802.1x bypass on LAN

Disclaimer:

Attention! This article is for informational purposes only and is intended for educational purposes.





. , Ethernet-. , Ethernet- 802.1x. , . , . , : 802.1. ?





, 802.1x . , .









  • 802.1x









  • EAP





  • MAB









  • MAB





  • (Bridged-based)





  • Rogue Gateway Attack





  • EAP-MD5





















  • ?





  • 802.1x AE









IEEE 802.1X ― , . . , . .





802.1x

3 :





  •   (Client/Supplicant) ― , . Extensible Authentication Protocol via LAN (EAPoL)





  • (Authenticator) ― , 802.1 , ― .





  • (Authentication Server) ― -, .





:





1.      





. , "" (uncontrolled). 802.1x, .





2.      





(EAPOL-Start).   , EAP-request/identity. EAP-response (, ), , RADIUS Access-Request.





3.       EAP





EAP, .





4.      





-, EAP. (accept) (reject) , . «» (controlled), .





EAP

EAP , , EAP. EAP.





EAP-MD5





:





  1. EAP-Request-Identity .





  2. EAP-Response-Identity.





  3.   EAP-Response-Identity (challenge string) MD5-Challenge-Request .





  4. , challenge string MD5 MD5-ChallengeResponse





  5. MD5-Challenge-Response MD5- challenge string , . , .





EAP : MD5-Challenge-Request, MD5-Challenge-Response . .





EAP-PEAP/EAP-TTLS





:





2 –





1. :





1.1 Authentication Request .





1.2.





1.3. , , , .





1.4. TLS-.





2. . , MS-CHAPv2.





, , . , « ».





EAP-TLS





, , . TLS.





, . .





, , . , « ».





MAB

MAB (MAC Authentication Bypass) – «» , 802.1x. , , , , , . MAB MAC- .





. , 802.1X.





MAB

. MAB . «Bypass».





, (, , PDP-11…), MAC- . MAC .





( « »)





(Bridged-based)

 





2005 , Microsoft, 802.1x, « ». , 802.1x . , , , «controlled» . , , , MAC- IP- .





, , (race condition  ― https://en.wikipedia.org/wiki/Race_condition). , :





SYN- .





  1. SYN / ACK, : , .





  2. RST / ACK.





  3. ACK.





RST/ACK , . UDP-.





MITM- .









- ( , ).





, – ( ). :   









  1.   Promisc-





  2. Promisc-





  3. MAC MAC





  4. SNAT , – , .









Rogue Gateway Attack

Evil Twin, LAN. , , . , « ».





. :





  • MAC-





  • IP-













.





  1. RADIUS- , .





  2. RADIUS- EAPOL-Start MAC- .   EAP-Request-Identity.





  3. , .





  4. MS-CHAPv2-challenge response, NTLM- . [AY1]  .





, .





EAP-MD5

EAP-MD5 ― EAP. .





MD5-Challenge-Request MD5-Challenge-Response MD5-. , , .





: , . , (, Raspberry Pi , ). -, «EAPoL-start» .





Bridged-Based Fenrir.





Cisco





- (Cisco-ISE, AD)





Cisco ISE :





  1. 802.1x with EAP-MD5 –





  2. 802.1x with EAP-TTLS –





Windows





Kali Fenrir-





, .





kali, .





Fenrir : MAC- IP- . create_virtual_tap





, FENRIR. IP-.





run Fenrir . nmap- crackmapexec.





- . , . , .





, . , – … - .





?

MAB . , Cisco ISE Windows, .. MAB- , MAC . , ( ), ( ).





EAP, EAP-MD5 . EAP-TTLS/EAP-PEAP/EAP-TLS/EAP-TTLS , .





MITM- . , , , . , , . ― , 100%- . 100%- MITM- , . , IPsec.





802.1x, 802.1x-2010, . , .





802.1x AE

MITM- MACSec L2.





3 :





  1. . , EAP, PSK.









  2.  





EAP-.





(. « ), , EAPRequest-Identity . EAP-response, .





EAP, . EAP. MACSec.





  , MACSec bridged-based : . EAP (Rogue Gateway EAP-MD5) .





NAC , 802.1x, . , ( bridged-based ).





- 802.1AE IPSec : , .





802.1AE , EAP (Rogue Gateway EAP-MD5).





, 99,9% LAN , :





  1. , , macsec,  .





  2. MACsec+EAP-TLS ( )





  3. ( ) macsec+NEAT ( ), MITM- .







