** under construction **



Original thread by the creator, slim76
FrankenScript by Slim76 - It Attacks Access Points and .pcap files (https://forums.kali.org/showthread.php?19913-FrankenScript-by-Slim76-It-Attacks-Access-Points-and-pcap-files)
and to download latest build
http://www.mirrorcreator.com/files/DHEDYWHS/
FrankenScript_v3.1(Updated_9-10-14).deb 1,04 MB (1*099*704 bytes)



FrankenScript, is a script designed to facilitate wireless network auditing under Kali Linux on WEP and WPA/2 protected network access points(APs), liberating the user from the tedious task of building elaborated command lines, as some of these attacks can be quite complex, invoking programs such as Reaver or Bully for WPS's. Crunch, Pyrit and Cowpatty for hash cracking on ATi/AMD Stream or nVidia CUDA enabled systems.


Start in the console with

fs3.sh


Problems / Solutions

~Problem downloading FrankenScript from mirrorcreator.com.
Once you get on mirrorcreator.com, scroll down the page and choose 1Fichier, then click on: "Your preferred download link is ready! Click here to go to the page."
Or, here is a direct DL link http://qm5qv861tv.1fichier.com/


¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
Quick user survey

Do you use full verbose when using Reaver(-vv) or Bully(-v 3)?

Would you like the arguments list to pop up when using Reaver(reaver) or Bully(bully) to help you build your syntax?

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

Thanks for the guide and thanks Slim for creating. Question though, when using the default pin generator, I found by using the options available or pins it repeats same pin but starts at 90 percent. If pin was correct should I expect wpa key on first attempt or do I let it continue until pin is found? Although same pin is trying the percentage keeps rising. Let it finish or should I expect wpa password to dpit out immediately after first try?

Hi Defaultzero. You're welcome.

You are one step ahead of me, because that is what I get when attempting to launch Pin Gen...


There was an error creating the child process for this terminal
Failed to execute child process "/root/FrankenScript2/Scripts/
FrankenScript_AP" (No such file or directory)

Hi Defaultzero. You're welcome.

You are one step ahead of me, because that is what I get when attempting to launch Pin Gen...

You really did create a how to thread. LOL
The following two lines are incorrect,

Attack a handshake.cap file by bruteforce or by using a wordlist, it has 6 different options and should support GPU cracking.
It also has an option to force an access point to reset, BUT, I haven't tested it myself so im not sure on its limits.

Attack a handshake file doesn't have 6 options anymore, and it doesn't have the option to try to reset an access point anymore either.

NOTE:
Regarding the pin issue,
It probably isn't an issue with FrankenScript, it sounds more like a reaver or bully issue.

if it just helped some poor lost basterd to install, and start the **** thing, then it was worth it ;)

For the Pin Gen problem:

I get the big red window! Does it have anything to do with reaver or bully? Really?


[3] = AP Default Passkey Keygens.

if it just helped some poor lost basterd to install, and start the **** thing, then it was worth it ;)

For the Pin Gen problem:

I get the big red window! Does it have anything to do with reaver or bully? Really?

Are you using the 32bit version of kali?.

Kali 1.0.7 x64, fresh installation on HDD | FrankenScript2_Updated-19-7-2014.tar.gz



[3] = AP Default Passkey Keygens.

returns:

There was an error creating the child process for this terminal
Failed to execute child process "/root/FrankenScript2/Scripts/
FrankenScript_AP" (No such file or directory)

:(

I really don't know why you're getting that error message, I tested it on two different computers and I don't get an error.

This is the section you appear to be having trouble with, I can't see anything that would cause that issue.
I have noticed one thing that is an issue, routerkeygen doesn't like to work on 32bit systems.



AP_Default_Passkey_Keygens(){
clear
echo $RED"Checking for possible default passkey's, Please Wait..."$STAND
essid=$(cat $HOME/FrankenScript2/Temp_Working_Dirctory/Chosen_AP_Line.txt | awk '{ print $1 }')
bssid=$(cat $HOME/FrankenScript2/Temp_Working_Dirctory/Chosen_AP_Line.txt | awk '{ print $4 }')

$HOME/FrankenScript2/Scripts/routerkeygen -s $essid -m $bssid -q --no-gui > $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkey_Generation.txt

Thomson_O2wireless_Check=$(grep -e Thomson -e O2wireless $HOME/FrankenScript2/Temp_Working_Dirctory/Chosen_AP_Line.txt)
if [[ $Thomson_O2wireless_Check ]]; then
clear
echo $RED"Checking for possible default passkey's, Please Wait..."$STAND
python $HOME/FrankenScript2/Scripts/Thomson_O2wireless.py $essid 2012 >> $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkey_Generation.txt
fi

Belkin_Check=$(grep -e Belkin -e belkin $HOME/FrankenScript2/Temp_Working_Dirctory/Chosen_AP_Line.txt | awk '{ print $4 }')
if [[ $Belkin_Check ]]; then
clear
echo $RED"Checking for possible default passkey's, Please Wait..."$STAND
python $HOME/FrankenScript2/Scripts/belkin4xx.py -b $Belkin_Check -e Belkin.c0de >> $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkey_Generation.txt
fi

sed -i '/Testing/d' $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkey_Generation.txt
sed -i '/interrupt/d' $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkey_Generation.txt
sed -i '/Generating/d' $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkey_Generation.txt
sed -i '/match/d' $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkey_Generation.txt
cat $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkey_Generation.txt | rev | awk '{ print $1 }' | rev | sort | uniq > $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkeys.txt
rm $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkey_Generation.txt

if [ -s $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkeys.txt ]
then
Possible_Default_Passkeys=$(cat $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkeys.txt)
Network_essid=$(cat $HOME/FrankenScript2/Temp_Working_Dirctory/Chosen_AP_Line.txt | awk '{ print $1 }')
echo ""
echo $RED"Possible Default Passkeys For$STAND $Network_essid:"
echo $STAND"$Possible_Default_Passkeys"$STAND
echo ""
echo $RED"Possible passkeys have been coppied to:$STAND $HOME/FrankenScript2/APs_Possible_Passkeys/$Network_essid.txt"
echo Possible Default Passkeys For $Network_essid: > $HOME/FrankenScript2/APs_Possible_Passkeys/$Network_essid.txt
echo $Possible_Default_Passkeys >> $HOME/FrankenScript2/APs_Possible_Passkeys/$Network_essid.txt
echo ""
read -p $GREEN"Press $RED[Enter]$GREEN to continue."$STAND
rm $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkeys.txt
else
echo ""
echo $RED"No Default Passkeys Were Found"$STAND
echo ""
read -p $GREEN"Press $RED[Enter]$GREEN to continue."$STAND
rm $HOME/FrankenScript2/Temp_Working_Dirctory/Possible_Default_Passkeys.txt
fi
}

Hi Slim,


So I keep having HUGE problems with the last 2 versions of FS. Ever since you've added Bully, things don't work for me. I cannot even scan with option 1(full scan), it creates an empty 'Scanned_APs.txt', and upon exiting with q, it does not empty the Temp folder. I've reinstalled numerous times with the same results.

It won't restart Network manager upon exiting with q.

I've installed an older version of FS(FrankenScript2-10-06-2014.tar.gz) that I knew was working fine, to check if it wasn't something on my end, and everything works fine as before!

So changes that were made after that version does not work on my system at all, and I'd be very surprised if I'm the only one having such problems.

Let me know if you want me to test certain things. :cool:

EDIT:

just installed the latest FS to another Kali installation on a LiveUSB this time, to check if it wasn't something to do with my Kali installation, with the same results.

So, same hardware, different software, same results.

also... is there any chance for FS not to mess with wifi adapters that were not used by FS ?


Interface Chipset Driver

mon0 Atheros AR9271 ath9k - [phy1] (removed)
wlan1 Atheros AR9271 ath9k - [phy1]
wlan0 Intel 2230 iwlwifi - [phy0]



Interface Chipset Driver

wlan1 Atheros AR9271 ath9k - [phy1]
(monitor mode disabled)
wlan0 Intel 2230 iwlwifi - [phy0]



Interface Chipset Driver

wlan1 Atheros AR9271 ath9k - [phy1]
wlan0 Intel 2230 iwlwifi - [phy0]
(monitor mode disabled)

[ ok ] Starting network connection manager: NetworkManager already started.
root@kali:~/FrankenScript2#



It cuts my connexion upon exiting, even though I'm not using the Intel(Wlan0) for the attack/testing.

also... is there any chance for FS not to mess with wifi adapters that were not used by FS ?



It cuts my connexion upon exiting, even though I'm not using the Intel(Wlan0) for the attack/testing.

FrankenScript doesn't mess with wifi adapters that were not used by it, it will only enable and disable monitor mode for the adaptor you selected.
FrankenScript uses the command "airmon-ng start/stop wlano" to enable/disable monitor mode, maybe its that process that causes you to lose connection.

Does everything function correctly if you disconnect from your internet connection, then use airmon check kill option to automatically kill processes, then choose the auto mac address option, and then use the iw dev scan option?.

Can you also try the following commands and post back the results please,

Try:
iw dev <your-wifi-adaptor> scan (Do not put your adaptor into monitor mode and do not kill any processes).

Then try:
iw dev <your-wifi-adaptor> scan (kill processes using airmon check kill and then enable monitor mode by using airmon-ng start <your-wifi-adaptor>).

Then try:
iw dev <your-wifi-adaptor> scan (enable monitor mode by using airmon-ng start <your-wifi-adaptor> and then kill processes using airmon check kill).

Then try:
iw dev <your-wifi-adaptor> scan (enable monitor mode but do not kill processes).

Do not use FrankenScript or any other scripts to perform the above checks, manually enter the commands.

Hi slim, thanks for the time...

I will do those tests above. For now, after some experiments of my own...

1. I got Full iw-dev Scan to work finally. My Network manager must be ON and ENABLED for it to work.

2. Otherewise I get this:

Scanning For All Available Networks, Please Wait...
command failed: Network is down (-100)





Scanned_APs
===========



################################################## ##########################
# [f] = Re-Scan - Full iw-dev Scan # [e] = Sort Scan By - ESSID #
# [w] = Re-Scan - Wash WPS Network Scan # [a] = Sort Scan By - Encryption #
# [d] = Re-Scan - Airodump Network Scan # [0] = Return To Main Menu #
# # [q] = Exit FrankenScript #
################################################## ##########################

Please choose an option or input the number of a target:


3. But then, when it works with my network manager ON and ENABLED, I get this...

Scanning For All Available Networks, Please Wait...


3: xxxxxxxxxx xxxxxx xxxxxxxxx xxxxxxx
2: xxxxxxxxxxx xxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx
1: associated -- MXXXX a4:7a:a4:XX:XX:XX Signal-59.00-dBm

iw-dev scans on all interfaces..! "1: associated -- MXXXX a4:7a:a4:XX:XX:XX Signal-59.00-dBm" that's on Wlan0! I'm never use Wlan0 for testing. It's not capable anyways. Why does it scan on Wlan0 when I choose Wlan1 for operations?

I'll be back later.

Good luck guys, both the MDK3 thread and FrankenScript thread were closed... :mad:

yes I was expecting that. An 'Independent R&D' forum section is needed me thinks. Thanks for the heads up.

First post edited with DL link.

FrankenScript doesn't mess with wifi adapters that were not used by it, it will only enable and disable monitor mode for the adaptor you selected.
FrankenScript uses the command "airmon-ng start/stop wlano" to enable/disable monitor mode, maybe its that process that causes you to lose connection.

I didn't have to unconnect from the AP and reconnect to surf before with previous version of FS. So something is not quite the same.




Does everything function correctly if you disconnect from your internet connection, then use airmon check kill option to automatically kill processes, then choose the auto mac address option, and then use the iw dev scan option?.

nope...

Scanning For All Available Networks, Please Wait...
command failed: Network is down (-100)



Scanned_APs
===========



################################################## ##########################
# [f] = Re-Scan - Full iw-dev Scan # [e] = Sort Scan By - ESSID #
# [w] = Re-Scan - Wash WPS Network Scan # [a] = Sort Scan By - Encryption #
# [d] = Re-Scan - Airodump Network Scan # [0] = Return To Main Menu #
# # [q] = Exit FrankenScript #
################################################## ##########################

Please choose an option or input the number of a target:





Can you also try the following commands and post back the results please,

Try:
iw dev <your-wifi-adaptor> scan (Do not put your adaptor into monitor mode and do not kill any processes).


root@kali:~# iw dev wlan1 scan
BSS XXXXXXXXXXXXXXX (on wlan1)
TSF: 610435465047 usec (7d, 01:33:55)
freq: 2437
beacon interval: 100
capability: ESS Privacy ShortSlotTime (0x0411)
signal: -72.00 dBm
last seen: 664 ms ago
Information elements from Probe Response frame:
SSID: XXXXXXXXXXX
Supported rates: 1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0
...goes on forever. Snip. Let me know if you want to see the whole thing.




Then try:
iw dev <your-wifi-adaptor> scan (kill processes using airmon check kill and then enable monitor mode by using airmon-ng start <your-wifi-adaptor>).


root@kali:~# airmon-ng check kill

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
22181 NetworkManager
22208 wpa_supplicant
Killing all those processes...
root@kali:~# airmon-ng check
root@kali:~#


root@kali:~# iw dev wlan1 scan
command failed: Network is down (-100)
root@kali:~#





Then try:
iw dev <your-wifi-adaptor> scan (enable monitor mode by using airmon-ng start <your-wifi-adaptor> and then kill processes using airmon check kill).

root@kali:~# airmon-ng start wlan1

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2695 NetworkManager
2789 wpa_supplicant


Interface Chipset Driver

wlan1 Atheros AR9271 ath9k - [phy1]
(monitor mode enabled on mon0)
wlan0 Intel 2230 iwlwifi - [phy0]

root@kali:~# airmon-ng check kill


Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2695 NetworkManager
2789 wpa_supplicant
Killing all those processes...
root@kali:~#


root@kali:~# iw dev wlan1 scan
command failed: Network is down (-100)
root@kali:~#





Then try:
iw dev <your-wifi-adaptor> scan (enable monitor mode but do not kill processes).


root@kali:~# airmon-ng start wlan1

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2671 NetworkManager
2766 wpa_supplicant


Interface Chipset Driver

wlan1 Atheros AR9271 ath9k - [phy1]
(monitor mode enabled on mon0)
wlan0 Intel 2230 iwlwifi - [phy0]

root@kali:~# iw dev wlan1 scan
BSS XXXXXXXXXXXXXXXXX (on wlan1)
TSF: 1479113425593 usec (17d, 02:51:53)
freq: 2412
beacon interval: 100
capability: ESS Privacy ShortSlotTime (0x0411)
signal: -87.00 dBm
last seen: 1256 ms ago
Information elements from Probe Response frame:
SSID: RXXxxxxxx
Supported rates: 1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0
DS Parameter set: channel 1
ERP: Barker_Preamble_Mode
Extended supported rates: 6.0 9.0 12.0 48.0
WPA: * Version: 1
* Group cipher: TKIP
* Pairwise ciphers: TKIP
* Authentication suites: PSK
* Capabilities: (0x0000)
BSS XXXXXXXXXXX (on wlan1)
TSF: 611533647295 usec (7d, 01:52:13)
freq: 2437
beacon interval: 100
capability: ESS Privacy ShortSlotTime (0x0411)

...SNIP

So simply put, when the Network Manager is ON and ENABLED, iw dev scan works.
When the Network Manager is OFF, then, iw dev scan doesn't work.


Let me know if you want me to test anything else...

little more testing here while listening to green day :)


In Fs, sometimes iw dev scan works, sometimes not. It seems to be random. It detects mi Network Manager as being OFF when it is ON. I have to restart FS many time for iw dev scan to work.

Slim, does the following (in orange) looks ok to you?


Available Capture Files.
########################

1: Xxxxxxxx.cap

Please input the number of your chosen capture file: 1
Please input a minimum passkey length?: 8
Please input a maximum passkey length?: 10
Please input the character set to be used?: abcdefghijklmnopqrstuvwxyz1234567890
Please input the maximum amount of times a character can appear next to its self?: 2

Slim, does the following (in orange) looks ok to you?

Yeah that looks fine, it will create passwords between 8 and 10 characters long and only allows a character to appear next to its self once.

Will create:
abcdef23
abcdef22
cbcecf3
abcdef2345

Will not create:
abcde222

Did you manage to solve those issue's you were having?.

Hey Slim!

Yes, but things are still 'volatile' and it feels like an 'esoteric' experience at times. I'm starting to understand a greater problem with my rig vs Kali. I'm having other intermittent issues. But things are under control.

I shut down FS with Ctrl+C now, and empty the Temp folder manually, so I don't have to disconnect/reconnect to the AP for surfing.

For the most part I'm enjoying FS, and no one else seems to have prbs with it, so let's move on...

GPU acceleration does work on GeForce :cool:

What's next? Hashcat?? :) I'm all setup and ready to roll.

Hey Slim!

Yes, but things are still 'volatile' and it feels like an 'esoteric' experience at times. I'm starting to understand a greater problem with my rig vs Kali. I'm having other intermittent issues. But things are under control.

I shut down FS with Ctrl+C now, and empty the Temp folder manually, so I don't have to disconnect/reconnect to the AP for surfing.

For the most part I'm enjoying FS, and no one else seems to have prbs with it, so let's move on...

GPU acceleration does work on GeForce :cool:

What's next? Hashcat?? :) I'm all setup and ready to roll.

I might have a go at adding Hashcat at some point, but at the moment I'm rewritting most of FrankenScript.
I've rewritten all 3 scan options, all 3 scan functions can now handle essid's that contain spaces eg: "My skyrouter".
I also fixed several other issues and added some more options.
I still need to rewrite all of the attacks so it won't be ready for some time.

With full respect i can't download your script. it is always .dmg or exe file. Can you make another ( mb safe hosting? )

Hi Sergey,

Yes mirrorcreator.com is a minefield. Once you get on mirrorcreator.com, scroll down the page and choose 1Fichier, then click on: Your preferred download link is ready! Click here to go to the page.

That should work for now..

Name of the file is: FrankenScript2_Updated-19-7-2014.tar.gz
The size of the file is: 1.1 MB (1,087,008 bytes)

Or, here is a direct DL link: http://66ptdww17j.1fichier.com/

@ Quest

Would you be up for testing the updated version when its ready?.

**** yeah :)

all systems are go here.

Hi,script is really amazing :) Thx slim,
but i have 1 problem, when i push [3] = AP Default Passkey Keygens.
(gnome-terminal:4129): Vte-2.90-WARNING **: Не удалось преобразовать символы из набора текущая в набор X-VTE-GUNICHAR.
Unhandled value type TerminalEncoding of pspec encoding
and there open's another terminal but i can nothing to do with it(

Hi,script is really amazing :) Thx slim,
but i have 1 problem, when i push [3] = AP Default Passkey Keygens.
(gnome-terminal:4129): Vte-2.90-WARNING **: Не удалось преобразовать символы из набора текущая в набор X-VTE-GUNICHAR.
Unhandled value type TerminalEncoding of pspec encoding
and there open's another terminal but i can nothing to do with it(

That problem is easy solved, just don't press button 3, Nah I'm only joking. LOL
I suspect the problem might be caused by routerkeygen, routerkeygen will only work on 64-bit architecture.
The issue has been fixed in the new version and I'll be uploading it soon,.

yes and, please do not use [z]

[z] seat ejection. Catapulted out of the house trough the roof*

*parachute not included



Seriously, [3] = AP Default Passkey Keygens. never worked for me. I get the big red window also, and I'm on x64

yes and, please do not use [z]

[z] seat ejection. Catapulted out of the house trough the roof*

*parachute not included



Seriously, [3] = AP Default Passkey Keygens. never worked for me. I get the big red window also, and I'm on x64

oh, well hopefully the updated version will work for everyone. :-)
I found lots of mistakes in FrankenScript so I decided to rewrite most of it.

It can now handle APs that contain a space in the essid.
Fixed several mistakes in the wordlist and pasthrough attacks.
Script launcher has been improved.
View passkeys has been improved.
Routerkeygen can now be used from the main menu.
Changed the way recovered passkeys are stored and viewed.
Added, removed, and changed many options.
FrankenScript can now perform multiple attacks on multiple networks at the same time.

I think thats most of it :-)
I hope to upload it within the next few days.

holly !@#$ can't stop progress

I'm thinking that if you could add a 'Empty Temp folder' option?

not a big deal mind you, to go in 'Temp folder' and delete manually, but the problem is the operator(me) that forgets sometime to empty it before operations, and i have to abort, empty, and start again.

holly !@#$ can't stop progress

I'm thinking that if you could add a 'Empty Temp folder' option?

not a big deal mind you, to go in 'Temp folder' and delete manually, but the problem is the operator(me) that forgets sometime to empty it before operations, and i have to abort, empty, and start again.

No need to add an option for that, the new version doesn't have an issue with cleaning the temp files. :-)

so howsit going friend, any ETA? Is it alive?.. https://archive.org/details/FrankensteinItsAlive

so howsit going friend, any ETA? Is it alive?.. https://archive.org/details/FrankensteinItsAlive

Sorry matey but I've had major problems, my harddrive died on me and I lost a lot of stuff. :-(

I've got a new harddrive now so I just need to restore kali and then I can get back to working on FrankenScript, I'll have to rewrite one of the old versions as I lost the one I was working on.

oh, ouch, that sucks bro.

Just take your time to get back on track =]



This month mini Howto...

Howto avoid loosing your personal files

Get USB flashdrives. HDDs are too much of a liabelity when they fail, for reasons expressed in the post above. Weeks of work, and other personal files have disapeared.

oh, ouch, that sucks bro.

Just take your time to get back on track =]



This month mini Howto...

Howto avoid loosing your personal files

Get USB flashdrives. HDDs are too much of a liabelity when they fail, for reasons expressed in the post above. Weeks of work, and other personal files have disapeared.

Hey quest,

What is the basis of the backup? Rsync or something like a lvm snapshot volume?

You know what would be good, a request a guide section.

Hi staticn0de,

I was referring to a simple copy/paste important files on USB keys. Photos, documents, work.

I've taken the habit of backing up my personal files on 2 USBs, so it's almost impossible have my files "disappeared". If the HDD and one of the USB fail at the same time(??), I have another USB backup of my files, in another physical location. USB flashdrives are cheap now. No reason not to do it. 1$ a gig or less for USB2. 2$ a gig for USB3.

For the whole partition, I use Acronis True Image 2014(windows). It offers automatic incremental partition backups as an option. Problem is, these backups often endup on another partition of the same HDD, as people don't have two of those. So if the disk fails, so does that backup. So for that reason I prefer to save personal files on USBs only, and not rely on partition backups.

HDDs are on their way out me thinks, but that's a different topic.

Slim, here are some more observations..

- Crunch, is an idiot. Tries every unlikely combination imaginable. Has to be a more logical way to do this without a dictionary(Not your problem mind you. Just saying that Crunch logics are 0).

- Airodump window is too small. The results of the scan come out all messed up. Needs to have a longer(<>) window.

Slim, here are some more observations..

- Crunch, is an idiot. Tries every unlikely combination imaginable. Has to be a more logical way to do this without a dictionary(Not your problem mind you. Just saying that Crunch logics are 0).

- Airodump window is too small. The results of the scan come out all messed up. Needs to have a longer(<>) window.

Crunch performs a bruteforce attack and is meant to try every possible combination, use the wordlist option if you don't want to perform a bruteforce attack. LOL
I'm rewritting all three scans again as I've noticed some issue's myself, I've already solved the issue with the scan results being messed up (at least I think I have). LOL

It's going to be a while before I finish rewritting FrankenScript as I don't have much time to work on it at the moment.

Cheers again for your feedback matey. :-)

Sure thing, I'll be traveling next week without my rig, so timing is good.

The problems I'm having with wordlists is that the password will almost surely not be in it, or that wordlist will be too large to be practical.

The problem I'm having with Crunch is its lack of logic, as most if not all passwords are, words, where Crunch generate sets of random characters that are not "words". cabot4562, 1985sumak, for example, both contain a "word", where sjl5rdv2g does not contain any "word", and will never be used in the whole universe, ever, and Crunch generates millions of those.

I guaranty that ldmthv5sh7 will never, never, never be used as a password.

Cheers bro! We all appreciate what you do


Edit: actually most(?) words used in >passwords< are made of vowels and consonants alternatively. If you could find a way to include that as an option, Crunch would actually generate words.

The vowels are a e i o u

The consonants are b c d f g h j k l m n p q r s t v w x y z

Thoughts?

Sure thing, I'll be traveling next week without my rig, so timing is good.

The problems I'm having with wordlists is that the password will almost surely not be in it, or that wordlist will be too large to be practical.

The problem I'm having with Crunch is its lack of logic, as most if not all passwords are, words, where Crunch generate sets of random characters that are not "words". cabot4562, 1985sumak, for example, both contain a "word", where sjl5rdv2g does not contain any "word", and will never be used in the whole universe, ever, and Crunch generates millions of those.

I guaranty that ldmthv5sh7 will never, never, never be used as a password.

Cheers bro! We all appreciate what you do


Edit: actually most(?) words used in >passwords< are made of vowels and consonants alternatively. If you could find a way to include that as an option, Crunch would actually generate words.

The vowels are a e i o u

The consonants are b c d f g h j k l m n p q r s t v w x y z

Thoughts?

I understand what you mean mate but it needs to stay like that for certain default passwords to be cracked.
I'll put in another option if I can find a way to make it do what you are asking, can't promise though mate but I'll certainly try for you.

though I appreciate, don't spent too much time on that. Amazingly that option to separate vowels and consonants does not exist, and no one as ever considered that particular detail as important enough to even mention it or ask the question.

http://www.liatsisfotis.com/2013/02/create-wordlists-using-crunch.html
http://adaywithtape.blogspot.com.ar/2011/05/creating-wordlists-with-crunch-v30.html

That being said, I would like to do some R&D on that subject eventually, because a rough guesstimate is that 50%(being very generous here) of what Crunch generates is useful for practical password purposes, the other 50% of the output,.. to communicate with aliens(if not then I have no idea what these 'jsqtmbdk5z' generated keys are useful for). In any case, everyone is wasting 50% of their time.

though I appreciate, don't spent too much time on that. Amazingly that option to separate vowels and consonants does not exist, and no one as ever considered that particular detail as important enough to even mention it or ask the question.

http://www.liatsisfotis.com/2013/02/create-wordlists-using-crunch.html
http://adaywithtape.blogspot.com.ar/2011/05/creating-wordlists-with-crunch-v30.html

That being said, I would like to do some R&D on that subject eventually, because a rough guesstimate is that 50%(being very generous here) of what Crunch generates is useful for practical password purposes, the other 50% of the output,.. to communicate with aliens(if not then I have no idea what these 'jsqtmbdk5z' generated keys are useful for). In any case, everyone is wasting 50% of their time.

That's the problem with doing a bruteforce attack, that's why many people suggest using a wordlist.
I think crunch can still do what you are asking for, maybe not exactly how you would like it done though. LOL

Use google and do a search for "A day with tape". :-)

yes I've read his blog about crunch. Very useful, but I failed to notice anything helpful to make crunch start spewing out non-outer-planetary words.

Passwords that ppl create are logical. Passwords that Crunch generate are illogical. That's a big prb me thinks when trying to crack a human generated 8-10 character set.

yes I've read his blog about crunch. Very useful, but I failed to notice anything helpful to make crunch start spewing out non-outer-planetary words.

Passwords that ppl create are logical. Passwords that Crunch generate are illogical. That's a big prb me thinks when trying to crack a human generated 8-10 character set.

That is why you use a hashcat brute force attack with masks.

You can define that (for example) the first 6 characters are letters with the 1st of that six is always a capital. Out of the remaining 4, 3 are numbers and the 4th digit is a special character.

This means we get Aaaaaa000! to Zzzzzz999* are everything between. Its more likely that a password will be Lasors165! instead of A3%h@j&d6^

That is why you use a hashcat brute force attack with masks.

You can define that (for example) the first 6 characters are letters with the 1st of that six is always a capital. Out of the remaining 4, 3 are numbers and the 4th digit is a special character.

This means we get Aaaaaa000! to Zzzzzz999* are everything between. Its more likely that a password will be Lasors165! instead of A3%h@j&d6^

I've never used hashcat before so I'm not sure how to write it into FrankenScript just yet, I'll have to look into it at a later time as my things to do list is rather big. LOL
Maybe crunch can be used to generate all combinations and then filtered using sed or awk.

That is why you use a hashcat brute force attack with masks.

You can define that (for example) the first 6 characters are letters with the 1st of that six is always a capital. Out of the remaining 4, 3 are numbers and the 4th digit is a special character.

This means we get Aaaaaa000! to Zzzzzz999* are everything between. Its more likely that a password will be Lasors165! instead of A3%h@j&d6^



The problem remains. Hascat will go trough all illogical and logical combinations(within the specified parameters) before finding Lasors165, as Hascat can't(?) separate vowels from consonants.

In other words...

Lasors165
Capitalized consonant | vowel | consonant | vowel | consonant | consonant | three digit number.
*sees a logical pattern here*

But before Hashcat stumble on that passphrase, it generated things like Cpakwb519 a million times, for hours, even with the most strict parameters(arguments). There has to be a more logical way to do this without a dictionary, and the key to this problem is to separated the vowels from the consonants as 2 different character sets.

Another way would be to use these programs as is, and have a rig the size of a car, with 54 video cards, plugged in directly on a power central. Brutforce hein?

Anyways, very glad to have you guys onboard =] I see a fork in Crunch&Hashcat's future :cool:

The problem remains. Hascat will go trough all illogical and logical combinations(within the specified parameters) before finding Lasors165, as Hascat can't(?) separate vowels from consonants.

In other words...

Lasors165
Capitalized consonant | vowel | consonant | vowel | consonant | consonant | three digit number.
*sees a logical pattern here*

But before Hashcat stumble on that passphrase, it generated things like Cpakwb519 a million times, for hours, even with the most strict parameters(arguments). There has to be a more logical way to do this without a dictionary, and the key to this problem is to separated the vowels from the consonants as 2 different character sets.

Another way would be to use these programs as is, and have a rig the size of a car, with 54 video cards, plugged in directly on a power central. Brutforce hein?

Anyways, very glad to have you guys onboard =] I see a fork in Crunch&Hashcat's future :cool:

Unfortunately no forks. Not for hashcat anyway. It is not open source.

Thank you staticn0de

Your comment triggered me to run over their forum to ask the question, and a search lead me to that..
https://hashcat.net/wiki/doku.php?id=mask_attack#custom_charsets

a plain text file with the .hcchr extension, containing the characters(vowels and another file with consonants) is all that is needed, it seems.

I'll do abit more digging for Crunch.

Hi guys Im new and iI have some issues in extracting the files from the archive. Can someone post or send me the files inside? Please

Hi guys I'm new and facing some initial issues, i can't extract the script from the downloaded file, please can someone help me? Thank you in advance.

I also had that problem when i first downloaded it, i seem to remember it was an incomplete download. After googling around i found an alternative download which was no problem. Out of interest when you download it does it have .exe on the end of the file if so that was the incomplete file i also first got. If its any help i'll see if i can find my source and point you in the right direction.

Try this link:
http://66ptdww17j.1fichier.com/

oki I'm back. I will do my best to experiment with oclHashcat and Crunch this week...

What I was looking for is actually called "Markov Chains". http://blog.spiderlabs.com/2012/07/hashcat-per-position-markov-chains.html

i'm following a very interesting lead http://hashcat.net/forum/thread-1291.html for injecting 'intelligence' into oclhashcat.

Atom, has created a .bin called "statsprocessor-0.083" based upon "Markov Chains". http://hashcat.net/wiki/doku.php?id=statsprocessor


Edit: Actually "Markov Chains" is already included in ocl/cudaHashcat


* Markov:

--markov-hcstat=FILE Specify hcstat file to use, default is hashcat.hcstat
--markov-disable Disables markov-chains, emulates classic brute-force
--markov-classic Enables classic markov-chains, no per-position enhancement
-t, --markov-threshold=NUM Threshold when to stop accepting new markov-chains

http://hashcat.net/wiki/doku.php?id=oclhashcat

Now just need to figure it out. If anyone has some experience using the above arguments, please share.

can't stop progress

philsmd, over at Hashcat.net was good enough to help me out with my quest http://hashcat.net/forum/thread-3668.html Thank you Phil

Can you work with that information Slim? Let me know. I will do some experimenting on my end also..

can't stop progress

philsmd, over at Hashcat.net was good enough to help me out with my quest http://hashcat.net/forum/thread-3668.html Thank you Phil

Can you work with that information Slim? Let me know. I will do some experimenting on my end also..

Yeah I think so, it shouldn't be to difficult to build it into FrankenScript.
I've scrapped the other versions of FrankenScript due to it having to many issue's, so I'm rewritting everything again.

I have to say ive been following the growth of this script and find it very interesting. Its not the normal approach to a how too, in fact i'd personally say its far more informative. The collaberation between you guys to create and over come problems, should be encouraged and admired. Keep up the good work. :cool:

Hey skycrazy! Glad you enjoy the show =]

I'm just a user with a big mouth. Slim does it all, it's his creation. I would love however to see staticn0de work on this project..



@Slim, any ideas to invoke ocl/cudaHashcat without the full path? Now I'm using this syntax..


cd /usr/share/cudahashcat/ && ./cudaHashcat64.bin -w 3 -m 2500 /root/capture.hccap -a 3 ?u?l?l?l?l?l?d?d

That will be a small problem, as there will be 4 sets of command lines. Two for ocl(i386 and x64) and two for CUDA(i386 and x64).

Also, Markov Chains doesn't seem to kick in. May have to use a mask...

Hey skycrazy! Glad you enjoy the show =]

I'm just a user with a big mouth. Slim does it all, it's his creation. I would love however to see staticn0de work on this project..



@Slim, any ideas to invoke ocl/cudaHashcat without the full path? Now I'm using this syntax..


cd /usr/share/cudahashcat/ && ./cudaHashcat64.bin -w 3 -m 2500 /root/capture.hccap -a 3 ?u?l?l?l?l?l?d?d

That will be a small problem, as there will be 4 sets of command lines. Two for ocl(i386 and x64) and two for CUDA(i386 and x64).

Also, Markov Chains doesn't seem to kick in. May have to use a mask...

Sorry mate but I still haven't had chance to look into hashcat, I've been busy decorating and and rewritting FrankenScript in my spare time.
If you can look into hashcat I can get all the info from you once I've finished FrankenScript.

yes don't worry. Making progress http://hashcat.net/forum/thread-3668-post-20987.html#pid20987 went from 45days -to- 4hrs for a 8 character set.

Can't see options for Crunch for injecting intelligence into it. So it will stay brutforce(and dumb) unless someone has an idea.

For decorating, lighting is very important and often neglected ;)

Hey skycrazy! Glad you enjoy the show =]

I'm just a user with a big mouth. Slim does it all, it's his creation. I would love however to see staticn0de work on this project..



@Slim, any ideas to invoke ocl/cudaHashcat without the full path? Now I'm using this syntax..


cd /usr/share/cudahashcat/ && ./cudaHashcat64.bin -w 3 -m 2500 /root/capture.hccap -a 3 ?u?l?l?l?l?l?d?d

That will be a small problem, as there will be 4 sets of command lines. Two for ocl(i386 and x64) and two for CUDA(i386 and x64).

Also, Markov Chains doesn't seem to kick in. May have to use a mask...

Hey Quest,

I've made a short shell script that will check if hashcat is installed and then offer to set up links so that it can be called without full path (can be called with cudahashcat32 and cudahashcat64)

I was toying around within Frankenscript to insert it as a menu check when hashcat was selected for use.

I don't see it being hard to check the arch type running the script so it can select if you want cudahashcat32/64 and install only the correct one so it is called with the "cudahashcat" command. Could be the same for oclhashcat, nothing a grep of pci devices wont fix (as it looks for nvidia or ATI)

either way, the script I just made in about 5 minutes (don't judge my terrible coding skills) which works (just)



#!/bin/bash
#staticn0des hashcat insert
#check if installed
if [ -f /usr/share/cudahashcat/cudaHashcat32.bin ] && [ -f /usr/share/cudahashat/cudaHashcat64.bin ]; then
echo "cudaHashcat32.bin and cudaHashcat64.bin found"
else
echo "cudaHashcat32.bin and cudaHashcat64.bin not found in /usr/share/cudahashcat/."
echo "Download them from hashcat.net and extract to /usr/share/cudahashcat/"
echo ""
read -p "Press any key..."

fi

#check if bin links are installed
if [ -f /usr/bin/cudahashcat32 ] && [ -f /usr/bin/cudahashcat64 ]; then
echo "cudahashcat bin links found. Call directly with cudahashcat32 and cudahashcat64 from terminal"
else
echo "cudahashcat bin links not found. cudaHashcat cannot be called without full path"
echo "Install bin links now?"

read -p $GREEN"[y/n]:$STAND " bin_link_option

#Install bin links
if [[ $bin_link_option == "y" ]]; then
cat > /usr/bin/cudahashcat32 <<EOF
#!/bin/bash
cd /usr/share/cudahashcat/ && ./cudaHashcat32.bin "$@"
EOF

cat > /usr/bin/cudahashcat64 <<EOF
cd /usr/share/cudahashcat/ && ./cudaHashcat64.bin "$@"
EOF

chmod +x /usr/bin/cudahashcat64
chmod +x /usr/bin/cudahashcat32

fi
fi

you rock my friend! That will actually solve the problem of implementing cuda/ocl into FS. Let's see what Slim has to say..


I'm very happy with Markov Chains also...


Mampho80
Mannti91
Maasos33
Markse91
Maetro80
Maltro80
Masoti91
Maiamo80
Maosos33
Matryo80
Mambul91
Manoti91
Maadro80
Mardro80
Maedro80
Malues33
Mascia80
Mairyo80
Maooti91
Matsos33
Mamsos33
Mankse91
Maaiti91


Sarint98
Sasers01
Salant98
Satint98
Samint98
Saastr98
Saelet98
Saiant98
Saomam34
Sanint98
Saront98
Sasham34
Salont98
Satont98
Samont98
Saatet98
Saeant98
Saitet98
Saouss01
Sandet98
Sartet98
Sasint98


Elmpil29
Elamol29
Eletol29
Elices29
Elosho29
Elntol29
Elrsho29
Elssho29
Ellula29
Eltrol29
Elmmol29
Eladol29
Eledol29
Eliela29
Eloomi29
Elnomi29
Elrula29
Elsomi29
Ellyla29
Elttol29
Elmula29
Elaces29
Eleela29
Eliomi29
Elotol29
Elnsho29
Elrdol29
Elsula29
Ellsho29

Ansina33
Anlles33
Anthal33
Anmpal33
Anamal33
Anetes33
Anicho33
Anosti87
Anntes33
Anrsti87
Anssti87
Anluse33
Antres33
Anmmal33
Anades33
Anedes33
Anieri87
Anoona33
Annona33
Anruse33
Ansona33
Anlyal33
Anttes33
Anmuse33


funky words, but words non-the-less.


Stay tuned kids, this is interesting

you rock my friend! That will actually solve the problem of implementing cuda/ocl into FS. Let's see what Slim has to say..


I'm very happy with Markov Chains also...


Mampho80
Mannti91
Maasos33
Markse91
Maetro80
Maltro80
Masoti91
Maiamo80
Maosos33
Matryo80
Mambul91
Manoti91
Maadro80
Mardro80
Maedro80
Malues33
Mascia80
Mairyo80
Maooti91
Matsos33
Mamsos33
Mankse91
Maaiti91


Sarint98
Sasers01
Salant98
Satint98
Samint98
Saastr98
Saelet98
Saiant98
Saomam34
Sanint98
Saront98
Sasham34
Salont98
Satont98
Samont98
Saatet98
Saeant98
Saitet98
Saouss01
Sandet98
Sartet98
Sasint98


Elmpil29
Elamol29
Eletol29
Elices29
Elosho29
Elntol29
Elrsho29
Elssho29
Ellula29
Eltrol29
Elmmol29
Eladol29
Eledol29
Eliela29
Eloomi29
Elnomi29
Elrula29
Elsomi29
Ellyla29
Elttol29
Elmula29
Elaces29
Eleela29
Eliomi29
Elotol29
Elnsho29
Elrdol29
Elsula29
Ellsho29

Ansina33
Anlles33
Anthal33
Anmpal33
Anamal33
Anetes33
Anicho33
Anosti87
Anntes33
Anrsti87
Anssti87
Anluse33
Antres33
Anmmal33
Anades33
Anedes33
Anieri87
Anoona33
Annona33
Anruse33
Ansona33
Anlyal33
Anttes33
Anmuse33


funky words, but words non-the-less.


Stay tuned kids, this is interesting

I can do a copy and paste if that's what you want, that's if it's ok with staticn0de?.

well yes that's a piece of the puzzle. Otherwise there will be 4 different command lines to invoke oclHashcat to match what setup a person has..

- nVidia (CUDA) i386 (cudaHashcat32.bin)
- nVidia (CUDA) x64 (cudaHashcat64.bin)
- ATi (ocl) i386 (oclHashcat32.bin)
- ATi (ocl) x64 (oclHashcat64.bin)

The script statcn0de has created will make your life easier to include oclHashcat in the next FS, I would imagine.

I do believe that it is ok with staticn0de for you to steal his code and run away. I will not tell.

I can do a copy and paste if that's what you want, that's if it's ok with staticn0de?.

Sure, use what you can.

I'll make It less terrible when I get a chance. Add auto detect for ati / NVIDIA and detect 32/64 bit.

well I object!

It is called FrankenScript!! To make it less terrible would go against all international monster conventions. *Geez do I have to explain everything?*


:P

.............and now back to our regular broadcasting...........


so I'm working with 3 different .hcmask files(2 of them I will probly endup fusing together) that I would like to submit under peer review. All 3 files share common features. Minimum 8, maximum 10, last 4 characters can be anything including symbols...


?d?d?d?d?d?d?a?a?a?a = min8 max10 | 6 numbers |*4 all characters

001999L*
002999L!
113999a?
004999nt
005999w$T3
1234567890


?l?l?l?l?l?l?a?a?a?a = min8 max10 | 6 lowercases | 4 all characters

salonang
saserang
saichang
saoteran
satonang
sammanges
sarter7*2b
saeanang$5


?u?l?l?l?l?l?a?a?a?a = min8 max10 | 1 uppercase | 5 lowercases | 4 all characters

Salonang
Saserang
Saichang
Saoteran
Satonang
Sammanges
Sarter7*2b
Saeanang$5

What do you all think? Good or not good?

also Slim, it will be good to see if you can find a way for the user to build his own syntax, like you did with Crunch, where the user decides the character set, number of characters...

here is the oclHashcat operational sequence of events (as I see them).

I've created a wildHashcat folder inside the FrankenScript2 folder.
Path: /root/FrankenScript2/wildHashcat
This is only to gather all files oclHashcat FrankenScript related into one place.
In that wildHashcat folder I've placed 3 .hcmask files.
8-10-6numbers-4all.hcmask
8-10-6lower-4all.hcmask
8-10-1Capitalized-5lower-4all.hcmask
These files will be used as predefined user options to attack a captured handshake and to make Markov Chains 'kick in'.

1. The oclHashcat operational sequence should start with a captured handshake and creating a .cap file, just like before. So at this point nothing new for FrankenScript, as it can already do that.

2. That .cap file must be transformed into a .hccap for oclHashcat to use it.
Convert .cap into .hccap
Copy the .cap file to your Home folder. Then enter this command(replace the XXXXXXXXX with the file name).

aircrack-ng XXXXXXXXXXXX.cap -J capture
A capture.hccap will be created in Home
I would like a more logical way to do this, so that everything is in the wildHashcat folder...

3. At this point an attack can be initiated on that newly created .hccap

Here one syntax that I'm using.

cd /usr/share/cudahashcat/ && ./cudaHashcat64.bin --status -w 3 -t 10 -m 2500 /root/FrankenScript2/wildHashcat/capture.hccap -a 3 /root/FrankenScript2/wildHashcat/8-10-6numbers-4all.mask
cd /usr/share/cudahashcat/ && ./cudaHashcat64.bin Path to directory && to start the program.
--status Will update the progression status automatically every 10 seconds or so.
-w 3 Not even sure what that does but it works. lol
-t 10 Markov threshold. Super important. Without the -t argument, Markov will go into "smart brutforce" and now the estimated time will be 45days. -t 10 is about 4hours.
-m 2500 WPA/2 Hash-type
/root/FrankenScript2/wildHashcat/capture.hccap Path to capture.hccap file
-a 3 Attack mode.
/root/FrankenScript2/wildHashcat/8-10-6numbers-4all.mask Path to .mask file

would like for staticn0de to shine in on all this...

Hey quest, I'm not sure what you want me to shine in on. It all looks good!

If you wanted hashcat to see the hccap file in the home folder after it was converted, don't use the full path. Replace the path to home with $HOME in the script so it always has a good starting point.

It would be good to package this script in a deb so it could place files and configs in etc for use. On that, the installer could set up links for hashcat. But, that's all up to slim as I'm just here to appreciate the great work he does.

@quest, the -w option sets a work load profile.

The options are 1,2 or 3. Details from hashcat below

* Workload Profile:

1 = Reduced performance profile (low latency desktop)
2 = Default performance profile
3 = Tuned performance profile (high latency desktop)

@Slim

I was trying out Frankenscript with my new adapter which arrived in the mail. I had the -1 error and could not capture any handshakes.

I added a one liner at line 232 which looks like this

Enable_Attack_Mode(){
<-snip out all of the attack mode section until the last few lines as I'm not copying and pasting ->

clear
ifconfig $wlanX down
airmon-ng start $wlanX

MAC_Address_Options(){

I only inserted the line ifconfig $wlanX down. This has fixed the -1 error and i'm capturing handshakes again. I can't see this change causing any errors down the road but it's not fully tested. Would you consider adding it in to the script as I doubt i'm the only person who will run into it.

Edit:
@Slim again
Mate, I was just trying to do an iw dev scan from the menu. It failed so I added a catch so I could see the error and go have a read.

I have two wifi adapters and am using wlan1 to scan the network. At line 334 you have defined wlan0 as the adapter so it can't detect if I selected a seperate one. I changed the start of this line to:

iw dev $wlanX scan

and the problem was solved.

@Slim

I was trying out Frankenscript with my new adapter which arrived in the mail. I had the -1 error and could not capture any handshakes.

I added a one liner at line 232 which looks like this

Enable_Attack_Mode(){
<-snip out all of the attack mode section until the last few lines as I'm not copying and pasting ->

clear
ifconfig $wlanX down
airmon-ng start $wlanX

MAC_Address_Options(){

I only inserted the line ifconfig $wlanX down. This has fixed the -1 error and i'm capturing handshakes again. I can't see this change causing any errors down the road but it's not fully tested. Would you consider adding it in to the script as I doubt i'm the only person who will run into it.

Edit:
@Slim again
Mate, I was just trying to do an iw dev scan from the menu. It failed so I added a catch so I could see the error and go have a read.

I have two wifi adapters and am using wlan1 to scan the network. At line 334 you have defined wlan0 as the adapter so it can't detect if I selected a seperate one. I changed the start of this line to:

iw dev $wlanX scan

and the problem was solved.

Yeah I'm sorry about the issue's, hopefully this next version will be better. LOL
I've rewritten most of FrankenScript again and I've made several changes:
FrankenScript now detects all available WiFi devices and all enabled monitor modes, you can now use multiple WiFi devices and monitor modes.
You can now perform multiple attacks against the same target or a different target at the same time.

sounds good! Maybe what happened to you with the HDD failure, had a purpose? Create new and better things? I've seen it numerous times where something bad would happen, but endedup, ultimately, being a good thing. That is what the apocalypse is, changes by disaster. Maybe the universe is trying to tell you something ;)


...

It would be good to package this script in a deb so it could place files and configs in etc for use.

...
oh yes I would like to see that. Hopefully Slim, will take your knowhow and that opportunity to move things ahead :cool:


little more testing with oclHashcat, and a couple of things stands out.

1. There is nothing to gain by having different lines in one .hccap file, for this reason..
Mask (?d?d?d?d?d?d?a?a) [8] = 3 hours, 27 mins
Mask (?d?d?d?d?d?d?a?a?a) [9] = 1 day, 10 hours
Mask (?d?d?d?d?d?d?a?a?a?a) [10] = 14 days, 11 hours
In other words, the command line and the 't' argument must be adapted according to the length of the passphrase in relation to the GPU capabilities to keep the time reasonable.

2. It is obvious now that the user will have to specify his own '-t XX' argument, as we do not have the same GPU, and what is true for me and my GPU is not true for others and their GPUs.
Here a couple of interesting leads as for building oclHashcat command lines..
PACK https://thesprawl.org/projects/pack/
pyHashcat http://hashcat.net/forum/thread-3478.html
RubyHashcat Wrapper http://hashcat.net/forum/thread-3505.html
(have not tried any of them)

3. Not using the '--status' argument anymore, as it remove the ability to pause, resume, bypass, stop.

It would be good to package this script in a deb so it could place files and configs in etc for use. On that, the installer could set up links for hashcat. But, that's all up to slim as I'm just here to appreciate the great work he does.



and speaking of wrapping FS into a .deb, if FS can be invoked into a simple command, then what would prevent it from making the cut for Kali 1.1.0 ?

It is scheduled for 1-1-15

Can someone test this out for me and report back please.

FrankenScript Download:
http://mir.cr/1XYIKG3H

- Kali 1.0.7 x64 -

Hopefully this is only on my end...


When choosing:

# [1] = Deauthenticate all connected clients #
# [2] = Deauthenticate a specific client #

or
# [1] = WEP Chopchop Without Association #
# [2] = WEP ARPreplay With Association #
# [3] = WEP Chopchop With Association #
# [4] = WEP Fragment With Association m

or
# [1] = Reaver & Default WPS Pin Keygens #
# [2] = Reaver Basic Settings #
# [3] = Reaver Custom Settings #
# [4] = Bully & Default WPS Pin Keygens #
# [5] = Bully Bruteforce Settings #
# [6] = Bully Custom Settings

all return with the same error:



There was an error creating the child process for this terminal

Failed to execute child process "/root/FS3/Scripts/Deauthenticate_all_clients.sh" (Permission denied)



and does not empty Temp_Working_Dirctory, or exits when choosing [q] = Clean & Exit Script

- Kali 1.0.7 x64 -

Hopefully this is only on my end...


When choosing:

# [1] = Deauthenticate all connected clients #
# [2] = Deauthenticate a specific client #

or
# [1] = WEP Chopchop Without Association #
# [2] = WEP ARPreplay With Association #
# [3] = WEP Chopchop With Association #
# [4] = WEP Fragment With Association m

or
# [1] = Reaver & Default WPS Pin Keygens #
# [2] = Reaver Basic Settings #
# [3] = Reaver Custom Settings #
# [4] = Bully & Default WPS Pin Keygens #
# [5] = Bully Bruteforce Settings #
# [6] = Bully Custom Settings

all return with the same error:





and does not empty Temp_Working_Dirctory, or exits when choosing [q] = Clean & Exit Script

I'm compiling a new live build now from 1.0.9. I'll have a try soon. Also, was the above a typo from you, Quest or the script?

all the .sh permissions "allow executing file as program" are OFF Slim..


There was an error creating the child process for this terminal

Failed to execute child process "/root/FS3/Scripts/
WEP_Chopchop_Without_Association.sh" (Permission denied)

I'm compiling a new live build now from 1.0.9. I'll have a try soon. Also, was the above a typo from you, Quest or the script?

no it's a Copy/Paste

Decompress FS3 yourself and you will see the Temp_Working_Dirctory

Right click on FS3.sh, choose Properties and then select the permissions tab, now tick the Allow executing file as program.
Then open the Script folder and highlight all of the scripts, right click and then choose Properties and then select the permissions tab, now tick the Allow executing file as program.

Yes that's what I did. It works better now ;)

New prbs:

1.
[1] = Choose A Visable Client To Deauthenticate.
[2] = Input A Client To Deauthenticate.
[q] = Clean & Exit Script.

Please choose an option: 1

Input the number of a client or choose an option: 1

[1] = Basic Set Amount (Is set to send 4 deauth-requests).
[2] = Custom Amount (Input an amount of deauth-requests to send).
[q] = Clean & Exit Script.

Please choose an option: 2


Input the amount of deauthetication requests to send: 10
Invalid destination MAC address.
"aireplay-ng --help" for help.
Invalid destination MAC address.
"aireplay-ng --help" for help.
Checking for a handshake every 7 seconds...


2.

or

[1] = Basic Set Amount (Is set to send 4 deauth-requests).
[2] = Custom Amount (Input an amount of deauth-requests to send).
[q] = Clean & Exit Script.

Please choose an option: 1


The captured handshake is bad, the file will be deleted.

3.

still does not clean the Temp folder

3.

still does not clean the Temp folder

What's left in the temp folder after you've tried to clen it?.
Are you running any attacks while trying to clean the temp folder?.

- Chosen_AP_Line.txt
- Scanned_APs.txt

I choose to exit with [q] at the end. After an attack or after simply after scanning and choosing an AP.

- Chosen_AP_Line.txt
- Scanned_APs.txt

I choose to exit with [q] at the end. After an attack or after simply after scanning and choosing an AP.

Scanned_APs.txt isn't meant to be deleted, but it does get overwritten each time you do a scan.
Chosen_AP_Line.txt I just didn't write a delete option for it, it doesn't effect anything as it get overwritten too.
Everything else excluding the Handshake_Cracking folder should get deleted.

Note:
Attack temp files won't be deleted while running two or more of the same attacks at the same time, the files will remain until the attacks have finished.

and speaking of wrapping FS into a .deb, if FS can be invoked into a simple command, then what would prevent it from making the cut for Kali 1.1.0 ?

It is scheduled for 1-1-15

I would package it if I knew how to.
Does anyone know how to make an installable package?. LOL

I would package it if I knew how to.
Does anyone know how to make an installable package?. LOL

I certainly do! made one to automatically install cudahashcat because I'm impatient and didn't want to wait for the latest release to appear in the repo.

I'm going to install everything in the /usr/share folder and have /usr/bin links so users can call frankenscript with the 'frankenscript' command in bash. The catch is, you are normally using /root/ (or $USER, I have not checked.) and you will need to replace instances of $USER or /root/ with /usr/share/frankenscript/

1. make a folder with name based on the release (i'll assume its in your home directory)


cd ~
mkdir frankenscript_3.0-1


2. Make some folders for the scripts that will let frankenscipt be called with the bash command 'frankenscript' and somewhere to install the software.


mkdir frankenscript_3.0-1
mkdir -p ./usr/bin/
mkdir -p ./usr/share/frakenscript


3. Make the script to launch frankenscript from bash


cd ./usr/bin/
cat <<EOF > frankenscript
#!/bin/bash
cd /usr/share/frankenscript/ && ./FS3.sh "$@"
EOF


4. Make it executable


chmod +x frankenscript


5. Put frankenscript in it's new home


cd ../share/frankenscript/
unrar -x FS3*.rar
rm FS3*.rar
mv FS3/* .


For this version, you will need to fix the script flags (add +x, but I'm sure you know how to do that)

6. Move back to the parent folder (frankenscript_3.0-1) and make the metadata files


cd ../../../
mkdir DEBIAN
cd DEBIAN


7. Update the metadata file (this is altered each time you make changes)


cat <<EOF > control
Package: frankenscript
Version: 3.0-1
Section: base
Priority: optional
Depends:
Maintainer: Slim <[email protected]>
Description: This script allows holistic wireless penetration testing
for kali linux
systems
EOF


8. Build the deb


cd ../../
dpkg-deb --build frankenscript_3.0-1


9. It can now be installed with


dpkg -i frankenscript_3.0-1.deb


10. Or removed with the following (note the name is the name set in the /DEBIAN/control field 'package' Package: frankenscript


dpkg -r frankenscript

Good stuff!

i do not want to muddy the water at this point, but, let's put some thought into this.

- me thinks it would easier to invoke FS with 'franken' only, and also, as it will no longer be considered as a simple script as it was before.

It's like calling Wifite, 'wifitescript'.

thoughts?

@ staticn0de

I've managed to successfully pack FrankenScript into an installable .deb file. :-)

Many thanks for your help mate.

I've had a quick look into hashcat but couldn't get it working using a mask file.
If anyone could help I'd be most greatful.

This worked:
hashcat -m 2500 -a 3 XXXXX.hccap ?d?d?d?d?d?d?d?d

This didn't work:
hashcat -m 2500 -a 3 XXXXX.hccap Default.hcmask

Here's the output:


Initializing hashcat v0.47 by atom with 8 threads and 32mb segment-size...

Added hashes from file XXXXX.hccap: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen


Input.Mode: Mask (D) [1]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (De) [2]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Def) [3]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Defa) [4]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Defau) [5]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Defaul) [6]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Default) [7]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Default.) [8]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Default.h) [9]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Default.hc) [10]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Default.hcm) [11]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Default.hcma) [12]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Default.hcmas) [13]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Default.hcmask) [14]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Sat Oct 4 23:26:04 2014
Stopped: Sat Oct 4 23:26:04 2014

Edit: you're using hashcat, not ocl/cuda?



Hey Slim,

below are two syntax I'm using. The .hccap and .hcmask files being in FrankenScript2/wildHashcat/

?l?u?d,?u?l,?2?l?l?l?1?1?1?1 = min8 max8 | 1 uppercase and lowercase | 3 lowercases | 4 all characters no symbols


cd /usr/share/cudahashcat/ && ./cudaHashcat64.bin -w 3 -t 10 -m 2500 /root/FrankenScript2/wildHashcat/capture.hccap -a 3 /root/FrankenScript2/wildHashcat/8=1Capandlower-3lower-4allnosymbols.hcmask
8=1Capandlower-3lower-4allnosymbols.hcmask
content of that .hcmask

?l?u?d,?u?l,?2?l?l?l?1?1?1?1

sammange
Cabo2012
bali35dC




?l?u?d,?d?d?d?d?1?1?1?1 = min8 max8 | 4 numbers |*4 all characters no symbols


cd /usr/share/cudahashcat/ && ./cudaHashcat64.bin -w 3 -m 2500 /root/FrankenScript2/wildHashcat/capture.hccap -a 3 /root/FrankenScript2/wildHashcat/8=4numbers-4allnosymbols.hcmask
8=4numbers-4allnosymbols.hcmask
content of that .hcmask

?l?u?d,?d?d?d?d?1?1?1?1

87654321
1221JP69
1975Jack

Edit: you're using hashcat, not ocl/cuda?



Hey Slim,

below are two syntax I'm using. The .hccap and .hcmask files being in FrankenScript2/wildHashcat/

?l?u?d,?u?l,?2?l?l?l?1?1?1?1 = min8 max8 | 1 uppercase and lowercase | 3 lowercases | 4 all characters no symbols


cd /usr/share/cudahashcat/ && ./cudaHashcat64.bin -w 3 -t 10 -m 2500 /root/FrankenScript2/wildHashcat/capture.hccap -a 3 /root/FrankenScript2/wildHashcat/8=1Capandlower-3lower-4allnosymbols.hcmask
8=1Capandlower-3lower-4allnosymbols.hcmask
content of that .hcmask

?l?u?d,?u?l,?2?l?l?l?1?1?1?1

sammange
Cabo2012
bali35dC




?l?u?d,?d?d?d?d?1?1?1?1 = min8 max8 | 4 numbers |*4 all characters no symbols


cd /usr/share/cudahashcat/ && ./cudaHashcat64.bin -w 3 -m 2500 /root/FrankenScript2/wildHashcat/capture.hccap -a 3 /root/FrankenScript2/wildHashcat/8=4numbers-4allnosymbols.hcmask
8=4numbers-4allnosymbols.hcmask
content of that .hcmask

?l?u?d,?d?d?d?d?1?1?1?1

87654321
1221JP69
1975Jack

Yeah I'm using hashcat at the moment, I really need a new laptop. LOL
I still cant get the mask attack working, I might have another try at some point though.

if I may suggest, sub-contract that portion to staticn0de.

Rap it up, then staticn0de can ship it right back at you with oclHashcat implemented.

if I may suggest, sub-contract that portion to staticn0de.

Rap it up, then staticn0de can ship it right back at you with oclHashcat implemented.

I might do that if staticn0de is up for the job, but I'd still need the standard CPU hashcat implemented too.

Of course I can help.

What do you want to see? This is what i am guessing.

Maybe a menu option (can be burried in the hascat menu) that lets the user select if they use hashcat, oclhashcat or cudahashcat. Depending on the option they select, it can set an option in a file (perhaps /etc/franken.conf) that will make frankeknscript no longer prompt for what they are using. Another menu option will let the user change their selection.

I can make it check it hashcat / oclhashcat is installed and if it isn't ask if the user wants it.

cudahashcat is harder as it's not in the repo. It can link back to my deb I made, otherwise the user will need to download and manually install it.

my friend to the rescue!

I would not deal with installation of ocl/cuda at all. FS is not a software installation program. Don't go there. Plus as you've mentioned, it's a little too tricky. Let the user deal with that separately.

for the menu, yes,

hashcat
oclhashcat
cudahashcat

after selection maybe

convert .cap into .hccap?

then

select the length of the password:user input 8 9 10 ??


Let's see what you come up with....

do we want to cover the whole hashes spectrum, or stay within WPA/2 only? Would be nice to cover every possibility but that's alot of work...


* Generic hash types:

0 = MD5
10 = md5($pass.$salt)
20 = md5($salt.$pass)
30 = md5(unicode($pass).$salt)
40 = md5($salt.unicode($pass))
snip
2500 = WPA/WPA2
snip
8900 = scrypt
9000 = Password Safe v2
9100 = Lotus Notes/Domino 8

* Specific hash types:

11 = Joomla < 2.5.18
12 = PostgreSQL
snip
3711 = Mediawiki B type
62XY = TrueCrypt 5.0+
snip

http://hashcat.net/wiki/doku.php?id=oclhashcat

staticn0de,

Here are the .hcmask I'm using (descriptive name of the file and content of that file). I do believe that it would be a good starting point for any user. FS, however, should be able to go into the wildHashcat folder and bring up any .hcmask file it finds.

8=1Capandlower-3lower-4allnosymbols.hcmask

?l?u?d,?u?l,?2?l?l?l?1?1?1?1

8=4numbers-4allnosymbols.hcmask

?l?u?d,?d?d?d?d?1?1?1?1

9=1Capandlower-4lower-4allnosymbols.hcmask

?l?u?d,?u?l,?2?l?l?l?l?1?1?1?1

9=5numbers-4allnosymbols.hcmask

?l?u?d,?d?d?d?d?d?1?1?1?1

10=1Capandlower-5lower-4allnosymbols.hcmask

?l?u?d,?u?l,?2?l?l?l?l?l?1?1?1?1

10=6numbers-4allnosymbols.hcmask

?l?u?d,?d?d?d?d?d?d?1?1?1?1

Slim,



The captured handshake is bad, the file will be deleted.

[1] = Retry attack.
[q] = Exit attack.
Please choose an option?:


can anyone else reproduce this?

Slim,





can anyone else reproduce this?

Nothing wrong with FS3.
Pyrit checks the capture.cap file for a valid handshake, it looks like yours was bad. lol
Use the retry option until you get a good handshake.

really?

- I've not had 1 good handshake with FS3
- That never happened, not once, with previous versions

completely mystified and skeptic here :confused:

what about that?..


[1] = Basic Set Amount (Is set to send 4 deauth-requests).
[2] = Custom Amount (Input an amount of deauth-requests to send).
[q] = Clean & Exit Script.
Please choose an option: 2



Input the amount of deauthetication requests to send: 8
Invalid destination MAC address.
"aireplay-ng --help" for help.
Invalid destination MAC address.
"aireplay-ng --help" for help.
Checking for a handshake every 7 seconds...
Invalid destination MAC address.
"aireplay-ng --help" for help.
Checking for a handshake every 7 seconds...




something is outa wack =( not getting anywhere with handshakes.

what about that?..







something is outa wack =( not getting anywhere with handshakes.

I found it, it happens after the option "[2] = Deauthenticate a specific client" but before option "[2] = Custom Amount (Input an amount of deauth-requests to send).".

I'll try and fix it as soon as I get chance.

actually, 1 or 2 has the same result...


##############################################
# [1] = Deauthenticate all connected clients #
# [2] = Deauthenticate a specific client #
##############################################
# [s] = Return To Scanned AP's #
# [m] = Return To Main Menu #
# [q] = Clean & Exit Script #
##############################################




Chosen Target:
Fibertel WiFiXXX 20:25:64:XX:XX:XX Signal-44.dBm WPA2_WPA_AES-CCM_TKIP Channel-11

Please choose an option: 1





[1] = Basic Set Amount (Is set to send 4 deauth-requests).
[2] = Custom Amount (Input an amount of deauth-requests to send).
[q] = Clean & Exit Script.
Please choose an option: 1




The captured handshake is bad, the file will be deleted.

[1] = Retry attack.
[q] = Exit attack.
Please choose an option?


Thanks for looking into it :)

actually, 1 or 2 has the same result...

Thanks for looking into it :)

@ Quest

Try this one.
http://mir.cr/UK5C8P1J

@ staticn0de
Here you go, can you only edit the Attack_Capture_Files.sh file please.
I've created the menu options and such, could you fill in the rest please.

http://mir.cr/UK5C8P1J

I would but...


root@kali:~# dpkg -i FrankenScript_v3.1.deb
dpkg: error processing FrankenScript_v3.1.deb (--install):
package architecture (i386) does not match system (amd64)
Errors were encountered while processing:
FrankenScript_v3.1.deb
root@kali:~#

I would but...

Have added multi-arch yet?.

dpkg --add-architecture i386

root@kali:~# dpkg -i FrankenScript_v3.1.deb
Selecting previously unselected package fs3.
(Reading database ... 372400 files and directories currently installed.)
Unpacking fs3 (from FrankenScript_v3.1.deb) ...
Setting up fs3 (3.1) ...
root@kali:~#


nice! :cool: but now... how do you start the **** thing?


root@kali:~# fs3
bash: fs3: command not found
root@kali:~# franken
bash: franken: command not found
root@kali:~# frankenscript
bash: frankenscript: command not found

nice! :cool: but now... how do you start the **** thing?

This repackage should work for everyone.
http://mir.cr/1V6BDGMX

You start FrankenScript by typing fs3.sh

Thank you DL niowwwwwww

What's the correct syntax to remove the previously installed .deb?

I think that repack was bad too, I just re-editted the repack download link with the new repack.
Download it again from the editted link.

confirmed. I've reinstalled my kali image, and this is what I got


root@kali:~# dpkg -i FrankenScript_v3.1_0.deb
dpkg: error processing FrankenScript_v3.1_0.deb (--install):
package architecture (any) does not match system (amd64)
Errors were encountered while processing:
FrankenScript_v3.1_0.deb

DL the second new .deb now

- packaging check
- permissions check

- scans check


same problem for creating a .cap

##############################################
# [1] = Deauthenticate all connected clients #
# [2] = Deauthenticate a specific client #
##############################################
# [s] = Return To Scanned AP's #
# [m] = Return To Main Menu #
# [q] = Clean & Exit Script #
##############################################

Chosen Target:
Telecentro 8C:04:FF:XX:XX:XX Signal-72.dBm WPA2_AES-CCM_TKIP Channel-6

Please choose an option: 2





[1] = Choose A Visable Client To Deauthenticate.
[2] = Input A Client To Deauthenticate.
[q] = Clean & Exit Script.
Please choose an option: 1



Connected Clients:

1: 40:6F:2A:62:FD:7F
2: 44:6D:57:A4:FA:38
3: 7C:E9:D3:82:2F:92
4: 44:33:4C:BD:27:49

NOTE: Press the Enter button to refresh the client list.
[q] = Clean & Exit Script.
Input the number of a client or choose an option: 2





[1] = Basic Set Amount (Is set to send 4 deauth-requests).
[2] = Custom Amount (Input an amount of deauth-requests to send).
[q] = Clean & Exit Script.
Please choose an option: 2






Input the amount of deauthetication requests to send: 8





The captured handshake is bad, the file will be deleted.

[1] = Retry attack.
[q] = Exit attack.
Please choose an option?:



i don't understand this as I never had problems with hanshakes and creating a .cap with FS

same with [1] = Deauthenticate all connected clients




[1] = Basic Set Amount (Is set to send 4 deauth-requests).
[2] = Custom Amount (Input an amount of deauth-requests to send).
[q] = Clean & Exit Script.
Please choose an option: 1



The captured handshake is bad, the file will be deleted.

[1] = Retry attack.
[q] = Exit attack.
Please choose an option?:

- packaging check
- permissions check

- scans check


same problem for creating a .cap


i don't understand this as I never had problems with hanshakes and creating a .cap with FS

I get bad handshakes too, keep trying and you should get a good handshake at some point. lol

but Slim, I never had such problems.

I'm absolute 0/100. I could not have a handshake with FS3 to save my life.

can anyone confirm this?

but Slim, I never had such problems.

I'm absolute 0/100. I could not have a handshake with FS3 to save my life.

can anyone confirm this?

Quest,

I can also not capture handshakes with the new script.

I have not looked into why as I'm busy with work. I'll take a look when I can if Slim does not beat me too it.

but Slim, I never had such problems.

I'm absolute 0/100. I could not have a handshake with FS3 to save my life.

can anyone confirm this?

I just rechecked and noticed I'm having big issues too.
It only seems to happen with some APs/Networks, I could capture a handshake from a certain AP earlier but can't capture from the same AP now.
It's strange cause I didn't change anything since the last time I captured a good handshake.

I'll continue to try and resolve the issue asap.

@ staticn0de
Hope you have better luck than I'm having, stupid thing is getting the better of me. LOL

just glad that i didn't have to check-in to the local mental hospital.

All part of R&D :D Had the same happened to me numerous time, where things would work, then, they would not.

Whatever, I'm really thankful for the time you two put in to this. THANKS

:cool:

Hey guys,

First problem, when I run a wash scan I was getting smashed with

[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...

Changed line 575 of FS3.sh to xterm -geometry 111x23+0+350 -l -lf $HOME/FS3/Temp_Working_Dirctory/Wash_Network_Scan.txt -e wash -i $monX -C &

and it was fixed.

Hey guys,

First problem, when I run a wash scan I was getting smashed with

[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...

Changed line 575 of FS3.sh to xterm -geometry 111x23+0+350 -l -lf $HOME/FS3/Temp_Working_Dirctory/Wash_Network_Scan.txt -e wash -i $monX -C &

and it was fixed.

Are you using an old version of FS3?, wash should be located at line number 695.

I can capture handshakes again, not sure if I solved the problem or if I'm just getting lucky. LOL
Try the following:

Open Deauthenticate_all_clients.sh and edit line number 448

From this:
kill $Kill_Airodump_All_Clients

To this:
sleep 5
kill $Kill_Airodump_All_Clients
sleep 5

Then open Deauthenticate_a_specific_client.sh and edit line number 518

From this:
kill $Kill_Airodump_Specific_Client

To this:
sleep 5
kill $Kill_Airodump_Specific_Client
sleep 5

Please let me know if it solves the problem.

have not tried it, will wait for the next .deb, but that sounds about right to give the process more time to execute. It was way too quick or missing a step(?)

Can you reverse engineer the last FS2(the one in the first post) Slim? Everything was fine for cap handshakes with that version.

just a headsup,

they seem to want adding a cudahashcat package http://git.kali.org/gitweb/?a=project_list;pf=packages

Might want to keep an eye on that as it might change the installation path(?), and possibly affect staticn0de's coding of cudaHashcat into FS3(?).

just a headsup,

they seem to want adding a cudahashcat package http://git.kali.org/gitweb/?a=project_list;pf=packages

Might want to keep an eye on that as it might change the installation path(?), and possibly affect staticn0de's coding of cudaHashcat into FS3(?).

I don't follow you, what are you talking about?

I think I've solved the handshake issue.
I had set FrankenScript to only check for a good handshake, it now checks for a good or workable handshake.

I'll pack it and upload it later.

ok great!!


I don't follow you, what are you talking about?

staticn0de had to create a cudaHashcat .deb weeks ago, because v1.30 was only available for ATi/AMD(oclHashcat) in the repo. Now if they come out with an "official" version of cudaHashcat 1.30, installation path might be different from the cudaHashcat 1.30 static created, thus affecting the command lines.

In other words, cudaHashcat v1.01 was inside the oclHashcat directory.

Then with staticn0de version, it was separated in it's own directory(cudaHashcat).

Now we don't know what the correct path will be.

If everyone uses staticn0de's version of 1.30, then there's no problem, as we know the path. If they come out with another version with a different installation path, then there will be problems.

..confused yet? I am ;)

ok great!!



staticn0de had to create a cudaHashcat .deb weeks ago, because v1.30 was only available for ATi/AMD(oclHashcat) in the repo. Now if they come out with an "official" version of cudaHashcat 1.30, installation path might be different from the cudaHashcat 1.30 static created, thus affecting the command lines.

In other words, cudaHashcat v1.01 was inside the oclHashcat directory.

Then with staticn0de version, it was separated in it's own directory(cudaHashcat).

Now we don't know what the correct path will be.

If everyone uses staticn0de's version of 1.30, then there's no problem, as we know the path. If they come out with another version with a different installation path, then there will be problems.

..confused yet? I am ;)

I think I follow what you're saying LOL, hopefully staticn0de will have it covered.

but wait,

the reason why v1.01 was all the the same directory was because both cuda and ocl share the same files, so if someone wants to use both cuda and ocl now, they will have to install oclHashcat twice. Once for cuda and the other for ocl. So we might see them coming full circle and revert back to the 1 version solution in the future.

let me know when you're about ready to jump out the window and I'll stop. lol


The real reason behind the development of oclHashcat-lite was that too many people compared apples to oranges. Back in the days when there was only oclHashcat and oclHashcat-plus people compared them against pure single-hash and brute-force-only crackers such as IGHASHGPU, whitepixel or BarsWF. They took the “cracking performance” as the most important factor for comparison.

The “cracking performance” itself is not the most important factor in cracking passwords. The most important factor is how fast it can crack a password. A big difference, and one that oclHashcat and oclHashcat-plus focused on. The best “cracking performance” however can only be achieved only by using both the pure single-hash and brute-force attack vectors.

:confused:

I really appreciate the work they have done overthrere but they seriously need un-confuse their creation.

but wait,

the reason why v1.01 was all the the same directory was because both cuda and ocl share the same files, so if someone wants to use both cuda and ocl now, they will have to install oclHashcat twice. Once for cuda and the other for ocl. So we might see them coming full circle and revert back to the 1 version solution in the future.

let me know when you're about ready to jump out the window and I'll stop. lol



:confused:

I really appreciate the work they have done overthrere but they seriously need un-confuse their creation.

Sounds like a bit of a headache if you ask me LOL.
Think it might be wise if you and staticn0de handled all that, I'll stick to what I know which isn't much. LOL

Updated FrankenScript 8-10-14.

Download Link:
http://mir.cr/XTYJXX7W

wait,

ocl, refers to both nvidia and ati, as it is the name of the program, but when it comes to installation, ocl refers only to ATi and cuda to it's counter part, nVidia.

do not jump Slim! We all need you!!



Updated FrankenScript 8-10-14.

Download Link:
http://mir.cr/XTYJXX7W
Yes DLing miow

How do you uninstall the previous FS3?

How do you uninstall the previous FS3?

I can't remember for sure, try the following:

dpkg -r FrankenScript_v3.1

or

dpkg -r fs3

or

dpkg -r fs3.sh

Thanks.

ok big prbs with the last version. The scans don't work.

airodump: The second window shoing the scan does not apear.

wash:
Chosen monitor interface: mon0

Scanning For Available Networks, Please Wait...

Press [Enter] to stop the wash scan and continue.xterm: cannot open /usr/share/Temp_Working_Dirctory/Wash_Network_Scan.txt: 2:No such file or directory


# [1] = iw dev scan: does not work



hopefully it' only me.

yep I think you forgot a step in the packaging, or something very basic is missing.


System: Linux 3.14-kali1-amd64 x86_64
Available WiFi Devices: Multiple
System Mode Status: Networking Mode Is Enabled

Please choose an option: q

ls: cannot access /usr/share/Temp_Working_Dirctory/Handshake_Cracking: No such file or directory
ls: cannot access /usr/share/Temp_Working_Dirctory: No such file or directory
root@kali:~#

does not create the two files in Temp, and multiple other error messages..

I have 19 files in my script folder. Maybe I need another coffee but looks like I'm missing a couple of feathers?

VERY IMPORTANT WARNING

DO NOT USE THE [R] OPTION TO REMOVE/UNINSTALL FRANKENSCRIPT, DOING SO WILL KILL YOUR SYSTEM.

Please wait for further information.

@ Quest

The problem is the path location, I missed out a folder name.
I'll fix it when i've re-installed kali AGAIN.

hello everybody.
just got the script:
got handshakes captured in .cap files. But I can't see them in Available Capture Files list of the Attack Handshake Files menu...



Available Capture Files.
########################



Please input the number of your chosen capture file:
./FrankenScript2.sh: line 2381: /root/FrankenScript2/Temp_Working_Dirctory/Handshake_Cracking/Handshake_File.txt: No such file or directory
cat: /root/FrankenScript2/Temp_Working_Dirctory/Handshake_Cracking/Chosen_capture_file.txt: No such file or directory

the Handshake files are in Captured_Handshakes/ directory.

Am i missing something?

To uninstall/remove the previous FrankenScript type: dpkg -r FrankenScript_v3.1 or dpkg -r fs3

Updated FrankenScript (9-10-14).
Fixed the uninstall problem.
Fixed location paths.

Download Link:
http://mir.cr/DHEDYWHS

To start the script type fs3.sh into a terminal.
To uninstall/remove FrankenScript type dpkg -r fs3 into a terminal, or use the [R] option in the FrankenScript menu.

hey Slim, you fixed it! I can cap handshakes..



ERROR: could not insert 'nvidia': No such device
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file '/usr/share/FS3/Temp_Working_Dirctory/Deauthenticate_a_client_8C04FFBA5075/psk-01.cap' (1/1)...
Parsed 7 packets (7 802.11-packets), got 1 AP(s)

#1: AccessPoint 8c:04:ff:ba:50:75 ('Xxxxxxxx')
#0: Station 68:ed:43:76:8e:11
#1: Station 40:6f:2a:62:fd:7f, 1 handshake(s)
#1: HMAC_SHA1_AES, good, spread 1

New pcap-file '/usr/share/FS3/Temp_Working_Dirctory/Deauthenticate_a_client_8C04FFBA5075/Stripped.cap' written (4 out of 7 packets)
ERROR: could not insert 'nvidia': No such device

The captured handshake is good or workable, Xxxxxxxx.cap will be coppied to /usr/share/FS3/Captured_Handshakes

Press [Enter] to continue.

Bully works but a couple of questions



# [4] = Bully & Default WPS Pin Keygens #

Bully & WPS-Pin Attack Command:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX -F -B -l 60 -v 3 -p 65822746 <---- has brutforce enabled

Press [Enter] to launch the attack.




# [5] = Bully Bruteforce Settings

Bully Bruteforce Attack Command:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX -F -l 60 -v 3 <------ does not have brutforce enabled

Press [Enter] to launch the attack.
kinda confusing. Which one does a "bruteforce attack" ?




# [6] = Bully Custom Settings

Bully Current Attack Command:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX -v 3 <------two spaces before "-v"?

Please input any additional Bully options:




Bully Custom Attack Command:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX

Press [Enter] to launch the attack.



[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '8'
[!] Using '4c:a3:c8....' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '64:70:02:..' on channel '8'
[+] Got beacon for 'MJYS01' (64:70:02:...)
[+] Loading randomized pins from '/root/.bully/pins'
[!] Restoring session from '/root/.bully/647xxxxxx.run'
[!] WARNING: WPS checksum was bruteforced in prior session, now autogenerated
[X] Use --force to ignore above warning(s) and continue anyway

Bully was cancelled or it failed.

- shouldn't that be the first option (# [4] in the menu) as it is the simplest attack?
- and the first one (with the -p argument) the last attack option as it is the most sophisticated?

Bully works but a couple of questions

kinda confusing. Which one does a "bruteforce attack" ?

- shouldn't that be the first option (# [4] in the menu) as it is the simplest attack?
- and the first one (with the -p argument) the last attack option as it is the most sophisticated?

Go by the title of the attack rather than the commands and you won't get confused. LOL
I think the nvidia error your getting is due to a problem with your setup (I THINK lol), I've just done a fresh install and don't get the issue you get.

re-read my post Slim. I'm not saying anything about the nvidia error. That is definitely on my end ;)

re-read my post Slim. I'm not saying anything about the nvidia error. That is definitely on my end ;)

So everything is working ok for you then?.

Can you update the first page please, that's if everything is working ok.

@ Quest

Can you do me a favour please,
Can you try cracking a wpa password using hashcat and a mask file, then post the commands used as well as the actually mask file.

sure thing bro..


I've never used hashcat(CPU), only cudaHashcat(GPU). Will edit this post.

EDIT: I don't see a 'mask' folder in the hashcat directory. Doesn't look good...

got me completely stumped, and a web search shows that no one has figured it out. Not 1 syntax shows hashcat using a .hcmask



http://hashcat.net/forum/thread-2532.html

... so we might be dealing with more 'name convention' confusion. At least they got me confused, so everything is normal xD


Edit #5:

what they call a "mask" for hashcat is things like a word list. Not a .hcmask
So it's a "naming the file convention" problem. Anyways it will be easier and faster for you(or anyone) to just go to the store and buy another ATi or nVidia equipped lappy for ocl/cuda, than to try and figure this out lol

sure thing bro..


I've never used hashcat(CPU), only cudaHashcat(GPU). Will edit this post.

EDIT: I don't see a 'mask' folder in the hashcat directory. Doesn't look good...

got me completely stumped, and a web search shows that no one has figured it out. Not 1 syntax shows hashcat using a .hcmask



http://hashcat.net/forum/thread-2532.html

... so we might be dealing with more 'name convention' confusion. At least they got me confused, so everything is normal xD


Edit #5:

what they call a "mask" for hashcat is things like a word list. Not a .hcmask
So it's a "naming the file convention" problem. Anyways it will be easier and faster for you(or anyone) to just go to the store and buy another ATi or nVidia equipped lappy for ocl/cuda, than to try and figure this out lol

I wanted to add hashcat to FrankenScript so people with netbooks and tablets could benefit too.
Cheers for looking into it for me matey.

hello everybody.
just got the script:
got handshakes captured in .cap files. But I can't see them in Available Capture Files list of the Attack Handshake Files menu...



Available Capture Files.
########################



Please input the number of your chosen capture file:
./FrankenScript2.sh: line 2381: /root/FrankenScript2/Temp_Working_Dirctory/Handshake_Cracking/Handshake_File.txt: No such file or directory
cat: /root/FrankenScript2/Temp_Working_Dirctory/Handshake_Cracking/Chosen_capture_file.txt: No such file or directory

the Handshake files are in Captured_Handshakes/ directory.

Am i missing something?

Hi wn722 (good choice, luv my tp-link wn722n),

don't know what happened there, we missed your post!??

Do you still have a problem with the above quote? Sorry for the delay :S

hello everybody.
just got the script:
got handshakes captured in .cap files. But I can't see them in Available Capture Files list of the Attack Handshake Files menu...



Available Capture Files.
########################



Please input the number of your chosen capture file:
./FrankenScript2.sh: line 2381: /root/FrankenScript2/Temp_Working_Dirctory/Handshake_Cracking/Handshake_File.txt: No such file or directory
cat: /root/FrankenScript2/Temp_Working_Dirctory/Handshake_Cracking/Chosen_capture_file.txt: No such file or directory

the Handshake files are in Captured_Handshakes/ directory.

Am i missing something?

Sorry I missed your post.
You're not missing anything lol, the problem is due to FrankenScript.
I advise you to update to the latest version, you should be able to find it on the first page or just below the post you made.

*** happened there, did his post just appeared on the last page or am I bugging out?

*** happened there, did his post just appeared on the last page or am I bugging out?

It beats the **** out of me how that happened, all I know is it wasn't there before. LOL

I've changed the handshake capture attack and will be adding a new feature to FrankenScript soon.
It should all be included in the next update. :-)

ok great!

I have my own laundry list whenever you have time, starting with post #139. That's not clear to me at all.

@ Quest, Regarding post 139.

[4] = Bully & Default WPS Pin Keygens:
Option 4 would be the quickest attack so I thought it made sense to list it first.
I couldn't get option 4 to work until I added -F.

[5] = Bully Bruteforce Settings:
Option 5 would take longer than option 4 so I thought it made sense to list it after option 4.
I couldn't get option 5 to work until I added -F.

[6] = Bully Custom Settings:
Option 6 is more for advanced users and will probably be the least used, so I thought it should be placed last in the list.

I'm not sure what you mean here "Bully Current Attack Command:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX -v 3 <------two spaces before "-v"?"

yes, I understood that logic, but I didn't(still don't) agree lol

[6] = Bully Custom Settings:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX -v 3
is the simplest formula of the three, and probly the most efficient for most users, anytime, anywhere (easy does it, remember?). Then the user can build on that as an option.

[4] = Bully & Default WPS Pin Keygens:
The '-p' option is rarely used with Bully or (Reaver v1.4 fork r3). Only in weird AP cases would anyone resort to that trick. Please educate me if I'm missing something here, but the few times I had to use to the '-p' argument specifying the first 4 pin number, it's because Reaver had issues in a previous/botched session. So that should be last option imo.


[5] = Bully Bruteforce Settings:
if you could just rename that attack, I wouldn't have an issue with it.


The two spaces before the '-v 3' in # [6] = Bully Custom Settings results in this...


bully mon0 -c 8 -b 64:70:02:XX:XX:XX the '-v 3' argument is not there.
Try it yourself you will see.

actually all three attacks should have a 'user input' as an option.

[4] = Bully Easy Settings With User Input Option:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX -v 3

[5] = Bully Bruteforce Settings With User Input Option:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX -F -B -l 60 -v 3

[6] = Bully & Default WPS Pin Keygens With User Input Option:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX -F -B -l 60 -v 3 -p 65822746

actually all three attacks should have a 'user input' as an option.

[4] = Bully Easy Settings With User Input Option:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX -v 3

[5] = Bully Bruteforce Settings With User Input Option:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX -F -B -l 60 -v 3

[6] = Bully & Default WPS Pin Keygens With User Input Option:
bully mon0 -c 8 -b 64:70:02:XX:XX:XX -F -B -l 60 -v 3 -p 65822746

I left the -v out of Bully Custom Settings because some people might not want to see the output for whatever reason, wouldn't be customs settings if I forced people to use -v, besides it can still be added by the user.

The other two bully attacks are preset so even a dumb *** could perform the attack. LOL
Anyway there is no need to have user input for them when there is a custom setting option they can choose, the custom option can perform every bully attack.
So you see if I changed the other two to have user input it would be like having three of the same options, but two of them limited and pointless.

I left the -v out of Bully Custom Settings because some people might not want to see the output for whatever reason, wouldn't be customs settings if I forced people to use -v, besides it can still be added by the user.
I agree.



The other two bully attacks are preset so even a dumb *** could perform the attack. LOL
Anyway there is no need to have user input for them when there is a custom setting option they can choose, the custom option can perform every bully attack.
So you see if I changed the other two to have user input it would be like having three of the same options, but two of them limited and pointless.
I disagree.

Let's wait for more user input on the matter. I'm not a Bully/Reaver expert :]

Packaging
- the '()' should not be used when creating a .deb because it won't install.

Invoke
- fs3.sh, is version specific(3). I do not have to type in wifitev82 when invoking Wifite or Reaver.

Scans
- it is counter-intuitive to click on the first window and press [Enter] when stopping airodump or wash. [Ctrl]+[c] should be allowed to stop the process in the second window, and that would return the 'Enter' in the first window.

Features
- Script Launcher, that was useful.
- verify a .cap option separately would be useful also. cowpatty -r Xxxxxxx.cap -c , pyrit -r Xxxxxxx.cap analyze

...

Hello all,
it's a long time I'm following with great interest the FrankenScript thread, thank you Slim for your work and Quest for your tests!
I'd add a couple of items to Quest's laundry list:

1) giving the user the chance to increase TX power with three options - 27, 30 and, maybe, 33db for those 2000 milliwatt devices (if I'm not wrong 30 is for up to 1000 mW devices).
2) giving the user the chance to use the --band parameter of Airmon in order to scan both 2.4 and 5Ghz band.

A question or two about Bully bruteforce attack (my apologies if Quest has already asked that but I haven't found the messages): shouldn't the -B option be used in the command?
And shouldn't be better if the user would be asked for the deletion of the file aabbccddeeff.run, located in /root/.bully, if existing?
I ask this because I wonder if that file could be still useful if I change the Bully attack type on the same A/P.
Then I've another question about Bully but I have to copy&paste the messages on terminal, I'll post it later.
Many thanks in advance!
Best regards

Angelo

Here's the console after launching Bully (sorry for the long message):

~# bully mon0 -c 1 -b aa:bb:cc:dd:ee:ff -F -l 60 -v 3 -B

[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '1'
[!] Using 'gg:hh:ii:jj:kk:ll' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from 'aa:bb:cc:dd:ee:ff' on channel '1'
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Excessive (3) FCS failures while reading next packet
[!] Disabling FCS validation (assuming --nofcs)
[+] Got beacon for 'xxxxxxxxxxxxx' (aa:bb:cc:dd:ee:ff)
[+] Loading randomized pins from '/root/.bully/pins'
[+] Index of starting pin number is '00000000'
[+] Last State = 'NoAssoc' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( ID ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( M2 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( M2 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( Assn ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( ID ) = 'Timeout' Next pin '58840458'
[+] Rx( ID ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( ID ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( ID ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( Auth ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( ID ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( ID ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( M2 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( M2 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( Auth ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( Auth ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( ID ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( ID ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'

Then I did a CTRL+C.
So I'd like to know:

1) whick kind of file is '/root/.bully/pins' and how it works?
2) why the pin is always '58840458'?

As you can see I added the -B parameter, but with or without it the console messages are the same.
Thanks again!

Angelo

Hello all,
it's a long time I'm following with great interest the FrankenScript thread, thank you Slim for your work and Quest for your tests!
I'd add a couple of items to Quest's laundry list:

1) giving the user the chance to increase TX power with three options - 27, 30 and, maybe, 33db for those 2000 milliwatt devices (if I'm not wrong 30 is for up to 1000 mW devices).
2) giving the user the chance to use the --band parameter of Airmon in order to scan both 2.4 and 5Ghz band.

A question or two about Bully bruteforce attack (my apologies if Quest has already asked that but I haven't found the messages): shouldn't the -B option be used in the command?
And shouldn't be better if the user would be asked for the deletion of the file aabbccddeeff.run, located in /root/.bully, if existing?
I ask this because I wonder if that file could be still useful if I change the Bully attack type on the same A/P.
Then I've another question about Bully but I have to copy&paste the messages on terminal, I'll post it later.
Many thanks in advance!
Best regards

Angelo

You're welcome mate.

I didn't include a TX power option because I believe there is a change it could damage some wireless network cards.
I still might add the TX power option and add a big warning to go with it. LOL

Regarding the --band parameter of Airmon in order to scan both 2.4 and 5Ghz band.
I didn't know about it until you mentioned it, could you post the commands and explain a little about it please.

Regarding the Bully pin issue.
I've only used Bully a few times and don't know much about it, but I think your pin issue might be because of a weak or intermittent signal.

Ok now I'm completely confused about the bully bruteforce attack, can someone post the proper commands and double/triple check they're correct please.

Regarding the --band parameter of Airmon in order to scan both 2.4 and 5Ghz band.
I didn't know about it until you mentioned it, could you post the commands and explain a little about it please.
Sorry Slim, I meant Airodump, my bad.


I didn't include a TX power option because I believe there is a change it could damage some wireless network cards.
I still might add the TX power option and add a big warning to go with it. LOL
Fair enough.
I could add a script, or more than one with different power settings, to launch depending which adapter I'm using.


Regarding the Bully pin issue.
I've only used Bully a few times and don't know much about it, but I think your pin issue might be because of a weak or intermittent signal.
I'd say it's not something related to a weak or intermittent signal, let me try to explain: I noticed this problem using three different adapters on different locations, different adapters but all of them using the same driver (rt2800usb) so I wonder if doing a kernel update to a 3.16 version (as per instructions found here (https://forums.kali.org/showthread.php?22638-rtl8723be-wireless-driver-installation&p=37193&viewfull=1#post37193)) could fix some problems.
I still wonder if the pin problem could be related to a bad/corrupted pins file (opened it and it isn't human readable, at least for me, so I don't know if it's corrupted, binary or whatever else).
Any thought about the deletion of aabbccddeeff.run located in /root/.bully, if existing?

sorry I was out.

Not sure what you want us to do Slim. The -B argument in Bully is bruteforce.



1) giving the user the chance to increase TX power with three options - 27, 30 and, maybe, 33db for those 2000 milliwatt devices (if I'm not wrong 30 is for up to 1000 mW devices).
Great idea as it seems to be popular, but just a side note to all, increasing your TX power does not augment the received signals strength. Unfortunately.



2) giving the user the chance to use the --band parameter of Airmon in order to scan both 2.4 and 5Ghz band.
Nice!! Thank you. Had no idea also.



A question or two about Bully bruteforce attack (my apologies if Quest has already asked that but I haven't found the messages): shouldn't the -B option be used in the command?
yess the score is now 2-1 lalalallaaallalalala



And shouldn't be better if the user would be asked for the deletion of the file aabbccddeeff.run, located in /root/.bully, if existing?
I ask this because I wonder if that file could be still useful if I change the Bully attack type on the same A/P.
i must admit my cluelessness on that one. But please educate us on that .run file.




Regarding the Bully pin issue.
I've only used Bully a few times and don't know much about it, but I think your pin issue might be because of a weak or intermittent signal.
yup that's what I'm thinking.

i must admit my cluelessness on that one. But please educate us on that .run file.

I'm still have a delay with the messages posted as they still must be moderator-approved, so sorry if you see my messages with some delay (this is my fourth post and I'm still waiting for the third one).
About the .run file, it seems that Bully save a sort of temp file on /root/.bully that should be recalled if the attack is interrupted so no need to restart from the beginning, but in the same time I wonder what happen if I change the Bully attack to the same A/P.
For example, I start a certain type of attack to the A/P on aa:bb:cc:dd:ee:ff, so a aabbccddeeff.run file is created under /root/.bully/.
Then I stop the attack, or it fails, and the .run file is still located under /root/.bully/.
I then launch a different attack, or even the same attack as before but with different parameters: I see that Bully check for the aabbccddeeff.run file and it find the previous one but no clues about how it will manage the contents, I don't know if Bully try to continue starting from the last try or what, I'm worried about the fact that the actual attack is 'dirtied' because the previous one (I hope I was able to explain myself in an understandable way, sorry but English is not my native language).

I'm still have a delay with the messages posted as they still must be moderator-approved, so sorry if you see my messages with some delay (this is my fourth post and I'm still waiting for the third one).
About the .run file, it seems that Bully save a sort of temp file on /root/.bully that should be recalled if the attack is interrupted so no need to restart from the beginning, but in the same time I wonder what happen if I change the Bully attack to the same A/P.
For example, I start a certain type of attack to the A/P on aa:bb:cc:dd:ee:ff, so a aabbccddeeff.run file is created under /root/.bully/.
Then I stop the attack, or it fails, and the .run file is still located under /root/.bully/.
I then launch a different attack, or even the same attack as before but with different parameters: I see that Bully check for the aabbccddeeff.run file and it find the previous one but no clues about how it will manage the contents, I don't know if Bully try to continue starting from the last try or what, I'm worried about the fact that the actual attack is 'dirtied' because the previous one (I hope I was able to explain myself in an understandable way, sorry but English is not my native language).

No need to be sorry for anything mate, I think your english is very good.
The files you mention are located at /root/.bully and I think they get overwritten every time you perform an attack.

No, I checked right now and those .run files are not overwritten, if you open them you see the 'history' of the attack with every pin used.

little voodoo stuff with your coffee?

I'm trying to test the above and my returns says:


Saved session to '/root/.bully/98fcxxxxxxxx.run'

but I do not have such file in root (Home). No .bully, no .run to be found in root. Weird.

So I cannot help with that, I don't even have that .run file.

It's an hidden folder, when I set my system in order to show hidden files and folders I then saw a lot of folders beginning with . (such .bully).

little voodoo stuff with your coffee?

I'm trying to test the above and my returns says:



but I do not have such file in root (Home). No .bully, no .run to be found in root. Weird.

So I cannot help with that, I don't even have that .run file.

Show Hidden Files ;-) LOL

I see what you are saying about the -B argument..


-B, --bruteforce : Bruteforce the WPS pin checksum digit [No]

what they mean by "bruteforce" concern only the checksum digit...

What did you mean Slim by 'bruteforce'? Check all combination of 8 numbers possible for APs that do not follow the 4-3-1 convention?

Because the only one that offers a true bruteforce is reaver 1.4 fork r3, with the '-X' argument. Takes alot longer.

It's an hidden folder, when I set my system in order to show hidden files and folders I then saw a lot of folders beginning with . (such .bully).


Show Hidden Files ;-) LOL

yes i got them. The problem is that Bully does not offer to start from the beginning. I wouldn't worry about that too much, because once a pin is tested, it is tested, regardless of the arguments. But when using the '-p' argument to start with a given pin, will it cycle trough all pins? That would be my question.

Slim, as I said before (can't remember where), Reaver 1.4 has difficulties with certain APs. I find it useful (necessary) to use reaver 1.3, reaver 1.4 fork r3, or bully.

Any chance you could incorporate reaver 1.3 and, reaver 1.4 fork r3 in FS? Otherwise I have to un/install reaver.

Speaking about Bully, could this (http://superuser.com/questions/746332/bully-for-wps-wireless-auditing-is-it-possible-to-continue-an-interrupted-bru) page be useful?
Anyway there's something into the commands syntax that seems wrong (check first two examples, same syntax but different behaviour), still to check that.

Tried now.
First try: sudo bully mon0 --bssid aa:bb:cc:dd:ee:ff -v 3 --bruteforce
Messages:
Loading randomized pins from '/root/.bully/pins'
Restoring sessions from '/root/.bully/aabbccddeeff.run'
WARNING: Randomized search requested but prior session was sequential
Use --force to ignore above warning(s) and continue anyway.

Second try: sudo bully mon0 --bssid aa:bb:cc:dd:ee:ff -v 3 --bruteforce --force
Messages:
Index of starting pin number is '89244548'
Then lot of messages "Next pin '57292736'", pin never changed.

Third try: sudo bully mon0 --bssid aa:bb:cc:dd:ee:ff -v 3 --bruteforce --pin 00000001
Messages:
Starting pin specified, defaulting to sequential mode
Restoring session from '/root/.bully/aabbccddeeff.run' (so it restore the session even if I use the --pin parameter)
WARNING: Sequential search requested but prior session was randomized

Fourth try: sudo bully mon0 --bssid aa:bb:cc:dd:ee:ff -v 3 --bruteforce --pin 00000001 --force
Same as second try, first pin as per parameter given but it never change.
Tried even using the -S parameter (force sequential pins) without giving the --pin parameter, it started with 00000001 but it never changed.

and does deleting the .bin and start a new session with that AP solve that problem?

Slim, as I said before (can't remember where), Reaver 1.4 has difficulties with certain APs. I find it useful (necessary) to use reaver 1.3, reaver 1.4 fork r3, or bully.

Any chance you could incorporate reaver 1.3 and, reaver 1.4 fork r3 in FS? Otherwise I have to un/install reaver.

I'm not sure but we can try.
Do you know if the dependencies are the same for all the different versions of reaver?.
What architecture are you using?.

Great!

x64

The dependencies are the same.

apt-get install libsqlite3-dev && apt-get install libpcap0.8-dev

Reaver 1. 0/1/2/3/4 http://code.google.com/p/reaver-wps/downloads/list

Reaver 1.4 fork r3 https://code.google.com/p/reaver-wps-fork/
Original thread https://code.google.com/p/reaver-wps/issues/detail?id=195


That would rock. Alot of ppl are reporting that 1.3 works better than 1.4. You would make alot of friends.

1.4 fork r3 has some good features.

Great!

x64

The dependencies are the same.

apt-get install libsqlite3-dev && apt-get install libpcap0.8-dev

Reaver 1. 0/1/2/3/4 http://code.google.com/p/reaver-wps/downloads/list

Reaver 1.4 fork r3 https://code.google.com/p/reaver-wps-fork/
Original thread https://code.google.com/p/reaver-wps/issues/detail?id=195


That would rock. Alot of ppl are reporting that 1.3 works better than 1.4. You would make alot of friends.

1.4 fork r3 has some good features.

I got good news and bad news for you.
The good news is I've done it already, it was easy. ;)

FrankenScript can now use Reaver 1.3, Reaver 1.4 fork r3 and whatever version you currently have installed.
No need to keep installing/uninstalling to use a different versions of reaver, and I think it might even be possible to perform multiple attacks simultaneously while using different versions of reaver.

Now for the bad news.
I haven't added it to the current version of FrankenScript, I've added it to the new one I'm currently writing.

really!?

i'M gonna need a howtoo on that one.

How do you install another version of reaver without uninstalling first?
How do you invoke a reaver if there are many?

Anyways that is really cool. Never asked before as I did not think it was feasible. Can't stop progress!

no difference betwenn 1.3 and 1.4. Only three more option with fork r3.



Reaver v1.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

Required Arguments:
-i, --interface=<wlan> Name of the monitor-mode interface to use
-b, --bssid=<mac> BSSID of the target AP

Optional Arguments:
-m, --mac=<mac> MAC of the host system
-e, --essid=<ssid> ESSID of the target AP
-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
-o, --out-file=<file> Send output to a log file [stdout]
-s, --session=<file> Restore a previous session file
-a, --auto Auto detect the best advanced options for the target AP
-f, --fixed Disable channel hopping
-5, --5ghz Use 5GHz 802.11 channels
-v, --verbose Display non-critical warnings (-vv for more)
-q, --quiet Only display critical messages
-h, --help Show help

Advanced Options:
-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin
-d, --delay=<seconds> Set the delay between pin attempts [1]
-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [315]
-g, --max-attempts=<num> Quit after num pin attempts
-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
-t, --timeout=<seconds> Set the receive timeout period [5]
-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]
-S, --dh-small Use small DH keys to improve crack speed
-L, --ignore-locks Ignore locked state reported by the target AP
-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
-n, --nack Target AP always sends a NACK [Auto]
-w, --win7 Mimic a Windows 7 registrar [False]

Example:
reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv










Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

Required Arguments:
-i, --interface=<wlan> Name of the monitor-mode interface to use
-b, --bssid=<mac> BSSID of the target AP

Optional Arguments:
-m, --mac=<mac> MAC of the host system
-e, --essid=<ssid> ESSID of the target AP
-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
-o, --out-file=<file> Send output to a log file [stdout]
-s, --session=<file> Restore a previous session file
-C, --exec=<command> Execute the supplied command upon successful pin recovery
-D, --daemonize Daemonize reaver
-a, --auto Auto detect the best advanced options for the target AP
-f, --fixed Disable channel hopping
-5, --5ghz Use 5GHz 802.11 channels
-v, --verbose Display non-critical warnings (-vv for more)
-q, --quiet Only display critical messages
-h, --help Show help

Advanced Options:
-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin
-d, --delay=<seconds> Set the delay between pin attempts [1]
-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
-g, --max-attempts=<num> Quit after num pin attempts
-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
-t, --timeout=<seconds> Set the receive timeout period [5]
-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]
-A, --no-associate Do not associate with the AP (association must be done by another application)
-N, --no-nacks Do not send NACK messages when out of order packets are received
-S, --dh-small Use small DH keys to improve crack speed
-L, --ignore-locks Ignore locked state reported by the target AP
-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
-n, --nack Target AP always sends a NACK [Auto]
-w, --win7 Mimic a Windows 7 registrar [False]

Example:
reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv









Reaver v1.4 (fork r3) WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

Required Arguments:
-i, --interface=<wlan> Name of the monitor-mode interface to use
-b, --bssid=<mac> BSSID of the target AP

Optional Arguments:
-m, --mac=<mac> MAC of the host system
-e, --essid=<ssid> ESSID of the target AP
-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
-o, --out-file=<file> Send output to a log file [stdout]
-s, --session=<file> Restore a previous session file
-C, --exec=<command> Execute the supplied command upon successful pin recovery
-D, --daemonize Daemonize reaver
-a, --auto Auto detect the best advanced options for the target AP
-f, --fixed Disable channel hopping
-5, --5ghz Use 5GHz 802.11 channels
-v, --verbose Display non-critical warnings (-vv for more)
-q, --quiet Only display critical messages
-h, --help Show help

Advanced Options:
-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin
-d, --delay=<seconds> Set the delay between pin attempts [1]
-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
-g, --max-attempts=<num> Quit after num pin attempts
-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
-t, --timeout=<seconds> Set the receive timeout period [5]
-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]
-A, --no-associate Do not associate with the AP (association must be done by another application)
-N, --no-nacks Do not send NACK messages when out of order packets are received
-S, --dh-small Use small DH keys to improve crack speed
-L, --ignore-locks Ignore locked state reported by the target AP
-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
-n, --nack Target AP always sends a NACK [Auto]
-w, --win7 Mimic a Windows 7 registrar [False]
-X, --exhaustive Set exhaustive mode from the beginning of the session [False]
-1, --p1-index Set initial array index for the first half of the pin [False]
-2, --p2-index Set initial array index for the second half of the pin [False]

Example:
reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv

disregard my questions in post #178. Just massive confusion on my part with anything linux.

Have you got Reaver v1.4 (fork r3) installed on your system, or did you copy and paste the info from another source?.

i had to install it to make sure the info(arguments) were accurate...

decompress the archive in root.


cd /root/reaver-1.3/src -or- cd /root/reaver-wps-fork-read-only/src
./configure
make distclean && ./configure
make
make install

I get the following output from the 1.4-r3 fork (From your link), is this correct?.

Reaver v1.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

Required Arguments:
-i, --interface=<wlan> Name of the monitor-mode interface to use
-b, --bssid=<mac> BSSID of the target AP

Optional Arguments:
-m, --mac=<mac> MAC of the host system
-e, --essid=<ssid> ESSID of the target AP
-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
-o, --out-file=<file> Send output to a log file [stdout]
-s, --session=<file> Restore a previous session file
-C, --exec=<command> Execute the supplied command upon successful pin recovery
-D, --daemonize Daemonize reaver
-a, --auto Auto detect the best advanced options for the target AP
-f, --fixed Disable channel hopping
-5, --5ghz Use 5GHz 802.11 channels
-v, --verbose Display non-critical warnings (-vv for more)
-q, --quiet Only display critical messages
-h, --help Show help

Advanced Options:
-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin
-d, --delay=<seconds> Set the delay between pin attempts [1]
-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
-g, --max-attempts=<num> Quit after num pin attempts
-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
-t, --timeout=<seconds> Set the receive timeout period [5]
-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]
-A, --no-associate Do not associate with the AP (association must be done by another application)
-N, --no-nacks Do not send NACK messages when out of order packets are received
-S, --dh-small Use small DH keys to improve crack speed
-L, --ignore-locks Ignore locked state reported by the target AP
-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
-n, --nack Target AP always sends a NACK [Auto]
-w, --win7 Mimic a Windows 7 registrar [False]
-X, --exhaustive Set exhaustive mode from the beginning of the session [False]
-1, --p1-index Set initial array index for the first half of the pin [False]
-2, --p2-index Set initial array index for the second half of the pin [False]

wow, mine never said
Reaver v1.5 where or how did you get this? Was that your edit? Mine(reaver 1.4 fork r3) says Reaver 1.4

Othere than that, yes, the arguments are the same as mine(-1, -2, -X).

Great!

x64

The dependencies are the same.

apt-get install libsqlite3-dev && apt-get install libpcap0.8-dev

Reaver 1. 0/1/2/3/4 http://code.google.com/p/reaver-wps/downloads/list

Reaver 1.4 fork r3 https://code.google.com/p/reaver-wps-fork/
Original thread https://code.google.com/p/reaver-wps/issues/detail?id=195


That would rock. Alot of ppl are reporting that 1.3 works better than 1.4. You would make alot of friends.

1.4 fork r3 has some good features.

I got it from your post, and I did a copy and paste without any editting.

So another version was uploaded, without the maker saying anything. That is not Reaver 1.5, as it does not exist. It is a fork of 1.4

They are driving me nuts with their file naming.

let me re-download it then...

Edit: Wait i see it now.


r8
Included exhaustive, p1_index and p2_index options Also, if the WPS pin is not found while running in normal mode, instead of exiting, it jumps into exhaustive mode and starts de loop again.
Jan 4, 2014
c.sala.stq
r7
Improved verbose messages and status print (now it includes elapsed and estimated time) Also, in this version I fixed a potential bug, which was probably the cause of the Issue number 1 (Segmentation fault exception)
Jan 4, 2014
c.sala.stq
r6
Fixed the issue 195 of the original reaver-wps project: Stuck at 99% The problem was that the pin_count never reached the get_max_pin_attempts value, so the loop was never broken I replaced the pin_count variable with a function which calculates the current pin_count on the fly
Jan 4, 2014
c.sala.stq
r5
Autoindented ALL code files. (No further changes included) Indention was done using vim defaults, with the following options: set shiftwidth=4 set softtabstop=4 set expandtab
Jan 4, 2014
c.sala.stq
r4
Revert the last revision to apply the changes in a cleaner way
Jan 4, 2014
c.sala.stq
r3
1. Fixed the 99.9% never ending loop: If the end is reached without success, the application exits as expected. (before it continued until it was interrupted or killed). Issue: http://code.google.com/p/reaver-wps/issues/detail?id=195 2. Added an exhaustive option (--exhaustive, -X) which uses "set_p1(p1_index) + set_p1(p2_index)" instead of "set_p1(p1_index) + set_p2(p2_index)" to force covering all possible combinations. This ensures that the PIN is found even if it does not follow the "checksu
Jul 6, 2013
c.sala.stq
r2
Fork from http://reaver-wps.googlecode.com/svn/trunk/ revision 113
Jul 6, 2013
c.sala.stq
r1
Initial directory structure.
Jul 6, 2013
---

so it's not r3, but r8 !! Had no idea and nothing was ever said about that.

Now I'm having a stupid moment... How did I downloaded r3? I have it in my files as a .rar(which I compressed myself), but how do I DL r8 now to save it and keep that package as a .rar !??

ok nevermind i got it now *geez me and linux*


Reaver v1.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tact...

Wow so we have reaver 1.5 now. LOL can't stop progress.

and does deleting the .bin and start a new session with that AP solve that problem?
Mmmmmmm.... about which .bin file are you talking about?
If you're talking about the .run file no, deleting it doesn't solve the problem.

yes, .run i meant.

So it's a Bully problem and unless someone is willing to fork it and solve that prb, not sure how FS can help.

If you have ideas please share :)

I'm doing some searches about this issue (reported by other people as well), I'll let you know as soon as I'll have any answers.
In the meanwhile as I can't check it I'm curious to know if you'll find some improvements with reaver 1.5.

ok great!!

I've not tested reaver 1.5, but I'm very familiar with Carles's work(reaver fork r1-8) and reading the versions history(post 186 above) he basically solved reaver's problems, plus the 'floating point exception' problem that was induced in fork r3.

So in other words, we might not need to use Bully or reaver 1.3. That being said, more tools in the toolbox = more user options.

ok great!!

I've not tested reaver 1.5, but I'm very familiar with Carles's work(reaver fork r1-8) and reading the versions history(post 186 above) he basically solved reaver's problems, plus the 'floating point exception' problem that was induced in fork r3.

So in other words, we might not need to use Bully or reaver 1.3. That being said, more tools in the toolbox = more user options.

**** man, I'm getting more lost the more I read. LOL
So what versions of reaver do you what in FrankenScript?, and can you send me the versions you have please.

yes sorry, but that 1.5 version was unexpected.

We may not need reaver 1.3 or bully, but nothing as changed because the more tools we have (reaver 1.3, 1.4, 1.5, Bully) the more user choices. Plus we might see unexpected bugs rise with 1.5 on certain AP, where reaver 1.3 will save the day again.

In other words, put them all in. I want a world conquering arsenal [insert evil laugh here]

not sure what you want me to send you. If you can just include 1.3, 1.5, that would be good. Reaver 1.4 being already in Kali.



:cool:

Reaver 1.3
http://code.google.com/p/reaver-wps/downloads/list

Reaver 1.5 (r8)
https://code.google.com/p/reaver-wps-fork/

svn checkout http://reaver-wps-fork.googlecode.com/svn/trunk/ reaver-wps-fork-read-only then
reaver-wps-fork-read-only folder appeared in root. That's reaver 1.5


That's it really. Then we can look at the syntaxes later.

Hey guys!

Looks like a lot has been happening, I'll get a chance to work on some of that stuff you mentioned before starting tomorrow..

With all the work going on, I'll ask again if this could make it to Github, will certainly make it a lot easier so that Slim could just pull any changes he likes into the main project

Hi static!!

yes, i second that motion. That would also put an end to mirrorcreator.com

Do what you can. We all appreciate :cool:

Did some tests with Reaver 1.5 and no luck until now, same problem with repeated pins.
Tried even to update the kernel to 3.16, no changes.
After further investigation seems that I should see even M3 and M4 messages when I use Reaver and Bully, not only M1 and M2: if not, that should/could mean that the AP have the WPS on but pin is disabled or not defined, if so that AP is not vulnerable to WPS attack and it would explain why I always see the same pin repeated.
I'll reconfigure my test AP in order to verify.

http://www.kalilinux.net/community/threads/how-do-you-make-reaver-stop-repeating-same-pin-12345670.163/

the guy basically says to kill the PIDs(processes) "dhclient" "NetworkManager" "wpa_supplicant"

FS3 does that for you I believe if you choose to "kill processes" when asked in the routine. Right Slim?

If not then
airmon-ng start wlan0
Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2069 dhclient
2413 NetworkManager
3195 wpa_supplicant
kill 2069 && kill .....

Yes you should definitely get M1, M2, M3, M4 messages from the start.

http://www.kalilinux.net/community/threads/how-do-you-make-reaver-stop-repeating-same-pin-12345670.163/

the guy basically says to kill the PIDs(processes) "dhclient" "NetworkManager" "wpa_supplicant"

FS3 does that for you I believe if you choose to "kill processes" when asked in the routine. Right Slim?

If not then
airmon-ng start wlan0
kill 2069 && kill .....

Yes you should definitely get M1, M2, M3, M4 messages from the start.

Sorry for the late reply, been sooo busy.
Yeah FS3 can check and kill processes that might cause issue's while performing some attacks.

I was asking because i never use that option, but i see it in the routine all the time...

Whatyouworkinon friend?

I'm testing Reaverrrr 1.5 and so far I have no complains.

ok these are my reflections on Reaver/s and bully for options, and I will have to insist on the following :rolleyes:


Reaver 1.3, 1.4, 1.5 and Bully should have only one customizable option each, and that is

Reaver 1.3, 1.4, 1.5
reaver -i monX -c X -b XX:XX:XX:XX:XX:XX
Bully
bully monX -c X -b XX:XX:XX:XX:XX:XX

1. arguments are known to cause problems and should therefore be avoided.
2. arguments are a case to case basis and cannot be generalized.
3. a simple syntax offers a solid base to build on.
4. frankenscript already does most of the work and saves the user time, and eliminate human error by

a) monitor mode
b) spoofing
c) providing the user with the correct AP's MAC
d) providing the user with the correct channel
e) providing the user with the correct syntax
5. easy does it.

I could provide more points of why prefabricating more elaborated syntax is a really bad idea, but I will stop there, the above points being more than enough.

My only question would be:

- why would anyone launch an attack and not want to see the verbose( -vv, -v 3 ) ? Is it even realistically plausible that anyone would use any syntax without wanting to see what is going on ?

ok these are my reflections on Reaver/s and bully for options, and I will have to insist on the following :rolleyes:


Reaver 1.3, 1.4, 1.5 and Bully should have only one customizable option each, and that is

Reaver 1.3, 1.4, 1.5
reaver -i monX -c X -b XX:XX:XX:XX:XX:XX
Bully
bully monX -c X -b XX:XX:XX:XX:XX:XX

1. arguments are known to cause problems and should therefore be avoided.
2. arguments are a case to case basis and cannot be generalized.
3. a simple syntax offers a solid base to build on.
4. frankenscript already does most of the work and saves the user time, and eliminate human error by

a) monitor mode
b) spoofing
c) providing the user with the correct AP's MAC
d) providing the user with the correct channel
e) providing the user with the correct syntax
5. easy does it.

I could provide more points of why prefabricating more elaborated syntax is a really bad idea, but I will stop there, the above points being more than enough.

My only question would be:

- why would anyone launch an attack and not want to see the verbose( -vv, -v 3 ) ? Is it even realistically plausible that anyone would use any syntax without wanting to see what is going on ?

Check the reaver custom attack again and you notice it only uses the basic commands already, it's the same with bully except bully has -v 3 added.

I would like to do a survey to find out how many ppl do not use the full verbose. Not a big deal mind you to type in '-vv', but it will get redundant, especially(like I suspect) if everyone prefers full verbosity.

Another question. Since it is up to users to specify extra arguments, would it be pertinent for another window to open with the arguments list upon choosing Reaver or Bully? It would be slick and to the point, but some might find that extra window redundant if they do not need it?


So here are my questions to whomever:


Do you use full verbose when using Reaver(-vv) or Bully(-v 3)?

Would you like the arguments list to pop up when using Reaver(reaver) or Bully(bully)?

I would like to do a survey to find out how many ppl do not use the full verbose. Not a big deal mind you to type in '-vv', but it will get redundant, especially(like I suspect) if everyone prefers full verbosity.

Another question. Since it is up to users to specify extra arguments, would it be pertinent for another window to open with the arguments list upon choosing Reaver or Bully? It would be slick and to the point, but some might find that extra window redundant if they do not need it?


So here are my questions to whomever:


Do you use full verbose when using Reaver(-vv) or Bully(-v 3)?

Would you like the arguments list to pop up when using Reaver(reaver) or Bully(bully)?


verbose will be left out of the custom attacks, putting it in would limit the custom attack.
I like the idea about displaying the arguments, I'll definitley be adding it into FrankenScript. :-)

actually it is already -v 3 in Bully by default..

-v, --verbosity N : Verbosity level 1-3, 1 is quietest [3]no need to add the argument :p

and how would adding the '- vv' argument in Reaver limit the custom attack?

actually it is already -v 3 in Bully by default..
no need to add the argument :p

and how would adding the '- vv' argument in Reaver limit the custom attack?

I didn't mean it would limit the actual attack, I mean't maybe not everyone would want to see the output for whatever reason.
Its custom settings so you'll have to add whatever you want including the -vv. LOL

just to clarify post#201 above.

What I would like to see is, only one choice.

Reaver 1.3, 1.4, 1.5
reaver -i monX -c X -b XX:XX:XX:XX:XX:XX
Bully
bully monX -c X -b XX:XX:XX:XX:XX:XX

That single option is customizable(user input). In other words there would be only the custom settings, as anything else is not recommended, arguments being on a case to case basis. What do you think?

I think it's the way to go.

just created a github.

https://github.com/Quest33/new-toys-R-and-D-

it's going to be a learning process as I never used it before.

just created a github.

https://github.com/Quest33/new-toys-R-and-D-

it's going to be a learning process as I never used it before.

Hi Quest.

With all the respect those, can be founded useful to you:
http://readwrite.com/2013/09/30/understanding-github-a-journey-for-beginners-part-1
http://readwrite.com/2013/10/02/github-for-beginners-part-2
and this can help you to build a nice README.md file:
https://confluence.atlassian.com/display/STASH/Markdown+syntax+guide

If you want some help, please feel free to knock my door, but I don't thing that would be necessary. You will find your way!

Thanks!

actually if you could break it down?

1. open an account
2. download the software
3. ?
4. ...

The problem is that i cannot really try it myself. I'm not the maker of FS, I'm just the OC(official complainer), and I eat popcorn also...

Cheers!!

Thanks!

actually if you could break it down?

1. open an account
2. download the software
3. ?
4. ...

The problem is that i cannot really try it myself. I'm not the maker of FS, I'm just the OC(official complainer), and I eat popcorn also...

Cheers!!

Hey Quest,

It would normally go something like this...

Slim would upload his project to his own Github.

We would then fork his project to our own repo's.

I'd say "you know what would be good?! this thing which i'll write into the copy of Slims project stored in my repo". Slim can see that I made changes, if he likes the changes he can pull the code I changed into his project. I can also submit a pull request and say 'slim, I think these changes should be included because I fixed / changed x,y,z'

The github software is useful too. I use the windows version for my updates because it's more pretty. After I clone my repo using the github software (clone the repo to my local drive which is a fork of the repo i'm editing) I edit it with something like Geany or Notepad++.

When I finish my changes, the github software shows me the changes I have made and lets me save a comment against them like 'fixed typo in terminal shortcut for conky' and then I can commit my changes and they appear in my fork on github with the comment for all to see.

Hey friend! Understood.

From there FrankenScript.deb can be downloaded by anyone, without problems, ready to install? Or is it just a cloud based working platform? In other words could you upload a .deb ready to go?

I think i've finally gone crazy, I swear I saw some info in this thread regarding cowpatty and how to check for a valid handshake.
I've been through the thread a few times now and I still can't find it. :-(

nah you're just nuts. Page 16 post# 156. Part of my laundry list ;)

What would be cool also is way to cleanup a .cap, but the only way that I found was with WPAClean and it got serious issues. Wish someone would put it on the operating table, open it and fixit.

Cheers matey.

I got a couple of questions for you,

1) What output message do you get from cowpatty if the capture file is good?.
2) What output message do you get from cowpatty if the capture file is bad?.

good:

Collected all necessary data to mount crack against WPA/PSK passphrase.

bad:

End of pcap capture file, incomplete four-way handshake exchange. Try using a
different capture.

if anyone wants to reproduce the above..

1. place a good .cap in root

2. cowpatty -r Xxxxxx.cap -c
that will produce the "good" return message.

3. wpaclean Xxxxxx22.cap Xxxxxx.cap
that will messup the output .cap for sure.

4. cowpatty -r Xxxxxx22.cap -c
that will produce the "bad" return message.

if anyone wants to reproduce the above..

1. place a good .cap in root

2. cowpatty -r Xxxxxx.cap -c
that will produce the "good" return message.

3. wpaclean Xxxxxx22.cap Xxxxxx.cap
that will messup the output .cap for sure.

4. cowpatty -r Xxxxxx22.cap -c
that will produce the "bad" return message.

Cheers once again matey. :)

I've just tested cowpatty -r Xxxxxx.cap -c and wpaclean Xxxxxx22.cap Xxxxxx.cap, both appear to be working ok I think. LOL
Did you execute the commands in the correct order, wpaclean New.cap Old.cap.

yes they have it backwards so it's the out.cap in.cap last.

It's possible that wpaclean did not messup your out.cap. Keep trying with different .cap and you will see the problem with that app.

can you look at this please? http://www.exploresecurity.com/william-wpawpa2-4-way-handshake-extraction-script/

I will try it.


very interesting:


root@kali:~# cd /root && ./william.sh Xxxx222.cap Xxxx11.cap
Mode=REVERSE m=1 (second message) n=1 (first message) ignoring duplicates
Using packet 4 as second EAPOL packet
BSSID is 38:60:77:xx:xx:xx
TKIP network identified
Client station is 94:eb:cd:xx:xx:xx
Determined SSID from beacon frame (packet number 1)
The SSID is XXXXXX
There are 1 first messages before the chosen second message
Using packet 2 as first EAPOL packet
Writing packets to Xxxx222.cap
Deleting temp files
Now run "aircrack-ng Xxxx222.cap -w <dictionary_file>"

root@kali:~# pyrit -r Xxxx222.cap analyze
ERROR: could not insert 'nvidia': No such device
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'Xxxx222.cap' (1/1)...
Parsed 3 packets (3 802.11-packets), got 1 AP(s)

#1: AccessPoint 38:60:77:xx:xx:xx ('XXXXXX'):
#1: Station 94:eb:cd:xx:xx:xx, 1 handshake(s):
#1: HMAC_MD5_RC4, bad, spread 1

root@kali:~# cowpatty -r Xxxx222.cap -c
cowpatty 4.6 - WPA-PSK dictionary attack. <[email protected]>

Collected all necessary data to mount crack against WPA/PSK passphrase.
root@kali:~#

now pyrit and cowpatty don't agree on the output.cap file generated by william.

can you look at this please? http://www.exploresecurity.com/william-wpawpa2-4-way-handshake-extraction-script/

I will try it.


very interesting:


root@kali:~# cd /root && ./william.sh Xxxx222.cap Xxxx11.cap
Mode=REVERSE m=1 (second message) n=1 (first message) ignoring duplicates
Using packet 4 as second EAPOL packet
BSSID is 38:60:77:xx:xx:xx
TKIP network identified
Client station is 94:eb:cd:xx:xx:xx
Determined SSID from beacon frame (packet number 1)
The SSID is XXXXXX
There are 1 first messages before the chosen second message
Using packet 2 as first EAPOL packet
Writing packets to Xxxx222.cap
Deleting temp files
Now run "aircrack-ng Xxxx222.cap -w <dictionary_file>"

root@kali:~# pyrit -r Xxxx222.cap analyze
ERROR: could not insert 'nvidia': No such device
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'Xxxx222.cap' (1/1)...
Parsed 3 packets (3 802.11-packets), got 1 AP(s)

#1: AccessPoint 38:60:77:xx:xx:xx ('XXXXXX'):
#1: Station 94:eb:cd:xx:xx:xx, 1 handshake(s):
#1: HMAC_MD5_RC4, bad, spread 1

root@kali:~# cowpatty -r Xxxx222.cap -c
cowpatty 4.6 - WPA-PSK dictionary attack. <[email protected]>

Collected all necessary data to mount crack against WPA/PSK passphrase.
root@kali:~#

now pyrit and cowpatty don't agree on the output.cap file generated by william.

Are you just trying to clean and convert the .cap file for use with hashcat, if so is it absolutely necessary to clean the .cap file before converting it?.

Are you just trying to clean and convert the .cap file for use with hashcat, ...
no, that is not necessary. The cleanup is an independent step/option.



... if so is it absolutely necessary to clean the .cap file before converting it?.
no, just makes sense to remove excess data from a .cap, though I'm not sure how that translate in real life. One of the effect excess data has, is that the program won't find the passphrase.

I would definitely include william.sh as an option to clean captured handshakes.

[1] Verify a captured handshake file.
[1] pyrit
[2] cowpatty


[2] Generate a clean version of a captured handshake file.
[1] william

Packaging

the '( )' should not be used when creating a .deb in the file name because it won't install.


Invoke

fs3.sh, is version specific(3). I do not have to type in wifitev82 when invoking Wifite. fs.sh would be more time proof.
Popup arguments list upon invoking Reaver or Bully to help users build their syntax.



Scans

it is counter-intuitive to click on the first window and press [Enter] to stop airodump or wash. [Ctrl]+[c] should be allowed to stop the process in the second window, and that would return the 'Enter' in the first window.
when selecting a target, identify the router make&model based upon MAC would save me time when testing.
http://anonsvn.wireshark.org/wireshark/trunk/manuf

Features

Script Launcher.., that was useful.
verify a .cap option separately would be useful also. cowpatty -r Xxxxxxx.cap -c , pyrit -r Xxxxxxx.cap analyze
Clean a captured handshake as an option with william.sh
Reaver 1.3
Reaver 1.5
cuda/ocl/Hashcat


Modifications:

Only one customizable option (1 syntax) for Reaver and Bully, for reasons expressed in post #201 page 21.
https://forums.kali.org/showthread.php?22087-Howto-frankenScript&p=38851&viewfull=1#post38851




:D

Just registered to say thank you toSlim for coding Frankenscipt!

It's awesome that someone is still improving on reaver and WPS vulnerabilities. The script has made things much faster and easier. I do have a few suggestions for improvement:

1) I would like to second the idea to add syntax lists for Reaver and Bully. Most of them i've memorized but i still have to refer to my "cheat sheet" on occasion.

2) Also, I would like to see a way to save custom syntax in either a list, or in association with a specific ESSID. For instance, I commonly use -vv -N -T -d 3 on a couple of my routers where basic settings will not work. I have to use trial and error to find the best syntax strings and usually write them down in a notebook. It would be nice to be able to save them.

3) Is there any way to automate the trial and error process based on Reaver output? Say I get a rate limit lockout, and the scipt adds -L to try and ignore the lockout which sometimes works. Or, sets a high -d X number and works down to determine the ideal time between pin attempts or number of pin attempts that trigger a lockout? There are alot of ways to go with this and I'm sure some more experianced users could weigh in on how they addapt their syntax for certain situations.

4) Add options for flooding the router for a reset. Currently I scan AP's using wash in Frankenscript, then hop over to a script called AP-Fucker and use the Destruction Mode to attempt to reset the AP. This sometimes works.

5) I don't know if it's been discussed but there is another way to determine the default pin on some d-link routers discovered by the same guy who created Reaver. Check it out on his blog here. (http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/#more-2249) His blog has a lot of good ino on router vulnerabilities.

That's all I can think of for now. Thanks again Slim!

Hello L0vecore,

1) yes that will most likely be added.

2) good idea!

3) FS does not have artificial intelligence. I do see, like you, the potential for that, eventually.

4) something similar was added at one point but was taken out.

5) no, but yes (probly the most ambiguous answer ever)

Thanks man ;)

Just registered to say thank you toSlim for coding Frankenscipt!

It's awesome that someone is still improving on reaver and WPS vulnerabilities. The script has made things much faster and easier. I do have a few suggestions for improvement:

1) I would like to second the idea to add syntax lists for Reaver and Bully. Most of them i've memorized but i still have to refer to my "cheat sheet" on occasion.

2) Also, I would like to see a way to save custom syntax in either a list, or in association with a specific ESSID. For instance, I commonly use -vv -N -T -d 3 on a couple of my routers where basic settings will not work. I have to use trial and error to find the best syntax strings and usually write them down in a notebook. It would be nice to be able to save them.

3) Is there any way to automate the trial and error process based on Reaver output? Say I get a rate limit lockout, and the scipt adds -L to try and ignore the lockout which sometimes works. Or, sets a high -d X number and works down to determine the ideal time between pin attempts or number of pin attempts that trigger a lockout? There are alot of ways to go with this and I'm sure some more experianced users could weigh in on how they addapt their syntax for certain situations.

4) Add options for flooding the router for a reset. Currently I scan AP's using wash in Frankenscript, then hop over to a script called AP-Fucker and use the Destruction Mode to attempt to reset the AP. This sometimes works.

5) I don't know if it's been discussed but there is another way to determine the default pin on some d-link routers discovered by the same guy who created Reaver. Check it out on his blog here. (http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/#more-2249) His blog has a lot of good ino on router vulnerabilities.

That's all I can think of for now. Thanks again Slim!

You're welcome mate.
Cheers for the suggestions.

Questions 1-3, I'll try to include them in frankenscript at some point in time.
Question 4, I doubt I'll be adding that option again.
Question 5, I'm not good at scripting or coding but if someone scripts it then I'll add it. :-)

@ Quest

I decided to setup and configure my Nvidia graphics along with cuda and cudahashcat, so I should be adding cudahashcat to frankenscript very soon. :-)

Sorry that i ask here, but if it's possible someone to modified revdk3 script to work with bully ?

Hi WaLkZ!

yup, definitely the wrong place to post that request. revdk3 is made by repzeroworld, and he has an account over at https://forums.hak5.org/index.php?/topic/32494-reaver-ap-rate-limiting-detected-and-automatic-mdk3-solution/ and someone overthere already asked that question in post# 18.

Good luck!

To uninstall/remove the previous FrankenScript type: dpkg -r FrankenScript_v3.1 or dpkg -r fs3

Updated FrankenScript (9-10-14).
Fixed the uninstall problem.
Fixed location paths.

Download Link:
http://mir.cr/DHEDYWHS
[/B]
apologies if this was addressed, but I couldn't find the info.

Getting a The captured handshake is bad, the file will be deleted. error with this linked above version.
Is there a later version of FS3?

p.s.
Great tool guys.

Cheers.

Hi wn722,

- yes you have the latest version.

- it's normal to have the "The captured handshake is bad, the file will be deleted" message if the cap file is not workable. If you keep having bad caps all the time, without a good one ever, then something is definitely out-of-wak.

what constitutes a bad handshake?
I'm testing it with my own wifi and the old scripty method with aireplay and airodump works fine.

FS uses pyrit to verify cap files, so if you have a cap file you could try and verify it just to see if it a workable cap file..

cap file in Home >
cowpatty -r Xxxxxxx.cap -c

Edit: oopss


pyrit -r Xxxxxxx.cap analyze

can't install sccript "GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._pk _5ftransaction_5ferror.Code4: SimulateInstallFiles not supported by backend"

FS uses pyrit to verify cap files, so if you have a cap file you could try and verify it just to see if it a workable cap file..

cap file in Home >
cowpatty -r Xxxxxxx.cap -c

Edit: oopss


pyrit -r Xxxxxxx.cap analyze

Thank you fir this script.. trying it out now with bully. Just curious, whats your success ratio out of the two, Reaver and Bully. In the past I've been successful with reaver but just got back into this, and giving Bully a first time try. So far so good against my Motorola Router, though it throws the AP lock warning every 3 pins or so :/


can't install sccript "GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._pk _5ftransaction_5ferror.Code4: SimulateInstallFiles not supported by backend"

Jerry, use dpkg -i <path to the deb> that should do it.

Literally just sat here and read through all 24 pages. Thank you all Slim, Quest, and others who has updated this script. Im using it with Bully now, but as I just got done reading the last few pages, looks like Reaver v1.5 is addeed? lol shiiiet, if Bully fails i'll give it a try.. May I ask, why the option to reset the AP for WPS lock was taken out? Hope ya'll had a great christmas and Happy Holidays!

hmm.. cant get reaver to work properly, it just gets stuck on the same PIN. I noticed its running reaver 1.4. How do I force it to run 1.5? Bully surprisingly works better than when I run it manually w/out FS3.

hmm.. cant get reaver to work properly, it just gets stuck on the same PIN. I noticed its running reaver 1.4. How do I force it to run 1.5? Bully surprisingly works better than when I run it manually w/out FS3.

Ho ho ho, Merry Christmas to all. :-)

The version of FrankenScript you're using doesn't contain Reaver 1.5, you would need to uninstall Reaver 1.4 from kali and then install Reaver 1.5 if you wish to use Reaver 1.5.


I've nearly finished the latest version of FrankenScript, I hope to have it finished and uploaded within a few days to a week.

Changes I've made to FrankenScript:

Changed menu's and options.
Made changes to all of the attacks.
Added custom configuration options (custom options will remain set until changed or deleted).
Added show router information (if available).
Added a previously cracked networks check to the displayed scan results, (Cracked networks are displayed in red, uncracked networks are displayed in white).
Added other versions of reaver (They can be used without installing to kali).
Added custom arguments options for reaver and bully (Custom commands can be stored and selected).
Added another wps default pin generator (pingen.py).

Hi Slim! Great, looking forward to the new release =]


Literally just sat here and read through all 24 pages. Thank you all Slim, Quest, and others who has updated this script. Im using it with Bully now, but as I just got done reading the last few pages, looks like Reaver v1.5 is addeed? lol shiiiet, if Bully fails i'll give it a try.. May I ask, why the option to reset the AP for WPS lock was taken out? Hope ya'll had a great christmas and Happy Holidays! Hi Coupee36! The option to reset APs was dropped because it would be like, potentially, giving machine guns to monkeys. That is my understanding. FS is designed to facilitate operations and save the operator time, but that ease of use can also cause problems if not used properly. That is my explanation.

Happy Yule!

Hi Slim! Great, looking forward to the new release =]

Hi Coupee36! The option to reset APs was dropped because it would be like, potentially, giving machine guns to monkeys. That is my understanding. FS is designed to facilitate operations and save the operator time, but that ease of use can also cause problems if not used properly. That is my explanation.

Happy Yule!

That's exactly the reason, well said matey. :-)

Ho ho ho, Merry Christmas to all. :-)

The version of FrankenScript you're using doesn't contain Reaver 1.5, you would need to uninstall Reaver 1.4 from kali and then install Reaver 1.5 if you wish to use Reaver 1.5.


I've nearly finished the latest version of FrankenScript, I hope to have it finished and uploaded within a few days to a week.

Changes I've made to FrankenScript:

Changed menu's and options.
Made changes to all of the attacks.
Added custom configuration options (custom options will remain set until changed or deleted).
Added show router information (if available).
Added a previously cracked networks check to the displayed scan results, (Cracked networks are displayed in red, uncracked networks are displayed in white).
Added other versions of reaver (They can be used without installing to kali).
Added custom arguments options for reaver and bully (Custom commands can be stored and selected).
Added another wps default pin generator (pingen.py).

Hi Slim, thanks for the updates. :) Cant wait for the next release. In the meantime i"ll try the current script with Reaver 1.5.


Hi Slim! Great, looking forward to the new release =]

Hi Coupee36! The option to reset APs was dropped because it would be like, potentially, giving machine guns to monkeys. That is my understanding. FS is designed to facilitate operations and save the operator time, but that ease of use can also cause problems if not used properly. That is my explanation.

Happy Yule!

Hey Quest, makes sense :),

On a side note.. what method is FrankenScript using to spoof the Mac Address? Not sure if anyone has seen this before in Kali, but macchanger doesnt work that well for me when it comes to mac spoofing. Though it says it has changed the MAC address and ifconfig displays the spoof address, but when I connect to my WIFI and run a simple IP scan, the permanent MAC address still comes up. I have found using ifconfig <int> hw ether <mac> after taking down the wlan0 int works the best and truly the MAC address is spoofed when an internal IP scan is performed on the network.

Have a great weekend all!

for what its worth.. this is the custom Reaver command I use that has decent success rate with modern AP's.

reaver -i mon0 -vv -b <bbsid> -d 15 -r 3:15 -T .5

good for you if you have found a steady formula! I find that preconceived syntax, are like wearing someone else underwear... Not only are they on a case-to-case basis, arguments are known to cause problems in some some weird and unexpected ways. That being said you bring up an interesting point
...with modern AP's.

We did have long debates about what prefabricated formulas should be included, and I think that


...
Added custom arguments options for reaver and bully (Custom commands can be stored and selected).
will solve it for all.

Clever move :D

good for you if you have found a steady formula! I find that preconceived syntax, are like wearing someone else underwear... Not only are they on a case-to-case basis, arguments are known to cause problems in some some weird and unexpected ways. That being said you bring up an interesting point

We did have long debates about what prefabricated formulas should be included, and I think that
will solve it for all.

Clever move :D

yup.. can't wait for next release.

That looks interesting...
https://forums.kali.org/showthread.php?23290-Implement-new-WPS-Pixie-Dust-Attack-into-Reaver&p=40956&viewfull=1#post40956

from the included help file..

...

The breakthrough came when MTeams turned their attention to WPS locked routers. It was soon discovered that a small number of WPS pins could be collected from some routers which wash and reaver reported as locked. Presumably no one was spending time attacking locked routers. After more testing, it was found that if these same WPS locked routers were subjected to short bursts of a mdk3 combination simultaneously, usually a mixture of DDOS and EAPOL, then the router would allow further pins to be harvested. In these cases the router did not reset, the WPS locking mechanism remained in place and sometimes the router changed channels. But what was important here was that more WPS pins could be collected. These routers would eventually stop providing pins, BUT if subjected to another dose of mdk3, the router would supply another batch of pins.

...

That looks interesting also...
https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-%28Offline-WPS-Attack%29

... and this...


After almost two years of public development (and another year behind the scenes), we are proud to announce our first point release of Kali Linux – version 1.1.0.

;)

is FS still a live project?
I got the latest version and it keeps spitting out the WPA handshakes - cause they are BAD


Parsing file '/usr/share/FS3/Temp_Working_Dirctory/Deauthenticate_a_client_6466B3C2552F/psk-01.cap' (1/1)...
Traceback (most recent call last):
File "/usr/bin/pyrit", line 6, in <module>
pyrit_cli.Pyrit_CLI().initFromArgv()
File "/usr/lib/pymodules/python2.7/pyrit_cli.py", line 115, in initFromArgv
func(self, **options)
File "/usr/lib/pymodules/python2.7/pyrit_cli.py", line 163, in new_f
f(*args, **kwds)
File "/usr/lib/pymodules/python2.7/pyrit_cli.py", line 478, in stripCapture
parser = self._getParser(capturefile)
File "/usr/lib/pymodules/python2.7/pyrit_cli.py", line 179, in _getParser
parser.parse_pcapdevice(dev)
File "/usr/lib/pymodules/python2.7/cpyrit/pckttools.py", line 600, in parse_pcapdevice
for pckt in reader:
File "/usr/lib/pymodules/python2.7/cpyrit/pckttools.py", line 500, in next
pckt = self.read()
File "/usr/lib/pymodules/python2.7/cpyrit/pckttools.py", line 488, in read
r = _cpyrit_cpu.PcapDevice.read(self)
IOError: libpcap-error while reading: truncated dump file; tried to read 1542 captured bytes, only got 1399
No file found that matches '/usr/share/FS3/Temp_Working_Dirctory/Deauthenticate_a_client_6466B3C2552F/Stripped.cap'
The captured handshake is bad, the file will be deleted.

Hi wn722,

I believe it is. Slim must be busy and/or waiting for new and better toys to make another version.

Please state your version of Kali. There might(?) be a greater problem that has nothing to do with FS.. https://forums.kali.org/showthread.php?24701-Problem-with-capturing-handshake-with-new-version-of-Kali

I do believe we have the same setup. Kali 1.1.0a / TP-LINK TL-WN722N. It is difficult to cap a good handshake. Make sure when attempting handshakes that you choose the option to "kill all process" in FS. That helps. Try that and report back please, I would like to see that situation solved.

hey Quest
ya, I'm running

cat /etc/issue
Kali GNU/Linux 1.1.0 \n \l


JUST upgraded and it's working now...