Disclaimer:
Attention! This article is for informational and educational purposes only.
. , Ethernet-. , Ethernet- 802.1x. , . , . , : 802.1. ?
, 802.1x . , .
IEEE 802.1X – , . . , . .
802.1x
3 :
(Client/Supplicant) – , . Extensible Authentication Protocol over LAN (EAPoL)
(Authenticator) – , 802.1 , – .
(Authentication Server) – -, .
:
1.
. , "" (uncontrolled). 802.1x, .
2.
(EAPOL-Start). , EAP-request/identity. EAP-response (, ), , RADIUS Access-Request.
3. EAP
EAP, .
4.
-, EAP. (accept) (reject) , . «» (controlled), .
EAP
EAP , , EAP. EAP.
EAP-MD5
:
EAP-Request-Identity .
EAP-Response-Identity.
EAP-Response-Identity (challenge string) MD5-Challenge-Request .
, challenge string MD5 MD5-Challenge-Response
MD5-Challenge-Response MD5- challenge string , . , .
EAP : MD5-Challenge-Request, MD5-Challenge-Response . .
EAP-PEAP/EAP-TTLS
:
2 –
1. :
1.1 Authentication Request .
1.2.
1.3. , , , .
1.4. TLS-.
2. . , MS-CHAPv2.
, , . , « ».
EAP-TLS
, , . TLS.
, . .
, , . , « ».
MAB
MAB (MAC Authentication Bypass) – «» , 802.1x. , , , , , . MAB MAC- .
. , 802.1X.
MAB
. MAB . «Bypass».
, (, , PDP-11…), MAC- . MAC .
( « »)
(Bridged-based)
2005 , Microsoft, 802.1x, « ». , 802.1x . , , , «controlled» . , , , MAC- IP- .
, , (race condition – https://en.wikipedia.org/wiki/Race_condition). , :
SYN- .
SYN / ACK, : , .
RST / ACK.
ACK.
RST/ACK , . UDP-.
MITM- .
- ( , ).
, – ( ). :
Promisc-
Promisc-
MAC MAC
SNAT , – , .
Rogue Gateway Attack
Evil Twin, LAN. , , . , « ».
. :
MAC-
IP-
.
RADIUS- , .
RADIUS- EAPOL-Start MAC- . EAP-Request-Identity.
, .
MS-CHAPv2-challenge response, NTLM- . .
, .
EAP-MD5
EAP-MD5 – EAP. .
MD5-Challenge-Request MD5-Challenge-Response MD5-. , , .
: , . , (, Raspberry Pi , ). -, «EAPoL-start» .
Bridged-Based Fenrir.
Cisco
- (Cisco-ISE, AD)
Cisco ISE :
802.1x with EAP-MD5 –
802.1x with EAP-TTLS –
Windows
Kali Fenrir-
, .
kali, .
Fenrir : MAC- IP- . create_virtual_tap
, FENRIR. IP-.
run Fenrir . nmap- crackmapexec.
- . , . , .
, . , – … - .
?
MAB . , Cisco ISE Windows, .. MAB- , MAC . , ( ), ( ).
EAP, EAP-MD5 . EAP-TTLS/EAP-PEAP/EAP-TLS/EAP-TTLS , .
MITM- . , , , . , , . – , 100%- . 100%- MITM- , . , IPsec.
802.1x, 802.1x-2010, . , .
802.1x AE
MITM- MACSec L2.
3 :
. , EAP, PSK.
EAP-.
(. « ), , EAP-Request-Identity . EAP-response, .
EAP, . EAP. MACSec.
, MACSec bridged-based : . EAP (Rogue Gateway EAP-MD5) .
NAC , 802.1x, . , ( bridged-based ).
- 802.1AE IPSec : , .
802.1AE , EAP (Rogue Gateway EAP-MD5).
, 99,9% LAN , :
, , macsec, .
MACsec+EAP-TLS ( )
( ) macsec+NEAT ( ), MITM- .