Full Report
Joff Thyer // A network can authenticate a client workstation using the 802.1X and Extensible Authentication Protocol (EAP) using multiple different methods. EAP is used both in a wired network […] The post TLS Certificates from EAP Network Traffic appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: EAP-PEAP and EAP-TLS Certificate Capture via 802.1X Sniffing
## Overview
This summary details the process of capturing X.509 certificates exchanged during Extensible Authentication Protocol (EAP) authentication, specifically EAP-PEAP (using MSCHAPv2 within a TLS tunnel) and EAP-TLS (using mutual certificate authentication) over 802.1X wired or wireless networks. The captured certificates can reveal sensitive information, especially if certificate exchange alone is used for machine authentication.
## Technical Details
- Type: Technique (Network Protocol Analysis)
- Platform: Wired and Wireless Networks utilizing 802.1X/EAP
- Capabilities: Capturing the server certificate presented during the EAP-PEAP TLS handshake, or the client, server and CA certificates exchanged in EAP-TLS. The certificates travel in the clear during the handshake carried over RADIUS/EAP, before the TLS tunnel that protects any inner credentials is established.
- First Seen: N/A (Relies on standard network protocols)
## MITRE ATT&CK Mapping
Since this describes an adversary technique for reconnaissance and credential theft through passive network listening, rather than a specific malware family, the mapping focuses on the resulting action: Credential Access or Network Reconnaissance.
- **TA0006 - Credential Access**
- **T1003 - OS Credential Dumping** (Indirectly, if harvested credentials are used to gain further access)
- **TA0043 - Reconnaissance**
- **T1049 - System Network Connections Discovery** (Passive network monitoring)
## Functionality
### Core Capabilities
- **EAP-PEAP Inspection**: Observing the EAP-PEAP handshake. The MSCHAPv2 credentials are protected inside the TLS tunnel negotiated over RADIUS/EAP and are not recoverable from a passive capture, but the server certificate used to establish that tunnel is visible in the clear during the handshake.
- **EAP-TLS Inspection**: Capturing the client certificate, server certificate, and potentially the Certificate Authority (CA) certificate during the mutual authentication phase.
- **Traffic Capture**: Utilizing packet sniffing tools like Wireshark on a passive tap (wired) or in monitor mode (wireless) to capture Layer 2 EAP traffic fragments.
### Advanced Features
- **Certificate Extraction**: Exporting the captured certificate data (fragmented over multiple EAP frames) in DER format using Wireshark's packet byte export functionality.
- **Certificate Parsing**: Converting the captured raw binary certificates (DER) into readable PEM format using OpenSSL for inspection, allowing analysis of CNs (e.g., identifying 'living.thyer.org' as the RADIUS server and 'ROOT-CA').
- **Dual-Level Authentication Monitoring**: Capturing both machine credentials (boot phase) and user credentials (login phase) associated with the 802.1X session.
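The fragment reassembly and certificate extraction that the Wireshark steps above perform by hand, as an added example that is not from the post or from Black Hills Information Security: it parses EAP-TLS (type 13) fragments, joins them into the TLS record stream, and pulls the DER blobs out of a TLS 1.2 Certificate handshake message; the per-session fragment count and byte total it returns are the figures a behavioral detection for large fragmented EAP objects would threshold on. The sample frames are constructed (the "DER" payload is placeholder bytes), and the record walk assumes TLS 1.2 or earlier, since TLS 1.3 encrypts the Certificate message.

```python
import struct

EAP_TLS, FLAG_L, FLAG_M = 13, 0x80, 0x40         # EAP type 13; Length-included and More-fragments bits

def eap_tls_fragment(frame: bytes):               # -> (identifier, flags, payload) or None if not EAP-TLS
    if len(frame) < 6 or frame[4] != EAP_TLS or struct.unpack("!H", frame[2:4])[0] != len(frame):
        return None                               # too short, not type 13, or EAP length field disagrees
    ident, flags = frame[1], frame[5]
    off = 10 if flags & FLAG_L else 6             # first fragment carries a 4-byte total TLS length
    return ident, flags, frame[off:]

def reassemble_tls(frames):                       # -> (TLS record stream, number of data-carrying fragments)
    stream, count = b"", 0
    for frame in frames:
        parsed = eap_tls_fragment(frame)
        if parsed is None or not parsed[2]:       # skip non-TLS EAP and the supplicant's empty EAP-TLS ACKs
            continue
        stream, count = stream + parsed[2], count + 1
        if not parsed[1] & FLAG_M:                # M bit clear: last fragment of this TLS message
            break
    return stream, count

def der_certificates(stream: bytes):              # -> every DER blob found in TLS Certificate handshake messages
    certs, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        body, pos, hp = stream[pos + 5:pos + 5 + rlen], pos + 5 + rlen, 0
        while ctype == 22 and hp + 4 <= len(body):   # 22 = handshake record; walk its messages
            htype, hlen = body[hp], int.from_bytes(body[hp + 1:hp + 4], "big")
            msg, hp = body[hp + 4:hp + 4 + hlen], hp + 4 + hlen
            if htype != 11:                       # 11 = Certificate: 3-byte list length, then 3-byte-prefixed certs
                continue
            p, end = 3, 3 + int.from_bytes(msg[:3], "big")
            while p + 3 <= end:
                clen = int.from_bytes(msg[p:p + 3], "big")
                certs.append(msg[p + 3:p + 3 + clen])
                p += 3 + clen
    return certs

# Constructed sample: a TLS 1.2 Certificate message carrying one 20-byte placeholder "DER" blob (not a real
# certificate), split over two EAP-Request fragments with the supplicant's empty EAP-TLS ACK in between.
FAKE_DER = b"\x30\x12" + b"\xaa" * 18
_len3 = lambda n: n.to_bytes(3, "big")
_cert_msg = b"\x0b" + _len3(len(FAKE_DER) + 6) + _len3(len(FAKE_DER) + 3) + _len3(len(FAKE_DER)) + FAKE_DER
_record = b"\x16\x03\x03" + struct.pack("!H", len(_cert_msg)) + _cert_msg
_cut = len(_record) // 2
SAMPLE_FRAMES = [
    struct.pack("!BBH", 1, 1, 10 + _cut) + bytes([EAP_TLS, FLAG_L | FLAG_M]) + struct.pack("!I", len(_record)) + _record[:_cut],
    struct.pack("!BBH", 2, 1, 6) + bytes([EAP_TLS, 0]),
    struct.pack("!BBH", 1, 2, 6 + len(_record) - _cut) + bytes([EAP_TLS, 0]) + _record[_cut:],
]
```

Feeding `der_certificates` a real reassembled stream yields the same bytes Wireshark's packet byte export produces, ready for `openssl x509 -inform DER`.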
## Indicators of Compromise
This technique focuses on capturing legitimate network artifacts rather than malicious IOCs.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (The interaction involves legitimate RADIUS servers and authenticators).
- Behavioral Indicators: High volume of Layer 2 EAP traffic containing large fragmented objects (X.509 certificates).
## Associated Threat Actors
This mechanism is widely used by legitimate network administrators and security testers, but adversaries can employ the same passive sniffing techniques if they gain access to the network infrastructure or wireless airspace.
- Security Researchers/Auditors (Legitimate Use)
- Adversaries performing reconnaissance against enterprise access controls.
## Detection Methods
Detection focuses on monitoring the capture processes and the abnormal traffic patterns associated with certificate extraction.
- Signature-based detection: N/A (Protocol is legitimate).
- Behavioral detection: Monitoring endpoints/tools configured for monitor mode operation on wireless interfaces (`iw dev wlan0 interface add wlan0mon type monitor`). Monitoring for large volumes of EAP traffic fragments across a single session. Deploying network access control (NAC) solutions that actively check for certificate validity and integrity.
- YARA rules: N/A
## Mitigation Strategies
The primary mitigation involves ensuring that certificate-based authentication is robustly implemented, especially concerning certificate trust validation.
- **Strong Authentication Enforcement:** Require strong credential authentication beyond mere certificate exchange, particularly for machine authentication.
- **Network Segmentation and Monitoring:** Implement strong physical/logical port security and monitor network taps for unexpected data extraction activity.
- **Certificate Hardening:** Ensure that the CA certificates used are strictly validated and that client/server certificate usage policies adhere to least privilege. Utilize mechanisms that rely on pre-shared keys or stronger authentication methods where possible if certificate exposure is high risk.
- **In-Band Signaling Control:** Where possible, restrict the ability of supplicants to engage in insecure EAP modes or downgrade TLS versions.
## Related Tools/Techniques
- **Wireshark**: Used for capturing and dissecting EAP traffic via filter `eap`.
- **OpenSSL**: Used for post-capture analysis and conversion of DER certificates to human-readable PEM format.
- **RADIUS Protocol**: The underlying network component facilitating the EAP exchange.