Shmoocon Day 3

On the final day of Shmoocon I went to two talks. Here’s some notes.
I’m still fighting the cold that hit just after the conference. Three days of sick people on the metro and in a hotel ballroom seem to have taken their toll.
Dan Griffin, Hacking Windows Security
This talk presented four tools, three developed while working for Microsoft and are available on MSDN.
Hacking smartcards was an interesting concept for fuzzing smartcard middleware. I’m not sure if it was the early start to the day or not, but I didn’t understand if this was a problem in the smart card driver software as it comes in Windows or if this would be smart card software already written.
“Smart Cards have a vm and shouldn’t be treated as trustworthy.”
The other parts of the talk were using “hack” in the older white hat sense of the word. He showed how to add a new algorithm such as twofish to Windows.
PEAP: Pwned Extensible Authentication Protocol, Wright, Antoniewicz
If you’re up on wireless security you probably know this. Otherwise its a good presentation. Worth checking out when posted to
With EAP, your Access Point and Radius server are exposed to the world. Does it seem like a good idea for a RADIUS server to be so attackable?
To this point the supplicant and radius server code have not been explored thoroughly. This is a great opportunity for research.
EAP- MD5 not RFC4017 complaint
No support for encryption key delivery
No native supplicant in windows
eapmd5pass- a tool to read pcap file or monitor and brute force the password.
Security through obscurity with proprietary protocol
attacked through asleap tool
Uses PAC – protected authentication credential
But the PAC is transmitted anonymously by default (Eap FAST Phase 0)
If you use manual PAC provisioning now you have a cumbersome process that must be repeated as the PAC expires.
A rogue AP could be used to get the clients MSCHAP credentials.
Mutual authentication between client and servers.
Can still screw things up by not verifying the server certificate. This allows anyone to impersonate the Radius server.