Cracking a CHAP from Freeradius
#1
Hi there

Playing around with a Freeradius installation and trying to extract the plaintext password from the CHAP challenge/response. How do I go about doing this?

Here is a successful login [Freeradius log]

Code:
      Service-Type = Login-User
      User-Name = "testing"
      CHAP-Challenge = 0x45c915d82d6725720xxxxxxxxxxxxxxxxx9048420a31292d3
      CHAP-Password = 0x00777f2a3f6a2e66xxxxxxxxxxxxxxx1947b520c6777e0b25

[chap] login attempt by "testing" with CHAP password
[chap] Using clear text password "password" for user testing authentication.
[chap] chap user testing authenticated succesfully

Here is a failed login [Freeradius log]

Code:
      Service-Type = Login-User
      User-Name = "testing"
      CHAP-Challenge = 0xc8274xxxxxxxxxxxxx

+group CHAP {
[chap] login attempt by "testing" with CHAP password
[chap] Using clear text password "password" for user testing authentication.
[chap] Password check failed
++[chap] = reject




Additional info:

Code:
  
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] = ok
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry testing at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = CHAP


How could I start cracking this:       CHAP-Password = 0x00777f2a3f6a2e661947b520c6777e0b25
Reply
#2
this worked

./hashcat64.bin -m4800 -a3 777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209048420a31292d3:00 password
Reply
#3
(02-10-2018, 11:30 AM)undeath Wrote: this worked

./hashcat64.bin -m4800 -a3 777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209048420a31292d3:00 password

Oh wow! How would I do this via Hashcat GUI [Windows]?
Reply
#4
Hashcat GUI is a third-party utility and is not supported here.
Reply
#5
Thank you guys!
Just to confirm, hashcat only runs on GPU, right?
Is there any way to make it use the CPU so that I can run it on a VPS that doesn't have a GPU?

I get this error: clGetPlatformIDs(): CL_PLATFORM_NOT_FOUND_KHR

I do know about the guides on setting up the Amazon EC2 GPU instances, just thought I'd clarify.
Reply
#6
Could you guide me to any trusted hash cracking services online?
Reply
#7
hashcat runs on any device supporting opencl, which includes modern CPUs and GPUs. You just need to install the correct opencl runtime for the device.

If you want others to help you with cracking you might get some assistance at forum.hashkiller.co.uk
Reply
#8
(02-10-2018, 11:20 PM)undeath Wrote: hashcat runs on any device supporting opencl, which includes modern CPUs and GPUs. You just need to install the correct opencl runtime for the device.

If you want others to help you with cracking you might get some assistance at forum.hashkiller.co.uk

You helped me a lot. I found this useful. I have it working now on my VPS!
Reply
#9
I do not want to capture this thread, but I have a question:
Do you have some information about (free)RADIUS, specifically about the packet structure of the Attribute Value Pairs in the Access-Request packet [User-Password encrypted (2) or CHAP-Password (3)]?
I know this password is encrypted using an MD5 cipher (MD5 xor password). The MD5 is calculated from shared secret + random Authenticator, but I don't have any idea about this shared secret. Also, I know the RFC 2865 document.
We have both of these fields (Authenticator and encrypted User-Password) in an Access-Request packet (and additionally an HMAC_MD5 over the complete Access-Request packet).

I do not need an answer anymore as I found it:
A note on security: The security of the RADIUS protocol
depends COMPLETELY on this secret! We recommend using a
shared secret that is composed of:
- upper case letters
- lower case letters
- numbers
And is at LEAST 8 characters long, preferably 16 characters in
length. The secret MUST be random, and should not be words,
phrase, or anything else that is recognisable.
The default secret below is only for testing, and should
not be used in any real environment.

secret = testing123
Reply
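The User-Password hiding that post #9 describes, written out per RFC 2865 section 5.2 as an added example (not part of the original post and not FreeRADIUS code). It shows that the shared secret is the only thing protecting the password on the wire, which is why the quoted note asks for a random secret. Function names are hypothetical; `new_shared_secret` follows the character classes and 16-character length from that note.

```python
import hashlib
import secrets
import string

def xor16(block, key_material):
    """XOR one block of up to 16 bytes with MD5(key_material)."""
    pad = hashlib.md5(key_material).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_user_password(password, secret, authenticator):
    """c(1) = p1 xor MD5(S + RA); c(i) = pi xor MD5(S + c(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor16(padded[i:i + 16], secret + prev)
        out += prev
    return out

def reveal_user_password(hidden, secret, authenticator):
    """Inverse operation, as done by whoever holds the shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += xor16(block, secret + prev)
        prev = block
    return out.rstrip(b"\x00")  # strip the null padding

def new_shared_secret(length=16):
    """Random secret of upper case, lower case and digits, per the quoted note."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    # Constructed sample values, not taken from any capture.
    ra = secrets.token_bytes(16)
    secret = new_shared_secret().encode()
    hidden = hide_user_password(b"constructed-sample-password", secret, ra)
    print(hidden.hex(), reveal_user_password(hidden, secret, ra))
```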
#10
(02-10-2018, 11:30 AM)undeath Wrote: this worked

./hashcat64.bin -m4800 -a3 777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209048420a31292d3:00 password

Please explain the above parameters to me:

What does -m4800 mean?
How did you know to use -m4800?

Could you give me an explanation why you included both the hashed password and the challenge?

./hashcat64.bin -m4800 -a3 777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209048420a31292d3:00 



Will hashcat be able to crack it just with the hashed password supplied only?


BTW
I'm so excited, ran my first hashcat yay!
Code:
Time.Estimated...: Sat Feb 10 20:51:10 2018 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2?2 [7]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 7/15 (46.67%)
Speed.Dev.#1.....:  9606.6 kH/s (6.55ms)
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 134960504832/134960504832 (100.00%)
Rejected.........: 0/134960504832 (0.00%)
Restore.Point....: 1679616/1679616 (100.00%)
Candidates.#1....: v7qw8qg -> Xqxqxqg
HWMon.Dev.#1.....: N/A

777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209048420a31292d3:00:password

Session..........: hashcat
Status...........: Cracked
Hash.Type........: iSCSI CHAP authentication, MD5(CHAP)
Hash.Target......: 777f2a3f6a2e661947b520c6777e0b25:45c915d82d67257209...2d3:00
Time.Started.....: Sat Feb 10 20:51:10 2018 (6 mins, 34 secs)
Time.Estimated...: Sat Feb 10 20:57:44 2018 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2?2?3 [8]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 8/15 (53.33%)
Speed.Dev.#1.....:  9651.5 kH/s (6.57ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3746054144/5533380698112 (0.07%)
Rejected.........: 0/3746054144 (0.00%)
Restore.Point....: 46592/68864256 (0.07%)
Candidates.#1....: v77o5urd -> 653koner
HWMon.Dev.#1.....: N/A

Started: Sat Feb 10 16:47:56 2018
Stopped: Sat Feb 10 20:57:45 2018
Reply
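On the questions in post #10, an added example (not part of the thread and not hashcat or FreeRADIUS code): per RFC 1994 the CHAP response is MD5(ID || secret || challenge), and the RADIUS CHAP-Password attribute carries the ID byte followed by that response. The check therefore needs the challenge and the ID as well as the response, which is what the `response:challenge:id` line in post #2 contains. Function names are hypothetical; the two attribute values are the ones quoted in the thread.

```python
import hashlib
import hmac

def unhex(value):
    """Accept hex with or without the 0x prefix that FreeRADIUS prints."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)

def chap_response(chap_id, password, challenge):
    """RFC 1994: response = MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def split_chap_password(attr_hex):
    """CHAP-Password (RFC 2865, 5.3): 1 CHAP ID byte, then the 16-byte response."""
    raw = unhex(attr_hex)
    if len(raw) != 17:
        raise ValueError("expected 1 ID byte + 16 response bytes")
    return raw[0], raw[1:]

def to_hash_line(chap_password_hex, challenge_hex):
    """Lay both attributes out as response:challenge:id, the form used in post #2."""
    chap_id, response = split_chap_password(chap_password_hex)
    return "%s:%s:%02x" % (response.hex(), unhex(challenge_hex).hex(), chap_id)

def verify(chap_password_hex, challenge_hex, cleartext):
    """Recompute the response from the clear-text password on file and compare."""
    chap_id, response = split_chap_password(chap_password_hex)
    expected = chap_response(chap_id, cleartext.encode(), unhex(challenge_hex))
    return hmac.compare_digest(expected, response)

# Attribute values quoted in the thread (posts #1 and #2).
PAGE_CHAP_PASSWORD = "0x00777f2a3f6a2e661947b520c6777e0b25"
PAGE_CHALLENGE = "0x45c915d82d67257209048420a31292d3"

if __name__ == "__main__":
    print(to_hash_line(PAGE_CHAP_PASSWORD, PAGE_CHALLENGE))
    # Constructed sample: ID, password and challenge are made up for the demo.
    challenge = bytes(range(16))
    attr = (bytes([7]) + chap_response(7, b"example-pass", challenge)).hex()
    print(verify(attr, challenge.hex(), "example-pass"))  # matching password
    print(verify(attr, challenge.hex(), "wrong-pass"))    # wrong password
    print(verify(attr, bytes(16).hex(), "example-pass"))  # wrong challenge
```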