Saturday, December 22, 2012
RADIUS Brute-Force Tool
I was doing an assessment of an authentication solution using the RADIUS protocol and needed to verify whether a lock-out policy was enforced, and to confirm my suspicion that one-time passwords were not used on all accounts.
Lock-out policies are useful and truly are a good countermeasure against brute-force attacks. Delaying an Access-Reject in the RADIUS server, even by just a second, renders a brute-force attack useless because it takes too long.
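The delay described above is a standard knob in FreeRADIUS: the reject_delay setting in the security section of radiusd.conf holds each Access-Reject back for the given number of seconds, while an Access-Accept is sent immediately, so legitimate users hardly notice and a guessing loop that waits for each answer is slowed to roughly one attempt per second. The fragment below is an added illustration, not configuration from the post; only the reject_delay lines are shown, and the weak value is kept as a comment next to the hardened one.

```conf
# radiusd.conf (FreeRADIUS) -- added illustration, not configuration from the post
security {
        # Weak: no delay, an Access-Reject goes out as fast as the server can answer.
        # reject_delay = 0

        # Hardened: hold every Access-Reject for one second. Access-Accept is not
        # delayed, so the cost lands on failed attempts only.
        reject_delay = 1
}
```

The delay throttles guessing but does not replace a lock-out policy, which is why the post checks for both.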
I started to investigate and browse the web for a RADIUS brute-force tool, but I could not find one.
radclient, which ships with FreeRADIUS, can surely be used in combination with bash or shell scripting.
I found Pyrad, which was exactly what I was after:
a RADIUS packet creator in Python!
So I started to look at the examples and combine their functionality.
This is what I came up with:
radcrack.py
The output:
# ./radcrack.py userfile passfile
Attacking target...
Sending authentication request User-Name: admin
Access accepted: admin,password
To note:
A RADIUS server needs the following for this to apply:
- The shared secret configured on the client (attacker) and on the server must match.
- The source IP address must match a client configured on the server.
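Seen from the server side, the two requirements above mean a guessing run arrives from a configured client with the right secret, so it shows up in the authentication log as a rapid series of "Login incorrect" entries for one user from one client, possibly ending in a "Login OK". The Python below is an added example of spotting that pattern; it is not part of the post or of radcrack.py. The log lines are constructed and only loosely modelled on FreeRADIUS radius.log Auth entries, and the threshold (5 failures within 60 seconds) is an assumed value that a site would tune to its own lock-out policy.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, loosely modelled on FreeRADIUS radius.log "Auth:" lines.
# Not captured from any real server: nas01 sends a quick password-guessing burst
# against "admin" that finally succeeds; nas02 shows one ordinary typo by "bob".
SAMPLE_LOG = """\
Sat Dec 22 10:00:01 2012 : Auth: Login incorrect: [admin/123456] (from client nas01 port 0)
Sat Dec 22 10:00:01 2012 : Auth: Login incorrect: [admin/password1] (from client nas01 port 0)
Sat Dec 22 10:00:02 2012 : Auth: Login incorrect: [admin/qwerty] (from client nas01 port 0)
Sat Dec 22 10:00:02 2012 : Auth: Login incorrect: [admin/letmein] (from client nas01 port 0)
Sat Dec 22 10:00:03 2012 : Auth: Login incorrect: [admin/admin] (from client nas01 port 0)
Sat Dec 22 10:00:03 2012 : Auth: Login OK: [admin/<via Auth-Type = PAP>] (from client nas01 port 0)
Sat Dec 22 10:05:00 2012 : Auth: Login incorrect: [bob/typo] (from client nas02 port 0)
Sat Dec 22 10:45:00 2012 : Auth: Login OK: [bob/<via Auth-Type = PAP>] (from client nas02 port 0)
"""

# Timestamp, result, user and client name; the password field is matched but never captured.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \([^)]*\))?: "
    r"\[(?P<user>[^/\]]+)/[^\]]*\] \(from client (?P<client>\S+)"
)

# Assumed detection parameters; a real deployment tunes these to its lock-out policy.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return a dict with ts/result/user/client, or None for lines that are not Auth entries."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "result": m.group("result"),
        "user": m.group("user"),
        "client": m.group("client"),
    }


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window failure counter per (client, user).

    Returns a list of (client, user, kind, timestamp) alerts. kind is "burst" when
    `threshold` failures fall inside `window`, and "success_after_burst" when a
    Login OK follows such a burst for the same client/user, i.e. the outcome a
    lock-out policy should have prevented.
    """
    recent = defaultdict(deque)  # (client, user) -> failure timestamps still inside the window
    flagged = set()              # keys that currently have an open burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["client"], ev["user"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if not q:
            flagged.discard(key)
        if ev["result"] == "incorrect":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append((ev["client"], ev["user"], "burst", ev["ts"]))
        else:
            if key in flagged:
                alerts.append((ev["client"], ev["user"], "success_after_burst", ev["ts"]))
            q.clear()  # a successful login resets the counter for this client/user
            flagged.discard(key)
    return alerts


if __name__ == "__main__":
    for client, user, kind, ts in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {kind:<20} client={client} user={user}")
```

On the constructed log this raises two alerts for admin from nas01 (the burst, then the success that follows it) and none for bob, whose single failure has long expired by the time the successful login arrives. Keyed on client and user together, the counter also shows which configured client the attempts came through, which is the first thing to check given that the shared secret and source address had to match.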
I hope you find it as useful as I did.
The code includes comments that can aid in troubleshooting and serve as examples, which is why I left them in. I am also using the FreeRADIUS dictionary.
/M