I set up a google doc to collect vulnerable devices. WPS Vulnerability Testing
(sending once again because the comment got mangled)

WPS scanning howto (based on a tip from the above document):

1) Become root.
2) Stop network manager, kill wpa_supplicant.
3) Add the following 2 lines to /etc/wpa_supplicant.conf:
       ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=users
       update_config=1
4) Put your wlan interface up:
       ifconfig wlan0 up
5) Run WPA supplicant:
       wpa_supplicant -Dwext -i wlan0 -c/etc/wpa_supplicant.conf -B
6) wpa_cli scan
7) wpa_cli scan_results

Example output (censored):

    azrael@laptop616:~/$ sudo wpa_cli scan_results
    Selected interface 'wlan0'
    bssid / frequency / signal level / flags / ssid
    e0:91:f5:::  2412  195  [WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP][WPS]          NETGEAR
    e0:cb:4e:::  2462  191  [WPA-PSK-TKIP][WPS]                                   L
    74:ea:3a:::  2412  186  [WPA-PSK-CCMP][WPA2-PSK-CCMP][WPS]                    TP-LINK
    00:26:24:::  2442  185  [WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP]               U
    00:23:cd:::  2437  185  [WPA2-PSK-CCMP-preauth]                               TP-LINK
    00:1b:2f:::  2462  177  [WPA-PSK-TKIP]                                        L
    00:26:24:::  2442  176  [WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP]               U
    d8:5d:4c:::  2412  174  [WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP-preauth]       F
    00:1e:58:::  2437  174  [WPA-PSK-TKIP]                                        apple
    00:24:d1:::  2437  173  [WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP]               U
    00:1d:0f:::  2432  173  [WPA2-PSK-TKIP][WPS]                                  M
    00:25:4b:::  2447  172  [WPA-PSK-TKIP][WPA2-PSK-TKIP+CCMP]                    A
    00:1e:2a:::  2437  172  [WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP]               S
    80:c6:ab:::  2462  171  [WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP]               U
    1c:af:f7:::  2457  170  [WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP][WPS]          w
    00:19:e0:::  2437  178  [WPA-PSK-TKIP]                                        K
    58:6d:8f:::  2412  168  [WPA2-PSK-CCMP][WPS]                                  d-link
    00:22:6b:::  2417  206  [WEP]                                                 m
    00:23:cd:::  2437  187  [WEP]                                                 R
    00:18:39:::  2462  180  [WEP]                                                 linksys
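As an added example (not code from the thread or from the Reaver project), the scanning steps above collected into one script, plus an offline filter that picks out the rows of a wpa_cli scan_results table whose flags contain [WPS], so an administrator can inventory which of their own APs still advertise WPS. The interface name wlan0, the config path and the wext driver are assumed from the howto; the sample scan table and its BSSIDs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): the howto's steps as one script, plus an
# offline filter that keeps only scan rows whose flags contain [WPS].
# Assumed, as in the howto: interface wlan0, /etc/wpa_supplicant.conf, wext driver.
IFACE="${IFACE:-wlan0}"
CONF="${CONF:-/etc/wpa_supplicant.conf}"

# Filter a wpa_cli scan_results table (stdin) down to "bssid freq ssid" for APs
# advertising WPS. The SSID is everything after the flags column and may contain spaces.
wps_aps() {
    awk '
        /^Selected interface/ || /^bssid/ { next }     # skip banner and column header
        $4 ~ /\[WPS\]/ {
            ssid = $5
            for (i = 6; i <= NF; i++) ssid = ssid " " $i
            print $1, $2, ssid
        }'
}

# Constructed sample scan (made-up BSSIDs and SSIDs) in the scan_results layout.
# wpa_cli separates columns with tabs; awk treats tabs and spaces alike.
SAMPLE_SCAN="Selected interface 'wlan0'
bssid / frequency / signal level / flags / ssid
02:00:00:00:00:01  2412  -45  [WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP][WPS]  NETGEAR
02:00:00:00:00:02  2442  -60  [WPA2-PSK-CCMP]  Office
02:00:00:00:00:03  2457  -70  [WPA2-PSK-CCMP][WPS]  Guest Net
02:00:00:00:00:04  2417  -80  [WEP]  legacy"

# Run the filter over the constructed sample (works offline, no radio needed).
demo() {
    printf '%s\n' "$SAMPLE_SCAN" | wps_aps
}

# Live scan: steps 3-7 of the howto (do steps 1-2 first: become root, stop network
# manager and any running wpa_supplicant). Needs a real wireless interface.
scan_live() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    grep -q '^ctrl_interface=' "$CONF" 2>/dev/null || cat >>"$CONF" <<'EOF'
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=users
update_config=1
EOF
    ifconfig "$IFACE" up
    wpa_supplicant -Dwext -i "$IFACE" -c"$CONF" -B
    wpa_cli -i "$IFACE" scan >/dev/null
    sleep 5                                  # let the scan finish before reading results
    wpa_cli -i "$IFACE" scan_results | wps_aps
}

# "live" runs the real scan; anything else just demonstrates the filter on the sample.
if [ "${1:-}" = "live" ]; then scan_live; else demo; fi
```

Run it with a saved scan on stdin (`. ./wps_scan.sh; wps_aps < saved_scan.txt`) to check an existing capture without touching the radio.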
@cheffner
Please update the database correcting the AP Netgear CG3100.
Somebody wrote that this AP doesn't support External Registrar, and this person is obviously wrong. The AP supports the three WPS modes, but the External one is a bit hidden in the configuration page, so I'm pretty sure this person didn't notice.
The three modes are enabled by default.
I have tested against 3 different models and all worked.
PS: I have added an entry in the database
Thanks for the info maguila! Based on the WPS spec, in order to be WPS certified by the WiFi Alliance a device must support external registrars, so it will probably be rare to find a WPS-capable device that doesn't support registrars.
http://www.sourcesec.com/2009/05/09/wpscan-wpspy-tools/ Here are some other tools for easy WPS scanning (got the link from the Czech links above).
http://www.simplywifi.co/blog/2012/1/1/wps-brute-force-thoughts-and-video.html
Dragorn just announced that the latest SVN version of Kismet now detects and alerts on Reaver-type WPS brute-force attacks.
Announcement here: http://blog.kismetwireless.net/2012/01/reaver-wps-brute-force-ids.html
Screendump of Kismet alerting:
Might be an idea to put that into the Wiki as well, for those infosec people who need to detect and prevent attacks.
Dutch
Blog post about the WPS problem. Good for non-techy consumers.
http://www.safegadget.com/72/major-wireless-network-vulnerability-wps-bug/
Here is the new link to a Reaver 1.4 tutorial: http://www.youtube.com/watch?v=ESUBmH8R-18
Hello there, I keep getting a 64 key or 20 key. Why? And it's not working. Why is it encrypted, why is it not decoded in text? Could you help?
The link "http://www.theprojectxblog.net/setting-up-reaver-the-wifi-protected-setup-attack-tool/" in the 'How tos' section is dead...
The 2 "Hack4fun.eu" links in Czech in the 'How tos' section can be found in English by adding "/en/" to the URL: Hack4fun.eu/en/2012/01/...etc...