Breaking WPS with Reaver

1 Breaking WPS with Reaver
Ian Miller & Zach Shepherd

2 What is WPS
- WiFi Protected Setup
- Introduced in 2006
- Included in most major brand routers
- WPS is typically enabled by default
- Intended to make setting up “easy” for users

3 WPS Modes
- PIN
  - Internal Registrar: The client device has a PIN that must be entered into the AP interface to set up.
  - External Registrar: The AP has a unique PIN that must be entered into the client device to allow it to connect.
- Push Button Connect: A button is pressed on both the AP and the client device within a timeout period, which initiates the connection.

4 The Exploit
- WPS requires PIN/External Registrar to be supported
- WPS PIN is 8 digits
  - This gives 10^8 or 100,000,000 possible combinations
- WPS reports back with a NACK if the first 4 digits are incorrect
  - Reduces entropy of the first half to 10^4 or 10,000 combinations
- WPS then reports on the final 4 digits
  - Last digit is a checksum
  - So entropy is reduced to 10^3 for the last half, or 1,000 combinations
- So, it only needs to check 11,000 combinations in the worst case
- Each authentication check takes 0.5-3 seconds

5 Reaver
- A script that implements the exploit
- Takes from seconds to 10 hours to crack
  - Average is about 4 hours
- Sometimes the default PIN is still used
  - Takes almost no time at all
- Included in BackTrack 5 and in Kali
- Very easy for anyone to use

6 Reaver In Action - Using Airodump

7 Reaver In Action- Copy the BSSID

8 Reaver In Action- Start Running
Now all we have to do is type

    reaver -i moninterface -b bssid -vv

So using the previous example we would type

    reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv

Reaver will now start trying a series of PINs.

9 Reaver In Action- After Running

10 Solutions
- Disable WPS
  - Doesn’t always work
  - Not viable for average user
- Have a timeout after incorrect attempts
  - Usually have to buy a “newer” router
- Change the firmware on your router
  - Use a program like DD-WRT
- Lock your WPS PIN in router settings
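
The arithmetic from slide 4 and the effect of the lockout mitigation from slide 10, as an added example that is not part of the original presentation. It uses the standard WPS PIN checksum (alternating weights 3 and 1); the function names, the sample PIN and the lockout policy values are constructed assumptions.

```python
# Added example: arithmetic behind the split-PIN search space and lockout delays.

def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven PIN digits (weights 3,1,3,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if `pin` is 8 ASCII digits whose last digit matches the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])

def search_space() -> dict:
    first_half = 10 ** 4    # digits 1-4 are accepted or rejected on their own
    second_half = 10 ** 3   # digits 5-7; digit 8 is fixed by the checksum
    return {
        "naive_8_digits": 10 ** 8,
        "valid_checksum_pins": 10 ** 7,
        "split_worst_case": first_half + second_half,
    }

def worst_case_hours(seconds_per_attempt, lock_after=None, lock_seconds=0):
    """Hours to exhaust the split search space, optionally with an AP lockout.

    lock_after / lock_seconds are assumed policy values, not taken from the slides.
    """
    attempts = search_space()["split_worst_case"]
    total = attempts * seconds_per_attempt
    if lock_after:
        # One lockout after every `lock_after` failures; the last attempt succeeds.
        total += ((attempts - 1) // lock_after) * lock_seconds
    return total / 3600

if __name__ == "__main__":
    print(search_space())
    print("12345670 valid:", is_valid_pin("12345670"))   # constructed sample PIN
    for secs in (0.5, 3):                                 # per-attempt range from slide 4
        print(f"{secs}s/attempt, no lockout: {worst_case_hours(secs):.1f} h")
    # Constructed policy: lock for 60 s after every 3 failures.
    print(f"3s/attempt, 60s lock per 3 failures: {worst_case_hours(3, 3, 60):.1f} h")
```

With the constructed 60-second lockout, the worst case rises from roughly 9 hours to roughly 70 hours, which delays the search but leaves the 11,000-guess ceiling in place.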

11 Q&A

