
Sunday, December 23, 2012

Cracking WPA/WPA2 Using WPS Cracking


WPS Cracking
This tutorial is about WPS: what it is, a little about how it works, the weakness in WPS, and then we'll try exploiting the currently known vulnerability :)
So what is WPS about?
WPS stands for Wi-Fi Protected Setup, a standard that attempts to establish a secure connection with a wireless access point (believe me, it's not that secure :D).
WPS lets users connect to a wireless AP easily by entering a WPS PIN instead of a long passphrase. WPS can be implemented in 4 different ways:
· PIN method
· Push-button method
· NFC (Near Field Communication)
· USB method
We'll discuss only the PIN method, as it is the most widely used way to implement WPS.
In December 2011, WPS was shown to be easy to brute force. Using this flaw an attacker can recover the WPS PIN remotely within a few hours, and the best part is that by recovering the WPS PIN, the WPA/WPA2 passphrase can also be recovered. :p

Protocol Working:
There are three main entities. Enrollee: a device seeking a connection (the user's device). Registrar: the device with the authority to hand out network credentials (usually integrated in the AP). AP: the wireless access point, which acts as a proxy between the enrollee and the registrar.
An enrollee wants to connect to the AP (which has internal registrar functionality). The session runs over the wireless medium using EAP (Extensible Authentication Protocol) request/response messages. The bottom line is that you ask the AP for a connection, the AP prompts you to enter the WPS PIN, you enter the PIN, and the AP authenticates or deauthenticates you (using the registrar).
A successful session consists of 8 messages.
Here is an example of how we connect to an AP using WPS.
As shown in the figure below, the client wants to connect to the AP using WPS, and there are two methods: either pushing the WPS button or entering the 8-digit WPS PIN. As there is no authentication apart from providing the PIN, it is potentially vulnerable to a brute force attack, and that is what we'll target.
At this point some of you are thinking that it would take too long to brute force an 8-digit PIN. The answer is yes, brute forcing a full 8-digit PIN is a lengthy process, but there are some design flaws in the PIN design that we'll use, and then the brute force won't take too long; I used to crack a WPS PIN within 3-5 hours. :D
[IMG]

So let’s have a deeper look at WPS PIN
[IMG]
So this is how the PIN looks. Now let me explain why we don't have to try 10^8 (100,000,000) different keys, i.e. 9 digits for every one digit in the key.
Let's look at the 2nd half: the last digit is a checksum, so there is no need to brute force it. That reduces our brute force effort a little; now we have to brute force 10^7 (10,000,000) keys.
When we enter the 8-digit PIN, it is actually sent in two halves. If the first half is incorrect, we receive an EAP-NACK message from the AP. If the attacker receives an EAP-NACK message after sending the second half, that means the second half is wrong. So in this scenario let's see how many keys we have to try.

10^4 (10,000) for the first half and
10^3 (1,000) for the second half, i.e. a total of 10,000 + 1,000 = 11,000 keys, which means we are good to go. The following figure, which I copied from a research paper :), shows the optimized brute force attack.


[IMG]
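To make the reduction above concrete, here is an added Python example (written for this page, not taken from the post or from Reaver). It computes the checksum digit of a WPS PIN using the weighted-sum rule from the WPS specification, splits a PIN into the two halves the protocol verifies separately, and returns the size of the search space at each stage of the reduction. The example PINs are constructed.

```python
# Added example, not from the original post: WPS PIN checksum and the
# worst-case number of guesses at each stage of the reduction in the text.


def wps_pin_checksum(first_seven: int) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN body.

    Weighted sum from the WPS spec: counting from the right, odd positions
    weigh 3x and even positions 1x; the checksum digit makes the total a
    multiple of 10.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("PIN body must be 7 decimal digits")
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """True if the string is 8 digits and the last digit is the right checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def split_pin(pin: str) -> tuple[str, str]:
    """Split a valid PIN into the two halves the AP checks separately.

    The first 4 digits are confirmed or rejected (EAP-NACK) after M4, the
    next 3 after M6; the 8th digit is derived from the other seven, so it is
    never guessed.
    """
    if not wps_pin_is_valid(pin):
        raise ValueError("not a valid WPS PIN")
    return pin[:4], pin[4:7]


def search_space() -> dict[str, int]:
    """Worst-case guesses an attacker needs at each stage of the reduction."""
    return {
        "naive_8_digits": 10 ** 8,           # 100,000,000
        "checksum_known": 10 ** 7,           # 10,000,000
        "split_halves": 10 ** 4 + 10 ** 3,   # 11,000
    }


if __name__ == "__main__":
    # Constructed sample: 1234567 plus its checksum digit.
    body = 1234567
    pin = f"{body:07d}{wps_pin_checksum(body)}"
    print("valid PIN:", pin, "halves:", split_pin(pin))
    for stage, n in search_space().items():
        print(f"{stage:16s} {n:>12,d}")
```

The drop from 10^8 to 11,000 is entirely a consequence of the AP answering each half independently; an AP that only confirmed or rejected the whole PIN (and locked out after a handful of failures) would not leak this.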

I think we now have a good understanding of the WPS PIN, so what are we waiting for? Let's crack it :D
Thanks to the real hackers who have implemented tools for WPS brute forcing. Some of you may wonder why the hell I went through the theory above; believe me, it's all about curiosity :)

Now it's time to crack WPS. Let me tell you what I am using for cracking :)
· Backtrack 5 (you can use any other Linux box)
· Reaver 1.4 (get it if you don't have it on your Linux box)
· Alfa WiFi adapter (you can use any adapter that works with your OS and is capable of raw packet injection)
· A wireless network with WPS enabled to crack


Now I'm not going to explain everything regarding powering on your WiFi; I assume you can do that yourself :)

Put your wireless card into monitor mode:
# airmon-ng start wlan0
Monitor the air for WiFi networks:
# airodump-ng mon0
After selecting a wireless network, note its MAC address (BSSID) and start cracking using reaver:
# reaver -i mon0 -b 00:11:22:33:44:55 -vv


After this command Reaver will start the brute force attack, and don't worry, it's the optimized one. At around 15-20 percent Reaver will have figured out the first half of the PIN; progress then jumps suddenly to around 90 percent, and it figures out the 2nd half.
And don't worry, Reaver will also give you the WPA/WPA2 passphrase.
Hurray, done :D
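From the defender's side, the first step is knowing which of your own access points still advertise WPS with a PIN-based configuration method, so it can be switched off. The Python below is an added example, not from the post; it parses a scan listing whose layout is modelled on `iw dev <iface> scan` output (the SAMPLE_SCAN text, BSSIDs and SSIDs are constructed), and the field names it looks for are assumed to match that tool's output, so the parser treats each of them as optional.

```python
# Added example, not from the original post: inventory WPS-enabled APs from a
# scan listing so the PIN method can be disabled on your own equipment.
# SAMPLE_SCAN is constructed; its layout mimics `iw dev <iface> scan` output
# (assumption). Only the BSS, SSID:, WPS:, "AP setup locked:" and
# "Config methods:" lines are used.
import re

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    SSID: HomeNet
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * Config methods: Label, Keypad, PBC
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2462
    SSID: Office
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * AP setup locked: 0x01
         * Config methods: PBC
BSS cc:dd:ee:ff:00:11(on wlan0)
    freq: 5180
    SSID: Guest
"""

# Config methods that involve the 8-digit PIN (the case the post's attack targets).
PIN_METHODS = {"label", "display", "keypad"}


def parse_scan(text: str) -> list[dict]:
    """Return one record per BSS with the WPS details that matter for risk."""
    records: list[dict] = []
    current = None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-fA-F:]{17})", line)
        if m:
            current = {"bssid": m.group(1).lower(), "ssid": "", "wps": False,
                       "locked": False, "methods": set()}
            records.append(current)
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            current["ssid"] = s[5:].strip()
        elif s.startswith("WPS:"):
            current["wps"] = True
        elif "AP setup locked:" in s:
            current["locked"] = s.split(":", 1)[1].strip() != "0x00"
        elif "Config methods:" in s:
            current["methods"] = {x.strip().lower()
                                  for x in s.split(":", 1)[1].split(",")}
    return records


def risk(rec: dict) -> str:
    """Classify a BSS; 'pin-exposed' is where an online PIN brute force applies."""
    if not rec["wps"]:
        return "no-wps"
    if rec["methods"] & PIN_METHODS and not rec["locked"]:
        return "pin-exposed"
    if rec["locked"]:
        return "wps-locked"
    return "wps-pbc-only"


def audit(text: str) -> dict[str, str]:
    """Map SSID -> risk verdict for every BSS in the listing."""
    return {r["ssid"]: risk(r) for r in parse_scan(text)}


if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_SCAN).items():
        print(f"{ssid:10s} {verdict}")
```

An AP reported as "pin-exposed" is one where the attack in this post applies; the fix is to disable WPS, or at least the PIN method, in the router's configuration. A "wps-locked" verdict means the AP advertised the setup-locked flag, which many routers set after repeated failed PIN attempts, but the advertised state is not a guarantee that the PIN method is off, so confirm it on the device itself.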
--- merged: December 4, 2012 at 11:13 ---
PDF version if anyone wants it :)
http://www.4shared.com/office/lBsnq1mM/WPSb.html

