-1 Set up everything as usual.
-2 The victim sees the template that has a "continue" button; that button sends a POST request that starts the whole process. We use this because we can't start the process in any other way with only 2 wireless cards.
-3 In a thread we have a listener waiting for that POST request that starts everything.
The process
-4 The message to push the button appears on the victim's screen while we stop the deauth and set up wpa_cli on the same wireless card.
-5 We wait 2 mins (wps_pbc is activated for 2 mins from when the button is pressed, on all routers) trying to connect to the AP, while we keep scanning to see if the AP channel is still the same.
-6 If we are not connected, the interface goes back to deauthenticating the target; otherwise we are done.
Problems
What if the victim resets the router instead of pressing the WPS button?
- It doesn't really matter, because after those two minutes the interface goes back to deauth; but before that it does a scan searching for our target (using the BSSID) and updates the deauth with the new channel (after the victim restarts the router the channel changes) to make sure that the deauth restarts properly.
- Then it restarts everything again: wait for the user to press continue, stop the deauth, check if it's connected for 2 mins, and so on.
Why do we need the "continue" button?
- Since we only have 2 wireless interfaces, we need to know when to switch to deauth and when to start listening for the WPS connection.
(Everything will be clearer when the HTML is done.)
@JetseVerschuren it means the output will change on your AP (it's different on every AP, but the commands are the same).
Anyway I tested all the commands and you can find a video with all the commands here:
Video
@laozi999 the way I wrote it was just to speed up; it meant it's a normal configuration with one interface for the AP and one for the deauth. Also, we don't need to keep scanning the channel; we can just scan it if the connection has failed, because otherwise we don't need it.
We need to know the new channel only if the router is reset, because if the victim presses WPS the attack is done and we don't need to deauth anymore.