Page 1 of 2 12 LastLast
Results 1 to 50 of 55

Thread: Force an AP to reboot

  1. #1
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520

    Force an AP to reboot

    *This thread is under construction*- Be responsible with whatever is cooked up in this thread. Nobody here is going to be responsible for any trouble you get into if you choose to be stupid with this stuff.

    Hello friends. Chef soxrok2212 is in the kitchen again, looking to cook up a new way to force an AP to reboot remotely. Over the course of the past few months, following all the Pixie Dust developments, I figured finding a new way to remotely reboot APs would be a huge improvement over the depreciated MDK3, as it is not very effective on newer hardware. Here are some of the proposed ideas (from myself and a few other members).

    1- Invalid SSID Character Attack
    -Thanks to a Musket Developer, the community now has a modified version of MDK3! This version features a new test mode "t" where it sends a user specified amount of invalid probe requests to an AP.

    -The hope here is that the AP will get confused and use those "Self Healing" features and just do a reboot. I have tested briefly on some newer hardware, and while I wasn't able to completely crash anything, it pretty much killed everything. On older hardware, I suspect that this will work.

    -You can download mdk3-master here
    Install Instructions
    Code:
    cd /mdk3-master
    make
    sudo make install
    Usage
    Code:
    t   - Probe Request Tests (mod-musket)
      mdk3 <mon> t <channel> <bssid AP> <frames/sec>
    -All other stranded MDK3 options are included as well

    -Please leave a comment if you are successful!

    *Strangely enough, after I had suggested this idea a few weeks ago, a new flaw was found in P2P devices which does essentially what I was thinking of (though it is used for a different application)*

    2- WPS M2 Exploit
    -Datahead has been testing this new method, where we basically send a bunch of M2 messages (yes, the M2 messages in a WPS exchange.)

    -What needs to be done, is we need to associate with the AP, (either through Reaver or aireplay-ng, etc) and then generate and flood M2 packets that can even be made with random data.

    3- QOS-TKIP Inject
    -There has been a lot of stir over semi-recent WPA-TKIP attacks, specifically the Beck-Tews, or the newer Ohigashi-Morii attack. Basically, we are able to recover the MIC key and some other small components which allows up to inject arbitrary data into a network supporting TKIP, and I'm wondering if we can trigger the network to reset with that data. It seems promising since simply trying 2 invalid MIC keys within 60 seconds locks all wireless traffic on the AP for 60? seconds, so maybe we can incorporate something new. I'm not 100% familiar with the attack in details, but I'm looking into it.

    4- The Infamous MDK3 Secret Destruction Mode Attack
    -This method has been depreciated since most newer hardware is invulnerable. Check it out here
    Last edited by soxrok2212; 2015-05-23 at 13:00. Reason: New MDK3

  2. #2
    Join Date
    2015-Apr
    Posts
    5
    Hey chef... eager to know more about this project.

  3. #3
    Join Date
    2013-Jul
    Posts
    820
    MTeams was about to post this research and this looks like the best place.

    We have been using VMR-MDK009x5.sh a newer version pf VMR-MDK009x2.sh to break thru WPS locked routers and harvest pins. The only main difference between Version x5 and version x2 is that the script allows you to clone a mac address of any client associated to the router.

    In a subset of routers showing a WPS locked state, a number of pins can be harvested. When the router stops providing pins, if the router is hit with a combination of MDK3 usually DDOS and EAPOL Packet Flooding for usually only 15 to 20 seconds, the router will give up more pins.

    1. However with respect to reaver pin harvesting this only works when --dh-small is in the reaver command line.
    2. If a client is associated the efficiency of pin harvesting is increased if reaver is using the mac address of the associated client.

    Cracking routers in this manner requires an automated script and does not require resetting the router. And only works on certain routers. It also takes time.

    MTeams
    Last edited by mmusket33; 2015-05-12 at 11:59.

  4. #4
    Join Date
    2015-Apr
    Posts
    29
    @mmusket33
    Respect for your work.
    I think that your answer is not matching with the theme.


    @ soxrok2212
    Thanks for all your great ideas.
    Is there 1. and 2. have new inspirations?

  5. #5
    Join Date
    2013-Jul
    Posts
    820
    To Laserman75

    For historical reference:

    The reason for the resetting of routers and soxrok2212's original thread last year, which he has posted here in part, is to open up the router to further WPS pin collection. Unfortunately the complete older thread are not available for your purview. The original theory was that if the router could be reset then WPS pin collection could be restarted.

    The point MTeams is making here, is that a complete resetting of the router is not always necessary to effect pin collection. Under certain conditions pin collection can be done thru combinations of reaver command line settings and small amounts of mdk3.

    On other subjects

    Further to our comments on the use of --dh-small in the command line we have extracted this warning from wiire.

    NOTE: if you use small keys on pixiewps but not on reaver, then pixiewps won't be able to find the pin even if the router is vulnerable, no matter what.

    Also for Realtek you shouldn't use small keys.

    MTeams
    Last edited by mmusket33; 2015-05-15 at 01:03.

  6. #6
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I'm working with a guy right now, I guess he's very familiar with C and is attempting to modify MDK3 for the Invalid SSID Character Attack. I've had one person take a different approach to this and he reported unsuccessful but there are a lot of possible variations in setup. It will take a lot of tinkering and figuring but hopefully we can come up with a working solution.

    The reason I'm particularly interested in this is because some ISPs began taking action to prevent against Pixie Dust attacks, particularly TWC at the moment, and they now lock WPS after 1 exchange, even if the exchange completely fails.

    Hence, a quick way to reboot after grabbing the necessary data would lead to a successful attack.

  7. #7
    Join Date
    2015-Mar
    Posts
    141
    I've been trying the invalid ssid chars for a few days now, using tcpreplay seems to work very well, tried hexinject and scapy also,
    AP is responding to directed probe requests, I modified the packet to target it specificaly instead of FF:FF:FF:FF:FF:FF, it does acknowledge the packet so it is transmitting correctly.

    I litterally blasted this thing for 12 hours straight at over 600pps of randomly generated invalid characters in ssid, it acknowledged every single one and kept going fine, didn't unlock or reboot, not even a DOS...

    Tried invalid chars in ssid, invalid lengths, overflow lenghts, zero length, and a few other things i cant remember at the moment.

    I will try it on a few different targets, but so far i've only tried one. A broadcom chipset, i think.

    Tried the M2 thing also. Pointed four cards at it all with the same spoofed mac address, and unloaded at well over 1200pps combined.
    During which, with a seperate machine, i was still able to do a complete wps transaction just fine using reaver if it was previously unlocked, or never get past identity response if it was locked.

    Still have a few other ideas i'm playing with, like randomize mac each transaction, or combine the two attacks at the same time, playing with QOS packets...
    Maybe seeing if there is a way to insert some junk traffic to disrupt the network enough so the owner reboots it manually...

    Just trying to be careful not to only crash the wps stack and leave the rest of the router standing.
    Last edited by aanarchyy; 2015-05-15 at 18:55.

  8. #8
    Join Date
    2013-Jul
    Posts
    820
    To: aanarchyy

    MTeams is assuming the router is showing a WPS Locked State

    Try hitting the router for short periods of time with your newer methods.

    Next start reaver with the -L in the command line, We suggest the following:

    reaver -i mon0 -a -f -c 1 -b XX:XX:XX:XX:XX:XX -r 3:15 -L -E -S -vv -N -T 1 -t 20 -d 0 -x 30

    As you can see we are ignoring the locked state. Watch to see if the router gives up some pins.

    Start with 15 to 20 seconds of your DDOS methods and increase the time out and see if you can induce pin collection.

    If you want a quick way to randomize your macs we can send or post you our coding however you must use the older airmon-ng. The new airmon-ng limits this. You cannot make multiple monitors off a single device. Want any help just write us.


    MTeams
    Last edited by mmusket33; 2015-05-16 at 09:52.

  9. #9
    Join Date
    2015-May
    Posts
    18
    I have maby an idea.
    If you do 2 wrong tries with reaver and someone do a valid login on the router, does the count begin from scratch again and you can do 2 moore try??
    And if, is it enough if they login via wpa and that reset wps count 2??
    If so maby you can do a script that do 2 hits with reaver, then do a deauth with aireplay so a client on the router reconnect and then reset the logintry count, the sccript make 2 another hits and so on.

  10. #10
    Join Date
    2013-Jul
    Posts
    820
    To squash,

    The script would be easy to write however .

    1. What do you mean by the logintry count?

    2. Explain how you are resetting the logintry count.

    MTeams

  11. #11
    Join Date
    2015-May
    Posts
    18
    Quote Originally Posted by mmusket33 View Post
    To squash,

    The script would be easy to write however .

    1. What do you mean by the logintry count?

    2. Explain how you are resetting the logintry count.

    MTeams
    I have no idea if wps works this way, have no own router with wps so i can try..

    But in exempel when i log into my bank, if i made 3 faillogin its got locked, but if i do 2 fails and then succeded its start over on scratch next time i make 1 wrong attemp, so its not get locked.
    Is it the same way with wps?? and does it is enough if it is a wpalogin and not a succeded wpslogin?

    sorry for my bad english:P

  12. #12
    Join Date
    2015-Mar
    Posts
    141
    That's not how WPS work's, it is a seperate process from WPA.

    @mmusket33
    I was trying this against locked and unlocked routers. A locked router just discards any WPS transaction packets(like M2's) you throw at it. Which is why ive been looking for data packets to copy and blast back to maybe dos so the owner resets the router. Or inject some other type of invalid data into the router to crash/lock it. Some routers to continue to accept WPS transactions even when reporting locked, but all of what i've done hasn't made a difference to how many, for how long, or anything.

    So far all ive done successfully is crash the wps stack, and the rest of the router keeps going fine... And as for the invalid characters in the OP, there isn't really a way to put those in, those are longer than two hex digits. such as œ is 0xc5 0x93, and the router will parse each one seperately. Which is still invalid...

    And i've broken like 4 routers ripping the flash chip out and spi dumping it and digging through the flash dumps... im running out of routers i own that have wps... :-(
    Last edited by aanarchyy; 2015-05-17 at 15:49.

  13. #13
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I'll be uploading a modification to MDK3 later tonight or sometime this weekend! What it does is it probes an AP with invalid SSID characters. Since I only have access to newer hardware, I was unable to completely brick my router, but I was able to drop my download speeds from 60mbps to 2mbps and my uploads from 4mbps to 1mbps and my ping spiked up to over 100 until I stopped. So it is obviously doing something but I don't have enough hardware to test it on. This modification was NOT made by me, but a new friend who decided to help the community. He is not a user on here, so I can't properly address him but if you want to give thanks, I guess you could thank "Musket Developer". I hope you guys can do some tests and hopefully it'll work for y'all, and if not we will have to find something new!
    Last edited by soxrok2212; 2015-05-23 at 12:19.

  14. #14
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Hey guys! I've got the new version of MDK3 up on GitHub! Check it out here: https://github.com/soxrok2212/mdk3-master I'll update the original post with all the details Test it and let me know if it works for you!

  15. #15
    Join Date
    2013-Jul
    Posts
    820
    Pixie Dust Surprises!!

    MTeams have been running tests with a reaver/mdk3/pixiedust combination that has obtained unexpected results on several occasions. For Historical Reference the targetAPs previously only gave up a few complete Pixie Dust Data sequences and then would only respond occasionaly if at all to reaver requests for pins. These routers did not lock their WPS systems they just stopped responding regularly to pin requests.
    Every Pixie Dust sequence captured had been tested with pixiewps1.1 to include brute force with no result. We have been attacking these routers for about a month with no effect. In short nothing worked.

    MTeams changed tactics and attack router with MDK3 usually combinations of DDOS and EAPOL Packet Flooding using a VMR-MDK lab variant. We incorporated pixiewps1.1 into VMR-MDK so it would test a Pixiedust data sequence when first obtained. VMR-MDK ran reaver for 120 seconds DDOSed the router for 20 seconds then checked the data output with pixiewps1.1 and then rested for 60 seconds in a consant cycle.
    Suddenly pixiewps1.1 produced the WPS pin which was 12345670. It looks to us that these routers had reset the WPS pin.
    We jammed the pin in the reaver comand line and the WPA Key was produced.

    This tells us that routers which appear invulnerable to pixiewps1.1 might actually give up their WPS pin given time.
    Last edited by mmusket33; 2015-06-01 at 05:20.

  16. #16
    Join Date
    2015-May
    Posts
    4
    Quote Originally Posted by mmusket33 View Post
    Pixie Dust Surprises!!

    MTeams have been running tests with a reaver/mdk3/pixiedust combination that has obtained unexpected results on several occasions. For Historical Reference the targetAPs previously only gave up a few complete Pixie Dust Data sequences and then would only respond occasionaly if at all to reaver requests for pins. These routers did not lock their WPS systems they just stopped responding regularly to pin requests.
    Every Pixie Dust sequence captured had been tested with pixiewps1.1 to include brute force with no result. We have been attacking these routers for about a month with no effect. In short nothing worked.

    MTeams changed tactics and attack router with MDK3 usually combinations of DDOS and EAPOL Packet Flooding using a VMR-MDK lab variant. We incorporated pixiewps1.1 into VMR-MDK so it would test a Pixiedust data sequence when first obtained. VMR-MDK ran reaver for 120 seconds DDOSed the router for 20 seconds then checked the data output with pixiewps1.1 and then rested for 60 seconds in a consant cycle.
    Suddenly pixiewps1.1 produced the WPS pin which was 12345670. It looks to us that these routers had reset the WPS pin.
    We jammed the pin in the reaver comand line and the WPA Key was produced.

    This tells us that routers which appear invulnerable to pixiewps1.1 might actually give up their WPS pin given time.
    Hey mmusket33,

    I'm all new to the field and have been learning steadily starting from WEP attacks stumbling upon you releases and I wanted to know if I could use your version of the script with the pixie dust attack incorporated or if there was a way to use the two combined without the script, I'm attacking a Technicolor router which proved to be quite challenging, locks for one minute after 3 attempts then accepts other tries then locks for a long time, I never know how long since I DoS it and then it starts accepting again but it accepts few tries. I want to try and see if it resets its PIN

  17. #17
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    You could try using -P in reaver, sets it I to PixieLoop mode which 99% of the time avoids lockouts, but it won't crack the pin through a standard 11,000 pin bruteforce. It is generally used for gathering hashes or for APs that lock out even after 1 failed attempt.

  18. #18
    Join Date
    2015-May
    Posts
    4
    I tried that but it just kept retrying the last pin until I launched fakeauth each 3s then it started moving, but should I have added the -K 1 command along with the -P, in any case, do you think the output would be interesting to read?

    it's a (Technicolor) mediaAccess tG589vn v3

  19. #19
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by othmam View Post
    I tried that but it just kept retrying the last pin until I launched fakeauth each 3s then it started moving, but should I have added the -K 1 command along with the -P, in any case, do you think the output would be interesting to read?

    it's a (Technicolor) mediaAccess tG589vn v3
    I mean it couldn't hurt but I wasn't able to find any information about the model online in a quick search which is usually all it takes.

  20. #20
    Join Date
    2015-May
    Posts
    4
    I just got to accept the fact that it's a no go for this one especially that i can't automate the process with my little knowledge, oh well, I'll be hoping for advances to be made. Thanks a lot soxrok2212

  21. #21
    Join Date
    2013-Jul
    Posts
    820
    To othman

    The automated process you seek is found in the VMRMDK 150108 package.

    You can downlad it at

    http://www.datafilehost.com/d/18156813

    It is also found as a download in the aircrack forums

    http://forum.aircrack-ng.org/index.php/topic,868.0.html


    MTeams are in the process of updating the script. We are just completing the last module and then will start testing and working on the help file. However the current script will work as long as you are using the older airmon-ng.

    Musket Teams

  22. #22
    Join Date
    2013-Jul
    Posts
    820
    Reaver replay techniques.

    When routers are subjected to mdk3 or they are restarted, sometimes the WPS pin resets to 12345670

    Reaver checks pin 12345670 at the start of the brute force attack, therefore if you are attacking a router with reaver etc and the router resets to 12345670, reaver has already checked this pin. In this case reaver will climb to 99.99% and cycle endlessly as the pin changed during the attack.

    To check to see it the router has reset the WPS pin and not disrupt any brute force attack being conducted suggest you use the following technique.

    1. Stop the brute force.

    2. Restart reaver but add the --pin=12345670 and the --session=path to file/filename to the command line

    You can use root and any file name. Just DO NOT use the same folder and file name where reaver normally stores its .wpc files.

    To find where reaver normally stores its .wpc files type

    locate .wpc

    A reaver command line is as follows:

    reaver -i mon0 -c 1 -b 55:44:33:22:11:00 -vv -x 60 --pin=12345670 --session=test12345670

    Run reaver for a few cycles. If the pin has reset the attack will stop and the WPA Key will be seen etc.

    If the WPS Key is not found continue your brute force which should not be disrupted. The attack should continue where it left. Make sure you remove the --pin= and --session= from the commandline when you restart the brute force again.

    Recheck pin 12345670 ocassionally.

    We have incorporated a replay sequence into our VMR-MDK variant and have gotten good results.

    MTeams

  23. #23
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by mmusket33 View Post
    Reaver replay techniques.

    When routers are subjected to mdk3 or they are restarted, sometimes the WPS pin resets to 12345670

    Reaver checks pin 12345670 at the start of the brute force attack, therefore if you are attacking a router with reaver etc and the router resets to 12345670, reaver has already checked this pin. In this case reaver will climb to 99.99% and cycle endlessly as the pin changed during the attack.

    To check to see it the router has reset the WPS pin and not disrupt any brute force attack being conducted suggest you use the following technique.

    1. Stop the brute force.

    2. Restart reaver but add the --pin=12345670 and the --session=path to file/filename to the command line

    You can use root and any file name. Just DO NOT use the same folder and file name where reaver normally stores its .wpc files.

    To find where reaver normally stores its .wpc files type

    locate .wpc

    A reaver command line is as follows:

    reaver -i mon0 -c 1 -b 55:44:33:22:11:00 -vv -x 60 --pin=12345670 --session=test12345670

    Run reaver for a few cycles. If the pin has reset the attack will stop and the WPA Key will be seen etc.

    If the WPS Key is not found continue your brute force which should not be disrupted. The attack should continue where it left. Make sure you remove the --pin= and --session= from the commandline when you restart the brute force again.

    Recheck pin 12345670 ocassionally.

    We have incorporated a replay sequence into our VMR-MDK variant and have gotten good results.

    MTeams
    Are there any specific devices you have tested this on?

  24. #24
    Join Date
    2015-Jun
    Posts
    7
    Quote Originally Posted by soxrok2212 View Post
    Are there any specific devices you have tested this on?
    I think this is actually the issue here. There are so many devices, so many firmware versions, and also different chipsets even within the same model that it complicates this exponentially. Unless of course you find a silver bullet for everything which if you did there are allot bigger ramifications then using it to reboot for wps

    I can just imagine thousands of people driving around rebooting all the things

  25. #25
    Join Date
    2013-Jul
    Posts
    820
    Musket Teams have voted to release their latest WPS Locked Intrusion Script

    VMR-MDK-11x8.sh and Tools

    for General Use:

    Included in the VMR-MDK.zip file

    1. mdk3-v6 folder
    2. configfiledetailed
    3. Help Files VMR-MDK011x8.txt
    4. PDDSA-06.sh
    5. VMR-MDK-11x8.sh

    The script has been written to take advantage of a flaw in some WPS locked routers allowing the collection of pins even though reaver and wash show the router is locked.The downloaded includes extensive help files and has been tested against numerous routers showing this flaw. All were cracked.
    Also included in the help files is how to handle the 99.99% problem which occurs in almost half of the successful attacks against routers providing small numbers of pins when the WPS system is locked. Details are also included in the help files.

    Download the zip package attached iat

    http://www.datafilehost.com/d/b7e4b1d9

    Musket Teams

  26. #26
    Join Date
    2015-May
    Posts
    18
    Quote Originally Posted by mmusket33 View Post
    Musket Teams have voted to release their latest WPS Locked Intrusion Script

    VMR-MDK-11x8.sh and Tools

    for General Use:

    Included in the VMR-MDK.zip file

    1. mdk3-v6 folder
    2. configfiledetailed
    3. Help Files VMR-MDK011x8.txt
    4. PDDSA-06.sh
    5. VMR-MDK-11x8.sh

    The script has been written to take advantage of a flaw in some WPS locked routers allowing the collection of pins even though reaver and wash show the router is locked.The downloaded includes extensive help files and has been tested against numerous routers showing this flaw. All were cracked.
    Also included in the help files is how to handle the 99.99% problem which occurs in almost half of the successful attacks against routers providing small numbers of pins when the WPS system is locked. Details are also included in the help files.

    Download the zip package attached iat

    http://www.datafilehost.com/d/b7e4b1d9

    Musket Teams
    Cant make mdk3 start at all. :/

    I downloaded vmr-mdk, extracted the files, put the mdk folder into root.

    then open terminal and typed

    Code:
    cd md*
    make
    got this output

    make -C osdep
    make[1]: Entering directory `/root/mdk3-v6/osdep'
    Building for Linux
    make[2]: Entering directory `/root/mdk3-v6/osdep'
    make[2]: ".os.Linux" är färsk. (swedish for is fresh)
    make[2]: Leaving directory `/root/mdk3-v6/osdep'
    make[1]: Leaving directory `/root/mdk3-v6/osdep'

    Code:
    make install
    got this

    make -C osdep install
    make[1]: Entering directory `/root/mdk3-v6/osdep'
    Building for Linux
    make[2]: Entering directory `/root/mdk3-v6/osdep'
    make[2]: ".os.Linux" är färsk.
    make[2]: Leaving directory `/root/mdk3-v6/osdep'
    make[1]: Leaving directory `/root/mdk3-v6/osdep'
    install -D -m 0755 mdk3 //usr/local/sbin/mdk3

    Code:
    chmod 755 /root/mdk3-v6/*
    Now i tried to run mdk3 by type

    Code:
    mdk3
    got

    bash: /usr/local/sbin/mdk3: Filen eller katalogen finns inte (swedish for "the file or directory doesent exist".)

    tried
    Code:
    /root/mdk3-v6/mdk3
    got

    bash: /root/mdk3-v6/mdk3: Filen eller katalogen finns inte



    Any ideas what im doing wrong??

    Thanks// squash.

  27. #27
    Join Date
    2013-Jul
    Posts
    820
    To squash

    MTeams downloaded the file and extracted it and then loaded it on a Hardrive install of Kali-linux1.10a i386

    We got exactly the same output you got minus the swedish when we ran make and make install.

    We ran the program and got the help files three(3) different ways

    cd mdk3-V6

    mdk3 or ./mdk3 either gave the help files

    and

    /root/mdk3-v6/mdk3 gave us the help files


    There is another download site for this in these forums I think thru github. You can try that but our version is straight from our MTeam Associate C-Programmer. The mdk3 program providing Invalid SSID is only a dependency for VMR-MDK. There are 15 DDOS selections you can still test other DDOS processes until you sort this out.

    MTeams


    MTeams

  28. #28
    Join Date
    2015-May
    Posts
    18
    Quote Originally Posted by mmusket33 View Post
    To squash

    MTeams downloaded the file and extracted it and then loaded it on a Hardrive install of Kali-linux1.10a i386

    We got exactly the same output you got minus the swedish when we ran make and make install.

    We ran the program and got the help files three(3) different ways

    cd mdk3-V6

    mdk3 or ./mdk3 either gave the help files

    and

    /root/mdk3-v6/mdk3 gave us the help files


    There is another download site for this in these forums I think thru github. You can try that but our version is straight from our MTeam Associate C-Programmer. The mdk3 program providing Invalid SSID is only a dependency for VMR-MDK. There are 15 DDOS selections you can still test other DDOS processes until you sort this out.

    MTeams


    MTeams
    Tried with my hdd installed kali 1.10a doesent work.

    Tried with my live iso (same i used to install on hdd) doesent work.

    downloaded the 32 bit kali 1.10a mdk3 worked and i got this output.

    MDK 3.0 v6(mod-musket-r1) - "**** the censorship"
    by ASPj of k2wrlz, using the osdep library from aircrack-ng
    And with lots of help from the great aircrack-ng community:
    Antragon, moongray, Ace, Zero_Chaos, Hirte, thefkboss, ducttape,
    telek0miker, Le_Vert, sorbo, Andy Green, bahathir and Dawid Gajownik
    THANK YOU!

    MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses.
    IMPORTANT: It is your responsibility to make sure you have permission from the
    network owner before running MDK against it.

    This code is licenced under the GPLv2

    MDK USAGE:
    mdk3 <interface> <test_mode> [test_options]

    Try mdk3 --fullhelp for all test options
    Try mdk3 --help <test_mode> for info about one test only

    TEST MODES:
    b - Beacon Flood Mode
    Sends beacon frames to show fake APs at clients.
    This can sometimes crash network scanners and even drivers!
    a - Authentication DoS mode
    Sends authentication frames to all APs found in range.
    Too much clients freeze or reset some APs.
    p - Basic probing and ESSID Bruteforce mode
    Probes AP and check for answer, useful for checking if SSID has
    been correctly decloaked or if AP is in your adaptors sending range
    SSID Bruteforcing is also possible with this test mode.
    d - Deauthentication / Disassociation Amok Mode
    Kicks everybody found from AP
    m - Michael shutdown exploitation (TKIP)
    Cancels all traffic continuously
    x - 802.1X tests
    w - WIDS/WIPS Confusion
    Confuse/Abuse Intrusion Detection and Prevention Systems
    f - MAC filter bruteforce mode
    This test uses a list of known client MAC Adresses and tries to
    authenticate them to the given AP while dynamically changing
    its response timeout for best performance. It currently works only
    on APs who deny an open authentication request properly
    g - WPA Downgrade test
    deauthenticates Stations and APs sending WPA encrypted packets.
    With this test you can check if the sysadmin will try setting his
    network to WEP or disable encryption.
    t - Probe request tests (mod-musket)
    ./mdk3 <mon> t <channel> <bssid AP> <frames/sec>
    Last edited by g0tmi1k; 2015-08-12 at 09:56. Reason: Swaering

  29. #29
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    If you're looking to install MDK3, download this: https://github.com/soxrok2212/mdk3-m...ive/master.zip then
    Code:
    cd /path/to/mdk3-master
    make
    make install
    That should work. If not, let me know.

  30. #30
    Join Date
    2015-May
    Posts
    18
    Quote Originally Posted by soxrok2212 View Post
    If you're looking to install MDK3, download this: https://github.com/soxrok2212/mdk3-m...ive/master.zip then
    Code:
    cd /path/to/mdk3-master
    make
    make install
    That should work. If not, let me know.
    Well i got mdk3 in mmuskets zip 2 work in 32 bit and now installed your (soxrok) variant in my 64 bit and that worked 2.

    now is the only prolem that the VMR-MDK011x8.sh script just stop after i have selected device and chose no to tx powerbost. if i chose yes i got some strange failmessage blinking fast away and the the scrip stoped.

    when sript start it create 3 files in root called airmon-ng 01 02 03 or somethig, those disapear after script stoped, then he create 2 files called lan0p and lan1p and sometimes i see a wlan1p file.

    The script doesent create any VARMAC_CONFIG map and it was not any VARMAC_CONFIG map in the zip.


    To musket:

    SHOULD IT BE A VARMAC_CONFIG MAP IN THE ZIP?? COUSE IN SOME PLACE I READ THE PACKAGES CONTAIN A VARMAC_CONFIG MAP AND SOMEWHERE ELSE NOT.

  31. #31
    Join Date
    2013-Jul
    Posts
    820
    To squash

    1. The red output you posted is what you should get when you typed mdk3

    As to your other problems. We have tried everything to reproduce them with no effect. We have this program running on six(6) computers from laptops to desktops all HD installs of kali-linux from 1.09 to 1.10a i386. Furthermore the program was beta tested by others outside our group.

    We have not tested persistent usb installs or any virtual solutions.

    Your computer seems to have some sort of problem with root. The mdk3 program you installed did not run. Furthermore the airmon files you are mentioning are simple text files written to root thru tee temporarily and then erased. Also the VARMAC folders are written to root.

    We would gladly code around your problem even write a special edition for you only but we first have to duplicate it.

    Post the line of code you see at 3293 thru 3297 in the VMR-MDK script. Open the script with leafpad ctrl j enter 3293 and paste what you see on the lines mentioned.

    MTeams

  32. #32
    Join Date
    2015-May
    Posts
    18
    Quote Originally Posted by mmusket33 View Post
    To squash

    1. The red output you posted is what you should get when you typed mdk3

    As to your other problems. We have tried everything to reproduce them with no effect. We have this program running on six(6) computers from laptops to desktops all HD installs of kali-linux from 1.09 to 1.10a i386. Furthermore the program was beta tested by others outside our group.

    We have not tested persistent usb installs or any virtual solutions.

    Your computer seems to have some sort of problem with root. The mdk3 program you installed did not run. Furthermore the airmon files you are mentioning are simple text files written to root thru tee temporarily and then erased. Also the VARMAC folders are written to root.

    We would gladly code around your problem even write a special edition for you only but we first have to duplicate it.

    Post the line of code you see at 3293 thru 3297 in the VMR-MDK script. Open the script with leafpad ctrl j enter 3293 and paste what you see on the lines mentioned.

    MTeams
    Thanks for the answer.

    yeah my computer seems to have big problem with everythingXD

    i think i reinstall kali like once in the month just couse i **** up something on itXD

    Thats the way i learn

    this kali i have installed now is just 2 days old so cant have messed it up so much, and even on the live iso the script doesent work.

    the lines you ask about is those.

    Code:
    cat < airmon01.txt | awk -F' ' '{ if(($1 != "Interface")) {print $1}}' > airmon02.txt
    
    cat < airmon02.txt | awk -F' ' '{ if(($1 != "")) {print $1}}' > airmon03.txt
    
      AIRMONNAME=$(cat airmon03.txt | nl -ba -w 1  -s ': ')
    btw, my computer is a "msi gt70 onc"

    well i dont know if you should bother yourself with doing something right now for just me, maby wait until the release of kali 2.0
    i gona try that out and e if it works bether

    many thanks

    EDIT: I dont know if you count the space between the lines for a line:P but i post some moore lines if you dont

    cat < airmon01.txt | awk -F' ' '{ if(($1 != "Interface")) {print $1}}' > airmon02.txt

    cat < airmon02.txt | awk -F' ' '{ if(($1 != "")) {print $1}}' > airmon03.txt

    AIRMONNAME=$(cat airmon03.txt | nl -ba -w 1 -s ': ')

    fi


    if [ $airmontype != Interface ]; then


    echo -e "$txtrst"
    airmon-old_fn | tee airmon01.txt

    cat < airmon01.txt | awk -F' ' '{ if(($2 != "Interface")) {print $2}}' > airmon02.txt

    cat < airmon02.txt | awk -F' ' '{ if(($1 != "")) {print $2}}' > airmon03.txt

    AIRMONNAME=$(cat airmon03.txt | nl -ba -w 1 -s ': ')

    fi
    Last edited by g0tmi1k; 2015-08-12 at 09:55. Reason: Swearing

  33. #33
    Join Date
    2015-May
    Posts
    18
    Quote Originally Posted by squash View Post
    Thanks for the answer.

    yeah my computer seems to have big problem with everythingXD

    i think i reinstall kali like once in the month just couse i **** up something on itXD

    Thats the way i learn

    this kali i have installed now is just 2 days old so cant have messed it up so much, and even on the live iso the script doesent work.

    the lines you ask about is those.

    Code:
    cat < airmon01.txt | awk -F' ' '{ if(($1 != "Interface")) {print $1}}' > airmon02.txt
    
    cat < airmon02.txt | awk -F' ' '{ if(($1 != "")) {print $1}}' > airmon03.txt
    
      AIRMONNAME=$(cat airmon03.txt | nl -ba -w 1  -s ': ')
    btw, my computer is a "msi gt70 onc"

    well i dont know if you should bother yourself with doing something right now for just me, maby wait until the release of kali 2.0
    i gona try that out and e if it works bether

    many thanks

    EDIT: I dont know if you count the space between the lines for a line:P but i post some moore lines if you dont

    cat < airmon01.txt | awk -F' ' '{ if(($1 != "Interface")) {print $1}}' > airmon02.txt

    cat < airmon02.txt | awk -F' ' '{ if(($1 != "")) {print $1}}' > airmon03.txt

    AIRMONNAME=$(cat airmon03.txt | nl -ba -w 1 -s ': ')

    fi


    if [ $airmontype != Interface ]; then


    echo -e "$txtrst"
    airmon-old_fn | tee airmon01.txt

    cat < airmon01.txt | awk -F' ' '{ if(($2 != "Interface")) {print $2}}' > airmon02.txt

    cat < airmon02.txt | awk -F' ' '{ if(($1 != "")) {print $2}}' > airmon03.txt

    AIRMONNAME=$(cat airmon03.txt | nl -ba -w 1 -s ': ')

    fi
    I downloaded kali iso 1.10a 64 bit again and put it o my usb as usual and booted the live iso on my desktop i usual run as a cryptocoin miningrig.
    Same thing there, script stoped after chose yes or no to tx boost.

    must relly being some stupid thing im doing wrong
    this time i didnt do any apt-get update or anything.just downloaded the sript right after boot. unpacked all files to root. chmoded the script and run it.

    EDIT: Have now installed a 32bit on hdd and tried 2, didnt work.
    But the PDDSA-06.sh work perfect and made a log folder.

    But i was thinking couse the program stop right after boost choise maby those error message showing up quick if i chose yes may give a hint of the problem. (i attach a screenshot)

    I got this error if i chose yes to boost, both with my integrated intelcard and my awus036nha.
    Last edited by g0tmi1k; 2015-08-12 at 09:56. Reason: Swearing

  34. #34
    Join Date
    2015-May
    Posts
    18
    Attachment 686

    screenshot

  35. #35
    Join Date
    2014-Nov
    Location
    Bulgaria
    Posts
    9
    2- WPS M2 Exploit
    Can someone explain me how to generate and flood M2 packets ?

  36. #36
    Join Date
    2015-May
    Posts
    18
    I tried 1 time moore and this time i made the VARMAC_CONFIG folder by myself and put the file "configfiledetailed" in it and this time it worked like a charm.

    Tried the program for like 3 times and it worked and create all config,folders and so.

    but sudenly it start like before, just quite after choise about tx power. didnt do any change at all between a succeded try and this one

    Now i cant make it work anymore.

  37. #37
    Join Date
    2013-Jul
    Posts
    820
    To squash,

    MTeams has not extensively tested a persistent usb install with VMR-MDK. However you could take your operating system out of the problem by running kali-linux thru a persistent usb install. We suggest you download thru torrents the 32 bit -386 version load on a usb, enable persistence, install all the dependencies and then run VMR-MDK and see what happens.

    When you had your problems we cranked up two computers pointed them at targets and left them running. The attacks are still running as we speak.

    We have tried to induce your problem:

    The only bug we can find so far was that if the user made a monitor with the newer airmon-ng i.e. wlan0mon etc the user needs to manually remove it thru the terminal window:

    airmon-ng stop wlan0mon

    before you the run VMR-MDK program.

    As we mention in the help files the newer airmon-ng limits the number of virtual monitors made against a specific device.

    MTeams
    Last edited by mmusket33; 2015-08-11 at 01:23.

  38. #38
    Join Date
    2015-May
    Posts
    18
    Quote Originally Posted by mmusket33 View Post
    To squash,

    MTeams has not extensively tested a persistent usb install with VMR-MDK. However you could take your operating system out of the problem by running kali-linux thru a persistent usb install. We suggest you download thru torrents the 32 bit -386 version load on a usb, enable persistence, install all the dependencies and then run VMR-MDK and see what happens.

    When you had your problems we cranked up two computers pointed them at targets and left them running. The attacks are still running as we speak.

    We have tried to induce your problem:

    The only bug we can find so far was that if the user made a monitor with the newer airmon-ng i.e. wlan0mon etc the user needs to manually remove it thru the terminal window:

    airmon-ng stop wlan0mon

    before you the run VMR-MDK program.

    As we mention in the help files the newer airmon-ng limits the number of virtual monitors made against a specific device.

    MTeams
    I have solved it.
    Was total my fault all the timeXD
    when to chose card to use i wrote wlan0, wlan1 etc,,,,not 1 or 2.
    so when i got it to work for some test i must have type 1 and 2 and later again start to write wlan0,wlan1
    Sorry for any trouble i have make youXD and thanks for the try to help.

  39. #39
    Join Date
    2015-Aug
    Posts
    3
    well, wat to do for this make: *** No rule to make target 'osdep/libosdep.a', needed by 'mdk3'. Stop.

  40. #40
    Join Date
    2015-Aug
    Posts
    3
    solved!

  41. #41
    Join Date
    2014-Oct
    Posts
    14
    I am using Kali 2.0 and getting an error when using this script.

    After choosing the wireless monitor interface I get the following text in the window:


    Running wash scan target for target AP selection.
    /root/VMR-MDK011x8.sh: line 4994: Eterm: command not found
    /root/VMR-MDK011x8.sh: line 4994: Eterm: command not found

  42. #42
    Join Date
    2013-Jul
    Posts
    820
    To Scolder
    VMR-MDK was written before kali2 was published and will not run in kali2.0. MTeams has a Kali2 version ready for release. The program is running fine during tests. Give us a day or two to correct the help files and we will publish the download link in these forums.

    MTeams

  43. #43
    Join Date
    2015-Sep
    Posts
    9
    Last edited by Nadav_Cohen; 2015-09-09 at 17:42.

  44. #44
    Join Date
    2015-Sep
    Posts
    1
    Hi muskets,
    Instill dont understan some stuff, but Ive successfully restarted router with mdk attack. Problem comes after first cyrcle (wiating for to restart: 00:00)... it dropes me to line: basename: extra operand "Kali" Ive tried to start program manually again, because help file says that it can continue after stop. Also pin count jumps to 10000 right in the beginning. Any advice is greatly appreciated!

  45. #45
    Join Date
    2013-Jul
    Posts
    820
    If you used the default settings then the pin 12345670 would be checked at start as a specific pin. After the first run of 120 sec the program would start the brute force session and the pin count for a specific pin here 12345670 of 1000 would jump up to the brute force count. The program runs two different sessions and rechecks pin 12345670 every X times as the mdk3 DDOS can reset the WPS in the firmware to 12345670 anytime.
    As to your warning you may have entered an incorrect number of cycles during setup. We have never seen this. Insure you put a numeric number like 1000 when asked how many program cycles.
    You can stop and restart the program any time. The pin count for the brute force 11,000 pin session is restored by reaver for that attack. The specific pin check of 12345670 would always be 1000. Once the brute force session begins to work thru the pins you will see the brute force pin count slowly decrease.

    We will try and induce this warning but again we have never seen it. If you identify the problem let us know and we will code in some error handling routines to prevent it.


    MTeams
    Last edited by mmusket33; 2015-09-30 at 22:51.

  46. #46
    Join Date
    2015-Oct
    Posts
    8
    Hey MTeam,
    Thankyou for all the awesome work.
    I got the mdk3-v6 script, got everything to run on kali2.0
    so im unable to set virtual monitor modes due to the limitations.. And I understand due to the new airmon-ng

    Im trying to reset/mdk my cisco linksys e900 router v1 FW 1.00.00.01, which locks up for 60 seconds after every 5 successful incorrect pins, then for 15 seconds for the next incorrect pin - and this cycle continues.. (Yes I know its weird, but Its happening)
    So How do I use the MDk3 script to run along with reaver ?
    Im eager to try this - but presently mdk3 is completely broken..

    -Also, Is it possible for the PKR value(s) - of the same router to change ?
    My e900 - happened to have a PKR value the first time I used reaver against it.. Was something else the next time, and now its 00:00:00:00:00......:00:00:00:02 (yes all zeroes and two).
    I noticed this As I tried inputting the values manually in PixyWps

    Kind Regards


    ===========

    Edit:
    Tried this on d-link router - rtl 8xxx chipset [2.4 + 5ghz mimo] - wps locked
    mdk3 wlan0mon a -n xx:xx:xx:xx:xx:xx (in one term initially, then 2 terms, then 3 terms) for an hr

    2-3 times 19.5k clients connected - NO Effect
    the term window did mention Ap seems to have frozen, Ap back up again..
    But on checking via another machine - Airodump and browsing in general.. no effect

    Same for linksys e2500 and linksys e900 - no effect
    (have physical access to all 3 AP's, all wps locked)

    Also - The TKIP -m mode has no effect whatsoever.

    Point me in the right direction if Im doing something wrong

    thx

  47. #47
    Join Date
    2013-Jul
    Posts
    820
    Any questions concerning Pixiedust(PD) should be directed here. The source for ALL questions concerning this tool should be directed to soxrok. We prefer to not comment on PD as soxok2212 is the authority here.

    https://forums.kali.org/showthread.p...st-attack-tool

    We suspect you are using the older version of VMR-MDK with kali-linux2.0 it will not work. We have released a VMR-MDK-K2 specifically for kali2.0

    Note VMR-MDK has its own airmon-ng version embedded in the script as the newer airmon-ng doesnot support multiple monitors.

    VMR-MDK is not attempting to actually reset the router. Read the help files carefully

    With the Cisco router if it locks up and then unlocks shortly thereafter. Then just use in the command line --lock-delay and set it to restart after the expected unlock. If not using Pixiedust and trying to brute force all 11,000 pins try -S in the command line and add the --session=Filename. This will keep these different attack types separated with reference to reaver keeping pin counts.

    If you are using the K2 version please restate your questions again. However we are running this tool constantly with no bugs on six(6) different 386i computers from lap tops to desktops

    MTeams

  48. #48
    Join Date
    2015-Oct
    Posts
    8
    Hi,
    My posts in this forum show up 24hrs later, or maybe it was a registration/verification thing.
    Thats the reason for the same question @ airmon thread. Im new to AP security & stuff.


    Anyhow,
    Im using the one for Kali 2.0 since i upgraded.

    but the AP shows no effect.
    And i know this, as I did try the 3 terminal approach, following some tutorial from repzerworld on yutube. which seemed effective on both my Cisco linksys AP's

    However, that isnt possible with kali 2.0 & MDR-K6 isnt affecting Linksys AP's. also My dlink AP Firmware V -ET-1.02 | HW V - a1 | Model-DIR803

    However, FW -1.0 for the same Ap is vulnerable to reaver.

    Musket Teams have voted to release the following WPS Locked Intrusion Script for General Use:

    Included in the VMR-MDK-K2.zip package

    1. mdk3-v6 folder
    2. configfiledetailed for reference only
    3. Help Files VMR-MDK-K2-011x8.txt
    4. PDDSA-K2-06.sh
    5. VMR-MDK-K2-11x8.sh

    For the Kali2.0 Version

    You can download at:

    http://www.datafilehost.com/d/3c81deb0


    You can still download the kali1.10a version at:

    http://www.datafilehost.com/d/b7e4b1d9


    Musket Teams(STO)
    However, Ill will go through the help files provided and try once again.
    Cheers!

  49. #49
    Join Date
    2015-Oct
    Posts
    8
    Hey MTeams..
    until now, i was running mdk3 wlan0 a/g -t xx:xx:xx:xx:xx.. and for some reason mdk3 I feel is broken.. as its no longer affecting any AP. Ive tried 8-9 APs

    I finally got the script to work.. until now, ive been following the instructions.. and for some reason simply typing
    /root VMR-MDK-V6
    wont work..
    So dragging and dropping in terminal finally ran the script. it starts with instructing to turnoff the monitor mode..
    wash & airodump running..

    So I selected stage 14 of mdk3, and 10 cycles to test, So for every cycle it will make a new monitor mode (wlan0, wlan0mon, wlan0mon1, etc) and then will loop and kill the previous one it made.

    Same for macchanger.. changes mac addr every cycle.. (its arright with me.. but I suppose its not required every cycle)

    - So im trying this against my own AP(s) Dlink 803 for now.. and the WPS is natively locked.. however I suppose reaver is running with ignore Lockouts thats why its proceeding with brut force..
    But fails miserably, as it shows 0x04 error on M2 message, then waits for 15 seconds.. lockout. Im not sure where this 15 seconds lockout is coming from.. Ive not selected any delay from the menu.

    -Also what i dont understand, is how & why is reaver running with Aireplay and airodump simultaneously. As when I do it myself, it causes reaver to slow down & get stuck at m2/m4 msg / wsc_nack msg..

    But the biggest Issue.. is
    In this script and in general now.. MDK3 seems to be in-effective/broken post the installation of mdk3-v6 (I can very well be wrong) as its now ineffective against almost all the Ap's ive tested.
    And all tests.. a/b/g fail ( dont give the desired result/effect, not even remotely close)

    Other than this, the script is great. nice automated process to deploy and sit back.
    Thank you.

  50. #50
    Join Date
    2013-Jul
    Posts
    820
    To rho

    This attack does not work against all routers.

    To see if attack 14 is working runup airodump-ng on the same channel when the mdk3 process is running and watch the fireworks on the screen. the ESSID Probes go wild

    Try DDOS type 3 or 4 for 15 secs against D-link and see if you can harvest some pins from the router when it is locked

    If these is no response then this attack will not work against the router.

    MTeams

Similar Threads

  1. Force an AP to reboot
    By soxrok2212 in forum Project Archive
    Replies: 40
    Last Post: 2015-09-07, 05:33
  2. Force format Micro SD?
    By Jayden_Blade in forum General Archive
    Replies: 4
    Last Post: 2014-11-14, 07:35
  3. Brute Force vs. Dictionary
    By Kalinoob in forum General Archive
    Replies: 6
    Last Post: 2014-01-05, 15:45

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •