Recently, WPS has received a lot of attention due to research by Stefan Viehböck that exposed a vulnerability allowing the PIN of WPS-enabled devices to be brute-forced efficiently. This is a major concern because it can ultimately expose the WPA passphrase used to join the network. Because WPS is an Expanded EAP type, SecureState added support to the EAPScan tool of the EAPeak Suite to actively probe an access point and check whether WPS is enabled.
Wi-Fi Protected Setup is used for easily configuring wireless devices to join a network. Many of the inner workings of WPS are explained in Viehböck’s whitepaper. The protocol itself is based on the Extensible Authentication Protocol (EAP), specifically the use of an “Expanded EAP” type as described in RFC3748 Section 5.7. WPS uses a Vendor ID of 0x372A, but like most Expanded EAP types, it defines and utilizes its own fields.
The latest revisions of EAPScan have added support for the --check-wps option, which actively probes an access point to determine whether WPS is enabled. This option is functionally equivalent to specifying an EAP type of 254 and an identity of "WFA-SimpleConfig-Registrar-1-0", both of which can also be specified from the command line. Once WPS is identified, one of the tools based on Viehböck's paper, such as reaver-wps, can be used in an attempt to attack the access point.
(Figure 1: EAPScan using the –check-wps option)
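The same Expanded EAP framing that EAPScan sends can be recognised passively in captured EAP traffic, which is how a defender would spot WPS registrar exchanges against their own access points. The following Python parser is an added example, not code from EAPScan or the EAPeak Suite: it decodes the RFC 3748 section 5.7 header and flags a frame as WPS by the type 254 / Vendor-Id 0x372A header or by the WFA-SimpleConfig identity. The SimpleConfig Vendor-Type value of 1 is assumed from the WPS specification and is not stated in the post; the sample frames are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_EXPANDED = 254                 # Expanded Type, RFC 3748 section 5.7
WFA_VENDOR_ID = 0x00372A                # Wi-Fi Alliance Vendor-Id used by WPS (from the post)
WFA_VENDOR_TYPE_SIMPLECONFIG = 1        # assumed: WPS/SimpleConfig Vendor-Type, not in the post
WPS_IDENTITY_PREFIX = b"WFA-SimpleConfig-"  # e.g. "WFA-SimpleConfig-Registrar-1-0"

@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]      # None for Success/Failure, which carry no Type
    vendor_id: Optional[int]     # 3-octet Vendor-Id, only for Type 254
    vendor_type: Optional[int]   # 4-octet Vendor-Type, only for Type 254
    data: bytes                  # Type-Data or Vendor data

def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet (Code, Identifier, Length, Type...) incl. Expanded Types."""
    if len(buf) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("bad EAP Length field")
    body = buf[4:length]
    if code not in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE) or not body:
        return EapPacket(code, ident, None, None, None, body)
    eap_type = body[0]
    if eap_type != EAP_TYPE_EXPANDED:
        return EapPacket(code, ident, eap_type, None, None, body[1:])
    if len(body) < 8:
        raise ValueError("truncated Expanded EAP header")
    vendor_id = int.from_bytes(body[1:4], "big")      # 3 octets
    vendor_type = struct.unpack("!I", body[4:8])[0]    # 4 octets
    return EapPacket(code, ident, eap_type, vendor_id, vendor_type, body[8:])

def classify_wps(buf: bytes) -> str:
    """Return 'wps-identity', 'wps-expanded' or 'other' for one EAP packet."""
    pkt = parse_eap(buf)
    if pkt.eap_type == EAP_TYPE_IDENTITY and pkt.data.startswith(WPS_IDENTITY_PREFIX):
        return "wps-identity"
    if (pkt.eap_type == EAP_TYPE_EXPANDED and pkt.vendor_id == WFA_VENDOR_ID
            and pkt.vendor_type == WFA_VENDOR_TYPE_SIMPLECONFIG):
        return "wps-expanded"
    return "other"

def build_eap(code: int, ident: int, body: bytes) -> bytes:
    """Helper to construct sample packets; Length covers the 4-byte header + body."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed sample frames (not captured traffic)
WPS_IDENTITY_FRAME = build_eap(EAP_CODE_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + b"WFA-SimpleConfig-Registrar-1-0")
WPS_EXPANDED_FRAME = build_eap(EAP_CODE_REQUEST, 2, bytes([EAP_TYPE_EXPANDED])
                               + WFA_VENDOR_ID.to_bytes(3, "big") + struct.pack("!I", 1) + b"\x01")
PEAP_FRAME = build_eap(EAP_CODE_REQUEST, 3, bytes([25, 0x20]))   # EAP-PEAP start, for contrast
```

Feeding each EAP frame from a capture through classify_wps and alerting on the WPS results gives a simple detector for WPS probing of the kind EAPScan performs.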
Find out more about resources related to this attack here:
Stefan Viehböck’s Whitepaper
Expanded EAP Specification