A couple of years ago Josh Wright and I created FreeRADIUS-WPE (Wireless Pwnage Edition) for attacking WPA-Enterprise clients. It doesn't always need to be updated, because FreeRADIUS is a pretty solid RADIUS server; however, I was recently contacted about WPE not working well with clients using Windows 7's supplicant. Rather than troubleshoot the problem using the old version, I updated the patch to support the most recent FreeRADIUS release.
http://www.opensecurityresearch.com/files/freeradius-wpe-2.1.11.patch
http://www.opensecurityresearch.com/files/freeradius-server-wpe_2.1.11-1_i386.deb
I've also created a GitHub repo at https://github.com/brad-anton/freeradius-wpe
A quick note
Under "Advanced settings", "802.1X settings" there is a "Specify Authentication mode" option (shown in the image below). By default this option is unchecked. I've noticed that unless this option is checked and the drop-down is set to "User or computer authentication" or "User Authentication", FreeRADIUS just denies the connection. I'm looking into whether there is any way to address that, but as of now this setting has to be set in order for this to work reliably.
Installation from Source
wget ftp://ftp.freeradius.org/pub/radius/old/freeradius-server-2.1.11.tar.bz2
wget http://www.opensecurityresearch.com/files/freeradius-wpe-2.1.11.patch
tar -jxvf freeradius-server-2.1.11.tar.bz2
cd freeradius-server-2.1.11
patch -p1 < freeradius-wpe-2.1.11.patch
./configure
make
sudo make install
You may also have to:
cd /usr/local/etc/raddb/certs/
./bootstrap
Using Binary
If you're using the .deb, it has been tested with BackTrack 5 R1, but will likely work with other versions and Ubuntu/Debian.
wget http://www.opensecurityresearch.com/files/freeradius-server-wpe_2.1.11-1_i386.deb
sudo dpkg --install freeradius-server-wpe_2.1.11-1_i386.deb
sudo ldconfig
You may also have to:
cd /usr/local/etc/raddb/certs/
./bootstrap
Thanks Brad. I've updated your patch:
http://trac.pentoo.ch/changeset/2574
(files/freeradius-2.1.11-wpe.patch and config files)
feel free to backport it.
Hi Brad,
I installed everything as you've outlined and it is working fine...except that the log file "freeradius-server-wpe.log" never gets generated. Instead, a log file named "radius.log" appears in the log directory, but does not contain the Challenge and Response data...any idea what I'm doing wrong??
I'm running BT5 R1 KDE and a Windows7 wireless client.
Brad,
I just patched everything in my BackTrack R1, but when I try to connect the "users" file does not accept authentication for any username.
When I add a user to that file it works fine.
Any idea why it's not working?
Hi.. I'm having the same problem as Brian.. can't seem to get it to write out the wpe log. I've double-checked my paths and permissions and they look fine. Any thoughts?
Thanks
Bob
Anonymous, are you getting a "Rejecting unknown client" error? If so, you need to amend your clients.conf file to reflect the network that your AP is connecting from. Mine was using 192.168.1.1, and there was no definition in the file for that network.. once I added one, it worked great. Hope that helps.
Thanks in advance
Bob
I have tried installing, but when I try running radiusd -X, I get the following error: Could someone please assist? I am running out of ideas.
Thanks
Generating a 2048 bit RSA private key
...............Child PID 7198 is taking too much time: forcing failure and killing child.
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/etc/raddb/sites-enabled/default[299]: Failed to load module "eap".
/usr/local/etc/raddb/sites-enabled/default[241]: Errors parsing authenticate section.
root@xxx:/pentest/wireless/freeradius-server-2.1.11# ...................+++
also having an issue with the log file not being created.. BT R1 / Win 7 client with 'User or computer authentication' explicitly specified.
I can see the client attempting to connect in the debug log, (failing obviously) but no dice with the logging..
Hi,
I was having the same problem with the freeradius-wpe.log not being created. The solution is described in this link:
http://eznemegy.blog.hu/2008/12/14/using_rt2x00_wireless_driver_with_hostapd
Basically need to patch hostapd and recompile it (make, make install).
After this running radius with wpe patch and hostapd with wpe patch should work like a charm.