efchatz / WPAxFuzz

A full-featured open-source Wi-Fi fuzzer
MIT License
174 stars, 18 forks

Question about Test establishment #3

Closed zgsnj123 closed 1 year ago

zgsnj123 commented 1 year ago

Hi,

I'm a student learning 802.11 fuzzing. From my understanding, to try your script, I need 3 devices: a target AP, a target STA, and an attack laptop (with 2 WNICs, one for monitoring, one for attacking). Is my understanding correct?

In addition, I quickly checked the code: before the fuzzing, the script uses the 'monitor WNIC' to scan the AP network to find the 'target STA'? So the 'attack WNIC' should be in 'monitor mode', and the 'monitor WNIC' should be in 'normal mode'? In the readme.md, to switch the 'attack WNIC' to monitor mode, the 'sudo airmon-ng check kill' command is used to kill processes; after killing these processes, how can I set up the connection between the 'monitor WNIC' and the 'target AP'?

Many thanks

efchatz commented 1 year ago

Hello,

Yes, you will need an AP and a STA, along with a WNIC device, to use this tool. To fuzz SAE frames, you will need two different WNICs, one for attacking and one for monitoring. For the remaining frames (Management, Control, Data), you can use only one WNIC, which the tool will monitor and attack with the same WNIC.

Any WNIC you are going to use must be in monitor mode. This has to be done for the tool to be able to use this WNIC. Usually, to convert a WNIC into monitor mode, you will have to execute the following commands, depending on the WNIC driver:

sudo airmon-ng check kill
sudo airmon-ng start wlan0

or

sudo airmon-ng check kill
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

Now, for the attacker WNIC to be able to ping the targeted STA, both devices must be connected to the same network. To achieve this, the attacker's VM must be connected to this AP with an Ethernet cable. Otherwise, any VM in NAT/Bridged mode would also work. For instance, in our case, we used a laptop, an Ubuntu VM as the attacker, a smartphone for the STA and a USB WNIC. The laptop and the smartphone were connected to the same AP, which the fuzzer was going to target. A USB WNIC was directly connected to the Ubuntu VM, to inject frames into this AP, with the assistance of this fuzzer.

Although the ping functionality is needed to identify a case in which the STA becomes unresponsive, i.e., remains connected to that AP but without any internet access, the tool can be used without this functionality, by commenting out any relevant lines in the code. After that, there is no need for the attacker to be connected to this AP, and the tool will only monitor for Deauth/Disass frames.

If you have issues with the ping requests, you can restart the machine you are using for the fuzzer and, instead of executing this command, which disables all network-related services:

sudo airmon-ng check kill

disable only the wifi service, with this command:

sudo service wpa_supplicant stop

zgsnj123 commented 1 year ago

Hi, thanks for your explanation! I successfully built the test environment. During some testing, I received 'STA is unresponsive', and I think the hexdump below is the frame which may have caused the STA to go offline, etc.

Capture

Does that mean some vulnerability happened?

byrkam commented 1 year ago

Hi,

It could possibly be a vuln, but then again, you have to make sure that this is not a false positive. You can do it directly through the fifth mode of the WPAxFuzz tool, called the 'DoS attack module', where you constantly transmit the above frame and wait to see how the connection between the AP and the STA will react.
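
The two points raised above, the ping-based "STA is unresponsive" verdict (which only makes sense when the STA is still associated, i.e., no Deauth/Disassoc was seen in monitor mode) and the warning that a single verdict may be a false positive, can be combined into one liveness classifier. This is an added example written for this thread, not WPAxFuzz's own code; `ping_once`, `classify_sta`, `confirm_unresponsive` and the thresholds are hypothetical names and values, and re-sending the suspect frame (the DoS attack module step) is left to the tool, so this block only re-checks IP reachability.

```python
import subprocess
import time
from typing import Callable, List

def ping_once(host: str, timeout_s: int = 1) -> bool:
    """One ICMP echo via the system ping (-c 1, -W timeout); True if the STA answered."""
    proc = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0

def scripted_pings(results: List[bool]) -> Callable[[], bool]:
    """Constructed ping outcomes for offline use; an exhausted list means 'no reply'."""
    it = iter(results)
    return lambda: next(it, False)

def classify_sta(ping_fn: Callable[[], bool], deauth_seen: bool,
                 attempts: int = 5, fail_threshold: int = 3) -> str:
    """Verdict on the STA after a fuzzed frame.
    disconnected: a Deauth/Disassoc frame was seen in monitor mode.
    unresponsive: still associated, but >= fail_threshold pings failed in a row
                  (the 'connected but no internet access' case the tool reports).
    flaky:        isolated ping losses only; treat as a probable false positive.
    alive:        every ping answered.
    """
    if deauth_seen:
        return "disconnected"
    streak = worst = 0
    for _ in range(attempts):
        if ping_fn():
            streak = 0
            continue
        streak += 1
        worst = max(worst, streak)
        if streak >= fail_threshold:
            return "unresponsive"
    return "flaky" if worst else "alive"

def confirm_unresponsive(ping_fn: Callable[[], bool], deauth_seen: bool,
                         settle_s: float = 5.0, **kw) -> bool:
    """Second opinion for a first 'unresponsive' verdict: let the link settle,
    then classify again; only a repeated verdict is worth reporting."""
    time.sleep(settle_s)
    return classify_sta(ping_fn, deauth_seen, **kw) == "unresponsive"

if __name__ == "__main__":
    # Constructed run: no Deauth seen, three consecutive lost pings.
    print(classify_sta(scripted_pings([True, False, False, False, True]), False))
```

In a live setup, `ping_fn` would be `lambda: ping_once("<STA IP>")` with the attacker VM on the same network as the STA, exactly the requirement described in the first answer.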

efchatz commented 1 year ago

Closing due to inactivity. Feel free to re-open it again, if needed.