Cracking 802.11, WPS

9 minutes
Share the link to this page
You need to purchase the class to view this lesson.
One-time Purchase
List Price:  $139.99
You save:  $40
List Price:  د.إ514.18
You save:  د.إ146.92
List Price:  A$181.50
You save:  A$51.86
List Price:  ৳11,871.76
You save:  ৳3,392.17
List Price:  CA$178.30
You save:  CA$50.94
CHF 88.79
List Price:  CHF 124.32
You save:  CHF 35.52
List Price:  kr857.57
You save:  kr245.03
List Price:  €115.28
You save:  €32.94
List Price:  £102.37
You save:  £29.25
List Price:  HK$1,085.17
You save:  HK$310.07
List Price:  ₹10,216.02
You save:  ₹2,919.07
List Price:  RM566.18
You save:  RM161.78
List Price:  ₦53,476.18
You save:  ₦15,280
List Price:  kr1,194.89
You save:  kr341.42
List Price:  NZ$194.52
You save:  NZ$55.58
List Price:  ₱6,725.18
You save:  ₱1,921.61
List Price:  ₨22,499.89
You save:  ₨6,429
List Price:  S$185.82
You save:  S$53.09
List Price:  ฿4,197.95
You save:  ฿1,199.50
List Price:  ₺1,035.01
You save:  ₺295.74
List Price:  B$765.26
You save:  B$218.66
List Price:  R2,127.98
You save:  R608.04
List Price:  Лв225.89
You save:  Лв64.54
List Price:  ₩154,423.33
You save:  ₩44,124.10
List Price:  ₪458.61
You save:  ₪131.04
Already have an account? Log In


There's a big challenge to configuring wireless devices in particular, the whole idea for a person to have to type in a pre shared key into their client and set it up on individual computers and on smart devices. That's not a big deal. But when it comes to things like printers and things like that, we don't have an easy windows or os 10 interface or something to be able to go through this configuration process. So that's why many years ago, they came up with something called Wi Fi Protected Setup, or WPS. Now, for those of you who don't know WPS, the whole idea behind WPS is push button configuration. So I've got a wireless access point.

And this wireless access point has a pre shared key a nice big complicated pre shared key in it. The idea behind WPS is simple. Now, if you look really close here, can we get a photograph of this button right here? That button is how WPS starts. If I have a WPS wireless access point, and I have a WPS escapable device, all I need to do is press this button. Then I go over to my printer, whatever it is.

And I press and usually hold the button on that other device for a couple of minutes, sometimes three minutes depends on the manufacturer, then you let go. And they automatically configure themselves. They make this configuration by having a built in key a hardware burned in key that they can use just to make that initial connection that it's never used again, and they exchange the true pre shared key, and WPS is up and cooking. Now if you really need to, you can actually go into like a Windows system and type in this eight digit number and you can configure that way as well. And WPS is great stuff except for one big problem and it has to do with all right, can we get one more photograph of this? Okay, so what you're looking at is an eight digit key.

So every WPS enabled device has this eight digit key this eight digit key is only used for those few short moments while they're making the initial key exchange of the P SK. However, there's a bit of a problem with it. Now, an eight digit key would be two to the eighth power. So you know, it's a pretty long chunk of data for a guy to be able to crack in just a couple of minutes. However, there are some weaknesses. Weakness number one, one of those eight digits is just used as a cyclic redundancy check for the other seven.

So now we're down to two to the seventh power, still pretty hairy in terms of quick crack, yet, there's another problem with WPS, the actual process of the key exchange is done through first four bits, and then three bits. So really, instead of two to the seventh power, you have two to the fourth power and two to the third power, which basically means you only need about 11,000 iterations to be able to crack this stuff. So this was first discovered back in 2011. And it's set everybody into a tizzy. So what we've seen since 2000 11 is number one, a lot of wireless access points where you can turn WPS off a lot of wireless access points that you could turn it off. However, the right kind of tools could turn it back on a lot of wireless access points where they simply dumped WPS completely, just not even a feature anymore.

And now what we're starting to see, especially in the 802 11 ac world, is a lot of wireless routers that are using WPS, but they're using it very cleverly. So before we get into how they're doing this, I want to go through the process of actually cracking something. So we're going to take a look at the Cisco box right here. And I know he is passing out on this total Wi Fi SSID. Now if you look right here on the screen, it's red. And the reason it's red is the scanner is actually querying the wireless access point.

And the wireless access point has WPS turned off and there is nothing we can do about it. But if we keep looking here you see here it is. A wireless access point called asis. And it's green. Well, what we're actually doing right here is I knew this guy wasn't working. So I brought in another wireless access point.

And this guy, I've got WPS turned on, let me show you how WPS looks on this particular device. So if we take a look over here, what I've got is I've set up I've got the SSID as the default just called asis. And I'm going to go ahead and give it like a WPA two personal and I think I was using the password Timmy Timmy before Yeah, it still remembers that great. Alright, so what I'm going to do is go ahead and light that up. Now keep in mind we're talking about this is a pretty modern 802 11 ac wireless router here. So you know we're not talking about 2011 technology here.

This is pretty recent stuff. So if we come in here, we'll see it does have a W PS tab that we can turn on and off. And for the record with this particular router, if I turn it off, it really turns it off. There are some older routers from the 2011 to 2015 world where you can actually turn off WPS, but a good cracker can literally turn it on remotely and that fun. Anyway, so what I've done here is I've gone ahead and turn this on, and he's up in cooking. Now, right down here, do you see the PIN code?

Now this pin code here, let me pull up this guy has his own PIN code on the outside as well. So what I want to do one more time, let's go ahead and just take a picture. Can we get a photograph of that? Okay, now compare that photograph that we're we're looking at with this pin code. In fact, let's look at them together. You can see it's the exact same code so we now know what exactly we're looking for.

Now, I'm going to go ahead and crack this because my survey tool said that WPS was on in cook and even though I turned off and back on again, it's ready to rock and roll The tool I'm going to use is a wonderful well known tool called Reaver, which again, is part of the Kali Linux toolkit. Now, you can see that I've gone ahead and I ran my arrow dump one more time here so I can see who's out there. And there's aces keeps popping in and out, but he was there. The important thing is, is I already had that BSS ID. So let me scroll up to the top here so you can see where I'm at. I bet this has been running for a while.

So so you can see I started raver and I went to W land zero mon. And I just typed in the MAC address for that particular access point. And I've been letting this go for a while. Try to get to the bottom here. And you can see he's trying different iterations. So he's basically doing a brute force WPS attack, he started with seven zeros and he's going to go to seven nines until he gets the right answer.

Now, what's interesting is he's been at this for a while. He's been at it for a while, because I told him to, one of the big problems we run into with especially the newer generation, WPS capable wireless access points, is that they know if somebody starts hitting on them really, really fast, keeps trying each iteration, that that means they're being attacked, and they will either shut down or they will turn off WPS. I've got particular routers that will literally factory reset themselves. If they get attacked too many times. So what I'm doing with Reaver right now, as I said, just hit him very slowly, very, very slowly. So if you do it, even one iteration per second, you're talking about 11,030 600 iterations per hour, so you're talking about a maximum of three hours and that's it if you hit it one per second.

If I hit this guy, one per second He's gonna just cut off, he will literally turn off WPS on me. So what I'm doing is just, I'm just gonna let him run a little bit. And usually in this case, I would consider letting him run as much as a week seriously, just to make sure I don't set the routers. The end result is is that Reaver will work, a guarantee it'll work, it might take a couple of tries, but it absolutely will work. So here, let me put up what a successful Reaver attack is going to look like for you. So that's the beauty of WPS attacks.

Now, Reaver is not the only tool out there, there's zillions of them. It's just the one I am most comfortable with. It's been around for a while. If you want to stop WPS attacks, you're going to have to be very, very careful. Number one, if you have older routers that are susceptible to this, there's great documentation online about this. Get rid of it.

You can also consider a firmware update. One of the things I do love about the DD WRT firmware for all of these little home routers is that almost invariably shuts off WPS in a way that it's very, very difficult to turn it back on, unless you intentionally want to do it yourself. And the last thing you want to do is consider a modern wireless router. They will have WPS on them a lot of times but they come with so many tools. It's very, very difficult for a guy like me to be able to crack Yeah, unless I really really, really have a lot of time.

Sign Up


Share with friends, get 20% off
Invite your friends to TabletWise learning marketplace. For each purchase they make, you get 20% off (upto $10) on your next purchase.