
Auth Analyzer and EAP Forced Reauthentication Attack

Gabriel Ryan edited this page Aug 3, 2018 · 4 revisions


Silentbridge can automatically detect the type of EAP method used by the target supplicant using either of the following flags:

  • --analyze-auth-active -- Uses EAP Forced Reauthentication Attack for faster results. Automatically captures usernames and password hashes for supplicants that use EAP-MD5. Intended for use with Device Configuration A.
  • --analyze-auth-passive -- Slower, purely passive analysis. Intended for use with Device Configuration B.

Device Configuration A - Active Auth Analyzer

To use the Active Auth Analyzer, begin by performing a classic 802.1x bypass as described in Classic 802.1x Bypass.

Then, use tcpdump to passively sniff the MAC address of the supplicant.

Finally, use the --analyze-auth-active flag to perform an EAP Forced Reauthentication Attack and analyze the resulting authentication process:

./silentbridge --client-mac 38:60:77:d0:ef:0b --upstream eno1 --analyze-auth-active

Silentbridge will send spoofed EAPOL-Start frames to the authenticator as if they came from the supplicant. This tricks the authenticator into forcing the supplicant to reauthenticate. As the supplicant reauthenticates, silentbridge analyzes the reauthentication attempt to determine the authentication type in use (shoutout to REFERENCE for the original analysis logic).

INSERT GIF HERE

If EAP-MD5 is in use, silentbridge will capture the MD5 hash and display it to the user.

INSERT GIF HERE

Device Configuration B - Passive Auth Analyzer

Begin by using the --splitterctl command to make sure that both splitters are in the "bypass" position:

./silentbridge --splitterctl --upstream-splitter bypass --phy-splitter bypass

Then, use the --analyze-auth-passive flag to analyze EAP traffic using the passive Ethernet tap:

./silentbridge --tap1 eno3 --tap2 eno4 --analyze-auth-passive
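Both analyzer modes come down to the same job: read EAPOL frames off the wire, identify the EAP method from the EAP type byte, and, when EAP-MD5 is in use, pair each MD5-Challenge request with its response by EAP identifier. The following is an added example written from the monitoring side, not silentbridge's own code (the page credits its analysis logic to a reference it leaves unfilled). It parses raw Ethernet frames, reports the methods seen, flags EAP-MD5 as a weak method, and counts EAPOL-Start frames per source MAC so a network monitor can notice the burst of reauthentications that the active mode produces. The MAC addresses, identity, challenge bytes and the flood threshold are constructed for the sample and are not from the page.

```python
"""Passive EAP method analysis over EAPOL frames (added example; not silentbridge code).
Sample frames are constructed inline so this runs offline."""
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method type numbers from the IANA EAP registry (RFC 3748, RFC 5216, RFC 5281, PEAP)
EAP_METHODS = {1: "Identity", 4: "EAP-MD5", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
WEAK_METHODS = {"EAP-MD5"}      # no server authentication; challenge/response visible on the wire
START_FLOOD_THRESHOLD = 3       # assumed tuning value: repeated EAPOL-Start from one MAC


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_eapol(frame):
    """Parse one Ethernet frame. Returns a dict of EAPOL/EAP fields, or None if not EAPOL."""
    if len(frame) < 18:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    info = {"src": mac_str(frame[6:12]), "dst": mac_str(frame[0:6]),
            "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0 or len(body) < 4:          # only EAP-Packet carries an EAP header
        return info
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
    info["eap_id"] = ident
    if code in (1, 2) and eap_len >= 5 and len(body) >= 5:   # Request/Response carry a Type
        mtype = body[4]
        payload = body[5:eap_len]
        info["method"] = EAP_METHODS.get(mtype, f"type-{mtype}")
        if mtype == 1:
            info["identity"] = payload.decode("ascii", "replace")
        elif mtype == 4 and payload:         # RFC 3748 5.4: Value-Size, Value, Name
            vsize = payload[0]
            info["md5_value"] = payload[1:1 + vsize].hex()
            info["md5_name"] = payload[1 + vsize:].decode("ascii", "replace")
    return info


def analyze_frames(frames):
    """Summarise methods in use, pair MD5 challenge/response by EAP id, count EAPOL-Starts."""
    methods, starts, pending, exchanges = set(), Counter(), {}, []
    for frame in frames:
        info = parse_eapol(frame)
        if info is None:
            continue
        if info["eapol_type"] == "EAPOL-Start":
            starts[info["src"]] += 1
            continue
        method = info.get("method")
        if method:
            methods.add(method)
        if method == "EAP-MD5":
            if info["eap_code"] == "Request":
                pending[info["eap_id"]] = info["md5_value"]
            elif info["eap_code"] == "Response" and info["eap_id"] in pending:
                exchanges.append({"eap_id": info["eap_id"],
                                  "challenge": pending.pop(info["eap_id"]),
                                  "response": info["md5_value"],
                                  "name": info["md5_name"]})
    return {
        "methods": methods,
        "weak_methods": sorted(methods & WEAK_METHODS),
        "eapol_start_counts": dict(starts),
        "start_flood_sources": sorted(m for m, n in starts.items() if n >= START_FLOOD_THRESHOLD),
        "md5_exchanges": exchanges,
    }


# --- constructed sample traffic (not a real capture) ---
SUPPLICANT = bytes.fromhex("020000000001")     # locally administered, constructed
AUTHENTICATOR = bytes.fromhex("020000000002")  # constructed
PAE_GROUP = bytes.fromhex("0180c2000003")      # 802.1X PAE group address


def build_eapol(src, dst, ptype, body=b""):
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 2, ptype, len(body)) + body


def build_eap(code, ident, mtype, data):
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([mtype]) + data


CHALLENGE = bytes(range(16))       # constructed challenge value
RESPONSE = bytes(range(16, 32))    # constructed response value
SAMPLE_FRAMES = [
    *[build_eapol(SUPPLICANT, PAE_GROUP, 1) for _ in range(3)],                  # repeated EAPOL-Start
    build_eapol(AUTHENTICATOR, SUPPLICANT, 0, build_eap(1, 1, 1, b"")),          # Identity request
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(2, 1, 1, b"alice")),     # Identity response
    build_eapol(AUTHENTICATOR, SUPPLICANT, 0, build_eap(1, 2, 4, bytes([16]) + CHALLENGE + b"radius")),
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(2, 2, 4, bytes([16]) + RESPONSE + b"alice")),
    build_eapol(AUTHENTICATOR, SUPPLICANT, 0, struct.pack("!BBH", 3, 2, 4)),    # EAP-Success
    b"\x00" * 14 + b"not eapol",                                                  # non-EAPOL, ignored
]

if __name__ == "__main__":
    for key, value in analyze_frames(SAMPLE_FRAMES).items():
        print(f"{key}: {value}")
```

Fed a live capture (for instance frames read from the passive tap), the same `analyze_frames` call gives a monitor two actionable signals: a weak method list that should be empty on a well-configured network, and a per-MAC EAPOL-Start count whose spike is the observable footprint of the forced reauthentication described above.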
