WiFi cracker ESP8266(PBC)

This project uses an ESP8266 to find the password of a WiFi access point that has WPS PBC enabled.

The basic idea of this project is based around a weakness in WPS PBC enabled systems:
to reveal the WiFi key (the password) of a WiFi hotspot or access point.

WPS PBC :

  This is a feature of WiFi access points which allows users to connect by simply pressing a button on the access point.

But the problem with this method is that the access point has no control over which device gets the connection, and the 120 second window makes it even worse.

VULNERABILITY:

  If we have a device which always keeps looking for an access point with an active WPS session, it can try to connect before the intended device does.
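To make the timing concrete, here is a small Python model of what the access point (the WPS registrar) does when its button is pressed, including the session-overlap check the WPS specification requires. It is an added example written for this page, not the project's firmware: the 120 s walk and monitor times and the 0x0004 push-button Device Password ID are taken from the WPS specification, while the record format, function names and device names (`rogue-esp`, `laptop`) are constructed. It shows why a registrar cannot tell a legitimate device from a rogue one when only a single enrollee is present, and why a conforming registrar refuses when two show up in the same window.

```python
"""Toy model of a WPS push-button (PBC) registrar, including the session-overlap check.

Constructed example for this page, not the project's firmware: the timing constants and
the PBC Device Password ID follow the WPS specification, but the record format, log lines,
function names and device names are invented here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PBC_WALK_TIME_S = 120      # an enrollee keeps trying this long after its own button press
PBC_MONITOR_TIME_S = 120   # the registrar looks this far back for competing PBC enrollees
DEV_PW_ID_PBC = 0x0004     # Device Password ID value meaning "push-button"


@dataclass(frozen=True)
class ProbeRequest:
    t: float        # seconds on the registrar's clock
    uuid_e: str     # enrollee UUID-E carried in the WSC information element
    dev_pw_id: int  # Device Password ID carried in the WSC information element


def parse_probe_log(lines: List[str]) -> List[ProbeRequest]:
    """Parse constructed 'key=value' probe-request records, one per line (hypothetical format)."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = dict(item.split("=", 1) for item in line.split())
        out.append(ProbeRequest(float(kv["t"]), kv["uuid_e"], int(kv["dev_pw_id"], 16)))
    return out


def pbc_enrollees(probes: List[ProbeRequest], t_start: float, t_end: float) -> List[str]:
    """Distinct enrollees that advertised PBC between t_start and t_end (inclusive)."""
    return sorted({p.uuid_e for p in probes
                   if p.dev_pw_id == DEV_PW_ID_PBC and t_start <= p.t <= t_end})


def registrar_decision(probes: List[ProbeRequest],
                       button_press_t: float) -> Tuple[str, Optional[object]]:
    """What a conforming registrar does when its button is pressed at button_press_t.

    It considers every PBC probe request from PBC_MONITOR_TIME_S before the press up to
    PBC_WALK_TIME_S after it. Exactly one enrollee: it is enrolled, whoever it is, because
    the registrar cannot tell a legitimate device from a rogue one. More than one: session
    overlap, the registrar refuses and the user has to retry.
    """
    seen = pbc_enrollees(probes,
                         button_press_t - PBC_MONITOR_TIME_S,
                         button_press_t + PBC_WALK_TIME_S)
    if not seen:
        return ("timeout", None)
    if len(seen) > 1:
        return ("session-overlap", seen)
    return ("enroll", seen[0])


# Constructed log: a rogue device waking every 100 s and probing with PBC, plus the
# legitimate laptop whose owner presses the AP button at t=300. The phone is not in PBC mode.
ROGUE_AND_LAPTOP = parse_probe_log("""
t=100 uuid_e=rogue-esp dev_pw_id=0x0004
t=200 uuid_e=rogue-esp dev_pw_id=0x0004
t=250 uuid_e=phone     dev_pw_id=0x0000
t=305 uuid_e=laptop    dev_pw_id=0x0004
t=310 uuid_e=laptop    dev_pw_id=0x0004
""".splitlines())

# Same rogue device, but the legitimate laptop never shows up.
ROGUE_ONLY = [p for p in ROGUE_AND_LAPTOP if p.uuid_e != "laptop"]


def demo():
    """Run the three scenarios and return their decisions."""
    return {
        "rogue_only": registrar_decision(ROGUE_ONLY, 300),
        "both": registrar_decision(ROGUE_AND_LAPTOP, 300),
        "nobody": registrar_decision([], 300),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:10s} -> {decision}")
```

A rogue that polls every 100 s always has a PBC probe inside the 120 s monitor window, so on a conforming registrar the legitimate pairing fails with session overlap rather than silently handing out the key; repeated overlap failures on an access point that is rarely paired are therefore something worth noticing. Where only the rogue is present the registrar enrolls it without any way to object, which is why disabling WPS is the dependable fix.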

HACK:

So we need a WiFi device which is small, cheap, low power and easy to get.

Am I describing the ESP8266?

PROJECT:

IMAGINE!.. an ESP stuck underneath a table or chair with some chewing gum.

 We have an ESP8266 running on a coin cell which wakes up from sleep, does its work, and sleeps again for 100 seconds. Once we get the connection we can mail the SSID and password to someone who needs it (maybe YOU) and disconnect before anyone notices. :)

PROBLEMS: 

1. The ESP needs around 80 mA when running, and the common CR2032 (50 mA max) cannot provide that much. Of course there are other cells which can, or a couple of CR2032s in parallel, but that violates the rules of the "coin cell challenge".

My solution was to add a huge capacitor to the circuit, but no success either.

(All of this because I didn't have any other coin cell with me.)

2. The great thing is that the ESP supports the WPS PBC method, but once you are connected there is currently no way to get the password out (at least none I know of).

The good thing is that it should not be impossible, because Windows can do it. So.......

3. THIS IS ILLEGAL  

A little bit of background:
As many of you already know, WiFi access points have this feature called "WiFi Protected Setup", or simply WPS. A WPS-enabled system is 100% hackable.
But what I didn't know is that there are actually two types of WPS systems,
the so-called WPS PIN method and the WPS PBC method, which work differently. I thought they were the same for quite a long time.
A couple of months back I was running 'wifite' on a mobile hotspot with no luck, no matter how many times or how long I tried. That was weird because I had successfully run a Pixie Dust attack on the successor of that device; normally it happens the other way around.
I tried WPA brute force too, which failed, as it does most of the time.

[at this time HACKADAY coin cell challenge was live]

Luckily one of my friends had this hotspot and I borrowed it from him, and of course I ran the attack again; it failed this time too.

Then I took a shortcut and tried to find the WPS PIN in the settings page of that hotspot, but I couldn't find the PIN there either, because there was no PIN.

But the device itself had a button labelled WPS, and it worked. So where is the PIN?

Then I realized that it is WPS PBC, not WPS PIN.

WPSpbc.ino

Arduino code for esp8266 to connect to WiFi using WPS PBC

ino - 1.25 kB - 01/01/2018 at 13:51


ESP8266.sch

schematics in eagle format

sch - 682.13 kB - 12/31/2017 at 17:38


  • 1 × ESP8266 WiFi microcontroller
  • 1 × CR2032 coin cell
  • 3 × 10k resistor
  • 1 × 1000 µF capacitor
  • 1 × 7-pin pin header


  • 1
    No need to build

    For testing purposes you do not actually need to build one of these: it's just an ESP8266, so any dev board will work for testing and developing the software.

  • 2
    When you need to build

    For building this project, get the schematics first. It's just the basic connections for an ESP. The important part is the 1N4148 diode, which works as a 5 V to 3.3 V level shifter; if you have a 3.3 V serial connection you can skip the diode.

    You can also skip R1 and R3; it works fine, but then when you program the chip you have to take special care not to use those pins (GPIO 15). I did not try skipping R2.

  • 3
    BUILD

    It is a simple circuit; you don't have to follow what I did.

    But this is what I did:

    Take a piece of perf board and solder 7 headers to it. Then take some bare copper wire and make a ground pad on the solder side of the perf board for the coin cell, where you can then solder a battery clip. Take some more copper wire and solder it to the ESP8266's RESET, VCC, GROUND and TX pins (4 separate wires). Pass these 4 wires through the perf board, solder them on the solder side and make the connections to the header. REMEMBER the coin cell also goes there, so keep some room for it.

    Do the remaining connections with some thin wire, like wire-wrapping wire.


Discussions

bambie1234 wrote 01/23/2018 at 00:04 point

I don't quite understand how to use this tutorial. I put the code into a NodeMCU and on the serial monitor all I see is "WPS config start". I didn't touch the router.


Sagar Naik wrote 01/23/2018 at 10:32 point

This project is not completed yet (I mean the hacking part), but it can make your ESP connect to your WPS PBC enabled router. You have to press the WPS button on the router when the ESP says "WPS config start", and the ESP will connect to your router.
