
Thread: Crack radius option

  1. #1 (Junior Member, joined Feb 2007, 47 posts)

    Crack radius option

    Hi

    Is it possible to crack an encryption with RADIUS support?
    ex: WPA with 802.1x (RADIUS)

    Thanks

  2. #2 theprez98 (Moderator, joined Jan 2010, Maryland, 2,533 posts)

    Quote Originally Posted by ASTRAPI:
    Hi

    Is it possible to crack an encryption with RADIUS support?
    ex: WPA with 802.1x (RADIUS)

    Thanks
    Possible...anything is possible. Although that doesn't mean it is likely, or easy.

    You're probably better off going the social engineering route than the cracking route.

  3. #3 (Just burned his ISO, joined Feb 2007, 11 posts)

    yes.

    It could be done, but if the double authentication process is on, it's hard or maybe impossible to make your attack in a hidden state.

    The essence of attacking 802.1x is based on state machine logic.

    If only one-way authentication is in process, MITM is possible.

    theSnail

  4. #4 imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    Quote Originally Posted by ASTRAPI:
    Hi

    Is it possible to crack an encryption with RADIUS support?
    ex: WPA with 802.1x (RADIUS)

    Thanks
    This is one of the primary reasons I've gotten back into 'offensive security'...

    I manage not only a (somewhat comprehensive) home net, but a network at work (that 'insists' on having wireless). I'm also subsequently one of those ppl to whom everyone in the book thinks they should call / confer with to network their soho nets...

    Anyways, I suppose the point I'm attempting to make now is the point that I've been trying to make to myself regarding wireless security: I'm not convinced that it is possible, whatsoever.

    A couple of months ago I had a convo with an IT friend of mine who flat out tried to convince me that wpa2 / eap-tls is 99.99999999999999999% secure... I called bullshit.

    So now I'm in the process of building my own APs with an authentication server to test/break the various protocols; RADIUS is on my plate currently, so I will post my findings after all is said/done.

  5. #5 balding_parrot (Developer, joined May 2007, 3,399 posts)

    Your IT friend obviously knows much more about this than you do.

    You are going to waste a lot of time on this and fail.

    WPA with a decent passphrase will take you tens of years or more to crack.
    WPA2 is going to be no different to WPA.
    WPA2 with a RADIUS server: you are in the region of hundreds if not thousands of years.

    A decent passphrase is something like:

    +@o|veeP63dMy_yKww=nCpg!__vO?aK!tLw_0L <NAzJ^Mw]xP9A^*^+UuX1SBM

    Unless someone uses a passphrase like this: mynetwork

    You are just going to waste a whole lot of time and effort for nothing.

  6. #6 imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    Quote Originally Posted by balding_parrot:
    WPA with a decent passphrase will take you tens of years or more to crack.
    ....WPA2 with a RADIUS server: you are in the region of hundreds if not thousands of years.

    A decent passphrase is something like:

    +@o|veeP63dMy_yKww=nCpg!__vO?aK!tLw_0L <NAzJ^Mw]xP9A^*^+UuX1SBM

    Unless someone uses a passphrase like this: mynetwork

    You are just going to waste a whole lot of time and effort for nothing.
    So are you saying that you would bet the farm that WPA2 w/ RADIUS auth is not at all crackable?

    What is your basis for the system resources of the cracking system that give you those figures?

    Are there not computer systems / network farms out there that can crack even a passphrase like the aforementioned in less time?

    I'm REALLY not trying to come across as a smart a$$, but let's think real world and realistic scenarios... where there's a will, time, effort and dinero, there's a way to cut that timeframe down.

  7. #7 balding_parrot (Developer, joined May 2007, 3,399 posts)

    If you do your research on creating a dictionary, you will soon find that a suitable dictionary to cover this type of passphrase will run into many hundreds of thousands of terabytes.

    Here is a quote from another thread on creating a dictionary:

    What exactly did you expect? Why do you think brute force attacks take so long? What you are trying to do is make a brute force dictionary.

    So let's say for argument's sake you look at the 128 characters in the standard ASCII table and a password is only 4 characters long:

    128x128x128x128 = 268,435,456 bytes for a 4 character password = 268 MB

    6 chars: 4,398,046,511,104 bytes = 4.5 TB, if I got my factors right in my head, and it's a Sunday afternoon so I might not have.

    OK, so 128 is extreme, so try 70 characters (or so) on a standard keyboard without any extra effort and not counting case sensitivity:

    4 chars = 24,010,000 bytes
    6 chars = 117,649,000,000 bytes
    So from that, if you take into account that the passphrase I gave would need you to create the dictionary using approx. 200 possible characters for each of the 63 characters in my passphrase, how big is that dictionary going to be and how long will it take to create?
    Supposing that you had created that dictionary, if you just limited it to only the lines that had 63 characters, it would have 9.223372036854775808e+144 words. A decent computer set to crack a WPA key, when it has all of the parts needed, can manage about 50 per second, which is about 1.8446744073709551616e+143 seconds to guarantee finding the right one, which is 5.8494241735507203247082699137494e+135 years.
    Now consider that I limited this to 200 characters when it could have been more like 350 or so.
    All of this is based on you knowing that I am using 63 characters; what if you don't know if it is 21, 43, 50, 8, 62 or whatever?

    All of this is based on just WPA, if you were to throw a RADIUS server into the mix then.... well you get the idea.

    So yes, at this moment in time I would bet the farm.
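The dictionary-size and exhaustion-time arithmetic in the post above, turned into reusable functions as an added Python example that is not part of the thread: it reproduces the 128^4, 70^6 and 200^63 figures, then generalises to the case the post raises at the end (the attacker does not know the length) by summing the keyspace over every length up to the maximum. The function names, the 365-day year and the `policy_report` summary are my own choices; the 50 guesses per second rate is the figure the post quotes and is only a default parameter.

```python
"""Keyspace and exhaustion-time estimates for a passphrase policy.

Added example (not from the thread): turns the arithmetic in post #7 into
functions a defender can use to size a WPA passphrase policy.
"""
import math
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 365-day year, matching the post's figures


def candidates(charset_size: int, length: int) -> int:
    """Distinct passphrases of exactly `length` symbols drawn from `charset_size` symbols."""
    if charset_size < 1 or length < 0:
        raise ValueError("charset_size must be >= 1 and length must be >= 0")
    return charset_size ** length


def candidates_up_to(charset_size: int, max_length: int, min_length: int = 1) -> int:
    """Total candidates when the attacker does not know the length and has to
    try every length from `min_length` to `max_length` inclusive."""
    if min_length < 1 or max_length < min_length:
        raise ValueError("need 1 <= min_length <= max_length")
    return sum(candidates(charset_size, n) for n in range(min_length, max_length + 1))


def dictionary_bytes(charset_size: int, length: int) -> int:
    """Size of a plain wordlist holding every candidate, one per line plus a newline."""
    return candidates(charset_size, length) * (length + 1)


def entropy_bits(charset_size: int, length: int) -> float:
    """Information content of a uniformly random passphrase, in bits."""
    return length * math.log2(charset_size)


def years_to_exhaust(total_candidates: int, guesses_per_second: int = 50) -> float:
    """Wall-clock years to try every candidate at a constant guess rate.

    The default rate is the 50 guesses/second the post quotes. Exact rational
    arithmetic keeps the huge intermediate values out of floating point until
    the final conversion.
    """
    if guesses_per_second < 1:
        raise ValueError("guesses_per_second must be >= 1")
    seconds = Fraction(total_candidates, guesses_per_second)
    return float(seconds / SECONDS_PER_YEAR)


def policy_report(charset_size: int, length: int, guesses_per_second: int = 50) -> dict:
    """Summary a defender can compare against a proposed passphrase policy."""
    known_len = candidates(charset_size, length)
    unknown_len = candidates_up_to(charset_size, length)
    return {
        "charset_size": charset_size,
        "length": length,
        "entropy_bits": entropy_bits(charset_size, length),
        "candidates": known_len,
        "wordlist_bytes": dictionary_bytes(charset_size, length),
        "years_known_length": years_to_exhaust(known_len, guesses_per_second),
        "years_unknown_length": years_to_exhaust(unknown_len, guesses_per_second),
    }


if __name__ == "__main__":
    # The post's worked cases, then the 63-character example passphrase.
    for cs, n in ((128, 4), (128, 6), (70, 4), (70, 6)):
        print(f"{cs}^{n} = {candidates(cs, n):,} candidates, "
              f"{dictionary_bytes(cs, n):,} bytes as a wordlist")
    r = policy_report(200, 63)
    print(f"200 symbols x 63 chars: {r['entropy_bits']:.1f} bits, "
          f"{r['years_known_length']:.3e} years at 50 guesses/s")
```

Note that the post's byte counts equal the candidate counts; `dictionary_bytes` additionally multiplies by the line length, which is what a wordlist on disk actually costs. The keyspace figures only describe a uniformly random passphrase: a dictionary word such as the post's "mynetwork" is found by a wordlist long before any of this arithmetic applies.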

  8. #8 imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    My theory is a combination of an availability attack to use bad length fields to try to crash the RADIUS server, followed by an integrity attack for replay, would be enough to crash a RADIUS server, and then performing a DoS... etc etc...

    I'm convinced (until I prove myself otherwise) that a network of this topology can be cracked... without an NSA basement Cray.

  9. #9 streaker69 (Senior Member, joined Jan 2010, Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, 3,535 posts)

    Quote Originally Posted by swc666:
    My theory is a combination of an availability attack to use bad length fields to try to crash the RADIUS server, followed by an integrity attack for replay, would be enough to crash a RADIUS server, and then performing a DoS... etc etc...

    I'm convinced (until I prove myself otherwise) that a network of this topology can be cracked... without an NSA basement Cray.
    But you're not going to be able to have that kind of access to the RADIUS server via wireless until you've cracked the WPA encryption. So unless you've got the money for a pocket Cray, I doubt even the method above is going to work.

  10. #10 balding_parrot (Developer, joined May 2007, 3,399 posts)

    All my previous calculations were done without taking into account the RADIUS server, so if you do bring it down you would still have to crack the WPA.
    If by bringing down the server you intend to actually use that to give you the key... then... I would still say that that kind of attack is a long way off and fraught with problems and dangers.
    Even if you did pull it off, it would be so noticeable that the passphrase would be changed when they bring the server back up anyway, so you would still not have the key.
