phantbn / reaver-wps

Automatically exported from code.google.com/p/reaver-wps

Reaver segmentation fault #6

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Moved from issue #2:

Comment 20 by gorilla.maguila, Today (43 minutes ago)
This is what I get with latest subversion:

[+] Waiting for beacon from C0:3F:0E:C1:DB:A7
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 4
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7
[+] Associated with C0:3F:0E:C1:DB:A7
[+] Trying pin 90553301
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7
[+] Switching mon0 to channel 3
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
Segmentation fault

I'm under kernel 3.1.5 with iwlagn driver

Comment 21 by project member cheffner@tacnetsol.com, Today (33 minutes ago)
maguila,

I have not tested the iwlagn drivers, but since you were able to associate I'd 
suspect that injection is working properly. The failed associations and receive 
timeouts are usually an indication of poor signal strength or a lot of wireless 
interference.

The segfault is troubling though. Can you give more info on your OS?

Comment 22 by gorilla.maguila, Today (12 minutes ago)
I'm using Archlinux x64. We use almost the latest packages on everything as it 
is a rolling release distro.

I have tried to run under gdb but I don't know why I don't get the segmentation 
fault:

$gdb ./reaver
GNU gdb (GDB) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/user/reaver-wps-read-only/src/reaver...done.
(gdb) run -i mon0 -b C0:3F:0E:C1:DB:A7 -vv
Starting program: /home/user/reaver-wps-read-only/src/reaver -i mon0 -b 
C0:3F:0E:C1:DB:A7 -vv

Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from C0:3F:0E:C1:DB:A7
[+] Switching mon0 to channel 4
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[+] Associated with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[+] Trying pin 26141367
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[+] Switching mon0 to channel 2
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
...etc

But again I get the segmentation fault without gdb.

Original issue reported on code.google.com by cheff...@tacnetsol.com on 29 Dec 2011 at 3:36

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
This time I managed to make it segfault under gdb with -f 4 option:

$gdb ./reaver
GNU gdb (GDB) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/user/reaver-wps-read-only/src/reaver...done.
(gdb) run -i mon0 -b C0:3F:0E:C1:DB:A7 -f 4 -vv
Starting program: /home/user/reaver-wps-read-only/src/reaver -i mon0 -b 
C0:3F:0E:C1:DB:A7 -f 4 -vv

Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from C0:3F:0E:C1:DB:A7
[+] Associated with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[+] Trying pin 91325709
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred

Program received signal SIGSEGV, Segmentation fault.
0x0000000000411556 in wps_registrar_expire_pins ()
(gdb) backtrace
#0  0x0000000000411556 in wps_registrar_expire_pins ()
#1  0x00000000004116cf in wps_registrar_get_pin ()
#2  0x0000000000412532 in wps_get_dev_password ()
#3  0x0000000000414195 in wps_registrar_get_msg ()
#4  0x0000000000406a99 in send_msg () at send.c:80
#5  0x0000000000405705 in do_wps_exchange () at exchange.c:66
#6  0x0000000000405047 in crack () at cracker.c:160
#7  0x00000000004027b1 in main (argc=8, argv=<optimized out>) at wpscrack.c:80

(gdb) farme 1
Undefined command: "farme".  Try "help".
(gdb) frame 1
#1  0x00000000004116cf in wps_registrar_get_pin ()
(gdb) kill
Kill the program being debugged? (y or n) y
(gdb) quit

Tell me what to do to continue debugging and I will be happy to help.

Best Regards

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 3:43

GoogleCodeExporter commented 9 years ago
This bug also affects me. I'm using Arch x86-64 and iwlagn as well. Here's a 
trace with the function parameters:

#0  0x0000000000411556 in wps_registrar_expire_pins (reg=0x0) at 
wps_registrar.c:559
#1  0x00000000004116cf in wps_registrar_get_pin (reg=0x0, 
    uuid=0x6cca04 "VZ\251Ig\301L\016\252\217\363I\346\365\223\021\177\323\f\277\261h\351ٶ\244\266P", pin_len=0x7fffffffe8f0)
    at wps_registrar.c:600
#2  0x0000000000412532 in wps_get_dev_password (wps=0x6cc9e0) at 
wps_registrar.c:1000
#3  0x0000000000414195 in wps_registrar_get_msg (wps=0x6cc9e0, 
op_code=0x7fffffffe94c) at wps_registrar.c:1615
#4  0x0000000000406a99 in send_msg () at send.c:80
#5  0x0000000000405705 in do_wps_exchange () at exchange.c:66
#6  0x0000000000405047 in crack () at cracker.c:160
#7  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

I guess reg isn't supposed to be a NULL pointer.

Original comment by cos...@linux-geek.org on 29 Dec 2011 at 3:45

GoogleCodeExporter commented 9 years ago
Thanks, gdb output is very helpful. :)

I've added null checks to the wps_registrar_expire_pins function. Can you check 
out the latest SVN code and test it to see if this fixes the issue?

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 3:54

GoogleCodeExporter commented 9 years ago
reaver -i mon0 -vv -b XX:XX:XX:XX:XX:XX

Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 1
[+] Associated with 14:D6:4D:C8:94:5E (ESSID: ANONYMOUS)
[+] Trying pin 71755106
Speicherzugriffsfehler
root@zaunkoenig:/reaver_svn/reaver-wps-read-only/src# gdb ./reaver
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /reaver_svn/reaver-wps-read-only/src/reaver...done.
(gdb) run -i mon0 -vv -b XX:XX:XX:XX:XX:XX
Starting program: /reaver_svn/reaver-wps-read-only/src/reaver -i mon0 -vv -b 
XX:XX:XX:XX:XX:XX
Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[+] Associated with 14:D6:4D:C8:94:5E (ESSID: ANONYMOUS)
[+] Trying pin 95384153
[!] WARNING: Receive timeout occurred

Program received signal SIGSEGV, Segmentation fault.
0x00000000004118f1 in wps_registrar_unlock_pin ()
(gdb) backtrace
#0  0x00000000004118f1 in wps_registrar_unlock_pin ()
#1  0x0000000000407ca3 in wps_deinit ()
#2  0x0000000000404eba in crack () at cracker.c:205
#3  0x0000000000402575 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
(gdb) frame 1
#1  0x0000000000407ca3 in wps_deinit ()
(gdb) 

Linux anonymous 3.0.0-15-generic #24-Ubuntu SMP Mon Dec 12 15:23:55 UTC 2011 
x86_64 x86_64 x86_64 GNU/Linux

Tested chipsets and drivers:
wlan0       Intel 4965/5xxx iwlagn - [phy0]
wlan1       RTL8187     rtl8187 - [phy2]

Same results.

Original comment by schwammt...@gmail.com on 29 Dec 2011 at 3:58

GoogleCodeExporter commented 9 years ago
Yep, same results here as well:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004116b8 in wps_registrar_get_pin ()
(gdb) backtrace
#0  0x00000000004116b8 in wps_registrar_get_pin ()
#1  0x0000000000412517 in wps_get_dev_password ()
#2  0x000000000041417a in wps_registrar_get_msg ()
#3  0x0000000000406a69 in send_msg () at send.c:80
#4  0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5  0x0000000000405017 in crack () at cracker.c:160
#6  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 4:04

GoogleCodeExporter commented 9 years ago
Tried it again with rev 12. Same results.

Original comment by schwammt...@gmail.com on 29 Dec 2011 at 4:05

GoogleCodeExporter commented 9 years ago
Added null checks. See if that fixed it.

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 4:10

GoogleCodeExporter commented 9 years ago
Here is the strace.out

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 4:10

Attachments:

GoogleCodeExporter commented 9 years ago
Revision 13 still crashes. Here's the backtrace:

#0  0x00000000004116b8 in wps_registrar_get_pin (reg=0x0, 
    uuid=0x6cca04 "VZ\251Ig\301L\016\252\217\363I\346\365\223\021xn\263\032\033\227\362\321P@=c", pin_len=0x7fffffffe8f0) at wps_registrar.c:608
#1  0x0000000000412582 in wps_get_dev_password (wps=0x6cc9e0) at 
wps_registrar.c:1036
#2  0x00000000004141e5 in wps_registrar_get_msg (wps=0x6cc9e0, 
op_code=0x7fffffffe94c) at wps_registrar.c:1651
#3  0x0000000000406a69 in send_msg () at send.c:80
#4  0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5  0x0000000000405017 in crack () at cracker.c:160
#6  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

Original comment by cos...@linux-geek.org on 29 Dec 2011 at 4:10

GoogleCodeExporter commented 9 years ago
Revision 14:

#0  0x000000000041112e in wps_build_config_methods_r (reg=0x0, msg=0x6cd6a0) at 
wps_registrar.c:420
#1  0x0000000000413b42 in wps_build_m2d (wps=0x6ccd90) at wps_registrar.c:1446
#2  0x0000000000414244 in wps_registrar_get_msg (wps=0x6ccd90, 
op_code=0x7fffffffe94c) at wps_registrar.c:1668
#3  0x0000000000406a69 in send_msg () at send.c:80
#4  0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5  0x0000000000405017 in crack () at cracker.c:160
#6  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

Original comment by cos...@linux-geek.org on 29 Dec 2011 at 4:13

GoogleCodeExporter commented 9 years ago
With rev 14 I get this:

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: ANONYMOUS)
[+] Trying pin 15878182
[!] WARNING: Receive timeout occurred
[+] Trying pin 15878182
Speicherzugriffsfehler

So reaver is now trying the same pin again, before the segmentation fault 
occurs.

Original comment by schwammt...@gmail.com on 29 Dec 2011 at 4:15

GoogleCodeExporter commented 9 years ago
Added some debug printfs and put in a NULL check at a higher layer...

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 4:25

GoogleCodeExporter commented 9 years ago
With rev 15:

[+] Waiting for beacon from C0:3F:0E:F3:9D:A3
[+] Switching mon0 to channel 6
[!] WARNING: Failed to associate with C0:3F:0E:F3:9D:A3 (ESSID: ONO9DA3)
[+] Associated with C0:3F:0E:F3:9D:A3 (ESSID: ONO9DA3)
[+] Trying pin 13030865
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message

Program received signal SIGSEGV, Segmentation fault.
0x000000000040f72f in wps_init ()
(gdb) backtrace
#0  0x000000000040f72f in wps_init ()
#1  0x00000000004063f1 in initialize_wps_data () at init.c:72
#2  0x0000000000404f33 in crack () at cracker.c:117
#3  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
(gdb) frame 0
#0  0x000000000040f72f in wps_init ()

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 4:30

GoogleCodeExporter commented 9 years ago
I have tried revision 15 now. I find it weird that it fails to associate, 
because my WiFi signal is strong (-41dBm). It doesn't crash but it seems stuck 
at this point:

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Trying pin 32926729
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Switching mon0 to channel 2
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message

Original comment by cos...@linux-geek.org on 29 Dec 2011 at 4:32

GoogleCodeExporter commented 9 years ago
same here

[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 97035473

On revision 15, at least, no more segfaulting.

Original comment by shadow...@gmail.com on 29 Dec 2011 at 4:37

GoogleCodeExporter commented 9 years ago
Interesting...what access point (vendor, model, version) are you testing this 
against?

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 4:39

GoogleCodeExporter commented 9 years ago
I'm trying on a:

http://www.netgear.com/service-provider/products/routers-and-gateways/cable-gateways/CG3000_CG3100.aspx

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 4:43

GoogleCodeExporter commented 9 years ago
By the way I know the PIN on the one I'm trying: 50459360

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 4:45

GoogleCodeExporter commented 9 years ago
OK, first the silly question: are you sure WPS is enabled?

Second, can you provide a pcap file? Using the display filter of 'eap || eapol' 
should give you just the WPS packets.

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 4:47

GoogleCodeExporter commented 9 years ago
I'm quite sure it's enabled, I have enabled it on the router configuration page.

But then again could be that I'm doing something wrong.

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 5:09

Attachments:

GoogleCodeExporter commented 9 years ago
I am using a TP-LINK TL-WR1043N, having exactly the same problem.
WPS is enabled and working.

Original comment by schwammt...@gmail.com on 29 Dec 2011 at 5:13

GoogleCodeExporter commented 9 years ago
Mine is a Linksys E4200 HW Version 1.

Original comment by cos...@linux-geek.org on 29 Dec 2011 at 5:15

GoogleCodeExporter commented 9 years ago
From the pcap it looks like the AP maybe isn't seeing the packets? Hard to 
tell. I have tested netgears, tp-links and linksys devices, but not these 
specific models. What type of signal strength do you have, and can you move 
closer to the AP to rule this out as a potential cause?

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 5:28

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
The signal is quite good, it's -38.

I'll try with a TP-LINK TL-WR1043N factory default also and see what I get.

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 5:31

GoogleCodeExporter commented 9 years ago
wlan0     IEEE 802.11bgn  ESSID:"wlantest"  
          Mode:Managed  Frequency:2.437 GHz  Access Point: XX:XX:XX:XX:XX:XX   
          Bit Rate=150 Mb/s   Tx-Power=14 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=70/70  Signal level=-31 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:364  Invalid misc:52   Missed beacon:0

The AP is one meter away from the Laptop. ;-)

Anyway: Many thanks for your work and the effort to solve the problem(s)!

Original comment by schwammt...@gmail.com on 29 Dec 2011 at 5:32

GoogleCodeExporter commented 9 years ago
I get the same timeout message as above, WPS is definitely enabled.

router: dlink dir 615
http://www.dlink.de/cs/Satellite?c=TechSupport_C&childpagename=DLinkEurope-DE%2FDLTechProduct&cid=1197374950653&p=1197318958220&packedargs=locale%3D1195806663795&pagename=DLinkEurope-DE%2FDLWrapper

driver: rtl8187

Original comment by brosin...@googlemail.com on 29 Dec 2011 at 5:33

GoogleCodeExporter commented 9 years ago
Here is the cap file with a TP-Link 1043ND with factory defaults, WPS 
enabled, only changed the WPA2 key.

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 6:03

Attachments:

GoogleCodeExporter commented 9 years ago
A 24 byte pcap?

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 6:06

GoogleCodeExporter commented 9 years ago
Sorry :)

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 6:09

Attachments:

GoogleCodeExporter commented 9 years ago
I installed Ubuntu 10.04 LTS in a virtualbox vm and it works with my RTL8187 
USB Adapter.
So I guess it is not an AP problem.

Original comment by schwammt...@gmail.com on 29 Dec 2011 at 6:10

GoogleCodeExporter commented 9 years ago
This time didn't segfault.

The command output was:

[+] Waiting for beacon from F4:EC:38:A0:4F:06
[+] Switching mon0 to channel 9
[+] Associated with F4:EC:38:A0:4F:06 (ESSID: TP-LINK_A04F06)
[+] Trying pin 91636102
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 91636102
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 91636102

[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 6:11

GoogleCodeExporter commented 9 years ago
@schwammtaucher,

So it didn't work before, but it works fine for you in 10.04?

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 7:36

GoogleCodeExporter commented 9 years ago
@cheff,

that is true. No more segmentation faults.

Original comment by schwammt...@gmail.com on 29 Dec 2011 at 7:44

GoogleCodeExporter commented 9 years ago
OK, I've just made another check in, which will hopefully address both the seg 
fault issue and the message processing warnings. It works for me under BT 5 
with the rtl8187 drivers, but I couldn't reproduce the seg faults to begin 
with, so some verification would be appreciated.

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 7:54

GoogleCodeExporter commented 9 years ago
[+] Waiting for beacon from EC:55:F9:23:62:2C
[+] Switching mon0 to channel 1
[+] Associated with EC:55:F9:23:62:2C (ESSID: Ziggo4ACAC)
[+] Trying pin 89158838
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
Segmentation fault

Rev 16 On bt5

Original comment by Sca...@gmail.com on 29 Dec 2011 at 8:19

GoogleCodeExporter commented 9 years ago
checked out revision 16

gdb ./reaver
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from 
/root/Desktop/Downloads/reaver-wps-read-only/src/reaver...done.
(gdb) run -i wlan1 -b 00:1C:10:08:B7:A5  -vv -c 6
Starting program: /root/Desktop/Downloads/reaver-wps-read-only/src/reaver -i 
wlan1 -b 00:1C:10:08:B7:A5  -vv -c 6

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching wlan1 to channel 6
[+] Waiting for beacon from 00:1C:10:08:B7:A5
[+] Switching wlan1 to channel 6
[+] Associated with 00:1C:10:08:B7:A5 (ESSID: linksys)
[+] Trying pin 06030254

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff762acae in memcpy () from /lib/libc.so.6
(gdb) run -i wlan1 -b 00:1C:10:08:B7:A5  -vv -c 6
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/Downloads/reaver-wps-read-only/src/reaver -i 
wlan1 -b 00:1C:10:08:B7:A5  -vv -c 6

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching wlan1 to channel 6
[+] Waiting for beacon from 00:1C:10:08:B7:A5
[+] Switching wlan1 to channel 6
[+] Associated with 00:1C:10:08:B7:A5 (ESSID: linksys)
[+] Trying pin 79956529
[!] WARNING: Receive timeout occurred
[+] Trying pin 79956529
[+] Trying pin 79956529
[!] WARNING: Receive timeout occurred

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff762acae in memcpy () from /lib/libc.so.6

I am running BackTrack5 (not BT5 R1) and testing with RTL8187L based Alfa 500mW 
card

is there anything I can do to help you debug it?

Original comment by jcdento...@gmail.com on 29 Dec 2011 at 8:22

GoogleCodeExporter commented 9 years ago
I am on rev16, bt5r1, 64bit running in VirtualBox. RTL8187 (using alfa antenna).

[+] Waiting for beacon from xx:xx:xx:xx:xx:xx
[+] Associated with xx:xx:xx:xx:xx:xx (ESSID: xxxxx)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff762acae in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x00007ffff762acae in memcpy () from /lib/libc.so.6
#1  0x000000000040f8e8 in wps_init ()
#2  0x000000000040653e in initialize_wps_data () at init.c:72
#3  0x0000000000404f3a in crack () at cracker.c:117
#4  0x0000000000402b25 in main (argc=<value optimized out>, argv=<value 
optimized out>) at wpscrack.c:80

Original comment by bialek.j...@gmail.com on 29 Dec 2011 at 8:25

GoogleCodeExporter commented 9 years ago
I also tried with a VirtualBox VM (Ubuntu 10.04 LTS)
and I was able to test 15 keys, after which I get this warning again:
[!] WARNING: Receive timeout occurred.

My first attempt was with Ubuntu 11.10; there I only get the timeout message 
and no successful test of a key.

Original comment by brosin...@googlemail.com on 29 Dec 2011 at 8:46

GoogleCodeExporter commented 9 years ago
rev 16. bt 5 r1 x64bit
---------------------------------------------------------------
wlan0           Atheros AR9285  ath9k - [phy0]
                                (monitor mode enabled on mon0)
---------------------------------------------------------------
root@bt:/opt/wpa/reaver-wps-read-only/src# ./reaver -i mon0 -b 
00:1C:DF:99:EC:B4 -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from 00:1C:DF:99:EC:B4
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 1
[+] Associated with 00:1C:DF:99:EC:B4 (ESSID: belkin54g)
[+] Trying pin 64563428
[!] WARNING: Receive timeout occurred
[+] Trying pin 64563428
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
Segmentation fault

Original comment by stoneman...@gmail.com on 29 Dec 2011 at 8:50

GoogleCodeExporter commented 9 years ago
OK, I've only been able to reproduce these issues on 64 bit systems; neither 
Ubuntu nor Backtrack 32 bit systems appear to be affected (someone speak up if 
they have had these seg faults on a 32 bit system). 

Not sure yet what the culprit is for 64 bit, but running reaver 1.1 on a 32 bit 
system should get you up and running in the meantime.

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 8:51

GoogleCodeExporter commented 9 years ago
I can confirm I'm on 64 bit Ubuntu and receiving problems. I either get the 
time-out or "not processed properly" errors, but have yet to stumble upon 
"segmentation fault". Maybe I haven't run it long enough for that though.

Original comment by rtstanif...@gmail.com on 29 Dec 2011 at 8:59

GoogleCodeExporter commented 9 years ago
I am getting the segmentation fault and therefore one try only at a PIN. I am 
on a 32-bit Ubuntu 10.04 system. I am using an Alfa USB adaptor. I have tried a 
few APs and all follow the same pattern. Have tried on reaver 1.0 and 1.1.

Hope this helps! ;-)

Original comment by stew.d...@gmail.com on 29 Dec 2011 at 9:12

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Maybe this could help.

On rev 16 I've changed build_wps_pin() function, so it matches my PIN, and 
added a printf as follows:

char *build_wps_pin()
{
        char *key = NULL, *pin = NULL;
        int pin_len = PIN_SIZE + 1;

        pin = malloc(pin_len);
        key = malloc(pin_len);
        if(pin && key)
        {
                memset(key, 0, pin_len);
                memset(pin, 0, pin_len);

                /* Key hard-coded to a known 8-digit PIN instead of the key index values */
                snprintf(key, pin_len, "%s%s", "2020", "6567");

                /* Generate and append the pin checksum digit
                 * (snprintf truncates the result to pin_len - 1 characters) */
                snprintf(pin, pin_len, "%s%d", key, wps_pin_checksum(atoi(key)));

                free(key);
        }

        /* Debug print: pass the pin as an argument, never as the format string */
        if(pin)
                printf("%s", pin);

        return pin;
}

This is the output that I get:

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from F4:EC:38:A0:4F:06
[+] Switching mon0 to channel 9
[+] Associated with F4:EC:38:A0:4F:06 (ESSID: TP-LINK_A04F06)
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[+] 0.00% complete @ 0 seconds/attempt
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Receive timeout occurred
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[!] WARNING: 10 failed connections in a row
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[+] 0.00% complete @ 0 seconds/attempt
...etc

And the pcap file:

Hope this helps

Original comment by gorilla....@gmail.com on 30 Dec 2011 at 12:07

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by gorilla....@gmail.com on 30 Dec 2011 at 12:23

Attachments:

GoogleCodeExporter commented 9 years ago
I can confirm that switching to 32bit Ubuntu 11.10 (with kernel 3.0) works for 
me. I was previously having trouble with 64bit Arch Linux (with kernel 3.1.5).

I have cross-compiled reaver and libpcap to 32bit on my Arch Linux system and 
that doesn't seem to make any difference.

On my Ubuntu system it cracked the WPS pin on a Linksys E4200 (HW V. 1) in 7 
hours. It doesn't seem to employ rate limiting.

Original comment by cos...@linux-geek.org on 30 Dec 2011 at 8:04

GoogleCodeExporter commented 9 years ago
64 bit, linux 3.1, gentoo, libpcap 1.2.0

Starting program: /usr/bin/reaver -i wlan0 -b <redacted> -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from <redacted>
[+] Switching wlan0 to channel <redacted>
[+] Associated with <redacted> (ESSID: <redacted>)
[+] Trying pin 92129740
[+] Trying pin 92129740

Program received signal SIGSEGV, Segmentation fault.
0x0000003b60d2c770 in __memcpy_ssse3_back () from /lib64/libc.so.6
(gdb) bt
#0  0x0000003b60d2c770 in __memcpy_ssse3_back () from /lib64/libc.so.6
#1  0x000000000040f96c in wps_init ()
#2  0x000000000040677d in initialize_wps_data () at init.c:72
#3  0x00000000004051f3 in crack () at cracker.c:117
#4  0x0000000000402d15 in main (argc=<optimized out>, argv=<optimized out>) at 
wpscrack.c:80

The os_memcpy in wps_init does it.

Original comment by Jason.Donenfeld on 30 Dec 2011 at 12:27

GoogleCodeExporter commented 9 years ago
Looks like structure packing causes this issue.
The main binary is compiled with -fpack-struct, but wps is not.

Original comment by chengzhicn@gmail.com on 30 Dec 2011 at 1:49
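The structure-packing explanation above (one object compiled with -fpack-struct, the other without) ties together the two crash symptoms in this thread: the registrar pointer arriving as reg=0x0 in wps_registrar_get_pin, and the memcpy inside wps_init overrunning. The following is an added example written for this page, not reaver's or hostapd's code. It uses a hypothetical wps_ctx layout and simulates the two-compiler mismatch inside one translation unit with __attribute__((packed)), assuming a little-endian x86_64 build; the pointer value is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical context struct (not reaver's real one): the same members laid
 * out twice, once padded as the compiler does by default and once packed,
 * which is what -fpack-struct does to every struct in a translation unit. */
struct wps_ctx_natural {
    uint8_t  state;
    void    *registrar;   /* 7 bytes of padding before this field on x86_64 */
    uint16_t msg_len;
    uint8_t  nonce[16];
};

struct wps_ctx_packed {
    uint8_t  state;
    void    *registrar;   /* no padding: starts at byte 1 */
    uint16_t msg_len;
    uint8_t  nonce[16];
} __attribute__((packed));

/* Extra bytes a memcpy sized by the natural layout writes past the end of an
 * object allocated with the packed layout (the crash seen under wps_init). */
size_t layout_size_difference(void)
{
    return sizeof(struct wps_ctx_natural) - sizeof(struct wps_ctx_packed);
}

size_t natural_registrar_offset(void) { return offsetof(struct wps_ctx_natural, registrar); }
size_t packed_registrar_offset(void)  { return offsetof(struct wps_ctx_packed, registrar); }

/* The "library" side believes the bytes it is handed use the natural layout.
 * Copying the caller's bytes into a natural struct is the well-defined way to
 * read them through the other layout (no aliasing or alignment tricks). */
uintptr_t library_reads_registrar(const struct wps_ctx_packed *from_main)
{
    struct wps_ctx_natural as_seen_by_library;
    memset(&as_seen_by_library, 0, sizeof as_seen_by_library);
    memcpy(&as_seen_by_library, from_main, sizeof *from_main);
    return (uintptr_t)as_seen_by_library.registrar;
}

/* The "main binary" side fills a packed context with a non-NULL registrar
 * and hands it over. The library reads 8 bytes at its own offset 8, which in
 * the packed bytes are the top byte of the pointer, msg_len and part of the
 * nonce, all zero here, so the registrar comes back as NULL. */
uintptr_t registrar_seen_across_mismatch(void)
{
    struct wps_ctx_packed ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.state = 1;
    ctx.registrar = (void *)(uintptr_t)0x00007f1234567890ULL;  /* constructed sample, not a real address */
    ctx.msg_len = 0;
    return library_reads_registrar(&ctx);
}

int main(void)
{
    printf("sizeof natural=%zu packed=%zu (memcpy overrun of %zu bytes)\n",
           sizeof(struct wps_ctx_natural), sizeof(struct wps_ctx_packed),
           layout_size_difference());
    printf("registrar offset natural=%zu packed=%zu\n",
           natural_registrar_offset(), packed_registrar_offset());
    printf("registrar as seen by the library: %#lx\n",
           (unsigned long)registrar_seen_across_mismatch());
    return 0;
}
```

The practical check is therefore not more NULL tests deeper in the callee chain (each one only moves the crash to the next field read at the wrong offset) but making sure every object that shares a struct definition is built with the same packing flags, for example by inspecting CFLAGS in both Makefiles or comparing sizeof of the shared struct from each side.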