
My neighbour is actively trying WPS pins on my router - I know because the "WiFi/WPS" LED on my router lit up when I have permanently turned it off! I double checked the setting using the router admin page through ethernet and it confirmed LEDs were off (except during WPS negotiation, which overrides the off setting). Note, it's a Tenda AC10 router.

Additionally, all my 5 GHz devices got disconnected. I'm not sure if it's because of aggressive WPS packets or because a simultaneous deauth flood was issued.

I need to track down the WPS packets and pin-point the MAC address the attempts were issued from. I tried using the "WPS" display filter in Wireshark as well as the "eap.wps.code" filter, no packets were found AS the packets were being recorded!

The same also occurred a couple of days back when I was trying WPS attempts against my own device and couldn't see the same frames with the "WPS" display filter in Wireshark. I dropped the issue since I had - in theory - disabled WPS on my APs, so I considered it a smaller problem.

Please let me know the exact display filters to use to detect WPS pin attempts in some kind of a flood attack.

Dev Kanchen
  • Could you see any wifi traffic from devices other than your own? I'm thinking that you're not going to see these packets in Wireshark. – schroeder Nov 14 '19 at 15:20
  • I am seeing the entire neighborhood's packets. I'm using Wireshark on a Macbook in monitor mode - monitoring channels 4 and 40 - which were my main Wifi channels. Unless the attacker sent the packets on an entirely different channel, and considering how long the attack went on, I should be able to see SOME packets despite my use of channel-hopping, between 4 and 40 like I mentioned. – Dev Kanchen Nov 14 '19 at 15:27
  • See: https://security.stackexchange.com/questions/59217/why-is-it-not-possible-to-capture-a-wps-handshake-to-wlan – schroeder Nov 14 '19 at 15:31
  • @schroeder that does not explain why I can't capture or see WPS packets in Wireshark along with all other 802.11 packets such as WPA2 auth/deauth I'm already seeing. – Dev Kanchen Nov 14 '19 at 15:36
  • If the question is off-topic here, would you please recommend where I can post it? Network Engineering SE for questions of a similar nature before but they were quite strict about entertaining home-networking questions. I posted here because I thought I'd get a fast answer from security analysts about WPS, etc. – Dev Kanchen Nov 14 '19 at 16:11
  • @DevKanchen Just as a note: the MAC address can be easily spoofed in case of such attacks. – Sir Muffington Nov 14 '19 at 17:41
  • Yes. I'm hoping the attacker is dumb enough. But the question is very direct - how do I see WPS packets in Wireshark. For context, this is the second attack - this Sunday he/she had got my 40-character password and happily logged in with their own MAC address - I had posted another question on InfoSec SE about that. The discrepancy between the two actions shows to me that the attacker had simply gotten lucky, perhaps reading the password in plain-text off a couple of devices that I had to use unsecured WiFi to set up with. At the moment those two devices are off and unused. – Dev Kanchen Nov 14 '19 at 21:44

0 Answers