Insecure 802.1X Port-based Authentication Using EAP-MD5
Introduction
802.1X port-based security is built into network devices, such as network switch and firewall to prevent unauthorized insider or intruder to access the trusted network through unprotected physical port.
802.1X port-based authentication is one of the security controls at Data Link Layer in OSI model. When 802.1X port-based authentication is configured in the network device, the following requirements shall be met by Applicant that runs Windows Operating System (OS):
- IEEE 802.1X authentication is enabled for ethernet adapter
- Network authentication method (e.g. EAP-MD5) used by network device is supported by the OS
- Wired AutoConfig service (DOT3SVC) is running
- Correct user credentials are entered for the network authentication
1. Man-in-The-Middle (MiTM)
802.1X authentication information passed over the network during the authentication could be captured by an adversary when Man-in-The-Middle (MiTM) (T1557) attack is performed. This could be done when physical access to the devices is not controlled or the RADIUS server is compromised.
We performed 802.1X authentication on MOXA EDR-810 router (Authenticator) with FreeRADIUS (Service Provider) and the network packets are captured. Then, we open the PCAP file using Wireshark to highlight four (4) key information required by the adversary to perform the password cracking after MiTM attack is successfully conducted.
Key Information #1, Request ID (eap.id):
4Key Information #2, Request Challenge(eap.md5.value): 4103a0309f402ad8d006f5344183f4fc
Key Information #3, Response Challenge(eap.md5.value): cb128044ce36cf3ce9b3989afd85e7a1Key Information #4,Username(eap.md5.extra_data):
6c656e67
2. Cracking EAP-MD5
The formula below shows how the Response Challenge is calculated:
Response Challenge = MD5(Hexadecimal Escape Sequence(Request ID Password Request Challenge))
We retrieved Response Challenge value in Key information #3 above. Now, let us explore the formula step by step.
Step 1: Generate Hexadecimal Escape Sequence for Request ID, Password and Request Challenge
echo <Hexadecimal for Request ID or Request Challenge> | sed 's/../\\x&/g'
echo "<Password>" | od -A n -t x1 | sed 's/ /\\x/g'
Step 2: Hash Hexadecimal Escape Sequence Generated using MD5
echo -n -e "<Hexadecimal escape sequence for Request ID, Password and Request Challenge>" | md5sum
Bingo! The hash value shown in output is same with what we seen in the Wireshark earlier!
2.1 Dictionary Attack
A dictionary file basically is a file that store a list of passwords and to be supplied into password attack tools, such as eapmd5pass.
We will use eapmd5pass to perform dictionary attack against EAP-MD5.
Step 1: Generate Colon Hexadecimal for Request Challenge and Response Challenge
echo <Hexadecimal for Request Challenge or Response Challenge> | sed ‘s/\(..\)/\1:/g;s/:$//’
Step 2: Get Username from Hexadecimal
echo <Hexadecimal for Username> | xxd -r -p
Step 3: Run eapmd5pass with a Dictionary file and other parameters value
eapmd5pass -r <Path of PCAP file> -w <Path of Dictionary File> -U <Username> -C <Request Challenge> -R <Response Challenge> -E <Request ID>
eapmd5pass will test all the passwords inside dictionary file until the correct password is found. As what we seen in the screenshot above, password of “password” is found with the dictionary file supplied!
Now, you should change the password to a complex password that meet the security requirements to ensure the password is not listed in any publicly known dictionary.
Conclusion
In this article, we discussed the requirements for applicant to access to the trusted network protected by 802.1X port-based authentication. We also learnt how to crack the password for 802.1X port-based authentication that use EAP-MD5 using manual technique and password attack tool, eapmd5pass.