
Thursday, Jan 5, 2012

Reaver: What does it look like in the air?

This will probably be one of my last posts on the WPS brute force vulnerability since, after this, there will be little else to say. 

I thought it would be nice to go over some frame captures and see what a WPS brute force attack looks like. All of the frame captures begin with the same pattern: the association, the EAP identity exchange, and WPS messages M1 through M3, which proceed the same way no matter which PIN has been guessed (the capture image is not reproduced here).

After this, the magic happens.

A Failed PIN Attempt

The first image shows what a failed PIN attempt looks like. Notice how we see a deauth from the client after M4: the AP has rejected the first half of the PIN carried in M4 and answered with a NACK, so Reaver tears the session down. After the deauth, it starts back at the beginning and tries another PIN.

A Failed PIN Attempt with the 1st Half Correct

The second image shows what the conversation looks like when the first half of the PIN is guessed correctly, but the second half is incorrect. Notice that the client sends a deauth after M6, instead of M4, this time. Each subsequent attempt should now keep the first four digits the same and only try new variations on the second half of the PIN. Because the last digit of a WPS PIN is a checksum, the second half has only 1,000 possibilities, so the whole search needs at most 10,000 + 1,000 = 11,000 attempts instead of 10^7. It is this ability to crack the first half of the PIN independently from the second half which makes this attack extra speedy.

A Successful PIN Attempt

The last image shows a successful PIN attempt by Reaver. Notice that it makes it all the way to M7 before the frames stop. In a normal WPS negotiation there would be an M8 with a final frame from the Registrar (client) to the Enrollee (AP). However, M7 from the AP already carries the network credentials, and Reaver is not concerned with actually connecting to the WLAN, so it does not send the final frame (set AP configuration). Instead, it simply displays the correct PIN and PSK on the screen for you.
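To make the three captures above concrete, here is an added simulation (not code from the post or from Reaver) of the check the AP performs on M4 and M6 and of the two-phase search that exploits it. It follows the WPS specification for PSK1/PSK2, R-Hash1/R-Hash2 and the PIN checksum, but the AuthKey, public keys and registrar secrets are constructed constants standing in for values that the real M1/M2 Diffie-Hellman exchange would produce; the Enrollee class and pin_attempt/reaver_search functions are illustrative names, not Reaver's own.

```python
"""Added example: simulate the per-half WPS PIN check that Reaver exploits."""
import hashlib
import hmac

# Constructed stand-ins for values the real M1/M2 exchange derives from the
# 1536-bit Diffie-Hellman handshake. Their content is irrelevant to the attack.
AUTH_KEY = hashlib.sha256(b"example AuthKey").digest()
PKE = b"\x01" * 192          # enrollee (AP) DH public key, as sent in M1
PKR = b"\x02" * 192          # registrar (Reaver) DH public key, as sent in M2
R_S1 = b"\x03" * 16          # registrar secret nonces, carried encrypted in M4/M6
R_S2 = b"\x04" * 16


def wps_checksum(first7: str) -> int:
    """Eighth PIN digit: weighted sum of the first seven digits, weights 3,1,3,1,..."""
    accum = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - accum % 10) % 10


def psk_half(pin_half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, one half of the PIN)."""
    return hmac.new(AUTH_KEY, pin_half.encode(), hashlib.sha256).digest()[:16]


def r_hash(r_secret: bytes, psk: bytes) -> bytes:
    """R-Hash1/R-Hash2 = HMAC-SHA256(AuthKey, R-Sx || PSKx || PKE || PKR)."""
    return hmac.new(AUTH_KEY, r_secret + psk + PKE + PKR, hashlib.sha256).digest()


class Enrollee:
    """The AP. It knows the real PIN and validates each half separately."""

    def __init__(self, pin: str):
        self.psk1 = psk_half(pin[:4])
        self.psk2 = psk_half(pin[4:])

    def handle_m4(self, r_s1: bytes, r_hash1: bytes) -> str:
        # AP recomputes R-Hash1 with its own PSK1; a mismatch is answered with a NACK.
        ok = hmac.compare_digest(r_hash(r_s1, self.psk1), r_hash1)
        return "M5" if ok else "NACK"

    def handle_m6(self, r_s2: bytes, r_hash2: bytes) -> str:
        # Same check for the second half of the PIN via PSK2.
        ok = hmac.compare_digest(r_hash(r_s2, self.psk2), r_hash2)
        return "M7" if ok else "NACK"


def pin_attempt(ap: Enrollee, pin: str) -> str:
    """One Reaver attempt (M1-M3 assumed done). Returns where the exchange stopped."""
    if ap.handle_m4(R_S1, r_hash(R_S1, psk_half(pin[:4]))) == "NACK":
        return "deauth after M4"     # first half wrong (first capture)
    if ap.handle_m6(R_S2, r_hash(R_S2, psk_half(pin[4:]))) == "NACK":
        return "deauth after M6"     # first half right, second half wrong (second capture)
    return "M7"                      # PIN correct; M7 carries the AP's credentials (third capture)


def reaver_search(ap: Enrollee):
    """Two-phase search: 10,000 first halves, then 1,000 checksummed second halves."""
    attempts = 0
    for first in (f"{n:04d}" for n in range(10_000)):
        attempts += 1
        # Placeholder second half with a valid checksum while only the first half matters.
        pin = first + "000" + str(wps_checksum(first + "000"))
        outcome = pin_attempt(ap, pin)
        if outcome == "M7":
            return pin, attempts     # lucky: placeholder second half was right too
        if outcome == "deauth after M6":
            break                    # first half confirmed; fix it and move on
    else:
        return None, attempts
    for n in range(1000):
        attempts += 1
        second = f"{n:03d}"
        pin = first + second + str(wps_checksum(first + second))
        if pin_attempt(ap, pin) == "M7":
            return pin, attempts
    return None, attempts


if __name__ == "__main__":
    ap = Enrollee("12345670")                     # constructed target PIN
    print(pin_attempt(ap, "99990000"))            # deauth after M4
    print(pin_attempt(ap, "12340002"))            # deauth after M6
    print(reaver_search(ap))                      # ('12345670', 1803)
```

The worst case is 11,000 attempts; on the constructed PIN the search lands on the answer after 1,803. Real Reaver runs are slower because every attempt costs a full association and EAP exchange over the air, and some APs rate-limit or lock WPS after repeated failures, which this simulation does not model.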

I hope this post is useful, or at least interesting, to anyone interested in learning more about the WPS brute force vulnerability. All frame captures are available on my resources page.

Daniel

If you have any additional thoughts or comments, please leave them in the comments section below. And please share this post with anyone who might benefit from reading it.


Reader Comments (2)

On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

March 30, 2012 | Unregistered CommenterLuca Nye

Hi Luca,

Thanks for dropping by my humble corner of the web and providing additional information.

Much appreciated.

April 3, 2012 | Registered CommenterDaniel
