-1 Set up everything as usual.
-2 The victim sees the template that has a "continue" button. That button
sends a POST request that starts the whole process. We use this because,
with only 2 wireless cards, we can't start the process in any other way.
-3 In a thread we have a listener waiting for that POST request, which
starts everything.
The process
-4 The message telling the victim to push the button appears on the victim's
screen while we stop the deauth and set up wpa_cli on the same wireless card.
-5 We wait 2 minutes (WPS PBC is active for 2 minutes from when the button is
pressed, on all routers) trying to connect to the AP, while we keep scanning
to check whether the AP channel is still the same.
-6 If we are not connected, the interface goes back to deauthenticating the
target; otherwise we are done.
Problems
What if the victim resets the router instead of pressing the WPS button?
- It doesn't really matter: after those two minutes the interface goes back
to deauth, but before that it scans for our target (by BSSID) and updates
the deauth with the new channel (after the victim restarts the router the
channel changes), to make sure that the deauth restarts properly.
- Then it restarts everything again: wait for the user to press continue, stop the deauth,
check for 2 minutes whether it is connected, and so on.
Why do we need the "continue" button?
- Since we only have 2 wireless interfaces, we need to know when to switch to deauth
and when to start listening for the WPS connection.
(everything will be clearer when the HTML is done)
You can't do this with only 1 interface: deauth + hosting the fake AP + scanning the WPS state at the same time.
You have to keep the fake AP running to see the user input, but we don't want extra user input.
We want at least 2 interfaces: one for the fake AP and one for the 3-second loop (channel hops + deauth + WPS scan).
Using jamming interface: