Bypass 802.1x Port Security w/ Openwrt
During an internal and wireless penetration I was unprepared for the port security in the environment. I had to travel internationally and the Statement of Work and Rules of Engagement did not detail the extent of the internal testing and what was to be tested. Penetration Testers know what it is like to conduct a “Penetration Test” when sales staff and client management setup the engagement. Needless to say I was upset at the delay only due to the time it would take to configure a device to bypass the port security when I only had a week onsite to conduct the testing. Luckily I had brought along my PCEngines Alix 62f (used previously in my Custom Power Pwn). I had brought it for the wireless testing as it was configured for wireless client attacks. Using the work done by Alva Lease ‘Skip’ Duckwall IV and presented at DEFCON 19 in 2011. I reconfigured the Alix to show the client how easy it is to bypass port security. Well I never want to encounter a similar situation again but I also don’t want to carry yet another device with me when traveling. Having the device be as small as possible while service multiple purposes would be ideal. That is why I’m using the GL-iNet with the Openwrt operating system for this project.
You must complete Part 1 of these tutorials as it builds and installs a version of Openwrt that allows you to bypass port based security with the GL-iNet. To bypass port security we cannot have any services that will leak any packets. If this was not already done in Part 1 we will disable any running services and modify the network configuration file to not bring up any interfaces when the device boots.
root@OpenWrt:/# /etc/init.d/firewall stop root@OpenWrt:/# /etc/init.d/firewall disable root@OpenWrt:/# /etc/init.d/dnsmasq stop root@OpenWrt:/# /etc/init.d/dnsmasq disable root@OpenWrt:/# /etc/init.d/telnet stop root@OpenWrt:/# /etc/init.d/telnetd disable root@OpenWrt:/# /etc/init.d/sysntpd stop root@OpenWrt:/# /etc/init.d/snsntpd disable root@OpenWrt:/# vim /etc/config/network
Below are the current default settings for /etc/config/network. Yours may be different if you followed Part 1.
config interface 'loopback' option ifname 'lo' option proto 'static' option ipaddr '127.0.0.1' option netmask '255.0.0.0' config interface 'lan' option ifname 'eth1' option type 'bridge' option proto 'static' option ipaddr '192.168.1.1' option netmask '255.255.255.0' config interface 'wan' option ifname 'eth0' option proto 'dhcp'
Modify it by commenting out the ‘lan’ and ‘wan’ sections or remove them all together.
config interface 'loopback' option ifname 'lo' option proto 'static' option ipaddr '127.0.0.1' option netmask '255.0.0.0' #config interface 'lan' # option ifname 'eth1' # option type 'bridge' # option proto 'static' # option ipaddr '192.168.1.1' # option netmask '255.255.255.0' #config interface 'wan' # option ifname 'eth0' # option proto 'dhcp'
After making the changes let us restart the network so the changes take effect.
root@OpenWrt:/# /etc/init.d/network restart
Openwrt Specific Setting
OpenWrt bridge firewalling is disabled by default for performance reasons. Not all devices can handle filtering all network traffic. It can be re-enabled by editing /etc/sysctl.conf. You will find the following four lines at the bottom.
# disable bridge firewalling by default
These control whether or not packets traversing the bridge are sent to iptables for processing. You can go ahead and delete them from /etc/sysctl.conf. By default they are enabled in the kernel.
Now we need the script to bypass the 802.1x port security. The script you download for the GL-iNet is a modified version created by Alva Duckwall for his presentation called “A Bridge Too Far” given at DEFCON 19 in 2011. Read the entire presentation to understand how the script works and how it was put together. I only modified Alva’s script to work with this device. All credit goes to Alva!
root@OpenWrt:/# cd /etc/init.d root@OpenWrt:/etc/init.d# wget http://www.jedge.com/code/bridge root@OpenWrt:/etc/init.d# chmod 755 bridge root@OpenWrt:/etc/init.d# /etc/init.d/bridge enable
A Bridge Too Far Defeating Wired 802.1X with a Transparent Bridge Using Linux by Alva Lease ‘Skip’ Duckwall IV
Presentation Slides: https://www.defcon.org/images/defcon-19/dc-19-presentations/Duckwall/DEFCON-19-Duckwall-Bridge-Too-Far.pdf
Presentation (Youtube): http://youtu.be/u3T3lUxKm18
Issue discussing the use of ebtables and packets not being forwarded up the IP chain. The reason we had to re-enable bridged firewalling in Openwrt. http://stackoverflow.com/questions/17116126/iptables-ebtables-bridge-utils-prerouting-forward-to-another-server-via-single
Also mentioned in getting SSLStrip to work in a hak5.org forum. https://forums.hak5.org/index.php?/topic/26780-guide-for-installing-sslstrip-on-openwrt/