off topic - eapol_test alternative
Greetings FR-users, We don't have access to the shared secrets of a RADIUS server performing EAP, but we'd like to download the RADIUS server SSL certs. Is anyone aware of a GNU/Linux utility similar to eapol_test to do this? I'm not sure if NetworkManager can do it - I've searched the internet a bit. Is there a proprietary solution that anyone is aware of? Thanks for any pointers! -m
You'll see the EAP server cert in an over the air packet capture. On 3/12/18, 2:46 PM, "Freeradius-Users on behalf of Matt Zagrabelny" <freeradius-users-bounces+timc=hpe.com@lists.freeradius.org on behalf of mzagrabe@d.umn.edu> wrote: Greetings FR-users, We don't have access to the shared secrets of a RADIUS server performing EAP, but we'd like to download the RADIUS server SSL certs. Is anyone aware of a GNU/Linux utility similar to eapol_test to do this? I'm not sure if NetworkManager can do it - I've searched the internet a bit. Is there a proprietary solution that anyone is aware of? Thanks for any pointers! -m - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mon, 2018-03-12 at 18:55 +0000, Cappalli, Tim (Aruba Security) wrote:
You'll see the EAP server cert in an over the air packet capture.
Wireshark might show it from the EAPoL frames? You can also extract it from the RADIUS EAP-Message attributes if you've got a capture of the RADIUS packets. I've done it manually, but not sure if there's any utilities which will do it. Matthew
On 3/12/18, 2:46 PM, "Freeradius-Users on behalf of Matt Zagrabelny" <freeradius-users-bounces+timc=hpe.com@lists.freeradius.org on behalf of mzagrabe@d.umn.edu> wrote:
Greetings FR-users,
We don't have access to the shared secrets of a RADIUS server performing EAP, but we'd like to download the RADIUS server SSL certs. Is anyone aware of a GNU/Linux utility similar to eapol_test to do this?
I'm not sure if NetworkManager can do it - I've searched the internet a bit.
Is there a proprietary solution that anyone is aware of?
-- Matthew
On Mon, Mar 12, 2018 at 2:05 PM, Matthew Newton <mcn@freeradius.org> wrote:
On Mon, 2018-03-12 at 18:55 +0000, Cappalli, Tim (Aruba Security) wrote:
You'll see the EAP server cert in an over the air packet capture.
Wireshark might show it from the EAPoL frames?
Wireshark and tcpdump both exit as the interface (wlan0) is brought up. Both capture programs start fine with the interface not configured, but when I select an SSID in NetworkManager the capture exits immediately.
You can also extract it from the RADIUS EAP-Message attributes if you've got a capture of the RADIUS packets. I've done it manually, but not sure if there's any utilities which will do it.
I'm having a hard time getting the capture as libpcap seems to not want to transition between an L2 interface and an L2 + L3 interface. ?? Any help is appreciated. Thanks! -m
On Mon, 2018-03-12 at 14:17 -0500, Matt Zagrabelny wrote:
On Mon, Mar 12, 2018 at 2:05 PM, Matthew Newton <mcn@freeradius.org> wrote:
Wireshark and tcpdump both exit as the interface (wlan0) is brought up. Both capture programs start fine with the interface not configured, but when I select an SSID in NetworkManager the capture exits immediately.
Guess more likely that NetworkManager bounces the interface as it configures it. Might have more joy running wpasupplicant manually. But that is even more off-topic. -- Matthew
Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
We don't have access to the shared secrets of a RADIUS server performing EAP, but we'd like to download the RADIUS server SSL certs. Is anyone aware of a GNU/Linux utility similar to eapol_test to do this?
Are you looking for an alternative to eapol_test for some reason (?), or are you just not aware that eapol_test has a -o <filename> option which dumps the certs to a file?
On Mon, Mar 12, 2018 at 2:15 PM, Brian Julin <BJulin@clarku.edu> wrote:
Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
We don't have access to the shared secrets of a RADIUS server performing EAP, but we'd like to download the RADIUS server SSL certs. Is anyone aware of a GNU/Linux utility similar to eapol_test to do this?
Are you looking for an alternative to eapol_test for some reason (?),
It seems eapol_test needs a shared secret with the RADIUS server. I don't have that.
or are you just not aware that eapol_test has a -o <filename> option which dumps the certs to a file?
Yup. I'm aware of the option. Thanks! -m
Matt Zagrabelny <mzagrabe@d.umn.edu> wrote
It seems eapol_test needs a shared secret with the RADIUS server. I don't have that.
Ah I should have read more carefully. If you can wrest control of wpa_supplicant away from NetworkManager, and run it in the foreground with a lot of -d's it will dump its EAPOL traffic (including sensitive stuff). You'd be looking for several >= 1024 RX chunks followed by one smaller one with some messages about needing more data in between... that's sure to be the certificate chain as it's the biggest object transferred. Glue those chunks together (chop off 10 bytes I think at the start of each to get rid of the EAP header) and your certs are in there. You just have to concatinate those, unhex it, and figure out what parts to chop off to get each cert in the chain into some reasonable facsimili of a .DER file, I think, then use "openssl x509" to convert it to PEM or view it. But... the ASCII parts of the cert will immediately be visible with a simple strings command after unhexing. One afternoon of perl hackery and that all could be automated pretty easily...
Ah, much easier: This does the trick. You'll need to install text2pcap and have a copy of whatever NetWorkManager was using for a wireless.conf to truly check what's going on with a particular client. wpa_supplicant -ddddd -iwlan0 -c /etc/wpa_supplicant/wireless.conf | perl -ne 'print "00000000 ff ff ff ff ff ff 00 11 22 33 44 55 88 8e $1\n" if m/RX EAPOL - hexdump\(len=\d+\): (.*)/' | text2pcap - /tmp/eapol_crap.txt & sleep 30; wpa_cli terminate; wireshark /tmp/eapol_crap.txt
On Mon, Mar 12, 2018 at 3:31 PM, Brian Julin <BJulin@clarku.edu> wrote:
Ah, much easier:
No kidding! :)
This does the trick. You'll need to install text2pcap and have a copy of whatever NetWorkManager was using for a wireless.conf to truly check what's going on with a particular client.
wpa_supplicant -ddddd -iwlan0 -c /etc/wpa_supplicant/wireless.conf | perl -ne 'print "00000000 ff ff ff ff ff ff 00 11 22 33 44 55 88 8e $1\n" if m/RX EAPOL - hexdump\(len=\d+\): (.*)/' | text2pcap - /tmp/eapol_crap.txt & sleep 30; wpa_cli terminate; wireshark /tmp/eapol_crap.txt
Well... I've never used wpa_supplicant manually and have only used an open network and iwconfig, way back in the day, or NetworkManager for secure wireless networks. So the above script looks a bit out of my domain for knitting into NM. :/ I'll keep reading on NM and wpa_supplicant. Thanks for all the help! -m
On Mon, Mar 12, 2018 at 1:43 PM, Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
Greetings FR-users,
We don't have access to the shared secrets of a RADIUS server performing EAP, but we'd like to download the RADIUS server SSL certs. Is anyone aware of a GNU/Linux utility similar to eapol_test to do this?
Not solved yet, but I did find ssldump, which looks like it could be useful. -m
participants (4)
-
Brian Julin -
Cappalli, Tim (Aruba Security) -
Matt Zagrabelny -
Matthew Newton