MSDOS Introduction

NYITSpring 2015Homework No: Midterm ProjectTitle: Wireless Protected SetupName:

Feingold, Aaron

Class ID#:

23

School ID#: 0204787

Name:

Seaman, Shawn

Class ID#:

26Course:

Intrusion Detection and . . . .Course ID:

INCS-745Date:

4/14/2015Assignments Content1. Paper..

3

2. Slides . 11 Aaron Feingold

Shawn Seaman

INCS-745: Hacker Exploits & Intrusion DetectionWireless Protected Setup:Security Sacrificed for UsabilityEXECUTIVE SUMMARYWireless Protected Setup, or WPS, is a protocol that allows unskilled users to easily add devices to a WPA2-secured wireless network. The user is not required to configure passwords or choose an encryption algorithm.

The 8-digit PIN at the heart of in-band WPS is inherently insecure. Rather than evaluating the entire PIN at once, the pin is broken down into three segments. The first four digits are evaluated first, followed by the next three digits. The final digit is simply a checksum used to validate the PIN. This reduces the number of possible PINs from one hundred million to a mere eleven thousand. A brute force attack against such a small keyspace is trivial.

We successfully used a number of variations of this exploit to break security on several different wireless routers. All were secured with WPA2. None of the wireless devices we tested resisted our attacks.

OVERVIEW OF WPS: EXTERNAL REGISTRARWPS is a user-friendly authentication protocol for encrypted wireless networks, which consists of three mechanisms: Push-button-connect, PIN with internal registrar, and PIN with external registrar. [Wi-Fi Alliance, 2006] We are concerned only with the external registrar.

The external registrar method uses an eight-digit PIN in decimal notation, which is stored in the router's firmware and printed on the bottom of the router. The user enters the PIN on their device, and it is automatically added to the network. This PIN is broken down as follows:

The first 4 digits form a discrete initial pin.

The second 3 digits form a discrete secondary PIN.

The third digit is a checksum calculated from the first seven digits. This is used only for error correction, and adds nothing in terms of security.

Digit:12345678

Initial M4 M5 PIN

4 digitsSecond M6 M7 PIN

3 digitsChecksum

The two PINs are evaluated separately, as shown. If, at any point, an EAP-NACK message is received, it means that the PIN number is incorrect.

If, at any point, an EAP-NACK message is received, it means that the PIN number was incorrect. Depending on the timing of the EAP-NACK, we can determine which part of the PIN was wrong. If an EAP-NACK was received in response to message M4, it means that the first part of the PIN was incorrect. If an EAP-NACK was received after sending M6, we can conclude that the first part of the PIN is correct, and the second part is wrong.

BRUTE FORCE ATTACK: THE CORE VULNERABILITYAt first glance, WPS appears to be quite resistant to brute force attacks. 8 decimal digits gives us 108 = 100,000,000 possible combinations. Assuming (optimistically) that we can test one PIN per second, it would take over 3 years to brute force the combination. In practice, we were usually able to test one PIN every 6 seconds. This means it would take over 18 years to try every combination. We could expect the attack to succeed in an average of 9 years. By that time, the wireless network we are attacking may no longer be operational. While this is by no means strong cryptography, it may be considered acceptable.

Unfortunately, the PIN length is deceptive. In 2011, a vulnerability was noticed in WPS, by a security researcher named Stefan Viehbck. Because the two segments of the PIN are validated separately, it is possible to brute force each one independently. [Viehbck, 2011]

The first segment of the PIN has 4 decimal digits. 104 = 10,000. The second segment has 3 decimal digits. 103 = 1000. By first isolating and breaking the first segment, and then proceeding to the second segment, we can brute force the PIN by traversing a keyspace of only 11,000 possible combinations. It is now possible to brute force the PIN in several hours, rather than several years.

Simple modifications to the behavior of our WPS software are all that is required to implement the attack:

The brute force attack is performed as follows:

Step 1: Place the wireless card in monitor mode. Interface mon0 will be enabled.

airmon-ng start wlan0

Step 2: Scan for vulnerable wireless routers using the wash utility. This software ships with Kali Linux by default.

wash -i mon0

Note: If you get an error Found packet with bad FCS, skipping... you will need to set the

--ignore-fcs flag:

wash -i mon0 -ignore-fcs

The target should have the field WPS Locked set to No.

Make a note of the target's BSSID.Step 3: Use Reaver with the following options:

reaver -i mon0 -c 6 -b [BSSID] vv

In this case, it took 18 hours and 12 minutes to obtain the PIN. That gave us all the other wireless configuration data, including the wifi password.

The reason this took as long as it did was due to a lock-down setting designed to mitigate WPS attacks. After every 16 attempts, the router shut down WPS for 5 minutes.

Even with this limitation, it was not difficult to break WPS.LOCK-DOWN: RATE-LIMITING MITIGATION & THE ROUTER RESETIn the initial paper which revealed the WPS brute force attack, it is suggested that manufacturers implement a lock down period after a number of incorrect PIN guesses. It is estimated that locking WPS for 60 minutes following 5 incorrect guesses would increase the maximum attack time to about 92 days. [Viehbck, 2011] This would give us an average attack time of 46 days.

Of course, locking down WPS for an hour while a legitimate (if unskilled) user is attempting to set it up is a problem. The entire point of WPS is to allow untrained users to configure wireless networks easily. So manufacturers have tended toward less restrictive lock down policies.

Unless addressed, lock-down policies can significantly slow down a WPS brute force attack. There is a way around this. It turns out that many routers will reset if subjected to an EAPOL packet flood. Because the PIN is stored in the router's firmware, it is not altered when the router resets. By reseting the router, we can remove the lockdown policy. We can then continue testing PINs immediately.

MD3K is a tool capable of producing this type of EAPOL flood. [Smeat, 2013] Reaver, our WPS tool, can be modified to unleash MD3K automatically upon detecting a lockdown (or, as Reaver calls it, rate limiting.)Due to the EAPOL flood, the router resets, and we now have less than one minute of downtime when rate-limiting is engaged.

EAPOL flooding reduced the time of our attack to approximately 4 hours. We retrieved the WPS PIN, the WPA password, and the SSID.THE PIXIE DUST ATTACK: EXPLOITING A PRNG VULNERABILITYThere is one additional vulnerability which has been demonstrated in certain implementations of WPS. Weak pseudo-random number generators are used in AP chipsets manufactured by Broadcom, Ralink, and RealTek.

This allows us to perform a brute-force attack against the same 11,000 candidate PINs offline. This is an offline attack. We do not need to wait for the router on each attempt, and we can therefore attain much higher speeds. In our tests, this attack completes in less than one second.We will need the following data to begin the Pixie Dust PRNG attack:

Obtained by sniffing network traffic (use WireShark):

PKR Public Key

Obtained from WPS using Reaver: E-Hash1

E-Hash2

N1 Enrollee Nonce

PKE Public Key Generated from the Key Derivation Key:

Authkey

Some of this information can be obtained from more than one source.

Once we have gathered our data, we use a tool called Pixiewps to perform the off-line attack. [Wiire, 2015] This tool will return the WPS PIN. We then feed the PIN into Reaver, which returns all the wireless configuration information, including the password.

The real vulnerability here is the fact that we can get E-S1 and E-S2, such that:

E-Hash1= HMAC (E-S1, PSK1, PKE, PKR)

E-Hash2= HMAC (E-S2, PSK2, PKE, PKR)Ralink chipsets set E-S1 = 0 and E-S2 = 0. This is so weak, it can't even properly be called a pseudo-random number generator. There is nothing there to break.

In the event that the transaction takes less than one second, Realtek chipsets assign the same value to E-S1, E-S2, and N1 Enrollee Nonce. Because we can sniff the value of the Nonce, we have the value of E-S1, and E-S2.

Broadcom at least uses a PRNG, but it is very weak. It is not difficult to brute force the state of the Broadcom PRNG, and calculate E-S1 and E-S2 from that state.

Though the weak PRNG is not a flaw in the design of the protocol itself, it is an informative example of the way poor implementation can introduce new vulnerabilities.

MULTIPLE MAC SPOOFING: AN OPTIONAL OPTIMIZATIONWhen attacking wireless networks that do not have a lockdown policy in place, it is possible to spoof the last digit of your MAC address so that your requests appear to come from multiple different sources at once.

In this way, you can speed up the attack by having multiple simultaneous instances running at the same time. [Heffner, 2013]

While this was an effective technique several years ago, it can backfire by causing rate limiting lock-down policies to engage more quickly and more often. We did not find this technique to be of much use against current wireless routers.

OUR PLATFORM: HARDWARE AND SOFTWARE USED IN OUR TESTSWe used virtualized copies of Kali Linux on two laptops to launch our attacks. On the first laptop, we used VMware Player 7.0.0, with Windows 8.1 as the host OS. The other laptop used VirtualBox, running on top of Windows 8. Both systems worked well in our tests. We did not observe any significant difference between VirtualBox and VMware Player for this application.

We required wireless adapters capable of packet injection and monitor mode. Neither laptop had such capabilities pre-installed. Therefore, we used USB wireless adapters which did have those capabilities. We tested two adapters from Alfa Networks: The AWUS036NH and the AWUS036NHA. We noticed no performance difference between the two cards, but it should be noted that the AWUS036NHA has an Atheros chipset, and AWUS036NH appears to have a chipset produced by Ralink.

We did notice a significant increase in range when we tested different antennas. Surprisingly, there was not much difference between the 5dBi and the 9dBi omni-directional antennas. There was a significant improvement when using the 7dBi directional antenna, though only when it was positioned correctly.

CONCLUSIONS AND RECOMMENDATIONSWe have determined that WPS in-band configuration is hopelessly insecure. The keyspace is just too small to be useful for security. If WPS is enabled, a determined attacker will get inside the system. The attacker's success is inevitable.

Repeated attempts by WAP manufacturers to mitigate the weakness at the heart of of the external register mechanism have failed. Rate limiting makes the attack take days, rather than hours, and it can be bypassed by EAPOL flooding.

Though the PRNG issues could be resolved easily, there is no clear fix for the brute force attacks. WAPs which do not have a known PRNG vulnerability still fall to the brute force attack.

It is therefore our recommendation that WPS should be disabled wherever and whenever it is encountered.

WORKS CITEDViehbck, Stefan (2011-12-26). "Brute forcing Wi-Fi Protected Setup" (PDF).https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdfWi-Fi Alliance (December 2006). Wi-Fi Protected Setup Specification Version 1 .0h. (PDF).http://cfile28.uf.tistory.com/attach/16132E3C50FCFFCB3EC74ESmeat, (2013). md3k, , GitHub repository, https://github.com/Smeat/md3k

Wiire, (2015). Pixiewps, GitHub repository, https://github.com/wiire/pixiewpsHeffner, Craig (2013). MAC Address last character changer to speed up the attack, GitHub repository, https://github.com/chrsmithdemos/reaver-wps/issues/258SLIDES BEGIN HERE!

Please note: The MAC address and other details of the router used in the initial brute force test have been redacted at the request of the organization that was kind enough to loan one of their wireless routers for this project.

PAGE 1

_1493575742.psd