Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Frag Attacks

vanhoefm, posted 4 years ago
  • WiFi is a large part of everyday life and is the most common way that computers of all kinds get internet access. The security of the WiFi protocol is the only thing that keeps the devices in a network isolated from attackers.
  • By carefully injecting unencrypted frames into a WiFi network, an attacker can break the security of the network. For instance, this could be used to trick a client into using a malicious DNS server or to bypass NAT/firewall protections.
  • The plaintext injection vulnerability described above can be triggered remotely when an attacker sends a malicious TCP packet as a response to some request from the user. The contents of that packet can trick the WiFi stack into treating them as part of a WiFi frame instead of ordinary data from a normal TCP connection. Plaintext injection is a class of vulnerabilities in which the WiFi receiver accepts broadcast fragments even when they are sent unencrypted.
  • The first vulnerability is in the frame aggregation functionality. To increase throughput, WiFi can combine multiple frames into one larger super frame. To make this possible, each frame carries a header flag that indicates whether it is a single frame or an aggregated frame.
  • The vulnerability is that the is_aggregated flag is NOT authenticated. Hence, a malicious actor can trick the WiFi receiver into processing the transported data in an unintended way. In particular, it can be abused to inject arbitrary frames and to have single frames combined into an aggregated frame. This vulnerability is not an issue with the specification but a common issue with implementations.
  • The second issue is a design flaw in the fragmentation feature of WiFi. When a large frame is fragmented into smaller frames, all fragments should be encrypted with the same key. However, receivers are not required to check this! So, an attacker could theoretically exfiltrate data this way (even though the author does not explain how).
  • The third issue is a common issue with caching. Received fragments are cached until they are used. However, an attacker could send a fragment that stays in the cache and is used later on by the user's device. Again, an attacker could theoretically exfiltrate data this way (even though the author does not explain how).
  • These protocol confusion attacks have been taking off recently, in particular the rediscovery of HTTP request smuggling and the revamping of NAT Slipstreaming. This attack also reminded me how important HTTPS can be as a defense-in-depth measure against all sorts of crazy attacks.
  • These findings are extremely impactful and complex in nature. Even though the protocols look secure, there are always ways to poke holes in random backbones of the internet.
  • TODO... add more documentation on how the fragmentation attack works.
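As an added illustration of the receiver-side mitigations for the plaintext-injection, mixed-key fragmentation and fragment-cache issues noted above (my own example, not code from the FragAttacks author or any real driver): a toy 802.11-style defragmenter that refuses plaintext fragments, drops a frame whose fragments were decrypted under different keys or carry non-consecutive packet numbers, and flushes its cache whenever the client (re)connects. The Fragment fields and the Reassembler class are modelling assumptions, not the actual 802.11 data structures.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Fragment:
    """One received fragment (constructed model, not the real 802.11 header)."""
    seq: int            # sequence number shared by all fragments of one frame
    frag_num: int       # 0-based fragment index within the frame
    more_frags: bool    # True on every fragment except the last one
    key_id: Optional[int]  # key the fragment was decrypted with; None = plaintext
    pn: int             # packet number (replay counter) of this fragment
    payload: bytes


class Reassembler:
    """Defragmenter applying the checks a hardened receiver should enforce."""

    def __init__(self) -> None:
        self.cache = {}  # seq -> list of fragments received so far

    def on_reconnect(self) -> None:
        # Flush partial frames on (re)association so a fragment injected in
        # an earlier session can never be joined with fragments of a new one.
        self.cache.clear()

    def receive(self, frag: Fragment) -> Optional[bytes]:
        # 1. Plaintext fragments never enter the cache (closes plaintext injection).
        if frag.key_id is None:
            return None
        pending = self.cache.get(frag.seq, [])
        if pending:
            last = pending[-1]
            # 2. Every fragment of one frame must come from the same key and
            #    carry consecutive packet numbers and fragment indices;
            #    anything else discards the whole partially built frame.
            if (frag.key_id != last.key_id or frag.pn != last.pn + 1
                    or frag.frag_num != last.frag_num + 1):
                self.cache.pop(frag.seq, None)
                return None
        elif frag.frag_num != 0:
            return None  # a frame must start with fragment 0
        pending.append(frag)
        if frag.more_frags:
            self.cache[frag.seq] = pending
            return None
        self.cache.pop(frag.seq, None)
        return b"".join(f.payload for f in pending)
```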