In the last post we looked at how to obtain WPA handshakes and how to crack them in order to obtain the password using a modified Nexus 7. Now we will look at a simpler way to get the password by exploiting a vulnerability found in many routers.
TL:DR – disable WPS on your home router!
Disclaimer: the author and contributors to this document will accept no responsibility for the consequences of the actions of individuals concerning wireless networks. Penetration testing networks other than your own may be illegal in your country, it is your sole responsibility to act in compliance with all relevant legislation and regulations.
Wifi Protected Setup (WPS) is used to simplify setting up wifi networks by bypassing the need to know a complicated password. There are two main types of WPS; 1. Push button – Where a button is pressed on the router and the client device 2. Pin – Using an 8 digit number to bypass needing a complex password. Both WPS types can be seen in the images below:
We will be exploiting the pin method of WPS. Once you know the correct 8 digit pin the router will spit out the password in plain text.
So youâ€™d think that with an 8 digit pin there would be 10^8 combinations, which would take a while to brute force as most routers can typically handle 1 guess every 10 seconds. However there are a few pitfalls with the implementation.
Our first win is that the last digit of the 8 digit number is a checksum of the previous 7 numbers. So thatâ€™s only 10^7 combinationsâ€¦ still a lot.
The second pitfall of the implementation is that the 8 digit pin is checked in two halfs, so you will be told when the first half is correct and then if it is, it will go on to check the second half.
So this means that you have 10,000 combinations for the first half, and then just 1000 combinations for the last half. This means you can brute force the combination in less than 11,000 attempts.
This assumes weâ€™ve got a device setup as discussed in the previous article. Now letâ€™s have a go at this on our demo network:
- Enable monitor mode on the wifi interface
- Identify the network we are looking to attack
- Run a wps attack against this network (Reaver or Bully)
Monitor mode allows us to listen to the raw packets coming into the wireless interface. We can start or stop monitor mode using airmon-ng.
airmon-ng start wlan1
where wlan1 is the interface we want to start monitor mode on.
Using aerodump-ng we can see the wireless network in range and some information about them.
airodump-ng -i mon0
Where mon0 is our newly created monitoring interface. There are lots of switches for airodump -c 1 for instance would lock the channel to 1 (see help for more airodump-ng –help).
Here we can see the â€˜Intohand_Demoâ€™ network we are looking for. Now we can use this information to start guessing WPS pins.
reaver -i mon0 -b 3c:81:d8:95:6b:ec -vv
where mon0 is the monitor mode interface to our wireless device, 3c:81:d8:95:6b:ec is
the MAC address of the router we are attacking, and -vv instructs reaver to be very verbose.
This will churn through all the possibilities (starting with a few common ones then sequentially). When we get the first 4 digits of the pin incorrect we only see messages 1 to 4, when this changes to get 5 and above the first 4 digits are correct.
When the pin is guessed correctly, the router will spit out the password in plaintext. Too easy right?!
Once the pin is known, if the user changes the password we can simply run reaver again, this time already knowing the correct pin and the new password will be revealed to us.
reaver -i mon0 -b 3c:81:d8:95:6b:ec -vv -p 27319734
Where 27319734 is the WPS pin to try.
Newer routers have a WPS lock out mode when they detect brute forcing attempt, which block WPS attempts for 5 mins to 1 day (Depending on model). This makes the bruteforcing take days to weeks rather than hours. Sometimes this lockout is MAC specific so it is possible to bypass this by changing mac address of our wireless interface. It can also be possible to force the router to restart by using a DOS style attack using MDK, however Iâ€™ve not had much success using this tool.
Some routers have attempted to bypass this method of brute forcing by using invalid pins. I.E Where the checksum is invalid. This increases the keyspace from 11,000 to 100,000. This dramatically increases the time it will take to crack a WPS pin, but does not prevent it entirely.
The best defence against WPS attacks is simply to disable WPS on your router.
It can still take a long time to crack a WPS pin, but thankfully some router manufacturers have made it easier for us. TalkTalk, a UK ISP, are a super cheap broadband provider and also it seems they have a flaw in the way the WPS pins are created.
On many routers the default ESSID (network name) has a string of randomly generated characters at the end, to avoid multiple networks with the same name. But this seemingly random string is actually the last 6 characters of the MAC address of the router. And now the security flaw: The WPS pin is calculated from the last part of this MAC address.
Extract partial MAC address from ESSID
Convert to decimal & limit to 7 digits
Calculate checksum (for last digit) & append to end
And here is a python script that can do that for you!
$ python talktalk_wps_pin_calc.py
WPS Pin: 33842561
We have demonstrated a devastating attack on WPS enabled networks which reveals the plaintext password in a relatively short amount of time, all using the Nexus 7. Hopefully this has convinced you to disable WPS on your home and work WiFi routers.