WPS Pixie Dust Attack - Hacking a Wi-Fi network in 5 minutes. Vulnerability description

Vulnerability is not new, but due to the lack of materials in the "RU" segment - I decided to write this article.


At the end of 2014, computer security specialist Dominique Bongard discovered a vulnerability in WPS that allowed hacking a Wi-Fi router in a few minutes.

The problem was in generating random numbers ( E-S1 and E-S2 ) on many routers. If we recognize these numbers, we can easily recognize the WPS pin, since it is they that are used in the cryptographic function to protect against brute-force upon receiving a WPS pin.
The router gives a hash generated using a WPS pin and data (E-S1 and E-S2) numbers to prove that he also knows it (this is done to protect against connecting to the fake point, which could just accept your password and listen to traffic).
E-S1 and E-S2 are used in the generation of E-Hash1, E-Hash2 , which in turn will be received from the router in message M3 .

WPS protocol

Important here are: M1, M2, M3 .
Message M1 - the router sends to the client N1 , Description, PKE .
Message M2 - the client sends the router N1, N2, PKR, Auth .
Auth - a hash from the first and second messages.

And the most important message M3 - the router sends to the client E-Hash1, E-Hash2 .

E-Hash1 = HMAC-SHA-256(authkey) (E-S1 | PSK1 | PKE | PKR)
E-Hash2 = HMAC-SHA-256(authkey) (E-S2 | PSK2 | PKE | PKR)


Where PSK1 is the first 4 digits of the WPS pin , PSK2 is the other 4 digits.
E-S1 and E-S2 - must be random 128-bit numbers.
PKE - router's public key.
PKR - client's public key.
From this it turns out that the unknowns are (still) E-S1 and E-S2, PSK1 and PSK2.

M4 - the client sends R-Hash1, R-Hash2 to confirm that he also knows the WPS pin.
If everything is ok, the router will give the client a passphrase for accessing the network associated with the current WPS pin. This is done on the basis that the WPS pin should not be permanent, and if it is changed, the client must receive the password again.

E-S1 and E-S2 generation on our routers:

In Broadcom / eCos , these 2 numbers are generated immediately after generating N1 (public key) by the same function. Obtaining E-S1 and E-S2 is reduced to the brute force of the function state based on N1 and the resulting E-S1 and E-S2.

Function code:

 #if (defined(__ECOS) || defined(TARGETOS_nucleus)) void generic_random(uint8 * random, int len) { int tlen = len; while (tlen--) { *random = (uint8)rand(); *random++; } return; } #endif 

Source - github.com/RMerl/asuswrt-merlin/blob/master/release/src-rt/bcmcrypto/random.c

In “ Realtek ”, the function uses the UNIX timestamp to generate such numbers.
Similar to Broadcom, the N1 and E-S1,2 generates one function.
And if the entire exchange takes place at the same second, E-S1 = E-S2 = N1 .
If within a few seconds - a brute force state based on N1.
Source - github.com/skristiansson/uClibc-or1k/blob/master/libc/stdlib/random_r.c

In “ Ralink ”, E-S1 and E-S2 are never generated. They are always 0.
E-S1 = E-S2 = 0

In “ MediaTek ” and “ Celeno ” the same picture:
E-S1 = E-S2 = 0

Conclusion

Suppose we already know PKE, PKR, Authkey, E-Hash1 and E-Hash2 - all of this data we received as a result of communication with the router (see Above M1, M2, M3). E-S1 and E-S2 twisted or we know that he = 0.
The case is left for small - we send all the data to the hash function and compare each new pin with (E-Hash1 and E-Hash2). As a result, in a few minutes we will get a WPS pin and, in fact, access to the network.

The kali2 already contains all the tools needed for an attack . Who is interested in the practice (test your router) - we look at the docks on Reaver. Wifite also supports this type of attack.

Sources of information on this topic:

Speech by Dominic at the conference on the WPS pixie
Kali forum description

PS I would be glad to make comments and additions to the article.