Perhaps this will help. ftp://ftp2.dlink.com/PRODUCTS/DIR-60...WARE_1.0.1.ZIP Or you can try Craig's D-Link wps pin generator?
    Yeah I know about the PIN generator, but a chip based ATTACK would be more widespread and for other manufacturers as well.

  8. #8
    On some Technicolor the modified reaver recovers the pin but not the passphrase; it freezes on

    [+] Running reaver with the correct pin, wait ...
    [+] Cmd : reaver -i wlan1mon -b 18:17:25:xx:xx:xx -c 11 -s y -vv -p xxxxxxxx
    [Reaver Test] [+] BSSID: 18:17:25:xx:xx:xx
    [Reaver Test] [+] Channel: 11
    If such a thing happens, use bully to recover it.
    Example:
    bully -b 18:17:25:xx:xx:xx -c 11 -B -v 2 -p xxxxxxxx
    It worked for me.

  9. #9
    Try to add -n to your reaver line
    (by the way, that is not a pixie dust issue and it should be posted somewhere else)

  10. #10
    Join Date
    2015-Jun
    Posts
    1
    What also works is running aireplay-ng to force an association with the AP while you run reaver.
    example:
    aireplay-ng -1 12 -a <BSSID OF AP> -h <MAC ADDR. OF WIFI CARD> mon0

  11. #11
    Join Date
    2015-Jun
    Posts
    3

    WPS Pixie Dust Attack (Offline WPS Attack)

    I have a TP Link router which I cannot break. Brute forcing also doesn't work. And I have to say that this is the only router that outputs e-s1 and e-s2.
    I can see in my area about 100 devices and only this TP Link outputs e-s1 and e-s2. My other router is Arcadyan with RT2860 chipset and I can read Authkey, PKE, etc... but e-s1 and e-s2 are never displayed by reaver.
    Is there a way to force displaying e-s1 and e-s2 ?
    Pixiewps description says that Ralink chipset never generates e-s1 and e-s2 and they are always zero. How do I run pixiewps in this case?

    Here is a gist with reaver output of the TP LINK WR841N:
    https://gist.github.com/anonymous/6184dc4f7f9fe19ef46d

  12. #12
    oh could there be progress with Atheros stuff???

  13. #13
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by wn722 View Post
    oh could there be progress with Atheros stuff???
    Maybe with the Tick Tock attack, but then again there are a lot of prerequisites for the attack to work, and it will really just optimize the regular 2011 online brute force. But you never know!

  14. #14
    Join Date
    2015-Jul
    Posts
    1
    I think this may not be the correct space to ask for help with my issue; going to make a new thread sorry! please delete
    Last edited by Gurgg; 2015-07-26 at 22:08. Reason: delete

  15. #15
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Anyone familiar with IDA Pro or binwalk or examining firmwares in general?

    I found some interesting articles and documents highlighting flaws in /dev/random in embedded systems, thought I'd share with you. If you are not experienced, you probably won't understand much of it (that's me) but from what I understand, embedded systems from before July 2012 (or maybe even after) may be potentially vulnerable as they don't have a sufficient amount of entropy after being plugged in. The problem with newer devices (not sure about older devices) is that upon reboot, they save the entropy pool through a reboot/power loss. This is why forcing/DOSing an AP so it reboots is not effective in clearing entropy pools. I'm not sure if the same feature exists in pre-2012 devices so it may be something worth looking into. Heck, it's even something Dominique noted in his presentations.

    I guess one of the maintainers of /dev/random in Linux commented on his worries about the subject here: https://news.ycombinator.com/item?id=6548893

    And the whole conference is available here: https://factorable.net/weakkeys12.conference.pdf

    What's even more intriguing about this is that older hardware is more susceptible to DOS/force rebooting. The research paper explains how there were a lot of duplicate security keys used in various embedded systems, including "enterprise-grade routers from Cisco; server management cards from Dell, Hewlett-Packard, and IBM; virtual-private-network (VPN) devices; building security systems; network attached storage devices; and several kinds of consumer routers and VoIP products" (quoted from conference.pdf). This is what made them question the implementation. If there are a lot of duplicate keys, then there must not have been sufficient entropy feeding the PRNGs.

    t6_x has ventured into the realm of Atheros devices and found that in hostapd, the WPS protocol is stopped before sending the M3 message if there is not sufficient entropy.

    As you can see, there are many barriers to break, but much possibility for older devices, or maybe even newer devices if they don't include the patch released following the research. I mean, some manufacturers had zero security so anything is possible!

  16. #16
    Join Date
    2013-Jul
    Posts
    844
    To soxrok2212

    As we have noted to you in e-mails reference field experiments opening a WPS locked system - this DOS/forced rebooting does not seem to result in a total router reboot and the removal of the WPS locking mechanism. Rather it seems to affect the internal systems allowing for the collection of a small number of pins after the router is subjected to a short (15-20 sec) but intense DDOS process. Hence the WPS system always shows a locked state but small numbers of WPS pins can be collected after a DDOS and rest period. Usually approx 5 to 10 pins can be harvested every 360 seconds as a general rule.

    Furthermore this short DDOS process sometimes results in the WPS pin resetting to 12345670. We have embedded this pin retest function into the VMR-MDK process which can considerably shorten the attack time required.


    In field trials we have been getting good results from our lab variant VMR-MDK011x8 that we sent you which employs pixiedustwps1.1 and the automatic adding of any WPS pin found into the 4 stage attack process as well. However this is not a magic bullet and only a subset of routers are vulnerable to this approach.

    MTeams

  17. #17
    Join Date
    2015-Jul
    Posts
    4
    Hi,
    I have some questions.
    For offline cracking you need KeyWrapKey and AuthKey? How can you find them?

    thanks for help!
    Last edited by lllhamedlll; 2015-07-30 at 05:54.

  18. #18
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by lllhamedlll View Post
    Hi,
    I have some questions.
    For offline cracking you need KeyWrapKey and AuthKey? How can you find them?

    thanks for help!
    You don't need the KeyWrapKey. It is used for making a bunch of other keys. The Authkey is printed in reaver, which is also included in Kali. Use -vvv for the verbosity mode.

  19. #19
    Join Date
    2015-Jul
    Posts
    4
    Quote Originally Posted by soxrok2212 View Post
    You don't need the KeyWrapKey. It is used for making a bunch of other keys. The Authkey is printed in reaver, which is also included in Kali. Use -vvv for the verbosity mode.
    Thanks... and how can we derive AuthKey manually? ... Before starting the attack:
    we have KDK = HMAC-SHA-256{DHKey}(N1 || EnrolleeMAC || N2)... DHKey = SHA-256(g^AB mod p)... and

    AuthKey || KeyWrapKey || EMSK = kdf(KDK, "Wi-Fi Easy and Secure Key Derivation", 640)

    so we should know the value on the right side of the equation... so we have AuthKey... right?

    I want to study the attack in detail... thanks...
    Last edited by lllhamedlll; 2015-07-31 at 09:09.

  20. #20
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by lllhamedlll View Post
    Thanks... and how can we derive AuthKey manually? ... Before starting the attack:
    we have KDK = HMAC-SHA-256{DHKey}(N1 || EnrolleeMAC || N2)... DHKey = SHA-256(g^AB mod p)... and

    AuthKey || KeyWrapKey || EMSK = kdf(KDK, "Wi-Fi Easy and Secure Key Derivation", 640)

    so we should know the value on the right side of the equation... so we have AuthKey... right?

    I want to study the attack in detail... thanks...
    All the answers to your questions can be found here: http://cfile28.uf.tistory.com/attach...50FCFFCB3EC74E

    Look on page 37.

    You can also watch Dominique's video: http://video.adm.ntnu.no/pres/549931214e18d and look at his slides: http://archive.hack.lu/2014/Hacklu20...ack_on_wps.pdf

    They'll help you a lot. Glad to see someone who, like me, wants to understand the attack rather than just do it.

  21. #21
    Join Date
    2015-Jul
    Posts
    4


    Quote Originally Posted by soxrok2212 View Post
    All the answers to your questions can be found here: http://cfile28.uf.tistory.com/attach...50FCFFCB3EC74E

    Look on page 37....
    Quote Originally Posted by wiire View Post
    The WPS protocol uses the Diffie-Hellman key exchange which is a method of securely exchanging cryptographic keys over a public channel. Alice wants to talk to Bob but they don't want anyone else to be able to eavesdrop on their conversation....

    Thanks soxrok2212!!!

    I will study them...

    And of course thanks to wiire!!!

    I think it is not possible to explain it better...

    Is this the last and best attack on WPS or not?
    Last edited by lllhamedlll; 2015-08-01 at 10:27.

  22. #22
    Quote Originally Posted by lllhamedlll View Post
    Thanks... and how can we derive AuthKey manually? ... Before starting the attack:
    we have KDK = HMAC-SHA-256{DHKey}(N1 || EnrolleeMAC || N2)... DHKey = SHA-256(g^AB mod p)... and

    AuthKey || KeyWrapKey || EMSK = kdf(KDK, "Wi-Fi Easy and Secure Key Derivation", 640)

    so we should know the value on the right side of the equation... so we have AuthKey... right?

    I want to study the attack in detail... thanks...
    The WPS protocol uses the Diffie-Hellman key exchange which is a method of securely exchanging cryptographic keys over a public channel. The AP wants to talk to the Client but they don't want anyone else to be able to eavesdrop on their conversation.

    To accomplish this, they both generate a pair of keys (a public key and a private key):

    - First the AP generates a (hopefully) random private key (A).
    - Then it generates its public key, PKe = g^A mod p, where g and p are known and described by the WPS protocol, and sends it to the Client (with M1).

    Now, it's the turn of the Client to generate its pair of keys:
    - random private key (B)
    - PKr = g^B mod p, and sends PKr to the AP (with M2).

    At this point they both have each other's public key and find the 'shared secret', a common key used to set up a secure channel.

    To find the shared secret (g^(AB) mod p):
    - the AP does: shared_secret = PKr^A mod p (which is equal to g^(AB) mod p)
    - the Client does: shared_secret = PKe^B mod p (which is equal to g^(AB) mod p)

    It may seem like magic at first but it's simple math.

    From this point on the WPS protocol imposes these steps:
    - DHKey = SHA-256(shared_secret)
    - KDK = HMAC-SHA-256{DHKey}(Enrollee nonce || Enrollee MAC || Registrar nonce), DHKey is used as key for the hash function
    - AuthKey || KeyWrapKey || EMSK = kdf(KDK, “Wi-Fi Easy and Secure Key Derivation”, 640)

    where || denotes concatenation (kdf outputs a sequence of bytes, the first 256 are for AuthKey...).

    AuthKey stands for Authentication session Key and it is, in fact, a session key.

    Now if you are thinking of something like, "I sniff packets with Wireshark and then I generate AuthKey with the data collected": no, you can't. The Diffie-Hellman key exchange does not allow eavesdropping. It all starts with the pair of keys (public and private). To get to AuthKey you need the private key of one of the two involved entities (AP or Client). So Pixiewps needs AuthKey to work, which is provided by Reaver/Bully.

    After M2 (before M3) they both have a secure channel to talk in.

    However, Reaver >= 1.3 has a feature called "Small Diffie-Hellman keys" (-S, --dh-small). Enabling this feature causes Reaver to choose a static, not random private key, specifically the number 1.

    So if we use this feature with Reaver then the shared_secret becomes: g^(AB) mod p = PKe^B mod p = PKe mod p = PKe (g = 2, B = 1, p > 2).

    PKe is calculated as g^A mod p, meaning that, PKe mod p = PKe (< p).

    EDIT: of course you can calculate AuthKey every time you know the private number (it doesn't have to be 1). With 1 it's just simpler.
    Last edited by wiire; 2015-08-01 at 09:46. Reason: Added more info, fixed typo
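A worked Python version of the key schedule wiire describes, added here as an example (it is not code from the thread, from Reaver or from Pixiewps): it runs the Diffie-Hellman exchange in the 1536-bit MODP group the WPS specification uses, derives DHKey, KDK and AuthKey || KeyWrapKey || EMSK from the three formulas above, and checks that with Reaver's small-DH private key B = 1 the shared secret is simply PKe. The nonces, MAC and private keys are constructed sample values, and the RFC 3526 prime is assumed to be transcribed correctly.

```python
import hashlib
import hmac
import struct

# RFC 3526 group 5 (1536-bit MODP prime, generator g = 2), the group the WPS
# specification uses. Assumption: transcribed from the RFC; verify it against
# RFC 3526 before reusing it anywhere that matters.
WPS_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    16,
)
WPS_G = 2
PK_LEN = 192  # 1536 bits: the size of the PKE/PKR values quoted in this thread
KDF_LABEL = b"Wi-Fi Easy and Secure Key Derivation"


def dh_public(private: int) -> bytes:
    """PK = g^private mod p, encoded as the 192-byte big-endian value WPS sends."""
    return pow(WPS_G, private, WPS_P).to_bytes(PK_LEN, "big")


def dh_shared_secret(peer_public: bytes, private: int) -> bytes:
    """shared_secret = peer_PK^private mod p, i.e. g^(AB) mod p on both sides."""
    peer = int.from_bytes(peer_public, "big")
    return pow(peer, private, WPS_P).to_bytes(PK_LEN, "big")


def wps_kdf(key: bytes, total_bits: int) -> bytes:
    """kdf(key, label, total_bits) as the WPS spec defines it: concatenate
    HMAC-SHA-256(key, be32(i) || label || be32(total_bits)) for i = 1, 2, ...
    until total_bits/8 bytes are available, then truncate to that length."""
    out = b""
    block = 1
    while len(out) < total_bits // 8:
        msg = struct.pack(">I", block) + KDF_LABEL + struct.pack(">I", total_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[: total_bits // 8]


def wps_session_keys(shared_secret: bytes, enrollee_nonce: bytes,
                     enrollee_mac: bytes, registrar_nonce: bytes) -> dict:
    """The three steps listed above: DHKey, KDK, then the 640-bit kdf output
    split into AuthKey (256 bits), KeyWrapKey (128 bits) and EMSK (256 bits)."""
    dhkey = hashlib.sha256(shared_secret).digest()
    kdk = hmac.new(dhkey, enrollee_nonce + enrollee_mac + registrar_nonce,
                   hashlib.sha256).digest()
    keys = wps_kdf(kdk, 640)  # 80 bytes
    return {"AuthKey": keys[:32], "KeyWrapKey": keys[32:48], "EMSK": keys[48:80]}


def registrar_small_dh(pke: bytes):
    """Registrar side with Reaver's --dh-small: private key B = 1, so PKr is
    g^1 mod p = 2 and shared_secret = PKe^1 mod p = PKe itself."""
    pkr = dh_public(1)
    shared = dh_shared_secret(pke, 1)
    return pkr, shared


def demo() -> dict:
    """Walk the exchange with constructed sample values and return the keys."""
    # Constructed sample values (not from any real device).
    enrollee_private = int.from_bytes(hashlib.sha256(b"sample AP private").digest(), "big")
    n1 = bytes(range(16))              # Enrollee nonce
    n2 = bytes(range(16, 32))          # Registrar nonce
    enrollee_mac = bytes.fromhex("001122334455")

    pke = dh_public(enrollee_private)           # sent in M1
    pkr, shared_registrar = registrar_small_dh(pke)  # PKr sent in M2
    shared_enrollee = dh_shared_secret(pkr, enrollee_private)
    assert shared_registrar == shared_enrollee == pke  # both sides agree, and it is PKe

    return wps_session_keys(shared_registrar, n1, enrollee_mac, n2)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.hex()}")
```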

  23. #23
    Join Date
    2015-Aug
    Posts
    2
    [attachment: Screenshot_2015-7-8-11-20.jpg]
    Do these scripts work on NetHunter? Sorry for the bad capture, couldn't do it any other way, but you see the point: I can't use either mdk3 from Kali or the one by team musket after make install mdk3-v6.
    Last edited by zen4; 2015-08-08 at 22:03.

  24. #24
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I don't know, my only pentesting platform is Kali on my laptop. You'd have to ask in the nethunter part of this forum.

  25. #25
    Join Date
    2015-Aug
    Posts
    1
    thank you very much

  26. #26
    Join Date
    2015-Aug
    Posts
    1
    Hi

    I run reaver -i wlan0mon -c xx -b mac -K 1

    On 3 of my routers (I have a D-Link, Netgear and Belkin) it runs to completion but only finds the password on the older Belkin router; on the others it says PIN NOT FOUND.

    Am I doing something wrong, or is this normal and this type of attack no longer works on newer routers? Is there anything better to try?

    Thanks

  27. #27
    Join Date
    2015-Sep
    Posts
    1
    Quote Originally Posted by therookie9 View Post
    Hi

    I run reaver -i wlan0mon -c xx -b mac -K 1

    On 3 of my routers (I have a D-Link, Netgear and Belkin) it runs to completion but only finds the password on the older Belkin router; on the others it says PIN NOT FOUND.

    Am I doing something wrong, or is this normal and this type of attack no longer works on newer routers? Is there anything better to try?

    Thanks
    This means your router is invulnerable to the Pixie Dust attack.

  28. #28
    Join Date
    2015-Sep
    Posts
    5
    Hi soxrok2212 !!!

    Thanks for the WPS Pixie Dust Database.xls file. In column F (Vulnerable?) = No. Does it mean the specified chip won't be vulnerable with the -f option also, or just with the -K option of reaver?

  29. #29
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by blackdream View Post
    Hi soxrok2212 !!!

    Thanks for the WPS Pixie Dust Database.xls file. In column F (Vulnerable?) = No. Does it mean the specified chip won't be vulnerable with the -f option also, or just with the -K option of reaver?
    I think you are a bit confused here: -f is ONLY for Realtek devices when E-S1 and E-S2 are not generated within the same second, or within a few seconds of the Nonce. All -f does is run all the possible seeds through the PRNG (seeds in this specific case are the time in seconds since the Epoch). -f is NOT a solution for any router, ONLY Realtek when E-S1 and E-S2 are not generated in the same second, or within a few seconds of the Nonce. In the database, "No" means that the specified AP is NOT currently vulnerable to the Pixie Dust attack.

  30. #30
    Join Date
    2015-Sep
    Posts
    5
    Thank you soxrok2212 !!

  31. #31
    Join Date
    2015-Jul
    Posts
    4
    I can't find an answer to my question anywhere... and can't message anyone in this forum... so I'm forced to ask here:
    In the PBC method... the enrollee doesn't know any secret value... just press the button and finish!... So how is it possible to send the M3, M5 or M7 message?... It seems in this method sending these values is not necessary!

  32. #32
    From what I've seen, even a Push Button Event is still a normal WPS transaction. It still runs through the whole M1 through M8; it will just accept, I think, any pin you throw at it. I tested that a while ago. PBE, then with reaver I tried pin 00000000 and it went through successfully as a full WPS transaction and retrieved the PSK.

  33. #33
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Just re-installed KL1.1.0a, and when trying to apt-get install libssl-dev, libpcap-dev and libsqlite3-dev I get this..

    root@kali:~# apt-get install libssl-dev
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    libssl-dev is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    root@kali:~# apt-get install libpcap-dev
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package libpcap-dev
    root@kali:~# apt-get install libsqlite3-dev
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package libsqlite3-dev
    root@kali:~#
    Any ideas?
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  34. #34
    Join Date
    2015-Apr
    Posts
    29
    sudo gedit /etc/apt/sources.list

    Code:

    #

    # deb cdrom:[Debian GNU/Linux 2.0 _Sana_ - Official Snapshot amd64 LIVE/INSTALL Binary 20150811-08:02]/ sana contrib main non-free

    #deb cdrom:[Debian GNU/Linux 2.0 _Sana_ - Official Snapshot amd64 LIVE/INSTALL Binary 20150811-08:02]/ sana contrib main non-free

    deb http://security.kali.org/kali-security/ sana/updates main contrib non-free
    deb-src http://security.kali.org/kali-security/ sana/updates main contrib non-free

    deb-src http://http.kali.org/kali sana main non-free contrib
    deb-src http://security.kali.org/kali-security sana/updates main contrib non-free

    deb http://http.kali.org/kali sana main non-free contrib

    deb http://http.kali.org/kali kali main contrib non-free
    deb http://security.kali.org/kali-security kali/updates main contrib non-free

    deb http://repository.spotify.com stable non-free
    and

    sudo apt-get install linux-headers-$(uname -r)

  35. #35
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Thanks Laserman75, was afraid that "sudo apt-get install linux-headers-$(uname -r)" would break my installation since it's not the latest Kali. Same for those "sana" repos I presume? It will all work with KL1.1.0a??

    Edit: I do not want to upgrade to KL2. That is the whole point of reinstalling 1.1.0

    Edit2: Anyway, I've installed manually and everything works beautifully..

    https://packages.debian.org/wheezy/libsqlite3-dev and searched for each reaver/pixie dependency 'wheezy' package and downloaded them. Then installed them in that order..

    dpkg -i libc6-dev_2.13-38+deb7u8_amd64.deb
    dpkg -i libpcap0.8-dev_1.3.0-1_amd64.deb
    dpkg -i libpcap-dev_1.3.0-1_all.deb
    dpkg -i libsqlite3-0_3.7.13-1+deb7u2_amd64.deb
    dpkg -i libsqlite3-dev_3.7.13-1+deb7u2_amd64.deb
    dpkg -i libssl1.0.0_1.0.1e-2+deb7u17_amd64.deb
    dpkg -i libssl-dev_1.0.1e-2+deb7u17_amd64.deb

    Nice to see mon0 again
    Last edited by Quest; 2015-10-12 at 20:30.

  36. #36
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Quest View Post
    Thanks Laserman75, was afraid that "sudo apt-get install linux-headers-$(uname -r)" would break my installation since it's not the latest Kali. Same for those "sana" repos I presume? It will all work with KL1.1.0a??

    Edit: I do not want to upgrade to KL2. That is the whole point of reinstalling 1.1.0

    Edit2: Anyway, I've installed manually and everything works beautifully..

    https://packages.debian.org/wheezy/libsqlite3-dev and searched for each reaver/pixie dependency 'wheezy' package and downloaded them. Then installed them in that order..

    dpkg -i libc6-dev_2.13-38+deb7u8_amd64.deb
    dpkg -i libpcap0.8-dev_1.3.0-1_amd64.deb
    dpkg -i libpcap-dev_1.3.0-1_all.deb
    dpkg -i libsqlite3-0_3.7.13-1+deb7u2_amd64.deb
    dpkg -i libsqlite3-dev_3.7.13-1+deb7u2_amd64.deb
    dpkg -i libssl1.0.0_1.0.1e-2+deb7u17_amd64.deb
    dpkg -i libssl-dev_1.0.1e-2+deb7u17_amd64.deb

    Nice to see mon0 again
    So are you all set then?

  37. #37
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    yup set and happy to see 1.1.0

  38. #38
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Quest View Post
    yup set and happy to see 1.1.0
    Awesome, I am also considering building a new rig, if i can find the money... wondering if I should go with 1.1.0 or 2.0...

  39. #39
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Strange situation we are in. The good news is, one does not prevent the other. As a main OS though... good luck with that. What they were thinking upstream worries me a bit more... Wish I'd be a bit more constructive, but really I'm lost (more than usual).

  40. #40
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I'd just like to leave a comment here, as of today, November 21, 2015, 56/96 devices reported have been confirmed vulnerable. That's 58.3%! While I assure you this is not real-world accurate as people probably don't report as many failed tests as successful test, these are still some pretty high numbers! If you manage to find more, both vulnerable and not vulnerable, please report here! Thanks! https://docs.google.com/spreadsheets...gid=2048815923

  41. #41
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Don't get discouraged, this is nothing new, and probably won't turn out to be anything sufficient but you miss 100% of the shots you don't take so I might as well try.

    Tonight I was doing some research on the LRNG (Linux Random Number Generator) and I came across this interesting document http://eprint.iacr.org/2006/086.pdf

    It highlights how the LRNG works in various systems, embedded systems, and directly (but briefly) targets OpenWRT. Mind you I don't have a degree in Computer Science, nor Computer Security bla bla bla, but according to this document, the ONLY source of entropy in kernel 2.6.10 (yes it is pretty old) is from network traffic. Apparently in this version, entropy was not carried across reboots, though I believe most current networking devices that run Linux do save it now, but let's not jump to conclusions yet. I haven't finished reading the whole document as it is very late but I figured I'd share to see what you maybe more, maybe less advanced people think.

    Even if this practically exists across a small fraction of routers still in use today, it certainly seems to be something worth looking into. Let me know what you think!

  42. #42
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580

    Thread of the year 2015

    It's not often I've witnessed a concept based upon vague and obscure notions actually materialize into workable software.

    When I first posted I was both interested and skeptical. The skeptical part was proven wrong and quickly dissipated as it, unbelievably, happened. This thread is where the actual, workable, revolutionary and delicious program was born, only because soxrok2212 understood then the potential and the mechanics of the Pixie attack well enough to gather the energies here to make it happen for us all. So many thanks guys! To Dominique Bongard for the original R&D, wiire for the actual software that we, common mortals, use, DataHead, t6_x, aanarchyy, FrostyHacks, and soxrok2212 for the leadership, but most importantly, your Jedi skills.

    Cheers!!
    Last edited by Quest; 2015-12-21 at 03:14.

  43. #43
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Wasn't just me, primarily Datahead. He was my inspiration, he had all the concepts understood before I did (way before I did, in fact) and he really deserves the trophy on this one. Had it not been for him, I think I would've given up. No I am not just saying this to be nice, it was really Datahead all along, look at me as just the "messenger". Bongard provided the materials, Datahead provided the major concepts I was missing, FrostyHacks also helped me with some pieces I didn't have a grip on, aanarchyy is a bro and kept me inspired all along and provided some critical testing devices, and wiire made it all happen (publicly). But really, hats off to Datahead

  44. #44
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    More speculation about attacking the Linux Random Number Generator... probably just me rambling because it's late, but why not post? Anyway, my understanding in this post comes from here: http://www.blackhat.com/presentation...-Gutterman.pdf

    Now, not being an avid user of OpenWRT, I can't say how much of the research and discovery in this document is still true, but it can't hurt to try. Gutterman, the author of this document, claims that both /dev/random and /dev/urandom draw from the same entropy pool. What is the difference between /dev/random and /dev/urandom? Well, when entropy is low in the entropy pool, /dev/random blocks output until there is sufficient entropy, while /dev/urandom will always output data (this is true of all devices using the Linux RNG). Now, if I tell you that Hostapd's WPS implementation uses /dev/random, what do you think? Ponder this a minute before reading the next sentence, see if your gears start ticking!

    If we attack an arbitrary protocol that uses /dev/urandom, we can effectively drain the entropy pool without running the WPS protocol and risking lockouts/timeouts/etc. Before anything though, there are a few things that we have to consider, so don't get too excited (most of this is probably just me rambling).

    - The WPA/WPA2 protocol: nonces are generated, and it wouldn't seem reasonable to use /dev/random, because a device would not be able to join a network if a router was just installed, no entropy has been generated, and a device wants to join. Could we attack this protocol to drain the entropy pool? Guess we'll have to find out!

    - When will the LRNG/WPS protocol stop blocking? How much entropy is required to be able to use the entropy?

    - What are sources of entropy in an embedded system such as a wireless router? LAN traffic? WAN traffic? Would WAN traffic make sense in a non-internet-connected setup? What if temporary networks are set up and never have internet access? (LAN parties?) There are no hard drives, mice, keyboards or other peripherals in these types of embedded systems (yes, a large number of routers have USB ports, but it can't be assumed that all consumers actually use them).

    - Do entropy pools save across reboots? While I don't know of a stone cold answer, t6_x leads me to believe in recent versions of Linux they do.

    Update about an hour later: I just remembered that Bongard actually noted something in his slide presentation, low entropy across boot, making note of common states after reboot, though it's something he didn't really touch on. Maybe I'm actually onto something...
    Last edited by soxrok2212; 2015-12-31 at 05:57.

  45. #45
    Join Date
    2013-Jul
    Posts
    844
    Ref /dev/random and /dev/urandom

    Maybe you are answering a question MTeams has had for a long time. First, we are seeing a lot of WPS pin cracks at 12345670, or the default first pin. We have hacked through the router username and password and found the pin to be set to another pin.

    Maybe if /dev/random does not have enough random data (you call it entropy) to produce a random number, then the firmware just defaults the pin to 12345670, or in the case of /dev/urandom the randomness, due to lack of sufficient data, results in a default pin being produced. Hence heavy DDoS of the router with processes like mdk3 a (Authentication DoS mode) may in some cases overload the firmware and the /dev/random processes themselves fail. Hence it is not necessary to actually reset the router - just deplete it of the time to produce complete random numbers and certain operations can again be conducted.

    You may have also answered the question as to why the VMR-MDK series works: when you flood the router with short bursts of mdk3, a WPS router sometimes gives up more pins even when locked.

    We should look at tying up the router processes rather than attempting a reset.

    MTeams

  46. #46
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by mmusket33 View Post
    Ref /dev/random and /dev/urandom

    Maybe you are answering a question MTeams has had for a long time. First, we are seeing a lot of WPS pin cracks at 12345670, or the default first pin. We have hacked through the router username and password and found the pin to be set to another pin.

    Maybe if /dev/random does not have enough random data (you call it entropy) to produce a random number, then the firmware just defaults the pin to 12345670, or in the case of /dev/urandom the randomness, due to lack of sufficient data, results in a default pin being produced. Hence heavy DDoS of the router with processes like mdk3 a (Authentication DoS mode) may in some cases overload the firmware and the /dev/random processes themselves fail. Hence it is not necessary to actually reset the router - just deplete it of the time to produce complete random numbers and certain operations can again be conducted.

    You may have also answered the question as to why the VMR-MDK series works: when you flood the router with short bursts of mdk3, a WPS router sometimes gives up more pins even when locked.

    We should look at tying up the router processes rather than attempting a reset.

    MTeams
    Not sure about this theory, but it sure is interesting. Entropy doesn't affect the pin, it affects the secure keys used to protect the pin. Are you able to send me a pixielog of an instance where pin 12345670 is used instead of the sticker pin?

  47. #47
    Join Date
    2013-Jul
    Posts
    844
    To soxrok2212

    We will begin checking all the router firmware settings for those routers we can access. We have been seeing the pin reset on occasion. Sometimes during a reaver attack the router resets the pin to 12345670. As reaver checks this pin at the beginning of the attack, reaver then climbs to 99% and spins endlessly as it cannot find the pin. In such a case we would either add --pin=12345670 to the command line or simply restart a new reaver attack from the start. Reaver would then crack the WPA code when it checked 12345670. It happened enough for us to write a retest pin 12345670 feature in VMR-MDK.

    If you remember, we previously mentioned to you that if you run mdk3 type alpha (i.e. type a DDoS) using the same wifi device, i.e. mon0 or wlan0mon, as used with reaver, reaver can extract pins through the mdk3 fog. If you use a different device to run mdk3, then reaver cannot access the router.

    In response to your publication of papers dealing with depleting /dev/random processes, we stopped all other projects and immediately began running tests with simultaneous reaver/mdk3 attacks against WPS locked routers and/or routers which did not respond to reaver even when they were open.

    Even after only 24 hours of tests we are seeing interesting results.

    1. Some WPS locked routers gave up some pins.

    2. Open WPS enabled routers which do not respond at all to reaver begin responding.

    3. DDoS during a reaver attack seems to cause some routers to jump channels when just DDoSing them alone did not cause channel switching. And such channel switching always resulted in more WPS pins collected in cases where the router was locked.

    We have only tested this on a few targets.

    We suggest running reaver for, say, 180 seconds and mdk3 type alpha DDoS at the same time for 30 seconds. Thirty seconds after the reaver/mdk3 start, mdk3 terminates and reaver continues for 150 seconds and then restarts.

    As some WPS locked routers have been giving up pins slowly, we are trying to find a way to keep the pin collection going. We will write these routines into varmacscan??.sh, which will automate the process and give us a wider target base to check, and we will begin recoding VMR-MDK to allow a short mdk3 process at the start of the reaver attack.

    As a basic command line example:

    timeout 180 reaver -i mon0 -b 55:44:33:22:11:00 -vvv

    timeout 30 mdk3 mon0 a -a 55:44:33:22:11:00

    shutdown processes

    spoof macs

    restart

    These processes need to be automated.

    MTeams

  48. #48
    Join Date
    2016-Jan
    Posts
    1
    Congrats and well done on the great work. I know some of you guys have put in great efforts for pixie and other projects. I have been a kali user for a few years now and a reader of the forums, so hope you don't mind me asking a question.

    I have successfully used reaver on some listed vulnerable hardware, giving me the E-Nonce, PKE, R-Nonce, PKR, AuthKey, E-Hash1, E-Hash2, then running pixie to give me the WPS PIN and then the WPA KEY.

    However, there is one hardware AP that I reaver that gives me the E-Nonce, PKE, R-Nonce, PKR, AuthKey, E-Hash1, E-Hash2 but tells me WPS PIN not found. Am I correct in thinking that the fact that I get the E-Nonce, PKE, R-Nonce, PKR, AuthKey, E-Hash1, E-Hash2 means I have everything I need and the WPS PIN is to be found? Or is it not as simple as that?

    I say this because from some hardware you get nothing: no E-Nonce, PKE, R-Nonce, PKR, nothing at all. But this hardware is feeding back something, but reaver can't figure out the algorithm or whatever to get the WPS PIN.

    I take it this hardware isn't vulnerable, and what it is spitting out is of no use at all?

    Thanks in advance.

  49. #49
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    The attack is based on the fact that some chipset vendors generate weak security keys to "encrypt" the pin. I don't even think encryption is the right word, because it was a very pathetic attempt. Basically, some chipset manufacturers either made the encryption keys 0, or they made them predictable: they could be found from the nonce that was given to us in plaintext. In your case, you are probably trying on an invulnerable chipset manufacturer that uses a secure method of generating keys.

  50. #50
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Also, for those of you having trouble with Reaver, try Bully! https://github.com/aanarchyy/bully
    AAnarchYY recently modded it to support the pixie dust attack! Much faster and will compile on many more devices natively.
