Transcript
Page 1: Attacking and Securing WPA Enterprise Networks

Attacking WPA-Enterprise Wireless Networks

By: Matt Neely
Presented: March 17, 2010 at NEO InfoSec Forum

Page 2

Speaker Biography

•  Matt Neely, CISSP, CTGA, GCIH, and GCWN
–  Manager of the Profiling Team at SecureState
–  Areas of expertise: wireless, penetration testing, physical security, security convergence, and incident response
–  Formed and ran the TSCM team at a Fortune 200 company
–  Over 10 years of security experience
•  Outside of work:
–  Co-host of the Security Justice podcast
–  Licensed amateur radio operator (Technician) for almost 20 years
•  First radio I hacked:
–  Fisher-Price Sky Talker walkie talkie

Page 3

SecureState Overview

•  Ohio-based company
–  Founded 2001
•  30+ security professionals
•  Information assurance & protection
•  Audit and business background (Big 10)
•  Experts in ethical hacking across many specialized areas

CISSP – Certified Information Systems Security Professional
CISM – Certified Information Security Manager
CISA – Certified Information Systems Auditor
QDSP – Qualified Data Security Professional
GSEC – SANS GIAC Security Essentials
NSA INFOSEC Assessment Methodology (IAM)
Forensics – NTI, EnCase
ANSI X9/TG-3

Page 4

What You Will Learn Today

•  Short history of wireless security
•  What 802.11 Enterprise authentication is
•  How PEAP works
•  How to attack WPA Enterprise networks
•  How to defend WPA Enterprise networks

Page 5

Brief History of Wireless

•  WEP was broken in 2001 and has been dead ever since
•  Cisco released LEAP to make up for the deficiencies in WEP
–  Proprietary, and its MS-CHAP challenge/response can be cracked offline with a dictionary attack (asleap)
•  WPA/WPA2 was developed to provide strong encryption and multiple authentication mechanisms

Page 6

Brief History of Wireless - WPA

•  WPA/WPA2 encryption and authentication options
–  Encryption
•  WPA – TKIP (RC4-based algorithm)
•  WPA2 – CCMP (AES-based algorithm)
–  Authentication
•  Pre-Shared Key (PSK) authentication
–  Designed for home and small offices
–  A single passphrase shared by every user cannot identify individuals, is rarely rotated, and can be attacked offline once a 4-way handshake is captured
•  Enterprise authentication
–  Uses 802.1X as the authentication framework
–  Provides per-user or per-system authentication

Page 7

802.1X In One Slide

•  Provides network access authentication
–  EAP provides the authentication
–  The access point handles encryption (TKIP/CCMP), using keys derived from the EAP exchange
•  Three components:
–  Supplicant (client)
–  Authenticator (AP)
–  Authentication Server (RADIUS or IAS server)
•  The Supplicant and the Authentication Server use an EAP type to authenticate; the Authenticator only relays the EAP messages between them

Page 8

EAP

•  Extensible Authentication Protocol (EAP) is an authentication framework, not a single method
•  802.1X uses various EAP types to authenticate users
–  Common EAP types used with wireless: TLS, PEAP, TTLS, and EAP-FAST
–  The EAP type and its configuration can greatly impact the security of the wireless network
•  Breakdown of EAP deployments:
–  80% PEAP and TTLS
–  15% EAP-FAST or LEAP
–  5% TLS

Page 9

Introduction To PEAP and TTLS

•  EAP was originally designed for wired networks, where interception required physical access.
•  Interception is a larger concern on wireless networks.
•  Protected EAP (PEAP) and Tunneled Transport Layer Security (TTLS) wrap legacy authentication protocols in a TLS tunnel to protect them from interception.
•  Both require a certificate on the RADIUS server; the Supplicant must validate it to know which network it is really talking to.
•  PEAP carries an inner EAP method; in practice this is almost always MS-CHAPv2 (EAP-MSCHAPv2).
•  TTLS supports a large number of inner authentication protocols (MS-CHAPv2, CHAP, PAP, etc.).

Page 10

PEAP Using MS-CHAPv2

Page 11

Importance of TLS Certificate Validation With PEAP

•  A network SSID can be spoofed easily; the SSID proves nothing about who runs the network.
•  TLS gives the client a way to validate the RADIUS server (Authentication Server) behind the access point, and therefore the network itself; the Authenticator only relays the EAP messages.
•  Only once that certificate is validated should the client send its authentication information (the MS-CHAPv2 response) through the tunnel to the Authentication Server.
•  Authentication traffic is protected from eavesdropping by the TLS tunnel, but only against parties that do not hold the private key of a certificate the client will accept.

Page 12

Web Browser SSL/TLS Validation

Page 13

What happens when your wireless client trusts an invalid certificate?

Page 14

Vulnerable PEAP Misconfiguration One

•  Many deployments disable all validation ("Validate server certificate" unchecked)
•  The PEAP supplicant will then build the TLS tunnel to any RADIUS server and hand it the user's MS-CHAPv2 challenge/response

Page 15

How An Attacker Can Exploit This

•  Attacker sets up a fake AP
–  Mirrors the target network's SSID, encryption type (WPA/WPA2), and band (a/b/g/n)
–  Configures the AP to accept Enterprise (802.1X) authentication
–  Sets the AP to visible (broadcast SSID)
•  Attacker connects the fake AP to the special FreeRADIUS-WPE server, which captures and records all authentication requests
•  Attacker waits for users to attach to the fake network and captures their credentials
–  Impatient attackers can de-auth clients from the legitimate network so they reconnect to the stronger (fake) signal
•  Attacker cracks the captured challenge/response pair offline (dictionary attack, e.g. asleap) to recover the password

Page 16

FreeRADIUS-WPE

•  Josh Wright created the Wireless Pwnage Edition (WPE) patch for FreeRADIUS 2.0.2
•  Adds the following features:
–  Returns success for any authentication request
–  Logs all authentication credentials:
•  Challenge/response
•  Password
•  Username
–  Performs credential logging for PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP, and others

Page 17

DEMO

Page 18

DEMO

Page 19

Vulnerable PEAP Misconfiguration Two

•  Configuration:
–  "Validate server certificate" is enabled
–  Otherwise the default Wireless Zero Configuration (WZC) settings
–  The user is prompted to accept the server certificate
•  Minimal detail is shown in the dialog box
•  Attack:
–  The same attack applies, but it depends on the user clicking through the certificate prompt

Page 20

Vulnerable PEAP Misconfiguration Three

•  Configuration:
–  "Validate server certificate" is enabled
–  A Trusted Root Certificate Authority is selected
–  The certificate CN (server name) is not validated!
•  Attack:
–  Sniffs a valid login and identifies the CA that issued the TLS certificate (the server certificate crosses the air in the clear during the TLS handshake)
–  Purchases a certificate from that trusted CA
•  Any CN value can be used, since the client only checks the issuer
–  Configures the rogue RADIUS server to use this certificate

Page 21

Concerns Around Mobile Devices

Page 22

If At First You Don't Succeed

•  Some clients try multiple EAP types while trying to authenticate to a wireless network.
–  Easy for attackers to detect by analyzing a packet capture, since the EAP type negotiation happens outside the TLS tunnel.
•  Attackers can use this weakness to trick clients into authenticating to a fake AP with an insecure EAP type.
–  Often de-auth floods are used to prevent the client from connecting to a legitimate AP.

Page 23

SECURING WIRELESS NETWORKS

Page 24

Encryption and Authentication

•  Use CCMP for encryption
–  Migrate off TKIP
–  Never use WEP
•  Use PEAP, TTLS, or TLS for authentication
–  TLS requires a PKI (client certificates)
–  Avoid Pre-Shared Keys (PSK)
•  Anything that is shared is not secure
•  If you must use PSK, choose a unique SSID and use a complex passphrase over 14 characters (the SSID is the salt in the PSK derivation, so common SSIDs have precomputed hash tables)

Page 25

Secure the Infrastructure

•  Harden and patch the infrastructure:
–  Access points
–  Wireless controllers
–  Authentication servers
•  Apply the latest service pack to Windows Internet Authentication Service (IAS) servers
•  Do not use hidden access points (hiding the SSID only makes clients probe for it everywhere they go)
•  Make sure insecure EAP types such as MD5 are disabled on the authentication server
•  Prevent insecure clients from using the wireless network
•  Firewall and isolate the wireless network from the internal network

Page 26

Wireless IDS

•  Consider deploying a wireless IDS
•  Can detect:
–  De-auth attacks
–  RTS and CTS denial of service attacks
–  Rogue APs, both on and off your wired network
•  Remember IDS is only detection, not prevention
•  Be very careful with wireless IPS
–  The IPS could end up attacking neighboring networks
•  Wireless IDS will not protect users while traveling

Page 27

Secure the Clients

•  Require long and complex passwords
•  Apply all patches quickly
–  Including firmware patches for wireless cards
•  Harden the system
–  Run anti-virus software and keep definitions up to date
–  Have users log in with a non-administrative account
–  Encrypt sensitive data on the drive
–  Turn on and configure the personal firewall
•  Disable ad-hoc networks
•  Prevent network bridging
•  Ensure the Supplicant is properly configured

Page 28

Secure WZC PEAP Configuration

•  Ensure the following items are configured:
–  Enable "Validate server certificate"
–  Enable "Connect to these servers" and specify the CN of the RADIUS server
–  Under "Trusted Root Certificate Authorities" check ONLY the CA that issued the certificate
–  Enable "Do not prompt user to authorize new servers or trusted certification authorities"
•  Enforceable through Group Policy
•  Refer to KB941123 for additional information
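The four WZC settings above map directly onto a wpa_supplicant network block, shown here as an added example that is not from the talk (which covers the Windows XP WZC dialog); the SSID, identity, CA bundle path and server name are placeholders. The first block is misconfiguration one from Page 14 (no CA, so any RADIUS server is accepted); the second closes misconfigurations one through three by pinning the issuing CA and requiring the server name, which is the "Connect to these servers" check.

```conf
# Weak profile (misconfiguration one): no ca_cert, so wpa_supplicant accepts any
# RADIUS certificate, builds the TLS tunnel to whoever answers, and sends the
# MS-CHAPv2 response inside it.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# Hardened profile: the same controls as the WZC checklist.
network={
    ssid="CorpWi-Fi"
    key_mgmt=WPA-EAP
    # CCMP only, no TKIP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    identity="alice"
    password="REPLACE-ME"
    # "Validate server certificate" against ONLY the issuing CA
    ca_cert="/etc/ssl/certs/corp-issuing-ca.pem"
    # "Connect to these servers": exact match on the server name (SAN dNSName or CN)
    domain_match="radius.corp.example.com"
    # fixed PEAP version and inner method, nothing left to negotiate
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

wpa_supplicant never prompts the user, so the "Do not prompt" setting has no equivalent: a certificate that fails the CA or name check simply fails the connection, which is the behaviour the slide asks for.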

Page 29

Perform Regular Assessments

•  The Shewhart or Deming Cycle, used in Quality Assurance: instead of Plan-Do-Check-Act (PDCA), it is Check-Act-Plan-Do when applied to security strategy (assess first, then fix).
•  It is imperative to perform assessments on a regular basis.
•  Have a third party perform a wireless security assessment.
•  Ensure the assessment includes architecture and client configuration reviews.

Page 30

QUESTIONS?

For More Information:
www.SecureState.com
www.MatthewNeely.com
@matthewneely