Airgeddon is a multi-use bash script for Linux systems to audit wireless networks. It is an all in one tool. It can run many attacks on WEP, WPS and WPA networks.
WPS security flaw was found by Dominique Bongard. He found that some Access Points have flaws in the way the nonces (known as E-S1 and E-S2) are generated, that are supposed to be secret. First we need to understand how WPS exchange works. When the Registrar (the client computer) wants to connect to the Enrollee (the Access Point) they exchange a series of request and response messages as part of the negotiation process, these are named M1 to M8. In the Pixie Dust Attack, the negotiation process can be stopped right after message M3 because we already have all the values needed for the attack. The registrar sends EAPOL start message. Let’s see how WPS exchange works. Enrollee generates Enrollee Nonce or N1 and DH Public Key of Enrollee or PKE. Enrollee sends M1 message which is a concatenated string of N1, description and PKE. Upon reception of M1 the Registrar generates PKR and N2. The Registrar computes the DHKey using SHA-256 and calculate the Key Derivation Key. Finally AuthKey, KeyWrapKey, and EMSK are derived and the M2 response message is sent. The M2 message is a concatenated string of N1, N2, description, PKR and Auth. The M3 request message is sent by Enrollee which is again a concatenated string of E-HASH1 and E-HASH2, that is WPS PIN in hashed form, in order to prove that it also knows the PIN, and the client is not connecting to a rouge Access Point. The real fun starts now, the E-HASHes are calculated by H-MAC-SHA-256 with auth key using E-S1 and E-S2, PSK1 an PSK2, PKE and PKR. Now in each hash we have two unknowns, the E-S1 and E-S2 ( or 128 bit random nonces), PSK1 and PSK2 or the first and second halves of the pin. Now, if we know the nonces generated by pseudo-random generators (PRNG), we can brute force PSK1 and PSK2 as each of these contain 4 digits of pin. if PRNG state can be recovered, E-S1 and E-S2 can be calculated and PSK1 and PSK2 be brute forced from E-Hash1 and E-Hash2. These E-S1 and E-S2 are essentially the "keys to unlock the lock box" containing the WPS pin. After this, we use reaver or bully to connect to the access point using pin, which in turn throws back the credentials. I am not going to explain how this exchange works, if you want to know in detail leave a comment.
In WPA-PSK, 4way handshake starts immediately after Open System Authentication & Association state finish.
Authenticator sends EAPOL-Key frame containing an A-Nonce( or Authenticator nonce) to supplicant. The frame includes the authenticators mac address. Message 1 is sent without any protection. With this information, supplicant have all necessary input to generate PTK using
PMK, A-Nonce, S-Nonce, Authenticator MAC Address, and Supplicant MAC Address. This is used to encrypt all unicast transmission between client & Access Point.
Supplicant sends an EAPOL-Key frame containing S-Nonce to the Authenticator. Now authenticator has all the inputs to create PTK. Supplicant also sent RSN-IE capabilities to Authenticator & MIC. Authenticator derive PTK & validate the MIC as well.
If necessary, Authenticator will derive GTK. Authenticator sends EAPOL-Key frame containing A-Nonce, RSN-I E & MIC. GTK will be delivered (encrypted with PTK) to supplicant. It contains message to supplicant to install temporal keys.
Supplicant sends final EAPOL-Key frame to authenticator to confirm temporal keys have been installed with MIC.
Let's see how password cracking works.
PTK is concatenation of five different keys.
Key Confirmation Key or KCK,
Key Encryption Key or KEK,
Temporal Encryption Key or TEK and two MIC keys.
KCK is used to construct MIC in EAPOL packets 2,3 and 4.
4-way handshake password "cracking" works by checking MIC in the 4th frame. 4-way handshake is parsed to get MAC addresses, nonces, and EAPOL payload and MIC from 4th frame. Words from dictionary are used to compute PMK. PTK is computed from PMK, MAC addresses and nonces. KCK from computed PTK is used to compute MIC. Computed M I C is compared to the genuine MIC. If they match, then password is reported as correct.
Evil Twin with Captive Portal
MDK3 process kicks all the clients from the target access point, so they can be lured to connect to the fake access point, and enter the WPA password. A fake DNS server is launched in order to capture all the DNS requests and redirect them to host running the script. A captive portal is launched in order to serve a page to all the clients, which prompts all the users to enter their password. Each submitted password is verified against the handshake captured earlier.