wi driver reads wrong first 8 bytes when in monitor mode in data packets
Andrea Bittau (sorbo)
sorbox at yahoo.com
Wed Nov 26 05:15:11 PST 2003
If I am not wrong, it seems that the wi driver, when in monitor mode, will skip
8 bytes of data input (filling it in with random values).
We notice in if_wi.c:

	case 7:
		switch (rx_frame->wi_whdr.i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
		case IEEE80211_FC0_TYPE_DATA:
			hdrlen = WI_DATA_HDRLEN;
Data is then read according to the hdrlen offset:

	if (wi_read_bap(sc, fid, hdrlen, mtod(m, caddr_t) + hdrlen,
	    datlen + 2) == 0) {
In if_wavelan_ieee.h:

	#define WI_DATA_HDRLEN		0x44
	#define WI_MGMT_HDRLEN		0x3C
	#define WI_CTL_HDRLEN		0x3C
We notice that data frames seem to have an extra 8-byte "header".
We then notice:
	/*
	 * all data packets have a snap (sub-network access protocol) header that
	 * isn't entirely defined, but added for ethernet compatibility.
	 */
	struct wi_snap_frame {
		u_int16_t	wi_dat[3];
		u_int16_t	wi_type;
	};

(It is 8 bytes.)
It seems as if the llc/snap is treated as an "802.11 header" per se and not actual data. (Maybe this was the mentality of the developers.)
Under "normal" circumstances this is ok, since many people do not care about snap/llc when in monitor mode. In fact, the ip header will be just fine.
However, when auditing wep, those 8 bytes are crucial (since the first 3+1 bytes contain IV information), and the first few bytes of ciphertext are normally used in known plaintext attacks. In fact, bsd-airtools will probably not work at all.
I am running:

	FreeBSD tribal.sorbonet.org 5.2-BETA FreeBSD 5.2-BETA #5: Wed Nov 26 05:24:11 GMT 2003 root at tribal.sorbonet.org:/usr/obj/usr/src/sys/SORBO i386
A very basic patch which seems to work is:
if_wavelan_ieee.h.diff:
********** CUT ********************
*** if_wavelan_ieee.h.orig Wed Nov 26 06:00:58 2003
--- if_wavelan_ieee.h Wed Nov 26 05:08:08 2003
***************
*** 466,472 ****
u_int8_t wi_src_addr[6];
u_int16_t wi_len;
};
! #define WI_DATA_HDRLEN 0x44
#define WI_MGMT_HDRLEN 0x3C
#define WI_CTL_HDRLEN 0x3C
--- 466,472 ----
u_int8_t wi_src_addr[6];
u_int16_t wi_len;
};
! #define WI_DATA_HDRLEN 0x3C
#define WI_MGMT_HDRLEN 0x3C
#define WI_CTL_HDRLEN 0x3C
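Review bot: the hunk changes the global WI_DATA_HDRLEN definition, while the problem it addresses is specific to the monitor-mode receive path (case 7 in if_wi.c); every other user of WI_DATA_HDRLEN gets the new offset too, and by the post's own reasoning the 8 bytes being cut are the wi_snap_frame that the firmware adds "for ethernet compatibility" on normal data frames (the wi_dst_addr, wi_src_addr and wi_len fields in the context lines are that 802.3-style header). Safer is to leave the define at 0x44 and choose the shorter offset only in the monitor-mode switch, e.g. `hdrlen = WI_DATA_HDRLEN - sizeof(struct wi_snap_frame);` or simply `hdrlen = WI_MGMT_HDRLEN;` for the data case there, so that non-monitor reception is unaffected. Either way, a one-line comment next to the constant saying that 0x3C is sizeof(struct wi_frame), i.e. where the raw 802.11 frame body starts, would spare the next reader the arithmetic; the bare literal gives no hint why the three header lengths now coincide.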
********** CUT ****************
Andrea Bittau
sorbox at yahoo.com
http://www.darkircop.org
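As an added illustration (not code from the post or from the FreeBSD wi driver), the following user-space C model reproduces the offset arithmetic described above: a constructed firmware receive buffer made of a 0x3C-byte struct wi_frame descriptor followed by the raw body of a WEP data frame, copied by a modelled wi_read_bap at either the original WI_DATA_HDRLEN (0x44) or the patched value (0x3C). The function names, the sample IV and the ciphertext bytes are invented for the example; only the two header-length constants and the 3+1-byte IV/key-index layout come from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as quoted in the post from if_wavelan_ieee.h. */
enum {
    WI_FRAME_LEN = 0x3C,           /* sizeof(struct wi_frame): descriptor + 802.11 header */
    WI_DATA_HDRLEN_ORIG = 0x44,    /* original define: wi_frame + 8-byte wi_snap_frame   */
    WI_DATA_HDRLEN_PATCHED = 0x3C, /* value proposed in the patch                        */
    WEP_IV_LEN = 4,                /* 3-byte IV + 1 key-index byte                       */
    BODY_LEN = 16                  /* constructed body: IV + 12 bytes of ciphertext       */
};

/* Constructed WEP IV + key index; values are made up for the example. */
static const uint8_t sample_iv[WEP_IV_LEN] = { 0x01, 0x02, 0x03, 0x00 };

/* Build a constructed monitor-mode receive buffer: the descriptor bytes are
 * zeroed (their contents do not matter for the offset question) and the
 * frame body, as the air carries it, starts right after struct wi_frame. */
static void build_sample_rx(uint8_t *buf, size_t buflen)
{
    memset(buf, 0, buflen);
    memcpy(buf + WI_FRAME_LEN, sample_iv, WEP_IV_LEN);
    for (size_t i = WEP_IV_LEN; i < BODY_LEN; i++)
        buf[WI_FRAME_LEN + i] = (uint8_t)(0xA0 + i); /* constructed ciphertext */
}

/* Model of wi_read_bap(sc, fid, hdrlen, dst, datlen): copy up to datlen bytes
 * of the firmware buffer starting at offset hdrlen. Returns bytes copied. */
static size_t model_read_bap(const uint8_t *fw, size_t fwlen, size_t hdrlen,
                             uint8_t *dst, size_t datlen)
{
    if (hdrlen > fwlen)
        return 0;
    size_t n = fwlen - hdrlen;
    if (n > datlen)
        n = datlen;
    memcpy(dst, fw + hdrlen, n);
    return n;
}

/* How many bytes of the raw frame body a given hdrlen silently drops in
 * monitor mode: everything between the end of struct wi_frame and hdrlen. */
size_t body_bytes_skipped(size_t hdrlen)
{
    return hdrlen > WI_FRAME_LEN ? hdrlen - WI_FRAME_LEN : 0;
}

/* Capture the constructed frame with the given hdrlen and report whether the
 * WEP IV/key-index field is still at the front of what was copied. */
int wep_iv_survives(size_t hdrlen)
{
    uint8_t fw[WI_FRAME_LEN + BODY_LEN];
    uint8_t body[BODY_LEN];

    build_sample_rx(fw, sizeof fw);
    size_t n = model_read_bap(fw, sizeof fw, hdrlen, body, BODY_LEN);
    if (n < WEP_IV_LEN)
        return 0;
    return memcmp(body, sample_iv, WEP_IV_LEN) == 0;
}

int main(void)
{
    size_t lens[] = { WI_DATA_HDRLEN_ORIG, WI_DATA_HDRLEN_PATCHED };
    for (size_t i = 0; i < 2; i++)
        printf("hdrlen 0x%02zx: %zu body bytes skipped, IV %s\n",
               lens[i], body_bytes_skipped(lens[i]),
               wep_iv_survives(lens[i]) ? "intact" : "lost");
    return 0;
}
```

The model makes the post's point visible in numbers: with 0x44 the copy starts 8 bytes into the frame body, so the IV, the key-index byte and the first four ciphertext bytes never reach the mbuf, whereas with 0x3C the body is captured from its first byte. The gap is exactly sizeof(struct wi_snap_frame), which is why the author concludes the LLC/SNAP header was being counted as part of the 802.11 header.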
More information about the freebsd-current mailing list