fragattacks/research/README.md

550 lines
29 KiB
Markdown
Raw Normal View History

2020-06-19 23:49:39 -04:00
# Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation
2020-04-15 13:43:28 -04:00
## Introduction
Our attacks affect all Wi-Fi networks. Note that the recent WPA3 specification only introduced
a new authentication method, but its encryption ciphers (CCMP and GCMP) are identical to WPA2.
Because of this, our attack is identical against WPA2 and WPA3 networks.
Older WPA networks by default use TKIP for encryption, and the applicability of our attacks
against this cipher is discussed in the paper. Out of completeness, and to illustrate that Wi-Fi
has been vulnerable since its creation, the paper also briefly discusses the applicability of
our results against WEP.
2020-05-23 20:39:15 -04:00
## Supported Network Cards
Only specific wireless network cards are supported. This is because some network cards may overwrite the
sequence number of injected frames, may overwrite the fragment number, or reorder frames of different priority,
and this interferes with our scripts (i.e. our script might incorrectly say a device is secure although it's not).
We have confirmed that the following network cards work properly with our scripts:
2020-06-27 09:27:46 -04:00
| Network Card | USB | 5GHz | mixed mode | injection mode | hwsim mode (experimental) |
| ---------------------- | --- | ---- | ----------------------- | ----------------------- | ------------------------- |
2020-07-22 07:50:06 -04:00
| Intel Wireless-AC 8265 | No | Yes | patched driver | yes | _under development_ |
| Intel Wireless-AC 3160 | No | Yes | patched driver | yes | _under development_ |
| Technoethical N150 HGA | Yes | No | patched driver/firmware | patched driver/firmware | _under development_ |
| TP-Link TL-WN722N v1.x | Yes | No | patched driver/firmware | patched driver/firmware | _under development_ |
| Alfa AWUS036NHA | Yes | No | patched driver/firmware | patched driver/firmware | _under development_ |
| Alfa AWUS036ACM | Yes | Yes | patched driver | yes | _under development_ |
| Alfa AWUS036ACH | Yes | Yes | **TODO** | **TODO** | _under development_ |
| Netgear WN111v2 | Yes | No | patched driver | yes | _under development_ |
With patched drivers:
1. Test mixed mode in client and AP
2. Test injection mode
3. Test hwsim mode against as client and AP
Without patched drivers: perform exactly the same steps.
2020-06-27 09:27:46 -04:00
**TODO: Verify 5 GHz and test it in practice.**
**TODO: No longer recommend Virtual Machine, but instead show whether it supports 5GHz?**
**TODO: AWUS036ACM `iw set wlanX monitor active` in injection mode (but in mixed mode that crashes)**
2020-05-23 20:39:15 -04:00
2020-06-28 04:55:11 -04:00
**TODO: Always recommend running our backported drivers to assure there are not unexpected regressions?**
2020-05-23 20:39:15 -04:00
The three last colums signify:
2020-06-19 23:49:39 -04:00
1. Injection mode: whether the network card can be used as a second interface to inject frames in [injection mode](#Injection-mode).
2020-05-23 20:39:15 -04:00
2020-06-19 23:49:39 -04:00
2. Mixed mode: whether the network card can be used in [mixed mode](#Mixed-mode).
2020-05-23 20:39:15 -04:00
2020-06-19 23:49:39 -04:00
3. Hwsim mode: whether the network card can be used in [hwsim mode](#Hwsim-mode).
2020-05-23 20:39:15 -04:00
2020-06-19 23:49:39 -04:00
_Yes_ indicates the card works out-of-the-box in the given mode. _Patched driver/firmware_
means that the card is compatible when used in combination with patched drivers (and/or firmware).
2020-06-19 23:49:39 -04:00
_As client_ means the mode only works when the test script is acting as a client (i.e. you
when are testing an AP). _No_ means this mode is not supported.
2020-05-23 20:39:15 -04:00
We recommend the use of the Technoethical N150 HGA in either injection mode or mixed mode. This deivce
2020-05-23 20:39:15 -04:00
requires the use of a patched driver and firmware, but since it's a USB dongle this can be
configured inside a virtual machine. When using Virtual Box, we recommend to configure the VM to
use a USB2.0 (OHCI + ECHI) controller, because we found the USB3.0 controller to be unreliable.
During our own tests, the AWUS036ACM dongle is supported by Linux, but at times was not correctly
recognized during our experiments. It may be necessairy to use a recent Linux kernel, and manually
executing `sudo modprobe mt76x2u` to load the driver.
2020-07-22 07:50:06 -04:00
**Unstable when used on a USB3.0 port. Otherwise works fine. VM must also use USB2.0 port.**
2020-06-19 23:49:39 -04:00
2020-07-22 07:50:06 -04:00
The AWUS036ACH was tested on Kali Linux after installing the driver using the instructions on
[https://github.com/aircrack-ng/rtl8812au](GitHub). Before pluggin in the device, you must
execute `modprobe 88XXau rtw_monitor_retransmit=1`. Once our changes have been accepted
upstream you can instead simply install the driver using `sudo apt install realtek-rtl88xxau-dkms`.
Note that this device is generally not supported by default in most Linux distributions and
requires manual installation of drivers.
2020-05-23 20:39:15 -04:00
We tested the Intel AX200 as well and found that it is _not_ compatible with our tool: its firmware
crashes after sending a fragmented frame.
If you are unable to find one of the above network cards, you can search for [alternative network cards](#Alternative-network-cards)
that have a high chance of also working. When using a network card that is not explicitly support,
we strongly recommend to first run the [injection tests](#Network-card-injection-test).
2020-06-13 12:41:30 -04:00
2020-05-23 20:39:15 -04:00
## Prerequisites
2020-05-27 02:45:46 -04:00
Our scripts were tested on Kali Linux and Ubuntu 20.04. To install the required dependencies, execute:
2020-05-23 20:39:15 -04:00
# Kali Linux and Ubuntu
sudo apt-get update
2020-07-22 07:50:06 -04:00
sudo apt-get install libnl-3-dev libnl-genl-3-dev libnl-route-3-dev libssl-dev \
libdbus-1-dev git pkg-config build-essential macchanger net-tools python3-venv \
aircrack-ng firmware-ath9k-htc rfkill
2020-05-23 20:39:15 -04:00
Now clone this repository, build the tools, and configure a virtual python3 environment:
2020-06-19 23:49:39 -04:00
# **Self note: replace with real HTTP unauthenticated link on release**
git clone https://gitlab.com/aconf/wifi.git fragattack --recursive
cd fragattack
2020-05-23 20:39:15 -04:00
./build.sh
cd research
python3 -m venv venv
source venv/bin/activate
2020-05-27 02:45:46 -04:00
pip install wheel
2020-05-23 20:39:15 -04:00
pip install -r requirements.txt
2020-07-22 07:50:06 -04:00
By default the above instructions only have to be executed once. You have to execute
**`./build.sh` again after pulling in new code using git**.
2020-05-23 20:39:15 -04:00
2020-05-27 02:45:46 -04:00
## Patched Drivers
Install patched drivers:
sudo apt-get install bison flex linux-headers-$(uname -r)
2020-06-19 23:49:39 -04:00
# **Self note: replace with real HTTP unauthenticated link on release instead of separate directory**
cd driver-backports-5.7-rc3-1
2020-05-27 02:45:46 -04:00
make defconfig-experiments
make -j 4
sudo make install
2020-07-22 07:50:06 -04:00
Install patched `ath9k_htc` firmware:
2020-05-27 02:45:46 -04:00
cd research/ath9k-firmware/
2020-07-22 07:50:06 -04:00
./install.sh
# Now reboot
The `./install.sh` script assumes the `ath9k_htc` firmware images are located in the
directory `/lib/firmware/ath9k_htc`. If this is not the case on your system you have
to manually copy the `htc_7010.fw` and `htc_9271.fw` to the appropriate directory.
2020-05-27 02:45:46 -04:00
If you Wi-Fi donle already is plugged in, unplug it. After installing the patched drivers
and firmware you must reboot your system. The above instructions have to be executed again
if your Linix kernel ever gets updated.
2020-05-27 02:45:46 -04:00
2020-05-23 20:39:15 -04:00
## Before every usage
Every time you want to use the script, you first have to load the virtual python environment
as root. This can be done using:
cd research
2020-05-23 20:39:15 -04:00
sudo su
source venv/bin/activate
You should now disable Wi-Fi in your network manager so it will not interfere with our scripts.
Also make sure no other network services are causing outgoing traffic. You can assure this by
using iptables rules by executing `./droptraffic.sh` (you can revert this by rebooting). Optionally
check using `sudo airmon-ng check` to see which other processing might interfere.
2020-05-23 20:39:15 -04:00
Our script can test both clients and APs:
2020-06-19 23:49:39 -04:00
- Testing APs: **configure the AP you want to test** by editing `research/client.conf`. This is a
standard `wpa_supplicant` configuration file, see the [hostap documentation] on how to edit it.
2020-05-23 20:39:15 -04:00
- Testing clients: you must execute the script with the extra `--ap` parameter. This instructs
the script into creating an AP with as name **testnetwork** and password **abcdefgh**. Connect
2020-06-19 23:49:39 -04:00
to this network with the client you want to test. By default the client must request an IP
using DHCP. To edit properties of the created AP, such as the channel it's created on, you
2020-05-23 20:39:15 -04:00
can edit `research/hostapd.conf`.
2020-06-19 23:49:39 -04:00
## Testing Modes
2020-05-23 20:39:15 -04:00
2020-06-19 23:49:39 -04:00
### Injection mode
2020-05-23 20:39:15 -04:00
2020-06-19 23:49:39 -04:00
This mode requires two wireless network cards: one will act as an AP or the client, and the other
one will be used to inject frames. Execute the script in this mode using:
2020-05-23 20:39:15 -04:00
./fragattack wlan0 --inject wlan1 [--ap] $COMMAND
Here interface wlan0 will act as a legitimate client or AP, and wlan1 will be used to inject
2020-06-19 23:49:39 -04:00
frames. For wlan0, any card that supports normal client or AP mode on Linux can be used. For
wlan1, a card must be used that supports injection mode according to [Supported Network Cards](#Supported-Network-Cards).
2020-05-23 20:39:15 -04:00
2020-05-27 02:45:46 -04:00
In case the tests do not seem to be working, you can confirm that injection is properly working using:
./test-injection wlan1 wlan0
This will script will inject frames using interface wlan1, and uses wlan0 to check if frames are
properly injected. Note that both interfaces need to support monitor mode for this script to work.
**TODO: First test a normal ping. Frames may not arrive because the target is sleeping!**
2020-05-23 20:39:15 -04:00
### Mixed mode
2020-06-19 23:49:39 -04:00
This mode requires only one wireless network card. This disadvantage is that this mode requires a patched
driver and/or firmware, and that only a small amount of network cards are supported. Execute the script
in this mode using:
2020-05-23 20:39:15 -04:00
./fragattack wlan0 [--ap] $COMMAND
2020-06-19 23:49:39 -04:00
See [Supported Network Cards](#Supported-Network-Cards) for network cards that support this mode.
For most network cards, this mode requires the installation of modified drivers and/or firmware.
See [Patched Drivers](#Patched-Drivers) on how to install our patched drivers/firmware.
### Hwsim mode
This mode is experimental and only for research purposes. See [hwsim mode details](#Hwsim-mode-details)
for more information.
## Testing for Vulnerabilities
Before testing for vulnerabilities we recommand to execute the first five commands in the table
below. The first command performs a normal ping and can be used to confirm that the test setup
works. The second performs a fragmented ping, and the third can be used to determine how time-
sensitive attacks against the device would be.
The commands that test for vulnerabilities are grouped by their type along with a reference to
the paper in which section the vulnerability is explained.
| Command | Short description
| -------------------------------- | ---------------------------------
| `ping I,E` | Send a normal ping
| `ping I,E,E` | Send a normal fragmented ping
| `ping I,E,E --delay 5` | Send a normal fragmented ping with a 5 second delay between fragments
| `ping-frag-sep` | Send a normal fragmented ping with fragments separated by another frame
| <div align="center">*A-MSDU attacks (Section 3)*</div>
| `ping I,E --amsdu` | Send a normal ping encapsulated in a normal A-MSDU frame.
| `ping I,E,E --amsdu` | Send a normal ping an a fragmented A-MSDU frame.
| `amsdu-inject` | Send a valid A-MSDU frame whose start is also a valid LLC/SNAP header.
| `amsdu-inject linux` | Same as above, but works against targets that incorrectly parse the frame.
| <div align="center">*Mixed key attacks (Section 4)*</div> |
| `ping I,R,BE,AE` | Inject two fragments encrypted under a different key.
| `ping I,R,BE,AE --pn-per-qos` | Same as above, but also works if the target only accepts consecutive fragments.
| <div align="center">*Cache attacks (Section 5)*</div> |
| `ping I,E,C,AE` | Inject a fragment then reconnect (as client _reassociate_) and inject second fragment.
2020-06-19 23:49:39 -04:00
| `ping I,E,C,E` | Same as above, but with a longer delay before sending the second fragment.
| `ping I,E,C,AE --full-reconnect` | Inject a fragment, reconnect, then inject second fragment.
| `ping I,E,C,E --full-reconnect` | Same as above, but with a longer delay before sending the second fragment.
| <div align="center">*Non-consecutive (Section 6.2)*</div> |
| `ping I,E,E --inc-pn 2` | Send a fragmented ping with non-consecutive packet numbers.
| <div align="center">*Mixed plain/enc (Section 6.3)*</div> |
| `ping I,E,P` | Send a fragmented ping: first fragment encrypted, second fragment in plaintext.
| `ping I,P,E` | Send a fragmented ping: first fragment in plaintext, send fragment encrypted.
| `ping I,P` | Send a plaintext ping.
| `ping I,P,P` | Send a fragmented ping: both fragments are sent in plaintext.
| `linux-plain` | Mixed plaintext/encrypted fragmentation attack specific to Linux.
| <div align="center">*EAPOL forwarding (Section 6.4)*</div> |
| `eapol-inject 00:11:22:33:44:55` | Test if the AP forwards EAPOL frames before being connected.
| <div align="center">*Broadcast fragments (Section 6.7)*</div> |
| `ping I,D,P --bcast-ra` | Send ping in a 2nd plaintext broadcasted fragment.
| <div align="center">*EAPOL A-MSDUs (Section 6.8)*</div> |
| `eapol-amsdu BB` | Send A-MSDU frame disguised as EAPOL frame. Use tcpdump to check if vulnerable.
| `eapol-amsdu I,CC` | Same as above, except the frame is injected after obtaining an IP.
| `eapol-amsdu M,BB` | Send a malformed A-MSDU disguised as EAPOL. Use tcpdump to check if vulnerable.
| `eapol-amsdu M,I,CC` | Same as above, except the frame is injected after obtaining an IP.
Notable remarks:
- `ping I,E,E --delay 5`: this test is used to check the maximum accepted delay between two fragments.
If the default test doesn't work, try with `--delay 1.5` or lower. In case the maximum accepted delay
is low, this may impact other tests. In particular, all fragments sent in other tests must be sent
within the maximum delay, otherwise the test will trivially fail (and you might conclude a device
isn't vulnerable to an attack even though it might be).
- _Mixed key attacks_: When running the mixed key test against an AP, the AP must be configured to
regularly renew the PTK by executing a new 4-way handshake (e.g. every 30 seconds or minute). Against
a low number of APs, the client can also request the AP to renew the PTK. This can be done by adding
the `--rekey-request` parameter.
Home routers with a MediaTek driver will perform the rekey handshake in plaintext. To test these
devices, also add the `--rekey-plaintext` parameter.
Certain clients install the key too early during a pairwise session rekey. To test these devices,
add the `--rekey-early-install` parameter and retry the test.
2020-06-28 04:55:11 -04:00
### Checklist
2020-06-19 23:49:39 -04:00
In case the script doesn't appear to be working, check the following:
2020-06-27 09:27:46 -04:00
1. Check that no other process is using the network card (e.g. kill your network manager).
2020-06-19 23:49:39 -04:00
2020-06-27 09:27:46 -04:00
2. Check that you are using modified drivers if needed for your wireless network card.
2020-06-28 04:55:11 -04:00
If you updated your kernel, you will need to recompile and reinstall the drivers.
2020-06-19 23:49:39 -04:00
2020-06-27 09:27:46 -04:00
3. Check that you are using modified firmware if needed for your wireless network card.
2020-06-19 23:49:39 -04:00
2020-06-28 04:55:11 -04:00
4. Assure the device you are testing doesn't enter sleep mode (causing it to miss injected frames).
**Or use a compatible device in mixed mode?**
2020-06-27 09:27:46 -04:00
2020-06-28 04:55:11 -04:00
5. Run the [injection tests](#Network-card-injection-test) to make sure injection is working properly.
6. Check that you machine isn't generating background traffic that interferes with the tests. In
particular, disable networking in your OS, manually kill your DHCP client/server, etc. See
also [Before every usage](#before-every-usage).
2020-06-19 23:49:39 -04:00
2020-06-28 04:55:11 -04:00
7. Confirm that you are connecting to the correct network. Double-check `client.conf`.
8. Make sure the AP being tested is using (AES-)CCMP as the encryption algorithm.
2020-06-19 23:49:39 -04:00
2020-06-28 04:55:11 -04:00
9. If your Wi-Fi dongle is unreliable, use it from a live CD or USB. A virtual machine can be unreliable.
2020-06-19 23:49:39 -04:00
2020-07-22 07:50:06 -04:00
10. If updated the code using git, did you execute `./build.sh` again (see [Prerequisites](#prerequisites))?
11. Confirm using a second monitor interface that no other frames are sent in between fragments.
For instance, we found that our Intel device sometimes sends Block Ack Response Action frames
between fragments, and this interfered with the defragmentation process of the device under test.
2020-06-19 23:49:39 -04:00
## Extended Vulnerability Tests
Optionally you can also run more advanced tests. These have a lower chance of uncovering new vulnerabilities,
but against more exotic implementations these might reveal flaws that the normal tests could not detect.
| Command | Short description
| ---------------------------------- | ---------------------------------
| <div align="center">*A-MSDU attacks (Section 3)*</div>
| `ping I,E --fake-amsdu` | If this test succeeds, the A-MSDU flag is ignored (Section 3.5).
2020-06-19 23:49:39 -04:00
| <div align="center">*Mixed key attacks (Section 4)*</div>
| `ping I,E,R,AE` | In case the delay between fragments must be small.
| `ping I,E,R,AE --rekey-plaintext` | If the device performs the rekey handshake in plaintext.
| `ping I,E,R,AE --rekey-req --rekey-plain`| Same as above, and actively request a rekey as client.
| `ping I,E,R,AE --rekey-early-install`| Install the new key before sending message 4 as an AP.
| `ping I,R,BE,AE --freebsd` | Mixed key attack against FreeBSD.
| `ping I,R,BE,E` | In case the new key is installed relatively late.
| <div align="center">*Mixed plain/enc (Section 6.3)*</div>
| `ping I,E,P,E` | Ping with first frag. encrypted, second plaintext, third encrypted.
| `linux-plain 3` | Same as linux-plain but decoy fragment is sent using QoS priority 3.
| <div align="center">*EAPOL forwarding (Section 6.4)*</div>
| `eapol-inject L,00:11:22:33:44:55` | Try to make the AP send fragmented frames by EAPOL injection.
| <div align="center">*No fragmentation support (Section 6.6)*</div>
| `ping I,E,D` | Send ping inside an encrypted first fragment (no 2nd fragment).
| `ping I,D,E` | Send ping inside an encrypted second fragment (no 1st fragment).
2020-06-19 23:49:39 -04:00
| <div align="center">*Broadcast fragments (Section 6.7)*</div>
| `ping D,SP --bcast-ra` | Ping in a 2nd plaintext broadcasted fragment before 4-way handshake.
| `ping D,BP --bcast-ra` | Ping in a 2nd plaintext broadcasted fragment during 4-way handshake.
| `ping I,P --bcast-ra` | Ping in a plaintext broadcast Wi-Fi frame after 4-way handshake.
| `macos CC` | Experimental attack against macos.
| `macos BB` | Same as above, but inject during 4-way handshake.
| <div align="center">*EAPOL A-MSDUs (Section 6.8)*</div>
| `eapol-amsdu [M,]BB --bcast-dst` | Same as "eapol-amsdu [M,]BB" but ping is broadcasted.
| `eapol-amsdu [M,]I,CC --bcast-dst` | Same as "eapol-amsdu [M,]I,CC" but ping is broadcasted.
| `eapol-amsdu SS` | Same as "eapol-amsd BB" but inject frame before 4-way handshake.
| `eapol-amsdu AA` | Same as "eapol-amsd BB" but inject frame right after 4-way handshake.
## Advanced Usage
### Network card injection test
The script `test-injection.py` can be used to test whether frames are properly injected when
using _injection mode_:
./test-injection.py wlan0 wlan1
2020-05-23 20:39:15 -04:00
2020-06-19 23:49:39 -04:00
Here we test if network card `wlan0` properly injects frames and we use network card `wlan1`
2020-06-28 04:55:11 -04:00
to monitor whether frames are properly injected.
**TODO: In case tests are not working, try to first unplug USB dongles and reboot the device(s).**
**If the tests still fail, try to use a different network card to monitor whether frames are**
**injected properly.**
2020-06-28 04:55:11 -04:00
**TODO: Testing the TP-Link against the Intel 3160 was very unreliable: many frames were not**
**received although they in fact were sent by the device.**
2020-07-22 07:50:06 -04:00
case you do not have a second network
2020-06-19 23:49:39 -04:00
card, you can execute a partial injection test using:
2020-05-23 20:39:15 -04:00
2020-06-19 23:49:39 -04:00
./test-injection.py wlan0
2020-05-23 20:39:15 -04:00
2020-06-19 23:49:39 -04:00
Unfortunately, the above test can only test if the kernel overwrites fields of injected frames,
it cannot test whether the firmware or wireless chip itself overwrites fields.
To test whether a network card properly injects frames in _mixed mode_, you can execute the
following two commands:
./fragattack wlan0 ping --inject-test wlan1
./fragattack wlan0 ping --inject-test wlan1 --ap
2020-07-22 07:50:06 -04:00
**Ack behaviour is best tested postauth so the client will not disconnected.**
2020-06-19 23:49:39 -04:00
Here we test whether `wlan0` properly injects frames by monitor the injected frames using the
second network card `wlan1`. The first command tests if frames are properly injected when using
mixed mode as a client, and the second when using mixed mode as a client. In order to start the
test, the client must be able to connect to a network, and the AP waits until a client is
connecting. In case you do not have a second network card, you can execute a partial mixed mode
test using:
./fragattack wlan0 ping --inject-selftest
./fragattack wlan0 ping --inject-selftest --ap
Unfortunately, the above tests can only test if the kernel overwrites fields of injected frames,
it cannot test whether the firmware or wireless chip itself overwrites fields.
### Hwsim mode details
**Warning**: *this is currently an experimental mode, only use it for research purposes.*
This mode requires only one network card. The disadvantage is that this mode is the least reliable:
2020-05-23 20:39:15 -04:00
- Frames are handled slower, possibly causing the tested client/AP to timeout during authentication
or association.
- When injeting frames, they may be retransmitted even though an acknowledgement was recieved.
2020-07-22 07:50:06 -04:00
This slightly slows the handling of frames.
2020-05-23 20:39:15 -04:00
- Frames are not properly acknowledged depending on the wireless network card, which causes some
tested clients or APs to disconnect during authentication or association.
2020-06-19 23:49:39 -04:00
Nevertheless, the advantage is that is mode requires only one wirelss network card and can,
depending on the network card, be used without patches to the driver and/or firmware. Before
using this mode, create two virtual network cards:
2020-05-23 20:39:15 -04:00
./hwsim.sh
2020-07-22 07:50:06 -04:00
This will output the two created virtual "hwsim" interfaces, for example wlan1 and wlan2. When testing
an AP in this mode, you must first search for the channel of the AP, and put the real network card on
this channel:
2020-05-23 20:39:15 -04:00
./scan.sh wlan0
2020-07-22 07:50:06 -04:00
ifconfig wlan0 down
2020-05-23 20:39:15 -04:00
iw wlan0 set type monitor
ifconfig wlan0 up
2020-07-22 07:50:06 -04:00
# Pick the channel that the AP is on (in this example 11)
2020-05-23 20:39:15 -04:00
iw wlan0 set channel 11
2020-07-22 07:50:06 -04:00
Here wlan0 refers to the _real_ network card (not an interface created by `hwsim.sh`).
2020-05-23 20:39:15 -04:00
You can now start the script as follows:
./fragattack wlan0 --hwsim wlan1,wlan2 [--ap] $COMMAND
2020-07-22 07:50:06 -04:00
After the script executed, you can directly run it again with a new command. When testing a client, do
do not first have to configure the channel (it is taken from `hostapd.conf`).
**TODOs:**
- Due to commit 1672c0e31917 ("mac80211: start auth/assoc timeout on frame status") authentication
as a client will instantly timeout. We need to have a method to bypass this:
1. We can patch the kernel
2. Maybe configure wpa_supplicant to send auth frames using a monitor interface?
2020-05-23 20:39:15 -04:00
2020-06-19 23:49:39 -04:00
### Static IP Configuration
2020-05-23 20:39:15 -04:00
In case the device you are testing doesn't support DHCP, you can manually specify the IP addresses
that the script should use. For example:
./fragattack.py wlan0 ping --inject wlan1 --ip 192.168.100.10 --peerip 192.168.100.1
Here the testing script will use address 192.168.100.10, and it will inject a ping request
to the peer IP address 192.168.100.1.
### Alternative network cards
In case you cannot get access to one of the recommended wireless network cards, a second option
is to get a network card that uses the same drivers on Linux. In particular, you can try:
- Network cards that use [ath9k_htc](https://wikidevi.wi-cat.ru/Ath9k_htc)
- Network cards that use [iwlmvm](https://wireless.wiki.kernel.org/en/users/drivers/iwlwifi)
We recommend cards based on `ath9khtc`. Not all cards that use `iwlmvm` will be compatible. When
using an alternative network card, we strongly recommend to first run the [injection tests](#Network-card-injection-test)
to confirm that the network card is compatible.
2020-05-23 20:39:15 -04:00
### 5 GHz support
In order to use our script on 5 GHz channels the network card being used must allow the injection
of frames in the 5 GHz channel. Unfortunately, this is not always possible due to regulatory
constraints. To see on which channels you can inject frames you can execute `iw list` and look under
Frequencies for channels that are _not_ marked as disabled, no IR, or radar detection. Note that these
conditions may depend on your network card, the current configured country, and the AP you are
connected to. For more information see, for example, the [Arch Linux documentation](https://wiki.archlinux.org/index.php/Network_configuration/Wireless#Respecting_the_regulatory_domain).
2020-07-22 07:50:06 -04:00
Although we have not yet encountered a device that behaved differently in the 2.4 GHz band compared
to the 5 GHz band, this may occur in practice if different drivers are used to handle both bands.
If you encounter such a case please let us know. Since we have not yet observed such differences
between the 2.4 and 5 GHz band we believe that it is sufficient to only test one of these bands.
Note that in mixed mode the Linux kernel may not allow the injection of frames even though it is
allowed to send normal frames. This is because in `ieee80211_monitor_start_xmit` the kernel refuses
to inject frames when `cfg80211_reg_can_beacon` returns false. As a result, Linux may refuse to
inject frames even though this is actually allowed. Making `cfg80211_reg_can_beacon` return true
under the correct conditions prevents this bug.
2020-06-27 09:27:46 -04:00
### Notes on device support
2020-06-28 04:55:11 -04:00
**TODO: Reference or include the DEVICES.md file**
2020-06-27 09:27:46 -04:00
#### ath9k_htc
2020-07-22 07:50:06 -04:00
With kernel 5.7.3+ and 5.8.x there is a known problem problem with the `ath9k_htc` driver, used by
the Technoethical N150 HGA, TP-Link TL-WN722N v1.x, and Alfa AWUS036NHA, causing it not to work.
Downgrading to kernel `5.7.2` fixes this issue. In the meantime a patch has also been submitted
to fix this problem on new kernels: https://www.spinics.net/lists/linux-wireless/msg200825.html
2020-07-22 07:50:06 -04:00
Older threads on this bug:
2020-06-27 09:27:46 -04:00
- https://bugzilla.kernel.org/show_bug.cgi?id=208251
- https://bugzilla.redhat.com/show_bug.cgi?id=1848631
- https://lore.kernel.org/lkml/CAEJqkgjV8p6LtBV8YUGbNb0vYzKOQt4-AMAvYw5mzFr3eicyTg@mail.gmail.com/
#### AWUS036ACM
The reliability of our `AWUS036ACM` device, which uses the mt76x2u driver, varied depending on how
it was used. We found that:
- On kernel 5.5.0 this device didn't work properly when connected to a USB3.0 port. In particular,
it kept showing `error: mt7602u_mcu_wait_resp failed with -108` when testing on Kali Linux. The
device did work properly when connected to a USB2.0 port.
Frame injection in the 2.4 GHz band was also working properly in the above setup. Frame injection
was also working in the 5 GHz band (tested by running the `test-injection,py` script on channel 40
and capturing the frame using an Intel 3160).
Strangely, this device refuses to inject frames when: (1) it's a data frame; (2) the destination
MAC address is not all-zeros; and (3) the to-DS and from-DS are both not set. This was independent
of the sender MAC address. Such frames are generally never sent anyway, so this has no practical
impact, but it required us to tweak the `test-injection.py` script to always set the to-DS or
from-DS flags.
In mixed mode frames using the MAC address of the AP or client as sender MAC address were only
being injected when injected _after_ authentication. Before authenticating, these frames were
dropped. In mixed client/monitor mode, the sequence counter of injected frames was being overwritten.
In mixed AP/monitor mode, we were unable to inject frames towards the client when using the MAC
address of the AP as the sender MAC address _correctly_ (without the sequence counter being
overwritten - we confirmed this with a fragmented ping against a client).
**TODO: test mixed mode with patched drivers**
**Note: with an ath9k_htc we cannot inject frames with spoofed MAC addresses before and after**
**authenticating in AP/monitor mode? It does inject frames (incorrectly) in client/monitor mode.**
2020-06-28 04:55:11 -04:00
_This was likely because capturing with the Intel 3160 was very unreliable._
- On kernel 5.6.13 on Arch Linux, client mode didn't work properly when using an USB3.0 port. But
AP mode did work properly on a USB3.0 port.
2020-06-27 09:27:46 -04:00
2020-06-28 04:55:11 -04:00
In mixed mode, non-EAPOL data frames were not sent when injected before authentication. After
authentication, these were transmitted. **Is that patchable?**
2020-06-27 09:27:46 -04:00
2020-06-28 04:55:11 -04:00
**Note: with an ath9k_htc we can inject frames with spoofed MAC addresses before and after**
**authenticating in client/monitor mode. Same thing in AP/monitor mode. But capturing is unreliable.**
2020-06-27 09:27:46 -04:00
2020-06-19 23:49:39 -04:00
## TODOs
2020-04-20 19:26:15 -04:00
2020-05-23 20:39:15 -04:00
- Confirm each device can detect all vulnerabilities in the recommended modes.
2020-05-23 20:39:15 -04:00
- Test the attacks against PEAP-MSchap for eduroam tests (basic test was working).
2020-05-23 20:39:15 -04:00
- TODO: Is it important to disable encryption? I don't think it is. Otherwise we need sysfsutils as a dependency too.
2020-05-23 20:39:15 -04:00
- Create an example pcap and debug output of all tests.
2020-04-15 13:43:28 -04:00
2020-05-23 20:39:15 -04:00
- Release a known vulnerable linux image to test against? Essential to confirm the tests are working!
2020-04-15 13:43:28 -04:00
2020-06-19 23:49:39 -04:00
- sudo iw wlan0 set monitor otherbss. Does airmon-ng handle this better? Move to general section?
2020-04-15 13:43:28 -04:00
2020-06-19 23:49:39 -04:00
- Describe AP mode in hwsim mode?
2020-05-27 02:45:46 -04:00
- Support non-20MHz channels?