
Thread: Defending against WPS attacks


  1. #1
    Junior Member
    Join Date
    Jun 2012
    Posts
    42

    Default Defending against WPS attacks

    After some research and field testing, it's become pretty obvious that WPS is the most dangerous threat to Wi-Fi security, for APs with WPS enabled.

    The most obvious solution is to simply disable WPS. But some routers, most notably Linksys models, don't allow someone to fully disable it.

    Another obvious solution is for vendors to lock down WPS in the firmware. For example, locking WPS for 30 minutes after 10 incorrect PIN attempts, then 60 minutes after another 10, then locking it permanently after another 10. Even just locking WPS for 30-minute intervals after 10 attempts would render most brute-force attacks impractical. The Netgear WNDR3800 I just pentested does lock WPS ... for five minutes, after about 25 incorrect attempts. With tweaked Reaver settings, I cracked it in under 24 hours at about 16 seconds per PIN.

    I just read that Kismet can now detect a flood of WPS traffic, indicating a WPS attack. That's great! But, what can someone do once they've detected an attack? Other than heatmapping the signal from the offending MAC address and attempting to locate the device, is there anything anyone can do to stop an attack in progress, other than take the vulnerable AP offline?

    Any other thoughts on defending against this? Cheers!

    -ternarybit
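    The escalating lockout schedule proposed in the post above, and the five-minutes-per-25-failures behaviour reported for the WNDR3800, can be compared directly by modelling the registrar's lockout as a small state machine. The following is an added example for this thread, not code from the post or from any vendor firmware; the PIN value is constructed, and the figure of 11,000 worst-case guesses is not from the post but follows from the WPS PIN design, in which the two halves of the PIN are confirmed separately (10^4 + 10^3 possibilities).

```python
"""Escalating WPS registrar lockout, modelled as a small state machine.

Added example (not code from the forum post or from any vendor firmware).
It encodes the lockout schedule proposed in the post and the observed
Netgear behaviour, then measures how long an uninterrupted sequence of
wrong PINs would take against each policy.
"""


# A policy maps the number of consecutive failed PIN attempts to the lockout
# it triggers: 0 = no lockout, an int = lockout in seconds, None = permanent.

def proposed_policy(failures: int):
    """Schedule from the post: 30 min after 10 failures, 60 min after 20,
    permanent lock after 30."""
    if failures == 10:
        return 30 * 60
    if failures == 20:
        return 60 * 60
    if failures == 30:
        return None
    return 0


def observed_netgear_policy(failures: int):
    """Behaviour reported for the WNDR3800: about every 25 failures,
    lock for five minutes (the ~25 is taken from the post)."""
    return 5 * 60 if failures % 25 == 0 else 0


class WpsRegistrar:
    """Minimal model of an AP's WPS registrar PIN check with lockout state."""

    def __init__(self, correct_pin: str, policy):
        self.correct_pin = correct_pin
        self.policy = policy
        self.failures = 0       # consecutive failed attempts since last success
        self.locked_until = 0   # time (s) before which PIN attempts are refused
        self.permanent = False  # set once the policy returns None

    def try_pin(self, pin: str, now: int) -> str:
        """Return 'locked', 'ok' or 'fail' for a PIN offered at time `now`."""
        if self.permanent or now < self.locked_until:
            return "locked"
        if pin == self.correct_pin:
            self.failures = 0
            return "ok"
        self.failures += 1
        lock = self.policy(self.failures)
        if lock is None:
            self.permanent = True
        elif lock:
            self.locked_until = now + lock
        return "fail"


def worst_case_seconds(policy, guesses: int, seconds_per_guess: int):
    """Wall-clock seconds needed to submit `guesses` consecutive wrong PINs
    under `policy`, waiting out each lockout; None if the registrar locks
    permanently before all of them are accepted for checking."""
    reg = WpsRegistrar(correct_pin="12345670", policy=policy)  # constructed PIN
    now = 0
    for _ in range(guesses):
        if reg.permanent:
            return None
        now = max(now, reg.locked_until)   # wait out any active lockout
        reg.try_pin("00000000", now)        # always wrong in this measurement
        now += seconds_per_guess
    return now


if __name__ == "__main__":
    # 16 s per PIN is the rate reported in the post; 11,000 is the worst-case
    # guess count implied by the split PIN check (assumption, not from the post).
    for name, policy in [("proposed", proposed_policy),
                         ("observed Netgear", observed_netgear_policy)]:
        t = worst_case_seconds(policy, 11_000, 16)
        if t is None:
            print(f"{name}: permanent lock before the keyspace is exhausted")
        else:
            print(f"{name}: {t / 86400:.1f} days to exhaust the keyspace")
```

    Under the proposed schedule the registrar locks permanently on the 30th wrong PIN, so no amount of waiting completes the search; under the observed five-minutes-per-25 behaviour the full keyspace still takes only a few days at 16 seconds per PIN, which is why a lockout that is short or resets is not a real defence. A registrar that resets `failures` only on a correct PIN, as this model does, is the property that makes the escalation hold.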

  2. #2
    Member
    Join Date
    May 2011
    Location
    Portugal
    Posts
    84

    Default Re: Defending against WPS attacks

    Well, from my point of view, when you start a WPS attack you usually associate with the AP, so what if you use MAC filtering? I know that it's not strong protection, but you can give the attacker a lot more trouble by making him wait for a legit MAC. Just an idea, though.

  3. #3
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    1

    Default Re: Defending against WPS attacks

    Quote Originally Posted by strakar:
    Well, from my point of view, when you start a WPS attack you usually associate with the AP, so what if you use MAC filtering? I know that it's not strong protection, but you can give the attacker a lot more trouble by making him wait for a legit MAC. Just an idea, though.
    I don't think this is a good idea, because all you have to do is sniff the target network and record all MACs. Then you just change your network driver's MAC to one that you recorded before. An example:

    airmon-ng start wlan0 # put the card into monitor mode
    airodump-ng mon0 # see all networks/traffic around you; choose one and use its channel and BSSID in the next command
    airodump-ng -c CHANNELNUMBER --bssid MAC mon0 # now you're sniffing every computer on that network; save all MAC addresses active on it and wait for one to go offline. Then...

    ifconfig wlan0 down
    macchanger -m MACVICTIM wlan0 # macchanger needs the interface as its last argument
    ifconfig wlan0 up

    Now you just connect to that Wi-Fi.

  4. #4
    Junior Member
    Join Date
    Jun 2012
    Posts
    42

    Default Re: Defending against WPS attacks

    That would definitely make things harder for an attacker, but also very hard, if not impossible, for legitimate users, especially on public or mostly-public hotspots. Thanks for the input!

  5. #5
    Member
    Join Date
    May 2011
    Location
    Portugal
    Posts
    84

    Default Re: Defending against WPS attacks

    Well, I'm thinking about the case where you have already "programmed" the AP with the MACs of the users you want to allow access to the network.

  6. #6
    Junior Member
    Join Date
    Jun 2012
    Posts
    42

    Default Re: Defending against WPS attacks

    Sure, good point.

    In the event that, say, I'm running Kismet and pick up a WPS attack coming from a spoofed MAC 00:11:22:33:44:55, what can I do to stop the attack? Is there a way to deny service to that MAC, or do anything else short of physically locating and disabling the attacker?

  7. #7
    Member
    Join Date
    May 2011
    Location
    Portugal
    Posts
    84

    Default Re: Defending against WPS attacks

    I guess the only thing you can do is filter the address 00:11:22:33:44:55 and block its access. But it would change to another, again and again. So allowing only those computers that you want and blocking the rest would be more efficient.

  8. #8
    Good friend of the forums (comaX)
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Defending against WPS attacks

    Uh well, to defend against WPS attacks... why not deactivate the WPS service? It can be done on most routers, and will get rid of that problem. As for the MAC filtering, you block everything but the authorized ones, and that should do it if you want to keep WPS active. Note that spoofing an authorized MAC is easy as pie, though.
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  9. #9
    Junior Member
    Join Date
    Jun 2012
    Posts
    42

    Default Re: Defending against WPS attacks

    Quote Originally Posted by comaX:
    Uh well, to defend against WPS attacks... why not deactivate the WPS service? It can be done on most routers, and will get rid of that problem. As for the MAC filtering, you block everything but the authorized ones, and that should do it if you want to keep WPS active. Note that spoofing an authorized MAC is easy as pie, though.
    Thanks for the input. I did mention that disabling WPS is the obvious solution in my OP; I was just curious if there was anything else available to a defender, assuming their router cannot disable WPS (which is the case with a surprising number, sadly).

  10. #10
    Good friend of the forums (comaX)
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Defending against WPS attacks

    Quote Originally Posted by ternarybit:
    Thanks for the input. I did mention that disabling WPS is the obvious solution in my OP; I was just curious if there was anything else available to a defender, assuming their router cannot disable WPS (which is the case with a surprising number, sadly).
    Guess what? I just jumped THE line saying that... Sorry.
    Running both KDE and GNOME BT5 flawlessly. Thank you !
