---
-- EAP (Extensible Authentication Protocol) library supporting a
-- limited subset of features.
--
-- The library was designed and tested against hostapd v0.6.10
-- The EAP protocol names are the ones specified in:
-- http://www.iana.org/assignments/eap-numbers/eap-numbers.xml
--
-- Scripts can use the library to start an eap session and then to
-- send identity and nak responses to identity and authentication
-- requests made by AP authenticators to analyze their behaviour.
--
-- The following sample code illustrates how to respond to an identity
-- request:
--
--
-- pcap:pcap_open(iface.device, 512, true, "ether proto 0x888e")
-- ...
-- local _, _, l2_data, l3_data, _ = pcap:pcap_receive()
-- local pkt = eap.parse(l2_data .. l3_data3)
-- if pkt then
-- if pkt.eap.type == eap.eap_t.IDENTITY and pkt.eap.code == eap.code_t.REQUEST then
-- eap.send_identity_response(iface, pkt.eap.id, "anonymous")
-- end
-- end
--
--
--
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
--
-- @author Riccardo Cecolin
--
local math = require "math"
local nmap = require "nmap"
local packet = require "packet"
local stdnse = require "stdnse"
local string = require "string"
_ENV = stdnse.module("eap", stdnse.seeall)
-- Created 02/23/2012 - v0.1
local ETHER_BROADCAST = "01:80:c2:00:00:03"
local ETHER_HEADER_SIZE = 14
local EAPOL_HEADER_SIZE = 4
local EAP_HEADER_SIZE = 5
eapol_t = {
PACKET = 0,
START = 1,
LOGOFF = 2,
KEY = 3,
ASF = 4,
}
eapol_str = {
[0] = "EAP Packet",
[1] = "EAPOL Start",
[2] = "EAPOL Logoff",
[3] = "EAPOL Key",
[4] = "EAPOL Encapsulated ASF Alert",
}
code_t = {
REQUEST = 1,
RESPONSE = 2,
SUCCESS = 3,
FAILURE = 4,
INITIATE = 5,
FINISH = 6,
}
code_str = {
[1] = "Request",
[2] = "Response",
[3] = "Success",
[4] = "Failure",
[5] = "Initiate",
[6] = "Finish",
}
eap_t = {
IDENTITY = 1,
NAK = 3,
MD5 = 4,
TLS = 13,
TTLS = 21,
PEAP = 25,
MSCHAP = 29,
}
eap_str = {
[0] = "Reserved",
[1] = "Identity",
[2] = "Notification",
[3] = "Legacy Nak",
[4] = "MD5-Challenge",
[5] = "One-Time Password (OTP)",
[6] = "Generic Token Card (GTC)",
[7] = "Allocated",
[8] = "Allocated",
[9] = "RSA Public Key Authentication",
[10] = "DSS Unilateral",
[11] = "KEA",
[12] = "KEA-VALIDATE",
[13] = "EAP-TLS",
[14] = "Defender Token (AXENT)",
[15] = "RSA Security SecurID EAP",
[16] = "Arcot Systems EAP",
[17] = "EAP-Cisco Wireless",
[18] = "GSM Subscriber Identity Modules (EAP-SIM)",
[19] = "SRP-SHA1",
[20] = "Unassigned",
[21] = "EAP-TTLS",
[22] = "Remote Access Service",
[23] = "EAP-AKA Authentication",
[24] = "EAP-3Com Wireless",
[25] = "PEAP",
[26] = "MS-EAP-Authentication",
[27] = "Mutual Authentication w/Key Exchange (MAKE)",
[28] = "CRYPTOCard",
[29] = "EAP-MSCHAP-V2",
[30] = "DynamID",
[31] = "Rob EAP",
[32] = "Protected One-Time Password",
[33] = "MS-Authentication-TLV",
[34] = "SentriNET",
[35] = "EAP-Actiontec Wireless",
[36] = "Cogent Systems Biometrics Authentication EAP",
[37] = "AirFortress EAP",
[38] = "EAP-HTTP Digest",
[39] = "SecureSuite EAP",
[40] = "DeviceConnect EAP",
[41] = "EAP-SPEKE",
[42] = "EAP-MOBAC",
[43] = "EAP-FAST",
[44] = "ZoneLabs EAP (ZLXEAP)",
[45] = "EAP-Link",
[46] = "EAP-PAX",
[47] = "EAP-PSK",
[48] = "EAP-SAKE",
[49] = "EAP-IKEv2",
[50] = "EAP-AKA'",
[51] = "EAP-GPSK",
[52] = "EAP-pwd",
[53] = "EAP-EKE Version 1",
[54] = "EAP Method Type for PT-EAP",
[55] = "TEAP",
-- 56-253 Unassigned
[254] = "Reserved for the Expanded Type",
[255] = "Experimental",
}
local make_eapol = function (arg)
if not arg.src then return nil end
if not arg.type then arg.type = eapol_t.PACKET end
if not arg.version then arg.version = 1 end
if not arg.payload then arg.payload = "" end
local p = packet.Frame:new()
p.mac_src = arg.src
p.mac_dst = packet.mactobin(ETHER_BROADCAST)
p.ether_type = packet.ETHER_TYPE_EAPOL
p.buf = string.pack(">BBs2", arg.version, arg.type, arg.payload)
p:build_ether_frame()
return p.frame_buf
end
local make_eap = function (arg)
if not arg.header then return nil end
if not arg.code then arg.code = code_t.REQUEST end
if not arg.id then arg.id = math.random(0,255) end
if not arg.type then arg.type = eap_t.IDENTITY end
if not arg.payload then arg.payload = "" end
local bin_payload = arg.payload
arg.header.payload = string.pack(">BBI2B", arg.code, arg.id, #bin_payload + EAP_HEADER_SIZE, arg.type) .. bin_payload
local v = make_eapol(arg.header)
stdnse.debug2("make eapol %s", arg.header.src)
return v
end
parse = function (pkt)
local tb = {}
stdnse.debug2("packet size: 0x%x", #pkt )
-- parsing ethernet header
tb.mac_src, tb.mac_dst, tb.ether_type = string.unpack(">c6c6I2", pkt)
tb.mac_src_str = stdnse.tohex(tb.mac_src)
tb.mac_dst_str = stdnse.tohex(tb.mac_dst)
-- parsing eapol header
tb.version, tb.type, tb.length = string.unpack(">BBI2", pkt, ETHER_HEADER_SIZE + 1)
stdnse.debug1("mac_src: %s, mac_dest: %s, ether_type: 0x%X",
tb.mac_src_str, tb.mac_dst_str, tb.ether_type)
if tb.ether_type ~= packet.ETHER_TYPE_EAPOL then return nil, "not an eapol packet" end
stdnse.debug2("version: %X, type: %s, length: 0x%X",
tb.version, eapol_str[tb.type] or "unknown",
tb.length)
tb.eap = {}
if tb.length > 0 then
-- parsing body
tb.eap.code, tb.eap.id, tb.eap.length, tb.eap.type = string.unpack(">BBI2B", pkt,
ETHER_HEADER_SIZE + EAPOL_HEADER_SIZE + 1)
stdnse.debug2("code: %s, id: 0x%X, length: 0x%X, type: %s",
code_str[tb.eap.code] or "unknown",
tb.eap.id, tb.eap.length, eap_str[tb.eap.type] or "unknown" )
if tb.length ~= tb.eap.length then
stdnse.debug1("WARNING length mismatch: 0x%X and 0x%X", tb.length, tb.eap.length )
end
end
tb.eap.body = {}
-- parsing payload
if tb.length > 5 and tb.eap.type == eap_t.IDENTITY then
tb.eap.body.identity = string.unpack("z", pkt,
ETHER_HEADER_SIZE + EAPOL_HEADER_SIZE + EAP_HEADER_SIZE + 1)
stdnse.debug1("identity: %s", tb.eap.body.identity )
end
if tb.length > 5 and tb.eap.type == eap_t.MD5 then
tb.eap.body.challenge = string.unpack("s1", pkt, ETHER_HEADER_SIZE + EAPOL_HEADER_SIZE + EAP_HEADER_SIZE + 1)
end
return tb
end
send_identity_response = function (iface, id, identity)
if not iface then
stdnse.debug1("no interface given")
return
end
local dnet = nmap.new_dnet()
local tb = {src = iface.mac, type = eapol_t.PACKET}
local response = make_eap{header = tb, code = code_t.RESPONSE, type = eap_t.IDENTITY, id = id, payload = identity}
dnet:ethernet_open(iface.device)
dnet:ethernet_send(response)
dnet:ethernet_close()
end
send_nak_response = function (iface, id, auth)
if not iface then
stdnse.debug1("no interface given")
return
end
local dnet = nmap.new_dnet()
local tb = {src = iface.mac, type = eapol_t.PACKET}
local response = make_eap{header = tb, code = code_t.RESPONSE, type = eap_t.NAK, id = id, payload = string.pack("B",auth)}
dnet:ethernet_open(iface.device)
dnet:ethernet_send(response)
dnet:ethernet_close()
end
send_start = function (iface)
if not iface then
stdnse.debug1("no interface given")
return
end
local dnet = nmap.new_dnet()
local start = make_eapol{type = eapol_t.START, src = iface.mac}
dnet:ethernet_open(iface.device)
dnet:ethernet_send(start)
dnet:ethernet_close()
end
return _ENV;