Attacks/Breaches

11/1/2017
10:15 AM

How Wireless Intruders Can Bypass NAC Controls

A researcher at this month's SecTor conference will demonstrate the dangers of not employing EAP-TLS wireless security.

Organizations using port-based network access control (NAC) devices to contain wireless intruders may be less secure than they assume.

Unless an organization uses the strongest WPA2-Enterprise option, certificate-based EAP-TLS, an attacker with an initial foothold on the enterprise wireless network can bypass the protections a NAC appliance enforces and pivot deeper into the enterprise.

That's according to Gabriel Ryan, security engineer at Gotham Digital Science, who will present a paper on the topic at the upcoming SecTor security conference in Toronto this month.

Ryan's presentation, "The Black Art of Wireless Post-Exploitation," examines the implications of a common practice: using NAC appliances to try to contain attackers who have already breached the wireless network.

Companies often adopt this approach to compensate for the relatively weak perimeter provided by the EAP-TTLS and PEAP authentication methods, Ryan says. Both have long been susceptible to so-called evil twin attacks, in which a rogue access point impersonating the corporate SSID harvests usernames and password material (the MSCHAPv2 challenge/response, or the password itself when a cleartext inner method is negotiated) from clients that do not validate the RADIUS server's certificate. Many enterprises nevertheless stay on TTLS and PEAP because certificate-based, mutual authentication with EAP-TLS is much harder to roll out.

Rather than deploying EAP-TLS to prevent wireless breaches in the first place, many organizations instead rely on NAC appliances to identify and quarantine any device that manages to get past their wireless protections.
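As an added illustration (my code, not code from Ryan's talk or from any NAC or supplicant vendor), here is a lint pass over wpa_supplicant network profiles that shows the condition under which the evil twin above succeeds, and what the EAP-TLS alternative looks like in the same config format. It assumes the standard wpa_supplicant.conf syntax (`network={ key=value ... }` blocks); the SSID, file paths and credentials in the sample are constructed. The evil twin works against PEAP and TTLS when the client does not pin the RADIUS server (no `ca_cert`, or a CA without a `domain_suffix_match`), because the client then hands its inner authentication to whichever server answers.

```python
"""Flag WPA2-Enterprise client profiles that an evil twin can defeat.

Added example, not code from the SecTor talk or from any vendor's NAC or supplicant.
It assumes the real wpa_supplicant.conf syntax (network={ key=value ... } blocks) and a
constructed sample config; the weak PEAP profile appears beside the corrected EAP-TLS one.
"""
import re

# Constructed sample: three profiles for the same SSID as a laptop might carry them.
SAMPLE_CONF = r'''
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="Summer2017!"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jdoe"
    password="Summer2017!"
    ca_cert="/etc/ssl/certs/corp-root.pem"
    phase2="auth=PAP"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/ssl/certs/corp-root.pem"
    client_cert="/etc/wpa/jdoe.crt"
    private_key="/etc/wpa/jdoe.key"
    domain_suffix_match="radius.corp.example"
}
'''

TUNNELLED_PASSWORD_METHODS = {"PEAP", "TTLS"}
SERVER_NAME_PINS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_profiles(conf_text: str):
    """Return one dict of key -> value per network={...} block, quotes stripped."""
    profiles = []
    for body in re.findall(r"network=\{(.*?)\}", conf_text, re.S):
        prof = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, _, value = line.partition("=")
                prof[key.strip()] = value.strip().strip('"')
        profiles.append(prof)
    return profiles


def lint_profile(prof: dict) -> dict:
    """Grade one profile: 'high' = a rogue AP gets the credential, 'medium' = partial
    server validation, 'ok' = server pinned (and, for TLS, client cert present)."""
    eap = prof.get("eap", "").upper()
    ssid = prof.get("ssid", "?")
    ca = prof.get("ca_cert") or prof.get("ca_path")
    pinned_name = any(k in prof for k in SERVER_NAME_PINS)
    pinned_cert = bool(ca) and ca.startswith("hash://server/")  # pins the server cert itself
    server_ok = pinned_cert or (bool(ca) and pinned_name)
    if eap in TUNNELLED_PASSWORD_METHODS:
        inner = prof.get("phase2", "").upper()
        if not ca:
            return dict(ssid=ssid, eap=eap, severity="high",
                        reason="no ca_cert: any RADIUS certificate is accepted, so a rogue AP "
                               "harvests the %s exchange" % (inner or "inner"))
        if not server_ok:
            return dict(ssid=ssid, eap=eap, severity="medium",
                        reason="ca_cert set but no domain_suffix_match/subject_match: any "
                               "certificate issued by that CA passes")
        if "GTC" in inner or "PAP" in inner:
            return dict(ssid=ssid, eap=eap, severity="medium",
                        reason="server pinned, but inner %s sends the password in the clear "
                               "inside the tunnel" % inner)
        return dict(ssid=ssid, eap=eap, severity="ok", reason="server certificate pinned")
    if eap == "TLS":
        if not (prof.get("client_cert") and prof.get("private_key")):
            return dict(ssid=ssid, eap=eap, severity="high", reason="EAP-TLS without a client certificate")
        if not server_ok:
            return dict(ssid=ssid, eap=eap, severity="medium",
                        reason="client cert present but RADIUS server not pinned")
        return dict(ssid=ssid, eap=eap, severity="ok", reason="mutual certificate authentication")
    return dict(ssid=ssid, eap=eap or "none", severity="high", reason="not WPA2-Enterprise EAP")


def lint(conf_text: str):
    """Lint every profile in a wpa_supplicant.conf text; one finding per profile."""
    return [lint_profile(p) for p in parse_profiles(conf_text)]


if __name__ == "__main__":
    for f in lint(SAMPLE_CONF):
        print(f"{f['severity']:6} {f['ssid']} eap={f['eap']}: {f['reason']}")
```

Run it against a real `/etc/wpa_supplicant/wpa_supplicant.conf` and the first profile that comes back `high` is the one an evil twin on the corporate SSID will harvest; the `hash://server/sha256/...` form of `ca_cert` counts as pinned because it names the server certificate directly rather than a CA.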

The problem with this approach is that it assumes a wireless device quarantined in a VLAN is truly isolated and cannot communicate with other devices on the network. In reality, it can.

"On a wired network if you violate a rule imposed by the NAC, the NAC will see you and quarantine you," Ryan says. The model works because it banks on the assumption that the physical layer is secure.

"In wireless, you cannot keep two radio receivers from working with each other," Ryan says. "Client isolation is a logical control, not a physical control."

On a wireless network, WPA2-EAP is what stands in for that physical-layer protection: it is the only control deciding which radios join the network. If a weak form of WPA2-EAP is used, an attacker can take over the physical layer with a rogue access point and bypass the NAC protections entirely, he says.

At SecTor, Ryan will demonstrate two attacks. One is a so-called hostile portal attack that steals Active Directory credentials from a WPA2-EAP network without the attacker ever having access to that network. The other is what Ryan calls an indirect wireless pivot, in which rogue wireless access points are used to bypass port-based access control completely.

Ryan's hostile portal attack uses a rogue access point to force a client device that is trying to reach the enterprise wireless network to connect to the attacker's device instead, so that its authentication credentials can be captured. The attack then applies previously demonstrated techniques to crack the captured RADIUS credentials, which the attacker needs in order to complete the authentication and let the victim client fully associate with the rogue access point.

The indirect wireless pivot uses the same technique to let an attacker device sitting in a quarantine VLAN communicate with a victim device in a restricted VLAN segment. The pivot forces the victim to associate with the attacker's rogue access point and then redirects the victim's traffic to an SMB share on the attacker's system in the quarantine VLAN.

From that SMB connection the attacker captures the victim's NT LAN Manager (NetNTLM) challenge-response hash, cracks it using previously demonstrated techniques, and eventually has the victim device associated with the attacker's system in the quarantine VLAN segment, with the NAC none the wiser.

"The takeaway here is that you cannot rely on NAC appliances as a means of compensating for the risk" of not using EAP-TLS, Ryan says. When designing security mechanisms for a network, take into account how the underlying physical layer works, he notes. "Security controls that work on a wired network do not work the same on a wireless network."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
