Skip to content

KALI – How to hack WIFI – WPS Pixie Dust Attack


WPS Pixie Dust Attack

A bit of background first. The Pixie Dust Attack is a WPS attack aimed to crack the PIN offline, exploiting the non-existing or low entropy of some APs. This vulnerability was discovered by Dominique Bongard. All credits for the research go to him.


The roles of the devices in a common WPS transaction are:
– Registrar: client/attacker
– Enrollee: access point

Let’s have a look at part of the information exchanged between the two (|| means concatenation):
– Enrollee -> Registrar: M1 (E-Nonce || description || PKE)
– Registrar -> Enrollee: M2 (E-Nonce || R-Nonce || description || PKR)
– Enrollee -> Registrar: M3 (R-Nonce || E-Hash1 || E-Hash2)

PKE: Public Key Enrollee (g^A mod p)
PKR: Public Key Registrar (g^B mod p)
E-Nonce: Enrollee Nonce
R-Nonce: Registrar Nonce

And now comes the interesting part:
– E-Hash1: HMAC{AuthKey}(ES-1 || PSK1 || PKE || PKR)
– E-Hash2: HMAC{AuthKey}(ES-2 || PSK2 || PKE || PKR)

PSK1 is a truncated hash of the first 4 digits of the WPS pin
PSK2 is a truncated hash of the last 4 digits of the WPS pin

On M3 packet the AP is proving us that it knows the first half of the pin (with E-Hash1) and the second half (with E-Hash2). Of those two hashes we know everything except PSK1 and ES-1 and PSK2 and ES-2 respectivly.
– PSK1 and PSK2 needs only 10,000 + 1,000 guesses to find (if the last digit is used as checksum or 20,000 if not).
– ES-1 and ES-2 are two 128 bits random nonces, which would be impossible to bruteforce, right?

The question now is how are they generated? Are they truly random? No, not for every AP/manufacturer at least. Bongard looked up at two implementation: Ralink and Broadcom.
– The former uses ES-1 = ES-2 = 0 (constant) so we just need to bruteforce the PIN with 11000 guesses.
– The latter has the code of its random function publicy hosted online on GitHub (lol). It will work only for some old devices, though (probably those ones shipped from 2011 – 2013).

It uses the r_rand() function from C (wich is not secure) that uses a Linear Congruential Generator and its entropy is of 25 bits only (instant to bruteforce).
The ES-1 is calculated after the E-Nonce so you just need to guess the seed (25 bits of entropy) until you find the same sequence that leads to the E-Nonce. That’s it.

Now aside for those two manufacturers, it is also importat to mention that the majority of APs (if not all) use random pseudo-namber generators of 32 bits and have low entropy at boot. So more vulnerabilities are out there just need to be discovered by someone.

Now let’s talk about the tool, pixiewps.


Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: