Agent SkillsSnailSploit/Claude-Red › offensive-krack-fragattacks

offensive-krack-fragattacks

GitHub

用于评估WPA2客户端的KRACK和FragAttacks漏洞。针对嵌入式设备、旧版IoT及未修补系统,利用Vanhoef脚本检测密钥重安装和帧拼接攻击风险,验证补丁状态并输出CVE详情。

Skills/wireless/offensive-krack-fragattacks/SKILL.md SnailSploit/Claude-Red

Trigger Scenarios

需要测试WPA2客户端对KRACK或FragAttacks漏洞的易感性 评估嵌入式设备、老旧手机或IoT产品的Wi-Fi安全补丁情况 进行渗透测试时针对遗留 supplicant 或补丁更新缓慢的厂商

Install

npx skills add SnailSploit/Claude-Red --skill offensive-krack-fragattacks -g -y
More Options

Non-standard path

npx skills add https://github.com/SnailSploit/Claude-Red/tree/main/Skills/wireless/offensive-krack-fragattacks -g -y

Use without installing

npx skills use SnailSploit/Claude-Red@offensive-krack-fragattacks

指定 Agent (Claude Code)

npx skills add SnailSploit/Claude-Red --skill offensive-krack-fragattacks -a claude-code -g -y

安装 repo 全部 skill

npx skills add SnailSploit/Claude-Red --all -g -y

预览 repo 内 skill

npx skills add SnailSploit/Claude-Red --list

SKILL.md

Frontmatter
{
    "name": "offensive-krack-fragattacks",
    "description": "KRACK (CVE-2017-13077..082) and FragAttacks (CVE-2020-24586..588 + 26139-26147) — key reinstallation, fragmentation, and aggregation attacks against WPA2 supplicants. Covers Vanhoef's test scripts, viability against modern patched stacks (mostly mitigated post-2021), residual unpatched embedded devices and IoT vendors, and the practical limitations of these attacks in modern engagements. Use when assessing legacy supplicants, embedded clients, or vendors with poor patch cadence."
}

KRACK & FragAttacks

Two attack families against WPA2 client implementations. Both well-disclosed (KRACK 2017, FragAttacks 2021) and largely patched on modern OSes — but the embedded/IoT long tail keeps them in scope for many engagements.

When These Apply

Family Target Patch Status
KRACK WPA2 supplicants in 4-way handshake / GTK / FT / TDLS Major OSes patched 2017–2018
FragAttacks Frame fragmentation/aggregation across WPA2/3 Most stacks patched 2021–2022

Probability of success today is high only against:

  • Embedded OEM devices (cameras, sensors, point-of-sale)
  • Old Android phones (<8 unpatched)
  • Industrial / SCADA Wi-Fi clients
  • Wi-Fi-enabled toys, smart bulbs, no-name IoT

Modern Win11 / iOS 16+ / Android 13+ / hostapd-2.10 are mitigated.

KRACK — Key Reinstallation

The 4-way handshake's M3 retransmission causes the supplicant to reinstall the same PTK with reset nonce/replay counters. Frames encrypted under the reused keystream become decryptable.

# Vanhoef's official test scripts
git clone https://github.com/vanhoefm/krackattacks-scripts
cd krackattacks-scripts/krackattack
sudo ./krack-test-client.py --interface wlan0
# Tests the supplicant on a connected client

Output identifies which CVE variants the client is vulnerable to.

Practical Outcomes

When successful:

  • Decryption of WPA2-encrypted frames between client and AP
  • TKIP downgrade enables packet injection
  • Recovery of session keys for the duration of the affected key cycle

Not a PSK recovery — you don't get the wireless password from KRACK.

FragAttacks — Frame Splicing

FragAttacks abuse 802.11 fragmentation and aggregation to inject frames that mix encrypted and plaintext fragments, or to splice attacker-controlled fragments into legitimate frames.

git clone https://github.com/vanhoefm/fragattacks
cd fragattacks
sudo ./test-fragattacks.py wlan0 --interface wlan0
# Suite of ~12 tests covering each variant
CVE Mechanism
CVE-2020-24588 A-MSDU spoofing — inject crafted A-MSDU subframes
CVE-2020-24587 Mixed-key fragment cache poisoning
CVE-2020-24586 Decoupled fragment cache → reuse
CVE-2020-26139 Forwarding plaintext frames before authentication
CVE-2020-26140 Accepting plaintext frames in protected network

Practical Outcomes

  • Inject malicious frames that the client treats as legitimate (HTTP redirect, DNS poison)
  • Read decrypted fragments from cached state
  • Cross-protect data exfil via crafted A-MSDU

Targeting Workflow

  1. Identify the in-scope client (MAC, OS, vendor)
  2. Estimate patch likelihood — if modern OS, likely patched; if embedded, likely vulnerable
  3. Run the test suite from a controlled AP setup
  4. Report each vulnerable variant separately with the matching CVE
# Rogue AP that drives the test
sudo hostapd-mana /tmp/krack_test_ap.conf

# Force client to associate (deauth from real AP, or social-engineer)
sudo aireplay-ng --deauth 5 -a <real-BSSID> -c <client-MAC> wlan0mon

# Run test once associated
sudo ./krack-test-client.py --interface wlan0

Detection

  • WIPS may flag deauth-driven roams to attacker AP
  • Test scripts generate distinctive frame patterns; modern WIPS recognizes Vanhoef's tooling
  • Successful exploitation is essentially silent at protocol level

Reporting

For each vulnerable CVE:

  • Client model + firmware version (be specific)
  • Variant tested + result (vulnerable / patched / partial)
  • Practical impact in the engagement context (decryption only, or injection viable?)
  • Remediation: vendor patch URL, mitigation (WPA3 + PMF blocks most)

Key References

Version History

  • aeb41ec Current 2026-07-05 18:43

Same Skill Collection

Skills/auth/offensive-jwt/SKILL.md
Skills/fuzzing/offensive-fuzzing/SKILL.md
Skills/infrastructure/offensive-shellcode/SKILL.md
Skills/wireless/offensive-deauth-disassoc/SKILL.md
Skills/wireless/offensive-wpa3-sae/SKILL.md
Skills/wireless/offensive-wps/SKILL.md
Skills/wireless/offensive-z-wave/SKILL.md
Skills/active-directory/offensive-active-directory/SKILL.md
Skills/cloud/offensive-cloud/SKILL.md
Skills/exploit-dev/offensive-toctou/SKILL.md
Skills/iot/offensive-iot/SKILL.md
Skills/mobile/offensive-mobile/SKILL.md
Skills/recon/offensive-osint/SKILL.md
Skills/utility/offensive-reporting/SKILL.md
Skills/web/offensive-business-logic/SKILL.md
Skills/web/offensive-sqli/SKILL.md
Skills/wireless/offensive-bluetooth-ble/SKILL.md
Skills/wireless/offensive-bluetooth-classic/SKILL.md
Skills/wireless/offensive-evil-twin/SKILL.md
Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md
Skills/wireless/offensive-wifi-recon/SKILL.md
Skills/wireless/offensive-wifi/SKILL.md
Skills/wireless/offensive-wpa-enterprise/SKILL.md
Skills/wireless/offensive-wpa2-psk/SKILL.md
Skills/wireless/offensive-zigbee-thread-matter/SKILL.md

Metadata

Files
0
Version
aeb41ec
Hash
12dea4e7
Indexed
2026-07-05 18:43

trang chủ - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 18:36
浙ICP备14020137号-1 $bản đồ khách truy cập$