{"id":3001,"date":"2021-05-01T15:17:07","date_gmt":"2021-05-01T13:17:07","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=3001"},"modified":"2023-12-24T12:43:16","modified_gmt":"2023-12-24T11:43:16","slug":"nac-network-admission-control","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=3001","title":{"rendered":"<span class=\"caps\">NAC<\/span> Network Admission Control"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Tech\u00adniques which decides if a new device can join the nor\u00admal or a spe\u00adcial network.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A <strong>cap\u00adtive por\u00adtal<\/strong> forces a client to an authen\u00adti\u00adca\u00adtion page. After authen\u00adti\u00adca\u00adtion in a nor\u00admal low-secu\u00adri\u00adty envi\u00adron\u00adment (where you can\u00adnot assume pre\u00adcon\u00adfig\u00adured sys\u00adtems) the authen\u00adti\u00adca\u00adtion is usu\u00adal\u00adly grant\u00aded to a com\u00adbi\u00adna\u00adtion of <span class=\"caps\">MAC<\/span> and <span class=\"caps\">IP<\/span>. There\u00adfore, try to sniff valid pairs and use&nbsp;them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Attack vectors<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Sniff the net\u00adwork for credentials<ul><li>Inter\u00adal por\u00adtal ser\u00advices may not use&nbsp;<span class=\"caps\">SSL<\/span>.<\/li><\/ul><\/li><li>Sniff pairs of <span class=\"caps\">IP<\/span> and <span class=\"caps\">MAC<\/span> and reuse them after they did\u00adn\u2019t showed up after a few min\u00adutes. (Take care for timeouts.)<\/li><li>Attack the cap\u00adtive portal<ul><li>Old embed\u00added system?<\/li><li>Old <span class=\"caps\">OS<\/span>?<\/li><li>Old frame\u00adwork?<\/li><\/ul><\/li><li>Attack oth\u00ader authen\u00adti\u00adcat\u00aded client devices to use the con\u00adnecion through them.<\/li><li>Attack oth\u00ader client devices <em>before<\/em> authenciation.<\/li><li>Attack ser\u00advices like <span class=\"caps\">DNS<\/span> or <span class=\"caps\">DHCP<\/span> which are used <em>before<\/em> authentication.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><span class=\"caps\">NAP<\/span> was sup\u00adport\u00aded until Win\u00addows Serv\u00ader&nbsp;2012.<\/li><li><span class=\"caps\">NPS<\/span> Net\u00adwork Pol\u00adi\u00adcy Ser\u00advices from Win\u00addows Serv\u00ader 2016&nbsp;on.<\/li><li>Some\u00adtimes are \u201cspe\u00adcial\u201d devices exclud\u00aded from nor\u00admal authen\u00adti\u00adca\u00adtion. E.g. are new iPads allowed from the upper man\u00adage\u00adment, which nor\u00admal employ\u00adees not have. Try to imper\u00adson\u00adate as anoth\u00ader device can help, e.g. use some\u00adthing like a User Agent switch\u00ader in a brows\u00ader and see if the cap\u00adtive por\u00adtal changes.<\/li><li>Some\u00adtimes <span class=\"caps\">NAC<\/span> detec\u00adtion sys\u00adtems check only every n (5?) min\u00adutes if the traf\u00adfic looks right and let all traf\u00adfic through in the mean\u00adtime due to per\u00adfor\u00admance rea\u00adsons. This means that an attack\u00ader needs only to make one forged con\u00adnec\u00adtion and can then use the inter\u00adface for some time also with dif\u00adfer\u00adent packets.<ul><li>Try to replay cap\u00adtured traf\u00adfic from a vic\u00adtim each n minutes.<\/li><li>This may be suf\u00adfi\u00adcient to con\u00advince the <span class=\"caps\">NAC<\/span> sys\u00adtem that the sys\u00adtem is still active and does\u00adn\u2019t hit the timeout.<\/li><li>How\u00adev\u00ader, the traf\u00adfic could get back to the attack\u00aders sys\u00adtem and lead to the gen\u00ader\u00ada\u00adtion of a <span class=\"caps\">RST<\/span> pack\u00adet because the attack\u00ader\u2019s sys\u00adtem does\u00adn\u2019t know how to han\u00addle the response for which it nev\u00ader sent a request. This <span class=\"caps\">RST<\/span> pack\u00adet would sig\u00adnal to the <span class=\"caps\">NAC<\/span> sys\u00adtem that this con\u00adnec\u00adtion is over. To cir\u00adcum\u00advent this, the attack\u00ader would sim\u00adply pre\u00advent his sys\u00adtem from send\u00ading <span class=\"caps\">RST<\/span> pack\u00adets:<br><code>iptables -F<br>iptables -A OUTPUT -p tcp --destination-port 80 --tcp-flags RST RST -s $mysqlf -d $target -j DROP<\/code><\/li><\/ul><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Tools<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><a href=\"https:\/\/github.com\/codewatchorg\/cpscam\">Cpscam.pl<\/a><\/strong>: Detect pairs of IPs and <span class=\"caps\">MAC<\/span> address\u00ades which were not used for some time with <a href=\"https:\/\/github.com\/codewatchorg\/cpscam\">cpscam.pl<\/a>:<\/p>\n\n\n\n<pre id=\"block-c17800f1-cf5f-40f2-ab01-8a0f5ffd818e\" class=\"wp-block-preformatted\">perl cpscam.pl eth0 192.168.178.0 255.255.255.0<br>Capturing traffic ..<br>Sat May 1 19:44:51 2021<br>Sat May 1 19:45:12 2021<br>Host 192.168.178.1 has been inactive for 21 seconds.<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>p0f<\/strong>: Scan pas\u00adsiv\u00adly for devices. And alerts about devices which \u201cdoes\u00adn\u2019t look right\u201d and could be forged ones.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># p0f\n.-[ 192.168.178.1\/33553 -&gt; 192.168.178.38\/80 (syn) ]-\n|\n| client = 192.168.178.1\/33553\n| os = Linux 2.2.x-3.x\n| dist = 0\n| params = generic\n| raw_sig = 4:64+0:0:1460:mss*20,6:mss,sok,ts,nop,ws:df,id+:0\n|\n`----<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><a href=\"https:\/\/opnsense.org\/\">OPNsense<\/a><\/strong> is a Lin\u00adux-based frame\u00adwork for detect\u00ading the action in a network.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/inverse-inc\/packetfence\"><strong>Paket\u00adfence<\/strong><\/a> is a <span class=\"caps\">NAC<\/span> soft\u00adware for Lin\u00adux to con\u00adtrol which sys\u00adtems are in and can join the network.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pre-Authentication traffic with&nbsp;<span class=\"caps\">EAP<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If a net\u00adwork requires each client to be authen\u00adti\u00adcat\u00aded via <span class=\"caps\">IEEE<\/span> 802.<span class=\"caps\">1X<\/span>\/<span class=\"caps\">EAP<\/span>, then a switch will route unau\u00adthen\u00adti\u00adcat\u00aded <span class=\"caps\">EAP<\/span> mes\u00adsages to a <span class=\"caps\">RADIUS<\/span> serv\u00ader, which will respond to the switch if the authen\u00adti\u00adca\u00adtion was successful.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tech\u00adniques which decides if a new device can join the nor\u00admal or a spe\u00adcial net\u00adwork. A cap\u00adtive por\u00adtal forces a client to an authen\u00adti\u00adca\u00adtion page. After authen\u00adti\u00adca\u00adtion in a nor\u00admal low-secu\u00adri\u00ad\u00adty envi\u00adron\u00adment (where you can\u00adnot assume pre\u00adcon\u00adfig\u00adured sys\u00adtems) the authen\u00adti\u00adca\u00adtion is usu\u00adal\u00adly grant\u00aded to a com\u00adbi\u00adna\u00adtion of <span class=\"caps\">MAC<\/span> and <span class=\"caps\">IP<\/span>. There\u00adfore, try to sniff&nbsp;valid&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[383,384],"class_list":["post-3001","post","type-post","status-publish","format-standard","hentry","category-general","tag-nac","tag-network-access-control"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3001"}],"version-history":[{"count":13,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3001\/revisions"}],"predecessor-version":[{"id":3038,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3001\/revisions\/3038"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}