Thread: Induction of WPS Pin Collection in WPS Locked Router - One Case

  1. #1
    Senior Member
    Join Date
    Jul 2013
    Posts
    775

    Induction of WPS Pin Collection in WPS Locked Router - One Case

    During tests of an updated varmacscan, MTeams was able to accidentally induce pin collection from a WPS Locked Router. As this was produced by accident, all we can do is outline the attack sequence in the hope that others can replicate these results.

    The reaver run sequence that continues to produce pin harvesting even though the router is locked is as follows: The router is first subjected to a reaver attack using pin 12345678 for 60 seconds, then a normal Brute Force attack is begun. When running reaver with pin 12345678 there was no response from the router. However, when the brute force attack was begun, pin collection resumed.

    During all attacks a regenerative aireplay-ng -1 fake auth was run in the background. Regeneration was produced by embedding aireplay-ng in a while true loop, as we have outlined in these forums.

    Each attack used a different MAC address.

    When running your Reaver attack with --pin=12345678, make sure you add the --session=filename so you do not disrupt the subsequent brute force attack pin count.

    Logs of these attacks are on file.

    Musket Teams
    Last edited by mmusket33; 2017-02-13 at 01:59 PM.

  2. #2
    Senior Member
    Join Date
    Apr 2013
    Location
    in a computer
    Posts
    551
    Thanks for the research, mmusket33. I'm going to be doing a wireless assessment in a few weeks...looking forward to trying this out.
