.braindump – RE and stuff

December 27, 2011

Wi-Fi Protected Setup PIN brute force vulnerability

Filed under: advisories — Stefan @ 3:00 am

A few weeks ago I decided to take a look at the Wi-Fi Protected Setup (WPS) technology. I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide.

I reported this vulnerability to CERT/CC and provided them with a list of (confirmed) affected vendors. CERT/CC has assigned VU#723755 to this issue.
To my knowledge none of the vendors have reacted and released firmware with mitigations in place.

Detailed information about this vulnerability can be found in this paper: Brute forcing Wi-Fi Protected Setup – Please keep in mind that the devices mentioned there are just a tiny subset of the affected devices.

I would like to thank the guys at CERT for coordinating this vulnerability.

Update (12/29/2011 – 20:15 CET)
As you probably already know, this vulnerability was independently discovered by Craig Heffner (/dev/ttyS0, Tactical Network Solutions) as well – I was just the one who reported the vulnerability and released information about it first. Craig and his team have now released their tool “Reaver” over at Google Code.

My PoC Brute Force Tool can be found here. It’s a bit faster than Reaver, but will not work with all Wi-Fi adapters.

Update (12/31/2011 – 14:25 CET)

Update (04/01/2012 – 17:45 CET)
Tactical Network Solutions has decided to release the code for the commercial version of Reaver. You might want to check it out.


291 Comments »

  1. I only just bought a new Netgear router yesterday. I had my suspicions that this was insecure. Looking forward to giving the tools a go.

    Comment by Ryan — December 27, 2011 @ 2:22 pm | Reply

    • Netgear has a so called Push´N Connect Button on router devices. The WPS function is only working for a short time. So they are probably safe!? The vulnerability needs some time for brute forcing.

      Comment by Zentrale — December 31, 2011 @ 11:22 am | Reply

      • not necessarily: I’m currently testing a WND3700, this device has push connect, but it also seems to support the PIN method. Sorry.

        Comment by Jagermo — January 4, 2012 @ 3:07 pm

  2. “will be released once I get around to cleaning up the code”

    For most people this means “never”. I’d rather get a chunk of dirty code and try to figure it out than have to try to re-implement this attack from scratch.

    Please post your messy broken code.

    Comment by Joe — December 27, 2011 @ 9:32 pm | Reply

    • Seconded. In fact, since it’s such an important part of the paper, arguably the code “not being ready” means the paper isn’t, either. But even if you disagree with that, then this still leaves people shorthanded verifying a) their devices are vulnerable and b) they’ve successfully mitigated the problem by turning off the feature. Wouldn’t be the first time shoddy firmware says one thing but does another. As such, the only remedy now is to take every last AP offline until someone gets around to releasing a tool to check mitigation.

      Comment by Cellar — December 28, 2011 @ 12:58 am | Reply

  3. If the code is not ready, in the interim it would at least be useful to have a way to confirm whether a particular access point implements the “External Registrar” method of WPS. Looking at several of the ones in my possession, it was unclear which ones are affected. One device has the Push Button Connect physical button but it does nothing and manufacturer documentation says WPS is not implemented and is reserved for future use. Another device has no physical button but implements the “Internal Registrar” method of WPS through the network admin interface, and may also implement the External Registrar method, but I have no way to easily confirm that.

    Comment by Mike Myers — December 28, 2011 @ 12:18 am | Reply

  4. Please, release the code. If you put it on open source license, the community will clean the code for You :)

    Comment by Christopher — December 28, 2011 @ 8:23 am | Reply

    • I had to change line 480 code to make it partially run on Nokia N900 with Python 2.5:

      elif (self.rcved.is_set() is False): to elif (self.rcved.set() is False):

      Now I get the same problem as other posts with being stuck at PIN 00000 (even after updating to python-scapy 2.2.0)

      Comment by Stefan Lenz — January 6, 2012 @ 10:05 pm | Reply

  5. Please release the PoC:) If You put it on open source license, the community will clean the code :)

    Comment by Christopher — December 28, 2011 @ 8:26 am | Reply

  6. looking forward to testing

    Comment by ralph — December 28, 2011 @ 12:05 pm | Reply

  7. Another possibility to speed-up attack is to use more than one client…

    Comment by Christopher — December 28, 2011 @ 2:20 pm | Reply

    • parallelizing could be possible, but the CPU on the router is the bottleneck anyways.

      Comment by Stefan — December 28, 2011 @ 4:53 pm | Reply

  8. Please release to the open source community. It will be cleaned up and ready by the next day.

    Comment by William — December 28, 2011 @ 6:34 pm | Reply

  9. [...] is something that I’ve been testing and using for a while now, but Stefan over at .braindump beat me to publication. Such is [...]

    Pingback by Cracking WPA in 10 Hours or Less | /dev/ttyS0 — December 28, 2011 @ 8:26 pm | Reply

  10. Stefan, this is actually something I’ve been working on myself. I just posted Reaver, which is my code for breaking WPS pins: http://www.tacnetsol.com/products/

    Comment by Craig — December 28, 2011 @ 8:29 pm | Reply

    • I tried running your code but it seems not to be working on my system. I’m running backtrack 5 with an iwi3945 card. There is some clock skew on install. When I try to run the script it says it can’t associate and reports the correct essid. The router is a linksys e1000 with wps on.

      Comment by nick — December 29, 2011 @ 1:00 am | Reply

      • Same problem, but on ubuntu 11.10 using standard aircrack.

        Comment by hrmmm — December 29, 2011 @ 6:15 am

      • This is probably an issue with the wireless driver. I’ve only tested it against Atheros ath9k drivers and the Realtek drivers for the Alpha cards, so both of those work fine, but others may not work. Switching to something like lorcon for packet injection will probably fix these types of issues…

        Comment by Craig — December 29, 2011 @ 11:04 am

      • The latest changes to 80211.c have the code working on my iwi3945 card! Brilliant!

        Comment by nick — December 29, 2011 @ 3:41 pm

      • I have also encountered the linksys WPS functionality failure described in the pdf. For me, it occurred after about 200 tries. The model of router is a Linksys e1000 v1 2.1 firmware 2.0.00

        Comment by nick — December 29, 2011 @ 4:13 pm

  11. The other mitigation that should be recommended is to never send EAP-NACK in response to the first half of the PIN. Always send the second half of the negotiation, and send EAP-NACK in response to the second half of the PIN if either half was incorrect. That brings the required number of brute force attempts back up to 10^7, which means it will take over 150 days to search the entire space with your assumed attack time of 1.3 seconds per attack, even without any lock down (or 75 days, on average, to find the PIN).

    Rather than a complete lock down after a few failed attempts, I think it would be better to introduce a delay after receiving a few (5 or 10) failed attempts. A 30-second delay per failed attempt requires 1,811 days (4.9 years) on average to find the PIN, 60 seconds requires 3,547 days (9.7 years). This has the advantage that a legitimate client with the correct PIN can still authenticate, even if the device is under a brute force attack. A 30-second delay strikes me as a good compromise between resistance to brute force attacks and responding to legitimate requests.

    If it’s difficult for the attacker to spoof their MAC address, then a per-MAC-address complete lock down is even better. It can provide a much longer average time to find the PIN (a 60-minute lock down after 5 failed attempts leads to a 114-year average time to find the PIN) while still allowing legitimate clients with a different MAC address to authenticate. But if the attacker can send each request with a different MAC address they can bypass the lock down.

    (All of these average times to find the PIN assume the first countermeasure described above is applied, of course.)

    Comment by Keith Reynolds — December 28, 2011 @ 8:34 pm | Reply

    • MAC spoofing is trivial — so trivial that it should never be used as the basis for security. A network card’s MAC address can be changed in microseconds, and there are about 281,474,976,711,000 addresses to choose from.

      Comment by Mark — December 28, 2011 @ 10:14 pm | Reply

    • The no NACK idea is good – thanks … I’ll add this to the WPS 2.1 testplan.

      The current specification and testplans recommend delays and lockouts – it’s just that vendors were lazy and only met the minimum required for certification testing.

      Comment by Paul — January 6, 2012 @ 11:58 pm | Reply

      • Some associates pointed out that never sending a NACK does NOT help. If you send a correct next message it exposes the second half PIN. If you send the wrong second half – it’s detectable and just adds a little more work beyond the current attack.

        Comment by Paul — January 9, 2012 @ 11:15 pm
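
The delay and lock-down figures from comment 11, worked through as an added example (not code from the post, the paper or either tool). The `Policy` fields and function names are made up for this illustration; the 1.3 seconds per attempt is the figure the comment assumes, and the 10^4 + 10^3 search space is the paper's figure quoted in comment 35.

```python
from dataclasses import dataclass

DAY = 86400.0  # seconds

# Worst-case number of attempts for the two validation schemes discussed here.
WHOLE_PIN = 10**7            # 7 free digits + checksum, PIN only judged as a whole
SPLIT_PIN = 10**4 + 10**3    # halves confirmed separately (figure from the paper)


@dataclass(frozen=True)
class Policy:
    """Hypothetical AP-side throttling policy; field names are illustrative."""
    attempt_seconds: float = 1.3   # per-attempt time assumed in comment 11
    free_failures: int = 0         # failures tolerated before delays start
    delay_seconds: float = 0.0     # extra wait per failure after that
    lockout_after: int = 0         # lock down after every N failures (0 = never)
    lockout_seconds: float = 0.0   # length of each lock-down


def seconds_for(policy: Policy, failures: int) -> float:
    """Wall-clock time this policy imposes on `failures` wrong PIN attempts."""
    total = failures * policy.attempt_seconds
    total += max(0, failures - policy.free_failures) * policy.delay_seconds
    if policy.lockout_after:
        total += (failures // policy.lockout_after) * policy.lockout_seconds
    return total


def worst_case_days(policy: Policy, search_space: int) -> float:
    """Days needed to walk the entire search space."""
    return seconds_for(policy, search_space) / DAY


def average_days(policy: Policy, search_space: int) -> float:
    """Expected days for a uniformly random PIN: half the space fails first."""
    return seconds_for(policy, search_space // 2) / DAY


# The policies proposed in comment 11 (5 chosen from its "5 or 10").
POLICIES = {
    "no throttling": Policy(),
    "30 s delay after 5 failures": Policy(free_failures=5, delay_seconds=30),
    "60 s delay after 5 failures": Policy(free_failures=5, delay_seconds=60),
    "60 min lock-down per 5 failures": Policy(lockout_after=5, lockout_seconds=3600),
}


def compare():
    """Rows of (policy name, average days on 10^7, average days on 11,000)."""
    return [
        (name, average_days(p, WHOLE_PIN), average_days(p, SPLIT_PIN))
        for name, p in POLICIES.items()
    ]


if __name__ == "__main__":
    print(f"{'policy':34}{'10^7 (days)':>14}{'11,000 (days)':>16}")
    for name, whole, split in compare():
        print(f"{name:34}{whole:14.1f}{split:16.2f}")
```

The first column reproduces the comment's numbers (1,811 days, 3,547 days, 114 years). The second shows what the same policies are worth while the two halves are still confirmed separately: about 46 days on average for the 60-minute lock-down and under 4 days for the 60-second delay.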

  12. Are you sure that all of these routers leave WPS on all the time? WPS is only supposed to be “on” when the person presses the physical or virtual button on the router to start a WPS transaction. What’s supposed to happen is the router only does WPS for a certain window period after the button is pressed on it. It’s not supposed to be doing WPS all the time.

    Comment by Phil Kearney (@pfk3) — December 29, 2011 @ 12:41 am | Reply

    • Yes I am sure that the PIN – External Registrar option does work all the time. WPS supports different configuration options and only one involves a physical button.

      Comment by Stefan — December 29, 2011 @ 8:04 am | Reply

  13. Just turn wps off (i guess for some routers don’t hit the button, hated that with linksys routers of old in work settings…someone would eventually hit the button which was the linksys logo that wouldn’t make you think it was a button when someone just needed to move it out of the way because there was shitty locations for wireless routers). I have no idea where it’s handy. The easy-to-use-encryption-for-dumb-people fails.

    Instead of typing in different pins for every device, I always thought it was easier to name a wireless network and give it a password with any of the encryption choices offered (just not wps).

    Comment by shamil — December 29, 2011 @ 1:37 am | Reply

  14. If an AP supports external PIN registration for an unlimited time, that would be a problem regardless of an efficient brute-force attack.

    However, the claim that this will affect all WPS routers is overreaching. Even in your limited tests you hit one that malfunctioned before letting you in. I know Apple APs don’t support adding clients without taking action on the AP, so the “all of the more recent router models come with WPS” claim also goes too far. You should clean that up.

    Comment by Kirby Laurence — December 29, 2011 @ 2:42 am | Reply

    • I’m afraid this is fairly accurate. Fellow researcher Craig Heffner agrees: “roughly 95% of modern consumer-grade access points ship with WPS enabled by default” (from http://www.tacnetsol.com/products/). The Apple devices are (as always) a bit special because they do only seem to support PIN – Internal Registrar.

      Comment by Stefan — December 29, 2011 @ 8:44 am | Reply

  15. [...] to Viehböck, he took a look at WPS and found “a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the [...]

    Pingback by Wi-Fi Protected Setup is Busted | wifihotspot.za.net — December 29, 2011 @ 2:55 am | Reply

  16. [...] reports Stefan Viehbock, the discoverer of the bug, the hardware vendors did not reply to his messages at all. They have not released [...]

    Pingback by » Miliony domowych routerów Wi-Fi podatnych na atak -- Niebezpiecznik.pl -- — December 29, 2011 @ 6:35 am | Reply

    • maybe because he wrote in Polish?

      Comment by Gniewój — March 30, 2012 @ 9:28 am | Reply

  17. [...] Figure 6 Wi-Fi Protected Setup PIN brute force vulnerability   Original article: http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability [...]

    Pingback by 穷举PIN码——是Wi-Fi保护技术WPS的软肋吗? | iBeini — December 29, 2011 @ 6:50 am | Reply

  18. Does this include DD-WRT?

    Comment by mycall — December 29, 2011 @ 6:53 am | Reply

    • As there is no frontend for WPS in dd-wrt or openwrt I don’t expect WPS to be enabled.

      Comment by Stefan — December 29, 2011 @ 8:27 am | Reply

  19. No doubt the various hardware vendors will take a long time to rollout any firmware update. What really worries me is that some only seem to keep updating firmware for a year or two after release and then completely stop, which leaves a lot of kit vulnerable to old exploits that could and should be easily fixed.

    Comment by Mark - Editor (ISPreview) — December 29, 2011 @ 8:06 am | Reply

  20. [...] Blog (developer) [...]

    Pingback by La tecnología WPS, vulnerable a ataques | The Inquirer ES — December 29, 2011 @ 8:17 am | Reply

  21. [...] in practice (the code that exploits it has not yet been made public by the author of the discovery), millions of small home networks would be at the mercy of potential [...]

    Pingback by Grave vulnerabilità per il Wi-Fi Protected Setup (WPS) dei routers — December 29, 2011 @ 9:58 am | Reply

  22. [...] problem is that a security researcher, Stefan Viehbock, has discovered that these products suffer from a serious security hole and are vulnerable to an attack of [...]

    Pingback by Descubren un grave fallo de seguridad en los routers con WPS | TechWeekEurope España — December 29, 2011 @ 10:06 am | Reply

  23. [...] less than tech-savvy computer users. Additional information about the vulnerability can be found at Stefan Viehböck’s website. The author promised to release a brute force tool to demonstrate the impact of the [...]

    Pingback by WiFi Protected Setup PIN Brute Force Vulnerability Discovered — December 29, 2011 @ 10:35 am | Reply

  24. [...] .braindump Tags: wifi, wps, breach [...]

    Pingback by Παραβίαση της προστασίας ασύρματων δικτύων WPS « Tick Technologies — December 29, 2011 @ 11:16 am | Reply

  25. I consider it VERY unscholarly to release this paper without backing up your theses by providing your “brute force tool”. This would have made verification of your paper possible more easily.
    Being a scholar yourself you should do better than this.

    Comment by Tom — December 29, 2011 @ 11:45 am | Reply

  26. [...] not exactly small security hole that Stefan Viehböck has discovered there. Many, many routers may be insecure straight from the factory, provided WPS [...]

    Pingback by Viele Router unsicher: WPS deaktivieren! — December 29, 2011 @ 12:25 pm | Reply

  27. [...] information | Stefan Viehböck’s blog Download document as PDF | Brute forcing Wi-Fi Protected Setup [...]

    Pingback by Descubierta una vulnerabilidad en el sistema WPS de los routers WiFi — December 29, 2011 @ 1:16 pm | Reply

  28. [...] information about the vulnerability can be found at Stefan Viehböck’s website. The author promised to release a brute force tool to demonstrate the impact of the [...]

    Pingback by WiFi Protected Setup PIN Brute Force Vulnerability Discovered | The Auto Blogging — December 29, 2011 @ 1:25 pm | Reply

  29. [...] Stefan Viehböck has discovered a not-so-small security hole. If you use WPS (WiFi Protected Setup), it is recommended that you deactivate it. [...]

    Pingback by Tech Blogging » WPS Sicherheitslücke — December 29, 2011 @ 1:32 pm | Reply

  30. [...] wants to know about this security hole and how exactly it works can do so here [...]

    Pingback by WLAN Router mit aktivierten WPS – möglicherweise unsicher! - Router, Geräte, WLAN, Funktion, Sicherheitslücke, Stefan, Viehböck, Dabei - ITler.NET - Der Blog für ITler und Sysadmins — December 29, 2011 @ 2:05 pm | Reply

  31. [...] keeps trying a router’s PINs until the connection is established. On Viehböck’s website the hacking tool is [...]

    Pingback by WLAN-Router: Sicherheitslücke im Wi-Fi Protected Setup (WPS) – und wie Sie sich schützen | Tipps, Tricks & Kniffe — December 29, 2011 @ 2:09 pm | Reply

  32. [...] information: Braindump Tags: security, vulnerabilities, [...]

    Pingback by Se encuentra una grave vulnerabilidad en el estándar WPS (Wi-Fi Protected Setup) — December 29, 2011 @ 3:20 pm | Reply

  33. [...] of data and various security problems. The latest comes from another developer who has made public a flaw in the WPS that many current WiFi routers use to allow adding, in a simple and [...]

    Pingback by CoCoLink | Tu Web de Electronica!.. - Tu Web de Electronica!.. — December 29, 2011 @ 3:36 pm | Reply

  34. [...] its warning, CERT refers to the results of the research carried out by security expert Stefan Viehbock, who discovered the flaw in Wi-Fi Protected Set-up, that is, in the WPS protocol. WPS is [...]

    Pingback by WPS i pasigurt — December 29, 2011 @ 5:18 pm | Reply

  35. There’s a minor thinko in the complexity calculations in your paper:

    > This form of authentication dramatically decreases the maximum possible authentication attempts
    needed from 10^8 (=100.000.000) to 10^4 + 10^4 (=20.000).
    > As the 8th digit of the PIN is always a checksum of digit one to digit seven, there are at most 10^4 + 10^3 (=11.000) attempts needed to find the correct PIN.

    You forgot that “the 8th digit of the PIN is always a checksum” applies also to the raw brute force combination calculations for the whole PIN, not just the calculations for forcing the two parts of the PIN separately, so the maximum possible authentication attempts figure should only have been 10^7, not 10^8.

    Comment by DaveK — December 29, 2011 @ 5:26 pm | Reply

  36. [...] researcher Stefan Viehbock has revealed a flaw with Wi-Fi Protected Setup that could enable attackers to brute-force their way into PIN-protected networks in a short period [...]

    Pingback by Researcher reveals flaw in Wi-Fi Protected Setup — December 29, 2011 @ 5:28 pm | Reply

  37. (Oh, and PS: Your whitepaper made me feel all nostalgic. This is the exact same design flaw that made the original LM hash algorithm so insecure all those years ago!)

    Comment by DaveK — December 29, 2011 @ 5:28 pm | Reply

  38. [...] free the user from the torments of WPA configuration), has been hacked by the researcher Stephan. The alert, the notification made to Cert/CC, the explanatory article and finally the attack code have [...]

    Pingback by Réseau : WPS vulnérable - CNIS mag — December 29, 2011 @ 5:50 pm | Reply

  39. This is gonna be interesting…

    Comment by FreebieMachine — December 29, 2011 @ 6:00 pm | Reply

  40. [...] showed himself willing to talk with router manufacturers such as Linksys and Netgear, but states on his blog that he was ignored by the companies, which so far have not published any update of [...]

    Pingback by Pesquisador encontra falha grave no protocolo WPS « Inteligência e Tecnologia — December 29, 2011 @ 6:37 pm | Reply

  41. [...] be quite as secure as you thought it was. A paper recently published by [Stefan Viehböc] details a security flaw in the supposedly robust WPA/WPA2 WiFi security protocol. It’s not actually that protocol which is the culprit, but an in-built feature called Wi-Fi [...]

    Pingback by A chink in the armor of WPA/WPA2 WiFi security - Hack a Day — December 29, 2011 @ 8:01 pm | Reply

  42. Has anyone successfully compiled this in OSX?

    Comment by shcir — December 29, 2011 @ 8:19 pm | Reply

  43. I tried your tool and it is always saying: “Trying 00000000″… is this the normal behaviour?
    And please push the code to github, with a GPL or BSD licence ;)

    Comment by Me Me — December 29, 2011 @ 8:22 pm | Reply

  44. @48. Me Me:

    Same here. Maybe our wlan adapter is wrong. Mine is intel 3945 abg. Additionally every attempt is 5 seconds long.

    Comment by Dave — December 29, 2011 @ 10:18 pm | Reply

  45. In my city about 32% of the APs I’ve found use WPS… and everybody says “It’s really sure to use this method”… LOL! Good work!

    Comment by wifirapallo — December 29, 2011 @ 10:41 pm | Reply

  46. [...] be quite as secure as you thought it was. A paper recently published by [Stefan Viehböc] details a security flaw in the supposedly robust WPA/WPA2 WiFi security protocol. It’s not actually that protocol which is the culprit, but an in-built feature called Wi-Fi [...]

    Pingback by A chink in the armor of WPA/WPA2 WiFi security | Orange Claymore Red Slime — December 29, 2011 @ 10:52 pm | Reply

  47. [...] digits and the router would report back if the submitted combination was the first half of the PIN, Viehböck found. The last digit of the PIN appears to be just a checksum, which means the attacker only has to [...]

    Pingback by Flaw Makes WiFi Network Security Vulnerable to Brute-Force Attacks: US-CERT | RobertJGraham.com — December 29, 2011 @ 11:51 pm | Reply

  48. Continuous output of

    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request

    and I need to “see” a client associated with the AP before it will work. So it’s not just the AP that needs to be in range?

    cheers

    Comment by sandy — December 30, 2011 @ 12:05 am | Reply

  49. [...] be quite as secure as you thought it was. A paper recently published by [Stefan Viehböc] details a security flaw in the supposedly robust WPA/WPA2 WiFi security protocol. It’s not actually that protocol which is the culprit, but an in-built feature called Wi-Fi [...]

    Pingback by A chink in the armor of WPA/WPA2 WiFi security « Vijai's Blog — December 30, 2011 @ 12:05 am | Reply

  50. [...] hole big enough to drive a network through WPS. According to Viehböck, he took a look at WPS and found “a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the [...]

    Pingback by Episode 555 – Subpoena Leak, Don’t Fear The Reaver, Stuxnet Cousins, Trion, MS11-100 & Karthik’s Top 5 | InfoSec Daily — December 30, 2011 @ 1:56 am | Reply

  51. [...] be quite as secure as you thought it was. A paper recently published by [Stefan Viehböc] details a security flaw in the supposedly robust WPA/WPA2 WiFi security protocol. It’s not actually that protocol which is the culprit, but an in-built feature called Wi-Fi [...]

    Pingback by A chink in the armor of WPA/WPA2 WiFi security | CisforComputers — December 30, 2011 @ 5:01 am | Reply

  52. [...] a paper on Boxing Day titled “Brute forcing Wi-Fi Protected Setup” to his WordPress blog disclosing a weakness in the configuration of most consumer/SoHo Wi-Fi [...]

    Pingback by Do YOU have a Wireless router? Well it only takes a minute to hack it even with security safeguards… Here’s How! « The 1000yr Old Man — December 30, 2011 @ 5:09 am | Reply

  53. [...] WiFi Protected Setup (WPS) has a security hole that makes brute-force attacks considerably easier. This could affect millions of households, [...]

    Pingback by Sicherheitslücke bei WLAN-Routern durch WPS | News, Tipps und Tricks von DMI — December 30, 2011 @ 5:49 am | Reply

  54. [...] serious security hole has emerged in the WiFi Protected Setup (WPS) protocol, through which brute-force attacks quite [...]

    Pingback by WiFi Protected Setup (WPS) in WLAN-Routern mit Sicherheitslücke — December 30, 2011 @ 6:25 am | Reply

  55. [...] Viehböck has demonstrated the vulnerability of Wi-Fi Protected Setup (WPS): it is a certification program that provides for [...]

    Pingback by Attenzione, è facile ottenere la passphrase di Wi–Fi Protected Setup | PowerBlog.it — December 30, 2011 @ 7:01 am | Reply

  56. [...] vulnerability in a large number of routers, but Viehböck has not been left behind and has also published his proof of concept in Python, called WPSCrack, to exploit this vulnerability, which he claims is faster than Reaver, although it does not have [...]

    Pingback by WPS (Wi-Fi Protected Setup) y por que prefiero las redes cableadas — December 30, 2011 @ 7:24 am | Reply

  57. [...] be quite as secure as you thought it was. A paper recently published by [Stefan Viehböc] details a security flaw in the supposedly robust WPA/WPA2 WiFi security protocol. It’s not actually that protocol which is the culprit, but an in-built feature called Wi-Fi [...]

    Pingback by A chink in the armor of WPA/WPA2 WiFi security | Tech and Linux — December 30, 2011 @ 8:20 am | Reply

  58. Hi i get some errors:..
    Also, if airmon-ng is used to put the interface into promiscuous mode, is it necessary to specify iwconfig CHANNEL?

    ./wpscrack.py --iface mon0 --client 00:1F:C6:CD:ED:88 --bssid D8:5D:4C:A9:A4:0C --ssid Hosko222 -v
    WARNING: No route found for IPv6 destination :: (no default route?)
    sniffer started
    Exception in thread Thread-1:
    Traceback (most recent call last):
      File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
        self.run()
      File "/usr/lib/python2.6/threading.py", line 484, in run
        self.__target(*self.__args, **self.__kwargs)
      File "./wpscrack.py", line 516, in sniffer
        sniff(store=0, stop_filter=lambda x: self.sniffer_filter(x))
      File "/usr/local/lib/python2.6/dist-packages/scapy/sendrecv.py", line 550, in sniff
        s = L2socket(type=ETH_P_ALL, *arg, **karg)
    TypeError: __init__() got an unexpected keyword argument 'stop_filter'

    ——————- attempt #1
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    TIMEOUT!!
    -> 802.11 deauthentication
    attempt took 5.230 seconds
    ——————- attempt #2
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request

    Comment by ianchov — December 30, 2011 @ 9:55 am | Reply

    • Did you ever find a solution?

      Comment by Trance — January 1, 2012 @ 8:46 pm | Reply

  59. Same problem here as at: Q43, Q44, Q48, Q58.

    Comment by Strafeb — December 30, 2011 @ 11:50 am | Reply

    • I’m having the same issue with Q58

      Comment by Trance — January 1, 2012 @ 8:45 pm | Reply

  60. Great work and easy to understand paper. What about (in Germany wide spread) routers from AVM (Fritz!Box). Did anyone check them?

    Comment by Matthias — December 30, 2011 @ 12:01 pm | Reply

  61. For all those that are stuck at the timeout, I noticed this, line 481:
    if x.haslayer(Dot11) and x[Dot11].addr1 == self.client_mac and x[Dot11].addr3 == self.bssid:
    Basically that checks if the incoming packet is for us, but it does a strict case sensitive match (incoming is in lower chars)

    So just use lower case MAC id’s.

    Comment by vlad — December 30, 2011 @ 12:08 pm | Reply

    • Or just modify lines 607 and 608 to:
      wps.client_mac = options.client_mac.lower()
      wps.bssid = options.bssid.lower()

      Comment by vlad — December 30, 2011 @ 12:39 pm | Reply

    • That doesn’t help... at least on me… Q58

      Comment by ianchov — December 30, 2011 @ 12:40 pm | Reply

      • Thank you for pointing that out Vlad! Does the tool work for you otherwise?

        Comment by Stefan — December 30, 2011 @ 12:42 pm

      • @ianchov you have to install a new version of Scapy (2.2.0)!

        Comment by Stefan — December 30, 2011 @ 12:51 pm

      • Great!

        Thanks Stefan.

        Scapy latest seems to fix both issues :)

        Thanks

        Comment by ianchov — December 30, 2011 @ 1:11 pm

    • Stefan: it’s crashing my test router, a d-link DIR-635. Literally crashing it and self-rebooting every 10 or so attempts, but it does seem to work (it found the first half of the pin; instructed it using -p to a close value)
      Other routers that I have tested are a bit far away for real-time testing, stuck at M4 usually.

      Great tool btw!

      Comment by vlad — December 30, 2011 @ 12:51 pm | Reply

      • Nice to hear that! Unfortunately WPS implementations are not as stable as they should be, you could try to add a sleep(1) or so between each attempt.

        Comment by Stefan — December 30, 2011 @ 12:55 pm

  62. Sorry if this is a noob question but the client has to be a client currently associated with the target AP? Yes?

    cheers

    sandy

    Comment by sandy — December 30, 2011 @ 1:18 pm | Reply

  63. As i see through the list i see only:
    WARNING: No route found for IPv6 destination :: (no default route?)
    sniffer started
    ——————- attempt #1
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    802.11 association request
    TIMEOUT!!
    -> 802.11 deauthentication
    attempt took 5.073 seconds
    ——————- attempt #2
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    TIMEOUT!!
    -> 802.11 deauthentication
    attempt took 5.089 seconds
    ——————- attempt #3
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    TIMEOUT!!
    -> 802.11 deauthentication
    attempt took 5.079 seconds
    ——————- attempt #4
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    <- 802.11 authentication resp

    Also it seems i cannot stop the process until i kill it….

    Comment by ianchov — December 30, 2011 @ 1:19 pm | Reply

    • Have the same problem as you. Can’t locate the source of the problem though. Have you or anyone else found what the problem might be?

      Comment by omni — December 31, 2011 @ 3:38 pm | Reply

      • Only use lowercase MACs. -> @61

        Comment by Stefan — January 2, 2012 @ 12:37 am

    • I got similar result with all routers/APs that I tried. I’m using PCI card with Ralink 2560 chipset, which works fine with the aircrack-ng tools (with the --ignore-negative-one option) under live Ubuntu 11.04.

      Comment by abcdef — December 31, 2011 @ 5:11 pm | Reply

      • have the same with ralink usb device: Ralink Technology, Corp. RT2501/RT2573 Wireless Adapter

        Comment by bla blub — January 2, 2012 @ 12:27 pm

  64. [...] of the tools comes from security researcher Stefan Viehbock, who publicly released information [...]

    Pingback by Two New Tools Exploit Router Security Setup Problem | diBalikCelana.web.id — December 30, 2011 @ 1:37 pm | Reply

  65. [...] Austrian computer science student Stefan Viehböck discovered the security hole – according to Viehböck, among others devices from the manufacturers Cisco/Linksys, Netgear, D-Link, [...]

    Pingback by Warnung: Sicherheitslücke in fast allen WLAN Routern - Computerhilfen.de — December 30, 2011 @ 2:22 pm | Reply

  66. [...] make your network secure and so its concerning to discover in fact that WPS comes with some flaws.The vulnerabilities identified by security researcher Stefan Viehbock affect a large number of WPS-enabled routers and [...]

    Pingback by Wi-Fi Protection Setup Vulnerability Revealed | T3kd.com — December 30, 2011 @ 2:28 pm | Reply

  67. [...] of the tools comes from security researcher Stefan Viehbock, who publicly released information this week on the [...]

    Pingback by Two New Tools Exploit Router Security Setup Problem | Datacentre Management . org — December 30, 2011 @ 2:34 pm | Reply

  68. [...] security hole through which the Wi-Fi password can be spied out, warns computer science student Stefan Viehböck. With the open-source program “Reaver” the hole can now easily be exploited, [...]

    Pingback by Bin-ich-sicher.de | Aktuelle Sicherheits- und Viren-Meldungen » Blog Archive » WPS Sicherheitslücke in zahlreichen WLAN Routern — December 30, 2011 @ 3:09 pm | Reply

  69. [...] paper on Boxing Day titled “Brute forcing Wi-Fi Protected Setup” to his WordPress blog disclosing a weakness in the configuration of most consumer/SoHo Wi-Fi [...]

    Pingback by Most Wi-Fi routers susceptible to hacking through security feature | Cyber Crimes Unit — December 30, 2011 @ 3:43 pm | Reply

  70. [...] researcher Stefan Viehböck describes on his blog that the WPS (Wi-Fi Protected Setup) mechanism with PIN is susceptible to successful attacks by force [...]

    Pingback by Vulnerabilidad en redes Wi-Fi, al usar el estándar WPS (Wi-Fi Protected Setup) « Seguridad PCs — December 30, 2011 @ 3:52 pm | Reply

  71. [...] of the tools comes from security researcher Stefan Viehbock, who publicly released information this week on the [...]

    Pingback by Two new tools exploit router security setup problem | LocatePC | Locate your stolen computer or stolen laptop - Works for both Mac and PC — December 30, 2011 @ 4:19 pm | Reply

  72. [...] a little late with this news but I’m on vacation, what can you really ask from me? Anyways a brute force vulnerability was discovered in Wi-Fi Protect Setup (WPA): A few weeks ago I decided to take a look at the Wi-Fi Protected Setup (WPS) technology. I noticed [...]

    Pingback by Vulnerability Found in Wi-Fi Protected Setup at A Geek With Guns — December 30, 2011 @ 4:30 pm | Reply

  73. [...] reported a disadvantage to a U.S. Computer Emergency Readiness Team, expelled a apparatus that can crack a home Wi-Fi network in dual hours. And Craig Heffner of Tactical Network Solutions, who had been operative exclusively on reckoning [...]

    Pingback by Tools published that exploit router flaw - TECHNOLOGY GADGETS – TECHNOLOGY GADGETS — December 30, 2011 @ 4:59 pm | Reply

  74. [...] paper on Boxing Day titled “Brute forcing Wi-Fi Protected Setup” to his WordPress blog disclosing a weakness in the configuration of most consumer/SoHo Wi-Fi [...]

    Pingback by Most Wi-Fi routers susceptible to hacking through security feature | Naked Security — December 30, 2011 @ 5:23 pm | Reply

  75. [...] of the tools comes from security researcher Stefan Viehbock, who publicly released information this week on the [...]

    Pingback by Two New Tools Exploit Router Security Setup Problem | djwakkk.com — December 30, 2011 @ 5:27 pm | Reply

  76. [...] reported the vulnerability to the U.S. Computer Emergency Readiness Team, released a tool that can crack a home Wi-Fi network in two hours. And Craig Heffner of Tactical Network Solutions, who had been working independently on figuring [...]

    Pingback by Tools published that exploit router flaw | SecurityDeal.com — December 30, 2011 @ 5:36 pm | Reply

  77. [...] reported the vulnerability to the U.S. Computer Emergency Readiness Team, released a tool that can crack a home Wi-Fi network in two hours. And Craig Heffner of Tactical Network Solutions, who had been working independently on figuring [...]

    Pingback by Tools published that exploit router flaw » 99dzh — December 30, 2011 @ 6:01 pm | Reply

  78. Thanks for reporting this. A quick web-search found a basic overview of this vulnerability in 2009 (http://slidingconstant.net/entry/166) but without the technical details and proof-of-concept.

    Comment by Thomas Gronke — December 30, 2011 @ 6:06 pm | Reply

  79. [...] reported the vulnerability to the U.S. Computer Emergency Readiness Team, released a tool that can crack a home Wi-Fi network in two hours. And Craig Heffner of Tactical Network Solutions, who had been working independently on figuring [...]

    Pingback by Tools published that exploit router flaw — December 30, 2011 @ 6:26 pm | Reply

  80. [...] reported the vulnerability to the U.S. Computer Emergency Readiness Team, released a tool that can crack a home Wi-Fi network in two hours. And Craig Heffner of Tactical Network Solutions, who had been working independently on figuring [...]

    Pingback by Tools published that exploit router flaw | Custom Software Solutions (Antigua)-Digital World — December 30, 2011 @ 6:52 pm | Reply

  81. [...] reported the vulnerability to the U.S. Computer Emergency Readiness Team, released a tool that can crack a home Wi-Fi network in two hours. And Craig Heffner of Tactical Network Solutions, who had been working independently on figuring [...]

    Pingback by Tools published that exploit router flaw | Partners In Sublime — December 30, 2011 @ 7:37 pm | Reply

  82. [...] researcher Stefan Viehböck published an article detailing a flaw in the Wi-Fi Protected Setup (WPS) security protocol. WPS allows simplified configuration of the wireless network: just press a button on the router or [...]

    Pingback by Pesquisadores demonstram falha em segurança de rede sem fio WPS | Agência pre7 — December 30, 2011 @ 7:40 pm | Reply

  83. [...] 4 digits and a router would news behind if a submitted multiple was a initial half of a PIN, Viehböck found. The final series of a PIN appears to be usually a checksum, that means a assailant usually has to [...]

    Pingback by Security Flaw Makes WiFi Network Vulnerable To Brute-Force Attacks | Datacentre Management . org — December 30, 2011 @ 8:35 pm | Reply

  84. [...] of a tools comes from confidence researcher Stefan Viehbock, who publicly expelled information this week on a [...]

    Pingback by Two new tools exploit router security setup problem | Datacentre Management . org — December 30, 2011 @ 8:35 pm | Reply

  85. [...] reported the vulnerability to the U.S. Computer Emergency Readiness Team, released a tool that can crack a home Wi-Fi network in two hours. And Craig Heffner of Tactical Network Solutions, who had been working independently on figuring [...]

    Pingback by My Story, Tools published that exploit router flaw | Vote My Story — December 30, 2011 @ 8:45 pm | Reply

  86. [...] Netgear, Belkin, D-Link and Buffalo are some of the manufacturers implicated on this occasion. [...]

    Pingback by Il ne fait pas bon crypter son routeur Wi-Fi en WPS | Gadgets Etonnants — December 30, 2011 @ 9:34 pm | Reply

  87. [...] reported the vulnerability to the U.S. Computer Emergency Readiness Team, released a tool that can crack a home Wi-Fi network in two hours. And Craig Heffner of Tactical Network Solutions, who had been working independently on figuring [...]

    Pingback by Drošības Eksperti — December 30, 2011 @ 9:40 pm | Reply

  88. [...] vulnerability was discovered independently of each other by Stefan Viehböck (detailed report as PDF) and Craig Heffner, and by Viehböck to the United States [...]

    Pingback by WPS-Designfehler macht WLAN-Router angreifbar | Der News Blog von Steve — December 30, 2011 @ 9:42 pm | Reply

  89. [...] reported the vulnerability to the U.S. Computer Emergency Readiness Team, released a tool that can crack a home Wi-Fi network in two hours. And Craig Heffner of Tactical Network Solutions, who had been working independently on figuring [...]

    Pingback by Tools published that exploit router flaw | Brian's Blog Site — December 30, 2011 @ 11:17 pm | Reply

  90. [...] of the tools comes from security researcher Stefan Viehbock, who publicly released information this week on the [...]

    Pingback by Two New Tools Exploit Router Security Setup Problem — December 30, 2011 @ 11:39 pm | Reply

  91. [...] of the tools comes from security researcher Stefan Viehbock, who publicly released information this week on the [...]

    Pingback by SecRelm » Two new tools exploit router security setup problem — December 31, 2011 @ 12:51 am | Reply

  92. [...] [...]

    Pingback by WiFi Protected Setup attack code posted — December 31, 2011 @ 2:19 am | Reply

  93. [...] Viehböck has demonstrated the vulnerability of Wi-Fi Protected Setup (WPS): it is a certification program that provides for [...]

    Pingback by Attenzione, è facile ottenere la passphrase di Wi–Fi Protected Setup | Khriss.com — December 31, 2011 @ 3:21 am | Reply

  94. [...] Viehböck discovered that the design of this protocol makes it susceptible to a particular form of brute-force attack.  [...]

    Pingback by Hacking WiFi Routers « Rich's Random Walks — December 31, 2011 @ 3:47 am | Reply

  95. [...] vulnerability in a large number of routers, but Viehböck has not been left behind and has also published his proof of concept in Python, called WPSCrack, to exploit this vulnerability, which he claims is faster than Reaver, although it does not have [...]

    Pingback by Mi Vida en Poemas – WPS (Wi-Fi Protected Setup) y por que prefiero las redes cableadas — December 31, 2011 @ 4:07 am | Reply

  96. [...] The researcher Stefan Viehböck published an article detailing a flaw in the Wi-Fi Protected Setup (WPS) security protocol. WPS allows simplified configuration of the wireless network: just press a button on the router or [...]

    Pingback by Pesquisadores demonstram falha em segurança de rede sem fio WPS | Portal de Morro Agudo — December 31, 2011 @ 4:58 am | Reply

  97. [...] in millions of Wi-Fi routers” Golem reports on the findings of the student Stefan Viehböck. The system’s PIN can be defeated via a brute-force attack [...]

    Pingback by Neue “bequeme” Lücke in WLAN-Technik | Oberlehrer — December 31, 2011 @ 5:55 am | Reply

  98. [...] reported the vulnerability to the U.S. Computer Emergency Readiness Team, released a tool that can crack a home Wi-Fi network in two hours. And Craig Heffner of Tactical Network Solutions, who had been working independently on figuring [...]

    Pingback by Tools published that exploit router flaw | TechShri — December 31, 2011 @ 7:09 am | Reply

  99. [...] researcher Stefan Viehböck published an article detailing a flaw in the Wi-Fi Protected Setup (WPS) security protocol. WPS allows simplified configuration of the wireless network: just press a button on the router or [...]

    Pingback by Pesquisadores demonstram falha em segurança de rede sem fio WPS | — December 31, 2011 @ 11:46 am | Reply

  100. Same problem…. THX Nice Information…

    Comment by Rechner — December 31, 2011 @ 11:52 am | Reply

  101. [...] read technical details of the vulnerability here and download the application that allows exploiting this [...]

    Pingback by Fallo de seguridad en WPS permite acceder a redes Wireless sin autorización | SegelSoft — December 31, 2011 @ 12:03 pm | Reply

  102. [...] researcher Stefan Viehböck published an article detailing a flaw in the Wi-Fi Protected Setup (WPS) security protocol. WPS allows simplified configuration of the wireless network: just press a button on the router or [...]

    Pingback by Pesquisadores demonstram falha em segurança de rede sem fio WPS — December 31, 2011 @ 12:52 pm | Reply

  103. [...] earlier in December, various router manufacturers confirmed being vulnerable to attack. Viehbock wrote in his blog!: that no relevant vendors have released fixes for their [...]

    Pingback by Fejl i WIFI sikkerhedsstandarden WPS « Blogs & News « IP-Support Hjælp til IT hjælp til PC Computer hjælp til Tv hjælp til mobil — December 31, 2011 @ 3:41 pm | Reply

  104. [...] earlier in December, various router manufacturers confirmed being vulnerable to attack. Viehbock wrote in his blog!: that no relevant vendors have released fixes for their [...]

    Pingback by Fejl i WIFI sikkerhedsstandarden WPS | IPadvisor.dk — December 31, 2011 @ 3:44 pm | Reply

  105. [...] earlier in December, various router manufacturers confirmed being vulnerable to attack. Viehbock wrote in his blog!: that no relevant vendors have released fixes for their [...]

    Pingback by Fejl i WIFI sikkerhedsstandarden WPS | Mobile Advisor — December 31, 2011 @ 3:46 pm | Reply

  106. [...] of the tools comes from security researcher Stefan Viehbock, who publicly released information this week on the [...]

    Pingback by Two new tools exploit router security setup problem : QualTech Software — December 31, 2011 @ 9:48 pm | Reply

  107. [...] .braindump – RE and stuff [...]

    Pingback by top 100 blog | Lesvosnews.net — January 1, 2012 @ 7:52 am | Reply

  108. [...] It is also recommended to have a hardware firewall; it is not expensive if your security is priceless, and you can get the WPSCrack program here. [...]

    Pingback by Hackear WiFi en redes WPS – no WEP, WPA y WPA2 - : Noticias2D — January 1, 2012 @ 10:23 am | Reply

  109. [...] It is also recommended to have a hardware firewall; it is not expensive if your security is priceless, and you can get the WPSCrack program here. [...]

    Pingback by Hackear WiFi en redes WPS – no WEP, WPA y WPA2 - - Sopaipleto » Sopaipleto — January 1, 2012 @ 10:46 am | Reply

  110. Great stuff

    Comment by Jerry Keogh — January 1, 2012 @ 2:41 pm | Reply

  111. [...] researcher Stefan Viehböck published an article detailing a flaw in the Wi-Fi Protected Setup (WPS) security protocol. WPS allows simplified configuration of the wireless network: just press a button on the router or [...]

    Pingback by Pesquisadores demonstram falha em segurança de rede sem fio WPS « FTECH MANAGEMENT — January 1, 2012 @ 4:30 pm | Reply

  112. Is there any way to scan a router to see whether the PIN feature is enabled or not?

    Comment by SIFE — January 1, 2012 @ 8:06 pm | Reply

    • Yeah, the guys from reaver made walsh that is supposed to do just that. It is unable to detect my AP (Netgear WNDR 3400) though.

      Comment by stefan lenz — January 11, 2012 @ 5:01 pm | Reply
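
An added example for the question in comment 112 (not part of the original thread, and not code from Reaver or walsh): an access point advertises WPS in a vendor-specific information element of its beacons, so the tagged parameters of a beacon captured from your own AP show whether WPS is on and whether the AP reports itself as setup-locked. The sample frames and helper names below are constructed for illustration.

```python
import struct

# Vendor-specific IE (element ID 221) carrying WPS: OUI 00:50:F2, OUI type 4.
VENDOR_IE = 221
WPS_OUI_TYPE = bytes.fromhex("0050f204")

# WPS attributes are TLVs: 16-bit type, 16-bit length (both big-endian), value.
ATTR_SELECTED_REGISTRAR = 0x1041
ATTR_WPS_STATE = 0x1044
ATTR_VERSION = 0x104A
ATTR_AP_SETUP_LOCKED = 0x1057

WPS_STATES = {1: "not configured", 2: "configured"}


def iter_ies(tagged):
    """Yield (element_id, payload) pairs from 802.11 tagged parameters."""
    pos = 0
    while pos < len(tagged):
        if pos + 2 > len(tagged):
            raise ValueError("truncated information element header")
        eid, length = tagged[pos], tagged[pos + 1]
        end = pos + 2 + length
        if end > len(tagged):
            raise ValueError("information element overruns frame")
        yield eid, tagged[pos + 2:end]
        pos = end


def parse_wps_attrs(body):
    """Parse the TLV attributes that follow the 4-byte OUI/type prefix."""
    attrs = {}
    pos = 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated WPS attribute header")
        atype, alen = struct.unpack_from(">HH", body, pos)
        end = pos + 4 + alen
        if end > len(body):
            raise ValueError("WPS attribute overruns element")
        attrs[atype] = body[pos + 4:end]
        pos = end
    return attrs


def _flag(attrs, atype):
    """A one-byte boolean attribute; absent or empty counts as False."""
    value = attrs.get(atype)
    return bool(value) and value[0] != 0


def wps_status(tagged):
    """Return a summary dict for the first WPS IE, or None if there is none."""
    for eid, payload in iter_ies(tagged):
        if eid != VENDOR_IE or payload[:4] != WPS_OUI_TYPE:
            continue  # other vendor IEs (e.g. WMM, OUI type 2) are skipped
        attrs = parse_wps_attrs(payload[4:])
        version = attrs.get(ATTR_VERSION)
        state = attrs.get(ATTR_WPS_STATE)
        return {
            "version": "%d.%d" % (version[0] >> 4, version[0] & 0x0F) if version else None,
            "state": WPS_STATES.get(state[0], "unknown") if state else "unknown",
            "ap_setup_locked": _flag(attrs, ATTR_AP_SETUP_LOCKED),
            "selected_registrar": _flag(attrs, ATTR_SELECTED_REGISTRAR),
        }
    return None


# --- Constructed sample data (not captured from a real device) ---
def _ie(eid, payload):
    return bytes([eid, len(payload)]) + payload


def _attr(atype, value):
    return struct.pack(">HH", atype, len(value)) + value


# SSID "testap", channel 6, and a shortened WMM vendor IE that must be ignored.
_COMMON = _ie(0, b"testap") + _ie(3, b"\x06") + _ie(VENDOR_IE, bytes.fromhex("0050f2020101"))
_WPS_BASE = WPS_OUI_TYPE + _attr(ATTR_VERSION, b"\x10") + _attr(ATTR_WPS_STATE, b"\x02")

SAMPLE_NO_WPS = _COMMON
SAMPLE_ENABLED = _COMMON + _ie(VENDOR_IE, _WPS_BASE)
SAMPLE_LOCKED = _COMMON + _ie(VENDOR_IE, _WPS_BASE + _attr(ATTR_AP_SETUP_LOCKED, b"\x01"))

if __name__ == "__main__":
    for name, frame in (("no WPS IE", SAMPLE_NO_WPS),
                        ("WPS enabled", SAMPLE_ENABLED),
                        ("WPS locked", SAMPLE_LOCKED)):
        print(name, "->", wps_status(frame))
```

A result of None only means this beacon carried no WPS element; it is not proof that the PIN method is disabled on the device.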

  113. [...] researcher Stefan Viehböck published an article detailing a flaw in the Wi-Fi Protected Setup (WPS) security protocol. WPS allows simplified configuration of the wireless network: just press a button on the router or [...]

    Pingback by Pesquisadores demonstram falha em segurança de rede sem fio WPS « fabiano florentino — January 1, 2012 @ 11:11 pm | Reply

  114. This is the error I’m getting when running the python file.
    I’m running the latest kubuntu updates. I know I can put my card into monitor mode because I was able to run “Reaver” without a problem.

    ./wpscrack.py --iface mon0 --client 99:0c:6d:99:00:00 --bssid 23:60:77:6c:23:0f --ssid mytestap -v
    WARNING: No route found for IPv6 destination :: (no default route?)
    sniffer started
    Exception in thread Thread-1:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/threading.py", line 552, in __bootstrap_inner
        self.run()
      File "/usr/lib/python2.7/threading.py", line 505, in run
        self.__target(*self.__args, **self.__kwargs)
      File "./wpscrack.py", line 516, in sniffer
        sniff(store=0, stop_filter=lambda x: self.sniffer_filter(x))
      File "/usr/lib/pymodules/python2.7/scapy/sendrecv.py", line 550, in sniff
        s = L2socket(type=ETH_P_ALL, *arg, **karg)
    TypeError: __init__() got an unexpected keyword argument 'stop_filter'

    ——————- attempt #1
    Trying 00000000
    -> 802.11 deauthentication
    Traceback (most recent call last):
      File "./wpscrack.py", line 621, in <module>
        main()
      File "./wpscrack.py", line 615, in main
        wps.run()
      File "./wpscrack.py", line 187, in run
        self.send_deauth()
      File "./wpscrack.py", line 552, in send_deauth
        sendp(deauth, verbose=0)
      File "/usr/lib/pymodules/python2.7/scapy/sendrecv.py", line 255, in sendp
        __gen_send(conf.L2socket(iface=iface, *args, **kargs), x, inter=inter, loop=loop, count=count, verbose=verbose, realtime=realtime)
      File "/usr/lib/pymodules/python2.7/scapy/arch/linux.py", line 403, in __init__
        self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type))
      File "/usr/lib/python2.7/socket.py", line 187, in __init__
        _sock = _realsocket(family, type, proto)
    socket.error: [Errno 1] Operation not permitted

    Comment by Trance — January 2, 2012 @ 12:33 am | Reply

    • Update to Scapy 2.2.0.

      Comment by Stefan — January 2, 2012 @ 12:35 am | Reply

      • Perfect!! Thanks, they did the trick once I un-installed the older version of SCAPY.

        Comment by Trance — January 2, 2012 @ 1:15 am

  115. [...] problem is made worse because, as Stefan Viehböck has discovered, the access point responds with EAP-NACK after just the first four digits of the PIN are sent, [...]

    Pingback by Vulnerabilidad en WPS permite ataques de fuerza bruta en la mayoría de routers WiFi | — January 2, 2012 @ 1:07 am | Reply

  116. A year’s end with vulnerabilities – on the web, in Java and in WPS…

    In the last two weeks of 2011, several more vulnerabilities were published. I will comment on only three of them here: the DoS vulnerability in common scripting languages and platforms for web applications, which…

    Trackback by Dipl.-Inform. Carsten Eilers — January 2, 2012 @ 8:43 am | Reply

  117. [...] researcher Stefan Viehböck published an article detailing a flaw in the Wi-Fi Protected Setup (WPS) security protocol. WPS allows simplified configuration of the wireless network: just press a button on the router or [...]

    Pingback by Pesquisadores demonstram falha em segurança de rede sem fio WPS « Canal Engenharia RMC — January 2, 2012 @ 10:54 am | Reply

  118. [...]-affecting vulnerability has been made public. The method was described by Stefan Viehböck on his blog and in a detailed document. According to the researcher, the vulnerability in the widely [...]

    Pingback by Könnyen hekkelhetők az újabb routerek | magyarinfo.co.ukmagyarinfo.co.uk — January 2, 2012 @ 11:24 am | Reply

  119. [...] Viehböck published the exploit on his blog, and makes available documentation in the format [...]

    Pingback by [NEWS] Cracker une clef WPA en moins de 10 heures | Blog de Quentin — January 2, 2012 @ 3:54 pm | Reply

  120. for me it is not working with this error:

    ——————- attempt #31
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    802.11 association request
    EAPOL start
    EAP response identity
    M2
    802.11 deauthentication
    attempt took 0.755 seconds

    Comment by fanz — January 2, 2012 @ 4:11 pm | Reply

  121. ——————- attempt #13
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    802.11 association request
    EAPOL start
    EAP response identity
    M2
    802.11 deauthentication
    attempt took 1.108 seconds

    Comment by mechthild — January 2, 2012 @ 4:12 pm | Reply

  122. [...] Viehbock, who was the first to report the flaw to the U.S. Computer Emergency Readiness Team (CERT), published the tool which he claims can break the protection of a WiFi network in two hours. The second tool [...]

    Pingback by Veglat për thyerjen e WPS-së — January 2, 2012 @ 4:58 pm | Reply

  123. [...] Viehbock, who was the first to report the flaw to the U.S. Computer Emergency Readiness Team (CERT), published the tool which he claims can break the protection of a WiFi network in two hours. The second tool [...]

    Pingback by Veglat për thyerjen e WPS-së | Shtimja-Portal — January 2, 2012 @ 5:39 pm | Reply

  124. [...] Stefan Viehböck, a student, discovered on his blog at the end of September a hole in today’s common Wi-Fi routers. Here (PDF file) he describes it in detail. It makes it possible to find out the router’s WPA key via the so-called Wi-Fi Protected Setup (WPS). Owing to a weakness in the routers’ procedure, 11000 attempts suffice. WPS is used to simplify the router’s Wi-Fi setup. Manually entering keys and passwords is no longer needed. [...]

    Pingback by Massive WLAN-Sicherheitslücke « Willlys' Blog — January 2, 2012 @ 5:51 pm | Reply

  125. [...] Stefan Viehböck, a student, discovered on his blog at the end of December a hole in today’s common Wi-Fi routers. Here (PDF file) he describes it in detail. It makes it possible to find out the router’s WPA key via the so-called Wi-Fi Protected Setup (WPS). Owing to a weakness in the routers’ procedure, 11000 attempts suffice. WPS is used to simplify the router’s Wi-Fi setup. Manually entering keys and passwords is no longer needed. [...]

    Pingback by Massive WLAN-Sicherheitslücke « Willlys' Blog — January 2, 2012 @ 5:53 pm | Reply

  126. Hi! Thanks for the tool. I tried it and it doesn’t work, logs are below. As for my config, I’m using the default version of Backtrack 5 R1 with an Intel 5100 card inside a laptop. The driver might be iwlagn but I wouldn’t quote me on that, I’m yet to check in BT 5. OS is running from Live USB.
    Finally, I *think* I installed Scapy 2.2.0 properly; only thing I installed. I’m not used to Ubuntu/Backtrack so here’s what I did and you decide if it’s valid: I downloaded the .zip file using Windows, then copied it onto Backtrack’s desktop after a reboot to switch OS, then double clicked the .zip which seemed to do the install automagically. (and indeed I see Scapy files in usr/local/somedirectories, though I couldn’t check if it’s really v2.2.0)

    BSSID is on channel 6 and WPS is enabled with PIN set to 00010009, although this AP might be immune to external PIN connection. Commands:
    airmon-ng start wlan0
    airodump-ng --channel 6 mon0
    ./wpscrack.py --iface mon0 --client 00:99:88:77:66:55 --bssid 11:22:33:44:55:66 --ssid SomeSSID -v

    Logs:
    WARNING: No route found for IPv6 destination :: (no default route?)
    sniffer started
    Exception in thread Thread-1:
    Traceback (most recent call last):
      File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
        self.run()
      File "/usr/lib/python2.6/threading.py", line 484, in run
        self.__target(*self.__args, **self.__kwargs)
      File "./wpscrack.py", line 516, in sniffer
        sniff(store=0, stop_filter=lambda x: self.sniffer_filter(x))
      File "/usr/local/lib/python2.6/dist-packages/scapy/sendrecv.py", line 550, in sniff
        s = L2socket(type=ETH_P_ALL, *arg, **karg)
    TypeError: __init__() got an unexpected keyword argument 'stop_filter'

    ——————- attempt #1
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    TIMEOUT!!
    -> 802.11 deauthentication
    attempt took 5.091 seconds

    —Same thing for all other attempts, including PIN number 00000000

    Comment by Joe — January 2, 2012 @ 7:03 pm | Reply

  127. [...] original article detailing the weakness was blogged here. This entry was posted in Security by Peter. Bookmark the [...]

    Pingback by Wireless Router Security Threat | Calculations in Code — January 2, 2012 @ 7:09 pm | Reply

  128. I have one odd problem, I have TL-WR741N / TL-WR741ND router and using AWUS036NH in mon mode and during the process I got this message


    EAPOL start
    EAP request identity
    EAP response identity
    M1
    M2
    WSC_NACK
    got NACK before M4 – something is wrong

    Comment by Java — January 2, 2012 @ 8:44 pm | Reply

    • Same problem like in Q128… I’m also using AWUS036NH with BT5R1 in VM – any suggestions???

      Comment by ernie — January 5, 2012 @ 7:25 pm | Reply

  129. Well it seems it is not working for me. I am using Ralink 2573. Constantly I see:

    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    802.11 association request
    TIMEOUT!!

    Comment by seckss — January 2, 2012 @ 9:31 pm | Reply

  130. [...] Viehbock, who was the first to report the flaw to the U.S. Computer Emergency Readiness Team (CERT), has released a tool which he claims can break the protection of a Wi-Fi network in two hours. The second tool was released by Craig [...]

    Pingback by Alati za probijanje WPS-a - Vrilo - Sve vijesti na jednom mjestu — January 2, 2012 @ 10:05 pm | Reply

  131. [...] [...]

    Pingback by Anonymous — January 2, 2012 @ 10:46 pm | Reply

  132. [...] published on his website a free tool with which, he claims, his research and findings can be reproduced [...]

    Pingback by Descubren vulnerabilidad en Routers Wi-Fi | bSecure — January 3, 2012 @ 12:17 am | Reply

  133. [...] of the tools comes from security researcher Stefan Viehbock, who publicly released information this week on the [...]

    Pingback by Two new tools exploit router security setup problem » G.E. Investigations Blog — January 3, 2012 @ 12:51 am | Reply

  134. [...] – Security researcher Stefan Viehböck has revealed a design and implementation flaw in Wi-Fi Protected Setup (WPS) that makes Wi-Fi networks [...]

    Pingback by Wi-Fi Protected Setup Vulnerable to Brute Force Attack | LIVE HACKING — January 3, 2012 @ 9:12 am | Reply

  135. [...] Viehbock, who was the first to report the flaw to the U.S. Computer Emergency Readiness Team (CERT), has released a tool which he claims can break the protection of a Wi-Fi network in two [...]

    Pingback by Alati za probijanje WPS-a | Aleksandar Bjelošević — January 3, 2012 @ 11:58 am | Reply

  136. [...] of security Stefan Viehbock has targeted the Wi-Fi Protected Setup system, discovering a potentially very dangerous flaw: the technology designed to make access to networks easier [...]

    Pingback by WiFi, sicurezza a rischio | Rossipaolo.net - informazione - computer - siti web — January 3, 2012 @ 12:42 pm | Reply

  137. Hi,
    I was trying your “wpscrack” on a TP-Link router, but got this error, it didn’t work (but with “Reaver” it works and I can get both PIN and WPA passkey)!!!

    So what do you think is wrong?

    I’m using Backtrack 5 and Alfa network RT8187 USB Wi-Fi adapter.
    I installed scapy, python, pycrypto,…. as well!

    root@root:~/Desktop/wpscrack# ./wpscrack.py -i mon0 -c 00:C0:CA:21:F3:20 -b 90:00:4E:24:01:9B -s Ziggo1FD98 -v

    WARNING: No route found for IPv6 destination :: (no default route?)
    sniffer started
    Exception in thread Thread-1:
    Traceback (most recent call last):
      File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
        self.run()
      File "/usr/lib/python2.6/threading.py", line 484, in run
        self.__target(*self.__args, **self.__kwargs)
      File "./wpscrack.py", line 516, in sniffer
        sniff(store=0, stop_filter=lambda x: self.sniffer_filter(x))
      File "/usr/local/lib/python2.6/dist-packages/scapy/sendrecv.py", line 550, in sniff
        s = L2socket(type=ETH_P_ALL, *arg, **karg)
    TypeError: __init__() got an unexpected keyword argument 'stop_filter'

    ——————- attempt #1
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    TIMEOUT!!
    -> 802.11 deauthentication
    attempt took 5.104 seconds
    ——————- attempt #2
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    TIMEOUT!!
    -> 802.11 deauthentication
    attempt took 5.116 seconds

    Traceback (most recent call last):
      File "./wpscrack.py", line 621, in <module>
        main()
      File "./wpscrack.py", line 615, in main
        wps.run()
      File "./wpscrack.py", line 192, in run
        self.rcved.wait()
      File "/usr/lib/python2.6/threading.py", line 395, in wait
        self.__cond.wait(timeout)
      File "/usr/lib/python2.6/threading.py", line 239, in wait
        waiter.acquire()

    Comment by maxim — January 3, 2012 @ 3:54 pm | Reply

    • Same problem here, same setup, BT5R1, Alfa Wireless (inside a VM).

      Comment by Mjaeger — January 4, 2012 @ 11:19 am | Reply

    • same here ..!

      Comment by DAMERO — January 4, 2012 @ 5:24 pm | Reply

  138. [...] Security researcher Stefan Viehböck has revealed a design and implementation flaw in Wi-Fi Protected Setup (WPS) that makes Wi-Fi networks [...]

    Pingback by Wi-Fi Protected Setup Vulnerable to Brute Force Attack | MYH3R3 – Believe In Your Technolust — January 3, 2012 @ 4:19 pm | Reply

  139. [...] connection to a computer – or there’s a way to do the same using a PIN.   But Stefan Viehböck found one of the PIN methods vulnerable to a brute force attack, as there are only 11,000 possible [...]

    Pingback by Your WiFi Router Can Be Hacked « WCH Computer Services — January 3, 2012 @ 10:44 pm | Reply

  140. Can someone help me.. I downloaded this tool but my PC can’t open it.. Is there a special program to open this tool? Please help me

    Comment by banny — January 3, 2012 @ 11:28 pm | Reply

    • This is a Python script

      You need to use a Linux system with Python and the dependencies listed in the README file to run this.

      Comment by Ludo — January 4, 2012 @ 10:24 am | Reply

      • Thanks for the reply….:)

        Comment by banny — January 7, 2012 @ 1:33 am

  141. [...] information | Stefan Viehböck’s blog Download document as PDF | Brute forcing Wi-Fi Protected Setup Tweet This Post Router [...]

    Pingback by ideasweb.info | Noticias, Software y novedades. Las mejores aplicaciones web, con los trucos más útiles y toda la información en nuestro blog. « Descubierta una vulnerabilidad en el sistema WPS de los routers WiFi « ideasweb.info | Noticias — January 4, 2012 @ 5:52 am | Reply

  142. [...] researcher Stefan Viehbock recently released information about a method that can be used to bypass the security on a Wi-Fi Protected Security (WPS) [...]

    Pingback by Bypassing WPS Router Security | Digital Threat — January 4, 2012 @ 11:10 am | Reply

  143. WPS vulnerability endangers Wi-Fi networks…

    A design vulnerability in Wi-Fi Protected Setup (WPS) endangers all affected networks – even if they use the actually secure WPA/WPA2 standards for encryption and authentication. Figuratively speaking, these Wi-Fi…

    Trackback by Dipl.-Inform. Carsten Eilers — January 4, 2012 @ 11:31 am | Reply

  144. [...] [5] Original find [...]

    Pingback by Vulnerabilidade WPS – Caso de estudo « Tecnologia Segura — January 4, 2012 @ 3:15 pm | Reply

  145. rying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    TIMEOUT!!
    -> 802.11 deauthentication
    attempt took 5.067 seconds
    ——————- attempt #2
    Trying 00000000
    -> 802.11 deauthentication
    -> 802.11 authentication request
    TIMEOUT!!
    -> 802.11 deauthentication

    ================

    What is the problem up there?

    Comment by DAMERO — January 4, 2012 @ 5:23 pm | Reply

    • Probably weak signal or the AP doesn’t support WPS.

      Comment by Twilight.zero — January 7, 2012 @ 12:12 am | Reply

      • Before running the script you need to set your wireless device to ‘monitor’ mode. In Linux, this can be achieved using ‘airmon-ng’, a utility included with aircrack-ng when installed on Ubuntu.

        $ airmon-ng start [wireless interface name, like 'wlan0'] [channel number, e.g. '6']
        # airmon-ng start wlan0 6

        If you’re using a mac80211 driver, this will create a new device called ‘mon0’ which is in monitor mode. If you’re using another driver, it will set ‘wlan0’ to monitor mode. Once this is done, you can do the following from the README:

        iwconfig mon0 channel X
        ./wpscrack.py --iface mon0 --client 94:0c:6d:88:00:00 --bssid f4:ec:38:cf:00:00 --ssid testap -v

        Of course, substitute your own values instead of the ones provided above. Use the --help flag to see an explanation of each.

        Comment by zs — January 9, 2012 @ 9:28 pm

  146. [...] Protected Setup – When poor design meets poor implementati. He intends to release his brute-force tool shortly, but first still wants the code [...]

    Pingback by OliverNET.CO.CC | Oliver Zdravkovic, Sport, Politik, Technik, Psychologie » Blog Archiv » Wi-Fi Protected Setup: Sicherheitsproblem in Millionen WLAN-Routern — January 4, 2012 @ 7:23 pm | Reply

  147. [...] allows attackers to find out the password of a protected network. In his blog he reports how, with the help of a brute-force attack, he succeeded in successfully [...] into several [...]

    Pingback by Open-Source-Software knackt WLAN-Passwörter | Hypermedia Trends — January 4, 2012 @ 7:26 pm | Reply

  148. [...] to research by Stefan Viehböck (also discovered independently by another researcher as well), technical flaws in WPS make [...]

    Pingback by Wi-Fi Protected Setup (WPS) Undermines Wireless Security | WatchGuard Security Center — January 5, 2012 @ 1:05 am | Reply

  149. Heya, I was just wondering if SecureEasySetup is in trouble too, as I’ve read it’s just a different name for WPS.

    My router (WRT54G v7.0) only has the option to Enable/Disable SecureEasySetup, no mention of PINs.

    I have tried Reaver which couldn’t associate with my AP, but could on others, and its discovery tool “walsh” doesn’t list my router, but that could of course just be because it’s not calling itself WPS, so isn’t logged.

    Comment by SomeDude — January 5, 2012 @ 5:10 am | Reply

  150. I was wondering if anyone knows if you could run this WPS cracking tool in BackTrack 5? And if so, can someone help me?

    Comment by rod123 — January 5, 2012 @ 7:18 am | Reply

  151. [...] Information: Blog Stefan Viehbock More information: [...]

    Pingback by Sistema WPS possui falha de segurança « INFORSALVADOR — January 5, 2012 @ 10:13 am | Reply

  152. [...] At least if it continues the way it started. What do I mean? The WPS hole that Stefan Viehböck documented in this blog entry between Christmas and New Year. For anyone who has not read it yet: WPS stands for Wi-Fi Protected Setup, a [...]

    Pingback by Spaß mit der WPS-Schwachstelle Nerd-Supreme — January 5, 2012 @ 12:27 pm | Reply

  153. [...] to research by Stefan Viehböck (also discovered independently by another researcher as well), technical flaws in WPS make [...]

    Pingback by Wi-Fi Protected Setup (WPS) Undermines Wireless Security | Techguy Computer Services LLC — January 5, 2012 @ 1:07 pm | Reply

  154. [...] I hack your encrypted wireless router (JF/CS) http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/ [...]

    Pingback by På den säkra sidan – Utgåva 04 | SAFESIDE-bloggen — January 5, 2012 @ 1:20 pm | Reply

  155. [...] with a gui, but the FOSS version is quite good I think with my first try. The other one is called wpscrack and is only a python script and that automatically means that you have to have python libraries [...]

    Pingback by Break the barriers on almost any post-07/08 WPA router by cracking the WPS security system | Simple hacks & reviews — January 6, 2012 @ 2:38 pm | Reply

  156. [...] with a gui, but the FOSS version is quite good I think with my first try. The other one is called wpscrack and is only a python script and that automatically means that you have to have python libraries [...]

    Pingback by Brute force WPS pins on almost any post-07/08 WPA router | Simple hacks & reviews — January 6, 2012 @ 3:06 pm | Reply

  157. Thank you for the advice and link person who posted on comment #’s 155-156!!!

    Comment by rod567 — January 6, 2012 @ 7:10 pm | Reply

  158. No lie – it looks like someone pointed out most of this design flaw back in 2009, but (a) he didn’t run it to ground, and (b) nobody noticed. True, he ranted about some other stuff, but aside from noting the shortness of the PIN and the inability to change it (or disable WPS on some devices), the basic flaw is there.

    http://slidingconstant.net/entry/166

    So sad.

    Anyhow, nice work and mad props to Stefan and Craig/TNS.

    Comment by J.H. — January 7, 2012 @ 2:24 am | Reply

    • It was run to ground by the Wi-Fi Alliance before 2009 … there are recommendations in the specification to avoid the attack. It’s just that vendors clearly did not read the recommendations.

      Comment by Paul — January 9, 2012 @ 11:18 pm | Reply

  159. [...]    * Wi-Fi Protected Setup PIN brute force vulnerability –   <http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/>    * Cracking WiFi Protected Setup with Reaver –   [...]

    Pingback by US-CERT Cyber Security Alert SA12-006A — Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack | TechnologyNews — January 7, 2012 @ 7:52 pm | Reply

  160. [...] Stefen Viehbock’s blog post on the WPS vulnerability [...]

    Pingback by E02 – Wi-Fi Protected Setup, Battered or Broken? | No Strings Attached Show — January 8, 2012 @ 7:25 pm | Reply

  161. [...] reported the vulnerability to the U.S. Computer Emergency Readiness Team, released a tool that can crack a home Wi-Fi network in two hours. And Craig Heffner of Tactical Network Solutions, who had been working independently on figuring [...]

    Pingback by Tools published that exploit router flaw- websec — January 9, 2012 @ 12:02 am | Reply

  162. [...] many people, this vulnerability was discovered by two people independently of each other, Stefan Viehböck and Craig Heffnet; the latter developed an application (which is the one we will show in this post for [...]

    Pingback by Vulnerabilidad en WiFi Protected Setup « TheCoffeMaker — January 10, 2012 @ 12:47 pm | Reply

  163. [...] enable device filtering by MAC address. Article by: webnews Source: Stefan ViehBock Via The Verge Image: [...]

    Pingback by Wi-Fi, un bug mette a rischio milioni di router | Storming News — January 10, 2012 @ 1:12 pm | Reply

  164. [...] all started on December 27th when a white paper was released by Stefan Viehböck on his blog .braindump. This was quickly picked up by the security community and then the global community at large. [...]

    Pingback by Just what is WPS and why is everyone talking about it? | Pro Web Marketing — January 10, 2012 @ 3:38 pm | Reply

  165. Trying to test it on my router at home. I can’t get it to start sniffing. Here’s my code-

    python wpscrack.py -iface mon0 -bssid aa:bb:cc:dd:ee:ff -v (replaced BSSID of course)

    I get this in return-

    No route found for IPv6 destination :: (no default route?)
    check arguments or use --help!

    What am I doing wrong? I looked at the -help descriptions and I don’t see anything wrong.

    Comment by RMendez — January 11, 2012 @ 1:49 pm | Reply

    • You need to specify also the -client, -ssid arguments on the input line (hence the message about arguments). The IPv6 message is issued by scapy, just ignore that since we are working over IPv4.

      Comment by stefan lenz — January 11, 2012 @ 5:10 pm | Reply

  166. [...] further details, please see Vulnerability Note VU#723755 and documentation by Stefan Viehböck and Tactical Network [...]

    Pingback by Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack — OnSystem Logic Cyber Security Experts — January 11, 2012 @ 2:37 pm | Reply

  167. I have a WRT54GL Router v1.1:

    (http://homestore.cisco.com/en-us/Routers/linksys-WRT54GL_stcVVproductId53934619VVcatId543809VVviewprod.htm)

    with WPA2 encryption. It is supposed to have WPS disabled by default, but I have my doubts, since some routers still run WPS, despite it being disabled. How can I be sure I don’t run WPS? I don’t have the knowledge to use the exploit tool.

    Comment by Ro Man (@romanl123) — January 11, 2012 @ 3:23 pm | Reply
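
For the question above about confirming that WPS is really off: an access point with WPS active advertises it in a vendor-specific information element (OUI 00:50:F2, type 4) in its beacons and probe responses, so the check can be made passively on frames from your own router. The following is an added example, not part of the original comment or of wpscrack; the beacon bytes are constructed samples and all function names are hypothetical.

```python
"""Check whether a beacon's information elements advertise WPS (added example)."""
import struct

VENDOR_SPECIFIC = 221                      # 802.11 vendor-specific IE tag
WPS_OUI_TYPE = bytes.fromhex("0050f204")   # OUI 00:50:F2, OUI type 4 = WPS
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044
ATTR_AP_SETUP_LOCKED = 0x1057
WPS_STATES = {1: "not configured", 2: "configured"}


def iter_ies(buf):
    """Yield (tag, value) for each tag/length/value information element."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated IE header")
        tag, length = buf[pos], buf[pos + 1]
        end = pos + 2 + length
        if end > len(buf):
            raise ValueError("truncated IE body")
        yield tag, buf[pos + 2:end]
        pos = end


def parse_wps_attributes(data):
    """Parse WPS attributes: 2-byte type, 2-byte length (big-endian), value."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated WPS attribute header")
        attr_type, length = struct.unpack_from(">HH", data, pos)
        end = pos + 4 + length
        if end > len(data):
            raise ValueError("truncated WPS attribute body")
        attrs[attr_type] = data[pos + 4:end]
        pos = end
    return attrs


def first_byte(attrs, attr_type):
    """Return the first byte of an attribute value, or None if absent/empty."""
    value = attrs.get(attr_type)
    return value[0] if value else None


def wps_status(ies):
    """Return None if no WPS IE is present, else a summary of what is advertised."""
    # WPS data may be split over several vendor IEs; concatenate their bodies.
    wps_data = b"".join(
        value[4:] for tag, value in iter_ies(ies)
        if tag == VENDOR_SPECIFIC and value[:4] == WPS_OUI_TYPE
    )
    if not wps_data:
        return None
    attrs = parse_wps_attributes(wps_data)
    return {
        "version": first_byte(attrs, ATTR_VERSION),
        "state": WPS_STATES.get(first_byte(attrs, ATTR_WPS_STATE), "unknown"),
        "ap_setup_locked": first_byte(attrs, ATTR_AP_SETUP_LOCKED) == 1,
    }


# --- Constructed sample data (not captured from a real device) ---------------
def make_ie(tag, value):
    return bytes([tag, len(value)]) + value


def make_attr(attr_type, value):
    return struct.pack(">HH", attr_type, len(value)) + value


SSID = make_ie(0, b"testap")
CHANNEL = make_ie(3, b"\x06")
# Same OUI but type 1 (WPA), body shortened: must NOT be mistaken for WPS.
WPA_IE = make_ie(VENDOR_SPECIFIC, bytes.fromhex("0050f201") + b"\x01\x00")
WPS_BODY = make_attr(ATTR_VERSION, b"\x10") + make_attr(ATTR_WPS_STATE, b"\x02")
WPS_IE = make_ie(VENDOR_SPECIFIC, WPS_OUI_TYPE + WPS_BODY)
WPS_LOCKED_IE = make_ie(
    VENDOR_SPECIFIC,
    WPS_OUI_TYPE + WPS_BODY + make_attr(ATTR_AP_SETUP_LOCKED, b"\x01"),
)

BEACON_WPS_OFF = SSID + CHANNEL + WPA_IE
BEACON_WPS_ON = SSID + CHANNEL + WPA_IE + WPS_IE
BEACON_WPS_LOCKED = SSID + CHANNEL + WPA_IE + WPS_LOCKED_IE

if __name__ == "__main__":
    for name, ies in [("off", BEACON_WPS_OFF), ("on", BEACON_WPS_ON),
                      ("locked", BEACON_WPS_LOCKED)]:
        status = wps_status(ies)
        print(name, "-> no WPS IE advertised" if status is None else status)
```

If the element is still present after WPS has been switched off in the router's settings, the setting did not take effect and the firmware needs to be replaced or updated.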

  168. [...] Viehbock, who was the first to report the flaw to the U.S. Computer Emergency Readiness Team (CERT), has released a tool that he claims can break the protection of a Wi-Fi network in two hours. The second tool was released by Craig [...]

    Pingback by Alati za probijanje WPS-a « ITRepublika — January 13, 2012 @ 6:38 pm | Reply

  169. Hi guys and/or author.
    I’m having some problems, I would really appreciate it if you can help me.
    I’m running BT5R1 (gnome-vm-32).
    I’ve installed scapy 2 (setup file completed)
    And I’m trying to run the program, but I’m getting the same error, over and over again

    This is the command I run: (btw, testing on my own router)

    ‘/root/wpscrack.py’ -iface mon0 -client 00:0C:43:A3:03:0F -bssid C0:3F:0E:68:AC:20 -ssid NETGEAR -v (((where -client (is the client connected to bssid trying to access, if one is connected, if no one is connected what then, i use my own?), bssid is its bssid, ssid is its name)

    And this is what I get:

    WARNING: No route found for IPv6 destination :: (no default route?)
    /root/scapy/crypto/cert.py:10: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
    import os, sys, math, socket, struct, sha, hmac, string, time
    /root/scapy/crypto/cert.py:11: DeprecationWarning: The popen2 module is deprecated. Use the subprocess module.
    import random, popen2, tempfile
    sniffer started
    ——————- attempt #1
    Trying 00000000
    -> 802.11 deauthentication
    Traceback (most recent call last):
    File “/root/wpscrack.py”, line 621, in <module>
    main()
    File “/root/wpscrack.py”, line 615, in main
    wps.run()
    File “/root/wpscrack.py”, line 187, in run
    self.send_deauth()
    File “/root/wpscrack.py”, line 552, in send_deauth
    sendp(deauth, verbose=0)
    File “/root/scapy/sendrecv.py”, line 259, in sendp
    __gen_send(conf.L2socket(iface=iface, *args, **kargs), x, inter=inter, loop=loop, count=count, verbose=verbose, realtime=realtime)
    File “/root/scapy/arch/linux.py”, line 417, in __init__
    self.ins.bind((iface, type))
    File “<string>”, line 1, in bind
    socket.error: [Errno 19] No such device
    TIMEOUT!!

    Always getting socket.error no such device?

    Please help, I would really appreciate it and will pay dearly! Thanks guys!

    axel21pa@gmail.com

    Comment by Axelrose — January 16, 2012 @ 5:35 pm | Reply

  170. [...] Computer Emergency Readiness Team, released a tool that can crack a home Wi-Fi network in two hours. And Craig Heffner of Tactical Network Solutions, who had been working independently [...]

    Pingback by Tools published that exploit router flaw – modrstudio — January 19, 2012 @ 1:15 pm | Reply

  171. [...] it to the user, and is independent of the encryption mechanism used. Stefan Viehböck describes in his blog that the WPS (Wi-Fi Protected Setup) mechanism with PIN is susceptible to successful attacks by force [...]

    Pingback by (In)seguridad Wi-Fi, no uses WPS (Wi-Fi Protected Setup) | Blog de Seguridad Informática — January 20, 2012 @ 8:54 am | Reply

  172. I contacted Linksys (Cisco) about the WPS issue in my router, a Linksys WRT120N. They replied to me that the router is no longer supported, therefore no fix will ever be released. Also the firmware is proprietary and because of 2MB of flash it doesn’t support dd-wrt. So in other words if you have a WRT120N router like me you are in big trouble.

    GAME OVER!

    Comment by Henry — January 20, 2012 @ 11:52 pm | Reply

  173. What’s with this Scapy bullcrap requirement, Stefan? Freaking huge waste of diskspace, plus a very annoying install procedure. Isn’t even in any package management’s database. Puts me off wpscrack before even trying.

    Comment by Carlos Emsii — January 21, 2012 @ 1:42 pm | Reply

    • it’s in portage repositories. go pro, go gentoo :)

      Comment by donc_oe — March 6, 2012 @ 8:11 pm | Reply

  174. [...] of WLAN components will probably be remembered for some time to come. The reason is the publication of the research results of Stefan Viehböck, a student from Vienna. In Wi-Fi Protected Setup, WPS for short, he had [...] a massive [...]

    Pingback by WLAN Schwachstelle erkannt | Nie mehr Probleme mit meinem PC — January 22, 2012 @ 9:42 pm | Reply

  175. [...] a possible attack on this vulnerability are available currently two instruments, Reaver-WPS and WPScrack for which we will describe the installation and basic use of [...]

    Pingback by Reaver-WPS Hacking Wifi | Ark@Dis9Team — January 27, 2012 @ 9:47 pm | Reply

  176. [...] Wi-Fi Protected Setup PIN brute force vulnerability [...]

    Pingback by Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack | Page3 of Technology — January 28, 2012 @ 7:49 am | Reply

  177. [...] Stefan Viehböck describes in his blog, almost any WiFi router that has WPS with PIN enabled can be cracked by brute force [...]

    Pingback by WPS Pin von WiFi Routern kann per Brute Force geknackt werden : Benutzerzeit — January 29, 2012 @ 4:46 pm | Reply

  178. [...] weeks ago, a security researcher by the name of Stefan Viehbock identified a pretty serious vulnerability in the WPS (Wi-Fi Protected Setup) protocol that is supported by most consumer-grade wireless [...]

    Pingback by WPS Security Vulnerability: Ease of Use -> Less Secure | HELPMEUSETECH'S BLOG — February 7, 2012 @ 3:37 pm | Reply

  179. [...] Wi-Fi Protected Setup PIN brute force vulnerability, Stefan Viehböck. December 27, 2011. [...]

    Pingback by Edgis Security - WPS PIN Brute Force Vulnerability — March 2, 2012 @ 11:01 pm | Reply

  180. [...] Viehböck has published the exploit on his blog, and makes documentation available in the format [...]

    Pingback by [ NEWS ] Cracker une clef WPA en moins de 10 heures | Blog de Quentin — March 5, 2012 @ 9:15 am | Reply

  181. I love this blog

    Comment by Nick — March 6, 2012 @ 8:15 pm | Reply

  182. [...] earlier in December, various router manufacturers confirmed that they were vulnerable to attack. Viehbock wrote in his blog that no relevant vendors have issued fixes for their [...]

    Pingback by Fejl i WIFI sikkerhedsstandarden WPS | Netværk til boligforeninger og antenneforeninger - IPadvisor.dk — April 2, 2012 @ 3:23 pm | Reply

  183. [...] further details, please see Vulnerability Note VU#723755 and documentation by Stefan Viehböck and Tactical Network [...]

    Pingback by TA12-006A: Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack — April 3, 2012 @ 1:55 am | Reply

  184. [...] last December, Stefan Viehbock reported that most WPS-enabled Wi-Fi routers are susceptible to a brute force attack. What makes [...]

    Pingback by BolehVPN News/Status/Fun » Blog Archive » Most Wi-Fi Security Can Be Broken (Including WPA2) — April 4, 2012 @ 2:17 pm | Reply

  185. Hi, just wondering what the .py python file was at the beginning? Is that the shell Reeve runs on?

    Comment by Ty Coon — April 20, 2012 @ 2:31 pm | Reply

  186. Yeah I was wondering too what the .py python file was.

    Comment by Tim Oats — April 24, 2012 @ 5:04 pm | Reply

  187. When is this going to be implemented into Aircrack-NG Suite? You already have a trac Account.

    Comment by FBi — May 10, 2012 @ 2:02 am | Reply

  188. [...] further details, please see Vulnerability Note VU#723755 and documentation by Stefan Viehböck and Tactical Network [...]

    Pingback by TA12-006A: Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack | SecOps — May 10, 2012 @ 9:07 pm | Reply

  189. [...] security researcher Stefan Viehbock published a document in December that exposes the vulnerabilities of the configurations of [...]

    Pingback by Las redes Wi-Fi aseguradas pueden ser vulnerables | Temas de interés en Seguridad de la Información — July 3, 2012 @ 2:02 pm | Reply

  190. [...] the checksum) makes it much quicker and feasible to brute force crack. Using tools like Reaver or WPScrack can reduce the time it takes to just a few hours, which also reveals the network’s full WPA or [...]

    Pingback by 4 Hidden Wi-Fi Security Threats | PsychoCoding — August 1, 2012 @ 11:19 am | Reply

  191. [...] the PIN, repeatedly sending guesses to the router from a client using a tool like Reaver or WPScrack. After a few hours, these tools will likely reveal the target router’s WPS PIN and the WPA or [...]

    Pingback by Dorchester Cisco Academy | Wireless Security Hole — August 28, 2012 @ 4:45 pm | Reply

  192. [...] the PIN, repeatedly sending guesses to the router from a client using a tool like Reaver or WPScrack. After a few hours, these tools will likely reveal the target router’s WPS PIN and the WPA or [...]

    Pingback by Protecting Your Network from the Wi-Fi Protected Setup Security Hole « Computer Technology — September 3, 2012 @ 4:54 am | Reply

  193. [...] n150 wireless modem router with push button security set up and network status display (f6d4630uk4a) Wi-Fi Protected Setup PIN brute force vulnerability [...]

    Pingback by Belkin N150 Wireless N Router (Older Generation) | TopWirelessRouter.net — October 1, 2012 @ 3:02 am | Reply

  194. I would like to install the saver as in backtrack 5 r2 wpscrack already the reaver backtrack is installed and is a bit slow, been looking for wep and say wpscrack is faster and saver as I would like to install in backtrack with the reaver I have many faults and I would like to have the wpscrack, please help me and tell me how to run it in the backtrack, thanks ..

    Comment by anonimo — October 4, 2012 @ 4:39 pm | Reply

  195. Do you know what wireless adapters work and don’t work?
    I need to know so that I can find out if the error occurred because of my adapter or my method.

    Comment by Miguel Ramalho — October 5, 2012 @ 6:12 pm | Reply

  196. The lower case doesn’t work, it keeps repeating the same pin

    Comment by Miguel — October 5, 2012 @ 11:13 pm | Reply

  197. I have installed scapy (2.2.0). Could someone help me, please?

    Comment by Miguel — October 5, 2012 @ 11:19 pm | Reply

  198. I was using reaver and wpscrack for quite a while now. While reaver does a good job in general, I’m a big fan of python and prefer wpscrack as it’s easier to modify and extend. As the further development seems to be stopped, I uploaded it at github now ( https://github.com/ml31415/wpscrack ) and started to add some tweaks. Anyone who would like to help improving it, feel warmly invited.

    Comment by Michael — October 15, 2012 @ 8:49 am | Reply

  199. [...] be quite as secure as you thought it was. A paper recently published by [Stefan Viehböck] details a security flaw in the supposedly robust WPA/WPA2 WiFi security protocol. It’s not actually that protocol which is the culprit, but an in-built feature called Wi-Fi [...]

    Pingback by WPA/WPA2 Wifi Hack « uniquetank — October 21, 2012 @ 11:30 am | Reply

  200. [...] PIN aren’t very hard to hack. About a year ago, researcher Stefan Viehböck published a paper (site) illustrating how to find a WPS PIN via a simple, brute-force attack that can be carried out with [...]

    Pingback by Routers using WPS are intrinsically unsafe | My Blog — December 15, 2012 @ 5:04 pm | Reply

  201. [...] to research by Stefan Viehböck (also discovered independently by another researcher as well), technical flaws in WPS make [...]

    Pingback by Wi-Fi Protected Setup (WPS) Undermines Wireless Security. « LogicalTech Blogosphere — January 14, 2013 @ 12:46 am | Reply

  203. [...] a year ago, researcher Stefan Viehböck published a paper (site) illustrating how to find a WPS PIN via a simple, brute-force attack that can be carried out with [...]

    Pingback by [IT}-- Routers using WPS are intrinsically unsafe | Padronel — January 26, 2013 @ 12:56 am | Reply

  205. [...] ambitious programmer Sven Viehböck published detailed instructions at the end of December on how a long-known vulnerability in WPA/WPA2-protected wireless networks [...]

    Pingback by Hallo Nachbar! WLAN-Router – bequem und unsicher | Medienzeiger — March 28, 2013 @ 6:28 pm | Reply

  206. A question: if I already have the PIN number of the modem…. how do I get the Wi-Fi key????

    Comment by MasterEnigma — April 9, 2013 @ 6:50 am | Reply

  209. Hi people;

    In this video: http://youtu.be/NA6zO5NBYes I show the vulnerability theory of Wifi Protected Setup, referring to padlocks to clarify the understanding, and practice under Kali Linux

    Do not forget to turn it off! ;)

    Comment by Fuguet — May 21, 2013 @ 6:10 pm | Reply

  211. […] problem is that a security researcher, Stefan Viehbock, has discovered that these products suffer from a significant security hole and are vulnerable to an attack of […]

    Pingback by Descubren un grave fallo de seguridad en los routers con WPS — June 30, 2013 @ 8:37 am | Reply

  214. […] keeps trying a router’s PINs until the connection is established. The hacker tool is on Viehböck’s website […]

    Pingback by über WLAN-Router: Sicherheitslücke im Wi-Fi Protected Setup (WPS) – und wie Sie sich schützen | affklik — July 13, 2013 @ 11:18 am | Reply

  217. […] also: Wi-Fi Protected Setup PIN brute force vulnerability Cracking WiFi Protected Setup with […]

    Pingback by Kwetsbaarheid in wps-specificatie ontdekt - Sysadmins of the North — October 9, 2013 @ 9:42 am | Reply

  218. […] wrote a detailed article about the threat. You can access his write-up by visiting his website here. His work describes how the WPS implementation of the wireless access point can be broken […]

    Pingback by Cómo comprobar si la configuración Wi-Fi Protected Setup (WPS) está habilitada | Aulacero21 — October 26, 2013 @ 7:32 pm | Reply

  219. […] of data and various security problems. The latest comes from another developer who has made public a flaw in the WPS that many current WiFi routers use to make it possible to add, in a simple and […]

    Pingback by Vulnerabilidad en el WPS de tu router | El Blog Informático — November 4, 2013 @ 10:50 am | Reply

  220. Hi guys, I have found an error in the wpscrack program during a scan. Type error: got an unexpected keyword arguments “stop filter”
    What does it mean?
    Thanks

    Comment by mike — November 23, 2013 @ 12:50 pm | Reply

  221. […] Wi-Fi Protected Setup PIN brute force vulnerability | .braindump – RE and stuff. […]

    Pingback by Pesquisadores demonstram falha em segurança de rede sem fio WPS | Informações, Notícias, Artigos, Redes e Segurança de Sistemas — December 1, 2013 @ 3:23 pm | Reply

  222. […] wrote a “Proof of Concept” in Python that makes it possible to carry out a brute-force attack on WPS. The post on his blog contains a link to the code (wpscrack.zip) written in Python. It makes use of the already more than once mentioned […]

    Pingback by Bezpieczeństwo sieci Wi-Fi – część 6. (bezpieczeństwo WPS) — December 18, 2013 @ 6:09 pm | Reply

  224. […] Source: Blog of the discoverer of the WPS vulnerability […]

    Pingback by Publicadas las herramientas para romper la seguridad WPS | La Cueva Wifi — December 30, 2013 @ 9:12 am | Reply

  225. WARNING: No route found for IPv6 destination :: (no default route?)
    sniffer started
    ——————- attempt #1
    Trying 00000000
    -> 802.11 deauthentication
    Traceback (most recent call last):
    File “wpscrack.py”, line 621, in <module>
    main()
    File “wpscrack.py”, line 615, in main
    wps.run()
    File “wpscrack.py”, line 187, in run
    self.send_deauth()
    File “wpscrack.py”, line 552, in send_deauth
    sendp(deauth, verbose=0)
    File “/usr/lib/python2.7/dist-packages/scapy/sendrecv.py”, line 259, in sendp
    __gen_send(conf.L2socket(iface=iface, *args, **kargs), x, inter=inter, loop=loop, count=count, verbose=verbose, realtime=realtime)
    File “/usr/lib/python2.7/dist-packages/scapy/sendrecv.py”, line 234, in __gen_send
    s.send(p)
    File “/usr/lib/python2.7/dist-packages/scapy/supersocket.py”, line 32, in send
    sx = str(x)
    File “/usr/lib/python2.7/dist-packages/scapy/packet.py”, line 261, in __str__
    return self.build()
    File “/usr/lib/python2.7/dist-packages/scapy/packet.py”, line 319, in build
    p = self.do_build()
    File “/usr/lib/python2.7/dist-packages/scapy/packet.py”, line 311, in do_build
    pay = self.do_build_payload()
    File “/usr/lib/python2.7/dist-packages/scapy/packet.py”, line 303, in do_build_payload
    return self.payload.do_build()
    File “/usr/lib/python2.7/dist-packages/scapy/packet.py”, line 308, in do_build
    pkt = self.self_build()
    File “/usr/lib/python2.7/dist-packages/scapy/packet.py”, line 299, in self_build
    p = f.addfield(self, p, val)
    File “/usr/lib/python2.7/dist-packages/scapy/layers/dot11.py”, line 31, in addfield
    return MACField.addfield(self, pkt, s, val)
    File “/usr/lib/python2.7/dist-packages/scapy/fields.py”, line 70, in addfield
    return s+struct.pack(self.fmt, self.i2m(pkt,val))
    File “/usr/lib/python2.7/dist-packages/scapy/fields.py”, line 183, in i2m
    return mac2str(x)
    File “/usr/lib/python2.7/dist-packages/scapy/utils.py”, line 244, in mac2str
    return “”.join(map(lambda x: chr(int(x,16)), mac.split(“:”)))
    File “/usr/lib/python2.7/dist-packages/scapy/utils.py”, line 244, in <lambda>
    return “”.join(map(lambda x: chr(int(x,16)), mac.split(“:”)))
    ValueError: invalid literal for int() with base 16: ‘lient’
    TIMEOUT!!

    Comment by Marko — January 12, 2014 @ 3:13 am | Reply

  226. […] 2011, (as far as I can see) there was the first public release of a PoC “tool” (and paper) to “hack” WPS. It’s a bit of a shame with the timing as it didn’t make it […]

    Pingback by [Review] Offensive Security Wireless Attacks (WiFu) & Offensive Security Wireless (OSWP) | iSEC Source — February 23, 2014 @ 2:26 am | Reply

  228. Hacking a Samsung D7000 TV takes 5 seconds – the SEC_Linkshare SSID gives full access to the LAN and Internet for anyone connecting!!

    john@VIAO:~$ sudo reaver -i mon3 -b E4:E0:C5:05:D5:68 -vv
    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions,
    Craig Heffner
    [+] Waiting for beacon from E4:E0:C5:05:D5:68
    [+] Switching mon3 to channel 1
    [+] Associated with E4:E0:C5:05:D5:68 (ESSID: SEC_LinkShare_419a94)
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] Trying pin 00005678
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] Trying pin 00000000
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 5 seconds
    [+] WPS PIN: ‘00000000’
    [+] WPA PSK: ‘ngYWQnHzxa86JxF9QOiWxrLn0eWa31′
    [+] AP SSID: ‘SEC_LinkShare_419a94′
    john@VIAO:~$

    Comment by John — April 8, 2014 @ 1:06 pm | Reply

  231. […] researcher Stefan Viehbock recently released information about a method that can be used to bypass the security on a Wi-Fi Protected Security (WPS) […]

    Pingback by Bypassing WPS Router Security | 1337 Tech News — June 16, 2014 @ 12:30 am | Reply

  234. […] originally demonstrated at the PasswordsCon Las Vegas 2014 conference in early August, builds on previous work published by Stefan Viehböck in late 2011. Viehböck found a number of design flaws in Wi-Fi Protected Setup, but most […]

    Pingback by Offline attack shows Wi-Fi routers still vulnerable | — August 31, 2014 @ 6:48 am | Reply

  235. […] not the only researcher to notice flaw in the protocol. Independently, Stefan Viehböck’s work, published in late 2011, revealed a number of design flaws in WPS and, most significantly, he found the PIN required to […]

    Pingback by Research: Hackers Could Break Wi-Fi Routers in 1 Second | VPN Creative — August 31, 2014 @ 10:15 pm | Reply

  236. […] with the WPS protocol of your routers! An upcoming tool should appear to check the security level of your […]

    Pingback by Nono’s Vrac 29 « m0le'o'blog — September 2, 2014 @ 1:33 pm | Reply

  237. […] force At the end of 2011, however, security researcher Stefan Viehbock announced that a design flaw in WPS makes it possible to crack the PIN via a brute-force attack. Here, malicious parties are […]

    Pingback by Onderzoeker kan WPS-code in 1 seconde achterhalen | Infosecurity Magazine — September 2, 2014 @ 1:53 pm | Reply

  238. […] by Dominique Bongard, founder of 0xcite of Switzerland, is a spin-off of 2011 research done by Stefan Viehbock in which Viehbock could use a brute-force attack to arrive at the PIN in 11,000 […]

    Pingback by WPS Implementation Issue Exposes Wi-Fi Routers to Attack | Threatpost | The first stop for security news — September 2, 2014 @ 3:59 pm | Reply

  239. […] by Dominique Bongard, founder of 0xcite of Switzerland, is a spin-off of 2011 research done by Stefan Viehbock in which Viehbock could use a brute-force attack to arrive at the PIN in 11,000 […]

    Pingback by WPS Implementation Issue Exposes Wi-Fi Routers to AttackDigital Era | Digital Era — September 2, 2014 @ 5:39 pm | Reply

  240. […] a by-product of research carried out by Stefan Viehböck in 2011. In the research, Viehböck was able to achieve […]

    Pingback by WPS является дырой в защите беспроводных роутеров | Threatpost | Новости информационной безопасности — September 3, 2014 @ 6:14 pm | Reply

  241. Very great post. I simply stumbled upon your blog and wished to say
    that I’ve really enjoyed browsing your weblog posts. In any case
    I will be subscribing for your feed and I am hoping you write once more soon!

    Comment by http://ithere.net/Activity-Feed/My-Profile/UserId/15928 — September 3, 2014 @ 10:48 pm | Reply

  242. […] In recent days a flaw was identified in routers that integrate Broadcom chips and support the WPS protocol (Wireless […]

    Pingback by Vulnerabilità WPS dei router: le basi AirPort sono sicure - macitynet.it — September 8, 2014 @ 7:30 pm | Reply

  243. […] in all home Wi-Fi routers you will find the Wi-Fi Protected Setup (WPS) function. That it is not very secure has been known since at least 2011. Some newer routers (by no means all) try to defend against an easy brute-force attack by slowing down […]

    Pingback by Czech Republic cestování » Blog Archive » Hesla milionů uživatelů Gmailu unikla, hned si změňte heslo a aktivujte bezpečnostní SMS — September 11, 2014 @ 1:21 am | Reply

  244. […] it off immediately as this has been found to be a troubled protocol dating back to when researcher Stefan Viehböck reported an implementation flaw that makes brute-force attacks against PIN-based WPS […]

    Pingback by WiFi security & WPS | SecWorX — September 15, 2014 @ 5:24 am | Reply

