This document provides an overview of attacking WPA-Enterprise wireless networks. It discusses the history of wireless security including WEP and the development of WPA/WPA2. It then explains how 802.1X authentication works with EAP types like PEAP and TTLS. Specific misconfigurations of PEAP are demonstrated that could allow attackers to capture credentials by spoofing the network. Defensive techniques like validating certificates and hardening infrastructure/clients are recommended. Regular security assessments are advised to check vulnerabilities.

1. Attacking WPA-Enterprise
Wireless Networks
By: Matt Neely
Presented: March 17, 2010 at NEO InfoSec Forum

2. Speaker Biography
• Matt Neely, CISSP, CTGA, GCIH, and GCWN –
Manager of the Profiling Team at SecureState
– Areas of expertise: wireless, penetration testing,
physical security, security convergence, and
incident response
– Formed and ran the TSCM team at a Fortune 200
company
– Over 10 years of security experience
• Outside of work:
– Co-host of the Security Justice podcast
– Licensed amateur radio operator (Technician) for
almost 20 years
• First radio I hacked:
– Fisher-Price Sky Talker walkie talkie

3. SecureState Overview
• Ohio-Based Company CISSP – Certified Information Systems Security
– Founded 2001 Professional
CISM – Certified Information Security Manager
CISA – Certified Information Systems Auditor
• 30+ Security Professionals QDSP – Qualified Data Security Professional
GSEC – SANS GIAC Security Essentials
NSA INFOSEC Assessment Methodology (IAM)
• Information Assurance & Forensics – NTI, EnCase
Protection ANSI X9/TG-3
• Audit and business
background (Big 10)
• Experts in ethical hacking
across many specialized
areas

4. What You Will Learn Today
• Short history of wireless security
• What is 802.11 Enterprise authentication
• How PEAP works
• How to attack WPA Enterprise networks
• How to defend WPA Enterprise networks

5. Brief History of Wireless
• WEP died over a decade ago
• Cisco released LEAP to make up for the deficiencies in
WEP
– Proprietary and susceptible to brute force attacks
• WPA/WPA2 was developed to provide strong encryption
and multiple authentication mechanisms

6. Brief History of Wireless - WPA
• WPA/WPA2 encryption and authentication options
– Encryption
• WPA – TKIP (RC4 based algorithm)
• WPA2 – CCMP (AES based algorithm)
– Authentication
• Pre-Shared Key (PSK) Authentication
– Designed for home and small offices
– Anything that uses a shared password is not secure
• Enterprise Authentication
– Uses 802.1X as the authentication framework
– Provides per-user or per-system authentication

7. 802.1X In One Slide
• Provides network access
authentication
– EAP provides authentication
– Access point handles encryption
(TKIP/CCMP)
• Three components:
– Supplicant (Client)
– Authenticator (AP)
– Authentication Server (RADIUS
or IAS server)
• Supplicant and authentication server
use an EAP type to authenticate

8. EAP
• Extensible Authentication Protocol (EAP) is an authentication
framework
• 802.1X uses various EAP types to authenticate users
– Common EAP types used with wireless: TLS, PEAP, TTLS, and
EAP-FAST
– EAP type and configuration can greatly impact the security of the
wireless network
• Breakdown of EAP deployments:
– 80% PEAP and TTLS
– 15% EAP-FAST or LEAP
– 5% TLS

9. Introduction To PEAP and TTLS
• EAP originally was designed to work over wired networks where
interception required physical access.
• Interception is a larger concern on wireless networks.
• Protected EAP (PEAP) and Tunneled Transport Layer Security
(TTLS) use TLS to protect legacy authentication protocols from
interception.
• Both require a certificate on the RADIUS server for the Supplicant to
validate server identity.
• PEAP supports MS-CHAPv2 as the inner authentication method.
• TTLS supports a large number of inner authentication protocols
(MS-CHAPv2, CHAP, PAP, etc).

10. PEAP Using MS-CHAPv2

11. Importance of TLS Certificate Validation With PEAP
• Network SSID can be spoofed easily.
• TLS provides a method for validating the access point
(Authenticator) and, therefore, the network.
• Once the certificate from the Authenticator is validated,
the client passes authentication information to the
network (Authentication Server).
• Authentication traffic is protected from eavesdropping by
the TLS tunnel.

12. Web Browser SSL/TLS Validation

13. What happens when your
wireless client trusts an
invalid certificate?

14. Vulnerable PEAP Misconfiguration One
• Many deployments
disable all validation
• PEAP supplicant will trust
any RADIUS server

15. How An Attacker Can Exploit This
• Attacker sets up a fake AP
– Mirrors target network’s SSID, encryption type (WPA/WPA2),
and band (a/b/g/n)
– Configures the AP to accept Enterprise authentication
– Sets AP to visible
• Attacker connects the fake AP to the special FreeRADIUS-WPE
server that captures and records all authentication requests
• Attacker waits for users to attach to the fake network and captures
their credentials
– Impatient attackers can de-auth clients from the legitimate
network
• Attacker cracks the challenge/response pair to recover the password

16. FreeRADIUS-WPE
• Josh Wright created the Wireless Pwnage Edition (WPE) patch for
FreeRADIUS 2.0.2
• Adds the following features:
– Returns success for any authentication requests
– Logs all authentication credentials
• Challenge/response
• Password
• Username
– Performs credential logging on PEAP, TTLS, LEAP, EAP-MD5,
EAP-MSCHAPv2, PAP, CHAP, and others

17. DEMO

18. DEMO

19. Vulnerable PEAP Misconfiguration Two
• Configuration:
– “Validate server certificate”
is enabled
– Default Wireless Zero
Configuration (WZC)
settings
– Prompts users to validate
server certificate
• Minimal detail is shown
in the dialog box
• Attack:
– Same attack applies but
requires users to validate
the certificate

20. Vulnerable PEAP Misconfiguration Three
• Configuration:
– “Validate server certificate” is
enabled
– Trusted Root Certificate
Authority is selected
– Does not validate certificate CN!
• Attack:
– Sniffs a valid login and identifies
the CA of the TLS certificate
– Purchases a certificate from the
trusted CA
• Any CN value can be used
– Configures the RADIUS server
to use this certificate

21. Concerns Around Mobile Devices

22. If At First You Don’t Succeed
• Some clients try multiple EAP types while trying to authenticate to a
wireless network.
– Easy for attackers to detect by analyzing a packet capture.
• Attackers can use this weakness to trick clients into authenticating to
a fake AP with an insecure EAP type.
– Often de-auth floods are used to prevent the client from
connecting to a legitimate AP.

23. SECURING WIRELESS
NETWORKS

24. Encryption and Authentication
• Use CCMP for encryption
– Migrate off TKIP
– Never use WEP
• Use PEAP, TTLS, or TLS for authentication
– TLS requires a PKI
– Avoid Pre-Shared Keys (PSK)
• Anything that is shared is not secure
• If you must use PSK, choose a unique SSID and use a
complex passphrase over 14 characters

25. Secure the Infrastructure
• Harden and patch the infrastructure:
– Access points
– Wireless controllers
– Authentication servers
• Apply the latest service pack to Windows Internet
Authentication Service (IAS) servers
• Do not use hidden access points
• Make sure insecure EAP types such as MD5 are disabled
• Prevent insecure clients from using the wireless network
• Firewall and isolate the wireless network from the internal network

26. Wireless IDS
• Consider deploying a wireless IDS
• Can detect:
– De-auth attacks
– RTS and CTS denial of service attacks
– Rogue APs
• Both on and off your wired network
• Remember IDS is only detection and not prevention
• Be very careful with wireless IPS
– IPS system could end up attacking neighboring networks
• Wireless IDS will not protect users while traveling

27. Secure the Clients
• Require long and complex passwords
• Apply all patches quickly
– Including firmware patches for wireless cards
• Harden the system
– Run Anti-Virus software and keep definitions up to date
– Have users login with a non-administrative level account
– Encrypt sensitive data on drive
– Turned on and configured personal firewall
• Disable ad-hoc networks
• Prevent network bridging
• Ensure the Supplicant is properly configured

28. Secure WZC PEAP Configuration
• Ensure the following items are
configured:
– Enable “Validate server
certificate”
– Enable “Connect to these
servers” and specify the CN of
the RADIUS server
– Under “Trusted Root
Certificate Authorities” check
ONLY the CA that issued the
certificate
– Enable “Do not prompt user to
authorize new servers or
trusted certification authorities
• Enforceable through Group Policy
• Refer to KB941123 for additional
information

29. Perform Regular Assessments
Act
• The Shewhart or Deming Cycle, used in Quality Assurance –
instead of PDCA, it’s Check-Act-Plan-Do when relating to
security strategy.
• It’s imperative to perform assessments on a regular basis.
• Have a third party perform a wireless security assessment.
• Ensure the assessment includes architecture and client
configuration reviews.

30. QUESTIONS?
For More Information:
www.SecureState.com
www.MatthewNeely.com
@matthewneely