Page 1 of 12 123456789101112 LastLast
Results 1 to 50 of 583

Thread: WPS Pixie Dust Attack (Offline WPS Attack)

  1. #1
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520

    WPS Pixie Dust Attack (Offline WPS Attack)

    WPS Pixie Dust

    Disclaimer: I am not responsible for what you do with these tools or this information. The use of anything on this thread should only be attempted on networks you own or have permission to test. Links at the bottom, I want you to understand everything before you ask questions that can be easily answered *

    I've been looking into the new WPS security flaw found by Dominique Bongard. All of the information I am providing here is not mine, all credit goes to Bongard and the other wonderful sources listed at the bottom. This thread assumes you have some basic knowledge of the WPS exchange. If not, have a look at the "Complete WPS Specification" link posted at the bottom.

    Dominique Bongard discovered that some APs have weak ways of generating nonces (known as E-S1 and E-S2) that are supposed to be secret. If we are able to figure out what these nonces are, we can easily find the WPS PIN of an AP since the AP must give it to us in a hash in order to prove that it also knowns the PIN, and the client is not connecting to a rouge AP. These E-S1 and E-S2 are essentially the "keys to unlock the lock box" containing the WPS pin. You can kind of think of the whole thing as an algebra problem, if we know all but 1 variable in an equation, we just have to solve for x. X in this case is the WPS pin (this is not a perfect example but for beginners it should help

    Important parts of a WPS exchange: M1, M2, M3, other

    Enrollee Nonce
    PKE Public Key (Enrollee Public Key)

    Registrar Nonce
    PKR Public Key (Registrar Public Key)

    E-Hash1 = HMAC-SHA-256(authkey) (E-S1 | PSK1 | PKE | PKR)
    E-Hash2 = HMAC-SHA-256(authkey) (E-S2 | PSK2 | PKE | PKR)

    Authkey [derived from the KDK (Key Derivation Key)]

    Components

    E-Hash1 is a hash in which we brute force the first half of the PIN.
    E-Hash2 is a hash in which we brute force the second half of the PIN.
    HMAC is a function that hashes all the data. The function is HMAC-SHA-256.
    PSK1 is the first half of the router's PIN (10,000 possibilities)
    PSK2 is the second half of the router's PIN (10,000 possibilities)
    PKE is the Public Key of the Enrollee (used to verify the legitimacy of a WPS exchange and prevent replays.)
    PKR is the Public Key of the Registrar (used to verify the legitimacy of a WPS exchange and prevent replays.)

    Vendor Implementations


    In Broadcom eCos,
    these two nonces are generated right after the enrollee nonce (the public nonce generated by the AP.) We also know the function that gives us this data, so if we substitute in seeds, we will eventually find matching nonces, and from there we can find the E-S1 and E-S2 nonces.
    > E-S1 + E-S2 are generated from the same PRNG that generates the N1 Enrollee Nonce

    In Realtek,
    the PRNG is a function that uses the time in seconds from January 1st, 1970 until whenever the data in generated (basically when the WPS exchange starts.) The vulnerable part is that the chip uses the same generator to make the Enrollee nonce as it does to make E-S1 and E-S2. So if the whole entire exchange occurs in that same second, E-S1 = E-S2 = Enrollee Nonce. If it occurs over the course of a few seconds, then all we have to do is find the seed that gave us the Enrolle Nonce, and then increment it and taking the output as E-S1 and E-S2. Its a multivariable brute force, so it may take a little bit more time but not more than a few minutes on a modern PC.
    > E-S1 = E-S2 = N1 Enrollee Nonce or generated with seed = time

    In Ralink,
    E-S1 and E-S2 are never generated. They are always 0. Therefore, we just have to brute force the PIN and we're done.
    > E-S1 = E-S1 = 0

    In MediaTek,
    the same problem that Ralink has exists. E-S1 and E-S2 are never generated.
    > E-S1 = E-S2 = 0

    In Celeno, the same problem that Ralink has exists as these chips are just rebranded Ralink chips. E-S1 and E-S2 are never generated.
    > E-S1 = E-S2 = 0

    Conclusion
    Assuming we already know the PKE, PKR, Authkey, E-Hash1 and E-Hash2 since the router gives us these values (and vice versa) and we have figured out E-S1 and E-S2 by brute forcing them or knowing that they are equal to 0, we can run all the data through the hash function and try every pin until we have a matching hash (E-Hash1 and E-Hash2) that the AP gave us. When we are returned with a match, we can say "Ok, that last pin we used matched the hash from the M3 message. That must be the pin." Now we can take the pin we just brute forced and toss it into Reaver or Bully and the AP will say "Ok, you have the right pin, here are all my credentials," including the SSID, WPS Pin, and the WPA key.

    Preventing the attack
    Look up your device on Wikidevi. If your device contains one of the chipsets as listed above, disable WPS now. If your device does NOT contain one of the chipsets as listed above, disable WPS now.

    If you find anything new or wish to correct me, please do and post it in the comments! I will try to respond and keep you updated as frequently as possible!

    Resources

    1. Slide Presentation
    2. Video Presentation
    3. Hack Forums
    4. Diffie-Hellman Key Exchange
    5. Pseudo Random Number Generators
    6. WPS Background
    7. Complete WPS Specification (PDF Download)
    8. Broadcom PRNG Source
    9. Realtek PRNG Source
    10. Top Hat Sec
    11. First Tweet
    12. Database with affected/non affected models

    Tools


    Pixiewps 1.4.2: http://www.github.com/wiire-a/pixiewps
    Written by wiire
    Original Thread: https://forums.kali.org/showthread.p...st-attack-tool

    Reaver 1.6.5: https://github.com/t6x/reaver-wps-fork-t6x
    Modified by t6_x, rofl0r and datahead
    Original Thread: https://forums.kali.org/showthread.p...ie-Dust-Attack

    Bully 1.1: https://github.com/aanarchyy/bully
    Modified by AAnarchYY
    Original Thread: https://forums.kali.org/showthread.p...ixiewps-attack

    And I would like to give a special thanks to DataHead, Wiire, t6_x, aanarchyy, FrostyHacks and of course Dominique Bongard for all their help! Thank You!
    Last edited by soxrok2212; 2018-10-16 at 17:48. Reason: pixiewps 1.4.2, reaver 1.6.4

  2. #2
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Thanks soxrok2212 !

    Might as well post that in the Howtos.

    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  3. #3
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Quest View Post
    Thanks soxrok2212 !

    Might as well post that in the Howtos.

    Once I have a working solution, I will be sure to!

  4. #4
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    cool, but the thing is it might get shut down, as it not a 'Kali Linux General Use'. Moreover it is a howto that just needs some R&D. Just saying.

    Keep it up =]
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  5. #5
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Quest View Post
    cool, but the thing is it might get shut down, as it not a 'Kali Linux General Use'. Moreover it is a howto that just needs some R&D. Just saying.

    Keep it up =]
    I have it posted on hack forums too... getting some replies there.

  6. #6
    Is this the code you displayed starting around line 148?
    Please delete link if not allowed, thanks.
    http://trac.umnaem.webfactional.com/...and.cxx?rev=39

  7. #7
    Ignore above, i never noticed ooops

  8. #8
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by skycrazy View Post
    Is this the code you displayed starting around line 148?
    Please delete link if not allowed, thanks.
    http://trac.umnaem.webfactional.com/...and.cxx?rev=39
    Yes it is but the code has since changed. Bongard made this presentation back in November 2014 so its a bit different now.

  9. #9
    Join Date
    2015-Feb
    Posts
    6
    You are on the right track
    I do have a complete and working PoC program that I use. while it says few routers, I've found a lot more are vulnerable than one would think. All through trial and error of testing which router has which chipset, broadcom, ralink, atheros etc. around 12 of the 20 I've tested on, have been vulnerable.

  10. #10
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by datahead View Post
    You are on the right track
    I do have a complete and working PoC program that I use. while it says few routers, I've found a lot more are vulnerable than one would think. All through trial and error of testing which router has which chipset, broadcom, ralink, atheros etc. around 12 of the 20 I've tested on, have been vulnerable.
    Would you mind sharing? I can give you an email address... Thanks!

  11. #11
    Join Date
    2014-Oct
    Posts
    28
    Yea share the knowledge if you know something we do not. Thanks

  12. #12
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I have emailed Bongard I don't think that he's gunna release any tool... Sti waiting for a response from you datahead

  13. #13
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by datahead View Post
    You are on the right track
    I do have a complete and working PoC program that I use. while it says few routers, I've found a lot more are vulnerable than one would think. All through trial and error of testing which router has which chipset, broadcom, ralink, atheros etc. around 12 of the 20 I've tested on, have been vulnerable.
    OR could you explain how one can go about making their own tool? Such as what modifications we have to make to reaver?

  14. #14
    Hello guys I am new to Kali Linux, reaver , aircrack and such. I was able to audit my Linksys E1000 with Reaver.

    But I wanted to know if you guys knew about wpispin . Its a software for windows but it contains a database with WPS pin. I am going to attach some screenshoots
    http://postimg.org/image/l7af4yy15/ , http://postimg.org/image/o0se9ux99/

    The name of it its WPS-PIN I think the source is www.inforprograma.net , the software is in spanish. It is very interesting

  15. #15
    Join Date
    2014-Jan
    Posts
    12
    wpspin, yes it help me found some key in a 3 second
    the window version is WPSPIN Betis-Jesus
    the other one works on Kali
    wpspin v1.5

  16. #16
    What do you usually do when the AP limiting error comes.

  17. #17
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by frafri View Post
    What do you usually do when the AP limiting error comes.
    Check this out
    https://forums.kali.org/showthread.p...highlight=mdk3

  18. #18
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by soxrok2212 View Post
    Ahh soxrok2212..this thread brings back memories ....when I struggled with bash..my first script....I am still making lengthy roadways in bash and python .thanks to this site====>stackoverflow.com

  19. #19
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    New piece of information I am trying to understand. So in the M1 message, we receive a nonce, aka the PKE (DH Key from the enrollee). According to this document, the formula for generating these DH Keys is g^AB mod p, aka PKR result^PKE private number mod p. (G is the public number from the registrar, AB is the enrollee's private number used to generate its own public number, and p is the prime modulus. Now, both the enrollee and the registrar each know the shared secret, which I am led to believe is the seed of the PRNG, (I may be wrong here but it all make sense... for now.)

    For more information about Diffle-Hellman Keys, (DH Keys), do a quick youtube search for dh key exchange (can't post youtube links).
    You can read more about modular arithmetic here.

    I'll be looking more into DH Keys and their integration with PRNGs over the next few days/weeks. If you find anything, leave a comment.

  20. #20
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by soxrok2212 View Post
    New piece of information I am trying to understand. So in the M1 message, we receive a nonce, aka the PKE (DH Key from the enrollee). According to this document, the formula for generating these DH Keys is g^AB mod p, aka PKR result^PKE private number mod p. (G is the public number from the registrar, AB is the enrollee's private number used to generate its own public number, and p is the prime modulus. Now, both the enrollee and the registrar each know the shared secret, which I am led to believe is the seed of the PRNG, (I may be wrong here but it all make sense... for now.)

    For more information about Diffle-Hellman Keys, (DH Keys), do a quick youtube search for dh key exchange (can't post youtube links).
    You can read more about modular arithmetic here.

    I'll be looking more into DH Keys and their integration with PRNGs over the next few days/weeks. If you find anything, leave a comment.
    the time taken decrypt the private keys (Private Random number) sent during the Diffie-Helman process depends on the prime modulus used (mod p in our case)...the biggger the prime modulus..the longer it will take, also take into consideration the magntitude of the generator in this case "g"....here is another good link which explains the "Alice and Bob" theory..the mathematics might be a little messed up for some...

    http://www.academia.edu/1958665/Eucl...urity_Protocol

    GRAPHICAL PATTERNS in Exponential functions that inlcude the modulus of private random prime numbers might be a breakthorugh in the future...

  21. #21
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by repzeroworld View Post
    the time taken decrypt the private keys (Private Random number) sent during the Diffie-Helman process depends on the prime modulus used (mod p in our case)...the biggger the prime modulus..the longer it will take, also take into consideration the magntitude of the generator in this case "g"....here is another good link which explains the "Alice and Bob" theory..the mathematics might be a little messed up for some...

    http://www.academia.edu/1958665/Eucl...urity_Protocol

    GRAPHICAL PATTERNS in Exponential functions that inlcude the modulus of private random prime numbers might be a breakthorugh in the future...
    But since we are the registrar in the WPS transaction, wouldn't we already know the shared secret and the generator and the enrollee's public number and the prime modulus?

  22. #22
    Join Date
    2013-Jun
    Posts
    125
    Yes soxrok2212.I caught up focusing on the modulas equation you posted for the Diffie-Helman process...As a result I was commenting on the probability of decrypting Diffie-Helman process using a man in the middle attack......Sticking to this thread Now, i am thinking along codes to bruteforcet Pseudo random Generators in order to compute E-S1 and E-S2 ( I am of the opinion that this might include algorithmic codes that guess statiscal patterns in PRNGs-maths,maths,maths.)..However when this attack was proposed by Mr. Bongard,I was looking for books on PRNGS..I noticed amazon had a couple...I might see if there are torrent ebooks out there....all for now....
    Last edited by repzeroworld; 2015-03-03 at 22:44.

  23. #23
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by repzeroworld View Post
    Sticking to this thread Now, i am thinking along codes to bruteforcet Pseudo random Generators in order to compute E-S1 and E-S2 ( I am of the opinion that this might include algorithmic codes that guess statiscal patterns in PRNGs-maths,maths,maths.)
    I have sent you an e-mail to one of your old addresses, I'm not sure if you still have access to them... If you could please respond there that would be great, thanks. I have a few questions to ask but don't want to blow up the forums.
    Last edited by soxrok2212; 2015-03-04 at 11:43.

  24. #24
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    So for those of you having trouble understanding the video of the DH Key exchange I posted, here is how 3^15 mod 17 = 6. First, calculate 3^15, which is our "generator" times the private number of in our applied case, the enrollee... = 14,348,907. Now, we take 14,348,907 and divide it by our prime modulus (known by both the enrollee and registrar, (17) and get 844,053.3529. Now, we remove the remainder from that number, .3529, so we are left with only 844,053 and multiply it by our prime modulus... 844,053 * 17=14,348901. Now, take our initial value (3^15) which is 14,348,907 and subtract the value we just calculated, 14,348,901... 14,348,907 - 14,348,901 = 6!

    Therefore:
    3^15 mod 17 = 6

    Now that the enrollee has generated a public number from its private number, it sends that to the registrar. Now it is the registrars turn to come up with its own private number (13) and make a public number.

    3^13 mod 17 = 12

    3^13 = 1,594,323
    Now, divide by our prime modulus (17)... 1,594,323 / 17 = 93,783.70588. Remove the decimal and get 93,783. Now multiply that number by 17... 93,783 * 17 = 1,594,311. Now, take our initial value and subtract the value we just created to get the registrar's public number... 1,594,323 - 1,594,311 = 12! The registrar then sends this publicly to the enrollee.

    Enrolee public number: 6
    Enrolee private number: 15
    Registrar public number: 12
    Registrar private number: 13

    Now, the registrar and the enrollee both know each others public numbers, 6 and 12. So what they do now is they take their public number from the other, and raise it to the power of their own private number.

    So for the enrollee to calculate the shared secret, it would do 12^15 mod 17 = 10
    And for the registrar to calculate the shared secret, it would do 6^13 mod 17 = 10

    Now they both know the shared secret, which I THINK may also be the seed that the PRNG uses (as stated before) but I'm not sure yet, or maybe this shared secret in conjunction with something else is the seed.
    Last edited by soxrok2212; 2015-03-04 at 11:44.

  25. #25
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Updated with all the latest information!!!! Just need someone who knows C now...

  26. #26
    Join Date
    2013-Jun
    Posts
    125
    Nice explanation of modulus arithematic aspect...sorry dude i don't know C..hope someone with C experience and pentesting can contribute to this thread,,,I noticed in the Pixie Dust attack documentation there is a lack of certainty whether the PNRG state can be bruteforced..if this can be done then we can compute E-S1 and E-S2 and then bruteforce the first half and second half of the pin offline.....I tihnk we need to get Mr. Bongard and lock him down until he successfully complete his thesis (haha...just kidding)..

  27. #27
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    It can be done, we just have to throw in seeds until we get a match. Very simple. The generator will make a long string of numbers/letters and only part of it in the PKE (Enrollee nonce), and then directly after it are the E-S1 and the E-S2

    If anyone knows C, please leave a comment. Looking to find someone to build a tool with.

    Or if there is anyone who knows python let me know please. I would like to get a project going.
    Last edited by g0tmi1k; 2015-03-09 at 21:49. Reason: *merged*

  28. #28
    WoW
    thank you guys for this excellent theme
    @ soxrok2212
    i am not a programmer and seeding is a problem with bash which is the only thing i know very few about. I gues it can be done from the sacrtach but i am not sure baout the efficiency of the code,
    I know to who ask for help, he should be interested in helping you.
    If not i can help you to start something in python and we can see how to get support on the way. C is above my mind
    I send a MP to this person right now and tell you as soon as possible.
    thanks for all your sharing and explanations in this theme . See you

  29. #29
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by kcdtv View Post
    WoW
    thank you guys for this excellent theme
    @ soxrok2212
    i am not a programmer and seeding is a problem with bash which is the only thing i know very few about. I gues it can be done from the sacrtach but i am not sure baout the efficiency of the code,
    I know to who ask for help, he should be interested in helping you.
    If not i can help you to start something in python and we can see how to get support on the way. C is above my mind
    I send a MP to this person right now and tell you as soon as possible.
    thanks for all your sharing and explanations in this theme . See you
    my email is *redacted*
    Last edited by soxrok2212; 2018-10-16 at 17:50.

  30. #30
    Yes, i guess it was me.... my first language is not spanish but i am definitely more fluent in spanish than in english,(i understand everything but my grammar and my syntaxes are horrible)
    I write you a mail (in spanish)
    I didn't receive an answer from my friend yet... But it is still a bit early for him
    we keep in touch- i write you a mail right now and like this you have mine
    cee you there

  31. #31
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by datahead View Post
    You are on the right track
    I do have a complete and working PoC program that I use. while it says few routers, I've found a lot more are vulnerable than one would think. All through trial and error of testing which router has which chipset, broadcom, ralink, atheros etc. around 12 of the 20 I've tested on, have been vulnerable.
    Have you done any testing with realtek at all? I'm trying to add as many possibilities to a tool as possible.

  32. #32
    Join Date
    2015-Mar
    Posts
    1
    I am interested in documentation about vendor-specific implementations of PRNGs.
    kcdtv : libpcap is quite broken, i had to lose time reading .cap manually and playing with colors.

  33. #33
    awesome, keep it up guys. I am hoping to become a tester for the script

  34. #34
    @soxrok2212
    First of all, thank you for your time and effort.

    I have been looking by myself about all 'this' but there's something I can't seem to undestand just yet.

    On the pdf slides (pag. 24) there's written:
    - Upon reception of M1 the Registrar generates PKR and N2
    - The Registrar can then compute the DHKey: DHKey= SHA-256 (zeropad(g^{AB} mod p, 192))

    DHKey is needed in order to get AuthKey which is used as key of the HMAC-SHA-256 (for both E-Hash1 and E-Hash2).

    How is the DHKey actually calculated? Could you make an example? How do we know A?

    Sorry if I am missing something.

    I know a little C, not enough to develop a modified version of reaver but hopefully enough to help testing or making some PoC kinda code.
    I also have a capture of a TP-LINK router which is apparently Ralink, so ES1 = ES2 = 0, right?

    Thank you again.

  35. #35
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by wiire View Post
    @soxrok2212
    First of all, thank you for your time and effort.

    I have been looking by myself about all 'this' but there's something I can't seem to undestand just yet.

    On the pdf slides (pag. 24) there's written:
    - Upon reception of M1 the Registrar generates PKR and N2
    - The Registrar can then compute the DHKey: DHKey= SHA-256 (zeropad(g^{AB} mod p, 192))

    DHKey is needed in order to get AuthKey which is used as key of the HMAC-SHA-256 (for both E-Hash1 and E-Hash2).

    How is the DHKey actually calculated? Could you make an example? How do we know A?

    Sorry if I am missing something.

    I know a little C, not enough to develop a modified version of reaver but hopefully enough to help testing or making some PoC kinda code.
    I also have a capture of a TP-LINK router which is apparently Ralink, so ES1 = ES2 = 0, right?

    Thank you again.
    The math behind calculating the DH Keys is not important, only the actual PKE, PKR and Public keys are. I will explain though.

    So we have the formula g^AB mod p right? In here, both g and p are "variables" (the generator and prime modulus). These two variables are agreed upon by the Registrar (Access Point) and Enrollee (Client) before the WPS transaction starts. However, A and B are different. They are secret numbers known only by the Enrollee and Registrar respectively (PKE knows A, PKR knows B, they don't know each other's secret numbers). Now, both the Enrollee and the Registrar will will run their secret numbers through the generator (PKE > g^A mod p, PKR > g^b mod p).

    Now that that each side has generated a new "public" number with their secret number, they exchange and run a new function (in this case we'll call Ca the PKE public number and Cb the PRK public number). The Enrollee runs: g^ACb mod p, and the Registrar runs: g&BCa mod p.

    There is a full version of the video on youtube, just google Diffle-Hellman Key Exchange and click the youtube link... its by Art of the Problem. I'd post it but we can't post youtube links. Hopefully that makes sense.

    The TP-Link router may be vulnerable, but I can't say for sure. I've never done testing. It is likely that it is but until there is a tool I can't say for sure. You could try looking in the source but you may not find a certain answer there. Good luck!

  36. #36
    @ qolund
    Hello
    Last edited by kcdtv; 2015-03-18 at 18:49.

  37. #37
    @soxrok2212
    Thank you for the explaination. I'll be sure to study the subject thoroughly when I'll have a bit more time. I'm a bit busy at them moment

    Anyway, while we're waiting for someone able to modifiy reaver/bully, I've made a little program.

    For now it just tries to bruteforce the PIN going throught all 20'000 combination (it doesn't use the checksum for now), assuming ES1 = ES2 = 0. Just feed it all the things needed:
    - PKe
    - PKr
    - AuthKey
    - E-Hash1
    - E-Hash2

    Tried on a TP-LINK (Ralink) and it just works. Bongard was right.

    <link removed>

    Here's a sample image:


    EDIT: added the image properly. Removed link.
    Last edited by wiire; 2015-03-21 at 11:24.

  38. So is their any Tool Available for Pixie Dust Attack or Not???

  39. #39
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by FurqanHanif View Post
    So is their any Tool Available for Pixie Dust Attack or Not???
    As of right now, there is no official tool that is also user friendly.
    Last edited by soxrok2212; 2015-03-19 at 10:55.

  40. #40
    Well my tool /works/ assuming that the AP (enrollee) does not generate the 2 random nonces ES1 and ES2. For non wps-technical users this means that'll work only with a few APs (probably Ralink, as described by Bongard).

    When I'll undestand, hopefully with the help of someone, how the Broadcom PNRG seed bruteforce works, I'll be sure to add it to the tool (and post it online on GitHub or similar).

    I made the tool while waiting for someone else to make an automatic tool such as a modification of reaver or bully.

    Anyway, if someone is interested I'll make a post in the HowTos section how to use it. It requires a little modification in the source code of bully/reaver (tried bully for now) but it's easy. It was my yesterday one-day solution.

    EDIT: fixed some typos.
    Last edited by wiire; 2015-03-19 at 11:09.

  41. #41
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by wiire View Post
    @soxrok2212
    Thank you for the explaination. I'll be sure to study the subject thoroughly when I'll have a bit more time. I'm a bit busy at them moment

    Anyway, while we're waiting for someone able to modifiy reaver/bully, I've made a little program.

    For now it just tries to bruteforce the PIN going throught all 20'000 combination (it doesn't use the checksum for now), assuming ES1 = ES2 = 0. Just feed it all the things needed:
    - PKe
    - PKr
    - AuthKey
    - E-Hash1
    - E-Hash2

    Tried on a TP-LINK (Ralink) and it just works. Bongard was right.

    pixiewps

    Here's a sample image:


    EDIT: added the image properly.
    Wonderful! Unfortunately I don't have any ralink devices to test :[ but I will certainly test with some broadcom routers which have low entropy after boot. If you could contact me via email (my [email protected]) or Skype (click that little symbol under my name) that would be great! I'm working with a few other people and I'm hoping we can use your knowledge and ralink PoC and incorporate it into a complete project. Thanks again wiire!!
    Last edited by soxrok2212; 2015-03-19 at 13:24.

  42. #42
    WoW

    I am so glad to see this screenshot
    The first "public" pixie dust attack... "sometimes dreams comes true"
    Great job wiire ....

    For the cheksum maybe the fastest will be to have a full pin diccionnary and just "grep" (grab) from the file the second half for PSK2 brute force instead of genrating the cheksum live.
    I do not want to make you loose your time, i am very bad at maths and with number.
    i get the process but i have difficulties to "see concretly the element involved"
    I will try and have a look at your code to try to understand but i do not know C

    Would you mind to tell me (us) in this example which part of "auth key" is used for genrating the HMAC256 (e-hash) ?
    i guess it is the same lenght that is used to create the string for PKE and PKR and that the process is the same... could you confirm that to me?

    Could you tel us also which tp-link model is it concretly and the wifi chipset that it uses?
    Could you pass me a probe response from your routeur? i would like to start a kind of data base for everybody where we list affceted devices.


    Thank you for sharing with us your work and congratulation
    Last edited by kcdtv; 2015-03-19 at 14:52.

  43. #43
    Awesome ! I can't wait to see the source and to have this published !!
    Hey Kcdtv ! toujours sur la breche hein ?

  44. #44
    Thank you guys.

    @soxrok2212
    Ok, added on Skype. I'll be busy for the next 4 - 5 days, so I'll "pause myself". Looking forward to work with the 'crew', though.

    @kcdtv
    Yeah, I know what you mean referring to the checksum digit: computing it everytime or having an array of already pre-computed digits. Could be an option.
    In any case bruteforcing 11'000 digits or 20'000 doesn't make any difference on modern processors (after the PRNG seed is bruteforced). Also, if the PIN is chosen by the user, then it's most likely that the checksum won't match (odds are 1/10).

    I'm not sure about your question on the AuthKey. It is the key used in the HMAC_SHA-256 hash function and it's 32 bytes (256 bits) long (it's not truncated).
    To make an example: E-Hash1 = HMAC_SHA-256{AuthKey [32 bytes]}(ES-1 [16 bytes] || PSK1 [16 bytes] || PKE [192 bytes] || PKR [192 bytes]).
    PSK1 it the first half of the PIN converted into an array of characters without termination ('\0'), hashed (HMAC_SHA-256) with AuthKey as a key considering the first 16 bytes (half of the hash digest). Just noticed I made the array twice as big...

    PKE, PKR, E-Hash1 and E-Hash2 can be all gathered from a wireshark capture. To get AuthKey I have modified the source code of bully. The data is fed to the program as arrays of characters and then parsed and converted into byte arrays.

    I'll re-organize the code soon and add some comments. I forgot to release some memory before the program's exit...

    I will do more testing later on and send you some data. Just wait a few days...

    If you have any other question send me a PM with your Skype ID or email or just reply here if not too long... I'll contact/reply you.

  45. #45
    Join Date
    2013-Jun
    Posts
    125
    @wiire..great attempt!...I did a capture with wireshark and extracted the following details for my target

    7d:3f:c7:17:20:ec:52:05:84:69:76:e6:60:9e:aa:0e:8c :e3:ea:a1:ed:36:4f:54:96:c4:86:b2:72:91:86:d6 # E hash 1

    55:ca:83:c9:49:05:79:f8:3b:09:57:78:e1:4d:db:bb:21 :ee:f2:72:5a:02:7e:31:5f:02:ee:b3:72:f0:fc:a3 #E-hash 2

    cb:b9:a9:6d:eb:35:94:f7:da:c0:55:be:0d:04:5e:ed:52 :7d:f5:a1:c2:83:68:d2:3d:50:5e:83:ee:3c:d4:20:e6:6 c:07:d8:6b:c9:ea:52:ad:59:34:59:ff:9c:23:d2:d5:2a: 5a:74:a6:c5:fe:8b:0b:8e:c6:09:43:be:c5:df:92:93:77 :6f:12:57:85:ef:bb:a0:b6:58:b8:d2:97:7a:6f:70:f4:2 5:35:36:61:d2:c2:ef:be:38:82:a4:1d:3d:cf:03:3c:c5: d3:a6:52:b0:97:12:5b:a9:f3:0f:83:d0:c9:17:0e:97:cf :e5:9e:67:8c:64:55:30:90:47:25:c4:2c:34:11:49:32:a 2:4e:72:15:93:55:b4:64:87:1c:76:63:cd:b9:dd:57:48: c4:a0:74:e4:0b:f7:10:97:4b:11:07:98:ee:98:6c:a5:71 :f3:85:f4:36:dd:cd:35:4c:e3:3d:ef:43:09:f2:52:ef:d 1:db:a6:c1:f9:ae:b5:7f:61 #pkr


    3b:4c:d9:d5:17:e6:db:19:bc:b8:da:d7:f8:91:5d:a5:3b :4a:c8:ec:f2:17:a7:11:a4:3a:9b:d5:5e:d9:a2:b8:78:3 1:70:ae:57:be:be:0c:b2:5e:03:5f:34:28:a4:16:47:b4: 36:e7:24:71:69:54:de:0d:aa:f1:56:08:7a:d0:22:47:1f :0a:5e:2d:32:6c:0e:18:16:db:b5:89:cf:39:cb:3d:a1:f 3:05:cc:b3:a3:59:92:45:aa:45:35:1e:d8:8e:05:54:45: 74:b1:dd:8d:64:b7:6d:5e:37:c6:9c:e9:18:3d:e7:af:6b :73:c1:66:c9:ce:1a:3c:b5:f7:f3:65:be:3a:1b:29:8c:4 1:09:16:4c:b9:f1:df:41:66:99:81:91:82:a1:80:bc:7b: 1e:c9:4d:f2:62:ca:c0:50:3a:c5:5f:cd:17:dd:97:cc:b4 :82:06:15:b2:4d:1c:67:7f:fb:06:9a:c5:19:5c:ce:b0:a 2:90:d6:af:0a:a8:bc:08:d6 # pke

    These values are from a tp-link router too...the only difficulty i am having is calculating the Authkey..any suggesstions? ( I haven't seen anything tags like authkey in the wps message 2 in wireshark)

  46. #46
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by wiire View Post

    If you have any other question send me a PM with your Skype ID or email or just reply here if not too long... I'll contact/reply you.
    Hmmm, I didn't get any requests on Skype but I did get one on Google, is that you? I have a couple questions so I'll stay on google hangouts or whatever its called if you come back on today =D

  47. #47
    Quote Originally Posted by repzeroworld View Post
    the only difficulty i am having is calculating the Authkey..any suggesstions? ( I haven't seen anything tags like authkey in the wps message 2 in wireshark)
    Read my last post(s).

    @soxrok2212
    Don't think so but I have no idea how that works so... might be? Now you should see my request on Skype. It'll will be probabily faster via email (see your inbox) since we obey to different time zones.

  48. #48
    so for dummies
    how did you extract these again?
    - PKe
    - PKr
    - AuthKey
    - E-Hash1
    - E-Hash2

  49. #49
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    PKE, PKR, E-Hash1, and E-Hash2 can be found in wireshark. Authkey is a bit harder, you need to understand KDK. Look here and scroll until you see Key Derivation. Its tough to understand however, tool isn't ready for prime time but we will soon have everything be automated.

  50. #50
    I see.
    Is it cleat text or you need to push the cap through some utility?
    did you challenge the AP with reaver to get the data?
    Last edited by wn722; 2015-03-20 at 14:53.

Similar Threads

  1. WPS Pixie Dust Attack (Offline WPS Attack)
    By soxrok2212 in forum General Archive
    Replies: 353
    Last Post: 2015-05-05, 08:32
  2. Reaver modfication for Pixie Dust Attack
    By t6_x in forum General Archive
    Replies: 81
    Last Post: 2015-05-05, 00:55
  3. Pixiewps: wps pixie dust attack tool
    By wiire in forum General Archive
    Replies: 89
    Last Post: 2015-05-04, 19:32

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •