How to find out the exact model of a router (wireless access point)
The following method works only against WPS enabled Access Points. However, it lets you to determine the exact model of a router, not only a vendor (like according to MAC-address).
More good news it does not matter whether WPS locked, not locked, configured, or not configured. With any status of WPS, your chance to find out the exact model of an access point is pretty high.
First we set the wireless interface to monitor mode:
sudo systemctl stop NetworkManager sudo ip link set wlan0 down sudo iw wlan0 set monitor control sudo ip link set wlan0 up
Start airodump-ng with -M (display manufacturer from IEEE OUI list) and --wps (display WPS information) options:
sudo airodump-ng wlan0 -M --wps
For example, we are interested in AP named IMAX; we can notice its BSSID is 84:C9:B2:52:F6:37, its manufacturer is D-Link International and it is using channel 5. And the most important it is WPS enabled AP.
Nevertheless, I wonder what is the exact model of the router running IMAX? I can determine that!
Switch to the channel or the target AP:
sudo iw wlan0 set channel 5
Start capturing packets on the wireless interface (wlan0):
After approximately 10-30 seconds, stop the capturing packets.
To find information about model of a router use Wireshark filters:
(wps.device_name != "" || wps.model_name != "" || wps.model_number != "") && wlan.ssid == "ESSID"
Where ‘ESSID’ replace with actual ESSID of the interesting Access Point.
For instance to find frames with the exact model of router running wireless network IMAX:
(wps.device_name != "" || wps.model_name != "" || wps.model_number != "") && wlan.ssid == "IMAX"
Inside the found frames look for Tag: Vendor Specific: Microsof: WPS. In the fields Model Name, Model Number, Device Name you’ll notice information about model of an Access Point:
Therefore, the actual model of the router is D-Link Systems DIR-615.
The described method is applicable for the majority WPS enabled APs.
Keep in mind filters wps.serial_number, wps.manufacturer, and wps.new_device_name; they can be useful to extract some information about the AP model.
To filter out AP you also can use Wireshark filters wlan.addr and wlan host, for example:
wlan.addr==08.00.08.15.ca.fe wlan host 08:00:08:15:ca:fe
There is a nice tool, which is able to extract the same information about the exact model of a router on Windows. It is called WifiInfoView.
- Wireshark Filter Reference: Wifi Protected Setup
- Examples of Wireshark Wi-Fi (WLAN, IEEE 802.11) filters
- How to hack Wi-Fi in Windows (88.3%)
- 3WiFi: open database of Wi-Fi Access Points passwords (88.3%)
- How to detect all Wi-Fi devices in the area? (62.7%)
- Automatic search the database of hacked access points (56.5%)
- How to hack routers in Windows (Router Scan by Stas’M manual) (54.2%)
- How to perform selective jamming of Wi-Fi networks and clients (DoS attack on individual access points / clients) (RANDOM - 22%)