Bypass 802.1x Port Security


Bypass 802.1x Port Security w/ Openwrt
Background
During an internal and wireless penetration test I was unprepared for the port security in the environment. I had to travel internationally, and the Statement of Work and Rules of Engagement did not detail the extent of the internal testing or what was to be tested. Penetration testers know what it is like to conduct a “penetration test” when sales staff and client management set up the engagement. Needless to say, I was upset at the delay, due only to the time it would take to configure a device to bypass the port security when I had only a week onsite to conduct the testing. Luckily I had brought along my PCEngines Alix 62f (used previously in my Custom Power Pwn). I had brought it for the wireless testing as it was configured for wireless client attacks. Using the work done by Alva Lease ‘Skip’ Duckwall IV and presented at DEFCON 19 in 2011, I reconfigured the Alix to show the client how easy it is to bypass port security. I never want to encounter a similar situation again, but I also don’t want to carry yet another device with me when traveling. Having the device be as small as possible while serving multiple purposes would be ideal. That is why I’m using the GL-iNet with the OpenWrt operating system for this project.

You must complete Part 1 of these tutorials, as it builds and installs a version of OpenWrt that allows you to bypass port-based security with the GL-iNet. To bypass port security the device cannot run any services that will leak packets. If this was not already done in Part 1, we will disable any running services and modify the network configuration file so that no interfaces are brought up when the device boots.

root@OpenWrt:/# /etc/init.d/firewall stop
root@OpenWrt:/# /etc/init.d/firewall disable
root@OpenWrt:/# /etc/init.d/dnsmasq stop
root@OpenWrt:/# /etc/init.d/dnsmasq disable
root@OpenWrt:/# /etc/init.d/telnet stop
root@OpenWrt:/# /etc/init.d/telnet disable
root@OpenWrt:/# /etc/init.d/sysntpd stop
root@OpenWrt:/# /etc/init.d/sysntpd disable
root@OpenWrt:/# vim /etc/config/network

Below are the current default settings for /etc/config/network. Yours may be different if you followed Part 1.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

Modify it by commenting out the ‘lan’ and ‘wan’ sections or removing them altogether.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

#config interface 'lan'
#        option ifname 'eth1'
#        option type 'bridge'
#        option proto 'static'
#        option ipaddr '192.168.1.1'
#        option netmask '255.255.255.0'

#config interface 'wan'
#        option ifname 'eth0'
#        option proto 'dhcp'

After making the changes, restart the network so they take effect.
root@OpenWrt:/# /etc/init.d/network restart

OpenWrt-Specific Setting
OpenWrt disables bridge firewalling by default for performance reasons, since not all devices can handle filtering all network traffic. It can be re-enabled by editing /etc/sysctl.conf. You will find the following four lines at the bottom.

# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

These control whether packets traversing the bridge are passed to arptables, ip6tables and iptables for processing. Go ahead and delete them from /etc/sysctl.conf; the kernel enables them by default, so removing the lines re-enables bridge firewalling.

Now we need the script to bypass the 802.1x port security. The script you will download for the GL-iNet is a modified version of the one created by Alva Duckwall for his presentation “A Bridge Too Far”, given at DEFCON 19 in 2011. Read the entire presentation to understand how the script works and how it was put together. I only modified Alva’s script to work with this device. All credit goes to Alva!

root@OpenWrt:/# cd /etc/init.d
root@OpenWrt:/etc/init.d# wget http://www.jedge.com/code/bridge
root@OpenWrt:/etc/init.d# chmod 755 bridge
root@OpenWrt:/etc/init.d# /etc/init.d/bridge enable

References
A Bridge Too Far: Defeating Wired 802.1X with a Transparent Bridge Using Linux, by Alva Lease ‘Skip’ Duckwall IV
Presentation slides: https://www.defcon.org/images/defcon-19/dc-19-presentations/Duckwall/DEFCON-19-Duckwall-Bridge-Too-Far.pdf
Presentation (YouTube): http://youtu.be/u3T3lUxKm18
Stack Overflow question discussing the use of ebtables and packets not being forwarded up the IP chain; this is the reason we had to re-enable bridge firewalling in OpenWrt: http://stackoverflow.com/questions/17116126/iptables-ebtables-bridge-utils-prerouting-forward-to-another-server-via-single
Also mentioned in a hak5.org forum guide on getting SSLStrip to work on OpenWrt: https://forums.hak5.org/index.php?/topic/26780-guide-for-installing-sslstrip-on-openwrt/

2 thoughts to “Bypass 802.1x Port Security”

  1. ” The script you download for the GL-iNet is a modified version created by Alva Duckwall …”
    Where do you download the script?

  2. Minor typo in my tutorial. It should say “The script you will download” as the commands that follow actually download the script. I’ve corrected the wording.
