Deepdive

Understanding PEAP In-Depth

18 April 2019 ~16 min By Dominic White
Cve Deepdive Ios Mac Rf Rogue-Ap Wifi
tl;dr We reported a long standing PEAP bug in all Apple devices that would allow an attacker to force any Apple device (iOS, macOS or tvOS) to associate with a malicious access point, even if the authentication server (RADIUS) couldn’t prove knowledge of the password. To understand it fully, we go on a deep dive into EAP and MSCHAPv2. Table of Contents PEAP at a High LevelMSCHAPv2Decrypting the Inner TunnelThe Inner MSCHAPv2 ExchangeByte-Level Description of the MSCHAPv2 ExchangeMSCHAPv2 CalculationsMSCHAPv2 Failure BehaviourThe Apple VulnerabilityApple’s FixDisclosure Timeline & DetailsOriginal Vulnerability Report While prepping for our Defcon talk last year, Michael kept pushing me to implement hostapd-wpe‘s EAP success attack. In this attack, the authentication server will accept any username, then skip the step where it proves knowledge of the password back to the station (because it doesn’t know the password), and instead sends an EAP-success message back to the station. I refused for a long time, because I thought it was a dumb attack that would never work. This is because in MSCHAPv2 the authentication server also proves knowledge of the password back to the station, and if it couldn’t, I assumed the station would just refuse to continue, after all, that’s the whole point.

A new look at null sessions and user enumeration

11 May 2018 ~17 min By Reino Mostert
Active Directory Deepdive Tools
Hello, TLDR; I think I found three new ways to do user enumeration on Windows domain controllers, and I wrote some scripts for it. Over the years, I have often used the NULL session vulnerability to enumerate lists of users, groups, shares and other interesting information from remote Windows systems. For the uninitiated, Windows exposes several administrative and hidden shares via SMB by default. Some of these shares allow one to access the complete storage device on remote systems. For example, C$ will allow one to access the C Drive. Another share, Admin$, allows one to access the Windows installation directory. To be able to mount these shares however, one needs to be an administrator on the remote system.