ioactive / laf

This project intends to provide a series of tools to craft, parse, send, analyze and crack a set of LoRaWAN packets in order to audit or pentest the security of a LoraWAN infrastructure.

License: BSD 3-Clause "New" or "Revised" License

Dockerfile 0.31% Python 75.08% Go 14.79% Shell 9.82%
lora lorawan python pentesting-tools radio-frequency-communication framework security-testing

laf's Issues

Node Impersonation Issues

Hello Matias, first of all, thanks for sharing this much needed project!

I am recreating your video of the presentation of the tool at Black Hat 2019. At the moment I have already managed to recreate the LAF-009 “Password cracked” alert without problems. Where I have problems is when recreating the LAF-007 alert “Received smaller counter than expected (distinct from 0)”. Here is my scenario and the results I have obtained:

Scenario:

1 Gateway (Raspberry Pi)
1 physical node (OTAA)
1 Ubuntu VM with LAF

Results:

I capture the JoinRequest and JoinAccept packets in the UdpProxy.py.

When I have gathered the AppKey, the DevNonce and have the package data in hexadecimal, I run Loracrack and a segfault occurs (Issue 1). I managed to solve this mishap using loracrack_genkeys (as indicated in the official loracrack repository). In summary, I have the NwkSKey and the AppSKey, I compare them with the Network Server and they are indeed correct.

I carry out the rest of the steps and capture an UnconfirmedDataUp to which I only modify the fCnt and the frmpayload for a B64 with the message “HACKED”. I sign the packet with the AppSKey and the NwkSKey and use the UdpSender.py to send the packet and impersonate the legitimate node. I transmit the packet with the “packet_forwarder” format as indicated in UdpSender.py since I am not using a GV but a GW and a Network Server.

I send the packet with dst-ip = localhost and dst-port = one of those that appears in UdpProxy.py (although I suspect that one of the factors of the problem is the port; I don't quite understand roughly minute 9:35 of the LAF YouTube video). Finally, the packet goes through the UdpProxy.py and the PacketForwarderCollector.py and is stored in the DB but does NOT impersonate the legitimate node: I check the Network Server and these "injected packets" do not appear in the history of the packets transmitted by the real node (no impersonation).

What can I be doing wrong?

I eagerly await your response. Thanks again!
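
The LAF-007 condition named in the post above, sketched as a detector over captured uplinks. This is an added example, not LAF's own code and not part of the original post; the function names, the sample frames and the choice to track the last counter per DevAddr are assumptions.

```python
import base64
import struct

LAF_007 = "Received smaller counter than expected (distinct from 0)"

def parse_uplink(phy_b64):
    """Return (DevAddr hex, FCnt) for a data uplink PHYPayload, else None."""
    phy = base64.b64decode(phy_b64)
    if len(phy) < 12:                        # MHDR(1) + FHDR(7) + MIC(4) minimum
        return None
    if phy[0] >> 5 not in (0b010, 0b100):    # unconfirmed / confirmed data up only
        return None
    # FHDR follows MHDR: DevAddr (4 bytes, little-endian), FCtrl (1), FCnt (2)
    dev_addr, _fctrl, fcnt = struct.unpack_from("<IBH", phy, 1)
    return f"{dev_addr:08X}", fcnt

def check_counters(frames):
    """Return a list of (index, DevAddr, previous FCnt, received FCnt) alerts."""
    last, alerts = {}, []
    for idx, frame in enumerate(frames):
        parsed = parse_uplink(frame)
        if parsed is None:
            continue
        dev_addr, fcnt = parsed
        prev = last.get(dev_addr)
        # Assumption: 0 is excluded because the alert name says so (a reset
        # to 0 is a different event). Keyed by DevAddr for brevity; a real
        # monitor should key on the device resolved via the MIC and account
        # for the 16-bit over-the-air FCnt wrapping around.
        if prev is not None and fcnt != 0 and fcnt < prev:
            alerts.append((idx, dev_addr, prev, fcnt))
        last[dev_addr] = fcnt
    return alerts

def sample_frame(dev_addr, fcnt, mhdr=0x40):
    # Constructed sample frame: FPort 1, 2 payload bytes, all-zero MIC.
    body = struct.pack("<BIBH", mhdr, dev_addr, 0x00, fcnt) + b"\x01\xaa\xbb"
    return base64.b64encode(body + b"\x00" * 4).decode()

SAMPLE = [sample_frame(0x26011ABC, 10), sample_frame(0x26011ABC, 11),
          sample_frame(0x26011ABC, 7),     # goes backwards: alert
          sample_frame(0x26011ABC, 0),     # reset to 0: not this alert
          sample_frame(0x26011DEF, 3)]     # first frame seen for this address

if __name__ == "__main__":
    for idx, dev_addr, prev, fcnt in check_counters(SAMPLE):
        print(f"LAF-007 {LAF_007}: frame {idx} {dev_addr} {prev} -> {fcnt}")
```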

issues with running most scripts based on file dependency locations

I want to set up the DB locally and attempted to run Packetforwader.py.
I get this error:

Traceback (most recent call last):
  File "PacketForwarderCollector.py", line 7, in <module>
    from auditing.datacollectors.utils.PacketPersistence import save
  File "/home/jack/laf/auditing/datacollectors/utils/PacketPersistence.py", line 2, in <module>
    import auditing.db.Service as db_service
  File "/home/jack/laf/auditing/db/__init__.py", line 16, in <module>
    DB_HOST = os.environ["DB_HOST"]
  File "/usr/lib/python3.8/os.py", line 675, in __getitem__
    raise KeyError(key) from None
KeyError: 'DB_HOST'

I can't seem to find an easy way to build the DB schema. Is there a quick solution for this locally?

A LoRaWAN DevAddr is NOT supposed to be unique

The README states for LAF-002:

Two different devices might have been assigned the same DevAddr. This isn't a security threat, but it shouldn't happen since the lorawan server wouldn't be able to distinguish in which device a message is generated.

This is not true. The number of truly available DevAddrs is much too low to allow them to be unique. First, it contains a prefix:

6.1.1 End-device address (DevAddr)
...
The most significant 7 bits are used as network identifier (NwkID) to separate addresses of territorially overlapping networks of different network operators and to remedy roaming issues.

Next, a network may use specific logic in the remaining 25 bits, like for The Things Network (TTN):

Within TTN, we assign device address prefixes to “regions” (for example, device addresses in the eu region start with 0x2601). Within a region, the NetworkServer is responsible for assigning device addresses. We are using prefixes here too for different device classes (for example, ABP devices in the eu region start with 0x26011) or to shard devices over different servers
...
When a device joins the network, it receives a dynamic (non-unique) 32-bit address (DevAddr). It’s good to keep in mind that device addresses are not unique. We can (and probably will) give hundreds of devices the same address. Finding the actual device that belongs to that address is done by matching the cryptographic signature (MIC) of the message to a device in the database.

So, TTN only uses as few as 12 bits within a region and class to generate a DevAddr, yielding only 4,096 unique values within such region and class.

(Also, of course, devices might be assigned a DevAddr that was used by other devices in the past.)
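
The address-space arithmetic from the post above, worked through in code. This is an added example, not part of the original post or of LAF; the function names, the sample DevAddr values, the placeholder DevEUIs and the uniform-assignment model used for the collision estimate are assumptions.

```python
from collections import defaultdict

def split_devaddr(dev_addr):
    """Split a 32-bit DevAddr into (NwkID, NwkAddr): 7 MSBs and 25 LSBs."""
    if not 0 <= dev_addr <= 0xFFFFFFFF:
        raise ValueError("DevAddr must fit in 32 bits")
    return dev_addr >> 25, dev_addr & 0x1FFFFFF

def addresses_under_prefix(prefix_hex):
    """Number of DevAddrs that start with a hex prefix such as '0x26011'."""
    digits = prefix_hex[2:] if prefix_hex.lower().startswith("0x") else prefix_hex
    int(digits, 16)                          # rejects non-hex input
    if len(digits) > 8:
        raise ValueError("prefix longer than 32 bits")
    return 1 << (32 - 4 * len(digits))       # each hex digit fixes 4 bits

def collision_probability(devices, space):
    """P(at least two devices share an address), assuming uniform assignment."""
    if devices > space:
        return 1.0                           # pigeonhole: reuse is unavoidable
    p_unique = 1.0
    for i in range(devices):
        p_unique *= (space - i) / space
    return 1.0 - p_unique

def candidates_by_devaddr(sessions):
    """Map DevAddr -> DevEUIs holding it; the MIC check picks among them."""
    table = defaultdict(list)
    for dev_eui, dev_addr in sessions:
        table[dev_addr].append(dev_eui)
    return dict(table)

# Constructed sessions (placeholder DevEUIs), all under the 0x26011 prefix.
SESSIONS = [("DEVEUI-A", 0x26011ABC), ("DEVEUI-B", 0x26011ABC),
            ("DEVEUI-C", 0x26011001)]

if __name__ == "__main__":
    print("NwkID, NwkAddr:", split_devaddr(0x26011ABC))
    space = addresses_under_prefix("0x26011")
    print("addresses under 0x26011:", space)
    for n in (50, 100, 500):
        print(n, "devices ->", round(collision_probability(n, space), 3))
    print(candidates_by_devaddr(SESSIONS))
```

A duplicate-DevAddr alert built on this grouping reports every entry with more than one candidate, which is the normal state of such a network rather than an anomaly.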

UdpProxy not capturing any packets

Hi, I'm trying to capture and parse the packets passing through my gateway using the UdpProxy, however, it is not capturing any packets, no Join-Request, nothing.

I followed the installation instructions provided in the repository and was trying to replicate the video demonstration seen on Matias Sequeira-Youtube.

My environment:
Raspberry Pi 3 B + RAK2245 Lora module
(I'm running the gateway using the vendor's firmware on port 1700)

cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian

My steps:
Followed the installation instructions on Github.

Tried the following:
/laf/tools python3 UdpProxy.py --port 1700 --dst-ip 127.0.0.1 --dst-port 1701

*tcpdump shows traffic on wlan0 port 1700 but not on localhost.

Maybe I'm missing something?
