Closed hsuethan closed 2 years ago
How did you obtain the decrypted bytes? And on which device were these packets captured: on the system that is running the fragattack tool or on the system being tested? It seems as if the bytes that you mention in "remaining IP data" are still encrypted and/or were incorrectly decrypted.
Can you show the full output of the tool? Which wireless network card are you using?
Thank you. It seems that there is a problem with the tool parsing. I use an Ellisys Bluetooth Analyzer; my Wi-Fi USB dongle is a Realtek RTL8192CU 802.11n WLAN Adapter.
The data decrypted on Ellisys is:
A3 DB D1 13 02 01 AD 9C 65 BA 14 06 D1 D7 4A 16 64 C6 7E E0 C8 75 F8 47 FE
The data decrypted on Wireshark is:
a8 64 2d 08 00 09 14 00 00 00 00 74 65 73 74 5f 70 69 6e 67 5f 69 63 6d 70
I am confirming this with Ellisys corporation.
Hi
I'm verifying "Mixed key attacks" and see the wrong packet content. My environment is the live CD (https://github.com/vanhoefm/fragattacks#id-live-image). This is my test command with this IP address:
./fragattack.py wlan0 --ap --ip 192.168.100.254 --peerip 192.168.100.45 ping I,F,BE,AE
Below is the raw data:
Fragment 1: 88 46 66 00 90 F1 57 E7 ED C4 00 1A EF 51 23 41 00 1A EF 51 23 41 30 01 02 00 AA AA 03 00 00 00 08 00 45 00 00 2A 00 01 00 00 40 01 30 56 C0 A8 64 FE C0 5C AD 7C 2B
==> IP header: 45 00 00 2A 00 01 00 00 40 01 30 56 C0 A8 64 FE C0
Fragment 2: 88 4A 76 00 90 F1 57 E7 ED C4 00 1A EF 51 23 41 00 1A EF 51 23 41 31 01 02 00 32 B0 4A 91 1C 49 A2 57 DF E8 4D 3C D9 03 57 94 74 C1 A5 E6 19 D7 4F 59 A8
==> remaining IP data: 32 B0 4A 91 1C 49 A2 57 DF E8 4D 3C D9 03 57 94 74 C1 A5 E6 19 D7 4F 59 A8
Decoding the IP header with https://hpd.gasmi.net/, the Destination Address is 192.50.176.74.
The tool injects fragmented frames into other IP/wrong addresses, so we timed out in this test.
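A check on the byte strings quoted in this thread, as an added example that is not part of the original posts or of the fragattacks tool: it reads the fragment fields from the two 802.11 headers, joins the 17 IP bytes of fragment 1 with each quoted version of fragment 2's 25 bytes, and tests the IPv4 total length and header checksum. The function names and dictionary labels are assumptions made for this example.

```python
import ipaddress

# Byte strings copied from the posts above.
# 802.11 QoS data headers (frame control through QoS control) of both fragments.
HDR1 = bytes.fromhex("88 46 66 00 90 F1 57 E7 ED C4 00 1A EF 51 23 41 00 1A EF 51 23 41 30 01 02 00")
HDR2 = bytes.fromhex("88 4A 76 00 90 F1 57 E7 ED C4 00 1A EF 51 23 41 00 1A EF 51 23 41 31 01 02 00")
# IP bytes carried by fragment 1 (after the 8-byte LLC/SNAP header).
FRAG1_IP = bytes.fromhex("45 00 00 2A 00 01 00 00 40 01 30 56 C0 A8 64 FE C0")
# Three quoted versions of the 25 bytes carried by fragment 2.
TAILS = {
    "reported": bytes.fromhex("32 B0 4A 91 1C 49 A2 57 DF E8 4D 3C D9 03 57 94 74 C1 A5 E6 19 D7 4F 59 A8"),
    "ellisys": bytes.fromhex("A3 DB D1 13 02 01 AD 9C 65 BA 14 06 D1 D7 4A 16 64 C6 7E E0 C8 75 F8 47 FE"),
    "wireshark": bytes.fromhex("a8 64 2d 08 00 09 14 00 00 00 00 74 65 73 74 5f 70 69 6e 67 5f 69 63 6d 70"),
}

def frag_info(hdr):
    """Fragment-related fields of an 802.11 data header."""
    flags = hdr[1]                                   # second frame-control byte
    seq_ctrl = int.from_bytes(hdr[22:24], "little")  # after three addresses
    return {
        "seq": seq_ctrl >> 4,
        "frag": seq_ctrl & 0x0F,
        "more_frags": bool(flags & 0x04),
        "protected": bool(flags & 0x40),
    }

def ipv4_checksum_ok(header):
    """One's-complement sum over the header must fold to 0xFFFF."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def reassemble(tail):
    """Join fragment 1's IP bytes with one version of fragment 2 and check the header."""
    packet = FRAG1_IP + tail
    header = packet[:(packet[0] & 0x0F) * 4]         # IHL is in 32-bit words
    return {
        "dst": str(ipaddress.IPv4Address(header[16:20])),
        "length_ok": int.from_bytes(header[2:4], "big") == len(packet),
        "checksum_ok": ipv4_checksum_ok(header),
    }

if __name__ == "__main__":
    print(frag_info(HDR1), frag_info(HDR2))
    for name, tail in TAILS.items():
        print(name, reassemble(tail))
```

Only the first three bytes of fragment 2 land in the destination address field, so an undecrypted or wrongly decrypted second fragment changes the decoded address and fails the header checksum, while a correct decryption passes it.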