Reaver segmentation fault #6

Closed
GoogleCodeExporter opened this issue Mar 13, 2016 · 71 comments

Comments

Moved from issue #2:


Comment 20 by gorilla.maguila, Today (43 minutes ago)
This is what I get with the latest Subversion checkout:

[+] Waiting for beacon from C0:3F:0E:C1:DB:A7
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 4
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 
[+] Associated with C0:3F:0E:C1:DB:A7 
[+] Trying pin 90553301
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 
[+] Switching mon0 to channel 3
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
Segmentation fault

I'm on kernel 3.1.5 with the iwlagn driver.



Comment 21 by project member cheffner@tacnetsol.com, Today (33 minutes ago)
maguila,

I have not tested the iwlagn drivers, but since you were able to associate I'd 
suspect that injection is working properly. The failed associations and receive 
timeouts are usually an indication of poor signal strength or a lot of wireless 
interference.

The segfault is troubling though. Can you give more info on your OS?



Comment 22 by gorilla.maguila, Today (12 minutes ago)
I'm using Archlinux x64. We use almost the latest packages on everything as it 
is a rolling release distro.

I have tried running it under gdb, but I don't know why I don't get the segmentation 
fault:

$gdb ./reaver
GNU gdb (GDB) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/user/reaver-wps-read-only/src/reaver...done.
(gdb) run -i mon0 -b C0:3F:0E:C1:DB:A7 -vv
Starting program: /home/user/reaver-wps-read-only/src/reaver -i mon0 -b 
C0:3F:0E:C1:DB:A7 -vv

Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from C0:3F:0E:C1:DB:A7
[+] Switching mon0 to channel 4
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[+] Associated with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[+] Trying pin 26141367
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[+] Switching mon0 to channel 2
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
...etc

But again I get the segmentation fault without gdb.

Original issue reported on code.google.com by cheff...@tacnetsol.com on 29 Dec 2011 at 3:36


This time I managed to make it segfault under gdb with the -f 4 option:

$gdb ./reaver
GNU gdb (GDB) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/user/reaver-wps-read-only/src/reaver...done.
(gdb) run -i mon0 -b C0:3F:0E:C1:DB:A7 -f 4 -vv
Starting program: /home/user/reaver-wps-read-only/src/reaver -i mon0 -b 
C0:3F:0E:C1:DB:A7 -f 4 -vv

Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from C0:3F:0E:C1:DB:A7
[+] Associated with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[+] Trying pin 91325709
[!] WARNING: Failed to associate with C0:3F:0E:C1:DB:A7 (ESSID: ONODBA7)
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred

Program received signal SIGSEGV, Segmentation fault.
0x0000000000411556 in wps_registrar_expire_pins ()
(gdb) backtrace
#0  0x0000000000411556 in wps_registrar_expire_pins ()
#1  0x00000000004116cf in wps_registrar_get_pin ()
#2  0x0000000000412532 in wps_get_dev_password ()
#3  0x0000000000414195 in wps_registrar_get_msg ()
#4  0x0000000000406a99 in send_msg () at send.c:80
#5  0x0000000000405705 in do_wps_exchange () at exchange.c:66
#6  0x0000000000405047 in crack () at cracker.c:160
#7  0x00000000004027b1 in main (argc=8, argv=<optimized out>) at wpscrack.c:80

(gdb) farme 1
Undefined command: "farme".  Try "help".
(gdb) frame 1
#1  0x00000000004116cf in wps_registrar_get_pin ()
(gdb) kill
Kill the program being debugged? (y or n) y
(gdb) quit


Tell me what to do to continue debugging and I will be happy to help.

Best Regards

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 3:43

This bug also affects me. I'm using Arch x86-64 and iwlagn as well. Here's a 
trace with the function parameters:


#0  0x0000000000411556 in wps_registrar_expire_pins (reg=0x0) at 
wps_registrar.c:559
#1  0x00000000004116cf in wps_registrar_get_pin (reg=0x0, 
    uuid=0x6cca04 "VZ\251Ig\301L\016\252\217\363I\346\365\223\021\177\323\f\277\261h\351ٶ\244\266P", pin_len=0x7fffffffe8f0)
    at wps_registrar.c:600
#2  0x0000000000412532 in wps_get_dev_password (wps=0x6cc9e0) at 
wps_registrar.c:1000
#3  0x0000000000414195 in wps_registrar_get_msg (wps=0x6cc9e0, 
op_code=0x7fffffffe94c) at wps_registrar.c:1615
#4  0x0000000000406a99 in send_msg () at send.c:80
#5  0x0000000000405705 in do_wps_exchange () at exchange.c:66
#6  0x0000000000405047 in crack () at cracker.c:160
#7  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

I guess reg isn't supposed to be a NULL pointer.

Original comment by cos...@linux-geek.org on 29 Dec 2011 at 3:45

Thanks, gdb output is very helpful. :)

I've added null checks to the wps_registrar_expire_pins function. Can you check 
out the latest SVN code and test it to see if this fixes the issue?

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 3:54

  • Changed state: Started

reaver -i mon0 -vv -b XX:XX:XX:XX:XX:XX

Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 1
[+] Associated with 14:D6:4D:C8:94:5E (ESSID: ANONYMOUS)
[+] Trying pin 71755106
Speicherzugriffsfehler (German locale: "Segmentation fault")
root@zaunkoenig:/reaver_svn/reaver-wps-read-only/src# gdb ./reaver
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /reaver_svn/reaver-wps-read-only/src/reaver...done.
(gdb) run -i mon0 -vv -b XX:XX:XX:XX:XX:XX
Starting program: /reaver_svn/reaver-wps-read-only/src/reaver -i mon0 -vv -b 
XX:XX:XX:XX:XX:XX
Reaver v1.0 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[+] Associated with 14:D6:4D:C8:94:5E (ESSID: ANONYMOUS)
[+] Trying pin 95384153
[!] WARNING: Receive timeout occurred

Program received signal SIGSEGV, Segmentation fault.
0x00000000004118f1 in wps_registrar_unlock_pin ()
(gdb) backtrace
#0  0x00000000004118f1 in wps_registrar_unlock_pin ()
#1  0x0000000000407ca3 in wps_deinit ()
#2  0x0000000000404eba in crack () at cracker.c:205
#3  0x0000000000402575 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
(gdb) frame 1
#1  0x0000000000407ca3 in wps_deinit ()
(gdb) 



Linux anonymous 3.0.0-15-generic #24-Ubuntu SMP Mon Dec 12 15:23:55 UTC 2011 
x86_64 x86_64 x86_64 GNU/Linux

Tested chipsets and drivers:
wlan0       Intel 4965/5xxx iwlagn - [phy0]
wlan1       RTL8187     rtl8187 - [phy2]


Same results.

Original comment by schwammt...@gmail.com on 29 Dec 2011 at 3:58

Yep, same results here as well:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004116b8 in wps_registrar_get_pin ()
(gdb) backtrace
#0  0x00000000004116b8 in wps_registrar_get_pin ()
#1  0x0000000000412517 in wps_get_dev_password ()
#2  0x000000000041417a in wps_registrar_get_msg ()
#3  0x0000000000406a69 in send_msg () at send.c:80
#4  0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5  0x0000000000405017 in crack () at cracker.c:160
#6  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 4:04

Tried it again with rev 12. Same results.

Original comment by schwammt...@gmail.com on 29 Dec 2011 at 4:05

Added null checks. See if that fixed it.

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 4:10

Here is the strace.out

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 4:10

Revision 13 still crashes. Here's the backtrace:


#0  0x00000000004116b8 in wps_registrar_get_pin (reg=0x0, 
    uuid=0x6cca04 "VZ\251Ig\301L\016\252\217\363I\346\365\223\021xn\263\032\033\227\362\321P@=c", pin_len=0x7fffffffe8f0) at wps_registrar.c:608
#1  0x0000000000412582 in wps_get_dev_password (wps=0x6cc9e0) at 
wps_registrar.c:1036
#2  0x00000000004141e5 in wps_registrar_get_msg (wps=0x6cc9e0, 
op_code=0x7fffffffe94c) at wps_registrar.c:1651
#3  0x0000000000406a69 in send_msg () at send.c:80
#4  0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5  0x0000000000405017 in crack () at cracker.c:160
#6  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

Original comment by cos...@linux-geek.org on 29 Dec 2011 at 4:10

Revision 14:

#0  0x000000000041112e in wps_build_config_methods_r (reg=0x0, msg=0x6cd6a0) at 
wps_registrar.c:420
#1  0x0000000000413b42 in wps_build_m2d (wps=0x6ccd90) at wps_registrar.c:1446
#2  0x0000000000414244 in wps_registrar_get_msg (wps=0x6ccd90, 
op_code=0x7fffffffe94c) at wps_registrar.c:1668
#3  0x0000000000406a69 in send_msg () at send.c:80
#4  0x00000000004056d5 in do_wps_exchange () at exchange.c:66
#5  0x0000000000405017 in crack () at cracker.c:160
#6  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

Original comment by cos...@linux-geek.org on 29 Dec 2011 at 4:13

With rev 14 I get this:

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: ANONYMOUS)
[+] Trying pin 15878182
[!] WARNING: Receive timeout occurred
[+] Trying pin 15878182
Speicherzugriffsfehler (German locale: "Segmentation fault")


So reaver is now trying the same pin again, before the segmentation fault 
occurs.

Original comment by schwammt...@gmail.com on 29 Dec 2011 at 4:15

Added some debug printfs and put in a NULL check at a higher layer...

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 4:25

With rev 15:

[+] Waiting for beacon from C0:3F:0E:F3:9D:A3
[+] Switching mon0 to channel 6
[!] WARNING: Failed to associate with C0:3F:0E:F3:9D:A3 (ESSID: ONO9DA3)
[+] Associated with C0:3F:0E:F3:9D:A3 (ESSID: ONO9DA3)
[+] Trying pin 13030865
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] WARNING: Last message not processed properly, reverting state to previous 
message

Program received signal SIGSEGV, Segmentation fault.
0x000000000040f72f in wps_init ()
(gdb) backtrace
#0  0x000000000040f72f in wps_init ()
#1  0x00000000004063f1 in initialize_wps_data () at init.c:72
#2  0x0000000000404f33 in crack () at cracker.c:117
#3  0x00000000004027b1 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
(gdb) frame 0
#0  0x000000000040f72f in wps_init ()

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 4:30

I have tried revision 15 now. I find it weird that it fails to associate, 
because my WiFi signal is strong (-41dBm). It doesn't crash but it seems stuck 
at this point:


[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Switching mon0 to channel 1
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Trying pin 32926729
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: APNAME)
[+] Switching mon0 to channel 2
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message

Original comment by cos...@linux-geek.org on 29 Dec 2011 at 4:32

same here


[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 97035473


On revision 15, at least, no more segfaulting.

Original comment by shadow...@gmail.com on 29 Dec 2011 at 4:37

Interesting...what access point (vendor, model, version) are you testing this 
against?

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 4:39

I'm trying on a:

http://www.netgear.com/service-provider/products/routers-and-gateways/cable-gateways/CG3000_CG3100.aspx

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 4:43

By the way I know the PIN on the one I'm trying: 50459360

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 4:45

OK, first the silly question: are you sure WPS is enabled?

Second, can you provide a pcap file? Using the display filter of 'eap || eapol' 
should give you just the WPS packets.

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 4:47

I'm quite sure it's enabled, I have enabled it on the router configuration page.

But then again, it could be that I'm doing something wrong.

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 5:09

I am using a TP-LINK TL-WR1043N, having exactly the same problem.
WPS is enabled and working.

Original comment by schwammt...@gmail.com on 29 Dec 2011 at 5:13

Mine is a Linksys E4200 HW Version 1.

Original comment by cos...@linux-geek.org on 29 Dec 2011 at 5:15

From the pcap it looks like the AP maybe isn't seeing the packets? Hard to 
tell. I have tested netgears, tp-links and linksys devices, but not these 
specific models. What type of signal strength do you have, and can you move 
closer to the AP to rule this out as a potential cause?

Original comment by cheff...@tacnetsol.com on 29 Dec 2011 at 5:28


The signal is quite good, it's -38.

I'll try with a TP-LINK TL-WR1043N factory default also and see what I get.

Original comment by gorilla....@gmail.com on 29 Dec 2011 at 5:31

I can confirm I'm on 64-bit Ubuntu and having problems. I either get the 
time-out or "not processed properly" errors, but have yet to stumble upon 
"segmentation fault". Maybe I haven't run it long enough for that though.

Original comment by rtstanif...@gmail.com on 29 Dec 2011 at 8:59

I am getting the segmentation fault and therefore only one try at a PIN. I am 
on a 32-bit Ubuntu 10.04 system. I am using an Alfa USB adaptor. I have tried a 
few APs and all follow the same pattern. I have tried on reaver 1.0 and 1.1.

Hope this helps! ;-)

Original comment by stew.d...@gmail.com on 29 Dec 2011 at 9:12


Maybe this could help.

On rev 16 I've changed the build_wps_pin() function so it matches my PIN, and 
added a printf as follows:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* PIN_SIZE (8) and wps_pin_checksum() come from reaver's own headers */

char *build_wps_pin()
{
        char *key = NULL, *pin = NULL;
        int pin_len = PIN_SIZE + 1;

        pin = malloc(pin_len);
        key = malloc(pin_len);
        if(pin && key)
        {
                memset(key, 0, pin_len);
                memset(pin, 0, pin_len);

                /* Generate a 7-digit pin from the given key index values;
                 * hard-coded here to the known PIN (four digits, then three) */
                snprintf(key, pin_len, "%s%s", "2020", "656");

                /* Generate and append the pin checksum digit */
                snprintf(pin, pin_len, "%s%d", key, wps_pin_checksum(atoi(key)));

                free(key);
        }
        else
        {
                /* one allocation failed: don't hand back an uninitialized buffer */
                free(key);
                free(pin);
                pin = NULL;
        }

        /* debug output: print the pin as data, never as the format string */
        if(pin)
                printf("%s", pin);

        return pin;
}

This is the output that I get:

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from F4:EC:38:A0:4F:06
[+] Switching mon0 to channel 9
[+] Associated with F4:EC:38:A0:4F:06 (ESSID: TP-LINK_A04F06)
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Receive timeout occurred
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[+] 0.00% complete @ 0 seconds/attempt
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Receive timeout occurred
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[!] WARNING: 10 failed connections in a row
20206567[+] Trying pin 20206567
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[!] Warning: Out of order packet received, re-trasmitting last message
[+] 0.00% complete @ 0 seconds/attempt
...etc

And the pcap file:

Hope this helps

Original comment by gorilla....@gmail.com on 30 Dec 2011 at 12:07

Original comment by gorilla....@gmail.com on 30 Dec 2011 at 12:23
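
The check-digit arithmetic that the build_wps_pin() modification above relies on, as an added example in C. This is not reaver's or hostapd's code: the checksum rule is the one the WPS specification defines for eight-digit PINs, but the helper names (wps_pin_valid, wps_pin_build, wps_pin_build_matches) are my own. The split into a four-digit and a three-digit half mirrors how reaver enumerates the PIN: the AP's reply to M4 reveals whether the first half is right and its reply to M6 whether the second half is, so the worst case is 10^4 + 10^3 attempts rather than 10^7.

```c
/* Added example of the WPS PIN check digit that build_wps_pin() relies on.
 * Not reaver's or hostapd's code; the checksum rule is the one the WPS
 * specification defines for 8-digit PINs, the helper names are my own. */
#include <stdio.h>
#include <string.h>

/* Check digit over the first seven digits: from the rightmost digit,
 * alternate weights 3 and 1, then pick the digit that makes the weighted
 * sum a multiple of 10. */
unsigned wps_pin_checksum(unsigned pin7)
{
    unsigned accum = 0;
    while (pin7) {
        accum += 3 * (pin7 % 10);
        pin7 /= 10;
        accum += pin7 % 10;
        pin7 /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* 1 if an 8-digit PIN carries the right check digit, else 0. */
int wps_pin_valid(unsigned pin8)
{
    return wps_pin_checksum(pin8 / 10) == pin8 % 10;
}

/* Assemble a PIN from the two halves reaver enumerates separately: the
 * first four digits (the AP's reply to M4 tells whether they are right)
 * and the next three (the reply to M6 does the same). Writes 8 digits
 * plus NUL into out[9]. Returns 0 on success, -1 if a half is out of range. */
int wps_pin_build(unsigned first4, unsigned next3, char out[9])
{
    if (first4 > 9999 || next3 > 999)
        return -1;
    unsigned pin7 = first4 * 1000 + next3;
    snprintf(out, 9, "%07u%u", pin7, wps_pin_checksum(pin7));
    return 0;
}

/* 1 if building the PIN from the halves yields exactly the expected string. */
int wps_pin_build_matches(unsigned first4, unsigned next3, const char *expected)
{
    char pin[9];
    if (wps_pin_build(first4, next3, pin) != 0)
        return 0;
    return strcmp(pin, expected) == 0;
}

int main(void)
{
    char pin[9];
    if (wps_pin_build(2020, 656, pin) == 0)
        printf("built %s, valid=%d\n", pin, wps_pin_valid(20206567));
    return 0;
}
```

With the two PINs that appear in this thread, wps_pin_checksum(2020656) returns 7 and wps_pin_checksum(5045936) returns 0, so 20206567 and 50459360 both validate; changing any single digit of either makes wps_pin_valid() return 0.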

I can confirm that switching to 32bit Ubuntu 11.10 (with kernel 3.0) works for 
me. I was previously having trouble with 64bit Arch Linux (with kernel 3.1.5).

I have cross-compiled reaver and libpcap to 32bit on my Arch Linux system and 
that doesn't seem to make any difference.

On my Ubuntu system it cracked the WPS pin on a Linksys E4200 (HW V. 1) in 7 
hours. It doesn't seem to employ rate limiting.

Original comment by cos...@linux-geek.org on 30 Dec 2011 at 8:04

64 bit, linux 3.1, gentoo, libpcap 1.2.0

Starting program: /usr/bin/reaver -i wlan0 -b <redacted> -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from <redacted>
[+] Switching wlan0 to channel <redacted>
[+] Associated with <redacted> (ESSID: <redacted>)
[+] Trying pin 92129740
[+] Trying pin 92129740

Program received signal SIGSEGV, Segmentation fault.
0x0000003b60d2c770 in __memcpy_ssse3_back () from /lib64/libc.so.6
(gdb) bt
#0  0x0000003b60d2c770 in __memcpy_ssse3_back () from /lib64/libc.so.6
#1  0x000000000040f96c in wps_init ()
#2  0x000000000040677d in initialize_wps_data () at init.c:72
#3  0x00000000004051f3 in crack () at cracker.c:117
#4  0x0000000000402d15 in main (argc=<optimized out>, argv=<optimized out>) at 
wpscrack.c:80


The os_memcpy in wps_init does it.

Original comment by Jason.Donenfeld on 30 Dec 2011 at 12:27

Looks like structure packing causes this issue.
The main binary is compiled with -fpack-struct, but wps is not.

Original comment by chengzhicn@gmail.com on 30 Dec 2011 at 1:49

Thanks chengzhicn, I was just going through and removing -fpack-struct and 
using #pragma statements where structure packing is critical. :)

Hopefully this will fix the issue, will post when changes are checked in.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 1:58

OK, removed -fpack-struct and placed #pragma pack statements around critical 
structures. 

I am no longer receiving segfaults in BT RC1 x64 (nor BT RC1 i686, nor Ubuntu 
10.04 i686), nor am I getting the recurring timeout warnings as I was before:


root@bt:~/Desktop/src# ./reaver -i mon0 -b C0:C1:C0:A5:73:F7 -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from C0:C1:C0:A5:73:F7
[+] Switching mon0 to channel 11
[+] Associated with C0:C1:C0:A5:73:F7 (ESSID: cisco_e2500_normal_wifi)
[+] Trying pin 28475446
[+] Trying pin 44405441
[+] Trying pin 23165441
[+] Trying pin 46105448
[+] Trying pin 86945448
[+] Trying pin 27375440
[+] 0.05% complete @ 2 seconds/attempt
[+] Trying pin 89105443
[+] Trying pin 49135442
[+] Trying pin 55565448
[+] Trying pin 73005445
[+] Trying pin 84765444
[+] 0.10% complete @ 2 seconds/attempt
[+] Trying pin 66145448


Changes have been checked in, hopefully this fixes everyone's issues.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 2:25
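
chengzhicn's diagnosis and the fix described above, as an added C illustration of the mechanism. This is not reaver's code; the struct and function names are hypothetical. One translation unit sees a struct the way -fpack-struct leaves it, every field byte-packed, while another sees the natural layout with alignment padding. Both agree on the field names, so it compiles and links cleanly, but sizes and offsets differ: a pointer the caller wrote at offset 1 is read by the library from offset 8, and a memcpy of sizeof(struct) on one side runs past the allocation made on the other. That is consistent with the reg=0x0 frames and the memcpy crash inside wps_init earlier in the thread (an inference; the page does not name the reaver structs involved). The last function shows the guard that turns such a mismatch into an error instead of a crash: the caller passes the size it compiled against and the callee refuses to copy if it disagrees.

```c
/* Added illustration of a struct-packing mismatch between two translation
 * units. Not reaver code: wps_ctx_packed / wps_ctx_natural and the helper
 * functions are hypothetical, chosen to mirror the reg=0x0 traces above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout as the caller sees it, i.e. what -fpack-struct does to every
 * struct in the translation units it is applied to. */
#pragma pack(push, 1)
struct wps_ctx_packed {
    uint8_t version;
    void   *registrar;
};
#pragma pack(pop)

/* Layout as the library sees it: natural alignment, padding after version. */
struct wps_ctx_natural {
    uint8_t version;
    void   *registrar;
};

static int dummy_registrar;

size_t packed_size(void)  { return sizeof(struct wps_ctx_packed); }
size_t natural_size(void) { return sizeof(struct wps_ctx_natural); }
void  *expected_registrar(void) { return &dummy_registrar; }

/* Caller fills in the context with its (packed) layout and hands over the
 * raw bytes; returns how many bytes it wrote. */
static size_t caller_build(unsigned char *out, size_t out_len)
{
    struct wps_ctx_packed ctx;
    if (out_len < sizeof ctx)
        return 0;
    ctx.version   = 1;
    ctx.registrar = &dummy_registrar;
    memcpy(out, &ctx, sizeof ctx);
    return sizeof ctx;
}

/* Same bytes read back with the same layout: the pointer survives. */
void *caller_view_registrar(void)
{
    unsigned char raw[64] = {0};
    struct wps_ctx_packed ctx;
    if (caller_build(raw, sizeof raw) != sizeof ctx)
        return NULL;
    memcpy(&ctx, raw, sizeof ctx);
    return ctx.registrar;
}

/* Library reads the same bytes through its natural layout. The caller put
 * the pointer at offset 1; the library reads it from offset 8, where it
 * finds the pointer's top byte followed by zero fill. On little-endian
 * 64-bit Linux user space the top byte is 0, so reg comes back as NULL. */
void *library_view_registrar(void)
{
    unsigned char raw[64] = {0};
    struct wps_ctx_natural ctx;
    size_t n = caller_build(raw, sizeof raw);
    memset(&ctx, 0, sizeof ctx);
    memcpy(&ctx, raw, n < sizeof ctx ? n : sizeof ctx);
    return ctx.registrar;
}

/* The guard that would have produced an error instead of a crash: the
 * caller passes the size it compiled against, the callee copies only if
 * that matches its own idea of the struct. */
int wps_ctx_copy_checked(void *dst, size_t dst_size,
                         const void *src, size_t src_size)
{
    if (dst_size != src_size)
        return -1;                     /* ABI mismatch: refuse to copy */
    memcpy(dst, src, dst_size);
    return 0;
}

/* 1 if the guard rejects a mismatched copy and accepts a matching one. */
int copy_mismatch_rejected(void)
{
    unsigned char a[32] = {0}, b[32] = {0};
    return wps_ctx_copy_checked(a, packed_size(), b, natural_size()) == -1
        && wps_ctx_copy_checked(a, packed_size(), b, packed_size()) == 0;
}

int main(void)
{
    printf("packed %zu bytes, natural %zu bytes\n", packed_size(), natural_size());
    printf("caller's view of registrar:  %p\n", caller_view_registrar());
    printf("library's view of registrar: %p\n", library_view_registrar());
    printf("size-checked copy across the mismatch: %s\n",
           copy_mismatch_rejected() ? "rejected" : "accepted");
    return 0;
}
```

The build lesson is the one the fix applies: -fpack-struct rewrites the layout of every struct in the translation units it is given, including structs shared with code compiled without it, whereas #pragma pack placed in the header of the wire-format struct gives every side the same layout. Null checks at the call sites, as tried in revisions 13 to 15, cannot fix a field that is being read from the wrong offset.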

Great, it's working on 64 bit Ubuntu. :D

Original comment by rtstanif...@gmail.com on 30 Dec 2011 at 2:32

These are my outputs on rev 20.

At least now it is changing PINs, although I still get WARNINGs.

Thanks for your efforts

Original comment by gorilla....@gmail.com on 30 Dec 2011 at 2:54

maguila, this may be an issue with the AP. Some APs implement WPS a little 
differently and since TP-Link has "QSS" which is not exactly WPS, but is 
supposed to be compatible, I wouldn't be surprised. 

This is what the 'advanced' options are for in reaver - sometimes specifying 
different timeout periods or eap termination options (or others) can help 
alleviate compatibility issues like this. I have run reaver against other 
TP-Links, but probably not the exact model you have, so I can't say for sure.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 3:01

One silly question;

If I change the build_wps_pin() function to force it to use my PIN, shouldn't 
it work?

Anyway I also tried with the netgear with the same results.

Original comment by gorilla....@gmail.com on 30 Dec 2011 at 3:15

I'm going to download a 32-bit distro and see what I get.

Original comment by gorilla....@gmail.com on 30 Dec 2011 at 3:17

Yes, you can change build_wps_pin to always return the same pin.

Let me know if your issues are different in 32/64 bit OSs. It's working fine 
here on Backtrack 5 RC1 32 and 64 bit.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 3:46

No other verifications, positive or negative?

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 3:55

New version works for me. (Ubuntu 10.04 x64 ipw3954)

Original comment by chengzhicn@gmail.com on 30 Dec 2011 at 4:10

not for me 

BT5 R1 x64 RT3070

reaver -i mon0 -b C0:C1:C0:A5:73:F7 -vv

[+] Waiting for beacon from C0:C1:C0:A5:73:F7
[+] Switching mon0 to channel 9
[+] Associated with C0:C1:C0:A5:73:F7 
[+] Trying pin 91636102
[!] WARNING: Receive timeout occurred
Segmentation fault



Original comment by hurenhan...@googlemail.com on 30 Dec 2011 at 4:19

hurenhannes, are you using r20? I have BT5 R1 x64 working with no issues (using 
rtl8187 drivers). 

Also why is your BSSID the same as mine? :)

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 4:22

Issue 5 has been merged into this issue.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 4:23

Yes, I'm using r20. I was lazy, copy-paste... :)

I will try the x86 of BT 5 R1.

Original comment by hurenhan...@googlemail.com on 30 Dec 2011 at 5:03

Well Good News.

I tried with a 32-bit Ubuntu 11.10 under kernel 3.1.6, also with an old kernel 
2.6.34 on an x64 system, and also with an Atheros device with the ath5k driver, 
and I was getting the same results. So it seems it's AP related.

Original comment by gorilla....@gmail.com on 30 Dec 2011 at 5:06

Great news!

All is working... issues are cleared...
Waiting to see the end result (guessed pin :)))


Thanks

Original comment by ianc...@gmail.com on 30 Dec 2011 at 5:07

Awesome! These changes are in release 1.2. I'm waiting to hear back from 
hurenhannes before closing the ticket, as he seems to still be having issues.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 5:16


Nothing heard back from hurenhannes; by all other accounts and testing, the seg 
fault is fixed, closing ticket.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 9:16

  • Changed state: Fixed

Issue 36 has been merged into this issue.

Original comment by cheff...@tacnetsol.com on 2 Jan 2012 at 12:57

I am running reaver version 1.4 and the issue is still occurring; 
sometimes it crashes with an Aborted message.

Original comment by jokesare...@gmail.com on 27 Oct 2013 at 12:15
