Kernel/iwd
3
0
Fork 0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-22 06:29:23 +01:00
Code Releases Activity

auto-t: Rework spoofing code

Browse Source 
Use scapy library which allows one to easily construct and fudge various
network packets.  This makes constructing spoofed packets much easier
and more readable compared to hex-encoded, hand-crafted frames.
This commit is contained in:
Denis Kenzior 2022-05-11 17:18:38 -05:00
parent 2019823443
commit e44ccf3daa
1 changed files with 51 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
autotests/util/hwsim.py
View File

@ -6,6 +6,8 @@ import collections
from weakref import WeakValueDictionary from weakref import WeakValueDictionary
from abc import ABCMeta, abstractmethod from abc import ABCMeta, abstractmethod
from enum import Enum from enum import Enum
from scapy.all import *
from scapy.contrib.wpa_eapol import WPA_key
import iwd import iwd
from config import ctx from config import ctx
@ -396,28 +398,59 @@ class Hwsim(iwd.AsyncOpAbstract):
def object_manager(self): def object_manager(self):
return self._object_manager_if return self._object_manager_if
@staticmethod
def _convert_address(address):
first = int(address[0:2], base=16)
first |= 0x40
first = format(first, 'x')
address = first + address[2:]
return address
def spoof_disassociate(self, radio, freq, station): def spoof_disassociate(self, radio, freq, station):
''' '''
Send a spoofed disassociate frame to a station Send a spoofed disassociate frame to a station
''' '''
dest = radio.addresses[0].replace(':', '') frame = Dot11()/Dot11Disas(reason=7)
frame[Dot11].addr1 = station
frame[Dot11].addr2 = radio.addresses[0]
frame[Dot11].addr3 = radio.addresses[0]
frame = 'a0 00 3a 01' self.spoof_frame(radio, freq, station, raw(frame))
frame += station.replace(':', '')
frame += dest def spoof_deauthenticate(self, radio, freq, station):
frame += dest '''
frame += '30 01 07 00' Send a spoofed deauthenticate frame to a station
self.spoof_frame(radio, freq, station, frame) '''
frame = Dot11()/Dot11Deauth(reason=6)
frame[Dot11].addr1 = station
frame[Dot11].addr2 = radio.addresses[0]
frame[Dot11].addr3 = radio.addresses[0]
self.spoof_frame(radio, freq, station, raw(frame))
def spoof_eap_fail(self, radio, freq, station):
'''
Send a spoofed EAP-Failure frame to a station
'''
frame = Dot11(type="Data", subtype=0)
frame[Dot11].addr1 = station
frame[Dot11].addr2 = radio.addresses[0]
frame[Dot11].addr3 = radio.addresses[0]
frame /= LLC()/SNAP()/EAPOL( version="802.1X-2001" )
frame /= EAP( code="Failure" )
self.spoof_frame(radio, freq, station, raw(frame))
def spoof_invalid_ptk_1_of_4(self, radio, freq, station):
'''
Send a spoofed PTK 1/4 frame to a station
'''
frame = Dot11(type="Data", subtype=0)
frame[Dot11].addr1 = station
frame[Dot11].addr2 = radio.addresses[0]
frame[Dot11].addr3 = radio.addresses[0]
# NOTE: Expected key_info is 0x008a, with the install flag
# this becomes 0x00ca.
eapol = WPA_key( descriptor_type = 2,
key_info = 0x00ca, # Includes an invalid install flag!
replay_counter = struct.pack(">Q", 100))
frame /= LLC()/SNAP()/EAPOL(version="802.1X-2004", type="EAPOL-Key")
frame /= eapol
self.spoof_frame(radio, freq, station, raw(frame))
def spoof_frame(self, radio, freq, station, frame): def spoof_frame(self, radio, freq, station, frame):
''' '''
@ -442,7 +475,7 @@ class Hwsim(iwd.AsyncOpAbstract):
HWSIM_INTERFACE_INTERFACE) HWSIM_INTERFACE_INTERFACE)
iface.SendFrame(dbus.ByteArray.fromhex(station.replace(':', '')), iface.SendFrame(dbus.ByteArray.fromhex(station.replace(':', '')),
freq, -30, dbus.ByteArray.fromhex(frame)) freq, -30, frame)
def get_radio(self, name): def get_radio(self, name):
for path in self.radios: for path in self.radios: