WPS Flaw Vulnerable Devices

Device Name
MI424-WR
Rev.E
Manufacturer
Actiontec
Type (Router/ AP
/Bridge...)
Router
WLAN 1421
Alice/Hansenet
Wlan Router
AirPort Extreme
Apple
Router
Arcadyan
Arcadyan
Technology
Arcadyan
Corporation
Router/Modem
Easybox
Vodafone EasyBox
602
802
Speedport W 504V
Typ
A
EasyBox
803
RT-N16
ASUS
Router
Router
RT-N10
ASUS
Router
N13U v1&v2
ASUS
Router
Fritz!box 7390
AVM
Router
Fritz!Box 7240
AVM
Router
FritzBox7390
AVM
Router
Fritz!Box WLAN
3370
n150
AVM
Belkin
Router / Modem
Router
F9K1001v1
Belkin
Router
F6D6230-4 v1000
Belkin
Router
F9K1001v1 (N150)
Belkin
Router
F7D1301 v1
Belkin
Router
F7D2301 v1
Belkin
Router
F9K1105 v1
F9K1001 v1
Belkin
Belkin
router
Router
7800n
BiPAC 7404VGPX
Billion
Billion
Router
AP
WZR-HP-G300NH
Buffalo
Router
WZR-HP-AG300H
Buffalo
Access Piont
Linksys E4200 v1
Cisco
Router
Valet M10
Cisco
Router
Linksys E4200
E3200 v1
WRVS4400N
Cisco
Cisco
Router
Router
UC320W
Cisco
Unified
Communications
WAP4410N
Cisco
Access Point
RV110W
Cisco
Router
RV120W
Cisco
Router
SRP521W
Cisco
Router
SRP526W
Cisco
Router
SRP527W
Cisco
Router
SRP541W
Cisco
Router
SRP546W
Cisco
Router
SRP547W
Cisco
Router
WRP400
Cisco
Router
Linksys E1000
Lynksis E3200 v1
Cisco
Cisco
Router
Router
WRT320N
Cisco Linksys
Router
WRT610N
DIR-825
DIR-615
Cisco-Linksys
D-Link
D-Link
Router
Router
Router
DIR-855
D-Link
Router
DIR-655 vB1
D-Link
Router
DIR-300 (HV - B1)

DIR-300
D-Link
D-Link
Router
Router
DIR-655 A3
D-Link
Router
DIR-300
D-Link
Router
DIR-457
D-Link
Router
DIR-501
D-Link
Router
DIR-600
D-Link
Router
DIR-615 Rev D+ H
D-Link
Router
DIR-615 Rev. B
D-Link
Router
DIR-635 Rev B
D-Link
Router
DIR-645
D-Link
Router
DIR-652
D-Link
Router
DIR-655
D-Link
Router
DIR-657
D-Link
Router
DIR-815
D-Link
Router
DIR-852
D-Link
Router
DIR-855
D-Link
Router
DAP-1360
D-Link
Access Point
DAP-1522
D-Link
Access Point
DIR-625
D-Link
Router
DIR-615
D-Link
Router
DIR-628
DLink
Router/access point
DWA125 with
Ralink2870 / 3070
Dlink
USB
DWA125 with
Ralink2870 / 3070
Dlink
USB
3G-6200nL
ECB9500
EchoLife HG521
BtHomeHiub3
Edimax
Engenius
Huawei
Huawei
Router
Wireless Gigabit
Client Bridge
Router
Router/ADSL
E3000
Linksys
Router
WRT350N
Linksys
Router
E2500
Linksys
Router
WRT120N
WRT160Nv2
Linksys
Linksys
Router
Router
E1000
Linksys
Router
E1200
Linksys
Router
E4200
Linksys
Router
WRT54G2
Linksys / Cisco
Router
E4200
WRT350Nv2.1
Linksys / Cisco
Linksys / Cisco
Router
Router
WAG160Nv2
WRT100
Linksys by Cisco
Linksys-Cisco
ADSL Modem
Router, Wifi AP
Router
WRT100
NP800n
Linksys-Cisco
Netcomm
Router
Wireless Router
CG3100
Netgear
Cable Modem (with

built in Gateway/AP)
CG3100D
NETGEAR
Cable/router
DGND3700
Netgear
Modem/Router
WNDR3700
Netgear
Router
DGN1000B
Netgear
Router
MBRN3000
WNDR3700
NetGear
Netgear
Router (ADSL + 3G)

Router
DGN1000B
WNDR3700
Netgear
NETGEAR
Router
Router
WNDR3700v3
Netgear
Router
CGD24G
Netgear
Cable Modem
Router
WGR614v8
Netgear
Router
WGR614v8
Netgear
Router
WNR1000 (N150)
Netgear
Router
WNR3500L
Netgear
Router
WNR3500v2 (N300)
WNR200V2
WNDR3700v1
DGND3300v2
WNR1000 (N150)
WNR3500V2
WNR3500V2
Netgear
Netgear
NetGear
Netgear
Netgear
Netgear
Netgear
Router
Router
Router
ADSL Router
Router
Router
Router
F@st 3504
Sagem
Router
SX763
Siemens Gigaset
Router/Modem
Sitecom 300N WL363
Sitecom
Router/Modem
Speedport w720v
T-Online
Router
Speedport W 723V
T-Online
Router
TG784n
Thomon
Router
TG784
Thomson
Router
TG782
Thomson
Modem/Router
TG784n
Thomson
Router
TL-WR1043ND
TP-Link
Router
TL-WR2543ND
TP-Link
Router
TL-WR1043N
TP-Link
Router
TL-WR2543ND
TP-Link
Router
TD-W8950ND
TP-Link
Router,Bridge,Mode
m
TL-MR3420
WR841N
TL-WR841ND
WR841ND
TL-WR841N
TP-LINK
TP-Link
TP-Link
TP-Link
TP-Link
Router
Router
Router
Router
Router
TL-WR740N
EVW3200
TP-LINK
Ubee
Router
Router/Modem
XWR100
Vizio
Router
P-660W-T1 v3
TALKTALK-F03653
ZyXEL Corporation
Modem/Router
Router/Modem
F9K1002
Belkin
Router
WTM652
Arris
Router / Access Point
SMC7901WBRA2
SMC
ROUTER/MODEM (AD
SMCWBR14-N2
SMC
Router
F@ST2864
Sagem
Modem/Router
ADSL2+ Wi-Fi N
Telecom Italia
Modem
DIR-615
F6D4230-4 v3 (01)
Belkin
router
WNDR4500
NETGEAR
Router
WNDR3700
Netgear
Router
TG862G
Arris
Cable Modem Gatew
DIR-615
D-LINK
Router
DIR-615
D-LINK
Router
TG585 v7
Thomson
ADSL Modem / Route
LW310V2
Sweex
Wireless Router
SMC8014WN
SMC Networks
Router
WNR3500L
Netgear
Router
WAP-5813n
Comtrend
Router
WAP-5813n
Comtrend
Router
WNR2000v3
netgear
router
wnr2000v2
netgear
router
F5D7234-4 v5
Belkin
router
WNDR3400v2
netgear
Router
WNDR3700V4
netgear
Router
HG256
Huawei
Huawei
ESR300H
EnGenius
Router
TL-WR740N
TP-LINK
Router
EA4500
Cisco
Router
unknow
WNDR3300
netgear
router
WNDR3400v2
Netgear
Router
WR-741nd
TP-Link
modem
DIR-615
dlink
Router
SAMSUNG D7000
Samsung
SMART TV
WNDR3400v2
NETGEAR
Router
Comments and
background
Want to add a
information start
device? Please use
Another
Disclaimer: http://bit.ly/1pxFaqy
here
These entries are
not verified - we
simply don't have
enough tests and
devices (yet). So,
please, don't base
your PHD on it or
anything...
Firmware-Version
20.19.8
WPS enabled by default?

No
Vulnerable (yes/no)
No
1.0.16
No
Yes
7.5.2
No
No
20.02.022
Yes
No
Maybe
unkown (01.07.2011-10:36:41)
30.05.211
1.0.2.3
Yes
Yes
Yes
Yes
1.0.0.8
Yes
Yes
2/1/2012 No
No
84.05.05
No
No
73.05.05
No
No
ALL
No
No
103.05.07
Unknown
No
yes
No
yes
F9K1001_WW_1.00.08
Yes
Yes
1.00.19 (Apr 22 2010)
Yes
Yes
1.0.08
Yes
Yes
1.00.22
Yes
Maybe
1.00.16 (Jul 2 2010 14:36:56)
Yes
Yes
1.00.03 (Jul 4 2011)

1.00.08
Yes
Yes
Yes
Yes
1.06d
6.23
No
Yes
Maybe
Yes
Unknown
Yes
Maybe
dd-wrt v24SP2-multi build 15940
Yes
No
1.0.03 (Build 14)
yes
yes
2.0.01
Yes
Yes
1.0.0.3
1.0.02
Yes
1/1/2013 No
Yes
No
Current Version
yes
yes
Current Version
Yes
Yes
Current Version
Yes
Yes
Current Version
Yes
Yes
Current Version
Yes
Yes
Current Version
Yes
Yes
Current Version
Yes
Yes
Current Version
Yes
Yes
Current Version
Yes
Yes
Current Version
Yes
Yes
Current Version
Yes
Yes
2.1.00 build 7Sep 21, 2010

1.0.03
Yes
Yes
Yes
Yes
unknown
Yes
Maybe
2.00.01.15
2.02EU
Yes
Yes
4.1 Yes
Yes
Yes
Yes
1.23EU
Yes
Maybe
2.00NA
Yes
Maybe
"2.05"
5/2/2012 Yes
Yes
Yes
Yes
1.22b5
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
Current
Current
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
Current
Yes
Yes
3.04 Yes
Yes
2.23 Yes
11/1/2012 Yes
1.06b
Unknown
No
Yes
1 No
No
1 No
No
No
2/2/2009 Yes
1.02 yes
Yes
No
Yes
yes
Yes
1.0.04
Yes
Maybe - see
Comments
2.0.3 i think (newest!)
Yes
Maybe - see
Comments
1.0.02
Yes
Maybe
v1.0.01
2.0.03
Yes
Yes
Yes
Yes
unknown
Yes
Yes
1.0.02 build 5
Yes
Yes
1.0.02 build 13 May 24, 2011
No
Yes
unknown
Yes
Yes
unknown
2.00.20
Yes
Yes
Yes
Maybe
2.0.0.20
1.0.05
Yes
Yes
Yes
Yes
1.0.05
1.0.14
Yes
Yes
Yes
Yes
3.9.21.9.mp1.V0028
No
No
unknown
Yes
Yes
V1.0.0.12_1.0.12
Yes
Yes
1.0.7.98
yes
yes, but.... see

comments
1.00.45
No
Maybe
1.0.0.43_2.0.11WW
V1.0.7.98
Yes
Yes
Yes
Yes
1.1.00.43
v1.0.4.68
Yes
Yes
Maybe
Yes
V1.0.0.18_1.0.14
Yes
Maybe
unknown
Yes
Yes
1.1.11_6.0.36
Yes
Yes
1.2.10_21.0.52
Yes
Maybe
unknown
Yes
Maybe
V1.2.2.44_35.0.53NA
Yes
Yes
V1.2.2.28_25.0.85
v2
1.0.16.98 - BETA
2.1.00.52
V1.0.2.28_52.0.60NA
V1.2.2.28_25.0.85
V1.2.2.28_25.0.85
Yes
Yes
No
Yes
Yes
Yes
Yes
Probably
Yes
No
Yes
Yes (though does
Maybe
slow(though
down attack
Yes
does
considerably)
slow down attack
considerably)
Bbox firmware - 8.4.M.O (not sure)
Yes
Yes
4.3.52.21.07
Yes
Yes
2.00.01
Yes
Yes
1.61.000
No
No
1.00.080
Yes
Yes
8.4.H.F
Yes
Yes
8.4.2.Q
Yes
Yes
8.2.2.5
Yes
Yes
8.4.H.F
Yes
Yes
Yes
3.13.6 Build 110923 Rel 53137n
Yes
Yes, see comment
3.12.2 Build 100820 Rel.41891n
Yes
Yes
3.13.4 Build 110429 Rel.36959n
Yes
Yes
1.2.9 build 110106 Rel.59540n
Yes
Yes
3.12.8 Build 110418 Rel.43954n

3.10.4 Build 100326 Rel.42446n
3.10.4 Build 100326 Rel.42446n
3.10.4 Build 100326 Rel.42446n
3.10.4 Build 100326 Rel.42446n
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
3.12.4 Build 100910 Rel.57694n

unknown
Yes
Yes
1/1/2002 Yes
Yes
Yes
Maybe
V3.70(BRI.2) | 02/09/2011
Unknown
Yes
Yes
Yes
Yes
F9K1002_WW_1.00.08
Yes
Yes
1228 Yes
Yes
1.0.3.1
Yes
Yes
1.0.6.0
Yes
Yes
FAST2864_v66396
Yes
Yes
AGPWI_1.0.3
Yes
Yes
D-LINK
Yes
3.00.03 Jun 29, 2009
Yes
Yes
1.0.1.20_1.0.40
Yes
Maybe
unknown
Yes
Yes
unkown
Yes
Yes
1/4/2014 Yes
Yes
1/4/2014 Yes
Yes
8.2.23.0
Yes
Yes
I2_V3.3.5r_sweex_01
Yes
Yes
unknown
Yes
Yes
unknown
Yes
Yes
P401-402TLF-C02_R35
Yes
Yes
P401-402TLF-C02_R35
Yes
Yes
1.1.1.58
Yes
Yes
1.2.0.4_35.0.57NA
unknown
Yes
Yes
1/5/2014 Yes
Yes
Yes
Yes
1/1/1932 Yes
Maybe
V100
Yes
Yes
1.3.8.27
Yes
Yes
3.16.5 Build 130329
Yes
Maybe
2.1.39.145204
Yes
Maybe
unknow
No
Yes
1.0.45_1.0.45NA
Yes
Yes
1.0.0.38_1.0.61
Yes
Yes
v2
Yes
Yes
1/4/2014 Yes
Yes
1027 No
V1.0.0.38_1.0.61
Yes
Yes
Yes
This database is intended as an educational

resource for users interested in IT-Security. I did
not find the vulnerability, that honor goes to
Stefan Viehbck and Craig Heffner.
Want to add a device? https://docs.google.com/spreadshee
Reddit-Link to discuss stuff:
http://www.reddit.com/r/netsec/comments/nzvys/
wps_brute_force_i_started_public_google_doc_s
o_we/
want to talk about this? Please do and use the

hashtag #WPSDoc
want to contact me? @jagermo on twitter or

jagermo@hushmail.com
Tool (Version)
None
Average time for penetration

*without*
providing the PIN
n/a
Reaver
n/a
Reaver 1.3,
Reaver 1.3
WPScrack
WPS can
be
"functionality"
disabled
(and
is not enabled it
stays off!)
currently
Yes
n/a
Yes, see comments
Reaver 1.4
r122
Reaver 1.3
Reaver 1.3
yes
Yes (not testet
maybe its already
[user reports untested, so his ative after switching
1 sekvalue here removed]
yesoff!)
3sec
to
1176 seconds
Yes
Reaver 1.3
2 seconds per attempt/3.5

hours to crack
Yes
Reaver 1.3
10min
Yes
will follow soon will follow soon
Yes
wpscrack,
Reaver 1.2
uncrackable
yes
Reaver 1.3
uncrackable
Yes
N/A
Reaver 1.2
N/A
12.5 hours
Yes
yes
Reaver 1.3
7765 seconds
Yes
Reaver 1.3
20 min
yes
Reaver 1.3
41 minutes, 12 seconds
none
Yes
yes
Reaver 1.3
1.9 Hours
Yes
Reaver 1.3
Reaver 1.2
3hours
11.2 Hours
yes
Yes
Reaver 1.3
reaver 1.3
14 hours
3hours
Yes
no
Reaver via
Backtrack
Within 1 hour
Yes
No but it starts
locked
reaver 1.4
Reaver 1.2
1 second / attempt, no antiflooding / blocking / delay
no
Reaver 1.2
5 hours
NO
Reaver 1.3 &

Reaver
r58
none
4h
24h
NO
No
not available
Reaver 1.4
Reaver 1.4
Reaver 1.4
7/6/2012 No
No
n/a
unknown
Reaver 1.4
reaver
Reaver-1.1
Reaver 1.3
Wifi Analyzer
(Android)
v3.0.2
Reaver 1.3
Reaver 1.3
24 hours
5h
ca. 1h 45min
Not Sure
Yes
Yes
user reported 5 minute

timeout on failed registration,
unknown inducement
threshold
yes
Yes
4 Days
4 Days
yes - can be
completely deabled
yes
Reaver 1.3
4.5hrs
Yes
yes
Yes
Yes
Yes
yes
yes
Yes
yes
Yes
Yes
yes
yes
yes
yes
yes
Reaver 1.4
4 hours
Yes
Reaver 1.3
n/a
Yes
reaver 1.3
Didn't let it run
yes
Reaver 1.4
i don't know
Reaver 1.4
i don't know
N/A
Reaver 1.3 >
Reaver 1.1
Reaver 1.3
N/A
4 hours
5-6 hours
50 minutes
Yes
Yes
yes
Unknown
Reaver 1.3
Reaver 1.3
24h
Yes
Yes
Reaver 1.3
I stopped Reaver after 16 hrs

with no success. See
comments
No
Reaver 1.3
Reaver
4h
5 hours
no
no
Reaver 1.3
7h
No
Reaver 1.4
5 hrs, 20 mins
No
Reaver v1.3
4 hours
No, it doesn't appear

to be
Reaver
6 hours
Yes, but not sure if it

stays off
Reaver 1.3 with PINOption

Reaver 1.4
No, see comments

No
Reaver 1.4
Reaver 1.4
5.5 Hrs
76 minutes
No. Though the

router's web portal
has an option to not
choose WPS, it still
remains active.
No
Reaver 1.4
Reaver 1.3
76 minutes
10 hours
No
yes
Reaver 1.2
Yes
reaver svn rev.

52
5 hours
yes
Reaver 1.3
Yes
Reaver 1.2
is deactivated by
default
WPScrack
Reaver 1.3
Reaver 1.3
reaver 1.2
Reaver 1.3
3h
9hrs
yes
yes
est. 24h
No (there is a
checkbox, but it's
disabled)
unkown
PIN can be disabled,

but WPS cannot be
switched off
completely
Reaver 1.3
Reaver 1.3
12 Hours
No
Reaver 1.3
Reaver 1.3
1 day
Yes, PIN can be

locked out but WPS
remains on
1 day
Yes, PIN can be

locked out but WPS
remains on
Reaver 1.3
n/a
Yes
Reaver 1.4
18hrs
Yes
Reaver v4.0
Reaver 1.4
reaver
Reaver 1.4
n/a
n/a
24 hours
under 3 hours
< 1 Day
n/a
n/a
Yes
yes
deactivated by
default
No
Yes
Yes
Yes
Reaver 1.3
More than 5h
Unknown
Reaver 1.3
45 minutes
Yes
Reaver 1.4
2~3 hours
Yes
Reaver 1.1
No (A 2-MinuteInterval Button is
used)
Reaver r65
2-3 hours
yes
Reaver 1.4
Yes (Please correct

3 days? (needs more testing) This)
Reaver 1.3
15 hours
unkown
Reaver 1.3
24h
Probably no
Reaver 1.3
18hours
maybe
WPScrack
Reaver 1.2
yes
Reaver 1.1
5h
Yes
Reaver 1.3
8h
yes
Reaver
30 Minutes
Yes.But Reaver still

gets in.
Reaver 1.4
Reaver
Reaver
Reaver
Reaver
10 hours
3 Hours
3 Hours
3 Hours
3 Hours
yes
Yes
Yes
Yes
Yes
Reaver 1.4
Reaver 1.4
3h
6-8 hours
Yes
No
Reaver 1.2
N/A
No, see notes
Reaver 1.3
Reaver 1.2
3hours (stopped at 31,75%)

1 hour
yes
yes
reaver 1.4
~5 hours
yes`
Reaver 1.4
12 Hours
Maybe
Reaver 1.4
9 seconds
Yes, see comments
Reaver 1.4
3729sec=62min=1 hour
Yes
Reaver
2hrs
Reaver 1.4 (pins3 hours
Reaver 1.2
Reaver 1.4
several hours
Reaver 1.4
Reaver 1.4
15h
Reaver 1.4
Pin cracked in 34826 seconds unknown
Wifite
Wifite
5h
maybe
Reaver 1.4
A few days
Reaver
4 hours
Reaver 1.4
6 hours
Reaver
2 days
Reaver 1.4
5782 seconds
Reaver 1.4
5782 seconds
reaver 1.4
36 hours
reaver 1.4
12 hours
reaver 1.4
19 hours
reaver 1.4
18 hrs
unknown
reaver 1.4
Reaver 1.4
7 hours
Yes
Reaver v1.4
6.5 hours
Yes
Reaver v1.4
NA
Yes
Reaver v1.4
Yes
Reaver 1.4
no
reaver 1.4
37 sec/pin
yes
Reaver
29.62 Hours. (106632

Seconds)
No
reaver
yes
reaver 1.3
23963 seconds
didnt try it
Reaver 1.4
5 seconds
Disable SWL
Reaver 1.4
24+ hours
Yes
oogle.com/spreadshee
Stefan Viehbck Research and WPScrack:
http://sviehb.wordpress.com/2011/12/27/wi-fiprotected-setup-pin-brute-force-vulnerability/
Craig Heffner Blog Entry and Reaver:
http://www.tacnetsol.com/news/2011/12/28/cracking
-wifi-protected-setup-with-reaver.html
Theiver, fork of Reaver:
http://code.google.com/p/theiv
er/
Dan Kaminsky collects WPS-data in Berlin:
http://dankaminsky.com/2012/
01/02/wps/
This is the type of router that is used for Verizon FIOS and it appears to me at least that
despite there being a button for WPS on the outside of the box, Actiontec says in the user
manual:
"Although the WPS button is included on the FiOS Router, WPS functionality will not be
enabled until a future firmware release. The button is included so that WPS can be activated at
a later date without having to physically change the FiOS Router. The GUI does not include the
Comments/Notes
WPS
option."
00:1F:90
I did a quick check. Seems to be vulnerable.

But with some kind of rate limit maybe. Every second try fails.
Apple seems to use the internal PIN Method, not external PIN.
60:33:4B
The Router brings a Message after 10 failed logins:
Warnung:
iBedingt
think there
is an
interesting
thing between
andkeine
speedport
durch
zu viele
Fehlversuche,
nimmteasyboxes
ihre EasyBox
WPS AP's
PIN Registrierung von
some
esyboxe's
use
a
standard
key
begins
with
spXXXXXXXXXXXXX
externen Teilnehmern mehr entgegen.
with a 13 char length numeric key! (also some speedport aps use such a key but there is a nice
script
to get them
with
the PIN
hexdecimal
mac of
the zu
target
ap! [wardiving
wiki!!!]
willwieder
work for
Bitte setzten
diesen
WPS
durch einem
neue
generierenden
WPS
PIN that
Code
a
lot
of
speedport
models
...
)
zuruck.
0:23:08
Translation: Device locks after ten wrong attempts, user needs to create a new WPS PIN code
0:26:04
Have nice day
CriticalCore
00:1D:19
00:15:AF
bc:ae:c5
I found this list at work and thought I can provide you with some information of my router.
ASUS N13U uses only PBC WPS configuration method . WPS is switched off automatically
Iafter
filledtwo
outminutes
the parts
I know on
and
will check
field
thislatest
evening:
. Tested
ASUS
N13Uthe
v1 clear
and v2
using
firmwares
- Is your device vulnerable against the WPS attack? *
- Wich tool did you use? *
- How long did it take you?
00:24:FE
You have to activate WPS manually. I's deactivated after every successful wps connection and
after 2 minutes. =>Not vulnerable because of very short time limit.
I think all current AVM devices are save as WPS with pin isn't activated on default.
No lockout, no delay needed.
0:23:15
The F9K1001v1 is the same as the Belkin N150. I got lucky on the speed, the first 4 digits
were found at 3.06% completion.
didn't bother to test, but i assume it's vulnerable judging by the other Belkin routers that come
with WPS enabled
08:86:3B
94:44:52
94:44:52
Only vulnerable when WPS is enabled. Even though I had my attack laptop in the same room
as my router, it still took 14 hours to find the PIN.
Disabling WPS is completely effective.
With WPS turned off reaver did nothing. With WPS on reaver is looking for the pin. This
routers was bought and being used in Japan.
WPS is enabled by default and I cannot turn it off. However, Reaver reports that the state is
locked at first try. Beacon packets sometimes show WPS (and thus appear in walsh), and other
time WPS is not in beacon packets and thus is not reported by walsh.
So far I am unable to break wps with reaver even using the known PIN. I've never actually
tested to see if wps even works properly in the first place however.
WPS LED blinking continuously during attack. Vulnerable with latest firmware, no way to
disable WPS -> epic fail! Anonymous user 9308: I've also noticed that across 2 different linksys
devices (don't have them on me now) the default WPS pin of 12345670 was the result of 2.5
and 6 hours cracking
A newer firmware is available (2.0.03), but the changes were fairly trivial according to the
release notes.
00:04:ED
Feedback by security@cisco.com
"Issue has been identified and being worked on by product engineering.
There is no ETA of a firmware release. Please continue to check support
web page
for the
If you
have With
E4200v2
youover,
can use
auto
With
1.3, use
the E4200v1.
--ignore-locks
option.
r58 and
use the
--lock-delay
60. The router has
firmware
update
to see
newlucky
firmware
update."
a 60 seconds
cycle
withif3there
PINs.isI awas
it went
as fast, it could've taken a lot longer.
Reported by Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps
Reported by Cisco:
58:6D:8F
Reported by Cisco:
Reported by Cisco:
Reported by Cisco:
Reported by Cisco:
Reported by Cisco:
Reported by Cisco:
Reported by Cisco:
Reported by Cisco:
Reported
As
stated by Cisco:
Cisco for firmware 1.0.03:
- Added Enabled/Disabled feature for Wi-Fi Protected Setup in the web configuration
- Added WPS lockdown feature
Took
aound
recover
the WPS
Pin WPS lockdown, still 60s/3 pins. Anyone else can
Not true,
still6.7hrs
works to
great
:) There
is no new
confirm this?
Reaver constantly outputs 'WPS transaction failed (code: 0x2)', indicating an "Unexpected
timeout or EAP failure".
C0:C1:C0
58:6D:8F
00:18:e7:fb
5C:D9:98
Device ships with WPS enabled; I normally keep disabled; older 1.22b5 firmware since more
stable. Allows you to specify a different WPS PIN; When enabled took approx 4.5 hrs to
recover WPS pin and WPA2 password; Router constantly re-boots (approx every 30-50 PIN
attempts) during this period and was also subjected to a denial of service. Reaver continues to
try pins when router recovers using -L option. Can adjust Reaver timing settings for better
results. Reaver 1.3 on BackTrack 5R1.
Reaver thinks router is rate limiting (it is actually crashing); restarting Reaver or using -L
allowed Reaver to continue checking pins almost immediately or as soon as the router
rebooted itself.
tested and reported by D-Link directly
Hardware version (very relevant for some D-Link devices): C2

This is the first device that I've successfully recovered the PIN from!
00:1E:58
Hardware version B2. This device appears to enter a WPS "blocked" state after approximately
60 failed PIN attempts (consistently around 0.60% progress in Reaver). It does not unblock
until a system reboot.
I didn't bother letting reaver run until it cracked the PIN -- I just wanted to confirm that it was
vulnerable, and that turning off WPS fixed it. Walsh listed it as vulnerable before turning off
WPS, but not after.
Router has a Push Button to Enable WPS

More information about this can be found here: http://www.virtualistic.nl/archives/691
TalkTalk ISP UK
Unknown
WPS lockdown after 20 attemps (power cycle needed). Testet with reaver -p "PIN" ->got WPA
Key. =>not vurlnerable because of automatic lockdown.
58:6D:8F:0A
Reaver gives thousands of errormessages when I try to crack this type of AP.
Tried several parameters... Strange WPS implementation!?!?
00:1D:7E:AD
I left Reaver running overnight, it was stuck in an error the next day after 16 hours. It kept trying
to attempt to send a PIN, but every time it would return the error "[!] WARNING: Receive
timeout occurred". The WPS LED on the back of the router is normally solid green; it starts to
flash on and off during the attack, and when this error is hit the LED turns off and stays off.
The only way to fix this is to unplug the router and plug it back in. I was only able to retrieve
the pin after resetting the router a few times by unplugging/replugging it and restarting Reaver
from where it left off.
58:6D:8F
had to restart the router after 29%, because reaver stuck at the same pin and received
timeouts
00:25:9C
2 seconds/attempt - I let it run all night, had a few hiccups (timeout warnings), but psk was
eventually found.
c0:c1:c0
2 secs/attempt; Never locked up EVER!
58:6D:8F
58:6D:8F
This information ist from this Arstechnica article http://arst.ch/s0i - filled in by jagermo - but it
seems that Linksys does not have a standard-pin
Confirmed that PIN-Method stays switched on, even if you turn WPS off in the management
interface.
ThisPINs
is really
problem.
Starts testing
andaafter
2 attempts I supose it lock you out.
Testet with reaver -p "PIN" ->got WPA Key.
It took about 1.5 seconds per attempt when the router was not doing any activity, took around
5 hrs for the first half of PIN and few mins for rest. The Linksys WAG160Nv2 router doesn't
have any lock down and no option to disable WPS either. The Router didn't crash and the PIN
was cracked on first attempt, though the mon0 interface on BT5r1 crashed. The Reaver was
started again with earlier instance.
When the router was active with couple of wired and wireless users with LAN and Internet
activity, itPIN
tookwas
about
cracked
not 40
theseconds
same asper
theattempt.
PIN displayed in the router's security settings. looks like
pin can be customized but there is also a default PIN hard coded into the router.
00:1D:7E
cracked PIN was not the same as the PIN displayed in the router's security settings. looks like
pin can be customized but there is also a default PIN hard coded into the router.
00:1D:7E
n/a
This device has support for WPS, turned off by default, and only through the Push-Button and
Registrar
method
the ISP,
Wireless
Adapters
PIN at the AP side, as opposed to enter
Is a routerPIN
provided
by(i.e.
veryenter
popular
at least
in my country.
the
APs
PIN
at
the
Wireless
Adapter
side)
c4:3d:c7
Was tested with options: -r 5 -x 30 -w
Signal was about -60
Sometimes reaver enters in a loop and tries the same PIN 10 or 15 times, but luckly continues
as normal after these 10-15 tries.
Router has a timeout built in afet approx 20 attempts; using default delay (315 secs) will allow
resume - but does significantly slow down the number of attempts/sec.
20:4E:7F
Device locks after WPS Flodding, if you wait for like half an hour and use Reaver 1.3, you can
resume the attack. Returns PIN, but WPA2-Passphrase is gibberish
WPS is only enabled for approx. 2 min when you use push 'n' connect to connect a new device
to WLAN.
I haven't got any WPS client, but reaver started guessing PINs so I assume that WPS is
enabled by default. Anyway after 12 PINs there seems to be a rate limit with a timeout greater
than 315 seconds. So I think it is possible to get the PIN but it would take much longer than 10
hours.
00:26:F2
First test, with WPS PIN enabled: router was responding to PIN requests. Reaver was cycling
through attempted PINs. I only attempted to attack the router for a few minutes, but it appeared
Reaver would have found the PIN eventually.
Second test, with WPS PIN disabled: router responded to PIN requests with a lock
immediately. I allowed reaver to run for 2 hours and the lock never terminated. It appears the
WPS PIN disable feature works as intented.
I would prefer that Netgear would allow WPS to be disabled completely. WPS always has been
a weaking of the wireless security to ease connections. I'm looking forward to DD-WRT
becoming available for my router.
Router supplied by very large ISP in my country for all cable users.
Factory/stock firmware 1.1.11_6.0.36 has a bug that revealed PSK after Reaver had obtained
only the first 4 digits of the PIN. The router accepted PIN 16075672, but the correct PIN is
actually 16078710.
Router locks down WPS PIN for ~5min after around 30 attempts, but only while Reaver was
cycling the first four digits. Once the first four correct digits were found, the router did not lock
down at all while reaver was cycling the last three digits.
"version 3" of this device. This device is vulnerable to a DoS condition, but seemingly not PIN
disclosure. The router stopped providing connectivity to all clients after approximately two
hours of testing, and service was not restored until the system was rebooted.
20:4e:7f
2.1.00.52
is a beta
firmwarebeing
that Netgear
have
not officially
released.
allowsperiods
the WPS
Pin to
Not yet tested,
but siblings
vulnerable
suggests
exploitable
overItlonger
of time.
be
disabled
the
2.1.00.48
(latest
available)
firmware
will
not
save
the
disabled
setting.
To be tested soon.
WPS
is LOCKED
by defaultthe
with this firmware
EvenPIN
with
theapin
disabled
will return
PIN
and time
WPAdue
password.
The
was
high
number, soexploit
the attack
wouldthe
take
some
to the brute force
confirmed with WASH
method. If you run reaver with no/little delay, the AP would lock you out for quite some time.
Both
2.1.00.52
firmwares
exploitable.
Using2.1.00.48
the "-d 7"and
argument,
I was
able to are
try pins
continuously without being locked out. A
suggestion
would
be
to
start
at
given
PIN
ranges,
for either/bothforofNetgear's
the first 4 response
and last 4and
digits.
See http://support.netgear.com/app/answers/detail/a_id/19824
recommendation
about this.
See
http://support.netgear.com/app/answers/detail/a_id/19824
for Netgear's response and
recommendation about this.
It was crawling slowly for 40 mins until it jumped from ~5% to 91% and then to 100% in a
minute or two.
0:21:04
Wireless Chipset: Atheros AR5001X+
00-1D-19
Driver: ath5k
84:A8:E4
Please correct last comment, WPS can be disabled on ALL thomson routers by telnet. Guide to
do so here: http://npr.me.uk/telnet.html
Used Reaver
reaver 1.3.
to use
the hours
flags -E
andwith
adjust
the error
timeout
(-t) to belike
greater
or equal
Used
1.3.Crucial
Took quite
a few
to -L
break
many
messages
"receive
than 2 seconds.
timeout
occurred" and "re-transmitting last message". The attack was slow like 4-30sec/attempt
but the
result
wasa good.
This
router
uses
firmware modded by the ISP so is no upgradable.
Couldn't
find its
any
settingstototurn
disable
WPS...
Using
JTAG
possible
off the
WPS but needs some knowledge.
The router uses a button to unlock the WPS feature by I run the attack without pressing it so its
useless.
I used this tags: -E -L -T 2
08:76:FF
Video: http://vimeo.com/34402962
WPS-Service seems to lock down after 12 attempts, Restart required. If you crack the code in
this time or if you add the key to the tool, it can be cracked
f8:d1:11
Nice work guys...
F4:EC:38
F4-EC-38
Reaver got in in 30 minutes on a basic adapter with no injection,but it actually took LONGER
when using an ALFA injection card...
Just add the flag -L and whait :)

Called QSS instead of WPS
00:0C:F1

Run
reaver
with to
option
--no-nacks
Router
appears
lockdown
and disable WPS after approximately 20 failed attempts. Power
cycle reenables. Not sure if WPS will reenable automatically after some unknown time period.
I waited a few hours and it did not reenable.
0:27:22
It was a slow attack, about 2 seconds/attempt

The WPS feature could be easily deactivated and changed.
TalkTalk ISP UK
50:67:F0
Using the --dh-small option in reaver results in a M4 NACK even with the correct pin.
08:86:3b
Even though it's not advertised as having this feature, this router comes with WPS activated by default with common 12345670
Although WPS doesn't show a menu tab on WLAN settings (firmware v1.0.3.1), it's possible to disable it by linking directly to th
Used arguments:reaver -i mon0 -b 00:22:2D:**:**:** -vv
0:22:02
You may effectively disable WPS on "advanced">"wi-fi protected setup" router's page.
Used arguments:reaver -i mon0 -b 00:13:F7:**:**:** -vv -d 0 -S
00:13:F7
pin doesn't respect the "checksum" rule for last digit.

I implemented a simple exhaustive method under reaver/src/pins.c
once pin is found reaver can't retrieve PSK.
using wpa_supplicant & wpa_cli it is possible to retrieve PSK.
from this moment AP disable completely WPS.
c8:cd:72
I can still connect with AP using psk without problems.
wash and reaver don't see the AP anymore.
Retrieving psk with wpa_cli and wps pin doesn't work anymore.
D4:D1:84:DB:3
aireplay-ng doesn't fakeauth anymore (it used to work with this AP during the use of reaver) and 5:6B
give this message: Denied (co
0:23:15
After 3 failed attempts pin automatically disabled and Reaver could not continue the attack.
84:1B:5E
Attack worked better without -S switch. Used DWA-140 (RT2870) for attack.
34:08:04
used wifite-2.0r85
34:08:04
Rate limiting is active on this modem/router. After 5 pin attempts, it locks you out for 5 minutes.
0:24:17
00:16:0A
0:22:02
This router is delivered by the Movistar company for optical fiber (FTTH) service.
In this video: http://youtu.be/NA6zO5NBYes I show the vulnerability theory of Wifi Protected Setup,
00:1A:2B
referring to padlocks to clar
This router is delivered by the Movistar company for optical fiber (FTTH) service.
In this video: http://youtu.be/NA6zO5NBYes I show the vulnerability theory of Wifi Protected
Setup, referring to padlocks to clarify the understanding, and practice is under Kali Linux on the
same router (Comtrend WAP-5813n)
00:1A:2B
4C:60:DE
30:46:9A
08:86:3B
84:1B:5E
Under the check box to enable WPS it has another check box that says: "To prevent PIN compromise, auto disable the PIN aft
This is set to on by default but could be turned off manually thus making the device vunerable to attacks. I get a speed of abou
These settings can be found under advanced>advanced setup>Wireless Settings>WPS settings28:C6:8E
12 seconds/pin with good signal strength
WPS can be disabled through router web interface. Appears to disables all WPS functionality.
82:7D:5E
0:02:06
WPS is identified as QSS on this model.
Firmware version 3.16.5 has multiple releases - Mar 22, 2013 (Build 130322) and Mar 29, 2013 (Build 130329) - same behavi
Router disables PIN after 10 failed attempts for the device. Re-enable through the web interface or reboot the router to reactiv
PIN can be disabled through web interface, but doesn't retain disabled state through reboots unless
f8:1a:67
WPS is deactivated.
router starts to block (AP Rate Limiting) after first 3 attempts for increasing periods of time.
c8:d7:19
Give me a password
B0:48:7A:B2:F0:
00:24:B2
The router still had the default login information (admin/password). First time cracking a WPA pass
84:1B:5E
i took a long time, because i have a signal of -79db.
0:24:01
Enabling Samsung Wireless Link on the TV makes it an Access Point and gateway to the Internet
E4:E0:C5
Locks after 3 failed attempts until reboot. WPS can be turned off completely.
2C:B0:5D
tested by
ajdowns
PIN
jagermo
CriticalCore
Reece Arnott
hA1d3R
FireFly
f.reddy
12345670
Nick
21250491
beej
93645348
8302441
Socapex
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
aBs0lut3z33r0
Socapex
Chaos
12215676
Can be usergenerated
Nsol
Nsol
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
virtualistic.nl
f.reddy
69382161
f.reddy
66026402
Nick
Molito
txag
Sean Gallagher
jagermo
Inakiuy
@_Niranjan
ISP rep
gorilla.maguila@gmail.co
m
47158382
8699183
dankwardo
Nsol
16078710
blue team consulting
90889301
grik
@RiseKB
7097xxxx
neuromancer
Snayler
MG
@jagermo
Mannheim
26599625
prslss
TheDarkGlove96
cenoura
30447028
MG
subhuman
20064525
3737xxxx
luicci
12345670
luicci
14755989
1E6DFE19
stefano.orsolini (gmail.com)
1234567
Mark
trev.norris
81871452
5389xxxx
wpsguy
5389xxxx
Alasala
84207302
T. Crivat
22640086
Gerard Fuguet
16495265
Gerard Fuguet
16495265
31836289
38940972
76726446
29167012
gottalovebrando
weiyang
mpickard
mpickard
mpickard
Kamal
54335677
Brand~o
37449858
Youtube- MasterCookiez
73312055
Lokke
45558221
JEH
This database is intended as an educational resource for users interested in IT-Security. I did not find the vulnerability,
that honor goes to Stefan Viehbck and Craig Heffner.
Do we have more information about this? WPS PIN is enabled, but device is not vulnerable? Why?
Hi Firefly, thanks - to fill in the missing informations, just re-do the form.
Can you verify, that push button is the only method they are using?
more information about this router and the WPS-DoS:

http://www.reddit.com/r/netsec/comments/nzvys/wps_brute_force_i_started_public_google_doc_so_we/c3domfn
I'm seeing something similar on the WNDR3700
Device Name
Manufacturer
Type (Router/ AP
/Bridge...)
Firmware-Version
WPS enabled by
default?
WNDR3700
Netgear
Router
1.0.7.98
yes
TL-WR1043ND
TP-Link
Router
Linksys E4200 V1.0 Cisco
Router
1.0.03 (Build 14)
yes
EchoLife HG521
Router
1.02
yes
Router/Modem
Unknown
yes
TALKTALK-F03653
Huawei
n150
Again - feel free to

post comments - but
they will probably be
overwritten by a troll
If you want a
(relativley) troll free
comment-area, use
the reddit-entry
http://www.reddit.co
m/r/netsec/comment
s/nzvys/wps_brute_f
orce_i_started_publi
c_google_doc_so_w
e/
Belkin
Router
Unknown
yes
Vulnerable (yes/no) Tool (Version)
still running
average time
WPS can be
disabled (and it
stays off!)
Comments/Notes
Reaver 1.2
WPScrack
Video:
http://vimeo.com/34
402962
yes
Reaver 1.2
1 second / attempt,
no anti-flooding /
blocking / delay
no
WPS LED blinking

continuously during
attack. Vulnerable
with latest firmware,
no way to disable
WPS -> epic fail!
Anonymous user
9308: I've also
noticed that across 2
different linksys
devices (don't have
them on me now)
the default WPS pin
of 12345670 was
the result of 2.5 and
6 hours cracking
yes
Reaver 1.1
5-6 hours
yes
TalkTalk ISP UK
yes
Reaver 1.2
1 hour
yes
TalkTalk ISP UK
yes
yes
Reaver 1.2
12.5 hours
yes
This database is
intended as an
educational
resource for users
interested in ITSecurity. I did not
find the vulnerability,
that honor goes to
Stefan Viehbck and
Craig Heffner.
Try using the sleep
function between
attacks.
It should be noted
that the tool 'wpa_cli'
can be used to
determine WPS
compatibility on all
APs in range.
Tell us more...
from command line

# wpa_cli
scan_results ... you
should get a nice list
spat out, might need
to be root and/or
running network
manager
Shame airodump-ng
doesn't tell you this.
anyone tried an
Airport-device?
Nice, I'm having

trouble with another
AP, returns the
incorrect pin
instantly
Anonymous user
9308: I've also
different linksys
devices (don't have
them on me now)
the default WPS pin
of 12345670 was
6 hours cracking
http://code.google.c
om/p/reaverwps/issues/detail?
id=16 <- covered by
that
Device Name
Manufacturer
Type (Router/ AP
/Bridge...)
Firmware-Version
WPS enabled by
default?
WNDR3700
Netgear
Router
1.0.7.98
yes
TL-WR1043ND
TP-Link
Router
Linksys E4200 V1.0 Cisco
Router
1.0.03 (Build 14)
yes
EchoLife HG521
Router
1.02
yes
Router/Modem
Unknown
yes
TALKTALK-F03653
Huawei
n150
Again
- feel afree to
If you want
post comments
- but
(relativley)
troll free
they will probably
be
comment-area,
use
overwritten
by a troll
the
reddit-entry
http://www.reddit.co
m/r/netsec/comment
s/nzvys/wps_brute_f
orce_i_started_publi
c_google_doc_so_w
e/
Belkin
Router
Unknown
yes
Vulnerable (yes/no) Tool (Version)
still running
average time
WPS can be
disabled (and it
stays off!)
Comments/Notes
Reaver 1.2
WPScrack
Video:
http://vimeo.com/34
402962
yes
Reaver 1.2
1 second / attempt,
no anti-flooding /
blocking / delay
no
WPS LED blinking

continuously during
attack. Vulnerable
with latest firmware,
no way to disable
WPS -> epic fail!
Anonymous user
9308: I've also
different linksys
devices (don't have
them on me now)
the default WPS pin
of 12345670 was
6 hours cracking
yes
Reaver 1.1
5-6 hours
yes
TalkTalk ISP UK
yes
Reaver 1.2
1 hour
yes
TalkTalk ISP UK
yes
yes
Reaver 1.2
12.5 hours
yes
This database is
intended as an
educational
resource for users
interested in ITSecurity. I did not
find the vulnerability,
that honor goes to
Stefan Viehbck and
Craig Heffner.
Try using the sleep
function between
attacks.
It should be noted
that the tool 'wpa_cli'
can be used to
determine WPS
compatibility on all
APs in range.
Tell us more...
from command line

# wpa_cli
scan_results ... you
should get a nice list
spat out, might need
to be root and/or
running network
manager
Shame airodump-ng
doesn't tell you this.
anyone tried an
Airport-device?
Nice, I'm having

trouble with another
AP, returns the
incorrect pin
instantly
Anonymous user
9308: I've also
different linksys
devices (don't have
them
on me now)
http://code.google.c
the
default
WPS pin
om/p/reaverof 12345670 was
wps/issues/detail?
the result
of 2.5 and
id=16
<- covered
by
6 hours cracking
that
EasyBox 803
88:25:2C
Router
MI424-WR Rev.E
WLAN 1421
Actiontec
Alice/Hansenet
Router
Wlan Router
AirPort Extreme
Apple
Router
Vodafone Easybox
602
Arcadyan
Router/Modem
Vodafone EasyBox
802
N13U v1&v2
Arcadyan
ASUS
Router/Modem
Router
RT-N10
RT-N16
ASUS
ASUS
Router
Router
Fritz!Box 7240
AVM
Router
Fritz!box 7390
AVM
Router
Fritz!Box WLAN
3370
FritzBox7390
AVM
AVM
Router / Modem
Router
F6D6230-4 v1000
F7D1301 v1
Belkin
Belkin
Router
Router
F7D2301 v1
Belkin
Router
F9K1001v1
Belkin
Router
F9K1001v1 (N150)
Belkin
Router
F9K1105 v1
n150
F9K1001 v1
7800n
BiPAC 7404VGPX
Belkin
Belkin
Belkin
Billion
Billion
router
Router
Router
Router
AP
WZR-HP-AG300H
Buffalo
Access Piont
WZR-HP-G300NH
Buffalo
Router
Linksys E1000
Linksys E3200 v1
Linksys E4200
Cisco
Cisco
Cisco
Router
Router
Router
Linksys E4200 v1
RV110W
RV120W
SRP521W
SRP526W
SRP527W
SRP541W
SRP546W
SRP547W
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Router
Router
Router
Router
Router
Router
Router
Router
Router
UC320W
Valet M10
WAP4410N
WRP400
WRVS4400N
WRT320N
DAP-1360
DAP-1522
DIR-300
DIR-300
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco Linksys
D-Link
D-Link
D-Link
D-Link
Unified
Communications
Router
Access Point
Router
Router
Router
Access Point
Access Point
Router
Router
DIR-300 (HV - B1)

DIR-457
DIR-501
DIR-600
DIR-615
DIR-615
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
Router
Router
Router
Router
Router
Router
DIR-615 Rev. B
DIR-615 Rev D+ H
DIR-625
DIR-635 Rev B
DIR-645
DIR-652
DIR-655
DIR-655 A3
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
Router
Router
Router
Router
Router
Router
Router
Router
DIR-655 vB1
DIR-657
DIR-815
DIR-825
DIR-852
D-Link
D-Link
D-Link
D-Link
D-Link
Router
Router
Router
Router
Router
DIR-855
DIR-855
D-Link
D-Link
Router
Router
DIR-628
DLink
Router/access point
3G-6200nL
BtHomeHiub3
EchoLife HG521
E1000
E1200
Edimax
Huawei
Huawei
Linksys
Linksys
Router
Router/ADSL
Router
Router
Router
E2500
Linksys
Router
E3000
WRT120N
WRT160Nv2
Linksys
Linksys
Linksys
Router
Router
Router
WRT350N
Linksys
Router
E4200
Linksys / Cisco
Router
WRT54G2
Linksys / Cisco
Router
Device Name
NP800n
Manufacturer
Netcomm
Type (Router/ AP
/Bridge...)
Wireless Router
CG3100
Netgear
Cable Modem (with

built in Gateway/AP)
CG3100D
NETGEAR
Cable/router
CGD24G
Netgear
Cable Modem
Router
DGN1000B
Netgear
Router
DGN1000B
Netgear
Router
DGND3700
Netgear
Modem/Router
MBRN3000
NetGear
Router (ADSL + 3G)
WGR614v8
Netgear
Router
WGR614v8
Netgear
Router
WNDR3700
WNDR3700
WNDR3700
Netgear
Netgear
NETGEAR
Router
Router
Router
WNDR3700v3
WNR1000 (N150)
Netgear
Netgear
Router
Router
WNR3500L
Netgear
Router
WNR3500v2 (N300) Netgear
Router
F@st 3504
SX763
Sagem
Siemens Gigaset
Router
Router/Modem
Sitecom 300N WL363
Sitecom
Router/Modem
Speedport W 723V
T-Online
Router
Speedport w720v
T-Online
Router
TG784n
TG782
TG784
TG784n
Thomon
Thomson
Thomson
Thomson
Router
Modem/Router
Router
Router
TD-W8950ND
TP-Link
Router,Bridge,Mode
m
TL-MR3420
TP-LINK
Router
TL-WR1043N
TL-WR1043ND
TP-Link
TP-Link
Router
Router
TL-WR2543ND
TP-Link
Router
TL-WR2543ND
XWR100
TP-Link
Vizio
Router
Router
P-660W-T1 v3
ZyXEL Corporation
Modem/Router
Comments and
background
information start
here
TALKTALK-F03653
Comments and
background
information start
here
Router/Modem
30.05.211 (01.07.2011-10:36:41)
Yes
Yes
20.19.8
1.0.16
No
No
No
Yes
7.5.2
No
No
20.02.022
Yes
No
Yes
2/1/2012 No
Maybe
No
1.0.0.8
1.0.2.3
Yes
Yes
Yes
Yes
73.05.05
No
No
84.05.05
No
No
103.05.07
ALL
No
No
No
No
1.00.19 (Apr 22 2010)

1.00.22
Yes
Yes
Yes
Maybe
1.00.16 (Jul 2 2010 14:36:56)
Yes
Yes
F9K1001_WW_1.00.08
Yes
Yes
1.0.08
Yes
Yes
1.00.03 (Jul 4 2011)

Unknown
1.00.08
1.06d
6.23
Yes
yes
Yes
No
Yes
Yes
yes
Yes
Maybe
Yes
dd-wrt v24SP2-multi build 15940
Yes
No
Unknown
Yes
Maybe
2.1.00 build 7Sep 21, 2010

1.0.02
1.0.0.3
Yes
Yes
Yes
Yes
Yes
Yes
1.0.03 (Build 14)

Current Version
Current Version
Current Version
Current Version
Current Version
Current Version
Current Version
Current Version
yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Current Version
2.0.01
Current Version
Current Version
unknown
Current
Current
"2.05"
Current
Current
Current
Current
yes
Yes
Yes
Yes
1/1/2013 No
Yes
Yes
Yes
Yes
Yes
yes
Yes
Yes
Yes
No
Maybe
Yes
Yes
Yes
Yes
5/2/2012 Yes
Yes
Yes
Yes
Yes
4.1 Yes
2.23 Yes
Yes
Yes
No
Current
Current
Current
Current
Current
Current
1.22b5
Yes
Yes
3.04 Yes
Yes
Yes
Yes
Yes
Yes
2.00NA
Current
Current
2.02EU
Current
Yes
Yes
Yes
Yes
Yes
Maybe
Yes
Yes
Yes
Yes
1.23EU
Current
Yes
Yes
Maybe
Yes
1.06b
Unknown
unknown
1.0.02 build 5
1.0.02
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
11/1/2012 Yes
Yes
No
Yes
1.02 yes
Yes
Yes
No
Yes
yes
Yes
Yes
Yes
Maybe
1.0.04
v1.0.01
2.0.03
Yes
Yes
Yes
Maybe - see
Comments
Yes
Yes
2.0.3 i think (newest!)
Yes
Maybe - see
Comments
unknown
Yes
Yes
unknown
Yes
Yes
Firmware-Version
1.0.14
WPS enabled by default?

Yes
Vulnerable (yes/no)
Yes
3.9.21.9.mp1.V0028
No
No
unknown
Yes
Yes
unknown
Yes
Yes
1.00.45
No
Maybe
1.1.00.43
Yes
Maybe
V1.0.0.12_1.0.12
Yes
Yes
1.0.0.43_2.0.11WW
Yes
Yes
1.1.11_6.0.36
Yes
Yes
1.2.10_21.0.52
Yes
Maybe
1.0.7.98
V1.0.7.98
v1.0.4.68
yes
Yes
Yes
yes, but.... see

comments
Yes
Yes
V1.0.0.18_1.0.14
unknown
Yes
Yes
Maybe
Maybe
V1.2.2.44_35.0.53NA
Yes
Yes
V1.2.2.28_25.0.85
Yes
Probably
Bbox firmware - 8.4.M.O (not sure)

4.3.52.21.07
Yes
Yes
Yes
Yes
2.00.01
Yes
Yes
1.00.080
Yes
Yes
1.61.000
No
No
8.4.H.F
8.2.2.5
8.4.2.Q
8.4.H.F
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
1.2.9 build 110106 Rel.59540n
Yes
Yes
3.12.8 Build 110418 Rel.43954n
Yes
Yes
3.12.2 Build 100820 Rel.41891n
Yes
Yes
Yes
3.13.6 Build 110923 Rel 53137n
Yes
Yes, see comment
3.13.4 Build 110429 Rel.36959n
Yes
1/1/2002 Yes
V3.70(BRI.2) | 02/09/2011
Yes

Yay, 100 entries :)
Unknown
Yes

https://docs.google.com/spreadsheet/viewform?
formkey=dFFRMlF1MjBybG5aSGFndHJFX2JMe
nc6MQ
Yes
Maybe
Yes
Yes
Another Disclaimer: These entries are not verified

- we simply don't have enough tests and devices to whomever posted the list
(yet). So, please, don't base your PHD on it or
about cisco devices.
anything...
Thanks. I'll add them
Reddit-Link to discuss stuff:
http://www.reddit.com/r/netsec/comments/nzvys/
wps_brute_force_i_started_public_google_doc_s
o_we/
want to talk about this? Please do and use the

hashtag #WPSDoc
want to contact me? @jagermo on twitter or

jagermo@hushmail.com
I've added a second sheet "Comments", that is

free for all - if you want to chat or add
suggestions, please do it there - keep in mind it
might get vandalized.
By the way: you can also add devices, that can't

be attacked by brute forcing wps.
this document is licensed under CC-BY-3.0
Reaver 1.3
yes (not testet

maybe its already
[user reports untested, so his ative after switching
3sec value here removed]
to off!)
None
Reaver
n/a
WPS "functionality"
is not enabled
currently
Yes
n/a
n/a
Yes, see comments
Reaver 1.3
Yes
Reaver 1.3,
WPScrack
Reaver 1.3
10min
Yes
Yes
Reaver 1.3
Reaver 1.3
2 seconds per attempt/3.5

hours to crack
1176 seconds
Yes
Yes
wpscrack,
Reaver 1.2
infinite
yes
will follow soon will follow soon
Yes
N/A
Reaver 1.3
N/A
0sec
Yes
Yes
Reaver 1.3
none
20 min
yes
yes
Reaver 1.3
1.9 Hours
Yes
Reaver 1.3
7765 seconds
Yes
Reaver 1.3
41 minutes, 12 seconds
Yes
Reaver 1.3
Reaver 1.2
Reaver 1.2
Reaver 1.3
reaver 1.3
3hours
12.5 hours
11.2 Hours
14 hours
3hours
yes
yes
Yes
Yes
no
No but it starts
locked
reaver 1.4
Reaver via
Backtrack
Within 1 hour
Yes
Reaver
Reaver 1.4
1.3 &
r58
Reaver
24h
4h
Reaver 1.2
1 second / attempt, no antiflooding / blocking / delay
no
Reaver 1.2
5 hours
NO
none
Reaver 1.4
n/a
Reaver 1.3
4 Days
Reaver 1.3
4 Days
Reaver-1.1
Reaver 1.3
ca. 1h 45min
n/a
7/6/2012 No
No
NO
not available
unknown
yes
yes
yes
yes
yes - can be
completely deabled
Yes
Yes
Yes
Yes
Reaver 1.4
4 hours
Reaver 1.3
Wifi Analyzer
(Android)
v3.0.2
4.5hrs
reaver
5h
Reaver 1.3
yes
Yes
Yes
yes
Yes
yes
Yes
Yes
Yes
Yes
yes
Yes
yes
user reported 5 minute

timeout on failed registration,
unknown inducement
threshold
yes
yes
reaver 1.3
Didn't let it run
yes
N/A
Reaver 1.3
Reaver 1.1
Reaver 1.3
Reaver 1.4
N/A
50 minutes
5-6 hours
7h
5 hrs, 20 mins
Yes
Unknown
yes
No
No
Reaver 1.3
I stopped Reaver after 16 hrs

with no success. See
comments
No
Reaver 1.3
Reaver 1.3
Reaver
24h
4h
5 hours
Reaver 1.3
Reaver 1.3 with PINOption
Yes
no
yes
Yes
Reaver
6 hours
Yes, but any

No, see comments
changes to the
settings automaticly
reenable wps
Tool (Version)
Reaver 1.3
Average time for penetration

*without* providing the PIN
10 hours
WPS can be
disabled (and it
stays off!)
yes
Reaver 1.2
Yes
reaver svn rev.

52
5 hours
yes
Reaver 1.3
No
12 Hours
WPScrack
is deactivated by
default
reaver 1.2
No (there is a
checkbox, but it's
disabled)
Reaver 1.3
Reaver 1.3
Yes
3h
yes
1 day
Yes, PIN can be

locked out but WPS
remains on
Reaver 1.3
1 day
Yes, PIN can be

locked out but WPS
remains on
Reaver 1.2
Reaver 1.3
Reaver 1.3
9hrs
est. 24h
yes
unkown
Reaver 1.3
Reaver 1.3
n/a
PIN can be disabled,

but WPS cannot be
switched off
completely
Yes
Reaver 1.4
18hrs
Yes
Yes
Reaver 1.3
Reaver 1.3
More than 5h
45 minutes
Unknown
Yes
Reaver 1.4
2~3 hours
Yes
Reaver r65
2-3 hours
yes
Reaver 1.1
No (A 2-MinuteInterval Button is
used)
Reaver 1.4
Reaver 1.3
Reaver 1.3
Reaver 1.3
3 days? (needs more testing)

24h
15 hours
18hours
Yes (Please correct

This)
Probably no
unkown
maybe
Reaver
30 Minutes
Yes.But Reaver still

gets in.
Reaver 1.3
Reaver 1.4
10 hours
yes
Reaver 1.1
WPScrack
5h
Yes
Reaver 1.2
yes
Reaver 1.3
Reaver 1.2
8h
N/A
yes
No, see notes
Reaver 1.3
3hours (stopped at 31,75%)
yes
Reaver 1.2
Relevant Links and additional information:

1 hour
yes
Stefan Viehbck Research and WPScrack:
http://sviehb.wordpress.com/2011/12/27/wi-fiprotected-setup-pin-brute-force-vulnerability/
Craig Heffner Blog Entry and Reaver:
http://www.tacnetsol.com/news/2011/12/28/cracking
-wifi-protected-setup-with-reaver.html
Theiver, fork of Reaver:

http://code.google.com/p/theiv
er/
Dan Kaminsky collects WPS-data in Berlin:
http://dankaminsky.com/2012/
01/02/wps/
Anonymous user 9308: I've also noticed that across

2 different linksys devices (don't have them on me
now) the default WPS pin of 12345670 was the
result of 2.5 and 6 hours cracking
WPS BRUTE FORCE THOUGHTS AND VIDEO
http://www.simplywifi.co/blog/2012/1/1/wps-bruteforce-thoughts-and-video.html
ArsTechnica: Hands-on: hacking WiFi Protected

setup with Reaver
http://arstechnica.com/business/news/2012/01/han
ds-on-hacking-wifi-protected-setup-with-reaver.ars
SimplyWiFi: Is your Router running WPS (Video,

demonstration of the Walsh-Tool)
http://www.simplywifi.co/blog/2012/1/4/is-mywireless-router-running-wps.html
Reaver: Official Screencast
http://www.tacnetsol.com/news/2011/12/30/officialreaver-screencast.html
Disabling WPS on Wireless APs via Firmware

Modification
http://blog.nullmethod.com/2012/01/disabling-wpson-wireless-aps-via.html
00:15:AF
00:1F:90
60:33:4B
0:23:08
0:26:04
bc:ae:c5
00:24:FE
0:23:15
94:44:52
94:44:52
08:86:3B
00:04:ED
C0:C1:C0
58:6D:8F
00:1E:58
5C:D9:98
00:18:e7:fb
Unknown
c0:c1:c0
58:6D:8F
58:6D:8F
58:6D:8F:0A
00:25:9C
00:1D:7E:AD
n/a
c4:3d:c7
00:26:F2
20:4E:7F
20:4e:7f
0:21:04
84:A8:E4
00-1D-19
08:76:FF
00:0C:F1
F4:EC:38
f8:d1:11
F4-EC-38
0:27:22
50:67:F0
CriticalCore
ajdowns
jagermo
hA1d3R
Reece Arnott
FireFly
f.reddy
beej
93645348
Nick
21250491
8302441
aBs0lut3z33r0
Socapex
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
D-Link
D-Link
Nsol
D-Link
Nsol
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
D-Link
Can be usergenerated
D-Link
D-Link
D-Link
D-Link
Molito
Nick
f.reddy
69382161
f.reddy
66026402
jagermo
Sean Gallagher
tested by
ISP rep
gorilla.maguila@gmail.co
m
8699183
PIN
dankwardo
16078710
Nsol
blue team consulting
neuromancer
Snayler
MG
TheDarkGlove96
30447028
cenoura
Mannheim
26599625
@jagermo
prslss
MG
20064525
Do we have more information about this? WPS PIN is enabled, but device is not vulnerable? Why?
Hi Firefly, thanks - to fill in the missing informations, just re-do the form.
Can you verify, that push button is the only method they are using?
more information about this router and the WPS-DoS:

http://www.reddit.com/r/netsec/comments/nzvys/wps_brute_force_i_started_public_google_doc_so_we/c3domfn
This database is intended as an educational resource for users interested in IT-Security. I did not find the vulnerability,
that honor goes to Stefan Viehbck and Craig Heffner.
I'm seeing something similar on the WNDR3700
Again - feel free to post

comments - but they will
probably be overwritten by a
troll
If you want a (relativley) troll

free comment-area, use the
reddit-entry
http://www.reddit.com/r/nets
ec/comments/nzvys/wps_bru
te_force_i_started_public_go
ogle_doc_so_we/
Do you think the PINs are

somewhat related to
manufacturer? Like MAC
adresses?
I don't know - some devices allow

to set your own PINs - but it might
be interesting
AIRPORT FROM THE APPLES

& Co., IS IT HAVE PIN WPS
VULRERABELETIES LIKE
THE OTHERS? XOXO APPLE I tried to contact apple, so far no
FANBOY
luck (wich is not unusal..)
The Belkin N150 is the same

as the F9K1001v1.
good to know, thanks - i'm going

to clean it up as soon as we hit
100 devices :)
Checked WPS using Wash

command in Reaver 1.3 for
ASUS RT-N56U. If WPS is
disabled in the config, it does
not show as supporting WPS in
Wash.
WAG120N
WRT160N V3 is also
vulnerable
linksys wrt54g2
Linksys/cisco
wps can be disabled over the webinterface but any changes to the settin
Cannot disable in firmware V1.0016
JC: The 'backup' tab seems

unnecessary since we can use
the Google Revision History to
revert any improper change.
Yeah, its kind of a relict from the

first version, when everyone was
allowed to edit the document.
After an attack of the trolls I had
to lock it down.
Will provide my PINs when, or if,

Cisco adds a feature to change
them :) Just in case, you know ;)
thx for the list. vey

nice!!!
do you have Reaver

1.3 installed? Maybe
Using the wpa_cli scan, my airport you can check with try using the newer
extreme doesn't show WPS
the walsh Tool
iw tool - "iw dev
capability
(walsh -i mon0
wlan0 scan"
perfect, man!
over the webinterface but any changes to the settings automaticly reenable wps
used reaver 1.3 took about 3hours Correct WPA & i dont know about the pin but the other details were correct
jagermo: you are

welcome - but it
would not have
worked without you
guys
her details were correct

WPS Flaw Vulnerable Devices

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

WPS Flaw Vulnerable Devices

Uploaded by

Copyright:

Available Formats

Device Name

DIR-300 (HV - B1)

Cable Modem (with

Router (ADSL + 3G)

Sitecom 300N WL363

Router / Access Point

Cable Modem Gatew

ADSL Modem / Route

WPS enabled by default?

1.00.19 (Apr 22 2010)

1.00.16 (Jul 2 2010 14:36:56)

1.00.03 (Jul 4 2011)

dd-wrt v24SP2-multi build 15940

1.0.03 (Build 14)

2.1.00 build 7Sep 21, 2010

2.0.3 i think (newest!)

1.0.02 build 13 May 24, 2011

yes, but.... see

Bbox firmware - 8.4.M.O (not sure)

3.13.6 Build 110923 Rel 53137n

Yes, see comment

3.12.2 Build 100820 Rel.41891n

3.13.4 Build 110429 Rel.36959n

1.2.9 build 110106 Rel.59540n

3.12.8 Build 110418 Rel.43954n

3.12.4 Build 100910 Rel.57694n

3.00.03 Jun 29, 2009

3.16.5 Build 130329

This database is intended as an educational

Reddit-Link to discuss stuff:

want to talk about this? Please do and use the

want to contact me? @jagermo on twitter or

Average time for penetration

Yes, see comments

2 seconds per attempt/3.5

will follow soon will follow soon

1 second / attempt, no antiflooding / blocking / delay

Reaver 1.3 &

user reported 5 minute

Didn't let it run

I stopped Reaver after 16 hrs

No, it doesn't appear

Yes, but not sure if it

Reaver 1.3 with PINOption

No, see comments

No. Though the

reaver svn rev.

PIN can be disabled,

Yes, PIN can be

Yes, PIN can be

Yes (Please correct

Yes.But Reaver still

No, see notes

3hours (stopped at 31,75%)

Yes, see comments

Reaver 1.4 (pins3 hours

Pin cracked in 34826 seconds unknown

29.62 Hours. (106632

Stefan Viehbck Research and WPScrack:

Craig Heffner Blog Entry and Reaver:

Theiver, fork of Reaver:

Dan Kaminsky collects WPS-data in Berlin:

I did a quick check. Seems to be vulnerable.

No lockout, no delay needed.