From 303b9cbec887b4419683e87492ecf9faebc0a32b Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef
Date: Wed, 5 Aug 2020 07:17:59 +0400
Subject: [PATCH] fragattack: add --amsdu-ssp option
---
 research/fragattack.py | 9 +++++----
 research/fraginternals.py | 2 +-
 research/tests_common.py | 2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/research/fragattack.py b/research/fragattack.py
index e22ec2dec..704d8def4 100755
--- a/research/fragattack.py
+++ b/research/fragattack.py
@@ -158,12 +158,12 @@ def args2ptype(args):
 def args2msdu(args):
 # Only one of these should be given
- if args.amsdu + args.fake_amsdu > 1:
- log(STATUS, "You cannot combine --amsdu and --fake-amsdu. Please only supply one of them.")
+ if args.amsdu + args.amsdu_fake > 1:
+ log(STATUS, "You cannot combine --amsdu and --amsdu-fake. Please only supply one of them.")
 quit(1)
 if args.amsdu: return 1
- if args.fake_amsdu: return 2
+ if args.amsdu_fake: return 2
 return None
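Review bot: The exclusivity check in args2msdu still exits through `quit(1)`, the interactive-shell helper installed by the `site` module, where a script conventionally calls `sys.exit(1)` (assuming `sys` is imported in fragattack.py, which is not visible in this hunk). The renamed check also leaves the new `amsdu_ssp` flag unvalidated: the hunk does not show whether forcing authentication of the A-MSDU flag is meant to be usable without `--amsdu`, so if it is not, the same `log(STATUS, ...)`/exit pattern used for `--amsdu`/`--amsdu-fake` would be the place to reject the combination. A one-line comment above the check stating which A-MSDU options may be combined, e.g. `# --amsdu and --amsdu-fake are mutually exclusive; --amsdu-ssp only changes how frames are authenticated`, would make the intent explicit (the second half of that sentence is inferred from fraginternals.py and should be confirmed).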
@@ -183,7 +183,8 @@ if __name__ == "__main__":
 parser.add_argument('--delay', type=float, default=0, help="Delay between fragments in certain tests.")
 parser.add_argument('--inc-pn', type=int, help="To test non-sequential packet number in fragments.")
 parser.add_argument('--amsdu', default=False, action='store_true', help="Encapsulate pings in an A-MSDU frame.")
- parser.add_argument('--fake-amsdu', default=False, action='store_true', help="Set A-MSDU flag but include normal payload.")
+ parser.add_argument('--amsdu-fake', default=False, action='store_true', help="Set A-MSDU flag but include normal payload.")
+ parser.add_argument('--amsdu-ssp', default=False, action='store_true', help="Force authentication of QoS A-MSDU flag.")
 parser.add_argument('--arp', default=False, action='store_true', help="Override default request with ARP request.")
 parser.add_argument('--dhcp', default=False, action='store_true', help="Override default request with DHCP discover.")
 parser.add_argument('--icmp', default=False, action='store_true', help="Override default request with ICMP ping request.")
diff --git a/research/fraginternals.py b/research/fraginternals.py
index 893cd3ae1..f7a778b8a 100644
--- a/research/fraginternals.py
+++ b/research/fraginternals.py
@@ -446,7 +446,7 @@ class Station():
 # TODO: Implement and test this function
 encrypted = encrypt_tkip(frame, key, self.pn[idx], keyid)
 elif len(key) == 16:
- encrypted = encrypt_ccmp(frame, key, self.pn[idx], keyid)
+ encrypted = encrypt_ccmp(frame, key, self.pn[idx], keyid, self.options.amsdu_ssp)
 else:
 encrypted = encrypt_wep(frame, key, self.pn[idx], keyid)
diff --git a/research/tests_common.py b/research/tests_common.py
index 1b7c852a1..266e1d486 100644
--- a/research/tests_common.py
+++ b/research/tests_common.py
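Review bot: Renaming `--fake-amsdu` to `--amsdu-fake` drops the old spelling without an alias, so any existing invocation or wrapper script silently stops parsing; argparse accepts several option strings for one destination, so `parser.add_argument('--amsdu-fake', '--fake-amsdu', dest='amsdu_fake', default=False, action='store_true', help="Set A-MSDU flag but include normal payload.")` keeps both working while making the new name canonical. The help text for the new `--amsdu-ssp` option could also say where it takes effect: in this commit the flag is only consumed by the CCMP branch in fraginternals.py, so a help string such as `"Authenticate the QoS A-MSDU flag (SPP A-MSDU) when CCMP-encrypting frames."` tells the user when the option does nothing. The IEEE 802.11 term for this mode is SPP (Signaling and Payload Protected) A-MSDU, so if "ssp" is not a deliberate spelling it is cheaper to settle the name now than to rename it later as this hunk does for `--amsdu-fake`. The enclosing `if __name__ == "__main__":` block starts and ends outside the hunk.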
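Review bot: The call to encrypt_ccmp gains a fifth positional argument, `self.options.amsdu_ssp`, but none of the three files in the diffstat changes the definition of encrypt_ccmp; unless that function already accepts the extra parameter, every CCMP-encrypted frame will fail with a TypeError at this line, so the signature change should be confirmed or included in the same commit. Passing a bare boolean positionally also hides its meaning at the call site; a keyword argument named after encrypt_ccmp's actual parameter would make the intent readable without opening the other file. The TKIP and WEP branches do not receive the option, which is presumably intended because SPP A-MSDU protection is defined for CCMP/GCMP only, but a short comment on the `elif len(key) == 16:` line such as `# SPP A-MSDU authentication only applies to CCMP` would stop a reader from reporting the other branches as a missed case (that the parsed argparse namespace is stored as `self.options` is assumed here and not visible in the hunk). The enclosing method starts and ends outside the hunk.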
@@ -155,7 +155,7 @@ class LinuxTest(Test):
 # Fragment 2: make Linux update latest used crypto Packet Number. Use a dummy packet
 # that can't accidently aggregate with the first fragment in a corrrect packet.
- p = station.get_header(prior=2)/LLC()/SNAP()/IP()/Raw(b"linux_plain decoy fragment")
+ p = station.get_header(prior=2)/LLC()/SNAP()/IP()/Raw(b"linux-plain decoy fragment")
 p.SC = frag2.SC ^ (1 << 4)
 # - In the attack against Linux, the decoy frame must have the same QoS TID.