The tale of a rogue access point
Wireless for all
In late 2014 UPC has activated a roaming wifi service called Wi-Free on it’s CPE devices. The service is designed to allow subscribers to use each other’s network connections and thus create a sort of a roaming network. The service is appealing to many users since it provides fast and unlimited internet access almost everywhere in contrast to the usually slow and expensive mobile network packages.
The service is activated for all subscribers by default, with the possibility to opt out; in which case the user can no longer access the wireless network.
How it works
The Wi-Free service works by setting up a secondary access point on Wi-Fi enabled devices. Subscribers can register for a username/password pair to access the network. New users are assigned with a randomized password consisting of eight alphanumeric characters and symbols.
When a user connects to an access point he/she gets a public IP address on UPC’s network. All traffic between the private network (including the CPE device) and the roaming wifi is firewalled off; the router acts only as a gateway forwarding packets to the public internet. Compromising the gateway is not possible from the Wi-Free network without some kind of serious vulnerability in the firewall or the network stack of the device’s operating system.
The weak spot
The secondary access point is protected by WPA2-Enterprise using the PEAP/MSCHAP2 802.1X authentication protocol. Generally WPA2-Enterprise authentication is considered secure if both the access point and the client can verify the authenticity of each other and the authentication is done through a secure protocol. The authenticity of the client can be verified either by a certificate or by the credentials it provides. The authenticity of the server must be verified using a trusted certificate.
Without authentication implemented for the server, a malicious user could easily set up a rogue access point which advertises itself as part of the wifi network, but secretly gathers credentials sent to it by the users trying to connect. The attacker could also perform a MITM attack by providing network access.
Unfortunately UPC provides no CA certificate for it’s Wi-Free access points and has made no attempt to warn it’s users about this kind of attack. A user connecting to the Wi-Free network cannot know whether he/she is connecting to a legitimate access point. To further aggravate the problem, most devices automatically try to connect to wireless networks when the network’s name (ESSID) matches the name of a network that was connected to before.
The attack in detail
Setting up the rogue ap
To perform the attack the attacker needs to set up both an access point and an authenticator. On Linux this can be done using hostapd
and freeradius
.
There is a modified version of the radius server called freeradius-wpe, which adds patches for logging credentials and it is preconfigured to request the weakest authentication method possible. Unfortunately for the attacker, the authentication method cannot be downgraded to plaintext methods in this case. To gain access to the Wi-Free network, the attacker has to crack a NETNTLM hash.
NETNTLM hashes are a challenge response variant of the NTLM hash. Both the client and the server chooses a random challenge, so cracking these hashes using a rainbow table is not possible. Bruteforcing is still an option however, and a powerful GPU would crack any eight character NETNTLM password in a matter of days.
freeradius-wpe logging a sample NETNTLM hash:
1 2 3 4 | username: TEST challenge: de:3c:d4:df:27:80:91:c3 response: d7:91:78:05:e5:15:91:44:34:5a:42:e7:c7:4c:d4:d5:29:fa:5e:e5:23:a6:4a:a7 john NETNTLM: TEST:$NETNTLM$de3cd4df278091c3$d7917805e5159144345a42e7c74cd4d529fa5ee523a64aa7 |
Challenging the challenge
Using the technique described in "Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate" we can crack any MS-CHAPv2 challenge in a matter of days, regardless of the password strength.
The NETNTLM challenge-response protocol in essence works as follows. The server chooses a random 16 byte challenge (S) and sends it to the client. The client then chooses another random 16 byte challenge (C) and calculates the challenge as follows:
The client then calculates an MD4 hash of the password and zero pads it to 21 bytes. The zero padded hash is split into three parts $K_1, K_2, K_3$.
In the last step, the client calculates the response and sends it back to the server for verification. The chunks $K_1, K_2, K_3$ are used as keys for encrypting the challenge.
Since we can authenticate using the MD4 key, we don’t have to know the original password and we can attack each $K_i$ independently. DES has a complexity of $2^{56}$ and our default passwords have $\log_2(96^8) \approx 53$ bits, thus setting a longer password could only make the time needed for bruteforcing the key at most eight times longer.
The last key $K_3$ can be bruteforced easily since it has only two non-zero bytes, meaning that we need to check at most $2^{16}$ keys. Cracking the two remaining keys doesn’t take much more time than cracking one of them, because the same data is encrypted in both cases, so we have to go through each key only once.
Conclusion
We have shown that it is possible to gather a large number of credentials for the Wi-Free network and that choosing a stronger password doesn’t increase the time needed to bruteforce the key. An attacker can perform a MITM attack using the rogue access point or using the recovered key can decrypt previous traffic where the 4-way handshake was captured.
Never trust networks you don’t own. If it is possible, connect using a trusted VPN. It might not solve every problem, but at least your traffic will be secure.