Offensive Security
Offensive Security
About me / contact me
Penetration Testing with Kali
Note taking
Master your skills
OSCP
Information gathering
Gaining Access - Vulnerability Exploitation
Privilege Escalation
HTB
Active
Retired
VulnHub
Brainpan - 1 - Buffer Overflow
Web Vulnerabilities - OWASP TOP 10
SQL Injection
XXE - XML External Entity
Command Injection
Cross Site Scripting
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery
Security Misconfiguration
Insecure Cryptographic Storage
Insufficient Transport Layer Protection
Other Web Vulnerabilities
Remote File Upload
Remote File Inclusion
Local File Inclusion
Personal Projects
WiFi Penetration Testing
WPS Attack - PixieDust
WPS Attack - Pin Bruteforce
WPS Attack - Null Pin
Man-In-The-Middle Attack
Handshake Pcap Password Cracking
Phishing attempts
News
Powered by GitBook

WPS Attack - PixieDust

I have been gifted this Netgear EX2700 customer appliance that is designed to act as a wireless extender to your wireless network. Its primary use is to extend the signal range to cover any WiFi dead spots in your house, naturally. It works in a bridged mode alongside with your wireless router. " wireless range extender takes an existing signal from a wireless router or wireless access point and rebroadcasts it to create a second network. When two or more hosts have to be connected with one another over the IEEE 802.11 protocol and the distance is too long for a direct connection to be established, a wireless repeater is used to bridge the gap." wikipedia This model comes with MediaTek MT7620A chipset, has been released to the market in July 2014, produced by Mediatek in partnership with Ralink ( acquired by Mediatek in 2011).

EX2700, still sold by Netgear under the product line of "Essentials", is essentially a backdoor to a home network if WPS PIN is enabled and the software not updated - a convenient entry point to a home network, that intruders can exploit. Due to vulnerability of its WiFi SoC chipset MediaTek MT7620A that controls the behaviour of the device itself, the attacker can obtain WPS Pin to the EX2700 in a matter of minutes and in consequence retrieve PSK password to the network. More on this later....

"A system on a chip or system on chip (SoC or SOC) is an integrated circuit (also known as an "IC" or "chip") that integrates all components of a computer or other electronic systems. These components typically include a central processing unit (CPU), memory, input/output ports and secondary storage – all on a single substrate. It may contain digital, analog, mixed-signal, and often radio-frequency functions, depending on the application. SoCs are very common in the mobile computing market because of their low power consumption" Think Raspberry Pi! Vulnerability! This device, among many, many others ( https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit#gid=2048815923 ) when used with WPS functionality is susceptible to a Pixie Dust attack - an offline, brute forcing method that captures E-S1 and E-S2 messages during WPS exchange. PixieDust gets that information from M3 message.

Link to a research from 2014 by Dominique Bongard This attack in most cases is possible due to low entropy - an algorithm responsible for generating a supposedly "random" E-S1 and E-S2 numbers used to secure the whole process. In EX2700, situation is less secure as those numbers do not seem to be generated at all, they are all equal 0. This overlook in the design of the WPS exchange process results on an instant recovery of the router PIN.

PixieWPS cracking the PIN in less than a minute.
Personal Projects - Previous
WiFi Penetration Testing
Next
WPS Attack - Pin Bruteforce
Last updated Tue Jan 29 2019 13:28:38 GMT+0000 (UTC)