FREERADIUS - Wireless Pwnage Edition (WPE)
A patch for the popular open-source FreeRADIUS implementation to demonstrate RADIUS impersonation vulnerabilities, by Joshua Wright and Brad Antoniewicz, demonstrated at Shmoocon 4. This patch adds the following functionality:
- Simplifies the setup of FreeRADIUS by adding all RFC1918 addresses as acceptable NAS devices;
- Simplifies the setup of EAP authentication by including support for all EAP types that FreeRADIUS supports;
- Adds WPE logging to $prefix/var/log/radius/freeradius-server-wpe.log; the log location can be controlled in radius.conf by changing the "wpelogfile" directive;
- Simplifies the setup of user authentication with a default "users" file that accepts authentication for any username;
- Adds credential logging for multiple EAP types including PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP and others.
Project Homepage: http://www.willhackforsushi.com/FreeRADIUS_WPE.html
Files:
Local Mirror: Freeradius-server-2.0.2.tar.gz
You will also need the FreeRadius WPE patch, which can be downloaded from the project homepage.
Installation:
The tool's homepage provides a thorough installation guide. For a specific guide on how to implement FreeRadius WPE in BackTrack 3 see:
http://wiki.remote-exploit.org/index.php/Howto:FreeRadius
Initial Configuration:
You will need to configure a RADIUS-capable access point with the IP address of the FreeRadius WPE host, and also configure the access point with the RADIUS server's shared key. The shared key's default value in FreeRadius WPE is "test" (example below):

Running FreeRadius WPE:
First we start the RADIUS daemon (radiusd):
radiusd
Now we monitor the FreeRadius WPE log file and wait for our first client connection:
tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
NOTE: If this is the first time you are running FreeRadius WPE, this log file will not exist until a new connection is detected.
Client Login:
Now that FreeRadius WPE is up and running, we simply wait for a wireless user to connect to the rogue access point (see below):

Capturing the challenge and response:
Once the user initiates the authentication process we are able to capture the MS-CHAPv2 challenge and response:

Recovering the password:
Using another of Josh Wright's tools, asleap, we are able to perform a dictionary attack against the captured MS-CHAPv2 challenge and response. If the user's password is present in the dictionary, the cleartext password is shown in the tool's output (e.g. "Airhead" below):

FreeRadius WPE Credential Logging Success and Failure Table (Windows Wireless Zero Configuration (WZC) only):
Legend: RED = failure to log user credentials; GREEN = success in logging user credentials (the last column carries the same result).

| EAP Type | Validate Server Certificate | Do not prompt user to authorise new certificates | Authentication Method | Automatically use my Windows login name and password | FreeRadius WPE logs request |
|---|---|---|---|---|---|
| Protected EAP (PEAP) | Yes | Enabled | EAP-MSCHAP v2 | Yes | No |
| Protected EAP (PEAP) | Yes | Enabled | EAP-MSCHAP v2 | No | No |
| Protected EAP (PEAP) | Yes | Disabled | EAP-MSCHAP v2 | Yes | Yes* |
| Protected EAP (PEAP) | Yes | Disabled | EAP-MSCHAP v2 | No | Yes* |
| Protected EAP (PEAP) | No | N/A | EAP-MSCHAP v2 | Yes | Yes |
| Protected EAP (PEAP) | No | N/A | EAP-MSCHAP v2 | No | Yes |
| Protected EAP (PEAP) | Yes | N/A | Smart card or other certificate | N/A | No |
| Protected EAP (PEAP) | No | N/A | Smart card or other certificate | N/A | No |
| Smart card or other certificate | Yes | N/A | N/A | N/A | No |
| Smart card or other certificate | No | N/A | N/A | N/A | No |

Note: Smart card testing was not carried out.
* FreeRadius WPE will log authentication requests if the user accepts to validate the certificate manually AND the certificate installed on the RADIUS server has been signed by an authentic certification authority (the default example.com certificate will not suffice).
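The table above is, from the defender's side, a checklist of supplicant settings: a client leaks its MS-CHAPv2 exchange to a rogue RADIUS server only when server-certificate validation is off, or when validation is on but the user is allowed to accept an unknown certificate (and the rogue presents one chained to a trusted CA, per the footnote). The following script is an added example, not part of the original page or of the FreeRadius WPE project: it audits an exported Windows 802.1X profile against exactly that rule. It assumes the EapHostConfig element names written by `netsh wlan export profile` on Windows Vista and later (PerformServerValidation, DisableUserPromptForServerValidation, UseWinLogonCredentials, and the EAP `Type` codes 25/26/13), mapped onto the WZC columns of the table; that mapping, and the profile excerpts themselves, are constructed for illustration, since the original table was produced with the Windows XP WZC user interface rather than from exported XML.

```python
"""Audit a Windows 802.1X (EAP) profile for the supplicant settings that decide
whether a rogue RADIUS server such as FreeRadius WPE can harvest the inner
MS-CHAPv2 exchange.

The decision rule encodes the WZC results table on this page:
  - server certificate validation off                 -> exposed
  - validation on, user may be prompted to accept     -> exposed if the user
    an unknown certificate                               accepts a CA-signed cert
  - validation on, user prompting disabled            -> protected
  - certificate / smart-card (EAP-TLS) authentication -> protected
Element names follow the EapHostConfig XML that `netsh wlan export profile`
writes on Windows Vista and later (assumed mapping onto the WZC columns); the
profiles below are constructed excerpts, not captured from a real machine.
"""
import xml.etree.ElementTree as ET

EAP_TLS = 13       # "Smart card or other certificate"
EAP_PEAP = 25      # Protected EAP
EAP_MSCHAPV2 = 26  # inner method "Secured password (EAP-MSCHAP v2)"

# Constructed, cut-down PEAP profile; {placeholders} are filled by make_peap_profile().
PEAP_TEMPLATE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>{prompt_disabled}</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>{inner}</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
            <UseWinLogonCredentials>{winlogon}</UseWinLogonCredentials>
          </EapType>
        </Eap>
        <PeapExtensions>
          <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>"""

# Constructed EAP-TLS profile: no password-based inner method at all.
TLS_PROFILE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
    </Eap>
  </Config>
</EapHostConfig>"""


def make_peap_profile(validate, prompt_disabled, winlogon=False, inner=EAP_MSCHAPV2):
    """Render one row of the page's table as a profile (booleans -> 'true'/'false')."""
    b = lambda v: "true" if v else "false"
    return PEAP_TEMPLATE.format(validate=b(validate), prompt_disabled=b(prompt_disabled),
                                winlogon=b(winlogon), inner=inner)


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _flag(root, name):
    """True only if an element with this local name exists and reads 'true'."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip().lower() == "true"
    return False


def audit_profile(xml_text):
    """Return the settings that matter and a verdict on rogue-RADIUS exposure."""
    root = ET.fromstring(xml_text)
    # <Type> elements appear in document order: outer method first, inner method second.
    types = [int(el.text) for el in root.iter() if _local(el.tag) == "Type"]
    outer, inner = types[0], (types[1] if len(types) > 1 else None)
    validate = _flag(root, "PerformServerValidation")
    prompt_disabled = _flag(root, "DisableUserPromptForServerValidation")
    winlogon = _flag(root, "UseWinLogonCredentials")

    if EAP_TLS in (outer, inner):
        verdict = "protected: certificate authentication, no password exchange"
    elif not validate:
        verdict = "exposed: server certificate is not validated"
    elif not prompt_disabled:
        verdict = "exposed if the user accepts a certificate from a trusted CA"
    else:
        verdict = "protected: validation enforced, user cannot override"
    if winlogon and verdict.startswith("exposed"):
        verdict += " (Windows logon credentials are what would leak)"
    return {"outer": outer, "inner": inner, "validate": validate,
            "prompt_disabled": prompt_disabled, "winlogon": winlogon, "verdict": verdict}


if __name__ == "__main__":
    # Every combination of the three PEAP/MS-CHAPv2 switches, then the EAP-TLS case.
    for v in (True, False):
        for p in (True, False):
            for w in (True, False):
                r = audit_profile(make_peap_profile(validate=v, prompt_disabled=p, winlogon=w))
                print(f"validate={v!s:5} prompt_disabled={p!s:5} winlogon={w!s:5} -> {r['verdict']}")
    print("EAP-TLS ->", audit_profile(TLS_PROFILE)["verdict"])
```

The "Automatically use my Windows login name and password" column does not change the verdict, matching the table: it only decides whether the harvested credential is the user's domain logon rather than a separately typed one, which is why the script appends that detail to an exposed verdict instead of making it a separate outcome. When validation is off, the prompt setting is irrelevant (the table's N/A), so the two extra combinations the loop prints collapse onto the same "exposed" result.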