Monday, January 9, 2012

Reaver / WPS Brute Force IDS

Thanks to Render and Dutch for pushing on this and contributing pcaps.

Kismet-SVN now detects a WPS brute force attack underway via tools such as Reaver.

Reaver exploits a weakness in WPS which reduces the potential keyspace to 11,000 PINs, exploitable in a matter of hours.

Kismet WPS brute-force detection alerts on an access point which is doing an unusual amount of WPS traffic, specifically by monitoring for the M3 exchange of the WPS handshake. An access point should only perform a WPS exchange with new clients, so excessive WPS communications indicate a likely attack.

The WPS detector is implemented in the newly minted phy-neutral tracking layer of Kismet, which will become the primary tracking code in the next release of Kismet.  As such, alerts are available from the client protocol under the standard *ALERT sentence, but will not be attached to the network list in the Kismet UI due to pending changes to code.

Further enhancements to WPS brute force detection may be forthcoming soon depending on development.

To be most effective, Kismet should be locked onto the channel of the AP being monitored. However, depending on the frequency of the attack, a channel-hopping instance should also detect it.

[Update] When testing, don't forget to enable the WPSBRUTE alert in your kismet.conf!

[Update #2] Also included in Kismet-SVN by popular demand is a basic Ruby client which bridges Kismet alerts to syslog:

Jan 10 11:15:27 drd1812 kismet: WPSBRUTE server-ts=1326212106 bssid=00:14:D1:E6:8F:F8 source=00:14:D1:E6:8F:F8 dest=18:3D:A2:4A:65:80 channel=1 IEEE80211 AP 'rootsdkwlan' (00:14:D1:E6:8F:F8) sending excessive number of WPS messages which may indicate a WPS brute force attack such as Reaver

[Update #3] Kismet-SVN now includes the plugin-alertsyslog server plugin, which also logs alerts to syslog without needing Ruby or a separate client.

[Update #4] Expanded the timeline for WPS brute detection to 5 minutes to catch more during channel-hop configs.  WPS negotiation is so rare that this shouldn't be triggering false positives even with the expanded window.
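The per-AP counting described above (M3 frames per BSSID, with the 5-minute window from Update #4) can be sketched as follows. This is an added example, not Kismet's own code; the threshold of 4, the alert suppression and the sample frames are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60  # 5-minute window, per Update #4
M3_THRESHOLD = 4         # assumed value; the page does not state Kismet's threshold


class WpsBruteDetector:
    """Counts WPS M3 frames per BSSID inside a sliding time window."""

    def __init__(self, window=WINDOW_SECONDS, threshold=M3_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._seen = defaultdict(deque)  # bssid -> timestamps of M3 frames
        self._quiet_until = {}           # bssid -> time before which no re-alert

    def observe_m3(self, ts, bssid):
        """Record one M3 seen at time `ts`; return True if an alert is raised."""
        bssid = bssid.upper()
        frames = self._seen[bssid]
        frames.append(ts)
        # Drop frames that have aged out of the window.
        while frames and frames[0] <= ts - self.window:
            frames.popleft()
        if len(frames) < self.threshold:
            return False
        # Raise at most one alert per window per AP (assumed behaviour).
        if ts < self._quiet_until.get(bssid, 0):
            return False
        self._quiet_until[bssid] = ts + self.window
        return True


def alerts_for(events, **kwargs):
    """Run (timestamp, bssid) M3 observations through a fresh detector."""
    detector = WpsBruteDetector(**kwargs)
    return [(ts, bssid) for ts, bssid in events if detector.observe_m3(ts, bssid)]


# Constructed sample: what a channel-hopping sensor might capture. It is on the
# attacked AP's channel only part of the time, so it sees one M3 per minute;
# the second AP enrolls two new clients, which is normal WPS use.
AP_ATTACKED = "00:11:22:33:44:55"
AP_NORMAL = "66:77:88:99:AA:BB"
HOPPING_VIEW = sorted(
    [(t, AP_ATTACKED) for t in range(0, 600, 60)]
    + [(30, AP_NORMAL), (400, AP_NORMAL)]
)

if __name__ == "__main__":
    print("5-minute window:", alerts_for(HOPPING_VIEW))
    print("1-minute window:", alerts_for(HOPPING_VIEW, window=60))
```

With the 5-minute window the sparse view still trips the alert for the attacked AP only; with a 1-minute window the same capture produces no alert at all.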

Kismet SVN code is available via svn co kismet-devel
