A Bridge Too Far: Defeating Wired 802.1x with a Transparent Bridge Using Linux

Video thumbnail (Frame 0) Video thumbnail (Frame 2384) Video thumbnail (Frame 5341) Video thumbnail (Frame 7363) Video thumbnail (Frame 9593) Video thumbnail (Frame 11552) Video thumbnail (Frame 13347) Video thumbnail (Frame 16146) Video thumbnail (Frame 18028) Video thumbnail (Frame 21093) Video thumbnail (Frame 23677) Video thumbnail (Frame 26302) Video thumbnail (Frame 28227) Video thumbnail (Frame 30074) Video thumbnail (Frame 32076) Video thumbnail (Frame 38093) Video thumbnail (Frame 42082) Video thumbnail (Frame 44625) Video thumbnail (Frame 47388) Video thumbnail (Frame 49500) Video thumbnail (Frame 53267) Video thumbnail (Frame 55574) Video thumbnail (Frame 58332) Video thumbnail (Frame 60404) Video thumbnail (Frame 63289) Video thumbnail (Frame 72974) Video thumbnail (Frame 81303) Video thumbnail (Frame 83284) Video thumbnail (Frame 85829) Video thumbnail (Frame 87698) Video thumbnail (Frame 90045) Video thumbnail (Frame 92706) Video thumbnail (Frame 95200) Video thumbnail (Frame 97573) Video thumbnail (Frame 101328) Video thumbnail (Frame 104159) Video thumbnail (Frame 106021) Video thumbnail (Frame 108971) Video thumbnail (Frame 111647) Video thumbnail (Frame 115531) Video thumbnail (Frame 117591) Video thumbnail (Frame 119400) Video thumbnail (Frame 123589)
Video in TIB AV-Portal: A Bridge Too Far: Defeating Wired 802.1x with a Transparent Bridge Using Linux

Formal Metadata

Title
A Bridge Too Far: Defeating Wired 802.1x with a Transparent Bridge Using Linux
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2013
Language
English

Content Metadata

Subject Area
Abstract
Using Linux and a device with 2 network cards, I will demonstrate how to configure an undetectable transparent bridge to inject a rogue device onto a wired network that is secured via 802.1x using an existing authorized connection. I will then demonstrate how to set up the bridge to allow remote interaction and how the entire process can be automated, creating the ultimate drop and walk away device for physical penetration testers and remote testers alike. Alva 'Skip' Duckwall has been using Linux back before there was a 1.0 kernel and has since moved into the information security arena doing anything from computer/network auditing, to vulnerability assessments and penetration testing. Skip currently holds the following certs: CISSP, CISA, GCIH, GCIA, GCFW, GPEN, GWPT, GCFA, GSEC, RHCE, and SCSA and is working on getting his GSE. Skip currently works for Northrop Grumman as a Sr. Cyber Something or other.

Related Material

Video is accompanying material for the following resource
Email Slide rule Group action Multiplication sign System administrator System administrator Interactive television Computer network Statistical hypothesis testing Statistical hypothesis testing Random matrix Software Alphabet (computer science) Telecommunication Kernel (computing) Object (grammar) Information security Information security
Laptop Polar coordinate system Presentation of a group Netbook Workstation <Musikinstrument> 1 (number) Data storage device Regular graph Approximation Neuroinformatik Duality (mathematics) Read-only memory Befehlsprozessor Industrie-PC Personal digital assistant Cuboid Monster group Workstation <Musikinstrument> Computer Plastikkarte Sound effect Computer network Connected space Backtracking Type theory Software Integrated development environment Hard disk drive Laptop
Point (geometry) Service (economics) Implementation Game controller Axiom of choice Arm Distribution (mathematics) Computer Computer network Data storage device Line (geometry) Plastikkarte Arm Neuroinformatik Backtracking Digital photography Backtracking Befehlsprozessor Different (Kate Ryan album) Befehlsprozessor Computer hardware Revision control Booting Default (computer science)
Frame problem Polar coordinate system Open source Image resolution Image resolution Open source Length Virtual machine Physicalism Vector potential IP address Frame problem Variable (mathematics) Virtual machine Cache (computing) Virtual LAN Computer hardware Energy level Communications protocol Communications protocol ARP Address space Local ring Address space
Gateway (telecommunications) Email Random number Local area network Virtual machine Total S.A. IP address Encapsulation (object-oriented programming) 2 (number) Cache (computing) Communications protocol System identification Router (computing) Extension (kinesiology) Local ring UDP <Protokoll> Address space Default (computer science) Routing Gateway (telecommunications) Open source Length Computer network Line (geometry) Frame problem Cache (computing) Computer configuration Software System programming Revision control Figurate number Table (information) Communications protocol Routing Window Local ring Address space Flag
Authentication Standard deviation Game controller Server (computing) Server (computing) Authentication Transport Layer Security 1 (number) Client (computing) Computer network Client (computing) Local area network Front and back ends Zugriffskontrolle Latent heat Software EAP-Protokoll Software framework Software framework Quicksort Implementation Communications protocol
Server (computing) Structural load Local area network Chemical equation Decision theory Patch (Unix) Authentication Workstation <Musikinstrument> Motion capture Public domain Virtual LAN Public key certificate Number Element (mathematics) Radius Information Local ring Authentication Netbook Information Decision theory Patch (Unix) Server (computing) Client (computing) Computer network Public domain Element (mathematics) Virtual machine Virtual LAN Radius Software Password Lastteilung Quicksort Window
Decision theory Multiplication sign Client (computing) Neuroinformatik Office suite Exception handling Adventure game Link (knot theory) Maxima and minima Bit Price index Term (mathematics) Virtual machine Self-organization Configuration space Quicksort Server (computing) Implementation Proxy server Link (knot theory) Patch (Unix) Authentication Virtual machine Power (physics) Goodness of fit Term (mathematics) Software Computer hardware Software testing Configuration space Booting Proxy server Backup Address space Authentication Overhead (computing) Server (computing) Projective plane Planning Computer network Client (computing) Power (physics) Radius Software Integrated development environment Personal digital assistant Computer hardware Exception handling Window
Link (knot theory) Link (knot theory) Information Weight Multiplication sign Open source Sheaf (mathematics) Client (computing) Client (computing) Connected space Software Blog Information security UDP <Protokoll> Information security Condition number Default (computer science)
Classical physics Server (computing) Game controller Firewall (computing) Classical physics Computer network Client (computing) Shareware Shareware Connected space Type theory Radius Flag Configuration space Cuboid Configuration space Quicksort UDP <Protokoll> Window
Standard deviation Digital filter Module (mathematics) Installation art Regulärer Ausdruck <Textverarbeitung> Distribution (mathematics) Disintegration Plastikkarte OSI model Hooking Kernel (computing) Utility software Configuration space Series (mathematics) Default (computer science) Module (mathematics) Default (computer science) Standard deviation Distribution (mathematics) Interface (computing) Open source Computer network Motion capture Line (geometry) Statistics Virtual machine Connected space Kernel (computing) Software Personal digital assistant Series (mathematics) Interface (computing) OSI model Utility software Configuration space Address space
Frame problem Standard deviation Regulärer Ausdruck <Textverarbeitung> Module (mathematics) Code Patch (Unix) Blog Googol Information Series (mathematics) Communications protocol Information security Address space Capability Maturity Model Execution unit Standard deviation Patch (Unix) Open source Code Computer network Motion capture Statistics Software Block (periodic table) Information security Address space
Injektivität Module (mathematics) Mass flow rate User interface Open source Link (knot theory) Code Patch (Unix) Set (mathematics) Infinity Physical law Configuration space Injektivität Computer icon Link (knot theory) Patch (Unix) Interface (computing) Java applet Open source Code Computer network Drop (liquid) Coma Berenices Motion capture Variable (mathematics) Message passing Software Compiler Sheaf (mathematics) Interface (computing) Video game Configuration space Hill differential equation Videoconferencing
Point (geometry) Default (computer science) Presentation of a group Link (knot theory) Adaptive behavior Virtual machine Bit Client (computing) Exploit (computer security) Shareware Power (physics) Shareware Object-oriented programming Software Right angle Booting Resource allocation Software protection dongle Window God Surjective function
Authentication Addition Existential quantification Real number Interactive television Computer Sound effect Client (computing) Maxima and minima Measurement System call Connected space Neuroinformatik Sign (mathematics) Configuration space Quicksort Information security Reverse engineering Information security Booting Address space
Service (economics) Server (computing) Service (economics) Server (computing) Open source Coma Berenices IP address Direct numerical simulation Kernel (computing) Query language Function (mathematics) Single-precision floating-point format Direct numerical simulation Query language Quicksort Information security Information security Address space Resolvent formalism Address space Booting
Dataflow Local area network Interface (computing) Open source Drop (liquid) Function (mathematics) Client (computing) Wave packet Traverse (surveying) Chain Function (mathematics) Chain Interface (computing) output Process (computing) Block (periodic table) output Information security Table (information) Local ring Local ring
Tuple Game controller Randomization Table (information) Open source Client (computing) Stack (abstract data type) Rule of inference OSI model Telecommunication Operator (mathematics) Series (mathematics) Address space Routing Operations research Game controller Slide rule Open source Computer Client (computing) Computer network Public domain Stack (abstract data type) Virtual machine Connected space Event horizon Order (biology) Table (information) Tuple Local ring Sinc function Daylight saving time Address space
Open source Range (statistics) Open source Virtual machine Range (statistics) Limit (category theory) Client (computing) UDP <Protokoll> Number Routing
Service (economics) Workstation <Musikinstrument> System call Service (economics) Open source Server (computing) Workstation <Musikinstrument> Open source Virtual machine Computer Client (computing) System call IP address Neuroinformatik Computer configuration Software Telecommunication Statement (computer science) Gastropod shell Gastropod shell Series (mathematics) Information security
Open source Server (computing) Range (statistics) Open source Computer Translation (relic) Computer network Client (computing) Basis <Mathematik> Client (computing) IP address Dynamic Host Configuration Protocol Connected space Dynamic Host Configuration Protocol Word Event horizon Software Telecommunication Order (biology) Interface (computing) Sinc function Spacetime
Gateway (telecommunications) Group action Building Local area network Range (statistics) Drop (liquid) Rule of inference Gastropod shell Software testing Configuration space Information Address space Self-organization Default (computer science) Default (computer science) Information Interface (computing) Web page Computer Sound effect Computer network Coma Berenices Range (statistics) Drop (liquid) Line (geometry) Variable (mathematics) Software Function (mathematics) Interface (computing) Configuration space Software testing Quicksort Information security Table (information) Asynchronous Transfer Mode Address space
Server (computing) Game controller Open source Firewall (computing) Multiplication sign Port scanner Amsterdam Ordnance Datum Public domain Client (computing) Coma Berenices Rule of inference IP address Shareware Neuroinformatik Data conversion Address space Fiber (mathematics) Metropolitan area network Routing Rule of inference Host Identity Protocol Open source Drop (liquid) Line (geometry) Frame problem Software Function (mathematics) Telecommunication Right angle Lastteilung Quicksort Location-based service Table (information) Address space
Gateway (telecommunications) Link (knot theory) Local area network Firewall (computing) Multiplication sign Client (computing) Drop (liquid) IP address Shareware Internetworking Computer configuration Average OSI model Process (computing) Information Series (mathematics) God Physical system Task (computing) Default (computer science) Information Bit Line (geometry) Price index Connected space 10 (number) Shareware Process (computing) Software Configuration space Right angle Quicksort Table (information) Local ring Window
Gateway (telecommunications) Default (computer science) Gateway (telecommunications) Information Computer Computer network IP address Frame problem Neuroinformatik Fluid statics Software Causality Auditory masking Configuration space Information Routing Address space Address space Default (computer science)
Gateway (telecommunications) Server (computing) Service (economics) Local area network Transport Layer Security Firewall (computing) Workstation <Musikinstrument> Virtual machine Client (computing) Likelihood function Neuroinformatik Web 2.0 Direct numerical simulation Local ring Address space Default (computer science) Self-organization Service (economics) Workstation <Musikinstrument> Gateway (telecommunications) Firewall (computing) Sound effect Computer network Bit Directory service Fluid statics Software Function (mathematics) Direct numerical simulation Quicksort Local ring Router (computing)
Gateway (telecommunications) Email Server (computing) Local area network Firewall (computing) Mathematical analysis IP address Variable (mathematics) Neuroinformatik Direct numerical simulation Goodness of fit Information Noise UDP <Protokoll> Quicksort Address space Information Image resolution Server (computing) Numerical analysis Directory service Dynamic Host Configuration Protocol Dynamic Host Configuration Protocol Process (computing) Integrated development environment Coefficient of determination Order (biology) Direct numerical simulation Configuration space Quicksort Local ring Flag
Gateway (telecommunications) Sine Service (economics) Open source Local area network Workstation <Musikinstrument> Virtual machine Kerberos <Kryptologie> Mathematical analysis Client (computing) IP address 2 (number) Neuroinformatik Web 2.0 Cache (computing) Telecommunication Kerberos <Kryptologie> Information Service (economics) Gateway (telecommunications) Slide rule Active Directory Streaming media Computer network Directory service Virtual LAN Computer configuration Software Integrated development environment Filesharing-System Window
Game controller Computer file Motion capture Public domain Mathematical analysis Number Blog Kerberos <Kryptologie> Cuboid Information Statement (computer science) Implementation Booting Game controller Presentation of a group Execution unit Gateway (telecommunications) Information Web page Active Directory Code Computer Public domain Computer network Login Directory service Software Integrated development environment Configuration space Figurate number Automation Physical system Window Booting Address space
Point (geometry) Game controller Parsing Computer file Open source Link (knot theory) Workstation <Musikinstrument> Public domain Mathematical analysis Likelihood function Computer Variable (mathematics) Neuroinformatik Kerberos <Kryptologie> Core dump Implementation Address space Scripting language Gateway (telecommunications) Link (knot theory) Information Interface (computing) Open source Computer Coma Berenices Directory service Line (geometry) Integrated development environment Automation
Laptop Context awareness Building Proxy server 1 (number) Drop (liquid) Average Rule of inference Likelihood function Shareware Variable (mathematics) Neuroinformatik Malware Square number Information security Routing Rule of inference Information Interface (computing) Open source Physicalism Drop (liquid) Computer network Line (geometry) Variable (mathematics) Frame problem Shareware Software Function (mathematics) Cube Configuration space Automation Table (information) Sinc function Laptop Arc (geometry) Booting
Gateway (telecommunications) Default (computer science) Local area network Characteristic polynomial Mathematical analysis Sound effect Computer network Mathematical analysis Power (physics) Fluid statics Integrated development environment Software Different (Kate Ryan album) Cuboid Energy level Information Local ring Window Address space Thumbnail Default (computer science) Window Address space
Order (biology) Link (knot theory) Process (computing) Link (knot theory) Computer file Average Duplex (telecommunications) Order of magnitude Computer network Local ring Order of magnitude Statistical hypothesis testing
Building Server (computing) Link (knot theory) Duplex (telecommunications) Quantum fluctuation Virtual machine Drop (liquid) Streaming media Average Computer Sign (mathematics) Booting Self-organization Authentication Noise (electronics) Simulation Link (knot theory) System administrator Computer network Bit Power (physics) Software Integrated development environment Video game Cycle (graph theory) Information security Resultant
Email Context awareness Server (computing) Proxy server Multiplication sign Characteristic polynomial Streaming media Mereology Event horizon Statistical hypothesis testing Web 2.0 Mathematics Pressure volume diagram Flag Cuboid Software testing Office suite Information security Fiber (mathematics) Metropolitan area network Simulation Email Link (knot theory) Characteristic polynomial Code Client (computing) Vector potential Event horizon Software Cube Website Quicksort
Frame problem Vapor barrier Multiplication sign Shareware Neuroinformatik Substitute good Hooking Optics Cuboid Office suite Local ring Fiber (mathematics) Metropolitan area network Distribution (mathematics) Firewall (computing) Computer Computer network Client (computing) System call Frame problem Connected space Backtracking Mechanism design Type theory Software Intrusion detection system Analog-to-digital converter Self-organization Right angle Boundary value problem Fiber (mathematics) Routing Address space
Laptop Building Information Decision theory Patch (Unix) Decision theory Authentication Amsterdam Ordnance Datum Computer Computer network Client (computing) Public domain Neuroinformatik Hooking Software Integrated development environment Basis <Mathematik> Personal digital assistant Authorization Energy level Quicksort Routing Information security Amenable group
Existential quantification Presentation of a group IPSec Multiplication sign Workstation <Musikinstrument> Client (computing) Open set Parameter (computer programming) Disk read-and-write head Likelihood function Subset Web 2.0 Triangulation (psychology) Different (Kate Ryan album) Encryption Cuboid Data conversion Information security Scripting language IPSec Point (geometry) Amsterdam Ordnance Datum Sound effect Maxima and minima Bit Arithmetic mean Internetworking Configuration space Right angle Authorization Quicksort Metric system Arithmetic progression Point (geometry) Trail Server (computing) Supremum Link (knot theory) Patch (Unix) Virtual machine Similarity (geometry) Amsterdam Ordnance Datum Number Revision control Goodness of fit Authorization Proxy server Metropolitan area network Form (programming) Default (computer science) Standard deviation Matching (graph theory) Validity (statistics) Weight Interface (computing) Basis <Mathematik> Line (geometry) Shareware Wind tunnel Kernel (computing) Software Integrated development environment Network topology Point cloud Wireless LAN Routing
my name is skeptical I'm here to talk about bypassing wire data to an ex with a bridge using Linux so I'll just kind of get right into it oops it's not that pushing slides there we go alright so
I've been working with Linux since 1993 it's a really long time back before there was a 10 colonel unix admin by trade transition to IT security a while back got a whole bunch of initials after my name missing 12 letters so I think the new certs I go after probably going to try to go for some of the oddballs like Q picked up X a little while back but anyway I work for Northrop Grumman on a team that does full-scale penetration tests it's the only way
let's just go over some basics here the objective is to introduce onto a network that is secured with wired 8021 X device that we can inject traffic with communicate with interact with remotely and that is undetectable to the people who run the network is let's face it if they could see it it really wouldn't be much fun to play with so what do we need
a linux box with two network ports an extra network cable or two this uses an existing workstation with an existing authorized connection and box off an 8th or somewhere that we use to handle callbacks so you can actually use a
laptop with two network cards a little USB ethernet cards in them the upside is there x86-based so you don't have to worry about any cross compiling or anything like that you can use backtrack but this monster is a little hard to hide under somebody's desk so somebody would figure it out pretty easily but if you had to do an in-person demonstration walking into someone's conference room just jacking yourself in it could be a pretty effective presentation device so
also got something like this it's an atom based industrial PC pretty small this one's got two ethernet ports already on it a bunch of USB you can put an SSD hard drive in it or a regular hard drive it's completely fanless pretty quiet pretty easy to shove under a desk somewhere I want to say this one was four or five hundred bucks but they make cheaper ones or more expensive ones anyway there's a lot of industrial pcs or this kind of technology meant to run in environments where it's not terribly computer equipment friendly so high temperature humidity environments that type of thing so the other fun one to
play with is plug computer this looks like kind of a big wall wart and it's it's based on an arm CPU runs linux and it's fanless and if you saw this on the floor with another cable coming out you probably wouldn't give it a second thought if it was shoved under someone's desk and I've got it plugged in line but you can also get on the photo you see the little duel wall port it just looks like a big wall work put a sticker on it you know says air freshener something like that and yeah larm company that's a good one no one will really know the difference
so for the x86 implementation this is actually what I got working initially I use backtrack are for yeah I know five is out but I had it working on for so haven't gotten around to five and on the plug it currently has a bunt 2904 which is currently no longer supported so I'll either switch it over to Debian or probably just roll my own distro at some point to have a finer grained control over what goes on it a quick review on
Ethernet frame this is what a typical ethernet frame without using VLANs looks like it communicates to other devices on the wire using destination and source MAC addresses and typical Ethernet traffic is either the ethernet frame that encapsulates a higher level packet or ARP ARP is the address resolution
protocol it Maps IP addresses to physical hardware addresses it's a question reply protocol it's typically somebody will yell out on the local segment who has 192 168 1 dot 1 and the 192 168 1 dot one will reply back directly to the person asking the question I'm here and this is my mac address to keep the arc traffic from getting completely crazy for every packet that gets sent out on the wire there's typically a local art cash on the at the higher level on the local machine the ARP cache is typically on
windows XP would last up to 10 minutes on vista 7 2008 it's a random interval between 15 and 45 seconds and on linux typically at 60 seconds but it is tunable IP address or IP protocol IP
encapsulates tcp UDP and it uses IP addresses to communicate with who it needs to talk to you next so what happens if a destination IP is outside the local network well the
packet has to get routed there's a local routing table on the device that decides what needs to happen to the packet once it leaves the device typically the only networks that a local device can route to directly are on the local segment it's on to go outside that you typically forward to a gateway when an IP packet
gets routed to its next top the local machine will check the routing table figure out what the next top router is it will check its local local ARP cache to see if the mac address is known for the next hop and if it doesn't know it it will ARP for it store it in a local cache it'll construct the ethernet frame and the frame gets fired off down the line eep is the extensible
authentication protocol it's not really a it's a framework it's not a standard more like guidelines everybody tends to implement kind of their own little thing there's 40 or so the big ones that we're concerned with is EEP TLS and EEP over land or I Paul II Paul is what is used to authenticate using 80 2 and X 80 2
and X is an i triple e standard for pork based network access control it's got three pieces there's a supplicant namely the client that is authenticating to the network an Authenticator which is the device that the supplicant is authenticating to and then there's some sort of back-end authentication server usually radius something like that that takes credentials from the Authenticator and validates them and then gives the ultimate decision about whether or not to let the supplicant onto the network so the
supplicant packages up the authentication information that could be a password it could be a certificate it could be any number of things packaged it with EEP all sent it to the switch the switch will then repackage it into an radius request the authentication server takes a look at it and gives the ultimate decision and then if successful the traffic is allowed to pass through the network there's a quick wireshark
capture of EEP all exchange from front to back 80 2 and X also has the ability
through an agent on the supplicant side to make network policy decisions for example you can have an agent that will check to see if a road warriors netbook is up to date with patches and has a current AV if not it'll instead of allowing it onto the general business land it will shoot it off to a remediation subnet where are the only things that can talk to or the AV server or a remediation server of some sort to get brought back up to speed scanned whatever and then you can fire it back over to the workstation land you can do things like require an account membership to Windows domain so you have to actually be logged into a domain to be able to use the local network resources and if not either deny access or toss people onto a guest VLAN depending on how friendly you are and you can also use it to load balance to a lesser populated VLAN so you don't just
wake up one day and decide hey I'm going to implement a tattoo on X today there's a lot of planning required because you have to have an authentication server more than likely one or two you need more power more licenses all of your equipment needs to be able to support a tour to an ex printers are a notorious special case for a lot of things it's complicated to set up you have to plan your deployment carefully you have to start office by office making sure your switches are upgraded making sure the supplicants are communicating correctly then when you turn it on you got to make sure it all works it's a mole it's often a very long term project it requires a lot of planning and you also for your organization typically have to have a fairly robust and mature infrastructure before you even consider implementing it if you're just got one network guy he's not going to he'll probably quit if you just decide you're going to do it one day there's always going to be
exceptions printers I mentioned before typically those are going to be secured with either sticky max or Cisco calls it Mac off bypass which is basically allows you to specify a mac address that will authenticate via radius but it's kind of a special case we'll let them on anyway even though he's not fully a tattoo annex capable you've got pixi booting potentially in your environment hardware software test networks where the configuration may change over time and 80 to 1 X may not be the best thing to do to to facilitate your testing OS reloads booting from Windows to Linux that sort of thing these are all things that will cause you issues if you have a strict 802 1x implementation on the client side how often does the link on the client actually go down people kick cables all the time power cables get taken out of computers underneath the desk reboots people will shut down or bend their computer at the end of the day and then there's good old reboot Wednesday after patch tuesday every one of those machines as soon as it goes back to CMOS drops its link so it's you can't just you know it's something you have to pay attention to and you have to be aware of that you can't just be very strict about once the link drops it's never going to come back without human intervention typically it's configured in such a way that it will come back up after reoffend occation just forces another real indication and then obviously you have to configure your various clients be it linux windows or whatever to support 802 on X and that can be a bit of an adventure if you have a very heterogeneous network in 2004
security researcher demonstrated an attack using a tattoo when X against a wired network the basically injecting a hub and using the hub to add a rogue device along with an authorized client at the same time so once the authorized client would authenticate to the network the rogue device could then piggyback off of the existing connection there were a few problems and interestingly enough when I was researching who to give credit to for this particular attack there are a couple of names that came up one was a gentleman from Microsoft you posted on their tech net blog but there was another guy that I saw that actually was dated about a year earlier so I don't know who actually gets credit so I put both of them at the end in my links section anyway the
problem with having two devices on the network that respond to the same information it can really only use EDP because tcp causes a race condition if the rogue device sends out a TCP syn packet syn ACK comes back well the legitimate device if it sees a syn ACK packet because a hub will broadcast to every port on the on the hub it will respond with a reset ACK well your rogue device will respond with a knack so it's a race whose packet will get to where it's going first and even then the whole time it'll be causing problems so best thing to do is
improve on the existing classics nobody ever really has any new ideas anymore it's all improving on existing things so you can't really go to the storm by a hub anymore that really does make it kind of hard to do the classic attack or if you do go buy something that they claim as a hub it's actually a switch and hub was cheaper to print on the label yeah less letters exactly plus they get to use the h and b which are not that common makes them feel better we want to be able to use tcp or for that matter anything and if you have all sorts of weird traffic going on on the network such as having a rogue device or two devices responding the same types of traffic that can cause that can raise some flags if you know if you're paying attention that sort of thing so my demo
configuration is mostly virtual I've got a server subnet that has a radius box a demain controller and a wsus server it's separated out by a firewall the firewall has a connection to the switch the switch also has a connection to a windows 7 virtual client so once i get everything hooked up the windows 7 client will authenticate to the radius server the switch will let it go hot and away we go
so what's a bridge bridge is a network device that connects multiple segments at the layer to there's an i triple e standard and switch is essentially a special kind of bridge in that it has multiple ports so to use a bridge in
Linux there is a kernel module it's integrated into the 26 series but it's also available i believe for the 24 as well standard in most distributions there's some user land utilities that use to configure bridge and they're available almost everywhere although they may not be installed by default you'd probably have to go install them yourself so setting up a bridge is
fairly straightforward you create the bridge interface in this case I use BR 0 you add nicks to the bridge interface you bring everything up one side the other side than the bridge interface so
what happens when you hook up an ADA to an ex connection with just a straight bridge in lenox yeah not much oh yeah it couldn't be that easy could it well as
it turns out this the reason for it not working is because the traffic that epoll uses is supposed to be dropped per spec on the 801 d spec so per standard
8021 d bridge standard there's a series of 15 MAC addresses that if you see that traffic you're not supposed to pass on the bridge alright well it seems doesn't seem like rocket science we pass it it
all works so back out the the patch and away we go well unfortunately the bridge code has seen a fair amount of maturity over the past few years so simply backing out the patch from four years ago doesn't really work but fortunately there's a gentleman a bat gremo security who figured it out he wrote a tool called
Marvin that is a java-based tool that is used to inject traffic onto a network using 802 1x wired so he figured out
what you needed to do it's written in Java requires three network ports a source to destination and injection and allows you to manually jack with the traffic going across the wire it does require manual setting of Max and IPS on all sides so it's not something you can just drop and walk away from it requires a fair amount of setup it's an interesting little tool depending on what you're doing it might be worth looking at but the his patch basically
commented out the new 26 code that drops
the epub traffic and now we can pass II Paul on the bridge so it's pretty easy
to get the transparent configuration going just set up some environmental variables to make life easier enable IP forwarding create the bridge bring up
the interfaces and then using the mi I tool in Linux we can actually reset the link by forcing speed renegotiation so it actually will physically drop the link and bring it back up so we can simulate disconnecting the cable remotely so that's pretty cool let me
get my vm set up here any questions about anything so far wow you guys still hungover or something it's expecting a little more boisterous audience or something somebody have a question I'm sorry yeah yeah since the bridging by default is done at layer 2 it doesn't know anything about what's going across the wire so it's just blindly forwards traffic from point A to point B yeah I dropped the link because that's the easiest way to force a reallocation typically you can if you drop the link on the supplicant side it will say hey I'm Bob again but the switch may or may not pick it up or be expecting it you drop it on the switch side the switch will say who are you so by switching it by doing it on both sides you just simulate the link going down and it forces the Rihanna keishon correct alright get you gone sorry about this had a little bit uh unfortunately the switch i have takes like 10 minutes to boot from no power so i had to get things rolling with the presentation before was ready fortunately you know hooking up two cables it's not that hard to do any other questions while I'm getting this thing going one more vm to bring up and then hopefully this will be all working praying to the demo gods yeah they are actually yesterday when I was setting up the the demo ended up separating the USB dongle from the USB portion on one of the four adapters I brought I need three for the demonstration that was a little stressful oops damn it
I'll get this switched over real quick says the window the machine gets finished booting all right worry ah yes invariably I'll tell you what there's really not a lot to see with the transparent demo i plug it in it works we'll get to the pre-populated one and I'll get this thing figured out one of the ports is not behaving right so I got a ssh into the switch and get that fixed but anyway it's fairly straightforward you plug it in it works the interesting stuff is later on when you interact with the device remotely so anyway right now on the device the bridge looks like a piece of wire you don't really see anything it passes traffic from point A to point B the EPL traffic goes across just fine all the traffic from the client goes across unmolested and so from a proof-of-concept point we've introduced a 80 to 1 X onto or introduced a rogue access device onto a network is secured by a 21 X now this is kind of like the pet rock of exploits here you just demonstrated that it works but it's not really a lot of fun to play with so let's see what we can do to crap to fix that alright so what do we need
to actually make our pet rock a little more fun to play with well we need to first and foremost not trip up any additional security measures that are that are in place we really don't want to cause port security to get tripped because typically port security violations don't automatically get reset so it requires a human to come out and take a look or or somebody calling and saying hey my computer doesn't work what's going on so that's that's not a good situation to have for we also want to make sure that we're natick all of our traffic so that looks like we're coming from the computer whose connection we are piggybacking and we want to establish call-outs sticky max like i mentioned
typically are that's a pretty fatal problem to have if you drop one of these devices in remotely because it's a real sign that something's going on it shouldn't be going on so try to avoid that at all costs however you can typically force inator to an ex authentic re authentication without any sort of ill effects simply because there's going to be so many different devices out there that reboot periodically or the connection goes away or a switch gets rebooted or something so seeing real authentic ation traffic usually doesn't set off any alarms now
port security a single stray mac address flying across the wire will be the end of you so you have to make sure that no traffic leaves until everything is set up and we're going to start dark and slowly bring up functionality until we're good to go so things that have
bitten me in the past excess services apache is really good at that what's the first thing a patchy does when it starts up sends out a name server request for its IP address because typically it's going to be host ww CNN com what's the first thing it does oh who is ww CNN com sends out a name server request well a name server request goes on the wire so if you're not paying attention that's something that can happen in the background many other services also do the same sort of thing ipv6 most modern kernels will automatically have ipv6 support enabled and there may or may not be ipv6 traffic on the wire that you're on but since i'm not doing anything with ipv6 it's best to disable it because it has burned me in the past dns like i mentioned sometimes simply starting networking under linux can cause a dns query to go out so i typically blank out the resolv.conf to make sure that doesn't happen and then arp is usually the culprit for all of the woes when it comes to tripping port security because everything you do if it doesn't know how to get to that particular IP address it fires arpan off fires off an ARP request so simplest thing to do is to make sure
you don't fire off any art bequests arp tables is a tool that allows you to block all ARP traffic from an interface now using the output chain here the output chain is only used by traffic that leaves the local network or leaves the local device so traffic going across the bridge actually traverses the forward chain and not the output chain
this is a quick overview of the basic chains that are iptables ARP tables nibi tables pre routing all traffic coming into the device passes through the pre routing chain forward is traffic moving from one interface to another so the bridge traffic traverses the forward train input is traffic destined for the local device output is traffic leaving the local device and post routing is all traffic that leaves the device or including the the forward so all traffic
crossing the bridge will go pre routing forward post routing so we can manipulate the output chain as much as we want and not affect any of the traffic that's going on with the client
so MAC addresses are actually pretty easy to move but since we're operating at layer 2 that can cause some unusual problems and since we need to interact at layer 3 in order to be able to remotely communicate with the device there's a better solution out there and it's called EB tables EB tables basically
allows you to specify a series of rules that operate on the bridge itself and the easiest the best thing it does is allows you to NAT with mac addresses so
yeah we want to be able to interact with the device makes sense we can use source
snap with iptables to create to turn at all of our traffic to make it look like the device that we're in front of now
with source netting there is a quick caveat namely that Mike are in the most modern tcp/ip stacks connections are tracked internally by source IP the tuple source IP source port destination IP destination port since we're stealing a client's connection if we interact with the same device that our client that we're stealing is interacting with we're automatically matching potentially three out of four of the connections so if we're going after the local domain controller on port 135 we're matching the source IP the destination IP and the destination port so the source port is the only source of randomness that we have left to play with so what would happen if we actually jumped all over a connection not want to see the connection to probably reset and things would move on to normal but it would be weird to stomp all over an active clients connection and it's not terribly selfie and in a real in a in the theoretical world we have basically a 1 in 64,000 chance of stomping on a connection that way
however Microsoft in their infallible wisdom thought that 64,000 ports was just too big of a number so on two thousand and two thousand three and XP TCP and UDP source ports will pretty much always be in the range of 10 25 25 thousand that is less than 64,000 you actually have on an active machine a really good chance of stomping all over that plus if your traffic when you net out use a sport six thousand that's weird because all XP in 2003 traffic will be from 10 25 25 thousand and then vista-7 2008 uses 49 152 to 65535 so
what we can do is we can use we can specify ports that we use with our source netting so that we will restrict our traffic to be in a particular range now in this particular example I'm using restricting it to a thousand ports and assuming we're going after a Vista 7 2008 client it's in the high end so the average unless you're on a machine that has seen a lot of activity it will you'll occasionally run into a chance of stomping all over it but hopefully you won't we can use destination that to
create a virtual service that only we can connect to so by SS a Qing to say port nine eight seven six we can have the iptables pick off that connection and redirect it to localhost 22 and we can ssh into the device that we're using so we can use this as a call to the machine see ssh to the client and the client computer will never see it will get picked off by the bridge and we can
further restrict that by putting a source IP address on the on the statement there so that only traffic coming from from one particular IP or a series of networks or whatever you want so if anyone else tries to go to that poor it'll just go right to the computer and won't see anything we can also set
up a reverse shell where we have the bridge call us and in all honesty this is probably the safest way to go because if you're in a network that has a tattoo and X you're probably going to a lot allow random traffic from the outside world directly to your workstations so it would be best to call out but I've implemented everything both ways to just demonstrate the technique and I just plenty of ways to phone home SSH openvpn you know netcat whatever it's all good
so we need a layer 3 IP address in order to do any of the translations with the bridge I chose something in the 169 254 reserved I ain arranged because this is the range that you will self assign if you don't have access to a dhcp server so in other words it's something you should never see flying across the wire you're not going to be screwing with their IP space you're not going to you shouldn't have any problems interacting on the wire
yeah before we get too far too far gone I want to mention that I haven't found a good way using this device to actually interact directly with the client behind the bridge you run into little problems like since I'm stealing his network connection and I'm behaving like his IP address what source IP address do i use for any communication with him I mean I could set up a remote one and then just filter out all the traffic but you need to make sure it's something that you know he wouldn't want to visit on a normal basis it's it's really kind of a pain in the ass so I haven't found a good solution to it so the current
scenario we've got a since our group does full scope pen testing we've got folks walking around inside their building you know pretending to be employees doing all sorts of fun stuff so they've managed to give us a printer config so we're going to take the information on the printer config because if you've looked at any network printer configs they've got mac addresses IP addresses network information all that stuff and pre-populate one of our little devices so that we can imitate the printer and then interact with that device so once
again set up some shell variables switch set the MAC addresses set up the IP addresses the network range the the interfaces that the bridge is using
bring up the bridge start RP table our IP tables and arp tables in drop mode so that no traffic will leave the device while we're configuring it one of the
interesting side effects of creating a bridge in Linux is what mac address gets assigned to the bridge it's actually either the highest or the lowest mac address i can't remember which one it is but invariably it's going to be the one you don't think it is so I have a line in here using Mac changer to force the bridge IP to always be the switch side interface that way moving forward we always know what to use when our rules so we bring up the bridge interface we add the local network via the bridge we set up the default gateway and we use the post
routing EB tables rule with NAT to NAT the mac address of the bridge to the sort to the mac address of the computer so now all Ethernet traffic all ethernet frames look like they came from the computer behind us there's the iptables
rule to set up the destination nap
there's the source netting rules that for TCP UDP and ICMP start up an ssh server which is listening i believe on the bridge itself and then we drop the arp tables and the iptables rules and now we can interact with what's going on
the wire so now I think I've got everything set up so what I've got going on here is I have a plug that's in line with a fiber converter because you know people seem to think that fiber is the end-all be-all solution to all of your network woes you can't man in the middle of the stuff right so I've got the fiber going to the switch the the fiber adapter going into the plug plug going into the computer so assuming everything's working right let me see what the switch has to say about that and of course it's not gotta love it give me one sec I took typically this particular problem I have to reboot the firewall that's a lot when demonstrations go smoothly so anyway while I hopefully try to debug this anybody have any questions so far anybody still awake yes yes hello yeah I guess I should repeat the question um I'm just I'm just too quiet I'll eat the mic you'd mention that you have a hard time hiding or interacting with the host that you're hiding in front of right one of the things that popped in my head and it might not actually be a feasible idea but one of the things I do is load balancing and you got a load balancer hiding in front of a bunch of servers right acting transparently have you have you thought about any of those kind of methods lbs or pound and well the problem you have is let's say you want to do a port scan on the device what source IP do you use what source IP do you originate your nmap scan from of the client behind you okay do you pretend to be the domain controller do you pretend to be you know WWE China com that's the problem that I haven't really found a good solution for all right that makes sense now granted you know the the traffic is only going to go from you know here to here on just across a single wire but if they have some sort of an IPS or a hips install you would probably want to try to mimic something on the local wire but like I just haven't really found a good solution for that and I can see all the traffic going just fine but just establishing a two-way communication I just I you know I'm open to suggestions alrighty let's see if this works got time for a comment no yeah go ahead there's sort of two approaches there you can actually use any IP yeah I mean that's right you can use any IP then it
gets then it gets a little bit more complicated with you know your I be your IP tables need be table stuff but right you could also just pick a night you know any IP that's on the local subnet there yeah it's it's those are the two options you're sort of limited to is right well and the my big concern is I don't want to do something on the local wire that would potentially adversely affect anything going on so I mean you'd have to limit the you'd have to limit it to a particular series of ports and things like that plus I wouldn't want to run afoul of any sort of like host intrusion prevention system something like that you know because if they only allow you to talk to local networks or something like that on the client or the client firewall or something like that you could run into some problems it's like I said I haven't found a good solution there's a bunch of okay solution sir uh using the Gateway to come back like I'm barely hear you sorry ma'am what about using the gateway of the clock of the network that de clients on the gateway rarely talks directly to the client well what the problem is if you communicate with the gateway the traffic is just going to come right back to you because you're in line but use its IP address I'm osoyoos the gateways ipos I gotcha that's possible that might work you'd still have to do some restrictions on the nat things like that but that's a possibility i'll look at doing that Oh as I'm sorry this demo is just not going as as planned yeah that's also a possibility that's something worth looking at it yeah I mean you're depending on the client actually using ipv6 ought to be able to respond to it but most Windows clients actually by default unless you go in and change it won't won't do anything but yeah all right it's going to be one of those days to demo gods hate me try one more time and I'm just going to move on sorry guys unfortunately watching traffic go across the wire and a complicated setups kind of not really much to look at anyway yeah yeah I typically drop both yeah the connection will still stay hot yep and then the client when it comes back up will probably send a real indication the switch goes yeah okay you're still good but thanks for telling me yeah I touched on that a little bit later on but typically I mean since all the packets are going through it can add up to a few Oh tens or possibly hundreds of milliseconds depending on how much traffic is going through but for the average network you're not really going to notice that I mean that doesn't really affect you know somebody's surfing ebay or checking their email or something like that most people are sadly conditioned to expect delays when doing simple tasks like that so they assume it's the internet not their local link and that's even if they notice that it took a few extra milliseconds Oh best laid plans and get up and juggle but you know i probably wouldnt want to see that all right so i can talk through
the rest of this and maybe i can get this stupid config to come up by the time we're done soap repopulating the bridge is cool but it's nowhere near as interesting is just being able to walk in drop a device onto the network and walk away so the basic process would be you start transparent you gather up all the info you want off the wire take a look at it analyzed find the useful bits and then you configure the bridge and bring it up so the printer config we had
before provided the IP address the mac address network mask and the gateway IP but what if we can't easily get that information what we really need is the
IP address of the computer the mac address of the computer behind us and really all we need is mac address of the gateway because the gateway knows how to get to everything and so if we set the gateway to be the destination for all of our Ethernet frames it will figure out where to send it so we don't even need it to talk to the local we don't need anything other than the mac address of the Gateway to communicate with anything on the local segment so assuming we have
the Gateway Mac how would we bolt that into our configuration to make it work well we can create a static entry for a bogus IP address and then route to that bogus IP address and basically set that as the default route and the layer 3 stuff is happy layer 2 stuff is happy and away we go that does actually cause
a bit of an issue when interacting with the local network segment because remember the local network segments usually the only thing the computers know how to talk to on the network segment they communicate directly with the other machines on the local segment so the way we're transmitting our traffic would be fire to the Gateway the Gateway would come back to the local segment which can cause some interesting things I've seen our traffic appear to the client that we are attacking to actually be sourced from the Gateway so the Gateway almost Ngata dit huh yeah but the traffic goes out that way but it comes directly to us which is an interesting little side effect of what we're doing we can fix it but I'm of the opinion that if we're on an assessment and somebody figures out to something weirds going on based on local mac addresses on a local segment I think they got to together I think that's a safe assessment so anyway for a
typical Network what sorts of assumptions do we make since eight or 21 X is a big hairy complicated Beast it's probably safe to say that your average mom-and-pop five computer shop is not going to be implementing it so it's going to be fairly robust infrastructure there's going to be a server subnet or network there's going to be a workstation subnet there's probably some sort of a firewall or a router in between routing packets network services such as Active Directory DNS web etc in all likelihood are not going to be in the workstation segment so we can use that later on so if we watch the past
packets crossing the bridge what sorts of traffic would we expect see obviously you know anything UDP rtcp but what would be most useful for gathering the information we need once again we need the computers mac address computer's IP address and the gateways mac address well UDP DNS there might be
some worthwhile information there the problem there is sometimes depending on the firewall configuration the local firewall burb could actually act as the local segments dns server so while that would be interesting and it could work I would rather look someplace else to try to make it just be on the safe side ldap sand other possibility if you're in an Active Directory environment dhcp is not really useful a netbios isn't terribly useful so UDP aside from grabbing the
DNS for use later on I don't really sink that UDP is the way to go are actually
is a pretty good candidate because it's got all the information we need it'll have the IP address it'll have the mac addresses and the only problem with that is you have to the way the questions are structured it asks a question and it says who has this IP address tell this other guy and then ARP will respond to that other guy I'm here well you can get the mac address from the reply but in order to figure out who asked the question you have to go back and look at the question itself so it's kind of a two-step process it can be done and on a local network segment it's probably a
fairly safe guess that we captured 50 or 100 art packets that the gateway is going to be the most armed for item on the local network because that's where assuming you're on a client VLAN that's where most of the traffic is going to go now you could run into problems if there's services being offered up on the local machines or there are file shares among the workstations or things like that which is why I can't really give ARP the official seal of approval but it does work fairly well so it works I've implemented
it um it might be that it seems to be the fastest way especially given the fact that local networks will ARP out fairly frequently every 15 45 seconds for modern windows OS is so you can typically get it up and going fairly quickly in a matter of a couple minutes of just sitting and watching but I think
TCP is actually the way to go because you can get everything in one packet so if you send a sin request in your in an Active Directory environment you send a sin request out for kerberos or web or whatever it's going to have the source destination the source MAC of the the computer they'll have the destination MAC of the Gateway because it's going outside the network and it will have the IP address of the client behind it so you can actually pick off everything you want just by grabbing one packet and
just coincidentally a cold boot of a windows box on an Active Directory network sent out six hundred or more TCP packets to the domain controller immediately after booting up so there's a lot of traffic if you can reforge rebooted plus every 15 minutes or so when the Kerberos tickets expire there will be another burst of traffic so as long as you're patient and willing to leave the device up for a while and you're on an Active Directory environment you'll get all the traffic you need to be able to self configure
but like I said it takes a little while
so I've done it both ways ARP is generally faster but potentially unreliable TCP is going to be more reliable but takes a little while to
implement it with arp you just capture a bunch of ARP traffic do some do a little
gymnastics where the UNIX command line to capture file you read from the capture file you grep for the questions you grip out the information you sort it you count it you sort it reverse so you get the top number of the the top item that was armed for on the local wire and then you can using that information go back into the file and figure out who asks the question so you can get the last piece of information you need so TCP is
actually really a lot easier you just wait for the one packet you want and grab all the information you need use kerberos because an Active Directory environment typically Kerberos tickets will be going out periodically you're guaranteed that the Kerberos ticket is going to go to a domain controller it's not going to go off into never-never land and in all likelihood the domain controller is not going to be on the local segment with the workstations so wait for one packet parse through it and away we go so the grabbing that
information is actually pretty straightforward you know you read you capture the packet you dump it to a file you read it from the file you walk out the information you want and you get the source smack the destination MAC the computer IP so the fully automated
script set up the various interfaces I went ahead and automatically grabbed the mac address of the switch side of the interface computer interface bridge and face all the stuffs the same bring up the bridge switch to mac address reset the link so at this point we're up transparent so now we wait with the TCP dump line until we see a Kerberos packet fly across the wire
we then basically hawk out the information we want set it to the variables set up the arc tables and iptables to drop all of our traffic configure up the bridge interface set up
our NAT rules start up SSH if we're listening start up on our tables are set ARP tables and iptables to drop the rules and once again we're still not
unfortunately going real well with the demo I'll see if I can get it working here in a few minutes but I'll just kind of press on through since things aren't going well in the demo side so is there
any good way of detecting whether or not this is going on in the local wire the answer is probably not yeah user
awareness the same guys that bring in laptops from home bring in picture frames pre infected with malware to plug into their computers you know the ones that leave the badges piggyback do all those things that users aren't supposed to do in your network they're probably the best people to figure out what's wrong in their cube unfortunately you could probably put a sticker on something like this with network cables running in and out of it says network signal booster and defeat the first line of security but in all honesty this is a physical attack so physically looking at the wires physical inspection is the best way to see whether or not something unusual is plugged into your network now if you have a hundred thousand square foot building with thousands of network drops obviously the users are the best way of of doing that so you have to be able to empower your users to be able to look what's under there and ask questions they see something that they think they shouldn't unfortunately most places aren't like that most admins don't want their users anywhere near anything that they could screw up so in all likelihood user awareness is probably not the best way to go perfect world yes so traffic
analysis now the packets that we sent out are being sourced from a Linux box so the TTL will be by default 64 whereas windows boxes are usually 128 now we can change this but once again if you figure out something with hankies going on your network by noticing that traffic leaving the local subnet has different TTL values I am more than willing to give you the thumbs up it's possible but most of the environments I've been to it's highly unlikely that this will get caught and that default TCP window size difference between Windows and Linux and there's some tuna Buhl's I've played with it but it didn't really seem to do much so once again if you're if you've got your stuff button down to that level hey Congrats so like I talked about the
seem to be a lot of traffic destined for the local network coming from the local segment as a side effect of our using the mac address of the gateway to do all of our routing we could probably fix that just by watching our / quests on the wire and creating static arp entries for every item that we see so we can communicate with local devices without going through the Gateway and probably wouldn't be too hard to repurpose something like ARP watch to do that automatically for us but you know if you're capable of seeing that something weird like that is going off on the network then a more power to you latency
um yeah it can add up to a couple orders of magnitude on packet latency seems like on local tests I've done on hundred Meg it maybe adds 40 50 milliseconds if the link saturated it might go higher than that but you the average user isn't going to catch that same thing with
throughput I mean I've i managed to SCP a three and a half gig file through one of these plugs on a hundred Meg link and it went through it about 70 makes so that's actually pretty good um you know it's it's not horribly slow now some of the embedded devices out there you know if it's running a really slow processor you could probably run into some problems but these plugs for example or twelve hundred megahertz so you probably got enough horsepower I haven't been brave enough and I don't have a USB gig adapter but I haven't been brave enough to try gig to see what kind of throughput you actually have to push through it to break it but large files over 100 Meg don't seem to be a problem a speed duplex mismatch so if you're
running gig and all of a sudden you know port drops 200 Meg or something like that well I could be a sign something weirds going on but in all honesty I think for any large environment the chance chances of every single device on the network being all the same it's probably pretty low with life cycle replacement and things like that plus you'd have to be really awake to be able to catch the fact that port 3 on switch 5 building three floor to switched from gig 200 that would be a you that seems like just a noise level alert that unless you were looking specifically for something weird like that you probably wouldn't catch I could be wrong but so once again the likely result is probably not going to be able to see to backed it that way excessive up-down
notices touched on this a little bit earlier on all honesty the the authentication server is probably going to see a fairly steady stream of requests coming in and out link statuses go up and down a fair amount pretty easy to kick a cable it's pretty easy to unplug reboot a machine even a you know switch reboot stuff like that all that would cause a link to reset and even a flaky cable II you know so I don't really see that that would be a reliable way but it's something that if you had a sim you could probably try to picture come up with an event for and maybe no see what you considered be excessive up-down notice is on a particular link if that's what you want to try so sadly
the best technological solution is to really understand the characteristics of what your network traffic looks like and then focus on trying to look for anomalies so yeah we don't have any linux boxes on the wire so why are we seeing TTL 264 leaving our network well yeah good luck with that the other possibility would be linked speedy changes or excessive up-down notices you might be able to come up with some sort of a sim event for that but in all honesty I don't really see that that's a realistic way to detect this the best method is probably user awareness like everything else educate your users on what should be under their desk let them know what a network cable looks like let them know what a fiber transceiver looks like if you use fiber and you know let them understand and be a part of your security you know incorporated into your annual security refreshers or your monthly refreshers as as necessary and encourage them to ask questions and uh you know the problem is if you find one of these devices on your network you should probably be pissed off but you should really be pissed off about how it got there and not the fact that it is there you know because someone walked into your office walked past the guards walked past the secretary walked past the users walked into somebody's cube monkeyed around underneath somebody's desk and put one of these in and nobody raised a flag so
so what sorts of fun things can we do with this you could poison web traffic obviously in a perfect position to man in the middle ettercap has done some initial work on that I haven't had a lot of time to do any extensive testing on that but I think that's a potential for a lot of fun to be able to do any sort of client-side attack on any website by proxying through the device itself and obviously capture credentials you can scan the network you know imagine sending a phishing email where the email just appears in the inbox without actually hitting their server because you just injected it into the imap stream that would be something kind of fun to play with I haven't had a chance to implement any of that stuff or even look at implementing it but I thought the email thing would be kind of a fun thing to do you could pivot through it
you know if you set up an openvpn call out you have a full connection you can route traffic through your already set up than that you can do whatever you want with it and plus you're blaming the guy behind you so any time a network defender would see something weird they you know RDP into that box get what the hell's going on here and you got the perfect alibi you could also have callbacks that are directed inwards so you set up a listener on the on the plug computer itself and have all your local callbacks call back to it and have it call back to the outside world or you can just interact with it on the plug or if you're using one of the one of these you have a full backtrack distribution available to you so you can do anything you can do with backtrack on the thing remotely and these are also useful for a trusted insider type of assessment you could just configure up the plug ship it out tell them to plug it in somewhere and you know you'll get back to them in a couple weeks after you've finished your assessment it's a shame on travel costs and it's it to me it can be a huge savings rather than sending a team of two or three people out all over the world you can just you know dropship a plug to them and surf from the comfort of your home office or wherever you have the plug calling back to so yeah what
are the common stories I've heard fiber I said people seem to think that fiber is the ultimate solution to all your network problems that you can't man in the middle with it you can't do anything with it and yeah you can hook up fiber Ethernet you can run another fiber connector transceiver on this you can even hook to fiber connect transceivers up with fiber cable and it still works IP still works ethernet frames are the same it's just a transport medium that's it nothing special so yeah I mean if you have a obviously if you have fiber on your network you know you run into some logistical problems with having the right cable connectors and using the right kind of fiber and stuff like that but if your organization is reasonably well funded that's not really an issue just pick up some gig you pick up some hundred Meg you pick up you know couple dozen cables with all the various ends you could find on it and you should be good to go yeah it looks more stuff under a desk but it's still it's not a major barrier yeah a lot of people who
I've talked with who have fully implemented a knack solution with agents that do policy routing decisions seem to think that 80 to 1 X is the end-all be-all network security solution amen and that is really not the case 80 2 and X just authorizes the port to go alive and route traffic doesn't do any sort of per packet authorization it doesn't do any sort of per packet anything really it just says this traffic can can go through the switch and go wherever it needs to go and the agent doesn't really change any of that all it does is it will check to make sure that the computer behind it has the information it needs to make a decision so if the patch levels up to snuff or you login or you remember a domain or whatever the criteria are it'll still hook you up to the network just the same and the bridge will pass the traffic just the same so
how do we defend against something like this well this is a physical attack I can't do anything to your 80 to 1 X network if i'm outside the building it's just the way it is yeah i have to have physical access to a computer that's authorized to implant the device on it so if i can't get in the front door guess what I can't do anything which is sadly the way it is for most attacks and it requires an authorized port so if you're in an environment where you have laptops and you lock up your laptop's at night and there's a clean desk with no network equipment no nothing well not a lot to work with there so you would notice some weird device plugged into your network waiting for you to plug your computer and in the morning if sec
could be used to mitigate some of the man in the middle issues Microsoft snap solution basically establishes on top of a 2 to 1 X if sect tunnels point-to-point between all of the clients and servers so you wouldn't be able to man in the middle easily any of that in all likelihood you wouldn't be able to man in the Linea that at all but you still have to connect to the internet and unless you route all your traffic through a proxy over an ipsec tunnel you're still going to have web traffic and stuff like that that goes out in the clear so there really isn't I mean aside from locking your doors and making sure people know what's going on it really isn't a good defense for this so 80 to 1 X is a standard that just gives a yes or no question or yes or no answer to can this device attached to the network and is it allowed to communicate on the local wire it doesn't do per packet authorization it doesn't do any sort of validation that the traffic is legit all it does is say yes this guy can plug into the network it makes support go hot so one of the things that I wanted to make sure people took away with was 80 to 1 X it does exactly what it's supposed to do it's when you start getting all the vendors speak on top that starts clouding what its purpose is and what it does so
anyway anybody have any questions or the you know dozen or so people that are left what's up man you wanna yeah we got nothing but I'm almost scared everyone off sup ma'am hi hello just a little command in your scripts I noticed that you didn't turn off stp so your client your interceptor machine your minute middle could be leaking stp advertisements um by default yeah I default I'm finally if i recall i agree it is enabled by default when you are not the bridge in older versions the bridge module it was enabled by default now it is not in a way not right yeah but it might be useful to to put a line in it that's something that I'll look at doing slightly is a stealth here yeah okay I was talking to the the Pony Express guys and the vendor booths okay and I got I think the reason smear technology to me your stuff here 22 in their boxes and you mentioned that there's not an easy way to stop this and while it's not easy there is a way it's pretty new you'll be listed in their 80 two dot one ayeee max sec yup will prevent this it's a nightmare to set up and well and switches / 80 to 1 a ii i believe i haven't done a lot of research on it but there's only like two cisco switches out there that support it 29 SDS and the 3750 exes well yeah I can only imagine the nightmare it would be to set up um you'd have to if I understand it correctly you would have to upgrade your entire infrastructure to be able to support it well you need a on the switch side you have to have switch support for it but then you just need a supplicant then supports 802 that 1a it's actually kind of a i don't want to say subset but it's sort of a subset of 802 dot1x mmm like they they go through 1x negotiation and then AE kind of kicks in and they negotiate security parameters yeah it's a for those of you guys that don't know that's its its encryption between the endpoint and the switch port ok its encryption between the the endpoint the supplicant if you will right and the switch port itself so it prevents a lot of these sort of man in the middle attacks that we've shouldn't say prevents makes them a lot harder right and still there's still ways around it but it it's very very hard you can't stick an unauthenticated device on the network you know and well that's probably where things are going to be moving is on a more per packet authorized basis but given the fact that you know how many successful deployments of ADA to buy a ye are there in the world today I would bet probably you could count them on one hand and most of them are on a cisco campus somewhere greed agree i'm saying if you want an answer though oh yeah I sec well snow and that's that's probably the way to move forward with this but in its I would be interested to see I'm sure like anything else it's a patch to to the existing problem would be very curious to see an actual implementation and see how well it would take care of an attack like this sure cool thanks a problem let me again another remark perhaps there is a solution to this but is as Extreme as any other one city could you speak up a little bit yeah perhaps there is a a solution to this but it's also very extreme if we dropped a 2011 point X at all and everyone connected to the network over or open VPN or something like this and do an entirely different layer to handle at this because but it is just as as you said about a pipe sec yeah I mean it's the same sort of thing you would either have to make sure all of your traffic went over that like I said the nap solution from Microsoft that's one of their big there the big points that they tell it is it's the only solution in general really realistic solution that he exactly cuff thank you hmm quick qualit? to my previous question earlier um I brought up the TTL thing and really I was wondering was once you move from fully transparent link to you assigning IP the bridge you've moved in the layer three territory crack well what happens is the bridge the traffic that is coming from the client will always traverse the bridge interface it will always be will always be considered transparent okay um so the only time that you see traffic that would have a different TTL would be as if it's traffic that you inject it onto the network yourself so that's interesting I know so I've done some similar things in freebsd and it's a little bit differently um because if you do as soon as you assign an IP to the bridge it actually will start you'll see a TTL difference but one thing that I do like about freebsd that the might help out in certain things is i'm not sure if something's available for linux it does this but like with PF and dummy net you can simulate and spoof latency and TTLs and so you could actually you could watch for the tts of the client sitting behind and then spoof all of those details well and there's a fairly easy Linux kernel tunable in the Praxis net ipv4 IP default TTL I think is that you could just do that you do the same sort of thing so that you could match up the TTL s just see what T tails are on the client but for the assessments that we do I'm not trying to be perfect because if they can catch I mean the only time I've seen environments where people are looking for that is where they're looking for like rogue access points plugged into yeah well and it's it's the same sort of thing I mean if you're in an environment where you're actively hunting for rogue devices and you know we were able to implant a rogue device and you caught it okay that's good for you the next step for us would be to you know match up the TTL s and see if we could find it now so it'd be kind of a multi-stage kind of thing but most of the places I've been to even if they were hunting for you know rogue ap's they wouldn't necessarily be looking forward on the wire they're hunting it down over the air so they spend a lot of time and effort triangulating and trying to figure out wireless signals and things like that and not necessarily you know watching all the traffic flying across the wire but it's a good point ok and then one last thing in your previous question about talking about interacting with the client behind the point have you considered using any scripting to because you're sitting right there so you can obviously analyze all the traffic between the client in the network so using T speed up to like maybe gather some metrics on what I peas other like neighboring host on the network that that guy is allowed to talk to and then spoof those yeah I mean there's there's ways of spending you know some time to do yeah like you said you you see the track conversations for an hour and you see who he's talked to the most who he's talked to the least and you probably would want to try to pick the guy they talked to the least so you don't stomp on anything but you know it's for what we're doing for interacting with the network and whatnot I figured that not being able to talk to the guy to my right is ok if I can talk to everybody else yeah with and make it look like he did yeah so that was kind of the approach I took because you know it's just if you're on a workstation network in all likelihood you know most of the workstation is going to be configured fairly similarly so you can get a similar effect communicating and mapping them out then you know the guy behind you alright good i think yeah i mean it's it's worth looking at all right thanks huh what's up i have i have a question in regards of a typical configuration okay when you have a IP phone connected to the switch and then the workstation is connected to die perform our is this attack going to be possible if you implement the devices between the IP phone and the switch which would be the typical point where we can insert this device since there is a CDP and it is a pretty much the port becomes like a transport and the further complications in all honesty I don't know because I haven't tested it in a configuration like that my guess is in the purely transparent form it would probably work because it's just to the network it would look like a piece of wire but as as far as being able to interact with the the traffic obviously if it's might not be able to so I honestly couldn't tell you so if this breach is going to support the CDP probably that's what is gonna come down to uh yeah in all honesty I haven't tried you know setting up CDP setting a bridge up and seeing if the other guy saw it off the top of my head I don't I can't think of any reason why it wouldn't support it but I haven't tested it specifically thank you yeah that's what I was thinking I mean I haven't tested it so I can't say for certain but you know I was thinking it was just straight layer 2 so at auto just you know a lot of work anybody else anybody know any good jokes all right well thanks for surviving my my presentation I'm glad I survived wish I had a little better luck with the demos but unfortunately I didn't sacrifice enough so thanks for coming out i guess we'll head over to the question room which room yeah well be in the question Q&A room number four after i get all this crap torn down thanks
Feedback