CWNP CWSP – Module 04 – 802.11 Authentication Methods Part 6

PACs

Alright, now let’s take a look at the PACs, the protected access credential. Like I said, it’s very much like a digital certificate. Some people would say that those and certificates are cousins. It actually is a shared secret. But EAP-FAST is the only EAP type that is going to use these PACs. And so we kind of want to talk a little bit about what they contain. So like I said, it’s like that digital certificate, it does use pre-shared keys. All right? Pre-shared keys do make things faster than verifying certificates.

They also talk about the PAC-Opaque, or the opaque element, which basically here is a variable-length data element that we use. Variable length. So it’s harder to guess, to help the tunnel establishment. And the PACs, depending on the version of EAP-FAST you’re using, can have some other information, which might be things like the authority of the identity or maybe the PAC issuer. It’s just other information, maybe the lifetime of the PAC or even which RADIUS server is used as the master. So it’s just extra information. Now it goes through three phases and I’m not going to take you step by step through each one. Phase zero here you can see is where we do what they call the automatic PAC provisioning with Diffie-Hellman. So Diffie-Hellman, some people call it encryption. It really isn’t.

I think I told you before, it’s mathematical magic that we can exchange an encryption key without exchanging the key. But both sides have to have some common things. Diffie-Hellman has to have what they call a prime number, which is represented by groups; typically the larger the group number, the larger the prime number. And when I say prime number, if you were to look at it, it’s like 1028 bits. So I’m surprised because, I mean, two to the 1028 is a huge number. I don’t even know what that number would be, but it would be huge. It’d be what my kids say is infinity. But I’m impressed that we can use those large prime numbers and that somebody actually found a prime number that’s that big, anyway. And there’s more than one for each one of these. So you’d have to choose the group.

And there’s also kind of a common reference and pre-shared key that we have to agree on. Both sides, both sides have to have the same data. So that means we have some pre-configuration to do. And then what happens in Diffie-Hellman is one side picks a random number and with that random number does some mathematics with all this stuff and then sends that out as their public number. And the other side picks a random number, does math with the same group and all the other information, and sends out their public number.

And then apparently, if we take the public number my partner sent me and do some more math with this stuff and my random number that I sent them, and vice versa, we’re both going to mathematically have the same answer. Okay? They use things like exponents and logarithms. And this is not a math class, so it’s not really an encryption, but it’s a key exchange. Call it Diffie-Hellman. It’s very popular. We use it a lot in the setup of IPsec VPNs, basically. Now of course, once you log in, then on subsequent connections phase zero would basically become the optional phase. Then phase one, which is the next part. During this phase, the supplicant, I should say, is going to send the outer bogus identity to let the authentication server know that the client seeks validation. The client and the authentication server are going to negotiate using a symmetric key that’s going to be derived from the PAC. And as a result they’re going to have an encrypted tunnel back and forth. Like I said, I’m not going to take you step by step through here. Now that we’ve done that, phase two becomes very easy because once the supplicant is validated with that encrypted tunnel, then EAP-FAST is going to support several different types of inner authentication methods which could use TLS. Like I said before, it could use certificates or some other protocol that we can set up and do the encryption. Not the encryption, but the exchange of real information inside of the encrypted tunnel, and then get the message back, hopefully eventually, of the success or failure as to whether or not we want to get in there. And then like I said, later we’ll talk about this four-way handshake at some other point to talk about these keys.
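The Diffie-Hellman exchange described above, worked through as an added example that is not part of the course material: each side picks a random exponent, sends only its public value, and both arrive at the same key. The group (the published RFC 2409 group 2 prime with generator 2) and the Miller-Rabin check are my choices for the example, not anything the lecture specifies.

```python
import hashlib
import secrets

# RFC 2409 "group 2": a published 1024-bit MODP prime, generator 2, so the exchange
# runs on a real group (1024-bit groups are considered too small for new deployments).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin check so the reader can confirm the modulus really is prime."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

class Party:
    def __init__(self):
        self.private = secrets.randbelow(P - 2) + 1   # the random number, never transmitted
        self.public = pow(G, self.private, P)         # the "public number" that is sent

    def shared_secret(self, peer_public):
        # Reject degenerate peer values (0, 1, P-1) that would force a predictable secret
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, P)

def derive_key(shared):
    """Hash the agreed integer into a fixed-size symmetric key."""
    return hashlib.sha256(shared.to_bytes(P.bit_length() // 8, "big")).digest()

def run_exchange():
    """Each side combines the other's public value with its own private exponent."""
    alice, bob = Party(), Party()
    return derive_key(alice.shared_secret(bob.public)), derive_key(bob.shared_secret(alice.public))
```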

Demo – Certificate Authority Server Credentials

All right, so we’re going to take a look at some of the credentials that we talked about. I talked about these things called certificates and also talked a little bit about some of the abilities to have a man-in-the-middle try to use fake certificates. And this was in the aspect of talking to you about different types of authentication methods, and I thought this would be just an interesting exercise to show you this, one of many tools; this one’s called Cain and Abel. People in the hacking world seem to use it as one of their favorites. But what I’m going to do is... our network is 10.0.0.1. That’s the wireless router or access point. And I have another host out there that’s 10.0.0.6. And I think I’m 10.0.0.0.3, too many zeros, I said. But my address doesn’t show up in the list of addresses that we found by just sniffing to see what’s out there. Now what we’re going to do basically is do what’s called ARP poisoning.

And what I want to do is I want to convince, and this is just one of many things I can do to cause a man-in-the-middle. But what I’d like to do is I’d like to come up here and go into this thing they call ARP poisoning and routing. And what I’m going to do is poison between the access point and this poor guy over here at 10.0.0.6. I’m going to poison between them and what’s going to happen is I’m going to feed in my MAC address for the access point and to the other victim so that they’re going to go through me, and then I’ll send everything off to the access point and basically try to intercept their traffic. Now remember, this is one of the times where having encryption would be great because this particular tool is not going to allow me to encrypt. But I’m going to show you a different one that can do encryption and act as a hotspot if you wanted to.

And now that I’ve got that set up, what I’m going to do, what you can’t see, is go to a bank website, and so now you can see that it says it’s doing full routing. And what you might notice here under HTTPS is, okay, so you can see where I’m trying to get to, trying to get to this place called Bank of America. And if I were to try to log in, let’s say with this particular one, I would hope that I start getting some errors about the certificates, because what I’m doing is I’m going to create some fake certificates to try to get in there. And yeah, so I’m having some problems on my laptop. It doesn’t like what I’m doing. And when I come up here, you can see that it’s creating these self-signed certificates that is causing me errors on my screen, letting me know that these are not fake or not real certificates.

If I were to open up any one of these. Let’s see if I can look at the get certificate. No, I can’t do that. Anyway, so if I actually started going into the secure connection and actually started to type in my information, then what you would start seeing over here is a list of files or text files. So there you can see mail.google.com, a lot of other things. You start being able to see all of that traffic. And the idea is like here, I say this is all clear text except for the HTTPS. The idea here is that you can intercept that traffic, issue fake certificates, and if the user is not smart enough, then the user is going to, as a hacker, I would hope would accept the certificate and I could start decoding their SSL traffic.

Now that’s different than if I’m trying to work with somebody connected to an access point, doing encryption with the access point, because at that particular juncture, I’m not going to see their IPs. Remember, that was a big deal. I’m not going to see their IPs, okay? So I’m going to turn that off because I don’t need to poison myself anymore. And I’m not going to take you through there. If I go to passwords here, if I had typed any passwords, you would have seen them show up on this little list over here. So it’s a cool little toy. It even has wireless settings so that you can scan for access points if they’re out there. There you can see there’s a lot of access points out there with a lot of different names.

And you can actually, from this, start getting access to those keys that I talked about, the communications back and forth of everybody trying to authenticate and set up their encryption keys. And so as you’re looking at those, but I don’t have AirPcap turned on, otherwise I would start being able to lock on a channel. And here you can see it would let me help capture the WEP IVs and be able to do WEP injection or to start cracking WPA pre-shared key authentications. So I guess you could say it’s kind of a nasty tool. So let me turn that off. Yes, I want to exit. So that’s one example of ways in which we can take advantage of authentication. Even though I said certificates are great, we still need to give users education about making sure that they know not to accept a certificate that has a certificate error.
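The ARP poisoning in the demo leaves a detectable footprint: one MAC address starts answering for the access point and for the victim at the same time. As an added example that is not part of the course material, this script flags that pattern over a constructed "ip mac" observation log using the demo’s 10.0.0.x addresses; the MAC addresses and the log format are my assumptions.

```python
from collections import defaultdict

# Constructed sample of "ip mac" observations, as a passive ARP monitor on the
# wireless segment would record them. MACs are made up; 10.0.0.1 is the access
# point and 10.0.0.6 the other host from the demo. The last two lines are what
# the poisoning produces: the third host answering for both of them.
SAMPLE_ARP_LOG = """\
10.0.0.1 aa:bb:cc:00:00:01
10.0.0.6 aa:bb:cc:00:00:06
10.0.0.3 aa:bb:cc:00:00:03
10.0.0.1 aa:bb:cc:00:00:03
10.0.0.6 aa:bb:cc:00:00:03
"""

def parse_arp_log(text):
    """Yield (ip, mac) pairs; blank and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1].lower()

def ip_to_macs(text):
    """Map each IP to the distinct MACs seen claiming it, in first-seen order."""
    seen = defaultdict(list)
    for ip, mac in parse_arp_log(text):
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return dict(seen)

def find_conflicts(text):
    """IPs answered by more than one MAC: the mark of a poisoned ARP cache
    (or a legitimately replaced NIC, which is why an analyst still reviews it)."""
    return {ip: macs for ip, macs in ip_to_macs(text).items() if len(macs) > 1}

def find_mitm_suspects(text, gateway_ip):
    """A MAC claiming the gateway and at least one other host sits between them,
    which is exactly the position the demo sets up."""
    conflicts = find_conflicts(text)
    gateway_claimants = set(conflicts.get(gateway_ip, []))
    suspects = set()
    for ip, macs in conflicts.items():
        if ip != gateway_ip:
            suspects |= gateway_claimants & set(macs)
    return suspects

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_ARP_LOG).items():
        print(f"{ip} claimed by {', '.join(macs)}")
    print("man-in-the-middle suspects:", find_mitm_suspects(SAMPLE_ARP_LOG, "10.0.0.1"))
```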

Module 04 Review

So we covered a lot of information in this module. We talked about the wireless LAN authentication as an overview, went over AAA, the authentication, authorization and accounting; port-based authentication, 802.1X. We talked about the process of the supplicant, the types of credentials that you can use, the authentication server credentials, the shared secrets. We also talked about the authenticator itself.

We looked at some legacy authentication protocols, talked about their weaknesses and why we are using something else. And then hopefully gave you some good information about the extensible authentication protocol and the variety of types that we use, like PEAP or some of the older ones like LEAP.
