
My latest thoughts and ideas about wireless technology.

Entries in pin (2)

Wednesday, Jan 04, 2012

Is my wireless router running WPS?

A few days ago I posted a video demonstrating how to use reaver, by Tactical Network Solutions, to brute force the WPS PIN on a wireless router. During the video, I also demonstrated how you can check the beacon frames from a wireless router to determine if WPS was running. You can also check probe responses but that's neither here nor there.

Since posting the video, I have still been asked by quite a few people, both online and in-person, how they can tell if WPS is running on their wireless router. Unfortunately, there isn't a really easy way but a new tool, called Walsh, was included in the reaver-1.3 release which should make it easier for some people to find an answer to this question. Here is a quick demonstration of how the tool works:

Unfortunately, this method still requires a little bit of technical skill, but at least it's a little quicker than parsing cap files. (If you're interested in looking at some cap files, please check out the post where we take a look at Reaver in the air.)

Daniel

Sunday, Jan 01, 2012

WPS Brute Force Thoughts and Video

Not long ago, a new tool was released to the public (reaver) which makes brute-forcing Wi-Fi Protected Setup (WPS) a trivial matter. Given all the hype, I decided to test the tool out. I recorded my testing and it can be seen below:

A few notes and comments about this attack: 

  1. It is not an offline attack. It requires the attacker to send frames to the AP which means you could detect it with a WIDS/WIPS. Also, some wireless routers have protection mechanisms built-in already.
  2. The length of your PSK doesn't matter. It works on WPA and WPA2 PSKs as well since it is an attack on WPS and not on the PSK itself.
  3. It is one more compelling reason for businesses not to run home/personal gear. Enterprise gear, generally, does not utilize WPS as it was designed to make an average user's life easier. Thus, this type of attack is mainly against home and SOHO wireless routers.
  4. The obvious way to defend against this attack is to disable WPS. If the service isn't running then reaver can't do its magic.
  5. Always verify that WPS is actually disabled. Don't take your wireless router's word for it. Capture some frames and see for yourself.

 If you would like to look at some sample frames:

(The presence of either of these tags indicates that WPS is enabled on the wireless router.)

 Daniel

I'd be interested to hear what you think about reaver, this type of attack, or WPS in general. Share your thoughts and comments below. And, as usual, share this post with anyone you think might find this interesting.