Although this doesn't prove anything that hasn't already been proven, seeing often cements belief much more effectively than reading. In this video, I compromise access to three separate wireless networks using three separate authentication and encryption schemes.
Test Networks - The Victims:
- ClientGuest: WEP-128 PSK
Full Disclosure - This video is different from a real-world attack in the following ways:
- For the 802.1x compromise, I used supplicants that are either not configured to validate the RADIUS certificate or bypassed the warning screen that discloses that the RADIUS server is serving an untrusted certificate.
- Also for the 802.1x compromise, I authenticated with test victim users using passwords pulled from my password list.
- For the WPA compromise, I pre-computed a hash table using CoWPAtty's "genpmk" since the SSID of a WPA network is factored into the handshake. A huge torrent exists with pre-computed hashes of the top 1000 SSID names using a very large dictionary. I didn't check, but I doubted "ClientVendor" would be included so I made my own.
- Also for the WPA compromise, I used a PSK that was pulled from my password list.
- I wasn't smooth enough to pull this off in one take so it's chopped up. The attacks, however, are not sped up.
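The passphrase-to-key step that makes the SSID part of the WPA handshake, as an added example (not code from the original post or from CoWPAtty): WPA/WPA2-Personal derives the PMK with PBKDF2-HMAC-SHA1 using the passphrase as the password and the SSID as the salt, 4096 rounds, 256-bit output. That is why a genpmk-style table is only valid for the SSID it was built for, and why a top-1000-SSID table does not cover an SSID like "ClientVendor". The "password" / "IEEE" pair is the published IEEE 802.11i Annex H test vector; the other passphrases and SSIDs are constructed for the demo.

```python
import hashlib

# WPA/WPA2-Personal (IEEE 802.11i) passphrase-to-PMK mapping. The SSID is
# the PBKDF2 salt, so a table of precomputed PMKs covers exactly one SSID.
PBKDF2_ROUNDS = 4096
PMK_LEN = 32  # 256-bit Pairwise Master Key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK that both the station and the AP compute from PSK + SSID."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        PBKDF2_ROUNDS,
        PMK_LEN,
    )


def same_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if the same passphrase yields the same PMK on both SSIDs,
    i.e. only if a precomputed table for ssid_a would also apply to ssid_b."""
    return wpa_pmk(passphrase, ssid_a) == wpa_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Published test vector (IEEE 802.11i Annex H): passphrase "password", SSID "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
    # Constructed values: a weak passphrase on a common SSID and on the post's
    # "ClientVendor" SSID gives unrelated PMKs, so the common-SSID table is useless.
    print(same_pmk("MyBank123", "linksys", "ClientVendor"))  # False
```

The SSID only changes the salt, so a unique SSID defeats downloaded tables but not a table built for that SSID from a dictionary; a passphrase that is not in any dictionary is what defeats the second case.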
Perspectives - The AP used in this video was either an attacking or victim AP depending on the attack utilized.
- The DD-WRT'd Linksys wireless router I used can be considered a victim AP for the WEP and WPA-PSK attacks.
- However, my AP should be considered an attacker AP for the 802.1x attack since I am actively trying to use it along with a fake RADIUS server to attract victims of the legitimate 802.1x wireless network that I am attacking.
Mitigating Wireless Risk - So what do I do about this?
- WEP: Don't use WEP.
- WPA-PSK: Use a complex PSK like "R$g2Gn#~qzZ4@" (rather than "MyBank123", "HomeWiFi!" or "CoolDude1993"). If your PSK is in my dictionary, then I can crack your PSK.
- 802.1x:
  - Ensure a trusted RADIUS certificate is deployed, but not too trusted. An internal CA works fine as long as its root cert is in your clients' cert stores.
  - Ensure that clients are configured to validate the RADIUS server cert as specifically as possible.
  - Only trust the CA that generated the cert.
  - Don't rely on users to get it right; use GPOs or more advanced tools that give you central administration like Juniper Odyssey Access Client.
  - Helpdesk and other folks commonly called on to fix wireless problems will likely resort to unchecking "Validate Server Certificate", so watch them and train them.
  - Ensure that your password complexity policies are sufficient on whatever credential stores the RADIUS server talks to. Again, if a user's password is in my dictionary, and I obtain an MSCHAPv2 challenge/response pair from that user, I've got their credentials and access to whatever they have access to.
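One way to check that the 802.1x client settings above actually made it onto the endpoints, as an added example (not code from the original post or from any vendor tool): audit exported Windows PEAP wireless profiles for the weak settings the post warns about (server validation off, no pinned root CA, no server name restriction, user prompt for untrusted certificates left enabled). The two profiles are constructed samples trimmed to the EAP configuration section; the element names follow the Microsoft PEAP profile schema as the example's author understands it, and the hostname and CA thumbprint are placeholders. The matching is done on local element names so namespace differences between Windows versions do not matter.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a PEAP (EAP type 25) profile with "Validate Server
# Certificate" unchecked, no trusted root CA selected, and no server name.
WEAK_PROFILE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>
        <PeapExtensions>
          <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>"""

# Constructed sample: the hardened form. radius.example.com and the
# thumbprint are placeholders for your RADIUS server and internal root CA.
HARDENED_PROFILE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>radius.example.com</ServerNames>
          <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
        </ServerValidation>
        <PeapExtensions>
          <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>"""


def _local(tag: str) -> str:
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _text(root: ET.Element, name: str) -> str:
    """Text of the first element with the given local name, or '' if absent/empty."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return ""


def audit_peap_profile(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the profile enforces
    server validation pinned to one CA and one server name without user prompts."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "PerformServerValidation").lower() != "true":
        findings.append("server certificate validation is not enforced (PerformServerValidation != true)")
    if not _text(root, "TrustedRootCA"):
        findings.append("no TrustedRootCA pinned: any CA in the machine store would be accepted")
    if not _text(root, "ServerNames"):
        findings.append("no ServerNames restriction: any certificate from a trusted CA would be accepted")
    if _text(root, "DisableUserPromptForServerValidation").lower() != "true":
        findings.append("users can be prompted to accept an untrusted RADIUS certificate (prompt not disabled)")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit_peap_profile(profile)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it over the XML produced by `netsh wlan export profile` on each managed client (or over the profile you push by GPO) to catch the unchecked "Validate Server Certificate" box before a helpdesk workaround becomes the standing configuration.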
Tools Used / Props -
The fine tools listed below were absolutely required to make it this easy to test and penetration test wireless networks. Like a lot of technology, they are very powerful and can do a lot of positive and negative things in the right (wrong) hands.