WiFi is popular. People have such a network at home. ISP supply their bandwidth through WiFi and in many public places – like airports, trains, bars, hotels – WiFi service is available. This post is the third in a series of discussing WiFi vulnerabilities. Earlier post were:
Anyone can read this post but in case you want to try it yourself you have to have a Linux computer with a wireless adapter in monitor mode, as described in detail in the two previous posts.
If you are a journalist in the broad sense of the word (which includes bloggers etc) in some countries (like The Netherlands) you are allowed to attack an important public network if your intention is to expose a vulnerability. Getting in is quite something else than poking around and copying and editing stuff.
In all other cases it is forbidden, unless explicitly allowed by the owner, to try to get into somebody else’s network. As my neighbors do not classify as administrators of important public networks I decided to attack my own WiFi.
Criminals, law-enforcement officers and all kinds of secret agents (like NSA, FBI, CIA and HLS) are not - or do not feel – bound by these restrictions. The purpose of this post is to show you how they can crack your wireless network, so you can protect yourself against them if you wish.
The PIN code of the WPS protocol is 8 digits long, of which the last digit is a parity digit. The WPS protocol is quite stupid in separating the 7 independent digits into two parts. The first part consist of the first 4 digits (10000 combinations) and the last part of the remaining three digits (1000 combinations). Now it comes: every attempt from a wireless adapter with a wrong PIN will get as answer from the WPS-enabled Access Point (AP) confirmation information about the first part and about second part of the PIN separately. As a result after only 11000 tries the correct pin will have been found. In practice this might occur much earlier. After the AP is interrogated with the correct PIN it will acknowledges the correctness and release the password to the wireless adapter.
The US company Tactical Network Solutions has released a downloadable Linux open-source software package, called reaver, that attacks APs by trying all PINS. So download the reaver package from the web to your Linux computer and install it.
After you have installed the reaver package there are two commands relevant (i) wash and (ii) reaver. We will first run wash, as that program will tells us what WiFi APs in your neighborhood can be attacked, that is that are within range and have WPS enabled.
So run wash on the monitor interface (wireless in monitor mode please).
wash -i mon0
To protect my neighbors I have changed those entries that could identify them.
Let us attack my own router. That is to say I want to discover the password of the router SitecomB0994C without ever physically touching the router or reading any of its labels. Nor did I navigate a browser to ip-address 192.168.0.1 with my laptop connected to this router. That all would be cheating. I just pretended to be my neighbor and analyzed the frames sent by my router.
The program reaver has a number of switches (just run reaver without any switches and you will get all the switches).
In my particular case I ran
reaver -i mon0 -b 00:0C:F6:B0:99:4C -vv -c 11
Reaver requires a little tuning because APs migh have different latency times. My AP (Sitecom router) could handle a PIN try every 2 seconds. After 10000 seconds my pin was cracked and the password was shown.
Here I will show the first part of the attack.
On the internet there are quite a number of complaints about getting reaver to work. For that reason I publish the whole attack for those interested (text file of 0.6MB). The only thing I changed was that I removed my password as I still want to use my Sitecom router. As I have published this I had to change my PIN. I should be careful because if I would reset my router to default the old PIN – the one the whole world now knows, will be effective again.
The biggest limitation in attacking WPS-enabled routers is that the cheap wireless adapters hardly radiate any power. For two reasons: (i) the adapter would be more expensive and (ii) the adapter would consume more power at the cost of your battery life. In practice you have with your wireless adapter to be quite close to the source (AP). This can be acomplished by going very close to your neighbor. Attacking is easier when you go to places where the public is allowed and you can hang around for a few hours, like hospitals, city halls, media studio’s, schools (to up your grades) and trains.
For professionals the limit of small signals can easily be overcome. All you need is a high-power wireless adapter or an amplifier. Tactical Network Solutions sells such professional kits and they sell mproved software. If you are in the US military or are friends with them you can buy military grade wlan amplifiers. I am sure criminals and people in “evil” countries can get hold of them as well. Equipped with such amplified system the only thing the bad guys have to do is to park a van in front of your house, or go inside a public building and within two hours they cracked the wifi.