Varmacreaver.sh Available For Free Download



mmusket33
2013-12-04, 02:27
The following program called varmacreaver (i.e. variable MAC Reaver) was developed to explore flaws in the WPS locking system. The program NEVER WORKED against WPS locked routers as we could find no way to force the router to be remotely reset. However in cases where:

1. Reaver ran normally then would spin hopelessly in an EAPOL hang until the program was restarted.
2. The router was at extreme range.
3. The key flow was interrupted constantly by a temperamental or sticky router.


Varmacreaver.sh can keep the crack working. It can unstick these long EAPOL hangs and sticky routers and keep the key flow progressing. Our Team has decided to release this program for general use. This is NOT a new Reaver Program. Your existing Reaver 1.4 must be installed. We still think that the latest Reaver is the WPS Tool of choice in most cases. If Reaver fails you might try bully as this alternate WPS cracking program has a brute force option.

Before choosing to use the varmacreaver.sh program against a router, try exploring the alternatives given in the Reaver command line FIRST, and especially the -r x:y command (see Reaver help files). If the problems still exist, you can try varmacreaver.sh. The varmacreaver.sh program is not a magic bullet, just a tool. If you are not getting any keys at all, i.e. no response from the router, varmacreaver.sh cannot help you.

If you allow in the permissions for the file to be run as a program then you can run it from root or place in the /user/bin folder and type varmacreaver.sh in the terminal window.

Run varmacreaver.sh and go thru the menu options. Once you have given the program the info required, it will start Reaver for the period of time you selected, then shut down, change the MAC code randomly and then restart Reaver. We were forced to use the -o command, writing the program output to a file. Therefore once started you must access the files written to root, as Reaver screen info is piped to a text file, not to the screen. Output in text form is necessary as the key, once found, might be lost in the constant startup and shutdown that occurs.


Varmacreaver.sh allows you to set the:

1. Length of time between startup-shutdown-restart
2. -r x:y commands (see Reaver help files)
3. Total number of start-shutdown-restart cycles you require
4. Name of the text file showing Reaver output; the files will be numbered automatically. Just enter a file name when asked and the files will be numbered for you.
5. There is some limited error handling for MAC code entries etc.

When started, a status page is seen which changes with each startup and shutdown.

Reaver saves its work regardless of whether you employ varmacreaver.sh OR just use the Reaver command line. In some cases when reception is good or the key flow rate is fast, just use the standard Reaver command line; you do not need to use varmacreaver.sh. However when EAPOL hangs start occurring and key rates drop or get erratic, we suggest you try varmacreaver.sh. When the problem goes away, stop varmacreaver.sh and continue from a Reaver command line in a terminal window.

You can download the file at:

http://www.axifile.com/en/CFC3101780



You can download varmacreaver1A.sh at:


http://www.axifile.com/en/047EF3EAD5

We have found bugs in version 1A.

You can download varmacreaver1D.sh at the site listed below

http://www.axifile.com/en/5151495380


See page three this thread for program additions and comments

This Is a Musket Team Release

mmusket33
2014-01-03, 10:20
We have received mail stating the above link does not work. Readers note we successfully downloaded the file on 3 January 2014 with no problems.

testingresults
2014-01-05, 07:04
Doesn't work for me

shaberu
2014-01-05, 09:52
Nope, still doesn't work.

soxrok2212
2014-01-06, 00:26
I'm getting an error too, right after I click download.

mmusket33
2014-01-06, 03:46
We downloaded on 6 Jan at 0342 GMT using XP and Internet Explorer 8. However, if this does not work for some, we can post elsewhere; any suggestions on where to post?

shaberu
2014-01-06, 06:52
dropbox.com, mega.co.nz, googledrive, torrent it if needed lol

mmusket33
2014-01-06, 11:43
We are rewriting varmacreaver.sh as we speak and will try reposting to another site. Our time is limited, so if posting these files at these other sites becomes laborious we will advise. We would love to post to torrents but never figured out how to post; we only know how to download.

VinnyG
2014-01-06, 17:28
First time I tried downloading I had an error; I tried a couple more times and got it.

johannessch
2014-01-12, 13:12
Hey
Pls post a link for download varmacreaver.sh!
I need this quick!
Regards

brazen
2014-01-31, 05:42
can you just upload this to 0bin.net ?
it's the best way I know for people to download.

mmusket33
2014-02-01, 01:56
Thank you Brazen. We are about to provide an updated version of this program. We will give it a try.

mmusket33
2014-02-02, 11:57
Varmacreaver has been updated and is available for download.

This updated varmacreaver1.1.sh can be downloaded from either of these two (2) locations.

From 0bin.net:

http://0bin.net/paste/f1cOAjtwW7ovA3AC#tjVOZCjoFCVqMENu7fOY7vEYP1wdaYh3PXVywkk20rE=

And at axifile:

http://www.axifile.com/en/5CA5526F8A

Musket Team Alfa


bigal
2014-02-05, 01:41
I got the new version of your script.

The router I am working with, a Thompson, locks WPS for 10 min.

I am not sure what triggers the WPS lock, but I want to try with same mac 9 times, change mac try another 9 times etc....

I can't quite work out if I can make varmacreaver do this.

Cheers

-Al

mmusket33
2014-02-05, 13:52
Dear Bigal,

First WPS locking is triggered by the firmware in the router. What triggers this lock is normally a set number of pin requests. We have found 10 to be the number that routers in our area lock at.

As we noted at the beginning of this thread, varmacreaver would only work if the router linked the pin requests to the MAC address. We have never found a router that responded this way. All routers we have come across lock after ten pin requests regardless of MAC address source.

Currently the only way to unlock a WPS locked state is to remotely reset the router. This can sometimes be done with a combination of mdk3 attacks.

In this Linux section, go to the thread titled mdk3 secret destruction mode and download atropy.sh. You can run this against the target router and see if you can reset it and unlock the WPS.

Next go to FrankenScript thread and download the latest. We could not get 3.1 to run so if you have any problems just download the older version.

Frankenscript has a WPS default pin attack. You would then reset the router with atrophy and then try the default pins provided by FrankenScript. Remember you would only get 10 attempts before the WPS system locks so you want to try the default pins first as a brute force would require approx 1000 resets or more to brute force over 10,000 pins.

We are hoping the author of Frankenscript will write a mdk3 reset module into the program so keep watching these threads. But at present a combined arms approach using atrophy and Frankenscript could work.


You could try to brute force the key OR go WPA phishing. Our team has provided WPA phishing tools; look in the aircrack-ng forums or kali-forums. We suggest you use the WPA phishing attack using pwnstar together with the WPA router pages. Lengthy help files are provided.

Any questions, write and we will try and explain it better.

MTA
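As an added illustration (not code from the thread, from varmacreaver.sh or from any router firmware), the Python model below contrasts the AP-global WPS lockout counter the posts describe with the hypothetical per-source-MAC counter varmacreaver was written to probe for, using the thread's figures of about 10 pin requests before a lock and a 10-minute lock; the policy classes, the one-request-per-second rate and the simulated MAC addresses are constructed here. It shows why rotating the MAC gains nothing against a global counter, and which design a firmware author must avoid.

```python
"""Model of two WPS PIN-request lockout policies.

Added illustration; not code from the thread, varmacreaver.sh or any router
firmware.  The thread's figures are used: about 10 PIN requests before the AP
locks WPS, and a 10-minute lock.  The policy classes, the attempt rate and the
simulated source MAC addresses are all constructed here.
"""
from dataclasses import dataclass, field

LOCK_THRESHOLD = 10   # PIN requests before WPS locks (thread: routers lock at ~10)
LOCK_SECONDS = 600    # lock duration (thread: Thompson router locks for 10 min)


@dataclass
class GlobalLockout:
    """Counter kept on the AP itself: requests from every source MAC add to it.
    This is the behaviour the thread reports for every router encountered."""
    failures: int = 0
    locked_until: float = 0.0

    def attempt(self, src_mac: str, now: float) -> bool:
        """Return True if the AP processes this PIN request, False if it is
        dropped because WPS is locked."""
        if now < self.locked_until:
            return False
        self.failures += 1
        if self.failures >= LOCK_THRESHOLD:
            self.failures = 0
            self.locked_until = now + LOCK_SECONDS
        return True


@dataclass
class PerMacLockout:
    """Hypothetical weak policy: a separate counter per source MAC.  This is the
    flaw varmacreaver was written to probe for; the thread never found a router
    that behaves this way."""
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def attempt(self, src_mac: str, now: float) -> bool:
        if now < self.locked_until.get(src_mac, 0.0):
            return False
        n = self.failures.get(src_mac, 0) + 1
        self.failures[src_mac] = n
        if n >= LOCK_THRESHOLD:
            self.failures[src_mac] = 0
            self.locked_until[src_mac] = now + LOCK_SECONDS
        return True


def accepted_attempts(policy, rotate_every: int, seconds: int) -> int:
    """Simulate one PIN request per second for `seconds` seconds.  The source
    MAC (constructed, in the locally administered 02:.. range) changes every
    `rotate_every` requests; 0 means it never changes.  Returns how many
    requests the AP actually processed."""
    accepted = 0
    for t in range(seconds):
        idx = t // rotate_every if rotate_every else 0
        src_mac = f"02:00:00:00:{(idx >> 8) & 0xFF:02x}:{idx & 0xFF:02x}"
        if policy.attempt(src_mac, float(t)):
            accepted += 1
    return accepted


if __name__ == "__main__":
    hour = 3600
    print("global counter, MAC rotated every 9 requests:",
          accepted_attempts(GlobalLockout(), 9, hour))      # 60
    print("per-MAC counter, MAC rotated every 9 requests:",
          accepted_attempts(PerMacLockout(), 9, hour))      # 3600
    print("per-MAC counter, MAC never rotated:",
          accepted_attempts(PerMacLockout(), 0, hour))      # 60
```

With the global counter an hour of continuous requests yields only 60 processed pins whatever the MAC does, which matches the roughly 1000 resets per 10,000 pins the post estimates for a brute force.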

mmusket33
2014-02-05, 14:55
Dear Bigal,
We are very sorry, we have been surfing all day and totally misread your post. Varmacreaver cannot make only 9 requests, but you can set the time it runs before a MAC change occurs. Hence you could set the time at 60 seconds, see how many requests were made and then adjust accordingly. We have never seen a router act this way and find your post extremely interesting. This router is crackable; it will just take more time. We have run attacks that went on for months against routers that were on only occasionally. Please let us know if changing the MAC code affects the locking.

slim76
2014-02-05, 17:29
Hello matey.

Just a heads up, FrankenScript already has a mdk3 router reset function built into it.
To use it you need to select the custom reaver option instead of the default pin option.
I should be uploading an updated version of FrankenScript tonight if all goes well.

mmusket33
2014-02-06, 01:24
We downloaded the paste bin three times. We continue to get the same error messages when we run the script. We went thru your mdk3 coding and see that you have followed soxrox advice and added a multivector mdk3 deauth. However as stated we cannot get the program to run and continue to get the same error messages as mentioned. We are running from root. The main menu displays then a series of error messages follow then the screen starts blinking. We tested it on three different computers to include a persistent usb install.

slim76
2014-02-06, 09:47
I was going to upload the updated version last night, but I'm still having issues with something that should be very simple.
I can't rename a file without it putting a space in the file name. I'll upload it as soon as I solve the issue.

brazen
2014-02-06, 21:58
musket... great stuff... thanks for the share!

mmusket33
2014-04-11, 00:49
After dealing with the vagaries of sticky and unresponsive routers, Musket Teams have expanded the functions in varmacreaver in an effort to improve WPS pin harvesting.

The following has been added to the existing program:

1. The ability to send a short deauthorization burst prior to starting a Reaver attack cycle. We have found routers which were initially unresponsive to Reaver requests for keys began to respond when deauthenticated.

2. Assigning a specific mac address. In some cases if a client is seen associated to the target router which has been unresponsive, spoofing the mac address of the client results in WPS pin harvesting.

3. Running an aireplay-ng fake authentication in parallel with Reaver to help stimulate router response.

4. Running Airodump-ng to improve monitoring of the attack.

5. Installing a countdown timer on the main attack page to allow fine tuning of the -r x:y command and adjusting attack cycle length.

You can download varmacreaver1A.sh at:

http://www.axifile.com/en/047EF3EAD5

Musket Teams A and D

itmanvn
2014-04-14, 03:26
Thank you Musket!

mmusket33
2014-04-18, 13:58
We have found bugs in the fixed mac module. We are still testing these versions trying to smooth out the key harvesting.

You can download varmacreaver1D.sh at:

http://www.axifile.com/en/5151495380

ll1312ll
2014-05-09, 06:20
Could you add an option to specify an ESSID for hidden network names?

mmusket33
2014-05-10, 11:43
We will do this - but we will need your advice as we have no way of testing the command string to see if it is functioning properly and all our scripts are tested prior to release. So our question(s) is/are as follows:

For hidden -essid names

1. Should we leave the mac address in the command string and just add an essid entry or remove the mac address and replace it with the essid entry. Or should there be options for both?

Please expand on this theme any way you wish that you think would be helpful. Putting these options in the script should take little time once we get an idea what you require.

MTB

gismo
2014-07-06, 19:32
@mmusket33 Thanks! This is certainly helping my efforts!

One concern/issue I have that may be worth adding to varmacreaver is the ability to change channels and/or test for a channel change of the AP. Quite often I'm finding that after about 30 minutes or so, the router will change channels and then varmacreaver will continue to run and all the logs will say failed to associate after the channel change. I have to close and restart the process. In my case, the router jumps between the same two channels. Is there a way to automate a channel change so varmacreaver can continue to run unattended?

A few other comments:


I can't use wash directly from the program. I need to append --ignore-fcs. Can you add an option or detection for this?
I've read that airmon-zc works better for some people. It "seems" to work better for me, but varmacreaver with airmon-ng seems good. Any thoughts on this?
Also, in AIREPLAY-NG FAKEAUTH there are some errors, but it doesn't seem to heavily affect Reaver that I can tell:


No Source MAC (-h) specified. Using the device MAC (xx:xx:xx:xx:xx:xx)
Waiting for beacon frame (BSSID: yy:yy:yy:yy:yy:yy) on channel -1
Couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch
Please specify and ESSID (-e)

xx.. mac is the "Random Mac Address"
yy.. is the target AP mac Address
Thanks,
Gismo.

mmusket33
2014-07-07, 11:17
To gismo,
Musket Teams need to rewrite this script to handle negative-one errors. We have noted your comments and will try and augment as time permits.

We ran a test and changed all the airmon-ng entries to airmon-zc. The program seemed to run but we got some very strange wifi and monitor designations. Furthermore macchanger did not seem to like airmon-zc. The eterm windows did seem to run correctly though.

As to scanning for channel hopping, we will have to give that a bit of thought. You might take a look at auto-reaver; you can find the download and how to rewrite it so it will run in Kali in the forums. This is not our work and we are studying this program's potential as we speak.

MTA

gismo
2014-07-07, 13:42
Hey MTA,

Thanks for the quick reply!(I appreciate that.) Thanks for doing some testing as well. Yea, I agree, the monitor designations get funky with airmon-zc. In using it with reaver, manually, the monitor was wlan0mon. Then I would reset everything to change the channel and somehow wlan0 would get renamed to wlan0mon. So when restarting monitor mode, it would become wlan0monmon. Anyway, I'm sure there's a fix for that or a way to clean it up, but I couldn't figure it out. I guess I'm wondering if there is any actual benefit or reasons to use ng or zc.

Another thing I am testing is ReVdK3-r1. So far results are promising. Using the EAPOL start requests to reset the lock (Option 2) seems to be working much faster than varmacreaver alone at this point. Have you considered bundling this into varmacreaver? ...or injecting varmacreaver inside this tool.

thread link: https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode

Thanks!
Gismo

0E 800
2014-07-07, 23:19
@gismo; @mmusket

I really appreciate the reaver helper scripts that have been coming out. I was hoping that if a consolidation of reaver helper scripts did occur; that you could make the scripts able to run from any terminal and not specifically set to one particular terminal client (ie: gnome-terminal).

Below is an example of how I was able to make Revdk3-r1.sh work without requiring gnome-terminal. The end result was that the whole script ran from a single terminal window.

Example taken from Revdk3-r1.sh:


gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e "mdk3 $MON1 a -a $MAC -s 200" & gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e "mdk3 $MON2 a -a $MAC -s 200" & gnome-terminal -e --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e "mdk3 $MON3 a -a $MAC -s 200";

Modified to look like:


mdk3 $MON1 a -a $MAC -s 200 & mdk3 $MON2 a -a $MAC -s 200 & mdk3 $MON3 a -a $MAC -s 200;

I just did a quick hack-job on the script so I still have to ctrl-c & ctrl-z when I want to get the script to stop. It still beats having windows pop up and it allows the script to be able to be run from other terminal clients.

Another suggestion would be to optionally have the script connect to the router using wpa_cli:

wpa_cli wps_reg [ap mac-add] [wps pin#]
dhclient wlanX

Best regards,

mmusket33
2014-07-08, 12:42
To gismo,

First we have not had time to test Revdk3-r1.sh. The reason is that we have not found any combination of mdk3 attacks that will reset the routers in our areas of operation that have WPS locked states. Again this is not the fault of Revdk3-r1.sh, as resetting routers is a case by case affair.

Your comments about bringing many of these programs under one roof are noteworthy, and both Revdk3-r1.sh and Frankenscript seem to be moving in that direction. We think the real breakthrough with Reaver will come when the author of mdk3 gives us more potent tools to reset routers remotely.

MTA

mmusket33
2014-07-08, 12:52
To 0E 800

We do not know why the author of Revdk3-r1.sh used gnome-terminal rather than xterm or, even better, Eterm, but it is his or her script. We wish to point out that Musket Teams are not the authors of Revdk3-r1.sh. You might direct your comments to the author in one of his or her threads.

MTC

Attilafx
2014-07-11, 12:57
Dear Musket team, thank you for this script.
I am currently testing it on my spare router but found that your script has a fault in it so I added something to it.
The issue was, when a user would have chosen wash -i mon0 to scan the network for WPS, you would receive an error like
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...

I've started up my vi editor and added the --ignore-fcs argument.
So it looks like this now.
Eterm -g 80x30-1-210 --cmod "red" -T "WASH" -e sh -c "wash -i $MON --ignore-fcs; bash" &

keep up the good work.

mmusket33
2014-07-13, 09:52
Thanx Attilafx,

We suggest you also explore other authors' programs such as Revdk3-r1.sh, autoreaver and Frankenscript. Each of these programs has its uses and strengths.

Musket Teams

Tacman
2014-08-28, 20:28
Hi, thanks for the Varmacreaver script. It seems to be working fine for me, but now I'm locked out so I wanted to wait a while and resume the session later. Is that possible and if so, how do I do this?

mmusket33
2014-08-30, 07:46
To Tacman

You can try and reset the router using mdk3. There is a thread entitled mdk3 secret destruction mode that you can read thru. There are several programs. The latest is Revdk3-r1.sh. We have not tested this version, although the previous versions' approach seemed solid enough. But resetting routers is a case by case affair.
If the router opens up you might try the WPS facility in Frankenscript. The only other solution is to collect a handshake or try WPA Phishing or find another target.

MTeams

war_pi
2014-09-09, 03:18
It would be great to have the varmacreaver script working on the kali linux raspberry pi.

jerry.goyal
2014-12-17, 11:55
Has this script worked for anybody? Because in my case WPS lock occurs.

mmusket33
2014-12-24, 02:15
To jerry-goyal

For WPS locked routers go to wps-reaver issue 675. Scroll down to the bottom as there is a new link. varmacreaver.sh is not designed to handle WPS locked routers. Furthermore the x version will be released soon.

Starship
2016-10-22, 22:08
Hi, I try to launch it, but it shows not found errors (see the attachment).
Any help would be appreciated.


mmusket33
2016-10-23, 03:34
To Starship

This is an older program no longer supported. Try varmacscan-K1-2-2016-3-3.sh and/or the VMR-MDK series. The links are available in these forums. There are also other good programs written by others.

MTeams

Starship
2016-10-23, 16:46
OK, I'll give it a try, thanks for replying.

zam
2017-02-27, 02:01
The links no longer work. Axifile itself is unresponsive. "This site cannot be reached"

mmusket33
2017-02-28, 12:28
To zam

This is an old program no longer supported. Suggest varmacscan or VMR-MDK. If you just wait approx 48 hours MTeams is about to release varmacscan-K1-K2-2016-5-4.sh with more features. Two robotic scripts are running thru final tests as we speak. We will post the links in this forum.

Musket Teams