Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Basic questions about RADIUS authentication

from [Roger A. Grimes] Network Security [Permanent Link]
Subject: RE: Basic questions about RADIUS authentication
Date: Tue, 23 Nov 2004 18:29:31 -0500 
It was my understanding that PEAP (Protected EAP) authentication (if
used) protects RADIUS against these types of attacks...by negotiating a
secure tunnel before actual user or machine credentials are passed? 

-----Original Message-----
From: Bulgaria Online - Assen Totin [mailto:assen@online.bg] 
Sent: Tuesday, November 23, 2004 6:08 AM
To: security-basics@securityfocus.com
Subject: Re: Basic questions about RADIUS authentication

Hi all,

V> Q.1- Is it not possible to sniff this communication and launch a 
V> dictionary attack?

Provided the attacker pretends to be a valid RADIUS client, yes.
However, the RADIUS server normally responds only to clients listed in
its configuration. So the attack should also come from a "valid" (from
the point of view of the RADIUS server) IP address - or spoof the source
IP address _and_ take measures to receive the replies.

V> After the user is authenticated, RADIUS server creates and sends the 
V> user and the NAS session keys.
V> Q.2- Is it not possible in this instance to launch a 
V> man-in-the-middle attack?

I'm not sure about this. RADIUS can do not only authentication, but
solely accounting or authorisation. Thus "After the user is
authenticated" is not clear to me. From what I know, after the server
processes the query, it assigns a more or less unique Session-Id (which
is used further till the end of the session).

V> Q.3- How is the data (userids and passwords) secured in the RADIUS
server?
V> Is it not possible to launch an attack at the RADIUD server database?

I guess depends on the RADIUS server and configuration. As far as I
know, RADIUS server can authenticate requests against several sources,
including probably /etc/passwd, SQL database (Cistron RADIUS and its
successors at least), or even through an external application (e.g.
XtRadius). So the protection of the passwords is not really a RADIUS
issue, but a system administration task (of course, one should take care
not to configure RADIUS to show plain text passwords in its log files).
External attack (meaning an attack coming from a host, different from
the RADIUS server) would probably be a brute-force one trying to guess a
valid pair of username and password. However, if a potential attacker
gains access (even non-privileged) to the host where RADIUS server
resides, his opportunities to interfere in the authentication process
become much broader.

WWell,

Assen Totin
Development Manager

===============================
        BULGARIA ONLINE
  Your quality... Your price!
===============================
tel. (+359 2) 973-3000 ext. 511
     http://home.online.bg
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: which security hotfixs to implemet ?, Andrew Shore
Next by Date:  Re: securing an FTP service, Davide
Previous by Thread:  RE: Basic questions about RADIUS authentication, Ed Whitesell
Next by Thread:  FW: SQLServer SA password recovery, Barbara Filkins
Indexes:  [Date] [Thread] [Top] [All Lists]