Extracted from this thread on the DD-WRT forums:
Short answer: your WPS could already be disabled on your DD-WRT device, even when it seems to be active. It just depends on the wps_state value in the /tmp/path[0-9]_hostap.conf file: 1 means active, 0 or 2 means it is not.
Time to test the real thing with Aircrack-ng. If I scan with airodump-ng:
luis@Frambuesio:~$ sudo airodump-ng wlan1mon --wps -c 2
CH 2 ][ Elapsed: 1 min ][ 2015-12-15 00:48
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH WPS ESSID
XX:XX:XX:XX:XX:XX -35 100 435 20 0 2 54e. WPA2 CCMP PSK Locked MyWiFiNetWork
It seems there is some WPS, but in the Locked state.
If I try to attack via WPS with, say, Bully:
luis@Frambuesio:~$ sudo bully wlan1mon --bssid 00:24:A5:XX:XX:XX -v 3 -c 2
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'wlan1mon' to channel '2'
[!] Using '00:1c:f0:9f:fc:84' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '00:24:a5:XX:XX:XX' on channel '2'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'MyWiFiNetWork' (00:24:a5:XX:XX:XX)
[!] Beacon information element indicates WPS is locked
[+] Loading randomized pins from '/root/.bully/pins'
[!] Restoring session from '/root/.bully/0024a5c816a2.run'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '64121635'
[!] WPS lockout reported, sleeping for 43 seconds ...
^C
Saved session to '/root/.bully/0024a5c816a2.run'
Indeed, it is locked. If I force the attack even in the locked state:
luis@Frambuesio:~$ sudo bully wlan1mon --bssid 00:24:A5:XX:XX:XX -v 3 -L -c 2
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'wlan1mon' to channel '2'
[!] Using '00:1c:f0:9f:fc:84' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '00:24:a5:XX:XX:XX' on channel '2'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'MyWiFiNetWork' (00:24:a5:XX:XX:XX)
[!] Beacon information element indicates WPS is locked
[+] Loading randomized pins from '/root/.bully/pins'
[!] Restoring session from '/root/.bully/0024a5c816a2.run'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
[+] Rx( M1 ) = 'EAPFail' Next pin '64121635'
So there is no WPS, or at least no WPS available to attack.
Tested with the Enable/Disable state under Wireless --> AOSS (someone reported it could change the WPS state):
Anyway, if you want to be completely at ease about the "WPS Enabled" message you may see on Android, follow these steps:
1.- Locate the hostapd.conf file for your wireless card in /tmp. Mine is:
root@DD-WRT:/tmp# ls /tmp/*hostap.conf -la
-rw-r--r-- 1 root root 580 Dec 15 00:48 /tmp/ath0_hostap.conf
2.- Check the wps_state value:
root@DD-WRT:/tmp# cat ath0_hostap.conf | grep "wps" -i
wps_state=2
Note:
- 0 means WPS disabled.
- 1 means WPS enabled.
- 2 means WPS locked.
3.- Change it to 0. You could edit the file. I prefer to use the sed command to swap 2 for 0 directly:
/bin/sed s/wps_state\=2/wps_state\=0/g -i /tmp/ath0_hostap.conf
4.- Locate the hostapd process (with its parameters):
root@DD-WRT:/tmp# ps | grep "apd" -i
60 root 0 SW< [kswapd0]
2093 root 1340 S hostapd -B /tmp/ath0_hostap.conf
5.- Kill it and restart it (with exactly the same parameters):
root@DD-WRT:/tmp# kill 2093
root@DD-WRT:/tmp# hostapd -B /tmp/ath0_hostap.conf
And that should be all.
This time with Aircrack-ng:
luis@Frambuesio:~$ sudo airodump-ng wlan1mon --wps -c 2
CH 2 ][ Elapsed: 12 s ][ 2015-12-15 00:57
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH WPS ESSID
00:24:A5:XX:XX:XX -35 100 50 3 0 2 54e. WPA2 CCMP PSK MyWiFiNetWork
BSSID STATION PWR Rate Lost Frames Probe
As can be seen, it shows nothing in the WPS column.
And this time Bully will not even try to attack it:
luis@Frambuesio:~$ sudo bully wlan1mon --bssid 00:24:A5:XX:XX:XX -v 3 -c 2
[sudo] password for luis:
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'wlan1mon' to channel '2'
[!] Using '00:1c:f0:9f:fc:84' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '00:24:a5:XX:XX:XX' on channel '2'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'MyWiFiNetWork' (00:24:a5:XX:XX:XX)
[X] The AP doesn't appear to be WPS enabled (no WPS IE)
So, finally, we can say that WPS is disabled on your DD-WRT router.
Tested with a Buffalo WHR-HP-GN. It is expected to work on any model (please confirm).
Additional details:
- As long as the /tmp dir lives in RAM, this change is temporary, unless you script it anyway at each reboot.
- In the thread mentioned above, on the DD-WRT forum, there is a command line
/bin/ps | /bin/grep '[h]ostapd' | /usr/bin/awk -F" " {'print $1'} | /usr/bin/xargs /bin/kill -HUP
which directly replaces step 5.
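As an added example (not code from the original answer or from the DD-WRT project), the script below folds steps 1 to 5 and the reboot caveat into one boot-time script: it finds every hostapd config under /tmp, rewrites wps_state to 0 only where it is 1 or 2, and sends hostapd a SIGHUP to reload, the same signal the forum one-liner above relies on. It assumes busybox sh with a sed that supports -i (as the answer's own sed command does), config files named /tmp/<iface>_hostap.conf, and that hostapd re-reads its config on SIGHUP. The CONF_DIR variable and all function names are this example's own; the demo at the end runs on a constructed copy of the config so the script can be tried off-router.

```shell
#!/bin/sh
# Added example, not from the original answer or the DD-WRT project.
# Boot-time script: force wps_state=0 in each hostapd config under /tmp and
# make hostapd re-read it, so the WPS-off state survives /tmp being rebuilt.
# Assumptions: busybox sh, sed -i available, configs named /tmp/<iface>_hostap.conf.
CONF_DIR="${CONF_DIR:-/tmp}"

# Print the wps_state value of a hostapd config (empty output if the key is absent).
wps_state_of() {
    sed -n 's/^wps_state=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Meaning of each value, as listed in the answer's note.
wps_state_label() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        2) echo "locked" ;;
        *) echo "unknown" ;;
    esac
}

# Rewrite wps_state to 0 in place, anchored to the line start so no other key
# is touched. Exit status 0 = file changed, 1 = already 0 or no wps_state key.
disable_wps_in_conf() {
    case "$(wps_state_of "$1")" in
        ""|0) return 1 ;;
    esac
    sed -i 's/^wps_state=[0-9]*/wps_state=0/' "$1"
}

# Make every running hostapd reload its config (same effect as the forum one-liner).
reload_hostapd() {
    pids=$(ps | grep '[h]ostapd' | awk '{print $1}')
    [ -n "$pids" ] || return 0
    kill -HUP $pids
}

# Walk the configs in a directory; exit status 0 if at least one file changed.
# A no-op on a machine without such files, e.g. when run off-router.
apply_to_dir() {
    changed=0
    for conf in "$1"/*_hostap.conf; do
        [ -f "$conf" ] || continue
        before=$(wps_state_of "$conf")
        if disable_wps_in_conf "$conf"; then
            echo "$conf: wps_state $before ($(wps_state_label "$before")) -> 0 (disabled)"
            changed=1
        else
            echo "$conf: wps_state already ${before:-absent}, nothing to do"
        fi
    done
    [ "$changed" -eq 1 ]
}

# Real run: only reload hostapd if something actually changed.
if apply_to_dir "$CONF_DIR"; then
    reload_hostapd
fi

# Stand-alone demonstration on a constructed config (sample values, not a real
# router file) mirroring the wps_state=2 case shown in the answer.
demo_constructed() {
    demo="${TMPDIR:-/tmp}/wps_demo_$$.conf"
    printf 'interface=ath0\nssid=MyWiFiNetWork\nwpa=2\nwps_state=2\n' > "$demo"
    s=$(wps_state_of "$demo")
    echo "demo before: wps_state=$s ($(wps_state_label "$s"))"
    disable_wps_in_conf "$demo" || true
    s=$(wps_state_of "$demo")
    echo "demo after:  wps_state=$s ($(wps_state_label "$s"))"
    rm -f "$demo"
}
demo_constructed
```

On DD-WRT the script is meant to be saved as a startup script (Administration --> Commands) so it runs after /tmp and the hostapd configs have been regenerated; run by hand it prints what it changed, and verifying the result is still done the way the answer does, with an airodump-ng scan showing an empty WPS column.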