WPS PIN attacks: How to crack WPS-enabled Wi-Fi networks with Reaver

Wi-Fi has become an essential network infrastructure in both homes and businesses due to the requirement to support mobile devices and network-connected smart devices. 

To simplify the connection of devices to a wireless network, the Wi-Fi Alliance introduced Wi-Fi Protected Setup (WPS) in 2006, which allowed the automated configuration of devices at the touch of a button or by entering a short PIN. 

However, in 2011, major vulnerabilities were discovered in the implementation of this protocol by a number of wireless access point manufacturers. 

Users at that time realized that the feature was often enabled by default and worse, was still vulnerable even when WPS was disabled in the management user interface.

The WPS vulnerabilities illustrate the difficulty in getting manufacturers of network devices to fully implement protocols and to implement security measures. Especially when these measures come at the cost of convenience and functionality. 

In the case of WPS PIN brute force attacks, end users were left with little option in some cases other than to wait for firmware updates or to purchase new devices.

Although the original WPS PIN attack has been mitigated with updates, new wireless access points designed for the home or small office still support WPS through push button configuration. This remains a vulnerability for any device that an attacker has physical access to.

Understanding WPS and its older vulnerabilities is a good introduction to wireless network security and how to detect, exploit, and mitigate them in a live environment. 

Recommended read: web application penetration testing guide for aspiring hackers. 

 

 

What is WPS?

Wi-Fi Protected Setup (WPS), sometimes referred to as Wi-Fi Simple Configuration (WSC), is a network standard and protocol that allows devices to join a Wi-Fi network without using the network’s key. 

It is commonly used to attach smart devices such as TVs and printers to home Wi-Fi networks where inputting a complicated or long passphrase or key would be cumbersome. 

How does WPS work?

WPS calls the device wanting to connect to the network an “Enrollee” and the WPS logic that handles the authentication and configuration process the “Registrar”.  

An access point (AP) allows the enrollee and registrar to communicate with each other. In most cases, the AP and registrar functions are combined as in the case of a wireless router for example. 

Access points can also support “external registrars”. External registrars connect with the access point using the same message exchange as the wireless clients outlined below.

To connect a device via WPS, there are a few different modes of operation. The main two are:

Push Button Configuration (PBC): The enrollee device and access point both have buttons that need to be pushed in sequence to initiate and confirm a connection. Once the button is pushed on the access point, the discovery mode of the connection process remains active for two minutes or less. 

The user then pushes a button on the connecting device to connect to the access point. This feature assumes that attackers would not have physical access to the router, a weakness we discuss more below.

PIN Entry: An eight-digit, static PIN code is provided by the access point. Its input is required to authenticate a device for it to join the Wi-Fi network. The code is sometimes provided on a physical sticker on the access point, and can sometimes be changed via an administration interface. 

WPS uses the IEEE 802.11 and Extensible Authentication Protocol (EAP) protocols for discovery and configuration. The flow of messages between the user, enrollee, and registrar is split into a discovery phase and a registration phase. 

The first two messages allow the enrollee and registrar to exchange public keys that are used in all subsequent messages. What follows is a proof that both the enrollee and registrar know the same PIN. This is done by taking the PIN and splitting it in two and using each half as a key. The PIN is eight digits long with the last digit being a checksum. 

The enrollee and registrar can detect if either the first or second half of the PIN is wrong because they will receive a negative acknowledgment message in response to an incorrect proof of knowing that part of the PIN. 

This means that if the registrar receives a NACK after the M4 message, the first half of the PIN is incorrect and after the M6 message, the second half is incorrect.

At the end of the process, the Wi-Fi password is shared with the enrollee, allowing it to join the network.  

The WPS PIN attack vulnerability

Having seen how WPS uses the PIN, you may have already worked out that it is vulnerable to brute force attacks. If WPS had used all 7 available digits as the key (the checksum is always calculable and so can be ignored), there would be a potential 10^7 or 10,000,000 possible combinations making the prospect of a brute force attack unfeasible. 

However, because each half of the PIN is checked independently, this reduces the permutations of the first half to 10^4 or 10,000 numbers and the second half of the PIN only 10^3 or 1,000 options. 

This vulnerability was published by Stefan Viehböck in 2011. He created a proof of concept (POC) to exploit this vulnerability and tested a number of wireless access points to demonstrate the flaw. 

In his POC, Viehböck used the authentication protocol for registering an external registrar with the access point. If an access point was vulnerable, the PIN could normally be cracked within 4 hours. 

Exploiting WPS in practice

The first phase of an attack on a Wi-Fi access point is its discovery on a network. There are a number of tools for this with one of the more well-known being Aircrack-ng. Others include airmon-ng and airodump-ng. 

To use this tool, you will need to have a wireless network interface on your computer and have it set in “monitor mode” in order to be able to do things like scan for other wireless networks or even examine network packets.

Assuming this is in place, the tool airodump-ng will provide a list of available networks and provide details of the network's Basic Service Set Identifier (BSSID) and their descriptive names or Extended Service Set Identifier (ESSID). You will also get information about the channels they are operating on and the authentication and cipher protocols they may be using. 

In a real engagement, you would need to determine which of these networks were of interest and then look at potential vulnerabilities for each target of interest. Since this article is concerned with WPS PIN attacks, we are going to focus on that.

💡Note: The retired HTB machine Olympus, which focuses on the use of Docker, features a small Wi-Fi section that involves cracking an offline Wi-Fi handshake using aircrack. 

Phase: Exploitation

Tactic: WPS PIN attack

Having scanned for Wi-Fi networks and found a potential target, we can switch to using a specific tool called Reaver that was created to brute force WPS PINs. Reaver uses the same approach as Stefan Viehböck’s POC. It uses IEEE 802.11/EAP to act as an external registrar authenticating with the target Wi-Fi access point.

To perform the attack, Reaver is run with the following arguments:

reaver -i <Interface name> -b <BSSID> -c <channel number> -vv (verbosity of output)

With these arguments, you will be able to follow the progress in cracking the PIN and once successful, Reaver will print out details of the PIN and any WPA PSK password it has discovered.

[+] Pin cracked in 2 seconds

[+] WPS PIN: '12345670'

[+] WPA PSK: 'Password123!'

Once you have obtained the Wi-Fi key, you would use it to potentially join the network and enumerate the resources accessible by that network. You might also check if the password has been used for authenticating other accounts that are discovered during the penetration of the network and associated systems. 

Defense against WPS attacks

The current specification of the Wi-Fi Protected Setup specification (version 2.0.8) has specific recommendations for implementers of the protocol to protect against brute force attacks of the PIN. 

This includes using temporary PINs and implementing progressive delays in responding to requests that appear to be attempts to brute force the PIN. Another requirement is for the access point to enter a lock-down state after 10 failed attempts to guess the PIN from any external registrars trying to authenticate.

Updating firmware on devices to implement fixes or purchasing an access point that has implemented an up-to-date version of WPS is important. WPS is normally configurable from the administration function, so if not in use, it should be turned off. 

In the past, there were devices where even if WPS was disabled, the protocol could still be brute forced and so this should be checked in the particular models of devices. Since anyone with physical access to a device can simply push the WPS button to connect, physical access to access points should be controlled by putting them in locked cupboards or cages. 

Another vulnerability that we haven’t discussed is the so-called Pixie Dust vulnerability which is concerned with particular models of access points using specific chips. 

This vulnerability involves limitations in the way random nonces were generated for the EAP authentication protocol. 

The issue was that the nonces were not random and so the PIN could be easily brute forced knowing the nonces. Again, this issue has been fixed in more recent models of access point.   

Develop your skills with HTB

Now that you have the theory and principles behind reconnaissance and enumeration of Wi-Fi networks, you can put it into practice using the Hack The Box machine Wifinetic.

What is special about this box is the fact that it is running an emulated wireless access point running a wireless network. 

Wifinetic is an Easy difficulty Linux machine that focuses on wireless security. Initial enumeration reveals an exposed FTP service that has anonymous authentication enabled which allows you to download available files. One of the files is an OpenWRT backup. 

OpenWRT is an operating system designed for wireless access points and routers based on Linux. Enumeration of the backup reveals a wireless network configuration that discloses an Access Point password. The contents of shadow or passwd files further disclose usernames on the server. 

With this information, a password reuse attack can be carried out on the SSH service running on the Wifinetic machine, allowing us to gain a foothold as the netadmin user. Using a variety of tools, the wireless networks the machine has access to can be enumerated revealing the OpenWRT network. 

The utility Reaver is available on the machine and has been given capabilities to work on the wireless interface allowing it to be run and reveal the PIN and WPA key. This key can then be reused to gain access to root via SSH.

Play Wifinetic

Further reading and resources

• Wifinetic machine.

• Wifinetic walkthrough video by IppSec. 

• Wifinetic write-up. 

• Wi-Fi Alliance WPS Information and specification

• WPS Vulnerability Stefan Viehböck 

• Reaver

Author bio: Ayush Sahay (Felamos), Content Engineer, Hack The Box Ayush Sahay is a Senior Content Engineer at Hack The Box who's worked on developing cutting-edge cybersecurity content for the past 3 years. He is passionate about breaking things and enjoys researching any interesting technology or something that can destroy the world. Outside of developing cybersecurity content, he's passionate about history (meet him in Bohemia in 1415), philosophy (leaning on stoicism currently), gaming (his favorite games are Europa Universalis IV, Victoria 3, and Baldur's Gate 3), and prides himself on being HTB's official “Fish and Chips Connoisseur." Feel free to connect with him on LinkedIn.

Author bio: David Glance (CyberMnemosyne), Senior Research Fellow, University of Western Australia Dr. David Glance is a cybersecurity consultant and Adjunct Senior Research Fellow at the University of Western Australia. He has taught and carried out research in the areas of cybersecurity, privacy, and electronic health. Dr. Glance has also worked in the finance and software industries for several years and has consulted in the areas of eHealth, cybersecurity and privacy for the OECD and WHO. He is the author of articles and books on cybersecurity. Feel free to connect with him on LinkedIn.