gylns / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

WSC_Start after EAP-Response Identity #107

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
0. What version of Reaver are you using?
I downloaded, extracted and compiled reaver-1.3

1. What operating system are you using (Linux is the only supported OS)?
Ubuntu

2. Is your wireless card in monitor mode (yes/no)?
Of course

3. What is the signal strength of the Access Point you are trying to crack?
It's about -60dBm

4. What is the manufacturer and model # of the device you are trying to
crack?
Sorry...

5. What is the entire command line string you are supplying to reaver?
sudo ./reaver -i mon0 -b 64:68:0C:F1:2E:43 -vv -f

6. Please describe what you think the issue is.
When I run reaver against this AP, I am always receiving the "Last message not 
processed properly, reverting state to previous message" warning.
And when I look at the capture I see a packet that mustn't be there accordingly 
to the steps described in the PDF of the vulnerability.
The packet is one that the AP sends after reaver sends the Response Identity 
with WFA-SimpleConfig-Registrar-1-0. AP sends an WSC_Start packet with no more 
data, and then reaver answers with an WSC_NACK packet, and starts 
authenticating again.
As described in the PDF, it should send the public key of the Diffie-Hellman...
I have attached a capture with one of the cycles that is always repeating.
I think it is not following the standard, but... how the authentication 
continues after de WSC_Start? I could not see the specification as the Wifi 
Alliance pays for downloading it.

7. Paste the output from Reaver below.
[+] Waiting for beacon from 64:68:0C:F1:2E:43
[+] Associated with 64:68:0C:F1:2E:43 (ESSID: WLAN_2E40)
[+] Trying pin 45280016
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 45280016
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 45280016
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 45280016
[!] WARNING: Last message not processed properly, reverting state to previous 
message
^C
[+] Nothing done, nothing to save.
[+] Session saved.

Original issue reported on code.google.com by a123a654...@gmail.com on 7 Jan 2012 at 9:34

Attachments:

GoogleCodeExporter commented 9 years ago
http://www.macvendorlookup.com/  There you can find out what Brand a Mac Adress 
belongs to.... so yours is Comtrend 

Original comment by patricks...@gmail.com on 7 Jan 2012 at 9:39

GoogleCodeExporter commented 9 years ago
The AP should not be sending a WSC_START message after the identity response; 
it should be sending an M1 message. Without the M1, Reaver can't generate the 
M2 message.

Original comment by cheff...@tacnetsol.com on 7 Jan 2012 at 9:48

GoogleCodeExporter commented 9 years ago
But it always sends it!
I have read in 
http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5
b/WCN-Netspec.doc (document mentioned in the PDF of the vulnerability) that 
WSC_Start "is sent by the access point when it receives an EAP 
Response/Identity that contains the NAI 'WFA-SimpleConfig-Enrollee-1-0'."
So I think the WPS of the AP is broken and it acts as if I were an enrollee.
I have changed the string to "WFA-SimpleConfig-Enrollee-1-0" (to see if the 
roles were changed), re-run reaver, and the result is the same, the AP again 
sends an WSC_Start (this time correctly)...

Original comment by a123a654...@gmail.com on 7 Jan 2012 at 10:30

GoogleCodeExporter commented 9 years ago
I understand that it always sends it. This would indicate that your AP does not 
support the registrar functionality and thus is not vulnerable to the Reaver 
attack.

Original comment by cheff...@tacnetsol.com on 8 Jan 2012 at 6:24