Owning the LAN in 2018: Defeating MacSEC and 802.1x-2010

Video thumbnail (Frame 0) Video thumbnail (Frame 8592) Video thumbnail (Frame 17733) Video thumbnail (Frame 19365) Video thumbnail (Frame 20254) Video thumbnail (Frame 21982) Video thumbnail (Frame 23793) Video thumbnail (Frame 25007) Video thumbnail (Frame 28345) Video thumbnail (Frame 29444) Video thumbnail (Frame 31032) Video thumbnail (Frame 31999) Video thumbnail (Frame 35377) Video thumbnail (Frame 36492) Video thumbnail (Frame 38200) Video thumbnail (Frame 39463) Video thumbnail (Frame 40679) Video thumbnail (Frame 41817) Video thumbnail (Frame 43265) Video thumbnail (Frame 45737) Video thumbnail (Frame 51421) Video thumbnail (Frame 52733) Video thumbnail (Frame 58864)
Video in TIB AV-Portal: Owning the LAN in 2018: Defeating MacSEC and 802.1x-2010

Formal Metadata

Owning the LAN in 2018: Defeating MacSEC and 802.1x-2010
Alternative Title
Bypassing Port Security In 2018
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Existing techniques for bypassing wired port security are limited to attacking 802.1x-2004, which does not provide encryption or the ability to perform authentication on a packet-by-packet basis [1][2][3][4]. The development of 802.1x-2010 mitigates these issues by using MacSEC to provide Layer 2 encryption and packet integrity check to the protocol [5]. Since MacSEC encrypts data on a hop-by-hop basis, it successfully protects against the bridge-based attacks pioneered by the likes of Steve Riley, Abb, and Alva Duckwall [5][6]. In addition to the development of 802.1x-2010, improved 802.1x support by peripheral devices such as printers also poses a challenge to attackers. Gone are the days in which bypassing 802.1x was as simple as finding a printer and spoofing address, as hardware manufacturers have gotten smarter. In this talk, we will introduce a novel technique for bypassing 802.1x-2010 by demonstrating how MacSEC fails when weak forms of EAP are used. Additionally, we will discuss how improved 802.1x support by peripheral devices does not necessarily translate to improved port-security due to the widespread use of weak EAP. Finally, we will consider how improvements to the Linux kernel have made bridge-based techniques easier to implement and demonstrate an alternative to using packet injection for network interaction. We have packaged each of these techniques and improvements into an open source tool called Silent Bridge, which we plan on releasing at the conference.
Email Presentation of a group State of matter Local area network Set (mathematics) Function (mathematics) Client (computing) Mereology Usability Spherical cap Circle Software framework Extension (kinesiology) Information security Physical system Identity management File format Bit Digital signal Data management Message passing Process (computing) Telecommunication output Information security Digitizing Ocean current Point (geometry) Server (computing) Implementation Identifiability Authentication Black box Authorization Message passing Authentication Dependent and independent variables Validity (statistics) Information Server (computing) Consistency Generic programming Frame problem Radius Software Personal digital assistant Video game Wireless LAN Communications protocol
Building Injektivität Structural load Local area network State of matter Direction (geometry) Multiplication sign Workstation <Musikinstrument> Insertion loss Side channel attack Mechanism design Hooking Kernel (computing) File system Extension (kinesiology) UDP <Protokoll> Information security Exception handling Injektivität Firewall (computing) Structural load Software developer Open source Physicalism Flow separation Connected space Degree (graph theory) Message passing Process (computing) Bridging (networking) Interface (computing) Modul <Datentyp> Escape character Information security Physical system Classical physics Point (geometry) Implementation Service (economics) Proxy server Open source Computer file Firewall (computing) Authentication Similarity (geometry) Computer Rule of inference Revision control Goodness of fit Bridging (networking) Singuläres Integral Energy level Implementation Proxy server Condition number Alpha (investment) Modem Installation art Authentication Module (mathematics) Rule of inference Default (computer science) Standard deviation Patch (Unix) Prisoner's dilemma Interface (computing) Weight Projective plane Interactive television Planning Computer network Limit (category theory) System call Shareware Kernel (computing) Software Integrated development environment Revision control Connectivity (graph theory) Iteration Wireless LAN Table (information) Extension (kinesiology) Address space Singuläres Integral
Implementation Bridging (networking) Videoconferencing Shareware
Authentication Word Touchscreen Software Information Bridging (networking) Workstation <Musikinstrument> Interactive television Right angle Term (mathematics) Proxy server Position operator
Group action Injektivität Proxy server Distribution (mathematics) Euler angles INTEGRAL Authentication Port scanner Shareware Revision control Bridging (networking) Netzwerkverwaltung Videoconferencing Encryption Communications protocol Proxy server Information security Fundamental theorem of algebra Injektivität Authentication Area Distribution (mathematics) Mapping Key (cryptography) Military base System administrator Internet service provider Computer network Basis <Mathematik> Basis <Mathematik> Blog Bridging (networking) Encryption Information security Communications protocol Fundamental theorem of algebra
Authentication Point (geometry) Server (computing) Process (computing) Key (cryptography) Authentication
Point (geometry) Standard deviation Injektivität Authentication Workstation <Musikinstrument> Motion capture Sheaf (mathematics) Data dictionary Focus (optics) Shift operator Perspective (visual) 2 (number) Web 2.0 Mechanism design Cryptography Encryption Vulnerability (computing) Authentication Injektivität Workstation <Musikinstrument> Data dictionary Shift operator Focus (optics) Programming paradigm Standard deviation Parallel port Computer network Stack (abstract data type) Motion capture Transmitter Mechanism design Exterior algebra Hypermedia Software Sheaf (mathematics) System programming Right angle Encryption Information security Wireless LAN
Point (geometry) Implementation Server (computing) Context awareness Injektivität User interface Interior (topology) Transport Layer Security Authentication Similarity (geometry) Data dictionary Shift operator Focus (optics) Public key certificate Hypothesis Mechanism design Internetworking Information security Identity management Vulnerability (computing) Form (programming) Authentication Data dictionary Focus (optics) Shift operator Server (computing) Parallel port Price index Mechanism design Wind tunnel Process (computing) Hash function Password Bridging (networking) Right angle Encryption
Point (geometry) Server (computing) Process (computing) Robotics Server (computing) Operator (mathematics) Information security Information security Metropolitan area network
Point (geometry) Wechselseitige Information Dependent and independent variables Length Authentication Execution unit Range (statistics) 1 (number) Bit rate Mereology Public key certificate Perspective (visual) Derivation (linguistics) Bit rate Hash function Data Encryption Standard Encryption Communications protocol Vulnerability (computing) Form (programming) Authentication Vulnerability (computing) Dependent and independent variables Key (cryptography) Interior (topology) Field programmable gate array Computer network Bit Equivalence relation Derivation (linguistics) Hash function Software Personal digital assistant Computer hardware Password Octave Self-organization Data Encryption Standard Right angle Text editor Whiteboard Ranking Information security Thetafunktion
Authentication Point (geometry) Gateway (telecommunications) Slide rule Gateway (telecommunications) Proxy server Euler angles Authentication Workstation <Musikinstrument> Computer network Maxima and minima Process (computing) Software Hash function Term (mathematics) Hash function Encryption Directed set Proxy server Metropolitan area network Force
Intel Software Interface (computing) Multiplication sign Interface (computing) Bridging (networking) Core dump Denial-of-service attack Computer Side channel attack Proxy server
Trail Mechanism design Internetworking Workstation <Musikinstrument> Diffuser (automotive) Set (mathematics) Right angle Asynchronous Transfer Mode Wave packet
Ocean current Asynchronous Transfer Mode Link (knot theory) Proxy server Sound effect Wellenwiderstand <Strömungsmechanik> Diffuser (automotive) Computer configuration Infinite impulse response Computer configuration Interface (computing) Directed set Spacetime
Authentication Asynchronous Transfer Mode Link (knot theory) Proxy server Link (knot theory) Diffuser (automotive) Physicalism Directed set Proxy server Diffuser (automotive) Asynchronous Transfer Mode
Authentication Asynchronous Transfer Mode Server (computing) Link (knot theory) Server (computing) Interface (computing) Equaliser (mathematics) Authentication Computer network Shareware Frame problem Diffuser (automotive) Software Interface (computing) Asynchronous Transfer Mode Vulnerability (computing)
Ocean current Authentication Implementation Proxy server State of matter Multiplication sign Authentication Projective plane Shareware Connected space Hash function Proxy server Wireless LAN
Gateway (telecommunications) Game controller Enterprise architecture Euler angles Transport Layer Security Multiplication sign Workstation <Musikinstrument> 1 (number) Similarity (geometry) Control flow Public domain Zugriffskontrolle Expected value Type theory Peripheral Bridging (networking) Computer configuration Computer hardware Endliche Modelltheorie Information security Exception handling Form (programming) Vulnerability (computing) Injektivität Enterprise architecture Expert system Diffuser (automotive) Physicalism Computer network Public domain Basis <Mathematik> Special unitary group Bit ACID Lattice (order) Arithmetic mean Computer hardware Bridging (networking) Self-organization Endliche Modelltheorie Peripheral Whiteboard Information security Exception handling Resultant Row (database)
Server (computing) Inheritance (object-oriented programming) Server (computing) Interface (computing) Motion capture Computer network Hash function Peripheral Software Robotics Bridging (networking) Interface (computing) Configuration space Configuration space MiniDisc
Virtuelles Netz Length Equaliser (mathematics) Food energy Bit rate Process (computing) Enterprise resource planning Identity management Mapping Virtualization Motion capture Arithmetic mean Process (computing) Hash function Bridging (networking) Interface (computing) Right angle Resultant Implementation Server (computing) Service (economics) Dependent and independent variables Transport Layer Security Real number Authentication Data recovery Motion capture Password Event horizon Goodness of fit Bridging (networking) String (computer science) Operator (mathematics) MiniDisc Form (programming) Authentication Data dictionary Overhead (computing) Dependent and independent variables Matching (graph theory) Server (computing) Interface (computing) Diffuser (automotive) Computer network Frame problem Software Password Communications protocol Force
Gateway (telecommunications) Slide rule Proxy server Dependent and independent variables Euler angles Equaliser (mathematics) Authentication Mereology Substitute good Data management Mechanism design Bit rate Peripheral Blog Bridging (networking) Videoconferencing Process (computing) MiniDisc Proxy server Information security Physical system Identity management Injektivität Authentication Dependent and independent variables Gateway (telecommunications) Information Forcing (mathematics) Computer network Bit Multilateration Wellenwiderstand <Strömungsmechanik> Frame problem Substitute good Mechanism design Data management Uniform resource locator Process (computing) Software Blog Bridging (networking) Escape character Information security Digitizing Resultant Force
ok welcome to 3 o'clock talk at its my accent talk at DEFCON it's gonna be gabrielle Ryan talking about owning let's give him a big DEFCON welcome come on here you thanks you guys awake yet fair enough all right got 45 minutes so like the first like 10 minutes of this it's gonna be really fast we're back up from this thing can you guys still hear me if I do this no ok alright so I work for a company called digital silence for a pentesting firm in Denver I talk more but gonna skip that so my name is Gabriel Ryan also known in some circles as solstice I'm a co-founder senior security assessment manager at digital silence used to work for a company called goth until science before that I worked for a DoD contractor in Virginia called og systems which between the two of those companies it's pretty much the best two names in security ever like mochi systems that's awesome also about me I'm a red teamer researcher new dad interestingly enough hence the dark circles under my eyes my LinkedIn my life in handles kind of interesting is MS zero eight zero six seven custom chuckles at ease so this is a talk about bypassing a particular port security technology so before we get started we kind of have to go over some introductory information about a 22.1 X into not one X is an authentication protocol is designed to provide rudimentary authentication to local area networks and also Wireless local area networks the protocol defines an exchange between three parties the supplicant which is the client device that you're gonna try to connect to the network the Authenticator which is a network device that the device that the supplicant is connecting to and providing access to the land and the authentication server which is a host running deeper inside the network and it's usually running some kind of like triple-a software like radius that actually performs the actual validation so you can think of the Authenticator you know that the Authenticator is to be like your switch right the device is connecting to and you can think of it as a gatekeeper like a security guard the supplicants gonna connect to it and provide the Authenticator with some credentials and the Authenticator does really note to these grants will just forwards mafia authentic to the authentication server which then validates the credentials and then either sends a message back to the Authenticator and tells it to allow this device to access the network or not to do that when I was typically a four step process beginning with initialization initiation then we go to EAP negotiation and authentication we'll talk more about that a second so when we connect to a switch port that is protected by a 2.1 X it's gonna have one of two it's gonna be one of two states it's gonna be authorized and when it's in the authorize state traffic's gonna be completely unrestricted at least by toto when X and it's when it's in the unauthorized State traffic is restricted to only eight or 2.1 X traffic we mentioned the first step of the provi edit or extension processes on initialization and you know what this means that the supplicants going to connect to the switch port the device can switch port and it can start out disabled the Authenticator is going to tech this new connection and able to switch port but the switch ports gonna start out in an unauthorized State because we have an authenticated yet then we move to step two which is initiation which we're initiating the authentication process the first step of initiation is actually optional this has security implications so we're gonna talk about later the supplicant is going to it's gonna begin with the supplicant sending an e pole star frame to the Authenticator the Authenticator is gonna receive this and respond with the EP request identity frame that just gets sent back to the supplicant and you know at that point that EP requested any frame it's basically asking who are you and the sub book it's gonna respond with an EAP response identity frame which contains the user name or identifier such as user name the Authenticator is gonna caps encapsulate that you ap response with nd and a radius access request frame because it can actually it can't actually validate the stuff itself and it's gonna forward it off the authentication server and then we're gonna move from step two to step three which is EAP negotiation so um you know 2.1 x actually implements authentication using EAP and EAP you can think of it as like an api or black box for performing performing authentication there's many ways to implement it but the important part is that there's gonna be a set of inputs you know kind of like a generic set of accessible inputs that you can put into it and you're gonna get a consistent output format which is either an EAP success or EAP failure or finding a successor authentication failure so in step 3 what's gonna happen is that the authentication serving the supplicant are gonna haggle for a bit until they decide on the EAP method they're both comfortable with when they do we move to step four which is authentication so this is where we actually perform the EAP authentication the specific details as we mentioned how this should work are dependent on the EAP method yupi method is just a fancy way of saying you know however you're choosing to implement EAP but it's depend on the EP method chose between the authentication server and the supplicant so this will always result in the EAP success or EP failure misses that's the important part to remember about this and if we get an EAP success the ports can be set to an authorized State and communications can be allowed through that port otherwise it's gonna either remain on authorizer in a lot of cases they're actually just gonna shut down the port and entirely and go alert someone which is bad the currents actor that is so even talk to him a lot about EAP EAP is short for extensible authentication protocol really like we're calling it a protocols like not our authentication protocols kind of misleading it's more of an authentication framework because it it's it's only defining message formats the actual implementation is wrapped up in what's called an EAP method and as we mentioned you know earlier it's pretty much more like a black box for performing authentication just gonna briefly mention some notable EAP methods we're gonna talk about the more detail later but let's really hit play on that the first of which is EAP md5 spoiler it's kind of bad there are a lot of security issues with it EEP EEP EEP another EP method also sucks I know it's soap but it looks delicious so I just want to include it in this presentation
there's also a eap-tls and the traditional school thought has been the eap-tls is a lot better than the other two I just mentioned but more on that later too without the way let's do a brief history of wired port security also just to kind of get ourselves up to speed but we're going to talk about today in 2001 the you know I Triple E released 802 dot 1x 2001 and that the stander was created to provide a rudimentary authentication mechanism for local area networks the PERT the standard was revised in 2004 with 802 I when I 2004 you know in this extension basically was designed to facilitate the use of a 2.1 X in wireless environments a year after that happen a researcher named Steve Riley figured out that you could actually bypass a 2.1 X 2004 and 2001 as well by inserting a hub between the supplicant the Authenticator and basically doing this lets you just passively significant the to those those two entities right you could also interact with the network to limited degree by inject and UDP traffic's injecting TCP packets would would cause a race condition so that wasn't really feasible but this was like the first you know kind of documented mention of such a bypass fast-forward six years to 2011 avila criminal security created a tool called Marvin Marvin was able to bypass a 2.1 X by introducing the road device directly between the sub book and the switch so before we were using a hub which by 2011 those were starting to become harder and harder to find but absol was actually able to it had two network interfaces you know you have this rogue device that's inserted between the switch and like this authorites workstation and this rogue device has two network interfaces one of them is connected to the to the to the workstation one of them is connected to the switch and it actually is able to use a Linux prison afford these packets transparently back and forth and bypass port security without using a hub and also it you're able to get packet in full interacts with a network using packet injection later that year and this is actually probably the most widely used able to know when X 2004 bypass out there now the duct wall introduced a similar a similar bypass technique is a little simpler which is which is a really good thing so alpha duct walls implantation also uses a transparent bridge to introduce the rogue device between the supplicant and switch but unlike absolutely it doesn't rely on packet injection instead you with the network by you creating a source net using IP tables and this lets you basically push packets onto the network and make it look as if it's coming from the supplicant device and the authorites workstation that you're kind of like middling doing this process and actually very recently 2017 we have valerian Legrand he created a tool called Fenrir and it works very similar to duck calls tool but it's all implemented in Python a very high level so you don't run into some of the kernel patching issues that duck calls tool is kind of affected by and it's pretty cool it has a module design support for a smarter all the good stuff so I guess when I started working on this project it made sense the first thing to do should be to kind of try to recreate the the classic duck walls classic a to nx2000 for bypass and also see if there's any ways it could be improved upon so looking at duck pulsated to 1x bypass more closely we mentioned use a transformer bridge society introduced the rogue device between a supplicant and Authenticator and you achieve network interaction using source net another interesting feature of duxelles device remember that you know what we're performing this style of attack you know presumably we're not able this is gonna be performed on a network and in a physical environment like a building or something like that that we do not own and we're not supposed to be getting into in the first place you know so it's not like you know you're on like a like a red team or physical security assessment where you can go walk in you know set up this device install like a monitor and just sit there on the computer interacting with this thing you have to kind of like get in there hook this thing up and get out so it's important when you're when you're doing this kind of thing that whatever what implement however you implement these kinds of attacks you provide yourself with a mechanism of reconnecting with this rogue device remotely once you perform the bypass and once you've actually made your egress from the building so the wait duck calls implementation does this well it actually uses two methods the first is a hidden SSH service that's created using destination adding and also it has support for like an outbound like SSH channel that goes through the the target Network and lets you connect that way so I was able to improve on upon ductless implantation a couple ways you know back back when dark loss implementation was first created the Linux kernel was not forwarding eople packets over bridge it was completely disabled and as a security feature so actually you know traditionally you look at most tools that deal with a totodile 1x 2004 or my passing and should I say they deal with this problem in the same way that suckle had to which is essentially patching the Linux kernel the exception of this is is Fenrir by valerian Legrand and he just does this completely at a high level using escapees so it doesn't really matter you'll have to rely on the the kernel patching so this made sense at the time but there are some problems with both of these approaches and what is that rely on kernel patches can become an unwieldy at this time there are no longer any publicly available kernel patches for modern kernel versions that will perform this eople bridging the reason for that if you think about what it takes to maintain a tool of any kind you know you constantly have to maintain this kernel patch because if you don't you know you can bet that the the kernel development team is going to keep working on you know pushing updates to the kernel and kind of if you think of your like here's your patch and here's like the direction that the kernel is going and eventually that patch is no longer going to work after you know subsequent iterations of updates to the kernel and that's kind of the state we're in now and then if you deal with high level tools such as Skippy they work really well because you want to rely on kernel patches but also can slow down your bridge under heavy loads because it just isn't able to handle it in the same way that the the lower level plantation can so fortunately the situation has dramatically improved since knuckles contribution in 2012 eople bridging actually was was added to the kernel but kind of a second optional feature that you had to enable using the cross file system the process file system is pretty cool it's actually like an API to the Linux kernel that you could that you can let you reconfigure stuff on the fly and you can just interact with it by setting values and files and stuff like that so you basically you just use change the the value of this file in the cross file system and you can for default package so we added that in there and the other
proven that we added was support for side Channel and reaction what doc will create is originally a 1000 - WX bypass you know this was 2011 you know cellular modems were pretty unsophisticated they were slow they're very expensive you couldn't just go down to Best Buy or whatever and buy yourself like a 15.00 LTE modem with a prepaid plan that you could plug into your rogue device so this is why he kind of had to rely on the hidden SSA service and the and the outbound SSH channels this is not a perfect solution though because it relies on the assumption the egress filtering can be bypassed so if you can improve upon it that'll be great also relies on pushing traffic for the target now we're creating opportunity for detection so you know kind of now that we had the opportunity you know it's it's several years later at this point so you know we had the opportunity to leverage a lot of this newer cellular technology to kind of establish a side channel to to our tour leave behind device that also lets us deal with you know air gap networks and stuff like that so you know the updated implementation actually relies on a side channel interface to provide the attacker with connectivity rather than the hidden SSH service or the Anastasia Channel had some modify some firewall rules to get this to work but it's totally worth it cuz now you can just connect over LTE so here's the demo of our improves
implementation here to figure out how to get this to play oh cool okay can I fast forward interesting all right well all right the video is running I just don't know how to
okay all right that seems to be working so I'm not going to touch it okay so no it's paused
okay so what's happening here right and it's in the left hand side we have the attacker it's device on the top right here if you can see my mouse can you guys see my mouse okay well pretend there's a mouse pointing at the top right of the screen that's that's the supplicant let's play pretend in the bottom right that's the switch so we're connecting to you notice that we've disconnected the device here and we're running this software on the Left which is setting up the transparent bridge we're talking about and up it's turning yellow on the bottom right so that means it's Rihanna cating and we're just kind of forwarding that authentication and oh absolutely the supplicant that's on the top right is able to communicate with it's going to go back to paying which apparently this is just what this workstations use for yeah so now we're gonna add a network interaction by running this other command basically I you could see all these other flags and other the information that were passing to it when we set up the initial transparent bypass we were you know pushing position where you could sniff all that which is pretty neat it's still
running well long story short you can
you can scan things within map but just
I'll post the videos on the gun company blog posts after this so you can go check them out there anyways so all traditional 82 necks bypasses either hug based injection or bridge based take advantage of the same fundamental security issues that affect attitude on 1x 2004 the protocol does not provide encryption and the protocol does not support authentication on a packet by packet basis and that's why this bridge based bypass works so to kind of mitigate this problem you know another revision to the protocol is introduced called 802 dot next 2010 and in 2001 X 2010 uses Mac sec which provides layer 2 encryption performed on a hop by hop basis and packet by packet integrity checks so this kind of throws a wrench in the whole bridge base attacks an area that we just talked about interestingly enough it also allows network administrator's doesn't what them use to inspect data in transit so because the encryption is only performed you know how by hot bases you can still inspect traffic which is actually a pretty big deal so a totodile - 2010 works stages the first stage in authentication master key distribution the second stage is session key agreement and the third stage stages the session to secure stage
so stage one we mentioned authentication I mean that's pretty much to say it'll turn out when Excel chthonic agent process that we talked about before you're going to perform those four steps that we talked about and then you're gonna perform EAP authentication using some EAP method that is going to be selected between a supplicant and the authentication server and if that succeeds we'll move to stage two which
is assessing session key agreement how the the basically the what's happening the session key agreement is that the the Authenticator is going to establish that the supplicants actually capable of supporting Mac sec and if it is you're gonna install the sack on the supplicant and we're going to move to step three and step three is session secure so in such a secure basically at this point everything is encrypted at layer two your Mac SEC is fully enabled and this is kind of where we are trying to get to
so I guess like with this in mind right you know whenever you're trying to come up with like a way of bypassing or attacking some kind of new technology I think it's useful to to kind of look at parallels you know between whatever you're currently working with and similar technologies that have been compromised in the past or even recently and with that in mind this particular section section six point six in the a.22 dot when X 2010 standard kind of snuck out of me and basically it's comparing it's basically stating that conceptually the cryptographic capability is provided by a to 2.1 x 2010 kind of play the same role as similar you know cryptographic capabilities provided for wireless networks in 802 11 right so I think what they're alluding to here our parallelize between Mac second WPA and actually if you look at you know why entry of WPA one was released back in 2003 well when it was released what it was introducing was layer 2 encryption which mean the access point to the station and this you know authentication that provided access of this encryption was provided by EAP or using pre shared key as a fallback or alternative when WPA was released there's a major paradigm shift that had to have you know from an attackers perspective because you know prior to wpa injection based attacks are all the rage you know you could use them they're very effective against web they were very effective against open networks but now because of WPA there are no longer possible do that layer to encryption so what you saw was a major shift in focus from attacking the encryption itself to actually attacking the authentication mechanism and not even dealing with the encryption so that's where you start to see the WPA handshake captures and dictionary attacks against PSK networks and that's when you start to see rogue ap attacks against weak EAP methods on wireless networks emerge as well so he fast forward 2010 right 802 dot 1x 2010 has been released and you know very similarly we're providing hop-by-hop layer 2 encryption using mac sec and you know this is being prescription is either occurring between the device and the switch or from multiple to switches to kind of encrypt the traffic between the two of them once again authentication is being provided by EAP or PSK as a fallback kind of see where
I'm going with this
so I mean the obvious hypothesis here is that it makes sense to start with a hypothesis that you could also perform a similar shift in focus and start looking at attacking the authentication mechanism rather than trying to attack Mac's ik itself because why do things that are hard with PSK I would venture to speculate that some kind of dictionary attack may be possible although I've hadn't really worked on that so I don't know but in this talk we're talking about attacks cuz we give EMP implementations so how this work there it's a kind of more understand this these kind of parallels let's talk very briefly about attacks against wpa2 EAP right and so the most commonly like
widely known weak EAP method or is EPP and it's very similar to a PT TLS so you can kind of talk about them you know in the same way the way a PP works is that the supplicant and remember talk in a wireless context now the supplicant is going to make an authentication request to the authentication server which is going to respond with an x.509 certificate at this point basically the role this certificate is is for the authentication server to prove to the supplicant that it is who it says it is that it can be trusted the supplicant is either going to accept or deny it's either going to accept or reject that certificate it accepts that certificate it means that trust has been established between the sub booking the authentication server which moves us from the outer authentication process to the internet indication process of VAP peep and you know the inter-ethnic ation process happens when the secure channel is established between the sub book and the authentication server and basically transmit your identity your username password and in the form of hashes what have you through the secure tunnel and secure tunnels there to prevent you from sniffing this process passively so this
process does have security issues remember we're operating wirelessly to research searchers named Brad and Thomas and Josh right back 2008 they are able to discover that you could use a rogue access point attack to force a supplicant to authenticate with a robot an occasion server what do we mean by
rogue access point attack well basically you have all these these these wireless devices here and you force them to connect to your own access point establishing a man the middle there are many ways to implement this but that is the general concept that remains the same you know so pretty much you force
them to connect to you and then you force you to authenticate with your robot then occassions server and to do this you have to send the you do have to
send the target device you know one of these x.509 certificates and it's probably have to be self signed or at least general CA but you know in a lot of cases supplicant will either just automatically accept that boards can be left up to the user to accept the certificate in which case you know you always find someone within an organization who's going to accept that things so it's kind of okay making this
worse right what we talked about in our authentication it's as being that the part that's happening through that secure tunnel well the strongest form of EAP authentication available for eep-eep eep-eep TTLs is Emma's chappie - at least you know that the one that's ones that are widely used so unless chappy - is interesting because although it provides mutual authentication it actually is vulnerable to a cryptographic weakness that was discovered by Moxie Marlinspike and David Holton back at the 2012 essentially once you capture the MS happy to challenge a response that is sent with the secured tunnel using the rogue ap attack that we just described you can reduce it to 50 to 56 bits of DES encryption using a divide-and-conquer attack which you know at that point Marlinspike and Holton were able to demonstrate that with what with a 1 her percent success rate regards to the length of the of the password they were able to convert it into an nth password hash which is password equivalent within 24 hours with the one Harper sent sexist accessory now remember this is back in 2012 although they were using 100,000 cracking rank to do this if you look at what they're cracking redwood cost now it's somewhere between like 10 and 20 thousand dollars which is roughly within the it's actually what pretty much within the range of most kind of like mid-level I guess like the startups of the criminal worlds if you will let alone in like a nation-state or like an apt so let's go back to unit 1 X 2010 with all this in mind the most important takeaway about 82 down X 2010 from a tax perspective is it still uses APA authenticate device to the network and EAP as we just talked about is only as secure as the EAP method used so you know the editor open 1x theta 2 9 1 X 2 2010 standard allows any AP method so long as it supports mutual authentication supports derivation of keys are at least 2 1 128 bits in length and generates an MS Cave at least 64 octaves and there are plenty of commonly seen vici AP methods that meet these requirements including EE P P P P P TLS etc I think you see where we're going
with this so this is where we kind of go into the our new contribution where got introduced something called abrogate we attack that can be used to defeat no.21 XD doesn't end this slide it's kind of misleading because it's saying defeating max f with using rogue gateway attacks it really were just avoiding having to deal with max SEC by kind of cutting it off at the authentication process so the goal of a rogue gateway attack is to force the supplicant to authenticate with the attackers device remember on that we're on the wired now we're on a wired network not a wireless network so what have to get creative in terms of figuring out how you know a way we can do this once once you get this device to authenticate with you you're able to capture hashes which you crack and then you get credentials and just you can authenticate directly with the network at that point so we talked about
bypassing attitude ah - 2004 we use the man the middle style bypass so here you see we have this road device that's directly between the Authenticator and the authorized workstation which is the supplicant we're gonna have to do something a bit different with if the 802 X 2010 we have to go for direct access because this isn't going to work do that layer to encryption so let's talk about
how we can build a device that can do
this the first step of actually setting up our bypass is actually just to set up our device we see this this this is our road device here kind of our design for it we have a three three network interface the side channel interface and that's going to provide us a remote access to this device you know via LTE or what have you right we're also gonna have an upstream interface that's gonna be connected or eventually be connected should I say to the switchboard and we have our feet interface here which is going to be can eh I don't actually know how to say that I just see it in documents all the time five okay cool cool or a new thing every day so we have our fire interface and that's connected to the supplicant and device itself you just use a mini computer we use an Intel nuke or Nook running running Fedora 28
um so we're gonna need is a way to diverting traffic to the rogue device so
I'm gonna take a look at this picture right this is this is a set of train tracks and in the end of the train tracks here we have this little train station here and then we have a switch here and if depending on which way the switch is it's configured if the switch is configured in mode a the trains gonna go directly into the train station if the switch is configured in mobi or mode
I just spelled it in mode B the train is just going to bypass the station entirely it'd be cool if we could do something like that with the internet right so you actually can you can buy these little devices off of Amazon for like ten bucks and it's a mechanical AV splitter you you press the the a button and you're even a traffic sight very mechanically through a port a press the B button and it's driver to mechanically through port B this would be cool but
you know if it senses elite leave behind the device that we're gonna actually use this we need a way of manipulating that push switch there couple a couple ways you could do this theoretically you could use a relay to do this which essentially you either you know use higher low current to kind of like effect where the you know where that you don't know traffic's going to go unless you're an electrical engineer and that's definitely not me building something like this is going to lead to impedance issues which is why a better options to use solenoids a solenoid space a linear motor you have a rod going you know it's with a coil wrapped around it you run electricity through the coil and you know the pending configures push puller push solenoid your pull pull solenoid it's either gonna result in that rod being you kind of like slammed outward or pulled back in so you can use
that to create a pushing motion which you can use to manipulate those those buttons we saw there so our completed
our completed rogue device that the design is going to look like that we have our rogue devices as setup as we saw before we're also going to have these physical AV splitters and on either side our upstream splitter and our downstream splitter and we're gonna have this this wired link between the two of them now also whoops we'll also have a a
passive tab that is going between these two splitters when it's in bypass mode that will let us to allow us to inspect traffic you're used Michael husband's throwing star lands half you build something that's basically similar to that and use it to inspect traffic when you're in bypass mode so when the switches are in mode a traffic is completely bypassing the RO device and going directly between the authenticator in the supplicant when you use the
solenoids to flip the the the switches in to mode B now traffic is diverted to the road device so to actually implement
the attack we flip the switches in
apprehend the device remotely flip the switches to mode B and we shut down the upstream interface which essentially blocks any traffic from from being sent to or from the authenticator and then we set up our rogue authentication server to listen on our fly interface and essentially what this does is it forces the supplicants you authenticate with us and you'll have to inject an equal start frame to yourself to get this to work and we'll talk about what that is later but this actually will actually force the device to authenticate with you and then once you are able to capture those those those hashes provided there using a weak EAP method you can crack them and then you bring down your Phi interface bring up your upstream interface and authenticate directly with the network and you just kind of very lazily avoided having to deal with it at 1x entirely so
here's our are updated demo there's gonna be some legs I don't really know how to fast-forward through it but okay so in the bottom right yeah so those are the solenoids actually flipping the ABS which i made them really big so you could see him although obviously I'd want to be smaller implementation actually the first time I got this to work I freaked the hell out of my wife because she's like what is that did you electrocute yourself and OH which how is actually pretty concerned about myself because I don't really do this very often but yeah so essentially we set it up this is paused yes it is okay so yeah we divert it to the traffic to us it's playing again I don't know how to control this device I'm sorry but what you will see see soon as that basically yeah so we've cut off connectivity from there and we have our hashes that we've captured then from there we go ahead and crack them so thanks I honestly don't know why you're clapping that is like the laziest attack that like but whatever they wanted me to come talk about it stuff so let's take a quick detour really fast to it now that we've gone over that kind of some other stuff that I looked into while working on this project was how did the current state of Mac filtering and Mac authentication bypass because it's something that's been affecting me directly a lot lately
so fun fact not all devices support 80 2.1 X who the thought right but not all
devices support a to 2.1 X but enterprise organizations you know that that need to use these devices they still need to be able to employ them anyways you know so so when this happens you know when you're an enterprise organization that uses ADA to out Winx but you have to deploy a device that doesn't support it traditionally what you've had to do is create what's known as a port security exception when port security exception essentially you just disable a 22.1 X on the port used by that device when you do this you usually replace replace a 2.1 X with Mac filtering or some other weak form of access control not always but usually and historically has been pretty prevalent because of the widespread lack of ADA to know when I support by peripheral devices such as printers IP cameras all those essentials that you know just don't have the the sophistication of like a full workstation or something like that so for security ception exceptions have traditionally been very low hanging fruit for attackers it's much easier to try to find a port security exception than to try to actually bypass edit it out when X 2000 2000 whatever using a bridge or a hug the problem is and I kind of had to go try to verify this myself just by look into things because anybody do like like I mean any red teamers here physical people have done like physical security assessments yeah haven't you gotten the impression that these are just becoming much and less less prevalent like it's just slowly kind of yeah well I mean when you think about it a bit it actually makes sense if you you know basically support for attitude on what expert world support buy it for able to I wouldn't expect full device manufacturers it actually has increased dramatically in recent years if you I mean a good example of this if you if you go on Newegg or whatever and just look up multifunction printers and and try to find ones that support tnx pretty much every major manufacturer of a multi-function printer has at least one model that's affordable by the Enterprise enterprise budget and but I don't mean like a 5,000 printer I mean like you know a couple hundred dollars that supports 802 dot 1x so you know the result of this is that you know as legacy hardware's phased out either breaks your just gets cycled out you know however you know whatever basis it's gonna you know it gets replaced with edited I want to staple models so what this means is that port security exceptions are becoming much and lot much less prevalent than they used to be and you know although there's they're still there they're not quite the low-hanging fruit that they that they that they want to work which which seems seems like a good thing except for the fact that you know we have to remember improved adoption of 802 dot when X does not necessarily imply strong port security for peripheral devices for the following reasons to begin with you know 802 dot 1x 2010 support is really only just starting to become a reality for really really expensive enterprise networking hardware let alone peripheral devices you know additionally you know we mentioned the 802 that wench 2004 can be bypassed using bridges injections etc and you know releasing a tool that makes it really easy to do that as well so that's gonna become a little easier to do with that said you know adoption for secure ap methods can be expect to be lower on these peripheral devices than on domain joined devices so it kind of you know begs the question you know can we use can we just attack EAP as a means of kind of compensating for the diminishing returns that were getting from port security exceptions and doing this actually makes sense when you consider that the adoption of secure EAP methods it's already low across the board let alone peripheral devices which often can't be configured from a Sun you know centrally in the same way that a domain join workstation can be so I guess your first option for doing this if they're use if the peripheral device is using something like EAP P / EAP TLS you could use a similar row gateway
attack like what we talked about before you don't actually need the mechanical splitters to do this this time though you just set up your transparent bridge like like we talked about and you know then just say well your upstream
interface disable your bridge and you know launch launch your robot vindication server on your fire to face right and then from there you're able to you know capture hashes crack them and authenticate
directly at the network and arrestingly enough though honestly like one of the most widely used EAP methods that you see using peripheral devices such as multifunction printers EAP md5 which is really really old and kind of crappy but you know when you think about it it's also really really easy to set up and configure and it's still better than Mac filtering right so you know you you you can honestly if you're deploying EAP md5 and protecting all your parents with it you can say yes all of our devices for 802 dot 1 X we're not going to tell you how we implemented that but they support it it to that one X so the
way ap md5 works you know once again it's a really old it's a really old EAP implementation it the first step of the EAP md5 authentication process is that the authentication server is going to send an EAP request at any frame to to
the supplicant and the supplicants going to respond with an EAP response identity frame which is it's providing a username the authentication service that I'm going to create a randomly generated string of characters awesome we're good it's going to create a randomly generated string of characters in the form of an EAP challenge and it's going to send that off to the supplicant as an EAP challenge request the supplicants then going to take that randomly generated string characters concatenated with its username concatenate that with its password and then dump that through the md5 hash function and what comes out of the md5 hash function is the EAP challenge response which is sent back to the e authentication server the authentication servers that I'm going to do the exact same hashing operation that the supplicant did generate its own response and the compare to the one that received from the supplicant if they match that authentication succeeds if they failed an authentication or they don't match ten occasion fails so kind of the the the thing to remember about this authentication process is the entire process is occurring over plaintext wood which you know if you think about it you know we don't have the benefit of that tunnel that we had with EPP / EPT TLS and and what that means is an attacker can basically sniff this process passively capture the username capture the EMP chalant EAP md5 challenge request and the EAP md5 challenge response and then basically perform a dictionary attack to obtain the password and actually a couple of researchers from China in 2012 they are able to recover a PMD five pencils even faster using a length recovery tack so I mean this is essentially really really broken protocol so with this in mind and leveraging what we know not only about how to attack a PMD 5 but how to talk how to attack a 2.1 X 2004 as well you know it follows that we can use we can start out by using a bridge based approach a bridge rates bypass to place a road device between the supplicant on the authenticator we then we then start sniffing traffic being sent back and forth between these devices you know we then wait for the supplicants authenticate sniff the EAP md5 challenge snip the EAP md5 response when it does crack the credentials and just then I'll Tenakee directly with a network hi there is one major drawback to this approach and that's that we have to wait for the supplicants re-authenticate with the switch which actually that's not gonna happen unless we disable a virtual network interface or I'm sorry disabling a virtual network interface isn't enough to make that happen and it's real realistically not gonna happen unless we actually unplug the the supplicant from from the from the switch itself we could use the mechanical splitters that we talked about with a 2.1 X 2010 but honestly the less overhead the better and right now are going for simpler so basically another thing that the third contribution that we have here is the EAP md5 forestry authentication attack against a 2.1 X 2004 we mentioned the first two steps of the initialization process right which really realistically are the first two steps of the EAP authentication process that's pretty much the whole thing combined are that the supplicants going to send the Authenticator equals start frame that's the signal to the Authenticator that it should send a supplicant EAP requested energy frame because we're beginning the authentication process we also mentioned that this first step the e pole start frame is optional the reason why the first step is optional that the Authenticator needs a means of forcing the supplicants re-authenticate you know in the event of a problem in the event that they needs to reconfigure something etc so that's left as an optional as an optional step the problem with this is the supplicant has no way of verifying if the incoming EAP requested any frame has been sent in response and eople start you know essentially like we can force real dedication by sending an equal star frame to the authentic as if it came from the supplicant using maps max moving and this the result will be that the authenticators going to send an EP requested any frame to the actual supplicant and kick-start the real dedication process when this happens about the authentic here and the supplement are going to believe that the other party has initiated the relocation attempt and as you can see here in this
this little video here we can just inject repeatedly inject evil start frames using escapee in the bottom-left and that forces reopen ocation and it's very very easy to do and very fast so if
we take this information attitude to to our to our first attack our passive attack against the APM d5 we come out with you know i guess what we call the EP md5 for sri authentication attack which we start out by introducing this rogue device to the to the network directly between the authentic e and the supplicants set up our bridge as before start passively sniffing traffic we then force free authentication by setting a spoof equal start frame to the Authenticator and then from there that allows us to immediately capture the EP me5 challenge response and the AP mp5 challenge crack those and then we can authenticate the network that way and this is pretty fast you just run this yeah it's we've literally just by running the thing now we have the request ID the challenge the response and also the identity and that's it I guess like the first propose we get mitigation to this that comes to mind although you know honestly this is probably not bulletproof either is to put a safety bit in the EP request at any frame you could set it to one if the frame of sent a response to equal start frame and check it when the supplicant receives an EAP requested any frame and you know essentially if the safety that's it's a 1 and the supplicant did not recently issue an equal start frame you abort the authentication process so just to wrap this up just to summarize our contributions what we kind went over today we've introduced the rogue gateway and impedance which was which in conjunction with one another can be used to bypass 82 - 2010 by attacking its authentication mechanism we've also introduced an updated and improved we've also updated improved existing 802 that when X 2004 bypass techniques emphasis emphasizing on the on the techniques introduced by it by Alva duck wall back in 2011 and we've also introduced the EAP mb5 forestry authentication attack which an improved attack against MDF b mv5 on wired networks some key takeaways before we wrap this up port Security's still a very very positive thing please keep using it but it's not a substitute for a later post and network security it you know supplying deploying port secure does not absolve you from from from very basic responsibilities like patch management you know kind of keeping tabs of yeah it doesn't it it's it's part of it it needs to be part of a larger system that is designed to keep your network secure and additionally the benefits provided by a 2 2 a 2 2.1 X can be undermined due to the continued use of EAP as an authentication mechanism and finally improved 802 now attitude on tech support by peripheral devices or should I say peripheral device manufacturers is largely undermined by lack of support for 82 802 dot necks 2010 and low adoption support rates for strong EAP methods if you want to look over this information in more detail there's gonna be a blog post I tried putting in the entire URL the blog posts but like it just kind of took up the entire slide so it's just the first results on digital silence like home slash blog and finally we have the if you actually wanna try it try performing these the tool and the associated documentation is available on github comm slash solstice slash silent bridge thank you very much