Induction of WPS Pin Collection in WPS Locked Router - One Case
During tests of a updated varmacscan MTeams was able to accidently induce pin collection from a WPS Locked Router. As this was produced by accident all we can do is outline the attack sequence in the hope that others can replicate these results.
The reaver run sequence that continues to produce pin harvesting even though the router is locked is as follows: The router is first subjected to a reaver attack using pin 12345678 for 60 seconds then a normal Brute Force attack is begun. When running reaver with pin 12345678 there was no response from the router. However when the brute force attack was begun pin collection resumed.
During all attacks a regenerative aireplay-ng -1 fake auth was run in the background. Regeneration was produced by embedding aireplay-ng in a while true loop as we have outlined in these forums
Each attack used a different mac address.
When running your Reaver attack with --pin=12345678 make sure you add the --session=filename so you do not disrupt the subsequent brute force attack pin count.
Logs of these attacks are on file
Last edited by mmusket33; 2017-02-13 at 01:59 PM.
Thanks for the research, mmusket33. I'm going to be doing a wireless assessment in a few weeks...looking forward to trying this out.