nicholasoh / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

QSS Protocol for TP-Link Devices #30

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I've opened a new ticket for the possible implementation of the WPS mode of the 
tp-link devices.

So I have downloaded the QSS utility for windows, and I have captured the 
succesfull auth.

Then I have done the same with reaver, forcing the build_wps_pin() function to 
use my PIN:

char *build_wps_pin()
{
        char *key = NULL, *pin = NULL;
        int pin_len = PIN_SIZE + 1;

        pin = malloc(pin_len);
        key = malloc(pin_len);
        if(pin && key)
        {
                memset(key, 0, pin_len);
                memset(pin, 0, pin_len);

                /* Generate a 7-digit pin from the given key index values */
                snprintf(key, pin_len, "%s%s", "2020", "656");

                /* Generate and append the pin checksum digit */
                snprintf(pin, pin_len, "%s%d", key, wps_pin_checksum(atoi(key)));

                free(key);
        }
        return pin;
} 

The output that I get is:

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from F4:EC:38:A0:4F:06
[+] Switching mon0 to channel 9
[+] Associated with F4:EC:38:A0:4F:06 (ESSID: TP-LINK_A04F06)
Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
Trying pin 20206567
...etc

PIN:20206567
WPA2/KEY:12345678

I've attached the 2 caps.

If is there anything I can do to help on this issue, let me know.

Best Regards

Original issue reported on code.google.com by gorilla....@gmail.com on 30 Dec 2011 at 9:51

Attachments:

GoogleCodeExporter commented 8 years ago
I too have several TP-Link 1043 devices, and i don't have any issues cracking 
the wps/qss pincode.

Original comment by stefanen...@gmail.com on 31 Dec 2011 at 12:12

GoogleCodeExporter commented 8 years ago
Here there is another cap for a tl-wa901nd using the QSS utility.

This time I couldn't capture with reaver beacuse it gets stacked at this point:

Reaver v1.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from B0:48:7A:DB:6F:E7
[+] Switching mon0 to channel 9
[+] Associated with B0:48:7A:DB:6F:E7 (ESSID: TP-LINK_DB6FE7)

I tried with a 32 bits linux and with an ath5k with same results.

@stefanen

Are you using the latest firmware on your TP-Link 1043

Original comment by gorilla....@gmail.com on 31 Dec 2011 at 12:47

Attachments:

GoogleCodeExporter commented 8 years ago
Succesfull auth using wpa_supplicant

Original comment by gorilla....@gmail.com on 31 Dec 2011 at 10:31

Attachments:

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
I can see that the M2 packet of reaver is using:

Connection Type Flags: Unknown: 3 (0x03)

And the QSS utility and wpa_supplicant use :

Connection Type Flags: ESS (0x01)

Maybe is related to that? 

Original comment by gorilla....@gmail.com on 31 Dec 2011 at 10:37

GoogleCodeExporter commented 8 years ago
Reaver was updated to use connection type of 0x03 instead of 0x01 in some of 
the latest SVN check-ins, as this is what win7 sends (0x03 == ESS | IBSS).

Original comment by cheff...@tacnetsol.com on 31 Dec 2011 at 1:23

GoogleCodeExporter commented 8 years ago
Right after the M2 packet reaver is sending a M2D packet, shouldn't it wait for 
the M3 packet of the AP. 

Commenting wps_build_m2d in wps_registrar_get_msg(), reaver is able to send a 
M4 packet after the M3 packet of the AP, but then again reaver send some 
wsc_nack and the wps negotiation doesn't succeed.

Original comment by gorilla....@gmail.com on 31 Dec 2011 at 3:09

GoogleCodeExporter commented 8 years ago
I set the connection type to only use ESS. Also updated the code so that 
win7-specific options are only included in the M2 packet if --win7 is specified 
on the command line; run without --win7 and see if this changes anything for 
you.

FYI, based on the reaver pcap you provided, it looks like you may need to 
re-build reaver with 'make cleanall; ./configure; make'.

Original comment by cheff...@tacnetsol.com on 2 Jan 2012 at 3:32

GoogleCodeExporter commented 8 years ago
No luck with this option.

I'm attaching the output and the cap files.

Thank you for your support

Original comment by gorilla....@gmail.com on 2 Jan 2012 at 4:22

Attachments:

GoogleCodeExporter commented 8 years ago
Well, After all it maybe driver related.

I've just tried with a usb dongle ZyDAS ZD1211 that uses the zd1211rw driver 
and it's worked great.

So to sum up:

Intel Centrino Ultimate-N 6300 (rev 35)---Iwlagn dirver---Kernel 3.1.6----Not 
Working
Atheros AR5001X+---ath5k driver---Kernel 3.1.6/ Kernel 2.6.34---Not Working
ZyDAS ZD1211---zd1211rw---Kernel 3.1.6---Working

So I'll stick to the usb dongle :) Thanks!!

Original comment by gorilla....@gmail.com on 2 Jan 2012 at 4:43

Attachments:

GoogleCodeExporter commented 8 years ago
Hmm, interesting. I have not used the iwlagn or ath5k drivers myself, but I've 
had others tell me they worked for them. It may be specific to the actual card 
the drivers are talking to. 

Anyway, glad this fixed your issue as I have several TP-Links and Reaver works 
very well with all of them. I will add a "partially supported" section to the 
supported drivers wiki page and note that some of these drivers may or may not 
work depending on your card. Thanks!

Original comment by cheff...@tacnetsol.com on 2 Jan 2012 at 6:15