How to disable WPS on DD-WRT

dd-wrt

I have a Buffalo AirStation router with DD-WRT installed.

My version is Firmware: DD-WRT v24SP2-EU-US (08/19/10) std (latest as for today on my device), but I think this question is basically the same for any DD-WRT:

What is the method to disable WPS in Wireless configuration?
I can not find where it is.

Additional Info:

  • Some people reports this setting is at Wireless --> AOSS --> Disable, but this doesn't work for me (WPS keeps active, or so reports any Android device on the nearby).

Best Answer

Extracted from this thread at DD-WRT forums:

Short answer: your WPS could already be disabled on your DD-WRT device, even when it seems to be active. It just depends on the wps_state value at /tmp/path[0-9]_hostap.conf file: 1 means active, 0 or 2 means it is not.

Time to test the real thing with AirCrack-NG. If I scan with AiroDump-NG:

luis@Frambuesio:~$ sudo airodump-ng wlan1mon --wps -c 2

 CH  2 ][ Elapsed: 1 min ][ 2015-12-15 00:48

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH WPS     ESSID

 XX:XX:XX:XX:XX:XX  -35 100      435       20    0   2  54e. WPA2 CCMP   PSK  Locked  MyWiFiNetWork

It seems there is some WPS, but in Locked state.

If I try to attack it via WPS with, say, Bully:

luis@Frambuesio:~$ sudo bully wlan1mon --bssid 00:24:A5:XX:XX:XX -v 3 -c 2
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'wlan1mon' to channel '2'
[!] Using '00:1c:f0:9f:fc:84' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '00:24:a5:XX:XX:XX' on channel '2'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'MyWiFiNetWork' (00:24:a5:XX:XX:XX)
[!] Beacon information element indicates WPS is locked
[+] Loading randomized pins from '/root/.bully/pins'
[!] Restoring session from '/root/.bully/0024a5c816a2.run'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc'   Next pin '64121635'
[!] WPS lockout reported, sleeping for 43 seconds ...
^C
Saved session to '/root/.bully/0024a5c816a2.run'

Indeed, it is locked. If I force the attack even for the locked state:

luis@Frambuesio:~$ sudo bully wlan1mon --bssid 00:24:A5:XX:XX:XX -v 3 -L -c 2
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'wlan1mon' to channel '2'
[!] Using '00:1c:f0:9f:fc:84' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '00:24:a5:XX:XX:XX' on channel '2'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'MyWiFiNetWork' (00:24:a5:XX:XX:XX)
[!] Beacon information element indicates WPS is locked
[+] Loading randomized pins from '/root/.bully/pins'
[!] Restoring session from '/root/.bully/0024a5c816a2.run'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'
[+] Rx(  M1  ) = 'EAPFail'   Next pin '64121635'

So, there is no WPS, or at least no WPS available to attack.

Tested with both Enable/Disable state at Wireless --> AOSS (somebody reported it could change the WPS state):

enter image description here

Anyway, if you want to stay fully calm with that WPS Enabled message that you can see on, say, Android, follow these steps:

1.- Find the hostapd.conf file for your wireless card at /tmp. Mine is:

root@DD-WRT:/tmp# ls /tmp/*hostap.conf -la
-rw-r--r--    1 root     root          580 Dec 15 00:48 /tmp/ath0_hostap.conf

2.- Check the wps_state value:

root@DD-WRT:/tmp# cat ath0_hostap.conf | grep "wps" -i
wps_state=2

Note:

  • 0 means WPS Disabled.
  • 1 means WPS Enabled.
  • 2 means WPS Locked.

3.- Change it to 0. You could edit the file. I prefer to use the sed command to directly exchange 2 by 0:

/bin/sed s/wps_state\=2/wps_state\=0/g -i /tmp/ath0_hostap.conf

4.- Locate the hostapd process (with its parameters):

root@DD-WRT:/tmp# ps | grep "apd" -i
   60 root         0 SW<  [kswapd0]
 2093 root      1340 S    hostapd -B /tmp/ath0_hostap.conf

5.- Kill and restart it (with exactly the same parameters):

root@DD-WRT:/tmp# kill 2093
root@DD-WRT:/tmp# hostapd -B /tmp/ath0_hostap.conf

And that should be all.
This time AirCrack-NG:

luis@Frambuesio:~$ sudo airodump-ng wlan1mon --wps -c 2

 CH  2 ][ Elapsed: 12 s ][ 2015-12-15 00:57

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH WPS     ESSID

 00:24:A5:XX:XX:XX  -35 100       50        3    0   2  54e. WPA2 CCMP   PSK          MyWiFiNetWork

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

As can be seen, it shows no WPS enabled on the column.
And, this time, Bully-WPS will not even try to attack it:

luis@Frambuesio:~$ sudo bully wlan1mon --bssid 00:24:A5:XX:XX:XX -v 3 -c 2
[sudo] password for luis:
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'wlan1mon' to channel '2'
[!] Using '00:1c:f0:9f:fc:84' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '00:24:a5:XX:XX:XX' on channel '2'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'MyWiFiNetWork' (00:24:a5:XX:XX:XX)
[X] The AP doesn't appear to be WPS enabled (no WPS IE)

So, finally, we can say that WPS is disabled on your DD-WRT router.

Tested with Buffalo WHR-HP-GN. Expected to work on any model (please confirm).

Further Details:

  • As long as the /tmp dir corresponds to RAM, this change is temporal, unles you script it in any manner for each reboot.
  • On the above referred thread at DD-WRT forum there is some /bin/ps | /bin/grep '[h]ostapd' | /usr/bin/awk -F" " {'print $1'} | /usr/bin/xargs /bin/kill -HUP command line that directly replaces step 5.
Related Question