WPS Attack - Pin Bruteforce

Somebody said that between security, convenience and price you can pick only two of them. If you choose security and convenience you will have to pay a high price for a product like that. Naturally, when you choose a product that is both convenient to use and cheap, that is where the vulnerabilities happen. The price you pay is that of exposing yourself to a breach... of trust, privacy, identity? You have to make a choice of what you value in life, somebody wise once said; sadly we are not versed enough in technology to see how it connects with our values. Maybe we do not place an emphasis on our values any more, because if we did, would we not pay more attention to securing them in the first place? Have we allowed ourselves to outsource this responsibility to some other, omnipotent entity that we believe will do a better job than we can? Those are the questions I have in my mind as I test the security of the few routers that I own. I have put myself in the shoes of your average consumer who is delighted to use the convenience of WPS (Wireless Protected Setup), where at the push of a button he can evade the huge, painful, daunting inconvenience of entering an 8 digit alphanumeric password into his devices to connect to the network once in a lifetime! I guess we really are lazy, if we asked for a feature like WPS. Very convenient, sure.... secure, mmmm not so much. Whilst the first attack on the aforementioned EX2700 was an offline PixieWPS approach, this one is slightly louder. Welcome to...

Source of many jokes @OSCP

The tool to test the robustness of a wireless network is Reaver, available on Kali Linux as part of the package. It came to life in 2011 through Craig Heffner and Stefan Viehböck (link to his research) and uses a brute-forcing method to retrieve the PIN from WPS enabled routers. This PIN allows devices to connect to the network at the push of a button and is essentially a key that allows attackers to retrieve the WiFi password and connect freely, regardless of the complexity of the password itself. Many thought that Reaver, because of its old age, has been "forgotten", "dead" or "shit", as its default configuration won't do the magic. Sadly those people do not understand that, just like any tool, say a lock-pick, it requires practice, practice, practice and the correct use of the switches that come as part of the tool (reaver -h).

What is more, reaver is still going strong and being developed. New version 1.65 was released lately and has many interesting features. The people developing the tool are smart and would not carry on with the subject if they had not seen potential in it. Besides, old routers still exist out there, some new ones are built on outdated chips to save money, and new vulnerabilities in routers are being discovered every day. Without further ado, let's get to the magic. The essence of "interacting" with invisible WiFi waves is employing a wireless adapter capable of both monitor and promiscuous mode; the latter allows it to intercept, add or inject "frames" into a wireless stream of data and modify it within the vicinity of the card, which is about 20 meters (depending on the wireless antenna, adapter strength etc). In order to use reaver successfully against the access point from which we are trying to retrieve our golden PIN, the aircrack-ng suite tells us that: "The lack of association with the access point is the single biggest reason why injection fails. To associate with an access point, use fake authentication:"

aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0

Where:

  • -1 means fake authentication

  • 0 reassociation timing in seconds

  • -e teddy is the wireless network name

  • -a 00:14:6C:7E:40:80 is the access point MAC address

  • -h 00:09:5B:EC:EE:F2 is our card MAC address

  • ath0 is the wireless interface name

This simple command allows us to act as one of the devices connected to the network and, in consequence, see and modify the frames coming to and going from the access point. Many people overlook that advice, which results in reaver printing "WARNING: Receive timeout occurred" right after "Sending EAPOL START request", looping infinitely without any response from the router we are trying to talk to. Even though reaver associates with the AP by default when started as: reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv, some routers need more personalized treatment:

aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0

Where:

  • 6000 - Reauthenticate every 6000 seconds. The long period also causes keep-alive packets to be sent.

  • -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.

  • -q 10 - Send keep-alive packets every 10 seconds

See what I mean by practice? And that is not to mention the delay switches, which adjust how reaver paces its requests to the router in order to avoid lockouts, AP rate limiting and other challenges.

Reaver in action. 5.49% done after a few hours, 20 seconds per PIN.

With our wireless card correctly associated with the AP we get a stable brute-force attack.
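The lockouts and AP rate limiting mentioned above are what stand between a router and the 20-seconds-per-PIN run shown in the screenshot. The following is an added example, not code from the post or from reaver, that models a simple AP-side WPS lockout policy and replays a steady stream of wrong PINs against it; the thresholds (3 consecutive failures, 300 s lockout) and the class and function names are constructed for illustration.

```python
# Constructed thresholds (not from the post): lock the WPS registrar for
# LOCKOUT_SECONDS after MAX_FAILURES consecutive failed PIN attempts, no matter
# which client MAC sent them (a client MAC is trivially changed).
MAX_FAILURES = 3
LOCKOUT_SECONDS = 300


class WpsLockout:
    """AP-side rate limiter for WPS external-registrar PIN attempts."""

    def __init__(self):
        self.failures = 0        # consecutive failed attempts since last lock/success
        self.locked_until = 0.0  # timestamp until which the registrar is disabled
        self.lockouts = 0        # how many times the AP has locked so far

    def attempt(self, now, pin_correct):
        """Handle one PIN attempt at time `now`; return 'ok', 'fail' or 'locked'."""
        if now < self.locked_until:
            return "locked"      # AP refuses to run the WPS exchange at all
        if pin_correct:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
            self.lockouts += 1
        return "fail"


def simulate_bruteforce(interval_s, total_attempts):
    """Replay `total_attempts` wrong PINs, one every `interval_s` seconds (20 s
    matches the run above), and return (PINs actually evaluated, lockouts)."""
    ap = WpsLockout()
    evaluated = 0
    for i in range(total_attempts):
        if ap.attempt(i * interval_s, pin_correct=False) == "fail":
            evaluated += 1
    return evaluated, ap.lockouts


if __name__ == "__main__":
    # At 20 s per PIN only 3 of every 17 attempts are evaluated; at 400 s per
    # PIN the lockout expires before the next try and every guess gets through.
    print(simulate_bruteforce(20, 100))   # (18, 6)
    print(simulate_bruteforce(400, 100))  # (100, 33)
```

A fixed-duration lockout only slows a patient attacker down, which is why the post's delay switches exist; an AP that counts lockouts and disables WPS after a few of them, or that simply ships with WPS PIN mode off, removes the attack surface entirely.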