Bait n Switch Attack
Effective against: 802.1x-2010 (Device Configuration B only), 802.1x-2004, 802.1x-2001

Once you have obtained a set of RADIUS credentials using the Rogue Gateway Attack (see SECTION), you can use them to authenticate with the network. To avoid tripping port security, we recommend doing this with a Bait n Switch attack.
The Bait n Switch attack uses the following steps to give you access to the network without tripping port security:
- Disconnect the authorized client device from the network
- Set the MAC address of the upstream interface to the MAC address of the authorized client device
- Connect to the switch using the upstream interface
- Authenticate with the switch using the stolen credentials
- Give the upstream interface the static IP address of the client device
In essence, the Bait n Switch attack silently swaps the authorized device for the attacker's rogue device. Since the attack causes a temporary denial of service for the authorized device, it is best performed during off hours, when the authorized device is unlikely to be in use.

Begin by connecting your rogue device between the supplicant and authenticator as described in Device Placement.
Next, connect to your device using your side channel (see: Software Setup).
Then, follow the instruction set below that matches your device's configuration.
Begin by performing a classic 802.1x bypass as described in Classic 802.1x Bypass.
Then, use tcpdump to passively sniff the following data points:
- supplicant MAC address
- supplicant IP address
- subnet netmask
- gateway IP
Then, use the --bait-n-switch command to perform the Bait n Switch attack:

```
./silentbridge --bait-n-switch --upstream eno1 --gw-ip 192.168.1.1 --client-mac 38:60:77:d0:ef:0b --phy eno2 --netmask 255.255.255.0 --client-ip 192.168.1.93 --wired-conf wired.conf
```
You'll need to use the --wired-conf flag to provide silentbridge with a valid wpa_supplicant configuration file containing your stolen EAP credentials for the Bait n Switch to work. Example wpa_supplicant configuration files are provided in the 'sample-wpa-supplicant-configs' directory of the project repo.
Begin by using the --splitterctl command to make sure that both splitters are in the "bypass" position:

```
./silentbridge --splitterctl --upstream-splitter bypass --phy-splitter bypass
```
Next, use tcpdump to sniff traffic on the interfaces connected to the device's passive tap. Gather the following data points:
- supplicant MAC address
- supplicant IP address
- subnet netmask
- gateway IP
Then, use the --bait-n-switch command, with the --use-splitters flag, to perform the Bait n Switch attack:

```
./silentbridge --bait-n-switch --upstream eno1 --gw-ip 192.168.1.1 --client-mac 38:60:77:d0:ef:0b --phy eno2 --netmask 255.255.255.0 --client-ip 192.168.1.93 --wired-conf wired.conf --use-splitters
```

You'll need to use the --wired-conf flag to provide silentbridge with a valid wpa_supplicant configuration file containing your stolen EAP credentials for the Bait n Switch to work. Example wpa_supplicant configuration files are provided in the 'sample-wpa-supplicant-configs' directory of the project repo.
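From the defender's side, the step sequence described above (the authorized device loses link, then the same MAC re-authenticates with a different set of credentials) leaves a trace in RADIUS accounting. The following detection heuristic is an added example, not part of the silentbridge project: it parses constructed accounting lines in a simplified syslog-like format (a real NAS or RADIUS server will format these differently) and flags a MAC whose session ended with Lost-Carrier and which then started a new session under another identity within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample RADIUS accounting lines (simplified format, not real vendor output).
# Port Gi1/0/7 drops carrier and the same MAC comes back 36 seconds later as a different user.
SAMPLE_LOG = """\
2024-03-02T02:10:05 Acct-Status-Type=Stop User-Name=alice@corp.example Calling-Station-Id=38:60:77:d0:ef:0b NAS-Port-Id=Gi1/0/7 Acct-Terminate-Cause=Lost-Carrier
2024-03-02T02:10:41 Acct-Status-Type=Start User-Name=bob@corp.example Calling-Station-Id=38-60-77-D0-EF-0B NAS-Port-Id=Gi1/0/7
2024-03-02T09:00:00 Acct-Status-Type=Stop User-Name=carol@corp.example Calling-Station-Id=AA-BB-CC-11-22-33 NAS-Port-Id=Gi1/0/9 Acct-Terminate-Cause=User-Request
2024-03-02T09:00:30 Acct-Status-Type=Start User-Name=carol@corp.example Calling-Station-Id=AA-BB-CC-11-22-33 NAS-Port-Id=Gi1/0/9
"""

FIELD_RE = re.compile(r"(\S+?)=(\S+)")  # attribute=value pairs separated by whitespace


def parse_record(line):
    """Split one accounting line into a dict of attributes plus a parsed timestamp."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD_RE.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    # Normalize MAC notation so colon- and dash-separated forms compare equal.
    rec["mac"] = rec["Calling-Station-Id"].upper().replace(":", "-")
    return rec


def find_identity_swaps(log_text, window=timedelta(minutes=10)):
    """Return (mac, previous_user, new_user, port) tuples for every MAC whose session
    ended with Lost-Carrier and which re-authenticated as a different identity within
    `window`. A swap that reuses the original client's own credentials will not change
    User-Name and is NOT caught by this check; correlate with port-flap syslog as well."""
    last_lost_carrier = {}  # mac -> Stop record
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        status = rec["Acct-Status-Type"]
        if status == "Stop" and rec.get("Acct-Terminate-Cause") == "Lost-Carrier":
            last_lost_carrier[rec["mac"]] = rec
        elif status == "Start" and rec["mac"] in last_lost_carrier:
            prev = last_lost_carrier.pop(rec["mac"])
            if rec["User-Name"] != prev["User-Name"] and rec["ts"] - prev["ts"] <= window:
                alerts.append((rec["mac"], prev["User-Name"], rec["User-Name"], rec["NAS-Port-Id"]))
    return alerts


if __name__ == "__main__":
    for mac, old, new, port in find_identity_swaps(SAMPLE_LOG):
        print(f"possible identity swap on {port}: {mac} was {old}, now {new}")
```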