Cracking a CHAP from Freeradius

[honeyfairy]

Hi there

Playing around with a Freeradius installation and trying to extract the plaintext password from the CHAP challenge/response. How do I go about doing this?

Here is a successful login [Freeradius log]

Code:

Service-Type = Login-User
      User-Name = "testing"
      CHAP-Challenge = 0x45c915d82d6725720xxxxxxxxxxxxxxxxx9048420a31292d3
      CHAP-Password = 0x00777f2a3f6a2e66xxxxxxxxxxxxxxx1947b520c6777e0b25



[chap] login attempt by "testing" with CHAP password                                  
[chap] Using clear text password "password" for user testing authentication.
[chap] chap user testing authenticated succesfully

Here is a failed login [Freeradius log]

Code:

      Service-Type = Login-User
      User-Name = "testing"
      CHAP-Challenge = 0xc8274xxxxxxxxxxxxx

+group CHAP {
[chap] login attempt by "testing" with CHAP password
[chap] Using clear text password "password" for user testing authentication.
[chap] Password check failed
++[chap] = reject

Additional info:

Code:

  
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] = ok
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry testing at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = CHAP

How could I start cracking this:       CHAP-Password = 0x00777f2a3f6a2e661947b520c6777e0b25

[undeath]

this worked

./hashcat64.bin -m4800 -a3 777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209048420a31292d3:00 password

[honeyfairy]

this worked

./hashcat64.bin -m4800 -a3 777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209048420a31292d3:00 password

Oh Wow! How would I do this via Hashcat GUI [Windows} ?

[epixoip]

Hashcat GUI is a third-party utility and is not supported here.

[honeyfairy]

Thank you guys!
just to confirm, hashcat only runs on GPU, right?
Is there any way to make it the CPU so that i can run it on a VPS that doesnt have GPU

I get this error: clGetPlatformIDs(): CL_PLATFORM_NOT_FOUND_KHR

I do know about the guides on setting up the amazon EC2 GPU instances, just thought I'd clarfy

[honeyfairy]

Could you guide me to any trusted hash cracking services online?

[undeath]

hashcat runs on any device supporting opencl, which includes modern CPUs and GPUs. You just need to install the correct opencl runtime for the device.

If you want others to help you with cracking you might get some assistance at forum.hashkiller.co.uk

[honeyfairy]

hashcat runs on any device supporting opencl, which includes modern CPUs and GPUs. You just need to install the correct opencl runtime for the device.

If you want others to help you with cracking you might get some assistance at forum.hashkiller.co.uk

You helped me alot. I found this useful. I haveit working now on my VPS!

[ZerBea]

I do not want capture this thread, but I have a question:
Do you have some informations about (free)RADIUS, specifically about the packet structure of the Attribute Value Pairs in the Access-Request Packet [User-Password encrypted(2) or CHAP-Password(3)].
I know this Password is encrypted using a MD5 chiffre (MD5 xor Password). The MD5 is calculated from secret share+random Authenticator - but i don't have any ideas about this secret share. Also I know the rfc2865 document.
We have this both fields (Authenticator and encrypted User Password) in an Access-Request Packet (and additionally a HMAC_MD5 over the complete  Access-Request Packet).

I do not need an answer anymore as I found it:
A note on security: The security of the RADIUS protocol
depends COMPLETELY on this secret! We recommend using a
shared secret that is composed of:
- upper case letters
- lower case letters
- numbers
And is at LEAST 8 characters long, preferably 16 characters in
length. The secret MUST be random, and should not be words,
phrase, or anything else that is recognisable.
The default secret below is only for testing, and should
not be used in any real environment.

secret = testing123

[honeyfairy]

this worked

./hashcat64.bin -m4800 -a3 777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209048420a31292d3:00 password

Please explain the above parameters to me:

What does -m4800 mean?
How did you know to use -m4800?

Could you give me an explanation why you included both the hashed password and challenge

./hashcat64.bin -m4800 -a3 777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209048420a31292d3:00 



Will hashcat be able to crack it just with the hashed password supplied only?


BTW
I'm so excited, ran my first hashcat yay!

Code:

Time.Estimated...: Sat Feb 10 20:51:10 2018 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2?2 [7]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 7/15 (46.67%)
Speed.Dev.#1.....:  9606.6 kH/s (6.55ms)
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 134960504832/134960504832 (100.00%)
Rejected.........: 0/134960504832 (0.00%)
Restore.Point....: 1679616/1679616 (100.00%)
Candidates.#1....: v7qw8qg -> Xqxqxqg
HWMon.Dev.#1.....: N/A

777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209048420a31292d3:00:password

Session..........: hashcat
Status...........: Cracked
Hash.Type........: iSCSI CHAP authentication, MD5(CHAP)
Hash.Target......: 777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209...2d3:00
Time.Started.....: Sat Feb 10 20:51:10 2018 (6 mins, 34 secs)
Time.Estimated...: Sat Feb 10 20:57:44 2018 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2?2?3 [8]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 8/15 (53.33%)
Speed.Dev.#1.....:  9651.5 kH/s (6.57ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3746054144/5533380698112 (0.07%)
Rejected.........: 0/3746054144 (0.00%)
Restore.Point....: 46592/68864256 (0.07%)
Candidates.#1....: v77o5urd -> 653koner
HWMon.Dev.#1.....: N/A

Started: Sat Feb 10 16:47:56 2018
Stopped: Sat Feb 10 20:57:45 2018