Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010

Conference:  Defcon 26

The main thesis of the conference presentation is the vulnerability of the 802.1X-2010 authentication protocol and the importance of using secure EAP methods.
  • The rogue gateway attack can bypass 802.1X-2010 authentication by attacking the authentication process itself.
  • The updated and improved existing techniques have been packaged into an easy-to-use tool called Silent Bridge.
  • The EAP-MD5 forced reauthentication attack makes attacking EAP-MD5 easier and faster.
  • The benefits provided by 802.1X can be undermined by the continued use of weak EAP methods as the authentication mechanism.
  • Low adoption of 802.1X-2010 and of strong EAP methods means that improved 802.1X support in peripheral devices does not translate into better port security.
  • The EAP method used is crucial for the security of the authentication process.
  • The MS-CHAPv2 challenge and response is cryptographically weak and can be cracked within 24 hours.
  • The cost of cracking the MS-CHAPv2 challenge and response has decreased over time.
  • The security of EAP is only as strong as the EAP method used.
In 2012, Moxie Marlinspike and David Hulton demonstrated that the MS-CHAPv2 challenge and response can be converted to NTLMv1, which can be reduced to a single 56-bit DES encryption that can be cracked within 24 hours with a $100,000 FPGA-based cracking rig. Today, the cost of building such a rig has decreased to $10,000-$20,000, making it more accessible to criminal enterprises.
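The reason the MS-CHAPv2 exchange collapses to a single DES search is structural, and it is worth seeing with the actual key layout from RFC 2759 rather than taking it on faith. The following is an added illustration written for this summary; it is not code from the talk or from Silent Bridge. It assumes only the RFC 2759 ChallengeResponse construction (16-byte NT hash zero-padded to 21 bytes and cut into three 7-byte DES keys, each encrypting the same 8-byte challenge hash) and uses a constructed placeholder NT hash, not a real credential. No DES encryption or cracking is performed; the point is the keyspace accounting a defender needs when deciding whether PEAP/MS-CHAPv2 is acceptable.

```python
"""
Keyspace accounting for the MS-CHAPv2 (RFC 2759) challenge/response.
Added example, not from the talk or Silent Bridge. The NT hash below is
a constructed placeholder value.
"""
from typing import List

NT_HASH_LEN = 16          # MD4 of the UTF-16LE password
PADDED_LEN = 21           # three 7-byte DES keys
DES_KEY_LEN = 7           # 56 bits of key material per DES block


def split_nt_hash_into_des_keys(nt_hash: bytes) -> List[bytes]:
    """RFC 2759 ChallengeResponse(): zero-pad the NT hash to 21 bytes and
    split it into three 7-byte DES keys. Each key encrypts the same 8-byte
    challenge hash; the three ciphertexts form the 24-byte response."""
    if len(nt_hash) != NT_HASH_LEN:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * (PADDED_LEN - NT_HASH_LEN)
    return [padded[i:i + DES_KEY_LEN] for i in range(0, PADDED_LEN, DES_KEY_LEN)]


def expand_des_key(key7: bytes) -> bytes:
    """Expand a 7-byte key into the 8-byte form DES consumes: each output
    byte carries 7 key bits plus an odd-parity bit in the low position.
    The parity bit adds no secrecy, which is why DES is a 56-bit cipher."""
    if len(key7) != DES_KEY_LEN:
        raise ValueError("DES key material must be 7 bytes")
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F   # next 7 bits, MSB first
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:       # make the byte's parity odd
            byte |= 1
        out.append(byte)
    return bytes(out)


def known_zero_bytes(key_index: int) -> int:
    """Padding bytes in a given key that the verifier (and anyone observing
    the exchange) already knows are zero. Only the third key contains
    padding: bytes 16..20 of the padded hash are 5 of its 7 bytes."""
    if key_index not in (0, 1, 2):
        raise ValueError("MS-CHAPv2 uses exactly three DES keys")
    return PADDED_LEN - NT_HASH_LEN if key_index == 2 else 0


def effective_key_bits(key_index: int) -> int:
    """Bits an attacker must actually guess for one of the three keys."""
    return 8 * (DES_KEY_LEN - known_zero_bytes(key_index))


def total_search_work() -> int:
    """Worst-case DES trial count to recover the whole NT hash.
    Key 3 has only 16 unknown bits. Keys 1 and 2 encrypt the *same*
    plaintext, so a single pass over the 2^56 keyspace checks both
    ciphertexts at once. The work is therefore additive, not multiplicative."""
    return 2 ** effective_key_bits(0) + 2 ** effective_key_bits(2)


def naive_search_work() -> int:
    """What the 24-byte response would cost if the three keys were
    independent and had to be searched jointly (they are not)."""
    return 2 ** (8 * PADDED_LEN)


if __name__ == "__main__":
    placeholder_hash = bytes(range(0x10, 0x20))     # constructed, not a real hash
    for n, k in enumerate(split_nt_hash_into_des_keys(placeholder_hash)):
        print(f"key {n + 1}: {k.hex()}  ({effective_key_bits(n)} unknown bits)")
    print(f"actual work: 2^56 + 2^16 = {total_search_work()}")
    print(f"naive work:  2^168      = {naive_search_work()}")
```

The takeaway for a defender is that the 24-byte response protects exactly 56 bits of secret, regardless of password length or complexity, and that bound does not move with hardware choices on the defending side. The only fix is to stop relying on the MS-CHAPv2 response as a secret: use EAP-TLS, or at minimum enforce server certificate validation on PEAP so the exchange is never exposed to a rogue authenticator.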


Existing techniques for bypassing wired port security are limited to attacking 802.1x-2004, which does not provide encryption or the ability to perform authentication on a packet-by-packet basis [1][2][3][4]. The development of 802.1x-2010 mitigates these issues by using MacSEC to add Layer 2 encryption and packet integrity checks to the protocol [5]. Since MacSEC encrypts data on a hop-by-hop basis, it successfully protects against the bridge-based attacks pioneered by the likes of Steve Riley, Abb, and Alva Duckwall [5][6]. In addition to the development of 802.1x-2010, improved 802.1x support by peripheral devices such as printers also poses a challenge to attackers. Gone are the days in which bypassing 802.1x was as simple as finding a printer and spoofing its address, as hardware manufacturers have gotten smarter. In this talk, we will introduce a novel technique for bypassing 802.1x-2010 by demonstrating how MacSEC fails when weak forms of EAP are used. Additionally, we will discuss how improved 802.1x support by peripheral devices does not necessarily translate to improved port-security due to the widespread use of weak EAP. Finally, we will consider how improvements to the Linux kernel have made bridge-based techniques easier to implement and demonstrate an alternative to using packet injection for network interaction. We have packaged each of these techniques and improvements into an open source tool called Silent Bridge, which we plan on releasing at the conference.