From bea93c049f9f841f6155ce20f2251932e1469434 Mon Sep 17 00:00:00 2001 From: vanhoefm Date: Sun, 13 Jun 2021 17:47:57 +0400 Subject: [PATCH] fragattacks: create links in example pcaps overview --- example-pcaps/README.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/example-pcaps/README.md b/example-pcaps/README.md index 727706e84..6cfbe4803 100644 --- a/example-pcaps/README.md +++ b/example-pcaps/README.md @@ -6,43 +6,43 @@ Note that the captures were made on the same network card that was injecting pac ## A-MSDU attacks -- `amsdu-inject-fromap.pcapng`: used command was `amsdu-inject --ap`. Frame 124 contains the attack ping packet. +- [`amsdu-inject-fromap.pcapng`](amsdu-inject-fromap.pcapng): used command was `amsdu-inject --ap`. Frame 124 contains the attack ping packet. ## Mixed key attacks -- `ping_I_F_BE_AE-fromap.pcapng`: used command was `ping I,F,BE,AE --ap`. Frame 170 contains the first fragment encrypted under TK `e4e41ad934f5caa7ff0064ad96609c2f` and frame 180 contains the second fragment encrypted under TK `1f38eee5960fb9d9d77e566c4b18008d`. The ping reply is shown in frame 185. +- [`ping_I_F_BE_AE-fromap.pcapng`](ping_I_F_BE_AE-fromap.pcapng): used command was `ping I,F,BE,AE --ap`. Frame 170 contains the first fragment encrypted under TK `e4e41ad934f5caa7ff0064ad96609c2f` and frame 180 contains the second fragment encrypted under TK `1f38eee5960fb9d9d77e566c4b18008d`. The ping reply is shown in frame 185. ## Cache attacks -- `ping_I_E_R_E-fromclient.pcapng`: used command was `ping I,E,R,E`. Frame 69 contains the first fragment encrypted under TK `dda31c8516b9d92581fc17e4a8f1b47b`. Frame 72 and 74 shows that the client is reassociating. Frame 98 contains the second fragment encrypted under TK `b4d1a94a4d126dbd39ec3557969f430b`. The ping reply is contained in frame 101. +- [`ping_I_E_R_E-fromclient.pcapng`](ping_I_E_R_E-fromclient.pcapng): used command was `ping I,E,R,E`. Frame 69 contains the first fragment encrypted under TK `dda31c8516b9d92581fc17e4a8f1b47b`. Frame 72 and 74 shows that the client is reassociating. Frame 98 contains the second fragment encrypted under TK `b4d1a94a4d126dbd39ec3557969f430b`. The ping reply is contained in frame 101. -- `ping_I_E_R_E__full-recon-fromclient.pcapng`: used command was `ping I,E,R,E --full-recon`. Frame 63 contains the first fragmented encrypted under TK `7911b7173daf49c898fa42119232885e`. Frame 66 shows the deauthentication frame, and frames 67 and 71 show that the client is authenticating and reassociating. Frame 107 contains the second fragment encrypted under TK `292184b9c862a4b640d4c920aba35a48`. The ping reply is contained in frame 110. +- [`ping_I_E_R_E__full-recon-fromclient.pcapng`](ping_I_E_R_E__full-recon-fromclient.pcapng): used command was `ping I,E,R,E --full-recon`. Frame 63 contains the first fragmented encrypted under TK `7911b7173daf49c898fa42119232885e`. Frame 66 shows the deauthentication frame, and frames 67 and 71 show that the client is authenticating and reassociating. Frame 107 contains the second fragment encrypted under TK `292184b9c862a4b640d4c920aba35a48`. The ping reply is contained in frame 110. ## Non-consecutive PNs attack -- `ping_I_E_E___inc_pn_2-fromap.pcapng`: used command was `ping I,E,E --inc-pn 2 --ap`. Frame 130 contains the first fragment with CCMP Packet Number 0x101 and frame 132 contains the second fragment with CCMP Packet Number 0x103. +- [`ping_I_E_E___inc_pn_2-fromap.pcapng`](ping_I_E_E___inc_pn_2-fromap.pcapng): used command was `ping I,E,E --inc-pn 2 --ap`. Frame 130 contains the first fragment with CCMP Packet Number 0x101 and frame 132 contains the second fragment with CCMP Packet Number 0x103. ## Mixed plain/encrypt attack -- `linux-plain-fromap.pcapng`: used command was `linux-plain --ap`. Frame 79 contains the first legitimate encrypted fragment, frame 81 contains the second legitimate encrypted fragment but with a different sequence number, frame 83 contains the injected plaintext second fragment (with the same sequence number as the first fragment). The ping reply is in frame 94. +- [`linux-plain-fromap.pcapng`](linux-plain-fromap.pcapng): used command was `linux-plain --ap`. Frame 79 contains the first legitimate encrypted fragment, frame 81 contains the second legitimate encrypted fragment but with a different sequence number, frame 83 contains the injected plaintext second fragment (with the same sequence number as the first fragment). The ping reply is in frame 94. -- `ping_I_E_P-fromclient.pcapng`: used command was `ping I,E,P`. Frame 51 contains the encrypted first fragment, frame 54 the plaintext second fragment, and frame 57 the encrypted ping reply. +- [`ping_I_E_P-fromclient.pcapng`](ping_I_E_P-fromclient.pcapng): used command was `ping I,E,P`. Frame 51 contains the encrypted first fragment, frame 54 the plaintext second fragment, and frame 57 the encrypted ping reply. -- `ping_I_P-fromclient.pcapng`: used command was `ping I,P`. Frame 59 contains the injected plaintext ping request and frame 62 contains the encrypted ping reply. +- [`ping_I_P-fromclient.pcapng`](ping_I_P-fromclient.pcapng): used command was `ping I,P`. Frame 59 contains the injected plaintext ping request and frame 62 contains the encrypted ping reply. ## Broadcast fragment attack -- `ping_D_BP___bcast_ra-fromap.pcapng`: used command was `ping D,BP --bcast-ra --ap`. Frame 21 contains the attack packet. Capture `ping_D_BP___bcast_ra-onclient.pcap` shows the result on the target device (Samsung i9305) where frame 13 contains the injected ping request. +- [`ping_D_BP___bcast_ra-fromap.pcapng`](ping_D_BP___bcast_ra-fromap.pcapng): used command was `ping D,BP --bcast-ra --ap`. Frame 21 contains the attack packet. Capture `ping_D_BP___bcast_ra-onclient.pcap` shows the result on the target device (Samsung i9305) where frame 13 contains the injected ping request. ## A-MSDU EAPOL attack -- `eapol-amsdu_BP-fromap.pcapng`: used command was `eapol-amsdu BP --ap`. Frame 43 contains the injected ping packet. Capture `eapol-amsdu_BP-onclient.pcapng` shows the result on the target device (Pixel 4 XL) where frame 4 contains the injected ping request. Note that frame 3 is an invalid packet that is a side-effect of the attack (it's the content of the first A-MSDU subframe whose purpose was to make the packet look like an EAPOL handshake message). +- [`eapol-amsdu_BP-fromap.pcapng`](eapol-amsdu_BP-fromap.pcapng): used command was `eapol-amsdu BP --ap`. Frame 43 contains the injected ping packet. Capture `eapol-amsdu_BP-onclient.pcapng` shows the result on the target device (Pixel 4 XL) where frame 4 contains the injected ping request. Note that frame 3 is an invalid packet that is a side-effect of the attack (it's the content of the first A-MSDU subframe whose purpose was to make the packet look like an EAPOL handshake message). ## AP forwards EAPOL attack -- `eapol-inject-fromclient.pcapng`: used command was `eapol-inject 7e:1e:cd:49:9f:c6`. Frame 39 contained the inject EAPOL packet sent from client `64:70:02:2f:d7:67` in plaintext before this client authenticated. The AP forwards this EAPOL towards the destination client `7e:1e:cd:49:9f:c6` as an encrypted frame in frame 50 (we confirmed on the destination with Wireshark that this indeed is the forwarded packet). +- [`eapol-inject-fromclient.pcapng`](eapol-inject-fromclient.pcapng): used command was `eapol-inject 7e:1e:cd:49:9f:c6`. Frame 39 contained the inject EAPOL packet sent from client `64:70:02:2f:d7:67` in plaintext before this client authenticated. The AP forwards this EAPOL towards the destination client `7e:1e:cd:49:9f:c6` as an encrypted frame in frame 50 (we confirmed on the destination with Wireshark that this indeed is the forwarded packet). ## No fragmentation support attack -- `ping_I_D_E-fromap.pcapng`: used command was `ping I,D,E --ap`. Frame 51 contains the full ping request in the second fragment of a Wi-Fi frame (no other fragment is sent). Frame 58 contains the ping response from the vulnerable device. +- [`ping_I_D_E-fromap.pcapng`](ping_I_D_E-fromap.pcapng): used command was `ping I,D,E --ap`. Frame 51 contains the full ping request in the second fragment of a Wi-Fi frame (no other fragment is sent). Frame 58 contains the ping response from the vulnerable device.