MSCHAPv2 with RADIUS - How exactly does the encryption process work?

I am creating a RADIUS server to handle MS-CHAPv2 in node.js. I have a RADIUS client, which is a VPN server, that sends me the following attributes in the Access-Request:

  • User-Name

  • MS-CHAP-Challenge

  • MS-CHAP2-Response

I tested against a real Microsoft RADIUS server, and the Access-Accept response always contained the following:

  • MS-MPPE-Recv-Key: long string

  • MS-MPPE-Send-Key: long string

  • MS-CHAP2-Success: long string

I've tried reading the RFCs, but they are very complicated and I just need to understand:

  • What should I do with the Access-Request attributes (Challenge & Response) as the server?

  • How should I create the 3 keys in the Access-Accept?

I have read many articles and places including pentesting examples.

Some have said to use RC4, 3DES, MD4, MD5 or SHA1, and I don't know what to do, as they only give 2-3 lines of explanation.

What is encrypted? How do I authenticate a user? Do I have to create a duplicate challenge/response hash because it contains the MD4 & 3DES encrypted password?

Help me please...



1 answer


Creating a RADIUS server is very difficult.

What should I do with the Access-Request attributes (Challenge & Response) as the server?

The server needs to respond to the client's request, ask for handshaking, create an SSL tunnel, request identification, etc.

How can I create the 3 keys in the Access-Accept?

The MS-MPPE keys are generated from data in the handshake and authentication process, and they are also very complex; you have to compute and encrypt a lot, which is more complicated than just using RC4, 3DES, MD4...

What is encrypted? How do I authenticate a user? Do I have to create a duplicate challenge/response hash because it contains the MD4 & 3DES encrypted password?

If you are using SSL, everything is encrypted from the cipher spec to the Access-Accept. To authenticate the user, you need to compare the data provided by the client with your database, and at the end send the Access-Accept to the NAS. Depending on which authentication method you use, the password handling is much more complicated than just encrypting with MD4 and 3DES; if you are using MS-CHAPv2, for example, it is hashed together with some other data multiple times.

