nzymedefense / nzyme

Network Defense System.
https://www.nzyme.org/

Add parsing for WPA3 crypto type #352

Closed andrewbeard closed 3 years ago

andrewbeard commented 3 years ago

I turned on mixed WPA2/WPA3 mode on my access points for giggles and ended up with the following alert:

META INFORMATION
ssid: <SNIP>
bssid: <SNIP>
encountered_security: WPA2-PSK-UNKNOWN-CCMP
channel: 11
frequency: 2462
antenna_signal: -47

Frames: 7,633
Subsystem: DOT_11
Alert Type ID: CRYPTO_CHANGE_PROBERESP

It looks like there's no enumeration for WPA3 crypto types available. Any chance this could be added?

andrewbeard commented 3 years ago

I played around with this a little more and got even more confused. Changing my config to reflect [WPA2-PSK-UNKNOWN-CCMP] resulted in getting alerts for WPA2-PSK-CCMP. Changing the config to [WPA2-PSK-CCMP, WPA2-PSK-UNKNOWN-CCMP] resulted in getting alerts for BOTH.

It seems like there's a key management mode that isn't being parsed (understandable), possibly the new-to-WPA3 SAE mode.

andrewbeard commented 3 years ago

I just noticed this in the logs, 99% sure this is related to SAE:

00:37:51.702 [probe-loop-0] INFO  horse.wtf.nzyme.dot11.probes.Dot11Probe - Skipping malformed frame on probe [broad-monitor-wlx00c0ca8deca8].
horse.wtf.nzyme.dot11.MalformedFrameException: Invalid algorithm type with code [3]. Skipping.
        at horse.wtf.nzyme.dot11.parsers.Dot11AuthenticationFrameParser.doParse(Dot11AuthenticationFrameParser.java:82) ~[nzyme-1.0.0.jar:?]
        at horse.wtf.nzyme.dot11.parsers.Dot11AuthenticationFrameParser.doParse(Dot11AuthenticationFrameParser.java:31) ~[nzyme-1.0.0.jar:?]
        at horse.wtf.nzyme.dot11.parsers.Dot11FrameParser.parse(Dot11FrameParser.java:47) ~[nzyme-1.0.0.jar:?]
        at horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe.lambda$loop$0(Dot11MonitorProbe.java:246) ~[nzyme-1.0.0.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:834) [?:?]

andrewbeard commented 3 years ago

I started adding some initial support for parsing out some of the SAE and encryption-related field values at this branch: https://github.com/andrewbeard/nzyme/tree/wpa3

Almost all the values are based on this blog post, so take it with a grain of salt: https://mrncciew.com/2019/11/29/wpa3-sae-mode/
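The two places on the air where the thread's symptoms come from are the RSN information element in beacons and probe responses (which lists the AKM suites, so a WPA2/WPA3 transition-mode AP advertises both the PSK and the SAE AKM in one element, giving two distinct security strings) and the fixed fields of the Authentication frame, whose algorithm number 3 is SAE. The following is an added, self-contained Python illustration of decoding both; it is not nzyme's Java parser, the PROTOCOL-AKM-CIPHER naming only mirrors the shape of the alert above (the exact nzyme strings are not reproduced), and the sample frames are constructed by hand rather than captured from an access point.

```python
"""Decode the parts of a beacon/probe response and of an Authentication frame
where WPA3 shows up: the RSN element's AKM and cipher suites, and the
Authentication frame's algorithm number (3 = SAE).

Added illustration in Python, not nzyme's Java code. Sample frames below are
constructed by hand, not captured.
"""
import struct

RSN_ELEMENT_ID = 48          # IEEE 802.11 element ID of the RSN information element
IEEE_OUI = b"\x00\x0f\xac"   # suite selectors defined by IEEE 802.11 use this OUI

# Suite type numbers from IEEE 802.11 (OUI 00-0F-AC)
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104",
                 8: "GCMP", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "EAP", 2: "PSK", 3: "FT-EAP", 4: "FT-PSK", 5: "EAP-SHA256",
              6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
# Authentication frame "authentication algorithm number" field
AUTH_ALGORITHMS = {0: "OPEN_SYSTEM", 1: "SHARED_KEY", 2: "FAST_BSS_TRANSITION", 3: "SAE"}


def _suite(table, body, pos):
    """Decode one 4-byte suite selector (OUI + type) at body[pos]."""
    if pos + 4 > len(body):
        raise ValueError("RSN element truncated inside a suite selector")
    if body[pos:pos + 3] != IEEE_OUI:
        return "UNKNOWN"                      # vendor-specific selector
    return table.get(body[pos + 3], "UNKNOWN")


def parse_rsn_element(ie: bytes) -> dict:
    """Parse an RSN IE (starting at its element ID byte) into named suites."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) < ie[1] or len(body) < 8:    # version + group cipher + pairwise count
        raise ValueError("RSN element truncated")
    version = struct.unpack_from("<H", body, 0)[0]
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    result = {"group_cipher": _suite(CIPHER_SUITES, body, 2),
              "pairwise_ciphers": [], "akms": [], "mfpc": False, "mfpr": False}
    pos = 6
    for key, table in (("pairwise_ciphers", CIPHER_SUITES), ("akms", AKM_SUITES)):
        if pos + 2 > len(body):
            raise ValueError("RSN element truncated before a suite count")
        count = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        for _ in range(count):
            result[key].append(_suite(table, body, pos))
            pos += 4
    if pos + 2 <= len(body):                  # RSN capabilities field is optional
        caps = struct.unpack_from("<H", body, pos)[0]
        result["mfpc"] = bool(caps & 0x80)    # management frame protection capable
        result["mfpr"] = bool(caps & 0x40)    # management frame protection required
    return result


def describe_security(ie: bytes) -> list:
    """Render every AKM/pairwise-cipher combination as PROTOCOL-AKM-CIPHER."""
    rsn = parse_rsn_element(ie)
    names = set()
    for akm in rsn["akms"]:
        proto = "WPA3" if akm in ("SAE", "FT-SAE") else "WPA2"
        for cipher in rsn["pairwise_ciphers"]:
            names.add(f"{proto}-{akm}-{cipher}")
    return sorted(names)


def parse_auth_frame_body(body: bytes) -> dict:
    """Decode the fixed fields of an Authentication frame body."""
    if len(body) < 6:
        raise ValueError("authentication frame body too short")
    algorithm, seq, status = struct.unpack_from("<HHH", body, 0)
    if algorithm not in AUTH_ALGORITHMS:
        raise ValueError(f"invalid algorithm type with code [{algorithm}]")
    info = {"algorithm": AUTH_ALGORITHMS[algorithm], "sequence": seq, "status": status}
    if algorithm == 3:                        # SAE: seq 1 = Commit, seq 2 = Confirm
        info["sae_message"] = {1: "COMMIT", 2: "CONFIRM"}.get(seq, "UNKNOWN")
        if seq == 1 and len(body) >= 8:       # Commit starts with the finite cyclic group
            info["finite_cyclic_group"] = struct.unpack_from("<H", body, 6)[0]
    return info


# Constructed sample: WPA2/WPA3 transition-mode RSN IE (PSK and SAE AKMs, CCMP, MFPC set)
RSN_TRANSITION_MODE = bytes.fromhex(
    "30 18" "01 00" "00 0f ac 04" "01 00" "00 0f ac 04"
    "02 00" "00 0f ac 02" "00 0f ac 08" "80 00")
# Constructed sample: WPA2-PSK-only RSN IE without the optional capabilities field
RSN_WPA2_PSK = bytes.fromhex(
    "30 12" "01 00" "00 0f ac 04" "01 00" "00 0f ac 04" "01 00" "00 0f ac 02")
# Constructed sample: SAE Commit fixed fields (algorithm 3, sequence 1, status 0, group 19);
# the scalar and element that follow in a real Commit are left out
SAE_COMMIT = bytes.fromhex("03 00" "01 00" "00 00" "13 00")

if __name__ == "__main__":
    print(describe_security(RSN_TRANSITION_MODE))   # ['WPA2-PSK-CCMP', 'WPA3-SAE-CCMP']
    print(describe_security(RSN_WPA2_PSK))          # ['WPA2-PSK-CCMP']
    print(parse_auth_frame_body(SAE_COMMIT))
```

Note how the transition-mode element yields two security strings from a single probe response; a detector that compares the advertised security against a single expected value will treat either one as a change unless its configuration accepts both, which matches the "alerts for BOTH" observation earlier in the thread. An authentication frame whose algorithm number is not in the table is rejected rather than guessed at, which is the same behaviour as the "Invalid algorithm type" log line, only with SAE now enumerated.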

lennartkoopmann commented 3 years ago

Thank you! I'll try to set up a WPA3 test network and implement it. Very good point.

lennartkoopmann commented 3 years ago

I've read up on WPA3 a little and I think I got it to work. Adding some tests and also checking the uplink message generation but I'm confident.

lennartkoopmann commented 3 years ago

Tested that it works with PSK SHA256, too. SAE authentication sequence is parsed and tested.

lennartkoopmann commented 3 years ago

PR is #375

lennartkoopmann commented 3 years ago

Done and merged.