{"id":833,"date":"2015-02-11T13:07:26","date_gmt":"2015-02-11T19:07:26","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?page_id=833"},"modified":"2016-04-09T09:38:59","modified_gmt":"2016-04-09T15:38:59","slug":"bypass-802-1x-port-security","status":"publish","type":"page","link":"https:\/\/www.jedge.com\/wordpress\/bypass-802-1x-port-security\/","title":{"rendered":"Bypass 802.1x Port Security"},"content":{"rendered":"


\nBypass 802.1x Port Security w\/ Openwrt<\/strong>
\nBackground<\/strong>
\nDuring an internal and wireless penetration I was unprepared for the port security in the environment. I had to travel internationally and the Statement of Work and Rules of Engagement did not detail the extent of the internal testing and what was to be tested. Penetration Testers know what it is like to conduct a \u201cPenetration Test\u201d when sales staff and client management setup the engagement. Needless to say I was upset at the delay only due to the time it would take to configure a device to bypass the port security when I only had a week onsite to conduct the testing. Luckily I had brought along my PCEngines Alix 62f<\/a> (used previously in my Custom Power Pwn<\/a>). I had brought it for the wireless testing as it was configured for wireless client attacks. Using the work done by Alva Lease \u2018Skip\u2019 Duckwall IV<\/a> and presented <\/a>at DEFCON 19<\/a> in 2011. I reconfigured the Alix to show the client how easy it is to bypass port security. Well I never want to encounter a similar situation again but I also don\u2019t want to carry yet another device with me when traveling. Having the device be as small as possible while service multiple purposes would be ideal. That is why I\u2019m using the GL-iNet with the Openwrt operating system for this project.<\/p>\n

You must complete Part 1<\/a> of these tutorials as it builds and installs a version of Openwrt that allows you to bypass port based security with the GL-iNet. To bypass port security we cannot have any services that will leak any packets. If this was not already done in Part 1 we will disable any running services and modify the network configuration file to not bring up any interfaces when the device boots.
\n

root@OpenWrt:\/# \/etc\/init.d\/firewall stop\nroot@OpenWrt:\/# \/etc\/init.d\/firewall disable\nroot@OpenWrt:\/# \/etc\/init.d\/dnsmasq stop\nroot@OpenWrt:\/# \/etc\/init.d\/dnsmasq disable\nroot@OpenWrt:\/# \/etc\/init.d\/telnet stop\nroot@OpenWrt:\/# \/etc\/init.d\/telnetd disable\nroot@OpenWrt:\/# \/etc\/init.d\/sysntpd stop\nroot@OpenWrt:\/# \/etc\/init.d\/snsntpd disable\nroot@OpenWrt:\/# vim \/etc\/config\/network\n<\/code><\/pre>
\nBelow are the current default settings for \/etc\/config\/network.  Yours may be different if you followed Part 1<\/a>.
\n
config interface 'loopback'\n        option ifname 'lo'\n        option proto 'static'\n        option ipaddr '127.0.0.1'\n        option netmask '255.0.0.0'\n\nconfig interface 'lan'\n        option ifname 'eth1'\n        option type 'bridge'\n        option proto 'static'\n        option ipaddr '192.168.1.1'\n        option netmask '255.255.255.0'\n\nconfig interface 'wan'\n        option ifname 'eth0'\n        option proto 'dhcp'  \n<\/code><\/pre>
\nModify it by commenting out the ‘lan’ and ‘wan’ sections or remove them all together.
\n
config interface 'loopback'\n        option ifname 'lo'\n        option proto 'static'\n        option ipaddr '127.0.0.1'\n        option netmask '255.0.0.0'\n\n#config interface 'lan'\n#        option ifname 'eth1'\n#        option type 'bridge'\n#        option proto 'static'\n#        option ipaddr '192.168.1.1'\n#        option netmask '255.255.255.0'\n\n#config interface 'wan'\n#        option ifname 'eth0'\n#        option proto 'dhcp'\n<\/code><\/pre>
\nAfter making the changes let us restart the network so the changes take effect.
\n
root@OpenWrt:\/# \/etc\/init.d\/network restart\n<\/code><\/pre>
\nOpenwrt Specific Setting<\/strong>
\nOpenWrt bridge firewalling is disabled by default for performance reasons.  Not all devices can handle filtering all network traffic.  It can be re-enabled by editing \/etc\/sysctl.conf.  You will find the following four lines at the bottom.  <\/p>\n
# disable bridge firewalling by default
\nnet.bridge.bridge-nf-call-arptables=0
\nnet.bridge.bridge-nf-call-ip6tables=0
\nnet.bridge.bridge-nf-call-iptables=0<\/kbd><\/p>\n
These control whether or not packets traversing the bridge are sent to iptables for processing.  You can go ahead and delete them from \/etc\/sysctl.conf.  By default they are enabled in the kernel.  <\/p>\n
Now we need the script to bypass the 802.1x port security.  The script you download for the GL-iNet is a modified version created by Alva Duckwall for his presentation called \u201cA Bridge Too Far\u201d<\/a> given at DEFCON 19<\/a> in 2011.  Read the entire presentation to understand how the script works and how it was put together.  I only modified Alva\u2019s script to work with this device.  All credit goes to Alva!
\n
root@OpenWrt:\/# cd \/etc\/init.d\nroot@OpenWrt:\/etc\/init.d#  wget http:\/\/www.jedge.com\/code\/bridge\nroot@OpenWrt:\/etc\/init.d#  chmod 755 bridge\nroot@OpenWrt:\/etc\/init.d#  \/etc\/init.d\/bridge enable\n<\/code><\/pre><\/p>\n
References<\/strong>
\nA Bridge Too Far Defeating Wired 802.1X with a Transparent Bridge Using Linux by Alva Lease \u2018Skip\u2019 Duckwall IV
\nPresentation Slides:   https:\/\/www.defcon.org\/images\/defcon-19\/dc-19-presentations\/Duckwall\/DEFCON-19-Duckwall-Bridge-Too-Far.pdf<\/a>
\nPresentation (Youtube):  http:\/\/youtu.be\/u3T3lUxKm18<\/a>
\nIssue discussing the use of ebtables and packets not being forwarded up the IP chain.  The reason we had to re-enable bridged firewalling in Openwrt.  http:\/\/stackoverflow.com\/questions\/17116126\/iptables-ebtables-bridge-utils-prerouting-forward-to-another-server-via-single<\/a>
\nAlso mentioned in getting SSLStrip to work in a hak5.org forum.  https:\/\/forums.hak5.org\/index.php?\/topic\/26780-guide-for-installing-sslstrip-on-openwrt\/<\/a> <\/p>\n","protected":false},"excerpt":{"rendered":"
Bypass 802.1x Port Security w\/ Openwrt Background During an internal and wireless penetration I was unprepared for the port security in the environment. I had to travel internationally and the Statement of Work and Rules of Engagement did not detail the extent of the internal testing and what was to be tested. Penetration Testers know […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-833","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/833","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=833"}],"version-history":[{"count":19,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/833\/revisions"}],"predecessor-version":[{"id":987,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/833\/revisions\/987"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}