Best way to capture RADIUS passwords

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Nov 9 21:41:15 CET 2012


On 9 Nov 2012, at 20:09, Steven Staples <sstaples at mnsi.net> wrote:

>> Subject: Best way to capture RADIUS passwords
>> 
>> I am migrating from one RADIUS setup that checks against a flat file with
>> usernames and passwords inside it, over to a RADIUS server with an LDAP
>> backend. I have used JTR to crack most of the passwords but I still have
>> some left over that JTR can't crack.
>> 
>> 
>> 
>> I was thinking of trying to run a packet capture to get the remaining
>> usernames and passwords. What would be the best way to do this? Run RADIUS
>> in debug mode Radius -X? Or try to use tcpdump and pick it up that way or
>> is it even possible to do? I have been trolling the internet for a few days
>> and have not come up with a good way to do it.
>> 
>> 
>> 
>> I setup tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w
>> rad-capture.lpc) , but when I check it out with wireshark I am unable to
>> see the password (just the username). Am I going about this the wrong way?
>> 
> 
> You can use the radpostauth and mysql... that will give you
> username/passwords of connected, and failed connect attempts.


post-auth {
	update request {
		Tmp-String-1 := `echo "%{User-Password}" >> /tmp/passwords`
	}
}

Provided you're doing PAP (as your copy of the passwords is hashed, I'm guessing you are).

The reason why you don't see them in tcpdump is because the passwords are also reversibly encrypted in the RADIUS packet.
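The transform Arran is referring to is the User-Password hiding scheme from RFC 2865 section 5.2: the password is NUL-padded to 16-octet blocks and each block is XORed with MD5(shared secret || previous block), seeded with the 16-byte Request Authenticator. The following is an added example (not code from the original thread or from FreeRADIUS) that implements that transform so you can see why Wireshark shows an opaque blob unless it is given the shared secret; the secret, password and authenticator used in demo() are constructed values. It also shows the property defenders should keep in mind: the only thing standing between a captured Access-Request and the plaintext is the shared secret, so secrets should be long and random and RADIUS traffic kept on a management network or wrapped in RadSec/IPsec.

```python
import hashlib
import os


def _xor(a, b):
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password, secret, authenticator):
    """Apply the RFC 2865 s5.2 User-Password transform (NAS side).

    password      - plaintext PAP password, 1..128 octets
    secret        - RADIUS shared secret for this client
    authenticator - the 16-octet Request Authenticator of the Access-Request
    Returns the octets that go on the wire in the User-Password attribute.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octets of password")
    # Pad with NULs up to a multiple of 16 octets (p1, p2, ... pn).
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator  # b1 = MD5(S + RA); bi = MD5(S + c(i-1))
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        cipher = _xor(padded[i:i + 16], key)
        out += cipher
        prev = cipher
    return out


def reveal_user_password(hidden, secret, authenticator):
    """Undo the transform (server side). Same chain, keyed on the cipher blocks.

    A wrong secret does not produce an error, just garbage, which is why a
    bad shared secret shows up as authentication failures rather than as
    a protocol error.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += _xor(block, key)
        prev = block
    return out.rstrip(b"\x00")  # strip the padding added by the NAS


def demo():
    """Round-trip a constructed password; returns (wire bytes, recovered password)."""
    authenticator = os.urandom(16)  # constructed; a real NAS picks this per request
    secret = b"constructed-shared-secret"
    password = b"correct horse battery staple"
    hidden = hide_user_password(password, secret, authenticator)
    return hidden, reveal_user_password(hidden, secret, authenticator)


if __name__ == "__main__":
    wire, recovered = demo()
    print("on the wire:", wire.hex())
    print("recovered  :", recovered.decode())
```

Because the scheme is a chained XOR with MD5 output, the same password sent under a different Request Authenticator hides to different bytes, which is the only thing stopping simple replay correlation; it offers no integrity protection and no forward secrecy, so treat a RADIUS shared secret with the same care as a password database.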

Also, you know OpenLDAP can use a bunch of different types of password hashes right? As in, it will even use them for validating authenticated binds. You just add the right header onto the password string... You probably don't even need to be cracking them.
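To make Arran's last point concrete: OpenLDAP's userPassword follows the RFC 2307 convention of a `{SCHEME}` prefix ({CRYPT}, {MD5}, {SHA}, {SSHA}, ...), and slapd verifies simple binds against whichever scheme is stored, so existing hashes can be carried straight across without ever cracking them. The following is an added example (not code from the thread, from FreeRADIUS or from OpenLDAP) that reads rlm_pap style check items from a FreeRADIUS users file and emits the matching userPassword values; the sample users-file lines and hash values are constructed, and it assumes your slapd is built with support for the schemes you emit ({CRYPT} in particular is a build-time option). The verify() function mirrors what slapd does for the unsalted and salted hash schemes so you can test a migrated value before cutting over.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample of a FreeRADIUS "users" file using rlm_pap check items.
# "bob" stores the unsalted MD5 of the word "secret", which JTR would crack
# instantly, but the point is that we do not need the plaintext at all.
SAMPLE_USERS = """\
alice  Crypt-Password := "$1$x1y2z3$constructedhashvalue"
bob    MD5-Password   := "5ebe2294ecd0e0f08eab7690d2a6ee69"
carol  Cleartext-Password := "constructed-plaintext"
"""

USERS_LINE = re.compile(r'^(\S+)\s+(\S+-Password)\s*:=\s*"([^"]*)"')
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def make_ssha(password, salt=None):
    """{SSHA}base64(sha1(password + salt) + salt), as in RFC 2307 / OpenLDAP."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def to_userpassword(attr, value):
    """Map an rlm_pap check attribute and its stored value to a userPassword value.

    Crypt-Password -> {CRYPT}<crypt(3) string>   (hash reused as-is)
    MD5-Password   -> {MD5}base64(raw digest)    (FreeRADIUS stores hex or base64)
    SHA-Password   -> {SHA}base64(raw digest)
    Cleartext-Password -> freshly salted {SSHA}, so no plaintext lands in LDAP
    """
    if attr == "Crypt-Password":
        return "{CRYPT}" + value
    if attr in ("MD5-Password", "SHA-Password"):
        raw = bytes.fromhex(value) if HEX_RE.match(value) else base64.b64decode(value)
        return "{" + attr.split("-")[0] + "}" + base64.b64encode(raw).decode()
    if attr == "Cleartext-Password":
        return make_ssha(value.encode())
    raise ValueError(f"no LDAP scheme for {attr}")


def migrate_users(text):
    """Parse users-file lines and return {username: userPassword value}."""
    entries = {}
    for line in text.splitlines():
        m = USERS_LINE.match(line)
        if m:
            user, attr, value = m.groups()
            entries[user] = to_userpassword(attr, value)
    return entries


def verify(password, stored):
    """Check a candidate password against a {MD5}/{SHA}/{SSHA} userPassword value.

    {CRYPT} is deliberately not handled here: slapd defers that to the C
    library's crypt(3), whose Python wrapper is deprecated.
    """
    scheme, _, data = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(data)
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(password).digest())
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(password).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())
    raise ValueError(f"unsupported scheme {scheme}")


if __name__ == "__main__":
    for user, pw in migrate_users(SAMPLE_USERS).items():
        print(f"dn: uid={user},ou=people,dc=example,dc=org")  # constructed base DN
        print(f"userPassword: {pw}\n")
```

Unsalted {MD5} and {SHA} values are only as strong as they were in the flat file; moving them into LDAP unchanged is fine for the cut-over, but it is worth forcing a password change (or re-hashing to {SSHA} at the user's next successful bind) afterwards rather than leaving crackable hashes in the directory indefinitely.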

-Arran
