
Testing RADIUS


johnsmith911


Hi guys, so I recently accessed for the first time a wireless network with RADIUS username and password style instead of the traditional wifi PSK, got a bit curious and after a little research about its way of functioning and vulnerabilities I read that it was possible to obtain the MD5 hash relating to the password and username, but there seems to be little information on anything more specific.

Do you know how this works? Is the MD5 obtained by monitoring an authentication or can you fake simulate an authentication with a username and get the MD5 with the password?

Cheers ;)


When using RADIUS you are using WPA-Enterprise. This uses EAP to do the authentication and you can choose which EAP type to use. EAP-MD5 is an option but it is rarely used as it isn't secure.

If you have a look at FreeRADIUS WPE there is plenty of info there.

http://www.willhackforsushi.com/FreeRADIUS_WPE.html


Check out Vivek's wifi megaprimers 29-35 as well: http://www.securitytube.net/groups?operation=view&groupId=9 EAP-TTLS, PEAP, and MD5 all have various degrees of vulnerability. You might also want to take a look at chapcrack from Moxie: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

telot


That was really helpful reading, telot. I understand a bit more about RADIUS now.

I would take this opportunity to also post the security challenge that got me into learning about RADIUS. I would appreciate it if you could give me some feedback:

So I recently got into college and was assigned an account (user/passwd) that is used to access several services. That got me thinking a little bit about security issues that come with this.

As obtaining a random user and its password would be possible through, for example, the RADIUS hacks in telot's given links, I thought about any security issues that would allow for you to obtain a known username's password.

So for the rough layout:


There's a database with the credentials for the users, username and password.

With the same username and password you can access:

- A Gmail-based webmail account
- A VPN server
- A WPA RADIUS PEAP wifi
- A Moodle platform
- A general website with your information

Some of the options I considered:

Non-specific social engineering:

Mail phishing

Well, we are all aware of the advantages and problems of phishing, as depending on the human factor can be both a clean fast way of getting the information, as well as a total disaster. In this case it has the added bonus of a single account accessing several platforms, giving the opportunity to choose which one to use as bait. We have access to the username which is the same as the email address. Although it's not a "pretty" way of doing things it is one of the most effective ones.

Keylogger

There is also the possibility of keylogging. I am not aware of the "latest" methods, but I have the idea (perhaps a wrong one?) that with the spreading of free anti-viruses and firewalls that keep up with the latest malware almost to the hour, and users getting more educated not to open .exe files and other suspicious attachments, this is probably becoming an outdated form of social engineering, unless of course you are a skilled programmer and are able to write your own custom malware.

Case-specific methods:

Targeting the VPN server - ike-scan and VPN aggressive mode

Another option would be to use ike-scan to obtain the hash key of a determined username, and crack it offline. This option would only be available in case the VPN server had the default "Aggressive mode" on. In this case, as it is a college environment with all the latest software updates and a brilliant IT team (probably not always the case) let's assume the server is well configured with Main Mode. I can't see any other ways to exploit the VPN for a hash.

WPA RADIUS PEAP wifi:

Already discussed as it was the subject of the topic. After some research through the sources provided, I reached the conclusion that although there are flaws in RADIUS and PEAP, the way the protocol works doesn't allow you to obtain any password hash from a user who didn't authenticate through your fake AP.

Last resort - Brute-force the hell out of everything

There's this final alternative, although I think you all agree that it is not very appealing or viable. You could try to bruteforce the VPN, RADIUS AP, gmail service, moodle, or website for the password. This could take years because online bruteforcing methods are slow. Besides that, it is probably not even possible, as these services could and probably do offer protection against these attacks by blocking the account after a few attempts or giving a waiting period between them.

In my newbie opinion I think this environment is fairly safe, at least regarding credential stealing from a predetermined target, and I could only think about social engineering as the only possible hole, as it usually is.

What's your opinion?

This example and methods are only for research, discussion and curiosity's sake.
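Added example, not part of any post in this thread: the fake-AP exposure discussed above depends on the client accepting whatever RADIUS server certificate it is shown, so this sketch audits a wpa_supplicant configuration for EAP-MD5 and for PEAP/TTLS networks that do not validate the server. The sample configuration, SSIDs, paths and host names are constructed, and the function names are hypothetical.

```python
import re
# Constructed sample wpa_supplicant.conf; SSIDs, paths and names are made up.
SAMPLE_CONF = '''
network={
    ssid="campus-a"
    key_mgmt=WPA-EAP
    eap=MD5
}
network={
    ssid="campus-b"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="campus-c"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
'''
NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """List weaknesses of one WPA-Enterprise (802.1X) network block."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []  # PSK or open network: out of scope here
    methods = net.get("eap", "").upper().split()
    findings = []
    if "MD5" in methods:
        findings.append("EAP-MD5: no TLS tunnel and no server authentication")
    if {"PEAP", "TTLS"} & set(methods):
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("no CA configured: any server certificate is accepted")
        if not any(k in net for k in NAME_KEYS):
            findings.append("no server name check: any certificate from the CA passes")
    return findings

def audit_config(text):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}
```

`audit_config(SAMPLE_CONF)` flags `campus-a` for EAP-MD5 and `campus-b` for both missing checks, and returns no findings for `campus-c`.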
