
Attacking Wi-Fi Protected Setup (WPS)

In this module, we delve into the intricacies of WPS, uncovering the common vulnerabilities that plague this technology. From brute-force attacks to more sophisticated exploitation techniques, we will explore how attackers compromise WPS-enabled networks. By understanding these vulnerabilities and their related attacks, you will gain the knowledge necessary to protect your networks and mitigate the risks associated with WPS.


Created by Sentinal
Co-Authors: N1tr0x

Difficulty: Medium | Category: Offensive

Summary

Wi-Fi Protected Setup was originally developed in 2006 as a method to set up networks conveniently for users with little networking knowledge. Although certain defense mechanisms have been built for modern access points to prevent the exploitation of WPS, attack techniques still exist. WPS involves a simple series of messages that allow attackers to easily abuse the algorithm to retrieve the correct PIN and WPA-PSK (password). This module focuses on the components of the EAP message exchange involved in WPS, how they work, and how relevant attacks utilize these as a means for exploitation.

This module is split into the following 5 Chapters:

  1. Introduction
  2. Online PIN Brute Forcing Attacks
  3. Offline PIN Brute Forcing Attacks
  4. Miscellaneous WPS Attacks
  5. Skills Assessment

During this module, we will cover:

  1. How the WPS Algorithm works in-depth
  2. How to conduct WPS reconnaissance
  3. How to brute force the WPS PIN and retrieve the WPA-PSK through different techniques
  4. How to abuse PBC to connect to the WiFi network directly
  5. How to evade common WPS security mechanisms

Upon completion of this module, you should be ready to compromise access points that utilize an insecure WPS configuration and understand the nuances of WPS.

This module is broken into sections with accompanying hands-on exercises to practice the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas. There are no specific WiFi hardware requirements for this module, as Hack The Box manages all necessary resources. You will need to RDP into the provided attacker VM to perform the exercises.

As you work through the module, you will see example commands and command output for the topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts presented in each section. You can do this using the target host provided in the interactive sections.

You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

This module is classified as "Medium" and assumes a working knowledge of Linux systems and network fundamentals. Prior familiarity with the following topics is recommended for successful completion of this module:

Wi-Fi Protected Setup Overview

WPS was originally developed by Cisco in 2006 as a method to enable convenience and ease of use for users with little networking knowledge. Either by pushing a button or by entering a PIN, users are able to connect their devices to their wireless network with minimal effort. Since then, several exploitation tools have been developed with the intent of abusing the PIN. WPS PINs are eight digits long, which makes them significantly easier to crack than a traditional WPA passphrase.

Although convenient, WPS is susceptible to both online and offline PIN cracking. WPS uses a series of EAP messages exchanged between a station (the enrollee) and an access point (the registrar), and that exchange discloses information which both attack methods exploit. Traditional online PIN cracking takes hours to complete, whereas offline PIN cracking can finish in a few minutes when the access point is vulnerable.

WPS uses HMAC-SHA-256, a keyed hash construction that is itself considered secure. However, because of the small number of possible PIN combinations, weak randomness in nonce values, and the information disclosed in the exchange between the access point and the client, these PINs can be cracked relatively quickly, yielding the PSK used for normal WPA communications.

When assessing wireless access points, it is always important to check for WPS vulnerabilities. As such, possessing the skills to test for WPS-related vectors is crucial for all wireless penetration testers.

WPS Connection Methods

There are four methods to connect to a WPS-enabled access point. Each of them is detailed below:

  • Push Button Configuration (PBC): This is the most common method and involves pressing a physical or virtual button on the router and on the client device. Once the button is pressed on both devices, they automatically exchange the information needed to establish a secure connection.
  • PIN Entry: Each WPS-enabled device has an 8-digit PIN code, either provided by the manufacturer or displayed on the device. Users enter this PIN on their router or access point's configuration page to connect the device to the network.
  • Near-Field Communication (NFC): Some devices support NFC, allowing users to tap the device on the router to establish a connection. This method is less common but offers an additional level of convenience.
  • USB Flash Drive: Involves transferring configuration settings via a USB drive from the router to the client device. This method is rarely used because it is less convenient than the other methods.

Benefits of WPS

  • Ease of Use: Simplifies the process of adding new devices to a wireless network, making it accessible even for non-technical users.
  • Convenience: Eliminates the need to remember or enter long and complex passwords.

Security Concerns

While WPS was designed to make network connections simpler, it has notable security vulnerabilities:

  • PIN Method Vulnerability: The 8-digit PIN can be cracked relatively easily through brute-force attacks due to the way the protocol verifies the PIN in two halves.
  • Physical Security Risks: The PBC method relies on physical security, meaning an unauthorized person within range could potentially push the button and connect to the network.
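To make the "two halves" point concrete, the following script is an added example (not part of the HTB module or its lab) that models the structure of a WPS PIN. It assumes two details from the WPS specification that the text above does not spell out: the eighth digit is a checksum computed from the first seven, and the registrar confirms the first four digits on their own before the remaining digits are checked. The script computes that checksum, validates a PIN, and compares the worst-case number of online guesses under each model, which is the number a defender should have in mind when deciding whether to leave PIN entry enabled.

```python
"""Why an 8-digit WPS PIN is much weaker than its length suggests.

Added example, not code from the HTB module. It relies on two details of
the WPS specification (assumptions relative to the page text):
  * the 8th digit is a checksum over the first seven, so only 10**7 of the
    10**8 eight-digit strings are valid PINs; and
  * the registrar confirms the first four digits before the last four are
    checked (the "two halves" verification described on the page).
"""


def wps_checksum_digit(first_seven: int) -> int:
    """Return the checksum digit the WPS spec appends to a 7-digit prefix.

    Digits are weighted 3, 1, 3, 1, ... starting from the rightmost digit of
    the prefix; the checksum makes the weighted sum a multiple of ten.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("prefix must be at most seven decimal digits")
    accum = 0
    remaining = first_seven
    while remaining:
        accum += 3 * (remaining % 10)  # odd positions from the right weigh 3
        remaining //= 10
        accum += remaining % 10        # even positions from the right weigh 1
        remaining //= 10
    return (10 - accum % 10) % 10


def complete_pin(first_seven: int) -> str:
    """Build the full, zero-padded 8-digit PIN for a 7-digit prefix."""
    return f"{first_seven:07d}{wps_checksum_digit(first_seven)}"


def is_valid_wps_pin(pin: str) -> bool:
    """True when pin is eight digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum_digit(int(pin[:7])) == int(pin[7])


def worst_case_attempts() -> dict:
    """Upper bound on guesses an online brute force needs under each model."""
    return {
        # all eight digits free and verified together (what "8 digits" suggests)
        "naive": 10 ** 8,
        # checksum digit is derived from the others, so it is not a free choice
        "checksum_only": 10 ** 7,
        # first half (4 digits) confirmed on its own, then 3 free digits + checksum
        "split_halves": 10 ** 4 + 10 ** 3,
    }


if __name__ == "__main__":
    # "12345670" is a constructed sample PIN: prefix 1234567 has checksum 0.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("12345678 valid:", is_valid_wps_pin("12345678"))
    for model, attempts in worst_case_attempts().items():
        print(f"{model:>14}: {attempts:>12,} guesses in the worst case")
```

The split-halves figure is the one that matters: an attacker who can observe the registrar's reply after the first half never needs more than 11,000 guesses, which is why online cracking is a matter of hours rather than years, and why disabling PIN entry (or rate-limiting and lockout, as later sections discuss) is the relevant mitigation.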

Wi-Fi Protected Setup provides an easy way to connect devices to a Wi-Fi network, but it comes with significant security risks, especially with the PIN method. Understanding these risks and taking steps to mitigate them, such as disabling WPS and using robust security protocols, can help protect your network.

Note: After spawning, please wait 3-4 minutes before connecting to the target(s).


Relevant Paths

This module progresses you towards the following Paths

Wi-Fi Penetration Tester

The Wi-Fi Penetration Tester Job Role Path is designed for professionals and aspiring security practitioners who want to build expertise in assessing and securing corporate wireless networks. The course provides hands-on training in evaluating the security of Wi-Fi environments, from attacking modern authentication and encryption protocols to simulating real-world attack scenarios such as rogue access points, man-in-the-middle attacks, and credential harvesting. Students will gain practical experience with industry-standard tools and methodologies, learning how to identify vulnerabilities, exploit misconfigurations, and recommend effective countermeasures. By the end of this Path, participants will be equipped with the knowledge and skills required to perform authorized Wi-Fi penetration tests and strengthen the wireless security posture of enterprise environments.
