
Thread: Varmacscan2-0 an automatic multi-target reaver attack tool released

  1. #21
    Senior Member
    Join Date
    Jul 2013
    Posts
    797
    To brunoaduarte

    We think in some cases (i.e. not all) the WPA key was not obtained because the MAC spoofing routines for Kali 2.0 were bugged. There are two different routines. If you spoof the MAC address in reaver and then do not add --mac= to the reaver command line, reaver many times only gets the PIN.

    Reference weak signals

    The reaver command line used was developed by the author of auto-reaver. He/she had cracked WPA keys at extreme range using this command line. MTeams duplicated these findings and uses it in other programs and it works well when trying to crack WPS locked routers with VMR-MDK.

    We have released version 2.8. The download addresses are found at the beginning of this thread.

    Keep in mind that if you have fixed targets that respond to reaver we suggest you use the command line. When you run out of targets run up this scanner and go to bed and see what info varmacscan2-8 can obtain automatically.

    MTeams

  2. #22
    Member
    Join Date
    Nov 2015
    Posts
    45
    Awesome mmusket33, thanks! I'm testing it...

    There are 2 cases where I got the WPS PIN (no WPA as usual), but later when I try to attack it again (to get the WPA pass with bully), its WPS is DISABLED (not locked). Is this a security measure from the router? Why did it allow me to crack the pin and then disable it? It makes no sense... as when the pin is found the attack's stopped.

    Any ideas?
    Last edited by brunoaduarte; 2015-12-04 at 07:37 PM.

  3. #23
    Senior Member
    Join Date
    Jul 2013
    Posts
    797
    To brunoaduarte

    We have run four (4) computers: Kali 1.1a Hard Drive (HD) install, Kali 2.0 HD install, Kali 1.10a persistent USB, Kali 2.0 persistent USB. We ran them at the same available targets. In only one (1) case did we not get the WPA key, and in that case we removed the MAC file from the VARMAC_WHITELST folder and the program automatically reattacked the network and on the second try got the WPA key. Just remember the complete set of data, if obtained, is found in the VARMAC_WPSWPA folder, NOT the VARMAC_WHITELST folder.

    Concerning the two (2) cases you comment on above: how did you determine that the WPS system was disabled?

    MTeams

    In closing, we tried to use Eterm but were unable to get it to function in Kali 2.0.

  4. #24
    Member
    Join Date
    Nov 2015
    Posts
    45
    Yeah yeah, I always look at the VARMAC_WPSWPA folder; no files are created in VARMAC_WHITELST here, cause I've never got the WPA pass from reaver (I guess the BSSID is only whitelisted when the WPA is found)...

    I determined the WPS system was disabled after the process because there's a file "PIN_FOUND-63576764-victim_essid-XX:XX:XX:XX:XX:XX" in the VARMAC_WPSWPA folder,
    but "airodump-ng --wps" shows nothing in the WPS field, and the device does not appear in the wash scan.

    Code:
    root@kali:~/VARMAC_WHITELST# ls -n
    total 0
    Code:
    root@kali:~/VARMAC_WPSWPA# ls -n
    total 1
    -rw-r--r-- 1 0 0 50 Dec  4 03:26 PIN_FOUND-63576764-victim_essid-XX:XX:XX:XX:XX:XX
    Code:
     BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH WPS       ESSID
     XX:XX:XX:XX:XX:XX  -63        5        0    0   6  54e  WPA2 CCMP   PSK            victim_essid
    As this WPA not being cracked with reaver only occurs here, maybe it's an issue with my WLAN adapters:

    WLAN0: Broadcom Corporation BCM4311 802.11b/g WLAN (rev 01)
    WLAN1: Ralink Technology, Corp. MT7601U Wireless Adapter

    Anyway, I'm happy with bully, it does the job.
    Last edited by brunoaduarte; 2015-12-05 at 02:23 PM.

  5. #25
    Senior Member
    Join Date
    Jul 2013
    Posts
    797
    To brunoaduarte,

    We have seen routers which first show the WPS system is on, but after one pin is received the WPS functionality disappears. We will give bully a try again; we never had much luck with it in the past. We will load reaver first and then do the same attack with bully and see what occurs using the varmacscan program. We will advise.

    Thanks for the idea

    Could you post the bully command line you prefer to use?

    MTeams
    Last edited by mmusket33; 2015-12-06 at 02:48 AM.

  6. #26
    Member
    Join Date
    Nov 2015
    Posts
    45
    Quote Originally Posted by mmusket33:
    Could you post the bully command line you prefer to use?
    Sure,

    Code:
    bully -b XX:XX:XX:XX:XX:XX -c 3 -v 3 -B -p 20863463 wlan0mon
    BTW, could you consider removing the confirmation (Y/n) dialogs from the next version of the released scripts? Or maybe a menu option to disable them?
    The first thing I do after downloading MTeams scripts is commenting out code like:

    Code:
    echo -e "$inp  You entered$yel $ERAS$info type$yel (y/Y)$inp to confirm or$yel (n/N)$inp to try again$txtrst"
    read ERASTEST
    to be like

    Code:
    #echo -e "$inp  You entered$yel $ERAS$info type$yel (y/Y)$inp to confirm or$yel (n/N)$inp to try again$txtrst"
    #read ERASTEST
    ERASTEST=Y
    Cause there are so many options, and confirming each one is very time consuming.

    Thanks!

  7. #27
    Senior Member
    Join Date
    Jul 2013
    Posts
    797
    To brunoaduarte

    Thanks for the command line example

    We have been running bully tests alongside reaver; we will let you know our results.

    Reference the input confirmations: we will consider alternatives.

    MTeams

  8. #28
    Member
    Join Date
    Nov 2015
    Posts
    45
    Ok thanks mmusket33!

    FYI: About the WPS pin being disabled, it seems it's just some firmware's protection style.
    Some only lock WPS, others lock and then after some time disable it. Others just disable it.
    And in all those options there are cases where WPS is unlocked/re-enabled automatically.
    So there's not really a pattern for that.

  9. #29
    Senior Member
    Join Date
    Jul 2013
    Posts
    797
    To brunoaduarte

    MTeams are seeing a group of routers which have a WPS system which is open but simply do not respond to pin requests. Some of these networks have withstood any pin request for many months until we turned on varmacscan2-8 for tests. The next morning we would look in the WPSWPA folder and there the WPA key would be. The key was always 12345670. When we referred to the log files we found that on one of the many, many short requests for pins before moving on to another target through the automatic functions of the script, the network just gave up its WPA key and WPS pin.

    We tried to duplicate this by actively attacking the network directly through the command line, with no effect.

    So as MTeams has noted elsewhere, when you have finished any active attacks through the command line, just run up varmacscan and go to bed; you may get a key by the next day.

    A handshake collector module is being placed in the script, as airodump-ng is run passively in the background and occasionally a handshake is collected.

    MTeams
    Last edited by mmusket33; 2015-12-09 at 11:56 PM.

  10. #30
    Junior Member
    Join Date
    Oct 2014
    Posts
    15
    Your script works great. I edited the script because I got FCS skipping, and adding -C resolved that issue.

    Superb.
