Wireless Security Tool Update: New EAPScan Features Check for WPS

Thursday, January 12, 2012

Spencer McIntyre


Recently, WPS has been given a lot of attention due to research by Stefan Viehböck that exposed a vulnerability that allowed the PIN of WPS enabled devices to be brute-forced in an efficient manner.

This is a major concern because it can ultimately expose the WPA passphrase used to join the network.

Due to the fact that WPS is an expanded EAP type, SecureState added support to the EAPScan tool of the EAPeak Suite to actively probe an access point to checkif WPS is enabled.

Wi-Fi Protected Setup is used for easily configuring wireless devices to join a network. Many of the inner workings of WPS are explained in Viehböck's whitepaper.

The protocol itself is based on the Extensible Authentication Protocol (EAP), specifically the use of an “Expanded EAP” type as described in RFC3748 Section 5.7. WPS uses a Vendor ID of 0x372A, but like most Expanded EAP types, it defines and utilizes its own fields.

The latest revisions of EAPScan has added support for the --check-wps option which will actively probe an access point to determine if WPS is enabled.

This option is functionally similar to specifying an EAP type of 254 and an identity of “WFA-SimpleConfig-Registrar-1-0” which can also be specified from the command line.

Once WPS is identified, one of the tools based on  Viehböck's paper, such as reaver-wps, can be used in an attempt to attack the access point.

Figure 1: EAPScan using the --check-wps option

Find out more about resources related to this attack here:

Stefan Viehböck's Whitepaper:http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

EAPeak Suite: ode.google.com/p/eapeakhttp://c


Expanded EAP Specification: http://tools.ietf.org/html/rfc3748#section-5.7

Reaver-WPS Tool: http://code.google.com/p/reaver-wps/

Cross-posted from SecureState

Possibly Related Articles:
Information Security
Authentication Vulnerabilities Tools WiFi WPA Brute Force Spencer McIntyre EAPScan Tool Extensible Authentication Protocol SecureState Stefan Viehböck RFC3748 Reaver-WPS Tool
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.