Sunday, March 20, 2011

WAP fingerprinting: The Wi-Fi Alliance Way

Fingerprinting a WAP(Wireless Access Point) to find the vendor and model is something I have always been interested in. The first way I thought of doing this was by using the oui.txt to find the vendor of the WAP. But knowing the vendor doesn’t give us to much to work with. So one day when I was sniffing I saw some interesting beacon frames:

This frames had an IE(information element) that Wireshark called “Vendor Specific: WPS”.

But what the heck is WPS?
Let’s see the Wi-Fi Alliance definition:
Wi-Fi Protected Setup™ is an optional certification program from the Wi-Fi Alliance that is designed to ease the task of setting up and configuring security on wireless local area networks. Introduced by the Wi-Fi Alliance in early 2007, the program provides an industry-wide set of network setup solutions for homes and small office (SOHO) environments.
Later on the sniffing session, I saw that this IE was also present on probe response frames and had more information that the one on the beacon frame. This information was really interesting. As an example check out the image below:

As you can see on the image there’s a lot of useful information on the WPS IE, including the WAP serial number.

So this ‘new’ standard is expanding and as far as I know if your WAP supports it, it will be activated by default. So fingerprinting this WAPs is pretty simple.

As you could guess, this way of fingerprinting has a passive way(waiting for probe response frames) or an active way(sending probe request frames).
I created a simple script that automatically does this work for you. The script requires PyLorcon2, Pcapy and Impacket libraries. The output of the tool is something like this

WPS Information Gathering
Press Ctrl+C to stop.
[00:23:69:4X:XX:X5] - 'XXXX' - 'Cisco-Linksys, LLC'
WPS Information
  * Device Name: 'Wireless-G Router'
  * Wi-Fi Protected Setup State: 'Configured'
  * Response Type: 'AP'
  * Primary Device Type: 'Network Infrastructure - AP'
  * Model Number: 'WRT54G2'
  * Serial Number: 'CSV01J2XXXX4'
  * Version: '1.0'
  * Model Name: 'Router'
  * Config Methods: 'Display, PushButton'
  * Manufacturer: 'Linksys'
The tool is available here.


  1. is there a way to import captures using impacket?

  2. shank:

    Impacket itself does not handle captures, but using Pcapy open_offline function with Impacket you should be able to do it.