Open GoogleCodeExporter opened 8 years ago
Original comment by cheff...@tacnetsol.com
on 13 Jan 2012 at 1:53
Reaver sometimes stops by itself with this Segmentation fault answer after a
while on a WPS-responding AP (saving is done correctly):
reaver -i mon0 -b 50:67:F0:xx:xx:xx -c 1 -v
BT 5 r1
reaver r93
AP Zyxel
Original comment by patricks...@gmail.com
on 16 Jan 2012 at 4:10
patrick, this is a separate bug. Should be fixed in r94 (just checked in).
Original comment by cheff...@tacnetsol.com
on 16 Jan 2012 at 4:48
[+] 11.48% complete @ 2012-01-16 12:49:21 (2 seconds/attempt)
[+] Trying pin 64705675
[+] Sending EAPOL START request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Sending M4 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 01075670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
Segmentation fault (core dumped)
Chipset AR9271, Driver ath9k, Reaver 1.4 r94, Backtrack 5 R1.
Original comment by didik.to...@gmail.com
on 16 Jan 2012 at 5:53
didik, are you sure you did a full re-build with r94?
make cleanall
./configure
make
make install
Original comment by cheff...@tacnetsol.com
on 16 Jan 2012 at 6:27
reaver-wps-svn/src# make distclean
reaver-wps-svn# svn up
U src/wps/wps_registrar.c
Updated to revision 94.
reaver-wps-svn/src# ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for pcap_open_live in -lpcap... yes
checking for sqlite3_open in -lsqlite3... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for stdlib.h... (cached) yes
checking for stdint.h... (cached) yes
checking for string.h... (cached) yes
checking pcap.h usability... yes
checking pcap.h presence... yes
checking for pcap.h... yes
checking sqlite3.h usability... yes
checking sqlite3.h presence... yes
checking for sqlite3.h... yes
configure: creating ./config.status
config.status: creating Makefile
reaver-wps-svn/src# make && make install
reaver-wps-svn/src# reaver -i mon1 -vv -w -a -b 30:46:9A:39:A3:89
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Waiting for beacon from 30:46:9A:39:A3:89
[+] Switching mon1 to channel 2
[+] Switching mon1 to channel 3
[+] Switching mon1 to channel 4
[+] Switching mon1 to channel 5
[+] Switching mon1 to channel 6
[+] Switching mon1 to channel 7
[+] Switching mon1 to channel 8
[+] Switching mon1 to channel 9
[+] Switching mon1 to channel 11
[+] Associated with 30:46:9A:39:A3:89 (ESSID: NETGEAR)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Received M1 message
[+] Sending WSC NACK
[+] Received M3 message
Segmentation fault
Original comment by dirk.moe...@googlemail.com
on 16 Jan 2012 at 6:49
dirk, try r95.
Original comment by cheff...@tacnetsol.com
on 16 Jan 2012 at 7:12
r95 works for me, thanks.
reaver-wps-svn/src# make distclean
reaver-wps-svn# svn up
U src/Makefile.in
U src/pins.c
U src/wpscrack.c
U src/exchange.c
U src/cracker.c
Updated to revision 95.
reaver-wps-svn/src# ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for pcap_open_live in -lpcap... yes
checking for sqlite3_open in -lsqlite3... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for stdlib.h... (cached) yes
checking for stdint.h... (cached) yes
checking for string.h... (cached) yes
checking pcap.h usability... yes
checking pcap.h presence... yes
checking for pcap.h... yes
checking sqlite3.h usability... yes
checking sqlite3.h presence... yes
checking for sqlite3.h... yes
configure: creating ./config.status
config.status: creating Makefile
reaver-wps-svn/src# make && make install
reaver-wps-svn/src# reaver -i mon1 -vv -w -b 30:46:9A:39:A3:89
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Waiting for beacon from 30:46:9A:39:A3:89
[+] Switching mon1 to channel 11
[+] Associated with 30:46:9A:39:A3:89 (ESSID: NETGEAR)
[+] Trying pin 00000000
[+] Sending EAPOL START request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00010009
[+] Sending EAPOL START request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00020008
[+] Sending EAPOL START request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x3), re-trying last pin
[+] Trying pin 00020008
[+] Sending EAPOL START request
[+] Received M3 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x3), re-trying last pin
[+] Trying pin 00020008
[+] Sending EAPOL START request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x2), re-trying last pin
[+] Trying pin 00020008
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x3), re-trying last pin
[+] 0.02% complete @ 2012-01-16 20:31:02 (25 seconds/pin)
[+] Trying pin 00020008
[+] Sending EAPOL START request
[+] Received M3 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x3), re-trying last pin
[+] Trying pin 00020008
[+] Sending EAPOL START request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x2), re-trying last pin
[+] Trying pin 00020008
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
^C
[+] Session saved.
Original comment by dirk.moe...@googlemail.com
on 16 Jan 2012 at 7:38
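As an added example (not part of this thread and not Reaver's own code), here is a small Python checker that walks Reaver's verbose output, rebuilds the message sequence of each PIN attempt and flags the out-of-order events visible in the logs above: the AP re-sending M1 after M2 was already answered, an M3 arriving after the client has already sent a WSC NACK, and the process crashing. The sample log is constructed, modelled on the r94 output posted above; the MAC address and ESSID in it are placeholders.

```python
"""Rebuild WPS registration attempts from Reaver-style verbose log lines and
report message-order anomalies.  Added example, not code from the thread."""
import re
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional

TRYING = re.compile(r"\[\+\] Trying pin (\d{8})")
RECEIVED = re.compile(r"\[\+\] Received (M\d|WSC NACK)")
SENDING = re.compile(r"\[\+\] Sending (M\d|WSC NACK|EAPOL START|identity)")
TIMEOUT = re.compile(r"\[!\] WARNING: Receive timeout")
FAILED = re.compile(r"\[!\] WPS transaction failed \(code: (0x[0-9a-fA-F]+)\)")
SEGFAULT = re.compile(r"^Segmentation fault")


@dataclass
class Attempt:
    """One PIN attempt as seen from the client (enrollee) side."""
    pin: str
    received: List[str] = field(default_factory=list)
    sent: List[str] = field(default_factory=list)
    nacked: bool = False            # True once we have sent a WSC NACK
    timeouts: int = 0
    fail_code: Optional[str] = None


class Anomaly(NamedTuple):
    line: int     # 1-based line number in the log text
    pin: str
    kind: str     # short machine-readable tag
    detail: str


def analyse(log_text: str):
    """Return (attempts, anomalies) for a block of Reaver verbose output."""
    attempts: List[Attempt] = []
    anomalies: List[Anomaly] = []
    cur: Optional[Attempt] = None
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = TRYING.match(line)
        if m:
            cur = Attempt(pin=m.group(1))
            attempts.append(cur)
            continue
        if cur is None:
            continue  # banner, association and channel hopping lines
        m = RECEIVED.match(line)
        if m:
            msg = m.group(1)
            if msg.startswith("M") and msg in cur.received:
                anomalies.append(Anomaly(n, cur.pin, "duplicate-" + msg,
                                         "AP restarted the exchange mid-attempt"))
            if msg == "M3" and cur.nacked:
                anomalies.append(Anomaly(n, cur.pin, "M3-after-NACK",
                                         "M3 belongs to an exchange we already aborted"))
            if msg == "M3" and "M1" not in cur.received:
                anomalies.append(Anomaly(n, cur.pin, "M3-without-M1",
                                         "no M1/M2 state exists for this attempt"))
            cur.received.append(msg)
            continue
        m = SENDING.match(line)
        if m:
            cur.sent.append(m.group(1))
            if m.group(1) == "WSC NACK":
                cur.nacked = True
            continue
        if TIMEOUT.match(line):
            cur.timeouts += 1
            continue
        m = FAILED.match(line)
        if m:
            cur.fail_code = m.group(1)
            continue
        if SEGFAULT.match(line):
            anomalies.append(Anomaly(n, cur.pin, "crash", "process died during attempt"))
    return attempts, anomalies


# Constructed sample, modelled on the r94 log in the thread (placeholder MAC/ESSID).
SAMPLE_LOG = """\
[+] Associated with 00:11:22:33:44:55 (ESSID: TESTNET)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00000000
[+] Sending EAPOL START request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Received M1 message
[+] Sending WSC NACK
[+] Received M3 message
Segmentation fault
"""

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG)[1]:
        print(f"line {a.line:>3} pin {a.pin}: {a.kind} ({a.detail})")
```

Running the script on the sample prints the two repeated M1s, the M3 that arrives after the client had already NACKed, and the crash, all within the second attempt; the first attempt is a clean M1/M2/M3/M4/NACK round. Feeding a real session log to `analyse()` gives a quick way to see which message pattern preceded a crash before opening gdb.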
OK, good. :)
Actually r95 introduced a separate bug, grab r96.
Original comment by cheff...@tacnetsol.com
on 16 Jan 2012 at 7:47
Thanks, but I guess r95 also introduced a Makefile issue :-)
--
make distclean
rm -f /usr/local/bin/reaver /usr/local/bin/wash /usr/local/bin/walsh
make: *** No rule to make target `cleanall', needed by `distclean'. Stop.
Cheers,
Dirk
Original comment by dirk.moe...@googlemail.com
on 16 Jan 2012 at 7:50
Fixed. :)
Original comment by cheff...@tacnetsol.com
on 16 Jan 2012 at 7:59
Did you take off the randomized first four pin digits?
So it starts with 0001 and increments?
Well, my idea was: if you have 4 starting points, so first 0000, second 5000, third
4999, fourth 9999,
then the next four attempts would be incrementing the first two and decrementing
the third and fourth,
with the idea of coming close from four sides.
I do not think that a lot of WPS pins will have two zeros in the first two digits.
Original comment by patricks...@gmail.com
on 16 Jan 2012 at 8:43
Well, I found the randomized idea good...
Original comment by patricks...@gmail.com
on 16 Jan 2012 at 8:45
Yes, pin randomization was removed. In reality, it didn't give much (any?)
advantage over incremental pins (known common pins, i.e. 12345670, are still
tried first). Statistically I think that either approach is pretty close in
terms of speed/effectiveness.
Probably not a lot of pins start with 00, but this is such a small subset of
the entire pin range that skipping these would only save you a few minutes at
best. In theory, pins are generated randomly so these pins are just as likely
as any other pin anyway (again, theory...). We can probably add flags to
certain pins that are less likely in the future.
Maybe I'll make pin randomization an option.
Original comment by cheff...@tacnetsol.com
on 16 Jan 2012 at 9:07
As an option it would be good... it's like a lottery, sometimes someone will hit...
Original comment by patricks...@gmail.com
on 16 Jan 2012 at 9:10
I'm having trouble reproducing the original issue here.
QvistIan, can you confirm that this bug still exists in r97, and if so can you
provide a gdb backtrace?
Original comment by cheff...@tacnetsol.com
on 17 Jan 2012 at 12:57
I'm not able to at the moment. I'll see if I can test it tomorrow.
Original comment by Qvist...@gmail.com
on 18 Jan 2012 at 1:17
The problem is still there. Note that I use the -x argument to make reaver wait
600 seconds after it has 12 failed attempts. Once it has 12 failed attempts and
it starts waiting the 600 seconds, I press CTRL+C and it segfaults.
I guess you can replicate the case by disconnecting the antenna after reaver
has associated with the AP or blocking the signal with some foil.
Original comment by Qvist...@gmail.com
on 19 Jan 2012 at 6:26
I am getting the same issue with r119.
Original comment by jokesare...@gmail.com
on 28 Oct 2013 at 1:53
Original issue reported on code.google.com by
Qvist...@gmail.com
on 12 Jan 2012 at 6:03