
reaver attacks. automation and scripting tutorials


i8igmac


It's been a while since I have messed around, but the time has come that I document what I'm doing...

wash

reaver wps pin attacks

deauth and capture handshakes

hashcat gpu cracking

WPA word lists

'couch potato 123' Comcast word-generator type password attacks that are router-specific.

wifi antennas

2.4 GHz and 5.8 GHz

It looks like nonsense, but I'll do some automation in my favorite language (Ruby).

I'll do some multi-threaded tasks like clockwork to automate almost the whole process. I'll start with small, simple snippets.

If people want to make comments on techniques that have worked for them that are related to wifi cracking/reaver/gpu-cracking, please, for example, post your reaver commands. If anyone has seen mdk3 attacks work to reset routers, make comments on this as well.


6 hours ago, Bigbiz said:


Mdk3 is awesome.

With mdk3 I'll run some tests, maybe tonight, to see what router models can be forced to reboot and unlock the WPS pin module to allow for further progress of pin attempts...

I'm excited to post some example code and explanation of my techniques.


21 hours ago, Just_a_User said:

Looking forward to reading more! BTW Did you already have a play with mdk4? I have been playing with it on my tetra and have had some pretty good results.

I forgot there was v4.

last night I captured some handshakes and converted to hccapx with hashcat-utils.

Wordlist suggestions: phone numbers with crunch, I have had success before.

I'll make a mobile RaspPi WPS-pin-brute/handshake-grabber, a multithreaded automated solution.


Has anyone tried wpatools? I had some success with this wordlist...

The most success I had was with crunch and phone numbers. Old people use their phone for wifi passwords.

crunch 10 10 -t 253%%%%%%% | hashcat64.bin 2500 out.hccap

I'll make a video of the process this weekend. The whole process, starting from capturing a handshake, GPU cracking, manual configuration of the wpa_supplicant config, authenticating with wpa_cli using the passphrase, and then a failed attempt to brute force the router admin page...


On 3/8/2019 at 9:00 PM, i8igmac said:

The most success I had was with crunch and phone numbers. Old people use their phone for wifi passwords.

This is not just an old people thing. A lot of ISPs (at least here in Australia anyway) use phone numbers as default wifi passes for the 3G and 4G modems (and many others). And yes I agree, this is a great way to start your brute forcing.

On 3/8/2019 at 9:00 PM, i8igmac said:

crunch 10 10 -t 253%%%%%%% | hashcat64.bin 2500 out.hccap

You don't need to pipe this through crunch though. You can use hashcat's mask generator 😉

hashcat64.bin -a 3 -m 2500 TelstraA84A9F.hccapx 253?d?d?d?d?d?d?d (this will generate 7 random numbers following "253", which presumably you know).

A lot of the netgear modem/routers use a combination of adjective+noun+XXX (where xxx is 3 random digits) e.g. "luckybanana437". I had a list specific to netgear's factory passes somewhere so let me know if you want me to find it and I will upload it somewhere. Netgear Arlo base stations used this for their camera systems as well 😄

10 random hex chars is another favourite default pass but that can become unmanageable unless you have multiple GPUs or some really neat rules to minimise the cracking time.

I guess it's worth mentioning that rockyou.txt gets a few hits every once in a while as well.

Most people never change their default passes so bottom line: doing a bit of research at the start will save you a LOT of brute forcing time down the track 😉
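Added example, not part of the thread: since the advice above is really about default-password shapes that a defender should refuse to keep, here is a small Ruby script (Ruby being the language the OP favours) that audits a candidate WPA passphrase against the shapes named in this thread (all-digit phone-number style, adjective+noun+3 digits, 10 hex chars) and estimates the keyspace each one leaves. The adjective/noun lists, the digit-length bounds and the sample passphrases are constructed for illustration; a real audit would load the vendor's actual list.

```ruby
# Added example (not from the thread): audit a WPA passphrase against the
# weak ISP/vendor default shapes described above and estimate its keyspace.
# Word lists, length bounds and sample inputs are constructed for illustration.

# Stand-in for a vendor adjective/noun list (constructed, hypothetical).
ADJECTIVES = %w[lucky happy quiet silly].freeze
NOUNS      = %w[banana river cloud kitten].freeze

# True if +word+ is one listed adjective immediately followed by one listed noun.
def adjective_noun?(word)
  ADJECTIVES.any? { |adj| word.start_with?(adj) && NOUNS.include?(word[adj.length..-1]) }
end

# Default-password shapes discussed in the thread, checked in order.
# Each gives a matcher and the bits of keyspace left to someone who
# already knows the shape (the point the poster above is making).
DEFAULT_SHAPES = [
  { name:  'all digits (phone-number style)',
    match: ->(p) { p.match?(/\A\d{8,15}\z/) },
    bits:  ->(p) { p.length * Math.log2(10) } },
  { name:  'adjective+noun+3 digits',
    match: ->(p) { (m = p.match(/\A([a-z]+)(\d{3})\z/)) && adjective_noun?(m[1]) },
    bits:  ->(_) { Math.log2(ADJECTIVES.size * NOUNS.size * 1000) } },
  { name:  '10 hex chars',
    match: ->(p) { p.match?(/\A\h{10}\z/) },
    bits:  ->(_) { 10 * Math.log2(16) } }
].freeze

# Naive charset-based estimate for a passphrase matching no default shape.
def charset_bits(p)
  size  = 0
  size += 26 if p.match?(/[a-z]/)
  size += 26 if p.match?(/[A-Z]/)
  size += 10 if p.match?(/\d/)
  size += 33 if p.match?(/[^A-Za-z0-9]/)
  return 0.0 if size.zero? # empty string: nothing to search
  p.length * Math.log2(size)
end

# Returns { weak:, shape:, bits: } for a candidate passphrase.
def audit_passphrase(passphrase)
  shape = DEFAULT_SHAPES.find { |s| s[:match].call(passphrase) }
  if shape
    { weak: true, shape: shape[:name], bits: shape[:bits].call(passphrase).round(1) }
  else
    { weak: false, shape: nil, bits: charset_bits(passphrase).round(1) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample passphrases, one per shape plus one that passes.
  %w[2531234567 luckybanana437 deadbeef01 Correct-Horse-Battery-9].each do |p|
    r = audit_passphrase(p)
    puts format('%-25s %-5s %-32s %6.1f bits', p, r[:weak] ? 'WEAK' : 'ok', r[:shape] || '-', r[:bits])
  end
end
```

The shape list is ordered on purpose: an all-digit string is also valid hex, so the more specific (and smaller) keyspace is reported first. Note how small the numbers are once the shape is known: a 7-digit suffix behind a known prefix is about 23 bits, and a small adjective/noun list times three digits is smaller still, which is exactly why changing a vendor default matters more than its apparent length suggests.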


My default password on my router consisted of 15 numbers. I'd like to think piping crunch into aircrack would be a good way to crack it if you can get around aircrack's high CPU usage. I thought 32 GB of RAM would speed up the crack; turns out if it only runs at a certain frequency, then it's limited to a certain speed. Oh well, back to the drawing board, as they say.


I have been messing with some RAM tweaks. If you had 30 gigs of RAM free, your system can boot to RAM with the remaining 2 gigs.

Store a 30 gig wordlist in RAM, run it in hashcat64.bin...

I only have a machine with 8 gigs of RAM. I'll run some performance tests on my machines.

A Kali or Linux Mint bootable USB stick with the boot parameter 'toram'.
