Ultimate Wps Hacking

Dec 18, 2015

shawnrs

Exploit newly discovered weakness in router chipsets.
Transcript

Showing 2 different methods to crack the passwords of routers by taking advantage of WPS being enabled by default. The 1st method is an online attack using Reaver. Reaver brute forces the first half of the WPS pin and then the second half, meaning that the entire key space for the WPS pin can be exhausted in 11,000 attempts. Due to the ease of the attack, router manufacturers fought it off by including rate limiting in the firmware: after 3-5 failed pin attempts, the router locks its WPS function. The first attack exploits the fact that the router unlocks WPS if it is forced to reboot. When this occurs, pin cracking can continue until the correct pin, and ultimately the passphrase to the router, is found.

We will be using Kali Linux as the OS for this attack.

A wireless card capable of packet injection must be used to perform such wireless attacks successfully.

Alfa Awus036NHA

The wireless card must be put into monitor mode so we can scan for networks that have WPS enabled. Interface mon0 will be created.

airmon-ng start wlan0

Using the wash -i mon0 command, we tell Kali to scan for routers in the area with WPS enabled. It will also tell us whether the access point has locked WPS. The physical address of the router and the channel it resides on are also given; both are needed for the attacks.

Upon launching a pin cracking attempt with Reaver, the access point in question locks us out of WPS. Using a script that starts an EAPOL request flood when Reaver detects rate limiting, we can automatically reboot the router with this denial-of-service attack and let Reaver continue cracking pins. EAPOL is an authentication protocol used in wireless networks.

The screenshot shows the attack defeating rate limit detection and continuing to crack pins. If the attacker receives a NACK message after the M4 message, then we know the 1st half of the pin generated was incorrect and we should continue.

IMPORTANT TO NOTE: Using a modified version of Reaver, we flood the access point with EAPOL requests not just from 1 interface in monitor mode but from 3. This allows even more packets to be injected into the router, making a forced reboot and WPS unlock even more likely. MAC addresses are also spoofed automatically to make this possible.

TRIPLE FLOOD.

WPS PIN INEVITABLY CRACKED AND WIFI PASSWORD DUMPED. No NACK after the M4 message verified that the 1st half of the pin was cracked. It is important to note that of the next 4 digits only a 3 digit pin needs to be cracked, as the final 8th digit is a checksum of the first 4. WPS PIN: 79550000 Password: VULNERABLE. It took around 4 hours. It states 3 seconds because the original screenshot was lost and I already had the pin from the 4 hour crack session.

Second attack: brute forcing the WPS pin offline. Broadcom eCos chips use a Pseudo Random Number Generator that is as pseudo as the name suggests. This tells us that it is possible to brute force the actual state of the Pseudo Random Number Generator.

The following information is known by all WPS enabled devices:
- Pseudo Random Number Generator used to make the public keys (g^AB mod p)
- g is the generator, A and B are the private numbers of the Enrollee and Registrar respectively, and p is a prime

We first need 3 components that the router spits out, captured via Wireshark during authentication. Please note that the registrar is the actual access point, which is responsible for the keys, and the enrollee is always the device trying to authenticate with the router. These are gathered from the M1 and M2 messages.
- N1: Enrollee nonce
- PKR: Registrar public key (g^B mod p)
- PKE: Enrollee public key (g^A mod p)

The 4th component needed is the Authkey which is generated from the key derivation key aka KDK.


The final components needed to brute force the pin offline are the two hashes generated in the M3 message.

- E-Hash1 = HMAC(E-S1, PSK1, PKE, PKR)
- E-Hash2 = HMAC(E-S2, PSK2, PKE, PKR)

So we also need E-S1 and E-S2. Once we have those we can compute the hashes and see if they match the hashes generated in the M3 message. All we do is run through the 11,000 combinations offline, which is done within seconds, if not less than a second. PSK1 and PSK2 in the hash equations above are the first half and second half of the router's pin. If you plug in the components we already know, you can see how easy it is to rip through different pins until the hash matches the original. Four pin digits give 10,000 combinations, plus three pin digits which give one thousand combinations.

The original point was to figure out how to get E-S1 and E-S2 though. Let us start with the worst. Ralink chipsets don't even have an E-S1 and E-S2, so they are set to zero. There is literally nothing to brute force in that respect. Grabbing the enrollee key, the authkey, and the enrollee nonce will reveal any router's pin, and ultimately its password, if it has this vulnerable chipset. Broadcom keeps its E-S1 and E-S2 secret, therefore brute forcing the state of the PRNG will reveal them. Realtek chipsets set E-S1 and E-S2 equal to the enrollee nonce if the exchange is made in under one second.

We will be taking advantage of a Belkin N450 with a Realtek chipset. Once the information needed is extracted, it will be fed into the WPS Pixie program and brute forced to reveal the pin of the router. That pin will be fed back into the Reaver program so we can obtain the actual Wi-Fi password.

The vulnerable router: Belkin N450
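To make the 11,000-attempt figure used for both the online Reaver search and the offline search concrete, here is the WPS PIN check-digit rule from the Wi-Fi Simple Configuration specification and the resulting key-space arithmetic. This is an added example, not code from the write-up or from Reaver; per the specification the check digit is computed over all seven preceding digits, and the two sample PINs are the ones shown on this page.

```python
# WPS PIN check digit and key-space arithmetic (Wi-Fi Simple Configuration
# specification). Added example for this write-up; SAMPLE_PINS are the two
# PINs the page reports, used here only to show that they carry a valid
# check digit.

def wps_checksum(first7: str) -> int:
    """Return the 8th (check) digit for a 7-digit WPS PIN prefix."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("need exactly 7 decimal digits")
    acc = 0
    for pos, ch in enumerate(first7):
        d = int(ch)
        # digits 1, 3, 5 and 7 are weighted by 3; digits 2, 4 and 6 by 1
        acc += 3 * d if pos % 2 == 0 else d
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN ends in the correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(pin[:7])


def online_keyspace() -> int:
    """Worst-case attempts against an AP that reveals (via a NACK after M4)
    whether the first half was right: the first 4 digits are confirmed on
    their own (10**4), then only 3 of the last 4 digits are free because the
    8th is the check digit (10**3)."""
    return 10 ** 4 + 10 ** 3


def naive_keyspace() -> int:
    """Attempts if the 7 free digits had to be guessed as one secret."""
    return 10 ** 7


SAMPLE_PINS = ["79550000", "21407420"]  # taken from the page


def sample_pins_valid() -> bool:
    """Both PINs reported on the page carry a correct check digit."""
    return all(is_valid_pin(p) for p in SAMPLE_PINS)
```

The gap between naive_keyspace() and online_keyspace() is why an AP that leaks the half-PIN result must rate-limit, and why a lockout that resets on reboot is not a durable defence.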

We will fire up a modified Reaver attack on the router. Remember, we need the information from the M1, M2, and M3 messages. We will also fire up Wireshark to sniff packets on the mon0 interface. The modified version of Reaver we will use will dump the auth key, the enrollee nonce, the enrollee key, and the two hashes. Since we aren't hacking a Ralink chipset router, we will also need the registrar key. Only Wireshark can capture that information, as Reaver does not have it built in. The only thing to remember during this process is that, when looking for the packet containing the registrar key, the enrollee nonce must match, or else the wrong keys will be input into the Wi-Fi Pixie program.
-i = interface
-b = router's physical address
-c = channel
-vv = verbose mode

As seen in this screenshot, the M1, M2, and M3 messages are exchanged successfully, allowing us to stop the attack after only one pin attempt. The modified version of Reaver has dumped the auth key, e-nonce, enrollee public key, and hashes as promised. Wireshark has captured the M1 and M2 messages as promised, so we can extract the registrar key. The enrollee nonce and enrollee public key can also be viewed via Wireshark if needed.

Open up a text editor and copy and paste the auth key, the enrollee nonce, the enrollee public key, and the hashes. Then go to Wireshark and hit Ctrl + F. This opens the find packet menu. We will be searching the M2 message for the registrar public key, as it is the final piece of the puzzle. Select string and packet details, and type public key. This will look through the M2 message for the registrar key. If the screenshot is examined closely, it can be seen that I have already found and highlighted the enrollee nonce, and it matches the nonce found in Reaver. This verifies that the right packet is being used and not one from a different pin transaction.

Registrar public key located and loaded into the text editor. Info ready to be moved into the brute force tool.

WPS Pixie: proper information plugged in, and the WPS pin resolved in less than a second. PSK1 (the first half of the pin) and PSK2 (the second half of the pin) are enumerated. Pin: 21407420

The last step is to plug the pin into Reaver. It will resolve the passphrase to the Wi-Fi without fear of rate limiting. It should take no longer than 5 seconds, as the brunt of the attack took place offline.

First, we will add the pin 21407420 to the original Reaver command line.

Password cracked: PWNEDROUTER