
released jumbo-3

1 parent fb6721d commit cad3b0ec43b6b9af0eb478bed0e84e1461d7e412 magnum committed Dec 15, 2011
1 README
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -6,7 +6,7 @@
# $Id$
#
ATTRIBUTE User-Name 1 string
-ATTRIBUTE User-Password 2 string
+ATTRIBUTE User-Password 2 string
ATTRIBUTE CHAP-Password 3 octets
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port 5 integer
Binary file not shown.
@@ -587,41 +587,6 @@ void init()
max = 5;
}
-
-# Trivial parallel processing example
-[List.External_base:Parallel]
-/*
- * This word filter makes John process some of the words only, for running
- * multiple instances on different CPUs. It can be used with any cracking
- * mode except for "single crack". Note: this is not a good solution, but
- * is just an example of what can be done with word filters.
- */
-
-int node, total; // This node's number, and node count
-int number; // Current word number
-
-void filter()
-{
- if (number++ % total) // Word for a different node?
- word = 0; // Yes, skip it
-}
-
-[List.External:Parallel1_2]
-.include [List.External_base:Parallel]
-void init()
-{
- node = 1; total = 2; // Node 1 of 2
- number = node - 1; // Speedup the filter a bit
-}
-[List.External:Parallel2_2]
-.include [List.External_base:Parallel]
-void init()
-{
- node = 2; total = 2; // Node 2 of 2
- number = node - 1; // Speedup the filter a bit
-}
-
-
# Strip 0.5 ("Secure Tool for Recalling Important Passwords") cracker,
# based on analysis done by Thomas Roessler and Ian Goldberg. This will
# crack passwords you may have generated with Strip; other uses of Strip
@@ -1391,6 +1356,74 @@ void filter()
word[i] = map2[(o & 0xfff) + (e >> 12)];
}
+# Trivial parallel processing example
+[List.External_base:Parallel]
+/*
+ * This word filter makes John process some of the words only, for running
+ * multiple instances on different CPUs. It can be used with any cracking
+ * mode except for "single crack". Note: this is not a good solution, but
+ * is just an example of what can be done with word filters.
+ */
+
+int node, total; // This node's number, and node count
+int number; // Current word number
+
+void filter()
+{
+ if (number++ % total) // Word for a different node?
+ word = 0; // Yes, skip it
+}
+
+[List.External:Parallel1_2]
+.include [List.External_base:Parallel]
+void init()
+{
+ node = 1; total = 2; // Node 1 of 2
+ number = node - 1; // Speedup the filter a bit
+}
+[List.External:Parallel2_2]
+.include [List.External_base:Parallel]
+void init()
+{
+ node = 2; total = 2; // Node 2 of 2
+ number = node - 1; // Speedup the filter a bit
+}
+
+# Interrupt the cracking session after "max" words tried
+[List.External:AutoAbort]
+int max; // Maximum number of words to try
+int number; // Current word number
+
+void init()
+{
+ max = 1000;
+ number = 0;
+}
+
+void filter()
+{
+ if (++number > max)
+ abort = 1; // Interrupt the cracking session
+}
+
+# Print the status line after every "interval" words tried
+[List.External:AutoStatus]
+int interval; // How often to print the status
+int number; // Current word number
+
+void init()
+{
+ interval = 1000;
+ number = 0;
+}
+
+void filter()
+{
+ if (number++ % interval)
+ return;
+ status = 1; // Print the status line
+}
+
# dumb-force UTF-16, in an external file
.include "$JOHN/dumb16.conf"
@@ -1400,4 +1433,3 @@ void filter()
# Dynamic ($dynamic_n$) scripting code, in an external file
# also shows/tests that .include <file> works the same as .include "$JOHN/file"
.include <dynamic.conf>
-
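Review bot: In the added AutoStatus filter, `if (number++ % interval)` is false on the very first call because init() sets number to 0, so `status = 1` is raised before any word has been tried and then again at words 1000, 2000 and so on, which does not match the heading "after every "interval" words tried". Pre-incrementing, `if (++number % interval) return;`, would make it fire after each full interval and would match AutoAbort, which already uses `++number > max`. AutoAbort and AutoStatus define only init() and filter() in the lines shown, so a one-line comment on each, along the lines of `# Word filter only: use together with another cracking mode`, would tell readers what the Parallel example already states in its own header.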
Binary file not shown.
@@ -1,9 +1,9 @@
-#!/opt/local/bin/perl
+#!/usr/bin/perl
-# This software is Copyright © 2011 Didier ARENZANA <darenzana-at-gmail.com>,
+# This software is Copyright © 2011 Didier ARENZANA <darenzana-at-gmail.com>,
# and it is hereby released to the general public under the following terms:
# Redistribution and use in source and binary forms, with or without modification, are permitted, as long as the original
-# author is referenced.
+# author is referenced.
# Utility to bruteforce RADIUS shared-secret
# Usage: perl rad2john.pl <pcap files>
@@ -12,15 +12,15 @@
# "3.3 User-Password Attribute Based Shared Secret Attack" and
# "3.1 "Response Authenticator Based Shared Secret Attack"
-# For attack 3.3 :
+# For attack 3.3 :
# we try authentications using a known password, and sniff the radius packets to a pcpap file.
# This script reads access-request in the pcap file, and dumps the md5(RA+secret) and RA, in a john-friendly format.
# The password must be always the same, be less then 16 bytes long, and entered in the $PASSWORD variable below.
# The user names used during this attack must be entered in @LOGINS below.
# For attack 3.1:
# we don't need to try authentications. Just sniff the radius packets in a pcap file.
-# This script reads the pcap file, matches radius responses with the corresponding requests,
+# This script reads the pcap file, matches radius responses with the corresponding requests,
# and dumps md5 and salt as needed.
# This script assumes there is one radius secret per client IP, that does not change during the whole time of packet dump.
@@ -66,32 +66,32 @@
sub read_file {
my ($filename) = @_ ;
my ($err, $object,$filter) ;
-
+
$object = Net::Pcap::open_offline($filename, \$err) ;
- if (defined $object ) {
- print STDERR "Processing $filename\n" ;
+ if (defined $object ) {
+ print STDERR "Processing $filename\n" ;
} else {
print STDERR "unable to read file $filename - $err\n" ;
return ;
}
-
- Net::Pcap::compile( $object,
+
+ Net::Pcap::compile( $object,
\$filter,'udp port 1812',
- 0, 0
+ 0, 0
) && die 'Unable to compile packet capture filter';
-
+
Net::Pcap::setfilter($object, $filter) &&
die 'Unable to set packet capture filter';
-
+
Net::Pcap::loop($object, -1, \&process_packet, Net::Pcap::datalink($object)) ; # || die "Unable to read packet : " . Net::Pcap::geterr($object) ;
-
+
Net::Pcap::close($object) ;
}
sub process_packet {
my ($linktype, $header, $packet) = @_ ;
my ($iner_data, $protocol) ;
-
+
#print join (" ", $header->{len}, $header->{tv_sec}, $header->{tv_usec}) . "\n" ;
#print Dumper($header, $packet) ;
@@ -117,7 +117,7 @@ sub process_packet {
print STDERR "Link type $linktype not supported.\n" ;
return ;
}
-
+
# we should have an IP packet in $iner_data
my $ip = NetPacket::IP->decode($iner_data);
if ($ip->{proto} != 17) {
@@ -126,10 +126,10 @@ sub process_packet {
print STDERR Dumper(\$ip) ;
die ;
}
-
+
# We now have an UDP packet in $ip->{data}
my $udp = NetPacket::UDP->decode($ip->{'data'});
-
+
my $radius= new Net::Radius::Packet($dict, $udp->{'data'});
$radius->show_unknown_entries(0) ;
@@ -139,62 +139,62 @@ sub process_packet {
sub process_radius {
my ($ip, $rad) = @_ ;
-
+
local $_= $rad-> code ;
-
+
if ( /Access-Request/ ) {
dump_access_request(
$ip->{'src_ip'},
- $rad->attr('User-Name'),
- $rad->authenticator(),
+ $rad->attr('User-Name'),
+ $rad->authenticator(),
$rad->attr('User-Password')
) if defined($VALID_LOGIN{$rad->attr('User-Name')}) ;
-
+
$requests{$ip->{'src_ip'}. '-' . $rad->identifier()} = $rad->authenticator() ;
}
elsif (/Access-Accept/ || /Access-Challenge/ || /Access-Reject/) {
my $key=$ip->{'dest_ip'}. '-' . $rad->identifier() ;
return unless defined($requests{$key}) ;
- dump_response($ip->{'dest_ip'}, $requests{$key}, $rad) ;
+ dump_response($ip->{'dest_ip'}, $requests{$key}, $rad) ;
}
}
sub dump_response {
# Extract md5 hash from the response packet,
# and build salt from the response packet and the corresponding request authenticator
my ($ip, $req_ra, $rad) = @_ ;
-
+
return if ($UNIQUE && defined ($dumped_ips{$ip})) ;
-
+
# extract the hash
my $hash = $rad->authenticator() ;
-
+
#extract the packet raw data to get the salt
my $salt= $rad->pack() ;
#replace Response Authenticator with the Request Authenticator
substr($salt, 4, 16)=$req_ra ;
-
- print $ip . ':$dynamic_1009$' .
- unpack('H*', $hash) .
+
+ print $ip . ':$dynamic_1009$' .
+ unpack('H*', $hash) .
'$HEX$' . unpack('H*', $salt) .
"\n" ;
-
+
$dumped_ips{$ip} = 'reply' ;
}
-sub dump_access_request {
+sub dump_access_request {
# Extract the md5 hash and salt from the packet
# and dump them in 'joomla' form.
my ($ip, $login, $ra, $hashed) = @_ ;
-
+
return if ($UNIQUE && defined ($dumped_ips{$ip}) && ($dumped_ips{$ip} eq 'request')) ;
-
- print $ip . ':$dynamic_1008$' .
+
+ print $ip . ':$dynamic_1008$' .
# the RADIUS User-Password attribute contains MD5(RA+secret) XOR password
# we need to xor it to get back MD5(RA+secret)
unpack("H*", $hashed ^ $PASSWORD) .
- '$HEX$' . unpack("H*", $ra) .
+ '$HEX$' . unpack("H*", $ra) .
"\n" ;
-
+
$dumped_ips{$ip} = 'request' ;
}