Hi,
I'd like to use this thread to share some ideas for getting into 802.1X-protected networks. Maybe some of you have had the same challenge.
A couple of days ago I was at a customer site to do some network analysis. One of the admins told me that they had implemented network security features to make sure a visitor with a connection to the corporate network cannot access the internal resources. I asked if I could take a look at it and was put in a meeting room with some network jacks on the wall. As I plugged my notebook in I quickly realized that I could only access some pages on the internet and nothing else. I couldn't even scan the subnet I was in. So I unplugged my notebook, started a network capture tool and plugged back in again. With the capture I was able to see that there was some 802.1X going on.
Packets to look for:
- EAPOL Start
- EAP Request, Identity
- EAP Response, Identity
- EAP Request, PEAP and so on...
What 802.1X is and how it works (short version):
- 802.1X is an IEEE standard to provide port-based access control
- Involves the use of the EAPOL protocol for encapsulating authentication information
- Typically implemented along with a RADIUS server
- Three major components: Supplicant (end-user device like a PC), Authenticator (edge device like a switch), Authentication server (determines the validity of the user credentials provided by a supplicant by accessing a database of usernames and passwords)
- Different authentication methods, for example MAC-based, certificate-based or client-software-based.
If someone is interested I can give more in-depth information about that.
On my way to the meeting room I could see that the company was using thin clients for their employees with a virtual desktop environment such as Citrix XenDesktop or VMware View. From another project where I implemented network authentication I remembered that there are some problems with thin clients. Mostly you are not able to connect these thin clients to your Active Directory. The only practical possibility is to do a MAC-based authentication. I went to the printer in front of the meeting room and took a network status report page where the MAC address of the printer was listed. I disconnected from the network and changed the MAC address of my network card to the one of the printer. I plugged in again and suddenly I was put into a different subnet. First I was in a subnet 192.168.1.X/24 with a DHCP server 192.168.1.10 and the same as DNS. Then I had access to a subnet 10.10.5.X/24 with DHCP 10.10.1.10 and the same as DNS.
After some scanning of the two newly found subnets I realized that I was put in some kind of printer VLAN with access control lists implemented. I could do DNS requests to the DNS server. I could get an IP address from DHCP and I could access another server on some ports which I think was the mail server for a scan-to-mail function and the print server. Sadly I wasn't able to remote desktop to one of these servers.
I went to the next room where some employees were working. One desk fortunately was empty and I told the others that I was from the IT department and needed to look at that thin client. Now I had another MAC address from a client located in the client network.
From this new network I was able to remote desktop to some machines in different subnets. You need to know how MAC-based authentication works. You need to add each machine with the MAC address as username and password to your Active Directory. Normally you should use different domains for authentication and you should restrict the possibility of logging in to a client called dummy or such to make sure nobody can log in to a client using the MAC address as username and password. With Active Directory you need to store the password in reverse order. I tried to log in to a server with these credentials and access was granted.
Every security feature is only as good as the way it is implemented.
I hope this is interesting for you and hopefully there is somebody out there who can use this or has some different experience to share.
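As an added example (not part of the original post), here is a small decoder for the EAPOL/EAP frames listed under "Packets to look for", so a capture can be checked for an 802.1X exchange from raw Ethernet frames. Field layouts follow IEEE 802.1X and RFC 3748; the sample frames and the MAC/identity values in them are constructed, and a capture that yields no EAPOL labels at all is what a port doing only MAC-based authentication looks like.

```python
import struct

EAPOL_ETHERTYPE = 0x888E  # IEEE 802.1X
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def describe_frame(frame: bytes) -> str:
    """Label one raw Ethernet frame the way the packet list in the post names it."""
    if len(frame) < 18:  # need Ethernet header (14) + EAPOL header (4)
        raise ValueError("too short for an Ethernet + EAPOL header")
    if struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return "not EAPOL"
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("truncated EAPOL body")
    if ptype != 0:  # Start/Logoff/Key frames carry no EAP packet
        return EAPOL_TYPES.get(ptype, f"EAPOL type {ptype}")
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    label = "EAP " + EAP_CODES.get(code, f"code {code}")
    if code in (1, 2) and eap_len >= 5:  # Request/Response carry a method type
        method = body[4]
        label += ", " + EAP_METHODS.get(method, f"type {method}")
        if code == 2 and method == 1:  # Response/Identity carries the claimed identity
            label += " (" + body[5:eap_len].decode("ascii", "replace") + ")"
    return label

def summarize(frames) -> list:
    """EAPOL labels in capture order; an empty list is what a MAB-only port looks like."""
    return [lbl for lbl in map(describe_frame, frames) if lbl != "not EAPOL"]

# Constructed sample frames (not from a real capture); dst is the 802.1X PAE group MAC, src is made up.
def _eapol(ptype: int, body: bytes = b"") -> bytes:
    eth = bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001") + struct.pack("!H", EAPOL_ETHERTYPE)
    return eth + struct.pack("!BBH", 1, ptype, len(body)) + body

def _eap(code: int, ident: int, method: int = None, data: bytes = b"") -> bytes:
    payload = (bytes([method]) if method is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

SAMPLE_CAPTURE = [
    _eapol(1),                                  # EAPOL Start from the supplicant
    _eapol(0, _eap(1, 1, 1)),                   # EAP Request, Identity
    _eapol(0, _eap(2, 1, 1, b"corp\\user01")),  # EAP Response, Identity (constructed name)
    _eapol(0, _eap(1, 2, 25, b"\x20")),         # EAP Request, PEAP (start flag set)
    bytes(12) + b"\x08\x00" + bytes(46),        # plain IPv4-typed frame, not EAPOL
]
```

Feed it the frames from a real capture (for example the raw bytes of each packet from a pcap reader) and compare the output against the list above.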