Many organisations use 802.1X EAP-PEAP with MS-CHAPv2 as the inner authentication method (or PEAP for short) to join the corporate WLAN. If you use a username and password to join your WLAN then this is likely what you use too.
You might be surprised just how easy it is to crack PEAP if it is not configured correctly. And before you ask, it doesn’t matter if you have the most complicated password in the world, one that even a savant couldn’t remember.
We won’t publish the exact steps involved here as we don’t want to make another hacker’s guide (but if you really want to know how to do it, Google is your friend).
The point of this blog is to show that you don’t need to be an elite hacker or a government spy to do this. All it takes is a laptop running Linux, a vulnerable target device (a corporate laptop, phone or any other device for that matter) and a WLAN that uses PEAP. If the device is configured to only trust your authentication server, then this attack won’t work, but many devices are not configured this way. When the device is not configured this way, the user may be warned that the authentication server isn’t trusted, but the user can choose to connect anyway (which most users will probably do as they just want to get on with things and do their work). Worse still, some operating systems (like Android) won’t even warn the user and will just go ahead and connect.
Using freely available software, a Linux laptop can be set up to impersonate your corporate WLAN, causing your device to connect to it instead. This is known as an “evil twin” attack. The evil twin won’t be able to capture your credentials in full (that’s not the way EAP-PEAP works) but it can capture your username in clear text. If you have a weak password, the captured info can then be attacked offline until the password is cracked through a brute-force dictionary attack.
If you have a more complex password that is not susceptible to a dictionary attack, however, that doesn’t mean you’re safe. There are cloud-based server arrays that, for a small fee (as low as $20 USD), will churn through all of the 72,057,594,037,927,936 possible key combinations much faster than a single laptop could and will eventually provide an “NTHASH” of your password, which can be used on a Linux PC to access your corporate network (the NTHASH is what your WLAN supplicant transforms your password into for WLAN authentication, so the password itself is not actually required).
If the credentials you use to access your WLAN are the same as the ones used to log into Windows, then the attacker can use the username and NTHASH credentials to gain access to workstations as well as network drive shares.
EAP-TLS (using device certificates to authenticate with the WLAN) is not susceptible to this type of attack but is more complex to set up (it requires a PKI infrastructure and a method to distribute the certificate files to the end devices). PEAP can be secure as long as all of the end clients are configured properly – it only takes one incorrectly configured end device for an attacker to be able to steal credentials and gain network access.
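As an added example (not part of the original post), here is one way to check whether a client is "configured to only trust your authentication server". It assumes Linux clients that use wpa_supplicant; the sample configuration, SSIDs, paths and server name are constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, paths and names are made up.
SAMPLE_CONF = '''
network={
    ssid="CorpWLAN"
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWLAN-CA-only"
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
}
network={
    ssid="CorpWLAN-Pinned"
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
}
'''
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Yield each network={...} block as a dict of option -> value."""
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        yield fields

def audit(text):
    """Map SSID -> list of server-validation gaps for each PEAP network."""
    findings = {}
    for net in parse_networks(text):
        if "PEAP" not in net.get("eap", "").upper().split():
            continue  # only PEAP networks are in scope
        gaps = []
        if not (net.get("ca_cert") or net.get("ca_path")):
            gaps.append("no ca_cert")  # server certificate is not verified
        if not any(net.get(k) for k in NAME_CHECKS):
            gaps.append("no server name match")  # any cert from that CA passes
        findings[net.get("ssid", "?")] = gaps
    return findings

print(audit(SAMPLE_CONF))
```

An empty list means the profile pins both the issuing CA and the expected server name; any other result marks a client that should be fixed before it is allowed on the PEAP WLAN.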
If you would like IPTel Solutions to look into your WLAN and client device configuration to check for this vulnerability then contact us.