Node Impersonation Issues #18

@jotita3

Hello Matias, first of all, thanks for sharing this much needed project!

I am recreating your video of the presentation of the tool at Black Hat 2019. At the moment I have already managed to recreate the LAF-009 “Password cracked” alert without problems. Where I have problems is when recreating the LAF-007 alert “Received smaller counter than expected (distinct from 0)”. Here is my scenario and the results I have obtained:

Scenario:

1 Gateway (Raspberry Pi)
1 physical node (OTAA)
1 Ubuntu VM with LAF

Results:

I capture the JoinRequest and JoinAccept packets in the UdpProxy.py.

When I have gathered the AppKey, the DevNonce and have the package data in hexadecimal, I run Loracrack and a segfault occurs (Issue 1). I managed to solve this mishap using loracrack_genkeys (as indicated in the official loracrack repository). In summary, I have the NwkSKey and the AppSKey, I compare them with the Network Server and they are indeed correct.

I carry out the rest of the steps and capture an UnconfirmedDataUp to which I only modify the fCnt and the frmpayload for a B64 with the message “HACKED”. I sign the packet with the AppSKey and the NwkSKey and use the UdpSender.py to send the packet and impersonate the legitimate node. I transmit the packet with the “packet_forwarder” format as indicated in UdpSender.py since I am not using a GV but a GW and a Network Server.

I send the packet with dst-ip = localhost and dst-port = one of those that appear in UdpProxy.py (although I suspect that one of the factors in the problem is the port, I don't quite understand roughly minute 9:35 of the LAF YouTube video). Finally, the packet goes through the UdpProxy.py and the PacketForwarderCollector.py and is stored in the DB but does NOT impersonate the legitimate node: I check the Network Server and these "injected packets" do not appear in the history of the packets transmitted by the real node (no impersonation).

What can I be doing wrong?

I eagerly await your response. Thanks again!
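
A sketch of the kind of check the LAF-007 alert name describes, added here as an example; it is not LAF's own code and not part of the original post. It parses the base64 PHYPayload of LoRaWAN data uplinks and flags a frame counter that is lower than the last one seen for the same DevAddr and is not 0. The function and class names, the DevAddr and the sample frames are constructed for illustration.

```python
import base64
import struct

DATA_UP_MTYPES = {0b010, 0b100}  # UnconfirmedDataUp, ConfirmedDataUp

def parse_uplink(phy_b64):
    """Return (DevAddr hex, 16-bit FCnt) of a data uplink, else None."""
    raw = base64.b64decode(phy_b64)
    # MHDR(1) + DevAddr(4) + FCtrl(1) + FCnt(2) + MIC(4) = 12 bytes minimum
    if len(raw) < 12 or (raw[0] >> 5) not in DATA_UP_MTYPES:
        return None
    # DevAddr and FCnt are little-endian on the wire
    dev_addr, _fctrl, fcnt = struct.unpack_from("<IBH", raw, 1)
    return f"{dev_addr:08X}", fcnt

class CounterMonitor:
    """Hypothetical detector: remembers the last accepted FCnt per DevAddr."""
    def __init__(self):
        self.last_fcnt = {}

    def check(self, phy_b64):
        parsed = parse_uplink(phy_b64)
        if parsed is None:
            return None
        dev_addr, fcnt = parsed
        prev = self.last_fcnt.get(dev_addr)
        if prev is not None and 0 < fcnt < prev:
            # Keep the old value so later low counters still alert.
            return f"LAF-007 DevAddr={dev_addr} FCnt={fcnt} expected>={prev}"
        self.last_fcnt[dev_addr] = fcnt  # FCnt 0 is treated as a counter reset
        return None

def sample_frame(mtype, dev_addr, fcnt):
    """Constructed test frame: FPort 1, 2-byte payload, placeholder MIC."""
    head = struct.pack("<BIBH", mtype << 5, dev_addr, 0, fcnt)
    return base64.b64encode(head + b"\x01\xaa\xbb" + bytes(4)).decode()

def run_demo():
    mon = CounterMonitor()
    # Constructed sequence: normal, normal, lower counter, reset to 0, normal
    frames = [sample_frame(0b010, 0x26011BDA, n) for n in (10, 11, 5, 0, 1)]
    frames.append(sample_frame(0b000, 0, 0))  # not a data uplink, ignored
    return [mon.check(f) for f in frames]

if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Only the third frame (FCnt 5 after 11) raises the alert; the drop to 0 is handled as a counter reset, which matches the "distinct from 0" wording of the alert.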
