Detect benign retransmissions and new handshakes

README.md

@@ -24,14 +24,6 @@ Essentially, it wraps a normal `wpa_supplicant` client, and will keep replaying
 
 Remember that this is not an attack script! You require credentials to the network in order to test if an access point is affected by the attack.
 
-**This tool may incorrectly say an AP is vulnerable to due benign retransmissions of data frames.** However, we are already releasing this code because the script got leaked. Please run this script in an environment with low background noise. Benign retransmissions can be detected in the output of the script: if two data frames have the same `seq` (sequence number), it's a benign retransmission. Example of such a benign retransmission:
-
-	[15:48:47] AP transmitted data using IV=5 (seq=4)
-	[15:48:47] AP transmitted data using IV=5 (seq=4)
-	[15:48:47] IV reuse detected (IV=5, seq=4). AP is vulnerable!
-
-Here there was a benign retransmission of a data frame, because both frames used the same sequence number (`seq`). This wrongly got detected as IV reuse. There is code to fix this ready, but merging those fixes may take some time.
-
 
 # Suggested Solution
 

krack-ft-test.py

@@ -20,9 +20,7 @@ IEEE80211_RADIOTAP_CHANNEL = (1 << 3)
 IEEE80211_RADIOTAP_TX_FLAGS = (1 << 15)
 IEEE80211_RADIOTAP_DATA_RETRIES = (1 << 17)
 
-#TODO: - !!! Detect retransmissions based on packet time and sequence counter (see client tests) !!!
 #TODO: - Merge code with client tests to avoid code duplication (including some error handling)
-#TODO: - Detect new EAPOL handshake or normal association frames (reset state and stop replaying)
 #TODO: - Option to use a secondary interface for injection + WARNING if a virtual interface is used + repeat advice to disable hardware encryption
 #TODO: - Test whether injection works on the virtual interface (send probe requests to nearby AP and wait for replies)
 #TODO: - Execute rfkill unblock wifi because some will forget this
@@ -151,14 +149,20 @@ class KRAckAttackFt():
 
 		self.sock  = None
 		self.wpasupp = None
+
+		self.reset_client()
+
+	def reset_client(self):
 		self.reassoc = None
-		self.ivs = set()
+		self.ivs = IvCollection()
 		self.next_replay = None
 
-	def handle_rx(self):
-		p = self.sock.recv()
-		if p == None: return
+	def start_replay(self, p):
+		assert Dot11ReassoReq in p
+		self.reassoc = p
+		self.next_replay = time.time() + 1
 
+	def process_frame(self, p):
 		# Detect whether hardware encryption is decrypting the frame, *and* removing the TKIP/CCMP
 		# header of the (now decrypted) frame.
 		# FIXME: Put this check in MitmSocket? We want to check this in client tests as well!
@@ -173,32 +177,35 @@ class KRAckAttackFt():
 				log(ERROR, "   Try to disable hardware encryption, or use a 2nd interface for injection.", showtime=False)
 				quit(1)
 
-
-		if p.addr2 == self.clientmac and Dot11ReassoReq in p:
+		# Client performing a (possible new) handshake
+		if self.clientmac in [p.addr1, p.addr2] and Dot11Auth in p:
+			self.reset_client()
+			log(INFO, "Detected Authentication frame, clearing client state")
+		elif p.addr2 == self.clientmac and Dot11ReassoReq in p:
+			self.reset_client()
 			if get_tlv_value(p, IEEE_TLV_TYPE_RSN) and get_tlv_value(p, IEEE_TLV_TYPE_FT):
 				log(INFO, "Detected FT reassociation frame")
-				self.reassoc = p
-				self.next_replay = time.time() + 1
+				self.start_replay(p)
 			else:
 				log(INFO, "Reassociation frame does not appear to be an FT one")
-				self.reassoc = None
-			self.ivs = set()
-
 		elif p.addr2 == self.clientmac and Dot11AssoReq in p:
 			log(INFO, "Detected normal association frame")
-			self.reassoc = None
-			self.ivs = set()
+			self.reset_client()
 
 		elif p.addr1 == self.clientmac and Dot11WEP in p:
 			iv = dot11_get_iv(p)
 			log(INFO, "AP transmitted data using IV=%d (seq=%d)" % (iv, dot11_get_seqnum(p)))
-
-			# FIXME: When the client disconnects (or reconnects), clear the set of used IVs
-			if iv in self.ivs:
+			if self.ivs.is_iv_reused(p):
 				log(INFO, ("IV reuse detected (IV=%d, seq=%d). " +
 					"AP is vulnerable!") % (iv, dot11_get_seqnum(p)), color="green")
 
-			self.ivs.add(iv)
+			self.ivs.track_used_iv(p)
+
+	def handle_rx(self):
+		p = self.sock.recv()
+		if p == None: return
+
+		self.process_frame(p)
 
 	def configure_interfaces(self):
 		log(STATUS, "Note: disable Wi-Fi in your network manager so it doesn't interfere with this script")

libwifi.py

@@ -71,3 +71,40 @@ def get_tlv_value(p, type):
 		el = el.payload
 	return None
 
+
+class IvInfo():
+	def __init__(self, p):
+		self.iv = dot11_get_iv(p)
+		self.seq = dot11_get_seqnum(p)
+		self.time = p.time
+
+	def is_reused(self, p):
+		"""Return true if frame p reuses an IV and if p is not a retransmitted frame"""
+		iv = dot11_get_iv(p)
+		seq = dot11_get_seqnum(p)
+		return self.iv == iv and self.seq != seq and p.time >= self.time + 1
+
+class IvCollection():
+	def __init__(self):
+		self.ivs = dict() # maps IV values to IvInfo objects
+
+	def reset(self):
+		self.ivs = dict()
+
+	def track_used_iv(self, p):
+		iv = dot11_get_iv(p)
+		self.ivs[iv] = IvInfo(p)
+
+	def is_iv_reused(self, p):
+		"""Returns True if this is an *observed* IV reuse and not just a retransmission"""
+		iv = dot11_get_iv(p)
+		return iv in self.ivs and self.ivs[iv].is_reused(p)
+
+	def is_new_iv(self, p):
+		"""Returns True if the IV in this frame is higher than all previously observed ones"""
+		iv = dot11_get_iv(p)
+		if len(self.ivs) == 0: return True
+		return iv > max(self.ivs.keys())
+
+
+