WPS
Last updated
Was this helpful?
Last updated
Was this helpful?
Wi-Fi Protected Setup (WPS) is a simplified configuration protocol designed to make connecting devices to a secure wireless network easier. WPS employs an 8-digit PIN for user network connection, verifying the first 4 digits before proceeding to check the remaining 4. This allows for a potential Brute-Force attack on the first set of digits followed by the second set, with a total of only 11,000 possible combinations.
Below are some known attacks on Wi-Fi Protected Setup (WPS):
PIN Brute-Force: Some routers with WPS allow users to connect by entering an 8-digit PIN code. A brute-force attack involves trying all possible combinations until the correct PIN is found.
Pixie Dust: This attack exploits a weakness in the generation of WPS encryption keys. It involves exploiting vulnerabilities in certain routers during the creation of WPA/WPA2 encryption keys.
PIN Revelation: Certain WPS-enabled routers may reveal information about the validity of the PIN during a connection attempt. This information disclosure can aid an attacker in narrowing down the search space during a brute-force attack.
Access Point Enumeration: Some routers with WPS may be vulnerable to an attack that allows an attacker to determine which access points are present in a given area.
Most WPS attacks mentionned below can be conducted using (Bash) or (Python).
Some of the commands listed in this section may require high privileges to run. Containers would also need high privileges on a host.
There are three main methods for setting up a connection using WPS:
Push Button Configuration (PBC): Press the WPS button on the router and then activate the WPS function on the device to connect. The two devices will automatically establish a connection.
PIN based Configuration: Each WPS-enabled device has a unique PIN code. It can be entered on the router through its web interface, or vice versa, to establish the connection.
Near Field Communication Configuration: In which the user has to bring the new client close to the access point to allow a near field communication between the devices. NFC Forum–compliant RFID tags can also be used.
The default configuration for wireless interfaces is "Managed" mode, restricting packet capture to those with a "Destination MAC" matching the interface's own MAC address. To capture all packets within a wireless device's range, switch the mode to "Monitor."
The following native commands can be used to have a capable network interface in monitor mode.
With (C) installed, the following commands can be used.
is used to identify nearby WPS-enabled access points along with their main characteristics. It is included in the (C) package.
In 2011, researcher identified a design and implementation flaw that made PIN-based WPS vulnerable to brute-force attacks. A successful exploitation of this flaw would grant unauthorized individuals access to the network, and the sole effective solution is to disable WPS.
Two main tools are now available for conducting this attack: (C) and (C).
In 2014, identified a security vulnerability he dubbed "Pixie Dust". It specifically targets the default WPS implementation found in wireless chips produced by various manufacturers, including Ralink, MediaTek, Realtek, and Broadcom. The attack exploits a randomization deficiency during the generation of the "E-S1" and "E-S2" "secret" nonces. Knowing these nonces, the PIN can be retrieved in a matter of minutes.
A tool called was developed, and a new version of was created to automate the attack.
Check to know which router model is vulnerable.
Some poorly implemented systems allowed the use of a "Null" PIN for connections. can conduct the attack, whereas lacks this specific functionality.