niyyate / reaver-wps

Automatically exported from code.google.com/p/reaver-wps

reaver gets stuck when AP changes channel #118

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
BT5, iwlagn 5100, r82, DLink DIR-628

Runs fine without false positives now, but this AP changes channels frequently, 
which I hadn't encountered before. If it changes channel, reaver gets "stuck" 
and obviously doesn't realize the channel change.
Workaround is to run airodump-ng mon0 to see the new channel of the AP and then 
airodump-ng --channel x mon0. After that second command reaver continues.

[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[!] WARNING: 25 successive start failures
[+] Sending EAPOL START request
[+] Trying pin 46935670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending M2 message
[!] WARNING: Last message not processed properly, reverting state to previous message
[!] WARNING: Out of order packet received, re-trasmitting last message
[+] Sending M2D message
[+] Sending WSC NACK
[+] 5.46% complete @ 2012-01-09 19:05:44 (140 seconds/attempt)
[+] Trying pin 46935670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending M2 message
[+] Sending M4 message
[+] Sending WSC NACK
[+] Trying pin 99825676
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending M2 message 

Original issue reported on code.google.com by efs...@gmail.com on 10 Jan 2012 at 6:27

GoogleCodeExporter commented 8 years ago
Reaver should detect the channel change and hop to the appropriate channel as 
long as you didn't set the channel number explicitly on the Reaver command 
line. I'll see if I can reproduce this to make sure Reaver is hopping channels 
properly.

Original comment by cheff...@tacnetsol.com on 10 Jan 2012 at 12:54

GoogleCodeExporter commented 8 years ago
It does hop channels only on startup and finds the AP and starts WPS. But 
whenever the AP changes channels reaver doesn't start hopping as usual, it just 
goes on with 
[!] WARNING: Receive timeout occurred

Somehow it seems that reaver doesn't notice anything changed. Also, when I run 
airodump on the new channel, reaver continues right away. There is no new 
association even if it's been stuck for hours.

And there is also this "decloak" message in the airodump output which I don't 
know what it is.

Original comment by efs...@gmail.com on 10 Jan 2012 at 4:06

GoogleCodeExporter commented 8 years ago
Looking at the code, Reaver will only begin channel hopping again if it can't 
associate to the AP anymore. My guess is that the AP is changing to an adjacent 
channel (and/or you are very close to the AP) such that Reaver is still able to 
associate but the degraded signal is not strong enough to perform a full WPS 
exchange. Will fix this and let you know when it's checked in.

Original comment by cheff...@tacnetsol.com on 10 Jan 2012 at 5:05

GoogleCodeExporter commented 8 years ago
r84 should now properly follow the AP as it changes channels.

Original comment by cheff...@tacnetsol.com on 10 Jan 2012 at 5:44

GoogleCodeExporter commented 8 years ago
Unfortunately it still has the same problems. One thing I hadn't seen before, 
though, is the "failed to associate" 3 times. 
Don't have time to try things and check pcaps for something different, but I have 
no ideas anyway. Maybe a driver (iwlagn) thing? 

Original comment by efs...@gmail.com on 10 Jan 2012 at 8:28

GoogleCodeExporter commented 8 years ago
OK, reproduced the issue by manually channel hopping my own AP. Bug found and 
fixed in r85.

Original comment by cheff...@tacnetsol.com on 11 Jan 2012 at 4:38