Escolar Documentos
Profissional Documentos
Cultura Documentos
Spring 2015
Name:
Class ID#:
School ID#:
Feingold, Aaron
23
0204787
Name:
Class ID#:
Seaman, Shawn
26
Course:
Course ID:
Date:
Assignments Content
1. Paper..
2. Slides .
11
Aaron Feingold
Shawn Seaman
INCS-745: Hacker Exploits & Intrusion Detection
2
3
4
Initial M4 M5 PIN
4 digits
5
6
7
Second M6 M7 PIN
3 digits
8
Checksum
The two PINs are evaluated separately, as shown. If, at any point, an EAP-NACK message is
received, it means that the PIN number is incorrect.
If, at any point, an EAP-NACK message is received, it means that the PIN number was
incorrect. Depending on the timing of the EAP-NACK, we can determine which part of the
PIN was wrong. If an EAP-NACK was received in response to message M4, it means that the
first part of the PIN was incorrect. If an EAP-NACK was received after sending M6, we can
conclude that the first part of the PIN is correct, and the second part is wrong.
Step 2: Scan for vulnerable wireless routers using the wash utility. This software ships with
Kali Linux by default.
wash -i mon0
Note: If you get an error Found packet with bad FCS, skipping... you will need to set the
--ignore-fcs flag:
wash -i mon0 -ignore-fcs
The target should have the field WPS Locked set to No.
Make a note of the target's BSSID.
In this case, it took 18 hours and 12 minutes to obtain the PIN. That gave us all the other
wireless configuration data, including the wifi password.1
The reason this took as long as it did was due to a lock-down setting designed to mitigate WPS
attacks. After every 16 attempts, the router shut down WPS for 5 minutes.
Even with this limitation, it was not difficult to break WPS.
LOCK-DOWN: RATE-LIMITING MITIGATION & THE ROUTER RESET
In the initial paper which revealed the WPS brute force attack, it is suggested that
manufacturers implement a lock down period after a number of incorrect PIN guesses. It is
estimated that locking WPS for 60 minutes following 5 incorrect guesses would increase the
maximum attack time to about 92 days. [Viehbck, 2011] This would give us an average
attack time of 46 days.
Of course, locking down WPS for an hour while a legitimate (if unskilled) user is attempting
to set it up is a problem. The entire point of WPS is to allow untrained users to configure
wireless networks easily. So manufacturers have tended toward less restrictive lock down
policies.
Unless addressed, lock-down policies can significantly slow down a WPS brute force attack.
There is a way around this. It turns out that many routers will reset if subjected to an EAPOL
packet flood. Because the PIN is stored in the router's firmware, it is not altered when the
router resets. By reseting the router, we can remove the lockdown policy. We can then
continue testing PINs immediately.
1
Please note: The MAC address and other details of the router used in the initial brute force test have been
redacted at the request of the organization that was kind enough to loan one of their wireless routers for this
project.
MD3K is a tool capable of producing this type of EAPOL flood. [Smeat, 2013] Reaver, our
WPS tool, can be modified to unleash MD3K automatically upon detecting a lockdown (or, as
Reaver calls it, rate limiting.)
Due to the EAPOL flood, the router resets, and we now have
less than one minute of downtime when rate-limiting is
engaged.
EAPOL flooding reduced the time of our attack to
approximately 4 hours. We retrieved the WPS PIN, the WPA
password, and the SSID.
THE PIXIE DUST ATTACK: EXPLOITING A PRNG VULNERABILITY
There is one additional vulnerability which has been demonstrated in certain implementations
of WPS. Weak pseudo-random number generators are used in AP chipsets manufactured by
Broadcom, Ralink, and RealTek.
This allows us to perform a brute-force attack against the same 11,000 candidate PINs offline.
This is an offline attack. We do not need to wait for the router on each attempt, and we can
therefore attain much higher speeds. In our tests, this attack completes in less than one
second.
We will need the following data to begin the Pixie Dust PRNG attack:
Some of this information can be obtained from more than one source.
Once we have gathered our data, we use a tool called Pixiewps to perform the off-line attack.
[Wiire, 2015] This tool will return the WPS PIN. We then feed the PIN into Reaver, which
returns all the wireless configuration information, including the password.
The real vulnerability here is the fact that we can get E-S1 and E-S2, such that:
E-Hash1= HMAC (E-S1, PSK1, PKE, PKR)
E-Hash2= HMAC (E-S2, PSK2, PKE, PKR)
Ralink chipsets set E-S1 = 0 and E-S2 = 0. This is so weak, it can't even properly be called a
pseudo-random number generator. There is nothing there to break.
In the event that the transaction takes less than one second, Realtek chipsets assign the same
value to E-S1, E-S2, and N1 Enrollee Nonce. Because we can sniff the value of the Nonce,
we have the value of E-S1, and E-S2.
Broadcom at least uses a PRNG, but it is very weak. It is not difficult to brute force the state
of the Broadcom PRNG, and calculate E-S1 and E-S2 from that state.
Though the weak PRNG is not a flaw in the design of the protocol itself, it is an informative
example of the way poor implementation can introduce new vulnerabilities.
MULTIPLE MAC SPOOFING: AN OPTIONAL OPTIMIZATION
When attacking wireless networks that do not have a lockdown policy in place, it is possible to
spoof the last digit of your MAC address so that your requests appear to come from multiple
different sources at once.
In this way, you can speed up the attack by having multiple simultaneous instances running at
the same time. [Heffner, 2013]
10
While this was an effective technique several years ago, it can backfire by causing rate
limiting lock-down policies to engage more quickly and more often. We did not find this
technique to be of much use against current wireless routers.
OUR PLATFORM: HARDWARE AND SOFTWARE USED IN OUR TESTS
We used virtualized copies of Kali Linux on two laptops to launch our attacks. On the first
laptop, we used VMware Player 7.0.0, with Windows 8.1 as the host OS. The other laptop
used VirtualBox, running on top of Windows 8. Both systems worked well in our tests. We
did not observe any significant difference between VirtualBox and VMware Player for this
application.
We required wireless adapters capable of packet injection and monitor mode. Neither laptop
had such capabilities pre-installed. Therefore, we used USB wireless adapters which did have
those capabilities. We tested two adapters from Alfa Networks: The AWUS036NH and the
AWUS036NHA. We noticed no performance difference between the two cards, but it should
be noted that the AWUS036NHA has an Atheros chipset, and AWUS036NH appears to have a
chipset produced by Ralink.
We did notice a significant increase in range when we tested different antennas. Surprisingly,
there was not much difference between the 5dBi and the 9dBi omni-directional antennas.
There was a significant improvement when using the 7dBi directional antenna, though only
when it was positioned correctly.
CONCLUSIONS AND RECOMMENDATIONS
We have determined that WPS in-band configuration is hopelessly insecure. The keyspace is
just too small to be useful for security. If WPS is enabled, a determined attacker will get
inside the system. The attacker's success is inevitable.
Repeated attempts by WAP manufacturers to mitigate the weakness at the heart of of the
external register mechanism have failed. Rate limiting makes the attack take days, rather than
hours, and it can be bypassed by EAPOL flooding.
Though the PRNG issues could be resolved easily, there is no clear fix for the brute force
attacks. WAPs which do not have a known PRNG vulnerability still fall to the brute force
attack.
It is therefore our recommendation that WPS should be disabled wherever and whenever it is
encountered.
11
WORKS CITED
Viehbck, Stefan (2011-12-26). "Brute forcing Wi-Fi Protected Setup" (PDF).
https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
Wi-Fi Alliance (December 2006). Wi-Fi Protected Setup Specification Version 1 .0h. (PDF).
http://cfile28.uf.tistory.com/attach/16132E3C50FCFFCB3EC74E
Smeat, (2013). md3k, , GitHub repository, https://github.com/Smeat/md3k
Wiire, (2015). Pixiewps, GitHub repository, https://github.com/wiire/pixiewps
Heffner, Craig (2013). MAC Address last character changer to speed up the attack, GitHub
repository, https://github.com/chrsmithdemos/reaver-wps/issues/258
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41