Wi-Fi Protected Setup - Pixie Dust Attack. An offline bruteforce attack that leaves certain routers vulnerable. Works for Boardcom and Ralink chipset based Wi-Fi routers.

1. WPS Pixie Dust Attack
Sumit Shrivastava

2. Myself
 Sumit Shrivastava – Security Analyst @ Network Intelligence India Pvt. Ltd.
 2.5+ years of work experience in the field of Digital Forensics and Assessment
 Certifications
 Computer Hacking and Forensics Investigator v8, EC-Council
 Certified Professional Forensics Analyst, IIS Mumbai
 Certified Professional Hacker NxG, IIS Mumbai
 Certified Information Security Consultant, IIS Mumbai
 Certified Information Security Expert – Level 1, Innobuzz Knowledge Solutions
 Once upon a time Android and Web Developer

3. Today’s takeaway
 Introduction to WPS
 Terminology
 WPS Pin Formats
 WPS Negotiation Process
 Types of attacks on WPS
 Diving into Pixie Dust
 P0wning the WiFi Router - Demonstration

4. Introduction to WPS
 Wi-Fi Protected Setup (WPS, Wi-Fi Simple Config)
 Uses PIN Method to secure wireless home network
 Created by Wi-Fi Alliance, introduced in 2006
 Goal – to allow the home users, who know very little about the wireless security, to add
new devices
 Major security flaw revealed in December 2011
 Allowed brute-force the WPS Pin
 SEVERELY BROKEN PROTOCOL!!!

5. Terminology
 Enrollee: A device seeking to join a WLAN domain
 Registrar: An entity with the authority to issue WLAN credentials
 External Registrar: A registrar that is separate from the AP
 AP: An infrastructure mode 802.11 Access Point
Note:- AP and client device may change roles i.e. AP acts as Enrollee and Client Device acts
Registrar, when WPS is used to configure the access point

6. WPS Pin
A WPS Pin looks like
This is what your Wi-Fi Router has
at its back label

7. WPS Pin Format

8. WPS Negotiation
Process
 M1 – 128-bit random nounce
generated by Enrollee
(N1||PKE)
 M2 – 128-bit random nounce
generated by Registrar
(N1||N2||PKR||Auth).
Auth = HMAC (M1||M2)
 M3 – E-Hash1 (E-
S1||PSK1||PKE||PKR) OR E-
Hash2 (E-
S2||PSK2||PKE||PKR)

9. Type of Attacks on WPS
 Online Brute-force
 Offline Brute-force
 Physical Attack

10. Diving into Pixie Dust
 What you require?
 Hashes -> E-Hash1 and E-Hash2
 Public Keys -> PKE, PKR
 Authkey
 E-Nounce (Enrollee Nounce)
 Flaw is in the E-S1 and E-S2 generation which are Psudo-Random Numbers
 Dominique Bongard, found many AP use insecure PRNG
 Broadlink -> c.rand()
 Ralink -> E-S1 and E-S2 are never generated, hence they are always 0
 If PRNG state is recovered, E-S1 and E-S2 can be calculated
 PSK1 and PSK2 can be calculated from E-Hash1 and E-Hash2
 To successfully complete this attack, negotiation should complete within 1 second

11. P0wning the Wi-Fi router
:~# airmon-ng check kill
:~# airmon-ng start <WIFI_INTERFACE>
:~# wash –i <MONITOR_INTERFACE>
:~# reaver –i <MONITOR_INTERFACE> -b <BSSID> -c <CHANNEL> -vv –K 1

12. P0wned

13. References
 http://ifconfig.dk/pixiedust/
 https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Technical_architecture
 http://ftp.netbsd.org/pub/NetBSD/NetBSD-
current/src/external/bsd/wpa/dist/hostapd/README-WPS
 http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf
 https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
 http://www.gta.ufrj.br/ftp/gta/TechReports/wd2012/1569655457.pdf
 https://www.wi-
fi.org/download.php?file=/sites/default/files/private/wsc_best_practices_v2_0_1.pdf

14. Questions?
Thank you