WPS
WPS Theory
The WPS (Wi-Fi Protected Setup) protocol is designed to make it easier to set up and secure a wireless network. It simplifies the process of configuring a wireless network by allowing users to set up a secure wireless network without the need for complex passwords or network configuration settings.
WPS works by allowing devices to securely connect to a wireless network without the need for a password. The protocol works in two modes: the push-button mode and the PIN mode.
In push-button mode, the user presses the WPS button on the wireless router, which initiates a 2-minute window during which other devices can join the network without entering a password. The user then presses the WPS button on their device, and the device is automatically configured to connect to the network.
In PIN mode, the user enters a unique 8-digit PIN code that is generated by the wireless router into their device's wireless settings. The router then authenticates the PIN code, and if it is correct, the device is granted access to the network.
It is important to note that WPS has been found to have security vulnerabilities, particularly in its PIN mode. As a result, it is recommended that users disable WPS on their routers and devices and use more secure methods for setting up and configuring wireless networks, such as WPA2 encryption and strong passwords.
WPS Practical
Identify WPS networks
# Identify nearby networks with WPS enabled using wash (ships with the reaver toolkit); mon0 is a wireless interface already in monitor mode
wash -i mon0
Brute force attack
In PIN mode, an attacker can use brute force attacks to guess the 8-digit PIN. Since there are only 10^8 possible combinations, a determined attacker can crack the PIN in a relatively short amount of time.
Reaver
Reaver is a tool that exploits an implementation weakness in the WPS protocol to recover the PIN in a matter of hours or even minutes. Brute forcing a full 8-digit PIN would mean 10 to the 8th power (10 x 10 x 10 x 10 x 10 x 10 x 10 x 10) possibilities. Because the eighth digit is a checksum, the number of possibilities drops to 10 to the 7th power, about 10,000,000, which still takes a relatively long time. Fortunately for us, the implementation verifies the PIN in two pieces, the first 4 digits and the following 3 digits (the eighth is derived from them), and the router's response reveals whether the first 4 digits were correct on their own. As a result, we only need to crack the first half with 10 to the 4th power, or 10,000, possibilities and then the second half with 10 to the 3rd power, or 1,000, possibilities. This means that to crack the PIN on these devices we only need to try 11,000 possibilities.
https://github.com/t6x/reaver-wps-fork-t6x
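Added example (not from the original notes or the reaver project): the WPS PIN check-digit calculation from the Wi-Fi Simple Configuration specification, and the search-space arithmetic behind the 11,000 figure above. Assumes Python 3; the PIN 12345670 is a constructed value that happens to pass the checksum.

```python
"""WPS PIN check digit and the brute-force search-space arithmetic.

Added example, not part of the original notes.  The checksum is the one
defined in the Wi-Fi Simple Configuration specification.
"""


def wps_checksum(first7: int) -> int:
    """Return the 8th (check) digit for the leading 7 digits of a WPS PIN."""
    if not 0 <= first7 <= 9_999_999:
        raise ValueError("first7 must be the leading 7 digits as an integer")
    accum, n = 0, first7
    while n:
        accum += 3 * (n % 10)   # digits in odd positions (from the right) weigh 3
        n //= 10
        accum += n % 10         # digits in even positions weigh 1
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries the correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def pin_search_space(halves_verified_separately: bool) -> int:
    """Worst-case number of PIN guesses.

    With only the check digit, 10**7 PINs remain valid.  When the router
    confirms the first 4 digits before the rest is checked, each half is
    guessed on its own: 10**4 for the first four, then 10**3 for the next
    three (the eighth digit follows from the checksum), 11,000 in total.
    """
    if halves_verified_separately:
        return 10**4 + 10**3
    return 10**7


if __name__ == "__main__":
    print(wps_checksum(1234567))          # 0, so 12345670 is a valid PIN
    print(is_valid_wps_pin("12345670"))   # True
    print(is_valid_wps_pin("12345678"))   # False
    print(pin_search_space(False), pin_search_space(True))  # 10000000 11000
```

The gap between the two figures is the whole reason the PIN mode is considered broken: a lockout after a few failed attempts, or simply disabling WPS, is the only meaningful mitigation.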
Pixie-dust
This is an offline attack that affects only a few chipset vendors, including Ralink, Realtek, and Broadcom. Pixie-dust recovers the WPS PIN offline, and with it the wireless router's password. The tool is very straightforward to use and can recover the PIN in seconds or hours depending on the complexity of the chosen or generated WPS PIN.
https://github.com/wiire-a/pixiewps
Man-in-the-Middle attack
In push-button mode, an attacker could intercept the WPS authentication process during the open window and spoof the router or the joining device, thereby gaining access to the network.