WPScan actively sends 802.11 probe requests to access points that advertise WPS support. It then parses out the WPS Information Element in the resulting probe response and displays the results. This is a very useful fingerprinting tool since nearly all new routers have WPS enabled by default, and most vendors will actually put the exact make, model, and version of the router in the probe response!

WPSpy is a tool to simply monitor and report changes in the WPS status of and access point. This is particularly useful if you are running some of our described attacks that leverage WPS to gain access to the WLAN.

Currently we only have a handful of signatures, so if you want to contribute to this tool, here’s what you can do:

1. Get your access point and enable WPA and WPS (if supported).
2. Capture the beacon frames that your access point is broadcasting and save them to a pcap file.
3. Send us the pcap file along with as much information about the access point as you can (make, model, firmware version, hardware revision, ESSID and BSSID).

Once we get your submission we’ll generate a signature for it and update the WiFinger database file. We think this tool has a lot of great potential, so we welcome any and all submissions – if you’ve got a router, let’s put it in there!

WiFinger can be downloaded here.