tylerbuckles14 / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

Cisco E3200 AP timeouts, out of order packets, failed attack. #53

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
Run reaver against a Cisco/Linksys E3200 AP

What is the expected output? What do you see instead?
Expect a successful attack resulting in pin disclosure.
Seeing receive timeouts, message processing errors, out of order packets, no 
pin change, retransmits.

Product and OS version info:

Backtrack 5 Linux 2.6.39.4 #1 SMP Thu Aug 18 13:38:02 NZST 2011 i686 GNU/Linux
wlan0: 03:00.0 Network controller: Intel Corporation Centrino Advanced-N 6200 
(rev 35)
Cisco E3200 AP Firmware 1.0.02

root@root:~/reaver-wps-read-only/src# svn info
Path: .
URL: http://reaver-wps.googlecode.com/svn/trunk/src
Repository Root: http://reaver-wps.googlecode.com/svn
Repository UUID: 027a3e96-2d37-f1c0-85d6-5ce5a08386c2
Revision: 37
Node Kind: directory
Schedule: normal
Last Changed Author: cheffner@tacnetsol.com
Last Changed Rev: 37
Last Changed Date: 2012-01-02 10:30:32 -0500 (Mon, 02 Jan 2012)

iwconfig wlan0 mode monitor

root@root:~/reaver-wps-read-only/src# ./reaver -i wlan0 -b 58:6d:8f:07:62:0d -c 
11 -vv > /root/cisco-e3200-reaverlog.txt

[+] Waiting for beacon from 58:6D:8F:07:62:0D
[+] Switching wlan0 to channel 11
[!] WARNING: Failed to associate with 58:6D:8F:07:62:0D (ESSID: Cisco47272)
[!] WARNING: Failed to associate with 58:6D:8F:07:62:0D (ESSID: Cisco47272)
[+] Associated with 58:6D:8F:07:62:0D (ESSID: Cisco47272)
[+] Trying pin 59631507
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Out of order packet received, re-trasmitting last message
[+] Trying pin 59631507
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred

Original issue reported on code.google.com by pah...@gmail.com on 2 Jan 2012 at 5:06

Attachments:

GoogleCodeExporter commented 9 years ago
Put the card in monitor mode

$airmon-ng start wlan0

and then 

$./reaver -i mon0 -b 58:6d:8f:07:62:0d -c 11 -vv

Original comment by gorilla....@gmail.com on 2 Jan 2012 at 5:10

GoogleCodeExporter commented 9 years ago
I'm having the same issues, testing on a Thomson TG 787 router and using the 
latest svn.

Procedure:

airmon-ng start wlan1 11
./reaver -i mon2 -b 08:76:ff:04:a8:ea -vv -c 11 > reaver-svn-thomson-787

aireplay-ng -1 manages to authenticate successfuly with the ap.

Original comment by mikfishe...@gmail.com on 2 Jan 2012 at 5:32

Attachments:

GoogleCodeExporter commented 9 years ago
These issues are indicative of poor connectivity. 

Looking at the RSSI in the radio tap headers from both of these pcaps, you both 
have signal strengths in the -55 to -60dbm range. I would suggest getting in 
the -45dbm range or better, which you should be able to get by using a 
directional antenna and/or amplifiers.

Reaver isn't using a "reliable" protocol like TCP, it's sending and receiving 
raw EAP packets. Even if you can see the AP, you have no idea what kind of 
interference may be present at the AP's location, how sensitive its receiver 
is, how selective (or not selective...) its RF front end is, etc. Unfortunately 
this is one of the biggest drawbacks to preforming an active attack such as 
this one. I suspect that if you can get closer or increase your signal strength 
you will see better results.

Original comment by cheff...@tacnetsol.com on 2 Jan 2012 at 6:32

GoogleCodeExporter commented 9 years ago
Thanks, I'll try it closer and report.

Original comment by pah...@gmail.com on 2 Jan 2012 at 6:37

GoogleCodeExporter commented 9 years ago
I'm testing this on my router, right close to it in the same room. I've heard 
that being to much close might actually produce interference, so I'll try this 
at other distances.

Thanks.

Original comment by mikfishe...@gmail.com on 2 Jan 2012 at 6:41

GoogleCodeExporter commented 9 years ago
Let me know how it goes pahtzo. I have not tested the E3200 specifically, but 
Reaver works well with Linksys routers in general.

Original comment by cheff...@tacnetsol.com on 2 Jan 2012 at 6:46

GoogleCodeExporter commented 9 years ago
Craig, sure thing.  FWIW, I tested the other day from an IBM T42 laptop against 
a Cisco E2500 with success.

Original comment by pah...@gmail.com on 2 Jan 2012 at 7:05

GoogleCodeExporter commented 9 years ago
No luck on the E3200.  I'm in the 1 meter range.  I also tried it from a 
different laptop and hardware, also Backtrack 5, with the same errors.  I'll 
see if I can test against the known E2500 with my current set up.

Original comment by pah...@gmail.com on 2 Jan 2012 at 7:31

GoogleCodeExporter commented 9 years ago
Managed to test with another wireless card/drivers and it's working.

Btw has anyone started compiling a list of tested/vulnerable AP's?

Original comment by mikfishe...@gmail.com on 2 Jan 2012 at 7:33

GoogleCodeExporter commented 9 years ago
I have an E2500 also and it works very well for me too. I assume you're using 
the latest code from SVN? Have you tried the --win7 option? This seemed to help 
with some other APs that were having similar (but not quite identical) issues.

Original comment by cheff...@tacnetsol.com on 2 Jan 2012 at 7:35

GoogleCodeExporter commented 9 years ago
mikfisher, what wireless card and drivers did and did not work? I'll update the 
wiki with them.

pahtzo, from the pcaps it looks like you are having the exact same issues as 
mikfisher; do you have another wireless card you can try to see if it fixes 
your problems as well?

Original comment by cheff...@tacnetsol.com on 2 Jan 2012 at 8:28

GoogleCodeExporter commented 9 years ago
Craig, yes, svn r38.  I did try the --win7 option, and changing some timings as 
well, no luck.  I'll see if I can update the drivers and try again, I don't 
have a different card on hand though.  I can't imagine the codebase between 
E2500 and E3200 is all that different to cause issues.

Original comment by pah...@gmail.com on 2 Jan 2012 at 8:41

GoogleCodeExporter commented 9 years ago
@Craig Ralink 2570 USB stick using rt2500 USB driver.

Original comment by mikfishe...@gmail.com on 2 Jan 2012 at 9:06

GoogleCodeExporter commented 9 years ago
pahtzo, to confirm: using the same set-up you can attack the E2500, but not the 
E3200?

Original comment by cheff...@tacnetsol.com on 3 Jan 2012 at 12:36

GoogleCodeExporter commented 9 years ago
Craig, negative, the E2500 I was able to attack with different hardware than 
what I'm using against the E3200.  I'll have access to the E2500 at some point 
tomorrow so I'll hit it with the same hardware that's failing on the E3200.

Original comment by pah...@gmail.com on 3 Jan 2012 at 2:38

GoogleCodeExporter commented 9 years ago
FYI, I've had others report that the E3200 does implement a lock out period, 
but it is a temporary lock (reported to be 60 seconds).

Original comment by cheff...@tacnetsol.com on 4 Jan 2012 at 1:05

GoogleCodeExporter commented 9 years ago

Original comment by cheff...@tacnetsol.com on 4 Jan 2012 at 2:44

GoogleCodeExporter commented 9 years ago
I can confirm the 60 seconds/3 PINs cycle on firmware 1.0.02. I used 
--ignore-locks to overcome this using 1.3 non svn. Will try the SVN updates.

Original comment by philippe...@hotmail.com on 4 Jan 2012 at 8:29

GoogleCodeExporter commented 9 years ago
Thanks for the info on the E3200.  I'm sure this is driver related.  I have two 
identical laptops, IBM T60 with the Intel PRO/Wireless 3945ABG (rev 02) card.

Laptop A: Fedora 14 2.6.35.14-106.fc14.x86_64 kernel with the iwl3945 driver.
Laptop B: BackTrack 5 2.6.39.4 i686 kernel with the iwl3945 driver.

Laptop A has no trouble attacking the E2500.
Laptop B fails with the same symptoms as above against the same E2500.

I'll try BT5R1 64 bit and report results.

Original comment by pah...@gmail.com on 4 Jan 2012 at 8:32

GoogleCodeExporter commented 9 years ago
No prob. Might add in my info though:

BT5-32 pretty much stock running VM, RT73usb device (Hawkings).

Original comment by philippe...@hotmail.com on 4 Jan 2012 at 8:47

GoogleCodeExporter commented 9 years ago
Confirmed driver issue.  Fixed by patching BT5R1 with the latest 
compat-wireless drivers.  Instructions here: 
http://www.backtrack-linux.org/wiki/index.php/Wireless_Drivers#rt2800usb I used 
the latest compat-wireless from here: 
http://linuxwireless.org/download/compat-wireless-2.6/

So, Intel 3945ABG works fine with patched drivers on BT5R1 i686.  Thanks for 
the help all.

Original comment by pah...@gmail.com on 5 Jan 2012 at 2:48

GoogleCodeExporter commented 9 years ago
Awesome, glad it's working now. :)

Original comment by cheff...@tacnetsol.com on 5 Jan 2012 at 3:35

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Could someone please elaborate on Comment 21 and show the specific commands 
required to patch the latest compat-wireless drivers for an Intel 3945ABG on 
BT5R1? I'm having a few difficulties installing this correctly. Thanks

Original comment by tezz...@gmail.com on 19 Jan 2012 at 6:13

GoogleCodeExporter commented 9 years ago
ln -s /usr/src/linux /lib/modules/2.6.39.4/build
cd /usr/src/
wget 
http://linuxwireless.org/download/compat-wireless-2.6/compat-wireless-2011-07-14
.tar.bz2
tar jxpf compat-wireless-2011-07-14.tar.bz2  
wget http://www.backtrack-linux.org/2.6.39.patches.tar
tar xpf 2.6.39.patches.tar
cd compat-wireless-2011-07-14 
patch -p1 < ../patches/mac80211-2.6.29-fix-tx-ctl-no-ack-retry-count.patch 
patch -p1 < ../patches/mac80211.compat08082009.wl_frag+ack_v1.patch 
patch -p1 < ../patches/zd1211rw-2.6.28.patch 
patch -p1 < ../patches/ipw2200-inject.2.6.36.patch 
./scripts/driver-select
make 
make install
make wlunload

reboot your system

this should work @ the line ./scripts/driver-select you can choose a specified 
chipset but i do not do that because i have many adapters
it takes longer 
it is not sure that it will work better after that. good luck

Original comment by patricks...@gmail.com on 19 Jan 2012 at 6:22

GoogleCodeExporter commented 9 years ago
@25 Thanks for the response,I'll give it a try. I found the same help from 
http://www.backtrack-linux.org/wiki/index.php/Wireless_Drivers#rt2800usb. Am I 
correct in saying that this doesn't work when using a Backtrack Live DVD? Sorry 
if that's a stupid question!

Original comment by tezz...@gmail.com on 19 Jan 2012 at 7:12

GoogleCodeExporter commented 9 years ago
well you can not reboot your system... well it get lost because of live CD so
nothing can be destroyed. 
Ive seen a way that you do not need to reboot you load the new drivers after 
this
procedure.....
But why you do not try to install on a USB drive? If you do not want to install 
it beside of Windows so every change will persist. 

Original comment by patricks...@gmail.com on 19 Jan 2012 at 7:20

GoogleCodeExporter commented 9 years ago
I've installed to USB without any issues, thanks for the tip. However, I'm 
still having the same problems after following the commands in Comment 25.
If I use the latest compat-wireless from 
http://linuxwireless.org/download/compat-wireless-2.6/compat-wireless-2012-01-21
.tar.bz2 instead, do I use the same patch commands? To be clear, I only need 
the latest drivers for Intel 3945ABG.
Sorry again for my noobishness everyone. Just trying to get my head around the 
world of Linux drivers! Thanks for your help...

Original comment by tezz...@gmail.com on 21 Jan 2012 at 11:25

GoogleCodeExporter commented 9 years ago
@ tezz, I don't know if you need the driverspatch, you can do the compat 
installation
twice once without the patches and once with those patches and see the 
difference.
Just keep on experimenting, you will learn much moore... 

A tip if reaver does not look like it should don't watch for houres on it or 
dig too much into the OS system try other wireless adapters too see what 
happens.

Original comment by patricks...@gmail.com on 22 Jan 2012 at 8:11

GoogleCodeExporter commented 9 years ago
That makes sense. Thanks for sparing the time to help a noob like me out. 
Hopefully, I'll get there eventually! Congrats to cheffner for his work on this 
tool!

Original comment by tezz...@gmail.com on 22 Jan 2012 at 2:59