musketteams
  1. The following VMR-MDK009x2.sh has been written to take advantage of a flaw in some WPS locked routers allowing the collection of pins even though reaver and wash show the router is locked. The download includes extensive help files and has been tested against numerous routers showing this flaw. All were cracked. Also included in the help files is how to handle the 99.99% problem, which occurs in almost half of the successful attacks against routers providing small numbers of pins when the WPS system is locked.

     Reference the download VMR-MDK009x2.sh: we have found an error in one configuration file named configfiledetailed1x2. You can REM/comment out the following two (2) variables with a #:

     USE_PIN1= should read #USE_PIN1=
     WPS_PIN1= should read #WPS_PIN1=

     or you can download the corrected version. New download package VMRMDK150108: http://www.datafilehost.com/d/18156813
     Musket Teams
  2. If you run into a negative one issue with aircrack-ng when on a specific channel, write us and we will send you the commands to work around this problem. Post your file at http://www.datafilehost.com/ They will give you a download link and an erase link. MTeams
  3. We are using the latest reaver in kali-linux 1-09a. The router was Tenda.
  4. We have seen instances where reaver provided the WPA key in the wrong case. For example, the key given by reaver for the WPA key was: john1234. In fact the actual key was: JOHN1234. Therefore, if the key provided by reaver does not work, try altering the case. If altering the entire letter string does not work, try altering character by character, for example: JOHN1234, jOHN1234, JoHN1234, etc. MTeams
  5. The previous hosting site has stopped functioning. You can download varmacreaversav99-3.zip at: http://www.datafilehost.com/d/88864143 You can download VMR-MDK009.zip at: http://www.datafilehost.com/d/ec0c478c MTeams
  6. Musket Teams developed what we term the Reaver Replay Attack for our own use. We have published this previously but have found a mac-spoofing twist.

     Using a simple reaver command line did not work against the targeted router. To drag WPS pins out of the router we had to use the longer command line suggested by the author of autoreaver:

     reaver -i mon0 -a -f -c 1 -b XX:XX:XX:XX:XX:XX -r 3:10 -E -S -vv -T 1 -t 20 -d 0 -x 30 --mac=00:11:22:33:44:55

     The pins jumped from less than 10% up to 91%, but it still took two days to move through approx 1000 pins. Finally, as we suspected would occur, at 99% the pins spun endlessly. To solve the problem we used the replay attack: we ran reaver again:

     reaver -i mon0 -c 1 -b XX:XX:XX:XX:XX:XX -r 3:10 -E -vv -T 1 -t 20 -d 0 -x 30 --mac=00:11:22:33:44:55

     We removed the -a and the -f and the -S (use DH-SMALL). Reaver asked us to restore the previous session AND WE SELECTED NO. This started reaver with a new session BUT NOT using DH-Small. The WPS pin fell out after a single successful pin request; HOWEVER, there was no WPA key? Confused, we ran the attack again - still no WPA key. We checked the command line and found that the mac address that we were spoofing had not been set up properly. The mac in the reaver command line did not match the actual spoofed mac address. We corrected this, ran the reaver attack again, i.e. a new session without DH-small, and bingo, both the WPA key and the WPS pin were provided.

     Note the mac problem only occurred when we ran the replay. In all other sessions the mac was correct, as we used our new version of VMR-MDK009x.sh, which will be released soon; however, the replay was done from the command line.

     In short: if the WPS pin spins at 99.99%, restart the attack from the beginning and remove the -S DH-small. Make sure the mac address you are spoofing in the reaver command line is the mac address shown for the monitor when you type ifconfig.

     We have duplicated the reaver replay attack many, many times; however, the mac problem was something new. MTeams
  7. If you are following WPS exploits you will know there is a new attack called Pixie Dust, which was accidentally discovered. The coding for this attack has not been published. HOWEVER, as MTeams have also seen WPS/WPA info provided unexpectedly, and to implement this attack only a few lines of reaver coding need to be changed, you might try ryreaver-reaver. Stands for reverse reaver. It runs in kali-linux. Unfortunately it does not save its work, so if you stop the process it starts all over. We downloaded the rar file, converted it and ran from root ./ryreaver-reverse. We will do some tests to write the output to text and screen through tee and Eterm windows and post here when finished.

     The direct download is: http://sethioz.com/forum/download/file.php?id=1450&sid=908e86c38c50c62ab3034b82f22693d5
     Commentary: http://sethioz.com/forum/viewtopic.php?p=9757

     Those interested in Pixie Dust, search the kali-linux forums - links to this topic can be found there.
  8. MTeams can add any additional Eterm modules you require. We are not sure what you mean by replay-ng. Do you mean aireplay-ng -1? If you mean aireplay-ng -1 you can test this. Run the script on the channel of the target, do not use channel hopping, then open a terminal window and type in:

     aireplay-ng -1 10 -a XX:XX:XX:XX:XX:XX mon0

     Set the LIVE1 variable to at least 300 seconds or more to give you time to test. The problem with aireplay-ng is that if it does not get association with the router quickly it terminates. It also does not like channel hopping. We corresponded with aircrack-ng trying to find a way to keep aireplay-ng live, but the solutions they suggested did not work. You can find this correspondence in the aircrack-ng forums. In our areas of operation we do not have any problem with association, so it is difficult for us to develop a program that we cannot actually test.
  9. Since you asked, here is a short history. Soxrox212 started this with his note on alternative mdk3 approaches to reset routers in the kali-linux forums. MTeams tried all sorts of combinations but got nowhere. Later, the author of autoreaver noted in his bash program for BT5R3 that the following reaver command line worked well against routers having weak relative strength (i.e. RSSI):

     reaver -i mon0 -a -b 55:44:33:22:11:00 -r 3:15 -E -S -vv -N -T 1 -t 20 -d 0 -x 30

     See https://forums.kali.org/showthread.php?22446-A-reaver-command-line-for-routers-at-long-range-or-routers-responding-erratically&highlight=reaver+99.99%25

     Musket Teams began experimenting with this command line and discovered that routers showing an unlocked WPS state that responded poorly to simple reaver command lines could be induced to give up WPS pins with the above command. MTeams also discovered that if the router ran up to 99.99% and spun at that number, and you reset the reaver command line in a certain way, the WPS pin and WPA key were provided in one iteration from reaver. Go here for the steps: https://forums.kali.org/showthread.php?22507-Cracking-6C-19-8F-D-Link-Router-with-reaver-and-defeating-the-99-99-problem&highlight=reaver+99.99%25

     MTeams turned their attention to WPS locked routers and discovered that some routers showing a WPS locked state gave up pins and then locked. Furthermore, if subjected to combinations of mdk3, the router would give up more pins. Hence you could collect pins, hit the router with a short burst of mdk3, then pause, and then collect pins again in an endless cycle. This required an automated script and is far more complex than noted here, as it is a balancing act between reaver, mdk3 attack type and router recovery time. From this, the scripts above were written. With this download there are long help files in a text file and also embedded in the primary config file. You have the history. Go to the help files for more details.

     In closing, this does not work with all routers. But a short test will tell you if the router is susceptible. Musket Team
  10. 1. If you know the mac address that is being filtered, just spoof your mac to that address.
      2. If you do not know the address, try using mdk3 f to brute force the mac (even the author says it only works on some routers).
      3. Monitor the AP with airodump-ng and see what mac has access, then spoof your mac to that address.
      4. Try logging onto the router with the default password.
      5. If the router is TP-Link there may be a rom-0 backdoor. Go to the kali linux forums and search TP-LINK routers; the thread and how-to is there.
      6. Brute force the user/password pair with hydra. If you get too many false positives then
      7. Use Burpsuite. Try and find the pro version.
  11. Musket Teams have completed the latest WPS locked intrusion script using reaver, mdk3 and wash in an automated process. This approach works on some routers. The program can be used for normal reaver operations as well. The VMR-MDK009.zip file contains:
      1. VMR-MDK009i.sh script
      2. VMR-MDK009j.sh script (untested, see comments in help file)
      3. Introductory help files
      4. VARMAC_CONFIG folder containing:
         1. maclistreavermdkvar1
         2. configtemplate1
         3. configtemplate2
         4. configtemplate3
         5. configtemplate4
         6. configtemplate5
      Download VMR-MDK009.zip at http://www.axifile.com/en/5C34EBC933
  12. You can google, or better yet startpage, the words pixie dust. You can also go to the kali-linux forums - general area - and find the pixie dust thread. There are several links to read through. MTeams
  13. Reference Reaver: MTeams suggest those interested should reference issues 675, 676 and 677 on the WPS reaver site:
      http://code.google.com/p/reaver-wps/issues/detail?id=675&start=500
      http://code.google.com/p/reaver-wps/issues/detail?id=676&start=500
      http://code.google.com/p/reaver-wps/issues/detail?id=677&start=500
      There are script downloads and cracking methods available for download. MTeams.
  14. Musketteams wish to add the following expansion on WPA Phishing. We have no issue with the comments above. The beginnings of WPA Phishing were really started by two groups: Weaknet Labs (WNL) for WPA Enterprise and Techdynamics (TD) for WPA. The WNL required active participation; it was not fire and forget. The TD method looked good on paper BUT it had several operational problems. Musketteams worked through the TD step by step.

      1. The rogue AP had to be on a different channel than the target to avoid mdk3 g or aireplay-ng -0 0 signal interference when the target was DDOSed.
      2. The second problem was how to get clients to connect to the rogue AP. Because almost all clients would have the WPA key already loaded, there could be no automatic association to a same-named open AP. To have the client associate to a same-named rogue AP would require the removal of the WPA setting. We thought this a highly unlikely social engineering event. So we came up with a router malfunction to induce association, wherein the rogue AP is on a different channel, with almost the same mac code, and broadcasting an open AP name that looks the same but is not. The idea is that the user, unable to associate to the target AP, must then by default look at the wifi devices. Seeing the same-named rogue AP, they associate to it and are immediately given the cause of the problem and the solution, i.e. the router needs its WPA key refreshed. A special-use pwnstar9.0 phishing program wherein the web page that was expressed could be altered to meet the router name as provided.

      We do not do videos, only text explanations. You can download the pwmstar-mv.zip file at: http://www.axifile.com/en/8D0DEA0B60

      This zip file contains:
      pwnstar9.0-mv1.2
      routerwpa3 folder
         a. formdata.txt
         b. index.html
         c. processs-form-data.php
      Install instructions - pwnstar9.0mv1.2.txt