encountered an AP that turned off WPS completely after a couple of
NACK-interrupted attempts.
reaver then went into an endless loop trying to figure out whether
it is locked.
it seems some badly written drivers require/expect to see some
TX capability flags in the radiotap header.
this was discovered by a study of aircrack-ng commit history
(which turned out to be very annoying because the current build
system maintainer @jbenden seems to love to move files from one
directory to the other, apply automatic code formatting programs
etc., which limits the usability of git log/git history very much ...)
the interesting commit in aircrack-ng is
commit 47743c161800721d9c09d3fe4ba7e457360f7fe5
Author: Gábor Stefanik <netrolller.3d@gmail.com>
Date: Mon Dec 15 16:22:19 2008 +0000
Set the proposed F_TX_NOACK and F_TX_NOSEQ flags in the TX radiotap header. (Kernel patch to handle these flags in mac80211 coming soon.)
the code is prepared to additionally allow usage of a TX rate
field, which aircrack-ng uses as well and even sets it to
the rate of the current adapter. Hopefully this will turn
out to not be required.
unfortunately during reaver development it was decided to
use a struct radio_tap_header even for sending of packets,
rather than just using raw bytes, which complicates any
changes to it.
there's also libwps/libwps.h which uses its own copy of the
struct, though fortunately only for the code inside libwps.c,
and only for reading purposes. therefore it was left untouched.
addressing #279
in file replay mode (-f), there is no scanned channel, therefore
APs might come out with channel 0 if they don't have a tagged IE
with the channel number. we now take it from radiotap header, if
existing. FIXME fixed.
when pcap-file output for interesting packets for reaver was added in
fd5dc9590a, only reaver itself properly initialized
the output fd to -1. wash however didn't initialize it, so it was still
0 from the memset of the globule struct, which caused packets with wrong FCS to
be dumped to stdin, where it eventually produced garbled output on the tty.
this fixes wash output with some broken mac drivers that only sporadically have
correct packets in monitor mode.
even though most drivers on linux properly work with rfmon turned on, a few
badly written ones create issues:
issue #202 : rfmon mode causes additional interfaces to appear
issue #265 : issues with RTL8812AU hackjob driver
argsparser.c: deleted 'set_key_status(KEY2_WIP)' for fixing the key status
because do_wps_exchange() will do it.
keys.c: 'get_k1_key_index()' and 'get_k2_key_index()' are for getting
the index of k1[] and k2[] respectively.
pinc.c: the deleted lines are for not creating an invalid-format .wpc file.
pinc.c: the new lines are for generating a .wpc file with the first half
and second half of the specified PIN in first position.
the packets we send have a minimalistic radiotap header without
additional flags set in presentflags. it was previously wrongly
assumed that lack of those flags would imply the FCS checksum has
to be appended at the end of the packet, but that is not the case.
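The three radiotap fields these commits touch (the flags byte with its FCS bit, the channel field wash now falls back to in -f mode, and the TX flags aircrack-ng sets) can be read back with a small header walker like the one below; this is an added example written for this page, not reaver's or aircrack-ng's code, and the `rt_` names plus the sample headers are this example's own assumptions.

```c
/* Walk a radiotap header and extract the flags, channel and TX-flags fields.
 * Added example for this page, not reaver's or aircrack-ng's code; rt_ names
 * are this example's own. Fields are little-endian, each aligned to its
 * natural size measured from the start of the header. */
#include <stdint.h>
#include <stddef.h>
#define RT_FLAGS     1     /* present bit: 1-byte flags field           */
#define RT_CHANNEL   3     /* present bit: u16 frequency + u16 flags    */
#define RT_TX_FLAGS  15    /* present bit: u16 TX flags                 */
#define RT_EXT       31    /* present bit: another present word follows */
#define RT_F_FCS     0x10  /* flags value: frame ends with a 4-byte FCS */

struct rt_info {
    int has_fcs;       /* 1 only when the flags field says FCS is appended */
    int channel;       /* channel from the frequency field, 0 if absent    */
    unsigned tx_flags; /* raw TX flags field, 0 if absent                  */
    size_t header_len; /* offset at which the 802.11 frame starts          */
};
/* alignment and size of present bits 0..21 per the radiotap field list */
static const uint8_t rt_align[] = {8,1,1,2,2,1,1,2,2,2,1,1,1,1,2,2,1,1,4,1,4,2};
static const uint8_t rt_size[]  = {8,1,1,4,2,1,1,2,2,2,1,1,1,1,2,2,1,1,8,3,8,12};

static int freq_to_channel(unsigned mhz) {
    if (mhz == 2484) return 14;
    if (mhz >= 2412 && mhz <= 2472) return (int)(mhz - 2407) / 5;
    if (mhz >= 5000 && mhz <= 5900) return (int)(mhz - 5000) / 5;
    return 0;
}
/* Returns 0 on success, -1 if the header is truncated, has an unknown
 * version, uses an extended present word, or a field this table lacks. */
int parse_radiotap(const uint8_t *buf, size_t len, struct rt_info *out) {
    struct rt_info r = {0, 0, 0, 0};
    if (len < 8 || buf[0] != 0) return -1;
    size_t hlen = buf[2] | (buf[3] << 8);
    if (hlen < 8 || hlen > len) return -1;
    uint32_t present = buf[4] | (buf[5] << 8) | (buf[6] << 16) | ((uint32_t)buf[7] << 24);
    if (present & (1u << RT_EXT)) return -1;
    size_t pos = 8;
    for (int bit = 0; bit < RT_EXT; bit++) {
        if (!(present & (1u << bit))) continue;
        if (bit >= (int)sizeof rt_size) return -1;
        pos = (pos + rt_align[bit] - 1) & ~(size_t)(rt_align[bit] - 1);
        if (pos + rt_size[bit] > hlen) return -1;
        if (bit == RT_FLAGS) r.has_fcs = (buf[pos] & RT_F_FCS) != 0;
        else if (bit == RT_CHANNEL) r.channel = freq_to_channel(buf[pos] | (buf[pos + 1] << 8));
        else if (bit == RT_TX_FLAGS) r.tx_flags = buf[pos] | (buf[pos + 1] << 8);
        pos += rt_size[bit];
    }
    r.header_len = hlen;
    *out = r;
    return 0;
}
```

A header with no flags field parses with `has_fcs == 0`, which is the point of the last commit: absence of the field does not imply an FCS is present.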