Last month I read the "Brute forcing Wi-Fi Protected Setup" document by Stefan Viehböck, which explains a vulnerability in WPS, a feature available in most modern Wi-Fi routers.
The flaw can be exploited using a tool called Reaver, which gives you the ultra-secure WPA password of your wireless network after it brute forces the WPS PIN. [simplified explanation in n00b terms]
The document lit a small spark in my mind: how hard would it actually be to "exploit" this weakness for a hacker with barely any experience [which would be me 🙂]? So I grabbed some gear and did a quick experiment to find out…
The goal was to check if my router has WPS enabled and is susceptible to the flaw described in the document above.
– A piece of hardware; old laptop, WBT, VM, basically anything
– Backtrack (or any form of linux)
– A wireless adapter that can be put in monitoring mode
– A wireless router. I had an Engenius ECB9500 lying around, so I used that.
I took an old laptop with a 16 GB thumb drive and installed BackTrack on it (very easy to create with LinuxLive USB Creator).
Next Step: Installing Reaver
After booting into BackTrack, install Reaver by issuing the following command:
svn checkout http://reaver-wps.googlecode.com/svn/trunk/ reaver
Go into the reaver/src folder and issue the next command to build and install the reaver binary:
./configure && make && make install
All done, let’s continue..
Is WPS enabled by default?
The fastest way would be to check if someone has already tested the device and entered the results in this Google document:
My device is not listed so I have to dig a little deeper…
Time to find out by putting my wireless adapter in monitor mode. This command differs per system but should look something like:
airmon-ng start wlan0
Then we use the extra tool that reaver provides, wash, to check which routers have WPS enabled:
wash -i mon0
Whiskey-Tango-Foxtrot!!! My router was listed, so it looks like WPS is enabled by default on the Engenius ECB9500! I was shocked to see so many devices listed with WPS enabled. (Can’t provide a screenshot as the list would be too long..!)
Going all the way…ATTACK!
Now let’s see if reaver can deliver as promised:
reaver -i mon0 -b 00:00:11:22:33:44 -vv
And off it goes…
So after doing some laundry and having lunch I came back and saw that reaver was already done. It took the tool only 4 hours to break the PIN and hand me my own secret WPA key:
My reaction at first looked somewhat like this:
So it works…now what?
First thing I did was to check my wireless router and see if I could disable WPS which was the case.
After you’ve disabled WPS you can double-check by running the wash command again: your router should no longer be listed. (If it still is, you have a category 3 router; see below for details.)
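If you repeat that double-check regularly (say after every firmware update), it helps to script it. The following is an added example, not code from the original post or from the Reaver project: it parses the table that wash prints and tells you whether your own BSSID is still advertising WPS. The column layout (BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID) is assumed from the wash version shipped with Reaver 1.4, and the scan output below is constructed, not a real capture.

```python
"""Check whether your own router still shows up in `wash` output after you
disabled WPS. Column layout assumed from Reaver 1.4's wash; sample is constructed."""
import re

# Constructed stand-in for `wash -i mon0` output (header, separator, two APs).
SAMPLE_WASH_OUTPUT = """\
BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
00:00:11:22:33:44       6            -48        1.0               No                MyHomeNet
00:00:55:66:77:88      11            -71        1.0               Yes               Neighbour AP
"""

# One AP row: MAC, channel, RSSI, WPS version, locked flag, then the ESSID
# (which may itself contain spaces, so it is captured as "the rest of the line").
AP_ROW = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\d+)\s+(-?\d+)\s+(\S+)\s+(Yes|No)\s+(.*)$"
)


def parse_wash(output):
    """Map upper-case BSSID -> dict(channel, rssi, version, locked, essid)."""
    aps = {}
    for line in output.splitlines():
        m = AP_ROW.match(line.strip())
        if not m:
            continue  # header and separator lines carry no AP data
        bssid, chan, rssi, ver, locked, essid = m.groups()
        aps[bssid.upper()] = {
            "channel": int(chan),
            "rssi": int(rssi),
            "version": ver,
            "locked": locked == "Yes",
            "essid": essid.strip(),
        }
    return aps


def wps_status(output, my_bssid):
    """Classify your own router from a wash scan.

    'not-listed' -> WPS is off (or the AP is out of range): what you want to see
    'wps-locked' -> still advertises WPS, but the AP has locked the PIN exchange
    'wps-active' -> WPS still on; if you just disabled it, this is the category 3 case
    """
    ap = parse_wash(output).get(my_bssid.upper())
    if ap is None:
        return "not-listed"
    return "wps-locked" if ap["locked"] else "wps-active"


if __name__ == "__main__":
    # Replace the constructed sample with the saved output of your own wash run.
    print(wps_status(SAMPLE_WASH_OUTPUT, "00:00:11:22:33:44"))
```

A "wps-locked" result is not the same as disabled: the AP is only refusing PIN attempts for a while, so keep looking for the real off switch or treat the router as category 3.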
What about my router?
This is the tricky part: as almost no two router brands are the same, anything is possible. Usually wireless devices fall into one of these categories:
1) No WPS on board
2) WPS enabled but can be disabled through command line or through its web interface
3) WPS can be disabled but is actually not disabled so it stays active (uber BofH move)
4) WPS can’t be disabled
Category 1 is good, 2 is fixable, 3 and 4 are problematic. With category 3 and 4 the only thing you can do is contact your ISP or manufacturer and demand that they fix their product.
WPS is a backdoor to WPA that needs to be closed ASAP. With some routers it may take several days to crack; with others (like my Engenius) it took only 4 hours. So if you are the IT guy in your family, just take 5 minutes to disable WPS.
If the router won’t play nice when it comes to disabling WPS just send it back and demand one that has proper firmware!