EAP-PEAP-MSCHAPv2… Why you should (not) use it…

Transcript of the slide deck (26 slides)

Page 1:

EAP-PEAP-MSCHAPv2: Why you should (not) use it…

Page 2:

About me

– Herman Robers

– Background in network security engineering and consulting

– Joined WLAN industry: Aruba Networks in 2011

– Current: Aruba, a Hewlett Packard Enterprise company (the networking part of HPE)

– Twitter: @hrwlan

– ACCX, ACDX, CISSP certified

– Airheads community: Herman Robers

– Youtube: ABC Networking (youtube.com/c/ABCnetworking)

– Today: my personal opinion…

Page 3:

EAP-PEAP-MSCHAPv2

– Used for authentication and crypto setup in WPA2 Enterprise

– EAP in Wireless LANs: RFC 4017 https://www.ietf.org/rfc/rfc4017.txt

– PEAP, Protected EAP: EAP in a TLS tunnel; RFC draft https://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10

– PEAPv0 is what everyone uses; inner authentication MSCHAPv2 (password)…

– … but TLS (certificate authentication) is implemented as well, and EAP-SIM has been defined (never seen it).

– MSCHAPv2: RFC 2759 https://www.ietf.org/rfc/rfc2759.txt

[Diagram: client – PEAP outer tunnel – RADIUS server. Outer tunnel: PEAP, TLS with server cert, just like a website. Inner authentication: MSCHAPv2.]

Page 4:

EAP-PEAP-MSCHAPv2

– CHAP means challenge-response authentication protocol

– Authenticates a user through a challenge/response handshake, without sending the actual password over.

– Outer tunnel protects the MSCHAPv2 handshakes

[Diagram: client – PEAP outer tunnel – RADIUS server. Outer tunnel: PEAP, TLS with server cert, just like a website. Inner authentication: MSCHAPv2.]

Page 5:

MSCHAPv2: why & the issue

– MSCHAPv2 has been proven weak (broken) back in 1999:

– 1999: Bruce Schneier: Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) https://www.schneier.com/academic/archives/1999/09/cryptanalysis_of_mic_1.html

– Resulted in tools that can brute-force the password from collected challenge-responses. Best known: asleap (http://www.willhackforsushi.com/?page_id=41) (2007)

– … Don’t worry; it will get worse…

Source: Defcon 20, Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2

Page 6:

WARNING: Only try this at home! (if the law allows you to)

Attacking other people’s networks is probably illegal in your country. Attacking your own network and/or having/using the tools may even be illegal in your country.

Page 7:

Test setup

– AP: WPA2 EAP-PEAP, SSID: corporate-wpa2

– Evil Twin: WPA2 EAP-PEAP, SSID: corporate-wpa2

– Clients under attack

– hostapd-wpe: ‘Evil’ RADIUS


Page 9:

[Screenshots: Winphone, Windows 10, OSX Macbook; annotations: Outer tunnel, Inner tunnel, BINGO!]

Page 10:

[Screenshots: Windows Phone 8.1, Windows 10]

Page 11:

Meanwhile on the device…

Windows Phone 8.1

Apple OSX

Page 12:

… And the other devices

– Happily connect to the rogue AP/RADIUS, without any user intervention.

Page 13:

Now we have some challenge-responses…

File hashes4john.txt:


Page 14:

Cracking the hashes

kali:~# john --wordlist:/usr/share/wordlists/rockyou.txt --format=netntlm-naive hashes4john.txt

Note: this is just a virtual machine on a loaded ESXi server; nothing special…


Page 16:

So what if I bring up a corporate network, eduroam, well known provider network… Or use Karma (respond to any probe)?

(Kidding…)

Page 17:

But… you are cheating: my users pick very strong passwords!

– YEAH SURE!

– I told you it would get worse…

– Would this password be secure enough?

@1JBUwiIAsV#Dcl@uZaT3dS2Hh7f=kZS

Page 18:

So what if I have a strong password?

– In 2012 at Defcon 20, Moxie Marlinspike and David Hulton: https://www.youtube.com/watch?v=qjBHTS6BKX4

– Long story short:

– In MSCHAPv2 the only secret is the NTHash

– The NTHash, split into 3 parts, is used as the DES encryption keys for the Challenge-Response

– If you know the Challenge and the Response, you can brute-force the DES keys

– Due to some stupidities in the design, you can break the three DES keys in a single run, resulting in only 56-bit ‘complexity’

– DES hardware crackers can do this in a few hours; cloud services are available.

– CloudCracker (down) charged $17 US per crack.

– The NTHash is enough to log in to the network (or VPN, or improperly configured servers), or to authenticate a client on a rogue network
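The three-DES-key construction the slide describes, as an added example in Go (not code from the talk): it recomputes the MS-CHAPv2 NT-Response from an NTHash exactly as RFC 2759 specifies and checks it against the RFC's own section 9.2 test vector; the zero padding in ntResponse is where the 56-bit work factor comes from.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// RFC 2759 section 9.2 test vector (the RFC the slides link to). The 8-byte
// challenge is SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
const (
	challenge    = "d02e4386bce91226"
	passwordHash = "44ebba8d5312b8d611474411f56989ae" // NTHash = MD4(UTF-16LE("clientPass"))
	rfcResponse  = "82309ecd8d708b5ea08faa3981cd83544233114a3d85d6df"
)

func unhex(s string) []byte { b, _ := hex.DecodeString(s); return b }

// desKey spreads 7 key bytes over the 8-byte DES key layout; the low bit of each
// byte is the parity bit, which DES ignores, so it stays zero.
func desKey(k []byte) []byte {
	out := []byte{k[0] >> 1, k[0]<<6 | k[1]>>2, k[1]<<5 | k[2]>>3, k[2]<<4 | k[3]>>4,
		k[3]<<3 | k[4]>>5, k[4]<<2 | k[5]>>6, k[5]<<1 | k[6]>>7, k[6]}
	for i := range out {
		out[i] = (out[i] & 0x7f) << 1
	}
	return out
}

// ntResponse is RFC 2759 ChallengeResponse(): the 16-byte NTHash is zero-padded to
// 21 bytes and cut into three 7-byte DES keys that all encrypt the same 8-byte
// challenge. Keys 1 and 2 hold 56 secret bits each, key 3 only 16 (hash bytes
// 14-15 plus five known zeros); that structure is behind the 56-bit work factor.
func ntResponse(ntHash, chal []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		block, _ := des.NewCipher(desKey(padded[7*i : 7*i+7])) // 8-byte key, cannot fail
		block.Encrypt(resp[8*i:8*i+8], chal)
	}
	return resp
}

func main() {
	resp := ntResponse(unhex(passwordHash), unhex(challenge))
	fmt.Printf("NT-Response %x matches RFC 2759 vector: %v\n", resp, hex.EncodeToString(resp) == rfcResponse)
}
```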

Page 19:

Cloudcracker

– Original site seems down… long live archive.org: http://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

– Overview of the background.

Page 20:

No password needed to connect to the network!

– I don’t have the DES cracker in my office, so let’s cheat a bit and find the NTHash from the plaintext password:

– So this hash: 3975114583a053ba3a3101d756bf9281 would be the result of the CloudCracker (100% success rate in <24 hours!)

– We can use the NTHash to log in to the network! Or authenticate a client to my evil-twin AP…

– Note: this method also works for Windows computer authentication

% pass2ntlm.py '@1JBUwiIAsV#Dcl@uZaT3dS2Hh7f=kZS'

3975114583a053ba3a3101d756bf9281

Page 21:

Page 22:

Page 23:

What could I use for such an attack?

– Cheap, $20-40

– Small

– Runs OpenWRT, including some freely available software

– Freely available instructions (you might need to search a bit though)

– USB stick for unlimited storage

– Power via USB (Powerbank?!)

Page 24:

MSCHAPv2 cracking for dummies: workplan

– Start here: lure client

– Collect an MSCHAPv2 challenge-response

– Crack the NTHash

– Crack the password (dictionary, brute force)

– Login to the network

– Do other nasty things with the password (VPN? Webmail?)

Page 25:

Summary and next steps

– Don’t use MSCHAPv2 in WPA2 Enterprise WLAN authentication

– Yes, I know it is convenient…

– It is only secure if you have FULL control over your clients, like in an AD domain: follow the 1-2-3-4 protection rules

– You cannot trust your users to make these settings

– Android and derivatives (Kindle, Chromebook) are a disaster (on this subject)

– Windows, iOS, OSX, as strong as your users are (weak?!)

– Do not use MSCHAPv2 with accounts that have value (like Active Directory accounts)

– Alternative: use the opportunity to move away from passwords to certificates (TLS)

Page 26:

Thank you

Herman Robers

Twitter: @hrwlan