Commit Graph

17002 Commits

Author SHA1 Message Date
Mathy Vanhoef
2a03fc6523 fragattacks: update changelog in README 2023-10-11 22:47:20 +02:00
Mathy Vanhoef
6fd347ee1c fragattacks: always encrypt EAPOL Request frames
When the parameter --rekey-plaintext is used, the rekey 4-way handshake
itself should be sent in plaintext. But possible EAPOL Request frames,
which ask the AP for a new 4-way handshake, should ideally still be sent
using encryption.

This patch assures that EAPOL (Rekey) Request frames are always sent
encrypted, even when --rekey-plaintext is used.
2023-10-11 22:42:55 +02:00
Mathy Vanhoef
c894c820ff fragattacks: ignore old EAPOL replay counters
When testing the TelenetWiFree hotspot using the command:

  ./fragattack.py wlan0 --no-drivercheck ping I,F,E --rekey-req --rekey-plain

Then the AP would reuse old EAPOL replay counters in the rekey 4-way
handshake. So for the rekey handshake to succeed, the client has to
accept these EAPOL handshake messages with a "reused" replay counter.

Note that these networks also performed the rekey handshake in
plaintext, which will be handled by a subsequent patch.
2023-10-11 22:39:10 +02:00
Mathy Vanhoef
05a607526e fragattacks: enable MS-CHAPv2 with OpenSSL >=3.0
This patch re-enables the usage of MS-CHAPv2 when linking with OpenSSL
version 3.0 or higher.
2023-10-11 04:10:52 +02:00
Mathy Vanhoef
abf9b9bd8b fragattacks: import latest frame injection tests 2023-01-07 18:09:13 +01:00
Mathy Vanhoef
7ca38f02ab fragattacks: add note on DHCP server IP address 2023-01-07 17:38:11 +01:00
Mathy Vanhoef
6af88a2dcb fragattacks: include server_id in DHCP request 2023-01-07 16:25:21 +01:00
Mathy Vanhoef
2ccd42033a fragattacks: add experimental ping-before test
This uses fragmented IPv4 packets to perfrom (variants of) the test
"ping BP" without needing to run a packet capture on the victim device.
This is accomplished by sending the first IPv4 fragment of a ping
request before authenticating, and the second IPv4 fragment after
authenticating. If the device is vulnerable, it should replay with a
ping response. Note that both ping IPv4 fragments are sent in a normal
non-fragmented Wi-Fi frame.

The test was confirmed to work against a Huawei MRD-LZ1F (Huawei Y6
2019).
2022-11-07 10:47:20 +01:00
vanhoefm
1b63ee6d23
README: Add design notes and update change log 2022-11-04 21:17:46 +01:00
Mathy Vanhoef
b7a520637e fragattacks: do not use format strings
There are only supported on Python 3.6 and above. With openwifi we
likely need to support an older Python version.

This patch may be reverted in the future once support for older
Python versions is no longer needed.
2022-10-16 18:44:11 +02:00
Mathy
934878c386 fragattacks: openssl: quick fix to allow compilation with older openssl 2022-10-16 18:09:42 +02:00
Mathy
5af02f03a9 fragattacks: disable MACSEC so hostap compiles on old platforms 2022-10-16 18:09:42 +02:00
Mathy
97cd085bb2 fragattacks: fix for compilation on old platforms 2022-10-16 18:09:42 +02:00
Mathy
73fd084aaf fragattacks: remove dragonfly from libwifi 2022-10-16 18:09:33 +02:00
vanhoefm
a51b3d6afc
README: Format tweaks 2022-10-16 15:46:11 +02:00
vanhoefm
7974da6d45
README: link about disabling Wi-Fi in network manager 2022-10-10 21:06:58 +02:00
Mathy Vanhoef
b75ddbea75 README: Updates notes on the AWUS036ACM 2022-10-02 01:52:26 +02:00
Mathy Vanhoef
8092813616 injection test: sniff longer in reorder test
This was important to avoid false negatives when testing the MT7612U,
specifcally a device with internally an MT7612UN.
2022-10-02 00:40:31 +02:00
vanhoefm
8936e2d33e
README: document the --pre-test-delay parameter 2022-03-31 15:25:23 +08:00
vanhoefm
baa1c9357f
Merge pull request #44 from angeloc/connected_delay
research/fragattack: implement --pre-test-delay
2022-03-31 15:18:33 +08:00
Angelo Compagnucci
0375781b8e research/fragattack: add --pre-test-delay parameter
This parameter can be used each time a test needs to be delayed before
actually executing it.

Suggested-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
2022-03-31 13:44:04 +08:00
Angelo Compagnucci
4c59cdfffd research/fraginternals: Test: adding enforce_pre_delay
Adding a delay before actually executing the test. This can be useful in
all the cases the network stack of the victim is still not ready to
receive packets leading to a timed out test result.

Suggested-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
2022-03-31 13:43:58 +08:00
Angelo Compagnucci
33b49cbad3 research/fraginternals: Test: adding pre_delay
pre_delay can be used to add a delay before actually executing the test.

Suggested-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
2022-03-31 13:25:54 +08:00
Mathy Vanhoef
95a01225e2 README: Put latest changes in the changelog 2022-03-31 05:22:24 +02:00
Mathy Vanhoef
133153d0f6 README: Explain how to install kernel 5.8 on Ubuntu 2022-03-31 05:04:51 +02:00
Mathy Vanhoef
568d566478 fragattack: add RT5572 notes 2022-01-27 17:15:05 +01:00
Mathy Vanhoef
0e9ef74801 fragattack: add comment in code 2022-01-27 16:23:15 +01:00
vanhoefm
eb4507b4af
README: Reference AWUS036ACM experience 2022-01-04 09:05:24 +01:00
vanhoefm
f4fb23d3f3
README.md: fix a typo 2021-12-11 16:59:36 +01:00
vanhoefm
6efcdf1cf6
README.md: fix typo 2021-12-10 15:45:49 +01:00
vanhoefm
e50f7f15e6
Merge pull request #43 from dalten/master
Add Fortinet advisory
2021-09-20 01:58:20 +02:00
David Alten
1ec03ddf58 Add Fortinet advisory 2021-09-19 17:43:59 -05:00
Mathy Vanhoef
93441c3e45 fragattacks: avoid python dependency with vulnerability
The py dependency in requirements.txt causes a security warning on
GitHub and attracts automated bug hunters (without the hunters verifying
the relevancy of the finding). Avoid this.

Flaws in py: CVE-2020-29651
Vulnerable versions: < 1.10.0
Patched version: 1.10.0
Description: A denial of service via regular expression in the py.path.svnwc
component of py (aka python-py) through 1.9.0 could be used by attackers to
cause a compute-time denial of service attack by supplying malicious input
to the blame functionality.

This fixes #40
2021-09-06 13:59:31 +02:00
vanhoefm
44b46d4b04
README: alternative to airmon-ng 2021-08-28 16:57:44 +02:00
vanhoefm
19f372500e
README: advice to manually set 5GHz channel first 2021-08-16 22:43:24 +02:00
vanhoefm
1e9c1a0ef8
Merge pull request #32 from ethans/patch-1
Added link to Check Point's advisory
2021-08-06 23:40:38 +04:00
Ethan Schorer
930a19f621
Added link to Check Point's advisory
Added Check Point SK: https://supportcontent.checkpoint.com/solutions?id=sk173718
2021-08-05 12:37:03 +03:00
vanhoefm
5d8682dd2a
Merge pull request #30 from Ma5onic/patch-1
Small ReadMe Correction
2021-07-27 12:55:02 +04:00
Malcolm
0d99a37668
Small ReadMe Correction
updated table description.
2021-07-26 13:25:16 -04:00
vanhoefm
0fcebec0bd
Advisories: add Arlo 2021-07-14 06:37:24 +04:00
vanhoefm
67e72c1417
README: Further clarify A-MSDU tests 2021-06-26 03:01:22 +04:00
vanhoefm
d07958d7f9
Advisories: add texas instruments 2021-06-22 23:22:19 +04:00
Mathy Vanhoef
003b78972e fragattacks: README: clarify A-MSDU tests 2021-06-22 17:37:06 +04:00
Mathy Vanhoef
f27bf12e32 fragattacks: README: clarify ping-frag-sep tests 2021-06-21 23:57:45 +04:00
vanhoefm
e35da72fdf
Advisories: further highlight mistakes in some advisories 2021-06-20 16:03:06 +04:00
vanhoefm
72d4b27d62
Advisories: clarify mistake in NETGEAR advisory 2021-06-20 16:01:48 +04:00
vanhoefm
bea93c049f
fragattacks: create links in example pcaps overview 2021-06-13 17:47:57 +04:00
Mathy Vanhoef
6420cc1314 fragattacks: add pcap for cache attack with full reconnect 2021-06-13 17:46:33 +04:00
vanhoefm
7dcef13aff
Advisories: add OpenWRT 2021-06-07 12:55:29 +04:00
vanhoefm
b2a46b7fa9
Advisories: clarify Ruckus wrong advice 2021-06-07 12:50:34 +04:00