Wi‐Fi Protected Setup (WPS) is a wireless standard intended to make joining a “secure” wireless AP simple. The problem with WPS is its registrar PIN: the eight‐digit PIN carries a checksum in its last digit, and the protocol confirms the first four digits separately from the last four, so an attacker needs at most about 11,000 guesses rather than 100 million. A recovered PIN hands over the very WPA/WPA2 pre‐shared key that is supposed to lock down the network. As we’ve seen over the years with security, everything’s a tradeoff!
WPS is intended for consumer use in home wireless networks, and consumer routers usually ship with it enabled. If your wireless environment is like most others that I see, it probably contains consumer‐grade wireless APs (routers) that are vulnerable to this attack.
The WPS attack is relatively straightforward using an open source tool called Reaver (https://code.google.com/p/reaver‐wps). Reaver works by brute‐forcing the WPS PIN online, one guess per protocol exchange with the AP, and reading back the WPA pre‐shared key once the PIN is confirmed. I use the commercial version, Reaver Pro (www.reaversystems.com), which is a device that you connect your testing system to over Ethernet or USB. Reaver Pro’s interface, as shown in Figure 1, is pretty straightforward.
Running Reaver Pro is easy. You simply follow these steps:
1. Connect to the Reaver Pro device by plugging your testing system into the PoE LAN network connection. You should get an IP address from the Reaver Pro device via DHCP.
2. Load a web browser and browse to http://10.9.8.1 and log in with reaver/foo as the username and password.
3. On the home screen, press the Menu button and a list of wireless networks should appear.
4. Select your wireless network from the list and then click Analyze.
5. Let Reaver Pro run; it will report whether WPS is enabled on the selected network.
This process is shown in Figure 2.
Fig. 1: The Reaver Pro Startup Window

Fig. 2: Using Reaver Pro to Determine That Wi‐Fi Protected Setup Is Enabled
If you wish to have Reaver Pro automatically start cracking your WPS PIN, you’ll need to click Configure and set the WPS PIN setting to On. WPS PIN cracking can take anywhere from a few minutes to a few hours, but if successful, Reaver Pro will return the WPA pre‐shared key. Otherwise it will tell you that the wireless network is too far away or that intruder lockout is enabled, in which case the AP is rejecting further PIN attempts for a period of time after a run of failures and the attack slows dramatically.
I’ve had mixed results with Reaver Pro depending on the computer I’m running it on and the wireless AP that I’m testing. It’s still a worthy attack you should pursue if you’re looking to find and fix the wireless flaws that matter.
It’s rare to come across a security fix as straightforward as this one: Disable WPS. After disabling it, confirm with a scan (the wash utility that ships with Reaver lists APs that still advertise WPS in their beacons) rather than trusting the router’s web page. If you need to leave WPS enabled, at least set up MAC address controls on your AP(s). It’s not foolproof, since an attacker can sniff an allowed client’s MAC address off the air and spoof it, but it’s better than nothing! More recent consumer‐grade wireless routers also have intruder lockout for the WPS PIN: if the system detects a run of failed WPS PIN attempts, it will lock out further attempts for a certain period of time, which turns a job of hours into one of days. The best thing to do to prevent WPS attacks in the enterprise is to not use low‐end wireless routers in the first place.
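To make concrete both why Reaver’s brute force is feasible and what intruder lockout buys a defender, here is an added simulation. It is not code from this page, from Reaver or from Reaver Pro. It implements the real WPS PIN checksum and models the split verification of the PIN halves that Reaver exploits; the access point (FakeAP), its PIN, its PSK, the per‐attempt cost and the lockout policy are all constructed assumptions, and no radio is involved.

```python
"""Why Reaver's WPS PIN brute force is feasible, and what intruder lockout buys you.

Added example; it is not code from the page, from Reaver or from Reaver Pro.
It models two properties of WPS: the 8th PIN digit is a checksum of the first
seven, and the registrar exchange (M4/M6) confirms the first four digits before
the last four are ever checked.  FakeAP is a constructed stand-in for an access
point's registrar; no radio is involved.
"""


def wps_checksum(first_seven: int) -> int:
    """Checksum digit appended to the first 7 digits of a WPS PIN."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if the 8-digit PIN carries the right checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def effective_keyspace() -> int:
    """Worst-case guesses: 10^4 for the first half, then 10^3 for the second
    half (its last digit is fixed by the checksum).  Compare 10^8 for a PIN
    that had to be guessed whole."""
    return 10**4 + 10**3


class FakeAP:
    """Registrar stand-in (constructed). Checks the two PIN halves independently,
    which is the design flaw, and if lockout_after > 0 imposes a lockout after
    that many consecutive failures, as newer consumer routers do."""

    def __init__(self, pin: str, psk: str, lockout_after: int = 0, lockout_seconds: float = 60.0):
        assert is_valid_pin(pin), "constructed AP must have a valid PIN"
        self.pin, self.psk = pin, psk
        self.lockout_after, self.lockout_seconds = lockout_after, lockout_seconds
        self.attempts = self.failures = self.lockouts = 0

    def _record(self, ok: bool) -> bool:
        self.attempts += 1
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.lockout_after and self.failures >= self.lockout_after:
                self.lockouts += 1  # attacker now has to wait lockout_seconds
                self.failures = 0
        return ok

    def try_first_half(self, half: str) -> bool:
        """M4: the AP's reply reveals whether digits 1-4 are right."""
        return self._record(half == self.pin[:4])

    def try_second_half(self, half: str) -> bool:
        """M6: the AP's reply reveals whether digits 5-8 are right."""
        return self._record(half == self.pin[4:])

    def reveal_psk(self, pin: str) -> str:
        """M7: with the full PIN confirmed, the AP hands over its WPA PSK."""
        return self.psk if pin == self.pin else ""


def brute_force(ap: FakeAP, seconds_per_attempt: float = 1.5) -> dict:
    """Recover the PIN the way Reaver does: first half, then second half.
    seconds_per_attempt is an assumed average cost of one exchange."""
    first = next(h for h in (f"{i:04d}" for i in range(10_000)) if ap.try_first_half(h))
    second = ""
    for j in range(1_000):
        cand = f"{j:03d}"
        cand += str(wps_checksum(int(first + cand)))  # only valid checksums are tried
        if ap.try_second_half(cand):
            second = cand
            break
    pin = first + second
    return {
        "pin": pin,
        "psk": ap.reveal_psk(pin),
        "attempts": ap.attempts,
        "lockouts": ap.lockouts,
        "estimated_seconds": ap.attempts * seconds_per_attempt + ap.lockouts * ap.lockout_seconds,
    }


if __name__ == "__main__":
    # Constructed target: the valid PIN 12345670 and a made-up PSK.
    for lockout in (0, 10):
        ap = FakeAP("12345670", "example-psk", lockout_after=lockout)
        r = brute_force(ap)
        print(f"lockout_after={lockout}: pin={r['pin']} psk={r['psk']} "
              f"attempts={r['attempts']} lockouts={r['lockouts']} "
              f"~{r['estimated_seconds'] / 3600:.1f} h")
```

Running the script shows the PIN recovered in 1,803 exchanges without lockout, and the same 1,803 exchanges stretched by 179 lockout windows once the AP locks out after ten failures; the worst case for any PIN stays at 11,000 exchanges, which is why the attack is practical at all. The per‐attempt and lockout timings are assumptions to be replaced with what you observe against a real AP.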