Wi-Fi Brokering

Presented at Black Hat Asia 2020 Virtual, Oct. 1, 2020, 2:20 p.m. (40 minutes)

The common perception of 802.1X Wi-Fi networks that use tunnelled authentication methods such as PEAP is that they offer good enough security. Attacks introduced in 2004 by Joshua Wright and Brad Antoniewicz allow the inner MSCHAPv2 challenge/response to be captured and cracked offline. As MSCHAPv2 is based on DES, Moxie Marlinspike and David Hulton showed at Defcon 20 that the entire keyspace can be brute-forced with specialised hardware. However, what if you didn't need to crack the password at all, but simply relayed the challenge and response?

When Wi-Fi devices authenticate to a network in a typical tunnelled EAP scenario such as PEAP, the security of the authentication is provided by an outer TLS connection, and the inner MSCHAPv2 exchange is assumed secure as long as the TLS channel is. For these tunnelled EAPs, it is possible to relay the inner EAP exchange between a legitimate client device and its legitimate network, and so authenticate to the network without having to crack the password. This is conceptually similar to SMB relay attacks. The rogue AP and rogue supplicant merely require a network connection between them (via RADIUS) and don't need to be physically co-located, meaning this attack could, for example, be carried out while the victim device is at home and the attacker is at the target network.

Using this method it is possible to authenticate to PEAP-protected networks (and possibly others to which the same idea applies) by tricking users into authenticating to a rogue access point, without having to crack the MSCHAPv2 challenge/response to recover the user's password.

This talk will introduce just such an attack and a corresponding toolset, and explain the process of developing the attack. Finally, we will cover practical defences against the vulnerability.
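The relay only succeeds if the victim's supplicant completes the outer TLS handshake with the rogue AP, so the client-side certificate check is the defence a practitioner will want to see. The following wpa_supplicant network blocks are an added example and not part of the talk or its toolset; the SSID, CA file path, RADIUS server name, identity and password are assumed placeholders.

```conf
# Added example (not from the talk): two wpa_supplicant network blocks for
# the same PEAP/MSCHAPv2 network. SSID, paths, names and credentials are
# constructed placeholders.

# WEAK: no ca_cert and no server-name check. The supplicant will complete
# the outer TLS handshake with whatever certificate the access point
# presents, so a rogue AP can terminate TLS and relay the inner MSCHAPv2
# exchange to the real network.
network={
    ssid="CorpWiFi-Example"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.invalid"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    # ca_cert deliberately absent: server certificate is not validated
}

# HARDENED: pin the trusted CA and require the server certificate's subject
# to match the RADIUS server's name. A rogue AP cannot present a certificate
# that satisfies both, so the outer TLS fails before MSCHAPv2 ever runs.
network={
    ssid="CorpWiFi-Example"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.invalid"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_match="radius.corp.example.invalid"
}
```

Enterprise supplicants on other platforms expose the same two controls (a trusted CA and an expected server name); a profile that leaves either unset is open to the rogue AP described above.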

Presenters:

  • Michael Kruger - Analyst, Orange Cyberdefense
    Michael Kruger is an analyst at SensePost and previously completed an honours degree in Computer Science at Rhodes University. He is the undisputed champion of dank memes at SensePost, and in between manages to persist at Wi-Fi hacks others told him would never work.
