Attacking Wi-Fi Protected Setup (WPS)

First, we need to list the available wireless interfaces.

eldeim@htb[/htb]$ iwconfig

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

Next, we need to put our interface into monitor mode.

eldeim@htb[/htb]$ airmon-ng start wlan0

To start looking for networks that advertise WPS, we run airodump-ng with two extra options: --wps adds a WPS column showing the version and configuration methods each access point advertises, and --ignore-negative-one suppresses the "fixed channel <interface>: -1" message that airodump-ng otherwise prints.

eldeim@htb[/htb]$ airodump-ng --wps --ignore-negative-one wlan0mon

BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH WPS    ESSID
XX:XX:XX:XX:XX:XX  -43        1        0    0   6  195   WPA2 CCMP   PSK  2.0 LAB   FakeNetwork
XX:XX:XX:XX:XX:XX  -43        1        0    0   6  195   WPA2 CCMP   PSK  1.0 USB   FakeNetwork
XX:XX:XX:XX:XX:XX  -43        1        0    0   6  195   WPA2 CCMP   PSK  1.0 DISP  FakeNetwork
XX:XX:XX:XX:XX:XX  -43        1        0    0   6  195   WPA2 CCMP   PSK  1.0 PBC   FakeNetwork
XX:XX:XX:XX:XX:XX  -43        1        0    0   6  195   WPA2 CCMP   PSK  2.0 PBC   FakeNetwork
60:38:E0:XX:XX:XX   -7   0   24        0    0   8  130   WPA2 CCMP   PSK  1.0 LAB   HTB-Wireless 

We can also narrow the capture to just the network in question by locking the channel with -c and filtering on the access point's MAC address with --bssid.


Scanning WPS Networks with Wash

Wash is another useful tool for finding networks with WPS. A simple wash command lists every network advertising WPS together with its WPS version.

WPS Reconnaissance

We can display much more verbose output with wash using the following command.

It is important to check the wps_locked status reported by wash. A value of 2 means WPS is not in a locked state. We can also identify the vendor of the access point from the OUI (the first three bytes of its MAC address) with the following command, specifying the beginning of the MAC address.

Things to be wary of when testing WPS

When attempting to test WPS, we want to note the following conditions:

  • The WPS version (1.0 or 2.0).

  • wps_locked status: WPS must be unlocked, so that a new client (our registrar) is allowed to attempt the PIN exchange at all.

  • The WPS mode: if the only advertised configuration method is push-button (PBC), there is no PIN to recover, and chances are we are not getting in by cracking a PIN.

  • Max PIN attempt lockout: if the access point locks WPS after a few incorrectly guessed PINs, we will likely not be able to work through the up to 11,000 attempts (10,000 for the first half of the PIN plus 1,000 for the second half) that the search can require.
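The checklist above, applied to scan output: this is an added example, not code from the original page or from wash or airodump-ng. It parses a constructed wash table and constructed airodump-ng --wps rows, merges them by BSSID, and marks each access point as locked, push-button-only, or a candidate for the online PIN attack; it also counts the WPS networks, which is the figure the PoC question below asks for. The column layouts follow what these tools print, but every row, BSSID, vendor and ESSID is made up, and the parser assumes wash's Vendor column is never empty and that the airodump rows carry ENC, CIPHER and AUTH values.

```python
"""Triage of WPS scan output (added example; sample data is constructed)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed wash-style table. Columns: BSSID Ch dBm WPS Lck Vendor ESSID.
WASH_SAMPLE = """\
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
02:11:22:33:44:01    6  -43  2.0  No   RalinkTe  FakeNetwork
02:11:22:33:44:02    6  -43  1.0  Yes  RalinkTe  FakeNetwork
02:11:22:33:44:03    6  -43  1.0  No   RalinkTe  FakeNetwork
02:11:22:33:44:04    8  -07  1.0  No   Belkin    HTB-Wireless
"""

# Constructed airodump-ng --wps rows: BSSID PWR Beacons #Data #/s CH MB ENC CIPHER
# AUTH [WPS] ESSID. The WPS column is "version methods" (LAB, DISP, KPAD, PBC, ...).
AIRODUMP_SAMPLE = """\
02:11:22:33:44:01  -43  12  0  0  6  195  WPA2 CCMP  PSK  2.0 LAB,DISP  FakeNetwork
02:11:22:33:44:02  -43   9  0  0  6  195  WPA2 CCMP  PSK  1.0 LAB       FakeNetwork
02:11:22:33:44:03  -43   7  0  0  6  195  WPA2 CCMP  PSK  1.0 PBC       FakeNetwork
02:11:22:33:44:04   -7  24  0  0  8  130  WPA2 CCMP  PSK  1.0 LAB,PBC   HTB-Wireless
02:11:22:33:44:05  -60  30  0  0  1  130  WPA2 CCMP  PSK               NoWpsNet
"""

MAC = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
# Assumption: wash's Vendor column is a single non-empty token.
WASH_ROW = re.compile(MAC + r"\s+(\d+)\s+(-?\d+)\s+(\d\.\d)\s+(Yes|No)\s+(\S+)\s+(.*?)\s*$")
# Assumption: ENC, CIPHER and AUTH are all present (WPA/WPA2 rows); WPS column optional.
AIRODUMP_ROW = re.compile(
    MAC + r"\s+-?\d+\s+\d+\s+\d+\s+\d+\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+"
    r"(?:\s+(\d\.\d)\s+([A-Z,]+))?\s+(.*?)\s*$")

PIN_METHODS = {"LAB", "DISP", "KPAD"}   # config methods that imply the AP has a PIN


@dataclass
class WpsTarget:
    bssid: str
    essid: str
    channel: int
    version: str
    locked: bool
    vendor: str
    methods: List[str]          # empty if airodump gave us no WPS column for it

    def verdict(self) -> str:
        if self.locked:
            return "skip: wps_locked"
        if self.methods and not (PIN_METHODS & set(self.methods)):
            return "skip: push-button only"
        return "candidate for online PIN attack"


def parse_wash(text: str) -> Dict[str, dict]:
    """BSSID -> fields from wash's table; header and separator lines are skipped."""
    out: Dict[str, dict] = {}
    for line in text.splitlines():
        m = WASH_ROW.match(line.strip())
        if not m:
            continue
        bssid, ch, dbm, ver, lck, vendor, essid = m.groups()
        out[bssid.upper()] = dict(channel=int(ch), rssi=int(dbm), version=ver,
                                  locked=(lck == "Yes"), vendor=vendor, essid=essid)
    return out


def parse_airodump_methods(text: str) -> Dict[str, List[str]]:
    """BSSID -> WPS config-method tokens, for rows that carry a WPS column."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = AIRODUMP_ROW.match(line.strip())
        if m and m.group(3):
            out[m.group(1).upper()] = m.group(4).split(",")
    return out


def triage(wash_text: str, airodump_text: str) -> List[WpsTarget]:
    methods = parse_airodump_methods(airodump_text)
    return [WpsTarget(bssid=b, essid=w["essid"], channel=w["channel"], version=w["version"],
                      locked=w["locked"], vendor=w["vendor"], methods=methods.get(b, []))
            for b, w in parse_wash(wash_text).items()]


def count_wps_networks(wash_text: str) -> int:
    return len(parse_wash(wash_text))


def candidates(targets: List[WpsTarget]) -> List[str]:
    return [t.bssid for t in targets if t.verdict().startswith("candidate")]


if __name__ == "__main__":
    print("WPS networks:", count_wps_networks(WASH_SAMPLE))
    for t in triage(WASH_SAMPLE, AIRODUMP_SAMPLE):
        print(t.bssid, t.essid, f"ch{t.channel}", t.version, t.vendor, t.methods, "->", t.verdict())
```

Running the file prints one line per WPS network with its verdict. Merging on BSSID matters because wash tells you whether WPS is locked while airodump-ng's WPS column tells you which configuration methods are advertised; neither tool alone answers every item on the checklist.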

PoCs - Questions

  • How many WIFI networks with WPS are available? (Answer in digit format: e.g., 5)


Online PIN Brute-Forcing Attacks

Brute-forcing WPS PIN

To begin, we need to enable monitor mode. Here we use the iw command to add a new interface named mon0 and set its type to monitor, rather than airmon-ng: due to a known bug, an interface put into monitor mode with airmon-ng can cause Reaver to malfunction, so iw is the recommended way to create the interface.

Once we have added the monitor-mode interface, we can use airodump-ng to enumerate the WPS-enabled Wi-Fi networks.

Now we can start brute-forcing with Reaver. We specify the interface with the -i argument, the BSSID with the -b argument, and the channel with the -c argument. Reaver then works through the PIN space automatically: because the access point confirms the first four digits and the last four digits separately, and the eighth digit is a checksum computed from the other seven, the search needs at most 10,000 attempts for the first half plus 1,000 for the second, 11,000 in total rather than the 100,000,000 an 8-digit PIN would suggest.
