bktruss / reaver-wps

Automatically exported from code.google.com/p/reaver-wps

Manufacturer based attack? #199

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Many router manufacturers generate their WPS/WPA key from the MAC address and/or the default 
SSID, like "EasyBox-2E1524". If the manufacturer is known, you can reduce the 
number of digits to "guess". For example SpeedTouch, Speedport, ALICE or Vodafone 
EasyBox routers. Perhaps it's possible to look up the manufacturer via the MAC and select 
the optimal way to react.
There are several Android apps like "Wifi-WPA Crack" which use this in another 
way ... 

Optimizing this would dramatically speed up guessing a key.

Original issue reported on code.google.com by mo.latte...@gmail.com on 29 Jan 2012 at 3:51

GoogleCodeExporter commented 9 years ago
You beat me to it mo, I was thinking of that vector also for a couple of days, 
and was about to comment, until I saw your post. ;)

Haha, so I guess I'll comment here.

Along with extremely weak manufacturer default WPS codes like 012345670 and the 
like (which could be put into a database of shame maybe? ;) I'm betting there's 
the possibility that a manufacturer WPS algorithm generator was used, creating 
the WPS code from one of the many fields that are readily available whilst 
viewing Wireshark. In a similar way some manufacturers like Thomson (I think) 
used a WPA password generator using parts of the SSID name. 

Good call mo. 

Perhaps we can do some respective recon and see if any of our collective 
routers' WPS PINs are in any way similar to a field which is readily viewable when 
sending the first 4 'M' packets, serial number, that sort of thing ;). Would 
drastically reduce time if any such vulnerabilities were unveiled. 

Just a thought anyways, good call mo! ;) 

Original comment by ObiDanKi...@googlemail.com on 30 Jan 2012 at 3:24

GoogleCodeExporter commented 9 years ago
Thx! :D .... Have a look here. Unfortunately it's in German, but perhaps you can 
read and understand it. Look for SPEEDPORT, for example.

http://www.wardriving-forum.de/wiki/Standardpassw%C3%B6rter

They're building a database with SSID, BSSID, WPS key, SNR etc.
and documenting how some models build up their keys.

Including some of that stuff would increase the speed reaver works at massively!

Original comment by mo.latte...@gmail.com on 31 Jan 2012 at 2:10

GoogleCodeExporter commented 9 years ago
You can try WPSPIN, a simple script I made with the default WPS PIN for many devices.
Click this link to see the online updated supported device list:
http://wpspinupdate.auditoriaswireless.org/BSSID.txt

To download the script (Spanish, I will make an English version these days 
and put it here):
http://ubuntuone.com/50hTnKWl9tyG5gkm74e05j

Original comment by kcdt...@gmail.com on 11 Jan 2013 at 4:06

GoogleCodeExporter commented 9 years ago
Veeeeery nice work! Can't wait for an English version. *thumbs up*

Original comment by mo.latte...@gmail.com on 14 Jan 2013 at 12:06

GoogleCodeExporter commented 9 years ago
Sorry for the long delay, I forgot about this post. Here is version 1.4 
with English language:
http://wpspinupdate.auditoriaswireless.org/WPSPIN.zip
Enjoy!
If you want to contribute, send me
a snapshot of the reaver attack
a snapshot of the router configuration.

The required data are exactly:

default ESSID
BSSID
manufacturer
model
hardware version
firmware version
default WPS PIN
default WPA passphrase
serial number
Is WPS enabled by default?
Is there any AP rate limit?
Is there anything relevant, a trick for the attack? The more information, the better.

take care

Original comment by kcdt...@gmail.com on 26 Jul 2013 at 7:41