http://www.hceda.org/newsDetail.aspx?id=282

Title:

Reaver: Wireless (In)Security Once Again

What:

2012 High School Cybersecurity Fair and Expo
http://www.midatlanticccdc.org/CCDC/

When:

Saturday, March 17, 2012   10:00 AM-4:00 PM

Where:

John Hopkins Applied Physics Lab,
Kossiakoff Conference and Education Center
11100 Johns Hopkins Road
Laurel Maryland 20723

Speaker: 

Terry Dunlap, Tactical Network Solutions

Abstract:

Just when you thought wireless networks were secure with WPA/WPA2 encryption, along comes WiFi Protected Setup (WPS) to make security even easier. Or does it? Due to a flaw in the WPS protocol, it is possible once again to access encrypted wireless networks with ease! Unfortunately, there is no simple fix to this rather large, world-wide security flaw. This talk will explain WPS, how it works, why it's broken, and demonstrate how easy it is to gain access using the free, open-source tool called Reaver.

bFLT is a lightweight alternative to ELF which is primarily used in embedded systems running uClinux. Bflt-utils includes:

• Bfltldr      - A bFLT loader for IDA Pro
• Readbflt  - Like readelf, but for bFLT files
• Flthdr      - A tool for manipulating bFLT files (from the elf2flt project) 

The bFLT IDA loader is arguably the most useful of the three. IDA unfortunately does not have a built-in bFLTloader, and although some simple bFLT loaders can be found floating around the Web, they neglect to patch the bFLT relocation and global offset tables. This means that precious string and data references aren't resolved properly in the resulting disassembly:

Bfltldr does process the relocation and global offset tables, resulting in a much easier to read disassembly:

The readbflt tool is also quite useful, as it not only lists all of the entries in the relocation and global offset tables, but also what data those entries point to:

Finally, flthdr is useful for manipulating bFLT binaries. Most notably, it allows you to extract compressed bFLT files:

Bflt-utils can be downloaded from its Google Code project page.

TNS Reaver Pro Demo from Tactical Network Solutions on Vimeo.

http://hakshop.myshopify.com/products/reaver-pro

The decision has been made to open source the Reaver command line tool. The commercial version will contain all the features the open source command-line tool has along with a web based client, support, and service options.

This means that the open source version of Reaver will have much requested features, such as identification of WPS enabled networks and pause/resume functionality.

This also means that Reaver will have the ability to specify specific options for a given model inside a database. In other words, if it is known that certain options are required or helpful when attacking XYZ router, you can put them in the database and they will be automatically applied whenever you target that model router. How often the FOSS database will be updated remains to be seen, obviously those paying for the support plan will take priority.

The latest Reaver release (1.3) now also implements the short DH key optimizations described in the original vulnerability release paper, which reduces computation time on the target AP and increases the attack speed.

Cracking WPS with Reaver from Zach on Vimeo.

Yesterday, Stefan over at .braindump released a white paper detailing vulnerabilities in the WiFi Protected Setup (WPS) protocol that allows attackers to recover WPA/WPA2 passphrases in a matter of hours.

This is a capability that we at TNS have been testing, perfecting and using for nearly a year. But now that this vulnerability has been discussed publicly we have decided to announce and release Reaver, our WPS attack tool, to the open source community. Reaver is capable of breaking WPS pins and recovering the plain text WPA/WPA2 passphrase of the target access point in approximately 4-10 hours (attack time varies based on the access point).

While we have released Reaver as an open source project, we also offer a commercial version with additional features and functionality as well as a support plan. Since nearly all access points manufactured in the past few years have WPS support enabled by default, attacking WPS provides several advantages over attacking WPA directly:

1. Cracking the WPS pin is, obviously, much faster.
2. Once you have the WPS pin you can instantly recover the WPA passphrase, even if the owner changes the passphrase.
3. Access points with multiple radios (2.4/5GHz) can be configured with multiple WPA keys. Since the radios use the same WPS pin, knowledge of the pin allows an attacker to recover all WPA keys.

Of course the disadvantage is that WPS can be disabled. However, in our experience even security experts with otherwise secure configurations neglect to disable WPS; further, some access points don't provide an option to disable WPS, or don't actually disable WPS when the owner tells it to.

To learn more about Reaver, visit our product page, or the open source project on Googlecode.