LexMichdeappel

Reaver "AP rate limiting detected" and automatic mdk3 solution

108 posts in this topic

More and more routers are becoming resistant to the Reaver magic. That's a good thing, because we all want easy and secure working hardware in our (grand-)parents' homes. But are they really secure? Today I had an encounter with a stubborn fellow that tried to stop me from brutally forcing myself into his backdoor.

WARNING: Detected AP rate limiting, waiting 60 seconds

Good job boy, you kept me out, you're safe! Yeah right... So I fired up another command:

mdk3 mon0 a -a [MAC] -m

Let that rip for a minute, tried reaver again, bingo! It accepted my brute force methods again. But after a few minutes it locked up again. Time for some more of that mdk3 vaseline, let it rip again, and after reavering it accepted my crowbar.

Now my question is, can someone explain to me or show me how to write some kind of script that does this automatically?

So it should do this on its own:

reaver -i mon0 -b [MAC] -vv -S

When it hits the AP rate limiter: ctrl-C

mdk3 mon0 a -a [MAC] -m

Run that for a minute or something and then again from the top:

reaver -i mon0 -b [MAC] -vv -S

When it hits the AP rate limiter: ctrl-C

mdk3 mon0 a -a [MAC] -m

And so on and so on and so on...

Edited by LexMichdeappel

Funny stuff, I actually experimented with this last weekend.
But for me it didn't work.
You/I could probably write a script in python or something :)


Funny stuff, I actually experimented with this last weekend.

But for me it didn't work.

You/I could probably write a script in python or something :)

My problem is, I can't. But I'd love to learn how. Should I first learn how to do Python or is it understandable how it works without in depth knowledge about Python?


I'm not an expert in python, but it's pretty easy to learn.
I would recommend learning python first, but maybe learning is by doing hehe :)
I'll look into it though. I have spare time this weekend. I want to make a script to make my life easier.
There are several python modules to interact with the terminal and controlling applications such as Reaver.


I'm not an expert in python, but it's pretty easy to learn.

I would recommend learning python first, but maybe learning is by doing hehe :)

I'll look into it though. I have spare time this weekend. I want to make a script to make my life easier.

There are several python modules to interact with the terminal and controlling applications such as Reaver.

That would be awesome. Especially if you do a little tiny bit of explaining how the script works. I don't really care if I crack open the router, I want to be able to understand how it's done.

I found out the router starts complaining after 21 tries and after that it locks up. The mdk3 command only needs a few seconds of time to reset the router, I always ctrl-C when it hits 3000 clients connected. After that it's back to reaver again. I found out that " reaver -i mon0 -b [MAC] -vv -S -a -g 21 " works best. I added -c 1 to it, but I saw the router hop channels a few times. Went from channel 1 to 11 after having the backdoor raped by mdk3 a few times, so I sat there waiting for beacons that were not going to come anymore.

I think reaver should come with some of those mdk3 functions embedded. When it hits the limiter, automatically switch to mdk3 and rape it.

I guess I'm going to have to watch some more of that Coding 101 with Snubs and that Christian guy...


Yeah, maybe making the script so that it takes user input on how many clients should be connected with mdk3 before switching back to reaver.

I'll definitely look into this during the weekend. You have to test the script for me though, I don't have a router that is vulnerable to crashing with mdk3.


A script that I had worked on for fun but never meant to distribute.... so now it is in distribution.. have fun...

Bash Script name: ReVdK3.sh

Operations

Gives you the option of running any of the mdk3 attacks (Authentication DoS Flood, Eapol Start Flood and Eapol Log off Attack)

Starts reaver and detects when the AP is rate limiting pins. If rate limiting is detected, it floods the AP (three monitor interfaces must be started)

for a time period you input until the AP unlocks itself.... after unlocking it resumes reaver..

the link is below

http://www72.zippyshare.com/v/82770958/file.html

Edited by repzeroworld

It may be simpler to add some code-patch to the source. So when it detects the limiter it runs a script.

Edited by GuardMoony

You mean the "source" of reaver?.. that seems like a great idea!.. hope they do that someday :)


There is always more than one way to skin a cat.

I actually like this idea, I will try and whip up something.

I can see a few ways of doing this in bash and python.


Quickly looking at the source, patching this functionality in is rather trivial.

See line 143 of cracker.c. Simply do a system call to a script there. If you wish to change the script locations, you'll need to look at argparser.c and globule.c.

You would have to add the argument to argparser.c and a get/set pair to globule.c.

I might do this when I get some time..

Best Regards,

Sebkinne


Line 211 is wps connection failed.

You mean line 144, Sebkinne?

Maybe a quick and dirty line of testcode like:

system("rateLimitScript.sh");


Line 211 is wps connection failed.

You mean line 144, Sebkinne?

Maybe a quick and dirty line of testcode like:

system("rateLimitScript.sh");

Yeah, no idea where I got 211 from. Anyway, the above will do the trick for a static script indeed.

You will also want to basically decrease the wait timeout to a second or so - as the script will be executed in a blocking manner, you won't need the delay.

Best Regards,

Sebkinne


RELEASE OF REVDK3-R1.sh

DOWNLOAD LINK

http://www32.zippyshare.com/v/12811261/file.html

----------------------------------------------
ReVdK3-r1.sh (Revision 1 README Section)
----------------------------------------------
WARNING:
Do not use this script without permission from the victim to carry out the specified attacks.

This is the first official revision of the ReVdK3.sh script
----------------------------------------------

Script features in this revision

1. Runs reaver and aireplay-ng in one terminal and continuously detects when reaver is rate limiting pins.
After input of the wireless adapter interface.. it checks to see if there are any monitor interfaces on that adapter. Any existing monitor interfaces are wiped out and three new monitor interfaces are created. The script also uses these interfaces during the attacking process. In the event that aireplay times out because of association issues or switches to "shared key open authentication", the script will re-run aireplay-ng.


2. Runs mdk3 attacks until reaver detects that the WPS state of the AP has been unlocked. Once WPS has been unlocked it kills all mdk3 attacks and waits until reaver detects WPS has been locked again.. this process goes on...

3. Upon detection of 25 successive EAPOL start failures, the script floods the AP for 60 seconds to see if the AP will do a fresh reboot!

4. Killing the script in a terminal will trigger it to remove all tmp files, force all processes started by the script to terminate and wipe out the three monitor interfaces it created.. be patient, about 1-2 seconds for termination of the script... Also you can close the terminal instead of killing it; this will send a hang-up signal to do the necessary cleaning up..

Edited by repzeroworld
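The two AP behaviours this thread revolves around are a WPS PIN lockout that trips after a fixed number of failures and unlocks after a cool-down (the thread reports 21 tries and a 60-second wait), and an authentication flood of thousands of fake stations that some firmwares answer by resetting and thereby forgetting the lockout. The following is an added, defender-side illustration and is not code from this thread, from ReVdK3 or from reaver: a lockout counter modelled the way an AP should keep it, plus a detector that flags an authentication flood in AP logs. The thresholds and the hostapd-style log lines are constructed for the example; real APs and log formats differ.

```python
"""Defender-side model of WPS lockout state and auth-flood detection.

Added illustration, not part of ReVdK3 or reaver. Thresholds (21 failures,
60 s lock, 50 distinct stations in 10 s) and the log lines are constructed.
"""
from collections import deque
import re


class WpsLockout:
    """Failed-PIN counter with a cool-down that does not depend on association state."""

    def __init__(self, max_failures=21, lock_seconds=60):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = 0
        self.locked_until = None  # seconds; None means WPS is currently usable

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now):
        """Count one failed PIN attempt; return True if WPS is (now) locked."""
        if self.is_locked(now):
            return True  # attempts during the lock are rejected and not counted
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lock_seconds
            self.failures = 0
            return True
        return False

    def on_reset(self, persistent):
        """A lockout held only in RAM vanishes on reboot; a persisted one survives it."""
        if not persistent:
            self.failures = 0
            self.locked_until = None


# Constructed log format: "<epoch> hostapd: <iface>: STA <mac> IEEE 802.11: authenticated"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) .*STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) IEEE 802\.11: authenticated"
)


def detect_auth_flood(lines, window_seconds=10, distinct_threshold=50):
    """Return (timestamp, distinct_station_count) for each window that looks like a flood.

    A home AP sees a handful of new stations per minute; an authentication flood
    produces hundreds of never-seen MACs per second, so the count of distinct
    stations in a short sliding window is the signal.
    """
    recent = deque()  # (ts, mac) pairs inside the sliding window
    alerts = []
    suppressed_until = -1  # one alert per window, not one per log line
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, mac = int(m.group("ts")), m.group("mac")
        recent.append((ts, mac))
        while recent and ts - recent[0][0] > window_seconds:
            recent.popleft()
        distinct = len({entry[1] for entry in recent})
        if distinct >= distinct_threshold and ts >= suppressed_until:
            alerts.append((ts, distinct))
            suppressed_until = ts + window_seconds
    return alerts


def constructed_log(flood):
    """Two legitimate stations, optionally followed by a 300-station burst (constructed)."""
    base = 1000
    lines = [
        f"{base} hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: authenticated",
        f"{base + 30} hostapd: wlan0: STA 02:00:00:00:00:02 IEEE 802.11: authenticated",
    ]
    if flood:
        lines += [
            f"{base + 60} hostapd: wlan0: STA 02:00:00:00:{i >> 8:02x}:{i & 0xff:02x} "
            "IEEE 802.11: authenticated"
            for i in range(300)
        ]
    return lines


if __name__ == "__main__":
    lock = WpsLockout()
    for _ in range(21):
        lock.record_failure(0)
    print("locked at t=30:", lock.is_locked(30), "| locked at t=60:", lock.is_locked(60))
    print("quiet log:", detect_auth_flood(constructed_log(False)))
    print("flood log:", detect_auth_flood(constructed_log(True)))
```

The point of `on_reset` is the design question the thread raises: a lockout that lives only in RAM is undone by anything that reboots the AP, so the counter and its expiry belong in persistent storage. The flood detector keys on distinct source MACs rather than raw message rate, which is what separates a reconnecting household from a generated-MAC flood.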

Repzeroworld, I downloaded your file, I just need help with how to execute it. Do I have to fill in anything? I'm sure I do but I'm not exactly sure what. I came to this site after running into AP limits. I'm hoping you'd be nice enough to help me considering I'm nowhere near you in skill set level. Thanks


hello 100j

Download the script and type in a Linux terminal

chmod a+x <drag script here>

afterwards just drag the script into a terminal

this is a bash script.... I am thinking of writing the script in Python.. but I will leave it in bash code for a while....

cheers

Edited by repzeroworld

Keeping to the original post, I don't think MDK3 really makes a difference to the timeout of Reaver.


Is there anything like this for Bully? Reaver doesn't work with me unfortunately.


Heads up, gnome-terminal throws an error on pwnpi using this script, mainly because gnome-terminal is not installed. Currently installing gnome-terminal and its related packages to test the fix.


The router I was doing this with was nowhere to be found a few days after posting this, so I completely forgot about it. Good to see it was picked up by others for testing, love you guys xxx. (Better late than never!)


I am working on incorporating bully in revdk3 script (95% completed)....I notice mac spoofing is affecting proper functioning of bully as compared to reaver... a little scared of this (still thinking...).


Is there a chance that there will be an openwrt compatible version of this?


ReVdK3-r2 (Revision 2)

Download Link
http://www56.zippyshare.com/v/UZrMxTtZ/file.html

I have revised the script for those who prefer to use the bully WPS pin cracker. Now you have two options for pin cracking: either reaver 1.4 or bully.

Dependency checks:
The program checks to see if the following are installed so that the script can function well:
[1] reaver
[2] bully (if you are using it)
[3] mdk3
[4] aireplay-ng
[5] gnome-terminal
[6] timeout

Possibly the last revision of the script since new access points are becoming invulnerable to the attacks... however I will experiment with new attacks and see if they are effective for rebooting APs.. best of luck ReVdK3 users!..

Credit to my friend WaLkZ and others who prefer the bully WPS pin cracker.

Edited by repzeroworld

Is there a chance that there will be an openwrt compatible version of this?

Seems a little technical for me AT THIS POINT, but you are looking to embed the program into a device?.. a few more details would be good :D


Well, instead of using the gnome terminal, could the terminal invocations be replaced with an openwrt-compatible one? Such as screen, tmux or byobu? As I'm still learning, this is beyond my current knowledge to make a working port of your nice script for openwrt! :-)

My reason for wanting such is to have it running on my (and I'm sure many others') Pineapple MarkV.

So far it appears that the gnome terminal is the only thing hampering this from running on an openwrt system.

Even if, let's say, it were made to run all in one screen, that would be fine as well. 0E 800 had attempted this and modified your script and named it "ReVdK3-rW.sh"; that version is here: https://drive.google.com/file/d/0BzolLN2vKwxjcGNrYmp1cVBFT28/edit

But I recall that one not working as planned on the pineapple; it's been a while since I've tried it in order to pinpoint the problem. But there is a want / need for this script to be able to run on other systems that only supply screen, tmux, byobu etc. interfaces.

Edited by datahead