How to force packets with bad MIC?

Jouni Malinen j at
Fri May 25 20:23:05 EDT 2007

On Fri, May 25, 2007 at 11:17:43PM -0000, Queisser, Andrew (Idol pick: Blake) wrote:

> I built wpa_supplicant with the goal to create packets to force MIC
> failures on an AP we're having trouble with. My goal was to first verify
> that the AP does indeed go into TKIP countermeasure mode correctly and
> then checking whether sending junk in the TSC, ICV and so on does
> not trigger the countermeasure.
> I thought I could inject some debug code into wpa_supplicant but after
> digging through the code a bit it seems like this kind of modification
> has to be done at the card driver level.

Indeed, wpa_supplicant does not do any TKIP processing for the frames.

> I have a working zd1211 and
> madwifi setup but at first glance it looks like either of these chipsets
> do MIC in hardware.

I'm not familiar with zd1211 design, but at least Atheros cards can be
configured to do TKIP in software.

> Does anyone know of a way to override the TSC, ICV and MIC fields that
> go out into the air? Is it worth continuing with the zd1211 and madwifi
> drivers? I can't tell whether these things calculate the MIC and hand it
> back to the driver or whether that's done just before the packet goes
> out, which would prevent me from messing with the values.

Devicescape IEEE 802.11 stack has optional support for WPA testing and I
would assume it does exactly what you are asking for here. I have used
it to validate replay protection (TSC), TKIP countermeasures (MIC), and
decryption (ICV). This code was just merged for the next Linux version
in net/mac80211, so that could be a good place to look at.

I have to admit that I have not verified whether the WPA testing code
still works in the Linux kernel version. Anyway, I would suggest taking
a look at net/mac80211/{wpa,ieee80211_ioctl}.c. Search for
CONFIG_HOSTAPD_WPA_TESTING and you'll see the places that involve
TKIP/CCMP testing. The test functionality can be triggered from userspace
using ioctls (this part may not have been merged into Linux mainline, so
you may have to take a look at wireless-dev.git tree for it).

Jouni Malinen                                            PGP id EFC895FA
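The receive-side behaviour the thread is about (replay check, then ICV, then Michael, with only Michael failures feeding the countermeasure counter), as an added example that is not part of the original message and is not hostapd or mac80211 code. The frame layout, the helper names, the `clock` hook and the constructed key and addresses are assumptions of this example; no RC4 per-packet encryption is modelled, so a forged TSC shows up here only as a replay, whereas on a real link a wrong TSC also derives the wrong per-packet key and the frame then fails the ICV check:

```python
# Added example, not hostapd or mac80211 code: a model of Michael and of the TKIP
# receive-side check order (TSC replay, then ICV, then MIC). Assumed here: the
# frame dict layout, helper names, injected clock, and plaintext handling (no RC4).
import struct
import zlib

MASK32 = 0xFFFFFFFF

def _rol32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32

def _ror32(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK32

def _xswap(v):
    # swap the two bytes inside each 16-bit half of the word
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)

def _michael_block(l, r):
    r ^= _rol32(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);     l = (l + r) & MASK32
    r ^= _rol32(l, 3);  l = (l + r) & MASK32
    r ^= _ror32(l, 2);  l = (l + r) & MASK32
    return l, r

def michael(key, msg):
    """Michael MIC as specified in IEEE 802.11i: 64-bit key in, 64-bit tag out."""
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + b"\x00" * 4      # 0x5a, then at least four zero bytes,
    padded += b"\x00" * (-len(padded) % 4)    # extended to a multiple of four
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)

def tkip_mic_input(da, sa, priority, payload):
    """Michael covers DA || SA || priority || 3 zero bytes || MSDU data."""
    return da + sa + bytes([priority, 0, 0, 0]) + payload

def build_frame(mic_key, tsc, da, sa, priority, payload):
    """Sender side: append the MIC to the MSDU, then a CRC-32 ICV over the result."""
    mic = michael(mic_key, tkip_mic_input(da, sa, priority, payload))
    data = payload + mic
    return {"tsc": tsc, "da": da, "sa": sa, "priority": priority,
            "data": data, "icv": zlib.crc32(data) & MASK32}

def corrupt_mic(frame):
    """Flip one MIC bit but keep the ICV valid, as a tester holding the keys can."""
    data = frame["data"][:-1] + bytes([frame["data"][-1] ^ 1])
    frame.update(data=data, icv=zlib.crc32(data) & MASK32)
    return frame

class TkipReceiver:
    """Checks TSC replay, then ICV, then Michael; counts only Michael failures and
    starts countermeasures on the second one within WINDOW seconds. The replay
    counter is advanced only by frames that pass every check (model's choice)."""
    WINDOW = 60.0

    def __init__(self, mic_key, clock):
        self.mic_key, self.clock = mic_key, clock   # clock: injectable time source
        self.last_tsc, self.failure_times, self.countermeasures = -1, [], False

    def receive(self, frame):
        if self.countermeasures:
            return "dropped (countermeasures active)"
        if frame["tsc"] <= self.last_tsc:
            return "dropped (TSC replay)"
        if zlib.crc32(frame["data"]) & MASK32 != frame["icv"]:
            return "dropped (ICV error)"
        payload, mic = frame["data"][:-8], frame["data"][-8:]
        expected = michael(self.mic_key, tkip_mic_input(
            frame["da"], frame["sa"], frame["priority"], payload))
        if mic != expected:
            now = self.clock()
            self.failure_times = [t for t in self.failure_times
                                  if now - t < self.WINDOW] + [now]
            if len(self.failure_times) >= 2:
                self.countermeasures = True
                return "MIC failure -> countermeasures"
            return "MIC failure"
        self.last_tsc = frame["tsc"]
        return "ok"

def run_scenarios():
    """Constructed traffic: which corruptions reach the countermeasure logic."""
    key = bytes.fromhex("0011223344556677")                 # constructed MIC key
    da, sa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    t = [0.0]
    rx = TkipReceiver(key, clock=lambda: t[0])
    mk = lambda tsc: build_frame(key, tsc, da, sa, 0, b"test MSDU")
    results = [rx.receive(mk(1))]                           # valid frame
    results.append(rx.receive(mk(1)))                       # junk TSC: replayed counter
    bad_icv = mk(2); bad_icv["icv"] ^= 1
    results.append(rx.receive(bad_icv))                     # junk ICV: never reaches Michael
    results.append(rx.receive(corrupt_mic(mk(3))))          # first Michael failure
    t[0] = 1.0
    results.append(rx.receive(corrupt_mic(mk(4))))          # second within 60 s
    results.append(rx.receive(mk(5)))                       # valid frame, countermeasures on
    return results
```

`run_scenarios()` returns one verdict per frame: the replayed and ICV-corrupted frames are dropped silently, only the two frames with a valid ICV but a wrong Michael tag count, and the second of them within 60 s switches the receiver into countermeasures. That split is exactly the property the original post wants to confirm on the AP, and it is also why the test frames have to be generated below the point where the driver or hardware recomputes the ICV: a bad MIC with a bad ICV never reaches the MIC check at all. The `michael` function can be checked against the published Michael test vectors; the all-zero key over the empty message gives `82925c1ca1d130b8`, and feeding that tag back as the key over `b"M"` gives `434721ca40639b3f`.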
