Scapy fails to capture RADIUS responses

1.4k views Asked by At

I am trying to use Scapy to send a simple RADIUS access-request to my RADIUS server, but Scapy fails to catch the response. I have used tcpdump and a Scapy sniff to verify that the access-accept is in fact received by the client.

Here is my setup:

The Packet: (AVP is a custom built layer)

<IP  frag=0 proto=udp dst=10.200.202.19 |<UDP  sport=10999 dport=radius |<Radius  code=Access-Request authenticator='W\xe8\xe1\x81FD\xdalR,\x9e8?\x8e\xda&' |<AVP  type=User-Name data='testing' |<AVP  type=User-Password data=',\xea\x84p\x8b\x8e\x8bo\x1c\xa5P\x9cR\xea\xb5M' |<AVP  type=NAS-IP-Address data='127.0.1.1' |<AVP  type=NAS-Port data='0' |>>>>>>> 

2 terminals on the client side:

terminal 1

usesr:~$ sudo tcpdump -i eth0 'udp and port 1812'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
****SEND PACKET FROM OTHER TERMINAL****
18:05:47.567307 IP radclient.10999 > radserver.radius: RADIUS, Access Request (1), id: 0x00 length: 61
18:05:47.568041 IP radserver.radius > radclient.10999: RADIUS, Access Accept (2), id: 0x00 length: 20

terminal 2

>>> sr(pkt, iface='eth0', filter='udp and port 1812', timeout=5)
Begin emission:

.Finished to send 1 packets.
.
Received 2 packets, got 0 answers, remaining 1 packets
(<Results: TCP:0 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:1 ICMP:0 Other:0>)

I dug around the Scapy source code a bit and noticed that when looking for a response, we do two main things, compare the hashret() value of the received packet to the hashret() value of the sent packet, and we verify that recPkt.answeres(sentPkt) is true. To satisfy these checks, I did the following:

>>> a = sniff(iface='eth0', filter='udp and port 1812')
♥>>> a
<Sniffed: TCP:1 UDP:2 ICMP:0 Other:0>
>>> a.summary()
Ether / IP / TCP 10.200.202.191:ssh > 10.200.201.242:51044 PA / Raw
Ether / IP / UDP 10.200.202.191:10999 > 10.200.202.19:radius / Raw
Ether / IP / UDP 10.200.202.19:radius > 10.200.202.191:10999 / Raw / Padding
>>> a[1].hashret()
'\x00\x08\x00\x00\x00\xac\x11'
>>> a[2].hashret()
'\x00\x08\x00\x00\x00\xac\x11'
>>> a[2].answers(a[1])
1

After this, I started running a simple test in eclipse and trying to step through the program, from what I can tell, the sr() seems to miss the response altogether and subsequently never does any processing on it.

0

There are 0 answers