Results 1 to 2 of 2

Thread: Induction of WPS Pin Collection in WPS Locked Router - One Case

  1. #1
    Join Date

    Induction of WPS Pin Collection in WPS Locked Router - One Case

    During tests of a updated varmacscan MTeams was able to accidently induce pin collection from a WPS Locked Router. As this was produced by accident all we can do is outline the attack sequence in the hope that others can replicate these results.

    The reaver run sequence that continues to produce pin harvesting even though the router is locked is as follows: The router is first subjected to a reaver attack using pin 12345678 for 60 seconds then a normal Brute Force attack is begun. When running reaver with pin 12345678 there was no response from the router. However when the brute force attack was begun pin collection resumed.

    During all attacks a regenerative aireplay-ng -1 fake auth was run in the background. Regeneration was produced by embedding aireplay-ng in a while true loop as we have outlined in these forums

    Each attack used a different mac address.

    When running your Reaver attack with --pin=12345678 make sure you add the --session=filename so you do not disrupt the subsequent brute force attack pin count.

    Logs of these attacks are on file

    Musket Teams
    Last edited by mmusket33; 2017-02-13 at 13:59.

  2. #2
    Join Date
    in a computer
    Thanks for the research, mmusket33. I'm going to be doing a wireless assessment in a few weeks...looking forward to trying this out.

Similar Threads

  1. Reaver WPA key letter case errors and corrections
    By mmusket33 in forum General Archive
    Replies: 0
    Last Post: 2014-12-22, 00:23
  2. Going down the WPS Locked Router Rabbit Hole
    By mmusket33 in forum General Archive
    Replies: 1
    Last Post: 2013-12-30, 02:51

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts