
I've been conducting some simple penetration tests on a few older wireless routers that I have lying around, focusing mainly on WPS vulnerabilities. I've been having some trouble with an old Belkin router (model F9K1108v1). The router doesn't seem to be vulnerable to a Pixie Dust attack. However, I was able to acquire the router's WPS PIN using the generate PIN option in reaver.

(Screenshot: successful WPS PIN generation in reaver)

I have access to the router configuration and I can verify the PIN that I acquired is correct. This is an unusual attack situation for me, as I am not used to acquiring only the router PIN. I can't seem to make any further progress with the PIN. I attempted to acquire the router's WPA key using multiple options in reaver, such as mimic windows 7 registrar, to no avail. I also took similar steps using bully, but still made no progress.

What are some logical next steps after having successfully acquired only a router's WPS PIN?

Grant Miller
wjjd225
  • I would go with "disable WPS on the router as it is insecure anyway", but you are studying WPS. – Mindwin Apr 26 '17 at 21:08
  • Yes, I'm more than well aware of the inherent security flaws with WPS. It's not an option that I would ever enable on my own network. I'm just interested in investigating how the flaws affect different types of wireless routers with respect to vendor, chipset manufacturer, model year, firmware, etc. Especially considering that most vendors are still including WPS on their new routers. – wjjd225 Apr 28 '17 at 17:49

1 Answer

You can check with another wireless device using a different chipset. Sometimes (it is weird, I know) it works with another device. Sometimes there is some kind of incompatibility between the software and the drivers... like, for example, using reaver with a wireless device that has a Ralink chipset. It never works.

Now that you know the PIN, your reaver and bully commands can use the -p argument.

Another test you can do is to check whether your AP has PBC (Push Button Connect) activated by default. If you have access to the router, you can check it in the configuration. Another way to check is using airodump-ng with the --wps parameter, available in most modern versions of the aircrack suite (since v1.2 RC2, I guess). With that parameter you'll see a new column with WPS info. Let it scan for more than one minute and interesting info will start to appear, like the WPS version or whether the AP has PBC activated or not.

Another curiosity about this --wps parameter is that the WPS info is shown in the window but is never written to the files when using the -w parameter in airodump. I think maybe it is because adding a new column could break compatibility for all the people who have scripts and automated processes based on this. IDK, it is a wild guess.

Regarding your problem again, I experimented with Pixie Dust against vulnerable routers with PBC activated and the result is curious... it gets the PIN but then is unable to get the password. It is a similar behavior to what you are experiencing. I know it is not the same, but maybe with some of this advice you can get a step further.

Good luck!

OscarAkaElvis
  • Thanks for the advice! All of my computers have Intel Wi-Fi chipsets. I'm considering testing it out using a Raspberry Pi 3 with Kali Linux as well as an Android device. I can verify that WPS is active on the AP (both PBC and PIN). The AP also shows up when performing an airmon-ng scan with the --wps option as well as when using wash. I've had the same problem with Pixie Dust attacks used against PBC-enabled APs. – wjjd225 Apr 28 '17 at 17:56
  • Ok, so here is the answer. There is no problem here. PBC is preventing the password disclosure. Everything is as it is supposed to be. There is no solution; my answer is the explanation of why it is not working and will never work (unless you push the button, of course). – OscarAkaElvis Apr 28 '17 at 20:33