Nmap Development mailing list archives

Re: [NSE] eap-info


From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 2 Mar 2012 12:59:20 +0100

On Tue, Feb 28, 2012 at 10:32 PM, Riccardo Cecolin <nmap () rikiji de> wrote:

I'm working on an NSE script that implements a subset of the 802.1x
(EAP) protocol, I have a question about which is the correct way to
get an interface in a "prerule" script.
I'm forging directly the 802.1x packets and sending them with the dnet
library through a not yet configured network interface, but when I
open such interface with dnet:ethernet_open(), this function will
always fail unless the interface has an ip address configured, even if
it is up and cable-connected.
I'm trying to do that because I think it could be the standard
scenario of eap scanning. Is there a better way to access it from NSE
(without giving it a bogus ip)?

Attached there's a version of the mentioned library + script that
successfully enumerates all the available authentication methods when
tested against hostapd v0.6.10.
I found that some other authentication systems have different
behaviors (e.g. they do not respond to eap start packets) so the
script needs some more development and testing in different
environments, but it's a starting point.

Riccardo

nmap -dd -e eth2 -sn --script-trace --script=eap-info --datadir=. localhost
Pre-scan script results:
| eap-info:
| Available authentication methods with identity="anonymous" on interface eth2
|   true     PEAP
|   true     EAP-TTLS
|   false    EAP-TLS
|_  false    EAP-MSCHAP-V2

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Hi Riccardo,

Nice work. I looked into the dnet problem for you. As far as I can tell,
the problem is not in dnet, but rather occurs due to the way that the
function get_interface_info works. This function calls another function
(getInterfaceByName) passing the address family type along so that the
correct interface can be fetched. If there is no ip set this operation will
therefore fail. My preliminary tests show that if I remove the code that
checks for the address family and call the function for an interface having
no ip, the script will work. So, technically it could work without having
to set that dummy address. I'm not sure of the effort and how this is best
fixed though? Also, I just realized that the PPPoE script I implemented
recently would most likely suffer from the same problem.

I wasn't able to test your script, as I don't have a proper test
environment set up, but I noticed a problem. When you're using pcap to
receive responses, which is the only option in this case, you need to set
up the listener before sending the data that will trigger a response.
Otherwise, there's a risk that the response will come back before the
script has time to set up the listening pcap socket and you will miss it.
So the pcap_open should be called before eap.send_start.

What would be the easiest way for me to test this? Would two linux systems
in bridged vms do?
How does the configuration you're running hostapd with look?

Thanks,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
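The ordering Patrik describes (open the pcap listener, then send the frame that provokes the reply, then receive) in the shape of a minimal NSE prerule script. This is an added example written for this archive page; it is neither Riccardo's attached eap-info script nor code from the Nmap project. It assumes the NSE API as used by scripts of that era: nmap.get_interface(), nmap.get_interface_info(), nmap.new_socket() with pcap_open(device, snaplen, promisc, bpf)/pcap_receive()/pcap_close(), and nmap.new_dnet() with ethernet_open()/ethernet_send()/ethernet_close(). It only waits for the authenticator's EAP-Request/Identity; it does not enumerate methods.

```lua
local nmap = require "nmap"

description = [[
Added example: sends a single EAPOL-Start on the -e interface and waits for
the authenticator's EAP-Request/Identity. The pcap listener is opened BEFORE
the frame is sent, so a fast reply cannot be missed.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- 802.1X constants (IEEE 802.1X): PAE group address, EAPOL EtherType,
-- EAPOL packet types and the EAP code/type we look for.
local PAE_GROUP_ADDR   = string.char(0x01, 0x80, 0xc2, 0x00, 0x00, 0x03)
local ETHERTYPE_EAPOL  = string.char(0x88, 0x8e)
local EAPOL_VERSION    = 1
local EAPOL_TYPE_EAP   = 0   -- EAPOL carries an EAP packet
local EAPOL_TYPE_START = 1   -- EAPOL-Start
local EAP_CODE_REQUEST = 1
local EAP_TYPE_IDENTITY = 1

-- Ethernet header (dst, src, type) + 4-byte EAPOL header with empty body.
local function eapol_start(src_mac)
  return PAE_GROUP_ADDR .. src_mac .. ETHERTYPE_EAPOL
    .. string.char(EAPOL_VERSION, EAPOL_TYPE_START, 0x00, 0x00)
end

-- Returns the EAP identifier when l3 is EAPOL(EAP-Packet) carrying
-- EAP-Request/Identity, nil otherwise. Layout of l3:
--   1 version, 2 EAPOL type, 3-4 EAPOL length,
--   5 EAP code, 6 EAP id, 7-8 EAP length, 9 EAP type
local function parse_identity_request(l3)
  if #l3 < 9 then return nil end
  local eapol_type = l3:byte(2)
  local code, id, eap_type = l3:byte(5), l3:byte(6), l3:byte(9)
  if eapol_type == EAPOL_TYPE_EAP and code == EAP_CODE_REQUEST
     and eap_type == EAP_TYPE_IDENTITY then
    return id
  end
  return nil
end

-- Render a raw 6-byte MAC as aa:bb:cc:dd:ee:ff (local helper, not stdnse).
local function mac_str(mac)
  return (mac:gsub(".", function(c) return ("%02x:"):format(c:byte()) end)):sub(1, -2)
end

prerule = function()
  return nmap.get_interface() ~= nil
end

action = function()
  local iface = nmap.get_interface()
  -- As discussed in this thread, get_interface_info fails for an interface
  -- that has no IP address configured; bail out instead of guessing a MAC.
  local info = nmap.get_interface_info(iface)
  if not info or not info.mac then
    return ("Could not get interface info for %s (no IP address configured?)"):format(iface)
  end

  -- 1. Open the listener FIRST. The BPF filter keeps only EAPOL frames.
  local pcap = nmap.new_socket()
  pcap:set_timeout(5000)
  pcap:pcap_open(info.device, 256, false, "ether proto 0x888e")

  -- 2. Only now send the EAPOL-Start that provokes the reply.
  local dnet = nmap.new_dnet()
  dnet:ethernet_open(info.device)
  dnet:ethernet_send(eapol_start(info.mac))
  dnet:ethernet_close()

  -- 3. Receive until an EAP-Request/Identity arrives or the timeout fires.
  local result
  repeat
    local status, _, l2, l3 = pcap:pcap_receive()
    if not status then break end            -- timeout or error
    local id = parse_identity_request(l3)
    if id then
      -- bytes 7-12 of the Ethernet header are the source MAC
      result = ("EAP-Request/Identity (id %d) from %s"):format(id, mac_str(l2:sub(7, 12)))
    end
  until result
  pcap:pcap_close()

  return result or ("No EAP-Request/Identity received on %s"):format(iface)
end
```

Run it as a prerule script the same way as in Riccardo's command line (nmap -e <iface> -sn --script=<name> --datadir=. ...). The point of the three numbered steps is the race Patrik describes: if step 2 ran before step 1, an authenticator that answers within a few milliseconds could deliver its EAP-Request/Identity before the pcap handle exists, and the script would sit in pcap_receive until the timeout with nothing to show.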

