IGRSoft / KisMac2

KisMAC is a free, open source wireless stumbling and security tool for Mac OS X.
http://igrsoft.com
GNU General Public License v2.0

Frame Check Sequence is ignored #56

Closed orinem closed 9 years ago

orinem commented 9 years ago

I get an awful lot of corrupt packets - about 100 per second here. I verified this by capturing with Wireshark independently.

Unfortunately, the Frame Check Sequence is currently ignored and bad packets get parsed. This results in random messages from the packet parsing, many "Packet with illegal 802.11 version captured" messages for example.

Depending on what is corrupted in any given packet, you can see bad SSIDs in the networks list, non-existent clients in the details list and so on.

The ability to check the FCS partially exists in FCS.h and FCS.m, though the parameter types and table should be changed to uint32_t (sizeof(long) may well be 8 these days).

In addition, WaveDriverAirportExtreme at least is not including the FCS bytes in frames returned from nextFrame. I have not looked at any of the other drivers.

Here is very basic code to do the FCS check. It will need fixing to handle any drivers that do not supply the FCS bytes, possibly by adding an FCS present flag to KCtrlFrame. It would also be possible for the drivers themselves to do the check.

WavePacket.mm (note that the 802.11 version check is moved after the FCS check):

```objc
// At global scope
static uint32_t checksumErrors = 0;
//...
    // Set frame pointer and length
    _length = f->ctrl.len;
    _frame = (UInt8*)(f->data);

    // A frame shorter than the 4-byte FCS cannot be checked at all, and
    // reading _frame[_length-4] would index before the buffer.
    if ( _length < 4 )
        return NO;

    // The FCS is the last 4 bytes of the frame, least significant byte first;
    // memcpy yields the right value on a little-endian (Intel) host.
    uint32_t crcReceived;
    memcpy(&crcReceived, &_frame[_length-4], 4);
    uint32_t crc = 0xFFFFFFFF;
    // This loop is _very_ inefficient; move it into a function and put the UPDC32 implementation inline.
    for ( int i = 0; i < _length-4; ++i )
    {
        crc = UPDC32(_frame[i], crc);
    }
    crc ^= 0xFFFFFFFF;

    if ( crc != crcReceived ) {
        // Corrupt frames arrive at ~100/s, so log only every thousandth failure.
        if ( ++checksumErrors % 1000 == 0 )
            DBNSLog(@"%u packets with bad checksum (this packet: 0x%08X received, 0x%08X calculated).\n", checksumErrors, crcReceived, crc);

        return NO;
    }

    // Check IEEE80211 Version (only frames with a valid FCS get this far)
    if ((hdr1->frame_ctl & IEEE80211_VERSION_MASK) != IEEE80211_VERSION_0) {
        DBNSLog(@"Packet with illegal 802.11 version captured (frame_ctl=0x%04X).\n", hdr1->frame_ctl);
        return NO;
    }
```

WaveDriverAirportExtreme.m:

```objc
            case DLT_IEEE802_11_RADIO_AVS:
                dataLen = header.caplen - sizeof(avs_80211_1_header);
                //dataLen -= 4;       // Skip fcs?
```
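As an added, stand-alone example (not code from the KisMAC project or from the issue author), here is the check the comment above sketches, in plain C: a table-driven CRC-32 with the IEEE 802.3 polynomial that 802.11 uses for the FCS, the trailer read explicitly as little-endian rather than via memcpy into a uint32_t, and a length guard so a frame shorter than four bytes is rejected instead of read before the start of the buffer. The 24-byte sample data-frame header, the MAC addresses in it and the function names (crc32_ieee, fcs_check, fcs_append, demo_check) are constructed for this example and are not KisMAC identifiers. The demo flips one bit in frame_ctl to show how a corrupt frame that passes through unchecked would present as an "illegal 802.11 version".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Table-driven CRC-32, IEEE 802.3 polynomial 0x04C11DB7 (reflected form
 * 0xEDB88320). 802.11 uses the same CRC for its Frame Check Sequence. */
static uint32_t crc_table[256];
static bool crc_table_ready = false;

static void crc32_init_table(void)
{
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = n;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[n] = c;
    }
    crc_table_ready = true;
}

/* CRC-32 of buf: init 0xFFFFFFFF, final XOR 0xFFFFFFFF (check value: "123456789" -> 0xCBF43926). */
uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    if (!crc_table_ready)
        crc32_init_table();
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        crc = crc_table[(crc ^ buf[i]) & 0xFFu] ^ (crc >> 8);
    return crc ^ 0xFFFFFFFFu;
}

/* The FCS is the last four bytes of the frame, least significant byte first.
 * Assemble it explicitly so the comparison does not depend on host byte order. */
static uint32_t fcs_from_trailer(const uint8_t *frame, size_t len)
{
    const uint8_t *t = frame + len - 4;
    return (uint32_t)t[0] | ((uint32_t)t[1] << 8) |
           ((uint32_t)t[2] << 16) | ((uint32_t)t[3] << 24);
}

typedef enum { FCS_OK, FCS_BAD, FCS_TOO_SHORT } fcs_result;

/* Verify a frame captured with its FCS trailer intact. A frame shorter than
 * four bytes cannot carry an FCS; reject it rather than index frame[len-4]. */
fcs_result fcs_check(const uint8_t *frame, size_t len)
{
    if (len < 4)
        return FCS_TOO_SHORT;
    return crc32_ieee(frame, len - 4) == fcs_from_trailer(frame, len) ? FCS_OK : FCS_BAD;
}

/* Append a correct FCS to body, as a transmitter would. Returns the frame
 * length written to out, or 0 if out is too small. */
size_t fcs_append(const uint8_t *body, size_t body_len, uint8_t *out, size_t out_cap)
{
    if (out_cap < body_len + 4)
        return 0;
    memcpy(out, body, body_len);
    uint32_t crc = crc32_ieee(body, body_len);
    for (int i = 0; i < 4; i++)
        out[body_len + i] = (uint8_t)(crc >> (8 * i));
    return body_len + 4;
}

/* Constructed sample input (not a real capture): a 24-byte 802.11 data-frame
 * header, frame_ctl 0x0008 = protocol version 0, type 2 (data), with made-up
 * locally administered MAC addresses. */
static const uint8_t sample_header[24] = {
    0x08, 0x00,                         /* frame control */
    0x00, 0x00,                         /* duration */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01, /* addr1 */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02, /* addr2 */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x03, /* addr3 */
    0x10, 0x00                          /* sequence control */
};

/* Build the sample frame with a valid FCS, optionally flip bit 0 of byte
 * flip_byte (-1 = leave intact), and return the check result. */
fcs_result demo_check(int flip_byte)
{
    uint8_t frame[sizeof sample_header + 4];
    size_t len = fcs_append(sample_header, sizeof sample_header, frame, sizeof frame);
    if (flip_byte >= 0 && (size_t)flip_byte < len)
        frame[flip_byte] ^= 0x01;
    return fcs_check(frame, len);
}

int main(void)
{
    static const char *names[] = { "ok", "bad FCS", "too short" };
    printf("intact frame:              %s\n", names[demo_check(-1)]);
    /* Bit 0 of byte 0 is the low bit of the protocol version field: a flip
     * there is exactly a frame that logs "illegal 802.11 version" if parsed. */
    printf("bit flipped in frame_ctl:  %s\n", names[demo_check(0)]);
    printf("bit flipped in FCS itself: %s\n", names[demo_check(24)]);
    printf("3-byte fragment:           %s\n", names[fcs_check(sample_header, 3)]);
    return 0;
}
```

The driver-side placement the author goes on to choose fits this shape directly: call fcs_check on the full captured length before subtracting the 4 trailer bytes, and drop (or flag, if discarding is made a user option) anything that returns FCS_BAD.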
orinem commented 9 years ago

Further note: discarding packets with a bad FCS should be a user option.

I think I'll implement an FCS check in WaveDriverAirportExtreme.m since that is what I'm using/testing (and leave WavePacket.mm alone). In other words, I'll replace the dataLen -= 4 with an FCS check. I can't see that being a problem since a failed FCS means we know the packet is corrupt.

ikorich commented 9 years ago

Could you add me to skype: #########

orinem commented 9 years ago

I don't have skype at the moment... I'll drop you an email - rather not post the address, though it's not really a secret.

orinem commented 9 years ago

Seems OK now for the Airport Extreme, so I'm closing it.