Black Hat | 802.1x and Beyond!
Title: 802.1x and Beyond!
Author: Brad Antoniewicz (brad.antoniewicz@foundstone.com - @brad_anton)
Subject: New tools and techniques for finding...
Page 1
802.1x and
BEYOND!
Brad Antoniewicz
Page 2
www.foundstone.com
Copyright © 2014 McAfee, Inc.
brad.antoniewicz@foundstone.com @brad_anton @foundstone
Hi, I’m @brad_anton
Page 3
Agenda
About 802.1x
Attacks
Fuzzing/Tools
Page 4
IEEE 802.1x Port-Based network access control
Cause not everyone is welcome at church?
Page 5
Flow (IEEE 802.1x): Supplicant <-> Authenticator <-> Authentication Server
Page 6
Wireless Client <-802.11-> Access Point <-> RADIUS Server
Page 7
Wired Client <-Ethernet-> Network Switch <-> RADIUS Server
Page 8
TRUSTED UNTRUSTED
Page 9
What if I….
Cisco ACS 4.2
Page 10
EAP: Extensible Authentication Protocol (RFC 3748)
Page 11
EAP over 802.1x (Layer 2)
Page 12
EAP Type: PEAP, EAP-TTLS, EAP-FAST, etc. (Layer 2)
Page 13
EAP over RADIUS
Page 14
DALAI LAMA
Page 15
RADIUS (Layer 3)
Page 16
RADIUS: Remote Access Dial-In User Service (RFC 2865/2869)
Used for DSL/Dialup, VPN
Page 17
Integration: User Database (Active Directory, SecurID, LDAP)
Page 18
Surface
Page 19
Surface: External Auth Handler
RADIUS/EAP/Types; 802.1x/EAP/Types
(Protocol/Configuration/Handling issues)
Page 20
Surface: Mgmt Web UI (one per component in the diagram)
Page 21
Attacks
Page 22
Sniffing (Protocol Issue)
• Offline brute-force of Shared Secret/User-Password: john
• CHAP: hashcat
• EAP data: asleap and eapmd5pass
• Clear-text data: User-Name AVP / EAP Identity, NAS-Id, Calling-Station, State
• No need to be fancy, just use Wireshark
Page 23
Impersonation (Configuration Issue): Attacker Controlled
Page 24
FreeRADIUS-WPE (Configuration Issue)
Page 25
hostapd-wpe (Configuration Issue): https://github.com/OpenSecurityResearch/hostapd-wpe
• Supports Tons of EAP-Types (including EAP-FAST Phase 0)
• Always Returns EAP-Success
• Requests PAP first
• Responds to all 802.11 probe requests
• Heartbleed (Cupid)
• Saves to file/outputs NETNTLM format
Thanks to JoMo-Kun, @lgrangeia, and @haxorthematrix for
Patches/Functionality and improvement suggestions
Page 27
Fuzz: RADIUS/EAP/802.1x
Page 28
Peach Overview: DataModel, StateModel, Publisher, Agents, Transformers, mutators, etc., Targets
Page 29
DataModels
• EAP: Eap.xml, EapFast.xml, EapGtc.xml, EapLeap.xml, EapMd5.xml, EapMschapv2.xml, EapPeap.xml, EapTls.xml, EapTlv.xml
• RADIUS: Radius.xml
• Supporting Protocols: Tls.xml, Mschapv2.xml
• Utilities: Utils.xml
• 802.1x: Ieee802.1x.xml
Page 30
DataModel: Radius.xml
Per target (Cisco ACS, TekRADIUS, MS NPS/IAS, SBR/FreeRadius): StateModel, Tests, VS DataModel
Fuzzers: UDPPublisher
Page 32
Publishers (all via wired, supports all tunneled EAP Types)
• RadiusPublisher: Eap.xml
• RadiusPeapPublisher: Eap.xml (TLS)
• EthernetPeapPublisher: Eap.xml (TLS)
• RawEthernetPublisher: Ieee8021x.xml
Page 33
Surface: Mgmt Web UI

```csharp
// StringMutator.Data.cs
namespace Peach.Core.Mutators {
    public partial class StringMutator {
        // Mutator string table: LDAP Injection, XSS, SQL Injection, CMD Injection, etc.
        static readonly string[] values = new string[] {
        };
    }
}
```
Page 34
RADIUS/802.1x/EAP
Page 35
Tools
• Existing: libeap, Pyradius
• Releasing: Radius .Net (forked), Eap .Net, OpenSSL .NET ..i know.. “ugh .Net”
Page 36
Libz

```csharp
// OpenSSL.NET (Fork)
SslUdp SslClient = new SslUdp(false);
SslUdp SslSvr = new SslUdp(pub, priv, true);
SslSvr.Send(ePkt.RawData);

// Eap.NET (New)
RadiusEapSession eClient = new RadiusEapSession(host, secret);
EthernetEapSession eSvr = new EthernetEapSession(dev, pub, priv);
EapPacket ePkt = new EapPacket(bytes);            // Recv: parse a received packet
EapPacket eNew = new EapPacket(Code, Type, ID);   // Build: construct a packet to send
eNew.SetEapData(bytes);
```
Page 37
Profiling (RadiusEapProfiler.exe)
• AVP-State (RADIUS): maintains state of the connection; Active/Passive. Cisco: “acs/Number/Number”; MS NPS: 38 bytes
• EAP-Response/Identity username: MS NPS will reject if not valid; others: doesn’t matter
• Msg-Auth. (RADIUS): Cisco ignores; others: Access-Reject
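As an added example (not from the slides or from the author's tools), the following Python parser covers the two items the Sniffing and Profiling slides single out: the clear-text EAP Response/Identity carried in the EAP-Message AVP, and the Message-Authenticator check that the slides say Cisco ACS ignores while other servers Access-Reject. Attribute numbers and the HMAC-MD5 construction follow RFC 2865/2869 and RFC 3748; the shared secret, identity and Request Authenticator are constructed placeholders.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # RADIUS attribute types (RFC 2869)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1        # EAP code / type (RFC 3748)

def avp(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def build_access_request(secret, ident, req_auth, eap):
    """Access-Request with EAP-Message and Message-Authenticator (RFC 2869 5.14)."""
    attrs = avp(EAP_MESSAGE, eap) + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    # HMAC-MD5 over the whole packet with the MA value zeroed, then filled in.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac   # the zeroed MA value is the trailing 16 bytes

def parse_avps(attrs):
    """Walk the TLV list; refuse lengths that would overrun or never advance."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError(f"malformed AVP at offset {i}")
        attr_type, length = attrs[i], attrs[i + 1]
        out.append((attr_type, i, attrs[i + 2:i + length]))
        i += length
    return out

def verify_message_authenticator(pkt, secret):
    """True only for a well-formed, matching MA; absent or wrong means reject."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    for attr_type, off, value in parse_avps(pkt[20:]):
        if attr_type == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            start = 20 + off + 2
            zeroed = pkt[:start] + b"\x00" * 16 + pkt[start + 16:]
            want = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(want, value)
    return False   # the slides note Cisco ACS ignores MA; treating absence as reject is safer

def eap_identity(pkt):
    """Reassemble EAP-Message fragments; return the identity of a Response/Identity."""
    eap = b"".join(v for t, _, v in parse_avps(pkt[20:]) if t == EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, _, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY and length == len(eap):
        return eap[5:].decode("utf-8", "replace")   # clear text: this is what sniffing sees
    return None

# Constructed sample (not a real capture): Response/Identity "alice" in an Access-Request.
SECRET = b"placeholder-shared-secret"
REQ_AUTH = bytes(range(16))   # fixed Request Authenticator so the result is reproducible
IDENTITY_EAP = struct.pack("!BBHB", EAP_RESPONSE, 7, 5 + 5, EAP_TYPE_IDENTITY) + b"alice"
SAMPLE = build_access_request(SECRET, 42, REQ_AUTH, IDENTITY_EAP)
```

Malformed attribute lists raise ValueError rather than looping; a receiver that treats that exception the same as a failed Message-Authenticator check gets the Access-Reject behaviour the Profiling slide attributes to the non-Cisco servers.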
Page 38
Brute-Force (or Enumeration …whatever)
• Password: a.k.a. Active Brute Force (..meh)
• Usernames: NPS, via Eap-Resp/Identity
• EAP-Type: Client Downgrade
• eapEnum.exe
Page 39
wpa_supplicant-wpe: enumeration/profiles/exploits (TODO)
Page 40
Notes for the researchers
■ Don’t try to fuzz EAP over WiFi or using wpa_supplicant or through an authenticator
■ eapol_test is great (“make eapol_test” in wpa_supplicant)
■ netsh lan reconnect will start an 802.1x connection on Windows 7 and 8.1
■ +hpa +ust to find the real goodies
Page 41
Exploitation
&
Page 42
? @brad_anton
*many of the pics in this presentation were found on the
internet – credit goes to images.google.com