Garbled data in 802.11 management frames - missing FCS check? about snoopy-ng HOT 4 OPEN

I should have listed this in the bugs section - certain wireless cards are prone to this, for example the TPLINK TL-WN722N. Other cards, like the Alfa Awus036h seem to perform better. I spent a lot of time last year trying to implement the Wireshark FCS algorithm from C (in Wireshark) to Python to patch Scapy, but didn't succeed in the end. Read my question on the Scapy mailing list here:

http://comments.gmane.org/gmane.comp.security.scapy.general/4918

And the Wireshark C code for the FCS:
https://gist.github.com/glennzw/6365693

I'm trying to find my Python FCS implementation (that was not quite working) to see if you'd have any insight into fixing it. I think it's on a VM back at home, I'll check and update this thread when I find it.

We'd add this to prefilter.py (https://github.com/sensepost/snoopy-ng/blob/master/plugins/mods80211/prefilter/prefilter.py) You can see the dirty hack I've got in there at the moment.

Also, I've recently discovered Impacket:

https://code.google.com/p/impacket/

It has native support for FCS checking, and potetially better performance than Scapy. Well, I'll re-implement and compare performance.

from snoopy-ng.

Yes, TP-LINK - exactly what I'm using in my tests. Happy to check out the Python FCS implementation if you can resurrect it.

Impacket looks very promising indeed, I haven't seen that before myself.

I've actually got a tshark-based probe and beacon sniffing PoC here in the meantime:

https://github.com/maximcherny/snoopy-ng/blob/headway/plugins/tshark.py

If you are interested in pulling that in that please let me know. This one does not deal with handshake capture or cookie snarfing though.

from snoopy-ng.

That'd be useful to have as a separate plugin perhaps - wifi-maxim or some-such?

from snoopy-ng.

Going back to this - using scapy_ex it is also possible to determine the presence and the value of the FCS flag, I have got working code here:

https://github.com/maximcherny/snoopy-ng/blob/headway/plugins/mods80211/wifi_clients.py

if p.Flags is not None:
    if p.Flags & 64 != 0:
        self.droppedCount += 1
        fcs = 0
    elif p.Flags & 64 == 0:
        fcs = 1

However, I've collected almost 3 million probes and the flag only appears in roughly 75% of the data, remaining unknown for the rest. While it can be an improvement, it's not a silver bullet. Happy to organise a pull request.

from snoopy-ng.