
Introducing a new way to crack WPS: Option p with an Arbitrary String

kcdtv edited this page Jun 28, 2017 · 2 revisions

We are very happy to present the improved `-p` argument.

`-p, --pin=<wps pin>             Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)`   

It can be used against Access Points that do not enforce the WPS checksum on the last digit of the PIN.
For example: D-Link used 22222222 as a default PIN in some devices. It is not a "legitimate" WPS PIN, because its last digit is not a valid checksum of the first seven.
If you tried to send this PIN with `-p` in a version prior to 1.6b, Reaver would automatically correct it and send the "correct" WPS PIN (2222228 for instance).
As of version 1.6b, any PIN can be sent, including a non-legitimate PIN such as 22222222. Even an "empty" PIN can be sent!
That sounds crazy, right?...
... Have a look at this document: Obtaining the WiFi password in a few seconds using WPS
The author shows how he manages to crack a Huawei router that is immune to pixiewps and to the standard WPS brute force. He does so by sending an empty PIN.
He also shows the faulty configuration in the document:

```
BusyBox vv1.9.1 (2014-02-08 20:26:13 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# nvram show  | grep wps_device_pin  
size: 2659 bytes (30109 left)
wps_device_pin=
#
```

As you can see, the variable `wps_device_pin` is declared but has no value assigned. "Logically", the PIN value is "NULL" (none, an "empty" PIN).
This is not a unique case... In this video you will see how we managed to crack a ZTE router immune to known methods by sending a blank string with `-p ""`: Cracking ZTE ZXHN H218N (jazztel) with new option "arbitrary strings" from Reaver 1.6b
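The two misconfigurations above (a default PIN that fails the WPS checksum rule, and a `wps_device_pin` variable that is declared but empty) are exactly what a firmware or configuration audit should flag. The script below is an added example written for this wiki page; it is not part of Reaver's code base. It implements the WPS PIN checksum rule from the WPS specification (the rule Reaver applied before 1.6b when it "corrected" a PIN), then parses a constructed `nvram show`-style dump modelled on the output shown above and classifies the configured PIN. The sample dumps, the key name `wps_device_pin` and the finding labels are the only inputs; everything else is assumed.

```python
# Added example for this wiki page; not part of Reaver.
# Validates WPS PINs against the spec's checksum rule and audits an
# nvram-style key=value dump for a missing, empty or non-standard PIN.

import re
from typing import Dict, Optional


def wps_checksum_digit(first7: str) -> int:
    """Checksum (8th) digit required by the WPS spec for 7 PIN digits:
    digits at odd positions (1st, 3rd, ...) weigh 3, the others weigh 1,
    and the checksum brings the weighted sum to a multiple of 10."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    acc = 0
    for i, ch in enumerate(first7):
        acc += int(ch) * (3 if i % 2 == 0 else 1)
    return (10 - acc % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """True only for an 8-digit PIN whose last digit is the correct checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_checksum_digit(pin[:7]))


def classify_wps_pin(value: Optional[str]) -> str:
    """Classify a configured PIN value the way a config audit would."""
    if value is None:
        return "missing"        # variable not present in the dump at all
    if value == "":
        return "empty"          # declared but blank, as in the Huawei dump above
    if len(value) == 4 and value.isdigit():
        return "short"          # 4-digit PIN: there is no checksum digit to check
    if wps_pin_is_valid(value):
        return "checksum_ok"
    return "non_standard"       # e.g. 22222222: fails the checksum rule


_KV_RE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")


def audit_nvram_dump(dump: str, key: str = "wps_device_pin") -> Dict[str, Optional[str]]:
    """Parse key=value lines from an `nvram show` dump and report on `key`.
    Lines that are not key=value pairs (the 'size:' header, prompts) are skipped;
    if the key appears more than once the last value wins, as nvram would."""
    value: Optional[str] = None
    for line in dump.splitlines():
        m = _KV_RE.match(line.strip())
        if m and m.group(1) == key:
            value = m.group(2).strip()
    return {"key": key, "value": value, "finding": classify_wps_pin(value)}


# Constructed sample dumps, modelled on the output quoted on this page.
HUAWEI_LIKE_DUMP = """size: 2659 bytes (30109 left)
wps_device_pin=
"""

DLINK_LIKE_DUMP = """size: 2659 bytes (30109 left)
wps_device_pin=22222222
"""

if __name__ == "__main__":
    for name, dump in (("huawei-like", HUAWEI_LIKE_DUMP), ("dlink-like", DLINK_LIKE_DUMP)):
        print(name, audit_nvram_dump(dump))
    print("checksum-corrected form of 2222222x:", "2222222%d" % wps_checksum_digit("2222222"))
```

A finding of `empty` or `non_standard` is the condition to remediate: on such a device the PIN cannot be relied on, and disabling WPS on the AP is the straightforward fix. The `checksum_ok` result only says the PIN is well-formed; it says nothing about whether the PIN is unique to the device or a vendor-wide default.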

  • The screenshot below shows that sending PINs for a brute force does not lead anywhere against this AP:

  • Pixie dust attack is pointless too:

  • But if I send a blank PIN, I crack the device in 2 seconds!

Thanks to binarymaster for proposing and coding this exciting new feature (see #133)!
