! Protocol aiming at easily connecting to protected WiFi networks
! Two main modes: Push-Button and 8 digit PIN code
! Gives the WPA passphrase to stations providing the right PIN
! Poor design and implementation
Stefan Viehböck
! Brute force each half of the PIN
! Maximum 10'000 tries + 1'000 tries
! No limitation on number of tries in many APs
! Takes a few hours (depends on the AP)
! Largely slowed down in new devices (lock-out)
! Many APs still sold with WPS PIN activated
[Diagram: STA; message fields Nonce, E-Hash1, E-Hash2, HMAC; E-Hash1 = AES(HMAC(PIN1),E-S1), E-Hash2 = AES(HMAC(PIN2),E-S2)]
! If we can guess E-S1 and E-S2, we can then brute force PIN1 and PIN2 offline!
! Pixie dust attack!
! Usually with pseudo-random generators (PRNG)
! Often insecure PRNG
! No or low entropy
! Small state (32 bits)
! Can the PRNG state be recovered?
#include <stdlib.h>   // RAND_MAX

int rand_r( unsigned int *seed ) {
    unsigned int s = *seed;
    unsigned int uret;
    int retval;
    s = (s * 1103515245) + 12345;          // permute seed
    uret = s & 0xffe00000;                 // Only use top 11 bits
    s = (s * 1103515245) + 12345;          // permute seed
    uret += (s & 0xfffc0000) >> 11;        // Only use top 14 bits
    s = (s * 1103515245) + 12345;          // permute seed
    uret += (s & 0xfe000000) >> (11+14);   // Only use top 7 bits
    retval = (int)(uret & RAND_MAX);
    *seed = s;                             // the whole generator state is these 32 bits
    return retval;
}
[Diagram: AP; message fields Nonce, Description, PK]
! Linear Congruential Generator
! 32 bits state
! No external entropy
! E-S1 and E-S2 generated right after the Nonce
! Do the WPS protocol up to message M3
! Get the Nonce from M1
! Bruteforce the state of the PRNG
! Compute E-S1 and E-S2 from the state
! Decrypt E-Hash1 and E-Hash2
! Bruteforce Pin1 and Pin2
! Do the full WPS protocol and get the passphrase
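Added example, not from the original slides: the weak pattern described above (public Nonce, then E-S1 and E-S2, all drawn from one 32-bit LCG state with no external entropy) next to a hardened generator that reads the kernel CSPRNG. The names lcg_rand_r, weak_gen, secure_gen and the one-byte-per-call packing are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The LCG from the rand_r() above, renamed so it does not clash with libc. */
static int lcg_rand_r(unsigned int *seed) {
    unsigned int s = *seed, uret;
    s = s * 1103515245u + 12345u; uret  = s & 0xffe00000u;
    s = s * 1103515245u + 12345u; uret += (s & 0xfffc0000u) >> 11;
    s = s * 1103515245u + 12345u; uret += (s & 0xfe000000u) >> (11 + 14);
    *seed = s;
    return (int)(uret & RAND_MAX);
}

/* Weak pattern: the public Nonce, then E-S1 and E-S2, from one 32-bit state.
   Assumption: one output byte per PRNG call; firmware may pack differently. */
void weak_gen(unsigned int state, uint8_t out[48]) {
    for (size_t i = 0; i < 48; i++) out[i] = (uint8_t)lcg_rand_r(&state);
}

/* Hardened pattern: draw from the kernel CSPRNG. Returns 0 on success. */
int secure_gen(uint8_t *out, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(out, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* 1 if two runs from the same state yield the same Nonce and secrets. */
int weak_is_repeatable(unsigned int state) {
    uint8_t a[48], b[48];
    weak_gen(state, a);
    weak_gen(state, b);
    return memcmp(a, b, 48) == 0;
}

/* 1 if two CSPRNG draws differ, -1 if the device could not be read. */
int secure_is_fresh(void) {
    uint8_t a[48], b[48];
    if (secure_gen(a, 48) || secure_gen(b, 48)) return -1;
    return memcmp(a, b, 48) != 0;
}

int main(void) {
    printf("weak repeatable=%d, secure fresh=%d\n",
           weak_is_repeatable(0x12345678u), secure_is_fresh());
    return 0;
}
```

In the weak generator the bytes after the first 16 (the secrets) are a fixed function of the state that produced the public Nonce, which is why the secret nonces must come from a source independent of anything sent on the air.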
! Linear Feedback Shift Register (LFSR)
! Broken
! Doesn't matter: the keys are always NULL!
! Some APs have the same state at each boot
! Make a list of common states after reboot
! Attack the AP right after boot
! Trigger the breakers
! DDoS the AP
! Jam the signal until the target reboots the AP
! Looks okay
! Uses /dev/random
! Found in Atheros SDK
! But you never know
! Several papers attack the entropy of the Linux PRNG in embedded systems
! It's complicated
! Many of the implementations are the reference code for the chipset
! Only the GUI is reskinned
! Therefore many brands are affected
! Many vendors use different chipsets
! Even for the same model number
! Disable WPS now!
! Reverse engineers: Check other APs for bad PRNGs
! Cryptographers: Check if good PRNGs are okay