That was really helpful reading telot, I understand a bit more about RADIUS now.
I would take this opportunity to also post the security challenge that got me into learning about RADIUS, I would appreciate if you could give me some feedback:
So I recently got into college and was assigned an account (user/passwd) that is used to access several services. That got me thinking a little bit about security issues that come with this.
As obtaining a random user and its password would be possible through, for example, the RADIUS hacks in telot's given links, I thought about any security issues that would allow you to obtain a known username's password.
So for the rough layout:
There's a database with the credentials for the users, username and password. With the same username and password you can access:
- A gmail based webmail account
- A VPN server
- A WPA RADIUS PEAP wifi
- A moodle platform
- A general website with your information

Some of the options I considered:
Non-specific social engineering:
Mail phishing
Well, we are all aware of the advantages and problems of phishing, as depending on the human factor it can be both a clean, fast way of getting the information as well as a total disaster. In this case it has the added bonus of a single account accessing several platforms, giving the opportunity to choose which one to use as bait. We have access to the username, which is the same as the email address. Although it's not a "pretty" way of doing things, it is one of the most effective ones.

Keylogger
There is also the possibility of keylogging. I am not aware of the "latest" methods, but I have the idea (perhaps a wrong one?) that with the spread of free anti-viruses and firewalls that keep up with the latest malware almost to the hour, and users getting more educated not to open .exe files and other suspicious attachments, this is probably becoming an outdated form of social engineering, unless of course you are a skilled programmer and are able to write your own custom malware.
Case-specific methods:

Targeting the VPN server - ike-scan and VPN aggressive mode
Another option would be to use ike-scan to obtain the hash key of a determined username and crack it offline. This option would only be available in case the VPN server had the default "Aggressive mode" on. In this case, as it is a college environment with all the latest software updates and a brilliant IT team (probably not always the case), let's assume the server is well configured with Main Mode. I can't see any other ways to exploit the VPN for a hash.

WPA RADIUS PEAP wifi
Already discussed, as it was the subject of the topic. After some research through the sources provided, I reached the conclusion that although there are flaws in RADIUS and PEAP, the way the protocol works doesn't allow you to obtain any password hash from a user who didn't authenticate through your fake AP.
Last resource - brute-force the hell out of everything
There's this final alternative, although I think you all agree that it is not very appealing or viable. You could try to brute-force the VPN, RADIUS AP, gmail service, moodle, or website for the password. This could take years because online brute-forcing methods are slow; besides that, it is probably not even possible, as these services could and probably do offer protection against these attacks by blocking the account after a few attempts or giving a waiting period between them.

In my newbie opinion I think this environment is fairly safe, at least regarding credential stealing from a predetermined target, and I could only think of social engineering as the only possible hole, as it usually is.
What's your opinion?
This example and methods are only for research, discussion and curiosity's sake.
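Added example, not part of the post above: a lockout check run over constructed authentication events from the five services that share one credential store. It shows the point the brute-force paragraph relies on: if each service keeps its own failure counter, an account absorbs the threshold once per service, whereas a counter kept against the shared account trips after the threshold in total. The event list, service names and threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): failed logins for one account
# spread across the services that all authenticate against the same database.
EVENTS = [
    ("2024-03-01T10:00:00", "vpn",     "alice", "FAIL"),
    ("2024-03-01T10:00:05", "radius",  "alice", "FAIL"),
    ("2024-03-01T10:00:09", "webmail", "alice", "FAIL"),
    ("2024-03-01T10:00:14", "moodle",  "alice", "FAIL"),
    ("2024-03-01T10:00:20", "website", "alice", "FAIL"),
    ("2024-03-01T10:00:25", "vpn",     "alice", "FAIL"),
    ("2024-03-01T10:30:00", "webmail", "bob",   "FAIL"),
    ("2024-03-01T10:30:30", "webmail", "bob",   "OK"),
]

THRESHOLD = 5                 # failures tolerated inside the window (assumed)
WINDOW = timedelta(minutes=10)

def lockout_decisions(events, per_service):
    """Return {account: index of the event at which the account gets locked}.

    per_service=True counts failures separately per service, which is how
    independently configured services behave; per_service=False counts them
    against the shared account, which is where the credential actually lives.
    """
    fails = defaultdict(list)   # counter key -> timestamps of recent failures
    locked = {}
    for i, (ts, service, user, result) in enumerate(events):
        key = (user, service) if per_service else user
        now = datetime.fromisoformat(ts)
        if result == "OK":
            fails[key].clear()  # a success resets that key's counter
            continue
        fails[key] = [t for t in fails[key] if now - t <= WINDOW] + [now]
        if len(fails[key]) >= THRESHOLD and user not in locked:
            locked[user] = i
    return locked

def attempts_before_lockout(events, per_service):
    """Failed guesses an account absorbs before the policy triggers."""
    locked = lockout_decisions(events, per_service)
    return {u: sum(1 for e in events[:i + 1] if e[2] == u and e[3] == "FAIL")
            for u, i in locked.items()}

if __name__ == "__main__":
    print("per-service lockout:", attempts_before_lockout(EVENTS, True))
    print("per-account lockout:", attempts_before_lockout(EVENTS, False))
```

With per-service counters no service ever sees five failures for alice, so nothing locks; with the shared counter the account locks on the fifth failure regardless of which service received it.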