Home

Awesome

<div align="center">FragAttacks: Fragmentation & Aggregation Attacks</div>

1. Introduction

This repository contains the FragAttacks tool. It can test Wi-Fi clients and access points for fragmentation and aggregation attacks. These vulnerabilities affect all protected Wi-Fi networks. For more information about these vulnerabilities see fragattacks.com.

The following additional resources are available:

See the change log for a detailed overview of updates to the tool made since 11 August 2020. This change log also contains information on which version of hostap the FragAttacks tool is based on.

Note that the attacks are identical against WPA2 and WPA3 because their CCMP and GCMP encryption ciphers are identical. Older WPA networks by default use TKIP for encryption, and the applicability of the attacks against TKIP are discussed in the paper and on the website. To illustrate that Wi-Fi has been vulnerable since its creation, the paper and website also briefly discusses the applicability of the attacks against WEP.

<a id="id-supported-cards"></a>

2. Supported Network Cards

Only specific wireless network cards are supported. This is because some network cards may overwrite the sequence or fragment number of injected frames, or may reorder frames of different priority, and this interferes with the test tool (i.e. the tool might say a device is secure although it's not). I have confirmed that the following network cards work properly:

Network CardUSB5GHzmixed modeinjection mode
Technoethical N150 HGAYesNopatched driver/firmwarepatched driver/firmware
TP-Link TL-WN722N v1.xYesNopatched driver/firmwarepatched driver/firmware
Alfa AWUS036NHAYesNopatched driver/firmwarepatched driver/firmware
Intel Wireless-AC 8265NoYespatched driveryes
Intel Wireless-AC 3160NoYespatched driveryes
Alfa AWUS036ACMYesYespatched driveryes
Netgear WN111v2YesNopatched driveryes
Alfa AWUS036ACHYesYesnoyes

The last two columns signify:

  1. Mixed mode: whether the network card can be used in the recommended mixed mode.

  2. Injection mode: whether the network card can be used as a second interface to inject frames in injection mode.

Yes indicates the card works out-of-the-box in the given mode. Patched driver/firmware means that the card is compatible when used with patched drivers and/or firmware. No means this mode is not supported by the network card. I recommend using the test tool in mixed mode.

Note that USB devices can be used inside a virtual machine, and the modified drivers and/or firmware can be installed in this virtual machine. However, I found that the usage of virtual machines can make network cards less reliable, and I instead recommend the usage of a live USB image if you cannot install the modified drivers/firmware natively.

My experience with the above network cards can be found here. Summarized:

If you are unable to find one of the above network cards, you can search for alternative network cards that have a high chance of also working. When using a network card that is not explicitly supported I strongly recommend to first run the injection tests before using it, and using the tool against a known-vulnerable implementation to confirm the tool works properly.

<a id="id-prerequisites"></a>

3. Prerequisites

The test tool was tested on Ubuntu 20.04 using kernel 5.8. If you use another Linux distribution, please note that only kernel versions below or equal to 5.12 are supported.

Ubuntu 20.04 specific

When using Ubuntu 20.04 you will first have to install kernel 5.8 as follows. Note that your existing kernel will keep being installed and will also keep being used by default:

sudo apt install linux-image-5.8.0-63-generic linux-headers-5.8.0-63-generic linux-hwe-5.8-headers-5.8.0-63 \
	linux-modules-5.8.0-63-generic linux-modules-extra-5.8.0-63-generic

Now reboot Ubuntu, hold the shift key while booting, select "Advanced options for Ubuntu", and then start kernel 5.8 by picking "Ubuntu, with Linux 5.8.0-63-generic". You can edit your GRUB config so Ubuntu will use this kernel version by default. Continue the next instructions under this now-running kernel.

General Instructions

Install the required dependencies:

sudo apt-get update
sudo apt-get install libnl-3-dev libnl-genl-3-dev libnl-route-3-dev libssl-dev \
	libdbus-1-dev git pkg-config build-essential macchanger net-tools python3-venv \
	aircrack-ng rfkill firmware-ath9k-htc
# Note: on Kali linux use the package firmware-atheros instead of firmware-ath9k-htc

Now clone this repository, build the tools, and configure a virtual python3 environment:

git clone https://github.com/vanhoefm/fragattacks.git fragattacks
cd fragattacks/research
./build.sh
./pysetup.sh

The above instructions only have to be executed once. After pulling in new code using git you do have to execute ./build.sh and ./pysetup.sh again.

<a id="id-patched-drivers"></a>

4. Patched Drivers

Install patched drivers using:

sudo apt-get install bison flex linux-headers-$(uname -r)
git clone https://github.com/vanhoefm/fragattacks-drivers58.git fragattacks-drivers58
cd fragattacks-drivers58
make defconfig-wifi
make -j 4
sudo make install

This compiles the drivers for most network cards supported by Linux. If you only want to compile the drivers for network cards I explicitly tested, use make defconfig-experiments instead. During the install command you may get several warnings containing .. needs unknown symbol ... You can ignore these warning as long they do not contain the directory /lib/modules/*/updates/ and the compiled drivers are working.

Now install patched ath9k_htc firmware:

cd research/ath9k-firmware/
./install.sh
# Now reboot

The ./install.sh script assumes the ath9k_htc firmware images are located in the directory /lib/firmware/ath9k_htc. If this is not the case on your system you have to manually copy htc_7010.fw and htc_9271.fw to the appropriate directory.

After installing the patched drivers and firmware you must unplug your Wi-Fi dongles and reboot your system. The above instructions have to be executed again if your Linux kernel gets updated or if the patched drivers get updated.

Note that even when your device works out of the box, I still recommend to install the modified drivers, as this assures there are no unexpected regressions in kernel and driver code.

In case you cannot install the modified drivers/firmware natively, you can download a live USB image that contains the modified drivers/firmware along with our test tool. Alternatively, you can use a virtual machine with USB network cards, although I found that using a virtual machine is less reliable in pratice.

<a id="id-before-every-usage"></a>

5. Before every usage

Every time you want to use the test tool, you first have to load the virtual python environment as root. This can be done using:

cd research
sudo su
source venv/bin/activate

You should now disable Wi-Fi in your network manager so it will not interfere with the test tool. Also make sure no other network services are causing outgoing traffic. You can assure this by using iptables to block traffic by executing ./droptraffic.sh (you can revert this by rebooting). Optionally check using sudo airmon-ng check to see which other processes might be using the wireless network card and might interfere with our tool.

The test tool can test both clients and APs:

<a id="id-interface-modes"></a>

6. Interface Modes

<a id="id-mixed-mode"></a>

6.1. Mixed mode

This mode requires only one wireless network card, but generally requires a patched driver and/or firmware. See Patched Drivers on how to install patched drivers/firmware, and Supported Network Cards for compatible network cards. Execute the test tool in this mode using:

./fragattack.py wlan0 [--ap] $COMMAND

Possible values of $COMMAND are listed in testing for vulnerabilities and extended vulnerability tests.

One advantage of this mode is that it works fairly well when testing clients that may enter a sleep state. Nevertheless, if possible, I recommend disabling sleep functionality of the client being tested, see Handling sleep mode.

<a id="id-injection-mode"></a>

6.2. Injection mode

This mode requires two wireless network cards: one will act as an AP or the client, and the other one will be used to inject frames. The advantage is that this mode way work without requiring patched drivers. Execute the test tool in this mode using:

./fragattack.py wlan0 --inject wlan1 [--ap] $COMMAND

Here interface wlan0 will act as a legitimate client or AP, and wlan1 will be used to inject frames. For wlan0, any card that supports normal client or AP mode on Linux can be used. For wlan1, a card must be used that supports injection mode according to Supported Network Cards.

When testing clients in this mode, injected frames may be sent when the client is in a sleep state. This causes attacks to fail, so you must make sure the client will not enter a sleep state.

<a id="id-hwsim-mode"></a>

6.3. Hwsim mode

This mode is experimental and only for research purposes. See hwsim mode details for more information.

<a id="id-testing-for-flaws"></a>

7. Testing for Vulnerabilities

You can test devices by running the test tool as discussed in interface modes and replacing $COMMAND with one of the commands in the table blow. We assume that clients will request an IP using DHCP (if this is not the case see static IP configuration). All commands work against both clients and APs unless noted otherwise.

The tool outputs TEST COMPLETED SUCCESSFULLY if the device is vulnerable to the attack corresponding to the given $COMMAND, and outputs Test timed out! Retry to be sure, or manually check result if the device is not vulnerable. After the test completed you can close the test tool using CTRL+C. Most attacks have several slight variants represented by different $COMMAND values.

Verifying the result of some tests requires running tcpdump or wireshark on the device under test (the table below states if tcpdump has to be used). This tcpdump packet capture must only include packets that passed PHY and MAC layer processing. For instance, on Linux this capture should be made while the wireless interface is in "managed" or "ap" mode, not in monitor mode, meaning the capture will only contain packets that passed processing at the Wi-Fi layer. See avoiding tcpdump on APs for a discussion on how some tests can nevertheless be performed without having to run tcpdump on APs.

To verify your test setup, the first command in the table below performs a normal ping that must succeed. The second command sends the ping as two fragmented Wi-Fi frames, and should only fail in the rare case that the tested device doesn't support fragmentation. In case one of these tests is not working, follow the instructions in network card injection test to assure your network card is properly injecting frames. If the client being tested might enter sleep mode, see Handling sleep mode.

The third, fourth, and fifth commands are not attacks but verify basic defragmentation behaviour of a device and are further discussed below the table.

CommandShort description
<div align="center">Sanity checks</div>
pingSend a normal ping.
ping I,E,ESend a normal fragmented ping.
<div align="center">Basic device behaviour</div>
ping I,E,E --delay 5Send a normal fragmented ping with a 5 second delay between fragments.
ping-frag-sepSend a normal fragmented ping with fragments separated by another frame.
ping-frag-sep --pn-per-qosSame as above, but also works if the target only accepts consecutive PNs.
<div align="center">A-MSDU attacks (§3)</div>
ping I,E --amsduSend a ping encapsulated in a normal (non SPP protected) A-MSDU frame.
amsdu-injectSimulate attack: send A-MSDU frame whose start is also a valid rfc1042 header.
amsdu-inject-badSame as above, but against targets that incorrectly parse the frame.
<div align="center">Mixed key attacks (§4)</div>
ping I,F,BE,AEInject two fragments encrypted under a different key.
ping I,F,BE,AE --pn-per-qosSame as above, but also works if the target only accepts consecutive PNs.
<div align="center">Cache attacks (§5)</div>
ping I,E,R,AEInject a fragment, try triggering a reassociation, and inject second fragment.
ping I,E,R,ESame as above, but with a longer delay before sending the second fragment.
ping I,E,R,AE --full-reconInject a fragment, deauthenticate and reconnect, then inject second fragment.
ping I,E,R,E --full-reconSame as above, but with a longer delay before sending the second fragment.
<div align="center">Non-consecutive PNs attack (§6.2)</div>
ping I,E,E --inc-pn 2Send a fragmented ping with non-consecutive packet numbers.
<div align="center">Mixed plain/encrypt attack (§6.3)</div>
ping I,E,PSend a fragmented ping: first fragment encrypted, second fragment in plaintext.
ping I,P,ESend a fragmented ping: first fragment in plaintext, send fragment encrypted.
ping I,PSend a plaintext ping.
ping I,P,PSend a fragmented ping: both fragments are sent in plaintext.
linux-plainMixed plaintext/encrypted fragmentation attack specific to Linux.
<div align="center">Broadcast fragment attack (§6.4)</div>
ping I,D,P --bcast-raSend a unicast ping in a plaintext broadcasted 2nd fragment once connected.
ping D,BP --bcast-raSame as above, but frame is sent during 4-way handshake (check with tcpdump).
<div align="center">A-MSDU EAPOL attack (§6.5)</div>
eapol-amsdu I,PSend a plaintext A-MSDU containing a ping request cloacked as an EAPOL frame.
eapol-amsdu BPSame as above, but the frame is sent during the handshake (check with tcpdump).
eapol-amsdu-bad I,PSend malformed plain. A-MSDU containing a ping req. cloacked as EAPOL frame.
eapol-amsdu-bad BPSame as above, but the frame is sent while connecting (check with tcpdump).

How commands match to CVEs is listed below. Note that for implementation flaws we list a reference CVE identifier, however, vendors may use different CVEs because an implementation vulnerability normally receives a unique CVE for each affected codebase. We nevertheless recommend to always refer to these reference CVEs as a way to easily refer to each type of discovered implementation flaw.

<a id="id-test-sanity"></a>

7.1. Sanity checks

<a id="id-test-behaviour"></a>

7.2. Basic device behaviour

<a id="id-test-amsdu"></a>

7.3. A-MSDU attack tests (§3 -- CVE-2020-24588)

The test ping I,E --amsdu checks if an implementation supports non-SPP A-MSDUs (it doesn't check if the device is vulnerable to CVE-2020-24588). To prevent attacks, ideally the network must mandate the usage of SPP A-MSDUs and drop all non-SPP A-MSDUs. However, most vendors are currently implementing ad-hoc mitigations instead (see Section 7.2 of the paper). Because of this, you must use the following two tests to check whether a device is vulnerable to aggregation (A-MSDU) attacks (CVE-2020-24588):

<a id="id-test-mixedkey"></a>

7.4. Mixed key attack tests (§4 -- CVE-2020-24587)

<a id="id-test-cache"></a>

7.5. Cache attack tests (§5 -- CVE-2020-24586)

<a id="id-test-nonconsec"></a>

7.6. Non-consecutive PNs attack (§6.2 -- CVE-2020-26146)

In our experiments, this test only failed against Linux and against devices that don't support fragmentation.

<a id="id-test-mixplainenc"></a>

7.7. Mixed plain/encrypt attack (§6.3 -- CVE-2020-26147/26140/26143)

<a id="id-test-broadcastfrag"></a>

7.8. Broadcast fragment attack tests (§6.4 -- CVE-2020-26145)

The following two tests send broadcast frames, which are not automatically retransmitted, and it is therefore recommended to execute them several times. This is because background noise may prevent the tested devices from receiving the injected broadcast frame. In my experiments, mainly clients were affected (out of the tested APs only Free/NetBSD ones were affected).

<a id="id-test-cloackamsdu"></a>

7.9. A-MSDU EAPOL attack tests (§6.5 -- CVE-2020-26144)

<a id="id-troubleshooting"></a>

7.10. Troubleshooting checklist

In case the test tool doesn't appear to be working, check the following:

  1. Check that no other process is using the network card (e.g. kill your network manager).

  2. If everything worked previously, try unplugging your Wi-Fi dongle, restart your computer or virtual machine, and then try again. Also try to disable hardware encryption using the disable-hwcrypto.sh script (reboot your computer after executing this script).

  3. Assure the device you are testing doesn't enter a sleep state (causing it to miss injected frames). I recommend running the test tool in mixed mode since this better handles clients that may go into a sleep state.

  4. Run the injection tests to make sure injection is working properly. Also assure that a 20 MHz channel is used, injection on other channels is untested.

  5. Check that your machine isn't generating background traffic that interferes with the tests. In particular, disable networking in your OS, manually kill your DHCP client/server, etc. See also Before every usage.

  6. Confirm that you are connecting to the correct network. Double-check client.conf.

  7. Make sure the AP being tested is using (AES-)CCMP as the encryption algorithm. Other encryption algorithms such as TKIP or GCMP are not supported.

  8. If you updated the code using git, execute ./build.sh and ./pysetup.sh again (see Prerequisites). In case the patched drivers got updated, remember to recompile them as well.

  9. If you are using a virtual machine, try to run the test tool from a live USB image instead.

  10. Check that the tested device doesn't block ICMP ping requests. In case it doesn't reply to pings, you can run tcpdump or wireshark on the device, or you can try any of the other methods listed in No ICMP Support.

  11. Run the tool with the extra parameter --debug 2 to get extra debug output from wpa_supplicant or hostapd and from the test tool itself.

  12. Confirm using a second monitor interface that no other frames are sent in between fragments. For instance, I found that my Intel device sometimes sends Block Ack Response Action frames between fragments, and this interfered with the defragmentation process of the device under test.

  13. Double-check that you are using modified firmware if needed for your wireless network card. The test tool already checks this automatically for ath9k_htc devices. The test tool also automatically checks if you are using modified drivers, though it might be good to manually double-check this on your specific Linux distribution.

  14. It may help to add a delay between getting the IP address and the transmission of the first fragment/frame. Do this using the --pre-test-delay parameter.

<a id="id-extended-tests"></a>

8. Extended Vulnerability Tests

Due to implementation variations it can be difficult to confirm/exploit certain vulnerabilities, in particular the mixed key and cache attack can be non-trivial to confirm in practice. Therefore, I recommend to only consider a device secure if there are explicit checks in the code to prevent these attacks. Additionally, if time permits, I also recommend the following more advanced tests. These have a lower chance of uncovering new vulnerabilities, but might reveal attack variants or particular device behaviour that the normal tests can't detect.

If the normal tests in Testing for Vulnerabilities have already confirmed the presence of a certain vulnerability class, there is little need to test the other attack variants of that vulnerability. All commands work against both clients and APs unless noted otherwise.

CommandShort description
<div align="center">A-MSDU attacks (§3)</div>
ping I,E --amsdu-fakeIf this test succeeds, the A-MSDU flag is ignored (§3.5).
ping I,E --amsdu-fake --amsdu-sppCheck if the A-MSDU flag is authenticated but then ignored (§3.5).
<div align="center">Mixed key attacks (§4)</div>
ping I,F,BE,EIn case the new key is installed relatively late.
ping I,E,F,AEVariant if no data frames are accepted during the rekey handshake.
ping I,E,F,AE --rekey-plainIf the device performs the rekey handshake in plaintext.
ping I,E,F,AE --rekey-plain --rekey-reqSame as above, and actively request a rekey as client.
ping I,E,F,AE --rekey-early-installInstall the new key after sending message 3 of the 4-way handshake.
ping I,E,F,E [--rekey-pl] [--rekey-req]Same as above 4 tests, but with longer delay before 2nd fragment.
ping I,F,BE,AE --freebsdMixed key attack against FreeBSD or similar implementations.
<div align="center">Cache attacks (§5)</div>
ping I,E,R,AE --freebsd [--full-reconnect]Cache attack specific to FreeBSD implementations.
ping I,E,R,AP --freebsd [--full-reconnect]Cache attack specific to FreeBSD implementations.
ping I,E,R,AP [--full-reconnect]Cache attack test where 2nd fragment is sent in plaintext.
<div align="center">Mixed plain/encrypt attack (§6.3)</div>
ping I,E,E --amsduSend a normal ping as a fragmented A-MSDU frame.
ping I,E,P,EPing with first frag. encrypted, second plaintext, third encrypted.
linux-plain 3Same as linux-plain but decoy fragment is sent using QoS priority 3.
<div align="center">Broadcast checks (extensions of §6.4)</div>
ping I,P --bcast-raPing in a plaintext broadcast frame after 4-way HS.
ping BP --bcast-ra [--bcast-dst]Ping in plaintext broadcast frame during 4-way HS (use tcpdump).
ping BP [--bcast-dst]Ping in a plaintext frame during the 4-way handshake (use tcpdump).
eapfrag BP,BPExperimental broadcast fragment attack (use tcpdump).
<div align="center">A-MSDU EAPOL attack (§6.5)</div>
eapol-amsdu[-bad] BP --bcast-dstSame as eapol-amsdu BP but easier to verify against APs (use tcpdump).
<div align="center">AP forwards EAPOL attack (§6.6)</div>
eapol-inject 00:11:22:33:44:55Test if AP forwards EAPOL frames before authenticated (use tcpdump).
eapol-inject-large 00:11:22:33:44:55Make AP send fragmented frames by EAPOL injection (use tcpdump).
<div align="center">No fragmentation support attack (§6.8)</div>
ping I,D,ESend ping inside an encrypted second fragment (no 1st fragment).
ping I,E,DSend ping inside an encrypted first fragment (no 2nd fragment).

<a id="id-extended-amsdu"></a>

8.1. A-MSDU attack tests (§3 -- CVE-2020-24588)

It is only useful to execute these two tests if the main test ping I,E --amsdu fails and you want to better understand how the tested device handles A-MSDU frames:

<a id="id-extended-mixedkey"></a>

8.2. Mixed key attack tests (§4 -- CVE-2020-24587)

Most devices I tested are vulnerable to mixed key attacks. In case the normal mixed key attack tests indicate that a device is not vulnerable, but the test ping-frag-sep does succeed, it is highly recommended to try these alternative mixed key attack tests.

As a general remark, when testing an AP, you can add the --rekey-req parameter to any of the mixed key attack tests to actively request a rekey handshake. A low number of APs will then perform the rekey handshake. Most APs will ignore this request though, and have to be explicitly configured to regularly renew the session key (PTK).

Some notes regarding the tests:

Finally, in case the test ping-frag-sep doesn't succeed, you should try the following mixed key attack test:

<a id="id-extended-cache"></a>

8.3. Cache attack tests (§5 -- CVE-2020-24586)

<a id="id-extended-mixplainenc"></a>

8.4. Mixed plain/encrypt attack (§6.3 -- CVE-2020-26147)

<a id="id-extended-bcast-check"></a>

8.5. Broadcast fragment attack tests (extensions of §6.4)

Most of the following tests send broadcast frames, which are not automatically retransmitted, and it is therefore recommended to execute them several times. This is because background noise may prevent the tested devices from receiving the injected broadcast frame. In my experiments, mainly clients were affected. Most clients are only vulnerable while connecting to the network (i.e. during the execution of the 4-way handshake).

<a id="id-extended-bcast-check-ping-bp"></a>

<a id="id-extended-cloackamsdu"></a>

8.6. A-MSDU EAPOL attack tests (§6.5 -- CVE-2020-26144)

This test can be used in case you want to execute the eapol-amsdu[-bad] BP tests but cannot run tcpdump or wireshark on the AP. This test is only meaningfull against APs: the command eapol-amsdu[-bad] BP --bcast-dst causes a vulnerable AP to broadcast the injected ping request to all connected clients. In other words, to check if an AP is vulnerable, execute this command, and listen for broadcast Wi-Fi frames on a second device that is connected to the AP by using the filter icmp or frame contains "test_ping_icmp".

<a id="id-extended-apforward"></a>

8.7. AP forwards EAPOL attack tests (§6.6 -- CVE-2020-26139)

<a id="id-extended-nofrag"></a>

8.8. No fragmentation support attack test (§6.8 -- CVE-2020-26142)

9. Advanced Usage

<a id="id-injection-tests"></a>

9.1. Network card injection tests

Injection mode

The script test-injection.py can be used to test whether frames are properly injected when using injection mode:

./test-injection.py wlan0 wlan1

Here we test if the network card wlan0 properly injects frames and we use network card wlan1 to monitor whether frames are properly injected. Note that both interfaces need to support monitor mode for this test script to work.

In case you do not have a second network card, you can execute a partial injection test using:

./test-injection.py wlan0

Unfortunately, the above test can only test if the kernel overwrites fields of injected frames, it cannot test whether the firmware or wireless chip itself overwrites fields.

Mixed mode

To test whether a network card properly injects frames in mixed mode, which is the mode I recommend to use, you can execute the following two commands:

./fragattack.py wlan0 ping --inject-test wlan1
./fragattack.py wlan0 ping --inject-test wlan1 --ap

Here we test whether wlan0 properly injects frames by monitoring the injected frames using the second network card wlan1. The first command tests if frames are properly injected when using mixed mode while acting as a client, and the second command when using mixed mode while acting as an AP. In order to start the test, the client must be able to connect to a network, and the AP waits until a client is connecting before starting the injection tests (see Before every usage for configuring the connection setup of the client and AP).

If you also want to test the retransmission behaviour of wlan0 in mixed mode you can execute:

./fragattack.py wlan0 ping --inject-test-postauth wlan1
./fragattack.py wlan0 ping --inject-test-postauth wlan1 --ap

In case you do not have a second network card, you can execute a partial mixed mode injection test using:

./fragattack.py wlan0 ping --inject-test[-postauth] self
./fragattack.py wlan0 ping --inject-test[-postauth] self --ap

Unfortunately, the above tests can only test if the kernel overwrites fields of injected frames, it cannot test whether the firmware or wireless chip itself overwrites fields.

Interpreting test results

The test script will give detailed output on which tests succeeded or failed, and will conclude by outputting either ==> The most important tests have been passed successfully or a message indicating that either important tests failed or that it couldn't capture certain injected frames.

Note that the injection scripts only test the most important behaviour. The best way to confirm that injection is properly working is to perform the vulnerability tests against devices that are known to be vulnerable, and confirming that the tool correctly identifies the device(s) as vulnerable.

When certain injected frames could not be captured, this may either be because of background noise, or because the network card being tested is unable to properly inject certain frames (e.g. the firmware of the Intel AX200 crashes when injecting fragmented frames). It could also be that frames are in fact properly injected, but that the network card used to monitor whether frames are injected properly (wlan1 in the above examples) is not reliable and is, for example, missing most frames due to background noise. Try running the tests on a different channel as well.

When the injection tests are working, but you have problems reliably performing the attack tests, this may be because the devices you are testing are entering sleep mode. See Handling sleep mode for additional notes on this problem.

Manual checks notes

When using wireshark to inspect the injection behaviour of a device it is recommended to use a second device in monitor mode to see how frames are injected.

In case you open the interface used to inject frames then you should see injected frames twice: (1) first you see the frame as injected by whatever tool is sending it, and then (2) a second time by how the frame was injected by the driver. These two frames may slightly differ if the kernel overwrote certain fields. If you only see an injected frame once it may have been dropped by the kernel.

<a id="id-static-ip-config"></a>

9.2. Static IP Configuration

In case the device you are testing doesn't support DHCP, you can manually specify the IP addresses that the test tool should use. For example:

./fragattack.py wlan0 [--ap] ping --inject wlan1 --ip 192.168.100.10 --peerip 192.168.100.1

Here the test tool will use IP address 192.168.100.10, and it will inject a ping request to the peer IP address 192.168.100.1.

When a test sends IP packets before obtaining IP addresses using DHCP, it will use the default IP address 127.0.0.1. To use different (default) IP addresses, you can also use the --ip and -peerip parameters.

<a id="id-no-icmp"></a>

9.3. No ICMP Support

Most attack tests work by sending ICMP ping requests in special manners, and seeing wether we receive an ICMP ping response. In case the device being tested does not support ICMP pings you can instead use ARP requests by adding the --arp parameter to all tests. In case a test doesn't support sending ARP requests the tool will display the error Cannot override request type of the selected test, in which case the specific test can only be executed using ICMP ping requests.

TODO: When acting as a client we can also inject DHCP requests intead.

<a id="id-alternative-cards"><a/>

9.4. Alternative network cards

In case you cannot get access to one of the recommended wireless network cards, a second option is to get a network card that uses the same drivers on Linux. In particular, you can try:

  1. Network cards that use ath9k_htc

  2. Network cards that use carl9170

  3. Network cards that use iwlmvm.

I recommend cards based on ath9k_htc. Not all cards that use iwlmvm will be compatible. When using an alternative network card, I strongly recommend to first run the injection tests to confirm that the network card is compatible.

9.5. 5 GHz support

In order to use the test tool on 5 GHz channels the network card being used must allow the injection of frames in the 5 GHz channel. Unfortunately, this is not always possible due to regulatory constraints. To see on which channels you can inject frames you can execute iw list and look under Frequencies for channels that are not marked as disabled, no IR, or radar detection. Note that these conditions may depend on your network card, the current configured country, and the AP you are connected to. For more information see, for example, the Arch Linux documentation.

Note that a device may use different drivers to handle the 2.4 and 5 GHz band. As a result, it is important to test devices in both these bands, since a device may behave differently depending on which frequency band is being used.

Note that in mixed mode the Linux kernel may not allow the injection of frames even though it is allowed to send normal frames. This is because in the function ieee80211_monitor_start_xmit the kernel refuses to inject frames when cfg80211_reg_can_beacon returns false. As a result, Linux may refuse to inject frames even though this is actually allowed. Making cfg80211_reg_can_beacon return true under the correct conditions prevents this bug.

In practice, some people have found that you must first manually set the wireless network card to the 5GHz channel that the AP is operating on. See this GitHub issue for details.

<a id="id-handling-sleep"></a>

9.6. Handling sleep mode

Devices such as mobile phones or IoT gadgets may put their Wi-Fi radio in sleep mode to reduce energy usage. When in sleep mode, these devices are unable to receive Wi-Fi frames, which may interfere with our tests. There are some options to try to mitigate this problem:

  1. Try to disable sleep mode on the device being tested. This is the most reliable solution, but unfortunately not always possible.

  2. Run the test tool in mixed mode. Most network cards will then queue injected frames until the device being tested is awake again.

  3. Try a different network card to perform the tests. I found that different network cards will inject frames at (slightly) different times, and this may be the difference between injected frame properly arriving or being missed. For instance, against a Pixel 4 XL the test tool was unreliable when using a TL-WN722N but worked reliably with an Intel 8265.

  4. Assign static IPs to the device under test and let the test tool use static IPs (see Static IP Configuration). With many tests this can be more reliable because the test tool can then immediately send the test frame instead of first having to use/wait on DHCP.

<a id="id-avoiding-tcpdump-aps"></a>

9.7. Avoiding tcpdump on APs

Some vulnerabilities can only be exploited while the device under test is connecting to the network, i.e., when it's executing the 4-way handshake. This makes them harder to test automatically and typically means that tcpdump or similar has to be used on the device under test. However, APs can be tested without running tcpdump on it. In particular, the broadcast fragment attack tests (CVE-2020-26145) and A-MSDU EAPOL attack tests (CVE-2020-26144) can be performed without running tcpdump on the device under test. Instead, tcpdump has to run on another client connected to the AP. Concretely, the following commands can be used:

With these commands, you can monitor for the ping request on another client that is connected to the AP. In case the ping request is received on this independent client, the AP under test is vulnerable. Unfortunately, currently, it appears hard to test clients against these attack variants without running tcpdump on the client.

<a id="id-notes-device-support"></a>

9.8. Notes on device support

AWUS036ACM

If for some reason Linux does not automatically recognize this dongle, execute sudo modprobe mt76x2u to manually load the driver. This dongle seems reliable with our latest drivers. If the dongle is unreliable, create the file /etc/modprobe.d/mt76.conf with the following content:

options mt76_usb disable_usb_sg=1

Then reboot your machine. Also be sure to use a good USB cable with this dongle! I previously encountered unreliable behavior with this dongle, which was caused by a bad USB 3.0 cable. So if you experience issues, it may help to directly plug in the dongle without using a cable.

When using VirtualBox, make sure you enable USB3.0 so that the dongle gets recognized. See this issue for details.

The AWUS036ACM internally uses a MT7612U chipset. There are now also dongles with a MT7612UN chipset that are also reliable with our testing tool. An example is the CSL Wireless Network Adaptor.

ath9k_htc

The Technoethical N150 HGA, TP-Link TL-WN722N v1.x, and Alfa AWUS036NHA, all use the ath9k_htc driver.

For me these devices worked fairly well in a virtual machine, although like with all devices they are more reliable when used natively. When using a VM, I recommend to configure the VM to use a USB2.0 controller, since that appeared more stable (at least with VirtualBox).

In recent kernels there was a (now fixed) regression with the ath9k_htc driver causing it not to work. Simply use an up-to-date kernel or our patched drivers to avoid this issue.

AWUS036ACH

This device is generally not supported by default in most Linux distributions and requires manual installation of drivers. On Kali Linux you can install the driver using sudo apt install realtek-rtl88xxau-dkms. To install the driver on other distributions check your package manager or follow the installation instructions on GitHub. Before plugging in the device, it is recommended to execute modprobe 88XXau rtw_monitor_retransmit=1.

Unfortunately, this device doesn't work in mixed mode, which is the recommended mode, and is difficult to use in combination with our modified drivers. In practice, you will have to uninstall the modified drivers and then run the test tool using the parameters --no-drivercheck and using --inject wlan0 where wlan0 refers to the AWUS036ACH card. Because of these limitations this device is not recommended.

Intel AX200

I tested the Intel AX200 and found that it is not compatible with the test tool: its firmware crashes after injecting a frame with the More Fragments flag set. If an Intel developer is reading this, please update the firmware and make it possible to inject fragmented frames.

RT5572-based chips

I tested this chipset using the general CSL USB 2.0 WLAN Adapter 300Mbit adapter. After disabling hardware decryption by executing the disable-hwcrypto.sh script I was able to perform a basic ping test (ping). A fragmented ping test (ping I,E,E) was very unreliable but sometimes worked.

The current conclusion is that RT5572 chips might work with the test tool after disabling hardware encryption. But extra experiments are needed to confirm this (feedback is welcome).

<a id="id-hwsim-details"></a>

9.9. Hwsim mode details

Warning: this is currently an experimental mode, only use it for research purposes.

This mode requires only one network card that supports monitor mode, and in contrast to mixed mode, the network card does not have to support virtual interfaces. The disadvantage is that in this mode frames are handled a bit slower, and it is not reliable when the network card does not acknowledge frames:

Before using this mode, create two virtual network cards:

./hwsim.sh

This will output the two created virtual "hwsim" interfaces, for example wlan1 and wlan2. When testing an AP in this mode, you must first search for the channel of the AP, and put the real network card on this channel:

./scan.sh wlan0
ifconfig wlan0 down
iw wlan0 set type monitor
ifconfig wlan0 up
# Pick the channel that the AP is on (in this example 11)
iw wlan0 set channel 11

Here wlan0 refers to the real network card (not an interface created by hwsim.sh). hen testing a client, do do not first have to configure the channel (it is taken from hostapd.conf). You can now start the test tool as follows:

./fragattack.py	 wlan0 --hwsim wlan1,wlan2 [--ap] $COMMAND

After the tool executed, you can directly run it again with a new $COMMAND.

<a id="id-wpa3-sae"></a>

9.10. Testing WPA3 and SAE devices

You can test a WPA3/SAE AP by including the following two lines in client.conf:

key_mgmt=SAE
ieee80211w=1

To test WPA3/SAE clients you can modify hostapd.conf and set the parameters:

wpa_key_mgmt=SAE
ieee80211w=2

We tested the above with an Intel 8265, Intel 3160, Netgear WN111v2 (carl9170), TP-Link TL-WN722N (ath9k_htc) and WNDA3200 (ath9k_htc). With those devices I was able to connect with the AP and run some tests. So it seems this should work with all already supported dongles. Note that I haven't tested this in detail: my assumption has been that whether a device is operating in WPA2 or WPA3 mode won't impact test results.

The provided client.conf by default enables both the hunting-and-pecking method and the hash-to-element method. To set up an AP that supports hash-to-element (and thereby test the latest WPA3/SAE clients) you can modify hostapd.conf and set the parameter:

sae_pwe=2

By setting this value the AP will accept both the hunting-and-pecking method and the hash-to-element method.

<a id="id-live-image"></a>

9.11. Live USB image

Download the live USB image and write it to USB using:

# Unmount in case there's an old partition on the USB
sudo umount /dev/sdb*
# Copy the image
sudo dd bs=4M if=ubuntu-20.04.2-fragattacks-1.3.3-amd64.iso of=/dev/sdb conv=fdatasync status=progress

The sha256sum of the image is 4b973452a08b981778285a33accfd4ce58625a91e8e0eab20941facf54904bba. Replace /dev/sdb with your USB stick. If you're not running Linux, search online how to write an ISO image to your USB stick.

When starting the live image click on "Try Ubuntu" during startup. Start a terminal by right clicking on the desktop and selecting "Open in Terminal" and execute:

cd ~/fragattacks/research
sudo su
nmcli radio wifi off
source venv/bin/activate

You can now run ./fragattacks.py and follow the normal instructions in this README. Remember to disable Wi-Fi using nmcli radio wifi off as shown above, otherwise the network manager of Ubuntu will interfere with the test tool. This README is also present on the live image at ~/fragattacks/README.md.

Note that airmon-ng may be unreliable on the live image and it's better to use iw.

<a id="id-design-notes"></a>

10. Design notes

The arguments given to the ping command define which actions the test tool will perform and when these actions are performed. Each action is separated by a comma (,). By default an action is performed after the client connected, and in that case a single letter represents which action is performed. Note that this is implemented in the stract2action function. Possible actions are:

If there is only a single E or P action, then the ping request is injected as a single frame. If there are multiple E, P actions, then the ping request is fragmented, where the number of fragments equal the number of E or P actions. If there is the special D action, then the ping request is fragmented over the remaining E or P actions (see the examples in the table). This fragmentation behavior is implemented in the PingTest class.

A letter can be put in front of the above actions to change when the action should be performed:

For example see the above two tables with commands.

<a id="id-change-log"></a>

11. Change log

Version 1.3.4 (under progress)::

Version 1.3.3 (11 May 2021):

Version 1.3.2 (8 March 2021):

Version 1.3.1 (1 March 2021):

Version 1.3 (20 January 2021):

Version 1.2 (15 November 2020):

Version 1.1 (20 October 2020):

Version 1.0 (11 August 2020):