Offensive Security
Offensive Security
About me / contact me
Penetration Testing with Kali
Note taking
Master your skills
OSCP
Information gathering
Gaining Access - Vulnerability Exploitation
Privilege Escalation
HTB
Active
Retired
VulnHub
Brainpan - 1 - Buffer Overflow
Web Vulnerabilities - OWASP TOP 10
SQL Injection
XXE - XML External Entity
Command Injection
Cross Site Scripting
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery
Security Misconfiguration
Insecure Cryptographic Storage
Insufficient Transport Layer Protection
Other Web Vulnerabilities
Remote File Upload
Remote File Inclusion
Local File Inclusion
Personal Projects
WiFi Penetration Testing
WPS Attack - PixieDust
WPS Attack - Pin Bruteforce
WPS Attack - Null Pin
Man-In-The-Middle Attack
Handshake Pcap Password Cracking
Phishing attempts
News
Powered by GitBook

WPS Attack - Null Pin

Why bother with a PIN at all ?

So far we have learnt that there are at two potential attack vectors on WPS - PBC (Push button connect) that can yield successful reveal of WiFi password. However, another router enthusiast who started looking at firmware embedded in HG658C found out that manufacturer has given an option to connect to the router using ..... an empty pin. 

 Connected to 192.168.1.1.
Escape character is '^]'.
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
Login: !!Huawei
Password:
ATP>sh
BusyBox vv1.9.1 (2014-02-08 20:26:13 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# nvram show  | grep wps_device_pin  
size: 2659 bytes (30109 left)
wps_device_pin=

​Reference​

I would love to know the reason behind this implementation, was it conscious ? Did they know that programmers building the firmware allowed this hole to persist, has nobody checked the possible implications ? Since routers are built from parts coming from different manufacturers it is a good idea to look at specific WiFi chip to see if correlation with other router manufacturers can be made in order to cross-reference the vulnerability. HG658C uses Broadcom BCM63168 SOC and above researcher has demonstrated that if one could send an empty PIN for eg. with reaver v. 1.6b or abov​e using command: 

reaver -i wlanXmon -b xx:xx:xx:xx:xx:xx -p "" -N

-i wlanXmon - describes wireless interface in monitor mode -b mac address of the Access Point -p "" empty pin inside quotation marks -N no-nacks - helps to accomplish that feat successfully Once we run this command the PSK (pre shared network key) would be provided in less than a minute of work on a vulnerable router of course !

So far I have found out that affected BCM63168 is implemented in at least 29 known routers/devices adding to the list. Others reported successful breaches on HUAWEI version of BT Home Hub 3.0B running BCM6361 adding potentially 12 more different routers to the list and EE-Smart-Hub from Arcadyan Corporation running on atheros chipset - sadly I could not locate the chipset model itself therefore I am still waiting to cross-reference it with other brands.

Pin cracked in 3 sec! My new personal record - after weeks of learning, boy was it worth it!
Previous
WPS Attack - Pin Bruteforce
Next
Man-In-The-Middle Attack
Last updated Tue Jan 29 2019 14:02:03 GMT+0000 (UTC)