So, anyway, our talk is, we call it BYO Disaster and Why Corporate Wireless Security Still Sucks. A little bit about us. We need to push some buttons, anyway. My name is James. I also go by PuNk1nPo0p online, back in the old IRC days and stuff. Independent security researcher, just an all-around nerd, boring guy, and with me I have Josh Hoover here, the guy that pooped today. Testing, can you guys hear me? No, you cannot. You're talking to us. No, you're not. That's fine. I'll switch over here. Yeah, I'm Josh. I've been coming to DEF CON since, well, since I had hair, and some of my friends over here, we're just starting to grow here, so we've been here for quite a while. Privilege to be here. Thank you for coming to our TBA talk. This picture Jim selected of me is supposed to be kind of a joke. Did you guys read our profiles at all online? You probably can't see it in the book, but online. There's a funny profile I wrote for Jim, and this is his way of getting back at me. I told him to pick any random picture you could find on Facebook, so that's the evil one he picked of me. Cool. So anyway, at the end of the day, we're just nerds with random ideas and inconsistent results. That's been the story of our lives.

So what we're going to talk about today is we're going to show you some ways to obtain clear text credentials without cracking a single hash for PEAP-enabled WPA2 Enterprise networks. There's been a lot of research and work in the past that involves gathering hashes and cracking them offline using brute force, dictionary attacks and those kinds of things. We're pretty lazy. We don't have time or want to spend a lot of time cracking hashes, so our whole thought was to come together and try to find an easier way, a faster way of capturing clear text credentials to gain access to networks. Secondly, we're going to release a tool that kind of automates the whole process and does things for you right out of the gate really fast.
So if anybody has done these attacks in the past, setting up the interfaces and all that can be kind of time consuming. So we've kind of automated that whole process for you. How we're going to do this is we're going to explore a new functionality issue, and I'll get into that more later, that we found with how iOS and OS X devices are handling MSCHAPv2. Secondly, we're going to demonstrate the use of EAP-GTC as an inner authentication mechanism in place of MSCHAPv2. So I'll go ahead and give it to Josh here and he's going to kind of take you through some of the technicals for MSCHAPv2.

So how many people here, show of hands, have ever set up a WPA2 Enterprise network or know the ins and outs of that? You shouldn't, but anyway, that's great. That's what that guy said right there. So it looks like there's a fair amount of you that haven't yet. So I'm going to kind of go over some of the technical details on exactly what our research was looking at. I'm sure most of you have set up WPA2 Personal at home, where you set a pre-shared key of some kind and you gave it an SSID and you connected to it, and you knew what the password is and you signed into it. Basically, WPA2 Enterprise just adds one extra component to that, usually a back-end authentication server of some kind. In this particular instance, it's the RADIUS server box you see on your right, I guess, of the screen. And that just adds another layer of authentication so you can authenticate every single client that connects to your network instead of just having one key that you'd use maybe at your home network. So you have a client that you see there on the left, an AP in the middle, and then we're adding an extra component for WPA2 Enterprise, which is the authentication server. In this particular instance, it's going to be a RADIUS server, but there are other options there for different kinds of servers, but this is what we were centering on for the MSCHAPv2 and GTC stuff.
And it's a lot of what you'll see in enterprise-level networks, and crazy people like us like to run this kind of thing at home for some weird reason. So what's the first thing that happens when you connect to an AP, right? I mean, most people are familiar with that, right? You pick your SSID and you connect right up to it. You pick your network name there and that's pretty easy. So I'm going to blow your mind with technical details here, right? Association stuff. I'm not going to really go into that portion of it, but it's worth mentioning that this is the first layer of attack for a lot of people that want to set up what's called an evil twin network. And basically what you're doing is you are mirroring the exact same SSID that your target is using and hoping that clients will connect to you instead of to the actual AP. And so that's the first layer of attack, called the evil twin. And that has to do with, it's going to get dangerous. These guys are going to be very angry at me because I actually don't drink, so. Drink! And your co-speaker has to drink, too. Yeah, Jim's got to drink double because I can't drink, so. You guys can throw things at me instead if it makes you feel better, though. We've got to drink all of them? Yes. No way. We're here to help. Here's for you. Here's for your co-speaker. You know how many times in my career I've had to take one for the team for this guy? And also, as you may be familiar, raise your hand if this is your first DEF CON. Why is it everybody's new? Wait, why are we pointing at him? All right, you get up here. And the lady down here with the striped dress on. I've got to suffer your suffering, too. It's your first-time speakers. Wait, wait, wait. What are you doing? Hey! Where's mine? Two more cups. Bear with us. They know it was my first time. They know. Did you pick it up from the bar? I know it's a double. No, we didn't do that last time. I tried one. What, we got more? Geez, all right, everybody. Come on.
We're actually out of coffee, so. All right. To all of you newbies, welcome. Thank you very much. I'm sorry, your time is up now. Thanks for having us. It's already coming out the other end. I have no idea what I was doing. Where am I? Hi. So, association stuff, right? We've got the shots covered. So, association stuff. We're connecting to the evil twin, blah, blah, blah. That's the first layer attack. Let's move on.

The next portion that happens in WPA2 Enterprise is what's called an EAP proposal. So, what's EAP? EAP is Extensible Authentication Protocol. That's just a fancy acronym for a methodology or a framework that's used for authentication of all kinds of services, and this particular service is going to be Wi-Fi. So it just allows you to add username and password, or certificates, or one-time passwords, something like that, to some kind of service. So the first thing that'll happen here in this portion is that the AP is going to request identity from the client. The client gets a pop-up on most clients that says nothing more than username and password. That's all it says. That'll be kind of important later, because at this point we haven't really established exactly what kind of authentication we're even using yet. So it's going to send over the identity, which in this case is the username or some kind of login name. And this is another layer of attack that a lot of people like to use, because now you could just stop here if you wanted and just gather usernames all day long. That's boring. We want passwords. We don't want to have to crack and we don't want to have to brute force it. So that only gets us one step. So after it sends that over, the next thing is PEAP, Protected EAP. So, unfortunately, EAP by itself isn't inherently secure. So if you were sending over hashes or whatever you're sending over using just regular EAP, you can pick them up usually over the air, because at this point there's no encryption at all.
So you could pick up anything. And so this is a way to protect that data. What PEAP does is it makes what's called an outer authentication and an inner authentication. The outer authentication is not very fancy, and the inner authentication is the actual user's or client's information. So it's attempting to protect that information inside of an encrypted tunnel, which is great if you're sitting on the outside and you're just sniffing it, but if you're the evil twin, they're sending it all to you. But you've got to make sure all this stuff happens, otherwise the client's going to freak out and it's not going to send you its credentials and its goodies that you want to get. So what happens next? So, anyway, the outer authentication happens next. We're going to do a lot of technical details here. It's TLS setup stuff, so you guys can look up TLS if you're not familiar with it. But there's a server cert that's on the RADIUS server that gets sent over, and it establishes a TLS tunnel in order to start sending over all the goodies, all the good authentication portions of whatever you happen to do. So after that you go into the inner authentication portion. That's inner PEAP. In this particular instance we're going to be talking about MSCHAPv2. Now, v2 differs from v1, and I'll explain this. MSCHAP is generally used for NT or domain or whatever Windows login, so username and password. It's a way to allow people to use that in order to log into a wireless network. So this is kind of important for a lot of enterprises out there because they want to make it easy. People don't want separate passwords or have to worry about key management, or people want to bring in their BYOD devices and just connect up to the network, and this enables them to use their normal login that they would use on the corporate network. So the first thing that happens in this inner authentication portion is what's called, oh, sorry, it just sends the identity again.
So it actually sends the identity again over to the RADIUS server. So it requests it and sends it. Yeah, great, we've already got that. That's nothing new. So the first thing that happens is the RADIUS server sends over a challenge, the MSCHAPv2 challenge. The client takes this challenge and takes its password and makes a hash from it, and then it sends it back to the RADIUS server. Now, an important part of v2 over v1 is that there's a dual authentication happening here. Both the client and the RADIUS server want to make sure that each other actually knows the password. So the RADIUS creates a challenge and sends it over to the client and says, hey, here's a challenge. Use this challenge portion to create a password for me, a hash, and send it back to me. The client says, okay, no problem. I will take that challenge, my password, create a hash, send the hash over to you. You know, it's a hash. There's lots of people here that can tell you how to crack those, but we're lazy and we still consider that too difficult for our small minds. So it will send that back over with an actual challenge of its own and say, okay, here's my hash, but I want you to tell me that you know my password. Here's my own challenge. Take this challenge, hash it with whatever you think is my password, and send it back to me. So the RADIUS says, okay, if I do actually have your password, I'm going to take this challenge and send a response back to the client. At this point, the client looks at it and says, okay, does this match? If it does not match, it's supposed to drop the connection at this point, which may or may not happen, as we see here going on, but this is an important part of v1 versus v2. Microsoft and Cisco specifically created this in order to try to circumvent some of what's going on here in the attacks you'll see here in a second, by making sure the client actually knows my password.
So, again, if that does work and it does actually know the password, then the RADIUS server will take that. It'll make its actual response and say, okay, your password was successful. Here's the response to your challenge. The client looks at that and says, okay, you do actually know my password, no problem. Let's send over a success to the RADIUS server. The RADIUS server says, great, we're all good. Let's start our connection. It sends, the client acknowledges that, and we're golden. So the inner authentication has happened correctly. Again, this is with MSCHAPv2. So what happens next is basically just an EAP success portion here. We're installing some special keys onto the AP to start up the actual encrypted network connection so they can get the rest of their IP address and everything that they need in order to get access to the actual network. And again, I'll blow your mind here with some really fancy connection stuff, right? I won't really go into that. But again, what we're really concentrating on here in our attack is the inner authentication portion, because we want the password. We want them to make a full connection to us, so we need to convince them that we know the password. We want them just to send the password to us anyway. And so this is where our research really focused. Now, anybody who's done, how many people out here do security research other than showing up to DEF CON? I guess you know how difficult this can be, especially if you run into stuff like this where you're trying to get a full connection and MSCHAPv2 is just hitting you in the face and saying, no, you can't have that connection, and you try again and it hits you in the face and whatever happens. So we found this funny little video that kind of reminds us, some of you have probably seen this before, it kind of reminds us exactly what this feels like. Yeah, it's not a whole lot of fun, but you know, she's okay, so you'll be okay too. You take a few hits in the face, but anyway.
So that's a little overview, a quick overview of exactly what our research is looking at, what the technology was. I think everybody loves that video. Okay, Jim, I'm going to pass over to Jim here and he's going to tell you about our actual first attack. Thank you for sitting through all of those technical details. All righty. So, you know, I have to say that I purposely only had like three drinks when I was coming in, that's just to take the edge off, so I'm going to do my best to get through these slides.

So anyway, the first attack, we call it the iPwner because it's centered around iOS and OS X devices. On the left side there you see some mobile device, a phone, and then on the right side we have the actual RADIUS server. We didn't put the AP in the middle, but if you can imagine, there's obviously an AP in the middle of this thing. So the RADIUS server is a patched RADIUS that kind of puts the exploit into there, kind of like what Josh Wright's done in the past with his patch for FreeRADIUS for capturing hashes and cracking those offline. We kind of did the same type of thing in a different, I guess, a different way. But anyway, the first thing that happens is the server challenges the client, like what Josh was talking about earlier. The client gets that, and it's going to send its MSCHAP response back along with its peer challenge. It's basically the client's way of authenticating the server to itself. It's basically to make sure that both people have knowledge of the clear text credentials. So once the server gets that in response, it's going to look in its database, and obviously as the attacker, we don't know what the user's password is at this point. So we have two choices. We can either tell them, cool, your password's good, or, hey, your password's wrong. So the first is that the patches that have been out in the past, they've been designed to say success for everything. Any password you send it, it's going to send a success in response.
When we do that, the peer challenge doesn't match for all devices, right? It looks it up in its databases: hey, you're full of crap, what you sent me back is wrong. And typically it drops the connection or it sits in kind of a limbo state. It won't actually establish a connection to the network, which is what we're consolidating this into, the one that worked, for you guys' sake. But anyway, so we reject the password. We just tell them, yep, what you sent me is incorrect. So the server then sends a TLV success at the end. So we tell that the user sends its password, we send it back saying, whatever you sent me is incorrect, expecting the client to drop the connection. For some reason iOS and OS X devices don't drop the connection. So we follow that up with telling the client that everything's good. We're going to go ahead and finish this connection and I'll send you a DHCP address, and it starts sending you network services. OS X devices go, well, you know, I don't really know what this means, but okay, cool. We're good. So, right. So the client sends us a TLV success at that point, meaning that they're ready for a DHCP address and everything else is going on. So the client checks it. Another crappy thing about your iOS and OS X mobile devices: most devices, when you're connecting to a secured wireless network, know that there's not a captive portal, so there's no reason to send a probe out saying, is there a captive portal there? iOS and OS X devices don't do that. They send that probe no matter what. So what we do is we capture that probe and say, sure, there's a captive portal on your secured network that you don't need. And we forward that on. So the captive portal, which is HTTP, right? They type in their password again and we get it in clear text. That's how the attack basically works. We're very happy. So, right. So we're not. So from a user's perspective, you know, what does this look like from your mobile phone?
So you get some manager that brings his personal phone to work and he wants to check his email because he's late for a meeting, all that jazz. Even Tony's looking at it. Yeah, like Manny right here in the front. Tony, Manny right here. Like those guys. Anyway. So you've got your MSChap test network. That's what we're calling it in this case. So you select it. It prompts you for your username and password like you're used to. You type that in. It's going to pop up a cert, right? How many users always accept a cert no matter what it says? It could say you're a douchebag on the cert and they'll say, okay, cool. So the next thing they see is this captive portal login. Now, you can make this login look however you want, but we just took a standard one. So the very next thing that pops up is like, oh, what the hell, I already typed it in. Maybe I got my password wrong. So they type it in again, and basically that sends us over your passwords in clear text. This last screenshot is what it looks like from an OS X device, like your laptops, your Apple laptops. It really just showed you that that's not accurate. So at the end of the day, you're getting your clear text passwords. You have a full man-in-the-middle connection at this point, so the sky is basically the limit. You can do whatever you want at this point.

So a recap of basically the attack that we just went through. So the supplicants on OS X and iOS devices don't appear to be handling MSCHAPv2 properly. They don't require that you send it a message. No. But basically at that point, so much for mutual authentication. MSCHAPv2 is there specifically for mutual authentication. In this case, it's not working. So we're bypassing that inner authentication mechanism. We can say whatever we want at that point, and we're just letting it go through and then establishing that connection. We're trapping the captive portal.
Probe requests are sent by default by these mobile devices, and we're just forwarding them like you would if you were mimicking a hotspot network at Starbucks or someplace like that. Not that we have done that, but just saying. And then the users enter their credentials again, and it's HTTP, so it's going to be sending clear text and we're there to capture them. So anyway, I'm going to, or actually the next slide here. So we'll talk about responsible disclosure. Not to say, first off, responsible disclosure, because Josh gives me crap all the time. But it's a good thing and we encourage people to do that. It's kind of like telling a kid in elementary school that you're going to tell on him before you tell on him, right? He's in trouble. You're just, I'm going to tell. So whatever. So anyway, here's how it went in this particular case. So we found a new issue. We're going to report it up the chain. Typically what happens is, hey, I discovered this thing that exposes your back door and I urge you to patch it before someone leaves laughing, because you guys don't have a sick sense of humor like me. But anyway, so that's what happens. Then the sociopath, right? The corporate, because they really don't care. They don't have a personality. Their response is, thank you. Though you're probably wrong, we will have some of our outsourced managers put ten 'tards on it right away and never get back to you. That's typically how it goes, right? Actually, in this case they did respond with their generic message right away, so anyway. So a month later, hey, can I get a status on that ticket I submitted, number nine, nine, whatever. And then you get a response, hey, me Josh, four, three, seven, nine, I see not what you say. I like gummy bears, ticket closed. Basically meaning that whatever you just told us is crap, and have a nice day. So okay, cool. So this is their actual response that they sent back. So basically they're telling us it's nothing.
And then they tell us at the end here, hey, you know, why don't you try this GTC thing, because that will just send the shit to you in clear text. So thanks, Apple. So we're going to go ahead and start our next attack. Wow, Apple, thanks. I don't know what to say. It's early Christmas. I mean, I'm not sure what's going on there, but with all this said, we actually were experimenting with GTC before. It was absolutely hilarious that they were giving us our next attack.

So what's GTC? Well, GTC basically replaces the portion of the inner authentication that's MSCHAP. And it was a protocol that was developed by Microsoft and Cisco for PEAP version 1. And it was created basically for token cards and one-time passwords. So you guys have probably seen those SecurID cards. You can kind of see them on the screen like this, or if you've played lots of video games these days. They're giving them out like candy these days. It's very similar to PEAP version 0 with MSCHAPv2, except it doesn't have a peer challenge. So a lot of it, I'm not going to go over the whole interaction again because it's all the same, except instead of the dual challenge and all of that stuff, it just sends over the one-time password. So it's similar in operation in that regard. So you guys remember what I said the client was asking for? Well, this is one of those areas where it might come in handy, right? If your client just pops up and says, give me username and password, you're like, oh, that must be my username and password from my NT login, right? Why wouldn't it be? It doesn't say one-time password, it doesn't say give me your token card. It just says give me your username and password. And this is kind of a weird, funky thing with clients we'll get into here in a second. But think about how we can do this. This is our next attack. It's called the PEAPing Tom. Basically the same kind of setup. There's an AP in here you don't see, but you've got your client; in this case it can be an Android or an iOS device.
The last attack was iOS only. And just before I get into this attack, this doesn't invalidate MSCHAPv2, and I think that's kind of what Apple was saying. But for some reason, you know, PEAP version 1 leaves, or PEAP version 2 comes out and people decide they don't want to do it. Apple still hasn't fixed their problems. So that's still a valid attack vector. Just because this is out doesn't mean another vector is not open. Something about front doors and back doors, and anyway. So what happens with our first attack here is we replace the RADIUS server with an attack server, just like the other one. Exactly the same. The server requests, well, you do the identity thing right in the beginning where it sends over the identity, just like in MSCHAPv2. Again, the client has already interacted with the user. So the client, just for some reason, is like, oh, okay, well, I've already got the password that he entered. Why not? Let's send that over. So the client responds with, sure, this is a GTC password. Why not? I just asked the client for username and password. So the RADIUS server, obviously, in this attack instance, we don't actually know the password. So GTC fails and says no password for user. We don't care. You know, where the RADIUS is. So it's a little shorter than MSCHAPv2, but the server sends over TLV success anyway and says, okay, your password looks good. And the client's like, sure, I trust you. Why not? I sent over the password. I'm not authenticating that you know it. It's a one-time password. Why would I do that anyway for a one-time password? And the client accepts and responds with TLV success, and then we have a full connection there, and a full connection is established. At this point, we can do all kinds of SSL strips or any of your normal attacks you might want to do against a client after you get him to connect to you. So once again, we're extremely excited and dancing because we got the client to attach to us. Great. Okay, great.
Everyone's excited about that. Yeah, yeah, yeah. Jim liked his video better, but Peanut Butter Jelly Time is old school, right? Okay. So what does the client look like in this instance? Again, this works on iOS, but I'm going to use an Android device because something different happens here with Android. See if you guys can catch on to what it is that's missing from this that was in the MSCHAP attack with the client. So the first thing that happens is, right, DefCon Secure. You guys all used the DefCon Secure network this weekend, right? Yeah. Right. So that was MSCHAPv2, just saying, anyway. Great. So we connect to DefCon Secure. We just type in our username and password. Again, it just says identity on Android, but whatever. Most people think of that as their username and password. And bam, we're connected. So what's missing here? That's right. There is no acceptance of the cert. Our cert is bogus. It's example.com or goofball.com or whatever. Dooshier.com. Android doesn't actually ask you to accept a cert, which is interesting, because that means later there's no user interaction. So this client interaction would change. If they've already connected to the corporate network or the DefCon Secure network and then they connect to your evil twin, it's a different cert, but Android doesn't care, accepts it anyway and just sends the password right on over. Okay. Awesome, right? I mean, anyway. Anyone see this this weekend at all on the DEF CON network? Not one person? Well, we saw it on a couple of people's networks. You know, shameless plug for our TBA talk, since no one had any idea that we were even in here, and we basically took a... one of my buddies down here that helped me, and he can raise his hand if he wants to. That's notoriety.
We basically took a Raspberry Pi and used our same attack tools in a slightly different configuration and basically just set up a captive portal, so that any time somebody connected to us instead of DefCon Secure, they got this captive portal page that popped up and said, hey... Jim doesn't know about this yet. This is a surprise for him. I took a lot of his work to do this, but I was surprised. He came a little late. Convenient for you. Yeah, yeah. Convenient for me. But, you know, promoting for us. So anyway, that's what we were doing there. So clear text, anyway. So where do we get the password in this particular instance? We didn't have a captive portal. Well, gee, RADIUS, it was totally awesome of you to put your clear text passwords in your debug file for us. Cool. That's kind of weird, right? But if you think about it, it's a one-time password. So if somebody sees it in a RADIUS debug, what does it really matter? This is an actual MSCHAPv2 password that somebody mistook for a one-time password. Because again, the way the clients are developed, and I know I keep going back to this, but this is a big thing: the way the clients are developed, they just ask you for username and password. You don't have any indication of exactly what they're looking for. So that's a big deal there. And again, this is an actual screenshot from this weekend from the DefCon Secure network. I've blanked out the passwords because, I don't know why, who cares, but I did blank it out. But I don't know if anybody notices their password. We've got an MAA in there, and a WGRETZ user, and an RFDESO. Anyway, so that was from this weekend. Just to show you another example. I just want to say I had nothing to do with his attack that he did today or over the weekend. Sure, sure. You say that now. So let's talk about it. Let's do a recap on exactly what happened here. What does it work on? So PEAP version 1 works natively.
So that includes things like iOS and OS X again, so your actual Mac computer or your personal device. It works on Android, again without a cert at all, which is a huge deal in these attack environments because it just sends you that password right on over. I don't care if it's a one-time password. Here's my goodies. Unix will work, but the user is really going to have a lot of interaction here. They're really going to have more with, say, like Ubuntu or something, but I didn't do an exhaustive test on all of the different platforms out there. But with Ubuntu, the attack would work, but typically, I'm just going to say it outright, Linux users typically know a little bit more about what's going on and why is that cert, why is that cert, say, butthole.com instead of example.com or whatever it's supposed to be. Windows, there's no native support. You'd have to install a supplicant or some kind of other software in order to get PEAP version 1 in Windows to work, but again, that wasn't really our focus. Our focus here is execs or people that just want to bring in their phones or whatever mobile device or whatever device they have. They bring their own device, bring-your-own-disaster kind of crap, and connect up to the network because that's who they are and they can. So that was really the focus here, but again, it doesn't really work on Windows, for once ever, right? It includes clear text passwords. We don't have to do a captive portal. We could; in this instance I used it to advertise, but you could just serve them off to the Internet, or even more fun, you could have them connect to DefCon Secure and serve them off to regular DEF CON, because that's fun. Anyway, instant capture of MSCHAPv2 passwords on iOS devices after the user accepts the cert from the evil twin. So on iOS, you will actually have to accept the cert, so it won't just happen in their pocket, right?
There were tons of you around; we just kept seeing their passwords over and over and over again, because they were on Android, but if you're on iOS, it will actually pop up and say I don't recognize this cert, and most people will be like, yeah, I want my porn. Give me access, okay. So anyway. So we're going to go into our demo here and the tool that we spent a lot of time on. I'm going to hand it over to Jim because he's going to give you the intro and then we'll pull up the tool.

So, we're going to go into the system. We've used Ubuntu 12.04. Both the server and the desktop versions work great out of the box, so if you want to download those, you can. A Wi-Fi adapter is needed. The Alfa one there is the one that we've used. The important thing is we're using hostapd in our tool set, so as long as your card is supported by hostapd, it should work just fine. Our custom patch that we made, it just basically goes in and changes some of the modules built into FreeRADIUS, the PAP module and the MSCHAPv2 module, to send the right stuff over to these clients and, you know, get them to establish the full connections. So you want to download that. And then the LootBooty Wi-Fi tools is just a tool set that we developed. We wrote it in Ruby. I always feel like, why the hell did you guys use Ruby? So Ruby, basically, to me, it's like the canvas for people that can't draw, because I suck at coding. So you can take a giant shit on the canvas and smear it around with your hands, and it always works. And once you guys download the tool and you look at the code, you're going to go, now I know why he said that, because he does suck at coding. And I do. I just have enough energy to make things work. I don't do it right by any means. So here, you want to take this one? Yeah. This is sweet. So Josh is going to pull up our live demo here. And we encourage you guys to try this, those of you that were not smart enough to turn your phones off before you came in.
This is really meant to be used in a VM, by the way. You probably don't want to run this just the way it's set up right now. Or you can just download it and look at the code and do it however you want, like we did on a Raspberry Pi. But anyways, it's a menu-driven system. So we've got two of the attacks built into there, the two attacks that we talked about today. The first one is... I can't even see it from over here. So the Peeping Tom attack. We're doing that one first. Yeah, Peeping Tom. Okay, so we'll go ahead and do the Iponer first. So you go ahead and select option two. It's going to tell you a little brief description of what the attack is going to do, so you kind of have an idea of what's going on. Can you guys see that at all? Okay, let's make the font bigger here. Sorry. There we go. Jerk. That's right. How about that? Is that any better? Even bigger? I'll say. Okay, we'll try it. Huge! Size matters, right? So says the lady in the front right here in the striped skirt. This is as big as it goes, though. No more medicine for me. Anybody notice her limp when she walked in the room today? That was me. Just saying. Use your imagination. Team I, buddy. It was this crap they made me drink. I know, I know, I know. You took one for the team for me, too. That was yours.

So anyways, menu-driven system, cool pictures, ASCII art, we like that. How many people like Colorize with Ruby? Nobody! Thank you! It looks really cool, though, right? I mean, old school, kind of neat. Josh likes colors. Anyways, so start. How hard is that, right? So you type in your wireless interface; in this case we're using wlan1. We're going to tell it the network name that we want to clone. So whatever company you're working for, you'd want to type that in there. We're using what? My computer? "My Company Rules." When you guys see this, start connecting to it. Please. Seriously, we're not going to steal your stuff.
So if you want to spoof a MAC address you can; we put that functionality in here because it's kind of fun to do. You can take whatever your card's default MAC address is. You can select the channel if you'd like. If you hit enter it's going to default to 9. I don't know why I picked 9. I just did. Anyways, so it's going to go ahead and start a bunch of stuff. Basically what it's starting is a FreeRADIUS, if you guys have ever used that. On the top left there, that's your FreeRADIUS. On the bottom left corner is your web server. That's going to show you the captive portal. Well, it's using, I think it's called WEBrick. So you'll see as people are trying to hit your portal. Over on the right-hand side, you're going to see hostapd, and that's basically, if you want to see it from an access standpoint, you're going to see all the people associating with your access point. You're going to get their MAC addresses and that kind of information. And the big screen in the middle is basically your captive portal creds, which is what you're waiting to pop up. That's when people have made the connection, and then they're going to type in their credentials again. So hopefully somebody's doing it. It looks like we've got plenty of activity here. I will say you can type in whatever you want. So if you want everybody in here to see it, go ahead and do it now. Just try not to make it totally horrible. And again, this is iOS only. So if you're trying this with your Android device, it won't work, because the MS-CHAPv2 vulnerability is only Apple. I'm a loser. You're good. Well, nobody's done something really offensive. Bring it. Yeah, well, yeah. This is the kind of place you'd expect it to be. Of course everybody's afraid of it, right? So this is it. If you're doing a penetration test in a corporate environment that's using WPA2 Enterprise, which most of them do, you spin this tool up and you wait 10 minutes or 15 minutes until... Somebody fucked your mom, Jim. Oh!
I fucked your mom. I know I've tried to talk to her about that a few times, but she does her own thing. I encourage you to go for it. Good for you. Remember to do the poll and pray. Okay?

All right, so the next attack is the Peeping Tom one. So the first one only works on iOS and OS X, because that's the only people that are screwing up MS-CHAPv2 at this point in time. So the second attack is Peeping Tom. That works on basically everything that supports GTC. So the same type of thing. You hit start, you type in your wireless interface that you've got plugged into your machine. It's "My Company Rules," right? "My Company Rules" is the... "My Company Rules," yeah. You're right. And then if you want to spoof a MAC address; no, we're not going to in this case. We go ahead and hit enter. We don't care what channel we're using. And basically the same things are starting up. You've got your RADIUS server starting up, so you can see what's going on from that perspective. And then you've got your GTC passwords. The cool thing about this, so if you've ever connected to "My Company Rules" before, and you've accepted the cert or whatever, it's automatically going to send your stuff over now to this one, because your Android devices are going to ask you to accept the cert. It's just going to automatically send us your stuff. Yeah, and all you people that already connected with iOS, as soon as we spun this up, it automatically sent your password over without doing anything, because you've already got it. Otherwise you would have to accept the cert. But this is just a demonstration. Fuck the police. I like the monkey balls. Who did that? Raise your hand. You're my hero. All right. I got monkey balls. We love you. Thank you. So anyway, yeah, I mean, it's just a great way to see exactly how the attack works right in a row, right? The first attack was you logging into your company. The second attack is, no, it's not even asking you for your credentials. Again, it's just logging in. I sent you that.
So how many people are familiar with Aircrack? Sweet. Everybody's used that, right? You know the thing they've got that just automatically responds to any probe request. So imagine if you were just responding to anybody's probe request in this scenario who has connected to a corporate network before, and you're spinning up a fake corporate network. It's going to automatically start sending you their logins and passwords that they've used in the past, which is kind of a big deal. Just saying. The guy that didn't drink his alcohol. Boo. Boo. Don't hate me. I'm sorry. You can beat me up later, I swear. Okay. No, you can just do it. You can take my word for it. All right, where are we? Let's see. We're beeping. All right. How about that?

Okay, so let's talk a little bit about how we came about with this. And how did we achieve it? So, historical perspective. The first thing we decided was, wow, you know, Josh Wright and, who's the guy that did the divide and conquer talk? Anyway, Moxie. It was Moxie, right? Anyway, so there's been a lot of really good talks on how to crack passwords from WPA2, or crack the actual hash. And I don't have access to a web infrastructure or giant virtual infrastructure online or 10,000 GPUs or 10,000 PS2s or whatever the cool kids are doing these days. So we really wanted to make it easy, and we're just like, you know, we're lazy. Cracking hashes is too hard. There's got to be another way to do this. Can we just trick the client into giving it to us? That way, establishing some kind of full connection and maybe just, you know, hand it over directly to us so we don't have to crack it. Obviously that's what you guys just saw. Well, like you guys saw, what if we just accepted everything that RADIUS actually got sent and sent it back? Well, then you saw that there were actually some problems with that, where MS-CHAPv2 actually worked correctly and just dumped the connection.
So we started playing with that idea of, you know, what if RADIUS just said everything was okay? Can we trick the client somehow into making a full connection with us and then do something with them later to get the password? And so basically we started from some past work. Josh Wright did some really good work on patching RADIUS to actually output the hashes directly in the RADIUS debug file, so then you could take those hashes and try to crack them offline or do one of the other different attacks or brute force or whatever you want to do, which again was too hard for us, but we started kind of with that. And then we moved on from there and said, well, what else do we need to do with RADIUS? And I basically put Jim in a little box and I didn't let him come out for air for two weeks, a month, something like that. A month. And I started going through every single module, and we said, well, what about that one? What about that one? What if we send this back here? And a lot of people seem to be kind of interested in that and how we figured that out. And neither of us are coders at all, right? We started with somebody else's work. We didn't want to crack the hashes. We did this tool in Ruby that's really kind of scripty. So how can we do this to make this easy? And again, starting with this yielded unexpected discoveries, right? We ended up finding a vulnerability, as far as we know, for iOS that has never been reported. You know, when we told Apple about it, obviously they told us to get stuffed. But, in so many words, but, you know, it was just random. And I really encourage you guys that are interested in this kind of stuff to test things that people say work, right? You don't have to necessarily write a buffer overflow or stand on your head and do naked cartwheels or whatever it is it takes you to do where you want to go. But just test things that you think should work that way. If they say it should work that way, test it. Make sure. You know, there were times in my...
And I was like, well, MS-CHAPv2 doesn't work that way. There's no way that'll work. But here it is. Undiscovered discoveries here. So, you know, no, we didn't invent time or the flux capacitor or anything really cool like that. But what we did come up with is this patch. Again, I put him in this box and he came up with this crazy patch for RADIUS that allowed us to test this and allowed us to see what would happen when we just accepted everything in certain ways. And so that was where the meat and potatoes of what we're giving to you guys today, other than, you know, anybody ever set up wireless attacks? It takes some time. One minute. Okay, good. Perfect. It can take some time to set that stuff up. So, what we're giving you today is the patch, so you can test this against your own infrastructures or wherever else you want to test it, and some easy ways to set up the tools really, really quickly. I'm going to pass over here to Jim for the last slide. He's going to tell you where to get some of this stuff. The last 30 seconds.

So, lootbooty.com is basically just going to forward you on to our GitHub site. You can download the tool. You can download the patch. It has an installer script that you can run. It's called sysprep. It's basically just going to do an apt-get and download some of the libraries that you're going to need and just make things a lot easier for you. But again, read the code. Make sure you understand what's going on before you run it against your own corporate environments and all that jazz. I promise it won't send your passwords over to us. You should check, though. Yeah, literally check. And then the picture is just a jab at what's going on in the media today. Stop spying on me. I don't do anything cool. I promise. Anyways, that's our talk. We appreciate you guys taking the time to listen to us. Thank you.
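The Peeping Tom attack above works because EAP-GTC (RFC 3748, section 5.6) carries the user's reply as plain text inside the PEAP tunnel: once the client has accepted the evil twin's certificate, the inner EAP-Response/GTC that reaches the rogue RADIUS server contains the password itself, with no hash to crack. The following Python is an added example written for this page, not the LootBooty tool or its FreeRADIUS patch. It encodes an EAP-Request/GTC prompt, parses the EAP-Response/GTC a supplicant returns, rejects truncated or mismatched packets, and contrasts it with an MS-CHAPv2 (type 26) response, whose Type-Data is challenge/response material rather than the password. The "RESPONSE=identity\0password" layout is the convention wpa_supplicant uses for PEAPv1/GTC when the prompt starts with "CHALLENGE="; the sample packets and the credentials in them are constructed for the demo, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# EAP codes and method types from RFC 3748.
EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_GTC = 6        # Generic Token Card: the reply is plain text
EAP_TYPE_MSCHAPV2 = 26  # challenge/response: Type-Data is not the password

# EAP header: Code(1) Identifier(1) Length(2, big-endian, whole packet) Type(1)
HEADER = struct.Struct("!BBHB")


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: int
    type_data: bytes


def encode(pkt: EapPacket) -> bytes:
    """Serialize an EAP method packet; Length covers header plus Type-Data."""
    length = HEADER.size + len(pkt.type_data)
    if length > 0xFFFF:
        raise ValueError("EAP packet too long for 16-bit Length")
    return HEADER.pack(pkt.code, pkt.identifier, length, pkt.eap_type) + pkt.type_data


def decode(buf: bytes) -> EapPacket:
    """Parse an EAP method packet, rejecting a truncated header or a Length
    that claims more bytes than were received. Bytes past Length are padding
    per RFC 3748 and are ignored."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated EAP header")
    code, identifier, length, eap_type = HEADER.unpack_from(buf)
    if length < HEADER.size or length > len(buf):
        raise ValueError(f"bad EAP Length {length} for {len(buf)}-byte buffer")
    return EapPacket(code, identifier, eap_type, bytes(buf[HEADER.size:length]))


def gtc_request(identifier: int, prompt: str) -> bytes:
    """EAP-Request/GTC: Type-Data is whatever displayable prompt the server picks."""
    return encode(EapPacket(EAP_REQUEST, identifier, EAP_TYPE_GTC, prompt.encode("utf-8")))


def extract_gtc_reply(buf: bytes, expected_identifier: int) -> Optional[Tuple[Optional[str], str]]:
    """What the inner-EAP server sees after the TLS tunnel is up.

    Returns (identity, secret) for an EAP-Response/GTC, or None when the
    response belongs to another method (e.g. MS-CHAPv2). Identity is None
    unless the supplicant used the wpa_supplicant "RESPONSE=id\\0pw" form.
    """
    pkt = decode(buf)
    if pkt.code != EAP_RESPONSE or pkt.eap_type != EAP_TYPE_GTC:
        return None
    if pkt.identifier != expected_identifier:
        raise ValueError("EAP Identifier does not match the outstanding request")
    data = pkt.type_data
    marker = b"RESPONSE="
    if data.startswith(marker) and b"\x00" in data:
        identity, _, secret = data[len(marker):].partition(b"\x00")
        return identity.decode("utf-8", "replace"), secret.decode("utf-8", "replace")
    return None, data.decode("utf-8", "replace")


def demo_exchange() -> Dict[str, object]:
    """Constructed inner-EAP exchange (not captured data) for three supplicants."""
    ident = 7
    request = gtc_request(ident, "CHALLENGE=Password: ")
    # Plain GTC reply, as a phone that types the password straight back would send.
    plain = encode(EapPacket(EAP_RESPONSE, ident, EAP_TYPE_GTC, b"hunter2"))
    # wpa_supplicant-style reply to a CHALLENGE= prompt: identity, NUL, password.
    wpa_style = encode(EapPacket(EAP_RESPONSE, ident, EAP_TYPE_GTC, b"RESPONSE=alice\x00hunter2"))
    # MS-CHAPv2 response; payload is an opaque placeholder here, the parser never reads it.
    mschap = encode(EapPacket(EAP_RESPONSE, ident, EAP_TYPE_MSCHAPV2, b"\x02\x07\x00\x05"))
    return {
        "request_type": decode(request).eap_type,
        "plain": extract_gtc_reply(plain, ident),
        "wpa_style": extract_gtc_reply(wpa_style, ident),
        "mschap": extract_gtc_reply(mschap, ident),
    }


if __name__ == "__main__":
    for name, value in demo_exchange().items():
        print(f"{name}: {value!r}")
```

The point of the contrast is the one the talk makes: against GTC the rogue server only has to be trusted (cert accepted) and then read Type-Data; against a correctly implemented MS-CHAPv2 client it has to win the mutual-authentication step it cannot complete without the password, which is why the plain "accept everything" RADIUS dropped those connections.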