NYIT

Spring 2015

Homework No: Midterm Project

Title: Wireless Protected Setup

Name:
Class ID#:
School ID#:

Feingold, Aaron
23
0204787

Name:
Class ID#:

Seaman, Shawn
26

Course:
Course ID:
Date:

Intrusion Detection and . . . .

INCS-745
4/14/2015

Assignments Content
1. Paper..

2. Slides .

11

Aaron Feingold
Shawn Seaman
INCS-745: Hacker Exploits & Intrusion Detection

Wireless Protected Setup:

Security Sacrificed for Usability
EXECUTIVE SUMMARY
Wireless Protected Setup, or WPS, is a protocol that allows unskilled users to easily add
devices to a WPA2-secured wireless network. The user is not required to configure passwords
or choose an encryption algorithm.
The 8-digit PIN at the heart of in-band WPS is inherently insecure. Rather than evaluating the
entire PIN at once, the pin is broken down into three segments. The first four digits are
evaluated first, followed by the next three digits. The final digit is simply a checksum used to
validate the PIN. This reduces the number of possible PINs from one hundred million to a
mere eleven thousand. A brute force attack against such a small keyspace is trivial.
We successfully used a number of variations of this exploit to break security on several
different wireless routers. All were secured with WPA2. None of the wireless devices we
tested resisted our attacks.
OVERVIEW OF WPS: EXTERNAL REGISTRAR
WPS is a user-friendly authentication protocol for encrypted wireless networks, which consists
of three mechanisms: Push-button-connect, PIN with internal registrar, and PIN with external
registrar. [Wi-Fi Alliance, 2006] We are concerned only with the external registrar.
The external registrar method uses an eight-digit PIN in decimal notation, which is stored in
the router's firmware and printed on the bottom of the router. The user enters the PIN on their
device, and it is automatically added to the network. This PIN is broken down as follows:
The first 4 digits form a discrete initial pin.
The second 3 digits form a discrete secondary PIN.
The third digit is a checksum calculated from the first seven digits. This is used only
for error correction, and adds nothing in terms of security.
Digit:

2
3
4
Initial M4 M5 PIN
4 digits

5
6
7
Second M6 M7 PIN
3 digits

8
Checksum

The two PINs are evaluated separately, as shown. If, at any point, an EAP-NACK message is
received, it means that the PIN number is incorrect.

If, at any point, an EAP-NACK message is received, it means that the PIN number was
incorrect. Depending on the timing of the EAP-NACK, we can determine which part of the
PIN was wrong. If an EAP-NACK was received in response to message M4, it means that the
first part of the PIN was incorrect. If an EAP-NACK was received after sending M6, we can
conclude that the first part of the PIN is correct, and the second part is wrong.

BRUTE FORCE ATTACK: THE CORE VULNERABILITY

At first glance, WPS appears to be quite resistant to brute force attacks. 8 decimal digits gives
us 108 = 100,000,000 possible combinations. Assuming (optimistically) that we can test one
PIN per second, it would take over 3 years to brute force the combination. In practice, we
were usually able to test one PIN every 6 seconds. This means it would take over 18 years to
try every combination. We could expect the attack to succeed in an average of 9 years. By
that time, the wireless network we are attacking may no longer be operational. While this is
by no means strong cryptography, it may be considered acceptable.
Unfortunately, the PIN length is deceptive. In 2011, a vulnerability was noticed in WPS, by a
security researcher named Stefan Viehbck. Because the two segments of the PIN are
validated separately, it is possible to brute force each one independently. [Viehbck, 2011]
The first segment of the PIN has 4 decimal digits. 104 = 10,000. The second segment has 3
decimal digits. 103 = 1000. By first isolating and breaking the first segment, and then
proceeding to the second segment, we can brute force the PIN by traversing a keyspace of
only 11,000 possible combinations. It is now possible to brute force the PIN in several hours,
rather than several years.
Simple modifications to the behavior of our WPS software are all that is required to
implement the attack:

The brute force attack is performed as follows:

Step 1: Place the wireless card in monitor mode. Interface mon0 will be enabled.

airmon-ng start wlan0

Step 2: Scan for vulnerable wireless routers using the wash utility. This software ships with
Kali Linux by default.

wash -i mon0

Note: If you get an error Found packet with bad FCS, skipping... you will need to set the
--ignore-fcs flag:
wash -i mon0 -ignore-fcs
The target should have the field WPS Locked set to No.
Make a note of the target's BSSID.

Step 3: Use Reaver with the following options:

reaver -i mon0 -c 6 -b [BSSID] vv

In this case, it took 18 hours and 12 minutes to obtain the PIN. That gave us all the other
wireless configuration data, including the wifi password.1
The reason this took as long as it did was due to a lock-down setting designed to mitigate WPS
attacks. After every 16 attempts, the router shut down WPS for 5 minutes.
Even with this limitation, it was not difficult to break WPS.
LOCK-DOWN: RATE-LIMITING MITIGATION & THE ROUTER RESET
In the initial paper which revealed the WPS brute force attack, it is suggested that
manufacturers implement a lock down period after a number of incorrect PIN guesses. It is
estimated that locking WPS for 60 minutes following 5 incorrect guesses would increase the
maximum attack time to about 92 days. [Viehbck, 2011] This would give us an average
attack time of 46 days.
Of course, locking down WPS for an hour while a legitimate (if unskilled) user is attempting
to set it up is a problem. The entire point of WPS is to allow untrained users to configure
wireless networks easily. So manufacturers have tended toward less restrictive lock down
policies.
Unless addressed, lock-down policies can significantly slow down a WPS brute force attack.
There is a way around this. It turns out that many routers will reset if subjected to an EAPOL
packet flood. Because the PIN is stored in the router's firmware, it is not altered when the
router resets. By reseting the router, we can remove the lockdown policy. We can then
continue testing PINs immediately.
1

Please note: The MAC address and other details of the router used in the initial brute force test have been
redacted at the request of the organization that was kind enough to loan one of their wireless routers for this
project.

MD3K is a tool capable of producing this type of EAPOL flood. [Smeat, 2013] Reaver, our
WPS tool, can be modified to unleash MD3K automatically upon detecting a lockdown (or, as
Reaver calls it, rate limiting.)
Due to the EAPOL flood, the router resets, and we now have
less than one minute of downtime when rate-limiting is
engaged.
EAPOL flooding reduced the time of our attack to
approximately 4 hours. We retrieved the WPS PIN, the WPA
password, and the SSID.
THE PIXIE DUST ATTACK: EXPLOITING A PRNG VULNERABILITY
There is one additional vulnerability which has been demonstrated in certain implementations
of WPS. Weak pseudo-random number generators are used in AP chipsets manufactured by
Broadcom, Ralink, and RealTek.
This allows us to perform a brute-force attack against the same 11,000 candidate PINs offline.
This is an offline attack. We do not need to wait for the router on each attempt, and we can
therefore attain much higher speeds. In our tests, this attack completes in less than one
second.

We will need the following data to begin the Pixie Dust PRNG attack:

Obtained by sniffing network traffic (use WireShark):

o PKR Public Key
Obtained from WPS using Reaver:
o E-Hash1
o E-Hash2
o N1 Enrollee Nonce
o PKE Public Key
Generated from the Key Derivation Key:
o Authkey

Some of this information can be obtained from more than one source.
Once we have gathered our data, we use a tool called Pixiewps to perform the off-line attack.
[Wiire, 2015] This tool will return the WPS PIN. We then feed the PIN into Reaver, which
returns all the wireless configuration information, including the password.
The real vulnerability here is the fact that we can get E-S1 and E-S2, such that:
E-Hash1= HMAC (E-S1, PSK1, PKE, PKR)
E-Hash2= HMAC (E-S2, PSK2, PKE, PKR)
Ralink chipsets set E-S1 = 0 and E-S2 = 0. This is so weak, it can't even properly be called a
pseudo-random number generator. There is nothing there to break.
In the event that the transaction takes less than one second, Realtek chipsets assign the same
value to E-S1, E-S2, and N1 Enrollee Nonce. Because we can sniff the value of the Nonce,
we have the value of E-S1, and E-S2.
Broadcom at least uses a PRNG, but it is very weak. It is not difficult to brute force the state
of the Broadcom PRNG, and calculate E-S1 and E-S2 from that state.
Though the weak PRNG is not a flaw in the design of the protocol itself, it is an informative
example of the way poor implementation can introduce new vulnerabilities.
MULTIPLE MAC SPOOFING: AN OPTIONAL OPTIMIZATION
When attacking wireless networks that do not have a lockdown policy in place, it is possible to
spoof the last digit of your MAC address so that your requests appear to come from multiple
different sources at once.
In this way, you can speed up the attack by having multiple simultaneous instances running at
the same time. [Heffner, 2013]

10

While this was an effective technique several years ago, it can backfire by causing rate
limiting lock-down policies to engage more quickly and more often. We did not find this
technique to be of much use against current wireless routers.
OUR PLATFORM: HARDWARE AND SOFTWARE USED IN OUR TESTS
We used virtualized copies of Kali Linux on two laptops to launch our attacks. On the first
laptop, we used VMware Player 7.0.0, with Windows 8.1 as the host OS. The other laptop
used VirtualBox, running on top of Windows 8. Both systems worked well in our tests. We
did not observe any significant difference between VirtualBox and VMware Player for this
application.
We required wireless adapters capable of packet injection and monitor mode. Neither laptop
had such capabilities pre-installed. Therefore, we used USB wireless adapters which did have
those capabilities. We tested two adapters from Alfa Networks: The AWUS036NH and the
AWUS036NHA. We noticed no performance difference between the two cards, but it should
be noted that the AWUS036NHA has an Atheros chipset, and AWUS036NH appears to have a
chipset produced by Ralink.
We did notice a significant increase in range when we tested different antennas. Surprisingly,
there was not much difference between the 5dBi and the 9dBi omni-directional antennas.
There was a significant improvement when using the 7dBi directional antenna, though only
when it was positioned correctly.
CONCLUSIONS AND RECOMMENDATIONS
We have determined that WPS in-band configuration is hopelessly insecure. The keyspace is
just too small to be useful for security. If WPS is enabled, a determined attacker will get
inside the system. The attacker's success is inevitable.
Repeated attempts by WAP manufacturers to mitigate the weakness at the heart of of the
external register mechanism have failed. Rate limiting makes the attack take days, rather than
hours, and it can be bypassed by EAPOL flooding.
Though the PRNG issues could be resolved easily, there is no clear fix for the brute force
attacks. WAPs which do not have a known PRNG vulnerability still fall to the brute force
attack.
It is therefore our recommendation that WPS should be disabled wherever and whenever it is
encountered.

11

WORKS CITED
Viehbck, Stefan (2011-12-26). "Brute forcing Wi-Fi Protected Setup" (PDF).
https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
Wi-Fi Alliance (December 2006). Wi-Fi Protected Setup Specification Version 1 .0h. (PDF).
http://cfile28.uf.tistory.com/attach/16132E3C50FCFFCB3EC74E
Smeat, (2013). md3k, , GitHub repository, https://github.com/Smeat/md3k
Wiire, (2015). Pixiewps, GitHub repository, https://github.com/wiire/pixiewps
Heffner, Craig (2013). MAC Address last character changer to speed up the attack, GitHub
repository, https://github.com/chrsmithdemos/reaver-wps/issues/258

12

SLIDES BEGIN HERE!

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41