README
What is XTest?
XTest is a simple, practical, and free, wired
802.1x supplicant security tool implementing the RFC 3847 EAP-MD5
Authentication method. It can be used to assess the password strength within
wired ethernet environments that rely on 802.1x to protect IP Phones and the VoIP Infrastructure
against rogue PC access. XTest is developed in C and
freely available to anyone, under the GPLv3 license.
Why XTest?
XTest was developed with the specific aim of
improving the security of environments that use 802.1x
to protect IP Phone endpoints and their supporting VoIP Infrastructure. With
the increasing prevalence of 802.1x Supplicant support in wired hard Phones,
802.1x will be increasingly used to ensure that remote IP Phones placed in
areas with low physical security will have their directly connected ethernet switch ports secured against unauthorized access.
Furthermore, the tool can demonstrate the danger [1,2] of relying solely on
802.1x, because the current wired 802.1x implementation only requires
authentication when the port initially comes up/up. Subsequent packets are not
authenticated, allowing an attacker to share a connection on a hub with the
valid 802.1x supplicant, allowing unauthorized switchport
access.
Features:
· 802.1x Supplicant: XTest can test the username and password against an 802.1x Authenticator (Ethernet Switch), and supports re-authentication.
This is a simple and easy method of comparing the password against a valid 802.1x Supplicant running on an IP Phone or a PC.
· Offline pcap dictionary attacK: If you capture a valid 802.1x authentication sequence into a pcap file, XTest will run a dictionary attack against the pcap using a supplied
wordlist. XTest will elicit the password from the pcap if the dictionary file containst the valid password.· Shared Hub unauthorized access: Using a shared hub, XTest can use the successful authentication of a valid 802.1x supplicant to gain unauthorized access to the network.
Requirements:
libpcap
XTest
is designed for, and has been tested on, BackTrack.
It runs just fine in a default installation of BackTrack.
Tested Platforms:
802.1x Supplicants:
Cisco Unified IP Phone 7971G-GE Cisco Unified IP Phone 7961G-GECisco Unified IP Phone 7941G-GECisco Unified IP Phone 7942GCisco Unified IP Phone 7945G
802.1x Authenticator:
Cisco Catalyst 3560 (WS-C3560G-24PS)
Radius Server:
CiscoSecure
ACS 4.1
Credits:
Josh Wright and his eapmd5passSteve RileySvyatoslav Pidgorny
Reference:
[1]
Article: “Steve Riley on Security”
[2] “Getting Around 802.1x
Port-based Network Assess Control through Physical Insecurity”
