Subtitle: Don’t second guess Josh Wright & Scapy rocks

Tim Tomes (http://lanmaster53.com/) and I were asked to do a penetration test on a network with some 802.1X protection. I had a good bit going on at the time and Tim got to do all the hands on fun stuff (No.. I’m not bitter). We talked about attack strategies and bounced some ideas off each other on how to p0wn the network. While he did all the hands on, I got to write some code to help out.

Tim needed to do some brute force attacks against a 802.1X authentication packet that he captured, but there isn’t a tool out there to do that.     xtest does dictionary attacks, but not brute forcing.  He mentioned that SANS SEC660 covers a technique for doing it using a modified version of xtest to read passwords from STDIN. I said, “You don’t need to modify xtest.. just create a FIFO queue and read from there.”. So I dropped to a terminal and did something like this…

root@bt:/pentest/passwords/jtr# mknod pwque p
root@bt:/pentest/passwords/jtr# ./john -i:ALL –stdout > pwque &
root@bt:/pentest/passwords/jtr# ~/xtest-1.0/xtest -w ./pwque -c ~/xtest-1.0/sample-pcaps/7971G-EAP_Success.pcap

It doesn’t work. Lesson learned: Don’t question Josh Wright. There is a reason he rewrote part of the code. Both Tim and I are chomping at the bit to take SEC660, but we haven’t yet so we didn’t have access to the Josh’s modifications. Looking through the xtest code you can see a loop in “utils.c” in the password_discovery() function that looks like this…

/* Calculate Total Number of passwords for attack */
while( fgets(passwd, sizeof(passwd), in_file) != NULL ) {
wordcount++;
}
rewind(in_file);
printf(“[+] Attempting Dictionary Attack with %d passwords of the dictionary %s\n”,wordcount,dictFile);


while( fgets(passwd, sizeof(passwd), in_file) != NULL ) {


wordcount++;


}


rewind(in_file);


printf(“[+] Attempting Dictionary Attack with %d passwords of the dictionary %s\n”,wordcount,dictFile);

This loop reads the password file until it reaches the end and prints how many passwords it counted in the file. Then it does a “rewind” to start back at the beginning of the file with its guessing. That doesn’t work if you are brute forcing something and there is no end to of file. Remove ALL those lines of code and recompile so you can use the FIFO file object to brute force as input. After making that change the commands above works properly.   (Note:  Alternatively, you can use Josh’s patch.  Josh Wright was nice enough to email me his xtest patch.  You can download it here: xtest-stdin-warnfix.diff )

xtest can do more than just brute-force a EAP-MD5 hash in a packet capture and I kind of like having my password count in my output (the code we removed).  Tim said, “I bet SCAPY would make writing an EAP-MD5 brute-force pretty simple”. He was right. With SCAPY parsing packets is trivial. Writing an EAP-MD5 brute-force tool only requires a few lines of code.

Submitted for your approval: eapmd5crack.py

The tools accepts a packet capture containing an EAP-MD5 challenge and response and does a dictionary attack to determine the password. You can also use a FIFO queue to brute-force passwords with JTR.

Here is a sample run using a dictionary:


Download it here:
eapmd5crack.py



About the author