WiFi WPS Attack using Reaver
What is WPS?
WiFi Protected Setup (WPS) is a standard (and a protocol of the same name) for the semi-automatic setup of a wireless WiFi network.
WPS was designed to simplify deploying and connecting to WiFi networks.
There are two types of WPS: WPS with an 8-digit PIN code, where the same code must be entered on the client as on the access point, and WPS with a button, where a button is pressed on the access point and on the client within two minutes of each other, after which they connect to each other.
Access points with WPS enabled are vulnerable to brute forcing of this PIN. Once the WPS PIN has been found, you can connect to the access point and also learn its WPA/WPA2 password. The search is only possible against access points that require entering digits; it is not possible where a button must be pressed.
In total, only 11,000 PINs need to be tried, which can be done in hours to days.
Different tools are used for brute-forcing WPS PINs; the most popular are Reaver and Bully. In this manual, I’ll show you how to use Reaver to hack WiFi.
In December 2011, Stefan Viehböck and Craig Heffner reported serious flaws in the WPS protocol. It turned out that if WPS with a PIN is enabled on the access point (which is the default on most routers), the PIN for connecting can be recovered in a matter of hours.
The PIN code consists of eight digits, so there are 10^8 (100,000,000) possible PINs to choose from. However, the number of options can be significantly reduced. The last digit of the PIN is a checksum that can be calculated from the first seven digits, so the number of options is already reduced to 10^7 (10,000,000).
WPS authorization involves the client sending the PIN digits in the M4 and M6 messages and the access point replying to them. If the first 4 digits of the PIN are incorrect, the access point sends EAP-NACK immediately after receiving M4; if the error is in the last 3 digits of the second half (the 8th digit is not considered, because the attacker can easily generate it using the checksum formula), EAP-NACK is sent after receiving M6. Thus this protocol flaw allows the PIN to be split into two parts, the first 4 digits and the following 3, and each part checked for correctness separately, using the base station as an oracle that tells whether the correct sequence of digits was sent.
If the PIN is divided into two parts, there are 10^4 (10,000) options for the first half and 10^3 (1,000) for the second. In total this gives only 11,000 variants for a complete enumeration, more than 9,000 times fewer than the initial 10^8.
Thus, instead of one large space of 10^7 values, we get two spaces of 10^4 and 10^3, and of course 10^7 is far larger than 10^4 + 10^3. As a result, it suffices to test 11,000 combinations instead of 10,000,000.
Vulnerabilities were also discovered in the random number generator of some manufacturers’ routers. This vulnerability is called Pixie Dust. On vulnerable routers the PIN can be recovered after a single attempt, with the remaining computation done offline.
Protection against WPS attacks
So far there is only one way to defend against the attack: disable WPS with a PIN in the router settings. However, this is not always possible; sometimes WPS can only be disabled entirely. The most manufacturers can do is release firmware that adds a timeout for locking the function, for example after 5 unsuccessful PIN attempts, which complicates the brute force and increases the time an attacker needs to recover the PIN.
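As an added illustration of the arithmetic above and of the lockout suggestion (a constructed Python model, not Reaver’s code), the block below implements the published WPS checksum rule for the eighth digit, simulates an access point as the two-stage M4/M6 oracle, counts the exchanges a split search consumes, and estimates how a lockout stretches the worst case; the 5-failure / 60-second lockout values are assumptions.

```python
# Constructed model of the WPS PIN search space (not Reaver code).
# wps_checksum follows the WPS spec rule for the 8th digit; WpsOracle is a
# simulated access point that answers EAP-NACK after M4 (wrong digits 1-4)
# or after M6 (wrong digits 5-7), as the text describes.

def wps_checksum(first_seven: int) -> int:
    """Check digit for a 7-digit PIN body (WPS spec rule)."""
    digits = [int(c) for c in f"{first_seven:07d}"]
    accum = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - accum % 10) % 10

def full_pin(first_seven: int) -> int:
    """Append the check digit, e.g. 3615880 -> 36158805."""
    return first_seven * 10 + wps_checksum(first_seven)

def is_valid_pin(pin: int) -> bool:
    """True if the last digit is the correct checksum of the first seven."""
    return 0 <= pin < 10**8 and pin % 10 == wps_checksum(pin // 10)

class WpsOracle:
    """Simulated access point: leaks which half of the PIN was wrong."""

    def __init__(self, real_pin: int):
        self.half1 = real_pin // 10000        # digits 1-4, verified at M4
        self.half2 = (real_pin // 10) % 1000  # digits 5-7, verified at M6
        self.attempts = 0                     # protocol exchanges consumed

    def m4_ok(self, half1: int) -> bool:
        self.attempts += 1
        return half1 == self.half1

    def m6_ok(self, half2: int) -> bool:
        self.attempts += 1
        return half2 == self.half2

def split_search(oracle: WpsOracle) -> int:
    """Search 10^4 first halves, then 10^3 second halves: at most 11,000 tries."""
    half1 = next(h for h in range(10**4) if oracle.m4_ok(h))
    half2 = next(h for h in range(10**3) if oracle.m6_ok(h))
    return full_pin(half1 * 1000 + half2)

MAX_ATTEMPTS = 10**4 + 10**3  # 11,000, versus 10**7 without the split

def lockout_hours(attempts: int, lock_after: int, lock_seconds: int) -> float:
    """Hours added if WPS locks for lock_seconds after each lock_after failures."""
    return (attempts // lock_after) * lock_seconds / 3600
```

With the assumed 5-failure / 60-second lockout, the 11,000-attempt worst case gains roughly 37 hours of forced waiting, which is the effect the firmware timeout above is meant to have.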
Which wireless card is suitable for brute-forcing WPS
You need a wireless card that supports monitor mode and packet injection. That is, in theory any card from this list should work.
But in practice there are several bugs in Reaver that make it impossible to brute-force WPS PINs with wireless cards based on a Ralink chipset using the rt2800usb driver (RT3070, RT3272, RT3570, RT3572 chips, etc.), as well as with cards based on Intel chipsets.
The Reaver developers (the reaver-wps-fork-t6x mod) are trying to correct this situation; several bugs have already been fixed in the latest release, but the work is not yet complete. At the time of writing, the Alfa AWUS036NHA wireless adapter is recommended for use with Reaver, since its Atheros AR9271 chipset works great with Reaver.
WPS Attack Algorithm
- Put the wireless interface into monitor mode
- Search for targets to attack
- Check for the Pixie Dust vulnerability
- Check whether the PIN is in a database of known PINs or is generated by a known algorithm
- Run a full brute force if the previous steps failed
- If you obtained a PIN but the WPA password is not shown, run the command to get the WiFi password
Putting the wireless card into monitor mode
To search for networks with WPS, as well as to attack them, we need to switch the WiFi card to monitor mode.
Close the tools that can interfere with our attack:
sudo systemctl stop NetworkManager
sudo airmon-ng check kill
Find out the name of the wireless interface:
sudo iw dev
And put it into monitor mode (replace wlan0 with the name of your interface, if it is different):
sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up
The new network interface in monitor mode is also called wlan0.
If your wireless network interface has a different name, substitute it for wlan0 in all subsequent commands.
Search for access points with WPS enabled
Very many APs have WPS functionality. But on many it is disabled, and on those where it is enabled it may be locked (for example, after several unsuccessful attempts to guess the PIN).
To collect information about access points we will use Wash, a tool that comes with Reaver and is intended exactly for this purpose.
sudo wash -i wlan0
A few minutes later the tool will display a list similar to the one below:
To stop the tool, press CTRL+c.
Wash is a utility for identifying access points with WPS enabled. Above is an example of scanning on a live interface; it can also scan pcap files (several at a time).
Wash shows the following information about detected access points:
- BSSID: BSSID of the access point (i.e. its MAC address)
- Ch: channel of the AP
- dBm: signal level of the AP
- WPS: WPS version supported by the AP
- Lck: WPS lock status
- Vendor: manufacturer of the AP
- ESSID: ESSID (i.e. name) of the access point
Only access points whose Lck column shows No, that is, whose WPS is not locked, are suitable for the attack.
By default, wash performs a passive scan. That is, the tool does not send any packets and remains completely invisible to any wireless activity monitoring systems. However, you can specify the -s option, and then wash will send probe requests to each AP, which allows more information about the AP to be obtained.
To scan 5 GHz 802.11 channels, use the -5 option.
You can also search for WPS with other tools; additional information on this is in the article “Search for wireless access points with WPS enabled: using Airodump-ng and Wifite Tools”.
Pixie Dust vulnerability check in Reaver
The Pixie Dust attack allows you to quickly get a PIN. But not all access points are affected by this vulnerability.
To check a specific AP for this vulnerability using Reaver, the -K option is used. That is, the command looks like this:
sudo reaver -i interface -b MAC_Address_AP -K
The MAC address of the Access Point can be obtained from the BSSID column of the output received in Wash.
For example, I was interested in the following access point:
BSSID              Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
EE:43:F6:CF:C3:08   3  -81  2.0  No   RalinkTe  Keenetic-8955
Then the command to attack will look like this:
sudo reaver -i wlan0 -b EE:43:F6:CF:C3:08 -K
A Pixie Dust attack does not yield the WPA password (the WiFi network password), as will be shown below.
If the access point is not vulnerable to Pixie Dust, then before proceeding to a full brute force it is recommended to try the most probable PINs for the attacked access point.
Brute force WPS pins with Reaver
If none of the described methods helped, proceed to a full search, which may take hours or even a day.
The command to start the search is similar to the previous one, but without the option that launches the Pixie Dust attack:
sudo reaver -i interface -b MAC_Address_AP
Brute-forcing WPS PINs can fail for many reasons, so for more detailed output that helps determine what the problem is, use the -v, -vv or -vvv options. As you can guess, the more letters v, the more detailed the information displayed.
Getting a WiFi password with a known WPS PIN in Reaver
If the Pixie Dust attack succeeds, only the PIN is shown. With a full brute force, both the PIN and the WPA password are shown. If you already have a PIN, use the -p option in Reaver followed by the known PIN.
sudo reaver -i wlan0 -b EE:43:F6:CF:C3:08 -p 36158805