Breaking into 802.1x EAP-MD5 Port based authentication in Wired VoIP Network – II

Now that we have simulated the production network, we can proceed to the actual attack. I will explain the password-breaking procedure using a freely available tool. Read more here about setting up port-based authentication in a wired VoIP network.
Sipera Viper Lab has released a new tool, XTest, for automating the password-breaking procedure against 802.1x EAP-MD5 port-based authentication.
The tool is released under the GPL3 license and has some cool features:

  • 802.1x Supplicant: XTest can test a username and password against an 802.1x Authenticator (Ethernet switch), and supports re-authentication.
  • Offline pcap dictionary attack: If you capture a valid 802.1x authentication sequence into a pcap file, XTest will run a dictionary attack against the pcap using a supplied wordlist. XTest will recover the password from the pcap if the dictionary file contains the valid password.
  • Shared hub unauthorized access: Using a shared hub, XTest can use the successful authentication of a valid 802.1x supplicant to gain unauthorized access to the network.

Here is the list of steps an attacker could take to get unauthorized access to the physical network.
Assumption: The attacker is already on the victim's premises and has access to phones lying in the lobby or reception.
1) The attacker looks at the phone model and MAC address to learn the username, then unplugs the phone from the switch port.
2) As we already know, Cisco uses a hard-coded username as the identity for authentication. So for a Cisco 7961G phone the username is CP-7961G-SEP<MacAddress>.
3) Using XTest, the attacker can try to get access using the learned username and guessed passwords.
bughira@bt:~/xtest-1.0# ./xtest -u <UserName> -p <test-Pwd>
The above command will try to complete the authentication sequence for the given username. Instead of testing passwords one by one, you can use the live dictionary attack feature of XTest.
Just feed a good password dictionary to the tool and let it try every password from the dictionary.
bughira@bt:~/xtest-1.0# ./xtest -u <UserName> -w <DictionaryFile>

4) XTest also has an offline dictionary attack feature: you can supply a pcap containing a successful EAP-MD5 authentication, and the tool will retrieve the username and challenge from that exchange and break the password for you.
bughira@bt:~/xtest-1.0# ./xtest -c EAP_MD5_SUCCESS.pcap -w <DictionaryFile>

5) XTest has a built-in 802.1x supplicant and can be used to perform the re-authentication attack as shown below.
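From the defender's side, the two things worth watching for on an 802.1x wired segment are (a) ports still negotiating EAP-MD5 at all, since the challenge/response in a captured exchange is exactly what step 4 feeds to an offline wordlist run, and (b) bursts of EAP-Failure for one identity, which is what the live dictionary attack in step 3 looks like from the switch. The following is an added example, not code from this post or from XTest: a small EAPOL/EAP decoder (802.1X-2001 framing, RFC 3748 EAP layout) run over a constructed capture of three failed EAP-MD5 attempts followed by a success. The port name, the phone MAC, the failure threshold and the sample frames are all assumptions made up for the demo, and the Ethernet header is left out of the frames.

```python
"""Flag EAP-MD5 use and repeated EAP failures in a sequence of EAPOL frames (added example)."""
import struct
from collections import defaultdict

EAPOL_TYPE_EAP_PACKET = 0
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5_CHALLENGE = 4
FAILURE_THRESHOLD = 3  # assumption: EAP failures per identity before alerting


def cisco_phone_identity(model, mac):
    """Cisco IP phone 802.1x identity in the form described on the page: CP-<model>-SEP<MAC>."""
    return "CP-%s-SEP%s" % (model, mac.replace(":", "").upper())


def build_eapol(code, eap_id, eap_type=None, type_data=b""):
    """Encode one EAP packet inside an EAPOL header (version 1, type EAP-Packet)."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    eap = struct.pack("!BBH", code, eap_id, 4 + len(body)) + body
    return struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def parse_eapol(frame):
    """Decode an EAPOL frame; returns None for non-EAP EAPOL types (Start, Logoff, Key)."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        return None
    eap = frame[4:4 + length]
    code, eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    pkt = {"code": code, "id": eap_id, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len > 4:
        pkt["type"] = eap[4]          # EAP method type byte
        pkt["data"] = eap[5:eap_len]  # type-data (identity string, or size+value+name for MD5)
    return pkt


def analyze(frames):
    """frames: list of (switch_port, eapol_bytes) in capture order.
    Returns the EAP method, failure and success counts per identity, plus alerts."""
    identity_of = {}             # switch port -> identity last claimed on that port
    method_of = {}               # identity -> EAP method negotiated
    failures = defaultdict(int)  # identity -> number of EAP-Failure packets
    successes = defaultdict(int)
    for port, frame in frames:
        pkt = parse_eapol(frame)
        if pkt is None:
            continue
        ident = identity_of.get(port, "<unknown>")
        if pkt["code"] == EAP_RESPONSE and pkt["type"] == EAP_TYPE_IDENTITY:
            identity_of[port] = pkt["data"].decode("ascii", "replace")
        elif pkt["code"] == EAP_REQUEST and pkt["type"] == EAP_TYPE_MD5_CHALLENGE:
            method_of[ident] = "EAP-MD5"
        elif pkt["code"] == EAP_FAILURE:
            failures[ident] += 1
        elif pkt["code"] == EAP_SUCCESS:
            successes[ident] += 1
    alerts = []
    for ident, method in method_of.items():
        if method == "EAP-MD5":
            alerts.append("%s uses EAP-MD5: a captured exchange is dictionary-crackable offline, "
                          "move the port to a certificate-based method" % ident)
    for ident, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            alerts.append("%s: %d EAP failures, possible online password guessing" % (ident, n))
    return {"method": dict(method_of), "failures": dict(failures),
            "successes": dict(successes), "alerts": alerts}


def sample_capture():
    """Constructed sample: three failed EAP-MD5 attempts on one port, then a success."""
    port = "Gi1/0/5"  # constructed switch port name
    ident = cisco_phone_identity("7961G", "00:11:22:33:44:55").encode()  # constructed MAC
    chal = bytes(range(16))  # constructed 16-byte challenge
    resp = bytes(16)         # constructed 16-byte response value (not a real MD5 output)
    frames = []
    for attempt in range(4):
        outcome = EAP_FAILURE if attempt < 3 else EAP_SUCCESS
        frames += [
            (port, build_eapol(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),
            (port, build_eapol(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, ident)),
            (port, build_eapol(EAP_REQUEST, 2, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + chal)),
            (port, build_eapol(EAP_RESPONSE, 2, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + resp + ident)),
            (port, build_eapol(outcome, 2)),
        ]
    return frames


if __name__ == "__main__":
    for line in analyze(sample_capture())["alerts"]:
        print(line)
```

The identity is tracked per switch port rather than per source MAC because both directions of the exchange (the authenticator's Request/MD5-Challenge and the supplicant's responses) belong to the same session; in a real deployment the same counters would be fed from the switch's 802.1x syslog or RADIUS accounting rather than from raw frames.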

“XTest makes sure that no one can completely rely on EAP-MD5 port based authentication schemes.”

Download XTest here.
Happy Hunting..

