
Category: Red Team

WHITEPAPER – BYPASSING PORT-SECURITY IN 2018: DEFEATING MACSEC AND 802.1X-2010

At DEF CON 26 I introduced an attack that bypasses 802.1X-2010 and MACsec when weak EAP methods are in use. The attack, known as a Rogue Gateway, forces the supplicant to authenticate against a rogue RADIUS server by mechanically diverting Ethernet traffic to the attacker's rogue device. The attack can be performed remotely with the assistance of a side-channel interface, and can also be implemented entirely in software to attack 802.1X-2004. I also introduced several improvements to the classical bridge-based 802.1X bypass, along with an EAP-MD5 Forced Reauthentication attack.


POWERSHELL EMPIRE – EVADING NESSUS PLUGIN 99592

Back in November 2017, Tenable Network Security released a Nessus plugin capable of identifying the HTTP listeners used by the Empire post-exploitation framework [1]. Since Empire is a tool I use often during pentests and red team engagements, I felt inspired to develop a patch for Empire's HTTP listeners (both HTTP and HTTP_Com) that renders this plugin ineffective.
