Testing wireless access points

Nowadays, wireless devices are ubiquitous. Despite the widespread diffusion of this technology,  the security of wireless systems still needs a thorough scrutiny, in particular at the 802.11 network stack level.

Today we introduce WiFuzz, a very simple but nifty tool for testing wireless access point (AP) devices. WiFuzz generates "fuzzy" 802.11 network packets to trigger corner-case errors in the AP 802.11 stack.


How does it work?
WiFuzz is written entirely in Python, and leverages the Scapy library for packet generation. To use WiFuzz, the network card driver must support traffic injection. Moreover, the Wi-Fi interface must be put into "monitor mode"; as an example, with my NIC these commands do the job:
$ sudo rmmod iwlagn
$ sudo modprobe iwlagn
$ sudo ifconfig wlan0 down
$ sudo iwconfig wlan0 mode monitor
$ sudo ifconfig wlan0 up
Only two mandatory parameters are required before starting to fuzz: the fuzzer type, and the SSID of the target AP.

WiFuzz is somewhat of a "stateful" fuzzer: depending on the chosen fuzzer type, it first moves to a suitable 802.11 state before starting to fuzz the AP. As an example, 802.11 Association requests are fuzzed with the "assoc" fuzzer, which first moves to the "probed" state, then authenticates with the AP ("authenticated" state), and finally starts to fuzz Association packets. The available fuzzers are listed in the help screen shown below.

(Screenshot: WiFuzz help screen)
Fortunately, state transitions are handled transparently by the tool, so you can just forget about them ;-) For example, to fuzz the AP identified by the "TestMe" SSID, the following syntax can be used:
$ sudo python wifuzz.py -s TestMe assoc
To detect AP crashes, WiFuzz periodically listens for Beacon frames from the target access point: if no Beacon is received within the configured ping timeout, WiFuzz assumes the target has crashed, and a PCAP test case is generated to reproduce the crash. Test cases can be replayed using the wireply.py utility.
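As an added illustration (not WiFuzz's own code, which is built on Scapy), here is a stand-alone Python sketch of the two mechanisms just described: building raw 802.11 management frames such as the Authentication requests the "auth" fuzzer sends, and the Beacon-based liveness check that turns a silent AP into a replayable PCAP test case. It uses only the standard library; the client MAC 02:11:22:33:44:55 is a constructed value, and the BSSID is the one that appears in the run below.

```python
import struct

DLT_IEEE802_11 = 105  # pcap link type for raw 802.11 frames (no radiotap header)

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def mgmt_frame(subtype, dst, src, bssid, body):
    """Raw 802.11 management frame: 24-byte MAC header + body, no FCS."""
    fc = subtype << 4  # protocol version 0, type 0 (management), flags 0
    return struct.pack("<HH6s6s6sH", fc, 0, mac(dst), mac(src), mac(bssid), 0) + body

def beacon(ssid, bssid):
    """Beacon as the AP would send it: fixed fields followed by the SSID element (tag 0)."""
    fixed = struct.pack("<QHH", 0, 100, 0x0401)  # timestamp, beacon interval, capability
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    return mgmt_frame(8, "ff:ff:ff:ff:ff:ff", bssid, bssid, fixed + ssid_ie)

def auth_request(bssid, client, seq=1):
    """Open System Authentication request, the frame type the 'auth' fuzzer mutates."""
    body = struct.pack("<HHH", 0, seq, 0)  # algorithm, transaction sequence, status
    return mgmt_frame(11, bssid, client, bssid, body)

def beacon_bssid(frame, ssid):
    """Return the BSSID if `frame` is a Beacon advertising `ssid`, else None."""
    if len(frame) < 36 or frame[0] & 0x0C or frame[0] >> 4 != 8:
        return None  # too short, not a management frame, or not subtype 8 (Beacon)
    ies, i = frame[36:], 0  # information elements follow the 12 fixed body bytes
    while i + 2 <= len(ies):
        tag, ln = ies[i], ies[i + 1]
        if tag == 0:  # SSID element; addr3 (bytes 16..22) carries the BSSID
            return frame[16:22].hex(":") if ies[i + 2:i + 2 + ln] == ssid.encode() else None
        i += 2 + ln
    return None

def pcap_bytes(frames, ts=0):
    """Classic pcap (DLT_IEEE802_11) holding the round's frames, ready for replay."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for n, f in enumerate(frames):  # ts_sec, ts_usec (keeps order), incl_len, orig_len
        out += struct.pack("<IIII", ts, n, len(f), len(f)) + f
    return out

def fuzz_round(sent, captured, ssid):
    """Liveness check after a round: Beacon seen -> ('alive', bssid), else ('crashed', pcap)."""
    for frame in captured:
        bssid = beacon_bssid(frame, ssid)
        if bssid:
            return ("alive", bssid)
    return ("crashed", pcap_bytes(sent))
```

In a real run `captured` would be the frames sniffed during the ping timeout and `sent` the packets of the last round; the returned PCAP is what a replay tool would feed back to the AP.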

Use case
Here is a brief example of WiFuzz in action. In this scenario, we used WiFuzz to test the access point with SSID "TestMe".

$ sudo python wifuzz.py -s TestMe auth
Wed Sep 28 10:38:36 2011 {MAIN} Target SSID: TestMe; Interface: wlan0; Ping timeout: 60; PCAP directory: /dev/shm; Test mode? False; Fuzzer(s): auth;
Wed Sep 28 10:38:36 2011 {WIFI} Waiting for a beacon from SSID=[TestMe]
Wed Sep 28 10:38:36 2011 {WIFI} Beacon from SSID=[TestMe] found (MAC=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:38:36 2011 {WIFI} Starting fuzz 'auth'
Wed Sep 28 10:38:36 2011 {WIFI} [R00001] Sending packets 1-100
Wed Sep 28 10:38:50 2011 {WIFI} [R00001] Checking if the AP is still up...
Wed Sep 28 10:38:50 2011 {WIFI} Waiting for a beacon from SSID=[TestMe]
Wed Sep 28 10:38:50 2011 {WIFI} Beacon from SSID=[TestMe] found (MAC=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:38:50 2011 {WIFI} [R00002] Sending packets 101-200
Wed Sep 28 10:39:04 2011 {WIFI} [R00002] Checking if the AP is still up...
Wed Sep 28 10:39:04 2011 {WIFI} Waiting for a beacon from SSID=[TestMe]
Wed Sep 28 10:39:04 2011 {WIFI} Beacon from SSID=[TestMe] found (MAC=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:39:04 2011 {WIFI} [R00003] Sending packets 201-300
Wed Sep 28 10:39:18 2011 {WIFI} [R00003] Checking if the AP is still up...
Wed Sep 28 10:39:18 2011 {WIFI} Waiting for a beacon from SSID=[TestMe]
Wed Sep 28 10:39:19 2011 {WIFI} Beacon from SSID=[TestMe] found (MAC=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:39:19 2011 {WIFI} [R00004] Sending packets 301-400
Wed Sep 28 10:39:42 2011 {WIFI} [R00004] recv() timeout exceeded! (packet #325)
Wed Sep 28 10:39:42 2011 {WIFI} [R00004] Checking if the AP is still up...
Wed Sep 28 10:39:42 2011 {WIFI} Waiting for a beacon from SSID=[TestMe]
Wed Sep 28 10:40:42 2011 {WIFI} [!] The AP does not respond anymore. Latest test-case has been written to '/dev/shm/wifuzz-eK97nb.pcap'

The AP has been tested using the "auth" module (802.11 Authentication Request fuzzer). In this case, the AP crashed after roughly 325 packets, and a PCAP file with all the packets generated since the beginning of the last fuzz round has been written to "/dev/shm/wifuzz-eK97nb.pcap".

Conclusions
We use WiFuzz in our daily activities, and it has led to the identification of some interesting wireless bugs. The tool is available here, and it is released under the GPL license, so feel free to contribute!

2 comments:

  1. I found the tool WiFuzz interesting. But I am not able to find from where I could install it and start using it. Could you please provide me with the link?
  2. We have successfully installed the fuzzer, but we have a problem with it: the router doesn't crash at all, so kindly help us with it.