Thread: WPS Tick Tock Attack

  1. #1
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520

    WPS Tick Tock Attack

    Hello Kali community!

    T6_x has requested that I write this thread since English is not his first language and it would be better if a native explained it. That being said, I do not take any credit for the research that went into this theory!

    *Use all this information at your own risk. Nobody is to be held responsible for what you do with anything that comes out of this thread*

    Now, here's the point of this thread. T6_x has been looking into Hostapd recently, and what he found is that in versions 0.5.9 to 2.0, it uses a poor way of checking hashes. What happens is when a WPS exchange is initiated and we send our 2 hashes to the AP in the M4 message, R-Hash1 and R-Hash2, the AP checks our hashes byte by byte. This can be exploited, though in a very difficult way.

    Assuming the AP does not lock out and is rather active, we as an attacker can count the time it takes for the router to either respond with a WSC NACK or the M5 message. Whoop-Dee-Coo right? Wrong! Since Hostapd checks our hashes byte by byte, we can estimate how much of the hash it has checked based on how quickly it has responded with one of the two possibilities! The longer it takes to get a response, the more of our hash we know was correct! Through statistical analysis and with an estimated 1000-4000 tested PINs, we can make a very educated guess as to what parts of our hash were correct and guess a PIN based off of the response times.

    We are still looking for ideas to make this approach better. Therefore, we are supplying download links for all versions of Hostapd. There are probably fresh and better ideas that you guys can come up with, ways that will reduce the amount of PINs needed to be tested before we can guess. Right now, we are beta testing this idea and analyzing data in Excel based on a graph. T6_x has reported success with this approach, but it could have just been luck so we want to open the idea to the community. After all, we did make the Pixie Dust attack a reality!

    Any questions or comments of any kind are welcome!

    Warm regards,
    soxrok2212, t6_x, wiire, and datahead
    Last edited by soxrok2212; 2015-06-09 at 01:45.

  2. #2
    Join Date
    2015-Apr
    Posts
    39
    In versions v0.5.9 to v2.0.0, Hostapd uses the following function for comparison:

    Code:
    int os_memcmp (const void * s1, const void * s2, size_t n)
    The function is described below


    Code:
    int os_memcmp(const void *s1, const void *s2, size_t n)
    {
        const unsigned char *p1 = s1, *p2 = s2;

        if (n == 0)
            return 0;

        /* Walks the buffers byte by byte and stops at the first
         * mismatch, so the time spent depends on how many leading
         * bytes of the two hashes agree. */
        while (*p1 == *p2) {
            p1++;
            p2++;
            n--;
            if (n == 0)
                return 0;
        }

        return *p1 - *p2;
    }
    This function is vulnerable when its execution time is measured.

    Therefore, with a sufficient amount of data, it is possible to find out the first byte of each hash tested.

    The newer versions past v2.0.0 do not have this flaw, since they check the hashes in a different way in order to correct this problem, but most routers use older versions of Hostapd.

    Basically, this is what occurs:

    The M4 message is sent to the router with R-Hash1 and R-S1.

    After the M4 message is sent, the router will take R-S1 and the correct PIN, and will generate a hash. Then it will compare the hash it generates with R-Hash1, and will do the same process for R-Hash2.

    The check is done by the function described above.

    The function attempts to verify byte by byte whether the generated hash is equal to R-Hash1, so if the first byte is equal, the function tests the second and thus spends more time processing.

    In this specific case, we don’t need to find all the hash bytes, we only need to find the necessary amount so the Pixie Dust attack can find an equal hash.


    The reason for this is that we are sending R-S1 in the M4 message, so we know which R-S1 it will be using.

    Therefore it is possible to use the Pixie Dust attack to find an equivalent hash.

    We are creating this post to find people who can help in these tests.

    For now the attack is theoretical, we are performing tests and we need help to get more results.


    *Excuse my English, soxrok2212 is helping me with the post
    Last edited by t6_x; 2015-06-08 at 06:14.
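    As an added example (not code from the thread, from t6_x, or from hostapd), the early-exit comparison that posts #1 and #2 describe is placed beside a constant-time comparison of the kind later hostapd releases moved to. A count of bytes examined stands in for the response time, the reference hash is a constructed stand-in for the value the AP derives from R-S1 and its PIN, and the function names are this example's own.

```c
/* Added example (not from the thread or hostapd): the early-exit comparison
 * described above beside a constant-time one. A count of bytes examined stands
 * in for the response time the post measures, so the leak shows up offline. */
#include <stdio.h>
#include <string.h>

#define HASH_LEN 32 /* R-Hash1 / R-Hash2 are HMAC-SHA-256 outputs */

/* Early-exit compare shaped like the quoted os_memcmp. *examined receives the
 * bytes looked at: matching prefix + 1 on a mismatch, n on a full match. */
static int leaky_memcmp(const unsigned char *a, const unsigned char *b,
                        size_t n, size_t *examined)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return a[i] - b[i];
        }
    }
    *examined = n;
    return 0;
}

/* Constant-time compare: every byte is visited and differences are OR-ed, so
 * the work done is independent of where the first mismatch is. 0 means equal. */
static int const_memcmp(const unsigned char *a, const unsigned char *b,
                        size_t n, size_t *examined)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    *examined = n;
    return diff != 0;
}

/* Bytes examined for a guess sharing its first `prefix` bytes (prefix <
 * HASH_LEN) with a constructed reference hash and wrong in the next byte. */
size_t examined_by(int constant_time, size_t prefix)
{
    unsigned char ref[HASH_LEN], guess[HASH_LEN];
    size_t examined;
    for (size_t i = 0; i < HASH_LEN; i++)
        ref[i] = (unsigned char)(i * 37 + 11); /* constructed stand-in for the AP's hash */
    memcpy(guess, ref, HASH_LEN);
    guess[prefix] ^= 0xFF;
    if (constant_time)
        const_memcmp(ref, guess, HASH_LEN, &examined);
    else
        leaky_memcmp(ref, guess, HASH_LEN, &examined);
    return examined;
}

int main(void)
{
    for (size_t p = 0; p < HASH_LEN; p += 8)
        printf("prefix %2zu: leaky examines %2zu bytes, constant-time %2zu\n",
               p, examined_by(0, p), examined_by(1, p));
    return 0;
}
```

    The leaky variant's count grows with the matching prefix, which is the signal the thread proposes to read from response times; the constant-time variant reports the same count for every guess.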

  3. #3
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    you know that it's going to be good when a thread starts with "*Use all this information at your own risk. Nobody is to be held responsible for what you do with anything that comes out of this thread*"

    I'm not doing anything Kali related until 1.1.1 comes out, but there are plenty others who will test this idea. Cheers!
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  4. #4
    Join Date
    2013-Sep
    Posts
    264
    I will not be able to do any testing before next week, but it looks very interesting and it is a funny approach. I like it.
    I guess we would need very good conditions and not a lot of traffic on the AP to be able to measure well the time spent in this byte-by-byte comparison.
    Congrats and thanks for your work and innovations, it is like something fresh for the summer (so hot right now!) < I don't know if that makes sense in English but... who cares?

  5. #5
    Join Date
    2015-Mar
    Posts
    141
    This sounds like you're brute-forcing the hash itself instead of the PIN, unless I am completely misinterpreting it.

  6. #6
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by aanarchyy View Post
    This sounds like you're brute-forcing the hash itself instead of the PIN, unless I am completely misinterpreting it.
    Kinda, it's more of comparing and analyzing.

  7. #7
    Join Date
    2013-Sep
    Posts
    264
    Is it possible to send a truncated M4 to the AP?
    Will the AP answer?
    Example: we send an M4 just with R-S1 and with one digit of the first half, only one.
    And then we send a second one, also with R-S1 and a different number as the first digit.
    Like this:
    1) We are lucky and we have in one of our two attempts the good first digit of the first half; I guess there will be a slight difference between an immediate fail with NACK and a strange fail for a non-complete string, so then we will pass to the second digit.
    2) Both are bad and we know the time it takes to get a NACK due to a bad first digit. We try the other possible values on our first half until we get a slightly longer answer < that is the good first digit.

    That would be 10 + 10 + 10 + 10 + 10 + 10 + 10 attempts (the last is the checksum) = max 70 attempts, and we would have on average 35 tries for brute force instead of 11000 (or 1000-4000 as suggested by soxrok2212).

    Stupid idea?

    Cheers

  8. #8
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by kcdtv View Post
    Is it possible to send a truncated M4 to the AP?
    Will the AP answer?
    Example: we send an M4 just with R-S1 and with one digit of the first half, only one.
    And then we send a second one, also with R-S1 and a different number as the first digit.
    Like this:
    1) We are lucky and we have in one of our two attempts the good first digit of the first half; I guess there will be a slight difference between an immediate fail with NACK and a strange fail for a non-complete string, so then we will pass to the second digit.
    2) Both are bad and we know the time it takes to get a NACK due to a bad first digit. We try the other possible values on our first half until we get a slightly longer answer < that is the good first digit.

    That would be 10 + 10 + 10 + 10 + 10 + 10 + 10 attempts (the last is the checksum) = max 70 attempts, and we would have on average 35 tries for brute force instead of 11000 (or 1000-4000 as suggested by soxrok2212).

    Stupid idea?

    Cheers
    We are working on optimization now. With a quick recent test, we were able to narrow down the first half of my PIN to 50 possibilities, and the data was not very good at all. Still making progress.

  9. #9
    Join Date
    2013-Sep
    Posts
    264
    With a quick recent test, we were able to narrow down the first half of my PIN to 50 possibilities
    Awesome
    and the data was not very good at all
    I don't really get this concept of "not very good at all"
    Anyway, happy to learn that t6_x (and you) made this fantastic progress
    "¡Adiosito!" (i'll be back home tomorrow night - €uro time - and if you need anything for testing or whatever... )

  10. #10
    Join Date
    2014-Jun
    Posts
    71
    I am willing to test it and contribute, but I don't really know much.

  11. #11
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    that's ok and welcome to the club frafri. Our mottos are: "hmm what??" and "make it work". Creativity being the main ingredient here with a touch of technical know-how.

  12. #12
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    It isn't really known yet if this approach works; we've been pretty distracted with Pixie Dust, but in one (probably not the greatest, and we didn't try to repeat it) test, we were able to narrow down the possible PINs A LOT with a USB connection and crappy signal quality.

    More testing still needs to be done with a PCI network card so the timing isn't off.

  13. #13
    Join Date
    2015-Aug
    Posts
    5
    I'm willing to help in any way. I installed hostapd; now I just need to know what to do.

  14. #14
    Join Date
    2015-Aug
    Posts
    2
    In order to not reduplicate efforts, what fields are you using in your excel stats currently? I don't mind helping out, but it would be useful to know what variables are currently being analyzed (and how), as well as which are currently not (and possibly should be).

    Also, more direct-code links of interest (such as other functions reliant on the one provided in https://forums.kali.org/showthread.p...ll=1#post46032) would help folks from bogging down in possibly irrelevant code review.

  15. #15
    Join Date
    2015-Apr
    Posts
    29
    Hello someone here?
    Any news on this topic?

  16. #16
    Join Date
    2015-Dec
    Posts
    1
    Quote Originally Posted by soxrok2212 View Post
    Assuming the AP does not lock out and is rather active...
    Interesting idea...but I feel like if the AP doesn't lock out and is rather active, this isn't all that useful. Maybe I'm not fully comprehending this concept, but it seems like this would theoretically just decrease the time it takes reaver to crack the pin of an AP that reaver would inevitably crack.

    Also, how would you deal w/ timeouts?

    You have to avoid false negatives and such when attacking APs w/ low signal strength...

  17. #17
    Join Date
    2015-Apr
    Posts
    29
    Hello someone here?
    Any news on this topic?

  18. #18
    Join Date
    2015-Apr
    Posts
    29
    @soxrok2212

    Is this project still alive?

  19. #19
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Not as of right now unfortunately.

  20. #20
    Join Date
    2016-Mar
    Posts
    2
    Quote Originally Posted by t6_x View Post
    In versions v0.5.9 to v2.0.0, Hostapd uses the following function for comparison:

    Code:
    int os_memcmp (const void * s1, const void * s2, size_t n)
    The function is described below


    Code:
    int os_memcmp(const void *s1, const void *s2, size_t n)
    {
        const unsigned char *p1 = s1, *p2 = s2;

        if (n == 0)
            return 0;

        /* Walks the buffers byte by byte and stops at the first
         * mismatch, so the time spent depends on how many leading
         * bytes of the two hashes agree. */
        while (*p1 == *p2) {
            p1++;
            p2++;
            n--;
            if (n == 0)
                return 0;
        }

        return *p1 - *p2;
    }
    This function is vulnerable when its execution time is measured.

    Therefore, with a sufficient amount of data, it is possible to find out the first byte of each hash tested.

    The newer versions past v2.0.0 do not have this flaw, since they check the hashes in a different way in order to correct this problem, but most routers use older versions of Hostapd.

    Basically, this is what occurs:

    The M4 message is sent to the router with R-Hash1 and R-S1.

    After the M4 message is sent, the router will take R-S1 and the correct PIN, and will generate a hash. Then it will compare the hash it generates with R-Hash1, and will do the same process for R-Hash2.

    The check is done by the function described above.

    The function attempts to verify byte by byte whether the generated hash is equal to R-Hash1, so if the first byte is equal, the function tests the second and thus spends more time processing.

    In this specific case, we don’t need to find all the hash bytes, we only need to find the necessary amount so the Pixie Dust attack can find an equal hash.


    The reason for this is that we are sending R-S1 in the M4 message, so we know which R-S1 it will be using.

    Therefore it is possible to use the Pixie Dust attack to find an equivalent hash.

    We are creating this post to find people who can help in these tests.

    For now the attack is theoretical, we are performing tests and we need help to get more results.


    *Excuse my English, soxrok2212 is helping me with the post
    I have time, and I am willing to do tests.
    I also sent (reply to soxrok) some data related to:
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Name: RTL8671
    [P] WPS Model Number: EV-2006-07-27
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message

    I cannot open this thing; I have been trying for almost 3 weeks now with data from the internet. It does not respond to MDK3 attacks,
    Pixie does not work, the router locks itself after 8-10 PINs and unlocks only with the power-off button,
    there is an AP connected to it with the same ESSID, no WPS enabled, I assume just a repeater; changing my MAC to that AP and attacking the main AP, they exchange beacons for a long time after the MDK3 attack finishes (I can see it with airodump).
    Also, bully gives me this:

    Code:
    [+] Rx( Auth ) = 'Timeout'   Next pin '65533147'
    [+] Rx( Auth ) = 'Timeout'   Next pin '65533147'
    [+] Rx( Auth ) = 'Timeout'   Next pin '65533147'
    [!] Unexpected packet received when waiting for EAP Req Id
    [+] Rx(  ID  ) = 'EAPFail'   Next pin '65533147'
    [!] Unexpected packet received when waiting for EAP Req Id
    [!] >000012002e48000000026c09a000c7010000080a3a01f079599cab0164517e23695764517e23695740d6aaaa03000000888e010001d1010e01d1fe00372a000000010400104a0001101022000104104700106304125310192006122864517e2369571020000664517e236957101a00104ddcc09557e79e22273ef74416dba57d103200c0d0141b15656e96b85fcead2e8e76330d2b1ac1576bb026e7a328c0e1baf8cf91664371174c08ee12ec92b0519c54879f21255be5a8770e1fa1880470ef423c90e34d7847a6fcb4924563d1af1db0c481ead9852c519bf1dd429c163951cf69181b132aea2a3684caf35bc54aca1b20c88bb3b7339ff7d56e09139d77f0ac58079097938251dbbe75e86715cc6b7c0ca945fa8dd8d661beb73b414032798dadee32b5dd61bf105f18d89217760b75c5d966a5a490472ceba9e3b4224f3d89fb2b10040002002710100002000f100d00010110080002008610440001021021001b5265616c74656b2053656d69636f6e647563746f7220436f72702e1023000752544c383637311024000d45562d323030362d30372d32371042000f3132333435363738393031323334371054000800060050f204000110110020334242204144534c20726f757465722031204c414e202b20576972656c657373103c000101100200020000101200020000100900020000102d000410000000[+] Rx(  ID  ) = 'EAPFail'   Next pin '65533147'
    [+] Rx( Auth ) = 'Timeout'   Next pin '65533147'
    [+] Rx(  M1  ) = 'Timeout'   Next pin '65533147'
    [+] Rx(  M1  ) = 'Timeout'   Next pin '65533147'
    [+] Rx(  ID  ) = 'Timeout'   Next pin '65533147'
    [+] Rx(  M1  ) = 'Timeout'   Next pin '65533147'
    [+] Rx(  M1  ) = 'Timeout'   Next pin '65533147'
    [+] Rx( Auth ) = 'Timeout'   Next pin '65533147'
    [!] Unexpected packet received when waiting for EAP Req Id
    Resending some data; as you can see, a short packet and a long packet:

    Code:
    2002e48000000026c09a000c901000008023a0100eebd905e4 a64517e23695764517e2369572019aaaa03000000888e01000 1d1012701d1fe00372a000000010400104a000110102200010 4104700106304125310192006122864517e236957102000066 4517e236957101a0010474526b30cefd65355dfe9c75f6d33d c103200c0d0141b15656e96b85fcead2e8e76330d2b1ac1576 bb026e7a328c0e1baf8cf91664371174c08ee12ec92b0519c5 4879f21255be5a8770e1fa1880470ef423c90e34d7847a6fcb 4924563d1af1db0c481ead9852c519bf1dd429c163951cf691 81b132aea2a3684caf35bc54aca1b20c88bb3b7339ff7d56e0 9139d77f0ac58079097938251dbbe75e86715cc6b7c0ca945f a8dd8d661beb73b414032798dadee32b5dd61bf105f18d8921 7760b75c5d966a5a490472ceba9e3b4224f3d89fb2b1004000 2002710100002000f100d00010110080002008610440001021 021001b5265616c74656b2053656d69636f6e647563746f722 0436f72702e1023000752544c383637311024000d45562d323 030362d30372d32371042000f3132333435363738393031323 334371054000800060050f2040001101100203342422041445 34c20726f757465722031204c414e202b20576972656c65737 3103c000101100200020000101200020000100900020000102 d000410000000[+] Rx( ID ) = 'EAPFail' Next pin '21907593'
    [+] Rx( Assn ) = 'Timeout' Next pin '21907593'
    [+] Rx( M1 ) = 'Timeout' Next pin '21907593'
    [+] Rx( ID ) = 'EAPFail' Next pin '21907593'
    [!] Unexpected packet received when waiting for WPS Message
    [!] >000012002e480000000c6c09c000cf0100000802360000eeb d905e4a64517e23695764517e236957001baaaa03000000080 046000020e47c000001029eb0c0a80101e0000001940400001 164ee9b00000000<
    [+] Rx( M1 ) = 'WPSFail' Next pin '21907593'
    [!] Unexpected packet received when waiting for EAP Req Id
    Last edited by sickn3ss; 2016-03-27 at 11:38.
