Chapter 10. WPS and Probes

"Nothing is new under the sun."

--Popular Saying

This chapter covers the newer techniques for attacking WPS and for probe monitoring, and also covers the Pineapple tool, which makes much of wireless testing a lot easier. These attacks and tools have appeared since the original book was published, so including them keeps our coverage as holistic as possible.

WPS attacks

Wireless Protected Setup (WPS) was introduced in 2006 to let users without wireless knowledge set up secure networks. The idea was that the Wi-Fi device would carry a single hidden, hardcoded value that would grant access without the user having to memorize a key. New devices would be authenticated by pressing a button on the Wi-Fi router. People outside the house with no physical access to the device would be unable to join, which removed the problems of remembering WPA keys or choosing short ones.

In late 2011, a security vulnerability was disclosed that enabled brute force attacks on the WPS authentication system. The traffic required to negotiate a WPS exchange could be spoofed, and the WPS PIN itself is only eight digits from 0-9. To begin with, that gives just 100,000,000 possibilities, compared with the 218,340,105,584,896 combinations of an eight-character password drawn from a-z, A-Z and 0-9.

However, there are further vulnerabilities:

  • Of the eight digits of the WPS PIN, the last is a checksum of the previous seven and is therefore predictable, leaving at most 10,000,000 options
  • In addition, the first four digits and the following three of the remaining seven are verified separately, which means there are only 10^4 + 10^3 options, or 11,000

Through these two design decisions in the authentication mechanism, we have gone from 100,000,000 possible combinations to 11,000. This equates to a difference of around six hours when brute-forcing the PIN. It is these decisions that make attacks against WPS viable.
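To make the keyspace arithmetic above concrete, here is an added Python example (it is not code from the book). It implements the WPS PIN check-digit rule from the WPS specification (a weighted digit sum with weights 3 and 1, completed to a multiple of ten), validates a candidate PIN the way an access point would, and derives the candidate counts for the three cases the text describes. The sample PIN 12345670 is a constructed test value; the function and parameter names are my own.

```python
"""WPS PIN check digit and keyspace arithmetic (added example, not from the book)."""


def wps_pin_checksum(first_seven: int) -> int:
    """Return the 8th (check) digit for a 7-digit WPS PIN body.

    Rule from the WPS specification: walking the digits from the right,
    weight the 7th, 5th, 3rd and 1st digits by 3 and the others by 1,
    sum them, and choose the digit that brings the total to a multiple of 10.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("PIN body must be seven decimal digits")
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """Check a candidate PIN as an AP does: exactly 8 digits and a matching check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def count_valid_pins(limit: int) -> int:
    """Count check-digit-valid PINs among the 8-digit strings 00000000 .. limit-1."""
    return sum(1 for n in range(limit) if is_valid_wps_pin(f"{n:08d}"))


def keyspace(checksum_known: bool = True, halves_checked_separately: bool = True) -> int:
    """Worst-case number of candidates for the three situations described in the text.

    checksum_known:            the 8th digit is derivable, so only 7 digits are free.
    halves_checked_separately: the first four digits are confirmed on their own, so the
                               search is 10^4 for the first half plus 10^(rest) for the
                               remaining free digits, instead of their product.
    """
    free_digits = 7 if checksum_known else 8
    if not halves_checked_separately:
        return 10 ** free_digits
    return 10 ** 4 + 10 ** (free_digits - 4)


if __name__ == "__main__":
    print("check digit for 1234567:", wps_pin_checksum(1234567))        # 0
    print("12345670 valid:", is_valid_wps_pin("12345670"))               # True
    print("12345678 valid:", is_valid_wps_pin("12345678"))               # False
    print("valid PINs among first 10,000 candidates:", count_valid_pins(10_000))  # 1000
    print("no weaknesses       :", keyspace(False, False))               # 100,000,000
    print("check digit known   :", keyspace(True, False))                # 10,000,000
    print("halves checked apart:", keyspace(True, True))                 # 11,000
```

Run the file directly to print the figures. The count over the first 10,000 candidates shows that exactly one in ten eight-digit strings carries a correct check digit, which is the checksum bullet above expressed numerically; the `keyspace` function then shows how verifying the two halves independently turns a product of possibilities into a sum.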

In the next lab exercise, we will go through identifying and attacking vulnerable WPS setups with Wash and Reaver.
