From e760fecda84e58ec1efcc76e2a623498f868bb82 Mon Sep 17 00:00:00 2001
From: wiire-a
Date: Tue, 7 Nov 2017 20:53:16 +0100
Subject: [PATCH] Added option -5 and display of secret nonces

This option is used to optionally decrypt ES-1 directly from M5, when the Enrollee proves to the Registrar to know the PIN. As of right now it must be used in conjunction with -7.

With the introduction of this new option, the display of ES-2 (and ES-1 when -5 is supplied) has been added to the output.
---
 src/pixiewps.c | 44 +++++++++++++++++++++++++++++++++++++-------
 src/pixiewps.h | 3 +++
 src/wps.h | 1 +
 3 files changed, 41 insertions(+), 7 deletions(-)

diff --git a/src/pixiewps.c b/src/pixiewps.c
index 1bbf301..c97aafe 100644
--- a/src/pixiewps.c
+++ b/src/pixiewps.c
@@ -51,7 +51,7 @@ uint32_t ecos_rand_simple(uint32_t *seed);
 uint32_t ecos_rand_knuth(uint32_t *seed);
 uint_fast8_t crack(struct global *g, char *pin);
 
-static const char *option_string = "e:r:s:z:a:n:m:b:o:v:j:7:SflVh?";
+static const char *option_string = "e:r:s:z:a:n:m:b:o:v:j:5:7:SflVh?";
 static const struct option long_options[] = {
 	{ "pke", required_argument, 0, 'e' },
 	{ "pkr", required_argument, 0, 'r' },
@@ -72,6 +72,7 @@ static const struct option long_options[] = {
 	{ "mode", required_argument, 0, 1 },
 	{ "start", required_argument, 0, 2 },
 	{ "end", required_argument, 0, 3 },
+	{ "m5-enc", required_argument, 0, '5' },
 	{ "m7-enc", required_argument, 0, '7' },
 	{ 0, no_argument, 0, 'h' },
 	{ 0, 0, 0, 0 }
@@ -407,6 +408,15 @@ memory_err:
 			break;
 		}
 		goto usage_err;
+	case '5':
+		wps->m5_encr = malloc(ENC_SETTINGS_LEN);
+		if (!wps->m5_encr)
+			goto memory_err;
+		if (hex_string_to_byte_array_max(optarg, wps->m5_encr, ENC_SETTINGS_LEN, &wps->m5_encr_len)) {
+			snprintf(wps->error, 256, "\n [!] Bad m5 encrypted settings -- %s\n\n", optarg);
+			goto usage_err;
+		}
+		break;
 	case '7':
 		wps->m7_encr = malloc(ENC_SETTINGS_LEN);
 		if (!wps->m7_encr)
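Review bot: `case '5'` in the @@ -407 hunk is a line-for-line copy of `case '7'` (allocate ENC_SETTINGS_LEN, convert with hex_string_to_byte_array_max, format the failure into wps->error), so the two paths will drift as one gets fixed and the other not; a small static helper that both cases call keeps the parsing in one place. The commit message says -5 only works together with -7, but nothing in this hunk rejects -5 given on its own — if that check lives elsewhere in the option handling it is outside the hunk and deserves a one-line comment at the case. Neither case checks that the converted length is at least 16, which the later lookups subtract from it as an unsigned value; if hex_string_to_byte_array_max accepts shorter input, this is the natural place for a minimum-length check. The enclosing switch and the memory_err/usage_err labels are outside the hunk.
```c
/* Parse one hex-encoded encrypted-settings argument (-5 / -7) into a fresh
 * ENC_SETTINGS_LEN buffer. Returns 0 on success, -1 if malloc fails, 1 if
 * hex_string_to_byte_array_max rejects the input (the buffer is released). */
static int parse_encr_arg(const char *hex, uint8_t **out, unsigned int *out_len)
{
	*out = malloc(ENC_SETTINGS_LEN);
	if (!*out)
		return -1;
	if (hex_string_to_byte_array_max(hex, *out, ENC_SETTINGS_LEN, out_len)) {
		free(*out);
		*out = NULL;
		return 1;
	}
	return 0;
}

	/* … unchanged: earlier cases of the option switch … */
	case '5': {
		int rc = parse_encr_arg(optarg, &wps->m5_encr, &wps->m5_encr_len);
		if (rc < 0)
			goto memory_err;
		if (rc > 0) {
			snprintf(wps->error, 256, "\n [!] Bad m5 encrypted settings -- %s\n\n", optarg);
			goto usage_err;
		}
		break;
	}
```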
@@ -495,14 +505,25 @@ usage_err:
 	memcpy(wps->emsk, buffer + WPS_AUTHKEY_LEN + WPS_KEYWRAPKEY_LEN, WPS_EMSK_LEN);
 
 	/* Decrypt encrypted settings */
-	uint8_t *decrypted = decrypt_encr_settings(wps->wrapkey, wps->m7_encr, wps->m7_encr_len);
+	uint8_t *decrypted7 = decrypt_encr_settings(wps->wrapkey, wps->m7_encr, wps->m7_encr_len);
 	free(wps->m7_encr);
-	if (!decrypted) {
+	if (!decrypted7) {
 		printf("\n Pixiewps %s\n", SHORT_VERSION);
 		printf("\n [x] Unexpected error while decrypting (--m7-enc)!\n\n");
 		return UNS_ERROR;
 	}
 
+	uint8_t *decrypted5 = NULL;
+	if (wps->m5_encr) {
+		decrypted5 = decrypt_encr_settings(wps->wrapkey, wps->m5_encr, wps->m5_encr_len);
+		free(wps->m5_encr);
+		if (!decrypted5) {
+			printf("\n Pixiewps %s\n", SHORT_VERSION);
+			printf("\n [x] Unexpected error while decrypting (--m5-enc)!\n\n");
+			return UNS_ERROR;
+		}
+	}
+
 	printf("\n Pixiewps %s\n", SHORT_VERSION);
 	if (wps->verbosity > 1) {
 		printf("\n [*] Mode: %u (%s)", RTL819x, p_mode_name[RTL819x]);
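Review bot: The new `--m5-enc` failure branch returns UNS_ERROR while `decrypted7` is still allocated, so the error path added here leaks the M7 plaintext buffer; put `free(decrypted7);` before that `return UNS_ERROR;`. The branch also repeats the two-printf error report from the `--m7-enc` branch just above it word for word; a single shared decrypt-failure exit reached by `goto` would remove the duplication and make the cleanup on both paths uniform. Note that `wps->m5_encr` is freed here but not reset, so any code after this point that still tests `wps->m5_encr` for "was -5 given" would read a dangling pointer — `decrypted5` is the value to test from here on. The enclosing function begins and ends outside the hunk.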
@@ -514,18 +535,24 @@ usage_err:
 		printf("\n [*] AuthKey: "); byte_array_print(wps->authkey, WPS_AUTHKEY_LEN);
 		printf("\n [*] EMSK: "); byte_array_print(wps->emsk, WPS_EMSK_LEN);
 		printf("\n [*] KeyWrapKey: "); byte_array_print(wps->wrapkey, WPS_KEYWRAPKEY_LEN);
-		if (vtag = find_vtag(decrypted, wps->m7_encr_len - 16, WPS_TAG_KEYWRAP_AUTH, WPS_TAG_KEYWRAP_AUTH_LEN)) {
+		if (vtag = find_vtag(decrypted7, wps->m7_encr_len - 16, WPS_TAG_KEYWRAP_AUTH, WPS_TAG_KEYWRAP_AUTH_LEN)) {
 			memcpy(buffer, vtag->data, WPS_TAG_KEYWRAP_AUTH_LEN);
 			printf("\n [*] KeyWrap Authenticator: "); byte_array_print(buffer, WPS_TAG_KEYWRAP_AUTH_LEN);
 		}
 	}
-	if (vtag = find_vtag(decrypted, wps->m7_encr_len - 16, WPS_TAG_SSID, 0)) {
+	if (vtag = find_vtag(decrypted5, wps->m5_encr_len - 16, WPS_TAG_E_SNONCE_1, WPS_NONCE_LEN)) {
+		printf("\n [*] ES-1: "); byte_array_print(vtag->data, WPS_NONCE_LEN);
+	}
+	if (vtag = find_vtag(decrypted7, wps->m7_encr_len - 16, WPS_TAG_E_SNONCE_2, WPS_NONCE_LEN)) {
+		printf("\n [*] ES-2: "); byte_array_print(vtag->data, WPS_NONCE_LEN);
+	}
+	if (vtag = find_vtag(decrypted7, wps->m7_encr_len - 16, WPS_TAG_SSID, 0)) {
 		int tag_size = be16_to_h(vtag->len);
 		memcpy(buffer, vtag->data, tag_size);
 		buffer[tag_size] = '\0';
 		printf("\n [*] SSID: %s", buffer);
 	}
-	if (vtag = find_vtag(decrypted, wps->m7_encr_len - 16, WPS_TAG_NET_KEY, 0)) {
+	if (vtag = find_vtag(decrypted7, wps->m7_encr_len - 16, WPS_TAG_NET_KEY, 0)) {
 		int tag_size = be16_to_h(vtag->len);
 		memcpy(buffer, vtag->data, tag_size);
 		buffer[tag_size] = '\0';
@@ -534,7 +561,10 @@ usage_err:
 		printf("\n [-] PSK not found!\n\n");
 	}
 
-	free(decrypted);
+	if (decrypted5)
+		free(decrypted5);
+
+	free(decrypted7);
 	free(buffer);
 	free(wps->pke);
 	free(wps->pkr);
diff --git a/src/pixiewps.h b/src/pixiewps.h
index d5b43ae..efc763d 100644
--- a/src/pixiewps.h
+++ b/src/pixiewps.h
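Review bot: The new ES-1 lookup calls `find_vtag(decrypted5, wps->m5_encr_len - 16, ...)` unconditionally, but `decrypted5` is NULL whenever -5 was not supplied and `m5_encr_len` is then 0 (or indeterminate if the struct is never zeroed), so the unsigned subtraction wraps and find_vtag receives a null buffer with a huge length; unless find_vtag itself rejects NULL (not visible here) the plain -7 invocation that this option is meant to extend will dereference NULL. Guard the lookup the same way the decryption is guarded: `if (decrypted5 && (vtag = find_vtag(decrypted5, wps->m5_encr_len - 16, WPS_TAG_E_SNONCE_1, WPS_NONCE_LEN))) {`. The `- 16` applied to both buffers is a magic number copied from the existing M7 lookups and is also where a too-short input would wrap; a named constant with a one-line comment on what the 16 trailing bytes are would help the next reader. The enclosing function begins and ends outside the hunk.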
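Review bot: In the @@ -534 hunk, `if (decrypted5) free(decrypted5);` guards a call that is already well-defined on NULL — free(NULL) is a no-op — so the test adds a branch for nothing and reads inconsistently next to the unconditional `free(decrypted7);` two lines below. Write `free(decrypted5);` on its own, matching how the other buffers in this cleanup run are released. The function's cleanup continues outside the hunk.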
@@ -104,7 +104,9 @@ struct global {
 	uint8_t *e_s1;
 	uint8_t *e_s2;
 	uint8_t *e_bssid;
+	uint8_t *m5_encr;
 	uint8_t *m7_encr;
+	unsigned int m5_encr_len;
 	unsigned int m7_encr_len;
 	time_t start;
 	time_t end;
@@ -156,6 +158,7 @@ char usage[] =
 	" Miscellaneous arguments:\n"
 	"\n"
 	" -7, --m7-enc : Recover encrypted settings from M7 (only mode 3)\n"
+	" -5, --m5-enc : Recover secret nonce from M5 (only mode 3)\n"
 	"\n"
 	" Example:\n"
 	"\n"
diff --git a/src/wps.h b/src/wps.h
index 30f7517..10ac5ba 100644
--- a/src/wps.h
+++ b/src/wps.h
@@ -45,6 +45,7 @@ struct ie_vtag {
 	uint16_t id;
+#define WPS_TAG_E_SNONCE_1 "\x10\x16"
 #define WPS_TAG_E_SNONCE_2 "\x10\x17"
 #define WPS_TAG_SSID "\x10\x45"
 #define WPS_TAG_BSSID "\x10\x20"
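Review bot: The new `m5_encr` / `m5_encr_len` members are later tested with `if (wps->m5_encr)` and used in an unsigned length subtraction, so they must start out NULL and 0 for the "-5 not given" case to behave; the hunk adds the fields but no initialization is visible, which is only safe if `struct global` is allocated with calloc or an explicit initializer elsewhere — worth confirming at the allocation site. A short comment on the fields would record the contract, e.g. `/* set only when -5 is supplied; NULL / 0 otherwise */`. The struct definition continues outside the hunk.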
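Review bot: The new help line in the @@ -156 hunk does not say that -5 only works together with -7, which the commit message states and which a user will look for in the usage text rather than the commit log; suggest `" -5, --m5-enc : Recover secret nonce from M5 (only mode 3, requires -7)\n"`. If that restriction is later lifted this is also the single line to update. The usage string continues outside the hunk.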