EAP-MD5 password extraction
#1
I want to replace the ISP router with one of my choice. After a few network traces, I noticed that the WAN link between the router and ONU performs an 802.1X / EAP-MD5 identity challenge once an hour. I have a Cisco switch that can perform the supplicant authentication if I can recover the password. The identity is in clear text, but the EAP-MD5 challenge and response are hashed. I found this link indicating that -m 4800 is appropriate to crack this. It seems that the format is <response>:<challenge>:<id>. Unfortunately, I do not know the password length or keyspace. I am currently trying the following:

Code:
hashcat -m 4800 97e979ac7f1a3a8765646c4d2049de7e:c588689ad8b2a876416b528332cac2ac:02 -a 3 -i ?a?a?a?a?a?a?a?a?a?a?a?a?a?a

A few questions:

  1. The above link indicates that "eapid should be a 1-byte session identifier, however in many cases it's fixed to the default value 0x02". How can I verify if I need the session identifier or 02?
  2. I have multiple captures of this authentication. Assuming the password is the same, can these be combined in a way to speed up the crack, or will processing any single one be just as efficient?
    1. Code:
      # response:challenge:id
      97e979ac7f1a3a8765646c4d2049de7e:c588689ad8b2a876416b528332cac2ac:??
      418f853ba5cab7940d1b87768bcec4df:6440a9588d9f9e8f9cbe9fbfdc7eb4b0:??
      0fc219a188efdf6b78a3c9ec3bf3719a:fa5577ea377c7ecea162a5204959790d:??
      b2649c240becf48f05a4a08f96bb5705:88884925aca9a567843188d5aa7c6279:??
      7acbd6fc8b0ab254017d27355afdf3fa:a9354497cd8e915d6b5b7960aedb301a:??
      5ccaaa1156ff1c99b1ca56b478fae050:4fb9ce8e6a879a3d398d217e3775c68d:??
      66cb49a994309f3ce407fdb91c8b27f1:3793625f0c8dbc8d8172617278bc687d:??
  3. The packet captures have an "EAP-MD5 Extra Data" field. Looking at the given lengths it seems like padding, though I am not sure. Can this safely be ignored?

I am not sure if my approach is correct and would appreciate some comments. Thank you.
I can post the packet capture if desired.


Attached Files
md5.png
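For readers following the thread, the construction behind hashcat mode 4800 is worth making explicit. EAP-MD5 (RFC 3748 section 5.4) reuses the CHAP-MD5 algorithm of RFC 1994: the 16-byte Response-Value is MD5(Identifier || secret || Challenge-Value), where Identifier is the one-byte Identifier field of the EAP-Request/MD5-Challenge packet. That byte is read from the Request frame in the capture rather than assumed to be 0x02; the trailing "Name" octets after the Value (what Wireshark shows as extra data) are not part of the MD5 input. Because every exchange carries a fresh challenge, each capture is an independent hash, so a candidate must be checked against each one separately, and once a secret reproduces one response the remaining captures serve as confirmation. The Python below is an added example written for this page, not code from the post or from hashcat; the password, challenges and Identifier values are constructed samples, and the function names are the example's own.

```python
import hashlib
import hmac

# EAP-MD5 (RFC 3748 section 5.4) reuses the CHAP-MD5 algorithm from RFC 1994:
#   Response-Value = MD5( Identifier || Secret || Challenge-Value )
# Identifier is the one-byte Identifier field of the EAP-Request/MD5-Challenge
# packet, which is why hashcat mode 4800 carries it as the third field.


def eap_md5_response(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Return the 16-byte Response-Value for one Identifier byte."""
    if not 0 <= eap_id <= 0xFF:
        raise ValueError("EAP Identifier is a single byte")
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


def to_4800_line(response: bytes, challenge: bytes, eap_id: int) -> str:
    """Format one exchange in the hashcat -m 4800 layout response:challenge:id."""
    return f"{response.hex()}:{challenge.hex()}:{eap_id:02x}"


def parse_4800_line(line: str) -> tuple[bytes, bytes, int]:
    """Split a response:challenge:id line back into its binary fields."""
    resp_hex, chal_hex, id_hex = line.strip().split(":")
    response, challenge = bytes.fromhex(resp_hex), bytes.fromhex(chal_hex)
    if len(response) != 16:
        raise ValueError("EAP-MD5 Response-Value must be 16 bytes")
    return response, challenge, int(id_hex, 16)


def verify_candidate(line: str, password: bytes) -> bool:
    """True if `password` reproduces the captured response for this exchange."""
    response, challenge, eap_id = parse_4800_line(line)
    computed = eap_md5_response(eap_id, password, challenge)
    return hmac.compare_digest(computed, response)


def verify_all(lines: list[str], password: bytes) -> list[bool]:
    """Check one candidate against every capture. With an unchanged secret,
    all exchanges must agree; a disagreement points at a wrong id byte or
    a mis-parsed challenge in that capture."""
    return [verify_candidate(line, password) for line in lines]


def identifier_sensitivity(password: bytes, challenge: bytes) -> bool:
    """Show why the id byte cannot simply be assumed: the same secret and
    challenge give different responses for Identifier 0x02 and 0x03."""
    return eap_md5_response(0x02, password, challenge) != eap_md5_response(
        0x03, password, challenge
    )


# Constructed sample values (not from the post): two exchanges with the same
# secret but different challenges and different Identifier bytes.
SAMPLE_PASSWORD = b"example-secret"
SAMPLE_CHALLENGES = [
    bytes.fromhex("00112233445566778899aabbccddeeff"),
    bytes.fromhex("ffeeddccbbaa99887766554433221100"),
]
SAMPLE_IDS = [0x02, 0x07]
SAMPLE_LINES = [
    to_4800_line(eap_md5_response(i, SAMPLE_PASSWORD, c), c, i)
    for i, c in zip(SAMPLE_IDS, SAMPLE_CHALLENGES)
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
    print("matches:", verify_all(SAMPLE_LINES, SAMPLE_PASSWORD))
    print("id byte matters:", identifier_sensitivity(SAMPLE_PASSWORD, SAMPLE_CHALLENGES[0]))
```

Running the block prints the two constructed lines in the 4800 layout, confirms the sample secret against both, and shows that changing only the Identifier byte changes the response. Feeding a capture's real Identifier into the third field, as this does, is the way to settle whether the 0x02 default applies.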