I recently found an access point with WPA2 Enterprise configuration and EAP-MD5 authentication. Surely one of the last remaining, since this configuration is insecure, even more than WEP. But to my surprise, the password was quite robust.
Before entering the pit, let me make a brief introduction.
Both WPA and WPA2 support two different authentication methods:
1 -. Shared or PSK-toed Pre Shared Key, as simple as that both parties, the access point and all clients know the password password. Always the same.
2 -. "Enterprise" or 802.1x, where by a second radius authentication service validates called each of the different users and passwords using any of the extensions available on EAP (Extensible Authentication Protocol). One of these extensions is MD5.
For EAP-MD5, the verification of these credentials is done by a challenge and response as follows:
Until validation has been performed the access point only transmitted from the radius to the customer without being involved in the process.
The first step is to identify the client tries to connect with the user name "Identity" to the radius.
The radius responds with a packet containing the identifier of the request, such as "1", and a challenge that is randomly obtained md5 hash, for example: 6119212b50e2c9eba01fd618288f316c
The client obtains both values and with the password, for example "test", generates a new hash as follows: md5 (password + challenge + requestid), which translates as: md5 (\ x01test \ x61 \ x19 \ x21 \ x2b \ x50 \ xe2 \ XC9 \ xeb \ xa0 \ X1F \ xd6 \ x18 \ x28 \ X8F \ x31 \ 6c) and sends it back to the radius. In the above example: a4f3d177f37cff946daa45b8327e80c8
The radius will do the same md5 with the password for that user he knows and if you get the same hash sent to the client in response (a4f3d177f37cff946daa45b8327e80c8) is that the password is valid.
All this traffic is sent in clear text, so capture as connecting a customer can easily generate a dictionary attack on the password, generating many md5 as are necessary until it is obtained that the client sent in the last step .
With this concept there are a couple of scripts: eapmd5pass eapmd5crack and doing the work. But unfortunately these utilities are not optimized to test a large number of passwords in no time.
To try to optimize the process I modified eapmd5crack. Now instead of trying to get the password directly, create the necessary configuration to run hashcat later (if CPU) or if you have GPU oclhashcat showing the command to execute.
The script is available in the repository SbD.
Responding to a comment add this information explaining hashcat parameters:
-M 10: identifying which is a type MD5 hash: salt
- Quiet: to not display the full output and only the result.
- Hex-salt: to indicate that the salt (Submitted challange radius) is not a binary string in hexadecimal
- Outfile-format 7: to display the output with the result also in hexadecimal
ToPwn: is the file that contains the hash: salt
/ Usr / share / wordlists / rockyou.txt: the dictionary
Eap.rule-r: use to add the ID of the packet at the beginning of each word probada.Necesario as seen in the explanation of how the MD5 include.
sed awk ... is simply to remove the password of the ID package.
0 comments for "WPA / 2 ENTERPRISE - CRACKING EAP-MD5"