WPS Exploitation

What is WPS? (Wi-Fi Protected Setup)

WPS is a protocol developed to bridge the gap between the Wi-Fi security knowledge a network requires and what a normal user has. The protocol gives users access to the network without having to type the password at all, in a new way: using a PIN number, pushing a button, or simply bringing their phone close to an NFC tag.
The interaction can be summarized as: the client obtains an 8-digit PIN number through one of the mediums mentioned and sends it to the router, which then hands back the router's password.
Everything seems fine, except that the protocol has a series of bad design flaws that can compromise the security of the networks where it is used.

Why is it faulty?

Old routers do not have any type of brute force protection, and some of them make it impossible to disable the function (even if you disable it, some of them keep it running).
The most interesting part of the protocol's design is that the first 4 digits of the 8-digit PIN are checked first, and the router responds whether they are correct without taking the other 4 digits into account, which drastically reduces the number of retries needed to obtain the complete PIN. Considering also that the last digit is a checksum of the other digits, we end up narrowing the discovery of the PIN to a number of retries that is entirely feasible with a bit of time.
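
To quantify the weakness described above, here is an added example (not part of the original post) that computes the checksum digit the WPS specification defines for the 8-digit PIN and the worst-case number of attempts a registrar allows, with and without the split validation of the two halves. The sample PIN prefix and the per-attempt delay are constructed values, not measurements from the post.

```python
# Added example: quantify the WPS PIN weakness described in the post.
# The checksum rule below is the one the WPS specification defines for
# the 8-digit PIN; the attempt counts follow from the post's description.


def wps_checksum(first_seven: str) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    digits = [int(c) for c in first_seven]
    # Odd positions (1st, 3rd, 5th, 7th) weigh 3, even positions weigh 1.
    accum = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries a correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(pin[:7]) == int(pin[7])


def worst_case_attempts(split_validation: bool, checksum_known: bool = True) -> int:
    """Worst-case number of PIN guesses a registrar accepts before the PIN is found.

    split_validation: the registrar reports on the first 4 digits before it
    looks at the last 4 (the design flaw the post describes).
    checksum_known: the guesser only tries PINs whose last digit is a valid checksum.
    """
    if not split_validation:
        return 10 ** 7 if checksum_known else 10 ** 8
    first_half = 10 ** 4                       # 4 free digits
    second_half = 10 ** 3 if checksum_known else 10 ** 4  # 3 free digits + checksum
    return first_half + second_half


def hours_to_exhaust(attempts: int, seconds_per_attempt: float) -> float:
    """Hours needed to try every candidate at a fixed per-attempt delay."""
    return attempts * seconds_per_attempt / 3600


if __name__ == "__main__":
    prefix = "1234567"                         # constructed sample prefix
    print(f"PIN for prefix {prefix}: {prefix}{wps_checksum(prefix)}")
    print("attempts, proper design:", worst_case_attempts(False, checksum_known=False))
    print("attempts, WPS as deployed:", worst_case_attempts(True))
    # 3 s per attempt is a constructed figure, chosen to match the delay option
    # the post mentions, not a value measured against any router.
    print(f"hours at 3 s/attempt: {hours_to_exhaust(worst_case_attempts(True), 3.0):.1f}")
```

The drop from 10^8 candidates to 11,000 is why missing lockout or rate limiting on the registrar turns a PIN that looks strong on paper into something exhaustible in hours.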

Installing Reaver

Debian or Ubuntu:

sudo apt-get install reaver

Distributions without a package:

Download the code from: http://code.google.com/p/reaver-wps/downloads/list
Unzip it, change into the unzipped directory and run:

./configure
make
make install

Using Reaver

Reaver's commands are well explained on the Wiki page and in the README that ships with it.
It is very simple to use: we first have to put our Wi-Fi hardware into monitor mode and then use the two applications that come with Reaver (reaver and wash).
To identify which networks have WPS enabled we use wash in our terminal:

wash -i OurWiFiInterface

wash lists the networks that have WPS enabled along with their information.
Using the BSSID gathered from wash we now start the attack, specifying our Wi-Fi network interface in monitor mode and the delay between PIN attempts (not required, but useful to avoid DoSing the router or getting blocked by it).

reaver -i OurWiFiInterface -b BSSID -d Delay

The time needed to get the PIN varies depending on the distance to the router and, of course, on how quickly the router responds to WPS messages. Reaver's page says it can take from 4 to 10 hours to obtain the correct PIN and, with it, the router's password. My tests with my personal router took around 8 hours to get the PIN.

Conclusions

There are lots of old routers out there that have not been updated to fix this issue, which makes this a potentially interesting tool for penetration testing.
Leaving aside the distance to the router and other variables, the possibility of brute forcing a PIN and gaining access, within a range of 8 or 10 hours, to a network that would otherwise be inaccessible makes reaver an excellent tool and a good reason to consider replacing faulty routers or installing new firmware on them.