802.1X / EAP Bypass

• Physical port-based network access control

• The new device has to authenticate in order to access the network beyond the switch

3 roles involved:

1. SUPPLICANT : The new device

2. AUTHENTICATOR : The switch (or Wireless AP)

3. AUTHENTICATION SERVER : The server responsible for checking credentials (Usually a RADIUS server)

a switch port is considered "closed" by the network until successful authentication completes. The client must use an 802.1X supplicant to authenticate to the network before the port becomes "open," granting access to the internal network.

EAP

EAP (Extensible Authentication Protocol)

• Defines authentication message formats

• LOTS of different formats (EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PSK, etc…)

  • Some are very weak (LEAP)

• EAP is NOT a wire protocol

• EAP messages are encapsulated by other protocols

  • EAPoL = EAP over LAN

  • PEAP = Protected EAP (mainly used on Windows systems)

To use NAC with 802.1X, all devices that are authenticating to the network must support the EAP method in use and have the necessary supplicant software. Devices that do not support 802.1X or do not support the EAP type in use are generally excluded from network policies (such as printers and other embedded devices), creating a bypass opportunity if an attacker can access the port.

Supplicant must be able to send EAP traffic to RADIUS for authentication. also switch is agnostic to EAP method, so it does not inspect packet content. so there is an opportunity to fuzz, exploit RADIUS backend before authentication

Port-Based Access Control

• The Authenticator defines 2 logical states per physical port

  • Uncontrolled State

  • Controlled State

• The uncontrolled state allows 802.1x frames only

  • The Authenticator forwards the frames to the Authentication Server

• The controlled state acts like a “normal” port

  • The network is fully accessible

  • From this point, any packet can go wherever it needs to on the network without authentication

802.1x only acts as a gatekeeper, If a device is compromised when already connected to the LAN, 802.1x protection is useless.

802.1x is not a solution to protect a LAN against BYOD hazards, The compromised device will authenticate against 802.1x as usual.

It is also possible to retrieve credentials/certificates on legitimate devices

bruteforce is not possible

Pre-connection Scenario

Wired EAP Shadow Attack

It is possible to spoof the mac address of following devices and obtain network access:

1. Physical devices like old VOIP phone, Printers, cameras etc may not support 802.1x authentication and mac addresses assigned to these devices can be spoofed to obtain IP address.

2. Physical access to 802.1x authenticated VOIP phones, printer, etc may disclose mac and IP info from the network settings menu, stickers on the backside, etc.

3. Boot menu of certain workstations, laptops etc may disclose mac address.

In order to avoid an IP address conflict, the attacker uses a different IP address than the impersonated system (but the same MAC address). Since IEEE 802.1X is a Layer 2 protocol, the authenticating device (the switch in this case) doesn't care about the IP address of the attacker, allowing the attacker to communicate freely.

macchanger -m XX:XX:XX:XX:XX:XX

VOIP Hopping via CDP packets

CDP protocol can be abused to hop the VLAN and obtain IP address.

Voiphopper can be used to execute this attack.

voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L   'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1

VLAN Hopping via DTP Packets

It is possible to hop VLANs by abusing DTP protocol.

frogger can be used to execute such attacks

root@kali:/opt/# git clone https://github.com/nccgroup/vlan-hopping
root@kali:/opt# cd vlan-hopping/
root@kali:/opt/vlan-hopping# ls
frogger.sh  LICENSE  README.md
root@kali:/opt/vlan-hopping# ./frogger.sh

Probe Request

Fire up wireshark and check for MAC addresses in probe request. Try spoofing the MAC gathered from probe request.

Post-Connect Scenario

In a post-connect scenario you are allowed to the network for a small period of time and a set of checks are ran against your endpoint. If the endpoint fails to meet the requirements, it will be disallowed to use any resource further

Traffic Injection

802.1x provides Network Access Control. It does NOT provide traffic encryption (many people believe it does). It does NOT provide per-packet authentication.

Traffic Injection : spoof a legitimate and authenticated supplicant’s MAC and IP address to fake legitimate packets. it still works today in a vast majority of cases (Especially works in traditional Windows environments)

Traffic Injection is the most reliable technique to physically attack a 802.1x network

FENRIR

GitHub - Orange-Cyberdefense/fenrir-ocdGitHub

You need 2 interfaces for this

• Frames at “A” : appear to be coming from the legitimate host

• Frames at “B” : appear to be coming from the network

• Frames at “C” : appear to be addressed to the legitimate host

• Frames at “D” : appear to be addressed to the network

FENRIR captures frames on both physical interfaces and rewrites headers to make the FENRIR host disappear. Frames from/to the legitimate host are forwarded (You can also do whatever you want to do on them too here). Frames from/to FENRIR are rewritten.

Tools

GitHub - scipag/nac_bypass: Script collection to bypass Network Access Control (NAC, 802.1x)GitHub