fragattacks: check if modified drivers/firmware are used

research/fragattack.py

@@ -8,7 +8,6 @@
 import glob, importlib
 from fraginternals import *
 
-#TODO: Check that modified drivers are used using debugfs
 #TODO: Check that atheros is using patched firmware using debugfs
 # ==> Both have caused me issues!!! Checking this automatically is *ESSENTIAL*.
 
@@ -146,25 +145,6 @@ def prepare_tests(opt):
 	# No valid test ID/name was given
 	else: return None
 
-	# -----------------------------------------------------------------------------------------
-
-	# XXX TODO : Hardware decrypts it using old key, software using new key?
-	#	     So right after rekey we inject first with old key, second with new key?
-
-	# XXX TODO : What about extended functionality where we can have
-	#	     two simultaneously pairwise keys?!?!
-
-	# TODO:
-	# - Test case to check if the receiver supports interleaved priority
-	#   reception. It seems Windows 10 / Intel might not support this.
-	# - Test case with a very lage aggregated frame (which is normally not
-	#   allowed but some may accept it). And a variation to check how APs
-	#   will forward such overly large frame (e.g. force fragmentation).
-	# - [TKIP] Encrpted, Encrypted, no global MIC
-	# - Plain/Enc tests but first plaintext sent before installing key
-	# - Test fragmentation of management frames
-	# - Test fragmentation of group frames (STA mode of RT-AC51u?)
-
 	# If requested, override delay and inc_pn parameters in the test.
 	test.set_general_options(opt.delay, opt.inc_pn)
 
@@ -237,6 +217,7 @@ if __name__ == "__main__":
 	parser.add_argument('--freebsd-cache', default=False, action='store_true', help="Sent EAP(OL) frames as (malformed) broadcast EAPOL/A-MSDUs.")
 	parser.add_argument('--connected-delay', type=float, default=1, help="Second to wait after AfterAuth before triggering Connected event")
 	parser.add_argument('--to-self', default=False, action='store_true', help="Send ARP/DHCP/ICMP with same src and dst MAC address.")
+	parser.add_argument('--no-drivercheck', default=False, action='store_true', help="Don't check if patched drivers are being used.")
 	options = parser.parse_args()
 
 	# Default value for options that should not be command line parameters

research/fraginternals.py

@@ -4,7 +4,6 @@
 # This code may be distributed under the terms of the BSD license.
 # See README for more details.
 
-# TODO: Other traffic on the interface might interfere with attacks. How to prevent?
 from libwifi import *
 import abc, sys, socket, struct, time, subprocess, atexit, select, copy
 import argparse
@@ -21,7 +20,6 @@ def wpaspy_clear_messages(ctrl):
 	while ctrl.pending():
 		ctrl.recv()
 
-#TODO: Modify so we can ignore other messages over the command interface
 def wpaspy_command(ctrl, cmd):
 	wpaspy_clear_messages(ctrl)
 
@@ -482,7 +480,6 @@ class Station():
 			return self.bss
 		return self.peermac
 
-	# TODO: Show a warning when unusual transitions are detected?
 	def trigger_eapol_events(self, eapol):
 		# Ignore everything apart the 4-way handshake
 		if not WPA_key in eapol: return None
@@ -675,8 +672,6 @@ class Daemon(metaclass=abc.ABCMeta):
 		pass
 
 	def configure_interfaces(self):
-		log(STATUS, "Note: disable Wi-Fi in your network manager so it doesn't interfere with this script")
-
 		try:
 			subprocess.check_output(["rfkill", "unblock", "wifi"])
 		except Exception as ex:
@@ -684,6 +679,17 @@ class Daemon(metaclass=abc.ABCMeta):
 			quit(1)
 		self.nic_iface = self.options.iface
 
+		# TODO: Check if the interfaces exist
+
+		# 0. Verify whether patched drivers are being used
+		if not self.options.no_drivercheck:
+			if not os.path.exists("/sys/module/mac80211/parameters/"):
+				log(WARNING, "WARNING: Unable to check whether you are using patched drivers.")
+			elif not os.path.exists("/sys/module/mac80211/parameters/fragattack_version"):
+				log(ERROR, "You are not running patched drivers, meaning this tool may give incorrect results!")
+				log(STATUS, "To ignore this warning add the parameter --no-drivercheck")
+				time.sleep(5)
+
 		# 1. Assign/create interfaces according to provided options
 		if self.options.hwsim:
 			# TODO: Automatically create both interfaces?
@@ -710,9 +716,7 @@ class Daemon(metaclass=abc.ABCMeta):
 				subprocess.call(["iw", self.nic_mon, "del"], stdout=subprocess.PIPE, stdin=subprocess.PIPE)
 				subprocess.check_output(["iw", self.nic_iface, "interface", "add", self.nic_mon, "type", "monitor"])
 
-			log(WARNING, "Remember to use a modified backports and ath9k_htc firmware!")
-
-		# 2. Remember whether to need to use injection workarounds.
+		# 2.A Remember whether to need to use injection workarounds.
 		driver = get_device_driver(self.nic_mon)
 		if driver == None:
 			log(WARNING, "Unable to detect driver of interface!")
@@ -722,6 +726,17 @@ class Daemon(metaclass=abc.ABCMeta):
 			self.options.inject_mf_workaround = True
 			log(STATUS, f"Detected {driver}, using injection bug workarounds")
 
+		# 2.B Check if ath9k_htc is using patched firmware
+		if not self.options.no_drivercheck and driver == "ath9k_htc":
+			try:
+				with open("/sys/module/ath9k_htc/parameters/fragattack_fw") as fp:
+					if not int(fp.read()) == 1:
+						log(ERROR, "WARNING: It seems the ath9k_htc device is not using patched firmware!")
+						log(STATUS, "To ignore this warning add the parameter --no-drivercheck")
+						time.sleep(5)
+			except:
+				log(WARNING, "WARNING: Unable to check if the ath9k_htc device is using patched firmware!")
+
 		# 3. Enable monitor mode
 		set_monitor_mode(self.nic_mon)
 		log(STATUS, f"Using interface {self.nic_mon} ({get_device_driver(self.nic_mon)}) to inject frames.")