Results 1 to 19 of 19

Thread: varmacscan-K1-2-2016-5-6.sh released for community use

  1. #1
    Join Date
    2013-Jul
    Posts
    819

    varmacscan-K1-2-2016-5-6.sh released for community use

    As of 5 May 2018

    Varmacscan-K1-2-2017-8-6 has been released for community use.

    This version corrects a bug in the AP Name List when the vendor output from wash is null or unknown.

    Supports kali 1.1, 2.0 and Rolling thru 2017.3

    Supports text output from reaver v1.63 required by pixiewps

    Tested with reaver v1.52 and v1.63

    https://github.com/musket33/varmacscan

    https://www.datafilehost.com/d/614f890c

    An overview of the attack sequence is provided below: After setup operations are robotic in nature:

    Place in root

    chmod 755 varmacscan-K1-2-2017-8-6.sh

    Run

    ./varmacscan-K1-2-2017-8-6.sh

    After initial setup by user:

    Scan Phase With Wash

    A wash scan of all targets is first conducted. Any Targets that have had their WPA key extracted are excluded.

    Attack Phase with reaver supported by aireplay-ng and mdk3

    Attack Step 1

    The script looks for any previous WPS pin found and attempts to extract the WPA key from the network-wps pin pair using reaver and pixiedust.

    Attack Step 2

    If the WPA key is not extracted or no previous WPS Pin found, then a standard reaver brute force attack is conducted.

    Attack Step 3

    Reaver attacks the target using default pin 12345670

    Attack stage 4

    Reaver attacks the target using default pin 00000000

    Attack stage 5

    Reaver attacks all targets with default pin as selected by user.

    Reaver moves to next target in sequence

    When all targets are exhausted another wash scan is begun and the automatic cycle continues.

    Network Activators

    Four(4) different Network activators are included using aireplay-ng and mdk3. All four(4) processes are placed within regenerative loops to keep functioning in cases where signal strength is weak and/or the process terminates.

    Airmon-ng

    As MTeams has noted in these forums, if reaver is able to extract the WPS Pin BUT cannot extract the WPA Key then using an older version of airmon-ng solves the problem. During tests the results when using the older version of airmon-ng with kali 2.0 and Kali Rolling were far superior to results when using the airmon-ng found with the kali distro. In WPA key extraction the older version provided a statistical 10 to 1 advantage over the newer version.

    MTeams has therefore embedded an older version of airmon-ng into the varmacscan script. Users are given the option of using the older version or using the version found in the kali distro as required.

    Pixie Dust Manual Extraction

    Reaver log data is written to a single log for each target each cycle and checked for a pixiedust data sequence after every stage. This log can be later brute forced by the user. You can download PDDSA-06.sh for kali 1.10A or PDDSA-K2-06.sh for kali 2 and 2016. This is available for download in these forums.

    Essidprobe data is written to file for use in brute forcing a WPA handshake with aircrack-ng elcomsoft etc.

    In closing MTeams suggests users run this script anytime the computer is not being used especially during sleep or at night when terrestrial radiation causes low level inversions in the atmosphere trapping the wifi signal in a tight band along the surface thus expanding range and increasing strength.

    Musket Teams
    Attached Files Attached Files
    Last edited by mmusket33; 2018-05-05 at 02:53.

  2. #2
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    oh goody, a new toy!! Thank you mmusket. I'm still using KL1, and will report back if something wrong, with the usual moaning and complaining.

    Cheers! =]
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  3. #3
    Join Date
    2013-Jul
    Posts
    819
    To Quest

    MTeams is down to one functioning k1.10a We have been unable to find sources that function. We tried all the suggestions listed. If you know a method please post in the how tos.

  4. #4
    Join Date
    2017-Apr
    Posts
    3
    I have been tinkering and learning things from team musket for years, thank you so much for everything.
    I would like to contribute to your project with a discovery I made, and perhaps I'm not the first, but I haven't seen this yet.
    Recently (2017), my large cable / isp service has been handing out preconfigured wifi modems from technicolor and arris that broadcast their wifi psk.
    Before attempting to attack a wps, take the broadcast name and the mac address that shows from any wifi scan. That the first half of the broadcast name thru the first letter after the numbers, and add the 4th and 5th characters of the mac, and then the last 2 characters from the broadcat name, all characters in caps, and you will have the psk.
    Ex: bssid= TG1672G92
    Mac= d4:05:98:bf:86:90
    Psk= TG1672GBF8692

    This is my modem, I find this disturbingly simple, but it's here...
    Last edited by grundlestain; 2017-04-21 at 10:25. Reason: Typo

  5. #5
    Join Date
    2013-Jul
    Posts
    819
    To Grundlestain

    Thanks for your observations and discovery!

    Reference the broadcast name - is this name part of the default settings and entered automatically by the firmware or is it selected by the user during setup?

    MTeams hopes you will repost this exploit in other forums as well. Possibly soxrok2212, Annarchy or others can give you some ideas on where to post so as to get better community exposure.


    Musket Teams

  6. #6
    Join Date
    2017-Apr
    Posts
    3
    This is the default set that corresponds to the stickers on the device for reference during initial setup, and after a factory reset.
    I was not as clear as I could have been, it is the 4th and 5th octet from the mac, input before the last 2 characters of the broadcast bssid. And all characters should be in capital's.
    I have been looking for a method of wps pin recovery when psk is known, is there a way to do this without manually logging into the router configuration page? I have been searching but it would seem that this scenario has not been presented, however I would like a simple method of retrieving the pin, in the event of a user changing a password, but not generating a new pin.

  7. #7
    Join Date
    2013-Jul
    Posts
    819
    Reference your question of retrieving the WPS pin when the WPA key is known. When the WPS Reaver site was active MTeams requested this facility. To our knowledge no such exploit exists. You might post your question in the Pixiedust threads. You could of course run a reaver attack and attempt to obtain the WPS pin OR as you point out find a way to access the routers setup pages and just read the WPS pin. MTeams is currently working on a program that works with MKBRUTUS to crack Mikrotek OS routers username/password that only allow x number of pins before stopping. We will post when finished.

    MTeams

  8. #8
    Join Date
    2013-Sep
    Posts
    262
    I have been looking for a method of wps pin recovery when psk is known,
    Not possible.

  9. #9
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    It is actually the model of the AP... just a poor security implementation. Many vendors of gateways (modem/router combos) assume some ISP will use their hardware and that they will NOT use the reference code provided. (Un)fortunately, a lot do and the result is disgustingly insecure systems. This is already publicly known.

  10. #10
    Join Date
    2017-Apr
    Posts
    3
    Ok, for an already well known weakness, it would seem to me that (for more learned folk than I, at least for now) an algorithm that would run the bssid + mac, as a psk, and not run the risk of lockout, would make a great addition to a script like this.
    Thanks for taking the time to entertain my efforts to contribute something.

  11. #11
    Join Date
    2017-Jun
    Posts
    1
    Program restarting every 3 minutes, but every time it restarts, it tries the pin 12345670
    Maybe stuck in a loop.
    Please post the best setting combination to use to achieve the best results.

  12. #12
    Join Date
    2013-Jul
    Posts
    819
    Reaver 1.53 in Kali 2017.1 doesnot support -a in reaver and -C in wash.

    MTeams has released varmacscan-K1-2-2017-6-1.sh which supports kali 1.1, 2, 2016 and 2017 and older and newer versions of Reaver.

    You can download

    https://github.com/musket33/varmacsc...2-2017-6-1.zip

    or

    http://www.datafilehost.com/d/82ab4a25
    Last edited by mmusket33; 2017-07-06 at 01:11.

  13. #13
    Join Date
    2013-Jul
    Posts
    819
    MTeams has released varmacscan-K1-2-2017-7-7.sh which supports kali 1.1, 2, 2016 and 2017 and older and newer versions of Reaver.

    Corrects bugs in the default pin modules

    You can download

    https://github.com/musket33/varmacsc...-2-2017-7-7.sh

    or

    http://www.datafilehost.com/d/558f379b



    Musket Teams

  14. #14
    Join Date
    2013-Jul
    Posts
    819
    Due to text output changes in Reaver version 1.63, pixiedust pin extraction modules in varmacscan-K1-2-2017-7-7 will no longer function. The code is being corrected and a new version supporting the latest will be posted after testing.

    Musket Teams

  15. #15
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    FWIW, you should use GitHub to post the source code of your projects, not host zip files.

  16. #16
    Join Date
    2013-Jul
    Posts
    819
    Varmacscan-K1-2-2017-8-4 has been released for community use.

    Supports kali 1.1, 2.0 and Rolling thru 2017.3

    Supports text output from reaver v1.63 required by pixiewps1.3

    Tested with reaver v1.52 and v1.63

    You can download from

    https://github.com/musket33/varmacscan

    https://www.datafilehost.com/d/c21867a1

    Musket Teams

  17. #17
    Join Date
    2016-Dec
    Posts
    125
    I recently modded your programs, to better co-side with kali i like them. Keep up the good work.

  18. #18
    Join Date
    2016-Dec
    Posts
    125

    link to file

    Quote Originally Posted by bigbiz View Post
    I recently modded your programs, to better co-side with kali i like them. Keep up the good work.
    drag directly into the downloads file
    Attached Files Attached Files

  19. #19
    Join Date
    2013-Jul
    Posts
    819
    Varmacscan-K1-2-2017-8-6 has been released for community use.

    This version corrects a bug in the AP Name List when the vendor output from wash is null or unknown.

    Supports kali 1.1, 2.0 and Rolling thru 2017.3

    Supports text output from reaver v1.63 required by pixiewps

    Tested with reaver v1.52 and v1.63

    https://github.com/musket33/varmacscan

    https://www.datafilehost.com/d/614f890c

Similar Threads

  1. Community Cracking
    By shaberu in forum Community Projects
    Replies: 15
    Last Post: 2018-02-07, 05:13
  2. Replies: 4
    Last Post: 2016-03-04, 18:50

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •