When the parameter --rekey-plaintext is used, the rekey 4-way handshake
itself should be sent in plaintext. But possible EAPOL Request frames,
which ask the AP for a new 4-way handshake, should ideally still be sent
using encryption.
This patch assures that EAPOL (Rekey) Request frames are always sent
encrypted, even when --rekey-plaintext is used.
When testing the TelenetWiFree hotspot using the command:
./fragattack.py wlan0 --no-drivercheck ping I,F,E --rekey-req --rekey-plain
Then the AP would reuse old EAPOL replay counters in the rekey 4-way
handshake. So for the rekey handshake to succeed, the client has to
accept these EAPOL handshake messages with a "reused" replay counter.
Note that these networks also performed the rekey handshake in
plaintext, which will be handled by a subsequent patch.
This uses fragmented IPv4 packets to perform (variants of) the test
"ping BP" without needing to run a packet capture on the victim device.
This is accomplished by sending the first IPv4 fragment of a ping
request before authenticating, and the second IPv4 fragment after
authenticating. If the device is vulnerable, it should reply with a
ping response. Note that both ping IPv4 fragments are sent in a normal
non-fragmented Wi-Fi frame.
The test was confirmed to work against a Huawei MRD-LZ1F (Huawei Y6
2019).
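The fragmented-ping check described in the commit message above, modelled from the receiver's side as an added example (this is not fragattacks code). It shows why a ping response is a reliable indicator: the first IPv4 fragment arrives in a plaintext frame before the 4-way handshake, the second in an encrypted frame after it, and only a receiver that accepted the plaintext fragment can reassemble the datagram and answer. The hardened receiver drops plaintext data frames, so reassembly never completes and it stays silent. The `Frame` and `Receiver` classes, the `hardened` flag and the ICMP payload bytes are all constructed for this illustration; no frames are sent.

```python
"""Receiver-side model of the fragmented-ping check (constructed example).

Sequence under test:
  1. IPv4 fragment 1 of an ICMP echo request arrives in a *plaintext*
     Wi-Fi frame before the 4-way handshake has completed.
  2. The handshake completes (pairwise key installed).
  3. IPv4 fragment 2 arrives in an *encrypted* Wi-Fi frame.
A receiver that accepted fragment 1 reassembles the datagram and answers
the ping; that answer is the observable sign of the flaw.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One Wi-Fi data frame carrying one IPv4 fragment (constructed model)."""
    encrypted: bool        # protected with the pairwise key?
    ip_id: int             # IPv4 Identification, shared by all fragments
    frag_offset: int       # IPv4 fragment offset, in 8-byte units
    more_fragments: bool   # IPv4 MF flag
    payload: bytes


class Receiver:
    """Station receive path with a per-datagram IPv4 reassembly table."""

    def __init__(self, drop_plaintext: bool):
        self.drop_plaintext = drop_plaintext   # hardened behaviour when True
        self.handshake_done = False
        self.reasm = {}                        # ip_id -> {offset: (payload, MF)}
        self.delivered = []                    # fully reassembled datagrams

    def complete_handshake(self):
        self.handshake_done = True

    def accept(self, f: Frame) -> bool:
        if f.encrypted:
            return self.handshake_done         # decryptable only once the key exists
        # Plaintext data frame on a protected network: the hardened receiver
        # drops it regardless of handshake state; the vulnerable one accepts it.
        return not self.drop_plaintext

    def receive(self, f: Frame):
        """Process one frame; return the reassembled datagram when complete."""
        if not self.accept(f):
            return None
        frags = self.reasm.setdefault(f.ip_id, {})
        frags[f.frag_offset] = (f.payload, f.more_fragments)
        datagram = self._try_reassemble(f.ip_id)
        if datagram is not None:
            del self.reasm[f.ip_id]
            self.delivered.append(datagram)
        return datagram

    def _try_reassemble(self, ip_id: int):
        # Walk contiguous fragments from offset 0 until the last (MF=0) one.
        frags = self.reasm[ip_id]
        data, offset = b"", 0
        while True:
            entry = frags.get(offset)
            if entry is None:
                return None                    # hole: wait for more fragments
            payload, more = entry
            data += payload
            if not more:
                return data                    # last fragment reached
            offset += len(payload) // 8


def fragmented_ping_check(hardened: bool) -> bool:
    """True if the receiver would answer the ping, i.e. it accepted the
    plaintext fragment that was sent before the handshake completed."""
    request = b"ICMP-ECHO-REQUEST-SEQ-0001-PADDING"   # constructed payload
    first, second = request[:16], request[16:]        # first part is 8-byte aligned
    rx = Receiver(drop_plaintext=hardened)
    rx.receive(Frame(False, 0x1234, 0, True, first))  # before auth: plaintext
    rx.complete_handshake()
    datagram = rx.receive(Frame(True, 0x1234, 2, False, second))  # after auth
    return datagram == request


if __name__ == "__main__":
    print("vulnerable receiver answers:", fragmented_ping_check(hardened=False))
    print("hardened receiver answers:  ", fragmented_ping_check(hardened=True))
```

The mitigation the model encodes is the one the test probes for: a station on a protected network must not accept plaintext data frames before (or after) the handshake, and any reassembly state built from such frames must never be completed by later encrypted traffic.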
These are only supported on Python 3.6 and above. With openwifi we
likely need to support an older Python version.
This patch may be reverted in the future once support for older
Python versions is no longer needed.
This parameter can be used each time a test needs to be delayed before
actually executing it.
Suggested-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Adding a delay before actually executing the test. This can be useful in
all the cases the network stack of the victim is still not ready to
receive packets leading to a timed out test result.
Suggested-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
pre_delay can be used to add a delay before actually executing the test.
Suggested-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
The py dependency in requirements.txt causes a security warning on
GitHub and attracts automated bug hunters (without the hunters verifying
the relevancy of the finding). Avoid this.
Flaws in py: CVE-2020-29651
Vulnerable versions: < 1.10.0
Patched version: 1.10.0
Description: A denial of service via regular expression in the py.path.svnwc
component of py (aka python-py) through 1.9.0 could be used by attackers to
cause a compute-time denial of service attack by supplying malicious input
to the blame functionality.
This fixes #40