Brute Force Attack Against WiFi Protected Setup Reaver
Reaver is the Linux tool used to implement a brute force attack against Wi-Fi Protected Setup registrar PINs in order to recover WPA/WPA2 passphrases.
History
- Since 2007 the Wi-Fi Alliance has provided industry-wide setup solutions for home and small business environments.
- Allows typical users with little knowledge of wireless configuration and security settings to configure a new wireless network.
Wi-Fi Protected Setup (WPS)
- By default (out-of-the-box) WPS is always active on all devices.
- WPS is marketed as being secure; however, newly discovered design and implementation flaws allow attackers to gain access.
- Allows users to enter an 8-digit PIN to connect to a secured network without having to enter a passphrase.
- When the user supplies the correct PIN, the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network.
Push-Button-Connect
- User pushes a button on both the Access Point and the new wireless device (e.g. printer, PC, NIC).
Personal Identification Number
- Internal Registrar: User enters the WPS PIN of the Wi-Fi adapter into the web interface of the Access Point.
- External Registrar: User enters the WPS PIN of the Access Point into the client device (e.g. PC, laptop).
Reaver Tool
- A WPA attack tool developed by Tactical Network Solutions that exploits a protocol flaw in Wi-Fi Protected Setup (WPS).
- This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2, allowing the extraction of the Pre-Shared Key (PSK) used to secure the network.
- Determines an Access Point's PIN, then extracts the PSK and gives it to the attacker.
Results
- An authentication attempt can take between 0.5 and 3 seconds to complete.
- Once the PIN of the Access Point has been discovered, the Access Point hands the requesting device the passphrase.
Affected Vendor List (not complete)
- Cisco/Linksys
- Buffalo
- Netgear
- ZyXEL
- D-Link
- Technicolor
- Belkin
Mitigation
- Disable WPS; however, this option may not be available on all devices.
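Where WPS cannot be disabled, the 0.5 to 3 second cadence of failed PIN attempts noted under Results is visible in access point logs. The following is an added example, not part of the original slides: a sliding-window detector over constructed log lines. The log format, the `detect` function and the 5-failures-in-30-seconds threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not from real AP firmware).
# Station ...:02 mistypes a PIN twice, far apart; station ...:01 fails every 2 s.
SAMPLE_LOG = """\
2024-01-01T09:00:00 wps pin-fail sta=02:00:00:00:00:02
2024-01-01T10:00:00 wps pin-fail sta=02:00:00:00:00:01
2024-01-01T10:00:02 wps pin-fail sta=02:00:00:00:00:01
2024-01-01T10:00:04 wps pin-fail sta=02:00:00:00:00:01
2024-01-01T10:00:06 wps pin-fail sta=02:00:00:00:00:01
2024-01-01T10:00:08 wps pin-fail sta=02:00:00:00:00:01
2024-01-01T10:00:10 wps pin-fail sta=02:00:00:00:00:01
2024-01-01T10:20:00 wps pin-fail sta=02:00:00:00:00:02
"""

LINE = re.compile(r"^(\S+) wps pin-fail sta=([0-9a-f:]{17})$")

def detect(log_text, max_failures=5, window=timedelta(seconds=30)):
    """Return {key: time of first alert} for every key that exceeds
    max_failures failed PIN attempts inside one sliding window.

    Failures are counted per station MAC and also under the key "ANY",
    because a client can change its MAC address between attempts.
    """
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue              # ignore unrelated log lines
        ts = datetime.fromisoformat(m.group(1))
        for key in (m.group(2), "ANY"):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) > max_failures and key not in alerts:
                alerts[key] = ts
    return alerts

if __name__ == "__main__":
    for key, when in detect(SAMPLE_LOG).items():
        print(f"WPS PIN failure burst: {key} at {when.isoformat()}")
```

An alert under "ANY" without a matching per-station alert indicates failures spread across several MAC addresses, which is a reason to lock WPS for the whole access point rather than block a single client.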
References
- Tactical Network Solutions. (2011). Retrieved from http://www.tacnetsol.com/products