A Wi-Fi fuzzer implemented in C++. It uses generator coroutines to generate fuzzed content.
Because of the reliance on coroutines, the code must be compiled with GCC. A bug in newer versions of the compiler (internal compiler errors) means the code must be compiled with GCC 10.2.0 and not the newest 11.1. The Dockerfile can be used for compilation until the bugs are resolved.
To build the Docker image and get a shell with the source mounted, run:

```sh
docker build -t fuzzer .
docker run --rm -it -v $(pwd):/code fuzzer
cd /code
```

Then you can continue with the normal build.
Two versions can be built:
- with GRPC monitor support
- without
To build the basic version without GRPC monitor support you need to satisfy these dependencies:
- cmake >= 3.17
- g++ == 10.2.0 (newer versions produce internal compiler errors)
- libpcap-dev
- libspdlog-dev
- libyaml-cpp-dev
- libboost-container-dev
For Debian (check that the packaged g++ is 10.2.0; otherwise use the Dockerfile):

```sh
apt install g++ cmake libpcap-dev libspdlog-dev libyaml-cpp-dev libboost-container-dev
```

For Arch:

```sh
pacman -S cmake gcc make libpcap spdlog yaml-cpp boost --needed
```

Then build:

```sh
mkdir build
cd build
cmake ..
make
```
For GRPC monitor support, used with the serial-port monitor on an ESP32, you need additional dependencies:
- pkgconfig
- grpc
For Arch:

```sh
pacman -S pkgconfig grpc
```

To compile the protofiles to .cpp and .h files, run in the source root directory:

```sh
mkdir -p build/proto && protoc -I ./proto --cpp_out=build/proto ./proto/monitor.proto
```

Then build with GRPC enabled:

```sh
mkdir build
cd build
cmake -DGRPC_ENABLED=1 ..
make -j
```

The produced binary is in build/src/wifuzz++.
The wireless interfaces used must be in monitor mode before starting the program, and they have to be set to the correct channel. This can be done with airmon-ng or manually.

The program takes one argument, a config file in YAML format. An example config can be found in conf/wifuzz.yaml.
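The manual route, as an added example that is not part of wifuzz++: a small POSIX sh script that switches an interface to monitor mode on a given channel with iw and ip (iproute2) and then verifies the result instead of assuming it worked. It assumes iw and ip are installed and that it runs as root; with DRY_RUN=1 it only prints the commands it would run.

```sh
#!/bin/sh
# Added example (not wifuzz++ project code): put an interface into monitor mode on
# a given channel with iw/ip and verify it. Assumes iw and iproute2 are installed
# and the script runs as root. DRY_RUN=1 prints the commands instead of running them.

# Prints the commands needed, one per line. The interface must be down before
# the type can be changed, and the channel can only be set once it is up again.
monitor_cmds() {
    iface=$1
    channel=$2
    printf '%s\n' \
        "ip link set $iface down" \
        "iw dev $iface set type monitor" \
        "ip link set $iface up" \
        "iw dev $iface set channel $channel"
}

# Accepts only a positive decimal channel number.
valid_channel() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ]
}

# Runs the commands (unless DRY_RUN=1), then checks that the interface really is
# in monitor mode and on the requested channel, because a driver that does not
# support monitor mode fails silently from the fuzzer's point of view.
set_monitor_mode() {
    iface=$1
    channel=$2
    valid_channel "$channel" || { echo "bad channel: $channel" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        monitor_cmds "$iface" "$channel"
        return 0
    fi
    monitor_cmds "$iface" "$channel" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done || return 1
    iw dev "$iface" info | grep -q 'type monitor' \
        || { echo "$iface is not in monitor mode" >&2; return 1; }
    iw dev "$iface" info | grep -q "channel $channel " \
        || { echo "$iface is not on channel $channel" >&2; return 1; }
}

# Usage: ./monitor.sh <iface> <channel>   (e.g. ./monitor.sh wlp3s0 6)
if [ $# -ge 2 ]; then
    set_monitor_mode "$1" "$2"
fi
```

Run it for every interface the config names (the injection interface and, for the sniffing monitor, its own interface), with the channel the fuzzed device is on.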
```yaml
# Can be one of "beacon", "prb_resp", "auth", "auth_resp", "deauth", "deass"
fuzzer_type: "beacon"
# The wireless interface used for injection.
interface: "wlp3s0"
# An unsigned number to be used for randomized operations. Currently not used.
random_seed: 42
# An address to be used as the fake device, in the format "8c:dc:02:12:34:56"
src_mac: "8c:dc:02:12:34:56"
# The address of the fuzzed device, e.g. "3c:71:bf:78:90:12"
test_device_mac: "3c:71:bf:78:90:12"
# Number of random contents tried for each information element
# (total random inputs tried = fuzz_random * 256)
fuzz_random: 100
# wait_duration_ms and packet_resend_count affect only frames which are not responses.
controller:
  wait_duration_ms: 100
  packet_resend_count: 5
```
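To make the fuzz_random * 256 figure and the frame layout concrete, here is an added example (not wifuzz++ project code) that builds a beacon frame with one fuzzed information element and enumerates the fuzz space the way the README's formula suggests: the IE length field is a single byte, so every one of the 256 possible lengths is tried with fuzz_random random payloads. It uses a plain C++11 iterator-style class instead of the project's coroutine generator so it compiles with any compiler, and the radiotap/802.11 layout is a minimal one constructed for this example; the MAC addresses are the ones from the config above.

```cpp
// Added example, not wifuzz++ project code: build 802.11 beacon frames carrying one
// fuzzed information element (IE) and enumerate the fuzz space the README describes
// (fuzz_random random payloads for each of the 256 possible IE lengths).
#include <array>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <random>
#include <string>
#include <vector>

using Mac = std::array<uint8_t, 6>;

// Parses "8c:dc:02:12:34:56"; returns false on malformed input.
bool parse_mac(const std::string& s, Mac& out) {
    if (s.size() != 17) return false;
    for (int i = 0; i < 6; ++i) {
        if (i && s[i * 3 - 1] != ':') return false;
        std::string byte = s.substr(i * 3, 2);
        if (!std::isxdigit(byte[0]) || !std::isxdigit(byte[1])) return false;
        out[i] = static_cast<uint8_t>(std::strtol(byte.c_str(), nullptr, 16));
    }
    return true;
}

// Minimal radiotap header: version 0, pad, little-endian length 8, no present flags.
static const uint8_t kRadiotap[8] = {0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00};

static void append(std::vector<uint8_t>& f, size_t n, uint8_t v) {
    for (size_t i = 0; i < n; ++i) f.push_back(v);
}

// Builds radiotap + 802.11 management header + beacon fixed params + one IE.
// src is the spoofed source/BSSID (src_mac in the config); beacons go to broadcast.
// Returns an empty vector if the body cannot fit the one-byte IE length field.
std::vector<uint8_t> build_beacon(const Mac& src, uint8_t ie_id,
                                  const std::vector<uint8_t>& ie_body, uint16_t seq) {
    if (ie_body.size() > 255) return {};
    std::vector<uint8_t> f(kRadiotap, kRadiotap + 8);
    f.push_back(0x80); f.push_back(0x00);             // frame control: mgmt / beacon
    f.push_back(0x00); f.push_back(0x00);             // duration
    append(f, 6, 0xff);                               // addr1: broadcast DA
    f.insert(f.end(), src.begin(), src.end());        // addr2: SA
    f.insert(f.end(), src.begin(), src.end());        // addr3: BSSID
    uint16_t sc = static_cast<uint16_t>(seq << 4);    // sequence number in upper 12 bits
    f.push_back(sc & 0xff); f.push_back(sc >> 8);
    append(f, 8, 0x00);                               // timestamp
    f.push_back(0x64); f.push_back(0x00);             // beacon interval: 100 TU
    f.push_back(0x01); f.push_back(0x04);             // capability: ESS, short slot time
    f.push_back(ie_id);                               // IE tag, e.g. 0 = SSID
    f.push_back(static_cast<uint8_t>(ie_body.size())); // the single-byte length field
    f.insert(f.end(), ie_body.begin(), ie_body.end());
    return f;
}

// Enumerates the inputs for one IE: for each length 0..255, fuzz_random random
// payloads, deterministic for a given seed so a crash can be reproduced.
class IeFuzzer {
public:
    IeFuzzer(unsigned fuzz_random, unsigned seed) : fuzz_random_(fuzz_random), rng_(seed) {
        if (fuzz_random_ == 0) len_ = 256;            // empty space, nothing to yield
    }
    // Fills body with the next payload; returns false once the space is exhausted.
    bool next(std::vector<uint8_t>& body) {
        if (len_ > 255) return false;
        body.resize(len_);
        for (size_t i = 0; i < body.size(); ++i) body[i] = static_cast<uint8_t>(rng_());
        if (++round_ == fuzz_random_) { round_ = 0; ++len_; }
        return true;
    }
    static size_t space_size(unsigned fuzz_random) { return 256u * fuzz_random; }
private:
    unsigned fuzz_random_;
    std::mt19937 rng_;
    unsigned len_ = 0;
    unsigned round_ = 0;
};

// Drives a fuzzer to exhaustion and returns how many inputs it produced.
size_t count_inputs(unsigned fuzz_random, unsigned seed) {
    IeFuzzer fz(fuzz_random, seed);
    std::vector<uint8_t> body;
    size_t n = 0;
    while (fz.next(body)) ++n;
    return n;
}

int main() {
    Mac src;
    if (!parse_mac("8c:dc:02:12:34:56", src)) return 1;
    IeFuzzer fz(2, 42);                               // fuzz_random = 2 -> 512 frames
    std::vector<uint8_t> body, frame;
    uint16_t seq = 0;
    while (fz.next(body)) {
        frame = build_beacon(src, 0x00, body, seq++ & 0x0fff);
        // a real fuzzer would pcap_inject() each frame on the monitor interface here
    }
    std::printf("generated %zu frames, last one %zu bytes\n",
                static_cast<size_t>(seq), frame.size());
    return 0;
}
```

With fuzz_random: 100 this is 25600 frames per IE; at the controller defaults (100 ms wait, 5 resends) that is the order of hours per IE, which is why the sniffing monitor's timeout and the controller's wait are worth tuning together.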
The monitor config is different for every type of monitor used.

The passive monitor can be used only with request/response types of frames. It must be notified by the fuzzer when a frame from test_device_mac is received; timeout_s bounds how long it waits for that notification. It uses this config:

```yaml
monitor:
  type: passive
  timeout_s: 5
```

The sniffing monitor performs independent sniffing on its own interface and resets its counter when a frame from test_device_mac is received. Config:

```yaml
monitor:
  type: snifing
  timeout_s: 50
  interface: wlp3s0
```

The GRPC monitor must be enabled during compilation. It runs a GRPC server on server_address, and failures are set when it is notified from external sources. Config:

```yaml
monitor:
  type: grpc
  server_address: 0.0.0.0:50051
```