Owfuzz: a WiFi protocol fuzzing tool

Overview

owfuzz

owfuzz: a WiFi protocol fuzzing tool using openwifi.

Openwifi is an open-source, SDR-based WiFi protocol stack that is fully compatible with Linux mac80211. Its driver builds on the Linux kernel's mac80211/cfg80211 support for the WiFi upper MAC, so it presents the same interface to the application layer as an ordinary WiFi USB dongle. In hardware, the WiFi lower-MAC functions, including CSMA/CA, are implemented on an FPGA. It supports monitoring and injection of arbitrary WiFi frames, and application software can also talk directly to the openwifi driver/FPGA/RF layers through nl80211, which gives the user a high degree of control over the radio. Owfuzz is the first WiFi protocol fuzzing framework built on the openwifi platform; it supports fuzzing of every WiFi frame type and interactive testing of the WiFi protocol state machine.

Owfuzz can also run on an ordinary wireless network card, provided it supports monitor mode and frame injection.

Architecture

Features:

  • IEEE Std 802.11 1999/2007/2012/2016/2020
  • 2.4 GHz and 5 GHz
  • Targets both kinds of WiFi device: APs and clients
  • Fuzzing of all frame types: management/control/data
  • Fuzzing in any WiFi connection state
  • Interactive (stateful) testing
  • OPEN/WEP/WPA/WPA2/WPA3
  • Automatically generates a PoC log and locates the vulnerability
  • Multichannel monitoring and transmission

Usage

  • owfuzz usage:
    • example: sudo ./owfuzz -i wlan0 -m ap -c [channel] -t [target-mac] -b [ap-mac] -s [ap-mac] -T 2 -A WPA2_PSK_TKIP_AES -I [target-ip]
    • -i [interface], Interface to use.
    • -m [ap/sta/mitm], Set the mode of fuzzer, default is ap.
    • -c [channel], Set the working channel of fuzzer, default is 1.
    • -t [mac], Target's MAC address.
    • -S [SSID], AP's SSID.
    • -A [auth type], Target's auth type: OPEN_NONE, OPEN_WEP, SHARE_WEP, WPA_PSK_TKIP, WPA_PSK_AES, WPA_PSK_TKIP_AES, WPA2_PSK_TKIP, WPA2_PSK_AES, WPA2_PSK_TKIP_AES, EAP_8021X, WPA3
    • -I [IP address], Target's IP address
    • -b [BSSID], AP's Mac address
    • -s [mac], Fuzzer's (source) Mac address.
    • -T [test type], Test type, default 1, 0: Poc test, 1: interactive test, 2: frames test, 3: interactive & frames test
    • -f [log file], Log file path
    • -h Help.

Building

  • Install dependencies (Kali/Ubuntu)
sudo apt-get install pkg-config libnl-3-dev libnl-genl-3-dev libpcap-dev
  • Compiling
make

Start in openwifi

  • Copy owfuzz and openwifi_owfuzz.sh to the openwifi board (password openwifi):

    scp -r owfuzz openwifi_owfuzz.sh [user]@[board-ip]:~/
    
  • Log in to the board from your PC (the PC's Ethernet interface should have IP 192.168.10.1) with password openwifi.

  • Install dependencies on the board

sudo apt-get install pkg-config libnl-3-dev libnl-genl-3-dev libpcap-dev
  • Compiling
make
  • Init the openwifi environment (puts the sdr0 interface into monitor mode)
    ./openwifi_owfuzz.sh
    

Example

  • Fuzzing Client
sudo ./owfuzz -i wlan0 -m ap -c [channel] -t [sta-mac] -b [ap-mac] -s [ap-mac] -T 2 -A WPA2_PSK_TKIP_AES -I [sta-ip]
  • Fuzzing AP
sudo ./owfuzz -i wlan0 -m sta -c [channel] -t [ap-mac] -b [ap-mac] -s [sta-mac] -T 2 -A WPA3 -S [ssid-name] -I [ap-ip]
  • Interactivity fuzzing
sudo ./owfuzz -i wlan0 -m ap -c [channel] -t [sta-mac] -b [ap-mac] -s [ap-mac] -T 1 -A WPA2_PSK_AES

Discovered vulnerabilities

Please see here.

License

This project is available as open source under the terms of the GPL 3.0 or later. However, some elements are licensed under GPL 2.0 or later or the BSD 3-Clause license. For accurate information, please check the individual files.

Comments
  • Error modifying channel when running the program


    When I was running it, I encountered the following error. [screenshot: channel error] Then, by adding printf calls to the source code, I found that the channel setting failed. [screenshot: channel problem] Specific code path: owfuzz/src/fuzz_control.c, the int oi_init() function. Why is this happening? Could you give me some advice? Thank you!

    opened by Mrxia111 2
  • How can I check the fuzzing program is running in the normal status?


    ┌──(kali㉿kali)-[~/00.tools/Owfuzz-main/owfuzz/src]
    └─$ sudo ./owfuzz -i wlan1 -m ap -c 4 -t 38:c8:04:d3:73:bd -b D4:EE:07:3B:07:02 -s D4:EE:07:3B:07:02  -T 2 -A WPA2_PSK_TKIP_AES -I 192.168.119.185 
    Interface: wlan1, channel: 4
    Fuzzing mode: ap
    Target mac: 38:C8:04:D3:73:BD
    Source mac: D4:EE:07:3B:07:02
    Bssid: D4:EE:07:3B:07:02
    Fuzzing target's SSID: owfuzz
    auth_type: 8
    test_type: 2
    
                            WiFi(IEEE802.11) Protocol Fuzzing Test
    __________________________________________________________________________________________
    
            Interface: wlan1                Working Channel: 4
            Target MAC: 38:C8:04:D3:73:BD           Fuzzing MAC: D4:EE:07:3B:07:02
            BSSID: D4:EE:07:3B:07:02                Fuzzing Mode: ap
            Fuzzing Type: 2 (Frame testing)         Frame types: 35
            AP SSID: owfuzz                         Target IP: 192.168.119.185
            Fuzzing Frame Count: 1          PoC Count: 0
    (management)IEEE80211_TYPE_ASSOCRES-->(42)\x10\x00\x3A\x01\x38\xC8\x04\xD3\x73\xBD\xD4\xEE\x07\x3B\x07\x02\xD4\xEE\x07\x3B\x07\x02\x10\x00\x11\x85\x00\x00\x01\x00\x01\x08\x82\x84\x8B\x96\x12\x24\x48\x6C\x01\x00
            Target's network is disconnected...
    __________________________________________________________________________________________
    read failed: Network is down
    wi_read(): Network is down
    read failed: Network is down
    wi_read(): Network is down
    read failed: Network is down
    wi_read(): Network is down
    

    How can I check it? There is no output, and I only see ARP requests in Wireshark.

    opened by HeyManMan 1
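The frame-testing log above prints each injected frame as a raw hex dump, which is the form in which a PoC log entry has to be read when a target drops off the network. The decoder below is an added example and is not owfuzz code or part of the thread: it walks the 802.11 management header, the subtype's fixed fields and the information-element list, and flags IEs that are truncated, empty or repeated. The sample bytes are the 42-byte association response copied from the log; the table of fixed-field lengths and the choice to treat repeated vendor-specific (221) and extension (255) elements as legitimate are my own, taken from IEEE 802.11 clause 9.3.3.

```c
/* Decode one frame from an owfuzz PoC log: IEEE 802.11 management header,
 * the subtype's fixed fields, and the information-element (IE) list, with
 * sanity flags for IEs that are truncated, zero-length, or repeated.
 * Added example; this is not owfuzz code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MGMT_HDR_LEN 24

/* The 42-byte association response printed in the frame-testing log above. */
static const uint8_t SAMPLE_FRAME[42] = {
    0x10, 0x00,                          /* frame control: type 0, subtype 1 */
    0x3A, 0x01,                          /* duration */
    0x38, 0xC8, 0x04, 0xD3, 0x73, 0xBD,  /* addr1: target (DA) */
    0xD4, 0xEE, 0x07, 0x3B, 0x07, 0x02,  /* addr2: fuzzer (SA) */
    0xD4, 0xEE, 0x07, 0x3B, 0x07, 0x02,  /* addr3: BSSID */
    0x10, 0x00,                          /* sequence control */
    0x11, 0x85, 0x00, 0x00, 0x01, 0x00,  /* capability, status, AID */
    0x01, 0x08, 0x82, 0x84, 0x8B, 0x96, 0x12, 0x24, 0x48, 0x6C, /* Supported Rates */
    0x01, 0x00                           /* a second, empty Supported Rates IE */
};

struct decoded {
    unsigned type, subtype, duration, frag, seq;
    const uint8_t *addr1, *addr2, *addr3;
    unsigned capability, status, aid;    /* (re)association response only */
    int ie_count, zero_len_ies, dup_ies, truncated;
};

static unsigned le16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }

/* Bytes of fixed fields before the IE list, per management subtype
 * (IEEE 802.11 clause 9.3.3). -1: the body is not a plain IE list. */
static int fixed_len(unsigned subtype)
{
    switch (subtype) {
    case 0:  return 4;   /* assoc req: capability, listen interval */
    case 1:  return 6;   /* assoc resp: capability, status, AID */
    case 2:  return 10;  /* reassoc req: + current AP address */
    case 3:  return 6;   /* reassoc resp */
    case 4:  return 0;   /* probe req */
    case 5:  return 12;  /* probe resp: timestamp, interval, capability */
    case 8:  return 12;  /* beacon */
    case 10: return 2;   /* disassoc: reason code */
    case 11: return 6;   /* auth: algorithm, transaction seq, status */
    case 12: return 2;   /* deauth: reason code */
    default: return -1;  /* action frames etc. carry subtype-specific bodies */
    }
}

/* Returns 0 on success; negative if the frame is not a parseable management
 * frame. d->truncated is set when an IE claims more bytes than remain. */
static int decode_mgmt(const uint8_t *f, size_t len, struct decoded *d)
{
    memset(d, 0, sizeof *d);
    if (len < MGMT_HDR_LEN) return -1;
    unsigned fc = le16(f);
    d->type = (fc >> 2) & 3;
    d->subtype = (fc >> 4) & 0xF;
    if (d->type != 0) return -2;           /* control/data frame: not handled */
    d->duration = le16(f + 2);
    d->addr1 = f + 4; d->addr2 = f + 10; d->addr3 = f + 16;
    unsigned sc = le16(f + 22);
    d->frag = sc & 0xF;
    d->seq = sc >> 4;

    int fl = fixed_len(d->subtype);
    if (fl < 0) return -3;
    size_t off = MGMT_HDR_LEN;
    if (len < off + (size_t)fl) { d->truncated = 1; return -4; }
    if (d->subtype == 1 || d->subtype == 3) {
        d->capability = le16(f + off);
        d->status = le16(f + off + 2);
        d->aid = le16(f + off + 4) & 0x3FFF;  /* the two MSBs are reserved */
    }
    off += fl;

    /* Walk the IE list. IDs 221 (vendor specific) and 255 (element ID
     * extension) legitimately repeat; any other repeated ID is flagged. */
    uint8_t seen[256] = {0};
    while (off < len) {
        if (off + 2 > len) { d->truncated = 1; break; }
        unsigned id = f[off], l = f[off + 1];
        if (off + 2 + l > len) { d->truncated = 1; break; }
        d->ie_count++;
        if (l == 0) d->zero_len_ies++;
        if (id != 221 && id != 255 && seen[id]++) d->dup_ies++;
        off += 2 + l;
    }
    return 0;
}

static void print_mac(const uint8_t *m)
{
    printf("%02X:%02X:%02X:%02X:%02X:%02X", m[0], m[1], m[2], m[3], m[4], m[5]);
}

int main(void)
{
    struct decoded d;
    int rc = decode_mgmt(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &d);
    if (rc != 0) { printf("not decodable: %d\n", rc); return 1; }
    printf("mgmt subtype %u, seq %u/%u, duration %u\n", d.subtype, d.seq, d.frag, d.duration);
    printf("DA "); print_mac(d.addr1); printf("  SA "); print_mac(d.addr2);
    printf("  BSSID "); print_mac(d.addr3); printf("\n");
    printf("capability 0x%04X status %u AID %u\n", d.capability, d.status, d.aid);
    printf("IEs: %d, zero-length: %d, duplicate IDs: %d, truncated: %d\n",
           d.ie_count, d.zero_len_ies, d.dup_ies, d.truncated);
    return 0;
}
```

On the logged frame this reports a successful association response (status 0, AID 1) carrying a normal Supported Rates element followed by a second Supported Rates element of length 0, i.e. the mutation the fuzzer injected; a decoder like this is what turns a PoC log line into a hypothesis about which parser on the target mishandled the frame. Note that the AID field in this frame does not have its two reserved MSBs set, another detail a strict target parser might reject.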
  • After running openwifi_owfuzz.sh, the MAC address of the sdr0 interface is shown abnormally?

    [screenshot] The picture shows the contents of openwifi_owfuzz.sh. After I run ./wgd.sh, the output is as shown below, and at that point the interface shows its MAC address normally. But after I run the three commands sudo ip link set sdr0 down, sudo iwconfig sdr0 monitor and sudo ip link set sdr0 up (these three commands should put the interface into monitor mode), the interface's MAC address is displayed abnormally. [screenshot] As shown below: abnormal interface address. [screenshot] Previously this happened whenever I ran openwifi_owfuzz.sh directly; this time I ran the commands inside openwifi_owfuzz.sh one by one and the problem still appears. How should I deal with this? The openwifi environment setup should be fine: after running ./wgd.sh and ./fosdem.sh, my computer can connect to the openwifi hotspot and open 192.168.13.1 normally.

    opened by Mrxia111 8
  • Using owfuzz, enter the command line and there is no result?


    When testing a mobile phone's hotspot, I enter the command line. The result is as shown in the figure: the cursor just keeps blinking and there is no result. [screenshot]

    opened by Mrxia111 2
  • An error occurred while performing the make operation?


    [screenshot] When executing make on the openwifi development board, the following occurs: [screenshot] How can I solve this problem? The relevant Makefile is shown below. [screenshot]

    opened by Mrxia111 5
  • Network disconnection occurred while executing the file openwifi_owfuzz.sh?


    For SSH, I connect openwifi directly to my computer, and the virtual machine uses NAT mode to SSH into [user]@[board-ip]. Now, when executing openwifi_owfuzz.sh, the problem shown in the image below occurs, including the openwifi connection being interrupted. [screenshot] Here's a question: do these tests require connecting a router or a wireless network card to openwifi?

    opened by Mrxia111 1
Owner

Alipay (Ant Group Open Source)