nicholasoh / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

Exit after one pin attempt #5

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. ./reaver -i mon0 -b <mac> -vv 
2.
3.

What is the expected output? What do you see instead?
expect several attempts, quits after one.

What version of the product are you using? On what operating system?
svn checkout after Issue: 2. Fedora 16

Please provide any additional information below.

./reaver -i mon0 -b 00:1C:F0:C4:BF:26 -vv

Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from 00:1C:F0:C4:BF:26
[+] Switching mon0 to channel 10
[+] Associated with 00:1C:F0:C4:BF:26 (ESSID: Test)
[+] Trying pin 22430373
[root@fedora src]$

Original issue reported on code.google.com by Tommyn...@gmail.com on 29 Dec 2011 at 3:30

GoogleCodeExporter commented 8 years ago
Dec 29 16:32:21 fedora kernel: [1446351.705655] reaver[27494]: segfault at 48 
ip 0000000000411206 sp 00007fff3d4b5960 error 4 in reaver[400000+3d000]

Original comment by Tommyn...@gmail.com on 29 Dec 2011 at 3:33

GoogleCodeExporter commented 8 years ago
This is probably related to issue #6...what wireless card and driver are you 
using?

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 3:39

GoogleCodeExporter commented 8 years ago
awus036h - rtl8187

Original comment by Tommyn...@gmail.com on 29 Dec 2011 at 3:42

GoogleCodeExporter commented 8 years ago
Can you provide a core dump or valgrind log?

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 3:45

GoogleCodeExporter commented 8 years ago
Same issue with Atheros 9285 useing ath9k driver

Original comment by shadow...@gmail.com on 29 Dec 2011 at 3:52

GoogleCodeExporter commented 8 years ago
Just checked in some code that may be a fix for this. Can anyone check out the 
latest SVN code and see if the bug still exists?

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 3:56

GoogleCodeExporter commented 8 years ago
I am also have this issue using ALFA AWUS036H(rtl8187). I'm assuming it's 
crashing because sometimes no output is displayed, indicating that the attempt 
was unsuccessful.

Original comment by rtstanif...@gmail.com on 29 Dec 2011 at 3:59

GoogleCodeExporter commented 8 years ago
after one pIN in 1.1 ver

root@bt:/opt/wpa/reaver-1.1/src# reaver -i mon1 -b 00:1C:DF:99:EC:B4 -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from 00:1C:DF:99:EC:B4
[+] Switching mon1 to channel 1
[+] Associated with 00:1C:DF:99:EC:B4 (ESSID: belkin54g)
[+] Trying pin 64816807
Segmentation fault

Original comment by stoneman...@gmail.com on 29 Dec 2011 at 4:01

GoogleCodeExporter commented 8 years ago
valgrind --track-origins=yes ./reaver -i mon0 -b 00:1C:F0:C2:BF:27 -vv
==29147== Memcheck, a memory error detector
==29147== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==29147== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==29147== Command: ./reaver -i mon0 -b 00:1C:F0:C2:BF:27 -vv
==29147== 

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from 00:1C:F0:C4:BF:26
[+] Switching mon0 to channel 10
[+] Associated with 00:1C:F0:C4:BF:26 (ESSID: Test)
==29147== Conditional jump or move depends on uninitialised value(s)
==29147==    at 0x4071C5: get_wps_data_element (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406C97: parse_wps_tag (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406B69: parse_wps_parameters (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x403578: is_wps_locked (80211.c:133)
==29147==    by 0x404BD7: crack (cracker.c:105)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  Uninitialised value was created by a stack allocation
==29147==    at 0x406B72: parse_wps_tag (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== 
==29147== Invalid read of size 4
==29147==    at 0x410F52: wps_registrar_init (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406077: initialize_wps_data (init.c:56)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  Address 0x4d1dfe4 is 0 bytes after a block of size 84 alloc'd
==29147==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29147==    by 0x40600E: initialize_wps_data (init.c:32)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147== 
==29147== Invalid read of size 8
==29147==    at 0x40F38E: wps_init (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406099: initialize_wps_data (init.c:68)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  Address 0x4d1df48 is 56 bytes inside a block of size 60 alloc'd
==29147==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29147==    by 0x405FE1: initialize_wps_data (init.c:24)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147== 
==29147== Invalid read of size 4
==29147==    at 0x40F3C2: wps_init (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406099: initialize_wps_data (init.c:68)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  Address 0x4d1df50 is 4 bytes after a block of size 60 alloc'd
==29147==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29147==    by 0x405FE1: initialize_wps_data (init.c:24)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147== 
[+] Trying pin 27176948
==29147== Invalid read of size 8
==29147==    at 0x411368: wps_registrar_get_pin (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x4121C6: wps_get_dev_password (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x413E29: wps_registrar_get_msg (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406718: send_msg (send.c:80)
==29147==    by 0x405384: do_wps_exchange (exchange.c:66)
==29147==    by 0x404CC6: crack (cracker.c:160)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  Address 0x48 is not stack'd, malloc'd or (recently) free'd
==29147== 
==29147== 
==29147== Process terminating with default action of signal 11 (SIGSEGV)
==29147==  Access not within mapped region at address 0x48
==29147==    at 0x411368: wps_registrar_get_pin (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x4121C6: wps_get_dev_password (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x413E29: wps_registrar_get_msg (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406718: send_msg (send.c:80)
==29147==    by 0x405384: do_wps_exchange (exchange.c:66)
==29147==    by 0x404CC6: crack (cracker.c:160)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  If you believe this happened as a result of a stack
==29147==  overflow in your program's main thread (unlikely but
==29147==  possible), you can try to increase the size of the
==29147==  main thread stack using the --main-stacksize= flag.
==29147==  The main thread stack size used in this run was 8388608.
==29147== 
==29147== HEAP SUMMARY:
==29147==     in use at exit: 155,143 bytes in 11,025 blocks
==29147==   total heap usage: 11,085 allocs, 60 frees, 157,789 bytes allocated
==29147== 
==29147== LEAK SUMMARY:
==29147==    definitely lost: 54,915 bytes in 11,007 blocks
==29147==    indirectly lost: 10,322 bytes in 6 blocks
==29147==      possibly lost: 0 bytes in 0 blocks
==29147==    still reachable: 89,906 bytes in 12 blocks
==29147==         suppressed: 0 bytes in 0 blocks
==29147== Rerun with --leak-check=full to see details of leaked memory
==29147== 
==29147== For counts of detected and suppressed errors, rerun with: -v
==29147== ERROR SUMMARY: 18 errors from 5 contexts (suppressed: 2 from 2)
Segmentation fault (core dumped)

Original comment by Tommyn...@gmail.com on 29 Dec 2011 at 4:07

GoogleCodeExporter commented 8 years ago
Tried revision 12, problem still arising.

Original comment by rtstanif...@gmail.com on 29 Dec 2011 at 4:11

GoogleCodeExporter commented 8 years ago
Looks like there are some unhandled NULL pointer exceptions. Added null checks 
to the latest check in, try now.

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 4:12

GoogleCodeExporter commented 8 years ago
Just tried revision 14. Sometimes it gives "[!] WARNING: Receive timeout 
occurred" and sometimes it exits with nothing.

Original comment by rtstanif...@gmail.com on 29 Dec 2011 at 4:15

GoogleCodeExporter commented 8 years ago
just tried revision 14 tries 1 pin and segfaults

Original comment by shadow...@gmail.com on 29 Dec 2011 at 4:19

GoogleCodeExporter commented 8 years ago
[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 97035473

revision 15

Original comment by shadow...@gmail.com on 29 Dec 2011 at 4:34

GoogleCodeExporter commented 8 years ago
as of revision 16 the segfault is cleared..

i am trying with some SSID but what is get is...
[+] Waiting for beacon from 74:EA:3A:D5:E3:3A
[+] Switching mon0 to channel 1
[+] Associated with 74:EA:3A:D5:E3:3A (ESSID: Gecevi)
[+] Trying pin 71951249
[+] Trying pin 71951249
[+] Trying pin 71951249
[+] Trying pin 71951249
[+] Trying pin 71951249
[!] WARNING: Receive timeout occurred
[+] Trying pin 71951249
[!] WARNING: Receive timeout occurred
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 71951249
[!] WARNING: Receive timeout occurred
[+] Trying pin 71951249
[+] Trying pin 71951249

Original comment by ianc...@gmail.com on 30 Dec 2011 at 9:41

GoogleCodeExporter commented 8 years ago
but again nothing happens..

/reaver -i mon0 -b 74:EA:3A:B9:E3:B0 -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from 74:EA:3A:B9:E3:B0
[+] Switching mon0 to channel 11
[+] Associated with 74:EA:3A:B9:E3:B0 (ESSID: RADDY)
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
^C

Original comment by ianc...@gmail.com on 30 Dec 2011 at 9:44

GoogleCodeExporter commented 8 years ago
I am also getting the same output as comment 15 and 16.

Original comment by rtstanif...@gmail.com on 30 Dec 2011 at 9:51

GoogleCodeExporter commented 8 years ago
Actually the svn 16 again core dumped..
My first try was with Backtrack 5 on x64bit and it does not segfault but was 
only trying same PIn..
However on x64 Fedora 16 svn 16 
i got:

/reaver -i mon0 -b 70:71:BC:26:EE:C0 -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from 70:71:BC:26:EE:C0
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 1
[+] Associated with 70:71:BC:26:EE:C0 (ESSID: fe5f4c)
[+] Trying pin 98850471
Segmentation fault (core dumped)

Original comment by ianc...@gmail.com on 30 Dec 2011 at 10:29

GoogleCodeExporter commented 8 years ago
DMESG:

[ 1862.958153] reaver[5202] general protection ip:40f3df sp:7fff32cc7ca0 
error:0 in reaver[400000+3d000]

Original comment by ianc...@gmail.com on 30 Dec 2011 at 10:30

GoogleCodeExporter commented 8 years ago

after 
debuginfo-install glibc-2.14.90-21.x86_64 libpcap-1.1.1-4.fc16.x86_64

(gdb) backtrace 
#0  0x000000000040f3df in wps_init ()
#1  0x00000000004060a1 in initialize_wps_data () at init.c:72
#2  0x0000000000404be3 in crack () at cracker.c:117
#3  0x0000000000402461 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

Original comment by ianc...@gmail.com on 30 Dec 2011 at 10:49

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
The latest code (r20) seems to have fixed these issues. Please check out the 
lastet code and verify.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 2:43

GoogleCodeExporter commented 8 years ago
Issues 5 & 6 are the same; more comments have been happening on issue #6, so 
rolling this into #6.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 4:23