Varmacscan2-0 an automatic multi-target reaver attack tool released

2015-11-26, 12:25
Varmacscan supporting Kali 1.10a, 2 and Kali 2016.1 R is released for community use.

Program supports options to not kill Network-Manager Functions on other devices when running varmacscan.

Several text output bugs when a WPA key was found were corrected.

Differences between the three(3) different Operating Systems were incorporated into one package.

Version 3-3 updated from 3-1

Routines when attacking specific router models have been rewritten.

You can download here thru kali or at



The following script was originally designed to be used against a specific model of router which locked its WPS system after 10 pin requests. These routers were also NOT susceptible to any of the DDOS attacks available thru VMR-MDK series nor were they vulnerable to pixiedust. A few were cracked when the WPS pin reset to 12345670 and the WPS system was open. But in general reaver was not the tool of choice. To crack these routers the only methods remaining were either brute forcing a WPA handshake or social engineering approaches like WPA Phishing.

MTeams areas of operation are surrounded by this model of router. In short our areas are rich in these targets. After studying the WPA locking and unlocking a different approach was conceived. If a program could constantly search the area of reception and automatically attack any routers which had unlocked, then a small number of WPS pins could slowly be collected from a large number of routers and in time, the WPA key could be extracted.

This program was not originally considered for a MTeams release until a surprising side effect occurred. The program began cracking other models that either were resistant to previous reaver attacks or routers that we did not even know existed. This success is not because of any special reaver command line. It is simply that the program is constantly searching and then attacking all WPS enabled routers found for short periods of time automatically gathering data and moving to the next target endlessly.

Varmacscan2-0 is a totally automatic fire and forget script. Once running, the script will search for any WPS enabled networks within reception range and then attack each in turn. Both search and attack times are set by the user. No specific targets are selected. After each router is subjected to reaver, any data acquired is searched for a viable pixiedust data sequence. If a sequence is found and the WPS pin extracted, it is loaded into reaver which reattacks the router using the pin number in the reaver command line. During both search and attack modes, aircrack-ng is run in the background collecting ESSIDPROBES. If a WPA key is obtained the program will skip the target in future attacks. Once all networks seen have been attacked the program rescans for targets and then attacks all seen again. This process will continue for as long as the user requires; no user input is needed.

When you have exhausted attacks against stationary unlocked WPS enabled Networks thru the command line, and/or tested VMR-MDK against all WPS locked routers, run this program up and go to bed and see what tomorrow brings.

Happy Hunting

Musket Teams

2015-11-26, 13:02
Thanks for your R&D and sharing with the rest of us!

Does this replace that https://forums.kali.org/showthread.php?27264-VMR-MDK-K2-011x8-sh-for-Kali2-0 or am I confused again?

2015-11-26, 15:33
GitHub GitHub GitHub!

2015-11-26, 19:55
To Quest

This script does not employ DDOS processes like VMR-MDK, and is not specifically designed to break thru WPS locking. No targets are loaded; the program seeks them automatically and collects pins if possible.


2015-11-27, 15:26
Works for me. Started it before bed and got 5 different correct pins when I woke up. I already knew those were working with pixie, but anyway :) BUT!! Got no WPA key in any of them. It was just empty on the line after WPA in the text file.

Edit: Maybe it has something to do with my new laptop.
Installed kali yesterday.
Got a warning that my disk space was low and saw that the program complained about that.
I have only a 24gb ssd in that laptop and the swapfile takes 13gb of that. How much swapfile is recommended for kali?

2015-11-27, 19:20
Seems to work here too, but with same no wpa key problem related by squash


WPS Pin: = '12345670'
WPA Key: =

Note WPA Key is found between the two(2) tick symbols

2015-11-28, 12:32
To brunoaduarte squash

Thanks for the test.

We ran the program against known routers and it gave us the key. Go into the log file in VARMAC_LOGS and see if the key is listed. As you have the pin run it from the command line and see if it gives you the key.

We are interested in the text output found in the reaver log file in VARMAC_LOGS. It is possible your OS or version gives a different output. We use awk to extract the data from the log or reaver output and dump it on the screen. If we know what your output is we will code it in for you.

Look back here in 24 hours. We have version 2-2, which gives you more control over the ESSIDPROBE module, but we will delay release and run some tests and see if we can induce this error.


2015-11-29, 16:46
newbie here, be kind:
Only data collected in essidprobesdic.txt & essidprobes8dic.txt.
Clean data patterns never seen before forming. Can this data be reused each session or clean start each time?
Using Kali2.0 live usb.
Is "Found packet with bad FCS, skipping..." slowing down the process?

2015-11-29, 17:56
Hi mmusket33,

I'm running my tests on Kali v2.0 Live USB with Persistence (BCM4311 wifi chipset).

Here are the contents from both VARMAC_LOGS and VARMAC_WPSWPA folders:

(Couldn't paste text here cause it gives me some weird cloud proxy errors)


2015-11-30, 00:09

Nice Script !

Can you give the script an option to do the association with Aireplay instead of Reaver?
The association with Aireplay often works better than using Reaver.

In Reaver there is the flag -A

Then there's the problem with hidden SSIDs.
Current SSID (null)
These should be automatically excluded, as they otherwise cost unnecessary time.

2015-11-30, 06:02
To brunoaduarte

Thanks again for your input

MTeams has been running tests on version 2-4 with three(3) computers running both kali 2.0 and 1.10a in both harddrive and persistent usb installs. In only one(1) case did reaver not get the WPA key. We think the problem is with output from tee.

We are considering dumping xterm and trying Eterm as it is now available thru kali.

To Laserman75

MTeams has never tried association thru aireplay-ng. What a nice idea. As you have reported it works better, we will give it a try and add for you a module allowing an association choice in the dropdown menus. However we do run aireplay-ng -1 a lot with VMR-MDK without the -A in the reaver command line because there is no way to keep aireplay-ng functioning if it does not get a response, which would in turn kill reaver function. Please comment on this point.

We are aware of the hidden ssid matter as this option was coded into VMR-MDK at users request. However varmacscan is really just a scanner - and uses the bssid not the essid so if wash then gives the name as (null) the program would use that as the essid. We cannot test this as we have no hidden essid targets. If you have such please test this.


2015-11-30, 13:50
Ok mmusket33, it seems to happen more often here, i've got 6 pins and no WPA.

I thought the problem would be the same as the one related in this link: https://code.google.com/p/reaver-wps/issues/detail?id=203 (Issue 203: Reaver finds PIN but not passphrase)

So i tried to use "bully" to crack the WPA and it worked !

"bully -b XX:XX:XX:XX:XX:XX -c 3 -B -v 2 -p 20863463"

Maybe another solution, would be to auto run bully instead of reaver at line 695, after wps pin is found...

xterm -g 80x15-1+100 -T "reaver pin= $WPSPIN" -e "reaver -i $monitor -a -f -c $channel -b $bssid -r 2:15 -L -E -vvv -N -T 1 -t 20 -d 0 -x 30 --pin=$WPSPIN --mac=$VARMAC --session tmp/$bssid 2>&1 | tee VARMAC_LOGS/$bssid-$ssid-$DATEFILE-$PAD" &

BTW: There's a small bug at line 708 of "varmacscan2-0.sh"

[+] echo -e " Standby while all ESSID Probe Data from airodump-ng is processed...."

should be

echo -e "[+] Standby while all ESSID Probe Data from airodump-ng is processed...."

2015-12-01, 00:55
To: brunoaduarte

MTeams has tried to duplicate and only found one instance where reaver did not write the WPA key to the log file. Again we think tee is terminating the process before reaver can write the file.

We are just coding in the -A request by Laserman75 as we speak.


2015-12-02, 02:33

As now i have the wps pin code, i manually loaded reaver (same line that is executed by varmacscan):

reaver -i wlan0mon -a -f -c 10 -b XX:XX:XX:XX:XX:XX -r 2:15 -L -E -vvv -N -T 1 -t 20 -d 0 -x 30 --pin=59133049

Here's reaver output:


As you can see, no WPA key is found, so the problem really seems to be with "reaver", and not with "tee".

FYI: varmacscan found this exact same pin 3 times, so i don't believe it's a wrong pin problem.

2015-12-02, 05:30
To brunoaduarte

Thanks for your independent analysis. We will release version 2.6 within 24 hours as the program has been running on three computers both kali1.1 and 2.0. We switched to Eterm but could not get it to run under kali2.0 so we restored xterm. Furthermore Laserman75's idea of using aireplay-ng and -A with reaver seems to work as it cracked one network that had never even responded to a reaver pin request in over a year.

Again Thanks


2015-12-02, 17:28
Which network did laserman get it to work on?
Which router model?
Please specify it

2015-12-03, 01:41
Nice mmusket33,

Hoping to see the new version of your script... also i'll try to use aireplay-ng auth here and see if i can crack the wpa passphrase.

Btw, could you remove those confirmation (for every action there's a confirmation) texts from varmacscan2-0.sh ? :D

Other features that would be cool to have:
- Ignore low signal APs
- Attack by signal level (start with stronger signal AP)

2015-12-03, 02:07
Nice mmusket33,

Hoping to see the new version of your script... also i'll try to use aireplay-ng auth here and see if i can crack the wpa passphrase.

No, aireplay-ng auth is only there in order not to carry out the association with Reaver, because this fails for some routers.
This has nothing to do with the WPA passphrase.

I hope that the new version is available for testing soon :cool:

2015-12-03, 03:43
No, aireplay-ng auth is only there in order not to carry out the association with Reaver, because this fails for some routers.
This has nothing to do with the WPA passphrase.

Yeah Laserman75, i know aireplay-ng will not crack the WPA pass. What i meant is that i was going to try aireplay-ng to make the auth/association process for reaver (reaver -A flag), because i was having some problems cracking the WPA pass after pin code was found (reaver only found wps pin, and no wpa pass) as you can see in my last log...

Anyway, your idea worked ! Not with reaver, but with "bully"...

I started aireplay-ng auth/association and started bully with fixed pincode, wpa passphrase was recovered in seconds.

Thanks !

2015-12-03, 04:06
No need to thank me, you're welcome.
Nice to hear that it works for you.

2015-12-03, 12:05
To brunoaduarte

We think in some cases (ie not all) the WPA key was not obtained because the mac spoofing routines for kali2.0 were bugged. There are two different routines. If you spoof the mac address in reaver and then do not add the --mac= into the command line reaver many times only gets the Pin.

Reference weak signals

The reaver command line used was developed by the author of auto-reaver. He/she had cracked WPA keys at extreme range using this command line. MTeams duplicated these findings and uses it in other programs and it works well when trying to crack WPS locked routers with VMR-MDK.

We have released version 2.8. The download addresses are found at the beginning of this thread.

Keep in mind that if you have fixed targets that respond to reaver we suggest you use the command line. When you run out of targets run up this scanner and go to bed and see what info varmacscan2-8 can obtain automatically.


2015-12-04, 18:21
Awesome mmusket33, thanks ! I'm testing it...

There are 2 cases where I got the WPS PIN (no WPA as usual), but later when I try to attack it again (to get WPA pass with bully), its WPS is DISABLED (not locked). Is this a security measure from the router? Why did it allow me to crack the pin and then disable it? It makes no sense... as when the pin is found the attack is stopped.

Any ideas ?

2015-12-05, 05:22
To brunoaduarte

We have run four(4) computers: kali 1.1a Hard Drive(HD) install, Kali 2.0 HD install, kali 1.10a persistent usb, kali 2.0 persistent usb. We ran them at the same available targets. In only one(1) case did we not get the WPA key and in that case we removed the mac file from the VARMAC_WHITELST folder and the program automatically reattacked the network and on the second try got the WPA key. Just remember the complete set of data if obtained is found in the VARMAC_WPSWPA folder, not the VARMAC_WHITELST folder.

Concerning the two(2) cases you comment on above - How did you determine that the WPS system was disabled?


In closing we tried to use Eterm but were unable to get it to function in kali2.0.

2015-12-05, 12:57
Yeah yeah, i always look at the VARMAC_WPSWPA folder, no files are created in VARMAC_WHITELST here, cause i've never got the WPA pass from reaver (i guess the bssid is only white listed when wpa is found)...

I determined the WPS system was disabled after the process because there's a file "PIN_FOUND-63576764-victim_essid-XX:XX:XX:XX:XX:XX" in VARMAC_WPSWPA folder
but "airodump-ng --wps" shows nothing in the WPS field, and the device does not appear in wash scan.

root@kali:~/VARMAC_WHITELST# ls -n
total 0

root@kali:~/VARMAC_WPSWPA# ls -n
total 1
-rw-r--r-- 1 0 0 50 Dec 4 03:26 PIN_FOUND-63576764-victim_essid-XX:XX:XX:XX:XX:XX

XX:XX:XX:XX:XX:XX -63 5 0 0 6 54e WPA2 CCMP PSK victim_essid

As this WPA not being cracked with reaver only occurs here, maybe it's an issue with my wlan adapters:

WLAN0: Broadcom Corporation BCM4311 802.11b/g WLAN (rev 01)
WLAN1: Ralink Technology, Corp. MT7601U Wireless Adapter

Anyway, i'm happy with bully, it does the job.

2015-12-06, 02:01
To brunoaduarte,

We have seen routers which first show the WPS system is on but after one pin is received the WPS functionality disappears. We will give bully a try again; we never had much luck with it in the past. We will load reaver first and then do the same attack with bully and see what occurs using the varmacscan program. We will advise.

Thanks for the idea

Could you post the bully command line you prefer to use?


2015-12-06, 05:51
Could you post the bully command line you prefer to use?


bully -b XX:XX:XX:XX:XX:XX -c 3 -v 3 -B -p 20863463 wlan0mon

BTW, could you consider removing the confirmation (Y/n) dialogs from next version of released scripts ? Or maybe a menu option to disable it ?
First thing i do after downloading MTeams scripts is commenting code like:

echo -e "$inp You entered$yel $ERAS$info type$yel (y/Y)$inp to confirm or$yel (n/N)$inp to try again$txtrst"

to be like

#echo -e "$inp You entered$yel $ERAS$info type$yel (y/Y)$inp to confirm or$yel (n/N)$inp to try again$txtrst"

Cause there are so many options, and confirming each one is very time consuming.

Thanks !

2015-12-07, 01:41
To brunoaduarte

Thanks for the command line example

We have been running bully test alongside reaver we will let you know our results.

Reference the input confirmations - we will consider alternatives.


2015-12-09, 16:51
Ok thanks mmusket33 !

FYI: About the WPS pin being disabled, seems it's just some firmware's protection style.
Some only lock WPS, others lock and then after some time disable it. Others just disable it.
And in all those options there are cases in which WPS is unlocked/reenabled automatically.
So there's not really a pattern for that.

2015-12-09, 23:51
To brunoaduarte

MTeams are seeing a group of routers which have a WPS system which is open but simply do not respond to pin requests. Some of these networks have withstood any pin request for many months until we turned on varmacscan2-8 for tests. The next morning we would look in the WPSWPA folder and there the WPA key would be. The key was always 12345670. When we referred to the log files we found that on one of the many many short requests for pins before moving on to another target thru the automatic functions of the script, the network just gave up its WPA Key and WPS Pin.

We tried to duplicate this by actively attacking the network directly thru the command line with no effect.

So as MTeams has noted elsewhere, when you have finished any active attacks thru the command line just run up varmacscan and go to bed; you may get a key by the next day.

A handshake collector module is being placed in the script as airodump-ng is run passively in the background and occasionally a handshake is collected.


2015-12-19, 01:11
Your script works great. I edited the script because I get fcs skipping and adding -C resolved that issue.


2015-12-21, 10:23
To Scolder,

MTeams will probably tweak the ESSIDPROBE Modules and when we do we will take care of the -C matters.

We are seeing a marked increase in the amount of WPA keys in clear text since collection thru these ESSID Probe modules was embedded in our scripts. We are not sure why this is. Our current view is it is coming from android/Ipad phones.

Again Thanx for your input.


2016-02-11, 12:36
Varmacscan supporting Kali 1.10a, 2 and Kali 2016.1 R is released for community use

See details at the beginning of this thread.

Musket Teams

2016-02-13, 07:05
Varmacscan supporting Kali 1.10a, 2 and Kali 2016.1 R is released for community use

Version 3-1 has been updated to version 3-3

Coding when attacking specific router models and the white listing of routers by mac address has been rewritten.


2016-02-13, 15:29
Outstanding work mmusket33, runs beautifully. Is it possible to run this with multiple wifi Adapters on the same machine to speed up the process? 20+ networks in range :D

Thanks for all your hard work!

2016-02-14, 02:39
To catfig

If MTeams understands your idea you want to have two or more wifi devices all seeking targets thru a robotic process like varmacscan. The idea will be looked into.
For your info users have encouraged the use of Bully instead of reaver.
We ran many many tests with Bully along with Reaver and Bully never even got the first WPS pin and ran so poorly that we gave up on incorporating that program into varmacscan. In our areas of operation Bully does not work at all. Hence we are limited by the type of equipment we have to both test and operate with.


2016-02-14, 18:14
Hi there,

First of all thanks for this very nice work. I'm starting to test this script on my laptop. Today I tried to run it on my new Raspberry Pi 2 with kali and it gets lots of errors. What should I do to be able to run it? I think there are some tools that are not installed. Tks in advance!!

2016-02-14, 22:26
To Jimbas

Any MTeams releases are written and tested for the Operating Systems listed in this case Kali 1.1a, kali 2.0 and kali 2016.1R using kali i386. All were tested on the slowest computer we have running a persistent usb install of kali i386 and 5 meter long usb extensions to the wifi device.

MTeams cannot write or test for Raspberry Pi2. To our knowledge this uses ARM of which we have no operational experience.

Maybe someone in these forums can help you.


2016-02-15, 12:02
and 5 meter long usb extensions to the wifi device.


which one are you using?

2016-02-15, 12:35
:rolleyes: What do you mean? It's a 5 meters long USB extension, one end male the other female, from the computer to the WiFi dongle, to allow for best positioning of the WiFi device to receive the strongest signal(s).

https://ixquick-proxy.com/do/spg/show_picture.pl?l=english&rais=1&oiu=http%3A%2F%2Fwww.sealevel.com%2Fstore%2Fmedia%2Fcatalog%2Fproduct%2Fcache%2F1%2Fimage%2F265x265%2F9df78eab33525d08d6e5fb8d27136e95%2FC%2FA%2FCA214.jpg&sp=311b0203829628a891b61cd40cf72386

Edit: oh you meant which device. That makes more sense ;)

2016-02-15, 12:37
Best reception is to have the wifi device outside a building with the antenna attached directly to the device ie no sma cable.

MTeams wrap the wifi device in layers of plastic with the antenna outside the plastic layers. We have run AWUSO36H devices wrapped in plastic in direct sunlight with OAT at 48 degrees and 100 percent humidity in the afternoon for years and never had any problem.

If you dig thru the literature you will find that usb extension cable longer than 5 meters is not reliable. In tests this has held true.

Use any basic usb cable. Do not buy usb extension cable that has an egg shaped container near one end with circuits inside as they do not work. Simple usb cable works best.

You can boost electric power down the line by a usb splitter plugged into a y cable. Do not run the signal thru the splitter.

MTeams tests with long cable as some routines like mac changing have to be slowed with sleep commands or the processes do not work consistently. Same with persistent usb devices. We gave up on luks encryption for this very reason.


2016-02-15, 12:43
you should try with a white PVC pipe, capped on both ends, with a hole on the bottom cap to allow the USB cable to get in. Easy and slick ;)

Edit: something like this..


2016-02-15, 20:10
i have this: http://www.amazon.it/WIFISKY-ANTENNA-OUTDOOR-ESTERNO-SUPPORTO/dp/B00DHJWP22 and i can tell for sure that if i put it near the window, it can reach an AP 200-300 m with no problems, no matter how many trees or buildings are between us. not so good maybe in city. i have more stable signal from outside than from my neighbour one floor up. and no need for plastic layers since it's waterproof. i will try another one, same model more or less, with a 5 m cable to see if it's true that they are better due to the cable length. this one though has two usb, one for signal and one for power. maybe we can open a thread in which everyone can share their experience with different antennas, this way one can choose between products which are best in different situations

2016-02-24, 23:37
MTeams has been sent this link concerning varmacscan in github

This was not posted by MTeams. We think it supports other Operating Systems but are unsure.


2016-04-11, 18:54
I still cannot understand why you don't include the -C switch for wash. Once I've found the line in the script file and included it I have no problems. Why not just include it in the beginning?

2016-04-28, 12:00
Pippin, everyone's hardware/software is slightly different. What works for you may not work for others.

Gonna try this script tonight. Tried command line attacks on wps and wpa handshakes, then tried vmr-mdk, and this is the newest tool I will attempt to use.

P.S. I'm fairly new at this, so apologies in advance for noob questions, but I try my best! Will let you know how it goes.

EDIT: can confirm it worked for a single ap over approximately 12 hours, after attacking around 10. It's also one of the only ap's I've managed to crack using command line (the other 2 were unavailable/out of range).
I didn't even use my best equipment, it was using the built in wifi card on a low-end consumer laptop and kali live usb 2016.

Conclusion: Good stuff, although didn't grab any previously unattainable pins so far. Will try with better equipment and update.

2016-05-12, 10:25
To Pippin

varmacscan-K1-2-2016-3-3.sh available for download has the -C entry in all wash scans

See line 2167

See line 2279

If you are using this version and having problems please advise and MTeams will try and correct the problem if we can duplicate it


2016-06-05, 14:49
mmusket33, thanks for your work and sharing

I'm currently trying this script with all the default options, it's going through its first cycle...
Want to share my experience and report some problems. I'm using Kali 16.1 Light with Alpha NHA card.
First, I had to use check kill option, otherwise the script wouldn't work for me. Also here's the output with the latest airmon when script offers card selection:

Your kernel supports rfkill but you don't have rfkill installed.
To ensure devices are unblocked you must install rfkill.

PHY Interface Driver Chipset

phy0 wlan0 ?????? VIA Technologies, Inc. VIA VNT-6656 [WiFi 802.11b/g USB Dongle]
phy1 wlan1 ath9k_htc Atheros Communications, Inc. AR9271 802.11n

Devices found by airmon-ng.

1: kernel
2: ensure
3: wlan0
4: wlan1

Enter the line number of the wireless device (i.e. wlan0, wlan1 etc)
to be used.
(VIA is a built in adapter, supports monitor mode, but can't do packet injection)
Another problem is for every AP I see "Spoofing with random mac address" but "Current device Mac" shown is always the same and it's the card's original mac
Also aireplay always prints "No source MAC (-h) specified. Using the device MAC" and this also seems inconsistent with "Spoofing with random mac address" message of the script.

2016-06-06, 16:06
the script found 2 pins out of around 30 wps networks, but no WPA keys for them

and I figured out why mac spoofing didn't work for me - I didn't have macchanger installed :) (Kali Light)

2016-06-07, 13:03
To Major Tom

First MTeams tests these scripts in kali-linux i386 for Hard Drive and persistent usb install. We do not test with luks and never use light.

The reason no WPA key was found is probably a direct result of the mac spoofing failure. To spoof a mac and use reaver you must first spoof the mac with macchanger and then ADD the spoofed mac to the reaver command line thru --mac= . If the spoofed mac does not equal what is found in the command line then only the WPS Pin may be found.

MTeams suggests you attack your targets first thru the command line. Then turn on varmacscan and go to bed. If you extract pins but no WPA keys you can focus the attack the next day by adding --pin= to your commandline.

We probably will release an updated handshakeharvest which can collect handshakes robotically. The newer version supports deauthing individual clients seen associated which greatly increases handshake collection. You just turn it on and walk away. We are testing in kali 1 2 and 2016.

Musket Teams

2016-06-07, 14:51

Thanks, I know I can pass a pin to reaver or bully, though haven't tried yet.

After installing macchanger I ran the script for another day (with working spoofing) and it found one more pin, but no WPA key again. End of reaver log looks like

[+] Pin cracked in 38 seconds
[+] WPS PIN: '12345670'
[+] Nothing done, nothing to save.

As you can see it's the very first pin reaver tries but it took 5 script cycles (with hours between them) for reaver to retrieve it. Former 4 times AP just wouldn't go past M1. So I think I witnessed the phenomenon which you mentioned when AP doesn't respond to attacks but then all of a sudden gives out a pin. AP signal is very weak though and often disappears.

Yeah, I think auto collection of handshakes would be a nice feature, I was going to ask about it :)

2016-06-09, 09:16
To thothao

First thank you for your interest. This is an important point in a successful reaver WPS/WPA pin/key extraction!

The aireplay-ng warning is actually an old legacy warning as back in the early days of aircrack-ng and WEP cracking you had to add the -h device mac address to your command line. Later this was changed. If you go to infinityexists.com and dig thru the wep video files you will see them talking about the addition of this feature.

However there is a simple method to prove what mac address is being used.

Place a wifi device in monitor mode and spoof the mac

We use:

airmon-ng start wlan0

#To avoid airmon-ng check kill

ifconfig wlan0mon down
iwconfig wlan0mon mode monitor
ifconfig wlan0mon up

#Now spoof your mac

ifconfig wlan0mon down
macchanger -m 00:11:22:33:44:55 wlan0mon
ifconfig wlan0mon up

#Now pick a wifi network in your area and point airodump-ng at that network

airodump-ng -c 1 --bssid 55:44:33:22:11:00 wlan0mon

#Now open another terminal window and do a fake auth with aireplay-ng against the network

aireplay-ng -1 10 -a 55:44:33:22:11:00 wlan0mon

#Now look in your airodump-ng terminal window and you will see below the word "Station", what mac addresses are being used against the network.


While varmacscan is running an airodump-ng xterm window is open. Just expand the xterm window and look at the device mac being used. In closing AND just in case you might have been right and something had changed in linux or aircrack-ng, MTeams tested to see what mac address was being used and found the mac spoofed was in fact still being employed. It is seen in the aireplay-ng ap activation window and is also picked up by airodump-ng.

Varmacscan scan changes the mac at every cycle and prints the Current Device Mac used in the main menu for this very reason. If your program is using a different mac address than shown for that cycle write us again and we will try and duplicate.

Musket Teams

2016-06-14, 14:13

I ran the script for a few days and it found 6 pins and one wpa key. I saw attacked APs permanently disabling or locking WPS (well, at least until next reboot, I guess).

Based on my experience I have a few suggestions:
1. add --wps option to airodump-ng. Sometimes an AP appears as having WPS not locked during initial wash scan, but locks it permanently or temporarily once attacked. The added option allows to see that in real time.
I also added --uptime and --manufacturer, don't see any harm in seeing those :)
Tip to anyone running airodump with --manufacturer option - run this command to update the reference files used by this feature:

After I did a few APs that were previously listed as Unknown now show the vendor. And I know one of them is a very old device, so it's not like updating will only add recently allocated macs, I don't know why original reference files are so inferior.
2. Make naming of PIN and WPA KEY files uniform, starting with BSSID or ESSID, so that PIN and KEY files for the same AP are grouped together in the folder.
3. Make mac spoofing optional. My builtin VIA adapter appears to have limited implementation of monitor mode and neither reaver nor bully can do **** when the mac is spoofed. Yet I cracked my first few APs using this adapter (not by varmacscan)
4. I know I'm not the first to suggest it - remove the confirmations :)

2016-06-14, 16:09
To MajorTom

Thank you for your observations and suggestions. MTeams are working on using more and more wps info from airodump-ng for both VMR-MDK and varmacscan. Your other points have been put on a list for consideration. However our current priority is to make available a more effective robotic handshake collector thru handshakeharvest and an updated Pwnstar9.0 with new passive DDOS features using airbase-ng as the DDOSing mechanism. We only got 2016.1 Rolling to remain stable two weeks ago. And testing for three(3) different operating systems ie 1.1, 2 and 2016 takes time.

Reference your macchanging problems

airmon-ng start wlan0
ifconfig wlan0mon down
ifconfig wlan0mon hw ether 00:11:22:33:44:55
ifconfig wlan0mon up

reaver -i wlan0mon -b 00:01:02:03:04:05 -vv --mac=00:11:22:33:44:55

or maybe

ifconfig wlan0 down
ifconfig wlan0 hw ether 00:11:22:33:44:55
ifconfig wlan0 up
airmon-ng start wlan0
ifconfig wlan0mon down
ifconfig wlan0mon hw ether 00:11:22:33:44:55
ifconfig wlan0mon up
reaver -i wlan0mon -b 00:01:02:03:04:05 -vv --mac=00:11:22:33:44:55

Let us know if this works better.

2016-06-25, 05:01
Can someone help me? I have downloaded this script on kali 2016 version but I can't get it to work. Thanks in advance!!!

2016-06-26, 15:06
To YssDiamond,

MTeams need more info than "it does not work".

Run from root

Type chmod 755 Script name

./script name

Arm/luks encryption not supported as MTeams cannot test.


2016-06-26, 19:21
Also tried that, nothing. I'm doing everything right. Thanks for the quick reply and support!

2016-06-27, 13:26
Problem solved, thank you musket!!!

2016-07-16, 13:31
How can I use the found PIN for auth? Network-Manager doesn't seem to support WPS-Pin and the command wpa_cli wps_pin any does not connect me to my network. I also checked with airodump-ng wlan1mon -c 5 --wps and there is no PBC.

Thanks for help :)

2016-10-30, 09:33
Hi, when I run varmacscan-K1-2-2016-3-3.sh it gets stuck at choosing Kali version:


...so I press Enter and nothing happens - it goes back to previous screen:

Hope someone can help with that.

2016-11-06, 14:17
Thank you MTeam.

I previously posted about my results, but since there was some incomplete information there I have edited my post to remove (my) speculation and only contain the facts.

I can confirm that this program works as described by others. I started it about ~48 hours ago, and it found four pins, but no wpa keys.

Three of the pins listed are identical, and that made me (incorrectly) believe that there was some mistake by varmacscan. But - important detail - two of the essids indicate that it's the same ISP. Possible explanation for the exact same pin in different routers.

While varmacscan continued running, I inserted the pins it found into bully. I used the -B option (bruteforce), and the -s option ('source' or modified mac address on my computer), as well as the -L option (ignore AP lockout) so the command looked like this:

bully -s <my computer's spoofed mac address> -b <target APs mac address> -B -L <my wireless interface>

I took a few tries changing my mac address from time to time, and then the router presented the wpa key to me, and it also confirmed that the pin was correct. The last run took about ten minutes.

After that, I tried the other router from the same ISP. This took about 5 hours of trial and failure with same bully command, until it coughed up the wpa key and confirmed the pin. (These two routers confirmed the exact same pin, as varmacscan told me. I don't know how many customers would trust this ISP if they knew.)

Conclusion, varmacscan took about 12 hours to find four pins for the ~15 APs within range, but was not efficient in using the pin to make the router give up the wpa key. However, using bully with the -B option and a spoofed mac address (-s option) was effective in the second step of the process.

Possible recommendation: that bully is integrated into varmacscan. Thanks again MTeam.

2016-11-09, 11:20
To Badngood

Thanks for the report.

First MTeams wishes to point out that you are using varmacscan exactly as it was designed to be used. Varmacscan usually gets the pin and sometimes gets the WPA key. Getting the WPA key may take a bit of effort from the command line.

MTeams is currently rewriting this program.

It will provide several methods of making virtual monitors thru airmon-ng and iw and a mixture of both.

It will brute force the WPS pin then try any pins found and then try default pins such as 12345670 and 00000000 in sequence. We have begun finding routers with the all zero default key which is something new for us.

Several AP activation routines will be added. Aireplay-ng will be made regenerative thru while true loops.

With respect to bully MTeams has made several attempts to integrate bully into these robotic processes but in our areas bully just does not function well against the routers found. We therefore cannot test and if we cannot test against real targets we cannot confirm any of the subroutines embedded in the script are actually functioning. However we will again test with Annarchyys version.

We have found that reaver when run thru Kali 2.0 and later, many times does not get the WPA key even when run from the commandline. We immediately switch to kali1.10 and the WPA key is obtained. There is commentary in Top-Hat-Sec see http://forum.top-hat-sec.com/index.php?topic=5647.0 There are comments about airmon-ng disruptions and using iw instead. We are exploring this issue hence the reason for alternative virtual monitor setups in coming releases.

For us this program has obtained more WPA keys than all other methods combined. This is only because of the robotic nature of the script. MTeams runs constant scans 24 hours a day when the computer is idle then try to obtain the WPA key thru the commandline. We will try bully thru the command line again as you suggested.

Musket Teams

2016-12-27, 21:18
I have been testing your "varmacscan" but after updating to "Kali Linux 2016.2" the tool seems to have a problem starting the "wlan0" in the monitor mode (tried both ways). I have even tried to write a small shell file to overcome this but the problem still persists. It would be better if you add the following to avoid the hardblocked case or "SIOCSIFFLAGS: Operation not possible due to RF-kill". So that the program while creating the "Monitor Mode" doesn't have a problem with it.
And can you say the command you use in the file with reaver and also aireplay-ng?

rmmod -f <Wifi Driver Name> #Removing the Driver
rfkill unblock all #Unblocking all device
modprobe <Wifi Driver Name> #Installing the driver module.


2016-12-28, 13:13
To 9h05t

MTeams currently has two(2) computers running varmacscan in hard drive installs of i386 kali-linux 2016R2. These computers have been updated but not upgraded and have been running constantly for over two months with no difficulties.

All we can say with the info you provided is to make sure you choose the right program type when asked ie kali 1.10a, 2 and rolling and let the program install the monitors. A common error is to try and write the monitor designation when prompted rather than just selecting the line number next to the device.

The SIOCSIFFLAGS due to RF kill might be caused because you are running kali linux on a laptop which is dual booted with windows or requires windows to turn on the wifi device. If this is the case boot into windows get your internal wifi device functioning then reboot into linux. This would also apply to usb install both live and persistent. Note the computer writing this answer had this problem last month.

All we ask at present is to go thru the setup carefully. If the problem persists write back and give us more info but it is hard to correct if we cannot duplicate. We will also put our RV group on it if this answer does not help you.

You can read the command lines for reaver and aireplay-ng. Just open the file with leafpad and type ctrl - F reaver or aireplay-ng and you will find the various command lines embedded in xterm.

Musket Teams

2017-01-09, 23:53
THX for this nice code.

How can I create a whitelist for varmacscan-K1-2-2016-3-3.sh? Only a simple text file list of BSSIDs in /root/VARMAC_WHITELST? Like this:


Same for whitelist handshakeharvest-K1-K2-K2016-4-0?

2017-01-10, 08:38
Networks are whitelisted by writing a text file and naming the file with the mac code of the network then a dash and the word whitelist. This text file must be placed in the VARMAC_WHITELIST folder. Contents of the file are unimportant. The program looks for file names not contents.

File name example


The program gives you the option to whitelist Networks during setup and writes the file for you. BUT if you wish to manually whitelist networks prior to running the script then open leafpad enter the mac code of the network in the file as text if you wish then name the file with the mac code then a dash then the word whitelist.

And again the program looks for maccodes in file names, not for file contents, and each network has its own file.

It was done this way to protect data. Each time a network is cracked the data is written to a separate file. Those networks are then automatically whitelisted and a text file written to the VARMAC_WHITELIST folder. Manually whitelisted networks have the name whitelist after the maccode and dash. Networks that have had their WPA key cracked have the word WPA_key-FOUND- then the essid.

MTeams decided for data safety each network cracked would have its data written to an individual file in root rather than placing all data collected in one file. We have seen programs where the user spends hours trying to obtain data and then when found the data is placed in the /tmp folder.

Musket Teams