Hi folks! in this post series I´ll try to analyze the entire process about how to retrieve WPA/WPA2 key when bruteforcing PSK was not successfull or takes a long long time. Attack surface arose in December 2011 when Tactical Network Solutions released a whitepaper describing a WPS related issue that allows an attacker to retrieve WPA/WPA 2 passphrase without the needing of getting wpa handshake, deauth a client and so son.
With this attack, we can get the pass in few hours ( 4,10,15.. ) instead of many years that bruteforcing PSK technique would take, so let´s start talking a bit about WPS implementation.
Taking a look at the documentation that Wi-Fi Alliance provides:
«The primary goal of Wi-Fi Protected Setup is to simplify the security setup and management of Wi-Fi
networks. The goal of this specification is to provide users with the assurance that their wireless
networks are protected against unauthorized access and disclosure of private information.»
In summary, WPS was introduced in AP devices to facilitate the deployment of WiFi «protected» networks without the knowledge of any parameter, except PIN ( 8 chars ) in the back of the device. I will discuss PIN code generation in the second part of this analisys.
- AP: An infrastructure-mode 802.11 Access Point and monitoring 802.11 probe request and EAP messages from Enrollees.
- Registrar: An entity with the authority to issue and revoke Domain Credentials. A Registrar may
be integrated into an AP, or it may be separate from the AP. A Registrar may not have WLAN
capability. A given Domain may have multiple Registrars and processing enrollee.It handles probing messages and configuring AP with Enrollee MAC address.
- Enrollee: A device seeking to join a WLAN Domain. Once an Enrollee obtains a valid
credential, it becomes a Member.
If we move forward to the WiFi Alliance specifications on WPS protocol, we find this :
«The Wi-Fi Protected Setup in-band Registration protocol is designed to provide strong protection against
passive eavesdropping attacks and also to detect and to protect the system from an attempt to perform an
active brute force attack.»
and a more interesting paragraph…
«Users who want strong security should be encouraged to purchase products that support the higher-security Wi-Fi Protected Setup options.»
Or what is the same as saying … «Buy the most expensive device if you want a lockdown policy»
The next section shows message exchange between new Registrar and AP, and attack will be done when we get the PIN and thereby we are able to establish a new authenticated wireless connection, ( M8 ) :
Knowing that info, start sniffing on monitor mode interface, run reaver ( discussed later ) tool and wireshark at each stage to find some useful and interesting info about the remote AP, like the following in the Diffie-Hellman key exchange involving M1 and M2:
EAP Request, Expanded type, WPS, M1
As we can see, we can retrieve manufacturer, model name, WPS Configured (0x02 ), different security procotols handled by such device and wps configuration methods allowed too, Ethernet, Push Button and Label ( printed on the back of the device ) only with M1 trace, cool :).
If you only want to know if there is any WPS device enabled around you, just use wash tool like the following ( rtl8187 chipset / mon0 interface ) :
In the next post, I´ll be dissecting one of the design flaws that is deployed in that poor protocol.