Securing Wi-Fi Networks

We recently discussed how to break WPA2 keys very quickly using cloud computing. We’ve also looked at how to use a Rogue AP to capture user credentials from a network using PEAP (MSCHAP).

In this article we’ll look at hardening Enterprise wireless networks from these attacks.

The most secure option is to utilise mutual authentication (where both the server and the client authenticate to each other) using digital certificate based authentication, such as offered by EAP-TLS. However, there can be more administrative overhead involved in the deployment of these networks and therefore PEAP may be offer a balance of security and overhead.

To be clear, we recommend the use of EAP-TLS wherever possible – but if you must use PEAP, we offer the following hardening steps:

Hardening PEAP (EAP-MSCHAPv2)

PEAP (EAP-MSCHAPv2) can be used either with the user password or the machine account password. Using user passwords is potentially a bad option as it lowers the security of the wireless network to the strength of the weakest user password. Therefore if PEAP is to be used, using the machine account is recommended. We discussed how quickly threat actors can break user passwords password hashes previously; the short story is – very quickly.

If using PEAP the configuration can be hardened to prevent attacks such as Rogue Access Points, by ensuring only the expected certificates are trusted.

This can be done with Group Policy:

Computer Configuration → Policies → Windows Settings → Security Settings → Wireless Network (IEEE 802.11) Policies

In Protected EAP Properties select:

• Trusted Root Certification Authorities: select just the relevant Root CA for the certificate in use
• Connect to these servers: type the names of the servers as given in the certificate subject field
• Select Do not prompt user to authorize new servers or trusted certification authorities

That’s it!

Read More

• Wireless Security: WEP
• Wireless Security: WPA
• Breaking Enterprise Wireless
• Bruteforcing WPA with AWS