vanhoefm / fragattacks


Wrong test setup for sanity check #48

Closed Flynask closed 2 years ago

Flynask commented 2 years ago

Hi, Vanhoefm

I'm having trouble passing the sanity check (--ap mode) to verify my setup: the live USB image you provided, a WN-H3 Atheros AR9271 in injection mode, a RALINK RT5370 for AP hosting, and my target is a Raspberry Pi 3 Model B.

I went through the troubleshooting checklist:

wlx001986719691=RALINK RT5370, wlxf469d5800472=WN-H3 Atheros AR9271

(venv) root@ubuntu:/home/ubuntu/fragattacks/research# ./fragattack.py wlx001986719691 --debug 2 --inject wlxf469d5800472 --ap ping
[19:27:08] This is FragAttack version 1.3.
[19:27:08] Detected ath9k_htc, using injection bug workarounds
[19:27:08] Using interface wlxf469d5800472 (ath9k_htc) to inject frames.
[19:27:08] Starting hostapd using: ../hostapd/hostapd -i wlx001986719691 hostapd.conf -dd -K
random: Trying to read entropy from /dev/random
Configuration file: hostapd.conf
ctrl_interface_group=0
[...]
[19:27:12] Obtained encryption keys from daemon
[19:27:12] Action.AfterAuth
[19:27:13] b8:27:eb:39:e5:ae: DHCP reply 192.168.100.2 to b8:27:eb:39:e5:ae
[19:27:13] Client b8:27:eb:39:e5:ae with IP 192.168.100.2 has connected
[19:27:13] Waiting on IP before forming next actions: False
[19:27:13] Action.Connected
[19:27:13] Generating ping test
[19:27:13] Using key b2eba885b8959cb4acc2ec8609a07192 to encrypt <Dot11  subtype=8 type=Data FCfield=from-DS addr1=b8:27:eb:39:e5:ae addr2=00:19:86:71:96:91 addr3=00:19:86:71:96:91 SC=288 |<Dot11QoS  TID=2 |<LLC  dsap=0xaa ssap=0xaa ctrl=3 |<SNAP  code=IPv4 |<IP  frag=0 proto=icmp src=192.168.100.1 dst=192.168.100.2 |<ICMP  |<Raw  load='test_ping_icmp' |>>>>>>>
[19:27:13] [Injected] <Dot11  subtype=8 type=Data FCfield=from-DS+protected addr1=b8:27:eb:39:e5:ae addr2=00:19:86:71:96:91 addr3=00:19:86:71:96:91 SC=288 |<Dot11QoS  TID=2 |<Dot11CCMP  PN0=1 PN1=1 key_id=0 ext_iv=1 PN2=0 PN3=0 PN4=0 PN5=0 |<Raw  load='\xc3i|b\xb1\xf14"\x87C\xdb\x9a\xf7}o\xdf|@\xc9\xb8\t\x1a\xf5\xbc\x1a~\xdd/g\xda\xbd\x1a8\x15\x80\x8f&\xd4\x96:u`+\xa8t\x86\x12J\x84a' |<Raw  load='\x83\xe4\xed\x88\x7fZ\x82!' |>>>>>
nl80211: Event message available
nl80211: BSS Event 59 (NL80211_CMD_FRAME) received for wlx001986719691
nl80211: MLME event 59 (NL80211_CMD_FRAME) on wlx001986719691(00:19:86:71:96:91) A1=ff:ff:ff:ff:ff:ff A2=ec:9b:f3:71:c0:87
nl80211: MLME event frame - hexdump(len=134): 40 00 00 00 ff ff ff ff ff ff ec 9b f3 71 c0 87 ff ff ff ff ff ff 90 03 00 00 01 04 02 04 0b 16 32 08 0c 12 18 24 30 48 60 6c 03 01 03 2d 1a 2d 00 17 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 08 00 00 08 80 01 40 00 40 6b 01 0f dd 05 50 6f 9a 10 10 dd 13 00 90 4c 04 08 bf 0c 32 58 81 0f fa ff 00 00 fa ff 00 00 dd 07 00 50 f2 08 00 11 00 dd 09 00 10 18 02 00 00 10 00 00
nl80211: Frame event
nl80211: RX frame da=ff:ff:ff:ff:ff:ff sa=ec:9b:f3:71:c0:87 bssid=ff:ff:ff:ff:ff:ff freq=2422 ssi_signal=-45 fc=0x40 seq_ctrl=0x390 stype=4 (WLAN_FC_STYPE_PROBE_REQ) len=134
nl80211: send_mlme - da=ec:9b:f3:71:c0:87 noack=1 freq=0 no_cck=0 offchanok=0 wait_time=0 no_encrypt=0 fc=0x50 (WLAN_FC_STYPE_PROBE_RESP) nlmode=3
nl80211: send_mlme - Use bss->freq=2422
nl80211: send_mlme -> send_frame_cmd
nl80211: CMD_FRAME freq=2422 wait=0 no_cck=0 no_ack=1 offchanok=0
CMD_FRAME - hexdump(len=178): 50 00 00 00 ec 9b f3 71 c0 87 00 19 86 71 96 91 00 19 86 71 96 91 00 00 00 00 00 00 00 00 00 00 64 00 11 04 00 08 6f 70 65 6e 77 69 66 69 01 08 82 84 8b 96 0c 12 18 24 03 01 03 2a 01 04 32 04 30 48 60 6c 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 0c 00 2d 1a 0c 00 12 ff 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 3d 16 03 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 08 00 00 00 00 00 00 00 40 dd 18 00 50 f2 02 01 01 01 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f 00
nl80211: Frame TX command accepted (no ACK); cookie 0x0
nl80211: Event message available
nl80211: BSS Event 59 (NL80211_CMD_FRAME) received for wlx001986719691
nl80211: MLME event 59 (NL80211_CMD_FRAME) on wlx001986719691(00:19:86:71:96:91) A1=ff:ff:ff:ff:ff:ff A2=ec:9b:f3:71:c0:87
nl80211: MLME event frame - hexdump(len=134): 40 00 00 00 ff ff ff ff ff ff ec 9b f3 71 c0 87 ff ff ff ff ff ff a0 03 00 00 01 04 02 04 0b 16 32 08 0c 12 18 24 30 48 60 6c 03 01 03 2d 1a 2d 00 17 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 08 00 00 08 80 01 40 00 40 6b 01 0f dd 05 50 6f 9a 10 10 dd 13 00 90 4c 04 08 bf 0c 32 58 81 0f fa ff 00 00 fa ff 00 00 dd 07 00 50 f2 08 00 11 00 dd 09 00 10 18 02 00 00 10 00 00
nl80211: Frame event
nl80211: RX frame da=ff:ff:ff:ff:ff:ff sa=ec:9b:f3:71:c0:87 bssid=ff:ff:ff:ff:ff:ff freq=2422 ssi_signal=-47 fc=0x40 seq_ctrl=0x3a0 stype=4 (WLAN_FC_STYPE_PROBE_REQ) len=134
nl80211: send_mlme - da=ec:9b:f3:71:c0:87 noack=1 freq=0 no_cck=0 offchanok=0 wait_time=0 no_encrypt=0 fc=0x50 (WLAN_FC_STYPE_PROBE_RESP) nlmode=3
nl80211: send_mlme - Use bss->freq=2422
nl80211: send_mlme -> send_frame_cmd
nl80211: CMD_FRAME freq=2422 wait=0 no_cck=0 no_ack=1 offchanok=0
CMD_FRAME - hexdump(len=178): 50 00 00 00 ec 9b f3 71 c0 87 00 19 86 71 96 91 00 19 86 71 96 91 00 00 00 00 00 00 00 00 00 00 64 00 11 04 00 08 6f 70 65 6e 77 69 66 69 01 08 82 84 8b 96 0c 12 18 24 03 01 03 2a 01 04 32 04 30 48 60 6c 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 0c 00 2d 1a 0c 00 12 ff 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 3d 16 03 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 08 00 00 00 00 00 00 00 40 dd 18 00 50 f2 02 01 01 01 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f 00
nl80211: Frame TX command accepted (no ACK); cookie 0x0
[19:27:18] >>> Test timed out! Retry to be sure, or manually check result.

fragattacks.log

vanhoefm commented 2 years ago

Is there a reason why you are using the --inject wlxf469d5800472 parameter? This parameter hasn't been extensively tested. The Atheros dongle can act as AP and simultaneously be used to inject frames. In other words, try:

./fragattack.py wlxf469d5800472 --debug 2 --ap ping

When running the script like this, Linux will automatically retransmit the injected frame if it's not acknowledged.

Flynask commented 2 years ago

Thank you for this quick response.

I've been testing with this parameter because the retransmission behavior test of the WN-H3 Atheros AR9271 wasn't conclusive:

./fragattack.py wlxf469d5800472 ping --inject-test monwlan --ap

Also, I've had the same issue running without it.

Here's the log from trying that command; it's not so different from the one previously linked: fragattacks2.log

vanhoefm commented 2 years ago

This might be because the Wi-Fi chip of the Raspberry is going into sleep mode. You could try disabling sleep mode on the Raspberry: https://raspberrypi.stackexchange.com/questions/47087/raspberry-pi-3-wifi-goes-to-sleep

If that doesn't help:

Flynask commented 2 years ago

1. I have disabled the sleep mode and I had the same result (Test timed out): fragattacks3.log

2. With a different client (Samsung Galaxy S6), it actually worked one out of two times:

3. Here's the capture with the other dongle in monitor mode: fragattacks-cap.zip

vanhoefm commented 2 years ago

From the capture I can see that the injected ping request is received by the Raspberry (it's acknowledged). The Packet Number of 101 should also be good (no higher PN has been used previously). So that all seems good; I would expect the Raspberry to properly receive and decrypt the ping request.

Next things to check:
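The capture check described above (injected frame acknowledged, PN not previously used) can be automated. The following is an added example, not code from the fragattacks project: it parses the 802.11 MAC header plus the CCMP header and applies the receiver-side PN replay rule. The protected data frames are constructed; the probe request header bytes are taken from the hexdump in the log above.

```python
"""CCMP packet-number (PN) replay check over captured 802.11 frames. Added
example, not code from the fragattacks project; data frames are constructed,
the probe request header is copied from the hexdump in the thread above."""
import struct

PROTECTED, EXT_IV = 0x40, 0x20  # Protected Frame bit (FC byte 1), ExtIV bit (CCMP byte 3)

def parse_frame(raw):  # minimal parser: assumes no Address 4 and no HT Control
    fc0, fc1 = raw[0], raw[1]
    info = {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "addr2": raw[10:16].hex(":"), "tid": 0,
            "seq_ctrl": struct.unpack_from("<H", raw, 22)[0]}
    hdr_len = 24
    if info["type"] == 2 and info["subtype"] & 0x8:  # QoS data subtypes
        info["tid"] = raw[24] & 0x0F
        hdr_len += 2
    if fc1 & PROTECTED:  # CCMP header: PN0 PN1 rsvd KeyID/ExtIV PN2..PN5
        pn0, pn1, _, kid, pn2, pn3, pn4, pn5 = raw[hdr_len:hdr_len + 8]
        if not kid & EXT_IV:
            raise ValueError("ExtIV clear: not a CCMP/GCMP header")
        info["key_id"] = kid >> 6
        info["pn"] = int.from_bytes(bytes([pn0, pn1, pn2, pn3, pn4, pn5]), "little")
    return info

def check_replay(frames):
    """Per transmitter, key id and TID, each PN must exceed the last accepted PN."""
    last, verdicts = {}, []
    for f in map(parse_frame, frames):
        if "pn" not in f:
            verdicts.append("unprotected")
            continue
        key = (f["addr2"], f["key_id"], f["tid"])
        fresh = f["pn"] > last.get(key, -1)
        if fresh:
            last[key] = f["pn"]
        verdicts.append(f"{'ok' if fresh else 'replay'} pn={f['pn']}")
    return verdicts

def build_qos_data(pn, seq, key_id=0, tid=2):  # constructed FromDS QoS data frame
    hdr = bytes([0x88, 0x02 | PROTECTED, 0, 0])            # FC, duration
    hdr += bytes.fromhex("b827eb39e5ae") + bytes.fromhex("001986719691") * 2
    hdr += struct.pack("<H", seq << 4) + bytes([tid, 0])   # seq ctrl, QoS ctrl
    pn_b = pn.to_bytes(6, "little")
    ccmp = pn_b[:2] + bytes([0, EXT_IV | (key_id << 6)]) + pn_b[2:]
    return hdr + ccmp + b"\x00" * 16                        # dummy ciphertext

PROBE_REQ = bytes.fromhex("40 00 00 00 ff ff ff ff ff ff ec 9b f3 71 c0 87 "
                          "ff ff ff ff ff ff 90 03 00 00 01 04 02 04 0b 16")
SAMPLE = [PROBE_REQ, build_qos_data(100, 288), build_qos_data(101, 289),
          build_qos_data(101, 289), build_qos_data(99, 290)]
```

Running `check_replay(SAMPLE)` flags the repeated PN 101 and the lower PN 99 as replays, which is exactly what a client will silently drop; a fresh, higher PN is what the thread confirms for the injected ping.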

Flynask commented 2 years ago

Yay! After updating the fragattacks version on the live USB, the test was successful for the Raspberry Pi 3 Model B by adding a 5 second delay, --pre-test-delay 5 (I still had the issue with only a 2 second delay).

Thank you for your replies and your amazing work on both KRACK and FragAttacks.