blackhat17-pocs

Proofs of concept of attacks against Wi-Fi implementations

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

This repository contains proofs of concept of selected attacks mentioned in my Black Hat 2017 talk. The talk was based on the paper "Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing". The testing framework explained during the talk, and in the paper, is also public.

Table of Contents

  • OpenBSD: Client Man-in-the-Middle (view demo)
  • OpenBSD: Access Point Denial-of-Service (view demo)
  • Windows 7: Targeted DoS against hotspot (view demo)
  • Windows 10: Insider DoS against hotspot
  • Broadcom, Windows 10, Aerohive: Impossible TKIP Countermeasures Insider DoS

Acknowledgements

This work is based on the paper "Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing", which was co-authored with Domien Schepers and Frank Piessens.