owfuzz
owfuzz: a WiFi protocol fuzzing tool using openwifi.
Openwifi is an open-source WiFi protocol stack based on SDR that is fully compatible with Linux mac80211. It's driver takes advantage of the Linux kernel's supports (mac80211, cfg80211) for WiFi high MAC, so it can provide an interface to the application layer like a common WiFi USB dongle. In The hardware part, CSMA/CA protocol and other functions of WiFi low MAC layer are implemented on FPGA. It supports monitoring and injection of arbitrary WiFi frames,The application layer software can also directly communicate with the openwifi driver/FPGA/RF underlying functions through nl80211, which provides users with great autonomous and controllable ability. Owfuzz is the first to use openwifi platform to implements a WiFi protocol fuzzing test framework, which supports the fuzzing test of all WiFi frames and the interactivity testing of WiFi protocols.
Owfuzz can also use a wireless network card that supports monitor mode and frame injection.
Architecture
Features:
- IEEE Std 802.11 1999/2007/2012/2016/2020
- 2.4Ghz and 5Ghz
- Supports all WiFi devices: APs and Clients
- Fuzzing all frames: management/control/data
- Any state of WiFi
- Interactivity testing
- OPEN/WEP/WPA/WPA2/WPA3
- Automatically generates poc log and locates the vulnerability.
- Multichannel monitor and transmission
Usage
- owfuzz usage:
- example: sudo ./owfuzz -i wlan0 -m ap -c [channel] -t [target-mac] -b [ap-mac] -s [ap-mac] -T 2 -A WPA2_PSK_TKIP_AES -I [targe-ip]
- -i [interface], Interface to use.
- -m [ap/sta/mitm], Set the mode of fuzzer, default is ap.
- -c [channel], Set the working channel of fuzzer, default is 1.
- -t [mac], Target's MAC address.
- -S [SSID], AP's SSID.
- -A [auth type], Target's auth type: OPEN_NONE, OPEN_WEP, SHARE_WEP, WPA_PSK_TKIP, WPA_PSK_AES, WPA_PSK_TKIP_AES, WPA2_PSK_TKIP, WPA2_PSK_AES, WPA2_PSK_TKIP_AES, EAP_8021X, WPA3
- -I [IP address], Target's IP address
- -b [BSSID], AP's Mac address
- -s [mac], Fuzzer's (source) Mac address.
- -T [test type], Test type, default 1, 0: Poc test, 1: interactive test, 2: frames test, 3: interactive & frames test
- -f [log file], Log file path
- -h Help.
Building
Kali/Ubuntu
- Install dependencies
sudo apt-get install pkg-config libnl-3-dev libnl-genl-3-dev libpcap-dev
- Compiling
make
OpenWiFi
- Copy owfuzz and openwifi_owfuzz.sh to openwifi with password openwifi.
scp -r owfuzz openwifi_owfuzz.sh [email protected]:~/
- Login to the board from your PC (PC Ethernet should have IP 192.168.10.1) with password openwifi.
- Install dependencies
sudo apt-get install pkg-config libnl-3-dev libnl-genl-3-dev libpcap-dev
- Compiling
cd ~/owfuzz
make
- Init openwifi env
./openwifi_owfuzz.sh
Example
- Fuzzing Client
sudo ./src/owfuzz -i wlan0 -m ap -c [channel] -t [sta-mac] -b [ap-mac] -s [ap-mac] -T 2 -A WPA2_PSK_TKIP_AES -I [sta-ip]
- Fuzzing AP
sudo ./src/owfuzz -i wlan0 -m sta -c [channel] -t [ap-mac] -b [ap-mac] -s [sta-mac] -T 2 -A WPA3 -S [ssid-name] -I [ap-ip]
- Interactivity fuzzing
sudo ./src/owfuzz -i wlan0 -m ap -c [channel] -t [sta-mac] -b [ap-mac] -s [ap-mac] -T 1 -A WPA2_PSK_AES
Discovered vulnerabilities
- CVE-2021-34173
- CVE-2021-34174
- CVE-2021-1903
- CVE-2021-30310
- CVE-2021-33028
- CVE-2021-33029
- CVE-2022-34744
- CVE-2022-34745
License
This project is available as open source under the terms of the GPL 3.0 Or later. However, some elements are being licensed under GPL 2-0 or later and BSD 3 license . For accurate information, please check individual files.