From ff3395caae4fe3864e7d3a9073bdbc6ee482efbb Mon Sep 17 00:00:00 2001 From: = <=> Date: Fri, 6 Sep 2024 11:16:59 +0200 Subject: [PATCH] improved faulty PMKID detection --- hcxpcapngtool.c | 72 ++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 57 insertions(+), 15 deletions(-) diff --git a/hcxpcapngtool.c b/hcxpcapngtool.c index a54fb4693..1cd3be6dd 100644 --- a/hcxpcapngtool.c +++ b/hcxpcapngtool.c @@ -163,6 +163,7 @@ static long int pcapreaderrors; static long int skippedpacketcount; static long int zeroedtimestampcount; static long int fcsframecount; +static long int fcsbadframecount; static long int band24count; static long int band5count; static long int band6count; @@ -481,6 +482,7 @@ pcapreaderrors = 0; skippedpacketcount = 0; zeroedtimestampcount = 0; fcsframecount = 0; +fcsbadframecount = 0; band24count = 0; band5count = 0; band6count = 0; @@ -660,6 +662,7 @@ else fprintf(stdout, "endianness (capture system)..............: big endian\ if(rawpacketcount > 0) fprintf(stdout, "packets inside...........................: %ld\n", rawpacketcount); if(skippedpacketcount > 0) fprintf(stdout, "skipped packets..........................: %ld\n", skippedpacketcount); if(fcsframecount > 0) fprintf(stdout, "frames with correct FCS..................: %ld\n", fcsframecount); +if(fcsbadframecount > 0) fprintf(stdout, "frames with bad FCS......................: %ld\n", fcsbadframecount); if(band24count > 0) fprintf(stdout, "packets received on 2.4 GHz..............: %ld\n", band24count); if(band5count > 0) fprintf(stdout, "packets received on 5 GHz................: %ld\n", band5count); if(band6count > 0) fprintf(stdout, "packets received on 6 GHz................: %ld\n", band6count); @@ -3218,7 +3221,7 @@ if((infolen != 0) && (infolen != 4) && (ef == false)) return false; return true; } /*===========================================================================*/ -static void process80211eapol_m4(uint64_t eaptimestamp, uint8_t *macap, uint8_t *macclient, uint32_t restlen, uint8_t *eapauthptr) +static void process80211eapol_m4(uint64_t eaptimestamp, uint8_t *macap, uint8_t *macclient, uint8_t *macsrc, uint32_t restlen, uint8_t *eapauthptr) { static int c; static messagelist_t *zeiger; @@ -3233,8 +3236,14 @@ static uint64_t rcgap; static uint8_t mpfield; static const uint8_t foxtrott[4] = { 0xff, 0xff, 0xff, 0xff }; + eapolm4count++; eapolmsgcount++; +if(memcmp(macap, macsrc, 6) != 0) + { + eapolm1errorcount++; + return; + } eapauth = (eapauth_t*)eapauthptr; authlen = ntohs(eapauth->len); if(authlen == 0) return; @@ -3364,7 +3373,7 @@ qsort(messagelist, MESSAGELIST_MAX +1, MESSAGELIST_SIZE, sort_messagelist_by_tim return; } /*===========================================================================*/ -static void process80211eapol_m3(uint64_t eaptimestamp, uint8_t *macclient, uint8_t *macap, uint32_t restlen, uint8_t *eapauthptr) +static void process80211eapol_m3(uint64_t eaptimestamp, uint8_t *macclient, uint8_t *macap, uint8_t *macsrc, uint32_t restlen, uint8_t *eapauthptr) { static int c; static messagelist_t *zeiger; @@ -3383,6 +3392,11 @@ static const uint8_t foxtrott[4] = { 0xff, 0xff, 0xff, 0xff }; eapolm3count++; eapolmsgcount++; +if(memcmp(macap, macsrc, 6) != 0) + { + eapolm1errorcount++; + return; + } zeigerakt = messagelist +MESSAGELIST_MAX; eapauth = (eapauth_t*)eapauthptr; authlen = ntohs(eapauth->len); @@ -3545,7 +3559,7 @@ qsort(messagelist, MESSAGELIST_MAX +1, MESSAGELIST_SIZE, sort_messagelist_by_tim return; } /*===========================================================================*/ -static void process80211eapol_m2(uint64_t eaptimestamp, uint8_t *macap, uint8_t *macclient, uint32_t restlen, uint8_t *eapauthptr) +static void process80211eapol_m2(uint64_t eaptimestamp, uint8_t *macap, uint8_t *macclient, uint8_t *macsrc, uint32_t restlen, uint8_t *eapauthptr) { static int c; static messagelist_t *zeiger; @@ -3565,6 +3579,11 @@ static const uint8_t foxtrott[4] = { 0xff, 0xff, 0xff, 0xff }; eapolm2count++; eapolmsgcount++; +if(memcmp(macap, macsrc, 6) != 0) + { + eapolm1errorcount++; + return; + } eapauth = (eapauth_t*)eapauthptr; authlen = ntohs(eapauth->len); if(authlen == 0) return; @@ -3739,11 +3758,21 @@ static uint8_t keyver; static uint64_t rc; static const uint8_t foxtrott[4] = { 0xff, 0xff, 0xff, 0xff }; + eapolm1count++; eapolmsgcount++; +if(memcmp(macap, macsrc, 6) != 0) + { + eapolm1errorcount++; + return; + } eapauth = (eapauth_t*)eapauthptr; authlen = ntohs(eapauth->len); -if(authlen > restlen) return; +if(authlen > restlen) + { + eapolm1errorcount++; + return; + } wpakptr = eapauthptr +EAPAUTH_SIZE; wpak = (wpakey_t*)wpakptr; keyver = ntohs(wpak->keyinfo) & WPA_KEY_INFO_TYPE_MASK; @@ -3918,11 +3947,11 @@ if((keylen != 0) && (keylen != 16) && (keylen != 32)) if(keyinfo == 1) process80211eapol_m1(eaptimestamp, macto, macfm, macsrc, eapauthlen, eapauthptr); else if(keyinfo == 2) { - if(authlen != 0x5f) process80211eapol_m2(eaptimestamp, macto, macfm, eapauthlen, eapauthptr); - else process80211eapol_m4(eaptimestamp, macto, macfm, eapauthlen, eapauthptr); + if(authlen != 0x5f) process80211eapol_m2(eaptimestamp, macto, macfm, macsrc, eapauthlen, eapauthptr); + else process80211eapol_m4(eaptimestamp, macto, macfm, macsrc, eapauthlen, eapauthptr); } -else if(keyinfo == 3) process80211eapol_m3(eaptimestamp, macto, macfm, eapauthlen, eapauthptr); -else if(keyinfo == 4) process80211eapol_m4(eaptimestamp, macto, macfm, eapauthlen, eapauthptr); +else if(keyinfo == 3) process80211eapol_m3(eaptimestamp, macto, macfm, macsrc, eapauthlen, eapauthptr); +else if(keyinfo == 4) process80211eapol_m4(eaptimestamp, macto, macfm, macsrc, eapauthlen, eapauthptr); return; } /*===========================================================================*/ @@ -4685,7 +4714,7 @@ else if(loba->family == LOBA_IPV630) processipv6(timestamp, caplen -LOBA_SIZE, p return; } /*===========================================================================*/ -static void getradiotapfield(uint16_t rthlen, uint32_t caplen, uint8_t *capptr) +static bool getradiotapfield(uint16_t rthlen, uint32_t caplen, uint8_t *capptr) { static int i; static uint16_t pf; @@ -4695,7 +4724,6 @@ static uint32_t *pp; frequency = 0; rth = (rth_t*)capptr; pf = RTH_SIZE; -if((rth->it_present & IEEE80211_RADIOTAP_CHANNEL) != IEEE80211_RADIOTAP_CHANNEL) return; if((rth->it_present & IEEE80211_RADIOTAP_EXT) == IEEE80211_RADIOTAP_EXT) { pp = (uint32_t*)capptr; @@ -4713,11 +4741,19 @@ if((rth->it_present & IEEE80211_RADIOTAP_TSFT) == IEEE80211_RADIOTAP_TSFT) if((pf %8) != 0) pf += 4; pf += 8; } -if((rth->it_present & IEEE80211_RADIOTAP_FLAGS) == IEEE80211_RADIOTAP_FLAGS) pf += 1; +if((rth->it_present & IEEE80211_RADIOTAP_FLAGS) == IEEE80211_RADIOTAP_FLAGS) + { + if((capptr[pf] & 0x50) == 0x50) + { + fcsbadframecount++; + return false; + } + pf += 1; + } if((rth->it_present & IEEE80211_RADIOTAP_RATE) == IEEE80211_RADIOTAP_RATE) pf += 1; if((rth->it_present & IEEE80211_RADIOTAP_CHANNEL) == IEEE80211_RADIOTAP_CHANNEL) { - if(pf > caplen) return; + if(pf > caplen) false; if((pf %2) != 0) pf += 1; frequency = (capptr[pf +1] << 8) + capptr[pf]; usedfrequency[frequency] += 1; @@ -4761,10 +4797,10 @@ if((rth->it_present & IEEE80211_RADIOTAP_FHSS) == IEEE80211_RADIOTAP_FHSS) } if((rth->it_present & IEEE80211_RADIOTAP_DBM_ANTSIGNAL) == IEEE80211_RADIOTAP_DBM_ANTSIGNAL) { - if(pf > caplen) return; + if(pf > caplen) return false; rssi = capptr[pf]; } -return; +return true; } /*===========================================================================*/ static void processlinktype(uint64_t captimestamp, uint32_t linktype, uint32_t caplen, uint8_t *capptr) @@ -4848,7 +4884,12 @@ if(linktype == DLT_IEEE802_11_RADIO) if(fh_log != NULL) fprintf(fh_log, "unsupported radiotap header version: %ld\n", rawpacketcount); return; } - getradiotapfield(rth->it_len, caplen, capptr); + if(getradiotapfield(rth->it_len, caplen, capptr) == false) + { + pcapreaderrors++; + radiotaperrorcount++; + return; + } packetlen = caplen -rth->it_len; packetptr = capptr +rth->it_len; } @@ -4975,6 +5016,7 @@ crc = fcscrc32check(packetptr, packetlen -4); #ifdef BIG_ENDIAN_HOST crc = byte_swap_32(crc); #endif + if(crc == fcs->fcs) { fcsframecount++;