mirror of
https://github.com/vanhoefm/fragattacks.git
#!/usr/bin/env python3
from libwifi import *
def netbsd_forcefrag_verify():
    """Check CCMP handling against a recorded NetBSD capture.

    Loads eight Dot11 frames from the capture
    ``netbsd-forward-eapol-before-auth-fragmented-1.pcapng``, runs
    ``decrypt_ccmp`` on each with a known temporal key, then rebuilds the
    plaintext of the first frame, re-encrypts it with ``encrypt_ccmp`` and
    asserts the result is byte-identical to the captured frame.

    Raises:
        AssertionError: if the re-encrypted frame differs from the capture.
    """
    # The capture was recorded with an independent TL-WN722N.
    capture = rdpcap("../../captures/netbsd-forward-eapol-before-auth-fragmented-1.pcapng")

    # NOTE(review): index 1262 is listed twice in the original script;
    # confirm whether that is intentional or whether another frame was meant.
    frame_indices = (1204, 1207, 1262, 1262, 1266, 1270, 1277, 1355)
    fragments = [capture[index][Dot11] for index in frame_indices]

    # Temporal key copied from hostapd debug output on NetBSD. It is only
    # meaningful for the session recorded in this capture.
    temporal_key = bytes.fromhex("b7 2a 27 4c 50 6b c1 3b 86 3d 9a 97 fe 85 8b c9".replace(" ", ""))

    print("Testing decryption")
    for fragment in fragments:
        # The return value is discarded, so this only checks that the call
        # completes. Whether decrypt_ccmp raises on a MIC mismatch depends on
        # libwifi, which is not visible here.
        decrypt_ccmp(fragment, temporal_key)

    # Build a fresh plaintext frame that reuses the first fragment's headers.
    plaintext_frame = fragments[0].copy()
    plaintext_frame.remove_payload()

    # It is important to start from the original number of A's so that the
    # EAPOL length fields are reconstructed properly; only afterwards is the
    # serialized payload trimmed.
    eap_bytes = raw(EAP()/Raw(b"A" * 2600))
    eapol_payload = LLC()/SNAP()/EAPOL()/EAP(eap_bytes)
    plaintext_frame = plaintext_frame/raw(eapol_payload)[:2314]

    # pn=1 presumably matches the packet number of the captured frame, as the
    # byte-for-byte comparison below requires -- confirm against the capture.
    reencrypted = encrypt_ccmp(plaintext_frame, temporal_key, pn=1)

    print("Testing reconstructed encryption")
    # This assert is the actual check; running under ``python -O`` strips it
    # and the script would then report nothing on a mismatch.
    assert raw(fragments[0]) == raw(reencrypted)
def main():
    """Script entry point: run the NetBSD capture verification once."""
    netbsd_forcefrag_verify()
# Run the verification only when executed as a script, not on import.
if __name__ == "__main__":
    main()