WPS Locked Intrusion Script using reaver,mdk3,wash


musketteams

Musket Teams have completed the latest WPS Locked intrusion script using reaver, mdk3 and wash in an automated process.

This approach works on some routers. The program can be used for normal reaver operations as well.

The VMR-MDK009.zip file contains

1. VMR-MDK009i.sh script
2. VMR-MDK009j.sh script (untested, see comments in help file)
3. Introductory help files
4. VARMAC_CONFIG folder containing

1. maclistreavermdkvar1
2. configtemplate1
3. configtemplate2
4. configtemplate3
5. configtemplate4
6. configtemplate5

Download VMR-MDK009.zip at

http://www.axifile.com/en/5C34EBC933


Since you asked here is a short history

Soxrox212 started this with his note of alternative mdk3 approaches to reset routers in kali-linux forums

MTeams tried all sorts of combinations but got nowhere.

Later

The author of autoreaver noted in his bash program for BT5R3 that the following reaver command line worked well against routers having weak relative signal strength (i.e. RSSI):

reaver -i mon0 -a -b 55:44:33:22:11:00 -r 3:15 -E -S -vv -N -T 1 -t 20 -d 0 -x 30

See https://forums.kali.org/showthread.php?22446-A-reaver-command-line-for-routers-at-long-range-or-routers-responding-erratically&highlight=reaver+99.99%25

Musket Teams began experimenting with this command line and discovered that routers showing an unlocked WPS state that responded poorly to simple reaver command lines, could be induced to give up WPS Pins with the above command.

MTeams also discovered that if the router ran up to 99.99% and spun at that number, and you reset the reaver command line in a certain way, the WPS pin and WPA key were provided in one iteration from reaver. Go here for the steps:

https://forums.kali.org/showthread.php?22507-Cracking-6C-19-8F-D-Link-Router-with-reaver-and-defeating-the-99-99-problem&highlight=reaver+99.99%25

MTeams turned their attention to WPS Locked routers and discovered that some routers showing a WPS locked state gave up pins and then locked. Furthermore, if subjected to combinations of mdk3, the router would give up more pins. Hence you could collect pins, hit the router with a short burst of mdk3, then pause, and then collect pins again in an endless cycle. This required an automated script and is far more complex than noted here, as it is a balancing act between reaver, mdk3 attack type and router recovery time.

From this, the scripts above were written.

With this download there are long help files in a text file and also embedded in the primary config file. You have the history. Go to the help files for more details.

In closing this does not work with all routers. But a short test will tell you if the router is susceptible.

Musket Team


Meh, tested this against a Comcast router; it failed to associate. I think it's due to the fact that Comcast routers are push button :D and/or they need to add something like a replay-ng to make it associate to the router that way.


Mteams can add any additional Eterm modules you require. We are not sure what you mean by replay-ng. Do you mean

aireplay-ng -1.

If you mean aireplay-ng -1, you can test this. Run the script on the channel of the target (do not use channel hopping), then open a terminal window and type in

aireplay-ng -1 10 -a XX:XX:XX:XX:XX:XX mon0

Set the LIVE1 variable to at least 300 seconds or more to give you time to test.

The problem with aireplay-ng is that if it does not get association with the router quickly, it terminates. It also does not like channel hopping. We corresponded with aircrack-ng trying to find a way to keep aireplay-ng live, but the solutions they suggested did not work. You can find this correspondence in the aircrack-ng forums.

In our areas of operation we do not have any problem with association, so it is difficult for us to develop a program that we cannot actually test.

https://code.google.com/p/reaver-wps/issues/detail?id=205

Comment #7: some people claim you're too far from the router.

The following VMR-MDK009x2.sh has been written to take advantage of a flaw in some WPS locked routers allowing the collection of pins even though reaver and wash show the router is locked.

The download includes extensive help files and has been tested against numerous routers showing this flaw. All were cracked.

Also included in the help files is how to handle the 99.99% problem, which occurs in almost half of the successful attacks against routers providing small numbers of pins when the WPS system is locked.

Reference the download VMR-MDK009x2.sh

We have found an error in one configuration file named:

configfiledetailed1x2

You can REM/COMMENT out with a # the following two (2) variables:

USE_PIN1= should read #USE_PIN1=
WPS_PIN1= should read #WPS_PIN1=

or you can download the corrected version.

New Download package VMRMDK150108

http://www.datafilehost.com/d/18156813

Musket Teams
