This article is a follow-up to my previous articles about common security issues on WPA2 Enterprise networks and the mysterious “Connect to these servers” option of Windows. It describes an attack which could endanger your network's security through a simple social engineering attack.
As stated in my first article about WPA2 Enterprise, using MS-CHAP is not considered secure if you skip server certificate validation, as you lose the protective layer of Protected EAP. I presented some mitigations, but there is another issue with Windows' default behavior which results in credential leaks.
When connecting to an unknown WPA2 Enterprise network, Windows will try to send the local computer's credentials using MS-CHAP. This applies to domain computers, which are supplied with a strong domain password on domain join. These credentials should not grant access to sensitive resources like file servers. However, there are wireless enterprise networks out there using MS-CHAP and allowing clients to join the network with those credentials. This would be a first way into the private network for an attacker. Computers which are not part of a Windows domain are not affected by this, as they ask directly for username and password. Such computers would therefore not be a target for this attack.
An attacker providing an EAP network called “Guest” and announcing a password publicly could lead users to manually connect to this protected network. This way an attacker would gain credentials he could later use for further attacks on a company network. The user would never be asked for the announced password, but that wouldn't be a problem for the attacker, as the credentials would already have been sent. As the password is very strong, it is unlikely to be cracked using dictionary attacks. But as stated in my first article, MS-CHAP heavily relies on DES, which can be easily cracked. This way an attacker will obtain the MD4 hash of the cleartext password, which can already be used to authenticate.
Windows does show a warning when you start your first connection attempt to an EAP network, stating that the user should abort the connection if the network isn't expected at this location. However, the user would expect the guest network to be present at his current location and would continue the connection.
While this attack should only be dangerous if your wireless network uses domain credentials to authenticate clients, there doesn't seem to be a way to change this default behavior. The only way seems to be to educate your users!
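As an added example (not from the article), the technical complement to user education: auditing the PEAP profiles you actually push, so that on networks you manage a rogue RADIUS server is rejected by certificate validation rather than by the user's judgement. It assumes the element names of `netsh wlan export profile` PEAP output (ServerValidation, PerformServerValidation, TrustedRootCA, ServerNames, RequireCryptoBinding); the profile below is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `netsh wlan export profile` output (trimmed).
# Element names are assumed from the Windows PEAP profile schema, not from the article.
WEAK_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp</name>
  <MSM><security><authEncryption><useOneX>true</useOneX></authEncryption>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>machineOrUser</authMode>
  <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
   <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation>
      <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
      <ServerNames></ServerNames>
     </ServerValidation>
     <Eap><Type>26</Type></Eap>
     <PeapExtensions><PerformServerValidation>true</PerformServerValidation></PeapExtensions>
    </EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM>
</WLANProfile>"""

def _local(tag):
    """Strip the XML namespace so the checks work whatever prefix Windows emitted."""
    return tag.rsplit('}', 1)[-1]

def _text(root, name):
    """Text of the first element with this local name, or None if it is absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None

def audit_peap_profile(xml_text):
    """Return findings for a PEAP (type 25) WLAN profile; an empty list means hardened."""
    root = ET.fromstring(xml_text)
    types = [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "Type"]
    if "25" not in types:
        return ["not a PEAP profile (EAP type 25 absent); checks do not apply"]
    findings = []
    if _text(root, "PerformServerValidation") != "true":
        findings.append("server certificate validation disabled: any RADIUS server is accepted")
    if not _text(root, "TrustedRootCA"):
        findings.append("no TrustedRootCA pinned: a certificate from any trusted CA passes")
    if not _text(root, "ServerNames"):
        findings.append("ServerNames empty: certificate subject is not tied to your RADIUS host")
    if _text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("user can click through a certificate warning (prompt not disabled)")
    if "26" in types and _text(root, "RequireCryptoBinding") != "true":
        findings.append("inner MS-CHAPv2 without crypto binding required")
    return findings
```

This only hardens profiles you deploy; it does not change the default behavior for unknown networks that the article describes.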
It is obvious that Microsoft’s PEAP implementation on Windows has multiple design flaws they should fix.