Nmap Development mailing list archives
Re: [NSE] eap-info
From: Riccardo Cecolin <nmap () rikiji de>
Date: Sat, 3 Mar 2012 16:24:07 +0100
Thanks for checking it, I indeed made a mistake when reordering the code for more readability... Attached there's a patched version with also a minor fix that prevents an additional useless eap-start packet in some cases.

Also maybe the category of the script has to be changed? Because there's some simple MAC spoofing in order to avoid waiting for the hostapd timeout when failing to authenticate. In this way it is possible to scan dozens of auth protocols in less than half a second.

I'll send you the configuration files I'm using to test it.

Riccardo

On Fri, Mar 2, 2012 at 12:59 PM, Patrik Karlsson <patrik () cqure net> wrote:
On Tue, Feb 28, 2012 at 10:32 PM, Riccardo Cecolin <nmap () rikiji de> wrote:

I'm working on a NSE script that implements a subset of the 802.1x (EAP) protocol, I have a question about which is the correct way to get an interface in a "prerule" script. I'm forging directly the 802.1x packets and sending them with the dnet library through a not yet configured network interface, but when I open such an interface with dnet:ethernet_open(), this function will always fail unless the interface has an IP address configured, even if it is up and cable-connected. I'm trying to do that because I think it could be the standard scenario of EAP scanning. Is there a better way to access it from NSE (without giving it a bogus IP)?

Attached there's a version of the mentioned library + script that successfully enumerates all the available authentication methods when tested against hostapd v0.6.10. I found that some other authentication systems have different behaviors (e.g. they do not respond to EAP start packets) so the script needs some more development and testing in different environments, but it's a starting point.

Riccardo

nmap -dd -e eth2 -sn --script-trace --script=eap-info --datadir=. localhost

Pre-scan script results:
| eap-info:
| Available authentication methods with identity="anonymous" on interface eth2
| true PEAP
| true EAP-TTLS
| false EAP-TLS
|_ false EAP-MSCHAP-V2

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Hi Riccardo,

Nice work. I looked into the dnet problem for you. As far as I can tell, the problem is not in dnet, but rather occurs due to the way that the function get_interface_info works. This function calls another function (getInterfaceByName) passing the address family type along so that the correct interface can be fetched. If there is no IP set this operation will therefore fail.

My preliminary tests show that if I remove the code that checks for the address family and call the function for an interface having no IP, the script will work. So, technically it could work without having to set that dummy address. I'm not sure of the effort and how this is best fixed though? Also, I just realized that the PPPoE script I implemented recently would most likely suffer from the same problem.

I wasn't able to test your script, as I don't have a proper test environment set up, but I noticed a problem. When you're using pcap to receive responses, which is the only option in this case, you need to set up the listener before sending the data that will trigger a response. Otherwise, there's a risk that the response will come back before the script has time to set up the listening pcap socket and you will miss it. So the pcap_open should be called before eap.send_start.

What would be the easiest way for me to test this? Would two Linux systems in bridged VMs do? How does the configuration you're running hostapd with look?

Thanks,
Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
Attachment: eap-info.nse
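The listener-before-send ordering Patrik points out, as an added NSE-style Lua sketch; this is not code from the eap-info script or the eap library attached to the thread. The interface name, timeout, BPF filter and the frame-building helper are assumptions; the NSE calls used (nmap.new_socket, pcap_open, pcap_receive, nmap.new_dnet, ethernet_open, ethernet_send) are the standard ones.

```lua
-- Added illustration (not from the eap-info script): open the pcap listener
-- before transmitting the frame that triggers the reply, so the reply cannot
-- arrive in the gap between sending and starting to listen.
local nmap = require "nmap"

-- Assumed helper: builds an EAPOL-Start frame for the given source MAC.
-- In the thread this role is played by the attached eap library.
local function build_eapol_start(src_mac)
  local dst = "\x01\x80\xc2\x00\x00\x03"          -- 802.1X PAE group address
  local ethertype = "\x88\x8e"                    -- EAPOL
  local eapol = "\x01" .. "\x01" .. "\x00\x00"     -- version 1, type Start, length 0
  return dst .. src_mac .. ethertype .. eapol
end

-- Listen first, then send, then wait for the reply (or a timeout).
local function probe(iface, src_mac, timeout_ms)
  local pcap = nmap.new_socket()
  pcap:set_timeout(timeout_ms)
  -- Capture only EAPOL frames; the authenticator answers with an EAP-Request.
  pcap:pcap_open(iface, 64, false, "ether proto 0x888e")

  -- Only now transmit the frame that provokes the response.
  local dnet = nmap.new_dnet()
  dnet:ethernet_open(iface)
  dnet:ethernet_send(build_eapol_start(src_mac))
  dnet:ethernet_close()

  local status, len, l2, l3 = pcap:pcap_receive()
  pcap:close()
  if not status then
    return nil, "no EAPOL reply within " .. timeout_ms .. " ms"
  end
  return l2 .. l3   -- raw Ethernet frame; the eap library would parse it
end

return { probe = probe }
```

If the order were reversed (send, then pcap_open), a fast authenticator on the same segment can answer before the capture handle exists, and the probe reports a false "no reply" for a method the authenticator actually offers.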