Looking toward the future and after a successful Wireshark capture of the relevant information, the next step would be to read the "login" half of the credentials (in my case, passed in plain-text) and then use either Hashcat or dechap to recover the "password" half of the credentials.
Here are three lines from a Wireshark capture that I performed some months ago --
No. Time Source Protocol Length Info
10 1.055028 JuniperN_ea:28:52 PPP CHAP 66 Challenge (NAME='nge001.ips', VALUE=0x86351c587caed0e81ca62cbf0b4dafcd6cf83237c2)
12 1.057853 Dell_c1:20:9e PPP CHAP 69 Response (NAME='burakkucat@talktalk', VALUE=0xf025510d4a8c1c1bc69f4a907e0163bb)
13 1.307018 JuniperN_ea:28:52 PPP CHAP 66 Success (MESSAGE='')
Of the two techniques, I suspect that dechap may prove to be the easier as both the size of the password (i.e. its "width") and the character set that is used are unknowns.
[Duo2 ~]$ dechap
dechap: a dictionary attack for captured PPPoE, RADIUS, L2TP, OSPF and BGP traffic.
Version v0.4 alpha, October 2013
Usage:
dechap -c capfile -w wordfile
Where capfile is a tcpdump-style .cap file containing PPPoE, RADIUS
or L2TP CHAP authentications or MD5 authenticated OSPF / BGP packets and
wordfile is a plain text file containing password guesses. VLAN tags
and MPLS labels are automatically stripped.
[Duo2 ~]$
If required, I have some code that will generate all permutations of a "password" of a specified "width" (i.e. size) using the full 95 character-set from " " (space) to "~" (tilde). So a sequence of wordfiles, of widths 1, 2, . . . , n-1, n, could be pre-computed for eventual supply to the dechap utility.
How much disk space will such wordfiles occupy? Let's derive the formula required . . .
Let $C$ be the character set size and $W$ be the width of a password.
Then the number of passwords,
$P = C^W$ [1]
Assuming that the wordfiles are generated on a Unix or Linux kernel-using system then there will be a new-line character at the end of each password.
Thus the size of the resultant file,
$T = P(W + 1)$ bytes. [2]
Substituting equation [1] for $P$ into equation [2] . . .
$T = C^W(W + 1)$ bytes.
So using a character-set size of 95 . . .
a wordfile containing passwords of width one would occupy $95^1(1 + 1) = 190$ bytes
a wordfile containing passwords of width five would occupy $95^5(5 + 1) \approx 4.64 \times 10^{10}$ bytes
a wordfile containing passwords of width ten would occupy $95^{10}(10 + 1) \approx 6.58 \times 10^{20}$ bytes
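
Added example, not part of the original post and not the poster's own code: a streaming generator that writes wordfiles of small widths and checks the measured byte count against T = C^W(W + 1), then uses the formula to find the largest width whose wordfiles (widths 1 to W combined) fit a given disk budget. The function names and the 1 TB budget are assumptions made for illustration.

```python
import io
import itertools

# Full printable ASCII set from " " (space) to "~" (tilde): 95 characters.
CHARSET = "".join(chr(c) for c in range(0x20, 0x7F))


def predicted_size(width, charset_size=len(CHARSET)):
    """T = C^W (W + 1): bytes in a wordfile with one LF after each password."""
    return charset_size ** width * (width + 1)


def write_wordfile(out, width, charset=CHARSET):
    """Stream every password of the given width to a binary file object,
    one per line, and return the number of bytes written."""
    written = 0
    for combo in itertools.product(charset, repeat=width):
        written += out.write(("".join(combo) + "\n").encode("ascii"))
    return written


def measured_size(width):
    """Generate the wordfile in memory and return its real size in bytes."""
    return write_wordfile(io.BytesIO(), width)


def largest_width_within(budget_bytes, charset_size=len(CHARSET)):
    """Largest W such that the wordfiles of widths 1..W together fit the budget."""
    total, width = 0, 0
    while total + predicted_size(width + 1, charset_size) <= budget_bytes:
        width += 1
        total += predicted_size(width, charset_size)
    return width


if __name__ == "__main__":
    # Only small widths are generated for real; larger ones use the formula.
    for w in (1, 2, 3):
        print(f"width {w}: measured {measured_size(w)}, predicted {predicted_size(w)}")
    for w in (5, 8, 10):
        print(f"width {w}: predicted {predicted_size(w):.3e} bytes")
    # Constructed budget of 1 TB (10**12 bytes).
    print("widths that fit in 1 TB:", largest_width_within(10**12))
```

Each extra character multiplies the wordfile size by roughly 95, so a 1 TB budget is exhausted at width five.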