Hacktopia

So you set up your radius server, and you want to make sure that it is authenicationg your users properly.

$radtest username password servername port secret

$radtest clinets-username clients-password (hostname of server) (radtest username password servername port secret) (shared secret between radius client and server)

I would like to note that if set the hostname to somewhere where a radius server does not exist then you will keep on getting output saying “Sending Access-Request of id 27 to 203.65.22.105 port 1812″ this is because the radius server works over UDP so it has no idea if the server received the packets or not, so it just keeps trying.

A successful test looks like this

hostname:~# radtest    username  userpassword hostname.com  1813 sharedsecret
Sending Access-Request of id 60 to 203.65.22.105 port 1812 User-Name = “username”
User-Password = “userpassword”
NAS-IP-Address =203.65.22.105
NAS-Port = 1813
rad_recv: Access-Accept packet from host 203.65.22.105 port 1812, id=60, length=20

A rejected login test looks like this

hostname:~# radtest    username  userpassword hostname.com  1813 sharedsecret
Sending Access-Request of id 60 to 203.65.22.105 port 1812 User-Name = “username”
User-Password = “userpassword”
NAS-IP-Address =203.65.22.105
NAS-Port = 1813
rad_recv: Access-Reject packet from host 208.73.74.68 port 1812, id=80, length=20

In this short tutorial I will show you how to generate your very own password list to feed into a password cracker. First make sure you have plenty of disk space. You will need terabytes to store all that you will be able to generate by using my example so be careful and watch the password file grow to make sure that it does not fill up your system. So for starters get a Unix system, preferbly Linux with some nice fast processor, and like I stated before plenty of disk space. Then install ‘John The Ripper often refered to as simply john when run from the command line.

Here is a example ubuntu system package search

user@server:~$ aptitude search john
i   john                                                      – active password cracking tool

I am sure you can use the power of john for good or evil, but pleas try to use it for good.  I have used it for noble reasons.  One company that I worked for wanted to make sure that the passwords of the accounts for the servers where secure so I was asked to run a password cracker on the user.  So I broke out john and watched how the majority of them where cracked in under a second.  it did take several times asking the users to make better passwords before it took a resonable amount of time to cracks them.  At the time I considered a couple of days good enough.

Recently I was unable to long into one of my systems.  I was authorized for the system so I simply asked a friend to reset my password.  Before the password was reset I had the freind copy my hash from the shadow file like so.

user@server:~$ grep user/etc/passwd > pass
user:x:1000:1000:user,,,:/home/user:/bin/bash

I used the resulting pass file to feed to john.  I did this with out a dictionary file.  The benifits to using a dictionary is that john does not need to use processign power to generate diffrent passwords.

bab@nixer:~$ john pass
Loaded 1 password (Standard DES [48/64 4K])

I finally was told what my password was after 11 days.  It is very neat that you can press return while it is running to see what kind of guesses john is trying.  For background info the password that was used was only 8 charaters long with one capital and one number the rest where lower case. The reason that it took so long was that john had to generate each password and then try it against the has that I provided.  As you might of guessed these kind of attaches are only usefull when you have the password and the hash.

Below is the command to generate 95 printable ASCII characters of lengths 1 to 8.  I would suggest simiting the list to something smaller like replacin ALL with Alpha or Digit.  You can also edit the /etc/john/john.conf file to shorten or letehen the passwords generated and a few other options.

john -incremental=All –stdout > john_string_list

Here are the 26 printiable ASCII charaters

!”#$%&’()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

Trying to find out where all your man pages are located, have no fear this is how you can find them.

user@server:~$ manpath
/usr/local/man:/usr/local/share/man:/usr/share/man

Which will tell you what directories you computer will look for man files.
you can also look in

$ grep MANPATH /etc/manpath.config

To see where you system expects the man pages to be located.

I you would like to read some man pages about man then then ‘man man’ and ‘man 5 manpath’ for more information.  If there are man pages that you have but you cant get them to show up by typing “man widget” then you simply have to add them to you man path.