bktruss / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

Breaking thru the WPS locked barrier. #675

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
    The following two(2) script files are meant to be used with kali-linux 1.09 in an attempt to break thru WPS locking.  
These scripts ARE NOT MAGIC BULLETS!!! Success is case by case router by 
router. Users will have to test each router after  reading the help files. Two 
methods are employed

Method One

varmacreaversav99-3.zip contains:

    1. varmacreaversav99-3.sh
    2. varmacreaversav993-help.txt
    3. maclistreaversav

     It allows users to target up to 50 routers. The automated script tries to collect pins from all targets entered in the maclistreaversav config file. Help files are provided as a separate text file and also embedded in the configuration file.

   You can down this script at:

    http://www.axifile.com/en/91AF3E59AD

Method Two

WPS Special Tools - File contains

     1. varmacreaver-mdk-006.sh
     2. maclistreavermdk

You can dowload at

http://www.axifile.com/en/DCA5819C59

      With the router showing a locked state at all times.

      1.  Begin the attack by attempting to collect pins. Most importantly we added the -L command (ignore locks) to all the reaver command lines.

      2. We used a long reaver command line as suggested by the author of autoreaver but other command line variations are available:

          reaver -i mon0 -a -f -c 1 -b 55:44:33:22:11:00 -r 3:10 -L -E -S -vv -N -T 1 -t 20 -d 0 -x 30 --mac=00:11:22:33:44:55

      3. Reaver should run for approximately 300 seconds. 

      4. Reaver then shuts down and three(3) device monitors mon0,mon1.mon2 are employed each with their own individual mac addresses

      5. Three mdk3 DOS attacks are run against the router simultaneously for approximately 30 seconds

      6  All programs are cleared, all mac addresses are changed and reaver is restarted
Musket Teams

Original issue reported on code.google.com by muskette...@gmail.com on 1 Nov 2014 at 11:06

GoogleCodeExporter commented 9 years ago
You will find that pin harvesting ?MAY? eventually start even though the router 
is showing a locked state. This will proceed for a period and then stop. We 
suggest 300 to 500 seconds as a reaver live time setting.  Keep the mdk3 live 
time low at first around 30 to 45 seconds. If you run it too long the router 
disappears or freezes but does not reset.
      7. The router may jump channels so you could set the channel to 0 (i.e. zero) in the maclistreavermdk config file. This will cause reaver to channel hop till it finds the target.

      Before running the script open the maclistreavermdk file with a text editor like leafpad and enter the information required. There is help embedded in this file for each entry.

      If you place both files in root you can just run the script and watch it for a while to get the sequence of events. You will need to plug in a wifi device supporting packet injection or the script will not run.

      You can monitor the attack and fine tune the settings as the program is running. Just open the maclistreavermdk file, adjust the setting and save the file. At the end of each run this configuration file is reloaded whereupon these new settings take effect.

       We wish to Thank the following kali-linuc forum members soxrox2212 for starting this adventure., Wn722 for the vision of this attack and for shoving our collective heads back into the WPS rabbit hole again. And the author of auto-reaver for the valuable reaver suggestions provided.

Original comment by muskette...@gmail.com on 1 Nov 2014 at 11:39

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Musket Teams have released the latest WPS intrusion device.  

      For details go to:

      http://www.kalilinux.net/community/threads/new-wps-locked-intrusion-script-using-reaver-mdk3-and-wash.1599/

      Download VMR-MDK009.zip at

          http://www.axifile.com/en/5C34EBC933

        MTeams

Original comment by muskette...@gmail.com on 15 Nov 2014 at 5:56

GoogleCodeExporter commented 9 years ago
All the links appear to be dead, but this thread is quite current - what gives? 
I'm concerned, because this is great work! 

Original comment by velkrosm...@gmail.com on 3 Dec 2014 at 12:24

GoogleCodeExporter commented 9 years ago
All the links appear to be dead, but this thread is quite current - what gives? 
I'm concerned, because this is great work! 

Original comment by velkrosm...@gmail.com on 3 Dec 2014 at 12:24

GoogleCodeExporter commented 9 years ago
First thanx for the heads up. We are trying to find another site to host
these files. Furthermore we have a VAR-MDK009x.sh about ready for release.
We will send you a copy directly when completed.
 If you have any ideas about places to post these files please suggest.

MTeams

Original comment by muskette...@gmail.com on 12 Dec 2014 at 11:24

GoogleCodeExporter commented 9 years ago
I could put these on my mega upload account and share the link here. I also 
have a few Google drive accounts I could use. 

I just need the 3 downloads first! Please email to Dr.hennessey1@gmail.com

Thank you!

Original comment by DR.henne...@gmail.com on 12 Dec 2014 at 11:31

GoogleCodeExporter commented 9 years ago
Again our team did not know the link was broken so thanks for the heads up. We 
are slowly reposting older files.

Here is a link to VMR-MDK009j.sh

http://www.datafilehost.com/d/ec0c478c

    However check here again in a week or two we are testing x version as we speak. And this can work just not on every router. If the router gives up some pins then stops and then when hit with mdk3 again provides pins the router is susceptible to this approach. Pay no attention to the locked state just test the router for pin harvesting.

     Adjust the -r x:y mdk3 time and pause times. To much mdk3 can bury these routers. 

Musket Teams

Original comment by muskette...@gmail.com on 12 Dec 2014 at 12:38

GoogleCodeExporter commented 9 years ago
  One correction to the above we find mdk3 time in the 10 to 20 sec range many times freezes the router just enough to allow pin collection while 30 to 45 second buries some routers

MTeams

Original comment by muskette...@gmail.com on 12 Dec 2014 at 12:41

GoogleCodeExporter commented 9 years ago
The link to varmacreaversav99-3.sh is listed below. The program is not meant to 
break routers when the router is in a locked state.

http://www.datafilehost.com/d/88864143

Original comment by muskette...@gmail.com on 12 Dec 2014 at 1:00

GoogleCodeExporter commented 9 years ago
Great job! tell me if these scripts Musket Teams replace: 
atrophy.sh
ReVdK3-r2.sh
ryreaver-reverse.sh
FrankenScript2

thanks you!

Original comment by deltomaf...@gmail.com on 13 Dec 2014 at 8:53

GoogleCodeExporter commented 9 years ago
The VMR-MDK009 was written to take advantage of a small subset of routers
which show a locked WPS state BUT still provide a small number of pins.

   Atrophy was written by us BUT it was an attempt to reset a router thus
unlocking the WPS system. We never had much luck with this approach and
abandoned the idea as impracticable in our areas of operation.

To our knowledge ReVdK3-r2.sh and FrankenScript2 also attempts to reset the
router thus unlocking the WPS system,

We are not sure where to place ryreaver-reverse.sh It doesnot save its work
so testing it is difficult. It is on our list of things to do. It also
seems to only work with i386 version of kali-linux. We hoped the author
would finish the work but that has not happened

     We are about to release VMR-MDK009x.sh just as soon as we can get all
the help files and configuration files cleaned up. The program itself has
been tested and ready to go. Maybe a week or two.

     We are also hoping someone will code in pixie-dust so we can play with
this approach at the field level.

      We have seen some interesting results with our 99:99% reaver replay
attack and are running test as we speak. If the results are positive we
will publish said results. We know the 99.99% works so we are now trying to
induce it in WPS locked routers.

MTeams

Original comment by muskette...@gmail.com on 14 Dec 2014 at 12:42

GoogleCodeExporter commented 9 years ago
Musket Teams wish to RETRACT the following statement concerning the inability 
of ryreaver-reverse to save sessions and provide the solution.

Using Kali-linux1.09a i386 Hardrive install

Placing ryreaver-reverse in root

Run

./ryreaver-reverse -i mon0 -c 11 -b 55:44:33:22:11:00 -vv -x 60 
--mac=00:11:22:33:44:55 --session=55:44:33:22:11:00

In this case the --session= command will look for the existance of a file named 
55:44:33:22:11:00 in root. If no file name seen it will write a file of same 
name.

On restart if file seen in root it will state:

    Restored previous session and start the attack from the last pin.

MTeams 

Original comment by muskette...@gmail.com on 15 Dec 2014 at 1:30

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
For using script had to change the Eterm by xterm and remove --cmod parameter,  
and worked correctly on my Debian Jessie. The question is where is saved the 
session Reaver? When finished cycles what happens?

Original comment by deltomaf...@gmail.com on 16 Dec 2014 at 12:52

GoogleCodeExporter commented 9 years ago
The program writes a log file of the reaver screen output in the VARMAC_LOG
folder which is made at program start.

You should find three(3) folders

VARMAC_LOGS
VARMAC_CONFIG
VARMAC_WASH

You might just try installing Eterm. Better yet just make a persistent usb
install of kali-1.09a.

The --cmod  is just an easy way to remove all the crazy ant screens Eterms
uses that take you back to the 60,s

Original comment by muskette...@gmail.com on 16 Dec 2014 at 1:11

GoogleCodeExporter commented 9 years ago
yes, i install Eterm still did not process anything. with Xterm is going well!
just like find way to force xterm to open in workspace 2 or 1 not in active 
workspace, i am studying this with devilspie. VARMAC_WASH not find here. if I 
cancel the script restore session?

Original comment by deltomaf...@gmail.com on 16 Dec 2014 at 2:59

GoogleCodeExporter commented 9 years ago
There is any invalid parameter on the ifconfig line. Always occurs the output:
  Assigning a random mac address to wlan0.
Current MAC:   5e:bd:82:f4:1f:b8 (unknown)
Permanent MAC: 00:16:44:13:0f:61 (LITE-ON Technology Corp.)
New MAC:       26:55:d5:ad:77:42 (unknown)
Usage:
  ifconfig [-a] [-v] [-s] <interface> [[<AF>] <address>]
  [add <endereço>[/<tam_prefixo>]]
  [del <endereço>[/<tam_prefixo>]]
  [[-]broadcast [<endereço>]]  [[-]pointopoint [<endereço>]]
  [netmask <endereço>]  [dstaddr <endereço>]  [tunnel <endereço>]
  [outfill <NN>] [keepalive <NN>]
  [hw <HW> <endereço>]  [metric <NN>]  [mtu <NN>]
  [[-]trailers]  [[-]arp]  [[-]allmulti]
  [multicast]  [[-]promisc]
  [mem_start <NN>]  [io_addr <NN>]  [irq <NN>]  [media <tipo>]
  [txqueuelen <NN>]
  [[-]dynamic]
  [up|down] ...

  <HW>=Tipo de Hardware.
  Lista dos tipos possíveis de hardware:
    loop (Loopback Local) slip (SLIP) cslip (SLIP VJ) 
    slip6 (SLIP 6 bits) cslip6 (SLIP VJ 6 bits) adaptive (SLIP Adaptativo) 
    ash (Ash) ether (Ethernet) ax25 (AX.25 AMPR) 
    netrom (NET/ROM AMPR) rose (AMPR ROSE) tunnel (Túnel IPIP) 
    ppp (Protocolo Ponto-a-Ponto) hdlc ((Cisco)-HDLC) lapb (LAPB) 
    arcnet (ARCnet) dlci (Frame Relay DLCI) frad (FRAD - Dispositivo de Acesso a Frame Relay) 
    sit (IPv6 sobre IPv4) fddi (FDDI - Fibra Ótica) hippi (HIPPI) 
    irda (IrLAP) ec (Econet) x25 (generic X.25) 
    eui64 (Generic EUI-64) 
  <AF>=Família de endereços. Default: inet
  Lista de famílias de endereços possíveis:
    unix (UNIX Domain) inet (DARPA Internet) inet6 (IPv6) 
    ax25 (AX.25 AMPR) netrom (NET/ROM AMPR) rose (AMPR ROSE) 
    ipx (Novell IPX) ddp (Appletalk DDP) ec (Econet) 
    ash (Ash) x25 (CCITT X.25) 
  Assigning wlan0 mac address to mon0. 
GNU MAC Changer

Original comment by deltomaf...@gmail.com on 16 Dec 2014 at 4:57

GoogleCodeExporter commented 9 years ago
Gives the output of ifconfig but it is working!

Original comment by deltomaf...@gmail.com on 16 Dec 2014 at 7:32

GoogleCodeExporter commented 9 years ago
First the program was written using kali-linux1-09a which was updated and 
upgraded.

There are approx 10 to 20 ifconfig commands used to spoof and add random mac 
addresses to wlan0 mon0 mon1 and mon2. Also there is a rather convuluted 
process to circumvent the neg one issue. Reaver also relies on these random, 
spoofed mac addresses.
  The spoofed mac address can be seen in the program menu when reaver stage one and two is running. You might just type ifconfig in a terminal window while stage one or two reaver is running and see if the mac in the terminal window theu ifconfig is the same as shown in the program menu. It they are different mac addresses seen reaver probably will not run.
   All these processes work fine in kali-linux

Original comment by muskette...@gmail.com on 17 Dec 2014 at 9:55

GoogleCodeExporter commented 9 years ago
the reaver was not automatically reload a previous session when the reaver 
stage begins, installed Reaver version 1.5 resolved!

Original comment by deltomaf...@gmail.com on 18 Dec 2014 at 11:59

GoogleCodeExporter commented 9 years ago
The following VMR-MDK009x2.sh has been written to take advantage of a flaw in 
some WPS locked routers allowing the collection of pins even though reaver and 
wash show the router is locked.

The downloaded includes extensive helpfiles and has been tested against 
numerous routers showing this flaw. All were cracked.

Also included in the help files is how to handle the 99.99% problem which 
occurs in almost half of the successful attacks against routers providing small 
numbers of pins when the WPS system is locked. Details are also included 
in the help files. 

Download the zip package at

http://www.datafilehost.com/d/b6af2928

MusketTeams

Original comment by muskette...@gmail.com on 7 Jan 2015 at 12:04

GoogleCodeExporter commented 9 years ago
Reference the download VMR-MDK009x2.sh above

We have found an error in one configuration file named:

     configfiledetailed1x2

You can REM/COMMENT out with a # the following two(2) variables

USE_PIN1=  should read #USE_PIN1=
WPS_PIN1=  should read #WPS_PIN1=

or you can download the corrected version

New Download

http://www.datafilehost.com/d/18156813

Musket Teams

Original comment by muskette...@gmail.com on 8 Jan 2015 at 12:18

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
The program was written in kali-linux 1-09a. We  downloaded the file and
checked it and it ran fine.  Go to the bottom of the thread and download
the latest but this should no affect that part of the program. Give us more
info and maybe we can help you.

MTeams

Original comment by muskette...@gmail.com on 27 Jan 2015 at 9:06

GoogleCodeExporter commented 9 years ago
This program requires awk and maybe gawk be installed in your linux distro

Original comment by muskette...@gmail.com on 31 Jan 2015 at 3:00

GoogleCodeExporter commented 9 years ago
Hi, can you pls explain step by step how to use it. I downloaded the latest 
version but i don't know which file to run. I run a file called VMR-MDK009y2.sh 
and i follow what the option says there, but at the end i don't quite 
understand what is doing, it seems like its associating with the AP but i don't 
see it trying pins.

Original comment by 00ReMeD...@gmail.com on 10 Feb 2015 at 7:26

GoogleCodeExporter commented 9 years ago
Hi muskett do you know if this will run in xiaopan? So. Some scaled down 
syndrome version of Linux? 

Original comment by phraze2a...@gmail.com on 19 Feb 2015 at 9:29

GoogleCodeExporter commented 9 years ago
How do I run the scripts :P Im new. 
I have kali linux 

Thank you !

Original comment by fraf...@gmail.com on 25 Feb 2015 at 9:41

GoogleCodeExporter commented 9 years ago
Hey Musket Team, I have a couple of suggestions / errors i want to mention for 
the betterment of the future program. First, the Random mac assigned to wlanX 
and monX do not work as in every time reaver tries to connect to a router using 
the random mac assigned, it gives an error of "WARNING: Failed to associate 
with XX:XX:XX:XX:XX:XX". I've always encountered this problem when i try to 
assign a random mac manually and using reaver or even when using ReVdK3-r2.sh, 
which also contained random mac assign. I took the time and edit some lines in 
ReVdK3 so it does not assign random macs, and everything works perfect, which 
is the closest i got to cracking a router that experiences WPS lock. I'm 
willing to try and test your program but first, please add the option if the 
user wants to change the mac to random or not. And about the error part (I 
don't know if this is because my reaver does not even advance into the first 
pin because of random mac error i mentioned or if its just a program error) but 
it mentions "Reading VARMAC_LOGS/"Essid Name"-150306-20:47-00005: No Such File 
or directory". Ive used the "VMR-MDK009y2.sh" with Bash command to start it. 
The additional file I've used was "configfiledetailed1x2". My wireless stick is 
"TP-Link TL-WN321G". My OS is "kali-linux-1.0.6-amd64". Thanks in advance. 
-Killz   

Original comment by killzal...@gmail.com on 7 Mar 2015 at 2:07