Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date...
Transcript of Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date...
![Page 1: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/1.jpg)
Exploring RADIUS
Brad Antoniewicz
![Page 2: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/2.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 2 [email protected] @brad_anton @foundstone
Hi, I’m @brad_anton
![Page 3: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/3.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 3 [email protected] @brad_anton @foundstone
Thank You, Canada!
![Page 10: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/10.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 10 [email protected] @brad_anton @foundstone
RADIUS Remote Access Dial-In User Service
![Page 11: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/11.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 11 [email protected] @brad_anton @foundstone
Getting old people on the Internet DSL/Dial-Up Access
![Page 12: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/12.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 12 [email protected] @brad_anton @foundstone
Anonymity for l33tz VPN
![Page 13: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/13.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 13 [email protected] @brad_anton @foundstone
Network Access 802.1x (wired/wireless)
![Page 14: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/14.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 14 [email protected] @brad_anton @foundstone
RADIUS
Fuzz
![Page 15: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/15.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 15 [email protected] @brad_anton @foundstone
User Access Server RADIUS Server
Flow
![Page 16: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/16.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 16 [email protected] @brad_anton @foundstone
Supplicant Authenticator Authentication Server
Flow (IEEE 802.1x)
![Page 17: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/17.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 17 [email protected] @brad_anton @foundstone
TRUSTED UNTRUSTED
![Page 18: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/18.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 18 [email protected] @brad_anton @foundstone
TRUSTED UNTRUSTED
Targeting RADIUS Servers
from Untrusted Networks
![Page 19: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/19.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 19 [email protected] @brad_anton @foundstone
User Access Server RADIUS Server
Flow
HTTP
PPP
VPN
Switch
Access Point
![Page 20: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/20.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 20 [email protected] @brad_anton @foundstone
User Access Server RADIUS Server
Flow
RADIUS
PROTOCOL
![Page 21: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/21.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 21 [email protected] @brad_anton @foundstone
User Access Server RADIUS Server
Flow User Database
Active Directory
SecurID
LDAP
![Page 22: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/22.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 22 [email protected] @brad_anton @foundstone
Surface
![Page 23: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/23.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 23 [email protected] @brad_anton @foundstone
RA
DIU
S H
an
dle
r RA
DIU
S H
an
dle
r
Surface
![Page 24: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/24.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 24 [email protected] @brad_anton @foundstone
Surface C
lien
t Ha
nd
ler
![Page 25: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/25.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 25 [email protected] @brad_anton @foundstone
Surface
Mgmt Web UI Mgmt Web UI
![Page 26: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/26.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 26 [email protected] @brad_anton @foundstone
Surface
External Auth Handler
Mgmt Web UI
![Page 27: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/27.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 27 [email protected] @brad_anton @foundstone
Surface Mgmt Web UI
Mgmt Web UI Mgmt Web UI
StringMutator.Data.cs: namespace Peach.Core.Mutators { public partial class StringMutator { static readonly string[] values = new string[] {
LDAP Injection XSS SQL Injection CMD Injection etc… } }
![Page 28: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/28.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 28 [email protected] @brad_anton @foundstone
Protocol
![Page 29: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/29.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 29 [email protected] @brad_anton @foundstone
Authentication
Accounting
(Don’t care about)
RFC 2865
RFC 2866
![Page 30: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/30.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 30 [email protected] @brad_anton @foundstone
UDP 1645
Shared Secret Used for various purposes
Lame
Source IP Filters Bypassed w/ encapsulation/spoofing
Key-Wrap
Only for keys later on
1812
![Page 31: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/31.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 31 [email protected] @brad_anton @foundstone
code
Packetz
1: Access-Request 2: Access-Accept 3: Access-Reject 11: Access-Challenge
Radius.xml:RADIUS-Header
![Page 32: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/32.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 32 [email protected] @brad_anton @foundstone
code Pkt Id Length
Packetz Radius.xml:RADIUS-Header
![Page 33: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/33.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 33 [email protected] @brad_anton @foundstone
code Pkt Id Length
Authenticator
Packetz
./john –-format=dynamic_1008 radius.john
Radius.xml:RADIUS-Header
![Page 34: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/34.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 34 [email protected] @brad_anton @foundstone
AVPs
Type Length Value..
Value can be:
String, Address, Time, Integer
Radius.xml:AVP-*
![Page 35: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/35.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 35 [email protected] @brad_anton @foundstone
Built In Authentication
PAP:–-format=dynamic_1009 CHAP: hashcat md5(chap)
RadiusPap Transformer
(RFC 2865)
![Page 36: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/36.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 36 [email protected] @brad_anton @foundstone
Encapsulation RFC 2869: RADIUS Extensions
![Page 37: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/37.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 37 [email protected] @brad_anton @foundstone
EAP RFC 3748: Extensible Authentication Protocol
type Length Value.. EAP
RADIUS AVP Eap.xml
![Page 38: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/38.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 38 [email protected] @brad_anton @foundstone
EAP Eap.xml
Code
1: Request 2: Response 3: Success 4: Failure
![Page 39: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/39.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 39 [email protected] @brad_anton @foundstone
EAP Eap.xml
Code Id Length
![Page 40: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/40.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 40 [email protected] @brad_anton @foundstone
EAP Eap.xml
Code Id Length
Type Data
1: Identity – Eap.xml 3: Nak – Eap.xml 4: EAP-MD5 – EapMd5.xml 17: EAP-TLS – EapTls.xml 25: PEAP – EapPeap.xml 26: EAP_MSCHAPv2 – EapMschapv2.xml ..And more!
![Page 41: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/41.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 41 [email protected] @brad_anton @foundstone
EAP
RADIUS
![Page 42: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/42.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 42 [email protected] @brad_anton @foundstone
Message-Authenticator RFC 2869: RADIUS Extensions
HMAC-MD5
Would stop spoofing but..
![Page 43: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/43.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 43 [email protected] @brad_anton @foundstone
Tools and Attax
![Page 44: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/44.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 44 [email protected] @brad_anton @foundstone
Tools
Existing: libeap
pyradius
eapol_test* (w/ hostapd)
Releasing: Radius .Net (forked)
Eap .Net
..i know.. “ugh .Net”
![Page 45: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/45.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 45 [email protected] @brad_anton @foundstone
Sniffing
Offline Brute-Force Shared Secret/User-Password: john
CHAP: hashcat
EAP Data..: asleap, and eapmd5pass
Clear-text Data User-name AVP/Eap Ident
NAS-Id
Calling-Station
State
![Page 46: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/46.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 46 [email protected] @brad_anton @foundstone
Profiling
AVP-State (RADIUS)
Maintains State of the Connection
Active/Passive
Cisco: “acs/Number/Number”
MS NPS: 38 Bytes
EAP-Res/Ident Username
MS NPS: Will reject if ! valid
Others: Doesn’t matter
Msg-Auth. (RADIUS)
Cisco: Ignores
Others: Access-Reject
RadiusEapProfiler.exe
![Page 47: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/47.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 47 [email protected] @brad_anton @foundstone
Brute-Force
Password a.k.a Active Brute
Force (..meh)
Usernames NPS: Eap-Resp/Identity
EAP-Type Client Downgrade
eapEnum.exe
Or Enumeration …whatever
![Page 48: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/48.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 48 [email protected] @brad_anton @foundstone
The Man in the Middle (impersonation)
hostapd-WPE
FreeRADIUS-WPE
![Page 49: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/49.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 49 [email protected] @brad_anton @foundstone
Fuzzing
DataModels
Fuzzers
Supporting Utils
PeachPits
Existing: radius-fuzzer
![Page 50: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/50.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 50 [email protected] @brad_anton @foundstone
DataModels EAP
Eap.xml
EapFast.xml
EapGtc.xml
EapLeap.xml
EapMd5.xml
EapMschapv2.xml
EapPeap.xml
EapTls.xml
EapTlv.xml
RADIUS
Radius.xml
Supporting
Protocols
Tls.xml
Mschapv2.xml
Utilities
Utils.xml
802.1x
Ieee802.1x.xml
![Page 51: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/51.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 51 [email protected] @brad_anton @foundstone
DataModel
Radius.xml
Cisco ACS
StateModel
Tests
VS DataModel
TekRADIUS
StateModel
Tests
VS DataModel
MS NPS/IAS
StateModel
Tests
VS DataModel
SBR/FreeRadius
StateModel
Tests
VS DataModel
Fuzzers
UDPPublisher
![Page 52: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/52.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 52 [email protected] @brad_anton @foundstone
Publishers
RadiusPublisher.cs
DataModel
Eap.xml
8021xPublisher.cs
DataModel
Ieee8021x.xml
![Page 53: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/53.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 53 [email protected] @brad_anton @foundstone
TLS, OHNO!
UdpClient Y u no Stream?!
![Page 54: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/54.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 54 [email protected] @brad_anton @foundstone
DataModel
Eap.xml
TcpPublisher
EapBridge
eapol_test
Target
![Page 55: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/55.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 55 [email protected] @brad_anton @foundstone
802.1x Publisher
RADIUS Publisher Bridge
![Page 56: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/56.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 56 [email protected] @brad_anton @foundstone
Exploitation
&
![Page 57: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/57.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 57 [email protected] @brad_anton @foundstone
Demo Arch
![Page 58: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/58.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 58 [email protected] @brad_anton @foundstone
!!!!DEMO!!!!
![Page 59: Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM](https://reader034.fdocuments.us/reader034/viewer/2022052009/601eb23fd32d9f0f4b485509/html5/thumbnails/59.jpg)
www.foundstone.com
Copyright © 2014
McAfee, Inc. 59 [email protected] @brad_anton @foundstone
? @brad_anton
*many of the pics in this presentation were found on the
internet – credit goes to images.google.com