WPS Vulnerability

[Dudeman02379]

Although this isn't directly backtrack related I thought this would probably be interesting to alot of people on this forum. There has been a tool called 'Reaver' released that takes advantage of a vulnerability in WPS. This can lead to much easier WPA cracking.

http://threatpost.com/en_us/blogs/at...ability-122911

https://code.google.com/p/reaver-wps/

[Scamentology]

I have been working on this for a couple of days now. I got reaver functioning but am unable to get it to associate with the AP even though I can successfully assc with aireplay-ng.

I don't think this attack will be that dangerous but time will tell. I disabled WPS immediately after setting up my AP a long time ago. Something does seem dumb about this. How do you make your network safer by putting up another door for hackers to knock on?

Although this isn't directly backtrack related I thought this would probably be interesting to alot of people on this forum. There has been a tool called 'Reaver' released that takes advantage of a vulnerability in WPS. This can lead to much easier WPA cracking.

http://threatpost.com/en_us/blogs/at...ability-122911

https://code.google.com/p/reaver-wps/

[Barry]

How many attempts per second are you getting? I'm only getting one attempt every two seconds on my 2ghz core 2 duo.

[DeadlyFoez]

There was an update to fix the unable to associate bug. Download the latest svn and compile. It is working for me after updating.

I am getting 1 attempt every 17-25 seconds. I think a lot of it depends on the router you are trying to crack. Apparently my router is limiting how fast someone/something can do an attempt.

[Scamentology]

That was helpful thanks. I have heard it goes as high as 4 tries per second, the bottleneck is the cpu of the AP and the speed depends if it has a lockout function.

I believe this vulnerability also has DOS potential.

There was an update to fix the unable to associate bug. Download the latest svn and compile. It is working for me after updating.

I am getting 1 attempt every 17-25 seconds. I think a lot of it depends on the router you are trying to crack. Apparently my router is limiting how fast someone/something can do an attempt.

[Barry]

Well after about 5 hours it got my test access point key, which is my actual home network key, just on a test access point.... The funny/not-funny part is wps isn't even enabled on the router, at least not according to the gui. Stupid linksys... Oh well, it's been replaced anyway, by a better router with dd-wrt, now it's just a test router, extra when family come by.

[TAPE]

Scary to hear it got an AP that didnt have WPS activated !
I just did a quick test run on my home router and it appears to
block / not respond after a while.

Will have to do a longer scale test after NY on both test and home router..

Would be interesting to see what results are obtained on what types of routers...
I will post my results when completed after 02-01

[Dudeman02379]

Wow now that is interesting. I will have to do some testing on my own gear to see if I have any similar results.

[Barry]

Hey guys, try this. Set your target AP to do mac authentication, then spoof the correct mac. Now see if reaver ever associates. Mine doesn't.

[Scamentology]

I set up an att modem (2wire) for a friend the other day. WPS was disabled by default and the router is not responding to the brute force. I haven't checked the firmware version yet but assume vendors are making changes already. also having issues with N only APs.

I re-compiled from the SVN and I still am having authentication issues with the ath9k drivers. if I manually run fakeauth, reaver starts spitting out keys.

Don't forget these fun tools
http://www.sourcesec.com/2009/05/09/wpscan-wpspy-tools/

Trying to work these into a larger attack.