Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
WPS Flaw Vulnerable Devices - Master

WPS Flaw Vulnerable Devices - Master

Ratings: (0)|Views: 1,918 |Likes:
Published by Eusebiu Pungaru

More info:

Published by: Eusebiu Pungaru on Aug 15, 2012
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





MI424-WR Rev.EActiontecRouter20.19.8NoNoNonen/aWPS "functionality"is not enabledcurrentlyThis is the type of router that is used for Verizon FIOS and it appears to me at least thatdespite there being a button for WPS on the outside of the box, Actiontec says in the user manual:"Although the WPS button is included on the FiOS Router, WPS functionality will not beenabled until a future firmware release. The button is included so that WPS can beactivated at a later date without having to physically change the FiOS Router. The GUIdoes not include the WPS option."00:1F:90ajdownsWLAN 1421Alice/HansenetWlan Router1.0.16NoYesReaverYesI did a quick check. Seems to be vulnerable. But with some kind of rate limit maybe. Every second try fails. AirPort ExtremeAppleRouter7.5.2NoNon/an/aYes, seecommentsApple seems to use the internal PIN Method, not external PIN.60:33:4BjagermoVodafone Easybox602ArcadyanRouter/Modem20.02.022YesNoReaver 1.3Yes0:23:08Do we have more information about this? WPS PIN is enabled, but device is not vulnerable? Why?Vodafone EasyBox802ArcadyanRouter/Modem4/20/0207YesMaybeReaver 1.3,WPScrackYesThe Router brings a Message after 10 failed logins:Warnung:Bedingt durch zu viele Fehlversuche, nimmt ihre EasyBox keine WPS PIN Registrierungvon externen Teilnehmern mehr entgegen. Bitte setzten diesen WPS PIN durch einem neue zu generierenden WPS PIN Code wieder zuruck.Translation: Device locks after ten wrong attempts, user needs to create a new WPS PINcode0:26:04Speedport W 504VTyp AArcadyanRouterunkownYesYesReaver 1.4r1221 sekyes00:1D:1912345670EasyBox 803 ArcadyanTechnologyCorporationRouter30.05.211 (01.07.2011-10:36:41)YesYesReaver 1.3[user reports untested, sohis 3sec value hereremoved]yes (not testetmaybe its alreadyative after switching to off!)i think there is an interesting thing between easyboxes and speedport AP'ssome esyboxe's use a standard key begins with spXXXXXXXXXXXXXwith a 13 char length numeric key! (also some speedport aps use such a key but there is anice script to get them with the hexdecimal mac of the target ap! [wardiving wiki!!!] that willwork for a lot of speedport models ... ) Have nice dayCriticalCore00:15:AFCriticalCoreRT-N16ASUSRouter1.0.2.3YesYesReaver 1.31176 secondsYesbc:ae:c5RT-N10ASUSRouter1.0.0.8YesYesReaver 1.32 seconds per attempt/3.5hours to crackYesReece ArnottN13U v1&v2ASUSRouter2/1/2012NoNoReaver 1.310minYes ASUS N13U uses only PBC WPS configuration method . WPS is switched off automatically after two minutes . Tested on ASUS N13U v1 and v2 using latest firmwareshA1d3RFritz!box 7390AVMRouter84.05.05NoNowill follow soonwill follow soonYesI found this list at work and thought I can provide you with some information of my router. I filled out the parts I know and will check the clear field this evening:- Is your device vulnerable against the WPS attack? *- Wich tool did you use? *- How long did it take you?FireFlyHi Firefly, thanks - to fill in the missing informations, just re-do the form.Fritz!Box 7240AVMRouter73.05.05NoNowpscrack,Reaver 1.2uncrackableyes00:24:FEFritzBox7390AVMRouterALLNoNoReaver 1.3uncrackableYesYou have to activate WPS manually. I's deactivated after every successful wps connectionand after 2 minutes. =>Not vulnerable because of very short time limit.f.reddyFritz!Box WLAN3370AVMRouter / Modem103.05.07NoNoN/AN/AYesI think all current AVM devices are save as WPS with pin isn't activated on default.n150BelkinRouterUnknownyesyesReaver 1.212.5 hoursyesF9K1001v1BelkinRouterF9K1001_WW_1.00.08YesYesReaver 1.37765 secondsYesF6D6230-4 v1000BelkinRouter1.00.19 (Apr 22 2010)YesYesReaver 1.320 minyesNo lockout, no delay needed.0:23:15F9K1001v1 (N150)BelkinRouter1.0.08YesYesReaver 1.341 minutes, 12 secondsYesThe F9K1001v1 is the same as the Belkin N150. I got lucky on the speed, the first 4 digitswere found at 3.06% completion.08:86:3BNick21250491F7D1301 v1BelkinRouter1.00.22YesMaybenoneyesdidn't bother to test, but i assume it's vulnerable judging by the other Belkin routers thatcome with WPS enabled94:44:52beejF7D2301 v1BelkinRouter1.00.16 (Jul 2 2010 14:36:56)YesYesReaver 1.31.9 HoursYes94:44:5293645348F9K1105 v1Belkinrouter1.00.03 (Jul 4 2011)YesYesReaver 1.33hoursyesF9K1001 v1BelkinRouter1.00.08YesYesReaver 1.211.2 HoursYes83024417800nBillionRouter1.06dNoMaybeReaver 1.314 hoursYesOnly vulnerable when WPS is enabled. Even though I had my attack laptop in the sameroom as my router, it still took 14 hours to find the PIN. Disabling WPS is completely effective.00:04:EDBiPAC 7404VGPXBillionAP6.23YesYesreaver 1.33hoursnoWZR-HP-G300NHBuffaloRouterUnknownYesMaybeReaver viaBacktrackWithin 1 hourYesWith WPS turned off reaver did nothing. With WPS on reaver is looking for the pin. Thisrouters was bought and being used in Japan.WZR-HP-AG300HBuffaloAccess Piontdd-wrt v24SP2-multi build 15940YesNoreaver 1.4No but it startslockedWPS is enabled by default and I cannot turn it off. However, Reaver reports that the stateis locked at first try. Beacon packets sometimes show WPS (and thus appear in walsh),and other time WPS is not in beacon packets and thus is not reported by walsh. So far I am unable to break wps with reaver even using the known PIN. I've never actuallytested to see if wps even works properly in the first place however.Device NameManufacturer Type (Router/ AP/Bridge...)Firmware-VersionWPS enabled by default?Vulnerable (yes/no)Tool (Version) Average time for penetration*without* providing the PINWPS can bedisabled (and itstays off!)Comments/Notes
tested byPINThis database is intended as an educational resource for users interested in IT-Security. I did not find thevulnerability, that honor goes to Stefan Viehböck and Craig Heffner.
Linksys E4200 v1CiscoRouter1.0.03 (Build 14)yesyesReaver 1.21 second / attempt, no anti-flooding / blocking / delaynoWPS LED blinking continuously during attack. Vulnerable with latest firmware, no way todisable WPS -> epic fail! Anonymous user 9308: I've also noticed that across 2 differentlinksys devices (don't have them on me now) the default WPS pin of 12345670 was theresult of 2.5 and 6 hours crackingValet M10CiscoRouter2.0.01YesYesReaver 1.25 hoursNO A newer firmware is available (2.0.03), but the changes were fairly trivial according to therelease notes.Linksys E4200CiscoRouter1.0.0.3YesYesReaver4hNOFeedback by security@cisco.com "Issue has been identified and being worked on by product engineering.There is no ETA of a firmware release. Please continue to check supportweb page for the E4200v1. If you have E4200v2 you can use the autofirmware update to see if there is a new firmware update."Linksys E3200 v1CiscoRouter1.0.02YesYesReaver 1.3 &r5824hNoWith 1.3, use the --ignore-locks option. With r58 and over, use --lock-delay 60. The router has a 60 seconds cycle with 3 PINs. I was lucky it went as fast, it could've taken a lotlonger.58:6D:8FSocapexWRVS4400NCiscoRouter1/1/2013NoNononenot availableUC320WCiscoUnifiedCommunicationsCurrent VersionyesyesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCiscoWAP4410NCiscoAccess PointCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCiscoRV110WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCiscoRV120WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCiscoSRP521WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCiscoSRP526WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCiscoSRP527WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCiscoSRP541WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCiscoDevice NameManufacturer Type (Router/ AP/Bridge...)Firmware-VersionWPS enabled by default?Vulnerable (yes/no)Tool (Version) Average time for penetration*without* providing the PINWPS can bedisabled (and itstays off!)Comments/Notestested byPINThis database is intended as an educational resource for users interested in IT-Security. I did not find thevulnerability, that honor goes to Stefan Viehböck and Craig Heffner.
SRP546WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCiscoSRP547WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCiscoWRP400CiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCiscoLinksys E1000CiscoRouter2.1.00 build 7Sep 21, 2010YesYesReaver 1.47/6/2012NoTook aound 6.7hrs to recover the WPS PinC0:C1:C0aBs0lut3z33r0Lynksis E3200 v1CiscoRouter1.0.03YesYesReaver 1.4No As stated by Cisco for firmware 1.0.03: - Added Enabled/Disabled feature for Wi-Fi Protected Setup in the web configuration- Added WPS lockdown feature Not true, still works great :) There is no new WPS lockdown, still 60s/3 pins. Anyone elsecan confirm this?58:6D:8FSocapexWRT320NCisco LinksysRouterunknownYesMaybeReaver 1.4n/aunknownReaver constantly outputs 'WPS transaction failed (code: 0x2)', indicating an "Unexpectedtimeout or EAP failure".WRT610NCisco-LinksysRouter2.00.01.15YesYesReaver 1.424 hoursNot SureChaos12215676DIR-825D-LinkRouter2.02EUYesYesreaver5hYes00:18:e7:fbDIR-615D-LinkRouter4,1YesYesReaver-1.1ca. 1h 45minYesDIR-855D-LinkRouter1.23EUYesMaybeReaver 1.3user reported 5 minutetimeout on failedregistration, unknowninducement thresholdyesDIR-655 vB1D-LinkRouter2.00NAYesMaybeWifi Analyzer (Android) v3.0.2Yes5C:D9:98Can be user-generatedDIR-300 (HV - B1)D-LinkRouter5/2/2012YesYesReaver 1.34 Daysyes - can becompletelydeabledNsolDIR-300D-LinkRouter"2.05"YesYesReaver 1.34 DaysyesNsolDIR-655 A3D-LinkRouter1.22b5YesYesReaver 1.34.5hrsYesDevice ships with WPS enabled; I normally keep disabled; older 1.22b5 firmware sincemore stable. Allows you to specify a different WPS PIN; When enabled took approx 4.5hrs to recover WPS pin and WPA2 password; Router constantly re-boots (approx every30-50 PIN attempts) during this period and was also subjected to a denial of service.Reaver continues to try pins when router recovers using -L option. Can adjust Reaver timing settings for better results. Reaver 1.3 on BackTrack 5R1. Reaver thinks router is rate limiting (it is actually crashing); restarting Reaver or using -Lallowed Reaver to continue checking pins almost immediately or as soon as the router rebooted itself.DIR-300D-LinkRouterCurrentYesYesyestested and reported by D-Link directlyD-LinkDIR-457D-LinkRouterCurrentYesYesYestested and reported by D-Link directlyD-LinkDIR-501D-LinkRouterCurrenttested and reported by D-Link directlyD-LinkDIR-600D-LinkRouterCurrentYesYesYestested and reported by D-Link directlyD-LinkDevice NameManufacturer Type (Router/ AP/Bridge...)Firmware-VersionWPS enabled by default?Vulnerable (yes/no)Tool (Version) Average time for penetration*without* providing the PINWPS can bedisabled (and itstays off!)Comments/Notestested byPINThis database is intended as an educational resource for users interested in IT-Security. I did not find thevulnerability, that honor goes to Stefan Viehböck and Craig Heffner.

Activity (4)

You've already reviewed this. Edit your review.
1 hundred reads
1 thousand reads
dany3220 liked this
rondic liked this

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->