-
Notifications
You must be signed in to change notification settings - Fork 96
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix challenge_hash when user starts with "domain\" #4
Fix challenge_hash when user starts with "domain\" #4
Conversation
Maybe add options for both hashes in the .conf? (log both if both options are set) |
That could be a possibility. However, I have yet to see a client which use the full |
In RFC 2759 under section 4: "When computing the NT-Response field contents, only the user name is used, without any associated Windows NT domain name. This is true regardless of whether a Windows NT domain name is present in the Name field..." So I guess we can safely assume that no device should use the domain name? |
Well done with the RFC pointer!
I agree. So there is no need to have an option to log the non-RFC-compliant one, unless someone finds a client which uses the full |
So I wasn't aware that some devices may not comply to RFC standards. Sorry. What do you suggest in case some devices do use the domain to compute the hashes? |
I have encountered a device where the domain was also used, i was able to crack the hash with FreeRADIUS-WPE and ntdomain hack, but not with HostAPD-WPE, which resulted in a different hash. Since there does not seem to be any activity here from the author, perhaps a fork with these changes + the other pending pull requests would be a good idea? |
Sorry, I am not sure I understand your message perfectly. Did you find a device which uses the domain to compute the challenge? If possible, could you share the following:
I would recommend to go and look at mana, and more specifically at hostapd-mana. It seems that the pull request has been merged there (although incorrectly, I just made a pull request on their repo to fix it), and the project is maintained. |
No you are right, i was mistaken and i indeed meant the opposite: your fix should indeed be enough, just the username is used and NOT the domain. I know about mana but never tried it before, i'll give it a better look and thnx alot for your fix! |
That's good to hear, I was afraid that you found one device that behaved differently, and that we needed to handle that case as well.
Same, I've just tried it a few days ago, seems to be the way to go now :-) I also like the fact that they have different repositories, so you don't have to clone everything, you can just use hostapd-mona if you want!
It was really not much to code, the hardest part was to identify where the problem came from! |
I can confirm that the mana project is well maintained: my pull request was merged within 24h 👍 |
@Rogdham I saw it indeed, thnx for the notification anyway. I'll be playing with it. I can't seem to find some form of output file for hashes grabbed. It loads them off to the cracker directly and only if cracked then added to the eap user file. Cannot seem to find a parameter such as wpe_logfile= to regular cred logging. E.g. [mschapv2] etc. Did i miss something or would this indeed be a handy enhancement? |
92b1090
to
cc0d42d
Compare
Rebased on current master for hostapd 2.6. Fixes #19. |
@brad-anton: could you give this PR a look? |
thanks for the nudge @Rogdham! |
Haha, my pleasure @brad-anton! Could you close #19 while you are at it? |
Hi folks, Im seeing this issue again, perhaps a client update issue, as I my build has not changed. Comments under #19 Cheers - Rob |
Some clients (e.g. with Windows) send
domain\username
as the user, but do the computations for the challenge/response withusername
only.In freeradius, that was solved with the directive
with_ntdomain_hack = yes
.Here, I did not see any directive that looks like it.
As a result, we obtain wrong NETNTLM output. For example, with domain
abc
, usernamedef
and passwordqwerty
:NETNTLM: abc\def:$NETNTLM$b081024eca01be3f$ca96218159d29a8443506fc2b5e1a86e41eec71f7abe8119
;NETNTLM: abc\def:$NETNTLM$b71e3c37cd629d7d$dac787f9f3f721bb7a985c2f92f262c1668653f140f443c4
.There is no way to break the first one, the second one is found within seconds with John the Ripper.
I have a few questions though:
domain\
part to compute the challenge-response? In other words, will this patch will not work with those clients?Finally, the code diff in this PR is quite simple, but as we see a diff of a diff, it starts to look confusing.