Yet another shared secret mismatch issue
Hi all, I'm trying to configure hardware (MAC) auth using FreeRADIUS. It works nice with another provider, but on this new one seems to do shared secret signing wrong. Fri Jul 6 08:37:40 2018 : Info: Ready to process requests Fri Jul 6 08:37:50 2018 : Debug: (0) Received Access-Request Id 4 from 10.70.8.199:44611 to 172.16.250.2:8812 length 271 Fri Jul 6 08:37:50 2018 : Info: Dropping packet without response because of error: Received packet from 10.70.8.199 with invalid Message-Authenticator! (Shared secret is incorrect.) (wireshark decoding below) RADIUS Protocol Code: Access-Request (1) Packet identifier: 0x2 (2) Length: 271 Authenticator: 579f8d81dc3deb6a9f37ebae3d0b7cde Attribute Value Pairs AVP: l=14 t=User-Name(1): 9068C3435B5A AVP: l=18 t=User-Password(2): Encrypted AVP: l=6 t=Service-Type(6): Call-Check(10) AVP: l=6 t=NAS-IP-Address(4): 10.70.8.199 AVP: l=22 t=NAS-Identifier(32): WLAN-pruebas_udguest AVP: l=30 t=Called-Station-Id(30): DC0856003BF0:pruebas_udguest AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19) AVP: l=6 t=NAS-Port(5): 1 AVP: l=11 t=NAS-Port-Id(87): wifi-2.4G AVP: l=14 t=Calling-Station-Id(31): 9068C3435B5A AVP: l=46 t=Acct-Session-Id(44): 10.70.8.199_05/07/2018 12:13:28_9068c3435b5a AVP: l=6 t=Framed-MTU(12): 1400 AVP: l=28 t=Vendor-Specific(26) v=Xylan Corp.(800) AVP: l=20 t=Vendor-Specific(26) v=Xylan Corp.(800) AVP: l=18 t=Message-Authenticator(80): 7611eb291b65f41849d0451d3f027382 I have no doubt that FR does the right thing, and I'm sure that this is not a "maybe you didn't input the same secret in both places" issue. This is either a hardcoded secret (not their first time) or a bad implementation. They deny any wrongdoing on their part. I intend to prove that they are doing RADIUS secret wrong and have locate the fr_radius_verify function. My questions are: Can I brute force the secret somehow? Can I make my point to them somehow else? Regards, Alberto
On 12-07-18 08:59, Alberto Martínez Setién via Freeradius-Users wrote:
Hi all,
I'm trying to configure hardware (MAC) auth using FreeRADIUS. It works nice with another provider, but on this new one seems to do shared secret signing wrong.
Fri Jul 6 08:37:40 2018 : Info: Ready to process requests Fri Jul 6 08:37:50 2018 : Debug: (0) Received Access-Request Id 4 from 10.70.8.199:44611 to 172.16.250.2:8812 length 271 Fri Jul 6 08:37:50 2018 : Info: Dropping packet without response because of error: Received packet from 10.70.8.199 with invalid Message-Authenticator! (Shared secret is incorrect.)
(....)
I have no doubt that FR does the right thing, and I'm sure that this is not a "maybe you didn't input the same secret in both places" issue. This is either a hardcoded secret (not their first time) or a bad implementation.
They deny any wrongdoing on their part.
I intend to prove that they are doing RADIUS secret wrong and have locate the fr_radius_verify function.
My questions are: Can I brute force the secret somehow? Can I make my point to them somehow else?
https://wifiphil.blogspot.com/2015/12/troubleshooting-decrypt-radius-packets... You could use that to decrypt the User-Password attribute. If it turn out like garbage it probably used a different shared secret than you configured. -- Herwin Weststrate
Hi Herwin,
https://wifiphil.blogspot.com/2015/12/troubleshooting-decrypt-radius-packets...
You could use that to decrypt the User-Password attribute. If it turn out like garbage it probably used a different shared secret than you configured.
Garbage indeed. RADIUS Protocol Code: Access-Request (1) Packet identifier: 0x2 (2) Length: 271 Authenticator: 579f8d81dc3deb6a9f37ebae3d0b7cde Attribute Value Pairs AVP: l=14 t=User-Name(1): 9068C3435B5A AVP: l=18 t=User-Password(2): Decrypted: \223c\3711=\374\215E|\362B\343F\271d\227 AVP: l=6 t=Service-Type(6): Call-Check(10) AVP: l=6 t=NAS-IP-Address(4): 10.70.8.199 AVP: l=22 t=NAS-Identifier(32): WLAN-pruebas_udguest AVP: l=30 t=Called-Station-Id(30): DC0856003BF0:pruebas_udguest AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19) AVP: l=6 t=NAS-Port(5): 1 AVP: l=11 t=NAS-Port-Id(87): wifi-2.4G AVP: l=14 t=Calling-Station-Id(31): 9068C3435B5A AVP: l=46 t=Acct-Session-Id(44): 10.70.8.199_05/07/2018 12:13:28_9068c3435b5a AVP: l=6 t=Framed-MTU(12): 1400 AVP: l=28 t=Vendor-Specific(26) v=Xylan Corp.(800) AVP: l=20 t=Vendor-Specific(26) v=Xylan Corp.(800) AVP: l=18 t=Message-Authenticator(80): 7611eb291b65f41849d0451d3f027382 Thanks! -- Alberto Martínez Setién Middleware Comunicación y Sistemas Servicio Informático Universidad de Deusto Avda. de las Universidades, 24 48007 - Bilbao (SPAIN) Phone: +34 944 139 000 Ext. 2859 Fax: +34 944 139 101
Hi again, For the time being I am trying to brute-force the secret following this guide: http://openwall.info/wiki/john/Using-john-to-crack-RADIUS-shared-secrets I'll update if John finds the secret. Cheers, Alberto
On Jul 12, 2018, at 2:59 AM, Alberto Martínez Setién via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm trying to configure hardware (MAC) auth using FreeRADIUS. It works nice with another provider, but on this new one seems to do shared secret signing wrong.
It happens. :(
I have no doubt that FR does the right thing, and I'm sure that this is not a "maybe you didn't input the same secret in both places" issue. This is either a hardcoded secret (not their first time) or a bad implementation.
They deny any wrongdoing on their part.
They can: a) believe that they made a mistake, because some (likely) junior engineer screwed up b) believe that FreeRADIUS is wrong, even tho it's running in 10M different sites with ~1B different users authenticating every day. Those are really the only two options.
I intend to prove that they are doing RADIUS secret wrong and have locate the fr_radius_verify function.
My questions are: Can I brute force the secret somehow? Can I make my point to them somehow else?
Try it with 3-4 different RADIUS implementations. There are other (old, shitty) open source RADIUS servers available. When their equipment fails with all of them, it should be pretty clear that their equipment is crap. Alan DeKok.
participants (3)
-
Alan DeKok -
Alberto Martínez Setién -
Herwin Weststrate