secdev / scapy

Scapy: the Python-based interactive packet manipulation program & library.
https://scapy.net
GNU General Public License v2.0

Dot11Elt() adding \xC2 into RSN info? #4408

Closed PhatHub closed 1 month ago

PhatHub commented 1 month ago

Brief description

I am attempting to send out a WiFi beacon packet, but bytes (\xc2) are being added into the "RSN info" field.

Scapy version

2.6.0rc1.dev20

Python version

3.8.10

Operating system

Ubuntu 20.04

Additional environment information

Version: 2.6.0rc1.dev20 Adapter: Ralink RT5370 OS: Ubuntu 20.04

How to reproduce

I have taken the example from this blog. Below was the code I tried to run:

from scapy.all import Dot11,Dot11Beacon,Dot11Elt,RadioTap,sendp,hexdump

netSSID = 'testLockedSSID'       #Network name here
iface = '(wifidevice)'         #Interface name here

dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff',
              addr2='22:22:22:22:22:22', addr3='33:33:33:33:33:33')
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID))
# info is a str literal here (no b prefix): scapy UTF-8-encodes it when building, so each \xac becomes \xc2\xac
rsn = Dot11Elt(ID='RSN', info=("\x01\x00\x00\x0f\xac\x02\x02\x00\x00\x0f\xac\x04\x00\x0f\xAC\x02\x01\x00\x00\x0f\xAC\x02\x00\x00"))

frame = RadioTap()/dot11/beacon/essid/rsn

frame.show()
print("\nHexdump of frame:")
hexdump(frame)
input("\nPress enter to start\n")

sendp(frame, iface=iface, inter=0.100, loop=1)

Actual result

Here is the frame.show() of the packet showing the added \xc2 (between each \x0f and \xac) in the RSN info field.

###[ RadioTap ]###
  version   = 0
  pad       = 0
  len       = None
  present   = None
  notdecoded= b''
###[ 802.11 ]###
     subtype   = Beacon
     type      = Management
     proto     = 0
     FCfield   = 
     ID        = 0
     addr1     = ff:ff:ff:ff:ff:ff (RA=DA)
     addr2     = 22:22:22:22:22:22 (TA=SA)
     addr3     = 33:33:33:33:33:33 (BSSID/STA)
     SC        = 0
###[ 802.11 Beacon ]###
        timestamp = 0
        beacon_interval= 100
        cap       = ESS+privacy
###[ 802.11 Information Element ]###
           ID        = SSID
           len       = 14
           info      = b'testLockedSSID'
###[ 802.11 Information Element ]###
           ID        = RSN
           len       = None
           info      = b'\x01\x00\x00\x0f\xc2\xac\x02\x02\x00\x00\x0f\xc2\xac\x04\x00\x0f\xc2\xac\x02\x01\x00\x00\x0f\xc2\xac\x02\x00\x00'

Expected result

The RSN info bytes have added '\xc2' after every '\x0f' byte. The RSN info field should actually look like:

###[ 802.11 Information Element ]###
           ID        = RSN
           len       = None
           info      = b'\x01\x00\x00\x0f\xac\x02\x02\x00\x00\x0f\xac\x04\x00\x0f\xac\x02\x01\x00\x00\x0f\xac\x02\x00\x00'

Related resources

In addition, when trying to scan for SSIDs using iw dev wlo1 scan I get the following bogus tail data for the beacon I put out, which includes the \xc2 bytes in the RSN info:

BSS 33:33:33:33:33:33(on wlo1)
    last seen: 4925421.232s [boottime]
    TSF: 0 usec (0d, 00:00:00)
    freq: 2417
    beacon interval: 100 TUs
    capability: ESS Privacy (0x0011)
    signal: -17.00 dBm
    last seen: 25456 ms ago
    SSID: testLockedSSID
    RSN:     * Version: 1
         * Group cipher: 00-0f-c2:172
         * bogus tail data (22): 02 02 00 00 0f c2 ac 04 00 0f c2 ac 02 01 00 00 0f c2 ac 02 00 00

PhatHub commented 1 month ago

Sorry, found the answer in #2076, where the "b" has to be added for binary strings.
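The root cause above (a str literal instead of a bytes literal, per #2076) is easy to catch before a frame goes on the air. The following is an added example, not code from the issue or from scapy: it uses only the standard library, so it runs without a wireless interface. `to_wire` reproduces the UTF-8 encoding a packet builder applies to a str field, `str_encoding_inflates` is a pre-send check for that mistake, and `parse_rsn` walks the RSN element body in its IEEE 802.11 layout (version, group cipher suite, pairwise suites, AKM suites, capabilities) and returns whatever does not fit as `tail`, which is the "bogus tail data" iw printed. The two RSN bodies are constructed from the issue text; the suite-name tables cover only the selectors that appear there.

```python
import struct

# Constructed from the issue: the RSN body as the reporter wrote it (a str)
# and as the fix from #2076 writes it (a bytes literal).
RSN_AS_STR = ("\x01\x00\x00\x0f\xac\x02\x02\x00\x00\x0f\xac\x04\x00\x0f\xAC"
              "\x02\x01\x00\x00\x0f\xAC\x02\x00\x00")
RSN_AS_BYTES = (b"\x01\x00\x00\x0f\xac\x02\x02\x00\x00\x0f\xac\x04\x00\x0f\xac"
                b"\x02\x01\x00\x00\x0f\xac\x02\x00\x00")

# IEEE 802.11 suite selectors under OUI 00-0F-AC (only those used in the issue).
CIPHER_SUITES = {2: "TKIP", 4: "CCMP-128"}
AKM_SUITES = {2: "PSK"}


def to_wire(info):
    """What a packet builder does with a str field: UTF-8 encode it.

    '\\xac' in a str is U+00AC, which UTF-8 encodes as C2 AC, so every such
    character grows by one byte; a bytes value passes through unchanged.
    """
    if isinstance(info, str):
        return info.encode("utf-8")
    return bytes(info)


def str_encoding_inflates(info):
    """True when a str field would change length on the wire (missing b prefix)."""
    return isinstance(info, str) and len(info.encode("utf-8")) != len(info)


def suite_name(selector, table):
    """Readable name for a 4-byte suite selector, else 'oui:type' like iw prints."""
    oui, stype = selector[:3], selector[3]
    if oui == b"\x00\x0f\xac" and stype in table:
        return table[stype]
    return "%s:%d" % ("-".join("%02x" % b for b in oui), stype)


def parse_rsn(body):
    """Parse an RSN IE body like a scanner does and keep any leftovers as 'tail'.

    Layout: version(2) group_cipher(4) pairwise_count(2) pairwise(4*n)
            akm_count(2) akm(4*m) rsn_caps(2) ...
    When a count claims more suites than bytes remain, parsing stops there and
    the rest is returned as tail (iw reports this as bogus tail data).
    """
    result = {"version": None, "group_cipher": None, "pairwise": [],
              "akm": [], "rsn_caps": None, "tail": b""}
    pos = 0
    if len(body) < 2:
        result["tail"] = body
        return result
    result["version"] = struct.unpack_from("<H", body, pos)[0]
    pos += 2
    if len(body) - pos < 4:
        result["tail"] = body[pos:]
        return result
    result["group_cipher"] = body[pos:pos + 4]
    pos += 4
    for key in ("pairwise", "akm"):
        remaining = len(body) - pos
        if remaining < 2:
            result["tail"] = body[pos:]
            return result
        count = struct.unpack_from("<H", body, pos)[0]
        if 2 + 4 * count > remaining:
            # Count does not fit the bytes left: give up here, as iw does.
            result["tail"] = body[pos:]
            return result
        pos += 2
        result[key] = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(count)]
        pos += 4 * count
    if len(body) - pos >= 2:
        result["rsn_caps"] = struct.unpack_from("<H", body, pos)[0]
        pos += 2
    result["tail"] = body[pos:]
    return result


def describe(info):
    """One-line summary of an RSN body as it would appear on the wire."""
    p = parse_rsn(to_wire(info))
    parts = ["version=%s" % p["version"]]
    if p["group_cipher"] is not None:
        parts.append("group=%s" % suite_name(p["group_cipher"], CIPHER_SUITES))
    parts.append("pairwise=%s" % [suite_name(s, CIPHER_SUITES) for s in p["pairwise"]])
    parts.append("akm=%s" % [suite_name(s, AKM_SUITES) for s in p["akm"]])
    if p["tail"]:
        parts.append("bogus tail (%d): %s" % (len(p["tail"]), p["tail"].hex(" ")))
    return " ".join(parts)


if __name__ == "__main__":
    for label, info in (("str literal", RSN_AS_STR), ("bytes literal", RSN_AS_BYTES)):
        print("%-13s inflates=%s  %s" % (label, str_encoding_inflates(info), describe(info)))
```

Run as a script it prints the str version with group cipher `00-0f-c2:172` and a 22-byte bogus tail, matching the iw output in the issue, and the bytes version as version 1, group TKIP, pairwise CCMP-128 and TKIP, AKM PSK with no tail. Dropping `str_encoding_inflates` into the build path as an assertion on every `Dot11Elt` info value would have flagged the problem before the first beacon was sent.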