
WPS Pixie Dust Attack - Hacking a Wi-Fi network in 5 minutes. Vulnerability description

The vulnerability is not new, but due to the lack of materials in the “RU” segment, I decided to write this article.
WPS basics:
WPS - Wi-Fi Protected Setup. It is also known as QSS - Quick Security Setup.
A standard designed to simplify the process of setting up a wireless network.
WPS allows you to connect in two different ways:
- by entering an 8-digit PIN (usually printed on the back of the router)
- by pressing a dedicated button on the router
The PIN is an 8-digit code whose 8th digit is a checksum. Brute-forcing such a code, taking the protection against brute force into account, can take up to several days.
At the end of 2014, computer security specialist Dominique Bongard found a vulnerability in WPS that allowed a Wi-Fi router to be hacked in a few minutes.
The problem was in the generation of the random numbers (E-S1 and E-S2) on many routers. If we learn these numbers, we can easily recover the WPS PIN, since they are used in the cryptographic function that protects the WPS PIN against brute force.
The router sends a hash generated from the WPS PIN and these numbers (E-S1 and E-S2) to prove that it also knows the PIN (this is done to protect against connecting to a fake access point, which could simply accept your password and listen to traffic).
E-S1 and E-S2 are used to generate E-Hash1 and E-Hash2, which in turn are received from the router in message M3.
WPS protocol

The important messages here are M1, M2 and M3.
Message M1 - the router sends N1, Description, PKE to the client.
Message M2 - the client sends N1, N2, PKR, Auth to the router.
Auth - a hash of the first and second messages.
And the most important message, M3 - the router sends the client E-Hash1, E-Hash2.
E-Hash1 = HMAC-SHA-256(authkey) (E-S1 | PSK1 | PKE | PKR)
E-Hash2 = HMAC-SHA-256(authkey) (E-S2 | PSK2 | PKE | PKR)
Where PSK1 is the first 4 digits of the WPS PIN, PSK2 is the remaining 4 digits. E-S1 and E-S2 must be random 128-bit numbers. PKE is the public key of the router. PKR is the public key of the client.
From this it turns out that the unknowns are (as yet) E-S1 and E-S2, PSK1 and PSK2.
M4 - the client sends R-Hash1, R-Hash2 to confirm that it also knows the WPS PIN.
If everything is OK, the router will give the client a passphrase for accessing the network, tied to the current WPS pin. This is done on the assumption that the WPS pin should not be permanent, and if it changes, the client must re-receive the password.
Generation of E-S1 and E-S2 on our routers:
In “Broadcom / eCos” these 2 numbers are generated immediately after the generation of N1 (public key) by the same function. Obtaining E-S1 and E-S2 reduces to brute-forcing the state of the function, which is derived from N1 and yields E-S1 and E-S2.
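Function code:
    #if (defined(__ECOS) || defined(TARGETOS_nucleus))
    /* Fills the buffer one byte at a time from the libc rand() stream. */
    void
    generic_random(uint8 * random, int len)
    {
        int tlen = len;
        while (tlen--) {
            *random = (uint8)rand();
            *random++;    /* advances the pointer; the dereference is unused */
        }
        return;
    }
    #endif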
The source is github.com/RMerl/asuswrt-merlin/blob/master/release/src-rt/bcmcrypto/random.c
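The weakness of that function, shown next to a hardened form. This is an added example, not code from the original article or from the Broadcom source; `secure_random`, the two check functions and the seed value are assumptions made for the demonstration, and `/dev/urandom` is assumed to be available.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef unsigned char uint8;    /* stand-in for the firmware's own typedef */

/* Weak form, behaving like the function quoted above: libc rand() stream. */
static void generic_random(uint8 *random, int len)
{
    while (len--)
        *random++ = (uint8)rand();
}

/* Hardened form (assumption: POSIX system with /dev/urandom). Returns 0 on
 * success, -1 on failure, so the caller can abort instead of using a partial nonce. */
static int secure_random(uint8 *out, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(out, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Draw N1, E-S1 and E-S2 (3 x 16 bytes) back to back from rand(), twice,
 * starting from the same PRNG state. Returns 1 if both runs are identical. */
int weak_nonces_repeat(unsigned seed)   /* seed: constructed sample value */
{
    uint8 a[3][16], b[3][16];
    srand(seed);
    generic_random(&a[0][0], (int)sizeof a);
    srand(seed);
    generic_random(&b[0][0], (int)sizeof b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Returns 1 if two hardened 128-bit draws both succeed and differ. */
int secure_nonces_differ(void)
{
    uint8 a[16], b[16];
    if (secure_random(a, sizeof a) || secure_random(b, sizeof b))
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    printf("rand() nonces repeat: %d\n", weak_nonces_repeat(1234));
    printf("urandom nonces differ: %d\n", secure_nonces_differ());
    return 0;
}
```

Because the public N1 and the secret E-S1, E-S2 come from one deterministic stream, the secrets are only as unpredictable as the PRNG state; drawing them from the kernel CSPRNG removes that link.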
In “Realtek”, the function uses the UNIX timestamp to generate these numbers.
As with Broadcom, N1 and E-S1, E-S2 are generated by the same function.
If the whole exchange happens within the same second, E-S1 = E-S2 = N1.
If it takes a few seconds, the state is brute-forced based on N1.
Source - github.com/skristiansson/uClibc-or1k/blob/master/libc/stdlib/random_r.c
In “ Ralink ” E-S1 and E-S2 are never generated. They are always 0.
E-S1 = E-S2 = 0
In “MediaTek” and “Celeno” the picture is the same:
E-S1 = E-S2 = 0
Conclusion
Suppose we already know PKE, PKR, Authkey, E-Hash1 and E-Hash2 - we obtained all of this data from the exchange with the router (see M1, M2, M3 above). E-S1 and E-S2 have either been brute-forced or are known to be 0.
All that remains is a small step - feed the data to the hash function and compare the result for each candidate PIN with E-Hash1 and E-Hash2. As a result, in a few minutes we get the WPS PIN and, in effect, access to the network.
Kali 2 already ships all the tools needed to carry out the attack. Anyone interested in trying it in practice (test your router) should look at the docs for Reaver. Wifite also supports this type of attack.
Sources of information on this topic:
Dominique's conference talk on WPS Pixie
Description on the Kali forum
P.S. I would be glad of any comments and additions to the article.