badboy7 / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

Does not run properly in openwrt #46

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I compiled the code in openwrt build tree. It does compile and seems to run. 
Although the code does now compile using this makefile it does not run properly.

It does start hopping the channels but never associates.

Please find a copy of the makefile :-
#
# Copyright (C) 2012 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

include $(TOPDIR)/rules.mk

PKG_NAME:=reaver-wps
PKG_REV:=35
PKG_VERSION:=r$(PKG_REV)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE_PROTO:=svn
PKG_SOURCE_URL:=http://reaver-wps.googlecode.com/svn/trunk/src
PKG_SOURCE_VERSION:=$(PKG_REV)

include $(INCLUDE_DIR)/package.mk

define Package/reaver-wps
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=wireless
  TITLE:=Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs
  URL:=http://code.google.com/p/reaver-wps/
  DEPENDS:=+libpcap 
endef

define Package/reaver-wps/description
  Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2
  passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf .
endef

TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/

define Build/Prepare
    $(call Build/Prepare/Default)
#   sed -i 's/Q=@/Q=/' $(PKG_BUILD_DIR)/common/lib.rules
    sed -i 's/$$$$(CC)/$$$$(CC) $$$$(CFLAGS)/' $(PKG_BUILD_DIR)/wps/Makefile
    sed -i 's/CC=gcc/CC?=gcc/' $(PKG_BUILD_DIR)/libwps/Makefile
    sed -i 's/CFLAGS=/CFLAGS+=/' $(PKG_BUILD_DIR)/libwps/Makefile
    sed -i 's/CC = gcc/CC ?= gcc/' $(PKG_BUILD_DIR)/lwe/Makefile
    sed -i 's/AR = ar/AR ?= ar/' $(PKG_BUILD_DIR)/lwe/Makefile
    sed -i 's/RANLIB = ranlib/RANLIB ?= ranlib/' $(PKG_BUILD_DIR)/lwe/Makefile
    sed -i 's/CFLAGS=/CFLAGS+=/' $(PKG_BUILD_DIR)/lwe/Makefile
endef

define Package/reaver-wps/install
    $(INSTALL_DIR) $(1)/usr/sbin
    $(INSTALL_BIN) $(PKG_BUILD_DIR)/reaver $(1)/usr/sbin/
endef

$(eval $(call BuildPackage,reaver-wps))

http://paste.debian.net/150669/

What version of the product are you using? On what operating system? r35

Original issue reported on code.google.com by g...@watchingyou.info on 1 Jan 2012 at 9:58

Attachments:

GoogleCodeExporter commented 9 years ago
You didn't mention what device you were running openwrt on. Does the wireless 
chipset in the device support monitor mode?  Did you put the wireless interface 
into monitor mode?  Does the wireless interface support packet injection? Do 
you have any pcap files you can supply to help troubleshoot the issue?

Original comment by cheff...@tacnetsol.com on 2 Jan 2012 at 1:14

GoogleCodeExporter commented 9 years ago
Same here! I´m using OpenWRT trunk with ath9k. (TP Link WR841ND: Atheros 
AR9287)
reaver stops working while waiting for beacon. airodump-ng captures all frames 
well..

"Reaver v1.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from xx:xx:xx:xx:xx:xx"

Original comment by SimonPol...@googlemail.com on 2 Jan 2012 at 3:07

Attachments:

GoogleCodeExporter commented 9 years ago
Thanks for the pcap simon. Are you running Reaver in verbose mode (-vv)? If 
not, use -vv and see what output you get. You should at least see it hopping 
channels while looking for the beacon packets.

Original comment by cheff...@tacnetsol.com on 2 Jan 2012 at 3:24

GoogleCodeExporter commented 9 years ago
I suspect it didn't work on mips because mips is BE, but to understand the 
exact source of the problem more debugging is needed. 

Original comment by g...@watchingyou.info on 2 Jan 2012 at 10:35

GoogleCodeExporter commented 9 years ago
With -vv

"Reaver v1.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from D8:5D:4C:F6:2C:96
[+] Switching wlan0 to channel 2
[+] Switching wlan0 to channel 3
[+] Switching wlan0 to channel 4
[+] Switching wlan0 to channel 5
[+] Switching wlan0 to channel 6
[+] Switching wlan0 to channel 7
[+] Switching wlan0 to channel 8
[+] Switching wlan0 to channel 9
[+] Switching wlan0 to channel 10
[+] Switching wlan0 to channel 11
[+] Switching wlan0 to channel 12
[+] Switching wlan0 to channel 13
[+] Switching wlan0 to channel 14
[+] Switching wlan0 to channel 1"

Channel switching works, as i can see the changing frequency in iwconfig.

Looks like it doesnt get the packets properly or its interpreting them bad for 
some reason. (perhaps really a BE issue?)

Original comment by SimonPol...@googlemail.com on 2 Jan 2012 at 11:07

GoogleCodeExporter commented 9 years ago
I am running this on a UBNT Nanostation M2
The wifi driver is ath9k
The wireless interface was in monitor mode mon0
The ath9k wifi driver on openwrt r29631 does support packet injection.
aircrack-ng suite all works OK

Comment 1 by project member cheff...@tacnetsol.com, Today (9 hours ago)

You didn't mention what device you were running openwrt on. Does the wireless 
chipset in the device support monitor mode?  Did you put the wireless interface 
into monitor mode?  Does the wireless interface support packet injection? Do 
you have any pcap files you can supply to help troubleshoot the issue?

Original comment by g...@watchingyou.info on 2 Jan 2012 at 11:35

GoogleCodeExporter commented 9 years ago

Original comment by cheff...@tacnetsol.com on 2 Jan 2012 at 3:33

GoogleCodeExporter commented 9 years ago
Very likely is a BE issue. If we get a chance we'll try to test this and track 
it down, but putting it as low priority right now.

Original comment by cheff...@tacnetsol.com on 3 Jan 2012 at 2:04

GoogleCodeExporter commented 9 years ago
This is a new openwrt makefile but the BE problem is still in the code.
It does compile now all that remains is to fix the BE issue.

#
# Copyright (C) 2011 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

include $(TOPDIR)/rules.mk

PKG_NAME:=reaver
PKG_VERSION:=1.3
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://reaver-wps.googlecode.com/files
PKG_MD5SUM:=6ec7dbb11b67e1b4a20f2ceba5f69547

include $(INCLUDE_DIR)/package.mk

define Package/reaver
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=wireless
  TITLE:=Brute force attack against Wifi Protected Setup
  URL:=https://code.google.com/p/reaver-wps/
  DEPENDS:=+libpcap +sqlite3 +libsqlite3-dev
endef

define Package/reaver/description
  Reaver targets the external registrar functionality mandated by the WiFi
  Protected Setup specification.
  Access points will provide authenticated registrars with their current
  wireless configuration (including the WPA PSK), and also accept a new
  configuration from the registrar.
endef

CONFIGURE_PATH:=src

MAKE_PATH:=src

TARGET_CFLAGS+=$(TARGET_CPPFLAGS)

define Package/reaver/install
    $(INSTALL_DIR) $(1)/usr/bin
    $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/reaver $(1)/usr/bin/
endef

$(eval $(call BuildPackage,reaver)) 

Original comment by g...@watchingyou.info on 4 Jan 2012 at 8:42

GoogleCodeExporter commented 9 years ago
Does it compile for you with only...(below)...? 
DEPENDS:=+libpcap +libsqlite3

Original comment by kopl...@gmail.com on 5 Jan 2012 at 3:36

GoogleCodeExporter commented 9 years ago

Yes it will compile but it does not work properly it just sits '[+] Waiting for 
beacon from 00:22:33:44:55:66'

No matter which AP you choose.

Comment 10 by kopl...@gmail.com, Today (6 hours ago)

Does it compile for you with only...(below)...? 
DEPENDS:=+libpcap +libsqlite3

Original comment by g...@watchingyou.info on 5 Jan 2012 at 10:55

GoogleCodeExporter commented 9 years ago
As I understand the question, it refers to the "depends" actually needed to 
successfully compile reaver - I also wondered about it already as neither 
+sqlite3 nor +libsqlite3-dev are available as an OpenWrt package/dependency (at 
least in current trunk) but +libsqlite3 is. Also, the Makefile should, from my 
perspective, introduce both walsh and reaver.db to the "define 
Package/reaver/install" section.

Original comment by rhors...@googlemail.com on 5 Jan 2012 at 11:32

GoogleCodeExporter commented 9 years ago
Should by DEPENDS:=+libpcap +libsqlite3

not -dev

Original comment by cezary.j...@gmail.com on 5 Jan 2012 at 4:12

GoogleCodeExporter commented 9 years ago
Same issue here,

# reaver -i ath0 -b 00:12:17:D5:39:25 -vv

Reaver v1.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

,[+] Waiting for beacon from 00:12:17:D5:39:25
[+] Switching ath0 to channel 2
[+] Switching ath0 to channel 3
[+] Switching ath0 to channel 4
[+] Switching ath0 to channel 5
[+] Switching ath0 to channel 6
[+] Switching ath0 to channel 7
[+] Switching ath0 to channel 8
[+] Switching ath0 to channel 9
[+] Switching ath0 to channel 10
[+] Switching ath0 to channel 11
[+] Switching ath0 to channel 12
[+] Switching ath0 to channel 13
[+] Switching ath0 to channel 14
[+] Switching ath0 to channel 1

I attach a strace of the same commands as above (also here; 
http://pastebay.com/270522)

Original comment by GeleGrodan on 8 Jan 2012 at 9:41

Attachments:

GoogleCodeExporter commented 9 years ago
Same here, on AR7 (TI acx), which is MIPS little endian (mipsel).

Additionally, when it reaches CH14, it hangs (no restart from CH1).
Using fixed channel didn't help (switches channel, but still no assiciation).

Monitor mode enabled, aircrack-ng tools working.

Original comment by avr32fr...@gmail.com on 9 Jan 2012 at 7:33

GoogleCodeExporter commented 9 years ago
Hmmm...perhaps not an endian bug then.

Original comment by cheff...@tacnetsol.com on 9 Jan 2012 at 8:19

GoogleCodeExporter commented 9 years ago
Issue 120 has been merged into this issue.

Original comment by cheff...@tacnetsol.com on 10 Jan 2012 at 5:43

GoogleCodeExporter commented 9 years ago
I'm guessing this won't be solved until the integration with aircrack-ng libs?

Original comment by GeleGrodan on 10 Jan 2012 at 7:13

GoogleCodeExporter commented 9 years ago
Gele, that is correct. I'm close to releasing Reaver 1.4 (a few more bugs I 
want fixed before that release), which will be the last release before 
integration into aircrack-ng. 

Original comment by cheff...@tacnetsol.com on 11 Jan 2012 at 12:38

GoogleCodeExporter commented 9 years ago
Sorry for being a pain but do you have any ETA on that? We talk a week or 
3months? 

Original comment by GeleGrodan on 11 Jan 2012 at 12:54

GoogleCodeExporter commented 9 years ago
Probably somewhere in between. I've been added to the aircrack project 
officially now and have been looking at what it will take to integrate reaver 
in with the existing aircrack code and libraries, which I think will be pretty 
straight forward. The 1.4 release should be out this week and I can start work 
on aircrack integration in ernest. 

Original comment by cheff...@tacnetsol.com on 11 Jan 2012 at 1:06

GoogleCodeExporter commented 9 years ago
Please review issue 120, it is not an openwrt issue.

See patch attached to issue 120

Original comment by annemarc...@gmail.com on 12 Jan 2012 at 12:19

GoogleCodeExporter commented 9 years ago
Sorry annemarcel, my bad. Thanks for the patch, fix is checked in to SVN.

Original comment by cheff...@tacnetsol.com on 12 Jan 2012 at 12:43

GoogleCodeExporter commented 9 years ago
So does 1.4 version now compile and run ok on openwrt?

Original comment by valent.turkovic on 30 Jan 2012 at 7:34

GoogleCodeExporter commented 9 years ago
Valent; "I'm close to releasing Reaver 1.4 (a few more bugs I want fixed before 
that release), which will be the last release before integration into 
aircrack-ng."

Original comment by GeleGrodan on 31 Jan 2012 at 2:00

GoogleCodeExporter commented 9 years ago
same issue:
I use Backtrack 5(no Rc1) live dvd.
First I coinnect to my wifi network and 
apt-get update
apt-get instal reaver
then I disconnect it.
modprobe -r rtl8187 && modprobe r8187
Now I work with good driver(not ieee one).
airmon-ng start wlan0
airodump-ng wlan0
I choose network, I tried many
and I always see switching channels.
I also used that trick:
1. run: aireplay-ng mon0 -1 120 -a 68:7F:74:E2:4A:1C -e kitty-Home
2. then: reaver -i mon0 -A -b 68:7F:74:E2:4A:1C -c 6 -vv --no-nacks --win7

assosciation works but reaver....  does not.

Original comment by piotrchm...@poczta.fm on 15 Feb 2012 at 7:58

GoogleCodeExporter commented 9 years ago
[ bug found ]

#reaver-wps: v1.4

#hardware: TL-WR703N (upgrade version 16mb flash & 64ram)
#system: Linux mips
#kernel: 3.2.9

#testing wireless drivers: ath9k, rtl8187 & rt73usb

#ldd reaver

        libdl.so.0 => /lib/libdl.so.0 (0x2af20000)
        libm.so.0 => /lib/libm.so.0 (0x2af33000)
        libpcap.so.1.1 => /lib/libpcap.so.1.1 (0x2af58000)
        libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x2af98000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2b043000)
        libc.so.0 => /lib/libc.so.0 (0x2b065000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x2b0d0000)
        ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0x2af08000)

-------------------------------------------------------------------------------
#strace:

wait4(-1, NULL, 0, NULL)                = 24334
--- SIGCHLD (Child exited) @ 0 (0) ---
alarm(0)                                = 3
rt_sigaction(SIGCHLD, {SIG_DFL, [], 0}, NULL, 16) = 0
execve("/usr/bin/reaver", ["reaver", "-i", "mon0", "-b", "5c:d9:98:21:AB:CD", 
"-vv", "-a"], [/* 11 vars */]) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|0x4000000, 
-1, 0) = 0x2b425000
stat("/etc/ld.so.cache", 0x7fd661e0)    = -1 ENOENT (No such file or directory)
open("/lib/libdl.so.0", O_RDONLY)       = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=8352, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|0x4000000, 
-1, 0) = 0x2b426000
read(3, 
"\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\0\t\300\0\0\0004"..., 4096) 
= 4096
old_mmap(NULL, 77824, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b436000
old_mmap(0x2b436000, 7840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 
0x2b436000
old_mmap(0x2b447000, 4256, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 
0x1000) = 0x2b447000
close(3)                                = 0
munmap(0x2b426000, 4096)                = 0
open("/lib/libm.so.0", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=84116, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|0x4000000, 
-1, 0) = 0x2b426000
read(3, 
"\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\0\26\0\0\0\0004"..., 4096) 
= 4096
old_mmap(NULL, 151552, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b449000
old_mmap(0x2b449000, 83664, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 
0x2b449000
old_mmap(0x2b46d000, 2196, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 
0x14000) = 0x2b46d000
close(3)                                = 0
munmap(0x2b426000, 4096)                = 0
open("/lib/libpcap.so.1.1", O_RDONLY)   = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=192720, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|0x4000000, 
-1, 0) = 0x2b426000
read(3, 
"\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\0005\240\0\0\0004"..., 
4096) = 4096
old_mmap(NULL, 262144, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b46e000
old_mmap(0x2b46e000, 189916, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) 
= 0x2b46e000
old_mmap(0x2b4ac000, 4304, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 
0x2e000) = 0x2b4ac000
close(3)                                = 0
munmap(0x2b426000, 4096)                = 0
open("/lib/libsqlite3.so.0", O_RDONLY)  = -1 ENOENT (No such file or directory)
open("/usr/lib/libsqlite3.so.0", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=632484, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|0x4000000, 
-1, 0) = 0x2b426000
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\0M\20\0\0\0004"..., 
4096) = 4096
old_mmap(NULL, 700416, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b4ae000
old_mmap(0x2b4ae000, 625264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) 
= 0x2b4ae000
old_mmap(0x2b556000, 9892, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 
0x98000) = 0x2b556000
close(3)                                = 0
munmap(0x2b426000, 4096)                = 0
open("/lib/libgcc_s.so.1", O_RDONLY)    = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=71576, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|0x4000000, 
-1, 0) = 0x2b426000
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\0005p\0\0\0004"..., 
4096) = 4096
old_mmap(NULL, 139264, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b559000
old_mmap(0x2b559000, 69228, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 
0x2b559000
old_mmap(0x2b57a000, 1944, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 
0x11000) = 0x2b57a000
close(3)                                = 0
munmap(0x2b426000, 4096)                = 0
open("/lib/libc.so.0", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=351360, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|0x4000000, 
-1, 0) = 0x2b426000
read(3, 
"\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\0\234@\0\0\0004"..., 4096) 
= 4096
old_mmap(NULL, 438272, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b57b000
old_mmap(0x2b57b000, 343436, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) 
= 0x2b57b000
old_mmap(0x2b5df000, 7296, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 
0x54000) = 0x2b5df000
old_mmap(0x2b5e1000, 17092, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2b5e1000
close(3)                                = 0
munmap(0x2b426000, 4096)                = 0
open("/lib/libc.so.0", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=351360, ...}) = 0
close(3)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=351360, ...}) = 0
close(3)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=351360, ...}) = 0
close(3)                                = 0
open("/lib/libgcc_s.so.1", O_RDONLY)    = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=71576, ...}) = 0
close(3)                                = 0
open("/lib/libdl.so.0", O_RDONLY)       = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=8352, ...}) = 0
close(3)                                = 0
open("/lib/libpthread.so.0", O_RDONLY)  = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=78652, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|0x4000000, 
-1, 0) = 0x2b426000
read(3, 
"\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\0?\360\0\0\0004"..., 4096) 
= 4096
old_mmap(NULL, 155648, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b5e6000
old_mmap(0x2b5e6000, 74008, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 
0x2b5e6000
old_mmap(0x2b608000, 4924, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 
0x12000) = 0x2b608000
old_mmap(0x2b60a000, 5216, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2b60a000
close(3)                                = 0
munmap(0x2b426000, 4096)                = 0
open("/lib/libgcc_s.so.1", O_RDONLY)    = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=71576, ...}) = 0
close(3)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=351360, ...}) = 0
close(3)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=351360, ...}) = 0
close(3)                                = 0
open("/lib/libdl.so.0", O_RDONLY)       = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=8352, ...}) = 0
close(3)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=351360, ...}) = 0
close(3)                                = 0
stat("/lib/ld-uClibc.so.0", {st_mode=S_IFREG|0755, st_size=28980, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|0x4000000, 
-1, 0) = 0x2b426000
set_thread_area(0x2b42d2d0)             = 0
mprotect(0x2b447000, 4096, PROT_READ)   = 0
mprotect(0x2b5df000, 4096, PROT_READ)   = 0
mprotect(0x2b608000, 4096, PROT_READ)   = 0
mprotect(0x2b434000, 4096, PROT_READ)   = 0
set_tid_address(0x2b425ef8)             = 24333
SYS_4309()                              = 0
rt_sigaction(SIGRT_0, {0x8, [RT_68 RT_69 RT_71 RT_74 RT_75 RT_76 RT_77 RT_84 
RT_85 RT_87 RT_89 RT_90 RT_92 RT_94], SA_STACK|SA_INTERRUPT|0x35ef4b4}, NULL, 
16) = 0
rt_sigaction(SIGRT_1, {0x10000008, [RT_68 RT_69 RT_71 RT_74 RT_75 RT_76 RT_77 
RT_84 RT_85 RT_87 RT_89 RT_90 RT_92 RT_94], SA_STACK|SA_INTERRUPT|0x35ef390}, 
NULL, 16) = 0
rt_sigprocmask(SIG_UNBLOCK, [RT_0 RT_1], NULL, 16) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
ioctl(0, TIOCNXCL, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TIOCNXCL, {B38400 opost isig icanon echo ...}) = 0
brk(0)                                  = 0x4e5000
brk(0x4f0000)                           = 0x4f0000
brk(0x4f1000)                           = 0x4f1000
stat64(0x4f0710, 0x7fd65e68)            = 0
open("/etc/reaver/reaver.db", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = 3
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0777, st_size=14336, ...}) = 0
_llseek(3, 0, [0], SEEK_SET)            = 0
read(3, "SQLite format 3\0\4\0\1\1\0@  \0\3.\340\0\0\0\16"..., 100) = 100
brk(0x501000)                           = 0x501000
write(2, "\nReaver v", 9)               = 9
write(2, "1.4", 3)                      = 3
write(2, " WiFi Protected Setup Attack Too"..., 34) = 34
write(2, "Copyright (c) 2011, Tactical Net"..., 88) = 88
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, 0x8927, {ifr_name="mon0", ifr_hwaddr=5c:63:bf:fe:38:a9}) = 0
close(4)                                = 0
rt_sigaction(SIGINT, {SIG_DFL, [], 0x408440 /* SA_??? */}, NULL, 16) = 0
rt_sigaction(SIGALRM, {SIG_DFL, [], 0x408300 /* SA_??? */}, NULL, 16) = 0
time(NULL)                              = 1331160148
open("/proc/net/dev", O_RDONLY|O_LARGEFILE) = 4
ioctl(4, TIOCNXCL, 0x7fd65fa8)          = -1 ENOTTY (Inappropriate ioctl for 
device)
brk(0x502000)                           = 0x502000
read(4, "Inter-|   Receive               "..., 4096) = 1923
close(4)                                = 0
socket(PF_PACKET, SOCK_RAW, 3)          = 4
ioctl(4, 0x8933, {ifr_name="lo", ifr_index=1}) = 0
ioctl(4, 0x8927, {ifr_name="mon0", ifr_hwaddr=5c:63:bf:fe:38:a9}) = 0
ioctl(4, 0x8933, {ifr_name="mon0", ifr_index=16}) = 0
bind(4, {sa_family=AF_PACKET, proto=0x03, if16, pkttype=PACKET_HOST, 
addr(0)={0, }, 20) = 0
getsockopt(4, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
setsockopt(4, SOL_PACKET, PACKET_ADD_MEMBERSHIP, 
"\0\0\0\20\0\1\0\0\0\0\0\0\0\0\0\0", 16) = 0
setsockopt(4, SOL_PACKET, PACKET_AUXDATA, [1], 4) = 0
getsockopt(4, SOL_PACKET, PACKET_HDRLEN, [28], [4]) = 0
setsockopt(4, SOL_PACKET, PACKET_VERSION, [1], 4) = 0
setsockopt(4, SOL_PACKET, PACKET_RESERVE, [4], 4) = 0
setsockopt(4, SOL_PACKET, PACKET_RX_RING, {block_size=8192, block_nr=504, 
frame_size=4160, frame_nr=504}, 16) = 0
mmap(NULL, 4128768, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0x2b60c000
brk(0x503000)                           = 0x503000
brk(0x504000)                           = 0x504000
... ... ... ...
... ... ... ...
... ... ... ...
brk(0x52f000)                           = 0x52f000
stat("/etc/reaver/5CD99821ABCD.wpc", {st_mode=S_IFREG|0777, st_size=54006, 
...}) = 0
open("/etc/reaver/5CD99821ABCD.wpc", O_RDONLY) = 5
ioctl(5, TIOCNXCL, 0x7fd662a8)          = -1 ENOTTY (Inappropriate ioctl for 
device)
brk(0x530000)                           = 0x530000
read(5, "4\n0\n0\n1234\n0000\n0123\n1111\n2222\n3"..., 4096) = 4096
brk(0x531000)                           = 0x531000
brk(0x532000)                           = 0x532000
... ... ... ...
... ... ... ...
... ... ... ...
read(5, "8\n809\n810\n811\n812\n813\n814\n815\n81"..., 4096) = 758
brk(0x55b000)                           = 0x55b000
close(5)                                = 0
write(1, "[+] Restored previous session\n", 30) = 30
write(1, "[+] Waiting for beacon from 5C:D"..., 46) = 46
time(NULL)                              = 1331160148
time(NULL)                              = 1331160148
poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}])
... ... ... ...
... ... ... ...
... ... ... ...
poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}])
time(NULL)                              = 1331160150
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
write(1, "[+] Switching mon0 to channel 1\n", 32) = 32
ioctl(5, 0x8b04, 0x7fd66448)            = 0
close(5)                                = 0
time(NULL)                              = 1331160150
poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}])
time(NULL)                              = 1331160150
poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}])
time(NULL)                              = 1331160150
poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}])
time(NULL)                              = 1331160152
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
write(1, "[+] Switching mon0 to channel 2\n", 32) = 32
ioctl(5, 0x8b04, 0x7fd66448)            = 0
close(5)                                = 0
time(NULL)                              = 1331160152
poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}])
time(NULL)                              = 1331160153
... ... ... ...
... ... ... ...
... ... ... ...
poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}])
time(NULL)                              = 1331160154
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
write(1, "[+] Switching mon0 to channel 3\n", 32) = 32
ioctl(5, 0x8b04, 0x7fd66448)            = 0
close(5)                                = 0
time(NULL)                              = 1331160154
poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}])
time(NULL)                              = 1331160154
... ... ... ...
... ... ... ...
... ... ... ...
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
write(1, "[+] Switching mon0 to channel 4\n", 32) = 32
ioctl(5, 0x8b04, 0x7fd66448)            = 0
close(5)                                = 0
time(NULL)                              = 1331160156
poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}])
time(NULL)                              = 1331160156
poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}])
time(NULL)                              = 1331160156
time(NULL)                              = 1331160156
poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}])
... ... ... ...
... ... ... ...
... ... ... ...
write(5, "\n9018\n9019\n9020\n9021\n9022\n9023\n9"..., 4096) = 4096
write(5, "9837", 4)                     = 4
write(5, "\n9838\n9839\n9840\n9841\n9842\n9843\n9"..., 4094) = 4094
write(5, "820", 3)                      = 3
fcntl64(3, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741824, len=1}, 
0x7fd64a08) = 0
fcntl64(3, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741826, 
len=510}, 0x7fd64a08) = 0
fcntl64(3, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=1073741824, len=1}, 
0x7fd64a08) = 0
access("/etc/reaver/reaver.db-journal", F_OK) = -1 ENOENT (No such file or 
directory)
fstat64(3, {st_mode=S_IFREG|0777, st_size=14336, ...}) = 0
access("/etc/reaver/reaver.db-wal", F_OK) = -1 ENOENT (No such file or 
directory)
fstat64(3, {st_mode=S_IFREG|0777, st_size=14336, ...}) = 0
_llseek(3, 0, [0], SEEK_SET)            = 0
read(3, "SQLite format 3\0\4\0\1\1\0@  \0\3.\340\0\0\0\16"..., 1024) = 1024
brk(0x55c000)                           = 0x55c000
brk(0x55d000)                           = 0x55d000
fcntl64(3, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}, 
0x7fd645c8) = 0
fcntl64(3, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741824, len=1}, 
0x7fd64a28) = 0
fcntl64(3, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741826, 
len=510}, 0x7fd64a28) = 0
fcntl64(3, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=1073741824, len=1}, 
0x7fd64a28) = 0
access("/etc/reaver/reaver.db-journal", F_OK) = -1 ENOENT (No such file or 
directory)
fstat64(3, {st_mode=S_IFREG|0777, st_size=14336, ...}) = 0
_llseek(3, 24, [24], SEEK_SET)          = 0
read(3, "\0\3.\340\0\0\0\16\0\0\0\7\0\0\0\6", 16) = 16
fstat64(3, {st_mode=S_IFREG|0777, st_size=14336, ...}) = 0
access("/etc/reaver/reaver.db-wal", F_OK) = -1 ENOENT (No such file or 
directory)
fstat64(3, {st_mode=S_IFREG|0777, st_size=14336, ...}) = 0
fcntl64(3, F_SETLK64, {type=F_WRLCK, whence=SEEK_SET, start=1073741825, len=1}, 
0x7fd64ac0) = 0
_llseek(3, 4096, [4096], SEEK_SET)      = 0
read(3, 
"\r\0\0\0\2\3\234\0\3\312\3\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
1024) = 1024
gettimeofday({1331160199, 321884}, NULL) = 0
_llseek(3, 5120, [5120], SEEK_SET)      = 0
read(3, 
"\n\0\0\0\2\3\322\0\3\322\3\351\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
1024) = 1024
stat64(0x7fd64650, 0x7fd64528)          = 0
open("/etc/reaver/reaver.db-journal", O_RDWR|O_CREAT|O_LARGEFILE, 0777) = 6
fcntl64(6, F_GETFD)                     = 0
fcntl64(6, F_SETFD, FD_CLOEXEC)         = 0
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 7
read(7, 
"J\314\317\246\217\230-y\301\3045\220\353N\312h\341\352\333A7\t\367\220ig]\247\3
57%u\342"..., 256) = 256
close(7)                                = 0
_llseek(6, 0, [0], SEEK_SET)            = 0
write(6, 
"\0\0\0\0\0\0\0\0\0\0\0\0\276\203\26P\0\0\0\16\0\0\2\0\0\0\4\0\0\0\0\0"..., 
512) = 512
_llseek(6, 512, [512], SEEK_SET)        = 0
write(6, "\0\0\0\6", 4)                 = 4
_llseek(6, 516, [516], SEEK_SET)        = 0
write(6, 
"\n\0\0\0\2\3\322\0\3\322\3\351\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
1024) = 1024
_llseek(6, 1540, [1540], SEEK_SET)      = 0
write(6, "\276\203\26P", 4)             = 4
_llseek(6, 1544, [1544], SEEK_SET)      = 0
write(6, "\0\0\0\5", 4)                 = 4
_llseek(6, 1548, [1548], SEEK_SET)      = 0
write(6, 
"\r\0\0\0\2\3\234\0\3\312\3\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
1024) = 1024
_llseek(6, 2572, [2572], SEEK_SET)      = 0
write(6, "\276\203\26P", 4)             = 4
fcntl64(3, F_SETLK64, {type=F_WRLCK, whence=SEEK_SET, start=1073741824, len=1}, 
0x7fd64a78) = 0
fcntl64(3, F_SETLK64, {type=F_WRLCK, whence=SEEK_SET, start=1073741826, 
len=510}, 0x7fd64a78) = 0
_llseek(6, 2576, [2576], SEEK_SET)      = 0
write(6, "\0\0\0\1", 4)                 = 4
_llseek(6, 2580, [2580], SEEK_SET)      = 0
write(6, "SQLite format 3\0\4\0\1\1\0@  \0\3.\340\0\0\0\16"..., 1024) = 1024
_llseek(6, 3604, [3604], SEEK_SET)      = 0
write(6, "\276\203\27\353", 4)          = 4
_llseek(6, 4096, [4096], SEEK_SET)      = 0
read(6, "", 8)                          = 0
fsync(6)                                = 0
open("/etc/reaver", O_RDONLY|O_LARGEFILE) = 7
fcntl64(7, F_GETFD)                     = 0
fcntl64(7, F_SETFD, FD_CLOEXEC)         = 0
fsync(7)                                = 0
close(7)                                = 0
_llseek(6, 0, [0], SEEK_SET)            = 0
write(6, "\331\325\5\371 \241c\327\0\0\0\3", 12) = 12
fsync(6)                                = 0
_llseek(3, 0, [0], SEEK_SET)            = 0
write(3, "SQLite format 3\0\4\0\1\1\0@  \0\3.\341\0\0\0\16"..., 1024) = 1024
_llseek(3, 4096, [4096], SEEK_SET)      = 0
write(3, 
"\r\0\0\0\2\3\234\0\3\312\3\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
1024) = 1024
_llseek(3, 5120, [5120], SEEK_SET)      = 0
write(3, 
"\n\0\0\0\2\3\322\0\3\322\3\351\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
1024) = 1024
fsync(3)                                = 0
close(6)                                = 0
unlink("/etc/reaver/reaver.db-journal") = 0
fcntl64(3, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741826, 
len=510}, 0x7fd64a40) = 0
fcntl64(3, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=1073741824, len=2}, 
0x7fd64a40) = 0
fcntl64(3, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}, 
0x7fd64a40) = 0
nanosleep({0, 100000}, NULL)            = 0
write(5, "\n821\n822\n823\n824\n825\n826\n827\n828"..., 709) = 709
close(5)                                = 0
write(1, "[+] Session saved.\n", 19)    = 19
setsockopt(4, SOL_PACKET, PACKET_RX_RING, {block_size=0, block_nr=0, 
frame_size=0, frame_nr=0}, 16) = -1 EBUSY (Device or resource busy)
munmap(0x2b60c000, 4128768)             = 0
close(4)                                = 0
close(1)                                = 0
exit_group(1)                           = ?

-------------------------------------------------------------------------------

Problem below:

ioctl(5, TIOCNXCL, 0x7fd662a8)          = -1 ENOTTY (Inappropriate ioctl for 
device)

can you fix?

Original comment by jia...@gmail.com on 10 Mar 2012 at 6:43

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Hy all!

I tried to use reaver-wps 1.4 in tp-link wr841 v7, but it cannot work good.
it just can change channel, but dont do other think.

Can somebody work with reaver in tp-link?

Original comment by edesal...@gmail.com on 6 May 2012 at 10:59

GoogleCodeExporter commented 9 years ago
Put please Makefile for version 1.4 
Trendnet 673GRU(ar71xx) Openwt/trunk

Original comment by saka...@gmail.com on 11 Jun 2012 at 2:02

GoogleCodeExporter commented 9 years ago
I tried to start reaver v1.4 on TP-Link TL-1043ND (cpu AR9132, openwrt), but it 
doesn't work.

---------------------------------------------
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[+] Switching mon0 to channel 2
...................
[+] Switching mon0 to channel 1
---------------------------------------------

Whether there is a solution of this problem?

Original comment by maxim.lu...@gmail.com on 13 Jun 2012 at 12:02

GoogleCodeExporter commented 9 years ago
#This is the Makefile

# Copyright (C) 2011 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

include $(TOPDIR)/rules.mk

PKG_NAME:=reaver
PKG_VERSION:=1.4
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://reaver-wps.googlecode.com/files
PKG_MD5SUM:=05441dda7bacfcbe1e831c85d1ea3bc9

include $(INCLUDE_DIR)/package.mk

define Package/reaver
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=wireless
  TITLE:=Brute force attack against Wifi Protected Setup
  URL:=https://code.google.com/p/reaver-wps/
  DEPENDS:=+libpcap +libsqlite3
endef

define Package/reaver/description
  Reaver targets the external registrar functionality mandated by the WiFi
  Protected Setup specification.
  Access points will provide authenticated registrars with their current
  wireless configuration (including the WPA PSK), and also accept a new
  configuration from the registrar.
endef

CONFIGURE_PATH:=src

MAKE_PATH:=src

TARGET_CFLAGS+=$(TARGET_CPPFLAGS)

define Package/reaver/install
    $(INSTALL_DIR) $(1)/usr/bin
    $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/{reaver,wash} $(1)/usr/bin/
endef

$(eval $(call BuildPackage,reaver)) 

Original comment by john...@gmail.com on 9 Jul 2012 at 9:55

GoogleCodeExporter commented 9 years ago
#This is the Big Endian patch
From 4e7af9f022996cb0a03b30f6af265b757807dfa2 Mon Sep 17 00:00:00 2001
From: Paul Fertser <fercerpav@gmail.com>
Date: Wed, 27 Jun 2012 17:44:55 +0400
Subject: [PATCH] wpscrack: big-endian fixes

This should fix access to the radiotap, 802.11, LLC/SNAP and WFA
headers' fields. Run-time tested on an ar71xx BE system.

Signed-off-by: Paul Fertser <fercerpav@gmail.com>
---
 src/80211.c    |   65 +++++++++++++++++++------------
 src/builder.c  |   23 +++++------
 src/defs.h     |  116 +++++++++++++++++++++++++++++++++++++++-----------------
 src/exchange.c |   23 ++++++-----
 src/wpsmon.c   |   13 ++++--
 5 files changed, 151 insertions(+), 89 deletions(-)

diff --git a/src/80211.c b/src/80211.c
index c2aff59..19f1e92 100644
--- a/src/80211.c
+++ b/src/80211.c
@@ -90,17 +90,19 @@ void read_ap_beacon()
                 if(header.len >= MIN_BEACON_SIZE)
                 {
                         rt_header = (struct radio_tap_header *) radio_header(packet, header.len);
-                        frame_header = (struct dot11_frame_header *) (packet + 
rt_header->len);
-
+           size_t rt_header_len = __le16_to_cpu(rt_header->len);
+           frame_header = (struct dot11_frame_header *) (packet + rt_header_len);
+           
            if(is_target(frame_header))
            {
-                                if(frame_header->fc.type == MANAGEMENT_FRAME 
&& frame_header->fc.sub_type == SUBTYPE_BEACON)
+                                if((frame_header->fc & 
__cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) ==
+                  __cpu_to_le16(IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON))
                                 {
-                                           beacon = (struct 
beacon_management_frame *) (packet + rt_header->len + sizeof(struct 
dot11_frame_header));
+                                           beacon = (struct 
beacon_management_frame *) (packet + rt_header_len + sizeof(struct 
dot11_frame_header));
                                            set_ap_capability(beacon->capability);

                    /* Obtain the SSID and channel number from the beacon packet */
-                   tag_offset = rt_header->len + sizeof(struct dot11_frame_header) + 
sizeof(struct beacon_management_frame);
+                   tag_offset = rt_header_len + sizeof(struct dot11_frame_header) + 
sizeof(struct beacon_management_frame);
                    channel = parse_beacon_tags(packet, header.len);

                    /* If no channel was manually specified, switch to the AP's current channel */
@@ -135,29 +137,31 @@ int8_t signal_strength(const u_char *packet, size_t len)
    {
        header = (struct radio_tap_header *) packet;

-       if((header->flags & SSI_FLAG) == SSI_FLAG)
+       uint32_t flags = __le32_to_cpu(header->flags);
+       
+       if((flags & SSI_FLAG) == SSI_FLAG)
        {
-           if((header->flags & TSFT_FLAG) == TSFT_FLAG)
+           if((flags & TSFT_FLAG) == TSFT_FLAG)
            {
                offset += TSFT_SIZE;
            }

-           if((header->flags & FLAGS_FLAG) == FLAGS_FLAG)
+           if((flags & FLAGS_FLAG) == FLAGS_FLAG)
            {
                offset += FLAGS_SIZE;
            }

-           if((header->flags & RATE_FLAG) == RATE_FLAG)
+           if((flags & RATE_FLAG) == RATE_FLAG)
            {
                offset += RATE_SIZE;
            }

-           if((header->flags & CHANNEL_FLAG) == CHANNEL_FLAG)
+           if((flags & CHANNEL_FLAG) == CHANNEL_FLAG)
            {
                offset += CHANNEL_SIZE;
            }

-           if((header->flags & FHSS_FLAG) == FHSS_FLAG)
+           if((flags & FHSS_FLAG) == FHSS_FLAG)
            {
                offset += FHSS_FLAG;
            }
@@ -196,11 +200,13 @@ int is_wps_locked()
        if(header.len >= MIN_BEACON_SIZE)
        {
            rt_header = (struct radio_tap_header *) radio_header(packet, header.len);
-           frame_header = (struct dot11_frame_header *) (packet + rt_header->len);
+           size_t rt_header_len = __le16_to_cpu(rt_header->len);
+           frame_header = (struct dot11_frame_header *) (packet + rt_header_len);

            if(memcmp(frame_header->addr3, get_bssid(), MAC_ADDR_LEN) == 0)
            {
-               if(frame_header->fc.type == MANAGEMENT_FRAME && frame_header->fc.sub_type 
== SUBTYPE_BEACON)
+                                if((frame_header->fc & 
__cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) ==
+                  __cpu_to_le16(IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON))
                {
                    if(parse_wps_parameters(packet, header.len, &wps))
                    {
@@ -411,24 +417,30 @@ int associate_recv_loop()
                 if(header.len >= MIN_AUTH_SIZE)
                 {
            rt_header = (struct radio_tap_header *) radio_header(packet, header.len);
-                        dot11_frame = (struct dot11_frame_header *) (packet + 
rt_header->len);
+           size_t rt_header_len = __le16_to_cpu(rt_header->len);
+           dot11_frame = (struct dot11_frame_header *) (packet + rt_header_len);

                         if((memcmp(dot11_frame->addr3, get_bssid(), MAC_ADDR_LEN) == 0) &&
                            (memcmp(dot11_frame->addr1, get_mac(), MAC_ADDR_LEN) == 0))
                         {
-               if(dot11_frame->fc.type == MANAGEMENT_FRAME)
+                                if((dot11_frame->fc & 
__cpu_to_le16(IEEE80211_FCTL_FTYPE)) ==
+                  __cpu_to_le16(IEEE80211_FTYPE_MGMT))
                {
-                                   auth_frame = (struct 
authentication_management_frame *) (packet + sizeof(struct dot11_frame_header) 
+ rt_header->len);
-                                   assoc_frame = (struct 
association_response_management_frame *) (packet + sizeof(struct 
dot11_frame_header) + rt_header->len);
+                                   auth_frame = (struct 
authentication_management_frame *) (packet + sizeof(struct dot11_frame_header) 
+ rt_header_len);
+                                   assoc_frame = (struct 
association_response_management_frame *) (packet + sizeof(struct 
dot11_frame_header) + rt_header_len);

                    /* Did we get an authentication packet with a successful status? */
-                   if((dot11_frame->fc.sub_type == SUBTYPE_AUTHENTICATION) && 
(auth_frame->status == AUTHENTICATION_SUCCESS))
+                   if((dot11_frame->fc & __cpu_to_le16(IEEE80211_FCTL_STYPE)) ==
+                      __cpu_to_le16(IEEE80211_STYPE_AUTH)
+                      && (auth_frame->status == __cpu_to_le16(AUTHENTICATION_SUCCESS)))
                                        {
                                                ret_val = AUTH_OK;
                                                break;
                                        }
                    /* Did we get an association packet with a successful status? */
-                                       else if((dot11_frame->fc.sub_type == 
SUBTYPE_ASSOCIATION) && (assoc_frame->status == ASSOCIATION_SUCCESS))
+                                       else if((dot11_frame->fc & 
__cpu_to_le16(IEEE80211_FCTL_STYPE)) ==
+                       __cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP)
+                       && (assoc_frame->status == __cpu_to_le16(ASSOCIATION_SUCCESS)))
                    {
                        ret_val = ASSOCIATE_OK;
                        break;
@@ -455,13 +467,14 @@ enum encryption_type supported_encryption(const u_char 
*packet, size_t len)
    if(len > MIN_BEACON_SIZE)
    {
        rt_header = (struct radio_tap_header *) radio_header(packet, len);
-       beacon = (struct beacon_management_frame *) (packet + rt_header->len + 
sizeof(struct dot11_frame_header));
-       offset = tag_offset = rt_header->len + sizeof(struct dot11_frame_header) + 
sizeof(struct beacon_management_frame);
+       size_t rt_header_len = __le16_to_cpu(rt_header->len);
+       beacon = (struct beacon_management_frame *) (packet + rt_header_len + 
sizeof(struct dot11_frame_header));
+       offset = tag_offset = rt_header_len + sizeof(struct dot11_frame_header) + 
sizeof(struct beacon_management_frame);

        tag_len = len - tag_offset;
        tag_data = (const u_char *) (packet + tag_offset);

-       if((beacon->capability & CAPABILITY_WEP) == CAPABILITY_WEP)
+       if((__le16_to_cpu(beacon->capability) & CAPABILITY_WEP) == CAPABILITY_WEP)
        {
            enc = WEP;

@@ -509,7 +522,7 @@ int parse_beacon_tags(const u_char *packet, size_t len)
    struct radio_tap_header *rt_header = NULL;

    rt_header = (struct radio_tap_header *) radio_header(packet, len);
-   tag_offset = rt_header->len + sizeof(struct dot11_frame_header) + 
sizeof(struct beacon_management_frame);
+   tag_offset = __le16_to_cpu(rt_header->len) + sizeof(struct 
dot11_frame_header) + sizeof(struct beacon_management_frame);

    if(tag_offset < len)
    {
@@ -548,7 +561,7 @@ int parse_beacon_tags(const u_char *packet, size_t len)
        {
            if(ie_len  == 1)
            {
-               memcpy((int *) &channel, channel_data, ie_len);
+               channel = *(uint8_t*)channel_data;
            }
            free(channel_data);
        }
@@ -603,13 +616,13 @@ int check_fcs(const u_char *packet, size_t len)
    if(len > 4)
    {
        /* Get the packet's reported FCS (last 4 bytes of the packet) */
-       memcpy((uint32_t *) &fcs, (packet + (len-4)), 4);
+       fcs = __le32_to_cpu(*(uint32_t*)(packet + (len-4)));

        /* FCS is not calculated over the radio tap header */
        if(has_rt_header())
        {
            rt_header = (struct radio_tap_header *) packet;
-           offset += rt_header->len;
+           offset += __le16_to_cpu(rt_header->len);
        }

        if(len > offset)
diff --git a/src/builder.c b/src/builder.c
index 37f2de7..6bf89e7 100644
--- a/src/builder.c
+++ b/src/builder.c
@@ -44,9 +44,8 @@ const void *build_radio_tap_header(size_t *len)
        memset((void *) buf, 0, sizeof(struct radio_tap_header));
        rt_header = (struct radio_tap_header *) buf;

-       rt_header->len = sizeof(struct radio_tap_header);
-   
-       *len = rt_header->len;
+       *len = sizeof(struct radio_tap_header);
+       rt_header->len = __cpu_to_le16(*len);
    }

    return buf;
@@ -67,9 +66,9 @@ const void *build_dot11_frame_header(uint16_t fc, size_t *len)

        frag_seq += SEQ_MASK;

-       header->duration = DEFAULT_DURATION;
-       memcpy((void *) &header->fc, (void *) &fc, sizeof(struct frame_control));
-       header->frag_seq = frag_seq;
+       header->duration = __cpu_to_le16(DEFAULT_DURATION);
+       header->fc = __cpu_to_le16(fc);
+       header->frag_seq = __cpu_to_le16(frag_seq);

        memcpy((void *) header->addr1, get_bssid(), MAC_ADDR_LEN);
        memcpy((void *) header->addr2, get_mac(), MAC_ADDR_LEN);
@@ -91,8 +90,8 @@ const void *build_authentication_management_frame(size_t *len)
        memset((void *) buf, 0, *len);
        frame = (struct authentication_management_frame *) buf;

-       frame->algorithm = OPEN_SYSTEM;
-       frame->sequence = 1;
+       frame->algorithm = __cpu_to_le16(OPEN_SYSTEM);
+       frame->sequence = __cpu_to_le16(1);
        frame->status = 0;
    }

@@ -111,8 +110,8 @@ const void *build_association_management_frame(size_t *len)
        memset((void *) buf, 0, *len);
        frame = (struct association_request_management_frame *) buf;

-       frame->capability = get_ap_capability();
-       frame->listen_interval = LISTEN_INTERVAL;
+       frame->capability = __cpu_to_le16(get_ap_capability());
+       frame->listen_interval = __cpu_to_le16(LISTEN_INTERVAL);
    }

    return buf;
@@ -133,7 +132,7 @@ const void *build_llc_header(size_t *len)
        header->dsap = LLC_SNAP;
        header->ssap = LLC_SNAP;
        header->control_field = UNNUMBERED_FRAME;
-       header->type = DOT1X_AUTHENTICATION;
+       header->type = __cpu_to_be16(DOT1X_AUTHENTICATION);

    }

@@ -279,7 +278,7 @@ const void *build_wfa_header(uint8_t op_code, size_t *len)
        header = (struct wfa_expanded_header *) buf;

        memcpy(header->id, WFA_VENDOR_ID, sizeof(header->id));
-       header->type = SIMPLE_CONFIG;
+       header->type = __cpu_to_be32(SIMPLE_CONFIG);
        header->opcode = op_code;
    }

diff --git a/src/defs.h b/src/defs.h
index b2f45ea..0c628e7 100644
--- a/src/defs.h
+++ b/src/defs.h
@@ -41,6 +41,7 @@
 #include <string.h>
 #include <time.h>
 #include <pcap.h>
+#include <asm/byteorder.h>

 #include "wps.h"

@@ -65,10 +66,10 @@
 #define MANAGEMENT_FRAME   0x00
 #define SUBTYPE_BEACON     0x08

-#define DOT1X_AUTHENTICATION   0x8E88
+#define DOT1X_AUTHENTICATION   0x888E
 #define DOT1X_EAP_PACKET   0x00

-#define SIMPLE_CONFIG      0x01000000
+#define SIMPLE_CONFIG      0x00000001

 #define P1_SIZE            10000
 #define P2_SIZE            1000
@@ -282,66 +283,111 @@ enum wfa_elements
    WEP_TRANSMIT_KEY = 0x10064
 };

+#define IEEE80211_FCTL_VERS        0x0003
+#define IEEE80211_FCTL_FTYPE       0x000c
+#define IEEE80211_FCTL_STYPE       0x00f0
+#define IEEE80211_FCTL_TODS        0x0100
+#define IEEE80211_FCTL_FROMDS      0x0200
+#define IEEE80211_FCTL_MOREFRAGS   0x0400
+#define IEEE80211_FCTL_RETRY       0x0800
+#define IEEE80211_FCTL_PM      0x1000
+#define IEEE80211_FCTL_MOREDATA        0x2000
+#define IEEE80211_FCTL_PROTECTED   0x4000
+#define IEEE80211_FCTL_ORDER       0x8000
+
+#define IEEE80211_SCTL_FRAG        0x000F
+#define IEEE80211_SCTL_SEQ     0xFFF0
+
+#define IEEE80211_FTYPE_MGMT       0x0000
+#define IEEE80211_FTYPE_CTL        0x0004
+#define IEEE80211_FTYPE_DATA       0x0008
+
+/* management */
+#define IEEE80211_STYPE_ASSOC_REQ  0x0000
+#define IEEE80211_STYPE_ASSOC_RESP 0x0010
+#define IEEE80211_STYPE_REASSOC_REQ    0x0020
+#define IEEE80211_STYPE_REASSOC_RESP   0x0030
+#define IEEE80211_STYPE_PROBE_REQ  0x0040
+#define IEEE80211_STYPE_PROBE_RESP 0x0050
+#define IEEE80211_STYPE_BEACON     0x0080
+#define IEEE80211_STYPE_ATIM       0x0090
+#define IEEE80211_STYPE_DISASSOC   0x00A0
+#define IEEE80211_STYPE_AUTH       0x00B0
+#define IEEE80211_STYPE_DEAUTH     0x00C0
+#define IEEE80211_STYPE_ACTION     0x00D0
+
+/* control */
+#define IEEE80211_STYPE_BACK_REQ   0x0080
+#define IEEE80211_STYPE_BACK       0x0090
+#define IEEE80211_STYPE_PSPOLL     0x00A0
+#define IEEE80211_STYPE_RTS        0x00B0
+#define IEEE80211_STYPE_CTS        0x00C0
+#define IEEE80211_STYPE_ACK        0x00D0
+#define IEEE80211_STYPE_CFEND      0x00E0
+#define IEEE80211_STYPE_CFENDACK   0x00F0
+
+/* data */
+#define IEEE80211_STYPE_DATA           0x0000
+#define IEEE80211_STYPE_DATA_CFACK     0x0010
+#define IEEE80211_STYPE_DATA_CFPOLL        0x0020
+#define IEEE80211_STYPE_DATA_CFACKPOLL     0x0030
+#define IEEE80211_STYPE_NULLFUNC       0x0040
+#define IEEE80211_STYPE_CFACK          0x0050
+#define IEEE80211_STYPE_CFPOLL         0x0060
+#define IEEE80211_STYPE_CFACKPOLL      0x0070
+#define IEEE80211_STYPE_QOS_DATA       0x0080
+#define IEEE80211_STYPE_QOS_DATA_CFACK     0x0090
+#define IEEE80211_STYPE_QOS_DATA_CFPOLL        0x00A0
+#define IEEE80211_STYPE_QOS_DATA_CFACKPOLL 0x00B0
+#define IEEE80211_STYPE_QOS_NULLFUNC       0x00C0
+#define IEEE80211_STYPE_QOS_CFACK      0x00D0
+#define IEEE80211_STYPE_QOS_CFPOLL     0x00E0
+#define IEEE80211_STYPE_QOS_CFACKPOLL      0x00F0
+
 #pragma pack(1)
 struct radio_tap_header
 {
    uint8_t revision;   
    uint8_t pad;
-   uint16_t len;
-   uint32_t flags;
-};
-
-struct frame_control
-{
-        unsigned version : 2;
-        unsigned type : 2;
-        unsigned sub_type : 4;
-
-        unsigned to_ds : 1;
-        unsigned from_ds : 1;
-        unsigned more_frag : 1;
-        unsigned retry : 1;
-        unsigned pwr_mgt : 1;
-        unsigned more_data : 1;
-        unsigned protected_frame : 1;
-        unsigned order : 1;
+   __le16 len;
+   __le32 flags;
 };

 struct dot11_frame_header
 {
-   struct frame_control fc;
-        uint16_t duration;
+   __le16 fc;
+   __le16 duration;
    unsigned char addr1[MAC_ADDR_LEN];
    unsigned char addr2[MAC_ADDR_LEN];
    unsigned char addr3[MAC_ADDR_LEN];
-   uint16_t frag_seq;
+   __le16 frag_seq;
 };

 struct authentication_management_frame
 {
-   uint16_t algorithm;
-   uint16_t sequence;
-   uint16_t status;
+   __le16 algorithm;
+   __le16 sequence;
+   __le16 status;
 };

 struct association_request_management_frame
 {
-   uint16_t capability;
-   uint16_t listen_interval;
+   __le16 capability;
+   __le16 listen_interval;
 };

 struct association_response_management_frame
 {
-   uint16_t capability;
-   uint16_t status;
-   uint16_t id;
+   __le16 capability;
+   __le16 status;
+   __le16 id;
 };

 struct beacon_management_frame
 {
    unsigned char timestamp[TIMESTAMP_LEN];
-   uint16_t beacon_interval;
-   uint16_t capability;
+   __le16 beacon_interval;
+   __le16 capability;
 };

 struct llc_header
@@ -350,7 +396,7 @@ struct llc_header
    uint8_t ssap;
    uint8_t control_field;
    unsigned char org_code[3];
-   uint16_t type;
+   __be16 type;
 };

 struct dot1X_header
@@ -371,7 +417,7 @@ struct eap_header
 struct wfa_expanded_header
 {
    unsigned char id[3];
-   uint32_t type;
+   __be32 type;
    uint8_t opcode;
    uint8_t flags;
 };
diff --git a/src/exchange.c b/src/exchange.c
index 23c87e9..4f9a82b 100644
--- a/src/exchange.c
+++ b/src/exchange.c
@@ -306,26 +306,27 @@ enum wps_type process_packet(const u_char *packet, struct 
pcap_pkthdr *header)

    /* Cast the radio tap and 802.11 frame headers and parse out the Frame Control field */
    rt_header = (struct radio_tap_header *) packet;
-   frame_header = (struct dot11_frame_header *) (packet+rt_header->len);
+   size_t rt_header_len = __le16_to_cpu(rt_header->len);
+   frame_header = (struct dot11_frame_header *) (packet+rt_header_len);

    /* Does the BSSID/source address match our target BSSID? */
    if(memcmp(frame_header->addr3, get_bssid(), MAC_ADDR_LEN) == 0)
    {
        /* Is this a data packet sent to our MAC address? */
-       if(frame_header->fc.type == DATA_FRAME && 
-           frame_header->fc.sub_type == SUBTYPE_DATA && 
-           (memcmp(frame_header->addr1, get_mac(), MAC_ADDR_LEN) == 0)) 
+       if (((frame_header->fc & __cpu_to_le16(IEEE80211_FCTL_FTYPE | 
IEEE80211_FCTL_STYPE)) ==
+            __cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_DATA)) &&
+           (memcmp(frame_header->addr1, get_mac(), MAC_ADDR_LEN) == 0)) 
        {
            llc = (struct llc_header *) (packet +
-                           rt_header->len +
+                           rt_header_len +
                            sizeof(struct dot11_frame_header)
            );

            /* All packets in our exchanges will be 802.1x */
-           if(llc->type == DOT1X_AUTHENTICATION)
+           if(llc->type == __cpu_to_be16(DOT1X_AUTHENTICATION))
            {
                dot1x = (struct dot1X_header *) (packet +
-                               rt_header->len +
+                               rt_header_len +
                                sizeof(struct dot11_frame_header) +
                                sizeof(struct llc_header)
                );
@@ -334,7 +335,7 @@ enum wps_type process_packet(const u_char *packet, struct 
pcap_pkthdr *header)
                if(dot1x->type == DOT1X_EAP_PACKET && (header->len >= EAP_PACKET_SIZE))
                {
                    eap = (struct eap_header *) (packet +
-                                   rt_header->len +
+                                   rt_header_len +
                                    sizeof(struct dot11_frame_header) +
                                    sizeof(struct llc_header) +
                                    sizeof(struct dot1X_header)
@@ -366,7 +367,7 @@ enum wps_type process_packet(const u_char *packet, struct 
pcap_pkthdr *header)
                        else if((eap->type == EAP_EXPANDED) && (header->len > WFA_PACKET_SIZE))
                        {
                            wfa = (struct wfa_expanded_header *) (packet +
-                                           rt_header->len +
+                                           rt_header_len +
                                            sizeof(struct dot11_frame_header) +
                                            sizeof(struct llc_header) +
                                            sizeof(struct dot1X_header) +
@@ -374,14 +375,14 @@ enum wps_type process_packet(const u_char *packet, struct 
pcap_pkthdr *header)
                            );

                            /* Verify that this is a WPS message */
-                           if(wfa->type == SIMPLE_CONFIG)
+                           if(wfa->type == __cpu_to_be32(SIMPLE_CONFIG))
                            {
                                wps_msg_len =   (size_t) ntohs(eap->len) - 
                                        sizeof(struct eap_header) - 
                                        sizeof(struct wfa_expanded_header);

                                wps_msg = (const void *) (packet +
-                                           rt_header->len +
+                                           rt_header_len +
                                                                                            sizeof(struct dot11_frame_header) +
                                                                                            sizeof(struct llc_header) +
                                                                                            sizeof(struct dot1X_header) +
diff --git a/src/wpsmon.c b/src/wpsmon.c
index d976924..22a394f 100644
--- a/src/wpsmon.c
+++ b/src/wpsmon.c
@@ -295,7 +295,8 @@ void parse_wps_settings(const u_char *packet, struct 
pcap_pkthdr *header, char *
         }

    rt_header = (struct radio_tap_header *) radio_header(packet, header->len);
-   frame_header = (struct dot11_frame_header *) (packet + rt_header->len);
+   size_t rt_header_len = __le16_to_cpu(rt_header->len);
+   frame_header = (struct dot11_frame_header *) (packet + rt_header_len);

    /* If a specific BSSID was specified, only parse packets from that BSSID */
    if(!is_target(frame_header))
@@ -323,15 +324,17 @@ void parse_wps_settings(const u_char *packet, struct 
pcap_pkthdr *header, char *
                channel_changed = 1;
            }

-           if(frame_header->fc.sub_type == PROBE_RESPONSE ||
-                                   frame_header->fc.sub_type == SUBTYPE_BEACON)
+           unsigned fsub_type = frame_header->fc & __cpu_to_le16(IEEE80211_FCTL_STYPE);
+
+           if(fsub_type == __cpu_to_le16(IEEE80211_STYPE_PROBE_RESP) ||
+              fsub_type == __cpu_to_le16(IEEE80211_STYPE_BEACON))
            {
                wps_parsed = parse_wps_parameters(packet, header->len, wps);
            }

            if(!is_done(bssid) && (get_channel() == channel || source == PCAP_FILE))
            {
-               if(frame_header->fc.sub_type == SUBTYPE_BEACON && 
+               if(fsub_type == __cpu_to_le16(IEEE80211_STYPE_BEACON) && 
                   mode == SCAN && 
                   !passive && 
                   should_probe(bssid))
@@ -369,7 +372,7 @@ void parse_wps_settings(const u_char *packet, struct 
pcap_pkthdr *header, char *
                 * If there was no WPS information, then the AP does not support WPS and we should ignore it from here on.
                 * If this was a probe response, then we've gotten all WPS info we can get from this AP and should ignore it from here on.
                 */
-               if(!wps_parsed || frame_header->fc.sub_type == PROBE_RESPONSE)
+               if(!wps_parsed || fsub_type == __cpu_to_le16(IEEE80211_STYPE_PROBE_RESP))
                {
                    mark_ap_complete(bssid);
                }
-- 
1.7.7

Original comment by john...@gmail.com on 9 Jul 2012 at 9:56

GoogleCodeExporter commented 9 years ago
For best result in openwrt you need to make a folder /etc/reaver
and then copy into it from the reaver /src folder reaver.db so you finish up 
with 

/etc/reaver/reaver.db 

in openwrt

Original comment by john...@gmail.com on 9 Jul 2012 at 9:59

GoogleCodeExporter commented 9 years ago
Just tried patch on Fonera 2100 (Atheros AR2315)
Got the same result as before. Switching channels, not receiving beacon.
Got any idea?

Original comment by kopl...@gmail.com on 10 Jul 2012 at 2:29

GoogleCodeExporter commented 9 years ago
Kinda same here, "failed to associate" errors. On WR1043ND (ath9k). Wash didn't 
found the AP :(

Original comment by ravine...@gmail.com on 11 Jul 2012 at 10:19

GoogleCodeExporter commented 9 years ago
I have only been able to test this on my Nanostation M2 and it works fine.

Wash needs to have the /etc/reaver folder manually made

Original comment by john...@gmail.com on 11 Jul 2012 at 8:34

GoogleCodeExporter commented 9 years ago
Right, wash found the AP after one minute later.

Original comment by ravine...@gmail.com on 12 Jul 2012 at 8:56

GoogleCodeExporter commented 9 years ago
This is a new patch which corrects the Big Endian problem and brings reaver up 
to the current revision.

https://lists.openwrt.org/pipermail/openwrt-devel/2012-July/015972.html

make a folder called reaver like  >>  trunk/feeds/packages/net/reaver
Download the patch, save as a "add-reaver.patch" 
put the patch in the trunk/feeds/packages directory
cd trunk/feeds/packages
Then do "patch -p1 < add-reaver.patch"
cd trunk
./scripts/feeds update -i -a
./scripts/feeds install reaver
make menuconfig
select reaver in network/wireless
make

Original comment by john...@gmail.com on 12 Jul 2012 at 9:14

GoogleCodeExporter commented 9 years ago
Hm...still not works for me on wr1043nd. Patch is applyed successfully, i can 
see it on 'wash' output, and wash works, but reaver still fails to associate.

Original comment by ravine...@gmail.com on 13 Jul 2012 at 10:12

GoogleCodeExporter commented 9 years ago
reaver has now been added as a package in openwrt.

Original comment by john...@gmail.com on 15 Jul 2012 at 1:20

GoogleCodeExporter commented 9 years ago
Still can't get it to work. I've compiled the new trunk (r32732) with reaver, 
flashed, and now not even 'wash' works. I have the reaver.db in /etc/reaver dir 
(is it still required to copy manually?), but wash cannot finds the router 
(which is a wr941nd with wps, beside the wr1043nd test-router).
Reaver just fails to associate. Am i doing something wrong?

Original comment by ravine...@gmail.com on 16 Jul 2012 at 9:00

GoogleCodeExporter commented 9 years ago
Trunk is having some problems recently for scanning on mon0 so use r32647

Original comment by john...@gmail.com on 20 Jul 2012 at 10:20

GoogleCodeExporter commented 9 years ago
Tried it, wash works again, but reaver still unusable :(

Original comment by ravine...@gmail.com on 21 Jul 2012 at 11:25

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
The problem with trunk is that now you need to remove wlan0 for mon0 to scan.

If you have wlan0 up then mon0 will not scan so you can either do 
ifconfig wlan0 down 
or 
iw dev wlan0 del
to delete it.

If you need wlan0 later to connect to an AP you could recreate it with the 
command wifi

Original comment by john...@gmail.com on 25 Jul 2012 at 8:04

GoogleCodeExporter commented 9 years ago
As mentioned by other users there is still an issue with the association on big 
endian. Authentication works fine but association fails which results in a 
association failure message from reaver . Even after looking for hours at the 
code I was not able to fix this bug but found a workaround.

You can use aireplay-ng -1 5 -e YOUR_SSID mon0 > authlog.txt & to associate to 
your access point and reaver -i mon0 -b your_mac -vv -A to authenticate.

If you do the above steps you can only submit 1 EAP start request every minute 
/ 60 seconds, meaning it will take up to 7 days to crack the PIN. 

You need to apply the following patch (submitted to OpenWRT dev list) on the 
exchange.c function to deauthenticate after each WPS exchange which will 
improve considerably the cracking speed:

Index: reaver-r113/src/exchange.c
===================================================================
--- reaver-r113.orig/src/exchange.c 2012-10-13 20:20:23.452675557 +0200
+++ reaver-r113/src/exchange.c  2012-10-13 20:29:39.741682088 +0200
@@ -273,7 +273,12 @@
        send_termination();
        stop_timer();
    }
-   
+
+   if (get_external_association()) 
+   {
+       deauthenticate();
+   }
+
    return ret_val;
 }

Original comment by mathias....@gmail.com on 13 Oct 2012 at 7:53

GoogleCodeExporter commented 9 years ago
Also make sure that you have your wlan0 and mon0 interface up
ifconfig wlan0 up
ifconfig mon0 up

You may also need to set the channel before bringing up the interface with
iw wlan0 set channel X

Original comment by mathias....@gmail.com on 13 Oct 2012 at 7:58

GoogleCodeExporter commented 9 years ago
Download openwrt trunk or maybe the SDK (I had no luck with it), select your 
target with menuconfig.
Run ./scripts/feeds update -a and then ./scripts/feeds/install -a.
Go to the feeds/packages/net/reaver directory and create a new patch 0004-XXX 
file pasting the patch file contents above.
Go back to the openwrt/trunk folder and run make 
package/feeds/packages/reaver/compile V=99.
You can check in the build_dir/TARGET/reaver-XXX/src directory the exchange.c 
file at line number 277 to see if the patch has been applied correctly.
Go back to the openwrt/trunk folder and run make package/feeds/packages/reaver 
install V=99
Run make package/feeds/packages/aircrack-ng/compile and make 
package/feeds/packages/aircrack-ng/install.

Go to the bin/TARGET/packages directory and transfer with scp *.ipk 
root@IP:/tmp all ipk packages. Open a ssh shell to the router and run the 
following command in the tmp folder: opkg install *lib*.ipk. When complete vi 
/etc/opkg.conf and modify dest root / to dest root /tmp.
Install with opkg install aircrack-ng-XXX.ipk --force-depends and do the same 
for reaver.
Ignore the message about failed dependencies. Once finished go to /tmp/usr/sbin 
and run airmon-ng start wlan0 CHANNELNO. You also might need to configure the 
channel with iw wlan0 set channel CHANNELNO (bring the wlan0 interface down 
before and up after). Run aireplay -1 5 -e YOURSSID mon0 > /dev/null & to 
authenticate and run reaver with the -A switch.

Save the patch above 

Original comment by mathias....@gmail.com on 14 Oct 2012 at 9:23

GoogleCodeExporter commented 9 years ago
hi,there,

I use a DB120(brcm63xx)in openwrt AA 12.09 rc1 with TP-link TL-WN722N (AR9271) 
USB, ath9k-htc driver.

Everthing is fine with airodump-ng, wash, when it comes to reaver, it works 
fine.
But for sometime, it will display"segmentation fault", and no pin anymore, 
continue the reaver,it continues the pin work again, but for some time, it 
shows "segmentation fault"again,find no rule why it stopped.

Is it the reaver 1.4 bug? If I use a laptop,never see segmentation fault, is it 
the router DB120's RAM 32MB too small or the reaver's bug in LE mips? Anyone 
had success in reaver in  BE mips AR71XX router with openwrt? Why no update for 
Reaver 1.4 anymore?

What exactly does it need for the operating RAM when running reaver 
1.4(including it's dependent libs)? CPU speed? 

Thanks

Original comment by anteros2...@gmail.com on 25 Jan 2014 at 6:05