fragattacks: example network captures

This commit is contained in:
Mathy Vanhoef 2021-05-11 04:20:35 +04:00
parent c5e2bced40
commit 316585952e
15 changed files with 47 additions and 0 deletions

View File

@ -15,6 +15,7 @@ The following additional resources are available:
- [Handouts](https://papers.mathyvanhoef.com/fragattacks-slides-2021-03-8.pdf) that give extra background and explain the vulnerabilities in more detail.
- A [demonstration](https://youtu.be/88YZ4061tYw) of three example attacks.
- The [research paper](https://papers.mathyvanhoef.com/usenix2021.pdf) published at USENIX Security.
- Example [network captures](example-pcaps/) illustrating some of the vulnerabilities.
- A [live USB image](#id-live-image) with this tool and modified drivers pre-installed.
See the [change log](#id-change-log) for a detailed overview of updates to the tool made since 11 August 2020.

46
example-pcaps/README.md Normal file
View File

@ -0,0 +1,46 @@
# Example Packet Captures
In all the following captures the Wi-Fi network is `testnetwork` with as password `abcdefgh`.
Note that the captures were made on the same network card that was injecting packets (with hardware encryption disabled). On Linux, **injected packets are shown twice in a network capture**. First it shows the frame as injected by userspace (the test tool will always set the `Has Seqnum` and `Order` in the radiotap header). After the frame was sent, the Linux kernel echoes the actual transmitted frame a second time. This second frame for instance contains the bitrate that was used to send the frame and whether an acknowledgement was received in response.
## A-MSDU attacks
- `amsdu-inject-fromap.pcapng`: used command was `amsdu-inject --ap`. Frame 124 contains the attack ping packet.
## Mixed key attacks
- `ping_I_F_BE_AE-fromap.pcapng`: used command was `ping I,F,BE,AE --ap`. Frame 170 contains the first fragment encrypted under TK `e4e41ad934f5caa7ff0064ad96609c2f` and frame 180 contains the second fragment encrypted under TK `1f38eee5960fb9d9d77e566c4b18008d`. The ping reply is shown in frame 185.
## Cache attacks
- `ping_I_E_R_E-fromclient.pcapng`: used command was `ping I,E,R,E`. Frame 69 contains the first fragment encrypted under TK `dda31c8516b9d92581fc17e4a8f1b47b`. Frame 72 and 74 shows that the client is reassociating. Frame 98 contains the second fragmented encrypted under TK `b4d1a94a4d126dbd39ec3557969f430b`. The ping reply is contained in frame 101.
## Non-consecutive PNs attack
- `ping_I_E_E___inc_pn_2-fromap.pcapng`: used command was `ping I,E,E --inc-pn 2 --ap`. Frame 130 contains the first fragment with CCMP Packet Number 0x101 and frame 132 contains the second fragment with CCMP Packet Number 0x103.
## Mixed plain/encrypt attack
- `linux-plain-fromap.pcapng`: used command was `linux-plain --ap`. Frame 79 contains the first legitimate encrypted fragment, frame 81 contains the second legitimate encrypted fragment but with a different sequence number, frame 83 contains the injected plaintext second fragment (with the same sequence number as the first fragment). The ping reply is in frame 94.
- `ping_I_E_P-fromclient.pcapng`: used command was `ping I,E,P`. Frame 51 contains the encrypted first fragment, frame 54 the plaintext second fragment, and frame 57 the encrypted ping reply.
- `ping_I_P-fromclient.pcapng`: used command was `ping I,P`. Frame 59 contains the injected plaintext ping request and frame 62 contains the encrypted ping reply.
## Broadcast fragment attack
- `ping_D_BP___bcast_ra-fromap.pcapng`: used command was `ping D,BP --bcast-ra --ap`. Frame 21 contains the attack packet. Capture `ping_D_BP___bcast_ra-onclient.pcap` shows the result on the target device (Samsung i9305) where frame 13 contains the injected ping request.
## A-MSDU EAPOL attack
- `eapol-amsdu_BP-fromap.pcapng`: used command was `eapol-amsdu BP --ap`. Frame 43 contains the injected ping packet. Capture `eapol-amsdu_BP-onclient.pcapng` shows the result on the target device (Pixel 4 XL) where frame 4 contains the injected ping request. Note that frame 3 is an invalid packet that is a side-effect of the attack (it's the content of the first A-MSDU subframe whose purpose was to make the packet look like an EAPOL handshake message).
## AP forwards EAPOL attack
- `eapol-inject-fromclient.pcapng`: used command was `eapol-inject 7e:1e:cd:49:9f:c6`. Frame 39 contained the inject EAPOL packet sent from client `64:70:02:2f:d7:67` in plaintext before this client authenticated. The AP forwards this EAPOL towards the destination client `7e:1e:cd:49:9f:c6` as an encrypted frame in frame 50 (we confirmed on the destination with Wireshark that this indeed is the forwarded packet).
## No fragmentation support attack
- `ping_I_D_E-fromap.pcapng`: used command was `ping I,D,E --ap`. Frame 51 contains the full ping request in the second fragment of a Wi-Fi frame (no other fragment is sent). Frame 58 contains the ping response from the vulnerable device.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.