We are talking about different things.
You can crack a RADIUS password with hashmode -m 4800 (CHAP). But that's only one single variant.
For example: sometimes the password is stored as BASE64(SHA1(password)) in the database of the server.
My question relates to the transport layer (packet layer of IP communication) between the client and the server.
Right now we are able to crack 2 variants (LEAP-CHAP[PPP], MD-5 challenge[EAP]). During my packet analysis I found 3 other variants (PAP, CHAP, MD5) that we are not able to crack.
For your example above:
Username: alishiazav
Password: zavreski
secret share=29495ade5d6f88f1
The client builds an access-request packet and sends it to the server. This packet contains
- an authenticator (randomly generated),
- the encrypted user password: MD5 cipher = key xor zavreski, where the key is calculated as MD5(29495ade5d6f88f1+authenticator)
- and an HMAC_MD5 calculated over the packet
The server responds to the request with an access-accept packet.
The goal is to retrieve the password if we captured this access-request packet.