Sniffing PAP/CHAP

Jonathan Care jonc at lacunae.clara.co.uk
Thu, 1 Jun 2000 23:40:36 +0100


On Thu, 01 Jun 2000, Roland Perry wrote:
> In article <00060122593801.03818@lacunae.clara.co.uk>, Jonathan Care
> <jonc@lacunae.clara.co.uk> writes
> >If you are using RADIUS, the interesting bit is not necessarily the traffic of
> >the authentication session itself, but the logging information (START, STOP, and
> >AUTH) which maps IP address to calling number ID, and shows the session
> >duration - all needed for billing, etc. This is sent in clear in UDP packets,
> >and hence is easily sniffable.
>
> Does that stuff contain enough information to tie up usernames with IP
> numbers though.

It does, and it is routinely used to do so. Off the shelf IP billing packages do
this.

>
> Perhaps the NAS says: I have user <crypted> with password <crypted> from
> phone number <?is this crypted?> trying to log in. And the Radius server
> says to the NAS: Yes, I recognise him, give him IP number a.b.c.d, and
> starts a log within the Radius Server (so no traffic on the ISP's not-
> backbone) to track the length of the session.

I believe that the password field is crypt()'ed (or a similar scheme).
Username, calling line, called line, and IP address (if authenticated) are all
in clear in the logs.

Radius accounting servers tend to be on physically separate boxes from the
authentication servers. Not forgetting that most modern CCABS systems slap a
directory or two in there, so there is the content of the LDAP messages also to
read.

>
> Just a theory.
....at twilight, when the lights are low?

-- 
Jonathan Care - +44 (0) 7061 170337
Nobody does it better, makes me feel sad for the rest.
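As an added example (not code from the original post or from any product the thread mentions), the following script shows what a passive observer on the path between a NAS and its accounting server actually gets from the START/STOP records the post describes. The packet layout is the one in RFC 2865/2866: an Accounting-Request carries no User-Password attribute at all, and the shared secret goes only into the Request Authenticator (an MD5 over the packet plus the secret), which lets the server check that the NAS sent the record but hides nothing. The sample packets, the shared secret, the usernames, phone numbers and addresses are all constructed for the example.

```python
"""Parse RADIUS Accounting-Request packets (RFC 2866) off the wire and join
Start/Stop records into an IP -> user/caller/duration table.

Added example; the sample packets and secret below are constructed, not captured.
"""
import hashlib
import struct
from collections import defaultdict

ACCOUNTING_REQUEST = 4

# Attribute numbers and wire encodings (subset, from RFC 2865/2866)
ATTRS = {
    1:  ("User-Name", "string"),
    4:  ("NAS-IP-Address", "ipaddr"),
    8:  ("Framed-IP-Address", "ipaddr"),
    30: ("Called-Station-Id", "string"),
    31: ("Calling-Station-Id", "string"),
    40: ("Acct-Status-Type", "integer"),
    44: ("Acct-Session-Id", "string"),
    46: ("Acct-Session-Time", "integer"),
}
ATTR_NAMES = {name for name, _ in ATTRS.values()}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def encode_attr(atype, value):
    """Type(1) Length(1) Value encoding, used here only to build sample packets."""
    kind = ATTRS[atype][1]
    if kind == "string":
        raw = value.encode()
    elif kind == "ipaddr":
        raw = bytes(int(octet) for octet in value.split("."))
    else:
        raw = struct.pack("!I", value)
    return bytes([atype, 2 + len(raw)]) + raw


def build_acct_request(identifier, secret, attrs):
    """Accounting-Request with Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret) (RFC 2866)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_radius(packet):
    """Decode header and known attributes. No secret is needed: every
    attribute in an Accounting-Request is sent in the clear."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    fields, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        raw = packet[pos + 2:pos + alen]
        pos += alen
        if atype not in ATTRS:
            continue  # vendor-specific or uninteresting attribute
        name, kind = ATTRS[atype]
        if kind == "string":
            fields[name] = raw.decode(errors="replace")
        elif kind == "ipaddr":
            fields[name] = ".".join(str(b) for b in raw)
        else:
            fields[name] = struct.unpack("!I", raw)[0]
    return {"code": code, "id": ident, "authenticator": packet[4:20], **fields}


def verify_acct_authenticator(packet, secret):
    """The secret authenticates the record to the server; it encrypts nothing."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return expected == packet[4:20]


def correlate_sessions(packets):
    """Join Start/Stop by Acct-Session-Id and key the result by assigned IP."""
    by_session = defaultdict(dict)
    for pkt in packets:
        rec = parse_radius(pkt)
        if rec["code"] != ACCOUNTING_REQUEST or "Acct-Session-Id" not in rec:
            continue
        by_session[rec["Acct-Session-Id"]].update(
            {k: v for k, v in rec.items() if k in ATTR_NAMES})
    table = {}
    for sid, s in by_session.items():
        if "Framed-IP-Address" in s:
            table[s["Framed-IP-Address"]] = {
                "user": s.get("User-Name"),
                "calling": s.get("Calling-Station-Id"),
                "called": s.get("Called-Station-Id"),
                "session_id": sid,
                "status": STATUS.get(s.get("Acct-Status-Type")),
                "seconds": s.get("Acct-Session-Time"),
            }
    return table


SECRET = b"s3cret"  # constructed NAS/accounting-server shared secret
SAMPLE_PACKETS = [  # constructed Start and Stop records for one dial-up session
    build_acct_request(17, SECRET, [(1, "alice"), (4, "10.0.0.1"), (8, "192.0.2.45"),
                                    (31, "01234567890"), (30, "08450001234"),
                                    (40, 1), (44, "0000A1B2")]),
    build_acct_request(18, SECRET, [(1, "alice"), (4, "10.0.0.1"), (8, "192.0.2.45"),
                                    (31, "01234567890"), (30, "08450001234"),
                                    (40, 2), (44, "0000A1B2"), (46, 1834)]),
]

if __name__ == "__main__":
    for ip, info in correlate_sessions(SAMPLE_PACKETS).items():
        print(ip, info)
```

Run against a real capture, the same `parse_radius` works on the payload of each UDP datagram to port 1813 (or 1646 on older deployments); `verify_acct_authenticator` is only useful if you also hold the shared secret, and a sniffer never needs it to read the mapping.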