802.1X / EAP Bypass
Physical port-based network access control
The new device has to authenticate in order to access the network beyond the switch
3 roles involved:
SUPPLICANT : The new device
AUTHENTICATOR : The switch (or Wireless AP)
AUTHENTICATION SERVER : The server responsible for checking credentials (Usually a RADIUS server)
a switch port is considered "closed" by the network until successful authentication completes. The client must use an 802.1X supplicant to authenticate to the network before the port becomes "open," granting access to the internal network.
EAP
EAP (Extensible Authentication Protocol)
Defines authentication message formats
LOTS of different formats (EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PSK, etc…)
Some are very weak (LEAP)
EAP is NOT a wire protocol
EAP messages are encapsulated by other protocols
EAPoL = EAP over LAN
PEAP = Protected EAP (mainly used on Windows systems)
To use NAC with 802.1X, all devices that are authenticating to the network must support the EAP method in use and have the necessary supplicant software. Devices that do not support 802.1X or do not support the EAP type in use are generally excluded from network policies (such as printers and other embedded devices), creating a bypass opportunity if an attacker can access the port.
Supplicant must be able to send EAP traffic to RADIUS for authentication. also switch is agnostic to EAP method, so it does not inspect packet content. so there is an opportunity to fuzz, exploit RADIUS backend before authentication
Port-Based Access Control
The Authenticator defines 2 logical states per physical port
Uncontrolled State
Controlled State
The uncontrolled state allows 802.1x frames only
The Authenticator forwards the frames to the Authentication Server
The controlled state acts like a “normal” port
The network is fully accessible
From this point, any packet can go wherever it needs to on the network without authentication
802.1x only acts as a gatekeeper, If a device is compromised when already connected to the LAN, 802.1x protection is useless.
802.1x is not a solution to protect a LAN against BYOD hazards, The compromised device will authenticate against 802.1x as usual.
It is also possible to retrieve credentials/certificates on legitimate devices
bruteforce is not possible
Pre-connection Scenario
Wired EAP Shadow Attack
It is possible to spoof the mac address of following devices and obtain network access:
Physical devices like old VOIP phone, Printers, cameras etc may not support 802.1x authentication and mac addresses assigned to these devices can be spoofed to obtain IP address.
Physical access to 802.1x authenticated VOIP phones, printer, etc may disclose mac and IP info from the network settings menu, stickers on the backside, etc.
Boot menu of certain workstations, laptops etc may disclose mac address.
In order to avoid an IP address conflict, the attacker uses a different IP address than the impersonated system (but the same MAC address). Since IEEE 802.1X is a Layer 2 protocol, the authenticating device (the switch in this case) doesn't care about the IP address of the attacker, allowing the attacker to communicate freely.
VOIP Hopping via CDP packets
CDP protocol can be abused to hop the VLAN and obtain IP address.
Voiphopper can be used to execute this attack.
VLAN Hopping via DTP Packets
It is possible to hop VLANs by abusing DTP protocol.
frogger can be used to execute such attacks
Probe Request
Fire up wireshark and check for MAC addresses in probe request. Try spoofing the MAC gathered from probe request.
Post-Connect Scenario
In a post-connect scenario you are allowed to the network for a small period of time and a set of checks are ran against your endpoint. If the endpoint fails to meet the requirements, it will be disallowed to use any resource further
Traffic Injection
802.1x provides Network Access Control. It does NOT provide traffic encryption (many people believe it does). It does NOT provide per-packet authentication.
Traffic Injection : spoof a legitimate and authenticated supplicant’s MAC and IP address to fake legitimate packets. it still works today in a vast majority of cases (Especially works in traditional Windows environments)
Traffic Injection is the most reliable technique to physically attack a 802.1x network
FENRIR
You need 2 interfaces for this
Frames at “A” : appear to be coming from the legitimate host
Frames at “B” : appear to be coming from the network
Frames at “C” : appear to be addressed to the legitimate host
Frames at “D” : appear to be addressed to the network
FENRIR captures frames on both physical interfaces and rewrites headers to make the FENRIR host disappear. Frames from/to the legitimate host are forwarded (You can also do whatever you want to do on them too here). Frames from/to FENRIR are rewritten.
Tools
Last updated