0x00 Enterprise-class wireless penetration
Note:
In this article I elaborate on the security of the enterprise 802.1X solution, with some analysis of the data protocol. The analysis of personal-network penetration is too long and too verbose, so I won't write it here; I'll cover it when I get the chance.
Because I didn't want to split the writing up, I simply put the three pieces of content together. If you think something is wrong, corrections and discussion are welcome.
I. About the NIC
To do a good job, one must first sharpen one's tools. In wireless penetration or wireless attacks, not every network adapter that works under Linux is supported by the wireless tools. One recommended card is the AWUS036H, which I have used; it has the RTL8187 chipset, works really well, and is perfectly supported by the tools. You can also choose an RT3070 chipset. Besides tool compatibility, another very important factor when choosing a card is build quality: a poor-quality card may be unstable, causing disconnections, blue screens, or dropped packets while sniffing.
II. Enterprise-class wireless penetration
Any Internet company of a certain size will generally choose RADIUS when setting up its wireless; WPA plus RADIUS should be considered standard.
This is a simple diagram of how RADIUS works. My drawing is not great, so I kept it simple; a complicated one would not necessarily get read, and it only has to convey the idea.
In personal wireless network settings you are asked to choose an authentication mechanism and an encryption method (WPA/WPA2, TKIP/AES-CCMP, and so on). 802.1X also has authentication mechanisms that use TLS-based authentication. TLS comes from the IETF, while 802.11 comes from the IEEE. Three standards have now been developed and deployed to wireless networks:
- EAP-TLS: EAP Transport Layer Security
- EAP-TTLS: EAP Tunneled Transport Layer Security
- EAP-PEAP: Protected EAP
EAP is the authentication protocol used by 802.1X. EAP provides an authentication framework for 802.1X and is an extensible protocol that supports multiple authentication methods.
EAP in the enterprise WPA-802.1X authentication method (as usual, the foreigner's figure is easier to understand):
The 802.1X protocol sits at the second layer, and the layer above it is EAP. The top layer of EAP is the various authentication methods; the bottom is 802.11 (not drawn in the figure; fill it in mentally). The whole EAP conversation, including the EAP negotiation, is carried through the TLS tunnel.
I have just listed the three commonly used mechanisms; in fact there are many authentication mechanisms, such as LEAP, EAP-MD5 and so on. The most popular are these three.
Because EAP itself is not protected, its EAP-Identity is shown in plaintext, and messages such as EAP-Success can be forged or sniffed:
(1) EAP-TLS: a mutual authentication mechanism that completes authentication between server and client. It is all good except for two fatal points: (1) the username is transmitted in cleartext and can be captured; (2) it requires the enterprise to deploy a PKI, because it is built on a certificate system, and a PKI is too large and too complex. So....
(2) EAP-TTLS and PEAP: because of the defects above, EAP-TTLS came along. These two can be discussed together, since they are as similar to each other as WPA is to WPA2. They also need certificates, but only on the server side rather than on the client. Of the two, PEAP is more convenient and more compatible in every respect, so enterprises generally use PEAP.
EAP needs protection, so the EAP negotiation is done inside a secure TLS tunnel to keep all communication secure. An inner authentication method is then chosen inside the tunnel: "EAP-MSCHAPv2" or "EAP-GTC".
These are the two PEAP subtypes allowed by WPA/WPA2. The one enterprises use most is the first, with the domain account schema: "EAP-MSCHAPv2". Having said all this, anyone whose corporate wireless is deployed this way will understand it; those who have never met this architecture may find it harder to follow. Here are a few pictures:
Generally it looks like this: you log in with your domain account and you can connect to your company's wireless network.
About MSCHAPv2
Before MSCHAPv2 there was MSCHAPv1; the newer version's encryption and authentication are better than the older one's, so it replaced it.
During PEAP-MSCHAPv2 authentication there is server-to-client interaction containing the EAP-Response/Identity and the challenge strings. Under the protection of PEAP, because the authentication runs inside the TLS tunnel, it is hard to do anything to MSCHAPv2 directly, but MSCHAPv2 has a known weakness and can be brute-forced. So we can fake the AP to obtain their hashes.
If the client does not verify the server's TLS certificate, then with a simulated AP the attacker can trick the client into connecting to a rogue access point and obtain the client's inner-authentication credentials. Unfortunately, the PKI problem was already mentioned above. In this way the attacker enters your enterprise domain. The specific tool for this attack is hostapd-wpe, which replaced FreeRADIUS-WPE.
GitHub: https://github.com/opensecurityresearch/hostapd-wpe
Supported EAP types:
- EAP-FAST/MSCHAPv2
- PEAP/MSCHAPv2
- EAP-TTLS/MSCHAPv2
- EAP-TTLS/MSCHAP
- EAP-TTLS/CHAP
- EAP-TTLS/PAP
When we build a fake AP, we get two identical SSIDs. If we are targeting an attack and our target is already connected to the normal wireless network, we can deauth it from that SSID to force it to disconnect and join our fake AP.
Command: `aireplay-ng -0 10 -a <ap mac> -c <client mac> mon0`
When the target connects to our fake AP:
This is the captured hash. All the hashes you capture are in a file named hostapd-wpe.log under the hostapd directory.
Once we have these hashes we need to crack them; use asleap to crack the password. Kali has it built in, or you can get it from GitHub yourself.
Some people may think that brute-force cracking comes down to the dictionary and has nothing to do with how complex the password policy is. But have you considered an enterprise with a RADIUS wireless architecture and, say, 2000 people? Of those 2000, I conservatively estimate I can capture hashes from 1000. Wouldn't even one in five of those 1000 be plenty? Not to mention there are many other wireless attacks; getting a few domain accounts is no difficulty at all. The combination of attacks is still not to be underestimated.
EAP-MD5
Another authentication type is EAP-MD5. You may not see it today, but it should still exist somewhere; nothing is absolute, so I mention it briefly. I won't describe its authentication, because there is nothing to say and no security to speak of: the data is not protected by SSL, there is only an MD5 challenge, which offers the lowest level of protection. The MD5 hash can be broken with a dictionary, and it does not support key generation, so it is not suitable for enterprise use at all. I don't know who came up with it; perhaps wireless security was not a concern when it was developed. Capture the packets and you can crack it.
This is an AP using EAP-MD5 authentication. By capturing packets we can see its challenge directly. We captured the whole exchange, just like a WPA/WPA2 handshake capture. After capturing the packets there is a cracking tool specifically for EAP-MD5 called eapmd5pass.
Usage is also simple:
eapmd5pass -r <handshake capture file> -w <dictionary>
LEAP
Cisco's thing. Called Lightweight EAP; its data is also not protected by SSL, and it uses MS-CHAPv1, the first version I mentioned above. This is even weaker than WEP and was already crackable in 2003.
EAP-FAST
The upgraded version of LEAP. It uses a Protected Access Credential (PAC) on the TLS side of the authentication. It is said to have vulnerabilities, but I have not had much contact with this method and have never encountered it, so I'll keep it short; if you have met it we can exchange notes, but it is probably of little value.
LEAP's cracking method is also to capture the four handshake packets and then brute-force them. The concrete method is the same as everything above. Simple things don't need much explanation.
For some high-complexity passwords we can try John the Ripper, also called JTR, which is also good and supports many algorithms:
Https://github.com/magnumripper/JohnTheRipper
When we penetrate an unknown enterprise hotspot, we first need to know what encryption it is using; we can filter by type in Wireshark:
It's a little trick.
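The Wireshark filter above works because the EAP method type is a single byte in every EAP Request/Response, and the EAP-Response/Identity is sent before any TLS tunnel exists. The following is an added example, not code from the original post or from any of the tools it names: a small EAPOL/EAP parser that classifies which outer method a captured exchange uses and flags the cases the article calls unprotected (EAP-MD5 and LEAP). The frames are constructed by hand and labelled as such; the type numbers come from RFC 3748 and the IANA EAP registry. In a real deployment the same logic would run over frames read from a pcap.

```python
import struct

# EAP codes and method types (RFC 3748 and the IANA EAP method registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP",
    26: "EAP-MSCHAPv2", 43: "EAP-FAST",
}
# Methods the article describes as running with no TLS tunnel around them.
UNPROTECTED_METHODS = {"MD5-Challenge", "LEAP"}


def parse_eapol(frame):
    """Parse one EAPOL frame (802.1X header plus EAP packet) into a dict."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    info = {"eapol_version": version, "eapol_type": eapol_type}
    if eapol_type != 0:  # 0 = EAP-Packet; 1 = Start, 2 = Logoff, 3 = Key
        return info
    body = frame[4:4 + body_len]
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > len(body):
        raise ValueError("EAP length exceeds EAPOL body")
    info["code"] = EAP_CODES.get(code, "code-%d" % code)
    info["id"] = ident
    # Success and Failure carry no method type; Request and Response do.
    if code in (1, 2) and eap_len >= 5:
        method = body[4]
        info["type"] = method
        info["type_name"] = EAP_TYPES.get(method, "type-%d" % method)
        if method == 1 and code == 2:
            # EAP-Response/Identity: the username travels in the clear.
            info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info


def classify_exchange(frames):
    """Summarise an EAP conversation: identity seen, outer methods, outcome."""
    report = {"identity": None, "methods": [], "unprotected": False, "outcome": None}
    for frame in frames:
        p = parse_eapol(frame)
        if p.get("code") in ("Success", "Failure"):
            report["outcome"] = p["code"]
        name = p.get("type_name")
        if name is None or name in ("Notification", "Nak"):
            continue
        if name == "Identity":
            if "identity" in p:
                report["identity"] = p["identity"]
        elif name not in report["methods"]:
            report["methods"].append(name)
            if name in UNPROTECTED_METHODS:
                report["unprotected"] = True
    return report


# Constructed frames, not a real capture: an EAPOL-Start, then a PEAP
# exchange (the inner MSCHAPv2 runs inside TLS and is not visible here),
# and a bare EAP-MD5 exchange as described in the EAP-MD5 section.
PEAP_FRAMES = [
    bytes.fromhex("01010000"),                      # EAPOL-Start from the client
    bytes.fromhex("0100000a0201000a01616c696365"),  # Response/Identity "alice"
    bytes.fromhex("01000006010200061920"),          # Request PEAP, Start flag set
    bytes.fromhex("0100000403040004"),              # EAP-Success
]
MD5_FRAMES = [
    bytes.fromhex("010000080201000801626f62"),      # Response/Identity "bob"
    bytes.fromhex("0100000a0102000a0404deadbeef"),  # Request MD5-Challenge
    bytes.fromhex("0100001602020016041000112233445566778899aabbccddeeff"),
    bytes.fromhex("0100000403030004"),              # EAP-Success
]

if __name__ == "__main__":
    for label, frames in (("PEAP", PEAP_FRAMES), ("EAP-MD5", MD5_FRAMES)):
        print(label, classify_exchange(frames))
```

The report for the PEAP exchange shows only the outer method and the cleartext identity, which is exactly what a passive observer gets; for the EAP-MD5 exchange it additionally raises `unprotected`, which is the condition under which the challenge and response themselves are exposed.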
By the way, here is MDK3's 802.1X attack mode:
```bash
mdk3 mon0 x 0             # EAPOL Start packet flooding: a flood of EAPOL-format packets
    -n <ssid>
    -t <bssid>            # target client MAC address
    -w <WPA type>         # set WPA type (1: WPA, 2: WPA2/RSN; default: WPA)
    -u <unicast cipher>   # set unicast cipher type (1: TKIP, 2: CCMP; default: TKIP)
    -m <multicast cipher> # set multicast cipher type (1: TKIP, 2: CCMP; default: TKIP)
    -s <pps>              # rate, default 400
mdk3 mon0 x 1             # EAPOL Logoff test: a deauthentication (logoff) attack
    -t <bssid>            # target client MAC address
    -c <bssid>            # MAC of a legitimate client of the target AP
    -s <pps>              # rate, default 400
```
For example: `mdk3 mon0 x 1 -t <target MAC address> -c <client MAC address>`
Another recommended tool: 3vilTiwnAttacker.
A foreigner wrote it; it combines wireless hijacking and sniffing in one tool. It's new and feels good; everyone can try it.
Https://github.com/joridos/3vilTiwnAttacker (there is a demo video inside)
In fact, I think if you really want to study this, you might as well download FreeRADIUS and study it.
http://freeradius.org/
Buy a router; generally they have RADIUS settings, and if not you can flash firmware. Although the installation process is a bit slow, you can really learn a lot. I wanted to go through every RADIUS setting and configuration file step by step, but the school's Internet client restrictions mean I cannot set up a router; sad. Later, then.
There is also a talk about backdoors and worms for corporate Wi-Fi; I'll leave the PDF for anyone interested:
http://www.securitybyte.org/resources/2011/presentations/Enterprise-wi-fi-worms-backdoors-and-botnets-for-fun-and-profit.pdf
About defense strategies
A few days ago I read an article: Http://drops.wooyun.org/wireless/15269?from=timeline&isappinstalled=0
By coincidence, the author was my colleague at my internship last summer. His ID changed, but his Weibo ID has not.
He pointed out a flaw in the certificate mechanism. That is true, but fixing it is a tedious project, and even if it is resolved there will be other attacks that can disrupt the wireless network. Let's think about strategies to fully protect the wireless network. I have recently thought of some; I'll only state the simple ideas, since nothing tangible has been built yet. If you are interested we can also chat.
1. Because of the particular nature of wireless, we have to really determine whether an attack is real and how many false positives there are. A simple example:
This client has launched a deauth attack on this AP. Should I decide that it is a flood, or an attempt to capture the handshake?
The deauth packet makes the AP's client drop and reconnect so that the data can be captured. One is a DoS attack, the other is a password threat. What's more, if I miscount the number of times, do I raise the alarm?
So these are the problems; this parameter is hard to set. I wanted to compute the normal difference between the two and push the accuracy as high as possible, but it still does not feel good enough. I can only work from changes in the data and in traffic, because the attack itself is offline.
Also, it is a serious matter when ordinary corporate staff set up private hotspots and one of them is breached, so awareness of this needs to be cultivated.
2. There is also the fake AP problem.
For example, we can use some MAC address policies to identify these "fake APs".
There is a tool called "airdrop-ng"; it started out as a deauth tool but was later used to build an IPS. As the saying goes: "A tool is a double-edged sword; it depends on how you use it."
Airdrop has many uses, and it can also act as a honeypot. For details you can refer to:
Https://github.com/aircrack-ng/aircrack-ng/tree/master/scripts/airdrop-ng
Its function is basically a blacklist/whitelist mechanism, and you can write rules according to your own requirements.
A foreigner also wrote an IDS. It is aimed more at personal networks, but you can still learn from it.
Https://github.com/SYWorks/waidps
This guy is very imaginative; he previously wrote a script for cracking WPA without a client. Of course it still depends on the conditions, but that he could think of it shows he is stronger than us; I have to admire it.
I also have some rules against other attacks that I don't want to publish yet, because they still need improvement, but I think they should be very useful. I'll release them when they really have no problems.
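The threshold problem in strategy 1 above (one deauth is a normal disconnect, a burst at a single client looks like forced reconnection for handshake capture, a flood is a DoS) is what a rule in an IDS such as the ones mentioned has to encode. The following is an added example, not code from the original post nor from airdrop-ng or WAIDPS: a sliding-window detector over a constructed sequence of 802.11 management events that separates those three cases and fires each alert only once per target. The window and thresholds are assumptions to be tuned per site, which is precisely the difficulty the author describes.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_SUBTYPES = {"deauth", "disassoc"}
WINDOW_SEC = 5.0       # sliding window over which frames are counted (assumed)
BURST_THRESHOLD = 8    # deauths to one client in the window: targeted attack (assumed)
FLOOD_THRESHOLD = 50   # deauths under one BSSID in the window: DoS flood (assumed)


def _push(queue, t, window):
    """Append a timestamp, drop entries older than the window, return the count."""
    queue.append(t)
    while queue and t - queue[0] > window:
        queue.popleft()
    return len(queue)


def detect_deauth(events, window=WINDOW_SEC, burst=BURST_THRESHOLD, flood=FLOOD_THRESHOLD):
    """events: iterable of (time, subtype, src, dst, bssid). Returns alert dicts.

    A single deauth is normal (idle timeout, roaming). A short burst aimed at one
    client looks like an attempt to force a reconnect; a large volume under one
    BSSID looks like a DoS. Each alert fires once per key so that a flood does
    not turn into thousands of alerts.
    """
    per_bssid = defaultdict(deque)
    per_client = defaultdict(deque)
    fired = set()
    alerts = []
    for t, subtype, src, dst, bssid in events:
        if subtype not in DEAUTH_SUBTYPES:
            continue
        n = _push(per_bssid[bssid], t, window)
        if n >= flood and ("flood", bssid) not in fired:
            fired.add(("flood", bssid))
            alerts.append({"kind": "flood", "bssid": bssid, "count": n, "time": t})
        if dst == BROADCAST:
            continue  # broadcast deauths count toward the flood only
        n = _push(per_client[(bssid, dst)], t, window)
        if n >= burst and ("targeted", bssid, dst) not in fired:
            fired.add(("targeted", bssid, dst))
            alerts.append({"kind": "targeted", "bssid": bssid, "client": dst,
                           "count": n, "time": t})
    return alerts


# Constructed sample, not a real capture; all MAC addresses are made up.
AP1, AP2 = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
CLIENT_A, CLIENT_B = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
SAMPLE_EVENTS = (
    [(0.0, "deauth", AP1, CLIENT_A, AP1)]                                  # one normal deauth
    + [(1.0 + i, "data", CLIENT_A, AP1, AP1) for i in range(5)]             # ordinary traffic
    + [(10.0 + i * 0.1, "deauth", AP1, CLIENT_B, AP1) for i in range(10)]   # burst at one client
    + [(30.0 + i * 0.03, "deauth", AP2, BROADCAST, AP2) for i in range(60)] # broadcast flood
)

if __name__ == "__main__":
    for alert in detect_deauth(SAMPLE_EVENTS):
        print(alert)
```

The single deauth at the start produces nothing, the ten-frame burst produces one "targeted" alert when it crosses the burst threshold, and the broadcast flood produces one "flood" alert; raising or lowering the two thresholds is the trade-off between missed attacks and false alarms that the text discusses.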
0x01 Wireless data analysis
Let me say something about data analysis. 802.11 has several standards, such as 802.11g, 802.11n and so on, and different standards correspond to different channels. Analysis of the data certainly cannot be avoided; after all, wireless is a protocol matter. I'll only talk about the common, frequently used parts, so that even if you don't analyze them yourself, you can at least understand them when you meet them.
There are three types of 802.11 frames:
- Management frames: Authentication, Association, Beacon
- Control frames: basically requests and acknowledgements
- Data frames: the useful part, the communication data itself
Some may have heard of the Beacon frame; it is in fact the most important one. A Beacon contains a number of AP characteristics: the network name, configuration, security information and so on. That is why MDK3 has a mode called Beacon Flood.
This is not the complete data, just the part whose header "type" is defined as Beacon. It is sent as a broadcast frame by the WAP.
This is not all of it either. The simple things we can see are: its header defines it as type Beacon; the device vendor is Huawei; the MAC address and the like; the SSID name is visible below; it uses the 802.11b protocol; and it works on channel 11.
It is also possible to analyze whether the AP is encrypted from the capture:
First look at the Authentication Algorithm field in the Authentication frame: if its value is Open System (0), it is not shared-key mode but open or WPA. Then whether the Privacy value in the Beacon data below is (1) determines whether encryption is enabled. The AP's setting is consistent with the STA's authentication.
Of course there are other encryption types; this is just one example.
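The Beacon fields just described (capability Privacy bit, SSID, DS Parameter Set channel, RSN information element) are also what a rogue-AP check of the whitelist kind mentioned under defense strategy 2 works from. The following is an added example, not code from the original post or from any tool it names: a minimal beacon builder for constructing test frames, a parser that extracts those fields and classifies the advertised security (open, WEP, WPA, WPA2-PSK, WPA2-Enterprise), and a check of observed beacons against an authorized-AP inventory. The inventory, SSIDs and MAC addresses are made up; the IE tag numbers and suite selectors are the standard 802.11 values.

```python
import struct

OUI_IEEE = b"\x00\x0f\xac"          # suite selector OUI used inside the RSN IE
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"  # Microsoft OUI + type 1 = legacy WPA vendor IE
CAP_PRIVACY = 0x0010


def build_beacon(bssid, ssid, channel, security):
    """Construct a minimal beacon for testing; security is one of
    'open', 'WEP', 'WPA2-PSK', 'WPA2-Enterprise'. Not a real capture."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    # MAC header: frame control (mgmt, subtype 8), duration, DA, SA, BSSID, sequence
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    cap = 0x0001 | (CAP_PRIVACY if security != "open" else 0)
    body = b"\x00" * 8 + struct.pack("<HH", 100, cap)   # timestamp, interval, capability
    body += bytes([0, len(ssid)]) + ssid.encode()       # SSID IE (tag 0)
    body += b"\x01\x04\x82\x84\x8b\x96"                 # supported rates IE (tag 1)
    body += bytes([3, 1, channel])                      # DS parameter set IE (tag 3)
    if security.startswith("WPA2"):
        akm = 1 if security.endswith("Enterprise") else 2
        rsn = (struct.pack("<H", 1) + OUI_IEEE + b"\x04"           # version, group CCMP
               + struct.pack("<H", 1) + OUI_IEEE + b"\x04"         # one pairwise suite: CCMP
               + struct.pack("<H", 1) + OUI_IEEE + bytes([akm])    # one AKM suite
               + b"\x00\x00")                                       # RSN capabilities
        body += bytes([48, len(rsn)]) + rsn             # RSN IE (tag 48)
    return header + body


def _rsn_akms(rsn):
    pos = 2 + 4                                   # skip version and group cipher
    n = struct.unpack_from("<H", rsn, pos)[0]
    pos += 2 + 4 * n                              # skip pairwise suite list
    m = struct.unpack_from("<H", rsn, pos)[0]
    pos += 2
    return [rsn[pos + 4 * i + 3] for i in range(m)
            if rsn[pos + 4 * i:pos + 4 * i + 3] == OUI_IEEE]


def parse_beacon(frame):
    """Return bssid, ssid, channel, privacy flag and the security type advertised."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    cap = struct.unpack_from("<H", frame, 34)[0]
    info = {"bssid": ":".join("%02x" % b for b in frame[16:22]), "ssid": None,
            "channel": None, "privacy": bool(cap & CAP_PRIVACY), "security": "open"}
    rsn = wpa = None
    pos = 36
    while pos + 2 <= len(frame):                  # walk the tagged information elements
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) < length:
            raise ValueError("truncated information element")
        if tag == 0:
            info["ssid"] = data.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = data[0]
        elif tag == 48:
            rsn = data
        elif tag == 221 and data[:4] == WPA_OUI_TYPE:
            wpa = data
        pos += 2 + length
    if info["privacy"]:
        if rsn is not None:
            akms = _rsn_akms(rsn)
            info["security"] = ("WPA2-Enterprise" if 1 in akms
                                else "WPA2-PSK" if 2 in akms else "WPA2")
        elif wpa is not None:
            info["security"] = "WPA"
        else:
            info["security"] = "WEP"              # privacy bit set, no RSN/WPA IE
    return info


def check_beacons(frames, authorized):
    """authorized: {ssid: {"bssids": {...}, "security": "..."}}. Alerts on unknown
    BSSIDs advertising a corporate SSID and on security that differs from policy."""
    alerts = []
    for frame in frames:
        b = parse_beacon(frame)
        policy = authorized.get(b["ssid"])
        if policy is None:
            continue
        if b["bssid"] not in policy["bssids"]:
            alerts.append(("rogue-bssid", b["ssid"], b["bssid"], b["channel"]))
        elif b["security"] != policy["security"]:
            alerts.append(("security-mismatch", b["ssid"], b["bssid"], b["security"]))
    return alerts


# Constructed inventory and beacons; all addresses and names are made up.
AUTHORIZED = {"corp-net": {"bssids": {"00:11:22:33:44:55"}, "security": "WPA2-Enterprise"}}
SAMPLE_BEACONS = [
    build_beacon("00:11:22:33:44:55", "corp-net", 11, "WPA2-Enterprise"),  # legitimate AP
    build_beacon("66:77:88:99:aa:bb", "corp-net", 6, "WPA2-Enterprise"),   # same SSID, unknown BSSID
    build_beacon("00:11:22:33:44:55", "corp-net", 11, "open"),             # known BSSID, wrong security
    build_beacon("de:ad:be:ef:00:01", "cafe-guest", 1, "open"),            # not ours, ignored
]

if __name__ == "__main__":
    for alert in check_beacons(SAMPLE_BEACONS, AUTHORIZED):
        print(alert)
```

The second beacon is the shape a hostapd-wpe style twin takes on the air (the corporate SSID from a BSSID that is not in the inventory), and the third shows why the security field is worth comparing as well as the BSSID, since a client that does not verify the server certificate cannot tell the difference on its own.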
Then there is the analysis of DoS attacks. This is simpler; there are many DoS attacks, such as Beacon Flood, Authentication DoS, Deauthentication/Disassociation and so on. Take Authentication Flood as an example.
You can tell what kind of attack it is (Authentication) from the type and the request.
- Destination address: the attacked AP's MAC
- Source address: the originating MAC (which may also be a spoofed client MAC)
Other attack types are roughly the same, with slight differences that you can tell apart.
There are also the 802.11 wireless channels and frequencies:

| Channel | Center frequency (MHz) |
|---------|------------------------|
| 1 | 2412 |
| 2 | 2417 |
| 3 | 2422 |
| 4 | 2427 |
| 5 | 2432 |
| 6 | 2437 |
| 7 | 2442 |
| 8 | 2447 |
| 9 | 2452 |
| 10 | 2457 |
| 11 | 2462 |
| 12 | 2467 |
| 13 | 2472 |

This table shows only part of the channel data.
In fact, the headache in wireless data is the packet structure: control frames, management frames, data frames. It is not easy to understand all of it. I am still studying; if you only do simple analysis, you won't use much of this. I'll give you the 802.11 types with their subtypes, for everyone's convenience.
There are also some Wireshark filter parameters:
This is not all of them. A foreigner has compiled a set of filter parameters, 802.11 frame formats and field values into a single PDF:
Http://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf I think it is really great, and easy for a novice to understand too.
If you want to analyze the frames of a specific AP, you can filter as follows:
We can also analyze the handshake capture below, taking WPA as an example.
WPA-PSK (the personal edition) uses the EAPOL protocol to process the user's login authentication after the STA and AP have set up the data link. It consists of a four-way handshake. When a WPA-enabled AP is working, it uses 802.1X authentication if there is a RADIUS server; otherwise it authenticates in PSK mode. The capture above is the fourth message of the handshake; the rest is easy to understand, but the MIC needs explaining: this value is the key to whether the handshake finally succeeds.
During authentication, the SSID and the password go through a specific algorithm to generate the PSK. The client then receives the information sent by the AP and uses the algorithm to generate the PSK. The two sides then authenticate each other with the algorithm, and finally the MIC key is derived. If the MIC of the STA and the AP are equal, they succeed; otherwise they fail.
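The "specific algorithm" in the paragraph above is spelled out in IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), the PTK comes from a PRF over the PMK, both MAC addresses and both nonces, and the MIC on each EAPOL-Key message is an HMAC with the first 16 bytes of the PTK (the KCK). The following is an added example, not code from the original post or from aircrack-ng: it derives the PMK and PTK, builds handshake message 2 with its MIC as the supplicant would, and verifies it as the authenticator would, so that the "MICs equal means success" rule can be seen end to end. The passphrase/SSID pair "password"/"IEEE" is the published test vector from the standard; the nonces and MAC addresses are constructed stand-ins, not random values, and the descriptor version is fixed to 2 (HMAC-SHA1, CCMP).

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81   # EAPOL(4) + descriptor type(1) + key info(2) + key length(2)
                  # + replay counter(8) + nonce(32) + IV(16) + RSC(8) + ID(8)


def derive_pmk(passphrase, ssid):
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK for CCMP (48 bytes: KCK | KEK | TK); min/max ordering makes both sides agree."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def build_msg2(snonce, key_data=b""):
    """EAPOL-Key message 2 (STA -> AP) with the MIC field zeroed; descriptor version 2."""
    key_info = 0x0002 | 0x0008 | 0x0100          # HMAC-SHA1, pairwise key, MIC present
    body = (b"\x02" + struct.pack(">HHQ", key_info, 16, 1) + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, key RSC, key ID
            + b"\x00" * 16                                # MIC placeholder
            + struct.pack(">H", len(key_data)) + key_data)
    return b"\x01\x03" + struct.pack(">H", len(body)) + body   # EAPOL v1, type 3 (Key)


def sign_msg2(frame, kck):
    """Supplicant side: MIC = HMAC-SHA1(KCK, frame with MIC zeroed), truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    mic = hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def verify_msg2(frame, kck):
    """Authenticator side: recompute the MIC and compare in constant time."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    expected = hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(expected, frame[MIC_OFFSET:MIC_OFFSET + 16])


def handshake_succeeds(ap_passphrase, sta_passphrase, ssid):
    """Run messages 1/2 of the 4-way handshake with constructed nonces and MACs."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
    anonce = hashlib.sha256(b"constructed ANonce").digest()   # stand-in for AP randomness
    snonce = hashlib.sha256(b"constructed SNonce").digest()   # stand-in for STA randomness
    # Supplicant: derive its PTK from the passphrase it was given and sign message 2.
    sta_kck = derive_ptk(derive_pmk(sta_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    msg2 = sign_msg2(build_msg2(snonce), sta_kck)
    # Authenticator: derive independently from its own PMK and check the MIC.
    ap_kck = derive_ptk(derive_pmk(ap_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return verify_msg2(msg2, ap_kck)


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())
    print(handshake_succeeds("password", "password", "IEEE"))
    print(handshake_succeeds("password", "passw0rd", "IEEE"))
```

Because the nonces and MAC addresses travel in the clear in messages 1 and 2, everything in this derivation except the passphrase is visible to anyone who captured the handshake; that is why the MIC check is exactly the point where a captured WPA-PSK handshake becomes an offline guessing problem, and why the page's advice to move enterprises to 802.1X, where no shared passphrase exists, matters.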
Honestly, I don't think I'm writing this well right now. It feels confused and muddled; maybe it is because I don't know how to write articles. I always want to write down everything I know, but some of it is too basic and some too cumbersome. I would like to write up the analysis of WPA/WPA2 and 802.1X data, but annotating hundreds of packets is not a small workload, and I do not have an 802.1X router in the dorm building. Maybe I'll write a separate article about that later. If you just want to use it and can make use of me, I can give you everything I know. It is a bit far-fetched, because the 802.11 protocol has too much and is too cumbersome. I'm a little stuck on that point too. Sorry.
Let me extend this with a little about 802.11 fuzzing.
Fuzzing is now a very popular way to find exploits; whether in web security or elsewhere, fuzzing is hot. Wireless fuzzing was popular a while ago but recently seems to have gone quiet, and information on it is few and far between. I'll mention it briefly.
Borrowing a foreigner's picture:
Actually, it is almost the same as an overflow explanation. The initial approach was to send a large number of SSIDs; if one exceeds the expected length, you get a crash. There are some other CVEs too, related to wireless drivers.
Someone has developed a fuzzing script for the 802.11 stack called wifuzz.
Https://github.com/0x90/wifuzz
It uses Scapy to generate the packets, so the environment needs Scapy installed.
First use airmon-ng to put the network card into monitor mode.
The following parameters correspond to the type of attack.
```bash
$ sudo python wifuzz.py -s admin auth
Wed Sep 28 10:38:36 2011 {MAIN} Target SSID: admin; Interface: wlan0; Ping timeout: 60; PCAP directory: /dev/shm; Test mode? False; Fuzzer(s): auth;
Wed Sep 28 10:38:36 2011 {WIFI} Waiting for a beacons from SSID=[admin]
Wed Sep 28 10:38:36 2011 {WIFI} Beacon from SSID=[admin] found (mac=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:38:36 2011 {WIFI} Starting fuzz 'auth'
Wed Sep 28 10:38:36 2011 {WIFI} [R00001] Sending packets 1-100
Wed Sep 28 10:38:50 2011 {WIFI} [R00001] Checking if the AP is still up...
Wed Sep 28 10:38:50 2011 {WIFI} Waiting for a beacons from SSID=[admin]
Wed Sep 28 10:38:50 2011 {WIFI} Beacon from SSID=[admin] found (mac=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:38:50 2011 {WIFI} [R00002] Sending packets 101-200
Wed Sep 28 10:39:04 2011 {WIFI} [R00002] Checking if the AP is still up...
Wed Sep 28 10:39:04 2011 {WIFI} Waiting for a beacons from SSID=[admin]
Wed Sep 28 10:39:04 2011 {WIFI} Beacon from SSID=[admin] found (mac=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:39:04 2011 {WIFI} [R00003] Sending packets 201-300
Wed Sep 28 10:39:18 2011 {WIFI} [R00003] Checking if the AP is still up...
Wed Sep 28 10:39:18 2011 {WIFI} Waiting for a beacons from SSID=[admin]
Wed Sep 28 10:39:19 2011 {WIFI} Beacon from SSID=[admin] found (mac=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:39:19 2011 {WIFI} [R00004] Sending packets 301-400
Wed Sep 28 10:39:42 2011 {WIFI} [R00004] recv() timeout exceeded! (Packet #325)
Wed Sep 28 10:39:42 2011 {WIFI} [R00004] Checking if the AP is still up...
Wed Sep 28 10:39:42 2011 {WIFI} Waiting for a beacons from SSID=[admin]
Wed Sep 28 10:40:42 2011 {WIFI} [!] The AP does not respond anymore. Latest test-case have been written to '/dev/shm/wifuzz-ek97nb.pcap'
```
Here "admin" is the SSID name and "auth" is the authentication fuzzer. At the end it discovers that the AP has crashed:
Wed Sep 28 10:40:42 2011 {WIFI} [!] The AP does not respond anymore. Latest test-case have been written to '/dev/shm/wifuzz-ek97nb.pcap'
wifuzz watches for beacon frames on its own; when they stop it assumes the target has crashed and writes out a PCAP with which to reproduce the crash.
In fact, Metasploit also has some fuzzer scripts built in. To fuzz with Metasploit, install the lorcon2 module, which is dedicated to wireless injection. The code on Google Code has been removed; if you want to do it yourself, you will have to set the environment variables on your own.
Use airodump yourself to get an STA's MAC. Because it is a beacon fuzz, it generates a large number of SSIDs.
You can see the ESSIDs on the channel. This shows the fuzzing has started.
That is all I can show of 802.11 fuzzing. There may be harder material I have not seen, such as driver-layer things, but I don't do that and have not focused on it.
Actually, there are still a lot of things I have not written down. They are in my head and I don't know how to write them. Maybe I am too lazy; people slip into laziness easily. If you want to exchange ideas, we can communicate with each other.
I am also very grateful for my two months in the Unicorn team. A year on, those two short months let me see my shortcomings and also clarified my direction; I'm going back to try to make up for them. Thanks to Ir0smith and Sweeper for their help in every respect during my time there. I still remember that on my first day Sweeper had me watch the Vivek Ramachandran videos; at the time I did not take them seriously, and later found them very hard, the Indian accent was a shock. But after several viewings I benefited greatly from understanding them. Thanks again to everyone who has helped me.
0x02 Reference documents
- Https://www.blackhat.com/presentations/bh-europe-07/Butti/Presentation/bh-eu-07-Butti.pdf
- Http://blog.chinaunix.net/uid-26366978-id-3253293.html
- Wireless_threats_practical_exploits.pdf
- http://www.sysvalue.com/en/heartbleed-cupid-wireless/
- Http://archive.oreilly.com/wireless/2002/10/17/peap.html