WPS (In)Security – Part 2

I gave a short introduction to WPS in Part 1 of this article. Part 2 is the practical part: I'll set up a router with WPS and show you how to attack it. It's for educational purposes only, so try it against your own device!

Lab Setup:

1x Alfa AWUS036H WLAN adapter
1x Zyxel NBG-460N router
VMware or VirtualBox image with Kali Linux, or another Linux with wash and reaver installed

[Photo DSC00853: Alfa AWUS036H adapter]

[Photo: Zyxel NBG-460N router]

[Screenshot Auswahl_060: the router's wireless settings page]

I set up Wi-Fi protection with WPA2-PSK and a very secure password 😉 The SSID of my network is Swiss_Emmentaler, and as you can see WPS is activated. Let's start!

[Screenshot wps_hack1]

The first step is to map the WLAN card into the virtual machine. Let's check that with the command iwconfig: the card shows up as wlan0.

[Screenshot wps_hack2]

The next step is to put the WLAN interface into monitor mode. In monitor mode the adapter passes on every frame it receives, not only the traffic addressed to us.

[Screenshot wps_hack3]

The tool warns that three system processes may interfere with the monitor interface. I'll kill them and check that the mon0 interface is up.

[Screenshot wps_hack4]

Next we scan with the tool wash (already installed in Kali). I scanned only channel 6, and my Swiss_Emmentaler AP was detected successfully. We need the MAC address (BSSID) of the router we want to attack.

[Screenshot wps_hack5]

The tool reaver offers a number of advanced options for the attack:

– -i sets the interface, here mon0
– -b sets the target MAC address
– -D improves the cracking speed
– -vv displays non-critical warnings

Run reaver without arguments in your shell for a detailed description of all options.

[Screenshot wps_hack6]

In my lab the brute-force speed varied between 3 and 6 seconds per PIN. If everything works, I should get the WPA2-PSK key within 8 to 16 hours.

If we stop the cracking process, the session is stored automatically so that we can continue later.

[Screenshots wps_hack7 and wps_hack8]

In my test it took 34057 seconds to crack the PIN: 34057/3600 = 9.46 h.
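Why a PIN brute force finishes in hours rather than years is worth making explicit. The following Python snippet is an added example (my own, not code from the original post or from reaver): it implements the checksum rule of the WPS PIN format (8 digits, the last one a checksum of the first 7) and the fact that the WPS registrar protocol confirms the first four digits separately from the last three, so an attacker needs at most 10^4 + 10^3 = 11,000 attempts. The only input it assumes is the 3 to 6 seconds per PIN measured above; the 34057 s result is the one reported in this post.

```python
# Added example: quantify the WPS PIN brute-force risk behind the timings above.
# Facts used: a WPS PIN is 7 digits plus a checksum digit, and the protocol
# confirms the 4-digit first half independently of the 3-digit second half.
# Assumed rate: the 3-6 s/PIN observed in the post.

def wps_checksum(pin7: int) -> int:
    """Checksum digit appended to a 7-digit WPS PIN (weighted 3/1 digit sum)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)   # odd positions from the right weigh 3
        pin7 //= 10
        accum += pin7 % 10         # even positions weigh 1
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries the correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def naive_keyspace() -> int:
    """Number of checksum-valid PINs if the protocol leaked nothing: 7 free digits."""
    return 10 ** 7


def effective_keyspace() -> int:
    """Worst-case attempts when the halves are confirmed independently:
    10^4 for the first half plus 10^3 for the second (its last digit is
    fixed by the checksum), instead of 10^7."""
    return 10 ** 4 + 10 ** 3


def hours_for(attempts: int, seconds_per_pin: float) -> float:
    """Wall-clock hours needed for a given number of attempts at a given rate."""
    return attempts * seconds_per_pin / 3600


def implied_attempts(total_seconds: int, seconds_per_pin: float) -> int:
    """How many PIN attempts a measured run corresponds to at a given rate."""
    return round(total_seconds / seconds_per_pin)


if __name__ == "__main__":
    print("12345670 has a valid checksum:", is_valid_wps_pin("12345670"))
    for rate in (3, 6):
        worst = hours_for(effective_keyspace(), rate)
        average = hours_for(effective_keyspace() // 2, rate)  # roughly half on average
        naive_years = hours_for(naive_keyspace(), rate) / 24 / 365
        print(f"{rate} s/PIN: worst case {worst:.1f} h, average {average:.1f} h, "
              f"without the half split about {naive_years:.1f} years")
    print("measured 34057 s at 3 s/PIN corresponds to about",
          implied_attempts(34057, 3), "attempts")
```

At 3 s/PIN the worst case is about 9.2 h and at 6 s/PIN about 18.3 h, which is why the measured 9.46 h is unsurprising; without the independent confirmation of the two halves the same rate would take on the order of a year or two. For a defender the number to remember is 11,000: any AP that keeps answering PIN attempts at a few seconds each will fall within a working day, so the fix is to disable WPS rather than to hope for a slow attacker.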

Recommendation: turn off WPS, and afterwards run a wash scan against your own AP to confirm it no longer advertises WPS.

Happy Hacking 🙂
