import reaver

Reaver implements a brute force attack against Wifi Protected Setup
(WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as
described in Brute forcing Wi-Fi Protected Setup When poor design meets
poor implementation. by Stefan Viehboeck.  Reaver has been designed to
be a robust and practical attack against Wi-Fi Protected Setup (WPS)
registrar PINs in order to recover WPA/WPA2 passphrases and has been
tested against a wide variety of access points and WPS implementations.
Depending on the target's Access Point (AP), to recover the plain text
WPA/WPA2 passphrase the average amount of time for the transitional
online brute force method is between 4-10 hours. In practice, it will
generally take half this time to guess the correct WPS pin and recover
the passphrase. When using the offline attack, if the AP is vulnerable,
it may take only a matter of seconds to minutes.

feedback and OK already some time ago sthen@, gonzalo@

security/reaver/Makefile

@@ -0,0 +1,30 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2019/04/16 20:45:43 sebastia Exp $
+
+COMMENT =	online brute force WPS PINs
+
+VERSION =	1.6.5
+GH_ACCOUNT =	t6x
+GH_PROJECT =	reaver-wps-fork-t6x
+GH_TAGNAME =	v${VERSION}
+PKGNAME =	reaver-${VERSION}
+
+CATEGORIES =	security net
+
+MAINTAINER =	Sebastian Reitenbach <sebastia@openbsd.org>
+
+# GPLv2 or later
+PERMIT_PACKAGE_CDROM =	Yes
+
+WANTLIB +=	c m pcap
+
+USE_GMAKE =	Yes
+RUN_DEPENDS =	security/pixiewps
+
+CONFIGURE_STYLE = gnu
+
+WRKSRC=		${WRKDIST}/src
+
+post-install:
+	${INSTALL_MAN} ${WRKDIST}/docs/reaver.1 ${PREFIX}/man/man1/
+
+.include <bsd.port.mk>

security/reaver/distinfo

@@ -0,0 +1,2 @@
+SHA256 (reaver-wps-fork-t6x-1.6.5.tar.gz) = 5nYdLU75yytF/gpg1rlASM5EQuSsIJkE/olQb/HpTEQ=
+SIZE (reaver-wps-fork-t6x-1.6.5.tar.gz) = 479441

security/reaver/patches/patch-src_80211_c

@@ -0,0 +1,27 @@
+$OpenBSD: patch-src_80211_c,v 1.1.1.1 2019/04/16 20:45:43 sebastia Exp $
+
+radio_tap header is somehow automatically included in OpenBSD, so no
+need to construct and account for it
+
+Index: src/80211.c
+--- src/80211.c.orig
++++ src/80211.c
+@@ -321,7 +321,7 @@ static void deauthenticate(void)
+         dot11_frame_len = build_dot11_frame_header(&dot11_frame, FC_DEAUTHENTICATE);
+ 	packet_len = radio_tap_len + dot11_frame_len + DEAUTH_REASON_CODE_SIZE;
+ 
+-	unsigned char packet[sizeof radio_tap + sizeof dot11_frame + DEAUTH_REASON_CODE_SIZE];
++	unsigned char packet[sizeof dot11_frame + DEAUTH_REASON_CODE_SIZE];
+ 	assert(sizeof packet == packet_len);
+ 
+ 	memcpy(packet, &radio_tap, radio_tap_len);
+@@ -347,8 +347,7 @@ static void authenticate(void)
+ 
+ 	packet_len = radio_tap_len + dot11_frame_len + management_frame_len;
+ 
+-	unsigned char packet[ sizeof (struct radio_tap_header)
+-			    + sizeof (struct dot11_frame_header)
++	unsigned char packet[sizeof (struct dot11_frame_header)
+ 			    + sizeof (struct authentication_management_frame)];
+ 
+ 	assert(packet_len == sizeof packet);

security/reaver/patches/patch-src_builder_c

@@ -0,0 +1,17 @@
+$OpenBSD: patch-src_builder_c,v 1.1.1.1 2019/04/16 20:45:43 sebastia Exp $
+
+no need to build radio_tap_header on OpenBSD, it's 
+automatically there and just fine
+
+Index: src/builder.c
+--- src/builder.c.orig
++++ src/builder.c
+@@ -36,6 +36,8 @@
+ 
+ size_t build_radio_tap_header(struct radio_tap_header *rt_header)
+ {
++	// Seems we don't really need that
++	return 0;
+ 	memcpy(rt_header, "\0\0" "\x08\0" "\0\0\0\0", 8);
+ 	return sizeof(*rt_header);
+ }

security/reaver/patches/patch-src_config_mak_in

@@ -0,0 +1,13 @@
+$OpenBSD: patch-src_config_mak_in,v 1.1.1.1 2019/04/16 20:45:43 sebastia Exp $
+
+Index: src/config.mak.in
+--- src/config.mak.in.orig
++++ src/config.mak.in
+@@ -1,6 +1,6 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-CONFDIR=@localstatedir@/lib/@target@
++CONFDIR=@localstatedir@/@target@
+ 
+ CC=@CC@
+ CFLAGS_USER=@CFLAGS@

security/reaver/patches/patch-src_iface_c

@@ -0,0 +1,34 @@
+$OpenBSD: patch-src_iface_c,v 1.1.1.1 2019/04/16 20:45:43 sebastia Exp $
+
+Index: src/iface.c
+--- src/iface.c.orig
++++ src/iface.c
+@@ -32,14 +32,18 @@
+  */
+ 
+ #include "iface.h"
++#ifndef __OpenBSD__
+ #include "lwe/iwlib.h"
++#else
++#include <sys/wait.h>
++#endif
+ #include "globule.h"
+ #include <net/if.h>
+ #include <netinet/in.h>
+ #include <sys/ioctl.h>
+ #include <stdlib.h>
+ 
+-#if defined(__FreeBSD__) || defined(__APPLE__)
++#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__OpenBSD__)
+ #include <ifaddrs.h>
+ #include <net/if_dl.h>
+ int read_iface_mac() {
+@@ -141,7 +145,7 @@ int next_channel()
+ }
+ 
+ /* Sets the 802.11 channel for the selected interface */
+-#ifdef __APPLE__
++#if defined (__APPLE__) || defined (__OpenBSD__)
+ int change_channel(int channel)
+ {
+ 	cprintf(VERBOSE, "[+] Switching %s to channel %d\n", get_iface(), channel);

security/reaver/patches/patch-src_lwe_iwlib_h

@@ -0,0 +1,18 @@
+$OpenBSD: patch-src_lwe_iwlib_h,v 1.1.1.1 2019/04/16 20:45:43 sebastia Exp $
+
+Index: src/lwe/iwlib.h
+--- src/lwe/iwlib.h.orig
++++ src/lwe/iwlib.h
+@@ -33,7 +33,12 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <netdb.h>		/* gethostbyname, getnetbyname */
++#ifndef __OpenBSD__
+ #include <net/ethernet.h>	/* struct ether_addr */
++#else
++#include <net/if_arp.h>
++#include <netinet/if_ether.h>	/* struct ether_addr */
++#endif
+ #include <sys/time.h>		/* struct timeval */
+ #include <unistd.h>
+ 

security/reaver/pkg/DESCR

@@ -0,0 +1,13 @@
+Reaver implements a brute force attack against Wifi Protected Setup
+(WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as
+described in Brute forcing Wi-Fi Protected Setup When poor design meets
+poor implementation. by Stefan Viehboeck.  Reaver has been designed to
+be a robust and practical attack against Wi-Fi Protected Setup (WPS)
+registrar PINs in order to recover WPA/WPA2 passphrases and has been
+tested against a wide variety of access points and WPS implementations.
+Depending on the target's Access Point (AP), to recover the plain text
+WPA/WPA2 passphrase the average amount of time for the transitional
+online brute force method is between 4-10 hours. In practice, it will
+generally take half this time to guess the correct WPS pin and recover
+the passphrase. When using the offline attack, if the AP is vulnerable,
+it may take only a matter of seconds to minutes.

security/reaver/pkg/PLIST

@@ -0,0 +1,6 @@
+@comment $OpenBSD: PLIST,v 1.1.1.1 2019/04/16 20:45:43 sebastia Exp $
+@bin bin/reaver
+@bin bin/wash
+@extraunexec rm -f ${LOCALSTATEDIR}/reaver/*
+@man man/man1/reaver.1
+@sample ${LOCALSTATEDIR}/reaver/