• Putting Wi-Fi router’s security to the test

    #486911


    TOP STORY

    Putting Wi-Fi router’s security to the test

    By Fred Langa

    If your Wi-Fi router supports Wi-Fi Protected Setup (WPS) — and most newer home/small-business routers do — it might easily reveal its passwords to a readily available hacking tool.
    You can use that tool to be 100 percent certain your router isn’t vulnerable to malicious WPS hacking. Here’s how.


    The full text of this column is posted at windowssecrets.com/top-story/putting-wi-fi-router-s-security-to-the-test (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1363480

      The full text of this column is posted at windowssecrets.com/top-story/putting-wi-fi-router-s-security-to-the-test

      Surprise! Broken link again.

      Would it be an idea not to use titles which contain apostrophes, as that breaks links every month?

      Bruce

      • #1363494

        Good gravy…if testing for WPS sensitivity and the possibility of insecure passwords, can this Linux process be made any more complex, extravagant or time-consuming?

        Regardless of how needed or extensive this Linux app may be…

        Surely this tool or its inner testing code can be had as a native Windows or Mac application, even if it’s a bootable app?

        Joe

    • #1363495

      Can’t believe that anyone would widely broadcast this kind of information. Yes, it may help a few to lock up their router security but it’s my bet that it will open the gateway for others with less honest intents to ‘give it a go’ …
      Surely machine gunning is not the wise way to approach sensitive material and as for the comment … Please don’t use Reaver for any purpose other than testing your own router’s security! … what an open invitation!

      • #1375775

        What you suggest is indeed possible, but I wonder how many digital delinquents and delinquent adults will take the time to read the article and then construct the Linux system with BackTrack? And if they’ve got the urge to do this, they probably have figured it out already.


    • #1363510

      Would anyone in their right mind ever try to follow that ridiculously complicated route? I stopped reading about half-way through and thought “NO WAY”

    • #1363561

      There is no mention of WPA2 (personal). Please advise how the use of this rather than just WPA will or will not prevent hacking.

      Russ

    • #1363566

      WPA2 supports a different encryption algorithm, AES, not supported by WPA. If you use WPA2, you are ok (generically speaking). You won’t be immune to the WPS hack, though.

      • #1363569

        > WPA2 supports a different encryption algorithm, AES, not supported by WPA.

        But what has that got to do with WPS and the topic of the article?

        > If you use WPA2, you are ok.

        The flaw allows a remote attacker to recover the WPS PIN in a few hours and, with it, the network’s WPA/WPA2 pre-shared key.
        http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup

        A flaw in a feature added to Wi-Fi, called Wi-Fi Protected Setup, allows WPA and WPA2 security to be bypassed and effectively broken in many situations.
        WPA and WPA2 security implemented without using the Wi-Fi Protected Setup feature are unaffected by the security vulnerability.

        http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

        Bruce
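        The reason the WPS PIN falls "in a few hours", as Bruce's Wikipedia quote puts it, is arithmetic rather than cryptanalysis. The following is an added example, not code from the column or from anyone in this thread: it implements the PIN checksum rule from the WPS specification, derives the effective number of guesses from the fact that the registrar confirms the two halves of the PIN separately, and converts that into a worst-case duration for an assumed (not measured) time per attempt. It is meant to show why no passphrase strength helps and why the only fix is disabling WPS.

```python
"""WPS PIN keyspace analysis (added example; not from the column or the thread).

Facts used, both from the Wi-Fi Simple Configuration specification:
  * a WPS PIN is 8 decimal digits, the 8th being a checksum of the first 7;
  * the registrar acknowledges the first 4 digits and the last 4 digits in
    separate protocol steps, so each half can be confirmed on its own.
"""


def wps_checksum_digit(first7: str) -> int:
    """Return the checksum digit the spec appends to a 7-digit PIN body.

    Digits at positions 0, 2, 4, 6 are weighted 3, the others 1; the
    checksum brings the weighted sum up to a multiple of 10.
    """
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    acc = sum(int(ch) * (3 if i % 2 == 0 else 1) for i, ch in enumerate(first7))
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if the 8-digit PIN's last digit matches the spec checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])


def keyspace() -> dict:
    """Number of guesses needed in the worst case under three models."""
    naive = 10 ** 8                 # what "8 digits" suggests at first glance
    checksum_only = 10 ** 7         # the 8th digit is derived, not free
    first_half = 10 ** 4            # 4 free digits, confirmed on their own
    second_half = 10 ** 3           # 3 free digits; the checksum is computed
    return {
        "naive": naive,
        "checksum_only": checksum_only,
        "split_worst_case": first_half + second_half,  # 11,000 guesses
    }


def worst_case_hours(seconds_per_attempt: float) -> float:
    """Worst-case time to exhaust the split keyspace at a given pace.

    The pace is an assumption for illustration; real throughput depends on
    the router and on any rate limiting it applies after failed attempts.
    """
    return keyspace()["split_worst_case"] * seconds_per_attempt / 3600


if __name__ == "__main__":
    # 12345670 is the well-known example PIN from the spec: body 1234567 -> checksum 0
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("guesses:", keyspace())
    print("worst case at 1.3 s/attempt: %.1f hours" % worst_case_hours(1.3))
```

A router that "locks" WPS after a run of failures (the rate-limiting warning several posters saw) stretches the figure above but does not change the keyspace; turning WPS off removes it.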

        • #1363664


          I didn’t mean to imply that the use of WPA2 would prevent the WPS flaw, because it does not. I understood the question in a different way, since it was clear to me that the WPS security fault did not depend on the encryption used – you don’t need to know anything about the encryption used or the password used, to add a device using WPS!
          I saw the question as a generic one, but it’s clear now that I should have seen it in terms of the WPS vulnerability.

          I have now clarified my statement.

          • #1363692

            Fred Langa says:

            Fortunately, there’s an easy shortcut: run Reaver via a preconfigured, live Linux installation on a bootable DVD. There’s almost no setup or configuration involved; no partitioning, reformatting, or any similar operations; and your original Windows setup remains untouched and unchanged.

            But then also says:

            To download and install Reaver — and to do your test-hacking later — you need to open a Linux command-line Terminal window.

            If Reaver must be installed, how can my Windows setup remain untouched?

            • #1363698


              You will install it in the Linux OS, that you will have booted from the DVD, so your Windows will remain untouched.

            • #1363724

              Even though my SSID is being broadcast BT5 can’t find it. Even if I search for hidden networks and input the SSID it still can’t find it. Guess it’s having trouble finding/using my wireless card. I’m using an Alienware M18XR2. Any suggestions?

              Great article BTW. Have used Gibson Research for years to “attack” my home network.

            • #1363885

              OK then, being a network neophyte I disabled WPS on my Belkin G router, leaving WPA/WPA2 PSK active.
              Now my Smartphone doesn’t connect, so what good is my WiFi system? How can I make it secure and useful without buying a new router?
              Thanks for any help.

            • #1363890


              Disabling WPS should not affect the ability of your smartphone to connect to the router in any way. What else have you changed?

            • #1363918

              Hi ruirib –
              All I am doing on the router web page is selecting ENABLED or DISABLED for WPS without changing anything else.
              When disabled, the Motorola Bravo sees my router’s name but is unable to connect to the internet. When WPS is again enabled, all works as expected. Admittedly, I am not too familiar with the other router settings.

            • #1364087


              You need to change the WiFi settings in your phone, as it is still connecting with WPS. 🙂

            • #1366195

              When I downloaded the BackTrack 5 R3 ISO file, burned it to a DVD, booted from it and issued the ‘startx’ command, I spent a little time looking at the various options that were available in the menus and noticed that Reaver was already installed in the OS. As far as I could tell, the installed version number is the same as the latest version I could find by searching for it on the web. Is it necessary (or advantageous) to use ‘apt-get’ to (re)install it after booting from the DVD?

              I skipped the install step but otherwise followed all the other steps in the article, but it has been running for over 30 hours now. The article said it should crack the WPS in 4 to 10 hours (averaging about half of that). Does this mean my router (a Western Digital My Net N900 router) is secure?

            • #1366956

              I ran this twice each on two different routers and got similar but different results:

              On one router All I got was ‘WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking’ several hundred times.

              The other router said ‘WARNING: Failed to associate with [MAC ADDRESS HERE] (ESSID: NETWORK SSID HERE)’ several hundred times.

              Both with no official-looking end, like it would just keep on doing this forever. Does this mean I’m secure? Or do I need to keep waiting for a final result?

              Dan

            • #1369959

              I was able to follow the instructions for BackTrack and then Reaver to the point that I entered “airmon-ng start wlan0” at the prompt. At that point, I got an interesting message:

              Found 3 processes that could cause trouble.
              If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!
              PID Name
              2593 dhclient3
              2663 dhclient3
              3345 dhclient
              Process with PID 2663 (dhclient3) is running on interface wlan0

              Interface wlan0
              Chipset unknown
              Driver brcmsmac – [phy0] (monitor mode enabled on mon0)

              At this point, entering “airodump-ng wlan0” at the prompt cycles through the 12 channels repeatedly (I let it run for over two hours) and returns no BSSID information on anything…and I know there are a number of networks around my house!

              Any idea why nothing at all is showing up? Should I be killing some processes?

              Thanks!
              Mike (GrampaMike)

            • #1375772


              I’ve been away for a while, and see there was a reply that apparently was removed by the moderators. His information wasn’t exactly correct. The truth is that it has to do with the support of the Linux version you’re using for the adapter installed on the machine, not an adapter issue per se. In fact, this error “not supported” may return if you’re operating with insufficient permissions, although with BackTrack, that is not the case, as you’re operating as “root”.

              There should have been a disclaimer in the article that Linux support for wireless, especially laptops, has been problematic, but you could Google your adapter to see if there are workarounds. Some people have had success using a Windows driver and Ndiswrapper, but it’s not a sure thing either.

              The dhclient processes reflect the command that is attempting to get an IP from the DHCP server. Obviously, that won’t happen if the wireless devices aren’t connected (password defeated). It’s not interfering with anything.

            • #1363921

              Well, I tried this a few more times, and I can connect using WiFi with WPS disabled. Guess I pushed the panic button too soon! LOL

            • #1363944

              Has anyone actually got this thing to work??? I have downloaded both 32 and 64 bit versions. Both stop just before the GUI interface is supposed to appear. The screen goes black and the signal is lost to the monitor. Did Fred miss an instruction or give the wrong one???

            • #1363999


              That’s more like it :). Glad you got that working.

            • #1364692


              My son had the same problem. This is what I found.

              He has a D-Link DIR-615 router (I don’t know what version but on login you have to use Captcha), a laptop and a desktop that he was moving from wired to wireless as he was moving it away from the router and didn’t want to run cabling. The laptop would detect the SSID but the desktop wouldn’t but it would find all the neighborhood SSID’s. As a default, the router used auto-channel, so I disabled that and selected a channel, 3, that nobody else around was using. (I have software that detects the channels of local SSID’s). After that the desktop detected the SSID and connected to the Internet once I entered the security code.

    • #1364034

      Hi Fred

      thanks for this very interesting article… I tried to follow your step by step instructions to test my security and had the following problem:

      – you said to type the command “airmon – ng start wlan0”
      – I did, and got an error message saying that airmon was unknown (precise message below)
      No command ‘airmon’ found, did you mean:
      command ‘mirmon’ from package ‘mirmon’ (universe)
      airmon: command not found

      I don’t know anything about Linux, but being a software developer in the Windows world, I’m not totally without resources, so I decided to try to install this package the same way I installed Reaver previously, but even the apt-get install airmon did not succeed.

      This happened while using the EXACT same distribution of linux you are describing (backtrack 5 R3, 32 bits)

      Please advise.
      Of course, I’m available for any supplemental information/test you may need to investigate this problem

      Fabrice Harari
      http://www.fabriceharari.com
      fromweb@fabriceharari.com (all of you frightened to see an email address fully naked, thank you, but I do have a top of the line spam filter :rolleyes: )

      • #1364058


        Fabrice,

        I believe the command is airmon-ng (in one word, no spaces) not airmon -ng (command with one option). Some of the other commands apparently also end in -ng. At least that worked for me.

        Hope this helps
        mo.eu

        • #1364063

          You are perfectly right…

          My windows deformed mind wanted to see the -ng as a parameter when it was part of the command.

          Thanks… Reaver is trying to crack my router security as I write… With just a “waiting for beacon” message for now

    • #1364053

      I have read both articles but I actually got stopped in the first article (last week). My router is a WRT54G that I have been using for several years. When I look at its Wireless screen, or any other screen, it does not mention WPS at all. Does that mean that it is too old for WPS? Is that a good thing?

      Thanks, Bill

      • #1364064


        Yes, it’s a good thing.

        Cisco/Linksys WRT54G has SES (Secure Easy Setup), an early version without the vulnerable PIN option: Wi-Fi routers: Oldies are goodies

        SecureEasySetup, or SES
        This technology has been succeeded by the industry-standard Wi-Fi Protected Setup.
        Unfortunately, Wi-Fi Protected Setup was recently broken and has been shown to be easily breakable with brute-force attacks.
        http://en.wikipedia.org/wiki/SecureEasySetup

        Bruce

    • #1364066

      Thanks, Bruce, that’s good news!
      Bill

    • #1364067

      Went through the procedure to produce a bootable Linux system with BackTrack. Rebooted my Laptop with the DVD. Got all the way to the point of entering “startx” to bring up the graphical interface, then nothing. Just a blank screen. 🙁 Could not proceed.
      ACER Aspire 5733Z laptop,Intel HD Graphics, 4GB memory.

      Any help would be appreciated.

    • #1364083

      Congrats on a well written article about Backtrack and Reaver. It sounds like it should work if the Backtrack distro is loaded into a virtual machine running under Oracle’s Virtual Box. I have a policy of running Linux only in a VM, since a virtual machine goes a long way toward protecting my Win 7 Vbox host OS. Will the procedure described in your article work from within a Virtual Box VM? It sounds like it should.

      Perhaps I should just download it and try it, which would take a fair amount of time – but I am lazy. Perhaps on the other hand I should just go ahead and do it since it really won’t matter if today really is the end of the world as the Mayan calendar suggests.

      • #1364184

        Great article on a complicated procedure. My laptop is an HP Pavilion dv6 and everything works fine until I get to the step airmon-ng start wlan0. This command does not list any items below “Interface Chipset Driver”, but instead it just hangs. The laptop uses the Intel Centrino Wireless-N 1000 chip, and I am guessing BackTrack does not have the chip’s drivers installed. There are quite a few hits when I Google “airmon-ng hp pavilion” so I am sure plenty of other people are having the same problem.

      • #1364194

        From gleaning on the Internet, I get the idea that if you run Backtrack/Reaver within a virtual machine, your wireless device must be USB connected. See http://www.backtrack-linux.org/wiki/index.php/Wireless_Drivers#Tested_and_working_cards

    • #1364199

      Several observations. First, the live Linux distros use the optical drive as a read-only drive, and create a read/write RAM drive for the operating system. They don’t touch the hard drive, although some may mount it by default (I don’t know about BackTrack). It’s easy enough to unmount it if you’re concerned. Otherwise, your Windows installation isn’t involved or at risk.

      Linux support for both graphics cards and wireless devices is a known issue. The symptoms described in several posts here likely reflect that. FWIW, the X window system is not needed, since everything done there can be done from the command line. Trying to get a non-supported wireless device to work is possible, but probably more trouble than worthwhile for this exercise. 🙂

      • #1364618

        Used wash to scan – it reported WPS Locked: No, but following the process and commands in Fred’s column had Reaver continually retrying the same PIN during an overnight scan.

        I’m a Linux newbie and have reached the limit of my knowledge – HELP!

        • #1365216

          Thank you Fred! This was a challenging and fun project. After adding a good BT-compatible wireless card, a budget TP-Link TL-WN722N, it worked great. New router is in the works. It was also fun to work with Linux again after many years. Thanks again. Bob F.

    • #1365239

      I’ve tried this on two laptops but BT5 still can’t find my network. Looks like a problem with the wireless cards. This process is way too convoluted to continue.

    • #1368951

      I ran the procedure overnight on a Belkin F6D4230-4 with WPS disabled and nothing happened after the line
      [+] associated with the beacon [BSSID]

      I tried it with a D-Link DIR 615 C1 (not connected to the Internet) with WPS disabled with the same result as above.

      I then enabled WPS on the D-Link. It repeats similar messages as quoted in the article.
      I then have had some successful pin attempts but the failure rate for the same pin is very high.

      I will leave it running.

    • #1369025

      The exercise here uses a tool to demonstrate that WPS can be more easily defeated, rather than prove relative security. After all, Reaver is just one program. 😉

    • #1375871

      A defeated password doesn’t necessarily mean “game over”. The savvy user will employ other measures to make access more challenging. This article doesn’t cover those; it simply illustrates why WPS should be disabled.
