I got the script working after restarting my computer, but I got the same issue now like described above me. Thanks for all the help, really appreciate it!
To marsrolled and YssDiamond
A common error with VMR-MDK by users is that when asked to enter the device, the user types the device, i.e. wlan0, rather than the line number of the device seen in the menu list of devices.
Suggest carefully going thru the set up.
Loading the modified version of mdk3 is not mandatory. This version is loaded to a folder in root and the VMR-MDK program will run that version if you select item 14 in the DDOS series. All other DDOS using mdk3 run from the installed version that comes with kali-linux.
Reference wifi devices - MTeams is in no way any authority here and is NOT qualified to recommend any devices. We use the AWUS036H; it works for us. There is however a lot of commentary in these forums on other devices. Suggest you post your question there and some forum member may assist you.
Thanks for the quick reply. I managed to get it to work: when I had to choose whether I wanted to use wlan0 or mon0, wlan0 didn't work for me and only mon0 worked. @marsrolled, I suggest you try mon0 instead of wlan0. The other good news is varmacscan is also working now for some weird reason. Thanks to you, musket and marsrolled. If you need any help just message me or reply here and I'll try to help you!
I've made another episode of my VMR series, showing you continuity. I received a lot of complaints from YouTube that the script doesn't continue, and some other ish.
Visit YouTube and search for "how to hack wps locked routers using vmr-mdk part 2".
Hope you enjoy it,
please like, share and subscribe.
Hi Chunkinz,
Saw the video, and thank you for your efforts.
Just wanted to ask: you attacked an unlocked WPS router. How about routers which are already locked? When you do a wash scan and WPS locked shows as YES, can we still use VMR-MDK to crack it? I have routers which automatically lock after 5-6 failed WPS PIN tries. Please help! Thanks
Hi All,
First of all thanks for this lovely script, but there are some concerns that I would like to point out.
I don't know if this is normal or not, because the attack is not successful.
Here are my observations:
So after running VMR-MDK-K2-2016R-011x9 script on my router TP Link WR740N
USB wireless adapter= TP Link WN722N
Kali Linux 2016 rolling
All updated
Here are the results
All settings as default with interface selected as Mon0
ATTEMPT 1
setting default as the script
reaver result:
p2 index set to 2
10002
90.95% complete
aireplay-ng reception test= association successful AID: 1
Client associated=yes
EAPOL Flood attack
wash WPS locked = NO
ATTEMPT 2
Reaver start/stop cycles remaining = 999
p1 index set to 3
pin count advanced 3
0.03% complete
WPS transaction failed code 0x0
aireplay-ng reception test: association successful AID: 1
Wash WPS locked= YES
client associated= yes
ATTEMPT 3
Reaver= Warning: receive timeout occured and continues
Sending EAPOL start request
aireplay-ng reception test= association successful AID: 1
Wash WPS locked= YES
client associated= yes
ATTEMPT 4
WPS transaction failed code 0x04
0.03% complete
sending EAPOl start request
trying PIN 1115670
aireplay-ng reception test= association successful AID: 1
client associated= yes, 2
MDK3 DOS 1 and 2 = client still responding with 1500 packets
Wash WPS locked=YES
ATTEMPT 5
Reaver start/stop cycles remaining = 996
Reaver:
Warning: receive timeout occured and continues
sending EAPOl start request ( cycle continues)
aireplay-ng reception test= association successful AID: 1
Wash WPS locked= YES
WPS not found
2 clients still connected
Router stops responding
Default router page doesn't open up
Restarted the router finally
Please advise.
Thanks.
Reference the use of the VMR-MDK script.
1. VMR-MDK is only effective against a SMALL number of routers.
2. Users should read the help files before employing.
3. Procedures for testing for the flaw are outlined there.
Reference the attack outlined by machx
ATTEMPT 1
Reaver is running the default pin 12345670 attack
Attempt 2
Reaver starts the brute force attack against the WPS system. Status of WPS unclear but pin count increased.
ATTEMPT 3 thru 5
Router appears partially locked
If the router provides more pins after resetting then this approach may work.
If the router stays locked and no more pins collected the VMR-MDK approach will not work.
Suggestion if VMR-MDK does not work
Test to see if the router automatically unlocks the WPS system after x number of seconds
From the command line(CL) run reaver
Make sure the -L is NOT in the CL.
Add the -l or --lock-delay to 100 "Set the time to wait if AP locks WPS pin attempt"
With a -l 100 reaver will attempt to collect pins every 100 seconds.
Run reaver and wait. If pin collection restarts just count the number of times reaver attempts to collect pins before pin count restarts.
For example, if reaver tries 10 times before pin count restarted then 100 times 10 = 1000 seconds.
Now set your -l to 1200 run reaver from the CL and sit back.
You can tweak the 1200 lower if the attack develops a pattern.
MTeams
Thank you MTeam,
I was wishing that you could take a look at my post, and you did.
Thank you for your advice.
I have observed that the router TP-Link WR740N is not vulnerable against this script.
After the DOS attack 1 and 2 , the router stops responding to any devices.
Router page doesn't show up, You have to manually restart the router.
Even after restarting the router the PIN doesn't disable. You have to manually disable the PIN if you want to continue with the attack.
The question is: If I install the old script which is VMR-MDK011x8 for Kali 1.1.0, will it work better than the new script on Kali 2016 rolling?
I have heard that this script gives false results on most Kali 2016 rolling editions.
Please advise, MTeam.
Thank you.
Reference VMR-MDK011x8, this script cannot be run in kali2.0 and 2016.
As for false results, MTeams is unsure which program is providing false results. MTeams has never seen any problems with the latest version.
We do get a lot of commentary about pin counts but this is because users do not read carefully the retest pin feature. Furthermore during setup many users input the wrong data causing the program to fail. If you youtube VMR-MDK you will find a new video that states VMR-MDK does not work because the user tested it against three routers. MTeams has no objection to the user stating the program was not effective against the routers attacked; however, during the setup the user input incorrect setup info.
VMR-MDK is an administrative script. It just runs various processes already installed in robotic fashion. Most of the newer script changes deal with avoiding network manager problems and handling differences in text output.
If you have info on false results please provide details. We use the script all the time with both 1.1 2.0 and 2016 and have seen no problems. Normally if the router locks we run up VMR-MDK and see if the flaw exists. If the attack collects pins we continue if not we try other tactics. VMR-MDK is just one small tool in the WPA Tool Box.
In closing we have heard the Network Manager problems are finally being addressed and will eventually filter down to users.
Thank you for your advice.
Could you let me know the settings you are using from 1 - 22?
I have tried to switch setting 22 to N,
Thank you M team.
The settings that your team uses and has proven to be successful, we can try and test on our routers and tweak a bit to get the best out of it.
To mmusket33:
----Yep, rest assured that I typed the number associated with the adapter we used. But after a few tests, I found out that the adapter I'm using is a weak packet capturer and sender, to the point that it barely sends packets. I think that's one big contributor to why I'm failing. I'm getting an adapter in a few weeks after I get my paycheck. I'd also consider whether it will work on the router I'm testing on and move on to the next if I'm failing. Also, how many wlan adapters do you suggest using on this particular tool? Thank you for replying, you're one good samaritan! We appreciate the tools you make! :o =)
To YssDiamond:
----Thanks bro, but isn't mon0 the ethernet wired connection though? Because I only have one wireless adapter, but anyway I'll give it a shot! And do you know the dlink-605L router? Just want to know if you encountered one, because that's the router I'm currently testing. Kind of sensitive, because it took me only 5-7 attempts before it locked. And also, how many wlan adapters are you using?
To machx
Choosing 22 = n just removes the default pin recheck.
If 22 = y/Y then the program runs two concurrent reaver attacks: a brute force attack checking all 11,000 WPS pins and occasionally a separate check of pin 12345670.
It was found that some routers would reset their WPS system to 12345670 if subjected to constant DOS processes. If reaver had already checked this key at the very start of the attack, reaver would slowly check all the pins, climb to 99.99% and spin endlessly. If the attack was restarted the WPS pin and WPA key would be found and the key was always 12345670.
It was also found that routers which never responded to any attempts to obtain pins for days would suddenly dump their WPS pin and WPA key. The key was always 12345670, then they would go back to being inert.
To marsrolled
The script only supports one adapter. MTeams sees no reason to use two. We tried DDOS with one adapter and trying to collect pins with a second device but that never worked. We tried DDOS at the same time as running reaver with one adapter and to our surprise reaver could collect pins through the DDOS fog if the adapter conducted both operations. That approach probably needs to be looked at again.
MTeams
To Mmusket33,
To be honest, Kali 2016 rolling is not great.
Because, the routers I could easily crack within seconds with Wifite with Kali 2.0 Sana.
Kali Rolling 2016, same version of Wifite R87, could not get the WPS PIN. Even after taking the router and the wireless adapter next to each other.
That's kind of funny, because I guess there is something wrong with Kali Rolling.
So I rolled back to Kali 2.0 Sana and Wifite cracks routers like a dream now.
I hope Kali 2.0 Sana is supported further more over the years.
I'm updating Kali 2.0 Sana, and I heard lot of great success with this version of Kali.
I will use VMR-MDK on this version again and get back to you with updates.
Thank you Mteam for your support.
I am not as pro as y'all guys, but I tried unlocking a router with the help of your script and it isn't trying a single pin. From the start of the program it says "AP RATE LIMITING".
I've tried all 15 MDK attacks but the router is still locked in wash, and reaver cannot brute force a single pin. Any suggestions? Please pardon me for my lack of knowledge in this field.
Hi mmusket33! I have a problem with ESSIDs containing special characters, e.g. ">>>LIDIO<<<" and "Arte&Papel". Is there a way to fix it? I tried to edit the script VMR-MDK-K2_2016R-011x9.sh but I did not find the line to correct. No log file is created in VARMACS_LOGS.
thanks.
To: sohilmalvat
The readme files note that the VMR-MDK approach only works with a small subset of routers. Suggest you consult the suggestions found in the readme on how to test for this vulnerability.
MTeams
Quick question, gentlemen and ladies: during the wash stage, I am getting bad FCS in the wash window. Would it be feasible to add the '--ignore-fcs' option to the wash line in the script? If not, how do you solve this dilemma? Thanks y'all
WPS transaction failed (code: 0x04), please help me!!!
Attachment 1740
I'm getting the exact same problem and I can't figure it out for the life of me. I've followed the steps both assuming that root is the home folder and that root is ./. I first tried it running Kali Live USB with 2016.1r, and then I tried installing, thinking it wasn't taking. Both of those failed, so I tried Kali Live USB 2.0 Sana, and that failed also. I'm at my wits' end! The following are the responses I get no matter what I try:
bash: ./mdk3-v6/mdk3: No such file or directory
bash: /root/mdk3-v6/mdk3: No such file or directory
what am I doing wrong?
You should not try and run this program from a live usb. Either use a hard drive install or a persistent usb. Do not try and run a usb with luks encryption.
Make sure you are using VMR-MDK-K2-2016R-011x9.sh not older versions
This program only works with a small number of routers. Read the help files and run the tests suggested. If the router shows the vulnerability then continue. If not try a different approach.
Suggest you run varmacscan constantly when the computer is idle.
MTeams
I am running kali 2016.1 on a hard drive install and I'm using VMR-MDK-K2-2016R-011x9. I wish I could get far enough to use VMR-MDK-K2-2016R-011x9.sh but I can't even get /root/mdk3-v6/mdk3 to work. It keeps giving me the following error no matter what I try:
bash: /usr/local/sbin/mdk3: No such file or directory
Even though I'm looking right at it when I run a dir command...very strange.
Never mind, I found out what was wrong...you need to be running the 32-bit version of Kali. The 64-bit version of Kali returns the no file error even though it means it doesn't have the library to run 32-bit programs such as your mdk3. Thanks so much for your quick reply!
If I had only seen this thread 5 mins ago I wouldn't have just wiped my whole VM machine and started over. Thank you for pointing this out, I was at a complete loss for where mdk3 went.
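The "No such file or directory" error from the posts above, as an added example that is not part of the original thread or of VMR-MDK: on Linux, exec returns that error when the dynamic loader named inside an ELF binary is absent, which is what a 32-bit binary hits on a 64-bit install without 32-bit libraries. The function names (`rd`, `elf_class`, `elf_interp`, `diagnose`) are hypothetical, little-endian ELF is assumed, and the script also reports 64-bit and static binaries, which goes beyond the case in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): why exec can report "No such file or
# directory" for a file that exists. Assumes little-endian ELF and od/awk/dd/tr.

# rd FILE OFFSET N: N bytes at OFFSET as one unsigned little-endian integer.
rd() {
    od -An -v -tu1 -j"$2" -N"$3" "$1" |
        awk '{ for (i = NF; i >= 1; i--) v = v * 256 + $i } END { printf "%d\n", v }'
}

# elf_class FILE: missing | not-elf | elf32 | elf64 (EI_CLASS is byte 4 of e_ident).
elf_class() {
    [ -f "$1" ] || { echo missing; return 0; }
    [ "$(od -An -v -tx1 -N4 "$1" | tr -d ' \n')" = 7f454c46 ] || { echo not-elf; return 0; }
    case $(rd "$1" 4 1) in
        1) echo elf32 ;;
        2) echo elf64 ;;
        *) echo not-elf ;;
    esac
}

# elf_interp FILE: print the PT_INTERP path (the dynamic loader the kernel must
# open before the program can start); prints nothing for a static binary.
elf_interp() {
    case $(elf_class "$1") in   # header field offsets differ for ELF32 and ELF64
        elf32) phoff=$(rd "$1" 28 4); phsz=$(rd "$1" 42 2); phnum=$(rd "$1" 44 2)
               o_off=4; o_len=16; w=4 ;;
        elf64) phoff=$(rd "$1" 32 8); phsz=$(rd "$1" 54 2); phnum=$(rd "$1" 56 2)
               o_off=8; o_len=32; w=8 ;;
        *) return 1 ;;
    esac
    i=0
    while [ "$i" -lt "$phnum" ]; do
        base=$((phoff + i * phsz))
        if [ "$(rd "$1" "$base" 4)" -eq 3 ]; then        # p_type 3 = PT_INTERP
            off=$(rd "$1" $((base + o_off)) "$w")        # p_offset
            len=$(rd "$1" $((base + o_len)) "$w")        # p_filesz
            dd if="$1" bs=1 skip="$off" count="$len" 2>/dev/null | tr -d '\000'
            return 0
        fi
        i=$((i + 1))
    done
}

# diagnose FILE: one-line verdict. "loader-missing" is the case the shell
# reports as "No such file or directory" although FILE itself is present.
diagnose() {
    cls=$(elf_class "$1")
    case $cls in missing|not-elf) echo "$cls"; return 0 ;; esac
    interp=$(elf_interp "$1")
    if [ -z "$interp" ]; then echo "$cls static"
    elif [ -e "$interp" ]; then echo "$cls loader-present $interp"
    else echo "$cls loader-missing $interp"
    fi
}

# Usage: sh elfcheck.sh /path/to/binary
if [ $# -gt 0 ]; then diagnose "$1"; fi
```

A `loader-missing` verdict on an `elf32` binary means the system lacks the 32-bit loader and libraries; the binary itself is intact.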
Reference the modified mdk3 program that comes in the VMR-MDK download package. This mdk3 version does not replace any installed mdk3 program. The modified version is installed in root and the program only accesses the modified mdk3 in root if you select a DDOS process that calls for invalid essid. Hence if you cannot install the modified mdk3 program VMR-MDK will run fine. All that will occur is if you select an invalid ESSID DDOS process in the config file the Xterm window will not run the process. Just change the DDOS process in the config file to any other process thru leafpad or another text editor and continue.
Musket Teams
hi friends.
no config files?
I was wondering if anyone has run into this issue.
I can only run it through one cycle and then it dies and spits out this line:
usage: VMR-MDK-K2-2016R-011x9.sh <start|stop|check> <interface> [channel or frequency]
Everything else runs smoothly; just trying to get it to continue running has proven to be an issue.
I have chmod'ed to 755
also manually killed _supplicant & network-manager
Any ideas?
Thanks again for writing this!
MTeams saw this occur during program construction. We had to slow the routines down so all commands between the wifi device and the computer could be completed successfully.
Are you using luks encryption or a usb cable connection to your wifi device longer than 5 meters? You are losing your connection to your wifi device. When the program tries to spoof the mac addresses etc. it cannot start your device.
Since you state the program runs successfully for one complete cycle, it is probably not in your initial setup. However, make sure you select line numbers for your devices when asked; do not enter mon0 or wlan0mon etc. This is a common error.
MTeams
I'm very grateful for the script. Nicely done. But I'm getting the same problem whatever I do. It keeps repeating the pin 12345670 on and on. WPS transaction failed (code 0x04). The script is running fine. And I set all the things as they should be, as the video shows. Injection is working. And I get a handshake. What am I doing wrong? Got the same problem running reaver on its own without this script. Please can someone help me out?
To Pietje
You probably are doing nothing wrong. The router is simply not responding. You could try bully; try using AAnarchy's version, the link can be found in these forums. MTeams also suggests that when your computer is not in use you run varmacscan. Sometimes routers that do not respond to reaver pin requests suddenly begin functioning. Varmacscan will attack all WPS enabled routers within reception range.
Musket Teams
Thanks for answering so quickly, I'm going to look into it ASAP. :)
Hi everybody, my question is how to increase stage 2 to more than 90s?
I have the same question too, please help us.
In the config file there is a selection to recheck pin 12345670 every x cycles. If you selected y/Y then the program at start will check that pin for 90 sec. On cycle two the program will start the brute force attack for the length of time set in the config file. Read the help files for further.
MTeams
From my testing, I am starting to get the feeling that when I change the MDKTYPE1 variable I tend to collect more pins. Is it possible that we can be more successful if we change attack type on every cycle, or is it just me?
To NeoCore,
VMR-MDK was written from responses seen from WPS locked routers in real time. MTeams never tested a variable DDOS approach. Therefore if you have a target that responds to variable DDOS please run some tests and find the sequence of DDOS that provides better results. MTeams will write a patch for you to allow the sequence(s) you require. If you find the sequence(s) work, an update to VMR-MDK will be published to allow this feature for community use.
Musket Teams
Hi friends and thank you for your help and patience.
Up till today I used the TL-WN722N and it did a very good job (a slow one... but good).
Today I had the ALFA AWUS36NH and it feels like it's not working properly.
I need help with VMR-MDK. When the WASH process starts I get the "ERROR FCS".
I found out that with the alfa-36NH I need to command it like this: wash -i mon --ignore-fcs or wash -i mon -C.
Since it is an auto script, what do I need to do to make it work?
thank you.
To 1stcowgirl
Here is your -C patch. You need to change two lines of code only
Open the script with leafpad
Go to line number 5077
ctrl g and enter the line number will take you there
You will find the following:
xterm -g 100x30-1+1 -T "Wash" -e "wash -i $MON 2>&1 | tee VARMAC_WASH/wash01.txt" &
Change the line by adding your -C
xterm -g 100x30-1+1 -T "Wash" -e "wash -i $MON -C 2>&1 | tee VARMAC_WASH/wash01.txt" &
Go to line 7901
You will find:
xterm -g 100x30-1+1 -T "Wash" -e "wash -i $MON 2>&1 | tee VARMAC_WASH/wash01.txt" &
Change the line by adding your -C
xterm -g 100x30-1+1 -T "Wash" -e "wash -i $MON -C 2>&1 | tee VARMAC_WASH/wash01.txt" &
Note there are similar lines of code with a # at the beginning. The # turns the line into a remark and the computer ignores this so make sure you enter the -C in the right line and after the $MON
Test your script
We will add this if we ever offer an update.
Musket Teams
In the last year MTeams has seen WPS locked routers when subjected to the VMR-MDK process which give up pins while locked for a period and then stop. The WPS locked status does not change. After a few days usually if the channel has changed the WPS locked router gives up more pins and then stops again.
Spoofing the mac address to an associated client seems to obtain more pins but this view is subjective. We also have only a few routers in our areas of operation which respond in this manner.
We think the router freezes as aireplay-ng -1 also stops obtaining any router response.
The DDOS process was only 15 to 20 sec. More than that just seems to lock the router completely.
Musket Teams