Nmap Development mailing list archives

Re: [NSE] eap-info


From: Riccardo Cecolin <nmap () rikiji de>
Date: Thu, 8 Mar 2012 12:09:44 +0100

Hi,

Are you using hostapd 0.7.3? I just made some tests, I found that when
using the wired driver with ieee802.1x authentication it behaves
differently than 0.6.10 (previous stable), maybe we could file a bug
because it's impossible to authenticate, even with wpa supplicant. I
found confirmation here:
http://lists.shmoo.com/pipermail/hostap/2010-May/021425.html

Basically the only proper way to test it with hostapd 0.7.3 would be
using a wireless AP or commenting the "return" in src/ap/ieee802_1x.c,
since it is looking for wlan association before accepting the packet:

        if (!sta || !(sta->flags & WLAN_STA_ASSOC)) {
                wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not "
                           "associated STA");
                //return;
        }

You can check that even running "wpa_supplicant -Dwired -ieth0 -c
/usr/share/doc/wpasupplicant/examples/ieee8021x.conf -dd" the
authenticator will never reply a second time to the supplicant. I think
this will just make it a little bit more uncomfortable to debug and
won't hurt the script, since this authenticator configuration is not
even usable with proper clients.

Riccardo


On Wed, Mar 7, 2012 at 4:54 PM, Patrik Karlsson <patrik () cqure net> wrote:


On Sat, Mar 3, 2012 at 4:24 PM, Riccardo Cecolin <nmap () rikiji de> wrote:

Thanks for checking it, I indeed made a mistake when reordering the
code for more readability... Attached there's a patched version with
also a minor fix that prevents an additional useless eap-start packet
in some cases.

Also maybe the category of the script has to be changed? Because
there's some simple MAC spoofing in order to avoid waiting for the hostapd
timeout when failing to authenticate. In this way it is possible to
scan dozens of auth protocols in less than half a second.

I'll send to you the configuration files I'm using to test it.

Riccardo


Hi Riccardo,

I just ran the script against a host running the configuration you sent me,
but I seem to have some problems.
The script always returns all mechanisms as unknown, even though I see
responses coming back.
Here's what I saw running with debug level 3:

Patriks-MacBook-Air:nmap-dev patrik$ sudo ./nmap --script eap-info -e en0 -d3

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-07 16:50 CET
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nmap-services
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nse_main.lua
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./scripts/script.db
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/stdnse.lua
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/strict.lua
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./scripts/eap-info.nse
NSE: Script eap-info.nse was selected by file path.
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/packet.lua
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/eap.lua
NSE: Loaded 1 scripts for scanning.
NSE: Loaded '/Users/patrik/hacktools/rd/nmap-dev/./scripts/eap-info.nse'.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting 'eap-info' (thread: 0x7f998b209df0).
Initiating NSE at 16:50
NSE: iface: en0
NSE: timeout: 10000
NSOCK (0.0480s) PCAP requested on device 'en0' with berkeley filter 'ether proto 0x888e' (promisc=1 snaplen=512 to_ms=357913941) (IOD #1)
NSOCK (0.0480s) PCAP created successfully on device 'en0' (pcap_desc=3 bsd_hack=1 to_valid=1 l3_offset=14) (IOD #1)
NSE: selected: EAP-TLS
NSE: selected: EAP-TTLS
NSE: selected: PEAP
NSE: selected: EAP-MSCHAP-V2
NSOCK (0.0480s) Pcap read request from IOD #1  EID 13
NSOCK (0.0490s) Callback: READ-PCAP SUCCESS for EID 13
NSE: packet size: 0x12
NSE: packet size: 0x12
NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
NSE: version: 1, type: EAPOL Start, length: 0x0
NSE: packet valid
NSOCK (0.0490s) Pcap read request from IOD #1  EID 21
NSOCK (0.0580s) Callback: READ-PCAP SUCCESS for EID 21
NSE: packet size: 0x3c
NSE: packet size: 0x3c
NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xA
NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
NSE: identity: hello
NSE: packet valid
NSE: server identity: hello
NSE: make eapol h?m??
NSOCK (0.0580s) Pcap read request from IOD #1  EID 29
NSOCK (0.0580s) Callback: READ-PCAP SUCCESS for EID 29
NSE: packet size: 0x20
NSE: packet size: 0x20
NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xE
NSE: code: Response, id: 0xC6, length: 0xE, type: Identity
NSE: identity: anonymous
NSE: packet valid
NSOCK (0.0580s) Pcap read request from IOD #1  EID 37
NSOCK (3.3390s) Callback: READ-PCAP SUCCESS for EID 37
NSE: packet size: 0x3c
NSE: packet size: 0x3c
NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xA
NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
NSE: identity: hello
NSE: packet valid
NSE: server identity: hello
NSE: make eapol h?m??
NSOCK (3.3390s) Pcap read request from IOD #1  EID 45
NSOCK (3.3400s) Callback: READ-PCAP SUCCESS for EID 45
NSE: packet size: 0x20
NSE: packet size: 0x20
NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xE
NSE: code: Response, id: 0xC6, length: 0xE, type: Identity
NSE: identity: anonymous
NSE: packet valid
NSOCK (3.3400s) Pcap read request from IOD #1  EID 53
NSOCK (9.4890s) Callback: READ-PCAP SUCCESS for EID 53
NSE: packet size: 0x3c
NSE: packet size: 0x3c
NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xA
NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
NSE: identity: hello
NSE: packet valid
NSE: server identity: hello
NSE: make eapol h?m??
NSOCK (9.4890s) Pcap read request from IOD #1  EID 61
NSOCK (9.4890s) Callback: READ-PCAP SUCCESS for EID 61
NSE: packet size: 0x20
NSE: packet size: 0x20
NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xE
NSE: code: Response, id: 0xC6, length: 0xE, type: Identity
NSE: identity: anonymous
NSE: packet valid
NSOCK (9.4890s) Pcap read request from IOD #1  EID 69
NSOCK (21.4660s) Callback: READ-PCAP SUCCESS for EID 69
NSE: packet size: 0x3c
NSE: packet size: 0x3c
NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xA
NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
NSE: identity: hello
NSE: packet valid
NSE: server identity: hello
NSE: make eapol h?m??
NSE: unknown  EAP-TTLS
NSE: unknown  EAP-TLS
NSE: unknown  EAP-MSCHAP-V2
NSE: unknown  PEAP
NSE: Finished 'eap-info' (thread: 0x7f998b209df0).
Completed NSE at 16:50, 21.42s elapsed
NSOCK (21.4670s) nsi_delete() (IOD #1)
NSE: N/A unknown protocol:0 > unknown protocol:0 | CLOSE
Pre-scan script results:
| eap-info:
| Available authentication methods with identity="anonymous" on interface en0
|   unknown  EAP-TTLS
|   unknown  EAP-TLS
|   unknown  EAP-MSCHAP-V2
|_  unknown  PEAP


Any ideas on what I'm doing wrong?

Cheers,
Patrik
--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
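The debug output in Patrik's message decodes each captured frame down to its EAPOL header and EAP header (code, identifier, length, type, identity), and Riccardo's reply explains why the authenticator never gets past Request/Identity. The following Python decoder is an added example written for this archive page; it is not code from the eap-info script, from nmap's eap.lua, or from hostapd. It rebuilds the four frames seen in the log (EAPOL-Start, Request/Identity "hello" with id 0xC6, Response/Identity "anonymous", and the repeated Request/Identity) from their wire layout, parses them back, and then classifies the exchange: either the authenticator proposes a method after the identity answer, or it re-sends the same Identity request, which is the pattern Riccardo's explanation predicts when hostapd drops the supplicant's frame. Assumptions: the decoder treats the first six bytes of a frame as the destination, as in Ethernet II, so which MAC address is the supplicant and which the authenticator is inferred from the direction of the Request frames in the log, and the "healthy" case with a PEAP request (EAP type 25, flags byte with the Start bit set) is constructed here rather than taken from the thread.

```python
import struct

ETHERTYPE_EAPOL = 0x888E

# Roles assumed from the direction of the Request frames in the debug log.
SUPPLICANT = bytes.fromhex("68A86D05F9CA")
AUTHENTICATOR = bytes.fromhex("080027CE22B8")
PAE_GROUP = bytes.fromhex("0180C2000003")   # 802.1X PAE group address

EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL Start", 2: "EAPOL Logoff", 3: "EAPOL Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAP-V2"}


def mac_str(raw):
    return raw.hex().upper()          # same notation the script's log uses


def build_eap(code, ident, eap_type, data=b""):
    """EAP packet (RFC 3748): code, identifier, length, type, type-data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def build_eapol(dst, src, eapol_type, body=b"", pad=False):
    """Ethernet II header + EAPOL header (version 1). pad=True mimics the
    60-byte minimum-size frames the log shows for received packets (0x3c)."""
    frame = dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
    frame += struct.pack("!BBH", 1, eapol_type, len(body)) + body
    return frame.ljust(60, b"\x00") if pad else frame


def parse_eap(body):
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length %d" % length)
    out = {"code": EAP_CODES.get(code, "unknown"), "id": ident, "length": length}
    if code in (1, 2):                 # Request and Response carry a type byte
        if length < 5:
            raise ValueError("EAP Request/Response without type byte")
        eap_type = body[4]
        out["type"] = EAP_TYPES.get(eap_type, "type %d" % eap_type)
        data = body[5:length]
        if eap_type == 1:
            out["identity"] = data.decode("ascii", "replace")
        else:
            out["data"] = data
    return out


def parse_frame(frame):
    """Decode one captured frame into the fields the script's debug log prints."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("ethertype 0x%04X is not EAPOL" % ethertype)
    version, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + eapol_len]
    if len(body) < eapol_len:
        raise ValueError("EAPOL length %d exceeds frame" % eapol_len)
    info = {"size": len(frame), "dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "version": version, "eapol_type": EAPOL_TYPES.get(eapol_type, "unknown"),
            "eapol_len": eapol_len}
    if eapol_type == 0:
        info.update(parse_eap(body))
    return info


def classify_exchange(frames, supplicant=SUPPLICANT):
    """After the supplicant answers Request/Identity, report what the
    authenticator asks next: a method, or the same Identity request again."""
    answered = False
    sup = mac_str(supplicant)
    for info in (parse_frame(f) for f in frames):
        if info["eapol_type"] != "EAP Packet":
            continue                    # EAPOL-Start/Logoff carry no EAP packet
        if info["src"] == sup:
            if info["code"] == "Response" and info["type"] == "Identity":
                answered = True
        elif info["code"] == "Request":
            if info["type"] != "Identity":
                return "proposed " + info["type"]
            if answered:
                return ("Request/Identity id 0x%02X repeated: "
                        "Response/Identity was not processed" % info["id"])
    return "no method request seen"


def sample_exchange(next_request_type=1):
    """Constructed replay of the four frames in the log. With the default the
    authenticator repeats Request/Identity (the log's situation); with 25 it
    proposes PEAP instead (constructed healthy case, Start flag 0x20)."""
    req_identity = build_eap(1, 0xC6, 1, b"hello")
    if next_request_type == 1:
        next_req = build_eap(1, 0xC6, 1, b"hello")
    else:
        next_req = build_eap(1, 0xC7, next_request_type, b"\x20")
    return [
        build_eapol(PAE_GROUP, SUPPLICANT, 1),                                    # 0x12 bytes
        build_eapol(SUPPLICANT, AUTHENTICATOR, 0, req_identity, pad=True),        # 0x3c bytes
        build_eapol(PAE_GROUP, SUPPLICANT, 0, build_eap(2, 0xC6, 1, b"anonymous")),  # 0x20 bytes
        build_eapol(SUPPLICANT, AUTHENTICATOR, 0, next_req, pad=True),
    ]


if __name__ == "__main__":
    for f in sample_exchange():
        print(parse_frame(f))
    print(classify_exchange(sample_exchange()))      # the log's situation
    print(classify_exchange(sample_exchange(25)))    # authenticator proposes PEAP
```

Running the script decodes the frames to the same sizes and lengths the log reports (0x12, 0x3c with EAPOL length 0xA, 0x20 with EAPOL length 0xE) and classifies the replayed log as a repeated Identity request, while the constructed PEAP variant is reported as a proposed method; the length checks in parse_eap and parse_frame are what keeps a truncated or oversized length field from reading past the captured frame.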
