Playing with other people Wi-Fi part 2: WPS, the “backdoor” to WPA

In the previous post here, I quickly showed the historical protection mechanism called WEP, its weaknesses and how to quickly crack it. The practical result of that problem is that we should all enable WPA or even better WPA2 protection protocols on our Wi-Fi networks. But even then you can have your network penetrated if you didn’t checked your Wi-Fi routers specifications properly and made sure to disable something called WPS ( Wi-Fi Protected Setup).

Wifi part 2WPS cracking Thumbansil

Wi-Fi Protected Setup (WPS) is a standard made by Wi-Fi Alliance in 2007 to enable more easier setup of new WPA/WPA2 network by users who are not computer skilled. It sounded like a greate idea in the beginning because there was a problem in that that most users are not aware that they should choose a good and big password to their WPA/WPA2 network in order to be protected from dictionary attacks. So WPS idea was that the encryption key of WPA/WPA2 will be autogenerated to a strong random key, but the end-user will not need to know it in order to connect his devices. Two most common ways how to connect with WPS are:

1) You push a button (either logical in web GUI or physical on the Wi-Fi AP) and for the next minute or so any device that will try to connect and supports WPS will negotiate a key with the Wi-Fi AP automatically. The new client from this point knows the secure password and is able to function normally.

2) On the back of your Wi-Fi AP, you will see an 8-digit PIN (on most models it can be changed). When you are connecting a new client to the WIFI, it will ask you to enter this PIN (if the client supports it, but everything from Vista upwards support this). Then again the new client negotiates the secure encryption key in the background and can function normally from that point.

The WPS idea sounds easy, but it was already proven as the weakest point you can have in your WPA/WPA2 network and what is even worse (or better depending what are your goals) is that most home router has this vulnerable feature enabled by default!

The history how it was cracked started in December 2011 when researcher Stefan Vielböck published a very nice way how to attack WPS in a simple manner. In summary the problem is that when the connecting client is validating the PIN number as an 8-digit, it is technically only 7-digit PIN as the 8th digit is technically a checksum result. That means that brute-force attack is easy in order of magnitude as we are having only 10^7 = 10,000,000 possible combinations. But this goes even lower! The problem is further that during PIN validation the

first 4 digits and then the 3 digits + 1digit checksum are validated separately and this means that you can separately attack 4digits = 10,000 possibilities and 3 digits = 1,000 possibilities = 11,000 possibilities and this is very low number for a brute force attack.

I really recommend you read the original 9-page document from Stefan Vielböck “Brute forcing Wi-Fi Protected Setup” (backup link) that describes this attack in a very easily understandable way.

A tool has been developed by a company called Tactical Network Solutions called reaver-wps to implement this attack. And to this date is implementing this attack as easy as using two or three commands.

Practical example how to crack WPA/WPA2 via WPS

First, lets look what do we need for this task. For the moral and legal reasons, please get your own access-point and configure it with WEP encryption. Then we need two PCs (technically possible with one and two Wi-Fi cards, but two PCs are better). One PC will act as a client (so that it will generate traffic) and the other PC will be for the attacker simulation. This part is taken from the previous article about test WEP cracking here.

Regarding my personal hardware, I have used a a TP-Link 722n wireless card, with a great external antenna adapter and good support from the hacking tools. As a target I used my TP-Link 741ND wifi router. As a test client I have used my iPhone.

tplink741nd

TP-Link 741ND

TP-Link 722n

TP-Link 722n

For the software needed you can go in two directions, I personally have dual-boot with BackTrack Linux. This is ubuntu based distribution designed for penetration-testing and comes with all the best selection of security auditing and penetration testing tools as well as already modified drivers to support advanced attacks like arp-injection (which is not needed for a normal user). You can also simply download this image and start it as a live CD (or inside USB). Second option is to start your linux distribution (yes, you need one) and install aircrack-ng and reaver-wp software packageges.

NOTE: You will also need a Wi-Fi adapter that supports promiscuous mode. If you are going to buy a new Wi-Fi adapter for this, have a look on the aircrack-ng compatibility list.

Step 0. Initialize aircrack-ng promiscuous interface

This step is a repeat from previous article that can be found here, so I will make it a little bit more shorter this time. In summary find your wifi adapter in linux using the “ifconfig -a” command. It should be listed as either “wlanX” or “athX” interface depending on the chipset. Then we start the promiscuous mode with  airmon-ng start <interface>. Example below of successfull creation.

After this step, a new interface called mon0 should appear. Example below:

This is your interface useful for aircrack and reaver-wp attacks. With this we can continue.

NOTE: For WPS attacks the packet injection support should not be mandatory as with the WEP attack.

Step 1. Creating your target WPA network (or choosing a target around you).

Well, in my case I have created a simple WPA2 protected network called WPAcrackTest by configuring my TP-Link 741ND. To show you how to search for vulnerable networks (like mine) lets use the “wash” utility. This utility scans surrounding networks and lists all networks that have WPS enabled. This is no form of attack because WPS capabilities are announced in the periodic Wi-Fi broadcasts to tell the clients they can use WPS to connect.

We will use the “wash” utility to identify all the networks around me that have WPS activated. Surprisingly, there are quite a lot in my apartment building and I had to edit them to hide identity of my neighbors. The one we will be cracking is my “WPAcrackTest”.

 

Step 2. Start attack on WPS with reaver-wp.

Now, cracking WPS is surprisingly much more easy than cracking WEP in previous article, but it will require some waiting time. The bellow command has a 12hour waiting time until the key was cracked successfully. The command is “reaver -i mon0 -b F8:D1:11:37:C2:0E -vv” and has the following paremeters:

Now we execute and wait as shown below.

< — AFTER some 12 hours of waiting and trying– >

And here you have if folks, the PIN is cracked, we already have the password that is quite strong by any standard. But because of the WPS the Wi-Fi was cracked.

Summary

WPA/WPA2 are great standards that are hard to crack and fixed most of the problems of WEP. However with many of vendors implementing default WPS feature and many of the people not knowing enough to disable it (just look at my neighbors at Step 1. above), there is quite a renaissance in war-driving just because a simple feature going wrong.

In the next article, I am going to show you a little bit how to gain some distance for you Wi-Fi penetration testing with Yagi-Uda wifi antennas and some non-standard Wi-Fi adapters.

If you enjoyed this blog, please share.

About Peter Havrila

Author's Profile