Vulnerability Development: Stealing NT passwords through WiFi?

Stealing NT passwords through WiFi?

From: Ugen <ugen_at_xonix.com>
Date: Wed, 19 May 2004 14:03:46 -0400

Microsoft supplicant for wireless connections supports either TLS (certificate) or PEAP using MS-CHAP v1 and v2 as modes of authentication. When using PEAP/MS-CHAP, it is designed to use regular NT login credentials. In various organizations the latter is being chosen as a de-facto standard due to "easy implementation".

So, here is what I am thinking:

- Attacker sets up his own access point and authentication server in a location away from the target organization. The condition is that one of the org. users visits that location with his/her mobile device, perhaps a local Starbucks, or even the user's own backyard.

- The AP advertises the same SSID as the org. wireless system. The authenticator server is equipped with a server certificate signed by one of the common cert. authorities, from the list that is present by default on a Windows installation, to pass the client's certificate check during PEAP initial connection.

- User's wireless device senses the presence of a known SSID and attempts to automatically connect to the network.

- The rogue authenticator server challenges the wireless device by MS-CHAP v2. Potentially, they may request MS-CHAP v1 and/or craft the session key to simplify subsequent cracking of the password.

- The wireless device responds and the authenticator "denies access", left with a copy of the encrypted password hash. The process may be repeated with different session keys, and a number of times.

In the end, the user is never prompted or notified of any communication (save for some blinking of the wireless card "Link" LED). The attacker is left with a user ID and password hash to be broken.

Does it make sense to anyone else?
--Gene
Received on May 19 2004
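The defender-side counterpart to the scenario above is to check whether the client profile actually pins the authenticator, since every step in the post relies on the client accepting any certificate from a default-trusted CA and auto-connecting to the SSID. The following audit script is an added example and is not part of the original post; it reads a Windows WLAN profile XML (the shape `netsh wlan export profile` emits on current Windows, as I recall it) and reports the gaps. The element names `PerformServerValidation`, `TrustedRootCA`, `ServerNames`, `UseWinLogonCredentials` and `connectionMode` are assumptions about that schema and should be verified against a real export; the sample profiles and the thumbprint are constructed.

```python
"""Audit a Windows WLAN profile XML for the PEAP/MS-CHAPv2 rogue-AP exposure.

Added example, not from the original post. Element names follow the layout of
`netsh wlan export profile` as I recall it (assumption: verify against a real
export). Namespaces are ignored so per-section namespaces in real exports do
not matter.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}ServerNames' -> 'ServerNames'."""
    return tag.rsplit("}", 1)[-1]


def _find(node: ET.Element, name: str) -> Optional[ET.Element]:
    """First element (node itself or a descendant) with that local name."""
    for el in node.iter():
        if _local(el.tag) == name:
            return el
    return None


def _text(node: Optional[ET.Element], name: str) -> str:
    """Lower-cased, stripped text of the first matching element, or ''."""
    el = _find(node, name) if node is not None else None
    return (el.text or "").strip().lower() if el is not None else ""


def audit_profile(xml_text: str) -> List[str]:
    """Return findings for a PEAP profile; an empty list means the
    authenticator is pinned and a rogue server fails the TLS check."""
    root = ET.fromstring(xml_text)
    method = _find(root, "EapMethod")
    if _text(method, "Type") != "25":  # 25 = PEAP (IANA EAP method type)
        return []  # other outer methods are out of scope for this check
    findings: List[str] = []
    if _text(root, "PerformServerValidation") != "true":
        findings.append("server certificate validation disabled: any authenticator is accepted")
    else:
        if not _text(root, "TrustedRootCA"):
            findings.append("no trusted root CA pinned: any default-trusted public CA satisfies the check")
        if not _text(root, "ServerNames"):
            findings.append("no server name restriction: any subject on a CA-signed certificate is accepted")
    if not findings:
        return []
    # Amplifiers: only meaningful once the authenticator is not pinned.
    if _text(root, "connectionMode") == "auto":
        findings.append("profile auto-connects to this SSID, so no user action is needed")
    if _text(root, "UseWinLogonCredentials") == "true":
        findings.append("inner MS-CHAPv2 uses the Windows logon credentials")
    return findings


def make_profile(validate: bool, root_ca: str, server_names: str, auto: bool) -> str:
    """Build a constructed profile in the shape of a netsh export (namespaces trimmed)."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wifi</name>
  <SSIDConfig><SSID><name>corp-wifi</name></SSID></SSIDConfig>
  <connectionMode>{'auto' if auto else 'manual'}</connectionMode>
  <MSM><security><OneX><EAPConfig><EapHostConfig>
    <EapMethod><Type>25</Type></EapMethod>
    <Config><Eap><Type>25</Type><EapType>
      <ServerValidation>
        <ServerNames>{server_names}</ServerNames>
        <TrustedRootCA>{root_ca}</TrustedRootCA>
      </ServerValidation>
      <Eap><Type>26</Type><EapType>
        <UseWinLogonCredentials>true</UseWinLogonCredentials>
      </EapType></Eap>
      <PeapExtensions>
        <PerformServerValidation>{'true' if validate else 'false'}</PerformServerValidation>
      </PeapExtensions>
    </EapType></Eap></Config>
  </EapHostConfig></EAPConfig></OneX></security></MSM>
</WLANProfile>"""


# Constructed placeholder thumbprint; a real profile carries the org's own CA.
PLACEHOLDER_THUMBPRINT = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"

# The "easy implementation" profile from the post: validation on, nothing pinned.
WEAK_PROFILE = make_profile(validate=True, root_ca="", server_names="", auto=True)
# Pinned authenticator: a CA-signed cert from a rogue server does not pass.
HARDENED_PROFILE = make_profile(validate=True, root_ca=PLACEHOLDER_THUMBPRINT,
                                server_names="radius.corp.example", auto=True)

if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(prof) or ["no findings"])
```

The two constructed profiles differ only in the `ServerValidation` contents: the weak one is what the post calls the de-facto standard (validation nominally on, but any default-trusted CA and any server name accepted), and the hardened one names the org's RADIUS server and pins its CA thumbprint, which is the check that makes step two of the scenario fail.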
