
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010

BSides DC · 2018 · 51:12 · 365 views · Published 2018-11

About this talk
Gabriel Ryan demonstrates novel techniques for bypassing 802.1x-2010 port security by exploiting weaknesses in EAP authentication methods and MacSEC encryption. The talk covers rogue gateway attacks, bridge-based techniques, and the security implications of weak EAP methods like MD5 and MSCHAPv2, culminating in the release of Silent Bridge, an open-source tool that implements these attack vectors.
Existing techniques for bypassing wired port security are limited to attacking 802.1x-2004, which does not provide encryption or the ability to perform authentication on a packet-by-packet basis [1][2][3][4]. The development of 802.1x-2010 mitigates these issues by using MacSEC to add Layer 2 encryption and packet integrity checks to the protocol [5]. Since MacSEC encrypts data on a hop-by-hop basis, it successfully protects against the bridge-based attacks pioneered by the likes of Steve Riley, Abb, and Alva Duckwall [5][6]. In addition to the development of 802.1x-2010, improved 802.1x support by peripheral devices such as printers also poses a challenge to attackers. Gone are the days in which bypassing 802.1x was as simple as finding a printer and spoofing its address, as hardware manufacturers have gotten smarter. In this talk, we will introduce a novel technique for bypassing 802.1x-2010 by demonstrating how MacSEC fails when weak forms of EAP are used. Additionally, we will discuss how improved 802.1x support by peripheral devices does not necessarily translate to improved port security, due to the widespread use of weak EAP. Finally, we will consider how improvements to the Linux kernel have made bridge-based techniques easier to implement, and demonstrate an alternative to using packet injection for network interaction. We have packaged each of these techniques and improvements into an open source tool called Silent Bridge, which we plan on releasing at the conference.
[1] https://blogs.technet.microsoft.com/steriley/2005/08/11/august-article-802-1x-on-wired-networks-considered-harmful/
[2] https://www.defcon.org/images/defcon-19/dc-19-presentations/Duckwall/DEFCON-19-Duckwall-Bridge-Too-Far.pdf
[3] https://www.gremwell.com/marvin-mitm-tapping-dot1x-links
[4] https://hackinparis.com/data/slides/2017/2017_Legrand_Valerian_802.1x_Network_Access_Control_and_Bypass_Techniques.pdf
[5] https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/deploy_guide_c17-663760.html
[6] https://1.ieee802.org/security/802-1ae/

Gabriel Ryan (Managing Security Consultant at Digital Silence)

Gabriel Ryan is a penetration tester and researcher with a passion for wireless and infrastructure testing. He currently serves as co-founder and managing security consultant for Digital Silence, a Denver based consulting firm that specializes in impact driven penetration testing and red team engagements. Prior to joining Digital Silence, Gabriel worked as a penetration tester and researcher for Gotham Digital Silence, contributing heavily to their wireless security practice and regularly performing large scale infrastructure assessments and red teams for Fortune 500 companies. Some of Gabriel’s most recent work includes the development of EAPHammer, an 802.11ac focused tool for breaching WPA2-EAP networks. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys producing music, exploring the outdoors, and riding motorcycles.
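The exchange the abstract describes (an optional EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, then the negotiated EAP method and a final EAP Success or Failure) is visible on the wire, so a defender can audit a port capture for which method a supplicant actually used. The following is an added example, not code from the talk or from Silent Bridge: it parses Ethernet/EAPOL/EAP frames and flags a method that lacks the mutual authentication and key derivation that 802.1X-2010 requires, which is how a printer or badge reader still speaking EAP-MD5 shows up in an inventory. The MAC addresses, identities and frames are constructed sample data; the EAP type numbers and the per-method properties are taken from the IANA EAP registry and RFC 3748.

```python
"""Audit an 802.1X (EAPOL/EAP) exchange for weak EAP methods.
Added example; the frames at the bottom are constructed, not captured."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # 802.1X PAE group address

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method types; properties are those stated in RFC 3748 / the method RFCs
EAP_METHODS = {
    1: ("Identity", None),
    3: ("Nak", None),
    4: ("EAP-MD5-Challenge", {"mutual_auth": False, "key_derivation": False, "tunnel": False}),
    13: ("EAP-TLS", {"mutual_auth": True, "key_derivation": True, "tunnel": False}),
    21: ("EAP-TTLS", {"mutual_auth": True, "key_derivation": True, "tunnel": True}),
    25: ("PEAP", {"mutual_auth": True, "key_derivation": True, "tunnel": True}),
}


def parse_eap(body: bytes) -> dict:
    """Decode one EAP packet: Code, Identifier, Length, then Type for Request/Response."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    rec = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "type": None}
    if code in (1, 2) and length >= 5:              # Request/Response carry a method type
        mtype = body[4]
        name, props = EAP_METHODS.get(mtype, (f"unknown({mtype})", None))
        data = body[5:length]
        rec.update({"type": mtype, "method": name, "props": props})
        if mtype == 1 and code == 2:                # Response/Identity: username in the clear
            rec["identity"] = data.decode("utf-8", "replace")
        elif mtype == 3:                            # Nak: methods the supplicant would accept
            rec["desired"] = [EAP_METHODS.get(t, (f"unknown({t})", None))[0] for t in data]
    return rec


def parse_frame(raw: bytes) -> dict:
    """Decode Ethernet + EAPOL header; the EAP body is only present for EAPOL type 0."""
    if len(raw) < 18:
        raise ValueError("frame too short for EAPOL")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, blen = struct.unpack("!BBH", raw[14:18])
    body = raw[18:18 + blen]
    if len(body) < blen:
        raise ValueError("EAPOL body truncated")
    rec = {"src": src.hex(":"), "dst": dst.hex(":"), "eapol_version": version,
           "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "eap": None}
    if ptype == 0:
        rec["eap"] = parse_eap(body)
    return rec


def audit_exchange(frames) -> dict:
    """Walk one port's frames; report identity, methods used, outcome and findings."""
    summary = {"identity": None, "methods": [], "result": None, "findings": []}
    for raw in frames:
        eap = parse_frame(raw)["eap"]
        if eap is None:
            continue
        if "identity" in eap:
            summary["identity"] = eap["identity"]
            summary["findings"].append(f"identity {eap['identity']!r} sent unencrypted")
        if eap["code"] == "Response" and eap["type"] not in (None, 1, 3):
            if eap["method"] not in summary["methods"]:
                summary["methods"].append(eap["method"])
                p = eap["props"]
                if p is None:
                    summary["findings"].append(f"{eap['method']}: unrecognised method, review manually")
                elif not (p["mutual_auth"] and p["key_derivation"]):
                    summary["findings"].append(
                        f"{eap['method']}: no mutual authentication / key derivation, "
                        "not permitted by 802.1X-2010")
                elif p["tunnel"]:
                    summary["findings"].append(
                        f"{eap['method']}: tunnelled method, strength depends on server "
                        "certificate validation and on the inner method")
        if eap["code"] in ("Success", "Failure"):
            summary["result"] = eap["code"]
    return summary


# ---- constructed sample data (hypothetical addresses and identities) ----
def build_eap(code, ident, mtype=None, data=b""):
    payload = b"" if mtype is None else bytes([mtype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_frame(src, dst, eapol_type, eap=b""):
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 2, eapol_type, len(eap)) + eap


SUPPLICANT, SWITCH = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
SAMPLE_MD5_EXCHANGE = [                                   # a printer using EAP-MD5
    build_frame(SUPPLICANT, PAE_GROUP_ADDR, 1),                                 # EAPOL-Start
    build_frame(SWITCH, SUPPLICANT, 0, build_eap(1, 1, 1)),                     # Request/Identity
    build_frame(SUPPLICANT, SWITCH, 0, build_eap(2, 1, 1, b"printer-3f")),      # Response/Identity
    build_frame(SWITCH, SUPPLICANT, 0, build_eap(1, 2, 4, bytes([16]) + bytes(16))),   # MD5-Challenge
    build_frame(SUPPLICANT, SWITCH, 0, build_eap(2, 2, 4, bytes([16]) + bytes(16))),   # MD5 response
    build_frame(SWITCH, SUPPLICANT, 0, build_eap(3, 2)),                        # Success
]
SAMPLE_PEAP_EXCHANGE = [                                  # same supplicant, PEAP instead
    build_frame(SWITCH, SUPPLICANT, 0, build_eap(1, 1, 1)),
    build_frame(SUPPLICANT, SWITCH, 0, build_eap(2, 1, 1, b"printer-3f")),
    build_frame(SWITCH, SUPPLICANT, 0, build_eap(1, 2, 25, b"\x20")),          # PEAP Start flag
    build_frame(SUPPLICANT, SWITCH, 0, build_eap(2, 2, 25, b"\x00" + b"\x16\x03\x01")),  # TLS hello (stub)
]

if __name__ == "__main__":
    for name, ex in (("EAP-MD5 port", SAMPLE_MD5_EXCHANGE), ("PEAP port", SAMPLE_PEAP_EXCHANGE)):
        print(name, audit_exchange(ex))
```

Run over a real capture by feeding each EAPOL frame's bytes to audit_exchange in order; any port whose findings contain "not permitted by 802.1X-2010" is a device that will never reach the MACsec secure state and is a candidate for re-provisioning to a certificate-based method.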
Transcript (en)

BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers for making 2018 a success. Welcome to Own the LAN 2018, Splinter Cell edition / Ghost Recon. So I work for a company called Digital Silence. We're a Denver based security consulting firm, basically a small boutique, if you will, firm of pen testers who give a ... if you've ever had a pen test by people who don't give a ..., you probably know what I'm talking about. My name is Gabriel Ryan. I'm a co-founder and senior security assessment manager at Digital Silence. I used to work for GDS, and also a Chantilly based firm called OG Systems. Red teamer, researcher, new dad actually,

so hence the lack of sleep. My LinkedIn handle is kind of interesting, it's "M zero A zero six seven". So this is a talk that primarily deals with 802.1X. So before we go into the new stuff we should probably do some background information. So let's talk about what 802.1X is. 802.1X is an authentication protocol. It's used to protect local area networks, or even wireless local area networks, with rudimentary authentication. 802.1X is defined as an exchange between three parties. You basically have a supplicant, that's the client device that's trying to connect to the network. You have the authenticator, which is the network device, it's usually like a switch, that is providing access to the network, so the supplicant's connected to the authenticator to get to the network. And you have the authentication server. The authentication server is basically the host that's running on the network, usually running RADIUS software or something similar, and its job is pretty much to make the final decision as to whether the supplicant can access the network or not. So you can think of the authenticator as kind of a gatekeeper. The supplicant will connect to it via a switch port and provide it with its credentials, and then the authenticator is going to forward those credentials to the authentication server, at which point the authentication server is going to validate those credentials and either allow the

device to access the network or not. 802.1X is typically a four step sequence, beginning with initialization, going to initiation, EAP negotiation, and finally authentication. So when we have a port that's protected by 802.1X it can be in one of two states: authorized, in which traffic is unrestricted, at least at the port level, or unauthorized, in which traffic is restricted to 802.1X traffic only. So the first step of this process we mentioned was initialization. What this means is that during this first step the supplicant's going to connect to the switch port, which is going to start out disabled. The authenticator is going to detect that there's a new connection there and actually enable the switch port. The switch port is going to start off in the unauthorized state. Once that happens we proceed to initiation, where we're initiating the authentication process. The first step, which is optional, the supplicant is going to send an EAPOL-Start frame. What this frame is doing is saying, hey, I want to authenticate. The authenticator is going to respond with an EAP-Request/Identity frame, and that's basically asking the supplicant, hey, who are you, give me a username or something. The supplicant's going to send an EAP-Response/Identity frame in response to that, containing an identifier, usually a username, and the authenticator is going to encapsulate that EAP-Response/Identity in something that the authentication server can understand. So it's going to encapsulate it in a RADIUS Access-Request frame and forward that off to the authentication server.

At that point basically the supplicant and the authentication server haggle a bit, and the reason why they do this is, as we mentioned, well, okay, so 802.1X is basically an encapsulation of EAP, or Extensible Authentication Protocol, for use over local area networks. And the reason why EAP is known as Extensible Authentication Protocol, or extensible, is because it's really more of a black box for performing authentication. It's more of a framework rather than a fully fledged protocol. It's defining message formats, and beyond those message formats it's pretty much left up to the individual implementation of EAP, and those implementations are known as EAP methods, as to the nitty-gritty details about how the authentication should take place. So long story short, the authentication server and the supplicant are going to negotiate until they decide on an EAP method they're both okay with, and once they do that they proceed to the authentication itself. As we mentioned, the specific details are implementation specific, or method specific, but the important takeaway here is that it will always result in an EAP Success or EAP Failure message. If you get an EAP Success message it means that the authentication has succeeded, and at that point the switch port switches to an authorized state and you can send traffic through; otherwise it remains unauthorized.

So we mentioned EAP. What is it? So EAP, as we mentioned, it's more of an authentication framework. It only defines formats; it's not really a fully fledged protocol itself. And we mentioned that EAP methods are what we call the individual EAP implementations, and that you can think about it as a black box for performing authentication. Some notable EAP methods: there's EAP-MD5, it's been around for a really long time, spoiler, it sucks. There's EAP-PEAP, another spoiler, it doesn't quite suck as much as EAP-MD5 but it's still not great. I know it's open, it looks delicious, so I

just have to throw it in there. And there's EAP-TLS, which has historically been regarded as one of the better implementations of EAP, but some stuff that was released last summer kind of throws a little bit of a wrench in that. So with that, let's do a brief history of wired port security, just to kind of establish the groundwork for what we're going to talk about today. So back in 2001 the 802.1X-2001 standard was created to provide rudimentary authentication to LANs. That was the first version of the protocol. Fast forward a bit to 2004, we got the 802.1X-2004 standard, which was an amendment to the protocol that was created, basically extending the protocol to facilitate its use in wireless networks as well as wired networks. In 2005, a year after that, the first major bypass for this protocol was released. Steve Riley demonstrated that you could simply put a hub between the supplicant and the authenticator, and what that would do is it would allow you to passively sniff traffic. You couldn't really inject traffic fully, because if you tried to inject TCP packets it would cause a race condition, but you could inject UDP packets, which is still kind of cool, but it was your first real bypass for this. Six years after that, Abb from Gremwell Security created a tool called Marvin, implemented in Java, and it was able to bypass 802.1X by introducing the rogue device directly between the supplicant and the switch. So you didn't really need a hub anymore; you could actually just put a device with two network interfaces between the supplicant and the switch and, kind of like you'd use a bridge, essentially a Linux bridge, forward traffic back and forth between the two of them, and it was able to interact fully with the network, so full TCP injection and full UDP using packet injection. Later that year, actually, it was one of those interesting cases where you had two people working on a similar problem at the same time and they came up with slightly different but pretty unique solutions to it. Later that year Alva Duckwall released his own 802.1X-2004 bypass. Like Abb's bypass, it used a transparent bridge to introduce the rogue device directly between the supplicant and the switch, but what he did that was a bit different is he used source NATing, instead of packet injection, to achieve full network interaction. So essentially what happens there is that you use iptables to create a source NAT. It makes it look as if all traffic originating from the rogue device is coming from the supplicant. So it's pretty cool, and we're going to talk about that more in a bit. Fast forward again to 2017, Valérian Legrand created a tool called Fenrir, which works similarly to Duckwall's tool but implements everything using Python and Scapy. So it basically does something similar but just at a very high level, which makes it a bit more affordable and easier to use. It has a modular design, support for Responder, all kinds of interesting stuff. So I think whenever you're starting off on a research project it's useful to go over the existing work and also try to see if you can implement the existing attacks, just so you have a better understanding of what you're doing, and if there's room to improve them you should do that as well. So kind

of along that line of thought, one thing I did starting out this project was to look at Duckwall's 802.1X bypass a bit more closely. We mentioned it uses a transparent bridge to silently introduce the rogue device between the supplicant and the authenticator, and that Duckwall's bypass achieves full network interaction by creating a source NAT to make it look like all the traffic originating from the rogue device is coming from the workstation, or whatever the supplicant is. The interesting thing is, when you think about a situation where you have to bypass port security, wired port security, 802.1X, right, you're usually in a situation where it's either some kind of physical security assessment or, a lot of times, a red team assessment where you're basically in a physical location that you probably aren't allowed to be in, and you're leaving something behind, right. You don't want to sit there trying to mess with this stuff; you want to drop something off and then get out, and then it needs to work. So you need a way of connecting to the rogue device remotely while it's on someone else's network. So with that in mind, the way Duckwall approached that problem is, well, he had two solutions. The first was to create a hidden SSH service using destination NATing, which is cool because, depending on what your IP address was, you could connect to the device remotely. And the other solution that he provided, and this is the one that I think he'd end up using more often, just so you can deal with stuff like NAT, was to create, basically, the rogue device had the ability to tunnel outward over SSH and then create a reverse tunnel that would punch back through the firewall into the device. So that was how he achieved the remote access problem.

With that, there are some issues that he had to deal with. The first one was that the Linux kernel, at least at the time, would not forward EAPOL packets over a bridge. Existing tools deal with this problem usually by patching the Linux kernel or relying on a higher-level library such as Scapy. So that's why Valérian Legrand was implementing everything at a higher level, so that you didn't have to worry about patching the kernel. There are problems with both these approaches though. Relying on the kernel patches can become unwieldy; there aren't any publicly available kernel patches for modern kernel versions. And relying on high-level tools such as Scapy can make the bridge stall under heavy loads, and if you're introducing a bottleneck to the network that's one surefire way to have someone go and track down your device, because you're causing an outage and people will complain. Granted, I mean, at the time period when Duckwall released this thing you didn't really have a choice in the matter; he had to use the kernel patches because that was all there was. But fortunately, after looking into it, it turns out the situation has improved dramatically since Duckwall's

contribution was released. In fact, as of 2012, EAPOL bridging can actually be enabled using something called the proc file system. The proc file system, you can think about it as an API to the Linux kernel. It's basically files; you can edit values on the fly and it will change configurations. And one thing you can do now is you can change the value of one of the files in the proc file system to enable EAPOL bridging, which is great because it means no more patching. So that's one improvement I added. The other improvement I added was support for side channel interaction. When Duckwall created his original 802.1X bypass you had to figure out how to provide the attacker with access to the rogue device, but remember, this was in 2011 and cellular modems were pretty unsophisticated. They were slow and they were expensive. You couldn't just go down to Best Buy and get an LTE dongle and plug it into your rogue device; that just wasn't an option. So that's why you had to rely on SSH. There are some problems with this approach though, it's not perfect. It relies on the assumption that egress filtering can be bypassed, which it can't always be, and it also relies on pushing traffic through the target network, which creates yet another opportunity for detection. Fortunately, now we actually have a lot more available in terms of side channel options, specifically LTE dongles, and different radios and stuff you can add to your device. So the objective of the implementation, basically what I did, is add to and modify some of the existing firewall rules from the original scripts and add support for side channel interaction. So now you can connect over LTE if you want to, and it makes this a lot smoother. So I'm just gonna demo this really fast. So what you're seeing here, can you guys see that okay? Okay, well, all right, we're gonna play, let's play pretend. Okay, well it's not really pretend because it's up there, but all right. So I

want you to visualize, I'm just joking. I want you to look on the left side of the screen. There is a terminal, and that terminal corresponds to a session that's SSHing into the rogue device over the side channel. And on the bottom right here we have the switch, and there's a little green light here with an Ethernet cable plugged into it. When this light is green it means that we're currently authenticated and connected. When it's yellow, what that means is that it's currently authenticating or trying to connect. If it turns off and stays off, it means that either we've disconnected the device or we've caused a port security violation and the switch port has been blocked, which is not good. And in the top right we have a screen share of a workstation that is connected to the switch. So we've inserted our rogue device directly between this workstation in the top right and the switch, and you can see that the workstation is just constantly pinging Google, actually just because their DNS servers are good for this kind of stuff. So what happens is that when we connect our device you're going to briefly see that the ping attempts start failing, and that light will turn off, because we've kind of interrupted that connection. But then we're going to start our bridge-based bypass, and what that's gonna do, we're going to run it now and create our bridge, and what you're going to see in a second is that that yellow light turns on and then turns green, and the supplicant has managed to reauthenticate with the switch, and we are now sitting directly between the switch and the supplicant. Now we can pretty much sniff any traffic going between the two of them. We can use that information to get the prerequisite metadata to add full interaction, so we're going to run a second command that uses that, and that's going to give us essentially our source NAT, and that's going to give us our full network interaction. So we do that and it's gonna run, and you can see here we run it, and now what's going to happen on the left is that we're going to run nmap, and we're able to actually run an nmap scan as if we were the host up in the top right there. So that's our full bypass. So yeah, so the reason why this works, right, all traditional 802.1X bypasses, hub based, injection based, bridge based, they all take advantage of the same fundamental security flaw, and that's that 802.1X, at least in its traditional forms up until recently, did not provide

encryption and it did not provide support for authentication on a packet-by-packet basis. Authentication happens up front, and then once it's authenticated, that's it, it's done, right. So that's why you can kind of get away with doing that. To deal with this issue there's another amendment to the 802.1X protocol which is actually just starting to take off. Actually, the top, I want to say, four or five-ish manufacturers of enterprise networking hardware are just starting to actually offer support for this in some of their higher-end models. But yeah, the 802.1X-2010 protocol was designed to deal with this, and the way that it deals with this is by using something called MACsec. And MACsec, what it does is it provides layer 2 encryption on a hop-by-hop basis, and also provides packet-by-packet integrity checks, so if the packet gets modified in any way you'll see that. The support for hop-by-hop encryption is actually particularly important, because not only does it protect against the bridge based attacks that we just saw, it also provides network administrators with the means to inspect data in transit. So if you're a network administrator you want to be able to look at what the traffic is doing, and if you encrypt everything, right, normally you'd think, well, that might actually work against me because now I can't look at it. But because the encryption is being implemented on a hop-by-hop basis you can still look at it, because it gets decrypted between every hop. So if you want to inspect it, you can. That's pretty cool.

So 802.1X-2010, it works in three stages. There's the authentication and master key distribution, and then we move to the session key agreement, and finally we move to the session secure state. We're going to talk about these in a second. Authentication pretty much plays out like the authentication process that we described in the very beginning: initialization, initiation, EAP negotiation, and finally you move on to your EAP, whatever implementation of EAP you're using, your authentication. The only difference is at the very end of it you need to be able to support a few more things transmitted from the authentication server to the supplicant, but other than that it's pretty much analogous. Once we've managed to get through stage one we then go to stage two, the session key agreement, and pretty much what's going to happen there is that we're going to establish that the supplicant is actually capable of supporting MACsec. If it is, we're going to install the SAK and key name on the supplicant. Once we do that, that moves us to stage three, and that's the session secure state, and by the way, once we've reached stage three that is when we are actually protecting all this communication using that layer 2 encryption, using MACsec. So if you think about how you could bypass something like this, because our traditional methods kind of go out the window and we have to deal with this new version of the protocol, well, this is a passage in the IEEE 802.1X-2010 standard, actually its section 6.6 if

you want to look it up. It actually kind of stuck out. I mean, the reason for that, well, if you read it, it pretty much says that the layer 2 encryption provided by MACsec is actually in some ways comparable to the similar forms of protection that you'd see protecting wireless networks using 802.11. So I think what they're really referring to here is WPA, and actually if you look at this closely there are some parallels between MACsec and WPA. And whenever you're trying to find some way of exploiting some new software, or even finding a weakness in a fairly new technology, it's always useful to look for parallels between whatever you're working with and stuff that has been compromised in the past. So with that in mind, if we look back to 2003, WPA, WPA1, was released, and what was the cool new feature of WPA1? Well, it was offering hop-by-hop layer 2 encryption, and at this point WPA was offering it from the access point to the station. But authentication was provided by Extensible Authentication Protocol, or EAP, and you could also use PSK, pre-shared key, as a fallback or alternative. When this was released, the wireless security community, at least the offensive wireless security community, had to pretty much undergo a pretty big paradigm shift, because up until then people were relying on injection based attacks, they were relying on sniffing, man-in-the-middle attacks, and that didn't really work as well anymore, particularly once we moved on to WPA2. So there had to be a focus shift, and that focus shift was from those kinds of attacks to attacking the authentication mechanism. So you started to see, instead of attacking WPA itself, people would attack the authentication mechanism. So they'd attack the PSK, which is when you see the traditional WPA handshake capture, the dictionary attack, and more recently the PMKID stuff, and for enterprise networks you'd see the rogue AP attacks against weak EAP methods.

If we fast forward to 2010, 802.1X-2010 is released, and what's it providing? It's also providing hop-by-hop layer 2 encryption, this time using MACsec. This time it's providing that hop-by-hop layer 2 encryption between the device and the switch, or the switch to the switch, but, like WPA, the authentication is provided by Extensible Authentication Protocol, or EAP, or PSK as a fallback or alternative. You can kind of see where I'm going with this. So basically the initial hypothesis from this should be: could you perform a similar shift in focus to achieve similar results with MACsec? So obviously our bridge and injection based attacks aren't really possible anymore due to the introduction of that layer 2 encryption, so the first thing that comes to mind to try is attacking the authentication mechanism, especially if you come from a wireless background. It's like, well, I've seen this over here, why not try it in this environment? My guess would be that the PSK implementation of this might be vulnerable to some kind of dictionary attack. I'm still working on that, so I really have no idea. But EAP, which is what we're talking about today, it does make sense that you could also use attacks against weak EAP methods. That's kind of the main takeaway of this talk. So to kind of understand what we mean by

attacks against weak EAP methods, we have to look at WPA2-EAP a bit. And most commonly, I love that sound, so the most commonly seen EAP method is EAP-PEAP, and basically the way that works is that you have the supplicant, which is your wireless device, it's going to try to connect to the network, and when it does that it's going to have to send an authentication request to the authentication server. The authentication server is going to reply with an X.509 certificate. Now the reason why the authentication server has to give the supplicant that X.509 certificate is that it needs to prove its identity to the supplicant. Before the supplicant receives that X.509 certificate it doesn't really know who it's connecting to. So the supplicant's going to look at the certificate and decide whether or not it can trust the server. If the certificate is a valid and trusted certificate then it trusts the server; if not, this entire process is aborted, because it doesn't want to authenticate with something that isn't what it's actually trying to authenticate with. So once that happens, if the supplicant accepts the certificate, we move from what's known as phase one, or the outer authentication phase, to the inner authentication phase, or phase two, which is going to happen through a secure tunnel. So essentially a secure tunnel is going to be established between the supplicant and the authentication server, because without that secure tunnel, even though this is part of WPA, remember you don't get access to WPA until this entire process completes, so you need a secure tunnel to protect what's going to happen next. And basically what's going to happen is that the supplicant's going to be issued a challenge from the server, and then essentially it's going to send a response back to the server that's derived from the challenge and its password, and that's going to be sent through the secure tunnel to the server, and depending on whether that response is valid or not, it's going to be either allowed access to the network or it's not going to be allowed access to the network and authentication is going to fail. So back in 2008 two researchers named Brad Antoniewicz and Josh Wright figured out that you could use something called a rogue access point attack to force a supplicant to authenticate with a rogue authentication server. What do we mean by this? So for anyone here unaware of what a rogue access point attack is, if you see this diagram here, essentially we have this access point here, and it's running on channel 6, and we have these four laptops, they're connected to it. Essentially a

rogue access point attack is when you create another access point you force all these devices to connect to it you know easiest way to do that is just to use the same SSID and channel as the that's the target access point and then make sure that you're providing a better signal and if you do that those devices will roam to you and then you do that you have that man the middle established and once you do that you can you can then actually if your target is a wpa2 EAP access point and your access point at WP to a PAP access point you can then force them to authenticate with you instead of the intended authentication server and

capture those hashes which even crack and then you can use that to get radius credentials which you can use to access the network that kind of makes sense to everyone by the way cuz that's super important okay good stuff right so I mean the biggest problem here by the way is that the the onus is kind of on the supplicant to either accept or deny the certificate which causes problems but to make matters worse by the way with AV peope typically you're going to see there's actually like even more flexibility we mentioned the extensible authentication protocol it's can be implemented in any number of ways well this phase 2 that happens through the tunnel actually you have different

options available to you one of what you can use for that the most common inter-ethnic ation method is a protocol as Emmas Chafee - and essentially it was Chafee - back in 2012 maxime out to researchers named Moxie Marlinspike and David Holton they discovered some cryptographic weaknesses in this protocol that essentially they figured out the MFE - pretty much analogous to ntlm v1 and that you can reduce it to a single 56 bits of DES encryption which is not great in fact they discovered that you know once you did that using well they had $100,000 cracking rig at the time but you know that cracking rig you know if you look if you bought something with similar

processing power now, several years later, you could get one for 10 or 20 grand, something like that. They discovered that with sufficiently powerful hardware you could then convert those 56 bits into a password-equivalent NT hash within 24 hours with a hundred percent success rate, regardless of the length of the password, which is pretty bad. So basically, once you get those hashes using this method, you're pretty much guaranteed to be able to crack them, particularly because you could specify the challenge that is used to derive the response and therefore remove a lot of the entropy from the protocol. So

kind of fast-forward back to 802.1X-2010: why are we talking about all this WPA2 stuff? Well, the most important takeaway about 802.1X-2010, at least from an attacker's perspective, is that it still uses EAP to authenticate devices to the network, and EAP, as we looked at just a second ago, is only as secure as the EAP method used. The 802.1X-2010 standard allows any EAP method so long as it supports mutual authentication, supports the derivation of keys that are at least 128 bits in length, and generates an MSK of at least 64 octets. There are plenty of commonly seen EAP methods that meet these

requirements: PEAP, which we just described, and EAP-TTLS, which is similar enough to PEAP that if you keep in mind the issues that affect PEAP you can understand EAP-TTLS as well. I think you kind of see where we're going with this. Once again, this is the part where we talk about defeating... well, this slide says "defeating MACsec using rogue gateway attacks"; that's kind of misleading, because we're not actually defeating MACsec, we're cowardly avoiding MACsec and attacking EAP instead, like we've been doing for 10 years, because I'm lazy. Well, doesn't everyone? And so the goal

of a rogue gateway attack, much like a rogue AP attack, is to force the supplicant to authenticate with your device. Once you do that, you can crack the hashes that it sends you and use those to authenticate with the network. When we looked at 802.1X-2004, we were using a man-in-the-middle-style bypass; you can see this diagram here, where essentially we place the rogue device directly between the supplicant and the authenticator. As of right now there really isn't a way to do that if you're dealing with 802.1X-2010, so you kind of have to go for direct access: you need to steal

credentials and then authenticate directly with the switch, which is what we're going to try to do. So if we were going to build a rogue device that could do this kind of attack, how do we do it? Well, the first step would be to set up our rogue device. You can see here we're putting our transparent bridge capabilities there just because they're useful; they're not necessary for this, but it's good to have them in case we need them. The main features of this: you're going to need an upstream interface, and your upstream interface is going to be facing toward the switch, and

your PHY interface is going to be the second interface we're going to be using, and that's going to be facing towards the supplicant. We also have our side channel interface, which we talked about earlier, and that gives us the ability to control this device remotely. You just put this on a small microcomputer; I use an Intel NUC running Fedora 28, because Fedora 28 has good support for MACsec, but you could use anything that supports MACsec, to be honest, and Linux. But we need a way of diverting traffic to the rogue device, and we can't just perform a rogue AP attack because we're not on a wireless network anymore; we're

on a wired network, so we're kind of out of luck there. So the question is, how do we do that? Well, if you look at this picture here, can you guys see the picture there with the train tracks? Okay, awesome. So we see these train tracks here, and you see these tracks go two ways. The first direction is straight ahead, and that goes directly to the station, but there's a mechanical switch here that will actually redirect the railroad traffic to the right, and it will bypass that station up there. So in position A you go to the station; the switch moves into position B and you

bypass it entirely. You can actually do something similar with Ethernet. You can get these little devices here on Amazon for five or ten bucks, something like that; it's basically a mechanical splitter. You just press two buttons on it, and depending on which one you hit, the Ethernet traffic will be routed through port A or port B. That's a really rudimentary way of redirecting traffic. Of course, you really can't just be sitting there, unless you want to have someone hide in the closet and, on signal, switch the traffic to the rogue device on the network you're attacking. You can't really just use these as they are;

you have to find some way of manipulating the push switches. There are a couple of ways you can go about this. The first of which: you could use something called a relay. Basically the way it works, in very crude terms because I'm not an electrical engineer, is that depending on whether you have a higher load current running through it, it will send the traffic, or the signal, one direction or the other. It's very hard to implement something like that with Ethernet without causing impedance issues, which is why if you buy an Ethernet relay on the Internet it'll cost you like a thousand bucks, because

they're pretty difficult to make. But option B is to use something called a solenoid, and there are a couple of kinds of solenoids: basically, push solenoids and pull solenoids. A solenoid is a metal rod wrapped in a metal coil, and when you run electricity through this coil, if it's a pull solenoid it will actually pull the metal rod inward, creating a pulling motion, and if it's a push solenoid, when you run electricity through this coil it'll push the rod outward. Actually, depending on the size of the solenoid, it can have quite a lot of force to it. But yeah, it's basically a linear, a

linear motor, which is kind of what we need here, pushing motion specifically. So that's pretty much how I figured out how to manipulate the switches: you just have a pair of solenoids that are controlled by an Arduino microcontroller, which is then being used as a slave to the primary device here. The full set-up that you see essentially would look like this: you'd have the device we just talked about, with our two interfaces, our upstream interface and PHY interface, as well as our side channel interface, but we'd also have, on either side, two of these mechanical A/B Ethernet

splitters; we have an upstream one and a PHY splitter as well. When these splitters are in position A, the traffic essentially is rerouted so that it bypasses the rogue device entirely, and we also set up a little LAN tap. Have you guys seen the Throwing Star LAN Tap before? Yeah, so pretty much that concept: you have this little thing on the wire there so that the traffic kind of spills out in one direction but can't get back, and that allows us to passively look at the traffic that's going between here. It's going to be encrypted, so we can't really see much, but we can see metadata, which is all we need: MAC addresses

and stuff like that. So we have that in position A; we put the switches in position B and it will reroute traffic to our device. So basically it will connect the switch to our upstream interface and the workstation, or supplicant I should say, to our PHY interface. So actually, how do we implement this attack? We take this device configuration and drop it directly between the supplicant, which is this workstation here on the right, and the switch, which is on the left. What we do is we bring down our upstream interface, bring down the transparent bridge (we don't really need it for this), but we leave our PHY interface up

and we run hostapd, which is essentially a RADIUS server that you can run on your Linux laptop or whatever you're using. We'd run that and have it listen on our PHY interface, and as the supplicant is rerouted, we then force it to authenticate with our hostapd instance here, our RADIUS server, and it will do so. When it does so, we just capture the challenge and response, in a similar way to what we'd do if we were attacking a wireless network, and crack them. Then, once they're cracked, what we can do is bring down

the PHY interface and bring the upstream interface back up, and then authenticate directly with the network using valid EAP credentials and the supplicant's MAC address. You'd also just set a static IP address for yourself that would match the one used by the supplicant; that way you kind of blend in and look exactly like the supplicant would, at least from that perspective. When you do this last phase, you ideally want to do it in the middle of the night or some time in which you're unlikely to cause a noticeable disruption. When I do this, I just do it at the end of the day on a weekend or something like that; no one

knows. So here's a demo of this. Like before, our setup, the way it works is: we have our attacker's device, which is SSH'd into the rogue device, on the left; we have a screen share of our workstation on the right, and it's just going to be pinging stuff continuously so you can see it's actually connecting out to the outside Internet; for a switch, we have a switch that's in the bottom middle there. And here's a very big version of this device, and the reason for that is, if you've ever read or seen Frankenstein, you know how

you use really big parts to build a thing because it's easier to work with? Same cause here: you could make a smaller version of this, but it's just easier to deal with. So you see, we're going to run this, and you're actually going to hear the solenoids working in a second; I don't know if you can hear that. So those are the solenoids kind of flipping around, and what you should see in a second now is that we're going to force the... okay, so yeah, we've just forced it to authenticate, we're able to capture those hashes, and then we crack them and we're able to authenticate with the network regardless of the fact that they're using MACsec. So that's our

802.11X, or 802.1X-2010 bypass I should say. Okay, so we have a bit of time left, so it's going to be a quick detour now. There's some other stuff that I kind of ended up working on while in the process of working on the 802.1X-2010 stuff. We're going to talk about MAC filtering and MAC authentication bypass, or MAB (you mad, bro?). So, fun fact: not all devices support 802.1X. Whether you're a sysadmin or a pentester or whatever, you've probably run into this before, right? Not all devices support 802.1X, yet enterprise organizations typically need to be able to place these devices within their 802.1X-protected networks anyway,

so historically the solution whenever you run into this issue is to simply disable 802.1X-2010 or 802.1X-2004 on the port used by that device. When you do this, you're creating what's known as a port security exception. Usually at this point you replace 802.1X with some other, more rudimentary form of port security, such as MAC filtering, but the important part is that you're actually making exceptions within your 802.1X coverage for certain ports so that certain devices can connect to your network. So historically these port security exceptions have been very prevalent, and this is due to the widespread lack of

802.1X support by peripheral devices. So basically, rolling out 802.1X is one thing; rolling out 802.1X when you have to connect a multifunction printer to your network, or IP cameras, stuff like that, is another, because they may have had some pretty poor support for 802.1X. These port security exceptions have historically created pretty low-hanging fruit for attackers; it's much easier to simply spoof a MAC address than it is to try to actually bypass 802.1X using a bridge or whatever. The problem is, at least from the perspective of attackers, that port

security exceptions are slowly dying. They're still pretty prevalent, but we're seeing less and less of them, and the reason for that is that support for 802.1X by peripheral devices, or peripheral device manufacturers, has increased dramatically, which is actually a pretty good thing. Legacy hardware is being phased out over time; it either breaks and has to be replaced or there's some kind of schedule where you have to replace it. And if you just go online, on Newegg or something like that or some equivalent, you'll notice that pretty much all the major manufacturers of, say, printers and scanners all support at least one model that

supports 802.1X that is pretty well within the price range of something that could fit within the budget of an enterprise organization, or even a small business for that matter. So the effect of this is that port security exceptions have become less prevalent; I mean, you still see them quite a bit, but not like you used to, and they're definitely not the low-hanging fruit that they used to be. The thing to keep in mind, though, is improved adoption of 802.1X doesn't necessarily imply stronger port security for peripheral devices. Remember, 802.1X-2010 is just starting to take off for very,

very expensive networking hardware, and it's really not a reality at all yet for peripheral devices, and if they're using 802.1X-2004 we can always just bypass it using bridges, injection, etc. But one thing that's kind of interesting about this is that we were talking about insecure EAP methods; we can actually expect the adoption of secure EAP methods to be even lower for peripheral devices than what we would expect from something that can be centrally managed, like a domain-joined device. So this kind of begs the question: can we just attack EAP as a really easy way to attack these

devices? And this kind of makes sense as an alternative to relying on port security exceptions for attacking peripherals. One thing that you could do, if you wanted to capture 802.1X credentials on a network that's protected by 802.1X-2004, is use the rogue gateway attack, although in this case it's actually much simpler to implement: you wouldn't need to rely on solenoids; you can instead just use the bridge-based techniques we were looking at earlier. You can see this is a diagram that's very similar to the one that we used for the 802.1X-2010 bypass, but we don't have any

solenoids here. Instead we have the upstream interface and the PHY interface, but then between them we have this transparent bridge, which is what we were using to do the original 802.1X-2004 bypass. So we start out just passively sniffing traffic, which allows us to gather any metadata that we need to perform the attack, and then when we're ready to actually capture some credentials we just bring down our upstream interface and our bridge and start running hostapd on the PHY interface. Like before, the supplicant will authenticate with us and we'll be able to capture and crack those hashes and connect to the network that way. But we don't even need

to do that, and the reason for that is that a lot of peripheral devices actually still use EAP-MD5. The reason for that is that EAP-MD5 is an older, significantly less secure EAP method, but it's also very easy to set up and configure, and it's still better than MAC filtering. So if you're in a situation where you have to set up 802.1X across the entire network, technically you could say you're doing that if you are putting EAP-MD5 on your peripheral devices. I mean, it's still EAP-MD5, but technically it's 802.1X, right? So the

way EAP-MD5 works is similar to PEAP, but let's say what's happening here. You're going to start out with the authentication server sending the supplicant an EAP-Request/Identity frame. Like before, the supplicant is going to respond to that with its identity, which is usually the user name or something like that, and the authentication server at this point is going to send the supplicant an EAP challenge. That challenge is essentially a randomly generated string of characters, and what the supplicant is going to do with that is concatenate it with its user name or ID and also with its password, and it's going to take that

concatenated string and throw it through the MD5 hash function, and the output of that MD5 hash function becomes the challenge response, which is sent back to the server. What the server is going to do is the same thing: it's going to take the password, the identity, and the challenge string, concatenate them together, throw them through the hash function, and if the output that the server gets matches the challenge response received from the supplicant, the authentication succeeds; if it doesn't, then we have an authentication failure. So unlike PEAP, this is all happening over plaintext; there's no secure tunnel protecting this

process. So what that means is, and this is once again at the same time the attacks against PEAP were released, Brad Antoniewicz and Josh Wright released these attacks as well: pretty much the only secret here, the only unknown, is the password. You can sniff everything else, and what that means is you can actually just use a dictionary attack to get the password using all that captured data. It is a dictionary attack, so if you think about it, it's kind of slow; it's not exactly the fastest attack ever. But the good news is, in 2012, so four

years after the original attacks against EAP-MD5 were released, two researchers named Fanbao Liu and Tao Xie actually discovered that you can use a length recovery attack to significantly speed up the cracking process for EAP-MD5 hashes. So actually, it's pretty trivial to capture those hashes, and then you can crack them pretty quickly as well. Sorry, I'm losing my voice. But so, leveraging what we know about how to attack EAP-MD5 and also how to attack 802.1X-2004, if we wanted to go a step further and actually capture 802.1X credentials on a wired network, we can

think about how we do this. So we could start out by using a bridge-based approach to place a rogue device directly between the supplicant and authenticator, and then we just wait for the supplicant to authenticate while sniffing traffic between these two devices. That would allow us to sniff the EAP-MD5 challenge and the EAP-MD5 response, and then we're able to crack the credentials and connect to the network directly using the correct credentials. One major drawback to this approach: we have to wait for the supplicant to reauthenticate with the switch, and this actually will not happen unless the supplicant is unplugged. Disabling a virtual networking interface is not enough; it won't guarantee a

reauthentication, and we could use mechanical splitters to kind of trigger that, but the less overhead the better. So there actually is a better option: we can use something called the EAP-MD5 forced reauthentication attack, which is kind of what I came up with for this scenario. So we mentioned the first two steps of the EAP authentication process, where the supplicant can send the authenticator an EAPOL-Start frame and the authenticator is going to respond to that with an EAP-Request/Identity frame. We mentioned that the first step was optional, and that actually has significance, because the problem with it being optional... well, the reason why

that's optional, first of all, is that the authenticator needs a way of forcing the supplicant to reauthenticate if necessary. But the problem is that the supplicant has no way of verifying whether incoming EAP-Request/Identity frames have been sent in response to an EAPOL-Start frame or if they've been spoofed, right, because this is kind of a stateless process. So this means that we can force reauthentication by sending an EAPOL-Start frame to the authenticator as if it came from the supplicant, using MAC spoofing. The result of this is that essentially the authenticator will send an EAP-Request/Identity frame to the supplicant. Thank you so much, that's amazing.

So the result of this is that the authenticator is going to send the EAP-Request/Identity frame. If we do this, we'll rewind a bit: so if we were to send an EAPOL-Start frame to the authenticator as if it came from the supplicant, using MAC spoofing, what happens is that the authenticator sends an EAP-Request/Identity frame to the actual supplicant, and that would kick-start the reauthentication process. When this happens, both the authenticator and the supplicant will believe the other party has initiated the reauthentication attempt, which is pretty cool, because you don't really know why this happened. So you can see here what this means is

that we can actually just force the supplicant to reauthenticate at will, just by injecting these frames; you can force that reauthentication process to happen over and over and over again, pretty arbitrarily. So this is great because it allows us to actually perform this attack a lot faster. Previously we had to wait for this device to reauthenticate on its own, and now you can actually kick-start the authentication process by injecting those EAPOL-Start frames, and that allows us to perform this forced reauthentication attack, where we force it to reauthenticate and then pretty much instantly are able to grab those hashes, which we can then

crack. So there's a proposed mitigation for this, which would be just adding a safety bit to the EAP-Request/Identity frame; I'm not sure I really like it, or that I've thought about it that much, but that would be a good first step, and we can kind of think about how to address that issue. But yeah, just to kind of wrap this up, the main contributions that we've talked about here: we've introduced the rogue gateway attack, which can be used to bypass 802.1X-2010 by attacking its authentication mechanism in cases where weak EAP methods are used; we've updated and improved the existing 802.1X-

2004 bypass techniques, made them a lot easier to use, and bundled them into a pretty easy-to-use Python tool, so less monkeying around with bash scripts and stuff like that; you can just run it and it works, which is great for red teaming scenarios and stuff like that. And we've also introduced the EAP-MD5 forced reauthentication attack, an improved attack against EAP-MD5 on wired networks. I guess the key takeaways of this talk: port security is still a very positive thing; definitely keep using it. This is not a talk to discourage anyone from using port security, but it's not a substitute for a layered approach to network security.

Deploying 802.1X doesn't really absolve you from patch management responsibilities, managing user privileges, stuff like that; it should just be part of the entire holistic approach you take to security. The benefits provided by 802.1X can be undermined due to continued use of EAP as an authentication mechanism, and specifically weak EAP methods. And finally, improved 802.1X support by peripheral devices, or peripheral device manufacturers I should say, is largely undermined by lack of support for 802.1X-2010 and also low adoption rates for strong EAP methods; they can be bypassed using the attacks we just saw. If you want to go into this in a

little more detail, there's a white paper and blog post about this; it's on my company website. And also, if you want to check out the tool and try these attacks yourself, it's available on GitHub; it's a tool called Silent Bridge. Right now you just plop it on an Ubuntu device or a Kali device and it should run, and you can do all this stuff. Any questions? No questions? One question, cool.
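The EAP-MD5 exchange the talk walks through, as an added example that is not part of the talk or of Silent Bridge: it builds the MD5-Challenge request and response packets, runs the server-side check, and shows that anyone holding the two plaintext packets can run that same check against a wordlist, which is why the password is the only secret in the protocol. It follows RFC 1994/RFC 3748, where the one-byte EAP packet identifier (not the user name) is hashed together with the password and the challenge; the challenge, identity, password and wordlist are constructed sample values.

```python
# Added example (not from the talk or Silent Bridge): EAP-MD5 (EAP type 4,
# CHAP-style per RFC 1994) challenge/response, the server's check, and the
# eavesdropper's check that the talk describes. Standard library only.
import hashlib
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def eap_md5_hash(identifier, password, challenge):
    # RFC 1994: MD5(Identifier || Secret || Challenge). The identifier is the
    # one-byte EAP packet id from the request, not the user name.
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_packet(code, identifier, value, name=b""):
    # EAP header (Code, Identifier, Length) + Type 4 + Value-Size + Value + Name
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_md5_packet(pkt):
    # Returns (code, identifier, value, name); rejects anything that is not
    # a well-formed MD5-Challenge packet.
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP MD5-Challenge packet")
    size = pkt[5]
    return code, identifier, pkt[6:6 + size], pkt[6 + size:]


def supplicant_respond(request, identity, password):
    # The supplicant hashes the request's challenge and sends the digest back
    # with its identity in the Name field.
    code, identifier, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    digest = eap_md5_hash(identifier, password, challenge)
    return build_md5_packet(EAP_RESPONSE, identifier, digest, identity)


def server_verify(request, response, password_db):
    # The server recomputes the same hash from its stored password and
    # compares it with the digest the supplicant sent.
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, digest, name = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id or name not in password_db:
        return False
    return digest == eap_md5_hash(req_id, password_db[name], challenge)


def offline_guess(request, response, wordlist):
    # Both packets travel in plaintext, so a passive observer holds everything
    # the server holds except the password and can run the server's check for
    # each candidate. Returns the matching candidate or None.
    _, req_id, challenge, _ = parse_md5_packet(request)
    _, _, digest, _ = parse_md5_packet(response)
    for candidate in wordlist:
        if eap_md5_hash(req_id, candidate, challenge) == digest:
            return candidate
    return None


# Constructed sample exchange: a fixed 16-byte challenge stands in for the
# random one a real server would generate.
CHALLENGE = bytes(range(16))
PASSWORD_DB = {b"printer01": b"Winter2018!"}
WORDLIST = [b"password", b"printer", b"Winter2018!"]


def demo():
    req = build_md5_packet(EAP_REQUEST, 7, CHALLENGE, b"server")
    resp = supplicant_respond(req, b"printer01", b"Winter2018!")
    return server_verify(req, resp, PASSWORD_DB), offline_guess(req, resp, WORDLIST)


if __name__ == "__main__":
    print(demo())  # (True, b'Winter2018!')
```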

Yeah, sorry, talking about the military using just pure EAP-TLS with mutual certificate authentication. Well, that doesn't address that, because if they're using certificate-based authentication, in that case they're not using weak EAP methods, so it kind of would... right. But if it's only a one-sided certificate, then it's pretty much up to the supplicant whether or not to reject the certificate, and that historically doesn't really have a really high success rate; I mean, you usually can find a device that either doesn't validate it at all or leaves it up to the user, which is even worse, and then the user gets prompted, "do you want to access the

Internet still?" and they say yes and they connect. But yeah, that is kind of the tipping point, whether or not the device rejects it or accepts it automatically. But what's interesting is that I've seen that if you have an organization that does a really good job of enforcing that across the board, they typically also have gone with full mutual certificate-based authentication as well, because if you're going to that length you might as well just throw all of it in there. But yeah, that's kind of the mitigation there. Yes?

Yes sir. Honestly? You want the honest answer? Because I'm a software guy, I had to learn the hardware stuff just to do this; I'm not going to lie to you about that. But they're cool, and the plus side of that, though, is that it does kind of create a solution where, if someone wants to go replicate it, it's not that hard to do. But yeah, there's definitely better ways to implement it; you don't get the cool sounds, though; you don't get some user going "ha, this is awesome, my computer's making clicking noises now, it must like me." I don't know. Yeah, good question though; if you have a better idea, I would love to

incorporate it, because it's not my area; I should talk to you after this, I think. But any other questions? Okay. [Applause]
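A defender-side check for the EAPOL-Start forced-reauthentication technique described in the talk, as an added example that is not part of the talk or of Silent Bridge: it parses raw EAPOL frames from a capture and flags any source MAC that emits more EAPOL-Start frames inside a time window than a real link-up cycle would produce. The frames, MAC addresses, window and threshold are constructed sample values.

```python
# Added example (not from the talk or Silent Bridge): detect bursts of
# EAPOL-Start frames, the on-the-wire symptom of forced reauthentication.
import struct
from collections import defaultdict, deque

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination MAC
ETHERTYPE_EAPOL = 0x888E
EAPOL_START = 1  # EAPOL packet types: 0=EAP-Packet, 1=Start, 2=Logoff, 3=Key


def build_eapol_start(src_mac):
    # Constructed sample frame: Ethernet header + EAPOL v2 header, empty body.
    src = bytes.fromhex(src_mac.replace(":", ""))
    return (PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 2, EAPOL_START, 0))


def parse_eapol(frame):
    # Returns (src_mac, eapol_type) for an EAPOL frame, or None otherwise.
    if len(frame) < 18:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, ptype, _length = struct.unpack("!BBH", frame[14:18])
    src = ":".join("%02x" % b for b in frame[6:12])
    return src, ptype


def detect_forced_reauth(records, window_s=60.0, threshold=3):
    # records: iterable of (timestamp_seconds, raw_frame). A legitimate
    # supplicant sends EAPOL-Start rarely (link up, explicit restart); more
    # than `threshold` Starts from one MAC within `window_s` is suspicious.
    # Returns {src_mac: peak Start count in a window} for flagged sources.
    recent = defaultdict(deque)
    flagged = {}
    for ts, frame in sorted(records, key=lambda r: r[0]):
        parsed = parse_eapol(frame)
        if parsed is None or parsed[1] != EAPOL_START:
            continue
        src, _ = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


# Constructed capture: one workstation starts once at link-up; a second
# address, the one a spoofed Start would carry, sends a burst of Starts.
SAMPLE_RECORDS = [(0.0, build_eapol_start("00:11:22:33:44:55"))] + [
    (100.0 + i * 2.0, build_eapol_start("aa:bb:cc:dd:ee:ff")) for i in range(6)
]


if __name__ == "__main__":
    print(detect_forced_reauth(SAMPLE_RECORDS))  # {'aa:bb:cc:dd:ee:ff': 6}
```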