Effective selection of WPS PINs based on known and generated PINs
Busting WPS PINs with Reaver takes hours or even a day, especially if the attacked Access Point is far away and you have to make several attempts to check the same pin.
Some access points are vulnerable to the Pixie Dust attack, which is performed by the Pixiewps tool . It allows you to open a pin in minutes or even seconds. Not all access points are vulnerable, so after checking for Pixie Dust, if the attack failed, you have to take a brute force.
But before busting, you can try another effective method, which involves going through a small number of very likely IDUs.
These IDUs are taken from two sources:
- database of known PINs;
- PINs generated by certain algorithms.
The database of known PINs is compiled for Access Points of certain manufacturers for which it is known that they use the same WPS PINs. This database contains the first three octets of the MAC address and a list of PINs that are very likely for a given manufacturer.
Well known are several algorithms for generating WPS PINs. For example, ComputePIN and EasyBox use the Access Point MAC Address in their calculations. And the Arcadyan algorithm also requires a device ID.
Therefore, an attack on WPS IDUs may consist in the following actions, proceeding as their effectiveness decreases:
- Pixie Dust Examination Check
- Checking the database of known PINs and generated PINs using algorithms
- Brute force WPS PIN
In this note, I will tell you more about the second option – checking against the database and generated PINs.
This attack option is automated in airgeddon . Therefore, we go there:
git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git cd airgeddon/ sudo bash airgeddon.sh
Although airgeddon itself is able to translate a wireless card into monitor mode, it will never be superfluous to execute the following commands before it:
sudo systemctl stop NetworkManager sudo airmon-ng check kill
They will complete the processes that may hinder us.
Since we will perform the brute force attack using the WPS PIN, owners of wireless cards with the Ralink chipset, which use rt2800usb drivers (RT3070, RT3272, RT3570, RT3572, etc.), as well as use of cards with Intel chipsets Reaver in airgeddon, so choose the option with Bully , this tool works a bit better with these chipsets.
Launch airgeddon, transfer the wireless card to monitor mode and go to the “ WPS Attack Menu ”:
We need to start by choosing a goal, this is the fourth menu item. APs with blocked WPS are marked in red, the higher the signal level, the higher the probability of a successful PIN search:
Next, select the item ” 12. (reaver) Attack based on a database of known PINs “.
We are asked about the timeout, set to the maximum value ( 100 ), since there are not very many PINs and it will be a shame to miss the correct pin due to delays caused by communication interference:
Further I am informed:
Search in PIN database. Wait a bit…
No match found in PIN database
There are no values for the selected AP in the database – no problem, several additional pins will be generated by algorithms. In any case, PINs from well-known algorithms, such as ComputePIN and EasyBox, will be calculated and added, since all the necessary information for them is already available (only the MAC address is needed).
Next, the tool tells us:
Some added PINs were calculated by algorithms (ComputePIN, EasyBox, etc.), but you can add one more (Arcadyan). To calculate it, certain data is required, and you need to perform a background scan. The process can be very slow. Do you want to add a PIN calculated by this algorithm? [y / n]
In fact, the process is not particularly slow – a timeout of four minutes is set for it, and with a good signal level, the collection of information is completed faster. By the way, if the information is collected for all four minutes, and especially if this process is completed by timeout, then this is a bad sign – the signal is probably too weak to allow for the busting of PINs.
I recommend using the Arcadyan algorithm and answering y,
Further, the tool reports:
The Arcadyan algorithm is useless for the selected target network, the actual value cannot be calculated.
Added PIN calculated using algorithms. A total of 3 PIN will be attacked
After stopping the attack (using [Ctrl + C]), the window will not automatically close. You will have time to rewrite the password if the attack is completed successfully. Then you need to close it manually.
Well, we continue as is. Automatic selection is started for each of the pins.
Already the second IDU was correct.
Those. even if the AP had a lock after three incorrectly entered PINs, we would still have time to find out its password. Almost as fast as with Pixie Dust!
Successfully ended the hacking the AP.
As you can see, the attack method on WPS PINs from the database and PINs generated by the algorithms has the right to exist. In my tests, usually from 3 to 35 PINs were collected, the attacks were of varying success. But in general, the result is very good, especially for AP with a strong signal.
If the failure is due to the fact that the enumeration of some PINs was not completed and ended because of a timeout, then it makes sense to try again for the tested AP,