FreeRADIUS - Wireless Pwnage Edition
news
A patch by Joshua Wright and Brad Antoniewicz for the popular open-source FreeRADIUS implementation, written to demonstrate RADIUS impersonation vulnerabilities and presented at Shmoocon 4. This patch adds the following functionality:
• Simplifies the setup of FreeRADIUS by adding all RFC1918 addresses as acceptable NAS devices;
• Simplifies the setup of EAP authentication by including support for all FreeRADIUS supported EAP types;
• Adds WPE logging in $prefix/var/log/radius/freeradius-server-wpe.log, which can be controlled in radius.conf by changing the "wpelogfile" directive;
• Simplifies the setup of user authentication with a default "users" file that accepts authentication for any username;
• Adds credential logging for multiple EAP types including PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP and others.
For setup information, see the SETUP section below, or our slides from Shmoocon 4.
February 18 2008
Thanks to everyone who made it out to our presentation at Shmoocon 200 where we debuted FreeRADIUS Wireless Pwnage Edition. Check out our slides, and you can get the patch for freeradius-wpe below. Drop me a note with any questions. -Josh
download
To use FreeRADIUS WPE, download FreeRADIUS from www.freeradius.org and the patch from the download section below that matches (or is closest to) the FreeRADIUS version. Unpack FreeRADIUS and change to the "freeradius-2.N.N" directory. Apply the patch, then configure, build and install FreeRADIUS as shown below:
$ cd freeradius-server-2.0.2/
$ patch -p1 < ../freeradius-wpe-2.0.2.patch
$ ./configure && make && sudo make install && sudo ldconfig
Once FreeRADIUS is built and installed with the WPE patch, you can build your certificates. We assume you use "sudo" for root access:
$ cd freeradius-server-2.0.2/raddb/certs
$ ./bootstrap
$ sudo cp -r * /usr/local/etc/raddb/certs
All set. Now run "radiusd" (you can optionally run "radiusd -X -f" to get verbose debugging information printed to the screen) and monitor your log file using tail:
# radiusd
# tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
While RADIUS is running, you could set up an AP that supports 802.1X (such as any Linksys WRT with recent firmware, although Brad recommends the Airport Extreme AP) and impersonate the SSID of the network you are targeting.
SETUP