Monday, November 7, 2011

Wireless Attack on Microsoft PEAP - Part 3 of 3

Just to recap what we configured in the previous session: we finished by installing the Wireless Pwnage Edition (WPE), which provides credential logging for multiple EAP types including PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP and others. It is part of the RADIUS configuration that we need in the next steps.

The next step is configuring the hardware to support the Wireless Pwnage Edition (WPE) so that we can break wireless PEAP. The wireless devices must be configured to use the RADIUS IP address of the Wireless Pwnage Edition (WPE).

The last step is the most interesting part, where we locate our target. In this demo it is done in a controlled environment where the client authenticates using its Active Directory credential. The credential is sent from the wireless access point to Microsoft IAS for validation.

Now we need to force the client to connect to our Wireless Pwnage Edition (WPE) RADIUS server so that we can log all the credentials. I will show you two examples here to illustrate the difference in the logs between a client using a notebook that is joined to Active Directory and a client using a standalone device such as an iPad, portable computer and so on. Please take note that this attack often succeeds where users are left with the decision to trust or reject certificates from an unknown certificate authority. The hackers can exploit this deployment weakness by impersonating the target network's access point service set identifier (SSID) and RADIUS server, which I covered in the previous article on configuring the RADIUS server to log account information and configuring the wireless access point to divert all requests to the Wireless Pwnage Edition (WPE) RADIUS server. Once we have the account information, we can crack it offline. I will explain more later.

By now we are ready to test the exploit:
1) Start the RADIUS server by typing the following command: radiusd
2) Validate the logs by typing the following command: tail -f /usr/local/var/log/radius/freeradius-server-wpe.log

If you do see your username and password captured by the RADIUS server, that means you have a weak configuration and you will need to assess whether you have a strong password policy to mitigate the issue. I will cover more in my next article on the four major steps we need to take to ensure the security of the wireless network.

In the samples below, I have screen-captured two cases: one device is part of Active Directory and the other is a standalone device, for which I used an iPad in this lab. In this lab, the password has been hardcoded into the dictionary for the sake of proving how it works.

Sample 1: Attacking an iPad
[Screenshot: wireless PEAP attack on iPad]

[Screenshot: wireless PEAP attack on iPad using asleap]
If you look carefully, the username is captured as ckwong and we can see the challenge and response that have been captured by our RADIUS server. The next step is to crack the password. As you can see from the result, we can break the password if it is part of our wordlist.

Sample 2: Attacking a machine that is joined to Active Directory
[Screenshot: wireless PEAP attack on Active Directory client]
[Screenshot: wireless PEAP attack on Active Directory client using asleap]
The attempt at cracking a machine that is part of Active Directory is the same. The username is captured as ckwong and we can see the challenge and response that have been captured by our RADIUS server. The next step is to crack the password. As you can see, we can't break it, and it ends with the error "Could not recover last 2 bytes of hash from the challenge/response". This happens because of the difference between the two attempts: the second attempt contains domain information.
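To show why the domain information in sample 2 matters to the challenge/response pair, the following added Python example (not code from this post, from WPE or from asleap) derives the 8-byte MS-CHAPv2 challenge exactly as RFC 2759 section 8.2 defines it, once for the bare user name and once for the DOMAIN\user form; the two 16-byte challenges are the RFC's own test vector, and the domain name LAB is an assumed placeholder.

```python
import hashlib

# RFC 2759 section 8.2 (ChallengeHash): the 8-byte challenge that the
# MS-CHAPv2 response is computed against is SHA1(PeerChallenge ||
# AuthenticatorChallenge || UserName) truncated to 8 bytes, so the user
# name string fed in here changes the challenge completely.
def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


# A domain-joined Windows client sends its name as DOMAIN\user but hashes
# only the "user" part (FreeRADIUS documents this as the reason for its
# with_ntdomain_hack option). A server, or anything reading its log, must
# strip the prefix before deriving the challenge or the recorded
# challenge/response pair will not correspond to the client's password.
def strip_nt_domain(username: str) -> str:
    return username.split("\\", 1)[1] if "\\" in username else username


def server_side_challenge(peer_challenge: bytes, auth_challenge: bytes, username_as_sent: str) -> bytes:
    return challenge_hash(peer_challenge, auth_challenge, strip_nt_domain(username_as_sent))


# Test vector from RFC 2759 section 9.2 (UserName "User"); the expected
# 8-byte challenge there is D0 2E 43 86 BC E9 12 26.
RFC_AUTH_CHALLENGE = bytes.fromhex("5b5d7c7d7b3f2f3e3c2c602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255e262a28295f2b3a337c7e")


def compare_standalone_and_domain_client(username: str, domain: str) -> dict:
    """Derive the challenge for the bare name (sample 1) and for the
    DOMAIN\\user form (sample 2) over the same pair of 16-byte challenges.
    The domain value is a constructed placeholder, not from the post."""
    bare = challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, username)
    naive = challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, f"{domain}\\{username}")
    fixed = server_side_challenge(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, f"{domain}\\{username}")
    return {"bare": bare.hex(), "naive_with_domain": naive.hex(), "domain_stripped": fixed.hex()}


if __name__ == "__main__":
    print("RFC 2759 vector:", challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, "User").hex())
    for label, value in compare_standalone_and_domain_client("ckwong", "LAB").items():
        print(f"{label:>20}: {value}")
```

The "naive_with_domain" value is what a server records if it hashes the name exactly as sent; it differs from the challenge the client actually used, which is why a response checked against it can never be recovered.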

I am interested in hearing your feedback, so that I can improve my articles and learning resources for you.

Related Article:
3) Breaking the wireless security


  1. And how can the Active Directory credential be cracked?

    1. In the last phase, you need a dictionary that contains the password. The chances of breaking the password depend on how complex the password is.