Thread: A Reaver Based Multi-Target Pin Harvesting Program

  1. #1
    Join Date
    2013-Jul
    Posts
    844

    A Reaver Based Multi-Target Pin Harvesting Program

    Musket Teams have been watching the growing resistance to reaver WPS pin harvesting. Some routers lock after x number of pin requests, while others simply stop responding to pin requests for some period of time. In cases where the router locked the WPS system, these routers many times unlock within the next 18 to 24 hours. Very few in our areas of operation remain permanently locked. Those routers that stopped responding to pin requests but remained open were found to accept pin requests again in a few minutes. Hence WPS pins could be collected from these routers, but this would take a lot of effort.

    The problem therefore was not technical but administrative. Musket Teams were in the process of automating these processes when we discovered auto-reaver. This program could collect pins from a large number of targets and looked very promising at first. But after testing the program for a month we found that auto-reaver would hang on targets under several different circumstances, even though the author had attempted to prevent the problem through various bash methods. With auto-reaver off the map, we went back to writing a script with a new view of the problems and developed a very simple pin harvesting program primarily dependent on time.

    The script file we call varmacreaverlocked18 was developed to slowly harvest pins from routers which either 1. lock their WPS systems after X number of pin requests or 2. stop responding to these pin requests but remain open. It employs the existing reaver program and should not be used if the router is open to WPS pin requests and is responding normally. The program requires a setup phase where the user enters the target APs and attack details of each target into a configuration txt file called maclistreaver. Once written, the user simply runs the varmacreaverlocked.sh program, answers a few simple questions and the program works its way through the target APs listed in the maclistreaver configuration file.

    Varmacreaverlocked allows you to load up to 50 targets into the program through the maclistreaver configuration file. We will add more target slots if users so require.
    A user can set the -r x:y command through the configuration file.
    A long range weak RSSI feature has been added.
    Special attack requirements for individual target APs could also be loaded into the reaver command lines manually if the user has some understanding of bash.

    The reaver attack is time based. It cannot lock in an endless EAPOL hang on one target. When the program starts, it monitors the output of reaver. If a WPS locked state occurs, or there is a failure to associate, or reaver output is idle, the script shuts down reaver and moves on to the next target. If the attack is active the script will allow the process to continue till the time as set by the user expires. We are constantly refining the coding driving this section of the script.
    Each target has its own individual time element. You can attack target1 for 120 seconds, then go to target2 and attack it for 300 seconds, as per the configuration file.

    New
    Enclosed is an updated version of varmacreaversav called varmascreaver992.sh. We have added the ability to adjust the maclistreaver configuration file while the program is running.

    The ability of the program to sense when reaver pin harvesting has stopped has been improved.


    Older versions are withdrawn

    An updated version of varmacreaversav called varmascreaver993.sh is available for download.

    A bug in the automatic removal of log files has been corrected

    Older versions have been withdrawn

    varmacreaversav99-3.zip contains:

    1. varmacreaversav99-3.sh
    2. varmacreaversav993-help.txt
    3. maclistreaversav


    You can download this update at

    http://www.axifile.com/en/91AF3E59AD

    WPS Special Tools is available at

    http://www.axifile.com/en/DCA5819C59

    MTA
    Last edited by mmusket33; 2014-10-26 at 03:38.

  2. #2
    Join Date
    2013-Jul
    Posts
    844
    Varmacreaverlocked18 has been updated to 19. See above for new download link

  3. #3
    Join Date
    2013-Jul
    Posts
    844
    Musket Teams have updated the program to varmacreaversav.sh. We have added the ability to save text files written to screen and add known WPS pins to the command line.


    Older versions are withdrawn. Upload varmacreaversav at:


    http://www.axifile.com/en/83E5E4EACA

    MTeams

  4. #4
    Join Date
    2014-Jun
    Location
    Greece
    Posts
    133
    Hi there!
    Your script looks promising! I will try it for sure.

    Just a quick question. What did you mean by that?
    Quote Originally Posted by mmusket33:
    ....In cases where the router locked the WPS system, these routers many times unlock within the next 18 to 24 hours. Very few in our areas of operation remain permanently locked. Those routers that stopped responding to pin request but remained open, were found to accept pin requests again in a few minutes....
    Did you attack routers that you don't own?
    Or those routers are in a testing environment that you own?

    If this is the case then please refer to this:
    https://forums.kali.org/showthread.p...-guidelines%29

    6. Ethical guidelines.
    Any advice/information offered on these forums is to be used for the legal informational/professional/educational purposes for which it is intended.
    We will not tolerate any questions pertaining to illegal activities. Any indication of illegal activities in your post will result in an immediate ban and deletion of your account from the forums.
    It's well known that my English is terrible, and pardon me in advance if I understand wrong.
    Last edited by Nick_the_Greek; 2014-09-05 at 06:37.
    Security always begins with personal responsibility. - quietman7

  5. #5
    Join Date
    2013-Jul
    Posts
    844
    We have updated varmacreaversav to varmacreaversav992 available at

    http://www.axifile.com/en/57D8CB36AF

    Improvements include the ability to adjust the configuration file while the program is running.

    Sensing that the reaver attack has stalled is also improved.


    In closing we wish to quote Merlin and magic: to know their secret name is to own them. So if you know the WPS pin, you own the router. Slowly cracking 11000 WPS pins is far better than trying to brute force a WPA handshake, where the attack could stretch to decades.

  6. #6
    Join Date
    2013-Jul
    Posts
    844
    An updated version of varmacreaversav called varmascreaversav99-3.sh is available for download.

    A bug in the automatic removal of log files has been corrected.

    Older versions have been withdrawn.


    varmacreaversav99-3.zip contains:

    1. varmacreaversav99-3.sh
    2. varmacreaversav993-help.txt
    3. maclistreaversav


    You can download this update at

    http://www.axifile.com/en/91AF3E59AD
    MTB

  7. #7
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Got it! Thank you. Will give it spin.
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  8. #8
    Join Date
    2013-Jul
    Posts
    844
    WPS Special Tools can be available at:

    http://www.axifile.com/en/DCA5819C59

  9. #9
    Join Date
    2014-Oct
    Posts
    14
    The updated script works great, at first. Because reaver is trying to associate itself to the AP, pin requests fail after the first loop. I tested this by using aireplay-ng to associate and reaver started moving along nicely. However, because everything gets restarted in the loop, including the wireless card, aireplay has to be restarted manually for your script to work.

    If aireplay can be added so association can be passed through from reaver to aireplay, then your script would be fully automated.

  10. #10
    Join Date
    2013-Jul
    Posts
    844
    We have run this script on three(3) different computers two(2) running kali 1-09 and one(1) running 1.07. The scripts ran unattended for two(2) days straight. We have been unable to duplicate this bug.

    1. To be clear, which script are you referring to?
    2. Post the aireplay-ng command line that you used. Aireplay has -0 thru -9. We can add the aireplay-ng routine that you used into the script and send it to you no problem. We simply cannot test it as we are not seeing this.

    MTeams

  11. #11
    Join Date
    2014-Oct
    Posts
    14
    I am using the 006 version of your script.

    The following aireplay command is currently being used:
    aireplay-ng -1 60 -a bssid -e essid -q 10 mon0

    Thanks

    Scolder
