Issue opened by pococ31 (closed 2 years ago)
Start the fragattack script in AP mode using the --ap parameter. Then trigger an event so that the IoT device will connect to the network created by the script.
I followed the above steps. After triggering the event, the IoT device connects to the AP and the script starts to run, but it pauses at "[13:00:39] Waiting on client xx:xx:xx:xx:xx:xx to get IP" and no DHCP/IP allocation happens. The script resumes at "wlan0: AP-STA-DISCONNECTED xx:xx:xx:xx:xx:xx".
What is happening? How reliable is the result?
================================================
┌──(venv)─(root㉿kali)-[/home/kali/fragattacks-master/research]
└─# ./fragattack.py --ap wlan0 ping I,E --amsdu
[13:00:25] This is FragAttack version 1.3.
[13:00:25] You are not running patched drivers, meaning this tool may give incorrect results!
[13:00:25] To ignore this warning and timeout add the parameter --no-drivercheck
[13:00:30] Using interface monwlan0 (mt76x0u) to inject frames.
[13:00:30] Starting hostapd using: ../hostapd/hostapd -i wlan0 hostapd.conf -K
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: authenticated
wlan0: AP-STA-ASSOCIATING xx:xx:xx:xx:xx:xx handle_assoc
[13:00:37] Client xx:xx:xx:xx:xx:xx is connecting
[13:00:37] Station: setting BSS MAC address yy:yy:yy:yy:yy:yy
wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated (aid 1)
wlan0: EAPOL-TX xx:xx:xx:xx:xx:xx 0203005f02008a001000000000000000015e0eaf20d94c6def9d8411d8c37bac6d025c111a92e77d33bb905d1789cb2bc80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[13:00:38] Action.StartAuth
[13:00:38] [Injected packet] <Dot11 subtype=8 type=Data FCfield=from-DS addr1=xx:xx:xx:xx:xx:xx addr2=yy:yy:yy:yy:yy:yy addr3=yy:yy:yy:yy:yy:yy SC=256 |<Dot11QoS TID=1 |<LLC dsap=0xaa ssap=0xaa ctrl...
wlan0: EAPOL-TX xx:xx:xx:xx:xx:xx 020300970213ca001000000000000000025e0eaf20d94c6def9d8411d8c37bac6d025c111a92e77d33bb905d1789cb2bc800000000000000000000000000000000000000000000000000000000000000001c0e65ac7806553a0f2e4ce1e6e5e8c800388334c408783c6e4e51dd3798ff941887b3d99e4a3beb603dd3ae1f0efdc165e70da2337ebf81eceac8c38116bad736363595a1b5c7d4f839
[13:00:38] Action.BeforeAuth
[13:00:38] [Injected packet] <Dot11 subtype=8 type=Data FCfield=from-DS addr1=xx:xx:xx:xx:xx:xx addr2=yy:yy:yy:yy:yy:yy addr3=yy:yy:yy:yy:yy:yy SC=272 |<Dot11QoS TID=1 |<LLC dsap=0xaa ssap=0xaa ctrl...
wlan0: AP-STA-CONNECTED xx:xx:xx:xx:xx:xx
wlan0: STA xx:xx:xx:xx:xx:xx RADIUS: starting accounting session 830B87EE4C1136F0
wlan0: STA xx:xx:xx:xx:xx:xx WPA: pairwise key handshake completed (RSN)
[13:00:38] Obtained encryption keys from daemon
[13:00:38] Action.AfterAuth
[13:00:39] Action.Connected
[13:00:39] Waiting on client xx:xx:xx:xx:xx:xx to get IP
wlan0: AP-STA-DISCONNECTED xx:xx:xx:xx:xx:xx
wlan0: AP-STA-ASSOCIATING xx:xx:xx:xx:xx:xx handle_assoc
wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: authenticated
[13:01:02] Client xx:xx:xx:xx:xx:xx is connecting
[13:01:02] Station: setting BSS MAC address yy:yy:yy:yy:yy:yy
wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated (aid 1)
wlan0: EAPOL-TX xx:xx:xx:xx:xx:xx 0203005f02008a00100000000000000001235e13ced20fcd1deea0912d65db1498a1b57e177d03acdb90f82e78aeff0dc70000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[13:01:03] Action.StartAuth
[13:01:03] [Injected packet] <Dot11 subtype=8 type=Data FCfield=from-DS addr1=xx:xx:xx:xx:xx:xx addr2=yy:yy:yy:yy:yy:yy addr3=yy:yy:yy:yy:yy:yy SC=288 |<Dot11QoS TID=1 |<LLC dsap=0xaa ssap=0xaa ctrl...
wlan0: EAPOL-TX xx:xx:xx:xx:xx:xx 020300970213ca00100000000000000002235e13ced20fcd1deea0912d65db1498a1b57e177d03acdb90f82e78aeff0dc70000000000000000000000000000000015000000000000000000000000000000eb7fa66248af9407b5e2437401047449003826c32c145c4aaa7bd54bc103ab417761c4cd97efbe19af1e3d3299d19e62ec2a0972074dde260eb2cbf6e9dc7cde364c625585d4965318bf
[13:01:03] Action.BeforeAuth
[13:01:03] [Injected packet] <Dot11 subtype=8 type=Data FCfield=from-DS addr1=xx:xx:xx:xx:xx:xx addr2=yy:yy:yy:yy:yy:yy addr3=yy:yy:yy:yy:yy:yy SC=304 |<Dot11QoS TID=1 |<LLC dsap=0xaa ssap=0xaa ctrl...
wlan0: AP-STA-CONNECTED xx:xx:xx:xx:xx:xx
wlan0: STA xx:xx:xx:xx:xx:xx RADIUS: starting accounting session 830B87EE4C1136F0
wlan0: STA xx:xx:xx:xx:xx:xx WPA: pairwise key handshake completed (RSN)
[13:01:03] Obtained encryption keys from daemon
[13:01:03] Action.AfterAuth
[13:01:04] Action.Connected
[13:01:04] Generating ping test
[13:01:04] Using key 0cbf71ff76ac0672950feba9938f808b to encrypt <Dot11 subtype=8 type=Data FCfield=from-DS addr1=xx:xx:xx:xx:xx:xx addr2=yy:yy:yy:yy:yy:yy addr3=yy:yy:yy:yy:yy:yy SC=320 |<Dot11QoS Reserved=1 TID=2 |<Ether dst=xx:xx:xx:xx:xx:xx src=yy:yy:yy:yy:yy:yy type=0x32 |<Raw load='\xaa\xaa\x03\x00\x00\x00\x08\x00E\x00\x00*\x00\x01\x00\x00@\x01|\xd0\x7f\x00\x00\x01\x7f\x00\x00\x01\x08\x00\t\x14\x00\x00\x00\x00test_ping_icmp' |<Raw |>>>>>
[13:01:04] [Injected] <Dot11 subtype=8 type=Data FCfield=from-DS+protected addr1=xx:xx:xx:xx:xx:xx addr2=yy:yy:yy:yy:yy:yy addr3=yy:yy:yy:yy:yy:yy SC=320 |<Dot11QoS Reserved=1 TID=2 |<Dot11CCMP PN0=1 PN1=1 key_id=0 ext_iv=1 PN2=0 PN3=0 PN4=0 PN5=0 |<Raw load='stT\x80\xb4\xfeC\xfa\x83\xfb\x8e\xdf]\xf3e\xc3\xf5lW+\xd4\x8b\x17[\xc0\xd2H\x83\xe0\x00\x96"\x1a\xd4\xabp\x86\x15\x17\x95\tw1:\x01\x8f\x15\x1b\x98\xe0\x12\x86er7\xd0>N\x9c\xe78\xa8\xde\x81' |<Raw load='Z\xa8X\x8e\x07\xafmv' |>>>>>
[13:01:09] >>> Test timed out! Retry to be sure, or manually check result.
[13:01:09] Closing daemon and cleaning up ...
wlan0: interface state ENABLED->DISABLED
wlan0: AP-STA-DISCONNECTED xx:xx:xx:xx:xx:xx
wlan0: AP-DISABLED
wlan0: CTRL-EVENT-TERMINATING
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
First, a question just to double-check: when you connect with a different client to the AP, do you also see the "AP-STA-DISCONNECTED" after "Waiting on client xx:xx:xx:xx:xx:xx to get IP"?
With the test "ping I,E --amsdu" that you are using, the result should still be correct (since this test only injects frames once the device under test has requested an IP address). It seems like the IoT device that you are testing doesn't support A-MSDU frames.
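One way to triage a run like this, as an added Python example that is not part of fragattacks or of this thread: it splits the script's output into connection attempts and reports whether the client dropped off while the script was still waiting for it to obtain an IP (the first attempt above), or whether a test frame was actually sent and then timed out (the second). The sample log and the function names are constructed for the example.

```python
import re
# Constructed sample log, modelled on the output quoted in this issue
# (client MAC redacted as xx:xx:... exactly as in the post; not real data).
SAMPLE_LOG = """\
[13:00:37] Client xx:xx:xx:xx:xx:xx is connecting
[13:00:39] Waiting on client xx:xx:xx:xx:xx:xx to get IP
wlan0: AP-STA-DISCONNECTED xx:xx:xx:xx:xx:xx
[13:01:02] Client xx:xx:xx:xx:xx:xx is connecting
[13:01:04] Generating ping test
[13:01:04] [Injected] <Dot11 subtype=8 type=Data FCfield=from-DS+protected ...
[13:01:09] >>> Test timed out! Retry to be sure, or manually check result.
wlan0: AP-STA-DISCONNECTED xx:xx:xx:xx:xx:xx
"""
# fragattack.py lines carry a [HH:MM:SS] prefix; hostapd lines do not.
STAMP = r"^(?:\[\d\d:\d\d:\d\d\] )?"

def triage(log: str) -> dict:
    """Split the log into connection attempts and record, per attempt, whether the
    client dropped off while the script was still waiting for it to obtain an IP."""
    attempts: list = []
    cur: dict = {}
    outcome = "not-reached"       # no test frame was ever injected
    for line in log.splitlines():
        if re.match(STAMP + r"Client \S+ is connecting", line):
            cur = {"waiting_for_ip": False, "dropped_while_waiting": False, "injected": 0}
            attempts.append(cur)
        elif not cur:
            continue              # hostapd chatter before the first association
        elif re.match(STAMP + r"Waiting on client \S+ to get IP", line):
            cur["waiting_for_ip"] = True
        elif re.match(STAMP + r"\[Injected\]", line):   # the test frame, not the EAPOL "[Injected packet]"
            cur["injected"] += 1
            cur["waiting_for_ip"] = False   # injection starts only after an IP was observed
        elif "AP-STA-DISCONNECTED" in line and cur["waiting_for_ip"]:
            cur["dropped_while_waiting"] = True
        elif "Test timed out" in line:
            outcome = "timeout"
        elif re.match(STAMP + r">>> ", line):
            outcome = line.split(">>> ", 1)[1].strip()   # any other final status, kept verbatim
    return {"attempts": attempts, "outcome": outcome}

def verdict(summary: dict) -> str:
    if summary["outcome"] == "not-reached":
        return "no test frame sent: the client never obtained an IP, so there is no result yet"
    if summary["outcome"] == "timeout":
        return "test frame sent but no reply before the timeout: rerun to confirm"
    return "script reported: " + str(summary["outcome"])
```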
For battery-operated WiFi clients that join the network only when an event occurs, how do you use the frag script to detect the vulnerability?