diff --git a/research/ath9k-firmware/htc_7010.fw b/research/ath9k-firmware/htc_7010.fw
index abe2f4cee..b2955e992 100644
Binary files a/research/ath9k-firmware/htc_7010.fw and b/research/ath9k-firmware/htc_7010.fw differ
diff --git a/research/ath9k-firmware/htc_9271.fw b/research/ath9k-firmware/htc_9271.fw
index 32af75f2c..2ded88bf8 100644
Binary files a/research/ath9k-firmware/htc_9271.fw and b/research/ath9k-firmware/htc_9271.fw differ
diff --git a/research/fragattack.py b/research/fragattack.py
index ad988ccc1..b36fcad9d 100755
--- a/research/fragattack.py
+++ b/research/fragattack.py
@@ -8,7 +8,6 @@ import glob, importlib
 from fraginternals import *
-#TODO: Check that modified drivers are used using debugfs
 #TODO: Check that atheros is using patched firmware using debugfs
 # ==> Both have caused me issues!!! Checking this automatically is *ESSENTIAL*.
@@ -146,25 +145,6 @@ def prepare_tests(opt):
 # No valid test ID/name was given
 else:
 return None
- # -----------------------------------------------------------------------------------------
- # XXX TODO : Hardware decrypts it using old key, software using new key?
- # So right after rekey we inject first with old key, second with new key?
- # XXX TODO : What about extended functionality where we can have
- # two simultaneously pairwise keys?!?!
- # TODO:
- # - Test case to check if the receiver supports interleaved priority
- reception. It seems Windows 10 / Intel might not support this.
- # - Test case with a very lage aggregated frame (which is normally not
- allowed but some may accept it). And a variation to check how APs
- will forward such overly large frame (e.g. force fragmentation).
- # - [TKIP] Encrpted, Encrypted, no global MIC
- # - Plain/Enc tests but first plaintext sent before installing key
- # - Test fragmentation of management frames
- # - Test fragmentation of group frames (STA mode of RT-AC51u?)
-
 # If requested, override delay and inc_pn parameters in the test.
 test.set_general_options(opt.delay, opt.inc_pn)
@@ -237,6 +217,7 @@ if __name__ == "__main__":
 parser.add_argument('--freebsd-cache', default=False, action='store_true', help="Sent EAP(OL) frames as (malformed) broadcast EAPOL/A-MSDUs.")
 parser.add_argument('--connected-delay', type=float, default=1, help="Second to wait after AfterAuth before triggering Connected event")
 parser.add_argument('--to-self', default=False, action='store_true', help="Send ARP/DHCP/ICMP with same src and dst MAC address.")
+ parser.add_argument('--no-drivercheck', default=False, action='store_true', help="Don't check if patched drivers are being used.")
 options = parser.parse_args()
 # Default value for options that should not be command line parameters
diff --git a/research/fraginternals.py b/research/fraginternals.py
index 093a240d6..bedf1b6f6 100644
--- a/research/fraginternals.py
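Review bot: The help text on the added `--no-drivercheck` option undersells what the flag does: in fraginternals the same option also skips the ath9k_htc patched-firmware check, and in both places a failed check only logs and sleeps for five seconds before continuing, so the flag suppresses a warning and a delay rather than gating execution. I would say so explicitly, e.g. `help="Skip the check that patched mac80211 drivers (and, for ath9k_htc, patched firmware) are loaded; without it a failed check only warns and pauses."`. The enclosing `if __name__ == "__main__":` block starts and ends outside this hunk.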
+++ b/research/fraginternals.py
@@ -4,7 +4,6 @@
 # This code may be distributed under the terms of the BSD license.
 # See README for more details.
-# TODO: Other traffic on the interface might interfere with attacks. How to prevent?
 from libwifi import *
 import abc, sys, socket, struct, time, subprocess, atexit, select, copy
 import argparse
@@ -21,7 +20,6 @@ def wpaspy_clear_messages(ctrl):
 while ctrl.pending():
 ctrl.recv()
-#TODO: Modify so we can ignore other messages over the command interface
 def wpaspy_command(ctrl, cmd):
 wpaspy_clear_messages(ctrl)
@@ -482,7 +480,6 @@ class Station():
 return self.bss
 return self.peermac
- # TODO: Show a warning when unusual transitions are detected?
 def trigger_eapol_events(self, eapol):
 # Ignore everything apart the 4-way handshake
 if not WPA_key in eapol: return None
@@ -675,8 +672,6 @@ class Daemon(metaclass=abc.ABCMeta):
 pass
 def configure_interfaces(self):
- log(STATUS, "Note: disable Wi-Fi in your network manager so it doesn't interfere with this script")
-
 try:
 subprocess.check_output(["rfkill", "unblock", "wifi"])
 except Exception as ex:
@@ -684,6 +679,17 @@ class Daemon(metaclass=abc.ABCMeta):
 quit(1)
 self.nic_iface = self.options.iface
+ # TODO: Check if the interfaces exist
+
+ # 0. Verify whether patched drivers are being used
+ if not self.options.no_drivercheck:
+ if not os.path.exists("/sys/module/mac80211/parameters/"):
+ log(WARNING, "WARNING: Unable to check whether you are using patched drivers.")
+ elif not os.path.exists("/sys/module/mac80211/parameters/fragattack_version"):
+ log(ERROR, "You are not running patched drivers, meaning this tool may give incorrect results!")
+ log(STATUS, "To ignore this warning add the parameter --no-drivercheck")
+ time.sleep(5)
+
 # 1. Assign/create interfaces according to provided options
 if self.options.hwsim:
 # TODO: Automatically create both interfaces?
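Review bot: The new driver check calls `os.path.exists`, but the import lines visible in the first hunk of this file (`import abc, sys, socket, struct, time, subprocess, atexit, select, copy` and `import argparse`) do not import `os`; unless it arrives via `from libwifi import *`, this is a NameError at startup, so I would add an explicit `import os` next to those lines rather than rely on the star import. The check also only tests that `/sys/module/mac80211/parameters/fragattack_version` exists and never reads it — the name suggests the patched driver reports a version, so reading the value and comparing it with the version this tool expects (or at least logging it) would additionally catch a stale patch set, which an existence test cannot. Finally, an unpatched driver here produces `log(ERROR, ...)` and `time.sleep(5)` and then continues, whereas the rfkill failure just above in the same function apparently ends in `quit(1)`; given the "*ESSENTIAL*" framing in fragattack.py, `quit(1)` unless `--no-drivercheck` is given would be the consistent behaviour. `configure_interfaces` starts in the previous hunk and continues past this one.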
@@ -710,9 +716,7 @@ class Daemon(metaclass=abc.ABCMeta):
 subprocess.call(["iw", self.nic_mon, "del"], stdout=subprocess.PIPE, stdin=subprocess.PIPE)
 subprocess.check_output(["iw", self.nic_iface, "interface", "add", self.nic_mon, "type", "monitor"])
- log(WARNING, "Remember to use a modified backports and ath9k_htc firmware!")
-
- # 2. Remember whether to need to use injection workarounds.
+ # 2.A Remember whether to need to use injection workarounds.
 driver = get_device_driver(self.nic_mon)
 if driver == None:
 log(WARNING, "Unable to detect driver of interface!")
@@ -722,6 +726,17 @@ class Daemon(metaclass=abc.ABCMeta):
 self.options.inject_mf_workaround = True
 log(STATUS, f"Detected {driver}, using injection bug workarounds")
+ # 2.B Check if ath9k_htc is using patched firmware
+ if not self.options.no_drivercheck and driver == "ath9k_htc":
+ try:
+ with open("/sys/module/ath9k_htc/parameters/fragattack_fw") as fp:
+ if not int(fp.read()) == 1:
+ log(ERROR, "WARNING: It seems the ath9k_htc device is not using patched firmware!")
+ log(STATUS, "To ignore this warning add the parameter --no-drivercheck")
+ time.sleep(5)
+ except:
+ log(WARNING, "WARNING: Unable to check if the ath9k_htc device is using patched firmware!")
+
 # 3. Enable monitor mode
 set_monitor_mode(self.nic_mon)
 log(STATUS, f"Using interface {self.nic_mon} ({get_device_driver(self.nic_mon)}) to inject frames.")
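Review bot: The bare `except:` around the firmware check catches everything, including KeyboardInterrupt and SystemExit, and it also folds two different outcomes into one WARNING: a missing `/sys/module/ath9k_htc/parameters/fragattack_fw` presumably means the loaded ath9k_htc module is not the patched one at all (the parameter looks driver-added, like `fragattack_version` for mac80211 in the previous hunk), which is the same ERROR condition the mac80211 check reports, while only an unreadable or non-integer value is genuinely "unable to check". I would split the handlers as below, narrowing to `FileNotFoundError` and `(OSError, ValueError)`, and write the comparison as `int(fp.read()) != 1` instead of `not int(...) == 1`. Minor: the ERROR-level message is prefixed with "WARNING:", which is inconsistent with the mac80211 message. `configure_interfaces` starts and ends outside this hunk.
```python
			# 2.B Check if ath9k_htc is using patched firmware
			if not self.options.no_drivercheck and driver == "ath9k_htc":
				try:
					with open("/sys/module/ath9k_htc/parameters/fragattack_fw") as fp:
						patched_fw = int(fp.read())
				except FileNotFoundError:
					# The parameter is presumably only present in the patched driver, so its
					# absence means the driver itself is unpatched, not that the check is impossible.
					log(ERROR, "ath9k_htc does not expose fragattack_fw: you are not running the patched driver!")
					log(STATUS, "To ignore this warning add the parameter --no-drivercheck")
					time.sleep(5)
				except (OSError, ValueError):
					log(WARNING, "WARNING: Unable to check if the ath9k_htc device is using patched firmware!")
				else:
					if patched_fw != 1:
						log(ERROR, "It seems the ath9k_htc device is not using patched firmware!")
						log(STATUS, "To ignore this warning add the parameter --no-drivercheck")
						time.sleep(5)

			# … unchanged: 3. Enable monitor mode …
```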