Page 4 of 6, results 151 to 200 of 256

Thread: Howto frankenScript

  1. #151
    Join Date
    2013-Oct
    Posts
    321
    @ Quest, Regarding post 139.

    [4] = Bully & Default WPS Pin Keygens:
    Option 4 would be the quickest attack so I thought it made sense to list it first.
    I couldn't get option 4 to work until I added -F.

    [5] = Bully Bruteforce Settings:
    Option 5 would take longer than option 4 so I thought it made sense to list it after option 4.
    I couldn't get option 5 to work until I added -F.

    [6] = Bully Custom Settings:
    Option 6 is more for advanced users and will probably be the least used, so I thought it should be placed last in the list.

    I'm not sure what you mean here "Bully Current Attack Command:
    bully mon0 -c 8 -b 64:70:02:XX:XX:XX -v 3 <------two spaces before "-v"?"

  2. #152
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    yes, I understood that logic, but I didn't (still don't) agree lol

    [6] = Bully Custom Settings:
    bully mon0 -c 8 -b 64:70:02:XX:XX:XX -v 3
    is the simplest formula of the three, and probably the most efficient for most users, anytime, anywhere (easy does it, remember?). Then the user can build on that as an option.

    [4] = Bully & Default WPS Pin Keygens:
    The '-p' option is rarely used with Bully or (Reaver v1.4 fork r3). Only in weird AP cases would anyone resort to that trick. Please educate me if I'm missing something here, but the few times I had to use the '-p' argument specifying the first 4 pin numbers, it's because Reaver had issues in a previous/botched session. So that should be the last option imo.


    [5] = Bully Bruteforce Settings:
    if you could just rename that attack, I wouldn't have an issue with it.


    The two spaces before the '-v 3' in # [6] = Bully Custom Settings result in this...
    bully mon0 -c 8 -b 64:70:02:XX:XX:XX
    the '-v 3' argument is not there.
    Try it yourself you will see.
    Last edited by Quest; 2014-10-13 at 02:50.
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge
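The argument-dropping behaviour described just above (two spaces before '-v 3' and the option disappears from the command) is a shell parsing bug class worth seeing in isolation. The block below is an added example, not FrankenScript's code: the thread does not show how the script splits the command line, so it assumes one common cause, picking words with cut -d' ', where a doubled space yields an empty field and shifts everything after it, and contrasts that with letting the shell split the line on runs of whitespace. The command text is constructed from the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not FrankenScript's own code). Assumption: the script picked
# arguments out of a user-typed command string with cut -d' ', which treats
# every single space as a delimiter, so two spaces give an empty field.

# Constructed command text with a double space before "-v", as reported above.
CMD_DOUBLE_SPACE='bully mon0 -c 8 -b 64:70:02:XX:XX:XX  -v 3'

# Fragile: field 7 is empty and "-v" has moved to field 8, so code that
# expects "-v" in field 7 simply never sees it.
nth_field_cut() {
    printf '%s\n' "$1" | cut -d' ' -f"$2"
}

# Robust: unquoted expansion splits on runs of IFS characters, so consecutive
# spaces collapse and the word count is what the user intended (8 here).
word_count() {
    set -- $1
    echo "$#"
}

# Return the value that follows "-v" (empty + status 1 when absent), scanning
# the words instead of fixed field positions.
verbosity_of() {
    set -- $1
    while [ "$#" -gt 0 ]; do
        if [ "$1" = "-v" ] && [ "$#" -ge 2 ]; then
            echo "$2"
            return 0
        fi
        shift
    done
    echo ""
    return 1
}

# Demonstration when run directly.
echo "cut field 7: '$(nth_field_cut "$CMD_DOUBLE_SPACE" 7)'"   # empty
echo "cut field 8: '$(nth_field_cut "$CMD_DOUBLE_SPACE" 8)'"   # -v
echo "word count:  $(word_count "$CMD_DOUBLE_SPACE")"          # 8
echo "verbosity:   $(verbosity_of "$CMD_DOUBLE_SPACE")"        # 3
```

The safest version of a menu script does not build a string at all: it stores the user's extra options in positional parameters ("$@") and passes them through unmodified, so spacing never matters and nothing is re-split.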

  3. #153
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    actually all three attacks should have a 'user input' as an option.

    [4] = Bully Easy Settings With User Input Option:
    bully mon0 -c 8 -b 64:70:02:XX:XX:XX -v 3

    [5] = Bully Bruteforce Settings With User Input Option:
    bully mon0 -c 8 -b 64:70:02:XX:XX:XX -F -B -l 60 -v 3

    [6] = Bully & Default WPS Pin Keygens With User Input Option:
    bully mon0 -c 8 -b 64:70:02:XX:XX:XX -F -B -l 60 -v 3 -p 65822746

  4. #154
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by Quest
    actually all three attacks should have a 'user input' as an option.

    [4] = Bully Easy Settings With User Input Option:
    bully mon0 -c 8 -b 64:70:02:XX:XX:XX -v 3

    [5] = Bully Bruteforce Settings With User Input Option:
    bully mon0 -c 8 -b 64:70:02:XX:XX:XX -F -B -l 60 -v 3

    [6] = Bully & Default WPS Pin Keygens With User Input Option:
    bully mon0 -c 8 -b 64:70:02:XX:XX:XX -F -B -l 60 -v 3 -p 65822746
    I left the -v out of Bully Custom Settings because some people might not want to see the output for whatever reason; it wouldn't be custom settings if I forced people to use -v, besides it can still be added by the user.

    The other two bully attacks are preset so even a dumb *** could perform the attack. LOL
    Anyway there is no need to have user input for them when there is a custom setting option they can choose, the custom option can perform every bully attack.
    So you see if I changed the other two to have user input it would be like having three of the same options, but two of them limited and pointless.

  5. #155
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Quote Originally Posted by slim76
    I left the -v out of Bully Custom Settings because some people might not want to see the output for whatever reason; it wouldn't be custom settings if I forced people to use -v, besides it can still be added by the user.
    I agree.

    Quote Originally Posted by slim76
    The other two bully attacks are preset so even a dumb *** could perform the attack. LOL
    Anyway there is no need to have user input for them when there is a custom setting option they can choose, the custom option can perform every bully attack.
    So you see if I changed the other two to have user input it would be like having three of the same options, but two of them limited and pointless.
    I disagree.

    Let's wait for more user input on the matter. I'm not a Bully/Reaver expert :]

  6. #156
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580

    Post my laundry list

    Packaging
    - the '()' should not be used when creating a .deb because it won't install.

    Invoke
    - fs3.sh is version specific (3). I do not have to type in wifitev82 when invoking Wifite or Reaver.

    Scans
    - it is counter-intuitive to click on the first window and press [Enter] when stopping airodump or wash. [Ctrl]+[c] should be allowed to stop the process in the second window, and that would return the 'Enter' in the first window.

    Features
    - Script Launcher, that was useful.
    - a separate option to verify a .cap would be useful also: cowpatty -r Xxxxxxx.cap -c , pyrit -r Xxxxxxx.cap analyze

    ...

  7. #157
    Join Date
    2014-Oct
    Posts
    11
    Hello all,
    I've been following the FrankenScript thread with great interest for a long time; thank you Slim for your work and Quest for your tests!
    I'd add a couple of items to Quest's laundry list:

    1) giving the user the chance to increase TX power with three options - 27, 30 and, maybe, 33 dB for those 2000 milliwatt devices (if I'm not wrong 30 is for up to 1000 mW devices).
    2) giving the user the chance to use the --band parameter of Airmon in order to scan both the 2.4 and 5 GHz bands.

    A question or two about the Bully bruteforce attack (my apologies if Quest has already asked this but I haven't found the messages): shouldn't the -B option be used in the command?
    And wouldn't it be better if the user were asked whether to delete the file aabbccddeeff.run, located in /root/.bully, if it exists?
    I ask this because I wonder if that file could still be useful if I change the Bully attack type on the same A/P.
    Then I have another question about Bully, but I have to copy & paste the messages from the terminal; I'll post it later.
    Many thanks in advance!
    Best regards

    Angelo

  8. #158
    Join Date
    2014-Oct
    Posts
    11
    Here's the console after launching Bully (sorry for the long message):

    ~# bully mon0 -c 1 -b aa:bb:cc:dd:ee:ff -F -l 60 -v 3 -B

    [!] Bully v1.0-22 - WPS vulnerability assessment utility
    [+] Switching interface 'mon0' to channel '1'
    [!] Using 'gg:hh:ii:jj:kk:ll' for the source MAC address
    [+] Datalink type set to '127', radiotap headers present
    [+] Scanning for beacon from 'aa:bb:cc:dd:ee:ff' on channel '1'
    [!] Excessive (3) FCS failures while reading next packet
    [!] Excessive (3) FCS failures while reading next packet
    [!] Excessive (3) FCS failures while reading next packet
    [!] Disabling FCS validation (assuming --nofcs)
    [+] Got beacon for 'xxxxxxxxxxxxx' (aa:bb:cc:dd:ee:ff)
    [+] Loading randomized pins from '/root/.bully/pins'
    [+] Index of starting pin number is '00000000'
    [+] Last State = 'NoAssoc' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx( ID ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx( M2 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx( M2 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx( Assn ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx( ID ) = 'Timeout' Next pin '58840458'
    [+] Rx( ID ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx( ID ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( ID ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx( Auth ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( ID ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( ID ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx( M2 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx( M2 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx( Auth ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx( Auth ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Sent packet not acknowledged after 3 attempts
    [+] Tx(DeAuth) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( ID ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( ID ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'
    [+] Rx( M1 ) = 'Timeout' Next pin '58840458'

    Then I did a CTRL+C.
    So I'd like to know:

    1) which kind of file is '/root/.bully/pins' and how does it work?
    2) why the pin is always '58840458'?

    As you can see I added the -B parameter, but with or without it the console messages are the same.
    Thanks again!

    Angelo
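Every exchange line in the transcript above is a Timeout on Rx or Tx, and the 'Next pin' value never moves: as the log itself shows, the pin is retried rather than advanced while exchanges time out, so nothing had been tested yet. The block below is an added example (mine, not bully's or FrankenScript's code) that summarises a bully -v 3 transcript into exchanges, timeouts and distinct pins, and reports a run as 'stalled' when every exchange timed out on a single pin. Both sample transcripts are constructed in the format seen above; the status word 'Pin1Bad' in the second sample is made up, since this page shows no rejected-pin lines.

```shell
#!/bin/sh
# Added example (not bully's or FrankenScript's code): summarise a bully -v 3
# transcript. A run whose every "[+] Rx(...)"/"[+] Tx(...)" line is a Timeout
# on one unchanging pin has not tested a pin at all; the AP is not answering.

# Constructed excerpt in the format of the transcript above (stalled run).
STALLED_LOG="[+] Index of starting pin number is '00000000'
[+] Last State = 'NoAssoc' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Rx( M1 ) = 'Timeout' Next pin '58840458'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( ID ) = 'Timeout' Next pin '58840458'
[+] Tx(DeAuth) = 'Timeout' Next pin '58840458'"

# Constructed excerpt of a run that is advancing through pins. The status
# word 'Pin1Bad' is invented for this example.
PROGRESS_LOG="[+] Rx( M5 ) = 'Pin1Bad' Next pin '00001234'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '00011239'
[+] Rx( M1 ) = 'Timeout' Next pin '00011239'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '00021232'"

# Print "<exchanges> <timeouts> <distinct pins> <verdict>" for one transcript.
# Only "[+] Rx(...)" / "[+] Tx(...)" lines count as exchanges with the AP;
# "Last State", "Index of starting pin" and "Sent packet" lines are skipped.
bully_summary() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^\[\+\] (Rx|Tx)\(/ && /Next pin/ {
            exchanges++
            if ($0 ~ /Timeout/) timeouts++
            pin = $NF              # last field is the quoted pin
            gsub(q, "", pin)       # strip the surrounding single quotes
            if (!(pin in seen)) { seen[pin] = 1; distinct++ }
        }
        END {
            verdict = "progressing"
            if (exchanges > 0 && timeouts == exchanges && distinct == 1)
                verdict = "stalled"
            printf "%d %d %d %s\n", exchanges, timeouts, distinct, verdict
        }'
}

echo "stalled sample:  $(bully_summary "$STALLED_LOG")"     # 4 4 1 stalled
echo "progress sample: $(bully_summary "$PROGRESS_LOG")"    # 4 1 3 progressing
```

To use it on a real transcript, save the terminal output to a file and call bully_summary "$(cat transcript.txt)". A 'stalled' verdict points at radio conditions, channel, or the adapter/driver before anything about the pins file, which is consistent with the replies that follow.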

  9. #159
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by AngeloM
    Hello all,
    I've been following the FrankenScript thread with great interest for a long time; thank you Slim for your work and Quest for your tests!
    I'd add a couple of items to Quest's laundry list:

    1) giving the user the chance to increase TX power with three options - 27, 30 and, maybe, 33 dB for those 2000 milliwatt devices (if I'm not wrong 30 is for up to 1000 mW devices).
    2) giving the user the chance to use the --band parameter of Airmon in order to scan both the 2.4 and 5 GHz bands.

    A question or two about the Bully bruteforce attack (my apologies if Quest has already asked this but I haven't found the messages): shouldn't the -B option be used in the command?
    And wouldn't it be better if the user were asked whether to delete the file aabbccddeeff.run, located in /root/.bully, if it exists?
    I ask this because I wonder if that file could still be useful if I change the Bully attack type on the same A/P.
    Then I have another question about Bully, but I have to copy & paste the messages from the terminal; I'll post it later.
    Many thanks in advance!
    Best regards

    Angelo
    You're welcome mate.

    I didn't include a TX power option because I believe there is a chance it could damage some wireless network cards.
    I still might add the TX power option and add a big warning to go with it. LOL

    Regarding the --band parameter of Airmon in order to scan both the 2.4 and 5 GHz bands.
    I didn't know about it until you mentioned it, could you post the commands and explain a little about it please.

    Regarding the Bully pin issue.
    I've only used Bully a few times and don't know much about it, but I think your pin issue might be because of a weak or intermittent signal.
    Last edited by slim76; 2014-10-14 at 11:30.

  10. #160
    Join Date
    2013-Oct
    Posts
    321
    Ok now I'm completely confused about the bully bruteforce attack, can someone post the proper commands and double/triple check they're correct please.

  11. #161
    Join Date
    2014-Oct
    Posts
    11
    Quote Originally Posted by slim76
    Regarding the --band parameter of Airmon in order to scan both the 2.4 and 5 GHz bands.
    I didn't know about it until you mentioned it, could you post the commands and explain a little about it please.
    Sorry Slim, I meant Airodump, my bad.

    Quote Originally Posted by slim76
    I didn't include a TX power option because I believe there is a chance it could damage some wireless network cards.
    I still might add the TX power option and add a big warning to go with it. LOL
    Fair enough.
    I could add a script, or more than one with different power settings, to launch depending on which adapter I'm using.

    Quote Originally Posted by slim76
    Regarding the Bully pin issue.
    I've only used Bully a few times and don't know much about it, but I think your pin issue might be because of a weak or intermittent signal.
    I'd say it's not something related to a weak or intermittent signal; let me try to explain: I noticed this problem using three different adapters in different locations, different adapters but all of them using the same driver (rt2800usb), so I wonder if doing a kernel update to a 3.16 version (as per instructions found here) could fix some problems.
    I still wonder if the pin problem could be related to a bad/corrupted pins file (opened it and it isn't human readable, at least for me, so I don't know if it's corrupted, binary or whatever else).
    Any thought about the deletion of aabbccddeeff.run located in /root/.bully, if existing?

  12. #162
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    sorry I was out.

    Not sure what you want us to do Slim. The -B argument in Bully is bruteforce.

    Quote Originally Posted by AngeloM
    1) giving the user the chance to increase TX power with three options - 27, 30 and, maybe, 33 dB for those 2000 milliwatt devices (if I'm not wrong 30 is for up to 1000 mW devices).
    Great idea as it seems to be popular, but just a side note to all, increasing your TX power does not augment the received signal strength. Unfortunately.

    Quote Originally Posted by AngeloM
    2) giving the user the chance to use the --band parameter of Airmon in order to scan both the 2.4 and 5 GHz bands.
    Nice!! Thank you. Had no idea also.

    Quote Originally Posted by AngeloM
    A question or two about Bully bruteforce attack (my apologies if Quest has already asked that but I haven't found the messages): shouldn't the -B option be used in the command?
    yess the score is now 2-1 lalalallaaallalalala

    Quote Originally Posted by AngeloM
    And wouldn't it be better if the user were asked whether to delete the file aabbccddeeff.run, located in /root/.bully, if it exists?
    I ask this because I wonder if that file could still be useful if I change the Bully attack type on the same A/P.
    I must admit my cluelessness on that one. But please educate us on that .run file.


    Quote Originally Posted by slim76
    Regarding the Bully pin issue.
    I've only used Bully a few times and don't know much about it, but I think your pin issue might be because of a weak or intermittent signal.
    yup that's what I'm thinking.
    Last edited by Quest; 2014-10-15 at 01:26.

  13. #163
    Join Date
    2014-Oct
    Posts
    11
    Quote Originally Posted by Quest
    I must admit my cluelessness on that one. But please educate us on that .run file.
    My posts still appear with a delay as they must be moderator-approved, so sorry if you see my messages late (this is my fourth post and I'm still waiting for the third one).
    About the .run file, it seems that Bully saves a sort of temp file in /root/.bully that is recalled if the attack is interrupted, so there is no need to restart from the beginning, but at the same time I wonder what happens if I change the Bully attack on the same A/P.
    For example, I start a certain type of attack on the A/P at aa:bb:cc:dd:ee:ff, so an aabbccddeeff.run file is created under /root/.bully/.
    Then I stop the attack, or it fails, and the .run file is still located under /root/.bully/.
    I then launch a different attack, or even the same attack as before but with different parameters: I see that Bully checks for the aabbccddeeff.run file and finds the previous one, but I have no clue how it will manage the contents; I don't know if Bully tries to continue from the last try or what, and I'm worried that the current attack is 'dirtied' by the previous one (I hope I was able to explain myself in an understandable way, sorry but English is not my native language).

  14. #164
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by AngeloM
    My posts still appear with a delay as they must be moderator-approved, so sorry if you see my messages late (this is my fourth post and I'm still waiting for the third one).
    About the .run file, it seems that Bully saves a sort of temp file in /root/.bully that is recalled if the attack is interrupted, so there is no need to restart from the beginning, but at the same time I wonder what happens if I change the Bully attack on the same A/P.
    For example, I start a certain type of attack on the A/P at aa:bb:cc:dd:ee:ff, so an aabbccddeeff.run file is created under /root/.bully/.
    Then I stop the attack, or it fails, and the .run file is still located under /root/.bully/.
    I then launch a different attack, or even the same attack as before but with different parameters: I see that Bully checks for the aabbccddeeff.run file and finds the previous one, but I have no clue how it will manage the contents; I don't know if Bully tries to continue from the last try or what, and I'm worried that the current attack is 'dirtied' by the previous one (I hope I was able to explain myself in an understandable way, sorry but English is not my native language).
    No need to be sorry for anything mate, I think your English is very good.
    The files you mention are located at /root/.bully and I think they get overwritten every time you perform an attack.

  15. #165
    Join Date
    2014-Oct
    Posts
    11
    No, I checked right now and those .run files are not overwritten, if you open them you see the 'history' of the attack with every pin used.

  16. #166
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580

    Question

    little voodoo stuff with your coffee?

    I'm trying to test the above and my returns say:

    Saved session to '/root/.bully/98fcxxxxxxxx.run'
    but I do not have such file in root (Home). No .bully, no .run to be found in root. Weird.

    So I cannot help with that, I don't even have that .run file.
    Last edited by Quest; 2014-10-16 at 13:58.

  17. #167
    Join Date
    2014-Oct
    Posts
    11
    It's a hidden folder; when I set my system to show hidden files and folders I then saw a lot of folders beginning with . (such as .bully).

  18. #168
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by Quest
    little voodoo stuff with your coffee?

    I'm trying to test the above and my returns say:



    but I do not have such file in root (Home). No .bully, no .run to be found in root. Weird.

    So I cannot help with that, I don't even have that .run file.
    Show Hidden Files ;-) LOL

  19. #169
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    I see what you are saying about the -B argument..

    -B, --bruteforce : Bruteforce the WPS pin checksum digit [No]
    what they mean by "bruteforce" concerns only the checksum digit...

    What did you mean Slim by 'bruteforce'? Check all possible combinations of 8 numbers for APs that do not follow the 4-3-1 convention?

    Because the only one that offers a true bruteforce is reaver 1.4 fork r3, with the '-X' argument. Takes a lot longer.
    Last edited by Quest; 2014-10-16 at 19:47.
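To make the '-B' distinction above concrete: a WPS PIN is seven free digits plus one checksum digit (the "4-3-1" layout Quest refers to), and the checksum is defined in the WPS specification as weighting the digits 3,1,3,1,3,1,3 and choosing the last digit so the total is a multiple of 10. The block below is an added example, mine rather than bully's or reaver's code: it computes that digit, validates a PIN, and checks the two PINs quoted in this thread. 65822746 carries a correct check digit; 58840458 does not, which is the kind of PIN only a run that bruteforces the checksum digit (-B) would still try. Nothing here touches a network; it is the arithmetic behind the small PIN space, and that small space is why disabling WPS PIN on an access point is the standard mitigation.

```shell
#!/bin/sh
# Added example (not bully's or reaver's code): the WPS PIN checksum digit.
# Per the WPS specification, for PIN digits d1..d8 the sum
#   3*(d1+d3+d5+d7) + (d2+d4+d6+d8)
# must be a multiple of 10, so d8 is fixed by the first seven digits.

# Checksum digit for a 7-digit prefix (argument: exactly seven digits).
wps_checksum() {
    prefix=$1
    acc=0
    i=1
    while [ "$i" -le 7 ]; do
        d=$(printf '%s' "$prefix" | cut -c"$i")
        if [ $((i % 2)) -eq 1 ]; then
            acc=$((acc + 3 * d))   # odd positions weigh 3
        else
            acc=$((acc + d))       # even positions weigh 1
        fi
        i=$((i + 1))
    done
    echo $(( (10 - acc % 10) % 10 ))
}

# Full 8-digit PIN with a correct check digit appended to a 7-digit prefix.
wps_pin_from_prefix() {
    printf '%s%s\n' "$1" "$(wps_checksum "$1")"
}

# Exit 0 when the argument is an 8-digit PIN whose last digit is the correct
# checksum, 1 otherwise (wrong length, non-digits, or a bad check digit).
wps_pin_valid() {
    pin=$1
    case $pin in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$(wps_checksum "${pin%?}")" = "${pin#???????}" ]
}

# The two PINs that appear in this thread.
for p in 65822746 58840458; do
    if wps_pin_valid "$p"; then
        echo "$p: checksum digit correct"
    else
        echo "$p: checksum digit wrong (expected $(wps_checksum "${p%?}"))"
    fi
done
```

The consequence for the argument above: with the checksum honoured there are 10^7 well-formed PINs, and '-B' widens the last digit to all ten values; a true eight-digit search (what Quest attributes to the fork's '-X') is the full 10^8, which is why it takes so much longer.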

  20. #170
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Quote Originally Posted by AngeloM
    It's a hidden folder; when I set my system to show hidden files and folders I then saw a lot of folders beginning with . (such as .bully).
    Quote Originally Posted by slim76
    Show Hidden Files ;-) LOL
    yes I got them. The problem is that Bully does not offer to start from the beginning. I wouldn't worry about that too much, because once a pin is tested, it is tested, regardless of the arguments. But when using the '-p' argument to start with a given pin, will it cycle through all pins? That would be my question.

  21. #171
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Slim, as I said before (can't remember where), Reaver 1.4 has difficulties with certain APs. I find it useful (necessary) to use reaver 1.3, reaver 1.4 fork r3, or bully.

    Any chance you could incorporate reaver 1.3 and reaver 1.4 fork r3 in FS? Otherwise I have to un/install reaver.

  22. #172
    Join Date
    2014-Oct
    Posts
    11
    Speaking about Bully, could this page be useful?
    Anyway there's something in the command syntax that seems wrong (check the first two examples, same syntax but different behaviour), still to check that.

  23. #173
    Join Date
    2014-Oct
    Posts
    11
    Tried now.
    First try: sudo bully mon0 --bssid aa:bb:cc:dd:ee:ff -v 3 --bruteforce
    Messages:
    Loading randomized pins from '/root/.bully/pins'
    Restoring sessions from '/root/.bully/aabbccddeeff.run'
    WARNING: Randomized search requested but prior session was sequential
    Use --force to ignore above warning(s) and continue anyway.

    Second try: sudo bully mon0 --bssid aa:bb:cc:dd:ee:ff -v 3 --bruteforce --force
    Messages:
    Index of starting pin number is '89244548'
    Then a lot of messages "Next pin '57292736'", pin never changed.

    Third try: sudo bully mon0 --bssid aa:bb:cc:dd:ee:ff -v 3 --bruteforce --pin 00000001
    Messages:
    Starting pin specified, defaulting to sequential mode
    Restoring session from '/root/.bully/aabbccddeeff.run' (so it restores the session even if I use the --pin parameter)
    WARNING: Sequential search requested but prior session was randomized

    Fourth try: sudo bully mon0 --bssid aa:bb:cc:dd:ee:ff -v 3 --bruteforce --pin 00000001 --force
    Same as the second try, first pin as per the parameter given but it never changes.
    Tried even using the -S parameter (force sequential pins) without giving the --pin parameter; it started with 00000001 but it never changed.

  24. #174
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    and does deleting the .bin and starting a new session with that AP solve that problem?

  25. #175
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by Quest
    Slim, as I said before (can't remember where), Reaver 1.4 has difficulties with certain APs. I find it useful (necessary) to use reaver 1.3, reaver 1.4 fork r3, or bully.

    Any chance you could incorporate reaver 1.3 and reaver 1.4 fork r3 in FS? Otherwise I have to un/install reaver.
    I'm not sure but we can try.
    Do you know if the dependencies are the same for all the different versions of reaver?
    What architecture are you using?

  26. #176
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Great!

    x64

    The dependencies are the same.
    Code:
    apt-get install libsqlite3-dev && apt-get install libpcap0.8-dev
    Reaver 1.0/1/2/3/4 http://code.google.com/p/reaver-wps/downloads/list

    Reaver 1.4 fork r3 https://code.google.com/p/reaver-wps-fork/
    Original thread https://code.google.com/p/reaver-wps.../detail?id=195


    That would rock. A lot of ppl are reporting that 1.3 works better than 1.4. You would make a lot of friends.

    1.4 fork r3 has some good features.

  27. #177
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by Quest
    Great!

    x64

    The dependencies are the same.
    Code:
    apt-get install libsqlite3-dev && apt-get install libpcap0.8-dev
    Reaver 1.0/1/2/3/4 http://code.google.com/p/reaver-wps/downloads/list

    Reaver 1.4 fork r3 https://code.google.com/p/reaver-wps-fork/
    Original thread https://code.google.com/p/reaver-wps.../detail?id=195


    That would rock. A lot of people are reporting that 1.3 works better than 1.4. You would make a lot of friends.

    1.4 fork r3 has some good features.
    I've got good news and bad news for you.
    The good news is I've done it already; it was easy.

    FrankenScript can now use Reaver 1.3, Reaver 1.4 fork r3 and whatever version you currently have installed.
    No need to keep installing/uninstalling to use different versions of reaver, and I think it might even be possible to perform multiple attacks simultaneously while using different versions of reaver.

    Now for the bad news.
    I haven't added it to the current version of FrankenScript; I've added it to the new one I'm currently writing.

  28. #178
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Really!?

    I'm gonna need a howto on that one.

    How do you install another version of reaver without uninstalling first?
    How do you invoke a reaver if there are many?

    Anyway, that is really cool. Never asked before as I did not think it was feasible. Can't stop progress!

  29. #179
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580

    Reaver's arguments

    No difference between 1.3 and 1.4. Only three more options with fork r3.


    Code:
    Reaver v1.3 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    
    Required Arguments:
    	-i, --interface=<wlan>          Name of the monitor-mode interface to use
    	-b, --bssid=<mac>               BSSID of the target AP
    
    Optional Arguments:
    	-m, --mac=<mac>                 MAC of the host system
    	-e, --essid=<ssid>              ESSID of the target AP
    	-c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
    	-o, --out-file=<file>           Send output to a log file [stdout]
    	-s, --session=<file>            Restore a previous session file
    	-a, --auto                      Auto detect the best advanced options for the target AP
    	-f, --fixed                     Disable channel hopping
    	-5, --5ghz                      Use 5GHz 802.11 channels
    	-v, --verbose                   Display non-critical warnings (-vv for more)
    	-q, --quiet                     Only display critical messages
    	-h, --help                      Show help
    
    Advanced Options:
    	-p, --pin=<wps pin>             Use the specified 4 or 8 digit WPS pin
    	-d, --delay=<seconds>           Set the delay between pin attempts [1]
    	-l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [315]
    	-g, --max-attempts=<num>        Quit after num pin attempts
    	-x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
    	-r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
    	-t, --timeout=<seconds>         Set the receive timeout period [5]
    	-T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20]
    	-S, --dh-small                  Use small DH keys to improve crack speed
    	-L, --ignore-locks              Ignore locked state reported by the target AP
    	-E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
    	-n, --nack                      Target AP always sends a NACK [Auto]
    	-w, --win7                      Mimic a Windows 7 registrar [False]
    
    Example:
    	reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv
    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    
    Required Arguments:
    	-i, --interface=<wlan>          Name of the monitor-mode interface to use
    	-b, --bssid=<mac>               BSSID of the target AP
    
    Optional Arguments:
    	-m, --mac=<mac>                 MAC of the host system
    	-e, --essid=<ssid>              ESSID of the target AP
    	-c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
    	-o, --out-file=<file>           Send output to a log file [stdout]
    	-s, --session=<file>            Restore a previous session file
    	-C, --exec=<command>            Execute the supplied command upon successful pin recovery
    	-D, --daemonize                 Daemonize reaver
    	-a, --auto                      Auto detect the best advanced options for the target AP
    	-f, --fixed                     Disable channel hopping
    	-5, --5ghz                      Use 5GHz 802.11 channels
    	-v, --verbose                   Display non-critical warnings (-vv for more)
    	-q, --quiet                     Only display critical messages
    	-h, --help                      Show help
    
    Advanced Options:
    	-p, --pin=<wps pin>             Use the specified 4 or 8 digit WPS pin
    	-d, --delay=<seconds>           Set the delay between pin attempts [1]
    	-l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
    	-g, --max-attempts=<num>        Quit after num pin attempts
    	-x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
    	-r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
    	-t, --timeout=<seconds>         Set the receive timeout period [5]
    	-T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20]
    	-A, --no-associate              Do not associate with the AP (association must be done by another application)
    	-N, --no-nacks                  Do not send NACK messages when out of order packets are received
    	-S, --dh-small                  Use small DH keys to improve crack speed
    	-L, --ignore-locks              Ignore locked state reported by the target AP
    	-E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
    	-n, --nack                      Target AP always sends a NACK [Auto]
    	-w, --win7                      Mimic a Windows 7 registrar [False]
    
    Example:
    	reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv
    Reaver v1.4 (fork r3) WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    
    Required Arguments:
    	-i, --interface=<wlan>          Name of the monitor-mode interface to use
    	-b, --bssid=<mac>               BSSID of the target AP
    
    Optional Arguments:
    	-m, --mac=<mac>                 MAC of the host system
    	-e, --essid=<ssid>              ESSID of the target AP
    	-c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
    	-o, --out-file=<file>           Send output to a log file [stdout]
    	-s, --session=<file>            Restore a previous session file
    	-C, --exec=<command>            Execute the supplied command upon successful pin recovery
    	-D, --daemonize                 Daemonize reaver
    	-a, --auto                      Auto detect the best advanced options for the target AP
    	-f, --fixed                     Disable channel hopping
    	-5, --5ghz                      Use 5GHz 802.11 channels
    	-v, --verbose                   Display non-critical warnings (-vv for more)
    	-q, --quiet                     Only display critical messages
    	-h, --help                      Show help
    
    Advanced Options:
    	-p, --pin=<wps pin>             Use the specified 4 or 8 digit WPS pin
    	-d, --delay=<seconds>           Set the delay between pin attempts [1]
    	-l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
    	-g, --max-attempts=<num>        Quit after num pin attempts
    	-x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
    	-r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
    	-t, --timeout=<seconds>         Set the receive timeout period [5]
    	-T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20]
    	-A, --no-associate              Do not associate with the AP (association must be done by another application)
    	-N, --no-nacks                  Do not send NACK messages when out of order packets are received
    	-S, --dh-small                  Use small DH keys to improve crack speed
    	-L, --ignore-locks              Ignore locked state reported by the target AP
    	-E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
    	-n, --nack                      Target AP always sends a NACK [Auto]
    	-w, --win7                      Mimic a Windows 7 registrar [False]
    	-X, --exhaustive                Set exhaustive mode from the beginning of the session [False]
    	-1, --p1-index                  Set initial array index for the first half of the pin [False]
    	-2, --p2-index                  Set initial array index for the second half of the pin [False]
    
    Example:
    	reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv
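    As an added example (not code from the thread or from FrankenScript), a small Python script that parses help text in the layout quoted above and reports which flags one build adds or drops relative to another, and which defaults change; the embedded help excerpts are constructed, abbreviated copies of the three outputs posted in this thread. A wrapper script that drives several reaver builds needs exactly this information to know which flags are safe to pass to which binary.

```python
"""Diff the option sets of several Reaver builds from their help output.

Added example, not code from the thread or from FrankenScript. The help
excerpts below are constructed, abbreviated copies of the three outputs
posted in the thread; the parser works on the full texts as well.
"""
import re
from typing import Dict, List, Tuple

# One option line: "-X, --long-name[=<arg>]   description [default]"
OPTION_RE = re.compile(
    r"^\s*-(\S),\s+--([\w-]+)(?:=<[^>]+>)?\s+(.*?)(?:\s+\[([^\]]*)\])?\s*$"
)


def parse_help(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map short flag -> (long name, description, default) for each option line."""
    options: Dict[str, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            short, long_name, desc, default = m.groups()
            options[short] = (long_name, desc.strip(), default or "")
    return options


def diff_help(old: str, new: str) -> Dict[str, List[str]]:
    """Flags only in `new`, only in `old`, and shared flags whose default changed."""
    a, b = parse_help(old), parse_help(new)
    shared = set(a) & set(b)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "default_changed": sorted(f for f in shared if a[f][2] != b[f][2]),
    }


# Constructed excerpt (not the full help text) in the layout of Reaver 1.3.
REAVER_13 = """\
Required Arguments:
    -i, --interface=<wlan>          Name of the monitor-mode interface to use
    -b, --bssid=<mac>               BSSID of the target AP
Optional Arguments:
    -c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
    -v, --verbose                   Display non-critical warnings (-vv for more)
Advanced Options:
    -l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [315]
    -T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20]
    -w, --win7                      Mimic a Windows 7 registrar [False]
"""

# 1.4 keeps every 1.3 flag, lowers the lock-delay default and adds four flags.
REAVER_14 = REAVER_13.replace("[315]", "[60]") + """\
    -C, --exec=<command>            Execute the supplied command upon successful pin recovery
    -D, --daemonize                 Daemonize reaver
    -A, --no-associate              Do not associate with the AP (association must be done by another application)
    -N, --no-nacks                  Do not send NACK messages when out of order packets are received
"""

# The fork adds exhaustive mode and the two pin-index options on top of 1.4.
REAVER_14_FORK_R3 = REAVER_14 + """\
    -X, --exhaustive                Set exhaustive mode from the beginning of the session [False]
    -1, --p1-index                  Set initial array index for the first half of the pin [False]
    -2, --p2-index                  Set initial array index for the second half of the pin [False]
"""

if __name__ == "__main__":
    for name, old, new in (("1.3 -> 1.4", REAVER_13, REAVER_14),
                           ("1.4 -> fork r3", REAVER_14, REAVER_14_FORK_R3)):
        print(name, diff_help(old, new))
```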

  30. #180
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Disregard my questions in post #178. Just massive confusion on my part with anything Linux.

  31. #181
    Join Date
    2013-Oct
    Posts
    321
    Have you got Reaver v1.4 (fork r3) installed on your system, or did you copy and paste the info from another source?
    Last edited by slim76; 2014-10-18 at 14:31.

  32. #182
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    I had to install it to make sure the info (arguments) was accurate...

    Decompress the archive in root.

    Code:
    cd /root/reaver-1.3/src -or- cd /root/reaver-wps-fork-read-only/src
    ./configure
    make distclean && ./configure
    make
    make install

  33. #183
    Join Date
    2013-Oct
    Posts
    321
    I get the following output from the 1.4-r3 fork (from your link); is this correct?

    Code:
    Reaver v1.5 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

    Required Arguments:
        -i, --interface=<wlan>          Name of the monitor-mode interface to use
        -b, --bssid=<mac>               BSSID of the target AP

    Optional Arguments:
        -m, --mac=<mac>                 MAC of the host system
        -e, --essid=<ssid>              ESSID of the target AP
        -c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
        -o, --out-file=<file>           Send output to a log file [stdout]
        -s, --session=<file>            Restore a previous session file
        -C, --exec=<command>            Execute the supplied command upon successful pin recovery
        -D, --daemonize                 Daemonize reaver
        -a, --auto                      Auto detect the best advanced options for the target AP
        -f, --fixed                     Disable channel hopping
        -5, --5ghz                      Use 5GHz 802.11 channels
        -v, --verbose                   Display non-critical warnings (-vv for more)
        -q, --quiet                     Only display critical messages
        -h, --help                      Show help

    Advanced Options:
        -p, --pin=<wps pin>             Use the specified 4 or 8 digit WPS pin
        -d, --delay=<seconds>           Set the delay between pin attempts [1]
        -l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
        -g, --max-attempts=<num>        Quit after num pin attempts
        -x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
        -r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
        -t, --timeout=<seconds>         Set the receive timeout period [5]
        -T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20]
        -A, --no-associate              Do not associate with the AP (association must be done by another application)
        -N, --no-nacks                  Do not send NACK messages when out of order packets are received
        -S, --dh-small                  Use small DH keys to improve crack speed
        -L, --ignore-locks              Ignore locked state reported by the target AP
        -E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
        -n, --nack                      Target AP always sends a NACK [Auto]
        -w, --win7                      Mimic a Windows 7 registrar [False]
        -X, --exhaustive                Set exhaustive mode from the beginning of the session [False]
        -1, --p1-index                  Set initial array index for the first half of the pin [False]
        -2, --p2-index                  Set initial array index for the second half of the pin [False]

  34. #184
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Wow, mine never said
    Reaver v1.5
    Where or how did you get this? Was that your edit? Mine (reaver 1.4 fork r3) says Reaver 1.4.

    Other than that, yes, the arguments are the same as mine (-1, -2, -X).

  35. #185
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by Quest View Post
    Great!

    x64

    The dependencies are the same.
    Code:
    apt-get install libsqlite3-dev && apt-get install libpcap0.8-dev
    Reaver 1.0/1/2/3/4 http://code.google.com/p/reaver-wps/downloads/list

    Reaver 1.4 fork r3 https://code.google.com/p/reaver-wps-fork/
    Original thread https://code.google.com/p/reaver-wps.../detail?id=195


    That would rock. A lot of people are reporting that 1.3 works better than 1.4. You would make a lot of friends.

    1.4 fork r3 has some good features.
    I got it from your post, and I did a copy and paste without any editing.

  36. #186
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    So another version was uploaded without the maker saying anything. That is not Reaver 1.5, as it does not exist. It is a fork of 1.4.

    They are driving me nuts with their file naming.

    Let me re-download it then...

    Edit: Wait, I see it now.

    r8 (Jan 4, 2014, c.sala.stq)
    Included exhaustive, p1_index and p2_index options. Also, if the WPS pin is not found while running in normal mode, instead of exiting, it jumps into exhaustive mode and starts the loop again.

    r7 (Jan 4, 2014, c.sala.stq)
    Improved verbose messages and status print (now it includes elapsed and estimated time). Also, in this version I fixed a potential bug, which was probably the cause of the Issue number 1 (Segmentation fault exception).

    r6 (Jan 4, 2014, c.sala.stq)
    Fixed the issue 195 of the original reaver-wps project: Stuck at 99%. The problem was that the pin_count never reached the get_max_pin_attempts value, so the loop was never broken. I replaced the pin_count variable with a function which calculates the current pin_count on the fly.

    r5 (Jan 4, 2014, c.sala.stq)
    Autoindented ALL code files. (No further changes included.) Indentation was done using vim defaults, with the following options: set shiftwidth=4 set softtabstop=4 set expandtab

    r4 (Jan 4, 2014, c.sala.stq)
    Revert the last revision to apply the changes in a cleaner way.

    r3 (Jul 6, 2013, c.sala.stq)
    1. Fixed the 99.9% never ending loop: If the end is reached without success, the application exits as expected. (before it continued until it was interrupted or killed). Issue: http://code.google.com/p/reaver-wps/.../detail?id=195 2. Added an exhaustive option (--exhaustive, -X) which uses "set_p1(p1_index) + set_p1(p2_index)" instead of "set_p1(p1_index) + set_p2(p2_index)" to force covering all possible combinations. This ensures that the PIN is found even if it does not follow the "checksu

    r2 (Jul 6, 2013, c.sala.stq)
    Fork from http://reaver-wps.googlecode.com/svn/trunk/ revision 113

    r1 (Jul 6, 2013)
    Initial directory structure.
    ---
    So it's not r3, but r8!! Had no idea, and nothing was ever said about that.

    Now I'm having a stupid moment... How did I download r3? I have it in my files as a .rar (which I compressed myself), but how do I DL r8 now to save it and keep that package as a .rar!??
    Last edited by Quest; 2014-10-18 at 17:35.

  37. #187
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    OK, never mind, I got it now *geez, me and Linux*

    Reaver v1.5 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tact...
    Wow, so we have reaver 1.5 now. LOL, can't stop progress.

  38. #188
    Join Date
    2014-Oct
    Posts
    11
    Quote Originally Posted by Quest View Post
    and does deleting the .bin and starting a new session with that AP solve that problem?
    Mmmmmmm.... which .bin file are you talking about?
    If you're talking about the .run file, no, deleting it doesn't solve the problem.

  39. #189
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Yes, .run I meant.

    So it's a Bully problem, and unless someone is willing to fork it and solve that problem, I'm not sure how FS can help.

    If you have ideas, please share.

  40. #190
    Join Date
    2014-Oct
    Posts
    11
    I'm doing some searches about this issue (reported by other people as well); I'll let you know as soon as I have any answers.
    In the meantime, as I can't check it myself, I'm curious to know whether you find any improvements with reaver 1.5.

  41. #191
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    OK, great!!

    I've not tested reaver 1.5, but I'm very familiar with Carles's work (reaver fork r1-8), and reading the version history (post 186 above) he basically solved reaver's problems, plus the 'floating point exception' problem that was induced in fork r3.

    So in other words, we might not need to use Bully or reaver 1.3. That being said, more tools in the toolbox = more user options.

  42. #192
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by Quest View Post
    OK, great!!

    I've not tested reaver 1.5, but I'm very familiar with Carles's work (reaver fork r1-8), and reading the version history (post 186 above) he basically solved reaver's problems, plus the 'floating point exception' problem that was induced in fork r3.

    So in other words, we might not need to use Bully or reaver 1.3. That being said, more tools in the toolbox = more user options.
    **** man, I'm getting more lost the more I read. LOL
    So what versions of reaver do you want in FrankenScript? And can you send me the versions you have, please.

  43. #193
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Yes, sorry, but that 1.5 version was unexpected.

    We may not need reaver 1.3 or bully, but nothing has changed, because the more tools we have (reaver 1.3, 1.4, 1.5, Bully) the more user choices. Plus we might see unexpected bugs rise with 1.5 on certain APs, where reaver 1.3 will save the day again.

    In other words, put them all in. I want a world-conquering arsenal [insert evil laugh here].

    Not sure what you want me to send you. If you can just include 1.3 and 1.5, that would be good, Reaver 1.4 being already in Kali.

    Last edited by Quest; 2014-10-18 at 23:34.

  44. #194
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Reaver 1.3
    http://code.google.com/p/reaver-wps/downloads/list

    Reaver 1.5 (r8)
    https://code.google.com/p/reaver-wps-fork/
    Code:
    svn checkout http://reaver-wps-fork.googlecode.com/svn/trunk/ reaver-wps-fork-read-only
    Then the reaver-wps-fork-read-only folder appeared in root. That's reaver 1.5.


    That's it really. Then we can look at the syntaxes later.
    Last edited by Quest; 2014-10-19 at 00:01.

  45. #195
    Join Date
    2014-Apr
    Location
    Down Under
    Posts
    315
    Hey guys!

    Looks like a lot has been happening; I'll get a chance to work on some of that stuff you mentioned before, starting tomorrow.

    With all the work going on, I'll ask again if this could make it to GitHub; it will certainly make it a lot easier, so that Slim could just pull any changes he likes into the main project.
    chown -R us ./base

  46. #196
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Hi static!!

    Yes, I second that motion. That would also put an end to mirrorcreator.com.

    Do what you can. We all appreciate it.

  47. #197
    Join Date
    2014-Oct
    Posts
    11
    Did some tests with Reaver 1.5 and no luck so far, same problem with repeated pins.
    Tried even updating the kernel to 3.16; no change.
    After further investigation it seems that I should see M3 and M4 messages too when I use Reaver and Bully, not only M1 and M2: if not, that should/could mean that the AP has WPS on but the pin is disabled or not defined; if so, that AP is not vulnerable to a WPS attack, and it would explain why I always see the same pin repeated.
    I'll reconfigure my test AP in order to verify.

  48. #198
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    http://www.kalilinux.net/community/t...-12345670.163/

    The guy basically says to kill the PIDs (processes) "dhclient", "NetworkManager" and "wpa_supplicant".

    FS3 does that for you, I believe, if you choose to "kill processes" when asked in the routine. Right, Slim?

    If not, then
    Code:
    airmon-ng start wlan0
    Found 3 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    2069 dhclient
    2413 NetworkManager
    3195 wpa_supplicant
    Code:
    kill 2069 && kill .....
    Yes you should definitely get M1, M2, M3, M4 messages from the start.
    Last edited by Quest; 2014-10-21 at 22:41.

  49. #199
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by Quest View Post
    http://www.kalilinux.net/community/t...-12345670.163/

    The guy basically says to kill the PIDs (processes) "dhclient", "NetworkManager" and "wpa_supplicant".

    FS3 does that for you, I believe, if you choose to "kill processes" when asked in the routine. Right, Slim?

    If not, then
    Code:
    airmon-ng start wlan0
    Code:
    kill 2069 && kill .....
    Yes you should definitely get M1, M2, M3, M4 messages from the start.
    Sorry for the late reply, been sooo busy.
    Yeah, FS3 can check and kill processes that might cause issues while performing some attacks.

  50. #200
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    I was asking because I never use that option, but I see it in the routine all the time...

    What are you working on, friend?

    I'm testing Reaverrrr 1.5 and so far I have no complaints.
