Major update to Python3

.gitignore

@@ -33,3 +33,4 @@ wlantest/test_vectors
 wlantest/wlantest
 wlantest/wlantest_cli
 **/parallel-vm.log
+venv/

README.md

@@ -2,24 +2,45 @@ This project contains scripts to test if clients or access points (APs) are affe
 
 Remember that our scripts are not attack scripts! You will need the appropriate network credentials in order to test if an access point or client is affected by the KRACK attack.
 
+**21 January 2021**: the scripts have been made compatible with Python3 and has been updated to better support newer Linux distributions.
+
+
 # Prerequisites
 
 Our scripts were tested on Kali Linux. To install the required dependencies on Kali, execute:
 
-	apt-get update
-	apt-get install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils python-scapy python-pycryptodome virtualenv
+	sudo apt update
+	sudo apt install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils virtualenv
+
+Then **disable hardware encryption**:
+
+	cd krackattack
+	sudo ./disable-hwcrypto.sh
+
+Note that if needed you can later re-enable hardware encryption using the script `sudo ./reenable-hwcrypto.sh`. It's recommended to reboot after disabling hardware encryption. We tested our scripts with an Intel Dual Band Wireless-AC 7260 and a TP-Link TL-WN722N v1 on Kali Linux.
+
+Now compile our modified hostapd instance:
+
+	cd krackattack
+	./build.sh
+
+Finally, to assure you're using compatible python libraries, create a virtualenv with the dependencies listed in `krackattack/requirements.txt`:
+
+	cd krackattack
+	./pysetup.sh
 
-Then **disable hardware encryption** using the script `./krackattack/disable-hwcrypto.sh`. It's recommended to reboot after executing this script. If you want to confirm this script work, execute `systool -vm ath9k_htc` or similar after plugging in your Wi-Fi NIC to confirm the nohwcript/swcrypto/hwcrypto parameter has been set. We tested our scripts with an Intel Dual Band Wireless-AC 7260 and a TP-Link TL-WN722N v1 on Kali Linux.
 
-Finally compile our modified hostapd instance:
+# Before every usage
 
-      cd hostapd
-      cp defconfig .config
-      make -j 2
+Every time before you use the scripts you must **disable Wi-Fi** in your network manager. Then execute:
 
-Remember to disable Wi-Fi in your network manager before using our scripts. After disabling Wi-Fi, execute `sudo rfkill unblock wifi` so our scripts can still use Wi-Fi.
+	sudo rfkill unblock wifi
+	cd krackattack
+	sudo su
+	source venv/bin/activate
+
+After doing this you can executing the scripts multiple times as long as you don't close the terminal.
 
-To assure you're using the correct version of scapy, you can create a virtualenv with the dependencies listed in `krackattack/requirements.txt`.
 
 # Testing Clients
 
@@ -28,23 +49,41 @@ First modify `hostapd/hostapd.conf` and **edit the line `interface=` to specify
 You should now run the following tests located in the `krackattacks/` directory:
 
 1. **`./krack-test-client.py --replay-broadcast`**. This tests whether the client acceps replayed broadcast frames. If the client accepts replayed broadcast frames, this must be patched first. If you do not patch the client, our script will not be able to determine if the group key is being reinstalled (because then the script will always say the group key is being reinstalled).
+
 2. **`./krack-test-client.py --group --gtkinit`**. This tests whether the client installs the group key in the group key handshake with the given receive sequence counter (RSC). See section 6.4 of our [follow-up research paper(https://papers.mathyvanhoef.com/ccs2018.pdf)] for the details behind this vulnerability.
+
 3. **`./krack-test-client.py --group`**. This tests whether the client reinstalls the group key in the group key handshake. In other words, it **tests if the client is vulnerable to CVE-2017-13080**. The script tests for reinstallations of the group key by sending broadcast ARP requests to the client using an already used (replayed) packet number (here packet number = nonce = IV). Note that if the client always accepts replayed broadcast frames (see `--replay-broadcast`), this test might incorrectly conclude the group key is being reinstalled.
+
 4. **`./krack-test-client.py`**. This tests for key reinstallations in the 4-way handshake by repeatedly sending encrypted message 3's to the client. **In other words, this tests for CVE-2017-13077 (the vulnerability with the highest impact) and for CVE-2017-13078 .** The script monitors traffic sent by the client to see if the pairwise key is being reinstalled. Note that this effectively performs two tests: whether the pairwise key is reinstalled, and whether the group key is reinstalled. Make sure the client requests an IP using DHCP for the group key reinstallation test to start. To assure the client is sending enough unicast frames, you can optionally ping the AP: `ping 192.168.100.254`.
+
 5. **`./krack-test-client.py --tptk`**. Identical to test 4, except that a forged message 1 is injected before sending the encrypted message 3. This variant of the test is important because some clients (e.g. wpa_supplicant v2.6) are only vulnerable to pairwise key reinstallations in the 4-way handshake when a forged message 1 is injected before sending a retransmitted message 3.
-6. **`./krack-test-client.py --gtkinit`**. This tests whether the client installs the group key in the 4-way handshake with the given receive sequence counter (RSC). The script will continously execute new 4-way handshakes to test this. Unfortunately, this test can be rather unreliable, because any missed handshake messages cause synchronization issues, making the test unreliable. You should only execute this test in environments with little background noise, and execute it several times.
+
+6. **`./krack-test-client.py --tptk-rand`**. Same as the above test, except that the forged message 1 contains a random ANonce.
+
+7. **`./krack-test-client.py --gtkinit`**. This tests whether the client installs the group key in the 4-way handshake with the given receive sequence counter (RSC). The script will continously execute new 4-way handshakes to test this. Unfortunately, this test can be rather unreliable, because any missed handshake messages cause synchronization issues, making the test unreliable. You should only execute this test in environments with little background noise, and execute it several times.
+
 
 Some additional remarks:
+
 * The most important test is `./krack-test-client`, which tests for ordinary key reinstallations in the 4-way handshake.
+
 * Perform these tests in a room with little interference. A high amount of packet loss will make this script less reliable!
+
 * Optionally you can manually inspect network traffic to confirm the output of the script (some Wi-Fi NICs may interfere with our scripts):
+
 	- Use an extra Wi-Fi NIC in monitor mode to conform that our script (the AP) sends out frames using the proper packet numbers (IVs). In particular, check whether replayed broadcast frames indeed are sent using an already used packet number (IV).
+
 	- Use an extra Wi-Fi NIC in monitor mode to check pairwise key reinstalls by monitoring the IVs of frames sent by the client.
+
 	- Capture traffic on the client to see if the replayed broadcast ARP requests are accepted or not.
+
 * If the client can use multiple Wi-Fi radios/NICs, perform the test using several Wi-Fi NICs.
+
 * You can add the `--debug` parameter for more debugging output.
+
 * All unrecognized parameters are passed on to hostapd, so you can include something like `-dd -K` to make hostapd output all debug info.
 
+
 ## Correspondence to Wi-Fi Alliance tests
 
 The [Wi-Fi Alliance created a custom vulnerability detection tool](https://www.wi-fi.org/security-update-october-2017) based on our scripts.
@@ -52,11 +91,17 @@ At the time of writing, this tool is only accessible to Wi-Fi Alliance members.
 Their tools supports several different tests, and these tests correspond to the functionality in our script as follows:
 
 - 4.1.1 (Plaintext retransmission of EAPOL Message 3). We currently do not support this test. This test is not necessary anyway. Make sure the device being tested passes test 4.1.3, and then it will also pass this test.
+
 - 4.1.2 (Immediate retransmission of EAPOL M3 in plaintext). We currently do not suppor this test. Again, make sure the device being tested passes test 4.1.3, and then it will also pass this test.
+
 - 4.1.3 (Immediate retransmission of encrypted EAPOL M3 during pairwise rekey handshake). This corresponds to `./krack-test-client.py`, except that encrypted EAPOL M3 are sent periodically instead of immediately.
+
 - 4.1.5 (PTK reinstallation in 4-way handshake when STA uses Temporal PTK construction, same ANonce). Execute this test using `./krack-test-client.py --tptk`.
+
 - 4.1.6 (PTK reinstallation in 4-way handshake when STA uses Temporal PTK construction, random ANonce). Execute this test using `./krack-test-client.py --tptk-rand`.
+
 - 4.2.1 (Group key handshake vulnerability test on STA). Execue this test using `./krack-test-client.py --group`.
+
 - 4.3.1 (Reinstallation of GTK and IGTK on STA supporting WNM sleep mode). We currently do not support this test (and neither does the Wi-Fi Alliance actually!).
 
 
@@ -132,14 +177,11 @@ Their tools supports several different tests, and these tests correspond to the
 		[16:00:51] Replaying Reassociation Request
 		[16:00:52] AP transmitted data using IV=4 (seq=3)
 
-# Extra: Ubuntu 16.04
 
-Our scripts are officially only supported on Kali Linux. Nevertheless, some users have been able to get it running on Ubuntu 16.04. These users remarked that the `python-pycryptodome` package is not present on Ubuntu, but can be installed as follows:
+# Extra: Hardware Decryption
 
-1. Install the python-pip package
-2. Execute `pip install pycryptodomex`
+To confirm that hardware decryption is disable, execute `systool -vm ath9k_htc` or similar after plugging in your Wi-Fi NIC to confirm the nohwcript/swcrypto/hwcrypto parameter has been set. Note that you must replace `ath9k_htc` with the kernel module for your wireless network card.
 
-It is recommended to install this python module under a virtual python environment using virtualenv.
 
 # Extra: Manual Tests
 

krackattack/build.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+cd ../hostapd/
+cp defconfig .config
+make -j 2

krackattack/debug-ft-hwsim/README.md

@@ -7,6 +7,8 @@ To verify the script is working correctly, try it out against a virtualized Wi-F
 
 Now read the documentation in `krack-ft-test.py`. Go to step 3 and start the tool using:
 
+	sudo su
+	source ../venv/bin/activate
 	../krack-ft-test.py wpa_supplicant -D nl80211 -i wlan2 -c supplicant.conf
 
 Follow the next steps. To generate traffic in step 5 use `./gen-traffic.py`.

krackattack/debug-ft-hwsim/gen-traffic.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python2
+#!/usr/bin/env python3
 import logging, time
 logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
 from scapy.all import *

krackattack/disable-hwcrypto.sh

@@ -34,4 +34,4 @@ do rmmod $MODULE 2> /dev/null || true; done
 
 # 3. Done. To be sure parameters are reloaded, reboot computer.
 
-echo "Done. Reboot your computer."
+echo "Hardware decryption disabled. Reboot your computer."

krackattack/krack-ft-test.py

@@ -1,6 +1,6 @@
-#!/usr/bin/env python2
+#!/usr/bin/env python3
 
-# Copyright (c) 2017, Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+# Copyright (c) 2017-2021, Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
 #
 # This code may be distributed under the terms of the BSD license.
 # See LICENSE for more details.
@@ -11,14 +11,6 @@ from scapy.all import *
 from libwifi import *
 import sys, socket, struct, time, subprocess, atexit, select
 
-IEEE_TLV_TYPE_RSN = 48
-IEEE_TLV_TYPE_FT  = 55
-
-IEEE80211_RADIOTAP_RATE = (1 << 2)
-IEEE80211_RADIOTAP_CHANNEL = (1 << 3)
-IEEE80211_RADIOTAP_TX_FLAGS = (1 << 15)
-IEEE80211_RADIOTAP_DATA_RETRIES = (1 << 17)
-
 #TODO: - Merge code with client tests to avoid code duplication (including some error handling)
 #TODO: - Option to use a secondary interface for injection + WARNING if a virtual interface is used + repeat advice to disable hardware encryption
 #TODO: - Test whether injection works on the virtual interface (send probe requests to nearby AP and wait for replies)
@@ -52,11 +44,11 @@ class KRAckAttackFt():
 		# FIXME: Put this check in MitmSocket? We want to check this in client tests as well!
 		if self.clientmac in [p.addr1, p.addr2] and Dot11WEP in p:
 			# If the hardware adds/removes the TKIP/CCMP header, this is where the plaintext starts
-			payload = str(p[Dot11WEP])
+			payload = get_ccmp_payload(p)
 
 			# Check if it's indeed a common LCC/SNAP plaintext header of encrypted frames, and
 			# *not* the header of a plaintext EAPOL handshake frame
-			if payload.startswith("\xAA\xAA\x03\x00\x00\x00") and not payload.startswith("\xAA\xAA\x03\x00\x00\x00\x88\x8e"):
+			if payload.startswith(b"\xAA\xAA\x03\x00\x00\x00") and not payload.startswith(b"\xAA\xAA\x03\x00\x00\x00\x88\x8e"):
 				log(ERROR, "ERROR: Virtual monitor interface doesn't seem to pass 802.11 encryption header to userland.")
 				log(ERROR, "   Try to disable hardware encryption, or use a 2nd interface for injection.", showtime=False)
 				quit(1)
@@ -67,7 +59,7 @@ class KRAckAttackFt():
 			log(INFO, "Detected Authentication frame, clearing client state")
 		elif p.addr2 == self.clientmac and Dot11ReassoReq in p:
 			self.reset_client()
-			if get_tlv_value(p, IEEE_TLV_TYPE_RSN) and get_tlv_value(p, IEEE_TLV_TYPE_FT):
+			if get_element(p, IEEE_TLV_TYPE_RSN) and get_element(p, IEEE_TLV_TYPE_FT):
 				log(INFO, "Detected FT reassociation frame")
 				self.start_replay(p)
 			else:
@@ -77,7 +69,7 @@ class KRAckAttackFt():
 			self.reset_client()
 
 		# Encrypted data sent to the client
-		elif p.addr1 == self.clientmac and Dot11WEP in p:
+		elif p.addr1 == self.clientmac and dot11_is_encrypted_data(p):
 			iv = dot11_get_iv(p)
 			log(INFO, "AP transmitted data using IV=%d (seq=%d)" % (iv, dot11_get_seqnum(p)))
 			if self.ivs.is_iv_reused(p):
@@ -152,7 +144,7 @@ def argv_get_interface():
 
 if __name__ == "__main__":
 	if len(sys.argv) <= 1 or "--help" in sys.argv or "-h" in sys.argv:
-		print "See README.md for instructions on how to use this script"
+		print("See README.md for instructions on how to use this script")
 		quit(1)
 
 	# TODO: Verify that we only accept CCMP?
@@ -164,5 +156,3 @@ if __name__ == "__main__":
 	attack = KRAckAttackFt(interface)
 	atexit.register(cleanup)
 	attack.run()
-
-

krackattack/krack-test-client.py

@@ -1,7 +1,7 @@
-#!/usr/bin/env python2
+#!/usr/bin/env python3
 
 # Tests for key reinstallation vulnerabilities in Wi-Fi clients
-# Copyright (c) 2017, Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+# Copyright (c) 2017-2021, Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
 #
 # This code may be distributed under the terms of the BSD license.
 # See README for more details.
@@ -99,21 +99,19 @@ class ClientState():
 		self.broadcast_requests_sent = -1 # -1 because the first broadcast ARP requests are still valid
 		self.broadcast_patched_intervals = 0
 
-	# TODO: Put in libwifi?
 	def get_encryption_key(self, hostapd_ctrl):
 		if self.TK is None:
 			# Contact our modified Hostapd instance to request the pairwise key
 			response = hostapd_command(hostapd_ctrl, "GET_TK " + self.mac)
 			if not "FAIL" in response:
-				self.TK = response.strip().decode("hex")
+				self.TK = bytes.fromhex(response.strip())
 		return self.TK
 
-	# TODO: Put in libwifi?
 	def decrypt(self, p, hostapd_ctrl):
 		payload = get_ccmp_payload(p)
 		llcsnap, packet = payload[:8], payload[8:]
 
-		if payload.startswith("\xAA\xAA\x03\x00\x00\x00"):
+		if payload.startswith(b"\xAA\xAA\x03\x00\x00\x00"):
 			# On some kernels, the virtual interface associated to the real AP interface will return
 			# frames where the payload is already decrypted (this happens when hardware decryption is
 			# used). So if the payload seems decrypted, just extract the full plaintext from the frame.
@@ -123,8 +121,8 @@ class ClientState():
 			plaintext = decrypt_ccmp(p, key)
 
 			# If it still fails, try an all-zero key
-			if not plaintext.startswith("\xAA\xAA\x03\x00\x00\x00"):
-				plaintext = decrypt_ccmp(p, "\x00" * 16)
+			if plaintext == None:
+				plaintext = decrypt_ccmp(p, b"\x00" * 16)
 
 		return plaintext
 
@@ -305,24 +303,14 @@ class KRAckAttackClient():
 		header = Ether(dst=self.apmac, src=clientmac)
 		header.time = p.time
 
-		# Decrypt the payload and obtain LLC/SNAP header and packet content
+		# Decrypt the Wi-Fi frame
 		client = self.clients[clientmac]
 		plaintext = client.decrypt(p, self.hostapd_ctrl)
-		llcsnap, packet = plaintext[:8], plaintext[8:]
-
-		# Rebuild the full Ethernet packet
-		if   llcsnap == "\xAA\xAA\x03\x00\x00\x00\x08\x06":
-			decap = header/ARP(packet)
-		elif llcsnap == "\xAA\xAA\x03\x00\x00\x00\x08\x00":
-			decap = header/IP(packet)
-		elif llcsnap == "\xAA\xAA\x03\x00\x00\x00\x86\xdd":
-			decap = header/IPv6(packet)
-		#elif llcsnap == "\xAA\xAA\x03\x00\x00\x00\x88\x8e":
-		# 	# EAPOL
-		else:
+		if plaintext == None:
 			return
 
 		# Now process the packet as if it were a valid (non-replayed) one
+		decap = header/plaintext[SNAP].payload
 		self.process_eth_rx(decap)
 
 	def handle_mon_rx(self):
@@ -351,7 +339,7 @@ class KRAckAttackClient():
 			iv = dot11_get_iv(p)
 			log(DEBUG, "%s: transmitted data using IV=%d (seq=%d)" % (clientmac, iv, dot11_get_seqnum(p)))
 
-			if decrypt_ccmp(p, "\x00" * 16).startswith("\xAA\xAA\x03\x00\x00\x00"):
+			if decrypt_ccmp(p, b"\x00" * 16) != None:
 				client.mark_allzero_key(p)
 			if self.options.variant == TestOptions.Fourway and not self.options.gtkinit:
 				client.check_pairwise_reinstall(p)
@@ -575,8 +563,8 @@ def hostapd_read_config(config):
 
 if __name__ == "__main__":
 	if "--help" in sys.argv or "-h" in sys.argv:
-		print "\nSee README.md for usage instructions. Accepted parameters are"
-		print "\n\t" + "\n\t".join(["--replay-broadcast", "--group", "--tptk", "--tptk-rand", "--gtkinit", "--debug"]) + "\n"
+		print("\nSee README.md for usage instructions. Accepted parameters are")
+		print("\n\t" + "\n\t".join(["--replay-broadcast", "--group", "--tptk", "--tptk-rand", "--gtkinit", "--debug"]) + "\n")
 		quit(1)
 
 	options = TestOptions()
@@ -587,7 +575,7 @@ if __name__ == "__main__":
 	groupkey = argv_pop_argument("--group")
 	fourway = argv_pop_argument("--fourway")
 	if replay_broadcast + replay_unicast + fourway + groupkey > 1:
-		print "You can only select one argument of out replay-broadcast, replay-unicast, fourway, and group"
+		print("You can only select one argument of out replay-broadcast, replay-unicast, fourway, and group")
 		quit(1)
 	if replay_broadcast:
 		options.variant = TestOptions.ReplayBroadcast
@@ -602,7 +590,7 @@ if __name__ == "__main__":
 	tptk = argv_pop_argument("--tptk")
 	tptk_rand = argv_pop_argument("--tptk-rand")
 	if tptk + tptk_rand > 1:
-		print "You can only select one argument of out tptk and tptk-rand"
+		print("You can only select one argument of out tptk and tptk-rand")
 		quit(1)
 	if tptk:
 		options.tptk = TestOptions.TptkReplay

krackattack/libwifi.py

@@ -1,245 +0,0 @@
-# Copyright (c) 2017, Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-#
-# This code may be distributed under the terms of the BSD license.
-# See README for more details.
-from scapy.all import *
-from Cryptodome.Cipher import AES
-from datetime import datetime
-
-#### Basic output and logging functionality ####
-
-ALL, DEBUG, INFO, STATUS, WARNING, ERROR = range(6)
-COLORCODES = { "gray"  : "\033[0;37m",
-               "green" : "\033[0;32m",
-               "orange": "\033[0;33m",
-               "red"   : "\033[0;31m" }
-
-global_log_level = INFO
-def log(level, msg, color=None, showtime=True):
-	if level < global_log_level: return
-	if level == DEBUG   and color is None: color="gray"
-	if level == WARNING and color is None: color="orange"
-	if level == ERROR   and color is None: color="red"
-	print (datetime.now().strftime('[%H:%M:%S] ') if showtime else " "*11) + COLORCODES.get(color, "") + msg + "\033[1;0m"
-
-
-#### Back-wards compatibility with older scapy
-
-if not "Dot11FCS" in locals():
-	class Dot11FCS():
-		pass
-if not "Dot11Encrypted" in locals():
-	class Dot11Encrypted():
-		pass
-	class Dot11CCMP():
-		pass
-	class Dot11TKIP():
-		pass
-
-#### Packet Processing Functions ####
-
-class DHCP_sock(DHCP_am):
-	def __init__(self, **kwargs):
-		self.sock = kwargs.pop("sock")
-		self.server_ip = kwargs["gw"]
-		super(DHCP_sock, self).__init__(**kwargs)
-
-	def make_reply(self, req):
-		rep = super(DHCP_sock, self).make_reply(req)
-
-		# Fix scapy bug: set broadcast IP if required
-		if rep is not None and BOOTP in req and IP in rep:
-			if req[BOOTP].flags & 0x8000 != 0 and req[BOOTP].giaddr == '0.0.0.0' and req[BOOTP].ciaddr == '0.0.0.0':
-				rep[IP].dst = "255.255.255.255"
-
-		# Explicitly set source IP if requested
-		if not self.server_ip is None:
-			rep[IP].src = self.server_ip
-
-		return rep
-
-	def send_reply(self, reply):
-		self.sock.send(reply, **self.optsend)
-
-	def print_reply(self, req, reply):
-		log(STATUS, "%s: DHCP reply %s to %s" % (reply.getlayer(Ether).dst, reply.getlayer(BOOTP).yiaddr, reply.dst), color="green")
-
-	def remove_client(self, clientmac):
-		clientip = self.leases[clientmac]
-		self.pool.append(clientip)
-		del self.leases[clientmac]
-
-class ARP_sock(ARP_am):
-	def __init__(self, **kwargs):
-		self.sock = kwargs.pop("sock")
-		super(ARP_am, self).__init__(**kwargs)
-
-	def send_reply(self, reply):
-		self.sock.send(reply, **self.optsend)
-
-	def print_reply(self, req, reply):
-		log(STATUS, "%s: ARP: %s ==> %s on %s" % (reply.getlayer(Ether).dst, req.summary(), reply.summary(), self.iff))
-
-
-#### Packet Processing Functions ####
-
-class MitmSocket(L2Socket):
-	def __init__(self, **kwargs):
-		super(MitmSocket, self).__init__(**kwargs)
-
-	def send(self, p):
-		# Hack: set the More Data flag so we can detect injected frames (and so clients stay awake longer)
-		p.FCfield |= 0x20
-		L2Socket.send(self, RadioTap()/p)
-
-	def _strip_fcs(self, p):
-		# Older scapy can't handle the optional Frame Check Sequence (FCS) field automatically
-		if p[RadioTap].present & 2 != 0 and not Dot11FCS in p:
-			rawframe = str(p[RadioTap])
-			pos = 8
-			while ord(rawframe[pos - 1]) & 0x80 != 0: pos += 4
-
-			# If the TSFT field is present, it must be 8-bytes aligned
-			if p[RadioTap].present & 1 != 0:
-				pos += (8 - (pos % 8))
-				pos += 8
-
-			# Remove FCS if present
-			if ord(rawframe[pos]) & 0x10 != 0:
-				return Dot11(str(p[Dot11])[:-4])
-
-		return p[Dot11]
-
-	def recv(self, x=MTU):
-		p = L2Socket.recv(self, x)
-		if p == None or not (Dot11 in p or Dot11FCS in p):
-			return None
-
-		# Hack: ignore frames that we just injected and are echoed back by the kernel
-		if p.FCfield & 0x20 != 0:
-			return None
-
-		# Strip the FCS if present, and drop the RadioTap header
-		if Dot11FCS in p:
-			return p
-		else:
-			return self._strip_fcs(p)
-
-	def close(self):
-		super(MitmSocket, self).close()
-
-def dot11_get_seqnum(p):
-	return p.SC >> 4
-
-def dot11_is_encrypted_data(p):
-	# All these different cases are explicitly tested to handle older scapy versions
-	return (p.FCfield & 0x40) or Dot11CCMP in p or Dot11TKIP in p or Dot11WEP in p or Dot11Encrypted in p
-
-def payload_to_iv(payload):
-	iv0 = payload[0]
-	iv1 = payload[1]
-	wepdata = payload[4:8]
-
-	# FIXME: Only CCMP is supported (TKIP uses a different IV structure)
-	return ord(iv0) + (ord(iv1) << 8) + (struct.unpack(">I", wepdata)[0] << 16)
-
-def dot11_get_iv(p):
-	"""
-	Assume it's a CCMP frame. Old scapy can't handle Extended IVs.
-	This code only works for CCMP frames.
-	"""
-	if Dot11CCMP in p or Dot11TKIP in p or Dot11Encrypted in p:
-		# Scapy uses a heuristic to differentiate CCMP/TKIP and this may be wrong.
-		# So even when we get a Dot11TKIP frame, we should treat it like a Dot11CCMP frame.
-		payload = str(p[Dot11Encrypted])
-		return payload_to_iv(payload)
-
-	elif Dot11WEP in p:
-		wep = p[Dot11WEP]
-		if wep.keyid & 32:
-			# FIXME: Only CCMP is supported (TKIP uses a different IV structure)
-			return ord(wep.iv[0]) + (ord(wep.iv[1]) << 8) + (struct.unpack(">I", wep.wepdata[:4])[0] << 16)
-		else:
-			return ord(wep.iv[0]) + (ord(wep.iv[1]) << 8) + (ord(wep.iv[2]) << 16)
-
-	elif p.FCfield & 0x40:
-		return payload_to_iv(p[Raw].load)
-
-	else:
-		log(ERROR, "INTERNAL ERROR: Requested IV of plaintext frame")
-		return 0
-
-def get_tlv_value(p, type):
-	if not Dot11Elt in p: return None
-	el = p[Dot11Elt]
-	while isinstance(el, Dot11Elt):
-		if el.ID == type:
-			return el.info
-		el = el.payload
-	return None
-
-def dot11_get_priority(p):
-	if not Dot11QoS in p: return 0
-	return ord(str(p[Dot11QoS])[0])
-
-
-#### Crypto functions and util ####
-
-def get_ccmp_payload(p):
-	if Dot11WEP in p:
-		# Extract encrypted payload:
-		# - Skip extended IV (4 bytes in total)
-		# - Exclude first 4 bytes of the CCMP MIC (note that last 4 are saved in the WEP ICV field)
-		return str(p.wepdata[4:-4])
-	elif Dot11CCMP in p or Dot11TKIP in p or Dot11Encrypted in p:
-		return p[Dot11Encrypted].data
-	else:
-		return p[Raw].load
-
-def decrypt_ccmp(p, key):
-	payload   = get_ccmp_payload(p)
-	sendermac = p.addr2
-	priority  = dot11_get_priority(p)
-	iv        = dot11_get_iv(p)
-	pn        = struct.pack(">I", iv >> 16) + struct.pack(">H", iv & 0xFFFF)
-	nonce     = chr(priority) + sendermac.replace(':','').decode("hex") + pn
-	cipher    = AES.new(key, AES.MODE_CCM, nonce, mac_len=8)
-	plaintext = cipher.decrypt(payload)
-	return plaintext
-
-class IvInfo():
-	def __init__(self, p):
-		self.iv = dot11_get_iv(p)
-		self.seq = dot11_get_seqnum(p)
-		self.time = p.time
-
-	def is_reused(self, p):
-		"""Return true if frame p reuses an IV and if p is not a retransmitted frame"""
-		iv = dot11_get_iv(p)
-		seq = dot11_get_seqnum(p)
-		return self.iv == iv and self.seq != seq and p.time >= self.time + 1
-
-class IvCollection():
-	def __init__(self):
-		self.ivs = dict() # maps IV values to IvInfo objects
-
-	def reset(self):
-		self.ivs = dict()
-
-	def track_used_iv(self, p):
-		iv = dot11_get_iv(p)
-		self.ivs[iv] = IvInfo(p)
-
-	def is_iv_reused(self, p):
-		"""Returns True if this is an *observed* IV reuse and not just a retransmission"""
-		iv = dot11_get_iv(p)
-		return iv in self.ivs and self.ivs[iv].is_reused(p)
-
-	def is_new_iv(self, p):
-		"""Returns True if the IV in this frame is higher than all previously observed ones"""
-		iv = dot11_get_iv(p)
-		if len(self.ivs) == 0: return True
-		return iv > max(self.ivs.keys())
-
-
-

krackattack/libwifi/.gitignore

@@ -0,0 +1 @@
+__pycache__/

krackattack/libwifi/__init__.py

@@ -0,0 +1,2 @@
+from .wifi import *
+from .crypto import *

krackattack/libwifi/crypto.py

@@ -0,0 +1,169 @@
+#!/usr/bin/env python3
+import struct, binascii
+from .wifi import *
+#from binascii import a2b_hex
+#from struct import unpack,pack
+
+from Crypto.Cipher import AES, ARC4
+from scapy.layers.dot11 import Dot11, Dot11CCMP, Dot11QoS
+
+import zlib
+
+def pn2bytes(pn):
+	pn_bytes = [0] * 6
+	for i in range(6):
+		pn_bytes[i] = pn & 0xFF
+		pn >>= 8
+	return pn_bytes
+
+def pn2bin(pn):
+	return struct.pack(">Q", pn)[2:]
+
+def dot11ccmp_get_pn(p):
+	pn = p.PN5
+	pn = (pn << 8) | p.PN4
+	pn = (pn << 8) | p.PN3
+	pn = (pn << 8) | p.PN2
+	pn = (pn << 8) | p.PN1
+	pn = (pn << 8) | p.PN0
+	return pn
+
+def ccmp_get_nonce(priority, addr, pn):
+	return struct.pack("B", priority) + addr2bin(addr) + pn2bin(pn)
+
+def ccmp_get_aad(p, amsdu_spp=False):
+	# FC field with masked values
+	fc = raw(p)[:2]
+	fc = struct.pack("<BB", fc[0] & 0x8f, fc[1] & 0xc7)
+
+	# Sequence number is masked, but fragment number is included
+	sc = struct.pack("<H", p.SC & 0xf)
+
+	addr1 = addr2bin(p.addr1)
+	addr2 = addr2bin(p.addr2)
+	addr3 = addr2bin(p.addr3)
+	aad = fc + addr1 + addr2 + addr3 + sc
+	if Dot11QoS in p:
+		if not amsdu_spp:
+			# Everything except the TID is masked
+			aad += struct.pack("<H", p[Dot11QoS].TID)
+		else:
+			# TODO: Mask unrelated fields
+			aad += raw(p[Dot11QoS])[:2]
+
+	return aad
+
+def Raw(x):
+	return x
+
+def encrypt_ccmp(p, tk, pn, keyid=0, amsdu_spp=False):
+	"""Takes a plaintext Dot11 frame, encrypts it, and adds all the necessairy headers"""
+
+	# Update the FC field
+	p = p.copy()
+	p.FCfield |= Dot11(FCfield="protected").FCfield
+	if Dot11QoS in p:
+		payload = raw(p[Dot11QoS].payload)
+		p[Dot11QoS].remove_payload()
+		# Explicitly set TID so we can assume it's an integer
+		if p[Dot11QoS].TID == None:
+			p[Dot11QoS].TID = 0
+		priority = p[Dot11QoS].TID
+	else:
+		payload = raw(p.payload)
+		p.remove_payload()
+		priority = 0
+
+	# Add the CCMP header. res0 and res1 are by default set to zero.
+	newp = p/Dot11CCMP()
+	pn_bytes = pn2bytes(pn)
+	newp.PN0, newp.PN1, newp.PN2, newp.PN3, newp.PN4, newp.PN5 = pn_bytes
+	newp.key_id = keyid
+	newp.ext_iv = 1
+
+	# Generate the CCMP Header and AAD for encryption.
+	ccm_nonce = ccmp_get_nonce(priority, newp.addr2, pn)
+	ccm_aad = ccmp_get_aad(newp, amsdu_spp)
+	#print("CCM Nonce:", ccm_nonce.hex())
+	#print("CCM aad  :", ccm_aad.hex())
+
+	# Encrypt the plaintext using AES in CCM Mode.
+	#print("Payload:", payload.hex())
+	cipher = AES.new(tk, AES.MODE_CCM, ccm_nonce, mac_len=8)
+	cipher.update(ccm_aad)
+	ciphertext = cipher.encrypt(payload)
+	digest = cipher.digest()
+	newp = newp/Raw(ciphertext)
+	newp = newp/Raw(digest)
+
+	#print("Ciphertext:", ciphertext.hex())
+	#print(repr(newp))
+	#print(raw(newp).hex())
+
+	return newp
+
+def decrypt_ccmp(p, tk, verify=True):
+	"""Takes a Dot11CCMP frame and decrypts it"""
+
+	p = p.copy()
+
+	# Get used CCMP parameters
+	keyid = p.key_id
+	priority = dot11_get_priority(p)
+	pn = dot11ccmp_get_pn(p)
+
+	# TODO: Mask flags in p.FCfield that are not part of the AAD
+	fc = p.FCfield
+	payload = get_ccmp_payload(p)
+
+	if Dot11QoS in p:
+		p[Dot11QoS].remove_payload()
+	else:
+		p.remove_payload()
+
+	# Prepare for CCMP decryption
+	ccm_nonce = ccmp_get_nonce(priority, p.addr2, pn)
+	ccm_aad = ccmp_get_aad(p)
+
+	# Decrypt using AES in CCM Mode.
+	cipher = AES.new(tk, AES.MODE_CCM, ccm_nonce, mac_len=8)
+	cipher.update(ccm_aad)
+	plaintext = cipher.decrypt(payload[:-8])
+
+	try:
+		if verify:
+			cipher.verify(payload[-8:])
+	except ValueError:
+		return None
+
+	return p/LLC(plaintext)
+
+def encrypt_wep(p, key, pn, keyid=0):
+	"""Takes a plaintext Dot11 frame, encrypts it, and adds all the necessairy headers"""
+
+	# Update the FC field --- XXX share this with encrypt_ccmp
+	p = p.copy()
+	p.FCfield |= Dot11(FCfield="protected").FCfield
+	if Dot11QoS in p:
+		payload = raw(p[Dot11QoS].payload)
+		p[Dot11QoS].remove_payload()
+		# Explicitly set TID so we can assume it's an integer
+		if p[Dot11QoS].TID == None:
+			p[Dot11QoS].TID = 0
+		priority = p[Dot11QoS].TID
+	else:
+		payload = raw(p.payload)
+		p.remove_payload()
+		priority = 0
+
+	# Add the WEP ICV which will be encrypted
+	payload += struct.pack("<I", zlib.crc32(payload) & 0xffffffff)
+	iv = struct.pack(">I", pn)[1:]
+	cipher = ARC4.new(iv + key)
+	ciphertext = cipher.encrypt(payload)
+
+	# Construct packet ourselves to avoid scapy bugs
+	newp = p/iv/struct.pack("<B", keyid)/ciphertext
+
+	return newp
+

krackattack/libwifi/wifi.py

@@ -0,0 +1,488 @@
+# Copyright (c) 2019-2020, Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+#
+# This code may be distributed under the terms of the BSD license.
+# See README for more details.
+from scapy.all import *
+from Crypto.Cipher import AES
+from datetime import datetime
+import binascii
+
+#### Constants ####
+
+IEEE_TLV_TYPE_SSID    = 0
+IEEE_TLV_TYPE_CHANNEL = 3
+IEEE_TLV_TYPE_RSN     = 48
+IEEE_TLV_TYPE_CSA     = 37
+IEEE_TLV_TYPE_FT      = 55
+IEEE_TLV_TYPE_VENDOR  = 221
+
+WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY = 4
+WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA = 6
+WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA = 7
+
+#TODO: Not sure if really needed...
+IEEE80211_RADIOTAP_RATE = (1 << 2)
+IEEE80211_RADIOTAP_CHANNEL = (1 << 3)
+IEEE80211_RADIOTAP_TX_FLAGS = (1 << 15)
+IEEE80211_RADIOTAP_DATA_RETRIES = (1 << 17)
+
+#### Basic output and logging functionality ####
+
+ALL, DEBUG, INFO, STATUS, WARNING, ERROR = range(6)
+COLORCODES = { "gray"  : "\033[0;37m",
+               "green" : "\033[0;32m",
+               "orange": "\033[0;33m",
+               "red"   : "\033[0;31m" }
+
+global_log_level = INFO
+def log(level, msg, color=None, showtime=True):
+	if level < global_log_level: return
+	if level == DEBUG   and color is None: color="gray"
+	if level == WARNING and color is None: color="orange"
+	if level == ERROR   and color is None: color="red"
+	msg = (datetime.now().strftime('[%H:%M:%S] ') if showtime else " "*11) + COLORCODES.get(color, "") + msg + "\033[1;0m"
+	print(msg)
+
+def change_log_level(delta):
+	global global_log_level
+	global_log_level += delta
+
+#### Back-wards compatibility with older scapy
+
+if not "Dot11FCS" in locals():
+	class Dot11FCS():
+		pass
+if not "Dot11Encrypted" in locals():
+	class Dot11Encrypted():
+		pass
+	class Dot11CCMP():
+		pass
+	class Dot11TKIP():
+		pass
+
+#### Linux ####
+
+def get_device_driver(iface):
+	path = "/sys/class/net/%s/device/driver" % iface
+	try:
+		output = subprocess.check_output(["readlink", "-f", path])
+		return output.decode('utf-8').strip().split("/")[-1]
+	except:
+		return None
+
+#### Utility ####
+
+def get_mac_address(interface):
+	return open("/sys/class/net/%s/address" % interface).read().strip()
+
+def addr2bin(addr):
+	return binascii.a2b_hex(addr.replace(':', ''))
+
+def get_channel(iface):
+	output = str(subprocess.check_output(["iw", iface, "info"]))
+	p = re.compile("channel (\d+)")
+	m = p.search(output)
+	if m == None: return None
+	return int(m.group(1))
+
+def get_channel(iface):
+	output = str(subprocess.check_output(["iw", iface, "info"]))
+	p = re.compile("channel (\d+)")
+	m = p.search(output)
+	if m == None:
+		return None
+	return int(m.group(1))
+
+def set_channel(iface, channel):
+	subprocess.check_output(["iw", iface, "set", "channel", str(channel)])
+
+def set_macaddress(iface, macaddr):
+	# macchanger throws an error if the interface already has the given MAC address
+	if get_macaddress(iface) != macaddr:
+		subprocess.check_output(["ifconfig", iface, "down"])
+		subprocess.check_output(["macchanger", "-m", macaddr, iface])
+
+def get_macaddress(iface):
+	"""This works even for interfaces in monitor mode."""
+	s = get_if_raw_hwaddr(iface)[1]
+	return ("%02x:" * 6)[:-1] % tuple(orb(x) for x in s)
+
+def get_iface_type(iface):
+	output = str(subprocess.check_output(["iw", iface, "info"]))
+	p = re.compile("type (\w+)")
+	return str(p.search(output).group(1))
+
+def set_monitor_mode(iface, up=True, mtu=1500):
+	# Note: we let the user put the device in monitor mode, such that they can control optional
+	#       parameters such as "iw wlan0 set monitor active" for devices that support it.
+	if get_iface_type(iface) != "monitor":
+		# Some kernels (Debian jessie - 3.16.0-4-amd64) don't properly add the monitor interface. The following ugly
+		# sequence of commands assures the virtual interface is properly registered as a 802.11 monitor interface.
+		subprocess.check_output(["ifconfig", iface, "down"])
+		subprocess.check_output(["iw", iface, "set", "type", "monitor"])
+		time.sleep(0.5)
+		subprocess.check_output(["iw", iface, "set", "type", "monitor"])
+
+	if up:
+		subprocess.check_output(["ifconfig", iface, "up"])
+	subprocess.check_output(["ifconfig", iface, "mtu", str(mtu)])
+
+def rawmac(addr):
+	return bytes.fromhex(addr.replace(':', ''))
+
+def set_amsdu(p):
+	if "A_MSDU_Present" in [field.name for field in Dot11QoS.fields_desc]:
+		p.A_MSDU_Present = 1
+	else:
+		p.Reserved = 1
+
+def is_amsdu(p):
+	if "A_MSDU_Present" in [field.name for field in Dot11QoS.fields_desc]:
+		return p.A_MSDU_Present == 1
+	else:
+		return p.Reserved == 1
+
+#### Packet Processing Functions ####
+
+class DHCP_sock(DHCP_am):
+	def __init__(self, **kwargs):
+		self.sock = kwargs.pop("sock")
+		self.server_ip = kwargs["gw"]
+		super(DHCP_sock, self).__init__(**kwargs)
+
+	def prealloc_ip(self, clientmac, ip=None):
+		"""Allocate an IP for the client before it send DHCP requests"""
+		if clientmac not in self.leases:
+			if ip == None:
+				ip = self.pool.pop()
+			self.leases[clientmac] = ip
+		return self.leases[clientmac]
+
+	def make_reply(self, req):
+		rep = super(DHCP_sock, self).make_reply(req)
+
+		# Fix scapy bug: set broadcast IP if required
+		if rep is not None and BOOTP in req and IP in rep:
+			if req[BOOTP].flags & 0x8000 != 0 and req[BOOTP].giaddr == '0.0.0.0' and req[BOOTP].ciaddr == '0.0.0.0':
+				rep[IP].dst = "255.255.255.255"
+
+		# Explicitly set source IP if requested
+		if not self.server_ip is None:
+			rep[IP].src = self.server_ip
+
+		return rep
+
+	def send_reply(self, reply):
+		self.sock.send(reply, **self.optsend)
+
+	def print_reply(self, req, reply):
+		log(STATUS, "%s: DHCP reply %s to %s" % (reply.getlayer(Ether).dst, reply.getlayer(BOOTP).yiaddr, reply.dst), color="green")
+
+	def remove_client(self, clientmac):
+		clientip = self.leases[clientmac]
+		self.pool.append(clientip)
+		del self.leases[clientmac]
+
+class ARP_sock(ARP_am):
+	def __init__(self, **kwargs):
+		self.sock = kwargs.pop("sock")
+		super(ARP_am, self).__init__(**kwargs)
+
+	def send_reply(self, reply):
+		self.sock.send(reply, **self.optsend)
+
+	def print_reply(self, req, reply):
+		log(STATUS, "%s: ARP: %s ==> %s on %s" % (reply.getlayer(Ether).dst, req.summary(), reply.summary(), self.iff))
+
+
+#### Packet Processing Functions ####
+
+# Compatibility with older Scapy versions
+if not "ORDER" in scapy.layers.dot11._rt_txflags:
+	scapy.layers.dot11._rt_txflags.append("ORDER")
+
+class MonitorSocket(L2Socket):
+	def __init__(self, iface, dumpfile=None, detect_injected=False, **kwargs):
+		super(MonitorSocket, self).__init__(iface, **kwargs)
+		self.pcap = None
+		if dumpfile:
+			self.pcap = PcapWriter("%s.%s.pcap" % (dumpfile, self.iface), append=False, sync=True)
+		self.detect_injected = detect_injected
+		self.default_rate = None
+
+	def set_channel(self, channel):
+		subprocess.check_output(["iw", self.iface, "set", "channel", str(channel)])
+
+	def attach_filter(self, bpf):
+		log(DEBUG, "Attaching filter to %s: <%s>" % (self.iface, bpf))
+		attach_filter(self.ins, bpf, self.iface)
+
+	def set_default_rate(self, rate):
+		self.default_rate = rate
+
+	def send(self, p, rate=None):
+		# Hack: set the More Data flag so we can detect injected frames (and so clients stay awake longer)
+		if self.detect_injected:
+			p.FCfield |= 0x20
+
+		# Control data rate injected frames
+		if rate is None and self.default_rate is None:
+			rtap = RadioTap(present="TXFlags", TXFlags="NOSEQ+ORDER")
+		else:
+			use_rate = rate if rate != None else self.default_rate
+			rtap = RadioTap(present="TXFlags+Rate", Rate=use_rate, TXFlags="NOSEQ+ORDER")
+
+		L2Socket.send(self, rtap/p)
+		if self.pcap: self.pcap.write(RadioTap()/p)
+
+	def _strip_fcs(self, p):
+		"""
+		Scapy may throw exceptions when handling malformed short frames,
+		so we need to catch these exceptions and just ignore these frames.
+		This in particular happened with short malformed beacons.
+		"""
+		try:
+			return Dot11(raw(p[Dot11FCS])[:-4])
+		except:
+			return None
+
+	def _detect_and_strip_fcs(self, p):
+		# Older scapy can't handle the optional Frame Check Sequence (FCS) field automatically
+		if p[RadioTap].present & 2 != 0 and not Dot11FCS in p:
+			rawframe = raw(p[RadioTap])
+			pos = 8
+			while orb(rawframe[pos - 1]) & 0x80 != 0: pos += 4
+
+			# If the TSFT field is present, it must be 8-bytes aligned
+			if p[RadioTap].present & 1 != 0:
+				pos += (8 - (pos % 8))
+				pos += 8
+
+			# Remove FCS if present
+			if orb(rawframe[pos]) & 0x10 != 0:
+				return self._strip_fcs(p)
+
+		return p[Dot11]
+
+	def recv(self, x=MTU, reflected=False):
+		p = L2Socket.recv(self, x)
+		if p == None or not (Dot11 in p or Dot11FCS in p):
+			return None
+		if self.pcap:
+			self.pcap.write(p)
+
+		# Hack: ignore frames that we just injected and are echoed back by the kernel
+		if self.detect_injected and p.FCfield & 0x20 != 0:
+			return None
+
+		# Ignore reflection of injected frames. These have a small RadioTap header.
+		if not reflected and p[RadioTap].len < 13:
+			return None
+
+		# Strip the FCS if present, and drop the RadioTap header
+		if Dot11FCS in p:
+			return self._strip_fcs(p)
+		else:
+			return self._detect_and_strip_fcs(p)
+
+	def close(self):
+		if self.pcap: self.pcap.close()
+		super(MonitorSocket, self).close()
+
+# For backwards compatibility
+class MitmSocket(MonitorSocket):
+	pass
+
+def dot11_get_seqnum(p):
+	return p.SC >> 4
+
+def dot11_is_encrypted_data(p):
+	# All these different cases are explicitly tested to handle older scapy versions
+	return (p.FCfield & 0x40) or Dot11CCMP in p or Dot11TKIP in p or Dot11WEP in p or Dot11Encrypted in p
+
+def payload_to_iv(payload):
+	iv0 = payload[0]
+	iv1 = payload[1]
+	wepdata = payload[4:8]
+
+	# FIXME: Only CCMP is supported (TKIP uses a different IV structure)
+	return orb(iv0) + (orb(iv1) << 8) + (struct.unpack(">I", wepdata)[0] << 16)
+
+def dot11_get_iv(p):
+	"""
+	Assume it's a CCMP frame. Old scapy can't handle Extended IVs.
+	This code only works for CCMP frames.
+	"""
+	if Dot11CCMP in p:
+		payload = raw(p[Dot11CCMP])
+		return payload_to_iv(payload)
+
+	elif Dot11TKIP in p:
+		# Scapy uses a heuristic to differentiate CCMP/TKIP and this may be wrong.
+		# So even when we get a Dot11TKIP frame, we should treat it like a Dot11CCMP frame.
+		payload = raw(p[Dot11TKIP])
+		return payload_to_iv(payload)
+
+	if Dot11CCMP in p:
+		payload = raw(p[Dot11CCMP])
+		return payload_to_iv(payload)
+	elif Dot11TKIP in p:
+		payload = raw(p[Dot11TKIP])
+		return payload_to_iv(payload)
+	elif Dot11Encrypted in p:
+		payload = raw(p[Dot11Encrypted])
+		return payload_to_iv(payload)
+
+	elif Dot11WEP in p:
+		wep = p[Dot11WEP]
+		if wep.keyid & 32:
+			# FIXME: Only CCMP is supported (TKIP uses a different IV structure)
+			return orb(wep.iv[0]) + (orb(wep.iv[1]) << 8) + (struct.unpack(">I", wep.wepdata[:4])[0] << 16)
+		else:
+			return orb(wep.iv[0]) + (orb(wep.iv[1]) << 8) + (orb(wep.iv[2]) << 16)
+
+	elif p.FCfield & 0x40:
+		return payload_to_iv(p[Raw].load)
+
+	else:
+		return None
+
+def dot11_get_priority(p):
+	if not Dot11QoS in p: return 0
+	return p[Dot11QoS].TID
+
+
+#### Crypto functions and util ####
+
+def get_ccmp_payload(p):
+	if Dot11WEP in p:
+		# Extract encrypted payload:
+		# - Skip extended IV (4 bytes in total)
+		# - Exclude first 4 bytes of the CCMP MIC (note that last 4 are saved in the WEP ICV field)
+		return str(p.wepdata[4:-4])
+	elif Dot11CCMP in p:
+		return p[Dot11CCMP].data
+	elif Dot11TKIP in p:
+		return p[Dot11TKIP].data
+	elif Dot11Encrypted in p:
+		return p[Dot11Encrypted].data
+	else:
+		return p[Raw].load
+
+class IvInfo():
+	def __init__(self, p):
+		self.iv = dot11_get_iv(p)
+		self.seq = dot11_get_seqnum(p)
+		self.time = p.time
+
+	def is_reused(self, p):
+		"""Return true if frame p reuses an IV and if p is not a retransmitted frame"""
+		iv = dot11_get_iv(p)
+		seq = dot11_get_seqnum(p)
+		return self.iv == iv and self.seq != seq and p.time >= self.time + 1
+
+class IvCollection():
+	def __init__(self):
+		self.ivs = dict() # maps IV values to IvInfo objects
+
+	def reset(self):
+		self.ivs = dict()
+
+	def track_used_iv(self, p):
+		iv = dot11_get_iv(p)
+		self.ivs[iv] = IvInfo(p)
+
+	def is_iv_reused(self, p):
+		"""Returns True if this is an *observed* IV reuse and not just a retransmission"""
+		iv = dot11_get_iv(p)
+		return iv in self.ivs and self.ivs[iv].is_reused(p)
+
+	def is_new_iv(self, p):
+		"""Returns True if the IV in this frame is higher than all previously observed ones"""
+		iv = dot11_get_iv(p)
+		if len(self.ivs) == 0: return True
+		return iv > max(self.ivs.keys())
+
+def create_fragments(header, data, num_frags):
+	# This special case is useful so scapy keeps the full "interpretation" of the frame
+	# instead of afterwards treating/displaying the payload as just raw data.
+	if num_frags == 1: return [header/data]
+
+	data = raw(data)
+	fragments = []
+	fragsize = (len(data) + num_frags - 1) // num_frags
+	for i in range(num_frags):
+		frag = header.copy()
+		frag.SC |= i
+		if i < num_frags - 1:
+			frag.FCfield |= Dot11(FCfield="MF").FCfield
+
+		payload = data[fragsize * i : fragsize * (i + 1)]
+		frag = frag/Raw(payload)
+		fragments.append(frag)
+
+	return fragments
+
+def get_element(el, id):
+	if not Dot11Elt in el: return None
+	el = el[Dot11Elt]
+	while not el is None:
+		if el.ID == id:
+			return el
+		el = el.payload
+	return None
+
+def get_ssid(beacon):
+	if not (Dot11 in beacon or Dot11FCS in beacon): return
+	if Dot11Elt not in beacon: return
+	if beacon[Dot11].type != 0 and beacon[Dot11].subtype != 8: return
+	el = get_element(beacon, IEEE_TLV_TYPE_SSID)
+	return el.info.decode()
+
+def is_from_sta(p, macaddr):
+	if not (Dot11 in p or Dot11FCS in p):
+		return False
+	if p.addr1 != macaddr and p.addr2 != macaddr:
+		return False
+	return True
+
+def get_bss(iface, clientmac, timeout=20):
+	ps = sniff(count=1, timeout=timeout, lfilter=lambda p: is_from_sta(p, clientmac), iface=iface)
+	if len(ps) == 0:
+		return None
+	return ps[0].addr1 if ps[0].addr1 != clientmac else ps[0].addr2
+
+def create_msdu_subframe(src, dst, payload, last=False):
+	length = len(payload)
+	p = Ether(dst=dst, src=src, type=length)
+
+	payload = raw(payload)
+
+	total_length = len(p) + len(payload)
+	padding = ""
+	if not last and total_length % 4 != 0:
+		padding = b"\x00" * (4 - (total_length % 4))
+
+	return p / payload / Raw(padding)
+
+def find_network(iface, ssid):
+	ps = sniff(count=1, timeout=0.3, lfilter=lambda p: get_ssid(p) == ssid, iface=iface)
+	if ps is None or len(ps) < 1:
+		log(STATUS, "Searching for target network on other channels")
+		for chan in [1, 6, 11, 3, 8, 2, 7, 4, 10, 5, 9, 12, 13]:
+			set_channel(iface, chan)
+			log(DEBUG, "Listening on channel %d" % chan)
+			ps = sniff(count=1, timeout=0.3, lfilter=lambda p: get_ssid(p) == ssid, iface=iface)
+			if ps and len(ps) >= 1: break
+
+	if ps and len(ps) >= 1:
+		# Even though we capture the beacon we might still be on another channel,
+		# so it's important to explicitly switch to the correct channel.
+		actual_chan = orb(get_element(ps[0], IEEE_TLV_TYPE_CHANNEL).info)
+		set_channel(iface, actual_chan)
+
+		# Return the beacon that we captured
+		return ps[0]
+
+	return None
+

krackattack/pysetup.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Start from a clean environment
+rm -rf venv/
+
+# Basic python3 virtual environment
+python3 -m venv venv
+source venv/bin/activate
+pip install wheel
+pip install -r requirements.txt
+
+# Fix a bug in scapy that isn't fixed in the PyPI version yet. For background see
+# https://github.com/secdev/scapy/commit/46fa40fde4049ad7770481f8806c59640df24059
+sed -i 's/find_library("libc")/find_library("c")/g' venv/lib/python*/site-packages/scapy/arch/bpf/core.py

krackattack/reenable-hwcrypto.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Copyright (c) 2021, Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+#
+# This code may be distributed under the terms of the BSD license.
+# See README for more details.
+
+set -e
+
+NOHWCRYPT="ath5k ath9k ath9k_htc rt2800usb carl9170 b43 p54common rt2500usb rt2800pci rt2800usb rt73usb"
+SWCRYPTO="iwlwifi iwl3945 iwl4965"
+HWCRYPTO="ipw2200"
+
+
+# 1. Create nohwcrypt.conf options file
+
+rm -f /etc/modprobe.d/nohwcrypt.conf
+
+
+# 2. Remove loaded modules so they'll reload parameters
+
+for MODULE in $NOHWCRYPT $SWCRYPTO $HWCRYPTO
+do
+	rmmod $MODULE 2> /dev/null || true;
+done
+
+
+# 3. Done. To be sure parameters are reloaded, reboot computer.
+
+echo "Hardware decryption re-enabled. Reboot your computer."

krackattack/requirements.txt

@@ -1,2 +1,2 @@
-pycryptodomex==3.9.4
-scapy==2.4.3
+pycryptodome==3.9.9
+scapy==2.4.4

wpaspy/wpaspy.py

@@ -54,7 +54,7 @@ class Ctrl:
                     break
                 self.s = socket.socket(af, socktype)
                 self.s.settimeout(5)
-                self.s.sendto("GET_COOKIE", sockaddr)
+                self.s.sendto(b"GET_COOKIE", sockaddr)
                 reply, server = self.s.recvfrom(4096)
                 self.cookie = reply
                 self.port = port
@@ -83,13 +83,24 @@ class Ctrl:
             self.started = False
 
     def request(self, cmd, timeout=10):
+        if type(cmd) == str:
+            try:
+                cmd2 = cmd.encode()
+                cmd = cmd2
+            except UnicodeDecodeError as e:
+                pass
         if self.udp:
             self.s.sendto(self.cookie + cmd, self.sockaddr)
         else:
             self.s.send(cmd)
         [r, w, e] = select.select([self.s], [], [], timeout)
         if r:
-            return self.s.recv(4096)
+            res = self.s.recv(4096).decode()
+            try:
+                r = str(res)
+            except UnicodeDecodeError as e:
+                r = res
+            return r
         raise Exception("Timeout on waiting response")
 
     def attach(self):
@@ -104,6 +115,9 @@ class Ctrl:
     def detach(self):
         if not self.attached:
             return None
+        if self.s.fileno() == -1:
+            self.attached = False
+            return None
         while self.pending():
             ev = self.recv()
         res = self.request("DETACH")
@@ -129,5 +143,9 @@ class Ctrl:
         return False
 
     def recv(self):
-        res = self.s.recv(4096)
-        return res
+        res = self.s.recv(4096).decode()
+        try:
+            r = str(res)
+        except UnicodeDecodeError as e:
+            r = res
+        return r