Cracking a CHAP from Freeradius
02-12-2018, 12:48 AM
Go to https://hashcat.net/wiki/doku.php?id=example_hashes and search for "chap". Should clear up your questions. I also recommend taking a look at the output of hashcat --help
02-12-2018, 12:52 AM
(02-11-2018, 02:05 AM)ZerBea Wrote: I do not want to capture this thread, but I have a question: I do not understand completely. 1. How would an easy shared secret be used to compromise the RADIUS? 2. If I set a 16-character shared secret, will the hashes be harder to crack? PS: I'm [very] new to cryptography, but I AM enjoying myself with great guys like you!
02-12-2018, 01:00 AM
If I understand correctly, the password hash cannot be cracked without the correct Challenge [salt] - Am I correct?
For example, if the RADIUS
02-12-2018, 01:01 AM
yes, the challenge is required in order to crack the hash.
02-12-2018, 01:05 AM
If I understand correctly, the password hash cannot be cracked without the correct Challenge [salt] - Am I correct?
For example, if the RADIUS database has a user stored as follows:
Username: alishiazav
Password: honeyfairy
And if a user logs in with the following:
Username: alishiazav
Password: zavreski
Then, could the hash still be cracked using the method that we used, or not [due to the salt being incorrect]? Lastly, what is the ID at the end?
02-12-2018, 01:13 AM
I don't know how the CHAP handshake works but I would expect you can still crack a hash with a wrong password. The challenge should still be transmitted.
Unless it was coincidence the ID at the end is what is prepended to the "password" hash in your first post.
We are talking about different things.
You can crack a RADIUS password with hash mode -m 4800 (CHAP). But that's only one single variant. For example: sometimes the password is stored as BASE64(SHA1(password)) in the database of the server. My question relates to the transport layer (packet layer of IP communication) between the client and the server. Right now we are able to crack 2 variants (LEAP-CHAP [PPP], MD5 challenge [EAP]). During my packet analysis I found 3 other variants (PAP, CHAP, MD5) we are not able to crack.
For your example above:
Username: alishiazav
Password: zavreski
shared secret = 29495ade5d6f88f1
The client builds an access-request packet and sends this to the server. This packet contains
- an authenticator (randomly generated),
- the encrypted user password: MD5 cipher = key xor zavreski, where the key is calculated as MD5(29495ade5d6f88f1 + authenticator),
- and an HMAC-MD5 calculated over the packet.
The server responds to the request with an access-accept packet. The goal is to retrieve the password if we captured this access-request packet.
02-12-2018, 02:46 PM
(02-12-2018, 01:13 AM)undeath Wrote: I don't know how the CHAP handshake works but I would expect you can still crack a hash with a wrong password. The challenge should still be transmitted. Thank you for the info. I checked the link you gave me. I understand now. Just one more question: how did you know that the ID is the first two digits after 0x? I could not find this info.
02-12-2018, 02:49 PM
trial and error + educated guessing
02-12-2018, 03:13 PM