Why 802.1x is Not Enough: Use IPv6 SeND – Part 1

There’s been much debate in the IPv6 community regarding the abysmal support for IPv6 Secure Neighbour Discovery (SeND).  To get you up to speed on what IPv6 Secure Neighbour Discovery is, think IPv6 + 802.1x-like + ARP security + PKI environment.  Later in this blog I’ll show you how to set up an IPv6 SeND environment (minus a decent host platform).  SeND has a great way to securely authenticate ALL communication on a LAN (unlike 802.1x); I’ll show you this in Part 2 of this series, which goes into great depth on IPv6 SeND.  In this first part of the series, I’d like to show you why 802.1x is not the answer (or at least not the only answer).  If your enterprise isn’t moving towards IPv6 any time soon, then you are becoming more vulnerable to these attacks.  If you need help just moving to IPv6, we can help: tachyondynamics.com/ipv6  Otherwise, please read on.

Why 802.1x Is Not the Answer

There are two basic reasons why 802.1x on wired and wireless LANs is not as secure as you may think:

  1. It can be bypassed
  2. It can be hacked

1. It can be bypassed

PWNIE Express released a product, which anyone can buy today, that uses the infrastructure to bypass having to authenticate in the first place.  This works even if the LAN is using 802.1x EAP-TLS.  EAP-TLS uses certificate authentication, unlike the common user name and password PEAP.  However, here’s the problem: 802.1x does not authenticate every packet.  Meaning, if you can get in the middle and capture the source MAC address immediately upon authentication/re-authentication, then you are in.  The IEEE standard only requires re-authentication every 60 minutes or so.  This is how PWNIE Express does it:

  • Plug the Pwnie Express device in between the PC and the wall jack
  • Pwnie Express captures all EAPOL authentication packets
  • It creates a bridge between the switch and the PC
  • It establishes an SSH tunnel out over the cell network using 3G/4G (if using the full Power Pwn product), and the external user is looking at everything on the network

Basically, if 802.1x required each packet to be authenticated, you would never be able to bypass it this way.  However, an AAA infrastructure would NEVER be able to handle that kind of workload on the backbone.  SeND: 1, 802.1x: 0
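The difference the paragraph above is getting at is the trust model: an 802.1x port trusts a source MAC for the whole session after one EAPOL exchange, whereas a per-packet scheme checks a cryptographic authenticator on every frame.  The toy model below is an added illustration (not code from the original post, and not an implementation of SeND): SeND actually binds an address to a key pair via CGA and signs Neighbor Discovery messages with RSA, while here a stdlib HMAC keyed with a constructed secret stands in for the signature, the frames and MAC address are constructed, and the class and function names are my own.

```python
"""Toy model: session-level port authorization (802.1x-style) versus
per-packet authentication (SeND-style).  Added illustration only; the HMAC
is a stand-in for SeND's RSA signature so the script runs offline."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str
    payload: bytes
    seq: int = 0
    tag: bytes = b""  # per-packet authenticator; empty on plain frames


def sign(key: bytes, src_mac: str, seq: int, payload: bytes) -> bytes:
    """Authenticator over source, sequence number and payload (stand-in for
    the RSA signature SeND carries in its RSA Signature option)."""
    msg = src_mac.encode() + seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class PortAuthSwitch:
    """802.1x-style: once a MAC completes EAPOL, the port trusts that MAC
    until the next periodic re-authentication.  Frames carry no proof of
    who actually sent them."""

    def __init__(self) -> None:
        self.authorized: set[str] = set()

    def eapol_success(self, mac: str) -> None:
        self.authorized.add(mac)

    def forward(self, frame: Frame) -> bool:
        # Only the source MAC is consulted; a bridged device that learned
        # the MAC from the EAPOL exchange is indistinguishable from the host.
        return frame.src_mac in self.authorized


class PerPacketVerifier:
    """SeND-style: every packet must verify under the key bound to the
    sender's address, and a monotonically increasing sequence number
    rejects replays of previously valid packets."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.last_seq: dict[str, int] = {}

    def enroll(self, mac: str, key: bytes) -> None:
        self.keys[mac] = key
        self.last_seq[mac] = -1

    def accept(self, frame: Frame) -> bool:
        key = self.keys.get(frame.src_mac)
        if key is None:
            return False
        expected = sign(key, frame.src_mac, frame.seq, frame.payload)
        if not hmac.compare_digest(expected, frame.tag):
            return False  # forged or unsigned: sender lacks the key
        if frame.seq <= self.last_seq[frame.src_mac]:
            return False  # replay of an earlier, genuine packet
        self.last_seq[frame.src_mac] = frame.seq
        return True


def run_scenarios() -> dict[str, bool]:
    """Constructed scenario: one genuine frame, one frame from an in-line
    device that copied the victim's MAC but holds no key, one replay."""
    victim_mac = "00:11:22:33:44:55"            # constructed
    victim_key = b"constructed-stand-in-for-host-private-key"

    legit = Frame(victim_mac, b"payload-1", seq=1)
    legit.tag = sign(victim_key, victim_mac, legit.seq, legit.payload)
    spoofed = Frame(victim_mac, b"payload-2", seq=2)        # no tag
    replayed = Frame(victim_mac, legit.payload, seq=1, tag=legit.tag)

    switch = PortAuthSwitch()
    switch.eapol_success(victim_mac)            # the one-time EAPOL success
    verifier = PerPacketVerifier()
    verifier.enroll(victim_mac, victim_key)

    return {
        "dot1x_legit": switch.forward(legit),
        "dot1x_spoofed": switch.forward(spoofed),   # accepted: MAC-only trust
        "send_legit": verifier.accept(legit),
        "send_spoofed": verifier.accept(spoofed),   # rejected: no valid tag
        "send_replayed": verifier.accept(replayed), # rejected: stale seq
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```

The spoofed frame passes the port-based check because nothing in it distinguishes the bridged device from the host that completed EAPOL; it fails the per-packet check because producing a valid authenticator requires the host's key, and capturing a genuine packet does not help either, since the sequence check rejects the replay.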

2. It can be hacked

This technique really only applies to 802.1x using PEAP or anything less secure (LEAP, MS-CHAP without EAP).  EAP-TLS is not affected by straight hacking, as there are no plaintext authentication details to capture.  Depth Security put together a great video tutorial using BackTrack Linux with many of the associated tools, and IT Security has a great write-up on how to do it as well.  Basically, it goes something like this:

  • With a network tap, view the hashed RADIUS packets from host and server by capturing the EAP Challenge and Response messages (MD4-hashed, using weak DES keys).
    • asleap -i <interface name> -o -t 10 -v
    • asleap -r <pcap dumpfile> -v
    • The remaining bits are checked against the pre-packaged password files that are usually leaked or stolen on the Internet
  • Then the PEAP session is totally hijacked, because the likelihood is that the PEAP user name and password are also Windows Active Directory credentials: double win!
  • Considering an AES RSA algorithm is used with certificate-based authentication on EVERY packet, this isn’t possible with IPv6 SeND.  SeND: 2, 802.1x: 0
