
wash / reaver for WPS push button method?


Maurie


Hi!

This seems so obvious to me - how can I retrieve the wifi configuration/password from a router with the WPS push button pressed?

Not only is it hard to find how that protocol really works (while there's nice writeups about the PIN method and M1-M6 messages etc.), I also haven't found a tool.

What I imagined is a kind of "wash -i mon0 -WPSbutton" - a tool that monitors all WPS networks in reach and as soon as one of them has the WPS button pressed retrieves that password. Does an AP advertise the button pressed or would such monitoring require active client requests to all APs in range every 30s or so?

Am I missing something or is there no tool available to do that? Not even with a specified target bssid? Like "reaver -i mon0 -b 02:02:02:02:02:02 -wpsbutton" and then spits out the same result as when supplied with the correct PIN. I also never read about this passive attack vector other than in a sidenote.


13 hours ago, Maurie said:

Hi!

This seems so obvious to me - how can I retrieve the wifi configuration/password from a router with the WPS push button pressed?

Not only is it hard to find how that protocol really works (while there's nice writeups about the PIN method and M1-M6 messages etc.), I also haven't found a tool.

What I imagined is a kind of "wash -i mon0 -WPSbutton" - a tool that monitors all WPS networks in reach and as soon as one of them has the WPS button pressed retrieves that password. Does an AP advertise the button pressed or would such monitoring require active client requests to all APs in range every 30s or so?

Am I missing something or is there no tool available to do that? Not even with a specified target bssid? Like "reaver -i mon0 -b 02:02:02:02:02:02 -wpsbutton" and then spits out the same result as when supplied with the correct PIN. I also never read about this passive attack vector other than in a sidenote.

So obvious to me too. You are missing something. Effort. There ARE tools out there for sniffing wifi and cracking WPS. What I will say is, you haven't looked hard enough nor tried enough to test on your own. There are posts on these very forums for tools that will do what you ask, and sure google will find you an answer as well with little trouble. YouTube should find you a quick walk through in showing you various tools as well. I'm not even going to list a single tool. Too easy. There is a tool though, that will do almost all of the above, automatically.


And you clearly haven't read my post. I don't want to crack WPS or sniff wifi. While wpa_cli provides for the wps_pbc method it also needs the BSSID and is therefore a very manual method. Besides I don't even need to establish a WPA connection.


8 hours ago, Maurie said:

And you clearly haven't read my post. I don't want to crack WPS or sniff wifi. While wpa_cli provides for the wps_pbc method it also needs the BSSID and is therefore a very manual method. Besides I don't even need to establish a WPA connection.

"This seems so obvious to me - how can I retrieve the wifi configuration/password from a router with the WPS push button pressed?"

If you don't "sniff" anything, how do you plan to capture the data? Locally on the device? Where/how are you capturing the data, if not sniffing wifi or probing devices with injection or queries? WPS is only used with things like WPA for automation, so, what exactly are you expecting to accomplish, while NOT sniffing the wifi? You want the password from a WPS connection, but don't want to crack the pin to obtain the password through the process. I think maybe I'm missing something, or you're not explaining yourself well enough.


Oh ok I didn't explain myself properly. Everyone knows about WPS and reaver and so on. Most routers have adopted countermeasures against it now.

But there is another method to establish a WPA connection (or more precisely get the WPA configuration) with the help of the WPS standard. For that you don't even need a PIN, but physical access to press a button (or so they say). Then you can retrieve the password with any one device within 2min after pressing the button. This method is therefore completely open and unsecured. The only security lies in the timeframe of usually 2 min in which the device will reveal the WPA password to anyone asking for it and also that it is only intended for one device to ask for it.

While this is not an active attack it should be an easy passive attack and in comparison to the WPS pin or WPA brute force cracking it has a 100% guarantee of working (of course since it's passive there needs to be attackee action and therefore it's not guaranteed to happen). It's even hard to call it an attack. Although I envision it to clearly be one by having a tool running continuously until any device in range has its button pressed and offers to reveal the password to anyone.

This is where you just gave me an idea about sniffing might be feasible as well. While the router is supposed to tell if there are more than one station asking for the password it should still tell the password to multiple devices and usually flashes in a different way when doing so. But who in the world knows and notices? Besides if you could actually sniff the key exchange through the WPS push button method, maybe you can stay completely passive and get it through the packet capture of that exchange.

Here's where I couldn't even find a proper description of how the protocol works - I don't know the encryption used for that exchange. And to be really elegant I also wonder if a WPS station advertises their button pressed OTA. That would be crazy insecure. As far as I have found it doesn't do so - no tool can show this state. So you'd have to actively probe for stations. Every 30s should be enough to account for transmission errors within the 2min timeframe and shouldn't overload the air. It would however, be practically undetectable since it's layer 2 stuff.


There are 4 methods to WPS that I know of, with the PIN based being the only one I know of that is open to attack (other than getting lucky with PBC pairing). Pin based or entering the pin between the router and client, Push button connect (PBC) which is automatic, sometimes requiring 2 clicks of the PBC on the router before and during client connect (which also presses a WPS button on the NIC, or in software on the wireless connection software side), NFC (like tapping 2 phones together to exchange data) and USB config which I believe was used in Windows XP networks mainly, I've never had to use it though.

As far as I know WPS PBC basically drops its pants and bends over for ~2 minutes, which should allow ANY other device trying to connect, to get onto the AP in question without the need for passwords since it's automatic between the devices (so long as the client/nic presses WPS button on their side as well). Even when WPS Pin code is disabled, the WPS PBC method should still work on most AP devices for pairing them since it's a hardware button press that starts the process, except when set to something else, like toggling the radio on and off (which is what my ASUS routers are set to do) or explicitly disabling WPS in the router config, which I also have disabled.

The only attack I see with WPS PBC, is a social engineering attack that gets someone to press that button for you, by which you'd then be able to connect to it without the need for a password so long as you press WPS on your NIC or in the connection software (My netgear USB card has an actual WPS button on it). You'd more than likely need to attack the client, and have access to their machine to see the password, and that's only if stored in their system, or, access the router's web interface to see the password from its config. Short of capturing the 4 way handshake and brute forcing the WPA password, not sure there is much you can do in the event the WPS Push button was pressed other than be actively trying to connect when it's enabled. I don't know that it's actually using the password at any point during a WPS PBC session.

I don't know of any tool that sniffs the WPS PBC connections specifically for use in an attack. You can capture the data with tools like Wireshark though. How you tell when the button is pressed, I have no idea. This would probably be a good place to start for sniffing with various filters specific to your testing target: https://www.wireshark.org/docs/dfref/w/wps.html 

Someone with an extensive Wifi pentesting background would def know more than I would, and I could also be wrong about the info I mentioned above.
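Added example (not from the thread, nor code from wash, reaver or Wireshark): an audit-side parser for the WPS information element that beacon frames carry and that tools like wash read. It maps the Config Methods bitfield to the four method families listed above and flags an AP that still has WPS enabled and advertises push-button configuration, the setting the reply above recommends disabling. Attribute IDs are from the WPS spec; the sample IE bytes are constructed.

```python
import struct

# WPS attribute IDs from the Wi-Fi Simple Configuration spec (Wireshark's
# wps.* display filters expose the same attributes).
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044
ATTR_CONFIG_METHODS = 0x1008
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"   # vendor-specific IE payload prefix for WPS

# Config Methods bitfield (WPS 1.0 bits). Label/Display/Keypad are the PIN
# family, PushButton is PBC, the NFC bits are NFC, USBA is the USB method.
CONFIG_METHOD_BITS = {
    0x0001: "USBA", 0x0002: "Ethernet", 0x0004: "Label", 0x0008: "Display",
    0x0010: "ExtNFCToken", 0x0020: "IntNFCToken", 0x0040: "NFCInterface",
    0x0080: "PushButton", 0x0100: "Keypad",
}
WPS_STATES = {1: "not configured", 2: "configured"}


def parse_wps_ie(ie: bytes) -> dict:
    """Parse one vendor-specific IE (tag 0xdd) carrying WPS attributes."""
    if len(ie) < 6 or ie[0] != 0xDD or ie[2:6] != WPS_OUI_TYPE:
        raise ValueError("not a WPS information element")
    body = ie[6:2 + ie[1]]            # attributes follow the OUI/type prefix
    attrs, off = {}, 0
    while off + 4 <= len(body):       # each attribute: type(2) len(2) value
        atype, alen = struct.unpack_from(">HH", body, off)
        off += 4
        attrs[atype] = body[off:off + alen]   # a truncated value is tolerated
        off += alen
    result = {"version": None, "state": "unknown", "config_methods": []}
    if len(attrs.get(ATTR_VERSION, b"")) == 1:
        v = attrs[ATTR_VERSION][0]
        result["version"] = f"{v >> 4}.{v & 0x0F}"
    if len(attrs.get(ATTR_WPS_STATE, b"")) == 1:
        result["state"] = WPS_STATES.get(attrs[ATTR_WPS_STATE][0], "unknown")
    if len(attrs.get(ATTR_CONFIG_METHODS, b"")) == 2:
        bits = struct.unpack(">H", attrs[ATTR_CONFIG_METHODS])[0]
        result["config_methods"] = [name for bit, name in
                                    sorted(CONFIG_METHOD_BITS.items()) if bits & bit]
    return result


def wps_findings(ie: bytes) -> list:
    """Audit findings for one AP's WPS IE: WPS on at all, and PBC advertised."""
    info = parse_wps_ie(ie)
    findings = []
    if info["state"] != "unknown":
        findings.append("WPS enabled (state: %s)" % info["state"])
    if "PushButton" in info["config_methods"]:
        findings.append("push-button config method advertised")
    return findings


# Constructed beacon IE: WPS v1.0, state configured, methods Display|PushButton.
SAMPLE_IE = bytes.fromhex("dd140050f204104a0001101044000102100800020088")
```

Feed it the raw bytes of each 0xdd IE from your own APs' beacons (for example exported from Wireshark) and treat any non-empty findings list as a configuration to revisit.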
