PEAP at DEF CON 21

History

Last year Moxie Marlinspike and David Hulton presented "Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2" at Defcon 20. Moxie's blog post [1] describes how DES is still relevant in 2013. Their cracker [2] turns captured WPA2 handshakes that use MS-CHAPv2 into NT hashes. These hashes can get you onto the network. This wasn't the first attack on MS-CHAPv2. Asleap [3], the MS-CHAPv2 cracker that Joshua Wright wrote in 2003-2008, uses a weakness in MS-CHAPv2 to crack LEAP and PPTP handshakes much faster than brute force. LEAP was abandoned after Asleap was released.

PEAP at Defcon 21

Which brings us to PEAP. Defcon 21 featured 2 talks about PEAP, both with functional demos. Josh Yavor's "BYOD PEAP Show" showed the default settings for Android, iPhone, Blackberry, and Windows Phone, all of which include PEAP with insecure settings. His demo showed blobs flying by which he promised were NT hashes of passwords. He also gave advice on how to exploit networks. Public transit, choke points, and lunch seems to offer the best opportunity to find insecure phones. James Snodgrass (PuNk1nPo0p) and Josh Hoover (wishbone) demoed their tool LootBooty [4] which capitalizes on iPhone and Android weaknesses in PEAP. Their talk "BYO-Disaster and Why Corporate Wireless Security Still Sucks" utilized flaws in implementation of PEAP to get plaintext passwords which are sent over WPA2-Enterprise. iPwner exploits a man-in-the-middle attack against IOS/OSX devices using PEAP-MSCHAPv2. After connecting to the rogue access point, the user is prompted for username and password to access any website. These credentials are sent in cleartext over WPA2 and the attacker logs them. This attack requires the user to be sufficiently convinced to type in their username and password and not a fake password but is an interesting attack. PEAPing Tom is a second attack which uses EAP-GTC to capture users credentials in plaintext using a rogue RADIUS server on a rogue access point.

From the author of LootBooty, PuNk1nPo0p:

PEAPv0 only supports MSChapV2 as its inner authentication mechanism and is the only PEAP version natively supported by Microsoft. The problem is IOS, OSX, Android, etc all support PEAPv0 too, which makes them all vulnerable to Josh Wright's and Moxie's offline dictionary attack of the captured challenge / response or HASH as we nerds call it.

PEAPv1 continues to support EAP-MSChapV2, but also adds support for EAP-GTC as an inner authentication alternative to EAP-MSChapV2. Microsoft does not natively support EAP-GTC, but IOS, OSX, Android, and pretty much everyone but Microsoft natively supports it. So.... EAP-GTC was designed to be used (but not LIMITED too) for one time passwords like secure Id tokens, etc. So our PEAPING-TOM attack just tells all connecting clients to use EAP-GTC in place of EAP-MSChapV2 thus delivering their domain credentials in clear text instead of your typical HASH that requires offline cracking.

Conclusion

Both talks focused on attacking enterprise wireless weaknesses that present themselves in a specific configuration that has gained popularity over time: bring your own device (BYOD). Since the wireless setup requires only an employee's domain username and password an unintended device can be added by an employee. Little do they know that an attacker can leverage weaknesses in the protocol to compromise the wireless network as well as the rest of the network. "BYOD PEAP Show" gave good advice which says that EAP-TLS is easier to setup than securing PEAP is. This is solid advice that we can echo. Using client certificates and server certificates eliminates the weakness of passwords and gives the attacker no chance to harvest credentials or man-in-the-middle a user. This eliminates the ease of use that EAP-MSCHAPv2 and BYOD offer, but it also eliminates the vulnerabilities described above.

After writing this, I found that Microsoft released a security advisory and Slashdot posted an article to the front page, MS: Windows Phone 8 Wi-Fi Vulnerable, Cannot Be Patched. The title is misleading, but the article received over 100 comments many of which were insightful.

For those who are looking for a solution: please implement EAP-TLS with certificate verification and avoid PEAP.

Many thanks to the authors, especially PuNk1nPo0p for their contribution to security without which this post would not be possible.

Works Cited

1) Marlinspike, Moxie. URL: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
2) CloudCracker. URL: https://www.cloudcracker.com/
3) Wright, Joshua. "Asleap - exploiting cisco leap". URL: http://www.willhackforsushi.com/Asleap.html
4) PuNk1nPo0p. "Lo0tBo0ty Wifi-To0lz". URL: https://github.com/punk1npo0p/lootbooty