Although this doesn’t prove anything that hasn’t already been proven, seeing often cements belief much more effectively than reading. In this video, I compromise access to three separate wireless networks using three separate authentication and encryption schemes.
Test Networks – The Victims:
ClientCorporate: 802.1x/PEAP
ClientVendor: WPA2-PSK/AES
ClientGuest: WEP-128 PSK
Full Disclosure – This video differs from a real-world attack in the following ways:
- For the 802.1x compromise, I used supplicants that are either not configured to validate the RADIUS certificate or bypassed the warning screen that discloses that the RADIUS server is serving an untrusted certificate.
- Also for the 802.1x compromise I authenticated with test victim users using passwords pulled from my password list.
- For the WPA compromise, I used a pre-computed hash table built with CoWPAtty’s “genpmk”, since the SSID of a WPA network is factored into the key derivation used in the handshake. A huge torrent exists with pre-computed hashes of the top 1000 SSID names using a very large dictionary. I didn’t check, but I doubted “ClientVendor” would be included, so I made my own.
- Also for the WPA compromise, I used a PSK that was pulled from my password list.
- I wasn’t smooth enough to pull this off in one take so it’s chopped up. The attacks, however, are not sped up.
Perspectives – The AP used in this video was either an attacking or victim AP depending on the attack utilized.
- The DD-WRT’d Linksys wireless router I used can be considered a victim AP for the WEP and WPA-PSK attacks.
- However, my AP should be considered an attacker AP for the 802.1x attack since I am actively trying to use it along with a fake RADIUS server to attract victims of the legitimate 802.1x wireless network that I am attacking.
Mitigating Wireless Risk – So what do I do about this?
- WEP: Don’t use WEP.
- WPA-PSK: Use a complex PSK like “R$g2Gn#~qzZ4@” (rather than “MyBank123”, “HomeWiFi!” or “CoolDude1993”). If your PSK is in my dictionary, then I can crack your PSK.
- 802.1x:
- Ensure a trusted RADIUS certificate is deployed, but not too trusted. An internal CA works fine as long as its root cert is in your clients’ cert stores.
- Ensure that clients are configured to validate the RADIUS server cert as specifically as possible.
- Only trust the CA that generated the cert.
- Don’t rely on users to get it right; use GPOs or more advanced tools that give you central administration, like Juniper Odyssey Access Client.
- Helpdesk and other folks commonly called on to fix wireless problems will likely resort to unchecking “Validate Server Certificate” so watch them and train them.
- Ensure that your password complexity policies are sufficient on whatever credential stores the RADIUS server talks to. Again, if a user’s password is in my dictionary, and I obtain an MSCHAPv2 challenge/response pair from that user, I’ve got their credentials and access to whatever they have access to.
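As an added example (not from the original post or any vendor documentation), here is what the 802.1x client-side advice above looks like in a wpa_supplicant.conf: the weak network block that skips RADIUS certificate validation next to the hardened one that pins the internal CA and the expected server name. The CA path, server name and identity are assumed placeholders.

```ini
# wpa_supplicant.conf fragment (added example; paths and names are placeholders)

# WEAK: no ca_cert, so the supplicant accepts whatever certificate the
# RADIUS server presents. A rogue AP fronting its own RADIUS server
# would receive this user's MSCHAPv2 challenge/response.
network={
    ssid="ClientCorporate"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
    # ca_cert is missing: server certificate is not validated at all
}

# HARDENED: validate the server cert as specifically as possible.
network={
    ssid="ClientCorporate"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
    # Only certificates issued by this CA (the internal root) are accepted,
    # not anything in the system-wide trust store.
    ca_cert="/etc/wpa_supplicant/corp-root-ca.pem"
    # The server certificate must also carry this exact name (CN or SAN),
    # so a cert from the same CA but for another host is still rejected.
    domain_match="radius.corp.example"
}
```

On Windows the same two controls are the “Validate server certificate” checkbox and the trusted root CA selection in the PEAP profile, which is why the post recommends pushing them by GPO rather than leaving them to users.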
Tools Used / Props –
The fine tools listed below were absolutely required to make it this easy to test and penetrate wireless networks. Like a lot of technology, they are very powerful and can do a lot of positive and negative things in the right (wrong) hands.