WPS Pixie Dust Attack

logo

I have written about the flaw in the WPS system a few times. But a new WPS flaw has surfaced, which enables offline brute forcing of the WPS PIN, also called WPS Pixie Dust Attack. When the Registrar (the client computer) wants to connect to the Enrollee (the Access Point) they exchange a series of request and response messages as part of the negotiation process, these a named M1 to M8.

Diagram

 

 

 

 

 

 

 

 

In the Pixie Dust Attack, the negotiation process can be stopped already after message M3 because we already have all the values needed for the attack:
• We are given the Hash value (E-Hash1 and E-Hash2) of the WPS PIN since the Enrollee and the Registrar bough needs to prove to each other that they know the correct PIN
• The PKE is the DH (Diffie Hellman) public key of the Enrollee
PKR is the DH (Diffie Hellman) public key of the Registrar
Authkey a part of Key Derivation and is used to authenticate the Registration Protocol messages
E-Nonce is the Enrollee Nonce

The gold is to brute force PSK1 and PSK2, which each contains 4 digits of the PIN. With the collected values the only thing we need are the nonces E-S1 and E-S2, which are supposed to be secret bit, generated by pseudo-random generators (PRNG). Dominique Bongard found out that many Access Points chipsets uses insecure PRNG to generate these nonces. For example, Broadcom basically uses the Rand() function from C, and in Ralink E-S1 and E-S2 an never generated and therefor always equals zero. Therefor if PRNG state can be recovered, E-S1 and E-S2 can be calculated and PSK1 and PSK2 be brute forced from E-Hash1 and E-Hash2.

To do this attack, we need an Access Point with a vulnerable chipset. I got a hold of an old Netgear JNR3210 Router with a RTL8192CE chipset, which I set up for the purpose. A list of vulnerable routers can be found here.

wpspixiedatabase_edited

 

 

 

 

 

 

 

 

In this tutorial, we will install the prerequisites for the Pixie Dust Attack, do the attack manually and finally do the attack with the modified version of Reaver. First, we get at install the prerequisites with apt-get.

1. Type apt-get install build-essential libpcap-dev sqlite3 libsqlite3-dev pixiewps

Now that taken care of we need a forked version of Reaver, which can be git cloned from github.

2. Type git clone https://github.com/t6x/reaver-wps-fork-t6x

pixie1_edited

 

 

 

 

 

 

 

 

 

 

 

3. Navigate to reaver-wps-fork-t6x/src and type ./configure
4. Type make and when done make install

Let’s confirm that the correct version of Reaver has been installed.

5. Type Reaver

pixie2_edited

 

 

 

 

 

 

 

 

 

 

 

As seen in the previous picture the modified version of Reaver 1.5 has been installed on the system. In this scenario, we already our interface setup in monitor mode and the channel and bssid of our access point. So now let’s us collect the needed data for the manual attack.

6. Type reaver -i <monitor interface> -c <channel> -b <bssid> –vvv
7. Press Ctrl+C after the first set of data

pixie3_edited

 

 

 

 

 

 

 

 

 

 

 

 

The attack is launched and we can see there is a lot of data coming in. After the M3 Message is received, we break the attack with Ctrl+C. We only need the values from PKE, PKR, E-Hash1, E-HASH2, Authkey and E-Nonce to do the offline brute force of the PIN

8. Type pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>

pixie4_edited

 

 

 

 

 

 

 

 

 

 

 

 

Success – the PIN 22882325 is received instantly. We cloud now connect a device to the network with that PIN, or we could use Reaver to get the clear text password for the network.

9. Type reaver -i <monitor interface> -b <bssid> -c <channel>  -p 22882325

pixie5_edited

 

 

 

 

 

 

 

 

 

 

 

 

The correct PIN is sent to the Access Point and the clean text password Test123 is given. This method is the “manual” in my opinion at least gives you a hint about what values and tactics is used in the attack. But there is an easier way of doing the attach as well. The modified version of Reaver can do the attack itself, and pass the needed values into pixiewps itself.

10. Type reaver -i <monitor interface>  -c <channel>   -b <bssid>  -vvv -K 1 –f

pixie6_edited

 

 

 

 

 

 

 

 

 

 

 

 

The clean text password Test123 is given once again. The whole attack is done in seconds versus the normal Reaver brute force attack can often take hours to complete. That at network, under the wrong circumstances can be compromised that easily, shows that the WPS security is utterly broken and should never be used if you want a secure network.

Share Button

Comments

comments

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *