NAC Bypass Test

The objective of the NAC Bypass Test is to attempt to find ways to communicate with hosts on the organization’s internal network, bypassing or abusing technologies that are meant to prevent communication by unauthorized clients. Access is typically demonstrated by obtaining a valid IP address, communicating with core network services, communicating with other clients, and/or communicating with hosts on the internet.

A well-designed NAC implementation will prevent unauthorized hosts from connecting to corporate network segments. In addition, devices that do not support an 802.1X supplicant (most commonly printers and VoIP handsets) will be placed on dedicated network segments that prevent device-to-device communication and minimize communication with devices on the corporate network and the internet.

The most robust NAC implementations often add IPsec to prevent piggy-backing on the communication of legitimate, authorized devices.

This engagement typically includes the following elements, although this is not an exhaustive list:

Reconnaissance (Network Traffic Analysis)
 
In the context of NAC Bypass testing, reconnaissance is performed in the customer facility and typically cannot be executed remotely. This step involves collecting and analyzing network traffic from various contexts on the internal network. The interesting contexts typically include the following:
 - Workstation Port
 - Common Area Access Port
 - VoIP Handsets
 - Printers
 
In general, reconnaissance efforts involve identification of interesting network traffic, whether DHCP is in use on a segment, identification of target MAC addresses (for cloning), identification of the client's NAC implementation, identification of VLANs in use, and other relevant information.
 
Network Access Attempt
 
Network access attempts involve using details from the reconnaissance phase of testing to attempt to bypass the implemented NAC solution. The objectives of this phase of testing are to get the connected switch port into forwarding mode, obtain an address from the network or configure one, and communicate with other devices.
 
 
This can involve abuse of network protocols present on the given network segment (DTP, observed VLAN tags, etc.), cloning MAC addresses of legitimate devices, or use of a layer 2 firewall implementation to piggy-back on authorized client communication. Network access should be attempted from each of the contexts identified during reconnaissance to ensure proper control implementation and uniform network protection.

Scanning
 
The scanning phase attempts to demonstrate access to organization resources that should not be accessible to a successfully connected unauthorized device. Scanning should be accomplished on each segment where successful communication is established. 
 
A good starting point for scanning can be obtained by gathering printer test pages. Usually, printer configurations include details about core network functions like DNS and LDAP (Active Directory). Scan the hosts providing core network functions to identify services that should NOT be accessible (like RDP). From there, scanning can be expanded to include hosts on the same subnet/VLAN, scans of the workstation segment, and scans to the internet.
 
The tester should consider the context of the access when performing scanning and what resources SHOULD be accessible. For instance, if access is obtained on a printer VLAN, should the printers be able to:
 
- Communicate directly to the internet?
- Communicate directly to workstations on the corporate segment?
- Access services that are not print service related (Web, RDP, SSH, etc)?
 
The answers to these questions will typically drive findings reported during testing.
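As an added illustration (not part of the original page), the following script turns those three questions into a repeatable policy check: it takes the hosts and ports that answered a scan from the printer VLAN and reports every service the assumed policy does not permit. The address ranges, zone names, allowed ports and scan results are all constructed for the walkthrough.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the walkthrough; these ranges are assumptions, not values from the page.
INTERNAL = ip_network("10.0.0.0/8")
ZONES = {
    "core": [ip_network("10.0.0.0/24")],          # DNS / LDAP (Active Directory) hosts
    "printers": [ip_network("10.10.0.0/24")],     # the printer VLAN the tester landed on
    "workstation": [ip_network("10.20.0.0/22")],  # corporate workstation segment
}
# Services a printer has a legitimate reason to reach in each zone (assumed policy).
PRINTER_POLICY = {
    "core": {53, 88, 389, 636},  # DNS, Kerberos, LDAP, LDAPS
    "printers": set(),           # no device-to-device traffic between printers
    "workstation": set(),        # printers never initiate connections to workstations
    "internet": set(),           # no direct internet access
}
SERVICE_NAMES = {22: "SSH", 80: "HTTP", 443: "HTTPS", 445: "SMB", 3389: "RDP"}

def zone_of(host: str) -> str:
    """Map an IP to a named zone; anything outside INTERNAL counts as internet."""
    addr = ip_address(host)
    if addr not in INTERNAL:
        return "internet"
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "internal-unknown"  # inside the company but not a zone we planned for: still a finding

def findings_for_printer_vlan(reachable):
    """reachable: (host, tcp_port) pairs that answered the scan.
    Returns sorted, de-duplicated finding strings for every service the policy does not permit."""
    findings = set()
    for host, port in reachable:
        zone = zone_of(host)
        if port not in PRINTER_POLICY.get(zone, set()):
            svc = SERVICE_NAMES.get(port, f"tcp/{port}")
            findings.add(f"{zone}: {host}:{port} ({svc}) reachable from printer VLAN")
    return sorted(findings)

# Constructed scan output (not real results): DC answers on DNS, LDAP and RDP, plus three other hosts.
SAMPLE_SCAN = [
    ("10.0.0.5", 53), ("10.0.0.5", 389), ("10.0.0.5", 3389),
    ("10.10.0.7", 80),        # another printer's web UI
    ("10.20.1.15", 445),      # workstation SMB
    ("203.0.113.10", 443),    # direct internet (documentation range)
]

if __name__ == "__main__":
    for finding in findings_for_printer_vlan(SAMPLE_SCAN):
        print(finding)
```

Running it against the constructed scan yields four findings (RDP on the core host, the other printer's web UI, workstation SMB, and direct internet access) while the permitted DNS and LDAP responses are silently accepted.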
This is typically executed as a short duration test. As a result, post-access exploitation activity is not usually a realistic objective. Usually, demonstrating access to the network and scanning results is sufficient.

However, if you have additional time and customer approval, post-access activities can include:

  • Network Protocol Abuse (DHCP, LLMNR, NBNS, mDNS, etc.)
  • Coercion and Relaying
  • Assumed Compromise Activities