颖奇L'Amore's abandoned LFTr blog

Building a RADIUS server on Linux for wireless WPA + 802.1X authentication

Author: 颖奇L'Amore

QQ: 1249714854

iSafe (爱安全) technical community: www.ixsec.org

====================================

Note: the method in this post follows the book 《Kali Linux无线网络渗透测试详解》 (Kali Linux Wireless Network Penetration Testing in Detail).

0x00 Preface

As everyone knows, WPA/WPA2 with a pre-shared key is no longer secure enough: an attacker needs only one captured handshake and a sufficiently good wordlist to crack it!

Measures such as MAC address filtering, disabling the SSID broadcast and turning off DHCP are mere tricks to a wireless attacker; this kind of "security mechanism" is trivially bypassed!

dot1x requires a separate AAA server (AAA stands for Authentication, Authorization, Accounting). You can of course use a VMware-hosted ISE/ACS, Windows Server and so on as the AAA server, which improves security and looks impressive at the same time!

0x01 Installation
1. Download, extract, and cd into the extracted freeradius-server-2.2.9 directory

ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.2.9.tar.bz2
2. Configure the software

./configure
If the permissions are insufficient: chmod 777 configure



3. Build the software
make
4. Install: make install
 

5. Run in server/debug mode
-s: server mode
-X: debugging mode
If a shared library is reported missing, run ldconfig
 

If it reports that OpenSSL is affected by the Heartbleed vulnerability and refuses to start:


cd /usr/local/etc/raddb/
nano radiusd.conf
and set allow_vulnerable_openssl = yes (this only bypasses the startup check; the real fix is to update OpenSSL to a patched version)



Then start it again:
--------------- omitted --------------
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 96 with timestamp +713
Ready to process requests.

0x02 Functional test
Create a user on the local machine:
cd /usr/local/etc/raddb/
nano users


Change the secret:
nano clients.conf



Then test:
11:14 root@L'Amore:~ $radtest iSafe iSafe12345 127.0.0.1 1234 iSafe12345
radclient:: Failed to find IP address for L'Amore
radclient: Nothing to send.
This is the error message from FreeRADIUS 2.x.

On 3.x the message reads:
(0) Error parsing "-": ip_hton: Name or service not known

Fix: add a hostname entry for the machine to /etc/hosts:


Test again:



0x03 Configuring the RADIUS service
Edit radiusd.conf
Line 538: set reject_delay = 5, for security reasons (the delay before an Access-Reject is sent slows down password guessing)

 

Remove the comment marker on line 743 to enable the mysql driver



Edit eap.conf
Following the original author's approach, change the default method to PEAP; the default is EAP-MD5.
Note: EAP is only an outer authentication framework; there are dozens of different methods, for example EAP-TLS, EAP-SIM and LEAP, plus some vendor-proprietary ones such as Cisco's EAP-FAST. The TLS-based ones currently come in three flavours: TLS, TTLS and PEAP (the latter two do not require a PKI); see the AAA part of CCNP Security for more.

 

Edit clients.conf
Add the NAS as a client

 

sql.conf holds the settings for the connection between the database and RADIUS; the defaults can be kept.

Edit sites-enabled/default
Remove the comment marker before sql on line 177 and comment out files on line 171

Edit sites-enabled/inner-tunnel
Remove the comment marker before sql on line 132 and comment out files on line 125

0x04 Configuring MySQL
service mysql start  # start the mysql service
mysqladmin -u root create radius  # create a database named radius
mysql -u root < /usr/local/etc/raddb/sql/mysql/admin.sql  # create the admin user by importing admin.sql
mysql -u root radius < /usr/local/etc/raddb/sql/mysql/schema.sql  # create the schema by importing schema.sql

Log in to the radius database with mysql -u root radius:
 



mysql> INSERT INTO radcheck (username,attribute,op,value) VALUES ('iSafe12345','Cleartext-Password',':=','iSafe12345');

mysql> INSERT INTO radreply (username,attribute,op,value) VALUES ('iSafe12345','Reply-Message','=','test by Yingqi ixsec.org gem-love.com'); 



Then you can exit.
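To make the two INSERT statements above concrete, here is an added example (not code from the post or from FreeRADIUS) that models what the radcheck/radreply rows mean. It builds the three tables that the server's authorize section queries (a column subset of the project's schema.sql, an assumption), inserts the post's two rows, runs the same lookups with bound parameters, and reproduces the PAP decision: an ':=' row in radcheck is a check item the password is compared against, while a '=' row in radreply is a reply item that is returned whether the request is accepted or rejected. The function names and the sqlite3 stand-in for MySQL are this example's own choices.

```python
import sqlite3
import hmac

# Constructed sample rows: the same values as the two INSERT statements above.
SAMPLE_RADCHECK = [("iSafe12345", "Cleartext-Password", ":=", "iSafe12345")]
SAMPLE_RADREPLY = [("iSafe12345", "Reply-Message", "=", "test by Yingqi ixsec.org gem-love.com")]


def build_db():
    """In-memory database with the three tables the authorize section queries.
    Assumption: only the columns used by those queries are modelled."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radreply (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
    """)
    conn.executemany("INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)", SAMPLE_RADCHECK)
    conn.executemany("INSERT INTO radreply (username, attribute, op, value) VALUES (?, ?, ?, ?)", SAMPLE_RADREPLY)
    conn.commit()
    return conn


def authorize(conn, username):
    """The three lookups the server logs as 'expand: SELECT ...' in authorize.
    The user name is a bound parameter, which has the same effect as the
    server escaping it before substituting it into the query text."""
    check = conn.execute(
        "SELECT id, username, attribute, value, op FROM radcheck WHERE username = ? ORDER BY id",
        (username,)).fetchall()
    reply = conn.execute(
        "SELECT id, username, attribute, value, op FROM radreply WHERE username = ? ORDER BY id",
        (username,)).fetchall()
    groups = conn.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        (username,)).fetchall()
    return check, reply, [g[0] for g in groups]


def pap_check(conn, username, password):
    """Model of the PAP decision: compare the request password with the
    Cleartext-Password check item. Returns (outcome, reply_attributes)."""
    check, reply, _groups = authorize(conn, username)
    # reply items are collected in authorize, before the password is checked
    reply_attrs = {attr: value for (_id, _u, attr, value, _op) in reply}
    check_items = {attr: value for (_id, _u, attr, value, op) in check if op == ":="}
    stored = check_items.get("Cleartext-Password")
    if stored is None:
        # unknown user or no check item: nothing to authenticate against
        return "reject", reply_attrs
    # constant-time comparison so a mismatch does not leak a prefix length
    if hmac.compare_digest(stored.encode(), password.encode()):
        return "accept", reply_attrs
    # the Reply-Message is still attached to the reject, as the debug log later shows
    return "reject", reply_attrs


if __name__ == "__main__":
    db = build_db()
    for pw in ("iSafe", "iSafe12345"):
        print(pw, pap_check(db, "iSafe12345", pw))
```

Running it shows the point the rest of this section makes: the wrong password is rejected, the right one accepted, and both replies carry the same Reply-Message, so that message is not evidence of a successful login.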

Run radius; the following error appears:


Fix:
1. Install the client library: apt-get install libmysqlclient-dev
2. Build the sql module
cd /root/freeradius-server-2.2.9/src/modules/rlm_sql/drivers/rlm_sql_mysql/
chmod 777 configure
./configure --with-mysql-dir=/var/lib/mysql --with-lib-dir=/usr/lib/mysql
make
make install

After that it starts successfully:



Now let's test.
Running radtest iSafe12345 iSafe12345 127.0.0.1 1234 iSafe12345 produces the following error on radiusd:
 

The cause is that mysql has stopped running at this point: service mysql start


Test again. Note that the password here is iSafe rather than iSafe12345; I typed it wrong on purpose!
We already see the "test by Yingqi ..." reply message that we configured in MySQL (if mysql is not running, i.e. the error we just fixed, there is no Reply-Message).
So a Reply-Message alone proves nothing:


We need to look at the log on radiusd, which shows "Passwords don't match" and therefore "Failed to authenticate":
rad_recv: Access-Request packet from host 127.0.0.1 port 32784, id=228, length=80
    User-Name = "iSafe12345"
    User-Password = "iSafe"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1234
    Message-Authenticator = 0x0c3e7bc6141fda34c4f3cbbb8400abd9
===omitted===
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "iSafe"
[pap] Using clear text password "iSafe12345"
[pap] Passwords don't match
++[pap] = reject
+} # group PAP = reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [iSafe12345/iSafe] (from client localhost port 1234)
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[eap] Request didn't contain an EAP-Message, not inserting EAP-Failure
++[eap] = noop
===omitted===
Sending Access-Reject of id 228 to 127.0.0.1 port 32784
    Reply-Message = "test by Yingqi ixsec.org gem-love.com"
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32784, id=228, length=80
Sending duplicate reply to client localhost port 32784 - ID: 228
Sending Access-Reject of id 228 to 127.0.0.1 port 32784
    Reply-Message = "test by Yingqi ixsec.org gem-love.com"
Waking up in 4.9 seconds.
Cleaning up request 2 ID 228 with timestamp +848

Now test again with the correct username and password:
 

Look at the log:
rad_recv: Access-Request packet from host 127.0.0.1 port 53281, id=240, length=80
    User-Name = "iSafe12345"
    User-Password = "iSafe12345"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1234
    Message-Authenticator = 0x9832f595d9fc96969b1708f858ccb856
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "iSafe12345", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[sql]     expand: %{User-Name} -> iSafe12345
[sql] sql_set_user escaped user --> 'iSafe12345'
rlm_sql (sql): Trying to (re)connect unconnected handle 28..
rlm_sql (sql): Attempting to connect rlm_sql_mysql #28
rlm_sql_mysql: Starting connect to MySQL server for #28
rlm_sql (sql): Connected new DB handle, #28
rlm_sql (sql): Reserving sql socket id: 28
rlm_sql (sql): got socket 28 after skipping 0 unconnected handles, tried to reconnect 1 though
[sql]     expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'iSafe12345'           ORDER BY id
[sql] User found in radcheck table
[sql]     expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'iSafe12345'           ORDER BY id
[sql]     expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'iSafe12345'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 28
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "iSafe12345"
[pap] Using clear text password "iSafe12345"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
Login OK: [iSafe12345/iSafe12345] (from client localhost port 1234)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 240 to 127.0.0.1 port 53281
    Reply-Message = "test by Yingqi ixsec.org gem-love.com"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 240 with timestamp +1536

As shown above, authentication succeeded!!
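The two debug sessions above make the same point twice: the Reply-Message appears in both the Access-Reject and the Access-Accept, so the outcome must be read from the "Sending Access-Accept/Access-Reject" and "Login OK/incorrect" lines. The following added example (not part of the post, and not FreeRADIUS code) parses a condensed excerpt of those two sessions into one record per request, extracts the outcome and failure reason, counts rejects per user as a simple brute-force indicator, and redacts the cleartext passwords that radiusd -X prints in the attribute dump and in the Login summary line, which matters before such logs are stored or shared. Regex shapes and function names are this example's own assumptions about the 2.x output format shown above.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed excerpt of the two radiusd -X sessions above
# (wrong password with a duplicate reply, then the correct password).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 32784, id=228, length=80
    User-Name = "iSafe12345"
    User-Password = "iSafe"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1234
[pap] Passwords don't match
++[pap] = reject
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [iSafe12345/iSafe] (from client localhost port 1234)
Sending Access-Reject of id 228 to 127.0.0.1 port 32784
    Reply-Message = "test by Yingqi ixsec.org gem-love.com"
rad_recv: Access-Request packet from host 127.0.0.1 port 32784, id=228, length=80
Sending duplicate reply to client localhost port 32784 - ID: 228
Sending Access-Reject of id 228 to 127.0.0.1 port 32784
    Reply-Message = "test by Yingqi ixsec.org gem-love.com"
rad_recv: Access-Request packet from host 127.0.0.1 port 53281, id=240, length=80
    User-Name = "iSafe12345"
    User-Password = "iSafe12345"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1234
Login OK: [iSafe12345/iSafe12345] (from client localhost port 1234)
Sending Access-Accept of id 240 to 127.0.0.1 port 53281
    Reply-Message = "test by Yingqi ixsec.org gem-love.com"
"""

RECV_RE = re.compile(r'^rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)')
ATTR_RE = re.compile(r'^\s+([\w-]+) = (.*)$')
SEND_RE = re.compile(r'^Sending (Access-Accept|Access-Reject) of id (\d+) to (\S+) port (\d+)')
LOGIN_RE = re.compile(r'^Login (OK|incorrect)(?: \((.*?)\))?: \[([^/\]]*)/')


def parse_requests(log_text):
    """One record per (client host, client port, packet id). The outcome comes
    only from the Sending Access-Accept/Access-Reject line, never from Reply-Message."""
    requests = {}
    current = None
    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if m:
            key = (m.group(1), m.group(2), m.group(3))
            current = requests.setdefault(key, {"client": m.group(1), "id": m.group(3), "attrs": {},
                                                "outcome": None, "reason": None, "reply": {}, "duplicates": 0})
            continue
        if current is None:
            continue
        if line.startswith("Sending duplicate reply"):
            current["duplicates"] += 1  # NAS retransmit; the server resends its cached reply
            continue
        m = SEND_RE.match(line)
        if m:
            current["outcome"] = "accept" if m.group(1) == "Access-Accept" else "reject"
            continue
        m = LOGIN_RE.match(line)
        if m:
            current["reason"] = m.group(2) if m.group(1) == "incorrect" else None
            continue
        m = ATTR_RE.match(line)
        if m:
            # attributes before the Sending line belong to the request, after it to the reply
            target = current["reply"] if current["outcome"] is not None else current["attrs"]
            target[m.group(1)] = m.group(2).strip('"')
    return list(requests.values())


def failed_attempts_by_user(records):
    """Rejects per User-Name; a high count from one NAS is the signal worth alerting on."""
    counts = defaultdict(int)
    for r in records:
        if r["outcome"] == "reject":
            counts[r["attrs"].get("User-Name", "?")] += 1
    return dict(counts)


def redact(line):
    """Mask the cleartext password that -X prints in three places."""
    line = re.sub(r'(User-Password = ")[^"]*"', r'\1***"', line)
    line = re.sub(r'(with password ")[^"]*"', r'\1***"', line)
    line = re.sub(r'(: \[[^/\]]*/)[^\]]*\]', r'\1***]', line)
    return line


if __name__ == "__main__":
    for rec in parse_requests(SAMPLE_LOG):
        print(rec["id"], rec["outcome"], rec["reason"], rec["reply"].get("Reply-Message"))
    print(failed_attempts_by_user(parse_requests(SAMPLE_LOG)))
    for raw in SAMPLE_LOG.splitlines():
        print(redact(raw))
```

Both requests come back with the identical Reply-Message, while only id 240 is an accept; the duplicate counter also shows the retransmitted id 228 packet that the original log records as "Sending duplicate reply".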

0x05 Configuring the 802.1X wireless network
Edit the SSID as follows:
 

Capturing with airodump-ng shows the SSID's AUTH field as MGT, which is the so-called dot1x
 

Then connect.
After entering the account and password and clicking OK, some log output appears


After confirming to continue connecting, more log output pops up


Then the connection succeeds

 

There is a lot of log output, so I won't paste it


And with that, authentication succeeds!

