Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

bugfixes and TODOs

Mathy Vanhoef 6 years ago
parent
ae5a1c7e64
commit
b30235f41e
1 changed files with 15 additions and 2 deletions
Split View Show Diff Stats
  1. 15 2
      krackattack/krack-test-client.py

+ 15 - 2
krackattack/krack-test-client.py
View File 

@@ -14,11 +14,23 @@ from libwifi import *
 
 import sys, socket, struct, time, subprocess, atexit, select, os.path
 
 from wpaspy import Ctrl
 
 
+# Concrete TODOs:
 
+# 0. Option to send plaintext retransmissions of message 3 (this is now easy to do)
 
+# 1. More reliable group key high RSC installation test in the 4-way HS (see below)
 
+# 2. Test for unicast replay protection
 
+# 3. Retransmit the handshake messages?
 
+# 4. --group --gtkinit is a bit unreliable. Perhaps due to race condition between
 
+#    install the group key and sending the broadcast ARP request?
 
+# 5. How are we sure the broadcast ARP indeed using a PN=1? We should monitor
 
+#    this interface and throw an error if there is other traffic!
 
+
 
 # TODOs:
 
 # - Always mention 4-way handshake attack test (normal, tptk, tptk-rand)
 
 # - Stop testing a client even when we think it's patched?
 
 # - The --gtkinit with the 4-way handshake is very sensitive to packet loss
 
 # - Add an option to test replays of unicast traffic
 
+# - Also send replayed broadcast using a PN of 2 to avoid edge cases where
 
+#   the client may always reject PNs of zero or 1.
 
 
 # Futute work:
 
 # - If the client installs an all-zero key, we cannot reliably test the group key handshake
 
@@ -379,7 +391,7 @@ class KRAckAttackClient():
 
 			hostapd_command(self.hostapd_ctrl, cmd)
 
 
 		# Send a replayed broadcast ARP request to the client
 
-		request = Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(op=1, hwsrc=self.apmac, psrc=self.broadcast_sender_ip, pdst=clientip)
 
+		request = Ether(src=self.apmac, dst="ff:ff:ff:ff:ff:ff")/ARP(op=1, hwsrc=self.apmac, psrc=self.broadcast_sender_ip, pdst=clientip)
 
 		self.sock_eth.send(request)
 
 		client.broadcast_requests_sent += 1
 
 		log(INFO, "%s: sending broadcast ARP to %s from %s (sent %d ARPs this interval)" % (client.mac,
 
@@ -497,7 +509,7 @@ class KRAckAttackClient():
 
 							hostapd_command(self.hostapd_ctrl, "RESEND_M1 " + client.mac + " change-anonce")
 
 
 						# Note that we rely on an encrypted message 4 as reply to detect pairwise key reinstallations reinstallations.
 
-						hostapd_command(self.hostapd_ctrl, "RESEND_M3 " + client.mac + ("maxrsc" if self.options.gtkinit else ""))
 
+						hostapd_command(self.hostapd_ctrl, "RESEND_M3 " + client.mac + (" maxrsc" if self.options.gtkinit else ""))
 
 
 					# 2. Test if broadcast ARP request are accepted by the client. Keep injecting even
 
 					#    to PATCHED clients (just to be sure they keep rejecting replayed frames).
 
@@ -507,6 +519,7 @@ class KRAckAttackClient():
 
 
 						# 2b. Send new broadcast ARP requests (and handshake messages if needed)
 
 						if client.vuln_bcast != ClientState.VULNERABLE and client.mac in self.dhcp.leases:
 
+							time.sleep(1)
 
 							self.broadcast_send_request(client)