VMR-MDK-K2-011x8.sh for Kali2.0



mmusket33
2015-09-08, 23:33
MTeams did a series of tests with Datahost. If you use linux to download the files as posted, the normal zip file is received. If, however, you download thru XP or possibly other windows based systems, datahost loads a small .exe file in zip format instead.

We have seen this thru other filehosting sites.

Until MTeams can move their files to alternative locations, we suggest downloading thru linux only.

Included in the VMR-MDK package

1. mdk3-v6 folder
2. configfiledetailed for reference only
3. Help Files
4. PDDSA-K2-06.sh
5. VMR-MDK-K2-2016R-011x9.sh

For Kali 1.10a

Loaded 10 March 2016
Download VMR-MDK011x8 package at:

https://github.com/musket33/musketteams

For kali 2.0 and 2016.1R

You can download VMR-MDK-K2-2016R-011x9.zip package at

Loaded 10 March 2016

https://github.com/musket33/VMR-MDK-Kali2-Kali2016


Added 6 July 2017

Musket Teams have released VMR-MDK-K2-2017R-012x2 for Kali 2, 2016, 2017 and all versions of reaver

The aireplay-ng fake auth has been made regenerative.
Several bugs have been corrected, some thanks to dmatrix.
Comments requested by kcdtv have been added.
Script tested in both persistent usb installs and harddrive installs for reaver 1.52 and 1.53 and kali 2016 and 2017 using i386.
Expect the mac changing routines to be slowed. This is to support wifi receivers at the end of five(5) meter extension cables which is the max length allowed.

We do not support VMware and amd or persistent usb installs using luks encryption as we cannot test.

You can download at:

https://github.com/musket33/VMR-MDK-Kali2-Kali2016/blob/master/VMR-MDK-K2-2017R-012x2.zip

or

http://www.datafilehost.com/d/76c80a9d

Added 12 Jan 2018

VMR-MDK-K2-2017R-012x4.zip package has been posted for community use.

Supports kali-linux 2.0 thru 2017.3

Supports text output from reaver v1.52 and v1.63 for pixiewps

A new PDDSA for reaver v1.63 is found within the package along with the older version

You can download at:

https://github.com/musket33/VMR-MDK-Kali2-Kali2016

Select VMR-MDK-K2-2017R-012x4.zip from versions available

or

https://www.datafilehost.com/d/6a49f214

pamamolf
2015-09-09, 18:40
More info for it?

mmusket33
2015-09-10, 02:00
To Pamamolf

This program attempts to circumvent WPS locking. MTeams suggests you download the package and read thru the help files enclosed within the zip. After you read thru these help files, any technical questions, bugs or further help will be provided.

MTeams

markrenton
2015-09-12, 17:18
Using MTeams version, Kali 1.10 amd64, everything configured as Help file provided.

This is the situation: yesterday, reaver made 0.15%.
Today, and I'm talking about 9-10 hours of activity, the "progression" still remains at 0.15%, and this is the situation:

http://i59.tinypic.com/302vzua.png

Could anyone help me, or at least tell me why I've got this problem?
Thank you in advance, hoping for an answer.

mmusket33
2015-09-13, 01:00
Dear Mark,

The fact that you have gotten 15% of the pins tells us the router is vulnerable to this approach. You have probably just locked up the firmware so stop the attack and try again 24 hours later. Once you start collecting pins again increase the pause/wash scan time so that you give the router more time to recover. Reduce the DDOS/MDK3 time to the bare minimum necessary to collect pins. Set the retest first pin to 50.

Try the attack once a day till pin collection starts again.

Keep in mind that this attack approach takes time and is slow. Do not try and rush the attack or overwhelm the firmware thru long doses of DDOS/MDK3. Usually a short burst of DDOS 15 to 20 sec works better. You will have to find the right mix with respect to time of reaver, DDOS and pause to keep pin harvesting progressing. Each router, even the same make/model and firmware, reacts differently. This is why a config file is used. You can change the setting and test while the program is running.

MTeams

markrenton
2015-09-13, 07:54
Thank you for your answer! I will try. Thank you for your time. I will keep you in the loop!

element72
2015-09-14, 04:18
Thanks for all your hard work musket team. A couple days ago I just got into pentesting out of curiosity. I want to know if it is possible to customize the reaver command line in the script, because I can "sometimes" crack 1 or 2 of my routers with tweaked settings (without your script). I found out my router doesn't like the -S argument in reaver. At least that's what my little testing showed. Furthermore, I can't seem to crack my old router without providing the pin manually. Can you tell me where I should direct my questions on successfully cracking my old Asus router?

mmusket33
2015-09-15, 01:16
To element72

The VMR-MDK series are scripts designed to harvest pins from WPS locked routers. It is just a tool and does not replace the reaver command line. The config file allows you to remove the -S and adjust other variables. If you do not need to DDOS the router to collect pins or you do not see the need to change the mac constantly or have reaver stop and restart then just use the command line.

If you have a little understanding of Eterm and bash coding you can easily change the reaver output of a specific command line in VMR-MDK or if you send us what you want we will change a specific command line for you and post it.

However just play around with the variables in the reaver command line in a terminal window until you get the router to respond to reaver.

MTeams

muju821
2015-09-16, 14:58
Please make a video... so beginners like me can understand faster... thanks for your efforts..

ganch0
2015-11-02, 16:10
Yes, a video would be great! Seems really interesting!

haken29a
2015-11-02, 18:43
Be sure to follow the rules for videos if you want to make sure it's accepted ;)

Noobkin187
2015-11-07, 04:24
muju821 & ganch0

What would you like the video to be of? I have found that there really is not a foolproof cover-all, you have to trial and error each router. The script they released works well but you will have to change settings of the script sometimes. Which the script itself and the help files that come with it do a great job of explaining. What would you like to see in the video?

mmusket33
2015-11-07, 11:19
To Noobkin187

For clarity - MTeams do not do videos. However we have no objections to others making them. We release these programs for the community to do with as they wish.

Musket Teams

nexusnexus
2015-11-15, 00:44
just installed this on kali 2 and it seems a great script, looking forward to future releases from Musket Team :-)

Pippin
2015-11-15, 18:57
The script itself is great, two questions though. If dh-small is selected is it persistent through to pixiewps? i.e. it needs enabling in both.

Is it possible to include the -C switch in the wash command as a norm? I have found where in the script it needs to be added (not bad for a non-programmer idiot) but as it would not affect those that don't get the error it would help those that do.

mmusket33
2015-11-16, 09:34
The -dhsmall matter versus pixiedust versus brute forcing WPS locked routers is addressed in the help file. Note if you retest 12345670 every X cycles reaver checks this pin with no --dhsmall thus sending complete Pixiedust data sequences for pixie1.1 to test. It also writes the session to a different file and folder so the brute force sequences are not upset. Again read the help files this matter is addressed there in detail.

We have never had any problems that require -C except when the wifi device did not support packet injection.

Scolder
2015-12-19, 01:01
Adding -C to wash should be coded by default to help the program run smoothly in case of any potential fcs errors. I sometimes get them and I edited the script to include it and then everything worked fine.

P.S. my device supports packet injection.

mmusket33
2015-12-19, 10:59
To Scolder

Thanx

Your comment on packet injection is all we require. MTeams will add this option in the next release.

There is a bug in the awk module which prints the WPA key, if found, on the screen when the program terminates.

If the WPA key includes a space or spaces the screen will show only the first part of the WPA key sequence before the first space.

The path to the log file from which this key was read is also shown so cross reference this file anytime a key is found.

MTeams
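
The truncation described in the post above, as an added example that is not part of the VMR-MDK script or any MTeams code: a whitespace-split awk extractor that loses everything after the first space in the key, beside an extractor that keeps the whole quoted value. The "[+] WPA PSK: '...'" log line format and the sample log are constructed assumptions.

```bash
#!/bin/bash
# Added example, not taken from the VMR-MDK script. It reproduces the bug
# described above: awk splits each line on whitespace, so a key that
# contains spaces is cut off at the first space. The "[+] WPA PSK: '...'"
# line format is an assumption about the log being parsed.

# Buggy extractor: prints only the 4th whitespace-separated field, so
# "[+] WPA PSK: 'correct horse battery staple'" yields just "correct".
extract_key_buggy() {
    grep 'WPA PSK' "$1" | awk '{print $4}' | tr -d "'"
}

# Fixed extractor: anchor on the label and keep everything between the
# outer quotes, so embedded spaces survive intact.
extract_key_fixed() {
    grep 'WPA PSK' "$1" | sed -n "s/.*WPA PSK: '\(.*\)'.*/\1/p"
}

# Constructed sample log (not real captured output) for a dry run.
write_sample_log() {
    cat > "$1" <<'EOF'
[+] WPS PIN: '12345670'
[+] WPA PSK: 'correct horse battery staple'
[+] AP SSID: 'ConstructedTestNet'
EOF
}

# Run both extractors against the sample so the difference is visible.
demo() {
    local log
    log=$(mktemp)
    write_sample_log "$log"
    echo "buggy: $(extract_key_buggy "$log")"
    echo "fixed: $(extract_key_fixed "$log")"
    rm -f "$log"
}

demo
```

The same pitfall applies to any parser that splits on whitespace and keeps one field; always cross-check against the log file path the script prints, as the post advises.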

Scolder
2015-12-20, 00:42
> To Scolder
>
> Thanx
>
> Your comment on packet injection is all we require. MTeams will add this option in the next release
>
> There is a bug in the awk module which prints the WPA key if found on the screen when the program terminates
>
> If the WPA key includes a space or spaces the screen will show only the first part of the WPA key sequence before the first space.
>
> The path to the log file from which this key was read is also shown so cross reference this file anytime a key is found.
>
> MTeams


Sweet!

I will definitely be on the lookout for this bug.

Thanks for sharing this awesome script.

muju821
2015-12-24, 08:05
I want to adjust reaver live time. I changed it in the config file also but still it runs for 90 seconds.. how to reduce it.. please help...

Whatever I change, it runs for 90 seconds.. and WPS gets locked in 90 seconds. That's why I want to reduce reaver live time to 10 or 15 seconds.

mmusket33
2015-12-24, 13:02
MTeams tested both the kali1.10 and kali 2.0 versions of VMR-MDK. We set the reaver live time to 30 seconds in both cases.

We think the problem is Config File item 21 Retest pin 12345670. Turn the retest feature OFF by selecting n/N. The program will then skip this feature which has a default value of 90 seconds and go straight to the time set in the config file.

Set Item 5 to the reaver live time required

Set Item 21 Retest pin 12345670 to n/N

You ??may?? find just setting the -r x:y in a reaver command line from the terminal window to -r 3:90 as an example OR using MTeams varmacscan2-8.sh a better approach in your case. You need to slow down pin collection.

Musket Teams

muju821
2015-12-24, 14:21
thank you so much for quick reply.. i will try this tonight as suggested.. thks again.

muju821
2015-12-25, 07:43
it works, thanks. After adjusting item 21 I am able to reduce reaver live time. I reduced it to 5 sec but it still locked the router.. what to do..??

mmusket33
2015-12-25, 12:33
The info you provided was not very specific so bear with us.

1. How long does the router stay locked?

If you are not sure, run reaver with the -l --lock-delay=100 and let it run. Some routers unlock after 6,000 seconds; just count the number of times reaver attempted to collect pins before a success and multiply by 100. Then set your -l below that number and slowly collect pins.

VMR-MDK is designed to attack locked WPS systems. Read the help files and see if the router has the flaw outlined in these files.

MTeams

muju821
2015-12-30, 13:57
thanks for reply...
Dear one more suggestion required.. what's the best MDK3 attack combination i need to select from 1 to 14...

mmusket33
2015-12-31, 11:39
To muju821

You should read carefully thru the help files enclosed with the VMR-MDK package. MTeams use choice 1, 3, 4 and 14 a lot. You simply need to test the router. This approach does not work on all routers. Again read the help files and pay attention to what the program is attempting to accomplish and what results are being obtained.


MTeams

mmusket33
2016-01-25, 02:48
VMR-MDK was rewritten to accept both Kali 2.0 and Kali 2016.1Rolling.

You can download VMR-MDK-K2-2016R-011x9.zip package at

http://www.datafilehost.com/d/fd192b6d

Musket Teams

Chunkingz
2016-01-27, 14:08
I have to say Dat dis is a very smart script a very big thank you to musketTeams and every oda person Dat contributed one way or the other to the project. It works like a charm.

nexusnexus
2016-01-27, 15:22
Would this run on kali nethunter on my galaxy s5 out of interest?

bob79
2016-01-27, 21:08
Had to add the -C to wash. If not, I had to insert the info manually. Great job btw

Troll
2016-01-28, 04:20
Hello, mmusket33 and thanks for your tool, sometimes work fine and sometimes failed. :)

I try to reset a TP-link and this time mdk failed, maybe I did something wrong.. this is the reason why I write you.
router MAC address starts with 30:B5:C3

any suggestion, how to reset?!

mmusket33
2016-01-28, 12:37
To Troll

As we indicate in the help files, this approach works with a small subset of routers. The tests for effectiveness are outlined there. You probably have done nothing wrong.

The VMR-MDK approach is not meant to actually reset the router. In fact short bursts of mdk3 combinations 15 to 30 sec in length seem to work better than subjecting the router to long exposure to mdk3.

There are other paths you can take. Try our varmacscan2-8. It is a robotic script. Just start it before you leave your computer and let it run. Everything is automatic. If you are using 2016 you will have to wait a few days. We have a working lab variant being currently tested. If there are no major bugs it will be out in a week.

You can try ReVdk3. We have no experience with this script and are unsure if it works with kali 2.0 or 2016.

Musket Teams

Chunkingz
2016-02-04, 03:10
please is there a way to resume your session, i ran the script for the first time and chose 10 loops then decided to continue with 10000 loops, after the 10 was finished, but it started from beginning again, please how can i make it continue every time i re-run it.

mmusket33
2016-02-04, 06:49
To Chunkingz

MTeams is unsure what you mean by starting from the beginning again.

VMR-MDK is an administrative program. It runs several divergent processes, primarily wash - reaver - mdk3, in a sequence. The cycles you loaded are simply the number of times you want to cycle thru the four stages.

If you are talking about pin counts, reaver in the default setup checks for pin 12345670 every 10 cycles, so between cycle 1 and 10 reaver will run a brute force attack. Any keys checked, i.e. your pin count, are stored by reaver as the two reaver attack types are run as different sessions.

If this does not help then outline in greater detail exactly what is starting from the beginning.

MTeams

Chunkingz
2016-02-06, 10:09
Am sorry I didn't make the question quite clear, we'll anyways never mind. I have completed the hack. Woke up dis morning and found vmr had gotten my neighbors wps pin and d wpa pass. Tnx once again. I really appreciate.

Chunkingz
2016-02-06, 10:14
What's left now is post exploitation, I dunno where to go from here, well one tin I noticed I logged Into the router with the default username and password, I tried restoring d wps pin to default but it seems like the router restarts or sumfin and den tells me I do not have permission to change the wps pin. Any ideas?? Tnx once again.

Chunkingz
2016-03-03, 17:33
hey fellas i made a screencast, hope u enjoy and understand it.
please like, share and subscribe.

Search YouTube for "how to use vmr-mdk to hack wps locked wireless routers on kali linux "

or better still youtube[dot]com/y3ByYdVJFqg

soxrok2212
2016-03-03, 21:48
> hey fellas i made a screencast, hope u enjoy and understand it.
> please like, share and subscribe.


Youtube links are not allowed, if you don't remove it you will get a notification from an Admin and it will be removed, just saying.

Quest
2016-03-03, 23:00
a notification!? What about tar and feathers?


> Am sorry I didn't make the question quite clear, we'll anyways never mind. I have completed the hack. Woke up dis morning and found vmr had gotten my neighbors wps pin and d wpa pass. Tnx once again. I really appreciate.

- Did he just admit to hacking his neighbors?

- Triple posting!? Even I never did that (and now jealous)!!!

- and a Youtube video, and all that in the same thread.

Just wow, and welcome Chunkingz ;)

Chunkingz
2016-03-04, 10:07
am very new here, so i barely know the rules tnx for the heads up, anyways if youtube links are not allowed how do i share the video?or what other kind of links are accepted

Chunkingz
2016-03-04, 10:10
> a notification!? What about tar and feathers?
>
> - Did he just admit to hacking his neighbors?
>
> - Triple posting!? Even I never did that (and now jealous)!!!
>
> - and a Youtube video, and all that in the same thread.
>
> Just wow, and welcome Chunkingz ;)

thanks bro, however you shouldn't do the same tho, u could get caught . ;)

Quest
2016-03-04, 12:55
actually I think I've already triple posted somewhere here.


> am very new here, so i barely know the rules tnx for the heads up, anyways if youtube links are not allowed how do i share the video?or what other kind of links are accepted

You could edit post #37, remove the link, and just state that you have made a video on YT with the name of the video, without a link. That will achieve the same result.

moslondon
2016-03-04, 17:01
Hi everyone I'm new to kali and new to this script, I tried this script yesterday and got a pin number of a network but right after that reaver kept showing "Failed to associate with ..."; one hour later I closed it and ran reaver with that pin number but reaver kept showing the same message. Today is the same thing; I wrote down the bssid because wash does not detect it. The wifi on my smartphone detects the network with 2 of 3 bars of signal. What did I do wrong? If somebody could tell me I'll appreciate it

Chunkingz
2016-03-05, 09:50
> actually I think I've already triple posted somewhere here.
>
> You could edit post #37, remove the link, and just state that you have made a video on YT with the name of the video, without a link. That will achieve the same result.

Tnx I'll try that asap!

Chunkingz
2016-03-05, 09:56
> Hi everyone I'm new to kali and new to this script, I tried this script yesterday and got a pin number of a network but right after that reaver kept showing "Failed to associate with ..."; one hour later I closed it and ran reaver with that pin number but reaver kept showing the same message. Today is the same thing; I wrote down the bssid because wash does not detect it. The wifi on my smartphone detects the network with 2 of 3 bars of signal. What did I do wrong? If somebody could tell me I'll appreciate it

Well I don't really know much but, if u got a wps pin I'm quite sure you should also have gotten the wpa key. Aside from that, are u sure wps is still enabled for that ap? A quick way to check aside from wash is using wifite, just type wifite in terminal and wait a bit to see results.
Try again and let us know what you found. :)

0ops
2016-03-06, 18:16
after I shift mdk3 to the root folder and try to run it I get this error
bash: root/mdk3-v6/mdk3: No such file or directory
what am I doing wrong
just following steps from help file!

also getting this
cd mdk3-v6
root@kali:~/mdk3-v6# make
make -C osdep
make[1]: Entering directory '/root/mdk3-v6/osdep'
Building for Linux
make[2]: Entering directory '/root/mdk3-v6/osdep'
make[2]: '.os.Linux' is up to date.
make[2]: Leaving directory '/root/mdk3-v6/osdep'
make[1]: Leaving directory '/root/mdk3-v6/osdep'
root@kali:~/mdk3-v6# make install
make -C osdep install
make[1]: Entering directory '/root/mdk3-v6/osdep'
Building for Linux
make[2]: Entering directory '/root/mdk3-v6/osdep'
make[2]: '.os.Linux' is up to date.
make[2]: Leaving directory '/root/mdk3-v6/osdep'
make[1]: Leaving directory '/root/mdk3-v6/osdep'
install -D -m 0755 mdk3 //usr/local/sbin/mdk3
root@kali:~/mdk3-v6# chmod 755 /root/mdk3-v6/*
root@kali:~/mdk3-v6# /root/mdk3-v6/mdk3
bash: /root/mdk3-v6/mdk3: No such file or directory

moslondon
2016-03-06, 21:57
> Well I don't really know much but, if u got a wps pin I'm quite sure you should also have gotten the wpa key. Aside from that, are u sure wps is still enabled for that ap? A quick way to check aside from wash is using wifite, just type wifite in terminal and wait a bit to see results.
> Try again and let us know what you found. :)

I tried with a different ap and after I got the pin of that ap the wps got disabled... Wifite shows no wps on both aps.. Any idea on what to do next?

mmusket33
2016-03-07, 01:15
To moslondon:


From our experience there are several possibilities here.

1. The router was not WPA encrypted. We have routers in our areas that respond to wash but are not WPA encrypted.

2. We have seen routers which initially show WPS is enabled, then give up one pin and the WPS disappears. We have gotten past the encryption thru brute force or ESSIDPROBES. We have gone into the firmware remotely and looked at the setup. The WPS is enabled but there is no response from wash or reaver. Even resetting the router did not restore the WPS even though the firmware showed WPS is enabled.

3. Your first attack was done thru the command line (CL) and you spoofed your mac BUT did not add the --mac= command to the reaver CL. This will cause a failure to get the WPA key with reaver.

4. From aircrack-forums we just received a report that some routers lock up after a 12345670 pin request. We are exploring ryreaver-reverse and loading it into varmacscan for some tests.

5. There is yet another security feature of the WPS system that we are at present unaware of?

You could try Bully. MTeams though has had zero success with this program although others like the program. Hence if you ask, someone may help you.

MTeams

moslondon
2016-03-07, 04:43
From the networks available I picked 3 to use with this script, one disappeared without giving a pin and the other two gave me the same pin number and disappeared right after that. Wash does not detect them, wifite does detect them with no wps (those aps had wps at the beginning). When I got the pins I tried using the reaver command like this "reaver -i wlan0mon -vv -S -b (bssid) -c (channel) -p (pin)" but it showed the same message "failed to associate..." did I put the command right? And thanks for the reply, to be honest I'm new to linux and using commands...

moslondon
2016-03-07, 12:49
I tried bully "bully wlan1mon -b (bssid) -e (essid) -c (channel)" on the 3 networks and it says "the ap doesn't to be wps enabled". I guess there is no way to get those networks' key (good security?).
I tried a different network with the script and now I'm on
"Pin count: 11 ...
Wps transaction failed (code: 0x02), re-trying last pin"
Sometimes it keeps counting the pins, sometimes it shows the same message; should I stop it or does this mean it's working?

John_Doe
2016-03-08, 03:38
Hackers have replaced your uploads with malware, this is now a virus:
http://www.datafilehost.com/d/3c81deb0
and same with:
http://www.datafilehost.com/d/fd192b6d

mmusket33
2016-03-08, 11:10
Thank you John Doe. We found an .exe file in place of the .zip package. We have deleted all three VMR releases and reloaded on 8 March as follows:


Download VMR-MDK011x8 package at:

http://www.datafilehost.com/d/4f95b97f

You can download VMR-MDK-K2-2016R-011x9.zip package at

http://www.datafilehost.com/d/c2a2b474


MTeams

Chunkingz
2016-03-08, 23:45
> I tried bully "bully wlan1mon -b (bssid) -e (essid) -c (channel)" on the 3 networks and it says "the ap doesn't to be wps enabled". I guess there is no way to get those networks' key (good security?).
> I tried a different network with the script and now I'm on
> "Pin count: 11 ...
> Wps transaction failed (code: 0x02), re-trying last pin"
> Sometimes it keeps counting the pins, sometimes it shows the same message; should I stop it or does this mean it's working?

Speaking of not being able to get the network key. To me the fastest and best way to get someone's wpa key is using the "Evil twin" u need a very good network card and also hope the victim isn't tech savvy.

aanarchyy
2016-03-09, 00:38
@mmusket33

I still don't understand why you haven't made a github of your projects yet.
It's significantly more professional looking, and people can collaborate issues and suggestions.
And the likelihood of your files being compromised (assuming you choose a good password) is pretty
much null, so you won't have to keep changing the links or using apparently risky output channels.
Send me a msg if you need help setting something up :-)

mmusket33
2016-03-09, 00:52
To aanarchyy.

MTeams completely agree and we tried this but it appeared that posting a download package required a pay account so we dropped the idea. We have an account, we will have to find the password.

And furthermore we welcome any help here and correct us if we are wrong.

MTeams

aanarchyy
2016-03-09, 03:26
> To aanarchyy.
>
> MTeams completely agree and we tried this but it appeared to post a download package required a pay account so we dropped the idea. We have an account we will have to find the password.
>
> And furthermore we welcome any help here and correct us if we are wrong.
>
> MTeams

Pay account? I have a few projects on my github, and plan a few more, and have not paid one red cent...
Either way, easiest ways you can contact me is my skype or maybe a PM on HF, or email ([email protected]).
Or meet up in the kali IRC channel( I'm usually there idling XD)
Hopefully we can set up some type of conversation sometime soon. Been interested in talking to you for a bit anyway :-)

Mayank_07
2016-03-09, 14:15
> after I shift mdk3 to the root folder and try to run it I get this error
> bash: root/mdk3-v6/mdk3: No such file or directory
> what am I doing wrong
> just following steps from help file!
>
> also getting this

I have the exact same problem. I was able to run MDK3 just fine right before I followed the installation instructions of this tool. But now even normal MDK3 won't work. It just says No such file or directory.
Things I have tried so far to fix this:
- Removed this tool
- Re-installed default mdk3
- apt-get update and upgrade.
Still no luck. I am just not able to get the mdk3 tool to run. Every other tool works just fine.
Any help will be appreciated, thanks!

mmusket33
2016-03-10, 07:27
To Mayank_07

You should have a mdk3 folder in root.

cd to the folder in root and run mdk3

./mdk3 [ENTER]

You should get the help file

Please tell us the Operating System you are using. We only support kali 1.10a 2.0 and 2016.1R

We will test the help instructions again BUT you should now have two mdk3 programs. One must be run from the folder in root. VMR-MDK looks for that root install. Using just the mdk3 command in the Terminal Window should give you the original mdk3 program that came with the program.

MTeams

Chunkingz
2016-03-10, 20:34
Today I came across a router dats wps enabled and not locked. Funny thing is reaver doesn't work against it. That is there would be a successful association but. No pin counts it just keeps entering recurring delays... P1 still at zero. I wonder if it's my kali or sumfin am not doing right. I first ran vmr-mdk. Before trying reaver separately. Still same ish. No response for pin collections.
Please mmusket33 lemme know what you fink.

mmusket33
2016-03-11, 00:30
To Chunkingz
The tool of choice in most WPS pin collection cases is the command line. VMR-MDK and other programs using DDOS processes are really big guns that usually do not need to be employed. Many networks just lock up if the DDOS process is too intense.

If the Network in question is open MTeams would only use DDOS as a last resort and then for a very limited time, 10 to 20 seconds.

In the case you mentioned above we suggest you use varmacscan. The latest version is available for download. Just turn it on and walk away. The program scans for WPS enabled Networks and then attacks each in turn with reaver. The scan and then reaver phase continues for as many cycles as you require.

Alternatively you could try Bully. See the threads in this section. We cannot help you with Bully.

MTeams

wmxuser
2016-03-11, 01:47
Thank you and your awesome team for making life easier. I just want to say that on "Fritz Box Fon" model routers manufactured by Http://www.avm.de it doesn't work.

mmusket33
2016-03-11, 03:34
To wmxuser:

Thank you for your input.


MTeams has found that even the same make of router by mac code can react differently to the VMR-MDK series. This is why we have never asked for nor published a list of routers which are susceptible to the VMR-MDK approach. The only way to know if WPS pins can be obtained is to test that specific WPS Locked router for a few days.

Furthermore we have cracked WPS locked routers which when locked did not give up pins BUT during the VMR-MDK process, the router opened and the pin reset to 12345670 resulting in an extraction of the WPA Key.

So our rule is to test each specific router for the vulnerability and ignore the make and model.

MTeams

tridyman
2016-03-11, 11:44
> To wmxuser:
>
> Thank you for your input.
>
> MTeams has found that even the same make of router by mac code can react differently to the VMR-MDK series. This is why we have never ask for nor published a list of routers which are susceptible to the VMR-MDK approach. The only way to know if WPS pins can be obtained is to test that specific WPS Locked router for a few days.
>
> Furthermore we have cracked WPS locked routers which when locked did not give up pins BUT during the VMR-MDK process, the router opened and the pin reset to 12345670 resulting in an extraction of the WPA Key.
>
> So our rule is to test each specific router for the vulnerability and ignore the make and model.
>
> MTeams

I admire the work done and the time consumed for personal satisfaction or therapy, but as a constructive criticism I believe that recently +/-
a lot of new processes are pretty much the same dog with a different collar. Just my 2 cents, but let's keep testing and enjoy the time and keep watching when the process runs and the uploads at our side network. Happy testing,

Chunkingz
2016-03-11, 12:17
> To Chnkingz
> The tool of choice in most WPS pin collection cases is the command line. VMR-MDK and other programs using DDOS processes are really big guns that usually do not need to be employed. Many networks just lock up if the DDOS process is too intense.
>
> If the Network in question is open MTeams would only use DDOS as a last resort and then for very limited time 10 to 20 seconds
>
> In the case you mentioned above we suggest you use varmacscan. The latest version is available for download. Just turn it on and walk away. The program scans for WPS enabled Networks and then attacks each in turn with reaver. The scan and then reaver phase continues for as many cycles as you require.
>
> Alternatively you could try Bully. See the threads in this section. We cannot help you with Bully.
>
> MTeams

I didn't DDOS it just yet because it's still unlocked. Am saying that using reaver on the router doesn't work at all even if it's wps enabled and wps is not locked. Well I'll still try bully out.. Haven't used it b4 tho. Tnx

Quest
2016-03-16, 12:56
Thanks mmusket33,

If you could remove all the confirmations ('y') in the next release I would appreciate :)

bob79
2016-03-16, 19:02
> If you could remove all the confirmations ('y') in the next release I would appreciate :)

all those "y"es makes me feel like a baby with his mother at the toy store "so.. do you want this? are you sure? what about that?" :D why don't you pm Aanarchyy. he's the boss of writing/changing scripts. or you can do it yourself :p

mk7e
2016-03-16, 20:47
Hi,

How do I disable FCS check? If there is that option?
Thanks.

1377

aanarchyy
2016-03-16, 22:25
which version of reaver are you using?

You may need to update.

soxrok2212
2016-03-16, 22:34
I'm ditching Reaver. Code is way too buggy. Bully works SO much better and also runs on more *nix distributions... @mmusket I think you should switch to Bully for future scripts.

mk7e
2016-03-16, 22:56
> which version of reaver are you using?
>
> You may need to update.

Reaver is v1.4.

But signal is not the best one. I'll try with another antenna.

Interesting that Bully on the same essid say that is not wps enabled.

aanarchyy
2016-03-16, 23:01
and the FCS checks are automatic :-p

Quest
2016-03-16, 23:39
> I'm ditching Reaver. Code is way too buggy. Bully works SO much better and also runs on more *nix distributions... @mmusket I think you should switch to Bully for future scripts.

But then why only one? It's a funny thing that on some APs, reaver 1.3 works better than 1.4-1.5 for example. I would like to see all of them as starting options including Bully.



all those "y"es makes me feel like a baby with his mother at the toy store "so.. do you want this? are you sure? what about that?" :D

- Would you like to choose from the wash list? Press (y/Y) to continue....
- y
- Enter (y/Y) to confirm or (n/N) to try again.
- y
- You have chosen BongoWiFi, are you sure about this? Press (y/Y) to continue....
- Y
- Seems to be a slow AP, but whatever. Enter (y/Y) to confirm the previous confirmation or (n/N) to try again.
- Y
- Would you like chicken? Enter (y/Y) to confirm or (n/N).
- N
- Lol ok just checking if you 'n' key is working. To confirm (n/N).
- N
- Would you like to put your wireless device into monitor mode? Press (y/Y) to continue....
- y
- You have chosen (y/Y). Enter (y/Y) to confirm or (n/N) to try again.
- y
- Enter (y/Y) to confirm the previous confirmation or (n/N) to try again.
- YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY Y
- You seem just about to blow a gasket? Are you ok? Press (y/Y) to continue....
- Y !@#$%?&*()_
- Press (y/Y) to continue or confirm that you have actually blown a gasket and about to throw your lappy out the window (f/F)....
- F
- Oh well that will cause some delay in operations then. Press (y/Y) to continue....
- F
- You entered 'F' and that was not an option. Too bad eh? Press (y/Y) to continue....
- Ctrl+C




or you can do it yourself :p

two things I do not do. One of them is coding. :)

aanarchyy
2016-03-16, 23:50
Reaver is v1.4.

But signal is not the best one. I'll try with another antenna.

Interesting that Bully on the same ESSID says that it is not WPS enabled.

The up-to-date version of reaver is 1.5.2, in which the -C flag (the one to ignore bad FCS) has been reversed. Perhaps mmusket33 could add some version checking? I would love to help you, but there is no GitHub to pull request...
I have MULTIPLE suggestions to clean up the code (and I can also see there has been some "shoehorned" code and multiple different coding styles, suggesting multiple contributors.... there really needs to be some consistency to increase readability, reliability, and reusability of the code), but it is not my project, and I'm not gonna step on another coder's toes, so yeah...

and check if aircrack-ng --wps says it sees WPS as enabled. I've found wash to kinda... well... suck at actually being accurate at times...

Laserman75
2016-03-17, 00:46
But then why only one? It's a funny thing that on some APs, reaver 1.3 works better than 1.4-1.5 for example. I would like to see all of them as starting options including Bully.



- Would you like to choose from the wash list? Press (y/Y) to continue....
- y
- Enter (y/Y) to confirm or (n/N) to try again.
- y
- You have chosen BongoWiFi, are you sure about this? Press (y/Y) to continue....
- Y
- Seems to be a slow AP, but whatever. Enter (y/Y) to confirm the previous confirmation or (n/N) to try again.
- Y
- Would you like chicken? Enter (y/Y) to confirm or (n/N).
- N
- Lol ok just checking if you 'n' key is working. To confirm (n/N).
- N
- Would you like to put your wireless device into monitor mode? Press (y/Y) to continue....
- y
- You have chosen (y/Y). Enter (y/Y) to confirm or (n/N) to try again.
- y
- Enter (y/Y) to confirm the previous confirmation or (n/N) to try again.
- YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY Y
- You seem just about to blow a gasket? Are you ok? Press (y/Y) to continue....
- Y !@#$%?&*()_
- Press (y/Y) to continue or confirm that you have actually blown a gasket and about to throw your lappy out the window (f/F)....
- F
- Oh well that will cause some delay in operations then. Press (y/Y) to continue....
- F
- You entered 'F' and that was not an option. Too bad eh? Press (y/Y) to continue....
- Ctrl+C




two things I do not do. One of them is coding. :)

What is your problem? :confused:
You can change all the confirms in this code yourself so easily :rolleyes:



echo -e "$inp Press $yel(y/Y)$inp to continue...."
echo -e " Press $yel(n/N)$inp to abort!!..Press any other key to try again:$txtrst"
read CONFIRM

change to


#echo -e "$inp Press $yel(y/Y)$inp to continue...."
#echo -e " Press $yel(n/N)$inp to abort!!..Press any other key to try again:$txtrst"
CONFIRM=Y

soxrok2212
2016-03-17, 00:48
But then why only one? It's a funny thing that on some APs, reaver 1.3 works better than 1.4-1.5 for example. I would like to see all of them as starting options including Bully.


Reaver is all code ripped from Hostapd; it was meant to be a quick and crappy solution. Bully was developed correctly and wasn't just a quick solution. In my testing, Bully completed the WHOLE process of obtaining a key at a distance farther than it should've worked, in 1/30 the time Reaver would've taken. Reaver is just really *@&$%* code.

t6_x just implemented the pixie dust attack into it, never really fixed the rest of the code.

Quest
2016-03-17, 01:01
works pretty good for a *@&$%* code ;) But I believe you.


What is your problem? :confused:
You can change all confirms in this code for your self so easy :rolleyes:


change to

Thought I was clear.

soxrok2212
2016-03-17, 04:00
works pretty good for a *@&$%* code ;) But I believe you.


I'm actually surprised AAnarchYY's Bully (https://github.com/aanarchyy/bully) hasn't made it into the Kali repos yet. @g0tmilk, make this happen!

Also mmusket, I strongly urge you to put your code on GitHub so you can get better community input and involvement. Also beats having to post new download links each time, and it's a safe place to store all your projects.

bob79
2016-03-17, 07:09
Also mmusket, I strongly urge you to put your code on GitHub so you can get better community input and involvement. Also beats having to post new download links each time, and it's a safe place to store all your projects.

Loaded 10 March 2016

https://github.com/musket33/VMR-MDK-Kali2-Kali2016. Try also reading the first page, soxrok :)

To Quest: which is the other thing you won't do? Having chicken, I presume, as in the script? :cool:

mmusket33
2016-03-17, 12:41
To soxrok2212

MTeams tried to substitute Bully for reaver in varmacscan, a less code-intensive program, but Bully did not function well in xterm windows. We ran several tests for almost a month with Bully and Reaver; Reaver functioned fine while Bully failed every time. Your previous comments did not go unnoticed.

However MTeams will start another test series using Bully and see if we can figure out why. In our areas of operation Bully does not work well even from the command line in a terminal window.


Musket Teams

aanarchyy
2016-03-17, 12:45
A repository that only hosts a zip file...
Uhm... that's kinda.. pointless...

@mmusket33, are you using some kinda specialized version of mdk3 that you have to include a PRE-COMPILED binary with your script?

soxrok2212
2016-03-17, 15:29
Loaded 10 March 2016
https://github.com/musket33/VMR-MDK-Kali2-Kali2016. try reading also the first page soxrok :)


As aanarchyy also said, it's just a zip file.


To soxrok2212
MTeams tried to substitute Bully for reaver in varmacscan a less code intensive program but Bully did not function well in xterm windows. We ran several tests for almost a month with Bully and Reaver and Reaver functioned fine while Bully failed every time. Your previous comments did not go unnoticed


Have you tried with Bully 1.1? What kind of problems happened?

mmusket33
2016-03-17, 16:55
To aanarchyy

Our associate C++ programmer wrote an additional mdk3 attack type. He was in contact with soxrok2212 on the matter and it might be posted on GitHub, not sure.

We can post the latest VMR-MDK script in raw format if you wish. If you wish to post it fine by us.

Reference Bully it did not function for us at all compared to Reaver. We embedded bully in varmacscan, it ran first then reaver ran against all targets seen. Bully did not function well in xterm windows. We then tried it from the command line. Against our targets reaver ran fine while bully did nothing.

We did these tests for over a month thinking we were doing something wrong. After a month we just gave up.

Again we will check the Bully version and retest. The test scripts are stored. You might give us your favorite bully command line to test again.


MTeams

bob79
2016-03-17, 17:30
As mmusket33 says, also in my area bully doesn't work. I believe it might be a little too intrusive. All APs cracked with reaver +K 1, bully wasn't able to do it. The AP locks itself or even times out on me while bully tries its features. And another thing.. reaver reaches -70 dBm and more, maybe working a little slowly (but it does), while bully tells me that those (far away) APs are not in range or WPS locked etc.

aanarchyy
2016-03-17, 18:53
As mmusket33 says, also in my area bully doesn't work. I believe it might be a little too intrusive. All APs cracked with reaver +K 1, bully wasn't able to do it. The AP locks itself or even times out on me while bully tries its features. And another thing.. reaver reaches -70 dBm and more, maybe working a little slowly (but it does), while bully tells me that those (far away) APs are not in range or WPS locked etc.

if bully gets a little too aggressive, then just increase the time per pin (it defaults to 0). And I've had bully work just fine for me even in the -80's whereas reaver can't even associate with AP's in the -40's. Obviously I'm talking about the version i made, not the one that comes with kali.

But to each their own, I prefer bully as it actually works on Openwrt and several other pieces of hardware that reaver fights with.

and mmusket33, why wouldn't you just make mdk3 its own separate repo? It is a separate tool. ;-) Then just add in the readme that it requires that to be installed.
Just like how reaver says that it requires pixiewps to be installed to use the pixiedust attack.

soxrok2212
2016-03-17, 19:00
if bully gets a little too aggressive, then just increase the time per pin (it defaults to 0). And I've had bully work just fine for me even in the -80's whereas reaver can't even associate with AP's in the -40's. Obviously I'm talking about the version i made, not the one that comes with kali.


I was hesitant to switch to Bully but I've found the same exact results. Distance is no longer a problem with Bully and everything runs much, much quicker.

Also, I do have the modified version of MDK3 if you'd like me to put it back on GitHub, though I didn't have any success with the extra modifications.

bob79
2016-03-17, 20:00
. Obviously I'm talking about the version i made, not the one that comes with kali.


tell you the truth.. never used bully which came with kali. only your version :D

Quest
2016-03-17, 23:10
Bob, the other one is 3D modeling. The reason is, there are very talented people that already do an amazing job at coding and modeling, so I do not see why I should do that, on top of doing everything else. So coding and modeling is a definite niope :)

mmusket33
2016-03-18, 00:34
To aanarchyy

When approaching WPS locked routers the processes must be automated due to the complex series of steps required to extract pins. Using keyboard output to the commandline is not practicable.

As you have written a bully version, maybe you can tell us why bully does not function well when in an xterm window or when outputting to a file thru tee?

For example the following with reaver runs well however bully output to the screen and tee is intermittent and no pins are ever collected.

xterm -g 80x15-1+1 -T "bully" -e "bully wlan0mon -b 55:44:33:22:11:00 -c 1 -B --force -v 3 -L -d -s 00:11:22:33:44:55 2>&1 | tee logfile" &

It could be xterm but we got the same results when we tried the commandline thru a terminal window.

aanarchyy
2016-03-18, 01:32
what results were you expecting and what results did you get?

running the command you just posted seemed to work just fine for me. All output ended up in "logfile" and posted in the xterm... bully went on as usual... (slightly altered)

http://postimg.org/image/h5ebomytz/

This would be far easier(and litter your thread less) if you and i could arrange some other means of communication...

mk7e
2016-03-18, 20:01
The up-to-date version of reaver is 1.5.2, in which the -C flag (the one to ignore bad FCS) has been reversed. Perhaps mmusket33 could add some version checking? I would love to help you, but there is no GitHub to pull request...
I have MULTIPLE suggestions to clean up the code (and I can also see there has been some "shoehorned" code and multiple different coding styles, suggesting multiple contributors.... there really needs to be some consistency to increase readability, reliability, and reusability of the code), but it is not my project, and I'm not gonna step on another coder's toes, so yeah...

and check if aircrack-ng --wps says it sees WPS as enabled. I've found wash to kinda... well... suck at actually being accurate at times...

Thanks for the reply aanarchyy, that wasn't WPS indeed. With a slightly stronger signal, it took less than 1h to retrieve the password.

I'm satisfied -:)

mmusket33
2016-03-19, 08:56
To aanarchyy:

MTeams is currently tied up with Pwnstar9.0 rewrite for kali 1.10, 2.0 and 2016. We would very much like you to alter VMR-MDK as you see fit. Second opinions are always welcome. You could post your rework on Github.

Quest
2016-03-19, 22:31
On behalf of us dropouts... Thanks for supporting KL1 in everything that you do ;)

bob79
2016-03-19, 23:05
i have to give credit to Quest.. KL1 rocks.. KL2 asks some time and.. there's others :D

aanarchyy
2016-03-20, 00:24
@mmusket33:

As tempting as it is to wade through and rewrite +8k lines of code... I think i may pass on this one...
There is far too little structure to the code for me to make sense of it...


To aanarchyy
When approaching WPS locked routers the processes must be automated due to the complex series of steps required to extract pins. Using keyboard output to the commandline is not practicable.

Then why would you make a program that is DESIGNED to work off "keyboard output to the commandline"????
Something with command line arguments; you type in your command, hit enter, and WALK AWAY!
I don't want to have to babysit a program in case it wants more input...

The whole concept of "input based" scripts(as opposed to command line arguments) is, by design ,NOT AUTOMATED!!!!
Plus i just find them seriously annoying and bloated with ****(read: slow!)
It also completely eliminates versatility in how it can be reused(no way for anyone to add it to anything, like how bully and reaver added support for pixiewps,
or how scripts like wifite added support for aircrack/reaver/wash/etc...)

It would take far more time than justifiable to basically "reverse engineer" everything this script is doing, especially since i don't see a reason for
a great deal of what it's doing... Perhaps if you were to lay-out exactly what you want this to do, i could make something that does what you are
looking for(in a better suited language, using bash sucks for this)

Especially since mdk3 has never done anything useful for me in any of the tests I've run...

I'm not trying to publicly trash your teams code(a GREAT deal of why I've been trying to get into a private conversation with you, so we could discuss
some of this more privately, but apparently you opted for this) just have some suggestions to improve your programs efficiency, effectiveness, and versatility.

mmusket33
2016-03-20, 23:12
To Quest

MTeams will continue to support Kali 1.10. For us Kali 1.10 works all the time, Kali 2.0 can work, and Kali 2016, well, we will check it again in a month or two.

MTeams

Quest
2016-03-22, 09:58
ah! Was wondering where this thread went. Either it was moved from the kitchen, or I need a doctor asap. Anyways just to give you a little feedback,

- it works well on KL 1.1.0a (probably already knew).
- would like to see both, aanarchyy-bully and reaver-t6x as starting options eventually.
- would like to see all the (y/Y) confirmations, axed, shredded and then cremated at 5452 degrees c.

Chunkingz
2016-03-22, 22:41
- would you like to choose from the wash list? Press (y/y) to continue....
- y
- enter (y/y) to confirm or (n/n) to try again.
- y
- you have chosen bongowifi, are you sure about this? Press (y/y) to continue....
- y
- seems to be a slow ap, but whatever. Enter (y/y) to confirm the previous confirmation or (n/n) to try again.
- y
- would you like chicken? Enter (y/y) to confirm or (n/n).
- n
- lol ok just checking if you 'n' key is working. To confirm (n/n).
- n
- would you like to put your wireless device into monitor mode? Press (y/y) to continue....
- y
- you have chosen (y/y). Enter (y/y) to confirm or (n/n) to try again.
- y
- enter (y/y) to confirm the previous confirmation or (n/n) to try again.
- yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy y
- you seem just about to blow a gasket? Are you ok? Press (y/y) to continue....
- y !@#$%?&*()_
- press (y/y) to continue or confirm that you have actually blown a gasket and about to throw your lappy out the window (f/f)....
- f
- oh well that will cause some delay in operations then. Press (y/y) to continue....
- f
- you entered 'f' and that was not an option. Too bad eh? Press (y/y) to continue....
- ctrl+c




****!!! You crazy!

seen_bawl
2016-03-24, 08:15
thank you can you please add a download link + the command to install it

bob79
2016-03-24, 09:49
thank you can you please add a download link + the command to install it

go to the first page

Chunkingz
2016-03-27, 22:45
Okay, so I've been on this particular router for quite some time now... and I don't really seem to get what's going on... I've used the VMR tool to pwn Mr A, and now Mr B is using the same kind of router Mr A uses. But I've noticed one strange behaviour with the router: after some time of trying to pwn it, it duplicates its BSSID, for example...
aa:aa:aa:aa:aa:aa gets two brothers aa:aa:aa:aa:aa:bb and aa:aa:aa:aa:aa:cc. I doubt that someone would be running an evil twin attack cloning his MAC and changing the last octets... so
bottom line, when these guys are created sometimes VMR wouldn't be able to perform the fake association / aireplay attack for pin collection. Sometimes I try to attack them one after the other to see which are the decoys and which is real.
I dunno if it's some sort of IDS.
I should also add that Mr A's router had none of these issues, and also Mr B's router is seldom connected to... but still, I just want in!
And don't worry about my safety, I know who and what I'm dealing with.
Please, if you've got any ideas, help a bro out.
Thanks in advance.

Volat
2016-04-28, 11:31
Hey guys, I'm new here and fairly new (2 years) to pentesting routers. I managed to successfully penetrate a few networks last year using both reaver with pixiedust and through dictionary attacks. Recently I've been on the move again and found your awesome tool. I understand that it is intended specifically for locked WPS intrusion; however, I seem to have made no progress. The tool is working as it should (tested against a few APs that I already have the PSK for), but for any new APs, specifically locked APs, the script doesn't seem to give up any more pins. On top of that, it seems to have locked the APs for over 48 hours. Is this normal?
Finally, somebody mentioned earlier in the thread that they have identified an AP which is listed as unlocked WPS, but reaver treats it as though it is locked. I have a similar AP and would LOVE to breach it. It says WPS is not locked, but neither reaver nor vmr-mdk manages to get past the initial sending identity response. Have you guys ever encountered a router like this? If so, how did you work around it?
I believe it's a Zyxel chipset, 5c:f4:ab

P.s. awesome that someone released a script to run this process, my fingers were not fast enough!

mmusket33
2016-04-29, 06:00
As MTeams notes in the help files the VMR-MDK process only works on a small subset of routers.

If the router's WPS system is open but simply not responding, you can try these techniques.

Method One

Use varmacscan for a few days

https://forums.kali.org/showthread.php?28535-Varmacscan2-0-an-automatic-multi-target-reaver-attack-tool-released/page5

Method Two

If you wish to focus your reaver attack specifically at one target that is not responding, use reaver from the command line, then:

Open a second terminal window and run this from the command line.

while true; do
    aireplay-ng -0 10 -a 55:44:33:22:11:00 mon0    # -0 10: ten deauth rounds aimed at the target BSSID
    sleep 2
    aireplay-ng -1 10 -a 55:44:33:22:11:00 mon0    # -1 10: fake authentication, re-authenticating every 10 seconds
    sleep 5
done

The mac address here would be the mac address of your target.
mon0 is your monitor mon0 or wlan0mon etc

If you get a complete pixiedust data sequence use PDDSA-06.sh. Capture the text from the screen, save it to the VARMAC_LOGS directory and check it with PDDSA-06.sh. MTeams broke a non-responding router this way two days ago.

MTeams

Volat
2016-04-29, 07:08
Great. Thanks for your feedback guys. I'll try this out after work today (already had varmacscan running for around 12 hours). The second method is basically a deauth/fakeauth process in aireplay, right? Is it worth using a known client MAC as well, or shall I just let it go with a random spoof?

stem83
2016-05-17, 18:27
@mmusket33.

Thank you very much for your great work!
I used the VMR-MDK script for kali 2016 and it started to collect pins like a charm against a Technicolor AP 582n.
The problem is that after a variable number of pins, the reaver count suddenly restarts from the beginning.
The access point is always responsive to the attack, but I can't figure out why the reaver count restarts.

mmusket33
2016-05-18, 06:10
To Stem83

The program has a retest pin 12345670 every x cycles feature. When the program retests it includes a --session= in the reaver command line so the brute force count is not upset. The program will test the pin for 120 seconds and then return to the brute force count on the next cycle.

Try turning off the retest feature in the configuration file during program setup. Change the y to n. However in the end it is best to use this feature. Read the help files for the reasons, which include getting a complete pixie dust data sequence.

The only other way the count can be upset to our knowledge is if you jump between using --dh-small and not using it.


To test, turn off the retest pin feature and the brute force count should return to the previous brute force setting. If you still have problems please advise.

MTeams
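Parsing a saved reaver log for the pixie-dust data sequence, which is the check mmusket33 describes handing to PDDSA above, and for the kind of pin-count restart stem83 reports. This is an added example written for this thread, not PDDSA, VMR-MDK or reaver code. It assumes the [P]/[+] line markers of reaver 1.5.2 (t6_x) output and pixiewps's documented short options; the sample log is constructed and is fed in flattened onto one line, since that is how a copy/paste usually arrives. The fields are taken from a single WPS attempt only: E-Nonce from one attempt combined with E-Hash1/E-Hash2 from another gives pixiewps inconsistent input.

```python
"""Check a saved reaver log for a complete pixie-dust data sequence and for
brute-force pin-count restarts.  Added example for this thread, not PDDSA,
VMR-MDK or reaver code; the sample log below is constructed."""
import re

# Field -> (pixiewps short option, expected length in bytes).  Lengths follow
# the WPS registration protocol (nonces 16, DH public keys 192, hashes and
# AuthKey 32); the options are pixiewps's documented ones.
PIXIE_FIELDS = {
    "E-Nonce": ("-n", 16),
    "PKE": ("-e", 192),
    "PKR": ("-r", 192),
    "E-Hash1": ("-s", 32),
    "E-Hash2": ("-z", 32),
    "AuthKey": ("-a", 32),
}

FIELD_RE = re.compile(
    r"\[P\]\s*(E-Nonce|PKE|PKR|E-Hash1|E-Hash2|AuthKey):\s*([0-9A-Fa-f:]+)")
COUNT_RE = re.compile(r"Pin count(?: advanced)?:\s*(\d+)")
# reaver prints this at the start of every WPS attempt; values from two
# different attempts must never be combined into one pixiewps run.
ATTEMPT_RE = re.compile(r"Sending EAPOL START request")


def pixie_sequences(log_text):
    """One dict per WPS attempt: the hex fields found (colons stripped) plus
    'missing' and 'bad_length' lists.  Works on normal multi-line output and
    on output that has been flattened onto a single line."""
    results = []
    for chunk in ATTEMPT_RE.split(log_text)[1:]:
        found, bad_length = {}, []
        for name, value in FIELD_RE.findall(chunk):
            hexval = value.replace(":", "").lower()
            if len(hexval) != 2 * PIXIE_FIELDS[name][1]:
                bad_length.append(name)
            found[name] = hexval
        missing = [n for n in PIXIE_FIELDS if n not in found]
        results.append({**found, "missing": missing, "bad_length": bad_length})
    return results


def last_complete_sequence(log_text):
    """Most recent attempt with all six fields present and correctly sized, or None."""
    for seq in reversed(pixie_sequences(log_text)):
        if not seq["missing"] and not seq["bad_length"]:
            return seq
    return None


def pixiewps_argv(seq):
    """pixiewps command line for a complete sequence (pixiewps also accepts the
    colon-separated form reaver prints; plain hex is passed here)."""
    argv = ["pixiewps"]
    for name, (flag, _) in PIXIE_FIELDS.items():
        argv += [flag, seq[name]]
    return argv


def pin_count_restarts(log_text):
    """(counts, restarts): every 'Pin count' value in order, and the positions
    where it dropped, which is what a lost --session looks like in a log."""
    counts = [int(c) for c in COUNT_RE.findall(log_text)]
    restarts = [i for i in range(1, len(counts)) if counts[i] < counts[i - 1]]
    return counts, restarts


def fake_hex(nbytes, seed):
    """Constructed placeholder bytes for the sample log, not real WPS data."""
    return ":".join("%02x" % ((seed + i) & 0xFF) for i in range(nbytes))


# Constructed sample modelled on reaver 1.5.2 (t6_x) output, joined with
# spaces the way a pasted log often is: the first attempt timed out before M3,
# the second reached M3 and so carries the full sequence; the final count drop
# imitates a session restart.
SAMPLE_LOG = " ".join([
    "[+] Trying pin 12345670.", "[+] Sending EAPOL START request",
    "[+] Received identity request", "[+] Sending identity response",
    "[P] E-Nonce: " + fake_hex(16, 1), "[P] PKE: " + fake_hex(192, 2),
    "[+] Received M1 message", "[P] R-Nonce: " + fake_hex(16, 3),
    "[P] PKR: " + fake_hex(192, 4), "[P] AuthKey: " + fake_hex(32, 5),
    "[+] Sending M2 message", "[!] WARNING: Receive timeout occurred",
    "[+] Sending WSC NACK", "[+] Pin count advanced: 1. Max pin attempts: 11000",
    "[+] Trying pin 00005678.", "[+] Sending EAPOL START request",
    "[+] Received identity request", "[+] Sending identity response",
    "[P] E-Nonce: " + fake_hex(16, 6), "[P] PKE: " + fake_hex(192, 7),
    "[+] Received M1 message", "[P] R-Nonce: " + fake_hex(16, 8),
    "[P] PKR: " + fake_hex(192, 9), "[P] AuthKey: " + fake_hex(32, 10),
    "[+] Sending M2 message", "[P] E-Hash1: " + fake_hex(32, 11),
    "[P] E-Hash2: " + fake_hex(32, 12), "[+] Received M3 message",
    "[+] Sending M4 message", "[+] Received WSC NACK",
    "[+] Pin count advanced: 2.", "[+] Pin count advanced: 1.",
])

if __name__ == "__main__":
    seq = last_complete_sequence(SAMPLE_LOG)
    print("pixiewps:", " ".join(pixiewps_argv(seq)) if seq else "no complete sequence")
    print("pin counts / restarts:", pin_count_restarts(SAMPLE_LOG))
```

On a real capture, pass the whole VARMAC_LOGS file contents to last_complete_sequence; a None result with a non-empty "missing" list on the last attempt tells you which message (M1 for PKE/E-Nonce, M2 for PKR/AuthKey, M3 for the hashes) the AP never sent.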

stem83
2016-05-19, 20:56
To Stem83

The program has a retest pin 12345670 every x cycles feature. When the program retests it includes a --session= in the reaver command line so the brute force count is not upset. The program will test the pin for 120 seconds and then return to the brute force count on the next cycle.

Try turning off the retest feature in the configuration file during program setup. Change the y to n. However in the end it is best to use this feature. Read the help files for the reasons, which include getting a complete pixie dust data sequence.

The only other way the count can be upset to our knowledge is if you jump between using --dh-small and not using it.


To test, turn off the retest pin feature and the brute force count should return to the previous brute force setting. If you still have problems please advise.

MTeams

@mmusket33.

Thank you very much for your prompt reply. :-)
I already tried turning off the retest pin feature yesterday and setting the retest frequency to 99999, but after it collected about 3000 pins it restarted again with 12345670, without storing any previous session. It's really strange; I never modified the --dh-small option, so yesterday I tried to brutally delete lines 7287 to 7745, with the retest functions, from the script.
Now it has collected about 1500 pins; I'll let you know soon how it goes.

mmusket33
2016-05-20, 01:51
To Stem83

Please keep us advised. We are not encountering this with kali 1.1 or 2.0. We do know that for reaver to save its pin count, reaver has to be shut down in a certain manner. But since your program is saving its pin counts, the shutdown procedure works.

1. What version are you using ?
2. What type of operating system ie Harddrive Install, Persistent USB, Virtual etc

We will try and induce this failure.

Note we do not support any virtual mode installs or persistent USB using luks encryption. However hard drive installs and persistent USB installs are fine. Live installs will not work as you cannot save between reboots.

MTeams

stem83
2016-05-20, 21:03
To mmusket33:

I use kali-linux-2016.1 x64 persistent live USB with LUKS encryption.
Here are some useful info :

root@kali:~# uname -a
Linux kali 4.3.0-kali1-amd64 #1 SMP Debian 4.3.3-5kali4 (2016-01-13) x86_64 GNU/Linux

root@kali:~# reaver
Reaver v1.5.2 WiFi Protected Setup Attack Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> mod by t6_x <[email protected]> & DataHead & Soxrok2212

root@kali:~# mdk3
MDK 3.0 v6(mod-musket-r1) - "**** the censorship" by ASPj of k2wrlz, using the osdep library from aircrack-ng And with lots of help from the great aircrack-ng community: Antragon, moongray, Ace, Zero_Chaos, Hirte, thefkboss, ducttape, telek0miker, Le_Vert, sorbo, Andy Green, bahathir and Dawid Gajownik THANK YOU! MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses. IMPORTANT: It is your responsibility to make sure you have permission from the network owner before running MDK against it. This code is licenced under the GPLv2

root@kali:~# lspci | grep Network
02:00.0 Network controller: Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)

root@kali:~/VARMAC_LOGS# cat TNCAPXXXXXX-XXXXXX-XX:XX-XXXXXX
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212
[+] Switching mon0 to channel 6
[+] p1_index set to 3129
[+] p2_index set to 0
[+] Restored previous session
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: TNCAPXXXXXX)
[+] Starting Cracking Session. Pin count: 3129, Max pin attempts: 11000
[+] Trying pin 31225670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: XX:XX:XX:XX:XX:XX
[P] PKE: XX:XX:XX:XX:XX:XX
[P] WPS Manufacturer: Technicolor
[P] WPS Model Name: Technicolor TG
[P] WPS Model Number: 582n
[P] Access Point Serial Number: XXXXXXXXX
[+] Received M1 message
[P] R-Nonce: XX:XX:XX:XX:XX:XX
[P] PKR: XX:XX:XX:XX:XX:XX
[P] AuthKey: XX:XX:XX:XX:XX:XX
[+] Sending M2 message
[P] E-Hash1: XX:XX:XX:XX:XX:XX
[P] E-Hash2: XX:XX:XX:XX:XX:XX
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p1_index set to 3130
[+] Pin count advanced: 3130.
--------------------------------------------------------
[+] Pin count advanced: 3136. Max pin attempts: 11000
[+] Trying pin 31295673.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: XX:XX:XX:XX:XX:XX
[P] PKE: XX:XX:XX:XX:XX:XX
[P] WPS Manufacturer: Technicolor
[P] WPS Model Name: Technicolor TG
[P] WPS Model Number: 582n
[P] Access Point Serial Number: XXXXXXXXX
[+] Received M1 message
[P] R-Nonce: XX:XX:XX:XX:XX:XX
[P] PKR: XX:XX:XX:XX:XX:XX
[P] AuthKey: XX:XX:XX:XX:XX:XX
[+] Sending M2 message

root@kali:~/VARMAC_CONFIG# cat TNCAPXXXXXX-XXXXXXXXXXXX
###=========================
CHANNEL1=6
###=========================
###=========================
USE_R1=y
###=========================
###=========================
RX1=9
RY1=2
###=========================
###=========================
LIVE1=240
###=========================
###=========================
USE_LONG1=y
###=========================
####=========================
MDKTYPE1=3
####=========================
###=========================
MDKLIVE=1
###=======================
###=========================
PAUSE=1
###=========================
###=========================
REAVER_COUNT=y
###=========================
###=========================
MDK3_COUNT=y
###=========================
###=========================
WASH_COUNT=y
###=========================
###=========================
DAMP_MDK=y
###=========================
###==========================
ADVAN_TIME=120
###=========================
###=========================
USE_AIRE1=y
###=========================
###=========================
USE_AIRE0=n
###=========================
###=========================
USE_DHSMALL=y
###=========================
###=========================
MACSEL=n
###=========================
###=========================
ASSIGN_MAC=XX:XX:XX:XX:XX:XX
###=========================
###=========================
USE_PIXIE=n
###=========================
###=========================
USE_FIRSTPIN=n
###=========================
###=========================
RETESTPIN=999999
###=========================

mmusket33
2016-05-21, 05:41
To Stem 83

Thanks for the info:

First you might set the
RETESTPIN=50

As we never tested such a long cycle. But we doubt the problem is there.

VMR-MDK was developed against real targets using kali-i386. It has never been tested using AMD or luks encryption.

MTeams tried luks encryption but the encryption process took too long to complete, causing other program processes to fail. We removed the encryption feature and programs ran normally again. So if we were to take a guess, the problem is there.

Suggest you make a persistent usb install of kali not using luks and maybe not amd and see what occurs. If you can just turn off luks try that. We gave up on luks a while ago. We know nothing about AMD.


MTeams

Pranav
2016-05-21, 06:43
Hello MTeam,

I have been trying to crack a WPS locked router and have been trying your script for the past few weeks and always get the same error
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping... and it goes on
I get this line after I specify mon0

I have not installed Kali on my Windows machine, I am live booting it from my pendrive, version: kali-linux-2016.1-amd64.iso
I have a Dell Inspiron N4030 with an Intel i3 processor
Network card: BCM43XX

Please help me out

stem83
2016-05-21, 07:22
To Stem 83

Thanks for the info:

First you might set the
RETESTPIN=50

As we never tested such a long cycle. But we doubt the problem is there.

VMR-MDK was developed against real targets using kali-i386. It has never been tested using AMD or luks encryption.

MTeams tried luks encryption but the encryption process took too long to complete, causing other program processes to fail. We removed the encryption feature and programs ran normally again. So if we were to take a guess, the problem is there.

Suggest you make a persistent usb install of kali not using luks and maybe not amd and see what occurs. If you can just turn off luks try that. We gave up on luks a while ago. We know nothing about AMD.


MTeams

To mmusket33.

Thank you for the advice, I'll give it a try and let you know. But is there any way to keep the pins already tested? Are they stored in the default /etc/reaver folder?

mmusket33
2016-05-21, 09:24
To Stem83

To find where your .wpc files are stored try typing:

locate .wpc

The storage folder moved around when the first pixiedust modded reaver programs were installed over the existing reaver, but current versions store in the /etc/reaver folder as you note, or maybe /usr/local/etc/reaver.

As you can see the .wpc file is just a MAC address stripped of colons. You could copy the file to another folder, or copy it to the existing folder and place an XX at the beginning.

To avoid conflict in the VMR-MDK series, when the --pin= command is used, a --session= command pointing to another location, with a text string at the beginning of the file name, is included in the command line to avoid any later brute force session using the file. So even if reaver sends the --session files to the same folder through its internal default, it cannot use them for any brute force sessions as there is a text string at the beginning. If you see a file testpin- or startpin-, these were written by the --session= command when a specific pin is used or the default pin is tested.

We will run some tests on wpc storage of session files again and see what occurs.

sslx
2016-05-23, 10:24
Is it possible to run this on arm-64 bit?
I'm running kali rolling on odroid c2 with 64-bit cpu.
Thank you!
root@kali-arm64:~/mdk3-v6# make
make -C osdep
make[1]: Entering directory '/root/mdk3-v6/osdep'
Building for Linux
make[2]: Entering directory '/root/mdk3-v6/osdep'
make[2]: '.os.Linux' is up to date.
make[2]: Leaving directory '/root/mdk3-v6/osdep'
make[1]: Leaving directory '/root/mdk3-v6/osdep'
root@kali-arm64:~/mdk3-v6# make install
make -C osdep install
make[1]: Entering directory '/root/mdk3-v6/osdep'
Building for Linux
make[2]: Entering directory '/root/mdk3-v6/osdep'
make[2]: '.os.Linux' is up to date.
make[2]: Leaving directory '/root/mdk3-v6/osdep'
make[1]: Leaving directory '/root/mdk3-v6/osdep'
install -D -m 0755 mdk3 //usr/local/sbin/mdk3
root@kali-arm64:~/mdk3-v6# /root/mdk3-v6/mdk3
-bash: /root/mdk3-v6/mdk3: cannot execute binary file: Exec format error

stem83
2016-05-25, 21:04
To mmusket33.

The mystery continues..
As you suggested I used kali 2.0 i386 persistent USB WITHOUT LUKS encryption and the pin count advanced without restarts as expected, but after some days of work I had this unexpected log:

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212
[+] Switching mon0 to channel 1
[+] p1_index set to 6904
[+] p2_index set to 999
[+] Restored previous session
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: TNCAPXXXXXX)
[+] Starting Cracking Session. Pin count: 10999, Max pin attempts: 11000
[+] Trying pin 69019982.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: XXXXXXXXXXXXXXXXXXXX
[P] PKE: XXXXXXXXXXXXXXXXXXXX
[P] WPS Manufacturer: Technicolor
[P] WPS Model Name: Technicolor TG
[P] WPS Model Number: 582n
[P] Access Point Serial Number: XXXXXXXXX
[+] Received M1 message
[P] R-Nonce: XXXXXXXXXXXXXXXXXXXX
[P] PKR: XXXXXXXXXXXXXXXXXXXX
[P] AuthKey: XXXXXXXXXXXXXXXXXXXX
[+] Sending M2 message
[P] E-Hash1: XXXXXXXXXXXXXXXXXXXX
[P] E-Hash2: XXXXXXXXXXXXXXXXXXXX
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] p2_index set to 1000
[+] Pin count advanced: 11000. Max pin attempts: 11000
[+] Checksum mode was not successful. Starting exhaustive attack
[+] p2_index set to 0
[+] Trying pin 69011234.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: XXXXXXXXXXXXXXXXXXXX
[P] PKE: XXXXXXXXXXXXXXXXXXXX
[P] WPS Manufacturer: Technicolor
[P] WPS Model Name: Technicolor TG
[P] WPS Model Number: 582n
[P] Access Point Serial Number: XXXXXXXXX
[+] Received M1 message
[P] R-Nonce: XXXXXXXXXXXXXXXXXXXX
[P] PKR: XXXXXXXXXXXXXXXXXXXX
[P] AuthKey: XXXXXXXXXXXXXXXXXXXX
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[P] E-Hash1: XXXXXXXXXXXXXXXXXXXX
[P] E-Hash2: XXXXXXXXXXXXXXXXXXXX
[+] Received M3 message
[+] Sending M4 message
[+] Session saved.

And the p2 index restarted from 0.
I'm a little bit confused now... What does "exhaustive attack" mean? And, according to the log file, it discovered only the first part (6901) of the pin, right?

mmusket33
2016-05-26, 23:13
To sslx

MTeams does not use arm, hence we cannot test. Furthermore our weekly HD test install of Kali-rolling seems to have finally been successful after update/upgrade, so we will recommence work with that Operating System.

To Stem83

It looks like removing the luks has stopped the pin count restart. You have simply checked all the WPS pins. The only thing we could do in this case is:

1. Restart the attack from the beginning. Remove the -a from the reaver command line and you should get asked if you want to restart.

2. Try Kali 1.10a and reaver 1.3; we have found the older program sometimes works better. We used to keep a persistent usb install using reaver 1.3 for such cases.

Reaver 1.3 was available; search the web for the download page and install instructions.

Note in reaver 1.3 wash is called something else, maybe walsh, and you will have to use airodump-ng to obtain the channel.

MTeams

renanvoluci0n
2016-06-20, 17:45
I got an error, and I need help to solve this.



Enter Line Number of Selected TargetAP Here: 1




You have chosen:

1. xxxxxxxxx as the targetAPs' name.

2. xxxxxxxxx as the targetAPs' mac address.

Enter (y/Y) to confirm or (n/N) to try again.
Y
./VMR-MDK-K2-2016R-011x9.sh: line 666: /root/VARMAC_CONFIG/configfiledetailed: Arquivo ou diretório não encontrado
./VMR-MDK-K2-2016R-011x9.sh: line 673: /root/VARMAC_CONFIG/xxxxxx-xxxxxxx: Arquivo ou diretório não encontrado

ls: não é possível acessar /root/VARMAC_CONFIG: Arquivo ou diretório não encontrado

Configuration files listed in the VARMAC_CONFIG folder.



Select the config file to be used.
A Configuration file xxxxxxxxxx-xxxxxxxx has been made for use
with this target BUT any config file listed can be used.
After selection the config file parameters will appear. You can review
settings and make changes which will be written to the file choosen.

Once the program is running, open the config file with leafpad,
make any changes and save. The config file is loaded at the start of
Stages II, III & IV.

Enter Line Number of Config File Here:



You have chosen as your configuration file.
Enter (y/Y) to confirm or (n/N) to try again.
y
./VMR-MDK-K2-2016R-011x9.sh: line 1142: /root/VARMAC_CONFIG/: Arquivo ou diretório não encontrado



Arquivo ou diretório não encontrado = File or directory not found
Não é possível acessar = is not possible to access


How to solve this?

mmusket33
2016-06-21, 05:25
To renan*

MTeams looked at your problem. For some reason the config file is not being written to the folder. It is possible your script is corrupted, as all these processes are automatic. If you are using one of the Spanish versions it is possible it got altered. MTeams corrected a previous version.


Go thru the setup very carefully. You should see your config file in a drop down menu list.

MTeams

machx
2016-06-21, 14:45
To Renan,

I was facing the same issue.

You can fix this by copying all the folders that VMR-MDK creates, for example VARMAC_CONFIG, LOGS etc,

and pasting them into the root/home folder, and then run the script. I hope this helps.

YssDiamond
2016-06-25, 07:46
I am also facing some problems on Kali 2016. I can't get this script to work; I've read everything, even after 3 hours of searching, and for some reason it doesn't scan for networks or show me the airodump and wash tabs. I would really appreciate some help, thanks!

marsrolled
2016-06-26, 03:35
I'm having pretty much the same problem. I installed it successfully though, but the script stops at:

usage: VMR-MDK-K2-2016R-011x9.sh <start|stop|check> <interface> [channel or frequency]"

It seemed to me that the script isn't resuming as it should.

And also 2 questions: first, is installing mdk3 required/mandatory?
Second, do you suggest having multiple wlan adapters to use? If yes, please recommend to me the latest and greatest in the range of $50 and below.

Would appreciate the reply to be here or to my email: [email protected]

Thank you very much! :o

YssDiamond
2016-06-26, 18:44
I got the script working after restarting my computer, but now I get the same issue described above me. Thanks for all the help, really appreciate it!

mmusket33
2016-06-27, 05:47
To marsrolled and YssDiamond

A common error with VMR-MDK by users is, when asked to enter the device, the user types the device name, i.e. wlan0, rather than the line number of the device seen in the menu list of devices.

Suggest carefully going thru the set up.


Loading the modified version of mdk3 is not mandatory. This version is loaded to a folder in root and the VMR-MDK program will run that version if you select item 14 in the DDOS series. All other DDOS using mdk3 run from the installed version that comes with kali-linux.

Reference wifi devices - MTeams is in no way any authority here and is NOT qualified to recommend any devices. We use the AWUS036H and it works for us. There is however a lot of commentary in these forums on other devices. Suggest you post your question there and some forum member may assist you.

YssDiamond
2016-06-27, 13:20
Thanks for the quick reply. I managed to get it to work: when I had to choose whether I wanted to use wlan0 or mon0, wlan0 didn't work for me and only mon0 worked. @marsrolled, I suggest you try mon0 instead of wlan0. The other good news is that varmacscan is also working now, for some weird reason. Thanks to you musket and marsrolled; if you need any help just message me or reply here and I'll try to help you!

Chunkingz
2016-06-28, 09:58
I've made another episode of my VMR series, showing you continuity; I received a lot of complaints from YouTube that the script doesn't continue, and some other issues.
Visit YouTube and search for "how to hack wps locked routers using vmr-mdk part 2".
Hope you enjoy it,
please like, share and subscribe.

machx
2016-06-28, 10:46
Hi Chunkingz,

Saw the video and thank you for your efforts.

Just wanted to ask you: you attacked an unlocked WPS router. How about routers which are already locked, when you do a wash scan and WPS locked shows as YES; can we still use VMR-MDK to crack it? I have routers which automatically lock after 5-6 failed WPS PIN tries. Please help! Thanks

machx
2016-06-29, 18:29
Hi All,

First of all thanks for this lovely script, but there are some concerns that I would like to point out.

I don't know if this is normal or not, because the attack is not successful.

Here are my observations:

So after running VMR-MDK-K2-2016R-011x9 script on my router TP Link WR740N

USB wireless adapter= TP Link WN722N
Kali Linux 2016 rolling
All updated

Here are the results

All settings as default with interface selected as Mon0


ATTEMPT 1
setting default as the script

reaver result:
p2 index set to 2
10002
90.95% complete

aireplay-ng reception test= association successful AID: 1


Client associated=yes
EAPOL Flood attack

wash WPS locked = NO

ATTEMPT 2

Reaver start/stop cycles remaining = 999
p1 index set to 3
pin count advanced 3
0.03% complete
WPS transaction failed code 0x0

aireplay-ng reception test: association successful AID: 1

Wash WPS locked= YES

client associated= yes

ATTEMPT 3

Reaver = Warning: receive timeout occurred, and continues
Sending EAPOL start request

aireplay-ng reception test= association successful AID: 1

Wash WPS locked= YES

client associated= yes

ATTEMPT 4

WPS transaction failed code 0x04
0.03% complete
sending EAPOL start request
trying PIN 1115670

aireplay-ng reception test= association successful AID: 1

client associated= yes, 2
MDK3 DOS 1 and 2 = client still responding with 1500 packets

Wash WPS locked=YES

ATTEMPT 5

Reaver start/stop cycles remaining = 996

Reaver:
Warning: receive timeout occurred, and continues
sending EAPOL start request (cycle continues)

aireplay-ng reception test= association successful AID: 1

Wash WPS locked= YES
WPS not found
2 clients still connected

Router stopped responding
default router page doesn't open up
Restarted the router finally

Please advise.

Thanks.

mmusket33
2016-06-30, 01:25
Reference the use of the VMR-MDK script.

1. VMR-MDK is only effective against a SMALL number of routers.

2. Users should read the help files before employing.

3. Procedures for testing for the flaw are outlined there.


Reference the attack outlined by machx

ATTEMPT 1

Reaver is running the default pin 12345670 attack

Attempt 2

Reaver starts the brute force attack against the WPS system. Status of WPS unclear, but pin count increased.

ATTEMPT 3 thru 5

Router appears partially locked

If the router provides more pins after resetting then this approach may work.

If the router stays locked and no more pins collected the VMR-MDK approach will not work.

Suggestion if VMR-MDK does not work

Test to see if the router automatically unlocks the WPS system after x number of seconds

From the command line(CL) run reaver

Make sure the -L is NOT in the CL.

Add the -l or --lock-delay to 100 "Set the time to wait if AP locks WPS pin attempt"

With a -l 100 reaver will attempt to collect pins every 100 seconds.

Run reaver and wait. If pin collection restarts just count the number of times reaver attempts to collect pins before pin count restarts.

For example, if reaver tries 10 times before the pin count restarted, then 100 times 10 = 1000 seconds.

Now set your -l to 1200 run reaver from the CL and sit back.

You can tweak the 1200 lower if the attack develops a pattern.


MTeams

machx
2016-06-30, 09:21
Thank you MTeam,

I was wishing that you could take a look at my post, and you did.

Thank you for your advice.

I have observed that the router TP-Link WR740N is not vulnerable against this script.

After the DOS attack 1 and 2 , the router stops responding to any devices.

Router page doesn't show up, You have to manually restart the router.

Even after restarting the router the PIN doesn't disable. You have to manually disable the PIn if you want to continue with the attack.

The question is: If I install the old script which is VMR-MDK011x8 for Kali 1.1.0, will it work better than the new script on Kali 2016 rolling.

I have heard that this script gives false results on most Kali 2016 rolling edition..

Please advise, MTeam.

Thank you.

mmusket33
2016-06-30, 14:00
Reference VMR-MDK011x8, this script cannot be run in kali2.0 and 2016

As for false results MTeams is unsure which program is providing false results. MTeams has never seen any problems with the latest version.

We do get a lot of commentary about pin counts, but this is because users do not read carefully about the retest pin feature. Furthermore, during setup many users input the wrong data, causing the program to fail. If you search YouTube for VMR-MDK you will find a new video that states VMR-MDK does not work because the user tested it against three routers. MTeams has no objection to the user stating the program was not effective against the routers attacked; however, during the setup the user input incorrect setup info.

VMR-MDK is an administrative script. It just runs various processes already installed, in robotic fashion. Most of the newer script's changes deal with avoiding network manager problems and handling differences in text output.

If you have info on false results please provide details. We use the script all the time with both 1.1 2.0 and 2016 and have seen no problems. Normally if the router locks we run up VMR-MDK and see if the flaw exists. If the attack collects pins we continue if not we try other tactics. VMR-MDK is just one small tool in the WPA Tool Box.

In closing we have heard the Network Manager problems are finally being addressed and will eventually filter down to users.

machx
2016-06-30, 14:38
Thank you for your advice.

Could you let me know the settings you are using from 1 - 22

I have tried to switch setting 22 to N,

Thank you M team.

With the settings that your team uses and has proven to be successful, we can try and test on our routers and tweak a bit to get the best out of it.

marsrolled
2016-07-01, 08:58
To mmusket33:
----Yep, I rest assured that I typed the number associated with the adapter I used. But after a few tests, I found out that the adapter I'm using is a weak packet capturer and sender, to the point that it barely sends packets; I think that's one big contributor to why I'm failing. I'm getting an adapter in a few weeks after I get my paycheck. I'd also consider whether it will work on the router I'm testing on and move on to the next if I'm failing. Also, how many wlan adapters do you suggest using on this particular tool? Thank you for replying, you're one good samaritan! We appreciate the tools you make! :o =)

To YssDiamond:
----Thanks bro, but isn't mon0 the ethernet wired connection though? Because I only have one wireless adapter, but anyway I'll give it a shot! And do you know the D-Link 605L router? Just wanna know if you encountered one, because that's the router I'm currently testing. Kinda sensitive, because it took only 5-7 attempts before it locked. And also, how many wlan adapters are you using?

mmusket33
2016-07-01, 11:56
To machx

Choosing 22 = n just removes the default pin recheck,

If 22 = y/Y then the program runs two concurrent reaver attacks. A brute force attack checking all 11,000 WPS pins and occasionally a separate check of pin 12345670.

It was found that some routers would reset their WPS system to 12345670 if subjected to constant DOS processes. If reaver had already checked this key at the very start of the attack, reaver would slowly check all the pins, climb to 99.99% and spin endlessly. If the attack was restarted, the WPS pin and WPA key would be found, and the key was always 12345670.

It was also found that routers which never responded to any attempts to obtain pins for days would suddenly dump their WPS pin and WPA key. The key was always 12345670, then they would go back to being inert.

To marsrolled

The script only supports one adapter. MTeams sees no reason to use two. We tried DDOS with one adapter and trying to collect pins with a second device but that never worked. We tried DDOS at the same time as running reaver with one adapter and to our surprise reaver could collect pins through the DDOS fog if the adapter conducted both operations. That approach probably needs to be looked at again.

MTeams

machx
2016-07-01, 13:51
To Mmusket33,

To be honest, Kali 2016 rolling is not great.

Because, the routers I could easily crack within seconds with Wifite with Kali 2.0 Sana.

Kali Rolling 2016, same version of Wifite R87, could not get the WPS PIN. Even after taking the router and the wireless adapter next to each other.

That's kind of funny, because I guess there is something wrong with Kali Rolling.

So I rolled back to Kali 2.0 Sana and Wifite cracks routers like a dream now.

I hope Kali 2.0 Sana is supported further over the years.

I'm updating Kali 2.0 Sana, and I heard lot of great success with this version of Kali.

I will use VMR-MDk on this version again and get back to you with updates.

Thank you Mteam for your support.

sohilmalvat
2016-07-18, 13:43
To machx

Choosing 22 = n just removes the default pin recheck,

If 22 = y/Y then the program runs two concurrent reaver attacks. A brute force attack checking all 11,000 WPS pins and occasionally a separate check of pin 12345670.

It was found that some routers would reset their WPS system to 12345670 if subjected to constant DOS processes. If reaver had already checked this key at the very start of the attack, reaver would slowly check all the pins, climb to 99.99% and spin endlessly. If the attack was restarted, the WPS pin and WPA key would be found, and the key was always 12345670.

It was also found that routers which never responded to any attempts to obtain pins for days would suddenly dump their WPS pin and WPA key. The key was always 12345670, then they would go back to being inert.

To marsrolled

The script only supports one adapter. MTeams sees no reason to use two. We tried DDOS with one adapter and trying to collect pins with a second device but that never worked. We tried DDOS at the same time as running reaver with one adapter and to our surprise reaver could collect pins through the DDOS fog if the adapter conducted both operations. That approach probably needs to be looked at again.

MTeams


I am not as pro as y'all guys, but I tried unlocking a router with the help of your script and it isn't trying a single pin. From the start of the program it says "AP RATE LIMITING".
I've tried all 15 MDK attacks but the router is still locked in wash, and reaver cannot brute force a single pin. Any suggestion? Please pardon me for my lack of knowledge in this field.

dmatrix
2016-07-21, 19:51
Hi mmusket33, I'm having a problem with ESSIDs containing special characters, e.g. ">>>LIDIO<<<" and "Arte&Papel". Is it possible to fix it? I tried to edit the script VMR-MDK-K2_2016R-011x9.sh but I did not find the line to correct. It does not create a log file in VARMACS_LOGS.
thanks.

mmusket33
2016-07-22, 12:05
To: sohilmalvat

The readme files note that the VMR-MDK approach only works with a small subset of routers. Suggest you consult the suggestions found in the readme on how to test for this vulnerability.

MTeams

l30n
2016-08-15, 05:22
Quick question, gentlemen and ladies: during the wash stage, I am getting bad FCS in the wash window. Would it be feasible to add the '--ignore-fcs' option to the wash line in the script? If not, how do you solve this dilemma? Thanks y'all

ytn1891
2016-08-15, 10:22
WPS transaction failed (code: 0x04) please help me !!!

1740

1toomany
2016-09-02, 15:59
I'm getting the exact same problem and I can't figure it out for the life of me. I've followed the steps both assuming that root is the home folder and root is ./ I first tried it running Kali Live USB with 2016.1r, and then I tried installing thinking it wasn't taking. Both of those failed, so I tried Kali Live USB 2.0 Sana, and that failed also, I'm at my wits end! The following are the responses I get no matter what I try:

bash: ./mdk3-v6/mdk3: No such file or directory

bash: /root/mdk3-v6/mdk3: No such file or directory

what am I doing wrong?

mmusket33
2016-09-03, 11:48
You should not try and run this program from a live usb. Either use a hard drive install or a persistent usb. Do not try and run a usb with luks encryption

Make sure you are using VMR-MDK-K2-2016R-011x9.sh not older versions

This program only works with a small number of routers. Read the help files and run the tests suggested. If the router shows the vulnerability then continue. If not try a different approach.

Suggest you run varmacscan constantly when the computer is idle.

MTeams

1toomany
2016-09-03, 23:34
You should not try and run this program from a live usb. Either use a hard drive install or a persistent usb. Do not try and run a usb with luks encryption

Make sure you are using VMR-MDK-K2-2016R-011x9.sh not older versions

This program only works with a small number of routers. Read the help files and run the tests suggested. If the router shows the vulnerability then continue. If not try a different approach.

Suggest you run varmacscan constantly when the computer is idle.

MTeams

I am running kali 2016.1 on a hard drive install and I'm using VMR-MDK-K2-2016R-011x9. I wish I could get far enough to use VMR-MDK-K2-2016R-011x9.sh but I can't even get /root/mdk3-v6/mdk3 to work. It keeps giving me the following error no matter what I try:

bash: /usr/local/sbin/mdk3: No such file or directory

Even though I'm looking right at it when I run a dir command...very strange.

1toomany
2016-09-04, 02:56
You should not try and run this program from a live usb. Either use a hard drive install or a persistent usb. Do not try and run a usb with luks encryption

Make sure you are using VMR-MDK-K2-2016R-011x9.sh not older versions

This program only works with a small number of routers. Read the help files and run the tests suggested. If the router shows the vulnerability then continue. If not try a different approach.

Suggest you run varmacscan constantly when the computer is idle.

MTeams

Never mind, I found out what was wrong... you need to be running the 32-bit version of Kali. The 64-bit version of Kali returns the "no file" error, even though it means it doesn't have the library to run 32-bit programs such as your mdk3. Thanks so much for your quick reply!
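The two symptoms in this thread, "cannot execute binary file: Exec format error" on the arm64 board and "No such file or directory" for a file that is plainly present on an amd64 install, are the two ways a kernel reacts to a 32-bit x86 ELF on a host of another architecture, which is what the replies above work out. The following is an added example, not code from the VMR-MDK package, that reads the ELF header of a binary such as the shipped mdk3 and predicts which message a given host will produce; make_stub writes constructed header-only files so the functions can be exercised without the real binary.

```shell
#!/bin/sh
# Added example (not part of VMR-MDK): inspect an ELF header and predict how the
# host kernel will react before running a prebuilt binary such as mdk3-v6/mdk3.
# Only the header fields needed for that decision are read.

# Print "<bits> <machine>" for an ELF file, e.g. "32 i386". Fails on non-ELF input.
elf_arch() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not an ELF file: $f" >&2; return 1; }
    class=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' \n')    # EI_DATA: 1 = little, 2 = big endian
    b0=$(od -An -tu1 -j18 -N1 "$f" | tr -d ' \n')     # e_machine: 16 bits at offset 18
    b1=$(od -An -tu1 -j19 -N1 "$f" | tr -d ' \n')
    if [ "$data" = 2 ]; then machine=$(( b0 * 256 + b1 )); else machine=$(( b1 * 256 + b0 )); fi
    case $class in 1) bits=32 ;; 2) bits=64 ;; *) bits=unknown ;; esac
    case $machine in
        3)   name=i386 ;;
        40)  name=arm ;;
        62)  name=x86_64 ;;
        183) name=aarch64 ;;
        *)   name="unknown-$machine" ;;
    esac
    echo "$bits $name"
}

# Classify a binary against a host machine type (uname -m style; defaults to this
# host). Prints one word and returns 0 only when the binary runs natively:
#   native             same architecture, runs as-is
#   needs-32bit-libs   32-bit build on a 64-bit host of the same family; it runs
#                      only if the 32-bit loader and libc are installed, otherwise
#                      bash reports "No such file or directory" for the file
#   exec-format-error  foreign architecture; the kernel refuses to run it
check_binary() {
    f=$1
    host=${2:-$(uname -m)}
    arch=$(elf_arch "$f") || return 2
    name=${arch#* }
    case "$host/$name" in
        x86_64/x86_64|aarch64/aarch64|i?86/i386|arm*/arm)
            echo native; return 0 ;;
        x86_64/i386|aarch64/arm)
            echo needs-32bit-libs; return 1 ;;
        *)
            echo exec-format-error; return 1 ;;
    esac
}

# Write a 64-byte stub carrying only the header fields inspected above
# (constructed sample for testing; it is not an executable program).
make_stub() {
    out=$1 class=$2 machine=$3          # machine < 256 for the values used here
    {
        printf '\177ELF'
        printf "\\$(printf %03o "$class")\\001\\001"  # EI_CLASS, little-endian, version 1
        dd if=/dev/zero bs=1 count=11 2>/dev/null    # bytes 7..17
        printf "\\$(printf %03o "$machine")"         # e_machine low byte at offset 18
        dd if=/dev/zero bs=1 count=45 2>/dev/null    # high byte and the rest of the header
    } > "$out"
}

# Stand-alone use: sh thisfile.sh /root/mdk3-v6/mdk3  (path from the thread)
if [ -n "$1" ]; then check_binary "$1"; fi
```

On a real install `file /root/mdk3-v6/mdk3` answers the same question interactively; the function exists so the check can be scripted before an install step runs.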

jakefromstatefarm
2016-09-07, 01:59
If I had only seen this thread 5 mins ago I wouldn't have just wiped my whole VM and started over. Thank you for pointing this out; I was at a complete loss for where mdk3 went.

mmusket33
2016-09-07, 11:44
Reference the modified mdk3 program that comes in the VMR-MDK download package. This mdk3 version does not replace any installed mdk3 program. The modified version is installed in root and the program only accesses the modified mdk3 in root if you select a DDOS process that calls for invalid essid. Hence if you cannot install the modified mdk3 program VMR-MDK will run fine. All that will occur is if you select an invalid ESSID DDOS process in the config file the Xterm window will not run the process. Just change the DDOS process in the config file to any other process thru leafpad or another text editor and continue.

Musket Teams

1stcowgirl
2016-09-08, 16:02
hi friends.
no config files?

jakefromstatefarm
2016-09-09, 23:11
I was wondering if anyone has run into this issue.

I can only run it through one cycle and then it dies and spits out this line:

usage: VMR-MDK-K2-2016R-011x9.sh <start|stop|check> <interface> [channel or frequency]

Everything else runs smoothly; just trying to get it to continue running has proven to be an issue.

I have chmod 'ed to 755
also manually killed _supplicant & network-manager

Any ideas?

Thanks again for writing this!

mmusket33
2016-09-10, 09:52
MTeams saw this occur during program construction. We had to slow the routines down so all commands between the wifi device and the computer could be completed successfully.

Are you using luks encryption or a usb cable connection to your wifi device longer than 5 meters? You are losing your connection to your wifi device. When the program tries to spoof the mac addresses etc. it cannot start your device.

Since you state the program runs successfully for one complete cycle, then it is probably not in your initial setup. However, make sure you select line numbers for your devices when asked; do not enter mon0 or wlan0mon etc. This is a common error.

MTeams

Pietje
2016-09-10, 15:40
I'm very grateful for the script. Nicely done. But I'm getting the same problem whatever I do. It keeps repeating the pin 12345670 on and on. WPS transaction failed (code 0x04). The script is running fine, and I set all the things as they should be, as the video shows. Injection is working, and I get a handshake. What am I doing wrong? I get the same problem running reaver on its own without this script. Please, can someone help me out?

mmusket33
2016-09-11, 10:37
To Pietje

You probably are doing nothing wrong. The router is simply not responding. You could try bully; try using AAnarchy's version, the link can be found in these forums. MTeams also suggests running varmacscan when your computer is not in use. Sometimes routers that do not respond to reaver pin requests suddenly begin functioning. Varmacscan will attack all WPS enabled routers within reception range.

Musket Teams

Pietje
2016-09-11, 11:59
Thanks for answering so quickly, I'm going to look into it asap. :)

bigfall
2016-09-24, 21:40
Hi everybody, my question is how to increase stage 2 to more than 90s.

Saraسئو
2016-09-25, 04:20
I have the same question too, please help us.

mmusket33
2016-09-25, 18:43
In the config file there is a selection to recheck pin 12345670 every x cycles. If you selected y/Y then the program at start will check that pin for 90 sec. On cycle two the program will start the brute force attack for the length of time set in the configfile. Read the help files for further information.

MTeams

NeoCore
2016-09-26, 11:27
From my testing, I am starting to get the feeling that when I change the MDKTYPE1 variable I tend to collect more pins. Is it possible that we can be more successful if we change the attack type on every cycle, or is it just me?

mmusket33
2016-09-27, 12:26
To NeoCore,

VMR-MDK was written from responses seen from WPS locked routers in real time. MTeams never tested a variable DDOS approach. Therefore if you have a target that responds to variable DDOS, please run some tests and find the sequence of DDOS that provides better results. MTeams will write a patch for you to allow the sequence(s) you require. If you find the sequence(s) work, an update to VMR-MDK will be published to allow this feature for community use.


Musket Teams

1stcowgirl
2016-09-27, 13:31
Musket Teams

Hi friends, and thank you for your help and patience.
Up till today I used the TL-WN722N and it did a very good job (a slow one... but good).
Today I had the ALFA AWUS036NH and it feels like it's not working properly.

I need help with VMR-MDK. When the WASH process starts I get the "ERROR FCS".
I found out that with the Alfa AWUS036NH I need to command it like this: wash -i mon --ignore-fcs or wash -i mon -C.

Since it is an auto script, what do I need to do to make it work?

thank you.

mmusket33
2016-09-28, 09:43
To 1stcowgirl

Here is your -C patch. You need to change two lines of code only.

Open the script with leafpad

Go to line number 5077

Ctrl+G and entering the line number will take you there.


You will find the following:

xterm -g 100x30-1+1 -T "Wash" -e "wash -i $MON 2>&1 | tee VARMAC_WASH/wash01.txt" &

Change the line by adding your -C

xterm -g 100x30-1+1 -T "Wash" -e "wash -i $MON -C 2>&1 | tee VARMAC_WASH/wash01.txt" &

Go to line 7901

You will find:

xterm -g 100x30-1+1 -T "Wash" -e "wash -i $MON 2>&1 | tee VARMAC_WASH/wash01.txt" &


Change the line by adding your -C

xterm -g 100x30-1+1 -T "Wash" -e "wash -i $MON -C 2>&1 | tee VARMAC_WASH/wash01.txt" &


Note there are similar lines of code with a # at the beginning. The # turns the line into a comment and the computer ignores it, so make sure you enter the -C in the right line and after the $MON.


Test your script


We will add this if we ever offer a update


Musket Teams

1stcowgirl
2016-09-29, 10:09
To 1stcowgirl

Here is your -C patch. You need to change two lines of code only

Test your script


We will add this if we ever offer a update


Musket Teams

Thank you very much!
Tested and it is working.
A big thank you.

balder0777
2016-10-25, 01:11
Using MTeams version, Kali 1.10 amd64, everything configured as Help file provided.

This is the situation: yesterday, reaver made 0.15%.
Today, and I'm talking about 9-10 hours of activity, the "progression" still remains at 0.15%, and this is the situation:

http://i59.tinypic.com/302vzua.png

Could anyone help me, or at least tell me why I've got this problem?
Thank you in advance, hoping for an answer.

Hello man, but how did you solve it?
I have the same problem, help me please.

mmusket33
2016-10-27, 11:49
In the last year MTeams has seen WPS locked routers when subjected to the VMR-MDK process which give up pins while locked for a period and then stop. The WPS locked status does not change. After a few days usually if the channel has changed the WPS locked router gives up more pins and then stops again.

Spoofing the mac address to an associated client seems to obtain more pins but this view is subjective. We also have only a few routers in our areas of operation which respond in this manner.

We think the router freezes as aireplay-ng -1 also stops obtaining any router response.

The DDOS process was only 15 to 20 sec. More than that just seems to lock the router completely.


Musket Teams

devilsadvocate
2016-11-22, 18:05
First of all, I am trying to configure this in Kali 2016.2. I didn't have any issues in 2016.1.

When trying to run "make" under /root/mdk3-v6/, I get the following error:

make -C osdep
make[1]: Entering directory '/root/mdk3-v6/osdep'
Building for Linux
make[2]: Entering directory '/root/mdk3-v6/osdep'
make[2]: 'os.Linux' is up to date.
make[2]: Leaving directory '/root/mdk3-v6/osdep'
make[1]: Leaving directory '/root/mdk3-v6/osdep'
cc -g -03 -w mdk3.c osdep/libosdep.a -o mdk3 -Losdep -losdep -lpthread
/usr/bin/ld: skipping incompatible osdep/libosdep.a when searching for -losdep
/usr/bin/ld: cannot find -losdep
collect2: error: ld returned exit 1 status
Makefile:22: recipe for target 'mdk3' failed
make: *** [mdk3] Error 1

Is there a fix?

mmusket33
2016-11-23, 04:39
To devilsadvocate

MTeams is sorry for the delay in answering however we had to reload a 2016R2 onto a HardDrive(HD) to see if the mdk3 version would install.

In a i386 HD install of 2016R2 we copied the mdk3-v6 folder to root

Then did the following commands

root@localhost:~# cd mdk3-v6

root@localhost:~/mdk3-v6# make

root@localhost:~/mdk3-v6# make install

root@localhost:~/mdk3-v6# mdk3

And the program ran fine


You probably do not have to do the make install, as VMR-MDK runs the program from root, so you can keep any newer version of mdk3 on your computer and only run the Musket version from the folder in root if you want to run the -t probe request from the command line or with VMR-MDK. See the VMR-MDK help files that come with the download.

We see comments in this thread that this mdk3 version may not run in some kali linux versions. However for i386 it runs fine.

In closing remember the VMR-MDK process only works on a small number of routers. The help files tell you how to test for the vulnerability.

Musket Teams

devilsadvocate
2016-11-27, 04:02
Confirmed. Thanks.

I have to boot into the i386 version in order to compile. This seems to be an issue to take up with whoever maintains mdk3.
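
An added check for the build failure quoted above; this is editor-supplied example code, not part of the mdk3-v6 package or the Musket scripts. ld prints "skipping incompatible ... when searching for -losdep" when the objects inside the static archive were built for a different word size than the link target, and the "'os.Linux' is up to date" line shows make did not rebuild osdep. The likely cause on the amd64 install (an assumption, not stated in the thread) is a prebuilt 32-bit osdep/libosdep.a shipped in the folder. The script below reads the ELF class of the first object inside an ar archive and compares it with the host, so such a leftover can be found and deleted before running make. The archive it builds at the bottom is a constructed sample with a fake 32-bit object stub.

```sh
#!/bin/sh
# Added example, not from the mdk3-v6 package: detect a 32/64-bit mismatch
# between a static archive (e.g. osdep/libosdep.a) and the host before linking.

# Print the ELF class ("32" or "64") of the bytes at offset $2 in file $1,
# or nothing if those bytes are not an ELF header.
elf_class_at() {
    magic=$(dd if="$1" bs=1 skip="$2" count=5 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c4601) echo 32 ;;   # \177ELF followed by EI_CLASS=1
        7f454c4602) echo 64 ;;   # \177ELF followed by EI_CLASS=2
        *) echo "" ;;
    esac
}

# Walk an "ar" archive (8-byte magic, then 60-byte member headers) and print
# the ELF class of the first member that is an object file. The symbol-table
# members "/" and "//" are skipped automatically because they are not ELF.
ar_first_elf_class() {
    archive=$1
    total=$(wc -c < "$archive" | tr -d ' ')
    off=8
    while [ "$off" -lt "$total" ]; do
        # the decimal member size lives in bytes 48..57 of the header
        msize=$(dd if="$archive" bs=1 skip=$((off + 48)) count=10 2>/dev/null | tr -d ' ')
        case $msize in ''|*[!0-9]*) return 1 ;; esac
        class=$(elf_class_at "$archive" $((off + 60)))
        if [ -n "$class" ]; then
            echo "$class"
            return 0
        fi
        off=$((off + 60 + msize + msize % 2))   # member data is 2-byte aligned
    done
    return 1
}

# "ok" if the archive's objects match the host class, "rebuild" otherwise.
# $2 is the host class: 64 for x86_64/amd64, 32 for i386 and friends.
check_archive() {
    class=$(ar_first_elf_class "$1") || { echo unreadable; return 1; }
    if [ "$class" = "$2" ]; then echo ok; else echo rebuild; fi
}

host_class() {
    case $(uname -m) in
        x86_64|aarch64) echo 64 ;;
        *) echo 32 ;;
    esac
}

# --- constructed sample: an archive holding one 32-bit ELF object stub -------
SAMPLE=$(mktemp)
{
    printf '!<arch>\n'
    printf '%-16s%-12s%-6s%-6s%-8s%-10s`\n' "/" 0 0 0 0 4          # symbol table, 4 bytes
    dd if=/dev/zero bs=1 count=4 2>/dev/null
    printf '%-16s%-12s%-6s%-6s%-8s%-10s`\n' "mdk3.o/" 0 0 0 644 64  # object, 64 bytes
    printf '\177ELF\001'                                           # EI_CLASS=1 -> 32-bit
    dd if=/dev/zero bs=1 count=59 2>/dev/null
} > "$SAMPLE"

echo "sample archive objects: $(ar_first_elf_class "$SAMPLE")-bit, host: $(host_class)-bit"
echo "verdict: $(check_archive "$SAMPLE" "$(host_class)")"
# real use: check_archive /root/mdk3-v6/osdep/libosdep.a "$(host_class)"
# "rebuild" means: rm osdep/libosdep.a, then run make again so osdep is rebuilt.
```

If the verdict is "rebuild", removing the stale archive and re-running make forces the osdep step to compile for the running architecture; if the sources themselves will not build on amd64, that remains the upstream mdk3 issue devilsadvocate points at.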

balder0777
2016-11-28, 22:35
Hi, I tried the script but it stays on pin 99985677 or 90.90% and does not advance. What does it mean?

5amar1
2017-02-10, 05:43
Got everything set up. for some reason it's not writing the config file in the VARMAC_CONFIG folder. When i get to the step to select the config file, it doesnt show me an option to select. And I opened the folder to check and its empty. Any ideas on what I did wrong? Thanks guys for all you do

5amar1
2017-02-12, 04:51
Got it figured out. I didn't realize that vmr-mdk-k2-011x9.sh needed to be directly in root. I was running it out of the folder it was in.

blackcat201
2017-06-22, 09:10
Move the config folder to the root directory, then try again.

dmatrix
2017-06-24, 15:18
Please Mmusket33, the new version of Kali comes with reaver version 1.6b and the -a option no longer exists, so it no longer works with VMR-MDK-K2_011x8.
Should I change to the old version?
There is a small error on line 6071 of VMR-MDK-K2_011x8 where it has "sleep .1"; I think it should be without the point.
I had to change lines 5224 and 5279, where it has "xargs", to "xargs -0"; it was giving an error with some BSSIDs.

mmusket33
2017-06-27, 10:45
To dmatrix

First thankyou for your comments

There is a newer version VMR-MDK-K2-2016R-011x9.zip The github link is at the beginning of this thread. We will be happy to correct any errors you find in the newer version and we have loaded your commentary into our bug file for checking.

For your own use you might edit all the reaver command lines embedded in xterm. Just make a copy of the file, remove all the -a entries, save and test.



Again Thanx

Musket Teams

bigbiz
2017-06-27, 11:04
More bars from the router would help.

mmusket33
2017-06-27, 11:10
To bigbiz

MTeams is not sure what you require here?

Musket Teams

EASD
2017-06-28, 02:51
I tried to use VMR-MDK on Kali 2017 (kali-linux-2017.1-amd64.iso) (on VMware).
I am using an external wifi card; all programs are OK (fluxion is OK too).
I used VMR-MDK-K2-2016R-011x9 in this sequence:
1. assume it is in the root folder
2. chmod +x VMR-MDK-K2-2016R-011x9
3. ./VMR-MDK-K2-2016R-011x9
and the program runs.
I followed the steps, but after the program is running it only does stage 1 (Just scan AP Activity) 10 times
and gives me "wps pin not found" and then needs to restart
(image from output --imgur.com/a/RRy3j--)
What did I do wrong? Please help.

mmusket33
2017-06-28, 13:14
To all users of varmacscan and VMR-MDK. The newer reaver, version 1.6b, has removed the -a entry from the menu. This has caused several problems. Reaver will no longer restart automatically and requires a keyboard entry. MTeams is currently coding around this problem and will issue a REAVER 1.6B version when coding and tests are completed. Simply removing the -a from the reaver command lines will not solve the problem. Furthermore the new wash has removed the -C entry (ignore FCS errors). Older versions continue to function.

Musket Teams

mmusket33
2017-06-28, 13:19
To EASD
MTeams does not support amd64 or VMware as we cannot test. However, it looks to us that there simply was no target seen, as the scan went through the 10 cycles.

EASD
2017-06-29, 00:16
Thanks for your answer.
OK, I will test it outside VMware,
but please let me say what I did:
1-2557
2-2558
3-2559
4-2560
5-2561
6-2569
7-2563
8-2564
9-2565
10-2566
11-2570
The "reaver" window just showed for less than a second, then disappeared.
12-2571
13-2568
Thanks for your time.
Please tell me what I did wrong, or whether it just does not work in VMware.
Thanks again.

dmatrix
2017-06-29, 01:52
I was already using this version, VMR-MDK-K2-2016R-011x9. Sorry, I copied the title of the topic and did not notice the error.
Before posting I had already removed the -a, without success. The changes mentioned refer to the latest script, VMR-MDK-K2-2016R-011x9.
Thanks

mmusket33
2017-06-30, 12:44
To dmatrix

MTeams has coded around the problems and is testing in varmacscan. When we release varmacscan for kali 2017 then a rewrite of VMR-MDK will immediately follow.

Musket Teams

dmatrix
2017-07-03, 02:37
I made the change in the reaver lines: where it had "-a" I replaced it with "--session=/etc/reaver/$MACSTRIP.wpc". I only changed that same line; it did not have the "--session" option defined.

mmusket33
2017-07-04, 05:16
We are releasing varmacscan-K1-2-2017-6-1.sh and are starting on VMR-MDK.

Musket Teams

mstrmnn
2017-07-04, 17:23
^^ I just have to say how much I appreciate your constant efforts and your generosity to share your results. Thanks man, you are fantastic!

mmusket33
2017-07-06, 01:00
Musket Teams have released VMR-MDK-K2-2017R-012x2 for Kali 2,2016,2017 and all versions of reaver

The aireplay-ng fake auth has been made regenerative.
Several bugs have been corrected, some thanks to dmatrix.
Comments requested by kcdtv have been added.
Script tested in both persistent usb installs and harddrive installs for reaver 1.52 and 1.53 and kali 2016 and 2017 using i386.
Expect the mac changing routines to be slowed. This is to support wifi receivers at the end of five(5) meter extension cables which is the max length allowed.
We do not support VM Ware and amd or persistent usb installs using luks encryption as we cannot test.

You can download at:

https://github.com/musket33/VMR-MDK-Kali2-Kali2016/blob/master/VMR-MDK-K2-2017R-012x2.zip

or

http://www.datafilehost.com/d/76c80a9d

Musket Teams

mmusket33
2017-07-06, 01:28
To EASD
We have looked through your jpg images. It looks to us that you are doing nothing wrong. The program looks for a response from the TargetAP. The network you selected simply is not responding to reaver. Try another network, or if you see another client associated to the target, enter that client's mac address through the config file, i.e. spoof the mac, and try again. This would check for mac blocking set up in the router firmware.

MTeams

mmusket33
2017-09-03, 06:40
How to use varmacscan to determine if a WPS locked router ??MAY?? be susceptible to VMR-MDK

Currently MTeams is writing a module within varmacscan to alert the user if a network may be susceptible to VMR-MDK. Until this rewrite is available, users can employ the following manual method to determine if a WPS locked network ??may?? allow slow but consistent WPS pin harvesting through the VMR-MDK process.

For reference, MTeams found that some routers, although showing a WPS locked state, still gave up a limited number of WPS pins and then stopped. It was later found that some of these networks, when exposed to a short intense DDOS process, would then allow another cycle of WPS pins to be harvested. Networks then may show one(1) of three(3) possible states when their WPS system is locked.

1. No WPS pins can be collected
2. Limited pins are collected but pin harvesting then permanently stops
3. Limited pins are collected, then pin harvesting stops, but when subjected to DDOS more pins can be collected.

VMR-MDK was then written to take advantage of this network response.

Using VMR-MDK to determine if a WPS locked network is susceptible can be done, but the user must point VMR-MDK at the network to see if pins can slowly be collected. As each network must be individually attacked, testing each WPS locked network can take some time. Varmacscan however is robotic in nature and scans all networks within range of the wifi receiver. It also writes a logfile.

All log files can be quickly checked for pin harvesting through the following command line in a terminal window (TW)

grep -l "Pin count advanced:" /root/VARMAC_LOGS/*

If you wish to write the list to a file called pincollection in /root/ then:

grep -l "Pin count advanced:" /root/VARMAC_LOGS/* > /root/pincollection

If the network's WPS system is always open you can focus a reaver attack through the command line.

If the network's WPS system is locked, or open then locked, you can use VMR-MDK to test for this vulnerability

Musket Teams
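
A worked version of the log check from the post above, added here as an editor example and not code from the varmacscan or VMR-MDK package. grep -l only says which logs contain the marker; the functions below also count how many "Pin count advanced:" lines each log has and sort the logs by that count, which is what you want when triaging many WPS locked networks at once. The log directory and the marker string are taken from the post; the sample log contents, the file names and the classification labels are constructed for the example and are not real varmacscan output.

```sh
#!/bin/sh
# Added example, not from the varmacscan/VMR-MDK package: summarise WPS pin
# harvesting per varmacscan log so WPS locked targets can be triaged.
# /root/VARMAC_LOGS and the "Pin count advanced:" marker come from the post;
# everything else here is an assumption.

# Number of "Pin count advanced:" lines in one log (0 if none or unreadable).
pin_advances() {
    n=$(grep -c "Pin count advanced:" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Crude triage of a single log:
#   none       - no pins were ever collected (state 1 in the post)
#   harvesting - pins were collected (state 2 or 3; only re-running the
#                target after the DDOS cycle tells those two apart)
classify_log() {
    if [ "$(pin_advances "$1")" -gt 0 ]; then echo harvesting; else echo none; fi
}

# One line per log, "<count> <filename>", most productive log first.
pin_report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(pin_advances "$f")" "$(basename "$f")"
    done | sort -rn
}

# --- constructed sample logs (not real varmacscan output) --------------------
LOGDIR=$(mktemp -d)
cat > "$LOGDIR/AA-BB-CC-11-22-33.txt" <<'EOF'
[+] Waiting for beacon from AA:BB:CC:11:22:33
[!] WARNING: Detected AP rate limiting, waiting before re-checking
Pin count advanced: 12345670
Pin count advanced: 12345678
[!] WARNING: Detected AP rate limiting, waiting before re-checking
EOF
cat > "$LOGDIR/AA-BB-CC-44-55-66.txt" <<'EOF'
[+] Waiting for beacon from AA:BB:CC:44:55:66
[!] WARNING: Detected AP rate limiting, waiting before re-checking
EOF

pin_report "$LOGDIR"
# real use: pin_report /root/VARMAC_LOGS | awk '$1 > 0' > /root/pincollection
```

Logs that appear with a count of 0 correspond to the first state in the post; a non-zero count only tells you pins were obtained at some point, so the locked target still has to be pointed at VMR-MDK to see whether the DDOS cycle makes it give up more.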

PinCracker
2017-09-08, 23:00
For some reason (probably because I use the t6x fork not the official one in Kali) reaver is not recognized.
Therefore everything is pretty meaningless.
I'm running Kali rolling 4.12.0 but this was the case since I first downloaded the script (4.8.0) so I don't think it's Kali related.
Any advice what should I correct in the script?

mmusket33
2017-09-10, 10:47
To PinCracker

The problem is probably the reaver version. Just download the latest VMR-MDK and the problem should be corrected.
You can download at:

https://github.com/musket33/VMR-MDK-...017R-012x2.zip

or

http://www.datafilehost.com/d/76c80a9d

If your problem still remains, give us some details, but this newer version works for us. You can read through this thread to find the technical details; other bugs are also corrected in this newer release.



Musket Teams

bigbiz
2017-09-12, 11:15
Will these programs work on 64 bit kali install?

mmusket33
2017-09-12, 12:56
To bigbiz

The only program that may not run is the mdk3 program in the zip file. That mdk3 version supports invalid essid and that version is only used when running that DDOS attack. All other mdk3 attacks call up the version in kali. Even if you try and run that version of mdk3 all that occurs is the Xterm window for that attack will not run.

Musket Teams

dmatrix
2017-09-18, 18:09
mmusket33, so for a better VMR attack should we install Kali 32-bit?

Dubbie
2017-09-19, 20:54
I have tried to brute force the WPS pin against locked routers. The only thing working against several routers is the "mdk3 a -a (bssid) m" command. The router resets and I can get pins again. If it can be put in an auto loop with a script it will get the pin even though it locks. Tried revdk3; if this script had the command it would work perfectly...

mmusket33
2017-09-20, 13:31
To Dubbie

VMR-MDK should work fine for you here. Just select the mdk3 type you require and the length of time you want to run reaver and DDOS the target among other things.

Musket Teams

Dubbie
2017-09-21, 19:58
If you brute force this way it continuously resets the router, so the user loses his internet connection and it is a matter of time before the user contacts the ISP. So my thought on this is that in general most people sleep at night, and if you could set the time at which the brute force and resetting starts and ends it would work a lot better.

Greetings

bigbiz
2017-09-22, 07:41
If I use apt-get install what is the command name? Please.

mstrmnn
2017-09-22, 13:18
@bigbiz

Read the instructions (https://forums.kali.org/showthread.php?27264-VMR-MDK-K2-011x8-sh-for-Kali2-0&p=49867&viewfull=1#post49867). mmusket33 explains everything very well!

mmusket33
2017-11-27, 12:01
Due to text output changes in Reaver version 1.63, pixiedust pin extraction modules in VMR-MDK-K2-2017R-012x2.sh and PDDSA-K2-06.sh will no longer function. The code is being corrected and new versions supporting the latest will be posted after testing.

Musket Teams

frisbee865
2017-12-26, 17:41
Heh. Got through all the install and found this post. Just a quick thanks for the time and effort your bunch puts in. Waiting patiently on this end... :cool:

mmusket33
2018-01-03, 11:32
VMR-MDK and varmacscan will run using reaver 1.63; however, only the automatic pixiedust pin extraction module will not function. You can run reaver from the command line, collect a data sequence and test for the pin manually until the rewrite is finished.

Musket Teams

ch1nczyk
2018-01-08, 22:17
Hi Team Musket,

Awesome work with the script - may I ask for a little help on the issue I am currently experiencing with 64 bit Kali 2017.3.

Every time I run the script (VMR-MDK-K2-2017R-012x2.sh), I get to the config selection screen, yet no options are visible (empty list):

2898

I have changed the attribute for the entire VMR-MDK-Kali2-Kali2016 folder (chmod 755, as in the manual) and I see 3 VARMAC folders created in the main folder (VARMAC_CONFIG, VARMAC_LOGS, VARMAC_WASH).

What could be the issue here & how do I fix it so that the config created by VMR-MDK is created inside the VARMAC_CONFIG file? It is not possible to proceed further without the config file, as the parameter values are not loaded / show empty fields.

Appreciate any help here

mmusket33
2018-01-09, 10:27
TO: ch1nczyk

You state

"I have changed the attribute for the entire VMR-MDK-Kali2-Kali2016 folder"

Do not run from the folder - run the script from root?

./VMR-MDK-K2-2017R-012x2.sh

We cannot check if it is a 64 bit problem as we have no 64 bit computers.

MTeams has just finished updating and testing the pixiedust modules in varmacscan and should post that within a day or two. As we speak we are beginning the same work on VMR-MDK. If we find a problem we will post here. Furthermore we should have the VMR-MDK script supporting reaver v1.63 within a week or two.

We tested the script in a persistent usb install of kali-linux-2017.3-i386 and there was no issue.

There is a copy of the config file in the package. You could just place that file in the VARMAC_CONFIG folder then update or change the entries with a text editor. You can name as required and select the file at the prompt.

Please keep us advised

MTeams

ch1nczyk
2018-01-09, 20:44
Thank you Team, I managed to solve the issue thanks to your post.

The problem was that I was running the script from a folder rather than directly from root. When executed from root, the VARMAC folders were created, and the config file too.

Now, after playing with the script for a while, I have a question whether it would be possible to include the -N (or --no-nacks) option in the config file? There are certain routers (including mine) that will not progress in Reaver without this option. As soon as it is enabled, Reaver manages to test PINs.

Could you please include it in the next release of VMR-MDK or instruct me how can I add it myself?

Thank you in advance!

bigbiz
2018-01-09, 22:07
With reaver no longer being maintained or updated, do you maintain this program too? Also I am having trouble loading the program even when downloaded with Firefox in Linux; I get no programs. In my opinion Reaver was the best of the wireless hacking programs.

mmusket33
2018-01-10, 11:29
TO: ch1nczyk

The reaver -N is already found in ALL the reaver command lines


To Bigbiz

MTeams does not maintain reaver. We are unsure who is working with the program. As far as downloading reaver, it is found in the current kali-linux distro, and in our areas of operation the viability of the reaver/pixiedust combination is increasing. Our best success is running varmacscan constantly. Routers can go through short periods of vulnerability, especially when reset or switched on. As varmacscan is robotic it can collect the WPS pin, then sit and wait till the router is vulnerable again and then collect the WPA key, all without input from the user.


Musket Teams

gaucho
2018-01-11, 16:32
I am getting the following error:

How many times do you want the program to cycle thru the targetAP? (COUNT)

!!!!Enter a number less then 100,000!!!!
10,000
./VMR-MDK-K2-2017R-012x2.sh: line 6055: [: 10,000: integer expression expected

You entered 10,000 type (y/Y) to confirm or (n/N) to try again.
y
./VMR-MDK-K2-2017R-012x2.sh: line 6183: [: 10,000: integer expression expected
loops completed



then the program just quits.

mmusket33
2018-01-12, 03:01
To: gaucho

Just enter the number without the comma. Try 1000 or 10000 etc.

Musket Teams
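
The error gaucho hit is the shell's "[" test rejecting "10,000" as a non-integer, after which the script falls through and ends. As an added example (editor-supplied, not code from VMR-MDK), here is the kind of input check that stops a COUNT prompt from doing that: digits only, within the 1 to 99999 range the prompt announces, and a re-prompt on anything else. The prompt wording is copied from gaucho's output; the function names and the simulated answers at the bottom are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from VMR-MDK: validate the COUNT answer before it
# reaches a "[ ... ]" integer comparison, so "10,000" is re-asked instead of
# producing "integer expression expected" and ending the run.

# True only for a plain decimal number from 1 to 99999 (no commas, spaces or
# signs). The length check keeps very long digit strings away from "[ -ge ]".
valid_count() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;   # empty, or any non-digit such as a comma
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 99999 ]
}

# Prompt until the answer is valid. Prompts go to stderr so that the clean
# value is the only thing on stdout; that also lets the answers come from a
# pipe, as in the simulated session below.
ask_count() {
    while :; do
        printf 'How many times do you want the program to cycle thru the targetAP? (COUNT)\n' >&2
        printf 'Enter a whole number below 100000, digits only: ' >&2
        read -r answer || return 1          # EOF: give up rather than loop forever
        if valid_count "$answer"; then
            echo "$answer"
            return 0
        fi
        printf 'Invalid entry "%s": use digits only, e.g. 10000 not 10,000\n' "$answer" >&2
    done
}

# Simulated session (constructed): first answer is rejected, second accepted.
# In the script itself this would be:  COUNT=$(ask_count) || exit 1
COUNT=$(printf '10,000\n1000\n' | ask_count) && echo "accepted COUNT=$COUNT"
```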

mmusket33
2018-01-12, 03:02
VMR-MDK-K2-2017R-012x4.zip package has been posted for community use.

Supports kali-linux 2.0 thru 2017.3

Supports text output from reaver v1.52 and v1.63 for pixiewps

A new PDDSA for reaver v1.63 is found within the package along with the older version

You can download at:

https://github.com/musket33/VMR-MDK-Kali2-Kali2016

Select VMR-MDK-K2-2017R-012x4.zip from versions available

or

https://www.datafilehost.com/d/6a49f214


Musket Teams

gaucho
2018-01-12, 12:42
Hello, now it works. But after 2 successful pin tries I get "wps transaction failed (0x02)" and it stays so for a couple of tries... then the program resets... sometimes it successfully gets 2 more pin tries, then the same happens... the problem is that it seems to reset the pin count to 0 on each reset... so it will never try all the pins... so there are these 2 problems, wps transactions failing and the pin list resetting.

bigbiz
2018-03-01, 03:04
My mac reads a lot of weird icons (says faceface) in the airodump-ng association column. But like @gaucho says, not many more pins. But I like it!!

dmatrix
2018-04-21, 02:20
Hi Musket, first time I see the PIN shown with digits missing, with an underline.
It started showing the 8 and now it is like this. Why did it find the 3?
Also I no longer see the percentage as in the old versions of Reaver.



Reaver v1.6.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

[+] Switching mon0 to channel 1
[+] Restored previous session
[+] Waiting for beacon from xx:xx:xx:6F:9B:92
[+] Received beacon from xx:xx:xx:6F:9B:92
[+] Vendor: AtherosC
WPS: A new PIN configured (timeout=0)
WPS: UUID - hexdump(len=16): [NULL]
WPS: PIN - hexdump_ascii(len=8):
33 36 32 30 0a 37 00 00 3620_7__
WPS: Selected registrar information changed
WPS: Internal Registrar selected (pbc=0)
WPS: sel_reg_union
WPS: set_ie
WPS: cb_set_sel_reg
WPS: Enter wps_cg_set_sel_reg
WPS: Leave wps_cg_set_sel_reg early
WPS: return from wps_selected_registrar_changed
[+] Trying pin "3620

dmatrix
2018-04-22, 13:04

Even after restoring the PINs in the mac.wpc file, the underline continued.
So I started by deleting the .wpc file and then changing it to the PIN before the problem. I think at some point in the processing it corrupted something.
Now it is continuing normally without any underline.
I do not know if, had I let the underlined run continue, it would have shown the PSK.
After completing the procedure, I will put back the corrupted .wpc to find out.

DorothyDaugherty
2018-11-09, 04:02
ok, still cant get the Mdk3-v6 folder, and the configfileddetailed for reference only,
and I remember I accessed my 192.168.1.1 admin login (https://19216811.app/) and can't change my settings.


and i get some article in this site. https://19216811.app/best-wireless-routers

dmatrix
2018-12-06, 17:41
I have problems with wifi networks that have a space in the name. In the VMR script, at the point of attack, MDKLIVE does not run for more than 3 seconds. I could not find where in the script it goes wrong.

dmatrix
2019-04-12, 11:41
new version of Mdk4 in Kali
I'll test at VMR

danial1369
2019-05-08, 09:17
Hello, is VMR-MDK-K2-2017R-012x4.zip working on Kali 2017.3 64-bit?