Friday, 12 April 2013

WPS && Reaver Tutorial

What is WPS?

WPS, or WiFi Protected Setup, is a technology introduced in 2007. It's designed to make it easy for dummies to set up their WiFi, buy just typing in the pin the first time they connect to their router to set it up. The last years it's been added to pretty much any router. Unfortunately, it is one big flaw with this that makes us able to get another response from the router when we have the first four digits correct. This makes the total amount of PINs that has to be tried little enough to be brute-forced, a technique which basically contains of testing every possible PIN. Reaver, a tool developed for Linux does this on auto-pilot for us, so if you meet the requirements you'll be able to crack your WiFi within 10 hours.

Flaws in the WPS system:

I actually tried to add them all under the "What is WPS?" subtitle, but I realised they were too many.
  • First of, it's that you'll get a positive response when having the first four digits correct. This makes it vulnerable to brute-force.
  • The WPS pin is hard-coded, which means that it doesn't change even though you reset your router. So if someone has your WPS pin, they can access your router anyway.
  • On many routers the option to disable WPS doesn't actually work. I'll explain how to protect yourself anyway if you're one of the unlucky here.

Requirements:
  • A way to run BackTrack 5.

    • Please refer to BackTrack's tutorial page for a variety of ways to get it running.

  • Understanding in how to use the terminal in Linux.
  • A wireless card that supports injection mode (most of them do).
  • Being physically close enough to your router.

Please also note that this is an active hack, meaning you'll have to be in range of the access point (router) during the whole process.

Warning: This method is only intended to be used on your own router or with the permission of the owner to test the security. The "how to protect yourself" section is here for a reason!

Alrighty then, let's get crackin'!

Get Reaver and identify your wireless interface

BackTrack 5 r3 comes with Reaver already installed, but if you have an older version you can run this command to install it:
Code:

apt-get install reaver

To identify your wireless interface, just run this command:
Code:
iwconfig

[Image: Sq4eI.png]

You'll probably get a result similar to mine, what you want to look for is wlan and a number. In most cases it will be wlan0.

Putting your card in monitor mode and finding the your network

To get your card into monitor mode, run this command:

Code:
airmon-ng start <wlan interface>
In my case it's:

Code:
airmon-ng start wlan0

[Image: CnORv.png]

From here on we'll no longer be using wlan0, since that interface isn't in monitor mode. We'll get printed the name of another interface after running the latest command. You want to look for the text "monitor mode enabled on mon*", the star represents a number. In most cases this will be mon0.

Time to find the network your network!

Code:
airodump-ng <monitor mode interface>
This command will make your WiFi card start searching for APs (access points) and stations (clients connected to them). What you'll have to worry about now is the APs.

[Image: cBxBg.png]

Look for your network, and make sure the PWR is -60 OR MORE (by more is mean as in closer to 0, eg. -30 is more than -40). PWR represents signal strength, so if it's too low you should get closer to your router. For the best results and the fastest cracking you should have at least -40. Take note of what's under BSSID, since that's what we're going to use on the next step. Press Ctrl + C when you've got your BSSID to cancel the scan.

Start the cracking

Now let's tart reaver. The easiest and often most effective command you can run is:

Code:
reaver -i <your monitor interface> -b <BSSID of your router> -vv

eg.:

Code:
reaver -i mon0 -b 00:00:00:00:00:00 -vv

[Image: U6yAb.png]

That's the easiest approach, and if everything seems to work out for you then you can leave it overnight or watch a (really long) movie. After you've verified that it works you can head to the latest part of this tutorial to see how you can protect yourself. However, if you're having problems (eg. timeouts) then you can keep reading the next section for tips on how to solve them.

When you have the PIN you can head over to this thread and post your PIN there if you feel like contributing.

Tips and tricks

Specify a delay

If your router can't handle the excessive number of attempts and goes into DoS (Denail of Service), you'll probably know because you'll be getting timeouts for a while and the computers on your network will loose their connection. You'll also get timeouts if the router locks you out as a security measure. Anyway, you can fix this by specifying the delay between each PIN attempt by using the -d parameter, eg.:

Code:
reaver -i mon0 -b 00:00:00:00:00:00 -vv -d 3

The -d parameter specifies the delay between each pin in seconds, the default being 1. This means if you have really faith in your router being able to handle LOTS of pin attempts, and you're in a hurry, you can try to set the delay to 0.

Specify channel

Another possible way to speed things up is, as PinkPanther says on the next post, to use the -c parameter. This parameter specifies the channel to run the attack on. Normally reaver will see if the access point (router) have changed the channel and hop to the new one. However, if you don't have a problem with the AP channel hopping, you can specify the CH from the "airodump-ng" command, eg.:

Code:
reaver -i mon0 -b 00:00:00:00:00:00 -vv -c 1

This will make reaver only try to attack on channel 1. However, if the channel hops you'll get stuck after a while if using this.

Note that for every successful pin attempt reaver will automatically save your session, so if you want to take a break, or specify other parameters you won't have to start over again.

How to protect yourself

Like you've probably understood, WPS is a major security problem for us with home connections. What you should do to be protected is:
  • Set a STRONG key consisting of random letters and numbers (this doesn't protect against WPS, but it does against other methods).
  • Disable WPS.
Check again with reaver that WPS really is disabled, if it's not you should install a custom firmware to your router, such as DD-WRT.

Note: This tutorial is only for Educational Purposes, I did not take any responsibility of any misuse, you will be solely responsible for any misuse that you do. Hacking email accounts is criminal activity and is punishable under cyber crime and you may get upto 40 years of imprisonment, if got caught in doing so.

No comments:

Post a Comment