How does "sniffing a PBC session" Work ? #107
Comments
|
there's currently no code in wash or similar tools to know whether the button was pushed. |
@rofl0r Oh! Thanks a lot So i need to sniff using airodump and wait for some one to press the button and connect ? To get the password ? But how do i actually extract these values from a wireshark capture ? Also this isn't what i meant I need to detect whether the button was pushed or not so i can act on it if i notice the button was pushed then i can choose to connect to it or not I read Here at wifiphisher wpspbc extension That you can detect if a button was pushed or not without needing for someone to connect to it , by just sniffing A WPSPBC IE .... But i wasn't able to understand how or if it's possible to do it manually Thanks again for your response |
yes, or using wireshark, or tcpdump or any other tool that can capture packets from monitor if
expand the headers of M1-M7 and look for the relevant fields
you're the first person needing it so far, so nobody has implemented it. PR adding it to wash is welcome. |
@rofl0r what filter do i use to find the m1-m7 headers ? what about this
is it possible or not ?
Not really as i mentioned above , wifiphisher needed it and this too "hostbase" They use an evil twin attack and ask the user to push the button instead of a password .... but they have to stop the deauth of the target clients , So they be able to check if the button was pushed or not
Googling the problem i found a lot of people asking about it but not able to figure it out And here too they had to use an alternative method because they weren't able to figure out how https://www.wifi-libre.com/topic-596-vulnerabilidad-wps-pbc-push-button.html I just want to figure out how to do it using airodump-ng thanks |
can't recall from the top of my head. just record a WPS session (even if wrong pin) to your router and look at the packets. wireshark somewhere mentions those are iirc EAP packets and also has the info whether M1, etc somewhere listed.
i don't know. you best experiment with your own router and compare packets before you push the button and after. in other words, i can't help you further, you gotta dig into this yourself. |
@rofl0r oh thanks a lot you helped me a lot so far I was able to find it i captured Two captures Then i tried all the WPS PBC filters from the wireshark wiki The three filters are and this one i found by looking at the packets
Now that we know which filters are needed I still don't know how to do it from the terminal using I am trying to do something like this , but i can't figure out the syntax for using tcpdump and if the matches are zero or not just from bash I linked the Two capture files if that would help Thanks a lot |
@rofl0r i think that i have found a tool but it works on older systems with python 2.7 only Looks like scapy was the key all along haha |
|
a thing that comes to mind is the json mode of wash (wash -j). it also lists stuff like that. |
@rofl0r oh thanks a lot you are right But it misses I am trying to do a check using this syntax But it only prints Yes after i kill it using ctrl + c 😥 anyway thanks a lot you helped me a lot so far
Yeah just add another column with WPS PBC I am currently wonderingDoes the wps lock matter when using the PBC ? But for some reason Reaver -K -L fails Even using the -N option doesn't help Even that using Pixie dust on Routerscan success with no problem in the same situation ! This is Router scan configuration Even when disabling PixieDust it still works ! Second : Why Wash doesn't refresh results ? i Mean it only outputs each network status for once for each run |
i don't know, maybe @binarymaster can shed some light on this difference.
because wash isn't a tool for real-time monitoring, but for one-shot information gathering. in order to work as you want, you'd need to start it in a way it's automatically terminated after e.g. one sec (like sending a SIGALRM to it, iirc there's some shell tool to achieve that), and only using the channel of the target ap. |
@rofl0r hmm what do you mean ?
What's its name?
Yeah cause i even tried bully and it still fails |
I think not, since you are explicitly pressing a physical (or virtual) button. Some routers may clean lock flag on button press, some may not.
I'm actually tracking this thread from the beginning 😄 Would be nice to have a passive way of WPS button press detection when scanning networks (preferably using Probe Response data) so I can integrate this into Router Scan. |
i suspect the problem lies here in reaver code/output: what does routerscan do differently here than reaver?
if i would recall i'd already told you. google "shell terminate command after 1 sec"
the idea is that you run wash in a loop targeting only the channel the device uses so no time is wasted scanning different channels, and as soon as you have the magic string in the json output you know that now's the time to start sniffing packets for the WPS interchange. |
I think Router Scan just ignores what the AP sends in the "Device Password ID" field. However when it's configured to Enrollee mode, it sends M1 message first, and the "Device Password ID" is equal either to 0 (PIN mode) or 4 (PBC mode) - depending on what setting is chosen in the GUI. |
|
i currently don't have a router with wps button available to test this. maybe @feitoi is interested to look into what's going wrong here ? |
😏😏
@rofl0r Haha see ? @binarymaster You can use the waircut method , it's on windows too
Source : Liberada la versión 1.9
oh
Thanks i was able to do it using the timeout function
Hmm or you can connect using wpa_cli wps_pbc
So.... It still continues to use the same method it was set to use ? How is that possible that Pin method is able to work on routerscan when the Device Password ID is 4 which means PBC only? That doesn't make any sense i also noticed that when even the wps method is set PUSH BUTTON AS enrollee That doesn't seem right to me ! Thanks |
|
Hello everybody! In my a modified version of wash, I put to monitor
I confirm, @binarymaster
When WPS button was pushed, the AP temporarily change the PIN to 00000000 and change lock flag to unlocked or not, if AP is not vulnerable to Pixie Dust attack then reaver will not work. Better to add -p 00000000 and it responds don't restore previous session.
Matter to reaver, reaver needs WPS unlocked. Update reaver and I believe you will see nack code is 0x000F see my comment |
Hello @feitoi
Hmmm interesting, So how do we actually use Wash to detect if the WPS button was pushed or not ? Also does the same thing happen for this filter too ?
Nah the lock doesn't get cleared for me when i push the button , Idk if it gets cleared during the 120 seconds and not after or not... but it's currently still locked after pressing it like dozen times
So.... That way Reaver would work with PBC ?
But why , When it doesn't matter if the WPS button is pushed , the lock doesn't matter as you said.
Dang it , That means I answered my question wrong on |
it seems google drive wants me to login, so i cant download. can you upload it to 0x0.st instead ? |
why this weird site Here it's |
|
I see that @drygdryg added a Can you tell Us how you added the Also , Can it take a channel and bssid as an argument ?
@feitoi Yeah just tested it , and it works Great oh never mind 😅
I have Checked the Wi-Fi Protected Setup Specification And it's quite an interesting read , It has all the answers ... so about the AP setup locked Reaver doesn't have to exit when it detects the setup is locked but maybe if it also detects the device password id set to PBC then it should try PBC too Anyway This what caught my Eyes from the documentation
Found it , Found where you got this from
Any way Which makes us make the conclusion That
Shouldn't happen and i also found this in another WPS documentation titled : Wireless LAN PCI Card User Manual V1.1
Which means that the only way to actually make sure that the button was pushed is to check Device Password ID value Images from the first documentation I have just Tested the OneShot PBC option it works great But it ignores the entered mac address and it doesn't allow specifying a channel
|
this field seems to only be set when the WPS button was pushed. ref: wiire-a/pixiewps#107
this field, if present, and having the value 0x0004 indicates that the push button method was activated. ref: wiire-a/pixiewps#107
|
meanwhile i added a couple commits that make wash add the fields the wpspy script showed, but wash not. additionally, -j mode now detects when the WPS configuration of an already printed AP changes, and prints another line (that should make it possible to remove the timeout hack to use wash to detect when button was used). edit: what's still missing is that reaver detects when the libwps_data struct contains the device_password_id == 4 condition (push button pressed) and in that case uses pin 00000000. |
@rofl0r Just tested it works just Great! , I updated the answer on unix.stackexchange too
Ohhh , Tested it. This really awesome But i still can't get it to echo found unless i kill it if i don't use the timeout command
only prints Found/not found If i kill it.
There is one tiny problem in this, And it's Great work mate |
you'd need to start wash via some wrapper (e.g. a python script) that terminates the wash process as soon as the desired string is found in the output.
i'd assume the reaver option
as i said in the beginning, nobody investigated PBC use case for reaver so far, as the likelihood of somebody pushing the button while you're scanning or running a bruteforce on it seems like winning the lottery. edit: btw, it's odd that your pcap with pbc on has only a single beacon in it. it would be interesting to see whether beacons after PBC is activated have different content (like including the WPS tags) |
@rofl0r But i have already tested it earlier with the -L while the button is pushed and status is locked
For some reason i can't still figure it out haha, echo not found shouldn't be even be an option |
I don't understand ... I have posted a lot of images comparing the output of different tools PBC off vs PBC on
It doesn't get affect by the |
As @rofl0r says, reaver doesn't have a PBC implementation yet and because of that, the AP must have the lock flag unlocked.
@minanagehsalalma, when WPS button was pushed, you should use
I think you missed to do WPS authentication while capturing with wireshark. |
Try to reboot your router, after reboot it may be that WPS lock flag goes back to unlocked and then press PBC button |
@feitoi Yeah just tested it, Without the button pushed : With the button pushed : But I still don't understand why it fails when the WPS locked Even when using -L flag and
@rofl0r As you see i tested it again and it doesn't work.
hmm i didn't think that was needed. |
|
that -L not works is probably due to the other errors that cause a WSC NACK to be sent in the first place (you'd see it with -vvvv).
the issue is that wash process keeps running. here's a wrapper that you can use import subprocess, sys
argv = list(sys.argv)
argv[0] = '../src/wash'
proc = subprocess.Popen(argv, executable=argv[0], stdout=subprocess.PIPE)
while 1:
line = proc.stdout.readline()
if line == '': break
print line
if '"wps_device_password_id" : "0004"' in line:
print "WPS PBC enabled"
proc.terminate()
breakjust replace ../wash with the path to wash and run it like |
Are sure it's not cause Reaver use the Pin method while the router is using PBC ?
@rofl0r Huh ? why read or write to a file ? |
the interesting stuff comes before that.
no, i'm not. i didnt study how PBC works and am of the impression it works identical to pin mode except pin "00000000" needs to be sent. but maybe there's more to it.
what read or write ? this script starts wash as a controlled subprocess and terminates it as soon as the line with the PBC indicator is received.
save the script as washwrapper.py and run it instead of wash with all arguments you'd usually pass to wash. like |
@rofl0r Here it's
i was talking about the pbc.cap and -f you told me to run it with Yeah that worked great , Thanks a lot
but why do i need to type the path ? i just typed wash with no pathes i also changed the order of these two lines |
|
@rofl0r I added the script to the unix.stackexchange answer too
|
|
Thanks Every one for your Help so far ... I learned a lot and and figured a lot of things That wasn't possible with searching it wasn't possible without you ;) The only thing missing is Reaver to ignore |
|
@minanagehsalalma if you can provide 2 pcaps:
i can take a look at what would be needed on the reaver side to support it. |
|
ReaverPBCFailing The output is the same as always And using router scan with the ignore lock flag
Thanks lot 😘 Also as a bonus can we get a quick view of extracting the values needed for Here the Edit : Ah never mind , i just noticed that it only works for routers with |
yes, but i requested a pcap, not the output, in order to compare it with routerscan pcap.
there's an open ticket for that, #89 . feel free to create a wiki page to document the process if you find out. |
well ... The zip file is right there I posted the output just incase @rofl0r so how is it going ?
I don't think it would be much of a use , as the bug is super old and exists in old devices only and it's already patched .. so ... |
|
@rofl0r Look at this We were speaking about a way to go thro the Wpa_cli wps connect in monitor mode And kcdtv mentioned that you are a member of the forum 😅 So you probably know what's up haha He told me that wpa_cli wps_pbc is the only available way to do such a thing So i think Reaver would be the first to provide an alternative |
|
@rofl0r any news ? |
|
i've been busy with RL so i didn't have time to look into your PCAPs. hopefully next week. |
@rofl0r np , Thanks a lot mate |
I am trying to know if it's possible
to know if the WPS button
was pushed on some AP
without trying to connect to it
but with just monitoring it
So i think
sniffing a PBC sessionis what i am looking for , so i would like to know how it worksThanks
The text was updated successfully, but these errors were encountered: