Defending against WPS attacks

[Snayler]

thanks for the input. I did mention disabling WPS is the obvious solution in my OP, I was just curious if there was anything else available to a defender, assuming their router cannot disable WPS (which is the case with a surprising number, sadly).

IDK if kismet supports running a command when it detects a WPS bruteforce attack, but if it does, it should be easy to make it run airdrop-ng against the attacker's MAC address, or even running a script that connects through telnet/ssh to the AP and adds the attacker's MAC address to the disallowed MAC addresses list.

[aerokid240]

Here's an idea. I'm not that experienced with kismet but if you can have it log to syslog or a file, you can use a tool like swatch to continuously "tail" a file looking for certain data. When it gets a hit or detects some strings/data common to wps attak, swatch can be programmed to do something/run some program or script. This script can parse the log file, obtain the offending mac address, and send some death-packets or add the mac address to a blacklist. Just an example.

[ternarybit]

you could always try flashing a router to DD-WRT firmware which could allow you to then toggle on and off WPS

This is only partially correct, as DD-WRT will disable WPS on supported routers, but one cannot toggle it on and off because DD-WRT does not support WPS. DD-WRT uses the WPS button to optionally enable/disable the Wi-Fi radio or run specified scripts.

I think my original inquiry has been misunderstood.

I understand that the proper way to prevent WPS attacks is to disable it. My original question was if it's possible to defend against an attack in progress without taking the vulnerable AP offline, perhaps through DoS of the attacking machine. It sounds like this is not possible, and the only practical way of defending against WPS attacks is to either disable WPS fully or take the AP offline.

[ternarybit]

Interesting thoughts, Snayler and aerokid240. I'm fairly certain these tactics are possible, even if somewhat impractical. Still, its an interesting concept. Thanks for the input!

[haoko]

Well from my point of view, when you start a WPS Attack you usually associate with the AP, what if you use MAC Filtering? I know that its not a strong protection but you can give a lot more trouble to the attacker for him to wait for a legit MAC. Just an idea though

I don't think this is a good idea, because, all you have to do is sniff the target network and record all MACs. Than, you just change you network driver MAC with one that you recorded before. An example:

airmon-ng start wlan0 #monitor mode
airodump-ng mon0 #see all network/traffic aroud you. Chose one and use the channel and bssid in the next command
airodump-ng -c CHANNELNUMBER --bssid MAC mon0 #now you're sniffing every computer in that network. Save all MAC addresses working in that network. Wait for one goes down. Than...

ifconfig wlan0 down
macchanger -m MACVICTIM
ifconfig wlan0 up

Now you just connect in that wifi.

[utiscuign]

It is well told.