Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

11/1/2017
10:15 AM

How Wireless Intruders Can Bypass NAC Controls

A researcher at this month's SecTor conference will demonstrate the dangers of not employing EAP-TLS wireless security.

Organizations using port-based network access control (NAC) devices to contain wireless intruders may be less secure than they assume.

Unless an organization is using the most secure WPA2-EAP authentication, an attacker with an initial foothold on the enterprise wireless network can bypass the protections enabled by NAC appliances and pivot deeper into the enterprise.

That's according to Gabriel Ryan, security engineer at Gotham Digital Science, who will present a paper on the topic at the upcoming SecTor security conference in Toronto this month.

Ryan's presentation on the "Black Art of Wireless Post-Exploitation" examines the implications of the practice, by many organizations, to use NAC appliances as a way to try and contain attackers who may have breached the wireless network.

Often, companies employ this method to compensate for the relatively weak perimeter security provided by EAP-TTLS and EAP-PEAP authentication mechanisms, says Ryan. Both protocols have long been susceptible to so-called evil twin attacks for harvesting usernames and passwords. But many enterprises still continue to use TTLS and PEAP because the more secure certificate-based, two-way authentication provided by EAP-TLS is much harder to implement.

Rather than using EAP-TLS to try and prevent wireless breaches from happening, many organizations instead rely on NAC appliances to identify and quarantine any devices that might manage to breach their wireless network protections.

The problem with this approach is that it assumes a wireless device quarantined in a VLAN is truly isolated and cannot communicate with other devices on the network, when in reality it can.

"On a wired network if you violate a rule imposed by the NAC, the NAC will see you and quarantine you," Ryan says. The model works because it banks on the assumption that the physical layer is secure.

"In wireless, you cannot keep two radio receivers from working with each other," Ryan says. "Client isolation is a logical control, not a physical control."

In a wireless network, WPA2-EAP provides the physical layers of protection. If weak forms of WPA2-EAP are used, an attacker can take control of the physical layer via rogue access point attacks and bypass NAC protections, he says.

At SecTor, Ryan will demonstrate two attacks. One of them is a so-called hostile portal attack to steal Active Directory credentials from a WPA2-EAP network, without network access. The other is what Ryan describes as an indirect wireless pivot, in which rogue wireless access points are used as a mechanism for bypassing port-based access control completely.

Ryan's hostile portal attack involves the use of a rogue wireless access point to force a client device that is trying to access an enterprise wireless network to connect with the attacker's device instead, so that authentication credentials can be obtained. The hostile portal attack then leverages previously demonstrated techniques to crack the RADIUS passwords needed for the attacker's device to fully associate with the victim client device.

The indirect wireless pivots method leverages the same technique to get an attacker device that is in a quarantined VLAN to communicate with a victim device in a restricted VLAN segment. The pivot involves forcing the victim device to associate with the attacker's network via a rogue access point and then relaying traffic from the victim to an SMB share on the attacker's system in the quarantine VLAN.

Attackers can use the technique to grab the NT LAN Manager hash from the victim device, crack it using previously demonstrated techniques, and eventually associate the victim device to the attacker in the quarantine VLAN segment.

"The takeaway here is that you cannot rely on NAC appliances as a means of compensating for the risk" of not using EAP-TLS, Ryan says. When designing security mechanisms for your network, take into account the way the underlying physical layer works, he notes. "Security controls that work on a wired network do not work the same on a wireless network."
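As an added illustration of the client-side configuration that takeaway points at (this is not code from the article or from Ryan's talk), the following Python script audits wpa_supplicant-style network blocks and flags profiles that still rely on PEAP or TTLS, that never validate the RADIUS server certificate, or that accept any certificate from the trusted CA. The sample configuration is constructed for the example; the option names (eap, ca_cert, domain_suffix_match, subject_match, client_cert, private_key) are real wpa_supplicant options, and the rule set is the editor's own, not a published standard.

```python
import re

# Constructed sample wpa_supplicant.conf for this example (not from the article).
# The first profile is the weak pattern the article describes: password-based
# PEAP with no server certificate check, so an evil-twin AP is accepted.
# The second profile is EAP-TLS with a pinned CA and RADIUS server name.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wifi-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/ssl/certs/jdoe.pem"
    private_key="/etc/ssl/private/jdoe.key"
    domain_suffix_match="radius.corp.example"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# key=value or key="value" on its own line; the backreference strips matching quotes.
KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)=("?)(.*?)\2\s*$', re.M)

# wpa_supplicant options that bind the TLS tunnel to a specific RADIUS server identity.
SERVER_PINS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")
EAP_KEY_MGMT = {"WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}


def parse_networks(conf: str) -> list:
    """Return one dict of option -> value per network={...} block."""
    return [{k: v for k, _, v in KV_RE.findall(body)} for body in BLOCK_RE.findall(conf)]


def audit_network(net: dict) -> list:
    """Return human-readable findings for a single network profile (empty list = OK)."""
    findings = []
    if not set(net.get("key_mgmt", "").upper().split()) & EAP_KEY_MGMT:
        findings.append("key_mgmt is not WPA-EAP: no 802.1X authentication at all")
        return findings
    eap = net.get("eap", "").upper()
    if eap in ("PEAP", "TTLS"):
        findings.append(f"eap={eap}: password-based inner method; a rogue AP can harvest the credential")
    elif eap != "TLS":
        findings.append(f"eap={eap or '<unset>'}: not EAP-TLS")
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert: the RADIUS server certificate is never validated")
    if not any(k in net for k in SERVER_PINS):
        findings.append("no domain_suffix_match/subject_match: any certificate from the CA is accepted")
    if eap == "TLS" and not ("client_cert" in net and "private_key" in net):
        findings.append("eap=TLS without client_cert/private_key: mutual authentication cannot succeed")
    return findings


def audit_conf(conf: str) -> list:
    """Audit every profile; returns [(ssid, [findings...]), ...]."""
    return [(net.get("ssid", "<no ssid>"), audit_network(net)) for net in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF):
        status = "OK" if not findings else "WEAK"
        print(f"{ssid}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run against the sample, the PEAP profile yields three findings (tunneled password method, no CA validation, no server identity pin) and the EAP-TLS profile yields none. The same checks apply to any supplicant that exposes equivalent settings; what matters is that the client both validates the server certificate chain and pins the expected RADIUS server name, since a CA check alone still accepts any server certificate that CA has issued.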



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
