
We are currently whitelisting the hosts owned by our company on our Cisco switches to keep private hosts off our network. This works pretty well, but someone can still spoof the MAC address of his host.

Now we had the idea to create a domain user with literally no rights other than to log on to a host over the network. The idea behind this is to identify hosts that aren't able to verify these credentials because they aren't part of the domain.

Every host that isn't able to verify the credentials or isn't running the needed services is definitely an unwanted device, because this only concerns the workstation network, which is heavily regulated using Group Policies.

Is this a good idea or am I missing something?

// I'm not searching for a way to prevent a specific type of attack; my primary intent is the identification of malicious devices.

asked by davidb, edited by Benoit Esnard

  • Why don't you fingerprint the SMB service? It tells you the SMB domain, from which you can determine whether it is joined to the domain or not. Use auxiliary/scanner/smb/smb_version in msf. – void_in Jun 25 '16 at 11:02
  • We are doing continuous passive and active detection of hosts, including SMB enumeration to detect the OS and domain, but it took me only an hour to craft a daemon that sends fake responses to fake any OS and domain. That is why,... – davidb Jun 25 '16 at 11:56
  • Couldn't a malicious host on the network relay the credentials to a different host on the network? Also, if any legitimate hosts on the network have some sort of issue preventing logging in, you could misidentify them as malicious. – Macil Aug 26 '16 at 22:37
  • @AgentME those attacks are taken care of via sticky MAC. Remember, Layer 2 devices such as switches operate in frame relays. Switches particularly send the frames to a particular device (via MAC address), so long as port mirroring/SPAN is disabled. Whereas dumb hubs send all frames to every connected device. – grepNstepN Aug 29 '16 at 21:11
  • @grepNstepN I don't understand how your response relates to my comment. My comment doesn't rely on MAC spoofing or listening to packets sent to other devices on the network. – Macil Sep 07 '16 at 22:08

2 Answers


AFAIK Cisco switches base their forwarding decisions on MAC, regardless of what authentication occurred first.

You can use port-security to enforce MAC auth, but as discussed that is easy to spoof.

A better option is 802.1X (Cisco just refers to it as dot1x), whereby as a port comes up it asks the client to authenticate, back-hauls that auth to a RADIUS/TACACS server, and based on the response enables traffic forwarding on that port (on a server-defined VLAN).

This can also be used for NAC: if a legitimate host doesn't pass health checks (up-to-date AV/Windows updates) it can be quarantined to a remediation VLAN to update itself before being allowed to join the main network.

Ultimately, however, if a host has passed dot1x authentication, any frames sourced on that port with the expected MAC address will be forwarded without further authentication.

A much more resilient option (which also covers remote Layer 3 traffic) is IPsec. My main experience with this is Windows, though Linux is capable (Racoon? - though more complex to administer). You can enforce IPsec traffic policies whereby the individual IP packets have an authentication header to prove the identity of the sender (computer, user, or both), and if the receiver cannot validate that info the packet is dropped even before passing up the stack to a (possibly vulnerable) application. It does by definition cause interoperability problems with external or non-domain devices (e.g. printers), which can be addressed with domain trusts (given a similar IPsec policy) or device certificates (from a trusted chain).

You can configure IPsec policy not only to authenticate connections, but to encrypt the data, which renders most MitM attacks useless.

You could identify attempts at non-IPsec-secured connections (or those that fail authentication) in event logs.

CGretski
  • n.b. don't apply IPsec GPO to secure traffic to your domain controllers.... if you mess it up you'll have to visit every client to fix it. In general SMB signing should be enough to secure GPO traffic, and Kerberos is self-securing. – CGretski Nov 24 '17 at 23:26
  • you may still wish to apply Layer 2 defenses; although encryption would prevent DHCP spoofing as a method of MitM, it wouldn't prevent DoS. – CGretski Nov 24 '17 at 23:31
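As an added example that is not part of CGretski's answer: the Windows side of what the answer describes, built with the NetSecurity cmdlets. It creates a connection security rule that requires Kerberos authentication (computer in phase 1, user in phase 2) for inbound connections on the domain profile, adds the domain-controller exemption the first comment recommends, and then pulls the Security-log events that record failed negotiations and clear-text packets the IPsec driver dropped. The DC addresses, the rule display names and the GPO name are placeholders chosen for this example, not values from the original post.

```powershell
# Added example (not from the original answer). Assumes a domain-joined
# Windows 8 / Server 2012 or later host, an elevated session, and the
# NetSecurity module that ships with Windows. Addresses and names are placeholders.

# --- 1. Authentication methods: computer Kerberos in phase 1, user Kerberos in
#        phase 2 (AuthIP). A device that is not in the domain holds no ticket and
#        cannot complete the negotiation, which is the identification test.
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$userKerb    = New-NetIPsecAuthProposal -User -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "Domain computer (Kerberos)" -Proposal $machineKerb
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName "Domain user (Kerberos)"     -Proposal $userKerb

# --- 2. Exemption first: never require IPsec towards the domain controllers
#        (assumed 10.0.0.10 and 10.0.0.11). Kerberos, LDAP and Group Policy must
#        keep working even if the enforcing rule below is wrong, otherwise the
#        clients can never receive the fix. A rule with security None in both
#        directions is an authentication exemption.
New-NetIPsecRule -DisplayName "Exempt domain controllers" `
    -RemoteAddress 10.0.0.10, 10.0.0.11 `
    -InboundSecurity None -OutboundSecurity None `
    -Profile Domain

# --- 3. The enforcing rule: inbound connections must be authenticated; outbound
#        is only requested, so workstations can still reach printers and other
#        non-domain devices that cannot negotiate.
New-NetIPsecRule -DisplayName "Require authenticated inbound (workstation LAN)" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -Profile Domain
# To write the same rules into a GPO instead of the local policy store, add
#   -PolicyStore "corp.example.com\Workstation IPsec"     (format: domain\GPO name)
# to each New-NetIPsec* call above. The GPO name is a placeholder.

# --- 4. Enable the audit subcategories that record negotiation failures and
#        clear-text packets the IPsec driver discarded.
auditpol /set /subcategory:"IPsec Main Mode"  /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /failure:enable
auditpol /set /subcategory:"IPsec Driver"     /success:enable /failure:enable

# --- 5. Hunt: 4653 = Main Mode negotiation failed, 4654 = Quick Mode failed,
#        4963 = inbound clear-text packet dropped that should have been secured.
#        A remote address that keeps appearing here is either misconfigured or
#        not one of ours; the full message carries local/remote address and reason.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653, 4654, 4963 } -MaxEvents 200 |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Summary = ($_.Message -split "`r?`n")[0]   # first line is enough for triage
        }
    } | Format-Table -AutoSize

# Rollback, from a console on the box rather than over the network you may
# have just cut yourself off from:
#   Get-NetIPsecRule -DisplayName "Require authenticated inbound*" | Remove-NetIPsecRule
```

Apply the exemption rule before the enforcing rule, and test the enforcing rule on one OU before the GPO reaches the whole workstation network; a host that fails the negotiation looks identical in the log whether it is a rogue device or a legitimate machine whose clock or Kerberos ticket is broken, so the events are a lead for investigation, not a verdict.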

If you set sticky MAC on your switches and/or Layer 3 routers, along with disabling port mirroring/SPAN, you're good to go.

Layer 2 of the OSI Model: devices such as switches operate in frame relays. Switches particularly send the frames to a particular device (via MAC address), so long as port mirroring/SPAN is disabled. Dumb hubs send all frames to every connected device.

Sticky MAC prevents mac spoofing attacks (a la ettercap).

Imagine one of two scenarios:

  1. Evil hax0r who wants to intercept your emails on the LAN. He surreptitiously connects a cat5 to your switch while using ettercap or some other tool to impersonate your MAC address and fulfill evil objectives
  2. Network/server/sys admin who unplugs a device, then plugs it back in.

In both scenarios, the switch already sees the MACs it will accept in its ARP table. It refuses to send traffic to the new device and logs the event.

To track down the offense: If someone spoofed the MAC of a device on your LAN, sticky MAC will get triggered and a log entry created. The log entry should contain the datetime, the MAC and the switchport involved. It's up to you to cross-reference the switchport with a network diagram. So if it happened on switch2 port 47, you should check the diagram to find out Conference Room A is the only room with access to that switchport. From there, regular investigation (e.g. eyewitness testimony, CCTV, etc.) to find out who was in Conference Room A at the time is a must.

grepNstepN
  • seriously why the -10 downvote? my answer is SOLID – grepNstepN Aug 31 '16 at 01:52
  • Wasn't my downvote. This answer helps to prevent MitM attacks in the first place, but that's not exactly what I want. What I want is identifying malicious devices regardless of the MAC address, because that might be spoofed. – davidb Sep 07 '16 at 17:26
  • once someone spoofs the MAC of a current device, it's blocked and logged. the logs will only say *which* MAC address was spoofed, which port on which switch had sticky MAC triggered and the datetime it occurred. it's up to you (or other netadmins/network engineers) to figure out which offices have which switchports available. Network diagrams (pref. Visio) are a *must.* So if you get a log entry for sticky MAC being triggered, you should be able to xref the switchport in the log with your network diagram to determine it happened in Conference Room A. There are no elegant answers – grepNstepN Sep 08 '16 at 19:07