fragattack: working on updated README

This commit is contained in:
Mathy Vanhoef 2020-07-22 15:50:06 +04:00 committed by Mathy Vanhoef
parent efbed6b7bc
commit e6c2100b2d

@ -20,14 +20,22 @@ We have confirmed that the following network cards work properly with our script
| Network Card | USB | 5GHz | mixed mode | injection mode | hwsim mode (experimental) | | Network Card | USB | 5GHz | mixed mode | injection mode | hwsim mode (experimental) |
| ---------------------- | --- | ---- | ----------------------- | ----------------------- | ------------------------- | | ---------------------- | --- | ---- | ----------------------- | ----------------------- | ------------------------- |
| Intel Wireless-AC 8265 | No | Yes | patched driver | yes | as client | | Intel Wireless-AC 8265 | No | Yes | patched driver | yes | _under development_ |
| Intel Wireless-AC 3160 | No | Yes | patched driver | yes | as client | | Intel Wireless-AC 3160 | No | Yes | patched driver | yes | _under development_ |
| Technoethical N150 HGA | Yes | No | patched driver/firmware | patched driver/firmware | patched driver/firmware | | Technoethical N150 HGA | Yes | No | patched driver/firmware | patched driver/firmware | _under development_ |
| TP-Link TL-WN722N v1.x | Yes | No | patched driver/firmware | patched driver/firmware | patched driver/firmware | | TP-Link TL-WN722N v1.x | Yes | No | patched driver/firmware | patched driver/firmware | _under development_ |
| Alfa AWUS036NHA | Yes | No | patched driver/firmware | patched driver/firmware | patched driver/firmware | | Alfa AWUS036NHA | Yes | No | patched driver/firmware | patched driver/firmware | _under development_ |
| Alfa AWUS036ACM | Yes | Yes | patched driver???? | yes | **yes?** | | Alfa AWUS036ACM | Yes | Yes | patched driver | yes | _under development_ |
| Alfa AWUS036ACH | Yes | Yes | no | patched driver | _under development_ | | Alfa AWUS036ACH | Yes | Yes | **TODO** | **TODO** | _under development_ |
| Netgear WN111v2 | Yes | No | patched driver | yes | yes | | Netgear WN111v2 | Yes | No | patched driver | yes | _under development_ |
With patched drivers:
1. Test mixed mode in client and AP
2. Test injection mode
3. Test hwsim mode against as client and AP
Without patched drivers: perform exactly the same steps.
**TODO: Verify 5 GHz and test it in practice.** **TODO: Verify 5 GHz and test it in practice.**
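Review bot: the AWUS036ACH row replaces concrete values (`no` for mixed mode, `patched driver` for injection mode) with `**TODO**`, which discards information the previous revision stated; unless those results turned out to be wrong, keep them and mark only the hwsim column as under development. The checklist `With patched drivers: 1. Test mixed mode in client and AP ...` followed by `Without patched drivers: perform exactly the same steps.` is an internal test plan rather than user documentation; it belongs in an issue or a TODO file, or at least set off as a TODO block like the `**TODO: Verify 5 GHz and test it in practice.**` line that follows it.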
@ -58,12 +66,14 @@ use a USB2.0 (OHCI + ECHI) controller, because we found the USB3.0 controller to
During our own tests, the AWUS036ACM dongle is supported by Linux, but at times was not correctly During our own tests, the AWUS036ACM dongle is supported by Linux, but at times was not correctly
recognized during our experiments. It may be necessairy to use a recent Linux kernel, and manually recognized during our experiments. It may be necessairy to use a recent Linux kernel, and manually
executing `sudo modprobe mt76x2u` to load the driver. executing `sudo modprobe mt76x2u` to load the driver.
**Unstable when used on a USB3.0 port. Otherwise works fine.** **Unstable when used on a USB3.0 port. Otherwise works fine. VM must also use USB2.0 port.**
The AWUS036ACH was tested on Kali Linux after installing the driver using `sudo apt install realtek-rtl88xxau-dkms`. The AWUS036ACH was tested on Kali Linux after installing the driver using the instructions on
This device is generally not supported by default in most Linux distributions and requires manual [https://github.com/aircrack-ng/rtl8812au](GitHub). Before pluggin in the device, you must
installation of drivers. execute `modprobe 88XXau rtw_monitor_retransmit=1`. Once our changes have been accepted
**modprobe 88XXau rtw_monitor_retransmit=1** upstream you can instead simply install the driver using `sudo apt install realtek-rtl88xxau-dkms`.
Note that this device is generally not supported by default in most Linux distributions and
requires manual installation of drivers.
We tested the Intel AX200 as well and found that it is _not_ compatible with our tool: its firmware We tested the Intel AX200 as well and found that it is _not_ compatible with our tool: its firmware
crashes after sending a fragmented frame. crashes after sending a fragmented frame.
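Review bot: the markdown link on the AWUS036ACH line has its parts reversed: `[https://github.com/aircrack-ng/rtl8812au](GitHub)` renders the URL as the link text and `GitHub` as the target; it should be `[GitHub](https://github.com/aircrack-ng/rtl8812au)`. `modprobe 88XXau rtw_monitor_retransmit=1` needs root, so prefix it with `sudo` as the other commands in this README do, and `pluggin` should be `plugging`. It would also help to say explicitly that `rtw_monitor_retransmit` only exists in the driver built from that repository, which the following sentence about upstream acceptance already implies.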
@ -78,7 +88,9 @@ Our scripts were tested on Kali Linux and Ubuntu 20.04. To install the required
# Kali Linux and Ubuntu # Kali Linux and Ubuntu
sudo apt-get update sudo apt-get update
sudo apt-get install libnl-3-dev libnl-genl-3-dev libnl-route-3-dev libssl-dev libdbus-1-dev git pkg-config build-essential macchanger net-tools python3-venv airmon-ng sudo apt-get install libnl-3-dev libnl-genl-3-dev libnl-route-3-dev libssl-dev \
libdbus-1-dev git pkg-config build-essential macchanger net-tools python3-venv \
aircrack-ng firmware-ath9k-htc rfkill
Now clone this repository, build the tools, and configure a virtual python3 environment: Now clone this repository, build the tools, and configure a virtual python3 environment:
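Review bot: installing `firmware-ath9k-htc` from the distribution here and then overwriting its files with the patched firmware later in this README means a routine package upgrade will silently restore the stock firmware; consider noting that next to the existing caveat about kernel updates, or holding the package. Replacing `airmon-ng` with `aircrack-ng` is correct, since `airmon-ng` is a tool inside that package rather than a package of its own.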
@ -92,7 +104,8 @@ Now clone this repository, build the tools, and configure a virtual python3 envi
pip install wheel pip install wheel
pip install -r requirements.txt pip install -r requirements.txt
The above instructions only have to be executed once. By default the above instructions only have to be executed once. You have to execute
**`./build.sh` again after pulling in new code using git**.
## Patched Drivers ## Patched Drivers
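Review bot: `By default the above instructions only have to be executed once` reads oddly, since nothing is being configured by default; `Normally the above instructions only have to be executed once` says what is meant. The bold `./build.sh` reminder is useful and matches the troubleshooting item added further down in this commit.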
@ -105,14 +118,16 @@ Install patched drivers:
make -j 4 make -j 4
sudo make install sudo make install
Install patched `ath9k_htc` firmware on Ubuntu: Install patched `ath9k_htc` firmware:
cd research/ath9k-firmware/ cd research/ath9k-firmware/
sudo cp htc_9271.fw /lib/firmware/ath9k_htc/htc_9271-1.4.0.fw ./install.sh
sudo cp htc_7010.fw /lib/firmware/ath9k_htc/htc_7010-1.4.0.fw # Now reboot
# Now reboot the system
The `./install.sh` script assumes the `ath9k_htc` firmware images are located in the
directory `/lib/firmware/ath9k_htc`. If this is not the case on your system you have
to manually copy the `htc_7010.fw` and `htc_9271.fw` to the appropriate directory.
Note that the above directories depend on the specific Linux distribution you are running.
If you Wi-Fi donle already is plugged in, unplug it. After installing the patched drivers If you Wi-Fi donle already is plugged in, unplug it. After installing the patched drivers
and firmware you must reboot your system. The above instructions have to be executed again and firmware you must reboot your system. The above instructions have to be executed again
if your Linix kernel ever gets updated. if your Linix kernel ever gets updated.
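Review bot: the fallback sentence `you have to manually copy the htc_7010.fw and htc_9271.fw to the appropriate directory` drops the destination filenames the removed lines had (`htc_9271-1.4.0.fw` and `htc_7010-1.4.0.fw`). The in-kernel `ath9k_htc` driver requests the version-suffixed name first and only falls back to the plain name, so a user who copies the patched files under their original names next to the stock versioned files will still load the stock firmware; state the destination names explicitly or point at what `install.sh` does. The unchanged context lines also carry typos (`donle`, `Linix`) that could be fixed while this paragraph is being touched.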
@ -274,8 +289,11 @@ In case the script doesn't appear to be working, check the following:
9. If your Wi-Fi dongle is unreliable, use it from a live CD or USB. A virtual machine can be unreliable. 9. If your Wi-Fi dongle is unreliable, use it from a live CD or USB. A virtual machine can be unreliable.
10. Confirm using a second monitor interface that no other frames are sent in between fragments. 10. If updated the code using git, did you execute `./build.sh` again (see [Prerequisites](#prerequisites))?
For instance, we found that our Intel device sometimes sends Block Ack Response Action frames between fragments.
11. Confirm using a second monitor interface that no other frames are sent in between fragments.
For instance, we found that our Intel device sometimes sends Block Ack Response Action frames
between fragments, and this interfered with the defragmentation process of the device under test.
## Extended Vulnerability Tests ## Extended Vulnerability Tests
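Review bot: item 10 is missing its subject: `If updated the code using git` should read `If you updated the code using git`. The `[Prerequisites](#prerequisites)` anchor assumes a heading with exactly that name exists earlier in the README; worth confirming, since the install section shown in this diff is only visible under `## Patched Drivers` here.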
@ -332,9 +350,7 @@ to monitor whether frames are properly injected.
**TODO: Testing the TP-Link against the Intel 3160 was very unreliable: many frames were not** **TODO: Testing the TP-Link against the Intel 3160 was very unreliable: many frames were not**
**received although they in fact were sent by the device.** **received although they in fact were sent by the device.**
**Ack behaviour is best tested postauth so the client will not disconnected.** case you do not have a second network
In case you do not have a second network
card, you can execute a partial injection test using: card, you can execute a partial injection test using:
./test-injection.py wlan0 ./test-injection.py wlan0
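Review bot: removing the `**Ack behaviour ...**` line leaves the following line, as rendered here, starting with `case you do not have a second network` where the old text had `In case you do not have a second network`; check that the leading `In` did not get lost when the lines were rejoined. The `**TODO: Testing the TP-Link against the Intel 3160 was very unreliable ...**` block is still in user-facing text; if it is a known limitation it should be phrased as one, otherwise tracked elsewhere.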
@ -348,6 +364,8 @@ following two commands:
./fragattack wlan0 ping --inject-test wlan1 ./fragattack wlan0 ping --inject-test wlan1
./fragattack wlan0 ping --inject-test wlan1 --ap ./fragattack wlan0 ping --inject-test wlan1 --ap
**Ack behaviour is best tested postauth so the client will not disconnected.**
Here we test whether `wlan0` properly injects frames by monitor the injected frames using the Here we test whether `wlan0` properly injects frames by monitor the injected frames using the
second network card `wlan1`. The first command tests if frames are properly injected when using second network card `wlan1`. The first command tests if frames are properly injected when using
mixed mode as a client, and the second when using mixed mode as a client. In order to start the mixed mode as a client, and the second when using mixed mode as a client. In order to start the
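Review bot: the re-inserted line `**Ack behaviour is best tested postauth so the client will not disconnected.**` is ungrammatical (`will not be disconnected` or `does not disconnect`) and should say what `postauth` refers to (presumably the command run after authentication completes). The unchanged context sentence below it also has a copy-paste error: `the second when using mixed mode as a client` should say `as an AP`, since the second command passes `--ap`; and `by monitor the injected frames` should be `by monitoring`.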
@ -371,7 +389,7 @@ This mode requires only one network card. The disadvantage is that this mode is
or association. or association.
- When injeting frames, they may be retransmitted even though an acknowledgement was recieved. - When injeting frames, they may be retransmitted even though an acknowledgement was recieved.
This will further slightly slowdown the handling of frames. This slightly slows the handling of frames.
- Frames are not properly acknowledged depending on the wireless network card, which causes some - Frames are not properly acknowledged depending on the wireless network card, which causes some
tested clients or APs to disconnect during authentication or association. tested clients or APs to disconnect during authentication or association.
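Review bot: the rewrite to `This slightly slows the handling of frames.` is fine; while here, the preceding context line has `injeting` and `recieved` (`injecting`, `received`).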
@ -382,19 +400,34 @@ using this mode, create two virtual network cards:
./hwsim.sh ./hwsim.sh
This will output the two created virtual "hwsim" interfaces, for example wlan1 and wlan2. Then This will output the two created virtual "hwsim" interfaces, for example wlan1 and wlan2. When testing
search for the channel of the AP you want to test, and put the real network card on this channel: an AP in this mode, you must first search for the channel of the AP, and put the real network card on
this channel:
./scan.sh wlan0 ./scan.sh wlan0
ifconfig wlan0 down
iw wlan0 set type monitor iw wlan0 set type monitor
ifconfig wlan0 up ifconfig wlan0 up
# Pick the channel that the AP is on (in this example 11)
iw wlan0 set channel 11 iw wlan0 set channel 11
Here wlan0 refers to the _real_ network card (not an interface created by `hwsim.sh`).
You can now start the script as follows: You can now start the script as follows:
./fragattack wlan0 --hwsim wlan1,wlan2 [--ap] $COMMAND ./fragattack wlan0 --hwsim wlan1,wlan2 [--ap] $COMMAND
After the script executed, you can directly run it again with a new command. After the script executed, you can directly run it again with a new command. When testing a client, do
do not first have to configure the channel (it is taken from `hostapd.conf`).
**TODOs:**
- Due to commit 1672c0e31917 ("mac80211: start auth/assoc timeout on frame status") authentication
as a client will instantly timeout. We need to have a method to bypass this:
1. We can patch the kernel
2. Maybe configure wpa_supplicant to send auth frames using a monitor interface?
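Review bot: `When testing a client, do do not first have to configure the channel` has a duplicated `do` and lacks its subject: `When testing a client you do not first have to configure the channel`. Adding `ifconfig wlan0 down` before `iw wlan0 set type monitor` is correct, since the interface type cannot be changed while it is up. The `**TODOs:**` block about commit 1672c0e31917 is a development note that will confuse readers of a how-to section; either state the user-visible effect (in hwsim mode, authentication as a client instantly times out on kernels containing that commit) or move the two proposed workarounds to an issue.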
### Static IP Configuration ### Static IP Configuration
@ -428,6 +461,11 @@ Frequencies for channels that are _not_ marked as disabled, no IR, or radar dete
conditions may depend on your network card, the current configured country, and the AP you are conditions may depend on your network card, the current configured country, and the AP you are
connected to. For more information see, for example, the [Arch Linux documentation](https://wiki.archlinux.org/index.php/Network_configuration/Wireless#Respecting_the_regulatory_domain). connected to. For more information see, for example, the [Arch Linux documentation](https://wiki.archlinux.org/index.php/Network_configuration/Wireless#Respecting_the_regulatory_domain).
Although we have not yet encountered a device that behaved differently in the 2.4 GHz band compared
to the 5 GHz band, this may occur in practice if different drivers are used to handle both bands.
If you encounter such a case please let us know. Since we have not yet observed such differences
between the 2.4 and 5 GHz band we believe that it is sufficient to only test one of these bands.
Note that in mixed mode the Linux kernel may not allow the injection of frames even though it is Note that in mixed mode the Linux kernel may not allow the injection of frames even though it is
allowed to send normal frames. This is because in `ieee80211_monitor_start_xmit` the kernel refuses allowed to send normal frames. This is because in `ieee80211_monitor_start_xmit` the kernel refuses
to inject frames when `cfg80211_reg_can_beacon` returns false. As a result, Linux may refuse to to inject frames when `cfg80211_reg_can_beacon` returns false. As a result, Linux may refuse to
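Review bot: the new paragraph says the same thing twice: `Although we have not yet encountered a device that behaved differently ...` and `Since we have not yet observed such differences ... we believe that it is sufficient to only test one of these bands.` Fold them into one statement: keep the first sentence, the request to report such cases, and the conclusion that testing one band is sufficient.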
@ -440,16 +478,14 @@ under the correct conditions prevents this bug.
#### ath9k_htc #### ath9k_htc
There is a known problem with the `ath9k_htc` driver, used by the Technoethical N150 HGA, TP-Link With kernel 5.7.3+ and 5.8.x there is a known problem problem with the `ath9k_htc` driver, used by
TL-WN722N v1.x, and Alfa AWUS036NHA, causing it not to work on kernel 5.7.3 and above. Downgrading the Technoethical N150 HGA, TP-Link TL-WN722N v1.x, and Alfa AWUS036NHA, causing it not to work.
to kernel `5.7.2` fixes this issue for now. More details are available at: Downgrading to kernel `5.7.2` fixes this issue. In the meantime a patch has also been submitted
to fix this problem on new kernels: https://www.spinics.net/lists/linux-wireless/msg200825.html
- **Patch that might fix it:** https://www.spinics.net/lists/linux-wireless/msg200825.html
Older threads on this bug:
- https://bugzilla.kernel.org/show_bug.cgi?id=208251 - https://bugzilla.kernel.org/show_bug.cgi?id=208251
- https://bugzilla.redhat.com/show_bug.cgi?id=1848631 - https://bugzilla.redhat.com/show_bug.cgi?id=1848631
- https://lore.kernel.org/lkml/CAEJqkgjV8p6LtBV8YUGbNb0vYzKOQt4-AMAvYw5mzFr3eicyTg@mail.gmail.com/ - https://lore.kernel.org/lkml/CAEJqkgjV8p6LtBV8YUGbNb0vYzKOQt4-AMAvYw5mzFr3eicyTg@mail.gmail.com/
#### AWUS036ACM #### AWUS036ACM
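Review bot: `a known problem problem with the ath9k_htc driver` has a duplicated word. Since the spinics link is now introduced as a submitted patch rather than `Patch that might fix it`, say whether the patch has been confirmed to work with this tool, and note that `Downgrading to kernel 5.7.2 fixes this issue` lost the `for now` qualifier the old text had.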