#!/usr/bin/env python2
from __future__ import with_statement
# RADIUS comparison tee v1.0
# Sniffs local RADIUS traffic, replays incoming requests to a test
# server, and compares the sniffed responses with the responses
# generated by the test server.
#
# Copyright (c) 2009, Frontier Communications
# Copyright (c) 2010, John Morrissey <jwm@horde.net>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the Free
# Software Foundation; either version 2 of the License, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc., 59
# Temple Place, Suite 330, Boston, MA 02111-1307, USA.
# Requires
# ========
# - python 2.4 or newer
# - impacket
# - pcapy
# - pyrad, ideally 1.2 or newer
# Output
# ======
# - .: 50 successful, matching responses processed.
# - C=x.x.x.x: Ignored packet sniffed from unknown client.
# - D: Dropped sniffed packet due to processing bottleneck. Consider
# increasing THREADS.
# - I: Invalid/unparseable packet sniffed.
# - Mreq: Response was sniffed without sniffing a corresponding request.
# - Mresp: Request was sniffed without sniffing a corresponding response.
# - T: Request to test server timed out.
import fcntl
from getopt import gnu_getopt, GetoptError
import os
import Queue
import re
import signal
import socket
import struct
import sys
import thread
from threading import Thread
from time import sleep, time
from impacket.ImpactDecoder import EthDecoder
import pcapy
from pyrad.client import Client
from pyrad.dictionary import Dictionary
from pyrad import packet
TEST_DEST = 'server.example.com'
TEST_SECRET = 'examplesecret'
# Dictionary to use when decoding RADIUS packets. pyrad earlier than
# v1.2 can't parse $INCLUDE directives, so you must combine FreeRADIUS'
# dictionary manually, with something like this:
#
# import re
# import sys
#
# def combine(file):
# for line in open(file):
# matches = re.search(r'^\$INCLUDE\s+(.*)$', line)
# if not matches:
# sys.stdout.write(line)
# continue
#
# combine(matches.group(1))
#
# combine('/etc/freeradius/dictionary')
DICTIONARY = '/etc/freeradius/dictionary'
# Number of worker threads to run.
THREADS = 32
# Mapping of RADIUS request source addresses to shared secrets,
# so we can decode incoming RADIUS requests.
#
# For example:
# '127.0.0.1': 'test',
CLIENTS = {
}
# Ignore any sniffed requests from these IP addresses.
IGNORE_CLIENTS = [
]
# Expected mismatches to ignore and consider the packet matching.
# Only the differences are compared to these items, so only the
# differing attrs need be listed in the attrs array.
#
# Examples:
# - Ignore mismatched AccessRejects whose sole difference is a
# Reply-Message attribute with the values given.
# {
# 'sniffed': {
# 'code': packet.AccessReject,
# 'attrs': [
# 'Reply-Message=Request Denied',
# ],
# },
# 'test': {
# 'code': packet.AccessReject,
# 'attrs': [
# 'Reply-Message=Account is disabled.',
# ],
# }
# },
#
# - Ignore mismatched AccessRejects with Reply-Message=Request Denied
# and arbitrary Cisco dns-servers in the sniffed packet, and
# no Reply-Message and Cisco-AVPair attrs in the response from the
# test RADIUS server.
# {
# 'sniffed': {
# 'code': packet.AccessReject,
# 'attrs': [
# 'Reply-Message=Request Denied',
# 'regex:^Cisco-AVPair=ip:dns-servers=.*$',
# ],
# },
# 'test': {
# 'code': packet.AccessReject,
# 'attrs': [
# ],
# }
# },
#
# - Only apply this stanza to sniffed requests with
# 'User-Name= user@example.com' (note the leading whitespace).
# {
# 'check': [
# 'User-Name= user@example.com',
# ],
# 'sniffed': {
# 'code': packet.AccessReject,
# 'attrs': [
# 'Reply-Message=Request Denied',
# ],
# },
# 'test': {
# 'code': packet.AccessAccept,
# 'attrs': [
# 'Service-Type=Framed-User',
# 'Framed-Protocol=PPP',
# 'Framed-IP-Address=255.255.255.255',
# 'Framed-MTU=1500',
# 'Framed-Compression=Van-Jacobson-TCP-IP',
# ],
# }
# },
IGNORE = [
]
QUEUE = Queue.Queue(maxsize=25000)
DICT = Dictionary(DICTIONARY)
def code2str(code):
if code == packet.AccessRequest:
return "Access-Request"
elif code == packet.AccessAccept:
return "Access-Accept"
elif code == packet.AccessReject:
return "Access-Reject"
elif code == packet.AccountingRequest:
return "Accounting-Request"
elif code == packet.AccountingResponse:
return "Accounting-Response"
elif code == packet.AccessChallenge:
return "Access-Challenge"
elif code == packet.StatusServer:
return "Status-Server"
elif code == packet.StatusClient:
return "Status-Client"
elif code == packet.DisconnectRequest:
return "Disconnect-Request"
elif code == packet.DisconnectACK:
return "Disconnect-ACK"
elif code == packet.DisconnectNAK:
return "Disconnect-NAK"
elif code == packet.CoARequest:
return "CoA-Request"
elif code == packet.CoAACK:
return "CoA-ACK"
elif code == packet.CoANAK:
return "CoA-NAK"
def handlePacket(header, data):
"""Place captured packets in the queue to be picked up
by worker threads."""
global QUEUE
try:
QUEUE.put_nowait(data)
except Queue.Full:
sys.stdout.write('D')
sys.stdout.flush()
def ignore_applies(pkt, ignore):
"""Determine whether an ignore stanza (based on its check
items) applies to a packet."""
# All check items must match for this ignore stanza to apply.
stanza_applies = True
for pair in ignore.get('check', []):
attr, value = pair.split('=')
if attr not in pkt:
return False
if value.startswith('regex:'):
if not re.search(value.replace('regex:', '', 1), value):
return False
elif pkt[attr] != value:
return False
return True
def ignores_match(pkt, mismatched, ignore):
"""Determine whether mismatched AV pairs remain after accounting
for ignored differences."""
non_regex_ignore = [
q
for q
in ignore['attrs']
if not q.startswith('regex:')
]
regex_ignore = [
q
for q
in ignore['attrs']
if q.startswith('regex:')
]
unmatched_av = mismatched[:]
unmatched_rules = ignore['attrs'][:]
for av in mismatched:
if av in non_regex_ignore:
unmatched_av.remove(av)
unmatched_rules.remove(av)
continue
for regex in regex_ignore:
if re.search(regex.replace('regex:', '', 1), av):
unmatched_av.remove(av)
if regex in unmatched_rules:
unmatched_rules.remove(regex)
break
if unmatched_av or unmatched_rules:
return False
return True
def matches(req, sniffed_pkt, test_pkt):
"""Determine whether a response from the test server matches
the response sniffed from the wire, accounting for ignored
differences."""
global IGNORE
mis_attrs_sniffed = []
for k in sniffed_pkt.keys():
if sorted(sniffed_pkt[k]) == sorted(test_pkt.get(k, [])):
continue
mis_attrs_sniffed.append('%s=%s' % (
k, ', '.join([str(v) for v in sorted(sniffed_pkt[k])])))
mis_attrs_test = []
for k in test_pkt.keys():
if sorted(test_pkt[k]) == sorted(sniffed_pkt.get(k, [])):
continue
mis_attrs_test.append('%s=%s' % (
k, ', '.join([str(v) for v in sorted(test_pkt[k])])))
# The packets match without having to consider any ignores.
if sniffed_pkt.code == test_pkt.code and \
not mis_attrs_sniffed and not mis_attrs_test:
return True
for ignore in IGNORE:
if not ignore_applies(req, ignore):
continue
if ignore['sniffed']['code'] != sniffed_pkt.code or \
ignore['test']['code'] != test_pkt.code:
continue
if ignores_match(sniffed_pkt, mis_attrs_sniffed, i['sniffed']):
return True
if ignores_match(test_pkt, mis_attrs_test, i['test']):
return True
return False
def log_mismatch(nas, req, passwd, expected, got):
"""Emit notification that the test server has returned a response
that differs from the sniffed response."""
print 'Mismatch: %s' % nas
print 'Request: %s' % code2str(req.code)
for key in req.keys():
if key == 'User-Password':
print '\t%s: %s' % (key, passwd)
continue
print '\t%s: %s' % (
key, ', '.join([str(v) for v in req[key]]))
print 'Expected: %s' % code2str(expected.code)
for key in expected.keys():
print '\t%s: %s' % (
key, ', '.join([str(v) for v in expected[key]]))
print 'Got: %s' % code2str(got.code)
for key in got.keys():
print '\t%s: %s' % (
key, ', '.join([str(v) for v in got[key]]))
print
REQUESTS = {}
REQUESTS_LOCK = thread.allocate_lock()
NUM_SUCCESSFUL = 0
def check_for_match(key, req_resp):
"""Send a copy of the original request to the test server and
determine whether the response matches the response sniffed from
the wire."""
global DICT, NUM_SUCCESSFUL, TEST_DEST, TEST_SECRET
global REQUESTS, REQUESTS_LOCK
client = Client(server=TEST_DEST,
secret=TEST_SECRET, dict=DICT)
fwd_req = client.CreateAuthPacket(code=packet.AccessRequest)
fwd_req.authenticator = req_resp['req']['pkt'].authenticator
keys = req_resp['req']['pkt'].keys()
for k in keys:
for value in req_resp['req']['pkt'][k]:
fwd_req.AddAttribute(k, value)
if 'User-Password' in keys:
fwd_req['User-Password'] = fwd_req.PwCrypt(req_resp['req']['passwd'])
if 'NAS-IP-Address' in fwd_req:
del fwd_req['NAS-IP-Address']
fwd_req.AddAttribute('NAS-IP-Address', req_resp['req']['ip'])
try:
test_reply = client.SendPacket(fwd_req)
except:
# Request to test server timed out.
sys.stdout.write('T')
sys.stdout.flush()
with REQUESTS_LOCK:
del REQUESTS[key]
return
if not matches(req_resp['req']['pkt'],
req_resp['response']['pkt'], test_reply):
print
log_mismatch(req_resp['req']['ip'],
req_resp['req']['pkt'],
req_resp['req']['passwd'],
req_resp['response']['pkt'], test_reply)
with REQUESTS_LOCK:
# Occasionally, this key isn't present. Maybe retransmissions
# due to a short timeout on the remote RADIUS client's end
# and a subsequent race?
if key in REQUESTS:
del REQUESTS[key]
NUM_SUCCESSFUL += 1
if NUM_SUCCESSFUL % 50 == 0:
sys.stdout.write('.')
sys.stdout.flush()
class RadiusComparer(Thread):
def run(self):
global DICT, IGNORE_CLIENTS, QUEUE, REQUESTS, REQUESTS_LOCK
while True:
data = QUEUE.get()
if not data:
return
frame = EthDecoder().decode(data)
ip = frame.child()
udp = ip.child()
rad_raw = udp.child().get_buffer_as_string()
try:
pkt = packet.Packet(dict=DICT, packet=rad_raw)
except packet.PacketError:
sys.stdout.write('I')
sys.stdout.flush()
continue
if ip.get_ip_src() in IGNORE_CLIENTS:
continue
if pkt.code == packet.AccessRequest:
auth = packet.AuthPacket(data[42:])
auth.authenticator = pkt.authenticator
auth.secret = clients.CLIENTS.get(ip.get_ip_src(), None)
if not auth.secret:
# No configuration for this client.
sys.stdout.write('C=%s' % ip.get_ip_src())
sys.stdout.flush()
continue
passwd = None
if 'User-Password' in pkt.keys():
passwd = auth.PwDecrypt(pkt['User-Password'][0])
key = '%s:%d:%d' % (ip.get_ip_src(),
udp.get_uh_sport(), pkt.id)
do_compare = None
with REQUESTS_LOCK:
if key not in REQUESTS:
REQUESTS[key] = {}
REQUESTS[key]['req'] = {
'ip': ip.get_ip_src(),
'port': udp.get_uh_sport(),
'pkt': pkt,
'passwd': passwd,
}
REQUESTS[key]['tstamp'] = time()
if 'response' in REQUESTS[key]:
do_compare = REQUESTS[key]
if do_compare:
check_for_match(key, do_compare)
elif pkt.code in [packet.AccessAccept, packet.AccessReject]:
key = '%s:%d:%d' % (ip.get_ip_dst(),
udp.get_uh_dport(), pkt.id)
do_compare = None
with REQUESTS_LOCK:
if key not in REQUESTS:
REQUESTS[key] = {}
REQUESTS[key]['response'] = {
'ip': ip.get_ip_src(),
'port': udp.get_uh_sport(),
'pkt': pkt,
}
REQUESTS[key]['tstamp'] = time()
if 'req' in REQUESTS[key]:
do_compare = REQUESTS[key]
if do_compare:
check_for_match(key, do_compare)
else:
print >>sys.stderr, \
'Unsupported packet type received: %d' % pkt.code
class RequestsPruner(Thread):
"""Prune stale request state periodically."""
def run(self):
global REQUESTS, REQUESTS_LOCK
while True:
sleep(30)
now = time()
with REQUESTS_LOCK:
keys = REQUESTS.keys()
for key in keys:
if REQUESTS[key]['tstamp'] + 60 >= now:
continue
if 'req' not in REQUESTS[key]:
sys.stdout.write('Mreq')
sys.stdout.flush()
if 'response' not in REQUESTS[key]:
sys.stdout.write('Mresp')
sys.stdout.flush()
del REQUESTS[key]
def usage():
print 'Usage: %s INTERFACE' % os.path.basename(sys.argv[0])
print ''
print ' -h, --help display this help and exit'
if __name__ == '__main__':
global PID_FILE
progname = os.path.basename(sys.argv[0])
try:
options, iface = gnu_getopt(sys.argv[1:], 'h', ['help'])
except GetoptError, e:
print '%s: %s' % (progname, str(e))
usage()
sys.exit(1)
for option in options:
if option[0] == '-h' or option[0] == '--help':
usage()
sys.exit(0)
if len(iface) != 1:
usage()
sys.exit(1)
iface = iface[0]
if os.geteuid() != 0:
print >>sys.stderr, '%s: must be run as root.' % progname
sys.exit(1)
for i in range(0, THREADS):
RadiusComparer().start()
RequestsPruner().start()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# This is Linux-specific, and there's no tenable way to make
# it portable.
#
# Unfortunately, we need the interface's IP address to filter out
# only RADIUS traffic destined for this host (avoiding traffic sent
# *by* this host, such as proxied requests or our own traffic) to
# avoid replaying requests not directed to the local radiusd.
#
# Furthermore, this only obtains the interface's *first* IP address,
# so we won't notice traffic sent to additional IP addresses on
# the given interface.
#
# This is Good Enough For Me given the effort I care to invest.
# Of course, patches enhancing this are welcome.
if os.uname()[0] == 'Linux':
local_ipaddr = socket.inet_ntoa(fcntl.ioctl(
s.fileno(),
0x8915, # SIOCGIFADDR
struct.pack('256s', iface[:15])
)[20:24])
else:
raise Exception('Only the Linux operating system is currently supported.')
p = pcapy.open_live(iface, 1600, 0, 100)
p.setfilter('''
(dst host %s and udp and dst port 1812) or
(src host %s and udp and src port 1812)''' % \
(local_ipaddr, local_ipaddr))
while True:
try:
p.dispatch(1, handlePacket)
except KeyboardInterrupt:
sys.exit(0)