WIFI WPS brute forace attack Faster than cracking WPA/WPA2

Viewing 16 reply threads
  • Author
    Posts
    • #7199
      Anonymous
      Participant
    • #44999
      Seen
      Participant

      Yeah I saw it yesterday.  I kinda want to try it out and see how easy it is to crack, but will have to wait until people leave the house in case I break their Internet!

    • #45000
      hayabusa
      Participant

      @Seen wrote:

      Yeah I saw it yesterday.  I kinda want to try it out and see how easy it is to crack, but will have to wait until people leave the house in case I break their Internet!

      LOL!  At least you’re going to be ethical and test on your own systems. 

    • #45001
      Seen
      Participant

      Yeah, not a fan of jail hayabusa!

    • #45002
      dbest
      Participant

      Tested reaver at home and it worked well.
      Tested at a client and didnt succeed.. 🙁

    • #45003
      DragonGorge
      Participant

      I tried this at home with a spare Linksys router – it was scarily easy. What made it worse was that the Linksys lets you think you’ve turned WPS without really doing so. That is, I turned WPS off, ran Reaver, and it still cracked my WPS PIN and WPA2 password in under 3 hours.

      In my limited experience, Reaver is easier to use and more successful than cracking WEP with no client attached (which I’ve been unsuccessful in even though my target router is just in the next room.) And Reaver v1.4 comes with a tool called wash that allows you to scan your local area for WPS enabled routers. There wasn’t a single router in my local area with WPS off.

      One thing I found though was running Reaver caused a DoS on my primary wi-fi router, even though I’d turned the txpower way down. The significant other was not pleased.

    • #45004
      Deadpool614
      Participant

      I think that this is the most exciting part about security, well for me anyways. Stuff like this gives people like us a reason to think outside of the box to overcome these security shortcuts. I’m looking forward to trying to find a way to patch this flaw. But even after you shut one door another opens. Nothing is ever stopped, only hindered.

    • #45005
      DragonGorge
      Participant

      AFAIK, Linksys/Cisco are the only ones that don’t actually turn WPS off (while letting you think you did). And they’ve been really slow in coming out with patches. The other brands (e.g. Netgear) actually do turn it off (confirmed). Another plus is that it takes a pretty strong signal to succeed. I asked my neighbor two houses over to plug in my router and Reaver failed in that case.

      The sad fact is less than 10% of the routers in my neighborhood use WPA/2 in the first place. Most use WEP and one or two have no authentication at all. Still, for smaller companies the WPS vulnerability could be exploited and cause serious harm.

    • #45006
      rocketscientist
      Participant

      the fastest one i cracked was in 3 seconds. lol. reaver is just absolutely awesome. but if there is mac filtering don’t forget to use –mac= or -A

    • #45007
      kerpap
      Participant

      I love reaver.
      absolutly love it.

      WPS enabled routers will be around for a while. a bad person could really make use of it.

    • #45008
      JTD121
      Participant

      I am really surprised this hasn’t caught more attention for such a huge vulnerability across the world.

      I mean, I have used Reaver when no one was home (got into a neighbors’ WiFi with it). Just looked around their router, saw it was an ISP-provided NetGear router.

      If I remember correctly, once I got the commands down, it took a matter a minutes to get the WPS key correct, and therefore the WPA2 key. WPA2, yo! That’s quite the black eye on such a secure encryption for WiFi, no?

      My router is WPS-incapable, being that it runs Tomato; most Linksys-based WRT routers do not implement WPS in any way, shape, or form, so that vulnerability is right out the window for those of us running alternative firmware on Linksys gear.

      So far, I’ve only used it when no one was home, and didn’t do anything malicious, like setting new passwords, or changing settings. I just wanted to see how it worked, and if it worked. Surprisingly it did, and quickly.

    • #45009
      dynamik
      Participant

      Wireless is notoriously insecure. Even if there isn’t an inherent vulnerability, such as this Reaver attack or WEP, the majority of people will continue to secure their devices poorly. More often than not, you just need to capture the WPA-handshake and have a few decent wordlists. Having a powerful GPU on-hand makes this attacking increasingly trivial.

      As always, ensure you have written permission before attacking equipment that isn’t yours. Something as innocuous as testing the exploit on your neighbors equipment can unnecessarily land you in hot water.

    • #45010
      JTD121
      Participant

      ajohnson, you are definitely right, but there was only one WiFi network around that might have been vulnerable, and that was the neighbors’ network. Like I explained, I did nothing when I got in, just looked to see if it was one of the ones that doesn’t turn WPS off, and then logged off.

    • #45011
      superkojiman
      Participant

      @JTD121 wrote:

      ajohnson, you are definitely right, but there was only one WiFi network around that might have been vulnerable, and that was the neighbors’ network. Like I explained, I did nothing when I got in, just looked to see if it was one of the ones that doesn’t turn WPS off, and then logged off.

      Unfortunately these days, that’s all it takes to land in hot water. That’s like saying “The only lock I could try to pick was my neighbors, so I did it, but I didn’t go in the house”. Your neighbor is still not going to be pleased about it if they find out, even if you were just curious and meant no harm.

    • #45012
      Jamie.R
      Participant

      wow that’s a really old post under my own username. Its good to see it resurface and still usable for others members.

    • #45013
      DragonGorge
      Participant

      @JTD121 wrote:

      My router is WPS-incapable, being that it runs Tomato; most Linksys-based WRT routers do not implement WPS in any way, shape, or form, so that vulnerability is right out the window for those of us running alternative firmware on Linksys gear.

      I was confused by your post at first because I have a WRT160N v2 which is vulnerable and isn’t (last time I checked) compatible with DD-WRT or Tomato. Then I realized that you were referring to DD-WRT.

      To clarify, any Linksys/Cisco router that is capable of running DD-WRT or Tomato is not vulnerable to Reaver because these firmware versions do not support WPS. It’s the open-source firmware (DD-WRT/Tomato), not the stock firmware that comes with the router, that is safe. 

      http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=25154
      It’s been a while since I checked the above link – hasn’t changed much since the beginning of the year. Clearly Linksys/Cisco is saying “SOL” to most of the owners on that list with older hardware. I’ll likely never buy a Cisco/Linksys router again because of this.

    • #45014
      JTD121
      Participant

      Hm…re-reading that part of my post you quoted, I realize I wasn’t being 100% clear…..

      But yeah, Linksys/Cisco WiFi routers that are running DD-WRT/Tomato don’t run WPS code at all.

      Yeah, my next router (when I get the monies) is going to be the Asus RT-N66U 🙂 I am not sure if I want to run the stock firmware (which I believe is DD-WRT or Tomato-based) or flash it to Tomato (I’ve been done with DD-WRT for quite some time now).

Viewing 16 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?