Hello All,
Any clue where the original posting went? I was showing a buddy the guide that was written out, but noticed it says content deleted. Does anyone have the original?
Thanks!
Hello All,
Any clue where the original posting went? I was trying to show a buddy the post, but noticed the "Content Deleted" on the original post. Anyone have the original guide?
Thank you very much!! It helped but didn't solve my problem... I used your code and at least I didn't get the "re-trying in 60 seconds" thing, but it is stuck on 0.04% and doesn't want to go further... so it's the same as it would be with the 60 seconds retrying..
I'm really confused how I could hack this WPS locked WPA2-PSK router..
Maybe you could tell me your email so we can talk, or TeamViewer or VNC? Or if you don't want that we can keep messaging here! I don't want to give up. And thanks everyone for helping!
Just please someone tell me what to do. Maybe I didn't unlock the WPS successfully?
Have a look here http://code.google.com/p/reaver-wps/.../detail?id=167
I haven't read through it myself but that is the main area for problems related to reaver, or do a Google search for "WPS transaction failed (code 0x02)".
Rab.
Here is what i am using to get around locks...
while :; do echo
echo "starting reaver...";
echo y|reaver -i mon0 -b <bssid> -c <channel#> -g 5 -vv
echo ...
echo ...
echo ...
timeout 10s mdk3 mon0 a -a <bssid> -m
sleep 60
done
First off, you need to run "apt-get timeout install" to get the timeout app. After that the script should work. The first part starts reaver, restoring the session and executing 5 attempts before exiting. The second part executes the mdk3 command, which will time out after 10 seconds of running. At this point, the router should be rebooting (at least the one I'm trying it on did). Next, a sleep for 60 seconds allows the router to reboot, and then the script loops back to the beginning.
hello FAHQ please please explain more, how can i put the commands ?
hello is there any help from you FAHQ ?
hello ppl is there any trick to unlock locked wps ?
any clue guys ?
Make a blank document in your root folder called reset.sh. Then, open the document in a text editor and paste this into it:
Code:
while :; do echo
echo "starting reaver...";
echo y|reaver -i mon0 -b <bssid> -c <channel#> -g 5 -vv
echo ...
echo ...
echo ...
timeout 10s mdk3 mon0 a -a <bssid> -m
sleep 60
done
Replace the values inside the code with the values of your target. If you don't know what I mean by that, then learn the basics of aircrack and reaver.
When you're done, open terminal and run:
Code:bash reset.sh
To everyone-another effective method to unlock wps mechanism on a wps router!
Quote Originally Posted by repzeroworld
TO: EVERYONE- EFFECTIVE WAY TO RESET A MODERN CISCO ACCESS POINT BY FLOODING FOR 10-20 SECONDS!
I have found a way to effectively flood a new model (manufactured either in 2012 or 2013) Cisco router to make it reboot with a WPS locked status of "NO". Also I will prove that using Authentication DOS mode flooding has no effect on THIS router!
DETAILS OF THIS ROUTER
From one of the M1 EAP packets captured from my wireless card, details of this router are as follows
bssid c8:d7:19:0a:bf:35
Manufacturer: Cisco
Model Number: 123
Serial Number: 12345
Model Name: WAP
Channel type: 802.11g (pure-g) (0x00c0)
I did some research using these details and found out that this access point was modern in age.
Behaviour of this CISCO Router
This type of router is not affected by a script changing your MAC address. Also, if you try 3 pins the router starts an exponential clock that rate limits the next couple of pins reaver tries, and then the router totally locks itself for one/two days.
Even if I gave reaver the option to try 1 pin every 3 minutes (worthless).. after a couple of pin attempts it locks up for one/two days.
I will release my method for sure.. give me a couple of days for a nice video presentation!
EFFECTS OF USING MY METHOD
I haven't seen anyone discussing the method which I am going to reveal, but it relates to using mdk3.
After using my method the router reboots and it needs some time to "thaw off" before sending EAP again... this is roughly around a couple of seconds.. if you don't leave it to thaw off and use the reaver command, you will receive a lot of EAP timeout messages before the router catches itself. But it is worth it rather than waiting for days for the router to unlock itself!! Also, it hops to another channel when it reboots, so it is not wise to run reaver with a -c flag... I suppose this COULD be part of Cisco's security mechanism feature..
ANOTHER EFFECTIVE WAY TO REBOOT A WPS ACCESS POINT AND RESET WPS LOCKED STATUS TO “NO”
THIS LINK *REMOVED* HAS A VIDEO I HAVE DONE TO SHOW HOW I USE THE TWO ATTACKS AND WHICH ONE WAS MORE EFFECTIVE WITH THIS PARTICULAR AP.
BRIEF NOTES
I focused on the stated Cisco Access Point that I came across with the new exponential wps mechanism.
THE TWO ATTACKS I USED ARE:
1. MDK3 Authentication DOS Flood Attack- floods the AP with too much fake clients so that the router is overloaded
2. EAPOL Start Flood Attack- Authenticates to the AP and sends too much EAPOL Start requests so that the router is unable to respond to the volume of EAPOL requests and reboot itself.
MDK3 AUTHENTICATION DOS FLOOD ATTACK
This attack is useful on SOME routers. The important point to note is HOW I USE THESE ATTACKS!.
( I have three wireless adapter- AWUS036NHA, AWUS036NH and TP-LINK 722N and I use AWUS036NHA and AWUS036NH to carry out this attack numerous times)
HOW I ATTACKED THIS ACCESS POINT USING AUTHENTICATION DOS FLOOD ATTACK
I started my wireless card on three monitor interfaces, mon0, mon1 and mon2.
In three terminals, I used the command lines
mdk3 mon0 a -a C87:19:0A:BF:35 #TERMINAL 1
mdk3 mon1 a -a " " " # TERMINAL 2
mdk3 mon1 a -a " " " #TERMINAL 3
Note:
I ensured that the router was WPS locked permanently so that I could test the effectiveness of the attack. Also, a point to note, I did not use one command line with one monitor interface since it was futile. I blasted the router on three monitor interfaces! Now I am blasting away at the router for hours! After blasting away, the Access Point is still locked! I tried this attack for days to convince myself!
MDK3 EAPOL START FLOOD ATTACK
I started my wireless card on three monitor interfaces, mon0, mon1 and mon2
mdk3 mon1 x 0 -t C87:19:0A:BF:35 -n Riznet -s 100 #TERMINAL 1 (SEE VIDEO FOR REASON OF USING -S 100 FLAG)
mdk3 mon1 x 0 -t " " " -n Riznet -s 100 # TERMINAL 2
mdk3 mon1 x 0 -t " " " -n Riznet -s 100 #TERMINAL 3
Note: I tried again using 1 monitor interface to carry out the attack, but it took hours for the router to reboot and I was not sure if the attack was the main reason for the router rebooting! In this scenario I tried blasting the router in three terminals. This “Shock Attack” method ran for about 20 seconds and the router rebooted with WPS locked status as “NO”. I TRIED THIS ATTACK A COUPLE MORE TIMES FOR ABOUT 20 SECONDS WITH THE ACCESS POINT REBOOTING AND UNLOCKING ITSELF (WPS)!! Also, packet analysis significantly helped me to understand the connection between EAPOL and a router's behaviour towards open authentication requests, which makes it impossible to stick to one method for flooding ALL APs (see the video link above).
BASH SCRIPT WRITING
Soon I will write a bash script to execute all the steps in my video (I need time to chill….).
OTHER ACCESS POINTS INVESTIGATED
I have also assessed the behaviour of three other Cisco access points that rate limit pins in a systematic way but did not lock up in an exponential manner! I will give an update if I do come across any other access points that behave somewhat differently. Do share your experience in relation to any new updates on WPS!
Last edited by g0tmi1k; 2014-12-09 at 15:12. Reason: Youtube
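From the defender's side, the two floods described in the post above have distinctive signatures: an authentication flood shows up as many different client MACs authenticating to one BSSID within a second, and an EAPOL-Start flood as a burst of EAPOL-Start frames to one BSSID far above what a real supplicant sends. The following Python detector is an added example, not code from this thread or from any of the scripts it discusses; the log format, the thresholds and the client MAC addresses are assumptions constructed for the example, and the BSSID is the one quoted in the post.

```python
# Added example, not from this thread or the ReVdK3 script: a small detector for the
# two flood patterns described above, run over a constructed frame log.
# Log format (constructed for this example): "<seconds> <src_mac> -> <bssid> <kind>"
# where kind is "auth" (802.11 authentication request) or "eapol_start".
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float    # capture time in seconds
    src: str     # transmitter MAC
    bssid: str   # access point the frame is addressed to
    kind: str    # "auth" or "eapol_start"


def parse_log(text):
    """Parse the constructed log format into Frame records (MACs lower-cased)."""
    frames = []
    for line in text.strip().splitlines():
        ts, src, _arrow, bssid, kind = line.split()
        frames.append(Frame(float(ts), src.lower(), bssid.lower(), kind))
    return frames


def detect_floods(frames, window=1.0, max_auth_clients=20, max_eapol_starts=30):
    """Bucket frames per BSSID into fixed windows and flag two signatures:

    - auth flood: more than max_auth_clients distinct source MACs sending
      authentication requests to one BSSID inside a window (a fake-client
      flood looks like many stations appearing at once);
    - EAPOL-Start flood: more than max_eapol_starts EAPOL-Start frames to one
      BSSID inside a window (a real supplicant sends a handful at most).

    Thresholds are assumptions for this example; tune them to the site.
    Returns a list of (bssid, alert, window_start, count) sorted by time.
    """
    auth_sources = defaultdict(set)   # (bssid, bucket) -> distinct client MACs
    eapol_counts = defaultdict(int)   # (bssid, bucket) -> EAPOL-Start frames
    for f in frames:
        key = (f.bssid, int(f.ts // window))
        if f.kind == "auth":
            auth_sources[key].add(f.src)
        elif f.kind == "eapol_start":
            eapol_counts[key] += 1

    alerts = []
    for (bssid, bucket), sources in auth_sources.items():
        if len(sources) > max_auth_clients:
            alerts.append((bssid, "auth_flood", bucket * window, len(sources)))
    for (bssid, bucket), n in eapol_counts.items():
        if n > max_eapol_starts:
            alerts.append((bssid, "eapol_start_flood", bucket * window, n))
    return sorted(alerts, key=lambda a: a[2])


def build_sample_log():
    """Constructed sample: benign traffic, then the two flood shapes against
    the BSSID quoted in the post. Client MACs are made-up locally administered
    addresses."""
    ap = "c8:d7:19:0a:bf:35"
    lines = [
        f"0.10 02:11:11:11:11:01 -> {ap} auth",
        f"0.40 02:11:11:11:11:02 -> {ap} auth",
        f"0.50 02:11:11:11:11:01 -> {ap} eapol_start",
    ]
    # second 10: 25 different "clients" authenticate within 0.75 s
    for i in range(25):
        lines.append(f"{10 + i * 0.03:.2f} 02:00:00:00:00:{i:02x} -> {ap} auth")
    # second 20: one station sends 100 EAPOL-Start frames within 0.9 s
    for i in range(100):
        lines.append(f"{20 + i * 0.009:.3f} 02:22:22:22:22:22 -> {ap} eapol_start")
    return "\n".join(lines)


if __name__ == "__main__":
    for bssid, alert, start, count in detect_floods(parse_log(build_sample_log())):
        print(f"{bssid} {alert} at t={start:.0f}s ({count} in one window)")
```

The benign traffic in the first second (two clients, one EAPOL-Start) produces no alert, while the two constructed bursts each produce one. A wireless IDS would feed the same logic from a monitor-mode capture instead of a text log; the per-BSSID windowing is what separates a flood from a busy but normal network.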
Your approach is both novel and intriguing. Those involved with the matter of reseting routers remotely should study this closely.
We realize successful WPS reset is dependent on a number of factors to include router make,signal strength and clients associated just to name a few. However Musket Teams will attempt to duplicate your results - however we will only report if we are successful.
hello hello friends thank you so much soxrok2212 you are great guy i am so grateful for your help
..........
Last edited by repzeroworld; 2014-04-13 at 15:32.
TO: EVERYONE-THREE OTHER ACCESS POINTS THAT WERE DEFEATED BY THE MDK3 EAPOL START ATTACK!!
I have underestimated this attack! IT WORKS ON ALMOST ALL THE APs THAT I PICKED UP THAT HAVE THE WPS RATE LIMITING FEATURE..
Although some APs refuse to accept too many EAPOL packets, once mdk3 authenticates it floods the AP quickly until a deauthentication packet is sent from the AP to break the connection.
FOR FURTHER PROOF, CHECK ANOTHER VIDEO POSTED ON MY CHANNEL
LINK *REMOVED*
Also, instead of running three attacks in three terminals, I used one terminal to carry out three attacks RUNNING AT THE SAME TIME, using
EXAMPLE
#timeout <seconds> mdk3 mon0 x 0 -t <bssid> -n <essid> -s <no. of packets/sec> & timeout <seconds> mdk3 mon1 x 0 -t <bssid> -n <essid> -s <no. of packets/sec> & timeout <seconds> mdk3 mon2 x 0 -t <bssid> -n <essid> -s <no. of packets/sec>
PENDING: I AM CURRENTLY WRITING A GENERAL INTERACTIVE BASH SCRIPT TO CARRY OUT ANY MDK3 ATTACK USING MY METHOD WITH REAVER! I WILL POST ONCE FULLY FINISHED. IF ANYONE HAS A SCRIPT FOR REAVER AND MDK3 (TO CARRY OUT ANY ATTACKS) DO SHARE SO THAT I CAN COMPARE IT WITH MY WORK IN PROGRESS SCRIPT!
Last edited by g0tmi1k; 2014-12-09 at 15:11. Reason: Youtube
I have finally finished a script that took me a couple of days to complete. I would be grateful if others can test this out. What the script does:
1. It asks the user for information on the target
2. It runs reaver and waits until reaver detects the AP is rate limiting pins
3. When the AP is 'rate limiting pins', the script pauses reaver and floods the AP for a time you choose
4. After flooding, it detects if the AP is still rate limiting pins; if it is, then it continues to flood the AP until it unlocks itself
5. Once WPS is unlocked, the script continues reaver
those interested in testing can send me a email or a private message on my channel.
*REMOVED*
cheers!
The script is also shared through torrent but it takes a while to upload. the link below is the location of the torrent
http://www.legittorrents.info/index....&page=torrents
Last edited by g0tmi1k; 2014-12-09 at 15:11. Reason: youtube
Wow, I never expected to see this thread reach 50,000 views. I guess it's pretty popular. I'm very doubtful here, but is there anyone who knows how to make a full GUI with all the methods posted by various users here? It would include options of:
1.) mac changing after a specified number of pin trials
2.) reaver incorporated, of course ;D
3.) MDK3 auth flood
4.) beacon flood
5.) MIC failure
6.) deauth
7.) EAPOL failure
More??
It would just be nice to have a full GUI for EVERYTHING posted by users here... plus having a few terminal windows open and typing in the commands every time is a bit annoying. I'm not talking a script here, a full blown GUI.
I'm doubtful but the community here is pretty big. And maybe, just maybe we could get it pushed to be a standard tool in Kali!
Musket Teams wish to note that there are no mac address spoofing routines written into ReVdK3. Users will be broadcasting using their hardware installed mac address. We have no comment on the program itself as until we write these routines into the script we will only do cursory tests.
Please note I have written the little script ReVdK3 for free distribution and to contribute worthily to the Kali Linux forum and mdk3 team;
it is COMMON COURTESY for any team or individual that wants to improve this script to request my consent or create the script
with an invented name of their own. This is because improvement of this script is set aside by me in the near future....thank you...
A Peer Review of ReVdK3
This thread will not discuss the ability of Revdk3 to actually reset a router.
Musket Teams have been working with soxrok2212 since this mdk3 approach to reset routers remotely was conceived. The current ReVdK3 approach by repzeroworld is novel, hence once we got a copy of the program we tested it in our lab.
This program tries to run three(3) mdk3 attacks from a single terminal window process using $MON1, $MON2 and $MON3 (i.e. mon0, mon1, mon2). We have tested the stock ReVdK3 and find no indication that $MON2 and $MON3 are functioning.
When running ReVdk3 against the targetAP, Airodump-ng clearly shows only one(1) mdk3 process running.
To prove these processes were not masking themselves one over the other, we ran the three(3) processes in separate terminal windows, first manually, then in Eterm and Xterm windows. Airodump-ng clearly shows all three(3) processes functioning when run from separate terminal windows, and only one(1) process when running ReVdK3.
To further prove this we gave each monitor ie $MON1, $MON2, $MON3 an individual mac address. When running the three(3) mdk3 attacks from Eterm windows embedded in the reVdk3 program these different mac addresses were expressed in the Eterm window AND airodump-ng showed data transference from these three(3) monitor/mac address pairs. When we ran the stock ReVdk3 only a single process running $MON1 was seen.
We believe the authors original approach using three(3) terminal windows was the correct one.
If you want to run three(3) separate processes off the physical device $WLAN from a bash script you need to run Eterm or Xterm windows, one(1) for each process.
As the author has expressed a desire to view other work on the subject, a copy of a possible Eterm window solution starting at line 438 in the stock program can be seen below:
if [ "$MDK3_MAIN_MENU_OPTION" = 2 ]; then
Eterm -g 80x10-1-400 --cmod "red" -T "Packet Flood $MON1" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON1 x 0 -t $MAC -n $ESSID -s 100; bash" &
sleep 2
Eterm -g 80x10-1-250 --cmod "red" -T "Packet Flood $MON2" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON2 x 0 -t $MAC -n $ESSID -s 100; bash" &
sleep 2
Eterm -g 80x10-1-70 --cmod "red" -T "Packet Flood $MON3" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON3 x 0 -t $MAC -n $ESSID -s 100; bash" &
sleep 2
fi
killall -q Eterm &> /dev/null
MTA and MTD
Last edited by mmusket33; 2014-05-06 at 06:14.
When ReVdK3 was distributed, the script was revised shortly afterwards to correct this problem using a tricky method and was given to my acquaintances who willingly volunteered to test.. for a second reminder see below.
"Please note I have written the little script ReVdK3 for free distribution and to contribute worthily to the Kali Linux forum and mdk3 team;
it is COMMON COURTESY for any team or individual that wants to improve this script to request my consent or create the script
with an invented name of their own. This is because improvement of this script is set aside by me in the near future....thank you... "
ReVdK3 had some issues that I wasn't aware of when it was shortly distributed.
I became aware of these bugs when viewers tested the script and provided me with their feedback....
Thank you to those people who provide their feedback that helped me trace where the problems were...
Some of the problems were as follows:
1. Whenever the script ran and was terminated, bash left mdk3 running in the background (the "while ; do loop" problem). If the script was restarted, this resulted in duplication of many mdk3 processes, which affected not only the mdk3 attack but also reaver and the monitor interfaces.
- This issue was fixed by killing all mdk3 processes after running and looping again.
2. The first distributed script ran the mdk3 EAPOL start flood attack in one terminal! (The script was functioning, but it was how bash was interpreting the instructions.) Now all three EAPOL start attacks will run in three little terminals. Issue fixed using the gnome-terminal command.
3. I increased the number of packets injected for EAPOL attacks, to help reboot one of the access points that took long to reboot/unlock (WPS).
4. I added instructions to the script to change the MAC address of your monitor and wireless interfaces. This is to help hide your identity.
the old script was taken off of the torrent link. the link for the new script is below:
http://www.legittorrents.info/index....&page=torrents
NOTE:
MDK3 WILL NOT RESET ALL ROUTERS BASED ON FEEDBACK BUT IS VERY USEFUL. As a result, the revised script can be downloaded from the link stated.
Last edited by repzeroworld; 2014-05-10 at 13:32.
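Two of the problems raised in this part of the thread are plain shell hygiene: the Musket Teams review found that only one of the three background processes the script meant to start was actually running, and the author's bug list above says that a killed script left workers running in the background, which then piled up on restart. The script below is an added example, not code from ReVdK3 or from the Musket Teams review, showing the bookkeeping a script needs when it launches several background workers: remember every PID, be able to check that all of them are alive, and kill and reap all of them on Ctrl-C, on a closed terminal and on normal exit. `sleep` stands in for whatever long-running worker a script would launch; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from ReVdK3 or the Musket Teams review): start several
# background workers from one script, keep their PIDs, check that all of them
# are really running, and kill every one of them when the script stops.
# 'sleep' stands in for whatever long-running worker a script would launch.

WORKER_PIDS=""

# start_workers N CMD [ARGS...]: launch N copies of CMD, each with its own '&',
# and remember each PID from $! so nothing is started and then forgotten.
start_workers() {
    n=$1
    shift
    WORKER_PIDS=""
    i=0
    while [ "$i" -lt "$n" ]; do
        "$@" &
        WORKER_PIDS="$WORKER_PIDS $!"
        i=$((i + 1))
    done
}

# count_alive: print how many remembered workers are still running
# (kill -0 only tests for existence; it sends no signal).
count_alive() {
    alive=0
    for pid in $WORKER_PIDS; do
        if kill -0 "$pid" 2>/dev/null; then
            alive=$((alive + 1))
        fi
    done
    echo "$alive"
}

# stop_workers: terminate and reap every remembered worker, so none of them
# survives the script (the "left running in the background" bug above).
stop_workers() {
    for pid in $WORKER_PIDS; do
        kill "$pid" 2>/dev/null || true
    done
    for pid in $WORKER_PIDS; do
        wait "$pid" 2>/dev/null || true
    done
    WORKER_PIDS=""
}

# One trap covers Ctrl-C (INT), a closed terminal (HUP) and normal exit.
trap stop_workers INT HUP EXIT
```

Call `start_workers 3 sleep 30`, then `count_alive` prints 3; after `stop_workers` (or after the trap fires) it prints 0 and nothing is left behind. Checking `count_alive` right after launch is the cheap way to catch the "only one process actually running" situation the review describes, rather than relying on what airodump-ng happens to show. Running each worker in its own terminal window, as the review suggests, trades this bookkeeping for visibility, since each window shows its own process.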
If anyone is having trouble in reaver associating to an AP, make sure your wireless card supports wireless N because the target AP may be in N only mode.
soxrok2212
Could you recommend a few wifi adapters supporting N that work with Kali? From a sources of supply perspective, could you recommend more than one.
MTA
I just purchased an Alfa AWUS051NH on eBay for about $35. It should be delivered within a couple of days and I'll report back after some testing. It's a dual band 150/300mbps card so I should see some speed increases over my AWUS036H, and based on some reviews, it looks pretty promising.
Got my hands on an Alfa AWUS051NH and I love it. Rt2800 drivers, injection works, and I definitely prefer it over my AWUS036H because the PWR levels in airodump-ng are much more accurate (I don't think it's as powerful though...). I haven't extensively tested injection rates yet but it seems very promising. Excellent range too and only about $33 on eBay.
Last edited by soxrok2212; 2014-05-30 at 01:41.
Have you tried boosting the power levels. The routine we use to avoid the negative one issue also boosts an RTL8187 to 30dBm. See our thread Simple Solution to negative one issue. You can download the routines there or we can post them or send them to you if you wish.
MTA
Musket Teams have been working on a different approach to WPS locked routers. Instead of attempting to reset a WPS locked router, we attempted to prevent router WPS locking. Targets were routers known to lock the WPS system after X number of pin requests. We flooded the router with various combinations of mdk3 attacks while simultaneously conducting a reaver attack.
To date we have had little success! However for those writing reset router programs note the following.
Reaver was always able to harvest pins while the router was being subjected to various combined mdk3 attacks. Hence there is no reason to start and stop reaver. You can leave it running in the background. If the router locks, no pins will be collected, if the router resets pins will again be harvested even though multiple mdk3 attacks are assaulting the targetAP.
So basically if you run mdk3 concurrently with reaver it will never lock out?
No we are not saying that.
We have seen the following against routers in our areas of operation.
If your target is a router where the WPS system is open BUT will lock after x number of pin attempts then:
1. If you run combinations of mdk3 against the router AND you run reaver at the same time, reaver will continue to collect pins until the router locks. The mdk3 attacks do not disrupt the collection of pins. We have seen routers freeze but no reset and then continue which is congruent with reaver collecting pins. What is important here is that you can run your mdk3 attack(s) and your reaver attack at the same time. Should the router reset reaver will begin collecting pins again until the router locks even though mdk3 is attacking the router. You do not have to run the mdk3 attack then stop the attack and run reaver and then stop reaver and run the mdk3 attack again. Just run both and walk away.
The only problem here is that the router, when reset, might jump channels.
For historical reference we had approx 10 target router which were open. We ran mdk3-reaver attacks at the same time and locked all the routers.
MTA
Gotcha, so it's a bit more time efficient.
Hi guys. Can you please modify your script for me so that it starts Reaver with -L (Ignore lock) option and then does 10 attempts and stops, after that start only mdk3 (mdk3 a -a bssid -m) for another 40 secs and stop mdk3 and then resume Reaver with -L (ignore lock) option again and loop like this until WPS is found. Thanks alot waiting your reply. ( and please with only 1 monitor interface)
hello..i got your message...hectic working schedule these days...i will modify the script for your taste and send it...send me a private message with your email adds on my channel or kali.....i have finished working on a revision of the script..ReVdK3-r1.sh (revision 1)
Some of the features of this revised script:
1. Whenever 25 successive EAPOL failures are detected, the script will flood the AP for the specified time you choose (EAPOL start failures are caused by a variety of factors, but I decided to add this feature just to force an unresponsive Access Point to overload itself and do a FRESH reboot.)
2. The script runs aireplay-ng and reaver in ONE terminal. It switches periodically between the two processes without terminating either of them, not SNAPSHOTS of reaver and mdk3..... Also it keeps re-running aireplay in the event that it quits because of "no beacon frames" or other reasons.... I found that aireplay significantly adds persistence to the association process, although reaver can associate by itself.
3. Good House keeping- the script will automatically remove temporary files associated with the script and ensure all processes are killed prior to a SINGLE (1) SIGINT (Ctrl C) or SIGHUP signal (closing the terminal).
4. introduce the -S flag in the reaver command line to speed up cracking...
5. a couple of minor bug fixes
hmm.....One cold beer to "N1Ksan" who "push" me to do a revision and contributed some of the ideas above..not forgetting how many unstable versions of script i sent him to test........
Hey man, I sent you private message here in Kali, please send it to my email.
I found out that many TP-Link router models whose MAC address starts with "10-FE-ED" can have MDK3 (mdk3 a -a bssid -m) run against them for 30 seconds, and then it will let you continue reaver for 10 attempts, and then do the same thing again and again. But the issue is that WPS will show Locked as Yes even after mdk3, but will let you continue with the ignore option -L. Your previous scripts I tried didn't reset those TP-Link routers, and didn't even let me continue with the Ignore lock option.
Best of luck and thanks again, will test it for you if you have other scripts.
Hey friends, I want to test your scripts. I'm trying to crack WPA passwords but I fail in all tries. I need some help, some information about this you are working on. Send me a message plz. ps: sry for my english
I think I must say that one of my wifi cards has broken itself using all the mdk3 codes at the same time pointing to a specific AP, and it was at its max power.
Resuming, the card was not able to transmit again.
Well, if you set it to max power you probably fried it...
RELEASE OF REVDK3-R1.sh
DOWNLOAD LINK
http://www32.zippyshare.com/v/12811261/file.html
----------------------------------------
ReVdK3-r1.sh (Revision 1) README Section
----------------------------------------
WARNING:
Do not use this script without permission from the victim to carry out the specified attacks.

This is the first official revision of the ReVdK3.sh script.
----------------------------------------
Script features in this revision
1. Runs reaver and aireplay-ng in one terminal and detects continuously when reaver is rate limiting pins.
After input of the wireless adapter interface, it checks to see if there are any monitor interfaces on that adapter interface. Any existing monitor interfaces are wiped out and three new monitor interfaces are created. The script also uses these interfaces during the attacking process. In the event that aireplay times out because of association issues or switches to "shared key open authentication", the script will re-run aireplay-ng.
2. Runs mdk3 attacks until reaver detects that the WPS state of the AP has been unlocked. Once WPS has been unlocked it kills all mdk3 attacks and waits until reaver detects WPS has been locked again.. this process goes on...
3. Upon detection of 25 successive EAPOL start failures, the script floods the AP for 60 seconds to see if the AP will do a fresh reboot!
4. Killing the script in a terminal will trigger it to remove all tmp files, force all processes started by the script to terminate and wipe out the three monitor interfaces it created.. be patient, about 1-2 seconds for termination of the script... Also you can close the terminal instead of killing; this will send a hang up signal to do the necessary cleaning up..
Last edited by repzeroworld; 2014-06-17 at 03:02. Reason: to change download link
thanks for the thumbs up....having issues with the link too
but i did manage to upload it on zippyshare
the link is below (do tell me if it works):
http://www32.zippyshare.com/v/12811261/file.html
if the file is supposed to be 26.2 kB (26,158 bytes) in size, then yes it works.
Awesome job with ReVdK3-r1.sh.
I was able to use it to crack my Belkin N+ router when Reaver Pro couldn't attempt a single pin.
I posted a demonstration here for anyone interested:
EDIT: Youtube vids not allowed.
I think you could make the script better by including check for gnome-terminal and apt-get install gnome-terminal for us XFCE fans.
Also, if the script connected to the WPS protected AP as soon as it found the pin, that would be cool too. (Have it send an email when done.)
Regards,
Last edited by sickn3ss; 2014-07-06 at 13:20.
*Post Deleted* Wrong thread, moved to Belkin Mac Address/SSID Correlation.
Last edited by soxrok2212; 2014-07-03 at 16:34.
Very interesting...
Last edited by bolexxx; 2014-07-06 at 13:27.
Downloads for useful programs: I will do my best to keep these updated
Atrophy
ReVdk3-r1
FrankenScript 2
Hey can anyone give me a hint of what this little trio is about please? thank you very much and have a nice day.