SlideShare a Scribd company logo

Wps pixie dust attack

I
invad3rsam

Wi-Fi Protected Setup - Pixie Dust Attack. An offline bruteforce attack that leaves certain routers vulnerable. Works for Boardcom and Ralink chipset based Wi-Fi routers.

Technology
1 of 14
Download to read offline
WPS Pixie Dust Attack Sumit Shrivastava
Myself  Sumit Shrivastava – Security Analyst @ Network Intelligence India Pvt. Ltd.  2.5+ years of work experience in the field of Digital Forensics and Assessment  Certifications  Computer Hacking and Forensics Investigator v8, EC-Council  Certified Professional Forensics Analyst, IIS Mumbai  Certified Professional Hacker NxG, IIS Mumbai  Certified Information Security Consultant, IIS Mumbai  Certified Information Security Expert – Level 1, Innobuzz Knowledge Solutions  Once upon a time Android and Web Developer
Today’s takeaway  Introduction to WPS  Terminology  WPS Pin Formats  WPS Negotiation Process  Types of attacks on WPS  Diving into Pixie Dust  P0wning the WiFi Router - Demonstration
Introduction to WPS  Wi-Fi Protected Setup (WPS, Wi-Fi Simple Config)  Uses PIN Method to secure wireless home network  Created by Wi-Fi Alliance, introduced in 2006  Goal – to allow the home users, who know very little about the wireless security, to add new devices  Major security flaw revealed in December 2011  Allowed brute-force the WPS Pin  SEVERELY BROKEN PROTOCOL!!!
Terminology  Enrollee: A device seeking to join a WLAN domain  Registrar: An entity with the authority to issue WLAN credentials  External Registrar: A registrar that is separate from the AP  AP: An infrastructure mode 802.11 Access Point Note:- AP and client device may change roles i.e. AP acts as Enrollee and Client Device acts Registrar, when WPS is used to configure the access point
WPS Pin A WPS Pin looks like This is what your Wi-Fi Router has at its back label
WPS Pin Format
WPS Negotiation Process  M1 – 128-bit random nounce generated by Enrollee (N1||PKE)  M2 – 128-bit random nounce generated by Registrar (N1||N2||PKR||Auth). Auth = HMAC (M1||M2)  M3 – E-Hash1 (E- S1||PSK1||PKE||PKR) OR E- Hash2 (E- S2||PSK2||PKE||PKR)
Type of Attacks on WPS  Online Brute-force  Offline Brute-force  Physical Attack
Diving into Pixie Dust  What you require?  Hashes -> E-Hash1 and E-Hash2  Public Keys -> PKE, PKR  Authkey  E-Nounce (Enrollee Nounce)  Flaw is in the E-S1 and E-S2 generation which are Psudo-Random Numbers  Dominique Bongard, found many AP use insecure PRNG  Broadlink -> c.rand()  Ralink -> E-S1 and E-S2 are never generated, hence they are always 0  If PRNG state is recovered, E-S1 and E-S2 can be calculated  PSK1 and PSK2 can be calculated from E-Hash1 and E-Hash2  To successfully complete this attack, negotiation should complete within 1 second
P0wning the Wi-Fi router :~# airmon-ng check kill :~# airmon-ng start <WIFI_INTERFACE> :~# wash –i <MONITOR_INTERFACE> :~# reaver –i <MONITOR_INTERFACE> -b <BSSID> -c <CHANNEL> -vv –K 1
P0wned
References  http://ifconfig.dk/pixiedust/  https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Technical_architecture  http://ftp.netbsd.org/pub/NetBSD/NetBSD- current/src/external/bsd/wpa/dist/hostapd/README-WPS  http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf  https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf  http://www.gta.ufrj.br/ftp/gta/TechReports/wd2012/1569655457.pdf  https://www.wi- fi.org/download.php?file=/sites/default/files/private/wsc_best_practices_v2_0_1.pdf
Questions? Thank you

Recommended

курсова работа по васил стоилов 12004
курсова работа по васил стоилов 12004курсова работа по васил стоилов 12004
курсова работа по васил стоилов 12004VasilStoilov
 
Apache Kafka for Cybersecurity and SIEM / SOAR Modernization
Apache Kafka for Cybersecurity and SIEM / SOAR ModernizationApache Kafka for Cybersecurity and SIEM / SOAR Modernization
Apache Kafka for Cybersecurity and SIEM / SOAR Modernization
Kai Wähner
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary AttacksCracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary Attacks
n|u - The Open Security Community
 
M-Trends® 2010: The Advanced Persistent Threat
M-Trends® 2010: The Advanced Persistent Threat M-Trends® 2010: The Advanced Persistent Threat
M-Trends® 2010: The Advanced Persistent Threat
FireEye, Inc.
 
Malware and Anti-Malware Seminar by Benny Czarny
Malware and Anti-Malware Seminar by Benny CzarnyMalware and Anti-Malware Seminar by Benny Czarny
Malware and Anti-Malware Seminar by Benny Czarny
OPSWAT
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
Mayur Nanotkar
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
CODE BLUE
 

Recommended

курсова работа по васил стоилов 12004
курсова работа по васил стоилов 12004курсова работа по васил стоилов 12004
курсова работа по васил стоилов 12004VasilStoilov
 
Apache Kafka for Cybersecurity and SIEM / SOAR Modernization
Apache Kafka for Cybersecurity and SIEM / SOAR ModernizationApache Kafka for Cybersecurity and SIEM / SOAR Modernization
Apache Kafka for Cybersecurity and SIEM / SOAR Modernization
Kai Wähner
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary AttacksCracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary Attacks
n|u - The Open Security Community
 
M-Trends® 2010: The Advanced Persistent Threat
M-Trends® 2010: The Advanced Persistent Threat M-Trends® 2010: The Advanced Persistent Threat
M-Trends® 2010: The Advanced Persistent Threat
FireEye, Inc.
 
Malware and Anti-Malware Seminar by Benny Czarny
Malware and Anti-Malware Seminar by Benny CzarnyMalware and Anti-Malware Seminar by Benny Czarny
Malware and Anti-Malware Seminar by Benny Czarny
OPSWAT
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
Mayur Nanotkar
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
CODE BLUE
 
23 network security threats pkg
23 network security threats pkg23 network security threats pkg
23 network security threats pkgUmang Gupta
 
Anti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionAnti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and prevention
Seccuris Inc.
 
Kablosuz Ağlarda Güvenlik
Kablosuz Ağlarda GüvenlikKablosuz Ağlarda Güvenlik
Kablosuz Ağlarda GüvenlikBGA Cyber Security
 
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeÖrnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
BGA Cyber Security
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
Saumya Vishnoi
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiWEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
BGA Cyber Security
 
BTRisk - Siber Olay Tespit ve Mudahale Egitimi
BTRisk - Siber Olay Tespit ve Mudahale EgitimiBTRisk - Siber Olay Tespit ve Mudahale Egitimi
BTRisk - Siber Olay Tespit ve Mudahale Egitimi
BTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Digital Evidence - the defence, prosecution, & the court
Digital Evidence - the defence, prosecution, & the courtDigital Evidence - the defence, prosecution, & the court
Digital Evidence - the defence, prosecution, & the courtCell Site Analysis (CSA)
 
Course Final Project on OceanLotus by Lino Lazarous Marino Ija
Course Final Project on OceanLotus by Lino Lazarous Marino IjaCourse Final Project on OceanLotus by Lino Lazarous Marino Ija
Course Final Project on OceanLotus by Lino Lazarous Marino Ija
Right Tech Centre
 
Honeypot
HoneypotHoneypot
Honeypot
Akhil Sahajan
 
VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?
VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?
VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?
İsmail ŞEN
 
Inrusion Detection Systems Referat
Inrusion Detection Systems ReferatInrusion Detection Systems Referat
Inrusion Detection Systems Referatradoatanasov
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
Priyanka Aash
 
Referat
ReferatReferat
Referatt1234567t
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber security
Pranto26
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and Protection
Chandrak Trivedi
 
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm ÖnerileriDNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
BGA Cyber Security
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
BGA Cyber Security
 
Презентация - sniffing атаки
Презентация - sniffing атакиПрезентация - sniffing атаки
Презентация - sniffing атаки
University of Economics - Varna
 
Alexey Sintsov - Where do the money lie
Alexey Sintsov - Where do the money lieAlexey Sintsov - Where do the money lie
Alexey Sintsov - Where do the money lie
DefconRussia
 
Pentest requirements
Pentest requirementsPentest requirements
Pentest requirements
Glib Pakharenko
 

More Related Content

What's hot

23 network security threats pkg
23 network security threats pkg23 network security threats pkg
23 network security threats pkgUmang Gupta
 
Anti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionAnti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and prevention
Seccuris Inc.
 
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeÖrnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
BGA Cyber Security
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
Saumya Vishnoi
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiWEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
BGA Cyber Security
 
BTRisk - Siber Olay Tespit ve Mudahale Egitimi
BTRisk - Siber Olay Tespit ve Mudahale EgitimiBTRisk - Siber Olay Tespit ve Mudahale Egitimi
BTRisk - Siber Olay Tespit ve Mudahale Egitimi
BTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Digital Evidence - the defence, prosecution, & the court
Digital Evidence - the defence, prosecution, & the courtDigital Evidence - the defence, prosecution, & the court
Digital Evidence - the defence, prosecution, & the courtCell Site Analysis (CSA)
 
Course Final Project on OceanLotus by Lino Lazarous Marino Ija
Course Final Project on OceanLotus by Lino Lazarous Marino IjaCourse Final Project on OceanLotus by Lino Lazarous Marino Ija
Course Final Project on OceanLotus by Lino Lazarous Marino Ija
Right Tech Centre
 
Honeypot
HoneypotHoneypot
Honeypot
Akhil Sahajan
 
VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?
VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?
VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?
İsmail ŞEN
 
Inrusion Detection Systems Referat
Inrusion Detection Systems ReferatInrusion Detection Systems Referat
Inrusion Detection Systems Referatradoatanasov
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
Priyanka Aash
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber security
Pranto26
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and Protection
Chandrak Trivedi
 
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm ÖnerileriDNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
BGA Cyber Security
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
BGA Cyber Security
 
Презентация - sniffing атаки
Презентация - sniffing атакиПрезентация - sniffing атаки
Презентация - sniffing атаки
University of Economics - Varna
 

What's hot (20)

23 network security threats pkg
23 network security threats pkg23 network security threats pkg
23 network security threats pkg
 
Anti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionAnti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and prevention
 
Kablosuz Ağlarda Güvenlik
Kablosuz Ağlarda GüvenlikKablosuz Ağlarda Güvenlik
Kablosuz Ağlarda Güvenlik
 
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeÖrnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
 
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiWEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
 
BTRisk - Siber Olay Tespit ve Mudahale Egitimi
BTRisk - Siber Olay Tespit ve Mudahale EgitimiBTRisk - Siber Olay Tespit ve Mudahale Egitimi
BTRisk - Siber Olay Tespit ve Mudahale Egitimi
 
Digital Evidence - the defence, prosecution, & the court
Digital Evidence - the defence, prosecution, & the courtDigital Evidence - the defence, prosecution, & the court
Digital Evidence - the defence, prosecution, & the court
 
Course Final Project on OceanLotus by Lino Lazarous Marino Ija
Course Final Project on OceanLotus by Lino Lazarous Marino IjaCourse Final Project on OceanLotus by Lino Lazarous Marino Ija
Course Final Project on OceanLotus by Lino Lazarous Marino Ija
 
Honeypot
HoneypotHoneypot
Honeypot
 
VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?
VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?
VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?
 
Inrusion Detection Systems Referat
Inrusion Detection Systems ReferatInrusion Detection Systems Referat
Inrusion Detection Systems Referat
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
 
Referat
ReferatReferat
Referat
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber security
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and Protection
 
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm ÖnerileriDNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
 
Презентация - sniffing атаки
Презентация - sniffing атакиПрезентация - sniffing атаки
Презентация - sniffing атаки
 

Viewers also liked

Alexey Sintsov - Where do the money lie
Alexey Sintsov - Where do the money lieAlexey Sintsov - Where do the money lie
Alexey Sintsov - Where do the money lie
DefconRussia
 
Pentest requirements
Pentest requirementsPentest requirements
Pentest requirements
Glib Pakharenko
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device Securityqqlan
 
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процесс
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процессCodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процесс
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процессCodeFest
 
Penetration testing (AS IS)
Penetration testing (AS IS)Penetration testing (AS IS)
Penetration testing (AS IS)Dmitry Evteev
 
Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?
beched
 
Avoid the Hack
Avoid the HackAvoid the Hack
Avoid the Hack
Jason Jakus
 
Kaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the CloudKaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the Cloud
qqlan
 
Exploiting a vulnerability to gain a shell
Exploiting a vulnerability to gain a shellExploiting a vulnerability to gain a shell
Exploiting a vulnerability to gain a shell
Aditya Kamat
 
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
Defcon Moscow
 
Database honeypot by design
Database honeypot by designDatabase honeypot by design
Database honeypot by designqqlan
 
Web security
Web securityWeb security
Web security
Sync.NET
 
С чего начать свой путь этичного хакера?
С чего начать свой путь этичного хакера?С чего начать свой путь этичного хакера?
С чего начать свой путь этичного хакера?
Vadym_Chakrian
 
Что такое пентест
Что такое пентестЧто такое пентест
Что такое пентестDmitry Evteev
 
автоматизируем пентест Wifi сети
автоматизируем пентест Wifi сетиавтоматизируем пентест Wifi сети
автоматизируем пентест Wifi сетиOlesya Shelestova
 
#root это только начало
#root это только начало#root это только начало
#root это только начало
Vlad Styran
 
Этичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действииЭтичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действии
SQALab
 
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, ЯндексСканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
yaevents
 
Кое-что о Wi-Fi (Денис Жевнер)
Кое-что о Wi-Fi (Денис Жевнер)Кое-что о Wi-Fi (Денис Жевнер)
Кое-что о Wi-Fi (Денис Жевнер)
IT Club Mykolayiv
 
Wi Fi Security
Wi Fi SecurityWi Fi Security
Wi Fi Security
yousef emami
 

Viewers also liked (20)

Alexey Sintsov - Where do the money lie
Alexey Sintsov - Where do the money lieAlexey Sintsov - Where do the money lie
Alexey Sintsov - Where do the money lie
 
Pentest requirements
Pentest requirementsPentest requirements
Pentest requirements
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device Security
 
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процесс
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процессCodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процесс
CodeFest 2012. Белов С. — Пентест на стероидах. Автоматизируем процесс
 
Penetration testing (AS IS)
Penetration testing (AS IS)Penetration testing (AS IS)
Penetration testing (AS IS)
 
Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?
 
Avoid the Hack
Avoid the HackAvoid the Hack
Avoid the Hack
 
Kaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the CloudKaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the Cloud
 
Exploiting a vulnerability to gain a shell
Exploiting a vulnerability to gain a shellExploiting a vulnerability to gain a shell
Exploiting a vulnerability to gain a shell
 
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
Defcon Moscow #0x0A - Dmitry Evteev "Pentest vs. APT"
 
Database honeypot by design
Database honeypot by designDatabase honeypot by design
Database honeypot by design
 
Web security
Web securityWeb security
Web security
 
С чего начать свой путь этичного хакера?
С чего начать свой путь этичного хакера?С чего начать свой путь этичного хакера?
С чего начать свой путь этичного хакера?
 
Что такое пентест
Что такое пентестЧто такое пентест
Что такое пентест
 
автоматизируем пентест Wifi сети
автоматизируем пентест Wifi сетиавтоматизируем пентест Wifi сети
автоматизируем пентест Wifi сети
 
#root это только начало
#root это только начало#root это только начало
#root это только начало
 
Этичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действииЭтичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действии
 
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, ЯндексСканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндекс
 
Кое-что о Wi-Fi (Денис Жевнер)
Кое-что о Wi-Fi (Денис Жевнер)Кое-что о Wi-Fi (Денис Жевнер)
Кое-что о Wi-Fi (Денис Жевнер)
 
Wi Fi Security
Wi Fi SecurityWi Fi Security
Wi Fi Security
 

Similar to Wps pixie dust attack

Brute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupBrute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupScientia Groups
 
Ng sec 2016
Ng sec 2016Ng sec 2016
Ng sec 2016
Rameshwar Nigam
 
Advanced Wi-Fi pentesting
Advanced Wi-Fi pentestingAdvanced Wi-Fi pentesting
Advanced Wi-Fi pentesting
Yunfei Yang
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be Jeopardized
IRJET Journal
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
Ishan Girdhar
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
Nilesh Sapariya
 
Easy Provisioning with GainSpan Embedded Wi-Fi Technology
Easy Provisioning with GainSpan Embedded Wi-Fi TechnologyEasy Provisioning with GainSpan Embedded Wi-Fi Technology
Easy Provisioning with GainSpan Embedded Wi-Fi Technologygainspan
 
Wireless security
Wireless securityWireless security
Wireless securityparipec
 
Wi-FI Hacking
Wi-FI Hacking Wi-FI Hacking
Wi-FI Hacking
Mehul Jariwala
 
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days
 
How to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ng
Open Knowledge Nepal
 
Embedded device hacking Session i
Embedded device hacking Session iEmbedded device hacking Session i
Embedded device hacking Session i
Malachi Jones
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
Ajin Abraham
 
Wireless Security
Wireless SecurityWireless Security
Wireless Security
siDz
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
4 wifi security
4 wifi security4 wifi security
4 wifi securityal-sari7
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security
Hariraj Rathod
 
Wi fi protected-access
Wi fi protected-accessWi fi protected-access
Wi fi protected-access
bhanu4ugood1
 

Similar to Wps pixie dust attack (20)

Brute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupBrute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected Setup
 
Ng sec 2016
Ng sec 2016Ng sec 2016
Ng sec 2016
 
Advanced Wi-Fi pentesting
Advanced Wi-Fi pentestingAdvanced Wi-Fi pentesting
Advanced Wi-Fi pentesting
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be Jeopardized
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
 
Easy Provisioning with GainSpan Embedded Wi-Fi Technology
Easy Provisioning with GainSpan Embedded Wi-Fi TechnologyEasy Provisioning with GainSpan Embedded Wi-Fi Technology
Easy Provisioning with GainSpan Embedded Wi-Fi Technology
 
609 618
609 618609 618
609 618
 
Wireless security
Wireless securityWireless security
Wireless security
 
Wi-FI Hacking
Wi-FI Hacking Wi-FI Hacking
Wi-FI Hacking
 
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
 
How to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ng
 
Embedded device hacking Session i
Embedded device hacking Session iEmbedded device hacking Session i
Embedded device hacking Session i
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
 
Wireless Security
Wireless SecurityWireless Security
Wireless Security
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
Airheads vail 2011 pci 2.0 compliance
Airheads vail 2011 pci 2.0 complianceAirheads vail 2011 pci 2.0 compliance
Airheads vail 2011 pci 2.0 compliance
 
4 wifi security
4 wifi security4 wifi security
4 wifi security
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security
 
Wi fi protected-access
Wi fi protected-accessWi fi protected-access
Wi fi protected-access
 

Recently uploaded

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Enhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZEnhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZ
Globus
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
UiPathCommunity
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
Jen Stirrup
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Enhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZEnhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZ
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
 

Wps pixie dust attack

  • 1. WPS Pixie Dust Attack Sumit Shrivastava
  • 2. Myself  Sumit Shrivastava – Security Analyst @ Network Intelligence India Pvt. Ltd.  2.5+ years of work experience in the field of Digital Forensics and Assessment  Certifications  Computer Hacking and Forensics Investigator v8, EC-Council  Certified Professional Forensics Analyst, IIS Mumbai  Certified Professional Hacker NxG, IIS Mumbai  Certified Information Security Consultant, IIS Mumbai  Certified Information Security Expert – Level 1, Innobuzz Knowledge Solutions  Once upon a time Android and Web Developer
  • 3. Today’s takeaway  Introduction to WPS  Terminology  WPS Pin Formats  WPS Negotiation Process  Types of attacks on WPS  Diving into Pixie Dust  P0wning the WiFi Router - Demonstration
  • 4. Introduction to WPS  Wi-Fi Protected Setup (WPS, Wi-Fi Simple Config)  Uses PIN Method to secure wireless home network  Created by Wi-Fi Alliance, introduced in 2006  Goal – to allow the home users, who know very little about the wireless security, to add new devices  Major security flaw revealed in December 2011  Allowed brute-force the WPS Pin  SEVERELY BROKEN PROTOCOL!!!
  • 5. Terminology  Enrollee: A device seeking to join a WLAN domain  Registrar: An entity with the authority to issue WLAN credentials  External Registrar: A registrar that is separate from the AP  AP: An infrastructure mode 802.11 Access Point Note:- AP and client device may change roles i.e. AP acts as Enrollee and Client Device acts Registrar, when WPS is used to configure the access point
  • 6. WPS Pin A WPS Pin looks like This is what your Wi-Fi Router has at its back label
  • 8. WPS Negotiation Process  M1 – 128-bit random nounce generated by Enrollee (N1||PKE)  M2 – 128-bit random nounce generated by Registrar (N1||N2||PKR||Auth). Auth = HMAC (M1||M2)  M3 – E-Hash1 (E- S1||PSK1||PKE||PKR) OR E- Hash2 (E- S2||PSK2||PKE||PKR)
  • 9. Type of Attacks on WPS  Online Brute-force  Offline Brute-force  Physical Attack
  • 10. Diving into Pixie Dust  What you require?  Hashes -> E-Hash1 and E-Hash2  Public Keys -> PKE, PKR  Authkey  E-Nounce (Enrollee Nounce)  Flaw is in the E-S1 and E-S2 generation which are Psudo-Random Numbers  Dominique Bongard, found many AP use insecure PRNG  Broadlink -> c.rand()  Ralink -> E-S1 and E-S2 are never generated, hence they are always 0  If PRNG state is recovered, E-S1 and E-S2 can be calculated  PSK1 and PSK2 can be calculated from E-Hash1 and E-Hash2  To successfully complete this attack, negotiation should complete within 1 second
  • 11. P0wning the Wi-Fi router :~# airmon-ng check kill :~# airmon-ng start <WIFI_INTERFACE> :~# wash –i <MONITOR_INTERFACE> :~# reaver –i <MONITOR_INTERFACE> -b <BSSID> -c <CHANNEL> -vv –K 1
  • 13. References  http://ifconfig.dk/pixiedust/  https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Technical_architecture  http://ftp.netbsd.org/pub/NetBSD/NetBSD- current/src/external/bsd/wpa/dist/hostapd/README-WPS  http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf  https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf  http://www.gta.ufrj.br/ftp/gta/TechReports/wd2012/1569655457.pdf  https://www.wi- fi.org/download.php?file=/sites/default/files/private/wsc_best_practices_v2_0_1.pdf