
Reaver segmentation fault (reaver-wps issue, 71 comments, closed)

lxe524 commented on July 23, 2024
Reaver segmentation fault


Comments (71)

GoogleCodeExporter commented on July 23, 2024
[deleted comment]

GoogleCodeExporter commented on July 23, 2024
This time I managed to make it segfault under gdb with -f 4 option:

$gdb ./reaver
GNU gdb (GDB) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/user/reaver-wps-read-only/src/reaver...done.
(gdb) run -i mon0 -b C0:3F:0E:C1:DB:A7 -f 4 -vv
Starting program: /home/user/reaver-wps-read-only/src/reaver -i mon0 -b 
C0:3F:0E:C1:DB:A7 -f 4 -vv

Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Waiting for beacon from C0:3F:0E:C1:DB:A7
[+] Associated with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[+] Trying pin 91325709
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred

Program received signal SIGSEGV, Segmentation fault.
0x0000000000411556 in wps_registrar_expire_pins ()
(gdb) backtrace
#0  0x0000000000411556 in wps_registrar_expire_pins ()
#1  0x00000000004116cf in wps_registrar_get_pin ()
#2  0x0000000000412532 in wps_get_dev_password ()
#3  0x0000000000414195 in wps_registrar_get_msg ()
#4  0x0000000000406a99 in send_msg () at send.c:80
#5  0x0000000000405705 in do_wps_exchange () at exchange.c:66
#6  0x0000000000405047 in crack () at cracker.c:160
#7  0x00000000004027b1 in main (argc=8, argv=<optimized out>) at wpscrack.c:80

(gdb) farme 1
Undefined command: "farme".  Try "help".
(gdb) frame 1
#1  0x00000000004116cf in wps_registrar_get_pin ()
(gdb) kill
Kill the program being debugged? (y or n) y
(gdb) quit


Tell me what to do to continue debugging and I will be happy to help.

Best Regards

Original comment by [email protected] on 29 Dec 2011 at 3:43

GoogleCodeExporter commented on July 23, 2024
This bug also affects me. I'm using Arch x86-64 and iwlagn as well. Here's a 
trace with the function parameters:


#0  0x0000000000411556 in wps_registrar_expire_pins (reg=0x0) at 
wps_registrar.c:559
#1  0x00000000004116cf in wps_registrar_get_pin (reg=0x0, 
    uuid=0x6cca04 "VZ\251Ig\301L\016\252\217\363I\346\365\223\021\177\323\f\277\261h\351ٶ\244\266P", pin_len=0x7fffffffe8f0)
    at wps_registrar.c:600
#2  0x0000000000412532 in wps_get_dev_password (wps=0x6cc9e0) at 
wps_registrar.c:1000
#3  0x0000000000414195 in wps_registrar_get_msg (wps=0x6cc9e0, 
op_code=0x7fffffffe94c) at wps_registrar.c:1615
#4  0x0000000000406a99 in send_msg () at send.c:80
#5  0x0000000000405705 in do_wps_exchange () at exchange.c:66
#6  0x0000000000405047 in crack () at cracker.c:160
#7  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

I guess reg isn't supposed to be a NULL pointer.

Original comment by [email protected] on 29 Dec 2011 at 3:45

GoogleCodeExporter commented on July 23, 2024
Thanks, gdb output is very helpful. :)

I've added null checks to the wps_registrar_expire_pins function. Can you check 
out the latest SVN code and test it to see if this fixes the issue?

Original comment by [email protected] on 29 Dec 2011 at 3:54

  • Changed state: Started

GoogleCodeExporter commented on July 23, 2024
reaver -i mon0 -vv -b XX:XX:XX:XX:XX:XX

Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 1
[+] Associated with 14:D6:4D:C8:94:5E (ESSID: ANONYMOUS)
[+] Trying pin 71755106
Segmentation fault
root@zaunkoenig:/reaver_svn/reaver-wps-read-only/src# gdb ./reaver
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /reaver_svn/reaver-wps-read-only/src/reaver...done.
(gdb) run -i mon0 -vv -b XX:XX:XX:XX:XX:XX
Starting program: /reaver_svn/reaver-wps-read-only/src/reaver -i mon0 -vv -b 
XX:XX:XX:XX:XX:XX
Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[+] Associated with 14:D6:4D:C8:94:5E (ESSID: ANONYMOUS)
[+] Trying pin 95384153
[!] WARNING: Receive timeout occurred

Program received signal SIGSEGV, Segmentation fault.
0x00000000004118f1 in wps_registrar_unlock_pin ()
(gdb) backtrace
#0  0x00000000004118f1 in wps_registrar_unlock_pin ()
#1  0x0000000000407ca3 in wps_deinit ()
#2  0x0000000000404eba in crack () at cracker.c:205
#3  0x0000000000402575 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
(gdb) frame 1
#1  0x0000000000407ca3 in wps_deinit ()
(gdb) 



Linux anonymous 3.0.0-15-generic #24-Ubuntu SMP Mon Dec 12 15:23:55 UTC 2011 
x86_64 x86_64 x86_64 GNU/Linux

Tested chipsets and drivers:
wlan0       Intel 4965/5xxx iwlagn - [phy0]
wlan1       RTL8187     rtl8187 - [phy2]


Same results.

Original comment by [email protected] on 29 Dec 2011 at 3:58

GoogleCodeExporter commented on July 23, 2024
Yep, same results here as well:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004116b8 in wps_registrar_get_pin ()
(gdb) backtrace
#0  0x00000000004116b8 in wps_registrar_get_pin ()
#1  0x0000000000412517 in wps_get_dev_password ()
#2  0x000000000041417a in wps_registrar_get_msg ()
#3  0x0000000000406a69 in send_msg () at send.c:80
#4  0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5  0x0000000000405017 in crack () at cracker.c:160
#6  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

Original comment by [email protected] on 29 Dec 2011 at 4:04

GoogleCodeExporter commented on July 23, 2024
Tried it again with rev 12. Same results.

Original comment by [email protected] on 29 Dec 2011 at 4:05

GoogleCodeExporter commented on July 23, 2024
Added null checks. See if that fixed it.

Original comment by [email protected] on 29 Dec 2011 at 4:10

GoogleCodeExporter commented on July 23, 2024
Here the strace.out

Original comment by [email protected] on 29 Dec 2011 at 4:10

GoogleCodeExporter commented on July 23, 2024
Revision 13 still crashes. Here's the backtrace:


#0  0x00000000004116b8 in wps_registrar_get_pin (reg=0x0, 
    uuid=0x6cca04 "VZ\251Ig\301L\016\252\217\363I\346\365\223\021xn\263\032\033\227\362\321P@=c", pin_len=0x7fffffffe8f0) at wps_registrar.c:608
#1  0x0000000000412582 in wps_get_dev_password (wps=0x6cc9e0) at 
wps_registrar.c:1036
#2  0x00000000004141e5 in wps_registrar_get_msg (wps=0x6cc9e0, 
op_code=0x7fffffffe94c) at wps_registrar.c:1651
#3  0x0000000000406a69 in send_msg () at send.c:80
#4  0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5  0x0000000000405017 in crack () at cracker.c:160
#6  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

Original comment by [email protected] on 29 Dec 2011 at 4:10

GoogleCodeExporter commented on July 23, 2024
Revision 14:

#0  0x000000000041112e in wps_build_config_methods_r (reg=0x0, msg=0x6cd6a0) at 
wps_registrar.c:420
#1  0x0000000000413b42 in wps_build_m2d (wps=0x6ccd90) at wps_registrar.c:1446
#2  0x0000000000414244 in wps_registrar_get_msg (wps=0x6ccd90, 
op_code=0x7fffffffe94c) at wps_registrar.c:1668
#3  0x0000000000406a69 in send_msg () at send.c:80
#4  0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5  0x0000000000405017 in crack () at cracker.c:160
#6  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

Original comment by [email protected] on 29 Dec 2011 at 4:13

GoogleCodeExporter commented on July 23, 2024
With rev 14 I get this:

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: ANONYMOUS)
[+] Trying pin 15878182
[!] WARNING: Receive timeout occurred
[+] Trying pin 15878182
Segmentation fault


So reaver is now trying the same pin again, before the segmentation fault 
occurs.

Original comment by [email protected] on 29 Dec 2011 at 4:15

GoogleCodeExporter commented on July 23, 2024
Added some debug printfs and put in a NULL check at a higher layer...

Original comment by [email protected] on 29 Dec 2011 at 4:25

GoogleCodeExporter commented on July 23, 2024
With rev 15:

[+] Waiting for beacon from C0:3F:0E:F3:9D:A3
[+] Switching mon0 to channel 6
[!] WARNING: Failed to associate with C0:3F:0E:F3:9D:A3 (ESSID: ONO9DA3)
[+] Associated with C0:3F:0E:F3:9D:A3 (ESSID: ONO9DA3)
[+] Trying pin 13030865
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message

Program received signal SIGSEGV, Segmentation fault.
0x000000000040f72f in wps_init ()
(gdb) backtrace
#0  0x000000000040f72f in wps_init ()
#1  0x00000000004063f1 in initialize_wps_data () at init.c:72
#2  0x0000000000404f33 in crack () at cracker.c:117
#3  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
(gdb) frame 0
#0  0x000000000040f72f in wps_init ()

Original comment by [email protected] on 29 Dec 2011 at 4:30

GoogleCodeExporter commented on July 23, 2024
I have tried revision 15 now. I find it weird that it fails to associate, 
because my WiFi signal is strong (-41dBm). It doesn't crash but it seems stuck 
at this point:


[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Trying pin 32926729
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Switching mon0 to channel 2
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message

Original comment by [email protected] on 29 Dec 2011 at 4:32

GoogleCodeExporter commented on July 23, 2024
same here


[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 97035473


On revision 15, at least, no more segfaulting.

Original comment by [email protected] on 29 Dec 2011 at 4:37

GoogleCodeExporter commented on July 23, 2024
Interesting...what access point (vendor, model, version) are you testing this 
against?

Original comment by [email protected] on 29 Dec 2011 at 4:39

GoogleCodeExporter commented on July 23, 2024
I'm trying on a:

http://www.netgear.com/service-provider/products/routers-and-gateways/cable-gateways/CG3000_CG3100.aspx

Original comment by [email protected] on 29 Dec 2011 at 4:43

GoogleCodeExporter commented on July 23, 2024
By the way I know the PIN on the one I'm trying: 50459360

Original comment by [email protected] on 29 Dec 2011 at 4:45

GoogleCodeExporter commented on July 23, 2024
OK, first the silly question: are you sure WPS is enabled?

Second, can you provide a pcap file? Using the display filter of 'eap || eapol' 
should give you just the WPS packets.

Original comment by [email protected] on 29 Dec 2011 at 4:47

GoogleCodeExporter commented on July 23, 2024
I'm quite sure it's enabled, I have enabled it on the router configuration page.

But then again could be that I'm doing something wrong.

Original comment by [email protected] on 29 Dec 2011 at 5:09

GoogleCodeExporter commented on July 23, 2024
I am using a TP-LINK TL-WR1043N, having exactly the same problem.
WPS is enabled and working.

Original comment by [email protected] on 29 Dec 2011 at 5:13

GoogleCodeExporter commented on July 23, 2024
Mine is a Linksys E4200 HW Version 1.

Original comment by [email protected] on 29 Dec 2011 at 5:15

GoogleCodeExporter commented on July 23, 2024
From the pcap it looks like the AP maybe isn't seeing the packets? Hard to 
tell. I have tested netgears, tp-links and linksys devices, but not these 
specific models. What type of signal strength do you have, and can you move 
closer to the AP to rule this out as a potential cause?

Original comment by [email protected] on 29 Dec 2011 at 5:28

GoogleCodeExporter commented on July 23, 2024
[deleted comment]

GoogleCodeExporter commented on July 23, 2024
The signal is quite good, it's -38.

I'll try with a TP-LINK TL-WR1043N factory default also and see what I get.

Original comment by [email protected] on 29 Dec 2011 at 5:31

GoogleCodeExporter commented on July 23, 2024
wlan0     IEEE 802.11bgn  ESSID:"wlantest"  
          Mode:Managed  Frequency:2.437 GHz  Access Point: XX:XX:XX:XX:XX:XX   
          Bit Rate=150 Mb/s   Tx-Power=14 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=70/70  Signal level=-31 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:364  Invalid misc:52   Missed beacon:0


The AP is one meter away from the Laptop. ;-)

Anyway: Many thanks for your work and the effort to solve the problem(s)!

Original comment by [email protected] on 29 Dec 2011 at 5:32

GoogleCodeExporter commented on July 23, 2024
I get the same timeout message as above, WPS is definitely enabled.

router: D-Link DIR-615
http://www.dlink.de/cs/Satellite?c=TechSupport_C&childpagename=DLinkEurope-DE%2FDLTechProduct&cid=1197374950653&p=1197318958220&packedargs=locale%3D1195806663795&pagename=DLinkEurope-DE%2FDLWrapper

driver: rtl8187

Original comment by [email protected] on 29 Dec 2011 at 5:33

GoogleCodeExporter commented on July 23, 2024
Here is the cap file with a TP-Link 1043ND with factory defaults, WPS 
enabled, only the WPA2 key changed.




Original comment by [email protected] on 29 Dec 2011 at 6:03

GoogleCodeExporter commented on July 23, 2024
A 24 byte pcap?

Original comment by [email protected] on 29 Dec 2011 at 6:06

GoogleCodeExporter commented on July 23, 2024
Sorry :)

Original comment by [email protected] on 29 Dec 2011 at 6:09

GoogleCodeExporter commented on July 23, 2024
I installed Ubuntu 10.04 LTS in a virtualbox vm and it works with my RTL8187 
USB Adapter.
So I guess it is not an AP problem.

Original comment by [email protected] on 29 Dec 2011 at 6:10

GoogleCodeExporter commented on July 23, 2024
This time didn't segfault.

The command output was:

[+] Waiting for beacon from F4:EC:38:A0:4F:06
[+] Switching mon0 to channel 9
[+] Associated with F4:EC:38:A0:4F:06 (ESSID: TP-LINK_A04F06)
[+] Trying pin 91636102
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 91636102
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message                                          
[!] WARNING: Last message not processed properly, reverting state to previous 
message                                          
[+] Trying pin 91636102                                                         

[!] WARNING: Last message not processed properly, reverting state to previous 
message                                          
[!] WARNING: Last message not processed properly, reverting state to previous 
message

Original comment by [email protected] on 29 Dec 2011 at 6:11

GoogleCodeExporter commented on July 23, 2024
@schwammtaucher,

So it didn't work before, but it works fine for you in 10.04?

Original comment by [email protected] on 29 Dec 2011 at 7:36

GoogleCodeExporter commented on July 23, 2024
@cheff,

that is true. No more segmentation faults.

Original comment by [email protected] on 29 Dec 2011 at 7:44

GoogleCodeExporter commented on July 23, 2024
OK, I've just made another check in, which will hopefully address both the seg 
fault issue and the message processing warnings. It works for me under BT 5 
with the rtl8187 drivers, but I couldn't reproduce the seg faults to begin 
with, so some verification would be appreciated.

Original comment by [email protected] on 29 Dec 2011 at 7:54

GoogleCodeExporter commented on July 23, 2024
[+] Waiting for beacon from EC:55:F9:23:62:2C
[+] Switching mon0 to channel 1
[+] Associated with EC:55:F9:23:62:2C (ESSID: Ziggo4ACAC)
[+] Trying pin 89158838
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
Segmentation fault

Rev 16 On bt5

Original comment by [email protected] on 29 Dec 2011 at 8:19

GoogleCodeExporter commented on July 23, 2024
checked out revision 16

gdb ./reaver
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from 
/root/Desktop/Downloads/reaver-wps-read-only/src/reaver...done.
(gdb) run -i wlan1 -b 00:1C:10:08:B7:A5  -vv -c 6
Starting program: /root/Desktop/Downloads/reaver-wps-read-only/src/reaver -i 
wlan1 -b 00:1C:10:08:B7:A5  -vv -c 6

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Switching wlan1 to channel 6
[+] Waiting for beacon from 00:1C:10:08:B7:A5
[+] Switching wlan1 to channel 6
[+] Associated with 00:1C:10:08:B7:A5 (ESSID: linksys)
[+] Trying pin 06030254

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff762acae in memcpy () from /lib/libc.so.6
(gdb) run -i wlan1 -b 00:1C:10:08:B7:A5  -vv -c 6
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/Downloads/reaver-wps-read-only/src/reaver -i 
wlan1 -b 00:1C:10:08:B7:A5  -vv -c 6

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Switching wlan1 to channel 6
[+] Waiting for beacon from 00:1C:10:08:B7:A5
[+] Switching wlan1 to channel 6
[+] Associated with 00:1C:10:08:B7:A5 (ESSID: linksys)
[+] Trying pin 79956529
[!] WARNING: Receive timeout occurred
[+] Trying pin 79956529
[+] Trying pin 79956529
[!] WARNING: Receive timeout occurred

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff762acae in memcpy () from /lib/libc.so.6


I am running BackTrack5 (not BT5 R1) and testing with RTL8187L based Alfa 500mW 
card

is there anything I can do to help you debug it?

Original comment by [email protected] on 29 Dec 2011 at 8:22

GoogleCodeExporter commented on July 23, 2024
I am on rev16, bt5r1, 64bit running in VirtualBox. RTL8187 (using alfa antenna).

[+] Waiting for beacon from xx:xx:xx:xx:xx:xx
[+] Associated with xx:xx:xx:xx:xx:xx (ESSID: xxxxx)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff762acae in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x00007ffff762acae in memcpy () from /lib/libc.so.6
#1  0x000000000040f8e8 in wps_init ()
#2  0x000000000040653e in initialize_wps_data () at init.c:72
#3  0x0000000000404f3a in crack () at cracker.c:117
#4  0x0000000000402b25 in main (argc=<value optimized out>, argv=<value 
optimized out>) at wpscrack.c:80

Original comment by [email protected] on 29 Dec 2011 at 8:25

GoogleCodeExporter commented on July 23, 2024
I also tried with a VirtualBox VM (Ubuntu 10.04 LTS) and was able to test 15 
keys; after that I get this warning again:
[!] WARNING: Receive timeout occurred.

My first attempt was with Ubuntu 11.10; there I only get the timeout message 
and no successful test of a key.

Original comment by [email protected] on 29 Dec 2011 at 8:46

GoogleCodeExporter commented on July 23, 2024
rev 16, BT5 R1 x64
---------------------------------------------------------------
wlan0           Atheros AR9285  ath9k - [phy0]
                                (monitor mode enabled on mon0)
---------------------------------------------------------------
root@bt:/opt/wpa/reaver-wps-read-only/src# ./reaver -i mon0 -b 
00:1C:DF:99:EC:B4 -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Waiting for beacon from 00:1C:DF:99:EC:B4
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 1
[+] Associated with 00:1C:DF:99:EC:B4 (ESSID: belkin54g)
[+] Trying pin 64563428
[!] WARNING: Receive timeout occurred
[+] Trying pin 64563428
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
Segmentation fault

Original comment by [email protected] on 29 Dec 2011 at 8:50

GoogleCodeExporter commented on July 23, 2024
OK, I've only been able to reproduce these issues on 64 bit systems; neither 
Ubuntu nor Backtrack 32 bit systems appear to be affected (someone speak up if 
they have had these seg faults on a 32 bit system). 

Not sure yet what the culprit is for 64 bit, but running reaver 1.1 on a 32 bit 
system should get you up and running in the mean time.

Original comment by [email protected] on 29 Dec 2011 at 8:51

GoogleCodeExporter commented on July 23, 2024
I can confirm I'm on 64 bit Ubuntu and having problems. I either get the 
time-out or "not processed properly" errors, but have yet to stumble upon 
"segmentation fault". Maybe I haven't run it long enough for that though.

Original comment by [email protected] on 29 Dec 2011 at 8:59

GoogleCodeExporter commented on July 23, 2024
I am getting the segmentation fault and therefore one try only at a PIN. I am 
on a 32-bit Ubuntu 10.04 system. I am using an Alfa USB adaptor. I have tried a 
few APs and all follow the same pattern. Have tried on reaver 1.0 and 1.1.

Hope this helps! ;-)

Original comment by [email protected] on 29 Dec 2011 at 9:12

GoogleCodeExporter commented on July 23, 2024
[deleted comment]

GoogleCodeExporter commented on July 23, 2024
Maybe this could help.

On rev 16 I've changed build_wps_pin() function, so it matches my PIN, and 
added a printf as follows:

char *build_wps_pin()
{
        char *key = NULL, *pin = NULL;
        int pin_len = PIN_SIZE + 1;

        pin = malloc(pin_len);
        key = malloc(pin_len);
        if(pin && key)
        {
                memset(key, 0, pin_len);
                memset(pin, 0, pin_len);

                /* Hard-coded key halves ("2020" + "6567") instead of the generated ones */
                snprintf(key, pin_len, "%s%s", "2020", "6567");

                /* Generate and append the pin checksum digit; because key already has
                 * PIN_SIZE (8) digits, snprintf truncates the result to "20206567" */
                snprintf(pin, pin_len, "%s%d", key, wps_pin_checksum(atoi(key)));

                free(key);
        }

        /* Debug print of the pin about to be tried (never pass pin as the format string) */
        if(pin)
                printf("%s", pin);

        return pin;
}

This is the output that I get:

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Waiting for beacon from F4:EC:38:A0:4F:06
[+] Switching mon0 to channel 9
[+] Associated with F4:EC:38:A0:4F:06 (ESSID: TP-LINK_A04F06)
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[+] 0.00% complete @ 0 seconds/attempt
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Receive timeout occurred
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[!] WARNING: 10 failed connections in a row
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[+] 0.00% complete @ 0 seconds/attempt
...etc

And the pcap file:

Hope this helps

Original comment by [email protected] on 30 Dec 2011 at 12:07
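The build_wps_pin() and wps_pin_checksum() pair patched above is the part of reaver that turns a first half and a second half into the candidate PIN printed after "Trying pin". The following is an added example, not reaver's own source: it implements the WPS check-digit rule, assembles PINs the way the attack enumerates them (4-digit first half, 3-digit second half, derived 8th digit), and validates the PINs quoted in this thread (20206567, 50459360, 91325709). The function names mirror reaver's but the bodies are written here; the sample PIN strings in main() are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* WPS check digit over the first seven PIN digits: digits in odd positions
 * (1st, 3rd, 5th, 7th, counted from the left) weigh 3, digits in even
 * positions weigh 1, and the 8th digit makes the weighted sum a multiple of 10.
 * Walking the number from the right visits the 7th digit first, so the first
 * digit consumed in each loop round gets weight 3 and the second weight 1. */
int wps_pin_checksum(unsigned int pin7)
{
    unsigned int accum = 0;

    while (pin7) {
        accum += 3 * (pin7 % 10);   /* 7th, 5th, 3rd, 1st digit */
        pin7 /= 10;
        accum += pin7 % 10;         /* 6th, 4th, 2nd digit */
        pin7 /= 10;
    }
    return (int)((10 - accum % 10) % 10);
}

/* Assemble the 8-digit PIN reaver would try for a 4-digit first half and a
 * 3-digit second half (the 8th digit is derived, so the second half has only
 * 1000 candidates). out must have room for 9 bytes. Returns 0 on bad input. */
int build_wps_pin(unsigned int first_half, unsigned int second_half, char out[9])
{
    unsigned int key;

    if (first_half > 9999 || second_half > 999)
        return 0;
    key = first_half * 1000 + second_half;              /* 7-digit key */
    snprintf(out, 9, "%07u%d", key, wps_pin_checksum(key));
    return 1;
}

/* Convenience wrapper: does build_wps_pin() produce the expected string? */
int build_matches(unsigned int first_half, unsigned int second_half, const char *expected)
{
    char pin[9];

    if (!build_wps_pin(first_half, second_half, pin))
        return 0;
    return strcmp(pin, expected) == 0;
}

/* Accept an 8-character PIN only if every character is a digit and the last
 * digit matches the checksum of the first seven. */
int wps_pin_valid(const char *pin)
{
    unsigned int key = 0;
    int i;

    if (pin == NULL || strlen(pin) != 8)
        return 0;
    for (i = 0; i < 8; i++)
        if (!isdigit((unsigned char)pin[i]))
            return 0;
    for (i = 0; i < 7; i++)
        key = key * 10 + (unsigned int)(pin[i] - '0');
    return (pin[7] - '0') == wps_pin_checksum(key);
}

int main(void)
{
    /* Constructed samples: PINs quoted in this thread plus one with a bad check digit. */
    const char *samples[] = { "20206567", "50459360", "91325709", "12345678" };
    char pin[9];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %s\n", samples[i], wps_pin_valid(samples[i]) ? "valid" : "bad checksum");

    build_wps_pin(2020, 656, pin);
    printf("build_wps_pin(2020, 656) = %s\n", pin);
    return 0;
}
```

Because the AP's reply after M4 reveals whether the first half was right before it ever sees the second, the halves are searched independently: at most 10,000 + 1,000 attempts rather than 10^7, which is why a successful run with no rate limiting finishes in hours.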

GoogleCodeExporter commented on July 23, 2024

Original comment by [email protected] on 30 Dec 2011 at 12:23

GoogleCodeExporter commented on July 23, 2024
I can confirm that switching to 32bit Ubuntu 11.10 (with kernel 3.0) works for 
me. I was previously having trouble with 64bit Arch Linux (with kernel 3.1.5).

I have cross-compiled reaver and libpcap to 32bit on my Arch Linux system and 
that doesn't seem to make any difference.

On my Ubuntu system it cracked the WPS pin on a Linksys E4200 (HW V. 1) in 7 
hours. It doesn't seem to employ rate limiting.

Original comment by [email protected] on 30 Dec 2011 at 8:04

GoogleCodeExporter commented on July 23, 2024
64 bit, linux 3.1, gentoo, libpcap 1.2.0

Starting program: /usr/bin/reaver -i wlan0 -b <redacted> -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Waiting for beacon from <redacted>
[+] Switching wlan0 to channel <redacted>
[+] Associated with <redacted> (ESSID: <redacted>)
[+] Trying pin 92129740
[+] Trying pin 92129740

Program received signal SIGSEGV, Segmentation fault.
0x0000003b60d2c770 in __memcpy_ssse3_back () from /lib64/libc.so.6
(gdb) bt
#0  0x0000003b60d2c770 in __memcpy_ssse3_back () from /lib64/libc.so.6
#1  0x000000000040f96c in wps_init ()
#2  0x000000000040677d in initialize_wps_data () at init.c:72
#3  0x00000000004051f3 in crack () at cracker.c:117
#4  0x0000000000402d15 in main (argc=<optimized out>, argv=<optimized out>) at 
wpscrack.c:80


The os_memcpy in wps_init does it.

Original comment by Jason.Donenfeld on 30 Dec 2011 at 12:27

GoogleCodeExporter commented on July 23, 2024
Looks like structure packing causes this issue.
The main binary is compiled with -fpack-struct, but wps is not.

Original comment by [email protected] on 30 Dec 2011 at 1:49

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Thanks chengzhicn, I was just going through and removing -fpack-struct and 
using #pragma statements where structure packing is critical. :)

Hopefully this will fix the issue, will post when changes are checked in.

Original comment by [email protected] on 30 Dec 2011 at 1:58

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
OK, removed -fpack-struct and placed #pragma pack statements around critical 
structures. 

I am no longer receiving segfaults in BT RC1 x64 (nor BT RC1 i686, nor Ubuntu 
10.04 i686), nor am I getting the recurring timeout warnings as I was before:


root@bt:~/Desktop/src# ./reaver -i mon0 -b C0:C1:C0:A5:73:F7 -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Waiting for beacon from C0:C1:C0:A5:73:F7
[+] Switching mon0 to channel 11
[+] Associated with C0:C1:C0:A5:73:F7 (ESSID: cisco_e2500_normal_wifi)
[+] Trying pin 28475446
[+] Trying pin 44405441
[+] Trying pin 23165441
[+] Trying pin 46105448
[+] Trying pin 86945448
[+] Trying pin 27375440
[+] 0.05% complete @ 2 seconds/attempt
[+] Trying pin 89105443
[+] Trying pin 49135442
[+] Trying pin 55565448
[+] Trying pin 73005445
[+] Trying pin 84765444
[+] 0.10% complete @ 2 seconds/attempt
[+] Trying pin 66145448


Changes have been checked in, hopefully this fixes everyone's issues.

Original comment by [email protected] on 30 Dec 2011 at 2:25

from reaver-wps.
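Added example, not reaver's code, illustrating the mismatch chengzhicn diagnosed above and why the r20 fix (packing via #pragma pack around the shared structures instead of a compiler-wide -fpack-struct) resolves it. The struct fields and function names are hypothetical; the sizes in the comments assume x86-64 GCC or Clang.

```c
/* Added example (not reaver's code): why compiling one translation unit with
 * -fpack-struct and another without breaks a struct they share. Fields here
 * are hypothetical; sizes in comments assume x86-64 GCC or Clang. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_FIELDS uint8_t type; uint16_t len; uint32_t id; uint8_t flags;

/* Layout a library built WITHOUT -fpack-struct uses: natural alignment,
 * with padding after 'type' and after 'flags'. */
struct hdr_natural { HDR_FIELDS };

/* Layout a caller built WITH -fpack-struct sees for the same declaration.
 * Putting #pragma pack in the shared header, as the r20 fix does, makes every
 * translation unit agree instead of depending on a per-file compiler flag. */
#pragma pack(push, 1)
struct hdr_packed { HDR_FIELDS };
#pragma pack(pop)

size_t natural_size(void) { return sizeof(struct hdr_natural); } /* 12 */
size_t packed_size(void)  { return sizeof(struct hdr_packed); }  /* 8 */

/* 1 if every field sits at the same offset in both layouts, i.e. the two
 * sides could safely memcpy the struct between each other. */
int layouts_agree(void) {
    return sizeof(struct hdr_natural) == sizeof(struct hdr_packed)
        && offsetof(struct hdr_natural, len)   == offsetof(struct hdr_packed, len)
        && offsetof(struct hdr_natural, id)    == offsetof(struct hdr_packed, id)
        && offsetof(struct hdr_natural, flags) == offsetof(struct hdr_packed, flags);
}

/* Simulates the bug: the packed side hands over its bytes, the natural side
 * memcpys them into its own struct and reads the fields back. Returns 1 if
 * 'id' survived the round trip, 0 if it was silently corrupted. */
int id_survives_roundtrip(uint32_t id) {
    struct hdr_packed src = { .type = 1, .len = 0x1234, .id = id, .flags = 7 };
    struct hdr_natural dst;
    memset(&dst, 0, sizeof dst);
    /* Copy only what the packed side believes the size is; copying sizeof dst
     * here would read past 'src', the kind of overrun behind the os_memcpy
     * crash in the backtrace above. */
    memcpy(&dst, &src, sizeof src);
    return dst.id == id;
}

int main(void) {
    printf("natural=%zu packed=%zu agree=%d id_ok=%d\n", natural_size(),
           packed_size(), layouts_agree(), id_survives_roundtrip(0xdeadbeefu));
    return 0;
}
```

Building both sides from one header that carries the pragma removes the dependency on matching compiler flags, which is the property the fix restores.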

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Great, it's working on 64 bit Ubuntu. :D

Original comment by [email protected] on 30 Dec 2011 at 2:32

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
These are my outputs on rev 20.

At least now it is changing PINs, although I still get WARNINGS.

Thanks for your efforts

Original comment by [email protected] on 30 Dec 2011 at 2:54

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
maguila, this may be an issue with the AP. Some APs implement WPS a little 
differently and since TP-Link has "QSS" which is not exactly WPS, but is 
supposed to be compatible, I wouldn't be surprised. 

This is what the 'advanced' options are for in reaver - sometimes specifying 
different timeout periods or eap termination options (or others) can help 
alleviate compatibility issues like this. I have run reaver against other 
TP-Links, but probably not the exact model you have, so I can't say for sure.

Original comment by [email protected] on 30 Dec 2011 at 3:01

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
One silly question:

If I change the build_wps_pin() function to force it to use my PIN, shouldn't 
it work?

Anyway I also tried with the netgear with the same results.

Original comment by [email protected] on 30 Dec 2011 at 3:15

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I'm going to download a 32-bit distro and see what I get.

Original comment by [email protected] on 30 Dec 2011 at 3:17

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Yes, you can change build_wps_pin to always return the same pin.

Let me know if your issues are different in 32/64 bit OSs. It's working fine 
here on Backtrack 5 RC1 32 and 64 bit.

Original comment by [email protected] on 30 Dec 2011 at 3:46

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
No other verifications, positive or negative?

Original comment by [email protected] on 30 Dec 2011 at 3:55

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
New version works for me. (Ubuntu 10.04 x64 ipw3954)

Original comment by [email protected] on 30 Dec 2011 at 4:10

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Not for me.

BT5 R1 x64 RT3070

reaver -i mon0 -b C0:C1:C0:A5:73:F7 -vv

[+] Waiting for beacon from C0:C1:C0:A5:73:F7
[+] Switching mon0 to channel 9
[+] Associated with C0:C1:C0:A5:73:F7 
[+] Trying pin 91636102
[!] WARNING: Receive timeout occurred
Segmentation fault



Original comment by [email protected] on 30 Dec 2011 at 4:19

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
hurenhannes, are you using r20? I have BT5 R1 x64 working with no issues (using 
rtl8187 drivers). 

Also why is your BSSID the same as mine? :)

Original comment by [email protected] on 30 Dec 2011 at 4:22

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Issue 5 has been merged into this issue.

Original comment by [email protected] on 30 Dec 2011 at 4:23

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Yes, I'm using r20. I was lazy, copy-paste... :)

I will try the x86 of BT 5 R1.

Original comment by [email protected] on 30 Dec 2011 at 5:03

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Well, good news.

I tried with a 32-bit Ubuntu 11.10 under kernel 3.1.6, also with an old kernel 
2.6.34 on an x64 system, and also with an Atheros device with the ath5k driver, 
and I was getting the same results. So it seems it's AP related.

Original comment by [email protected] on 30 Dec 2011 at 5:06

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Great news!

All is working, issues are cleared...
Waiting to see the end result (guessed pin :)))


Thanks

Original comment by [email protected] on 30 Dec 2011 at 5:07

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Awesome! These changes are in release 1.2. I'm waiting to hear back from 
hurenhannes before closing the ticket, as he seems to still be having issues.

Original comment by [email protected] on 30 Dec 2011 at 5:16

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
[deleted comment]

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Nothing heard back from hurenhannes; by all other accounts and testing, the seg 
fault is fixed, closing ticket.

Original comment by [email protected] on 30 Dec 2011 at 9:16

  • Changed state: Fixed

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Issue 36 has been merged into this issue.

Original comment by [email protected] on 2 Jan 2012 at 12:57

from reaver-wps.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I am running reaver version 1.4 and the issue is still occurring; 
sometimes it crashes with an Aborted message.

Original comment by [email protected] on 27 Oct 2013 at 12:15

from reaver-wps.
