FREERADIUS - Wireless Pwnage Edition (WPE)

A patch for the popular open-source FreeRADIUS implementation to demonstrate RADIUS impersonation vulnerabilities by Joshua Wright and Brad Antoniewicz, demonstrated at Shmoocon 4.  This patch adds the following functionality:

- Simplifies the setup of FreeRADIUS by adding all RFC1918 addresses as acceptable NAS devices;
- Simplifies the setup of EAP authentication by including support for all FreeRADIUS supported EAP types;
- Adds WPE logging in $prefix/var/log/radius/freeradius-server-wpe.log, can be controlled in radius.conf by changing the “wpelogfile” directive;
- Simplified the setup of user authentication with a default "users" file that accepts authentication for any username;
- Adds credential logging for multiple EAP types including PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP and others

-FreeRadius WPE Homepage

 

Project Homepage: http://www.willhackforsushi.com/FreeRADIUS_WPE.html

 

 

Files:

 

Local Mirror: Freeradius-server-2.0.2.tar.gz

 

You will also need the FreeRadius WPE patch, which can be downloaded from the project homepage.

 

 

Installation:

 

The tool's homepage provides a thorough installation guide.

For a specific guide on installing FreeRadius in BackTrack 3, see: http://wiki.remote-exploit.org/index.php/Howto:FreeRadius

 

 

Initial Configuration:

 

You will need to configure a RADIUS-capable access point with the IP address of the FreeRadius WPE host and with the RADIUS server's shared key.  The shared key's default value in FreeRadius WPE is test (example below):

 

 

 

Running FreeRadius WPE:

 

First, we start the RADIUS daemon (radiusd):

 

radiusd

 

Now we monitor the FreeRadius WPE log file and wait for our first client connection:

 

tail -f /usr/local/var/log/radius/freeradius-server-wpe.log

 

NOTE: If this is the first time you are running FreeRadius WPE, this log file will not exist until a new connection is detected.

 

 

Client Login:

 

Now that FreeRadius WPE is up and running, we simply wait for a wireless user to connect to the rogue access point (see below):

 

 

 

Capturing the challenge and response:

 

Once the user initiates the authentication process, we are able to capture the MS-CHAPv2 challenge and response:

 

 

 

Recovering the password:

 

Using another of Josh Wright's tools, asleap, we are able to perform a dictionary attack against the captured MS-CHAPv2 challenge and response.  If the user's password is present in the dictionary, the clear-text password will be presented in the tool's output (e.g. Airhead below):

 

 

 

FreeRadius WPE Credential Logging Success and Failure Table (Windows Wireless Zero Configuration (WZC) only):

 

RED = FAILURE TO LOG USER CREDENTIALS

 

GREEN = SUCCESS IN LOGGING USER CREDENTIALS

 

| EAP Type | Validate Server Certificate | Do not prompt user to authorise new certificates | Authentication Method | Automatically use my Windows login name and password | FreeRadius WPE logs request |
|---|---|---|---|---|---|
| Protected EAP (PEAP) | Yes | Enabled | EAP-MSCHAP v2 | Yes | No |
| Protected EAP (PEAP) | Yes | Enabled | EAP-MSCHAP v2 | No | No |
| Protected EAP (PEAP) | Yes | Disabled | EAP-MSCHAP v2 | Yes | Yes* |
| Protected EAP (PEAP) | Yes | Disabled | EAP-MSCHAP v2 | No | Yes* |
| Protected EAP (PEAP) | No | N/A | EAP-MSCHAP v2 | Yes | Yes |
| Protected EAP (PEAP) | No | N/A | EAP-MSCHAP v2 | No | Yes |
| Protected EAP (PEAP) | Yes | N/A | Smart card or other certificate | N/A | No |
| Protected EAP (PEAP) | No | N/A | Smart card or other certificate | N/A | No |
| Smart card or other certificate | Yes | N/A | N/A | N/A | No |
| Smart card or other certificate | No | N/A | N/A | N/A | No |

Note: Smart card testing was not carried out.

 

* FreeRadius WPE will log authentication requests if the user agrees to validate the certificate manually AND the certificate installed on the RADIUS server has been signed by an authentic certification authority (the default example.com certificate will not suffice).
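
The table above, turned into a client-side audit: this is an added example, not code from the original page or the FreeRADIUS-WPE project, that reads a Windows WLAN profile and reports whether its PEAP settings fall into a "Yes", "Yes*" or "No" row. It assumes a profile exported with `netsh wlan export profile` on Windows Vista or later, and that the table's WZC results carry over to the equivalent profile elements; `SAMPLE_PROFILE`, `audit_profile` and the verdict names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PEAP_NS = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
# Constructed sample, trimmed to the elements this check reads (not a full profile).
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>CORP-WIFI</name>
 <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
   <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
  </ServerValidation>
  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
   <Type>26</Type>
  </Eap>
  <PeapExtensions>
   <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
  </PeapExtensions>
 </EapType>
</WLANProfile>"""


def _flag(node, tag):
    """True/False for a boolean descendant element in any namespace, None when absent."""
    found = node.find(f".//{{*}}{tag}")
    if found is None or found.text is None:
        return None
    return found.text.strip().lower() in ("true", "1")


def audit_profile(xml_text):
    """Classify one profile against the table; returns (verdict, reason)."""
    peap = ET.fromstring(xml_text).find(f".//{{{PEAP_NS}}}EapType")
    if peap is None:
        return ("not-peap", "no PEAP settings found")
    inner = peap.findtext("{*}Eap/{*}Type", default="").strip()
    if inner != "26":  # 26 = EAP-MSCHAPv2; the table lists certificate methods as "No"
        return ("ok", "inner method is not EAP-MSCHAP v2")
    # Absent elements are treated as the unsafe value (conservative assumption).
    if not _flag(peap, "PerformServerValidation"):
        return ("exposed", "server certificate is not validated")  # table: Yes
    if not _flag(peap, "DisableUserPromptForServerValidation"):
        return ("user-dependent", "user may accept a new certificate when prompted")  # Yes*
    return ("ok", "certificate validated and trust prompts disabled")  # table: No


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))  # constructed sample above
```

Only profiles that return "ok" match the rows where FreeRadius WPE logged nothing; "user-dependent" corresponds to the footnoted rows where the outcome rests on the user's response to the certificate prompt.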

 


 

 
 
  © Copyright 2010 Wirelessdefence.org. All Rights Reserved.