CyberMoransđ¤
A pixie dust attackâ ď¸ is a way of brute forcing the eight digit pin. This attack allowed the recovery of the pin within minutes đ if the router was vulnerable. On the other hand, a simple brute force would have taken hoursđ
When attacking a Wi-Fi network, the first and most obviousđ place for a hackerđ to look is the type of network encryption. While WEP networks are easy to crackâ ď¸, most easy techniques to crack WPA and WPA2 encrypted Wi-Fi rely on the password being bad or having the processing power to churn through enough results to make brute-forcing a practical approachđ°
If you forget the password to your access point, Wi-Fi Protected Setup, better known simply as WPS, lets you connect to the network using an 8-digit number printed on the bottom of the router. This is đ¤ more convenient than just resetting the router with the button on the back, but also a massive security holeđŠ because of the way many routers deal with implementing this featuređ¤Ą
WPS PINs have been attacked by two successive generations of attacksđ, starting with the most basic brute-forcing methods targeting the way some routers split the PIN into two separate halves before checking them. Years later, another attack emerged that remains effective against many routers and greatly reduces the amount of time needed to attack a targetđ¨
đ WPS Pixie-Dust Attack
Since many routers with WPS enabled use known functions to produce random numbers with seed values like "0" or the time stamp of the beginning of the WPS transaction, the WPS key exchange has fatal flawsđ in the way it encrypts messages. This allows the WPS PIN to be cracked in a matter of secondsđ
Integrating many wireless attack tools into a suite well suited for beginnersđ¤, Airgeddon will allow you to select and configure your wireless card, find and load targeting data from nearby networks, and attack targeted networks â all from the same toolđ
To use the Bully module of Airgeddonđ§, you'll need to be running Kali Linux or another supported distro.....(ParrotOS users *sigh* in relief).....đ Make sure your Kali Linux is fully updated before you begin, as you'll need several packages installed for this tool to work. You'll also need a wireless network adapter capable of packet injection and wireless monitor mode incase you are doing this on a VM or a PC that is not wifi capable đĽ¸
so lets do this Morans...đŞ
đ Install airgeddon & Dependencies
Open a terminal window, and type the following to clone the repo, change directory to the new folder, and run "airgeddon.sh" as a bash script đ
kali > git clone github.com/v1s1t0r1sh3r3/airgeddon.git
kali > cd airgeddon
kali/airgeddon > sudo bash ./airgeddon.sh
Airgeddon will check to see what essential tools are installedđ¤ . Make sure you have a completely green board before you continue, but in particular, you will need Bully for this attack. To install a missing repo, you have a number of options. The easiest is to đ
apt-get install (missingmodule)
or đ
pip3 install (missingmodule)
đ Select Your Wireless Network Adapter
In the next step, Airgeddon will list your network adapters. Select the one you wish to use for the attack by typing the number next to it like metasploit. You may want to change the MAC address of your adapter with a tool like GNU MAC Changer before doing this đ
Next, you will be dropped into the main attack screen. In this case, I'll be doing a WPS attack, so I will select option 8 and HIT Enter...đ
đ Enable Monitor Mode
Now, you will need to put your card into monitor mode. Rather than the usual airmon-ng commands, simply type the number 2 into the menu, and hit enter....đ
The card should be put into monitor mode and change its name. Airgeddon will keep track of the changed name, and you will be able to proceed to the targeting menu.
đ Scan for Prey
To find vulnerable routers, you can now turn your card to the networks in the immediate area by selecting option 4, scan for targets.... đ
If you have a dual-band cardđ¤¨, you might be asked if you want to scan the 2.4 or 5 GHz spectrum, allowing you to decide what kind of networks to target. Type Y for 5 GHz and N for 2.4 GHz đ
A window should open showing you all of the vulnerable networks. Allow it to stay open for a few scans while your card runs up and down the wireless channels and tries to find new networks. After waiting for about a minute, exit out of the window, or
hit Ctrl + C đ
You should see your Wi-Fi target data loaded into a selector screen, meaning you're ready to load target data into an attack module!
đ Ignite the Bully Attack Module
Now, you should see a screen which contains target data for each vulnerable network you detected. Type the number of the network you want to target to pass the targeting data to Airgeddon, and hit return. Next, you will select which attack module will use these values as an argument.....đ
My WPS attack screen is now live and ready to fire. Now, all I need to do is select an attack moduleđ quite a few are offered. Depending on your wireless card, you will have more luck with either Reaver or Bully. In this guide, I focus on Bullyđ¤¤, so type 7 to load the target data into the Bully attack module, and hit enter!đ
The final value you will need to input is the timeout, or how long before the program assumes the attack has failed. For now, set the value to around 69 seconds. Hit return, and the attack begins.....đ
đ Comrad, Fire in the Hole!
Once you start the attack module, a window will open with red text on the screen. If communication is successful, you will see many encrypted transactions like the one in the image below. If you are out of range or the target isn't really vulnerable, you will see failed transactions.
As soon as Bully has the needed data to break the PIN, it will pass it to the WPS Pixie-Dust program....đ
This can happen in a matter of seconds or less, but if your connection is weak, it may take as long as a few minutes. You should see the cracked PIN and the Wi-Fi password appear at the bottom of the screen. That's it! We have complete access to the router....đ
If you write down the PIN, you can use the "custom PIN association" module to be able to get the new password any time it's changedđ until the target buys a new router or disables WPS. This also works if you just got the PIN but the router did not dump the Wi-Fi credentialsđ
đ Defending WPS-Pixie Based Attacks
The most obvious solution to pulling the plug on a Pixie-Dust attack is to disable the feature at the heart of the issueđ â Wi-Fi Protected Setup (WPS). You can easily reset your router with the reset button located on virtually all routers, meaning pretty much no one will be sad if you disable the WPS feature. You can do this through the administration page of most routersđ§
Another important detail is that older routers may say they have disabled the WPS option when, in fact, they are still vulnerable to this attack even with this setting "off."𤼠This is a serious issue for older hardware, and if you test this tool against an older router with the WPS set to "off" and the attack succeeds, your only option may be simply replacing the hardware and buying a new routerđ¤
đConclusion đ¤
Subscribe to receive notifications of similar posts đ where we will be reverse engineering malware, vulnerabilities as well as hacking tools, vectors, stories, tutorials and other Infosec stuff...đ
Follow me on twitter for daily Infosec Memes and shenanigansđ
and Youtube: @mcg_254
Moransđ
Thank you for taking time and hope you learned something new, Like/Share and leave a comment and as always, stay awesome! đđ đŞ
Comments