Re: [Dailydave] WPA attack improved to 1min, MITM

From: Mike Kershaw (dragorn@kismetwireless.net)
Date: Thu Aug 27 2009 - 15:35:28 CDT


On Thu, Aug 27, 2009 at 01:05:48PM -0700, George Ou wrote:
> Not sure why we're spending time on this attack, when Moxie's SSL attack and
> Joshua Wright's FreeRadius-WPE would pretty much completely break you into
> most corporate wireless networks even if they were running WPA-AES. This
> would be even better than injecting a few arbitrary packets because you'd
> actually obtain user credentials.

Possibly - it's strongly dependent on how the supplicant validates the
certs. *IF* the supplicant uses the CN exclusively, then it's at risk,
but this also assumes that they use a global CA chain to start their
RADIUS certs (instead of doing an internal CA for their private
network).

If the supplicant is configured to trust the parent CA of your
marlinspike'd cert, then sure - definitely time to be afraid - but this
is an insecure setup anyhow, as mentioned in Josh's presentation (some
versions of WZC validate the signing authority only, regardless of CN).

The Moxie stuff is a big vuln in badly set up networks, but not
necessarily any bigger of a vuln than the badly set up network was
already. If you used a public CA and your users use a supplicant which
doesn't check CN, you're just as owned. If I can spike a cert that
matches your private CN, you're also... badly owned, without any of
these games.

It's much more interesting to combine the marlinspike stuff with, say,
airpwn or DNS hijacking on open networks down the road from your target.

-m

--
Mike Kershaw/Dragorn <dragorn@kismetwireless.net>
GPG Fingerprint: 3546 89DF 3C9D ED80 3381 A661 D7B2 8822 738B BDB1

Life is just Nature's way of keeping meat fresh -- The Doctor
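The supplicant-side distinction Mike draws above (matching the CN only versus trusting only the organisation's private CA), as an added Go example that is not part of the original thread: it mints a private CA, a second "public" CA and two RADIUS server certs carrying the same CN, then shows that a CN-only check accepts the cert from the untrusted CA while a supplicant that pins the private CA and checks the name rejects it. The CA names and radius.corp.example are made-up values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent; a nil parent yields a self-signed root CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CNOnlyAccepts models the weak supplicant from the thread: CN compared, signer never checked.
func CNOnlyAccepts(server *x509.Certificate, expectedCN string) bool { return server.Subject.CommonName == expectedCN }

// PinnedAccepts models the hardened supplicant: the chain must end at the organisation's own
// private CA AND the name must match (a real supplicant should match the SAN, e.g. domain_match).
func PinnedAccepts(server, privateCA *x509.Certificate, expectedCN string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(privateCA)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil && server.Subject.CommonName == expectedCN
}

func main() {
	const name = "radius.corp.example" // hypothetical RADIUS server CN
	privCA, privKey := issue("Corp Private CA", nil, nil)
	pubCA, pubKey := issue("Some Public CA", nil, nil)
	genuine, _ := issue(name, privCA, privKey) // the genuine RADIUS server cert
	spoof, _ := issue(name, pubCA, pubKey)     // same CN, issued by a CA the supplicant should not trust
	fmt.Println(CNOnlyAccepts(spoof, name), PinnedAccepts(genuine, privCA, name), PinnedAccepts(spoof, privCA, name)) // true true false
}
```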


_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave