{"id":97,"date":"2018-03-12T11:52:31","date_gmt":"2018-03-12T10:52:31","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=97"},"modified":"2018-03-12T14:11:01","modified_gmt":"2018-03-12T13:11:01","slug":"wps-insecurity-p1","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=97","title":{"rendered":"WPS &#8211; (In)Security P1"},"content":{"rendered":"<p>The things described in this article are nothing new, but there are still a lot of devices around which have WPS enabled!<\/p>\n<p>I&#8217;ll split this tutorial into two parts. Part 1 gives a basic understanding of what WPS is and how the weakness works. In part 2 I&#8217;ll show you step by step how you can simulate a WPS attack with Kali Linux.<\/p>\n<ul>\n<li>WPS &#8211; (In)Security P1<\/li>\n<li>WPS &#8211; (In)Security P2<\/li>\n<\/ul>\n<p><strong>WPS stands for Wi-Fi Protected Setup<\/strong> and it is a networking standard that tries to make connections between a router and wireless devices easier and faster. Instead of entering the WPA2-PSK key on each device you can use WPS to connect your devices to the network.<\/p>\n<p>There are several ways to connect to a wireless network that uses WPS:<\/p>\n<ul>\n<li>First, press the WPS button on your router to turn on the discovery of new devices. Then, go to your laptop, tablet or smartphone and select the network you want to connect to. Your device gets connected to the wireless network automatically without entering the network password.<\/li>\n<li>You may have devices like wireless printers or wireless range extenders with their own WPS button that you can use for making very quick connections. Connect them to your wireless network by pressing the WPS button on the router and then on those devices. You don\u2019t have to input any data during this process. WPS automatically sends the network password and these devices remember it for future use. 
They will be able to connect to the same network in the future without you having to use the WPS button again.<\/li>\n<li>A third method involves the use of an eight-digit PIN. All routers with WPS enabled have a PIN code that\u2019s automatically generated and cannot be changed by users. You can find this PIN on the WPS configuration page of your router. Some devices without a WPS button but with WPS support will ask for that PIN. If you enter it, they authenticate themselves and connect to the wireless network.<\/li>\n<\/ul>\n<figure id=\"attachment_99\" aria-describedby=\"caption-attachment-99\" style=\"width: 300px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-99 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_pin_on_router.jpg\" alt=\"\" width=\"300\" height=\"225\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_pin_on_router.jpg 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_pin_on_router-80x60.jpg 80w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><figcaption id=\"caption-attachment-99\" class=\"wp-caption-text\">WPS PIN label on the back of a router<\/figcaption><\/figure>\n<p>The first two methods seem to be more or less secure, because you have to press the WPS button on the router, which makes it difficult for a remote attacker without physical access. 
But what about the third method with the 8-digit PIN?<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-100 aligncenter\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_pin.png\" alt=\"\" width=\"665\" height=\"507\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_pin.png 665w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_pin-300x229.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_pin-80x60.png 80w\" sizes=\"auto, (max-width: 665px) 100vw, 665px\" \/><\/p>\n<p>Brute-forcing an 8-digit PIN = <strong>10^8 = 100\u2019000\u2019000 possibilities!<\/strong> Sounds secure, but\u2026<\/p>\n<p>Back in 2011, a security researcher discovered that you don\u2019t need to try all 100\u2019000\u2019000 PIN combinations. The last digit is just a check digit that is calculated from the previous seven. That means that WPS PINs are effectively only seven digits long.<\/p>\n<p>Worse, the 8-step protocol doesn\u2019t validate the PIN as a single seven-digit number. It checks the first four digits, and only if those are right does it check the last three digits.<\/p>\n<p><strong>10^4 + 10^3 = 10\u2019000 + 1\u2019000 = 11\u2019000<\/strong>. 
<strong>Instead of 10\u2019000\u2019000 combinations you only have to try 11\u2019000 combinations to get the WPA2-PSK key<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-125\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_combination.png\" alt=\"\" width=\"520\" height=\"167\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_combination.png 520w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_combination-300x96.png 300w\" sizes=\"auto, (max-width: 520px) 100vw, 520px\" \/><\/p>\n<p>The problem has been known since 2011, but most of the vendors who implement WPS functionality in their devices didn\u2019t react. Such an attack can still be lucrative for an attacker, because WPS is activated by default in most devices and it won\u2019t be hard to find WPS routers in your environment if you do a scan. Another fact is that not many routers have implemented security measures against a WPS brute-force attack, for example locking out your MAC address after a few false tries\u2026<\/p>\n<p>Let&#8217;s move over to part 2 where I&#8217;ll show you step by step how you can do such an attack \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>The things described in this article are nothing new, but there are still a lot of devices around which have WPS enabled! 
I&#8217;ll split this tutorial <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=97\" title=\"WPS &#8211; (In)Security P1\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":98,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,3],"tags":[14,15,7],"class_list":["post-97","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-wi-fi","tag-hacking","tag-wps","tag-wps-cracking"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/97","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=97"}],"version-history":[{"count":3,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/97\/revisions"}],"predecessor-version":[{"id":126,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/97\/revisions\/126"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/98"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=97"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=97"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=97"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}