EH-Net

Hi all did anyone else see this .




http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/
 (http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/)

Yeah I saw it yesterday.  I kinda want to try it out and see how easy it is to crack, but will have to wait until people leave the house in case I break their Internet!

LOL!  At least you're going to be ethical and test on your own systems.  <props  ;)>

Yeah, not a fan of jail hayabusa!

Tested reaver at home and it worked well.
Tested at a client and didnt succeed.. :(

I tried this at home with a spare Linksys router - it was scarily easy. What made it worse was that the Linksys lets you think you've turned WPS without really doing so. That is, I turned WPS off, ran Reaver, and it still cracked my WPS PIN and WPA2 password in under 3 hours.

In my limited experience, Reaver is easier to use and more successful than cracking WEP with no client attached (which I've been unsuccessful in even though my target router is just in the next room.) And Reaver v1.4 comes with a tool called wash that allows you to scan your local area for WPS enabled routers. There wasn't a single router in my local area with WPS off.

One thing I found though was running Reaver caused a DoS on my primary wi-fi router, even though I'd turned the txpower way down. The significant other was not pleased.

I think that this is the most exciting part about security, well for me anyways. Stuff like this gives people like us a reason to think outside of the box to overcome these security shortcuts. I'm looking forward to trying to find a way to patch this flaw. But even after you shut one door another opens. Nothing is ever stopped, only hindered.

AFAIK, Linksys/Cisco are the only ones that don't actually turn WPS off (while letting you think you did). And they've been really slow in coming out with patches. The other brands (e.g. Netgear) actually do turn it off (confirmed). Another plus is that it takes a pretty strong signal to succeed. I asked my neighbor two houses over to plug in my router and Reaver failed in that case.

The sad fact is less than 10% of the routers in my neighborhood use WPA/2 in the first place. Most use WEP and one or two have no authentication at all. Still, for smaller companies the WPS vulnerability could be exploited and cause serious harm.

the fastest one i cracked was in 3 seconds. lol. reaver is just absolutely awesome. but if there is mac filtering don't forget to use --mac= or -A

I love reaver.
absolutly love it.

WPS enabled routers will be around for a while. a bad person could really make use of it.

I am really surprised this hasn't caught more attention for such a huge vulnerability across the world.

I mean, I have used Reaver when no one was home (got into a neighbors' WiFi with it). Just looked around their router, saw it was an ISP-provided NetGear router.

If I remember correctly, once I got the commands down, it took a matter a minutes to get the WPS key correct, and therefore the WPA2 key. WPA2, yo! That's quite the black eye on such a secure encryption for WiFi, no?

My router is WPS-incapable, being that it runs Tomato; most Linksys-based WRT routers do not implement WPS in any way, shape, or form, so that vulnerability is right out the window for those of us running alternative firmware on Linksys gear.

So far, I've only used it when no one was home, and didn't do anything malicious, like setting new passwords, or changing settings. I just wanted to see how it worked, and if it worked. Surprisingly it did, and quickly.

Wireless is notoriously insecure. Even if there isn't an inherent vulnerability, such as this Reaver attack or WEP, the majority of people will continue to secure their devices poorly. More often than not, you just need to capture the WPA-handshake and have a few decent wordlists. Having a powerful GPU on-hand makes this attacking increasingly trivial.

As always, ensure you have written permission before attacking equipment that isn't yours. Something as innocuous as testing the exploit on your neighbors equipment can unnecessarily land you in hot water.

ajohnson, you are definitely right, but there was only one WiFi network around that might have been vulnerable, and that was the neighbors' network. Like I explained, I did nothing when I got in, just looked to see if it was one of the ones that doesn't turn WPS off, and then logged off.

Unfortunately these days, that's all it takes to land in hot water. That's like saying "The only lock I could try to pick was my neighbors, so I did it, but I didn't go in the house". Your neighbor is still not going to be pleased about it if they find out, even if you were just curious and meant no harm.

wow that's a really old post under my own username. Its good to see it resurface and still usable for others members.

I was confused by your post at first because I have a WRT160N v2 which is vulnerable and isn't (last time I checked) compatible with DD-WRT or Tomato. Then I realized that you were referring to DD-WRT.

To clarify, any Linksys/Cisco router that is capable of running DD-WRT or Tomato is not vulnerable to Reaver because these firmware versions do not support WPS. It's the open-source firmware (DD-WRT/Tomato), not the stock firmware that comes with the router, that is safe. 

http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=25154
It's been a while since I checked the above link - hasn't changed much since the beginning of the year. Clearly Linksys/Cisco is saying "SOL" to most of the owners on that list with older hardware. I'll likely never buy a Cisco/Linksys router again because of this.

Hm...re-reading that part of my post you quoted, I realize I wasn't being 100% clear.....

But yeah, Linksys/Cisco WiFi routers that are running DD-WRT/Tomato don't run WPS code at all.

Yeah, my next router (when I get the monies) is going to be the Asus RT-N66U :) I am not sure if I want to run the stock firmware (which I believe is DD-WRT or Tomato-based) or flash it to Tomato (I've been done with DD-WRT for quite some time now).