Posted by:
admin
14 years, 4 months ago
Every year at DefCon there is a Wall of Sheep where the usernames and passwords for non-encrypted logins are posted, and every year there are usernames and passwords on it.
We have set up OpenVPN on an Amazon instance and configured it to use WiKID Strong Authentication without any user validation (i.e., we don't care who you are). This configuration will allow you to get an outbound Internet connection without using static credentials. The OpenVPN client is set up to push all your connections through Amazon.
How do you get it?
First, download and install a WiKID software token. You can use any token - Blackberry, Android, iPhone, Windows Mobile, Windows/Mac/Linux. Add the domain 888888888888. You will be prompted to set your PIN and you will get back an alphanumeric registration code. You need this code. Enter this code into this registration page.
OK, you've swapped public keys with the server and you've associated the key exchange with the username you submitted on the form. Now, install OpenVPN and download the appropriate OpenVPN client file:
And download this ca.crt:
You will need to edit the client configuration file to point to the location of the ca.crt. Other changes shouldn't be needed, but if they are, or if something is misconfigured, please let me know (via @wikidsystems on Twitter).
Start the client. You will be prompted for a username. Use the name you registered. Generate a one-time password from the token and enter it as the password. You should get connected. Please don't abuse the connection.
The client should route all your traffic through the Amazon cloud over OpenVPN and from there out to the Internet. It has been tested on OSX and Ubuntu.
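A pre-flight check for the edited client file, added here as an example (it is not part of the original post or WiKID's own tooling): it confirms that the `ca` path resolves, that `auth-user-pass` prompts for the one-time password instead of reading a stored credentials file, and that a server certificate check is configured. The function names, sample configs, host name and paths are assumptions; the directive names are standard OpenVPN options.

```python
import os
import shlex

def parse_directives(text):
    """Map each OpenVPN directive to the list of argument lists it appears with."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment styles
            continue
        parts = shlex.split(line, comments=True)  # also strips trailing "# ..." comments
        if parts:
            found.setdefault(parts[0], []).append(parts[1:])
    return found

def audit_client_config(text, file_exists=os.path.isfile):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = parse_directives(text), []
    ca = d.get("ca", [[]])[0]
    if "<ca>" not in d:                          # an inline <ca> block needs no path
        if not ca:
            findings.append("ca: missing, server certificate cannot be validated")
        elif not file_exists(ca[0]):
            findings.append("ca: file not found: " + ca[0])
    aup = d.get("auth-user-pass")
    if aup is None:
        findings.append("auth-user-pass: missing, no username/OTP prompt")
    elif any(aup):                               # an argument means a stored credentials file
        findings.append("auth-user-pass: credentials file given, OTP must be typed")
    if not any(k in d for k in ("remote-cert-tls", "ns-cert-type", "verify-x509-name")):
        findings.append("remote-cert-tls: no server certificate check configured")
    if "auth-nocache" not in d:
        findings.append("auth-nocache: entered password stays cached in memory")
    return findings

# Constructed sample configs (host and paths are placeholders, not the post's files).
GOOD = """client
dev tun
remote vpn.example.invalid 1194
ca /etc/openvpn/ca.crt
auth-user-pass
auth-nocache
remote-cert-tls server
"""
WEAK = """client
remote vpn.example.invalid 1194
ca ca.crt   # relative path, resolved from the working directory
auth-user-pass creds.txt
"""
```

Call `audit_client_config(open(path).read())` on the downloaded client file after editing the `ca` line; an empty list means the checks passed.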
If you have problems, you can try to find me at DefCon or BSidesLV. You can ping me on twitter too: @wikidsystems. Any feedback is much appreciated.
Enjoy & be safe.
PS: Special thanks to @andrewsmhay for testing and the Mac OSX conf file!