This write-up shows two different methods of recovering a router's password by taking
advantage of WPS being enabled by default. The first method is an online attack using Reaver.
Reaver brute-forces the first half of the WPS PIN and then the second half, meaning that
the entire key space for the WPS PIN can be exhausted in 11,000 attempts. Due to the ease
of the attack, router manufacturers fought it off by including rate limiting in the firmware:
after 3-5 failed PIN attempts, the router locks its WPS function. The first attack exploits
the fact that the router unlocks WPS if it is forced to reboot. When this occurs, PIN
cracking can continue until the correct PIN, and ultimately the router's passphrase, is found.

We will be using Kali Linux as the OS for this attack.

A wireless card capable of packet injection must be used to perform such wireless
attacks successfully.
Alfa Awus036NHA

The wireless card must be put into monitor mode so we can scan for networks that have
WPS enabled. The monitor interface mon0 will be brought up.
airmon-ng start wlan0

Using the wash -i mon0 command, we tell Kali to scan for routers in the area with WPS
enabled. It will also tell us whether the access point has locked WPS. The physical (MAC)
address of the router, as well as the channel it resides on, is also given, which is
needed for the attacks.

Upon launching a PIN-cracking attempt with Reaver, the access point in question locks
us out of WPS. Using a script that starts an EAPOL request flood when Reaver detects
rate limiting, we can automatically reboot the router with this denial-of-service
attack and let Reaver continue cracking PINs. EAPOL is the authentication protocol used
in wireless networks.

The screenshot shows the attack defeating the rate-limit detection and continuing to crack
PINs. If the attacker receives a NACK message after the M4 message, then we know the
first half of the PIN generated was incorrect and we should continue.

IMPORTANT TO NOTE: Using a modified version of Reaver, we allow ourselves to flood the
access point with EAPOL requests not just from one interface in monitor mode but from
three. This allows even more packets to be injected into the router, making a forced
reboot and WPS unlock even more likely. MAC addresses are also spoofed automatically to
make this possible.

TRIPLE FLOOD.

WPS PIN INEVITABLY CRACKED AND WIFI PASSWORD DUMPED. No NACK after the M4 message
verified that the first half of the PIN was cracked. It is important to note that the
remaining 4 digits only need a 3-digit PIN to be cracked, as the final 8th digit is a
checksum of the first 4. WPS PIN: 79550000 Password: VULNERABLE
It took around 4 hours. It states 3 seconds because the original screenshot was lost
and I already had the PIN from the 4-hour crack session.
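The two search-space figures quoted above (11,000 attempts total; 1,000 for the second half) both follow from the WPS PIN check digit. As an added example that is not part of the original write-up, the following Python computes that check digit exactly as the Wi-Fi Simple Configuration specification defines it (a weighted sum over all seven preceding digits, not only the first four), validates the two PINs reported on this page, and works out why confirming the halves separately collapses a 10,000,000-PIN space to 11,000. Function names and the sample PINs used in the self-test are this example's own.

```python
# Added example (not the write-up's own code): WPS PIN check digit and the
# resulting search space. The check digit covers all seven preceding digits.


def wps_pin_checksum(first7: int) -> int:
    """Return the check digit for a 7-digit WPS PIN prefix (0..9999999).

    Digits are weighted 3 and 1 alternately, starting with weight 3 at the
    rightmost of the seven digits; the check digit makes the sum a multiple of 10.
    """
    if not 0 <= first7 <= 9_999_999:
        raise ValueError("prefix must be a 7-digit number")
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)  # odd positions (counted from the right) weigh 3
        pin //= 10
        accum += pin % 10        # even positions weigh 1
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is exactly 8 digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def split_search_space() -> dict:
    """Worst-case attempt counts for the PIN space.

    The AP acknowledges the first four digits on their own (a NACK after M4
    means the first half is wrong), so the two halves are searched independently.
    The eighth digit is fixed by the checksum, so the second half has only
    three free digits.
    """
    first_half = 10 ** 4   # digits 1-4
    second_half = 10 ** 3  # digits 5-7; digit 8 follows from the checksum
    return {
        "first_half": first_half,
        "second_half": second_half,
        "split_total": first_half + second_half,      # 11,000 as stated in the write-up
        "unsplit_total": first_half * second_half,    # 10,000,000 if halves were not confirmed separately
    }


if __name__ == "__main__":
    # The two PINs reported in this write-up; both carry a correct check digit.
    for pin in ("79550000", "21407420"):
        print(pin, "valid checksum:", is_valid_wps_pin(pin))
    print(split_search_space())
```

The checksum is the reason a PIN such as 79550000 ends in the digit it does, and the reason the page's "3 digits then a checksum" remark is right even though the check digit actually depends on all seven preceding digits: once the first seven are fixed, the eighth carries no information of its own.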

Second attack: brute-forcing the WPS PIN offline. Broadcom eCos chips use a
pseudo-random number generator that is as pseudo as the name suggests. This tells us
that it is possible to brute-force the actual state of the pseudo-random number
generator.
The following information is known by all WPS-enabled devices:
- the pseudo-random number generator used to make the public keys (g^AB mod p)
- g is the generator, A and B are the private numbers of the Enrollee and Registrar
respectively, and p is a prime
We first need three components that the router spits out, captured via Wireshark during
authentication. Please note that the Registrar is the actual access point, which is
responsible for the keys, and the Enrollee is always the device trying to authenticate
with the router. These are gathered from the M1 and M2 messages:
- N1, the Enrollee nonce
- PKR, the Registrar public key (g^B mod p)
- PKE, the Enrollee public key (g^A mod p)
The fourth component needed is the AuthKey, which is generated from the key
derivation key (KDK).
The final components needed to brute-force the PIN offline are the two hashes
generated in the M3 message:
- E-Hash1 = HMAC(E-S1, PSK1, PKE, PKR)
- E-Hash2 = HMAC(E-S2, PSK2, PKE, PKR)

So we also need E-S1 and E-S2. Once we have those, we can generate the hashes and see
whether they match the hashes in the M3 message. All we do is run through the 11,000
combinations offline, which is done within seconds, if not less than a second. PSK1 and
PSK2 in the hash equations above come from the first half and second half of the
router's PIN. If you plug in the components we already know, you can see how easy it is
to rip through different PINs until the hash matches the original: four PIN digits is
10,000 combinations, plus three PIN digits, which is one thousand combinations.

The original point, though, was to figure out how to get E-S1 and E-S2. Let us start
with the worst. Ralink chipsets don't even have an E-S1 and E-S2; they are set to zero,
so there is literally nothing to brute-force in that respect. Grabbing the Enrollee key,
the AuthKey, and the Enrollee nonce will reveal the PIN, and ultimately the password, of
any router with this vulnerable chipset. Broadcom keeps its E-S1 and E-S2 secret,
therefore brute-forcing the state of the PRNG will reveal them. Realtek chipsets set the
Enrollee nonce equal to E-S1 and E-S2 if the exchange is made in under one second. We
will be taking advantage of a Belkin N450 with a Realtek chipset. Once the needed
information is extracted, it will be fed into the WPS Pixie program and brute-forced to
reveal the router's PIN. That PIN will be fed back into Reaver so we can obtain the
actual Wi-Fi password.

The vulnerable router: Belkin N450

We will fire up a modified Reaver attack on the router. Remember, we need the
information from the M1, M2, and M3 messages. We will also fire up Wireshark to sniff
packets on the mon0 interface. The modified version of Reaver we will use dumps the
AuthKey, the Enrollee nonce, the Enrollee key, and the two hashes. Since we aren't
attacking a Ralink-chipset router, we will also need the Registrar key. Only Wireshark
can capture that information, as Reaver does not have it built in. The only thing to
remember during this process is that, when looking for the packet containing the
Registrar key, the Enrollee nonce must match, or else the wrong keys will be entered
into the WPS Pixie program.
Reaver options used: -i = interface, -b = router's physical address, -c = channel,
-vv = verbose mode

As seen in this screenshot, the M1, M2, and M3 messages are exchanged successfully,
allowing us to stop the attack after only one PIN attempt. The modified version of
Reaver has dumped the AuthKey, E-Nonce, Enrollee public key, and hashes as promised.
Wireshark has captured the M1 and M2 messages as promised, so we can extract the
Registrar key. The Enrollee nonce and Enrollee public key can also be viewed in
Wireshark if needed.

Open up a text editor and copy-paste the AuthKey, the Enrollee nonce, the Enrollee
public key, and the hashes. Then go to Wireshark and hit Ctrl+F. This opens the Find
Packet menu. We will be searching the M2 message for the Registrar public key, as it is
the final piece of the puzzle. Select "String" and "Packet details", and type
"public key". This will search the M2 message for the Registrar key. If the screenshot
is examined closely, it can be seen that I have already found and highlighted the
Enrollee nonce, and it matches the nonce found in Reaver. This verifies that the right
packet is being used and not one from a different PIN transaction.

Registrar public key located and loaded into the text editor. The info is ready to be
moved into the brute-force tool.

WPS Pixie

With the proper information plugged in, the WPS PIN is resolved in less than a second.
PSK1 (the first half of the PIN) and PSK2 (the second half of the PIN) are enumerated.
PIN: 21407420

The last step is to plug the PIN into Reaver. It will resolve the passphrase to the Wi-Fi
without fear of rate limiting. It should take no longer than 5 seconds, as the brunt of
the attack took place offline.
First, we add the PIN to the original Reaver command line with --pin=21407420.

Password cracked: PWNEDROUTER
