Attacking and Securing WPA Enterprise Networks
DESCRIPTION
This presentation covers different attacks that can be leveraged against wireless networks using Enterprise (802.1x) authentication. Attendees will learn about and see demonstrations of these attacks, many of which can be used to reveal the credentials used to join the wireless network. The presentation concludes with recommendations on how to defend against these attacks. Matt Neely (CISSP, CTGA, GCIH and GCWN) is the Profiling Team Manager at SecureState, a Cleveland Ohio based security consulting company. At SecureState, Matt and his team perform traditional penetration tests, physical penetration tests, web application security reviews and wireless security assessments. His research interests include the convergence of physical and logical security, cryptography and all things wireless. Matt is also a host on the Security Justice podcast.
TRANSCRIPT
Slide 1: Attacking WPA-Enterprise Wireless Networks
By: Matt Neely
Presented: March 17, 2010 at NEO InfoSec Forum
Slide 2: Speaker Biography
• Matt Neely, CISSP, CTGA, GCIH, and GCWN
  – Manager of the Profiling Team at SecureState
  – Areas of expertise: wireless, penetration testing, physical security, security convergence, and incident response
  – Formed and ran the TSCM team at a Fortune 200 company
  – Over 10 years of security experience
• Outside of work:
  – Co-host of the Security Justice podcast
  – Licensed amateur radio operator (Technician) for almost 20 years
• First radio I hacked:
  – Fisher-Price Sky Talker walkie talkie
Slide 3: SecureState Overview
• Ohio-Based Company – Founded 2001
• 30+ Security Professionals
• Information Assurance & Protection
• Audit and business background (Big 10)
• Experts in ethical hacking across many specialized areas
• CISSP – Certified Information Systems Security Professional
• CISM – Certified Information Security Manager
• CISA – Certified Information Systems Auditor
• QDSP – Qualified Data Security Professional
• GSEC – SANS GIAC Security Essentials
• NSA INFOSEC Assessment Methodology (IAM)
• Forensics – NTI, EnCase
• ANSI X9/TG-3
Slide 4: What You Will Learn Today
• Short history of wireless security
• What is 802.11 Enterprise authentication
• How PEAP works
• How to attack WPA Enterprise networks
• How to defend WPA Enterprise networks
Slide 5: Brief History of Wireless
• WEP died over a decade ago
• Cisco released LEAP to make up for the deficiencies in WEP
  – Proprietary and susceptible to brute force attacks
• WPA/WPA2 was developed to provide strong encryption and multiple authentication mechanisms
Slide 6: Brief History of Wireless - WPA
• WPA/WPA2 encryption and authentication options
  – Encryption
    • WPA – TKIP (RC4 based algorithm)
    • WPA2 – CCMP (AES based algorithm)
  – Authentication
    • Pre-Shared Key (PSK) Authentication
      – Designed for home and small offices
      – Anything that uses a shared password is not secure
    • Enterprise Authentication
      – Uses 802.1X as the authentication framework
      – Provides per-user or per-system authentication
Slide 7: 802.1X In One Slide
• Provides network access authentication
  – EAP provides authentication
  – Access point handles encryption (TKIP/CCMP)
• Three components:
  – Supplicant (Client)
  – Authenticator (AP)
  – Authentication Server (RADIUS or IAS server)
• Supplicant and authentication server use an EAP type to authenticate
Slide 8: EAP
• Extensible Authentication Protocol (EAP) is an authentication framework
• 802.1X uses various EAP types to authenticate users
  – Common EAP types used with wireless: TLS, PEAP, TTLS, and EAP-FAST
  – EAP type and configuration can greatly impact the security of the wireless network
• Breakdown of EAP deployments:
  – 80% PEAP and TTLS
  – 15% EAP-FAST or LEAP
  – 5% TLS
Slide 9: Introduction To PEAP and TTLS
• EAP originally was designed to work over wired networks where interception required physical access.
• Interception is a larger concern on wireless networks.
• Protected EAP (PEAP) and Tunneled Transport Layer Security (TTLS) use TLS to protect legacy authentication protocols from interception.
• Both require a certificate on the RADIUS server for the Supplicant to validate server identity.
• PEAP supports MS-CHAPv2 as the inner authentication method.
• TTLS supports a large number of inner authentication protocols (MS-CHAPv2, CHAP, PAP, etc).
Slide 10: PEAP Using MS-CHAPv2 (figure only)
Slide 11: Importance of TLS Certificate Validation With PEAP
• Network SSID can be spoofed easily.
• TLS provides a method for validating the access point (Authenticator) and, therefore, the network.
• Once the certificate from the Authenticator is validated, the client passes authentication information to the network (Authentication Server).
• Authentication traffic is protected from eavesdropping by the TLS tunnel.
Slide 12: Web Browser SSL/TLS Validation (figure only)
Slide 13: What happens when your wireless client trusts an invalid certificate?
Slide 14: Vulnerable PEAP Misconfiguration One
• Many deployments disable all validation
• PEAP supplicant will trust any RADIUS server
Slide 15: How An Attacker Can Exploit This
• Attacker sets up a fake AP
  – Mirrors target network’s SSID, encryption type (WPA/WPA2), and band (a/b/g/n)
  – Configures the AP to accept Enterprise authentication
  – Sets AP to visible
• Attacker connects the fake AP to the special FreeRADIUS-WPE server that captures and records all authentication requests
• Attacker waits for users to attach to the fake network and captures their credentials
  – Impatient attackers can de-auth clients from the legitimate network
• Attacker cracks the challenge/response pair to recover the password
Slide 16: FreeRADIUS-WPE
• Josh Wright created the Wireless Pwnage Edition (WPE) patch for FreeRADIUS 2.0.2
• Adds the following features:
  – Returns success for any authentication requests
  – Logs all authentication credentials
    • Challenge/response
    • Password
    • Username
  – Performs credential logging on PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP, and others
Slide 17: DEMO
Slide 18: DEMO
Slide 19: Vulnerable PEAP Misconfiguration Two
• Configuration:
  – “Validate server certificate” is enabled
  – Default Wireless Zero Configuration (WZC) settings
  – Prompts users to validate server certificate
    • Minimal detail is shown in the dialog box
• Attack:
  – Same attack applies but requires users to validate the certificate
Slide 20: Vulnerable PEAP Misconfiguration Three
• Configuration:
  – “Validate server certificate” is enabled
  – Trusted Root Certificate Authority is selected
  – Does not validate certificate CN!
• Attack:
  – Sniffs a valid login and identifies the CA of the TLS certificate
  – Purchases a certificate from the trusted CA
    • Any CN value can be used
  – Configures the RADIUS server to use this certificate
Slide 21: Concerns Around Mobile Devices (figure only)
Slide 22: If At First You Don’t Succeed
• Some clients try multiple EAP types while trying to authenticate to a wireless network.
  – Easy for attackers to detect by analyzing a packet capture.
• Attackers can use this weakness to trick clients into authenticating to a fake AP with an insecure EAP type.
  – Often de-auth floods are used to prevent the client from connecting to a legitimate AP.
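The downgrade behaviour on this slide is just as visible to the defender as to an attacker: the EAP exchange a client sends through the authenticator shows, in its Nak responses, every type it is willing to fall back to. The script below is an added example, not part of the talk and not code from any tool it names. It parses raw EAP packets using the RFC 3748 layout (Code, Identifier, Length, Type, Type-Data), collects the types the server offered and the types the client proposed in Nak responses, and flags MD5-Challenge and LEAP as weak fallbacks. The sample exchange it runs over is constructed for the example.

```python
"""EAP type-negotiation monitor: parse raw EAP frames (RFC 3748 layout) and
report the EAP types a client was willing to fall back to.

Added example for this slide; the frames below are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5 = 1, 3, 4
TYPE_TLS, TYPE_LEAP, TYPE_TTLS, TYPE_PEAP, TYPE_FAST = 13, 17, 21, 25, 43

TYPE_NAMES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
              17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
# Types that expose credential material outside any TLS tunnel.
WEAK_TYPES = {TYPE_MD5, TYPE_LEAP}


@dataclass
class EapFrame:
    code: int
    identifier: int
    eap_type: Optional[int]
    data: bytes


def parse_eap(raw: bytes) -> EapFrame:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field inconsistent with frame")
    body = raw[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without Type field")
        return EapFrame(code, ident, body[0], body[1:])
    return EapFrame(code, ident, None, body)  # Success/Failure carry no Type


def negotiated_types(frames: List[bytes]) -> Dict[str, object]:
    """Walk one client's EAP exchange and summarise the negotiation.

    Returns the types the server offered, the alternatives the client proposed
    in Nak responses, and which of those alternatives are weak.
    """
    offered, proposed = [], []
    for raw in frames:
        f = parse_eap(raw)
        if f.code == EAP_REQUEST and f.eap_type not in (TYPE_IDENTITY, None):
            offered.append(f.eap_type)
        elif f.code == EAP_RESPONSE and f.eap_type == TYPE_NAK:
            # Nak Type-Data is a list of one-byte desired types (RFC 3748 5.3)
            proposed.extend(f.data)
    weak = sorted(WEAK_TYPES & set(proposed))
    return {
        "offered": [TYPE_NAMES.get(t, str(t)) for t in offered],
        "proposed": [TYPE_NAMES.get(t, str(t)) for t in proposed],
        "weak_fallbacks": [TYPE_NAMES[t] for t in weak],
        "alert": bool(weak),
    }


def build_eap(code: int, ident: int, eap_type: Optional[int] = None,
              data: bytes = b"") -> bytes:
    """Encode an EAP packet; used here only to construct the sample exchange."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed exchange: the server offers PEAP, the client Naks and asks for
# MD5 or LEAP instead, i.e. the "tries multiple EAP types" behaviour above.
SAMPLE_EXCHANGE = [
    build_eap(EAP_REQUEST, 1, TYPE_IDENTITY),
    build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, b"CORP\\jdoe"),
    build_eap(EAP_REQUEST, 2, TYPE_PEAP, b"\x20"),  # PEAP Start flag
    build_eap(EAP_RESPONSE, 2, TYPE_NAK, bytes([TYPE_MD5, TYPE_LEAP])),
]

if __name__ == "__main__":
    print(negotiated_types(SAMPLE_EXCHANGE))
```

Run over EAPOL frames pulled from a capture (the EAP packet starts right after the 4-byte EAPOL header) or over RADIUS EAP-Message attributes on the server side; an `alert` of `True` identifies a supplicant profile that should be fixed to allow only the intended EAP type.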
Slide 23: SECURING WIRELESS NETWORKS
Slide 24: Encryption and Authentication
• Use CCMP for encryption
  – Migrate off TKIP
  – Never use WEP
• Use PEAP, TTLS, or TLS for authentication
  – TLS requires a PKI
  – Avoid Pre-Shared Keys (PSK)
    • Anything that is shared is not secure
    • If you must use PSK, choose a unique SSID and use a complex passphrase over 14 characters
Slide 25: Secure the Infrastructure
• Harden and patch the infrastructure:
  – Access points
  – Wireless controllers
  – Authentication servers
• Apply the latest service pack to Windows Internet Authentication Service (IAS) servers
• Do not use hidden access points
• Make sure insecure EAP types such as MD5 are disabled
• Prevent insecure clients from using the wireless network
• Firewall and isolate the wireless network from the internal network
Slide 26: Wireless IDS
• Consider deploying a wireless IDS
• Can detect:
  – De-auth attacks
  – RTS and CTS denial of service attacks
  – Rogue APs
    • Both on and off your wired network
• Remember IDS is only detection and not prevention
• Be very careful with wireless IPS
  – IPS system could end up attacking neighboring networks
• Wireless IDS will not protect users while traveling
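To make the "can detect de-auth attacks" item concrete, here is an added example of the simplest form of that check; it is not from the talk and not taken from any IDS product. It parses 802.11 deauthentication and disassociation management frames (frame control, addresses, reason code) and raises one alert when a BSSID emits more of them than a threshold allows inside a sliding time window. The frames, MAC addresses and the 10-frames-in-5-seconds threshold are constructed or assumed tuning values, and the detector stays on the detection side of the IDS/IPS line the slide draws.

```python
"""Deauthentication-flood detector over raw 802.11 management frames.

Added example for the Wireless IDS slide; the capture below is constructed and
the threshold/window are assumed tuning values, not figures from the talk.
"""
import struct
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

TYPE_MGMT = 0
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(frame: bytes) -> Optional[Tuple[int, str, str, str, Optional[int]]]:
    """Return (subtype, receiver, transmitter, bssid, reason) for a deauth or
    disassoc frame, or None for any other frame.
    Header layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != TYPE_MGMT or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack("<H", frame[24:26])[0] if len(frame) >= 26 else None
    return subtype, mac(a1), mac(a2), mac(a3), reason


class DeauthFloodDetector:
    """Alert once per BSSID when more than `threshold` deauth/disassoc frames
    are seen inside any `window` seconds."""

    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold, self.window = threshold, window
        self.history: Dict[str, Deque[float]] = defaultdict(deque)
        self.alerts: List[str] = []
        self.alerted = set()

    def feed(self, ts: float, frame: bytes) -> None:
        parsed = parse_mgmt(frame)
        if parsed is None:
            return
        subtype, rx, tx, bssid, reason = parsed
        q = self.history[bssid]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop frames outside the window
            q.popleft()
        if len(q) > self.threshold and bssid not in self.alerted:
            self.alerted.add(bssid)
            kind = "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc"
            target = "broadcast" if rx == BROADCAST else rx
            self.alerts.append(f"{kind} flood from {tx} on bssid {bssid} "
                               f"({len(q)} frames in {self.window}s, "
                               f"target {target}, reason {reason})")


def build_mgmt(subtype: int, rx: str, tx: str, bssid: str,
               reason: int = 7, seq: int = 0) -> bytes:
    """Encode a management frame; used only to construct the sample capture."""
    fc = bytes([subtype << 4 | TYPE_MGMT << 2, 0])
    hdr = (fc + b"\x00\x00" + bytes.fromhex(rx.replace(":", ""))
           + bytes.fromhex(tx.replace(":", "")) + bytes.fromhex(bssid.replace(":", ""))
           + struct.pack("<H", seq << 4))
    return hdr + struct.pack("<H", reason)


AP = "00:11:22:33:44:55"  # constructed BSSID
# Constructed capture: a burst of broadcast deauths with the AP's address as
# transmitter, followed much later by a single unicast disassoc that must not alert.
SAMPLE = [(0.01 * i, build_mgmt(SUBTYPE_DEAUTH, BROADCAST, AP, AP, seq=i))
          for i in range(25)]
SAMPLE.append((60.0, build_mgmt(SUBTYPE_DISASSOC, "aa:bb:cc:dd:ee:01", AP, AP, reason=8)))


def run(capture: List[Tuple[float, bytes]]) -> List[str]:
    det = DeauthFloodDetector()
    for ts, frame in capture:
        det.feed(ts, frame)
    return det.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE):
        print("ALERT:", alert)
```

A broadcast receiver address is the tell-tale of a flood aimed at every client of the AP; a real deployment would feed this from a monitor-mode capture and would tune the threshold per site, since busy APs legitimately send some disassociations.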
Slide 27: Secure the Clients
• Require long and complex passwords
• Apply all patches quickly
  – Including firmware patches for wireless cards
• Harden the system
  – Run Anti-Virus software and keep definitions up to date
  – Have users log in with a non-administrative level account
  – Encrypt sensitive data on drive
  – Turn on and configure the personal firewall
• Disable ad-hoc networks
• Prevent network bridging
• Ensure the Supplicant is properly configured
Slide 28: Secure WZC PEAP Configuration
• Ensure the following items are configured:
  – Enable “Validate server certificate”
  – Enable “Connect to these servers” and specify the CN of the RADIUS server
  – Under “Trusted Root Certificate Authorities” check ONLY the CA that issued the certificate
  – Enable “Do not prompt user to authorize new servers or trusted certification authorities”
• Enforceable through Group Policy
• Refer to KB941123 for additional information
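The WZC checklist has direct counterparts in wpa_supplicant on Linux, and the same three misconfigurations show up there: `ca_cert` is the equivalent of "Validate server certificate" with one trusted CA, and `domain_suffix_match` (or `subject_match`/`altsubject_match`) is the equivalent of "Connect to these servers". The auditor below is an added example, not from the talk and not a wpa_supplicant tool; the Windows-to-wpa_supplicant mapping is my assumption. It parses `wpa_supplicant.conf` network blocks and reports misconfiguration one (no CA, any RADIUS server trusted), misconfiguration three (CA trusted but server name not pinned), a `ca_cert` pointing at a public CA bundle (the equivalent of leaving every root checked), and a PAP inner method. Both configurations are constructed for the example.

```python
"""Audit wpa_supplicant.conf network blocks for the PEAP/TTLS server-validation
mistakes the talk describes.

Added example; not code from the talk. The two configs below are constructed,
and the mapping of WZC settings to wpa_supplicant options is an assumption.
"""
import re
from typing import Dict, List

ENTERPRISE_EAP = {"PEAP", "TTLS", "TLS"}
# Bundles that trust every public CA; pinning one of these is the Linux
# equivalent of leaving every root checked in the WZC dialog.
PUBLIC_BUNDLES = ("ca-certificates.crt", "ca-bundle.crt", "cert.pem")
SERVER_NAME_KEYS = ("domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return each network={...} block as a dict of key -> unquoted value."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf, re.S):
        net: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments
            if "=" in line:
                key, _, val = line.partition("=")
                net[key.strip()] = val.strip().strip('"')
        blocks.append(net)
    return blocks


def audit_network(net: Dict[str, str]) -> List[str]:
    """List the findings for one block; an empty list means it passes."""
    findings: List[str] = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings                               # PSK/open: out of scope here
    eap = net.get("eap", "").upper()
    if eap not in ENTERPRISE_EAP:
        findings.append(f"eap={eap or '(unset)'}: not a TLS-protected EAP type")
    ca = net.get("ca_cert")
    if not ca:
        findings.append("ca_cert unset: any RADIUS server is trusted (misconfiguration one)")
    else:
        if ca.endswith(PUBLIC_BUNDLES):
            findings.append(f"ca_cert={ca}: trusts every public CA, not only the issuing CA")
        if not any(k in net for k in SERVER_NAME_KEYS):
            findings.append("server name not pinned: any certificate from the trusted CA "
                            "is accepted (misconfiguration three)")
    if eap in ("PEAP", "TTLS") and "AUTH=PAP" in net.get("phase2", "").upper():
        findings.append("phase2 uses PAP: the inner password crosses the tunnel in clear")
    return findings


def audit(conf: str) -> Dict[str, List[str]]:
    """Map each SSID in the config to its findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


# Constructed sample: the first block has the weak settings, the second is hardened.
SAMPLE_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    # no ca_cert and no domain_suffix_match: trusts any RADIUS server
}
network={
    ssid="CorpWiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
'''

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or "OK")
```

The hardened block is the wpa_supplicant rendering of the slide: one dedicated CA file rather than the system bundle, and a pinned server name so that a certificate bought from the same CA with a different CN is rejected.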
Slide 29: Perform Regular Assessments
(figure: Deming cycle diagram)
• The Shewhart or Deming Cycle, used in Quality Assurance – instead of PDCA, it’s Check-Act-Plan-Do when relating to security strategy.
• It’s imperative to perform assessments on a regular basis.
• Have a third party perform a wireless security assessment.
• Ensure the assessment includes architecture and client configuration reviews.
Slide 30: QUESTIONS?
For More Information:
www.SecureState.com
www.MatthewNeely.com
@matthewneely