Attacking and Defending WPA Enterprise Networks

This blog gives an overview of possible attack vectors against WPA Enterprise networks and how to mitigate them, continuing our series on Wi-Fi Protected Access (WPA) security. We follow on from the initial blog, which outlined how to deploy a secure WPA Enterprise wireless environment.

By Daniel Kumar

Assurance Consultant

03 Oct 2020

For more detailed information on how organisations can increase their WPA Enterprise security posture, you can download our White Paper which delves deeper into the topic, demonstrating real world attack vectors against enterprise networks, exploring how to defend against these attacks and giving overall guidance on how to secure a WPA Enterprise wireless deployment with a strong configuration.

Attacking and defending WPA enterprise networks

Today, wireless networks are a highly valuable and accessible attack vector against an organisation. This is due to many factors, including, but not limited to, corporate wireless networks generally being configured with access to internal networks, authentication occurring using corporate user accounts and a lack of hardening on connecting devices. These traits of typical corporate networks mean that malicious actors have ample attack avenues to target not only network configurations but also an organisation’s users. Furthermore, pursuing these attack avenues can be very fruitful for malicious actors, potentially taking an unauthenticated actor straight into an organisation’s internal network as an authenticated user.

With wireless networks being so accessible by attackers, why wouldn’t every organisation just enforce the strongest network configurations possible? Many factors come into play when choosing a suitable configuration for an Enterprise wireless network: Which clients will be connecting to the network? What are the current and future configuration provisioning methods which are available? And what infrastructure is available to host the wireless network?

By answering these and many more questions, we are able to delve deeper into the inner workings of the various authentication methods available within WPA Enterprise mode and give you guidance on how to take a holistic approach to securing a wireless environment. While our White Paper takes you on a more in-depth tour through the world of WPA Enterprise security, here is a summary of the main points to consider:

The Extensible Authentication Protocol (EAP) authentication framework

The EAP framework underpins all the different authentication methods within a WPA Enterprise network. By understanding how the EAP framework works, you are able to gain a deeper understanding of how the many authentication methods work at a high level.

Once this deeper understanding of the EAP framework is achieved, you will be able to analyse enterprise networks yourself and give yourself the baseline understanding required to do your own further research within the wireless field, potentially allowing for new offensive and defensive tools to be created, new vulnerabilities to be found, and more.

The EAP framework consists of messages which define message formats and common functionality for how authentication should be implemented (not a specific authentication implementation itself). Our White Paper details how methods within the EAP framework are defined, what types of EAP methods exist, what process flows exist for the differing EAP types, and what popular EAP methods currently exist.

There are many different types of authentication methods which abide by the EAP framework (referred to as EAP methods). The following table highlights popular tunnelled EAP authentication methods and their compatibility with popular devices and authentication servers:

Similarly, the following table highlights popular native EAP authentication methods and their device and authentication server compatibility:

Fingerprinting wireless enterprise networks

In order to attack or defend a network effectively, teams must understand the configuration of the network. Therefore, performing reconnaissance against a network is a key step in identifying which EAP methods a network supports.

Being able to identify the authentication methods used by a wireless network is a skill useful to both offensive and defensive teams. Readers within defensive teams can utilise this to perform network monitoring for weak configurations, rogue access point identification, etc. Readers on the offensive side can utilise this information in order to identify various attack vectors towards a target network.

There are both passive and active methods of performing fingerprinting, and a number of tools have been created to fingerprint EAP types within Enterprise wireless networks, e.g. EAPeak and crEAP.

Figure 1 - Active fingerprinting performed using the ‘eapscan’ tool

Figure 2 - Passive fingerprinting performed using the ‘crEAP’ tool

Additionally, our White Paper demonstrates how to perform network fingerprinting manually through Wireshark. This is helpful when tools don’t work for one reason or another, when you’ve run into a network type which a tool does not account for, and also to double-check that the tool output you’re utilising is valid.

Weaknesses within enterprise wireless configurations

Once you know how to identify the EAP methods which are supported by an Enterprise network, you can quickly understand what potential weaknesses the network could be exposed to and start to plan attack vectors against the network.

Attacks on Enterprise networks can be performed based on a number of factors, including the type of EAP method in use, inherent vulnerabilities within supported EAP methods, and the configurations of connecting clients. Our White Paper examines these issues in depth, and also provides demonstrations of identified weaknesses and mitigations for each issue. A summary of these vulnerability categories is below:

Tunnelled vs Native EAP method weaknesses

An Enterprise network could be exposed to weaknesses due to the type of EAP methods which are supported. All native EAP methods are sent in plain-text, as the EAP framework assumes that messages are sent over a protected communication channel. This allows attackers to passively sniff sensitive communication such as authentication details, and also exposes weakly configured clients to rogue access point attacks. Tunnelled EAP methods, meanwhile, can potentially disclose usernames in plain-text if clients are not configured appropriately.

Mitigations for these weaknesses include ensuring only tunnelled EAP methods are supported by the authentication server, and also ensuring that clients are configured to connect utilising an anonymous identity.
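The following added example (not from the White Paper or any of the tools named above) shows how a defensive monitor could apply the fingerprinting and tunnelled-vs-native points to outer EAP packets already extracted from EAPOL frames. The packets are constructed samples, and the set of user names treated as anonymous is an assumption of this example.

```python
import struct

# EAP method type numbers from the IANA EAP registry (RFC 3748).
EAP_TYPES = {4: "EAP-MD5", 6: "EAP-GTC", 13: "EAP-TLS", 17: "LEAP",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}
RISK = {4: "legacy method", 17: "legacy method",      # article: disable these
        6: "credential method outside a tunnel", 26: "credential method outside a tunnel"}
ANON_USERS = {"", "anonymous"}   # assumption: user parts treated as anonymous

def build_eap(code, ident, etype, data=b""):
    """Build a constructed EAP Request (code 1) or Response (code 2)."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data

def parse_eap(pkt):
    """Return (code, type, type_data), or None if the packet is malformed."""
    if len(pkt) < 4:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        return None
    if code in (1, 2):               # Request / Response carry a Type octet
        return (code, pkt[4], pkt[5:length]) if length >= 5 else None
    return (code, None, b"")         # Success / Failure have no Type

def audit_eap(packets):
    """Return (methods the server requested, findings) for outer EAP packets."""
    methods, findings = set(), []
    for pkt in packets:
        parsed = parse_eap(pkt)
        if parsed is None:
            findings.append("malformed EAP packet ignored")
            continue
        code, etype, data = parsed
        if code == 2 and etype == 1:     # Response/Identity, sent in the clear
            identity = data.decode("utf-8", "replace")
            if identity.split("@")[0].lower() not in ANON_USERS:
                findings.append(f"username disclosed in outer identity: {identity}")
        elif code == 1 and etype in EAP_TYPES:
            methods.add(etype)
    for t in sorted(t for t in methods if t in RISK):
        findings.append(f"{EAP_TYPES[t]} requested: {RISK[t]}")
    return sorted(EAP_TYPES[t] for t in methods), findings

# Constructed packets, not taken from a real capture.
SAMPLE = [build_eap(2, 1, 1, b"jsmith@corp.example"), build_eap(1, 2, 25, b"\x20"),
          build_eap(2, 1, 1, b"anonymous@corp.example"),
          build_eap(1, 2, 17, b"\x01\x00\x08" + bytes(8)), b"\x01\x03\x00"]
```

Calling `audit_eap(SAMPLE)` reports PEAP and LEAP as requested methods, one disclosed username, one ignored truncated packet and the LEAP finding.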

Inherent weaknesses within the EAP method in use

EAP methods can contain vulnerabilities within their inherent implementation. In our White Paper we demonstrate practical attacks against four EAP methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5 and LEAP. Three of the attacks demonstrated allow credential hashes to be recovered, which can later be converted to plain-text credentials through password cracking techniques. The fourth attack can result in plain-text credentials being simply recovered by an attacker over the air. As these attacks allow the recovery of user credentials, more often than not, the credentials can be utilised as an avenue into an organisation’s internal network.

Mitigations for these attacks include a variety of defences: completely disabling support for older authentication protocols like LEAP and EAP-MD5, ensuring EAP methods are always utilised within a tunnelled EAP method to ensure encryption of data over the air, and ensuring EAP methods are configured securely, e.g. no plain-text GTC credentials. In most cases, however, weaker authentication methods should simply be upgraded to a stronger EAP method such as EAP-TLS within a tunnelled authentication method. This setup will provide authentication through digital certificates, secured through the use of an encrypted tunnel.

Weak client configurations

In today’s world, the state of a wireless network’s security is not left up to only the infrastructure and network configuration. Connecting devices play a crucial role in ensuring the security of an organisation’s environment. With clients holding sensitive credentials which must be submitted to an authentication server, clients must have absolute trust that they are interfacing with legitimate network devices, and not those of a malicious actor.

Our White Paper focusses on four specific client configurations which have been identified throughout organisations as a weak point. Each of the four issues addresses a distinct weak client configuration, e.g. a lack of server validation, weak validation, and the use of weak authentication parameters.

These issues can result in a weakly configured device authenticating and disclosing credentials to rogue access points, potentially facilitating credential recovery and replay attacks in order to gain authenticated access to an organisation’s network.

Mitigations for these configuration weaknesses revolve around automatically applying standard configurations to all devices connecting to a network through managed configuration deployment software. By doing so, the chance of a user manually connecting to an organisational network with a weak configuration is heavily minimised. Popular managed configuration deployment software includes Active Directory for Windows systems, Apple Configurator for macOS systems, and Apple’s Mobile Device Management software for iOS devices; third-party solutions can be utilised for Linux and Android devices.

Where managed configuration deployment software cannot be utilised and the only option is to allow users to manually configure their own networks, such as on Android devices, extensive setup documentation with clear steps and images should be provided to users. With clear documentation available, there is a lower likelihood that users will knowingly implement weak configurations.
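As an added illustration (not from the White Paper), the script below audits a Linux client profile for the kinds of weak client configuration named above, with a weak profile beside a hardened one. It assumes wpa_supplicant as the client, which the article does not name; the mapping of the article's categories onto wpa_supplicant fields is this example's interpretation, and the SSID, names and paths are constructed placeholders.

```python
import re

# wpa_supplicant fields that pin the expected server name or certificate subject.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")
WEAK = '''network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith"
    password="example-only"
    phase2="auth=MSCHAPV2"
}'''
HARDENED = '''network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="jsmith"
    password="example-only"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}'''

def parse_networks(conf):
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        pairs = (l.strip().split("=", 1) for l in block.splitlines() if "=" in l)
        networks.append({k.strip(): v.strip().strip('"') for k, v in pairs
                         if not k.lstrip().startswith("#")})
    return networks

def audit_profile(conf):
    """List weak client settings in every WPA-EAP network block."""
    issues = []
    for net in parse_networks(conf):
        if net.get("key_mgmt") != "WPA-EAP":
            continue
        methods = set(net.get("eap", "").split())
        if methods & {"LEAP", "MD5"}:
            issues.append("legacy EAP method enabled")
        if methods & {"PEAP", "TTLS", "TLS"}:
            if not net.keys() & {"ca_cert", "ca_path"}:
                issues.append("server certificate is not validated")
            elif not any(k in net for k in NAME_CHECKS):
                issues.append("any server with a certificate from the CA is accepted")
        if methods & {"PEAP", "TTLS"} and "anonymous_identity" not in net:
            issues.append("real username is sent as the outer identity")
    return issues
```

`audit_profile(WEAK)` returns two issues and `audit_profile(HARDENED)` returns none, so the same check can run against profiles before they are deployed.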

The Network and Connecting Devices

If you would like to secure an enterprise wireless network, you need to take into account both the configuration of the network itself and the configuration of connecting devices.

Where a weak authentication server configuration is supported, clients could be configured to utilise weak authentication methods which are susceptible to attacks, e.g. passive sniffing. Where weak client configurations are enforced, connecting clients could be vulnerable to rogue access point attacks. In both cases, there is potential for user credentials to be retrieved, lowering the security posture of the environment as a whole. As such, the authentication server and client configurations are equally important in protecting the network.

Recommendations for a secure enterprise network

Overall, the initial blog post in this series gave a baseline understanding of WPA Enterprise security, but focused mainly on how to achieve a successful deployment. The release of our White Paper hopes to better inform readers on the authentication process within enterprise wireless networks. In doing this, and by demonstrating attacks and mitigations against popular authentication methods, this paper will give readers and organisations the ability to identify why a certain authentication mechanism is insecure, and recommend secure enterprise wireless configurations.

About Daniel Kumar

Assurance Consultant

Daniel is part of our Assurance team and is based in our Sydney, Australia office. He specialises in Infrastructure, Web and Mobile Applications and Wireless assessments.