At DEF CON 26 we introduced an attack that bypasses 802.1X-2010 and MACsec when weak EAP methods are in use. The attack, known as a Rogue Gateway, forces the supplicant to authenticate against a rogue RADIUS server by mechanically diverting Ethernet traffic to the attacker's rogue device. It can be performed remotely with the assistance of a side-channel interface, and can also be implemented entirely in software to attack 802.1X-2004. We also introduced several improvements to the classical bridge-based 802.1X bypass, along with an EAP-MD5 Forced Reauthentication attack.
These contributions are described in detail in our white paper on the subject, which can be found at the following URL:
Additionally, the source code for our proof-of-concept tool, silentbridge, can be found in the following GitHub repository:
A video recording of the original presentation, including live demos, is available here:
The slides from our presentation at DEF CON can be found here: