4

I'm currently doing a penetration test for a client, who are using Trustwave NAC to prevent unauthorized physical access to their network.

I would like to know if there are any possible ways to bypass this. The client is putting a lot of faith in their implementation (with good cause so far), but I would like to be able to bypass it if possible to demonstrate, if nothing else, that reliance on a single security technology is not a good solution.

Short of trying to DoS the device (I have permission to try this), I'm not sure what could be attempted.

This device is not simple port security. It uses ARP poisoning to hide the actual gateway, and puts all devices in a quarantine LAN until they are authenticated against an Active Directory server. Spoofing the MAC of someone else in the quarantine LAN will not help, unless I can also trick the NAC device into thinking I was a device that had previously authenticated against AD.

Looking for known techniques, academic papers, conference presentations etc.

Sonny Ordell
  • I have a similar product and I haven't found a way around it. I have been curious to try to 'freeze' my ARP tables so that I am not affected by the ARP poisoning techniques it uses. – schroeder Jul 08 '14 at 02:39
  • Can you see any broadcast traffic on a network port if you don't send a packet? – dan Jul 08 '14 at 05:46
  • I wouldn't start with any form of DoS or cache poisoning since these are pretty well known and noisy techniques. These noisy attacks may be quickly detected and blocked by blacklisting a network port. – dan Jul 08 '14 at 05:49
  • @daniel yes, can see some broadcast traffic. Some arp requests and dhcp traffic, that's it. – Sonny Ordell Jul 08 '14 at 07:42
  • Start collecting it, get the correct map of `@MAC → @IP`. Start investigation (Wireshark, tcpdump…) by analysing the initial traffic of an `@MAC` which is the most talkative. Since this software is agentless, everything is played on the wire. Since everything can't be broadcasted, you will have to start stealing valid `@MAC` when they are off (to avoid easy duplicate detection). – dan Jul 08 '14 at 09:54
  • @danielAzuelos only traffic I can see is other people on the network before they are authenticated. Is the only potential way to bypass to spoof an allowed machine? If that is so, is the only avenue of attack to spoof one of these machines? – Sonny Ordell Jul 09 '14 at 23:52
  • Yes of course. I quickly see 3 other easy entry methods: - use of a wireless access opened on a NAC connected PC, - a sniffer PC as a bridge between a copier and the wall socket, - a well equipped USB key plugged on a NAC connected PC, to open from it any form of outside tunnel. – dan Jul 10 '14 at 20:58
  • @danielAzuelos per the terms of my engagement, I can't do anything with a NAC connected PC or really do anything physically and "cheat", and there is no wireless. I basically need to do it through my laptop alone. Anything else you can recommend to try? – Sonny Ordell Jul 10 '14 at 23:04
  • → Sonny: you said "there is no wireless", is this the result of a field audit on 802.11* & Bluetooth? – dan Jul 11 '14 at 07:12
  • @danielAzuelos Yes. Need to bypass the NAC using methods available from just my laptop, and the conference room I'm plugged into. That's it. And I don't think that's possible. – Sonny Ordell Jul 14 '14 at 05:16
  • This is possible. Just start. Take one of the valid `@MAC` when it is off, and analyze what's requested from the Trustwave and other servers. See beginning of answer from Ghost. Try to behave as a legitimate printer, register any snmp/udp, 515/tcp or 9100/tcp requests. As soon as you are connected to the `quarantine VLAN` the first stolen `@MAC` will most probably be on black list for a while. Just start with the next one. – dan Jul 14 '14 at 13:20
  • @danielAzuelos I've tried all that. Honestly, this is a next generation NAC and the typical tricks don't work. Spoofing a printer was the very first thing I tried. With the arp poisoning the device is doing, I don't know that spoofing a mac really helps, as you only see the gateway if you authenticate to AD, which I don't know can be spoofed. – Sonny Ordell Jul 14 '14 at 18:14
  • What `@IP` are said to belong to the `@MAC` of the NAC server? Get their correct through broadcast listen, and simply `arp -s @IP correct@MAC`. I think you may counter attack any form of ARP poisoning if you feed your ARP cache with the right network mapping. – dan Jul 14 '14 at 23:11
  • @danielAzuelos that's the thing, you can't see the correct MAC of the gateway when in the segmented untrusted network. I've tried extensively. I'm meant to be emulating an attacker in a specific room, so to go and get the correct MAC would be "cheating" for this engagement. Would you have any tips to grab the correct MAC of the gw while in the segmented, untrusted nw? – Sonny Ordell Jul 15 '14 at 01:04
  • If you are already in the quarantine VLAN, this means that your computer was much too talkative, and Trustwave was able to classify your `@MAC`. How many ≠ `@MAC` did you collect before being parked there? – dan Jul 15 '14 at 08:39
  • @danielAzuelos, have you had firsthand experience with the trustwave NAC? All PC's are in the quarantine vlan by default, until authenticated by active directory. AD authentication is almost more important than MAC addresses in this design. Spoofing a MAC won't work, unless I can also trick the device into thinking I was a previously AD authenticated device. – Sonny Ordell Jul 16 '14 at 00:12
  • No. I'm highly interested in any form of NAC. The documentation on Trustwave internal mechanisms is too weak to validate their model. AD can't be considered a sufficient NAC building block. How do you authenticate a printer, a Linux, a MacOS X, a phone, another network switch? – dan Jul 17 '14 at 08:08
  • @danielAzuelos they are white listed in. less than .005 of devices are non windows. – Sonny Ordell Jul 21 '14 at 16:40
  • You are on the right path (of your security evaluation :) ). You got 2 weak points. – dan Jul 22 '14 at 08:33
  • @danielAzuelos Not sure what you mean when you say evaluation or weak points. With the restrictions of my engagement I cannot leave the room I'm in, as an attacker would not be able to due to physical controls. Social engineering is not part of the engagement. As such, I unfortunately have to state the Trustwave NAC simply cannot be bypassed at this point in time without getting physical access to a whitelisted or previously authenticated device. – Sonny Ordell Jul 24 '14 at 15:32

2 Answers

1

Based on what you are asking (testing physical access with NAC), I would suggest pwnie express' pwnplug (if you can afford it, I think the powerpwn is even better https://www.pwnieexpress.com/penetration-testing-vulnerability-assessment-products/sensors/pwn-power/).

As to how they are bypassing NAC, here is their explanation:

  • First, the Pwn Plug is placed in-line between an 802.1x-enabled client PC and a wall jack or switch.
  • Using a modified layer 2 bridging module, the Pwn Plug transparently passes the 802.1x EAPOL authentication packets between the client PC and the switch.
  • Once the 802.1x authentication completes, the switch grants connectivity to the network.
  • The first outbound port 80 packet to leave the client PC provides the Pwn Plug with the PC’s MAC/IP address and default gateway.
  • To avoid tripping the switch’s port security, the Pwn Plug then establishes a reverse SSH connection using the MAC and IP address of the already authenticated client PC.
  • Once connected to the plug’s SSH console, you will have access to any internal subnets accessible by the client PC. As an added bonus, connections to other systems within the client PC’s local subnet will actually appear to source from the subnet’s local gateway!

Source: https://www.pwnieexpress.com/support/product-documentation/

Disclaimer: I have never used the NAC bypass functionality of the pwnplug.

Hope that helps!

you
  • Thank you, but that won't work in this situation. I need to be able to do it from my laptop. Whatever that device is doing, I should be able to replicate. – Sonny Ordell Jul 15 '14 at 01:02
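The in-line bridge described in this answer ends up emitting traffic from a second TCP/IP stack behind the MAC and IP of an already authenticated PC. A defender can look for exactly that: one (MAC, IP) identity showing two different stable passive fingerprints (initial IP TTL, TCP window). The script below is an added example written for this page, not Pwnie Express or Trustwave code; the flow records are constructed sample data and the fingerprint fields are an assumption about what a sensor exports.

```python
"""Flag a cloned client identity on a NAC-protected segment.

One host keeps a stable IP TTL and TCP window; two stable fingerprints
behind the same (MAC, IP) suggests a second device sharing that identity.
"""
from collections import Counter, defaultdict

INITIAL_TTLS = (64, 128, 255)  # common stack defaults


def initial_ttl(ttl):
    """Round an observed TTL up to the default it most likely started from."""
    for base in INITIAL_TTLS:
        if ttl <= base:
            return base
    return 255


def fingerprint(ttl, window):
    return (initial_ttl(ttl), window)


def find_cloned_identities(flows, min_count=2):
    """Return {(mac, ip): [fingerprints]} for identities that show more than
    one fingerprint, each seen at least min_count times (ignores one-offs)."""
    seen = defaultdict(Counter)
    for mac, ip, ttl, window in flows:
        seen[(mac, ip)][fingerprint(ttl, window)] += 1
    result = {}
    for ident, counts in seen.items():
        stable = sorted(fp for fp, n in counts.items() if n >= min_count)
        if len(stable) > 1:
            result[ident] = stable
    return result


# Constructed sample flow records: (src_mac, src_ip, ip_ttl, tcp_window)
SAMPLE_FLOWS = [
    ("00:11:22:33:44:55", "10.1.1.20", 128, 65535),  # Windows PC, normal
    ("00:11:22:33:44:55", "10.1.1.20", 127, 65535),  # same PC, one hop away
    ("00:11:22:33:44:55", "10.1.1.20", 64, 29200),   # second stack, same identity
    ("00:11:22:33:44:55", "10.1.1.20", 64, 29200),
    ("00:11:22:33:44:66", "10.1.1.21", 128, 65535),  # another PC, consistent
    ("00:11:22:33:44:66", "10.1.1.21", 128, 65535),
    ("00:11:22:33:44:77", "10.1.1.22", 255, 8192),   # lone oddity, below min_count
    ("00:11:22:33:44:77", "10.1.1.22", 64, 29200),
    ("00:11:22:33:44:77", "10.1.1.22", 64, 29200),
]

if __name__ == "__main__":
    for (mac, ip), fps in find_cloned_identities(SAMPLE_FLOWS).items():
        print(f"ALERT {mac} {ip} shows {len(fps)} stacks: {fps}")
```

Correlating the alert with the switch port and the 802.1x session that admitted the MAC tells you whether the second stack sits behind the client's own cable.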
0

Find a printer and spoof its IP and MAC. Start there. This solution requires everything to be categorized based on function. You can try to impersonate a trusted device.

Ghost
  • This looks like a good beginning of an answer. Please elaborate: answer on snmp/udp, 515/tcp… – dan Jul 14 '14 at 13:21
  • That won't work against the Trustwave NAC. It's using ARP poisoning and checking for authentication against an AD server before permitting access; it isn't simple port security. – Sonny Ordell Jul 15 '14 at 01:01