Good morning. First announcement: I got a list of announcements here. Tommy Pickles could not make it. I have his presentation here; I've read it in Albertson's and I think I could do it. Second one: those people who have this badge, you know, everyone has this badge, right? Does anyone figure it out, the fourth clicking on it, like the Morse code that's coming out of it? That's wrong. It says "welcome to QueerCon." The fourth thing, or the third thing, that I want to do, and this is really asking you guys a lot: I really want to see if we can get a wave going, because no one's done it yet. So we could start it from either side. I think this side looks a little ambitious if we want to try to do the wave. It would be so awesome. Thank you guys. All right, good way to start off.

All right, this is 802.1x networking. Does anyone know what 802.1x networking is? Can I get a show of hands? All right, that's a good portion of you, so we don't have to do this then. Who wants to talk about Jenny McCarthy or something? If I'm not speaking loud enough at times, just yell. This is a pretty loose thing; I think we know each other well enough that we can yell at each other. Who is Tommy Pickles? Well, he did the DEF CON Cannonball Run for like four years, until he got a DUI in Las Vegas. It's not that funny. 15 years doing computer stuff: MTV, Google, Nature magazine, and that guy's a media whore. If you haven't seen him on TV, you probably don't live in any of the countries that speak English. Okay, what is 802.1x? That is one of the things we're gonna talk about. Why do we use it? How does it work? What is required? How do you set this up? What problems exist? Can the problems be fixed? And we'll try to answer as many questions as possible. All right, I'm really like dry mouth from last night, from, yeah, what stays in Vegas stays in Vegas, right?
Port-based network access. Basically, 802.1x is a way of securing network access and doing authentication over ports. It's not a wireless spec; a lot of people will confuse 802.1x as being a next-generation wireless. It's not. It's an IEEE spec that was created for wired Ethernet. It could be used for automatic VLAN assignments, which we'll talk about a little later, and obviously could be used to secure access, especially on wireless LANs.

Wireless example on why we would use such things: well, if you don't know already, WEP is very insecure, and this is the thing that everyone uses for network access. They'll use MAC address filtering and all that stuff. It's so easy to break wireless with replays and stuff like that, so you really shouldn't use WEP at all. It also slows down your encryption on your access point just by using the encryption on the access point. 802.1x or TKIP, you know, WPA TKIP, it's not open to replay attacks, so that's another reason why you should use better encryption. I could go through a lot of these things and talk about WEP. It's very useless to really talk about WEP and the man-in-the-van kind of stuff, because if I could stay outside your business long enough, I'm going to generate so many IVs that I can actually decrypt your traffic really easy. So it's not even worth covering WEP. These are all of the tools you can crack wireless with. One of the things that's really funny, if you haven't seen it, and I know it's really hard to copy the TinyURL on the bottom, but there's a really funny video where they actually crack a 40-bit WEP off of like a Mac laptop in like, I think it's like seven minutes or something, just by doing replay attacks. So you could show it to your bosses and say the wireless is insecure here, watch this video, and it has a cool like techno loop in the background.
So you don't get really bored. And also, let me give like props to like the Shmoo people, because AirSnort is pretty cool, especially since it does work on Windows as well. So if you're gonna run a packet capture and try to crack WEP, AirSnort's pretty good. If you want to go like really better than that, I would actually suggest BackTrack. BackTrack's a really cool CD, if anyone knows what that is. It was actually made from Whoppix, but they switched to Slax for the OS, and it's, you put it in and it's just a great cracking CD.

All right, wired example. Why would we use 802.1x? We're gonna want to force unauthorized users into like a guest VLAN. An example would be: you have a large company and you have conference rooms, and I come in with my little Ranch 1 bag or, you know, Pizza Hut bag. You don't know what's in it, and I'm walking around the office. I could always drop a laptop in the corner and just start capturing packets off your LANs. You're gonna want to force any unauthorized MAC addresses or things without a supplicant into a guest VLAN so they only have Internet only. The other thing you can do is you can take your wired assets, such as like an employee workstation. He works on one end, and she's a salesperson, and you want to swap those two seats. You don't actually have to call networking to swap those two people and put them in different VLANs. You could automatically do that stuff. All right, um, I already pretty much covered this. Basically, I worked for a company, aka Moogle we'll call it, because I don't want to disclose any information. Some smart people out there, lot of employees: sales, HR, IT departments. The problem is you want to be able to move these departments. You might have like 300 people in a department; you move them from one floor to another.
It's really hard to keep VLANs in track. So you might want to do something like have all these supplicants authenticate against a switch, and then you can actually switch them from floor to floor without even dealing with networks.

What's required? Anyone have any questions yet so far, like they don't understand, or you know... Every OS, this works with everything pretty much. What's required for an 802.1x network? You have to have a decent switch that actually supports 802.1x. You can't just buy a Netgear and it's gonna work in an 802.1x environment as an authentication switch. You're gonna have to get something more like, you know, like HP or, you know, like a 4000-whatever switch. The access points: a lot of access points out there will support 802.1x, but the wireless access points here tend to be a lot less favorable to 802.1x. If you go to like Dublin or something like that and pick up one of those Netgears, they always support 802.1x. So I don't know why other countries are ahead of us on the curve for security, but that's the way it goes. RADIUS: this is what you're gonna use to do a lot of your authentication. There's a lot of different RADIUS servers. I recommend FreeRADIUS because it says it right in the title: it's free. There's Funk, Radius NT and Radius X. Funk was just acquired by Cisco, I think about 2003. Juniper, thank you. So obviously it's a good product. They also make client software. There's a lot of free client software out there. xsupplicant is what you'd use on Linux. OS X has its own client. Microsoft has its own client. And you're gonna need a switched environment. 802.1x is heavily dependent on ARPing and MAC addresses. You can't run it in a broadcast network. You can't even run it through multiple switches unless you're a... funny. Excuse me, I got like really dry mouth. Blame Half-A for that, if anyone, you know, knows Half-A. Switched environment, because you basically have to ensure that that node is that node. All right, how does it work?
I'm not gonna read through this whole rigmarole, but basically it's passing authentication credentials to your authentication server. Your switch isn't really doing the authentication; it's the RADIUS server that's doing the authentication. It's only passing the credentials back and forth and then authenticating you on that switch, basically. This is how it kind of looks in a whole diagram, what it's actually doing. Think of the authenticator as your wireless switch, and your RADIUS is obviously doing your authentication. The supplicant is going to be your node. It could be even a wired node, it could be a wireless node, it doesn't really matter, and you're gonna pass some sort of credentials there, which can be certificates or it can be username and password. It's whatever you decide in your network, and 802.1x can support a multiple amount of protocols. This is even taking it one step forward, talking about how you can actually link your LDAP or your AD server to your authentication server to actually extend the authentication. I'll talk more about how you can actually, you know, tighten up security and use LDAP servers later in the presentation, but this is just one diagram to show you how everything actually works on different layers. This I don't think you're gonna be able to read, unfortunately, because it's so tiny, but everything's on the DEF CON CDs. I tried to get as much in this slide as possible, but it shows the authentication flow chart when you're actually using either a wireless node or a wired node. If you go through one side of the slide and you're wireless: if you connect to the SSID and you exchange the right TKIP and you're in the RADIUS, boom. At that point, you're either forbidden or you get the proper VLAN. And same thing on the wired end; you could do the same exact thing.
I wish I had some music in the background or something so it seemed like this conversation flowed a little more.

How would you set up 802.1x? The way you do this is you have to have a switch, some sort of switch that supports 802.1x. You have to have a RADIUS server; that's very important, and like I said, you could get a free one. You got to configure the secrets for the switch to talk to your RADIUS server, and I would do this through a very secure tunnel, because RADIUS, the way it talks, it's not very secure, and you could talk to the Shmoo guys; they have a great presentation on RADIUS insecurities. You want to configure your authentication on your RADIUS server. You could support like MS-CHAP, you can support MS-CHAPv2, you could support LDAP; it doesn't matter. Then you're going to configure the supplicant on the workstation. Some of this stuff on the workstation that you can configure is: you can configure the supplicant to actually use certificates; you could do it through TLS; you could actually do it through TTLS and only have the supplicant know what certificate you're authenticating against and then use username/password. There's 8 million ways of running it, probably, but not really 8 million.
There's probably 8 million minus 7 million, blah, blah, blah.

What problems exist with 802.1x networks? Laptop theft is one of them, and I'll tell you a funny story about stealing laptops. Supplicant configs are in clear text on a lot of these things, and obviously the Shmoo guys have this presentation on how RADIUS can be attacked. All right, if the laptop gets stolen, you have all these credentials on the laptop. So one of the things that is a problem is a lot of people don't report laptop theft, and when they don't, I could clone the MAC address, I could actually copy the authentication stuff, I could just take the hard drive usually out of it and put it in something else. Unless they're doing MAC authentication; still, cloning a MAC is very trivial. If this happened on a weekend, you know, a couple goes to Barbados and they forget their laptop, or think they forgot their laptop, and I have it, they're not going to call work until Monday morning, and usually security is not going to be there until Monday morning. So I have all weekend to break into that company, and if they have an edge VLAN for that laptop, it could be huge. Supplicants that have it in clear text: xsupplicant on Linux is in clear text. OS X has a supplicant also, and that's also in clear text, and whenever you put your username and password in, this is in the clear and you can get to it through the file system, which is true for most Linux and OS X stuff; a lot of stuff is in the clear. RADIUS can be attacked. Funny story, working at Moogle, we'll say: you might use a RADIUS server for more than one authentication. You might be using this for, say, one-time password and also be using it for something like, you know, your 802.1x authentication. If you DoS RADIUS and cause too many connections, because it's kind of limited with the UDP, because it serializes connections, you can actually take down the RADIUS server, and then you're not going to have any more authentications on your network. Can this be fixed? Laptops.
Yeah, maybe. Supplicant configs? Yeah. RADIUS protected from attacks? Sure. And is there more ways of authenticating users to make this more secure? Sure.

All right, I didn't write this in the slides because this is just between us, okay. Talking about laptop theft: I worked for a company called MTV. You might have heard of them. They have a big security booth at the bottom and X amount of floors above them, and I had red hair back then, so I was a target. People said, how can you be a hacker with red hair? They know when you're coming. Well, they also get really used to you coming in and out of the building when you have bright red hair and you talk sports with the guys at the security desk and all that stuff and make them happy. I actually didn't work there for a whole three years and still was coming in and out of that building, because they thought I worked there still, because I'm the other red-headed guy. So things we used to do, though, is we used to dress up as delivery guys for Ranch 1 and carry those bags that keep the food hot, because when you go in the building, they don't stop you. When you come out of that building, they never ask to search that bag.
So we'd have three or four laptops in there, just as a proof of concept, and then we would leave with them. There's a way of fixing this, and I'll talk about it in a second.

Supplicants in clear text: Mac OS has FileVault. I'm not a Mac OS guy; I don't know a lot of stuff about Mac OS. But one of the things, when we were instituting Mac OS X and a lot of, I mean, 802.1x in the companies that had OS X in it, we were kind of worried that it was in clear text, and if a laptop gets stolen, we don't want the credentials easily off this laptop. So you might be able to use FileVault and encrypt the file system, just like Microsoft encrypts its file system now, and IBM has a chip on their computer, or Lenovo or whatever, has a chip on their computer to do encryption. You might be able to just encrypt the file system. Linux is another issue. On Linux you might actually be able to write a shell script to GPG your credentials and then un-GPG the credentials, and that might be another way, so that you're actually putting in a really tight password to unlock your credentials. RADIUS: well, if you set up your networks properly, no one's going to be able to DoS your RADIUS unless they're inside, and if they're inside, you should know who is actually sending out this much traffic. You could just look at Cricket graphs and stuff.

All right, more ways of authenticating users. This turns out to be the best thing ever, because when you do set up 802.1x in a network, you usually set up the supplicant as a one-time, you know, you enter the password, username and password, and it sticks in there, because you don't want the CEO of your company sitting there entering something over and over again.
That's a randomized password, because he's going to get very upset at you. So what you do is you actually have it just, boom, you like put it in once and never take it out. Problem here is now, if I steal your laptop through a Ranch 1 bag and walk out of MTV with it, you're pretty much, you left a hole open. So you have to like get some other way of authenticating users. One way of doing this is you can actually connect your captive portal up on your network, so they actually go through a web browser, just like in any hotel, and authenticate that user, and there's ways of doing it through like Active Directory and LDAP. But you could also even go further than that and use cookies, or you could use some other way of letting that thing expire so the user has to do it again. And if you're doing it through Active Directory or LDAP, they're gonna use a password that they've always used for their email or whatever, so it becomes very easy, and said CEO doesn't get mad, and when they don't get mad, you end up keeping your job.

All right, that's all I got, really, much. I ran through it because I think this should be more of a discussion, and I really got a headache, so I wanted to know what questions and what could we go through to really drill this thing down. Go ahead. Oh, oh shoot.
See, I actually went through my slides and I thought I actually had that on my slide. Okay, one of the things that we actually worked with for MTV is we used those proximity tags inside the laptop shell. Like if you open up a laptop shell, you actually, on the IBMs, you have a lot of area between the laptop and the actual screen, so you could put a lot of stuff in there. Now when an employee leaves your office, they go through, you know, the Walmart security thing, and it'll start beeping on them, and if it beeps on them, they have to actually show ID when they walk out. So it just helps determine who was supposed to walk out with a laptop. There's other companies, such as the New York Mercantile Exchange I just worked for: they won't let laptops leave unless you're authorized to do so. They'll actually take your bag and they'll scan it through, you know, like one of those X-ray machines, and actually see if you have a laptop in your bag, and then if you do, they actually have to get some sort of authorization for you to remove the bag. Anyone else? Right over here.
True. Very true. You can do username authentication from the machine just by doing the machine. The problem is, when a user logs onto a machine, they're using their LDAP credentials, usually using username and password. When you bring up the 802.1x client, or the supplicant, you're not going to want to actually configure that for the same username and password, because now you're just making things a little too easy to hack. I know it's a little security through obscurity, but you're gonna want to configure it for something different. You're not gonna want your employees to type in something different all the time, because that will get them mad. So instead you create something that you can actually lock down to a time-based period of them going through a captive portal, therefore making it a little obscure. But you can take the Microsoft client and actually make it so that they have to enter a username and password each time. Funk is actually doing their Odyssey client the same way; they're actually making it so you could not keep a password in there. So there's different ways of not doing the machine; you could actually be changing that password as much as you want. But it's a lot easier to authenticate the machine on the network and then do a captive portal than actually make the machine just have one factor of authentication like that. Does that answer? Okay. Anyone else? Questions over here, in RADIUS? No? No kidding with you.
I believe it was you had a question about the guest VLAN: when it falls back to a default VLAN, is that done by the RADIUS server? And the question is, yeah, I mean the answer is yes. You could actually put VLAN IDs in your RADIUS, so when something authenticates against RADIUS, it actually throws a VLAN, like IDs like 101 or 102 or something, and that VLAN will actually be configured to your switch, what VLANs are actually thrown up. And if you don't authenticate, you could actually have it throw the guest VLAN from RADIUS or even from the switch at that point. Over here. On the what switch? It'll turn... on the VoIP switch, he'll turn 802.1x off. Okay, there seems to be an issue, he's saying, with a Cisco environment: when you're using a Cisco VoIP phone, it'll actually turn 802.1x off for that environment, for that particular node. We'll see in that, if you're using that though, it did not get back to a guest network, so I don't think... it depends what kind of network you're trying to hop VLANs. Does anyone work for Cisco in this room? Anyway, if they do, please raise your hand, because I want to talk some shit about Cisco. Oh really? Cisco has gone ahead and, Cisco makes a RADIUS server also. I didn't include it because they like to go outside the spectrum, the actual protocol; they actually run UDP over TCP, and that's to get more connections. So I don't use it. The other thing is, in a wireless environment, it's, I just, A, it's insecure; B, the LWAPP stuff is, I think, a generation behind. The Aruba network that we're using for wireless here, even though I think we're getting overloaded, Aruba is awesome. If any of you guys are thinking about doing any really severe wireless, I'll plug Aruba, because Aruba is just friggin' amazing when it comes to next-generation authentication. And the question somewhere. Oh, sorry. I'm sorry.
Okay, the comment was: when you're running VoIP on your network, it's going to be separated from your data network anyway. Again, depending on who's configuring your VLAN. Like, I'm not gonna bash any network engineers or something like that, but usually you're not gonna have... I've never had VoIP in a network either, because there was no reason for VoIP. Alexander Graham Bell did a really good job with telephones, so I will never go to a business and go, you got to do VoIP. It's really confusing. I do VoIP at home; I use Vonage, and I'm not gonna give any of you guys my phone number, but I don't use VoIP in business. So those are great comments, and if I ever have to do VoIP in a business, awesome. Next question. Don't see any hands. Oh. The question is getting rid of hubs that might be in a network when you're trying to prepare for 802.1x. It's really hard to tell you. Like, a lot of engineers love to do the dual machine thing and have their machines, and there's a lot of issues with that, so they'll want their actual switch. Most businesses, though, start running like four ports to each desk because they want to run their phone over a Cat 5 and stuff like that to do VoIP phones. But the only way to do that is actually put switches at desks and stuff like that and try to keep switches there. You can actually be really hurt if you actually put broadcast stuff on each desk. Your 802.1x will work sometimes only, like, you know, it won't work all the time. But if you have the other node come on there, you're gonna see all the traffic and be able to clone that MAC and do a replay attack against the authenticator server to actually steal that traffic or hijack it. So the best policy is just tight with security.
I just couldn't even name anything, because, you know, it's not something that I would... I've supported in a network. Say again? A remote wipe? No, that's why I've supported a captive portal, because the captive portal... I'm sorry, people who didn't hear the question, the question was: when the laptop gets stolen, what kind of endpoint security would we use if the laptop was stolen? Like a remote wipe or something. I've never used a remote wipe or even thought about that, because by using a captive portal, when the laptop is stolen, they would have to authenticate again against the captive portal to get back in. By that time, I should be notified by security or something like that that they actually had a laptop stolen, because to get someone's username and password, it might be trivial in some cases, you know, like keyloggers and stuff like that, but the chances, I don't think, are enough reward for the overhead of trying to work out some remote wipe software for, you know, like wiping out the credentials for 802.1x. That's true, PGP, even PGP Desktop I think actually works. Yeah, you could use PGP Desktop to encrypt the software on your laptop so that no one can get to those credentials. Anyone else? Over here. Yeah, he was talking about the LoJack software for laptops. Also, there is another piece of software.
It came out a long time ago. I'm not sure if it's still around, and you guys might remember it: the laptop actually gets stolen, there was one that actually had a modem dialer around the boot layer of the disk or something like that. So if it ever connected to the Internet or something, it would actually dial out and try to locate the laptop. I don't know if you could still use something like that, because people don't usually use modems now, and if you do, good, go on, Alexander Graham Bell. Over here. No. You know, I can imagine in the future, if it was that kind of printer. Usually in like a trading environment and stuff like that, I've seen that they always resort to a local printer, you know, and local devices; that way they don't use network devices. And if you were going to do 802.1x for that, there might be an actual node kind of thing, like a switch that you would connect to it, or something like a printer sharing switch or something, but I haven't seen anything come out like that. And the way that you would configure any 802.1x supplicants, I think there's just too many options in the network to actually have a shared device that actually uses 802.1x credentials, you know, because it's a firmware thing, and it's always changing.
I mean, who knows, one world will have MS-CHAPv3, which we should have coming out pretty soon after Vista, and that will be in like 2020 or something. Anyone else? Okay, true. Again, he's talking about if you hibernate a laptop and you already logged in with 802.1x credentials, you're already logged in, so what stops you from going to another location or, you know, getting back on the network if you steal a laptop? The one problem I see with that is when I hibernate, it asks for username/password when I unlock my laptop, so obviously it's going to secure my laptop by default, and that should be set by a help desk department or something as a security policy. The other thing is, that's why you would use probably a captive portal in your network, because, for example, one of the companies I worked for had a four-hour captive portal. So after four hours it would lock you out anyway, and you would have to re-authenticate through a browser, and now that you're using a username/password in your browser, you would actually secure yourself from that laptop being stolen and used on the network again. Over there. Can you say that again? Okay. The comment was, on a Cisco network, if you actually hibernate, it's going to force you to re-authenticate. If you have a link state change, which of course would be in a hibernation, it'll ask you to re-authenticate with the network. How am I on time? I don't want to keep on. Okay, you have like five minutes, ten minutes or something. So get them in while it's hot. Anyone, anyone over here? I hear two people talking. The guy here with the hat. Any captive portal software? Which what? Oh?
Oh, that I recommend using? No, the captive portal software, or the captive portal stuff, should come from your switch. Maybe I should have talked more about that. Your switch is doing all the authentication for you, like it's passing authentication back and forth. You're gonna want that switch to support a captive portal, and if that vendor doesn't support a captive portal, they should be working on one. And again, I don't want to bash Cisco, but Cisco is really hard to get a captive portal working with it. You can do it off of a server, but now you're adding confusion to your network if you're not doing all your, or enforcing your authentication from your authenticator, which is going to be your switch. That's the way to do it. Someone else was talking over here, the question... I guess it was you over there. Oh, yeah. Go ahead. Again, it depends how you design your network and your firewall controls whether or not you're gonna prevent VLAN hopping. I can't go into the way I'm gonna design a network here for VLAN hopping; we could be like here for a while, and I don't have a whiteboard. Anyone else? We got five more minutes here to actually talk to each other. You're saying, yeah, is there any authentication between the switches? In the networks I do, the switches don't talk to each other, because they're all talking to the RADIUS server for their VLAN controls. The switches, I think you're talking about core switches, right? I don't know what switches you're talking about talking to each other. Yeah. Yeah, yeah, they don't, though. That's the thing. Yeah, they don't actually talk to each other that way. Your switch is gonna be a core switch anyway. In an 802.1x network, it's got to be a core switch, because that's what you're doing authentication through. You don't want other devices basically screwing up your authentication there.
So your switch is actually a core switch, so it doesn't actually talk to any other devices. I think... let's say I got one more, and I'm out of here. All right, if you need to contact me or Tommy Pickles, this is the info you can get us at, and that's pretty much all I got. And if you see me around, I'm pretty good talking one-on-one; this is just a lot of people. And I really appreciated you guys doing the wave; that was pretty fucking awesome. So, thank you.
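An added example, not from the talk or its slides, showing what the "VLAN IDs in your RADIUS" answer and the guest-VLAN fallback look like at the attribute level: the three tagged tunnel attributes from RFC 2868 (the encoding RFC 3580 uses for 802.1x VLAN assignment), a parser that an authenticator would run over the Access-Accept, and the port decision. The encoder, parser and guest VLAN 999 are my own constructions, not any vendor's code.

```python
# Added example: RFC 2868/3580 VLAN assignment attributes in a RADIUS reply,
# decoded the way an 802.1x authenticator (the switch) would, with the
# guest-VLAN fallback the speaker describes. Standard library only.
import struct

# Attribute numbers and enum values from RFC 2868 / RFC 3580
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vlan_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """Build what a RADIUS server puts in an Access-Accept to assign a VLAN.
    Tagged integer attributes are Tag(1) + 3-byte value; the group id is
    Tag(1) + string (RFC 2868 section 3)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must fit in 5 bits")
    return (
        _attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_attrs(data: bytes):
    """Yield (type, value) pairs; refuse bad lengths rather than looping."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def vlan_from_accept(attrs: bytes):
    """Return the VLAN id only if all three attributes are present under the
    same tag and say VLAN over IEEE-802; otherwise None (nothing assigned)."""
    by_tag = {}
    for attr_type, value in parse_attrs(attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            # A leading byte above 0x1F is not a tag but part of the value
            # (RFC 2868 allows this for the string attribute); treat as tag 0.
            tagged = value[0] <= 0x1F
            tag = value[0] if tagged else 0
            by_tag.setdefault(tag, {})[attr_type] = value[1:] if tagged else value
    for entry in by_tag.values():
        if len(entry) != 3:
            continue
        if int.from_bytes(entry[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(entry[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        group_id = entry[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if group_id.isdigit() and 1 <= int(group_id) <= 4094:
            return int(group_id)
    return None


def assign_port_vlan(code: int, attrs: bytes, guest_vlan: int = 999) -> int:
    """Port policy from the talk: an Access-Accept carrying a valid VLAN puts
    the port there; a reject, or an accept with no usable VLAN, lands the
    port in the Internet-only guest VLAN (999 is a constructed value)."""
    if code != ACCESS_ACCEPT:
        return guest_vlan
    vlan = vlan_from_accept(attrs)
    return vlan if vlan is not None else guest_vlan


if __name__ == "__main__":
    reply = encode_vlan_attrs(101)  # constructed sample Access-Accept body
    print(assign_port_vlan(ACCESS_ACCEPT, reply))  # 101
    print(assign_port_vlan(ACCESS_REJECT, b""))    # 999
```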