First up, to all of my readers, happy new year to you and your families! This is my first post for 2012 and yes, unfortunately, after too short a break, I am back to business.
As a pentester, I have lost count of the number of wireless networks I have tested. When it comes to password attacks against wireless, it is usually the same gameplay: for WEP, capture your IVs and bust the key (in about 5 minutes); for WPA/WPA2, capture handshakes and run a dictionary attack against them with GPU cracking. But a new vulnerability in WAPs exists that even security professionals tend to miss in their audits.
This is called Wi-Fi Protected Setup.
What the heck is WPS?
Almost all recent wireless devices (generally SOHO/small-business kit) ship with a feature called WPS. WPS enables typical users, who possess little understanding of traditional Wi-Fi configuration and security settings, to automatically configure new wireless networks, add new devices and enable security.
Wireless routers with WPS built in ship with a personal identification number (PIN, usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router, or by entering the PIN in a network setup wizard designed to interact with the router. It is the PIN method that matters for what follows.
Enter the problem: this technology forgot to address one thing, brute force. Even if the WAP has tough security set up and the owner changes the WPA key daily, it makes no difference whatsoever; if you have the PIN, you can ask the router for the current key whenever you like. Why sit there cracking WPA keys with a hybrid GPU dictionary attack for days when you can bypass it with this in a matter of hours?
The important thing to keep in mind with this flaw is that devices with WPS built in are vulnerable whether or not users take advantage of the WPS capability in setting up their router. Also, routers that include WPS functionality are likely to have this feature turned on by default.
First the good news: blocking this attack may be as simple as disabling the WPS feature on your router. Some vendors have released firmware which slows the attack down, but does not block it.
Some of the vendors shipping it so far: Belkin, Buffalo, D-Link, Linksys, Netgear, TP-Link and ZyXEL, and I am sure there are others.
The bad news is that it may not be possible to disable WPS in all cases: not every router offers the option, and the setting should be verified from the air (by checking whether the AP still advertises WPS) rather than trusted because the web interface says it is off.
Enter Reaver.
Reaver is a WPA attack tool developed by Tactical Network Solutions (tacnetsol.com) that exploits a protocol design flaw in Wi-Fi Protected Setup (WPS). The flaw exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2 allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. With a well-chosen PSK, the WPA and WPA2 protocols themselves are assumed to be secure by the majority of the 802.11 security community; WPS makes the PIN, not the passphrase, the weakest link.
WPS allows users to enter an 8-digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN, the access point essentially hands over the WPA/WPA2 PSK that is needed to connect to the network. The side channel is that the AP tells the registrar after each attempt whether the first four digits were correct, and the eighth digit is only a checksum of the first seven, so an attacker needs at most 10,000 + 1,000 = 11,000 guesses instead of 100 million (see the Viehböck paper linked below). Reaver brute-forces the access point's PIN that way and then extracts the PSK and gives it to the attacker.
On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
You can find the free, open-source version of Reaver on Google Code.
Additionally, a great guide for cracking WPS can be found here: http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.
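To make the "11,000 guesses" figure concrete, here is a small added example (my own illustration, not Reaver's code) that implements the WPS PIN checksum from the spec and runs the split-half search against a simulated access point. The MockAccessPoint is hypothetical: it models only the flawed behaviour described in the Viehböck paper linked above (NACK after M4 when the first half of the PIN is wrong, NACK after M6 when the second half is wrong) and compares digits directly rather than verifying the R-S1/R-S2 hashes a real enrollee checks. The PINs used are constructed test values.

```python
"""Toy model of the WPS external-registrar PIN flaw (added example, not Reaver code)."""
from __future__ import annotations

from dataclasses import dataclass

PIN_LENGTH = 8


def wps_checksum(first7: str) -> int:
    """Checksum digit for a 7-digit WPS PIN prefix (spec: digits 1,3,5,7 weighted 3)."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    accum = 0
    for i, ch in enumerate(first7):
        accum += (3 if i % 2 == 0 else 1) * int(ch)
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if the 8-digit PIN's last digit matches the checksum of the first seven."""
    return len(pin) == PIN_LENGTH and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def search_space() -> tuple[int, int]:
    """(naive attempts, split-half attempts) a worst-case attacker needs."""
    naive = 10 ** 7            # 8 digits, but the last one is a checksum
    split = 10 ** 4 + 10 ** 3  # first half on its own, then 3 free digits + checksum
    return naive, split


@dataclass
class MockAccessPoint:
    """Hypothetical AP enrollee showing only the flawed NACK behaviour."""
    pin: str
    m4_seen: int = 0
    m6_seen: int = 0

    def respond_to_m4(self, first_half: str) -> str:
        # Real APs check the registrar's R-S1 proof; we just compare digits.
        self.m4_seen += 1
        return "M5" if first_half == self.pin[:4] else "NACK"

    def respond_to_m6(self, second_half: str) -> str:
        self.m6_seen += 1
        return "M7" if second_half == self.pin[4:] else "NACK"


def recover_pin(ap: MockAccessPoint) -> tuple[str, int]:
    """Split-half brute force. Returns (pin, number of registration attempts)."""
    attempts = 0
    first_half = None
    # Phase 1: the M5/NACK answer to M4 leaks whether the first four digits are right.
    for guess in range(10 ** 4):
        attempts += 1
        candidate = f"{guess:04d}"
        if ap.respond_to_m4(candidate) == "M5":
            first_half = candidate
            break
    if first_half is None:
        raise RuntimeError("first half not found (AP not answering WPS PIN requests?)")
    # Phase 2: only 3 digits are free, the 8th is derived, so at most 1,000 more tries.
    for guess in range(10 ** 3):
        attempts += 1
        three = f"{guess:03d}"
        second_half = three + str(wps_checksum(first_half + three))
        # Every attempt is a fresh M1..M6 run; the known first half gets M4 through again.
        assert ap.respond_to_m4(first_half) == "M5"
        if ap.respond_to_m6(second_half) == "M7":
            return first_half + second_half, attempts
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = MockAccessPoint("12345670")  # constructed test PIN
    pin, n = recover_pin(ap)
    naive, split = search_space()
    print(f"recovered {pin} after {n} attempts (worst case {split}, naive {naive})")
```

The point of the simulation is the attempt count, not the transport: in the real attack each "attempt" is a full 802.11 association plus an EAP/WPS exchange, which is why Reaver needs hours rather than seconds, and why vendor firmware that rate-limits or locks out after failed PINs slows the attack without changing the 11,000 bound.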
Just when you think no more bad ideas are being invented when it comes to wireless, along comes WPS.