FREERADIUS - Wireless Pwnage Edition (WPE)

A patch for the popular open-source FreeRADIUS implementation to demonstrate RADIUS impersonation vulnerabilities by Joshua Wright and Brad Antoniewicz, demonstrated at Shmoocon 4.  This patch adds the following functionality:

- Simplifies the setup of FreeRADIUS by adding all RFC1918 addresses as acceptable NAS devices;
- Simplifies the setup of EAP authentication by including support for all FreeRADIUS supported EAP types;
- Adds WPE logging in $prefix/var/log/radius/freeradius-server-wpe.log, can be controlled in radius.conf by changing the “wpelogfile” directive;
- Simplified the setup of user authentication with a default "users" file that accepts authentication for any username;
- Adds credential logging for multiple EAP types including PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP and others

-FreeRadius WPE Homepage


Project Homepage:





Local Mirror: Freeradius-server-2.0.2.tar.gz


You will also need the FreeRadius WPE patch which can be downloaded from the project homepage.





The tool's homepage provides a thorough installation guide


For a specific guide on how to implement FreeRadius in BackTrack 3 see:



Initial Configuration:


You will need to configure a Radius-capable access point with the IP address of the FreeRadius WPE host, and also configure the access point with the Radius server's shared key. The shared key's default value in FreeRadius WPE is test (example below):




Running FreeRadius WPE:


First we start the radius daemon (radiusd)




Now we monitor the FreeRadius WPE log file and wait for our first client connection:


tail -f /usr/local/var/log/radius/freeradius-server-wpe.log


NOTE: This log file will not exist until a new connection is detected if this is the first time you are running FreeRadius WPE.



Client Login:


Now that FreeRadius WPE is up and running, we simply wait for a wireless user to connect to the rogue access point (see below):




Capturing the challenge and response:


Once the user initiates the authentication process, we are able to capture the MS-CHAPv2 challenge and response:




Recovering the password:


Using another of Josh Wright's tools, asleap, we are able to perform a dictionary attack against the captured MS-CHAPv2 challenge and response. If the user's password is present in the dictionary, the clear-text password will be shown in the tool's output (e.g. Airhead below):




FreeRadius WPE Credential Logging Success and Failure Table (Windows Wireless Zero Configuration (WZC) only):

| EAP Type | Validate Server Certificate | Do not prompt user to authorise new certificates | Authentication Method | Automatically use my Windows login name and password | FreeRadius WPE logs request |
|---|---|---|---|---|---|
| Protected EAP (PEAP) | Yes | Enabled | EAP-MSCHAP v2 | Yes | No |
| Protected EAP (PEAP) | Yes | Enabled | EAP-MSCHAP v2 | No | No |
| Protected EAP (PEAP) | Yes | Disabled | EAP-MSCHAP v2 | Yes | Yes* |
| Protected EAP (PEAP) | Yes | Disabled | EAP-MSCHAP v2 | No | Yes* |
| Protected EAP (PEAP) | No | N/A | EAP-MSCHAP v2 | Yes | Yes |
| Protected EAP (PEAP) | No | N/A | EAP-MSCHAP v2 | No | Yes |
| Protected EAP (PEAP) | Yes | N/A | Smart card or other certificate | N/A | No |
| Protected EAP (PEAP) | No | N/A | Smart card or other certificate | N/A | No |
| Smart card or other certificate | Yes | N/A | N/A | N/A | No |
| Smart card or other certificate | No | N/A | N/A | N/A | No |

Note: Smart card testing was not carried out.


* FreeRadius WPE will log authentication requests if the user agrees to validate the certificate manually AND the certificate installed on the radius server has been signed by an authentic certification authority (the default certificate will not suffice).
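
The table above can be applied as a client configuration check. The following is an added example, not code from the original page or from the FreeRadius WPE project: it reads the PEAP settings out of a Windows WLAN profile XML and reports which outcome from the table applies. It assumes the element names used in profiles exported with netsh wlan export profile (a later format than the WZC client tested above); the function names, result labels and the sample fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _named(root, name):
    """All elements with this local name, ignoring XML namespaces."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _flag(root, name):
    """True/False for a boolean element, or None when it is absent."""
    hits = _named(root, name)
    return (hits[0].text or "").strip().lower() == "true" if hits else None

def classify_peap_profile(xml_text):
    """Map a profile's EAP settings onto the 'logs request' column of the table."""
    root = ET.fromstring(xml_text)
    types = [(e.text or "").strip() for e in _named(root, "Type")]
    if "25" not in types:                      # 25 = PEAP
        return "out-of-scope"
    if "26" not in types:                      # 26 = EAP-MSCHAP v2 inner method
        return "not-logged"                    # certificate-based inner method
    validate = _flag(root, "PerformServerValidation")
    no_prompt = _flag(root, "DisableUserPromptForServerValidation")
    if validate is None:
        return "review"                        # setting missing: check by hand
    if not validate:
        return "logged"                        # table rows: Validate = No
    if no_prompt:
        return "not-logged"                    # Validate = Yes, prompt suppressed
    return "logged-if-user-accepts"            # the table's Yes* rows

def sample_profile(validate, no_prompt, inner="26"):
    """Constructed, trimmed EAP fragment (not a complete exported profile)."""
    ms = "http://www.microsoft.com/provisioning/"
    return f"""<Eap xmlns="{ms}BaseEapConnectionPropertiesV1"><Type>25</Type>
 <EapType xmlns="{ms}MsPeapConnectionPropertiesV1">
  <ServerValidation>
   <DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
  </ServerValidation>
  <Eap xmlns="{ms}BaseEapConnectionPropertiesV1"><Type>{inner}</Type></Eap>
  <PeapExtensions>
   <PerformServerValidation xmlns="{ms}MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
  </PeapExtensions>
 </EapType>
</Eap>"""

if __name__ == "__main__":
    for v, p in (("false", "false"), ("true", "false"), ("true", "true")):
        print(v, p, classify_peap_profile(sample_profile(v, p)))
```

Only the profiles reported as not-logged match the table rows where FreeRadius WPE records nothing; the "Automatically use my Windows login name and password" setting is not examined because the table shows it does not change the outcome.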


