[HIP2017] Bypass 802.1x – FENRIR
One of the talks at Hack In Paris 2017 focused on the 802.1x standard and on a tool that turns known bypass techniques into something usable on an engagement. It was a particularly interesting talk, and we offer a more detailed summary here.
The project originally arose from two needs: proving to customers that 802.1x bypasses are not merely "proofs of concept" (PoC), and staying discreet during Red Team engagements.
This tool was presented by Valérian LEGRAND – Orange CyberDefense.
Operation and protocol
The 802.1x standard is a relatively recent network authentication technology, published by the IEEE in 2001, and is defined as "Port-Based Network Access Control" (often shortened to NAC). Its main function is to control access at the level of the physical port (switch port or Wi-Fi association) so that an unauthenticated device cannot join the corporate network.
This standard distinguishes 3 types of equipment:
- Supplicant: the device requesting to connect to the network
- Authenticator: the switch or the Wi-Fi access point
- Authentication Server: the server that verifies the connection credentials (RADIUS is the usual choice; the talk also mentions TACACS, CAS, etc.)
Authentication is carried out over EAPoL ("EAP over LAN"), which encapsulates the Extensible Authentication Protocol (EAP) directly in Ethernet frames between the supplicant and the authenticator.

Explanatory diagram 802.1x – EAPOL – source: wikimedia.com
The basic functioning of EAPoL is as follows:
- The Authenticator asks the Supplicant to state its identity.
- The Supplicant responds to the Authenticator, which relays the identity to the authentication server so that it can verify whether the Supplicant is authorized to join the network.
- If the Supplicant is not yet authenticated, the authentication server sends a challenge to the Supplicant via the Authenticator.
- The Supplicant answers the challenge and sends the response back to the Authentication Server via the Authenticator.
- The authentication server authorizes or denies the supplicant permission to connect.

802.1x protocol communication – source: wikimedia.com
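The five steps above, as an added worked example for this summary (this is not FENRIR code and not the speaker's material). It encodes real EAPoL and EAP frames (RFC 3748 header layout) and uses EAP-MD5, the simplest method that exhibits the identity / challenge / response / verdict sequence; the identity, password and challenge are constructed sample values, and the authenticator is modelled as a pure relay that opens the port only on EAP-Success.

```python
"""Worked EAPoL / EAP exchange between supplicant, authenticator and server.

Added illustration for this summary, not FENRIR code. Frame layouts follow
802.1X (EAPOL: version, type, length) and RFC 3748 (EAP: code, id, length,
type, data). EAP-MD5 is used as the method; the identity, password and
challenge below are constructed sample values.
"""
import hashlib
import os
import struct

EAPOL_VERSION = 2
EAPOL_EAP_PACKET = 0                      # EAPOL packet type carrying an EAP frame
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5 = 4


def eap_frame(code, identifier, eap_type=None, data=b""):
    """Build an EAP packet: code(1) id(1) length(2) [type(1) data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eapol_frame(packet_type, body=b""):
    """Wrap an EAP packet in an EAPOL header: version(1) type(1) length(2)."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(frame):
    """Return (eapol_type, eap dict or None); rejects truncated frames."""
    if len(frame) < 4:
        raise ValueError("short EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field does not match frame")
    if ptype != EAPOL_EAP_PACKET:
        return ptype, None
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    eap = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):    # Success/Failure carry no type
        eap["type"] = body[4]
        eap["data"] = body[5:eap_len]
    return ptype, eap


def md5_response(identifier, password, challenge):
    """EAP-MD5 (CHAP) response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def run_exchange(identity, password, server_db, challenge=None):
    """Simulate the flow; returns (transcript, port_authorized).

    The authenticator only relays EAP between supplicant and server: the
    server decides, and the port is opened only when it answers EAP-Success.
    """
    challenge = challenge or os.urandom(16)
    transcript = []
    # 1. Authenticator asks the supplicant for its identity.
    req = eapol_frame(EAPOL_EAP_PACKET, eap_frame(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    transcript.append(("authenticator->supplicant", req))
    # 2. Supplicant answers; the authenticator relays the identity to the server.
    _, eap = parse_eapol(req)
    resp = eapol_frame(EAPOL_EAP_PACKET,
                       eap_frame(EAP_RESPONSE, eap["id"], EAP_TYPE_IDENTITY, identity))
    transcript.append(("supplicant->authenticator->server", resp))
    claimed = parse_eapol(resp)[1]["data"]
    # 3. Server issues an MD5 challenge (value-size, value, name) via the authenticator.
    chal = eap_frame(EAP_REQUEST, 2, EAP_TYPE_MD5,
                     bytes([len(challenge)]) + challenge + b"auth-server")
    transcript.append(("server->authenticator->supplicant", eapol_frame(EAPOL_EAP_PACKET, chal)))
    # 4. Supplicant answers the challenge using its password.
    _, eap = parse_eapol(transcript[-1][1])
    size = eap["data"][0]
    answer = md5_response(eap["id"], password, eap["data"][1:1 + size])
    ans = eap_frame(EAP_RESPONSE, eap["id"], EAP_TYPE_MD5,
                    bytes([len(answer)]) + answer + identity)
    transcript.append(("supplicant->authenticator->server", eapol_frame(EAPOL_EAP_PACKET, ans)))
    # 5. Server recomputes the expected value from its own copy of the secret and decides.
    _, eap = parse_eapol(transcript[-1][1])
    expected = md5_response(eap["id"], server_db.get(claimed, b""), challenge)
    ok = claimed in server_db and eap["data"][1:17] == expected
    verdict = eap_frame(EAP_SUCCESS if ok else EAP_FAILURE, eap["id"])
    transcript.append(("server->authenticator->supplicant", eapol_frame(EAPOL_EAP_PACKET, verdict)))
    return transcript, ok


if __name__ == "__main__":
    db = {b"printer-01": b"s3cret"}           # constructed server-side credential store
    for direction, frame in run_exchange(b"printer-01", b"s3cret", db)[0]:
        print(f"{direction:38s} {frame.hex()}")
```

Note what the exchange does not do: nothing after EAP-Success is authenticated. The switch simply flips the port to its authorized state, which is exactly what the bypasses below exploit.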
Once the supplicant is authenticated, the access decision is enforced directly by the switch on the physical port; this is the crucial role of the authenticator.
The Authenticator has two states per physical port:
- Uncontrolled state (the port is unauthorized): only 802.1x (EAPoL) frames are accepted, and they are relayed to the authentication server.
- Controlled state (the port is authorized): the port behaves like a standard switch port and is completely transparent to the connected device.

The two states of an Authenticator – source: Presentation
Bypassing the protection
Note: older or "dumb" devices (printers, IP phones) often cannot run a supplicant at all and are therefore exempted from authentication on their port, so unplugging one and plugging in in its place is often a quick and effective bypass.
- The classic and easy way
When the switch does not check for the presence of two MAC addresses on the same port (on many switches this is the difference between a "single-host" and a "multi-host" port mode), it is generally easy to bypass authentication using a simple hub.
Indeed, since it is the whole switch port that is opened once a device authenticates, a legitimate device and an attacker sharing the same hub sit behind the same switch port, and the attacker inherits the open port.
- The FENRIR tool
A second technique relies on the FENRIR tool, which is based on intercepting and injecting network packets.
Prerequisites:
- 2 physical network interfaces
- Python
- Scapy
Operating principle
From a macro perspective, the tool captures packets from both the legitimate device and the attacker's machine in order to redirect each one to its proper recipient. It also rewrites various headers so that the attacker's own identity never appears on the wire.
In the diagram below, packets B & D originate from and are destined for the legitimate equipment, while packets A & C originate from and are destined for the attacker.

FENRIR operating diagram – source: Presentation
The attacker inserts their workstation between the legitimate device and the switch (one network interface towards each), and then gains access to the network through it. FENRIR lets the legitimate device's 802.1x exchange pass through untouched, so the device authenticates normally and the switch port is unlocked.
Then, in order to configure itself, FENRIR observes the communications between the legitimate device and the network in order to retrieve, among other things:
- The IP address of the legitimate equipment
- The MAC address of the legitimate equipment
- The addresses and ports of the different servers contacted
Finally, it impersonates the legitimate device, and the attacker is now in a full man-in-the-middle position.
During this phase it builds a lookup table of the packets it forwards, so that when replies come back it can tell which ones belong to the legitimate device and which ones were provoked by the attacker.
The headers of packets originating from the attacker's station are rewritten to carry the identity of the legitimate device. Each rewrite is recorded in this "address book" so that the corresponding return packets can be redirected to their rightful recipient.
Because the tool operates completely transparently, the attacker can continue their attack using their own tools.
It is therefore possible to receive inbound connections as well, which is useful for reverse shells, Responder, etc.
A rule creation system allows for the on-the-fly interception of packets destined for specific ports.
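The forwarding logic described in this section, as an added simplified model written for this summary; it is not FENRIR's code and does not claim to match its internals. It shows the three decisions FENRIR has to make for each packet: spoof the legitimate identity on attacker traffic and remember the flow, hand replies for remembered flows back to the attacker, and divert inbound packets that match a reverse rule, using the "multi" and "unique" keywords from the Responder demonstration further down. MACs, IPs and ports are constructed sample values; the choice to keep following a connection once a "unique" rule has captured its first packet is this model's assumption, made so the captured connection stays stable.

```python
"""Simplified model of FENRIR-style forwarding: address book + reverse rules.

Added illustration for this summary, not FENRIR's own code. Packets are
plain records (no real sockets); addresses and ports are constructed.
"""
from dataclasses import dataclass, replace

ATTACKER, LEGIT = "attacker", "legit"     # delivery target: attacker TAP or legit device


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int


class Bridge:
    def __init__(self, attacker_mac, attacker_ip):
        self.attacker_mac, self.attacker_ip = attacker_mac, attacker_ip
        self.legit_mac = self.legit_ip = None
        # address book: (proto, remote_ip, remote_port, local_port) -> flow owned by attacker
        self.book = set()
        # reverse rules: (proto, local_port) -> "multi" | "unique"
        self.reverse_rules = {}

    def autoconf(self, pkt):
        """Learning phase: take the legitimate device's MAC/IP from a frame it sent."""
        self.legit_mac, self.legit_ip = pkt.src_mac, pkt.src_ip

    def add_reverse_rule(self, port, mode, proto="tcp"):
        if mode not in ("multi", "unique"):
            raise ValueError("mode must be 'multi' or 'unique'")
        self.reverse_rules[(proto, port)] = mode

    def from_attacker(self, pkt):
        """Attacker -> network: borrow the legitimate identity and remember the flow."""
        self.book.add((pkt.proto, pkt.dst_ip, pkt.dport, pkt.sport))
        return replace(pkt, src_mac=self.legit_mac, src_ip=self.legit_ip)

    def from_legit(self, pkt):
        """Legitimate device -> network: forwarded untouched (its own identity)."""
        return pkt

    def _to_attacker(self, pkt):
        """Re-address a packet for the attacker's TAP; multicast/broadcast IPs are left as-is."""
        dst_ip = self.attacker_ip if pkt.dst_ip == self.legit_ip else pkt.dst_ip
        return replace(pkt, dst_mac=self.attacker_mac, dst_ip=dst_ip)

    def from_network(self, pkt):
        """Network -> us: decide whose packet this is and rewrite accordingly."""
        key = (pkt.proto, pkt.src_ip, pkt.sport, pkt.dport)
        if key in self.book:                       # reply to something the attacker sent
            return ATTACKER, self._to_attacker(pkt)
        rule = (pkt.proto, pkt.dport)
        mode = self.reverse_rules.get(rule)
        if mode is not None:                       # inbound packet the attacker asked for
            if mode == "unique":                   # one capture, then the rule disappears
                del self.reverse_rules[rule]
            self.book.add(key)                     # model assumption: keep following this flow
            return ATTACKER, self._to_attacker(pkt)
        return LEGIT, pkt                          # everything else belongs to the real device
```

One real-world caveat the model makes visible: the address book is keyed on the 4-tuple, so if the attacker and the legitimate device happen to pick the same source port towards the same server and port, the replies become ambiguous; the tool has to avoid or detect that collision.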
Explanation of the demonstration videos
This section aims to explain the different FENRIR commands entered during Valérian LEGRAND's demonstrations, and the underlying technical details.
Demonstration Video 1: Brief Overview
- create_virtual_tap: FENRIR creates a TAP interface. As a reminder, a TAP is a virtual layer-2 network interface, which is exactly what is needed here: it is the interface that carries the attacker's own connections.
The attacker's tools send and receive on this TAP, and FENRIR sits between it and the two physical interfaces (legitimate device side and internal network side) in order to redirect packets correctly.
- Autoconf: FENRIR's learning phase, detecting the IP and MAC address of the legitimate device.
- Show all: displays all interception rules.
- Run: starts FENRIR.
The reply to the "nc" command arrives at 1:50 in the video, with the text "Hello back".
Demonstration Video 2: Using nmap
In this video, FENRIR's debug mode shows that the tool rewrites every packet emitted by "nmap", so that the whole scan goes out through the 802.1x-protected port under the legitimate device's identity.
Demonstration Video 3: Using Responder
- create_virtual_tap
- add_reverse_rule 137 multi IP: in order to capture NBNS packets
- add_reverse_rule 5355 multi IP: in order to capture LLMNR packets
- add_reverse_rule 445 unique IP: in order to capture the incoming connection in Responder
Valérian points out that the rule management system is not optimal and is likely to change significantly. Currently, the following keywords are available:
- "multi" mode: the tool keeps listening on the port, which is particularly useful for man-in-the-middle tools.
- "unique" mode: the rule captures only one packet before being deleted. This is useful when receiving an incoming connection, to avoid polluting the reverse shell and to gain stability.
- Run
In a second terminal:
- Responder -I FENRIR: runs Responder, specifying FENRIR's TAP as the network interface.
