## Known PINs based off first three bytes of BSSID

airgeddon ships a database of known default WPS PINs keyed by the first three bytes (OUI) of the BSSID, loaded as a bash associative array:

```bash
sudo apt install airgeddon
source /usr/share/airgeddon/known_pins.db
echo ${PINDB["0013F7"]}
```
Wi-Fi Protected Setup, originally known as Wi-Fi Simple Configuration, was meant to unify various vendor technologies to share WPA or WPA2 passphrases securely using different methods.
Some WPS implementations are flawed, and a successful attack on an AP with WPS enabled discloses the WPA/WPA2 passphrase, no matter how complex it is.
- APs that do not advertise WPS are not exposed to these attacks.
Types of WPS setups:
- Pushing a button, Push Button Connect (physical or virtual, WPS PBC)
- Input PIN on device (WPS PIN)
- NFC
- USB Flash Drive (Deprecated)
Connection established (via button press)
- Indicated in the probe response
- EAP Start + EAP Request Identity + EAP Response Identity + WFA-SimpleConfig-Enrollee-1-0 (WPS)
- WSC start
WPS PIN Vulnerabilities
- Eight-digit PIN (the last digit is a checksum)
- The AP verifies the first 4 digits on their own, then the second half (3 digits + checksum), so each half can be guessed independently
- This can take 3-10 hours to brute force
- Protection mechanisms
  - 60 second timeout after a series of failures
  - WPS could be locked from use, or require a reset
Known Issues
- WPS PIN Brute Force attack (using reaver)
- PixieWPS (weak RNG in some chipsets)
- Physical access to AP with WPS PIN
- Known default PIN values based on first three bytes of BSSID
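Added example (not airgeddon's code) that works through two points above: the PIN structure, i.e. the checksum digit and the two-part verification that shrinks the search space, and an OUI lookup in a PINDB-style table. The `PINDB` entries below are constructed placeholders, not real default PINs.

```python
"""WPS PIN checksum, split verification and OUI lookup (added example)."""
from typing import Optional


def wps_checksum(first_seven: int) -> int:
    """Compute the 8th (checksum) digit of a WPS PIN from its first 7 digits.

    Weighted mod-10 sum: digits in odd positions from the right count x3,
    even positions count x1; the checksum makes the total divisible by 10.
    """
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit matches the checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_checksum(int(pin[:7])))


def split_pin(pin: str) -> tuple:
    """The two halves the AP verifies separately: first 4 digits, then
    the remaining 3 digits plus the checksum digit."""
    return pin[:4], pin[4:]


def search_space() -> dict:
    """Worst-case guesses needed: if the whole PIN were verified at once
    only the 7 free digits matter (10**7); with the split, 10**4 guesses
    settle the first half and 10**3 settle the second (11,000 total)."""
    return {"monolithic": 10 ** 7, "split": 10 ** 4 + 10 ** 3}


# Constructed stand-in for airgeddon's PINDB (keyed by the upper-case,
# colon-less OUI). The PIN value is a placeholder, not a vendor default.
PINDB = {"0013F7": "12345670"}


def lookup_default_pin(bssid: str) -> Optional[str]:
    """Normalise a BSSID such as 00:13:f7:aa:bb:cc to its OUI and look it up."""
    oui = bssid.replace(":", "").replace("-", "").upper()[:6]
    return PINDB.get(oui)
```

A defender can use the same lookup to flag APs in an inventory whose OUI appears in the known-PIN table and disable WPS on them.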
