you should try with a white PVC pipe, capped on both ends, with a hole on the bottom cap to allow the USB cable to get in. Easy and slick ;)
Edit: something like this..
http://www.yatesbanjos.com/neck_tube.jpg
I have this: http://www.amazon.it/WIFISKY-ANTENNA.../dp/B00DHJWP22 and I can tell for sure that if I put it near the window, it can reach an AP 200-300 m away with no problems, no matter how many trees or buildings are between us. Maybe not so good in the city. I have a more stable signal from outside than from my neighbour one floor up. And no need for plastic layers since it's waterproof. I will try another one, more or less the same model, with a 5 m cable to see if it's true that they are better due to the cable length. This one though has two USB plugs, one for signal and one for power. Maybe we can open a thread in which everyone can share their experience with different antennas; this way one can choose between products which are best in different situations.
MTeams has been sent this link concerning varmacscan in github
This was not posted by MTeams. We think it supports other Operating Systems but are unsure.
https://github.com/L33T-H4X0R-D00D/Varmascan-reaver
I still cannot understand why you don't include the -C switch for wash. Once I've found the line in the script file and included it I have no problems. Why not just include it in the beginning?
Pippin, everyones hardware/software is slightly different. What works for you, may not work for others.
Gonna try this script tonight. Tried command line attacks on WPS and WPA handshakes, then tried vmr-mdk, and this is the newest tool I will attempt to use.
P.S. I'm fairly new at this, so apologies in advance for noob questions, but I try my best! Will let you know how it goes.
EDIT: can confirm it worked for a single AP over approximately 12 hours, after attacking around 10. It's also one of the only APs I've managed to crack using the command line (the other 2 were unavailable/out of range).
I didn't even use my best equipment; it was using the built-in wifi card on a low-end consumer laptop and Kali live USB 2016.
Conclusion: Good stuff, although it didn't grab any previously unattainable pins so far. Will try with better equipment and update.
To Pippen
varmacscan-K1-2-2016-3-3.sh available for download has the -C entry in all wash scans
See line 2167
See line 2279
If you are using this version and having problems please advise and MTeams will try and correct the problem if we can duplicate it
Mteams
mmusket33, thanks for your work and sharing
I'm currently trying this script with all the default options, it's going through its first cycle...
Want to share my experience and report some problems. I'm using Kali 16.1 Light with an Alpha NHA card.
First, I had to use the check kill option, otherwise the script wouldn't work for me. Also here's the output with the latest airmon when the script offers card selection (VIA is a built-in adapter, supports monitor mode, but can't do packet injection):
Code:
Your kernel supports rfkill but you don't have rfkill installed.
To ensure devices are unblocked you must install rfkill.
PHY Interface Driver Chipset
phy0 wlan0 ?????? VIA Technologies, Inc. VIA VNT-6656 [WiFi 802.11b/g USB Dongle]
phy1 wlan1 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
Devices found by airmon-ng.
1: kernel
2: ensure
3: wlan0
4: wlan1
Enter the line number of the wireless device (i.e. wlan0, wlan1 etc)
to be used.
Another problem is that for every AP I see "Spoofing with random mac address" but the "Current device Mac" shown is always the same and it's the card's original mac.
Also aireplay always prints "No source MAC (-h) specified. Using the device MAC" and this also seems inconsistent with the "Spoofing with random mac address" message of the script.
The script found 2 pins out of around 30 WPS networks, but no WPA keys for them,
and I figured out why mac spoofing didn't work for me - I didn't have macchanger installed :) (Kali Light)
To Major Tom
First MTeams tests these scripts in kali-linux i386 for Hard Drive and persistent usb install. We do not test with luks and never use light.
The reason no WPA key was found is probably a direct result of the mac spoofing failure. To spoof a mac and use reaver you must first spoof the mac with macchanger and then ADD the spoofed mac to the reaver command line thru --mac= . If the spoofed mac does not equal what is found in the command line then only the WPS Pin may be found.
MTeams suggests you attack your targets first thru the command line. Then turn on varmacscan and go to bed. If you extract pins but no WPA keys you can focus the attack the next day by adding --pin= to your commandline.
We probably will release an updated handshakeharvest which can collect handshakes robotically. The newer version supports deauthing individual clients seen associated which greatly increases handshake collection. You just turn it on and walk away. We are testing in kali 1 2 and 2016.
Musket Teams
mmusket33
Thanks, I know I can pass a pin to reaver or bully, though haven't tried yet.
After installing macchanger I ran the script for another day (with working spoofing) and it found one more pin, but no WPA key again. The end of the reaver log looks like:
Code:
[+] Pin cracked in 38 seconds
[+] WPS PIN: '12345670'
[+] Nothing done, nothing to save.
As you can see it's the very first pin reaver tries, but it took 5 script cycles (with hours between them) for reaver to retrieve it. The previous 4 times the AP just wouldn't go past M1. So I think I witnessed the phenomenon which you mentioned, where the AP doesn't respond to attacks but then all of a sudden gives out a pin. The AP signal is very weak though and often disappears.
Yeah, I think auto collection of handshakes would be a nice feature, I was going to ask about it :)
To thothao
First thank you for your interest. This is an important point in a successful reaver WPS/WPA pin/key extraction!
The aireplay-ng warning is actually an old legacy warning as back in the early days of aircrack-ng and WEP cracking you had to add the -h device mac address to your command line. Later this was changed. If you go to infinityexists.com and dig thru the wep video files you will see them talking about the addition of this feature.
However there is a simple method to prove what mac address is being used.
Place a wifi device in monitor mode and spoof the mac
We use:
airmon-ng start wlan0
#To avoid airmon-ng check kill
ifconfig wlan0mon down
iwconfig wlan0mon mode monitor
ifconfig wlan0mon up
#Now spoof your mac
ifconfig wlan0mon down
macchanger -m 00:11:22:33:44:55 wlan0mon
ifconfig wlan0mon up
#Now pick a wifi network in your area and point airodump-ng at that network
airodump-ng -c 1 --bssid 55:44:33:22:11:00 wlan0mon
#Now open another terminal window and do a fake auth with aireplay-ng against the network
aireplay-ng -1 10 -a 55:44:33:22:11:00 wlan0mon
#Now look in your airodump-ng terminal window and you will see below the word "Station", what mac addresses are being used against the network.
Furthermore:
While varmacscan is running an airodump-ng xterm window is open. Just expand the xterm window and look at the device mac being used. In closing AND just in case you might have been right and something had changed in linux or aircrack-ng, MTeams tested to see what mac address was being used and found the mac spoofed was in fact still being employed. It is seen in the aireplay-ng ap activation window and is also picked up by airodump-ng.
Varmacscan changes the mac at every cycle and prints the Current Device Mac used in the main menu for this very reason. If your program is using a different mac address than shown for that cycle write us again and we will try and duplicate.
Musket Teams
mmusket33
I ran the script for a few days and it found 6 pins and one wpa key. I saw attacked APs permanently disabling or locking WPS (well, at least until next reboot, I guess).
Based on my experience I have a few suggestions:
1. Add the --wps option to airodump-ng. Sometimes an AP appears as having WPS not locked during the initial wash scan, but locks it permanently or temporarily once attacked. The added option allows you to see that in real time.
I also added --uptime and --manufacturer, don't see any harm in seeing those :)
Tip to anyone running airodump with the --manufacturer option - run this command to update the reference files used by this feature:
Code:
airodump-ng-oui-update
After I did, a few APs that were previously listed as Unknown now show the vendor. And I know one of them is a very old device, so it's not like updating will only add recently allocated macs; I don't know why the original reference files are so inferior.
2. Make naming of PIN and WPA KEY files uniform, starting with BSSID or ESSID, so that PIN and KEY files for the same AP are grouped together in the folder.
3. Make mac spoofing optional. My builtin VIA adapter appears to have limited implementation of monitor mode and neither reaver nor bully can do **** when the mac is spoofed. Yet I cracked my first few APs using this adapter (not by varmacscan)
4. I know I'm not the first to suggest it - remove the confirmations :)
To MajorTom
Thank you for your observations and suggestions. MTeams are working on using more and more wps info from airodump-ng for both VMR-MDK and varmacscan. Your other points have been put on a list for consideration. However our current priority is to make available a more effective robotic handshake collector thru handshakeharvest and an updated Pwnstar9.0 with new passive DDOS features using airbase-ng as the DDOSing mechanism. We only got 2016.1 Rolling to remain stable two weeks ago. And testing for three(3) different operating systems ie 1.1, 2 and 2016 takes time.
Reference your macchanging problems
Try
airmon-ng start wlan0
ifconfig wlan0mon down
ifconfig wlan0mon hw ether 00:11:22:33:44:55
ifconfig wlan0mon up
reaver -i wlan0mon -b 00:01:02:03:04:05 -vv --mac=00:11:22:33:44:55
or maybe
ifconfig wlan0 down
ifconfig wlan0 hw ether 00:11:22:33:44:55
ifconfig wlan0 up
airmon-ng start wlan0
ifconfig wlan0mon down
ifconfig wlan0mon hw ether 00:11:22:33:44:55
ifconfig wlan0mon up
reaver -i wlan0mon -b 00:01:02:03:04:05 -vv --mac=00:11:22:33:44:55
Let us know if this works better.
Can someone help me? I have downloaded this script on the Kali 2016 version but I can't get it to work. Thanks in advance!!!
To YssDiamond,
MTeams need more info than "it does not work".
Run from root
Type chmod 755 Script name
./script name
Arm/luks encryption not supported as MTeams cannot test.
MTeams
Also tried that, nothing. I'm doing everything right. Thanks for the quick reply and support!
problem solved thank you musket !!!
How can I use the found PIN for auth? Network-Manager doesn't seem to support WPS-Pin and the command wpa_cli wps_pin any does not connect me to my network. I also checked with airodump-ng wlan1mon -c 5 --wps and there is no PBC.
Thanks for help :)
Hi, when I run varmacscan-K1-2-2016-3-3.sh it gets stuck at choosing Kali version:
Attachment 1943
...so I press Enter and nothing happens - it goes back to previous screen:
Attachment 1944
Hope someone can help with that.
Thank you MTeam.
I previously posted about my results, but since there were some incomplete information there I have edited my post to remove (my) speculation and only contain the facts.
I can confirm that this program works as described by others. I started it about ~48 hours ago, and it found four pins, but no wpa keys.
Three of the pins listed are identical, and that made me (incorrectly) believe that there was some mistake by varmacscan. But - important detail - two of the essids indicate that it's the same ISP. Possible explanation for the exact same pin in different routers.
While varmacscan continued running, I inserted the pins it found into bully. I used the -B option (bruteforce), and the -s option ('source' or modified mac address on my computer), as well as the -L option (ignore AP lockout) so the command looked like this:
Quote:
bully -s <my computer's spoofed mac address> -b <target APs mac address> -B -L <my wireless interface>
I took a few tries changing my mac address from time to time, and then the router presented the wpa key to me, and it also confirmed that the pin was correct. The last run took about ten minutes.
After that, I tried the other router from the same ISP. This took about 5 hours of trial and failure with same bully command, until it coughed up the wpa key and confirmed the pin. (These two routers confirmed the exact same pin, as varmacscan told me. I don't know how many customers would trust this ISP if they knew.)
Conclusion, varmacscan took about 12 hours to find four pins for the ~15 APs within range, but was not efficient in using the pin to make the router give up the wpa key. However, using bully with the -B option and a spoofed mac address (-s option) was effective in the second step of the process.
Possible recommendation: that bully is integrated into varmacscan. Thanks again MTeam.
To Badngood
Thanks for the report.
First MTeams wishes to point out that you are using varmacscan exactly as it was designed to be used. Varmacscan usually gets the pin and sometimes gets the WPA key. Getting the WPA key may take a bit of effort from the command line.
MTeams is currently rewriting this program.
It will provide several methods of making virtual monitors thru airmon-ng and iw and a mixture of both.
It will brute force the WPS pin then try any pins found and then try default pins such as 12345670 and 00000000 in sequence. We have begun finding routers with the all zero default key which is something new for us.
Several AP activation routines will be added. Aireplay-ng will be made regenerative thru while true loops.
With respect to bully MTeams has made several attempts to integrate bully into these robotic processes but in our areas bully just does not function well against the routers found. We therefore cannot test and if we cannot test against real targets we cannot confirm any of the subroutines embedded in the script are actually functioning. However we will again test with Annarchyys version.
We have found that reaver when run thru Kali 2.0 and later, many times does not get the WPA key even when run from the commandline. We immediately switch to kali1.10 and the WPA key is obtained. There is commentary in Top-Hat-Sec see http://forum.top-hat-sec.com/index.php?topic=5647.0 There are comments about airmon-ng disruptions and using iw instead. We are exploring this issue hence the reason for alternative virtual monitor setups in coming releases.
For us this program has obtained more WPA keys than all other methods combined. This is only because of the robotic nature of the script. MTeams runs constant scans 24 hours a day when the computer is idle then try to obtain the WPA key thru the commandline. We will try bully thru the command line again as you suggested.
Musket Teams
@mmusket33
I have been testing your "varmacscan" but after updating to "Kali Linux 2016.2" the tool seems to have a problem starting "wlan0" in monitor mode (tried both ways). I have even tried to write a small shell file to overcome this but the problem still persists. It would be better if you add the following to avoid the hardblocked case or "SIOCSIFFLAGS: Operation not possible due to RF-kill", so that the program doesn't have a problem while creating the "Monitor Mode".
And can you say the command you use in the file with reaver and also aireplay-ng?
Command:
rmmod -f <Wifi Driver Name> #Removing the Driver
rfkill unblock all #Unblocking all device
modprobe <Wifi Driver Name> #Installing the driver module.
Thanks.
To 9h05t
MTeams currently has two(2) computers running varmacscan in hard drive installs of i386 kali-linux 2016R2. These computers have been updated but not upgraded and have been running constantly for over two months with no difficulties.
All we can say with the info you provided is to make sure you choose the right program type when asked ie kali 1.10a, 2 and rolling and let the program install the monitors. A common error is to try and write the monitor designation when prompted rather than just selecting the line number next to the device.
The SIOCSIFFLAGS due to RF kill might be caused because you are running kali linux on a laptop which is dual booted with windows or requires windows to turn on the wifi device. If this is the case boot into windows get your internal wifi device functioning then reboot into linux. This would also apply to usb install both live and persistent. Note the computer writing this answer had this problem last month.
All we ask at present is to go thru the setup carefully. If the problem persists write back and give us more info but it is hard to correct if we cannot duplicate. We will also put our RV group on it if this answer does not help you.
You can read the command lines for reaver and aireplay-ng. Just open the file with leafpad and type ctrl - F reaver or aireplay-ng and you will find the various command lines embedded in xterm.
Musket Teams
THX for this nice code.
How can i create a whitelist for varmacscan-K1-2-2016-3-3.sh? Only a simple text file list of BSSIDs in /root/VARMAC_WHITELST? Like this:
11:22:33:44:55:66
77:88:99:00:11:22
Same for whitelist handshakeharvest-K1-K2-K2016-4-0?
Networks are whitelisted by writing a text file and naming the file with the mac code of the network then a dash and the word whitelist. This text file must be placed in the VARMAC_WHITELIST folder. Contents of the file are unimportant. The program looks for file names not contents.
File name example
55:44:33:22:11:00-whitelist
The program gives you the option to whitelist Networks during setup and writes the file for you. BUT if you wish to manually whitelist networks prior to running the script then open leafpad enter the mac code of the network in the file as text if you wish then name the file with the mac code then a dash then the word whitelist.
And again, the program looks for mac codes in file names not for file contents, and each network has its own file.
It was done this way to protect data. Each time a network is cracked the data is written to a separate file. Those networks are then automatically whitelisted and a text file written to the VARMAC_WHITELIST folder. Manually whitelisted networks have the name whitelist after the maccode and dash. Networks that have had their WPA key cracked have the word WPA_key-FOUND- then the essid.
MTeams decided for data safety each network cracked would have its data written to an individual file in root rather than put all data collected in one file. We have seen programs where the user spends hours trying to obtain data and then when found the data is placed in the /tmp folder.
Musket Teams
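As an added example (not code from the thread or from varmacscan itself), this POSIX sh snippet writes the manual whitelist marker files in the naming convention the answer above describes, validating each BSSID first, and checks whether a BSSID already has a marker of either kind. The /root/VARMAC_WHITELIST folder and the "<mac>-whitelist" / "<mac>-WPA_key-FOUND-<essid>" file names are taken from the posts above; the VARMAC_WHITELIST_DIR override and the list-file format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of varmacscan. Whitelist marker files live in
# the VARMAC_WHITELIST folder named "<bssid>-whitelist" (manual) or
# "<bssid>-WPA_key-FOUND-<essid>" (written by the script); only the file
# name matters. The folder path comes from the thread; the environment
# override VARMAC_WHITELIST_DIR is an assumption of this example.
WHITELIST_DIR="${VARMAC_WHITELIST_DIR:-/root/VARMAC_WHITELIST}"

# Return 0 if $1 is six colon-separated hex pairs, i.e. a plausible BSSID.
is_bssid() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Create the manual marker file for one BSSID. The contents are only a
# note for humans; varmacscan reads the file name, not the body.
whitelist_bssid() {
    bssid=$1
    is_bssid "$bssid" || { echo "skipping invalid BSSID: $bssid" >&2; return 1; }
    mkdir -p "$WHITELIST_DIR"
    printf 'manually whitelisted %s\n' "$bssid" > "$WHITELIST_DIR/$bssid-whitelist"
}

# Whitelist every BSSID listed one per line in file $1 (blank lines and
# lines starting with # are ignored) and print how many files were written.
whitelist_from_file() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        whitelist_bssid "$line" && count=$((count + 1))
    done < "$1"
    echo "$count"
}

# Return 0 if any marker file whose name starts with "$1-" exists, which
# covers both the manual and the WPA_key-FOUND- variants.
is_whitelisted() {
    for f in "$WHITELIST_DIR/$1-"*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Usage: VARMAC_WHITELIST_DIR=/root/VARMAC_WHITELIST sh whitelist.sh bssids.txt
if [ -n "${1:-}" ]; then
    whitelist_from_file "$1"
fi
```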