
Launch Reaver from WPS button



EDIT 2: Version 1.2 of the script has been released. See post 16 for changes.

EDIT: Version 1.1 of the script has been released. See the 3rd post for changes.

Hope this is the right section.

Hey guys. I was researching Reaver attacks straight from the pineapple and I could not find anything I liked. I wanted something completely automated from the WPS button. Since I couldn't find one I wrote one and thought I'd share.

This script attempts a WPS attack utilizing Reaver and the wifi pineapple

Usage: ./reaver.sh [-b BSSID] [-d] [-e ESSID] [-f] [-h] [-i location]
           [-w time] [-o file] [-s]

    -b BSSID    When scanning for networks this BSSID will be attacked
                regardless of both signal strength and if it was
                cracked before. (Note: When scanning networks if both
                ESSID and BSSID are listed the BSSID is used first)

    -d          Debug mode: Prints extra information to
                help with debugging

    -e ESSID    When scanning for networks this ESSID will be attacked
                regardless of both signal strength and if it was
                cracked before. (Note: When scanning networks if both
                ESSID and BSSID are listed the BSSID is used first)

    -f          Force attack of closest network
                (override check of previously cracked networks)

    -h          This screen

    -i          Installs Reaver (if missing) and offers
                to integrate with WPS button.
                (Requires internet connection)

    -o file     Sends copy of all output to file

    -s          Overrides the minimum signal strength required

    -w delay    wait "N" seconds before beginning attack

(The help screen of the script)

Basically here's how the script runs: once you push the WPS button, it will start with phase 1 and blink the light once. During this phase Karma will be stopped and the wireless card will be prepped for the attack.

Once this is complete the WPS light will blink twice and phase 2 will start. This is where the Pineapple will start scanning for networks using wash. The first thing that happens is that it checks the self-created "cracked.txt" for previously cracked networks and omits them from the scan (unless the -f argument is used). It then checks all the networks seen and, if an ESSID or BSSID was requested, it will use that network if visible. If it is not seen, it will attack the network with the strongest signal.

Once the network is determined it will switch to phase 3 and the WPS light will blink 3 times. This is where the actual attack starts. Aireplay-ng will attempt to associate with the network and, if successful, Reaver will begin. Once Reaver completes the WPS light will light back up and the network will be saved in the cracked.txt file.

If any errors happen throughout the script it will stall out and the WPS light will start flashing off and on. I have really tried to capture all possible errors, but since I cannot foresee all problems, if you run into any please let me know and I will modify my script.

Installation is extremely simple. Just SSH into your pineapple, and while in the "/root" directory (which is the default directory when you SSH in) run ONE of the following commands to install the script:

To install Reaver:

wget http://hax0rbl0x.googlecode.com/files/reaver.sh; chmod +x reaver.sh; ./reaver.sh -i

Once that is installed, follow the post-installation instructions, or if you selected to modify the WPS button functionality, simply press the WPS button.

I have tested this using just the Pineapple holiday bundle and it works like a charm. Not only that, but simply using the pineapple juice for power the pineapple was still going 14 hours later. I guess karma really eats up the battery. So just the pineapple juice should be sufficient for any attacks you are trying to accomplish. If for some reason you run out of juice prior to Reaver finishing the attack it will pick up where it left off.

Hope you guys like it. Enjoy.

Edited by airman_dopey


Updated to version 1.1. Change log is as follows:

- Fixed bug where installing to USB would fail
- Added Aireplay-ng and Reaver monitoring. This allows the script to ensure everything is running properly and, if either program fails, causes the script to relaunch the suspect program up to the threshold set in the beginning of the script (currently set to 3)
- Added signal checking to discard network if signal strength is below -81 as shown by Wash
- Added flag to bypass minimum signal strength check
- Added output flag to send a copy of all output to file
- Added ability to have second press of WPS button close script gracefully (This function requires the WPS button script to be rewritten by running the install portion of the script).
- Added steadily blinking light to signify script is waiting "N" seconds prior to starting attack
- Added sanity checks to verify Reaver and Aireplay-ng are installed prior to running
- Fixed numerous bugs relating to the overall function of the script

If you are upgrading from an older version, please make sure you run the install again and overwrite the WPS button script to add the button-cancel function of the script.

Thank you all who have tried this script. I hope it is useful.

Edited by airman_dopey


Hello,

I am curious about the 3.0 change requirements?

For a shell script?

Are there any needed?

Or are you commenting on the GUI parts?

I'm a new owner of a MkIV 3.0 Pineapple, and still testing things out.

> Any plans to release this for the 3.0.0 firmware?

Yes. Started a new job and haven't had the time to dig in. Also have a MITM addon to it that will start sniffing creds when it cracks the network. Just need to update for 3.0 and polish it.


I don't expect much to change. There should be a warning message that comes up as I coded the last version of the firmware in there. To remove that message just change the version number to match the current version. I should be able to have all the new code ready this weekend


Ahh, I only perused the code, really didn't look hard at it.

I will look at it again tonight, thanks!

Okay, I see the part w/ the version check, no big deal, just a warning.

reaver.sh:3:#reaver.sh version 1.1
reaver.sh:1069:elif [[ `cat /pineapple/includes/fwversion` != "2.8.1" ]]; then
reaver.sh:1070: FWver=`cat /pineapple/includes/fwversion`
reaver.sh:1071: echo "Warning! This script has been tested on FW version 2.8.1"
reaver.sh:1072: echo "Your current version is $FWver"

I am going to test it tonight.

Thanks!

Edited by buggz

ifconfig wlan0 up; airmon-ng start wlan0

airodump-ng mon0 and find your bssid of the station to test

reaver -i mon0 -b XX:XX:XX:XX:XX:XX0 -vv

root@Pineapple:~# reaver -i mon1 -b XX:XX:XX:XX:XX:XX -vv

Reaver v1.4 WiFi Protected Setup Attack Tool

Copyright © 2011, Tactical Network Solutions, Craig Heffner

reaver: can't resolve symbol 'pcap_open_live' in lib 'reaver'.

Edited by buggz

So I finally had a chance to upgrade to 3.0.0 and with a fresh install of Reaver I am not getting those errors. Try reinstalling Reaver/firmware and see if that resolves your issue.

As for the script itself a couple of tweaks are needed to make it work properly but the core of it is still functional. I hope to release all the new code this weekend.


I'm encouraging you from here!!! Can't you hear me?!?!?!? ;D

...&& don't give up!!! ;)


Hey guys,

Version 1.2 is finally released. If you upgrade to this version you will need to be running fw 3.0.0 as code needed to be changed to make it work properly. Also the install process has changed. You no longer need to specify where you want Reaver installed; it will determine the location within the script. Just type "./reaver.sh -i" to install (after downloading the new version of course). Please let me know what you guys think. I will be releasing the cred harvesting add-on in a few days. I need to polish it up.

- Updated code to run on FW 3.0.0 (WPS Button install, fw version check)
- Removed the ability to cancel the code by pressing the WPS button again (needed to be removed for the add-on)
- Added ability to blacklist certain ESSID/BSSIDs. If you create "/root/blacklist.txt" and add in the format "ESSID BSSID" (no spaces in ESSID) then it will bypass those networks
- Modified install process to choose location within the script
Edited by airman_dopey

I edited the first post with installation instructions. That is how you install on 3.0.0. As for the infusion part, I do not know php and have too much going on right now to learn it ATM. If someone else wants to help tackle it I'm all for it, but I mostly did this as a side project. I didn't expect much demand for it

Edited by airman_dopey


I would love to run this on a DIP switch

for the MkV 1.0.3.

Can the WPS button code be stripped?

./reaver.sh: line 96: /sys/class/leds/alfa:blue:wps/trigger: No such file or directory
./reaver.sh: line 92: /sys/class/leds/alfa:blue:wps/trigger: No such file or directory
./reaver.sh: line 96: /sys/class/leds/alfa:blue:wps/trigger: No such file or directory
./reaver.sh: line 92: /sys/class/leds/alfa:blue:wps/trigger: No such file or directory

Edited by m40295
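The errors above come from reaver.sh writing to a hard-coded LED path that only exists on the MkIV. As an added illustration (not code from airman_dopey's script), the helper below probes /sys/class/leds for any LED whose name contains "wps" and turns every LED write into a no-op when none is found, so the script degrades gracefully on hardware like the MkV instead of aborting under error checks. The LED_ROOT variable, BLINK_DELAY and the optional root argument are assumptions added so the functions can be pointed at a temporary directory.

```shell
#!/bin/sh
# Added helper, not from reaver.sh: locate the WPS status LED instead of
# hard-coding /sys/class/leds/alfa:blue:wps, and make every LED write a
# harmless no-op when the LED (or the whole leds subsystem) is absent.

LED_ROOT="${LED_ROOT:-/sys/class/leds}"   # overridable for testing (assumption)
BLINK_DELAY="${BLINK_DELAY:-0.2}"

# Print the sysfs directory of the first LED whose name contains "wps".
# Returns 1 (prints nothing) if there is no such LED or no leds directory.
find_wps_led() {
    root="${1:-$LED_ROOT}"
    [ -d "$root" ] || return 1
    for d in "$root"/*wps*; do
        [ -d "$d" ] && [ -e "$d/trigger" ] || continue
        printf '%s\n' "$d"
        return 0
    done
    return 1
}

# Write a trigger name (none, timer, ...) to the LED; no-op without an LED.
led_trigger() {
    led="$(find_wps_led "$2")" || return 0
    printf '%s\n' "$1" > "$led/trigger"
}

# Write brightness (1 = on, 0 = off); no-op without an LED.
led_set() {
    led="$(find_wps_led "$2")" || return 0
    printf '%s\n' "$1" > "$led/brightness"
}

# Blink N times, the phase-signalling pattern described in the first post.
# The second argument (LED root) is optional; it exists only so tests can
# point the functions at a temporary directory instead of real sysfs.
led_blink() {
    n="$1"; root="$2"
    find_wps_led "$root" >/dev/null || return 0
    led_trigger none "$root"
    i=0
    while [ "$i" -lt "$n" ]; do
        led_set 1 "$root"; sleep "$BLINK_DELAY"
        led_set 0 "$root"; sleep "$BLINK_DELAY"
        i=$((i + 1))
    done
}
```

Sourcing this file and replacing the script's direct echo-to-sysfs lines with led_trigger/led_set/led_blink calls keeps the blink feedback on the MkIV while silencing the "No such file or directory" failures elsewhere.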


Hey, I've been having an issue where I'll be running reaver on an access point and go to bed and the next day it had gotten up to around 55% finished and stalled, but every time I go to start it again it seems to want to start all over again on the PINs.

...I see the history file but I wasn't sure of a correct method to ensure the reaver module is checking all of the past history logs to eliminate all known PIN guesses from its lists before starting all over again.

Thanks
