
Trying to stump RADIUS


awwNope


Hi all,

I'm trying to do some internal sysadmin debugging stuff on a few machines, but since we have RADIUS turned on, it's locking the port out.

Is there a way to enable the spoofed MAC address for the 'external' port on the PS, but then when I do hook that port up, all traffic from the network gets blindly passed to the machine in question?

In my mind PS should be able to blindly pass packets to the machine behind it so that box can do the RADIUS auth, instead of the PS trying to negotiate an IP from the network. Does anyone know how the config would be written for this?


I've tried transparent, but it keeps not getting past RADIUS. I also need it to clone the target PC's MAC address- do you know if it's possible to do something like:

NETMODE TRANSPARENT CLONE

or would it be the other way around?


The other need for the MAC clone is that I have my switches set to shut down the port if it gets two MACs at once (such as if a switch is installed.)

I tried doing the code below, but it just keeps blinking the white LED, waiting for me to plug "into the wall" instead of switching to transparent mode after cloning the MAC.

NETMODE CLONE
SLEEP 10
NETMODE TRANSPARENT

 


10 hours ago, awwNope said:

I've tried transparent, but it keeps not getting past RADIUS. I also need it to clone the target PC's MAC address- do you know if it's possible to do something like:


NETMODE TRANSPARENT CLONE

or would it be the other way around?

NETMODE only takes 1 argument.

If the PS is in CLONE mode, sure, it will clone the MAC, but it also gets an IP from the WAN port, whereas TRANSPARENT won't, but it won't clone the MAC either (because it's never going to broadcast it, it's just acting as a "wire" or a dumb switch).

I think you're making it too complicated - you've said that the reason you want to clone the MAC is so the PS can pass-through all data as if it's not there. TRANSPARENT is made to do that - if RADIUS authentication isn't going through it's either a problem for Sebkinne to fix, or a problem on your end - whether it be the script or the way you've plugged your PS in.

Have you tried using the TCPDump payload? Here are the step-by-step instructions (just for clarity) on the configuration:

Quote

The USB flash drive must be formatted in either the NTFS (Windows, Mac OSX) or EXT4 (Linux) file system. This is of particular importance since most USB drives come formatted with a FAT32 or exFAT file system.

  1. Plug a USB drive formatted in NTFS or EXT4 into the USB host port on the right side of the Packet Squirrel.
  2. Flip the switch to position 1 to select the built-in tcpdump payload. Position one is on the far left, closest to the Micro USB power port.
  3. Plug the device you want to capture packets from into the Ethernet In port. It’s the Ethernet port on the left side above the Micro USB power port. This could be a computer, a network printer, an IP camera, or similar.
  4. Plug the network into the Ethernet Out port. That’s the one on the side with the USB type A female port.
  5. Power on the Packet Squirrel with a Micro USB cable and any ordinary USB power adapter like a smartphone charger, a computer’s USB port, USB battery bank, etc…
  6. Wait 40 seconds while the Packet Squirrel boots up, indicated by a flashing green LED. Once booted, tcpdump will begin saving pcap files containing the packets between the two Ethernet links to a loot folder on the inserted USB disk, indicated by a single flashing yellow LED.
  7. When you’re ready to stop capturing packets, press the button atop the Packet Squirrel. The LED will flash red to indicate that the file has completed writing to the USB flash drive. It is now safe to unplug the Packet Squirrel, remove the USB flash drive, and inspect the stored pcap file with a protocol analyzer such as Wireshark.

 


OK, so I have a bit more progress- after looking at pcap on my client and the PS, it looks like PS is not passing the 802.1X (Protocol EAPOL) from my client to the switch.

I usually don't swim in the deep end with networking stuff, so forgive me if this seems to be a 'no duh' thing. I'm going to do some more double packet capture later today, to see if I can find anything else that's not getting passed or behaving unexpectedly. If I notice enough of a trend, I'll bring this to Sebkinne's attention (I don't want to claim there's a bug if it's just me being a dope.)


  • 1 year later...

I am guessing this is because the bridge module uses the standard one, and drops EAPOL traffic. Likely need to follow the process done by 'skip' at DEFCON 19. This requires a rebuild of the kernel module, which I have not done for OpenWRT in a couple years ... maybe something the hak5 team can do in 30 minutes?
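Added example, not part of any post in this thread: a way to confirm the "double packet capture" finding by comparing raw Ethernet frames from both sides of the bridge and listing which EAPOL message types never appear on the switch side. EAPOL uses EtherType 0x888E and is normally addressed to the group address 01:80:C2:00:00:03, which sits in the reserved block that a standard 802.1D bridge does not forward; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

ETH_P_PAE = 0x888E  # EtherType carried by every EAPOL (802.1X) frame
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def is_bridge_filtered(dst: bytes) -> bool:
    """True for 01:80:C2:00:00:00-0F, the block an 802.1D bridge does not relay."""
    return dst[:5] == bytes.fromhex("0180c20000") and dst[5] <= 0x0F

def parse_eapol(frame: bytes):
    """Return a dict describing an EAPOL frame, or None for any other frame."""
    if len(frame) < 14:
        return None
    dst, ethertype, offset = frame[:6], struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip a single 802.1Q tag
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETH_P_PAE or len(frame) < offset + 4:
        return None
    version, ptype, _length = struct.unpack("!BBH", frame[offset:offset + 4])
    return {"dst": dst.hex(":"), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"type-{ptype}"),
            "bridge_filtered": is_bridge_filtered(dst)}

def summarize(frames):
    """Count EAPOL frames per message type in a list of raw Ethernet frames."""
    counts = {}
    for frame in frames:
        info = parse_eapol(frame)
        if info:
            counts[info["type"]] = counts.get(info["type"], 0) + 1
    return counts

def missing_after_bridge(client_side, switch_side):
    """EAPOL types captured on the client side but absent on the switch side."""
    before, after = summarize(client_side), summarize(switch_side)
    return sorted(t for t in before if after.get(t, 0) == 0)

def _frame(dst, src, ethertype, payload):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload

# Constructed samples: locally administered client MAC, PAE group destination.
CLIENT, PAE_GROUP = "020000000001", "0180c2000003"
EAPOL_START = _frame(PAE_GROUP, CLIENT, ETH_P_PAE, bytes([1, 1, 0, 0]))
ARP_REQ = _frame("ffffffffffff", CLIENT, 0x0806, bytes(28))
CLIENT_SIDE = [EAPOL_START, ARP_REQ]   # what the client sent
SWITCH_SIDE = [ARP_REQ]                # what reached the far side of the bridge

if __name__ == "__main__":
    print(parse_eapol(EAPOL_START))
    print("EAPOL types lost across the bridge:", missing_after_bridge(CLIENT_SIDE, SWITCH_SIDE))
```

To run it on real captures, feed it the raw frame bytes from each pcap in place of the two constructed lists.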
