WPAxFuzz: full-featured open-source Wi-Fi fuzzer

Wi-Fi fuzzer

WPAxFuzz

Wi-Fi fuzzer

This tool is capable of fuzzing either any management, control, or data frame of the 802.11 protocol or the SAE exchange. For the management, control, or data frames, you can choose either the “standard” mode where all of the frames transmitted have valid size values or the “random” mode where the size value is random. The SAE fuzzing operation requires an AP that supports WPA3. Management, control, or data frame fuzzing can be executed against any AP (WPA2 or WPA3). Finally, a DoS attack vector is implemented, which exploits the findings of the management, control, or data frame fuzzing. Overall, WPAxFuzz offers the below options:

    1) Fuzz Management Frames

2) Fuzz SAE exchange
3) Fuzz Control Frames
4) Fuzz Data Frames (BETA)
5) DoS attack module

 

Fuzz SAE-exchange

This module focuses on the so-called SAE Commit and SAE Confirm Authentication frames which are exchanged during the SAE handshake. According to the 802.11 standards, both these frames carry the Authentication algorithm (3), the Authentication Sequence (1 for Commit and 2 for Confirm), and a Status code, namely, a value between 0 and 65535, with 0 standing for “Successful”. Note that Status code values between 1 and 129 (except 4, 8, 9, 20, 21, 26, 29, 36, 48, 66, 69-71, 90-91, 116, 124, and 127) designate a different failure cause, while the rest are reserved by the protocol.

In more detail, the current module, selected through WPAxFuzz’s CLI, optionally capitalizes on the burst frame sending mode, namely, it sprays multiple frames, i.e., 128, at once towards the target AP. It comprises four different circles: (i) transmit SAE (Authentication) frames to the radio channel the target STA operates, (ii) transmit SAE frames to a different radio channel than that of the target STA(s), and (iii) either of the previous, but with the burst mode enabled. Further, each fuzzing cycle is executed over seven diverse variants based on the stateless approach of the WPA3-SAE authentication procedure as follows:

  1. An empty SAE auth frame.
  2. A valid (well-formed) SAE-Commit frame followed by (1).
  3. A valid SAE-Commit frame, followed by an SAE-Confirm frame with the so-called Send-Confirm field set to 0. Recall that the Send-Confirm field carries the counter of the already sent Confirm frames, hence acting as an anti-replay counter.
  4. As with (3), but the value of the Send-Confirm field is set to 2. This specific value (2) was chosen, using a value between 2 and 65,534 for this field, “the AP disconnected the target STA after 20 sec on average”.
  5. A valid SAE-Commit frame.
  6. A valid SAE-Confirm frame with the Send-Confirm field equal to 0.
  7. As with (6), but the Send-Confirm field’s value is set to 2.

As with the Management frames module, the present one uses the same monitoring logic and is split in two different types of fuzzing procedures, namely, Standard and Extensive. For instance, the Authentication algorithm field is fuzzed using specific, cherry-picked values, including 0, 1, 2, and 200, and not random ones generated by Blab or otherwise. On the other hand, the Extensive mode concentrates on grindingly testing every valid SAE field combination, that is, every possible value in the range of 0 to 65535, making it far more time-consuming vis-à-vis the Standard mode.

DoS802.11 (DoS attack module)

This module launches a DoS attack based on the data (log files) collected from the fuzzing process. It can only be performed against the same AP and STA used during the fuzzing process. Namely, the frames that caused any kind of problematic behavior during the fuzzing are being transmitted in a way decided by the below options.

Description

STEP1: Pick the option 5), namely:

5) DoS attack module

STEP2: Pick the attack module you wish

1) Frames detected at the moment of connectivity disruption, one-by-one
2) Sequence of frames till the moment a disruption was detected (BETA)

STEP3: The first mode of DoS802.11, tests all the frames that the fuzzer detected up to that moment. It is a second hand filtering to separate the true positive from the false positive frames. In case a frame is positive, i.e., causes a DoS to the associated STA, an exploit is being produced automatically.
STEP4: DoS802.11 exits when the log files have been considered.

Install

Copyright (c) 2022 Vyron Kampourakis (Management frames, Control frames, Data frames, and DoS tools)
Copyright (c) 2022 Apostolos Dolmes (SAE Exchange tool)
Copyright (c) 2022 Efstratios Chatzoglou