Re: [NSE] eap-info

[Riccardo Cecolin <nmap () rikiji de>]

Thanks for checking it, I indeed made a mistake when reordering the
code for more readability... Attached there's a patched version with
also a minor fix that prevents an additional useless eap-start packet
in some cases.

Also maybe the category of the script has to be changed? Because
there's some simple mac spoofing in order to avoid to wait the hostapd
timeout when failing to authenticate. In this way it is possible to
scan dozens of auth protocols in less than half a second.

I'll send to you the configuration files i'm using to test it.

Riccardo

On Fri, Mar 2, 2012 at 12:59 PM, Patrik Karlsson <patrik () cqure net> wrote:
> On Tue, Feb 28, 2012 at 10:32 PM, Riccardo Cecolin <nmap () rikiji de> wrote:
> > I'm working on a NSE script that implements a subset of the 802.1x
> > (EAP) protocol, i have a question about which is the correct way to
> > get an interface in a "prerule" script.
> > I'm forging directly the 802.1x packets and sending them with the dnet
> > library through a not yet configured network interface, but when I
> > open such interface with dnet:ethernet_open(), this function will
> > always fail unless the interface has an ip address configured, even if
> > it is up and cable-connected.
> > I'm trying to do that because I think it could be the standard
> > scenario of eap scanning. Is there a better way to access it from NSE
> > (without giving it a bogus ip)?
> >
> > Attached there's a version of the mentioned library + script that
> > successfully enumerates all the available authentication methods when
> > tested against hostapd v0.6.10.
> > I found that some other authentication systems have different
> > behaviors (e.g. they do not respond to eap start packets) so the
> > script needs some more development and testing in different
> > environments, but it's a starting point.
> >
> > Riccardo
> >
> > nmap -dd -e eth2 -sn --script-trace --script=eap-info --datadir=.
> > localhost
> > Pre-scan script results:
> > | eap-info:
> > | Available authentication methods with identity="anonymous" on interface
> > eth2
> > |   true     PEAP
> > |   true     EAP-TTLS
> > |   false    EAP-TLS
> > |_  false    EAP-MSCHAP-V2
> >
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://seclists.org/nmap-dev/
>
>
> Hi Riccardo,
>
> Nice work. I looked into the dnet problem for you. As far as I can tell, the
> problem is not in dnet, but rather occurs due to the way that the
> function get_interface_info works. This function calls another function
> (getInterfaceByName) passing the address family type along so that the
> correct interface can be fetched. If there is no ip set this operation will
> therefore fail. My preliminary tests show that if I remove the code that
> checks for the address family and call the function for an interface having
> no ip, the script will work. So, technically it could work without having to
> set that dummy address. I'm not sure of the effort and how this is best
> fixed though? Also, I just realized that the PPPoE script I implemented
> recently would most likely suffer from the same problem.
>
> I wasn't able to test your script, as I don't have a proper test environment
> set up, but I noticed a problem. When your using pcap to receive responses,
> which is the only option in this case, you need to set up the listener
> before sending the data that will trigger a response. Otherwise, there's a
> risk that the response will come back before the script has time to set up
> the listening pcap socket and you will miss it. So the pcap_open should be
> called before eap.send_start.
>
> What would be the easiest way for me to test this? Would two linux systems
> in bridged vms do?
> How does the configuration your running hostapd with look?
>
> Thanks,
> Patrik
> --
> Patrik Karlsson
> http://www.cqure.net
> http://twitter.com/nevdull77

Attachment: eap-info.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/