Grrrr... someone using my router.

Discussion in 'Network Routers' started by Mike Duffy, Oct 14, 2012.

  1. Mike Duffy

    Mike Duffy Guest

    I *thought* I knew how to secure it:

    WPA2 only, ridiculously long passphrase, deactivate "Guest network", use
    MAC-based access list.

    He was spoofing the MAC of a PC that was at the time powered off.
    Presumably he got it at some time previously. Using the router console log,
    I could see occasional packets coming back from the Internet and looked up
    a few of the IP#s. It seems that he was using various cloud compute
    services, probably to break other people's passwords.

    Since then, I have obviously changed the passphrase, as well as the SSID
    which I now do not "advertise", but after going through all the options on
    the router console page (http://www.routerlogin.net), I cannot see anything
    else that will make things any more secure.

    Other than asking my daughter to come downstairs and turn off the "WPS"
    button when she does not need Internet access, what else can I do?

    Since then, I have done some reading. I have half a mind to find out what
    frequencies are used by the various channels and build a triangulator or
    three. (And some sort of "delivery" system using one of those radio-
    controlled toy helicopters. Don't ask me what I want to deliver.)
     
    Mike Duffy, Oct 14, 2012
    #1

  2. Mike Duffy

    dg1261 Guest


    You mean you're running with WPS enabled? That could be your problem.
    You'll want to listen to "Security Now!" (http://www.grc.com/sn), podcasts
    #335 and #337.
     
    dg1261, Oct 14, 2012
    #2

  3. Mike Duffy

    Ant Guest

    Which router are you using?


    --
    "The Hunam Tiger ant has been known to consume an entire meal before the
    picnic guest arrive." --12th century Tang Dynasty proverb.
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) If e-mailing, then axe ANT from its address if needed.
    A song is/was playing on this computer: Tiffany - Locomotion
     
    Ant, Oct 14, 2012
    #3
  4. Mike Duffy

    Mike Duffy Guest

    Netgear WNR2000v2
     
    Mike Duffy, Oct 14, 2012
    #4
  5. Mike Duffy

    Mike Duffy Guest

    I have disabled WEP. Perhaps that is what you mean?

    I thought the WPS button turned on/off ALL wireless access. Here are the
    help sections of the "Advanced Wireless Settings / WPS Settings" internal
    console web page. All 3 options are checked. He probably knows my PIN
    already. Anyone capable of spoofing a MAC probably took note of it:

    WPS Settings

    Router's PIN

    This is the PIN number you use on a registrar (e.g., from Network
    Explorer on a Vista Windows PC) to configure the router's wireless
    settings through WPS. You can also find the PIN on the router's product
    label.

    Disable Router's PIN

    You can configure the router's wireless settings or add a wireless client
    through WPS using the router's PIN only when the PIN is enabled. The
    router's PIN can be disabled temporarily when the router detects
    suspicious attempts to break into the router's wireless settings by using
    the router's PIN through WPS. You can manually enable this function by
    clearing the check box and clicking the Apply button.

    Keep Existing Wireless Settings

    This shows whether the router is in the WPS configured state.
    If this option is not selected, adding a new wireless client will change
    the router's wireless settings to an automatically generated random SSID
    and security key. In addition, if this option is selected, some external
    registrars (e.g., Network Explorer on Vista Windows) might not see the
    router. Configuring basic wireless settings from the router's management
    GUI selects this option automatically.



    I might also consider blocking off most of the ports; I presume that my
    daughter only needs http to do her homework.
     
    Mike Duffy, Oct 14, 2012
    #5
  6. Mike Duffy

    Mike Duffy Guest

    Thanks much for the above. I now know that the "WPS" button does not
    enable/disable access to the Internet from wireless clients. When you
    press it, WPS is enabled for 2 minutes (during which time the button
    flashes).

    If you want to disable Internet access for wireless clients, it is done
    by a separate entry on the virtual console.

    The good news is that WPS is only enabled for 2 minutes at a time, and I
    have NEVER used this feature. Instead, I always used the standard SSID +
    passphrase to enable clients. I also use a MAC access list restricted to
    the 2 devices I want to have access. So nobody else should have my PIN,
    which is hard-coded into the router. In any case, it is only used by the
    WPS setup procedure, which I have never used.

    It looks like there is a way to crack a passphrase in a few minutes if
    you know the SSID, which by default is broadcast in the clear. It takes a
    fair bit of number crunching, and it looks as though my hacker was using
    my connection to get introductory free IP-based credits from various
    cloud-based compute services to do the computations to crack other
    connections. (Using the console log, I could see the IP#s of the result
    packets coming back to him from the Internet.) Probably he is far enough
    away that his connection speed was too low to do anything else, like
    downloading movies.

    I have now disabled the broadcast of the SSID (and changed it and changed
    the passphrase).

    I also plan to check a bit closer for "connected devices" in the future,
    because my local hacker friend probably took note of the MAC#s and he is
    able to spoof a given MAC.
     
    Mike Duffy, Oct 14, 2012
    #6
  7. Mike Duffy

    Ant Guest

    No. WPS. It's another security hole. :(

    Nope, WPS is a security hole. Google it:
    https://www.google.com/search?q=wps+security ... Even disabling it
    doesn't mean it is disabled. :(
    --
    "... Our latest evil plan and create an army of giant ants to take over
    the galaxy..." --Dark Helmet from Spaceballs: The Animated Series (S1 E3).
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) If e-mailing, then axe ANT from its address if needed.
    A song is/was playing on this computer: The Asteroids Galaxy Tour - The
    Golden Age #1
     
    Ant, Oct 15, 2012
    #7
  8. Mike Duffy

    VanguardLH Guest

    If you listened to the podcasts, you would've found out:

    - WPS has a vulnerability. Brute forcing the PIN only requires an evil
    listener of your radio traffic to capture a successful pairing and do so
    ONLY once. Because PINs are static (they are, after all, printed on a
    label on the access point), one successful pairing getting captured can
    be brute forced offline (the attacker isn't slamming your access point
    but recomputing hashes on their own host) and once the PIN gets
    extracted then the evil listener can log on successfully the FIRST time
    (so there is no lockout for N minutes after X failed attempts). The
    vulnerability is in using a static PIN. Even if you go into your router
    or access point to change its PIN (and if it lets the user change the
    PIN since not all do), it is still *static* thereafter. You won't be
    changing the PIN for every transaction between your computer and the
    access point. The original protocol was [supposed] to be designed so
    the PIN was used only *once* per transaction. That's not how the WiFi
    Alliance implemented WPS. They required only a static PIN which makes
    it easy to guess. Another problem is that the PIN is only 8 digits
    long. Think about it: how secure is 8 digits?

    - WPS is not disabable on some access points or routers. The podcasts
    named Linksys (Cisco) as a wifi device maker who, perhaps only for some
    models, have an option to disable WPS but do NOT actually disable it.
    Their firmware does not honor the user's choice to disable WPS. I don't
    recall if it was just the Linksys line that had a bogus disable or if
    others were mentioned.

    - To be WiFi Alliance certified, wifi makers MUST have WPS enabled by
    default. That means users must manually *disable* WPS. Well, we know
    many users are lazy and ignorant (and prefer to remain that way) since
    they don't even bother to read the manual or even go look at the config
    screens of the router or even those for the software apps they use. How
    many viewers will there be of these podcasts? How many will read tech
    articles or news about the vulnerability? That's a very small
    percentage of all users so there will be LOTS of vulnerable wifi routers
    out there where WPS is enabled because it is that way by default, plus some
    of those that do hear about this vulnerability will be using routers
    where they cannot disable WPS.

    Oh yes, there may become available firmware updates to these routers
    that disable WPS by default (and do so after the update flash as part of
    a reset) but then again how many users of these WPS-capable wifi devices
    are going to do the flash update or even know about it? WPS is one of
    those "it's out there and we can't pull it back" screwups. It'll
    probably be around 4 years before this problem goes away mostly because
    that'll be when consumers get around to replacing their wifi devices -
    unless this vulnerability gets LOTS of press coverage (and I don't mean
    just the tech rags, either).

    By the way, the WPS button does NOT turn off WPS. It initiates a
    handshake session that remains open for around 2 minutes (so you can
    dash off to the other end to start a WPS handshake session over there).
    The button is like the ignition switch in your car: you turn it (to the
    ignition position), your car starts, and you're supposed to release the
    ignition switch. Both *start* something. They don't stop anything. To
    disable WPS you *must* go into the wifi device's web config settings to
    disable it there.

    That's only fixing the problem on the AP or router end. Now you have to
    go to your computer and disable WPS there, too. You don't want EITHER
    end to be using WPS. You don't want it to connect to the evil listener
    who may have happened to capture a prior successful pairing. I believe
    WPS showed up in Windows 7.

    At this point, you need to disable WPS at all your wifi devices (access
    points, routers, computers). Then go into the AP or router config and
    change its PIN (if possible). Why? Because there have been instances
    where hundreds (I've read thousands) of same-brand, same-model wifi
    devices were assigned the same PIN (so you'd be sharing the same PIN
    with lots of other users). Since shipping is in batches, users
    purchasing from the same reseller would get wifi devices with the same
    PIN and some percentage could end up being close enough to each other.

    Listen to the podcasts this time to see how bad the problem is with
    WPS. Make sure if you disable WPS in your AP or router that it is a
    brand and model that actually does let you disable WPS. Just changing
    the option in the config screen doesn't mean that option actually works.
     
    VanguardLH, Oct 15, 2012
    #8
  9. Mike Duffy

    Mike Duffy Guest

    I did read the transcripts. (I posted a reply in another thread.)
    Yes. The whole debacle shows again how expediency trumps accuracy.
    I cannot see how to do this. I have gone through ALL the config options.

    However, the help for the first 2 entries in the console are:

    1 Setup Wizard

    To get started:

    Select Yes if you want to use the Smart Setup Wizard.
    Select No to configure the router manually.

    2 WPS stands for Wi-Fi Protected Setup. This is a process that lets you
    add a wireless client to the network easily, without the need to
    specifically configure the wireless settings such as SSID, security mode,
    and passphrase.

    You can select to add a wireless client using either the Push Button or
    PIN Number method.

    With the Push Button method, you complete the process by clicking a
    button on the client (either a physical hardware button or a software
    button on the client's utility GUI).

    With the PIN Number method, you have to enter the client's PIN here. You
    have to start the client WPS process at the same time. You can find the
    client's PIN on the client's utility GUI.


    I skipped over both of these and did all my config via the more
    "complicated" SSID / passphrase / security mode config entries.

    So I am not sure if WPS is still enabled. It is fairly recent (Netgear
    WNR2000v2), so perhaps it does not have this vulnerability. OTOH, my
    connection WAS hacked, but I was showing my SSID and allowing WPA or WPA2
    instead of hiding SSID and forcing WPA2.
    I will check up on this - thanks.
    Sadly true. Perhaps we should white-hat an attack on a politician's home
    router and use it to download animal p0rn.
    I could not see this. Perhaps after I do a firmware upgrade.
    I did (well, I read the transcripts; much faster), but thanks for your
    comments. They did clear up a few minor misunderstandings.
     
    Mike Duffy, Oct 15, 2012
    #9
  10. Mike Duffy

    VanguardLH Guest

    VanguardLH, Oct 16, 2012
    #10
  11. Mike Duffy

    Char Jackson Guest

    I've looked through the manual linked above and don't see any way to
    completely disable WPS. The closest I came was "Disable Router's PIN"
    on page 2-17, but that apparently doesn't actually disable the
    function.

    I wonder if third party firmware would be an option for that device.
    Some of them, like dd-wrt, seem to be able to completely disable WPS.
     
    Char Jackson, Oct 16, 2012
    #11
  12. Mike Duffy

    Char Jackson Guest

    Download and run a program called Reaver. With that you'll be able to
    infer whether WPS is active or not. Reaver is a tool for hacking WPS,
    but a side benefit of using it on your own router is for peace of mind
    in knowing for sure that WPS is not responding to wireless access
    requests.
    Broadcasting your SSID is better than hiding it. It lets others know
    that a network is operating on that channel, hopefully helping them to
    decide to move somewhere else. Even when you choose not to broadcast
    it, many tools are available that will sniff it in seconds.
     
    Char Jackson, Oct 16, 2012
    #12
  13. Mike Duffy

    Char Jackson Guest

    I could be wrong, but if that's what the podcast says it looks like
    they're mixing two separate issues, aren't they? One issue involves
    capturing a WPA handshake, then going offline to try to brute force
    the password. That issue has nothing to do with WPS. The second issue
    involves sending WPS PINs as fast as the router is willing to process
    them, until the correct PIN is sent and the router opens its doors.

    Note that the goal of the second vulnerability above isn't to discover
    the PIN, exactly, but to use the PIN to discover the passphrase. You
    then use the passphrase to connect as if you were an authorized user.

    Regarding the 8 digits, it's even worse than it looks because the 8
    digits are broken down into 3 groups: the first group is just 4
    digits, the second group is 3 digits, and the last digit is by itself,
    and may be a checksum, IIRC. By constructing the WPS standard the way
    they did, with 4+3+1 digits, the total number of guesses is something
    like 11,000, and on average you only have to guess half that many.
    That part doesn't sound right. I'm under the impression that WPS only
    has to be disabled at the router since that's the only device that's
    listening, or should be listening, for inbound connection attempts.
    Also, capturing a 4-way handshake is again mentioned above, and I
    don't think that's part of the WPS vulnerability.
    Agreed. I use Reaver to make sure the router is deaf and dumb to WPS
    requests.
     
    Char Jackson, Oct 16, 2012
    #13
  14. Mike Duffy

    VanguardLH Guest

    Yep, page 2-17 (not 2-19). It's the only mention I found in the manual
    on disabling WPS.

    "Disable Router's PIN. If the router's PIN is disabled, you cannot
    configure the router's wireless settings with WPS."

    If you cannot configure using WPS then it certainly seems that WPS is
    disabled. If you cannot configure using WPS, why would you think it was
    still enabled?

    So how do you know it doesn't work? Do you have this router and tested?
    Or did you look in the spreadsheet mentioned in the podcast (I don't
    recall the URL) to see if it was one listed as showing a disable but it
    was ignored, like they mention for some of the Linksys routers?
    The podcasts mention DD-WRT and Tomato as alternative firmware code sets
    to replace what's in the router. I've heard of DD-WRT but never delved
    into it, and the podcast was the first I've heard of Tomato.

    http://www.dd-wrt.com/ (offline when I tried)
    http://en.wikipedia.org/wiki/Dd-wrt

    http://www.polarcloud.com/tomato
    http://en.wikipedia.org/wiki/Tomato_(firmware)

    From my reading of forum posts, these alternative firmware let you
    disable WPS. You need to make sure this firmware lists your particular
    router as compatible; however, I see reports saying switching to these
    alternative firmware can result in loss of functionality. I'd check
    over at http://www.dslreports.com/forum/wsecurity to ask if either
    incurs critical problems on the routers.

    The following videos show Reaver Pro with its GUI used to hack into wifi
    routers and shows how easy it is:


    (no narration, music is loud, so mute speakers before playing)



    My review of the podcasts is that the hacker only needs to capture *one*
    successful pairing using WPS and then does the hash crunching offline on
    their own host. When they come back, there is no fear of lockout (i.e.,
    N failed connects results in X minutes of refusing further connects -
    yet some routers don't even do this, anyway) because the first attempt
    will succeed as the hacker has a correct PIN. So if you had WPS
    enabled, and since you don't know if a hacker captured your prior
    successful pairing(s), it seems you should not only disable WPS but also
    change your PIN (which means it won't match the sticker on the unit).
     
    VanguardLH, Oct 16, 2012
    #14
  15. Mike Duffy

    Char Jackson Guest

    Because the very next sentence reads, "However, if your settings are
    already configured, you can still add WPS-enabled wireless clients."

    I figure if WPS-enabled clients can still make connections to the
    router, then WPS is still active and the only part that's disabled is
    the PIN. That might be good enough, but I'm not sure.

    The next sentences make it seem like the router is capable of
    protecting itself against Reaver and its cousins.

    "The router might disable the PIN if it detects suspicious attempts to
    break into your wireless settings; this can happen if the check box is
    selected. You can enable the PIN by clearing the check box and
    clicking Apply."
    I don't have that router and haven't tested it. I was just going by
    how I interpreted the manual and could well be wrong.
    I ran Tomato in a WRT54G some years ago, for maybe 2 years or so. For
    the last 4-5 years I've been running dd-wrt exclusively. I always
    flash it before putting a box into service. I currently have 6
    WRT54GL's scattered around the house, all running dd-wrt.
    That last part is highly doubtful. What the alternative firmwares do
    is offer tons MORE functionality.
    As the two videos show, the WPS vulnerability isn't related to the
    capability of capturing a WPA/WPA2 handshake and then doing an offline
    dictionary attack against the captured handshake. Those are two
    separate vulnerabilities, I believe. You've somehow mixed them
    together into a single vulnerability.
     
    Char Jackson, Oct 16, 2012
    #15
  16. Mike Duffy

    VanguardLH Guest

    Well, with it being ambiguous, I'd probably reset the router, not rely
    on that setting, change the PIN to something other than the sticker, and
    maybe even tape something over the WPS button or physically disable it
    to ensure it didn't get accidentally used. They mention some Linksys
    models cannot have WPS disabled so maybe Netgear is just as stupid.
    I've read forum posts (DSLreports) where users that flashed to an
    alternative firmware resulted in one antenna disabled and other normal
    functionality was lost, and that was for a router model listed as
    compatible. They had to flash back to the original firmware. I don't
    have reason to doubt those posters: all functionality worked with
    original firmware, some lost with alternative firmware, regained when
    reflashing back to original firmware.
    The evil listener captures lots of over-the-air WPS sessions waiting for
    a successful pairing acknowledged by one end of the communication.
    Then, while offline, recomputes hashes to brute force out the PIN doing.

    http://media.grc.com/sn/sn-337-lq.mp3
    "How it works" starts at the 48:20 time mark.
    "Here's the problem" starts at the 57:00 time mark.

    http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
    "The flaw allows a remote attacker to recover the WPS PIN in a few hours
    and, with it, the network's WPA/WPA2 pre-shared key."

    "http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf"
    PIN (page 3)
    "This option is called wps_pin in wpa_cli"

    So we have another vulnerability via WPS to exploit another. WPS is
    using hashing to authenticate each endpoint without actually
    transmitting the PIN (except within the hash) but after authentication
    is granted it isn't like WPS continues working. WPS is the initial
    handshaking which bypasses WPA/WPA2 handshaking. WPS sets up the
    pre-shared key (PSK) mode at the endpoints so WPA/WPA2 takes over now
    that it has that key. WPS is the automated pre-setup for WPA. Rather
    than have you write down the PIN from one device and then walk over to
    the other device (computer) to enter it, both of which are manual inputs
    and prone to error, WPS lets you push a button to prepare one endpoint
    so it waits for a pairing broadcast while you walk over to the other end
    to push a [software] button to do the handshaking for you but
    automatically (beyond having to push a button at each end).

    You could go under your car's hood to pull out the fuse(s) for
    non-startup components and short across the starter to start your car or
    you can let the ignition switch do the pre-setup (disconnect
    non-essential electrical components) and run the starter. WPS is just
    doing the pre-setup for WPA: getting the PINs between the endpoints.
    The problem is the short & permanent PIN is not secure when using WPS.

    The shared-key WPA vulnerability is vulnerable to cracking if the
    password phrase is short. Well, the same is true of using a short PIN
    when using WPS to get that PIN (recognized through hashing) known to the
    other endpoint. The PINs are 7 digits long with the 8th being a
    checksum. Short PINs and short passphrases are insecure but even short
    7-character passphrases have a far greater number of combinations than
    7-digit PINs: 78 billion versus 10 million. The podcasts and forum
    posts indicate it may take up to 10 hours to hack out the PIN from the
    captured WPS hashes. That means the hack tools are recomputing 278
    hashes per second which doesn't seem impossible or even improbable.
    That same brute method on 7 alphanum characters would take 10 hours
    times 7836 (the difference in values for 7 digits versus 7 alphanum
    chars) or 8.9 years. Part of the argument regarding WPS is its weak
    8-digit (7 + checksum) PIN is way too insecure. The other argument on
    why WPS is bad is the reuse of a static PIN value which is transmitted
    over the air to be captured (in a hash) rather than using a different
    (dynamic) one each time.

    When you manually write down the PIN at one endpoint and then walk to
    the other endpoint to manually input the PIN over there, it isn't in the
    air to get captured so short length and permanence aren't as much a
    problem on hacking with that scenario (although it is still recommended
    to use a long passphrase instead of a short one). Without permanence,
    the bruted out PIN would be of time-limited value to the hacker. The
    next WPS handshake with a different (dynamic) PIN would mean the hacker
    has to recompute all those hashes again for another 8-10 hours. Hackers
    don't like targets that move faster than they can aim. It'd be easier
    to find a nearby wifi hotspot. With a much longer PIN length, it would
    take too long for the hacker to brute out the PIN from the captured
    hashes. With long dynamic PINs, the window of vulnerability is too
    short for the hackers to bother. Twould be far easier to tap into your
    cable at the pole or doghouse to "borrow" your bandwidth rather than try
    to tap into the router or AP.
     
    VanguardLH, Oct 16, 2012
    #16
  17. Mike Duffy

    VanguardLH Guest

    WPS gets the PINs transferred between the endpoints. This is to
    automate the process where you used to manually write down the PIN and
    walk to the other endpoint to enter it: a manual and error prone
    process. Then WPA kicked in because now it had a shared key. Pushing
    a WPS button was for convenience to get the PIN to the other end
    without error-prone manual input and without having to do the walking.
    It does not supplant WPA.

    When running Reaver Pro, it only needs to capture one successful
    pairing. After that, the hash recomputing happens offline. Your
    router or AP is not getting flooded with WPS requests. Once Reaver
    records your pairing, it isn't scanning anymore and certainly not
    transmitting. You click the button to hack out the PIN which is done
    offline. Sometime later, like 8-10 hours, and after Reaver is done,
    you then tell it to connect using the discovered PIN. The listening is
    passive. Your router won't know about it. The only record you'll have
    (at a minimum) is when the hacker comes back with the discovered PIN.
    One WPS 10 hours later is hardly anything your router or AP will alert
    on regarding a flood of connection requests.
    Nope, it only takes the evil listener to capture ONE successful pairing
    between the endpoints to have all the data it needs to brute out the
    PIN from the hash while offline. Then the hacker, after getting a
    successful rehash, comes back and does the WPS connect request just
    *once*. Yep, just once. That's because he now has the correct PIN.
    There is no lockout (not available in all routers or APs) where N
    failed attempts result in having to wait X minutes before the next
    request is accepted. There was no failed request. They have your PIN
    already. That was done offline. They aren't slamming your router
    with repeated WPS broadcasts.
    True if you're only interested in your router not accepting evil WPS
    requests from the hacker. But don't you want to prevent your computer
    from also not connecting to the evil listener? I haven't thought out
    the scenario yet but I'm sure there's one where the user goes into
    Windows 7 and starts the WPS wizard and the evil listener with the same
    PIN as for the router or AP will intercept the broadcast. Remember
    that the PIN is permanent (for now) at the router and AP. It doesn't
    change. Even if you go into its web config to change the PIN, it's
    still permanent after that point. You push the WPS button on the
    router or AP but the evil listener will also acknowledge the WPS
    session started at your computer and pretend it's your router or AP.
    You've got 2 listeners with the same PIN vying to establish the
    handshake and establish a connection. Well, I bet the hacker might use
    a stronger signal to swamp out yours. In fact, from what I've seen of
    videos showing how to use Reaver Pro, they recommend certain brands and
    models because they have greater signal strength.
     
    VanguardLH, Oct 16, 2012
    #17
  18. Mike Duffy

    Char Jackson Guest

    I seriously doubt those reports, but I don't know the details. I'm
    primarily familiar with dd-wrt and Tomato, both of which have far more
    to offer than any stock firmware, so it's possible that those posters
    used something else. I feel very confident in saying, however, that it
    was most likely some kind of user error. The popular alternative
    firmwares have so many additional features and options that it's
    probably easy for someone to get lost. For them, going back to the
    stock firmware is a safe, but very limited, choice.
    The Wikipedia link sums it up pretty well, and makes it clear that the
    WPS vulnerability has nothing to do with the 'handshake and offline
    attack' vulnerability. They are two separate vulnerabilities. Check
    out the Security section.
    Is the above text copied from somewhere, (perhaps the link I snipped)?
    It's basically gobbledy-gook. Short WPS PIN? Every WPS PIN is the same
    length: 8 digits, which breaks down into 4 digits, 3 digits, and 1
    digit. Likewise the rubbish about short passphrases, within the
    context of the WPS vulnerability. When attacking that specific
    vulnerability, it doesn't matter how long or how gnarly the passphrase
    is, because no matter what it is or how often it gets changed, the
    router being attacked will happily cough it up anytime the attacker
    asks for it.
    Not true. Once you have the PIN, you have access to the passphrase, no
    matter how long it is, how big and gnarly it is, or how often it gets
    changed. The only time you don't have access to the passphrase is
    during the window between the time it gets changed and the time the
    correct PIN is attempted. That can be minutes or hours, depending on
    several factors. Since most people don't change their router's WPS PIN
    and WPA/WPA2 passphrase every few minutes, this remains an exploit
    that can be taken advantage of.
    No idea what any of that means, but I can tell you it has nothing to
    do with the WPS vulnerability. It looks like it contains pieces of the
    WPA/WPA2 bug, but that's not a clean fit either.
     
    Char Jackson, Oct 17, 2012
    #18
  19. Mike Duffy

    Char Jackson Guest

    Correct. That part is well known.
    Nope. Reaver (and its Pro version) care not about pairing or
    handshaking or whatever we should call it. That's not how Reaver
    works.
    Reaver does nothing offline. It's strictly an online tool. This seems
    to be where you're jumping over to the WPA/WPA2 bug, but that bug has
    nothing to do with WPS and Reaver.
    On the contrary, Reaver works by sending WPS requests as fast as the
    router will allow. With some routers and with good signal quality,
    that can be about 1 per second. Other routers, or sub-optimal wireless
    signal quality, can slow that way down to about 1 every 20 seconds. So
    flooded isn't the right word, granted, but you'd have to be extremely
    lucky to hit the right PIN on the very first attempt. There are about
    11,000 possibilities, so you have a 1 in 11,000 chance of guessing it
    the first time.
    Nope, Reaver continues to guess PINs until the target router says it
    has guessed correctly. When that happens, the router happily hands
    over the passphrase, which Reaver displays in the clear. As you can
    see, it doesn't matter how long or complicated the passphrase is since
    the router is just going to cough it up the moment you guess the right
    PIN.
    You're not describing Reaver. Reaver does nothing offline. It's
    strictly sending WPS requests with random PINs, hoping the router will
    say yes to one of them. As soon as it does, Reaver stops sending
    requests. Its work is done. Reaver never makes an actual connection
    to the router. All it wants is the router's passphrase, which it gets
    as soon as it guesses the right PIN. Once it gets it, Reaver's work is
    done. There's no need for Reaver to connect to the router using the
    discovered passphrase.
    I have my doubts that even 11,000 failed WPS attempts would be
    something the router's owner would be made aware of.
    OK, you're describing the WPA/WPA2 bug. I'm talking about the WPS bug.
    Two totally separate vulnerabilities, completely unrelated to one
    another.
    Yup, definitely not describing the WPS bug. I apologize for any part I
    may have played in the confusion, but from the start I was trying to
    keep the two issues separate since they are completely unrelated.
    Agreed, that applies to the WPA/WPA2 bug. I was primarily trying to
    discuss the WPS bug, though. Hence, my repeated mentioning of Reaver,
    which only applies to the WPS bug.
    I can't say that your scenario is impossible, but it seems pretty
    stretched. After all, once you use WPS to get a host associated with
    your router, you'll probably never have to do it again for that host,
    so the scenario (at best) would only be valid for new hosts being
    introduced to the wireless network. That isn't a frequent occurrence
    in most households, so the hacker would have to be very patient with
    his little honeypot. There's a lot more action to be had elsewhere, I
    think, so I don't think it's anything to worry about. Besides, on a
    Win 7 PC, unlike a wireless router, WPS isn't just sitting there
    waiting for connection attempts. Not by default, anyway.
    Reaver needs to associate with a router before it can start guessing
    WPS PINs, so a good steady wireless signal is mandatory. Dropped
    packets would stretch the hacking session way out. Crappy wireless
    hardware means you have to be pretty close, physically, to your
    target. Better equipment lets you attack from a greater distance.
     
    Char Jackson, Oct 17, 2012
    #19
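
The figures from the two posts above (an 8-digit PIN checked as 4 + 3 + 1 digits, about 11,000 possibilities, one attempt every 1 to 20 seconds), worked through as an added example that is not part of the original thread. The final digit is a checksum of the first seven; the lockout policy (a pause after N failed attempts) is a hypothetical router setting, included only to show how rate limiting stretches the worst case.

```python
# Added illustration, not from the thread. Lockout parameters are hypothetical.

def wps_checksum(first7: int) -> int:
    """Checksum digit the WPS spec derives from the first seven PIN digits."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)   # odd positions (from the right) weigh 3
        first7 //= 10
        accum += first7 % 10         # even positions weigh 1
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries the correct checksum digit."""
    return (len(pin) == 8 and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))


def keyspace(split: bool) -> int:
    """Worst-case number of guesses.

    split=True : halves confirmed separately (4 digits, then 3 + checksum).
    split=False: the 7 free digits would have to be confirmed as a whole.
    """
    return 10**4 + 10**3 if split else 10**7


def worst_case_hours(guesses, secs_per_guess, lock_after=None, lock_secs=0):
    """Hours to exhaust `guesses`; optionally the router pauses for
    lock_secs after every lock_after failures (hypothetical policy)."""
    total = guesses * secs_per_guess
    if lock_after:
        total += ((guesses - 1) // lock_after) * lock_secs
    return total / 3600


if __name__ == "__main__":
    n = keyspace(split=True)
    print("split keyspace:", n, "vs unsplit:", keyspace(split=False))
    print("1 guess/s     : %.1f h" % worst_case_hours(n, 1))
    print("1 guess/20 s  : %.1f h" % worst_case_hours(n, 20))
    print("1/s, 60 s pause per 3 failures: %.1f h"
          % worst_case_hours(n, 1, lock_after=3, lock_secs=60))
```

Even with the pause, the worst case stays within a few days, which is why the passphrase length never enters the calculation.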
  20. Mike Duffy

    Char Jackson Guest

    Those aren't WPS sessions. They are WPA or WPA2 sessions. You can
    precompute your own rainbow tables for popular SSIDs so that you can
    brute force the passphrase almost instantly after capturing a WPA/WPA2
    handshake. You can even purchase precomputed rainbow tables online, or
    have a custom rainbow table built for you. Each SSID has its own
    rainbow table of possible hashes.
    I listened to the section from about 42:00 to just after 72:00 and
    during that time they only talked about the WPA/WPA2 vulnerability. No
    mention was made of the WPS vulnerability. Is there another section
    that I should listen to? I hate to commit to the whole 80-minute thing
    because the guy talks so slowly and takes forever to make his points.
    Not exactly an engaging speaker.
     
    Char Jackson, Oct 17, 2012
    #20