Wednesday, May 29, 2013

Testing 802.11 Protected Management Frames (PMF, MFP or Robust Management Frames): wlantest frame injection

Protected Management Frames (802.11w) is an important security addition to WLAN: it integrity-protects (and, for unicast, encrypts) the robust management frames, so a third party can no longer tear down a connection with a forged deauthentication or disassociation, and the other management-frame spoofing attacks go with it.


PMF, also called MFP or robust management frames, gained wider attention when the WFA added it to its latest 11n certification, where it is a mandatory feature.


To test this feature thoroughly we need a management frame injector that can send the same frame in different forms: protected, unprotected, protected with the wrong key, and so on.
The wlantest tool that ships in hostap.git does exactly this, but it is tricky to use and is neither well documented nor widely used. Below we work through the code to find the exact commands needed to inject frames; all option and command text is taken from the source as is.


Fetching and Compiling the Tool

  1. git clone git://w1.fi/srv/git/hostap.git
  2. cd hostap/wlantest
  3. make (builds both wlantest and wlantest_cli)


Starting the Tool:

wlantest -cq -i <interface> -p <passphrase>


c ==> enable the control interface, needed for wlantest_cli


q ==> decrease the debug level


d ==> increase the debug level (repeat for more output)


i ==> capture/injection interface. It must be in monitor mode: wlantest injects through libpcap, prepending a radiotap header that tells mac80211 how to transmit the frame.

The station still needs its managed interface (wlan0) for normal operation, so create a second interface on the same PHY in monitor mode for capture and injection, e.g. iw dev wlan0 interface add mon0 type monitor.


Leave this running in its own window or push it to the background; it must stay up for the whole test.

Note: start the tool before running any tests so that it captures the 4-way handshake and can derive the transient keys from it.


Form a connection: connect the STA to the AP while wlantest is running. This is crucial: wlantest registers for EAPOL frames and, given the passphrase, derives the security association (PTK, GTK and IGTK) from the handshake; only then can it protect the frames it injects.


Injection:


Start wlantest_cli; it automatically connects to the wlantest instance that is already running with the control interface enabled.
At the wlantest_cli prompt the command below sends the different kinds of frames.


inject <frame> <prot> <sender> <BSSID> <STA/ff:ff:ff:ff:ff:ff>


frame: Frame Type

        { "auth", WLANTEST_FRAME_AUTH },
        { "assocreq", WLANTEST_FRAME_ASSOCREQ },
        { "reassocreq", WLANTEST_FRAME_REASSOCREQ },
        { "deauth", WLANTEST_FRAME_DEAUTH },
        { "disassoc", WLANTEST_FRAME_DISASSOC },
        { "saqueryreq", WLANTEST_FRAME_SAQUERYREQ }

For the WFA PMF test plan only disassoc, deauth and saqueryreq need to be injected.


prot: Protection
         normal ==> sent protected or unprotected depending on whether the security association uses management frame protection.
         protected ==> sent protected with the real keys.
         unprotected ==> encryption skipped; a PMF-capable receiver must discard the frame.
         incorrect ==> sent protected but with a wrong key, so the receiver's MIC check fails and it must discard the frame.


Sender: AP or STA (case insensitive); the injected frame is addressed as if it came from that side.


BSSID: AP's MAC Address


STA/FF: for unicast injection give the STA address; for broadcast injection, which is protected with BIP (the IGTK) rather than CCMP, give the broadcast address ff:ff:ff:ff:ff:ff.


Examples (BSSID and STA stand for the actual MAC addresses):

inject disassoc incorrect AP BSSID STA

inject disassoc incorrect AP BSSID ff:ff:ff:ff:ff:ff

inject deauth unprotected AP BSSID STA

A STA with PMF enabled must discard all three and stay associated; only a deauth or disassoc protected with the correct key should take the connection down.

If something does not work, raise the debug level by starting wlantest with -dd (or more d's) instead of -q.
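The whole procedure above (monitor interface, wlantest in the background, association, then the deauth/disassoc/saqueryreq matrix) as one small harness, added here as an example; it is not part of hostap or of the original post. It assumes wlantest and wlantest_cli are in PATH, that the station under test is wlan0 and the injection interface mon0, and the passphrase, BSSID and STA addresses are placeholders to be edited. The pass/fail expectations encode the 802.11w behaviour a PMF station must show: unprotected or wrong-key deauth/disassoc are discarded, correctly protected ones are honoured, and an SA Query request is answered without dropping the association.

```shell
#!/bin/sh
# Added example harness around wlantest / wlantest_cli (not part of hostap).
# Assumptions (not from the original post): wlantest and wlantest_cli in PATH,
# station interface wlan0, monitor interface mon0, placeholder passphrase and
# MAC addresses below.

STA_IF=${STA_IF:-wlan0}                # managed interface holding the association
MON_IF=${MON_IF:-mon0}                 # monitor interface wlantest injects through
PASSPHRASE=${PASSPHRASE:-passphrase}   # placeholder WPA2 passphrase
BSSID=${BSSID:-00:11:22:33:44:55}      # placeholder AP address
STA=${STA:-66:77:88:99:aa:bb}          # placeholder STA address

# Build the wlantest_cli inject command line, validating every field against the
# frame / protection / sender values wlantest_cli accepts.  Prints the command
# line; returns 1 and prints nothing on stdout for bad input.
inject_cmd() {
    case "$1" in
        auth|assocreq|reassocreq|deauth|disassoc|saqueryreq) ;;
        *) echo "bad frame type: $1" >&2; return 1 ;;
    esac
    case "$2" in
        normal|protected|unprotected|incorrect) ;;
        *) echo "bad protection: $2" >&2; return 1 ;;
    esac
    case "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" in
        ap|sta) ;;
        *) echo "bad sender: $3" >&2; return 1 ;;
    esac
    echo "wlantest_cli inject $1 $2 $3 $4 $5"
}

# Expected state of a PMF-enabled STA after a frame is injected from the AP side:
#   - deauth/disassoc sent protected (or "normal", which wlantest protects when
#     the association uses PMF) carry a valid MIC and are honoured;
#   - unprotected or wrong-key deauth/disassoc must be discarded;
#   - an SA Query request never tears the association down; the STA answers it.
expected_state() {
    case "$1:$2" in
        deauth:normal|deauth:protected|disassoc:normal|disassoc:protected)
            echo disconnected ;;
        deauth:*|disassoc:*|saqueryreq:*)
            echo connected ;;
        *)  echo unknown ;;
    esac
}

# Actual state of the station interface, read from iw.
observed_state() {
    if iw dev "$STA_IF" link 2>/dev/null | grep -q '^Connected to'; then
        echo connected
    else
        echo disconnected
    fi
}

# Inject one frame, give the STA a moment to react, compare with the expectation.
run_case() {
    want=$(expected_state "$1" "$2")
    cmd=$(inject_cmd "$1" "$2" AP "$BSSID" "$STA") || return 1
    $cmd >/dev/null            # unquoted on purpose: run the built command line
    sleep 2
    got=$(observed_state)
    if [ "$want" = "$got" ]; then res=PASS; else res=FAIL; fi
    printf '%-10s %-12s expected %-12s got %-12s %s\n' "$1" "$2" "$want" "$got" "$res"
    [ "$want" = "$got" ]
}

# Whole procedure: monitor interface, wlantest in the background, association,
# then the deauth/disassoc/saqueryreq matrix from the WFA PMF test plan.
main() {
    iw dev "$STA_IF" interface add "$MON_IF" type monitor || return 1
    ip link set "$MON_IF" up || return 1
    # wlantest must be capturing before the STA associates so that it sees the
    # 4-way handshake and derives the keys it protects injected frames with.
    wlantest -cq -i "$MON_IF" -p "$PASSPHRASE" >wlantest.log 2>&1 &
    sleep 1
    echo "wlantest running (pid $!); (re)connect $STA_IF to $BSSID, then press Enter"
    read -r _
    fails=0
    for frame in deauth disassoc saqueryreq; do
        for prot in unprotected incorrect normal; do
            run_case "$frame" "$prot" || fails=$((fails + 1))
            # a correctly protected deauth/disassoc drops the STA; reconnect first
            [ "$(expected_state "$frame" "$prot")" = disconnected ] &&
                { echo "reconnect $STA_IF, then press Enter"; read -r _; }
        done
    done
    echo "$fails failing case(s)"
    [ "$fails" -eq 0 ]
}

case "${1:-}" in run) main ;; esac
```

Run it as root with `./pmf_inject_test.sh run` on the station side; the "normal" cases double as a sanity check that wlantest really derived the keys, since a normal deauth that does not disconnect a PMF station means the injected frame was not protected with the right key.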

Happy Injecting ;-)

Updated: Fix the meaning of "q" and "d" and some cleanup.