Forum

  • Well @tacnetsol has added a tool to make it a little easier to check if WPS is running. Unfortunately, it's still too technical for the average joe to run.

    See my demonstration of the new 'walsh' tool [url=http://www.simplywifi.co/blog/2012/1/4/is-my-wireless-router-running-wps.html]here[/url].

  • http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
    This is a good write up of the flaw(s) with WPS. Shamefully, my home router is on the list. Looks like it is only enterprise Wi-Fi for my house now. It looks like some routers implement lock-down features to slow and attack. However, the lock down periods do not seem sufficiently long enough to completely mitigate the 20K attempts it takes to break into most networks. Security consultants everywhere rejoice. Looks like we are back to the old WEP days when you could break into the customers network in 4 hrs.

  • I've created what is hopefully my last blog post on WPS brute force attack. I went ahead and took frame captures of an attack and broke down each stage. I've also made sample frames available for download if anyone wants to take a closer look.

    [url=http://www.simplywifi.co/blog/2012/1/5/reaver-what-does-it-look-like-in-the-air.html]Reaver: What does it look like in the air?[/url]

  • Ironically, there is one last "feature" built into WPS.

    If your AP has "MAC filtering" enabled, WPS not only continues to talk to your device regardless - when all is said and done, it automatically adds the new devices MAC address to the list as one of the allowed STA's.

    This is of course, the only "sane" thing to do. Otherwise WPS would never work if you used MAC filtering - but I do think it's funny given what else we have learned in the last couple weeks.

  • If you Google 'wps brute force attack', you will pull a lot of websites that offer mitigation tips, such as disabling WPS and making sure MAC filtering is turned on. Testing has shown disabling WPS does not always actually disable this feature. Wlanman, you have just shown that using MAC filtering is not an option (which is useless really anyway as MAC spoofing can always be done).

    I know we all work with enterprise-class equipment; however, I am already being asked by co-workers, other IT folks with companies I deal with, etc, this question: "So, what do I do to fix my home router?" I am telling folks that (for now), there is no definitive fix for this problem. However, the workaround(s) appear to be a) turn OFF your router at home when not in use and b) look for a third-party flash to resolve this issue for now (DD-WRT, Tomato, etc). I was going to add "look for firmware flash to resolve this", but no vendor appears to have released a fix yet.

    I would be interested in hearing what others are suggesting to their co-workers and/or other 'fixes' for this problem until vendors come up with a firmware upgrade.

  • They(vendors) will have to put in some serious lock down features at a minimum. If you can slow the attack that may help. Ultimately, they need to have an alternate firmware available with the functionality removed. I think the WFA should also make the PIN external registar NON-manditory. Both NFC and Push Button registration could be new alternatives. I think only a few have implemented PB(Push Button) and no one has implemented NFC (near field communication). Perhaps a combination of PB and PIN would allow the router to enable WPS for a 5 minute window or until a new registration occurs. This would ensure that you have physical proximity and minimized the opportunity for attack. It doesn't fix the weakness in the algorithm. I remember studying for the CWSP a few years back and thinking this WPS stuff cryptographically weak. But, I never would have guessed that when you turn it off, it doesn't do so.

  • SimplyWiFi,

    Thanks for the packet captures. They really clarify the handshakes going back and forth.

    Somehow I doubt this subject is dead though. Even if the new version of WPS takes 50 million attempts, the WFA will catch hell.

    I'm sure any newer version will be tested to death by "the community". They better get it right next time !

    It seems to me that one of the best things to do, after some number of intrusion attempts, would be to disable WPS, write a message to the AP's log file, and only allow the WPS feature to be reenabled after a power cycle of the AP.

    That way the victim can't miss that [u]something[/u] is going on. No it's not perfect, but it would help.

  • A few notes about this problem that may be of interest for people taking the CWSP exam. PP 232 ? 237 of the PWO-204 study guide covers some areas of WPS. The following simply shows some areas covered by the study guide and has nothing to do with exam material.

    There have been a lot of comments on various forums and magazine websites about this problem. Some people have the impression that this relates to an attack against the WPA/WPA 2 methods. It is not. It relates to the Registration Protocol that is used in WPS.

    The previously mentioned document below gives a good overview:

    http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

    We can see quite a few areas covered in the study guide. On page 5, we can see the following:

    Authentication Requests and Responses ( Chapter 2 )

    Association Requests and Responses ( Chapter 2 )

    We can also see Eapol ? Start and Identity Request and Response frames ( Chapter 4 )

    EAP was originally designed for use over a wired network. 802.11 networks recognize EAPOL frames via a special code. The EAPOL frames are used to transport EAP information. When the IETF ( Chapter 1 ) was originally developing EAP, it recognized that in addition to existing methods of authentication at the time the RFC ( Chapter 1 ) was being written, it would be a good idea to allow the protocol to be ?extensible? ( as in Extensible Authentication Protocol ). This simply means that it is ?expandable? via certain types which indicate which particular method of authentication is in use.

    We can see this in action here, with the Vendor ID and Vendor Type information areas. These fields are actually part of the EAP header unit. When a receiving device parses all the fields in the incoming header, it can either recognize whether it supports or does not support that particular vendor?s method of authentication.

    Hashes are one-way mathematical functions. In other words, we can take values and plug them into a mathematical formula and produce a numeric output. The reverse process is nigh on impossible. For example, if I said ?what numbers produced the value 8 after placing them in a ( usually known ) mathematical equation ??, you could see that there are so many possible permutations, that it would not be practically possible to come up with the correct answer. Hashes are a powerful tool in security.

    Hashes are used with digital certificates ( e.g. X.509 certs ) ( Chapter 12 ). When we apply a digital signature, we usually take the original information ( certificate info ) and produce a hash or message digest. The cert authority then takes that digest and uses a private key to encrypt it ( Chapter 3 ). A digital signature is then created and appended to the certificate. End users can then use their non secure public key to verify the message.

    HMAC ( Hashed Message Authentication Code ) utilizes the fact that each end of the link has a secret key. That secret ( symmetric ) key is then used in combination with the message as inputs to a hash function which produces an output which helps with message authentication/anti-tampering.

    We can also see mention made of a Key Wrap Key. Key Wrap Keys are used to encrypt cryptographic material. This is similar to the process used in the 4 ? way handshake mentioned in Chapter 5, where the GTK is encrypted with the PTK.

    We can see mention made of the Diffie Hellman Key Exchange. Unfortunately, this is wrong. Diffie Hellman is NOT a key exchange method. It is a method for exchanging material from which keys are constructed. It is actually a key agreement method. The Diffie Hellman key is NOT exchanged during the process. The key is actually constructed by both sides independently using secret material known only to each side, and the material exchanged during the process by each side. Instead of saying ?Diffie Hellman Key Material Exchange Method? , we just say ?Diffie Hellman Key Exchange?. Technically, not correct, but that is how it is referrred to nowadays.

    Additonal info:

    If we have two parties A and B preparing to initiate a Diffie Hellman Key Exchange ( DHKE ), the first thing that happens is that both sides agree on a DH group. The group contains two values: p ( a prime number ) and g ( a generator number ). This info is transmitted in the clear.

    A now generates a random value x.

    B now generates a random value y.

    A calculates ( g to the power x ) mod p ( where ?mod? means a mathematical modulus )

    B calculates ( g to the power y ) mod p ( where ?mod? means a mathematical modulus )

    Now, ( g to the power x ) mod p and ( g to the power y ) mod p are exchanged ( A to B and B to A ).

    A now calculates [ { ( g to the power y ) mod p } to the power x ]mod p, which gives us:

    g to the power yx mod p, which equals g to the power xy mod p

    B now calculates [ { ( g to the power x ) mod p } to the power y ]mod p, which gives us:

    g to the power xy mod p

    The value ?g to the power xy mod p? which is now present at both ends can now be used to create a symmetric session key.

    Dave

  • Sorry I can't look that up Dave. Somebody walked off with my only new CWSP study guide. ARRGH

    But I do have a copy or two of the new CWAP study guide in Excellent condition.

    If there's anyone in a similar state with an extra (latest edition) CWSP book that they wouldn't mind parting with, how would you like to make me an even trade for it?

Page 2 of 2