Reconfiguring a WiFi Access Point’s wireless settings through WPS

Tags: security, wireless-networking, wpa-supplicant, wps

As you may know, WiFi Protected Setup (WPS) has recently been broken.

I downloaded and tested Reaver-WPS, the tool that implements the WPS attack. The tool's README file states:

Reaver performs a brute force attack against an access point's WiFi Protected
Setup pin number. 
Once the WPS pin is found, the WPA PSK can be recovered and alternately the
AP's wireless settings can be reconfigured.

While Reaver does not support reconfiguring the AP, this can be accomplished
with wpa_supplicant once the WPS pin is known.

I managed to find the AP's WPS pin without any problem (it took about 4 hours).

I would now like to try to reconfigure the AP's wireless settings using wpa_supplicant. I tried to find how to do this in wpa_supplicant's man page, but there's no mention of WPS. I tried to Google this, but I could not find anything.

Does anyone know how to reconfigure an AP's wireless settings with wpa_supplicant (or any other tool) knowing the AP's WPS pin?

BTW, what does the WPS protocol itself allow you to reconfigure? Just the WPA passphrase? Or even the SSID or other parameters?

Please don't think that I'm trying to hack my neighbour's network. This is purely professional research (measuring the risk for my company and our customers).

Thank you very much.

Best Answer

I asked Craig Heffner, the author of the Reaver-WPS tool, and he kindly answered this (slightly edited for readability):

Start wpa_supplicant then connect to it using wpa_cli. It would look something like this:

wpa_supplicant -Dwext -iwlan1 -g /var/run/wpa_supplicant
wpa_cli -g /var/run/wpa_supplicant

Then at the wpa_cli prompt you can use the wps_reg command to reconfigure the AP. There's a README-WPS file that mentions all the wps_reg options:

wpa_cli wps_reg <AP BSSID> <AP PIN> <new SSID> <auth> <encr> <new key>
examples:
  wpa_cli wps_reg 02:34:56:78:9a:bc 12345670 testing WPA2PSK CCMP 12345678
  wpa_cli wps_reg 02:34:56:78:9a:bc 12345670 clear OPEN NONE ""
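The <AP PIN> argument is an 8-digit WPS PIN whose last digit is a checksum over the first seven, a rule from the WiFi Protected Setup specification that wpa_supplicant also applies when validating PINs; the README example 12345670 satisfies it. The following Python checker is an added example, not part of this answer, the README-WPS file, or wpa_supplicant's own code, for confirming a PIN is well-formed before it is typed into wps_reg:

```python
def wps_pin_checksum(first_seven: int) -> int:
    """Return the checksum digit for the first seven digits of a WPS PIN.

    Rule from the WPS specification: weight the seven digits alternately
    3 and 1, starting from the rightmost, and choose the digit that brings
    the weighted sum to a multiple of 10.
    """
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True if `pin` is a well-formed 8-digit WPS PIN.

    Caveat (an assumption about deployed devices, not something the page
    states): the specification also allows 4-digit PINs with no checksum,
    and some vendors ship 8-digit PINs that ignore the rule, so False means
    "malformed per the spec", not "this AP will refuse it".
    """
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


if __name__ == "__main__":
    # Constructed samples: the README-WPS example PIN, a one-digit variation
    # of it, and a 7-digit string that is too short to be an 8-digit PIN.
    for candidate in ("12345670", "12345671", "1234567"):
        print(candidate, "valid" if wps_pin_valid(candidate) else "invalid")
```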