Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2024-11-28 10:18:21 -05:00
Code Issues Projects Releases Wiki Activity

fragattack: option to send a fake A-MSDU

Browse Source
This commit is contained in:
Mathy 2020-04-23 21:15:15 -04:00 committed by Mathy Vanhoef
parent 34c17f2a4f
commit 5b526124bc
1 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
research/fragattack.py
View File

@ -247,11 +247,14 @@ class PingTest(Test):
# Generate the header and payload
header, request, self.check_fn = generate_request(station, self.ptype)
if self.as_msdu:
if self.as_msdu == 1:
# Set the A-MSDU frame type flag in the QoS header
header.Reserved = 1
# Encapsulate the request in an A-MSDU payload
request = add_msdu_frag(station.mac, station.get_peermac(), request)
elif self.as_msdu == 2:
# Set A-MSDU flag but include a normal payload (fake A-MSDU)
header.Reserved = 1
# Generate all the individual (fragmented) frames
num_frags = len(self.get_actions(Action.Inject))
@ -281,6 +284,7 @@ class PingTest(Test):
class LinuxTest(Test):
def __init__(self, ptype):
super().__init__([
Action(Action.Connected, Action.GetIp), # XXX we don't always want to wait on this?
Action(Action.Connected, enc=True),
Action(Action.Connected, enc=True),
Action(Action.Connected, enc=False)
@ -529,7 +533,9 @@ class Station():
return header
def encrypt(self, frame, inc_pn=1, force_key=None):
# TODO: Option to use per-QoS transmit replay counters?
self.pn += inc_pn
key, keyid = (self.tk, 0) if int(frame.addr1[1], 16) & 1 == 0 else (self.gtk, self.gtk_idx)
if force_key == 0:
log(STATUS, "Encrypting with all-zero key")
@ -642,7 +648,7 @@ class Station():
if act.encrypted:
assert self.tk != None and self.gtk != None
log(STATUS, "Encrypting with key " + self.tk.hex() + " " + repr(frame))
log(STATUS, "Encrypting with key " + self.tk.hex() + " " + repr(act.frame))
frame = self.encrypt(act.frame, inc_pn=act.inc_pn, force_key=act.key)
else:
frame = act.frame
@ -1170,7 +1176,7 @@ def stract2action(stract):
raise Exception("Unrecognized action")
def prepare_tests(test_name, stractions, delay=0, inc_pn=0, as_msdu=False, ptype=None):
def prepare_tests(test_name, stractions, delay=0, inc_pn=0, as_msdu=None, ptype=None):
if test_name == "ping":
if stractions != None:
actions = [stract2action(stract) for stract in stractions.split(",")]
@ -1288,6 +1294,18 @@ def args2ptype(args):
return None
def args2msdu(args):
# Only one of these should be given
if args.msdu + args.fake_msdu > 1:
log(STATUS, "You cannot combine --msdu and --fake_msdu. Please only supply one of them.")
quit(1)
if args.msdu: return 1
if args.fake_msdu: return 2
return None
if __name__ == "__main__":
log(WARNING, "Remember to use a modified backports and ath9k_htc firmware!\n")
@ -1302,6 +1320,7 @@ if __name__ == "__main__":
parser.add_argument('--delay', type=float, default=0, help="Delay between fragments in certain tests.")
parser.add_argument('--inc-pn', type=int, help="To test non-sequential packet number in fragments.")
parser.add_argument('--msdu', default=False, action='store_true', help="Encapsulate pings in an A-MSDU frame.")
parser.add_argument('--fake-msdu', default=False, action='store_true', help="Set A-MSDU flag but include normal payload.")
parser.add_argument('--arp', default=False, action='store_true', help="Override default request with ARP request.")
parser.add_argument('--dhcp', default=False, action='store_true', help="Override default request with DHCP discover.")
parser.add_argument('--icmp', default=False, action='store_true', help="Override default request with ICMP ping request.")
@ -1309,11 +1328,12 @@ if __name__ == "__main__":
args = parser.parse_args()
ptype = args2ptype(args)
as_msdu = args2msdu(args)
# Convert parsed options to TestOptions object
options = TestOptions()
options.interface = args.iface
options.test = prepare_tests(args.testname, args.actions, args.delay, args.inc_pn, args.msdu, ptype)
options.test = prepare_tests(args.testname, args.actions, args.delay, args.inc_pn, as_msdu, ptype)
options.ip = args.ip
options.peerip = args.peerip
options.rekey_request = args.rekey_request