
My latest thoughts and ideas about wireless technology.

Entries in wps (4)

Sunday
Jan082012

WPS, Podcasts, and Fun

This is just a quick note to let everyone know that the latest No Strings Attached podcast episode is now available for download. I had the great fortune to participate as a guest in this episode, along with Matthew Gast from Aerohive, and would like to thank the @NSAShow team for the invite. It was a lot of fun and I was really impressed with the level of professionalism displayed before, during, and after the show.

Here is a link to the latest episode: Wi-Fi Protected Setup, Battered or Broken?

Many thanks to the NSA Show team for inviting me to participate!

Daniel

If you haven't already, please take a moment to subscribe to the NSA Show blog and podcast. This is an amazing collection of resources and it would be great if we could all show our support. 

Thursday
Jan052012

Reaver: What does it look like in the air?

This will probably be one of my last posts on the WPS brute force vulnerability since, after this, there will be little else to say. 

I thought it would be nice to go over some frame captures and see what a WPS brute force attack looks like. All of the frame captures begin with the same pattern:

After this, the magic happens.

A Failed PIN Attempt

The first image shows what a failed PIN attempt looks like. Notice how we see a deauth from the client after M4. After the deauth, it starts back at the beginning and tries another PIN.


A Failed PIN Attempt with the 1st Half Correct

The second image shows what the conversation looks like when the first half of the PIN is guessed correctly, but the second half is incorrect. Notice that the client sends a deauth after M6, instead of M4, this time. Each subsequent attempt should now keep the first four digits the same and only try new variations on the second half of the PIN. It is this ability to crack the first half of the PIN independently from the second half which makes this attack extra speedy.
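As an added illustration (not from the original post), here is the arithmetic behind that speed-up: the eighth PIN digit is a checksum of the first seven, and because the AP's responses after M4 and M6 reveal the correctness of each half separately, the two halves are searched one after the other rather than jointly. The checksum routine follows the WPS specification; the keyspace functions are my own worked numbers.

```python
def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit (digit 8) of a WPS PIN, computed over the first seven
    digits with the weighted-sum algorithm from the WPS specification."""
    acc = 0
    while first_seven:
        acc += 3 * (first_seven % 10)   # odd positions from the right weigh 3
        first_seven //= 10
        acc += first_seven % 10         # even positions weigh 1
        first_seven //= 10
    return (10 - acc % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])

def keyspace_without_split() -> int:
    """Candidates if the AP only revealed success/failure for a whole PIN:
    8 digits, but digit 8 is fixed by the checksum, so 10^7 valid PINs."""
    return 10 ** 7

def keyspace_with_split() -> int:
    """Candidates when the reply after M4 reveals whether digits 1-4 are right
    and the reply after M6 reveals whether digits 5-7 are: the halves are
    searched in sequence, so the counts add instead of multiply."""
    first_half = 10 ** 4    # digits 1-4, confirmed on their own after M4
    second_half = 10 ** 3   # digits 5-7; digit 8 follows from the checksum
    return first_half + second_half

def count_valid_pins_in_range(start: int, stop: int) -> int:
    """Count checksum-valid 8-digit PINs in [start, stop); exactly one of every
    ten consecutive PINs is valid, which is why the full space is 10^7."""
    return sum(1 for p in range(start, stop) if is_valid_wps_pin("%08d" % p))
```

Running the keyspace functions side by side shows the split cuts the worst case from ten million candidates to eleven thousand, roughly a 900-fold reduction, which is what makes a WIDS/WIPS alert on repeated WPS exchanges worth acting on quickly.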

A Successful PIN Attempt

The last image shows a successful PIN attempt by Reaver. Notice that it makes it all the way to M7 before the frames stop. In a normal WPS negotiation there would be an M8 with a final frame from the Registrar (client) to the Enrollee (AP). However, Reaver is not concerned with actually connecting to the WLAN so it does not send the final frame (set AP configuration). Instead, it simply displays the correct PIN and PSK on the screen for you.

I hope this post is useful, or at least interesting, to anyone interested in learning more about the WPS brute force vulnerability. All frame captures are available on my resources page.

Daniel

If you have any additional thoughts or comments, please leave them in the comments section below. And please share this post with anyone who might benefit from reading it.


Wednesday
Jan042012

Is my wireless router running WPS?

A few days ago I posted a video demonstrating how to use reaver, by Tactical Network Solutions, to brute force the WPS PIN on a wireless router. During the video, I also demonstrated how you can check the beacon frames from a wireless router to determine if WPS was running. You can also check probe responses but that's neither here nor there.

Since posting the video, I have still been asked by quite a few people, both online and in-person, how they can tell if WPS is running on their wireless router. Unfortunately, there isn't a really easy way but a new tool, called Walsh, was included in the reaver-1.3 release which should make it easier for some people to find an answer to this question. Here is a quick demonstration of how the tool works:

Unfortunately, this method still requires a little bit of technical skill, but at least it's a little quicker than parsing cap files. (If you're interested in looking at some cap files, please check out the post where we take a look at Reaver in the air.)

Daniel

Sunday
Jan012012

WPS Brute Force Thoughts and Video

Not long ago, a new tool was released to the public (reaver) which makes brute-forcing Wi-Fi Protected Setup (WPS) a trivial matter. Given all the hype, I decided to test the tool out. I recorded my testing and it can be seen below:

A few notes and comments about this attack: 

  1. It is not an offline attack. It requires the attacker to send frames to the AP which means you could detect it with a WIDS/WIPS. Also, some wireless routers have protection mechanisms built-in already.
  2. The length of your PSK doesn't matter. It works on WPA and WPA2 PSKs as well since it is an attack on WPS and not on the PSK itself.
  3. It is one more compelling reason for businesses not to run home/personal gear. Enterprise gear generally does not implement WPS, since WPS was designed to make an average home user's life easier. Thus, this type of attack is mainly against home and SOHO wireless routers.
  4. The obvious way to defend against this attack is to disable WPS. If the service isn't running, then reaver can't do its magic.
  5. Always verify that WPS is actually disabled. Don't take your wireless router's word for it. Capture some frames and see for yourself.

If you would like to look at some sample frames:

(The presence of either of these tags indicates that WPS is enabled on the wireless router.)
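The beacon check recommended in this post and in the "Is my wireless router running WPS?" post above can be automated. As an added example (my code, not part of the original posts or of the reaver/Walsh tools), the parser below walks the tagged parameters of a captured beacon, looks for the vendor-specific IE carrying the Wi-Fi Alliance OUI 00:50:F2 with type 0x04 (the WPS IE), and reads its WPS State and AP Setup Locked attributes. The frame bytes at the bottom are constructed, not a real capture.

```python
import struct

# The WPS IE is a vendor-specific IE (tag 0xDD) whose payload begins with the
# Wi-Fi Alliance OUI 00:50:F2 followed by type 0x04.
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"
# WPS attribute IDs (TLV: 2-byte id, 2-byte length, big-endian) per the WPS spec.
ATTR_WPS_STATE = 0x1044        # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 = AP currently refuses external-registrar PIN setup
WPS_STATE_NAMES = {1: "not configured", 2: "configured"}

def parse_ies(tagged_params: bytes):
    """Yield (tag, value) from an 802.11 tagged-parameter area. In a beacon this
    area starts after the 12 fixed bytes (timestamp, interval, capabilities)."""
    i = 0
    while i + 2 <= len(tagged_params):
        tag, length = tagged_params[i], tagged_params[i + 1]
        value = tagged_params[i + 2:i + 2 + length]
        if len(value) < length:  # truncated capture: stop rather than misparse
            break
        yield tag, value
        i += 2 + length

def parse_wps_attrs(data: bytes) -> dict:
    """Parse the TLV attributes inside a WPS IE into {attr_id: raw value}."""
    attrs, i = {}, 0
    while i + 4 <= len(data):
        attr_id, length = struct.unpack(">HH", data[i:i + 4])
        attrs[attr_id] = data[i + 4:i + 4 + length]
        i += 4 + length
    return attrs

def wps_status(tagged_params: bytes):
    """Return None if no WPS IE is advertised, else what it says about WPS."""
    for tag, value in parse_ies(tagged_params):
        if tag == 0xDD and value.startswith(WPS_OUI_TYPE):
            attrs = parse_wps_attrs(value[len(WPS_OUI_TYPE):])
            state = (attrs.get(ATTR_WPS_STATE) or b"\x00")[0]
            return {
                "state": WPS_STATE_NAMES.get(state, "unknown (%d)" % state),
                "ap_setup_locked": (attrs.get(ATTR_AP_SETUP_LOCKED) or b"\x00")[0] == 1,
            }
    return None  # no vendor-specific IE with the WPS OUI/type: WPS not advertised

# Constructed tagged-parameter areas (not real captures): SSID "homeAP" plus rates,
# and in the first one a WPS IE advertising a configured, unlocked AP.
BEACON_WITH_WPS = bytes.fromhex(
    "0006686f6d654150" "010482848b96"
    "dd13" "0050f204" "104a000110" "1044000102" "1057000100")
BEACON_WITHOUT_WPS = bytes.fromhex("0006686f6d654150" "010482848b96")
```

A router whose beacons return None here is not advertising WPS at all, which is the state you want to see after switching it off in the web UI; "configured" with `ap_setup_locked` False is the state the brute-force attack needs.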

Daniel

I'd be interested to hear what you think about reaver, this type of attack, or WPS in general. Share your thoughts and comments below. And, as usual, share this post with anyone you think might find this interesting.