Extended Authentication Protocol (EAP) Vulnerabilities exploited through Rogue Access Points Stephen Cumella

Rogue Access Point Based MITM Attacks RAPs can be planted internally within corporate environment or setup in public areas with public internet access Evil Twin Attacks Preferred Network Lists MITM Attacks: All Network Traffic passes through the attacker’s device before being forwarded to the legitimate internet access point Even Secure Wireless networks that use WPA2 are vulnerable to this attack

MSCHAPv2 LEAP/PEAP Vulnerability Attacker can intercept any compromised device’s attempts to connect to their corporate network/encrypted tunnel Proven Weak all the way back in 1999 by Bruce Schneider’s Cryptanalysis of Microsoft’s PPTP Authentication Extensions (MSCHAPv2) The RAP can steal the device’s password Hash and use 3rd party programs to brute force the Hash This attack will bypass even the most robust WPA2 security protocols

Companies networks that implement Radius will be vulnerable to remote attacks without proper configuration Radius – Remote Authentication Dial-In User Service (RADIUS) Allows employees to connect to their company networks remotely as long as they pass the MSCHAPV2 Challenge the server gives them. If the attack succeeds, the hacker will be able to spoof his identity to the identity of the victim and remotely access all of the company files his victim would normally have access to. Company Network will think all is well and hand over requests as if the employee was requesting the data

Example of some EAP Data captured via MITM Attack: Mobile Devices attempting to connect to their company network through EAP will Hash the password that is susceptible to a MITM attack Password hash can be brute forced with proper tolls like Kali Linux, CloudCracker.com and John the Ripper

Attack is incredibly Cheap! No Special Equipment Necessary! Do not need a lot of processing power Can use devices like Raspberry Pi or any device capable of running openWRT to broadcast the RAP

Precautionary Prevention Against EAP Attacks Consider eliminating wireless access points in your corporate network, resort to direct connections only For BYOD corporate environments: enroll every new individual employee device to give it a unique certificate and pair the device’s MAC address with the server Turn off Device’s preferred network lists(PNL) so it will not automatically connect to insecure connections

Breakdown of MSCHAPv2 Authentication Protocol and primary vulnerability Even strong Passwords are vulnerable All the green represents data sent in the clear or data that can be derived from data in the clear NTHASH is the only thing attackers need to figure out If you know the Challenge and the Response, you can brute force the DES keys DES key is only 56-bit complexity so it is easy to brute force 3rd party sources like Cloud Cracker charge $17 a hack and can get this in a few hours

Precautionary Prevention Against EAP Attacks Continued Experts advise against using MSCHAPv2 in a company environment altogether however there are ways to make security more robust if switching is not an option Individual Device Enrollment that stores the device MAC address will also prevent an unauthorized device attempting to connect to the RADIUS server or onsite Network.

Moving Forward with Passive Network Rogue Access Point Scanning with DAIR systems DAIR- Dense Array of inexpensive computers All administrators felt that WLAN security was a problem Many of them would periodically walk around their buildings using WLAN scanning software looking for security vulnerabilities Some hired expensive outside consultants to conduct security vulnerability analyses of their WLAN deployment, only to conclude that what they really needed was an ongoing monitoring and alerting system. Most administrators believed that better systems to manage WLAN security are needed. DAIR passively scans corporate environments and checks for RAP through radio wave frequency scanning