Nmap Development mailing list archives
Re: [NSE] eap-info
From: Riccardo Cecolin <nmap () rikiji de>
Date: Thu, 8 Mar 2012 12:09:44 +0100
Hi,

Are you using hostapd 0.7.3? I just made some tests; I found that when using the wired driver with IEEE 802.1X authentication it behaves differently than 0.6.10 (previous stable). Maybe we could file a bug, because it's impossible to authenticate, even with wpa_supplicant.

I found confirmation here:
http://lists.shmoo.com/pipermail/hostap/2010-May/021425.html

Basically the only proper way to test it with hostapd 0.7.3 would be using a wireless AP or commenting out the "return" in src/ap/ieee802_1x.c, since it is looking for a WLAN association before accepting the packet:

    if (!sta || !(sta->flags & WLAN_STA_ASSOC)) {
        wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not "
                   "associated STA");
        //return;
    }

You can check that even running

    wpa_supplicant -Dwired -ieth0 -c /usr/share/doc/wpasupplicant/examples/ieee8021x.conf -dd

the authenticator will never reply a second time to the supplicant.

I think this will just make it a little bit more uncomfortable to debug and won't hurt the script, since this authenticator configuration is not even usable with proper clients.

Riccardo

On Wed, Mar 7, 2012 at 4:54 PM, Patrik Karlsson <patrik () cqure net> wrote:
> On Sat, Mar 3, 2012 at 4:24 PM, Riccardo Cecolin <nmap () rikiji de> wrote:
> > Thanks for checking it, I indeed made a mistake when reordering the code for more readability... Attached there's a patched version, also with a minor fix that prevents an additional useless eap-start packet in some cases.
> >
> > Also maybe the category of the script has to be changed? Because there's some simple MAC spoofing in order to avoid waiting for the hostapd timeout when failing to authenticate. In this way it is possible to scan dozens of auth protocols in less than half a second.
> >
> > I'll send you the configuration files I'm using to test it.
> >
> > Riccardo
>
> Hi Riccardo,
>
> I just ran the script against a host running the configuration you sent me, but I seem to have some problems. The script always returns all mechanisms as unknown, even though I see responses coming back. Here's what I saw running with debug level 3:
>
> Patriks-MacBook-Air:nmap-dev patrik$ sudo ./nmap --script eap-info -e en0 -d3
>
> Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-07 16:50 CET
> Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nmap-services
> PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
> The max # of sockets we are using is: 0
> --------------- Timing report ---------------
>   hostgroups: min 1, max 100000
>   rtt-timeouts: init 1000, min 100, max 10000
>   max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
>   parallelism: min 0, max 0
>   max-retries: 10, host-timeout: 0
>   min-rate: 0, max-rate: 0
> ---------------------------------------------
> Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nse_main.lua
> Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./scripts/script.db
> Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/stdnse.lua
> Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/strict.lua
> Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./scripts/eap-info.nse
> NSE: Script eap-info.nse was selected by file path.
> Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/packet.lua
> Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/eap.lua
> NSE: Loaded 1 scripts for scanning.
> NSE: Loaded '/Users/patrik/hacktools/rd/nmap-dev/./scripts/eap-info.nse'.
> NSE: Script Pre-scanning.
> NSE: Starting runlevel 1 (of 1) scan.
> NSE: Starting 'eap-info' (thread: 0x7f998b209df0).
> Initiating NSE at 16:50
> NSE: iface: en0
> NSE: timeout: 10000
> NSOCK (0.0480s) PCAP requested on device 'en0' with berkeley filter 'ether proto 0x888e' (promisc=1 snaplen=512 to_ms=357913941) (IOD #1)
> NSOCK (0.0480s) PCAP created successfully on device 'en0' (pcap_desc=3 bsd_hack=1 to_valid=1 l3_offset=14) (IOD #1)
> NSE: selected: EAP-TLS
> NSE: selected: EAP-TTLS
> NSE: selected: PEAP
> NSE: selected: EAP-MSCHAP-V2
> NSOCK (0.0480s) Pcap read request from IOD #1 EID 13
> NSOCK (0.0490s) Callback: READ-PCAP SUCCESS for EID 13
> NSE: packet size: 0x12
> NSE: packet size: 0x12
> NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
> NSE: version: 1, type: EAPOL Start, length: 0x0
> NSE: packet valid
> NSOCK (0.0490s) Pcap read request from IOD #1 EID 21
> NSOCK (0.0580s) Callback: READ-PCAP SUCCESS for EID 21
> NSE: packet size: 0x3c
> NSE: packet size: 0x3c
> NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
> NSE: version: 1, type: EAP Packet, length: 0xA
> NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
> NSE: identity: hello
> NSE: packet valid
> NSE: server identity: hello
> NSE: make eapol h?m??
> NSOCK (0.0580s) Pcap read request from IOD #1 EID 29
> NSOCK (0.0580s) Callback: READ-PCAP SUCCESS for EID 29
> NSE: packet size: 0x20
> NSE: packet size: 0x20
> NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
> NSE: version: 1, type: EAP Packet, length: 0xE
> NSE: code: Response, id: 0xC6, length: 0xE, type: Identity
> NSE: identity: anonymous
> NSE: packet valid
> NSOCK (0.0580s) Pcap read request from IOD #1 EID 37
> NSOCK (3.3390s) Callback: READ-PCAP SUCCESS for EID 37
> NSE: packet size: 0x3c
> NSE: packet size: 0x3c
> NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
> NSE: version: 1, type: EAP Packet, length: 0xA
> NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
> NSE: identity: hello
> NSE: packet valid
> NSE: server identity: hello
> NSE: make eapol h?m??
> NSOCK (3.3390s) Pcap read request from IOD #1 EID 45
> NSOCK (3.3400s) Callback: READ-PCAP SUCCESS for EID 45
> NSE: packet size: 0x20
> NSE: packet size: 0x20
> NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
> NSE: version: 1, type: EAP Packet, length: 0xE
> NSE: code: Response, id: 0xC6, length: 0xE, type: Identity
> NSE: identity: anonymous
> NSE: packet valid
> NSOCK (3.3400s) Pcap read request from IOD #1 EID 53
> NSOCK (9.4890s) Callback: READ-PCAP SUCCESS for EID 53
> NSE: packet size: 0x3c
> NSE: packet size: 0x3c
> NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
> NSE: version: 1, type: EAP Packet, length: 0xA
> NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
> NSE: identity: hello
> NSE: packet valid
> NSE: server identity: hello
> NSE: make eapol h?m??
> NSOCK (9.4890s) Pcap read request from IOD #1 EID 61
> NSOCK (9.4890s) Callback: READ-PCAP SUCCESS for EID 61
> NSE: packet size: 0x20
> NSE: packet size: 0x20
> NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
> NSE: version: 1, type: EAP Packet, length: 0xE
> NSE: code: Response, id: 0xC6, length: 0xE, type: Identity
> NSE: identity: anonymous
> NSE: packet valid
> NSOCK (9.4890s) Pcap read request from IOD #1 EID 69
> NSOCK (21.4660s) Callback: READ-PCAP SUCCESS for EID 69
> NSE: packet size: 0x3c
> NSE: packet size: 0x3c
> NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
> NSE: version: 1, type: EAP Packet, length: 0xA
> NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
> NSE: identity: hello
> NSE: packet valid
> NSE: server identity: hello
> NSE: make eapol h?m??
> NSE: unknown EAP-TTLS
> NSE: unknown EAP-TLS
> NSE: unknown EAP-MSCHAP-V2
> NSE: unknown PEAP
> NSE: Finished 'eap-info' (thread: 0x7f998b209df0).
> Completed NSE at 16:50, 21.42s elapsed
> NSOCK (21.4670s) nsi_delete() (IOD #1)
> NSE: N/A unknown protocol:0 > unknown protocol:0 | CLOSE
> Pre-scan script results:
> | eap-info:
> |   Available authentication methods with identity="anonymous" on interface en0
> |   unknown EAP-TTLS
> |   unknown EAP-TLS
> |   unknown EAP-MSCHAP-V2
> |_  unknown PEAP
>
> Any ideas on what I'm doing wrong?
>
> Cheers,
> Patrik
>
> --
> Patrik Karlsson
> http://www.cqure.net
> http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
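The frames in the debug output above (EAPOL-Start, EAP Request/Identity with id 0xC6 and identity "hello", EAP Response/Identity with "anonymous") follow the IEEE 802.1X EAPOL encapsulation and the RFC 3748 EAP header. The Python below is an added illustration for this archive page, not code from the eap-info script or Nmap's eap.lua, and it does not reproduce the script's probing logic: it builds and parses those frames, plus the Response/Nak by which an RFC 3748 supplicant proposes a different method type, and validates the length fields the way a practitioner must when reading frames from pcap. The two MAC addresses are the ones printed in the log; the sample frames themselves are constructed here, and the zero padding to 60 bytes reproduces the 0x3c-byte captures seen above.

```python
"""Minimal EAPOL (IEEE 802.1X) / EAP (RFC 3748) frame builder and parser.

Added illustration for this thread; not code from eap-info.nse or eap.lua.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1

EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL Start", 2: "EAPOL Logoff", 3: "EAPOL Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAP-V2"}

# The authenticator and supplicant MACs printed in the debug log above.
AUTHENTICATOR = bytes.fromhex("68a86d05f9ca")
SUPPLICANT = bytes.fromhex("080027ce22b8")


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP header (code, id, length) followed by an optional type byte and data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(dst, src, eapol_type, body=b"", pad_to=0):
    """Ethernet + EAPOL header around body; zero-pad the frame to pad_to bytes."""
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, eapol_type, len(body))
    return (dst + src + hdr + body).ljust(pad_to, b"\x00")


def eap_response_identity(dst, src, ident, identity):
    """Response/Identity, as the script sends in reply to Request/Identity."""
    return build_eapol(dst, src, 0, build_eap(2, ident, 1, identity.encode()))


def eap_nak(dst, src, ident, desired_types):
    """Response/Nak (RFC 3748 section 5.3): propose one or more method types."""
    return build_eapol(dst, src, 0, build_eap(2, ident, 3, bytes(desired_types)))


def parse_frame(frame):
    """Decode Ethernet/EAPOL/EAP into the fields the debug log prints."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype, version, eapol_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not EAPOL: ethertype 0x%04x" % ethertype)
    body = frame[18:18 + length]
    # The NIC pads short frames to 60 bytes (the 0x3c in the log), so the EAPOL
    # length field, not the capture length, bounds the body; but never trust a
    # length field that runs past what was actually captured.
    if len(body) < length:
        raise ValueError("EAPOL length %d exceeds captured bytes" % length)
    info = {"mac_src": src.hex().upper(), "mac_dest": dst.hex().upper(),
            "version": version, "eapol_type": EAPOL_TYPES.get(eapol_type, eapol_type),
            "length": length}
    if eapol_type != 0:          # EAPOL-Start/Logoff carry no EAP payload
        return info
    if length < 4:
        raise ValueError("EAP body shorter than its header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > length:
        raise ValueError("inconsistent EAP length %d" % eap_len)
    info.update(code=EAP_CODES.get(code, code), id=ident, eap_length=eap_len)
    if code in (1, 2):           # Request/Response carry a type byte
        if eap_len < 5:
            raise ValueError("Request/Response without type byte")
        eap_type = body[4]
        data = body[5:eap_len]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            info["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 3:
            info["desired"] = [EAP_TYPES.get(t, t) for t in data]
    return info


# Constructed to match the log's Request/Identity: id 0xC6, identity "hello",
# EAPOL length 0xA, padded by the NIC to 0x3c bytes.
REQUEST_IDENTITY = build_eapol(SUPPLICANT, AUTHENTICATOR, 0,
                               build_eap(1, 0xC6, 1, b"hello"), pad_to=60)

if __name__ == "__main__":
    print(parse_frame(build_eapol(AUTHENTICATOR, SUPPLICANT, 1)))
    print(parse_frame(REQUEST_IDENTITY))
    print(parse_frame(eap_response_identity(AUTHENTICATOR, SUPPLICANT, 0xC6, "anonymous")))
    print(parse_frame(eap_nak(AUTHENTICATOR, SUPPLICANT, 0xC6, [25])))
```

The parser reproduces the sizes in the log: the unpadded EAPOL-Start is 0x12 bytes, the Response/Identity for "anonymous" is 0x20, and the padded Request/Identity is 0x3c with an EAPOL length of only 0xA. Reading the body by capture length instead of the EAPOL length field would hand the EAP decoder 32 bytes of padding after "hello", which is the kind of mistake that turns a valid reply into an "unknown" result.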
Current thread:
- [NSE] eap-info Riccardo Cecolin (Feb 28)
- Re: [NSE] eap-info Patrik Karlsson (Mar 02)
- Re: [NSE] eap-info David Fifield (Mar 02)
- Re: [NSE] eap-info Riccardo Cecolin (Mar 03)
- Re: [NSE] eap-info Patrik Karlsson (Mar 07)
- Re: [NSE] eap-info Riccardo Cecolin (Mar 08)
- Re: [NSE] eap-info Patrik Karlsson (Mar 08)
- Re: [NSE] eap-info Riccardo Cecolin (Mar 08)
- Re: [NSE] eap-info Patrik Karlsson (Mar 02)