EAP-pwd and NT-Password

Brian Candler b.candler at pobox.com
Fri Oct 7 19:16:14 CEST 2016

On 07/10/2016 15:30, Brian Candler wrote:
> Ah - so maybe Control:NT-Password is "NtPasswordHash" which means it 
> needs running through another iteration of MD4. I'll try that. 

In the end, I got it working. As well as the additional level of hashing:

- I wasn't sending the correct password prep type in the initial 
message. I now made this a module-level configuration.

- There was a bug in wpa_supplicant 2.6 where it was always sending back 
PREP_NONE even if the server asked for PREP_MS.

With those changes, it works. There is a proof-of-concept patch at:
but it needs extending to work with PREP_MS and CLEARTEXT_PASSWORD (it 
has to convert to UTF16LE and then hash twice)

The fix to wpa_supplicant 2.6 is below.



--- ./src/eap_peer/eap_pwd.c.orig    2016-10-02 19:51:11.000000000 +0100
+++ ./src/eap_peer/eap_pwd.c    2016-10-07 18:01:33.092325628 +0100
@@ -345,7 +345,7 @@
      wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);
      wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF);
      wpabuf_put_data(data->outbuf, id->token, sizeof(id->token));
-    wpabuf_put_u8(data->outbuf, EAP_PWD_PREP_NONE);
+    wpabuf_put_u8(data->outbuf, id->prep);
      wpabuf_put_data(data->outbuf, data->id_peer, data->id_peer_len);

      eap_pwd_state(data, PWD_Commit_Req);
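
Review bot: On the changed line, id->prep is copied into the response exactly as received, and nothing visible in this hunk checks that it is a prep type the peer actually implements. If the server asks for a value other than PREP_NONE or PREP_MS, the peer would now acknowledge it while still deriving the secret its own way, and the exchange would fail later with a less obvious error. Consider validating id->prep before this point and failing the method early on an unsupported value. A short comment here saying the prep type is echoed from the request would also help, since the old constant made the intent look deliberate.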

More information about the Freeradius-Users mailing list
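
The "convert to UTF16LE and then hash twice" step mentioned in the message, as an added example that is not part of the original post or of the FreeRADIUS or wpa_supplicant code. The function names are hypothetical, MD4 is written out because many Python builds no longer expose it through hashlib, and the sample password is the RFC 2759 test password.

```python
import struct

MASK = 0xFFFFFFFF
R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

def md4(msg: bytes) -> bytes:
    """MD4 as specified in RFC 1320."""
    n = len(msg)
    # Pad with 0x80, zeros up to 56 mod 64, then the bit length (64-bit LE).
    msg += b"\x80" + b"\x00" * ((55 - n) % 64) + struct.pack("<Q", n * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: F, words in natural order
                f, k, s = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4]
            elif i < 32:  # round 2: G, column-wise word order
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4]
            else:         # round 3: H, bit-reversed word order
                f = (b ^ c ^ d) + 0x6ED9EBA1
                k, s = R3_ORDER[j], (3, 9, 11, 15)[j % 4]
            t = (a + f + x[k]) & MASK
            # Rotate left by s, then rotate the register roles for the next step.
            a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK, b, c
        a, b, c, d = ((a + aa) & MASK, (b + bb) & MASK,
                      (c + cc) & MASK, (d + dd) & MASK)
    return struct.pack("<4I", a, b, c, d)

def nt_password_hash(password: str) -> bytes:
    # First hash: MD4 over the UTF-16LE password (the form NT-Password holds).
    return md4(password.encode("utf-16-le"))

def prep_ms_secret(cleartext=None, nt_password_hex=None) -> bytes:
    """Hypothetical helper: the PREP_MS secret from either stored form."""
    if (cleartext is None) == (nt_password_hex is None):
        raise ValueError("supply exactly one of cleartext or nt_password_hex")
    if cleartext is not None:
        nt = nt_password_hash(cleartext)       # cleartext needs both hashes
    else:
        nt = bytes.fromhex(nt_password_hex)    # stored hash needs only one more
        if len(nt) != 16:
            raise ValueError("NT-Password must be 16 bytes")
    return md4(nt)  # the additional MD4 iteration

if __name__ == "__main__":
    print(prep_ms_secret(cleartext="clientPass").hex())
```

Both stored forms must yield the same 16-byte secret; if they differ, the server and peer will not agree during the commit exchange.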