Hello Matias, first of all, thanks for sharing this much needed project!
I am recreating your video of the presentation of the tool at Black Hat 2019. At the moment I have already managed to recreate the LAF-009 “Password cracked” alert without problems. Where I have problems is when recreating the LAF-007 alert “Received smaller counter than expected (distinct from 0)”. Here is my scenario and the results I have obtained:
Scenario:
1 Gateway (Raspberry Pi)
1 physical node (OTAA)
1 Ubuntu VM with LAF
Results:
I capture the JoinRequest and JoinAccept packets in the UdpProxy.py.
When I have gathered the AppKey, the DevNonce and have the package data in hexadecimal, I run Loracrack and a segfault occurs (Issue 1). I managed to solve this mishap using loracrack_genkeys (as indicated in the official loracrack repository). In summary, I have the NwkSKey and the AppSKey, I compare them with the Network Server and they are indeed correct.
I carry out the rest of the steps and capture an UnconfirmedDataUp to which I only modify the fCnt and the frmpayload for a B64 with the message “HACKED”. I sign the packet with the AppSKey and the NwkSKey and use the UdpSender.py to send the packet and impersonate the legitimate node. I transmit the packet with the “packet_forwarder” format as indicated in UdpSender.py since I am not using a GV but a GW and a Network Server.
I send the packet with dst-ip = localhost and dst-port = one of those that appears in UdpProxy.py (although I suspect that one of the factors of the problem is the port, I don't quite understand the part at roughly minute 9:35 of the LAF YouTube video). Finally, the packet goes through the UdpProxy.py and the PacketForwarderCollector.py and is stored in the DB but does NOT impersonate the legitimate node: I check the Network Server and these "injected packets" do not appear in the history of the packets transmitted by the real node (no impersonation).
What can I be doing wrong?
I eagerly await your response. Thanks again!
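
The check that the LAF-007 alert title describes, as an added example that is not part of the original issue and is not LAF's own code: it reads DevAddr and FCnt from the LoRaWAN frame header of each base64 PHYPayload and flags a data uplink whose counter is lower than the last one seen for that device and is not 0. The function names, the sample frames and the treatment of 0 as a counter reset are assumptions made for this illustration.

```python
import base64
import struct

DATA_UP_MTYPES = {0b010, 0b100}  # UnconfirmedDataUp, ConfirmedDataUp

def parse_uplink(phy_b64):
    """Return (DevAddr hex, 16-bit FCnt) for a data uplink, else None."""
    raw = base64.b64decode(phy_b64)
    if len(raw) < 12 or raw[0] >> 5 not in DATA_UP_MTYPES:
        return None  # too short for MHDR + FHDR + MIC, or not a data uplink
    # FHDR starts after the 1-byte MHDR: DevAddr(4) FCtrl(1) FCnt(2), little-endian
    dev_addr, _fctrl, fcnt = struct.unpack_from("<IBH", raw, 1)
    return f"{dev_addr:08X}", fcnt

def find_counter_regressions(frames):
    """Flag uplinks whose FCnt is below the last one seen for that DevAddr and not 0."""
    last_seen, alerts = {}, []
    for idx, phy in enumerate(frames):
        parsed = parse_uplink(phy)
        if parsed is None:
            continue
        dev_addr, fcnt = parsed
        prev = last_seen.get(dev_addr)
        if prev is not None and 0 < fcnt < prev:
            alerts.append((idx, dev_addr, prev, fcnt))  # keep prev as reference
        else:
            # First sighting, forward progress, or a reset to 0 (assumed rejoin).
            # Assumption: 16-bit FCnt wrap-around is not modelled here.
            last_seen[dev_addr] = fcnt
    return alerts

def build_frame(mtype, dev_addr, fcnt):
    """Constructed sample frame: real header layout, dummy payload, zeroed MIC."""
    raw = bytes([mtype << 5]) + struct.pack("<IBH", dev_addr, 0, fcnt)
    return base64.b64encode(raw + b"\x01" + b"\x00" * 6).decode()

# Constructed capture: (MType, DevAddr, FCnt); addresses are made up.
SAMPLE = [build_frame(*f) for f in [
    (0b010, 0x01020304, 10), (0b010, 0x01020304, 11), (0b010, 0x0A0B0C0D, 7),
    (0b010, 0x01020304, 12), (0b010, 0x01020304, 5),   # counter goes backwards
    (0b010, 0x0A0B0C0D, 0),  (0b010, 0x0A0B0C0D, 1),   # reset to 0, not flagged
    (0b000, 0x00000000, 0),                            # MType 0 stand-in, skipped
    (0b010, 0x01020304, 13),
]]

if __name__ == "__main__":
    for idx, dev, prev, got in find_counter_regressions(SAMPLE):
        print(f"frame {idx}: DevAddr {dev} sent FCnt {got} after {prev}")
```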