Summary
Wi-Fi Protected Setup was originally developed in 2006 as a method to set up networks conveniently for users with little networking knowledge. Although certain defense mechanisms have been built for modern access points to prevent the exploitation of WPS, attack techniques still exist. WPS involves a simple series of messages that allow attackers to easily abuse the algorithm to retrieve the correct PIN and WPA-PSK (password). This module focuses on the components of the EAP message exchange involved in WPS, how they work, and how relevant attacks utilize these as a means for exploitation.
This module is split into the following 5 Chapters:
- Introduction
- Online PIN Brute Forcing Attacks
- Offline PIN Brute Forcing Attacks
- Miscellaneous WPS Attacks
- Skills Assessment
During this module, we will cover:
- How the WPS Algorithm works in-depth
- How to conduct WPS reconnaissance
- How to brute force the WPS PIN and retrieve the WPA-PSK through different techniques
- How to abuse PBC to connect to the WiFi network directly
- How to evade common WPS security mechanisms
Upon completion of this module, you should be ready to compromise access points that utilize an insecure WPS configuration and understand the nuances of WPS.
This module is broken into sections with accompanying hands-on exercises to practice the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas. There are no specific WiFi hardware requirements for this module, as Hack The Box manages all necessary resources. You will need to RDP into the provided attacker VM to perform the exercises.
As you work through the module, you will see example commands and command output for the topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts presented in each section. You can do this using the target host provided in the interactive sections.
You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
This module is classified as "Medium" and assumes a working knowledge of Linux systems and network fundamentals. Prior familiarity with the following topics is recommended for successful completion of this module:
Wi-Fi Protected Setup Overview
WPS was originally developed by Cisco in 2006 as a method to enable convenience and ease of use for users with little networking knowledge. Either through the push of a button or the entry of a PIN, users are able to easily connect their devices to their wireless network. Since then, multiple exploitation tools have been developed with the intent to abuse the PIN. WPS PINs are eight digits in length, making them significantly easier to crack than traditional WPA passphrases.
Although convenient, WPS is susceptible to both online and offline PIN cracking methods. WPS utilizes a series of EAP messages exchanged between a station (enrollee) and an access point (registrar). During this exchange, valuable information is disclosed, and that information is what these attack methods exploit. While traditional online PIN cracking takes hours to complete, offline PIN cracking can be as quick as a few minutes when the access point is vulnerable.
WPS utilizes HMAC-SHA-256, a keyed hash construction that is considered secure in itself. However, due to the small number of possible PIN combinations, the lack of randomness in nonce values on some implementations, and the information disclosed in the communications between the access point and the client, we are able to crack these PINs relatively quickly and retrieve the PSK used for normal WPA communications.
When assessing wireless access points, it is always important to check for WPS vulnerabilities. As such, possessing the skills to test for WPS-related vectors is crucial for all wireless penetration testers.
WPS Connection Methods
There are four methods to connect to a WPS-enabled access point. Each of them is detailed below:
| Method | Description |
|---|---|
| Push Button Configuration (PBC) | This is the most common method and involves pressing a physical or virtual button on the router and the client device. Once the button is pressed on both devices, they automatically exchange the necessary information to establish a secure connection. |
| PIN Entry | Each WPS-enabled device has an 8-digit PIN code, either provided by the manufacturer or displayed on the device. Users enter this PIN on their router or access point's configuration page to connect the device to the network. |
| Near-field communication (NFC) | Some devices support NFC, allowing users to tap the device on the router to establish a connection. This method is less common but offers an additional level of convenience. |
| USB Flash Drive | Involves transferring configuration settings via a USB drive from the router to the client device. This method is rarely used due to the inconvenience compared to other methods. |
Benefits of WPS
- Ease of Use: Simplifies the process of adding new devices to a wireless network, making it accessible even for non-technical users.
- Convenience: Eliminates the need to remember or enter long and complex passwords.
Security Concerns
While WPS was designed to make network connections simpler, it has notable security vulnerabilities:
- PIN Method Vulnerability: The 8-digit PIN can be cracked relatively easily through brute-force attacks due to the way the protocol verifies the PIN in two halves.
- Physical Security Risks: The PBC method relies on physical security, meaning an unauthorized person within range could potentially push the button and connect to the network.
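To make the "two halves" point concrete, the following is an added example written for this overview (not code from the module or from Hack The Box). It implements the checksum digit the WPS specification derives from the first seven PIN digits, counts the resulting search space, and simulates the effect of a registrar that confirms each half separately against a constructed PIN ("12345670", the commonly cited example value) using a local toy oracle. The oracle and the recovery routine are simplifications for illustration; they stand in for the M4/M6 message behaviour rather than reproduce it.

```python
"""Why the WPS PIN is weak: a checksum digit plus half-by-half verification.

Constructed illustration for this module overview; the PIN and the oracle are
local stand-ins, not captured from any access point.
"""
from typing import Callable, Tuple


def wps_checksum(first_seven: str) -> int:
    """Checksum digit defined by the WPS spec for a 7-digit PIN body.

    Digits in odd positions (1st, 3rd, 5th, 7th) are weighted 3, digits in
    even positions weighted 1; the checksum makes the weighted sum a multiple
    of ten. Because the 8th digit is derived, it adds no entropy.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    accum = 0
    for i, ch in enumerate(first_seven):
        weight = 3 if i % 2 == 0 else 1
        accum += weight * int(ch)
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if the 8-digit PIN ends with the correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(pin[:7]) == int(pin[7])


def pin_search_space(split_verification: bool) -> int:
    """Worst-case number of guesses to cover every valid PIN.

    Verified as one unit: 7 free digits (the 8th is the checksum) -> 10^7.
    Verified half by half: 4 free digits, then 3 free digits plus the derived
    checksum -> 10^4 + 10^3. This is why the module calls the PIN method weak.
    """
    if not split_verification:
        return 10 ** 7
    return 10 ** 4 + 10 ** 3


def make_half_oracle(secret_pin: str) -> Callable[[str], Tuple[bool, bool]]:
    """Toy registrar: reports the first and second half separately (constructed)."""
    if not is_valid_wps_pin(secret_pin):
        raise ValueError("secret PIN must be a valid WPS PIN")

    def oracle(guess: str) -> Tuple[bool, bool]:
        return guess[:4] == secret_pin[:4], guess[4:] == secret_pin[4:]

    return oracle


def guesses_to_recover(oracle: Callable[[str], Tuple[bool, bool]]) -> Tuple[str, int]:
    """Count guesses a half-wise oracle needs before the full PIN is known.

    Returns (recovered_pin, number_of_guesses). The second loop only tries
    valid PINs, i.e. it derives the checksum instead of guessing it.
    """
    guesses = 0
    first_half = None
    for i in range(10 ** 4):
        candidate = f"{i:04d}"
        guesses += 1
        first_ok, _ = oracle(candidate + "0000")
        if first_ok:
            first_half = candidate
            break
    if first_half is None:
        raise RuntimeError("oracle never confirmed a first half")
    for j in range(10 ** 3):
        body = first_half + f"{j:03d}"
        candidate = body + str(wps_checksum(body))
        guesses += 1
        first_ok, second_ok = oracle(candidate)
        if first_ok and second_ok:
            return candidate, guesses
    raise RuntimeError("oracle never confirmed a second half")


if __name__ == "__main__":
    print("checksum for 1234567:", wps_checksum("1234567"))
    print("search space, single check:", pin_search_space(False))
    print("search space, split check:", pin_search_space(True))
    pin, n = guesses_to_recover(make_half_oracle("12345670"))
    print(f"toy oracle gave up {pin} after {n} guesses")
```

The numbers returned by `pin_search_space` are the reason the mitigations listed below (disabling WPS, or at least rate limiting and lockout on failed PIN attempts) matter: a design that confirmed the whole PIN at once would leave ten million candidates, whereas confirming halves leaves eleven thousand.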
Wi-Fi Protected Setup provides an easy way to connect devices to a Wi-Fi network, but it comes with significant security risks, especially with the PIN method. Understanding these risks and taking steps to mitigate them, such as disabling WPS and using robust security protocols, can help protect your network.
Note: After spawning, please wait 3-4 minutes before connecting to the target(s).