Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 15

By Steven Darracott ·

In this blog series, members of Optiv’s attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:

csc-15

CSC 15: Wireless Access Control

The Control
The processes and tools used to track, control, prevent and correct the security use of wireless local area networks (LANs), access points and wireless client systems.

The Attack
With the ubiquity of wireless technology on the rise, it often is overlooked as a critical piece of network security for an organization. There are many different ways to protect a wireless network from unauthorized users, and these security controls are getting easier to bypass each year. Since every organization has different needs, it can be difficult to point to one solution as the most secure implementation of wireless access controls. No matter the authentication mechanism in place, most organizations tend to forget about wireless security after the initial deployment.

The following scenario will demonstrate a common and what appears to be a secure configuration many organizations use for securing wireless networks and how it can be breached.

Airodump, part of the aircrack-ng suite, is a tool that passively gathers information on nearby wireless networks. Note how the tool quickly scanned for wireless networks and identified the type of encryption in use, the authentication mechanism in use and the number of clients probing for access to wireless networks.

Upon reviewing the packet capture in Wireshark, a few more details regarding the target network are uncovered. 

From the above passively gathered information, it can be determined that the target network is using WPA2 (AES) for encryption and 802.1x with EAP-PEAP for authentication. 

At first glance, it appears this configuration is a good example of how to properly implement wireless network security for any organization, as this does not use a pre-shared key like in WPA2-PSK implementations and is backed by RADIUS and domain credentials. However, there are two radios in all wireless communication. What is commonly overlooked is the configuration and security of the devices connecting to a wireless network.

To demonstrate this attack, an evil twin wireless access point will be used. An evil twin is a wireless access point that attempts to mimic the legitimate network to coerce unsuspecting users into unknowingly connecting to it. FreeRADIUS, with 802.1x authentication, will be used to capture the credentials of victim users. Airodump output is shown below as it scans the evil twin access point.

In comparing it with the first airodump screenshot, there are very little differences. Below demonstrates how it appears on the real targets of this attack, the client device.

While it should be noted that generating a fake certificate to mimic the company’s legitimate certificate  could aid in hiding this attack from the security conscious users who may examine certificates before connecting, it is not a requirement for this attack to work. From looking at the screenshots taken from an iPhone, it is very easy to see that the certificate has not been signed by the organization’s certificate authority. If a user looked at the certificate before connecting to the access point, the individual would be able to determine this as a fake access point. Since this is an easy thing to spot, why is this so often a viable attack vector for wireless networks? The reason is simple: mobile devices will connect to the access point automatically.

For convenience, manufacturers have included features in mobile devices for maintaining access to wireless networks to prevent users from using their data plans when they have Wi-Fi available. Features like this are dangerous because without manually validating certificates a device will automatically connect to an evil twin access point.

Under normal conditions, EAP-PEAP will establish a TLS tunnel first only requiring a cert on the radius server to secure the authentication against eavesdropping. After the initial outer tunnel is established, an inner EAP authentication takes place that can be EAP-GTC, EAP-MSCHAPV2, EAP-SIM or EAP-TLS depending on what the client and radius server support.

When client devices pass credentials to an untrusted radius server, they should be protected by the inner EAP authentication encryption or hashing mechanisms in place. However, since an attacker controls the RADIUS server configuration, the attacker can also downgrade the inner authentication mechanism to Extensible Authentication Protocol Generic Token Card (“EAP-GTC”). EAP-GTC is an authentication protocol developed by Cisco as an alternative to EAP-MSCHAPv2 and transmits passwords in cleartext (still within the encrypted EAP-PEAP tunnel). Based on security research conducted by Torinson, The Windows operating system does not support EAP-GTC, but mobile devices including Android and iPhone are susceptible to EAP-GTC downgrade authentication attacks and can be influenced to provide cleartext authentication credentials. This attack is especially lethal for organizations using a Bring Your Own Device (“BYOD”) rule to allow employees to connect their mobile devices to the organization’s wireless networks.

Another common flaw with EAP-PEAP client implementations is when they are configured to pass usernames over the air. An attacker passively gathering wireless traffic can see usernames in cleartext, as they are transmitted prior to initializing any encryption. 

To demonstrate how this looks from the attacker’s perspective, let’s examine what an authentication attempt to the evil twin access point from an iPhone looks like.

The RADIUS logs show the authentication and association attempts, along with the user’s cleartext credentials.

It is important to note that this attack is run against client devices. This allows anyone sniffing wireless traffic to potentially create their own evil twin access point and gather credentials without user interaction. This can happen anywhere the mobile device happens to be, such as an airport, shopping mall, etc.

After capturing valid network credentials, an attacker can authenticate to the wireless network as a legitimate user. Most organizations use a RADIUS server connected to Microsoft’s Active Directory meaning that these credentials are also valid for their VPN or Outlook Web Application (“OWA”) services available on the Internet. This allows a malicious actor to gain access and pivot through machines while appearing as legitimate user traffic.

The Solution
To mitigate the risk of this attack, multiple steps need to be taken. First, implement a stronger form of authentication. Utilizing username and password authentication, as demonstrated above, can easily be intercepted. Using EAP-TLS with certificates for authentication greatly mitigates this attack vector. A device-level access control list should also be used, as it ensures that only approved devices using approved certificates are allowed to connect to the network.

Additionally, a defensive measure that could prevent this attack is to ensure that wireless clients validate the server certificate, to prevent wireless clients from connecting to potential evil twin wireless networks. For mobile devices that are not managed by the organization, such as in a BYOD program, this can be difficult to enforce on every device.

In conclusion, it is easy to see how some wireless network security controls appear secure on the surface. However, upon taking a closer look at the underlying technologies, their vulnerabilities and how easily they can be exploited, it becomes clear that things are not as secure as they were at first glance. Staying up to date with the most recently released encryption schemes becomes paramount in securing your wireless infrastructure. Aside from securing the wireless access points and authentication mechanisms in an organization, an equal amount of effort should go into securing your wireless client devices and educating users. Ensure only devices that need to be on the network have access and users are validating certificates before connecting to a known network. 

The next post will cover CSC 16: Account Monitoring and Control.

Steven Darracott

Security Consultant

Steven Darracott is a consultant in Optiv’s advisory services practice on the attack and penetration team. Steven’s role is to provide network penetration testing to determine vulnerabilities and weaknesses in customer networks and environments. He specializes in wireless infrastructure attacks of customer networks.