Skip to content

FAQ

Jump to bottom
wiire-a edited this page Dec 26, 2017 · 10 revisions
  • What is WPS? Why is it needed if we have WPA?

WPA is the protocol used to secure wireless traffic between the wireless base station and clients. WPS is a sort of key management protocol for WPA. It's used to send the network configuration, including the WPA passphrase, to the clients, and vice-versa, it's used to configure an existing network from a client. In case of in-band communication (i.e. wireless), this is done with message 7 and 8 of the protocol, respectively.

The purpose of WPS is to encourage users to use strong WPA passwords while making it easy to connect to a network (i.e. using a 8-digit numeric PIN) and avoid offline brute-force attacks like the dictionary attack against WPA and WPA2, but also to simplify the process of configuring a wireless network.

  • WPS or WSC?

WPS stands for Wireless Protected Setup and it's the original name, WSC for Wireless Simple Configuration and it's the name of the protocol since version 2. On Windows it's implemented under the Windows Connect Now (WCN) method.

  • What is pixiewps for?

It's for cracking the Wi-Fi Protected Setup PIN method(s) offline. It implements the so-called WPS "pixie-dust attack", discovered by Dominique Bongard in summer 2014. This method exploits low entropy pseudo-random number generators (PRNG) in some software implementations, and works only on some known vulnerable devices.

This process can reduce the time of finding the correct PIN from hours to a few minutes or seconds. The PIN can later be used to recover the WPA-PSK from the Access Point using a tool like Reaver, Bully or join directly the wireless network using wpa_cli and other programs.

  • What is the difference between online and offline attacks?

Online is used to refer to the process of supplying random PINs to the Access Point until the right one is guessed. This process is what traditional tools such as Reaver and Bully were built to do, and can take up to several hours, or not be feasible if strong mitigations are in place.

The offline method involves trying only one random PIN and collect some information during the process. This data can later be used to attempt the pixie-dust attack.

  • How is it possible?

It has to do with how the proof-of-possession of the PIN works. Both the Enrollee and the Registrar must take turn to prove the knowledge of the PIN. To do so, the PIN is split in two halves and the Enrollee sends the Registrar two hashes of these halves, in message 3 of the protocol, each one "protected" by a 128 bit "random number", called Enrollee Secret Nonce 1 (E-S1) and Enrollee Secret Nonce 2 (E-S2) respectively.

These "secret numbers" will be later sent on message 5 and 7 giving the possibility to verify that indeed the device knew about the PIN halves before the Registrar sent its halves (in message 4 and 6).

The pixie-dust attack exploits the fact that on some devices these "secret numbers" are generated using insecure pseudo-random number generators which have 32 bits of state and no external entropy and that each half of the PIN takes at most 10^4 guesses.

  • Enrollee, Registrar?

If you want to go in depth of all the possible configurations, methods and nuances of the protocol read the specification. But to put it simple, the Enrollee is the Access Point, the Registrar is the client or attacker.

  • What methods are supported?

Every method that involves the use of a 8-digit numeric PIN, provided all the correct data is supplied. These are: label, push-button and display. Note that the display method allows for a 4-digit numeric PIN to be used, but since the specification requires these types of PINs to be used only once, it would be useless to support them in pixiewps anyway (1).

  • Label and user-specified PINs

The last digit in pre-configured PINs (printed on the sticker of the device) is used as a checksum of the other digits. This is especially useful in case of a throwaway PIN is used (i.e. Display method), because it enables error detection in user input of the PIN before the protocol is started. Users of course are not expected to compute checksums for passwords they choose, so user-specified PINs do not include a checksum digit.

Both are supported since the very first version of pixiewps.

  • What is the authentication session key (--authkey)?

It's one of the session keys derived from from the Diffie-Hellman shared secret. It's used as key in the HMAC-SHA-256 functions. Since the protocol is executed between the attacker (e.g. Reaver) and the Access Point, third party tools like pixiewps need, in most cases, this session key in order to be able to carry on the attack.

  • Version Y is slower than version X?

The most recent version of pixiewps must be considered the most "correct" and "general". It may be slower or faster compared to older versions but that doesn't matter. Pixiewps tries to do as little work as possible to recover the correct PIN, but you have to keep in mind that it only sees numbers in input, and it may not always be possible for it to take the "shortest path". Because of that, some versions may have to do more work in order to work in all instances, more so if no --mode is specified.

It should be up to the user or the higher-level tool to detect the right vendor and supply the correct mode to pixiewps. This is fairly easy to do with a tool which uses monitor mode and can grab the vendor OUI tag from a beacon frame. When monitor mode is not an option, the user or tool can resort to the usual WPS fields like model, serial etc.

Notes:

  1. This may be not always true in the event it would be possible to crack the PIN and complete the protocol before a timeout from the Enrollee. This feature however is not supported in tools currently available.
Clone this wiki locally