WPA2-PSK vs WPA2-Enterprise: hacking and hardening

-

This post has the aim to summarise the security aspects of WPA2, with a focus on WPA2-Enterprise hacking. At the end, EAP-TLS is presented as a pretty secure implementation.

WPA2 in brief
The Wi-Fi Protected Access is a wireless technology designed to secure the communiciations between stations and the Access Point from eavesdropping and tampering attacks. It is defined in 802.11i standard and has been adopted in home, small business (WPA2-Personal) and enterprises (WPA2-Enterprise) since 2004. 

The WPA2 implementation is based on the 4-way handshake.
The PMK (pairwise master key) is the value that both station and AP know and from which the PTK (pairwise transient key) is calculated and valid for the session. The station MAC, the AP MAC and two nonces (A-Nonce, S-Nonce) that are exchanged during the 4-way handshake are also part of the PTK generation process.

From an offensive point of view, capturing the messages of the 4-way handshake that are transmitted in clear is crucial to crack the passphrase of the ESSID (in case of WPA2-PSK) or of a single user (in case of most WPA2-EAP types).

WPA2-PSK (Personal)
In WPA2-PSK, all station shares the same passphrase and therefore the PMK, which is calculated from the password and the ESSID name, is the same among all stations.

Weaknesses of WPA2-Personal
The major security issue of WPA2-PSK is the compromise of the shared passphrase. If its value is leaked accidentally (or intentionally), the network is at risk because an attacker could both authenticate to the network and perform targeted attacks against the devices connected or can just capture the encrypted traffic of other users and then decrypting it with the PMK he knows. 
Note that in the latter scenario, for succesfully decrypting the data exchanged over WPA2-PSK, the attacker needs, of course, the value that are part of the PTK generation (MACs, nonces) but to retrieve them he has only to sniff a 4-way handshake (indeed, just 2th and 3rd packet or 3rd and 4th).
If an attacker does not know the passphrase, he can retrieve it by sniffing a 4-way handshake of a station connecting to the target ESSID and then performing a brute-force/dictionary attack.


Lastly, another common threat to WPA2-PSK is the insecure presence of WPS (Wi-Fi Protected Setup) enabled on some routers. WPS feature is considered very bad for security concerns because a bruteforce on the 8 PIN value allows to retrieve the cleartext value of the passphrase in few hours.


WPA2-EAP (Enterprise)
WPA2-Enterprise reduces the attack surface by adopting multiple implementations that have in common the uniquess of PMK (derived from password, security certificates, smartcards, OTP tokens) for each station client. The Access Points verify users identity through a RADIUS server, which has the duty to supervise the AAA process for all clients that want to connect to the network. The RADIUS server is usually combined with Active Directory or LDAP to monitor domain accounts activity, password complexity and expiry. 

Weaknesses of WPA2-Enterprise
The practical attacks against WPA2-EAP are addressed to the cracking of the passphrase of a single user. 
For implementations that use an outer tunnel for mutual authentication, these attacks are more articulated and possible in case of a misconfigured deployment.


We need to briefly have a look to the EAP types available, separating them based on the additional security provided by the outer tunnel. The outer tunnel, in fact, is the game changer in the wireless security because it encapsulates and encrypts the 4-way handshake that in the other wireless implementations is performed in clear.

EAP Types
Here I shortly present some EAP variations. For a full reference, have a look at IANA reference.

EAP types without an outer tunnel
These solutions do not protect against the capture of the 4-way handshake  and the cracking attempts to recover the passphrase of a single comprimised user.
  • EAP-MD5: transmits username in cleartext 'EAP Response Identity' message and the 4-way handshake can be sniffed in order to launch an offline bruteforce attack.
  • EAP-LEAP: it is based on the MSCHAPv2 challenge-response protocol, that uses DES encryption. Challenge and response are trasmitted in clear and therefore cracking attempts are still possible.
EAP types with an outer tunnel
The idea behind this type of more secure WPA2-EAP is to encapsulate the 4-way handshake inside an outer tunnel that provides authentication (ideally mutual). This way a TLS tunnel protects the inner authentication (generally MSCHAPv2) from being captured.
  • EAP-FAST: it is the safer version of EAP-LEAP and similar to PEAP and EAP-TTLS but with a peculiarity: there is a PAC file that contains the secret and other infos necessary to validate a user authentication attempt. The weak aspect of this implementation by Cisco is that the phase 0 timeframe (PAC provisioning) allows an attacker to setup a fake AP and possibly capture the encrypted credentials of the user. This attack is possible under the condition that 'unauthenticated PAC provisioning' option is set in the Cisco wireless client software.
  • PEAP (protected EAP) and EAP-TTLS: these two types both allow mutual authentication by firstly establishing the TLS tunnel between the station and the RADIUS and secondly sending credentials in the inner authentication protocol. This is called mutual authentication because in the outer tunnel the client station validates the RADIUS identity based on its TLS certificate and in the inner tunnel the RADIUS validates the user's credentials. The vulnerability lies when there is a misconfiguration in the client validation of the TLS certificate of the RADIUS. Id est, the client has not been configured to validate the certificate that it receives from the AP. Therefore, an attacker could setup a fake AP with better signal, send its fake certificate, waits the client to leak the credentials and brute-force them offline.
  • EAP-TLS: this is truly the safest way to provide mutual authentication with a double verification of the certificates owned by both the RADIUS and the station client. Once the identity of both parts is verified, a random key for the session is generated and then used to create the PMK.
Wireless lab| hacking bad configuration and deploying a secure one
Now I show the results of a test I have done regarding the attack scenario for WPA2-Enterprise. 
The devices involved in this test are:
1.      two stations: a windows 10 pc and an android 8 phone
2.     an attacker OS: a simple kali does its job here ;-)
3.     SSID that uses WPA2-EAP: a OpenWRT router that integrates a RADIUS server (in my case freeradius3 package)
4.     Packet injection capable antenna: TL-WN722N
5.     Fake AP software: Hostapd-WPE

/etc/config/wireless file of the Access Point

The target SSID name that implements WPA2-EAP is GL-AR750-444-5G.
Note that auth_server and acct_server are the value of the RADIUS.

In case of Hacking section, the AP is set to accept PEAP and EAP-TTLS connections. 

[Hacking] PEAP/EAP-TTLS with no RADIUS certificate verification from client
If the CA certificate that signed the RADIUS certificate is not imported on the stations, the following hacking scenario is possible.

An attacker starts a fake AP with hostapd-wpe as shown below:

The extract of the hostapd-wpe file that needs to be changed accordingly to the target

The fake AP is now ready

We now wait a station to connect to our malicious AP (... or we can de-authenticate it, if Management frame protection is disabled). 

The station leaks its challenge and response contained in the 4-way handshake of the inner authentication protocol

Once we captured these credentials, the process of cracking them is very similar to the one for WPA2-PSK.

Ok, I cheated with the dictionary attack :-)

[Deploying] EAP-TLS in a home environment
We now deploy EAP-TLS to avoid that a malicious AP can fool to be the legitimate Enterprise Access Point when a station interacts with it. This is possible by ensuring the use of TLS certificates for both stations and the RADIUS server that authenticates them.
Note: creating a minimal PKI is not the goal of this article, but I provide a good guide available at this link.


For EAP-TLS to work, the clients and the RADIUS certificate must be signed by an internal Certificate Authority and its CA certificate must be imported on the stations and the RADIUS.

This time eap configuration file allows only EAP-TLS among EAP types

Installing the certificate of the Windows client

Installing the certificate of the Android client

Installing the RADIUS server certificate

Let's try to authenticate to the AP with the certificates imported.

The windows client provides its certificate to the AP

The Android phone provides its certificate to the AP

The stations alerts that the RADIUS server is not signed by a known certificate authority

So, the attack has failed. At this point I thought that this article was come to the end. 
Indeed, a look to the above images of the installation of the certificate on the android phone and the windows 10, a comparison of the different way the CA certificate is imported and a thrilling lateral thinking approach pushed me to an additional analysis. As you may notice, for the connection of the windows client only the client certificate is asked... but what about the CA that signed the RADIUS? Ok, it is imported in the Windows certificate store, but what if we sign the RADIUS certificate with a different CA that a victim is fooled to install on the Windows certificate store?
Well, what I would expect is that the windows 10 client connects anyway to the fake AP. But the question is, what the client will possibly leak in such remote scenario? Credentials? No, there is not an inner-authentication in EAP-TLS. However, curious about the result of this test, I fired hostapd-wpe and... the result was the same: the client alerts unkown CA. Game over :-).

Bottom line
As discussed in this post, WPA2-PSK and even WPA2-Enterprise (without a secure configuration) can easily leak the messages of the 4-way handshake and an attacker can perform a cracking attempt to retrieve the correct wireless password. However, the WPA2-EAP is always the desiderable method because reduces the attack surface due to the absence of a shared passphrase and a granular control over the wireless accounts.
A very secure implementation is EAP-TLS, which is based on the mutual authentication of the stations and RADIUS by using TLS certificates signed by a CA. The limitation of this solution, however, is the difficult manageability inherited from the deployment of a Public Key Infrastructure.

Comments

Post a Comment

Popular posts from this blog

Abusing Windows 10 Narrator's 'Feedback-Hub' URI for Fileless Persistence

-
Image
Novel Accessibility Feature Abuse technique While investigating Ease of Access options in Windows 10 for new persistence techniques, I have actually found an undocumented one via 'Provide Narrator feedback' functionality. Behind the scenes the Narrator feedback consists in launching the custom handler via URI scheme ‘feedback-hub’. However, in a post exploitation scenario is possible to trivially backdoor this component with fileless payloads hosted in the registry. Even if there is no security boundary between windows logon screen and the default user desktop (indeed both part of the same window station WinSta0) the possibility of the interaction between the Narrator instance running in the environment of the locked out users and the Windows logon screen opens the chance to trigger the malicious command defined in the registry as soon as the 'Provide Narrator feedback' combination keys are pressed in the latter context. The novel technique presented in this arti
Read more

Management Frame Protection and its limitations

-
Image
In this article we talk about management frames, their exposure to Denial of Service (DoS) via de-authentication attack, how Management Frames Protection can prevent this and its limitations against other DoS attacks discovered during the years by security researchers. A brief overview of Management Frames Management frames are at the centre of the WLAN operability and also have an important role in the negotiation activity between an access point and its stations. Code Field (Wireshark filter) Subtype 0x00 Association Request 0x01 Association Response 0x02 Re-Association Request 0x03 Re-Association Response 0x04 Probe Request 0x05 Probe Response 0x06 Reserved 0x07 Reserved 0x08 Beacon 0x09 ATIM 0x0a Disassociation 0x0b Authentication 0x0c Deauthentication 0x0d Actio
Read more