JOSHUA YAVOR: Hi, everyone, I'm Joshua Yavor. I'm from iSEC Partners and you're currently attending the BYOD PEAP Show.

Today we're going to be playing with the wireless here, specifically DEF CON Secure. It is not my fault that it is down right now. I had nothing to do with that. It helps us and makes it easier and makes me not have to blast you with that thing. We'll let you know when that's going to happen. It's completely voluntary. We've made it so it will likely only affect you guys, but who knows what everyone else is doing with the wireless. You'll have full warning. I encourage you to participate, because I know the credentials you used for DEF CON Wi-Fi are not the same as your Gmail at home, I hope. When the time comes it would be nice if you turn your phones on; I'll let you know.

So over the past five years or so, a perfect storm has been brewing. This perfect storm has three components, much like the perfect storm of '91 which you see the NOAA weather graph from. These started in 2008 at a single event, at DEF CON 2008, which we'll talk about, and the growth of BYOD.
And a talk last year here at DEF CON that made everything easy for what we're trying to do. Let's look at those.

In 2008 at ShmooCon, Joshua Wright and Brad shared a talk about how PEAP was misconfigured, and this worked with desktop systems. BYOD wasn't a thing yet and the iPhone was less than a year old. This was not on anybody's radar, that this would eventually affect BYOD and mobile devices. So this research included a tool called FreeRADIUS-WPE, and that's been a standard for network penetration tests ever since.

What Josh and Brad found was that by default the main configurations that were in use on desktop operating systems did not do certificate validation. There were some other findings within the research; I encourage you to look at it, but that's the thing we're going to leverage today. Because they didn't check the certificates, they had no way to know if the authentication server they were talking to was legitimate or rogue. So the result from this research was that desktop systems were changed.
There were upgrades and patches, there were security advisories that came out telling people how to configure things properly, and this has largely gone the way of the dinosaur as far as an issue. We still run across it once in a while, but typically it's largely mitigated at this time, at least in desktop operating systems.

One of the lessons that came out of that research at that time was the notion that a PEAP network can actually still be configured and be secure. And that's something that we're going to revisit today in light of the other two parts of the storm.

Then there's bring your own device. I have to apologize for how many times I'm going to say that buzzword, but know that when I say bring your own device, I'm not just talking about BYOD as in its true definition, which is users actually bringing the devices that they own. The research and the tools and techniques we're going to talk about also work against mobile deployments within a corporation. So, if your business buys you an Android device or an iPhone or a BlackBerry, these attacks can still work against you. It's not just the devices that users bring that they personally own.

So BYOD is huge.
I don't think I need to talk too much about that. What's been really amazing is how fast it's grown in the past five years. So it's just, yeah, it's absolutely crazy. It's grown so fast that metrics that are reliable are really difficult to find. So the best I can give you is that anywhere between 60 and 85% of companies support BYOD in some shape or form. Whether or not that means, hey, we give you an open Wi-Fi, or we set up WPA Enterprise with PEAP, is hard to tell, and there are no real hard numbers we can give you. There's also the issue where we don't really know what the definition of BYOD is when we're trying to collect metrics, because that definition changes between environments and based on who's actually collecting those metrics.

What we can tell you is that in BYOD deployments that support WPA2 Enterprise, the vast majority of those deployments use PEAP for the authentication protocol. And we'll go into a little bit more detail as to why that is in a few minutes. But just know that by and large, that is the most common WPA2 Enterprise authentication protocol, which is why it was the juiciest target.
And the third part of our storm, and the most recent, was Moxie's research last year that was presented here at DEF CON, at DEF CON 20, and his associated product called CloudCracker.

So CloudCracker, for those of you who might not have heard about this or weren't here last year, is a commercial service that's available now. Through Moxie's research, where he was able to reduce the strength of MS-CHAPv2 challenges and responses, he was actually able to work with some other guys to come up with some heavy-duty computing systems that are available online now that guarantee that they can crack an MS-CHAPv2 credential challenge/response in 24 hours or less for 100 bucks.

And so, if you think about the companies that tend to use BYOD deployments, they tend to have a lot of users. That would be a network that I'd really like to get on. So 100 bucks is really not that much money when we're talking about a type of credential that will get me on a network. While we're talking about that credential, it's important to know it's not just some random user name and password that that person is using for logging on to the network.
That's typically because of the way deployments work: these are typically AD creds, domain creds that get you into VPN, e-mail and any other services that are managed through Active Directory or the equivalent. So this is a credential that we'd really like to have, and that makes it much more likely that someone is going to be willing to spend the 100 bucks in order to get that. Also don't forget, if it's a weak password, you can also crack it locally.

All right. I'm going to spoil the rest of my talk here. So I'm going to tell you everything that we want you to walk away from this talk with.

So on paper PEAP should work. As long as everything is perfectly configured, PEAP should work. If all the devices validate the certificate, everything's going to be okay. But that doesn't actually happen in real-world deployments. Even when you have a multimillion-dollar company with a huge and really expensive and really fancy mobile device management system, or MDM, those networks still have the same issue. And we know that because we've worked with those organizations. And we found this issue.
And so this isn't something that you can say just flat out, that, you know, it's going to always be okay if you configure everything properly, and we'll talk about why that is later as well. The impact is staggering if you know who could be affected.

The organizations that use BYOD are growing; the vast number of organizations that are using BYOD are growing. And over the next few years it's expected that we're going to get closer and closer to 80-90% acceptance, and that means that by default we're going to see the use of WPA2 Enterprise increase as security becomes more of a concern with mobile devices and as mobile devices need more access to internal network assets. That's something that we're seeing with the development of more mobile-to-mobile applications that integrate with more of what used to be traditionally only internal or non-mobile internal assets and services.

If you support one of these networks, first of all, I did come prepared. I have two motion sickness bags if you need to come up and get one. They're right here.

(Applause.)

JOSHUA YAVOR: So the impact is enormous and there is no corrective action that's going to fix this really easily. But we need to start working on it immediately.
We'll have some ideas as we start to wrap up near the end here on what you can do to actually fix this issue if you're in the position of needing one of those.

The key thing that damages the assertion that PEAP can work is that the users are in complete control. All I need to know is my user name and password to get a mobile device on the network. I don't know about you, but if I was running the wireless network for an organization that had 10, 20, 30,000 users, I'm not going to trust all of them to know how to configure their devices right. And even if I configure their devices right for them and hand it to them, nothing stops them from bringing on their own mobile device, because they know how to connect, because it's just their user name and password.

So here's the bottom line. Again, vomit bags up here. On defense, this is bad news. We'll go through some things that you can do to make this a little better. But it's going to take a while for this to be fixed and for these issues to go away.

(Applause.) Fucking A right, Lafoy, now that is rocking. What's this called? "Shot the n00b," thank you very much. Why are we doing it?
First-time speaker. Who do we need on stage? Someone for whom this is their first time at DEF CON. All right, this guy over here. Thank you. Yeah.

So, good question. Only the second person who's asked that. (Off mic.) So, are the speaker goons doing a shot in every track for every new speaker? The answer is yes. How many is that during this DEF CON? We have way freaking lost count. There is no chance we know that number. Think about it this way. Wait, we're almost ready. It's 4-6 an hour since 10:00 a.m. every day.

(Applause.) We're here for you! All right. To our new speaker and our new attendee.

(Applause.)

JOSHUA YAVOR: All right, if you happen to be on the other side of the fence, you should be happy. This is an appropriate crowd to share both those images. The barrier to entry to gain local access to a wireless network has been drastically lowered, and the credentials that are exposed to the Internet is also reduced, and you don't really need that much equipment to do that.
There are some people who disagree, and this dates back to right after Moxie's talk last year. Some of the things you'll find, and there's lots of follow-up after Moxie's talk last year, mainly about the VPN issue but also WPA2 Enterprise with PEAP; there was a lot of response from technical writers and people interested in security. Some of it is absolutely right, but some of it I tend to disagree with as well.

So like I said earlier, it is completely true that a perfectly configured PEAP deployment is going to be just fine. But that never happens in reality. So what we're going to see is that we're going to rely on the same people who did the same follow-up last year after Moxie to hopefully help come up with better deployment guides and configuration guides, because we typically still see these issues in pen tests with mobile devices where some features that exist within mobile platforms aren't being used. A good example that comes to mind is iOS profiles. Those can be installed on phones, and that makes it really easy to deploy things. Deploy configuration, including WPA2 Enterprise configuration.
So that's one of the things that we're going to rely on: the people who a year ago were saying this isn't a problem to then turn around and say, hopefully, this is a problem, let's figure out some more solutions on how to fix it easier.

So let's talk about some of the risks. These are broad generalizations just to kind of give you a decent overview; of course it drastically differs from site to site and organization to organization. But typically, we find that for individual users, the chances of you being targeted and the chances of you really caring that much if your work e-mail is compromised. Chances are, if that's a device the employer handed to you, you can say, hey, that's not my problem, I didn't configure it. The user experience varies. In the type of attack we'll talk about in a few minutes you'll see why that is. There are certain attack methodologies you can use to target really high-profile users. So let's say, for example, that you knew that a few CEOs from a group of companies were going to be in a certain location; the type of attack we're going to talk about shortly would be a lot easier and more impactful.
The smaller organization, and I'm talking about smaller in both size and IT resources, will also tend to have a smaller... in numbers of people, not resources; a smaller number of people will likely have lower risk. And that's primarily because you have fewer devices that you need to actually configure. If you're a mom-and-pop shop that uses WPA2 Enterprise with PEAP, well, first, kudos to you for configuring that on your own. But you probably have your hands on every single one of those devices every single day and probably make physical contact with every person that carries one of those devices. So it's probably going to be easy to manage. The twist to that is once you get into small and medium-size full-grown businesses that lack those IT resources to come up with a full-fledged MDM solution, we see they're much more likely to be vulnerable. If you have a user base that doesn't change very much, you're going to have an easier time configuring and managing those devices regardless of your MDM solution, or whether you have one or not. The higher risks are to the internal network assets that exist within the network that can then be compromised with those credentials.
Large organizations with more users of course have more users that are likely to have misconfigurations. I'll share metrics from my testing experience a little later. And of course the more phones and devices you have coming in and out, the more likely you are to make mistakes.

And this configuration is everywhere. One of the things I wanted to point out is a public example that we can share. I'm not going to call out any individual universities or public education institutions; you can do that yourself. It's really easy. Because those types of organizations have to support so many users, and their IT help desk staff is typically just swamped regardless of trying to manage the WPA2 Enterprise, they tend to put all their instructions for accessing the wireless network online, which private companies tend not to do. But if you can see their wikis, like if you go back to your employer and you want to check to see what the likelihood of your organization being vulnerable to this type of attack is, check your internal wiki that tells you how to configure your devices if you have a BYOD policy at your employer.
And that will tell you pretty quickly whether or not you're going to have an issue. And we'll show you what that looks like.

So this is taken from one of the universities in that search result. And typically what we find is that the instructions are super old. Really old versions of Android, BlackBerry, the Windows phone before; Windows Mobile is on there too often. And what we see as well is either the user is explicitly told not to install a certificate, or they don't say anything about the certificate and just put up a screenshot like this. So that's the configuration I need and what I'm going to go with.

And we still see that for Windows as well. Even today, even after Brad and Josh's talk in 2008, we still see publicly available information from the authority for a network telling users not to validate the certificate, and you see that in the "other settings" comment at the bottom there. So that's pretty scary. So we have a lot of catching up to do, even from 2008. But now we have to catch up even faster because BYOD is growing so much.

So why PEAP? Well, this shows a little bit of it.
So, PEAP and EAP-TLS. EAP-TLS requires mutual authentication. So the user validates that, hopefully, and sends their own certificate back. So it's not actually using AD creds. EAP-TLS and PEAP are the two most widely supported EAP types across platforms, as well as desktop operating systems. It used to be that the Wi-Fi Alliance required support for EAP-TLS if you were going to be WPA2 Enterprise certified. That's no longer true. I think that changed back in 2005 or 2006. I wasn't quite able to get an exact date on that. But what you see is that PEAP is the most widely supported across mobile devices. So, if your goal is to just support as many devices as you can, truly be a BYOD organization, then PEAP is a very attractive option. It's also much easier to configure. Because I don't know about you, but I know that, like, my mom doesn't know how to actually download and install a client certificate. I mean, it's hard enough trying to tell her how to find a PDF that she downloaded on her mobile operating system. That can be tricky, and trying to manage a certificate and get that on the device securely, especially for device platforms that don't support MDM solutions or that don't have a robust integration with them, that can be troublesome.

There are many other EAP types. But the other ones that you see on the screen are the ones supported by those devices or not.

So really quick, just for a few people who might not be familiar with WPA Enterprise and the difference, why we use that versus a shared key or open, we'll talk about that. It's about access control granularity. In an open network, it's open. We get that. With WPA2 you just need one shared key, the passphrase. And everybody knows it. And that's great for, like, your family network and what you go home to.
But as an organization grows and you get 100, 200, thousands of users, it gets pretty bulky and cumbersome, because what ends up happening, unlike WPA2 Enterprise where each individual user has a user name and password or some other credential that associates that device to that user, when we actually have a compromise of those credentials, or let's say it's not a compromise, let's say somebody leaves an organization and we don't want them to know the password, it becomes an issue. Because in WPA2 what you have to do is change the password of the Wi-Fi network and change that setting on every single one of your wireless devices, and that does not scale well, and that's why WPA2 Enterprise is used so widely in large organizations. Because at that point all you have to do is lock a single account and you're good.

So let's talk about where these issues actually lie, and this will build up the path to talking about the actual exploitation methods.

There's a request for the user name, the identity; the identity is then given back. That's actually outside of directly speaking to the RADIUS server as far as establishing a secure tunnel.
So regardless of whether or not you have a rogue or real access point, an access point with a rogue or real RADIUS server behind it, you can still get the user name of the person that's trying to connect their device. That's something we've known for a really long time. It's just fun to know.

So, outer authentication, and this is what was broken by Brad and Josh. So that identity goes to the RADIUS server; the RADIUS server then sends back a certificate. The client is supposed to validate that certificate, but in order to do that, it just has to have either that certificate pinned already or it has to have a trusted root for the CA identified. And we'll get more into that later. But that establishes the secure tunnel, and inside that secure tunnel is where Moxie comes in. Now that that secure tunnel has been established, there's an access challenge that comes from the RADIUS server to the mobile device and a challenge response that goes back from the mobile device to the RADIUS server. That's the part where, if you can get a mobile device to connect to you, even with an invalid certificate, the fact that you can capture those challenges means you can reverse that using Moxie's tools and research.
400 00:22:51,999 --> 00:22:55,375 Mobile platforms and talk about how they differ. 401 00:22:55,375 --> 00:22:58,167 What's really interesting in doing research and live testing 402 00:22:58,167 --> 00:23:02,125 with organizations is that none of the mobile device platforms 403 00:23:02,125 --> 00:23:03,999 are perfect. 404 00:23:05,292 --> 00:23:09,542 Some are better, some are worse, but it's a really diverse set 405 00:23:09,542 --> 00:23:13,542 of support and features for WPA2 Enterprise. 406 00:23:13,626 --> 00:23:16,834 One thing we want to note is that remember that I'm not saying 407 00:23:16,834 --> 00:23:19,667 that one platform is more secure than the other over all, 408 00:23:19,667 --> 00:23:23,417 we're specifically just talking about WPA2 Enterprise. 409 00:23:23,792 --> 00:23:27,501 We're going to talk about the four major platforms, 410 00:23:27,501 --> 00:23:31,999 Android, BlackBerry, iOS, and Windows Phone 8. 411 00:23:32,999 --> 00:23:36,999 So for Android, Android has the largest user base just 412 00:23:36,999 --> 00:23:39,999 in the population worldwide. 413 00:23:40,167 --> 00:23:44,083 What's difficult to find metrics on is in organizations that support 414 00:23:44,083 --> 00:23:46,667 BYOD is how many users are using Android 415 00:23:46,667 --> 00:23:51,501 versus iOS, that data is not readily available at this time. 416 00:23:51,501 --> 00:23:55,834 But from the experience I've had doing tests at different environments iOS 417 00:23:55,834 --> 00:23:58,876 and Android from the organizations I've worked 418 00:23:58,876 --> 00:24:03,542 with are probably about 50/50, 60/40, somewhere in there. 419 00:24:04,751 --> 00:24:07,459 So Android supports those. 420 00:24:08,417 --> 00:24:13,083 What's interesting for configuring WPA2 Enterprise 421 00:24:13,083 --> 00:24:19,709 is it's reused between EAP TLS and all the other EAP types.
422 00:24:21,999 --> 00:24:25,209 It made it easy because nothing is going to move 423 00:24:25,209 --> 00:24:28,667 around but people actually tend to start to ignore 424 00:24:28,667 --> 00:24:31,959 the certificate configuration part if they don't 425 00:24:31,959 --> 00:24:37,501 if they're not specifically told what they're supposed to do with it. 426 00:24:37,501 --> 00:24:39,334 You can see I'm configuring my device here following 427 00:24:39,334 --> 00:24:43,167 the instructions we found on the college's Web site. 428 00:24:45,083 --> 00:24:52,083 By default if I click on the certificate, there's nothing available to me. 429 00:24:52,083 --> 00:24:53,709 That's both good and bad. 430 00:24:53,999 --> 00:24:56,209 It's good because public CAs can be used 431 00:24:56,209 --> 00:24:59,459 but there's some drawbacks to using public CAs 432 00:24:59,459 --> 00:25:02,999 for authenticating the RADIUS server. 433 00:25:03,209 --> 00:25:08,167 The reason that can be a challenge is because mobile devices don't validate 434 00:25:08,167 --> 00:25:11,626 the CN name in the certificate. 435 00:25:11,999 --> 00:25:18,709 Let's say they use Trustwave for your or VeriSign for your certificate. 436 00:25:18,709 --> 00:25:20,709 That means all of your mobile devices are going 437 00:25:20,709 --> 00:25:22,792 to have that root CA as the trusted CA 438 00:25:22,792 --> 00:25:25,083 for your wireless network. 439 00:25:26,209 --> 00:25:30,792 All I need is a certificate from one of those public CAs and they're public so 440 00:25:30,792 --> 00:25:34,209 I'm going to spend 100 bucks, 150 bucks, something like that 441 00:25:34,209 --> 00:25:37,792 and then I can then potentially get your devices to connect 442 00:25:37,792 --> 00:25:40,959 to me and I'll pass that validation. 443 00:25:41,250 --> 00:25:42,834 It's good and bad.
444 00:25:42,834 --> 00:25:47,375 This selects you from public CAs by default but didn't prompt you 445 00:25:47,375 --> 00:25:53,209 to connect with the RADIUS server and see what the certificate is or 446 00:25:53,209 --> 00:25:57,999 to install one that's available externally. 447 00:26:03,834 --> 00:26:07,459 Inside Phase II that leads to misconceptions outside the scope 448 00:26:07,459 --> 00:26:10,417 of what we're talking about here. 449 00:26:10,417 --> 00:26:13,876 Let's say when you're doing testing and Android devices are misconfigured 450 00:26:13,876 --> 00:26:17,375 you can see silly things come across the network. 451 00:26:21,375 --> 00:26:22,999 On to iOS. 452 00:26:22,999 --> 00:26:24,125 iOS has a strong business presence, parts 453 00:26:24,125 --> 00:26:26,792 of that from the feedback I've received comes 454 00:26:26,792 --> 00:26:30,959 from their configurability especially from iOS profiles that can be pushed 455 00:26:30,959 --> 00:26:32,999 out to the devices. 456 00:26:33,999 --> 00:26:36,792 The PEAP configuration is straightforward. 457 00:26:36,792 --> 00:26:38,751 You enter your user name and password. 458 00:26:38,792 --> 00:26:42,167 It actually prompts you to validate the certificate. 459 00:26:42,167 --> 00:26:43,999 It's a trust on first use approach. 460 00:26:44,209 --> 00:26:47,375 So the user is actually shown a certificate. 461 00:26:47,375 --> 00:26:49,375 It says not verified if it's not in one of the installed CAs 462 00:26:49,375 --> 00:26:51,876 within the operating system. 463 00:26:51,999 --> 00:26:54,999 And before you accept it, you can actually take a look 464 00:26:54,999 --> 00:26:56,792 at the details. 465 00:26:56,792 --> 00:26:58,417 And this way you can see whether it's 466 00:26:58,417 --> 00:27:02,083 the default service that comes with RADIUS EAP or what you're 467 00:27:02,083 --> 00:27:05,083 expecting from your organization.
468 00:27:05,083 --> 00:27:08,083 Users are terrible at figuring that out but often times 469 00:27:08,083 --> 00:27:11,626 if the organization says, for example, Inc. 470 00:27:11,626 --> 00:27:13,459 and you're expecting it's going to be your business's certificate, 471 00:27:13,459 --> 00:27:16,083 hopefully, that's going to raise a flag. 472 00:27:17,999 --> 00:27:21,999 BlackBerry: And I do apologize for the screen shots. 473 00:27:21,999 --> 00:27:25,792 It's not easy to get a screen capture out of an old BlackBerry. 474 00:27:26,083 --> 00:27:29,167 So BlackBerry actually has a lot of different EAP types that 475 00:27:29,167 --> 00:27:30,999 they support. 476 00:27:31,083 --> 00:27:33,667 They have the most of any of the mobile platforms. 477 00:27:33,918 --> 00:27:37,918 Not all EAP types are created equal though and only a handful 478 00:27:37,918 --> 00:27:40,209 of them remain secure. 479 00:27:40,667 --> 00:27:43,584 And if you want more information on that, Josh and Brad's research goes 480 00:27:43,584 --> 00:27:45,999 into a lot of details there. 481 00:27:45,999 --> 00:27:47,959 So this is both good and bad. 482 00:27:47,999 --> 00:27:49,918 There's wide support on the platform for just 483 00:27:49,918 --> 00:27:53,999 about every EAP type you can find in a mobile environment. 484 00:27:54,459 --> 00:27:57,501 But again, some of those are not that great to use. 485 00:27:58,209 --> 00:28:00,999 The PEAP configuration is nice. 486 00:28:01,417 --> 00:28:05,250 In that if you see the blue bar at the bottom, you actually have 487 00:28:05,250 --> 00:28:07,999 to explicitly disable certificate validation 488 00:28:07,999 --> 00:28:10,999 if that's what you want it to do. 489 00:28:10,999 --> 00:28:14,792 By default, BlackBerry requires you to validate the certificate. 490 00:28:14,792 --> 00:28:18,125 You can't complete that configuration until you've either disabled it 491 00:28:18,125 --> 00:28:20,209 or given it a CA.
492 00:28:21,999 --> 00:28:26,876 But this one, BlackBerry, has all the public CAs available. 493 00:28:26,999 --> 00:28:29,999 Again, it's both good and bad, depends on your risk profile 494 00:28:29,999 --> 00:28:32,292 and things like that. 495 00:28:35,083 --> 00:28:38,999 Windows Phone 8 doesn't have a very large business presence 496 00:28:38,999 --> 00:28:40,667 right now. 497 00:28:40,667 --> 00:28:44,083 But since it comes from such a well known vendor and manufacturer, 498 00:28:44,083 --> 00:28:47,209 it's something worth talking about. 499 00:28:48,167 --> 00:28:52,417 The PEAP configuration is similar to iOS at the start where it's just 500 00:28:52,417 --> 00:28:54,999 a simple user interface. 501 00:28:54,999 --> 00:28:56,083 User name and password. 502 00:28:56,083 --> 00:28:59,667 But you'll notice that the validate server certificate option 503 00:28:59,667 --> 00:29:03,999 is at the very bottom and it's off by default. 504 00:29:04,083 --> 00:29:06,999 So that's something that makes it easy to click 505 00:29:06,999 --> 00:29:10,584 through without installing the certificate. 506 00:29:10,999 --> 00:29:12,999 In fact, you don't even see a certificate prompt or 507 00:29:12,999 --> 00:29:16,918 a place that you can enter a certificate until you turn that on. 508 00:29:18,999 --> 00:29:22,999 The certificates available on Windows Phone 8 are interesting. 509 00:29:23,083 --> 00:29:26,083 There's a small number which is good. 510 00:29:26,334 --> 00:29:28,083 The fewer CAs you trust the better. 511 00:29:28,083 --> 00:29:31,584 But they actually and this has nothing to do with security of the platform 512 00:29:31,584 --> 00:29:36,751 but I find it interesting that there are two expired certificates that it has. 513 00:29:36,999 --> 00:29:38,876 Odd, strange finding. 514 00:29:41,083 --> 00:29:43,959 So you understand now the different platform support 515 00:29:43,959 --> 00:29:45,999 for WPA Enterprise.
516 00:29:45,999 --> 00:29:48,083 You see that PEAP is the most widely supported 517 00:29:48,083 --> 00:29:49,999 and Oh, yeah. 518 00:29:50,083 --> 00:29:52,792 Just wanted to mention again that you saw 519 00:29:52,792 --> 00:29:57,167 on the table that Windows Phone 8 only supports PEAP not TLS 520 00:29:57,167 --> 00:29:59,667 or other EAP types. 521 00:29:59,709 --> 00:30:02,834 But now that we've gone through the different mobile platforms, 522 00:30:02,834 --> 00:30:04,999 you understand that the user experience varies 523 00:30:04,999 --> 00:30:07,584 and that's one of the reasons why it's so difficult 524 00:30:07,584 --> 00:30:10,959 to write instructions for your users to follow. 525 00:30:11,000 --> 00:30:12,626 If you're a university or other large organization 526 00:30:12,626 --> 00:30:13,999 for example. 527 00:30:14,334 --> 00:30:17,375 So the chances for misconfiguration are pretty high. 528 00:30:17,417 --> 00:30:21,999 Let's take a look at how we attack then. 529 00:30:21,999 --> 00:30:22,999 That's the fun part. 530 00:30:23,209 --> 00:30:25,125 When I'm telling you about these things 531 00:30:25,125 --> 00:30:27,667 in the traditional network, we're going 532 00:30:27,667 --> 00:30:32,042 to be using some anonymized data about some real life attacks we were able 533 00:30:32,042 --> 00:30:36,417 to do as we get into the more exotic and fun attacks. 534 00:30:36,417 --> 00:30:40,417 There will be some hypothesized things based on some other fun stuff. 535 00:30:40,542 --> 00:30:43,959 A traditional attack is a rogue access point. 536 00:30:43,999 --> 00:30:46,083 All you need is a laptop really.
537 00:30:46,083 --> 00:30:49,999 My setup up here, we'll talk about that later but I'm using 538 00:30:49,999 --> 00:30:55,751 a regular router and another Wi-Fi card and antenna because I expected 539 00:30:55,751 --> 00:30:59,918 a lot more pushback from the audience and hostility 540 00:30:59,918 --> 00:31:04,999 of the wireless network here, but it turns out we might not run 541 00:31:04,999 --> 00:31:07,999 into any problems there. 542 00:31:09,709 --> 00:31:12,459 Now since I said that, I see all the laptops coming on. 543 00:31:12,459 --> 00:31:15,083 That would be good for me, I'd really like that now actually 544 00:31:15,083 --> 00:31:17,250 in a few more minutes. 545 00:31:17,334 --> 00:31:20,334 A traditional attack is just like trying to capture somebody 546 00:31:20,334 --> 00:31:25,083 on an open Wi-Fi network with a Pineapple or something like that. 547 00:31:25,667 --> 00:31:28,083 The best way to perform these attacks 548 00:31:28,083 --> 00:31:31,083 is to broadcast as an access point connected 549 00:31:31,083 --> 00:31:33,417 to a RADIUS server. 550 00:31:33,417 --> 00:31:35,918 The de facto standard is FreeRADIUS-WPE right now 551 00:31:35,918 --> 00:31:39,999 but we'll talk about other tools that do that as well. 552 00:31:40,083 --> 00:31:43,999 I'll broadcast the SSID, network name of company X and the best way 553 00:31:43,999 --> 00:31:48,751 to do this attack is actually not to be on site at company X, what you want 554 00:31:48,751 --> 00:31:51,792 to do is go to someplace where you're going 555 00:31:51,792 --> 00:31:56,209 to find their employees and users but away from their wireless networks 556 00:31:56,209 --> 00:32:00,834 and that's for multiple reasons, first, it makes it easier to get them 557 00:32:00,834 --> 00:32:04,167 to associate with you because then you're not fighting 558 00:32:04,167 --> 00:32:08,999 the broadcast and the power of the other real access points.
559 00:32:09,334 --> 00:32:14,125 You can deauth but that makes it a lot more of a headache. 560 00:32:14,501 --> 00:32:16,999 Additionally testing away from buildings and 561 00:32:16,999 --> 00:32:20,083 the real network reduces the likelihood that you're going 562 00:32:20,083 --> 00:32:21,959 to be caught. 563 00:32:21,959 --> 00:32:24,999 A lot of wireless systems now come with features where you can triangulate 564 00:32:24,999 --> 00:32:27,999 the location of rogue access points and so, if you're camped 565 00:32:27,999 --> 00:32:30,459 out in a parking lot and you're too close, there's 566 00:32:30,459 --> 00:32:34,999 a good chance that physical security might come knocking on the door. 567 00:32:35,375 --> 00:32:37,709 I can tell you from experience having your daughter 568 00:32:37,709 --> 00:32:40,876 holding the router makes it a lot less likely that anybody 569 00:32:40,876 --> 00:32:44,417 from physical security is going to mess with you. 570 00:32:46,083 --> 00:32:49,167 (Laughter) So story time. 571 00:32:49,626 --> 00:32:52,083 So an example that I can tell you about is an organization 572 00:32:52,083 --> 00:32:54,250 with about 50 or 100 users, they don't have 573 00:32:54,250 --> 00:32:57,918 a building or anything like that, they are on a multi level building 574 00:32:57,918 --> 00:32:59,999 on one of the floors. 575 00:33:00,250 --> 00:33:04,751 Their access points were weak enough where you couldn't really get reception 576 00:33:04,751 --> 00:33:08,626 outside of the building, though, so a great way to perform an attack 577 00:33:08,626 --> 00:33:12,542 is to sit out if there's a park or lobby out front. 578 00:33:12,542 --> 00:33:15,959 If you can find any choke point entryway or exit that's great. 579 00:33:15,959 --> 00:33:18,459 Was able to sit down in the lobby and actually get everyone 580 00:33:18,459 --> 00:33:21,584 on their way in and out as they're going to the elevator 581 00:33:21,584 --> 00:33:23,334 or the stairs.
582 00:33:24,999 --> 00:33:27,125 There's a choke point. 583 00:33:27,501 --> 00:33:30,751 That will be difficult to target out in the general population, 584 00:33:30,751 --> 00:33:33,999 I'm saying that because I'm going to lead up to some 585 00:33:33,999 --> 00:33:38,083 of the more fanciful attacks that are coming next. 586 00:33:38,125 --> 00:33:40,501 When you have a much larger organization though 587 00:33:40,501 --> 00:33:43,999 for about a thousand people or more, some of the organizations that come 588 00:33:43,999 --> 00:33:46,667 to find can even be in the 10s and maybe even hundreds 589 00:33:46,667 --> 00:33:48,999 of thousands of people you're much more likely 590 00:33:48,999 --> 00:33:53,250 to run across those users other places just out in the general public. 591 00:33:55,292 --> 00:33:58,999 For organizations that have their own campus, one of the best ways to pull 592 00:33:58,999 --> 00:34:02,834 off this attack is actually to sit at the edge of the parking lot especially 593 00:34:02,834 --> 00:34:05,626 if there's a major freeway there or stoplight or anything 594 00:34:05,626 --> 00:34:09,834 like that where they're queuing up to come into the parking lot. 595 00:34:09,999 --> 00:34:14,876 One of my favorite experiences was doing a test like this on the edge 596 00:34:14,876 --> 00:34:19,250 of a campus and there was a lot of people who rode their bicycles 597 00:34:19,250 --> 00:34:23,334 to work and as I'm monitoring the tools and you can see who 598 00:34:23,334 --> 00:34:25,999 is trying to access your access point 599 00:34:25,999 --> 00:34:30,459 and you talk to the RADIUS server and you see all this traffic goes 600 00:34:30,459 --> 00:34:33,999 by and it drops off as they ride by. 601 00:34:33,999 --> 00:34:35,167 So that was pretty fun. 602 00:34:36,834 --> 00:34:41,918 So finding a choke point, a physical presence is great. 603 00:34:41,918 --> 00:34:45,125 Now these traditional attacks are well known, well established.
604 00:34:45,375 --> 00:34:46,999 Everyone can do this. 605 00:34:46,999 --> 00:34:49,999 The trouble is what if you're not there? 606 00:34:49,999 --> 00:34:52,083 What if you want to be able to compromise somebody's Active 607 00:34:52,083 --> 00:34:54,751 Directory creds from their mobile devices and you can't 608 00:34:54,751 --> 00:34:57,584 get access to where they actually work? 609 00:34:57,918 --> 00:35:00,167 Well, you have to go find them somewhere else. 610 00:35:00,167 --> 00:35:01,334 That's where the more interesting attacks would 611 00:35:01,334 --> 00:35:02,709 come up. 612 00:35:03,167 --> 00:35:08,209 For multiple networks, what if I didn't just want to get 613 00:35:08,209 --> 00:35:11,250 into my bank's network? 614 00:35:11,250 --> 00:35:15,083 What if I wanted to get into any or all banks' networks? 615 00:35:17,083 --> 00:35:21,501 Can't do a traditional attack but I'd have to sit in one place, 616 00:35:21,501 --> 00:35:27,125 one network name, one SSID for a long time, wait, stop, do it again. 617 00:35:27,125 --> 00:35:28,751 It's going to take a long time. 618 00:35:28,999 --> 00:35:33,959 What if we did something like create a tool that would actually let 619 00:35:33,959 --> 00:35:38,083 us rotate the SSIDs on a predetermined basis? 620 00:35:38,250 --> 00:35:40,959 What that would let us do is hop in the car and do 621 00:35:40,959 --> 00:35:46,209 like wardriving 3.0 where you're not actually targeting access points. 622 00:35:46,334 --> 00:35:48,083 You are the access point and you're targeting multiple 623 00:35:48,083 --> 00:35:49,792 device users. 624 00:35:49,918 --> 00:35:51,417 So I'm going to use San Francisco which 625 00:35:51,417 --> 00:35:54,083 is where our headquarters is as an example.
626 00:35:54,709 --> 00:35:59,167 If I wanted to target banks what I would do is hop in the car with my list 627 00:35:59,167 --> 00:36:03,834 of SSIDs matched to a whole bunch of banks or any other organization that 628 00:36:03,834 --> 00:36:06,999 would be around there and all I have to do is drive 629 00:36:06,999 --> 00:36:10,626 around the financial district at lunchtime. 630 00:36:10,999 --> 00:36:13,999 Chances are I'm going to find a bunch of people who are 631 00:36:13,999 --> 00:36:17,250 out to lunch away from the organization. 632 00:36:17,709 --> 00:36:21,125 Away from their Wi-Fi networks and that means it's going to be easy 633 00:36:21,125 --> 00:36:23,999 to connect to my access point. 634 00:36:23,999 --> 00:36:28,876 The only catch is we have to rotate SSIDs frequently enough 635 00:36:28,876 --> 00:36:32,209 in order to make it effective. 636 00:36:34,083 --> 00:36:39,999 If you think that you can curate this by industry or geographical location. 637 00:36:39,999 --> 00:36:41,250 In that example we did both. 638 00:36:41,584 --> 00:36:46,918 You can get awesome extra credit if you do it on public transit as well. 639 00:36:47,209 --> 00:36:50,542 That's fantastic especially in the Bay Area because you have 640 00:36:50,542 --> 00:36:53,083 a lot of tech companies that use services 641 00:36:53,083 --> 00:36:55,542 like BART and Caltrain. 642 00:36:55,667 --> 00:37:02,125 So public transportation services can be a really good hunting area. 643 00:37:02,125 --> 00:37:04,834 Finally what if we don't care. 644 00:37:04,834 --> 00:37:09,083 I want to get on some network, I want AD creds, I just think it's fun. 645 00:37:09,999 --> 00:37:11,584 We can do that too. 646 00:37:12,209 --> 00:37:15,125 That means instead of a predetermined curated list, 647 00:37:15,125 --> 00:37:18,667 we're going to dynamically change the list.
648 00:37:19,375 --> 00:37:23,167 We can do that by listening for probe requests, 649 00:37:23,167 --> 00:37:27,709 beacons and also going a little further and using some 650 00:37:27,709 --> 00:37:29,876 outside tools. 651 00:37:30,626 --> 00:37:32,626 So let's talk about that. 652 00:37:33,709 --> 00:38:38,083 The existing tools that we have for WPE which you heard me talk 653 00:37:38,083 --> 00:37:41,876 about a RADIUS server that's been modified to shoot 654 00:37:41,876 --> 00:37:44,792 out the MS-CHAPv2 challenge and response 655 00:37:44,792 --> 00:37:47,876 instead of keeping it secret. 656 00:37:47,999 --> 00:37:49,834 That's pretty fun. 657 00:37:50,083 --> 00:37:56,709 hostapd and hostapd-wpe for testing EAP-FAST which you should 658 00:37:56,709 --> 00:38:01,626 look into if you want to support that. 659 00:38:01,709 --> 00:38:05,209 There's also DD-WRT and OpenWrt which you can easily script and one 660 00:38:05,209 --> 00:38:09,209 of the things I haven't done yet but I'd like to look at is patching 661 00:38:09,209 --> 00:38:14,542 the FreeRADIUS tool that's available for OpenWrt with FreeRADIUS-WPE. 662 00:38:14,542 --> 00:38:15,918 That would be cool because you'd have 663 00:38:15,918 --> 00:38:20,501 a stand alone router that you drop somewhere and let it go. 664 00:38:20,918 --> 00:38:24,959 So the goal of this tool is to give every single network a PEAP. 665 00:38:29,125 --> 00:38:31,334 Just give it to everyone. 666 00:38:31,334 --> 00:38:33,375 You can script in OpenWrt. 667 00:38:38,626 --> 00:38:41,626 You have to listen to them and build the list and get them 668 00:38:41,626 --> 00:38:43,834 onto the WRT somehow. 669 00:38:43,834 --> 00:38:45,584 You could probably do it on the WRT. 670 00:38:45,999 --> 00:38:55,167 There's a hostapd Python script which allows you to use Scapy to listen 671 00:38:55,167 --> 00:39:02,083 for probes and beacons and then dynamically add those 672 00:39:02,083 --> 00:39:04,709 to the list.
673 00:39:10,292 --> 00:39:12,334 That's fantastic. 674 00:39:12,417 --> 00:39:15,209 That just made things easier, but hostapd karma. 675 00:39:15,999 --> 00:39:18,584 Getting fancy, what else could we do? 676 00:39:18,792 --> 00:39:21,751 We could use GPS potentially. 677 00:39:22,209 --> 00:39:24,083 Haven't done that yet. 678 00:39:24,083 --> 00:39:26,626 But, if you can give coordinates and query a resource saying hey, 679 00:39:26,626 --> 00:39:29,999 I want every WPA2 Enterprise SSID within two miles of where I am, 680 00:39:29,999 --> 00:39:33,334 you can go anywhere in the world and potentially exploit a bunch 681 00:39:33,334 --> 00:39:36,792 of networks you don't know exist and do the research and figure 682 00:39:36,792 --> 00:39:38,959 out where they are and what networks you 683 00:39:38,959 --> 00:39:40,334 got into. 684 00:39:40,999 --> 00:39:43,999 So the goal is to get this into a single tool. 685 00:39:43,999 --> 00:39:47,542 My colleague Ryan Lacy and I have been working on this a little bit. 686 00:39:47,542 --> 00:39:49,751 It's difficult, not easy at all. 687 00:39:49,751 --> 00:39:53,083 There's a group called EAPeak that was presented at one 688 00:39:53,083 --> 00:39:56,834 of the Black Hats in 2011 that got far along that path 689 00:39:56,834 --> 00:40:01,209 but I think they took a different approach later on. 690 00:40:01,375 --> 00:40:03,999 But it's not easy but we're getting there. 691 00:40:03,999 --> 00:40:07,375 Hopefully, eventually we'll be able to release a full single tool that 692 00:40:07,375 --> 00:40:10,751 will actually do all this in one install. 693 00:40:17,959 --> 00:40:19,999 We'll use tools we've been using to build the logic to build 694 00:40:19,999 --> 00:40:21,709 the dynamic SSIDs. 695 00:40:22,375 --> 00:40:24,334 So how do we fix this? 696 00:40:26,250 --> 00:40:28,542 You can't just turn off your Internet.
697 00:40:28,542 --> 00:40:31,375 I bring that up because well, it actually happened here which 698 00:40:31,375 --> 00:40:34,667 reminds me of a place we did this once. 699 00:40:34,834 --> 00:40:38,459 We're working with an organization where there was 700 00:40:38,459 --> 00:40:42,209 and we were working with a network and said we can't 701 00:40:42,209 --> 00:40:44,167 support this. 702 00:40:44,751 --> 00:40:46,709 Rolls out an EAP TLS network. 703 00:40:50,334 --> 00:40:52,999 You can exploit this without a network. 704 00:40:53,292 --> 00:40:56,375 So 5, 6 months later you can go back and broadcast 705 00:40:56,375 --> 00:40:59,959 as that old network name if you happen to know it 706 00:40:59,959 --> 00:41:03,709 and still communicate with the devices. 707 00:41:04,083 --> 00:41:07,250 And if they don't rotate their credentials regularly and 708 00:41:07,250 --> 00:41:11,667 if they don't have high device turnover, there's a really good chance that 709 00:41:11,667 --> 00:41:13,959 you're still going to find somebody who 710 00:41:13,959 --> 00:41:17,250 is misconfigured even though the network doesn't exist which 711 00:41:17,250 --> 00:41:18,959 is creepy. 712 00:41:19,999 --> 00:41:25,167 EAP TLS is difficult to support and difficult to roll out but it leads 713 00:41:25,167 --> 00:41:27,501 to more security. 714 00:41:27,667 --> 00:41:30,250 We also need better mobile device management. 715 00:41:32,501 --> 00:41:34,083 Quick comparison. 716 00:41:34,209 --> 00:41:37,542 EAP TLS is nearly universal as is PEAP. 717 00:41:37,999 --> 00:41:40,751 Difference is that PEAP is easy. 718 00:41:40,999 --> 00:41:41,999 PEAP is hard. 719 00:41:42,083 --> 00:41:43,501 EAP TLS is hard. 720 00:41:43,501 --> 00:41:45,167 Let's look at why, I'm running out of time and I want to get 721 00:41:45,167 --> 00:41:46,709 to the demo. 722 00:41:47,083 --> 00:41:49,959 So doing PEAP takes a lot of work. 723 00:41:49,959 --> 00:41:51,501 We talked about a perfect storm.
724 00:41:51,501 --> 00:41:53,999 To do PEAP right, you have to do so much work that hopefully 725 00:41:53,999 --> 00:41:56,999 and this is what I hope you experience for those of you 726 00:41:56,999 --> 00:41:59,709 on the defensive side of this. 727 00:41:59,751 --> 00:42:03,501 In order to do PEAP right you have to do so much work that it's probably 728 00:42:03,501 --> 00:42:05,999 going to still be easier to deploy EAP TLS 729 00:42:05,999 --> 00:42:09,999 because in the end even if you perfectly configure your network, 730 00:42:09,999 --> 00:42:14,626 that one user or 10 users that want to add their own device still know their 731 00:42:14,626 --> 00:42:17,999 user name and password and your MDM solution isn't going 732 00:42:17,999 --> 00:42:21,834 to touch that especially if they misconfigure it so badly that 733 00:42:21,834 --> 00:42:24,292 they don't bring it in and you can pick it 734 00:42:24,292 --> 00:42:28,334 up in your car and pick up 3.0 all the way around. 735 00:42:28,999 --> 00:42:34,501 DEF CON is secure, I'm hoping some of you didn't install the certificate. 736 00:42:34,626 --> 00:42:39,459 Those of you using iOS probably are going to be more okay. 737 00:42:39,542 --> 00:42:43,834 Right now we're going to get into the demo. 738 00:42:43,834 --> 00:42:45,209 We have four minutes for that. 739 00:42:45,459 --> 00:42:47,083 Last warning. 740 00:42:47,501 --> 00:42:49,999 I'm asking all of you to be victims. 741 00:42:50,667 --> 00:42:53,209 This is not going to hurt, I promise. 742 00:42:53,918 --> 00:42:56,999 I will not crack your passwords. 743 00:42:56,999 --> 00:42:59,999 I don't really think your DEF CON secure password is worth 100 bucks 744 00:42:59,999 --> 00:43:03,999 or the time or energy it would take for me to do on my own. 745 00:43:04,167 --> 00:43:06,999 No man in the middle is going to be conducted. 746 00:43:09,083 --> 00:43:11,999 I'm not connected to the Internet here.
747 00:43:11,999 --> 00:43:14,959 So I can't even provide you a service even if I wanted to. 748 00:43:15,125 --> 00:43:17,292 So you're going to be all set there. 749 00:43:17,999 --> 00:43:19,292 And yeah. 750 00:43:19,292 --> 00:43:20,542 We'll see what happens. 751 00:43:20,834 --> 00:43:24,417 Last chance if you don't want to participate, turn your phones off. 752 00:43:24,918 --> 00:43:27,250 Switch your laptops off. 753 00:43:27,250 --> 00:43:28,999 This is end of DEF CON. 754 00:43:28,999 --> 00:43:31,375 This would be fun if I got 40 of you. 755 00:43:31,999 --> 00:43:37,334 Turn your phones on please and participate and let's get into that. 756 00:43:42,834 --> 00:43:50,209 By the way, that's everyone probing for DEF CON secure right now. 757 00:43:50,209 --> 00:43:52,167 So this might actually work. 758 00:43:54,334 --> 00:43:58,542 I was going to need DEF CON, but I don't think I need to any more. 759 00:44:04,792 --> 00:44:08,167 We got to make sure I'm on the right address. 760 00:44:09,709 --> 00:44:10,999 Should be. 761 00:44:16,083 --> 00:44:19,999 Anyone picking up DEF CON secure now? 762 00:44:20,083 --> 00:44:21,292 No? 763 00:44:21,292 --> 00:44:23,250 Okay, might take a second here. 764 00:44:23,542 --> 00:44:39,375 Got to turn my Wi-Fi back on. 765 00:44:39,375 --> 00:44:40,375 Still booting up. 766 00:44:40,375 --> 00:44:41,375 Okay. 767 00:44:42,999 --> 00:44:47,167 Should be coming up. 768 00:44:47,167 --> 00:44:48,167 Wow, yeah. 769 00:44:48,167 --> 00:44:49,167 Okay. 770 00:44:49,167 --> 00:44:52,999 Some of you are hitting it. 771 00:44:52,999 --> 00:45:05,125 All right, now, let's see if I can show you, not there yet. 772 00:45:05,125 --> 00:45:07,999 One of the problems is even if you don't even if you still validate 773 00:45:07,999 --> 00:45:12,417 the certificate, you still talk to this and a lot of you are still talking to it 774 00:45:12,417 --> 00:45:14,999 and this is falling apart.
775 00:45:19,626 --> 00:45:22,999 But I do have a backup example I can show you. 776 00:45:27,751 --> 00:45:31,501 I just saw my name go by. 777 00:45:35,167 --> 00:45:36,999 Oops, sorry. 778 00:45:44,999 --> 00:45:48,542 So on the screen what you see is the output every time somebody 779 00:45:48,542 --> 00:45:50,999 is trying to connect to me. 780 00:45:51,083 --> 00:45:53,083 And when you see the big TLS blobs go by, 781 00:45:53,083 --> 00:45:55,542 that's when I get happy. 782 00:46:00,083 --> 00:46:01,501 Really? 783 00:46:01,501 --> 00:46:02,501 That's awesome. 784 00:46:02,501 --> 00:46:05,167 That's a good name. 785 00:46:08,959 --> 00:46:11,584 You guys are validating your certificates. 786 00:46:30,999 --> 00:46:32,834 Black Hat, no. 787 00:46:35,083 --> 00:46:37,709 No, that was not me at Black Hat. 788 00:46:48,999 --> 00:46:54,999 Well, that's disappointing, yes, I'm in the right directory. 789 00:46:54,999 --> 00:47:02,334 Thanks, though. 790 00:47:02,334 --> 00:47:05,999 No, other way at least in my experience. 791 00:47:05,999 --> 00:47:08,834 I've had it when the log is there, it won't update. 792 00:47:09,959 --> 00:47:11,876 I'm running out of time. 793 00:47:11,876 --> 00:47:13,876 So what I'm going to do is I'm going to leave this 794 00:47:13,876 --> 00:47:15,959 on for another couple seconds, maybe 795 00:47:15,959 --> 00:47:18,999 a minute or 2 and hopefully get more. 796 00:47:18,999 --> 00:47:20,501 We see EAP traffic. 797 00:47:22,667 --> 00:47:25,083 Somebody had strong feelings about Black Hat. 798 00:47:25,999 --> 00:47:28,999 So what I can tell you is that I see, like, my name coming 799 00:47:28,999 --> 00:47:32,167 by and when you see that big blob there, that's the certificate 800 00:47:32,167 --> 00:47:35,167 and that's the challenge and the EAP challenge going back 801 00:47:35,167 --> 00:47:36,792 and forth. 802 00:47:36,834 --> 00:47:38,999 We're getting it but it's just not logging.
803 00:47:38,999 --> 00:47:40,083 There's too many of you. 804 00:47:40,083 --> 00:47:42,083 I've got to wrap up. 805 00:47:42,083 --> 00:47:42,709 But thank you, it's been a lot of fun (Applause.) So go forth 806 00:47:42,709 --> 00:47:44,083 and deploy EAP TLS.