vanhoefm / krackattacks-scripts

License: Other

Shell 0.47% Python 25.75% Makefile 1.00% C 71.47% Roff 0.02% Perl 0.01% PHP 0.15% C++ 0.87% QMake 0.01% Java 0.24% AIDL 0.02%

krackattacks-scripts's Introduction

This project contains scripts to test if clients or access points (APs) are affected by the KRACK attack against WPA2. For details behind this attack see our website and the research paper.

Remember that our scripts are not attack scripts! You will need the appropriate network credentials in order to test if an access point or client is affected by the KRACK attack.

21 January 2021: the scripts have been made compatible with Python3 and have been updated to better support newer Linux distributions. If you want to revert to the old version, execute git fetch --tags && git checkout v1 after cloning the repository (and switch back to the latest version using git checkout research).

Prerequisites

Our scripts were tested on Kali Linux. To install the required dependencies on Kali, execute:

sudo apt update
sudo apt install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils python3-venv iw

Now compile our modified hostapd instance and create a Python virtual environment. This ensures you're using compatible Python libraries (those listed in krackattack/requirements.txt):

git clone https://github.com/vanhoefm/krackattacks-scripts.git
cd krackattacks-scripts/krackattack
./build.sh
./pysetup.sh

Then disable hardware encryption for optimal results:

cd krackattack
sudo ./disable-hwcrypto.sh

Note that if needed you can later re-enable hardware encryption using the script sudo ./reenable-hwcrypto.sh. It's recommended to reboot after disabling hardware encryption. We tested our scripts with an Intel Dual Band Wireless-AC 7260 and a TP-Link TL-WN722N v1 on Kali Linux.

Before every usage

Every time before you use the scripts you must disable Wi-Fi in your network manager. Then execute:

sudo rfkill unblock wifi
cd krackattack
sudo su
source venv/bin/activate

After doing this you can execute the scripts multiple times as long as you don't close the terminal.

If you want to undo the effects of the disable-hwcrypto.sh then delete the file /etc/modprobe.d/nohwcrypt.conf.

Testing Clients

First modify hostapd/hostapd.conf and edit the line interface= to specify the Wi-Fi interface that will be used to execute the tests. Note that for all tests, once the script is running, you must let the device being tested connect to the SSID testnetwork using the password abcdefgh. You can change settings of the AP by modifying hostapd/hostapd.conf. In all tests the client must use DHCP to get an IP after connecting to the Wi-Fi network. This is because some tests only start after the client has requested an IP using DHCP!

You should now run the following tests located in the krackattack/ directory:

  1. ./krack-test-client.py --replay-broadcast. This tests whether the client accepts replayed broadcast frames. If the client accepts replayed broadcast frames, this must be patched first. If you do not patch the client, our script will not be able to determine if the group key is being reinstalled (because then the script will always say the group key is being reinstalled).

  2. ./krack-test-client.py --group --gtkinit. This tests whether the client installs the group key in the group key handshake with the given receive sequence counter (RSC). See section 6.4 of our follow-up research paper (https://papers.mathyvanhoef.com/ccs2018.pdf) for the details behind this vulnerability.

  3. ./krack-test-client.py --group. This tests whether the client reinstalls the group key in the group key handshake. In other words, it tests if the client is vulnerable to CVE-2017-13080. The script tests for reinstallations of the group key by sending broadcast ARP requests to the client using an already used (replayed) packet number (here packet number = nonce = IV). Note that if the client always accepts replayed broadcast frames (see --replay-broadcast), this test might incorrectly conclude the group key is being reinstalled.

  4. ./krack-test-client.py. This tests for key reinstallations in the 4-way handshake by repeatedly sending encrypted message 3's to the client. In other words, this tests for CVE-2017-13077 (the vulnerability with the highest impact) and for CVE-2017-13078. The script monitors traffic sent by the client to see if the pairwise key is being reinstalled. Note that this effectively performs two tests: whether the pairwise key is reinstalled, and whether the group key is reinstalled. Make sure the client requests an IP using DHCP for the group key reinstallation test to start. To ensure the client is sending enough unicast frames, you can optionally ping the AP: ping 192.168.100.254.

  5. ./krack-test-client.py --tptk. Identical to test 4, except that a forged message 1 is injected before sending the encrypted message 3. This variant of the test is important because some clients (e.g. wpa_supplicant v2.6) are only vulnerable to pairwise key reinstallations in the 4-way handshake when a forged message 1 is injected before sending a retransmitted message 3.

  6. ./krack-test-client.py --tptk-rand. Same as the above test, except that the forged message 1 contains a random ANonce.

  7. ./krack-test-client.py --gtkinit. This tests whether the client installs the group key in the 4-way handshake with the given receive sequence counter (RSC). The script will continuously execute new 4-way handshakes to test this. Unfortunately, this test can be rather unreliable, because any missed handshake messages cause synchronization issues. You should only execute this test in environments with little background noise, and execute it several times.

Some additional remarks:

  • The most important test is ./krack-test-client.py, which tests for ordinary key reinstallations in the 4-way handshake.

  • Perform these tests in a room with little interference. A high amount of packet loss will make this script less reliable!

  • Optionally you can manually inspect network traffic to confirm the output of the script (some Wi-Fi NICs may interfere with our scripts):

    • Use an extra Wi-Fi NIC in monitor mode to confirm that our script (the AP) sends out frames using the proper packet numbers (IVs). In particular, check whether replayed broadcast frames indeed are sent using an already used packet number (IV).

    • Use an extra Wi-Fi NIC in monitor mode to check pairwise key reinstalls by monitoring the IVs of frames sent by the client.

    • Capture traffic on the client to see if the replayed broadcast ARP requests are accepted or not.

  • If the client can use multiple Wi-Fi radios/NICs, perform the test using several Wi-Fi NICs.

  • You can add the --debug parameter for more debugging output.

  • All unrecognized parameters are passed on to hostapd, so you can include something like -dd -K to make hostapd output all debug info.

Correspondence to Wi-Fi Alliance tests

The Wi-Fi Alliance created a custom vulnerability detection tool based on our scripts. At the time of writing, this tool is only accessible to Wi-Fi Alliance members. Their tool supports several different tests, and these tests correspond to the functionality in our script as follows:

  • 4.1.1 (Plaintext retransmission of EAPOL Message 3). We currently do not support this test. This test is not necessary anyway. Make sure the device being tested passes test 4.1.3, and then it will also pass this test.

  • 4.1.2 (Immediate retransmission of EAPOL M3 in plaintext). We currently do not support this test. Again, make sure the device being tested passes test 4.1.3, and then it will also pass this test.

  • 4.1.3 (Immediate retransmission of encrypted EAPOL M3 during pairwise rekey handshake). This corresponds to ./krack-test-client.py, except that encrypted EAPOL M3 are sent periodically instead of immediately.

  • 4.1.5 (PTK reinstallation in 4-way handshake when STA uses Temporal PTK construction, same ANonce). Execute this test using ./krack-test-client.py --tptk.

  • 4.1.6 (PTK reinstallation in 4-way handshake when STA uses Temporal PTK construction, random ANonce). Execute this test using ./krack-test-client.py --tptk-rand.

  • 4.2.1 (Group key handshake vulnerability test on STA). Execute this test using ./krack-test-client.py --group.

  • 4.3.1 (Reinstallation of GTK and IGTK on STA supporting WNM sleep mode). We currently do not support this test (and neither does the Wi-Fi Alliance actually!).

Testing Access Points: Detecting a vulnerable FT Handshake (802.11r)

  1. Create a wpa_supplicant configuration file that can be used to connect to the network. A basic example is:

     ctrl_interface=/var/run/wpa_supplicant
     network={
       ssid="testnet"
       key_mgmt=FT-PSK
       psk="password"
     }
    

    Note the use of "FT-PSK". Save it as network.conf or similar. For more info see wpa_supplicant.conf.

  2. Try to connect to the network using your platform's wpa_supplicant. This will likely require a command such as:

     sudo wpa_supplicant -D nl80211 -i wlan0 -c network.conf
    

    If this fails, either the AP does not support FT, or you provided the wrong network configuration options in step 1. Note that if the AP does not support FT, it is not affected by this vulnerability.

  3. Use this script as a wrapper over the previous wpa_supplicant command:

     sudo su
     source venv/bin/activate
     ./krack-ft-test.py wpa_supplicant -D nl80211 -i wlan0 -c network.conf
    

    This will execute the wpa_supplicant command using the provided parameters, and will add a virtual monitor interface that will perform attack tests. It's important to first become root and then load the python virtual environment (see above how to create this virtual environment).

  4. Use wpa_cli to roam to a different AP of the same network. For example:

     wpa_cli -i wlan0
     > status
     bssid=c4:e9:84:db:fb:7b
     ssid=testnet
     ...
     > scan_results 
     bssid / frequency / signal level / flags / ssid
     c4:e9:84:db:fb:7b	2412  -21  [WPA2-PSK+FT/PSK-CCMP][ESS] testnet
     c4:e9:84:1d:a5:bc	2412  -31  [WPA2-PSK+FT/PSK-CCMP][ESS] testnet
     ...
     > roam c4:e9:84:1d:a5:bc
     ...
    

    In this example we were connected to AP c4:e9:84:db:fb:7b of testnet (see status command). The scan_results command shows this network also has a second AP with MAC c4:e9:84:1d:a5:bc. We then roam to this second AP.

  5. Generate traffic between the AP and client. For example:

     arping -I wlan0 192.168.1.10
    
  6. Now look at the output of ./krack-ft-test.py to see if the AP is vulnerable.

    1. First it should say "Detected FT reassociation frame". Then it will start replaying this frame to try the attack.
    2. The script shows which IVs (= packet numbers) the AP is using when sending data frames.
    3. The message "IV reuse detected (IV=X, seq=Y). AP is vulnerable!" means we confirmed it's vulnerable.

    Be sure to manually check network traces as well, to confirm this script is replaying the reassociation request properly, and to manually confirm whether there is IV (= packet number) reuse or not.

    Example output of vulnerable AP:

     [15:59:24] Replaying Reassociation Request
     [15:59:25] AP transmitted data using IV=1 (seq=0)
     [15:59:25] Replaying Reassociation Request
     [15:59:26] AP transmitted data using IV=1 (seq=0)
     [15:59:26] IV reuse detected (IV=1, seq=0). AP is vulnerable!
    

    Example output of patched AP (note that IVs are never reused):

     [16:00:49] Replaying Reassociation Request
     [16:00:49] AP transmitted data using IV=1 (seq=0)
     [16:00:50] AP transmitted data using IV=2 (seq=1)
     [16:00:50] Replaying Reassociation Request
     [16:00:51] AP transmitted data using IV=3 (seq=2)
     [16:00:51] Replaying Reassociation Request
     [16:00:52] AP transmitted data using IV=4 (seq=3)
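
The check in step 6, as an added example (not part of krack-ft-test.py or the original README): a small parser that reads saved script output in the format shown above and decides on IV reuse independently of the script's own verdict line. The function name, the result keys and the sample logs are constructed for this example; the log carries no retry flag, so a hit should still be confirmed against a capture as advised above.

```python
import re

# Constructed sample logs, modelled on the example output above.
VULNERABLE_LOG = """\
[15:59:24] Replaying Reassociation Request
[15:59:25] AP transmitted data using IV=1 (seq=0)
[15:59:25] Replaying Reassociation Request
[15:59:26] AP transmitted data using IV=1 (seq=0)
[15:59:26] IV reuse detected (IV=1, seq=0). AP is vulnerable!
"""

PATCHED_LOG = """\
[16:00:49] Replaying Reassociation Request
[16:00:49] AP transmitted data using IV=1 (seq=0)
[16:00:50] AP transmitted data using IV=2 (seq=1)
[16:00:50] Replaying Reassociation Request
[16:00:51] AP transmitted data using IV=3 (seq=2)
[16:00:51] Replaying Reassociation Request
[16:00:52] AP transmitted data using IV=4 (seq=3)
"""

# Constructed: the request was replayed but no traffic was generated (step 5 skipped).
NO_TRAFFIC_LOG = """\
[16:10:01] Replaying Reassociation Request
[16:10:02] Replaying Reassociation Request
"""

LINE_RE = re.compile(r"^\s*\[(\d{2}:\d{2}:\d{2})\]\s+(.*)$")
DATA_RE = re.compile(r"AP transmitted data using IV=(\d+) \(seq=(\d+)\)")


def analyse_ft_log(text):
    """Summarise saved krack-ft-test.py output (hypothetical helper).

    An IV counts as reused when, after at least one replayed reassociation
    request, the AP sends a data frame whose IV is not strictly greater than
    the highest IV seen so far.
    """
    result = {"replays": 0, "ivs": [], "reused": [], "script_flagged": False}
    highest_iv = None
    for raw in text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # ignore anything that is not a timestamped log line
        timestamp, message = line.groups()
        if message.startswith("Replaying Reassociation Request"):
            result["replays"] += 1
            continue
        if "IV reuse detected" in message:
            result["script_flagged"] = True  # the script's own verdict line
            continue
        data = DATA_RE.search(message)
        if not data:
            continue
        iv, seq = int(data.group(1)), int(data.group(2))
        result["ivs"].append(iv)
        if result["replays"] and highest_iv is not None and iv <= highest_iv:
            result["reused"].append((timestamp, iv, seq))
        highest_iv = iv if highest_iv is None else max(highest_iv, iv)

    if result["reused"]:
        result["verdict"] = "vulnerable"
    elif result["replays"] and len(result["ivs"]) >= 2:
        result["verdict"] = "no reuse seen"
    else:
        # Too few data frames to compare IVs: generate traffic and rerun.
        result["verdict"] = "inconclusive"
    return result


if __name__ == "__main__":
    samples = (("vulnerable AP", VULNERABLE_LOG),
               ("patched AP", PATCHED_LOG),
               ("no traffic", NO_TRAFFIC_LOG))
    for name, log in samples:
        summary = analyse_ft_log(log)
        print(f"{name}: {summary['verdict']} "
              f"(replays={summary['replays']}, IVs={summary['ivs']})")
```
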
    

Extra: Hardware Decryption

To confirm that hardware decryption is disabled, execute systool -vm ath9k_htc or similar after plugging in your Wi-Fi NIC to confirm the nohwcrypt/swcrypto/hwcrypto parameter has been set. Note that you must replace ath9k_htc with the kernel module for your wireless network card.

Extra: 5 GHz not supported

There's no official support for testing devices in the 5 GHz band.

If you nevertheless want to use the tool on 5 GHz channels, the network card being used must allow the injection of frames in the 5 GHz channel. Unfortunately, this is not always possible due to regulatory constraints. To see on which channels you can inject frames you can execute iw list and look under Frequencies for channels that are not marked as disabled, no IR, or radar detection. Note that these conditions may depend on your network card, the current configured country, and the AP you are connected to. For more information see, for example, the Arch Linux documentation.
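
The channel check described above, as an added example (not from the project): a parser for saved iw list output that separates channels carrying none of the three flags from those that carry at least one. The sample text is a constructed excerpt in the usual iw list layout, and the function name and the min_mhz parameter are assumptions of this example.

```python
import re

# Constructed excerpt in the layout printed by `iw list` (not real device output).
IW_LIST_SAMPLE = """\
Wiphy phy0
    Band 1:
        Frequencies:
            * 2412 MHz [1] (20.0 dBm)
            * 2437 MHz [6] (20.0 dBm)
            * 2472 MHz [13] (20.0 dBm) (no IR)
            * 2484 MHz [14] (disabled)
    Band 2:
        Frequencies:
            * 5180 MHz [36] (20.0 dBm) (no IR)
            * 5260 MHz [52] (20.0 dBm) (no IR, radar detection)
            * 5500 MHz [100] (disabled)
            * 5745 MHz [149] (20.0 dBm)
"""

# One frequency line: "* <freq> MHz [<channel>] (<power or flags>) ..."
# Some iw versions print the frequency with a decimal part, so allow one.
FREQ_RE = re.compile(r"^\s*\*\s+(\d+)(?:\.\d+)?\s+MHz\s+\[(\d+)\](.*)$")

# The three markings the text above says to look for.
BLOCKING_FLAGS = ("disabled", "no IR", "radar detection")


def injectable_channels(iw_list_output, min_mhz=0):
    """Split channels into usable and blocked (hypothetical helper).

    Returns (usable, blocked): usable is a list of (frequency_mhz, channel)
    with none of the blocking flags; blocked maps channel -> list of the
    flags that were found on it.
    """
    usable, blocked = [], {}
    for line in iw_list_output.splitlines():
        match = FREQ_RE.match(line)
        if not match:
            continue  # band headers, bitrates, capabilities, ...
        freq, channel, rest = int(match.group(1)), int(match.group(2)), match.group(3)
        if freq < min_mhz:
            continue
        # Every parenthesised group may hold a power value or a flag list.
        flags = []
        for group in re.findall(r"\(([^)]*)\)", rest):
            for item in group.split(","):
                item = item.strip()
                if item in BLOCKING_FLAGS:
                    flags.append(item)
        if flags:
            blocked[channel] = flags
        else:
            usable.append((freq, channel))
    return usable, blocked


if __name__ == "__main__":
    ok, bad = injectable_channels(IW_LIST_SAMPLE, min_mhz=5000)
    print("5 GHz channels without blocking flags:", ok)
    for channel, flags in sorted(bad.items()):
        print(f"channel {channel}: {', '.join(flags)}")
```

A channel reported as usable here can still be refused at injection time by the kernel check discussed in the next paragraph.
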

Note that the Linux kernel may not allow the injection of frames even though it is allowed to send normal frames. This is because in the function ieee80211_monitor_start_xmit the kernel refuses to inject frames when cfg80211_reg_can_beacon returns false. As a result, Linux may refuse to inject frames even though this is actually allowed. Making cfg80211_reg_can_beacon return true under the correct (or all) conditions prevents this bug. So you'll have to patch the Linux drivers so that cfg80211_reg_can_beacon always returns true, for instance, by manually patching the backport driver code.

Extra: Manual Tests

It's also possible to manually perform (more detailed) tests by cloning the hostap git repository:

git clone git://w1.fi/srv/git/hostap.git

And following the instructions in tests/cipher-and-key-mgmt-testing.txt.


krackattacks-scripts's Issues

How long or how many runs should I check to confirm it's patched?

Hi @vanhoefm
This is really great work! I had a device that claimed patched, and I verified with your instructions, but how long or how many runs should I check to confirm it's patched?

Here are several pieces from the log, does this mean that the patch failed?
./krack-test-client.py --tptk-rand
[10:11:43]
...
[10:55:59] 00:00:00:00:00:00: IV reuse detected (IV=1, seq=4). Client is vulnerable to pairwise key reinstallations in the 4-way handshake!

[11:57:03]
...
[14:12:22] 00:00:00:00:00:00: IV reuse detected (IV=3, seq=5). Client is vulnerable to pairwise key reinstallations in the 4-way handshake!

This piece shows up only once
./krack-test-client.py --group
[14:04:22]
...
[14:04:47] 00:00:00:00:00:00: Received 5 unique replies to replayed broadcast ARP requests. Client is vulnerable to group
[14:04:47] Key reinstallations in the group key handshake (or client accepts replayed broadcast frames)!

Thanks so much for guiding me.

krack-test-client.py not working

I have a problem with this script. I did the latest updates as well as installed recommended files but no go. Can I please ask for your assistance? Kindest regards and thank you for your hard work.

uname -a
Linux parrot 4.13.0-parrot4-amd64 #1 SMP Parrot 4.13.4-2parrot0 (2017-10-17) x86_64 GNU/Linux

/krack-test-client.py
Traceback (most recent call last):
File "./krack-test-client.py", line 612, in
attack.run(test_grouphs=test_grouphs, test_tptk=test_tptk)
File "./krack-test-client.py", line 461, in run
self.configure_interfaces()
File "./krack-test-client.py", line 443, in configure_interfaces
log(STATUS, "Note: disable Wi-Fi in network manager & disable hardware encryption. Both may interfere with this script.")
File "/home/parrot/Downloads/krackattacks-scripts-research/krackattack/libwifi.py", line 22, in log
print (datetime.now().strftime('[%H:%M:%S] ') if showtime else " "*11) + COLORCODES.get(color, "") + msg + "\033[1;0m"
NameError: global name 'datetime' is not defined
Error in atexit._run_exitfuncs:
Traceback (most recent call last):
File "/usr/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
func(*targs, **kargs)
File "./krack-test-client.py", line 542, in cleanup
attack.stop()
File "./krack-test-client.py", line 533, in stop
log(STATUS, "Closing hostapd and cleaning up ...")
File "/home/parrot/Downloads/krackattacks-scripts-research/krackattack/libwifi.py", line 22, in log
print (datetime.now().strftime('[%H:%M:%S] ') if showtime else " "*11) + COLORCODES.get(color, "") + msg + "\033[1;0m"
NameError: global name 'datetime' is not defined
Error in sys.exitfunc:
Traceback (most recent call last):
File "/usr/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
func(*targs, **kargs)
File "./krack-test-client.py", line 542, in cleanup
attack.stop()
File "./krack-test-client.py", line 533, in stop
log(STATUS, "Closing hostapd and cleaning up ...")
File "/home/parrot/Downloads/krackattacks-scripts-research/krackattack/libwifi.py", line 22, in log
print (datetime.now().strftime('[%H:%M:%S] ') if showtime else " "*11) + COLORCODES.get(color, "") + msg + "\033[1;0m"
NameError: global name 'datetime' is not defined

ctrl_iface not found

Hi,

Firstly, thanks for all your hard work.

I cannot make it run.

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:fd:30:4d brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 82371sec preferred_lft 82371sec
    inet6 fe80::a00:27ff:fefd:304d/64 scope link 
       valid_lft forever preferred_lft forever
6: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 04:f0:21:0e:35:cf brd ff:ff:ff:ff:ff:ff
nano hostapd.conf
# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
# management frames with the Host AP driver); wlan0 with many nl80211 drivers
# Note: This attribute can be overridden by the values supplied with the '-i'
# command line parameter.
interface=wlan0
uname -r
4.12.0-kali2-amd64

And this is what the script returns:

[15:24:49] Note: disable Wi-Fi in network manager & disable hardware encryption. Both may interfere with this script.
[15:24:50] Starting hostapd ...
Configuration file: ./hostapd.conf
Could not unlink existing ctrl_iface socket 'hostapd_ctrl/wlan0': No such file or directory
Failed to setup control interface for wlan0
wlan0: Unable to setup interface.
wlan0: interface state UNINITIALIZED->DISABLED
wlan0: AP-DISABLED 
hostapd_free_hapd_data: Interface wlan0 wasn't started
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
connect exception  hostapd_ctrl/wlan0 9877
[15:24:51] It seems hostapd did not start properly, please inspect its output.
[15:24:51] Did you disable Wi-Fi in the network manager? Otherwise hostapd won't work.

It looks like it is trying to open a UDP connection as the line 25 (wpaspy/wpaspy.py) raises an exception. Then the UDP connection with the ctrl_interface cannot be established. Could you help me?

krack- krack-ft-test.py error: IOError: [Errno 2] No such file or directory: 'hostapd.conf'

Hi,

when I run script krack-krack-ft-test.py in another dir than krackattacks-scripts/hostapd I get this error:

thomas@pc8-nb:~$ sudo Scripte/krackattacks-scripts/krackattack/krack-test-client.py 
[00:54:53] Failed to parse the hostapd.conf config file
Traceback (most recent call last):
  File "Scripte/krackattacks-scripts/krackattack/krack-test-client.py", line 602, in <module>
    interface = hostapd_read_config("hostapd.conf")
  File "Scripte/krackattacks-scripts/krackattack/krack-test-client.py", line 564, in hostapd_read_config
    with open(config) as fp:
IOError: [Errno 2] No such file or directory: 'hostapd.conf'

how to fix Successfully initialized wpa_supplicant wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD wlan0: No network configuration found for the current AP

my save file network.conf

ctrl_interface=/var/run/wpa_supplicant
network={
ssid="MY TEST AP"
key_mgmt=FT-PSK
psk="123456789"
}
I try to use:

sudo wpa_supplicant -D nl80211 -i wlan0 -c network.conf
Successfully initialized wpa_supplicant
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlan0: No network configuration found for the current AP
wlan0: CTRL-EVENT-DISCONNECTED bssid=b4:ee:b4:4c:1f:d4 reason=3 locally_generated=1
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlan0: No network configuration found for the current AP
wlan0: CTRL-EVENT-DISCONNECTED bssid=b4:ee:b4:4c:1f:d4 reason=3 locally_generated=1
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlan0: No network configuration found for the current AP
wlan0: CTRL-EVENT-DISCONNECTED bssid=b4:ee:b4:4c:1f:d4 reason=3 locally_generated=1
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
............
My AP network test password is 987654321.
I tried to use 123456789 to log in to the Wi-Fi and it does not work. Please help me with how to configure this for the next step.
Thanks a lot. @vanhoefm @insp3ctre @DanRobinsonHPE

ft-script reassociates with AP in a loop

OS: Kali

Wifi-Adapter:
TP-Link TL-WN821N v3 / TL-WN822N v2 802.11n [Atheros AR7010+AR9287]
Ralink Technology, Corp. RT5572 Wireless Adapter
Intel Corporation PRO/Wireless 3945ABG [Golan]

unblocked wifi and disabled hwcrypto

created working network.conf

sudo wpa_supplicant -D nl80211 -i wlan0 -c network.conf
works as expected, the client connects to the AP. I can use wpa_cli to roam between the 2 APs. arping is working fine.

sudo ./krack-ft-test.py wpa_supplicant -D nl80211 -i wlan0 -c network.conf
client connects to first AP
arping works
If I use wpa_cli to roam to the second AP I get the following log:
Authenticated WLAN station
Reassociated WLAN station
Fast transition for WLAN station
Connected WLAN station
Completed handover for WLAN station
Reassociated WLAN station
Fast transition for WLAN station
Connected WLAN station
Reassociated WLAN station
Fast transition for WLAN station
Connected WLAN station
Reassociated WLAN station
...

of course arping is not working anymore
All 3 Wifi-Adapters show the same behaviour.

Is there a way to fix this?

KRACK

sudo ./krack-ft-test.py wlp0s20u1 wlp020u2 Aamasoom --target 64:bc:0c:7e:d4:a8

[11:08:15] Failed to determine wireless interface. Specify one using the -i parameter.

a question about wpa_supplicant

my network.conf is
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="YunHeSiJi"
key_mgmt=FT-PSK
psk="password"
}
I have a little question.
Is this SSID the SSID I'm going to attack?
And doesn't the rest need to change?
When I execute "sudo wpa_supplicant -D nl80211 -i wlan0 -c network.conf" it goes wrong,
like this:
Successfully initialized wpa_supplicant
ctrl_iface exists and seems to be in use - cannot override it
Delete '/var/run/wpa_supplicant/wlan0' manually if it is not used anymore
Failed to initialize control interface '/var/run/wpa_supplicant'.
You may have another wpa_supplicant process already running or the file was
left by an unclean termination of wpa_supplicant in which case you will need
to manually remove this file before starting wpa_supplicant again.

And my network card is 8187.

hostapd_free_hapd_data: Interface wlan0 wasn't started

Hi,
after disabling Wifi (in network manager of XFCE4) I execute script krack-test-client.py.
However this script reports error that "hostapd did not start properly".

thomas@pc8-nb:~/Scripte/krackattacks-scripts/krackattack$ sudo ./krack-test-client.py 
[10:06:05] Note: disable Wi-Fi in network manager & disable hardware encryption. Both may interfere with this script.
[10:06:06] Starting hostapd ...
Configuration file: hostapd.conf
nl80211: Could not configure driver mode
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
nl80211 driver initialization failed.
wlan0: interface state UNINITIALIZED->DISABLED
wlan0: AP-DISABLED 
hostapd_free_hapd_data: Interface wlan0 wasn't started
connect exception  hostapd_ctrl/wlan0 9877
[10:06:07] It seems hostapd did not start properly, please inspect its output.
[10:06:07] Did you disable Wi-Fi in the network manager? Otherwise hostapd won't work.
Traceback (most recent call last):
  File "./krack-test-client.py", line 612, in <module>
    attack.run(test_grouphs=test_grouphs, test_tptk=test_tptk)
  File "./krack-test-client.py", line 474, in run
    self.hostapd_ctrl = Ctrl("hostapd_ctrl/" + self.nic_iface)
  File "/home/thomas/Scripte/krackattacks-scripts/krackattack/wpaspy.py", line 49, in __init__
    socket.SOCK_DGRAM)
socket.gaierror: [Errno -3] Temporary failure in name resolution
[10:06:07] Closing hostapd and cleaning up ...

I have identified kernel module iwlwifi:

thomas@pc8-nb:~/Scripte/krackattacks-scripts$ sudo modinfo iwlwifi
filename:       /lib/modules/4.13.0-kali1-amd64/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
license:        GPL
author:         Copyright(c) 2003- 2015 Intel Corporation <[email protected]>
description:    Intel(R) Wireless WiFi driver for Linux
firmware:       iwlwifi-100-5.ucode
firmware:       iwlwifi-1000-5.ucode
firmware:       iwlwifi-135-6.ucode
firmware:       iwlwifi-105-6.ucode
firmware:       iwlwifi-2030-6.ucode
firmware:       iwlwifi-2000-6.ucode
firmware:       iwlwifi-5150-2.ucode
firmware:       iwlwifi-5000-5.ucode
firmware:       iwlwifi-6000g2b-6.ucode
firmware:       iwlwifi-6000g2a-6.ucode
firmware:       iwlwifi-6050-5.ucode
firmware:       iwlwifi-6000-4.ucode
firmware:       iwlwifi-7265D-29.ucode
firmware:       iwlwifi-7265-17.ucode
firmware:       iwlwifi-3168-29.ucode
firmware:       iwlwifi-3160-17.ucode
firmware:       iwlwifi-7260-17.ucode
firmware:       iwlwifi-8265-33.ucode
firmware:       iwlwifi-8000C-33.ucode
firmware:       iwlwifi-9260-th-b0-jf-b0--33.ucode
firmware:       iwlwifi-9260-th-a0-jf-a0--33.ucode
firmware:       iwlwifi-9000-pu-a0-jf-b0--33.ucode
firmware:       iwlwifi-9000-pu-a0-jf-a0--33.ucode
firmware:       iwlwifi-Qu-a0-jf-b0--33.ucode
firmware:       iwlwifi-Qu-a0-hr-a0--33.ucode
alias:          pci:v00008086d00002720sv*sd00001080bc*sc*i*
[...]
alias:          pci:v00008086d00004232sv*sd00001201bc*sc*i*
depends:        cfg80211
intree:         Y
name:           iwlwifi
vermagic:       4.13.0-kali1-amd64 SMP mod_unload modversions 
parm:           swcrypto:using crypto in software (default 0 [hardware]) (int)
parm:           11n_disable:disable 11n functionality, bitmap: 1: full, 2: disable agg TX, 4: disable agg RX, 8 enable agg TX (uint)
parm:           amsdu_size:amsdu size 0: 12K for multi Rx queue devices, 4K for other devices 1:4K 2:8K 3:12K (default 0) (int)
parm:           fw_restart:restart firmware in case of error (default true) (bool)
parm:           antenna_coupling:specify antenna coupling in dB (default: 0 dB) (int)
parm:           nvm_file:NVM file name (charp)
parm:           d0i3_disable:disable d0i3 functionality (default: Y) (bool)
parm:           lar_disable:disable LAR functionality (default: N) (bool)
parm:           uapsd_disable:disable U-APSD functionality bitmap 1: BSS 2: P2P Client (default: 3) (uint)
parm:           bt_coex_active:enable wifi/bt co-exist (default: enable) (bool)
parm:           led_mode:0=system default, 1=On(RF On)/Off(RF Off), 2=blinking, 3=Off (default: 0) (int)
parm:           power_save:enable WiFi power management (default: disable) (bool)
parm:           power_level:default power save level (range from 1 - 5, default: 1) (int)
parm:           fw_monitor:firmware monitor - to debug FW (default: false - needs lots of memory) (bool)
parm:           d0i3_timeout:Timeout to D0i3 entry when idle (ms) (uint)
parm:           disable_11ac:Disable VHT capabilities (default: false) (bool)

thomas@pc8-nb:~/Scripte/krackattacks-scripts$ systool -vm iwlwifi
Module = "iwlwifi"

  Attributes:
    coresize            = "167936"
    initsize            = "0"
    initstate           = "live"
    refcnt              = "1"
    taint               = ""
    uevent              = <store method only>

  Parameters:
    11n_disable         = "0"
    amsdu_size          = "0"
    antenna_coupling    = "0"
    bt_coex_active      = "Y"
    d0i3_disable        = "Y"
    d0i3_timeout        = "1000"
    disable_11ac        = "N"
    fw_monitor          = "N"
    fw_restart          = "Y"
    lar_disable         = "N"
    led_mode            = "0"
    nvm_file            = "(null)"
    power_level         = "0"
    power_save          = "N"
    swcrypto            = "1"
    uapsd_disable       = "3"


How can I fix this?

THX

The result of "./krack-test-client.py" is two.

I run "./krack-test-client.py".

[01:56:53] 81:12:01:20:81:92: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[01:56:54] 81:12:01:20:81:92: sending broadcast ARP to 112.70.10.2 from 112.70.10.1
[01:56:55] 81:12:01:20:81:92: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[01:56:56] 81:12:01:20:81:92: sending broadcast ARP to 112.70.10.2 from 112.70.10.1
[01:56:56] 81:12:01:20:81:92: Received 5 unique replies to replayed broadcast ARP requests. Client is vulnerable to group
[01:56:56] key reinstallations in the 4-way handshake (or client accepts replayed broadcast frames)!
[01:56:57] 81:12:01:20:81:92: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[01:56:59] 81:12:01:20:81:92:Hostapd: Resetting Tx IV of group key and sending Msg3/4
[01:57:01] 81:12:01:20:81:92: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[01:57:03] 81:12:01:20:81:92: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[01:57:05] 81:12:01:20:81:92: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[01:57:07] 81:12:01:20:81:92:: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[01:57:07] 81:12:01:20:81:92: client DOESN'T seem vulnerable to pairwise key reinstallation in the 4-way handshake (using standard attack).
[01:57:09] 81:12:01:20:81:92: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[01:57:11] 81:12:01:20:81:92:Hostapd: Resetting Tx IV of group key and sending Msg3/4
[01:57:13] 81:12:01:20:81:92: Hostapd: Resetting Tx IV of group key and sending Msg3/4

What does this result mean?
Please help me

Other tests are unreliable due to all-zero key usage, please fix this first

Hi,

I am trying to update the wpa_supplicant version 2.5 with all the security advisories from http://git.yoctoproject.org/cgit.cgi/poky/commit/?h=krogoth&id=54e3f82bd77203c3d578e26c86506e6ef5c27000

I completed all three tests and they did not show any errors.
./krack-test-client.py
./krack-test-client.py --group
./krack-test-client.py --tptk

But when I execute the './krack-test-client.py --tptk-rand' test script, the following message appears.

[01:20:13] 00:25:ca:07:be:55: usage of all-zero key detected (IV=5, seq=8). Client is vulnerable to (re)installation of an all-zero key in the 4-way handshake!
[01:20:13] 00:25:ca:07:be:55: !!! Other tests are unreliable due to all-zero key usage, please fix this first !!!

Is this a normal phenomenon?

krackattacks-AP

I have connected to the AP, frames are detected, and the KRACK attack started using this script (./krack-ft-test.py). But I didn't get any "Replaying Reassociation Request" or "IV reuse detected (IV=1, seq=0). AP is vulnerable!" on the output screen. Can anyone explain this issue to me? Below is the terminal log.

Note: I am using WPA2-PSK security mode.

root@wipro123-Latitude-E5430-non-vPro:/home/wipro123/krackattacks-scripts/krackattack# ./krack-ft-test.py wpa_supplicant -D nl80211 -i wlp2s0 -c network.conf
[12:53:53] Note: disable Wi-Fi in your network manager so it doesn't interfere with this script
Successfully initialized wpa_supplicant
wlp2s0: SME: Trying to authenticate with 30:91:8f:7b:a8:47 (SSID='guru_5G' freq=5240 MHz)
wlp2s0: Trying to associate with 30:91:8f:7b:a8:47 (SSID='guru_5G' freq=5240 MHz)
[12:53:57] Detected Authentication frame, clearing client state
[12:53:57] Detected Authentication frame, clearing client state
[12:53:57] Detected normal association frame
wlp2s0: Associated with 30:91:8f:7b:a8:47
wlp2s0: WPA: Key negotiation completed with 30:91:8f:7b:a8:47 [PTK=CCMP GTK=CCMP]
wlp2s0: CTRL-EVENT-CONNECTED - Connection to 30:91:8f:7b:a8:47 completed [id=0 id_str=]
[12:53:57] AP transmitted data using IV=1 (seq=0)
[12:54:37] AP transmitted data using IV=382 (seq=1)
[12:54:38] AP transmitted data using IV=383 (seq=2)
[12:54:38] AP transmitted data using IV=384 (seq=3)
[12:54:38] AP transmitted data using IV=385 (seq=4)
[12:54:38] AP transmitted data using IV=386 (seq=5)
[12:54:39] AP transmitted data using IV=409 (seq=6)
[12:54:40] AP transmitted data using IV=440 (seq=7)
[12:54:41] AP transmitted data using IV=475 (seq=8)
[12:54:41] AP transmitted data using IV=490 (seq=9)

Help Wanted - FT-PSK not working, only WPA-PSK

I've been trying to connect to various wifi adaptors to test krack-ft, but no matter which ones I connect to I cannot use FT-PSK (fast roaming); only WPA-PSK seems to work.

I know my Wifi APs support 802.11r, so perhaps it's my wifi adaptor.

Wifi adaptor

```
phy0 wlan0mon ath9k_htc Atheros Communications, Inc. AR9271 802.11n
```

** Working configuration

```
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="BOM - Wireless WiFi"
    key_mgmt=WPA-PSK
    psk="XXXXXXXX"
}
```

** Non-working configuration

```
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="BOM - Wireless WiFi"
    key_mgmt=FT-PSK
    psk="XXXXXX"
}
```

** ERROR received

```
wlan0:    skip RSN IE - key mgmt mismatch
wlan0:    reject due to mismatch with WPA/WPA2
```

ImportError: No module named Cryptodome.Cipher

Hi,
As I was trying to run the script for the first time, ./krack-ft-test.py, the result is:
Traceback (most recent call last):
File "./krack-ft-test.py", line 11, in
from libwifi import *
File "/root/Desktop/krackattacks-scripts-research/krackattack/libwifi.py", line 6, in
from Cryptodome.Cipher import AES
ImportError: No module named Cryptodome.Cipher

I tried to update as described in the instructions, apt-get install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils python-scapy python-pycryptodome, and the result is:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package pkg-config is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Unable to locate package libnl-3-dev
E: Unable to locate package libnl-genl-3-dev
E: Package 'pkg-config' has no installation candidate
E: Unable to locate package libssl-dev
E: Unable to locate package sysfsutils
E: Unable to locate package python-pycryptodome

Does anyone know why this is happening?

FT-PSK Question

So I have the TPLINK WN722N and Kali Linux. Putting the key_mgmt=FT-PSK and running wpa_supplicant, it does nothing, all it says is Successfully initialized wpa_supplicant. Running wpa_cli and it just keeps scanning. Is this because the AP isn't broadcasting using FT?

how to fix error python2 krack-test-client.py Failed to get MAC address of wlan0.....

Please help me.
How do I fix this error when setting up the script on Ubuntu 16.04?
~/krackattacks-scripts/krackattack$ python2 krack-test-client.py
[10:48:07] Failed to get MAC address of wlan0. Specify an existing interface in hostapd.conf at the line "interface=NAME".
Traceback (most recent call last):
File "krack-test-client.py", line 615, in
attack = KRAckAttackClient()
File "krack-test-client.py", line 349, in init
self.apmac = scapy.arch.get_if_hwaddr(interface)
File "/usr/local/lib/python2.7/dist-packages/scapy-2.4.0rc4-py2.7.egg/scapy/arch/init.py", line 32, in get_if_hwaddr
addrfamily, mac = get_if_raw_hwaddr(iff)
File "/usr/local/lib/python2.7/dist-packages/scapy-2.4.0rc4-py2.7.egg/scapy/arch/linux.py", line 105, in get_if_raw_hwaddr
return struct.unpack("16xh6s8x",get_if(iff,SIOCGIFHWADDR))
File "/usr/local/lib/python2.7/dist-packages/scapy-2.4.0rc4-py2.7.egg/scapy/arch/common.py", line 22, in get_if
ifreq = ioctl(sck, cmd, struct.pack("16s16x", iff.encode("utf8")))
IOError: [Errno 19] No such device

And an error when using the command from the help option:
~/krackattacks-scripts/krackattack$ python2 krack-test-client.py --help

v4k@v4k:~/krackattacks-scripts/hostapd$ cd ../hostapd
v4k@v4k:~/krackattacks-scripts/hostapd$ cp defconfig .config
v4k@v4k:~/krackattacks-scripts/hostapd$ make -j 2
fatal: No names found, cannot describe anything.

Please help me fix this.
Thanks a lot.

krackattacks reports that a patched wpa_supplicant is still vulnerable

I am logging this ticket just as a precaution, to check whether this is a legitimate problem with krackattacks.

I ran krackattacks-test-client.py against a patched wpa_supplicant: wpa_supplicant version 2.6 with the 8 patches released here: "https://w1.fi/security/2017-1/"

The results were mixed. Krackattacks claimed the patched wpa_supplicant is not vulnerable to "pairwise key reinstallation" but is still vulnerable to "group key reinstallations".

I have contacted the wpa_supplicant working group. They recommend verifying the test tool. They also recommend that I look into our "DUT Wi-Fi driver/firmware not implementing CCMP replay protection correctly". Hopefully it is because of my Wi-Fi driver. But is there a chance that it might be because of krackattacks?

Here are the 2 reports from krackattacks:

[18:55:23] aa:bb:bb:dd:ee: client DOESN'T seem vulnerable to pairwise key reinstallation in the 4-way handshake (using standard attack).

[18:55:34] aa:bb:bb:dd:ee: Received 5 unique replies to replayed broadcast ARP requests. Client is vulnerable to group
[18:55:34] key reinstallations in the 4-way handshake (or client accepts replayed broadcast frames)!

My environment:

CPU: Freescale imx28
OS: linux 3.10.6 armv5tejl GNU/Linux
Wifi driver: rt2800usb

ATTENTION: Someone may be infringing your copyright.

Dear author:
I have read your paper in CSS 2017 and the source code in this repository. It's amazing.
Thanks for sharing.
But I have found a serious problem: there is a Chinese person named NoahhhRyan who claimed that he is the only Chinese person in your company to complete the project, and who put out an article on the most well-known Chinese security website, freebuf, on how he reproduced your work.
The GitHub page of his project is https://github.com/NoahhhRyan/krackattacks-test and the article he put out on the most well-known Chinese security website is www.freebuf.com/articles/wireless/153255.html.
Can you confirm that? Is he really the only Chinese engineer in your company? Or is he just infringing your copyright?

SSLstrip not redirecting traffic

Hi there! 1st of all, congrats on your research! Tremendous work!
2nd, I'm trying to replicate a MITM attack with sslstrip but can't quite figure it out. I have a Raspberry Pi 2 with a TL-WN722N USB Wi-Fi adapter (Kali Linux) and configured hostapd.conf to use the SSID and pre-shared key I'm trying to compromise (don't worry, it's for research purposes on my home network). I already did the echo 1 > /proc/sys/net/ipv4/ip_forward to enable redirect, but any device that connects to the rogue AP doesn't seem to be redirected after sslstrip is started. Can it be an iptables issue? Like iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 ?
Thanks in advance!

EDIT: Not after starting sslstrip, after starting the krack-test-client script!! It connects to the AP but there is no redirect to the internet...

Not able to see if I am vulnerable or not

Hi,
I successfully installed and configured the project. However, when I run krack-test-client.py, I am not able to see if I am vulnerable or not.

What am I doing wrong?

$ sudo ./krack-test-client.py
[10:36:51] Note: disable Wi-Fi in network manager & disable hardware encryption. Both may interfere with this script.
[10:36:53] Starting hostapd ...
Configuration file: /home/ubuntu/repos/krackattacks-scripts/krackattack/hostapd.conf
Using interface wlp58s0 with hwaddr d6:dd:87:14:c2:53 and ssid "testnetwork"
wlp58s0: interface state UNINITIALIZED->ENABLED
wlp58s0: AP-ENABLED 
[10:36:54] Ready. Connect to this Access Point to start the tests. Make sure the client requests an IP using DHCP!
wlp58s0: STA 00:0c:e7:02:86:dd IEEE 802.11: authenticated
wlp58s0: STA 00:0c:e7:02:86:dd IEEE 802.11: associated (aid 1)
[10:36:58] 00:0c:e7:02:86:dd: Hostapd: Resetting Tx IV of group key and sending Msg3/4
wlp58s0: AP-STA-CONNECTED 00:0c:e7:02:86:dd
wlp58s0: STA 00:0c:e7:02:86:dd RADIUS: starting accounting session 8A1EDD0CD73B9607
[10:37:00] 00:0c:e7:02:86:dd: Hostapd: already installing pairwise key
[10:37:00] 00:0c:e7:02:86:dd: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[10:37:02] 00:0c:e7:02:86:dd: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[10:37:02] 00:0c:e7:02:86:dd: DHCP reply 192.168.100.2 to 00:0c:e7:02:86:dd
[10:37:04] 00:0c:e7:02:86:dd: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[10:37:06] 00:0c:e7:02:86:dd: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[10:37:08] 00:0c:e7:02:86:dd: Hostapd: Resetting Tx IV of group key and sending Msg3/4
[10:37:10] 00:0c:e7:02:86:dd: Hostapd: Resetting Tx IV of group key and sending Msg3/4
...
[10:37:42] 00:0c:e7:02:86:dd: Hostapd: Resetting Tx IV of group key and sending Msg3/4

Same for krack-test-client.py --group

$ sudo ./krack-test-client.py --group
[10:42:39] Note: disable Wi-Fi in network manager & disable hardware encryption. Both may interfere with this script.
[10:42:40] Starting hostapd ...
Configuration file: /home/ubuntu/repos/krackattacks-scripts/krackattack/hostapd.conf
Using interface wlp58s0 with hwaddr d6:dd:87:14:c2:53 and ssid "testnetwork"
wlp58s0: interface state UNINITIALIZED->ENABLED
wlp58s0: AP-ENABLED 
[10:42:41] Hostapd: starting group key handshake tests
[10:42:41] Ready. Connect to this Access Point to start the tests. Make sure the client requests an IP using DHCP!
wlp58s0: STA 00:0c:e7:02:86:dd IEEE 802.11: authenticated
wlp58s0: STA 00:0c:e7:02:86:dd IEEE 802.11: associated (aid 1)
wlp58s0: AP-STA-CONNECTED 00:0c:e7:02:86:dd
wlp58s0: STA 00:0c:e7:02:86:dd RADIUS: starting accounting session 8E51ACE867ADC700
wlp58s0: STA 00:0c:e7:02:86:dd WPA: pairwise key handshake completed (RSN)
[10:42:47] 00:0c:e7:02:86:dd: DHCP reply 192.168.100.2 to 00:0c:e7:02:86:dd
wlp58s0: STA 00:0c:e7:02:86:dd WPA: group key handshake completed (RSN)
wlp58s0: STA 00:0c:e7:02:86:dd WPA: group key handshake completed (RSN)
wlp58s0: STA 00:0c:e7:02:86:dd WPA: group key handshake completed (RSN)
wlp58s0: STA 00:0c:e7:02:86:dd WPA: group key handshake completed (RSN)
wlp58s0: STA 00:0c:e7:02:86:dd WPA: group key handshake completed (RSN)
wlp58s0: STA 00:0c:e7:02:86:dd WPA: group key handshake completed (RSN)
wlp58s0: STA 00:0c:e7:02:86:dd WPA: group key handshake completed (RSN)
...
wlp58s0: STA 00:0c:e7:02:86:dd WPA: group key handshake completed (RSN)

Thanks in advance. :)

make -j 2 not working

How to solve this? I tried to follow the instructions in > /krack-test-client.py --help > cp defconfig .config make -j 2, but ended up with this:

root@authorized:~/krackattack/krackattack/hostapd# cp defconfig .config
root@authorized:~/krackattack/krackattack/hostapd# make -j 2
In file included from /root/krackattack/krackattack/src/utils/includes.h:19:0,
from main.c:9:
/root/krackattack/krackattack/src/utils/stdlib.h:33:10: fatal error: bits/wait.h: No such file or directory
#include <bits/wait.h>
^~~~~~~~~~~~~
compilation terminated.
Makefile:1036: recipe for target 'main.o' failed
make: *** [main.o] Error 1
make: *** Waiting for unfinished jobs....
In file included from /root/krackattack/krackattack/src/utils/includes.h:19:0,
from config_file.c:9:
/root/krackattack/krackattack/src/utils/stdlib.h:33:10: fatal error: bits/wait.h: No such file or directory
#include <bits/wait.h>
^~~~~~~~~~~~~
compilation terminated.
Makefile:1036: recipe for target 'config_file.o' failed
make: *** [config_file.o] Error 1

Some questions about the paper details

Firstly, thank you for providing this code and the paper. It's an amazing way to do MitM.
When I read the paper, I didn't understand one place, which is "will be encrypted with a nonce value of 1".
I know that "nonce" means a random number in a PC, but I can't get the whole meaning.
I hope for your reply. Thank you.

Group Key reinstall is vulnerable

I have merged all the official patches and it still reports vulnerable. Compared to others, it is because of the 5 unique ARP responses. Why is it deemed vulnerable when it responds to the ARP request? I have decrypted the frame; the broadcast frame uses the correct GTK, so it should be decrypted and answered. What is the purpose of judging it this way?
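
As an added illustration for the nonce question and the group-key reports above (not code from the project or from any poster): a toy model of the per-key packet-number counters, showing a reinstalled key transmitting again with nonce 1, and a reset or missing replay check accepting a replayed broadcast frame. The SHA-256 keystream stands in for CCMP, and `Station`, `KEY`, `nonce_reuse` and `replay_results` are names assumed for this sketch.

```python
import hashlib

KEY = bytes(range(16))                    # constructed 128-bit key
ARP = b"who-has 192.168.100.2 tell .254"  # constructed broadcast payload
P1 = b"first secret frame"                # constructed plaintexts,
P2 = b"other secret frame"                # both the same length


def keystream(key, pn, length):
    """Toy stand-in for CCMP: the keystream depends only on (key, pn)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + bytes([block])).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """One end of a link: a transmit nonce and a receive replay counter per key."""

    def __init__(self, patched, replay_check=True):
        self.patched = patched            # refuses to reinstall the key already in use
        self.replay_check = replay_check  # driver/firmware enforces the PN check
        self.key, self.tx_pn, self.rx_pn = None, 0, 0

    def install_key(self, key):
        if self.patched and key == self.key:
            return False                  # same key already installed: keep counters
        self.key, self.tx_pn, self.rx_pn = key, 0, 0
        return True

    def send(self, plaintext):
        self.tx_pn += 1                   # first frame after an install uses nonce 1
        return self.tx_pn, xor(plaintext, keystream(self.key, self.tx_pn, len(plaintext)))

    def receive(self, pn, ciphertext):
        if self.replay_check and pn <= self.rx_pn:
            return None                   # replayed or stale frame is dropped
        self.rx_pn = max(self.rx_pn, pn)
        return xor(ciphertext, keystream(self.key, pn, len(ciphertext)))


def nonce_reuse(patched):
    """Send two frames with a key reinstallation in between.

    Returns (nonce of frame 1, nonce of frame 2, whether c1 XOR c2 == p1 XOR p2).
    """
    sta = Station(patched)
    sta.install_key(KEY)
    pn1, c1 = sta.send(P1)
    sta.install_key(KEY)                  # retransmitted handshake message arrives
    pn2, c2 = sta.send(P2)
    return pn1, pn2, xor(c1, c2) == xor(P1, P2)


def replay_results(patched, replay_check=True):
    """Deliver one broadcast frame three times: fresh, replayed, replayed after reinstall."""
    ap = Station(patched=True)
    ap.install_key(KEY)
    client = Station(patched, replay_check)
    client.install_key(KEY)
    frame = ap.send(ARP)
    first = client.receive(*frame)
    replay_before = client.receive(*frame)
    client.install_key(KEY)               # group key delivered again
    replay_after = client.receive(*frame)
    return first, replay_before, replay_after


if __name__ == "__main__":
    print("vulnerable sender:", nonce_reuse(patched=False))
    print("patched sender:   ", nonce_reuse(patched=True))
    print("vulnerable client:", replay_results(patched=False))
    print("patched client:   ", replay_results(patched=True))
    print("patched, no PN check:", replay_results(patched=True, replay_check=False))
```

The last case is the one the log message's parenthesis covers: a supplicant that refuses the reinstall still answers replayed broadcast frames if the layer below it never enforces the packet-number check.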

Could not read interface flags: No such device

Thanks for your hard work, it's amazing.
And I have a little question, I run the script and find the following messages:

~/krackattacks-test/krackattack$ sudo wpa_supplicant -D nl80211 -i wlan0 -c network.conf
Successfully initialized wpa_supplicant
Could not read interface wlan0 flags: No such device
nl80211: Driver does not support authentication/association or connect commands
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
Could not read interface wlan0 flags: No such device
wlan0: Failed to initialize driver interface

My network.conf file is as follows:
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="Test"
key_mgmt=FT-PSK
psk="password"
}

And "Test" is my target SSID.
Why can't I accomplish my attack?

krack-ft-test.py issue in ubuntu 16.04

I completed all the necessary setup for the script and successfully tested krack-test-client.py; all works fine. But a problem arises when I start krack-ft-test. I followed all the instructions and created a configuration file with the following:

ctrl_interface=wpa_supplicant
network={
ssid="AndroidAP"
key_mgmt=FT-PSK
psk="dfbe542bab34"
}

My Android device has the patch for CVE-2017-13082.
The sequence which I follow is:

1-> ./disable-hwcrypto.sh then "rebooted "
systool -vm ath9k_htc gives me "nohwcript = 1"
2-> sudo wpa_supplicant -D nl80211 -i wlan0 -c network.conf
3-> sudo ./krack-ft-test.py wpa_supplicant -D nl80211 -i wlan0 -c network.conf

So far my PC does not connect to my Android device, so I manually tried to connect, but it keeps prompting me for the right password although the password is correct.
-> The output of step 2 is the following:

Successfully initialized wpa_supplicant
wlan0: No network configuration found for the current AP
wlan0: CTRL-EVENT-DISCONNECTED bssid=02:1a:11:f4:17:57 reason=3 locally_generated=1
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlan0: No network configuration found for the current AP
wlan0: CTRL-EVENT-DISCONNECTED bssid=02:1a:11:f4:17:57 reason=3 locally_generated=1
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD

-> at the same time output of step 3 is something like

[15:17:13] Detected normal association frame
[15:17:17] Detected normal association frame
[15:17:19] Detected normal association frame
[15:17:20] Detected normal association frame
[15:17:22] Detected normal association frame
[15:17:26] Detected normal association frame
[15:17:41] Detected normal association frame

wlan0mon interface is not work.

Thanks for your hard work, it's amazing.
And I have a little question.
I run the script and find the network options.

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.254  netmask 255.255.255.0  broadcast 192.168.100.255
        ether 5a:c0:50:d1:0d:b7  txqueuelen 1000  (Ethernet)
        RX packets 89733  bytes 2605444 (2.4 MiB)
        RX errors 0  dropped 577  overruns 0  frame 0
        TX packets 15196  bytes 2189361 (2.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The wlan0mon interface's packet count is zero.
I think the monitor interface (wlan0mon) is not seeing any packets. (I tried PING, PING, PING to the AP.)
Is this not a problem?

I only see the one message like this.

    [18:11:10] 00:11:22:33:44:55: Hostapd: Resetting Tx IV of group key and sending Msg3/4
    [18:11:12] 00:11:22:33:44:55: Hostapd: Resetting Tx IV of group key and sending Msg3/4
    [18:11:14] 00:11:22:33:44:55: Hostapd: Resetting Tx IV of group key and sending Msg3/4
    [18:11:16] 00:11:22:33:44:55: Hostapd: Resetting Tx IV of group key and sending Msg3/4

I use a WiFi USB Adapter AWUS036ACH.
Please, what can I do now?

Thank you.

key_mgmt=FT-PSK

My AP is WPA PSK. When I use FT-PSK in my config file, wlan0 can't associate to the AP.
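
The `key mgmt mismatch` rejection in the FT-PSK reports above comes down to which AKM suites the AP lists in its RSN element: wpa_supplicant only selects a BSS that advertises a suite the network block's `key_mgmt` allows. As an added example (not code from the project or from wpa_supplicant), this parser pulls the AKM list out of constructed RSN elements and applies a simplified form of that match; `build_rsn`, `parse_rsn_akms` and `bss_matches` are hypothetical names.

```python
import struct

RSN_ELEMENT_ID = 48
RSN_OUI = bytes.fromhex("000fac")
# IEEE 802.11 AKM suite types under OUI 00-0F-AC, with wpa_supplicant's key_mgmt names.
AKM_NAMES = {1: "WPA-EAP", 2: "WPA-PSK", 3: "FT-EAP", 4: "FT-PSK",
             5: "WPA-EAP-SHA256", 6: "WPA-PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
DEFAULT_AKMS = ["WPA-EAP"]   # 802.11 default when the AKM list is omitted


def build_rsn(akm_types):
    """Construct a sample RSN element: CCMP group and pairwise ciphers, given AKM types."""
    body = struct.pack("<H", 1)                           # version
    body += RSN_OUI + b"\x04"                             # group cipher: CCMP
    body += struct.pack("<H", 1) + RSN_OUI + b"\x04"      # one pairwise cipher: CCMP
    body += struct.pack("<H", len(akm_types))
    body += b"".join(RSN_OUI + bytes([t]) for t in akm_types)
    body += struct.pack("<H", 0)                          # RSN capabilities
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def _take(body, offset, n):
    """Return n bytes at offset and the new offset, refusing to read past the end."""
    if offset + n > len(body):
        raise ValueError("truncated RSN element")
    return body[offset:offset + n], offset + n


def parse_rsn_akms(element):
    """Return the AKM suites of an RSN element as key_mgmt-style names."""
    if len(element) < 2 or element[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = element[2:2 + element[1]]
    if len(body) != element[1]:
        raise ValueError("truncated RSN element")
    version, off = _take(body, 0, 2)
    if struct.unpack("<H", version)[0] != 1:
        raise ValueError("unsupported RSN version")
    # Every field after the version is optional; the element may stop at any boundary.
    if off == len(body):
        return list(DEFAULT_AKMS)
    _, off = _take(body, off, 4)                          # group cipher suite
    if off == len(body):
        return list(DEFAULT_AKMS)
    count, off = _take(body, off, 2)                      # pairwise cipher list
    _, off = _take(body, off, 4 * struct.unpack("<H", count)[0])
    if off == len(body):
        return list(DEFAULT_AKMS)
    count, off = _take(body, off, 2)                      # AKM suite list
    akms = []
    for _ in range(struct.unpack("<H", count)[0]):
        suite, off = _take(body, off, 4)
        if suite[:3] == RSN_OUI and suite[3] in AKM_NAMES:
            akms.append(AKM_NAMES[suite[3]])
        else:
            akms.append("%s:%d" % (suite[:3].hex(), suite[3]))
    return akms


def bss_matches(element, configured_key_mgmt):
    """Simplified selection rule: some advertised AKM must be allowed by key_mgmt."""
    allowed = set(configured_key_mgmt.split())
    return bool(allowed & set(parse_rsn_akms(element)))


if __name__ == "__main__":
    psk_only = build_rsn([2])        # constructed: AP without 802.11r on this SSID
    psk_and_ft = build_rsn([2, 4])   # constructed: AP advertising PSK and FT-PSK
    for name, ie in (("PSK only", psk_only), ("PSK + FT-PSK", psk_and_ft)):
        print(name, parse_rsn_akms(ie),
              "FT-PSK ok" if bss_matches(ie, "FT-PSK") else "key mgmt mismatch")
```

Checking the AKM list in the AP's beacon or probe response this way separates "the AP does not offer FT on this SSID" from an adapter or driver problem.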

Replaying reassociate request failed on 5G

I have tested successfully on my AP's 2.4G band, following your tools and the WFA tool 👍
Then I tried to test my AP's 5G band for the FT vulnerability, following your guide; everything is OK.

The console shows Replaying reassociate request all the time.
I use a sniffer to sniff the reassociate request, but I cannot see it; I can see it in the 2.4G case.

This issue appeared on both AR9462 and Intel3165.

Thank you!

issue with running test-client in 5GHz mode

Has anyone been able to run the test client in 5GHz mode? I changed the hw_mode=a and Channel =36 in hostapd.conf.

I also ensured that 5GHz is supported on my computers, two different ones running Intel/AC 7265 (iwlwifi) and Killer 1535 / QCA6174 (ath10k_pci). I am testing on Ubuntu 16.04 x86_64.

Both of them give the following error:
IEEE 802.11 Configured channel (36) not found from the channel list of current mode (2) IEEE 802.11a

I am trying to test a device which has a 5GHz-only radio and haven't had success with the Wi-Fi Alliance test tool or with krackattacks-scripts, on which the Alliance tool is based.

Any help or direction on this topic is appreciated. I hope I am not missing something simple in my configuration.

I am trying various combinations in the hostapd conf, but getting nowhere so far. I will keep the thread posted if there are any updates ...

Here is the error I am running into:

[17:23:15] Note: disable Wi-Fi in network manager & disable hardware encryption. Both may interfere with this script.
[17:23:15] Starting hostapd ...
Configuration file: /home/test/krackattacks-scripts/krackattack/hostapd.conf
wlp2s0: IEEE 802.11 Configured channel (36) not found from the channel list of current mode (2) IEEE 802.11a
wlp2s0: IEEE 802.11 Hardware does not support configured channel
Could not select hw_mode and channel. (-3)
wlp2s0: interface state UNINITIALIZED->DISABLED
wlp2s0: AP-DISABLED
wlp2s0: Unable to setup interface.
wlp2s0: interface state DISABLED->DISABLED
wlp2s0: AP-DISABLED
hostapd_free_hapd_data: Interface wlp2s0 wasn't started
nl80211: deinit ifname=wlp2s0 disabled_11b_rates=0
connect exception hostapd_ctrl/wlp2s0 9877
[17:23:16] It seems hostapd did not start properly, please inspect its output.
[17:23:16] Did you disable Wi-Fi in the network manager? Otherwise hostapd won't work.
Traceback (most recent call last):
  File "./krack-test-client.py", line 617, in <module>
    attack.run(test_grouphs=test_grouphs, test_tptk=test_tptk)
  File "./krack-test-client.py", line 488, in run
    self.hostapd_ctrl = Ctrl("hostapd_ctrl/" + self.nic_iface)
  File "/home/test/krackattacks-scripts/krackattack/wpaspy.py", line 49, in __init__
    socket.SOCK_DGRAM)
socket.gaierror: [Errno -3] Temporary failure in name resolution
[17:23:16] Closing hostapd and cleaning up ...

How to make AP work on 5GHz?

I want to test my client which only connects to Access Points operating on 5GHz. Can I tweak the script to make AP work on 5GHz?

Thanks!

Error detecting vulnerability

./krack-test-client.py
Traceback (most recent call last):
File "./krack-test-client.py", line 12, in
from libwifi import *
File "/home/nicolas/krackattacks-scripts/krackattack/libwifi.py", line 6, in
from Cryptodome.Cipher import AES
ImportError: No module named Cryptodome.Cipher

I have this error what is the problem???

root@Alex:~/Downloads/krackattacks-scripts-research/krackattack# sudo ./krack-ft-test.py
Traceback (most recent call last):
File "./krack-ft-test.py", line 10, in
from scapy.all import *
File "/usr/local/lib/python2.7/dist-packages/scapy/all.py", line 10, in
from .config import *
File "/usr/local/lib/python2.7/dist-packages/scapy/config.py", line 11, in
from .data import *
File "/usr/local/lib/python2.7/dist-packages/scapy/data.py", line 184, in
TCP_SERVICES,UDP_SERVICES=load_services("/etc/services")
File "/usr/local/lib/python2.7/dist-packages/scapy/data.py", line 109, in load_services
f=open(filename, errors='ignore')
TypeError: 'errors' is an invalid keyword argument for this function

How to identify kernel module

Hi,
My understanding is that I need to disable hardware encryption, and therefore the kernel module must be known.
I'm testing on a Lenovo T410 and have identified these network cards:
lspci -nn | grep Network
00:19.0 Ethernet controller [0200]: Intel Corporation 82577LM Gigabit Network Connection [8086:10ea] (rev 06)
03:00.0 Network controller [0280]: Intel Corporation Centrino Advanced-N 6200 [8086:4239] (rev 35)

How can I identify the relevant kernel module for this network card "Intel Corporation Centrino Advanced-N 6200"?

THX

./krack-ft-test.py Problem

What must I do?
Traceback (most recent call last):
File "./krack-ft-test.py", line 11, in
from libwifi import *
File "/root/Masaüstü/krackattacks-scripts/krackattack/libwifi.py", line 6, in
from Cryptodome.Cipher import AES
File "/usr/lib/python2.7/dist-packages/Cryptodome/Cipher/init.py", line 3, in
from Cryptodome.Cipher._mode_ecb import _create_ecb_cipher
File "/usr/lib/python2.7/dist-packages/Cryptodome/Cipher/_mode_ecb.py", line 29, in
from Cryptodome.Util._raw_api import (load_pycryptodome_raw_lib,
File "/usr/lib/python2.7/dist-packages/Cryptodome/Util/_raw_api.py", line 106, in
Array = ffi.new("uint8_t[1]").class.bases
File "/usr/local/lib/python2.7/dist-packages/cffi/api.py", line 249, in new
cdecl = self._typeof(cdecl)
File "/usr/local/lib/python2.7/dist-packages/cffi/api.py", line 169, in _typeof
result = self._typeof_locked(cdecl)
File "/usr/local/lib/python2.7/dist-packages/cffi/api.py", line 154, in _typeof_locked
type = self._parser.parse_type(cdecl)
File "/usr/local/lib/python2.7/dist-packages/cffi/cparser.py", line 461, in parse_type
return self.parse_type_and_quals(cdecl)[0]
File "/usr/local/lib/python2.7/dist-packages/cffi/cparser.py", line 464, in parse_type_and_quals
ast, macros = self._parse('void __dummy(\n%s\n);' % cdecl)[:2]
File "/usr/local/lib/python2.7/dist-packages/cffi/cparser.py", line 271, in _parse
self.convert_pycparser_error(e, csource)
File "/usr/local/lib/python2.7/dist-packages/cffi/cparser.py", line 300, in convert_pycparser_error
raise CDefError(msg)
cffi.error.CDefError: cannot parse "typedef int uint8_t;"
:1:13: before: uint8_t

How to execute an attack

Good day sir! Can you help me how to execute your script to attack and cracked password of a wifi sir?

disable-hwcrypto.sh fails to unload iwlwifi

The iwlwifi driver is depended upon by the module iwldvm, which can cause disable-hwcrypto.sh to silently fail to unload the iwlwifi driver.

Running rmmod iwldvm prior to disable-hwcrypto.sh results in the script working as expected.

It may be helpful for disable-hwcrypto.sh to output errors besides Module [...] is not currently loaded so users can take the appropriate action. Alternatively, the README could be updated to include notes on Wi-Fi adapters that require additional steps such as removing another module, or disable-hwcrypto.sh could attempt to parse errors such as Module [...] is in use by: [...] and take the appropriate action automatically. Are there any thoughts as to the best approach?

Output of lspci and lsmod for reference:

00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor DRAM Controller (rev 06)
00:01.0 PCI bridge: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor PCI Express x16 Controller (rev 06)
00:02.0 VGA compatible controller: Intel Corporation 4th Gen Core Processor Integrated Graphics Controller (rev 06)
00:03.0 Audio device: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor HD Audio Controller (rev 06)
00:14.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family USB xHCI (rev 04)
00:16.0 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 (rev 04)
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection I217-LM (rev 04)
00:1a.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family USB EHCI #2 (rev 04)
00:1b.0 Audio device: Intel Corporation 8 Series/C220 Series Chipset High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #1 (rev d4)
00:1c.2 PCI bridge: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #3 (rev d4)
00:1c.4 PCI bridge: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #5 (rev d4)
00:1c.5 PCI bridge: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #6 (rev d4)
00:1c.6 PCI bridge: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #7 (rev d4)
00:1c.7 PCI bridge: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #8 (rev d4)
00:1d.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family USB EHCI #1 (rev 04)
00:1f.0 ISA bridge: Intel Corporation QM87 Express LPC Controller (rev 04)
00:1f.2 RAID bus controller: Intel Corporation 82801 Mobile SATA Controller [RAID mode] (rev 04)
00:1f.3 SMBus: Intel Corporation 8 Series/C220 Series Chipset Family SMBus Controller (rev 04)
01:00.0 Display controller: Advanced Micro Devices, Inc. [AMD/ATI] Sun XT [Radeon HD 8670A/8670M/8690M / R5 M330 / M430] (rev ff)
03:00.0 Network controller: Intel Corporation Centrino Advanced-N 6235 (rev 24)
0e:00.0 SD Host controller: O2 Micro, Inc. SD/MMC Card Reader Controller (rev 01)

Module                  Size  Used by
iwldvm                135168  0
iwlwifi               167936  1 iwldvm
nls_ascii              16384  2
nls_cp437              20480  2
vfat                   20480  2
fat                    65536  1 vfat
fuse                   98304  3
binfmt_misc            20480  1
intel_rapl             20480  0
x86_pkg_temp_thermal    16384  0
intel_powerclamp       16384  0
ppdev                  20480  0
coretemp               16384  0
arc4                   16384  2
mac80211              659456  1 iwldvm
kvm_intel             196608  0
uvcvideo               90112  0
kvm                   577536  1 kvm_intel
videobuf2_vmalloc      16384  1 uvcvideo
videobuf2_memops       16384  1 videobuf2_vmalloc
videobuf2_v4l2         24576  1 uvcvideo
videobuf2_core         36864  2 uvcvideo,videobuf2_v4l2
iTCO_wdt               16384  0
videodev              167936  3 uvcvideo,videobuf2_core,videobuf2_v4l2
cfg80211              598016  3 iwlwifi,mac80211,iwldvm
iTCO_vendor_support    16384  1 iTCO_wdt
dell_laptop            20480  0
dell_smm_hwmon         16384  0
irqbypass              16384  1 kvm
crct10dif_pclmul       16384  0
crc32_pclmul           16384  0
media                  40960  2 uvcvideo,videodev
ghash_clmulni_intel    16384  0
intel_cstate           16384  0
intel_uncore          122880  0
btusb                  45056  0
intel_rapl_perf        16384  0
btrtl                  16384  1 btusb
snd_soc_rt5640        118784  0
btbcm                  16384  1 btusb
btintel                16384  1 btusb
dell_wmi               16384  0
bluetooth             540672  5 btrtl,btintel,btbcm,btusb
joydev                 20480  0
dell_smbios            16384  2 dell_wmi,dell_laptop
pcspkr                 16384  0
dcdbas                 16384  1 dell_smbios
serio_raw              16384  0
sparse_keymap          16384  1 dell_wmi
wmi_bmof               16384  0
sg                     32768  0
mei_me                 40960  0
mei                    98304  1 mei_me
battery                20480  0
snd_soc_rl6231         16384  1 snd_soc_rt5640
snd_hda_codec_realtek    94208  1
parport_pc             28672  0
snd_soc_core          217088  1 snd_soc_rt5640
snd_hda_codec_hdmi     49152  1
parport                49152  2 parport_pc,ppdev
dw_dmac                16384  0
snd_hda_codec_generic    69632  1 snd_hda_codec_realtek
dell_smo8800           16384  0
snd_soc_sst_acpi       16384  0
snd_soc_sst_match      16384  1 snd_soc_sst_acpi
dw_dmac_core           24576  1 dw_dmac
elan_i2c               36864  0
snd_hda_intel          36864  4
dell_rbtn              16384  1
snd_compress           20480  1 snd_soc_core
drbg                   28672  1
spi_pxa2xx_platform    24576  0
snd_hda_codec         126976  4 snd_hda_intel,snd_hda_codec_hdmi,snd_hda_codec_generic,snd_hda_codec_realtek
ac                     16384  0
evdev                  24576  16
ansi_cprng             16384  0
ecdh_generic           24576  1 bluetooth
rfkill                 24576  7 bluetooth,dell_laptop,dell_rbtn,cfg80211
crc16                  16384  1 bluetooth
snd_hda_core           77824  5 snd_hda_intel,snd_hda_codec,snd_hda_codec_hdmi,snd_hda_codec_generic,snd_hda_codec_realtek
snd_hwdep              16384  1 snd_hda_codec
ie31200_edac           16384  0
snd_pcm                98304  6 snd_hda_intel,snd_hda_codec,snd_hda_core,snd_soc_rt5640,snd_hda_codec_hdmi,snd_soc_core
lpc_ich                24576  0
mfd_core               16384  1 lpc_ich
snd_timer              32768  1 snd_pcm
snd                    77824  18 snd_compress,snd_hda_intel,snd_hwdep,snd_hda_codec,snd_timer,snd_hda_codec_hdmi,snd_hda_codec_generic,snd_hda_codec_realtek,snd_soc_core,snd_pcm
shpchp                 36864  0
soundcore              16384  1 snd
ip_tables              24576  0
x_tables               36864  1 ip_tables
autofs4                40960  2
squashfs               53248  1
loop                   28672  2
overlay                65536  1
nls_utf8               16384  1
isofs                  40960  1
sr_mod                 24576  0
cdrom                  61440  1 sr_mod
sd_mod                 49152  4
uas                    24576  0
usb_storage            69632  4 uas
crc32c_intel           24576  0
aesni_intel           188416  0
aes_x86_64             20480  1 aesni_intel
crypto_simd            16384  1 aesni_intel
cryptd                 24576  3 crypto_simd,ghash_clmulni_intel,aesni_intel
glue_helper            16384  1 aesni_intel
psmouse               143360  0
ahci                   36864  0
libahci                32768  1 ahci
libata                237568  2 ahci,libahci
scsi_mod              212992  6 sd_mod,usb_storage,libata,uas,sr_mod,sg
i2c_i801               24576  0
sdhci_pci              28672  0
ehci_pci               16384  0
ehci_hcd               81920  1 ehci_pci
e1000e                241664  0
ptp                    20480  1 e1000e
pps_core               20480  1 ptp
i915                 1556480  17
radeon               1454080  1
xhci_pci               16384  0
i2c_algo_bit           16384  2 radeon,i915
xhci_hcd              208896  1 xhci_pci
drm_kms_helper        151552  2 radeon,i915
ttm                    94208  1 radeon
usbcore               245760  8 uvcvideo,usb_storage,ehci_hcd,xhci_pci,btusb,uas,xhci_hcd,ehci_pci
usb_common             16384  1 usbcore
drm                   348160  8 radeon,i915,ttm,drm_kms_helper
thermal                20480  0
wmi                    24576  2 dell_wmi,wmi_bmof
i2c_hid                20480  0
video                  40960  3 dell_wmi,dell_laptop,i915
hid                   118784  1 i2c_hid
sdhci_acpi             16384  0
sdhci                  45056  2 sdhci_pci,sdhci_acpi
mmc_core              139264  3 sdhci,sdhci_pci,sdhci_acpi
i2c_designware_platform    16384  0
i2c_designware_core    20480  1 i2c_designware_platform
button                 16384  1 i915

krack-test-client.py does not report result

This script successfully starts the Wi-Fi AP. Then I connect my phone to it and can't get a result even after ~20 minutes.
Only a lot of lines like this:

[15:34:10] 00:11:22:33:44:55: Hostapd: Resetting Tx IV of group key and sending Msg3/4

802.1x

Does this work with WPA2 (802.1x), which requires a login/password?

[14:38:00] Note: disable Wi-Fi in network manager & disable hardware encryption. Both may interfere with this script.

Hi:

I am testing krack-test-client.py but it doesn't work for me :(.

I have a TL-WN722N v1. I have Kali 2017.1. I followed the instructions in the same order without success, and of course I executed disable-hwcrypto.sh.

This is my current error, any idea?

root@kal:~/krackattacks-scripts/krackattack# ./krack-test-client.py
[14:38:00] Note: disable Wi-Fi in network manager & disable hardware encryption. Both may interfere with this script.
Traceback (most recent call last):
  File "./krack-test-client.py", line 617, in <module>
    attack.run(test_grouphs=test_grouphs, test_tptk=test_tptk)
  File "./krack-test-client.py", line 472, in run
    self.configure_interfaces()
  File "./krack-test-client.py", line 457, in configure_interfaces
    subprocess.check_output(["rfkill", "unblock", "wifi"])
  File "/usr/lib/python2.7/subprocess.py", line 212, in check_output
    process = Popen(stdout=PIPE, *popenargs, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 390, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1024, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory
[14:38:00] Closing hostapd and cleaning up ...

Thanks a lot
Best Regards
Perico
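The traceback in the report above ends in `OSError: [Errno 2]` raised from `Popen` for `["rfkill", "unblock", "wifi"]`, which is what Python raises when the executable itself cannot be found. The following is an added example, not code from the project or from the post: a preflight check that separates a missing tool from a tool that ran and failed. Only `rfkill` comes from the traceback; the other tool names and all function names are assumptions.

```python
import shutil
import subprocess

# "rfkill" is taken from the traceback above; the remaining names are
# assumptions chosen for illustration, not the project's dependency list.
REQUIRED_TOOLS = ["rfkill", "iw", "ifconfig"]


def missing_tools(tools=REQUIRED_TOOLS, path=None):
    """Return the tools that cannot be resolved on PATH (or on `path`)."""
    return [tool for tool in tools if shutil.which(tool, path=path) is None]


def run_tool(argv):
    """Run argv and classify the outcome as (status, detail).

    status is "ok", "missing" (executable not found, the Errno 2 case),
    "denied" (file exists but cannot be executed) or "failed" (the tool
    ran and returned a non-zero exit code).
    """
    try:
        out = subprocess.check_output(argv, stderr=subprocess.STDOUT)
        return ("ok", out.decode(errors="replace"))
    except FileNotFoundError:
        return ("missing", "%s is not installed or not on PATH" % argv[0])
    except PermissionError:
        return ("denied", "%s exists but is not executable" % argv[0])
    except subprocess.CalledProcessError as exc:
        detail = exc.output.decode(errors="replace").strip()
        return ("failed", "exit %d: %s" % (exc.returncode, detail))


if __name__ == "__main__":
    absent = missing_tools()
    if absent:
        print("Install these before running the test script:", ", ".join(absent))
    else:
        print(run_tool(["rfkill", "unblock", "wifi"]))
```
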

Failed to determine wireless interface

root@pi3:~/krackattacks-test-ap-ft# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.0.8  netmask 255.255.255.0  broadcast 10.10.0.255
        inet6 fe80::9263:99c9:27f0:57d1  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:a4:28:32  txqueuelen 1000  (Ethernet)
        RX packets 3027  bytes 1064986 (1.0 MiB)
        RX errors 0  dropped 3  overruns 0  frame 0
        TX packets 3399  bytes 747832 (730.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether b8:27:eb:f1:7d:67  txqueuelen 1000  (Ethernet)
        RX packets 5  bytes 739 (739.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18  bytes 2362 (2.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@pi3:~/krackattacks-test-ap-ft# ./krack-ft-test.py wlan0 loskiq --target 6C:3B:6B:14:57:61
[10:02:29] Failed to determine wireless interface. Specify one using the -i parameter.
root@pi3:~/krackattacks-test-ap-ft#

What am I doing wrong?

is not at POC

Sorry for my English, well what is a proof of concept? It is a script which displays messages about the alleged vulnerability or invulnerability of a particular device, perhaps this script displays false reports and possibly not if you decided to pay (proof of concept) I had to pay for what was provided in the demo video and not this crap, or the other could not spread and silent to blackmail vendors for some sort of redemption, and so I think that you raised a fuss on an empty place not allowing consumers to see for themselves the vulnerabilities of their devices.

Video How to run script.

Hi guys, can someone make a video on how to use the /krackattacks-scripts/krackattack script? I tried but got some errors.
