mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-01-17 18:34:03 -05:00
fragattacks: create links in example pcaps overview
This commit is contained in:
parent
6420cc1314
commit
bea93c049f
@ -6,43 +6,43 @@ Note that the captures were made on the same network card that was injecting pac
|
||||
|
||||
## A-MSDU attacks
|
||||
|
||||
- `amsdu-inject-fromap.pcapng`: used command was `amsdu-inject --ap`. Frame 124 contains the attack ping packet.
|
||||
- [`amsdu-inject-fromap.pcapng`](amsdu-inject-fromap.pcapng): used command was `amsdu-inject --ap`. Frame 124 contains the attack ping packet.
|
||||
|
||||
## Mixed key attacks
|
||||
|
||||
- `ping_I_F_BE_AE-fromap.pcapng`: used command was `ping I,F,BE,AE --ap`. Frame 170 contains the first fragment encrypted under TK `e4e41ad934f5caa7ff0064ad96609c2f` and frame 180 contains the second fragment encrypted under TK `1f38eee5960fb9d9d77e566c4b18008d`. The ping reply is shown in frame 185.
|
||||
- [`ping_I_F_BE_AE-fromap.pcapng`](ping_I_F_BE_AE-fromap.pcapng): used command was `ping I,F,BE,AE --ap`. Frame 170 contains the first fragment encrypted under TK `e4e41ad934f5caa7ff0064ad96609c2f` and frame 180 contains the second fragment encrypted under TK `1f38eee5960fb9d9d77e566c4b18008d`. The ping reply is shown in frame 185.
|
||||
|
||||
## Cache attacks
|
||||
|
||||
- `ping_I_E_R_E-fromclient.pcapng`: used command was `ping I,E,R,E`. Frame 69 contains the first fragment encrypted under TK `dda31c8516b9d92581fc17e4a8f1b47b`. Frame 72 and 74 shows that the client is reassociating. Frame 98 contains the second fragment encrypted under TK `b4d1a94a4d126dbd39ec3557969f430b`. The ping reply is contained in frame 101.
|
||||
- [`ping_I_E_R_E-fromclient.pcapng`](ping_I_E_R_E-fromclient.pcapng): used command was `ping I,E,R,E`. Frame 69 contains the first fragment encrypted under TK `dda31c8516b9d92581fc17e4a8f1b47b`. Frame 72 and 74 shows that the client is reassociating. Frame 98 contains the second fragment encrypted under TK `b4d1a94a4d126dbd39ec3557969f430b`. The ping reply is contained in frame 101.
|
||||
|
||||
- `ping_I_E_R_E__full-recon-fromclient.pcapng`: used command was `ping I,E,R,E --full-recon`. Frame 63 contains the first fragmented encrypted under TK `7911b7173daf49c898fa42119232885e`. Frame 66 shows the deauthentication frame, and frames 67 and 71 show that the client is authenticating and reassociating. Frame 107 contains the second fragment encrypted under TK `292184b9c862a4b640d4c920aba35a48`. The ping reply is contained in frame 110.
|
||||
- [`ping_I_E_R_E__full-recon-fromclient.pcapng`](ping_I_E_R_E__full-recon-fromclient.pcapng): used command was `ping I,E,R,E --full-recon`. Frame 63 contains the first fragmented encrypted under TK `7911b7173daf49c898fa42119232885e`. Frame 66 shows the deauthentication frame, and frames 67 and 71 show that the client is authenticating and reassociating. Frame 107 contains the second fragment encrypted under TK `292184b9c862a4b640d4c920aba35a48`. The ping reply is contained in frame 110.
|
||||
|
||||
## Non-consecutive PNs attack
|
||||
|
||||
- `ping_I_E_E___inc_pn_2-fromap.pcapng`: used command was `ping I,E,E --inc-pn 2 --ap`. Frame 130 contains the first fragment with CCMP Packet Number 0x101 and frame 132 contains the second fragment with CCMP Packet Number 0x103.
|
||||
- [`ping_I_E_E___inc_pn_2-fromap.pcapng`](ping_I_E_E___inc_pn_2-fromap.pcapng): used command was `ping I,E,E --inc-pn 2 --ap`. Frame 130 contains the first fragment with CCMP Packet Number 0x101 and frame 132 contains the second fragment with CCMP Packet Number 0x103.
|
||||
|
||||
## Mixed plain/encrypt attack
|
||||
|
||||
- `linux-plain-fromap.pcapng`: used command was `linux-plain --ap`. Frame 79 contains the first legitimate encrypted fragment, frame 81 contains the second legitimate encrypted fragment but with a different sequence number, frame 83 contains the injected plaintext second fragment (with the same sequence number as the first fragment). The ping reply is in frame 94.
|
||||
- [`linux-plain-fromap.pcapng`](linux-plain-fromap.pcapng): used command was `linux-plain --ap`. Frame 79 contains the first legitimate encrypted fragment, frame 81 contains the second legitimate encrypted fragment but with a different sequence number, frame 83 contains the injected plaintext second fragment (with the same sequence number as the first fragment). The ping reply is in frame 94.
|
||||
|
||||
- `ping_I_E_P-fromclient.pcapng`: used command was `ping I,E,P`. Frame 51 contains the encrypted first fragment, frame 54 the plaintext second fragment, and frame 57 the encrypted ping reply.
|
||||
- [`ping_I_E_P-fromclient.pcapng`](ping_I_E_P-fromclient.pcapng): used command was `ping I,E,P`. Frame 51 contains the encrypted first fragment, frame 54 the plaintext second fragment, and frame 57 the encrypted ping reply.
|
||||
|
||||
- `ping_I_P-fromclient.pcapng`: used command was `ping I,P`. Frame 59 contains the injected plaintext ping request and frame 62 contains the encrypted ping reply.
|
||||
- [`ping_I_P-fromclient.pcapng`](ping_I_P-fromclient.pcapng): used command was `ping I,P`. Frame 59 contains the injected plaintext ping request and frame 62 contains the encrypted ping reply.
|
||||
|
||||
## Broadcast fragment attack
|
||||
|
||||
- `ping_D_BP___bcast_ra-fromap.pcapng`: used command was `ping D,BP --bcast-ra --ap`. Frame 21 contains the attack packet. Capture `ping_D_BP___bcast_ra-onclient.pcap` shows the result on the target device (Samsung i9305) where frame 13 contains the injected ping request.
|
||||
- [`ping_D_BP___bcast_ra-fromap.pcapng`](ping_D_BP___bcast_ra-fromap.pcapng): used command was `ping D,BP --bcast-ra --ap`. Frame 21 contains the attack packet. Capture `ping_D_BP___bcast_ra-onclient.pcap` shows the result on the target device (Samsung i9305) where frame 13 contains the injected ping request.
|
||||
|
||||
## A-MSDU EAPOL attack
|
||||
|
||||
- `eapol-amsdu_BP-fromap.pcapng`: used command was `eapol-amsdu BP --ap`. Frame 43 contains the injected ping packet. Capture `eapol-amsdu_BP-onclient.pcapng` shows the result on the target device (Pixel 4 XL) where frame 4 contains the injected ping request. Note that frame 3 is an invalid packet that is a side-effect of the attack (it's the content of the first A-MSDU subframe whose purpose was to make the packet look like an EAPOL handshake message).
|
||||
- [`eapol-amsdu_BP-fromap.pcapng`](eapol-amsdu_BP-fromap.pcapng): used command was `eapol-amsdu BP --ap`. Frame 43 contains the injected ping packet. Capture `eapol-amsdu_BP-onclient.pcapng` shows the result on the target device (Pixel 4 XL) where frame 4 contains the injected ping request. Note that frame 3 is an invalid packet that is a side-effect of the attack (it's the content of the first A-MSDU subframe whose purpose was to make the packet look like an EAPOL handshake message).
|
||||
|
||||
## AP forwards EAPOL attack
|
||||
|
||||
- `eapol-inject-fromclient.pcapng`: used command was `eapol-inject 7e:1e:cd:49:9f:c6`. Frame 39 contained the inject EAPOL packet sent from client `64:70:02:2f:d7:67` in plaintext before this client authenticated. The AP forwards this EAPOL towards the destination client `7e:1e:cd:49:9f:c6` as an encrypted frame in frame 50 (we confirmed on the destination with Wireshark that this indeed is the forwarded packet).
|
||||
- [`eapol-inject-fromclient.pcapng`](eapol-inject-fromclient.pcapng): used command was `eapol-inject 7e:1e:cd:49:9f:c6`. Frame 39 contained the inject EAPOL packet sent from client `64:70:02:2f:d7:67` in plaintext before this client authenticated. The AP forwards this EAPOL towards the destination client `7e:1e:cd:49:9f:c6` as an encrypted frame in frame 50 (we confirmed on the destination with Wireshark that this indeed is the forwarded packet).
|
||||
|
||||
## No fragmentation support attack
|
||||
|
||||
- `ping_I_D_E-fromap.pcapng`: used command was `ping I,D,E --ap`. Frame 51 contains the full ping request in the second fragment of a Wi-Fi frame (no other fragment is sent). Frame 58 contains the ping response from the vulnerable device.
|
||||
- [`ping_I_D_E-fromap.pcapng`](ping_I_D_E-fromap.pcapng): used command was `ping I,D,E --ap`. Frame 51 contains the full ping request in the second fragment of a Wi-Fi frame (no other fragment is sent). Frame 58 contains the ping response from the vulnerable device.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user