
Reaver "AP rate limiting detected" and automatic mdk3 solution


LexMichdeappel


More and more routers are becoming resistant to the Reaver magic. That's a good thing, because we all want easy and secure working hardware in our (grand-)parents' homes. But are they really secure? Today I had an encounter with a stubborn fellow that tried to stop me from brutally forcing myself into his backdoor.

WARNING: Detected AP rate limiting, waiting 60 seconds

Good job boy, you kept me out, you're safe! Yeah right... So I fired up another command:

mdk3 mon0 a -a [MAC] -m

Let that rip for a minute, tried reaver again, bingo! It accepted my brute force methods again. But after a few minutes it locked up again. Time for some more of that mdk3 vaseline, let it rip again, and after reavering it accepted my crowbar.

Now my question is, can someone explain to me or show me how to write some kind of script that does this automatically?

So it should do this on its own:

reaver -i mon0 -b [MAC] -vv -S

When it hits the AP rate limiter: ctrl-C

mdk3 mon0 a -a [MAC] -m

Run that for a minute or something and then again from the top:

reaver -i mon0 -b [MAC] -vv -S

When it hits the AP rate limiter: ctrl-C

mdk3 mon0 a -a [MAC] -m

And so on and so on and so on...

Edited by LexMichdeappel

Guest spazi

Funny stuff, I actually experimented with this last weekend.
But for me it didn't work.
You/I could probably write a script in python or something :)


Funny stuff, I actually experimented with this last weekend.

But for me it didn't work.

You/I could probably write a script in python or something :)

My problem is, I can't. But I'd love to learn how. Should I first learn how to do Python, or is it understandable how it works without in-depth knowledge about Python?


Guest spazi

I'm not an expert in python, but it's pretty easy to learn.
I would recommend learning python first, but maybe learning is by doing hehe :)
I'll look into it though. I have spare time this weekend. I want to make a script to make my life easier.
There are several python modules to interact with the terminal and controlling applications such as Reaver.


I'm not an expert in python, but it's pretty easy to learn.

I would recommend learning python first, but maybe learning is by doing hehe :)

I'll look into it though. I have spare time this weekend. I want to make a script to make my life easier.

There are several python modules to interact with the terminal and controlling applications such as Reaver.

That would be awesome. Especially if you do a little tiny bit of explaining how the script works. I don't really care if I crack open the router, I want to be able to understand how it's done.

I found out the router starts complaining after 21 tries and after that it locks up. The mdk3 command only needs a few seconds of time to reset the router, I always ctrl-C when it hits 3000 clients connected. After that it's back to reaver again. I found out that " reaver -i mon0 -b [MAC] -vv -S -a -g 21 " works best. I added -c 1 to it, but I saw the router hop channels a few times. Went from channel 1 to 11 after having the backdoor raped by mdk3 a few times, so I sat there waiting for beacons that were not going to come anymore.

I think reaver should come with some of those mdk3 functions embedded. When it hits the limiter, automatically switch to mdk3 and rape it.

I guess I'm going to have to watch some more of that Coding 101 with Snubs and that Christian guy...

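The post above gives two numbers a defender can work with: the AP in question started rate limiting after 21 failed WPS PIN attempts, and the mdk3 authentication flood was stopped once about 3000 fake clients had been accepted. The following script is an added example written from the detection side; it is not code from the thread or from the ReVdK3 script, and it does not automate anything described here. It parses a constructed, simplified log format (not hostapd's or any vendor's real syslog format; adapt `parse_line()` to your AP's logs) and raises an alert for a WPS PIN brute-force burst and, separately, for an authentication flood, both with sliding time windows. The thresholds and window sizes are assumptions chosen for the example.

```python
"""Defender-side detection of (1) WPS PIN brute-force bursts and (2) 802.11
authentication floods of the kind mdk3 'a' mode produces, over AP log lines.

The log format is constructed for this example (not a real vendor format):
    "<YYYY-mm-dd HH:MM:SS> <EVENT> sta=<client MAC>"
EVENT is WPS_PIN_FAIL (a rejected WPS PIN attempt) or AUTH_OK (an 802.11
authentication the AP accepted).
"""
import re
from collections import deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>WPS_PIN_FAIL|AUTH_OK) sta=(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)

# Thresholds are assumptions for this example. The 21-try figure is the point at
# which the AP in the thread began rate limiting; the auth-flood threshold is far
# below the ~3000 fake clients mentioned so the alert fires early in a flood.
WPS_FAIL_THRESHOLD = 21
WPS_WINDOW = timedelta(minutes=10)
AUTH_FLOOD_THRESHOLD = 50          # distinct client MACs accepted...
AUTH_FLOOD_WINDOW = timedelta(seconds=10)   # ...within this window


def parse_line(line):
    """Return (timestamp, event, sta) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["event"], m["sta"]


def detect(lines):
    """Scan log lines in order; return a list of (alert, timestamp, detail)."""
    alerts = []
    wps_fails = deque()        # timestamps of recent WPS PIN failures
    auths = deque()            # (timestamp, sta) of recent accepted authentications
    wps_alerted = auth_alerted = False   # alert once per burst, not per line
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, sta = parsed
        if event == "WPS_PIN_FAIL":
            wps_fails.append(ts)
            while wps_fails and ts - wps_fails[0] > WPS_WINDOW:
                wps_fails.popleft()        # expire failures outside the window
            if len(wps_fails) >= WPS_FAIL_THRESHOLD and not wps_alerted:
                alerts.append(("wps_bruteforce", ts,
                               f"{len(wps_fails)} failed PINs within {WPS_WINDOW}"))
                wps_alerted = True
            elif len(wps_fails) < WPS_FAIL_THRESHOLD:
                wps_alerted = False
        elif event == "AUTH_OK":
            auths.append((ts, sta))
            while auths and ts - auths[0][0] > AUTH_FLOOD_WINDOW:
                auths.popleft()
            distinct = len({s for _, s in auths})   # floods use many spoofed MACs
            if distinct >= AUTH_FLOOD_THRESHOLD and not auth_alerted:
                alerts.append(("auth_flood", ts,
                               f"{distinct} distinct clients within {AUTH_FLOOD_WINDOW}"))
                auth_alerted = True
            elif distinct < AUTH_FLOOD_THRESHOLD:
                auth_alerted = False
    return alerts


def constructed_sample():
    """Constructed log: 21 PIN failures from one client at 5 s spacing, a quiet
    gap, then 60 distinct clients authenticating within 3 seconds."""
    t0 = datetime(2014, 3, 1, 12, 0, 0)
    lines = []
    for i in range(21):
        ts = t0 + timedelta(seconds=5 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} WPS_PIN_FAIL sta=00:11:22:33:44:55")
    t1 = t0 + timedelta(minutes=30)
    for i in range(60):
        ts = t1 + timedelta(milliseconds=50 * i)
        mac = f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"   # constructed spoofed MACs
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} AUTH_OK sta={mac}")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert, ts, detail in detect(constructed_sample()):
        print(f"{ts} {alert}: {detail}")
```

The two detectors are deliberately independent: a WPS lockout that is lifted by an association flood or a reboot is exactly the gap the thread exploits, so seeing an `auth_flood` alert shortly after a `wps_bruteforce` alert on the same AP is the pattern worth paging on, and the mitigation on the AP side is to disable WPS PIN entry entirely rather than rely on the lockout.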

Guest spazi

Yeah, maybe making the script so that it takes user input on how many clients should be connected with mdk3 before switching back to reaver.

I'll definitely look into this during the weekend. You have to test the script for me though, I don't have a router that is vulnerable to crashing with mdk3.



A script that I had worked on for fun but never meant to distribute... so now it is in distribution. Have fun...

Bash Script name: ReVdK3.sh

Operations

Gives you the option of running any of the mdk3 attacks (Authentication DoS Flood, EAPOL Start Flood and EAPOL Logoff Attack).

Starts reaver and detects when the AP is rate limiting PINs. If rate limiting is detected, it floods the AP (three monitor interfaces must be started) for a time period you input until the AP unlocks itself. After unlocking it resumes reaver.

the link is below

http://www72.zippyshare.com/v/82770958/file.html

Edited by repzeroworld


Quickly looking at the source, patching this functionality in is rather trivial.

See line 143 of cracker.c. Simply do a system call to a script there. If you wish to change the script locations, you'll need to look at argparser.c and globule.c.

You would have to add the argument to argparser.c and a get/set pair to globule.c.

I might do this when I get some time..

Best Regards,

Sebkinne


Line 211 is wps connection failed.

You mean line 144, Sebkinne?

Maybe a quick and dirty line of testcode like:

system("rateLimitScript.sh");

Yeah, no idea where I got 211 from. Anyway, the above will do the trick for a static script indeed.

You will also want to basically decrease the wait timeout to a second or so - as the script will be executed in a blocking manner, you won't need the delay.

Best Regards,

Sebkinne



RELEASE OF REVDK3-R1.sh

DOWNLOAD LINK

http://www32.zippyshare.com/v/12811261/file.html

ReVdK3-r1.sh (Revision 1 README Section)

WARNING:
Do not use this script without permission from the victim to carry out the specified attacks.

This is the first official revision of the ReVdK3.sh script.

Script features in this revision

1. Runs reaver and aireplay-ng in one terminal and continuously detects when reaver is being rate limited on PINs.
After input of the wireless adapter interface, it checks to see if there are any monitor interfaces on that adapter interface. Any existing monitor interfaces are wiped out and three new monitor interfaces are created. The script also uses these interfaces during the attacking process. In the event that aireplay times out because of association issues or switches to "shared key open authentication", the script will re-run aireplay-ng.

2. Runs mdk3 attacks until reaver detects that the WPS state of the AP has been unlocked. Once WPS has been unlocked it kills all mdk3 attacks and waits until reaver detects WPS has been locked again. This process goes on...

3. Upon detection of 25 successive EAPOL start failures, the script floods the AP for 60 seconds to see if the AP will do a fresh reboot!

4. Killing the script in a terminal will trigger it to remove all tmp files, force all processes started by the script to terminate and wipe out the three monitor interfaces it created. Be patient, about 1-2 seconds for termination of the script... Also, you can close the terminal instead of killing it; this will send a hangup signal to do the necessary cleaning up.

Edited by repzeroworld


Repzeroworld, I downloaded your file. I just need help with how to execute it. Do I have to fill in anything? I'm sure I do but I'm not exactly sure what. I came to this site after running into AP limits. I'm hoping you'd be nice enough to help me considering I'm nowhere near you in skill set level. Thanks.


hello 100j

download script and type in a linux terminal

chmod a+x <drag script here>

afterwards just drag the script into a terminal

This is a bash script... I am thinking of writing the script in Python, but I will leave it in bash for a while...

cheers

Edited by repzeroworld


ReVdK3-r2 (Revision 2)
Download Link
http://www56.zippyshare.com/v/UZrMxTtZ/file.html

I have revised the script for those who prefer to use the bully WPS PIN cracker. Now you have two options for PIN cracking: either reaver 1.4 or bully.

Dependency checks:
The program checks whether the following are installed so that the script can function well:
[1] reaver
[2] bully (if you are using it)
[3] mdk3
[4] aireplay-ng
[5] gnome-terminal
[6] timeout

Possibly the last revision of the script since new access points are getting invulnerable to the attacks... however I will experiment with new attacks and see if they are effective for rebooting APs. Best of luck ReVdK3 users!

Credit to my friend WaLkZ and others who prefer bully wps pin cracker

Edited by repzeroworld

Well, instead of using the gnome terminal, could the terminal invocations be replaced with an OpenWrt compatible one, such as screen, tmux or byobu? As I'm still learning, this is beyond my current knowledge to make a working port of your nice script for OpenWrt! :-)

My reason for wanting such is to have it running on my (and I'm sure many others') Pineapple Mark V.

So far it appears that the gnome terminal is the only thing hampering this from running on an OpenWrt system.

Even if, let's say, it were made to run all in one screen, that would be fine as well. 0E 800 had attempted this and modified your script and named it "ReVdK3-rW.sh"; that version is here: https://drive.google.com/file/d/0BzolLN2vKwxjcGNrYmp1cVBFT28/edit

But I recall that one not working as planned on the Pineapple. It's been a while since I've tried it, in order to pinpoint the problem. But there is a want/need for this script to be able to run on other systems that only supply screen, tmux, byobu etc. interfaces.

Edited by datahead
