
Thread: Varmacscan2-0 an automatic multi-target reaver attack tool released

  1. #1
    Join Date
    2013-Jul
    Posts
    818

    Varmacscan2-0 an automatic multi-target reaver attack tool released

    Varmacscan supporting Kali 1.10a, 2 and Kali 2016.1 R is released for community use.

    Program supports options to not kill Network-Manager Functions on other devices when running varmacscan.

    Several text output bugs when a WPA key was found were corrected.

    Differences between the three(3) different Operating Systems were incorporated into one package.

    Version 3-3 updated from 3-1

    Routines when attacking specific routers models have been rewritten.

    You can download here thru kali or at

    https://github.com/musket33/varmacscan


    http://www.datafilehost.com/d/5ea4b8f4


    The following script was originally designed to be used against a specific model of router which locked its WPS system after 10 pin requests. These routers were also NOT susceptible to any of the DDOS attacks available thru VMR-MDK series nor were they vulnerable to pixiedust. A few were cracked when the WPS pin reset to 12345670 and the WPS system was open. But in general reaver was not the tool of choice. To crack these routers the only methods remaining were either brute forcing a WPA handshake or social engineering approaches like WPA Phishing.

    MTeams areas of operation are surrounded by this model of router. In short our areas are rich in these targets. After studying the WPA locking and unlocking a different approach was conceived. If a program could constantly search the area of reception and automatically attack any routers which had unlocked, then a small number of WPS pins could slowly be collected from a large number of routers and in time, the WPA key could be extracted.

    This program was not originally considered for a MTeams release until a surprising side effect occurred. The program began cracking other models that either were resistant to previous reaver attacks or routers that we did not even know existed. This success is not because of any special reaver command line. It is simply that the program is constantly searching and then attacking all WPS enabled routers found for short periods of time automatically gathering data and moving to the next target endlessly.

    Varmacscan2-0 is a totally automatic fire and forget script. Once running, the script will search for any WPS enabled networks within reception range and then attack each in turn. Both search and attack times are set by the user. No specific targets are selected. After each router is subjected to reaver, any data acquired is searched for a viable pixiedust data sequence. If a sequence is found and the WPS pin extracted, it is loaded into reaver, which reattacks the router using the pin number in the reaver command line. During both search and attack modes, aircrack-ng is run in the background collecting ESSIDPROBES. If a WPA key is obtained the program will skip the target in future attacks. Once all networks seen have been attacked the program rescans for targets and then attacks all seen again. This process will continue for as long as the user requires; no user input is needed.

    When you have exhausted attacks against stationary unlocked WPS enabled networks thru the command line, and/or tested VMR-MDK against all WPS locked routers, run this program up and go to bed and see what tomorrow brings.

    Happy Hunting

    Musket Teams
    Last edited by mmusket33; 2016-03-10 at 07:35. Reason: Version Update from 3-1 to 3-3

  2. #2
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    Thanks for your R&D and sharing with the rest of us!

    Does this replace that https://forums.kali.org/showthread.p...sh-for-Kali2-0 or am I confused again?
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  3. #3
    Join Date
    2013-Jul
    Location
    United States
    Posts
    519
    GitHub GitHub GitHub!

  4. #4
    Join Date
    2013-Jul
    Posts
    818
    To Quest

    This script does not employ DDOS processes like VMR-MDK. And is not specifically designed to break thru WPS locking. No targets are loaded the program seeks them automatically and collects pins if possible.

    MTeams

  5. #5
    Join Date
    2015-May
    Posts
    18
    Works for me. Started it before bed and got 5 different correct pins when I woke up. I already knew those were working with pixie, but anyway, BUT!! Got no WPA key in any of them. It was just empty on the line after WPA in the txt file.



    Edit: Maybe it has something to do with my new laptop.
    Installed Kali yesterday.
    Got a warning that my disk space was low and saw that the program complained about that.
    Have only a 24GB SSD in that laptop and the swap file takes 13GB of that; how much swap is recommended for Kali?
    Last edited by squash; 2015-11-27 at 15:34.

  6. #6
    Join Date
    2015-Nov
    Posts
    45
    Seems to work here too, but with the same no-WPA-key problem reported by squash.

    VARMAC_WPSWPA
    Code:
    WPS Pin: = '12345670'
    WPA Key: = 
    AP SSID: = 
     
       Note WPA Key is found between the two(2) tick symbols

  7. #7
    Join Date
    2013-Jul
    Posts
    818
    To brunoaduarte squash

    Thanks for the test.

    We ran the program against known routers and it gave us the key. Go into the log file in VARMAC_LOGS and see if the key is listed. As you have the pin run it from the command line and see if it gives you the key.

    We are interested in the text output found in the reaver log file in VARMAC_LOGS. It is possible your OS or version gives a different output. We use awk to extract the data from the log or reaver output and dump it on the screen. If we know what your output is we will code it in for you.

    Look back here in 24 hours; we have version 2-2 which gives you more control over the ESSIDPROBE module, but we will delay release and run some tests and see if we can induce this error.

    MTeams
    Last edited by mmusket33; 2015-11-28 at 13:01.

  8. #8
    Join Date
    2015-Oct
    Location
    Chicago IL
    Posts
    1
    newbie here, be kind:
    Only data collected in essidprobesdic.txt & essidprobes8dic.txt.
    Clean data patterns never seen before forming. Can this data be reused each session or clean start each time?
    Using Kali2.0 live usb.
    Is "Found packet with bad FCS, skipping...". slowing down process?

  9. #9
    Join Date
    2015-Nov
    Posts
    45
    Hi mmusket33,

    I'm running my tests on Kali v2.0 Live USB with Persistence (BCM4311 wifi chipset).

    Here are the contents from both VARMAC_LOGS and VARMAC_WPSWPA folders:

    http://pastebin.com/FTBQCRm2
    (Couldn't paste text here cause it gives me some weird cloud proxy errors)

    Thanks

  10. #10
    Join Date
    2015-Apr
    Posts
    29
    @mmusket33

    1.
    Nice Script !

    2.
    Can you give the script an option to do the association with aireplay-ng instead of reaver?
    The association with aireplay-ng often works better than using reaver.

    In reaver there is the flag -A for this.

    3.
    Then there's the problem with hidden SSIDs.
    Current SSID (null)
    These should be automatically excluded, as they otherwise cost unnecessary time.
    Last edited by Laserman75; 2015-11-30 at 00:28.

  11. #11
    Join Date
    2013-Jul
    Posts
    818
    To brunoaduarte

    Thanks again for your input

    MTeams has been running tests on version 2-4 with three(3) computers running both kali 2.0 and 1.10a in both harddrive and persistent usb installs. In only one(1) case did reaver not get the WPA key. We think the problem is with output from tee.

    We are considering dumping xterm and trying Eterm as it is now available thru kali.

    To Laserman75

    MTeams has never tried association thru aireplay-ng. What a nice idea. As you have reported it works better we will give it a try and add for you a module allowing an association choice in the dropdown menus. However we do run aireplay-ng -1 a lot with VMR-MDK without the -A in the reaver command line because there is no way to keep aireplay-ng functioning if it does not get a response, which would in turn kill reaver function. Please comment on this point.

    We are aware of the hidden ssid matter as this option was coded into VMR-MDK at users request. However varmacscan is really just a scanner - and uses the bssid not the essid so if wash then gives the name as (null) the program would use that as the essid. We cannot test this as we have no hidden essid targets. If you have such please test this.


    MTeams
    Last edited by mmusket33; 2015-11-30 at 09:09.

  12. #12
    Join Date
    2015-Nov
    Posts
    45
    Ok mmusket33, it seems to happen more often here; I've got 6 pins and no WPA.

    I thought the problem would be the same as reported in this link: https://code.google.com/p/reaver-wps/issues/detail?id=203 (Issue 203: Reaver finds PIN but not passphrase)

    So I tried to use "bully" to crack the WPA and it worked!

    "bully -b XX:XX:XX:XX:XX:XX -c 3 -B -v 2 -p 20863463"

    Maybe another solution, would be to auto run bully instead of reaver at line 695, after wps pin is found...

    Code:
    xterm -g 80x15-1+100 -T "reaver pin= $WPSPIN" -e "reaver -i $monitor -a -f -c $channel -b $bssid -r 2:15 -L -E -vvv -N -T 1 -t 20 -d 0 -x 30 --pin=$WPSPIN --mac=$VARMAC --session tmp/$bssid  2>&1 | tee VARMAC_LOGS/$bssid-$ssid-$DATEFILE-$PAD" &
    BTW: There's a small bug at line 708 of "varmacscan2-0.sh"

    Code:
    [+] echo -e " Standby while all ESSID Probe Data from airodump-ng is processed...."
    should be

    Code:
    echo -e "[+] Standby while all ESSID Probe Data from airodump-ng is processed...."
    Last edited by brunoaduarte; 2015-11-30 at 17:24.

  13. #13
    Join Date
    2013-Jul
    Posts
    818
    To: brunoaduarte

    MTeams has tried to duplicate and only found one instance where reaver did not write the WPA key to the log file. Again we think tee is terminating the process before reaver can write the file.

    We are just coding in the -A request by Laserman75 as we speak.

    MTeam

  14. #14
    Join Date
    2015-Nov
    Posts
    45
    mmusket33,

    As I now have the WPS pin code, I manually loaded reaver (same line that is executed by varmacscan):

    Code:
    reaver -i wlan0mon -a -f -c 10 -b XX:XX:XX:XX:XX:XX -r 2:15 -L -E -vvv -N -T 1 -t 20 -d 0 -x 30 --pin=59133049
    Here's reaver output:

    http://pastebin.com/a7qJzV8t

    As you can see, no WPA key is found, so the problem really seems to be with "reaver", and not with "tee".

    FYI: varmacscan found this exact same pin 3 times, so i don't believe it's a wrong pin problem.

  15. #15
    Join Date
    2013-Jul
    Posts
    818
    To brunoaduarte

    Thanks for your independent analysis. We will release version 2.6 within 24 hours as the program has been running on three computers both kali1.1 and 2.0. We switched to Eterm but could not get it to run under kali2.0 so we restored xterm. Furthermore Laserman75's idea of using aireplay-ng and -A with reaver seems to work as it cracked one network that had never even responded to a reaver pin request in over a year.

    Again Thanks

    MTeams

  16. #16
    Join Date
    2015-Aug
    Posts
    5
    Which network did Laserman get it to work on?
    Which router model?
    Please specify it

  17. #17
    Join Date
    2015-Nov
    Posts
    45
    Nice mmusket33,

    Hoping to see the new version of your script... also i'll try to use aireplay-ng auth here and see if i can crack the wpa passphrase.

    Btw, could you remove those confirmation (for every action there's a confirmation) texts from varmacscan2-0.sh ?

    Other features that would be cool to have:
    - Ignore low signal APs
    - Attack by signal level (start with stronger signal AP)
    Last edited by brunoaduarte; 2015-12-03 at 04:39.

  18. #18
    Join Date
    2015-Apr
    Posts
    29
    Quote Originally Posted by brunoaduarte View Post
    Nice mmusket33,

    Hoping to see the new version of your script... also i'll try to use aireplay-ng auth here and see if i can crack the wpa passphrase.
    No, aireplay-ng auth is only there so that the association is not carried out by reaver, because this fails for some routers.
    This has nothing to do with the WPA passphrase.

    @mmusket33
    I hope that soon the new version available for testing

  19. #19
    Join Date
    2015-Nov
    Posts
    45
    Quote Originally Posted by Laserman75 View Post
    No, aireplay-ng auth is only there so that the association is not carried out by reaver, because this fails for some routers.
    This has nothing to do with the WPA passphrase.
    Yeah Laserman75, I know aireplay-ng will not crack the WPA pass. What I meant is that I was going to try aireplay-ng to make the auth/association process for reaver (reaver -A flag), because I was having some problems cracking the WPA pass after the pin code was found (reaver only found the WPS pin, and no WPA pass) as you can see in my last log...

    Anyway, your idea worked ! Not with reaver, but with "bully"...

    I started aireplay-ng auth/association and started bully with fixed pincode, wpa passphrase was recovered in seconds.

    Thanks !
    Last edited by brunoaduarte; 2015-12-03 at 04:28.

  20. #20
    Join Date
    2015-Apr
    Posts
    29
    @brunoaduarte
    No need to thank me, you're welcome.
    Nice to hear that it works for you.

  21. #21
    Join Date
    2013-Jul
    Posts
    818
    To brunoaduarte

    We think in some cases (ie not all) the WPA key was not obtained because the mac spoofing routines for kali2.0 were bugged. There are two different routines. If you spoof the mac address in reaver and then do not add the --mac= into the command line reaver many times only gets the Pin.

    Reference weak signals

    The reaver command line used was developed by the author of auto-reaver. He/she had cracked WPA keys at extreme range using this command line. MTeams duplicated these findings and uses it in other programs and it works well when trying to crack WPS locked routers with VMR-MDK.

    We have released version 2.8. The download addresses are found at the beginning of this thread.

    Keep in mind that if you have fixed targets that respond to reaver we suggest you use the command line. When you run out of targets run up this scanner and go to bed and see what info varmacscan2-8 can obtain automatically.

    MTeams

  22. #22
    Join Date
    2015-Nov
    Posts
    45
    Awesome mmusket33, thanks ! I'm testing it...

    There are 2 cases where I got the WPS PIN (no WPA as usual), but later when I try to attack it again (to get the WPA pass with bully), its WPS is DISABLED (not locked). Is this a security measure from the router? Why did it allow me to crack the pin and then disable it? It makes no sense... as when the pin is found the attack is stopped.

    Any ideas ?
    Last edited by brunoaduarte; 2015-12-04 at 19:37.

  23. #23
    Join Date
    2013-Jul
    Posts
    818
    To brunoaduarte

    We have run four(4) computers: kali 1.1a Hard Drive(HD) install, Kali 2.0 HD install, kali 1.10a persistent usb, kali 2.0 persistent usb. We ran them at the same available targets. In only one(1) case did we not get the WPA key, and in that case we removed the mac file from the VARMAC_WHITELST folder and the program automatically reattacked the network and on the second try got the WPA key. Just remember the complete set of data, if obtained, is found in the VARMAC_WPSWPA folder, NOT the VARMAC_WHITELST folder.

    Concerning the two(2) cases you comment on above - How did you determine that the WPS system was disabled?

    MTeams

    In closing we tried to use Eterm but were unable to get it to function in kali2.0.

  24. #24
    Join Date
    2015-Nov
    Posts
    45
    Yeah yeah, i always look at the VARMAC_WPSWPA folder, no files are created in VARMAC_WHITELST here, cause i've never got the WPA pass from reaver (i guess the bssid is only white listed when wpa is found)...

    I determined the WPS system was disabled after the process because there's a file "PIN_FOUND-63576764-victim_essid-XX:XX:XX:XX:XX:XX" in VARMAC_WPSWPA folder
    but "airodump-ng --wps" shows nothing in the WPS field, and the device does not appear in wash scan.

    Code:
    root@kali:~/VARMAC_WHITELST# ls -n
    total 0
    Code:
    root@kali:~/VARMAC_WPSWPA# ls -n
    total 1
    -rw-r--r-- 1 0 0 50 Dec  4 03:26 PIN_FOUND-63576764-victim_essid-XX:XX:XX:XX:XX:XX
    Code:
     BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH WPS       ESSID
     XX:XX:XX:XX:XX:XX  -63        5        0    0   6  54e  WPA2 CCMP   PSK            victim_essid
    As this WPA not being cracked with reaver only occurs here, maybe it's an issue with my wlan adapters:

    WLAN0: Broadcom Corporation BCM4311 802.11b/g WLAN (rev 01)
    WLAN1: Ralink Technology, Corp. MT7601U Wireless Adapter

    Anyway, i'm happy with bully, it does the job.
    Last edited by brunoaduarte; 2015-12-05 at 14:23.

  25. #25
    Join Date
    2013-Jul
    Posts
    818
    To brunoaduarte,

    We have seen routers which first show the WPS system is on but after one pin is received the WPS functionality disappears. We will give bully a try again; we never had much luck with it in the past. We will load reaver first and then do the same attack with bully and see what occurs using the varmacscan program. We will advise.

    Thanks for the idea

    Could you post the bully command line you prefer to use?

    MTeams
    Last edited by mmusket33; 2015-12-06 at 02:48.

  26. #26
    Join Date
    2015-Nov
    Posts
    45
    Quote Originally Posted by mmusket33 View Post
    Could you post the bully command line you prefer to use?
    Sure,

    Code:
    bully -b XX:XX:XX:XX:XX:XX -c 3 -v 3 -B -p 20863463 wlan0mon
    BTW, could you consider removing the confirmation (Y/n) dialogs from next version of released scripts ? Or maybe a menu option to disable it ?
    First thing i do after downloading MTeams scripts is commenting code like:

    Code:
    echo -e "$inp  You entered$yel $ERAS$info type$yel (y/Y)$inp to confirm or$yel (n/N)$inp to try again$txtrst"
    read ERASTEST
    to be like

    Code:
    #echo -e "$inp  You entered$yel $ERAS$info type$yel (y/Y)$inp to confirm or$yel (n/N)$inp to try again$txtrst"
    #read ERASTEST
    ERASTEST=Y
    Cause there are so many options, and confirming each one is very time consuming.

    Thanks !

  27. #27
    Join Date
    2013-Jul
    Posts
    818
    To brunoaduarte

    Thanks for the command line example

    We have been running bully test alongside reaver we will let you know our results.

    Reference the input confirmations - we will consider alternatives.

    MTeams

  28. #28
    Join Date
    2015-Nov
    Posts
    45
    Ok thanks mmusket33 !

    FYI: About the WPS pin being disabled, seems it's just some firmware's protection style.
    Some only lock WPS, others lock and then after some time disable it. Others just disable it.
    And in all that options there are cases which WPS is unlocked/reenabled automatically.
    So there's not really a pattern for that.

  29. #29
    Join Date
    2013-Jul
    Posts
    818
    To brunoaduarte

    MTeams are seeing a group of routers which have a WPS system which is open but simply do not respond to pin requests. Some of these networks have withstood any pin request for many months until we turned on varmacscan2-8 for tests. The next morning we would look in the WPSWPA folder and there the WPA key would be. The key was always 12345670. When we referred to the log files we found that on one of the many many short requests for pins before moving on to another target thru the automatic functions of the script, the network just gave up its WPA Key and WPS Pin.

    We tried to duplicate this by actively attacking the network directly thru the command line with no effect.

    So as MTeams has noted elsewhere, when you have finished any active attacks thru the command line just run up varmacscan and go to bed you may get a key by the next day.

    A handshake collector module is being placed in the script as airodump-ng is run passively in the background and occasionally a handshake is collected.

    MTeams
    Last edited by mmusket33; 2015-12-09 at 23:56.

  30. #30
    Join Date
    2014-Oct
    Posts
    14
    Your script works great. I edited the script because I get fcs skipping and adding -C resolved that issue.


    Superb.

  31. #31
    Join Date
    2013-Jul
    Posts
    818
    To Scolder,

    MTeams will probably tweak the ESSIDPROBE Modules and when we do we will take care of the -C matters.

    We are seeing a marked increase in the amount of WPA keys in clear text since collection thru these ESSID Probe modules was embedded in our scripts. We are not sure why this is. Our current view is it is coming from Android/iPad phones.

    Again Thanx for your input.

    MTeams

  32. #32
    Join Date
    2013-Jul
    Posts
    818
    Varmacscan supporting Kali 1.10a, 2 and Kali 2016.1 R is released for community use

    See details at the beginning of this thread.


    Musket Teams

  33. #33
    Join Date
    2013-Jul
    Posts
    818
    Varmacscan supporting Kali 1.10a, 2 and Kali 2016.1 R is released for community use

    Version 3-1 has been updated to version 3-3

    Coding when attacking specific router models and the white listing of routers by mac address has been rewritten.

    MTeams

  34. #34
    Join Date
    2016-Feb
    Posts
    1
    Outstanding work mmusket33, runs beautifully. Is it possible to run this with multiple wifi Adapters on the same machine to speed up the process? 20+ networks in range

    Thanks for all your hard work!

  35. #35
    Join Date
    2013-Jul
    Posts
    818
    To catfig

    If MTeams understands your idea you want to have two or more wifi devices all seeking targets thru a robotic process like varmacscan. The idea will be looked into.
    For your info users have encouraged the use of Bully instead of reaver.
    We ran many many tests with Bully along with Reaver and Bully never even got the first WPS pin and ran so poorly that we gave up on incorporating that program into varmacscan. In our areas of operation Bully does not work at all. Hence we are limited by the type of equipment we have to both test and operate with.

    MTeams
    Last edited by mmusket33; 2016-02-14 at 02:42.

  36. #36
    Join Date
    2014-Oct
    Posts
    7
    Hi there,

    First of all thanks for this very nice work. I'm starting to test this script on my laptop. Today I tried to run it on my new Raspberry Pi 2 with Kali and it gets lots of errors. What should I do to be able to run it? I think there are some tools that are not installed. Thanks in advance!!

  37. #37
    Join Date
    2013-Jul
    Posts
    818
    To Jimbas

    Any MTeams releases are written and tested for the Operating Systems listed in this case Kali 1.1a, kali 2.0 and kali 2016.1R using kali i386. All were tested on the slowest computer we have running a persistent usb install of kali i386 and 5 meter long usb extensions to the wifi device.

    MTeams cannot write or test for Raspberry Pi 2. To our knowledge this uses ARM, of which we have no operational experience.

    Maybe someone in these forums can help you.

    MTeams

  38. #38
    Join Date
    2016-Jan
    Posts
    99
    Quote Originally Posted by mmusket33 View Post
    and 5 meter long usb extensions to the wifi device.

    MTeams

    which one are you using?

  39. #39
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    What do you mean? It's a 5 meters long USB extension, one end male the other female, from the computer to the WiFi dongle, to allow for best positioning of the WiFi device to receive the strongest signal(s).

    https://ixquick-proxy.com/do/spg/sho...b61cd40cf72386

    Edit: oh you meant which device. That makes more sense

  40. #40
    Join Date
    2013-Jul
    Posts
    818
    Best reception is to have the wifi device outside a building with the antenna attached directly to the device, i.e. no SMA cable.

    MTeams wrap the wifi device in layers of plastic with the antenna outside the plastic layers. We have run AWUS036H devices wrapped in plastic in direct sunlight with OAT at 48 degrees and 100 percent humidity in the afternoon for years and never had any problem.

    If you dig thru the literature you will find that usb extension cable longer than 5 meters is not reliable. In tests this has held true.

    Use any basic usb cable. Do not buy usb extension cable that has an egg shaped container near one end with circuits inside as they do not work. Simple usb cable works best.

    You can boost electric power down the line by a usb splitter plugged into a y cable. Do not run the signal thru the splitter.

    MTeams tests with long cable as some routines like mac changing have to be slowed with sleep commands or the processes do not work consistently. Same with persistent usb devices. We gave up on luks encryption for this very reason.

    MTeams
    Last edited by mmusket33; 2016-02-15 at 12:39.

  41. #41
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    you should try with a white PVC pipe, capped on both ends, with a hole on the bottom cap to allow the USB cable to get in. Easy and slick

    Edit: something like this..

    http://www.yatesbanjos.com/neck_tube.jpg
    Last edited by Quest; 2016-02-15 at 12:47.

  42. #42
    Join Date
    2016-Jan
    Posts
    99
    I have this: http://www.amazon.it/WIFISKY-ANTENNA.../dp/B00DHJWP22 and I can tell for sure that if I put it near the window, it can reach an AP 200-300 m away with no problems, no matter how many trees or buildings are between us. Not so good maybe in the city. I have a more stable signal from outside than from my neighbour one floor up. And no need for plastic layers since it's waterproof. I will try another one, same model more or less, with a 5 m cable to see if it's true that they are better due to the cable length. This one though has two USB plugs, one for signal and one for power. Maybe we can open a thread in which everyone can share their experience with different antennas; this way one can choose between products which are best in different situations.

  43. #43
    Join Date
    2013-Jul
    Posts
    818
    MTeams has been sent this link concerning varmacscan in github

    This was not posted by MTeams. We think it supports other Operating Systems but are unsure.

    https://github.com/L33T-H4X0R-D00D/Varmascan-reaver

  44. #44
    Join Date
    2014-Nov
    Posts
    14
    I still cannot understand why you don't include the -C switch for wash. Once I've found the line in the script file and included it I have no problems. Why not just include it in the beginning?

  45. #45
    Join Date
    2016-Apr
    Posts
    5
    Pippin, everyone's hardware/software is slightly different. What works for you may not work for others.

    Gonna try this script tonight. Tried command line attacks on wps and wpa handshakes, then tried vmr-mdk, and this is the newest tool i will attempt to use.

    P.s. I'm fairly new at this, so apologies in advance for noob questions, but I try my best! Will let you know how it goes.

    EDIT: Can confirm it worked for a single AP over approximately 12 hours, after attacking around 10. It's also one of the only APs I've managed to crack using the command line (the other 2 were unavailable/out of range).
    I didn't even use my best equipment; it was using the built-in wifi card on a low-end consumer laptop and Kali live USB 2016.

    Conclusion: Good stuff, although it didn't grab any previously unattainable pins so far. Will try with better equipment and update.
    Last edited by Volat; 2016-04-29 at 12:41. Reason: Updated progress feedback

  46. #46
    Join Date
    2013-Jul
    Posts
    818
    To Pippin


    varmacscan-K1-2-2016-3-3.sh available for download has the -C entry in all wash scans


    See line 2167

    See line 2279

    If you are using this version and having problems please advise and MTeams will try and correct the problem if we can duplicate it

    Mteams

  47. #47
    Join Date
    2016-Jun
    Posts
    12
    mmusket33, thanks for your work and sharing

    I'm currently trying this script with all the default options, it's going through it's first cycle...
    Want to share my experience and report some problems. I'm using Kali 16.1 Light with an Alfa NHA card.
    First, I had to use the check kill option, otherwise the script wouldn't work for me. Also here's the output with the latest airmon-ng when the script offers card selection:
    Code:
    Your kernel supports rfkill but you don't have rfkill installed.
    To ensure devices are unblocked you must install rfkill.
    
    PHY    Interface    Driver        Chipset
    
    phy0    wlan0        ??????        VIA Technologies, Inc. VIA VNT-6656 [WiFi 802.11b/g USB Dongle]
    phy1    wlan1        ath9k_htc    Atheros Communications, Inc. AR9271 802.11n
    
    
     Devices found by airmon-ng.
     
           1: kernel
           2: ensure
           3: wlan0
           4: wlan1
    
         Enter the line number of the wireless device (i.e. wlan0, wlan1 etc)
      to be used.
    (VIA is a built in adapter, supports monitor mode, but can't do packet injection)
    Another problem is for every AP I see "Spoofing with random mac address" but "Current device Mac" shown is always the same and it's the card's original mac
    Also aireplay always prints "No source MAC (-h) specified. Using the device MAC" and this also seems inconsistent with "Spoofing with random mac address" message of the script.

  48. #48
    Join Date
    2016-Jun
    Posts
    12
    the script found 2 pins out of around 30 wps networks, but no WPA keys for them

    and I figured out why mac spoofing didn't work for me: I didn't have macchanger installed (Kali Light)

  49. #49
    Join Date
    2013-Jul
    Posts
    818
    To Major Tom

    First MTeams tests these scripts in kali-linux i386 for Hard Drive and persistent usb install. We do not test with luks and never use light.

    The reason no WPA key was found is probably a direct result of the mac spoofing failure. To spoof a mac and use reaver you must first spoof the mac with macchanger and then ADD the spoofed mac to the reaver command line thru --mac= . If the spoofed mac does not equal what is found in the command line then only the WPS Pin may be found.

    MTeams suggests you attack your targets first thru the command line. Then turn on varmacscan and go to bed. If you extract pins but no WPA keys you can focus the attack the next day by adding --pin= to your commandline.

    We probably will release an updated handshakeharvest which can collect handshakes robotically. The newer version supports deauthing individual clients seen associated which greatly increases handshake collection. You just turn it on and walk away. We are testing in kali 1 2 and 2016.


    Musket Teams
    Last edited by mmusket33; 2016-06-07 at 13:13.

  50. #50
    Join Date
    2016-Jun
    Posts
    12
    mmusket33

    Thanks, I know I can pass a pin to reaver or bully, though haven't tried yet.

    After installing macchanger I ran the script for another day (with working spoofing) and it found one more pin, but no WPA key again. End of reaver log looks like
    Code:
    [+] Pin cracked in 38 seconds
    [+] WPS PIN: '12345670'
    [+] Nothing done, nothing to save.
    As you can see it's the very first pin reaver tries, but it took 5 script cycles (with hours between them) for reaver to retrieve it. The previous 4 times the AP just wouldn't go past M1. So I think I witnessed the phenomenon which you mentioned when the AP doesn't respond to attacks but then all of a sudden gives out a pin. The AP signal is very weak though and often disappears.

    Yeah, I think auto collection of handshakes would be a nice feature, I was going to ask about it
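The "pin found but no WPA key" outcome that runs through this thread (post #7 says the script pulls the pin and key out of the reaver log with awk; post #50 shows the tail of such a log) can be checked mechanically. The POSIX shell snippet below is an added example, not code from varmacscan or from MTeams. It assumes reaver 1.4-style output lines of the form `[+] WPS PIN: '...'` and `[+] WPA PSK: '...'` (the `WPA PSK` label is an assumption about reaver's output; varmacscan's own summary file uses `WPA Key:`), and the three sample logs are constructed for the demonstration, not real captures.

```shell
#!/bin/sh
# Added example (not part of varmacscan): classify the tail of a reaver log as
# "key" (PIN and PSK both present), "pin-only" (the failure mode discussed in
# this thread) or "none". Assumes reaver 1.4-style lines such as:
#   [+] WPS PIN: '12345670'
#   [+] WPA PSK: 'secret'
#   [+] Nothing done, nothing to save.
# The "WPA PSK" label is an assumption about reaver's output format.

# reaver_field FILE LABEL
# Prints the value between the first tick after "[+] LABEL: " and the last
# character of the line, so a key that itself contains a tick survives
# (the thread's note says the key sits "between the two tick symbols").
# The last matching line wins; prints an empty line when the field is absent.
reaver_field() {
    awk -v label="$2" -v q="'" '
        index($0, "[+] " label ": ") == 1 {
            s = index($0, q)
            if (s > 0) v = substr($0, s + 1, length($0) - s - 1)
        }
        END { print v }' "$1"
}

# classify_reaver_log FILE -> prints one of: key | pin-only | none
classify_reaver_log() {
    pin=$(reaver_field "$1" "WPS PIN")
    psk=$(reaver_field "$1" "WPA PSK")
    if [ -n "$psk" ]; then
        echo "key"
    elif [ -n "$pin" ]; then
        echo "pin-only"
    else
        echo "none"
    fi
}

# Constructed sample logs (made up for this example, not real captures).
SAMPLE_PIN_ONLY=$(mktemp)
SAMPLE_KEY=$(mktemp)
SAMPLE_NONE=$(mktemp)
trap 'rm -f "$SAMPLE_PIN_ONLY" "$SAMPLE_KEY" "$SAMPLE_NONE"' EXIT

cat > "$SAMPLE_PIN_ONLY" <<'EOF'
[+] Pin cracked in 38 seconds
[+] WPS PIN: '12345670'
[+] Nothing done, nothing to save.
EOF

cat > "$SAMPLE_KEY" <<'EOF'
[+] WPS PIN: '12345670'
[+] WPA PSK: 'it's a key'
[+] AP SSID: 'victim_essid'
EOF

cat > "$SAMPLE_NONE" <<'EOF'
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX
EOF

# Demo: one line per log, in the order pin-only, key, none.
for f in "$SAMPLE_PIN_ONLY" "$SAMPLE_KEY" "$SAMPLE_NONE"; do
    printf '%s\tpin=%s\tpsk=%s\n' "$(classify_reaver_log "$f")" \
        "$(reaver_field "$f" "WPS PIN")" "$(reaver_field "$f" "WPA PSK")"
done
```

Run it against the files in VARMAC_LOGS to see at a glance which targets ended in the pin-only state; a log whose last lines read "Nothing done, nothing to save." after the PIN line is exactly the case the thread attributes to a mac-spoofing mismatch or to reaver itself rather than to tee.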
