Thursday 20 March 2014

Cracking WAP2 Enterprise


In one of my recent assessments I had to look at some wireless networks at a few locations. I had not done a Wireless Security Assessment in ages so it was a good exercise to see whats changed, learn about some new authentication protocols and learn a few new attack vectors.

Everything was run from my Kali installation running on my Macbook via VMware Fusion and I used the Alfa AR 9271 Wireless USB card for WiFi (came with my wifipineapple (:  ). Yes VMware does not pickup your native built-in wifi cards, hence why I used an external USB WiFi adapter which I attached to my guest system which picks it up just fine.

All the used tools:
  • FreeRadius-WPE
  • Hostap
  • Kali
  • asleap
  • John the Ripper
My target networks were running WPA2 Enterprise, essentially users authenticate using ta username and password, in this case their domain credentials to associate to the access points. This is not as simple as cracking WPA or even worse WEP sort of attacks (which was big in my day...yeah im that old nowadays), attacking WPA2 Enterprise requires a semi-different approach. 

The approach taken was to impersonate the access points you are attacking and to run your own RADIUS server which will be used to capture password hashes. The password hashes are then cracked offline using either asleap or as I found out and worked better for me, John the Ripper.

Essentially you run hostap to impersonate the access point and run a patched FreeRADIUS server to handle the authentication, by handle I mean capture hashes of users authenticating to your spoofed access point. 

FreeRADIUS-WPE

The first step is to download and compile/run/install  FreeRADIUS Wireless Pwnage Edition (WPE) which has been tweaked exactly for the purpose of capturing RADIUS authentication requests.
  • https://github.com/brad-anton/freeradius-wpe
Just follow the instructions for compiling. There are debian package you can download and simply install. You may need to make a few tweaks, I kept getting errors when trying to run the FreeRADIUS-WPE app, as the directory where the logs are stored did not exist, just a simple mkdir fixed that (:

The logs which contains the captured hashes is located here:
  •      /usr/local/var/log/radius/freeradius-server-wpe.log

 

HostAP

Now that FreeRADIUS is installed we make sure hostap is running/installed. If you dont have it installed you can find a copy here:
  • http://hostap.epitest.fi/releases/hostapd-2.0.tar.gz
You will run hostap with a specific config file for a WPA Enterprise access point (wpe-test.conf). Hostap will turn your wifi card into an access point spoofing the access point, be sure to edit the below config to match your requirements:


interface=wlan0
driver=nl80211
ssid=SpooFed4cc3sspoint 
country_code=ZA
logger_stdout=-1
logger_stdout_level=0
dump_file=/tmp/hostapd.dump
ieee8021x=1
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
auth_algs=3
wpa=2
wpa_key_mgmt=WPA-EAP
channel=1
wpa_pairwise=CCMP
rsn_pairwise=CCMP


Command:
  • hostapd -dd wpe-test.conf
The above example config file assumes that FreeRADIUS-WPE is listening locally. Also I noticed that my FreeRADIUS-WPE was not logging the credentials correctly when a client authenticated. After looking around I found I had to edit the following file:
  •  /usr/local/etc/raddb/modules/mschap
By adding the following line (This is specifically for WPA2 Enterprise using domain credentials for user authentication):
  • with_ntdomain_hack = yes
Once everything is up and running test the system and ensure all is good and that nothing is broken. Once it seems like all is good you should be able to simply monitor the FreeRADIUS-WPE log files for incoming logs:
  • tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
Output:

mschap: Mon Feb  1 12:15:52 2014

 username: domain\testuser
 challenge: ab:bb:dd:c6:a1:13:53:dd
 response: de:14:c8:a8:7e:ce:53:5304:f8:a0:75:ce:53:53:ca:70:35:e1:e6:21:0c:f1:b6
 john NETNTLM: domain\testuser:$NETNTLM$9d0addde98e8474$d09ef8t43db04f8a075ce5353cd993571b621aeeec4

 

Cracking the captured Credentials

Here you can use either asleap or in my case John. I didnt have a large enough wordlist at the time of the assessment o use with asleap (wordlist based cracking). So I found that john supports the captured WPE hashes (NETNTLM), and this is accommodated by WPE. 

Simply take the NETNTLM hashes and use john to crack.

*Remember this is only for use of networks you are authorised to test and I hold no responsibility should you use this for malicious means.

Some recommendations:
  • Users should be vigilant of the networks they connecting to, in the above attack I found that most mobile devices happily connected to the "spoofed" access point with no issues, however my Macbook and Windows picked up that the certificate did not match and prompted the user with a warning. Although some users continued connection after the prompt (:  So user awareness is important, but there is no patch for human stupidity!
  • I dont think using domain credentials for authenitcation over the wireless network is the best idea, yes its practical but you are potentially broadcasting those hashes to the world and its not that hard to crack them! And who knows where else you can reuse the credentials to obtain further access. So I would suggest seperate set of credentials for authentication

Other WiFi tools for Mac OSX that I came across:

 iStumbler for Mac - http://istumbler.net/
 Kismac 2 - https://github.com/IGRSoft/KisMac2