WPS PIN attacks: How to crack WPS-enabled Wi-Fi networks with Reaver
Level up your Wi-Fi hacking! Understanding WPS and its older vulnerabilities is a good intro to wireless network security and how to detect, exploit, and mitigate them.
Wi-Fi has become an essential network infrastructure in both homes and businesses due to the requirement to support mobile devices and network-connected smart devices.
To simplify the connection of devices to a wireless network, the Wi-Fi Alliance introduced Wi-Fi Protected Setup (WPS) in 2006, which allowed the automated configuration of devices at the touch of a button or by entering a short PIN.
However, in 2011, major vulnerabilities were discovered in the implementation of this protocol by a number of wireless access point manufacturers.
Users at that time realized that the feature was often enabled by default and, worse, that some devices were still vulnerable even when WPS was disabled in the management user interface.
The WPS vulnerabilities illustrate how hard it is to get manufacturers of network devices to implement protocols fully and to implement security measures, especially when those measures come at the cost of convenience and functionality.
In the case of WPS PIN brute force attacks, end users were left with little option in some cases other than to wait for firmware updates or to purchase new devices.
Although the original WPS PIN attack has been mitigated with updates, new wireless access points designed for the home or small office still support WPS through push button configuration. This remains a vulnerability for any device that an attacker has physical access to.
Understanding WPS and its older vulnerabilities is a good introduction to wireless network security and how to detect, exploit, and mitigate them in a live environment.
Improve your wireless network security skills with Wifinetic
Improve your understanding of Wi-Fi network vulnerabilities.
Learn to brute force WPS PINs to obtain the pre-shared key (PSK).
Get familiar with tools like Reaver and Aircrack-ng
We’ve introduced a new innovative machine, Wifinetic, that allows users to explore wireless network vulnerabilities to develop skills in searching for vulnerabilities such as those found in the WPS protocol.
This would have normally required a hardware network setup in a lab but is delivered on the HTB platform through our virtualized environment.
What is WPS?
Wi-Fi Protected Setup (WPS), sometimes referred to as Wi-Fi Simple Configuration (WSC), is a network standard and protocol that allows devices to join a Wi-Fi network without using the network’s key.
It is commonly used to attach smart devices such as TVs and printers to home Wi-Fi networks where inputting a complicated or long passphrase or key would be cumbersome.
How does WPS work?
WPS calls the device wanting to connect to the network an “Enrollee” and the WPS logic that handles the authentication and configuration process the “Registrar”.
An access point (AP) allows the enrollee and registrar to communicate with each other. In most cases, the AP and registrar functions are combined as in the case of a wireless router for example.
Access points can also support “external registrars”. External registrars connect with the access point using the same message exchange as the wireless clients outlined below.
To connect a device via WPS, there are a few different modes of operation. The main two are:
Push Button Configuration (PBC): The enrollee device and access point both have buttons that need to be pushed in sequence to initiate and confirm a connection. Once the button is pushed on the access point, the discovery mode of the connection process remains active for two minutes or less.
The user then pushes a button on the connecting device to connect to the access point. This feature assumes that attackers would not have physical access to the router, a weakness we discuss more below.
PIN Entry: An eight-digit, static PIN code is provided by the access point. Its input is required to authenticate a device for it to join the Wi-Fi network. The code is sometimes provided on a physical sticker on the access point, and can sometimes be changed via an administration interface.
WPS uses the IEEE 802.11 and Extensible Authentication Protocol (EAP) protocols for discovery and configuration. The flow of messages between the user, enrollee, and registrar is split into a discovery phase and a registration phase.
The first two messages allow the enrollee and registrar to exchange public keys that are used in all subsequent messages. What follows is a proof that both the enrollee and registrar know the same PIN. This is done by splitting the PIN into two halves and using each half as a separate key, so that each half is proven on its own. The PIN is eight digits long, with the last digit being a checksum.
[Figure: the eight-digit PIN split into its first half and its second half, the last digit of the second half being the checksum]
The enrollee and registrar can detect if either the first or second half of the PIN is wrong because they will receive a negative acknowledgment message in response to an incorrect proof of knowing that part of the PIN.
This means that if the registrar receives a NACK after the M4 message, the first half of the PIN is incorrect and after the M6 message, the second half is incorrect.
At the end of the process, the Wi-Fi password is shared with the enrollee, allowing it to join the network.
The WPS PIN attack vulnerability
Having seen how WPS uses the PIN, you may have already worked out that it is vulnerable to brute force attacks. If WPS had checked all 7 free digits at once (the checksum is always calculable and so can be ignored), there would be 10^7 or 10,000,000 possible combinations, making a brute force attack infeasible.
However, because each half of the PIN is checked independently, the first half can be guessed from only 10^4 or 10,000 candidates and the second half from only 10^3 or 1,000, so at most 10,000 + 1,000 = 11,000 attempts are needed in total.
This vulnerability was published by Stefan Viehböck in 2011. He created a proof of concept (POC) to exploit this vulnerability and tested a number of wireless access points to demonstrate the flaw.
In his POC, Viehböck used the authentication protocol for registering an external registrar with the access point. If an access point was vulnerable, the PIN could normally be cracked within 4 hours.
Exploiting WPS in practice
The first phase of an attack on a Wi-Fi access point is its discovery on a network. There are a number of tools for this, one of the best known being the Aircrack-ng suite, which includes airmon-ng and airodump-ng.
To use this tool, you will need to have a wireless network interface on your computer and have it set in “monitor mode” in order to be able to do things like scan for other wireless networks or even examine network packets.
Assuming this is in place, the tool airodump-ng will provide a list of available networks and provide details of the network's Basic Service Set Identifier (BSSID) and their descriptive names or Extended Service Set Identifier (ESSID). You will also get information about the channels they are operating on and the authentication and cipher protocols they may be using.
In a real engagement, you would need to determine which of these networks were of interest and then look at potential vulnerabilities for each target of interest. Since this article is concerned with WPS PIN attacks, we are going to focus on that.
💡Note: The retired HTB machine Olympus, which focuses on the use of Docker, features a small Wi-Fi section that involves cracking an offline Wi-Fi handshake using aircrack.
Phase: Exploitation
Tactic: WPS PIN attack
Having scanned for Wi-Fi networks and found a potential target, we can switch to using a specific tool called Reaver that was created to brute force WPS PINs. Reaver uses the same approach as Stefan Viehböck’s POC. It uses IEEE 802.11/EAP to act as an external registrar authenticating with the target Wi-Fi access point.
To perform the attack, Reaver is run with the following arguments:
reaver -i <Interface name> -b <BSSID> -c <channel number> -vv (verbosity of output)
With these arguments, you will be able to follow the progress in cracking the PIN and once successful, Reaver will print out details of the PIN and any WPA PSK password it has discovered.
[+] Pin cracked in 2 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: 'Password123!'
Once you have obtained the Wi-Fi key, you would use it to potentially join the network and enumerate the resources accessible by that network. You might also check if the password has been used for authenticating other accounts that are discovered during the penetration of the network and associated systems.
Defense against WPS attacks
The current version of the Wi-Fi Protected Setup specification (2.0.8) gives implementers of the protocol specific recommendations for protecting against brute force attacks on the PIN.
This includes using temporary PINs and implementing progressive delays in responding to requests that appear to be attempts to brute force the PIN. Another requirement is for the access point to enter a lock-down state after 10 failed attempts to guess the PIN from any external registrars trying to authenticate.
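To show why the independent check of each half matters (the 10^4 + 10^3 figure above) and how the lock-down required by WPS 2.0 blunts it, here is an added Python example; it is not code from this article, from Reaver or from hostapd. It implements the PIN checksum rule from the WPS specification and a constructed registrar model whose m4_ack/m6_ack answers stand in for the ACK or NACK after M4 and M6; the SimRegistrar class, half_wise_search function and the failure limit passed to the model are assumptions of this example.

```python
# Added example, not from the HTB article, Reaver or hostapd (see lead-in).
from typing import Optional, Tuple

def wps_pin_checksum(pin7: int) -> int:
    """Checksum digit for the 7 leading digits of a WPS PIN (spec rule)."""
    accum, pin = 0, pin7
    while pin:
        accum += 3 * (pin % 10)  # digits 7, 5, 3, 1 (from the left) weigh x3
        pin //= 10
        accum += pin % 10        # digits 6, 4, 2 weigh x1
        pin //= 10
    return (10 - accum % 10) % 10

class SimRegistrar:
    """Constructed AP/registrar model: m4_ack/m6_ack answer a first-/second-half
    proof with True (ACK) or False (NACK); with a limit set it locks down as WPS 2.0 requires."""
    def __init__(self, pin8: str, max_failures: Optional[int] = None):
        self.halves = (pin8[:4], pin8[4:7])  # the 8th digit is only a checksum
        self.failures, self.limit, self.locked = 0, max_failures, False

    def _answer(self, ok: bool) -> bool:
        if not self.locked and not ok:
            self.failures += 1
            self.locked = self.limit is not None and self.failures >= self.limit
        return ok and not self.locked

    def m4_ack(self, first_half: str) -> bool:
        return self._answer(first_half == self.halves[0])

    def m6_ack(self, second_half: str) -> bool:
        return self._answer(second_half == self.halves[1])

def half_wise_search(reg: SimRegistrar) -> Tuple[Optional[str], int]:
    """Prove the halves independently: at most 10**4 + 10**3 proofs, not 10**7.
    Returns (recovered PIN or None if locked out, number of proofs sent)."""
    attempts = 0
    for a in range(10**4):
        attempts += 1
        if reg.m4_ack(f"{a:04d}"):
            break
        if reg.locked:
            return None, attempts
    for b in range(10**3):
        attempts += 1
        if reg.m6_ack(f"{b:03d}"):
            pin7 = a * 1000 + b
            return f"{pin7:07d}{wps_pin_checksum(pin7)}", attempts
        if reg.locked:
            return None, attempts
    return None, attempts
```

Against an unlocked model with the article's sample PIN the search returns 12345670 after 1,803 proofs, while a model with max_failures=10 locks after the tenth NACK and the search stops with nothing.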
Updating firmware on devices to implement fixes or purchasing an access point that has implemented an up-to-date version of WPS is important. WPS is normally configurable from the administration function, so if not in use, it should be turned off.
In the past, there were devices where even if WPS was disabled, the protocol could still be brute forced and so this should be checked in the particular models of devices. Since anyone with physical access to a device can simply push the WPS button to connect, physical access to access points should be controlled by putting them in locked cupboards or cages.
Another vulnerability that we haven’t discussed is the so-called Pixie Dust vulnerability which is concerned with particular models of access points using specific chips.
This vulnerability involves limitations in the way random nonces were generated for the EAP authentication protocol.
The issue was that the nonces were not random, so the PIN could easily be brute forced once the nonces were known. Again, this issue has been fixed in more recent access point models.
Develop your skills with HTB
Now that you have the theory and principles behind reconnaissance and enumeration of Wi-Fi networks, you can put it into practice using the Hack The Box machine Wifinetic.
What is special about this box is that it runs an emulated wireless access point serving a wireless network.
Wifinetic is an Easy difficulty Linux machine that focuses on wireless security. Initial enumeration reveals an exposed FTP service that has anonymous authentication enabled which allows you to download available files. One of the files is an OpenWRT backup.
OpenWRT is a Linux-based operating system designed for wireless access points and routers. Enumeration of the backup reveals a wireless network configuration that discloses an access point password. The contents of the shadow or passwd files further disclose usernames on the server.
With this information, a password reuse attack can be carried out on the SSH service running on the Wifinetic machine, allowing us to gain a foothold as the netadmin user. Using a variety of tools, the wireless networks the machine has access to can be enumerated revealing the OpenWRT network.
The utility Reaver is available on the machine and has been given capabilities to work on the wireless interface allowing it to be run and reveal the PIN and WPA key. This key can then be reused to gain access to root via SSH.
Further reading and resources
Wifinetic machine.
Wifinetic walkthrough video by IppSec.
Wifinetic write-up.