Paul Bartell <paul.bart...@gmail.com> wrote:
>
> I'm aware of an attack on a bank which had implemented EAP, and had
> fun when a Pen tester was simply getting domain login credentials
> without having to work much at all.
>
> Could you maybe provide a rebuttal for this attack? and/or explain how
> to make it especially secure?
>
Think of EAP like HTTP...a transport medium. PEAP/TTLS is EAP's version of SSL...would you expect a bank to use a valid certificate on their online banking page? Same thing, 100% the same thing.

Network administrators, whilst generally in the mood "let's get this pesky thing working and fix the 101 other problems I have", easily forget:

1) if you do not force the root CA to a single registrar you can go to *any* registrar (you can use a self-signed one) and make sure the subject field in the certificate matches what the client is expecting (if anything) to leech user credentials

2) if no forced subject field match is made[1], then as long as you get a certificate signed by the marked registrar in (1), if you did indeed specify one, then you can leech user credentials

If you miss either of these two, you might as well slap all your users' credentials on your organisation's website in a text file for folk to download.

This (vaguely) works transparently for web browsers as they have a stash of root CAs[2] to call upon and those registrars supposedly[3] verify and check that you are legit and there are no duplicates....the web browser then checks whatever is in the address bar. With EAP you have to tell it what to expect in its "address bar", this is why you have to specify the FQDN of the server.

Actually, the whole SSL/TLS thing is horribly broken and we should just dump it...I'm not bright enough to suggest something better though :)

Cheers

[1] dear god, do not ever use wildcarded certificates, for it will be your 'crime and your punishment'
[2] of course we all handle certificate revocations don't we?
[3] http://www.amug.org/~glguerin/opinion/revocation.html
    http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/

-- 
Alexander Clouter
.sigmonster says: /earth is 98% full ... please delete anyone you can.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
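The two rules in the post (pin the issuing CA, and require an exact match on the server's FQDN, with footnote [1]'s refusal of wildcards) can be written down as a supplicant-side policy check. The following is an added example, not code from the post or from the FreeRADIUS project. It takes certificates in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it could sit behind a real TLS handshake; the CA name, the FQDN and the four sample certificates are constructed for illustration, and the "rogue" ones model the two failure cases described above (a certificate from a different, but publicly trusted, CA; a certificate legitimately issued by the pinned CA but for another host).

```python
"""Supplicant-side EAP (PEAP/TTLS) server certificate policy check.

Rule 1: the issuer must be the single pinned CA (not "any CA my OS trusts").
Rule 2: the name the client expects must match the certificate exactly.
Footnote [1]: wildcard names are refused outright.

Certificate dicts use the ssl.getpeercert() layout: 'subject' and 'issuer'
are tuples of RDNs, each RDN a tuple of (attribute, value) pairs, and
'subjectAltName' is a tuple of (type, value) pairs.
"""

# Assumed values for this example; a real deployment pins its own CA and FQDN.
PINNED_CA_DN = {"organizationName": "Example Bank CA",
                "commonName": "Example Bank Root CA"}
EXPECTED_FQDN = "radius.example-bank.internal"


def _dn_to_dict(rdn_sequence):
    """Flatten a getpeercert()-style RDN sequence into {attribute: value}."""
    out = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out[attr] = value
    return out


def _dns_names(cert):
    """Collect every DNS name the certificate claims: subject CN plus SAN entries."""
    names = [_dn_to_dict(cert.get("subject", ())).get("commonName")]
    names += [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [n for n in names if n]


def check_eap_server_cert(cert, expected_fqdn=EXPECTED_FQDN, pinned_ca=PINNED_CA_DN):
    """Return (accepted, reason). Both rules must pass; the first failure is reported."""
    issuer = _dn_to_dict(cert.get("issuer", ()))
    # Rule 1: every pinned issuer attribute must match; a different CA is rejected
    # even if the operating system would otherwise trust it.
    for attr, value in pinned_ca.items():
        if issuer.get(attr) != value:
            return False, "issuer is not the pinned CA (got %r)" % issuer.get("commonName")

    names = _dns_names(cert)
    # Footnote [1]: a wildcard name would let any host under the domain pass, so refuse it.
    if any("*" in n for n in names):
        return False, "wildcard name rejected: %r" % names
    # Rule 2: exact, case-insensitive match on the expected FQDN (no substring match).
    if expected_fqdn.lower() not in (n.lower() for n in names):
        return False, "FQDN mismatch: expected %r, certificate has %r" % (expected_fqdn, names)
    return True, "ok"


# Constructed sample certificates (not real certificates).
_PINNED_ISSUER = ((("organizationName", "Example Bank CA"),),
                  (("commonName", "Example Bank Root CA"),))
_OTHER_ISSUER = ((("organizationName", "Some Public CA Ltd"),),
                 (("commonName", "Some Public CA Root"),))

GOOD_CERT = {"subject": ((("commonName", "radius.example-bank.internal"),),),
             "issuer": _PINNED_ISSUER,
             "subjectAltName": (("DNS", "radius.example-bank.internal"),)}

# Right name, wrong CA: what an unpinned supplicant would accept (rule 1 failure).
ROGUE_CA_CERT = {"subject": ((("commonName", "radius.example-bank.internal"),),),
                 "issuer": _OTHER_ISSUER,
                 "subjectAltName": (("DNS", "radius.example-bank.internal"),)}

# Right CA, different host: what a supplicant without a name check accepts (rule 2 failure).
ROGUE_SUBJECT_CERT = {"subject": ((("commonName", "other-host.example-bank.internal"),),),
                      "issuer": _PINNED_ISSUER,
                      "subjectAltName": (("DNS", "other-host.example-bank.internal"),)}

# Right CA, wildcard name: refused per footnote [1].
WILDCARD_CERT = {"subject": ((("commonName", "*.example-bank.internal"),),),
                 "issuer": _PINNED_ISSUER,
                 "subjectAltName": (("DNS", "*.example-bank.internal"),)}


def verdicts():
    """Evaluate all four constructed certificates; returns {label: accepted}."""
    samples = {"good": GOOD_CERT, "rogue_ca": ROGUE_CA_CERT,
               "rogue_subject": ROGUE_SUBJECT_CERT, "wildcard": WILDCARD_CERT}
    return {label: check_eap_server_cert(cert)[0] for label, cert in samples.items()}


if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("rogue_ca", ROGUE_CA_CERT),
                        ("rogue_subject", ROGUE_SUBJECT_CERT), ("wildcard", WILDCARD_CERT)):
        print("%-14s %s" % (label, check_eap_server_cert(cert)[1]))
```

Only the first certificate is accepted; each of the other three is exactly one of the gaps the post describes, and a supplicant that pins only the CA, or checks only the name, lets one of them through. In wpa_supplicant terms this corresponds to setting both `ca_cert` and an exact `domain_match` on the network block rather than leaving either one out.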