Nmap Development mailing list archives

Re: [NSE] eap-info


From: Patrik Karlsson <patrik () cqure net>
Date: Wed, 7 Mar 2012 16:54:58 +0100

On Sat, Mar 3, 2012 at 4:24 PM, Riccardo Cecolin <nmap () rikiji de> wrote:

Thanks for checking it; I indeed made a mistake when reordering the
code for more readability... Attached is a patched version that also
includes a minor fix preventing an additional, useless EAP-Start packet
in some cases.

Also, maybe the category of the script has to be changed? Because
there's some simple MAC spoofing in order to avoid waiting for the hostapd
timeout when failing to authenticate. This way it is possible to
scan dozens of auth protocols in less than half a second.

I'll send you the configuration files I'm using to test it.

Riccardo


Hi Riccardo,

I just ran the script against a host running the configuration you sent me,
but I seem to have some problems.
The script always returns all mechanisms as unknown, even though I see
responses coming back.
Here's what I saw running with debug level 3:

Patriks-MacBook-Air:nmap-dev patrik$ sudo ./nmap --script eap-info -e en0
-d3

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-07 16:50 CET
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nmap-services
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nse_main.lua
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./scripts/script.db
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/stdnse.lua
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/strict.lua
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./scripts/eap-info.nse
NSE: Script eap-info.nse was selected by file path.
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/packet.lua
Fetchfile found /Users/patrik/hacktools/rd/nmap-dev/./nselib/eap.lua
NSE: Loaded 1 scripts for scanning.
NSE: Loaded '/Users/patrik/hacktools/rd/nmap-dev/./scripts/eap-info.nse'.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting 'eap-info' (thread: 0x7f998b209df0).
Initiating NSE at 16:50
NSE: iface: en0
NSE: timeout: 10000
NSOCK (0.0480s) PCAP requested on device 'en0' with berkeley filter 'ether
proto 0x888e' (promisc=1 snaplen=512 to_ms=357913941) (IOD #1)
NSOCK (0.0480s) PCAP created successfully on device 'en0' (pcap_desc=3
bsd_hack=1 to_valid=1 l3_offset=14) (IOD #1)
NSE: selected: EAP-TLS
NSE: selected: EAP-TTLS
NSE: selected: PEAP
NSE: selected: EAP-MSCHAP-V2
NSOCK (0.0480s) Pcap read request from IOD #1  EID 13
NSOCK (0.0490s) Callback: READ-PCAP SUCCESS for EID 13
NSE: packet size: 0x12
NSE: packet size: 0x12
NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
NSE: version: 1, type: EAPOL Start, length: 0x0
NSE: packet valid
NSOCK (0.0490s) Pcap read request from IOD #1  EID 21
NSOCK (0.0580s) Callback: READ-PCAP SUCCESS for EID 21
NSE: packet size: 0x3c
NSE: packet size: 0x3c
NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xA
NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
NSE: identity: hello
NSE: packet valid
NSE: server identity: hello
NSE: make eapol h?m??
NSOCK (0.0580s) Pcap read request from IOD #1  EID 29
NSOCK (0.0580s) Callback: READ-PCAP SUCCESS for EID 29
NSE: packet size: 0x20
NSE: packet size: 0x20
NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xE
NSE: code: Response, id: 0xC6, length: 0xE, type: Identity
NSE: identity: anonymous
NSE: packet valid
NSOCK (0.0580s) Pcap read request from IOD #1  EID 37
NSOCK (3.3390s) Callback: READ-PCAP SUCCESS for EID 37
NSE: packet size: 0x3c
NSE: packet size: 0x3c
NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xA
NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
NSE: identity: hello
NSE: packet valid
NSE: server identity: hello
NSE: make eapol h?m??
NSOCK (3.3390s) Pcap read request from IOD #1  EID 45
NSOCK (3.3400s) Callback: READ-PCAP SUCCESS for EID 45
NSE: packet size: 0x20
NSE: packet size: 0x20
NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xE
NSE: code: Response, id: 0xC6, length: 0xE, type: Identity
NSE: identity: anonymous
NSE: packet valid
NSOCK (3.3400s) Pcap read request from IOD #1  EID 53
NSOCK (9.4890s) Callback: READ-PCAP SUCCESS for EID 53
NSE: packet size: 0x3c
NSE: packet size: 0x3c
NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xA
NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
NSE: identity: hello
NSE: packet valid
NSE: server identity: hello
NSE: make eapol h?m??
NSOCK (9.4890s) Pcap read request from IOD #1  EID 61
NSOCK (9.4890s) Callback: READ-PCAP SUCCESS for EID 61
NSE: packet size: 0x20
NSE: packet size: 0x20
NSE: mac_src: 0180C2000003, mac_dest: 68A86D05F9CA, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xE
NSE: code: Response, id: 0xC6, length: 0xE, type: Identity
NSE: identity: anonymous
NSE: packet valid
NSOCK (9.4890s) Pcap read request from IOD #1  EID 69
NSOCK (21.4660s) Callback: READ-PCAP SUCCESS for EID 69
NSE: packet size: 0x3c
NSE: packet size: 0x3c
NSE: mac_src: 68A86D05F9CA, mac_dest: 080027CE22B8, ether_type: 0x888E
NSE: version: 1, type: EAP Packet, length: 0xA
NSE: code: Request, id: 0xC6, length: 0xA, type: Identity
NSE: identity: hello
NSE: packet valid
NSE: server identity: hello
NSE: make eapol h?m??
NSE: unknown  EAP-TTLS
NSE: unknown  EAP-TLS
NSE: unknown  EAP-MSCHAP-V2
NSE: unknown  PEAP
NSE: Finished 'eap-info' (thread: 0x7f998b209df0).
Completed NSE at 16:50, 21.42s elapsed
NSOCK (21.4670s) nsi_delete() (IOD #1)
NSE: N/A unknown protocol:0 > unknown protocol:0 | CLOSE
Pre-scan script results:
| eap-info:
| Available authentication methods with identity="anonymous" on interface
en0
|   unknown  EAP-TTLS
|   unknown  EAP-TLS
|   unknown  EAP-MSCHAP-V2
|_  unknown  PEAP


Any ideas on what I'm doing wrong?

Cheers,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
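As an added example (not part of this thread or of the eap-info script), a Python decoder for the EAPOL/EAP header fields that the debug output above prints, plus a check that flags an authenticator re-sending a Request with an Identifier the peer has already answered, which is what the repeated id 0xC6 in the log shows. The sample frames are constructed from the field values in the log (MACs, id 0xC6, identities "hello" and "anonymous", lengths 0xA and 0xE); the Lua script's own frame handling is not reproduced here.

```python
import struct
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL Start", 2: "EAPOL Logoff", 3: "EAPOL Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAP-V2"}

def parse_eapol(frame: bytes) -> dict:
    """Decode Ethernet + EAPOL (+ EAP) headers into the fields the debug output prints."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame (too short or wrong ether_type)")
    version, etype, elen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + elen]            # anything past elen is Ethernet padding (the 0x3c frames)
    if len(body) < elen:
        raise ValueError("EAPOL length exceeds frame")
    pkt = {"mac_src": frame[6:12].hex().upper(), "mac_dest": frame[0:6].hex().upper(),
           "version": version, "type": EAPOL_TYPES.get(etype, f"type {etype}"), "length": elen}
    if etype != 0:
        return pkt                        # EAPOL Start/Logoff carry no EAP payload
    if elen < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length > elen:
        raise ValueError("EAP length exceeds EAPOL body")
    pkt.update(code=EAP_CODES.get(code, f"code {code}"), id=ident)
    if code in (1, 2) and length >= 5:    # only Request/Response carry a Type byte
        pkt.update(eap_type=EAP_TYPES.get(body[4], f"type {body[4]}"), data=body[5:length])
    return pkt

def repeated_request_ids(frames) -> list:
    """Identifiers of Requests the authenticator re-sent after we had answered that id. Per
    RFC 3748 a new round gets a new Identifier, so a repeat means our Response was not accepted."""
    answered, repeats = set(), []
    for pkt in map(parse_eapol, frames):
        if pkt.get("code") == "Response":
            answered.add(pkt["id"])
        elif pkt.get("code") == "Request" and pkt["id"] in answered:
            repeats.append(pkt["id"])
    return repeats

def build(src, dst, etype, eap=b"", pad_to=0):  # constructed test frames, not captured bytes
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, etype, len(eap))
    return (bytes.fromhex(dst) + bytes.fromhex(src) + hdr + eap).ljust(pad_to, b"\0")

def eap(code, ident, eap_type, data):
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

SERVER, STATION, PAE_GROUP = "68A86D05F9CA", "080027CE22B8", "0180C2000003"  # MACs from the log
REQUEST = build(SERVER, STATION, 0, eap(1, 0xC6, 1, b"hello"), pad_to=60)     # length 0xA in a 0x3c frame
RESPONSE = build(STATION, SERVER, 0, eap(2, 0xC6, 1, b"anonymous"))           # length 0xE
SAMPLE_EXCHANGE = [build(STATION, PAE_GROUP, 1), REQUEST, RESPONSE, REQUEST, RESPONSE, REQUEST]
```

Running `repeated_request_ids(SAMPLE_EXCHANGE)` on the constructed exchange reports id 0xC6 twice, the same pattern as the log, where the authenticator never moves past the Identity round.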