This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course.

http://www.securitytube-training.com/online-courses/offensive-internet-of-things- exploitation/index.html

Student ID: IoTE-728

 

On the back of my TP-Link router I found some information regarding the device including the default WPS PIN number and SSID.

wps01

WPS is a fast way of connecting wifi devices with a PIN number. However the PIN number could be brute-forced easily on some devices (newer devices contain some form of protection against it). Moreover in some implementation the PIN number is calculated from the MAC address of the device and brute-forcing the PIN is not necessary. WPS might be a possible attack vector on routers, that support this feature.

On my TP-Link router WPS is enabled by default and the PIN is the same as the one on the back of the device, however it can be replaced by generating new PIN.

wps02

If the user does not configure the device properly, but keeps the default values, then the attacker can get the password. Lazy and careless users/administrators tend to use default values which leaves the system vulnerable.

 

First I connected my wifi adapter to my Kali machine and checked its name with iwconfig.

 

wps03

Then I set my wifi adapter into monitor mode.

wps04

I searched the available wifi Access Points.

wps05

wps06

The first line belongs to my wifi router (ESSID = wifi-iot). I used the bully tool to get the wifi password from WPS PIN. This tool can be found on Kali.

wps07

I also tried to brute force the PIN, but there is a protection against it.

wps08