diff --git a/research/fragattack.py b/research/fragattack.py
index c5ace5f65..1b58df411 100755
--- a/research/fragattack.py
+++ b/research/fragattack.py
@@ -208,6 +208,7 @@ if __name__ == "__main__":
 # TODO: Properly test the --bad-mic option
 parser.add_argument('--bad-mic', default=False, action='store_true', help="Send pings using an invalid authentication tag.")
 parser.add_argument('--pn-per-qos', default=False, action='store_true', help="Use separate Tx packet counter for each QoS TID.")
+ parser.add_argument('--no-qos', default=False, action='store_true', help="Don't send QoS data frames (experimental - may break some tests).")
 parser.add_argument('--freebsd-cache', default=False, action='store_true', help="Sent EAP(OL) frames as (malformed) broadcast EAPOL/A-MSDUs.")
 parser.add_argument('--connected-delay', type=float, default=1, help="Second to wait after AfterAuth before triggering Connected event")
 parser.add_argument('--to-self', default=False, action='store_true', help="Send ARP/DHCP/ICMP with same src and dst MAC address.")
@@ -227,6 +228,9 @@ if __name__ == "__main__":
 # Sanity check and convert some arguments to more usable form
 options.ptype = args2ptype(options)
 options.as_msdu = args2msdu(options)
+ if options.pn_per_qos and options.no_qos:
+ log(STATUS, f"Cannot specify option --pn-per-qos and --no-qos simultaneously.")
+ quit(1)
 # Make the --inject-test-postauth flags easier to check
 if options.inject_test_postauth != None:
diff --git a/research/fraginternals.py b/research/fraginternals.py
index beb74647c..63d159ed6 100644
--- a/research/fraginternals.py
+++ b/research/fraginternals.py
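Review bot: In research/fragattack.py, the new `--pn-per-qos`/`--no-qos` conflict check exits through `quit(1)`, a helper installed by the `site` module that is absent when the interpreter runs with `-S`, and its message is logged at STATUS with an `f` prefix that has no placeholders. `parser` appears to still be in scope in this `__main__` block, so `parser.error("Cannot specify option --pn-per-qos and --no-qos simultaneously.")` would report the conflict on stderr and exit non-zero in one line. The check protects only this entry point; any other code that builds `options` for Station or Daemon (none is visible here) would not be covered. The `__main__` block continues outside the hunk.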
@@ -437,6 +437,11 @@ class Station():
 def encrypt(self, frame, inc_pn=1, force_key=None):
 # TODO: Add argument to force a bad authenticity check
+ # Need to already remove Dot11QoS here since this affects authenticity tag
+ if self.options.no_qos and Dot11QoS in frame:
+ log(DEBUG, "Station.encrypt: removing Dot11QoS header as requested by user")
+ frame = remove_dot11qos(frame)
+ idx = dot11_get_priority(frame) if self.options.pn_per_qos else 0
 self.pn[idx] += inc_pn
@@ -795,6 +800,10 @@ class Daemon(metaclass=abc.ABCMeta):
 set_monitor_mode(self.options.inject_test)
 def inject_mon(self, p):
+ # If requested send all frames as normal data frames (i.e. remove Dot11QoS if present)
+ if self.options.no_qos and Dot11QoS in p:
+ log(DEBUG, "Station.inject_mon: removing Dot11QoS header as requested by user")
+ p = remove_dot11qos(p)
 self.sock_mon.send(p)
 def inject_eth(self, p):
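Review bot: In Station.encrypt (first hunk of research/fraginternals.py), the Dot11QoS header is stripped before `dot11_get_priority(frame)` runs, so with both `no_qos` and `pn_per_qos` set the per-TID counter would be indexed from a frame that no longer carries a TID. That combination is rejected only in fragattack.py's `__main__` block, so the dependency deserves a comment here, e.g. `# no_qos strips the QoS header before the priority lookup; --pn-per-qos is rejected together with it in fragattack.py`. Whether `remove_dot11qos` returns a copy or edits the caller's frame in place is not visible in this hunk and is worth stating in the same comment. encrypt's body continues outside the hunk.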
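Review bot: In Daemon.inject_mon (second hunk of research/fraginternals.py), the debug message is labelled `Station.inject_mon` although the hunk header places the method in `class Daemon`; it should read `log(DEBUG, "Daemon.inject_mon: removing Dot11QoS header as requested by user")`. The same three-line strip now exists here and in Station.encrypt, and a small shared helper would keep the two from drifting apart. Frames protected somewhere other than Station.encrypt that still carry Dot11QoS would lose the header here after their authenticity tag was computed, which the comment added in encrypt says matters. If such a path exists, a comment noting that limitation would help anyone interpreting test results produced with `--no-qos`.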