Hardware Setup
There are two ways to configure a device to use silentbridge:
- Device Configuration A - Basic Configuration
- Device Configuration B - Advanced Configuration With Mechanical Bypass and Passive Ethernet Tap
If you want to get up and running quickly and just plan on attacking 802.1x-2004 (which is what you'll see in most pentesting scenarios), go with Device Configuration A. However, if you need to bypass 802.1x-2010 or simply want a stealthier and more versatile silentbridge implementation, go with Device Configuration B. Note that you will need to be comfortable getting your hands dirty with electrics assembly and wiring in order to use Device Configuration B.
Effective against: 802.x-2004, 802.1x-2001
Silentbridge is a tool for bypassing wired port security. As such, it is meant to be run on a dedicated, purpose-built, leave-behind device that can be run continuously without being shut down. We recommend using an small microcomputer such as an Intel NUC.
There are many ways to configure a leave-behind device, but for Silentbridge to run correctly your implementation must have the following features:
- a reliable side channel interface such as an LTE modem
- the ability to call home to a C2 server (see: Software Setup)
We document each of these features in the sections that follow.
Additionally, the the leave-behind device must equipped with the following network interfaces:
- PHY — the interface that is used to connect the device with the supplicant
- upstream — the interface that Is used to connect the device with the authenticator
- sidechannel — The sidechannel interface is used to establish the egress channel described in SECTION.
If you want to use Silentbridge to bypass 802.1x-2010 (or simply want to make your device extra stealthy) you'll need to equip your device with mechanical Ethernet splitters as described in Hardware Setup.
Your device should implement the configuration shown in the diagram below (although don't worry about the transparent bridge, since this gets implemented in software by silentbridge).
Effective against: 802.1x-2010, 802.x-2004, 802.1x-2001
Our second configuration builds off of Option 1, keeping all of the key design elements of the first device while adding two physical A/B Ethernet splitters that can be used to bypass the device entirely. When the splitters are in position A, they connect directly to each another using an ethernet patch cable. This causes the device acts as an ethernet extender, bypassing the network interfaces of the rogue device entirely.
When the splitters are in position B, ethernet traffic passes directly to the upstream and PHY interfaces of the rogue device. Specifically, placing both splitters in position B connects the upstream interface to the authenticator, and connects the PHY interface to the supplicant.
Both A/B splitters can be operated independently of one another.
Disclaimer - This configuration uses enough electrical power to seriously hurt you. We do not recommend messing with this if you feel that it is beyond your skill level, nor do we take any responsibility if you suffer from an electrical shock or manage to injure yourself in any other way. Additionallly, we do not take responsibility to any physical harm you manage to inflict on others as a result of this project.
This project is vendor agnostic. With that said, it's always nice to have a list of parts that you know will work, so we've provided one. Feel free to use different manufacturers / models, although we give no guarantees that your device will function.
- 4 x Small Solenoid
- 1 x RobotGeek Geekduino Sensor Shield Kit
- 4 x RobotGeek Relay
- 1 x 6V2A DC Power Supply
- 1 x 12V10A DC Power Supply
- 1 x DC Squid Cable
- 1 x RobotGeek Small Workbench
- 1 x Barrel Jack Female Pigtail Lead
- 2 x Ethernet A/B Splitter
Remove the outer casing from the mechanical A/B splitters, then build the device using the following wiring diagram.
Establishing a reliable side channel is absolutely vital for maintaining control of your leave-behind device, since silentbridge is designed to be deployed in hostile network environments where the ability to bypass egress filtering is not a guarantee. Previous tools for bypassing wired port security have relied on DNATing and hidden services to provide the attacker with connectivity to the leave-behind device. While this approach may have made sense at the time, the many drawbacks to this approach no longer make sense in an era in which reliable cellular modems are readily available on the commodity market.
Our recommendation is to establish a side channel using a USB LTE modem, as it should be sufficient in most cases. There are many Linux compatible modems out there, so just pick one that works for your choice of hardware platform. One example for setting up the LTE modem can be found here:
Make sure that you configure your device to acquire an Internet connection on boot using the side channel.