wpa_supplicant fails group key attacks even after krack patch

Dan Williams dcbw at redhat.com
Mon Dec 4 09:10:34 PST 2017


On Sun, 2017-12-03 at 14:04 -0800, David Park wrote:
> Hi,
> 
> I downloaded and cross-compiled wpa_supplicant for ARM from commit
> a0e3e22 which had all the patches relating to KRACK.
> 
> Using the vulnerability detection tool from the wifi alliance, I am
> now passing all the pairwise tests, but not the group key related
> tests. Specifically, I am failing the 4.1.3 and 4.2.1.
> 
> My wifi driver is part of the mainline kernel, interfacing with
> mac80211 and cfg80211, so I would have thought all the KRACK
> vulnerabilities would be completely handled by the wpa_supplicant
> patches. Is there something I'm missing?

There were some kernel-side mac80211 patches that resulted from KRACK
too, not sure if they fix your issue though.

fdf7cb4185b60c68e1a75e61691c4afdc15dea0e
cfbb0d90a7abb289edc91833d0905931f8805f12

Dan

> [17:30:38] Vulnerablity Detection Tool
> [17:30:38] Version 1.1
> [17:30:38] Note: disable Wi-Fi in network manager & disable hardware
> encryption. Both may interfere with this script.
> [17:30:39] Starting hostapd ...
> Configuration file: ./hostapd.conf
> Using interface wlan1 with hwaddr e8:94:f6:24:db:59 and ssid
> "test_client"
> wlan1: interface state UNINITIALIZED->ENABLED
> wlan1: AP-ENABLED
> [17:30:40] Ready. Connect to this Access Point to start the tests.
> Make sure the client requests an IP using DHCP!
> wlan1: STA d0:c1:93:02:ed:72 IEEE 802.11: authenticated
> wlan1: STA d0:c1:93:02:ed:72 IEEE 802.11: associated (aid 1)
> [17:34:32] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> wlan1: AP-STA-CONNECTED d0:c1:93:02:ed:72
> wlan1: STA d0:c1:93:02:ed:72 RADIUS: starting accounting session
> 70FD5AD6416A7E22
> [17:34:32] d0:c1:93:02:ed:72: transmitted data using IV=1 (seq=0)
> [17:34:34] d0:c1:93:02:ed:72: Hostapd: already installing pairwise
> key
> [17:34:34] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> [17:34:34] d0:c1:93:02:ed:72: transmitted data using IV=2 (seq=2)
> [17:34:35] d0:c1:93:02:ed:72: DHCP reply 192.168.100.2 to
> d0:c1:93:02:ed:72
> [17:34:35] d0:c1:93:02:ed:72: transmitted data using IV=3 (seq=1)
> [17:34:35] d0:c1:93:02:ed:72: client has IP address -> testing for
> group key reinstallation in the 4-way handshake
> [17:34:35] d0:c1:93:02:ed:72: sent 1 broadcasts ARPs this interval
> [17:34:35] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
> from 192.168.100.1
> [17:34:35] d0:c1:93:02:ed:72: DHCP reply 192.168.100.2 to
> d0:c1:93:02:ed:72
> [17:34:35] d0:c1:93:02:ed:72: transmitted data using IV=4 (seq=2)
> [17:34:36] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> [17:34:36] d0:c1:93:02:ed:72: transmitted data using IV=5 (seq=3)
> [17:34:37] d0:c1:93:02:ed:72: sent 2 broadcasts ARPs this interval
> [17:34:37] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
> from 192.168.100.1
> [17:34:37] d0:c1:93:02:ed:72: received 1 replies to the replayed
> broadcast ARP requests
> [17:34:37] d0:c1:93:02:ed:72: transmitted data using IV=6 (seq=3)
> [17:34:38] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> [17:34:38] d0:c1:93:02:ed:72: transmitted data using IV=7 (seq=4)
> [17:34:38] d0:c1:93:02:ed:72: no pairwise IV resets seem to have
> occured for one interval
> [17:34:38] d0:c1:93:02:ed:72: transmitted data using IV=8 (seq=4)
> [17:34:38] d0:c1:93:02:ed:72: transmitted data using IV=9 (seq=5)
> [17:34:39] d0:c1:93:02:ed:72: sent 3 broadcasts ARPs this interval
> [17:34:39] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
> from 192.168.100.1
> [17:34:39] d0:c1:93:02:ed:72: received 2 replies to the replayed
> broadcast ARP requests
> [17:34:39] d0:c1:93:02:ed:72: transmitted data using IV=10 (seq=6)
> [17:34:40] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> [17:34:40] d0:c1:93:02:ed:72: transmitted data using IV=11 (seq=5)
> [17:34:41] d0:c1:93:02:ed:72: sent 4 broadcasts ARPs this interval
> [17:34:41] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
> from 192.168.100.1
> [17:34:41] d0:c1:93:02:ed:72: received 3 replies to the replayed
> broadcast ARP requests
> [17:34:41] d0:c1:93:02:ed:72: transmitted data using IV=12 (seq=7)
> [17:34:42] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> [17:34:42] d0:c1:93:02:ed:72: transmitted data using IV=13 (seq=6)
> [17:34:43] d0:c1:93:02:ed:72: got a reply to broadcast ARP during
> this interval
> [17:34:43] d0:c1:93:02:ed:72: sent 1 broadcasts ARPs this interval
> [17:34:43] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
> from 192.168.100.1
> [17:34:43] d0:c1:93:02:ed:72: received 4 replies to the replayed
> broadcast ARP requests
> [17:34:43] d0:c1:93:02:ed:72: transmitted data using IV=14 (seq=8)
> [17:34:43] d0:c1:93:02:ed:72: transmitted data using IV=15 (seq=9)
> [17:34:43] d0:c1:93:02:ed:72: no pairwise IV resets seem to have
> occured for one interval
> [17:34:44] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> [17:34:44] d0:c1:93:02:ed:72: transmitted data using IV=16 (seq=7)
> [17:34:45] d0:c1:93:02:ed:72: sent 2 broadcasts ARPs this interval
> [17:34:45] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
> from 192.168.100.1
> [17:34:45] d0:c1:93:02:ed:72: transmitted data using IV=17 (seq=10)
> [17:34:45] d0:c1:93:02:ed:72: received 5 replies to the replayed
> broadcast ARP requests
> [17:34:45] d0:c1:93:02:ed:72: Received 5 unique replies to replayed
> broadcast ARP requests. Client is vulnerable to group
> [17:34:45]                    key reinstallations in the 4-way
> handshake (or client accepts replayed broadcast frames)!
> [17:34:46] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> [17:34:46] d0:c1:93:02:ed:72: transmitted data using IV=18 (seq=8)
> [17:34:48] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> [17:34:48] d0:c1:93:02:ed:72: transmitted data using IV=19 (seq=9)
> [17:34:48] d0:c1:93:02:ed:72: transmitted data using IV=20 (seq=11)
> [17:34:48] d0:c1:93:02:ed:72: no pairwise IV resets seem to have
> occured for one interval
> [17:34:50] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> [17:34:50] d0:c1:93:02:ed:72: transmitted data using IV=21 (seq=10)
> [17:34:52] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> [17:34:52] d0:c1:93:02:ed:72: transmitted data using IV=22 (seq=11)
> [17:34:54] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
> and sending Msg3/4
> [17:34:54] d0:c1:93:02:ed:72: transmitted data using IV=23 (seq=12)
> [17:34:54] d0:c1:93:02:ed:72: no pairwise IV resets seem to have
> occured for one interval
> [17:34:54] d0:c1:93:02:ed:72: client DOESN'T seem vulnerable to
> pairwise key reinstallation in the 4-way handshake (using standard
> attack).
> [17:34:54] Pairwise key test : NOT Vulnerable
> [17:34:54] Group key test : Vulnerable
> [17:34:54] Test Finished
> [17:34:54] Closing hostapd and cleaning up ...
> 
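The group key result in the log above comes down to the receiver's replay counter: each retransmitted Msg3/4 reinstalls the same GTK, and if that resets the receive packet number, a replayed broadcast frame is accepted again. The following is an added example, not code from wpa_supplicant, mac80211 or the test tool; it is a simplified model in which the struct, the function names, the key bytes and the RSC value of 0 are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GTK_LEN 16

/* Simplified receive-side state for one group key slot (hypothetical model). */
struct gtk_slot {
    uint8_t  key[GTK_LEN];
    uint64_t rx_pn;      /* highest packet number accepted so far */
    bool     installed;
};

/* Install a GTK carried in Msg3/4. With skip_same_key=false every install
 * resets the replay counter; with true, an identical key is left untouched. */
static void gtk_install(struct gtk_slot *s, const uint8_t *key,
                        uint64_t rsc, bool skip_same_key)
{
    if (skip_same_key && s->installed && memcmp(s->key, key, GTK_LEN) == 0)
        return;                      /* same key: keep the existing rx_pn */
    memcpy(s->key, key, GTK_LEN);
    s->rx_pn = rsc;
    s->installed = true;
}

/* CCMP-style replay check: only a strictly increasing PN is accepted. */
static bool gtk_rx_accept(struct gtk_slot *s, uint64_t pn)
{
    if (!s->installed || pn <= s->rx_pn)
        return false;
    s->rx_pn = pn;
    return true;
}

/* One broadcast frame with PN=1 is received, then each round retransmits
 * Msg3/4 with the same GTK and replays that frame. Returns how many
 * replayed copies the receiver accepted. */
int replayed_frames_accepted(bool skip_same_key, int rounds)
{
    static const uint8_t gtk[GTK_LEN] = { 0xA5 };   /* constructed key */
    struct gtk_slot slot = { 0 };
    int accepted = 0;

    gtk_install(&slot, gtk, 0, skip_same_key);
    gtk_rx_accept(&slot, 1);                        /* original broadcast */
    for (int i = 0; i < rounds; i++) {
        gtk_install(&slot, gtk, 0, skip_same_key);  /* retransmitted Msg3/4 */
        accepted += gtk_rx_accept(&slot, 1);        /* replayed broadcast */
    }
    return accepted;
}

int main(void)
{
    printf("counter reset on reinstall: %d replays accepted\n",
           replayed_frames_accepted(false, 5));
    printf("identical key ignored:      %d replays accepted\n",
           replayed_frames_accepted(true, 5));
    return 0;
}
```

The counter can live in the supplicant, the kernel or the driver/firmware, so the check has to hold at whichever layer actually performs replay detection for group-addressed frames.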