Closed GoogleCodeExporter closed 9 years ago
I decided to go back and try previous versions: r64, r63, ..., r48 and all
exhibit the same behavior with my ongoing session (92% or second half of the
PIN). I guess I never noticed before. All revisions try each PIN twice before
proceeding to the next one, at this rate it will take twice the time to guess
the second half of the PIN. Please, see if you can find the error in the state
machine. Thanks!
P.S.: It could be that timeouts are received but not presented (printed with
-vv) but then it would be too suspicious that each PIN needs exactly 2 tries to
go through.
P.S.: I vaguely remember that before the session saving was implemented in the
open source version it would only try PINs once for the second half. But I do
not want to regress my installed version that far back...
Original comment by vsil...@gmail.com
on 5 Jan 2012 at 6:47
Does this happen on every AP, or just a specific one? Can you provide a pcap?
Original comment by cheff...@tacnetsol.com
on 5 Jan 2012 at 4:19
The old AP with the problem above was a Netgear E0:91:F5:... .
I tried again, using r66 now, on another AP from Cisco-Linksys 7C:03:4C:...
that was already completed by decreasing the second number in the .wps file and
making the third number in the .wps file a 2 --> 1 (revert to secod half of PIN
testing). As you can see from the output below, the problem persists.
Not sure if I'll be able to produce a pcap file, but advise what's the best way
to capture: airodump-ng, tcpdump, or wireshark? What filter? Thanks!
[+] Switching mon0 to channel xx
[+] Associated with 7C:03:4C:xx:xx:xx (ESSID: xxxxxxxxxx)
[+] Trying pin 15346414
[+] Trying pin 15340504
[+] Trying pin 15340504
[+] Trying pin 15341310
[+] Trying pin 15341310
[+] Trying pin 15345257
[+] 94.62% complete @ 2012-01-05 12:58:38 (8 seconds/attempt)
[+] Trying pin 15345257
[+] Trying pin 15344632
[+] Trying pin 15344632
[+] Trying pin 15343307
[+] Trying pin 15343307
[+] 94.65% complete @ 2012-01-05 12:59:03 (8 seconds/attempt)
[+] Trying pin 15340757
[+] Trying pin 15340757
[+] Trying pin 15340634
[+] Trying pin 15340634
[+] Trying pin 15340788
[+] 94.66% complete @ 2012-01-05 12:59:23 (8 seconds/attempt)
[+] Trying pin 15340788
[+] Trying pin 15342508
Original comment by vsil...@gmail.com
on 5 Jan 2012 at 7:08
What command line options are you supplying to Reaver?
The easiest way to capture the traffic is to use Wireshark with a display
filter of 'eap || eapol'.
Original comment by cheff...@tacnetsol.com
on 5 Jan 2012 at 7:19
In addition to the -i, -b, and -s:
1) On the Netgear: -vv -c 6 -E -S -a -l 60 -s
2) On the Linksys: -vv -c 6 -E -S -d 0 -t 30
Original comment by vsil...@gmail.com
on 5 Jan 2012 at 7:24
I have noticed on some Linksys devices that with -d 0 I get repeated pins (but
it happens when brute forcing both the first and second half of the pin). On
the Linksys, try only specifying the -i -b -s and -vv options and see if there
are still repeated pins.
Original comment by cheff...@tacnetsol.com
on 5 Jan 2012 at 7:30
I took the "-d 0" out (removed it) and tried again the Linksys. Problem
persists (see log below). I am surprised nobody else reproduced and commented
on this problem.
Note that I used "-d 0" originally after determining empirically that the AP
would buy it (no lockdowns) and since it was faster (on the Linksys), but the
same was not working well on the Netgear (maybe lower signal strength) so I
resorted to defaults (-a) on the Netgear. I.e., they were the optimum
parameters for my test cases in terms of overall speed.
There were definitely no duplicate PINs on the 1st half of the PIN tests on
either AP. Thanks!
[+] Switching mon0 to channel xx
[+] Associated with 7C:03:4C:xx:xx:xx (ESSID: xxxxxxxx)
[+] Trying pin 15345066
[!] WARNING: Last message not processed properly, reverting state to previous
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[+] Trying pin 15345066
[+] Trying pin 15345066
[+] Trying pin 15340917
[+] Trying pin 15340917
[+] Trying pin 15341211
[!] WARNING: Receive timeout occurred
[+] 94.56% complete @ 2012-01-05 13:34:09 (27 seconds/attempt)
[+] Trying pin 15341211
[+] Trying pin 15343987
[+] Trying pin 15343987
[+] Trying pin 15344359
[+] Trying pin 15344359
[+] 94.59% complete @ 2012-01-05 13:34:32 (15 seconds/attempt)
[+] Trying pin 15346414
Original comment by vsil...@gmail.com
on 5 Jan 2012 at 7:42
With the "-d 0" still out I tried the 1st half of the PIN on the same Linksys
AP: no repeated PINS.
[+] Trying pin 12116416
[+] Trying pin 84946416
[+] Trying pin 68406417
[+] Trying pin 24676410
[+] Trying pin 85856417
[+] Trying pin 27896419
Restoring the "-d 0" option and continuing on the 1st half of the PIN: no
duplicate PINs.
[+] Trying pin 57906416
[+] Trying pin 50296415
[+] Trying pin 74836413
[+] Trying pin 65436417
[+] Trying pin 41176412
[+] 52.11% complete @ 2012-01-05 13:51:34 (9 seconds/attempt)
[+] Trying pin 78866416
[+] Trying pin 81926411
[+] Trying pin 85826410
Original comment by vsil...@gmail.com
on 5 Jan 2012 at 7:54
I tried to reproduce the problem with r67 (with debug output)--by the way the
-o option only sends stdout to the file, not stderr, so it is harder than it
should be to capture both stdout and stderr, I just didn't use -o and copied
all the output from the terminal--.
Surprisingly, I do not see duplicate PINs on the 2nd half of the PIN tests over
the Linksys AP. Output attached. Thanks!
P.S.: Hopefully that stays the same after you take the debug output out :-)
Original comment by vsil...@gmail.com
on 5 Jan 2012 at 8:43
Attachments:
Part of the r67 update was to also ensure that M2D messages do not get sent;
checked in r68 which removes the debug output, verify that you still aren't
getting repeated pins.
Original comment by cheff...@tacnetsol.com
on 5 Jan 2012 at 9:21
Finally, r68 fixes the issue: no repeated PINs. Thanks!
[+] Switching mon0 to channel 6
[+] Associated with 7C:03:4C:xx:xx:xx (ESSID: xxxxxxxx)
[+] Trying pin 15344953
[+] Trying pin 15343628
[+] Trying pin 15346933
[+] Trying pin 15347060
[+] Trying pin 15347565
[+] Trying pin 15341365
[+] 94.85% complete @ 2012-01-05 15:25:59 (2 seconds/attempt)
[+] Trying pin 15348227
Original comment by vsil...@gmail.com
on 5 Jan 2012 at 9:29
Good, sounds like the removal of M2D message support (not needed for the
attack) fixed it. :)
Original comment by cheff...@tacnetsol.com
on 5 Jan 2012 at 9:31
Original issue reported on code.google.com by
vsil...@gmail.com
on 5 Jan 2012 at 5:53