Thread 1/14
I'm going to cover some of this in my Defcon talk on Fri, but it's important to understand the wifi threat model. https://x.com/defcon/status/1026635046021677056
8/7/2018, 10:47:41 AM
Favs: 35
Retweets: 17
2/14 When defending against rogue AP attacks, enterprise wifi auth security basically comes down to a single certificate validation, that of the RADIUS server.
8/7/2018, 10:48:11 AM
Favs: 2
Retweets: 2
3/14 In wifi it's hard to do cert validation because the CN doesn't match the wifi name like a website cert's CN matches the hostname.
8/7/2018, 10:48:47 AM
Favs: 3
Retweets: 0
4/14 So the most common way to validate a cert is based on its CA. That's the default for Linux and Windows. The Defcon cert is from DigiCert. Windows can be fixed, Linux can't.
8/7/2018, 10:49:48 AM
Favs: 2
Retweets: 0
5/14 If you just validate on CA, then I can buy a DigiCert signed cert, and your wifi client will happily accept that as valid. Defcon's Linux config is vulnerable to this.
8/7/2018, 10:51:00 AM
Favs: 4
Retweets: 0
6/14 That means a rogue AP can automatically intercept the credentials you create on the portal. Username in the clear but creds need MSCHAPv2 cracking. Here's an example with Defcon's config.
8/7/2018, 10:51:37 AM
Favs: 3
Retweets: 0
7/14 So don't sign up with creds you use anywhere else, and make the password obnoxious. Apart from disclosure, if they are cracked, your device will connect to the bad AP without you knowing, and then MitM happens.
8/7/2018, 10:52:05 AM
Favs: 2
Retweets: 1
8/14 As an aside, if you hand config your iOS/macOS device, instead of using the config Defcon provides, then your device will connect instantly, without cracking required (vuln reported), and MitM will happen. So use the recommended config.
8/7/2018, 10:52:45 AM
Favs: 2
Retweets: 0
9/14 Another aside, we'll show you how you can MitM the rest of the devices without cracking in a new attack we'll release on Fri. Linux & Windows could defend against this, but the Defcon (and most) configs don't. https://defcon.org/html/defcon-26/dc-26-speakers.html#Singe
8/7/2018, 10:53:45 AM
Favs: 5
Retweets: 0
10/14 Back to cert validation. The Windows config Defcon suggests prevents this by also validating the certificate CN. While I can buy a DigiCert cert, I can't buy one for http://wifireg.defcon.org, so you're safe.
8/7/2018, 10:54:17 AM
Favs: 1
Retweets: 0
11/14 The iOS/macOS config also prevents this, because it loads the exact wifireg cert, and validates on that. So because I can't clone that exact cert, you're safe.
8/7/2018, 10:54:39 AM
Favs: 1
Retweets: 0
12/14 That said, if you don't follow Defcon's sage advice and use their profile, then I can do this, and unless you're validating on fingerprint, you won't be able to spot the malicious cert. And no valid CA doesn't matter to iOS. https://github.com/sensepost/apostille
8/7/2018, 10:55:42 AM
Favs: 5
Retweets: 0
13/14 Another aside, even if you use the profile, if you have iCloud syncing on, your other iDevices could connect to the Defcon network, and if they don't also have a VPN, you might get a surprise (not tested). So VPN all the things.
8/7/2018, 10:56:14 AM
Favs: 1
Retweets: 0
14/14 So, tl;dr. Use the Defcon wifi, but use strong disposable creds, avoid using Linux/Android, prefer iOS/macOS (via Defcon's profile) or Windows (with Defcon's config) & make sure you have a decent VPN on all devices.
8/7/2018, 10:57:20 AM
Favs: 4
Retweets: 4
As a bonus, to those hoping to run WiFi attacks, rather don't be a dick & just let people use the WiFi in peace.
8/7/2018, 11:11:30 AM
Favs: 12
Retweets: 0
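The three validation policies the thread contrasts (tweets 4, 5, 10 and 11: CA only, CA plus expected name, and an exactly pinned certificate) as an added, runnable example. This is not code from the thread, from @singe, or from Defcon's wifi profiles; it uses Go's standard crypto/x509 verifier as a stand-in for a wifi supplicant's RADIUS certificate check. The "public CA", the legitimate wifireg.defcon.org certificate and the attacker's rogue.example certificate are all generated inline here so it runs offline; the name wifireg.defcon.org is taken from the thread, everything else is constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newCert creates a certificate for name. With parent == nil it is a
// self-signed CA (a constructed stand-in for a public CA such as DigiCert);
// otherwise it is a server certificate issued by that parent.
func newCert(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.BasicConstraintsValid = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Policy 1 (CA only, the Linux default described in the thread): any cert
// chaining to the trusted root is accepted, whatever name it was issued for.
func acceptCAOnly(server, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// Policy 2 (CA plus name, the Windows config): the chain must reach the
// root AND the cert must be for the expected RADIUS server name.
func acceptCAAndName(server, root *x509.Certificate, expected string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: expected})
	return err == nil
}

// sha256Fingerprint is the value a pinned profile (or a human) compares.
func sha256Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Policy 3 (exact cert, the iOS/macOS profile): only the pinned cert passes;
// who signed it is irrelevant.
func acceptPinned(server *x509.Certificate, pin string) bool {
	return sha256Fingerprint(server) == pin
}

// Outcome records whether one server certificate passed each policy.
type Outcome struct{ CAOnly, CAAndName, Pinned bool }

// runScenario issues the legitimate RADIUS cert and a rogue cert from the
// same CA, then evaluates both under the three policies.
func runScenario() (legit, rogue Outcome) {
	root, rootKey := newCert("Stand-in Public CA", 1, nil, nil) // constructed CA
	const radiusName = "wifireg.defcon.org"                     // name from the thread
	legitCert, _ := newCert(radiusName, 2, root, rootKey)       // the real RADIUS server
	rogueCert, _ := newCert("rogue.example", 3, root, rootKey)  // cert an attacker could buy
	pin := sha256Fingerprint(legitCert)

	eval := func(c *x509.Certificate) Outcome {
		return Outcome{
			CAOnly:    acceptCAOnly(c, root),
			CAAndName: acceptCAAndName(c, root, radiusName),
			Pinned:    acceptPinned(c, pin),
		}
	}
	return eval(legitCert), eval(rogueCert)
}

func main() {
	legit, rogue := runScenario()
	fmt.Printf("legit RADIUS cert: %+v\n", legit)
	fmt.Printf("rogue AP cert:     %+v\n", rogue)
}
```

The rogue certificate passes the CA-only policy and fails the other two, which is the whole of the thread's argument: a supplicant that checks nothing but the issuing CA will hand its MSCHAPv2 exchange to any AP presenting a certificate from the same public CA.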