Extended Authentication Protocol (EAP) Vulnerabilities exploited through Rogue Access Points Stephen Cumella.


1 Extended Authentication Protocol (EAP) Vulnerabilities exploited through Rogue Access Points
Stephen Cumella

2 Rogue Access Point Based MITM Attacks
- RAPs can be planted internally within a corporate environment or set up in public areas with public internet access
- Evil Twin Attacks
- Preferred Network Lists
- MITM Attacks: all network traffic passes through the attacker's device before being forwarded to the legitimate internet access point
- Even secure wireless networks that use WPA2 are vulnerable to this attack

3 MSCHAPv2 LEAP/PEAP Vulnerability
- Attacker can intercept any compromised device's attempts to connect to its corporate network/encrypted tunnel
- Proven weak as far back as 1999 by Bruce Schneier's cryptanalysis of Microsoft's PPTP Authentication Extensions (MSCHAPv2)
- The RAP can steal the device's password hash and use 3rd-party programs to brute force the hash
- This attack will bypass even the most robust WPA2 security protocols

4 Companies' networks that implement RADIUS will be vulnerable to remote attacks without proper configuration
- RADIUS: Remote Authentication Dial-In User Service
- Allows employees to connect to their company networks remotely as long as they pass the MSCHAPv2 challenge the server gives them
- If the attack succeeds, the hacker will be able to spoof the identity of the victim and remotely access all of the company files the victim would normally have access to
- The company network will think all is well and hand over requests as if the employee were requesting the data

5 Example of some EAP data captured via MITM attack:
- Mobile devices attempting to connect to their company network through EAP will hash the password, and that hash is susceptible to a MITM attack
- The password hash can be brute forced with the proper tools, like Kali Linux, CloudCracker.com and John the Ripper

6 Attack is incredibly cheap!
- No special equipment necessary!
- Does not need a lot of processing power
- Can use devices like a Raspberry Pi or any device capable of running OpenWrt to broadcast the RAP

7 Precautionary Prevention Against EAP Attacks
- Consider eliminating wireless access points in your corporate network and resort to direct connections only
- For BYOD corporate environments: enroll every new individual employee device to give it a unique certificate and pair the device's MAC address with the server
- Turn off the device's preferred network list (PNL) so it will not automatically connect to insecure networks

8 Breakdown of MSCHAPv2 Authentication Protocol and primary vulnerability
- Even strong passwords are vulnerable
- All the green represents data sent in the clear or data that can be derived from data in the clear
- NTHASH is the only thing attackers need to figure out
- If you know the challenge and the response, you can brute force the DES keys
- A DES key is only 56 bits, so it is easy to brute force
- 3rd-party sources like Cloud Cracker charge $17 a hack and can get this in a few hours

9 Precautionary Prevention Against EAP Attacks Continued
- Experts advise against using MSCHAPv2 in a company environment altogether; however, there are ways to make security more robust if switching is not an option
- Individual device enrollment that stores the device MAC address will also prevent an unauthorized device from connecting to the RADIUS server or onsite network.

10 Moving Forward with Passive Network Rogue Access Point Scanning with DAIR systems
- DAIR: Dense Array of Inexpensive Computers
- All administrators felt that WLAN security was a problem
- Many of them would periodically walk around their buildings using WLAN scanning software looking for security vulnerabilities
- Some hired expensive outside consultants to conduct security vulnerability analyses of their WLAN deployment, only to conclude that what they really needed was an ongoing monitoring and alerting system
- Most administrators believed that better systems to manage WLAN security are needed
- DAIR passively scans corporate environments and checks for RAPs through radio frequency scanning
