Embed Size (px)
DESCRIPTION
This presentation covers different attacks that can be leveraged against wireless networks using Enterprise (802.1x) authentication. Attendees will learn about and see demonstrations of these attacks, many of which can be used to reveal the credentials used to join the wireless network. The presentation concludes with recommendations on how to defend against these attacks. Matt Neely (CISSP, CTGA, GCIH and GCWN) is the Profiling Team Manager at SecureState, a Cleveland Ohio based security consulting company. At SecureState, Matt and his team perform traditional penetration tests, physical penetration tests, web application security reviews and wireless security assessments. His research interests include the convergence of physical and logical security, cryptography and all things wireless. Matt is also a host on the Security Justice podcast.
Citation preview
Attacking WPA-Enterprise Wireless Networks
By: Matt Neely Presented: March 17, 2010 at NEO InfoSec Forum
Speaker Biography
• Matt Neely, CISSP, CTGA, GCIH, and GCWN – Manager of the Profiling Team at SecureState – Areas of expertise: wireless, penetration testing,
physical security, security convergence, and incident response
– Formed and ran the TSCM team at a Fortune 200 company
– Over 10 years of security experience • Outside of work:
– Co-host of the Security Justice podcast – Licensed amateur radio operator (Technician) for
almost 20 years • First radio I hacked:
– Fisher-Price Sky Talker walkie talkie
SecureState Overview
• Ohio-Based Company – Founded 2001
• 30+ Security Professionals
• Information Assurance & Protection
• Audit and business background (Big 10)
• Experts in ethical hacking across many specialized areas
CISSP – Certified Information Systems Security Professional CISM – Certified Information Security Manager CISA – Certified Information Systems Auditor QDSP – Qualified Data Security Professional GSEC – SANS GIAC Security Essentials NSA INFOSEC Assessment Methodology (IAM) Forensics – NTI, EnCase ANSI X9/TG-3
What You Will Learn Today
• Short history of wireless security • What is 802.11 Enterprise authentication • How PEAP works • How to attack WPA Enterprise networks • How to defend WPA Enterprise networks
Brief History of Wireless
• WEP died over a decade ago • Cisco released LEAP to make up for the deficiencies in
WEP – Proprietary and susceptible to brute force attacks
• WPA/WPA2 was developed to provide strong encryption and multiple authentication mechanisms
Brief History of Wireless - WPA
• WPA/WPA2 encryption and authentication options – Encryption
• WPA – TKIP (RC4 based algorithm) • WPA2 – CCMP (AES based algorithm)
– Authentication • Pre-Shared Key (PSK) Authentication
– Designed for home and small offices – Anything that uses a shared password is not secure
• Enterprise Authentication – Uses 802.1X as the authentication framework – Provides per-user or per-system authentication
802.1X In One Slide
• Provides network access authentication – EAP provides authentication – Access point handles encryption
(TKIP/CCMP) • Three components:
– Supplicant (Client) – Authenticator (AP) – Authentication Server (RADIUS
or IAS server) • Supplicant and authentication server
use an EAP type to authenticate
EAP
• Extensible Authentication Protocol (EAP) is an authentication framework
• 802.1X uses various EAP types to authenticate users – Common EAP types used with wireless: TLS, PEAP, TTLS, and
EAP-FAST – EAP type and configuration can greatly impact the security of the
wireless network • Breakdown of EAP deployments:
– 80% PEAP and TTLS – 15% EAP-FAST or LEAP – 5% TLS
Introduction To PEAP and TTLS
• EAP originally was designed to work over wired networks where interception required physical access.
• Interception is a larger concern on wireless networks. • Protected EAP (PEAP) and Tunneled Transport Layer Security
(TTLS) use TLS to protect legacy authentication protocols from interception.
• Both require a certificate on the RADIUS server for the Supplicant to validate server identity.
• PEAP supports MS-CHAPv2 as the inner authentication method. • TTLS supports a large number of inner authentication protocols
(MS-CHAPv2, CHAP, PAP, etc).
PEAP Using MS-CHAPv2
Importance of TLS Certificate Validation With PEAP
• Network SSID can be spoofed easily. • TLS provides a method for validating the access point
(Authenticator) and, therefore, the network. • Once the certificate from the Authenticator is validated,
the client passes authentication information to the network (Authentication Server).
• Authentication traffic is protected from eavesdropping by the TLS tunnel.
Web Browser SSL/TLS Validation
What happens when your wireless client trusts an
invalid certificate?
Vulnerable PEAP Misconfiguration One
• Many deployments disable all validation
• PEAP supplicant will trust any RADIUS server
How An Attacker Can Exploit This
• Attacker sets up a fake AP – Mirrors target network’s SSID, encryption type (WPA/WPA2),
and band (a/b/g/n) – Configures the AP to accept Enterprise authentication – Sets AP to visible
• Attacker connects the fake AP to the special FreeRADIUS-WPE server that captures and records all authentication requests
• Attacker waits for users to attach to the fake network and captures their credentials – Impatient attackers can de-auth clients from the legitimate
network • Attacker cracks the challenge/response pair to recover the password
FreeRADIUS-WPE
• Josh Wright created the Wireless Pwnage Edition (WPE) patch for FreeRADIUS 2.0.2
• Adds the following features: – Returns success for any authentication requests – Logs all authentication credentials
• Challenge/response • Password • Username
– Performs credential logging on PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP, and others
DEMO
DEMO
Vulnerable PEAP Misconfiguration Two
• Configuration: – “Validate server certificate”
is enabled – Default Wireless Zero
Configuration (WZC) settings
– Prompts users to validate server certificate
• Minimal detail is shown in the dialog box
• Attack: – Same attack applies but
requires users to validate the certificate
Vulnerable PEAP Misconfiguration Three
• Configuration: – “Validate server certificate” is
enabled – Trusted Root Certificate
Authority is selected – Does not validate certificate CN!
• Attack: – Sniffs a valid login and identifies
the CA of the TLS certificate – Purchases a certificate from the
trusted CA • Any CN value can be used
– Configures the RADIUS server to use this certificate
Concerns Around Mobile Devices
If At First You Don’t Succeed
• Some clients try multiple EAP types while trying to authenticate to a wireless network. – Easy for attackers to detect by analyzing a packet capture.
• Attackers can use this weakness to trick clients into authenticating to a fake AP with an insecure EAP type. – Often de-auth floods are used to prevent the client from
connecting to a legitimate AP.
SECURING WIRELESS NETWORKS
Encryption and Authentication
• Use CCMP for encryption – Migrate off TKIP – Never use WEP
• Use PEAP, TTLS, or TLS for authentication – TLS requires a PKI – Avoid Pre-Shared Keys (PSK)
• Anything that is shared is not secure • If you must use PSK, choose a unique SSID and use a
complex passphrase over 14 characters
Secure the Infrastructure
• Harden and patch the infrastructure: – Access points – Wireless controllers – Authentication servers
• Apply the latest service pack to Windows Internet Authentication Service (IAS) servers
• Do not use hidden access points • Make sure insecure EAP types such as MD5 are disabled • Prevent insecure clients from using the wireless network • Firewall and isolate the wireless network from the internal network
Wireless IDS
• Consider deploying a wireless IDS • Can detect:
– De-auth attacks – RTS and CTS denial of service attacks – Rogue APs
• Both on and off your wired network • Remember IDS is only detection and not prevention • Be very careful with wireless IPS
– IPS system could end up attacking neighboring networks • Wireless IDS will not protect users while traveling
Secure the Clients
• Require long and complex passwords • Apply all patches quickly
– Including firmware patches for wireless cards • Harden the system
– Run Anti-Virus software and keep definitions up to date – Have users login with a non-administrative level account – Encrypt sensitive data on drive – Turned on and configured personal firewall
• Disable ad-hoc networks • Prevent network bridging • Ensure the Supplicant is properly configured
Secure WZC PEAP Configuration
• Ensure the following items are configured: – Enable “Validate server
certificate” – Enable “Connect to these
servers” and specify the CN of the RADIUS server
– Under “Trusted Root Certificate Authorities” check ONLY the CA that issued the certificate
– Enable “Do not prompt user to authorize new servers or trusted certification authorities
• Enforceable through Group Policy • Refer to KB941123 for additional
information
Perform Regular Assessments
Act
• The Shewhart or Deming Cycle, used in Quality Assurance – instead of PDCA, it’s Check-Act-Plan-Do when relating to security strategy.
• It’s imperative to perform assessments on a regular basis. • Have a third party perform a wireless security assessment.
• Ensure the assessment includes architecture and client configuration reviews.
QUESTIONS? For More Information:
www.SecureState.com www.MatthewNeely.com @matthewneely
