How To Crack WPS with Pixie Dust … Offline Attacking
In this post we are looking at how vulnerable WPS makes your Access Point. WiFi Protected Setup makes it nice and easy for you to connect to your wireless devices by using a simple pin number, instead of your hard to guess passphrase. The issue is that this means your secure 32 character passphrase is about as much use a chocolate fireguard, as instead of taking potentially years to crack, you can attack the pin number which only has 11,000 iterations and this can be cracked in hours (even with timeouts and other controls in place).
In this video we will show how a vulnerability in some of the chipsets of Wireless Access Points allows you to crack the WPS code in less than a second as well as revealing the WPA pin number. This attack is called the PixieDust attack, and it currently works on certain firmware on Broadcom, Realtek, Ralink and MediaTek chipsets. In the video this is demonstrated on an older BT HomeHub 3 which is using a Realtek chipset.
The way this works is that the Enrollee Hashes (E-Hash1 / E-Hash2) are supposed to be secret hashes, but when they are disclosed we can use them along with the Enrolle and Registrar Public Keys, along with the E & R Nonces and the Auth Key to decipher the WPS PIN Key.
Just to provide some comparison, using the WPS PixieDust attack we got the PIN and then the WPA2 Passphrase in less than a second. Stealing the WPA2 Hash and attacking this directly with a single GPU the time estimated to crack based on knowing its Alpha Numeric with no special characters is 853,399 days, 2 hours and 44 minutes, so year WPS add some weakness to your hardened access point 🙂
Below is the code used during the above video, you can use this easily copy and paste with your own information.
Finally, in the WPS column you need to be checking for one of the following to make sure the Access Point has WPS enabled, if it isnt its not supported on the device, or you have successfully disabled it. 1.0, LAB, PBC, NFC, PIN,
has worked in IT since 1998, Infosec since 2004, and studied and performed hypnosis, mentalism etc since 2009.
Dale is a full time social engineer and qualified hypnotherapist. He spends a great deal of time researching the various skills and techniques that make up the art and science of Social Engineering.