Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2024-11-25 00:38:24 -05:00
Code Issues Projects Releases Wiki Activity

fragattack: 5 GHz notes and README improvements

Browse Source
This commit is contained in:
Mathy Vanhoef 2020-07-15 06:48:42 +04:00 committed by Mathy Vanhoef
parent 648a2d59fd
commit 584e024cb3
2 changed files with 42 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
research/README.md
View File

@ -57,8 +57,8 @@ use a USB2.0 (OHCI + ECHI) controller, because we found the USB3.0 controller to
During our own tests, the AWUS036ACM dongle is supported by Linux, but at times was not correctly During our own tests, the AWUS036ACM dongle is supported by Linux, but at times was not correctly
recognized during our experiments. It may be necessairy to use a recent Linux kernel, and manually recognized during our experiments. It may be necessairy to use a recent Linux kernel, and manually
executing `sudo modprobe mt76x2u` to load the driver. This devices then works out-of-the-box without executing `sudo modprobe mt76x2u` to load the driver.
patched drives. We also found it to be unreliable when used inside VirtualBox. **Unstable when used on a USB3.0 port. Otherwise works fine.**
The AWUS036ACH was tested on Kali Linux after installing the driver using `sudo apt install realtek-rtl88xxau-dkms`. The AWUS036ACH was tested on Kali Linux after installing the driver using `sudo apt install realtek-rtl88xxau-dkms`.
This device is generally not supported by default in most Linux distributions and requires manual This device is generally not supported by default in most Linux distributions and requires manual
@ -78,7 +78,7 @@ Our scripts were tested on Kali Linux and Ubuntu 20.04. To install the required
# Kali Linux and Ubuntu # Kali Linux and Ubuntu
sudo apt-get update sudo apt-get update
sudo apt-get install libnl-3-dev libnl-genl-3-dev libnl-route-3-dev libssl-dev libdbus-1-dev git pkg-config build-essential macchanger net-tools python3-venv sudo apt-get install libnl-3-dev libnl-genl-3-dev libnl-route-3-dev libssl-dev libdbus-1-dev git pkg-config build-essential macchanger net-tools python3-venv airmon-ng
Now clone this repository, build the tools, and configure a virtual python3 environment: Now clone this repository, build the tools, and configure a virtual python3 environment:
@ -127,6 +127,9 @@ as root. This can be done using:
source venv/bin/activate source venv/bin/activate
You should now disable Wi-Fi in your network manager so it will not interfere with our scripts. You should now disable Wi-Fi in your network manager so it will not interfere with our scripts.
Also make sure no other network services are causing outgoing traffic. You can assure this by
using iptables rules by executing `./droptraffic.sh` (you can revert this by rebooting). Optionally
check using `sudo airmon-ng check` to see which other processing might interfere.
Our script can test both clients and APs: Our script can test both clients and APs:
@ -204,7 +207,7 @@ the paper in which section the vulnerability is explained.
| `ping I,R,BE,AE` | Inject two fragments encrypted under a different key. | `ping I,R,BE,AE` | Inject two fragments encrypted under a different key.
| `ping I,R,BE,AE --pn-per-qos` | Same as above, but also works if the target only accepts consecutive fragments. | `ping I,R,BE,AE --pn-per-qos` | Same as above, but also works if the target only accepts consecutive fragments.
| <div align="center">*Cache attacks (Section 5)*</div> | | <div align="center">*Cache attacks (Section 5)*</div> |
| `ping I,E,C,AE` | Inject a fragment, reconnect or as client _reassociate_, then inject second fragment. | `ping I,E,C,AE` | Inject a fragment then reconnect (as client _reassociate_) and inject second fragment.
| `ping I,E,C,E` | Same as above, but with a longer delay before sending the second fragment. | `ping I,E,C,E` | Same as above, but with a longer delay before sending the second fragment.
| `ping I,E,C,AE --full-reconnect` | Inject a fragment, reconnect, then inject second fragment. | `ping I,E,C,AE --full-reconnect` | Inject a fragment, reconnect, then inject second fragment.
| `ping I,E,C,E --full-reconnect` | Same as above, but with a longer delay before sending the second fragment. | `ping I,E,C,E --full-reconnect` | Same as above, but with a longer delay before sending the second fragment.
@ -262,7 +265,8 @@ In case the script doesn't appear to be working, check the following:
5. Run the [injection tests](#Network-card-injection-test) to make sure injection is working properly. 5. Run the [injection tests](#Network-card-injection-test) to make sure injection is working properly.
6. Check that you machine isn't generating background traffic that interferes with the tests. In 6. Check that you machine isn't generating background traffic that interferes with the tests. In
particular, disable networking in your OS, manually kill your DHCP client/server, etc. particular, disable networking in your OS, manually kill your DHCP client/server, etc. See
also [Before every usage](#before-every-usage).
7. Confirm that you are connecting to the correct network. Double-check `client.conf`. 7. Confirm that you are connecting to the correct network. Double-check `client.conf`.
@ -270,6 +274,9 @@ In case the script doesn't appear to be working, check the following:
9. If your Wi-Fi dongle is unreliable, use it from a live CD or USB. A virtual machine can be unreliable. 9. If your Wi-Fi dongle is unreliable, use it from a live CD or USB. A virtual machine can be unreliable.
10. Confirm using a second monitor interface that no other frames are sent in between fragments.
For instance, we found that our Intel device sometimes sends Block Ack Response Action frames between fragments.
## Extended Vulnerability Tests ## Extended Vulnerability Tests
Optionally you can also run more advanced tests. These have a lower chance of uncovering new vulnerabilities, Optionally you can also run more advanced tests. These have a lower chance of uncovering new vulnerabilities,
@ -318,9 +325,15 @@ using _injection mode_:
Here we test if network card `wlan0` properly injects frames and we use network card `wlan1` Here we test if network card `wlan0` properly injects frames and we use network card `wlan1`
to monitor whether frames are properly injected. to monitor whether frames are properly injected.
**TODO: In case tests are not working, try to first unplug USB dongles and reboot the device(s).**
**If the tests still fail, try to use a different network card to monitor whether frames are**
**injected properly.**
**TODO: Testing the TP-Link against the Intel 3160 was very unreliable: many frames were not** **TODO: Testing the TP-Link against the Intel 3160 was very unreliable: many frames were not**
**received although they in fact were sent by the device.** **received although they in fact were sent by the device.**
**Ack behaviour is best tested postauth so the client will not disconnected.**
In case you do not have a second network In case you do not have a second network
card, you can execute a partial injection test using: card, you can execute a partial injection test using:
@ -406,6 +419,21 @@ We recommend cards based on `ath9khtc`. Not all cards that use `iwlmvm` will be
using an alternative network card, we strongly recommend to first run the [injection tests](#Network-card-injection-test) using an alternative network card, we strongly recommend to first run the [injection tests](#Network-card-injection-test)
to confirm that the network card is compatible. to confirm that the network card is compatible.
### 5 GHz support
In order to use our script on 5 GHz channels the network card being used must allow the injection
of frames in the 5 GHz channel. Unfortunately, this is not always possible due to regulatory
constraints. To see on which channels you can inject frames you can execute `iw list` and look under
Frequencies for channels that are _not_ marked as disabled, no IR, or radar detection. Note that these
conditions may depend on your network card, the current configured country, and the AP you are
connected to. For more information see, for example, the [Arch Linux documentation](https://wiki.archlinux.org/index.php/Network_configuration/Wireless#Respecting_the_regulatory_domain).
Note that in mixed mode the Linux kernel may not allow the injection of frames even though it is
allowed to send normal frames. This is because in `ieee80211_monitor_start_xmit` the kernel refuses
to inject frames when `cfg80211_reg_can_beacon` returns false. As a result, Linux may refuse to
inject frames even though this is actually allowed. Making `cfg80211_reg_can_beacon` return true
under the correct conditions prevents this bug.
### Notes on device support ### Notes on device support
**TODO: Reference or include the DEVICES.md file** **TODO: Reference or include the DEVICES.md file**
@ -416,6 +444,8 @@ There is a known problem with the `ath9k_htc` driver, used by the Technoethical
TL-WN722N v1.x, and Alfa AWUS036NHA, causing it not to work on kernel 5.7.3 and above. Downgrading TL-WN722N v1.x, and Alfa AWUS036NHA, causing it not to work on kernel 5.7.3 and above. Downgrading
to kernel `5.7.2` fixes this issue for now. More details are available at: to kernel `5.7.2` fixes this issue for now. More details are available at:
- **Patch that might fix it:** https://www.spinics.net/lists/linux-wireless/msg200825.html
- https://bugzilla.kernel.org/show_bug.cgi?id=208251 - https://bugzilla.kernel.org/show_bug.cgi?id=208251
- https://bugzilla.redhat.com/show_bug.cgi?id=1848631 - https://bugzilla.redhat.com/show_bug.cgi?id=1848631

7
research/droptraffic.sh Normal file
View File

@ -0,0 +1,7 @@
#!/bin/bash
set -e
iptables -P INPUT DROP
iptables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP