Everyone knows about WPS and reaver and so on. Most routers have adopted countermeasures against it now.

But there is another method to establish a WPA connection (or more precisely get the WPA configuration) with help of the WPS standard. For that you don't even need a PIN, but physical access and press a button (or so they say). Then you can retrieve the password with any one device within 2 min after pressing the button. This method is therefore completely open and unsecured. The only security lies in the timeframe of usually 2 min in which the device will reveal the WPA password to anyone asking for it, and also that it is only intended for one device to ask for it. While this is not an active attack it should be an easy passive attack, and in comparison to the WPS PIN or WPA brute force cracking it has a 100% guarantee of working (of course since it's passive there needs to be attackee action and therefore it's not guaranteed to happen). Although I envision it to clearly be one by having a tool running continuously until any device in range has its button pressed and offers to reveal the password to anyone.

This seems so obvious to me - how can I retrieve the wifi configuration/password from a router with the WPS push button pressed? Not only is it hard to find how that protocol really works (while there are nice writeups about the PIN method and M1-M6 messages etc.), I also haven't found a tool. What I imagined is a kind of "wash -i mon0 -WPSbutton" - a tool that monitors all WPS networks in reach and as soon as one of them has the WPS button pressed retrieves that password. Am I missing something or is there no tool available to do that? Not even with a specified target BSSID? Like "reaver -i mon0 -b 02:02:02:02:02:02 -wpsbutton", which then spits out the same result as when supplied with the correct PIN.

Does an AP advertise the button pressed or would such monitoring require active client requests to all APs in range every 30 s or so? I also never read about this passive attack vector other than in a side note.

There ARE tools out there for sniffing wifi and cracking WPS. What I will say is, you haven't looked hard enough nor tried enough to test on your own. There are posts on these very forums for tools that will do what you ask, and sure Google will find you an answer as well with little trouble. YouTube should find you a quick walkthrough showing you various tools as well. I'm not even going to list a single tool. There is a tool though that will do almost all of the above, automatically.

There are 4 methods to WPS that I know of, with the PIN-based one being the only one I know of that is open to attack (other than getting lucky with PBC pairing).

This is where you just gave me an idea that sniffing might be feasible as well. While the router is supposed to tell if there is more than one station asking for the password, it should still tell the password to multiple devices and usually flashes in a different way when doing so. But who in the world knows and notices? Besides, if you could actually sniff the key exchange through the WPS push button method, maybe you can stay completely passive and get it through the packet capture of that exchange. Here's where I couldn't even find a proper description of how the protocol works - I don't know the encryption used for that exchange. And to be really elegant I also wonder if a WPS station advertises their button pressed OTA. As far as I have found it doesn't do so - no tool can show this state. So you'd have to actively probe for stations. Every 30 s should be enough to account for transmission errors within the 2 min timeframe and shouldn't overload the air. It would, however, be practically undetectable since it's layer 2 stuff.
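The thread's open question is whether an AP advertises that its push button has been pressed. Per the Wi-Fi Simple Configuration specification it does: during the PBC walk time the AP sets the Selected Registrar attribute to 1 and the Device Password ID attribute to PushButton (0x0004) in the WSC vendor information element of its beacons and probe responses, which is how a supplicant in PBC mode finds it, and the same IE carries the AP Setup Locked flag that wash reports. The following is an added example, not code from the thread or from the reaver/wash projects, written from the operator's side: it decodes that IE from a beacon body and flags an open PBC window on your own AP that nobody authorised (someone with physical access pressing the button is exactly the event the thread worries about). The beacon bodies and the SSID "ExampleNet" are constructed for the example.

```python
"""Decode the WPS (WSC) information element from an 802.11 beacon body and
report whether the access point is currently advertising an open push-button
(PBC) window. Added example for monitoring your own AP; the beacon bodies
below are constructed, and "ExampleNet" is a made-up SSID."""
import struct
from typing import Dict, List, Optional, Tuple

WPS_OUI = b"\x00\x50\xf2"   # OUI used for the WSC vendor-specific IE
WPS_OUI_TYPE = 0x04         # vendor-specific type byte identifying WSC

# WSC attribute identifiers (16-bit, big-endian) from the Wi-Fi Simple Configuration spec
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044            # 0x01 = not configured, 0x02 = configured
ATTR_SELECTED_REGISTRAR = 0x1041   # 0x01 while a registrar session is active
ATTR_DEVICE_PASSWORD_ID = 0x1012   # 0x0004 = PushButton
ATTR_AP_SETUP_LOCKED = 0x1057      # 0x01 after too many failed PIN attempts
DEVICE_PASSWORD_ID_PBC = 0x0004


def parse_wps_attributes(payload: bytes) -> Dict[int, bytes]:
    """Decode the TLV list that follows OUI+type: 2-byte id, 2-byte length, value."""
    attrs: Dict[int, bytes] = {}
    off = 0
    while off + 4 <= len(payload):
        attr_id, length = struct.unpack_from(">HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated WSC attribute 0x%04x" % attr_id)
        attrs[attr_id] = payload[off:off + length]
        off += length
    if off != len(payload):
        raise ValueError("trailing bytes after WSC attribute list")
    return attrs


def find_wps_ie(ies: bytes) -> Optional[bytes]:
    """Walk the beacon's tagged parameters and return the WSC IE payload (after OUI+type)."""
    off = 0
    while off + 2 <= len(ies):
        eid, elen = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + elen]
        if len(body) < elen:
            raise ValueError("truncated information element 0x%02x" % eid)
        off += 2 + elen
        if eid == 0xDD and len(body) >= 4 and body[:3] == WPS_OUI and body[3] == WPS_OUI_TYPE:
            return body[4:]
    return None


def classify_wps_state(ies: bytes) -> str:
    """Summarise what the AP advertises: no-wps, locked, pbc-window-open or idle."""
    wps = find_wps_ie(ies)
    if wps is None:
        return "no-wps"
    attrs = parse_wps_attributes(wps)
    if attrs.get(ATTR_AP_SETUP_LOCKED) == b"\x01":
        return "locked"
    selected = attrs.get(ATTR_SELECTED_REGISTRAR) == b"\x01"
    pwid = attrs.get(ATTR_DEVICE_PASSWORD_ID)
    pbc = pwid is not None and len(pwid) == 2 and struct.unpack(">H", pwid)[0] == DEVICE_PASSWORD_ID_PBC
    if selected and pbc:
        return "pbc-window-open"
    return "idle"


def build_wps_ie(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Encode a WSC vendor IE; used here only to construct the sample beacons."""
    body = b"".join(struct.pack(">HH", aid, len(val)) + val for aid, val in attrs)
    payload = WPS_OUI + bytes([WPS_OUI_TYPE]) + body
    return bytes([0xDD, len(payload)]) + payload


SSID_IE = bytes([0x00, 10]) + b"ExampleNet"   # constructed SSID element

# Constructed beacon bodies: the same AP idle, during its PBC walk time, and PIN-locked.
IDLE_BEACON = SSID_IE + build_wps_ie([
    (ATTR_VERSION, b"\x10"), (ATTR_WPS_STATE, b"\x02"), (ATTR_SELECTED_REGISTRAR, b"\x00")])
PBC_BEACON = SSID_IE + build_wps_ie([
    (ATTR_VERSION, b"\x10"), (ATTR_WPS_STATE, b"\x02"),
    (ATTR_SELECTED_REGISTRAR, b"\x01"), (ATTR_DEVICE_PASSWORD_ID, b"\x00\x04")])
LOCKED_BEACON = SSID_IE + build_wps_ie([
    (ATTR_VERSION, b"\x10"), (ATTR_WPS_STATE, b"\x02"), (ATTR_AP_SETUP_LOCKED, b"\x01")])


def alert_on_unexpected_pbc(beacon_bodies: List[bytes], button_pressed: bool) -> List[str]:
    """Operator-side check: flag beacons showing a PBC window nobody authorised."""
    alerts = []
    for body in beacon_bodies:
        if classify_wps_state(body) == "pbc-window-open" and not button_pressed:
            alerts.append("WPS PBC window open on our AP without an authorised button press")
    return alerts


if __name__ == "__main__":
    for name, body in [("idle", IDLE_BEACON), ("pbc", PBC_BEACON), ("locked", LOCKED_BEACON)]:
        print(name, "->", classify_wps_state(body))
    print(alert_on_unexpected_pbc([IDLE_BEACON, PBC_BEACON], button_pressed=False))
```

In a real deployment the beacon bodies would come from a monitor-mode capture of your own BSSID (the tagged parameters after the fixed 12-byte beacon header); since the state is carried in every beacon, nothing needs to be transmitted to observe it, and the simplest mitigation remains disabling WPS on the AP outright.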