Comments (71)
[deleted comment]
from reaver-wps.
This time I managed to make it segfault under gdb with -f 4 option:
$gdb ./reaver
GNU gdb (GDB) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/user/reaver-wps-read-only/src/reaver...done.
(gdb) run -i mon0 -b C0:3F:0E:C1:DB:A7 -f 4 -vv
Starting program: /home/user/reaver-wps-read-only/src/reaver -i mon0 -b
C0:3F:0E:C1:DB:A7 -f 4 -vv
Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<[email protected]>
[+] Waiting for beacon from C0:3F:0E:C1:DB:A7
[+] Associated with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[+] Trying pin 91325709
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
Program received signal SIGSEGV, Segmentation fault.
0x0000000000411556 in wps_registrar_expire_pins ()
(gdb) backtrace
#0 0x0000000000411556 in wps_registrar_expire_pins ()
#1 0x00000000004116cf in wps_registrar_get_pin ()
#2 0x0000000000412532 in wps_get_dev_password ()
#3 0x0000000000414195 in wps_registrar_get_msg ()
#4 0x0000000000406a99 in send_msg () at send.c:80
#5 0x0000000000405705 in do_wps_exchange () at exchange.c:66
#6 0x0000000000405047 in crack () at cracker.c:160
#7 0x00000000004027b1 in main (argc=8, argv=<optimized out>) at wpscrack.c:80
(gdb) farme 1
Undefined command: "farme". Try "help".
(gdb) frame 1
#1 0x00000000004116cf in wps_registrar_get_pin ()
(gdb) kill
Kill the program being debugged? (y or n) y
(gdb) quit
Tell me what to do to continue debugging and I will be happy to help.
Best Regards
Original comment by [email protected]
on 29 Dec 2011 at 3:43
from reaver-wps.
This bug also affects me. I'm using Arch x86-64 and iwlagn as well. Here's a
trace with the function parameters:
#0 0x0000000000411556 in wps_registrar_expire_pins (reg=0x0) at
wps_registrar.c:559
#1 0x00000000004116cf in wps_registrar_get_pin (reg=0x0,
uuid=0x6cca04 "VZ\251Ig\301L\016\252\217\363I\346\365\223\021\177\323\f\277\261h\351ٶ\244\266P", pin_len=0x7fffffffe8f0)
at wps_registrar.c:600
#2 0x0000000000412532 in wps_get_dev_password (wps=0x6cc9e0) at
wps_registrar.c:1000
#3 0x0000000000414195 in wps_registrar_get_msg (wps=0x6cc9e0,
op_code=0x7fffffffe94c) at wps_registrar.c:1615
#4 0x0000000000406a99 in send_msg () at send.c:80
#5 0x0000000000405705 in do_wps_exchange () at exchange.c:66
#6 0x0000000000405047 in crack () at cracker.c:160
#7 0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
I guess reg isn't supposed to be a NULL pointer.
Original comment by [email protected]
on 29 Dec 2011 at 3:45
from reaver-wps.
Thanks, gdb output is very helpful. :)
I've added null checks to the wps_registrar_expire_pins function. Can you check
out the latest SVN code and test it to see if this fixes the issue?
Original comment by [email protected]
on 29 Dec 2011 at 3:54
- Changed state: Started
from reaver-wps.
reaver -i mon0 -vv -b XX:XX:XX:XX:XX:XX
Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<[email protected]>
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 1
[+] Associated with 14:D6:4D:C8:94:5E (ESSID: ANONYMOUS)
[+] Trying pin 71755106
Segmentation fault
root@zaunkoenig:/reaver_svn/reaver-wps-read-only/src# gdb ./reaver
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /reaver_svn/reaver-wps-read-only/src/reaver...done.
(gdb) run -i mon0 -vv -b XX:XX:XX:XX:XX:XX
Starting program: /reaver_svn/reaver-wps-read-only/src/reaver -i mon0 -vv -b
XX:XX:XX:XX:XX:XX
Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<[email protected]>
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[+] Associated with 14:D6:4D:C8:94:5E (ESSID: ANONYMOUS)
[+] Trying pin 95384153
[!] WARNING: Receive timeout occurred
Program received signal SIGSEGV, Segmentation fault.
0x00000000004118f1 in wps_registrar_unlock_pin ()
(gdb) backtrace
#0 0x00000000004118f1 in wps_registrar_unlock_pin ()
#1 0x0000000000407ca3 in wps_deinit ()
#2 0x0000000000404eba in crack () at cracker.c:205
#3 0x0000000000402575 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
(gdb) frame 1
#1 0x0000000000407ca3 in wps_deinit ()
(gdb)
Linux anonymous 3.0.0-15-generic #24-Ubuntu SMP Mon Dec 12 15:23:55 UTC 2011
x86_64 x86_64 x86_64 GNU/Linux
Tested chipsets and drivers:
wlan0 Intel 4965/5xxx iwlagn - [phy0]
wlan1 RTL8187 rtl8187 - [phy2]
Same results.
Original comment by [email protected]
on 29 Dec 2011 at 3:58
from reaver-wps.
Yep, same results here as well:
Program received signal SIGSEGV, Segmentation fault.
0x00000000004116b8 in wps_registrar_get_pin ()
(gdb) backtrace
#0 0x00000000004116b8 in wps_registrar_get_pin ()
#1 0x0000000000412517 in wps_get_dev_password ()
#2 0x000000000041417a in wps_registrar_get_msg ()
#3 0x0000000000406a69 in send_msg () at send.c:80
#4 0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5 0x0000000000405017 in crack () at cracker.c:160
#6 0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
Original comment by [email protected]
on 29 Dec 2011 at 4:04
from reaver-wps.
Tried it again with rev 12. Same results.
Original comment by [email protected]
on 29 Dec 2011 at 4:05
from reaver-wps.
Added null checks. See if that fixed it.
Original comment by [email protected]
on 29 Dec 2011 at 4:10
from reaver-wps.
Here the strace.out
Original comment by [email protected]
on 29 Dec 2011 at 4:10
from reaver-wps.
Revision 13 still crashes. Here's the backtrace:
#0 0x00000000004116b8 in wps_registrar_get_pin (reg=0x0,
uuid=0x6cca04 "VZ\251Ig\301L\016\252\217\363I\346\365\223\021xn\263\032\033\227\362\321P@=c", pin_len=0x7fffffffe8f0) at wps_registrar.c:608
#1 0x0000000000412582 in wps_get_dev_password (wps=0x6cc9e0) at
wps_registrar.c:1036
#2 0x00000000004141e5 in wps_registrar_get_msg (wps=0x6cc9e0,
op_code=0x7fffffffe94c) at wps_registrar.c:1651
#3 0x0000000000406a69 in send_msg () at send.c:80
#4 0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5 0x0000000000405017 in crack () at cracker.c:160
#6 0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
Original comment by [email protected]
on 29 Dec 2011 at 4:10
from reaver-wps.
Revision 14:
#0 0x000000000041112e in wps_build_config_methods_r (reg=0x0, msg=0x6cd6a0) at
wps_registrar.c:420
#1 0x0000000000413b42 in wps_build_m2d (wps=0x6ccd90) at wps_registrar.c:1446
#2 0x0000000000414244 in wps_registrar_get_msg (wps=0x6ccd90,
op_code=0x7fffffffe94c) at wps_registrar.c:1668
#3 0x0000000000406a69 in send_msg () at send.c:80
#4 0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5 0x0000000000405017 in crack () at cracker.c:160
#6 0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
Original comment by [email protected]
on 29 Dec 2011 at 4:13
from reaver-wps.
With rev 14 I get this:
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: ANONYMOUS)
[+] Trying pin 15878182
[!] WARNING: Receive timeout occurred
[+] Trying pin 15878182
Segmentation fault
So reaver is now trying the same pin again, before the segmentation fault
occurs.
Original comment by [email protected]
on 29 Dec 2011 at 4:15
from reaver-wps.
Added some debug printfs and put in a NULL check at a higher layer...
Original comment by [email protected]
on 29 Dec 2011 at 4:25
from reaver-wps.
With rev 15:
[+] Waiting for beacon from C0:3F:0E:F3:9D:A3
[+] Switching mon0 to channel 6
[!] WARNING: Failed to associate with C0:3F:0E:F3:9D:A3 (ESSID: ONO9DA3)
[+] Associated with C0:3F:0E:F3:9D:A3 (ESSID: ONO9DA3)
[+] Trying pin 13030865
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
Program received signal SIGSEGV, Segmentation fault.
0x000000000040f72f in wps_init ()
(gdb) backtrace
#0 0x000000000040f72f in wps_init ()
#1 0x00000000004063f1 in initialize_wps_data () at init.c:72
#2 0x0000000000404f33 in crack () at cracker.c:117
#3 0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
(gdb) frame 0
#0 0x000000000040f72f in wps_init ()
Original comment by [email protected]
on 29 Dec 2011 at 4:30
from reaver-wps.
I have tried revision 15 now. I find it weird that it fails to associate,
because my WiFi signal is strong (-41dBm). It doesn't crash but it seems stuck
at this point:
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Trying pin 32926729
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Switching mon0 to channel 2
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous
message
Original comment by [email protected]
on 29 Dec 2011 at 4:32
from reaver-wps.
Same here:
[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous
message
[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous
message
[+] Trying pin 97035473
On revision 15, at least, no more segfaulting.
Original comment by [email protected]
on 29 Dec 2011 at 4:37
from reaver-wps.
Interesting...what access point (vendor, model, version) are you testing this
against?
Original comment by [email protected]
on 29 Dec 2011 at 4:39
from reaver-wps.
I'm trying on a:
http://www.netgear.com/service-provider/products/routers-and-gateways/cable-gateways/CG3000_CG3100.aspx
Original comment by [email protected]
on 29 Dec 2011 at 4:43
from reaver-wps.
By the way I know the PIN on the one I'm trying: 50459360
Original comment by [email protected]
on 29 Dec 2011 at 4:45
from reaver-wps.
OK, first the silly question: are you sure WPS is enabled?
Second, can you provide a pcap file? Using the display filter of 'eap || eapol'
should give you just the WPS packets.
Original comment by [email protected]
on 29 Dec 2011 at 4:47
from reaver-wps.
I'm quite sure it's enabled, I have enabled it on the router configuration page.
But then again could be that I'm doing something wrong.
Original comment by [email protected]
on 29 Dec 2011 at 5:09
from reaver-wps.
I am using a TP-LINK TL-WR1043N, having exactly the same problem.
WPS is enabled and working.
Original comment by [email protected]
on 29 Dec 2011 at 5:13
from reaver-wps.
Mine is a Linksys E4200 HW Version 1.
Original comment by [email protected]
on 29 Dec 2011 at 5:15
from reaver-wps.
From the pcap it looks like the AP maybe isn't seeing the packets? Hard to
tell. I have tested netgears, tp-links and linksys devices, but not these
specific models. What type of signal strength do you have, and can you move
closer to the AP to rule this out as a potential cause?
Original comment by [email protected]
on 29 Dec 2011 at 5:28
from reaver-wps.
[deleted comment]
from reaver-wps.
The signal is quite good, it's -38.
I'll try with a TP-LINK TL-WR1043N factory default also and see what I get.
Original comment by [email protected]
on 29 Dec 2011 at 5:31
from reaver-wps.
wlan0 IEEE 802.11bgn ESSID:"wlantest"
Mode:Managed Frequency:2.437 GHz Access Point: XX:XX:XX:XX:XX:XX
Bit Rate=150 Mb/s Tx-Power=14 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=70/70 Signal level=-31 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:364 Invalid misc:52 Missed beacon:0
The AP is one meter away from the Laptop. ;-)
Anyway: Many thanks for your work and the effort to solve the problem(s)!
Original comment by [email protected]
on 29 Dec 2011 at 5:32
from reaver-wps.
I get the same timeout message as above; WPS is definitely enabled.
Router: D-Link DIR-615
http://www.dlink.de/cs/Satellite?c=TechSupport_C&childpagename=DLinkEurope-DE%2FDLTechProduct&cid=1197374950653&p=1197318958220&packedargs=locale%3D1195806663795&pagename=DLinkEurope-DE%2FDLWrapper
driver: rtl8187
Original comment by [email protected]
on 29 Dec 2011 at 5:33
from reaver-wps.
Here it's the cap file with a TP-Link 1043ND with Factory defaults, WPS
enabled, only changed the WPA2 key.
Original comment by [email protected]
on 29 Dec 2011 at 6:03
from reaver-wps.
A 24 byte pcap?
Original comment by [email protected]
on 29 Dec 2011 at 6:06
from reaver-wps.
Sorry :)
Original comment by [email protected]
on 29 Dec 2011 at 6:09
from reaver-wps.
I installed Ubuntu 10.04 LTS in a virtualbox vm and it works with my RTL8187
USB Adapter.
So I guess it is not an AP problem.
Original comment by [email protected]
on 29 Dec 2011 at 6:10
from reaver-wps.
This time didn't segfault.
The command output was:
[+] Waiting for beacon from F4:EC:38:A0:4F:06
[+] Switching mon0 to channel 9
[+] Associated with F4:EC:38:A0:4F:06 (ESSID: TP-LINK_A04F06)
[+] Trying pin 91636102
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[+] Trying pin 91636102
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[+] Trying pin 91636102
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Last message not processed properly, reverting state to previous
message
Original comment by [email protected]
on 29 Dec 2011 at 6:11
from reaver-wps.
@schwammtaucher,
So it didn't work before, but it works fine for you in 10.04?
Original comment by [email protected]
on 29 Dec 2011 at 7:36
from reaver-wps.
@cheff,
that is true. No more segmentation faults.
Original comment by [email protected]
on 29 Dec 2011 at 7:44
from reaver-wps.
OK, I've just made another check in, which will hopefully address both the seg
fault issue and the message processing warnings. It works for me under BT 5
with the rtl8187 drivers, but I couldn't reproduce the seg faults to begin
with, so some verification would be appreciated.
Original comment by [email protected]
on 29 Dec 2011 at 7:54
from reaver-wps.
[+] Waiting for beacon from EC:55:F9:23:62:2C
[+] Switching mon0 to channel 1
[+] Associated with EC:55:F9:23:62:2C (ESSID: Ziggo4ACAC)
[+] Trying pin 89158838
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
Segmentation fault
Rev 16 On bt5
Original comment by [email protected]
on 29 Dec 2011 at 8:19
from reaver-wps.
checked out revision 16
gdb ./reaver
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from
/root/Desktop/Downloads/reaver-wps-read-only/src/reaver...done.
(gdb) run -i wlan1 -b 00:1C:10:08:B7:A5 -vv -c 6
Starting program: /root/Desktop/Downloads/reaver-wps-read-only/src/reaver -i
wlan1 -b 00:1C:10:08:B7:A5 -vv -c 6
Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<[email protected]>
[+] Switching wlan1 to channel 6
[+] Waiting for beacon from 00:1C:10:08:B7:A5
[+] Switching wlan1 to channel 6
[+] Associated with 00:1C:10:08:B7:A5 (ESSID: linksys)
[+] Trying pin 06030254
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff762acae in memcpy () from /lib/libc.so.6
(gdb) run -i wlan1 -b 00:1C:10:08:B7:A5 -vv -c 6
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/Downloads/reaver-wps-read-only/src/reaver -i
wlan1 -b 00:1C:10:08:B7:A5 -vv -c 6
Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<[email protected]>
[+] Switching wlan1 to channel 6
[+] Waiting for beacon from 00:1C:10:08:B7:A5
[+] Switching wlan1 to channel 6
[+] Associated with 00:1C:10:08:B7:A5 (ESSID: linksys)
[+] Trying pin 79956529
[!] WARNING: Receive timeout occurred
[+] Trying pin 79956529
[+] Trying pin 79956529
[!] WARNING: Receive timeout occurred
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff762acae in memcpy () from /lib/libc.so.6
I am running BackTrack5 (not BT5 R1) and testing with RTL8187L based Alfa 500mW
card
is there anything I can do to help you debug it?
Original comment by [email protected]
on 29 Dec 2011 at 8:22
from reaver-wps.
I am on rev16, bt5r1, 64bit running in VirtualBox. RTL8187 (using alfa antenna).
[+] Waiting for beacon from xx:xx:xx:xx:xx:xx
[+] Associated with xx:xx:xx:xx:xx:xx (ESSID: xxxxx)
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff762acae in memcpy () from /lib/libc.so.6
(gdb) bt
#0 0x00007ffff762acae in memcpy () from /lib/libc.so.6
#1 0x000000000040f8e8 in wps_init ()
#2 0x000000000040653e in initialize_wps_data () at init.c:72
#3 0x0000000000404f3a in crack () at cracker.c:117
#4 0x0000000000402b25 in main (argc=<value optimized out>, argv=<value
optimized out>) at wpscrack.c:80
Original comment by [email protected]
on 29 Dec 2011 at 8:25
from reaver-wps.
I also tried with a virtual box (ubuntu 10.04 lts)
and i was able to test 15 keys after it I get this warning again:
[!] WARNING: Receive timeout occurred.
My first attempt was with Ubuntu 11.10; there I only get the timeout message
and no successful test of a key.
Original comment by [email protected]
on 29 Dec 2011 at 8:46
from reaver-wps.
rev 16. bt 5 r1 x64bit
---------------------------------------------------------------
wlan0 Atheros AR9285 ath9k - [phy0]
(monitor mode enabled on mon0)
---------------------------------------------------------------
root@bt:/opt/wpa/reaver-wps-read-only/src# ./reaver -i mon0 -b
00:1C:DF:99:EC:B4 -vv
Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<[email protected]>
[+] Waiting for beacon from 00:1C:DF:99:EC:B4
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 1
[+] Associated with 00:1C:DF:99:EC:B4 (ESSID: belkin54g)
[+] Trying pin 64563428
[!] WARNING: Receive timeout occurred
[+] Trying pin 64563428
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
Segmentation fault
Original comment by [email protected]
on 29 Dec 2011 at 8:50
from reaver-wps.
OK, I've only been able to reproduce these issues on 64 bit systems; neither
Ubuntu nor Backtrack 32 bit systems appear to be affected (some one speak up if
they have had these seg faults on a 32 bit system).
Not sure yet what the culprit is for 64 bit, but running reaver 1.1 on a 32 bit
system should get you up and running in the mean time.
Original comment by [email protected]
on 29 Dec 2011 at 8:51
from reaver-wps.
I can confirm I'm on 64 bit Ubuntu and receiving problems. I either get the
time-out or "not processed properly" errors, but yet to stumble upon
"segmentation fault". Maybe I haven't ran it long enough for that though.
Original comment by [email protected]
on 29 Dec 2011 at 8:59
from reaver-wps.
I am getting the segmentation fault and therefore one try only at a PIN. I am
on a 32-bit Ubuntu 10.04 system. I am using an Alfa USB adaptor. I have tried a
few APs and all follow the same pattern. Have tried on reaver 1.0 and 1.1.
Hope this helps! ;-)
Original comment by [email protected]
on 29 Dec 2011 at 9:12
from reaver-wps.
[deleted comment]
from reaver-wps.
Maybe this could help.
On rev 16 I've changed the build_wps_pin() function so it matches my PIN, and
added a printf as follows:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* PIN_SIZE (8) and wps_pin_checksum() come from reaver's own headers */
char *build_wps_pin()
{
char *key = NULL, *pin = NULL;
int pin_len = PIN_SIZE + 1;
pin = malloc(pin_len);
key = malloc(pin_len);
if(pin && key)
{
memset(key, 0, pin_len);
memset(pin, 0, pin_len);
/* Hard-coded 7-digit prefix of my PIN (the stock code builds it from the
   key index values). Only 7 digits go here: the 8th is the checksum, and
   an 8-digit key would push it past pin_len and get it truncated. */
snprintf(key, pin_len, "%s%s", "2020", "656");
/* Generate and append the pin checksum digit: 2020656 -> 20206567 */
snprintf(pin, pin_len, "%s%d", key, wps_pin_checksum(atoi(key)));
}
free(key);
/* Pass the string as an argument, never as the format: printf(pin) is a
   format-string bug and would also crash on a NULL pin */
if(pin) printf("%s", pin);
return pin;
}
This is the output that I get:
Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<[email protected]>
[+] Waiting for beacon from F4:EC:38:A0:4F:06
[+] Switching mon0 to channel 9
[+] Associated with F4:EC:38:A0:4F:06 (ESSID: TP-LINK_A04F06)
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
[+] 0.00% complete @ 0 seconds/attempt
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Receive timeout occurred
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
[!] WARNING: 10 failed connections in a row
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] Warning: Out of order packet received, re-trasmitting last message
[+] 0.00% complete @ 0 seconds/attempt
...etc
And the pcap file:
Hope this helps
Original comment by [email protected]
on 30 Dec 2011 at 12:07
from reaver-wps.
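The checksum digit that build_wps_pin() appends is the standard WPS PIN checksum (weights 3,1,3,1,3,1,3 over the seven leading digits, last digit makes the weighted sum a multiple of 10). The following is an added example, not reaver's code: it implements that checksum, a validator, and the same 4-digit/3-digit split reaver iterates over, and checks it against PINs that appear in this thread (50459360, 91325709, 20206567). The function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Checksum digit for a 7-digit WPS PIN prefix (WPS spec; weights
   3,1,3,1,3,1,3 from the most significant digit). */
int wps_pin_checksum(unsigned int pin7)
{
    unsigned int accum = 0;
    accum += 3 * ((pin7 / 1000000) % 10);
    accum += 1 * ((pin7 / 100000) % 10);
    accum += 3 * ((pin7 / 10000) % 10);
    accum += 1 * ((pin7 / 1000) % 10);
    accum += 3 * ((pin7 / 100) % 10);
    accum += 1 * ((pin7 / 10) % 10);
    accum += 3 * ((pin7 / 1) % 10);
    return (int)((10 - (accum % 10)) % 10);
}

/* Build the full 8-digit PIN from the two halves reaver brute-forces
   independently: p1 is the first 4 digits (0..9999), p2 the next 3 digits
   (0..999); the 8th digit is derived, so the search space is 10^4 + 10^3,
   not 10^8. out must hold at least 9 bytes. Returns out, or NULL on bad input. */
char *wps_build_pin(unsigned int p1, unsigned int p2, char *out, size_t out_len)
{
    if (p1 > 9999 || p2 > 999 || out == NULL || out_len < 9)
        return NULL;
    unsigned int pin7 = p1 * 1000 + p2;
    snprintf(out, out_len, "%07u%d", pin7, wps_pin_checksum(pin7));
    return out;
}

/* 1 if pin is exactly 8 ASCII digits and its last digit is the correct checksum. */
int wps_pin_valid(const char *pin)
{
    if (pin == NULL || strlen(pin) != 8) return 0;
    unsigned int pin7 = 0;
    for (int i = 0; i < 7; i++) {
        if (!isdigit((unsigned char)pin[i])) return 0;
        pin7 = pin7 * 10 + (unsigned int)(pin[i] - '0');
    }
    if (!isdigit((unsigned char)pin[7])) return 0;
    return (pin[7] - '0') == wps_pin_checksum(pin7);
}

int main(void)
{
    char buf[9];
    /* Sample PINs taken from this thread plus one deliberately wrong one */
    const char *samples[] = { "50459360", "91325709", "20206567", "12345678" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %s\n", samples[i],
               wps_pin_valid(samples[i]) ? "valid" : "bad checksum");
    printf("build(2020, 656) -> %s\n", wps_build_pin(2020, 656, buf, sizeof buf));
    return 0;
}
```

Note that an AP that does not enforce the checksum on M4 is not a reason to skip it in the attack code: the PIN reaver reports at the end has to be one the owner can type into a configuration page, and that page will reject a bad checksum.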
Original comment by [email protected]
on 30 Dec 2011 at 12:23
from reaver-wps.
I can confirm that switching to 32bit Ubuntu 11.10 (with kernel 3.0) works for
me. I was previously having trouble with 64bit Arch Linux (with kernel 3.1.5).
I have cross-compiled reaver and libpcap to 32bit on my Arch Linux system and
that doesn't seem to make any difference.
On my Ubuntu system it cracked the WPS pin on a Linksys E4200 (HW V. 1) in 7
hours. It doesn't seem to employ rate limiting.
Original comment by [email protected]
on 30 Dec 2011 at 8:04
from reaver-wps.
64 bit, linux 3.1, gentoo, libpcap 1.2.0
Starting program: /usr/bin/reaver -i wlan0 -b <redacted> -vv
Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<[email protected]>
[+] Waiting for beacon from <redacted>
[+] Switching wlan0 to channel <redacted>
[+] Associated with <redacted> (ESSID: <redacted>)
[+] Trying pin 92129740
[+] Trying pin 92129740
Program received signal SIGSEGV, Segmentation fault.
0x0000003b60d2c770 in __memcpy_ssse3_back () from /lib64/libc.so.6
(gdb) bt
#0 0x0000003b60d2c770 in __memcpy_ssse3_back () from /lib64/libc.so.6
#1 0x000000000040f96c in wps_init ()
#2 0x000000000040677d in initialize_wps_data () at init.c:72
#3 0x00000000004051f3 in crack () at cracker.c:117
#4 0x0000000000402d15 in main (argc=<optimized out>, argv=<optimized out>) at
wpscrack.c:80
The os_memcpy in wps_init does it.
Original comment by Jason.Donenfeld
on 30 Dec 2011 at 12:27
from reaver-wps.
Looks like structure packing causes this issue.
Main binary compiled with -fpack-struct, but wps not.
Original comment by [email protected]
on 30 Dec 2011 at 1:49
from reaver-wps.
Thanks chengzhicn, I was just going through and removing -fpack-struct and
using #pragma statements where structure packing is critical. :)
Hopefully this will fix the issue, will post when changes are checked in.
Original comment by [email protected]
on 30 Dec 2011 at 1:58
from reaver-wps.
OK, removed -fpack-struct and placed #pragma pack statements around critical
structures.
I am no longer receiving segfaults in BT RC1 x64 (nor BT RC1 i686, nor Ubuntu
10.04 i686), nor am I getting the recurring timeout warnings as I was before:
root@bt:~/Desktop/src# ./reaver -i mon0 -b C0:C1:C0:A5:73:F7 -vv
Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<[email protected]>
[+] Waiting for beacon from C0:C1:C0:A5:73:F7
[+] Switching mon0 to channel 11
[+] Associated with C0:C1:C0:A5:73:F7 (ESSID: cisco_e2500_normal_wifi)
[+] Trying pin 28475446
[+] Trying pin 44405441
[+] Trying pin 23165441
[+] Trying pin 46105448
[+] Trying pin 86945448
[+] Trying pin 27375440
[+] 0.05% complete @ 2 seconds/attempt
[+] Trying pin 89105443
[+] Trying pin 49135442
[+] Trying pin 55565448
[+] Trying pin 73005445
[+] Trying pin 84765444
[+] 0.10% complete @ 2 seconds/attempt
[+] Trying pin 66145448
Changes have been checked in, hopefully this fixes everyone's issues.
Original comment by [email protected]
on 30 Dec 2011 at 2:25
from reaver-wps.
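The failure chengzhicn diagnosed and the check-in above fixes is an ABI mismatch rather than a logic bug: two translation units share one struct definition, but one was compiled with -fpack-struct and the other was not, so they disagree on sizeof and on every field offset after the first mixed-width member. The following is an added illustration, not reaver's code; the struct is hypothetical (not reaver's actual struct wps_config), with the same kind of mixed-width fields and a pointer member so that the 64-bit effect is visible. It reproduces both symptoms seen in the traces: a memcpy that overruns a heap allocation (the crash in wps_init) and a pointer field that reads back as garbage through the other layout (the reg=0x0 style values).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical config struct, declared twice on purpose: once with natural
   alignment (what a library built WITHOUT -fpack-struct sees) and once
   packed (what -fpack-struct, or #pragma pack(1), produces). */
struct wps_cfg_natural {
    uint8_t  uuid[16];
    uint16_t config_methods;
    uint8_t  role;
    void    *registrar;      /* stands in for the reg pointer in the traces */
    uint32_t dev_pw_id;
};

#pragma pack(push, 1)
struct wps_cfg_packed {
    uint8_t  uuid[16];
    uint16_t config_methods;
    uint8_t  role;
    void    *registrar;
    uint32_t dev_pw_id;
};
#pragma pack(pop)

/* Crash path: the packed side allocates sizeof its struct, the natural side
   memcpy()s sizeof *its* struct into it. A guard region after the allocation
   is filled with 0xAA; the return value is how many guard bytes the copy
   clobbered, i.e. the size of the heap overrun. */
size_t guard_bytes_clobbered(void)
{
    enum { GUARD = 64 };
    struct wps_cfg_natural src;
    memset(&src, 0x5A, sizeof src);          /* arbitrary non-guard fill */

    size_t alloc = sizeof(struct wps_cfg_packed);
    unsigned char *buf = malloc(alloc + GUARD);
    if (buf == NULL) return 0;
    memset(buf + alloc, 0xAA, GUARD);

    /* the library side: memcpy(dst, cfg, sizeof(*cfg)) with its own sizeof */
    memcpy(buf, &src, sizeof(struct wps_cfg_natural));

    size_t clobbered = 0;
    for (size_t i = 0; i < GUARD; i++)
        if (buf[alloc + i] != 0xAA) clobbered++;
    free(buf);
    return clobbered;
}

/* Even with no overrun the offsets disagree: a pointer stored through the
   natural layout and read back through the packed layout is wrong.
   Returns 1 if the value survives the round trip, 0 if it comes back as garbage. */
int registrar_survives_packed_view(void)
{
    struct wps_cfg_natural n;
    struct wps_cfg_packed  p;
    void *marker = (void *)(uintptr_t)0x1000;   /* constructed; never dereferenced */

    memset(&n, 0, sizeof n);
    n.registrar = marker;

    /* copy only the smaller size so this function itself does not overrun */
    memcpy(&p, &n, sizeof p < sizeof n ? sizeof p : sizeof n);
    return p.registrar == marker;
}

int main(void)
{
    printf("sizeof: natural=%zu packed=%zu\n",
           sizeof(struct wps_cfg_natural), sizeof(struct wps_cfg_packed));
    printf("offsetof(registrar): natural=%zu packed=%zu\n",
           offsetof(struct wps_cfg_natural, registrar),
           offsetof(struct wps_cfg_packed, registrar));
    printf("heap bytes overrun by a natural-sized memcpy into a packed-sized buffer: %zu\n",
           guard_bytes_clobbered());
    printf("pointer intact when read through the other layout: %s\n",
           registrar_survives_packed_view() ? "yes" : "no");
    return 0;
}
```

The overrun is larger on x86_64 (8-byte pointer alignment) than on i686, which is why a mismatch like this tends to surface as a crash only on 64-bit builds. Putting #pragma pack around the wire-format structs in the shared header, as the check-in does, keeps both sides on the same layout; removing -fpack-struct alone would not help if any object file were still built with it.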
Great, it's working on 64 bit Ubuntu. :D
Original comment by [email protected]
on 30 Dec 2011 at 2:32
from reaver-wps.
These are my outputs on rev 20.
At least now it is changing PINs, although I still get WARNINGS.
Thanks for your efforts
Original comment by [email protected]
on 30 Dec 2011 at 2:54
from reaver-wps.
maguila, this may be an issue with the AP. Some APs implement WPS a little
differently and since TP-Link has "QSS" which is not exactly WPS, but is
supposed to be compatible, I wouldn't be surprised.
This is what the 'advanced' options are for in reaver - sometimes specifying
different timeout periods or eap termination options (or others) can help
alleviate compatibility issues like this. I have run reaver against other
TP-Links, but probably not the exact model you have, so I can't say for sure.
Original comment by [email protected]
on 30 Dec 2011 at 3:01
from reaver-wps.
One silly question;
If I change the build_wps_pin() function to force it to use my PIN, shouldn't
it work?
Anyway I also tried with the netgear with the same results.
Original comment by [email protected]
on 30 Dec 2011 at 3:15
from reaver-wps.
I'm going to download a 32 bits distro and see what I get.
Original comment by [email protected]
on 30 Dec 2011 at 3:17
from reaver-wps.
Yes, you can change build_wps_pin to always return the same pin.
Let me know if your issues are different in 32/64 bit OSs. It's working fine
here on Backtrack 5 RC1 32 and 64 bit.
Original comment by [email protected]
on 30 Dec 2011 at 3:46
from reaver-wps.
No other verifications, positive or negative?
Original comment by [email protected]
on 30 Dec 2011 at 3:55
from reaver-wps.
New version works for me. (Ubuntu 10.04 x64 ipw3954)
Original comment by [email protected]
on 30 Dec 2011 at 4:10
from reaver-wps.
not for me
BT5 R1 x64 RT3070
reaver -i mon0 -b C0:C1:C0:A5:73:F7 -vv
[+] Waiting for beacon from C0:C1:C0:A5:73:F7
[+] Switching mon0 to channel 9
[+] Associated with C0:C1:C0:A5:73:F7
[+] Trying pin 91636102
[!] WARNING: Receive timeout occurred
Segmentation fault
Original comment by [email protected]
on 30 Dec 2011 at 4:19
from reaver-wps.
hurenhannes, are you using r20? I have BT5 R1 x64 working with no issues (using
rtl8187 drivers).
Also why is your BSSID the same as mine? :)
Original comment by [email protected]
on 30 Dec 2011 at 4:22
from reaver-wps.
Issue 5 has been merged into this issue.
Original comment by [email protected]
on 30 Dec 2011 at 4:23
from reaver-wps.
Yes, I'm using r20. I was lazy, copy paste.... :)
I will try the x86 of BT 5 R1.
Original comment by [email protected]
on 30 Dec 2011 at 5:03
from reaver-wps.
Well Good News.
I tried with a 32 bit Ubuntu 11.10 under kernel 3.1.6 also with an old kernel
2.6.34 on x64 bit system and also with an atheros device with the ath5k driver,
and I was getting the same results. So it seems it's AP related.
Original comment by [email protected]
on 30 Dec 2011 at 5:06
from reaver-wps.
Great news!
All is working..issues are cleared...
waiting to see end result (guessed pin :)))
Thanks
Original comment by [email protected]
on 30 Dec 2011 at 5:07
from reaver-wps.
Awesome! These changes are in release 1.2. I'm waiting to hear back from
hurenhannes before closing the ticket, as he seems to still be having issues.
Original comment by [email protected]
on 30 Dec 2011 at 5:16
from reaver-wps.
[deleted comment]
from reaver-wps.
Nothing heard back from hurenhannes; by all other accounts and testing, the seg
fault is fixed, closing ticket.
Original comment by [email protected]
on 30 Dec 2011 at 9:16
- Changed state: Fixed
from reaver-wps.
Issue 36 has been merged into this issue.
Original comment by [email protected]
on 2 Jan 2012 at 12:57
from reaver-wps.
I am running reaver version 1.4 and the issue is still occurring;
sometimes it crashes with an "Aborted" message.
Original comment by [email protected]
on 27 Oct 2013 at 12:15
from reaver-wps.