a small tool to be used as a frontend to pixiewps to do a smart series of
short timespan checks when the initial run fails, before finally doing a
full --force run.
additionally, it supports an option -u where the caller can pass the timestamp
contained in the AP's last beacon packet before the attack, which practically
gives us already the exact seed when we guess the router reset date correctly.
theoretically, we could just pass a range of ~60 seconds around the guessed
date and would hit it with huge likelyhood. however pixiewps needs a relatively
big amount of time to get the cracking started, so effectively the amount of
time needed to scan for a whole month isn't much longer than for a few seconds.
a future version of reaver might automatically supply that uptime timestamp.
in my personal setup, i renamed the pixiewps binary to pixie-core, and compile
the program with the CPPFLAGS=-DPIXIE_BIN=\"pixie-core\", then rename pixie-
wrapper to pixiewps itself, so this is what gets called by reaver.
Because of the modulo trick the current glibc PRNG version doesn't work for seed == 0x7fffffff or seed == 0xfffffffe.
The former is used only if the user specifically uses --start / --end 02/2038. The latter is never used as negative values are not legal for time.
In any case a compilation guard (PWPS_UNERRING) has been added for correctness to make the PRNG spit correct values even for those 2 seeds.
On my laptop the difference with these new changes, compared to the older code is more than 4x faster. The code was tested on ~10 different data sets and seems to work fine.
The code is based on a precomputed initial seed table, instead of re-seeding from scratch everytime the whole state. On my x86 test machine this new code seems to be ~60% faster.
Some further testing and tuning may be needed.
Credits to @1yura.
This reverts commit e552d93a50.
Usign GCC version 5.4.0 20160609 the code was 3 times slower (probably due to missing inlining and other optimizations). The binary was also >15kB bigger.
sources list created via
make clean ; make CC=gcc LDFLAGS="-Wl,--gc-sections" CFLAGS="-O -ffunction-sections"
readelf -a pixiewps | grep '\.c' | awk '{print "./" $8 " \\"}' > tfm_used.txt
and some manual cleanups.
we can disable highly optimized mul/sqr operations for about 30% speed
decrease but saving a lot in binary size.
only build the files necessary by including an explicit list of filenames
rather than doing a wildcard over tfm/*.c.
compiling with tinycc, we get:
fp_montgomery_reduce.c:510: error: invalid clobber register '%rax'
disabling asm pulls in a couple new files, adding them too.
Added casts to u32 for 'rcons' and 'Td4s' which are of type uint8_t*, so their elements, before being shifted, are promoted to int (not to unsigned int) unless explicitly casted, due to integer promotion rules of the C language.
This caused the "left shift of * by 24 places cannot be represented in type 'int'" error when compiling with GCC's -fsanitize=undefined.
The code is from an old version of wpa_supplicant/hostapd.
Victor Golovanenko
rofl0r
rofl0r
wiire-a