apm1007 / reaver-wps

Automatically exported from code.google.com/p/reaver-wps

Reaver cannot associate or complete WPS transaction under some circumstances #709

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Summary: on Kali Linux, Reaver associates and progresses through testing PINs. 
On Debian Wheezy with Kali packages, it cannot. This is the case for both v1.4 
and SVN r119.

TEMPLATE QUESTIONS:

0. What version of Reaver are you using?
   Released 1.4 and SVN r119

1. What operating system are you using (Linux is the only supported OS)?
   Kali Linux and Debian Wheezy with Kali packages.

2. Is your wireless card in monitor mode (yes/no)?
   Yes.

3. What is the signal strength of the Access Point you are trying to crack?
   RSSI -18 (less than 1m away)

4. What is the manufacturer and model # of the device you are trying to
crack?
   TP Link TD-W8960N

5. What is the entire command line string you are supplying to reaver?
   reaver -i mon0 -e "${ESSID}" -b ${BSSID} -c ${CHAN} -vv -S

6. Please describe what you think the issue is.
   Something in Kali is allowing Reaver to work; something in Debian isn't. It suggests a compatibility problem that could be documented.

7. Paste the output from Reaver below.
   See end (reaver output and pcap files linked)

DETAILS

Wireless card (from lspci): Realtek Semiconductor Co., Ltd. RTL8723BE PCIe 
Wireless Network Adapter. Device is labelled "wlan0", monitor is "mon0".

PC: Metabox Alpha WA50SJ variant

OSes:

1. Kali Linux 1.1.0 amd64 from 
http://cdimage.kali.org/kali-1.1.0/kali-linux-1.1.0-amd64.iso

2. Debian Wheezy live image (built using live-build). The code for the build I 
used for this test is here: https://github.com/detly/dart/tree/reaver-bug . If 
you would like an image of this to test, please contact me (Reaver devs only) - 
it's 210MB.

To be honest, this will probably be reproducible on any recent Debian or Ubuntu 
distro with libpcap0.8 before 1.6.

Procedure: I wrote up a shell script (should work on any POSIX compliant shell) 
for the procedure I used: 
https://github.com/detly/dart/blob/reaver-bug/config/includes.chroot/root/go on 
each system.

NOTE: Please take care running this script! I wrote it purely so I could do 
this repeatably; I have no idea if it will work on other systems without eg. 
wiping your hard drive. If you download it and use it, please inspect it and 
run it only on disposable systems.

ON KALI:

1. Boot into Kali and connect to a network.

2. (If testing SVN r119) Download my package of Reaver r119 with "wget 
https://github.com/detly/dart/blob/reaver-bug/config/packages.chroot/reaver_1.4.detly-1_amd64.deb?raw=true" 
(or, if you like luxury, host it somewhere with a shorter URL or put it in 
Dropbox or something). Install this with "dpkg -i reaver_1.4.detly-1_amd64.deb".

3. Download my testing script: "wget 
https://raw.githubusercontent.com/detly/dart/reaver-bug/config/includes.chroot/root/go"

4. Edit the script to put the details of your AP at the top.

5. Make the script executable and run it: "chmod a+x ./go && ./go"

This will stop network-manager and wpa_supplicant, put the card in monitor 
mode, run wash and reaver capturing the output of both (plus a packet capture 
for reaver).

ON DEBIAN:

1. Boot into the live image.

2. Use "sudo -i" to get a root shell.

3. The script is already on the live image, but if you're not using that, 
download the script as above. Similarly, the live image uses reaver r119, but 
if your distro doesn't have that, download and install that too.

4. Edit and run the script: "./go"

RESULTS:

1. Not so important, but still puzzling: wash lists no APs when using r119. 
v1.4 works fine.

2. On Kali, reaver associates and crunches through PINs nice and quick. I have 
not run it to completion yet, but I have run it for about 8 hours and it was 
still progressing when I killed it.

3. On Debian, reaver often can't even associate. I have actually tried the 
trick of using "aireplay-ng -1 120 ..." to associate, and in another terminal 
running reaver with the "-A" flag. No luck.

FILES:

Unfortunately Google Code tells me your project has exceeded its quota for 
issue attachments. So I've put the output in Dropbox: 
https://www.dropbox.com/sh/iqjiefjt750v73o/AABxm9p3FW9cMPy2zA3i3zS6a?dl=0

Each subfolder contains: wash/reaver output, pcap files (tcpdump output for 
mon0) and ifconfig output for wlan0 and mon0.

Subfolders:

Kali_Reaver_1.4 - Kali's ISO with the 1.4 release of reaver (i.e. without 
downloading the r119 package). Note that this is the only one with valid wash 
output.

Kali_Reaver_r119 - Kali's ISO with reaver r119 (SVN HEAD when I did this). Note 
that reaver still works great, even though wash doesn't.

Dart_Reaver_r119 - My Debian/Kali live image, with reaver r119.

RE. BUG VALIDITY

It might be reasonable to say that it's just a bug in Debian/Ubuntu/whatever I 
did with my live image, because clearly it works under Kali. But as far as I 
can tell, all dependencies are satisfied, the hardware is identical, and the 
packages are the same. Even if the bug itself can't be diagnosed from this, it 
would be nice to have some pointers so I can track this down further.

REAVER OUTPUT

Sample only, full logs are in the Dropbox folder linked.

Good (Kali/v1.4):

[+] Switching mon0 to channel 6
[+] Waiting for beacon from 64:70:02:A0:D5:17
[+] Associated with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01235678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 11115670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 22225672
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK

Bad (Debian/r119):

[+] Switching mon0 to channel 6
[+] Waiting for beacon from 64:70:02:A0:D5:17
[!] WARNING: Failed to associate with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[!] WARNING: Failed to associate with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Associated with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Trying pin 12345670
[!] WARNING: Failed to associate with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670

Original issue reported on code.google.com by jason.he...@gmail.com on 8 Mar 2015 at 11:29
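The two logs above differ in a way that is easy to miss when reading eight hours of output by eye: in the good run every PIN attempt has exactly one identity request and a complete M1 to M4 round trip before the AP's WSC NACK, whereas in the bad run the identity request is retransmitted several times (the EAP authenticator resends it when it gets no response it accepts), M1 arrives a second time after M2 was already sent, and each attempt ends in a "WPS transaction failed" line. The following summariser is an added example written for this issue, not Reaver's own code; it parses only the "[+]"/"[!]" line formats quoted in the report, the sample logs are constructed by condensing the output above, the field and verdict names are mine, and it deliberately does not decode the meaning of the hex failure codes, which the report does not explain. It is a log-reading aid for comparing two builds, and it never touches the network.

```python
"""Summarise per-PIN WPS outcomes from a Reaver log (added example, not Reaver code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples, condensed from the "Good" and "Bad" output in the report.
GOOD_LOG = """\
[+] Associated with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
"""

BAD_LOG = """\
[+] Trying pin 12345670
[!] WARNING: Failed to associate with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
"""

PIN_RE = re.compile(r"\[\+\] Trying pin (\d+)")
MSG_RE = re.compile(r"\[\+\] (?:Received|Sending) (M\d) message")
FAIL_RE = re.compile(r"WPS transaction failed \(code: (0x[0-9A-Fa-f]+)\)")


@dataclass
class Attempt:
    pin: str
    identity_requests: int = 0                      # EAP identity requests seen for this PIN
    messages: List[str] = field(default_factory=list)  # M1..M4 in the order they appeared
    nacks_received: int = 0
    timeouts: int = 0
    assoc_failures: int = 0
    fail_code: Optional[str] = None                 # hex code from "WPS transaction failed"

    def verdict(self) -> str:
        if self.fail_code is not None:
            return "transaction_failed"
        if "M4" in self.messages and self.nacks_received:
            # Full M1-M4 round trip answered by a NACK: the exchange itself is
            # healthy and the AP simply rejected this PIN.
            return "pin_rejected"
        return "incomplete" if self.messages else "no_exchange"


def parse_reaver_log(text: str) -> List[Attempt]:
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PIN_RE.match(line):
            cur = Attempt(m.group(1))
            attempts.append(cur)
            continue
        if cur is None:
            continue  # channel / beacon / association lines before the first PIN
        if "Received identity request" in line:
            cur.identity_requests += 1
        elif m := MSG_RE.match(line):
            cur.messages.append(m.group(1))
        elif "Received WSC NACK" in line:
            cur.nacks_received += 1
        elif "Receive timeout occurred" in line:
            cur.timeouts += 1
        elif "Failed to associate" in line:
            cur.assoc_failures += 1
        elif m := FAIL_RE.search(line):
            cur.fail_code = m.group(1)
    return attempts


def summarize(text: str) -> List[dict]:
    """One row per PIN attempt; duplicate_messages flags e.g. M1 arriving twice."""
    return [{
        "pin": a.pin,
        "verdict": a.verdict(),
        "identity_requests": a.identity_requests,
        "messages": a.messages,
        "duplicate_messages": len(a.messages) != len(set(a.messages)),
        "timeouts": a.timeouts,
        "assoc_failures": a.assoc_failures,
        "fail_code": a.fail_code,
    } for a in parse_reaver_log(text)]


if __name__ == "__main__":
    for label, log in (("Kali/v1.4", GOOD_LOG), ("Debian/r119", BAD_LOG)):
        print(label)
        for row in summarize(log):
            print("  ", row)
```

Run it over the full logs from the Dropbox folder (`summarize(open("reaver.log").read())`) and the healthy build shows a long run of `pin_rejected` rows with `identity_requests` of 1, while the broken build shows `transaction_failed` rows with retransmitted identity requests, duplicate M1 messages and timeouts, which narrows the question to why the identity responses and M2 are not being seen by the AP on that build.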

GoogleCodeExporter commented 9 years ago
I forgot to mention: my first theory was that since I would try the Debian 
image after Kali, perhaps the router had locked WPS and I was only seeing it on 
the second distro I tried. However both wash and the router itself confirmed 
that this was not the case. It has always been possible to switch back to Kali 
and use reaver without any problems no matter how long I do this for.

Original comment by jason.he...@gmail.com on 8 Mar 2015 at 11:32