fragattacks: the tool is now called FragAttack

Mathy Vanhoef 2021-03-01 20:55:14 +04:00
parent 3ad0d1a883
commit c362116dcd
2 changed files with 17 additions and 10 deletions


@ -2,6 +2,9 @@
# 1. Introduction # 1. Introduction
This repository contains the **FragAttack** tool. It can test for **FR**agmentation and **AG**gregation
Attacks (FragAttacks) against protected Wi-Fi networks.
The discovered vulnerabilities affect all Wi-Fi networks. A short overview of all vulnerabilities can be The discovered vulnerabilities affect all Wi-Fi networks. A short overview of all vulnerabilities can be
found [here](SUMMARY.md) and a summary of resulting attacks and their preconditions can be found [here](attacks.pdf). found [here](SUMMARY.md) and a summary of resulting attacks and their preconditions can be found [here](attacks.pdf).
We also recommend reading the [paper](fragattacks.pdf). Note that the attacks are identical against WPA2 We also recommend reading the [paper](fragattacks.pdf). Note that the attacks are identical against WPA2
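Review bot: the added opening sentence uses "FragAttack" for the tool and "FragAttacks" for the attack family, and the two differ only by a trailing "s". Please state the distinction explicitly, for example "the FragAttack tool tests for the FragAttacks vulnerabilities", so that readers do not take one for a typo of the other.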
@ -32,6 +35,10 @@ the paper also briefly discusses the applicability of the attacks against WEP.
## 1.3. Change log ## 1.3. Change log
**Version ? (? 2021)**:
- Minor fixes in this README.
**Version 1.3.1 (1 March 2021)**: **Version 1.3.1 (1 March 2021)**:
- Added the test [`ping BP [--bcast-dst]`](#id-extended-bcast-check-ping-bp) to this README. It injects a plaintext ping - Added the test [`ping BP [--bcast-dst]`](#id-extended-bcast-check-ping-bp) to this README. It injects a plaintext ping
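Review bot: the new change log heading `**Version ? (? 2021)**` is a placeholder and needs a real version number and date before a release is tagged. The entry "Minor fixes in this README" also understates the commit, which changes the documented invocation to `./fragattack.py` and the startup banner in the script; both are worth listing.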
@ -275,7 +282,7 @@ firmware. See [Patched Drivers](#id-patched-drivers) on how to install patched d
[Supported Network Cards](#id-supported-cards) for compatible network cards. Execute the test [Supported Network Cards](#id-supported-cards) for compatible network cards. Execute the test
tool in this mode using: tool in this mode using:
./fragattack wlan0 [--ap] $COMMAND ./fragattack.py wlan0 [--ap] $COMMAND
Possible values of `$COMMAND` are listed in [testing for vulnerabilities](#id-testing-for-flaws) Possible values of `$COMMAND` are listed in [testing for vulnerabilities](#id-testing-for-flaws)
and [extended vulnerability tests](#id-extended-tests). and [extended vulnerability tests](#id-extended-tests).
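Review bot: the `./fragattack` to `./fragattack.py` replacement on the command line here is repeated by hand on nine command lines across this file. Please confirm with a search over the README that no `./fragattack ` invocation is left outside the changed hunks, since a leftover would give readers a command that does not match the others.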
@ -291,7 +298,7 @@ This mode requires two wireless network cards: one will act as an AP or the clie
one will be used to inject frames. The advantage is that this mode way work without requiring patched one will be used to inject frames. The advantage is that this mode way work without requiring patched
drivers. Execute the test tool in this mode using: drivers. Execute the test tool in this mode using:
./fragattack wlan0 --inject wlan1 [--ap] $COMMAND ./fragattack.py wlan0 --inject wlan1 [--ap] $COMMAND
Here interface wlan0 will act as a legitimate client or AP, and wlan1 will be used to inject Here interface wlan0 will act as a legitimate client or AP, and wlan1 will be used to inject
frames. For wlan0, any card that supports normal client or AP mode on Linux can be used. For frames. For wlan0, any card that supports normal client or AP mode on Linux can be used. For
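Review bot: the unchanged context line above the command reads "this mode way work without requiring patched drivers", where "way" should be "may". Since this commit is already a README clean-up that touches this paragraph, the typo can be fixed in the same change.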
@ -811,8 +818,8 @@ it cannot test whether the firmware or wireless chip itself overwrites fields.
To test whether a network card properly injects frames in _mixed mode_, which is the mode I To test whether a network card properly injects frames in _mixed mode_, which is the mode I
recommend to use, you can execute the following two commands: recommend to use, you can execute the following two commands:
./fragattack wlan0 ping --inject-test wlan1 ./fragattack.py wlan0 ping --inject-test wlan1
./fragattack wlan0 ping --inject-test wlan1 --ap ./fragattack.py wlan0 ping --inject-test wlan1 --ap
Here we test whether `wlan0` properly injects frames by monitoring the injected frames using the Here we test whether `wlan0` properly injects frames by monitoring the injected frames using the
second network card `wlan1`. The first command tests if frames are properly injected when using second network card `wlan1`. The first command tests if frames are properly injected when using
@ -823,14 +830,14 @@ for configuring the connection setup of the client and AP).
If you also want to test the retransmission behaviour of `wlan0` in mixed mode you can execute: If you also want to test the retransmission behaviour of `wlan0` in mixed mode you can execute:
./fragattack wlan0 ping --inject-test-postauth wlan1 ./fragattack.py wlan0 ping --inject-test-postauth wlan1
./fragattack wlan0 ping --inject-test-postauth wlan1 --ap ./fragattack.py wlan0 ping --inject-test-postauth wlan1 --ap
In case you do not have a second network card, you can execute a partial mixed mode injection test In case you do not have a second network card, you can execute a partial mixed mode injection test
using: using:
./fragattack wlan0 ping --inject-test[-postauth] self ./fragattack.py wlan0 ping --inject-test[-postauth] self
./fragattack wlan0 ping --inject-test[-postauth] self --ap ./fragattack.py wlan0 ping --inject-test[-postauth] self --ap
Unfortunately, the above tests can only test if the kernel overwrites fields of injected frames, Unfortunately, the above tests can only test if the kernel overwrites fields of injected frames,
it cannot test whether the firmware or wireless chip itself overwrites fields. it cannot test whether the firmware or wireless chip itself overwrites fields.
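Review bot: the closing context sentence "the above tests can only test ..., it cannot test ..." switches from plural to singular; "they cannot test" reads correctly. The same sentence also shows up as the header context of the previous hunk (around line 811), so please check whether the README states this limitation twice and, if so, keep one copy.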
@ -1045,7 +1052,7 @@ Here wlan0 refers to the _real_ network card (not an interface created by `hwsim
client, do do not first have to configure the channel (it is taken from `hostapd.conf`). You can now client, do do not first have to configure the channel (it is taken from `hostapd.conf`). You can now
start the test tool as follows: start the test tool as follows:
./fragattack wlan0 --hwsim wlan1,wlan2 [--ap] $COMMAND ./fragattack.py wlan0 --hwsim wlan1,wlan2 [--ap] $COMMAND
After the tool executed, you can directly run it again with a new `$COMMAND`. After the tool executed, you can directly run it again with a new `$COMMAND`.
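Review bot: the context line before the changed command contains "do do not first have to configure the channel", with a duplicated word and no subject; "you do not first have to configure the channel" is probably what was meant. The last line, "After the tool executed", would also read better as "After the tool has executed".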


@ -171,7 +171,7 @@ def get_expected_scapy_ver():
return None return None
if __name__ == "__main__": if __name__ == "__main__":
log(STATUS, f"This is fragattack version {FRAGVERSION}.") log(STATUS, f"This is FragAttack version {FRAGVERSION}.")
parser = argparse.ArgumentParser(description=f"Test for fragmentation vulnerabilities (version {FRAGVERSION}).") parser = argparse.ArgumentParser(description=f"Test for fragmentation vulnerabilities (version {FRAGVERSION}).")
parser.add_argument('iface', help="Interface to use for the tests.") parser.add_argument('iface', help="Interface to use for the tests.")
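Review bot: the banner string now says "FragAttack", but the `argparse.ArgumentParser` description two lines below still reads "Test for fragmentation vulnerabilities" and names neither the tool nor aggregation. Suggest aligning it with the README wording, for example "FragAttack: test for fragmentation and aggregation vulnerabilities (version {FRAGVERSION}).", so that `--help` and the startup log agree.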