We looked at the script. It uses mdk3 alpha against the router only. If you use it do not try and spoof your mac with this program. Reaver requires different mac spoof handling.
It is great and useful!
bad_bobby I have successfully reset a BTHub3 router last year with only the command mdk3 mon0 a -a XX:XX:XX:XX:XX:XX. Just make sure you are close enough to your router, otherwise it won't work my friend; it has to be -50 and down, so -40 is better than -50 or -60. The closer you are, the better the chance of success.
Well, I'm using the same method (mdk3 mon0 a -a XX:XX:XX:XX:XX:XX -m), but after 3 restarts the router freezes. The router is a TP-Link model WR740N. How can I prevent this freeze?
I am trying to reboot a netgear CG3101D aka VM Superhub using the commands from the 1st page without any success regardless of how many clients are connected.
All I get is "AP seems to be invulnerable" - in airodump it shows only 5 clients are connected and the power fluctuates between 50 and 58.
I have tried cracking this with wifite, reaver and bully without any success unless I specify the pin in either reaver or bully so I assumed it was locking up without reporting it.
Anyone have any suggestions?
Rab.
Quote (BadFollower): It may actually be your card freezing from all the simultaneous commands pushing data from it. Also, the router may just be frozen and need a manual reboot.
Originally, I tried this without the -m switch but when it appeared I wasn't having any luck I changed it to include the switch.
Yes you are correct, I am using all 4 commands and the router is set to WPA auto for the security, and in airodump it is reported as WPA2 CCMP PSK.
Reaver and bully just seem to bypass the pin (1st 4 digits) as if the router is reporting it as wrong when the opposite is correct, hence my theory that the router is locking up without reporting it.
Hi!!!
Kali 3.12
MDK3 doesn't work....
Connecting Client: 00:00:00:00:00:00 to target AP: D8:FE:E3:08:XX:XX
Connecting Client: 00:00:00:00:00:00 to target AP: D8:FE:E3:08:XX:XX
AP D8:FE:E3:08:XX:XX seems to be INVULNERABLE!
Device is still responding with 500 clients connected!
Connecting Client: 00:00:00:00:00:00 to target AP: D8:FE:E3:08:XX:XX
AP D8:FE:E3:08:XX:XX seems to be INVULNERABLE!
Use Alfa ....036H
Connecting Client: 00:00:00:00:00:00 No clients to connection ...
Who can help?
I've had a Netgear router that doesn't report lockouts, but it still blocks WPS connections. If you can log into the router's webpage, 192.168.1.1, go under advanced setup, and then wireless settings, and scroll down to see if it says something like "Lock WPS after X failed attempts". If it says that it's locked in the admin webpage but not in wash, it really is locked but the router just doesn't report it in its beacon frames. It could be that the router blacklists your mac address after a certain amount of pin requests, though it is HIGHLY unlikely. Try spoofing your mac address after a failed attempt and if this works, I can direct you to a program that automates this process. Good luck and I hope I made sense!
@MWA (sorry, i forgot to click reply instead of add post =])
You need to use all 4 MDK3 commands a d b (and m if TKIP is enabled). When you run add -m to the end, but keep in mind it may crash airodump if you leave it open as it logs all thousands of clients. So one of your commands will look like this:

    mdk3 mon0 a -a D8:FE:E3:08:XX:XX

    mdk3 mon0 a -a D8:FE:E3:08:XX:XX -m
Script looks to be working fine, but every time I try to reset the router (TL-WR740N) it gets frozen. Wireless adapter is TP-Link WN722N. Where is the problem, is it the wireless adapter or...?
To BadFollower
Could you expand a bit - what is frozen? Is the router freezing, one of the Eterm pages freezing, or the whole program?
This program has two modes, manual and automatic. Manual mode lets you explore if the router can be reset, the approximate time to reset the router and if a WPS pin that is locked becomes unlocked temporarily. If you find a locked router that you can reset the WPS locking then you can move to automatic.
The Musket Team view is to not use Beacon Flood mode and use WPA Downgrade. We have found that when the WPA downgrade begins to give you a series of unable to connect to router or the router is resetting etc then the router has probably reset. In that case use the program controls and go to reaver and check. If the router has not reset go back to mdk3 attack. The program lets you jump back and forth in seconds. Airodump-ng will eventually freeze. We think the WPA Downgrade is the best indication of router reset.
The automatic mode should only be used once you are sure that you can reset the WPS pin. In automatic mode the program runs the DDOS for the time you selected then shuts down and runs reaver. Reaver will run till it sees in the text file the WPS locked string. It then shuts down and restarts the mdk3 pages.
Sometimes the router jumps channels. This will defeat the automatic mode. You will have to harvest WPS pins manually. When you are in manual mode there is a place in the menu that allows you to run airodump-ng and see if the router has jumped channels or simply has crashed and is resetting.
In the end there is no one method to reset these routers - each router reacts differently.
If you are unable to download atrophy.sh try the below link. Just click the link and enter the pin shown and download. If the file doesn't come, try a few times. There is no signup required.
atrophy.sh
http://www.axifile.com/en/B045D05996
To mmusket33
Well, I tried many ways to reset the router and everything is fine on the 1st and 2nd reset, reaver starts also, but on the 3rd the router (TL-WR740N) always freezes. I tried on a TL-WR741ND router, same thing happened. Also tried on a Tenda router, but there everything was fine. Maybe TP-Link devices crash or something, no idea...
Those trying to reset WPS locked routers and harvest pins should employ a combined arms approach at the beginning of the attack. If you find a router that you can reset upon command, which then results in an unlocking of the WPS system, this unlocked state will be temporary. Instead of using the automatic mode in atrophy we suggest you employ FrankenScript (FS). Use the WPS item three in the menu. Test all the default pins that this program provides. If these default pins do not work then you can use the automatic mode in atrophy. But this method is brute force with the added problem of having to reset the router over 1000 times. So employing FS in the early stages of the attack could save you much time.
If you download this file from http://www.mediafire.com/download/ie...zdb/atrophy.sh make sure you only use kali-linux, do not try and download with XP. If you download with XP it will look like you are downloading atrophy but in fact you will get a small exe file which, if you click on it, will send you to viral land.
If you download with kali-linux you will get the correct program. Just read the file name carefully. If it says downloader.exe or atrophy.sh.exe you do not have the program.
Again, use linux and you will get the correct program; this only happens with XP, or maybe Windows 7.
These WPS default pin generators won't work for the newest routers. I tested on a lot of routers and they won't work. The percentage of routers these generators work on is really low (got success on some Tenda routers).
Used your programme a couple of times today....
Here are what I hope are a couple of constructive comments
1) After selecting wash to scan for WPS networks your instructions read press Ctrl+C to copy; is it possible to do something similar to frankie and output the screen to a txt file?
2) When attacking with MDK (which works great) I would like to see random macs being used (would this make a difference to/impede the attack?)
3) After the attack you give the option to check the status of the AP using Aireplay but this doesn't work for me due to -1 - is it possible to add the ignore-negative-one to the options?
Just my Tuppence worth.
Rab.
I'm going to leave the coding part up to mmusket, but part 2 of your question: if you're suggesting that we add the -m switch so it authenticates real mac addresses, we already tried. Airodump doesn't like it using real mac addresses because it has to remember the hundreds of them sent per second, causing it to become unresponsive. You can, however, start and stop airodump as you please, but I don't think we're going to be able to put it in the script. (It does add a greater computational load on the AP though, so it is beneficial if you run the commands yourself.)
Nice work guys, hope you carry on improving it.
I had a quick attempt at writing a little script for MDK3 router reset. I could get airodump-ng to stop and start in a loop while the other commands were running, but I had issues with one of the commands not launching properly so I gave up; might have another go at some point.
It really depends on the environment and it depends on the hardware inside the router, but I generally like to use:

    mdk3 monX -a 00:11:22:33:44:55 -m
    mdk3 monX d -b blacklist -c X
    mdk3 monX b -t 00:11:22:33:44:55 -c X

If you can develop a way to check if the AP supports WPA-TKIP then also include:

    mdk3 monX m -t 00:11:22:33:44:55

Each one of those is in a different terminal window, and assuming you got the 20 reset loop for airodump, everything should work (of course depending on the environment).
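From the AP or wireless-IDS side, the bursts those modes generate (many never-seen station MACs authenticating per second, or a run of deauthentication frames carrying the AP's own address) stand out clearly from normal join traffic. The following is an added example, not code from the thread, from atrophy or from FrankenScript: a small Python detector over a constructed frame log that raises one alert per BSSID and flood kind once a one-second sliding window overflows. The CSV field names, the thresholds and the sample BSSID are assumptions.

```python
import csv
from collections import defaultdict, deque
from io import StringIO


def parse_frames(text):
    """Parse a CSV frame log (ts, subtype, src, bssid) into time-sorted tuples."""
    rows = csv.DictReader(StringIO(text))
    frames = [(float(r["ts"]), r["subtype"], r["src"].lower(), r["bssid"].lower())
              for r in rows]
    return sorted(frames, key=lambda f: f[0])


def detect_floods(frames, window=1.0, auth_threshold=20, deauth_threshold=20):
    """Return one alert per (bssid, kind) when a sliding window overflows.

    The auth kind counts DISTINCT source MACs (a fake-station flood shows up as
    many never-seen clients per second); the deauth kind counts raw frames,
    because a deauth flood spoofs the AP's own address, so distinct sources stay at 1.
    """
    alerts, fired = [], set()
    recent = defaultdict(deque)  # (bssid, kind) -> deque of (ts, src)
    for ts, subtype, src, bssid in frames:
        if subtype not in ("auth", "assoc", "deauth"):
            continue  # data and beacon frames are not part of this heuristic
        kind = "deauth" if subtype == "deauth" else "auth"
        q = recent[(bssid, kind)]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop frames older than the window
        count = len({s for _, s in q}) if kind == "auth" else len(q)
        threshold = auth_threshold if kind == "auth" else deauth_threshold
        if count >= threshold and (bssid, kind) not in fired:
            fired.add((bssid, kind))
            alerts.append({"bssid": bssid, "kind": kind, "ts": ts, "count": count})
    return alerts


def build_sample():
    """Constructed log (assumption): benign joins, then an auth flood, then a deauth flood."""
    ap = "d8:fe:e3:08:00:01"  # constructed BSSID, not a real device
    rows = ["ts,subtype,src,bssid"]
    for i in range(5):  # five real stations joining over 40 s: no alert
        rows.append(f"{100 + i * 10:.3f},auth,aa:bb:cc:00:00:{i:02x},{ap}")
    for i in range(60):  # 60 distinct spoofed stations inside half a second
        rows.append(f"{200 + i * 0.008:.3f},auth,02:11:22:33:00:{i:02x},{ap}")
    for i in range(40):  # 40 deauths in 0.4 s, source spoofed as the AP itself
        rows.append(f"{300 + i * 0.01:.3f},deauth,{ap},{ap}")
    return "\n".join(rows) + "\n"
```

Running `detect_floods(parse_frames(build_sample()))` yields an auth alert at the 20th distinct spoofed station and a deauth alert at the 20th frame, while the five genuine joins never trip either threshold.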
Cheers matey.
Getting airodump-ng to loop every 20 is the easy bit; actually I've already achieved that part. ;-)
The part I'm having issues with is that I don't know how to export the variables/commands to another script. Once I can do that all should be good.
Doesn't airodump-ng display that information?, or does it report false positives so to speak?.
Our Team has looked at Slim76's FS script. In an effort to get this project moving we think Slim76 has a far better grasp of coding than we do. We suggest he look at our approach, not necessarily the coding but the attack approach of manually determining the ability to reset the router and then an automatic mode adding his WPS defaults to the beginning of the attack and then going into a brute force mode. By the time we could get up to speed on the WPS default pin routines Slim76 could have the program written. He might even figure out how to determine if the router has jumped channels. We are still stuck in trying to figure out how to get an Eterm page to write a file of its output.
Would you believe it if I told you that I had never done any coding/scripting until a few days ago. LOL
To be honest I really don't know my head from my *** when it comes to coding LOL, cheers for the compliment though.
Right, I think I might nearly be there. Here's where I'm at:
I got all the commands to execute fine.
I got airodump-ng to loop stop/start every 30 seconds.
I don't know much about this attack so I'll need to be told what commands you want implemented and such.
Basically I think I need a step by step guide LOL.
United we stand, divided we fall ;-)
Sorry dude, its not a dumb question.
It's my fault for the way I worded it, and what I said. LOL
I thought airodump-ng showed the WPA-TKIP info, but I checked it after I posted the message and realised that it doesn't. LOL
So I guess the next step is to try and find a program that can display such info, surely there must be a program in kali?.
Update:
I just checked out kismet to see if it mentions if an AP is using WPA-TKIP and found the following:

    <encryption>WPA+TKIP</encryption>
    <encryption>WPA+PSK</encryption>
    <encryption>WPA+AES-CCM</encryption>
Is this what is needed?.
I'm not sure if I'm having trouble with the blacklist command or not; is the terminal meant to stay open or is it meant to close?
Oh I see, well it looks like I've hit another issue cause it doesn't stay open. :-(
I'm thinking it might have something to do with the variables as I couldn't even grep for the essid.
I did have everything working when it was in its own little script, the problems started when I merged it with FrankenScript.
I'll continue to try and fix it, hopefully it wont be long.
I might end up having to re-write FrankenScript, or worse case I'll have to put it back in its own little script.
That would stink. Quick note, I added -c X to mdk3 b. X is just the channel number. Crashing times are greatly reduced.
Ok, I successfully reset my router when I'm connected to my wireless, but if I'm connected to other wireless (not my own) the router freezes when I try to reset it. Any suggestion how to reset it when not connected to wireless?
Ok it's official, I'm a complete dumb ***! It wasn't working due to my own stupidness.
The problems I was having have now been solved, excluding the grepping issue.
Once I get the grepping issue solved I'll update FrankenScript with the MDK3 AP Reset attack, so if all goes well I'm hoping to upload it late tonight (fingers crossed LOL).
Why are resets only successful on an AP when there are clients connected to the target AP? If there are no clients on the target AP the router just gets stuck/freezes. Is there a way to make a successful reset on an AP without any clients?