WPA/WPA2 WPS design flaws, easy way Part II


As described in the previous post [ I ], WPS has several flaws in its design, and I'll try to explain them in this post before going straight for the WPA key. The first flaw arises in how the protocol handles external registrars.


There are several mechanisms that let a client connect via WPS, such as a physical push button or a web interface. But some devices allow external registrars to connect simply by knowing the PIN, without any other kind of authentication, which lets attackers launch brute-force attacks to retrieve the correct PIN.

Let's look again at the picture shown in the last post:



Methods enabled for connecting to WPS: Ethernet (web configuration access), Label (only ESSID, encryption type and passphrase) and PBC (Push-Button-to-Connect).

We can also see that the physical push button is disabled on this device; it is a virtual one that you have to press from the web configuration page. The other method is, as I said before, brute-forcing the PIN to get the key. That is the first design flaw.

How does WPS handle the PIN code?

The method WPS implements for PIN authentication was described in the first post [ I ], so we can recap based on Stefan Viehböck's research:

  • An attacker can extract useful information from each attempt of his brute-force attack (the PIN is 8 digits).
  • If the attacker receives an EAP-NACK after sending M4, the 1st half of the PIN is incorrect.
  • If the attacker receives an EAP-NACK after sending M6, the 2nd half of the PIN is incorrect.

This method, which validates only a few digits at a time and leaks valuable information to the attacker, reduces the maximum number of attempts required:

  • from 10^8 (100,000,000) to 10^4 + 10^4 (20,000)
  • the final digit is a checksum of the previous seven, so 10^4 + 10^3 = 11,000 attempts


The next step in understanding the whole process is to see how the PIN code is generated. Assuming the device follows Wi-Fi Alliance specifications, the PIN will be 7 digits plus a checksum of those seven:

  • Get the BSSID = 5C:33:8E | FF:1E:FC
  • Take the 2nd part of the BSSID, convert it to decimal and apply a math function to extract the checksum
  • Calculate the checksum and append it to the end of the final PIN.



Validate checksum C function

Compute checksum C function

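The checksum arithmetic behind those two functions, as an added C example written for this post (it is not the Windows Connect Now-NET code shown in the images): it derives the checksum digit for a 7-digit body, validates an 8-digit PIN the way a registrar does, and counts how many second halves survive the checksum for a fixed first half, which is where the 10^3 in the 11,000 figure comes from.

```c
#include <stdbool.h>

/* Weighted digit sum behind the WPS PIN checksum: counting from the left,
 * digits in odd positions weigh 3 and digits in even positions weigh 1.
 * The argument is a full 8-digit PIN whose last digit is the checksum. */
static unsigned wps_weighted_sum(unsigned long pin8)
{
    unsigned accum = 0;
    for (int pos = 8; pos >= 1; pos--) {      /* walk digits right to left */
        unsigned digit = (unsigned)(pin8 % 10);
        accum += (pos % 2 == 1) ? 3 * digit : digit;
        pin8 /= 10;
    }
    return accum;
}

/* Checksum digit for a 7-digit PIN body: the digit that makes the weighted
 * sum of the completed PIN a multiple of ten (the checksum slot is 0 here). */
unsigned wps_compute_checksum(unsigned long pin7)
{
    unsigned accum = wps_weighted_sum(pin7 * 10);
    return (10 - (accum % 10)) % 10;
}

/* Complete 8-digit PIN from a 7-digit body. */
unsigned long wps_full_pin(unsigned long pin7)
{
    return pin7 * 10 + wps_compute_checksum(pin7);
}

/* Validity check a registrar applies to an entered PIN:
 * the weighted sum of all eight digits must be 0 mod 10. */
bool wps_validate_checksum(unsigned long pin8)
{
    return wps_weighted_sum(pin8) % 10 == 0;
}

/* For one fixed first half, count the second halves 0000-9999 that pass the
 * checksum. Only 1000 do, which is why the second half costs 10^3 guesses,
 * not 10^4, once M4 has confirmed the first half. */
unsigned wps_valid_second_halves(unsigned long first_half)
{
    unsigned count = 0;
    for (unsigned long second = 0; second < 10000; second++)
        if (wps_validate_checksum(first_half * 10000 + second))
            count++;
    return count;
}
```

The well-known body 1234567 completes to 12345670, and for any first half exactly 1000 of the 10,000 second halves pass the checksum.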
These functions have been extracted from Windows Connect Now-NET :) although its last version dates from about 2006 and Microsoft now urges following the Wi-Fi Alliance specs. Now we are going to show an Android app that displays the WPS PIN directly on the screen; you can download it from the Play Store for free.





And now a picture of the process the app follows to show us that PIN, using Python interactively for better understanding:




Ready to recover the WPA2 key?



