The BYOD PEAP Show - Def Con

The BYOD PEAP Show: Mobile Devices Bare Auth

Josh Yavor

iSEC Partners, DEF CON XXI, August 4, 2013

Josh Yavor (iSEC Partners)

The BYOD PEAP Show

DEF CON XXI, August 4, 2013

1 / 55

Introduction: Welcome

A Perfect Storm

[1] noaa.gov

PEAP: Pwned Extensible Authentication Protocol
Joshua Wright & Brad Antoniewicz - ShmooCon 2008

“It’s amazing to me that lots of people seemed to have missed this issue in PEAP and other EAP methods, as it’s still extremely useful in most of the pen-tests I engage in.” – Joshua Wright, May 2010 [1]

- Windows and OS X
- FreeRADIUS-WPE
- “PEAP and TTLS can be secure when deployed carefully”

[1] http://www.willhackforsushi.com/?page_id=37

Bring Your Own Device
All the cool kids are doing it

- Growth: 60%-85% of companies
- “Bring Your Own Definition”
- EAP Types

CloudCracker
Moxie Marlinspike, David Hulton, Marsh Ray - DEF CON XX

“Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.” – Moxie Marlinspike, July 29, 2012 [2]

- Divide and conquer
- $100 = 100% in 24 hours

[2] https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

Take Aways
Spoiler Alert

- Real-world deployments are messy
- PEAP is unsafe for BYOD environments
- Impact is enormous
- Immediate corrective action required
- No easy fix
- Users are in control

Bottom Line: Defense

Bottom Line: Offense

Some Disagree

“In a properly implemented wireless network, this MS-CHAPv2 exploit is a non-issue. There is no need for Wi-Fi network administrators to abandon PEAP. Period.” [3]

[3] revolutionwifi.blogspot.com/2012/07/is-wpa2-security-broken-due-to-defcon.html

Risk Characteristics

Lower Risk                  | Higher Risk
----------------------------|--------------------------
Individual users (depends)  | Internal network assets
Smaller organizations       | Larger organizations
Static user base            | Transient user base

Misconfiguration is Everywhere
Be cruel to your school

For Mobile Devices

Even for Windows

Introduction: Prerequisite Knowledge

PEAP 101
Why is PEAP so popular?

EAP Type Support

EAP Type  | iOS | Android | Windows Phone 8 | BlackBerry
----------|-----|---------|-----------------|-----------
PEAP      | Yes | Yes     | Yes             | Yes
EAP-TLS   | Yes | Yes     | No              | Yes
EAP-TTLS  | Yes | Yes     | No              | Yes
EAP-FAST  | Yes | No      | No              | Yes

Wireless Authentication Comparison

           | Access Control Granularity        | Example
-----------|-----------------------------------|---------------------
Open       | None                              | wifi? ok!
WPA2       | Group of users who know password  | getyourownwifi
WPA2 Ent.  | Individual user accounts          | evalDoer / 1337p455

Wireless Authentication Comparison

           | Response to Credential Compromise    | Example
-----------|--------------------------------------|----------------------------
Open       | N/A                                  | wifi? ok!
WPA2       | Change password, update all devices  | getyourownwifi2
WPA2 Ent.  | Modify single user account           | Error: User account locked

WPA2 Ent. & 802.1X: PEAP

Association to AP
802.thisOneGoesTo11

Outer Authentication
Thanks to Brad & Joshua

Inner Authentication with MSCHAPv2
Thanks to Moxie

Mobile Platforms

[2] ocio.osu.edu

Android

Android EAP Types

Android PEAP Configuration

Android CA Configuration

Android Inner Authentication

iOS

[3] apple.com

iOS PEAP Configuration

iOS CA Configuration

iOS Cert Details

BlackBerry

BlackBerry EAP Types

BlackBerry PEAP Configuration

BlackBerry CA Configuration

Windows Phone 8

[4] microsoft.com

Windows Phone 8 PEAP Configuration

Windows Phone 8 CA Configuration

Windows Phone 8 Cert Details

Attacking PEAP: Methodology

Single Network

- Traditional attack
- Story time:
  - 50-100 users, shared building
  - > 1,000 users, campus
- Extra credit

Multiple Networks

- Curated Lists: Geographical, industry, other?
- Story time:
  - Industry
  - Geographical
- Extra credit

All The Devices

- Everything (almost)
- Challenges
- Story time

Attacking PEAP: It’s Tool Time!

Pwning 101

- Single target
- Multiple targets

Existing Tools

- FreeRADIUS-WPE
- hostapd & hostapd-wpe
- DD-WRT & OpenWrt

The Goal

What’s Next?

- *WRT scripts
- *WRT integration
- hostapd-python-script [5]

[5] github.com/nims11/hostapd-python-script

Getting Fancy

- Dynamic target selection
- GPS (wigle.net?)
- Single tool

Solutions: How do we fix this?

Hide yo’ kids, hide yo’ WiFi

- EAP-TLS
- Better Mobile Device Management

PEAP vs EAP-TLS

Feature                | PEAP             | EAP-TLS
-----------------------|------------------|------------------
Support                | Nearly Universal | Nearly Universal
Server Authentication  | Yes              | Yes
User Authentication    | MSCHAPv2         | Certificate
Easy to Configure      | Yes              | No
Easy to Manage         | Yes              | No

Solutions: PEAP Mitigations

Doing PEAP “Right”

- Mobile Device Management
- Custom CA vs Public CA
- Separate accounts
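To make the three mitigation points concrete on the client side, here is an added example that is not part of the slides: two wpa_supplicant network blocks for the same SSID, the first configured the way many BYOD devices end up (no CA, no server name check) and the second the way an MDM-pushed profile should look (CA pinned, RADIUS server name matched, dedicated WiFi-only account, anonymous outer identity). The SSID, file paths, server name and credentials are assumed placeholders; the directives themselves (ca_cert, domain_suffix_match, subject_match, anonymous_identity, phase2) are standard wpa_supplicant options.

```conf
# Added example, not from the talk. SSID, paths, server name and identities
# are placeholders. Same syntax as /etc/wpa_supplicant/wpa_supplicant.conf.

# WEAK: with no ca_cert the supplicant completes the outer TLS tunnel with
# whichever RADIUS server answers for this SSID, then sends the MSCHAPv2
# response (derived from the directory password) inside it.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="evalDoer"
    password="1337p455"
    phase2="auth=MSCHAPV2"
    # missing: ca_cert, domain_suffix_match / subject_match
}

# HARDENED: only a server whose certificate chains to the pinned CA *and*
# whose name ends in the expected suffix is accepted; the identity sent in
# the cleartext outer handshake is anonymised; the inner account is a
# WiFi-only account, not the user's directory credential.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="wifi-evaldoer"
    password="<wifi-only password>"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-wifi-ca.pem"
    domain_suffix_match="radius.example.com"
    # older builds: subject_match="/CN=radius.example.com"
}
```

The name match is what makes the "Custom CA vs Public CA" choice matter: if the RADIUS certificate is issued by a public CA and the profile only pins that CA, any certificate the same CA issues to anyone would validate, so the server name check is mandatory; with a private CA the CA pin alone narrows acceptable servers to the organisation's own, and the name match is defence in depth. Either way the account used inside the tunnel should be one whose compromise does not also unlock mail, VPN and the directory.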


Demo

DefConSecure
Hacking the hackers

Victims Needed
Fair warning

- Turn off all of your WiFi devices if you do not wish to participate
- Targeting only DefConSecure
- No Man-in-the-Middle
- Username and MSCHAPv2 challenge/response collected
- Username and response displayed
- Brief Denial of Service
- Yes, I could crack your password later, but I know you didn’t reuse an important one (right?)
- I expect to capture only a handful, but maybe we’ll get lucky

Additional Resources

- Windows Phone 8 WiFi Configuration Guide - http://www.windowsphone.com/en-US/how-to/wp8/start/connect-to-a-wi-fi-network
- Apple iOS WiFi Deployment Guide - http://images.apple.com/iphone/business/docs/iOS_6_Wifi_Sept12.pdf
- Smart Phone WiFi Certifications - http://certifications.wi-fi.org/search_products.php?search=1&lang=en&filter_category_id=24&listmode=1
- Android WPA2 Enterprise UI Bug - https://code.google.com/p/android/issues/detail?id=1386

Thank Yous

- DEF CON
- iSEC Partners / NCC Group
- EFF
- The “victims”

Josh Yavor
Senior Security Engineer, iSEC Partners
https://www.isecpartners.com
@schwascore