
Thread: A Reaver Based Multi-Target Pin Harvesting Program

    A Reaver Based Multi-Target Pin Harvesting Program

    Musket Teams have been watching the growing resistance to reaver WPS pin harvesting. Some routers lock after x number of pin requests, while others simply stop responding to pin requests for some period of time. In cases where the router locked the WPS system, these routers many times unlock within the next 18 to 24 hours. Very few in our areas of operation remain permanently locked. Those routers that stopped responding to pin requests but remained open were found to accept pin requests again in a few minutes. Hence WPS pins could be collected from these routers but this would take a lot of effort.

    The problem therefore was not technical but administrative. Musket Teams were in the process of automating these processes when we discovered auto-reaver. This program could collect pins from a large number of targets and looked very promising at first. But after testing the program for a month we found that auto-reaver would hang on targets under several different circumstances even though the author had attempted to prevent the problem thru various bash methods. With auto-reaver off the map, we went back to writing a script with a new view of the problems and developed a very simple pin harvesting program primarily dependent on time.

    The script file we call varmacreaverlocked18 was developed to slowly harvest pins from routers which either 1. lock their WPS systems after X number of pin requests or 2. stop responding to these pin requests but remain open. It employs the existing reaver program and should not be used if the router is open to WPS pin requests and is responding normally. The program requires a setup phase where the user enters the target APs and attack details of each target into a configuration txt file called maclistreaver. Once written the user simply runs the program, answers a few simple questions and the program works its way thru the target APs listed in the maclistreaver configuration file.

    Varmacreaverlocked allows you to load up to 50 targets into the program thru the maclistreaver configuration file. We will add more target slots if users so require.
    A user can set the -r x:y command thru the configuration file.
    A long range weak RSSI feature has been added.
    Special attack requirements for individual target APs could also be loaded into the reaver command lines manually if the user has some understanding of bash.

    The reaver attack is time based. It cannot lock in an endless EAPOL hang on one target. When the program starts, it monitors the output of reaver. If a WPS locked state occurs or there is a failure to associate or reaver output is idle the script shuts down reaver and moves on to the next target. If the attack is active the script will allow the process to continue till the time as set by the user expires. We are constantly refining the coding driving this section of the script.
    Each target has its own individual time element. You can attack target1 for 120 seconds then go to target2 and attack it for 300 seconds as per the configuration file.

    Enclosed is an updated version of varmacreaversav called We have added the ability to adjust the maclistreaver configuration file while the program is running.

    The ability of the program to sense when reaver pin harvesting has stopped has been improved.

    Older versions are withdrawn

    An updated version of varmacreaversav called is available for download.

    A bug in the automatic removal of log files has been corrected

    Older versions have been withdrawn contains:

    2. varmacreaversav993-help.txt
    3. maclistreaversav

    You can download this update at

    WPS Special Tools is available at

    Last edited by mmusket33; 2014-10-26 at 03:38.
