How to force packets with bad MIC?
Queisser, Andrew Idol pick: Blake
andrew.queisser
Fri May 25 16:17:43 PDT 2007
Hi all,
I built wpa_supplicant with the goal to create packets to force MIC
failures on an AP we're having trouble with. My goal was to first verify
that the AP does indeed go into TKIP countermeasure mode correctly and
then checking whether sending junk in the TSC, ICV and and so on does
not trigger the countermeasure.
I thought I could inject some debug code into wpa_supplicant but after
digging through the code a bit it seems like this kind of modification
has to be done at the card driver level. I have a working zd1211 and
madwifi setup but at first glance it looks like either of these chipsets
do MIC in hardware.
Does anyone know of a way to override the TSC, ICV and MIC fields that
go out into the air? Is it worth continuing with the zd1211 and madwifi
drivers? I can't tell whether these things calculate the MIC and hand it
back to the driver or whether that's done just before the packet goes
out, which would prevent me from messing with the values.
Needless to say this is for debugging, not DoS attacks.
Thanks,
Andrew Queisser
HP
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20070525/bc627f82/attachment.htm
More information about the Hostap
mailing list