From: "Andrea Bittau (sorbo)"
To: freebsd-current@freebsd.org
Date: Wed, 26 Nov 2003 13:13:36 +0000
Message-ID: <20031126131335.GA1605@tribal.sorbonet.org>
Subject: wi driver reads wrong first 8 bytes when in monitor mode in data packets
List-Id: Discussions about the use of FreeBSD-current

If I am not wrong, it seems that the wi driver, when in monitor mode, will
skip 8 bytes of data input (filling it in with random values).

We notice in if_wi.c:

    case 7:
        switch (rx_frame->wi_whdr.i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
        case IEEE80211_FC0_TYPE_DATA:
            hdrlen = WI_DATA_HDRLEN;

data is then read according to the hdrlen offset.

    if (wi_read_bap(sc, fid, hdrlen, mtod(m, caddr_t) + hdrlen, datlen + 2) == 0) {

in if_wavelan_ieee.h:

    #define WI_DATA_HDRLEN 0x44
    #define WI_MGMT_HDRLEN 0x3C
    #define WI_CTL_HDRLEN 0x3C

we notice that data frames seem to have an 8 byte "header" extra

we then notice

    /*
     * all data packets have a snap (sub-network access protocol) header that
     * isn't entirely definied, but added for ethernet compatibility.
     */
    struct wi_snap_frame {
        u_int16_t wi_dat[3];
        u_int16_t wi_type;
    };

(it is 8 bytes)

It seems like the llc/snap is treated as a "802.11 header" per se and not
actual data. (Maybe this was the mentality of the developers.)

Under "normal" circumstances this is ok, since many people do not care about
snap/llc when in monitor mode. In fact, the ip header will be just fine.

However when auditing wep, those 8 bytes are crucial (since the first 3+1
bytes contain IV information) and the first few bytes of cyphertext are
normally used in known plaintext attacks. In fact, bsd-airtools will probably
not work at all.

I am running:

    FreeBSD tribal.sorbonet.org 5.2-BETA FreeBSD 5.2-BETA #5: Wed Nov 26 05:24:11 GMT 2003 root@tribal.sorbonet.org:/usr/obj/usr/src/sys/SORBO i386

A very basic patch which seems to work is:

if_wavelan_ieee.h.diff:

********** CUT ******************** *** if_wavelan_ieee.h.orig Wed Nov 26 06:00:58 2003 --- if_wavelan_ieee.h Wed Nov 26 05:08:08 2003 *************** *** 466,472 **** u_int8_t wi_src_addr[6]; u_int16_t wi_len; }; ! #define WI_DATA_HDRLEN 0x44 #define WI_MGMT_HDRLEN 0x3C #define WI_CTL_HDRLEN 0x3C --- 466,472 ---- u_int8_t wi_src_addr[6]; u_int16_t wi_len; }; ! #define WI_DATA_HDRLEN 0x3C #define WI_MGMT_HDRLEN 0x3C #define WI_CTL_HDRLEN 0x3C ********** CUT ****************

Andrea Bittau
sorbox@yahoo.com
http://www.darkircop.org
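Review bot: changing WI_DATA_HDRLEN from 0x44 to 0x3C in the header alters the offset for every user of the macro, not only the monitor-mode `case 7` path quoted in the mail; on the normal receive path the extra 8 bytes are exactly the `wi_snap_frame` that the driver comment says is added for ethernet compatibility, so a global change risks handing those 8 bytes to the stack where they are not expected. A narrower change is to leave the define alone and set `hdrlen = WI_MGMT_HDRLEN` (0x3C) only in the IEEE80211_FC0_TYPE_DATA branch of the monitor-mode switch, with a comment saying why monitor mode wants the LLC/SNAP or IV bytes. It is also worth confirming whether `datlen` already counts those 8 bytes: `wi_read_bap(sc, fid, hdrlen, mtod(m, caddr_t) + hdrlen, datlen + 2)` keeps the same read length while starting 8 bytes earlier, so if it does not, the mbuf length needs to grow by 8 or the tail of the frame is lost.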
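As an added example (not code from the post or from the FreeBSD wi driver), a sanity check that a monitor-mode capture tool can run over 802.11 data frames: it parses the MAC header and verifies that the body begins the way the post says it should, with LLC/SNAP for plaintext frames or the 3+1 byte IV/key-id field for WEP-protected ones, so a driver that swallows those 8 bytes is detected rather than silently feeding bad data to an audit. The frames and addresses below are constructed.

```python
# Does a captured 802.11 data frame's body start where it should? A driver that
# treats the 8-byte LLC/SNAP header as part of its own receive header (the wi
# behaviour described in the post) delivers frames missing those 8 bytes.
FC0_TYPE_MASK = 0x0C
FC0_TYPE_DATA = 0x08
FC1_DIR_MASK = 0x03          # ToDS/FromDS bits of frame control byte 1
FC1_PROTECTED = 0x40         # "WEP" bit of frame control byte 1
LLC_SNAP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00])


def data_header_len(fc0: int, fc1: int) -> int:
    """MAC header of a data frame: 24 bytes, 30 when both ToDS and FromDS are set."""
    if fc0 & FC0_TYPE_MASK != FC0_TYPE_DATA:
        raise ValueError("not a data frame")
    return 30 if (fc1 & FC1_DIR_MASK) == FC1_DIR_MASK else 24


def check_data_frame(frame: bytes) -> str:
    """'ok' if the body starts as expected, 'truncated' if the leading bytes look gone."""
    if len(frame) < 24:
        return "short"
    fc0, fc1 = frame[0], frame[1]
    body = frame[data_header_len(fc0, fc1):]
    if len(body) < 8:
        return "truncated"
    if fc1 & FC1_PROTECTED:
        # WEP body: 3-byte IV, then key-id byte whose low 6 bits must be zero.
        return "ok" if body[3] & 0x3F == 0 else "truncated"
    # Plaintext body: LLC/SNAP, then a 2-byte ethertype.
    return "ok" if body[:6] == LLC_SNAP else "truncated"


def make_frame(protected: bool, body: bytes) -> bytes:
    """Constructed ToDS data frame with dummy addresses and sequence number."""
    fc1 = 0x01 | (FC1_PROTECTED if protected else 0)
    hdr = bytes([FC0_TYPE_DATA, fc1]) + b"\x00\x00"          # FC, duration
    hdr += b"\x00\x11\x22\x33\x44\x55" * 3 + b"\x10\x00"      # addr1-3, seq
    return hdr + body


GOOD_PLAIN = make_frame(False, LLC_SNAP + b"\x08\x00" + b"\x45\x00\x00\x28")
BAD_PLAIN = make_frame(False, b"\x45\x00\x00\x28")           # LLC/SNAP missing
GOOD_WEP = make_frame(True, b"\x01\x02\x03\x40" + b"\xde\xad\xbe\xef" * 2)
BAD_WEP = make_frame(True, b"\xde\xad\xbe\xef" * 2)          # IV/key-id missing

if __name__ == "__main__":
    for name, f in [("plain", GOOD_PLAIN), ("plain-8", BAD_PLAIN),
                    ("wep", GOOD_WEP), ("wep-8", BAD_WEP)]:
        print(name, check_data_frame(f))
```

The key-id test is a heuristic (a frame missing its IV can by chance carry a byte with the low 6 bits clear), so run it over many frames and treat any "truncated" result from a capture as a driver problem to investigate.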