Transcript of EAP-PEAP-MSCHAPv2… (slide deck)
1
EAP-PEAP-MSCHAPv2: Why you should (not) use it…
2
About me
– Herman Robers
– Background in network security engineering and consulting
– Joined WLAN industry: Aruba Networks in 2011
– Current: Aruba, a Hewlett Packard Enterprise company (the networking part of HPE)
– Twitter: @hrwlan
– ACCX, ACDX, CISSP certified
– Airheads community: Herman Robers
– Youtube: ABC Networking (youtube.com/c/ABCnetworking)
– Today: my personal opinion…
3
EAP-PEAP-MSCHAPv2
– Used for authentication and crypto setup in WPA2 Enterprise
– EAP in Wireless LANs: RFC 4017 https://www.ietf.org/rfc/rfc4017.txt
– PEAP: Protected EAP: EAP in a TLS tunnel; RFC draft https://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10
– PEAPv0 is what everyone uses; inner authentication MSCHAPv2 (password)...
– ... but TLS (certificate authentication) is implemented as well; and EAP-SIM has been defined (never seen it).
– MSCHAPv2: RFC 2759 https://www.ietf.org/rfc/rfc2759.txt
Diagram: outer tunnel: PEAP, TLS with server cert (just like a website) to the RADIUS server; inner authentication: MSCHAPv2.
4
EAP-PEAP-MSCHAPv2
– CHAP means challenge response authentication protocol
– Authenticates a user by questioning/answering (handshakes) without sending the actual password over.
– Outer tunnel protects the MSCHAPv2 handshakes
5
MSCHAPv2: why & the issue
– MSCHAPv2 has been proven weak (broken) back in 1999:
– 1999: Bruce Schneier: Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) https://www.schneier.com/academic/archives/1999/09/cryptanalysis_of_mic_1.html
– Resulted in tools that can brute-force the password from collected challenge-responses. Best known: asleap (http://www.willhackforsushi.com/?page_id=41) (2007)
– … Don’t worry; it will get worse…
Source: Defcon 20, Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2
WARNING: Only try this at home! (if the law allows you to)
Attacking other people’s networks is probably illegal in your country. Attacking your own network and/or having/using the tools may even be illegal in your country.
7
Test setup
Diagram: AP (WPA2 EAP-PEAP, SSID: corporate-wpa2); evil twin (WPA2 EAP-PEAP, SSID: corporate-wpa2) with hostapd-wpe as ‘evil’ RADIUS; clients under attack.
9
Screenshots: Winphone, Windows 10, OSX Macbook; outer tunnel, inner tunnel, BINGO!
10
Screenshots: Windows Phone 8.1, Windows 10
11
Meanwhile on the device…
Screenshots: Windows Phone 8.1, Apple OSX
12
… and the other devices
– Happily connect to the rogue AP/RADIUS, without any user intervention.
13
Now we have some challenge-responses..
File hashes4john.txt:
win10.doe:$NETNTLM$065b3259a7c38a46$67f05bf1e944ad63033f083dace3bbebfb3766e7af8c4805
kindle.doe:$NETNTLM$ad985b8190684861$227dbc2b4978916804d194ae65804fbe70ddd2d578833d30
osx.doe:$NETNTLM$45a2b55b0beac2e5$dec93443784410a3542f1b54e14f9884ea90a012e1dfcdcd
kindle.doe:$NETNTLM$194e46fc539ec008$8d5d9a24432f16f106bd1e2e6940eea73553ebf4d4d221ce
ubuntu.doe:$NETNTLM$c0bb4f56dfe37d73$6c74a501020d32a0aa51f9a1777ed36e9c3a5cebb750f4f4
chromebook.doe:$NETNTLM$7012580be7e072a7$b7637c5192a4013b1e40c6ddbe17657fe9bb5295750e0326
14
Cracking the hashes
kali:~# john --wordlist:/usr/share/wordlists/rockyou.txt --format=netntlm-naive hashes4john.txt
Note: this is just a virtual machine on a loaded ESXi server; nothing special…
16
So what if I bring up a corporate network, eduroam, well known provider network… Or use Karma (respond to any probe)?
(Kidding..)
17
But… you are cheating: my users pick very strong passwords!
– YEAH SURE!
– I told you it gets worse...
– Would this password be secure enough?
@1JBUwiIAsV#Dcl@uZaT3dS2Hh7f=kZS
18
So what if I have a strong password?
– In 2012 at Defcon 20, Moxie Marlinspike and David Hulton: https://www.youtube.com/watch?v=qjBHTS6BKX4
– Long story short:
– In MSCHAPv2 the only secret is the NTHash
– NTHash is used in 3 parts as the encryption key for the ChallengeResponse
– If you know the Challenge and the Response, you can brute-force the DES keys
– Due to some stupidities, you can break the three DES keys in a single run, resulting in only 56-bit ‘complexity’
– DES hardware crackers can do this in a few hours; cloud services are available.
– CloudCracker (down) charged $17 US per crack.
– The NTHash is enough to log in to the network (or VPN, or improperly configured servers), or to authenticate a client on a rogue network
19
Cloudcracker
– Original site seems down… long live archive.org: http://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
– Overview of the backgrounds.
20
No password needed to connect to the network!
– I don’t have the DES cracker in my offices, so let's cheat a bit and find the NTHash from the plaintext password:
– So this hash: 3975114583a053ba3a3101d756bf9281 would be the result from CloudCracker (100% success rate in <24 hours!)
– We can use the NTHash to log in to the network! Or authenticate a client to my evil-twin AP…
– Note: this method also works for Windows computer authentication
% pass2ntlm.py '@1JBUwiIAsV#Dcl@uZaT3dS2Hh7f=kZS'
3975114583a053ba3a3101d756bf9281
23
What could I use for such an attack?
– Cheap, $20-40
– Small
– Runs OpenWRT including some free available SW
– Free available instructions (you might need to search a bit though)
– USB stick for unlimited storage
– Power via USB (Powerbank?!)
24
MSCHAPv2 cracking for dummies: workplan
Start here: Lure client → Collect an MSCHAPv2 challenge-response → Crack the NTHash → Crack password (dictionary, brute force) → Log in to the network → Do other nasty things with the password (VPN? Webmail)
25
Summary and next steps
– Don’t use MSCHAPv2 in WPA2 Enterprise WLAN authentication
– Yes, I know it is convenient…
– It is only secure if you have FULL control over your clients, like in an AD domain: Follow the 1-2-3-4 protection rules
– You cannot trust your users to make these settings
– Android and derivatives (Kindle, Chromebook) are a disaster (on this subject)
– Windows, iOS, OSX: as strong as your users are (weak?!)
– Do not use MSCHAPv2 with accounts that have value (like Active Directory accounts)
– Alternative: use the opportunity to move away from passwords to certificates (TLS)
Thank you. Herman Robers, Twitter: @hrwlan