
I've been working with WPS assessment tools like Reaver and Bully for some time, and I could successfully crack my router's PIN code and find its password with both QSS PBC and QSS PIN code. When each of those options was enabled on my router, it appeared in the scan results of the wash command in Linux as a WPS-enabled router that can be cracked.

There are some other routers that, when I try to connect to them, first ask me for a PIN code and then the security key, but when I scan them using wash or other such tools, they never show up as a WPS-enabled router. Even when I ignore that and try to hack their WPS PIN using Reaver or Bully, they stick to the first PIN even when my signal is 90% strong. The only way I know that the router has a PIN is with this method.


Aren't they vulnerable to such attacks? How do they do that?

  • Could it be that the router detects a brute force? Have you tried to manually enter wrong PINs in this dialog? Is there any timeout? – Andrey Sapegin Feb 24 '15 at 13:57
  • Yes, the error message is "Windows can't get the network settings from the router. The PIN isn't correct. Make sure the PIN matches the number printed on the label on the device". Although the first part is a bit confusing, it seems that my computer can communicate with the router. And about the timeout, I give Bully a 5-second delay, but the only results will be timeout messages; Reaver hardly associates with it. –  Feb 24 '15 at 16:27

1 Answer


It would seem that some router manufacturers can detect brute-force attempts and put the router into a "lock-down" or "safe mode" state.

http://kb.netgear.com/app/answers/detail/a_id/19824/~/how-do-netgear-home-routers-defend-wifi-protected-setup-pin-against-brute-force

NETGEAR home routers will protect themselves after several failed attempts to authenticate as an external registrar by entering a lock-down state. During the lock-down state, all WPS attempts using the Router PIN will not work. The router will return from the lock-down state after a predetermined time period.

k1DBLITZ
  • I'm totally aware of that feature, but that's really not my answer. I can use reverse Reaver to bypass that feature, but for the 2 routers I'm talking about, their WPS functionality is not detectable by tools like wash in Kali Linux, and I can only know about their WPS feature when I try to enter their WPA key in Windows. A brute-force attack should be detected only after trying some wrong PINs, right? But Reaver or Bully can't even try one single PIN. The only thing I'm suspecting is that they may have enabled MAC address filtering on their router; could it be the reason? –  Mar 03 '15 at 17:49
  • Wait - you don't KNOW the configuration of these routers? You don't own them? – schroeder Mar 03 '15 at 17:58
  • Well, I told my friend that I am capable of hacking a wireless router and he challenged me to do so, so we own them, and BTW there is no internet connection on the router; he uses another one. –  Mar 03 '15 at 19:31
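A scanner such as wash decides that an access point is WPS-enabled by looking for the WPS information element (a vendor-specific IE carrying the Wi-Fi Alliance OUI 00:50:F2, type 4) in the AP's beacons and probe responses, and the lock-down state the answer quotes is signalled in that same IE through the AP Setup Locked attribute (0x1057), which wash shows in its locked column. The example below is added here and is not code from the original post, from wash or from Reaver: it walks the tagged parameters of a beacon, extracts the WPS attributes and reports version, state and the locked flag. The three frames it runs on are constructed by hand (the SSID, manufacturer and model strings are made up), one advertising WPS normally, one with AP Setup Locked set, and one carrying no WPS IE at all, which is the case a scanner keyed on the IE never lists regardless of what the AP does later in the handshake.

```python
"""
Parse the WPS information element from 802.11 beacon / probe-response
tagged parameters, the same signal a scanner like wash keys on.
Constructed example frames only; nothing here is a real capture.
"""
import struct

IE_VENDOR_SPECIFIC = 0xDD       # 802.11 element ID for vendor-specific IEs
WPS_OUI = b"\x00\x50\xf2"       # Wi-Fi Alliance OUI used by the WPS IE
WPS_OUI_TYPE = 0x04             # OUI type that marks the IE as WPS

# WPS attribute IDs (Wi-Fi Simple Configuration TLVs, big-endian ID/len/value)
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044
ATTR_AP_SETUP_LOCKED = 0x1057
ATTR_SELECTED_REGISTRAR = 0x1041
ATTR_CONFIG_METHODS = 0x1008
ATTR_MANUFACTURER = 0x1021
ATTR_MODEL_NAME = 0x1023

WPS_STATE_NAMES = {1: "Not Configured", 2: "Configured"}


def iter_ies(tagged_params):
    """Yield (element_id, body) for each IE; stop on a truncated element."""
    pos = 0
    while pos + 2 <= len(tagged_params):
        eid, length = tagged_params[pos], tagged_params[pos + 1]
        body = tagged_params[pos + 2:pos + 2 + length]
        if len(body) < length:
            break          # truncated frame: do not over-read
        yield eid, body
        pos += 2 + length


def parse_wps_tlvs(data):
    """Parse ID(2)/len(2)/value TLVs inside a WPS IE into {id: value}."""
    attrs = {}
    pos = 0
    while pos + 4 <= len(data):
        attr_id, length = struct.unpack_from(">HH", data, pos)
        value = data[pos + 4:pos + 4 + length]
        if len(value) < length:
            break
        attrs[attr_id] = value
        pos += 4 + length
    return attrs


def wps_info(tagged_params):
    """Return a summary dict if the frame advertises WPS, else None."""
    for eid, body in iter_ies(tagged_params):
        if eid != IE_VENDOR_SPECIFIC or body[:3] != WPS_OUI \
                or body[3:4] != bytes([WPS_OUI_TYPE]):
            continue
        attrs = parse_wps_tlvs(body[4:])

        def u8(attr_id):
            v = attrs.get(attr_id)
            return v[0] if v else None

        def u16(attr_id):
            v = attrs.get(attr_id)
            return struct.unpack(">H", v)[0] if v and len(v) == 2 else None

        return {
            "version": u8(ATTR_VERSION),
            "state": WPS_STATE_NAMES.get(u8(ATTR_WPS_STATE), "Unknown"),
            "locked": u8(ATTR_AP_SETUP_LOCKED) == 1,
            "selected_registrar": u8(ATTR_SELECTED_REGISTRAR) == 1,
            "config_methods": u16(ATTR_CONFIG_METHODS),
            "manufacturer": attrs.get(ATTR_MANUFACTURER, b"").decode("utf-8", "replace"),
            "model": attrs.get(ATTR_MODEL_NAME, b"").decode("utf-8", "replace"),
        }
    return None


# --- constructed sample frames (tagged parameters only, no 802.11 header) ---
def ie(eid, body):
    return bytes([eid, len(body)]) + body


def wps_ie(*tlvs):
    payload = b"".join(struct.pack(">HH", aid, len(v)) + v for aid, v in tlvs)
    return ie(IE_VENDOR_SPECIFIC, WPS_OUI + bytes([WPS_OUI_TYPE]) + payload)


SSID_IE = ie(0x00, b"HomeAP")                      # made-up SSID
RATES_IE = ie(0x01, bytes([0x82, 0x84, 0x8B, 0x96]))
COMMON = ((ATTR_VERSION, b"\x10"), (ATTR_WPS_STATE, b"\x02"),
          (ATTR_CONFIG_METHODS, b"\x00\x84"),      # Label | PushButton
          (ATTR_MANUFACTURER, b"ExampleCo"), (ATTR_MODEL_NAME, b"R1000"))
OPEN_WPS = SSID_IE + RATES_IE + wps_ie(*COMMON, (ATTR_AP_SETUP_LOCKED, b"\x00"))
LOCKED_WPS = SSID_IE + RATES_IE + wps_ie(*COMMON, (ATTR_AP_SETUP_LOCKED, b"\x01"))
NO_WPS = SSID_IE + RATES_IE                        # no WPS IE: scanner shows nothing

if __name__ == "__main__":
    for name, frame in (("open", OPEN_WPS), ("locked", LOCKED_WPS), ("no-wps", NO_WPS)):
        print(name, wps_info(frame))
```

The locked frame is what a router in the quoted lock-down state is expected to advertise while it refuses external-registrar PIN attempts; the third frame shows why an AP that never includes the IE is invisible to a scanner that works this way, whatever it later asks for during association.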