Attacking WPA-Enterprise
    Wireless Networks
                  By: Matt Neely
  Presented: March 17, 2010 at NEO InfoSec...
Speaker Biography



•  Matt Neely, CISSP, CTGA, GCIH, and GCWN –
   Manager of the Profiling Team at SecureState
    –  A...
SecureState Overview



•  Ohio-Based Company           CISSP – Certified Information Systems Security
    –  Founded 2001...
What You Will Learn Today



•    Short history of wireless security
•    What is 802.11 Enterprise authentication
•    Ho...
Brief History of Wireless


•  WEP died over a decade ago
•  Cisco released LEAP to make up for the deficiencies in
   WEP...
Brief History of Wireless - WPA


•  WPA/WPA2 encryption and authentication options
   –  Encryption
       •  WPA – TKIP ...
802.1X In One Slide


•  Provides network access
   authentication
    –  EAP provides authentication
    –  Access point ...
EAP



•  Extensible Authentication Protocol (EAP) is an authentication
   framework
•  802.1X uses various EAP types to a...
Introduction To PEAP and TTLS



•  EAP originally was designed to work over wired networks where
   interception required...
PEAP Using MS-CHAPv2
Importance of TLS Certificate Validation With PEAP




•  Network SSID can be spoofed easily.
•  TLS provides a method for...
Web Browser SSL/TLS Validation
What happens when your
 wireless client trusts an
    invalid certificate?
Vulnerable PEAP Misconfiguration One



•  Many deployments
   disable all validation
•  PEAP supplicant will trust
   any...
How An Attacker Can Exploit This



•  Attacker sets up a fake AP
    –  Mirrors target network’s SSID, encryption type (W...
FreeRADIUS-WPE



•  Josh Wright created the Wireless Pwnage Edition (WPE) patch for
   FreeRADIUS 2.0.2
•  Adds the follo...
DEMO
DEMO
Vulnerable PEAP Misconfiguration Two



•  Configuration:
    –  “Validate server certificate”
       is enabled
    –  De...
Vulnerable PEAP Misconfiguration Three


•    Configuration:
      –  “Validate server certificate” is
         enabled
  ...
Concerns Around Mobile Devices
If At First You Don’t Succeed



•  Some clients try multiple EAP types while trying to authenticate to a
   wireless netw...
SECURING WIRELESS
NETWORKS
Encryption and Authentication



•  Use CCMP for encryption
    –  Migrate off TKIP
    –  Never use WEP
•  Use PEAP, TTLS...
Secure the Infrastructure



•  Harden and patch the infrastructure:
    –  Access points
    –  Wireless controllers
    ...
Wireless IDS



•  Consider deploying a wireless IDS
•  Can detect:
    –  De-auth attacks
    –  RTS and CTS denial of se...
Secure the Clients



•  Require long and complex passwords
•  Apply all patches quickly
    –  Including firmware patches...
Secure WZC PEAP Configuration


•    Ensure the following items are
     configured:
      –  Enable “Validate server
    ...
Perform Regular Assessments




                         Act




•  The Shewhart or Deming Cycle, used in Quality Assuranc...
QUESTIONS?
For More Information:
       www.SecureState.com
       www.MatthewNeely.com
       @matthewneely
Upcoming SlideShare
Loading in...5
×

Attacking and Securing WPA Enterprise Networks

18,000

Published on

This presentation covers different attacks that can be leveraged against wireless networks using Enterprise (802.1x) authentication. Attendees will learn about and see demonstrations of these attacks, many of which can be used to reveal the credentials used to join the wireless network. The presentation concludes with recommendations on how to defend against these attacks.

Matt Neely (CISSP, CTGA, GCIH and GCWN) is the Profiling Team Manager at SecureState, a Cleveland Ohio based security consulting company. At SecureState, Matt and his team perform traditional penetration tests, physical penetration tests, web application security reviews and wireless security assessments. His research interests include the convergence of physical and logical security, cryptography and all things wireless. Matt is also a host on the Security Justice podcast.

Published in: Technology
0 Comments
8 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
18,000
On Slideshare
0
From Embeds
0
Number of Embeds
9
Actions
Shares
0
Downloads
387
Comments
0
Likes
8
Embeds 0
No embeds

No notes for slide

Attacking and Securing WPA Enterprise Networks

  1. 1. Attacking WPA-Enterprise Wireless Networks By: Matt Neely Presented: March 17, 2010 at NEO InfoSec Forum
  2. 2. Speaker Biography •  Matt Neely, CISSP, CTGA, GCIH, and GCWN – Manager of the Profiling Team at SecureState –  Areas of expertise: wireless, penetration testing, physical security, security convergence, and incident response –  Formed and ran the TSCM team at a Fortune 200 company –  Over 10 years of security experience •  Outside of work: –  Co-host of the Security Justice podcast –  Licensed amateur radio operator (Technician) for almost 20 years •  First radio I hacked: –  Fisher-Price Sky Talker walkie talkie
  3. 3. SecureState Overview •  Ohio-Based Company CISSP – Certified Information Systems Security –  Founded 2001 Professional CISM – Certified Information Security Manager CISA – Certified Information Systems Auditor •  30+ Security Professionals QDSP – Qualified Data Security Professional GSEC – SANS GIAC Security Essentials NSA INFOSEC Assessment Methodology (IAM) •  Information Assurance & Forensics – NTI, EnCase Protection ANSI X9/TG-3 •  Audit and business background (Big 10) •  Experts in ethical hacking across many specialized areas
  4. 4. What You Will Learn Today •  Short history of wireless security •  What is 802.11 Enterprise authentication •  How PEAP works •  How to attack WPA Enterprise networks •  How to defend WPA Enterprise networks
  5. 5. Brief History of Wireless •  WEP died over a decade ago •  Cisco released LEAP to make up for the deficiencies in WEP –  Proprietary and susceptible to brute force attacks •  WPA/WPA2 was developed to provide strong encryption and multiple authentication mechanisms
  6. 6. Brief History of Wireless - WPA •  WPA/WPA2 encryption and authentication options –  Encryption •  WPA – TKIP (RC4 based algorithm) •  WPA2 – CCMP (AES based algorithm) –  Authentication •  Pre-Shared Key (PSK) Authentication –  Designed for home and small offices –  Anything that uses a shared password is not secure •  Enterprise Authentication –  Uses 802.1X as the authentication framework –  Provides per-user or per-system authentication
  7. 7. 802.1X In One Slide •  Provides network access authentication –  EAP provides authentication –  Access point handles encryption (TKIP/CCMP) •  Three components: –  Supplicant (Client) –  Authenticator (AP) –  Authentication Server (RADIUS or IAS server) •  Supplicant and authentication server use an EAP type to authenticate
  8. 8. EAP •  Extensible Authentication Protocol (EAP) is an authentication framework •  802.1X uses various EAP types to authenticate users –  Common EAP types used with wireless: TLS, PEAP, TTLS, and EAP-FAST –  EAP type and configuration can greatly impact the security of the wireless network •  Breakdown of EAP deployments: –  80% PEAP and TTLS –  15% EAP-FAST or LEAP –  5% TLS
  9. 9. Introduction To PEAP and TTLS •  EAP originally was designed to work over wired networks where interception required physical access. •  Interception is a larger concern on wireless networks. •  Protected EAP (PEAP) and Tunneled Transport Layer Security (TTLS) use TLS to protect legacy authentication protocols from interception. •  Both require a certificate on the RADIUS server for the Supplicant to validate server identity. •  PEAP supports MS-CHAPv2 as the inner authentication method. •  TTLS supports a large number of inner authentication protocols (MS-CHAPv2, CHAP, PAP, etc).
  10. 10. PEAP Using MS-CHAPv2
  11. 11. Importance of TLS Certificate Validation With PEAP •  Network SSID can be spoofed easily. •  TLS provides a method for validating the access point (Authenticator) and, therefore, the network. •  Once the certificate from the Authenticator is validated, the client passes authentication information to the network (Authentication Server). •  Authentication traffic is protected from eavesdropping by the TLS tunnel.
  12. 12. Web Browser SSL/TLS Validation
  13. 13. What happens when your wireless client trusts an invalid certificate?
  14. 14. Vulnerable PEAP Misconfiguration One •  Many deployments disable all validation •  PEAP supplicant will trust any RADIUS server
  15. 15. How An Attacker Can Exploit This •  Attacker sets up a fake AP –  Mirrors target network’s SSID, encryption type (WPA/WPA2), and band (a/b/g/n) –  Configures the AP to accept Enterprise authentication –  Sets AP to visible •  Attacker connects the fake AP to the special FreeRADIUS-WPE server that captures and records all authentication requests •  Attacker waits for users to attach to the fake network and captures their credentials –  Impatient attackers can de-auth clients from the legitimate network •  Attacker cracks the challenge/response pair to recover the password
  16. 16. FreeRADIUS-WPE •  Josh Wright created the Wireless Pwnage Edition (WPE) patch for FreeRADIUS 2.0.2 •  Adds the following features: –  Returns success for any authentication requests –  Logs all authentication credentials •  Challenge/response •  Password •  Username –  Performs credential logging on PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP, and others
  17. 17. DEMO
  18. 18. DEMO
  19. 19. Vulnerable PEAP Misconfiguration Two •  Configuration: –  “Validate server certificate” is enabled –  Default Wireless Zero Configuration (WZC) settings –  Prompts users to validate server certificate •  Minimal detail is shown in the dialog box •  Attack: –  Same attack applies but requires users to validate the certificate
  20. 20. Vulnerable PEAP Misconfiguration Three •  Configuration: –  “Validate server certificate” is enabled –  Trusted Root Certificate Authority is selected –  Does not validate certificate CN! •  Attack: –  Sniffs a valid login and identifies the CA of the TLS certificate –  Purchases a certificate from the trusted CA •  Any CN value can be used –  Configures the RADIUS server to use this certificate
  21. 21. Concerns Around Mobile Devices
  22. 22. If At First You Don’t Succeed •  Some clients try multiple EAP types while trying to authenticate to a wireless network. –  Easy for attackers to detect by analyzing a packet capture. •  Attackers can use this weakness to trick clients into authenticating to a fake AP with an insecure EAP type. –  Often de-auth floods are used to prevent the client from connecting to a legitimate AP.
  23. 23. SECURING WIRELESS NETWORKS
  24. 24. Encryption and Authentication •  Use CCMP for encryption –  Migrate off TKIP –  Never use WEP •  Use PEAP, TTLS, or TLS for authentication –  TLS requires a PKI –  Avoid Pre-Shared Keys (PSK) •  Anything that is shared is not secure •  If you must use PSK, choose a unique SSID and use a complex passphrase over 14 characters
  25. 25. Secure the Infrastructure •  Harden and patch the infrastructure: –  Access points –  Wireless controllers –  Authentication servers •  Apply the latest service pack to Windows Internet Authentication Service (IAS) servers •  Do not use hidden access points •  Make sure insecure EAP types such as MD5 are disabled •  Prevent insecure clients from using the wireless network •  Firewall and isolate the wireless network from the internal network
  26. 26. Wireless IDS •  Consider deploying a wireless IDS •  Can detect: –  De-auth attacks –  RTS and CTS denial of service attacks –  Rogue APs •  Both on and off your wired network •  Remember IDS is only detection and not prevention •  Be very careful with wireless IPS –  IPS system could end up attacking neighboring networks •  Wireless IDS will not protect users while traveling
  27. 27. Secure the Clients •  Require long and complex passwords •  Apply all patches quickly –  Including firmware patches for wireless cards •  Harden the system –  Run Anti-Virus software and keep definitions up to date –  Have users login with a non-administrative level account –  Encrypt sensitive data on drive –  Turned on and configured personal firewall •  Disable ad-hoc networks •  Prevent network bridging •  Ensure the Supplicant is properly configured
  28. 28. Secure WZC PEAP Configuration •  Ensure the following items are configured: –  Enable “Validate server certificate” –  Enable “Connect to these servers” and specify the CN of the RADIUS server –  Under “Trusted Root Certificate Authorities” check ONLY the CA that issued the certificate –  Enable “Do not prompt user to authorize new servers or trusted certification authorities •  Enforceable through Group Policy •  Refer to KB941123 for additional information
  29. 29. Perform Regular Assessments Act •  The Shewhart or Deming Cycle, used in Quality Assurance – instead of PDCA, it’s Check-Act-Plan-Do when relating to security strategy. •  It’s imperative to perform assessments on a regular basis. •  Have a third party perform a wireless security assessment. •  Ensure the assessment includes architecture and client configuration reviews.
  30. 30. QUESTIONS? For More Information: www.SecureState.com www.MatthewNeely.com @matthewneely
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×