diff --git a/research/README.md b/research/README.md
index 08cfd97f9..0a51062a4 100644
--- a/research/README.md
+++ b/research/README.md
@@ -24,20 +24,24 @@ the paper also briefly discusses the applicability of the attacks against WEP.
 - Tool will automatically quit after a test completed or timed out.
-- Tool detects if the 4-way handshake is looping or if there is not replly to a rekey request (`--rekey-req`).
+- Tool detects if the 4-way handshake is looping or if there is no reply to a rekey request (`--rekey-req`).
-- When using an external DHCP server, the tool will now send rekey EAPOL frames with as destination address
-  the AP (instead of the DHCP server).
+- When using an external DHCP server, the tool will now always send EAPOL frames with as destination address
+  the AP (instead of the DHCP server). This is important in mixed key and cache attack tests when using an
+  external DHCP server.
-- When acting as a client, the tool will send EAPOL Rekey Request with a Replay Counter of one instead of zero.
+- When testing an AP using `--rekey-req` the tool will now send EAPOL Rekey Request with a Replay Counter of
+  one instead of zero.
 - Debug output now shows the correct (group) key when encrypting broadcast/multicast frames. This does not
   influence any test results, it only changes the output of the test tool.
-- Clarified that all commands can test both clients and APs unless noted otherwise.
+- Clarified that all commands in this README can test both clients and APs unless noted otherwise.
 - Clarified the description of cache attacks, Broadcast fragment, and A-MSDU EAPOL attack tests in this README.
+- Clarified that it's important to test both the 2.4 and 5 GHz band in this README.
+
 
 **Version 1.1 (20 October 2020)**:
 
 - Fixed a bug where the command `ping I,E,D` would send a normal encrypted ping request. It now sends an
@@ -592,7 +596,8 @@ these alternative mixed key attack tests. Some remarks:
   driver. These routers perform the rekey handshake in plaintext, and the client can actively request a rekey handshake.
 - `ping I,E,F,AE --rekey-early-install`: A low number of clients (incorrectly) install the key too early during
-  a pairwise session rekey. To reliably test these clients, add the `--rekey-early-install` parameter.
+  a pairwise session rekey. To reliably test these clients, add the `--rekey-early-install` parameter. This test
+  is not meaningfull against APs.
 
 Finally, in case the test `ping-frag-sep` doesn't succeed, you should try the following mixed key attack test:
 
diff --git a/research/fragattack.py b/research/fragattack.py
index c3f4af62a..92bb8e9c8 100755
--- a/research/fragattack.py
+++ b/research/fragattack.py
@@ -165,7 +165,7 @@ def args2msdu(args):
 	return None
 
 if __name__ == "__main__":
-	parser = argparse.ArgumentParser(description=f"Test for fragmentation vulnerabilities (v{FRAGVERSION} - {FRAGDATE}).")
+	parser = argparse.ArgumentParser(description=f"Test for fragmentation vulnerabilities (version {FRAGVERSION}).")
 	parser.add_argument('iface', help="Interface to use for the tests.")
 	parser.add_argument('testname', help="Name or identifier of the test to run.")
 	parser.add_argument('actions', nargs='?', help="Optional textual descriptions of actions")
@@ -240,7 +240,7 @@ if __name__ == "__main__":
 	change_log_level(-options.debug)
 
 	# Now start the tests --- TODO: Inject Deauths before connecting with client...
-	log(STATUS, f"This is fragattack version {FRAGVERSION} - {FRAGDATE}.")
+	log(STATUS, f"This is fragattack version {FRAGVERSION}.")
 	if options.ap:
 		daemon = Authenticator(options)
 	else:
diff --git a/research/fraginternals.py b/research/fraginternals.py
index 40a0e8a57..51115b031 100644
--- a/research/fraginternals.py
+++ b/research/fraginternals.py
@@ -12,7 +12,6 @@ from scapy.contrib.wpa_eapol import WPA_key
 from scapy.arch.common import get_if_raw_hwaddr
 
 FRAGVERSION = "1.2"
-FRAGDATE = "27 October 2020"
 
 # ----------------------------------- Utility Commands -----------------------------------
 
@@ -631,7 +630,7 @@ class Station():
 		if not self.test.requires_manual_check():
 			log(ERROR, ">>> Test timed out! Retry to be sure, or manually check result.")
 		else:
-			log(STATUS, "Closing down. Remember to manually check whether test succeeded or not.")
+			log(STATUS, "Closing down. Remember to manually check whether the test succeeded or not.")
 		self.stop_test()
 
 # ----------------------------------- Client and AP Daemons -----------------------------------
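Review bot: Deleting the module-level `FRAGDATE` in the @@ -12 hunk removes a name that other code may still read; the two uses in research/fragattack.py are updated in this commit, but any remaining reference elsewhere (for example through a star import of fraginternals) would only surface at runtime as a NameError, so grep the tree for `FRAGDATE` before merging. With the date gone, `FRAGVERSION = "1.2"` becomes the only build identifier the tool prints, while the README's 1.2 notes are amended in the same commit; if the tool's behaviour changed since the 27 October 2020 build, consider bumping FRAGVERSION so that reports quoting "version 1.2" remain distinguishable. The @@ -631 hunk is a log-wording change only; the enclosing Station method starts outside that hunk.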