timjackwilkins / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

Extracting the WPS #92

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Didn't know where to put this but here it goes.
Isn't it possible to extract the "hash" from WPS so that the bruteforce can be 
made directly on the PC, like the wpa-handshake, and consequently improve the 
attack speed?
If not, why does wpa gives away his "hash" and turns it more vulnerable instead 
of doing like wps?

Original issue reported on code.google.com by andremeg...@hotmail.com on 5 Jan 2012 at 10:54

GoogleCodeExporter commented 8 years ago
Like i know there is no hash ... the AP sends two informations of the pins. It 
awners, sends if the first four pins are correct, and if the next four pins are 
correct of the 8 pins.

Original comment by patricks...@gmail.com on 5 Jan 2012 at 10:58

GoogleCodeExporter commented 8 years ago
Example you send 12345678. The AcessPoint will awnser if 1234 are correct or 
not and in another instance if the 5678 are correct. So you have 10'000 
combinations of the first four, and 1'000 combinations of the next 3 because 
the last one is the checksum of it.

Original comment by patricks...@gmail.com on 5 Jan 2012 at 11:14

GoogleCodeExporter commented 8 years ago
There is an HMAC that is exchanged (the pin is never sent plain text). But even 
if you could break the hash, how are you going to get the hash in the first 
place? You would have to capture the wireless traffic when the registrar first 
authenticates to the AP. This only happens once, and this feature seems rarely 
used, so it is very unlikely that you'd ever see this traffic (it's not like 
with WPA where you can just kick them off and wait for them to do a new 
handshake).

Original comment by cheff...@tacnetsol.com on 6 Jan 2012 at 12:11

GoogleCodeExporter commented 8 years ago
I understand... But there might be a solution:
Even after one authenticates with the right password, if you are too far from 
AP and it doesn't achieve to connect, sometimes it ask's you for the password 
again.
So if you could block most traffic between a client and the AP, maybe it would 
ask the pass/pin to the client like the example above.

Original comment by andremeg...@hotmail.com on 6 Jan 2012 at 1:21