Pyrad Proxy Question/Problem? #166

Open
PandyDev opened this issue Mar 9, 2022 · 1 comment

Comments


PandyDev commented Mar 9, 2022

Hello,

I am trying to build a simple proxy server which sends packets to a different RADIUS server (freeradius). Everything works so far. The only problem I have seen is that freeradius sends back MPPE keys, and eapol_test, which I am using for testing EAP-TLS / PEAP authentication, seems to dislike the keys:

WARNING: PMK mismatch
PMK from AS - hexdump(len=32): 16 00 76 8b f5 9a 3d 6b 07 12 fb 35 a1 2d 72 72 78 ee e0 03 18 77 5b 31 17 a9 18 78 c0 12 19 20
No EAP-Key-Name received from server
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE 

From the code I use, within the HandleAuthPacket:
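I create a Client

from pyrad.client import Client
from pyrad.dictionary import Dictionary

client = Client(server='10.0.0.1', secret=b'secret', dict=Dictionary("dicts/dictionary"), authport=1812)  # pyrad expects the secret as bytes
req = client.CreateAuthPacket(code=pkt.code)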

and copy every key over to the proxied packet and send it out

if pkt.keys():
        for i in pkt.keys():
            if i != "Message-Authenticator":
                # Add each key to proxied packet
                req[i] = pkt[i]
req.add_message_authenticator()
reply = client.SendPacket(req)

The same goes for the response back to the client (pkt is the initial packet from the requesting client):

attrs = {}
if reply.keys():
    for i in reply.keys():
        if i != "Message-Authenticator":
            # Add each key to reply packet
            attrs[i] = reply[i]

replyTOHost = self.CreateReplyPacket(pkt,**attrs)
replyTOHost.code = reply.code
replyTOHost.add_message_authenticator()
self.SendReplyPacket(pkt.fd, replyTOHost)

I am also using the latest commit which has the salt decrypt function in packet.py


TheHolm commented Jun 2, 2022

I guess you need to "re-encrypt" the password on the way to the server. User-Password is hashed with the secret and Message-Authenticator, so it will change when you forward it.
I'm also trying to create a proxy server, but packet.PwDecrypt is not working for me.

File "/home/theholm/.local/lib/python3.10/site-packages/pyrad/packet.py", line 712, in PwDecrypt
    pw += bytes((hash[i] ^ buf[i],))
TypeError: unsupported operand type(s) for ^: 'int' and 'bytes'

MPPE keys are also encrypted using the shared secret, so you need to re-encrypt them in transit.
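
An added example, not part of the thread and not pyrad's own code: the RFC 2548 salted encryption used by MS-MPPE-Send-Key and MS-MPPE-Recv-Key, showing why a proxy has to decrypt the value with the upstream secret and Request Authenticator and re-encrypt it for the client leg. The function names, secrets and authenticators are constructed for illustration.

```python
import hashlib
import os


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_encrypt(key, secret, request_auth, salt=None):
    """Build the String field (salt + ciphertext) of an MS-MPPE-*-Key attribute."""
    salt = salt or os.urandom(2)
    salt = bytes([salt[0] | 0x80, salt[1]])        # RFC 2548: top bit of the salt is set
    plain = bytes([len(key)]) + key                # Key-Length octet, then the key
    plain += b"\x00" * (-len(plain) % 16)          # pad to a multiple of 16 octets
    out, prev = b"", request_auth + salt           # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                               # b(i) = MD5(S + c(i-1))
    return salt + out


def mppe_decrypt(value, secret, request_auth):
    """Recover the key; request_auth is the authenticator of the matching request."""
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("malformed salted attribute")
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("bad key length: wrong secret or authenticator")
    return plain[1:1 + key_len]


def try_decrypt(value, secret, request_auth):
    """Return the key as that hop would see it, or None if it does not decode."""
    try:
        return mppe_decrypt(value, secret, request_auth)
    except ValueError:
        return None


def proxy_reencrypt(value, upstream_secret, upstream_auth, client_secret, client_auth):
    """Decrypt with the proxy-to-server leg's parameters, re-encrypt for the client leg."""
    key = mppe_decrypt(value, upstream_secret, upstream_auth)
    return mppe_encrypt(key, client_secret, client_auth)
```

Here `upstream_auth` is the Request Authenticator of the packet the proxy sent to the server, and `client_auth` is the one from the client's original request; copying the attribute value unchanged makes the client derive a different key, which matches the PMK mismatch reported above.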
