Maurie

Everything posted by Maurie

  1. Oh ok, I didn't explain myself properly. Everyone knows about WPS and reaver and so on. Most routers have adopted countermeasures against it now. But there is another method to establish a WPA connection (or more precisely, get the WPA configuration) with the help of the WPS standard. For that you don't even need a PIN, but physical access to press a button (or so they say). Then you can retrieve the password with any one device within 2 min after pressing the button. This method is therefore completely open and unsecured. The only security lies in the timeframe of usually 2 min in which the device will reveal the WPA password to anyone asking for it, and also that it is only intended for one device to ask for it. While this is not an active attack, it should be an easy passive attack, and in comparison to WPS PIN or WPA brute-force cracking it has a 100% guarantee of working (of course, since it's passive there needs to be attackee action and therefore it's not guaranteed to happen). It's even hard to call it an attack. Although I envision it to clearly be one by having a tool running continuously until any device in range has its button pressed and offers to reveal the password to anyone. This is where you just gave me an idea that sniffing might be feasible as well. While the router is supposed to tell if there is more than one station asking for the password, it should still tell the password to multiple devices and usually flashes in a different way when doing so. But who in the world knows and notices? Besides, if you could actually sniff the key exchange through the WPS push button method, maybe you can stay completely passive and get it through the packet capture of that exchange. Here's where I couldn't even find a proper description of how the protocol works - I don't know the encryption used for that exchange. And to be really elegant, I also wonder if a WPS station advertises its button pressed OTA. That would be crazy insecure.
     As far as I have found, it doesn't do so - no tool can show this state. So you'd have to actively probe for stations. Every 30 s should be enough to account for transmission errors within the 2 min timeframe and shouldn't overload the air. It would, however, be practically undetectable since it's layer 2 stuff.
  2. And you clearly haven't read my post. I don't want to crack WPS or sniff wifi. While wpa_cli provides for the wps_pbc method, it also needs the BSSID and is therefore a very manual method. Besides, I don't even need to establish a WPA connection.
  3. Hi! This seems so obvious to me - how can I retrieve the wifi configuration/password from a router with the WPS push button pressed? Not only is it hard to find how that protocol really works (while there are nice writeups about the PIN method and M1-M6 messages etc.), I also haven't found a tool. What I imagined is a kind of "wash -i mon0 -WPSbutton" - a tool that monitors all WPS networks in reach and, as soon as one of them has the WPS button pressed, retrieves that password. Does an AP advertise the button pressed, or would such monitoring require active client requests to all APs in range every 30 s or so? Am I missing something, or is there no tool available to do that? Not even with a specified target BSSID? Like "reaver -i mon0 -b 02:02:02:02:02:02 -wpsbutton", which then spits out the same result as when supplied with the correct PIN. I also never read about this passive attack vector other than in a sidenote.