
Thread: Varmacreaver.sh Available For Free Download

  1. #21 (Senior Member, joined Jun 2013, 123 posts)
    musket... great stuff... thanks for the share!

  2. #22 (Senior Member, joined Jul 2013, 765 posts)
    After dealing with the vagaries of sticky and unresponsive routers, Musket Teams have expanded the functions in varmacreaver in an effort to improve WPS pin harvesting.

    The following has been added to the existing program:

    1. The ability to send a short deauthorization burst prior to starting a reaver attack cycle. We have found that routers which were initially unresponsive to reaver requests for keys began to respond when deauthenticated.

    2. Assigning a specific mac address. In some cases, if a client is seen associated with a target router that has been unresponsive, spoofing the mac address of that client results in WPS pin harvesting.

    3. Running an aireplay-ng fake authentication in parallel with reaver to help stimulate router response.

    4. Running Airodump-ng to improve monitoring of the attack.

    5. Installing a countdown timer on the main attack page to allow fine tuning of the -r x:y command and adjusting the attack cycle length.

    You can download varmacreaver1A.sh at:

    http://www.axifile.com/en/047EF3EAD5

    Musket Teams A and D
    Last edited by mmusket33; 2014-04-11 at 01:00 AM.

  3. #23 (Junior Member, joined Apr 2014, 4 posts)
    Quote Originally Posted by mmusket33 (post #22 above, quoted in full)
    Thank you Musket!

  4. #24 (Senior Member, joined Jul 2013, 765 posts)
    We have found bugs in the fixed mac module. We are still testing these versions trying to smooth out the key harvesting.

    You can download varmacreaver1D.sh at:

    http://www.axifile.com/en/5151495380

  5. #25 (Junior Member, joined May 2014, 1 post)
    Could you add an option to specify an ESSID for hidden network names?

  6. #26 (Senior Member, joined Jul 2013, 765 posts)
    We will do this - but we will need your advice as we have no way of testing the command string to see if it is functioning properly and all our scripts are tested prior to release. So our question(s) is/are as follows:

    For hidden -essid names

    1. Should we leave the mac address in the command string and just add an essid entry, or remove the mac address and replace it with the essid entry? Or should there be options for both?

    Please expand on this theme any way you wish that you think would be helpful. Putting these options in the script should take little time once we get an idea of what you require.

    MTB

  7. #27 (Junior Member, joined Jul 2014, 4 posts)
    @mmusket33 Thanks! This is certainly helping my efforts!

    One concern/issue I have that may be worth adding to varmacreaver is the ability to change channels and/or test for a channel change of the AP. Quite often I'm finding that after about 30 minutes or so, the router will change channels and then varmacreaver will continue to run and all the logs will say failed to associate after the channel change. I have to close and restart the process. In my case, the router jumps between the same two channels. Is there a way to automate a channel change so varmacreaver can continue to run unattended?

    A few other comments:
    • I can't use wash directly from the program... I need to append --ignore-fcs. Can you add an option or detection for this?
    • I've read that airmon-zc works better for some people... It "seems" to work better for me, but varmacreaver with airmon-ng seems good. Any thoughts on this?
    • Also, in AIREPLAY-NG FAKEAUTH there are some errors, but it doesn't seem to heavily affect reaver that I can tell:
      Code:
      No Source MAC (-h) specified. Using the device MAC (xx:xx:xx:xx:xx:xx)
      Waiting for beacon frame (BSSID: yy:yy:yy:yy:yy:yy) on channel -1
      Couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch
      Please specify and ESSID (-e)
      xx.. mac is the "Random Mac Address"
      yy.. is the target AP mac address

    Thanks,
    Gismo.

  8. #28 (Senior Member, joined Jul 2013, 765 posts)
    To gismo,
    Musket Teams need to rewrite this script to handle negative-one errors. We have noted your comments and will try and augment as time permits.

    We ran a test and changed all the airmon-ng entries to airmon-zc. The program seemed to run but we got some very strange wifi and monitor designations. Furthermore macchanger did not seem to like airmon-zc. The eterm windows did seem to run correctly though.

    As to scanning for channel hopping, we will have to give that a bit of thought. You might take a look at auto-reaver; you can find the download, and how to rewrite it so it will run in Kali, in the forums. This is not our work and we are studying this program's potential as we speak.

    MTA

  9. #29 (Junior Member, joined Jul 2014, 4 posts)
    Hey MTA,

    Thanks for the quick reply! (I appreciate that.) Thanks for doing some testing as well. Yea, I agree, the monitor designations get funky with airmon-zc. In using it with reaver, manually, the monitor was wlan0mon. Then I would reset everything to change the channel and somehow wlan0 would get renamed to wlan0mon. So when restarting monitor mode, it would become wlan0monmon. Anyway, I'm sure there's a fix for that or a way to clean it up, but I couldn't figure it out. I guess I'm wondering if there is any actual benefit or reason to use ng or zc.

    Another thing I am testing is ReVdK3-r1. So far results are promising. Using the EAPOL start requests to reset the lock (Option 2) seems to be working much faster than varmacreaver alone at this point. Have you considered bundling this into varmacreaver? ...or injecting varmacreaver inside this tool?

    thread link: https://forums.kali.org/showthread.p...struction-Mode

    Thanks!
    Gismo

  10. #30 (Junior Member, joined Oct 2013, 8 posts)
    @gismo; @mmusket

    I really appreciate the reaver helper scripts that have been coming out. I was hoping that if a consolidation of reaver helper scripts did occur, you could make the scripts able to run from any terminal and not specifically tied to one particular terminal client (i.e. gnome-terminal).

    Below is an example of how I was able to make Revdk3-r1.sh work without requiring gnome-terminal. The end result was that the whole script ran from a single terminal window.

    Example taken from Revdk3-r1.sh:

    Code:
    gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progress' -e "mdk3 $MON1 a -a $MAC -s 200" &
    gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progress' -e "mdk3 $MON2 a -a $MAC -s 200" &
    gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progress' -e "mdk3 $MON3 a -a $MAC -s 200";
    Modified to look like:

    Code:
    mdk3 $MON1 a -a $MAC -s 200 &
    mdk3 $MON2 a -a $MAC -s 200 &
    mdk3 $MON3 a -a $MAC -s 200;
    I just did a quick hack-job on the script, so I still have to ctrl-c & ctrl-z when I want to get the script to stop. It still beats having windows pop up, and it allows the script to be run from other terminal clients.

    Another suggestion would be to optionally have the script connect to the router using wpa_cli:
    Code:
    wpa_cli wps_reg [ap mac-add] [wps pin#]
    dhclient wlanX
    Best regards,
    Last edited by 0E 800; 2014-07-07 at 11:24 PM.
