Sniffing PAP/CHAP

Roland Perry roland at linx.net
Thu, 1 Jun 2000 23:22:24 +0100


In article <00060122593801.03818@lacunae.clara.co.uk>, Jonathan Care
<jonc@lacunae.clara.co.uk> writes
>If you are using RADIUS, the interesting bit is not necessarily the traffic of
>the authentication session itself, but the logging information (START, STOP, and
>AUTH) which maps IP address to calling number ID, and shows the session
>duration - all needed for billing, etc. This is sent in clear in UDP packets,
>and hence is easily sniffable.

Does that stuff contain enough information to tie up usernames with IP
numbers, though?

Perhaps the NAS says: I have user <crypted> with password <crypted> from
phone number <?is this crypted?> trying to log in. And the Radius server
says to the NAS: Yes, I recognise him, give him IP number a.b.c.d, and
starts a log within the Radius Server (so no traffic on the ISP's not-
backbone) to track the length of the session.

Just a theory.
-- 
            Roland Perry | tel: +44 1733 207705 | roland@linx.org
      Regulation Officer | fax: +44 1733 353929 | http://www.linx.net
London Internet Exchange | mbl: +44 7050 604080 |       /contact/roland
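
The accounting records discussed in this thread, as an added example that is not part of the original messages: a parser for a RADIUS Accounting-Request (RFC 2866) run over a constructed packet, showing which attributes decode without the shared secret. The user name, IP address, phone number and session time are constructed sample values, and the function names are this example's own.

```python
import ipaddress
import struct

# Attribute numbers and value types from RFC 2865 / RFC 2866.
ATTRS = {1: ("User-Name", "text"), 8: ("Framed-IP-Address", "ipv4"),
         31: ("Calling-Station-Id", "text"), 40: ("Acct-Status-Type", "int"),
         46: ("Acct-Session-Time", "int")}
DECODE = {"text": lambda b: b.decode("utf-8", "replace"),
          "ipv4": lambda b: str(ipaddress.IPv4Address(b)),
          "int": lambda b: int.from_bytes(b, "big")}
STATUS = {1: "Start", 2: "Stop"}

def tlv(attr_type, value):
    """Encode one attribute: type, length (2-byte header included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_sample():
    """Constructed Accounting-Request (code 4) carrying a Stop record."""
    body = b"".join([
        tlv(1, b"alice@example.net"),
        tlv(8, ipaddress.IPv4Address("198.51.100.23").packed),
        tlv(31, b"01632960123"),
        tlv(40, struct.pack("!I", 2)),
        tlv(46, struct.pack("!I", 1835)),
    ])
    # Authenticator left as zeros: a placeholder, not a valid shared-secret hash.
    return struct.pack("!BBH", 4, 7, 20 + len(body)) + bytes(16) + body

def parse(packet):
    """Return (code, {name: value}); no shared secret is needed to decode."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    fields, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        raw = packet[pos + 2:pos + attr_len]
        name, kind = ATTRS.get(attr_type, (f"Attr-{attr_type}", "raw"))
        fields[name] = DECODE.get(kind, bytes.hex)(raw)
        pos += attr_len
    if "Acct-Status-Type" in fields:
        fields["Acct-Status-Type"] = STATUS.get(fields["Acct-Status-Type"], fields["Acct-Status-Type"])
    return code, fields

if __name__ == "__main__":
    print(parse(build_sample()))
```

In this sample the user name, assigned address, calling number and session duration all sit in one record, which is the set of fields a protected path between NAS and RADIUS server has to cover.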