Wireless Security Tool Update: New EAPScan Features Check for WPS

Posted on January 13, 2012

Recently, WPS has been given a lot of attention due to research by Stefan Viehböck that exposed a vulnerability that allowed the PIN of WPS enabled devices to be brute-forced in an efficient manner.

This is a major concern because it can ultimately expose the WPA passphrase used to join the network.

Because WPS is an Expanded EAP type, SecureState added support to the EAPScan tool of the EAPeak Suite to actively probe an access point and check whether WPS is enabled.

Wi-Fi Protected Setup is used for easily configuring wireless devices to join a network. Many of the inner workings of WPS are explained in Viehböck's whitepaper.

The protocol itself is based on the Extensible Authentication Protocol (EAP), specifically the use of an “Expanded EAP” type as described in RFC 3748 Section 5.7. WPS uses a Vendor ID of 0x372A, but like most Expanded EAP types, it defines and utilizes its own fields.

The latest revisions of EAPScan add support for the --check-wps option, which actively probes an access point to determine whether WPS is enabled.

This option is functionally equivalent to specifying an EAP type of 254 and an identity of “WFA-SimpleConfig-Registrar-1-0”, both of which can also be given directly on the command line.
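The exchange behind that option, as an added example that is not part of the original post or of the EAPeak code: a small parser for the RFC 3748 packet layout and its Expanded type (Type 254, a 3-byte Vendor-Id, a 4-byte Vendor-Type, then vendor data), plus a classifier a defender can run over captured EAP frames to spot a WFA-SimpleConfig identity and an access point answering with the 0x372A Expanded type. The Vendor-Type value 1 (Simple Config) is taken from the WPS specification, not from the post, and the sample frames are constructed here, not captured.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# EAP constants from RFC 3748 (Section 4 packet format, Section 5.7 Expanded Types)
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_EXPANDED = 254

# Wi-Fi Alliance Vendor-Id used by WPS, as named in the post
WFA_VENDOR_ID = 0x372A
# Vendor-Type 1 = Simple Config; from the WPS specification, not from the post (assumption)
WFA_VENDOR_TYPE_SIMPLECONFIG = 1
# Identity that --check-wps sends in EAP-Response/Identity (from the post)
WPS_REGISTRAR_IDENTITY = b"WFA-SimpleConfig-Registrar-1-0"


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]      # None for Success/Failure, which carry no Type octet
    vendor_id: Optional[int]     # only set for Expanded (254) types
    vendor_type: Optional[int]   # only set for Expanded (254) types
    data: bytes                  # Type-Data, or Vendor-Data for Expanded types


def build_eap(code: int, identifier: int, eap_type: int, type_data: bytes) -> bytes:
    """Serialise an EAP Request/Response: Code(1) Id(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data


def build_expanded_type_data(vendor_id: int, vendor_type: int, vendor_data: bytes = b"") -> bytes:
    """Type-Data layout for Type 254: Vendor-Id(3) Vendor-Type(4) Vendor-Data."""
    return vendor_id.to_bytes(3, "big") + struct.pack("!I", vendor_type) + vendor_data


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet, validating the Length field before trusting any offset."""
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("EAP Length field inconsistent with buffer")
    body = buf[4:length]
    if not body:  # Success/Failure (or an empty Request) has no Type octet
        return EapPacket(code, identifier, None, None, None, b"")
    eap_type = body[0]
    if eap_type != EAP_TYPE_EXPANDED:
        return EapPacket(code, identifier, eap_type, None, None, body[1:])
    if len(body) < 8:
        raise ValueError("Expanded EAP type truncated")
    vendor_id = int.from_bytes(body[1:4], "big")
    (vendor_type,) = struct.unpack("!I", body[4:8])
    return EapPacket(code, identifier, eap_type, vendor_id, vendor_type, body[8:])


def classify_wps(pkt: EapPacket) -> Optional[str]:
    """Label WPS-related EAP traffic, or return None for everything else."""
    if (pkt.code == EAP_CODE_RESPONSE and pkt.eap_type == EAP_TYPE_IDENTITY
            and pkt.data.startswith(b"WFA-SimpleConfig-")):
        return "wps-identity"          # a station asking the AP to start WPS
    if pkt.eap_type == EAP_TYPE_EXPANDED and pkt.vendor_id == WFA_VENDOR_ID:
        return "wps-expanded-eap"      # WSC messages carried in the WFA Expanded type
    return None


def ap_answers_wps(frames: List[bytes]) -> bool:
    """True if any AP-originated Request is a WFA Expanded-type message, i.e. the
    access point accepted the registrar identity and started a WPS exchange."""
    for frame in frames:
        try:
            pkt = parse_eap(frame)
        except ValueError:
            continue   # malformed frames are skipped rather than trusted
        if pkt.code == EAP_CODE_REQUEST and classify_wps(pkt) == "wps-expanded-eap":
            return True
    return False


# Constructed sample exchange (not a real capture): identity request, the registrar
# identity response that --check-wps sends, and the AP's WFA Expanded-type reply.
SAMPLE_EXCHANGE = [
    build_eap(EAP_CODE_REQUEST, 1, EAP_TYPE_IDENTITY, b""),
    build_eap(EAP_CODE_RESPONSE, 1, EAP_TYPE_IDENTITY, WPS_REGISTRAR_IDENTITY),
    build_eap(EAP_CODE_REQUEST, 2, EAP_TYPE_EXPANDED,
              build_expanded_type_data(WFA_VENDOR_ID, WFA_VENDOR_TYPE_SIMPLECONFIG,
                                       b"\x01\x00")),   # constructed vendor-data bytes
]

# Same station probe, but the AP answers with PEAP (Type 25) instead: WPS not offered.
SAMPLE_NO_WPS = [
    build_eap(EAP_CODE_REQUEST, 1, EAP_TYPE_IDENTITY, b""),
    build_eap(EAP_CODE_RESPONSE, 1, EAP_TYPE_IDENTITY, WPS_REGISTRAR_IDENTITY),
    build_eap(EAP_CODE_REQUEST, 2, 25, b"\x20"),        # constructed PEAP start frame
]

if __name__ == "__main__":
    for frame in SAMPLE_EXCHANGE:
        pkt = parse_eap(frame)
        print(f"code={pkt.code} type={pkt.eap_type} vendor_id={pkt.vendor_id} -> {classify_wps(pkt)}")
    print("AP answers WPS:", ap_answers_wps(SAMPLE_EXCHANGE), ap_answers_wps(SAMPLE_NO_WPS))
```

On the defensive side, the same two checks applied to EAP frames carved out of EAPOL captures tell you whether a station on your network sent the registrar identity (someone probing for WPS) and whether your access point answered it with a Simple Config exchange, which is the condition the post's --check-wps option reports.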

Once WPS is identified, one of the tools based on Viehböck's paper, such as reaver-wps, can be used in an attempt to attack the access point.

Figure 1: EAPScan using the --check-wps option

Find out more about resources related to this attack here:

Stefan Viehböck's Whitepaper: http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

EAPeak Suite: eapeak

Expanded EAP Specification: http://tools.ietf.org/html/rfc3748#section-5.7

Reaver-WPS Tool: http://code.google.com/p/reaver-wps/

Cross-posted from SecureState
