Wireless Still Sucks! Why Corporate Wireless ... Disaster
By djwishbone and PuNk1nPo0p
We’re just nerds with random ideas and inconsistent results!
Why you should stay!

What:
- Obtain clear-text credentials from any PEAP-enabled WPA2-Enterprise network without cracking a single hash.
- Explore a "functionality issue" discovered in how iOS / OS X devices process MSCHAPv2.

How:
- Get access to a new set of tools that automate all the attacks for you.
- Demonstrate the use of EAP-GTC as the inner authentication mechanism in place of MSCHAPv2.
Normal PEAP / MSCHAPv2 message flow (client, AP, RADIUS server):

EAP type proposal:
- Association
- EAP Request (Identity)
- EAP Response (Identity)
- RADIUS Access-Request
- PEAP Start

TLS tunnel setup:
- TLS setup
- Send identity again (inside the tunnel)

Inner EAP MSCHAPv2:
- MSCHAPv2 Challenge
- Response with client challenge
- Success with challenge response
- MSCHAPv2 Success
- EAP-TLV Success (both directions)

EAP Success:
- EAP Success
- Install keys on AP
- Finish connection
IPWNER:
- Server challenges client.
- Client responds with MSCHAPv2 hash and peer challenge.
- No password in database: accept password anyway (instead of rejecting it).
- Server sends TLV-Success; the peer challenge response does not match. Client: "Uh, what? Fine, why not."
- Client responds TLV-Success.
- Client checks for captive portal.
- Attacker responds with captive portal.
Clear-Text Anyone? Now that the MITM is complete, we can direct all DNS requests to our captive portal page and capture credentials in Clear-Text!
What Just Happened?
- iOS/OS X supplicants do not appear to require MSCHAPv2 success when connecting to the wireless network. So much for mutual authentication.
- Bypassing inner authentication.
- Establishing a MITM connection.
- Trapping the captive portal request sent by the mobile device by default, and redirecting it to our malicious portal.
- User re-enters credentials, which are now captured in clear-text. Hackers win again!
Responsible Disclosure

The Hacker: "Hi, I discovered a way to expose your backdoor and urge you to patch it up before someone dumps a nasty payload in it! Here's all my research, screenshots, etc. Have a blessed day!"

The Sociopath (Corp): "After examining your report we do not see any actual security implications. It is the responsibility of the client communicating with a trusted server to ensure that they are attempting MSCHAPv2 inner authentication. Thank You!"

The Hacker: hahaha, funny!

The Sociopath (Corp): "Though you're probably wrong! We will have our outsourced MSP put 10 MSCHAPv2tards on it right away and never get back to you. Have a blessed day!"

(The server could just as well have suggested the EAP-GTC protocol, after which the client provided its password in cleartext as the server instructed.)

The Hacker (a month later): "Hi, can I get the status of ticket number 999999999999999999999999?"

The Sociopath (Corp): "I see not what you say, I like gummy bears, ticket 999999999999999999999 closed!... Have a blessed day! Josh 4379"
GENERIC TOKEN CARD
- EAP method created by Microsoft/Cisco for use with PEAPv1.
- Created to support hardware token cards and one-time passwords.
- Similar to PEAPv0 EAP-MSCHAPv2, but with no peer challenge.
- Some clients do not state what type of password they are asking for; they just prompt for a username and password.
- Can we use this to our advantage?
PEAPINGTOM:
- Server requests one-time password.
- Client responds with "GTC" password.
- GTC fails: no password for user.
- Server sends TLV-Success anyway. Client: "Sure, I trust you, why not."
- Client responds.