akde/infosec

Information security is ultimately about managing risk


Techniques that decide whether a new device may join the normal network or a special one.

A captive portal forces a client to an authentication page. After authentication in a normal low-security environment (where you cannot assume preconfigured systems), the authentication is usually granted to a combination of MAC and IP. Therefore, try to sniff valid pairs and use them.

Attack vectors

  • Sniff the network for credentials
    • Internal portal services may not use SSL.
  • Sniff pairs of IP and MAC and reuse them once they have not shown up for a few minutes. (Watch out for timeouts.)
  • Attack the captive portal
    • Old embedded system?
    • Old OS?
    • Old framework?
  • Attack other authenticated client devices to use the connection through them.
  • Attack other client devices before authentication.
  • Attack services like DNS or DHCP which are used before authentication.

Notes

  • NAP was supported until Windows Server 2012.
  • NPS (Network Policy Server) from Windows Server 2016 on.
  • Sometimes “special” devices are excluded from normal authentication, e.g. new iPads of upper management are allowed where the devices of normal employees are not. Trying to impersonate another device can help, e.g. use something like a User-Agent switcher in a browser and see whether the captive portal changes.
  • Sometimes NAC detection systems check only every n (5?) minutes whether the traffic looks right and, for performance reasons, let all traffic through in the meantime. This means that an attacker needs to make only one forged connection and can then use the interface for some time, also with different packets.
    • Try to replay captured traffic from a victim every n minutes.
    • This may be sufficient to convince the NAC system that the system is still active and does not hit the timeout.
    • However, the traffic could come back to the attacker's system and cause it to generate a RST packet, because the attacker's system does not know how to handle a response to a request it never sent. This RST packet would signal to the NAC system that the connection is over. To circumvent this, the attacker would simply prevent his system from sending RST packets:
      iptables -F
      iptables -A OUTPUT -p tcp --destination-port 80 --tcp-flags RST RST -s $myself -d $target -j DROP

Tools

cpscam.pl: detects pairs of IP and MAC addresses that have not been used for some time:

perl cpscam.pl eth0 192.168.178.0 255.255.255.0
Capturing traffic ..
Sat May 1 19:44:51 2021
Sat May 1 19:45:12 2021
Host 192.168.178.1 has been inactive for 21 seconds.

p0f: scans passively for devices and alerts about devices that “don't look right” and could be forged ones.

# p0f
.-[ 192.168.178.1/33553 -> 192.168.178.38/80 (syn) ]-
|
| client = 192.168.178.1/33553
| os = Linux 2.2.x-3.x
| dist = 0
| params = generic
| raw_sig = 4:64+0:0:1460:mss*20,6:mss,sok,ts,nop,ws:df,id+:0
|
`----

OPNsense is a Linux-based framework for detecting activity in a network.

PacketFence is NAC software for Linux that controls which systems are in, and may join, the network.
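The notes above describe three weaknesses on the portal side: a granted IP/MAC pair that can be reused, a check that only runs every n minutes, and a session that is kept alive by replayed traffic. The following is an added example, not code from this page or from any of the tools it lists (cpscam.pl, p0f, OPNsense, PacketFence). It sketches the binding check a captive-portal or NAC backend can run on every observed packet instead of every n minutes: the pair is pinned together with a passive OS fingerprint (the `os` line p0f prints stands in for it), a changed MAC or changed fingerprint revokes the session, and an idle timeout expires it. All observations, class and function names (`BindingMonitor`, `demo`) and the timeout value are constructed for the example.

```python
"""Added example: a minimal IP/MAC binding monitor for a captive portal.

Not the page's code and not part of cpscam.pl, p0f, OPNsense or PacketFence.
Every observation below is constructed; os_hint stands in for a passive
fingerprint such as p0f's "os" output.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Binding:
    mac: str
    os_hint: str
    first_seen: float
    last_seen: float


class BindingMonitor:
    """Pins an authenticated IP to a MAC and a fingerprint, and expires it when idle."""

    def __init__(self, idle_timeout: float) -> None:
        self.idle_timeout = idle_timeout
        self.bindings: Dict[str, Binding] = {}  # ip -> Binding
        self.alerts: List[str] = []

    def authenticate(self, ts: float, ip: str, mac: str, os_hint: str) -> None:
        """Called when a client passes the portal: record the pair and its fingerprint."""
        self.bindings[ip] = Binding(mac, os_hint, ts, ts)

    def revoke(self, ts: float, ip: str, reason: str) -> None:
        self.alerts.append(f"t={ts:.0f} {ip}: {reason}")
        del self.bindings[ip]

    def observe(self, ts: float, ip: str, mac: str, os_hint: str) -> bool:
        """Feed one passively seen packet; True means it may pass, False means back to the portal."""
        b = self.bindings.get(ip)
        if b is None:
            return False  # no session for this IP
        if ts - b.last_seen > self.idle_timeout:
            # A pair that went quiet is dropped instead of staying usable for a newcomer.
            self.revoke(ts, ip, f"session expired after {ts - b.last_seen:.0f}s idle")
            return False
        if mac != b.mac:
            # Same IP from another MAC: the granted pair is being reused.
            self.revoke(ts, ip, f"MAC changed {b.mac} -> {mac}")
            return False
        if os_hint != b.os_hint:
            # Same pair, but the host "doesn't look right" any more.
            self.revoke(ts, ip, f"fingerprint changed {b.os_hint!r} -> {os_hint!r}")
            return False
        b.last_seen = ts
        return True


def demo() -> Tuple[int, List[str]]:
    """Runs constructed traffic through the monitor; returns (packets allowed, alerts)."""
    mon = BindingMonitor(idle_timeout=120)
    allowed = 0

    # Client A authenticates, sends one packet, then its IP shows up from another MAC.
    mon.authenticate(0, "192.168.178.5", "aa:bb:cc:00:00:01", "Linux 2.2.x-3.x")
    allowed += mon.observe(10, "192.168.178.5", "aa:bb:cc:00:00:01", "Linux 2.2.x-3.x")
    allowed += mon.observe(30, "192.168.178.5", "aa:bb:cc:00:00:99", "Linux 2.2.x-3.x")
    allowed += mon.observe(40, "192.168.178.5", "aa:bb:cc:00:00:99", "Linux 2.2.x-3.x")

    # Client B keeps its MAC but the passive fingerprint no longer matches.
    mon.authenticate(50, "192.168.178.7", "aa:bb:cc:00:00:02", "Windows 7 or 8")
    allowed += mon.observe(60, "192.168.178.7", "aa:bb:cc:00:00:02", "Linux 2.2.x-3.x")

    # Client C is legitimate but goes idle longer than the timeout.
    mon.authenticate(100, "192.168.178.9", "aa:bb:cc:00:00:03", "Mac OS X")
    allowed += mon.observe(110, "192.168.178.9", "aa:bb:cc:00:00:03", "Mac OS X")
    allowed += mon.observe(300, "192.168.178.9", "aa:bb:cc:00:00:03", "Mac OS X")

    return allowed, mon.alerts


if __name__ == "__main__":
    count, alerts = demo()
    print(f"allowed packets: {count}")
    for line in alerts:
        print(line)
```

Checking every packet rather than every n minutes is what removes the window the notes describe; binding the fingerprint as well as the MAC is why a forged pair that passes the address check can still be caught, and the idle expiry is what keeps a quiet pair from being handed on.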

Pre-Authentication traffic with EAP

If a network requires each client to be authenticated via IEEE 802.1X/EAP, the switch relays the unauthenticated EAP messages to a RADIUS server, which responds to the switch whether the authentication was successful.
