Skip to content

chungzi/apbleed

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6,995 Commits

doc

doc

 
 

eap_example

eap_example

 
 

hostapd

hostapd

 
 

hs20

hs20

 
 

mac80211_hwsim

mac80211_hwsim

 
 

patches

patches

 
 

radius_example

radius_example

 
 

src

src

 
 

tests

tests

 
 

wlantest

wlantest

 
 

wpa_supplicant

wpa_supplicant

 
 

wpadebug

wpadebug

 
 

wpaspy

wpaspy

 
 

.gitignore

.gitignore

 
 

Android.mk

Android.mk

 
 

CONTRIBUTIONS

CONTRIBUTIONS

 
 

COPYING

COPYING

 
 

README

README

 
 

README.md

README.md

 
 

build_release

build_release

 
 

Repository files navigation

Testing Servers

Testing whether servers are vulnerable is done using wpa_supplicant. Once connect to the AP it will listen on localhost:45678. You can now connect to this socket as if it were the actual RADIUS server. This allows you to use existing heartbleed tools to test the RADIUS server.

Installation

The default .config in this repository is sufficient for normal heartbleed testing. Hence simply execute the following to compile a working version:

git clone https://github.com/vanhoefm/apbleed.git
cd apbleed/wpa_supplicant
make

Usage

You begin the same way as any wpa_supplicant session. That means:

sudo ./wpa_supplicant -Dnl80211 -iwlan0 -cexample.conf

Modify example.conf to specify the AP you want to test. The example config file will attempt to connect to eduroam and test the radius server of example.com (which does not exist):

network={
    # 1. Filters to specify which network to test
    ssid="eduroam"
    key_mgmt=WPA-EAP

    # 2. Configure which RADIUS server (realm) to connect to.
    anonymous_identity="anonymous@example.com"

    # 3. Tell wpa_supp to listen at 127.0.0.1:56789 once connected
    eap=SOCKET
}

In general take the configuration file of a network and change the line eap=XXXX to eap=SOCKET and you are good to go. Once connected it will open a socket to which you must connect.

wlan2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
>> eap_socket_init

		==== ApBleed: connect to localhost:45678 ====

	Be fast enough, otherwise the connection will time out...

You can now use any heartbleed tool to test the server. For example with heartleech:

mathy@kali:~/heartleech$ ./heartleech 127.0.0.1 -p 45678

--- heartleech/1.0.0i ---
https://github.com/robertdavidgraham/heartleech
[-] PATCHED: heartBEAT received, but not BLEED

Remarks

The code has not been tested for reliability. Patches are welcome. Possible improvements:

  1. Detect the inner EAP method the server is expecting, and use that.
  2. Write the packets incapculsated in the EAP requests and responses to a .pcap file.
  3. Improved error handling.
  4. Improved packet forwarding.
  5. ...

Testing Clients

Testing clients has not yet been implemented. Look at the commits to see how to do this, it will be similar to testing servers. Patches are welcome.

About

apbleed

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages

  • C 87.2%
  • Python 9.3%
  • Makefile 1.3%
  • C++ 1.3%
  • Shell 0.4%
  • Java 0.3%
  • Other 0.2%