SlideShare a Scribd company logo
WPS Pixie Dust Attack
Sumit Shrivastava
Myself
 Sumit Shrivastava – Security Analyst @ Network Intelligence India Pvt. Ltd.
 2.5+ years of work experience in the field of Digital Forensics and Assessment
 Certifications
 Computer Hacking and Forensics Investigator v8, EC-Council
 Certified Professional Forensics Analyst, IIS Mumbai
 Certified Professional Hacker NxG, IIS Mumbai
 Certified Information Security Consultant, IIS Mumbai
 Certified Information Security Expert – Level 1, Innobuzz Knowledge Solutions
 Once upon a time Android and Web Developer
Today’s takeaway
 Introduction to WPS
 Terminology
 WPS Pin Formats
 WPS Negotiation Process
 Types of attacks on WPS
 Diving into Pixie Dust
 P0wning the WiFi Router - Demonstration
Introduction to WPS
 Wi-Fi Protected Setup (WPS, Wi-Fi Simple Config)
 Uses PIN Method to secure wireless home network
 Created by Wi-Fi Alliance, introduced in 2006
 Goal – to allow the home users, who know very little about the wireless security, to add
new devices
 Major security flaw revealed in December 2011
 Allowed brute-force the WPS Pin
 SEVERELY BROKEN PROTOCOL!!!
Terminology
 Enrollee: A device seeking to join a WLAN domain
 Registrar: An entity with the authority to issue WLAN credentials
 External Registrar: A registrar that is separate from the AP
 AP: An infrastructure mode 802.11 Access Point
Note:- AP and client device may change roles i.e. AP acts as Enrollee and Client Device acts
Registrar, when WPS is used to configure the access point
WPS Pin
A WPS Pin looks like
This is what your Wi-Fi Router has
at its back label
WPS Pin Format
WPS Negotiation
Process
 M1 – 128-bit random nounce
generated by Enrollee
(N1||PKE)
 M2 – 128-bit random nounce
generated by Registrar
(N1||N2||PKR||Auth).
Auth = HMAC (M1||M2)
 M3 – E-Hash1 (E-
S1||PSK1||PKE||PKR) OR E-
Hash2 (E-
S2||PSK2||PKE||PKR)
Type of Attacks on WPS
 Online Brute-force
 Offline Brute-force
 Physical Attack
Diving into Pixie Dust
 What you require?
 Hashes -> E-Hash1 and E-Hash2
 Public Keys -> PKE, PKR
 Authkey
 E-Nounce (Enrollee Nounce)
 Flaw is in the E-S1 and E-S2 generation which are Psudo-Random Numbers
 Dominique Bongard, found many AP use insecure PRNG
 Broadlink -> c.rand()
 Ralink -> E-S1 and E-S2 are never generated, hence they are always 0
 If PRNG state is recovered, E-S1 and E-S2 can be calculated
 PSK1 and PSK2 can be calculated from E-Hash1 and E-Hash2
 To successfully complete this attack, negotiation should complete within 1 second
P0wning the Wi-Fi router
:~# airmon-ng check kill
:~# airmon-ng start <WIFI_INTERFACE>
:~# wash –i <MONITOR_INTERFACE>
:~# reaver –i <MONITOR_INTERFACE> -b <BSSID> -c <CHANNEL> -vv –K 1
P0wned
References
 http://ifconfig.dk/pixiedust/
 https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Technical_architecture
 http://ftp.netbsd.org/pub/NetBSD/NetBSD-
current/src/external/bsd/wpa/dist/hostapd/README-WPS
 http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf
 https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
 http://www.gta.ufrj.br/ftp/gta/TechReports/wd2012/1569655457.pdf
 https://www.wi-
fi.org/download.php?file=/sites/default/files/private/wsc_best_practices_v2_0_1.pdf
Questions?
Thank you

More Related Content

What's hot

Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
Deepanshu Gajbhiye
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of Sigma
Florian Roth
 
IDS, IPS, IDPS
IDS, IPS, IDPSIDS, IPS, IDPS
IDS, IPS, IDPS
Minhaz A V
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
How to Survive an OpenStack Cloud Meltdown with Ceph
How to Survive an OpenStack Cloud Meltdown with CephHow to Survive an OpenStack Cloud Meltdown with Ceph
How to Survive an OpenStack Cloud Meltdown with Ceph
Sean Cohen
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
Raghav Bisht
 
Authentication (Distributed computing)
Authentication (Distributed computing)Authentication (Distributed computing)
Authentication (Distributed computing)
Sri Prasanna
 
Hybrid encryption
Hybrid encryption Hybrid encryption
Hybrid encryption
ranjit banshpal
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
sravya raju
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network Stack
Kernel TLV
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
Hack wifi password using kali linux
Hack wifi password using kali linuxHack wifi password using kali linux
Hack wifi password using kali linux
Helder Oliveira
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
Utkarsh Verma
 
Aircrack
AircrackAircrack
Aircrack
Nithin Sathees
 
PFsense 방화벽 소개
PFsense 방화벽 소개PFsense 방화벽 소개
PFsense 방화벽 소개
ajj007
 
Securing Infrastructure with OpenScap The Automation Way !!
Securing Infrastructure with OpenScap The Automation Way !!Securing Infrastructure with OpenScap The Automation Way !!
Securing Infrastructure with OpenScap The Automation Way !!
Jaskaran Narula
 
Metasploit
MetasploitMetasploit
Metasploit
Lalith Sai
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kali
n|u - The Open Security Community
 
How to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ng
Open Knowledge Nepal
 

What's hot (20)

Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of Sigma
 
IDS, IPS, IDPS
IDS, IPS, IDPSIDS, IPS, IDPS
IDS, IPS, IDPS
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
How to Survive an OpenStack Cloud Meltdown with Ceph
How to Survive an OpenStack Cloud Meltdown with CephHow to Survive an OpenStack Cloud Meltdown with Ceph
How to Survive an OpenStack Cloud Meltdown with Ceph
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
 
Authentication (Distributed computing)
Authentication (Distributed computing)Authentication (Distributed computing)
Authentication (Distributed computing)
 
Hybrid encryption
Hybrid encryption Hybrid encryption
Hybrid encryption
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network Stack
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Hack wifi password using kali linux
Hack wifi password using kali linuxHack wifi password using kali linux
Hack wifi password using kali linux
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
 
Aircrack
AircrackAircrack
Aircrack
 
PFsense 방화벽 소개
PFsense 방화벽 소개PFsense 방화벽 소개
PFsense 방화벽 소개
 
Securing Infrastructure with OpenScap The Automation Way !!
Securing Infrastructure with OpenScap The Automation Way !!Securing Infrastructure with OpenScap The Automation Way !!
Securing Infrastructure with OpenScap The Automation Way !!
 
Metasploit
MetasploitMetasploit
Metasploit
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kali
 
How to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ng
 

Viewers also liked

Alexey Sintsov - Where do the money lie
Alexey Sintsov - Where do the money lieAlexey Sintsov - Where do the money lie
Alexey Sintsov - Where do the money lie
DefconRussia
 
Pentest requirements
Pentest requirementsPentest requirements
Pentest requirements
Glib Pakharenko
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device Securityqqlan
 
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процесс
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процессCodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процесс
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процессCodeFest
 
Penetration testing (AS IS)
Penetration testing (AS IS)Penetration testing (AS IS)
Penetration testing (AS IS)Dmitry Evteev
 
Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?
beched
 
Avoid the Hack
Avoid the HackAvoid the Hack
Avoid the Hack
Jason Jakus
 
Kaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the CloudKaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the Cloud
qqlan
 
Exploiting a vulnerability to gain a shell
Exploiting a vulnerability to gain a shellExploiting a vulnerability to gain a shell
Exploiting a vulnerability to gain a shell
Aditya Kamat
 
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
Defcon Moscow
 
Database honeypot by design
Database honeypot by designDatabase honeypot by design
Database honeypot by design
qqlan
 
Web security
Web securityWeb security
Web security
Sync.NET
 
С чего начать свой путь этичного хакера?
С чего начать свой путь этичного хакера?С чего начать свой путь этичного хакера?
С чего начать свой путь этичного хакера?
Vadym_Chakrian
 
Что такое пентест
Что такое пентестЧто такое пентест
Что такое пентестDmitry Evteev
 
автоматизируем пентест Wifi сети
автоматизируем пентест Wifi сетиавтоматизируем пентест Wifi сети
автоматизируем пентест Wifi сетиOlesya Shelestova
 
#root это только начало
#root это только начало#root это только начало
#root это только начало
Vlad Styran
 
Этичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действииЭтичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действии
SQALab
 
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, ЯндексСканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
yaevents
 
Кое-что о Wi-Fi (Денис Жевнер)
Кое-что о Wi-Fi (Денис Жевнер)Кое-что о Wi-Fi (Денис Жевнер)
Кое-что о Wi-Fi (Денис Жевнер)
IT Club Mykolayiv
 
Wi Fi Security
Wi Fi SecurityWi Fi Security
Wi Fi Security
yousef emami
 

Viewers also liked (20)

Alexey Sintsov - Where do the money lie
Alexey Sintsov - Where do the money lieAlexey Sintsov - Where do the money lie
Alexey Sintsov - Where do the money lie
 
Pentest requirements
Pentest requirementsPentest requirements
Pentest requirements
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device Security
 
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процесс
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процессCodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процесс
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процесс
 
Penetration testing (AS IS)
Penetration testing (AS IS)Penetration testing (AS IS)
Penetration testing (AS IS)
 
Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?
 
Avoid the Hack
Avoid the HackAvoid the Hack
Avoid the Hack
 
Kaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the CloudKaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the Cloud
 
Exploiting a vulnerability to gain a shell
Exploiting a vulnerability to gain a shellExploiting a vulnerability to gain a shell
Exploiting a vulnerability to gain a shell
 
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
 
Database honeypot by design
Database honeypot by designDatabase honeypot by design
Database honeypot by design
 
Web security
Web securityWeb security
Web security
 
С чего начать свой путь этичного хакера?
С чего начать свой путь этичного хакера?С чего начать свой путь этичного хакера?
С чего начать свой путь этичного хакера?
 
Что такое пентест
Что такое пентестЧто такое пентест
Что такое пентест
 
автоматизируем пентест Wifi сети
автоматизируем пентест Wifi сетиавтоматизируем пентест Wifi сети
автоматизируем пентест Wifi сети
 
#root это только начало
#root это только начало#root это только начало
#root это только начало
 
Этичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действииЭтичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действии
 
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, ЯндексСканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
 
Кое-что о Wi-Fi (Денис Жевнер)
Кое-что о Wi-Fi (Денис Жевнер)Кое-что о Wi-Fi (Денис Жевнер)
Кое-что о Wi-Fi (Денис Жевнер)
 
Wi Fi Security
Wi Fi SecurityWi Fi Security
Wi Fi Security
 

Similar to Wps pixie dust attack

Brute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupBrute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected Setup
Scientia Groups
 
Ng sec 2016
Ng sec 2016Ng sec 2016
Ng sec 2016
Rameshwar Nigam
 
Advanced Wi-Fi pentesting
Advanced Wi-Fi pentestingAdvanced Wi-Fi pentesting
Advanced Wi-Fi pentesting
Yunfei Yang
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary AttacksCracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary Attacks
n|u - The Open Security Community
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be Jeopardized
IRJET Journal
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
Ishan Girdhar
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
Nilesh Sapariya
 
Easy Provisioning with GainSpan Embedded Wi-Fi Technology
Easy Provisioning with GainSpan Embedded Wi-Fi TechnologyEasy Provisioning with GainSpan Embedded Wi-Fi Technology
Easy Provisioning with GainSpan Embedded Wi-Fi Technology
gainspan
 
609 618
609 618609 618
Wireless security
Wireless securityWireless security
Wireless security
paripec
 
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days
 
Embedded device hacking Session i
Embedded device hacking Session iEmbedded device hacking Session i
Embedded device hacking Session i
Malachi Jones
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
Ajin Abraham
 
Wireless Security
Wireless SecurityWireless Security
Wireless Security
siDz
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
ijceronline
 
Airheads vail 2011 pci 2.0 compliance
Airheads vail 2011   pci 2.0 complianceAirheads vail 2011   pci 2.0 compliance
Airheads vail 2011 pci 2.0 compliance
Aruba, a Hewlett Packard Enterprise company
 
4 wifi security
4 wifi security4 wifi security
4 wifi security
al-sari7
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security
Hariraj Rathod
 
Wi fi protected-access
Wi fi protected-accessWi fi protected-access
Wi fi protected-access
bhanu4ugood1
 
CCNA Icnd110 s03l02
CCNA Icnd110 s03l02CCNA Icnd110 s03l02
CCNA Icnd110 s03l02
computerlenguyen
 

Similar to Wps pixie dust attack (20)

Brute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupBrute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected Setup
 
Ng sec 2016
Ng sec 2016Ng sec 2016
Ng sec 2016
 
Advanced Wi-Fi pentesting
Advanced Wi-Fi pentestingAdvanced Wi-Fi pentesting
Advanced Wi-Fi pentesting
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary AttacksCracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary Attacks
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be Jeopardized
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
 
Easy Provisioning with GainSpan Embedded Wi-Fi Technology
Easy Provisioning with GainSpan Embedded Wi-Fi TechnologyEasy Provisioning with GainSpan Embedded Wi-Fi Technology
Easy Provisioning with GainSpan Embedded Wi-Fi Technology
 
609 618
609 618609 618
609 618
 
Wireless security
Wireless securityWireless security
Wireless security
 
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
 
Embedded device hacking Session i
Embedded device hacking Session iEmbedded device hacking Session i
Embedded device hacking Session i
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
 
Wireless Security
Wireless SecurityWireless Security
Wireless Security
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
Airheads vail 2011 pci 2.0 compliance
Airheads vail 2011   pci 2.0 complianceAirheads vail 2011   pci 2.0 compliance
Airheads vail 2011 pci 2.0 compliance
 
4 wifi security
4 wifi security4 wifi security
4 wifi security
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security
 
Wi fi protected-access
Wi fi protected-accessWi fi protected-access
Wi fi protected-access
 
CCNA Icnd110 s03l02
CCNA Icnd110 s03l02CCNA Icnd110 s03l02
CCNA Icnd110 s03l02
 

Recently uploaded

June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Hiike
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Data Hops
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Intelisync
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 

Recently uploaded (20)

June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 

Wps pixie dust attack

  • 1. WPS Pixie Dust Attack Sumit Shrivastava
  • 2. Myself  Sumit Shrivastava – Security Analyst @ Network Intelligence India Pvt. Ltd.  2.5+ years of work experience in the field of Digital Forensics and Assessment  Certifications  Computer Hacking and Forensics Investigator v8, EC-Council  Certified Professional Forensics Analyst, IIS Mumbai  Certified Professional Hacker NxG, IIS Mumbai  Certified Information Security Consultant, IIS Mumbai  Certified Information Security Expert – Level 1, Innobuzz Knowledge Solutions  Once upon a time Android and Web Developer
  • 3. Today’s takeaway  Introduction to WPS  Terminology  WPS Pin Formats  WPS Negotiation Process  Types of attacks on WPS  Diving into Pixie Dust  P0wning the WiFi Router - Demonstration
  • 4. Introduction to WPS  Wi-Fi Protected Setup (WPS, Wi-Fi Simple Config)  Uses PIN Method to secure wireless home network  Created by Wi-Fi Alliance, introduced in 2006  Goal – to allow the home users, who know very little about the wireless security, to add new devices  Major security flaw revealed in December 2011  Allowed brute-force the WPS Pin  SEVERELY BROKEN PROTOCOL!!!
  • 5. Terminology  Enrollee: A device seeking to join a WLAN domain  Registrar: An entity with the authority to issue WLAN credentials  External Registrar: A registrar that is separate from the AP  AP: An infrastructure mode 802.11 Access Point Note:- AP and client device may change roles i.e. AP acts as Enrollee and Client Device acts Registrar, when WPS is used to configure the access point
  • 6. WPS Pin A WPS Pin looks like This is what your Wi-Fi Router has at its back label
  • 8. WPS Negotiation Process  M1 – 128-bit random nounce generated by Enrollee (N1||PKE)  M2 – 128-bit random nounce generated by Registrar (N1||N2||PKR||Auth). Auth = HMAC (M1||M2)  M3 – E-Hash1 (E- S1||PSK1||PKE||PKR) OR E- Hash2 (E- S2||PSK2||PKE||PKR)
  • 9. Type of Attacks on WPS  Online Brute-force  Offline Brute-force  Physical Attack
  • 10. Diving into Pixie Dust  What you require?  Hashes -> E-Hash1 and E-Hash2  Public Keys -> PKE, PKR  Authkey  E-Nounce (Enrollee Nounce)  Flaw is in the E-S1 and E-S2 generation which are Psudo-Random Numbers  Dominique Bongard, found many AP use insecure PRNG  Broadlink -> c.rand()  Ralink -> E-S1 and E-S2 are never generated, hence they are always 0  If PRNG state is recovered, E-S1 and E-S2 can be calculated  PSK1 and PSK2 can be calculated from E-Hash1 and E-Hash2  To successfully complete this attack, negotiation should complete within 1 second
  • 11. P0wning the Wi-Fi router :~# airmon-ng check kill :~# airmon-ng start <WIFI_INTERFACE> :~# wash –i <MONITOR_INTERFACE> :~# reaver –i <MONITOR_INTERFACE> -b <BSSID> -c <CHANNEL> -vv –K 1
  • 13. References  http://ifconfig.dk/pixiedust/  https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Technical_architecture  http://ftp.netbsd.org/pub/NetBSD/NetBSD- current/src/external/bsd/wpa/dist/hostapd/README-WPS  http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf  https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf  http://www.gta.ufrj.br/ftp/gta/TechReports/wd2012/1569655457.pdf  https://www.wi- fi.org/download.php?file=/sites/default/files/private/wsc_best_practices_v2_0_1.pdf