Putting Wi-Fi router's security to the test



Fred LangaBy Fred Langa
If your Wi-Fi router supports Wi-Fi Protected Setup (WPS) — and most newer home/small-business routers do — it might easily reveal its passwords to a readily available hacking tool.
You can use that tool to be 100 percent certain your router isn't vulnerable to malicious WPS hacking. Here's how.
Recap: Why WPS routers are typically not secure
Think your Wi-Fi router's safe because you use a long and complex passphrase? Think again! In the Dec. 13 Top Story, I discussed a fundamental security flaw in most routers using WPS technology.
In short, all WPS-enabled routers have a built-in, easily hackable back door: a simple, vendor-assigned PIN (personal identification number) of just six to eight numerals. This PIN can easily be guessed by free hacker tools that run on ordinary laptops — or even smartphones.
A hacked WPS PIN opens the door to your entire Wi-Fi network. With the correct PIN, an attacker can recover a router's passphrase, giving him full access to a Wi-Fi network. Here are the key points from last week's story:
  • All WPS-enabled routers are vulnerable to this kind of PIN hacking.
  • The only way to prevent this type of hacking is to disable WPS.
  • Some routers are supposed to time-limit or otherwise automatically disable WPS, but there's no obvious way to know whether this is working.
  • Some router configuration software is faulty; even if you disable WPS in the router's setup menus, WPS will actually still remain active — and vulnerable.
  • The only sure way to determine whether your router is vulnerable to WPS PIN hacking is to test-hack it yourself. The easiest way to do so is with a free, open-source, white-hat hacking tool called Reaver.
In this article, I'll walk you through the use of Reaver and some associated tools so you can see whether your own network is vulnerable to WPS hacking.
Note: Reaver's intended use is to sniff out router vulnerabilities so they can be corrected. However, black-hat hackers can also use it to steal PINS or for other malicious purposes. I shouldn't have to say this, but for the record:
Please don't use Reaver for any purpose other than testing your own router's security!
Let's get started!
Building a bootable Linux system with BackTrack
Reaver is a Linux-based tool that's almost absurdly easy to use. A simple, one-line command sets off its WPS PIN-sniffing process. If your router is vulnerable, Reaver will find its PIN within a few hours. It will then use the PIN to recover and reveal the router's passphrase — as simple as that.
For many Windows users, the hardest part of using Reaver is getting Linux going and gathering the Wi-Fi configuration information Reaver requires.
Fortunately, there's an easy shortcut: run Reaver via a preconfigured, live Linux installation on a bootable DVD. There's almost no setup or configuration involved; no partitioning, reformatting, or any similar operations; and your original Windows setup remains untouched and unchanged.
There are many bootable Linux distributions (versions) available, but I picked BackTrack 5, a self-contained, free, bootable, Debian Linux installation that's optimized for network security testing. The BackTrack home page has links to hardware and Wi-Fi compatibility information, how-tos, troubleshooting, training info, FAQs, and more. It's worth spending some time there.
Here's how to install BackTrack 5, step by step.
  • When you're ready to go, grab a free copy of BackTrack from its download page. As shown in Figure 1, I chose a 32-bit, ISO, Gnome-desktop version of the BackTrack Live DVD, downloaded directly (not via Torrent) to my Windows-based PC. All following screenshots are based on that version of BackTrack.
    BackTrack download
    Figure 1. My selected options for downloading BackTrack
  • Once the 3.1GB download finished, I burned it to DVD. (Need help? See Microsoft's article, "Burn ISO images natively in Windows 7.")
  • Now insert the bootable BackTrack disc into your Wi-Fi-capable desktop or laptop and reboot.
    Initially, the BackTrack DVD boots to a plain screen showing just a line of informational text and a Linux command prompt that says, simply, boot. When you see that prompt, press Enter.
    BackTrack boot
    Figure 2. BackTrack's initial Linux command-line boot prompt
  • Next, you'll see a screen labeled BackTrack 5 CD. BackTrack's boot process pauses to let you select various optional configurations. For our purposes, the default choice — BackTrack Text (selected in Figure 3) — is fine. Press Enter — or do nothing and let BackTrack automatically boot in 30 seconds.
    BackTrack auto launch
    Figure 3. BackTrack will automatically launch.
  • After a flurry of system activity, you'll see at the bottom of the screen a text-mode command prompt. Mine read: root@bt:~#, but yours might be slightly different, depending on your setup.
    BackTrack command prompt
    Figure 4. Look for the command prompt (typically something likeroot@bt:~#) at the bottom of a long screen of text.
  • Now launch BackTrack's full graphical desktop interface. Type startx at the command prompt and press Enter.
    Start BackTrack graphics
    Figure 5. Entering startx at the command prompt launches BackTrack's graphical desktop interface.
  • After a few moments, BackTrack's desktop will appear. You now have a familiar point-and-click environment that's conceptually much like Windows.
    BackTrack's GUI desktop
    Figure 6. BackTrack's Windows-like desktop
  • Currently, BackTrack 5 does not come with Reaver preinstalled, but it's simple to add it. To start, you need to connect temporarily to your Wi-Fi network.
    On BackTrack's main screen, click Applications/Internet/Wicd Network Manager.
    BackTrack Wicd Network Manager
    Figure 7. Connecting to Wi-Fi via BackTrack's Wicd Network Manager
  • If your network is broadcasting its service-set identifier (SSID — your network's name), select it from the resulting list. Click Connect and enter your Wi-Fi network's normal passphrase.
    If you've previously disabled SSID broadcasting, click Wicd Network Manager's Network button and select Find a Hidden Network. Type in your network's SSID and passphrase.
    To download and install Reaver — and to do your test-hacking later — you need to open a Linux command-line Terminal window.
    Linux terminal
    Figure 8. Look for BackTrack's command-line Terminal button at the top of the screen.
  • Next, update BackTrack's list of available apps by typing the following string at the command prompt:
    apt-get update
    Update apps
    Figure 9. Updating BackTrack's applications
  • When the update is finished, install Reaver by typing the following text at the command prompt:
    apt-get install reaver
    Install Reaver
    Figure 10. Installing Reaver from the terminal command prompt
  • With Reaver installed (it has no graphical interface; just follow the text that appears on-screen), go back to the Wicd Network Manager window and click Disconnect to turn off your Wi-Fi connection.
Identifying your specific wireless LAN
The next step is to gather some information about your specific Wi-Fi interface and setup. Fortunately, all the tools you'll need are built into BackTrack.
  • Start by finding your system's wireless LAN (wlan) interface identifier. It's easy: At a Terminal window's command prompt, type iwconfig and press Enter. Next, look for an entry labeled wlan[X], where [X] is a number such as 0, 1, or 2. Most systems' wireless LAN interface will be wlan0, as highlighted in Figure 11.
    LAN interface identifier
    Figure 11. My system's wireless LAN interface identifier, highlighted in yellow
  • Now, put your wireless card into monitor mode so it can listen passively to all the Wi-Fi routers within range. Enter the following command at a terminal window's prompt:
    airmon-ng start wlan0
    (If your wireless interface was identified as wlan1, wlan2, or some other designator, use that instead ofwlan0.)
  • You'll see output that looks something like what's shown in Figure 12. Make note of the monitor mode enabled on mon[X] line (again, [X] will be a number such as 0, 1, 2, etc.). In most cases, the monitor mode will be mon0.
    Monitor mode number
    Figure 12. In passive-monitoring mode, the monitoring mode's numeric designator is typically mon0.
A brief technical aside might make the next step easier to understand. As mentioned earlier, your Wi-Fi router's SSID is the network name it broadcasts. But an SSID actually has two separate, independent components: the human-friendly name of a Wi-Fi network, formally known as the ESSID (extended service set identifier); and a manufacturer-assigned, alphanumeric, machine-friendly BSSID (basic service set identifier).
  • The next step is to find your router's BSSID. In a terminal window, type:
    airodump-ng wlan0
    As before: if necessary, change the wlan0 to match your Wi-Fi LAN's designator.
  • The above command will produce a live display (or dump) of information from all Wi-Fi LANs in range of your system. Find your LAN's ESSID (human-friendly name) on the right side of the list, and then make a note of its associated BSSID on the left. In this case, my ESSID is NETGEAR and the BSSID isA0:21:B7:B0:D1:A1.
    LAN ESSID and BSSID
    Figure 13. Finding your router's BSSID by looking for its ESSID (I've blurred some of the information from my neighbors' routers to protect their privacy.)
If you previously disabled SSID broadcasting, and your router does not appear on the airodump-ng listing, congratulations! Your router should not be vulnerable to WPS hacking. You're done — you don't have to go on to the next steps.
On the other hand, if your router does appear on the list, it's time to get, ah, cracking with Reaver.
Letting Reaver do its PIN-cracking thing
A Reaver run typically takes two to 10 hours. It's best to start Reaver in the evening (when you don't need your PC or your Wi-Fi) and let it run overnight. You can check the results in the morning.
The following steps will work in the majority of cases, but if you run into trouble getting Reaver to work, check out its wiki, FAQ, hardware-compatibility info, etc. on the Reaver site. If that doesn't help, there's a list of additional resources at the end of this article.
  • Set Reaver loose on your network with the following one-line command, entered in a BackTrack Terminal window. Replace the items in square brackets with your network's specific designators.
    reaver -i mon[X] -b [BSSID] -vv
    For example, using my mon0 monitor interface and A0:21:B7:B0:D1:A1 BSSID, my command is:
    reaver -i mon0 -b A0:21:B7:B0:D1:A1 -vv
  • Press Enter; Reaver will then try to initiate a WPS session with your router (repeatedly, if necessary) and will then try to hack in by plodding through all possible WPS PIN codes — one after another.
    Figure 14 shows the kinds of messages it might display as it attempts to hack your WPS PIN.
    Reaver dump
    Figure 14. Reaver tells you everything it's doing, including the status of its connection attempts and the PINs it's trying.
If you previously turned off WPS and/or disabled SSID broadcasting in your router's configuration screens (as recommended in last week's Top Story), Reaver will fail to find a working PIN and passphrase. If so, congratulations! You're safe from WPS hacking.
But if Reaver finds a working PIN (and/or the router's passphrase), it will be displayed on-screen. In that case, you'll know that your router is vulnerable to WPS hacking. Thank your lucky stars that you found this vulnerability before local hackers did!
To possibly eliminate the WPS vulnerability, check your router manufacturer's support pages to see whether there's a new firmware update available for your router. If so, download and install the new firmware, and then re-test the new setup with Reaver.
If the updated firmware also succumbs to Reaver, your only real options are to get a better, newer router that properly controls and disables WPS, or replace the factory firmware with third-party firmware from a resource such as the open-source dd-wrt.com (site).
And of course, test the new router or firmware with Reaver, too!

Comments

Post a Comment

Popular posts from this blog

VITZ “INSERT MAP CD” SOLUTION

Image
By   Moonis ( zaitron )   on   December 3, 2010 For those of you who have a JDM navigation system installed in their Toyota (vitz, belta, axio, etc) and get the following message on their navigation system “INSERT MAP CD”, i have the solution for you. All that the system needs is a boot CD that will bypass this message. After that you will be able to use most of the features of the system like controlling the treble/base, maintenance log, etc. Everything, apart from the actual GPS navigation will be activated (for that, you require a map file of Pakistan, which unfortunately isn’t available for any system apart from Garmin). Usually you can go to the market (audio stores) and pay Rs.500-2000 for them to unlock your system. Instructions: First thing you need to do is to know the model number of the system you have installed in your car, for eg, NDCN W55 etc. (Model number is usually written at the bottom right of the unit). After that, download the file from mega
Read more

Make ready your horses !

Image
Assalam o alaikum, I just wanted to share a thought that has come to my mind regarding war in which nuclear weapons could be used. I might be wrong in my perception but I just thought to share it and get valued opinions of the members. Quran says: "Tayyar rakho apni taqat aur apni quwwat aur zara-e-jang ke sath, takey HAIBAT tari ho jaey unke dilon per jo dushman hen Allah ke aur tumharey dushman" I have highlighted the word 'Haibat'. It means to strike terror into the hearts. Being a muslim it's our firm belief that every single word of Quran is full wisdom. Quran talks not about 'destruction' of the enemies. It does not say that we should be equiped with modern weaponary so that our enemy is 'Destroyed' by it. It says that we should be equiped so that we can strike terror into the hearts of our enemies. If we observe, this is exactly what has stopped India from attacking Pakistan on a number of occassions. E.g. After attac
Read more

Halal and Haram in Chocolates and Ice Creams

Image
HALAL & HARAM DIRECTORY O believers ! Eat of the good things that We have provided you with and give thanks to Allah. (2: 172) Though thorough research has gone into producing this guideline, it is by no means complete and only covers the common products as it is very difficult to obtain exactly the listing of halal and haram ingredients present in all products. Also, companies are constantly changing their product ingredients and Muslims should always be aware that what is originally certified halal might in the future be haram and vice versa. Due to aggressive campaigning by The Vegetarian Society, UK, most products now display their symbol ‘Suitable For Vegetarians’ which means that there is NO animal content in that particular product, making it halal. However, a product can still contain alcohol, making it haram . Please check. Points to note: · Medicine containing alcohol is not permissible unless on authority of a doctor with no alternative med
Read more