Introducing a new way to crack WPS: Option p with an Arbitrary String

kcdtv edited this page Jun 28, 2017 · 2 revisions

We are very happy to present the improved `-p` argument.

`-p, --pin=<wps pin>             Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)`   

It can be used against Access Points whose PIN does not follow the WPS checksum rule for the last digit.
For example, D-Link used 22222222 as a default PIN in some devices. It is not a "legitimate" WPS PIN.
If you tried to send this PIN with `-p` in a version prior to 1.6b, Reaver would automatically correct it and send the "correct" WPS PIN (2222228 for instance).
As of version 1.6b, any PIN can be sent, including a non-legitimate PIN such as 22222222. Even an "empty" PIN can be sent!
That sounds crazy, right?
Have a look at this document: Obtaining the WiFi password in a few seconds using WPS
The author shows how he manages to crack a Huawei router immune to pixiewps and the standard WPS brute force. He does so by sending an empty PIN.
He also shows the faulty configuration in the document:

```
BusyBox vv1.9.1 (2014-02-08 20:26:13 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# nvram show  | grep wps_device_pin  
size: 2659 bytes (30109 left)
```

As you can see, the variable wps_device_pin is declared but not defined. "Logically" the PIN value is "NULL" (none, an "empty" PIN).
This is not a unique case. In this video you will see how we managed to crack a ZTE router immune to known methods by sending a blank string with `-p ""`: Cracking ZTE ZXHN H218N (jazztel) with new option "arbitrary strings" from Reaver 1.6b
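The two faulty states described on this page, a non-conforming default such as 22222222 and an unset or empty wps_device_pin, can both be caught by an administrator checking the stored value against the WPS checksum rule. The Python below is an added example, not Reaver code or the document's code; the `nvram show` dumps are constructed, and the checksum is the standard WPS one (digits 1, 3, 5 and 7 weighted by 3, digits 2, 4 and 6 weighted by 1, last digit makes the sum a multiple of 10).

```python
import re

# Constructed sample `nvram show` dumps (not real device output).
NVRAM_PIN_MISSING = "size: 2659 bytes (30109 left)\nwps_mode=enabled\n"
NVRAM_PIN_EMPTY = "wps_mode=enabled\nwps_device_pin=\nlan_ipaddr=192.168.1.1\n"
NVRAM_PIN_DEFAULT = "wps_mode=enabled\nwps_device_pin=22222222\n"
NVRAM_PIN_VALID = "wps_mode=enabled\nwps_device_pin=12345670\n"


def wps_pin_checksum(first7: str) -> int:
    """Checksum digit the WPS spec defines for the first seven PIN digits."""
    accum = 0
    for i, ch in enumerate(first7):
        d = int(ch)
        accum += 3 * d if i % 2 == 0 else d   # digits 1, 3, 5, 7 weighted by 3
    return (10 - accum % 10) % 10


def classify_wps_pin(pin):
    """Classify a stored PIN value; None means the variable was never set."""
    if pin is None:
        return "undefined"
    if pin == "":
        return "empty"
    if not re.fullmatch(r"[0-9]{8}", pin):
        return "not-8-digits"
    if int(pin[7]) != wps_pin_checksum(pin[:7]):
        return "bad-checksum"      # 22222222: the expected last digit is 0
    return "valid"


def audit_nvram(dump: str):
    """Return (value, verdict) for wps_device_pin in an `nvram show` dump."""
    value = None
    for line in dump.splitlines():
        key, sep, val = line.partition("=")   # lines without '=' are ignored
        if sep and key.strip() == "wps_device_pin":
            value = val.strip()
    return value, classify_wps_pin(value)


if __name__ == "__main__":
    for name, dump in [("missing", NVRAM_PIN_MISSING), ("empty", NVRAM_PIN_EMPTY),
                       ("default", NVRAM_PIN_DEFAULT), ("valid", NVRAM_PIN_VALID)]:
        print(name, audit_nvram(dump))
```

Anything other than "valid" is a PIN the device should not be shipping with; disabling WPS or setting a checksum-conforming, non-default PIN removes the condition the page describes.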

* The screenshot below shows that sending a PIN for a brute force does not lead anywhere against this AP:

* The Pixie Dust attack is pointless too:

* But if I send a blank PIN, I crack the device in 2 seconds!

Thanks to binarymaster for proposing and coding this exciting new feature (see #133)!
