Short paper: exploiting WPA2-enterprise vendor implementation weaknesses through challenge response oracles

Many of today's enterprise-scale wireless networks are protected by the WPA2-Enterprise Protected Extensible Authentication Protocol (PEAP). In this paper it is demonstrated how an attacker can steal a user's credentials and gain unauthorized access to such networks, by utilizing a class of vulnerable devices as MSCHAPv2 challenge response oracles. More specifically this paper explains how on these devices, Lightweight EAP (LEAP) MSCHAPv1 credentials can be captured and converted to PEAP MSCHAPv2 credentials by using a rogue Access Point. This man-in-the-middle vulnerability was found to be present in all current versions of Apple's iOS and OS X operating systems, and may impact other devices as well. A proof-of-concept implementation is available that shows how Authentication Server certificate validation and certificate pinning mechanisms may be bypassed. Mitigation strategies for the attack and protective actions which can be undertaken by end-users are also described in this paper.

[1]  Lee G. Cooper,et al.  Market-Share Analysis , 1988 .

[2]  Glen Zorn,et al.  Microsoft PPP CHAP Extensions , 1998, RFC.

[3]  Bruce Schneier,et al.  Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) , 1999, CQRE.

[4]  Glen Zorn,et al.  Microsoft PPP CHAP Extensions, Version 2 , 2000, RFC.

[5]  Matthew S. Gast,et al.  802.11 Wireless Networks: The Definitive Guide , 2002 .

[6]  Valtteri Niemi,et al.  Man-in-the-Middle in Tunnelled Authentication Protocols , 2003, Security Protocols Workshop.

[7]  Glen Zorn,et al.  Protected EAP Protocol (PEAP) Version 2 , 2004 .

[8]  John C. Mitchell,et al.  Analysis of the 802.11i 4-way handshake , 2004, WiSe '04.

[9]  Matthew S Gast 802.11 Wireless Networks: The Definitive Guide, Second Edition , 2005 .

[10]  Giac Security Essentials Wireless Intrusion Detection Systems , 2005 .

[11]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.

[12]  Tim Dierks,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008 .

[13]  Damon McCoy,et al.  Mitigating Evil Twin Attacks in 802.11 , 2008, 2008 IEEE International Performance, Computing and Communications Conference.

[14]  Volker Roth,et al.  Simple and effective defense against evil twin access points , 2008, WiSec '08.

[15]  Dong Xuan,et al.  Link-layer protection in 802.11i WLANS with dummy authentication , 2009, WiSec '09.

[16]  Sam Hartman,et al.  Extensible Authentication Protocol (EAP) Mutual Cryptographic Binding , 2013, RFC.

[17]  ibrahim hassan alshurbaji,et al.  Wireless Intrusion Detection Systems , 2013 .

[18]  Guevara Noubir,et al.  A Practical, Targeted, and Stealthy Attack Against WPA Enterprise Authentication , 2013, NDSS.

[19]  Sean Turner,et al.  Transport Layer Security , 2014, IEEE Internet Computing.