The BYOD PEAP Show. isec Partners

Transcription

1 The BYOD PEAP Show Mobile Devices Bare Auth Josh Yavor isec Partners DEF CON XXI August, Josh Yavor (isec Partners) The BYOD PEAP Show DEF CON XXI, August, /

2 Introduction Welcome A Perfect Storm 1 1 noaa.gov Josh Yavor (isec Partners) The BYOD PEAP Show DEF CON XXI, August, /

3 Introduction Welcome PEAP: Pwned Extensible Authentication Protocol Joshua Wright & Brad Antoniewicz - ShmooCon It s amazing to me that lots of people seemed to have missed this issue in PEAP and other EAP methods, as it s still extremely useful in most of the pen-tests I engage in. Joshua Wright, May 1 Windows and OS X FreeRADIUS-WPE PEAP and TTLS can be secure when deployed carefully 1 Josh Yavor (isec Partners) The BYOD PEAP Show DEF CON XXI, August, /

4 Introduction Welcome Bring Your Own Device All the cool kids are doing it Growth %- % of companies Bring Your Own Definition EAP Types Josh Yavor (isec Partners) The BYOD PEAP Show DEF CON XXI, August, /

5 Introduction Welcome CloudCracker Moxie Marlinspike, David Hulton, Marsh Ray - DEF CON XX Enterprises who are depending on the mutual authentication properties of MS-CHAPv for connection to their WPA Radius servers should immediately start migrating to something else. Moxie Marlinspike, July, 2 Divide and conquer = % in hours 2 Josh Yavor (isec Partners) The BYOD PEAP Show DEF CON XXI, August, /

6 Introduction Welcome Take Aways Spoiler Alert Real-world deployments are messy PEAP is unsafe for BYOD environments Impact is enormous Immediate corrective action required No easy fix Users are in control Josh Yavor (isec Partners) The BYOD PEAP Show DEF CON XXI, August, /

7 Introduction Welcome Bottom Line Defense Josh Yavor (isec Partners) The BYOD PEAP Show DEF CON XXI, August, /

8 Introduction Welcome Bottom Line Offense Josh Yavor (isec Partners) The BYOD PEAP Show DEF CON XXI, August, /

9 Introduction Welcome Some Disagree In a properly implemented wireless network, this MS-CHAPv exploit is a non-issue. There is no need for Wi-Fi network administrators to abandon PEAP. Period. 3 3 revolutionwifi.blogspot.com/ / /is-wpa -security-broken-due-to-defcon.html Josh Yavor (isec Partners) The BYOD PEAP Show DEF CON XXI, August, /

10 Introduction Welcome Risk Characteristics Lower Risk Individual users (depends) Smaller organizations Static user base Higher Risk Internal network assets Larger organizations Transient user base

11 Introduction Welcome Misconfiguration is Everywhere Be cruel to your school

12 Introduction Welcome For Mobile Devices

13 Introduction Welcome Even for Windows

14 Introduction Prerequisite Knowledge PEAP Why is PEAP so popular? EAP Type Support ios Android Windows Phone BlackBerry PEAP Yes Yes Yes Yes EAP-TLS Yes Yes No Yes EAP-TTLS Yes Yes No Yes EAP-FAST Yes No No Yes

15 Introduction Prerequisite Knowledge Wireless Authentication Comparison Access Control Granularity Open WPA WPA Ent. None Group of users who know password Individual user accounts wifi? ok! getyourownwifi evaldoer / p

16 Introduction Prerequisite Knowledge Wireless Authentication Comparison Response to Credential Compromise Open WPA WPA Ent. N/A Change password, update all devices Modify single user account wifi? ok! getyourownwifi Error: User account locked

17 WPA Ent. &. X PEAP Association to AP.thisOneGoesTo

18 WPA Ent. &. X PEAP Outer Authentication Thanks to Brad & Joshua

19 WPA Ent. &. X PEAP Inner Authentication with MSCHAPv Thanks to Moxie

20 Mobile Platforms Mobile Platforms 2 2 ocio.osu.edu

21 Mobile Platforms Android Android

22 Mobile Platforms Android Android EAP Types

23 Mobile Platforms Android Android PEAP Configuration

24 Mobile Platforms Android Android CA Configuration

25 Mobile Platforms Android Android Inner Authentication

26 Mobile Platforms ios ios 3 3 apple.com

27 Mobile Platforms ios ios PEAP Configuration

28 Mobile Platforms ios ios CA Configuration

29 Mobile Platforms ios ios Cert Details

30 Mobile Platforms BlackBerry BlackBerry

31 Mobile Platforms BlackBerry BlackBerry EAP Types

32 Mobile Platforms BlackBerry BlackBerry PEAP Configuration

33 Mobile Platforms BlackBerry BlackBerry CA Configuration

34 Mobile Platforms Windows Phone Windows Phone 4 4 microsoft.com

35 Mobile Platforms Windows Phone Windows Phone PEAP Configuration

36 Mobile Platforms Windows Phone Windows Phone CA Configuration

37 Mobile Platforms Windows Phone Windows Phone Cert Details

38 Attacking PEAP Methodology Single Network Traditional attack Story time: - users, shared building >, users, campus Extra credit

39 Attacking PEAP Methodology Multiple Networks Curated Lists Geographical, industry, other? Story time: Industry Geographical Extra credit

40 Attacking PEAP Methodology All The Devices Everything (almost) Challenges Story time

41 Attacking PEAP It s Tool Time! Pwning Single target Multiple targets

42 Attacking PEAP It s Tool Time! Existing Tools FreeRADIUS-WPE hostapd & hostapd-wpe DD-WRT & OpenWrt

43 Attacking PEAP It s Tool Time! The Goal

44 Attacking PEAP It s Tool Time! What s Next? *WRT scripts *WRT integration hostapd-python-script 5 5 github.com/nims /hostapd-python-script

45 Attacking PEAP It s Tool Time! Getting Fancy Dynamic target selection GPS (wigle.net?) Single tool

46 Solutions How do we fix this? Hide yo kids, hide yo WiFi

47 Solutions How do we fix this? EAP-TLS Better Mobile Device Management

48 Solutions PEAP vs EAP-TLS Feature PEAP EAP-TLS Support Nearly Universal Nearly Universal Server Authentication Yes Yes User Authentication MSCHAPv Certificate Easy to Configure Yes No Easy to Manage Yes No

49 Solutions PEAP Mitigations Doing PEAP Right Mobile Device Management Custom CA vs Public CA Separate accounts

50 Solutions PEAP Mitigations Doing PEAP Right Josh Yavor (isec Partners) The BYOD PEAP Show DEF CON XXI, August 4, / 55

51 Demo DefConSecure Hacking the hackers

52 Demo Victims Needed Fair warning Turn off all of your WiFi devices if you do not wish to participate Targeting only DefConSecure No Man-in-the-Middle Username and MSCHAPv challenge/response collected Username and response displayed Brief Denial of Service Yes, I could crack your password later, but I know you didn t reuse an important one (right?) I expect to capture only a handful, but maybe we ll get lucky

53 Demo Additional Resources Windows Phone WiFi Configuration Guide - com/en-us/how-to/wp8/start/connect-to-a-wi-fi-network Apple ios WiFi Deployment Guide - Smart Phone WiFi Certifications - en&filter_category_id=24&listmode=1 Android WPA Enterprise UI Bug -

54 Demo Thank Yous DEF CON isec Partners / NCC Group EFF The victims

55 Demo Josh Yavor Senior Security Engineer isec Partners